Sonicwall Download Configuration

0 views
Skip to first unread message

Maral Mende

unread,
Aug 3, 2024, 5:31:56 PM8/3/24
to cieginkzosar

I have a TZ500 that hangs every 2-3 months or so and requires a hard reboot. After the reboot it has usually lost all configuration and settings need to be imported back. Afterwards it again works fine before it eventually happens again.

Has anyone seen this? Somehow either the settings must be corrupted, the firmware version is buggy or someone is crashing the unit through SSL-VPN portal perhaps using the recently revealed vulnerability.

This has been quite an annoyance. The unit will be upgraded soon to a TZ670 but I'm afraid the problem might transfer again unless I do all configuration manually from scratch. The TZ500 will be reset and repurposed so hopefully it stops there for that unit.

The only time I've seen the units lose their config entirely is due to power surges or faulty power supplies, When you recieved your replacement TZ500 did you also replace the Power supply or just use the exsisting one ?

I would recommend just connecting via SSH and copy and paste the sections in one section at a time no more than 50 lines at a time, also you will need to manually go through the Address objects and Address groups as when the CLI exports they are in the wrong order, you need to make sure all the IPv4 and IPv6 Address objects are added before attempting to import the Address object groups, you also need to delete all the lines which start with UUID, and any default rules, there is a lot you can ommit from the file also like logging settings, default Applications rule categories etc....

Ok. The TZ670 will be in use before I have time to observe if the update fixes the issue, so I guess I'll just see with TZ670 if the problem transfers over or not. I could do the configuration again through CLI but I suspect SonicOS 7 has changed syntax so a simple copy-paste probably won't work.

That's great info. I actually didn't replace the power supply so that could explain it. I'll make sure to replace it when I repurpose the appliance as I have the new one delivered with the replacement unit.

Surprise, the X1 Https management was not enabled on the new TZ370 but I had my old access rules as default rules and When I enabled the Https management again on X1 (TZ370), new firewall access rule was added, and when I tried to change the source address I could not because of duplicated rule.

However, the migration would not work with the TZ370 firmware at 7.0.0. I attempted it several times (reset to factory default & import new migration created configuration) but every time the TZ370 would become unresponsive. I also tried to do a manual setup, which went fine until I changed something it didn't like, and it became unresponsive again. I'm still not sure what change caused the problem. Finally, I decided to update the TZ370 firmware to 7.0.1. After that the migration went smoothly and it appears that all settings are correct on the TZ370.

the only time I've seen this and the only thing that could possibly cause this, is if on your original configuration you have Enforce password complexity or OTP enabled on your previous configuration file, as otherwise you are not normally prompted to change the password when logging in for the first time after importing a config file, as you know the config file doesn't contain the password but it does contain the password settings,

I would think very carefully before selecting Wipe Device unless you has a SonicWall Serial Cable handy and the correct image file from Support to put the firmware back on, you should only need the Factory Reset at most, you should never select Wipe Device unless SonicWall Support ask you to.

The reason Wipe device is an option is if you want securely wipe the device and remove everything from the appliance before selling or scrapping the device, as this was not an option on previous Generation appliances, so if you had created a backup on Gen 6 and then you Factory Default the appliance the settings backup was still there with no option to remove it, technically you could just factory reset the appliance then create another backup which would then overwrite the original, but with the option on Gen7 you are making sure there isn't anything left on there that could include sensitive data.

if it is the case that your original config file did contain password complexity requirements just log in to the original Gen 6 appliance under Administration/Login Security and disable the settings before exporting the config file, you might want to also enable SSH on the X0 Interface also before export just in case you need another way in.

And as I said I see the login page, enter the default credentials (as it is after every migration) and then I am beeing asked to enter my new admin password (as usually) but after that I get this non specific error

SSH isnt available on that port - since I uploaded my ol FWs config X0 subnet is identical to the productrion network, so it is not connected and the additional Port I use for configuration SSH is disabled

Hi @blublub, even if it turns out to be that you are not enforcing any Password restrictions, it does sound like there is corruption with the original config file, in this case I would recommend just manually rebuilding the config on the new appliance from scratch.

Hello

I am doing a migration from a Sonicwall device to a Palo device and I am not finding any migration tools that can help me. Does anyone know of a tool that will migrate from Sonicwall to PAN?

Probably not what you were hoping to hear, and I'll redibly admit it doesn't help answer your question, but I would personally take the time to rebuild the configuration during a migration. I say this for two reasons; the first being that you don't have to go back and 'Palotize' the configuration at a later date, and the second being you can take the chance to verify there are no un-needed configuration statements that get moved over.

As far as actually moving over a sonicwall configuration as you've already noted the migration tool does not include a sonicwall option. Sonicwall has been a very popular request as far as adding it to the migration tool goes, it simply hasn't been done yet. If you are comfortable working with XML I would suggest modifying the actual configuration file directly, it makes migrations like this a little faster in my experience.

In Sonicwall, you have to configure both the syslog server as well as the individual events you want to be sent via syslog, and it is a very extensive list. Here are some screenshots of my sonicwall config.

is anyone running Asterisk pbx on a sonicwall.i currently use a Sonicwall tz300 and although once working i am now unable to receive incoming calls.i can make outgoing calls therefore i am now thinking this is firewall related, the pbx server sits on the lan but then routes out through a seperate gateway.is anyone able to provide a screenshot of their firewall/nat rules to highlight where i might be going wrong.?

If the ITSP is the only outside SIP Source/Destination, switching it to X3 will fix the problem - If you have SIP clients connecting to the the PBX through X1 (Outside -> X1-IP -> PBX) then you are going to have to get trickier and create Static Routes on the SonicWALL that say when any traffic is destined for the ITSP, use X3.

Ok - That was weirding me out there - so from your PBX, do a traceroute to the IP of the TRUNK you are sending the traffic to - for example, for Vitelity in my trunk definition for the outbound leg, I have

Although you have a much better Round Trip Time to it than I do - so that dedicated router is working, and moreover, your SonicWALL is routing the traffic that direction - so I think your LAN and Firewalls are working correctly and are correctly set up - Congrats.

So the next step would be a simple Packet Capture - Start capturing on the PBX, initiate a call out to them and then stop the capture and open it up in Wireshark - look at the SIP Flow and I am willing to bet you are going to see a reject from them for either a bad secret, or a rejected Source IP.

I'm trying to provision SonicWall Mobile Connect Client 4.0.12.
Our clients are locked down and when I try and configure the VPN client, I get an error from the VPN software saying Administrator Access Only.
Has anyone done this successfully and if so - how?
Thanks.

@boberito @llitz123 I have Mobile Connect deploying via Self Service and the App Store and I have a config profile successfully setting it up.
My problem is that the app still requires administrator access on first run.

I've been trying to capture it and figure out what is being modified that would need access but no luck so far.
It does mess with the kernel extensions and that may be it but I can't replicate it.

@boberito Nothing different than I'm sure you probably tried.
Added the SonicWALL app from the App Store to Self Service.
Then added a configuration profile with the VPN payload for SonicWALL.

Honestly I strangely never thought to do both. I tried 1 or the other. I figured if I pushed a configuration profile I didn't need the App. But the profile configures the app it sounds like (or partially). And I tried to configure things using plists and nonsense like that.

c80f0f1006
Reply all
Reply to author
Forward
0 new messages