
Sonicwall 5.8 New Features


I'm very impressed by all the new features that Sonicwall has added in v5.8. I spoke to Jock Breitwieser and Eric Crutchlow, who gave us a nice overview of some of the features. I wanted to make sure I didn't miss anything, as there were quite a few changes. There are even more NG (Next Generation) Firewall features coming this year in v6.0. Sonicwall has been a great vendor for us; I am very happy we moved to their platforms.

Here are some of the new features (screenshots), with some explanation above each screen capture.

Before you can turn on the netflow sender (and the built-in netflow collector) you need to consider the impact this will have on your firewall. Keep an eye on your CPU and ensure you aren't running above 50%, or you will probably have CPU contention issues. You also need to be aware that the memory used by the netflow database and visualization will reduce your peak connection count. This model is an NSA 3500 (http://www.sonicwall.com/us/products/NSA_3500.html) which, prior to netflow, could handle 35,000 stateful connections; it can only handle 49,152 when I have all of the DPI (Deep Packet Inspection) and Netflow enabled. This includes gateway antivirus, content filtering, IDS/IPS, and more. As you can see, we don't go over 4000, which makes this a non-issue. Most firewalls can handle much higher connection and CPU workloads than people are actually using.



First you have to turn on flow reporting. You can turn it on internally and/or send the flows off to another netflow collector:

http://www.networkuptime.com/tools/netflow/
http://www.solarwinds.com/downloads/ - Solarwinds makes a nice free netflow collector as well.



Once you have netflow turned on you can see the applications below being collected; there are many views, graphs, and other options:


Here is a user list with our AD users and how much traffic, how many connections, and what throughput each is generating. You will need to set up SSO for this to work (more on that later):
Here is the realtime monitor. This is the default view, which shows the main applications; you can filter by interface or by application and see realtime usage:


Here is a view of just some of the applications I picked: evernote, twitter, wikipedia, google, twitter:



Now for the SSO: you need to set up a small program on a Windows host which receives requests from the firewall and looks up the users via Active Directory in order to correlate the DHCP address (we use Windows DHCP) with the username. Here is the SSO setup screen:

When you click Configure next to the "SonicWALL SSO Agent" you get the following screen, where you can set up the agent and view the stats for the agent process:
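To make the two pieces above concrete (flows exported to an external collector, and the SSO agent's IP-to-user mapping that turns per-address traffic into per-user traffic), here is an added Python example that is not code from this post, from SonicWall, or from the SSO agent. It decodes a NetFlow v5 datagram on the collector side and sums bytes per AD user; the v5 export format, the sample datagram and the IP-to-user map are assumptions constructed here, since the post does not state which NetFlow version the firewall sends.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (assumed export format; SonicOS's version is not stated in the post).
HEADER_FMT = "!HHIIIIBBH"                # 24-byte packet header
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # 48-byte flow record
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 datagram into flow dicts, refusing truncated or non-v5 data."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header advertises more records than the datagram carries")
    flows = []
    for i in range(count):
        r = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "bytes": r[6], "dport": r[10], "proto": r[13]})
    return flows


def bytes_per_user(flows, ip_to_user):
    """Sum flow bytes by the AD user the SSO agent mapped to each source address."""
    totals = defaultdict(int)
    for flow in flows:
        totals[ip_to_user.get(flow["src"], "unmapped")] += flow["bytes"]
    return dict(totals)


def _record(src, dst, octets, dport, proto=6):
    # Build one flow record; uptime/AS/mask fields are filled with placeholder values.
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, 10, octets, 0, 1000, 51000, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram (three flows) and a constructed IP-to-user map
# standing in for what the SSO agent learns from Active Directory/DHCP.
SAMPLE_DATAGRAM = (struct.pack(HEADER_FMT, 5, 3, 123456, 1700000000, 0, 42, 0, 0, 0)
                   + _record("10.0.0.11", "93.184.216.34", 52000, 443)
                   + _record("10.0.0.12", "93.184.216.34", 8000, 80)
                   + _record("10.0.0.11", "10.0.0.5", 1500, 445))
SAMPLE_USERS = {"10.0.0.11": "CORP\\alice", "10.0.0.12": "CORP\\bob"}
```

Addresses the SSO agent has not resolved are reported under "unmapped", which is the bucket to watch when the agent is unreachable or a host is not domain-joined.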

Sonicwall has also added application control, a set of rules that allows much more customized actions based on the application detection engine. Before you can use these rules you need to turn App Control on (below), and then turn it on for a zone. After that you can control the applications. I have attached some additional applications below as well:




You can also define your own custom applications, which can then be used in rules:

The Content Filter can use Users/Zones (legacy) or App Rules, which are far more flexible. They can be restricted and bandwidth controlled:



Email addresses and content can also be included in App Rules:

Here are the Action objects (what you want to do if an App Rule is matched). You can also define your own. Note that you have options such as Bandwidth Management, Blocking, Ignoring DPI, or enabling a packet capture session (for debugging those difficult-to-find issues).

If you have any questions please leave a comment or hit me up on twitter or instant messenger. I hope you found this useful!

Comments

Vinny Booth said…
We are a SonicWALL Gold Partner here in the UK (www.solved.it) and have been using this since early beta stage. I can't agree with you more how good this new update is and am also very much looking forward to all coming in the next few releases.

Your article is spot on - many thanks for sharing.

Vinny
