Contents
Platform Compatibility ................................................................................................................................................... 1 New Features in SonicOS 5.8.1.0 ................................................................................................................................. 2 Supported Features by Appliance Model .................................................................................................................... 17 Key Features in SonicOS 5.8.0.x ................................................................................................................................ 19 Browser Support .......................................................................................................................................................... 26 Known Issues .............................................................................................................................................................. 27 Resolved Issues .......................................................................................................................................................... 29 Upgrading SonicOS Image Procedures ...................................................................................................................... 31 Related Technical Documentation .............................................................................................................................. 36
Platform Compatibility
The SonicOS 5.8.1.0 release is supported on the following SonicWALL Deep Packet Inspection (DPI) security appliances: SonicWALL NSA E8500 SonicWALL NSA E7500 SonicWALL NSA E6500 SonicWALL NSA E5500 SonicWALL NSA 5000 SonicWALL NSA 4500 SonicWALL NSA 3500 SonicWALL NSA 2400 SonicWALL NSA 240 SonicWALL TZ 210 / 210 Wireless SonicWALL TZ 200 / 200 Wireless SonicWALL TZ 100 / 100 Wireless
The SonicWALL WXA 2000 / 4000 appliances are also supported for use with SonicWALL network security appliances running 5.8.1.0.
WAN acceleration using a SonicWALL WXA series appliance can provide an increase in application performance response time without purchasing a higher quality service or larger provision of bandwidth. This is especially noticeable on WAN connections such with high latency, which causes some applications to perform poorly. For more information, please refer to the SonicWALL WXA series documentation available on MySonicWALL or www.sonicwall.com.
After you click Create Rule and confirm, the new policy appears on the Firewall > App Rules page.
You can select either WAN or Global as the Bandwidth Management Type. NOTE: When switching between bandwidth management modes, all bandwidth management settings in firewall access rules are set back to defaults must be reconfigured. Default BWM actions in Application Control policies are automatically converted to WAN BWM or Global BWM, using default priority levels. In the global priority queue table, you can configure the Guaranteed and Maximum\Burst rates for each Priority queue. The rates are specified as a percentage. The actual rate is determined dynamically while applying BWM on an interface. The configured bandwidth on an interface is used in calculating the absolute value. The sum of all guaranteed bandwidth must not exceed 100%, and guaranteed bandwidth must not be greater than maximum bandwidth per queue.
Per interface bandwidth is configured for both ingress and egress directions from the Network > Interfaces page:
Per Firewall Rule bandwidth settings are configured by enabling the direction in which to apply the bandwidth management, and setting the priority queue.
You can select default Global BWM or WAN BWM actions when configuring App Rules policies for application control:
On the Firewall > Action Objects page, you can configure custom bandwidth management actions. When Global BWM is enabled, the global guaranteed and maximum bandwidth settings are used, but you can select the priority. If a selected priority is not enabled, the default enabled priority will be used.
You can also configure bandwidth management from the Dashboard > App Flow Monitor page. First, select one or more applications or service objects, and then click the Create Rule button.
It uses as input the combined results of SonicWALL Application Intelligence and Control, and Application Visualization to create a detailed application report based on your network traffic. The SonicWALL Application Intelligence and Control feature allows administrators to maintain granular control of applications and users by creating bandwidth management and other policies based on local pre-defined categories, individual applications or signatures, users and groups, or custom match objects. With the Application Visualization feature, administrators are able to view real-time graphs of applications, ingress and
egress bandwidth, websites visited, and all user activity. Administrators are able to adjust network policies based on these critical observations. The SonicOS Application Usage and Risk Report combines the results of these two features in a downloadable report listing the following categories: o o o o o o High Risk Applications in Use Top URL Categories in Use Applications with the Highest Bandwidth Usage Application Usage by Category and Technology Top Findings of Network Characteristics Recommendations based on the Top Findings
An example of the Applications with the Highest Bandwidth Usage report is shown below:
At the top of the page, you can select the Block connection to/from Botnet Command and Control Servers checkbox to enable Botnet filtering. Below that, to enable Geo-IP filtering, you can select the Block connections to/from following countries checkbox, and select the checkboxes for the desired countries to block. The Geo-IP/Botnet Exclusion Object field allows you to select an Address Object containing IP addresses to exclude from filtering and blocking.
