Essential Credential Reset

Overview

This document contains three main sections containment, remediation and monitoring. Containment reduces the risk of an exposed firewall configuration being leveraged to gain access to the network. Remediation is the process of reconfiguring potentially exposed secrets and passwords. Monitoring will identify potential threat activity.

This article outlines the essential steps required to reset the credentials of commonly used features in SonicOS which may be configured to be accessible via the internet. These remediation steps include links to other resources such as KB articles and Admin Guides with step-by-step directions for resetting various passwords, shared secrets, encryption keys, and TOTP bindings across SonicOS.

Begin with the Containment section below.  Once containment is complete, you can proceed to the Remediation IF/THEN section to determine the recommended steps based on the features enabled on the target firewall.

Containment

Disable or restrict access to services from WAN

• Disable or restrict access to HTTP/HTTPS & SSH Management over the WAN.
• Disable or restrict access to SSL VPN, IPSEC VPN, and SNMP until the actions below have been completed.
• Disable or restrict inbound WAN access to internal services allowed via NAT/Access Rules.

It is very important that containment is done before moving on to the remediation steps.

Disabling or restricting access to the SSLVPN Service and Web/SSH Management over the WAN to known addresses helps to ensure that an attacker is unable to regain access to compromised user accounts after forcing a password change and/or resetting TOTP bindings. Additionally, due to the dependencies associated with changing passwords and shared secrets, it is also important to update the password in other relevant locations. Such locations may include, but are not limited to, the remote IPSec Gateways/peer VPN endpoints, LDAP/RADIUS servers, wireless clients, dynamic DNS providers, etc.

SonicOS 6.5.5.1 and 7.3.0 also contain enhancements that allow an administrator to restrict a user account’s access until the password has been changed, ensuring that users change their password from within the perimeter if desired. In the absence of this feature, disabling or restricting access from the WAN is the most effective course of action.

Disabling or restricting inbound access from the WAN to internal services can prevent any threat actor from regaining access to any potentially compromised systems.

NOTE: If managing via GMS, restricted inbound HTTPS may be required.  Proceed to the next section, Restricting access to HTTP/HTTPS/SSH Management, for details.

 

Disabling Access

Disabling access to HTTP/HTTPS/SSH Management

1. Navigate to NETWORK | System | Interfaces.
   
    
2. Edit each WAN interface. Disable the HTTPS/SSH Management options. Click OK.
    

 

Restricting access to HTTP/HTTPS/SSH Management

Alternatively, you can limit access to only known/trusted IP addresses if you are unable to disable management over the WAN completely. Refer to the KB article titled How can I enable or disable SonicWall firewall management access? for step-by-step instructions on restricting management access.

 

Disabling access to SSLVPN

1. Navigate to NETWORK | SSL VPN | Server Settings.
2. Under the SSL VPN STATUS ON ZONES header, disable the service on the WAN Zone.
    

 

Restricting access to SSLVPN

Alternatively, you can limit access to SSLVPN services to only known/trusted IP addresses if you are unable to disable SSLVPN completely. Refer to the KB article titled How to Disable Virtual Office Portal Access for step-by-step instructions on restricting SSLVPN access.

 

Disabling access to IPSec VPN

1. Navigate to NETWORK | IPSec VPN | Rules and Settings. Click on the Settings tab. Disable the Enable VPN option. Click OK.
    

 

Restricting access to IPSec VPN

Alternatively, you can limit IPSec VPN access to only known/trusted IP addresses if you are unable to disable IPSec VPN completely. Refer to the KB article titled How to restrict who can connect through GVC for step-by-step instructions on restricting access.

 

Disabling or restricting access to internal servers

Below are the brief steps. Refer to the KB titled How can I enable port forwarding and allow access to a server through the SonicWall? (Creating the necessary Firewall Access Rules) for more information.

1. Navigate to POLICY | Rules and Policies | Access Rules.
    
2. Filter the rules or use the search field to find rules that allow inbound access from the WAN zone or any WAN interfaces to internal servers.
3. Edit each applicable rule, disable the rule, then click Save. Alternatively, select each applicable rule and click Disable. Alternatively, the source address can be set to an Address Group object containing the known/trusted addresses that would be allowed through the rule.
   
    

 

Disabling SNMP

1. Navigate to DEVICE | Settings | SNMP.
   
    
2. On the SNMP tab, disable the Enable SNMP option. Click Accept. Refer to the SonicOS 7 Admin Guide (Enabling and Configuring SNMP Access) for more information.

