
GMS 8.3 Admin Guide

Introduction

Introduction to the SonicWall Global Management System

This section introduces the SonicWall™ Global Management System (GMS) User Interface (UI) navigation and management views. GMS can be used in a variety of roles in a wide range of networks. Network administrators can use GMS as a Management Console in an Enterprise network containing a single SonicWall E-Class NSA or SuperMassive appliance, and also as a Remote Management System for managing multiple unit deployments for Enterprise and Service Provider networks consisting of hundreds and thousands of firewalls, Secure Mobile Access (SMA), and Email Security (ES) appliances.

Topics:

Overview of GMS

This section contains the following subsections:

What Is GMS?

SonicWall™ Global Management System (GMS) is a Web-based application that can configure and manage thousands of SonicWall firewall appliances and NetMonitor non-SonicWall appliances from a central location.

GMS can be used as a Management Console in an Enterprise network containing a single SonicWall E-Class NSA or SuperMassive. GMS can also be used as a Remote Management System for managing multiple unit deployments for Enterprise and Service Provider networks consisting of hundreds and thousands of firewalls, Email Security appliances, and Secure Mobile Access (SMA) appliances. This dramatically lowers the cost of managing a secure distributed network. GMS does this by enabling administrators to monitor the status of and apply configurations to all managed SonicWall appliances, groups of SonicWall appliances, or individual SonicWall appliances. GMS also provides centralized management for scheduling and pushing firmware updates to multiple appliances and for applying configuration backups of appliances at regular intervals.

GMS provides monitoring features that enable you to view the current status of SonicWall appliances and non-SonicWall appliances, pending tasks, and log messages. It also provides graphical reporting of Firewall, SMA, and Email Security (ES) appliance and network activities for the SonicWall appliances. A wide range of informative real-time and historical reports can be generated to provide insight into usage trends and security events.

Network administrators can also configure multiple site VPNs for SonicWall appliances. From the GMS user interface (UI), you can add VPN licenses to SonicWall appliances, configure VPN settings, and enable or disable remote-client access for each network.

Key Features in GMS 8.3

This section describes the key SonicOS enhancements included in the GMS 8.3 release:

Topics:
High Availability
PPPoE Unnumbered Interface Support
Vendor OUI Detection and Logging
Dell Networking X-Series Switch Integration Features
DPI-SSH
Support for pcapNG
TSR FTP for Periodic Backup
Custom Lists for Geo-IP and Botnet
SIP UDP Fragmentation Fixes
System Logs on AppFlow Server via IPFIX
NAT64: Stateful NAT from IPv6 Client to IPv4 Server
DNS Proxy
FQDN Routing
Maximum Routes Doubled
Maximum Zone to Zone Access Rules Increased
Flow Reporting using IPFIX Extension Version 2
Syslog Server Profiling
IPv6 Support
DPI-SSL Increased Connection Counts and Enhancements
Open Authentication Social Login
Updated SonicPoint Firmware
SonicPoint Radius Accounting
31-Bit Network
RESTful API
Biometric Authentication
Auto-Provision VPN

Key Features in GMS 8.2

This section describes the SonicOS enhancements included in the GMS 8.2 release:

Enhanced Flow Reporting Agent — The Flow Reporting Agent introduced in GMS 7.1 has been enhanced with a new Real-Time Viewer with drag and drop customization, a new Real-Time Report screen with one-click filtering, a new Top Flows Dashboard with one-click View By buttons, a new Flow Reports screen with five additional flow attribute tabs, a new Flow Analytics screen with powerful correlation and pivoting features, and an all-new Session Viewer for deep drill-downs of individual sessions and packets.
MySQL 5.7 upgrade — The 5.0 MySQL server has been replaced with a newer version of the MySQL Community server 5.5.50. During a GMS/Analyzer fresh installation, the SGMS database is created with the new MySQL server. For GMS/Analyzer upgrade installations, existing data is migrated to the newer MySQL server using the MySQL upgrade process.
SonicOS 6.2.6 support — SonicOS Enhanced versions 6.2.6 and above are supported, including Content Filter Objects like the CFS 4.0 policy screen changes, and SonicPoint enhancements like Capture ATP policy configuration. SonicOS 6.2.6 also supports a new checkbox in the VPN Policy add dialog, Advanced tab: Allow Advanced Routing. It is available on the Advanced tab only when you select Tunnel Interface as the Policy Type on the General tab.

SonicOS 6.2.6.0 includes two important new features that are supported by GMS 8.2:

Capture Advanced Threat Protection (Capture ATP)
Content Filtering Service 4.0 (CFS 4.0)
About Capture ATP — Capture Advanced Threat Protection (ATP) is an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV). Capture ATP helps a firewall identify whether a file contains a zero-day virus by transmitting a suspicious file to the Cloud where the Capture ATP service analyzes the file to determine if it contains a virus. Capture ATP then sends the results to the firewall. This is done in real time while the file is being processed by the firewall.

The Capture ATP > Status page displays a graph chart that shows the percentages of benign and malicious files discovered, as well as the total number of files analyzed. It also displays a log table that shows the results of individual files submitted for analysis.

Capture ATP must be configured on each firewall individually. After the Capture ATP service license is activated, you can enable Capture ATP on the Capture ATP > Settings page.

Capture ATP can also analyze files that you upload for analysis from the Capture ATP > Status page. After the files are analyzed they are listed in the table on the Status page. You can click on any file in the log table on the Status page and see the results from the detailed analysis of that file.

Note that Capture ATP is only supported on the following appliances using SonicOS 6.2.6.0 or newer. The smaller TZ appliances and the SOHO wireless appliance do not support Capture ATP.

Table 1.

SuperMassive 9600
SuperMassive 9400
SuperMassive 9200
NSA 6600
NSA 5600
NSA 4600
NSA 3600
NSA 2600
TZ600
TZ500 and TZ500 Wireless

Capture ATP reports

Support for Capture ATP report functionality. The Capture ATP feature is the latest development to the second generation of SonicWall Cloud Anti-Virus.

For more information about using Capture ATP, refer to the SonicOS 6.2.6 Capture ATP Feature Guide.

About CFS 4.0 — Content Filtering Service (CFS) 4.0 has been redesigned to improve performance and ease of use. The workflow was redesigned and more accurate filtering options have been provided. Refer to SonicOS 6.2.6 Content Filtering Service (CFS) 4.0 Feature Guide for more details. For information about upgrading from an older version of CFS, see the SonicOS 6.2.6 CFS 4.0 Upgrade Guide.

CFS workflow

When processing packets, CFS follows this workflow:

1) A packet arrives and is examined by CFS.
2) CFS checks it against the configured exclusion addresses, and allows it through if a match is found.
3) CFS checks its policies and finds the first policy which matches the following conditions in the packet:
   Source Zone
   Destination Zone
   Address Object
   Users/Group
   Schedule
   Enabled state
4) CFS uses the CFS Profile defined in the matching policy to do the filtering, and returns the corresponding operation for this packet.
5) CFS performs the action defined in the CFS Action Object of the matching policy.
6) If no CFS Policy is matched, the packet is passed through without any action by CFS.

CFS settings

The following global settings are used in CFS 4.0:

Global settings
Max URI Caches (entries) - Defines the maximum number of cached URI entries. Cached URI entries save the URI rating results, so that GMS does not need to ask the backend server for the rating of a known URI. In CFS 3.0, the cache size had a maximum; in CFS 4.0 the maximum is changed to the entry count.
Enable Content Filtering Service - This option can be cleared to bypass CFS for all packets. By default, it is selected.
Enable HTTPS content filtering - When enabled, CFS first attempts to get the ServerName from the client “hello.” If that fails, CFS attempts to get the CommonName from the SSL certificate and then get the rating. If both attempts fail to get the ServerName/CommonName, CFS uses the IP address for the rating.
Blocked if CFS Server is Unavailable - If the CFS server cannot provide the rating request within the specified duration (5 seconds by default), this option defines whether to allow or deny the request.
CFS Exclusions
Exclude Administrator - When enabled, content filtering is bypassed for all requests from an account with administrator privileges.
Excluded address - Content filtering is bypassed for all requests from address objects selected in the Excluded address list.
Custom Category
Enable CFS Custom Category - Allows the administrator to customize the ratings for specific URIs. When CFS checks the ratings for a URI, it first checks the user ratings and then checks the CFS backend server for the ratings.
Advanced Settings
Enable Smart Filtering for Embedded URL - When enabled, detects the embedded URL inside Google Translate (Https://translate.google.com) and filters the embedded URL too. Requires that client DPI-SSL be enabled also.

New CFS policy design

A CFS policy defines the filtering conditions that a packet is compared to, and CFS 4.0 provides a new policy design, different from the way policies were implemented in CFS 3.0. A default policy is provided, but you can define your own. When writing your own policies, the following matching conditions can be defined:

Name
Source Zone
Destination Zone
Source Address
Users/Group
Schedule
Profile
Action

If a packet matches the conditions defined for Source Zone, Destination Zone, Address Object, Users/Groups, Schedule, and Enabled state, it is filtered according to the corresponding CFS Profile and then the CFS Action is applied. If authentication data is not available during matching for Users/Groups, no match is made for this condition. This strategy prevents performance issues, especially when Single Sign-On is in use.

Each CFS policy has a priority level and policies with higher priorities are checked first.

CFS custom categories

In CFS 4.0, CFS custom categories are handled consistently with the way ratings are handled in the CFS backend server. When adding or editing a custom category, you can select up to four categories for the URI.

Besides adding custom category entries one by one, export and import functions are also supported. One way to use this functionality is by exporting the custom category first, editing it, and then importing from that exported file.

Only the first 10,000 custom category entries in the file are imported. Invalid entries are skipped and do not count toward the maximum of 10,000 custom category entries that are supported.

New objects in CFS 4.0

Three new kinds of objects are supported in CFS 4.0:

URI List Objects - Defines the URI list which can be marked as allowed or forbidden.
CFS Action Objects - Defines what happens after a packet is filtered by CFS.
CFS Profile Objects - Defines what kind of operation is triggered for each HTTP/HTTPS connection.

These objects are configured on the Firewall > Content Filter Objects page in the GMS management interface.

URI List Objects

In CFS 4.0, a URI List Object is used for URI/domain matching. Each URI List Object contains a custom list of URIs. You can add/edit/delete a CFS URI list object on the Firewall > Content Filter Objects page in GMS.

Use the following guidelines when configuring URI List Objects:

A maximum of 128 URI list objects are allowed.
In each object, up to 5,000 URIs are supported.
A URI is a string containing host and path. Port and other content are currently not supported.
An IPv4 or IPv6 address string is supported as the host portion of a URI.
The maximum length of each URI is 255 characters.
The maximum combined length of all URIs in one URI list object is 131,072 (1024*128) including one character for each new line (carriage return) between the URIs.
Each URI can contain up to 16 tokens. A token in a URI is a string composed of the characters 0-9, a-z, A-Z, and $ - _ + ! ' ( ) ,
The maximum length of each token is 64 characters including one character for each separator (. or /) surrounding the token.
An asterisk (*) can be used as a wildcard representing a sequence of one or more valid tokens.

When building a policy, URI List Objects can be used as either the forbidden URI list or the allowed URI list. URI List Objects can also be used by the Web Excluded Domains of Websense.
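A pre-import lint that applies the URI List Object guidelines above to a candidate list, added here as an illustration and not SonicWall code. Assumptions: an IPv6 host is written bare or in brackets and counts as one token, `*` is accepted only as a whole token, and empty tokens (for example from a trailing `/`) are rejected.

```python
"""Pre-import lint for one CFS 4.0 URI List Object (added example, not SonicWall code)."""
import ipaddress
import re

# Limits quoted from the guidelines above.
MAX_URIS_PER_OBJECT = 5000
MAX_URI_LEN = 255
MAX_COMBINED_LEN = 1024 * 128          # 131,072, counting one newline between URIs
MAX_TOKENS = 16
MAX_TOKEN_LEN = 64                     # counts each separator touching the token
TOKEN_RE = re.compile(r"[0-9a-zA-Z$\-_+!'(),]+")


def _is_ipv6_literal(host):
    # Assumption: an IPv6 host is written bare or in [brackets]; the guide does not say.
    text = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False


def check_uri(uri):
    """Return the list of guideline violations for one URI (empty list = passes)."""
    if not uri:
        return ["empty URI"]
    problems = []
    if len(uri) > MAX_URI_LEN:
        problems.append(f"length {len(uri)} exceeds {MAX_URI_LEN}")
    host, slash, path = uri.partition("/")
    body, host_tokens = uri, 0
    if _is_ipv6_literal(host):
        # Assumption: an IPv6 host counts as one token and only the path is tokenised.
        if not slash:
            return problems
        body, host_tokens = path, 1
    elif ":" in host:
        return problems + ["port or scheme present; only host and path are supported"]
    tokens = re.split(r"[./]", body)
    if len(tokens) + host_tokens > MAX_TOKENS:
        problems.append(f"{len(tokens) + host_tokens} tokens exceeds {MAX_TOKENS}")
    for i, token in enumerate(tokens):
        if token == "*":               # wildcard stands in for one or more whole tokens
            continue
        if not TOKEN_RE.fullmatch(token):
            problems.append(f"token {token!r} is empty or has unsupported characters")
            continue
        separators = int(i > 0 or host_tokens == 1) + int(i < len(tokens) - 1)
        if len(token) + separators > MAX_TOKEN_LEN:
            problems.append(f"token {token[:12]!r}... exceeds {MAX_TOKEN_LEN} with separators")
    return problems


def check_uri_list(uris):
    """Lint a whole object: per-URI problems plus the object-level limits."""
    object_problems = []
    if len(uris) > MAX_URIS_PER_OBJECT:
        object_problems.append(f"{len(uris)} URIs exceeds {MAX_URIS_PER_OBJECT}")
    combined = sum(len(u) for u in uris) + max(len(uris) - 1, 0)
    if combined > MAX_COMBINED_LEN:
        object_problems.append(f"combined length {combined} exceeds {MAX_COMBINED_LEN}")
    rejected = {u: p for u in uris if (p := check_uri(u))}
    accepted = [u for u in uris if u not in rejected]
    return {"accepted": accepted, "rejected": rejected, "object_problems": object_problems}


if __name__ == "__main__":
    # Constructed sample list; *.java and *.ocx are entries the guide itself mentions.
    sample = ["*.java", "*.ocx", "example.com/downloads", "192.0.2.10/admin",
              "[2001:db8::1]/admin", "example.com:8443/admin", "example.com/search?q=1"]
    report = check_uri_list(sample)
    print("accepted:", report["accepted"])
    for uri, why in report["rejected"].items():
        print("rejected:", uri, "->", "; ".join(why))
```

Because the combined limit is 131,072 characters including newlines, an object can hold the full 5,000 entries only if they average about 25 characters each.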

Action Objects

The CFS Action Object defines what happens after a packet is filtered by CFS and specified by a CFS Policy. You can add/edit/delete a CFS Action Object on the Firewall > Content Filter Objects page in GMS. Within the Action Object you can define whether to block a web site, require a passphrase (password) for access, require a confirmation before proceeding to the web site, or use Bandwidth Management.

Passphrase and Confirm features only work for HTTP requests. HTTPS requests cannot be redirected to the Passphrase or Confirm page, respectively.

Profile Objects

The CFS Profile Object defines the action that is triggered for each HTTP/HTTPS connection. You can add/edit/delete a CFS Profile Object on the Firewall > Content Filter Objects page in GMS. When setting up a new Profile Object under the new design, a domain may now be resolved to one of four ratings. From highest to lowest, the ratings are:

Block
Passphrase
Confirm
BWM (Bandwidth Management)

If the URI is not categorized into any of these ratings, then the operation is allowed.
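The decision path from the CFS workflow and New CFS policy design sections, combined with the profile rating order above, as a small Python model for auditing which traffic ends up unfiltered. This is an added example, not SonicWall code; the class names, the sample zones, users, addresses and category names, the hour-based schedule, and the rule that the highest rating wins when several categories hit are assumptions.

```python
"""Model of the CFS 4.0 decision path described in this guide (added example)."""
from dataclasses import dataclass
from typing import NamedTuple, Optional

RATINGS = ("Block", "Passphrase", "Confirm", "BWM")   # highest to lowest, per the guide


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_addr: str
    categories: tuple                 # categories the URI was rated into
    user: Optional[str] = None        # None = no authentication data available
    hour: int = 12


@dataclass
class Profile:
    name: str
    operations: dict                  # category -> one of RATINGS

    def resolve(self, categories):
        hits = [self.operations[c] for c in categories if c in self.operations]
        # Assumption: when several categories hit, the highest rating wins.
        return min(hits, key=RATINGS.index) if hits else "Allow"


@dataclass
class Policy:
    name: str
    profile: Profile
    action: str                             # name of the CFS Action Object to apply
    src_zone: str = "Any"
    dst_zone: str = "Any"
    src_addrs: Optional[frozenset] = None   # None = any address object
    users: Optional[frozenset] = None       # None = no Users/Group condition
    hours: range = range(24)                # schedule, simplified to hours of the day
    enabled: bool = True

    def matches(self, pkt):
        if not self.enabled:
            return False
        if self.src_zone not in ("Any", pkt.src_zone) or self.dst_zone not in ("Any", pkt.dst_zone):
            return False
        if self.src_addrs is not None and pkt.src_addr not in self.src_addrs:
            return False
        # Per the guide: without authentication data the Users/Group condition does not match.
        if self.users is not None and pkt.user not in self.users:
            return False
        return pkt.hour in self.hours


class Decision(NamedTuple):
    stage: str                        # "exclusion", "policy" or "no-match"
    policy: Optional[str]
    operation: str
    action: Optional[str]


def evaluate(pkt, policies, excluded_addrs=frozenset()):
    """Walk the workflow; policies must be ordered from highest to lowest priority."""
    if pkt.src_addr in excluded_addrs:
        return Decision("exclusion", None, "Allow", None)
    for policy in policies:
        if policy.matches(pkt):
            return Decision("policy", policy.name,
                            policy.profile.resolve(pkt.categories), policy.action)
    return Decision("no-match", None, "Pass", None)


def unfiltered(packets, policies, excluded_addrs=frozenset()):
    """Audit helper: packets that no policy's profile ever examined."""
    return [p for p in packets if evaluate(p, policies, excluded_addrs).stage != "policy"]


# Constructed sample configuration and traffic (not taken from any real deployment).
STRICT = Profile("strict", {"Gambling": "Block", "Social Networking": "Confirm",
                            "Streaming": "BWM"})
POLICIES = [
    Policy("staff", STRICT, "staff-action", src_zone="LAN", dst_zone="WAN",
           users=frozenset({"alice", "bob"})),
    Policy("guest", Profile("guest", {"Gambling": "Block"}), "guest-action",
           src_zone="GUEST", dst_zone="WAN"),
]
EXCLUDED = frozenset({"10.0.0.5"})
TRAFFIC = [
    Packet("LAN", "WAN", "10.0.0.20", ("Social Networking", "Gambling"), user="alice"),
    Packet("LAN", "WAN", "10.0.0.21", ("Gambling",)),             # no auth data yet
    Packet("LAN", "WAN", "10.0.0.5", ("Gambling",), user="bob"),  # excluded address
    Packet("GUEST", "WAN", "172.16.0.9", ("Streaming",)),
]

if __name__ == "__main__":
    for pkt in TRAFFIC:
        print(pkt.src_addr, pkt.user, evaluate(pkt, POLICIES, EXCLUDED))
```

In the sample, the LAN request without authentication data matches no policy and passes untouched, which is the gap a catch-all policy without a Users/Group condition would close.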

CFS log entries

In CFS 4.0, there are only three types of log entries:

logstrSyslogWebSiteAccessed
logstrWebSiteBlocked
logstrCFSAlert

These log entries start with CFS Alert: and are followed by a descriptive message.

Websense support in CFS 4.0

The Websense configuration settings are shown in the Security Services > Content Filter page when the Content Filter Type selection is set to Websense Enterprise. Websense only works for IPv4 requests. It does not work with IPv6.

Websense can be used even when the firewall is not licensed for CFS 4.0 (Content Filtering Premium).

Deprecated CFS 3.0 features

CFS 4.0 includes the following changes to CFS 3.0 features:

Merge “CFS via App Rules” and “CFS via Zones” into one.
Remove the Global/Local custom lists, replaced by URI List objects.
Users cannot use CFS without a license, but can still use Websense.
Remove CFS configuration from Users/Groups CFS tab.
Remove CFS configuration from Zone page if using SonicWall CFS. The CFS configuration in Zone is available only if CFS type is Websense.
Remove Restrict Web Features for Java/ActiveX. They can be replaced with entries in the Forbidden URI list using *.java and *.ocx.
Remove Restrict Web Features for HTTP Proxy Server.
In CFS 4.0, to block access to HTTP Proxy Server, go to the Firewall > App Control Advanced page, enable App Control, and then edit the 3648 signature ID to block HTTP proxy access.

Comparison of CFS 3.0 to CFS 4.0

The following table compares the user experience for various aspects of the old and new CFS.

Open Java Development Kit and Tomcat 8 upgrade

Current Java Runtime Environment (JRE) and Tomcat versions have been phased out. Still, there are many library-related security updates that are only supported in the newer versions. The effort is bundled together to upgrade both JDK/JRE and Tomcat in the GMSVP 8.2 release.

Apache Flex BlazeDS XXE

The BlazeDS data services library has been upgraded from 4.0 version to 4.7.2.

One of the BlazeDS library JAR files (flex-messaging-core.jar) was vulnerable to the XXE injection attack. This has been addressed in the 4.7.2 version.

Geo map support in GMS with a proxy

Geo map on the dashboard is not displayed when GMS is configured to go through proxy. The traffic to get the map was not going through the proxy, and hence failed.

Data deletion

Update to the settings of Data Deletion.

Optimized code for performance

There were many feature enhancements to the Summarizer module of GMS, and much old code that was no longer in use needed cleanup. Included are the details of the changes made during the cleanup of the Summarizer code.

Email Security and GMS Integration

Email Security version 7.X.X has disabled iFrame support. As a result, GMS is unable to show the Email Security user interface for Recording Policy changes.

Applications report

Categories Report shows a different category of applications, events, and a transferred bytes column.

Key Features in GMS 8.1

This section describes the SonicOS enhancements included in the GMS 8.1 release:

Provides SonicOS 6.2.5 support - New features in SonicOS 6.2.5 are supported.
DPI-SSL enhancements - See Configuring Firewall DPI-SSL Settings
DPI-SSL Strengthened Encryption Methods - See Supported Features
Disable DPI Option for Firewall Access Rules - See Configuring Access Rules
Firewall Sandwich support - See Firewall Sandwich
Numbered VPN tunnel interfaces - See Numbered VPN tunnel interfaces
Change Auditor Support in AppFlow - See Viewing the AppFlow Server Page
Botnet Source Identification in AppFlow Monitor
Gateway Anti-Virus Detection Only Mode - See Configuring GAV Settings
Control Plane Flood Protection - See Control Plane Flood Protection
Shutdown Port Option - See Advanced Settings
Port based network monitoring - See Configuring NAT Policies
Disable Source Port Remapping option for NAT - See Configuring NAT Policies
Suffix Option for HA/Clustered Firewalls - See Configuring Administrator Settings
Source/Destination IP address binding for Round Robin/Spillover load balancing - See WAN Failover and Load Balancing
SonicPoint ACe/ACi/N2 FCC new rule certification for DFS channels - See Configuring Firewall SonicPoints
Feature support on TZ Series and SOHO Wireless appliances

SonicWall SOHO Wireless and TZ series appliances running SonicOS 6.2.5.1 support most of the features available for other platforms in earlier 6.2 releases, but not all.

The following features are not supported on the TZ series or SOHO Wireless appliances:

Active/Active Clustering
Advanced Switching
Jumbo Frames
Link Aggregation
Port Redundancy
Wire Mode

In addition, SOHO Wireless appliances do not support the following features:

App Visualization (Real-Time Monitor and AppFlow)
Geo-IP Filtering
Botnet Filtering
High Availability
SonicWall X-Series switch integration — SonicWall X-Series switches can now be managed easily within TZ series firewalls to offer a single pane of glass management of the entire network security infrastructure.
Provides SonicOS 6.2.4 and 6.2.4.3 and above support — New features in SonicOS 6.2.4, 6.2.4.3 and above are supported.
Log > Settings enhancements — New fields added including: “Syslog ID,” “E-mail Format,” and “Include All Log Information.”
In the Syslog ID box, enter the Syslog ID that you want. A Syslog ID field is included in all generated Syslog messages, prefixed by “id=”. Thus, for the default value, firewall, all Syslog messages include “id=firewall.” The ID can be set to a string consisting of 0 to 32 alphanumeric and underscore characters.
NOTE: The Syslog ID field is fixed to firewall when the Override Syslog Settings with Reporting Software Settings option is enabled, and therefore, cannot be modified.
Email Format - Select whether log emails will be sent in Plain Text, CSV Attachment, or HTML format from the drop-down menu.
Include All Log Information - Select to have all information included in the log report.
Solera Capture Stack - Solera Networks makes a series of appliances of varying capacities and speeds designed to capture, archive, and regenerate network traffic. The Solera Networks Network Packet Capture System (NPCS) provides utilities that allow the captured data to be accessed in time sequenced playback, that is, analysis of captured data can be performed on a live network via NPCS while the device is actively capturing and archiving data.
Firewall Settings > Advanced enhancements - Added a new field, “Enable ICMP Redirect on LAN zone.” The field is available for the firewall in versions 6.2.4.3 and above at the group level. Enables an Internet Control Message Protocol (ICMP) to redirect LAN zone error and control messages. This field is supported in both the types of inheritance and when selected, the appliance generates ICMP redirect packets on the LAN zone.
Users > RADIUS enhancements - Added a new field “User Name Format,” under the “RADIUS Global Settings” section. This field is available for firewall versions running 6.2.4.3 and above and at the group level. This field is supported in both the types of inheritance. Select between the user name format styles offered from the pull-down menu.
Network > Interfaces enhancements - Added two new fields, “Secondary IP Address” and “Secondary Subnet Mask” in the “Add/Edit Interfaces” dialog of the Network > Interfaces | Advanced screen. These fields are available for the firewall versions running 6.2.4.3 and above and at the group level. Contact Customer Service for information on activating this feature.
Firewall Action - Changes to the report database, table structure, and associated reports in the UI. Report can now include the firewall action for all events relating to the traffic that is traversing or being blocked by the firewall.
Reporting Database - Infobright with Postgres - The GMS 8.1 upgrade replaces the Infobright-MySQL database formerly used in earlier versions of GMS with Infobright PostgreSQL. The installer will ask if you want to perform the data migration from the MySQL to the new PostgreSQL database.
GMS 8.1 Installation and Deployment Requirements - The license to distribute Infobright with MySQL, the reporting database used in GMS 8.0, expires on Dec 31, 2015. Infobright is replacing it with Infobright running the PostgreSQL engine.

Support for InfoBright with MySQL will continue and customers who have MySQL deployments as of Dec 31, 2015 will continue to receive upgrades, patches, and hot fixes until Dec 31, 2018. They will also be able to add new Agents to the existing deployments.

Backup and Restore Performance enhancements - Added two new fields to the UMH System > Backup/Restore screen to include “Free disk space required,” and “Auto disk space management.”
“Free disk space required” - Indicates the space required to perform the backup, and how much space is available for use on the resource. If available disk space is less than the estimated free disk space required, the backup process will not start. However, if the auto disk space management feature is enabled, the backup process deletes the previous backup files to free the disk space required for the backup process to begin.
“Auto disk space management” - Select to allow GMS to manage the disk space and backup requirements. Auto disk space management is a configurable option provided for you to automate recovering disk space by deleting previous backup files in case of a disk space shortage for the backup process. If there is sufficient disk space for the backup process to run, this feature does not have any impact.

Key Features in GMS 8.0

This section describes the SonicOS enhancements included in the GMS 8.0 release:

Provides SonicOS 6.2.4 support — GMS 8.0 supports the following SonicWall network security platforms for management and reporting:
TZ300 and TZ300 Wireless
TZ400 and TZ400 Wireless
TZ500 and TZ500 Wireless
TZ600 and TZ600 Wireless
SOHO and SOHO Wireless*

* The TZ appliances run SonicOS 6.2.3.1 or higher, while the SOHO runs SonicOS 5.9.1.3 or higher. Appliances running firmware newer than the SonicOS 6.2.3.1 or 5.9.1.3 releases can still be managed and reports can still be generated by GMS 7.2.

Change Order Management and Workflow — GMS 8.0 introduces a workflow automation feature that assures the correctness and the compliance of policy changes by enforcing a process for configuring, comparing, validating, reviewing and approving policies prior to deployment. The approval groups are user-configurable for adherence to company security policy. All policy changes are logged in an auditable form that ensures the firewall complies with regulatory requirements. This feature provides the ability to “Infer” what would end up on the unit as part of a task and then “Validate” that configuration based on what is presently on the unit and what is then going to be pushed to the unit. The changes can then be optionally approved by a set of users before they get deployed, through the WorkFlow mechanism. All granular details of any changes made are historically preserved to help with compliance, audit trailing, and troubleshooting.
Features no longer supported — The following features have been dropped from support:
Management and Reporting of CDP appliances
Support of UMA as a platform for GMS 8.0 to run on
Support of Windows 32-bit Operating Systems as a platform for GMS 8.0 to run on
Firewalls with firmware older than SonicOS 5.0
Gen4 or older Firewalls
Java Applet Replacement - The TreeControl application (that displays all managed appliances) and the User Management application (Console > Management > Users) have now been replaced with non-Java versions. All Java applets in the front-end have been removed, except for NetMonitor.
SonicOS Support — New features in SonicOS 6.2 are supported.
Support for Brazilian/Portuguese — The Login screen now includes version information and indicates Brazilian Portuguese support.
Access Rules — The Access Rules screen now allows users to update Address Objects, Address Groups, Service Objects, and Service Groups all from the same Access Rules screen instead of jumping to separate screens to carry out these operations.
Reporting
Report Database Rebuild Utility — The Reporting Database Rebuild Utility allows you to submit a request to rebuild any specific month's report table if it were to become corrupt.
Report Data Optimization — In previous versions, report data optimization exported sorted report data into a file and reloaded that data back to the report database. In GMS 8.0, instead of using a file to upload the data, a temporary table is created that exports and reimports that data, leading to better performance.
Botnet Reports - Botnet reporting is added to the Reports panel and includes four report types: Attempts, Targets, Initiators, and Timeline.
Enhanced USR Template Manager — In addition to the PCI Report template, HIPAA and SOX templates are added to Universal Scheduled Reports as an aid for compliance audits.
Signature Details — You can view the details of any signature matched with the new “Show Signature details” or “Show Spyware Signature details” right-click options.
Geo-IP Reports - Geo-IP reports contain information on blocked traffic that is based on the traffic's country of origin or destination. Geo-IP Reporting is added to the Reports panel and includes four report types: Attempts, Targets, Initiators, and Timeline.
USR-Customizing Sorting Option in PDF — Provides additional sorting options for Scheduled PDF reports.
Log Analyzer — The Firewall > Reports > Analyzers > Log Analyzer page has been updated with an out-of-the-box default view.
Packet Data View for Signature Alerts
MAC Address in Reporting - This feature shows the Media Access Control (MAC) address on the report page. This adds detail to the current device-specific information in the Reports panel and the PDF report. New columns “Initiator MAC” and “Responder MAC” are added to the following reports:
Data Usage > Initiators
Data Usage > Responders
Data Usage > Details
User Activity > Details
Web Activity > Initiators
Enhanced Reporting Database - The Reporting Database has been upgraded to a newer version that offers better performance and higher reliability.
Distributed Universal Scheduled Report - PDF report generation is now distributed and uses an engine that can make better use of your CPU and RAM resources, resulting in faster delivery of scheduled reports with larger volumes and more rows of data.
CSV File Import for IPS Signatures — You can import configurations of your IPS signatures (such as Block vs Logged, and so on) using a spreadsheet in CSV format.
Update at Unit-And-One-Level-Up Permission — The “Update At Unit and One Level Up” option is an addition to the existing screen permissions for users and user types, which now include:
None
View Only
Update at Unit Level Only
Update at Unit and One Level Up
Update at All Levels

The new permission is especially useful in the management of firewalls that are distributed geographically and where each location uses high availability (HA) or a handful of firewalls with similar policies and configurations, and where technicians are allocated to those geographic locations to make such changes.

In these deployments, technicians are given permission to make changes to the firewall at the Unit and Group levels, as long as that Group level is just one level higher than the firewall level, as it would be on an immediate parent node on a firewall or unit node. Technicians for these deployments do not normally have full permissions at the higher level nodes, however, they can have full permissions at the unit and the unit's parent node levels.

Improved Inheritance Filters — In earlier versions of GMS, when a Screen was selected for inheritance, GMS automatically selected dependent screens so that a comprehensive list of interdependent screens was included in the filter. For instance, selecting an Access Rule screen for inheritance would automatically select dependent screens such as Zones, Address Objects, Service Objects, and so on. This was not only confusing, but it also led to undesirable end results. To inherit a few rules, GMS inherited all Zones, Address Objects, and Service Objects even when they did not need to be inherited. In GMS 8.0, the filters have been enhanced to address these limitations: selecting a filter does not additionally select the dependent screens, which minimizes confusion. Instead, GMS automatically determines which objects need to be inherited, and inherits only those dependent objects instead of all the objects from dependent screens. If you are upgrading from a version prior to GMS 8.0, your old filters will remain intact. To take advantage of this more intuitive approach in GMS 8.0, you will need to re-create your filters.
TLS Support in Emails — Provides support for Microsoft Office 365 and Gmail.
The disabling of default Syslog filters is allowed by Superadmin
Comments Possible for Syslog Filters
Number of Syslog messages per file configurable through UI
Support for Firewall's Native Backup/restore Functionality — In GMS 8.0, you can now perform a System Backup of the firmware image on a firewall, if the firewall supports this functionality. Using GMS 8.0, you can also boot such firewalls using their System Backup image. This functionality is provided in GMS 8.0 in the Policies panel > Register/Upgrades > Firmware Upgrade screen, in the “System Backup” section.
All Windows Modules of GMS 8.0 are now 64-bit — Provides better usage of system resources and better performance.
High-level User Interface Changes
Secure Remote Access (SRA) has been renamed to Secure Mobile Access (SMA).
The CDP tab is removed
SRA and ES tabs are no longer shown by default, but can be activated in Console > Management > Settings.
Discontinued View Attributes — The following Attributes can no longer be used to create your Views - these have been discontinued because these were associated with older firewalls or discontinued features:
Enable Anti-Virus Client Automated Enforcement
Network Type
PKI Status
VPN Present
Instance Name
New Diagnostics > Cluster Status screen
Screen Groups and Screens Removed
WGS Screen Group
WGS > Settings
WGS > URL Allow List
WGS > IP Deny List
WGS > Custom Log
WGS > External Authentication
WGS > Profiles
Application Filters Screen Group
Application Filters > Settings
Application Filters > Category Sets
Application Filters > Ports
Network > Settings
Network > Switch Ports
System > Licensed Nodes
Log > Log Settings
Content Filter > CFL Filter List
Content Filter > CFS Standard
Firewall > Services
Firewall > Rules
Users > ULA Settings
Network > Intranet
Network > Routing
Network > RIP
Network > DMZ Addresses
Network > One-to-One NAT
Network > Ethernet
DHCP > Setup
VPN > Configure
VPN > ULA Settings
Web Filters > Settings
Web Filters > Policies
Web Filters > Custom Categories
Web Filters > Miscellaneous
Web Filters > Custom Block Page
Policies > Policy List
Users > HTTP URL ULA
Security Services > Email Filter
Hardware Failover > Monitoring
Screens renamed
Log > “Enhanced Log Settings” renamed to “Log Settings”
Log > “Enhanced Log Categories” renamed to “Log Categories”
Content Filter > “Websense” renamed to “Websense Enterprise”
Network > “Routing (ENH)” renamed to “Routing”
Network > “RIP (ENH)” renamed to “RIP”
Screen group “Hardware Failover” renamed to “High Availability”
VPN > “Configure 2.0” renamed to “Configure”
Changes to sections within screens
The “Add User” section of the Users > Settings screen has been removed from GMS.
In the Firewall > Policies > Content Filter > Custom List screen, the Timing (Filter List/URL Keywords/Custom Sites) section has been removed from the screen.
In the Firewall > Policies > Wireless > IDS screen, the SonicOS Standard references (visible at group/global levels) have been removed.
In the Console > Tasks > Default Tasks screen, the task titled “Setup minimal Syslog Categories for reporting Gen 3 Units” has been removed and the remaining tasks for Gen 3 have been renamed and have no reference to Gen 3, such as “Setup minimal Syslog Categories for reporting.”

Scaling SonicWall GMS Deployments

GMS is designed to be highly scalable to support service providers and enterprise customers with large numbers of SonicWall appliances.

GMS offers a distributed management architecture, consisting of multiple servers, multiple consoles and several agents. Each agent server can manage a number of SonicWall appliances. Additional capacity can be added to the management system by adding new agent servers. This distributed architecture also provides redundancy and load balancing, assuring reliable connections to the SonicWall appliances under management.

In the distributed architecture, the console server provides the user a single interface to the management system. Each agent server can manage a number of SonicWall appliances, depending on the SonicWall GMS gateway that resides between the agent server and the SonicWall appliances and the amount of syslog traffic from the remotely managed appliances.

The SonicWall GMS gateway that resides between a GMS agent server and the SonicWall appliances provides secure communications.
Each SonicWall appliance can have a primary agent server and a standby server. Each agent server can be a primary server for certain SonicWall appliances and a standby server for other SonicWall appliances.
Configuration of and changes to the GMS and the SonicWall appliances are written to the database.
The users at the Admin Workstations can access the GMS management interface through a Web browser (HTTP) from any location. The GMS management interface can also be securely accessed using SSL.
The SonicWall GMS console server can also be an agent server.

Overview of IPv6 in GMS

GMS supports the use of IPv6, allowing the user to install GMS products in an IPv6 network environment. This means that GMS can now access various Network Elements using IPv6 addresses, such as Firewalls, SMTP servers, RADIUS/LDAP Authentication Servers, SNMP Managers, WebServices, and so on.

IPv6 Deployment Considerations

Consider the following when using IPv6 with GMS:

In the case of a Virtual Appliance, you can use SonicWall Command Line Interface to specify the IPv6 address of the appliance.
For GMS to take advantage of the IPv6 network, dual-stack (IPv4, IPv6) configuration on the underlying platforms is required. This means that these appliances/servers will need to have IPv4 addresses assigned no matter what.
The GMS Scheduler continues to be displayed as an IPv4 address. This does not mean that the GMS Scheduler can access only IPv4 addresses. Rather, the IPv4 address in this context is used to uniquely identify the GMS Scheduler/Agent.

Deployment Requirements

Before installing GMS, review the following deployment requirements. SonicWall GMS can be hosted in two deployment scenarios as follows:

Microsoft Windows server software
VMware ESX/ESXi virtual appliance

This section includes the following subsections:

NOTE: For information on capacity planning and performance tuning, see Capacity Planning and Performance Tuning.

Operating System Requirements

Microsoft Windows

SonicWall GMS supports the following Microsoft Windows operating systems:

Windows Server 2012 Standard 64-bit
Windows Server 2012 R2 Standard 64-bit (English and Japanese language versions)
Windows Server 2012 R2 Datacenter

These Windows systems can either run in physical standalone hardware platforms, or as a virtual machine under Windows Server 2012 Hyper-V or VMware ESXi.

TIP: For best performance and scalability, it is recommended to use a 64-bit Windows operating system. Bundled databases run in 64-bit mode on 64-bit Windows operating systems. All listed operating systems are supported in both virtualized and non-virtualized environments. In a Hyper-V virtualized environment, Windows Server is a guest operating system running on Hyper-V. GMS is then installed on the Windows Server virtual machine that is layered over Hyper-V.
NOTE: GMS is not supported on MS-Windows Server virtual machines running in cloud services, such as Microsoft Azure and Amazon Web Services EC2.

Hardware for Windows Server

Use the Capacity Calculator 2 to determine the hardware requirements for your deployment.

NOTE: A Windows 64-bit operating system with a RAM of 16GB is highly recommended for better performance of reporting modules. Read Capacity Planning and Performance Tuning.

Hard Drive HDD Specifications

The following hard drive HDD specifications are required when using GMS software on a Windows Server or a GMS Virtual Appliance:

Spindle Speed: 10,000 RPM or higher
Cache: 64 MB or higher
Transfer rate: 600 MBs or higher
Average Latency: 4 microseconds or lower

SonicWall GMS Virtual Appliance

The elements of basic VMware structure must be implemented prior to deploying the GMS Virtual Appliance. The GMS Virtual Appliance runs on the following VMware platforms:

ESXi 6.0
ESXi 5.5

Use the following client applications to import the image and configure the virtual settings:

VMware vSphere – Provides infrastructure and application services in a graphical user interface for ESXi, included with ESXi. Allows you to specify Thin or Thick (Flat) provisioning when deploying GMS Virtual Appliance.
VMware vCenter Server – Centrally manages multiple VMware ESXi environments. Provides Thick provisioning when deploying GMS Virtual Appliance.

Deployment Considerations:

GMS management is not supported on Apple MacOS.
All modules are 64-bit.
Using the Flow Server Agent role requires a minimum of:
Quad core
16 GB of memory
300 GB available disk space

Use the Capacity Calculator 2 to determine the hardware requirements for your deployment.

The performance of GMS Virtual Appliance depends on the underlying hardware. It is highly recommended to dedicate all the resources that are allocated to the Virtual Appliance, especially the hard-disk (datastore). In environments with high volumes of syslogs or AppFlow (IPFIX), you will need to dedicate local datastores to the GMS Virtual Appliance.

NOTE: When the GMS Virtual Appliance is booting for the first time, it takes longer for the server to become available. Do NOT Power Off/On the appliance during this time as doing so will cause the boot to fail and an “Available disk space...” error message to appear. Redo the role configuration, be patient, and the configuration should be successful.

When using Thick or Flat provisioning as the storage type option, the entire amount of disk space is allocated when you import and deploy the GMS Virtual Appliance file. When using Thin provisioning, the initial size is very small and will grow dynamically as more disk space is needed by the GMS application, until the maximum size is reached. After being allocated, the size does not shrink if the application space requirements are subsequently reduced.

Additional disk space provided to the GMS Virtual Appliance in the virtual environment, beyond the respective limits of 250GB or 950GB, is not utilized.

MySQL Requirements

Previously, GMS automatically installed MySQL as part of the base installation package. The GMS 8.1 upgrade replaces the Infobright with MySQL database used in earlier versions with Infobright with Postgres (IB-PG). The installer will ask if you want to perform the data migration to the new database. Separately installed instances of MySQL are not supported with GMS.

Microsoft SQL Server Requirements

For SQL Server deployments in countries in which English is not the default language, set the default language to English in the Login Properties of the GMS database user in the SQL Server configuration.

The following SQL Server versions are supported:

SQL Server 2014
SQL Server 2012
NOTE: A database user with “DB Creator” privileges must be provided to GMS during the Role Configuration process of any GMS Server.

Java Requirements

NOTE: Java is required only when you are using Net Monitor.

Chrome and Internet Explorer no longer support Java. Use Firefox for Java Applets.

Download and install the latest version of the Java 8 plug-in on any system that accesses the GMS management interface. This can be downloaded from:

or

Browser Requirements

SonicWall GMS uses advanced browser technologies such as HTML5, which are supported in most recent browsers. SonicWall recommends using the latest Chrome, Firefox, Internet Explorer, or Safari browsers for administration of the SonicWall GMS.

This release supports the following Web browsers:

Chrome 42.0 and higher (recommended browser for dashboard real-time graphics display)
Firefox 37.0 and higher
Internet Explorer 10.0 and higher (do not use compatibility mode)
NOTE: Internet Explorer version 10.0 in Metro interfaces of Windows 8 is currently not supported.
NOTE: Turn off Compatibility Mode when accessing the GMS management interface with Internet Explorer. For more information, see the Knowledge Base article located at: https://support.sonicwall.com/sonicwall-gms/kb/sw14003

SonicWall Appliance and Firmware Support

GMS supports SonicWall firewall App Control policy management and reporting. Refer to the SonicOS documentation for information on which SonicOS firmware versions support these features.

NOTE: GMS 8.3 does not support legacy SonicWall appliances, including:
• Firewall appliances running firmware earlier than SonicOS 5.0
• CSM Series
• CDP Series

SonicWall GMS supports the following SonicWall appliances and firmware versions:

 

Component requirements, SonicWall platforms, and SonicWall firmware versions:

Network security appliance

SuperMassive 10000 series: SonicOS 6.0 or newer
NOTE: Only partial policy management and reporting support is currently available. The following SuperMassive specific features are not supported for centralized policy management in GMS:
Multi-blade Comprehensive Anti-Spam Service (CASS)
High Availability/Clustering
Support for Management Interface
Flow Reporting Configurations
Multi-blade VPN
Advanced Switching
Contact your SonicWall Sales representative through https://support.sonicwall.com/ for more information.

SuperMassive 9000 series: SonicOS 6.1 or newer
NSA series: SonicOS 5.0 or newer
TZ series and TZ Wireless: SonicOS 5.0 or newer
SonicWall SOHO and SOHO Wireless: SonicOS 6.2.5 or newer

Secure Mobile Access

SRA/SSL-VPN Series: SSL-VPN 2.0 or newer (management); SSL-VPN 2.1 or newer (management and reporting)
E-Class SRA Series: E-Class SRA 9.0 or newer
SMA 6200/7200: SMA 10.7.2 or newer

Email Security/Anti-Spam

Email Security Series: Email Security 7.2 or newer (management only)

Notes:

GMS supports SonicWall firewall App Control policy management and App Control reporting. Refer to the SonicOS documentation for information on the supported SonicOS firmware versions.
Appliances running firmware newer than this GMS release can still be managed and reports can still be generated. However, the new features in the firmware will be supported in an upcoming release of GMS.

Non-SonicWall Appliance Support

SonicWall GMS provides monitoring support for non-SonicWall TCP/IP and SNMP-enabled devices and applications.

GMS Gateway Requirements

A SonicWall GMS gateway is a SonicWall firewall appliance that allows for secure communication between the SonicWall GMS server and the managed appliance(s) using VPN tunnels.

The SonicWall GMS gateway must meet one of the following requirements:

SonicWall NSA Series network security appliance with minimum firmware version SonicOS 5.0
SonicWall PRO Series network security appliance with minimum firmware version SonicOS Enhanced 3.2
SonicWall VPN-based network security appliance
NOTE: The SonicWall GMS gateway should be at minimum a SonicWall NSA 2400 with minimum firmware SonicOS 5.0.

There are three SonicWall GMS management methods with different SonicWall GMS gateway requirements. When using SSL as the management method, it is optional to have a SonicWall GMS gateway between each SonicWall GMS agent server and the managed SonicWall appliance(s). If you select Existing VPN tunnel, a gateway is optional. If you select Management VPN tunnel, you must have a SonicWall GMS gateway between the SonicWall GMS agent server and the managed SonicWall appliance(s) to allow each SonicWall GMS agent server to securely communicate with its managed appliance(s). The following list provides more detail on SonicWall GMS management methods and gateway requirements:

Management VPN tunnel—A SonicWall GMS gateway is required. Each SonicWall GMS agent server must have a dedicated gateway. The security association (SA) for this type of VPN tunnel must be configured in the managed SonicWall appliance(s). SonicWall GMS automatically creates the SA in the SonicWall GMS gateway. For this configuration, the SonicWall GMS gateway must be a SonicWall VPN-based appliance. The SonicWall GMS gateway can be configured in NAT-Enabled or transparent mode.
A dedicated gateway is required with this method because of how the Scheduler works. When a unit is added into SonicWall GMS with 'Management tunnel' as the method, the scheduler service logs into the gateway and creates the management tunnel. The scheduler service also periodically logs into its gateway and checks for management SAs. If there are SAs created for units that the agent does not manage, the SAs are deleted. If two agents share a gateway, they will constantly delete each other’s SAs.
Existing VPN tunnel—A SonicWall GMS gateway is optional. SonicWall GMS can use VPN tunnels that already exist in the network to communicate with the managed appliance(s). For this configuration, the SonicWall GMS gateway can be a SonicWall VPN-based appliance or another VPN device that is interoperable with SonicWall VPN.
SSL—A SonicWall GMS gateway is optional. SonicWall GMS can use SSL management instead of a VPN tunnel to communicate with the managed appliance(s). However, the SonicWall EX-Series SMA appliance allows SSL access only to its LAN port(s), and not to its WAN port(s). This means that when SonicWall GMS is deployed outside of the Aventail LAN subnet(s), management traffic must be routed from SonicWall GMS to a gateway that allows access into the LAN network, and from there be routed to the LAN port.
NOTE: No matter what management method is used, GMS will always log in to the firewalls using HTTPS for better security.
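
The scheduler behaviour described under Management VPN tunnel, modelled as an added Python example (not SonicWall code). It implements only the two actions the text states, creating an SA when a unit is added and deleting SAs for units the agent does not manage, and it checks a deployment plan for gateways shared by more than one agent. Class names, agent and gateway names, and unit identifiers are constructed for illustration.

```python
from collections import defaultdict

MGMT_TUNNEL = "Management VPN tunnel"  # method name as used in this guide


class Gateway:
    """A GMS gateway, reduced to the set of units it holds a management SA for."""

    def __init__(self, name):
        self.name = name
        self.sas = set()


class AgentScheduler:
    """Models only the scheduler behaviour this section describes."""

    def __init__(self, name, gateway):
        self.name = name
        self.gateway = gateway
        self.managed = set()

    def add_unit(self, unit):
        # Adding a unit with the Management VPN tunnel method creates its SA.
        self.managed.add(unit)
        self.gateway.sas.add(unit)

    def periodic_check(self):
        # SAs for units this agent does not manage are deleted.
        foreign = self.gateway.sas - self.managed
        self.gateway.sas -= foreign
        return foreign


def simulate(shared):
    """Run one periodic check per agent; return (deleted, surviving) per agent."""
    gw_a = Gateway("gw-1")
    gw_b = gw_a if shared else Gateway("gw-2")
    agent_a = AgentScheduler("agent-a", gw_a)
    agent_b = AgentScheduler("agent-b", gw_b)
    # Constructed unit identifiers.
    agent_a.add_unit("UNIT-A1")
    agent_a.add_unit("UNIT-A2")
    agent_b.add_unit("UNIT-B1")
    deleted = {a.name: sorted(a.periodic_check()) for a in (agent_a, agent_b)}
    surviving = {a.name: sorted(a.gateway.sas & a.managed)
                 for a in (agent_a, agent_b)}
    return deleted, surviving


def shared_gateways(plan):
    """plan: rows of (agent, gateway, method).

    Return {gateway: [agents]} for each gateway that more than one agent
    uses with the Management VPN tunnel method.
    """
    agents_by_gateway = defaultdict(set)
    for agent, gateway, method in plan:
        if method == MGMT_TUNNEL:
            agents_by_gateway[gateway].add(agent)
    return {gw: sorted(agents)
            for gw, agents in agents_by_gateway.items() if len(agents) > 1}


# Constructed deployment plan used for the pre-deployment check.
SAMPLE_PLAN = [
    ("agent-a", "gw-1", MGMT_TUNNEL),
    ("agent-b", "gw-1", MGMT_TUNNEL),
    ("agent-c", "gw-2", MGMT_TUNNEL),
    ("agent-d", "gw-3", "SSL"),
    ("agent-e", "gw-3", "SSL"),
]

if __name__ == "__main__":
    print("shared gateway:   ", simulate(shared=True))
    print("dedicated gateway:", simulate(shared=False))
    print("plan conflicts:   ", shared_gateways(SAMPLE_PLAN))
```

With a shared gateway, one round of checks leaves neither agent with a management SA for its own units; with dedicated gateways nothing is deleted.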

Network Requirements

To complete the SonicWall GMS deployment process, the following network requirements must be met:

The SonicWall GMS server must have access to the Internet
The SonicWall GMS server must have a static IP address
The SonicWall GMS server’s network connection must be able to accommodate 1 KB/s for each device under management. For example, if SonicWall GMS is monitoring 100 SonicWall appliances, the connection must support at least 100 KB/s.
NOTE: Depending on the configuration of SonicWall log settings and the amount of traffic handled by each device, the network traffic can vary dramatically. The 1KB/s for each device is a general recommendation. Your installation requirements might be different.

GMS Internet Access through a Proxy Server

If the SonicWall GMS server cannot access the Internet directly and needs to go through a proxy server, the following proxy entries are required in the sgmsConfig.xml file of the SonicWall GMS server:

<Parameter name="proxySet" value="1"/>
<Parameter name="proxyHost" value="10.0.30.62"/>
<Parameter name="proxyPort" value="3128"/>
<Parameter name="proxyUser" value="0A57CF01AB39ACF8863C8089321B9287"/>
<Parameter name="proxyPassword" value="EE80851182B4B962FC3E0EDF1F00275A"/>

The proxyUser and proxyPassword parameters are required only if the Proxy Server requires authentication, in which case these are TEAV encrypted. This configuration supports both HTTP and SSL Proxy, as long as the settings are identical for both.

To exempt certain hosts from the proxy configuration and allow them to be connected to directly, add the following tag to sgmsConfig.xml:

<Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>

The exact values of all of these parameters should be changed to the appropriate values for your deployment. The asterisk symbol (*) is a wildcard that means any string. The pipe symbol (|) is a delimiter for the hosts in the list.

To edit the sgmsConfig.xml entries, complete the following steps:
1. Log in to the UMH system management interface:
http://<sgms_ipaddress>:<portnumber>/appliance
2. Navigate to the following URL:
http://<sgms_ipaddress>:<portnumber>/appliance/techSupport.html
3. Edit the sgmsConfig.xml file using the Configuration File editor.
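
The following Python sketch is an added example, not SonicWall code. It reads the proxy parameters shown above and tests hosts against nonProxyHosts using the wildcard and delimiter rules this section states, which shows that two of the sample patterns match more names than intended. The <Config> wrapper element, the reading of proxySet="1" as "proxy enabled", and all function names are assumptions; GMS's own matching may differ in detail.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. The <Parameter> entries are the ones shown in this
# section; the <Config> wrapper element is an assumption so the text parses.
SAMPLE_SGMS_CONFIG = """\
<Config>
  <Parameter name="proxySet" value="1"/>
  <Parameter name="proxyHost" value="10.0.30.62"/>
  <Parameter name="proxyPort" value="3128"/>
  <Parameter name="nonProxyHosts" value="*something.com|www.foo*|192.168.0.*"/>
</Config>
"""


def load_parameters(xml_text):
    """Return {name: value} for every <Parameter name=... value=...> element."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "")
            for p in root.iter("Parameter") if p.get("name")}


def split_patterns(non_proxy_hosts):
    """Split the nonProxyHosts value on the '|' delimiter."""
    return [p.strip() for p in non_proxy_hosts.split("|") if p.strip()]


def pattern_to_regex(pattern):
    """'*' means any string; every other character is matched literally."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE | re.DOTALL)


def matching_pattern(host, patterns):
    """Return the first pattern that exempts host from the proxy, or None."""
    for pattern in patterns:
        if pattern_to_regex(pattern).fullmatch(host):
            return pattern
    return None


def check_proxy_settings(params):
    """Consistency checks on the proxy parameters; returns a list of findings."""
    findings = []
    if params.get("proxySet") != "1":  # assumption: "1" means proxy enabled
        return findings
    if not params.get("proxyHost"):
        findings.append("proxySet is 1 but proxyHost is empty")
    port = params.get("proxyPort", "")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"proxyPort {port!r} is not a valid TCP port")
    if bool(params.get("proxyUser")) != bool(params.get("proxyPassword")):
        findings.append("proxyUser and proxyPassword must be set together")
    return findings


def audit_patterns(patterns):
    """Heuristic: flag wildcards that are not anchored on a '.' boundary."""
    findings = []
    for p in patterns:
        if set(p) == {"*"}:
            findings.append((p, "matches every host, so nothing uses the proxy"))
        elif p.startswith("*") and not p.startswith("*."):
            findings.append((p, "leading * also matches unrelated names that "
                                "merely end with this text"))
        elif p.endswith("*") and not p.endswith(".*"):
            findings.append((p, "trailing * also matches unrelated names that "
                                "merely start with this text"))
    return findings


if __name__ == "__main__":
    params = load_parameters(SAMPLE_SGMS_CONFIG)
    patterns = split_patterns(params.get("nonProxyHosts", ""))
    print("settings findings:", check_proxy_settings(params))
    # Constructed probe hosts.
    for host in ("192.168.0.25", "192.168.1.25",
                 "notsomething.com", "www.foo.unrelated.example"):
        print(f"{host:28} direct via {matching_pattern(host, patterns)}")
    for pattern, reason in audit_patterns(patterns):
        print(f"review {pattern!r}: {reason}")
```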

Logging into GMS

After registering your SonicWall GMS product, to log into the SonicWall GMS management interface, either double-click on the SonicWall GMS icon on your desktop, or from a remote system, access the following URL from a web browser:

http://<sgms_ipaddress>:<portnumber>

The SonicWall GMS login page appears by default in English. To change the language setting, click your language of choice at the bottom of the login page. The available language choices for SonicWall GMS include English, Japanese, Simplified Chinese, Traditional Chinese, Korean, and Portuguese.

1. Enter the SonicWall user ID (default: admin) and password (default: password). Select Local Domain as the domain (default).
2. Click Submit. The GMS management interface displays.
NOTE: For more information on installation, login procedures, and registration of your SonicWall GMS installation, refer to the appropriate Getting Started Guide, available at: https://support.sonicwall.com/sonicwall-gms/software/technical-documents

Navigating the GMS Management Interface

The following sections describe the four major tabs of the GMS management interface:

Dashboard tab

The Dashboard tab is a customizable dashboard where you can monitor the latest happenings with your SonicWall GMS deployment, your network, the IT and Security World, as well as the rest of the world.

Upon initial login, you see a default Dashboard tab. You are able to further customize this page by configuring and adding preferred components.

Appliance tabs

The appliance tabs enable administrators to add, delete, configure and view various SonicWall appliance types managed by SonicWall GMS.

NOTE: The SMA and Email Security (ES) tabs are not enabled or displayed by default. To enable these tabs, see Configuring Email Settings. This change requires a system restart.

These tabs include:

Firewall tab—Provides centralized management and reporting on compatible firewall appliances.
SMA tab—Provides centralized management and reporting on SonicWall SMA and Aventail appliances.
ES tab—Provides centralized management of SonicWall Email Security appliances.

Within the Firewall, SMA, and Email Security (ES) tabs are two sub-panels:

Policies panel

The Policies panel is used to configure SonicWall appliances. From the screens on this panel, you can apply settings to all SonicWall appliances being managed by the GMS, all SonicWall appliances within a group, or individual SonicWall appliances.

To open the Policies panel, click the appropriate Appliance at the top of the SonicWall GMS management interface and then click the Policies panel. The appropriate Appliance Policies panel appears:

Reports panel

The Reports panel is an essential component of network security that is used to view and schedule reports about critical network events and activity, such as security threats, inappropriate Web use, and bandwidth levels.

To open the Reports panel, click the Firewall, Email Security, or SMA tabs at the top of the SonicWall GMS UI and then click the Reports panel.

Monitor tab

The Monitor tab is the administrator’s central tool for monitoring the status of any managed TCP/IP and SNMP capable devices and applications. The SonicWall GMS Monitor tab provides power and flexibility to help you manage availability of network devices, creating custom threshold-based realtime monitor alerts and emailing or archiving network status reports based on your specifications.

To access the Monitoring features, click the Monitor tab at the top of the GMS management interface.

Console tab

The Console tab is used to configure the GMS settings, view pending tasks, manage licenses, and configure system wide granular event management settings.

To open the Console tab, click the Console tab at the top of the GMS management interface.

Understanding GMS Icons

This section describes the meaning of icons that appear next to managed appliances listed in the left pane of the SonicWall GMS management interface.

 

Status icon descriptions 

Status Icon

Description

One blue box indicates that the appliance is live and communicating with GMS. The appliance is accessible from the SonicWall GMS, and no tasks are pending or scheduled.

Two blue boxes indicate that appliances in a group are live and communicating with GMS. All appliances in the group are accessible from SonicWall GMS and no tasks are pending or scheduled.

Three blue boxes indicate that all appliances in the global node of this type (Firewall/SMA) are live and communicating with GMS. All appliances of this type are accessible from SonicWall GMS and no tasks are pending or scheduled.

One blue box with a lightning flash indicates that one or more tasks are pending or running on the appliance.

Two blue boxes with a lightning flash indicate that tasks are currently pending or running on two or more appliances within the group.

Three blue boxes with a lightning flash indicate that tasks are currently pending or running on three or more appliances within the group.

One blue box with a clock indicates that one or more tasks are scheduled on the appliance.

Two blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on two or more appliances within the group.

Three blue boxes with a clock indicate that tasks are currently scheduled to execute at a future time on three or more appliances within the group.

One yellow box indicates that the appliance has been added to SonicWall GMS management (provisioned), but not yet acquired.

Two yellow boxes indicate that two or more appliances in the group have been added to SonicWall GMS management, but not acquired.

Three yellow boxes indicate that one or more of the appliances of this type (Firewall/SMA) have been added to SonicWall GMS management, but not acquired.

One yellow box with a lightning flash indicates that one or more tasks are pending on the provisioned appliance.

Two yellow boxes with a lightning flash indicate that tasks are pending on two or more provisioned appliances within the group.

Three yellow boxes with a lightning flash indicate that tasks are pending on three or more provisioned appliances within the group.

A green circle with the number 1 in the middle indicates that the unit is in an HA pair and is currently the Primary unit.

A yellow circle with the number 2 in the middle indicates that the unit is in an HA pair and is currently on backup.

One red box indicates that the appliance is no longer sending heartbeats to SonicWall GMS.

Two red boxes indicate that two or more appliances in the group are no longer sending heartbeats to SonicWall GMS.

Three red boxes indicate that three or more of the global group of appliances of this type (Firewall/SMA) are no longer sending heartbeats to SonicWall GMS.

One red box with a lightning flash indicates that the appliance is no longer sending heartbeats to SonicWall GMS and has one or more tasks pending.

Two red boxes with a lightning flash indicate that two or more appliances in the group are no longer sending heartbeats to SonicWall GMS and have one or more tasks pending.

Three red boxes with a lightning flash indicate that the appliances are no longer sending heartbeats to SonicWall GMS and have three or more tasks pending.

A box with a dot in the top-left corner indicates that the appliance is being managed by GMS using a static IP address.

This icon indicates a fail over to a secondary Ethernet port.

This icon indicates that a modem is connected using dialup.

This icon indicates that the wireless is connected using WWAN.

This icon indicates the unit’s Task Pending status is “Immediate.”

This icon indicates the unit’s Task Pending status is “Scheduled.”

Using the GMS TreeControl Menu

This section describes the content of the TreeControl menu within the GMS management interface. The TreeControl menu view and update permissions can be configured for multiple SonicWall GMS user types. For more information on configuring SonicWall GMS user screen, unit, or action permissions, refer to Configuring Action Permissions.

You can control the display of the TreeControl pane by selecting one of the appliance tabs at the top. For example, when you click the Firewall tab, the TreeControl pane displays all the managed firewall units. You can display any of the following appliance types when SonicWall GMS is managing all of these device types:

Firewall
SMA
Email Security (ES)

You can hide the entire TreeControl pane by clicking the sideways arrow icon, and re-display the pane by clicking it again. This is helpful when viewing some reports or other extra-wide screens, especially on the Monitor or Console tabs.

To open a TreeControl menu, right-click the View All icon, a Group icon, or a Unit icon.

The following options are available in the right-click menu (if you have the permissions set as described in Using the GMS TreeControl Menu to perform them). See Configuring Action Permissions for more information:

Expand—Makes subbranches to the root visible.
Collapse—Compresses the view of the hierarchy so that only the root of the branch is visible.
Expand All—Makes the entire branch visible.
Collapse All—Compresses the entire view of all expanded hierarchies so that only the roots of the branches are visible.
Find—Opens a Find dialog box that allows you to search for groups or units.
Find Next—Finds the next search match.
Find Previous—Finds previous search matches.
Refresh—Refreshes the SonicWall GMS UI display.
Add Unit—Add a new unit to the SonicWall GMS management view. Requires unit IP and login information.
Rename Unit—(unit node only) Renames the selected SonicWall appliance.
Delete—Delete the selected unit or all units in the selected Group or Global Node, with option to delete interconnected SAs or to delete from NetMonitor.
Import XML—Import an edited XML file to replace the current TreeControl navigation view.
Modify Unit—(unit node only) Change basic settings for the selected unit, including unit name, IP and Login information, serial number, management port and encryption/authentication keys.
Login to Unit—(unit node only) Login to the selected unit using SSL protocols.
Modify Properties—Displays the properties for the selected SonicWall appliance, or all managed appliances in the selected group or global node.
Manage Views—Opens a dialog box where you can create, delete, or modify a view.
Change View—Select pre-set or user created views. Views are created in the Manage View window (see above).
Reassign Agents—Opens a dialog box where you can change the IP address of the primary and standby schedulers and the type of management mode used between GMS and the managed SonicWall appliances.

Configuring GMS View Options

The GMS management interface is a robust and powerful tool you can use to apply settings to all SonicWall appliances being managed by GMS, all appliances or devices within a group, or individual appliances or devices simply by selecting the Global, Group, or Unit node within the GMS management interface. The GMS management interface supports up to seven levels of hierarchical depth per view.

NOTE: Views are only available in the Policies and Reports panels. Changing views does not affect the Console or Monitor tabs.

This section describes each view and what to consider when making changes:

Group Node

From the Group node of the Policies panel, changes you make are applied to all SonicWall appliances within the group. The Global node is the top view that contains all appliances.

To open the Group node, click a group icon in the left pane of the GMS management interface. The Group Status page appears. The Group Node Status page contains a list of statistics for all SonicWall appliances within the group.

As you move through the GMS management interface with the Group node selected and make changes, those changes are broken down into configuration tasks and applied to each subgroup and each SonicWall appliance within the group.

As GMS processes the tasks, some SonicWall appliances might be down or offline. When this occurs, GMS spools the tasks and reattempts the update later.

Depending on the page that you are configuring, the SonicWall appliance(s) might automatically restart. We recommend scheduling the tasks to run when network activity is low. To determine if a change requires restarting, refer to the configuration instructions for that task.

Making group changes through the GMS management interface enables you to save time by instituting changes that affect all SonicWall appliances within the group through a single operation. Although this is very convenient, some changes can have unintended consequences. Be careful when making changes on a group or global level.

Unit Node

From the Unit node of the Policies panel, changes you make are only applied to the selected SonicWall appliance. To open the Unit node, click a SonicWall appliance in the left pane of the GMS management interface. The Status page for the SonicWall appliance appears.

From the Unit node on the Reports panel, you can generate real-time and historical reports for the selected SonicWall appliance.

As you navigate the GMS management interface, you can generate graphical reports and view detailed log data for the selected SonicWall appliance. For more information, refer to Reports panel.

As you navigate the GMS management interface with a single SonicWall appliance selected and make changes, those changes are broken down into configuration tasks and sent to the selected SonicWall appliance.

As GMS processes the tasks, the SonicWall appliance might be down or offline. When this occurs, GMS spools the task and reattempts the update later.

NOTE: Depending on the page that you are configuring, the SonicWall appliance might automatically restart. We recommend scheduling the tasks to run when network activity is low. To determine if a change requires restarting, refer to the configuration instructions for that task.

Unit Node Status Page

The Unit Node Status page contains a list of statistics for the selected SonicWall appliance:

Firewall Model—specifies the model of the SonicWall appliance. If the unit is not registered, “Not Registered” appears instead of a model number.
Serial Number—specifies the serial number of the SonicWall appliance.
Number of LAN IPs allowed—specifies the number of IP addresses that are allowed on the LAN.
CPU—specifies the CPU used in the SonicWall appliance.
VPN Upgrade—specifies whether the SonicWall is licensed for a VPN upgrade.
VPN Clients—specifies whether the SonicWall is licensed for VPN Clients.
Firmware Version—specifies the version of the firmware installed on the SonicWall appliance.
Content Filter Subscription List/Service—specifies whether the SonicWall appliance is licensed for a Content Filter List subscription.
Anti-Virus Subscription—specifies whether the SonicWall appliance has an anti-virus subscription.
Extended Warranty—specifies whether the SonicWall appliance has an extended warranty.
SonicWall Status—specifies the operational status of the SonicWall appliance.
Tasks Pending—specifies whether the SonicWall appliance has any pending tasks.
Agent Assigned—specifies the IP address of the GMS agent server that is the primary agent managing the SonicWall appliance.
Standby Agent—specifies the IP address of the peer GMS that acts as the backup agent for this SonicWall appliance. If the primary agent fails, this GMS server begins managing the appliance.
Managed using Management Tunnel—specifies if the SonicWall appliance is being managed by SonicWall GMS using the management VPN tunnel.
Fetch Uptime—the Uptime parameter indicates how long the SonicWall has been running since the last time it was powered up or restarted. To display the current uptime setting at the unit level for the selected SonicWall, click Fetch Uptime.

Creating SonicWall GMS Fields and Dynamic Views

The GMS uses an innovative method for organizing SonicWall appliances. SonicWall appliances are not forced into specific, limited, rigid hierarchies. You can simply create a set of fields that define criteria (such as country, city, state) that separate SonicWall appliances. Then, create and use dynamic views to display and sort appliances on the fly. For information about organizing SonicWall appliances, see the following sections:

About Default SonicWall Fields

The GMS includes standard fields that can be used to sort SonicWall appliances based on their model, their firmware version, and other criteria. Default GMS fields include the following:

AV Status—places the SonicWall appliances into different groups based on their status.
CFS Status—places the SonicWall appliances into two groups: appliances that have content filtering service (CFS) subscriptions and appliances that do not.
Dialup Mode—groups appliances based on whether an appliance has switched to dialup mode for Internet access.
Firmware—creates a group for each Firmware version and places each SonicWall appliance into its corresponding group.
Management—groups appliances based on whether they are managed by SSL Management mode, SonicWall GMS Management Tunnel mode, or Existing/LAN mode.
Model—creates a group for each SonicWall model and places each SonicWall appliance into its corresponding group.
Nodes—creates a group for each node range and places each SonicWall appliance into its corresponding group.
Registered—places the SonicWall appliances into two groups: appliances that are registered and appliances that are not.
Scheduler—creates a group for each scheduler agent and places each SonicWall appliance into its corresponding group.
UnitStatus—groups appliances based on their Up/Down/Provisioned status.
Warranty Status—places the SonicWall appliances into two groups: appliances that have current warranties and appliances that do not.

Creating Custom Fields

When first configuring GMS, you can create custom fields that you can use to organize managed appliances. GMS supports up to ten custom fields.

NOTE: Although GMS supports up to ten custom fields, only seven fields can be used to sort SonicWall appliances in a single view.

The following are examples of custom fields that you can use:

Geographic—useful for organizing SonicWall appliances by location. Especially useful when used in combination with other grouping methods. Geographic fields might include:
   Country
   Time Zone
   Region
   City
Customer-based—useful for organizations that are providing managed security services for multiple customers. Customer-based fields might include:
   Company
   Division
   Department
Configuration-based—useful when SonicWall appliances have very different configurations (such as Filtering, No Filtering, Pornography Filtering, Violence Filtering, or VPN).
User-type—different service offerings can be made available to different user types. For example, engineering, sales, and customer service users can have very different configuration requirements. Or, if offered as a service to end users, you can allow or disallow network address translation (NAT) depending on the number of IP addresses that you want to make available.

GMS is pre-configured with four custom fields: Country, Company, Department, and State. These fields can be modified or deleted.

To add new fields, complete the following steps:
1. Click the Console tab, expand the Management tab, and click Custom Groups.
2. Right-click Custom Groupings in the right pane.
3. Select Add Category from the pop-up menu.
4. Enter the name of the group in the Category Name field.
   NOTE: Category names can only contain alphanumeric characters. Special characters and spaces are not accepted.
5. Enter the default value for the group in the Default Value field.
6. Click Ok. You can create up to ten fields.
   NOTE: Although the fields appear to be in a hierarchical form, this has no effect on how the fields appear within a view.

To modify or delete fields, right-click any of the existing fields and select Properties or Delete Category, respectively, from the pop-up menu.

Understanding Dynamic Views

After creating custom fields and reviewing the GMS fields, administrators can set up views to dynamically filter the SonicWall security appliances that are displayed in the SonicWall GMS user interface based on fields.

NOTE: Each view can filter for a maximum of seven fields.

Some views can include the following:

Standard Geographic Views—When the number of SonicWall appliances managed by the GMS becomes large, you can divide the appliances geographically among SonicWall administrators.
   For example, if one administrator is responsible for each time zone in the United States, you can choose the following grouping methods:
   Administrator 1: Country: USA, Time Zone: Pacific, State, City.
   Administrator 2: Country: USA, Time Zone: Mountain, State, City.
   Administrator 3: Country: USA, Time Zone: Central, State, City.
   Administrator 4: Country: USA, Time Zone: Eastern, State, City.

Firmware Views—To ensure that all SonicWall appliances are using the current firmware, you can create a view to check and update firmware versions and batch process firmware upgrades when network activity is low.
   For example, if you want to update all SonicWall appliances to the latest firmware at 2:00 A.M., you can use the following grouping method:
   Firmware Version, Time Zone
   If you want to update SonicWall appliances only for companies that have agreed to the upgrade and you want the upgrades to take place at 2:00 A.M., you can use the following grouping method:
   Company, Firmware Version, Time Zone

Registration Views—To ensure that all SonicWall appliances are registered, you can create a registration view and check it periodically. To create a registration view, you can use the following grouping method:
   Registration Status, any other grouping fields

Upgrade Views—You can create views that contain information on which upgrades customers do not have and forward this information to the Sales Department.
   For example, you can choose the following grouping methods:
   Content Filter List, Company, Division, Department
   Anti-Virus, Company, Division, Department
   Warranty Status, Company, Division, Department

Configuring Dynamic Views

To create a view, follow these steps:
1. Right-click anywhere in the left pane of the GMS window and select Manage Views from the pop-up menu. The Manage Views page appears.
2. Type a descriptive name for the new view in the View Name field.
3. To make this view available to non-administrators, select Visible to Non-Administrators.
4. To add a view category, click Add Level. View categories are used to filter SonicWall appliances in your view. The Group Categories column contains categories that are a combination of custom fields and SonicWall GMS fields.
5. To change the Group Category field, select the desired field from the pull-down list. For a list of SonicWall GMS fields and their meanings, refer to About Default SonicWall Fields.
6. Choose an Operator to apply to the value for this view:
   equals (default value)
   starts with
   ends with
   contains
   does not equal
   does not contain
7. Type a value for the category in the Value column.
8. You can add up to seven categories or levels.
9. To delete a view category, select the level and click Delete Level(s).
10. When you are finished configuring this view, click Modify View.
11. When you are finished, click Close.
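
The filtering and grouping that a view's levels perform can be modeled offline, for example to plan a firmware or registration view against an exported inventory before building it in Manage Views. The following Python is an added example, not SonicWall code: the inventory, the TimeZone custom field, the firmware strings, case-sensitive matching, and the rule that a level with an empty value only groups are assumptions.

```python
"""Model of a GMS dynamic view: ordered levels that filter and group units.

Added example. It does not call GMS; the inventory below is constructed and
the matching rules are assumptions chosen to mirror the guide's description.
"""

MAX_LEVELS = 7  # the guide: each view can filter for a maximum of seven fields

# The six operators offered in the Manage Views page.
OPERATORS = {
    "equals": lambda field, value: field == value,
    "starts with": lambda field, value: field.startswith(value),
    "ends with": lambda field, value: field.endswith(value),
    "contains": lambda field, value: value in field,
    "does not equal": lambda field, value: field != value,
    "does not contain": lambda field, value: value not in field,
}


def build_view(levels, appliances):
    """Return the view as a nested dict whose leaves are lists of unit names.

    levels is an ordered list of (category, operator, value). An empty value
    means "group by this category without filtering" (assumption).
    """
    if not 1 <= len(levels) <= MAX_LEVELS:
        raise ValueError(f"a view takes 1 to {MAX_LEVELS} levels, got {len(levels)}")
    for category, operator, _ in levels:
        if operator not in OPERATORS:
            raise ValueError(f"unknown operator {operator!r} for {category!r}")

    tree = {}
    for unit in appliances:
        path = []
        for category, operator, value in levels:
            field = unit["fields"].get(category, "")
            if value and not OPERATORS[operator](field, value):
                break  # the unit fails this level's filter and is hidden
            path.append(field or "(unset)")
        else:
            node = tree
            for key in path[:-1]:
                node = node.setdefault(key, {})
            node.setdefault(path[-1], []).append(unit["name"])
    return tree


TARGET_FIRMWARE = "6.2.7.1"  # constructed version string

# Constructed inventory. TimeZone has no space because custom category names
# accept only alphanumeric characters.
INVENTORY = [
    {"name": "sea-fw01", "fields": {"Firmware": "6.2.5.0", "TimeZone": "Pacific", "Registered": "Yes"}},
    {"name": "pdx-fw01", "fields": {"Firmware": "6.2.7.1", "TimeZone": "Pacific", "Registered": "Yes"}},
    {"name": "nyc-fw01", "fields": {"Firmware": "6.2.7.1", "TimeZone": "Eastern", "Registered": "No"}},
    {"name": "nyc-fw02", "fields": {"Firmware": "6.2.5.0", "TimeZone": "Eastern", "Registered": "Yes"}},
    {"name": "den-fw01", "fields": {"Firmware": "5.9.1.7", "TimeZone": "Mountain", "Registered": "Yes"}},
]


def firmware_upgrade_view(appliances):
    """Units not yet on TARGET_FIRMWARE, grouped by firmware, then time zone."""
    return build_view(
        [("Firmware", "does not equal", TARGET_FIRMWARE), ("TimeZone", "equals", "")],
        appliances,
    )


def unregistered_view(appliances):
    """Units that still need registration, grouped by time zone."""
    return build_view(
        [("Registered", "equals", "No"), ("TimeZone", "equals", "")],
        appliances,
    )


if __name__ == "__main__":
    print(firmware_upgrade_view(INVENTORY))
    print(unregistered_view(INVENTORY))
```
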

Changing Views

To change views from within the GMS management interface, follow these steps:

1. Right-click anywhere in the left pane of the GMS window and select Change View from the pop-up menu. The Change View dialog box appears.
2. Select a view and click OK. The SonicWall GMS management interface displays only the SonicWall appliances that meet the requirements of the filters defined in the view.

Getting Help

In addition to this manual, GMS provides on-line help resources.

To get help, complete the following steps:
1. Navigate to the page where you need help.
2. Click the Question Mark (?) in the upper right-hand corner of the window. Help for the selected page appears.

Adding SonicWall Appliances and Completing Basic Management Tasks

This describes how to add SonicWall appliances to SonicWall™ Global Management System (GMS), register appliances, and modify management properties. It also provides an introduction to basic appliance management tasks that can be executed through SonicWall GMS. This contains the following:

Preparing SonicWall Appliances for GMS Management

Local configuration steps are required on the individual appliance before adding it to GMS. Refer to the desired section for the provisioning procedures:

Preparing a SonicWall Firewall

To prepare a SonicWall firewall appliance for GMS management, complete the following steps:
1. Log in to the firewall appliance. Navigate to the Log > Settings page.
2. In Syslog Servers, click Add.
3. Select a Name or IP Address object to start sending syslogs. The GMS service should be activated. Set the log in UTC format and log category.
4. Navigate to the System > Time page, and enable Display UTC in logs (instead of local time).

Preparing an SMA Appliance

This section describes the local configuration steps required on the individual SMA appliance before adding it to GMS management. See the following subsections:

Preparing SMA Appliances

To prepare a SonicWall SMA appliance (non-Aventail) for GMS management:

1. Log in to your SonicWall SMA. Navigate to System > Management.
2. In Management Method, select GMS under Enable Management Using.
3. Type the GMS host name or IP Address of the GMS server in the GMS HostName or IPAddress field.
4. Type the GMS Syslog server port in the Syslog Server Port field. The default port is 514.
5. Click Apply.

Preparing E-Class SMA Appliances

There are specific requirements for preparing the SonicWall Aventail EX-Series SMA appliance for GMS management:

SonicWall Aventail EX-Series SMA appliances must be licensed before you can enable GMS management in the Aventail Management Console.
When enabling GMS on a SonicWall Aventail appliance, select Enable single sign-on for AMC configuration if you want direct access to the Aventail Management Console from the SonicWall GMS right-click menu. If this check box is cleared, you can still open the AMC from the right-click menu, but you must enter your appliance login credentials.
The SonicWall Aventail EX-Series SMA appliance allows HTTPS access only to its LAN port(s), and not to its WAN port(s). This means that when SonicWall GMS is deployed outside of the Aventail LAN subnet(s), management traffic must be routed from GMS to a gateway that allows access into the LAN network, and from there be routed to the Aventail LAN port.

To prepare a SonicWall Aventail EX-Series SMA appliance for GMS management:
1. Log in to your SonicWall Aventail EX-Series SMA.
2. Click General Settings in the main Aventail Management Console (AMC) navigation menu.
3. Click Edit in the Centralized management area.
4. Select Enable GMS management, and then enter the host name or IP address of the GMS console, and its port number.
5. In the Heartbeat interval text box, set the interval (in seconds) at which the appliance indicates its readiness to send a report on authentication-related events, in addition to status information. An interval of 60 seconds is typical.
6. Select Enable single sign-on for AMC configuration if you want to be able to open the Aventail Management Console and make changes to its configuration from within GMS. If this setting is cleared, you can still open AMC, but you must first enter your AMC login credentials; this is less convenient, but more secure.
7. Select Send only heartbeat status messages if you want to only manage the appliance and not create reports for the appliance.

For more information about preparing SonicWall Aventail appliances for SonicWall GMS management, see the SonicWall GMS Aventail EX-Series Appliance Management feature module and the SonicWall / Aventail EX-Series Installation and Administration Guide on the SonicWall Support Web site:
https://support.sonicwall.com/sonicwall-gms/software/technical-documents

Adding SonicWall Appliances to GMS

GMS can communicate with SonicWall appliances through VPN tunnels, SSL, or directly over VPN tunnels that already exist between the SonicWall appliances and the GMS gateway. GMS should connect to the Aventail SMA appliance on the LAN port of the Aventail appliance. When GMS is deployed outside of the Aventail LAN subnet, management traffic must be routed from GMS to a gateway that allows access into the LAN network, and from there be routed to the Aventail LAN port.

NOTE: A SonicWall appliance might already be registered to a different MySonicWall account. In this case, the “Register to MySonicWall.com” task cannot be executed and remains in the scheduled tasks queue. To take full advantage of GMS managed appliances, it is important that either the managed appliance is not registered when it is added into GMS, or it is registered to the same MySonicWall.com account as the GMS system that is managing the appliance. Active/Active clusters of SonicWall appliances can be added to GMS simply by adding the Master cluster node. Each individual cluster node sends syslogs directly to the Master cluster node’s serial number, so GMS ends up aggregating the reports.

The following sections describe two methods for adding SonicWall appliances to GMS:

Adding SonicWall Appliances Manually

To manually add a SonicWall appliance using the GMS management interface, follow these steps:
1. Click the appliance tab that corresponds to the type of appliance that you want to add: Firewall, SMA, or Email Security (ES).
2. Expand the GMS tree and select the group to which you will add the SonicWall appliance. Then, right-click the group and select Add Unit from the pop-up menu. To not specify a group, right-click an open area in the left pane (TreeControl pane) of the GMS management interface and select Add Unit or click the Add Unit icon in the tool bar.
   The Add Unit dialog box appears.
3. Enter a descriptive name for the SonicWall appliance in the Unit Name field.
   Do not enter the single quote character (‘) in the Unit Name field.
4. If applicable, choose a Domain to add this appliance to from the Domain pull-down list.
   NOTE: Domain selection is only available to the administrator of the LocalDomain. Individual domain administrators are only able to add an appliance to their respective domains.
5. Enter the serial number of the SonicWall appliance in the Serial Number field.
6. For the Managed Address, choose whether to Determine automatically, or Specify manually. Most deployments are able to determine the IP address automatically. If you choose to specify the IP address manually, an option to Make manual address sticky is available. This retains the Manual Mode and the specified IP address is not overwritten.
7. Enter the Administrator login name for the SonicWall appliance in the Login Name field. The Administrator of the appliance can also enter a Local User or a Remote User name (as configured on the Firewall) for GMS Management. If using Local User or Remote User names, they must be included in the user list created on the Firewall.
8. Enter the password used to access the SonicWall appliance in the Password field.
9. For Management Mode, select from the following:
   If the SonicWall appliance is managed through an existing VPN tunnel or over a private network, select Using Existing Tunnel or LAN.
   If the SonicWall appliance is managed through a dedicated management VPN tunnel, select Using Management Tunnel.
   If the SonicWall appliance is managed using SSL, select Using SSL (default).
10. Enter the IP address of the managed appliance in the Management Port field.
11. For VPN tunnel management, enter a 16-character encryption key in the SA Encryption Key field. The key must be exactly 16 characters long and composed of hexadecimal characters. Valid hexadecimal characters are “0” to “9”, and “a” to “f” (such as 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f). For example, a valid key would be “1234567890abcdef.”
   NOTE: This key must match the encryption key of the SonicWall appliance. You can set the key on the appliance by logging directly into it.
12. For VPN tunnel management, enter a 32-character authentication key in the SA Authentication Key field. The key must be exactly 32 characters long and composed of hexadecimal characters. For example, a valid key would be “1234567890abcdef1234567890abcdef.”
   NOTE: This key must match the authentication key of the SonicWall appliance.
13. Select the IP address of the GMS agent server that manages the SonicWall appliance from the Agent IP Address list box:
   If GMS is configured in a multi-tier distributed environment, you must select the GMS Agent whose IP address matches the IP address that you specified when configuring the SonicWall appliance for GMS management.
   If GMS is in a single-server environment, the IP address of the GMS agent server already appears in the field.
14. If GMS is configured in a multi-tier distributed environment, enter the IP address of the backup GMS server in the Standby Agent IP field. The backup server automatically manages the SonicWall appliance in the event of a primary server failure. Any Agent can be configured as the backup.
   NOTE: If GMS is deployed in a single server environment, leave this field blank.
15. To add the appliance to Net Monitor, select Add this unit to Net Monitor.
16. Click Properties. The Unit Properties dialog box appears.
17. This dialog box displays the category fields to which the SonicWall appliance belongs. To change any of the values, select a new value from the pull-down list. When you are finished, click OK. You are returned to the Add Unit dialog box.
18. Click OK. The User Privileges dialog box displays.
19. Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.
20. Click OK. The new SonicWall appliance appears in the GMS management interface. It will have a yellow icon that indicates it has not yet been successfully acquired.
   GMS then attempts to establish a management VPN tunnel, set up an SSL connection, or use the existing site-to-site VPN tunnel to access the appliance. GMS then reads the appliance configuration and acquires the SonicWall appliance for management. This might take a few minutes.
   NOTE: After the SonicWall appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database. A text version of this configuration file is also saved in the file: <gms_directory>/etc/Prefs. In a multi-tier distributed environment, both the primary and secondary GMS Agents must be configured to use the same management method.
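
The constraints in this procedure (no single quote in the unit name, and a 16-character and a 32-character hexadecimal SA key for management-tunnel mode) can be checked before anything is typed into the Add Unit dialog. The following Python is an added example, not SonicWall code: the record keys, the placeholder serial numbers, and the low-variety heuristic are assumptions, and new keys are drawn from the operating system's CSPRNG so that the sample keys printed in the steps are never reused.

```python
"""Pre-flight check for Add Unit values before they are entered in GMS.

Added example, not SonicWall code. The record keys (unit_name, serial,
mode, sa_enc_key, sa_auth_key) are hypothetical column names for an
onboarding sheet; nothing here talks to GMS or to an appliance.
"""
import re
import secrets
from collections import Counter

MODES = {"Using Existing Tunnel or LAN", "Using Management Tunnel", "Using SSL"}
# The guide lists "0" to "9" and "a" to "f" as the valid key characters.
ENC_KEY_RE = re.compile(r"[0-9a-f]{16}")
AUTH_KEY_RE = re.compile(r"[0-9a-f]{32}")
# Sample keys printed in the guide: public values, never to be deployed.
DOC_KEYS = {"1234567890abcdef", "1234567890abcdef1234567890abcdef"}
MIN_DISTINCT = 5  # assumption: fewer distinct characters suggests a typed pattern


def generate_sa_keys():
    """Return (encryption_key, authentication_key) drawn from the OS CSPRNG."""
    return secrets.token_hex(8), secrets.token_hex(16)


def _check_key(label, key, pattern, length):
    """Return at most one problem for a single SA key."""
    if not pattern.fullmatch(key):
        return [f"{label} must be exactly {length} hex characters (0-9, a-f)"]
    if key in DOC_KEYS:
        return [f"{label} is the sample value printed in the guide"]
    if len(set(key)) < MIN_DISTINCT:
        return [f"{label} has very low variety; generate a random key"]
    return []


def check_unit(rec):
    """Return the list of problems in one Add Unit record (empty means OK)."""
    problems = []
    name = rec.get("unit_name", "")
    if not name.strip():
        problems.append("unit_name is empty")
    if "'" in name:
        problems.append("unit_name contains a single quote")
    if not rec.get("serial", "").strip():
        problems.append("serial is empty")
    mode = rec.get("mode", "Using SSL")  # SSL is the dialog's default
    if mode not in MODES:
        problems.append(f"unknown management mode {mode!r}")
    elif mode == "Using Management Tunnel":
        problems += _check_key("sa_enc_key", rec.get("sa_enc_key", ""), ENC_KEY_RE, 16)
        problems += _check_key("sa_auth_key", rec.get("sa_auth_key", ""), AUTH_KEY_RE, 32)
    return problems


def check_sheet(records):
    """Check every record, then flag serials or SA keys shared between units."""
    labels = [f"row {i}: {rec.get('unit_name', '')}" for i, rec in enumerate(records, 1)]
    report = {label: check_unit(rec) for label, rec in zip(labels, records)}
    for field in ("serial", "sa_enc_key", "sa_auth_key"):
        counts = Counter(rec[field] for rec in records if rec.get(field))
        for label, rec in zip(labels, records):
            if counts[rec.get(field)] > 1:
                report[label].append(f"{field} is shared with another unit")
    return report


# Constructed sample rows; the serial numbers are placeholders, not devices.
SAMPLE_SHEET = [
    {"unit_name": "branch-denver", "serial": "SERIAL-PLACEHOLDER-1",
     "mode": "Using Management Tunnel",
     "sa_enc_key": "1234567890abcdef",
     "sa_auth_key": "1234567890abcdef1234567890abcdef"},
    {"unit_name": "Bob's lab", "serial": "SERIAL-PLACEHOLDER-2", "mode": "Using SSL"},
    {"unit_name": "branch-austin", "serial": "SERIAL-PLACEHOLDER-1",
     "mode": "Using Management Tunnel",
     "sa_enc_key": "0000000000000001", "sa_auth_key": "ABCDEF"},
]

if __name__ == "__main__":
    for label, problems in check_sheet(SAMPLE_SHEET).items():
        print(label, problems or "OK")
    print("fresh keys:", generate_sa_keys())
```
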

Importing SonicWall Appliances

To reduce the amount of information that you have to manually enter when adding SonicWall appliances, GMS enables you to import the saved prefs file of a SonicWall appliance.

To add a SonicWall appliance to the GMS management interface using the import option, follow these steps:
1. Right-click in the left pane of the GMS interface and select Add Unit from the pop-up menu. The Add Unit dialog box appears.
2. Enter a descriptive name for the SonicWall appliance in the Unit Name field. Do not enter the single quote character (') in the SonicWall Name field.
3. Enter the password to access the SonicWall appliance in the Password field.
4. Click Properties. The Unit Properties dialog box appears.
5. This dialog box displays fields to which the SonicWall appliance belongs. To change any of the values, enter a new value. When you are finished, click OK.
6. After you are returned to the Add Unit dialog box, click OK again.
7. Select the user group or individual users to which read-write privileges should be assigned. Keep in mind that admins always maintain read-write privileges, regardless of your selection here.
8. The new SonicWall appliance populates in the left pane. It will have a yellow icon that indicates it has not yet been successfully acquired.

GMS then attempts to establish a management VPN tunnel to the appliance, read its configuration, and acquire it for management. This takes a few minutes.

After the SonicWall appliance is successfully acquired, its icon turns blue, its configuration settings are displayed at the unit level, and its settings are saved to the database. A text version of this configuration file is also saved in:
<gms_directory>/etc/Prefs.

Managing Multiple Appliances

GMS can handle multiple appliances depending on how much SYSLOG traffic your firewalls are generating. That data determines how busy each firewall would become. Other considerations would be the number of SYSLOG categories enabled and how much reporting you might want to generate.

If the firewalls sent only heartbeats, with no additional SYSLOG reporting required, you could probably operate a single all-in-one instance of GMS and still manage up to 200 appliances. However, that scenario is not usually the case. So, a good starting place should offer some redundancy and scalability without immediately needing to add more components. That starting point might be:

1 database
3 agents
1 dedicated console

Run all of these components as Windows servers, not virtual machines. You should be sure the agents are running on servers with very fast disk IO. However, a fast disk IO is not necessary for the dedicated console and database. For the RAM and CPU, it is best to have 16GB and quad Xeon available. It’s the agents that need the power and focus.

GMS can be expanded with no other cost than the hardware to run it on. So when you see that agents seem loaded up, reports are taking a long time to mail out, and so on, additional components can be added.

Registering SonicWall Appliances

After successfully adding one or more SonicWall appliances to GMS, the next step is to register them. Registration is required for firmware upgrades, technical support, and more.

NOTE: Registering SonicWall Aventail SMA appliances from GMS is not supported.

To register one or more SonicWall appliances, follow these steps:
1. Select the global icon, a group, or a SonicWall appliance.
2. Expand the Register/Upgrades tree and click Register SonicWalls. The Register SonicWalls page appears.
3. Click Register. The Modify Task Description and Schedule page displays. GMS creates a task for each SonicWall appliance registration. The Modify Task Description and Schedule page allows you to customize the task description and set the task execution time. During the task execution, GMS registers each selected SonicWall appliance using the information that you used to register with the SonicWall registration site. After registration is complete, the task is removed from the Scheduled Tasks page and the status of the task execution is logged. To view these logs, click the Console tab. Then, expand the Log tree and click View Log.
4. If the appliance is already registered, the “Register SonicWalls” page states This appliance is registered.

Modifying Management Properties

The following sections describe how to modify management properties:

Modifying SonicWall Appliance Management Options

If you make a mistake or need to change the settings of an added SonicWall appliance, you can manually modify its settings or how it is managed.

NOTE: If a unit has not been acquired (yellow icon), you can change its management mode using this procedure. After it has been acquired (red or blue icon), you cannot change its management mode using this procedure and must reassign it. For more information, refer to Changing Agents or Management Methods.

To modify a SonicWall appliance, complete the following steps:
1. Right-click in the left pane of the GMS management interface and select Modify Unit from the pop-up menu. The Modify Unit dialog box appears.
2. The Modify Unit dialog box contains the same options as the Add Unit dialog box. For descriptions of the fields, refer to Adding SonicWall Appliances to GMS.
3. When you have finished modifying options, click OK. The SonicWall appliance settings are modified.

Changing Agents or Management Methods

To provide increased flexibility when managing SonicWall appliances, GMS enables you to change the Agents that manage SonicWall appliances, as well as their management methods.

To change how a SonicWall appliance is managed, follow these steps:
1. Right-click on the group or appliance that you want to re-assign and select Re-assign Agents from the pop-up menu.
2. If the appliances to be re-assigned are managed using existing tunnels or the LAN, a warning message is displayed. Click OK.
   CAUTION: Make sure that the appliances are able to successfully connect to the reassigned GMS to avoid losing connection to the appliances.
3. The Re-assign Agents dialog box appears.
4. Select the IP address of the GMS agent server that manages the SonicWall appliance from the Scheduler IP Address list box.
5. If GMS is configured in a multi-tier distributed environment, enter the IP address of the backup GMS server in the Standby Scheduler IP field. The backup server automatically manages the SonicWall appliance in the event of a primary failure. Any Agent can be configured as a backup.
   NOTE: If GMS is in a single server environment, leave this field blank.
6. Select from the following management modes:
   If the SonicWall appliance is managed through an existing VPN tunnel or over a private network, select Using Existing Tunnel or LAN.
   If the SonicWall appliance is managed through a dedicated management VPN tunnel, select Using Management VPN Tunnel.
   If the SonicWall appliance is managed using SSL, select Using SSL (default).
   NOTE: SSL management requires additional configuration on the appliance itself.
7. Enter the port used to administer the SonicWall appliance in the Management Port field (HTTPS: 443).
8. When you are finished, click OK. A task is created for each selected SonicWall appliance.

Moving SonicWall Appliances Between Groups

To move SonicWall appliances between groups, simply change the properties of their custom fields.

To change these properties, follow these steps:
1. Right-click on a SonicWall appliance or group in the left pane of the GMS Management interface and select Modify Properties from the pop-up menu. The Properties dialog box appears.
2. Make any changes to the categories to which the SonicWall appliance or group of appliances belongs. For information on creating categories, refer to Creating SonicWall GMS Fields and Dynamic Views.
   NOTE: If you are completing this procedure at the group or global level, all parameters are changed for all selected SonicWall appliances. For example, if you were attempting to only change the Country attribute, all other parameters would be changed as well.
3. Click OK. The SonicWall appliance(s) are moved to the new group.

Deleting SonicWall Appliances from GMS

To delete a SonicWall appliance or a group of appliances from SonicWall GMS, complete the following steps:
1. Right-click on a SonicWall appliance or group in the left pane and select Delete from the pop-up menu.
2. In the warning message that displays, click Yes. The SonicWall appliance or group is deleted from SonicWall GMS.
   NOTE: After deleting the SonicWall appliance from SonicWall GMS, unprovision the unit as a best practice. To unprovision the unit, log in to the SonicWall appliance and disable SonicWall GMS management to avoid sending unnecessary syslogs to the SonicWall GMS host.

Executing Basic Appliance Management

This section provides links to locations in this guide that describe the most common appliance management tasks.

 

Common appliance management tasks

Management Task | Location
Inheriting Group Settings | Configuring Inheritance Filters
Upgrading Firmware | Upgrading Firmware
Managing Subscription Services | Configuring Security Services Settings
Manually Uploading Signatures | Manually Uploading Signature Updates
Managing Certificates | Configuring Certificates; Generating a Certificate Signing Request
Backing up the Prefs File | Configuring System Settings
Understanding Heartbeat Messages | Configuring System Settings; Configuring Log Settings