For this feature to work correctly, the country database must be downloaded to the appliance. The Status indicator turns yellow if this download fails for any reason. Green status means that the download was successful:
The firewall must be able to resolve geodnsd.global.sonicwall.com. When a page is blocked and the connection happens to be an HTTP GET, then a block page appears on the client machine. You can look up an IP address to find out the domain, DNS server, and check whether it is part of a Botnet. The Services > Geo-IP & BOTNET Filter page provides this functionality at the bottom of the page:
10
Geo-IP Blocking is also available from the Dashboard > App Flow Monitor page:
11
Wire Mode
Wire Mode is a deployment option where the SonicWALL appliance can be deployed as a Bump in the Wire. It provides a least-intrusive way to deploy the appliance in a network. Wire Mode is very well suited for deploying behind a pre-existing Stateful Packet Inspection (SPI) Firewall. Wire Mode is a simplified form of Layer 2 Bridge Mode. A Wire Mode interface does not take any IP address and it is typically configured as a bridge between a pair of interfaces. None of the packets received on a Wire Mode interface are destined to the firewall, but are only bridged to the other interface. Wire Mode operates in any one these 4 different modes: Bypass Mode - Bypass Mode can be configured between a pair of interfaces. All traffic received is bridged to the paired interface. There is no SPI or Deep Packet Inspection (DPI) processing of traffic in this mode. There is no application visualization or control in Bypass Mode. Inspect Mode - Inspect Mode can be configured between a pair of interfaces. Packets continue to pass through the SonicWALL to the paired interface, but they are also mirrored to the DPI engine for the purposes of passive inspection, classification and flow reporting. There is full application threat detection and visualization, but no application control in Inspect Mode. Secure Mode - Secure Mode can be configured between a pair of interfaces. All traffic received is fully processed by the firewall. There is full application visualization and control in Secure Mode. Tap Mode - Tap Mode can be configured for a single interface. All traffic received is never sent out of the firewall, but the firewall performs full SPI and DPI processing. There is full application visualization, but no application control in Tap Mode. Typically, a mirror port is set up on the switch to mirror the network traffic to the firewall. Note: Wire Mode is supported on the following SonicWALL appliance models: NSA E8500 NSA E7500 NSA E6500 NSA E5500 NSA 5000 NSA 4500 NSA 3500 Wire Mode and Tap Mode are available as an additional option under the IP Assignment options. Wire/Tap Mode is only available for interfaces in the LAN zone:
12
Once Wire Mode is selected, the Wire Mode Setting and Paired Interface options are displayed:
When Tap Mode is selected, there is no Paired Interface configuration since it only operates as a single interface:
13
Wire Mode settings are displayed on the Network > Interfaces page after configuration:
14
The Customizable Login Page feature provides the following functionality: Keeps the style of original login by default Allows administrators to customize login related pages (over ten) Allows administrators to use the default login related pages as templates Allows administrators to save customized pages into system preferences Allows administrators to preview their changes before saving to preferences Presents customized login related pages to normal users You can select from over 14 login related pages to customize in the Select Login Page drop-down list. The default selection is the Login Authentication page. Click the Default button to load the default page templates into the Login Page Contents text field, making it easier to construct the new page than it would be from a blank page. The var strXXX = lines in the template pages are customized JavaScript Strings. You can change them into your preferring wording. Modifications should follow the JavaScript syntax. You can also edit the wording in the HTML section. Before you save the modification by clicking the Apply button, you can preview your changes by clicking the Preview button. Once you are satisfied with the result, remember to apply changes so that they are saved into the system preferences. Leave the Login Page Contents field blank and apply the change to present the default page to users. An alternative login page is always available for the administrator, in case a customized login page has any issues. To access the alternate login page, manually input the URL http://(device_ip)/defauth.html directly into the address line of browser (case sensitive). The default login page without any customization is then displayed, allowing you to login as normal and reset your customized login pages.