 

Remediation

Remediation Overview

The following checklist provides a structured approach to ensure all relevant passwords, keys, and secrets are updated consistently. Performing these steps helps maintain security and protect the integrity of your SonicWall environment. The critical items are listed first. All other credentials should be updated at your convenience. Please note that the passwords, shared secrets, and encryption keys configured in SonicOS may also need to be updated elsewhere, such as with the ISP, Dynamic DNS provider, email provider, remote IPSec VPN peer, or LDAP/RADIUS server, just to name a few. Failure to do so can cause Internet and/or VPN outages or disruption to certain services such as authentication, log/alert forwarding, etc.

You may have received communication from SonicWall regarding a new preferences file to import into your firewall. The modified preferences file provided by SonicWall was created from the latest preferences file found in cloud storage. If the latest preferences file does not represent your desired settings, please do not use the file. Instead, please follow the documented instructions for manual remediation. For information on remediation using the provided preferences file, please refer to the Remediation through updated preferences file KB article.

 

 

SonicWall provides an online tool to assist in identifying services listed above that require remediation action. Follow the instructions provided in the tool here. (Note UPE Mode is not supported) 

To manually review a Remediation Playbook is also available with provides a checklist of IF/THEN actions covering the table above in detail. 

Detailed Remediation Steps

Users

 

Reset any passwords and TOTP that are saved on the firewall, including the following, as applicable.

Local Users - including accounts with (SonicOS) admin privileges.
 

• SSL-VPN 2FA: How to unbind TOTP for a single user or multiple users
• How admins can enforce password changes for local user accounts?

Below are the brief steps. Refer to the KB articles above for screenshots and more information.

 

1. Log into the SonicWall appliance, navigate to Device | Users | Local Users & Groups.
   
    
2. Reset the password and remove the TOTP binding from each user.
   
    

 

LDAP, TACACS+ and RADIUS servers – including any configured for SSO, Wireless interface and WLAN zone

• SonicOS 7.0 Admin Guide (User Login Settings)
• Integrating LDAP/Active Directory User Authentication
• Configuring RADIUS and LDAP authentication concurrently

Below are the brief steps. Refer to the above resources for more information.

 

1. Update the LDAP bind account password and/or RADIUS/TACACS+ shared secret on the LDAP, RADIUS, or TACACS server(s).
2. Navigate to DEVICE | Users | Settings.
    

 

3. Click the Configure button for LDAP, RADIUS, or TACACS+ (whichever applies to your environment).
    

LDAP Authentication

1. On the LDAP Servers tab, edit each Primary and Secondary LDAP server entries and update the password.
   
    

 

2. Replica/Backup entries do not have a configurable password.
3. On the LDAP Relay tab, update the RADIUS shared secret if this feature is enabled/in use. Refer to the SonicOS 7.0 Admin Guide (LDAP Relay) for more info.
    

 

RADIUS Authentication

1. On the Settings/RADIUS Servers tab, edit each RADIUS server entry and update the shared key.
   
   
    

TACACS+ Authentication

1. On the Settings/TACACS Servers tab, edit each RADIUS server entry and update the shared key.
   
   
    

 

IPSec VPN

IPSec VPN pre-shared keys – including, if applicable, those used for GMS

• How can I configure a Site to Site VPN policy using Main Mode?
• How can I configure IPSec Client based VPN for remote users?
• How can I setup Site to Site VPN with IKE2 Dynamic client Proposal?
• How Can I Setup Site To Site VPN With IKE2?
• SonicOS 7.0 Admin Guide (Enabling GMS Management)

Below are the brief steps. Refer to the above resources for more information.

Note: The shared secrets must be updated on both sides/IPSec Gateways of the VPN tunnel.

1. Navigate to NETWORK | IPSec VPN | Rules and Settings.
   
    
2. Edit each policy and update the shared secret. Click Save. The shared secret will need to be updated on the remote IPSec Gateway.
    

 

3. Update the encryption keys for the GMS IPSec Management Tunnel Mode, if applicable.
   1. Navigate to DEVICE | Settings | Administration.
       

 

2. Click Configure under the Advanced Management section. Update the encryption keys. Click OK.
   
    
3. Refer to the SonicOS 7.0 Admin Guide (Enabling GMS Management) for more information.
    

Network Interfaces/WAN Connectivity

Interface L2TP/PPPoE/PPTP password(s) and WWAN

• How can I configure the SonicWall WAN / X1 Interface with PPPoE connection?
• How can I configure the SonicWall WAN / X1 interface with L2TP connection?
• How to configure the SonicWall WAN /X1 Interface with PPTP Connection?

Below are the brief steps. Refer to the above resources for more information.

