SonicWall SMA OS 12.4 is supported by SMA models 6210, 7210 and 8200v. The following FAQ addresses questions related to the latest firmware release.
Where can I download the latest firmware?
The latest SMA firmware is available to download on mysonicwall.com. Customers with active support contracts are eligible for the upgrade to this version.
What are the key features?
The latest SMA firmware release includes, along with other enhancements, the following features (the list is not exhaustive):
• CMS + GTO + Global HA
• CMS Licensing (Subscription, Perpetual, Email, Spike)
• Biometric Identity Verification
• EPC OPSWAT OESIS v4 Update (Anti-Malware)
• Capture ATP Enhancements
• SAML IdP
• Always ON VPN
• CMS on AWS Cloud
• TOTP (Google, Microsoft, DUO)
• SMS Gateway Integration
• Device VPN
• Global HA w/ Disaster Recovery (DR) and Load Based Redirection
• CMS Centralized Certificate Management and FIPS Licensing
• CMS on Azure
• SMA8200v on AWS/Azure
• Dynamic Run Time Forms based SSO
• TLS v1.3 support
What are the actively supported releases on the SMA 100 and 1000 series as of March 2021?
Actively supported releases on the SMA 100 series: 9.x and 10.2.x
Actively supported releases on the SMA 1000 series: v12.1 and v12.4
How do I deploy Capture ATP on SMA?
We no longer offer a free trial of Capture ATP. The following SKUs are needed to enable Capture ATP on the SMA 100 and 1000 series:
• 02-SSC-0412 CAPTURE ADVANCED THREAT PROTECTION FOR SMA 200/210/400/410/500V 1YR
• 02-SSC-0413 CAPTURE ADVANCED THREAT PROTECTION FOR SMA 200/210/400/410/500V 3YR
• 02-SSC-0399 CAPTURE ADVANCED THREAT PROTECTION FOR SMA CMS 1YR
• 02-SSC-0400 CAPTURE ADVANCED THREAT PROTECTION FOR SMA CMS 3YR
What resources are available for me to find more information on SMA and CMS?
Subscribe to the SMA Sales pack to keep up to date on all the latest resources available. The following new resources are made available for this new release:
• A new datasheet for SMA (combined SMA 100 series and SMA 1000 series). The datasheet is up to date with new features and a model-by-model comparison table.
• A new datasheet for CMS.
• SMA courses are available on SonicWall University.
What are the licenses accompanying the SMA OS 12.4 release?
The SMA 12.4 release has 4 new user licensing options (these are not backward compatible):
• Email user licenses (Subscription)
  ° Allow ActiveSync and Outlook Anywhere connections to be licensed (and sold) separately.
• CMS-based Spike licenses
  ° Spike user licenses are “full” user licenses and allow any type of connection (tunnel, web, ActiveSync).
  ° Allow temporary increases in licenses to meet a sudden increase in demand for licenses due to inclement weather or disaster.
• Perpetual pooled licenses
  ° CMS-based user licenses that do not expire.
  ° They allow any type of connection (tunnel, web, ActiveSync).
  ° Customers will need to purchase the corresponding support contracts.
• Capture ATP licensing
  ° No-cost trial license of Capture licensed through CMS.
What are the differences in the 3 Licensing Models?
• Email user licenses (Subscription) – these are user licenses that allow ActiveSync and Outlook Anywhere connections to be licensed separately.
• Perpetual licenses – these are user licenses that do not expire and allow any type of connection (tunnel, web, ActiveSync). Customers will need to purchase the corresponding support contracts.
• Spike licenses – these are “full” user licenses and allow any type of connection (i.e. tunnel, web, ActiveSync). They allow temporary increases in licenses to meet a sudden increase in demand for licenses due to inclement weather or disaster.
Subscription based license
Perpetual license with support
What are the licensing options for SMA 1000 Series?
The license options are:
• SMA CMS-Pooled Subscription User Licenses
  ° Full User Licenses
  ° Email User Licenses
• SMA CMS-Pooled Perpetual User Licenses with Support
• SMA CMS Spike Licenses
• SMA CMS Capture ATP License
• SMA CMS FIPS License
• SMA Standalone SMA FIPS Licensing
• Standalone SMA Stackable/Perpetual User Licenses with Support
• Standalone SMA Spike Licensing
What is Pooled Licensing, Subscription or Perpetual?
Pooled Licensing allows CMS to share a pool of user licenses among managed appliances.
