SonicOS Core0 Principles and Common Configurations
03/26/2020
This article helps identify configurations and/or events that lead to issues on the Control Plane (also known as Core 0).
Individually, each of these issues can slightly impact the SonicWall's performance. Core 0 is a major component of SonicWall processing.
Issue 1: App Control Advanced Log Redundancy
The default Log Redundancy setting for almost all firmware versions, except for the latest (6.2.3 and 6.2.4), is set to zero. This heavily impacts logging on the SonicWall when all categories have logging enabled.
Resolution: Edit the log redundancy filter intervals only on the Log | Settings | Firewall | Application Control screen, since changing them in the main App Control Advanced area changes them for both the UI and syslog. Suggested value:
Display Events in Log Monitor: 120 seconds
Issue 2: IKE negotiations
Site-to-Site VPNs with mismatched network proposals have an effect similar to a UDP DoS attack.
Fix any issues with the tunnels
Reduce the logging level for "VPN IKEv2" and "VPN IKEVPN"
Disable any unused VPNs
Issue 3: Logging
The SonicWall generating high volumes of logs.
Enable the “Main Log Process Reschedule Interval” checkbox on the diag.html page. Leave the value of the related “Log Entries” setting at 100.
Configure logging to remove items that are not needed
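Issues 1 through 3 all come down to log volume reaching Core 0. The following Python script is an added example for this article, not SonicWall's own tooling: it parses a constructed sample of key=value syslog lines (the serial number, message ids and message texts are made up, not real SonicOS identifiers), counts entries per message and per second so the noisiest categories can be found, and models what a redundancy interval of 0 seconds versus the suggested 120 seconds would do to the number of entries written. The suppression model (one repeat of the same message from the same source per interval) is a simplification of the firewall's behaviour, assumed here for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines in the key=value style SonicWall uses.
# Serial number, message ids (m=), addresses and message texts are made up
# for this example and are not real SonicOS identifiers.
SAMPLE_SYSLOG = """\
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:01 UTC" fw=198.51.100.1 pri=6 m=1 msg="Connection Closed" src=10.0.0.5:51000 dst=203.0.113.9:443
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:01 UTC" fw=198.51.100.1 pri=1 m=2 msg="IKEv2 negotiation failed: no matching network proposal" src=203.0.113.50 dst=198.51.100.1
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:02 UTC" fw=198.51.100.1 pri=1 m=2 msg="IKEv2 negotiation failed: no matching network proposal" src=203.0.113.50 dst=198.51.100.1
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:02 UTC" fw=198.51.100.1 pri=1 m=2 msg="IKEv2 negotiation failed: no matching network proposal" src=203.0.113.50 dst=198.51.100.1
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:03 UTC" fw=198.51.100.1 pri=1 m=2 msg="IKEv2 negotiation failed: no matching network proposal" src=203.0.113.50 dst=198.51.100.1
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:03 UTC" fw=198.51.100.1 pri=5 m=3 msg="Application Control Detection Alert" src=10.0.0.7:44000 dst=203.0.113.20:443
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:00:03 UTC" fw=198.51.100.1 pri=5 m=3 msg="Application Control Detection Alert" src=10.0.0.7:44000 dst=203.0.113.20:443
id=firewall sn=PLACEHOLDER-SN time="2020-03-26 10:02:05 UTC" fw=198.51.100.1 pri=1 m=2 msg="IKEv2 negotiation failed: no matching network proposal" src=203.0.113.50 dst=198.51.100.1
"""
SAMPLE_LINES = SAMPLE_SYSLOG.splitlines()

# Matches key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one syslog line into a dict of its key=value fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def parse_time(ts):
    """Parse the time="YYYY-MM-DD HH:MM:SS UTC" field (zone suffix dropped)."""
    return datetime.strptime(ts.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")


def count_by_message(lines):
    """How many entries each message text produced: the noisiest messages are
    the first candidates for a lower logging level or a redundancy filter."""
    return Counter(parse_line(l)["msg"] for l in lines if l.strip())


def peak_rate_per_second(lines):
    """Highest number of entries written in any single second of the sample."""
    per_second = Counter(parse_time(parse_line(l)["time"]) for l in lines if l.strip())
    return max(per_second.values())


def simulate_redundancy_filter(lines, interval_seconds):
    """Return (emitted, suppressed) counts if a repeat of the same message from
    the same source were written at most once per interval_seconds. This is a
    simplified model of a log redundancy interval; interval_seconds=0 (the old
    default) suppresses nothing."""
    last_emitted = {}
    emitted = suppressed = 0
    for line in lines:
        if not line.strip():
            continue
        fields = parse_line(line)
        key = (fields.get("msg"), fields.get("src"))
        t = parse_time(fields["time"])
        prev = last_emitted.get(key)
        if prev is not None and (t - prev).total_seconds() < interval_seconds:
            suppressed += 1
        else:
            last_emitted[key] = t
            emitted += 1
    return emitted, suppressed


if __name__ == "__main__":
    for msg, n in count_by_message(SAMPLE_LINES).most_common():
        print(f"{n:4d}  {msg}")
    print("peak entries/second:", peak_rate_per_second(SAMPLE_LINES))
    for interval in (0, 120):
        print(f"redundancy {interval}s -> (emitted, suppressed):",
              simulate_redundancy_filter(SAMPLE_LINES, interval))
```

Point the script at a real syslog export to see which messages dominate; on the sample, the mismatched-proposal IKE message is by far the noisiest, and a 120 second interval halves what is written.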
Issue 4: AppFlow to Local Collector
AppFlow to Local Collector, where the collector is the SonicWall itself, can cause Core 0 to spike when under load.
Disable it while troubleshooting Core 0 issues.
If AppFlow data is really needed, send it to an AppFlow/NetFlow collector.
Unless this feature is mission critical, turn it off and use it only when needed.
Issue 5: FQDN Address Objects and Wildcard FQDN Address Objects
FQDN Address Objects can cause major issues, especially when the DNS lookup for the object fails. Wildcard FQDN address objects like *.google.com can cause issues due to the number of DNS entries returned by the DNS lookup.
Ensure the SonicWall can resolve the FQDN object
Delete any unused FQDN address objects
Limit the number of Wildcard FQDN address objects or do not use them at all
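The three checks above can be run against an export of the address objects. The following Python script is an added example, not part of this article or of SonicOS: it takes a hypothetical list of (object name, FQDN, referenced-by-a-rule) tuples, flags unused and wildcard objects, and resolves the remaining names. It ships with constructed DNS answers so it runs offline; swap in `resolve_system` to use the host's resolver for a live check (the names and addresses in the sample are made up).

```python
import socket
from ipaddress import ip_address


def resolve_system(name):
    """Resolve name with the host's own resolver; returns a set of addresses,
    or None if the lookup fails. Use this for a live check."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return {ip_address(info[4][0]) for info in infos}


# Constructed DNS answers so the audit runs offline; names and addresses are
# made up for this example.
FAKE_DNS = {
    "intranet.example.com": {ip_address("10.10.0.5")},
    "cdn.example.net": {ip_address(f"203.0.113.{i}") for i in range(1, 5)},
}


def resolve_fake(name):
    return FAKE_DNS.get(name)


# Hypothetical export of the firewall's FQDN address objects:
# (object name, FQDN, referenced by at least one rule or group).
SAMPLE_OBJECTS = [
    ("Intranet Portal", "intranet.example.com", True),
    ("Vendor CDN", "cdn.example.net", True),
    ("Old Vendor", "old.vendor.invalid", True),
    ("All of Google", "*.google.com", True),
    ("Stale Partner", "stale.example.org", False),
]


def audit_fqdn_objects(objects, resolve=resolve_fake):
    """Classify each FQDN object: unused (delete it), wildcard (limit or avoid),
    unresolvable (the firewall will keep retrying the lookup), or ok:<n> with
    the number of addresses the name currently resolves to."""
    findings = []
    for name, fqdn, referenced in objects:
        if not referenced:
            findings.append((name, "unused"))
        elif fqdn.startswith("*."):
            findings.append((name, "wildcard"))
        else:
            addrs = resolve(fqdn)
            findings.append((name, "unresolvable" if not addrs else f"ok:{len(addrs)}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_fqdn_objects(SAMPLE_OBJECTS):
        print(f"{finding:14s} {name}")
```

Wildcard objects are reported without a lookup, because resolving the base name says nothing about how many subdomain entries the firewall will end up learning.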
Issue 6: Log Name Resolution
This setting is located under Log > Name Resolution. The issue arises when the DNS addresses configured here are public DNS servers: name resolution would then go out to those public DNS servers for every single log entry to resolve its name.
Use only internal DNS servers
Change to DNS only
Issue 7: Single Sign-On Probing
Single Sign-On can become an issue when a large number of IP addresses are not being identified or do not require SSO.
Add all IP addresses and subnets that do not require SSO to the SSO Bypass Group
Ensure all SSO configurations are correct.
Ensure the server hosting the SSO software can handle all the lookups.
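To find out which hosts are driving the probing, compare the sources that SSO failed to identify against what is already in the bypass group. The following Python script is an added example, not part of this article or of SonicOS: the bypass networks and the (source IP, identified user) events are constructed, and the `/24` grouping with a three-host threshold is an assumed heuristic for spotting a subnet of printers, servers or other devices that should be bypassed rather than probed.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed SSO bypass group: networks the firewall has already been told
# not to probe (a server VLAN and a printer subnet in this example).
SSO_BYPASS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]

# Constructed sample of (source_ip, identified_user) pairs, as you might
# extract from an SSO authentication log; None means no user was identified.
SAMPLE_EVENTS = [
    ("10.20.1.5", None),        # unidentified but already bypassed
    ("10.30.1.10", None),
    ("10.30.1.10", None),
    ("10.30.1.11", None),
    ("10.30.1.12", None),
    ("10.30.2.7", None),
    ("192.168.50.3", None),     # printer subnet, bypassed
    ("10.40.0.9", "alice"),     # identified, no problem
]


def is_bypassed(ip, bypass=SSO_BYPASS):
    """True if ip falls inside any network in the bypass group."""
    addr = ip_address(ip)
    return any(addr in net for net in bypass)


def unidentified_sources(events, bypass=SSO_BYPASS):
    """Counter of source IPs that SSO failed to identify and that are not in
    the bypass group: each of these costs the firewall a probe and a lookup
    against the SSO server."""
    counts = Counter()
    for src, user in events:
        if user is None and not is_bypassed(src, bypass):
            counts[src] += 1
    return counts


def suggest_bypass_subnets(counts, prefix=24, min_hosts=3):
    """Group unidentified hosts into /prefix networks; a network holding at
    least min_hosts distinct unidentified hosts is a candidate for the bypass
    group, after confirming its devices genuinely do not need SSO."""
    hosts = defaultdict(set)
    for src in counts:
        hosts[ip_network(f"{src}/{prefix}", strict=False)].add(src)
    return sorted(net for net, members in hosts.items() if len(members) >= min_hosts)


if __name__ == "__main__":
    counts = unidentified_sources(SAMPLE_EVENTS)
    print("unidentified, not bypassed:", dict(counts))
    print("candidate bypass subnets:",
          [str(n) for n in suggest_bypass_subnets(counts)])
```

On the sample, 10.30.1.0/24 comes out as the candidate subnet while the single host in 10.30.2.0/24 stays below the threshold and would be reviewed individually.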