SonicOS 7.3.3 FAQ

This FAQ covers the key features and changes in SonicOS 7.3.3. It is structured by feature area and is intended to help customers, partners, and field teams quickly find answers to the most common questions about the release.

For technical detail on the Geo-IP changes specifically, refer to Knowledge Base article Geo-IP Database Update: Kosovo and South Sudan.

Release Overview

• What is SonicOS 7.3.3 and when is it available?
  SonicOS 7.3.3 is the next feature release for GEN7 SonicWall appliances, targeted for release by end of May 2025. The headline features are the addition of Generative AI as a Content Filtering Service category, Credential Auditor enabled by default, and Geo-IP UI support for Kosovo and South Sudan.
• What are the priority features in SonicOS 7.3.3?
  Three high-priority changes ship with SonicOS 7.3.3:
  • Generative AI CFS Category — administrators can now apply allow, block, or warn policies to Generative AI platforms (ChatGPT, Copilot, Gemini, and others)
  • Credential Auditor enabled by default — the appliance automatically checks credentials against known compromised password databases and generates alerts. No administrator configuration required.
  • Geo-IP UI support for Kosovo and South Sudan — Kosovo is reclassified from Europe; South Sudan gains UI-level selectability for the first time
• Is SonicOS 7.3.3 a free upgrade?
  Yes, for customers with an active support contract. Firmware is available at no additional charge through the MySonicWall portal. A CFS subscription is required to use the new Generative AI and other content filtering categories.

Generative AI — New Content Filtering Category

• What is the Generative AI CFS category?
  SonicOS 7.3.3 introduces Generative AI as a new Content Filtering Service (CFS) category. Administrators can apply allow, block, or warn policies specifically to Generative AI platforms — such as ChatGPT, Microsoft Copilot, Google Gemini, and similar tools — independently of other content categories. This gives organisations precise control over AI tool access without requiring custom URL lists.
• Why is this a priority feature?
  Generative AI adoption is accelerating rapidly across SMB and enterprise environments, often without IT visibility or governance. Employees are frequently accessing these platforms using corporate devices and networks, creating risks around data leakage, regulatory compliance, and productivity. This category gives administrators a straightforward, policy-based mechanism to manage that exposure without blocking broader internet access.
• Which industries should prioritise enabling this policy?
  The Generative AI category is particularly relevant for:
  • Education — preventing students from using AI tools to circumvent academic integrity policies
  • Healthcare — managing data privacy risks associated with patient information being submitted to AI platforms
  • Financial services — controlling AI platform usage for regulatory compliance (GDPR, SOC 2, PCI DSS)
  • Any organisation with confidential IP or data residency obligations
• Do I need a CFS subscription to use the Generative AI category?
  Yes. The Generative AI category is part of the Content Filtering Service and requires an active CFS subscription. The category is available immediately in the CFS policy editor after upgrading to SonicOS 7.3.3 — no additional configuration is required to see it.
• How do I enable a Generative AI block or warn policy after upgrading?
  After upgrading to SonicOS 7.3.3:
  • Navigate to Security Services | Content Filter | CFS Policy
  • Locate the Generative AI category in the category list
  • Set the action to Block or Warn as appropriate for your organisation's policy
  • Apply the policy to the relevant zones or user groups and save
• What other new CFS categories are included in 7.3.3?
  In addition to Generative AI, three further CFS categories are added:
  • Self-Harm — block access to content promoting or facilitating self-harm
  • DNS-over-HTTPS (DoH) — control or restrict DoH traffic to maintain DNS policy enforcement and prevent CFS bypass
  • Low-THC Cannabis Products — granular policy control, distinct from existing cannabis categories
• Is Generative AI available on GEN8 as well?
  Yes, but on a different timeline. Generative AI as a CFS category is introduced on GEN7 with SonicOS 7.3.3. GEN8 customers will receive this capability with SonicOS 8.2.2, targeted for GA on July 21, 2025.

Credential Auditor — Enabled by Default

• What is Credential Auditor?
  Credential Auditor checks administrator and user credentials configured on the SonicWall appliance against known compromised password databases. When a match is found, it generates an alert to notify the administrator. This helps prevent attackers from exploiting credentials exposed in third-party data breaches — a leading cause of network compromise.
• What do I need to do to enable Credential Auditor in 7.3.3?
  Nothing. Credential Auditor is enabled by default in SonicOS 7.3.3. No administrator configuration is required. On first boot, factory reset, or upgrade, the feature is active automatically and will begin auditing credentials and generating alerts without any manual intervention.
• What happens if Credential Auditor detects a compromised credential?
  The appliance generates an alert in the management interface notifying the administrator that a credential matches a known compromised password. No traffic is blocked and no accounts are locked — the alert is informational, prompting the administrator to take action. SonicWall recommends updating any flagged credential to a strong, unique password not previously used elsewhere.
• Will upgrading to 7.3.3 immediately audit my existing credentials?
  Yes. Once the upgrade is complete and Credential Auditor is active, it will audit existing configured credentials against the compromised password database. Administrators should be prepared to receive alerts if any current credentials match known breached passwords — this is expected and is the feature working as intended.
• Is Credential Auditor already on GEN8?
  Yes. Credential Auditor is already enabled by default on GEN8 appliances running current firmware. SonicOS 7.3.3 brings the same default-on behaviour to GEN7, aligning the security posture across both generations.
• Can Credential Auditor be disabled?
  Yes, it can be disabled through the management interface. However, SonicWall strongly recommends keeping it enabled. It operates silently in the background, generates alerts only — it does not interrupt connectivity or block traffic — and provides meaningful protection against credential-based attacks with no performance impact.

