From the trenches: Troubleshooting and securing SonicWall

Consultant Bob Eisenhardt recounts a recent experience working with a small office's SonicWall V200. If you've ever tangled with one of these devices, these tips might help.

Recently, I found a real challenge in a new account at a small medical office. A SonicWall V200 was abandoned half-way through a proper configuration by the departed consultant and thus left in a very damaged state. Otherwise, the network seemed straightforward with a Windows 2003 SBS server and about eight stations and no Exchange server running. I said I could manage it without any problems at all...but I was wrong.

I have since learned that a SonicWall is UNLIKE any "router" in the world: the menu interface LOOKS nice on the opening page, but going deeper is like an archeological dig. There are literally hundreds of pre-set objects and controls. These multiple objects are visual distractions and should be ignored at first glance. Enabling port-forwarding was my first problem. I performed it remotely through DYNDNS and, after some trial and error, I found it under the DDNS listing and was able to crack it through to the server. Only much later did I learn that remote control DESTROYS insurance form overlays, and I had to disable it!!

After resolving a backup issue, the really big problem was that the public area Wi-Fi was just broken. Patients in the waiting room, connecting to it, would be directed to the login page of the SonicWall. DHCP addresses were being distributed, but somewhere DNS to the outside world was failing. The battle began. Among the perhaps 10 opening menu settings are two of interest: wireless settings (obvious) and Sonicpoint settings (less obvious). It is not an intuitive design. I asked another consultant, who works for a financial house, if he had any experience with a SonicWall. He looked away and said "it's messy in there," which is perfectly true.

Problem number one: Wi-Fi

Examination of the previous wireless structure proved inconclusive. Wi-Fi was there, DHCP was there, DNS was set through the server and the default page was always the SonicWall login page at 10.10.10.1.

I thought of browsing for self-instructive videos, of which there are a few dozen. All of them seem to presume the tech already knows how to use a SonicWall and, secondly and far worse, none REALLY addresses a specific problem per video. I found many that sort-of taught me how to do one part of an issue but not the other, so it was frustrating yet again. By contrast, Bill Detwiler is a straight-shooter on a given subject.

I thought of RTFM (Read The "Freaking" Manual) and set about downloading guides. I should have known better, having a huge collection of truly huge computer books on my shelves, many of them 1,199 pages, and the SonicWall guides were no different. HOW CAN WE DEAL WITH PRINTED MATTER? (That is a blog for Chip Camden to address one day.) 500 pages in a PDF, and SOMEWHERE in there are the two paragraphs that perhaps answer what I want.

I then began pursuit of what turned out to be THE solution: creating a new SSID and comparing it to the old original configuration. The previous consultant was helpful and somewhat informative, but his heart was obviously on new subjects. I contacted a co-consultant I work with, and remotely he did some work in the Sonicpoint tab, but wireless testing on-site showed no broadcast results. The new SSID was there, but it still went nowhere, and the old one still brought me to the login page. The Sonicpoint area had a new object as created by my comrade, but it also broadcast NOT, and I was still browsing thin air.

Since none of the three SSIDs were broadcasting, I came to the point of madness. I ignored and disabled ALL the work my co-consultant did, and the old SSID entirely, so that both were shut down. I also found I had to disable rather than delete, because I could not delete anything (another annoyance: SonicWalls have delete buttons, but they do not actually delete an entry).

I then enabled JUST my self-created SSID and...it worked. How? I honestly do not know, but when I visited the office late the other night and checked my Wi-Fi laptop in the lobby, it connected to the net and also visited my favorite test site: www-dot-1164-dot-com. (Try it out during lunch.) My supposition is that the original SSID was so corrupted that nothing associated with it, in any way, would work. It also could NOT be deleted, so disabling everything did the trick.

Problem number two: Security hole

As security is the real strength of the device, the service logs can be your best friend. Reading them takes time and patience, but they point to external IP addresses that can be researched. Thereafter, the game was truly afoot, and I had to revise this post as another problem became evident.

A downloaded game showed up on the server along with a little password blaster, Du Brute. I deleted both and added a server welcome page to the registry that prevents auto-logins, one that I recommend for EVERY server in the world: an opening login screen and statement. This requires CTRL-ALT-DEL so that password blasting cannot occur EVER. Open Regedit and drill down to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Create two string values: LEGALNOTICECAPTION and LEGALNOTICETEXT. Edit these to hold a caption such as WELCOME TO THE PCSC SERVER and whatever text, legal or frightening, you wish. This not only puts a declarative statement (and legal protection) on the screen, but also prevents anybody from the outside from just blasting their way in. If you export and save the registry entries, you can modify the key and reuse it as designed FAR faster than drilling down each time.

I became interested in this because of Du Brute. This is bad business, as it is a hacker's tool, pure and simple. When running, it blasts a list of selected IP addresses (the list is in text format, and I have no idea where the original list comes from) with logins and passwords every few seconds. When one IP reaches the end of the list, it moves on to the next address and re-runs from top to bottom. It also attacks through port 3389, a good port to disable on the firewall. Server fanatics, take note to monitor SECURITY events in the Event Log. If you see Failure Audits, you likely are seeing Du Brute running somewhere else in the world and coming to knock on your server.
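As an added example (my own PowerShell, not code from the article or from SonicWall), the following sets the two Winlogon values described above and then tallies Security log failure audits per source address, the check recommended for spotting a password blaster like Du Brute. It assumes a current Windows version (Event ID 4625; Windows Server 2003 logged the same failure as 529) and an elevated session; the notice text and the threshold are constructed values.

```powershell
# Added example: legal-notice registry values plus a failed-logon tally.
# Assumes an elevated PowerShell session on a current Windows host.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-LogonNotice {
    param(
        [Parameter(Mandatory)][string]$Caption,
        [Parameter(Mandatory)][string]$Text
    )
    # Both values are REG_SZ; Set-ItemProperty creates them if they do not exist.
    # The notice only interposes a dialog in the interactive logon path; keep
    # 3389 blocked at the firewall (as the article advises) and lockout policy on.
    Set-ItemProperty -Path $winlogon -Name 'LegalNoticeCaption' -Value $Caption -Type String
    Set-ItemProperty -Path $winlogon -Name 'LegalNoticeText'    -Value $Text    -Type String
    Get-ItemProperty -Path $winlogon | Select-Object LegalNoticeCaption, LegalNoticeText
}

function Get-FailedLogonSources {
    param([int]$Hours = 24, [int]$Threshold = 20)   # threshold is a constructed default
    $since = (Get-Date).AddHours(-$Hours)
    # 4625 = "An account failed to log on". LogonType 10 is RemoteInteractive (RDP).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                SourceIp  = $d['IpAddress']
                LogonType = $d['LogonType']
            }
        } |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |      # many failures from one address
        Sort-Object Count -Descending |
        Select-Object @{n='SourceIp';e={$_.Name}}, Count,
                      @{n='Users';e={($_.Group.User | Sort-Object -Unique) -join ','}}
}

# Caption is the article's example; the text is constructed.
Set-LogonNotice -Caption 'WELCOME TO THE PCSC SERVER' -Text 'Authorized use only. Activity is logged.'
Get-FailedLogonSources -Hours 24 -Threshold 20
```

A source address that shows up with dozens of failures against several usernames is the top-to-bottom list behaviour the article describes; the `Users` column makes that pattern visible at a glance.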

I copied Du Brute to my server, and AVG hated it within a microsecond. On the web it is constantly listed as a threat, with no hits calling it a safe file. General advice is DELETE IMMEDIATELY.

Since no one did get into this server (but two others were being attacked, and those I locked down immediately with strong passwords), I also deleted my DYNDNS account, as above, just to be certain, and GoToMyPC as another outside door in. I am now using LogMeIn -- free version -- as a monitoring service.

Have you had any run-ins with SonicWall? If so, share your experience below.

13 comments
tom

I'm on my second SonicWall, upgraded from TZ170W to TZ210W. My biggest complaint is every time I find instructions that I think will show me how to do something, the steps and options never match what I have. For example, https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5798 specifies the instructions are for many systems, including mine, and Firmware: SonicOS Enhanced firmware (3.5 and above). The screens and steps don't even come close to what I see. I need to create a SonicPoint Provisioning Profile because the one the article says to use doesn't exist. I go to the link that says "Creating a SonicPoint Provisioning Profile" and these instructions aren't even close to what I see. Very frustrating.

paradigm49

Bob, after figuring out what you were trying to do (the V200 threw me for a loop)... Setting up multiple "virtual" access points can be a pain; quite honestly I had the same issues when I was setting up one for my office here. I also have one at my home, but not nearly as complicated. The question I have though is...what device are you connecting the sonicpoint to?...I ask that because with the older sonicwall devices they don't like to cooperate all that much, and with the newer devices, like the tz100, tz210, nsa series...there is a lot less trouble getting them to work correctly. Currently I have a sonicpoint N configured on a nsa 3500 with 4 Virtual access points, and on my tz210 at home, I have 2 virtual access points configured--all of which have been up for 2 years plus at this point in time... just trying to wrap my head around the hardware you're using and why the new SSID wasn't broadcasting correctly...

Matthew G. Davidson

I always recommend the TZ100 or TZ200 for small business shops from 5 to 20 users. They do take some time to get used to, but working with them over time you get used to their "messy" interface. I have not seen any issues since the Dell acquisition so hopefully it stays that way. BTW, Bob, great site...glad to see another CT resident having fun! I also found it humorous that you are #1 on a Google (1164 Morning Glory Circle) search even before Warner Brothers. And are those really your cool license plates?

Glastron

The sonicwall is not something you want to walk into without having some previous experience with it. I have worked with them for several years and a few models and would agree they are not for the faint of heart. But they are very capable and can do quite a bit once you get into them. I find their support to be poor at best. Hopefully Dell can fix that but I doubt it. The outsourced support is difficult to understand and not interested in anything but reading from their set support scripts. Definitely keep the support agreement current for software updates, which come out fairly regularly and often fix issues I had been dealing with. I like the sonicpoints wireless units. Again, they take some tinkering to get configured but once you do, adding a new one is just a matter of plugging it in and waiting for it to configure itself.

jfuller05

I was trained on Cisco, so when I began work at an entity that used Sonicwall there was definitely a learning curve. I dug into the manuals and knowledge base on Sonicwall's site and after a little while I learned to like the product. We recently upgraded to a smaller, but more powerful TZ 210 and again, I really like it. Did you work on a TZ 200? I don't think Sonicwall has a V200. http://www.sonicwall.com/us/search.html?site=us&q=sonicwall+v200

straightp

The firewall will do what you tell it to. The article complains more about busted wifi and insecure 2k3 server. You cannot fault a product due to improper configurations by less than experienced consultants.

APSDave

Like anything else, your ease of deployment on something has to do with how much experience you have with it. I can deploy a fairly complicated Sonicwall UTM setup pretty quickly. But, put me in front of a Cisco and I will be complaining and moaning that they do things wrong or the hard way :) It's all in what you know. I will agree with you that the interface can get a little messy. Especially when someone before you configured the device. In a small deployment like that I would agree with previous posters and tell you to document the settings and blow it away to start from scratch. You would have had it reset and back up in an hour or so rather than spending all day trying to find that one setting in 10,000 that keeps you from routing properly.

RechTepublic

Always use Firefox to configure them. Always backup the current configuration before making any changes. If you did not install the firewall or if you have any concerns about its security, you should reset it to the defaults and start from scratch. BEFORE you reset, document the configuration of the firewall. LAN, WAN, DHCP, DNS, Services, Rules, Etc. Take screenshots and paste them in a document. After the reset, browse to the default IP and a wizard will walk you through configuring the SonicWALL. If you have a problem, you can always restore the backup you made earlier. When you have it configured the way you want it, make another backup. Don't forget about vendor support. The owner should definitely make sure their SonicWALL support agreement is current. There are many situations where contacting SonicWALL support is the fastest way to a resolution. I hope this helps.

jbreitwieser

Hi Bob, Thanks for the detailed report - good detail and we're always very interested in feedback from users to help us improve our products. To clarify: did you use a TZ200? If not, WatchGuard has a Firebox V200? Would be happy to connect you with one of our product managers, so we can better understand the challenges you encountered, provide guidance (where still necessary) and take your feedback. Best regards, Jock Breitwieser Director Global Public Relations Dell | SonicWALL +1 408 800 5625 jbreitwieser@sonicwall.com

buck_lane

I've been using sonicwalls for close to 10 years, and while their interface is unlike any other router (but to be fair all router interfaces are different) they are actually fairly solid when you have them configured right. Most of your issues are you just not knowing the product; give it time.

joshwillis

We use Sonicwalls in our organization and they tend to be fairly rock solid products. There is a bit of a learning curve as they do things a bit differently than other routers/firewalls, but once you're up to speed you can't beat them for reliability. For a point to point VPN they work flawlessly. My question is why didn't the author nuke the Sonicwall from the start when he inherited it from the former consultant? Going into situations like this I find that it's usually best to start from scratch instead of potentially having to fix unforeseen issues down the road caused by a wet behind the ears paper cert consultant who didn't know what he was doing.

paradigm49

Jock--If I am understanding what he is trying to do----I believe he is trying to set up a virtual access point using a sonicpoint...I did some digging trying to figure out what he may have been doing, so that is my guess, because last I knew there was no such sonicwall product as the v200. BTW...it's Erin Desko from your Sonic OS 5.8 release. Bob, I've used Cisco and Sonicwall and I will always gripe and complain about cisco...personally I think for most companies and users Cisco is way too complicated to set up. With that being said, there are plenty of documents online to factory default a sonicwall device...which should have been the route taken so that any remaining or mis-configured settings that were in there were cleared. The newer sonicwall devices even have a step by step wizard to set up your lan/wan, any port forwarding (public server wizards)...so yes there is a bit of a learning curve...but as far as I am concerned, the interface is nowhere near as messy and unorganized as other devices I've dealt with. Having configured 100+ sonicwall devices, I know every nook and cranny of them and they are still by far one of the most rock solid devices I've used. The sonicwall will do what you tell it to. You cannot blame the firewall for this in any respect...proper or improper configuration---the firewall will do what you configure it to do (or not do). Sonicwall support will help you if you contact them as long as your support contract is in place, even if it is the smallest problem you encounter.

JCitizen

There was no backup, and with such bad results, he didn't want to back it up just then. Sometimes a detailed repair is faster than a total re-configuration. I'm reconsidering my next choice in appliances after reading this.