sonicwall™ sonicos 6.2.7software.sonicwall.com/firmware/documentation/232-00… ·  ·...

Click here to load reader

Post on 28-Apr-2018

215 views

Category:

Documents

2 download

Embed Size (px)

TRANSCRIPT

  • SonicWallSonicOS6.2.7.1ReleaseNotesMarch2017

    ThesereleasenotesprovideinformationabouttheSonicWallSonicOS6.2.7.1release.

    Topics:

    AboutSonicOS6.2.7.1

    SupportedPlatforms

    NewFeatures

    Enhancements

    ResolvedIssues

    KnownIssues

    SystemCompatibility

    ProductLicensing

    UpgradingInformation

    SonicWallSupport

    AboutSonicOS6.2.7.1SonicWallSonicOS6.2.7.1providesimportantnewfeaturesandfixesmanyknownissuesfoundinpreviousreleases.Formoreinformation,seetheNewFeaturesandResolvedIssuessections.

    SupportedPlatformsSonicOS6.2.7.1issupportedonthefollowingSonicWallappliances:

    SuperMassive9600 NSA6600 TZ600

    SuperMassive9400 NSA5600 TZ500/TZ500Wireless

    SuperMassive9200 NSA4600 TZ400/TZ400Wireless

    NSA3600 TZ300/TZ300Wireless

    NSA2600 SOHOWireless

    SonicWallSonicOS6.2.7.1ReleaseNotes

    1

  • NewFeaturesThissectiondescribesthenewfeaturesintroducedinSonicOS6.2.7.

    Topics:

    HighAvailability

    PPPoEUnnumberedInterfaceSupport

    VendorOUIDetectionandLogging

    DellXSeriesSwitchIntegrationFeatures

    DPISSH

    SupportforpcapNG

    TSRFTPforPeriodicBackup

    CustomListsforGeoIPandBotnet

    SIPUDPFragmentationFixes

    SystemLogsonAppFlowServerviaIPFIX

    NAT64:StatefulNATfromIPv6ClienttoIPv4Server

    DNSProxy

    FQDNRouting

    MaximumRoutesDoubled

    MaximumZonetoZoneAccessRulesIncreased

    FlowReportingusingIPFIXExtensionVersion2

    SyslogServerProfiling

    IPv6Support

    DPISSLIncreasedConnectionCountsandEnhancements

    OpenAuthenticationSocialLogin

    UpdatedSonicPointFirmware

    SonicPointRadiusAccounting

    31BitNetwork

    ThreatAPI

    BiometricAuthentication

    VPNAutoProvisioning

    HighAvailabilitySonicOS6.2.7introducestwonewfeaturesintheareaofHighAvailability:

    HAsupportwithDynamicWANinterfaces

    InSonicOS6.2.7,PPPoEcanbeenabledoninterfacesinHAActive/Standbymode.

    AftertheactiveunitconnectstothePPPoEserver,itsynchronizesthePPPoEsessionIDandservernametotheidleunit.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    2

  • Duringafailover,theactiveunitterminatesthePPPoEHAconnectionontheclientsidebytimingout.ThesecondaryunitthenterminatestheoriginalconnectionontheserversideandstartsanewPPPoEconnection.

    WhenHighAvailabilityisenabledandoneinterfaceisconfiguredasPPPoEUnnumbered,thefollowingsettingsarerequired:

    IntheHighAvailability>Settingsscreen:

    SelecttheEnableVirtualMACcheckbox

    CleartheEnablePreemptModecheckbox

    IntheHighAvailability>Monitoringscreen:

    SelectEnablePhysical/LinkMonitoring

    SetthePrimaryandSecondaryIPaddressfieldsto0.0.0.0

    Clearallothercheckboxes

    HAStatefulSynchronizationsupportforDHCP

    DHCPcannowbeenabledoninterfacesinHAmode.ThisfeatureissupportedinbothActive/Standby(nonstateful)andStatefulSynchronizationmode.

    OnlytheactiveunitcangetaDHCPlease.ItsynchronizestheDHCPIPaddressalongwiththeDNSandgatewayaddressestotheidleunit.TheDHCPclientIDisalsosynchronized,allowingthisfeaturetoworkevenwithoutenablingVirtualMAC.

    Duringafailover,theactiveunitreleasestheDHCPleaseandthesecondaryunitrenewstheDHCPleaseusingtheexistingDHCPIPaddressandclientIDasitbecomestheactiveunit.TheIPaddressdoesnotchange,andnetworktraffic,includingVPNtunneltraffic,continuestopass.

    IftheactiveunitdoesnothaveanIPaddresswhenfailoveroccurs,thesecondaryunitstartsanewDHCPdiscover.

    PPPoEUnnumberedInterfaceSupportAPPPoEUnnumberedinterfaceallowsyoutomanagearangeofIPaddresseswithonlyasinglePPPoEconnection.TheInternetServiceProvider(ISP)providesmultiplestaticIPaddressesthatcanbeallocatedwithinasubnet.Thefirstaddressisdesignatedasthenetworkaddress,andthelastoneasthebroadcastaddress.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    3

  • StartbyconfiguringthePPPoEclientsettingsonaWANinterface:

    TheUnnumberedPPPoEinterfaceisconfiguredonadifferentinterface:

    1 ForZone,selectLAN,DMZ,orcreateanewzone.

    2 ForMode/IPAssignment,selectIPUnnumbered.

    3 ForIPAddress,entertheaddressprovidedbyyourISP.UsuallyitisthesecondIPaddressassignedbytheprovider.ThesubnetmaskisalsoassignedbytheISP.

    Notes:

    ThedefaultMTUofPPPoEis1492.

    TochangeX3toanothermodewhenX2unnumberedtoX3isconfigured,firstterminatetherelationshipwithX2bychangingX2toanothermode.Otherwise,ifyouchangetheIPaddressormaskofinterfaceX3,itcausesX3toreconnecttothePPPoEserver.

    IfX3issetasunnumberedinterface,otherinterfacescannotconnecttoX3usinganL2Bridge.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    4

  • IfHighAvailabilityisenabled,HighAvailability>SettingsisconfiguredasshownbelowwithUnnumberedPPPoE:

    Asamplenetworktopologyisshownbelow:

    Inthistopology,X2isthePPPoEunnumberedinterfaceandX3isanunnumberedinterface.

    SonicOSaddstworoutes:

    SonicWallSonicOS6.2.7.1ReleaseNotes

    5

  • SonicOSalsoaddstwoNATpolicies:

    AmanuallyaddedNATpolicywouldhavesettingssuchas:

    VendorOUIDetectionandLoggingEverywiredorwirelessnetworkingdevicehasa48bitMACaddressassignedbytheirhardwaremanufacturers.Anorganizationallyuniqueidentifier(OUI)isa24bitnumberthatuniquelyidentifiesavendor,manufacturer,orotherorganizationgloballyorworldwide.ThefirstthreeoctetsoftheMACaddressaretheOUI.

    InSonicOS6.2.7,thisinformationisusedtoprovideaVendorcolumninthefollowingtables:

    Dashboard>ConnectionsMonitor

    Dashboard>LogMonitor

    Dashboard>AppFlowMonitor

    Network>ARP

    Network>NeighborDiscovery

    Network>MACIPAntispoof

    Network>DHCPServer

    Network>IPHelper

    Switching>L2Discovery

    Switching>LinkAggregation

    VPN>DHCPoverVPN

    Wireless>Status

    SonicWallSonicOS6.2.7.1ReleaseNotes

    6

  • Wireless>IDS

    SonicPoint>StationStatus

    SonicPoint>RFAnalysis

    SonicPoint>IDS

    DellXSeriesSwitchIntegrationFeaturesSonicOS6.2.7providesseveralenhancementsandnewfeaturesforDellXSeriesintegration:

    PortShieldandHighAvailability

    DellXSeriesintegrationpreviouslysupportedSonicOSPortShieldfunctionalityinHAmodeusingDedicatedUplink(s).InSonicOS6.2.7,supportforPortShieldfunctionalityinHAmodeisavailableusingCommonUplink.

    Inthisconfiguration,alinkbetweentheactive/standbyfirewallandtheXSeriesswitchservesasacommonuplinktocarryallthePortShieldtraffic.InthisconfigurationfirewallinterfaceswhichserveasPortShieldhostsshouldbeconnectedtoaseparateswitchandnotthesameXSeriesswitchconnectedtotheactiveandstandbyunits.ThisistoavoidloopingofpacketsforthesamePortShieldVLAN.ThePortShieldmemberscanbeconnectedtoportsontheXSeriesswitchwhichiscontrolledbytheactive/standbyfirewall.