15
16
17
Feature / Enhancement WAN Acceleration Support App Control Policy Configuration via App Flow Monitor Global BWM Ease of Use Enhancements Application Usage and Risk Report Geo-IP Filtering and Botnet Command & Control Filtering Wire Mode Customizable Login Page LDAP Primary Group Attribute Preservation of Anti-Virus Exclusions After Upgrade Management Traffic Only Option for Network Interfaces Current Users and Detail of Users Options for TSR User Monitor Tool Auto-Configuration of URLs to Bypass User Authentication
Supported
Supported
Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported Supported
Supported
Supported
Supported
Supported
18
New appliances running SonicOS 5.8 receive an automatic 30-day free trial for App Visualization upon registration. SonicWALL appliances upgrading to SonicOS 5.8 and already licensed for GAV/IPS/AS, Total Secure, or Comprehensive Gateway Security Suite (CGSS) automatically receive a complimentary App Visualization license for the Real-Time Visualization Dashboard. Navigate to the Log > Flow Reporting page to manually select the Enable Flow Reporting and Visualization checkbox to activate the feature. You can then view real-time application traffic on the Dashboard > Real-Time Monitor page and application activity in other Dashboard pages for the configured flows from the SonicWALL application signature database.
If you plan to use both internal and external flow reporting, SonicWALL recommends enabling the following (located in the Log > Flow Reporting screen) after successfully registering and licensing your appliance to avoid multiple restarts: o o Enable Flow Reporting and Visualization Report to EXTERNAL Flow Collector
19
(a) Identification: Identify applications and track user network behaviors in real-time. (b) Control: Allow/deny application and user traffic based on bandwidth limiting policies. Administrators can now more easily create network policy object-based control rules to filter network traffic flows based on: o o o Blocking signature-matching Applications, which are notoriously dangerous and difficult to enforce Viewing the real-time network activity of trusted Users and User Groups and guest services Matching Content-rated categories
Network security administrators now have application-level, user-level, and content-level real-time visibility into the traffic flowing through their networks. Administrators can take immediate action to re-traffic engineer their networks, and quickly identify Web usage abuse, and protect their organizations from infiltration by malware. Administrators can limit access to bandwidth-hogging websites and applications, reserve higher priority to critical applications and services, and prevent sensitive data from escaping the SonicWALL secured networks. New appliances running SonicOS 5.8 receive an automatic 30-day free trial for App Control upon registration. SonicWALL appliances upgrading to SonicOS 5.8 and already licensed for GAV/IPS/AS, Total Secure, or Comprehensive Gateway Security Suite (CGSS) automatically receive a complimentary App Control license, required for creating Application Control policies. Select the Enable App Control option on the Firewall > App Control Advanced page to begin using the App Control feature.
To create policies using App Rules (included with the App Control license), select Enable App Rules on the Firewall > App Rules page.
20
Deep Packet Inspection of SSL encrypted data (DPI-SSL) Provides the ability to transparently decrypt HTTPS and other SSL-based traffic, scan it for threats using SonicWALLs Deep Packet Inspection technology, then re-encrypt (or optionally SSL-offload) the traffic and send it to its destination if no threats or vulnerabilities are found. This feature works for both client and server deployments. It provides additional security, application control, and data leakage prevention functionality for analyzing encrypted HTTPS and other SSL-based traffic. The following security services and features are capable of utilizing DPI-SSL: Gateway Anti-Virus, Gateway Anti-Spyware, Intrusion Prevention, Content Filtering, Application Control, Packet Monitor and Packet Mirror. DPI-SSL is supported on SonicWALL NSA models 240 and higher. Gateway Anti-Virus Enhancements (Cloud GAV) The Cloud Gateway Anti-Virus feature introduces an advanced malware scanning solution that compliments and extends the existing Gateway AV scanning mechanisms present on SonicWALL firewalls to counter the continued growth in the number of malware samples in the wild. Cloud Gateway Anti-Virus expands the Reassembly Free Deep Packet Inspection engine capabilities by consulting with the data center based malware analysis servers. This approach keeps the foundation of RFDPI-based malware detection by providing a low-latency, real-time solution that is capable of scanning unlimited numbers of files of unlimited size on all protocols that are presently supported without adding any significant incremental processing overhead to the appliances themselves. With