SonicWall NSv XS FAQ

This article covers some of the basic FAQ'S related to SonicWall NSv XS

Q: What is SonicWall NSv XS?

SonicWall NSv XS is SonicWall's entry-level Gen 8 virtual firewall — a single-core Next-Generation Firewall (NGFW) purpose-built for SOHO (Small Office/Home Office) and micro-SMB environments. It delivers enterprise-grade threat protection at an accessible price point

Q: How many virtual CPUs (vCPUs) does NSv XS support?

NSv XS is a single-core virtual firewall, supporting 1 vCPU. This single-core design reduces VM resource consumption and simplifies deployment for environments without dedicated IT staff.

Q: What are the minimum hardware requirements?

NSv XS requires a minimum of 2 GB RAM and 32 GB of storage. It runs as a lightweight VM on supported hypervisors.

Q: What are the throughput specifications for NSv XS?

NSv XS delivers the following throughput:

• Firewall throughput: 2 Gbps
• Threat prevention: 800 Mbps
• IPS: 1 Gbps
• TLS/SSL DPI: 400 Mbps
• VPN throughput: 700 Mbps

Q: How many VPN policies and tunnels does NSv XS support?

NSv XS supports 25 site-to-site VPN policies

Q: How many logical interfaces does NSv XS support?

NSv XS supports up to 128 logical VLAN/tunnel interfaces.

Q: Which hypervisors are supported by NSv XS?

NSv XS supports the following hypervisors:

• VMware ESXi
• Microsoft Hyper-V
• KVM
• Proxmox (native support — first Gen 8 virtual firewall to support Proxmox)

Q: Is NSv XS available on public cloud platforms?

Yes. NSv XS is available on:

• AWS — both BYOL (Bring Your Own Licence) and PAYG (Pay As You Go)
• Microsoft Azure — BYOL only

Q: When NSv XS will be available in AWS and Azure Marketplace?

NSv XS is expected to be available from the week of May 4th, subject to approvals from AWS and Azure Marketplace.

Q: What makes Proxmox support significant?

NSv XS is the first Gen 8 virtual firewall to offer native Proxmox support. This provides budget-conscious IT teams running the free, open-source Proxmox hypervisor with a full Gen 8 security option — something many competitors do not offer at this price tier.

Q: What threat protection technologies does NSv XS include?

NSv XS includes:

• RTDMI™ (Real-Time Deep Memory Inspection) — patented zero-day protection
• RFDPI (Reassembly-Free Deep Packet Inspection)
• Capture ATP multi-engine sandboxing
• TLS 1.3 deep packet inspection including encrypted traffic
• IPS with automatic signature updates
• Gateway Anti-Virus and Anti-Spyware
• Botnet and Geo-IP filtering
• DNS security and Content Filtering (CFS 5.0)

Q: Does NSv XS inspect encrypted (TLS) traffic?

Yes. NSv XS performs full TLS 1.3 and SSL/SSH deep inspection, eliminating blind spots in encrypted traffic — including east-west traffic between cloud workloads that cloud-native security groups cannot inspect.

Q: What networking and connectivity features are included?

NSv XS includes:

• Built-in SD-WAN with intelligent routing
• IPSec and SSL VPN
• Cloud Secure Edge (CSE) connector
• Zero Trust Network Access (ZTNA)
• BGP, OSPF, RIPv1/v2 dynamic routing

Q1: How is NSv XS managed?

NSv XS is managed via NSM (Network Security Manager)/Unified Management, SonicWall's centralised cloud management console. NSM provides a single pane of glass for all sites and workloads, including multi-tenant architecture for MSPs.

Q: Does NSv XS support zero-touch deployment?

Yes. NSv XS supports zero-touch provisioning allowing branch offices to go live without a technician on-site. Unlike a physical firewall, NSv requires manual registration before it can be managed by NSM via zero-touch provisioning.

Note: Before registration, NSv operates in an unlicensed mode without an associated serial number (SN), whereas a physical firewall has an embedded SN in its factory default state. When NSv is in an unlicensed state, none of the core functions are operational. Features such as VPN, management, and traffic pass-through are not available. Only limited functions like DNS configuration, basic administrative settings, and logging/diagnostics are accessible.

Q: What management and reporting tools are included?

NSv XS includes:

• SAMI AI assistant for administrative tasks
• REST API and CLI full access
• NetFlow/IPFix and SNMPv2/v3 support
• 7-day reporting and analytics (Secure Connect and APSS tiers)
• 30-day advanced reporting with MPSS

Q: What are the available subscription tiers for NSv XS?