    SinglePointofManagementoverCommonUplinkforVLANTraffic

    DellXSeriesintegrationpreviouslysupportedVLANsinaDedicatedUplinkconfiguration.InSonicOS6.2.7,VLANsarealsosupportedwithCommonUplink.ThisallowsasinglelinkbetweenthefirewallandtheXSeriesswitchtocarrymanagementtrafficofthefirewallmanagingtheXSeriesswitchplusPortShieldtrafficfortheInterfaceDisambiguationviaVLAN(IDV)VLANscorrespondingtothefirewallinterfacesplustrafficfortheVLANsubinterfacespresentundertheCommonUplinkinterface.

    IncreaseXSeriesSwitchMaximumtoFour

    InpreviousSonicOSreleases,aSonicWallfirewallcouldbeprovisionedforamaximumoftwoXSeriesswitches.InSonicOS6.2.7,amaximumoffourXSeriesswitchesissupported.AllfourXSeriesswitchesmustbedirectlyconnectedtothefirewallappliance.DaisychainingofXSeriesswitchesisnotyetsupported.

    SupportforSonicWallNSAandSuperMassive

    InSonicOS6.2.7,supportfortheXSeriessolutionisextendedtoincludeSonicWallNSAandSuperMassiveappliances,withtheexceptionoftheNSA2600.ThefollowingSonicWallplatformsarenowsupported:

    NOTE:OverlappingVLANscannotexistunderapplianceinterfacesconfiguredasdedicateduplinksorcommonuplinkstothesameswitch.ThisisbecausetheVLANspaceisglobalontheXSeriesswitch.

    NOTE:PortShieldofExtendedSwitchInterfacestoCommonUplinkInterfaceswithoutselectinganyVLANsforaccess/trunkconfigurationisnotsupported.

    SuperMassive9600 NSA6600 TZ600

    SuperMassive9400 NSA5600 TZ500/TZ500Wireless

    SuperMassive9200 NSA4600 TZ400/TZ400Wireless

    NSA3600 TZ300/TZ300Wireless

    SonicWallSonicOS6.2.7.1ReleaseNotes

    7

  • DPISSHSonicOS6.2.7introducestheDPISSHfeature.DPISSHinspectsthedatatraversingthefirewallinanSSHtunnel.

    SSH,orSecureShell,isacryptographicnetworkprotocolforsecurenetworkcommunicationandservicesbetweentwonetworkedcomputers.Itconnects,viaasecurechanneloveraninsecurenetwork,aserverandaclientrunningSSHserverandSSHclientprograms,respectively.SSHisnotonlyashell,butactsasasecurechannel.Itcanprovidedifferentservicesoverthistunnel,includingshell,filetransferorX11forwarding.

    SonicOSsupportsSSH2.SSH1sessionswillnotbeinterceptedandinspected.IftheSSH1bannermessagecontainsanonconformingSSHversionnumber,itwillbetreatedasabadprotocolanddropped.

    DPI,orDeepPacketInspection,examinesthedatapart(andpossiblyalsotheheader)ofapacketasitpassestheSonicWallfirewall.Itsearchesforprotocolnoncompliance,viruses,spam,intrusions,ordefinedcriteriatodecidewhetherthepacketmaypass.

    DPISSHdecryptsincomingSSHpacketsandsendsthemtotheDPImoduleforinspection.AftercompletionofDPIinspection,itreencryptsthepacketagainandsendsthepackettothedestination.Ifthedata/packetdoesnotpasstheDPIinspection,DPISSHresetstheconnection.

    DPISSHprovidesinclusion/exclusioncriteriatoinspectorbypasscertainkindsoftraffic.TheSonicOSadministratorcanmodifythecriteriaontheDPISSH>Configurescreen.

    DPISSHsupportsbothroutemodeandwiremode.Forwiremode,DPISSHisonlysupportedinthesecure(activeDPIofinlinetraffic)mode.Forroutemode,thereisnolimitation.

    DPISSHsupportsthefollowingclients:

    SSHclientforCygwin

    Putty

    secureCRT

    SSHonUbuntu

    SSHoncentos

    SFTPclientforCygwin

    SCPonCygwin

    Winscp

    DPISSHsupportsthefollowingservers:

    SSHserveronFedora

    SSHserveronUbuntu

    DPISSHsupportsthefollowingkeyexchangealgorithms:

    Diffiehellmangroup1sha1

    Diffiehellmangroup14sha1

    ecdhsha2nistp256

    Notes:

    IfthereisalreadyanSSHserverkeystoredinthelocalmachine,itmustbedeleted.Forexample,ifyoualreadySSHtoaserver,andtheserverDSSkeyissaved,theSSHsessionwillfailiftheDSSkeyisnotdeletedfromthelocalfile.

    Thesshkeygenutilitycannotbeusedtobypassthepassword.

    PuttyusesGSSAPI.ThisoptionisforSSH2only,whichprovidesstrongerencryptedauthentication.Itstoresalocaltokenorsecretinthelocalclientandserverforthefirsttimecommunication.ItexchangesmessagesandoperationsbeforeDPISSHstarts,soDPISSHhasnoknowledgeaboutwhateverwasexchangedbefore,includingGSSAPItoken.DPISSHwillfailwiththeGSSAPIoptionenabled.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    8

  • Ontheclientside,eithertheSSH2.xor1.xclientcanbeusedifDPISSHisenabled.However,clientswithdifferentversionnumberscannotbeusedatthesametime.

    GatewayAntiSpywareandApplicationFirewallinspectionsarenotsupportedeveniftheseoptionsareselectedintheDPISSH>Configurescreen.

    SupportforpcapNGSonicOS6.2.7providesanoptiontoexportthepcapNGfileonthepacketmonitoruserinterface.ThepcapNGfilecanbedirectlyopenedbyWiresharkandthenewPacketcommentssectionisdisplayed.

    Inpreviousreleases,packetmonitorexportsupportspcap,buttheadministratormustexportpcap,HTMLandtexttofindoutthelinenumber,ininterface,outinterface,andthefunctionnamewhichactedonthepacket.ThisdataisnowavailablebyexportingasinglepcapNGfile.

    TheDashboard>PacketMonitorscreenprovidesanewoptiontoexportthepcapNGfile.

    WhenthefileisopenedinWireshark,thenewPacketcommentssectionisdisplayed.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    9

  • TSRFTPforPeriodicBackupThisfeatureallowsadministratorstosendtheconfigurationsettings(prefs)andtechsupportreport(TSR)toaspecifiedFTPserver.AdminscanconfigureascheduleforperiodicbackupofthisinformationtotheFTPserver.

    ToenablescheduledprefsandTSRbackups:

    1 NavigatetotheSystem>Settingspage.

    2 ClicktheSendbyFTPbutton.TheScheduleReportspagedisplays.

    3 SelecttheSendTechReportbyFTPcheckboxtosendTSR.

    4 SelecttheSendSettingsbyFTPcheckboxtosendprefs.

    5 EntertherequiredinformationfortheFTPserver.

    6 ClicktheSetSchedulebuttontodefineastartschedule.

    7 ClickOKandthenclickApply.

    CustomListsforGeoIPandBotnetSonicOS6.2.7providesnewoptionstoconfigureacustomcountrylistforGeoIPFilterandacustombotnetlistforBotnetFilter.

    AnIPaddresscanbeassociatedwithawrongcountry.Thiskindofmisclassificationcancauseincorrect/unwantedfilteringofanIPaddress.Havingacustomcountrylistcansolvethisproblem.ThecustomcountrylistoverridesthefirewallcountryassociatedwithaparticularIPaddress.

    Similarly,anIPaddresscanbewronglymarkedasbotnet.AcustombotnetlistcanoverridethebotnettagforaparticularIPaddress.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    10

  • TheSecurityServices>GeoIPFilterpageischangedforthisnewfeature,andhasfourtabswithvariousconfigurationsettingsoneach.

    TheSecurityServices>BotnetFilterpageissimilarlychangedforthisnewfeature,alsowithfourtabs.

    SIPUDPFragmentationFixesInpreviousreleases,theSIPtransformationdesignandimplementationdoesnothandlefragmentedSIPpacketstransportedinUDPmode.ASIP/UDPsignalingpacketisfragmentedwhentheSIPpayloadlengthisgreaterthanthemaximumMTUsizeofthenetworkminusthesizeoftheSIPpacketheaders.Forexample,foracommonlyacceptedmaximumMTUsizeof1514bytes,iftheSIPsignalingpacketpayloadlengthexceeds1472bytes,theSIPpacketisdroppedbySonicOS.

    InSonicOS6.2.7,SIP/UDPpayloadlengthisnotrestrictedbytheunderlyingMTUsizeonthenetwork.Thissupportiscompletelytransparenttousers.Noconfigurationisrequired.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    11

  • SystemLogsonAppFlowServerviaIPFIXInSonicOS6.2.7,systemlogscanbesenttoanexternalserverviaIPFIXpacketsandthensavedintothedatabaseonthedisk.ThelogsonlyincludetheoneswhicharereportedWITHOUTconnectioncache.UserscanedittheconfigurationintheLog>Settingspagetoindicatewhichlogeventsshouldbesent.