Geo-IP — Kosovo and South Sudan

• What is changing with Kosovo and South Sudan in the Geo-IP feature?
  Two distinct changes are being made:
  • Kosovo: Previously classified under Europe in the Geo-IP database. From this update, Kosovo IP addresses are reclassified as Kosovo specifically. SonicOS 7.3.3 adds UI-level policy controls to explicitly block or allow Kosovo as a distinct country.
  • South Sudan: Was already recognised as a distinct country at the database level, but had no UI-level policy support. SonicOS 7.3.3 adds explicit UI selectability for South Sudan in the Geo-IP policy editor for the first time.
• I currently block Europe. Will Kosovo still be blocked after upgrading to 7.3.3?
  Not automatically. After the database update, Kosovo IP addresses are reclassified from Europe to Kosovo. An existing Europe block rule will no longer cover Kosovo. To continue blocking Kosovo, you must explicitly add it to your Geo-IP block policy after upgrading to 7.3.3.
• Was South Sudan previously covered by the 'Block all Unknown countries' rule?
  No. South Sudan was already recognized as a distinct country at the database level before this update and was not classified as Unknown. It simply had no UI selectability. SonicOS 7.3.3 adds the ability to explicitly target South Sudan in the Geo-IP policy editor for the first time.
• What do GEN6 customers need to know?
  The Geo-IP database update applies automatically to GEN6 appliances, so the Kosovo reclassification will take effect. However, UI-level policy controls for Kosovo and South Sudan are not planned for GEN6. GEN6 administrators who require explicit per-country policy control should consider upgrading to GEN7. For full details, refer to Knowledge Base article Geo-IP Database Update: Kosovo and South Sudan.
• Is there a knowledge base article with more detail on the Geo-IP changes?
  Yes. KB article Geo-IP Database Update: Kosovo and South Sudan covers the full behaviour changes, firmware impact across GEN6, GEN7 and GEN8, required administrator actions, and a detailed FAQ. It is recommended reading for any administrator using Geo-IP policies.

DTLS Support for SSL-VPN 

• What is DTLS and why does it matter for SSL-VPN?
  DTLS (Datagram Transport Layer Security) is a UDP-based alternative to TLS for encrypted tunnelling. Because it uses UDP rather than TCP, it significantly reduces latency for real-time applications such as voice and video. SonicOS 7.3.3 adds DTLS support to SSL-VPN, meaning users on performance-sensitive connections will get a noticeably better experience without any change to their workflow.
• Do I need to configure anything to enable DTLS?
  No. When a connecting client supports DTLS, the SSL-VPN gateway negotiates it automatically. TLS fallback is maintained for clients that do not support DTLS. No administrator configuration is required on either the appliance or the client side.
• Which applications benefit most from DTLS?
  Any application sensitive to latency benefits from DTLS, particularly voice and video conferencing (Microsoft Teams, Zoom, Webex), interactive desktop sessions, and clinical or field service applications that require low-latency remote access. Bulk data transfers over TLS will see little difference; real-time communications over SSL-VPN will see the most improvement.

Same-Subnet WAN Support

• What is the same-subnet WAN limitation and what changed in 7.3.3?
  Previously, SonicOS would generate a configuration error if W0-WAN and X1 WAN were assigned IP addresses within the same subnet. This affected deployments where an ISP provides two WAN handoffs in the same subnet, which is common with certain bonded or aggregated circuit types. SonicOS 7.3.3 removes this restriction. W0-WAN and X1 WAN can now be configured in the same IP subnet, and SD-WAN failover is fully supported in that configuration.
• Do I need to reconfigure anything after upgrading if I was working around this limitation?
  No reconfiguration is required to preserve your existing setup. If you previously used workarounds such as static routes or intermediate subnets to accommodate this limitation, you may choose to simplify that configuration after upgrading. The native same-subnet WAN support is available immediately after the upgrade without any additional steps.