Managed appliances do not have their own user licenses and share the common pool of licenses. Customers with globally distributed appliances can use their licenses more efficiently with central user licenses, because user demand peaks in one geographic area while it falls in a different geographic area due to off-work/night hours. Appliances that are in a datacenter can share licenses instead of having individual licenses for each appliance. When new or replacement appliances (physical or virtual) are added under CMS management, they get to share the pool of central user licenses.
How does Pooled Licensing work?
User licenses do not have to be applied to individual SMA appliances. The pooled licensing allows user licenses to be shared among the managed appliances.
Pooled Licensing makes use of a distributed data store to keep track of license usage. The distributed data store has storage nodes on multiple appliances so that central user licensing is resilient to the failure of (or communication loss with) the CMS or any one appliance.
When will the new license SKUs be available?
The license SKUs will be available from the SonicWall February 2020 pricelist.
What is the difference between email license and full license?
Starting with SMA OS 12.4, there are three new types of user licenses that customers can choose to deploy:
• Full license: A full central user license permits a connection of any of the following connection types - VPN tunnel, web, ActiveSync or Outlook Anywhere.
• Tiered license: A tiered central user license permits a connection of a specific connection type - VPN tunnel, web, ActiveSync or Outlook Anywhere.
• Email license: An email license is a tiered license that permits an ActiveSync or Outlook Anywhere connection.
Can I deploy a mix of email licenses (subscription) and full CMS user licenses (subscription or perpetual)?
Yes, customers can choose to deploy a combination of tiered (email) licenses and full CMS user licenses, subscription or perpetual. The CMS and all managed appliances must be on 12.1 or higher for tiered licensing to work.
What happens when an ActiveSync request is made and I have only a full user license?
If all Email licenses are consumed and an ActiveSync connection request is made (and full licenses are available), then a full license will be used.
Do I need to enable GTO for Email licensing?
Email licensing does not require GTO to be enabled.
How do CMS Spike licenses work?
A spike license (for a day) is automatically activated if the user session count exceeds the CMS user license count (+ 10% grace). The Admin can choose to turn off automatic spikes. When a spike is active, it allows the appliances to service up to the sum of:
• CMS base license max user count
• Spike license max user count
What types of user licenses does Spike licensing support?
Spike licenses can be applied to a CMS with a subscription user license or perpetual user license. A spike license allows any of the following user license types to spike:
• Subscription full user license
• Subscription tiered user licenses
• Perpetual full user license
How do I know when the spike license is being used?
The CMS Dashboard (and licensing page) indicates that a spike is in effect.
What happens to Spike licenses when subscription licenses expire?
When a spike license is installed on a CMS with a subscription user license (tiered or full) and the subscription license expires, the spike will remain enabled.
Are perpetual User licenses stackable?
Perpetual CMS licenses are stackable. Licensed user counts from stacked licenses get summed. A perpetual CMS user license cannot be stacked with a subscription CMS user license.
• A customer purchases an SMA appliance with a 5 User license SKU. The customer then adds a 25 User license. Combined, the customer now has a total of 30 user licenses.
• SonicWall recommends that the customer purchase a corresponding support license. The customer would purchase a support license SKU supporting up to 50 users.
• A customer purchases an SMA appliance with the corresponding support for up to 100 users. The customer then orders an additional 25 User license. Since support SKUs are stackable, the customer would purchase a support license SKU supporting up to 25 users in this scenario. Combined, the customer now has support for up to 125 users. The stackable support duration will be recalculated through co-termination logic. Refer to What Is Service Co-Termination? for full detail.
What are the types of VPN Clients?
Customers have the flexibility to decide the right VPN client that suits their needs. There are three possible choices:
• Mobile Connect
• Connect Tunnel
• NetExtender
What are the differences between them (VPN Clients)?
• Mobile Connect: Works with all SMA models. The client supports iOS, OS X, Android, Chrome OS, and Windows 10. Ideal for the use case that requires biometric authentication, per-app VPN and endpoint control enforcement.
• Connect Tunnel: Works with all SMA 1000 Series including the 8200v virtual model. The client supports Windows, macOS, and Linux. Ideal for the use case that demands a complete “in-office” experience with robust endpoint control.
• NetExtender: Works with all SMA 100 Series including the 500v virtual model. The client supports Windows and Linux. Ideal for the use case that needs to enforce granular access policies and extend network access through native clients.
How do I decide between the Connect Tunnel client and Mobile Connect when using a Windows PC or macOS computer?
