NSA 2600 - Internal Firewall - WAN not Required
I'd like to use our spare NSA 2600 to protect a restricted zone hosting devices like backup repositories. The plan is to secure and separate the zone from the production zone using the NSA 2600 so that, in case the backup server is compromised by threats like ransomware, we would still be able to recover from the backup repositories. I tried to unassign X1 but it's not allowing me because it says that one interface has to be in the Load Balancing.
I'm thinking that perhaps the best way is to use and connect the WAN (X1) interface to the production zone (like the core switch) and the X0 to the Restricted Zone and just explicitly allow traffic from X1 to X0.
Answers
Welcome to SonicWALL community.
By default, at least one interface of the firewall needs to be in the default LB group. Based on the deployment you mentioned, you will be using NAT, and the X0 subnet of the NSA 2600 will be on a different IP scheme than your production network.
There is a wire/tap mode available that lets you use it in the same IP scheme.
https://www.sonicwall.com/support/knowledge-base/how-to-configure-wire-tap-mode-in-sonicos/170505532077365/
But I would recommend using the deployment as you planned and connect X1 to the production network and X0 for your restricted network.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @agcastle2000,
You can unassign X1; you need to remove X1 from the IPv4 AND IPv6 WLB group first.
The only interface that cannot be unassigned is X0 LAN.
As a WAN interface will auto-generate an outgoing NAT policy, and in a 2-tier deployment the NAT is not needed, we can create another untrust zone to replace it.
Hello @agcastle2000,
Were we able to answer your question? If you still need our help, please let us know.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services