-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
GMS best practices when pushing firewall policies to groups
01/12/2024 
2 People found this article helpful
437,430 Views
Description
When pushing firewall policies (NAT/Access Rules/Address object/group/etc) within a GMS group to multiple firewalls it is important to note that the firewall zone settings will be modified to match the group zone settings. All zone settings will be modified on that firewall's zone to match the GMS group setting for that zone.
If there are different firewalls that do or do not use certain security services, or SSLVPN, it is important to group those firewalls into their own separate groups.
If not, there is a potential to toggle off or on SSLVPN on the WAN zone when pushing a WAN zone address object to the group.
Resolution
In this example the GMS group settings have SSLVPN enabled and different security services toggled on.
When we look at the first firewall within the group, we can see that SSLVPN is disabled.
As an example, If we create a WAN zone object in the group and push it to this firewall using forward inheritance, it will toggle SSLVPN on within that firewall's WAN zone, to match the other security services settings within the WAN zone.
This is by design and expected behavior.
If you have a deployment that runs different zone settings among different firewalls it requires you to split those into different groups within GMS.
Best Practice Scenario
In this scenario we have one deployment that has SSLVPN disabled and the rest enabled.
The second group has SSLVPN enabled.
With these broken down into two separate groups this ensures pushing address objects to each respective group. They will continue to operate with the same zone settings after the address object push to the firewalls.
For instructions on creating new groups and views click the link below
https://www.sonicwall.com/support/knowledge-base/creating-a-custom-view-in-gms/170502944462349/
Configuration Changes
Before making global or group level configuration changes and firmware upgrades, a GMS administrator should apply the change at a unit level, and then test it with a group node that has two to three firewalls. If both tests lead to expected results without causing any side effects or bringing down management access to the remotely managed units, the GMS administrator can push the changes to a larger group or global level node in GMS.
Related articles below on how to push group settings to multiple firewalls within GMS
https://www.sonicwall.com/support/knowledge-base/how-to-use-forward-inheritance/170502594863192/
https://www.sonicwall.com/support/knowledge-base/how-to-use-reverse-inheritance/170502466760286/
Related Articles
- How to Expand the HDD of a GMS Virtual Appliance
- How to create a template in NSM
- How to edit Device Groups in NSM
YES
NO