Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Cannot access SSLvpn Portal since 7.1.1 update

HI.

Upgraded from 7.0.1-5095-R3599

to

7.1.1-7040-R5387

When accessing from browser to https://vpn.domainname.com:port ...

Shows redirection page.. Then redirects to

http://ipaddress/sonicui/7/sslvpn-portal/

Page show, unable to access <<ip adress>>


Been able to use the web portal just before the upgrade

Thanks for any input

Category: Entry Level Firewalls
Reply
Tagged:

Best Answers

  • CORRECT ANSWER
    MustafaAMustafaA SonicWall Employee
    Answer ✓

    Hi @CF_ADMIN

    The new firmware is expected to be released in the second half of March, depending on QA tests. When this is published, our Product Management team sends an email to the registered MySonicWall.com accounts.

  • CORRECT ANSWER
    BWCBWC Cybersecurity Overlord ✭✭✭
    Answer ✓

    7.1.1-7051 got released and seems to address a lot of the reported issues.

    --Michael@BWC

Answers

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    What is ipaddress? Does it actually belong to an interface on the firewall?

  • CF_ADMINCF_ADMIN Newbie ✭

    Yes, it's the actual wan address as per these settings:

    But the address resolves to a non https destination without the <<port>>..

  • TonyATonyA SonicWall Employee

    Hi @CF_ADMIN ,

    This is an issue in the current firmware that will be resolved in the next firmware release.

    For now the workaround is as follows:

    Enable WAN HTTPS Management and then specify, on the WAN to WAN HTTPS Management rule, an object or group on the WAN who have access,

    The Issue ID for this issue is: Gen7-45497

  • CF_ADMINCF_ADMIN Newbie ✭

    Thank you very much, at least now I know.

    I tried to find a release roadmap onto your website but found myself a bit confused, may I ask when this new version is expected to be released. Trying to evaluate if I can afford to wait for it or not.

    Thank you very much

  • TonyATonyA SonicWall Employee

    Hi @CF_ADMIN ,


    No problem!

    The current plan is for March, but it depends on QA validation process which may delay the release date.

  • IT_BrianIT_Brian Newbie ✭

    I question the QA validation process given how many issues 7.1.1 created.

  • CF_ADMINCF_ADMIN Newbie ✭

    That's exactly what I had in mind when I read this. QA can't be that long if that kind of issue goes through.

    I did not apply the suggested parameters to mitigate the solution and I really believe that a full step by step procedure on how to do that, and how to undo that, once the problem is fixed, is the least we deserve.

  • CF_ADMINCF_ADMIN Newbie ✭

    I see there's a new firmware release 7.1.1-7047


    Is this issue resolved in this one? I read the changelog but it does not seem very clear this particular issue is solved.


    Thanks

  • MustafaAMustafaA SonicWall Employee

    Hi @CF_ADMIN

    The 7.1.1-7047 firmware release addresses a single issue: the vulnerability CVE-2024-22394. However, our upcoming release scheduled for mid-March will encompass multiple issue resolutions. Please note that the exact date of the firmware release is subject to change and contingent upon the completion of Quality Assurance (QA) tests.

    Summary of the CVE

    An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication. This issue affects only firmware version SonicOS 7.1.1-7040.

  • CF_ADMINCF_ADMIN Newbie ✭

    Hi,

    And yet another release rolled out but I t does not seem to fix this issue, Will somebody notify here when the update will be released? Do you know what build it's gonna be?

    Trying to figure a way to know asap when this is gonna be released.


    Thank you

  • LarryLarry All-Knowing Sage ✭✭✭✭

    Two cents from someone who has no skin your game.

    You never stated why you upgraded your device to 7.1 (never mind there was a more recent 7.0 update you could have deployed).

    However, you were quickly given a workaround to your problem when you reported it. Kudos to SonicWall for acknowledging the problem. For reasons unknown to this community, you chose not to implement it.

