SonicWall SMA1000 OS 12.4 is supported by SMA1000 models 6200, 6210, 7200, 7210, 8200v and CMS. The following FAQ addresses questions related to the latest firmware release.
Where can I download the latest firmware? The latest SMA firmware is available for download on mysonicwall.com. Customers with active support contracts are eligible to upgrade to this version.
What are the key features? The latest SMA firmware release includes, among other enhancements, the following features:
• CMS + GTO + Global HA
• CMS Licensing (Subscription, Perpetual, Email, Spike)
• Biometric Identity Verification
• EPC OPSWAT OESIS v4 Update (Anti-Malware)
• Capture ATP Enhancements
• SAML IdP
• Always ON VPN
• CMS on AWS Cloud and Azure
• TOTP (Google, Microsoft, DUO)
• SMS Gateway Integration
• Device VPN
• Global HA w/ Disaster Recovery (DR) and Load Based Redirection
• CMS Centralized Certificate Management and FIPS Licensing
• SMA8200v on AWS/Azure
• Dynamic Run Time Forms based SSO
• TLS v1.3 support
• Microsoft Intune
• Let’s Encrypt
• Connect Tunnel Support on Win10 Surface ProX and macOS M1 (devices w/ ARM processors)
• SMA 8200v on ESXi, Hyper-V and KVM
• CMS on ESXi, Hyper-V and KVM
What are the actively supported releases on the SMA 100 and 1000 series as of March 2021?
Actively Supported Releases on SMA100 series: 9.x and 10.2.x
Actively Supported Releases on SMA1000 series: v12.1 and v12.4
How do I deploy Capture ATP on SMA?
We no longer offer a Capture ATP free trial. The following SKUs are needed to enable Capture ATP on the SMA 100 and 1000 series:
• 02-SSC-0412 CAPTURE ADVANCED THREAT PROTECTION FOR SMA 200/210/400/410/500V 1YR
• 02-SSC-0413 CAPTURE ADVANCED THREAT PROTECTION FOR SMA 200/210/400/410/500V 3YR
• 02-SSC-0399 CAPTURE ADVANCED THREAT PROTECTION FOR SMA CMS 1YR
• 02-SSC-0400 CAPTURE ADVANCED THREAT PROTECTION FOR SMA CMS 3YR
What resources are available for me to find more information on SMA and CMS? Subscribe to the SMA Sales pack to keep up-to-date on all the latest resources available. The following new resources are made available for this new release.
• A new datasheet for SMA (combined SMA 100 series and SMA 1000 series). The datasheet is up to date with new features and a model by model comparison table.
• A new datasheet for CMS.
• SMA courses are available on SonicWall University.
What are the licenses accompanying the SMA OS 12.4 release? SMA 12.4 release has 4 new user licensing options (these are not backward compatible):
• Email user licenses (Subscription)
  ° Allow ActiveSync and Outlook Anywhere connections to be licensed (and sold) separately.
• CMS-based Spike licenses
  ° Spike user licenses are “full” user licenses and allow any type of connection (tunnel, web, ActiveSync).
  ° Allow temporary increases in licenses to meet sudden increase in demand for licenses due to inclement weather or disaster.
• Perpetual pooled licenses
  ° CMS-based user licenses that do not expire.
  ° They allow any type of connection (tunnel, web, ActiveSync).
  ° Customers will need to purchase the corresponding support contracts.
• Capture ATP licensing
  ° No-cost trial license of Capture licensed through CMS.
What are the differences in the 3 Licensing Models?
• Email user licenses (Subscription) – these are user licenses that allow ActiveSync and Outlook Anywhere connections to be licensed separately.
• Perpetual licenses – these are user licenses that do not expire and allow any type of connection (tunnel, web, ActiveSync). Customers will need to purchase the corresponding support contracts.
