Arkwright Community Legend ✭✭✭✭✭
Comments
-
What is the mechanism by which they connect? VPN software running on the clients? VPN tunnel on the Sonicwall to the ASA? My immediate thought would be some connection timeout, but TBH nowadays protocols are pretty chatty so a 4h timeout seems unlikely.
-
I think that zone security type "public" will by default not create rules from this new zone to LAN. So long as you haven't manually added a 'Wireless AP, Internet Only' -> 'LAN' allow rule, you should be good.
-
I think I misunderstood that Sonicwall KB article. The Sonicwall does not have to do anything with DNS, the idea is that some other DNS server returns specially-formatted 6-to-4 replies. I think the KB article only covers an outbound access scenario for clients behind a Sonicwall. So it probably applies to you @FRE but…
-
On a slightly older release of Gen6 I see that Users -> Status != SSLVPN -> Status. The Users bit shows duplicates with absurdly long session times, yet SSLVPN looks "normal". On a firewall with more recent firmware, there is no discrepancy. Both firewalls have the "SSLVPN Inactivity Check:" ticked. In conclusion, update…
-
>@Arkwright, So the references to X6 are not saying that packets are trying to go to or come from X6 to the X0 interface? No - unknown ethertype = not IP = the Sonicwall cannot carry it. So it's not in any meaningful sense going to X0.
-
The reason you see packets on X6 in there is because you've filtered on IP and nothing else. Yes, the firewall "knows" that the IP you've specified should be on X0 but you didn't tell the firewall that you were only interested in X0. So if you put X0 in the interface names box then you won't see these mystery packets that…
-
> I don't know why X6 is even showing up in the packet monitor
We can only guess because you haven't said exactly what you put in the capture filter.
-
Sonicwalls only handle IP, so if you see "unknown ethertype" then it's not IP and probably not relevant to your problem. If you don't want to see packets on X6 then put X0 in the interface filter.
-
Route-based VPN can certainly be used with Azure. https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-vpn-between-a-sonicwall-firewall-and-microsoft-azure/170505320011694/
-
Check the timers on both ends of the tunnel. Does restarting the ipsec service also fix this?
-
"All WAN IPs" refers to the firewall's own WAN interface IPs. I am not sure that probing on this could ever be of any use to you. My suggestion would be to move the L2 fibre connection outside of the firewalls so you can use the WAN F&LB logic to accomplish this.
-
As far as I know, the answer to this seemingly obvious question is "no". When I spoke to someone in third line a few years ago, he also said that "policy" can mean NAT policy, access policy or route policy as well, so it's not even as simple as just which firewall rule!
-
Did you really mean static ARP entry rather than static DHCP? I have seen this with Unifi APs before, and the cause was that some other device had the IP defined in the static DHCP entry - I think the Sonicwall pinged it first and because it replied, it didn't assign the IP.
-
You can use the CLI to do this, today. There are Dynamic External address objects as well, might be useful for you. But an import/export to CSV tool really would not take much for Sonicwall to implement and would make lives so much easier. They added the ability to export NAT policies/access rules to CSV and then gave up 🙄
-
Issue still exists in 2023. If they aren't going to fix this feature then they should turn it off because it's completely useless in the state it's in. We had a firewall lose contact with NSM for a few weeks, during which time no changes were made [per audit log from firewall]. Yet the config diff is 78k lines! Only the…