this additional layer of security, SonicWALLs Next Generation Firewalls are able to extend their current protection to cover multiple millions of pieces of malware. NTP Authentication Type When adding a Network Time Protocol server, the Add NTP Server dialog box provides a field to specify the NTP authentication type, such as MD5. Fields are also available to specify the trust key ID, the key number and the password. Link Aggregation Link Aggregation provides the ability to group multiple Ethernet interfaces to form a trunk which looks and acts like a single physical interface. This feature is useful for high end deployments requiring more than 1 Gbps throughput for traffic flowing between two interfaces. This functionality is available on all NSA E-Class platforms. Static Link Aggregation with the ability to aggregate up to 4 ports into a single link is supported on SonicOS 5.8. A round-robin algorithm is used for load balancing traffic across the interfaces in an aggregated link. Port Redundancy Port Redundancy provides the ability to configure a redundant physical interface for any Ethernet interface in order to provide a failover path in case a link goes down. Port Redundancy is available on all NSA E-Class platforms. When the primary interface is active, it handles all traffic from/to the interface. When the primary interface goes down, the backup interface takes over and handles all outgoing/incoming traffic. When the primary interface comes up again, it takes over all the traffic handling duties from the backup interface. When Port Redundancy, High Availability and WAN Load Balancing are used together, Port Redundancy takes precedence followed by High Availability, then followed by WAN Load Balancing. Content Filtering Enhancements The CFS enhancements provide policy management of network traffic based on Application usage, User activity, and Content type. Administrators are now able to create multiple CFS policies per user group and set restrictive Bandwidth Management Policies based on CFS categories. IPFIX and NetFlow Reporting This feature enables administrators to gain visibility into traffic flows and volume through their networks, helping them with tracking, auditing and billing operations. This feature provides standards-based support for NetFlow Reporting, IPFIX, and IPFIX with extensions. The data exported through IPFIX with extensions contains information about network flows such as applications, users, and URLs extracted through Application Intelligence, along with standard attributes such as source/destination IP address (includes support for IPv6 networks), source/destination port, IP protocol, ingress/egress interface, sequence number, timestamp, number of bytes/packets, and more. VLAN Support for TZ Series SonicOS 5.8 provides VLAN support for SonicWALL TZ 210/200/100 Series appliances, including wireless models. The TZ 210 and 200 Series support up to 10 VLANs, the TZ 100 Series supports up to 5 VLANs.
21
SonicPoint Virtual Access Point Support for TZ Series Virtual Access Points (VAPs) are now supported when one or more SonicWALL SonicPoints are connected to a SonicWALL TZ 210/200/100 Series appliance. The TZ 210 and 200 Series support up to 8 VAPs, the TZ 100 Series supports up to 5 VAPs. Comprehensive Anti-Spam Service (CASS) 2.0 The Comprehensive Anti-Spam Service (CASS) feature provides a quick, efficient, and effective way to add anti-spam, anti-phishing, and anti-virus capabilities to your SonicWALL security appliance. This feature increases the efficiency of your SonicWALL security appliance by providing you the ability to configure user view settings and filter junk messages before users see it in their inboxes. The following enhancements are now available with CASS 2.0: o o The Email Security Junk Store application can now reside outside the Exchange Server system. Unlike in version 1.0, Junk Store can now be installed on another remote server. Dynamic discovery of Junk Store user interface pages has been added. This feature allows the Junk Store to inform SonicOS of a list of pages to display under Anti-Spam in the SonicOS left hand navigation pane. For example, the pane might show Junk Box View, Junk Box Settings, Junk Summary, User View Setup, and/or Address Books. User-defined Allow and Deny Lists can now be configured with FQDN and Range address objects in addition to Host objects. A GRID IP Check tool has been added in the Anti-Spam > Status page. The SonicWALL administrator can specify (on-demand) an IP address to check against the SonicWALL GRID IP server. The result will either be LISTED or UNLISTED. Connections from a LISTED host will be blocked by the SonicWALL security appliance running CASS (unless overridden in the Allow List). A parameter to specify the Probe Response Timeout is added in the Anti-Spam > Settings page Advanced Options section. There are deployment scenarios where a longer timeout is needed to prevent a target from frequently being marked as Unavailable. The default value is 30 seconds.
