Cannot access SSLvpn Portal since 7.1.1 update
CF_ADMIN
Hi.
Upgraded from 7.0.1-5095-R3599 to 7.1.1-7040-R5387.
When accessing from a browser to https://vpn.domainname.com:port ... it shows a redirection page, then redirects to
http://ipaddress/sonicui/7/sslvpn-portal/
The page shows "unable to access <<ip address>>".
I was able to use the web portal just before the upgrade.
Thanks for any input
Category: Entry Level Firewalls
Answers
What is ipaddress? Does it actually belong to an interface on the firewall?
Yes, it's the actual WAN address as per these settings:
But the address resolves to a non-HTTPS destination without the <<port>>.
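An added example, not from this thread or from SonicWall: a small Python check that reproduces the symptom described above, resolving a Location header against the portal URL the user typed and flagging a scheme downgrade, a host change or a dropped port. The host name, IP address and port are constructed placeholders.

```python
"""Check an SSL-VPN portal redirect for the failure described in this thread:
https://host:port -> http://ipaddress/... (scheme downgrade, host and port changed).
Added example; host names and addresses below are constructed placeholders."""
import http.client
import ssl
from urllib.parse import urljoin, urlparse


def default_port(scheme):
    return 443 if scheme == "https" else 80


def check_redirect(original_url, location):
    """Resolve `location` relative to `original_url` (relative Locations are legal)
    and return a list of findings; an empty list means the redirect stays on the
    same HTTPS host:port the user originally typed."""
    src = urlparse(original_url)
    dst = urlparse(urljoin(original_url, location))
    findings = []
    if src.scheme == "https" and dst.scheme != "https":
        findings.append(f"scheme downgrade: https -> {dst.scheme}")
    if dst.hostname != src.hostname:
        findings.append(f"host changed: {src.hostname} -> {dst.hostname}")
    src_port = src.port or default_port(src.scheme)
    dst_port = dst.port or default_port(dst.scheme)
    if dst_port != src_port:
        findings.append(f"port changed: {src_port} -> {dst_port}")
    return findings


def fetch_location(url, timeout=5):
    """Live helper: one GET without following redirects; returns (status, Location).
    Not called by the offline demonstration below."""
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


if __name__ == "__main__":
    portal = "https://vpn.example.com:4433/"  # constructed portal URL
    # Constructed Location headers: the broken post-upgrade redirect and a healthy one.
    broken = "http://203.0.113.10/sonicui/7/sslvpn-portal/"
    healthy = "/sonicui/7/sslvpn-portal/"
    for loc in (broken, healthy):
        print(loc, "->", check_redirect(portal, loc) or "OK")
```

Running the same check before and after a firmware upgrade (with `fetch_location` against your own portal) gives a quick smoke test that the portal redirect still lands on HTTPS at the configured port.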
Hi @CF_ADMIN ,
This is an issue in the current firmware that will be resolved in the next firmware release.
For now the workaround is as follows:
Enable WAN HTTPS Management and then specify, on the WAN to WAN HTTPS Management rule, an object or group on the WAN that has access.
The Issue ID for this issue is: Gen7-45497
Thank you very much, at least now I know.
I tried to find a release roadmap on your website but found myself a bit confused. May I ask when this new version is expected to be released? I am trying to evaluate whether I can afford to wait for it or not.
Thank you very much
Hi @CF_ADMIN ,
No problem!
The current plan is for March, but it depends on QA validation process which may delay the release date.
I question the QA validation process given how many issues 7.1.1 created.
That's exactly what I had in mind when I read this. QA can't be that long if that kind of issue goes through.
I did not apply the suggested parameters to mitigate the solution and I really believe that a full step by step procedure on how to do that, and how to undo that, once the problem is fixed, is the least we deserve.
I see there's a new firmware release, 7.1.1-7047.
Is this issue resolved in this one? I read the changelog but it does not seem very clear that this particular issue is solved.
Thanks
Hi @CF_ADMIN
The 7.1.1-7047 firmware release addresses a single issue: the vulnerability CVE-2024-22394. However, our upcoming release scheduled for mid-March will encompass multiple issue resolutions. Please note that the exact date of the firmware release is subject to change and contingent upon the completion of Quality Assurance (QA) tests.
Summary of the CVE
An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication. This issue affects only firmware version SonicOS 7.1.1-7040.
Hi,
And yet another release rolled out, but it does not seem to fix this issue. Will somebody notify here when the update is released? Do you know what build it's gonna be?
Trying to figure out a way to know ASAP when this is gonna be released.
Thank you
Two cents from someone who has no skin in your game.
You never stated why you upgraded your device to 7.1 (never mind there was a more recent 7.0 update you could have deployed).
However, you were quickly given a workaround to your problem when you reported it. Kudos to SonicWall for acknowledging the problem. For reasons unknown to this community, you chose not to implement it.
There was another option available to you that was not presented on the forum: Revert your firewall to the prior 7.0 version of the OS (assuming, of course, you created the appropriate backups before you upgraded to 7.1).
So, you had two ways to avoid this problem.
Historically, for major releases, SonicWall issues MRs every three to six months. The reason they wait is to identify the most significant problems and thoroughly test them before tackling the rest.
As mentioned, you will - if you have the appropriate notification settings - receive an email when the new MR is available. I've seen these emails take up to a month to be issued (YMMV).
If you are champing at the bit to get the latest update to 7.1, log into your MySonicWall account, go to the Download Center and select your device from the "By Product Line" section. Make sure you sort by Release Date to ensure you get the most current item at the top of the list.
Trying to implement this temporary fix, but even doing this it seems the one-time password by email is being sent to the wrong email. Is there some guidance as to the workaround and/or is there a hotfix as mentioned in the following thread?
https://community.sonicwall.com/technology-and-support/discussion/5822/ssl-portal-no-longer-reachable
Hi Larry.
Good question!
Do we see anything in there stating "RC, Beta?" or anything with an exclamation mark in red warning the customer they are choosing an experimental path upgrading to 7.1?
Sure, now I can google it:
https://community.sonicwall.com/technology-and-support/discussion/528/explanation-for-different-sonicos-firmware-release-models
And now I know "maintenance release" basically means "public beta", but why not say so?
Even there!:
There are several reasons why different update trains coexist, but I never assumed they could interfere with the platform and its very own included features themselves! We are not talking about third-party extensions that need to adapt to the new "core" version here, it's all within the OS itself!
The whole discussion here is based on this misleading assignment of names, and I perfectly understand that some can afford testing features on one version, hence the availability of "maintenance releases", but this is clearly not my case. I'll pay closer attention to this in the future.
So, no, to answer your question directly, there are absolutely no particular features I needed out of 7.1, and the only interest I had in upgrading was from a security standpoint: get to the latest, most secure version, which, from my understanding, is not guaranteed in 7.1.
Now the question I ask back is, will this new version be another maintenance release or a stable one?
Because yes understanding all of this now makes me want to stay out of the ''public beta channel'' as soon and as intelligently as possible.
Thank you
Larry,
It's a bit disingenuous to imply that you have no skin in the game, considering your account's activity level and status as Partner.
More times than I can count, over the course of many years, I have essentially been given an ultimatum by SonicWALL support, to upgrade to the latest firmware version before being eligible to receive further support.
So, the narrative here is always: "Upgrade first, then ask for help."
If Maintenance releases are intended to be interpreted as a beta version, that created two issues:
As for the workarounds:
WAN management is a security vulnerability in and of itself, regardless of what kind of objects you use to limit it. In addition, SSLVPN connections are frequently used to connect traveling users. The overhead involved in managing address objects for a moving target like that, or even a static team of sufficient size, just for the sake of a temporary workaround, makes this approach unfeasible.
Reverting to the previous version brings the release itself into question. Why publish an update that reduces the necessary functionality of a feature with a 10+ year tenure, instead of ensuring it works?
Issues with new releases are understandable, and my team has the means and procedures to revert back to the previous version, but making the assumptions that
...betrays the trust that SonicWALL's customers are intended to have in their products, and puts their development and marketing team in a bad light. I wouldn't want to take that stance as it goes against the intent behind the updates, and SonicWALL support's demonstrated positive attitude towards them.
I look forward to the release that addresses this issue, and I wish the best of luck to the dev teams working on it!
@Bcon08 - As I stated in mid-January 2024, shortly after the initial release:
I am not going to install 7.1 on my office (test) firewall until after the third update to 7.1 is released. It was nearly a year late in coming out of the gate and looks like insufficient attention was paid to all the parts and pieces.
I have learned - through years of SonicWall tribulations - that being "first" may be very nice if you absolutely, positively, require new functionality for your business. But being on the bleeding edge makes you victim to all the flaws that were either overlooked or missing, items that were rushed through development without fully being tested, and even the ones that were flat-out ignored because "someone" decided the cost to fix now outweighed the cost to delay release.
So the March MR will count as 1 update. We'll see how much the code base stabilizes after that.
As for the Support issue of "you must be current," there is a simple response: "No, I do not - for my business - require the latest MR unless it fixes the problem I'm reporting." If that is not satisfactory to the CSR, you must - as is your right - request the problem be escalated to a senior who has some common sense. In this particular case, upgrading to 7.1 is simply NOT a valid response when calling about a 7.0 problem.
@CF_ADMIN - You were already ON a Maintenance Release for your 7.0 device as you stated at the outset. What's upsetting - at least to me - is that you missed three known updates - over a one year span.
By all accounts, you should have gone to the General Release of that SAME software (Version 7.0 - 5095 to 5145).
So I'm left questioning: what are your internal Standard Operating Procedures for SonicWall firmware updates? And should they be reviewed and refined based on your recent decision?
HI Larry,
I'm deeply sorry I made you upset. I'm definitely not a seasoned Sonicwall user like you are and I don't even understand what you are trying to show me there, but I'm quite sure the discussion pulled toward not helping me with my current situation.
I'd really appreciate getting less personal about the topic, and I'm really not interested in this crusade because at the end of the day, as I said, I just want things to work and avoid downtimes. The current situation is:
My "past" users are still using SSLVPN with 2FA.
New users are logging in without 2FA since they can't enroll on the SSLVPN portal page.
-- Now understanding the situation a bit better, this issue may be an indicator that there are much worse risks I'm facing right now, that I was aware of.
I'm not perfectly sure whether I should simply wait for a fixed version of 7.1 or roll back to 7.0 "stable".
@CF_ADMIN The reps here have said the first MR for 7.1.1 will be in "second half of March," and that statement has been made with the caveat that QA testing could extend it. Could it be released in April? Yes, that is a possibility. So if you decide to wait, implement the workaround solution that was provided. (Note: document those changes so you can undo them before you implement the vetted fix.)
If you don't want to wait, revert to your 7.0.1 backup, and then update your firmware to the latest MR (7.0.1-5145).
Thanks for the heads up BWC.
I dare to hope that the issue in this thread is resolved when I read:
"GEN7-45497 Virtual Office is not accessible when HTTPS management is disabled in the interface configuration."?
Thank you
Installed yesterday, so far so good, thanks.