• Spike licenses – these are “full” user licenses and allow any type of connection (i.e. tunnel, web, ActiveSync). They allow temporary increases in licenses to meet a sudden increase in demand for licenses due to inclement weather or disaster.
Subscription based license
Perpetual license with support
What are the licensing options for SMA 1000 Series? The license options are:
• SMA CMS-Pooled Subscription User Licenses
  ° Full User Licenses
  ° Email User Licenses
• SMA CMS-Pooled Perpetual User Licenses with Support
• SMA CMS Spike Licenses
• SMA CMS Capture ATP License
• SMA CMS FIPS License
• SMA Standalone SMA FIPS Licensing
• Standalone SMA Stackable/Perpetual User Licenses with Support
• Standalone SMA Spike Licensing
What is Pooled Licensing, Subscription or Perpetual? Pooled Licensing allows CMS to share a pool of user licenses among managed appliances.
Managed appliances do not have their own user licenses and share the common pool of licenses. Customers with appliances that are globally distributed can use their licenses more efficiently with central user licenses, where user demand peaks in one geographic area while it falls in a different geographic area due to off-work/night hours. Appliances that are in a datacenter can share licenses instead of having individual licenses for each appliance. When new or replacement appliances (physical or virtual) are added under CMS management, they get to share the pool of central user licenses.
How does Pooled Licensing work? User licenses do not have to be applied to individual SMA appliances. The pooled licensing allows user licenses to be shared among the managed appliances.
Pooled Licensing makes use of a distributed data store to keep track of license usage. The distributed data store has storage nodes on multiple appliances so that central user licensing is resilient to the failure of (or communication loss with) the CMS or any one appliance.
When will the new license SKUs be available? The license SKUs will be available from the SonicWall February 2020 pricelist.
What is the difference between email license and full license? Starting with SMA OS 12.4, there are three new types of user licenses that customers can choose to deploy:
• Full license: A full central user license permits a connection of any of the following connection types - VPN tunnel, web, ActiveSync or Outlook Anywhere.
• Tiered license: A tiered central user license permits a connection of a specific connection type - VPN tunnel, web, ActiveSync or Outlook Anywhere.
• Email license: An email license is a tiered license that permits an ActiveSync or Outlook Anywhere connection.
Can I deploy a mix of email licenses (subscription) and full CMS user licenses (subscription or perpetual)? Yes, customers can choose to deploy a combination of tiered (email) licenses and full CMS user licenses, subscription or perpetual. The CMS and all managed appliances must be on 12.1 or higher for tiered licensing to work.
What happens when an ActiveSync request is made and I have only a full user license? If all Email licenses are consumed and an ActiveSync connection request is made (and full licenses are available), then a full license will be used.
Do I need to enable GTO for Email licensing? Email licensing does not require GTO to be enabled.
How do CMS Spike licenses work? A spike license (for a day) is automatically activated if the user session count exceeds the CMS user license count (+ 10% grace). The Admin can choose to turn off automatic spikes. When a spike is active, it allows the appliances to service up to the sum of:
• CMS base license max user count
• Spike license max user count
What types of user licenses does Spike licensing support? Spike licenses can be applied to a CMS with a subscription user license or perpetual user license. A spike license allows any of the following user license types to spike:
• Subscription full user license
• Subscription tiered user licenses
• Perpetual full user license
How do I know when the spike license is being used? CMS Dashboard (and licensing page) indicates that a spike is in effect.
What happens to Spike licenses when subscription licenses expire? When a spike license is installed on a CMS with a subscription user license (tiered or full) and the subscription license expires, the spike will remain enabled.
Are perpetual User licenses stackable? Perpetual CMS licenses are stackable. Licensed user counts from stacked licenses get summed. A perpetual CMS user license cannot be stacked with a subscription CMS user license.
• A customer purchases an SMA appliance with a 5 User license SKU. The customer then adds a 25 User license. Combined, the customer now has a total of 30 user licenses.
