Options
Does the Sonicwall TZ 200 support SHA256
gparker919
Newbie ✭
in SSL VPN
Hey there!
Hoping someone can help me.
Trying to confirm that the TZ200 supports SHA256 authentication for VPN connections? I've seen where the TZ300 does but can't find anything that the TZ200 does. We support a user that has to upgrade his SHA-1 to SHA-2 or SHA256 but does not have the option the Signature Algorithm dropdown in the CSR screen.
Thanks,
Greg
Category: SSL VPN
0
Best Answer
-
OptionsCORRECT ANSWER
MustafaA
SonicWall Employee
These are the options available on Gen7 firewalls.
0
Answers
For the CSR creation, there is no option for the Signature Algorithm selection. This is a screen capture from a SOHO device running 5.9.2.14. TZ200 firewalls were end of life back in 2018, so your firmware must be quite old also.
Thank you MustafaA! I am going to assume that is a no on supporting SHA256?
Best regards,
Greg
Hello again - If we upgraded the Sonicwall to a TZ270 Network Security Appliance, would we be able to do a self-signed SSL certificate with SHA-2. Can't find anything definitive, and trying to avoid the cost of purchasing and upkeeping a CA cert but satisfy the PCI requirement.
Thank you again for all your help.
Greg
@gparker919 , yes it is supported on gen7 models.
@gparker919 because it looks you're running in circles, SHA256 is what you're looking for, SHA-2 is a family of functions and SHA256 is one of them.
Just in case this caused confusion, because @MustafaA already answered this a while back.
--Michael@BWC
Thank you @BWC for the further explanation.
I do understand that SHA256 is in the family of SHA-2 but I appreciate the clarity. So, under the PCI Compliance, they have to have a cert that is in the SHA-2 family and can not be self signed. The other thing I want to make sure of, if you all can help me understand - I have purchased and installed certs for websites and servers on Enterprise domains, but how to you get on for a device that is not in or associated with a domain name. This is an office with 6 workstations and the SonicWall. So the internet connection they have is not attached to or has in it any domain related things.
But for the CSR you need the common name FQDN.
Thanks again for any assistance.
Greg
@gparker919 the answer to that is quite simple. Bind a FQDN to the IP associated with the Internet connection of that location where the SNWL is placed. If you have a static IP use an A Record, if you have only a dynamically assigned IP use it in conjunction with a DynDNS service and create a CNAME Record pointing to your DynDNS host. You cannot get a cert issued to the DynDNS name, you need a Alias (CNAME) for that pointing to a public Domain under your control.
No FQDN no Cert, at least not issued by a public CA. If you're running your own CA you can go all in, but need to publish the CA cert to the endpoints trying to connect and it might be in conflict with your PCI Compliance scan.
--Michael@BWC
Thank you @BWC - Unfortunately the only internal CA I am familiar with is one that requires an Windows Server with Active Directory and they don't have any Windows Servers. Am I to assume that we need to buy a domain name in order to have a FQDN to bind to?
Thanks,
Greg
@gparker919 you might check with the guys who are doing the PCI compliance scan for you, if a private CA is sufficient you could OpenSSL (or XCA, a swiss army knife when it comes to keys/certs) to create your own CA. You have to make sure that your endpoints are trusting this CA certificate and you're good to go.
--Michael@BWC