NSv XS is offered in three annual subscription tiers:

1. Secure Connect
   Includes 24×7 support, NSM management, Layer 4/7 stateful firewall with HA, software entitlement and firmware, and 7-day reporting.
2. APSS (Advanced Protection Security Suite)
   Includes all Secure Connect features plus Capture ATP sandboxing, IPS, gateway AV/anti-spyware, content filtering, DNS/botnet/geo-IP, application control, and a $100K embedded cyber warranty.
3. MPSS (Managed Protection Security Suite)
   Includes all APSS features plus configuration management, 30-day reporting, SonicSentry NOC (24×7 managed monitoring), and a $200K embedded cyber warranty.

Q:What is the cyber warranty included with NSv XS?

NSv XS includes an embedded Cysurance cyber warranty at no additional cost — up to $100K with the APSS tier and up to $200K with MPSS. This provides customers and auditors with financial assurance in the event of a breach. No competitor at this price point offers equivalent financial backing.

Q: Is PAYG (Pay As You Go) available?

Yes. On AWS, NSv XS is available as PAYG, meaning there is no upfront commitment and customers pay only for actual usage. This is particularly beneficial for DevOps, lab, or proof-of-concept environments.

Q: How does NSv XS address cloud security blind spots?

Cloud-native security groups define allow/deny rules but perform no traffic inspection — encrypted lateral movement between cloud workloads goes completely unseen. NSv XS deploys natively within the cloud boundary (AWS/Azure), inspecting east-west traffic using full TLS 1.3 decryption and RTDMI sandboxing.

Q: How does NSv XS support branch office deployments?

NSv XS runs as a VM on branch server infrastructure (VMware, Hyper-V, KVM, or Proxmox), eliminating the need to ship, stage, or replace hardware at each site. Zero-touch deployment  and optional MPSS with SonicSentry NOC enable branches to go live with no local IT expertise required.

Q: What distinguishes NSv XS from competing entry-level virtual firewalls?

NSv XS offers three primary differentiators:

1. Embedded cyber warranty — no competitor at this price point provides financial backing for a breach (up to $200K with MPSS).
2. Single-core efficiency with full Gen 8 depth — RTDMI, TLS 1.3, NSM, and embedded warranty at a price rivals cannot match with equivalent security.
3. Native Proxmox support — first Gen 8 virtual firewall to market with native Proxmox support at competitive price

Q: Why should MSPs consider NSv XS?

NSv XS acts as a margin multiplier for MSPs — enabling more customer sites to be served from the same headcount. MPSS bundled with SonicSentry NOC creates a recurring managed firewall revenue stream. The $200K embedded cyber warranty serves as a competitive differentiator when presenting to prospective clients.

Q: What is the default mode in Gen 8?

Now, Global/Classic mode is the default modein Gen 8 NSv. SonicWall recommends staying in Classic mode.

Q: What are the features not supported in PolicyMode?

SAML Support, CSE Connector and anythingbeyond SonicOS 7.3.2

Q: Compared to TZ, What are the features not available in NSv XS?

• Internal Switching UI(L2 LAG, PortShielding,LACP Support)
• External Switch Support and UI
• External AP Support and UI
• CASS Support and Anti-SPAM feature UI

Q: How to switch modes: Classic to Policy and Vice-versa? 

• Firewall mode switching feature has to be enabled in MSW; Change mode via Network ->Firewall ->Advanced Page
•  Other option to de-register and reregister firewall

Q: Is there a trial License available?

Yes, Trial License is available for NSv XS

Q: Can we delete interfaces from NSv XS?

SonicWall does not recommend deleting interfaces in NSv.

Q: Does NSv work in Closed Network?

NSv XS will not work in Closed Network. NSv S, M & L will be supported in Closed Network 8.2.2 Release.

Q: What are the NSM versions supported?

NSM 4.0.0 --> NSv XS

Q: Can users upgrade to newer generation of NSv from older generation without reboot or with seamless upgrade? 

No, currently this is not supported.

Q: Can firmware upgrades be done via NSM?

Yes

Q: Does Microsoft Azure support Active/Standby High Availability without using Azure Load balancer? 

NSv supports Layer 3 High Availability in Active/Standby Mode

Q: Does Azure Active/Standby HA solution support settings/configuration synchronizing?

Yes. Azure Active/Standby HA solution supports settings synchronization.

Q: Does Azure Active/Standby HA solution support Stateful synchronization

Yes, It is supported

Q: Is Availability zone settings supported on NSv Azure cloud deployments?

Yes. It is supported on standalone and HA deployments using ARM templates.

Q: Is HA supported for NSv AWS?

HA is not supported in NSv deployment in AWS. It is supported only in Azure

Q: Is migration of licenses possible from BYOL to PAYG and vice versa?

No. It is not possible to migrate the licenses 

Q: Like TZ80, Gen 8 NSv won't work without an active subscription, correct?

Yes