• SonicWall recommends that the customer purchase a corresponding support license. The customer would purchase a support license SKU supporting up to 50 users.
• A customer purchases an SMA appliance with the corresponding support for up to 100 users. The customer then orders an additional 25 User license. Since support SKUs are stackable, the customer would purchase a support license SKU supporting up to 25 users in this scenario. Combined, the customer now has support for up to 125 users. The stackable support duration will be recalculated through co-termination logic. Refer to What Is Service Co-Termination? for full detail.
What are the different types of VPN Clients and the differences between them?
• Mobile Connect: Works with all SMA models. The client supports iOS, OS X, Android, Chrome OS, and Windows 10. Ideal for the use case that requires biometric authentication, per-app VPN and endpoint control enforcement.
• Connect Tunnel: Works with all SMA 1000 Series including the 8200v virtual model. The client supports Windows, macOS, and Linux. Ideal for the use case that demands complete “in-office” experience with robust endpoint control.
• NetExtender: Works with all SMA 100 Series including the 500v virtual model. The client supports Windows and Linux. Ideal for the use case that needs to enforce granular access policies and extend network access through native clients.
Deciding between Connect Tunnel Client and Mobile Connect when using Windows PC and macOS computer? SonicWall recommends that SMA 1000 customers use the Connect Tunnel client for Windows and macOS PCs instead of the Mobile Connect client. The Connect Tunnel client employs all the features of Advanced End-Point Control (EPC). Mobile Connect is better suited for use on mobile devices like iOS and Android devices.
What are the enhancements to GHA and license management? License management/regulation no longer requires active CMS participation. The enhanced GHA feature uses a global distributed data store to share state between appliances. The new data store is also used to keep track of and regulate user license consumption by appliances.
How long are the leased licenses valid on an SMA appliance? The “leased license” issued to each appliance by the CMS has a validity of 7 days and a user count equal to the max user licenses on the CMS. An orphaned appliance (one that is unable to communicate with the CMS) can run for 7 days on its leased license.
What are the HTML5 enhancements? HTML5 enhancements include:
• Printer Redirection
• HTML5 File Transfer Integration (Modern File Explorer in Workplace)
• Time Zone Redirection
• Client Computer Name
• Load Balance Info – TS Farm
• AMC Control to allow/disallow end user editing of options
• Expanded Keyboard Support
• RDP Option Import
• Ability to control HTML5 Client app in MC
Until what time will the OESIS V3 libs be supported by OPSWAT? The OESIS V3 libs have already been declared out of support by OPSWAT. However for existing customers like SonicWall, OPSWAT will continue supporting them for some more time. The current Advanced End Point Control OPSWAT supports only version 4. Upgrading to 12.4 or importing an older version configuration into a 12.4 appliance requires OPSWAT v4 clean EPC device profiles.
What should the customers on versions 11.4.x, 12.0.x, 12.3.x or older do? SonicWall recommends all customers to upgrade to the latest firmware to leverage the benefits of OESIS V4 as well as to avoid the risk of going into a mode where the EPC Anti-malware and Firewall product definitions are not constantly updated and kept current via mysonicwall.com. 11.4.x hit end of support on 1 November 2019. 12.0.x hit end of support on 31 October 2018. 12.3.x hit end of support on 31 January 2021. https://www.SonicWall.com/support/product-lifecycle-tables/SonicWall-secure-mobile-access/software/
NOTE: It is strongly recommended that customers/partners upgrade their CMS/SMA appliances to the latest/actively supported feature release and client/platform hotfixes w.r.t 12.4 and 12.1 firmware, respectively, and stay up to date from feature set, performance and security standpoint.
I have upgraded to the latest version and I see warnings on the Management Console against a few device profiles saying "There are device profiles using OPSWAT V3 attributes" and a tool tip saying "OPSWAT V3 attributes are deprecated". What am I expected to do? We suggest that you delete the existing profiles and recreate them. The new profiles will by default be OESIS V4 profiles.