    Systemlogsincludeeventsthataretypicallynotdependentontrafficflowingthroughthefirewall.Sucheventsaremostlyflow(session/connection)relatedevents.

    Systemlogstypicallyinclude,butarenotlimitedto:

    Interfacestatechange

    Fanfailure

    Userauthentication

    HAfailoverandfailback

    Tunnelnegotiations

    Systemeventssuchasconfigurationchanges

    Configurationoptionsforthisfeatureareonthesepages:

    AppFlow>FlowReporting>ExternalCollectortab:

    Animportantstepissendlogpropertiesandsomefieldsoflogsettingstotheexternalcollector.MakesuretheconnectionbetweenSonicOSandtheexternalcollectorserverisreadybeforeclickingtheSendAllEntriesbuttontosendthesettings.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    12

  • Clickthebuttonagaintosyncthesettingsinthefollowingcases:

    SonicOSisupgradedwithsomeNEWaddedlogevents.

    TheconnectionbetweenSonicOSandtheexternalserverhasbeendownforsometimeandlogsettingsmighthavebeeneditedintheperiod.

    AppFlow>FlowReporting>GMSFlowServertab:

    EnableLogsintheIncludeFollowingAdditionalReportsviaIPFIXdropdownlist.

    ClicktheSynchronizeLogSettingsbuttonwhenready.

    AppFlow>FlowReporting>AppFlowServertab:

    EnableLogsintheIncludeFollowingAdditionalReportsviaIPFIXdropdownlist.

    ClicktheSynchronizeLogSettingsbuttonwhenready.

    NAT64:StatefulNATfromIPv6ClienttoIPv4ServerAsaNAT64translator,SonicOS6.2.7allowsanIPv6onlyclientfromanyzonetoinitiatecommunicationstoanIPv4onlyserverwithproperrouteconfiguration.ItmapsIPv6addressestoIPv4addressessothatIPv6trafficchangestoIPv4trafficandviceversa.IPv6addresspools(representedasAddressObjects)andIPv4addresspoolsarecreatedtoallowthemapping.AnIP/ICMPtranslationalgorithmisimplementedtotranslatepacketheadersbetweenIPv6andIPv4.TheIPv4addressesofIPv4hostsaretranslatedtoandfromIPv6addressesbyusinganIPv6prefixconfiguredinSonicOS.ADNS64serverisconfiguredintheIPv6onlyclient,whichcreatesAAAArecords(IPv6records)withArecords(IPv4records).SonicOSdoesnotactasaDNS64server.

    ThisfeatureprovidesawayforadministratorstoconfigureaNAT64policyinthesamewayasaregularNATpolicy.Inthepolicy,byconfiguringtranslateddestinationtoOriginalina6to4policy,SonicOSwillautomaticallytranslateIPv4convertedIPv6addressestoIPv4addresses.WhenaddingapolicyfromtheNetwork>NATPoliciespage,selectNAT64OnlyfortheIPVersionfield.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    13

  • InSonicOS,anAddressObjectofNetworktypecanbeconfiguredtorepresentalladdresseswithpref64::/ntorepresentallIPv6clientwhichcandoNAT64.Pref64::/ndefinesasourcenetworkwhichcangofromanIPv6onlyclientthroughNAT64toanIPv4onlyclient.

    Awellknownprefix,64:ff9b::/96,isautocreatedbySonicOS.

    PacketsfromanIPv6clientareoriginallyfromtheLANzone,butappeartobefromtheWANzoneafterbeingtranslatedbytheNAT64policy.TopreventSonicOSfromdroppingthesepacketsinsomecases,anewWANtoWANallowrulepolicyshouldbecreated,suchas:

    Notes:

    NAT64currentlyonlytranslatesunicastpacketscarryingTCP,UDP,andICMPtraffic.

    NAT64currentlysupportsFTPandTFTPapplicationlayerprotocolstreams.ItcurrentlydoesnotsupporttheH.323,MSN,Oracle,PPTP,RTSP,andRealAudioapplicationlayerprotocolstreams.

    NAT64currentlydoesnotsupportIPv4initiatedcommunicationstoasubsetofIPv6hosts.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    14

  • DNSProxySonicOS6.2.7supportsDNSproxytoallowIPv4clientstoaccessDNSservicesinanetworkwithmixedIPv4andIPv6.

    Inanormaldeployment,anIPv4interfacecandonameresolutiononIPv4internet,andanIPv6interfacecanonlydonameresolutiononIPv6internetthroughDNSproxy.

    AnewpageisaddedtotheSonicOSwebmanagementinterface,Network>DNSProxy.

    SelecttheEnableDNSProxycheckboxtogloballyenablethefeature.

    TherearetwomodesforDNSproxy:IPv4toIPv4,andIPv4toIPv6.ThedefaultmodeisIPv4toIPv6,meaningthatthefirewallredirectsqueriesfromclientstoupstreamIPv6DNSservers.ForIPv4toIPv4,thefirewallredirectsthequeriestoupstreamIPv4DNSservers.

    DefaultoptiononDNSproxyprotocolisUDPandTCP,whichmeanswhenDNSqueryissentoverTCP,itwillbeproxiedandretransmittedtooutsideDNSserversoverTCP.

    ThecheckboxEnforceDNSProxyForAllDNSRequestsisanenhancedoptionforDNSproxy.Whentheoptionisselected,othertypesofDNSquerieswillbehookedbytheDNSproxymodule,includingstackDNSpacketssentbySonicOS,andforwardingDNSquerieswithdestinationaddressofoutsideDNSservers.

    InterfaceConfigurationandAllowRulesSonicOS6.2.7supportstheDNSproxyfeatureonphysicalinterface,VLANinterface,orVLANtrunkinterface,andthezoneforeachinterfacecanonlybeLAN,DMZorWLAN.

    IntheAdvancedtaboftheinterfaceconfigurationpage,thereisacheckboxnamedEnableDNSProxywhentheinterfacepermitsconfiguringDNSproxy.

    WhenDNSproxyisenabledonaninterface,oneAllowRuleisautoaddedbySonicOSforUDPwiththesettings:Fromtheinterfacetotheinterface,sourcewithanyanddestinationwiththeinterfaceIP,servicewithDNS,andenablemanagement.WhenDNSProxyoverTCPisenabled,anotherAllowRuleisautoadded.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    15

  • DHCPWhenDNSproxyisenabledonaninterface,thedeviceneedstopushtheinterfaceIPasDNSserveraddresstoclients,sotheSonicOSadministratorneedstoconfiguretheDHCPservermanuallyandusetheinterfaceaddressastheDNSServer1addressintheDHCPserversettingsontheDNS/WINStab.TheInterfacePrepopulatecheckboxintheDHCPpagemakesthiseasytoconfigure;iftheselectedinterfacehasenabledDNSproxy,theDNSserverIPisautoaddedintotheDNS/WINSpage.

    DNSCacheIntheNetwork>DNSProxypage,theDNSCachefunctioncanbeenabledbyselectingtheEnableDNSCachecheckbox;thedefaultsettingisenabled.

    Whenenablingthefunction,SonicOScachestheanswersfromDNSresponsesduringtheDNSProxyprocess,andwilldirectlyrespondtoclientsifasubsequentDNSquerymatchestheDNScache.

    TherearetwokindsofDNScache:staticDNScacheanddynamicDNScache.StaticDNScachemeansthatitcanbemanuallycreatedandeditedbyusers,andneverexpires.DynamicDNScacheisaddedautomaticallyduringtheDNSproxyprocess,anditisdisplayedonlyinthewholeDNScachetable.ItstypeisDynamic,andhasTTLvalue.DynamicDNScachecanbeflushedbytheadministrator.

    SplitDNSSplitDNSisanenhancementforDNSproxy,whichallowstheadministratortoconfigureasetofnameserversandassociatethemtoagivendomainname(canbewildcard).WhenSonicOSreceivesaquerythatmatchesthedomainname,itwillbetransmittedtothedesignatedDNSserver.

    FQDNRoutingSonicOS6.2.7introducesFullyQualifiedDomainName(FQDN)supportinPolicybasedrouting(PBR).TheFQDNcanbeusedasthesourceordestinationofthePBRentry,andthePBRentrycanberedistributedtoadvancedroutingprotocols.

    Policybasedroutingisatechniqueusedtomakeroutingdecisionsbasedonpoliciessetbythenetworkadministrator.Policybasedroutingmaybebasedonthesizeofthepacket,thesourceaddress,theprotocolofthepayload,orotherinformationavailableinapacketheaderorpayload.

    TheFQDNisaddedasanaddressobject,whichcanthenbeusedwhenconfiguringthepolicy.TheFQDNobjectcancontainbothIPv4andIPv6hosts;thenumberofhostsinanFQDNobjectisvariable.ToconfigureanFQDNaddressobject,selectFQDNintheTypefieldandfillintheotherfields.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    16

  • MaximumRoutesDoubledThisfeaturedoublesthemaximumnumberofstaticanddynamicroutessupportedbySonicOS.Allplatformsshouldmaintainreasonableperformancewhileadaptingtodynamicroutingchangeswhenthemaximumnumberofdynamicandstaticrouteshasbeenexploited.TheSonicOSwebmanagementinterfacemightrespondmoreslowlyduringtheadaptationperiod.

