- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
MITM Man-in-the-middle attack or HTTP Strict Transport Security (HSTS) recommendations
04/29/2021 
0 People found this article helpful
83,546 Views
Description
Is SMA1000 vulnerable to HTTP Strict Transport Security (HSTS) attacks
Cause
HTTP Strict Transport Security (HSTS) is an security enhancement that is specified by a web application through the use of a special response header.
Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will
instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
Resolution
SonicWall SMA1000 devices are recommended to be placed behind Firewall and only Specific Ports to be allowed for VPN access:
- 443 SSL Tunneling
- 4500 UDP for ESP Tunneling
- 53 UDP/DNS
- Any Custom Defined URL Ports.
- SonicWall does not recommend to have AMC access over Internet. AMC access on Port 8443 is recommended to be accessed internally with proper certificate assigned for AMC access.
Securing VPN Access:
-MA Device are to be applied with below CEM Value(s) Note: Recommended to get this applied under Support Guidance.
1. Log in to AMC.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and hit return.
4. Click on Configure under the new section Configuration extensions.
5. Click New
6. For the Key field, put in EW_ENABLE_HSTS
7. For the Value field, put in true
8. Click OK.
9. Click Save,
10. Apply Changes (this will force an apply-all, making the changes take effect).
Note: For CMS Deployment CEM Values could be pushed to Management Appliances.
1. Log in to AMC.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and hit return.
4. Click on Configure under the new section Configuration extensions
On policy synchronization, overwrite all CEMs on the managed appliances with CEMs on the CMS
Note:
- Post Save and apply pending changes would restart services. Such changes would impact Connected users.
- Management Console Access and Workplace are to be with Valid and Trusted Certificates
- Management Console Access is always recommended from Internal Trusted Network.
- Management Console to be accessed or tied with External Auth-Server or 2FA.
- Scans run against Management console are false positive and does not affect SMA1000 devices.
Related Articles
- CT with Device Guard is stuck on Identifying when GVC Client is installed
- SMA1000: CT compatibility with 3rd party VPN clients like GVC, Citrix and Fortinet
- How can I upgrade firmware in SMA 1000 series appliance?
YES
NO