1. Update your L2TP/PPPoE/PPTP password with your provider.
2. Navigate to Network | System | Interfaces.
    

 

3. Edit the WAN or WWAN interface. Update the password and click OK.
4. If you use cellular WWAN with SonicWall Access Points, navigate to DEVICE | Access Points | Settings.
    

 

5. Edit each applicable Access Point Provisioning Profile. On the 3G/4G/LTE WWAN tab, update the password. Click OK.
   
   
    

Wireless

Wireless - Wi-Fi WAP/WAP2/WPA3/EAP pre-shared keys

1. Pre-shared keys can be configured for SonicWall internal wireless, SonicPoint/SonicWave Access Points, and Virtual Access Points. Refer to the following resources for more information.

• SonicOS 7.0 Admin Guide (Access Point Provisioning Profiles)
• SonicOS 7.0 Admin Guide (Virtual Access Point Objects)
• SonicOS 7.0 Admin Guide (Configuring WPA3/WPA2/WPA EAP Settings)
• SonicOS 7.0 Admin Guide (WPA/WPA2-PSK Encryption Settings)
• How to set Radius server (NPS) when using WPA-EAP, WPA2-EAP or WPA2-AUTO-EAP
• SonicOS 7 Internal Wireless Admin Guide
• SonicOS 7.0 Admin Guide (Internal Wireless/Configuring WPA3/WPA2/WPA EAP Settings)
  
   

Advanced Management

SNMP - SNMP Engine ID

1. Navigate to DEVICE | Settings | SNMP | User/Group.
    

 

2. Expand the default “* No Group *” entry and any custom groups. Edit each user entry and update its password. Click OK. Refer to the following resources for more information:
   1. Configuring SNMPv3 Engine IDs in SonicOSX
   2. Configuring SNMPv3 in SonicOS (5.9/6.1 & above)
   3. SonicOS 7.0 Admin Guide (Configuring SNMPv3 Engine IDs)

Cloud Secure Edge connector

1. Go to MySonicWall, locate the firewall connector, and Remove Association
   1. Log in to MySonicWall
   2. Go to the Products page and select the Tenant from the drop-down menu to which your device is registered.
   3. If you have the serial number and do not remember the Tenant, please select “All Tenants” from the drop down and search for the serial number to identify the Tenant Name.
      
      
   4. Once you have the Tenant, you can follow step (b) above to list all products under the Tenant.
   5. This will list all the products in this tenant.
   6. Select the serial number for the product name: SonicWall Cloud Secure Edge.
      
      
   7. Under the Product Details page, you can select the “Firewall Connection” link under “Associated Products” section.
      
      
   8. This will list all the connectors linked to this Cloud Secure Edge tenant.
   9. Click on the trash icon against the connector you would like to dissociate.
      
      
2. Wait 10 minutes.
3. Go to firewall. Toggle Enable Cloud Secure Edge Connectivity to Off. Click on Accept.
   
   
4. Toggle Enable Cloud Secure Edge Connectivity to On. Click on Accept.

Advanced Routing

NOTE: Not all auth tokens used in the advanced routing configuration are encrypted in the firewall configuration file. Therefore, it is imperative that you rotate the credentials used in advanced routing where possible.

Update the passwords associated with any advanced routing configuration. This should be done in coordination with the changes on the peer devices to minimize disruption. Refer to the following resources for more information:

• How to Setup OSPF between Multiple SonicWalls within the Same Area
• SonicOS 7.0 Admin Guide (Dynamic Routing / RIP) 

Creating New Golden Image Backup/Re-export Preferences

Re-export the preferences file and create a new system backup

SonicWall recommends exporting a new preferences file and creating a new system backup after reconfiguring all relevant credentials. Store the preferences file locally for safekeeping. Below are the brief steps. Refer to the KB titled How can I save a backup settings file from a SonicWall firewall? for more information.

1. Navigate to DEVICE | Settings | Firmware and Settings
2. Click Import/Export Configuration. Click Export Configuration. Click Export on the Export Configuration overlay. Save the file locally.
   
   
   
   
   

Monitoring using SonicOS Web UI

Logging

Review logs and recent configuration changes for unusual activity

1. Navigate to MONITOR | Logs | System Logs.
    

 

2. Use the available filters to review the events. Optionally, export the log to CSV for additional filtering within your spreadsheet application of choice.
   1. Filtering SonicWall event logs in SonicOS
   2. Modifying the log settings and levels
   3. SonicOS 7.0 Admin Guide (System Logs)
   4. Monitoring SSLVPN User Logins
   5. Configure Syslog to increase logging window

 

3. Navigate to MONITOR | Logs | Auditing Logs.
    

 

4. Review the log for unusual or unexpected changes.
   1. Optionally, export the log to CSV format for additional filtering within a spreadsheet application.