    TheTSRdisplaysthemaximumstaticanddynamicroutes.

    MaximumZonetoZoneAccessRulesIncreasedPreviousversionsofSonicOSdonotallowtheadministratortoincreaseordecreasetheRuleTablesize.TheRuleTablesizeforalltheZoneZonepairsisfixedtoaconstantvaluebasedontheplatform.

    SonicOS6.2.7allowsflexibleRuleTablesizeforeveryZoneZonepair.TheFirewall>AccessRulespageisrefreshedandhasalayoutsimilartotheFirewall>AddressObjectspage.TheselectedZoneZoneruletablesizeisconfiguredontheFirewall>AccessRulespage.

    FlowReportingusingIPFIXExtensionVersion2SonicOS6.2.7introducessupportforIPFIXwithExtensionv2.TheflowreportingformattotheGMSFlowServer(collector)inearlierSonicOSversionsusestheIPFIXwithExtensionformat(version1)bydefault.InSonicOS6.2.7,youcancustomizeflowreportingtoreportineitherIPFIXwithExtension(v1)orIPFIXwithExtensionv2.

    Thenewformatusesvariablelengthfields,whichismuchmorememoryefficientthansendingstaticfieldsandwillvastlyreducetheamountofinformationtransmittedoverthenetwork.

    InIPFIXwithExtensionv2,manynewfieldshavebeenaddedtoconveymoreinformationaboutthefirewall,andsomeredundantorunnecessaryfieldshavebeenremoved.TheadditionaldatainthesenewfieldswillenrichtheGMSFlowServersvisualizationcapabilities.TheGMSFlowServersupportstheIPFIXwithExtensionv2formatbeginninginSonicWallGMS8.3.SonicWallGMS8.2orearlierreleasesonlysupporttheIPFIXwithExtension(v1)format.

    TheadministratorcanselectIPFIXwithExtensionv2fortheGMSFSReportingFormatoptionintheAppFlow>FlowReportingpage,GMSFlowServertab.AsimilaroptionisaddedontheAppFlowServertab.Toseethesefields,youmustenableaninternalsetting.ContactSonicWallSupportforinformationabouthowtoenablethis.Seehttps://support.sonicwall.com/contactsupportforSupportphonenumbers.

    SyslogServerProfilingThisfeatureprovidestheabilitytoconfigurethesettingsforeachSyslogserverindependentlyinsteadofusingtheglobalsettingsforalltheservers.Inpreviousreleases,theeventsgeneratedfromallthemodulesinthesystemarereportedtoalltheconfiguredSyslogservers.Dependingonthedeployment,thisgeneratesahugeamountofSyslogtrafficandcancauseperformanceissuesorevenpacketloss.

    WithSyslogServerProfiling,thefollowingnewfunctionalityisavailable:

    SyslogmessagescanbesentusingdifferentsettingsfordifferentSyslogservers

    MaximumPolicies

    Platform MaxSizeperZoneZoneRuleTable

    SuperMassive9200/9400/9600 5000rules

    NSA2600/3600/4600/5600/6600 2500rules

    TZ300/400/500/600Series 1250rules

    SOHOWireless 250rules

    SonicWallSonicOS6.2.7.1ReleaseNotes

    17

    https://support.sonicwall.com/contact-support

  • TherecanbemultiplegroupsofSyslogservers

    DifferenteventscanbeconfiguredtobereportedtodifferentgroupsofSyslogservers

    AllthesettingsintheLog>SyslogpageexcepttheEnableNDPPEnforcementforSyslogServercheckboxcannowbeconfiguredforeachrowindependentlyintheSyslogServerstable.ThisallowstheSyslogmessagestoberenderedwithdifferentsettingsfordifferentserversandeachservercanhaveitsownRateLimitingoptions.

    ThenewlyaddedEnablecheckboxcanbeusedtoenableordisablesendingofSyslogmessagestoaspecificSyslogserver.ThesettingsforEnhancedSyslogandArcSightformatcanalsobeconfiguredindividuallyandthecorrespondingbuttonsareshownintheLog>Syslogpage.

    AllthesesettingscanbeconfiguredfromtheSonicOSwebinterfaceandfromthecommandlineinterface(CLI.)Forconvenience,theglobalsettingscanbeusedtoconfigureallservers.

    EventProfileTheEventProfileisanintegerandcanrangefrom0to23.ItcanbeusedtocombinemultipleSyslogserversintoagroup.AllSyslogserversinthegrouphavethesameProfile.Therecanbeamaximumof24groups(0to23)andsevenSyslogserverspergroup.Therefore,intotaltherecanbeamaximumof168Syslogservers.

    AnewcolumncalledEventProfileisaddedtotheSyslogServerstable.Thisnewfieldalsobelongstothegroupkeyinadditiontoservernameandport.So,insteadof,acombinationmustbeuniqueforeachrowintheSyslogServerstable.ThisallowsmultiplerowstohavesamecombinationwithdifferentProfiles.ThismeansoneSyslogservercanbepartofmultiplegroups,ifnecessary.

    TheeventsintheLog>SettingspagealsohaveaconfigurableEventProfile.TheEventProfileofaneventcanbesettoanyavailablegroup,causingtheSyslogmessagesforthateventtobesentonlytothatgroupofservers.IftheEventProfileofaneventissettoagroupthatdoesnotexistintheSyslogServerstable,thennoSyslogmessagesforthateventaresent.

    GMSTheGMSserverhasafixedSyslogFacility(LocalUse0),SyslogFormat(Default),andServerID(firewall).AlthoughtheEventProfilevalueforGMSissetto0bydefault,alleventsarereportedtoGMSirrespectiveoftheprofile.GMSisalsoexemptedfromRateLimiting.ThenewlyaddedEnablecheckboxdoesnotapply.GMScanbeenabled/disabledonlyintheSystem>AdministrationpageandnotintheLog>Syslogpage.

    WhenGMSisenabled,theGMSserverisaddedtotheEventProfile0groupintheSyslogServerstable.ItcannotbeaddedtoanyotherProfilegroups.Therefore,onlytheProfile0groupcanhave8serversintotal(7Syslogserversand1GMSserver).Allothergroupscanhaveonly7servers.TheeventsintheGMSgroupintheLog>SettingspagehaveProfile0andcannotbechanged.OthereventscanhaveadifferentProfile.

    IPv6SupportInSonicOS6.2.7,IPv6issupportedonanumberofadditionalfeatures,asshowninthissection.

    SSLControlSonicOS6.2.7introducesIPv6supportforSSLControl.Nonewoptionsorsettingshavebeenadded.BothIPv4andIPv6networktrafficisinspectedbasedonthesettingsintheFirewallSettings>SSLControlpage.

    IPv6DPISSLSonicOS6.2.7introducesIPv6supportforDPISSL.Nonewoptionsorsettingshavebeenadded.ThesettingsontheDPISSL>ClientSSLandDPISSL>ServerSSLpagesarenowappliedtobothIPv4andIPv6networktraffic.

    NOTE:TheOverrideSyslogSettingswithReportingSoftwareSettingsoptionhasbeenremoved.SincetheSyslogserverscanhavetheirownindependentsettings,thisoptionisnolongerneeded.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    18

  • IPv6NTPSonicOS6.2.7introducessupportforNTPserverswithIPv6domainnamesorIPaddresses.AdministratorscannowaddIPv6NTPserversintheNTPSettingssectionoftheSystem>Timepage.

    IPv6DNSSonicOS6.2.7introducesIPv6supportforDNS.

    TocommunicatewithanIPv6DNSserver,firstgotoNetwork>InterfacesandconfigureaWANinterfacewithanIPv6address,eitherasastaticIPorthroughDHCPv6.

    ThenontheNetwork>DNSpage,selecttheIPv6radiobuttonforViewIPVersion.ThedisplaychangestoallowinputofIPv6DNSserveraddresses,whichcanbeenteredmanuallyorobtaineddynamicallyfromtheWANzone.SelectthePreferIPv6DNSServerscheckboxtomakeSonicOSsendDNSrequeststotheIPv6DNSserversfirst,andifthatfails,sendtherequesttotheconfiguredIPv4DNSservers.

    TheDNSNameLookupdiagnostictoolontheSystem>DiagnosticspagecanbeusedtotesttheDNSservers.AllfourDNSdiagnostictoolsinpreviousreleasesarenowintegratedintoDNSNameLookup.

    IPv6MACAddressObjectSonicOS6.2.7introducesIPv6supportforMACaddressobjects.AMACaddressobject(AO)bindstothedynamicmemoryofhostIPaddresses.Itisoftenusedwhendefiningaccessrules.

