Sonicwall SMA Maximum user count
Darshil Newbie ✭
We have a SonicWall SMA 7200 appliance running firmware version 12.3. We are facing an issue while adding and removing users in an access rule: it gives an error saying the user count has reached the maximum. Yes, we can apply a CEM value to increase the maximum count, but why does it give an error when we try to delete users from the access rule?
Is there any alternate way we can delete users in the access rule?
Category: Secure Mobile Access Appliances
Thank you for reaching us on Communities.
Tagging @shiprasahu93 @Nevyaditha @fmadia @Saravanan @Poorni_5 for further assistance.
Thanks and Regards,
Global Service Account Manager, Premier Services
SMA 7200 should be able to support 10,000 concurrent users. How many active sessions are you seeing at the moment?
Also, are you facing this issue after some configuration change or firmware upgrade?
Also, moving this to the right category for better results.
Technical Support Advisor, Premier Services
@Sri I tried to find an answer, but there were too many return questions, so I have requested Michael to provide an answer.
Thanks & Regards,
Yes, I knew that the SMA 7200 supports more than 1000 concurrent connections. But we are facing an issue while removing users from the access rule. I am aware that this is a limitation in version 12.3. But my concern is why this error message comes up when we try to delete users from the access rule.
Your query will be answered by our SMA experts in a while.
Thanks & Regards,
Hi @Darshil, it is not a best practice to add individual users in an access control rule, except in very unusual circumstances with very few users.
Access control rules should be as simple as possible to ensure you can manage them and maintain good security. In addition, very complex access control rules will cause delays, as they must all be processed at the point a VPN is established. The access control rules limit access, but they also control what routes are pushed to the client as the VPN is established.
Ideally you would use either group membership in your authentication server, or the realm or community where a user is authenticated, to manage resource accesses. If your users are all on the local authentication server in the SMA, you can create groups in that authentication server as well.
The access control rules should be very simple and easy to manage and understand. Group membership is resolved during authentication so is available to be used in access control rule processing.
Authentication servers are designed to handle this kind of data easily and quickly. Access control rules are not.
Since you are already at the limit of the max number of users in an access control rule, I'd suggest creating, in parallel, a group-membership-based access control rule. That will let you manage this in the authentication server. Once that rule is established, delete the entire username-based access control rule.