Firmware 7.1.2 Messed up my config!

Thanks for rushing this update to fix multiple vulnerabilities and not triple checking everything.

One of my site-to-site VPNs no longer works.

The address object of my SSLVPN pool was gone!

The routes for my SSLVPN were gone!

It wrote my DNS server backwards!! What! 5.0.168.192

Thanks for ruining my night!

Category: Entry Level Firewalls

Answers

  • JackBurton Newbie ✭

    And those are just the things I see wrong right now. Who knows what else is messed up.

  • A_Elliott Enthusiast ✭✭

    It removed some Access Policies and a few Routing policies for us. Some IPSEC tunnels never came back either. Had to rebuild those from scratch.

  • TKWITS Community Legend ✭✭✭✭✭

    Good to know QA hasn't improved. Some of these issues have happened on 7.0 updates in the past.
    They keep pushing the idea of automatic updates too…

  • Sha Newbie ✭

    My night was ruined too. SonicWall is ruined. All custom access and NAT rules were shuffled and some removed. Same to web access management rules. Luckily I have multiple interfaces, otherwise I couldn't log in anymore.
    Firmware rollback to 7.1.1-7058 and config backup back and it worked fine, but this is not good from SonicWall. They need to release a new good fix firmware.

  • sonictek Newbie ✭

    We've had a few reports of 7.1.2 firmware updates causing problems, and we've advised them to log support calls. We've not had the problem ourselves but have stopped upgrading to 7.1.2 until a newer release comes out. CSE testing will have to wait.

  • ASTech2020 Newbie ✭

    I've upgraded about a dozen so far. Two had serious corruption of outbound firewall rules to the point at which users thought Internet was down. Fortunately, after we ruled out everything else, we looked closely at the outbound rules and could see that key elements had changed and were able to make corrections. In other cases, when we tried to make changes to policies, we got nonsensical error messages that were resolved by deleting the objects involved and recreating them. Whatever was done with 7.1.2 is definitely half-baked. I've never had to check for corruption before, but now it's standard policy. If we didn't have so much riding on Sonicwall at this point, I'd be looking at alternatives as the support has gone down the tubes besides.
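An added example, not part of any post in this thread and not SonicWall code: one way to run the post-upgrade corruption check described above is to diff an inventory captured before the upgrade against one captured after it, flagging missing entries and IPv4 values whose octets came back reversed. The snapshot layout, section names and all sample values are assumptions constructed for illustration; this is not the firewall's export format.

```python
import ipaddress

# Constructed sample inventories (hypothetical layout: section -> name -> value).
BEFORE = {
    "dns": {"primary": "192.168.0.5"},
    "address_objects": {"SSLVPN Pool": "10.10.50.0/24", "LAN Subnet": "192.168.0.0/24"},
    "routes": {"SSLVPN to LAN": "10.10.50.0/24 via X0"},
    "vpn_policies": {"Branch S2S": "enabled"},
}
AFTER = {
    "dns": {"primary": "5.0.168.192"},
    "address_objects": {"LAN Subnet": "192.168.0.0/24"},
    "routes": {},
    "vpn_policies": {"Branch S2S": "disabled"},
}

def is_ipv4(value):
    """True if value parses as a plain dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def reversed_octets(ip):
    return ".".join(reversed(ip.split(".")))

def compare_snapshots(before, after):
    """Return (kind, section, name, detail) tuples for every difference."""
    findings = []
    for section, old_items in before.items():
        new_items = after.get(section, {})
        for name, old in old_items.items():
            if name not in new_items:
                findings.append(("missing", section, name, old))
            elif new_items[name] != old:
                new = new_items[name]
                byte_swapped = is_ipv4(old) and is_ipv4(new) and new == reversed_octets(old)
                kind = "octets-reversed" if byte_swapped else "changed"
                findings.append((kind, section, name, f"{old} -> {new}"))
        for name in new_items.keys() - old_items.keys():
            findings.append(("unexpected", section, name, new_items[name]))
    return findings

if __name__ == "__main__":
    for finding in compare_snapshots(BEFORE, AFTER):
        print(" | ".join(finding))
```

An empty result means the two inventories match; any finding is a reason to hold the change window open until the entry is corrected or the saved settings are re-imported.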

  • sonictek Newbie ✭

    Apparently, if you re-import the config (another reboot) it will put everything back as it should.

  • Larry All-Knowing Sage ✭✭✭✭

    @sonictek - is this "method" something Support told you? Or are you winging it, and it happened to work? Just trying to understand what could potentially go wrong later on with a 7.1.2-wxyz firmware update.

  • sonictek Newbie ✭

    Not 'winging it'.

    This is a public forum, so I'll just say the following.

    Was told that in nearly all cases this will fix the config back to how it should be within 7.1.2. You need to make sure you have an exported copy of the config before doing the upgrade. There is still a small chance that this won't work so will need to be manually amended in 7.1.2 or go back to 7.1.1.

    Personally, I'm not upgrading any more to 7.1.2 until a newer option becomes available and the 'known' issue is accepted to be fixed.

  • sonictek Newbie ✭

    Oh, and also being reported that 7.1.2 can lock the firewall up when trying to clear connection failures in DPI SSL.

  • sonictek Newbie ✭

    Update. A customer logged a call direct with SonicWall Support and they were told the same thing, so appears to be official.

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Has anyone configured 7.1.2 from scratch and seen the same issues, or hopefully it would work better? I have a new installation that I'll start from defaults and I'd like to possibly try out the new Advanced DNS Filtering feature. That I believe requires 7.1.x.

  • Larry All-Knowing Sage ✭✭✭✭

    @SonicAdmin80 - if you are not using Cloud Secure Edge Connector / ZTNA, then I don't understand why you would want to use 7.1.2. What else do you think you'll "get" from that (aside from some agita)?

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I think DNS Filtering was introduced in 7.1.1 so I could use any of those versions as well, I just don't know which one is usable after 7.0.1. The last somewhat stable version I've used with Gen 7 is 7.0.1 5030 which isn't even available for download anymore.

    Do you know a good 7.1.1 version?

  • Larry All-Knowing Sage ✭✭✭✭

    No, as I've stated in other posts, I'm sticking with 7.0.1-5151 on all Gen 7 devices for the foreseeable future, and will only begin to test 7.1.1 sometime later this year (probably in October hoping another MR after 7058 is released for it).

  • bristi Newbie ✭

    Hello Jack,

    We encountered the same problem. For a quick solution, we had to import a backup, and everything worked fine on version 7.1.2. In a nutshell, we were using firmware 7.1.1-7058, which was recommended by SonicWALL. However, we faced some issues with that version, and SonicWALL advised us to upgrade to 7.1.2. Unfortunately, we ran into a similar issue as the one you mentioned. Fortunately, we had previous backups, and importing them into version 7.1.2-7069 worked, but we can't rely on this as a long-term solution. They mentioned that a new version, 7.1.3, will be released soon—hopefully without any issues.

  • sonictek Newbie ✭

    We have customers using SonicWaves in L3 mode and wanting to add 600 series APs. You need 7.1.1.x for this support.

  • Mariusz Newbie ✭
    edited August 14

    I recently received a new TZ370 - to replace the TZ400. It had the factory version 7.0.1.5119. I migrated the configuration from the TZ400 - it worked. I immediately updated directly to version 7.1.2.7019 - it worked and the device works correctly. The TZ370 has ROM version 7.0.1.3 - does it matter? The TZ370 has been working without a restart for 23 days. Full protection - AGSS package.

  • dccd60 Newbie ✭

    Received this from tech support:

    Hi, we did have a report of some NAT rules and objects being removed when upgrading to the 7.1.2. Engineering has incorporated the fix with the next version of 7.1.3. I don't have an ETA for this release. You may be facing this issue. You could just remain on the build you're on for now until the 7.1.3 comes out, or go to the 7.1.2 in a maintenance window and call us and we can run a capture and troubleshoot it, see where the issue lies and if we need to add a NAT or rule for it to work again. Let me know how you wish to proceed. Candice

  • Tech2020 Newbie ✭

    We updated another TZ270 on Friday and the first problem was that the local user account the end user had for SSLVPN returned a "bad user name or password" message. When I went to reset the password, the user was missing. When I tried to add the user again, the appliance said that it already existed. I had to import the settings I had saved earlier to correct that. Today the same user had missing address objects that we had to re-add. The 7.1.2 update is atrocious and should be pulled off the web site regardless of what it might purport to fix— and a working update should be substituted in its place immediately. If I get an email that tells me I need to update immediately, that update ought to be better than what I am replacing. The worst part of all this is that I'm at serious risk of liability if I go against Sonicwall's advice and don't install the update. The insurance companies demand that the latest updates are installed, not the latest working updates.

  • Chojin Enthusiast ✭✭

    Oh, hopefully this is not related to the SSL VPN security issues, which SonicWall believes is used out in the wild.

    Maybe there is a way to check if a SonicWall is affected?

  • sonictek Newbie ✭

    If only someone from SonicWall were to go through Community posts and update us, and more importantly (for a public viewable forum) respond to some of the comments.
