Arkwright

Community Legend


Comments

  • What error do you get? TBH if Sonicwall support couldn't work it out then it's unlikely we can help but having some error messages would be a good start.
  • The handset establishes an IPsec tunnel to the mobile provider's datacentre and then all the voice data flows across that. If you don't allow the ports it requires, it will not work. You cannot inspect the traffic in any way. If you don't trust it then put the phones in their own network with no access to your internal…
  • I just checked on a TZ370 and it does have the redundant/aggregate options. So I think I have over-interpreted the linked article - the "not supported on platforms" only lists Gen 6 TZ devices, not Gen 7 TZ devices. In other words, the options are there so it should work, unless there's a UI bug and it's displaying options…
  • Start with the Zyxel's equivalent of Connection Monitor, see what ports/services are used whilst wifi calling. Then check they're allowed in your Sonicwall configuration, and if it still doesn't work, do a packet capture on dropped packets only
  • You could disable general DHCP and just create static entries for the MACs you want to allow. But the question doesn't make sense in the context of a Sonicwall TZ270; it's not a switch and you're not going to "protect the LAN" from there.
  • That linked article says it's not supported on TZ series so don't know how you think you're going to get it working. TZ series does support Portshield though, have you tried that?
  • Hash tag boundless! If you can demonstrate the issue with just a single user connected then that's a pretty poor response from support, IMO.
  • SSLVPN performance has never been great but what you describe is particularly poor. How many users do you have? You can do MFA with Global VPN but AFAIK it can only be RADIUS-based which limits your options.
  • Use FQDN objects instead, I assume they have far fewer domains than they have CIDRs. The main caveat with FQDN objects to work "perfectly" is that the firewall and the clients need to be using the same DNS; the firewall snoops on the DNS requests from the clients and caches the answers. If they don't use the same DNS then…
  • I am never slow to suggest using the CLI for this kind of thing but if you have to interact with it, slowly, for every batch of 100, then you might as well be just ticking 100 address objects at a time and deleting them with the web interface! I asked ChatGPT to generate an 'expect' script to bulk-delete address objects…
  • What are the errors? Do you have a screenshot?
  • Don't expect to see hits on outbound NAT policy if the traffic is matching an inbound NAT policy. One connection will only ever match one NAT policy [and one access rule, for that matter].
  • But perhaps what would be even more secure than either of those would be to restrict access to the firewall so that it cannot be reached from the internet. There is definitely no need for management to be open to everywhere, but if you're using the SSLVPN service on the firewall then you cannot turn that off.
  • Have you checked the logs when it goes down? Do you do anything to make it work again? You can set up probing in Failover & Load Balancing settings to regularly ping the internet. That will log events when the ping stops working.
  • Also, if you want to achieve the published figures then make sure you use 4 interfaces as LANs and 4 as WANs, and split your traffic evenly across them ;-)