o o
Enhanced Connection Limiting Connection Limiting enhancements expand the original Connection Limiting feature which provided global control of the number of connections for each IP address. This enhancement is designed to increase the granularity of this kind of control so that the SonicWALL administrator can configure connection limitation more flexibly. Connection Limiting uses Firewall Access Rules and Policies to allow the administrator to choose which IP address, which service, and which traffic direction when configuring connection limiting. Dynamic WAN Scheduling SonicOS 5.8 supports scheduling to control when Dynamic WAN clients can connect. A Dynamic WAN client connects to the WAN interface and obtains an IP address with the PPPoE, L2TP, or PPTP. This enhancement allows the administrator to bind a schedule object to Dynamic WAN clients so that they can connect when the schedule allows it and they are disconnected at the end of the configured schedule. In the SonicOS management interface, a Schedule option is available on the WAN interface configuration screen when one of the above protocols is selected for IP Assignment. Once a schedule is applied, a log event is recorded upon start and stop of the schedule. NTLM Authentication with Mozilla Browsers As an enhancement to Single Sign-On, SonicOS can now use NTLM authentication to identify users who are browsing using Mozilla-based browsers (including Internet Explorer, Firefox, Chrome and Safari). NTLM is part of a browser authentication suite known as Integrated Windows Security and should be supported by all Mozilla-based browsers. It allows a direct authentication request from the SonicWALL appliance to the browser with no SSO agent involvement. NTLM authentication works with browsers on Windows, Linux and Mac PCs, and provides a mechanism to achieve Single Sign-On with Linux and Mac PCs that are not able to interoperate with the SSO agent. Single Sign-On Import Users from LDAP Option A new Import from LDAP button on the Users > Local Users page allows you to configure local users on the SonicWALL by retrieving the user names from your LDAP server. This allows SonicWALL user privileges to be granted upon successful LDAP authentication. For ease of use, options are provided to reduce the list to a manageable size and then select the users to import.
22
SSL VPN NetExtender Update This enhancement supports password change capability for SSL VPN users, along with various fixes. When the password expires, the user is prompted to change it when logging in via the NetExtender client or SSL VPN portal. It is supported for both local users and remote users (RADIUS and LDAP). DHCP Scalability Enhancements The DHCP server in SonicWALL appliances has been enhanced to provide between 2 to 4 times the number of leases previously supported. To enhance the security of the DHCP infrastructure, the SonicOS DHCP server now provides server side conflict detection to ensure that no other device on the network is using the assigned IP address. Conflict detection is performed asynchronously to avoid delays when obtaining an address. SIP Application Layer Gateway Enhancements SIP operational and scalability enhancements are provided in SonicOS 5.8. The SIP feature-set remains equivalent to previous SonicOS releases, but provides drastically improved reliability and performance. The SIP Settings section under the VoIP > Settings page is unchanged. SIP ALG support has existed within SonicOS firmware since very early versions on legacy platforms. Changes to SIP ALG have been added over time to support optimized media between phones, SIP Back-to-Back User Agent (B2BUA), additional equipment vendors, and operation on a multi-core system. The SIP protocol is now in a position of business critical importance protecting the voice infrastructure, including VoIP. To accommodate the demands of this modern voice infrastructure, SIP ALG enhancements include the following: o SIP Endpoint Information Database The algorithm for maintaining the state information for known endpoints is redesigned to use a database for improved performance and scalability. Endpoint information is no longer tied to the user ID, allowing multiple user IDs to be associated with a single endpoint. Endpoint database access is flexible and efficient, with indexing by NAT policy as well as by endpoint IP address and port. o Automatically Added SIP Endpoints User-configured endpoints are automatically added to the database based on user-configured NAT policies, providing improved performance and ensuring correct mappings, as these endpoints are pre-populated rather than learnt. SIP Call Database A call database for maintaining information about calls in progress is implemented, providing improved performance and scalability to allow SonicOS to handle a much greater number of simultaneous calls. Call database entries can be associated with multiple calls. B2BUA Support Enhancements SIP Back-to-Back User Agent support is more efficient with various algorithm improvements. Connection Cache Improvements Much of the data previously held in the connection cache is offloaded to either the endpoint database or the call database, resulting in more efficient data access and corollary performance increase. Graceful Shutdown Allows SIP Transformations to be disabled without requiring the firewall to be restarted or waiting for existing SIP endpoint and call state information to time out.
o o
23
Sessions Flow TableBy clicking on the number specified under the Sessions category of any Application, a Flow Table displays with Application-specific data, including the Rate in KBps.
Dashboard > Real-Time Monitor Real-Time Monitor ApplicationsAll application legends are now hidden by default from the Application Chart. To view the legends, click the Settings Then, click Save. icon. Clear the option to Hide Legends in Application Chart.
To view individual application information, hover the mouse over the real-time visualization; a pop-up displays.
Multi-Core MonitorBy default, the Multi-Core Monitor now displays as a stack chart, rather than as a bar graph, to easily show its relation to the other charts on this screen.