    TocreateanIPv6MACAO,gototheNetwork>AddressObjectspageandclickAdd.ThenselectMACintheTypefieldandentertheIPv6MACaddressintheMACAddressfield.TheconfigurationisbasicallythesameasforanIPv4MACAO;nonewoptionsorsettingshavebeenaddedforconfiguringanIPv6MACAO.

    IPv6FQDNAddressObjectSonicOS6.2.7introducesIPv6supportforFQDNaddressobjects.

    First,configureanIPv6DNSserverontheNetwork>DNSpage.SeeIPv6DNSformoreinformationaboutthisconfiguration.

    TocreateanIPv6FQDNAO,gototheNetwork>AddressObjectspageandclickAdd.ThenselectFQDNintheTypefieldandentertheIPv6FQDNhostnameintheFQDNHostnamefield.TheconfigurationisbasicallythesameasforanIPv4FQDNAO;nonewoptionsorsettingshavebeenaddedforconfiguringanIPv6FQDNAO.

    DPISSLIncreasedConnectionCountsandEnhancementsSonicOS6.2.7increasesthenumberofDPISSLconnectionsavailableonTZ500SeriesandTZ600appliances.

    Inadditiontotheincreaseinconnectioncounts,thisfeatureprovidesthefollowingenhancementsforallplatforms:

    Stabilityfixesrelatedtoraceconditions

    Redesignoftheinitializationsequence

    Caching(bothSessioncacheandSpoofcache)enhancementsandoptimizations

    Memoryfootprintreductionperconnectionleadingtoincreasedconnectioncounts

    SonicWallSonicOS6.2.7.1ReleaseNotes

    19

  • OpenAuthenticationSocialLoginSonicOS6.2.7introducessupportforOpenAuthenticationSocialLogin.

    OAuthSocialLoginissupportedonSonicWallfirewallswithinternalwirelessandSonicPoint,inthescopeofwirelesszoneguestservices.WirelessguestservicesarewidelyusedinpublicWiFihotspotsandcorporateWiFiforguests.

    Facebook,Twitter,andGooglePlusaresupportedinSonicOS6.2.7.WithintheSonicOSscope,socialloginissupportedforwirelessguests,notforSonicOSadministratorlogin.

    ExternalAuthenticationServerTopology

    SonicOSSettingsToenablesociallogininSonicOS:

    1 EdittheWLANzoneandclicktheGuestServicestab.

    2 SelecttheEnableGuestServicesandEnableExternalGuestAuthenticationcheckboxes.

    3 ClickConfigurenexttotheEnableExternalGuestAuthenticationcheckbox.

    4 IntheSocialNetworkLoginsectionontheGeneraltabofthepopupdialog,selecttheSocialNetworkLogincheckboxandthenselectoneormoreoftheFacebook,Google,orTwittercheckboxes.

    5 OntheAuthPagestab,enterthedesiredpagenamesuchaslogin.phpintheLoginPagefield.

    6 ClickOK.

    SocialLogin Alsoknownassocialsignin,socialloginisaformofsinglesignonusingexistinginformationfromasocialnetworkingservicesuchasFacebook,Twitter,orGooglePlustosignintoathirdpartywebsiteinsteadofcreatinganewloginaccountspecificallyforthatwebsite.

    OpenAuthentication(OAuth) OAuthisanopenstandardforauthorization.OAuthprovidesclientapplicationsasecuredelegatedaccesstoserverresourcesonbehalfofaresourceowner.Itspecifiesaprocessforresourceownerstoauthorizethirdpartyaccesstotheirserverresourceswithoutsharingtheircredentials.

    NOTE:ReadtheOpenAuthenticationSocialLoginguidancefromFaceBook/Google/TwitterandSonicWallbeforeenablingthisfeature.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    20

  • SonicOSautomaticallycreatesthenecessarypassnetworkdomainsforallowingauthenticationprocesstrafficbetweentheauthenticationserverandtheuser.TheautomaticallyaddedaddressobjectgroupisnamedDefaultSocialLoginPassGroup.Thisaddressobjectgroupisappendedtothecurrentconfiguredpassnetworks,ifany,oraddedintoanewgroupnamedSocialLoginPassGroup.TheNetwork>AddressObjectspageshowstheseentries.

    FacebookSettings

    UpdatedSonicPointFirmwareNewSonicWallbrandedfirmwareversion9.0.1.010isavailableforSonicPointsconnectedtoappliancesrunningSonicOS6.2.7.

    Supportedplatformsare:

    SonicPointACe

    SonicPointACi

    SonicPointN2

    YourSonicPointisautomaticallyprovisionedwiththenewfirmwarebySonicOS.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    21

  • SonicPointRadiusAccountingSonicOS6.2.7introducessupportforRadiusAccountingonSonicWallfirewallswithaconnectedSonicPointACe,ACi,orN2,inthescopeofIEEE802.11iEnterpriseAuthentication.

    RadiusAccountingusestheRADIUSprotocoltodeliveraccountinginformationfromaNetworkAccessServer(NAS,aSonicPointinourcase)totheRadiusAccountingServer(RAS).TheSonicOSadministratorcanusetheaccountinginformationtoapplyvariousbillingrulesontheRadiusAccountingserverside,basedonsessiondurationtimeortrafficloadbeingtransferredforeachindividualuser.RadiusAccountingistheprocessofcollectingandstoringtheinformationcontainedinthefollowingsystemmessages:

    AccountingStart

    AccountingStop

    SonicOSSettingsToconfigureRadiusAccounting:

    1 OntheSonicPoint>SonicPointspage,clicktheConfigurebuttonforyourSonicPoint.

    2 OntheRadio0Basictab,selectWPA2AUTOEAPfortheAuthenticationType.

    3 UnderRadiusServerSettings,clickConfigure.

    NOTE:Theadditionofthisfeatureresolvesrequestforenhancement#159713.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    22

  • 4 Intheconfigurationdialog,enterthecorrectIP,Port,andSecret(password)underRadiusServerSettings(authenticationserver)andRadiusAccountingServerSettings.

    5 ClickOKtoprovisiontheSonicPointACe/ACi/N2.

    RadiusServerSettingsTheRadiusServerneedstobeconfiguredaccordinglytoturnonaccountingsupport.

    Toconfigurefreeradius2.1.10toturnonaccountingsupport:

    1 AddtheRadiuscliententryintothefile/etc/freeradius/clients.conf:

    Client 10.103.12.192 { Secret= "password"

    }

    2 Addtheuserinformationintothefile/etc/freeradius/users:

    user_name Cleartext-Password := "password"3 Runthecommandsudo freeradius -Xintheterminaltostartfreeradius.

    NOTE:TheRadiusAccountingServerandRadius(Authentication)ServerdonotneedtobelocatedatthesameIP.

    NOTE:10.103.12.192istheWANIPoftheSonicWallGatewayfromwhichtheRadiusServercanbereached.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    23

  • 31BitNetworkSonicOS6.2.7introducessupportforRFC3021,whichdefinestheuseofa31bitsubnetmask.Thismaskallowsonlytwohostaddressesinthesubnet,withnonetworkorgatewayaddressandnobroadcastaddress.Suchaconfigurationcanbeusedwithinalargernetworktoconnecttwohostswithapointtopointlink.Thesavingsinaddressspaceresultingfromthischangeiseasilyseen,eachpointtopointlinkinalargenetworkwouldconsumetwoaddressesinsteadoffour.

    Inthiscontext,thepointtopointlinkisnotequivalenttoPPP(pointtopointprotocol).Thepointtopointlinkusinga31bitmaskcanuseornotusethePPPprotocol.31bitprefixedIPv4addressesonapointtopointlinkcanalsobeusedintheEthernetnetwork.

    ConfiguringSonicOSToconfigureaninterfacefora31bitsubnet:

    1 OntheNetwork>Interfacespage,editthedesiredinterface.

    2 SettheSubnetMaskto255.255.255.254.

    3 EnteronehostIPaddressintotheIPAddressfield.

    4 EntertheotherhostIPaddressintotheDefaultGatewayfield.

    5 Settheotherfieldsaccordingtoyournetwork,asneeded.

    6 ClickOK.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    24

  • ExampleNetworkEnvironment

    Inthisnetworkenvironment,HostPC1andHostPC2canusevisiteachother,whilehostsintheLANnetworkcanvisitHostPC2.

    Toconfiguresettingsforthisenvironment:

    1 ForHostPC1,addtworouteentries:

    Route add 10.5.10.0 mask 255.255.255.0 15.6.8.10 Route add 10.102.234.0 mask 255.255.255.0 15.6.8.10

    2 ForHostPC2,addtworouteentries:

    Route add 10.5.10.0 mask 255.255.255.0 10.102.234.70 Route add 15.6.8.0 mask 255.255.255.0 10.102.234.70

    3 OntheCiscorouter(F0/0):

    interface fastEthernet 0/0 ip address 10.5.10.120 255.255.255.254

    4 OntheCisco2811,addonerouteentry:

    ! ip route 15.6.8.0 255.255.255.0 10.5.10.120!

