Remediation Playbook

Description

UPDATE: SonicWall has released an online tool that analyzes firewall configuration files and provides targeted remediation guidance. The tool streamlines the process by automatically identifying which services require action, eliminating the need for administrators to follow lengthy conditional checklists. 

The tool is available at: https://www.sonicwall.com/firewall-config-analysis-tool

Overview

Follow the IF/THEN statements below to determine the recommended steps based on the features enabled on the target firewall.

Configuration Groups (Execute in Order)

GROUP 1: Core Authentication Systems - CRITICAL (DO FIRST)

Execute all items in this group before proceeding to other groups. These form the foundation of all other authentication.

IF Local Users are enabled:

  • THEN: Reset and update passwords of all Local Users
  • Critical: Yes
  • Impact: Force all local users to set a new strong password

IF Users TOTP (MFA) is enabled:

  • THEN: Reset TOTP for all users
  • Critical: Yes
  • Impact: Users must re-bind authenticator apps

IF LDAP (and/or RADIUS/TACACS+) user authentication is enabled:

  • THEN:
    1. Update the bind account password in LDAP
    2. Update LDAP server entry in SonicOS
  • External Updates: LDAP server password
  • Critical: Yes, if primary auth
  • Impact: Update LDAP (and/or RADIUS/TACACS+) shared secret on server and SonicOS

GROUP 2: VPN & Remote Access Infrastructure - CRITICAL

Execute after Group 1 completion. Coordinate timing with remote endpoints.

IF IPSec VPN is enabled:

  • THEN:
    1. Update shared secret in all IPSec site-to-site configurations
    2. Update GroupVPN policies
  • External Updates: Remote IPSec Gateways/Peer VPN endpoints
  • Critical: Yes
  • Impact: Replace all pre-shared keys; coordinate with remote endpoints

IF L2TP/PPPoE/PPTP WAN interfaces enabled:

  • THEN: Update passwords for any L2TP/PPPoE/PPTP WAN interfaces
  • External Updates: ISP account passwords
  • Critical: Yes
  • Impact: Should be done in coordination with ISP account change

IF SSLVPN is enabled:

  • THEN: Reset password in all SSLVPN Bookmarks
  • Critical: No
  • Impact: Reset password associated with each SSLVPN Bookmark

GROUP 3: Cloud & External Integrations - HIGH PRIORITY

Can be executed in parallel after Groups 1-2. Coordinate with external vendors.

IF AWSAPI integration enabled:

  • THEN: Update AWS keys used for Logging and VPN integration
  • External Updates: AWS Console - Generate new IAM access keys
  • Critical: Yes
  • Impact: Update in SonicWall settings

IF DDNS is enabled:

  • THEN:
    1. Reset Dynamic DNS provider account password on provider website
    2. Update DDNS entry in SonicOS
  • External Updates: DDNS provider(s)
  • Critical: No
  • Impact: Update password at provider website and in firewall

IF Clearpass NAC enabled:

  • THEN: Reset passwords to Network Access Control (NAC) Clearpass servers
  • External Updates: NAC server(s)
  • Critical: No
  • Impact: Should be done in coordination with NAC server change

IF SNMP monitoring enabled:

  • THEN: Update password for any SNMPv3 user entries
  • External Updates: SNMP monitoring host(s)
  • Critical: No
  • Impact: Reset credentials to maintain monitoring security

IF WWAN backup enabled:

  • THEN: Update passwords used for cellular WWAN connections
  • External Updates: ISP(s) cellular accounts
  • Critical: No unless primary
  • Impact: Refresh credentials for backup connections

GROUP 4: Email & Reporting Services - MEDIUM PRIORITY

Independent group - can be executed in parallel with other medium/low priority groups.

IF Email Logs enabled:

  • THEN: Reset password to email accounts used for Log Automation
  • External Updates: Email provider
  • Critical: No
  • Impact: Update credentials for log/alert forwarding and OTP emails

IF FTP/Web Passwords configured:

  • THEN: Reset password to any FTP/HTTPS servers used for:
    • Log automation
    • Packet Monitor
    • Settings and TSR scheduled reports
    • Dynamic External Address Objects/Groups
    • Dynamic Botnet List Server
  • External Updates: FTP/HTTPS server(s) with listed features of SonicOS
  • Critical: No
  • Impact: Reset credentials for automated tasks and reports

IF AppFlow reporting enabled:

  • THEN: Reset password for SMTP/POP email account used for AppFlow SFR reports
  • External Updates: Email provider
  • Critical: No
  • Impact: Update credentials for SFR email reporting

GROUP 5: Wireless Infrastructure - MEDIUM PRIORITY

All wireless components grouped together. Coordinate timing to minimize wireless outages.

IF Wireless is enabled:

  • THEN: Update shared keys for Internal Wireless interface, Access Points & Profiles, and Virtual Access Points & Profiles
  • External Updates: None (but coordinate with wireless clients)
  • Critical: No
  • Impact: Rotate WPA/WPA2/WPA3 passphrases and profile keys

IF SonicPoint/SonicWave L3 SSLVPN Management enabled:

  • THEN: Reset SonicPoint/SonicWave L3 SSLVPN Management password
  • External Updates: Managing SSLVPN server
  • Critical: No
  • Impact: Update password on SonicPoint/SonicWave and coordinating server

IF SonicPoint/SonicWave Administrator password configured:

  • THEN: Reset SonicPoint/SonicWave Administrator password
  • External Updates: None
  • Critical: No
  • Impact: Update password to access individual SonicPoint/SonicWave access points

IF SonicPoint/SonicWave Internal Wireless RADIUS enabled:

  • THEN: Reset SonicPoint/SonicWave Internal Wireless RADIUS server shared secrets for Remote MAC Access Control and WPA/WPA2/WPA3/EAP authentication
  • External Updates: RADIUS server
  • Critical: No
  • Impact: Rotate RADIUS secrets for wireless authentication

IF RADIUS wireless Zone objects enabled:

  • THEN: Reset RADIUS server shared secrets used on wireless-type Zone objects
  • External Updates: RADIUS clients and LDAP password on LDAP server
  • Critical: No
  • Impact: Rotate RADIUS secrets and LDAP Identity password

GROUP 6: User Services & SSO - LOW PRIORITY

Independent group focused on user experience features. Can be done last.

IF Guest Services enabled:

  • THEN: Reset shared secret used by Guest Services External Guest Authentication feature
  • External Updates: Web server for Message Authentication
  • Critical: No
  • Impact: Rotate secrets for guest authentication services

IF SSO enabled:

  • THEN: Reset shared secrets used by SSO features:
    • SSO Agent
    • Terminal Services Agent (TSA)
    • SSO RADIUS Accounting clients
    • 3rd Party SSO API
  • External Updates: Each SSO/TSA server, RA client, and 3rd party SSO API client
  • Critical: No
  • Impact: Update secrets across all SSO components

IF Accounting enabled:

  • THEN: Reset RADIUS/TACACS+ shared secrets used for Accounting server entries
  • External Updates: RADIUS/TACACS+ server(s)
  • Critical: No
  • Impact: Update authentication secrets for accounting servers

GROUP 7: Infrastructure & Legacy Systems - LOW PRIORITY

Miscellaneous infrastructure components. Execute last or in parallel with other low-priority groups.

IF NTP custom servers enabled:

  • THEN: Reset password for any custom NTP servers
  • External Updates: NTP server(s)
  • Critical: No
  • Impact: Update authentication credentials for custom NTP servers

IF Signature Proxy enabled:

  • THEN: Reset password for proxy server used to download signature updates
  • External Updates: Proxy server
  • Critical: No
  • Impact: Rotate password to download SonicWall signature updates

IF Extended Switches managed:

  • THEN: Reset password for any Dell/SonicWall-integrated external switches managed by firewall
  • External Updates: None (direct to switches)
  • Critical: No
  • Impact: Update management passwords for integrated switches

IF GMS - Legacy enabled:

  • THEN: Update GMS management encryption keys
  • External Updates: GMS
  • Critical: No
  • Impact: Only applicable when using "IPSec Management Tunnel" for GMS management

IF Routing protocols enabled:

  • THEN: Update passwords used for routing protocols such as RIP, OSPFv2, and BGP
  • External Updates: Associated L3 switches, routers, etc.
  • Critical: No
  • Impact: Update passwords associated with any advanced routing configuration

Reference: Complete External Credential Update List

Critical External Systems (Priority 1)

  1. AWS Console - Generate new IAM access keys
  2. LDAP Server - Update bind account password
  3. RADIUS Servers - Update all shared secrets
  4. TACACS+ Servers - Update authentication secrets
  5. ISP Accounts - Update L2TP/PPPoE/PPTP passwords
  6. DDNS Providers - Update account passwords on provider websites
  7. NAC Servers (Clearpass) - Update server passwords
  8. Email Providers - Update SMTP/POP account passwords
  9. FTP/HTTPS Servers - Update server passwords for log automation
  10. NTP Servers - Update custom NTP server passwords
  11. Proxy Servers - Update passwords for signature downloads
  12. GMS Management - Update IPSec Management Tunnel encryption keys
  13. L3 Switches/Routers - Update passwords on associated routing devices

Non-Critical External Systems (Priority 2)

  1. SNMP Monitoring Hosts - Update SNMPv3 credentials
  2. Cellular WWAN Providers - Update backup connection credentials
  3. SSO Web Servers - Update Message Authentication secrets
  4. AppFlow SFR Email - Update email reporting credentials
  5. SSLVPN Bookmarks - Update stored passwords
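The conditional checklist in Groups 1-7 and the external-system reference list it feeds can be generalized into a small sequencer: given an inventory of which features the firewall has enabled, it emits the groups in the playbook's execution order (Groups 1-3 strictly in sequence, Groups 4-7 in parallel) and a deduplicated list of external systems to update, split by whether a critical step depends on them. The script below is an added example written for this article, not SonicWall's configuration-analysis tool. The feature keys, the short action strings and the sample inventory are constructed here, the script covers a representative subset of the playbook entries rather than every one, and it does not parse a SonicOS settings export: the inventory must be filled in by hand or from the vendor tool's output. An unrecognised feature key is treated as an error rather than silently skipped, because a typo in the inventory would otherwise leave a credential unrotated.

```python
"""Sequencer for the feature-conditional remediation checklist.

Added example for this article, not SonicWall's config-analysis tool.
Feature keys, action text and the sample inventory are constructed; the
script covers a representative subset of the playbook entries and does
not parse a SonicOS settings export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    feature: str          # short key for the IF condition
    action: str           # the THEN
    group: int            # execution group 1..7
    critical: bool        # "Critical: Yes" in the playbook
    external: tuple = ()  # external systems that also need an update


PLAYBOOK = (
    Step("local_users", "Reset passwords of all Local Users", 1, True),
    Step("totp", "Reset TOTP for all users", 1, True),
    Step("ldap", "Rotate LDAP bind password; update LDAP entry in SonicOS", 1, True, ("LDAP server",)),
    Step("ipsec_vpn", "Replace site-to-site PSKs and GroupVPN secrets", 2, True, ("Remote IPSec peers",)),
    Step("wan_ppp", "Update L2TP/PPPoE/PPTP WAN passwords", 2, True, ("ISP account",)),
    Step("sslvpn_bookmarks", "Reset passwords in SSLVPN Bookmarks", 2, False),
    Step("aws_api", "Generate new IAM keys for logging/VPN integration", 3, True, ("AWS Console",)),
    Step("ddns", "Reset DDNS provider password; update DDNS entry", 3, False, ("DDNS provider",)),
    Step("snmp", "Update SNMPv3 user passwords", 3, False, ("SNMP monitoring host",)),
    Step("email_logs", "Reset Log Automation email account password", 4, False, ("Email provider",)),
    Step("wireless", "Rotate WPA passphrases on interfaces, APs and VAPs", 5, False),
    Step("sso", "Reset SSO Agent/TSA/RADIUS Accounting/API secrets", 6, False, ("SSO/TSA servers",)),
    Step("routing", "Update RIP/OSPFv2/BGP passwords", 7, False, ("Routers/L3 switches",)),
)

# Groups 1-3 run strictly in order; groups 4-7 are independent of each other.
SERIAL_GROUPS = (1, 2, 3)


def plan(enabled):
    """Return [(phase_label, [Step, ...]), ...] in execution order.

    An unrecognised feature key is an error rather than a silent skip:
    a typo in the inventory would otherwise leave a credential unrotated.
    """
    known = {s.feature for s in PLAYBOOK}
    unknown = set(enabled) - known
    if unknown:
        raise ValueError(f"unknown feature keys: {sorted(unknown)}")
    steps = [s for s in PLAYBOOK if s.feature in enabled]
    phases = []
    for g in SERIAL_GROUPS:
        in_group = [s for s in steps if s.group == g]
        if in_group:
            phases.append((f"GROUP {g}", in_group))
    parallel = [s for s in steps if s.group not in SERIAL_GROUPS]
    if parallel:
        phases.append(("GROUPS 4-7 (parallel)", sorted(parallel, key=lambda s: s.group)))
    return phases


def external_updates(enabled):
    """Deduplicated external systems, split by whether a critical step needs them."""
    critical, other = set(), set()
    for s in PLAYBOOK:
        if s.feature in enabled:
            (critical if s.critical else other).update(s.external)
    return {"priority_1": sorted(critical), "priority_2": sorted(other - critical)}


def render(enabled):
    """Human-readable plan, e.g. for the change ticket."""
    lines = []
    for label, steps in plan(enabled):
        lines.append(label)
        for s in steps:
            flag = "CRITICAL" if s.critical else "non-critical"
            ext = f" [external: {', '.join(s.external)}]" if s.external else ""
            lines.append(f"  - {s.action} ({flag}){ext}")
    ext = external_updates(enabled)
    lines.append("External systems, priority 1: " + ", ".join(ext["priority_1"]))
    lines.append("External systems, priority 2: " + ", ".join(ext["priority_2"]))
    return "\n".join(lines)


# Constructed inventory standing in for the firewall's enabled features.
SAMPLE_INVENTORY = {"local_users", "ldap", "ipsec_vpn", "sslvpn_bookmarks", "ddns", "sso"}

if __name__ == "__main__":
    print(render(SAMPLE_INVENTORY))
```

Running the script with the sample inventory prints Group 1 (local users, LDAP), Group 2 (IPSec, SSLVPN bookmarks), Group 3 (DDNS) and the parallel block (SSO), followed by the LDAP server and remote IPSec peers as priority 1 and the DDNS provider and SSO/TSA servers as priority 2. Extending `PLAYBOOK` with the remaining entries from the groups above is a matter of adding rows; the ordering logic stays the same.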

Example Execution Sequence

Phase 1: Pre-Migration

  1. Document all current configurations
  2. Identify all external systems requiring updates
  3. Schedule maintenance window
  4. Notify affected users and stakeholders
  5. Prepare rollback plan

Phase 2: Critical Foundation

Execute GROUP 1: Core Authentication Systems

  • Local Users password reset
  • TOTP/MFA re-enrollment
  • LDAP authentication updates
  • RADIUS/TACACS+ authentication updates

Phase 3: Critical Infrastructure

Execute GROUP 2: VPN & Remote Access Infrastructure

  • IPSec VPN pre-shared key replacement
  • ISP WAN interface credential updates
  • SSLVPN bookmark updates

Phase 4: External Systems

Execute GROUP 3: Cloud & External Integrations

  • AWS Console IAM key rotation
  • DDNS provider account updates
  • NAC server password changes
  • SNMP monitoring credentials
  • WWAN backup credentials

Phase 5: Services & Infrastructure

Execute in parallel:

  • GROUP 4: Email & Reporting Services
  • GROUP 5: Wireless Infrastructure
  • GROUP 6: User Services & SSO
  • GROUP 7: Infrastructure & Legacy Systems

Phase 6: Verification & Testing

  1. Test all authentication flows
  2. Verify VPN connectivity (both site-to-site and client)
  3. Confirm monitoring system functionality
  4. Validate wireless access
  5. Test guest services
  6. Verify email alerts and reporting
  7. Document all changes in secure location

Phase 7: Post-Migration

  1. Monitor for authentication failures
  2. Address any user access issues
  3. Update documentation
  4. Secure credential storage
  5. Schedule follow-up review
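Phase 6 and Phase 7 both come down to watching for authentication failures after the cutover and telling two cases apart: a user who fails once and then succeeds with the new password, and an integration (LDAP bind account, IPSec peer, RADIUS client) that keeps failing because the secret was rotated on one side only. The script below is an added example for this article, not SonicWall code. The log lines are constructed, the key=value layout is a simplification, and the field names (time, msg, usr, src, svc) and the cutover timestamp are assumptions for the example, not documented SonicOS fields; map them to the real syslog export before use. It reports only sources that fail repeatedly after the cutover without a subsequent success, which is the signature of a missed external update from the reference list above.

```python
"""Post-rotation triage of authentication failures (Phases 6-7).

Added example for this article, not SonicWall code. Log lines are
constructed; the key=value layout and the field names time/msg/usr/src/svc
are assumptions for the example, not documented SonicOS fields.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed: end of the maintenance window in which secrets were rotated.
CUTOVER = datetime(2025, 9, 20, 2, 0, tzinfo=timezone.utc)

# Constructed sample log: one pre-cutover success, a bind account that keeps
# failing, a user who fails once and recovers, and an IPSec peer that keeps failing.
SAMPLE_LOG = """\
time="2025-09-20 01:50:12" msg="Login success" usr=alice src=10.1.5.20 svc=sslvpn
time="2025-09-20 02:05:03" msg="LDAP bind failed" usr=svc-ldap-bind src=10.0.0.5 svc=ldap
time="2025-09-20 02:05:33" msg="LDAP bind failed" usr=svc-ldap-bind src=10.0.0.5 svc=ldap
time="2025-09-20 02:06:03" msg="LDAP bind failed" usr=svc-ldap-bind src=10.0.0.5 svc=ldap
time="2025-09-20 02:07:41" msg="Login failed" usr=bob src=198.51.100.7 svc=sslvpn
time="2025-09-20 02:09:10" msg="Login success" usr=bob src=198.51.100.7 svc=sslvpn
time="2025-09-20 02:11:00" msg="IKE authentication failed" usr= src=203.0.113.9 svc=ipsec
time="2025-09-20 02:12:00" msg="IKE authentication failed" usr= src=203.0.113.9 svc=ipsec
time="2025-09-20 02:13:00" msg="IKE authentication failed" usr= src=203.0.113.9 svc=ipsec
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
FAILURE_WORDS = ("failed", "failure", "denied")


def parse_line(line):
    """Split one key=value log line into a dict; empty dict for blank lines."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def is_failure(fields):
    return any(w in fields.get("msg", "").lower() for w in FAILURE_WORDS)


def triage(log_text, cutover=CUTOVER, threshold=3):
    """Repeated post-cutover failures per (svc, src, usr) with no later success.

    Returns a list of findings sorted by first failure time. A user who
    fails and then succeeds is dropped: that is the new password being
    typed, not a stale secret on a peer.
    """
    counts, first_seen, recovered = Counter(), {}, set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or parse_time(f["time"]) < cutover:
            continue
        key = (f.get("svc"), f.get("src"), f.get("usr"))
        if is_failure(f):
            counts[key] += 1
            first_seen.setdefault(key, f["time"])
        elif "success" in f.get("msg", "").lower():
            recovered.add(key)
    findings = [
        {"svc": svc, "src": src, "usr": usr, "failures": n, "first": first_seen[(svc, src, usr)]}
        for (svc, src, usr), n in counts.items()
        if n >= threshold and (svc, src, usr) not in recovered
    ]
    return sorted(findings, key=lambda d: d["first"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['first']}  {finding['svc']:7} {finding['src']:15} "
              f"usr={finding['usr'] or '-'}  failures={finding['failures']}")
```

On the sample data this reports the LDAP bind account from 10.0.0.5 and the IPSec peer at 203.0.113.9, and nothing for bob or alice. The `threshold` is the knob to tune per environment; `recovered` is what keeps a normal password change from being reported as a broken integration.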
