Documente Academic
Documente Profesional
Documente Cultură
1
Release Notes
January 2019
These release notes provide information about the SonicWall® SonicOS 6.5.3.1 release.
Topics:
• About SonicOS 6.5.3.1
• Supported Platforms
• New Hardware
• New Features
• Resolved Issues
• Known Issues
• System Compatibility
• Product Licensing
• Upgrading Information
• SonicWall Support
Supported Platforms
SonicOS 6.5.3.1 is supported on these SonicWall appliances:
New Features
This section describes the new features introduced in SonicOS 6.5.3.1.
Topics:
• SD-WAN Features
• Support for Zero Touch GMS
• Automatic Guest Redirection to Policy Page
• Networking Features
• Wireless Features
• Authentication Features
• Advanced Security Features
• SonicOS API Enhancements
• External Storage of Trace Logs
• OpenSSL Support
• Configurable Internal VLANs
• 4G/LTE USB Modem Support
• IPv6 Addressing Mode for H.323 ALG
• Enhancements to Reports
• Switch Shield Support (DDOS Protection using Switch Capabilities)
• Pin Friendly Name of Firewall
SD-WAN Features
SD-WAN (Software-Defined Wide Area Network) provides software-based control over wide area network
(WAN) connections. SonicOS SD-WAN offers these features:
• Application-aware routing
• Dynamic path selection based on:
• Latency, jitter, and/or packet loss
• User-defined thresholds for quality assessment
• SD-WAN Interface Groups
• WAN and VPN
• Scalable from one to N interfaces
• Path Performance Probes for metrics
Topics:
• SD-WAN Groups
• Performance Probes
• Performance Class Objects
• Path Selection Profiles
• SD-WAN Routing
• Viewing SD-WAN Route Policy Connections
SD-WAN Groups
SD-WAN Groups are logical groups of interfaces that can be used for load-balancing as well as dynamic path
selection based on the performance criterion through each interface path. You can create your own custom
groups.
The SD-WAN Groups page displays the custom pool of interfaces used for optimized and resilient traffic flow.
5 Click the Right Arrow to move the selected interfaces to the Selected Interface Ordering column.
6 To change the priority of the selected group members:
a Select the interface.
b Click the Up Arrow or Down Arrow.
7 Repeat Step 6 for each interface to prioritize.
8 Click OK.
Performance Probes
Network path performance metrics are determined using the SD-WAN performance probes, which are similar to
Network Monitor Probes. SonicOS supports the ICMP and TCP probe types. A SD-WAN probe can be used by
multiple Path Selection profiles.
TIP: For VPN tunnel interface SD-WAN groups, internal, system-created performance probes are created
automatically to probe the remote end point, and creating custom performance probes is not permitted.
9 Enter the maximum delay for a response in the Reply time out … seconds field. The minimum is 1
second, the maximum is 60 seconds, and the default is 1 second.
10 Enter the maximum number of missed intervals before the probe is set to the DOWN state in the Probe
state is set to DOWN after … missed intervals field. The minimum number is 1, the maximum is 100, and
the default is 3.
You configure custom performance thresholds that best meet the needs of your application/traffic categories
with Performance Class Objects.
2 Click the Add icon. The Add Performance Class Object dialog displays.
TIP: For VPN configurations, the matching PSP configuration must be done at the peer VPN SonicWall
running same release firmware as the current firewall.
SD-WAN Routing
Dynamic Path selection for specific traffic flows uses Policy Based Routes. A SD-WAN Policy Based Route is used
to configure the route policy for the specific source/destination service/app combination, with a corresponding
Path Selection Profile that determines the outgoing path dynamically based on the Path Selection Profile. If
there is more than one path qualified by the Path Selection Profile, the traffic is automatically load balanced
among the qualified paths. If none of the paths are qualified by the path selection profile and the backup
interface in the profile is not configured or is down, the route is disabled.
SD-WAN routing can be configured from the MANAGE I System Setup > Network > Routing page or MANAGE I
System Setup > SD-WAN > Routing page. The SD-WAN > Routing page only shows the SD-WAN Routes and only
allows configuration of SD-WAN-type routes.
TIP: For VPN configurations, the matching SD-WAN route configuration must be done at the peer VPN
SonicWall running same release firmware as the current firewall.