    5 Onthefirewall,addonerouteentrytoenabletheWANzonedataflowfromX2toX5,andX5toX2:

    Any 10.102.234.0 Any X2 Default Gateway X2

    ThreatAPISonicOS6.2.7introducessupportfortheThreatAPIfeature.TheSonicOSThreatAPIprovidesAPIaccesstoSonicWallfirewallservices.ComparedwithcurrentfirewallGUI/CLIuserinterfaces,theThreatAPIissimpleandmakesgooduseofthestandardHTTPprotocol.Withthetrendtowardclouddeployment,theThreatAPIcanmoreeasilybeusedthanthetraditionalSonicOSGUI/CLI.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    25

  • MaliciousthreatscanoriginatefromURLsorIPaddresses.Listsofthesethreatscanbelargeandchangefrequently.SonicOScanalreadyblockcustomlistsofURLsandIPaddresses,itsjustinconvenientbecauseahumanhastologinandupdatethelistsbyhand.UsinganAPIinterfacemakesitmucheasier.

    TheThreatlistissenttoSonicOSusingtheThreatAPI.Threatscanbeaddedineitherofthefollowingformats:

    URLs(https://malicious123.example.com/malware)

    IPaddresses(10.10.1.25)

    ThirdpartiescangeneratethethreatlistandpassittothefirewallusingThreatAPI.

    ForIPaddressesinthethreatlist,SonicOSinitiallycreatesadefaultThreatAPIAddressGroupandthencreatesanAddressObject(AO)foreachIPaddressinthethreatlist.TheSonicOSadministratorconfiguresFirewallAccessRulesthatreferencethatAddressGroupandblocktheIPaddresses.

    SonicOSaddstheURLstoitsCFSThreatURIlist.TheSonicOSadministratorenablesThreatAPIEnforcementintheassociatedCFSProfileandconfiguresaContentFilteringSystem(CFS)policytoblocktheURLsinthethreatlist.

    WhenathreatisblockedbyCFS,theuserwillseeablockmessageintheirbrowser:

    SonicOSWebUIUpdatesforThreatAPI

    InternalSettingAnewinternalsettingisaddedforThreatAPI:

    EnableThreatAPIFilteringGlobalThreatAPIenable/disablesetting

    Firewall>ContentFilterObjectsSettingsWhenaddingoreditingaCFSProfileObjectontheFirewall>ContentFilterObjectspage,theAdvancedtabhasanewEnableThreatAPIEnforcementcheckbox.AfterSonicOSreceivestheinitialthreatlistandcreatesa

    NOTE:SonicOSThreatAPIrequiresthatthefirewallhasaContentFilteringSystem(CFS)license.

    NOTE:ThreatAPIsettingsareonlyavailabletotheSonicOSadministrator.Bydefault,thisistheadminuser.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    26

  • ThreatURIListObject,theadminaddsaCFSProfileObjectthatreferencestheThreatURIListObjectandenablestheEnableThreatAPIEnforcementcheckbox.

    TheFirewall>ContentFilter>ActionObjectspageprovidesawaytoconfigureacustomThreatAPIBlockPageonagranularperCFSActionObjectbasis.

    APIAuthenticationAlltheAPIcommandslistedbelowrequireHTTPBasicAuthenticationforeveryAPIcall.Usercredentialsarenotstored.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    27

  • APICommands GET/threat/block/uri/ReturnsURIblocklistinasimpleplaintext,1URIperlineformat.

    OPTIONS/threat/block/uri/Allowsrestrictedresourcesonawebpagetoberequestedfromanotherdomainoutsidethedomainfromwhichthefirstresourcewasserved.

    POST/threat/block/uri/InstantiatestheURIblocklist.

    DELETE/threat/block/uri/ClearstheURIblocklist.

    GET/threat/block/ip/ReturnshostIPblocklistinasimpleplaintext,1V4/V6hostperlineformat.

    OPTIONS/threat/block/ip/Allowsrestrictedresourcesonawebpagetoberequestedfromanotherdomainoutsidethedomainfromwhichthefirstresourcewasserved.

    POST/threat/block/ip/InstantiatesthehostIPblocklist.

    PUT/threat/block/ip/Addshost(s)totheIPblocklist.

    DELETE/threat/block/ip/Deletesallorspecifiedhost(s)fromtheIPblocklist.

    ThreatAPIExamples

    Example1:AThreatAPIcallrequestingtoblockaURLpointingtoanarticle:

    Example2:InstantiateIP&URIblocklists:curl -k -i -u admin:password -X POST -d "`printf "1.2.3.4\n1.2.3.5\n"`" https://192.168.1.254/threat/block/ip/Anotherexampleforthis:

    curl -k -i -u admin:password -X POST -d "`printf "example1.com\nexample2.com\n"`" https://192.168.1.254/threat/block/uri/

    Example3:UpdatelistbyaddinganentrytoIPblocklist:curl -k -i -u admin:password -X PUT -d "`printf "4.3.2.1\n"`" https://192.168.1.254/threat/block/ip/

    SonicWallSonicOS6.2.7.1ReleaseNotes

    28

  • Example4:DeleteIP&URIentries:curl -k -i -u admin:password -X DELETE -d "`printf "1.2.3.4\n1.2.3.5\n"`" https://192.168.1.254/threat/block/ip/Anotherexampleforthis:

    curl -k -i -u admin:password -X DELETE https://192.168.1.254/threat/block/uri/

    BiometricAuthenticationSonicOS6.2.7introducessupportforbiometricauthenticationinconjunctionwithSonicWallMobileConnect.

    MobileConnectisanappthatallowsuserstosecurelyaccessprivatenetworksfromamobiledevice.MobileConnect4.0supportsusingfingertouchforauthenticationasasubstituteforusernameandpassword.

    SonicOS6.2.7providesconfigurationsettingsontheSSLVPN>ClientSettingspagetoallowthismethodofauthenticationwhenusingMobileConnecttoconnecttothefirewall.

    Toenablebiometricauthentication:

    1 OntheSSLVPN>ClientSettingspage,clicktheConfigurebuttonfortheDefaultDeviceProfile.

    2 OntheClientSettingstab,selectEnabledforoneorbothofthefollowingsettings:

    AllowTouchIDonIOSdevices

    AllowFingerprintAuthenticationonAndroiddevices

    3 Ontheclientsmartphoneorothermobiledevice,enableTouchID(iOS)orFingerprintAuthentication(Android).

    EnsurethatMobileConnect4.0orhigherisinstalledonthemobiledevice,andconfigureittoconnectwiththefirewall.

    VPNAutoProvisioningSonicOS6.2.7introducestheVPNAutoProvisioningfeature.ThisfeatureprovidesautomaticVPNprovisioningforboxtoboxhubandspokeconfigurations.TheuserexperienceissimilartothatseenwhenusingSonicWallGlobalVPNClienttoconnectfromaclientmachinetoafirewall,inwhichnoneofthecomplexityisvisibletotheuser.

    Minimally,onlytwopiecesofinformationarerequiredtoconfigureaspokeappliancewhenusingVPNAutoProvisioning:

    Thepeergatewayaddressordomainname

    Themachineauthenticationcredentials

    ByselectingtheDefaultProvisioningKeyoption,machineauthenticationcredentialscanbebasedonadefaultvalueknowntoalltheappliances.Toincreasesecurity,userlevelcredentialsmayalsoberequired.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    29

  • VPNAutoProvisioningcanbeusedwhenaddingaVPNPolicyintheVPN>Settingspage.IntheAdddialogunderSecurityPolicy,selecteither:

    SonicWallAutoProvisioningClient

    SonicWallAutoProvisioningServer

    4 Configuretheotherfieldsasneeded.

    EnhancementsThefollowingenhancementsareincludedinthisrelease.

    RADIUSAccountingwithWPA2EAP

    Enhancement IssueID

    InSonicOS6.2.7,RADIUSAccountingworkswhenauthenticatingwirelessusersaccessingthefirewallviaaSonicPoint.

    159713

    SonicWallSonicOS6.2.7.1ReleaseNotes

    30

  • ResolvedIssuesThissectionprovidesalistofresolvedissuesinthisrelease.

    MACAddressObjectswithCFS4.0

    Enhancement IssueID

    InSonicOS6.2.7,MACaddressobjectsareallowedinCFS4.0exclusionlists. 179692

    AntiVirus

    Resolvedissue IssueID

    TheMcAfeeAntiVirusenforcedinstallationdoesnotoccurOccurswhenthedestinationinterfaceisPPPoE,ratherthanastaticIPaddress.

    180292

    CFS

    Resolvedissue IssueID

    Websiteaccessfails,linksandpicturesfailtoload,browserjustspins,butnoCFSblockpageisdisplayed.OccurswhentheForbiddenURIintheCFSprofilecontainsanyentries.

