
Sonicwall Experiences


Archived from groups: comp.security.firewalls (More info?)

 

I have a Sonicwall network comprised of redundant Sonicwall 300's and
about 10 SOHO's out in the field. Here are my experiences.

Good-

Once you learn the drawbacks and gotchas, Sonicwalls are fairly
reliable and easy to set up. It works well for WAN office to office
VPN, i.e. Sonicwall to Sonicwall.

Bad-

1. The reason we have redundant Sonicwalls is that they have a
tendency to crash. When they crash you lose your default gateway. Not
good. Unfortunately they sometimes crash in such a way as to not allow the
secondary to kick in. So we had to put the Sonicwalls behind a router
to avoid the loss of our gateway router every time this happens.

2. You have to over-provision the SOHO's as they use IP sessions for
licensing. So if you have a 5 user license with 2 computers and an access point
and a computer is rebooted twice in succession (for example you are
doing MS patch installation), you run out of licenses and the user is
locked out. The time-out for the session is not configurable for the
end-user. For the above example you need at least a 10 user license to
avoid lots of support calls.

3. Sonicwall antivirus is a constant Charlie Foxtrot. They keep
changing how they do it, not letting us know, and the net result is
that everybody on your network loses access to the internet every time
Sonicwall screws things up. They just changed stuff again and I
can't get to our antivirus statistics page. Of course they deny
everything. We are changing to eTrust.

4. Their support policy is to deny everything and blame the user. They
will deny a problem exists and then a firmware update will come out
and the problem that does not exist will mysteriously disappear. We
got a new wireless Sonicwall which is a complete piece of junk.

5. Never, ever do a Sonicwall firmware upgrade right away. Their
firmware upgrades consistently screw things up. God help you if you do
a firmware upgrade without backing up your config first. Always wait for the
fixed version which invariably follows a month or so later.

6. Sonicwall not only does not support Macs, they pretty much deny
their existence. I would not be surprised if Microsoft has a
considerable investment in Sonicwall.

7. You cannot push out subnets on the VPN client, they must be added
manually in their complex client, which is Windows only. Sonicwall
added RADIUS for the GroupVPN (which is required for DHCP client
addresses) but it requires their VPN client which of course does not
exist for anything but Microsoft. We finally gave up on Sonicwall VPN
and got a Cisco 3000 concentrator, which has a much nicer client and
much more sophisticated roaming user management. I recommend the Cisco
3000 highly for VPN.

8. Sonicwall end-of-lifes products very quickly. Our 2 300's we bought
2 years ago are already completely obsolete. No more firmware
upgrades, which means no support for future methods of attacks.
They have re-visioned their firmware to 1.0. They are up to 2.x. The
funny part about this is when they did this they forgot to tell tech
support. We had a call on a new 802.11b firewall and tech support was
completely confused when we said we had version 1.8, they had no idea
it existed. How bizarre!

9. Their Viewpoint software just had an upgrade. The 1.x version was
viewable on several web browsers, the 2.0 version is only viewable on
Microsoft version 6 with Sun Java 1.4.2 installed. It emails out
reports in mhtml, a Microsoft only format. How incredibly stupid and
useless. They changed the database in Viewpoint from MyPhp to MSSQL
personal edition. Hmmm...

10. Viewpoint shows you the attacks and it shows the source but it
does not show what source did what attack. You would think this
linkage would be important in a firewall log analysis package.

11. Sonicwall Anti-virus is pretty much strip out enclosures with
whatever extension you choose, and that's the end of it, no packet
inspection at all. And they charge you to do that.

We have a considerable investment in Sonicwall. The good part about
them EOL'ing their products so quickly is it gives you an opportunity
to change platforms, which we intend to take advantage of. They do
offer a hardware "upgrade" program where they give you a token price
for your EOL'ed units.

Personally I feel I have participated in a very large public beta
program which we had to pay big bucks to participate in. Which
reinforces my opinion that MS has a hand in their management.

This is the only firewall system I have used other than Cisco router
software based stateful inspection, so I don't know how other systems
compare in a corporate environment, would be interested to know.

Jim


This sounds familiar - like me.

We're a mostly Cisco shop as well that went with Sonicwalls a few
years ago. I've got several "EOL" SOHO/TELE 2's, 3's and Pro 230's.
Of course, the new 2040 and TZ series is where it's at.

They still work, but I am a little concerned about their expensive
replacement policy. However, their support prices are much better
than Cisco (yearly maintenance), but you don't get the same
exceptional service.

All in all, they do work well for the money, but I'd probably do it
differently all over again. Cisco IOS firewall works well, but it's
not as easy to troubleshoot or manage remotely if it goes down.

-Robert


<SNIPIDITY SNIP>
>
> This is the only firewall system I have used other than Cisco router
> software based stateful inspection, so I don't know how other systems
> compare in a corporate environment, would be interested to know.
>
> Jim


I had Pro300 with a couple SOHO's. Similar problems as you. Their speed
at EOL'ing products is inexcusable. The only reason I got Sonic in the
first place was we were a RedCreek shop which Sonicwall bought. EOL'd our
RedCreek stuff, offered us a 300 which ended up crashing so much it was
basically unusable. This was 2 years ago, at which time the 300 was their
hot new product. With the investment you put into the things, 3 years to
EOL is laughable.

Went Netscreen and never looked back. Rock solid.