You can view the connections that have been associated with SD-WAN Route policies on the INVESTIGATE |
Logs > SD-WAN Connection Logs page.
7 Select Auto Accept Policy Page. This option is not selected by default.
8 Click OK.
9 Finish configuring the zone.
10 Click OK.
Networking Features
Topics:
• High Availability Encryption
• UUID for CFS Policies
• Support of Large-Scale Static and Dynamic Routes
Wireless Features
SonicOS 6.5.3 introduces several new wireless features.
Topics:
• One-Click Wireless and Non-Wireless Controller Modes
• RF Spectrum Analysis with Real-Time Noise Detection
• Bluetooth Low Energy on SonicWave Series
• The status of access point objects becomes Disabled on the MANAGE I Connectivity > Access Points >
Base Settings page.
• All interfaces to SSL VPN are disabled on the MANAGE I Connectivity > SSL VPN > Server Settings page.
• Any attempt to enable SIP and/or H.323 options on MANAGE I System Setup > VOIP displays an error
message in the lower right corner of the browser window:
• Any attempt to enable a zone with VPN and/or SSL VPN results in an error.
4 Click OK.
5 Click ACCEPT.
6 Click Restart in the bottom right corner of the browser window.
4 Click OK.
5 Click ACCEPT. The Edit and Delete icons for wireless zones become dimmed on the MANAGE I System
Setup > Network > Zones and MANAGE I Connectivity > Access Points > Base Settings pages.
6 Click Restart in the bottom right corner of the browser window.
4 Click OK.
5 Click ACCEPT.
6 Click Restart in the bottom right corner of the browser window.
Topics:
• Enabling BLE
• Viewing BLE Scan Status
Enabling BLE
To enable Bluetooth low energy:
1 Navigate to MANAGE I Connectivity > Access Points > Base Settings.
2 Scroll to the SonicPoint / SonicWave Provisioning Profiles section.
3 Click the Edit icon for SonicWave. The Edit SonicWave Profile dialog displays.
5 To enable BLE, select Enable iBeacon. This option is not selected by default. The subordinate fields
become available.
6 Complete the fields:
• UUID – Enter the 128 hexadecimal digits of the UUID. The UUID displays in five-character groups
separated by hyphens.
• Major – Enter the significant identity in the same geographical group. The range is 0 to 65535; the
default is 0.
• Minor – Enter the secondary identity in the same geographical group. The range is 0 – 65535; the
default is 0.
TIP: Use different UUIDs to distinguish different geographical groups and major and minor options
to distinguish areas within the geographical group. For example, you deploy several SonicWave
appliances with BLE in one building, and you set the same UUID for these SonicWave appliances.
The SonicWave appliances on the same floor have the same Major number, but have different
Minor numbers in different places on the same floor. In this way, your mobile device is close to a
SonicWave appliance and its location.
7 Click OK.
WWAN Cards
SonicWall is continually updating the list of supported WWAN devices. For the most up-to-date list of supported
WWAN devices, see the Knowledge Base article, What wireless cards and broadband devices are supported on
SonicWall firewalls?
WWAN devices with new or improved support in SonicOS 6.5.3.1 include:
• Verizon USB730L USB Modem (USA)
• Verizon USB620L USB Modem (USA)
• AT&T Velocity USB Stick (ZTE MF861) (USA)
• Sprint Franklin U772 USB Modem (USA)
• T-mobile Alcatel Linkzone Hotspot; supported in USB tethering mode (USA)
• Telstra 4GX (Huawei E8372) USB Modem (Australia)
• Huawei E3372 - There are numerous variants of the E3372, specific variants tested are: Entel-branded
E3372h-510 and MTN-branded E3327h-153
In this mode When traffic or noise levels exceed the configured DCS thresholds
Monitor An alarm is triggered and an information log is generated. The DCS monitor alarm is used for
evaluating the RF environment of your deployed APs.
Active An alarm is triggered and an information log is generated. In addition, the AP ceases operating
on the current channel and ACS is employed to select an alternate channel for the AP to
operate on. DCS does not trigger channel changes on neighboring APs.
All Rogue Access MAC address object group listing all rogue APs either added automatically or added by
Points you.
