01/11/2024
Description
This article helps answer frequently asked questions regarding SonicOS 7.1.1.
Q. What is SonicOS 7.1.1?
A. SonicOS 7.1.1 is the feature release available on all Gen 7 firewalls which brings in new capabilities around security, content filtering, integrations and virtual platforms.
Q. Will we be able to manage SonicOS 7.1 from NSM 2.3.5?
A. NSM 2.3.5 will not support SonicOS 7.1. The support for SonicOS 7.1 will be available from NSM 2.4.0, which will be released early next year (2024). Please read the following article on NSM Compatibility with SonicOS 7.1.
Q. What are the new features available on SonicOS 7.1.1?
A. The major features implemented in SonicOS 7.1.1 are DNS Filtering, reputation-based content filtering, Wi-Fi 6 access-point management, Network Access Control (NAC) integration with Aruba ClearPass, NSv bootstrapping, auto-update firmware and some other enhancements with storage and user interface (UI) for ease of use.
Q. How can existing firewall customers running SonicOS 7 upgrade/migrate to SonicOS 7.1.1?
A. You can upgrade the firewall to SonicOS 7.1 on box without using a migration tool.
Q. How can existing firewall customers running SonicOS6.5 and previous versions upgrade to SonicOS 7.1.1?
A. Users will be required to make use of our Secure Upgrade Program to upgrade their existing hardware models to Gen 7. They will then need to migrate their settings to the new firewall running 7.1.1 OS
Learn more about the Secure Upgrade Program
Q. Are there any new features in 7.1.1 that will require new licenses?
A. The DNS Filtering feature is a licensed feature that will be available as an a la carte license for Gen 7 firewalls without the APSS bundle.
Q. Do I need any additional licensing if I already have the APSS license available on my current Gen 7 firewall?
A. No.
Q. Can I perform a firmware/OS upgrade on my existing NSv NGFW running SonicOS 7.1.1?
A. The downgrade of firmware from SonicOS 7.1 to SonicOS 7.0 is not supported. Please refer to this article when upgrading your firewall: How can I upgrade SonicOS Firmware?
Q. Is there any change in behavior with regard to Policy Mode with 7.1.1?
A. There is no change in behavior with regard to Policy Mode in SonicOS 7.1.1. The NSv 270, 470 and 870 will continue to support both Global and Policy Mode. The NSsp15700 will continue to support only Policy Mode.
Q. What is CFS 5.0? How does it differ from CFS 4.0?
A. Content Filtering Service 5.0 brings category extension with CFS 4.0. SonicOS 7.0.1 supported 64 categories and that has been increased to 89. Content Filtering 5.0 brings in performance improvements along with reputation-based blocking.
Q. What is upgrade behavior when a user upgrades from SonicOS 7.0.1 to SonicOS 7.1.1 with regard to CFS policies?
A. There will be no impact on the existing CFS policies, however as CFS 5.0 brings in reputation-based blocking, users will be required to configure the CFS policies with the new reputation parameter in CFS 5.0. Please refer to this upgrade article.
Q. Can we downgrade the firewall from SonicOS 7.1 to SonicOS 7.0?
A. The downgrade of firmware from SonicOS 7.1 to SonicOS 7.0 is not supported. Please refer to this article when upgrading your firewall.
Q. What is DNS Filtering? How is it different from the current DNS capabilities in SonicOS 7.0.1?
A. DNS Filtering inspects the DNS traffic in real time and provides the ability to block threats and access to malicious websites. DNS Filtering blocks threats before they can reach your network. The DNS security capabilities on 7.0.1 include DNS Tunnel Detection and DNS Sinkholes. Please read DNS Security to understand them in detail.
Q. What is the upgrade behavior when users upgrade from SonicOS 7.0.1 to SonicOS 7.1.1 with regard to DNS proxy and sink-holing?
A. The upgrade from SonicOS 7.0.1 to SonicOS 7.1.1 would have no impact on the behavior that was there previous to the SonicOS 7.1 upgrade.
Q. What does the NAC integration feature do?
A. SonicWall Next-Generation Firewalls (NGFWs) provide Restful threat API which integrates with Aruba ClearPass as network access control (NAC). ClearPass can pass the security context vectors using the restful API which is included with SonicWall NGFWs. ClearPass can pass security context vectors including Source IP, Source MAC, User ID, User Role, Domain, Device Category, Device Family, Device Name, OS Type, Hostname and Health Posture to SonicWall NGFWs to enforce real-time rules based on Device Type, OS and Device Health Posture at every point of control. When an alert is generated on a client machine, it can be shared by ClearPass to SonicWall NGFWs which would trigger a range of predetermined, policy-based actions from quarantine to blocking.
