Support for Bearer Token Validation for Non GUI API Sessions

Description

SonicOS introduces support for bearer token validation for non‑GUI (API‑only) sessions to enhance API session security. When enabled, non‑GUI API clients must authenticate using a bearer token returned during login and include it in all subsequent API requests.


Note:

Any Gen-7 or Gen-8 firewall running firmware version 7.3.1-7015 or earlier (Gen-7) or 8.1.0-8017 or earlier (Gen-8) with Two-Factor Authentication and Bearer Token Authentication enabled is affected.

To mitigate this issue, upgrade the firmware to SonicOS version 7.3.2-7010 or later for Gen-7 devices and 8.2.0-8009 or later for Gen-8 devices, and follow the recommendations outlined in this article.


This article describes the behavior of the feature, configuration considerations, limitations, and operational impact.


Affected Products

  • SonicWall firewalls running SonicOS Gen7 and SonicOS Gen8
  • Deployments using non‑GUI (API‑only) access for management or automation

Affected Versions

  • SonicOS versions 7.3.2-7010 or above for Gen7 and 8.2.0-8009 or above for Gen8 where Non‑GUI API session bearer token check is supported

Note: UI support for this option will be provided in a future update.


Feature Overview

A new security option, Non‑UI API session bearer token check, adds bearer token enforcement for non‑GUI API sessions.

Key Characteristics

  • Disabled by default, including after a factory reset
  • Applies only to non‑GUI (API‑only) sessions
  • Requires API clients to include a bearer token in request headers
  • Intended to improve API session security and session validation

Behavior Details

Authentication Flow

  • When the option is enabled, a bearer token is returned in the /auth API response.
  • All subsequent non‑GUI API requests must include this bearer token in the request header.
  • For non‑GUI API users, a bearer token is returned regardless of the authentication method used.

Configuration Constraints

Mutual Exclusivity

The Non‑UI API session bearer token check option conflicts with:

  • Session security using RFC‑7616 Digest authentication

Rules:

  • Only one of these two options can be enabled at a time.
  • Disabling both options is supported.

Operational Impact

  • Enabling or disabling this option invalidates all existing non‑GUI API sessions.
  • After a configuration change:
    • All non‑GUI API clients must re‑authenticate
    • Administrators should ensure existing API sessions are logged out
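As an added illustration (not code from this article or from SonicWall), a minimal Python client that follows the authentication flow above and the operational impact just described: it obtains the bearer token from /auth, sends it on every later non‑GUI request, and re‑authenticates once when the firewall rejects the session, as happens after this option is toggled. The base URL, the HTTP Basic login credential, the bearer_token response field and the Authorization: Bearer header format are assumptions; the transport callable is injected so the class can be exercised offline or wired to a real HTTP library.

```python
from typing import Callable, Dict, Optional, Tuple

# Transport: (method, url, headers, json_body) -> (status, json_response).
# Plug in a real HTTP library for a firewall; a fake transport works for offline tests.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class SonicOSApiSession:
    """Non-GUI API client honouring the bearer token check. Assumed (not in the
    article): login is POST <base>/auth with an HTTP Basic credential, the token
    is in JSON field "bearer_token", and is sent as "Authorization: Bearer <token>"."""

    def __init__(self, base_url: str, basic_credential: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.basic_credential = basic_credential  # base64("user:pass"); assumed format
        self.transport = transport
        self.token: Optional[str] = None
        self.logins = 0  # number of /auth calls, useful when auditing re-authentication

    def login(self) -> str:
        # The /auth response carries the bearer token (regardless of auth method).
        status, body = self.transport("POST", self.base_url + "/auth",
                                      {"Authorization": "Basic " + self.basic_credential}, None)
        if status != 200 or "bearer_token" not in body:
            raise PermissionError(f"/auth failed with status {status}")
        self.token, self.logins = body["bearer_token"], self.logins + 1
        return self.token

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        # Every later request must carry the token. Toggling the option on the
        # firewall invalidates all non-GUI sessions, so re-authenticate once on 401.
        if self.token is None:
            self.login()
        for attempt in (1, 2):
            status, resp = self.transport(method, self.base_url + path,
                                          {"Authorization": "Bearer " + self.token}, body)
            if status == 401 and attempt == 1:
                self.login()  # session was invalidated; fetch a fresh token and retry
            elif status == 200:
                return resp
            else:
                raise RuntimeError(f"{method} {path} failed with status {status}")
        raise RuntimeError("re-authentication did not restore access")
```

A single automatic re‑login keeps scripted clients working across the option change while still surfacing a hard failure (bad credentials, or a second rejection) to the operator.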

Authentication and Feature Limitations

  • Two‑factor authentication (2FA) is not supported for non‑GUI API sessions when bearer token validation is enabled.
  • This limitation exists due to conflicts between bearer token enforcement and 2FA mechanisms.
  • GUI (UI) logins are not impacted by this limitation.

Tested Scenarios

This feature has been validated with the following scenarios:

Administrator Accounts

  • Login / Logout
  • Two‑factor authentication (TOTP, email OTP)

User Accounts

  • Login / Logout
  • Two‑factor authentication (TOTP, email OTP)
  • RADIUS / LDAP authentication with two‑factor authentication
  • Start Management
  • Start Configuration

Other

  • SSL VPN users

Recommended Action

SonicWall recommends the following best practices:

  • Enable bearer token validation only after confirming API client compatibility
  • Plan for API session re‑authentication when toggling this option
  • Coordinate changes with NSM deployments where applicable
  • Avoid enabling this option alongside RFC‑7616 Digest authentication

Additional Information

  • Bearer token validation applies only to non‑GUI API sessions
  • Deprecated or conflicting authentication methods are automatically restricted
  • Future UI enhancements will simplify configuration and visibility