I understand that all newly created profiles should be OESIS V4 compliant since OESIS V3 support may be stopped anytime. However for some unavoidable reasons, I need to create a new OESIS V3 compliant profile. Can I do that? Even though it's not recommended, you can override the default behavior and create a new OESIS V3 compliant device profile by adding a CEM value in the management console: MGMT_ALLOW_NEW_OPSWAT_V3=true.
Will the OESIS V4 compliant profiles work for older Connect Tunnel clients like 12.0.x or 11.4.x? No, the clients will need to be upgraded to the latest firmware in order to work based on the new OESIS V4 device profiles. Ideally the Administrator should make use of the "Forced" or "Required" setting under the page: "Access Methods | Network Tunnel Client Settings" until all end users upgrade their clients to the latest version.
Are there any changes in the existing functionality of Signature update, File system scanned and Real-time Protection required? No, there are no changes in the functionality of signature update and Real-time Protection. However, there is a minor change for File System Scanned: in OESIS V4 we support a "full" scan of the system. When using the "Any product from this vendor" option, depending on the vendor and the features their products support, there are some differences in what can be set between OPSWAT v3 and v4.
I see a new category "Antimalware Program" replacing the Antivirus Program and Antispyware Program. What has changed? Nothing much has changed except that the two categories, i.e. Antivirus and Antispyware have been merged to Antimalware. This is because a lot of products nowadays qualify in both categories.
What will happen if 11.4 or 12.0 clients try to connect to an appliance that is using V4 profiles? The 11.4 and 12.0 clients should be able to upgrade to latest version and should be able to connect and work normally thereafter. However if the force/ required option for upgrade is not enabled at the Management Console, and the user does not choose to upgrade at the time of connecting, the user may or may not be able to connect. In such a scenario, the users may be able to connect only if there is at least one OESIS V3 compliant device profile that qualifies the user to be classified successfully into a zone.
NOTE: It is strongly recommended that customers/partners upgrade the SMA appliances part of the CMS cluster to the latest/actively supported feature release and client/platform hotfixes w.r.t 12.4 and 12.1 firmware FIRST. After successful upgrade of the SMA appliances, the CMS should be upgraded to the identical, latest/actively supported feature release and client/platform hotfixes w.r.t 12.4 and 12.1 firmware. The CMS and SMA appliances part of the cluster MUST be on the SAME latest/actively supported feature release and client/platform hotfixes w.r.t 12.4 and 12.1 firmware respectively.
What is CMS?
SonicWall Central Management Server (CMS) provides organizations, distributed enterprises and service providers with a powerful and intuitive solution to centrally manage and rapidly deploy SonicWall Secure Mobile Access (SMA1000 series) solutions.
CMS streamlines security policy management and appliance deployment, minimizing administration overhead. Administrators can cluster SMA1000 appliances through CMS for high availability, scalability and optimal total cost of ownership (TCO).
What are the key features of CMS?
• Centralized User Licensing (Pooled Licensing or License Sharing across managed SMA1000 appliances)
• Global Traffic Optimization
• Global High Availability and Disaster Recovery
• Single Pane Of Glass for Configuration, Management, Alerts w/ SNMP Notifications, Monitoring and Reporting
• Capture ATP
• Ability to scale up to 100 SMA1000 appliances and 1 Million Concurrent Users
What is the latest firmware available for CMS? SMA1000 v12.4
Is CMS available in physical form factor? No. CMS is a virtual appliance.
Is CMS supported on private cloud and public cloud? Yes. CMS is supported on ESXi, Hyper-V and KVM* (private cloud) and AWS/Azure (public cloud). *KVM support is added from 12.4.1.
What are the SMA1000 appliances supported by CMS on firmware v12.4? SMA 6200, 6210, 7200, 7210 and 8200v.
What are the CMS base appliance licenses?
