Scanning results flags enablement of TLS 1.0 and 1.1 on SonicWall UTM

Description

The scanning results indicate that TLS 1.0 and 1.1 are enabled on the SonicWall UTM, which can pose security risks due to outdated encryption protocols. This issue may occur if the firewall’s WAN management settings allow HTTPS access, legacy settings are not updated, or a misconfiguration retained insecure protocols. Disabling TLS 1.0/1.1 and enforcing TLS 1.2+ is recommended to maintain security compliance.

Resolution

NOTE: SonicWall Firewall does not allow traffic with TLS 1.0 and 1.1 over HTTP/ HTTPS.

1. Navigate to diag page of the unit [Refer this link] and with CRTL+F search keyword 'TLS'
2. You should see and make sure the settings are as below by default (unless changed )

image

 

3. Please perform a packet capture on the Destination IP and allow HTTP/HTTPS management and then check the results to observe what version of SSL/TLS is reported for the protocol version.  


For demo purpose :

a. The test is being shown from a LAN machine [192.18.168.65] on the firewall accessing management page on port 443


NOTE: Please disable the option shown below before doing a capture



 

b. Capture the traffic for Destination port 443 (or the customized management port) 

c. Export the pcap as PcapNG and analyze over Wireshark : 

image

** An Alternate way to confirm the same is via doing a Nmap test

What is Nmap?

Nmap (Network Mapper) is an open-source tool used for network discovery, security auditing, and penetration testing. It helps identify live hosts, open ports, running services, and security vulnerabilities on a target system or network.

Below is shown for Windows : 

To run the Nmap command, you need a terminal or command prompt. Here’s what to use depending on your operating system:

For Windows : 

  • Download & Install Nmap
  • Get the latest Nmap from nmap.org.
  • Install it and make sure to check the box for "Install Ncap" (needed for scanning).
  • Run Nmap from Command Prompt or Powershell
  • Open Command Prompt (cmd.exe) or Powershell.
  • Run the command: nmap --script ssl-enum-ciphers -p 443 <firewall_ip>


    image

 

NOTE: If the problem still continues, Please collect the pcap, nmap result, TSR and reach out to Sonicwall Support OR raise a Technical Support Ticket via your Mysonicwall.com account. 

Related Articles

  • How to block ICMP (Ping ) using Application control
    Read More
  • SonicWall GEN8 TZ and NSa Firewalls FAQ
    Read More
  • How to configure Link Aggregation
    Read More

Categories

Firewalls
SonicWall NSA Series
Firewalls
TZ Series
not finding your answers?
Ask the Community