SonicOS Enhanced 5.0 NSA EFT Release Notes


Page 1: SonicOS Enhanced 5.0 NSA EFT Release Notes

SonicOS SonicOS Enhanced 5.0 Early Field Trial Release Notes

Contents
Platform Compatibility ...................................... 1
Overview .................................................... 2
Downloading and Installing Firmware from Mysonicwall.com .... 3
Providing Beta Release Feedback ............................. 4
Beta Release Anomalies ...................................... 4
Beta Buddy Overview ......................................... 5
Connecting the SonicWALL Beta Buddy Appliance ............... 5
Key Features ................................................ 6
Known Issues ............................................... 13
Resolved Issues ............................................ 14

Platform Compatibility The SonicOS Enhanced 5.0.0.0 Early Field Trial release (build 31o) is supported for the following SonicWALL NSA E-Class appliances:

• SonicWALL E7500 • SonicWALL E6500 • SonicWALL E5500

This release supports the following Web browsers: • Microsoft Internet Explorer 6.0 and higher • Mozilla Firefox 2.0 and higher • Netscape 7.2 or 9.0 and higher • Opera 9.10 and higher for Windows • Safari 2.0 and higher for MacOS

Strong SSL and TLS Encryption Required in Your Browser

The internal SonicWALL Web server now only supports SSL version 3.0 and TLS with strong ciphers (128 bits or greater) when negotiating HTTPS management sessions. SSL implementations prior to version 3.0 and weak ciphers (symmetric ciphers less than 128 bits) are not supported. This heightened level of HTTPS security protects against potential SSLv2 roll-back vulnerabilities and ensures compliance with the Payment Card Industry (PCI) and other security and risk-management standards.

TIP: By default, Mozilla Firefox 2.0 and Microsoft Internet Explorer 7.0 enable SSL 3.0 and TLS, and disable SSL 2.0. SonicWALL recommends using these most recent Web browser releases. If you are using a previous release of these browsers, you should enable SSL 3.0 and TLS and disable SSL 2.0. In Internet Explorer, go to Tools > Internet Options, click on the Advanced tab, and scroll to the bottom of the Settings menu.

Page 2: SonicOS Enhanced 5.0 NSA EFT Release Notes

Overview The SonicWALL E-Class is a new generation of enterprise class network security appliances from SonicWALL. The all-new E-Class platform is purpose-built for high-speed internal and external network protection, virtual private network (VPN) implementations and deployment flexibility and scalability. The SonicWALL E-Class is a multi-core Unified Threat Management (UTM) appliance that delivers deep packet inspection without significantly impacting network throughput.

SonicOS Enhanced 5.0 on the E-Class appliances provides a newly designed graphical user interface for increased functionality and enhanced user experience, along with key features to ensure the security of your networks. Many of the newest features are described in this document, while other features have been carried over from established SonicOS releases.


Page 3: SonicOS Enhanced 5.0 NSA EFT Release Notes

Downloading and Installing Firmware from Mysonicwall.com To activate your SonicWALL E-Class network security appliance, you must download the SonicOS Enhanced 5.0 beta firmware from mysonicwall.com and install it on your appliance. The following procedures describe the necessary steps.

To Download Firmware and Release Notes:
1. Launch a Web browser on a computer that you can later connect directly to the SonicWALL appliance.
2. Point your browser at https://www.mysonicwall.com and log in or create a new account.
3. In the Register field, enter the serial number of your SonicWALL appliance, and then click Next. Complete the registration process.
4. On the Service Management screen for this appliance, scroll down to the Beta section.

Note: If you do not see the Beta section, go to Preferences for your account, select Yes, I want to be a Beta Tester, and then click Save.

5. In the row for the Beta Firmware Download for your appliance model, click Try.
6. On the Activate Service page, read the terms and conditions, select the checkbox, and click Submit.
7. On the Beta Downloads page, click the links for the firmware and release notes to download, and save the files to your computer.

To Install Firmware on Your SonicWALL E-Class Appliance:
1. Connect your computer to the X0 port on the SonicWALL appliance and configure your IP address with an address on the 192.168.168.0/24 subnet, such as 192.168.168.20.
2. Use the LCD control buttons on the front bezel to set the appliance to Safe Mode. Once selected, the LCD displays a confirmation prompt. Select Y and press the Right button to confirm. The SonicWALL security appliance changes to SafeMode.
3. Point the Web browser on your computer to 192.168.168.168. The SafeMode management interface displays.
4. Click Upload New Firmware, then browse to the location where you saved the SonicOS beta image, select the file, and click Upload.
5. When the upload is complete, you are ready to reboot your SonicWALL security appliance with the SonicOS beta image. From the SonicWALL's System > Settings page, select the boot icon for the following entry: Uploaded Firmware with Factory Defaults – New!
6. In the dialog box, click OK to proceed.
7. After the firmware boots successfully, the login screen is displayed. Enter the default user name and password (admin / password) to access the SonicWALL management interface. Booting with factory defaults restores this default credential, so change the admin password before the appliance is connected to anything other than your isolated test segment.


Page 4: SonicOS Enhanced 5.0 NSA EFT Release Notes

Providing Beta Release Feedback You can provide feedback or report a problem at any time by logging into mysonicwall.com and going to the Beta Firmware Download link for your product to access the online feedback form, or by directly emailing [email protected]. Be sure to document and keep track of your steps as you work with the beta firmware, so in the event that there is a problem SonicWALL can quickly isolate the cause. The information from the feedback form will be evaluated by a SonicWALL engineer and entered into our database for follow up. All information collected is confidential and will only be used for the purposes of the internal beta program. You can also obtain help in one of the following ways:

• SonicWALL forums at https://forum.sonicwall.com. The Beta forums are located at the bottom of the page, and the E-Class topic is under Network Security. The password to access the Beta forum is solarwind.

• Mailing list for the E-Class beta. You can subscribe to it at: http://listserv.sonicwall.com/mailman/listinfo/eseries

• Directly email feedback to [email protected].

Beta Release Anomalies In this beta release, there are certain aspects of the product that have not yet been finalized. You may see anomalies such as the following:

• References to previous SonicOS releases or outdated screenshots in the product guides
• Rendering issues in the graphical user interface, such as those relating to screen-sizing or popup windows
• User interface elements such as missing tooltips, and wizards, time-out pages, or popup windows that retain the look and feel of previous SonicOS releases


Page 5: SonicOS Enhanced 5.0 NSA EFT Release Notes

Beta Buddy Overview The Beta Buddy device is pre-configured for plug and play. It captures the console log generated by SonicOS running on the SonicWALL E-Class appliance and automatically transfers the data to SonicWALL for analysis and ongoing product improvements. It is designed to be connected to your SonicWALL appliance, your test network segment, and to the Internet.

Connecting the SonicWALL Beta Buddy Appliance The following diagram shows how to connect the Beta Buddy device to your SonicWALL E-Class appliance, test network, and Internet:

To Connect the Beta Buddy
For all connections except between Console ports, use a standard Cat 5 Ethernet cable.

1. Using a null-modem serial cable, connect the Beta Buddy Console port to the SonicWALL E-Class appliance console port.
2. Connect the Beta Buddy X0 port to the ingress for your test segment (LAN side).
3. Connect the Beta Buddy X1 port to port X0 on the E-Class appliance.
4. Connect the Beta Buddy X2 port to port X1 on the E-Class appliance.
5. Connect the Beta Buddy X3 port to the egress of your test network segment (WAN side).
6. Connect the Beta Buddy X9 port to your gateway or other Internet access. The gateway should be a DHCP server; this allows the Beta Buddy to connect to the SonicWALL network.


Page 6: SonicOS Enhanced 5.0 NSA EFT Release Notes

Key Features The following are the key features supported in SonicOS Enhanced 5.0:

• Single Sign-On User Authentication – SonicOS Enhanced 5.0 includes Single Sign-On User Authentication, which provides privileged access to multiple network resources with a single workstation login. Single Sign-On uses the SonicWALL SSO Agent to identify user activity based on workstation IP addresses. Access to resources is based on policy for the group to which the user belongs.

• Stateful Hardware Failover – SonicOS Enhanced 5.0 includes Stateful Hardware Failover, which provides improved failover performance. With Stateful Hardware Failover, the primary and backup security appliances are continuously synchronized so that the backup can seamlessly assume all network responsibilities if the primary appliance fails, with no interruptions to existing network connections. Once the primary and backup appliances have been associated as a hardware failover pair on mysonicwall.com, you can enable this feature by selecting Enable Stateful Synchronization in the Hardware Failover > Advanced page.

• Application Firewall – SonicOS Enhanced 5.0 includes Application Firewall, which provides a way to create application-specific policies to regulate Web browsing, file transfer, email, and email attachments. Application Firewall enables application layer bandwidth management, and also allows you to create custom policies for any protocol. It gives you granular control over network traffic on the level of users, email users, and IP subnets.

• HTTPS Filtering – SonicOS Enhanced 5.0 uses HTTPS Filtering to allow administrators to control user access to Web sites when using the encrypted HTTPS protocol. HTTPS Filtering is based on the ratings of Web sites, such as Gambling, Online Banking, Online Brokerage and Trading, Shopping, and Hacking/Proxy Avoidance.

Note that HTTPS Filtering is IP-based, so IP addresses must be used rather than domain names in the Allowed or Forbidden lists. You can use the nslookup command in a Windows command prompt to convert a domain name to its IP address(es). A domain may have more than one IP address, and if so, all of them must be added to the Allowed or Forbidden list. Because a lookup is only a snapshot, re-check domains whose addresses change over time (round-robin DNS, content delivery networks), or the list will silently stop matching.
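Converting a name into the complete set of addresses the list needs is where this goes wrong in practice: the resolver's own address at the top of the nslookup output gets copied by mistake, a second A record is missed, or the lookup is done once for a name that rotates. The Python below is an added example, not SonicOS code or a SonicWALL tool; it parses the nslookup output formats of Windows and of BIND-style nslookup on Linux/macOS, skips the resolver header, keeps only IPv4 answers (an assumption: the Allowed/Forbidden lists here are treated as IPv4), and merges repeated lookups. The two sample outputs are constructed and use documentation addresses.

```python
import ipaddress

# Constructed sample of Windows nslookup output for a name with several
# addresses (documentation addresses, not real records).
WINDOWS_SAMPLE = """Server:  dns.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.example.com
Addresses:  198.51.100.10
          198.51.100.11
          2001:db8::10
Aliases:  www.example.com.edgekey.net
"""

# Constructed sample in the BIND-style layout printed on Linux and macOS.
UNIX_SAMPLE = """Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\twww.example.com
Address: 198.51.100.10
Name:\twww.example.com
Address: 198.51.100.11
"""


def answer_ipv4_addresses(nslookup_output):
    """Return the unique IPv4 addresses from the answer section of one
    nslookup run, in order of appearance.

    The header (the resolver's own Server/Address lines) ends at the first
    blank line or at a line ending in "answer:", and is skipped so the
    resolver address never lands in the filter list. IPv6 answers are
    dropped: this example assumes the Allowed/Forbidden lists hold IPv4.
    """
    in_answer = False
    found = []
    for raw in nslookup_output.splitlines():
        line = raw.strip()
        if not in_answer:
            if line == "" or line.lower().endswith("answer:"):
                in_answer = True
            continue
        for token in line.split():
            if token.endswith(":"):          # field label such as "Addresses:"
                continue
            token = token.split("#", 1)[0]   # BIND prints "ip#port"
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue                     # host names, aliases, etc.
            if addr.version == 4 and str(addr) not in found:
                found.append(str(addr))
    return found


def merged_address_list(*nslookup_outputs):
    """Union of the addresses seen across several lookups, sorted numerically.
    Names behind round-robin DNS or a CDN return a different subset on each
    query, so the list should be built from repeated runs, not from one."""
    merged = set()
    for output in nslookup_outputs:
        merged.update(answer_ipv4_addresses(output))
    return sorted(merged, key=ipaddress.IPv4Address)


if __name__ == "__main__":
    for ip in merged_address_list(WINDOWS_SAMPLE, UNIX_SAMPLE):
        print(ip)
```

Feed it the saved output of several nslookup runs spread over a day and paste the merged list into the Allowed or Forbidden list; an empty result means the output had no answer section, not that the name has no addresses.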


Page 7: SonicOS Enhanced 5.0 NSA EFT Release Notes

Click the Configure button to open the HTTPS Filtering configuration screen, where you can enable IP-based HTTPS content filtering.

• SSL Control – SonicOS Enhanced 5.0 includes SSL Control, which is a system that provides visibility into the handshake of Secure Sockets Layer (SSL) sessions, and a method for configuring policies to control the establishment of SSL sessions.


Page 8: SonicOS Enhanced 5.0 NSA EFT Release Notes

• Certificate Blocking – SonicOS Enhanced 5.0 provides a way to specify which HTTPS certificates to block. This feature is closely integrated with SSL Control.

• Inbound NAT Load Balancing with Server Monitoring – SonicOS Enhanced 5.0 includes Inbound NAT Load Balancing with Server Monitoring, which detects when a server is unavailable and stops forwarding requests to it. Inbound NAT Load Balancing spreads the load across two or more servers. When NAT Load Balancing with Server Monitoring is configured in the environment, during a failure of the primary server, SonicOS forwards all requests to the alternate server(s) until it detects that the offline server is back online. Inbound NAT Load Balancing also works with SonicWALL SSL-VPN appliances.

• BWM Rate Limiting – SonicOS Enhanced 5.0 enhances the Bandwidth Management feature to provide rate limiting functionality. You can now create traffic policies that specify maximum rates for Layer 2, 3, or 4 network traffic. This enables modem bandwidth management in cases where the primary WAN link fails over to a secondary modem connection that cannot handle as much traffic.

• Security Dashboard Web Page – SonicOS Enhanced 5.0 includes the Security Dashboard page in the user interface, which displays a summary of threats stopped by the SonicWALL security appliance. The Security Dashboard shows two types of reports:

o A Global Report that displays a summary of threat data received from all SonicWALL security appliances worldwide.

o An Individual Appliance Report that displays a summary of attacks detected by the local SonicWALL security appliance.

• License Wizard – As part of the Security Dashboard, SonicOS Enhanced 5.0 provides a License Wizard for both firewall registration and the purchase of security service licenses. The available security services are the same as those that enable Global Reports by providing threat data from SonicWALL devices around the world.

• Multiple and Read-only Administrator Login – SonicOS Enhanced 5.0 includes Multiple Administrator Login, which provides a way for multiple users to be given administration rights, either full or read-only, for the SonicOS security appliance. Additionally, SonicOS Enhanced 5.0 allows multiple users to concurrently manage the appliance, but only one user at a time can be in config mode with the ability to change configuration settings. This feature applies to both the graphical user interface (GUI) and the command line interface (CLI).

• Multiple SSH Support – SonicOS Enhanced 5.0 provides support for multiple concurrent SSH sessions on the SonicWALL security appliance. When connected over SSH, you can run command line interface (CLI) commands to monitor and manage the device. The number of concurrent SSH sessions is determined by device capacity. Note that only one session at a time can configure the SonicWALL, whether the session is on the GUI or the CLI (SSH or serial console). For instance, if a CLI session goes to the config level, it will ask you if you want to preempt an administrator who is at config level in the GUI or an SSH session.

• Default CFS Policy Per Zone – SonicOS Enhanced 5.0 supports default Content Filtering policies for each network zone. This feature allows customized content filtering for different zones that is applied by default to all users logging in on that zone.

• IKEv2 Secondary Gateway Support – SonicOS Enhanced 5.0 includes IKEv2 Secondary Gateway Support, which provides a way to configure a secondary VPN gateway to act as an alternative tunnel end-point if the primary gateway becomes unreachable. While using the secondary gateway, SonicOS can periodically check for availability of the primary gateway and revert to it, if configured to do so. Configuration for the secondary VPN gateway is available under VPN > Settings > Add Policy in the management interface.


Page 9: SonicOS Enhanced 5.0 NSA EFT Release Notes

• IKEv2 Dynamic Client Support – SonicOS Enhanced 5.0 includes IKEv2 Dynamic Client Support, which provides a way to configure the Internet Key Exchange (IKE) attributes rather than using the default settings. In addition to the defaults of Diffie-Hellman (DH) Group 2, the 3DES encryption algorithm, and the SHA1 authentication method, SonicOS now allows the following IKE Proposal settings:

o DH Group: 1, 2, or 5
o Encryption: DES, 3DES, AES-128, AES-192, AES-256
o Authentication: MD5, SHA1

These settings are available by pressing the Configure button in the VPN > Advanced screen of the management interface. However, if a VPN Policy with IKEv2 exchange mode and a 0.0.0.0 IPsec gateway is defined, you cannot configure these IKE Proposal settings on an individual policy basis. Note that the VPN policy on the remote gateway must also be configured with the same settings. DES (56-bit key), MD5 and DH Group 1 (768-bit MODP) are offered for interoperability with older peers; they fall well below the 128-bit floor this release applies to HTTPS management, so use AES, SHA1 and DH Group 2 or 5 unless the remote gateway cannot.

• Wireless IDS Rogue Detection – SonicOS Enhanced 5.0 supports wireless intrusion detection on SonicPoint devices. Wireless IDS Rogue Detection allows you to configure a set of authorized access points, defined by address object groups. If contact is attempted from an unauthorized access point, SonicOS generates an alert.

• RF Management – SonicOS Enhanced 5.0 includes Radio Frequency Management on SonicPoint devices. RF Management provides detection of eleven types of wireless threats:

o Long duration attack
o Management frame flood
o Null probe request
o Broadcasting de-authentication
o Valid station with invalid SSID
o Ad-Hoc station
o Unassociated station
o Wellenreiter attack
o NetStumbler attack
o EAPOL packet flood
o Weak WEP IV
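Several of the threat types above, together with the Wireless IDS Rogue Detection case, reduce to a few rules over a stream of 802.11 management frames. The Python below is an added example, not SonicWALL's RF Management or Wireless IDS implementation; the frame log layout, the thresholds and the authorized-BSSID set are assumptions for the example. It flags beacons from a BSSID outside the authorized set, de-authentication sent to the broadcast address, probe requests with an empty SSID, and a management frame flood over a sliding one-second window, run against a constructed log.

```python
from collections import defaultdict, deque, namedtuple

# One logged 802.11 frame: time in seconds, frame subtype, source and
# destination MAC, and the SSID carried (None when the subtype has none).
# This record layout is an assumption for the example, not a sensor format.
Frame = namedtuple("Frame", "t subtype src dst ssid")

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_SUBTYPES = {"beacon", "probe_req", "probe_resp", "auth", "deauth",
                 "assoc_req", "assoc_resp", "disassoc"}


def detect(frames, authorized_bssids, flood_threshold=20, window=1.0):
    """Run four checks over a frame log and return a sorted list of
    (alert, source MAC) pairs, one per source per alert type.

    rogue_ap            beacon from a BSSID outside the authorized set
    broadcast_deauth    de-authentication sent to the broadcast address
    null_probe_request  probe request with an empty SSID (active scanners)
    mgmt_frame_flood    more than flood_threshold management frames from
                        one source inside any window-second interval
    Thresholds are assumptions, not SonicOS defaults.
    """
    alerts = set()
    recent = defaultdict(deque)   # src -> timestamps of its recent mgmt frames
    for f in sorted(frames, key=lambda x: x.t):
        if f.subtype == "beacon" and f.src not in authorized_bssids:
            alerts.add(("rogue_ap", f.src))
        if f.subtype == "deauth" and f.dst == BROADCAST:
            alerts.add(("broadcast_deauth", f.src))
        if f.subtype == "probe_req" and f.ssid == "":
            alerts.add(("null_probe_request", f.src))
        if f.subtype in MGMT_SUBTYPES:
            q = recent[f.src]
            q.append(f.t)
            while q and f.t - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) > flood_threshold:
                alerts.add(("mgmt_frame_flood", f.src))
    return sorted(alerts)


# Constructed frame log: one legitimate AP, one rogue AP that copies the
# corporate SSID and kicks clients off, and one scanner flooding probes.
AUTHORIZED = {"00:17:c5:aa:aa:aa"}
ROGUE = "00:de:ad:be:ef:01"
SCANNER = "00:11:22:33:44:55"
SAMPLE_LOG = (
    [Frame(0.0, "beacon", "00:17:c5:aa:aa:aa", BROADCAST, "corp"),
     Frame(0.1, "beacon", ROGUE, BROADCAST, "corp"),
     Frame(0.2, "deauth", ROGUE, BROADCAST, None),
     Frame(0.3, "deauth", ROGUE, BROADCAST, None)]
    + [Frame(1.0 + i * 0.02, "probe_req", SCANNER, BROADCAST, "") for i in range(25)]
    + [Frame(5.0, "probe_req", "00:ab:cd:ef:00:01", BROADCAST, "corp")]
)

if __name__ == "__main__":
    for alert, src in detect(SAMPLE_LOG, AUTHORIZED):
        print(f"{alert:20} {src}")
```

The flood rule is deliberately per-source and windowed rather than a plain count, since a busy but legitimate client will exceed any total over a long enough capture; the rogue check keys on the BSSID, not the SSID, which is exactly what the rogue in the sample copies.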

• Enhanced Packet Capture – SonicOS Enhanced 5.0 provides an enhanced version of the Packet Capture feature. Enhanced Packet Capture contains improvements in both functionality and flexibility, including the following:

o Capture control mechanism with improved granularity for custom filtering
o Display filter settings independent from capture filter settings
o Packet status indicating dropped, forwarded, generated, or consumed
o Three-window output in the user interface that provides the packet list, decoded output of the selected packet, and hexadecimal dump of the selected packet
o Export capabilities that include text, HTML, hex dump, and CAP file format
o Automatic buffer export to FTP server when full
o Bidirectional packet capture based on IP address and port
o Configurable wrap-around of capture buffer when full

• Link Monitor Tool – SonicOS Enhanced 5.0 provides a new Link Monitor tool on the System > Diagnostics page to allow the administrator to monitor ingress/egress link utilization.


Page 10: SonicOS Enhanced 5.0 NSA EFT Release Notes

• User Authentication – There are a number of enhancements to user authentication in SonicOS Enhanced 5.0, including optional case-sensitive user names, optional enforcement of unique login names, support for MSCHAP version 2, and support for VPN and L2TP clients changing expired passwords (when that is supported by the back-end authentication server and protocols used). Note that for this purpose there is a new setting on the VPN > Advanced page to cause RADIUS to be used in MSCHAP mode when authenticating VPN client users.

• IP Helper Scalability – SonicOS Enhanced 5.0 provides enhancements to the IP Helper architecture to support large networks. Improvements include changes to DHCP relay and Net-BIOS functionality. DHCP relay over VPN is now fully integrated.

• Diagnostics Page Tool Tips – SonicOS Enhanced 5.0 incorporates self-documenting mouse-over descriptions for diagnostic controls in the graphical user interface.

• Generic DHCP Option Support – SonicOS Enhanced 5.0 supports generic DHCP configuration, which allows vendor-specific DHCP options in DHCP server leases.

• DHCP Server Lease Cross-Reboot Persistence – SonicOS Enhanced 5.0 includes DHCP Server Lease Cross-Reboot Persistence, which provides the ability to record and return to DHCP server lease bindings across power cycles. The SonicWALL security appliance does not have to depend on dynamic network responses to regain its IP address after a reboot or power cycle. This feature is supported on all SonicWALL PRO platforms. It is not supported on SonicWALL TZ platforms.

• DHCP Client Reboot Behavior Control – In SonicOS Enhanced 5.0 you can configure the WAN DHCP client to perform a DHCP RENEW or a DHCP DISCOVERY query when attempting to obtain a lease. The previous behavior was to always perform a RENEW, which caused lease failures on some networks, particularly certain cable modem service providers. The new behavior is to perform a DISCOVERY, but it is configurable. A checkbox has been added to the Network > Interfaces > WAN > DHCP Client page:

o Enabled: when the appliance reboots, the DHCP client performs a DHCP RENEW query.
o Disabled (default): when the appliance reboots, the DHCP client performs a DHCP DISCOVERY query.

• Custom IP Type Service Objects – SonicOS Enhanced 5.0 includes support for Custom IP Type Service Objects, allowing administrators to augment the pre-defined set of Service Objects.

• Dynamic Address Objects – SonicOS Enhanced 5.0 supports two changes to Address Objects:

o MAC – SonicOS Enhanced 5.0 will resolve MAC AOs to an IP address by referring to the ARP cache on the SonicWALL.
o FQDN – Fully Qualified Domain Names (FQDN), such as 'www.sonicwall.com', will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL. Wildcard entries are supported through the gleaning of responses to queries sent to the sanctioned DNS servers.

• Dynamic Route Metric Recalculation Based on Interface Availability – In SonicOS Enhanced 5.0, to better support redundant or multiple path Advanced Routing configurations, when a default-route's interface is unavailable (due to no-link or negative WAN LB probe response), that default route's metric will be changed to 255, and the route will be instantly disabled. When a default-route's interface is again determined to be available, its metric will be changed back to 20, and the route will be non-disruptively enabled.


Page 11: SonicOS Enhanced 5.0 NSA EFT Release Notes

• Virtual Access Points – SonicOS Enhanced 5.0 supports Virtual Access Points. A Virtual Access Point (VAP) is a multiplexed instantiation of a single physical Access Point (AP) so that it presents itself as multiple discrete Access Points. To wireless LAN clients, each Virtual AP appears to be an independent physical AP, when there is actually only a single physical AP. Before Virtual AP feature support, wireless networks were relegated to a one-to-one relationship between physical Access Points and wireless network security characteristics, such as authentication and encryption. For example, an Access Point providing WPA-PSK security could not simultaneously offer Open or WPA-EAP connectivity to clients. If Open or WPA-EAP were required, they would need to have been provided by a separate, distinctly configured AP. This forced WLAN network administrators to find a solution to scale their existing wireless LAN infrastructure to provide differentiated levels of service. With the Virtual Access Point feature, multiple VAPs can exist within a single physical AP in compliance with the IEEE 802.11 standard for the media access control (MAC) protocol layer that includes a unique Basic Service Set Identifier (BSSID) and Service Set Identifier (SSID). This allows segmenting wireless network services within a single radio frequency footprint of a single physical access point device. In SonicOS Enhanced 5.0, VAPs allow the network administrator to control wireless user access and security settings by setting up multiple custom configurations on a single physical interface. Each of these custom configurations acts as a separate (virtual) access point, and can be grouped and enforced on single or multiple physical SonicPoint access points simultaneously. You can configure up to eight VAPs per SonicPoint access point.


Page 12: SonicOS Enhanced 5.0 NSA EFT Release Notes

• Layer 2 Bridge Mode – SonicOS Enhanced 5.0 supports Layer 2 (L2) Bridge Mode, a new method of unobtrusively integrating a SonicWALL security appliance into any Ethernet network. L2 Bridge Mode is similar to SonicOS Enhanced Transparent Mode in that it enables a SonicWALL security appliance to share a common subnet across two interfaces, and to perform stateful and deep-packet inspection on all traversing IP traffic, but it is functionally more versatile. L2 Bridge Mode employs a secure learning bridge architecture, enabling it to pass and inspect traffic types that cannot be handled by many other methods of transparent security appliance integration. Using L2 Bridge Mode, a SonicWALL security appliance can be non-disruptively added to any Ethernet network to provide in-line deep-packet inspection for all traversing IPv4 TCP and UDP traffic. Unlike other transparent solutions, L2 Bridge Mode can pass all traffic types, including IEEE 802.1Q VLANs, Spanning Tree Protocol, multicast, broadcast, and IPv6, ensuring that all network communications will continue uninterrupted. L2 Bridge Mode provides an ideal solution for networks that already have an existing firewall, and do not have immediate plans to replace their existing firewall but wish to add the security of SonicWALL Unified Threat Management (UTM) deep-packet inspection, such as Intrusion Prevention Services, Gateway Anti-Virus, and Anti-Spyware.

Key Features of SonicOS Enhanced Layer 2 Bridge Mode
The following table outlines the benefit of each key feature of layer 2 bridge mode (each feature name is followed by its benefit):

L2 Bridging with Deep Packet Inspection

This method of transparent operation means that a SonicWALL security appliance can be added to any network without the need for readdressing or reconfiguration, enabling the addition of deep-packet inspection security services with no disruption to existing network designs. Developed with connectivity in mind as much as security, L2 Bridge Mode can pass all Ethernet frame types, ensuring seamless integration.

Secure Learning Bridge Architecture

True L2 behavior means that all allowed traffic flows natively through the L2 Bridge. Whereas other methods of transparent operation rely on ARP and route manipulation to achieve transparency, which frequently proves problematic, L2 Bridge Mode dynamically learns the topology of the network to determine optimal traffic paths.

Universal Ethernet Frame-Type Support

All Ethernet traffic can be passed across an L2 Bridge, meaning that all network communications will continue uninterrupted. While many other methods of transparent operation will only support IPv4 traffic, L2 Bridge Mode will inspect all IPv4 traffic, and will pass (or block, if desired) all other traffic, including LLC, all Ethertypes, and even proprietary frame formats.

Mixed-Mode Operation

L2 Bridge Mode can concurrently provide L2 Bridging and conventional security appliance services, such as routing, NAT, VPN, and wireless operations. This means it can be used as an L2 Bridge for one segment of the network, while providing a complete set of security services to the remainder of the network. This also allows for the introduction of the SonicWALL security appliance as a pure L2 bridge, with a smooth migration path to full security services operation.


Page 13: SonicOS Enhanced 5.0 NSA EFT Release Notes

Known Issues The following issues are known to exist in this SonicOS Enhanced 5.0 early field trial release:

High Availability / Stateful High Availability
• 52342: Symptom: Network traffic from the LAN to the WAN is dropped after a failover followed by a failback. Condition: Occurs when Stateful Synchronization and Virtual MAC are enabled, and when a small HA Heartbeat Interval is configured. A value of 1000 milliseconds or greater should be used when Stateful Synchronization is enabled (as recommended in the user interface).

• 52132: Symptom: In an HA pair configured for Interface Monitoring where the primary unit has an active WAN connection but the backup does not, the unit without an active WAN connection can be selected as the primary unit even when both units are available. Condition: Occurs after a failover followed by the primary becoming available again when Interface Monitoring is configured for the HA pair.

• 52097: Symptom: An FTP connection loses its control channel connectivity after a failover. Condition: Occurs when a failover happens after an FTP connection is initiated, but before the user has logged into the FTP server.

• 52015: Symptom: Preempt mode is not supported with Stateful High Availability. Condition: Preempt mode is disabled whenever Stateful Synchronization is enabled. Workaround: Reboot the backup unit to simulate preempt mode, causing the original primary unit to regain primary status.

• 51339: Symptom: The backup system in an HA pair can become out of sync with the primary unit when firmware is booted on it. Condition: Occurs when a version of SonicOS firmware that does not match the version on the primary unit is manually booted on the backup unit.

• 50380: Symptom: High availability cannot be enabled after disabling it and rebooting. Condition: Occurs when both SonicWALL appliances are rebooted with factory defaults.

Networking

• 51328: Symptom: In an HA pair, 802.1p marking and DSCP do not behave as configured after failover to the backup unit, but instead show the priority and value settings of the traffic. Condition: Occurs when 802.1p marking and DSCP are set to Explicit with certain values set on the VPN>LAN access rule on the HA pair, and then the primary unit is powered off to cause failover while traffic is flowing through the VPN tunnel.

• 51136: Symptom: The ARP cache can contain multiple entries for a single MAC address even if Bind MAC Address is enabled. Condition: Occurs when a static ARP entry is added with Bind MAC Address selected, and then the DHCP lease of that computer is released and renewed, or the computer is manually set to another IP address and then pinged.

• 51071: Symptom: In some cases, FTP traffic from the WAN to a LAN FTP server does not complete. Condition: Occurs when "Always proxy WAN client connections" is enabled on the Firewall > TCP Settings page.

• 51000: Symptom: A device whose speed setting differs from the speed and duplex configured for an interface in the user interface can still connect to that interface. When it does, the interface speed setting in the UI changes to match the device speed, and the duplex setting reverts to the default for that speed (10Mbps/Half-duplex; 100Mbps/Full-duplex). Condition: Occurs when the connected device has a different speed setting than the setting in the UI.

• 49411: Symptom: The Map function does not work as expected for 802.1p marking in the following configuration: VLAN interfaces are added in the LAN and WAN zones, VLAN tagging is enabled on the LAN and WAN interfaces, DSCP marking is set to Preserve, and 802.1p marking is set to Map. Condition: Occurs when the DSCP value in packets sent from the LAN is set to 8 (Class Selector = 1) and the VLAN user priority in those packets is set to 4. Packets captured on the WAN side still show a VLAN priority of 4 rather than 1. With this configuration, according to the QoS mapping table, the VLAN priority should be changed to 1.
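
As an added example (not part of these release notes), the following Python check parses an 802.1Q-tagged IPv4 frame captured on the WAN side and compares its 802.1p priority with what the Map setting should produce. The general rule it assumes (802.1p priority = DSCP class selector, i.e. DSCP >> 3) extends the single data point the issue gives (DSCP 8 / CS1 should map to priority 1), and the frames it builds are constructed test data rather than real captures.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def parse_tagged_frame(frame: bytes) -> dict:
    """Parse an 802.1Q-tagged IPv4 frame and return its 802.1p PCP, VLAN ID and DSCP."""
    if len(frame) < 18 + 20:
        raise ValueError("frame too short for 802.1Q tag plus IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        raise ValueError("frame is not 802.1Q tagged")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    if inner_type != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    pcp = tci >> 13            # top 3 bits of the TCI: 802.1p priority
    vlan_id = tci & 0x0FFF     # low 12 bits: VLAN identifier
    dscp = frame[19] >> 2      # IPv4 TOS byte (offset 18 + 1); DSCP is its top 6 bits
    return {"pcp": pcp, "vlan_id": vlan_id, "dscp": dscp}


def expected_pcp_for_map(dscp: int) -> int:
    """Assumed Map rule: 802.1p priority equals the DSCP class selector (DSCP >> 3)."""
    return (dscp >> 3) & 0x7


def check_map_marking(frame: bytes) -> tuple:
    """Return (ok, observed_pcp, expected_pcp) for a frame captured on the WAN side."""
    hdr = parse_tagged_frame(frame)
    expected = expected_pcp_for_map(hdr["dscp"])
    return hdr["pcp"] == expected, hdr["pcp"], expected


def build_frame(pcp: int, vlan_id: int, dscp: int) -> bytes:
    """Construct a minimal tagged IPv4 frame (constructed test data, not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4)
    # Version/IHL, TOS, total length, id, flags/frag, TTL, protocol (ICMP), checksum, src, dst
    ip = bytes([0x45, dscp << 2]) + struct.pack(
        "!HHHBBH4s4s", 20, 0, 0, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([192, 168, 1, 1]))
    return eth + tag + ip


if __name__ == "__main__":
    # The case from issue 49411: DSCP 8 (CS1) from the LAN, priority 4 still seen on the WAN.
    print(check_map_marking(build_frame(pcp=4, vlan_id=100, dscp=8)))  # (False, 4, 1)
    print(check_map_marking(build_frame(pcp=1, vlan_id=100, dscp=8)))  # (True, 1, 1)
```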

VPN

• 52587: Symptom: During IKE negotiation, ISAKMP packets are sent from the LAN IP although a VPN policy is configured with Tunnel All. Condition: Occurs when the option 'Use this VPN Tunnel as default route for all Internet traffic' is selected as the Destination Network in an IKE VPN policy.


Resolved Issues

The following issues are resolved in this SonicOS Enhanced 5.0 early field trial release:

Bandwidth Management

• 51060: Symptom: In some cases, the SonicWALL panics and does not automatically reboot when bandwidth management rules are being reconfigured. Condition: Occurs when heavy network traffic is passing through the device while inbound BWM rules are being enabled or disabled.

Log

• 50973: Symptom: Log view does not show all RBL Filter log messages for detected spam, and the connection is not reset. Condition: Occurs when Enable Real-time Black List Blocking and RBL Services are enabled while SMTP traffic is sent from a (spoofed) address that is listed in the RBL.

Networking

• 51293: Symptom: In an HA pair, the default route is not present on the backup firewall even after it becomes the active unit. Condition: Occurs when the X1 (WAN) interface on the backup firewall is disconnected, the unit is then rebooted without the default route being set, and failover then occurs.

System

• 51107: Symptom: Prefs files are not imported correctly from the CLI, and attempting to do so causes the SonicWALL to get a fatal error and reboot. Condition: Occurs when connected to the SonicWALL with a serial console cable and logged in over HyperTerminal, and the CLI command “import preferences” is used.

• 50731: Symptom: A system backup cannot be created. Condition: Occurs when attempting to create a backup by using the Create Backup button in the System > Settings page of the user interface.

Upgrade

• 51083: Symptom: The SonicWALL gets a fatal error and reboots continuously after importing certain prefs files. Condition: Occurs when a prefs file from a PRO 5060 is imported into an E-Class appliance that does not have the same number of interfaces.

Users

• 51055: Symptom: The SonicWALL gets a critical error in some cases when a domain user tries to access the Internet. Condition: Occurs when SSO is configured to allow only users listed locally, but the local user name does not contain the domain component.

• 50879: Symptom: In some cases, using RADIUS for authentication does not work. Condition: Occurs when the RADIUS server is running FreeRADIUS on UNIX.

VoIP

• 51210: Symptom: H.323 outgoing calls from LAN to WAN, or from LAN to the LAN of another firewall, fail to connect. Condition: Occurs when all H.323 clients are registered to an H.323 Gatekeeper located on the WAN.

• 51114: Symptom: A Cisco phone located in the LAN zone of the NSA unit cannot receive incoming calls. Condition: Occurs when the call comes from a Cisco phone in the LAN zone of a PRO 2040 unit; calls in the other direction work correctly.

P/N 232-001053-00 Rev 05 Document created: 7/11/2007 Last updated: 9/28/2007