Differences between SonicOS and SonicOSX

Description

This KB explains the differences between SonicOS and SonicOSX. It also lists which devices run SonicOS, SonicOSX, or both.

Resolution

What is SonicOSX?

SonicOSX 7.0 is the new SonicWall firewall firmware that allows granular control and enforcement of dynamic Layer 7 applications within the security policy. SonicOSX combines Layer 3 to Layer 7 rules into a single rule called Security Policy. Hence, the user will no longer need to configure any rules in separate tabs as in the case of global mode. It also includes multiple improvements around user experience with rule exporting, cloning of a rule, shadowing alerts, bulk editing, and many more.

There is a significant difference in packet flow on SonicOS and SonicOSX.

In SonicOS:

Matches are made only on the 5-tuple (source/destination IP, source/destination port, and protocol). If the action is set to allow, BWM, QoS, or Geo-IP/Botnet checks can then be applied.

NOTE: For a more detailed packet flow on SonicOS, please refer to "How Does The Firewall Process A Packet On An Interface?"

In SonicOSX:

Matches can be made on a much wider range of criteria, such as the 5-tuple, user, applications, websites, web categories, patterns, and geo-location. When the packet is allowed, a variety of additional actions can be applied, such as security services, BWM, logging, clean cookies, safe search, passphrase, and consent page.

When to choose SonicOS and when to choose SonicOSX?

| Situation | Mode |
|---|---|
| Ease of Use | Global |
| Default Rules Enabled | Global |
| SonicOS decides the priority | Global |
| Only need to create access rules to match Layer 3 and 4 | Global |
| Security is the prime focus | Policy |
| Managing all security services from a single Policy view | Policy |
| Ability to create Decryption rules for TLS/SSH traffic | Policy |
| Ability to create DoS rules | Policy |
| Ability to match application on Security Rule | Policy |
| Ability to match URLs/keywords on Security Rule | Policy |

Benefits of using SonicOSX:

  • Allowing granular control of Layer 7 applications.
  • Enabling dynamic applications as match conditions.
  • Simplifying application-based security policy management.
  • Adapting to the dynamic traffic changes.
  • Greater control for dynamic applications.

Compatibility Matrix:

The table below shows the SonicOS releases supported for each SonicWall firewall model.

| SonicWall Firewall Model | SonicOSX 7 | SonicOS 7 | SonicOS 6.5 |
|---|---|---|---|
| Hardware Firewalls: | | | |
| SOHO Series: SOHO-W, SOHO-250, SOHO-250W | No | No | Yes |
| TZ Series Firewalls: TZ300, TZ300P, TZ300W, TZ350, TZ350W, TZ400, TZ400W, TZ500, TZ500W, TZ600, TZ600P | No | No | Yes |
| TZ Series Firewalls: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ670 | TBD | Yes | No |
| NSa Series: NSA 2600, NSA 3600, NSA 4600, NSA 5600, NSA 6600, NSa 2650, NSa 3650, NSa 4650, NSa 5650, NSa 6650, NSa 9250, NSa 9450, NSa 9650 | No | No | Yes |
| NSa Series: NSa 2700, NSa 3700, NSa 4700, NSa 6700 | TBD | Yes | No |
| SuperMassive Series: SM 9200, SM 9400, SM 9600, SM 9800 | No | No | Yes |
| NSsp Series: NSsp 12400, NSsp 12800 | No | No | Yes |
| NSsp Series: NSsp 13700 | TBD | Yes | No |
| NSsp Series: NSsp 15700 | Yes | TBD | No |
| Virtual Firewalls: | | | |
| NSv Series: NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 | No | No | Yes |
| NSv Series: NSv 270, NSv 470, NSv 870 | Yes | Yes | No |

Let us take a look at a few examples of how granular the rules can be on SonicOSX.

EXAMPLE 1: Allow access for user ‘Dave’ trying to access social websites during daytime from the Sweden location, but limit the bandwidth to low usage, report the details, and apply security services like IPS, GAV, and AntiSpyware.
Deny access for user ‘Joe’ when trying to access videos on social websites from the country Romania.

This can be done using two separate security policies as below.

LAN subnet to ANY user= Dave, Web category = social websites, country = sweden, schedule = day, action allow ->bwm = low/log/report/ips/gav/As
LAN subnet to ANY user= Joe, app = video and web category=social websites country = romania, schedule = day, action deny ->bwm = low/log
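The two EXAMPLE 1 policies can be modelled in a few lines to show why the extra match criteria matter. This is an added illustration, not SonicWall code or SonicOSX configuration syntax. The first-match-wins ordering, the implicit deny, the reuse of the 10.0.0.0/24 subnet from EXAMPLE 2 as the LAN subnet, and all sample flows are assumptions made for the sketch.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # constructed record: 5-tuple plus the attributes SonicOSX can match on
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    user: str
    web_category: str
    app: str
    country: str
    schedule: str

L7_FIELDS = ("user", "web_category", "app", "country", "schedule")

# The two EXAMPLE 1 policies. A criterion left out of a rule means ANY.
# "post" holds the additional actions listed after "->" in the article.
POLICIES = [
    {"name": "dave-social", "src": "10.0.0.0/24", "user": "Dave",
     "web_category": "social websites", "country": "sweden", "schedule": "day",
     "action": "allow", "post": ("bwm=low", "log", "report", "ips", "gav", "as")},
    {"name": "joe-social-video", "src": "10.0.0.0/24", "user": "Joe", "app": "video",
     "web_category": "social websites", "country": "romania", "schedule": "day",
     "action": "deny", "post": ("bwm=low", "log")},
]

def matches(rule, flow, use_l7=True):
    if ipaddress.ip_address(flow.src_ip) not in ipaddress.ip_network(rule["src"]):
        return False
    if not use_l7:
        return True  # 5-tuple only: destination, ports and protocol are ANY here
    return all(getattr(flow, f) == rule[f] for f in L7_FIELDS if f in rule)

def evaluate(flow, policies=POLICIES, use_l7=True):
    # Assumption: first matching rule wins; unmatched traffic is denied.
    for rule in policies:
        if matches(rule, flow, use_l7):
            return rule["name"], rule["action"], rule["post"]
    return "implicit", "deny", ()

# Constructed sample flows (addresses and ports are made up).
DAVE = Flow("10.0.0.5", "203.0.113.10", 50000, 443, "tcp",
            "Dave", "social websites", "browsing", "sweden", "day")
JOE = Flow("10.0.0.6", "203.0.113.10", 50001, 443, "tcp",
           "Joe", "social websites", "video", "romania", "day")
```

With `use_l7=False` the matcher sees only addresses, so Joe's flow falls into Dave's allow rule; with the full criteria it reaches the deny rule written for it.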
EXAMPLE 2: Deny access for user ‘Joe’ trying to access websites/applications like youtube/google from Germany.
Deny access for user ‘Dave’ using the same tuples as above plus a regular expression match.

This can also be achieved using two separate security policies as below.

10.0.0.0/24, ANY, user=Joe, apps={yahoo, google……}, Germany ----> deny
10.0.0.0/24, ANY, user=Dave, apps={yahoo….}, match object={regular expression} ----> deny

EXAMPLE 3: Allow access for user ‘Dave’ trying to access applications like BitTorrent from Sweden during non-business hours, but limit the bandwidth to low usage, report the usage, and apply security services like IPS, GAV, and AntiSpyware.
Allow access for user ‘Joe’ accessing youtube from Romania during daytime, but limit the bandwidth to low usage, log/report the usage, and also apply security services like IPS, GAV, and Anti-Spyware.
Show a block page for user ‘Joe’ accessing the porn category from Romania during daytime.

This can be achieved by using three security policies as below.

LAN subnet to ANY user= Dave, apps = bittorrent, country = sweden, schedule = off hours, action allow ->bwm = low/log/report/ips/gav/As
LAN subnet to ANY user= Joe, Websites = youtube.com, country = romania, schedule = day, action allow ->bwm = low/log/report/ips/gav/As
LAN subnet to ANY user= Joe, Web category = porn, country = romania, schedule = day, action block -> block page

NOTE: For more details/configurations using SonicOSX, please refer to What Is SonicOSX 7.0