SonicWall recommends that SMA 1000 customers use the Connect Tunnel client on Windows PCs and macOS computers instead of the Mobile Connect client. The Connect Tunnel client employs all the features of Advanced End-Point Control (EPC). Mobile Connect is better suited for use on mobile devices such as iOS and Android devices.
What are the enhancements to GHA and license management?
License management/regulation no longer requires active CMS participation. The enhanced GHA feature uses a global distributed data store to share state between appliances. The new data store is also used to keep track of and regulate user license consumption by appliances.
How long are the leased licenses valid on an SMA appliance?
The “leased license” issued to each appliance by the CMS has a validity of 7 days and a user count equal to the max user licenses on the CMS. An orphaned appliance (one that is unable to communicate with the CMS) can run for 7 days on its leased license.
What are the HTML5 enhancements?
HTML5 enhancements include:
• Printer Redirection
• HTML5 File Transfer Integration (Modern File Explorer in Workplace)
• Time Zone Redirection
• Client Computer Name
• Load Balance Info – TS Farm
• AMC Control to allow/disallow end user editing of options
• Expanded Keyboard Support
• RDP Option Import
• Ability to control HTML5 Client app in MC
Until what time will the OESIS V3 libs be supported by OPSWAT?
The OESIS V3 libs have already been declared out of support by OPSWAT. However, for existing customers like SonicWall, OPSWAT will continue supporting them for some more time. The current Advanced End Point Control supports only OPSWAT version 4. Upgrading to 12.4, or importing an older version configuration into a 12.4 appliance, requires clean OPSWAT v4 EPC device profiles.
What should the customers on versions 11.4.x, 12.0.x, 12.3.x or older do?
SonicWall recommends that all customers upgrade to the latest firmware to leverage the benefits of OESIS V4, and to avoid the risk of entering a mode where the EPC Anti-malware and Firewall product definitions are no longer constantly updated and kept current via mysonicwall.com. 11.4.x hit end of support on 1 November 2019. 12.0.x hit end of support on 31 October 2018. 12.3.x hit end of support on 31 January 2021.
https://www.sonicwall.com/support/product-lifecycle-tables/sonicwall-secure-mobile-access/software/
I have upgraded to the latest version and I see warnings on the Management Console against a few device profiles saying "There are device profiles using OPSWAT V3 attributes" and a tool tip saying "OPSWAT V3 attributes are deprecated". What am I expected to do?
We suggest that you delete the existing profiles and recreate them. The new profiles will be OESIS V4 profiles by default.
I understand that all newly created profiles should be OESIS V4 compliant since OESIS V3 support may be stopped anytime. However, for some unavoidable reasons, I need to create a new OESIS V3 compliant profile. Can I do that?
Even though it is not recommended, you can override the default behavior and create a new OESIS V3 compliant device profile by adding a CEM value in the management console: MGMT_ALLOW_NEW_OPSWAT_V3=true.
Will the OESIS V4 compliant profiles work for older Connect Tunnel clients like 12.0.x or 11.4.x?
No, the clients will need to be upgraded to the latest firmware in order to work based on the new OESIS V4 device profiles. Ideally the Administrator should make use of the "Forced" or "Required" setting under the page: "Access Methods | Network Tunnel Client Settings" until all end users upgrade their clients to the latest version.
Do we have any changes in the existing functionality of signature update, File System Scanned, and Real-time Protection required?
No, there are no changes in the functionality of signature update and Real-time Protection. However, there is a minor change for File System Scanned: in OESIS V4 we support a "full" scan of the system. When using the "Any product from this vendor" option, depending on the vendor and the features their products support, there are some differences in what can be set between OPSWAT v3 and v4.
I see a new category "Antimalware Program" replacing the Antivirus Program and Antispyware Program. What has changed?
Nothing much has changed except that the two categories, Antivirus and Antispyware, have been merged into Antimalware. This is because a lot of products nowadays qualify in both categories.
What will happen if 11.4 or 12.0 clients try to connect to an appliance that is using V4 profiles?
The 11.4 and 12.0 clients should be able to upgrade to the latest version and should be able to connect and work normally thereafter. However, if the Forced/Required option for upgrade is not enabled at the Management Console, and the user does not choose to upgrade at the time of connecting, the user may or may not be able to connect. In such a scenario, the users may be able to connect only if there is at least one OESIS V3 compliant device profile that qualifies the user to be classified successfully into a zone.