SonicWall Tale Of Woe – Approaching “Do NOT Buy”

This is a story “In the process of becoming”… Meaning that the ultimate resolution is not here yet, and likely will not be for a few days.

The basic situation is that I’m doing a HIPAA Compliance makeover for a medical office. His I.T. Guy retired and moved out of State. Nobody else is stepping up to the job… due to a LOT of anyone with money from being a Tech Guy moving out of State… so everyone is so booked up that taking a new small client isn’t very interesting. No joke. I had 2 VARs (Value Added Resellers) where I tried to give them the installation business and they basically blew it off.

So I do my “Due Diligence” and pick a HIPAA-compliant firewall appliance with every feature you could want. A SonicWall Total device. (They have 4 tiers of software. From Essential, to Threat, to Advanced, to Total.) This is (supposedly) the all up full boat appliance. About $2k worth of hardware and software.

I got the box about a day ago. Spent a few hours reading the “Best Practices Doc” and the “Ransomware Config” doc. And the Getting Started doc. And a half dozen others. Then, about 5 hours ago, went to do the pre-install bring up. ( I’d already done the Site Check and the unboxing parts check and the assembly).

You expect some surprises on the first bring up of a new product where you haven’t done a dozen of them. I ran into some of “the usual”, where you assumed something that isn’t what you get. Nothing horrible. “Worst” one is that it has 8 RJ-45 ports on the back, plus a “Console” RJ-45. Numbered X0 to X7 plus Console. Turns out to configure it with a local laptop (or R. Pi…) you plug that into the “X0 Lan” port and not into the Console Port. OK… It comes up with an (undocumented in what I read) IP address of 192.168.168.168 (again “OK…”, I can cope with that). Then you plug the internet into the “X2 Wan” port. Which does DHCP an address… BUT turns out you cannot get any packets to the internet through it. “Some configuration required”.

I could ping my AT&T boundary router, but not Yahoo.com by name or by number, from my configuration station. This matters as there are a load of things you end up wanting to do on the internet that you Just Can’t Do from the workstation plugged into the SonicWall “Lan” port “out of the box”. So expect to have a 2nd computer for all of that stuff…

OK… I’ve dealt with that level of annoyance before too.

I tried to do the “best practices update firmware” where you press the reset button at first power-on as their docs say that’s easier as you don’t need certs yet to do it in “safe mode”, but that didn’t work. Possibly as I was not yet getting my internet connection properly talking to the box (that had just come out of its shipping box…). In fact, I’m still not sure it’s talking to the internet. Near as I can tell, it stops at the AT&T box. Only working over non-routing internal numbers.

Some time passes… and I find I CAN configure the network interfaces. Oh Boy, a bit of progress.

Here’s where my assumption that with 8 ports it is likely an 8 port HUB or SWITCH like everything else on the planet and is exactly what I’d like to have, collided with reality. Each port can be set as a LAN or WAN port, and can have DHCP address set or a Static Address. BUT, they are not just ports all on the same subnet. You can configure them to “Bridge”, so I suspect that, with some work, I can set them up to act like a switch. But at first attempt to configure, it really wants each one to have a separate subnet address block and not have overlapping IP number ranges or netmasks. OK….

I can work with that, as there’s really just 2 switches at the client site that need to be plugged into it. Everything will get DHCP addresses anyway, or at least they do at present. The one where I plug in the Configuration Computer gets a DHCP address assigned. But so far I’ve not seen anywhere that I can set the range of IPs that get handed out by DHCP and on what interfaces. So chopping the shop into 3 IP ranges ( 2 hard wire and one WiFi) isn’t THAT much of an annoyance and likely no worse than figuring out how to tell this box to just be a switch…

So I do a rough configuration of the interfaces, bring it back up, it can DHCP an address for “WAN” from my AT&T boundary router and my configuration computer can ping the gateway. Progress. The LAN spigots look usable, and the WiFi claims to be live (but does not show up in my Tablet… perhaps more “default turn on” config required…)

So I decided to try the higher levels. That’s where it all starts turning into a BOHICA Moment. (Bend Over, Here It Comes Again…)

Seems just about everything beyond basic “Give me a working wire” has a Big Yellow Warning saying “Device Not Registered”. I’ll save you the long and sad “exploration”… Nowhere in the docs does it talk about this. There’s a “MySonicWall” site where you must sign up for an “account”.

https://www.mysonicwall.com/muir/login

It will give you an “account” and then you can enter your Account / Password into the SonicWall device you bought and THEN (and only then, it seems) can you actually USE the $2k device you bought. PITA…

But, OK, I can live with that too. Though now I’m thinking “Well, do I slip schedule by a day or two to get the Client email address he wants to use to sign up? And take days of ‘did they send it? Send it to me’ for stuff, or just use my email and move on.”

I’ve scheduled time on Friday when his shop is closed to drop this in, renumber all his gear, put it behind the robust firewall, and test everything. I’ve got Wed and Thu to finish the config and pre-install QA. I want to have the weekend to work out any issues of things like specialized X-Ray gear perhaps being grumpy about any particular firewall rule, or figuring out just how it was configured and how to change it if needed…

So I go ahead and choose “sign up” from down at the bottom… And get the Dreaded Captcha where I get to practice my 3rd grade “Which of these things are the same?” skills. BUT it doesn’t work right on Brave on the Tablet. Also, at the top, it has this message:

Capture Client services will be under maintenance from May 15th to May 21st 2021. During this time, no MSW operations will be permitted on Capture Client subscriptions including activations, renewals, upgrades or deletions.

Being a little worried that perhaps “activations” included activating my account / hardware, I decided to call “Tech Support”.

I was assured that was “something else” (but exactly what was unclear through a thick Indian English accent from a fairly soft high pitched female voice that isn’t well matched to the frequencies I can still hear and where my built in English ECC is blown by the “variations”…) So, OK, I heard “Firefox” and me, my phone, and “Tech Support” went to the other room and onto a Raspberry Pi that was already booted up. It worked and got me past the “next” button…

Pretty standard stuff. Email, Name of Business. Address. Phone. Zip. MY Name. etc. It complained that I’d typed “Suite FOO” instead of “Ste FOO” but there wasn’t a “back” button to just fix it, OR accept their preferred address with abbreviations. BUT there was a “use this address” button under my hand typed, correct, but missing abbreviations one. So I said “Yeah, use it”. After all, why would they let me say “just use it” if they were not going to “just use it”? Right?

Wrong.

Turns out it goes ahead and builds the account, and then sends you a Secret Code to your email, but complains that the address isn’t quite right…

So now I get to log into my email, find their mail, extract the “confirmation code”, go BACK to their web site, put in the confirmation code, along with the email address AND the password… and…

I get told there is something wrong with the business name or address and “Call Tech Support”.

OK…

So now I’m back in Bum Bum India with Yet Another Pennies On The Dollar Sweet Young Thing who is very polite in that Suck Up Indian kind of way but can’t do a damn thing. I get a “case number” and after 2 repeats find out I’m going to get a “call back” in 24 to 48 hours after someone with a tiny bit of clue looks at what is wrong with my account and decides what to do to fix it. (Perhaps have your software smart enough to know that Suite and Ste. are the same thing? Or that the 5 digit zip code is the same place as the 9 digit variation?)

What this means is that, as of now, I get to be stuck tethered to my cell phone for 1 or 2 days, DOING NOTHING, while they figure out how to give me a “Free” account, so that I can actually activate and use a $2000 appliance we OWN. This also means my pre-work time all evaporates, and likely it will blow my Friday scheduled time to take his office down.

In Summary

$2000.00 Sonicwall Appliance is a “Floating boat anchor” and entirely useless when you buy it.

In order to make it “go”, you must have a “Mysonicwall” account, that you get to discover you need all on your lonesome, that’s extraordinarily picky about how you enter data, pisses on you with a captcha, and then slams the door on you with any typos / abbreviation variation AFTER asking if you want to just go ahead and use that address and get trapped…

All while trying to understand “India-English” with accents and with non-solution “answers”…

But they were very polite while accomplishing nothing of use to me…

Then you get to figure out a whole new install schedule as all you are doing for the next 2 days is waiting for the next useless “update” on what may (or may not) get you one step closer to a working device…

Lord Help Me if I miss the return call because I’m asleep when Calcutta or Hyderabad is awake…


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Human Interest, Tech Bits.

38 Responses to SonicWall Tale Of Woe – Approaching “Do NOT Buy”

  1. Kneel says:

    I had to use one of these before – a bit “quirky” to be sure, but once you get your head around it, not too bad a firewall box. At least it has a web-based interface, not the Cisco command line interpreter where you need to read all the docs from front-to-back, back-to-front and right-to-left before you can do much.
    Fortunately, I didn’t have to deal with the registration thingy. Pretty good at tunnels (IPSec, L2TP/IPSec, OpenVPN are all “native”, and does tunnel NAT no problems). And yes, I believe you can “bridge” all the LAN ports (so, a ‘switch’) – although it is beyond me why this is not the “out of the box” config, as that is what most people want when they buy an 8 port firewall-in-a-box as it saves buying a switch too.
    You’ll have to unsubscribe to their mailing list that you will now be on as well. Several times a week they will send you sales/marketing crap, so don’t wait, unsubscribe immediately.

  2. Bob ernest says:

    “Welcome to Hi-Tech” 🤦🏻‍♂️

  3. Mordineus says:

    Was a SonicWALL partner for years and even got my certs for them… at one time they were the absolute best things for SMB, then Dell purchased them and their firmware went from solid to solid crap as they offshored the development of it. A while back they bought themselves back so they are an independent company again, so I am hoping the quality comes back.
    These devices, like all NGFW firewalls, basically work hand in glove with online services, hence all the “register your device” stuff. Honestly these devices (and others like it: Fortigate, WatchGuard, etc.) aren’t really intuitive and take some training to set up correctly.
    You can create a switch by sort of adding in other ports to bridge to it. This is NOT called a bridge (that is different for them), this is called a PortShield group. Wow just found an emulator to look at the admin interface as I haven’t touched them in 4 years or so and BOY have they changed it… more glossy and a LOT more confusing.
    The other thing to keep firmly in mind is that your policies are all going to be zone based. By default the three zones you will play with are the WAN, LAN and WLAN zones. You will craft rules that basically state how packets can traverse from one zone into another. Quickie config would be that WAN>LAN is DENY, but LAN>WAN is ALLOW with WLAN>LAN and LAN>WLAN = ALLOW. Easiest way to look at that is to put it into grid view by hitting the ZONE MATRIX SELECTOR button on the policy page, then selecting a grid intersection such as LAN > WAN so you can see all the rules that apply to that.
    Email me if you get stuck.
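
A small model of the zone-matrix policy sketched in the comment above, added here as an illustration and not SonicWall’s code or the commenter’s: it maps the post’s X0 (LAN) and X2 (WAN) ports to zones (X1 as a second LAN port and W0 as the WLAN interface are constructed), applies the WAN/LAN/WLAN rules with a default DENY, and shows that replies to LAN-initiated connections are admitted by connection state while a zone pair with no rule (here WLAN>WAN) stays blocked until a rule is added.

```python
"""Zone-matrix policy model (constructed example, not SonicWall code).

Every interface belongs to a zone; access rules are keyed on (source zone,
destination zone) the way the zone matrix grid presents them. A zone pair with
no explicit rule falls through to the default DENY, and replies to an allowed
outbound connection are admitted from the connection-state table, which is why
"WAN>LAN DENY" does not break LAN-initiated web traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ALLOW, DENY = "ALLOW", "DENY"

# Interface-to-zone assignment. X0 (LAN) and X2 (WAN) follow the post; X1 as a
# second LAN port and W0 as the WLAN interface are constructed for the example.
INTERFACE_ZONE: Dict[str, str] = {"X0": "LAN", "X1": "LAN", "X2": "WAN", "W0": "WLAN"}

# The explicit zone-pair rules of the "quickie config" in the comment above.
ZONE_RULES: Dict[Tuple[str, str], str] = {
    ("WAN", "LAN"): DENY,
    ("LAN", "WAN"): ALLOW,
    ("WLAN", "LAN"): ALLOW,
    ("LAN", "WLAN"): ALLOW,
}


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    out_iface: str  # interface the route points it at
    src: str
    dst: str
    new_conn: bool  # True for the first packet of a connection (e.g. TCP SYN)


@dataclass
class ZoneFirewall:
    iface_zone: Dict[str, str]
    rules: Dict[Tuple[str, str], str]
    default: str = DENY
    # (src, dst) pairs of connections that were allowed on their first packet
    state: Set[Tuple[str, str]] = field(default_factory=set)

    def zone_of(self, iface: str) -> str:
        if iface not in self.iface_zone:
            raise ValueError(f"interface {iface} is not assigned to any zone")
        return self.iface_zone[iface]

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet and update the state table."""
        # Reply half of a connection that was already allowed: state, not rules.
        if not pkt.new_conn and (pkt.dst, pkt.src) in self.state:
            return ALLOW, "established connection"
        src_zone, dst_zone = self.zone_of(pkt.in_iface), self.zone_of(pkt.out_iface)
        if src_zone == dst_zone:
            # Model assumption: traffic staying inside one zone is not policed
            # by the zone matrix (the "one interior zone, no rules" layout).
            verdict, reason = ALLOW, f"intra-zone {src_zone}"
        elif (src_zone, dst_zone) in self.rules:
            verdict = self.rules[(src_zone, dst_zone)]
            reason = f"rule {src_zone}>{dst_zone}"
        else:
            verdict, reason = self.default, f"no rule for {src_zone}>{dst_zone}, default"
        if verdict == ALLOW and pkt.new_conn:
            self.state.add((pkt.src, pkt.dst))
        return verdict, reason

    def matrix(self, zones: List[str]) -> Dict[Tuple[str, str], str]:
        """The grid the zone matrix selector shows: every zone pair's verdict."""
        grid: Dict[Tuple[str, str], str] = {}
        for s in zones:
            for d in zones:
                grid[(s, d)] = ALLOW if s == d else self.rules.get((s, d), self.default)
        return grid


def walk_sample_flows() -> List[Tuple[str, str, str]]:
    """Run constructed flows through a fresh firewall; returns (label, verdict, reason)."""
    fw = ZoneFirewall(INTERFACE_ZONE, ZONE_RULES)
    flows = [
        ("unsolicited WAN->LAN SYN", Packet("X2", "X0", "203.0.113.5", "192.168.10.20", True)),
        ("LAN->WAN SYN", Packet("X0", "X2", "192.168.10.20", "203.0.113.5", True)),
        ("reply WAN->LAN for that flow", Packet("X2", "X0", "203.0.113.5", "192.168.10.20", False)),
        ("LAN->LAN across ports", Packet("X0", "X1", "192.168.10.20", "192.168.10.30", True)),
        ("WLAN->WAN SYN (no rule yet)", Packet("W0", "X2", "192.168.20.7", "203.0.113.5", True)),
    ]
    return [(label, *fw.decide(pkt)) for label, pkt in flows]


if __name__ == "__main__":
    for label, verdict, reason in walk_sample_flows():
        print(f"{verdict:5}  {label:32}  {reason}")
    for (s, d), v in sorted(ZoneFirewall(INTERFACE_ZONE, ZONE_RULES).matrix(["WAN", "LAN", "WLAN"]).items()):
        print(f"{s:>4} > {d:<4} {v}")
```

The last sample flow is the one to watch on a real box: WiFi clients get no internet until a WLAN>WAN ALLOW rule exists, because the default for an unlisted pair is DENY.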

  4. E.M.Smith says:

    @Kneel & Mordineus:

    Thanks for the info (and the help offer). I decided to use this “down time” to read up on their “Layer 2 Bridge” setting. FWIW, last “Layer 2 Bridge” I installed (as opposed to just plug in a switch…) was about 1984 between 2 THICK Ethernet cables and bought from DEC for several hundred dollars IIRC. About the size of a Calzone and installed via drilling the cable and vampire taps.

    It threw me for just a couple of minutes to see it called that and I had to revert to thinking in terms of actual chunks of thick cable… Once I realized “Oh, Wait, it’s a DIY Kit for making it into a switch” things were better… So for “Later Today” while continuing to wait I’m going to see if I can at least get the “make it a layer 2 switch” part done…

    I have a “crap collector” email address that is used for all things likely to collect spam / UCE (Unsolicited Commercial Email). That’s the one they got… I check it at least once a year ;-)

    At this point it looks like the most painful part of the whole install will just be getting the device “registered” so it will actually function. (I’m assuming they know what level of device it is supposed to be and there won’t be a 2nd round of “registration” PITA to get them to recognize they sold us the top of the line software too…)

    Ah, the “cycled through Dell” explains why some online stuff is tagged “Dell Sonicwall” and some isn’t.

    FWIW I was originally planning on ONE interior zone and ONE WAN zone, with no rules between internal stuff and everything applying to the WAN access. Now I’m pondering setting up the WiFi as it’s own zone… In Theory it is supposed to just be 3 “treatment room” computers that only talk to a specific device for records. In theory that lets me lock it down pretty tight… OTOH, I hope to eliminate that WiFi chunk with an upgrade in a couple of months…

    But first I need to get it to work AT ALL.

    I’m much happier with the FOSS (Free & Open Source Software) world where things just work. Yes, it means you get to fix your own bugs or deal with “whatever” isn’t “developed” yet, but at least you don’t need to study Hindi… and end up locked out of progress for days…

    I know that under the skins they are just some hot hardware with some Unix / Linux derivative OS on them and then an isolation layer to keep me out of it. Just a bother.

    Where did you find an emulator? That would at least let me do the familiarization / test config while I wait for the purchased device to become usable…

    @Bob Ernest:

    Yeah, I’ve been banging my head on “High Tech” since about 1979… You’d think I’d have calluses by now…

  5. Ed Forbes says:

    I am so glad to be out of comp tech.

    I moved from engineering track to comp tech track in the mid 80’s for 15 yrs before I went back to engineering. I got tired of trying to support crappy software and hardware that did not work. It was fun to puzzle out the fixes when I started. When it ceased to be fun, I quit and moved on to something that was fun for me.

    I went to doing onsite construction engineering where I got to fix crappy construction design and contractor scams real time in the field. This I found fun and actually miss it since I retired.

  6. philjourdan says:

    Never had to support one, but did have to talk some folks through diagnosing VPN tunnels. Not what I would call user friendly.

    And @Kneel – I guess they did not tell you about ASDM. Too bad, it would have saved you a lot of headaches.

  7. jim2 says:


    USING FIREEYE ENDPOINT FOR PCI AND HIPAA/HITECH COMPLIANCE

    DirectDefense’s analysis of FireEye Endpoint attests that the products help meet the HIPAA Security Rule and PCI DSS v3.2 requirements for malware protection, access control and for providing IPS/IDS protection. DirectDefense analyzed the FireEye Endpoint feature set and mapped those to HIPAA and PCI compliance requirements. The results showed that FireEye Endpoint applies to some key requirements which make it a valuable component of compliance for any entity.

    During the course of the analysis of FireEye’s Endpoint product DirectDefense mapped HIPAA and PCI requirements against the FireEye Endpoint product functionality. DirectDefense performed extensive testing in a lab environment. Testing was performed against malware found in the wild and DirectDefense’s own home-written malware that tested for true “zero-day” detection of:

    - Stealth Executable downloading
    - DLL hooking
    - Ransomware
    - Memory scraping
    - Kernel I/O hooking
    - Registry monitoring
    - Service listing
    - Process listing
    - VBscript code
    - WMI querying
    - Key Stroke Logging

    This testing proved that FireEye Endpoint is not just a signature based detection product, but that it goes much deeper. Much of the test code was known to be zero-day since DirectDefense wrote it, making signature analysis impossible because known signatures did not exist.

    Click to access cg-pci-and-hipaa-compliances.pdf

  8. Kneel says:

    @philjourdan: Yes, I had ASDM. But that’s a windows exe, not a browser-based config.
    It works fine and I used it for sure.
    Of course, if you want your “Cisco Certified Nufty Entity” (CCNE), you need to know their custom specific language. Don’t get me wrong, I’ve created the odd language interpreter when I need to and it made sense (using a recursive descent parser library, usually – much quicker than LEX/YACC. Builds the parser at run-time even). Cisco just seems to revel in “my way or the highway”, which I’m not too keen on. If all I ever did was Cisco stuff, then sure – but this was a one-off ASA I had to manage, all the rest was fairly basic stuff you didn’t need a training course to nut out. It seemed ridiculously complex to do some of the easiest sounding things…

  9. pouncer says:

    Sadly this combination of difficulty / user-hostility with need-for-rigorous protection is what makes so many of us skeptical about U.S. voting machines and election security. ‘Can’t do it right’ versus ‘can’t do it at all’ equals can’t trust whatever’s been done, or reported done.

    In your scenario a result — some months or years from now — will be tagged with the Spam Email account ID you used as an owner-identifier when the system design intended the transaction to be tagged to the actual operator. Just a pointer to an attribute that got mis-aligned.

  10. E.M.Smith says:

    Update:

    Well, as of today, I’m past the “MySonicWall” login process. Along the way collected a “Maintenance key” and a “Registration Token” (two random alphanumeric strings, one 34 char long…). Realize that is in addition to the product serial number and “authentication code” from the hardware and the login name / password…

    They “fixed” what wasn’t broken at about 3 AM my time, so likely from India somewhere.

    So many hoops, so little coffee…

    Whatever. Now I finally get to go back to trying to make the product actually DO something…

    I might, maybe still be able to make my tomorrow install schedule.

    @Pouncer:

    Yeah, that’s an issue. MY email account is now tied to the product as the authenticated manager of it. At some point I’ll need to figure out how to “hand off” the product to the client.

  11. E.M.Smith says:

    And once again a mandatory login / account thingy with a hidden non-discoverable logout.

    So “somewhere” there’s surely a way to end a session. It just isn’t visible and there’s a dozen little meaningless icons that I get to search looking for one that hopefully, maybe, just logs me out without doing any damage from not being the logout but something else…

  12. E.M.Smith says:

    Just a note to self (and others someday):

    Use “Native Bridge Mode” to connect multiple interfaces into effectively a switch. “Layer 2 Bridge” mode only lets you hook two of them together.

  13. E.M.Smith says:

    Well, I’ve got it basically working. Posting this comment through it.

    There was a bit of excitement at first power-up this morning. A big No-Go. Checking the PSU with my voltmeter showed No Volts. Dead PSU means dead gear… So in Hail Mary WTHell have I got to lose, whacked it “gently” on the carpet. Got volts!

    So I’ll need to order a new / replacement / spare PSU as this cheap-ass one has something loose inside. But for now it is working OK and I can proceed with configuring et al.

    Still need to check all the default rules it set, and figure out how to save log files from it. Oh, and the WiFi claims to be configured but I can’t see it with my Tablet scan, so need to figure out that bit too. But at present, I’m on the secure side of it typing this, and it is talking to my boundary router and on to the rest of world…

  14. E.M.Smith says:

    And I’m done. Only site install work and testing left to do.

  15. Ian says:

    I’m glad I retired !

  16. E.M.Smith says:

    @Ian:

    Well I was retired…. Then I got a request from a 40 year relationship for help…

    FWIW, he was a Black Belt in my Karate classes of the early 80s and I occasionally sparred against him as I advanced ranks. IIRC, then he was 2nd Dan. Also been my provider for the same interval.

    So when my provider has a problem, and was bonded in martial arts as Brother, what can I do but provide my assistance to him. There just is no other option. He needs, I help.

    Seems that locally the availability of “Tech Support” for small businesses is approaching zero. LOTS of folks bailing / leaving and the big companies are not interested in the small “one sale one professional” shops. I could likely make a business out of it… but I want to leave the State too…

    So I don’t know how this will work out 1/2 year from now. Remote support? Fly in once / week? Hand off to, what?… I only know I can’t leave him in a bad situation. I’ll do what is best for him. It is my duty to Sensei and friend.

  17. andysaurus says:

    I was never a bits and bytes techie, mainly a management bozo but started as an operator where the interface to bootstrap the machine required the careful setting of switches then pushing them into accumulators, so not without some appreciation of the craft. I could probably still write cobol if my life depended on it.

    For that reason I chose an ISP based in Adelaide (I live near Brisbane) who use native english speaking support people. They are superb and even if they charge a little more, they are well worth it. I have run support staff and I know that they are the primary customer facing interface. More important than sales and marketing in technology companies; IMHO.

    I was therefore surprised when in one telephonic exchange I came across a name that sounded very African, and when I quizzed her about it, she told me she was working out of Cape Town. I told her that I had worked in Botswana for 3 years and could speak some Setswana. So could she and we exchanged pleasantries in that language.

    She asked how I learned the language. I told her that when I went to Botswana, I was advised that the best way was to buy a blanket. She understood the implication immediately and fortunately had a robust sense of humour.

    I can share the story now my wife is dead.

    Another support related story.
    The guy who taught me cobol was an irascible old bastard. He was put on the support desk for the mainframe supplier we both worked for (ICL). He said he dealt with stupid questions by telling the customer “I’m going to look it up in the manual. If I find it, I won’t call you back”.

  18. Taz says:

    NextDNS is good DNS. Can substitute for many expensive features.

    IPFire is a German open source effort. They are pigheaded as they come – but remain the ONLY company I know of which is making a serious effort to mitigate Spectre flaws. Mates to NextDNS nicely. DNS over TLS support is excellent.

    Find a good Cedarville or lower ATOM board – those don’t do speculative execution at all. Safe.

    I’ve thrown away hardware to divorce myself from Indian support. YMMV.

    I don’t know of any “ransomware” mitigation beyond “avoiding sites likely to infect” and “Current backup to WORM storage”. Maybe SonicWall’s ransomware claims are just hubris?

  19. E.M.Smith says:

    @Taz:

    SonicWall have an online signature download feature so as soon as some exploit or ransomware gets a known signature, your box can update that, then DPI spots it and blocks it from entering.

    You can also set up the same filters to run between LAN segments, so even if some doofus with a laptop brings it from home, and it starts to spread on the network, it gets stopped at the LAN boundary.

    (Or so it seems…)

    I’ll look into NextDNS. I was very fond of OpenDNS, but now Cisco owns them, so there’s that…

  20. E.M.Smith says:

    Oh, and I’ve got the install done and basic testing. Real final exam is Monday Morning when they open for business again. I’m pretty sure I’ve “got it right”.

    Along the way had Networking Gremlins causing Down / Up / Down / Up pulsating interface issues. Found a switch where “pull ANY wire” it is fine. Shut off machine so link drops, it is fine. Has 2 open ports so ought to stay fine, but doesn’t. So I think it is having a load dependent failure mode onset. Swapping switch when the order arrives and then we’ll know.

    For now it is just “leave one machine off at any one time”. (I ran around turning them all on for testing / configuration. I doubt that is done every day ;-)

  21. Nick Fiekowsky says:

    SonicWall is building a poor reputation. See this recent report:
    https://www.grc.com/sn/sn-789.htm
    Steve: Unfortunately, it’s in trouble right now. While we’re on the topic of supercritical remote code execution network vulnerabilities with critical ratings above 9 out of 10, we need to make sure that any of our listeners who might be responsible for the operation of one or more of the nearly 800,000 vulnerable SonicWall NSA – that’s Network Security Appliance – firewall devices that are currently exposed to the Internet have patched their devices. Just, I mean, like absolutely you have to patch.
    The vulnerability was discovered by the Tripwire VERT security team and was given a CVE-2020-5135. It impacts the SonicOS, which is the operating system running on the SonicWall Network Security Appliance devices. As its name implies, the SonicWall NSAs are used as firewalls and as SSL VPN portals to filter control and allow employees to access internal and private networks. Maybe there are a bunch more of these things that have been deployed recently in order to set up VPNs to allow remote workers to connect back to the enterprise network.

    In any event, the Tripwire researchers explained that the SonicOS contains a bug in a component that handles custom protocols. The vulnerable component is exposed to the WAN, of course, the public Internet, interface; right? Meaning that any attacker can exploit it remotely. And moreover, Tripwire teased that exploiting the bug is trivial, even for unskilled attackers. Oh, boy. In its simplest form, the bug can cause a denial of service and crash devices. But as we often see, a remote code execution exploit is probably feasible, they said.

  22. E.M.Smith says:

    @Nick:

    Thanks for that!

    Good news is that I updated the firmware during install, so that patch is already in place. Does explain why all their docs on-line repeatedly nagged to “update firmware”…

    Other good bit is that this is an “interior firewall” and behind an internet facing NAT firewall / boundary router / telco modem (whatever they are being called these days…) and not running VPN.

    So nice to know that bug is patched and that it is hard to tickle the way I’ve set this up. Not so nice that it existed…

    For the present use case (small office, obscure target, interior firewall for compliance behind exterior firewall / NAT, no VPN) it is still a reasonable solution. Were I looking at an internet direct exposed firewall for a larger industrial high target, I’d likely go with a different vendor, perhaps even CISCO with their PITA CLI…

  23. E.M.Smith says:

    Well, all equipment installed and configured. LAN repairs done ( a dying switch was causing all sorts of LAN Gremlins…). QA testing says everything is working and fast. Punch down list completed. So tomorrow is a day off for me! Oh Boy! Retired again! (At least for a day or two..)

    I’m rather thrilled everything is done and working. Looks like I still know what I’m doing (more or less ;-)

  24. p.g.sharrow says:

    Always wonderful when a plan comes together and works well. Specially when it is complex and all the parts must all function well.

  25. E.M.Smith says:

    @P.G.:

    Yup. Also a bit of Adrenalin from knowing that if you get it wrong the business halts. (System included things like an Xray machine and image storage / retrieval etc. used all day every day).

    I was really tickled that I got this all done with essentially zero business impact. (One printer didn’t get renumbered so for about 10 minutes printing didn’t print. Easy fix.)

    Enjoying a “lazy morning” of Bacon, Eggs, Coffee and videos ;-)

  26. H.R. says:

    @E.M.

    Have you tried hacking your set-up from home?

    OK, sure, so it’s triple armor-plated, bulletproof, and bombproof . What about inside employee goof-proofing?

    You know that some systems can be impenetrable from the outside, but they wind up getting hacked anyhow because someone inside the defense does a no-no.

    Have you ‘hardened’ the inside people? Maybe a poster with the half-dozen “Never do this or that” bulleted?

    You say it’s a small office, so you should be able to get the inside people trained and to continue doing as trained. But what about turnover and the next new person comes in and straightaway does the exact wrong thing?
    That’s it. That’s all I’ve got that may be of some possible help on this thread. You may well have already got it covered.

  27. E.M.Smith says:

    @H.R.:

    I’m not going to try from home. The AT&T Boundary Router firewall is in the way and it is pretty darned tight. Trying to hack a secondary industrial class firewall through it would be a great pain and I’m not going to be paid to do that…

    What I will do is a bit of pen-testing of the WiFi as generally WiFi is the softest target. (OTOH, I just tightened it up a LOT…)

    The folks are already pretty aware of phishing and such. I think I can do with systems changes.

    Frankly, the biggest “issues” were the ones I just closed up.

  28. H.R. says:

    Just throwing in some little bit, and you did see it that way.

    Oh yeah. WiFi. That also leads to issues with ‘Smart’ stuff that we’ve kicked around here in the past.

    Does that mean I have to ‘harden’ that water heater I recently installed 😜 (I didn’t activate the WiFi feature. Thankfully, it isn’t automatic. It must be turned on.)

  29. philjourdan says:

    @Kneel – Understood. And yes you need to know CLI for the CCNP.

    While I use the ASDM for monitoring, I never use it for configuring. If I have to, I will enter a command in ASDM, click apply, and then copy and paste the config into a Notepad document, and then do a cancel. But that is rare as I can (and have been for quite a long time) do the CLI. Indeed, that is what I hate about Checkpoint and Fortigate. The retardation of the CLI. But I guess that dates me. I am old school and obstinate. So they shunted me off to the F5s that are all GUI based.

    Except they are not. ;-)

  30. philjourdan says:

    @EMS – you convinced me! Cheap ain’t cheap! I have talked others through setting up VPN site to site, but their SonicWall was already set up! I will not recommend to any clients. Cisco has a low end firewall. Not full featured. But it does the job, I will recommend that one. More expensive than Sonic for the hardware. But less expensive when you factor in Tech billing.

  31. E.M.Smith says:

    @PhilJourdan:

    I’ve generally gone with Cisco for sites. But they are very large commercial sites. For this particular site, I do think Sonicwall was the right choice. Yes, hours spent making the configuration right were more than I expected. But, when “I’m gone” in a few months or a few years, it will be easier to transition. Plus, it meets the immediate compliance issue (and then some) at a very reasonable entry cost. I’m OK / “happy” with the SonicWall now that I’m past the “FU” issues.

    Would I use it again?

    Probably for this use case.

    Anything larger, I’d go Cisco. Anything smaller (i.e. not HIPPA laws) I’d look elsewhere. For this client and this “right now at an OK price” need? I do think this has worked out well.

    So I can see a case where maybe 2 years from now I swap this site to some other solution. But I can also see a case where 2 years from now I think they are “Just Fine” and no change needed.

    Most of my “gripes” come from me not being familiar with the product, in depth. OK, I can own that. Overall, it looks like a workable solution with an easy interface and “enough” features at a good price. That I expected a less bureaucratic interface without an obligatory account / log in, that’s on me.

  32. E.M.Smith says:

    @Terry Jackson:

    Thanks for that!

    At this particular site, I’ve not yet brought up “NSM” Network Services Manager, their device management station. But it was on my radar as something to do “going forward”. Now I’m thinking maybe not so much…

    So you’ve given me something to dig into / think about…

    NSM is a software product that runs on a PC and lets you do neat management things with their devices. In particular it lets you collect log files for a year and do reporting from them. I’d left that as a “Future task”… or maybe now a “Do I really need it?” task…

  33. philjourdan says:

    @EMS – have you explored the ASA 5505? Just askin.

  34. philjourdan says:

    Most of your gripes appear to come from their intrusive need to know who you are. That is not cool.

  35. E.M.Smith says:

    @PhilJourdan:

    Nope. Not looked at it. But I will now.

    I’m always peeved when you buy a product and by design it WILL NOT WORK as advertised until you do a bunch of junk. It ought to come basically operational, not hobbled. Yes, by all means, have some kind of license validation, but really, have me MAKE an account before I can even start to configure it?

    They know the product was sold. They know the SSN. They know who the customer is (or ought to know via their seller channel). So just have the SSN validate to their tracking site.

    PITA does not please…

  36. E.M.Smith says:

    @PhilJourdan:

    It looks nice:
    https://www.cisco.com/c/en/us/support/security/asa-5505-adaptive-security-appliance/model.html

    but for one problem. EOL:

    Cisco ASA 5505 Adaptive Security Appliance

    Specifications Overview
    Series: Cisco ASA 5500-X Series Firewalls
    Product Type: Firewalls
    Status: End of Sale
    Release Date: 31-AUG-2006
    End-of-Sale Date: 25-AUG-2017
    End-of-Support Date: 31-AUG-2022

    Last sold 2017. EOL 15 months then no support. No can do.

  37. philjourdan says:

    Damn, I am getting old! But they should have a replacement. I will see what I can find. I agree that when you buy something, you should be able to plug it in and then configure it to work without going to the vendor site for permission.
