Firewall Shows Offline / Out of Sync in NSM After Firmware Upgrade to SonicOS 7.3.3

Description

After upgrading a Gen7 firewall to SonicOS 7.3.3-7014, the firewall may appear Offline and Out of Sync in Network Security Manager (NSM), and Zero Touch provisioning fails to complete. 

This behavior has been observed specifically on: 

  • Gen7 firewalls managed by NSM (Cloud/SaaS). 

  • Firewalls with Zero Touch enabled. 

  • Units that were upgraded to SonicOS 7.3.3-7014.

  • Units whose HTTP management port has been changed from the default to 8080.

The following common recovery steps do not resolve the issue: 

  • Resynchronizing licenses. 

  • Restarting (rebooting) the firewall. 

  • Restarting the Zero Touch task from the internal/diagnostic settings. 

Note: Browser access to the firewall using HTTP port 8080 also fails while the firewall is in this state. 

Cause

SonicOS 7.3.3 reintroduced the Data Plane (DP) HTTP redirect feature. By default, this feature serves HTTP redirect pages on port 8080. 

If the firewall's Web Management HTTP port has been changed from the default (80) to 8080, the management port and the DP HTTP redirect port now conflict. In earlier releases the DP redirect code was disabled, so the conflict did not occur. 

This port conflict prevents Zero Touch from establishing a connection to NSM, which causes the firewall to show Offline and Out of Sync. 

Note: Only firewalls whose HTTP Management port is set to 8080 are affected. The default port (80) and most other ports are not impacted. 

Resolution

This issue is avoided or resolved by ensuring the Web Management HTTP port is set to a value other than 8080. Ports 80, 8081, 8082, and 10800 have been confirmed to work. There are two scenarios, depending on whether the firewall has been upgraded yet.

Before Upgrading — Change the HTTP Management Port (Recommended)

The most reliable approach is to change the Web Management HTTP port before upgrading any firewall to SonicOS 7.3.3, while the firewall is still online and managed by NSM.

  1. Before upgrading, check whether the firewall's Web Management HTTP port is set to 8080.

  2. If it is set to 8080, change it to another value (for example, 80, 8081, or 8082) while the firewall is still online and in sync with NSM.

  3. Save the configuration and confirm the firewall remains In Sync in NSM.

  4. Proceed with the upgrade to SonicOS 7.3.3.

Why this is preferred: The firewall is still online and in sync when the change is made, so it does not go Offline after the upgrade and there is no need to reach it locally to recover it.
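For a fleet of firewalls, the check in step 1 can be run against an inventory export before scheduling upgrades. The following Python script is an added example, not SonicWall code: the CSV columns, the sample rows and the status labels are constructed for illustration, and it assumes every listed unit is NSM-managed with Zero Touch enabled.

```python
import csv
import io

DP_REDIRECT_DEFAULT = 8080   # default DP HTTP redirect port in 7.3.3 (per this article)
AFFECTED_RELEASE = "7.3.3"   # release that reintroduced the DP HTTP redirect

# Constructed inventory. Column names are assumptions for this example;
# an empty dp_redirect_port means the default applies.
SAMPLE_INVENTORY = """name,firmware,http_mgmt_port,dp_redirect_port
branch-01,7.1.1-0000,8080,
branch-02,7.3.3-7014,8080,
branch-03,7.3.3-7014,8081,
branch-04,7.3.3-7014,8080,10080
hq-01,7.1.1-0000,80,
"""

def classify(row):
    """Return a status label for one inventory row."""
    mgmt = int(row["http_mgmt_port"])
    dp = int(row["dp_redirect_port"] or DP_REDIRECT_DEFAULT)
    if not (1 <= mgmt <= 65535 and 1 <= dp <= 65535):
        raise ValueError(f"{row['name']}: port out of range")
    if mgmt != dp:
        return "ok"                          # no conflict, before or after upgrade
    release = row["firmware"].split("-")[0]  # "7.3.3-7014" -> "7.3.3"
    if release == AFFECTED_RELEASE:
        # Already on the affected release with conflicting ports:
        # NSM cannot push the fix, so the unit needs local access.
        # (A hotfix build cannot be told apart from the version string here.)
        return "conflict-recover-locally"
    # Not yet upgraded: move the management port while still in sync.
    return "change-port-before-upgrade"

def audit(inventory_csv):
    """Map firewall name -> status for every row of the inventory."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["name"]: classify(row) for row in reader}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {status}")
```
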

After Upgrading — Recovering a Firewall That Is Already Offline

If a firewall has already been upgraded to SonicOS 7.3.3 and is now Offline / Out of Sync, change the Web Management HTTP port to a value other than 8080 using one of the methods below.

Important: Because NSM connectivity is broken while the firewall is in this state, the change generally cannot be pushed from NSM. The firewall must be reached locally — through the management interface, console, or SSH — to apply the workaround.

Option 1 — Change the HTTP Management Port in the GUI (preferred)

Use this method when local management UI access to the firewall is available.

  1. Log in to the SonicOS management interface.

  2. Navigate to Device | Settings | Administration.

  3. Locate the Web Management Settings section.

  4. Change the HTTP Port from 8080 to another value (for example, 80, 8081, or 8082).

  5. Save the configuration.

After the change, Zero Touch should complete the acquisition, and the firewall should return to Online / In Sync in NSM.

Option 2 — Change the Management Port via CLI

If only console or SSH access is available, change the HTTP management port from the administration configuration context. Connect to the firewall over SSH or the console port with an administrator account, then run the following (this example changes the HTTP port to 8081):

    configure
    administration
    web-management http-port 8081
    commit

You can confirm the configured port with the show administration command. The equivalent command for the HTTPS port is web-management https-port <port>. After the change, include the new port number in the URL when accessing the appliance, for example http://LAN-IP:8081.

Option 3 — Change the DP HTTP Redirect Port (alternative)

If you need to keep the HTTP Management port at 8080, the conflict can instead be avoided by moving the DP HTTP redirect to a different port. This setting is not exposed in the SonicOS 7 GUI and must be set through the CLI:

    configure
    diag advanced user-authentication
    serve-http-redirect-dp-port 10080
    commit

You can verify the current value with:

    diag show advanced user-authentication

Port 10080 is recommended, as it is the value the firewall's default selection logic would normally choose when 8080 is already in use.

If the Workaround Does Not Resolve the Issue

If changing the port does not restore NSM connectivity, a firmware hotfix that addresses this behavior is available. Contact SonicWall Technical Support for the appropriate hotfix build for your appliance.

Frequently Asked Questions

Q: Which firewalls are affected?

A: Gen7 firewalls running SonicOS 7.3.3, managed by NSM Cloud/SaaS with Zero Touch enabled, where the HTTP Management port has been set to 8080.

Q: How can I avoid this before upgrading?

A: Before upgrading to SonicOS 7.3.3, change the Web Management HTTP port from 8080 to another value (for example 80, 8081, or 8082) while the firewall is still online. This prevents the conflict from occurring after the upgrade.

Q: Why did this only start after upgrading to 7.3.3?

A: The DP HTTP redirect feature that uses port 8080 was reintroduced in 7.3.3. On earlier releases it was disabled, so no conflict existed.

Q: Can I apply the workaround from NSM?

A: Before upgrading, yes — the firewall is still in sync. After the firewall is already offline, generally no, because it is not communicating with NSM; the change must then be made locally via the GUI, console, or SSH.

Q: Will a permanent fix be provided?

A: Yes. A permanent fix is being addressed in a subsequent firmware release. Until then, the port change above is the recommended workaround.

 