All Rogue Devices IP address object group listing the IP of all rogue devices.
This feature adds a new type of NAS (network attached storage) ID in WP2A-EAP authentication and accounting
messages. SonicWall supports the name and MAC address of an access point as its NAS-ID. To support this
feature, a new option, SSID, has been added to the NAS Identifier Type option on the SonicPoint Radius Server
Setting dialog and the Add/Edit Virtual Access Point dialog.
TIP: The NAS Identifier Type option displays only if an EAP authentication type is selected for the
Authentication Type option.
When the SSID option is selected, both the RADIUS authentication message and RADIUS accounting message
carry the access point or VAP SSID.
Authentication Features
Topics:
• Two-Factor Authentication (TOTP)
• First Login Password Change
• User Login Record
• TACACS+ Accounting
• Captive Portal Authentication
• Multiple External (LHM) Web Servers
The Require one-time passwords option has been replaced with the one-time passwords method
option, which allows you to select the how one-time passwords are processed:
• Disabled (default) – If User must change password is selected this dialog displays at the first login
attempt:
• Total number of all successful users login attempts during the organizationally defined time
• Administrative user’s last login time stamp and location
• Total number of an administrative user's successful login attempts during the organizationally defined
time
• Total number of an administrative user's unsuccessful login attempts during the organizationally defined
time
• Administrative user's current privilege
• Notification of administrative user's privilege change since last login
TIP: This information is displayed only if the Display user login info since last login option is selected on
the MANAGE I System Setup > Users > Settings page.
NOTE: The defined time is configured in an internal setting. For information about SonicOS internal
settings, contact SonicWall Support., contact Technical Support.
6 Enter the host name or IP address of the TACACS+ server in the Host Name or IP Address field.
7 Enter the port number of the server in the Port field. The default is 49.
8 Enter the shared secret in the Shared Secret and Confirm Shared Secret fields.
9 Click Advanced.
13 Enter the server timeout in the TACACS+ Server Timeout (seconds) field. The default is 5 seconds.
14 Enter the maximum number of retries in the Retries field. The default is 3.
15 To support single connect, select Support Single Connect. This option is not selected by default.
16 To allow encrypted packets, select Packet Encrypted. This option is selected by default.
17 Click User Accounting.
18 From Send accounting data for, select one or more types of users.
19 Choose whether to track domain and/or local users from Include. Domain users is selected by default.
20 To receive watchdog messages, select Send Watchdog Messages. This option is not selected by default.
22 From Select server to test, select the IP address of the TACACS+ server.
23 Choose the type of test from Test. Connectivity is selected by default.
24 Click Test. The results of the test display in Returned User Attributes.
25 Click Apply.
DNS Security
SonicOS 6.5.3 detects DNS tunneling, which is a method to bypass security controls and exfiltrate data from a
targeted organization. A DNS tunnel can be used as a full, remote-control channel for a compromised internal
host. Exfiltrated data include Operating System (OS) commands, file transfers, or even a full IP tunnel.
OpenSSL Support
SonicOS 6.5.3 supports OpenSSL 1.0.2.
NOTE: Unlike with older model modems, the receive signal strength is not displayed. Use the Click to
Access Modem link to view the receive signal strength.
Topics:
• Appflow Reports
• Capture Threat Assessment
Appflow Reports
On the INVESTIGATE | Reports > Appflow Reports page, you can now display the statistical data since last reset
as well as since restart and on a schedule:
When you select Since Last Reset from View, a Reset icon displays between the Limit and IPv4/IPv6 options.
You can manually reset the statistics by clicking the icon.
Your view selection also is reflected in the reports you generate manually.
Language Selection
A new option, Language, on the INVESTIGATE | Reports > Captive Threat Assessment page allows you to select
the language for your SFR report:
This feature provides protection from a Denial of Service attacks that make the firewall too busy to provide
service. A new management interface page, MANAGE I System Setup > Switching > Switch Shield, has been
added to SonicOS 6.5.3:
Friendly name
TIP: Record the firewall-generated name along with its friendly name.
High Availability
Resolved issue Issue ID
HTTPS to HTTP redirected GUI administration access is denied. 211722
Occurs when X0 LAN IP is used by SSLVPN users.