MAC-IP Anti-Spoofing in Native Bridge (Layer 2)

• What is MAC-IP Anti-Spoofing in Native Bridge mode?
  Native Bridge mode (also called Layer 2 bridge mode) allows SonicWall to be deployed transparently inline without re-addressing the network. MAC-IP Anti-Spoofing in this mode enforces bindings between MAC addresses and IP addresses on bridged interfaces. When enabled, the appliance detects and blocks traffic where the source MAC and IP pairing does not match the learned or statically configured binding table, preventing ARP spoofing and IP spoofing attacks inline.
• Which deployment types are most affected by this change?
  This is most relevant for retail, banking, and campus network environments where SonicWall is deployed transparently without re-addressing the network. These environments typically have Layer 2 segments where ARP spoofing has historically been difficult to mitigate inline. Organisations deploying SonicWall in routed mode are unaffected, as MAC-IP Anti-Spoofing has been available in routed deployments for some time.

NetExtender 10.3.4 Embedded in SonicOS 7.3.3

• What does it mean that NetExtender 10.3.4 is embedded in SonicOS 7.3.3?
  The SSL-VPN portal hosted on a SonicOS 7.3.3 appliance now serves NetExtender 10.3.4 directly to connecting users. When a user accesses the portal, they will be prompted to install or update to NetExtender 10.3.4 automatically. No separate client distribution, manual download, or administrator action is required. The update is delivered transparently as part of the standard SSL-VPN connection flow.
• Will users be prompted to update NetExtender automatically?
  Yes. Users connecting to an upgraded appliance via the SSL-VPN portal will be prompted to install or update to NetExtender 10.3.4 on their next login if they are running an older version. This is the same auto-update flow they would have experienced in previous embedded client upgrades. No end-user communication or pre-staging is required.

Management & User Interface

• What changed in the Save/Edit configuration banner?
  The banner that appears when saving or editing a firewall configuration has been redesigned to be less visually cluttered. Primary actions are now more prominently displayed and the save state of pending configuration changes is easier to interpret at a glance. There are no functional changes to configuration save or edit behaviour; this is a layout and clarity improvement only.

• The UI labels for Unified Management look different after upgrading. Is something broken?
  No. SonicOS 7.3.3 updates several UI text strings related to Unified Management to align with current NSM product naming. This is a terminology and clarity improvement only. No settings, features, or functions have changed. Administrators who reference UI labels in runbooks or internal documentation may wish to update those references after upgrading.

• What are the switch diagnostics improvements in SonicOS 7.3.3?
  SonicOS 7.3.3 extends switch diagnostic capabilities to both x86 and ARM-based appliances. Previously, GUI-accessible switch diagnostics were not available on ARM platforms. Administrators can now access link state, MAC address tables, port statistics, and VLAN assignments from the management UI on both architecture types, without requiring CLI access or out-of-band tools. This reduces escalation time and simplifies remote troubleshooting for NOC staff and SEs.

APSS Licensing Bundle -- NSsp Series

• What is the APSS licensing bundle and which appliances are now eligible?
  The APSS (Advanced Protection Service Suite) licensing bundle is a comprehensive security subscription that combines SonicWall’s advanced threat protection services into a single SKU. With this release, NSsp Series firewalls are now eligible for the APSS bundle. A key capability included in the bundle is Advanced 7-day reporting, which provides extended log retention and detailed traffic analysis beyond the standard reporting window.
• What does Advanced 7-day reporting include and who benefits most?
  Advanced 7-day reporting extends the log retention and reporting window beyond the standard real-time view, giving administrators access to a full seven days of traffic analysis, threat events, and policy activity from the management interface. This is particularly valuable for enterprise and service provider accounts with compliance requirements around log retention, incident investigation workflows that require historical context, and managed security operations that need trend visibility across multiple days. NSsp customers upgrading to the APSS bundle gain this capability as part of the bundle without requiring a separate reporting add-on.
• How does an NSsp customer add the APSS bundle to an existing deployment?
  The APSS bundle is available through the MySonicWall portal and through authorised SonicWall partners. NSsp customers on existing individual service subscriptions can transition to the APSS bundle at renewal. Partners should contact their SonicWall account team or distributor for NSsp APSS bundle SKUs and pricing. For additional questions, contact Product Management at nspm@sonicwall.com.

Upgrade Guidance & Support

• What should I do before upgrading to SonicOS 7.3.3?
  SonicWall recommends the following before upgrading:
  • Export and save a backup of your current configuration
  • Note your current firmware version in case rollback is needed
  • Review the SonicOS 7.3.3 Release Notes for any caveats relevant to your deployment
  • Plan the upgrade during a maintenance window
• Will my existing configuration survive the upgrade?
  Yes. SonicOS upgrades preserve existing configurations. Credential Auditor will activate automatically post-upgrade and may generate alerts for existing credentials — this is expected behaviour. CFS policies referencing the new categories (Generative AI, Self-Harm, DoH, Low-THC Cannabis) will need to be configured post-upgrade as they are new additions.
• Where can I download SonicOS 7.3.3?
  SonicOS 7.3.3 firmware is available through the MySonicWall portal for customers with an active support contract. It can also be pushed through NSM for centrally managed deployments.
• Where can I get support if I encounter issues after upgrading?
  SonicWall Technical Support is available athttps://www.sonicwall.com/support/contact-support.  Partners can raise cases on behalf of customers through the MySonicWall partner portal.