Upgrading from a Sonicwall Pro 2040 Enhanced
I recently had the opportunity to use the new Sonicwall NSA 2400. The Sonicwall name has been around for a while, known for making low-to-mid level network firewalls with available security service options. In the past I had used a Sonicwall Pro 2040 with the enhanced firmware – providing IDS/IPS, gateway antivirus, gateway antispyware and content filtering in addition to the firewall function. This new Sonicwall NSA 2400 was going to replace the Pro in a production environment.
The unit arrived Fed-Ex, in good shape. Sonicwall seems to double box their products, and then cushion the device in a layer of protective foam. The kit included the NSA 2400, a console cable, some ethernet cables, a power cord and documentation. Rack mount ears are also included- interestingly enough, these are a different hole pattern than past Sonicwall devices I have encountered. The NSA 2400 was preloaded with SonicOS Enhanced 5.0.2.0 from the factory.
The unit itself features 6 Gigabit Ethernet ports for connectivity, a console port and 2 USB ports- the manual defines these as ‘future use’. The Gig E ports are user definable- X0 and X1 are LAN and WAN, and the rest is up to the user to utilize or not.
Hooking up the unit for a basic config, I attached a ethernet cable from my laptop to the X0 port,after configuring my NIC to use an unused address on the Sonicwall’s default network segment. I then used a browser to hit 192.168.168.168, and was greeted with a simple setup wizard. I went ahead and cancelled the wizard, because I had some specific settings I wanted to use.
Next, The Sonicwall needs to be tied to a mysonicwall.com account. This will give you access to updates, tech support and registration. I grabbed the latest firmware and caught a backup of the default settings before updating to version 5.2.0.1-21. The unit then rebooted.
Once the unit came back up. I used the system-settings page to import my settings from a Sonicwall Pro 2040 (enhanced). This applied to any settings that had remained the same across the devices. The ability to do this was a selling point when considering this unit.
An interesting problem occurred- I had had a rule specifying outbound allowed ports. This rule included the Sonicwall management ports. When the settings were imported, the Sonicwall dropped the rule. This resulted in service traffic not passing through the Sonicwall. After a bit of hunting around, I noticed the rule was not in place. Attempting to recreate it showed that mixing of management and non-management ports was not allowed on this device- on the Pro 2040, it was acceptable. By removing the management ports, I was allowed to recreate the rule and the Sonicwall came to life. Not getting an error message was somewhat disheartening, however.
In this case, the extra interfaces on the NSA 2400 will not be used. The device is behind a router, so the Sonicwall basically does NAT and packet filtering. The Gigabit speed interfaces probably will not have too much of an impact, as the Sonicwall NAS 2400 is constrained by its partner devices in this implementation.
One important thing to take care of is changing the default password. Restoring a config file from a backed up device does not contain this, and will change the password back to the default (admin-password). The Sonicwall can also be configured to use strong passwords and have automatic expiry. This configuration is under the users -> settings page and also the system->Administration page. For some reason, changing it is optional, yet not changing the password is suicidal. This is a security device, is it not?
The new interface is improved, with a cleaner overall look. Sonicwall’s past page designs have been hard to look at. The new layout is much more pleasing to the eye. The new page styles are intuitive, and have no extra clutter in the presentation.
One of the new features the NSA 2400 device has is an application layer firewall. You can set up policies to allow of disallow access at the application layer. There is a nice tutorial available, discussing bandwidth management of MP3 downloads and showing how the application layer firewall can be used to limit the amount of available bandwidth without denying them entirely.
Speaking of tutorials, there seems to be a number of Macromedia Captivate presentations accessible through the management interface. These tutorials run through typical tasks and do a good job explaining the different features – they do not cover every scenario, but exist more to point out how things are done in the Sonicwall world
Overall, the Sonicwall NSA 2400 is a hardware bump to the Pro 2040, with a faster processor and more RAM. The upgrade to GIG E ports, and the forthcoming USB support is a nice feature as well. Rounding out the package is a lot of new features and a better interface. Upgraders should find that the device performs nicely.