Device rebooting due to DP Core Exceptions on the HA pair. 211409
Logging
Resolved issue Issue ID
Login fails as the user is not allowed to change their password. 210877
Occurs when the User must change password option is enabled on the Add User dialog
(MANAGE | System Setup > Users > Local Users & Groups). Occurs only when HTTP logins are
used.
Cannot configure Maximum Events Per Second and Maximum Bytes Per Second on the Add 208498
Syslog Server dialog (MANAGE | Logs & Reporting > Log Settings > SYSLOG).
Occurs when a Syslog server has not been configured.
Networking
Resolved issue Issue ID
High Core 0 CPU utilization by tWebmain-related tasks. 209527
Occurs on TZ Series and NSA Series firewalls.r
The default route doesn't sync to the idle firewall after the primary WAN is unavailable. 209291
Occurs when the default route gets modified by interface state changes.
The DNS Doctoring feature has been supported on all SonicWall platforms in SonicOS 6.5.3. DNS 203367
Doctoring allows SonicWall security appliance to change the embedded IP addresses in DNS
responses so that clients can connect to the correct server IP address. DNS Doctoring performs
address translation in the DNS response: from a public address to a private address when the
DNS client is on the private interface or from a private address to a public address when the DNS
client is on the public interface.
PoE
Resolved issue Issue ID
An error message displays when configuring power mode from 802.3AT to 802.3AF. 209784
VOIP
Resolved issue Issue ID
Memory Pool CB pool leak over time due to SIP TCP ALG. 209658
VPN
Resolved issue Issue ID
A VPN tunnel interface might not come up when the X5 interface is used. 209361
Known Issues
This section provides a list of known issues in this release.
DPI-SSH
Known issue Issue ID
Blocking of attachments and append message actions may not work with SMTP over SSL. 198590
Occurs when SSL Client Inspection is enabled and the Application Firewall option is selected on
the MANAGE | Security Configuration > Decryption Services > DPI-SSL/TLS Client page with an
accompanying App Rule policy configured to block attachments and add text.
Skip CFS Category-based Exclusion may not work correctly. 198185
Occurs when a common name is added on the Common Name view of the MANAGE | Security
Configuration > Decryption Services > DPI-SSL/TLS Client page with the Skip CFS Category-
based Exclusion option selected on the Add Common Names dialog. Category 20. (Online
Banking) is excluded on the CFS Category-based Exclusions/Inclusions view, and then a LAN-
side PC attempts to access the excluded common name.
CFS Category-based Inclusions/Exclusions may not exclude correctly. 196892
Occurs when Enable SSL Client Inspection is selected on the MANAGE | Security Configuration
> Decryption Services > DPI-SSL/TLS Client > General page, Category 29 (Search Engines and
Portals) is excluded on the CFS Category-based Exclusions/Inclusions view, and then a LAN-side
PC accesses a search engine. DPI-SSL still occurs.
High Availability
Known issue Issue ID
Virtual MAC addresses cannot be updated on the idle firewall. 206623
Occurs when manually changing the virtual MAC address and the Enable Virtual MAC option is
already enabled on the MANAGE | System Setup > High Availability > Base Setup page.
Logging
Known issue Issue ID
On the INVESTIGATE | Logs > Appflow Logs page, selecting Chart View from the Display Option 208389
icon displays a blank page with the error, Requests to the server have been
blocked by an extension.
Occurs when using a Chrome browser.
Management Interface
Known issue Issue ID
JS error when viewing the MONITOR | Current Status > System Status page 206529
Occurs when viewing the page on a SOHO W firewall.
Networking
Known issue Issue ID
The load balancing interface displays as up on MANAGE | System Setup > Network > Failover & 213663
Load Balancing.
Occurs when the interface is manually shut down from the CLI.
Application-based routing doesn't support SIP TLS signatures (it works with a standard route 213429
policy with Service set to Any).
Proxy page is not completely loaded for Verizon 620L and Verizon 730L WWAN cards. 213304
After failover, an N-series switch is not programmed properly with Dedicated Link-VLAN 212846
topology; hence traffic fails.
After failover, the N-switch should be programmed properly and traffic should be passed through
successful.ly
App-based routing shows idle connections in the Connections Monitor (until expiry) when a 212075
route fails over to the secondary route.