Q. Does this NAC integration feature work with any NAC providers?
A. No, this NAC integration only works with Aruba ClearPass.
Q. Which access point models can I integrate with firewalls running SonicOS 7.1.1?
A. With the launch of SonicOS 7.1.1, users will now also be able to integrate and manage Wi-Fi 6 APs like 621, 641 and 681.
Q. How can I automate NSv deployment using the bootstrapping feature? Which platforms support this feature?
Bootstrapping helps with NSv automated deployments. Token-based registration will help ease the bootstrapping process. KVM already supported bootstrapping in SonicOS 7.0.1. With the launch of 7.1.1, other platforms like VMWare, Hyper-V, AWS and Azure will also support bootstrapping features.
Q. How is the bootstrapping process different between private cloud and public cloud?
A. The bootstrapping process is not different between private cloud and public cloud. SonicOS supports bootstrapping on AWS, Azure, VMware, KVM and Hyper-V.
Q. What are the new parameters that will be stored in secondary storage modules with the launch of 7.1.1?
A. TSR , exp, PCAP, threat logs and appflow logs will be stored in the secondary storage module as part of SonicOS 7.1.1
Q. Will the new features available in SonicOS 7.1.1 be available in the Capture Threat Assessment (CTA) report?
A. During the launch, the new features in SonicOS 7.1.1 will not be included in the CTA report.
Q. Are the new features available on NSM?
A. Yes. The upcoming NSM version 2.4 is planned to support the new features on SonicOS 7.1.1.
Q. Can I manage SonicOS 7.1.1 on the previous versions of NSM (prior to 2.4)?
A. You can upgrade the SonicOS version to 7.1.1, but the new features which are part of 7.1.1 will not be available on NSM versions prior to 2.4
Q. What are the best practices to be followed on SonicOS 7.1.1?
A. Please follow the best practices when upgrading the firewall from SonicOS 7.0.1 to SonicOS 7.1 documented here.
The migration tool is not required for the configuration migration from SonicOS 7.0 to SonicOS 7.1. Any customer migrating from Gen 6 to SonicOS 7.1 would need to upgrade to SonicOS 7.0.1 using the migration tool and then migrate to SonicOS 7.1.
DNS Filtering is the first line of defense and works independent of Content Filtering Services (CFS). Please follow the admin guides for seamless configuration with best practices.
Q. What is the new website for URL rating and reputation lookup with CFS 5.0?
A. https://cfssupportapi.global.sonicwall.com/
Q. How can I check the URL rating on the firewall UI?
A. Device –> Diagnostics –> URL Rating Request Tool
Q. What is the performance impact of enabling the new SonicOS 7.1 features on an existing firewall?
A. We do not expect there to be any impact on the performance of an existing firewall because of new features.
Q. Can DNS proxy 4to4 and 4to6 features work alongside DNS filtering? Can this be accomplished by adding an additional DNS proxy-only rule alongside a DNS filtering rule for X0 Interface? If so, what will take precedence/priority?
A. DNS rules give the choice of either proxy or filtering on a single rule. When proxy is enabled, Client 4to4 or 4to6 DNS queries can be proxied. When DNS filtering is enabled, only Client 4to4 Requests DNS queries will be proxied and filtered.
—While DNS proxies will process both DNS TCP and DNS UDP, DNS filtering is only for DNS UDP.
—Both proxy or filtering DNS rules can be stacked, the most specific match will be applied, and the lookup precedence/priority is top-down.
—To have DNS proxy 4to6 alongside DNS filtering, the proxy rule must explicitly have source zone and address of the 4to6 Clients for the traffic to hit the rule and the policy to be applied
Q. Can DNS Filtering be applied on custom zones or is it restricted to default zones, LAN, DMZ and WLAN?
A. DNS Filtering can be applied to LAN, DMZ and WLAN zones as well as custom zones with Trusted, Public and Wireless Security Types.
Q. How long does a cache entry last before we request a category for a specific domain again?
A. The cache entry of a domain would depend on the TTL of the domain.
Q. Are there plans to support DNS over TLS and DNS over HTTPS?
A. Yes. DNS over TLS and DNS over HTTPS will be available in a future release.
Q. Will the DNS Filtering license be included with any existing bundle or does the customer need to buy it separately?
A. DNS Filtering will be available with APSS and there will be a la carte SKUs for EPSS, TPSS and HW only.
Q. What happens to the WNM managed access-point when the firewall is upgraded to SonicOS 7.1?
A. Please note that if you have 600 series access points on the network connected to a WLAN zone of a firewall with 7.0.x managed by WNM, after the update to 7.1 the access points will be acquired by the firewall. All WNM settings will not be available. Please “Disable SonicPoint/SonicWave management” on the WLAN zone for seamless management.
Related Articles
- Why is my SonicWall’s power, test, or alarm LED blinking?
- Microsoft Teams randomly dropping (Video conferencing applications)
Categories
Source :
https://www.sonicwall.com/support/knowledge-base/sonicos-7-1-1-faq/231212121859137/