Arkwright Community Legend ✭✭✭✭✭
Comments
-
We just get periodic emails saying we have $nnnnn in renewal opportunities for all the expired firewalls. On occasions where we've not named firewalls properly in MSW, Sonicwall have been unwilling to provide information. All we would need is to know the last public IP it connected from and we would be able to know which…
-
Given that: the main functional difference between models is the count of interfaces; the migration tool asks you which interface to map to which interface on the exported configuration; any other functionality differences between models are known to Sonicwall; then migrating any model to any model is possible. If something…
-
I am not sure that document is relevant to your scenario as your Sonicwall won't be handling the relevant DNS queries. Surely if you have enough v6 address space to give the WAN and DMZ interfaces v6 IPs, then you can give the mailserver a v6 IP as well? I am assuming that you mean a global IP when you say "valid IPv6 IP".…
-
The on-firewall tool is the only one that is relevant, because that's how the firewall determines what to do. You won't be able to progress this issue with Sonicwall if you use any other lookup tool.
-
Presumably consolidating all their clients into one implementation would save Sonicwall time and money, so there must be some reason why they don't.
-
Did you do the lookup from the GeoIP diags tool on the firewall or from Sonicwall's online GeoIP lookup tool? I have found some inconsistencies between the two - obviously what the firewall says "wins" when it comes to applying the rule.
-
Update the firmware.
-
Update the firmware. Check the logs. Interfaces going up and down? Look at Failover & LB. Is the probing losing contact with the internet?
-
Fully meshed [VPN tunnels between every site] will give the best performance and redundancy. Routing all traffic via a "central" Sonicwall will be the least complex to manage, but will require capacity at that central location which then becomes a point of failure. Swings and roundabouts. Take your pick.
-
IPsec between SonicOS and OpnSense will be absolutely fine. Set it up with manual IKE IDs to handle the changing public IPs.
-
What is happening on the firewall at this time? Check CPU and interface graphs whilst pinging.
-
I suggest you monitor the firewall remotely [eg Pingdom, F8lure] and see if it matches up with what the firewall says. I've never known F&LB monitoring to lie - when it says a target is down, it's down. What are your probe monitoring targets? With one large site [8k peak users] we couldn't use 8.8.8.8 as a ping monitoring…
-
Automating with CLI sure beats manual click, click, click, click to recreate something. You just need to bear in mind that policies reference address groups [and potentially other objects as well], so they need to be aligned, or at the very least, exist, before this is going to work.
-
This might seem a bit too obvious a question, but why are you putting the credentials in here? If the user of the PC is a domain user then surely 'net use' is sufficient?
-
If you've got the group synced with LDAP then the quickest way to do this is delete the user from the firewall. The user gets created the first time they log in and bind their TOTP. You would lose any manual permissions you might have set on the user, but we don't do that so it's not an issue.

