• 01-SSC-8535 SMA CMS BASE + 3 APPLIANCES LICENSE USED WITH SUBSCRIPTION USER LICENSES
• 01-SSC-8536 SMA CMS 100 APPLIANCES LICENSE 1YR USED WITH SUBSCRIPTION USER LICENSES
• 02-SSC-1464 SMA CMS 100 APPLIANCES LICENSE 3YR USED WITH SUBSCRIPTION USER LICENSES
• 01-SSC-3369 SMA CMS BASE + 3 APPLIANCES LICENSE NON-TRIAL USED WITH PERPETUAL USER LICENSES
• 01-SSC-3402 SMA CMS 100 APPLIANCES LICENSE 1YR NON-TRIAL USED WITH PERPETUAL USER LICENSES
• 02-SSC-1465 SMA CMS 100 APPLIANCES LICENSE 3YR NON-TRIAL USED WITH PERPETUAL USER LICENSES
Could you please share some of the CMS subscription pooled licenses?
• 01-SSC-2401 SMA CMS POOLED LICENSE 50 USER 1YR
• 01-SSC-2402 SMA CMS POOLED LICENSE 50 USER 3YR
• 01-SSC-8537 SMA CMS POOLED LICENSE 100 USER 1YR
• 01-SSC-8540 SMA CMS POOLED LICENSE 100 USER 3YR
Could you please share some of the CMS perpetual pooled licenses?
• 01-SSC-2054 SMA POOLED PERPETUAL FULL LICENSE 50 USER
• 01-SSC-2055 SMA POOLED PERPETUAL FULL LICENSE 100 USER
Could you please share the Capture ATP licenses for CMS?
• 02-SSC-0399 CAPTURE ADVANCED THREAT PROTECTION FOR SMA CMS 1YR
• 02-SSC-0400 CAPTURE ADVANCED THREAT PROTECTION FOR SMA CMS 3YR
Could you please share the FIPS ADD ON SKU for CMS? 02-SSC-0401 SMA CMS FIPS ADD-ON
Could you please share some of the spike licenses for CMS?
• 01-SSC-2109 SMA CMS SPIKE ADD-ON LICENSE 100 USER 5 DAYS
• 01-SSC-2111 SMA CMS SPIKE ADD-ON LICENSE 1,000 USER 5 DAYS
CMS Dashboard, Monitoring and Reporting Screenshots
• CMS Dashboard
• Monitoring and Reporting of User Sessions w/ Custom Filters
• Monitoring and Reporting for Resource Access for each user
• Statistical Reporting for SMA Appliances
• Statistical Reporting for Resource Access
• Statistical Reporting for Bandwidth Usage per User
How does GTO load balance? What factors are considered when establishing a connection through GTO? DNS is the only mechanism available, and the term "load balancing" is generally avoided because we are not a traditional load balancer. The primary factor is distance to the appliance, with the closest appliance taking the highest priority. Distance being equal, the appliance "load score" is used to determine the appliance that will likely have the best user experience.
Can appliances under the CMS have the same static IP pool? Static pools are not overwritten on appliances when policy sync is performed. This will occur only if the "force" option is selected. From 12.4.1 forward, all address pool management can be done on CMS via "CMS Address Pools".
Why are the license expiry dates on CMS and SMA different from MSW? CMS acquires licensing for 30 days and SMA gets a license lease for 7 days. The expiry dates get updated daily as long as the SMA can communicate with the CMS.
Can we schedule configuration backups from CMS? No. Additionally, live snapshots of CMS/SMA VMs are not supported; switch off the VM before taking snapshots/backups.
Does CMS require Client hot fixes? Client hotfixes should also be installed on the CMS so that it can keep track of which sessions are on "current" client versions.
Can we change certificates used by workplace through CMS? There have been improvements in certificate handling for 12.4.1, both with Let's Encrypt, which will auto-renew for all appliances, and with the workflow when replacing a certificate on all managed appliances.