    179393

    HighAvailability

    Resolvedissue IssueID

    TheactiveprimaryfirewallinanHAPairgoesdown,andtheactivesecondaryfirewallalsogoesdownafterupgradingfirmware.OccursafterthefirmwareisupgradedtoSonicOS6.2.7.121nonanNSA2600HAPair.

    184807

    Networking

    Resolvedissue IssueID

    ADynamicMACAddressObjectcannotbeusedinanaccessruleandSonicOSdisplaystheerror,PolicyAction:MixedIPVersionAddressObjectandGroupsarenotallowedinpolicy.OccurswhenaLANMACAOwithaLANcomputerMACaddressisaddedandthenattempttocreateanaccessrulefromLANtoWANzoneusingtheMACAOastheSource.

    184863

    VerifoneCCterminalscannotgetaDHCPIPaddresslease.OccurwhenusingstaticDHCPscopes.

    181648

    System

    Resolvedissue IssueID

    ThefirewallinaHighAvailabilityconfigurationexperiencesfailoversatrandomtimes.OccursinacertaincaseinvolvingaNULLconditionintheuserlevelauthenticationfunctionality.

    182014

    SonicWallSonicOS6.2.7.1ReleaseNotes

    31

  • KnownIssuesThissectionprovidesalistofknownissuesinthisrelease.

    ThefirewallrebootsunexpectedlyduetoDataPlanecoreexceptions.Occurswhenthereisamemorybuffererrorrelatedtoablockpage.

    180142

    ThefirewallrebootsduetotasksuspensionTracetsfTaskLoc.OccurswhenincorrectNATpoliciesusingrangeobjectsareconfiguredandwhendownloadingtheBotnetdatabase.

    176249

    UserInterface

    Resolvedissue IssueID

    CannotchangetheBWMtypefromAdvancedtoGlobalandbacktoAdvanced.OccurswhenchangingtheBWMtypefromAdvancedtoGlobalontheFirewallSettings>BWMpageandenablingthePreventthispagefromcreatingadditionaldialogsoptioninthepopupdialog,andthenattemptingtochangetheBWMmodebacktoAdvanced.

    183586

    VPN

    Resolvedissue IssueID

    AnIKEv2interoperabilityissuewithCiscoIOScausesaSelectorCheckErrorlogmessage.OccurswhenSitetoSitetunnelsconnectmanyTZfirewallstomultipleCisco3945routerswhichareusingdynamiccryptomap.

    171152

    Vulnerability

    Resolvedissue IssueID

    TestingindicatesthatthefirewallisvulnerabletotheHTTProxyVulnerability.OccurswhenrunningaTrustWavePCIscan.

    179227

    3G/4G

    Knownissue IssueID

    SprintcardFTPdownloadtimeishigheronSonicOS6.2.7.017nthanonSonicOS6.2.6.0.OccurswhenusingFTPBinarymodeanddownloadinga1MBzipfileacoupleoftimes.

    183961

    CFS

    Knownissue IssueID

    DomainsincludedintheForbiddenURIlistinCFS3.0,butnotbeingblocked,areaddedtotheForbiddenURIListinCFS4.0andarethenblocked.OccurswhenupgradingfromCFS3.0toCFS4.0afterconfiguringaForbiddenURIlistanddisablingtheBlockAccesstoURLoption.

    185082

    System

    Resolvedissue IssueID

    SonicWallSonicOS6.2.7.1ReleaseNotes

    32

  • IPv6

    Knownissue IssueID

    SonicOSsendsIPv4DNSrequestswhencommunicatingwithSonicWallbackendserverssuchasMySonicWallortheLicenseManager.OccurswhentheX1(WAN)interfaceandtheDNSserverareonlyconfiguredwithIPv6addresses.

    183975

    Networking

    Knownissue IssueID

    IPv6FQDNNetworkMonitorpoliciesarelostafterrestartingthefirewall.OccurswhentheIPv6FQDNNetworkMonitorpolicieshaveacommentincludedintheirconfiguration.

    185079

    WhenaddinganaccessruleinFirewall>AccessRules,usingtheoptiontocreateanewaddressobjectpreventstherulefrombeingsaved.OccurswhenusingtheInternetExplorer11browsertomanagetheappliance.

    185057

    ActiveorpassiveFTPdoesnotworkwithNAT64whenspecifyingtheoutboundinterface.OccurswhenthespecifiedoutboundinterfaceisaffectedbyaNAT64policy.Workaround:SettheoutboundinterfacetoAny.

    184889

    WhenusingNAT64,HTTPStrafficfailsinsomecases.OccurswhenSSLClientInspectionisenabled.

    184830

    Anaccessrulewithaschedulewillchangeitsscheduleafterrebooting.Occurswhentwoscheduleobjectsareavailableandtheaccessruleisconfiguredtouseoneofthem.Afterthereboot,theruletableshowstheaccessruleusingtheotherschedule.

    184803

    TheEnableDNSProxyoptionbecomesdisabledordisappearsaftertheWLANtunnelinterfaceissavedandtheneditedagain.OccurswhentheglobalEnableDNSProxyoptionisenabledandthenaWLANtunnelinterfaceisaddedwiththeEnableDNSProxyoptionselectedinitsconfiguration.Aftersavingthetunnelinterfaceconfiguration,theEnableDNSProxyoptionisshownasdisabledordisappearedwhencheckingthetunnelinterfacesettings.

    184385

    AnIPv6hostresolvedinanIPv6MACAddressObjectdoesnotdisappearaftermodifyingthatMACaddresstoanewvalueinastaticNDPentry.OccurswhenaMACAOresolvesanIPv6addressfromastaticNDPtable,thenoneNDPentry'sMACaddressischangedtoanewvalue,andfindthatthepreviouslyresolvedIPv6addressisstilldisplayedintheMACAO.

    184318

    AspecificsubdomainhostIPaddresscannotbeaddedintoaFQDNAddressObject.OccurswhenaFQDNAOsuchas*.e.comisadded,thentheadminqueries1.e.com,2.e.com,and3.e.comonacomputerconnectedtothefirewallLANzoneandtheIPaddressesforthosesubdomainsarereturnedbytheserver.But,theFQDNAOstillonlycontainsthehostIPaddressfore.com.

    184156

    TrafficisdroppedinL2BmodeduetoIPHelperRPFcheckwhileitsprotocolisenabledinIPhelperbutnopolicyconfigured,e.g.NetBIOS,DNS.

    183632

    AsubVLANinterfaceconfiguredinPPPoE/PPTP/L2TPmodeandthenchangedcannotconnectagainduringtheenabledschedule.Occurswhentheinterfaceischangedtostaticmodewhileconnected,andthenchangedbacktoiPPPoE/PPTP/L2TPmode.

    183607

    SonicWallSonicOS6.2.7.1ReleaseNotes

    33

  • Networkmonitorpolicydoesnotwork.Occurswhenselect'AllSonicPoints'asprobetarget.

    183567

    CannotmanagethesecondaryunitinanHAPairfromtheWANzonealthoughitisconfiguredtoallowmanagement,andallARPrequestsaredroppedwiththeerrorDropCode:31(InvalidHAARPpacket).OccurswhenaccessingtheunitontheHAmonitorIPforX1,whichisaDHCPaddress.

    173915

    SonicPoint

    Knownissue IssueID

    RADIUSAccountingfailswithaSonicPointNDRaccesspoint. 181522

    System

    Knownissue IssueID

    SonicOScannotdisableorenableaNAT64policy.OccurswhenafewNATpoliciesalreadyexist.

    183304

    Switching/XSeries

    Knownissue IssueID

    InanHApair,importingsettingsafteranXseriesswitchisdeletedclearstheVLANconfigurationintheswitch.

    183564

    Readdingaswitchafterdeletingitthrowsanerrorandtheswitchbecomesinaccessible. 181357

    UserInterface

    Knownissue IssueID

    SortingdoesnotworkonAppFlowMonitor,AppFlowreports,LogMonitortables.Columnsarealwayssortedindescendingorder.Also,thesorticondoesnotshowup.

    184114

    VPN

    Knownissue IssueID

    OnlyoneoftwoprotectedsubnetsbehindanAutoProvisioning(AP)clientcanestablishatunneltotheAPserver.OccurswhentheAPserverpolicyhastheRequireAuthenticationofVPNAPClientsviaXAUTHoptionenabled.IftheAllowUnauthenticatedVPNAPClientAccessoptionisenabledinstead,bothsubnetscanestablishatunnel.

    185074

    WithVPNAutoProvisioning,theAPClientstopssendingAggressiveModenegotiationrequestsatregularintervals.OccursaftertheAPClientgetsanIPPooloftheVPNPolicyisFullrejectionfromtheAPServer.Workaround:WhendeployingVPNAutoProvisioning,allocatealargerIPpoolfortheAPClients.

    182214

    TheVPNTunnelcannotbenegotiatedinsomecases.OccurswhentheAutoProvisionedServerusesacertificatewithawildcardincludingIDstring(DC).