    There was another option available to you that was not presented on the forum: Revert your firewall to the prior 7.0 version of the OS (assuming, of course, you created the appropriate backups before you upgraded to 7.1).

    So, you had two ways to avoid this problem.

    Historically, for major releases, SonicWall issues MRs every three to six months. The reason they wait is to identify the most significant problems and thoroughly test them before tackling the rest.

    As mentioned, you will - if you have the appropriate notification settings - receive an email when the new MR is available. I've seen these emails take up to a month to be issued (YMMV).

    If you are champing at the bit to get the latest update to 7.1, log into your MySonicWall account, go to the Download Center and select your device from the "By Product Line" section. Make sure you sort by Release Date to ensure you get the most current item at the top of the list.

  • Joe88Joe88 Newbie ✭

    Trying to implement this temporary fix, but even doing this it seems the one-time password by email is being sent to the wrong email. Is there some guidance as to the workaround and/or is there a hotfix as mentioned in the following thread?

    https://community.sonicwall.com/technology-and-support/discussion/5822/ssl-portal-no-longer-reachable

  • CF_ADMINCF_ADMIN Newbie ✭
    edited March 1

    Hi Larry.

    Good question!

    Do we see anything in there stating '' RC, Beta?'' or anything with an exclamation mark in red warning the customer they are choosing a experimental path upgrading to 7.1?

    Sure, now I can google it:

    https://community.sonicwall.com/technology-and-support/discussion/528/explanation-for-different-sonicos-firmware-release-models

    And now I know ''maintenance release'' basically means ''public beta'' but why not say so?

    Even there!:

    They are several reasons why different update trains cohexists but never assumed they could interfere with the platform and it's very included features themselves! We are not talking about third party extensions that need to adapt to the new ''core'' version here, it's all within the os itself!

    __

    The whole discussion here is based on this misleading assign of names and I perfectly understand that some can afford testing features on one version, hence the availlability of ''maintenance releases'' but this is clearly not my case I'll pay closer attention to this in the future.

    SO .. no to answer your question directly, there are absolutely no particular features I needed out of 7.1 and the only interest I had from upgrading was from a security standpoint: Get to the lastest most secure version which, from my understanding, is not guaranteed in 7.1.


    Now the question I ask back is, will this new version be another maintenance release or a stable one?

    Because yes understanding all of this now makes me want to stay out of the ''public beta channel'' as soon and as intelligently as possible.


    Thank you

  • Bcon08Bcon08 Newbie ✭

    Larry,

    It's a bit disingenuous to imply that you have no skin in the game, considering your account's activity level and status as Partner.

    More times than I can count, over the course of many years, I have essentially been given an ultimatum by SonicWALL support, to upgrade to the latest firmware version before being eligible to receive further support.

    So, the narrative here is always: "Upgrade first, then ask for help."

    If Maintenance releases are intended to be interpreted as a beta version, that created two issues:

    1. The labeling falsely implies an improvement. "Maintenance" is generally considered something that should be performed regularly, which leads to the conclusion that the release is intended to be applied when it's published. And if it shouldn't, it puts a lot of scrutiny on SonicWALL's marketing/publishing choices..
    2. It leaves licensed units without patches for large gaps of time, occasionally extending over 12 months, leaving them vulnerable to the security issues that are uncovered in-between. It's a non-starter to suggest that a security appliance facing the public web is intended to go without updates for that long.

    As for the workarounds:

    WAN management is a security vulnerability in and of itself, regardless of what kind of objects you use to limit it. In addition, SSLVPN connections are frequently used to connect traveling users. The overhead involved in managing address objects for a moving target like that, or even a static team of sufficient size, just for the sake of a temporary workaround, makes this approach unfeasible.

    Reverting to the previous version brings the release itself into question. Why publish an update that reduces the necessary functionality of a feature with a 10+ year tenure, instead of ensuring it works?

