Advancing Our Secure by Design Pledge: What’s New in SonicOS 7.3 and NSM 3.1

by Asif Mujtaba

Answering CISA’s Call for Secure by Design and Default

In today’s threat landscape, security cannot be an afterthought — it must be engineered into products from day one. Earlier this year, the United States Cybersecurity and Infrastructure Security Agency (CISA), alongside international partners, issued Secure by Design and Secure by Default guidance, urging technology providers to take greater responsibility for product security. The message was clear: shift the burden away from users and make strong protection the default.

As a SonicWall product manager, I’m proud to say that we have heard that call. SonicWall publicly committed to these principles and signed CISA’s Secure by Design pledge, fully embracing and implementing its core tenets in our latest releases. SonicOS 7.3 and Network Security Manager (NSM) 3.1 are direct outcomes of that commitment. This isn’t just a routine update; it represents a significant leap forward in delivering secure-by-default solutions aligned with the CISA framework.

CISA’s guidance emphasizes that customers shouldn’t have to bolt on security or scramble to patch vulnerabilities on their own. Instead, security features should be built in and enabled by default, with vendors ensuring products stay up-to-date automatically. SonicWall wholeheartedly agrees. Our leadership has made clear that SonicWall’s latest solutions include secure configurations, MFA support, the elimination of default passwords and rapid patch deployment, which are all aligned with Secure-by-Design principles.

Advancing our Secure by Design pledge means delivering concrete enhancements that make our firewalls and management tools safer and easier to maintain. Below, we highlight how SonicOS 7.3 and NSM 3.1 bring these principles to life in direct response to CISA’s public guidance.

Secure-by-Default Enhancements in SonicOS 7.3 & NSM 3.1

SonicOS 7.3 (the operating system powering SonicWall firewalls) and NSM 3.1 (our cloud and on-prem management platform) were developed with a secure-by-default mindset. We’ve introduced a wave of new features and security-first defaults that align with CISA’s Secure by Design recommendations, including:

Enforcing Strong Passwords by Default

Weak default credentials are gone. SonicOS 7.3 now enforces robust password policies out of the box. Administrators must use strong, unique passwords, eliminating factory-default credentials and significantly reducing the risk of unauthorized access. This aligns directly with CISA’s goal of removing default passwords entirely.

Built-In Brute-Force Login Defense

Login rate limiting is now automatically enabled in SonicOS 7.3 to slow or block repeated failed login attempts. By having this defense on by default, the firewall protects itself against brute-force attacks without requiring administrators to configure additional settings. This directly supports CISA’s call for products to be secure “out of the box.”

Automatic Critical Firmware Updates

Timely patching is essential, yet often delayed by busy IT teams. SonicOS 7.3 enables automatic installation of critical firmware updates by default, even when a firewall is managed via NSM. In NSM 3.1, we improved the update workflow to allow devices to fetch firmware directly from SonicWall’s cloud servers, ensuring fast and reliable upgrades. These enhancements support CISA’s guidance to speed the installation of security updates and reduce customer burden.

 

Up-to-Date OpenSSH for Stronger Encryption

SonicOS 7.3 includes the latest stable OpenSSH library to ensure secure management interfaces and hardened cryptographic protocols. By proactively updating third-party components and eliminating outdated libraries, we reduce entire classes of vulnerabilities, which is a core Secure by Design priority.

One-Click Diagnostics and Visibility

When issues arise, rapid insight matters. SonicOS 7.3 introduces a one-click diagnostic feature that gathers logs and troubleshooting data instantly. This accelerates support and incident response and reflects CISA’s recommendation to improve customer visibility into anomalies or potential intrusions.

Secure Update Delivery

In both NSM 3.1 and SonicOS 7.3, all signature downloads now use HTTPS encryption by default when fetched through a proxy. This ensures update integrity and prevents tampering or interception. Securing the update mechanism itself is a foundational Secure-by-Design practice and gives customers confidence in the authenticity of their protections.

Each of these enhancements was designed with a Secure-by-Default philosophy, meaning they're enabled automatically and require minimal configuration. Together, they strengthen SonicWall firewalls at their core. From day one, networks benefit from stronger authentication, automated patching and built-in defenses against common attack vectors. Importantly, these improvements come standard. They are part of the base SonicOS and NSM experience, not add-on features. This is how SonicWall is raising the security baseline and delivering on our Secure by Design promise.

What’s Next on Our Secure-by-Design Journey

SonicOS 7.3 and NSM 3.1 represent major progress on SonicWall’s Secure by Design pledge, but our work is ongoing. Secure by Design is not a single project. It is a continuous commitment across our engineering, product and security teams.

Looking ahead, we will continue evolving our products to be even more secure by default. This includes expanding MFA options, further reducing configuration complexity and incorporating technologies like machine learning and memory-safe programming to eliminate entire vulnerability classes before they appear. We are also committed to transparency and community engagement, from strong vulnerability disclosure practices to tools that help customers verify product integrity.

SonicWall will continue leading from the front, collaborating with government and industry partners to exceed emerging Secure by Design benchmarks. SonicOS 7.3 and NSM 3.1 deliver real, immediate security benefits with less effort from administrators. And this is only the beginning.

Confident and committed, SonicWall is building a future where security is woven into every product we create. As CISA challenges the industry to raise the bar, we are accelerating that evolution. Our pledge is simple: continue improving, continue securing and continue delivering solutions built for the threats of today and tomorrow.

We’re excited about this milestone and hope you are too. Together, let’s embrace a secure-by-default future with confidence.

Relevant Links

SonicWall SonicOS 7.3 Release Notes

NSM 3.1 Release Notes

CISA Secure-by-Design Guidance

An Article By

Asif Mujtaba

Product Manager

Asif Mujtaba is a Product Manager at SonicWall with over a decade of experience in cybersecurity, specializing in product management and technical leadership. He is passionate about driving innovation and delivering secure, scalable solutions that empower organizations to navigate the evolving threat landscape.