24
The client policy is still strictly checked against the configured proposal in the Proposals tab, as with clients connecting with SonicWALL GVC. This option has no effect on GVC. If the Accept Multiple Proposals for Clients option is selected, SonicOS will allow connections from other L2TP clients, such as Apple OS, Windows, or Android clients whose offered proposal is different from what is configured on the Proposals tab. The proposal is accepted if it meets the following conditions: If the offered algorithm matches one of the possible algorithms available in SonicOS. If the offered algorithm is stronger and more secure than the configured algorithm in the SonicOS proposal. If this option is not selected, SonicOS will require the client to strictly match the configured policy. This option allows SonicWALL to support heterogeneous environments for Apple, Windows, and Android clients. Using this option, SonicOS can work with these clients if their proposal includes a combination of algorithms which are supported in SonicOS, but are not configured in the policy to prevent other clients like GVC from failing.
25
Browser Support
SonicOS 5.8 with Visualization uses advanced browser technologies such as HTML5 which are only supported in the latest browsers. SonicWALL therefore recommends using Google Chrome or Mozilla Firefox browsers for administration of SonicOS 5.8. This release supports the following Web browsers: Chrome 4.0 and higher (recommended browser for dashboard video streaming) Mozilla 3.0 and higher Internet Explorer 8.0 and higher Strong SSL and TLS Encryption Required in Your Browser The internal SonicWALL Web server only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards. TIP: By default, Mozilla Firefox 3.0, Microsoft Internet Explorer 8.0, and Google Chrome enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWALL recommends using the most recent Web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0.
26
Known Issues
This section contains a list of known issues in the SonicOS 5.8.1.0 release.
Application Control
Symptom App rules remain in effect even when disabled globally. Condition / Workaround Occurs when the Enable App Rules checkbox is cleared to disable these policies globally, then an app rule is created. When traffic on the WAN interface matches the rule, the configured policy action is applied. Occurs when an application rule is created using Create Rule on the App Flow Monitor page and the Enable App Rules checkbox is not selected, which is the factory default setting. The app rule is created and functions properly, even though the Enable App Rules checkbox is disabled. Issue 101194
Related traffic configured in an application rule is blocked even though the Enable App Rules checkbox is not selected.
100120
Bandwidth Management
Symptom Traffic is dropped when the ingress or egress values for an interface are modified and traffic is passing through that interface. Condition / Workaround Occurs when modifying the ingress or egress interface values while the interface is passing traffic. Workaround: Stop traffic on the interface, and then modify the values. Occurs when creating a bandwidth management rule on the App Flow Monitor page and setting the priority to High. The App Flow Monitor page displays the created rule with a Medium priority setting, even though High was selected. Issue 101286
Bandwidth management application rules are sometimes mapped to the wrong global BWM priority queue.
100116
Firmware
Symptom The Geo-IP and Botnet Exclusion Objects do not take effect, causing DNS query packets to be incorrectly dropped. Condition / Workaround Occurs when enabling the checkbox for Block All Connections to/from Following Countries, selecting all countries, and entering DNS Servers into the Exclusion Object. When a web page is accessed and the packet monitor is used to capture packets, you can see that all DNS query packets are dropped by the Geo-IP filter. Issue 100010
27
High Availability
Symptom With Active/Passive High Availability enabled with probing, and the primary WAN interface configured with a redundant port, the primary WAN interface and all routes to this subnet are marked as down when the primary port stops working. Condition / Workaround Occurs when HA is enabled with probing and the primary WAN interface is configured with a redundant port. If the link for the active port goes down, Load Balancing (enabled by default) will change the status of the primary WAN interface to Failover. All routes to the primary WAN subnet will be marked as down and traffic destined to the subnet will fail. However, traffic will still succeed to any destination that is on the far side of the default gateway of the primary WAN interface, by using the redundant port. Workaround: Disable Load Balancing or HA probing. Issue 97883
Networking
Symptom Configuring more than one remote appliance with a tunnel interface and OSPF could result in dropped routes. Condition / Workaround Occurs when an additional remote appliance is configured with a tunnel interface and OSPF is enabled. Issue 102961
VPN
Symptom Sometimes, the secondary IPSec gateway is unable to establish a tunnel with a peer if the primary gateway is unreachable. Having multiple tunnel interface policies with the same IPSec gateway but different ports configured on the firewall can cause only one tunnel to be active. Condition / Workaround Occurs when there are two SonicWALL devices with VPN configured and the cable from the secondary gateway is unplugged. Occurs when there are two or more tunnel interface policies using the same IPSec gateway and those interfaces are bound to different ports. Issue 103935
103398
28
Resolved Issues
This section contains a list of resolved issues in the SonicOS 5.8.1.0 release.
