SonicOS Core0 Principles and Common Configurations
03/26/2020
This article helps identify configurations and/or events that lead to issues on the Control Plane (AKA Core 0).
Individually, these issues can slightly impact the SonicWall's performance. Core 0 is a major component of SonicWall processing.
Issue 1: App Control Advance Log Redundancy
The default Log Redundancy setting for almost all firmware versions, except for the latest (6.2.3 and 6.2.4), is zero. This heavily impacts logging on the SonicWall when all Categories have logging enabled.
Edit log redundancy filter intervals only on the Log | Settings | Firewall | Application Control screen, since changing them in the main App Control Advanced area changes them for both UI and syslog. Suggested values:
- Display Events in Log Monitor: 120 seconds
Issue 2: IKE negotiations
Site-to-Site VPNs with mismatched network proposals have an effect similar to a UDP DoS attack.
- Fix any issues with the tunnels
- Reduce the logging level for "VPN IKEv2" and "VPN IKEVPN"
- Disable any unused VPNs
Issue 3: Logging
The SonicWall is generating high volumes of logs.
- Enable the checkbox “Main Log Process Reschedule Interval” on the diag.html page. Leave the value of the related “Log Entries” setting at 100.
- Configure logging to remove items that are not needed
Issue 4: AppFlow to Local Collector
AppFlow to Local Collector, where the collector is the SonicWall itself, can cause Core 0 to spike under load.
- Disable it while troubleshooting Core 0 issues.
- If AppFlow data is really needed, send it to an AppFlow/NetFlow collector.
- Unless this feature is mission critical, turn it off and use it only when needed.
Issue 5: FQDN Address Objects and Wildcard FQDN Address Objects
FQDN Address Objects can cause major issues, especially when the DNS lookup fails for the object. Wildcard FQDN Address Objects like *.google.com can cause issues due to the number of DNS entries that will be returned on the DNS lookup.
- Ensure the SonicWall can resolve the FQDN object
- Delete any unused FQDN Address Objects
- Limit the number of Wildcard FQDN Address Objects or do not use them at all
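One way to audit a list of FQDN Address Objects against the points above, as an added example that is not SonicWall code. It assumes the object list was copied out of the firewall by hand and that the script runs on a host using the same DNS servers as the firewall; the object names and the 10-record threshold are hypothetical.

```python
import socket

# Assumed threshold for "too many records"; tune it for your environment.
MAX_RECORDS = 10

def system_resolver(name):
    """Resolve name through the host's configured DNS; return the set of addresses."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def audit_fqdn_objects(objects, resolver=system_resolver, max_records=MAX_RECORDS):
    """Classify each FQDN object as 'wildcard', 'unresolvable', 'high-fanout' or 'ok'.

    objects: dict mapping address object name -> FQDN string.
    Returns a dict mapping object name -> (status, number of addresses returned).
    """
    findings = {}
    for obj_name, fqdn in objects.items():
        fqdn = fqdn.strip().rstrip(".").lower()
        if fqdn.startswith("*."):
            # A wildcard cannot be looked up directly; list it for manual review.
            findings[obj_name] = ("wildcard", 0)
            continue
        try:
            addrs = resolver(fqdn)
        except (OSError, UnicodeError):
            # Lookup failure (NXDOMAIN, no reachable server) or a malformed name.
            findings[obj_name] = ("unresolvable", 0)
            continue
        if not addrs:
            findings[obj_name] = ("unresolvable", 0)
        elif len(addrs) > max_records:
            findings[obj_name] = ("high-fanout", len(addrs))
        else:
            findings[obj_name] = ("ok", len(addrs))
    return findings

if __name__ == "__main__":
    # Constructed sample objects; replace with the objects configured on the firewall.
    sample = {"mail-relay": "mail.example.com", "cdn-any": "*.example.net"}
    for name, (status, count) in sorted(audit_fqdn_objects(sample).items()):
        print(f"{name:20} {status:13} records={count}")
```

Objects reported as unresolvable or wildcard are the candidates for the fix, delete or limit steps listed above.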
Issue 6: Log Name Resolution
This setting is located under Log > Name Resolution. The issue arises when the DNS addresses configured here are public DNS servers. Name resolution then tries to go out to those public DNS servers for every single log entry to resolve its name.
- Use only internal DNS servers
- Change to DNS only
Issue 7: Single Sign-On Probing
Single Sign-On can become an issue when a large number of IP addresses are not being identified or do not require SSO.
- Add all IP addresses and subnets that do not require SSO to the SSO Bypass Group
- Ensure all SSO configurations are correct.
- Ensure the server hosting the SSO software can handle all the lookups.