SonicOS Network - Interface Connectivity Best Practices
01/19/1970 12 3659
Best Practices for configuring SonicOS Network Interfaces and Failover & LB features for optimized connectivity.
Any disruptions in traffic through the firewall which can not be easily ascribed to third party issues.
Applies to SonicOS versions 5.x.x.x, 6.x.x.x on all models
(TZ Series, SonicWall NSA Series, NSa Series, SonicWall SuperMassive 9000 Series) .
Each network interface of a SonicWALL NGFW appliance should be connected to a separate switch or VLAN. (Exceptions: PortShield / Link Aggregation / Port Redundancy features).
No unconfigured / unassigned SonicWALL firewall interface should be connected physically to routers, modems, switches or hosts. Either connect and configure the interface, or don’t do either.
Never configure any WAN zone interface on a SonicWALL firewall and then leave it disconnected. Either connect and configure the interface, or don’t do either.
If you do configure the interface and save it, for a future WAN deployment, and then unassign it, SonicOS will remember the IP address, Subnet Mask and Default Gateway settings you used and show then to you the next time you assign it to WAN zone.
The X1 interface by default on all SonicWALL firewalls is a WAN in DHCP mode with an IP address of 0.0.0.0. In older firmware versions, X1 by default was a WAN in static mode with an IP address of 0.0.0.0. It should only be used with valid, non-zero IP address settings, or configured for DHCP or PPPoE. It should be changed to status "Unassigned," if it will not be used, when another interface like X2 or X16 will be the primary WAN instead. One common reason this is done on our higher end NSA, NSa, SuperMassive or NSsp models is to use a 10-Gbps interface for WAN, instead of the slower 1-Gbps X1.
SonicOS has special code in it which is triggered by the presence of WAN interfaces (such as creation of automatic objects, routes, access rules, NAT Policies).
The Properties of the X1 WAN interface of an NSa-2650 Firewall is pictured below, Advanced tab, with its default values:
Link Speed: Auto-Negotiate.
WAN interface MTU is 1500 bytes.
The checkbox "Fragment non-VPN outbound packets larger than this Interface’s MTU" is enabled.
Ignore DF Bit is disabled.
The checkbox "Do not send ICMP Fragmentation Needed for outbound packets larger than the MTU" is disabled.
This combination of settings is a Best Practice. Adjustments can be made with care.
SonicWALL NGFW appliances come with the Network > Failover & LB feature enabled globally. The checkbox for this is "Enable Load Balancing." Do not turn it off, even if you have only one WAN interface. The Load Balancing code is what pushes SonicOS to work hard to make both WAN Interfaces and the things that rely on it (VPNs, Security Services) highly reliable. Disabling it can have unexpected consequences.
There are a few deployment scenarios and addressing modes in which you must disable it (and messages will appear in the web UI saying so). These are Layer 2 Bridge Mode or Wired Mode pairs involving WANs in the Default LB group.