SonicAdmin80

Cybersecurity Overlord ✭✭✭

Comments

  • No there shouldn't be a need to create users manually, at least for SSL-VPN which is where I've used it. I'm not that familiar with using external users in rules, so you might have to use "Mirror LDAP user groups locally" and periodically refresh the users automatically or use the Directory Connector like @BWC said.…
  • You don't need to specifically import users with SonicWall either. If you imported the group, SonicWall will dynamically check the members of that group and create local users in the firewall for them when needed.
  • Looks like it was a flood on one web server. Strange as it isn't shown in AppFlow logs, perhaps the firewall was so taxed it couldn't log it. The problems stopped right after blocking the traffic coming in. Hasn't failed over again either. I didn't get any flood alerts, but connection limit alerts were coming in sometimes,…
  • Connection peak has been at the maximum so I did some limiting in the access rules. I also changed probe destinations and HA monitoring destinations. During the night it failed over multiple times due to "higher link status" on different interfaces at different times. I'm starting to think something might be wrong on the…
  • Should be easy enough to do I think. Add the correct networks to local/remote networks to the VPN tunnel settings on both sides or alternatively use tunnel interface VPN. Then add the needed routing and access rules.
  • It failed over again. Looks like it coincides with this in the logs: "The cache is full; 375512 cacheCurrentInUse, 0 freed from pendingFreeList (Total 0) open connections; some will be dropped". I haven't been able to track down what uses those connections, as after the failover the connections go down to a normal level. Could…
  • Actually in the NSv console I see that there are "logical monitoring on interface X1 fails" messages on both units. So there seems to have been a short problem with the primary WAN which caused the failover. Nothing in the logs about LB probes failing though, so those probes seem to have succeeded between the set…
  • HA status looked good and both WAN connections were online, so I'm not sure why it switched to the secondary in the first place. HA events in the log don't give much detail why these things happen. "Higher link status" doesn't tell which interface it was that caused the failover when there are multiple interfaces with…
  • @BWC Yep, both WAN interfaces are static. Main is fiber and secondary 5G. Gen 6 NSv hasn't received many updates anymore, should be the latest (6.5.4.4-44v). I'll try to fail back to the primary HA unit later to see if it starts using the main WAN after that.
  • Yes, TOTP works better in my opinion. The last time I tried email OTP, every little hiccup in the connection caused a reconnection and another email being sent. So in the worst case you could get frequent requests to enter the code for disruptions you wouldn't necessarily otherwise notice.
  • This seems to be the new normal. There isn't automatic license synchronization anymore. Every firewall has to be manually synced using the button and even auto-allocation with FlexSpend doesn't work anymore for every appliance.
  • I also had an unexpected restart problem with a TZ670 about once a week. Got a hotfix and now it has been fine. How long has the Gen 7 line been out, maybe a year and a half? And still these major issues.
  • Will this ever be fixed? I'm getting emails that licenses have expired the day it happens and I have to go in to click on the synchronize button in the licenses page. That usually updates the licenses so why can't it do it automatically? Is it a firmware bug? Most of my units are still on 6.5.4.7.
  • The updates have been released. They are labeled as "32-bit upgrade" and "64-bit upgrade". Is there such a thing as a 32-bit version? Shouldn't they be "64-bit new install" and "64-bit upgrade"?
  • Very similar to what I had to do the last time. I also used some strong language in the case update and here in the forum, and I almost immediately got a hotfix firmware as it was after all a known issue. Looks like this is now the standard flow for cases.