    181322

    Networking

    Knownissue IssueID

    SonicWallSonicOS6.2.7.1ReleaseNotes

    34

  • SystemCompatibilityThissectionprovidesadditionalinformationabouthardwareandsoftwarecompatibilitywiththisrelease.

    Wireless3G/4GBroadbandDevicesSonicOS6.2.7.1providessupportforawidevarietyofPCcards,USBdevicesandwirelessserviceproviders.Forthemostrecentlistofsupporteddevices,seehttp://www.sonicwall.com/supportedwirelessbroadbandcardsdevices/.

    GMSSupportSonicWallGlobalManagementSystem(GMS)managementofSonicWallsecurityappliancesrunningSonicOS6.2.7.1requiresGMS8.3formanagementoffirewallsusingthenewfeaturesinSonicOS6.2.7.1.SonicWallGMS8.2supportsmanagementofallotherfeaturesinSonicOS6.2.7.1andearlierreleases.

    WXASupportTheSonicWallWXAseriesappliances(WXA6000Software,WXA500LiveCD,WXA5000VirtualAppliance,WXA2000/4000Appliances)aresupportedforusewithSonicWallsecurityappliancesrunningSonicOS6.2.7.1.TherecommendedfirmwareversionfortheWXAseriesappliancesisWXA1.3.2.

    BrowserSupportSonicOSwithVisualizationusesadvancedbrowsertechnologiessuchasHTML5,whicharesupportedinmostrecentbrowsers.SonicWallrecommendsusingthelatestChrome,Firefox,InternetExplorer,orSafaribrowsersforadministrationofSonicOS.ThisreleasesupportsthefollowingWebbrowsers:

    Chrome18.0andhigher(recommendedbrowserfordashboardrealtimegraphicsdisplay)

    Firefox16.0andhigher

    InternetExplorer9.0andhigher

    Safari5.0andhigherrunningonnonWindowsmachines

    Wizards

    Knownissue IssueID

    TheSetupGuidewizardcontainstheincorrectstatement,SinceHAisenabled,onlyStaticIPaddressingisallowed.InSonicOS6.2.7,DynamicWANinterfacesaresupportedinHighAvailabilitymode.OccursintheWANModescreenofthewizard.

    184891

    NOTE:OnWindowsmachines,SafariisnotsupportedforSonicOSmanagement.

    NOTE:MobiledevicebrowsersarenotrecommendedforSonicWallappliancesystemadministration.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    35

    http://www.sonicwall.com/supported-wireless-broadband-cards-devices/http://www.sonicwall.com/supported-wireless-broadband-cards-devices/

  • ProductLicensingSonicWallnetworksecurityappliancesmustberegisteredonMySonicWalltoenablefullfunctionalityandthebenefitsofSonicWallsecurityservices,firmwareupdates,andtechnicalsupport.LoginorregisterforaMySonicWallaccountathttps://mysonicwall.com.

    UpgradingInformationForinformationaboutobtainingthelatestfirmware,upgradingthefirmwareimageonyourSonicWallappliance,andimportingconfigurationsettingsfromanotherappliance,seetheSonicOS6.2UpgradeGuideavailableonMySonicWallathttps://mysonicwall.comorontheSupportportalathttps://support.sonicwall.com.

    SonicWallSupportTechnicalsupportisavailabletocustomerswhohavepurchasedSonicWallproductswithavalidsupportmaintenancecontractandtocustomerswhohavetrialversions.

    TheSupportPortalprovidesselfhelptoolsyoucanusetosolveproblemsquicklyandindependently,24hoursaday,365daysayear.ToaccesstheSupportPortal,gotohttps://support.sonicwall.com.

    TheSupportPortalenablesyouto:

    Viewknowledgebasearticlesandtechnicaldocumentation

    Downloadsoftware

    Viewvideotutorials

    Collaboratewithpeersandexpertsinuserforums

    Getlicensingassistance

    AccessMySonicWall

    LearnaboutSonicWallprofessionalservices

    Registerfortrainingandcertification

    TocontactSonicWallSupport,visithttps://support.sonicwall.com/contactsupport.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    36

    https://mysonicwall.comhttps://support.sonicwall.comhttps://support.sonicwall.com/contact-supporthttps://mysonicwall.comhttps://support.sonicwall.com

  • Copyright2017SonicWallInc.Allrightsreserved.

    ThisproductisprotectedbyU.S.andinternationalcopyrightandintellectualpropertylaws.SonicWallisatrademarkorregisteredtrademarkofSonicWallInc.and/oritsaffiliatesintheU.S.A.and/orothercountries.Allothertrademarksandregisteredtrademarksarepropertyoftheirrespectiveowners.

    TheinformationinthisdocumentisprovidedinconnectionwithSonicWallInc.and/oritsaffiliates'products.Nolicense,expressorimplied,byestoppelorotherwise,toanyintellectualpropertyrightisgrantedbythisdocumentorinconnectionwiththesaleofSonicWallproducts.EXCEPTASSETFORTHINTHETERMSANDCONDITIONSASSPECIFIEDINTHELICENSEAGREEMENTFORTHISPRODUCT,SONICWALLAND/ORITSAFFILIATESASSUMENOLIABILITYWHATSOEVERANDDISCLAIMSANYEXPRESS,IMPLIEDORSTATUTORYWARRANTYRELATINGTOITSPRODUCTSINCLUDING,BUTNOTLIMITEDTO,THEIMPLIEDWARRANTYOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ORNONINFRINGEMENT.INNOEVENTSHALLSONICWALLAND/ORITSAFFILIATESBELIABLEFORANYDIRECT,INDIRECT,CONSEQUENTIAL,PUNITIVE,SPECIALORINCIDENTALDAMAGES(INCLUDING,WITHOUTLIMITATION,DAMAGESFORLOSSOFPROFITS,BUSINESSINTERRUPTIONORLOSSOFINFORMATION)ARISINGOUTOFTHEUSEORINABILITYTOUSETHISDOCUMENT,EVENIFSONICWALLAND/ORITSAFFILIATESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.SonicWalland/oritsaffiliatesmakenorepresentationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthisdocumentandreservetherighttomakechangestospecificationsandproductdescriptionsatanytimewithoutnotice.SonicWallInc.and/oritsaffiliatesdonotmakeanycommitmenttoupdatetheinformationcontainedinthisdocument.

    Formoreinformation,visithttps://www.sonicwall.com/legal/.

    Lastupdated:3/30/17

    23200384400RevA

    Legend

    WARNING:AWARNINGiconindicatesapotentialforpropertydamage,personalinjury,ordeath.

    CAUTION:ACAUTIONiconindicatespotentialdamagetohardwareorlossofdataifinstructionsarenotfollowed.

    IMPORTANTNOTE,NOTE,TIP,MOBILE,orVIDEO:Aninformationiconindicatessupportinginformation.

    SonicWallSonicOS6.2.7.1ReleaseNotes

    37

    https://www.sonicwall.com/legal/

    SonicWall SonicOS 6.2.7.1About SonicOS 6.2.7.1Supported PlatformsNew FeaturesHigh AvailabilityPPPoE Unnumbered Interface SupportVendor OUI Detection and LoggingDell X-Series Switch Integration FeaturesDPI-SSHSupport for pcapNGTSR FTP for Periodic BackupCustom Lists for Geo-IP and BotnetSIP UDP Fragmentation FixesSystem Logs on AppFlow Server via IPFIXNAT64: Stateful NAT from IPv6 Client to IPv4 ServerDNS ProxyInterface Configuration and Allow RulesDHCPDNS CacheSplit DNS

    FQDN RoutingMaximum Routes DoubledMaximum Zone to Zone Access Rules IncreasedFlow Reporting using IPFIX Extension Version 2Syslog Server ProfilingEvent ProfileGMS

    IPv6 SupportSSL ControlIPv6 DPI-SSLIPv6 NTPIPv6 DNSIPv6 MAC Address ObjectIPv6 FQDN Address Object

    DPI-SSL Increased Connection Counts and EnhancementsOpen Authentication Social LoginSonicOS SettingsFacebook Settings

    Updated SonicPoint FirmwareSonicPoint Radius AccountingSonicOS SettingsRadius Server Settings

    31-Bit NetworkConfiguring SonicOSExample Network Environment

    Threat APISonicOS Web UI Updates for Threat APIInternal SettingFirewall > Content Filter Objects Settings

    API AuthenticationAPI CommandsThreat API ExamplesExample 1: A Threat API call requesting to block a URL pointing to an article:Example 2: Instantiate IP & URI block lists:Example 3: Update list by adding an entry to IP block list:Example 4: Delete IP & URI entries:

    Biometric AuthenticationVPN Auto Provisioning

    EnhancementsResolved IssuesKnown IssuesSystem CompatibilityWireless 3G/4G Broadband DevicesGMS SupportWXA SupportBrowser Support

    Product LicensingUpgrading InformationSonicWall Support