Occurs when configuring an SD-WAN with IPSec tunnels and App-based route with Skype
business - Office 365 applications. Traffic is generated and load balanced on both Tunnels. After
inducing latency on both paths and getting disqualified, traffic is processed on the standard
route, but SD-WAN connections logs still shows the traffic is being passed through SD-WAN
although the SD-WAN route is disabled. No connections should be shown in the SD-WAN
connection logs after the SD-WAN route is disabled.
STUN is detected instead of Skype for Business when connecting Video or Screen Sharing. 212059
Skype for Business is not being detected correctly when Video, Audio and Screen Sharing is used.
Instead, the Baidu App is detected and seen in the AppFlow logs.
For a tap-mode interface, after running the PortShield wizard, the interface shows tap mode, but 208645
acts as in PortShield mode.
Occurs when configuring a SonicWall ethernet interface as tap mode and then running the
PortShield wizard to choose a WAN/LAN/LAN2 Switch, after applying the change, that SonicWall
interface still shows tap mode, but it actually acts as in PortShield mode.
The PC is not able to get a DHCP IP address connected to the child extended switch port 208412
portshielded to a FW port with dedicated uplink.
Occurs when connecting a PC to an extended switch port that is portshielded to a SonicWall
firewall ethernet interface with dedicated uplink. The PC cannot get a DHCP IP address. If the
same PC port is portshielded to th X0 interface or to a VLAN subinterface of the previous
interface with dedicated uplink, then the PC can get an IP address. The switch is configured in
common uplink topology.
Editing an interface with an IE browser, results in an error. 207624
Occurs when booting the SonicWalll firewall with factory default setting and then opening an IE
browser to access the SonicWall management interface to configures an X1 interface. The IE
browser displays a sub-page about the security certificate with the message, Please wait!,
until another item is edited and saved. This issue only occurs in IE, other browsers do not have
this issue.
SSL VPN
Known issue Issue ID
Virtual Assist fails to download from the user portal. 193798
Occurs when attempting to download Virtual Assist by clicking the Virtual Assist icon. The
message, An add-on for this website failed to run, displays.
VOIP
Known issue Issue ID
SIP calls to the same destination may fail. 202700
Occurs with the SIP TCP transformations option on the MANAGE | System Setup > VOIP page
checked when making a second series of calls to the same destination within a short time.
VPN
Known issue Issue ID
IP helper over VPN does not work when configuring non-X0 as a local subnet in DHCP server side. 212009
When the local subnet on the DHCP server side is changed to X0, the issue does not occur
VPN traffic LAN > VPN or VPN > LAN fails after disabling and re-enabling the global VPN as well as 208702
the VPN policy.
Site-to-Site VPN is created and starts passing traffic. If global VPN and VPN policy are disabled
and then the SonicWall firewall is restarted, the pass-through traffic cannot resume even after
global VPN and VPN policy are re-enabled.
System Compatibility
This section provides additional information about hardware and software compatibility with this release.
GMS Support
Support for the new TZ300P and TZ600P firewalls, as well as new features introduced in SonicOS 6.5.3 will be
available in a future release of GMS. Please refer to GMS release notes for details
Browser Support
SonicOS with Visualization uses advanced browser technologies such as HTML5, which are supported in most
recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers
for administration of SonicOS. This release supports the following Web browsers:
• Chrome 45.0 and higher
• Firefox 25.0 and higher
• IE Edge or IE 10.0 and higher
• Safari 10.0 and higher running on non-Windows machines
NOTE: On Windows machines, Safari is not supported for SonicOS management.
NOTE: Mobile device browsers are not recommended for SonicWall appliance system administration.
Upgrading Information
For information about obtaining the latest firmware, upgrading the firmware image on your SonicWall
appliance, and importing configuration settings from another appliance, see the SonicOS 6.5 Upgrade Guide
available on the Support portal at https://www.sonicwall.com/en-us/support/technical-documentation.
SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance
contract and to customers who have trial versions.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.
The Support Portal enables you to:
• View knowledge base articles and technical documentation
• View video tutorials
• Access MySonicWall
• Learn about SonicWall professional services
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service
To contact SonicWall Support, visit https://www.sonicwall.com/support/contact-support.
Legend
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are
not followed.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.