Differences between SonicOS and SonicOSX
07/12/2021
Description
This KB explains the differences between SonicOS and SonicOSX. It also lists the devices that run SonicOS, SonicOSX, or both.
Resolution
What is SonicOSX?
SonicOSX 7.0 is the new SonicWall firewall firmware that allows granular control and enforcement of dynamic Layer 7 applications within the security policy. SonicOSX combines Layer 3 to Layer 7 rules into a single rule called Security Policy. Hence, the user will no longer need to configure any rules in separate tabs as in the case of global mode. It also includes multiple improvements around user experience with rule exporting, cloning of a rule, shadowing alerts, bulk editing, and many more.
There is a significant difference in packet flow on SonicOS and SonicOSX.
In SonicOS:
Matches are based only on the 5-tuple (source/destination IP, source/destination port, and protocol). If the action is set to allow, we can further apply BWM, QoS, or Geo-IP/Botnet checks.
NOTE: For a more detailed packet flow on SonicOS, please refer to How Does The Firewall Process A Packet On An Interface?
In SonicOSX:
We can match on a much wider range of criteria, such as the 5-tuple, user, apps, websites, web categories, patterns, geo-location, etc. When the packet is allowed, we can apply a variety of additional actions such as security services, BWM, logging, clean cookies, safe search, passphrase, consent page, etc.
When to choose SonicOS and when to choose SonicOSX?
Situation | Mode |
Ease of Use | Global |
Default Rules Enabled | Global |
SonicOS decides the priority | Global |
Only need to create access rules to match Layer 3 and 4 | Global |
Security is the prime focus | Policy |
Managing all security services from a single Policy view | Policy |
Ability to create Decryption rules for TLS/SSH traffic | Policy |
Ability to create DoS rules | Policy |
Ability to match application on Security Rule | Policy |
Ability to match URLs/keywords on Security Rule | Policy |
Benefits of using SonicOSX:
- Allowing granular control of Layer 7 applications.
- Enabling dynamic applications as match conditions.
- Simplifying application-based security policy management.
- Adapting to the dynamic traffic changes.
- Greater control for dynamic applications.
Compatibility Matrix:
The table below shows the SonicOS releases supported for each SonicWall Firewall model.
SonicWall Firewall Model | SonicOSX 7 | SonicOS 7 | SonicOS 6.5 |
Hardware Firewalls: | | | |
SOHO Series SOHO-W, SOHO-250, SOHO-250W | No | No | Yes |
TZ Series Firewalls TZ300, TZ300P, TZ300W, TZ350, TZ350W, TZ400, TZ400W, TZ500, TZ500W, TZ600, TZ600P | No | No | Yes |
TZ Series Firewalls TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ670 | TBD | Yes | No |
NSa Series NSA 2600, NSA 3600, NSA 4600, NSA 5600, NSA 6600, NSa 2650, NSa 3650, NSa 4650, NSa 5650, NSa 6650, NSa 9250, NSa 9450, NSa 9650 | No | No | Yes |
NSa Series NSa 2700, NSa 3700, NSa 4700, NSa 6700 | TBD | Yes | No |
SuperMassive Series SM 9200, SM 9400, SM 9600, SM 9800 | No | No | Yes |
NSsp Series NSsp 12400, NSsp 12800 | No | No | Yes |
NSsp Series NSsp 13700 | TBD | Yes | No |
NSsp Series NSsp 15700 | Yes | TBD | No |
Virtual Firewalls: | | | |
NSv Series NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv300, NSv 400, NSv 800, NSv 1600 | No | No | Yes |
NSv Series NSv 270, NSv 470, NSv 870 | Yes | Yes | No |
Let us take a look at a few examples of how granular the rules can be on SonicOSX.
EXAMPLE 1: Allow access for User ‘Dave’ to social websites during the daytime from Sweden, but limit the bandwidth to low usage, report the details, and apply security services like IPS, GAV and AntiSpyware.
Deny access for User ‘Joe’ when trying to access videos on social websites from Romania.
This can be done using two separate security policies as below.
LAN subnet to ANY user= Dave, Web category = social websites, country = sweden, schedule = day, action allow ->bwm = low/log/report/ips/gav/As
LAN subnet to ANY user= Joe, app = video and web category=social websites country = romania, schedule = day, action deny ->bwm = low/log
EXAMPLE 2: Deny access for User ‘Joe’ trying to access websites/applications like youtube/google from Germany.
Deny access for User ‘Dave’ using the same tuples as above plus a regular expression match.
This can also be achieved using two separate security policies as below.
10.0.0.0/24, ANY, user=Joe, apps={yahoo, google……}, Germany ----> deny
10.0.0.0/24, ANY, user=Dave, apps={yahoo….}, match object={regular expression} ----> deny
EXAMPLE 3: Allow access for User ‘Dave’ trying to access applications like BitTorrent from Sweden, during non-business hours but limit the bandwidth to low usage, report the usage and apply security services like IPS, GAV and AntiSpyware.
Allow access for User ‘Joe’ accessing youtube from Romania during daytime but limit the bandwidth to low usage, log/report the usage and also apply security services like IPS, GAV, and Anti-Spyware.
Show a block page for User ‘Joe’ accessing porn category from Romania during daytime.
This can be achieved by using three security policies as below.
LAN subnet to ANY user= Dave, apps = bittorrent, country = sweden, schedule = off hours, action allow ->bwm = low/log/report/ips/gav/As
LAN subnet to ANY user= Joe, Websites = youtube.com, country = romania, schedule = day, action allow ->bwm = low/log/report/ips/gav/As
LAN subnet to ANY user= Joe, Web category = porn, country = romania, schedule = day, action block -> block page
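The three Example 3 policies as a small conceptual model, added here for illustration (not SonicWall code or SonicOSX configuration syntax). It shows how traffic that a 5-tuple rule cannot tell apart gets a different verdict once user, app, country and schedule are match criteria. The field names, top-down first-match order and default deny are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

CRITERIA = ("user", "app", "website", "web_category", "country", "schedule")

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # allow / deny / block
    extras: tuple = ()               # follow-up actions applied on a match
    user: Optional[str] = None       # None means ANY for that criterion
    app: Optional[str] = None
    website: Optional[str] = None
    web_category: Optional[str] = None
    country: Optional[str] = None
    schedule: Optional[str] = None

    def matches(self, flow: dict) -> bool:
        # Every criterion the policy sets must equal the flow's value.
        return all(getattr(self, c) in (None, flow.get(c)) for c in CRITERIA)

SERVICES = ("bwm=low", "log", "report", "ips", "gav", "as")

# The three policies of Example 3, in the order the article lists them.
POLICIES = [
    Policy("dave-bittorrent", "allow", SERVICES, user="Dave", app="bittorrent",
           country="sweden", schedule="off hours"),
    Policy("joe-youtube", "allow", SERVICES, user="Joe", website="youtube.com",
           country="romania", schedule="day"),
    Policy("joe-porn", "block", ("block page",), user="Joe", web_category="porn",
           country="romania", schedule="day"),
]

def evaluate(flow: dict, policies=POLICIES):
    """Return (policy name, action, extras) of the first matching policy."""
    for p in policies:               # assumption: top-down, first match wins
        if p.matches(flow):
            return p.name, p.action, p.extras
    return "default", "deny", ()     # assumption: unmatched traffic is denied

# Constructed flows: identical except for the schedule in effect.
FLOW_OFF_HOURS = {"user": "Dave", "app": "bittorrent", "country": "sweden",
                  "schedule": "off hours"}
FLOW_DAY = dict(FLOW_OFF_HOURS, schedule="day")

if __name__ == "__main__":
    joe = {"user": "Joe", "web_category": "porn", "country": "romania", "schedule": "day"}
    for flow in (FLOW_OFF_HOURS, FLOW_DAY, joe):
        print(evaluate(flow)[:2], flow)
```

Running it shows Dave's BitTorrent flow allowed off hours and falling through to the default during the day, even though nothing in its 5-tuple changed.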
NOTE: For more details/configurations using SonicOSX, please refer to What Is SonicOSX 7.0