Application Control
Symptom Application control rules were not applied to users logged in using Terminal Server Agent (TSA) even though the rule was configured with user group Everybody or Trusted. Condition / Workaround Occurred when a SonicWALL security appliance was configured for authentication with LDAP and Single Sign-On for TSA. A CFS type application control policy or an application list was applied to all users, and then the policy was changed to apply only to a specific user group. Traffic was not blocked for users in the group even though the user was correctly identified as a member of the group. This also occurred with IPS or AntiSpyware policies for TSA users. Issue 100646
Firmware
Symptom The Geo-IP DNS server could not resolve the selected location and the error message: Failed to Resolve Location is displayed. Condition / Workaround Occurred when navigating to Security Services > Geo-IP and Botnet Filter, selecting a country, and entering a DNS Server IP for lookup. Issue 99738
High Availability
Symptom HTTP and PING management access to the backup unit port X0 over VPN would fail, while management access to port X0 on the primary unit and to the logical IP address for the HA pair would pass. UDP connections were incorrectly synchronized to use the TCP connection timeout value on the secondary appliance. An interface used its own physical MAC address instead of the correct Virtual MAC address. Condition / Workaround Occurred when two NAT policies were added to an HA pair with HTTP and Ping management enabled on both the backup and primary X0 interfaces. The NAT policies did some translation involving the HA backup and HA primary X0 IP addresses. Occurred when the primary appliance failed to reboot, the secondary appliance would start with incorrect values. The system should start with UDP timeout values, NOT the TCP values. Occurred when the interface was initially configured as a redundant port to another interface before Virtual MAC was enabled. After enabling Virtual MAC, the interface was removed from port redundancy grouping. Issue 103126
101511
98117
Networking
Symptom Web-proxy does not work with multiple WAN configuration. All the traffic passing through the firewall is stopped and the log message: Malformed or Unhandled IP Packet Dropped . Condition / Workaround Occurred when a NAT policy was not autogenerated for multiple WAN interfaces. Occurs when running two paired interfaces in Wire Mode and setting the type to Secure. After rebooting an NSA 6500, traffic is allowed to pass Issue 101513 101422
29
through the firewall. However, on the SuperMassive the Secure Wire Mode traffic still seems to stop even after a reboot. The added application rules are not correctly blocking traffic passing through the Wire Mode interfaces. Occurs when configuring two interfaces in Secure Wire Mode and creating an application rule to reset the traffic for FTP download of a .pl file extension. The log for Wire Mode interfaces shows the traffic as violating the rule, but the file is still downloaded successfully. Occurred when using OSPF in a PPPoE environment. OSPF v2 was enabled, with Originate Default Route When WAN is UP selected, then a second firewall was connected which had OSPF enabled. Occurred when the source interface was in a zone other than LAN. The configuration included a loopback interface on the router, and a static route on a client host causing pings to the loopback address to be redirected to the gateway address. The redirect occurred when the interface was in the LAN zone, but failed after changing the zone to DMZ. 101282
OSPF was not sending the default route as part of its routing update.
99260
The firewall was not sending ICMP redirect messages to the gateway IP address, as configured.
89672
User Interface
Symptom An error message was displayed indicating that the admin user could not login via HTTPS. Condition / Workaround Occurred when an admin user tried to login to the management system using HTTPS the error HTTPS Admin Login Not Allowed From Here would be displayed. Issue 99184
Users
Symptom LDAP authentication fails for sub-domain users, causing the error "LDAP authentication failed". Condition / Workaround Occurs when sub-domain trees are successfully imported on the LDAP->Directory tab, then a subdomain user attempts to access a resource via the firewall. Occurred when a website was accessed via HTTPS after enabling SSL Client Inspection and choosing 'Trusted users' as included in the DPISSL > Client SSL page. Issue 103356
Single Sign-On authentication was not triggered for users included under DPI-SSL.
101041
Wireless
Symptom Connecting an iPad to the internal wireless radio on the appliance caused management access to fail and the appliance to stop broadcasting the SSID. Condition / Workaround Occurred when an iPad user associated to the appliance using the internal wireless radio. Management through HTTP/HTTPS/SSH would fail on all zones. Other traffic was interrupted, but would still pass. Issue 101976
30
31
32
7.
33
34
35
36