    Issues with new releases are understandable, and my team has the means and procedures to revert back to the previous version, but making the assumptions that

    1. Maintenance releases are not intended for production use, and are advertised clearly enough for that to be unmistakable
    2. A lack of QA for tenured features, in an update, is to be expected

    ...betrays the trust that SonicWALL's customers are intended to have in their products, and puts their development and marketing team in a bad light. I wouldn't want to take that stance as it goes against the intent behind the updates, and SonicWALL support's demonstrated positive attitude towards them.

    I look forward to the release that addresses this issue, and I wish the best of luck to the dev teams working on it!

  • LarryLarry All-Knowing Sage ✭✭✭✭

    @Bcon08 - As I stated in mid-January 2024, shortly after the initial release:

    I am not going to install 7.1 on my office (test) firewall until after the third update to 7.1 is released. It was nearly a year late in coming out of the gate and looks like insufficient attention was paid to all the parts and pieces.

    I have learned - through years of SonicWall tribulations - that being "first" may be very nice if you absolutely, positively, require new functionality for your business. But being on the bleeding edge makes you victim to all the flaws that were either overlooked or missing, items that were rushed through development without fully being tested, and even the ones that were flat-out ignored because "someone" decided the cost to fix now outweighed the cost to delay release.

    So the March MR will count as 1 update. We'll see how much the code base stabilizes after that.

    As for the Support issue of "you must be current," there is a simple response: "No, I do not - for my business - require the latest MR unless it fixes the problem I'm reporting." If that is not satisfactory to the CSR, you must - as is your right - request the problem be escalated to a senior who has some common sense. In this particular case, upgrading to 7.1 is simply NOT a valid response when calling about a 7.0 problem.

  • LarryLarry All-Knowing Sage ✭✭✭✭


    @CF_ADMIN - You were already ON a Maintenance Release for your 7.0 device as you stated at the outset. What's upsetting - at least to me - is that you missed three known updates - over a one year span.

    By all accounts, you should have gone to the General Release of that SAME software (Version 7.0 - 5095 to 5145).

    So I'm left questioning: what are your internal Standard Operating Procedures for SonicWall firmware updates? And should they be reviewed and refined based on your recent decision?

  • CF_ADMINCF_ADMIN Newbie ✭

    HI Larry,

    I'm deeply sorry I made you upset, I'm definitely not a seasonned Sonicwall user like you are and I don't even undestand what you are tyring to show me there, but I'm quite sure the discussion pulled toward not helping me with my current situation.


    I'd really appreciate getting less personnal about the topic and I'm really not interested into this crusade because at the end of the day, as I said, I just want things to work and avoid downtimes. The current situation is:

    My ''past'' user are still using SSLVPN with 2fa

    New users are logging in without 2fa since they can't enroll on the SSLVPN portal page.

    -- Now understanding the situation a bit better, this issue maybe an indicator that there are much worse risks i'm facing right now, that I was aware of.


    I'm not pefectly sure wether I should simply wait for a fixed version of 7.1 or roll back to 7.0 ''stable''

  • LarryLarry All-Knowing Sage ✭✭✭✭

    @CF_ADMIN The reps here have said the first MR for 7.1.1 will be in "second half of March," and that statement has been made with the caveat that QA testing could extend it. Could it be released in April? Yes, that is a possibility. So if you decide to wait, implement the workaround solution that was provided. (Note: document those changes so you can undo them before you implement the vetted fix.)

    If you don't want to wait, revert to your 7.0.1 backup, and then update your firmware to the latest MR (7.0.1-5145).

  • CF_ADMINCF_ADMIN Newbie ✭

    Thanks for the head up BWC.

    I dare to hope that the issue un this thread is resolved when I read:

    GEN7-45497 Virtual Office is not accessible when HTTPS management is disabled in the

    interface configuration. ?


    Thank you

Sign In or Register to comment.