Cloud Secure Edge Docs
Configure a SonicOS firewall as a Cloud Secure Edge Connector
Overview
Cloud Secure Edge (CSE) supports two edge deployment models for accessing private organizational resources: the Self-hosted Private Edge and the Global Edge Network. SonicOS 7.1.2 and later can be deployed as a CSE Connector against the Global Edge Network, allowing a Gen7+ SonicWall firewall to act as the on-premises endpoint of the secure tunnel.
This guide walks an admin through:
- The Connector concepts that govern how a SonicOS-based Connector behaves.
- The supported SonicWall product versions.
- Firmware and feature activation in the firewall.
- Connector configuration in SonicOS (private CIDRs and DNS domains).
- Matching configuration on the CSE Command Center (Connector binding, Service Tunnel, access policy, directory user).
- End-user installation of the CSE Desktop App and connectivity testing.
- Connector log events in SonicOS.
For the basic Firewalls inventory view inside the CSE Command Center, see Install Cloud Secure Edge Connector on your SonicWall firewall.
How the SonicOS Connector works
The SonicOS-based Connector is a dial-out connector that establishes secure outbound tunnels to the CSE Global Edge Network. Key characteristics:
- The Connector can be deployed in any location that has internal service connectivity.
- All connectivity to CSE is outbound; no inbound ports need to be opened on the firewall.
- Traffic enters the firewall over WireGuard tunnels from CSE Points of Presence (PoPs). From the firewall's perspective, only inbound traffic from the WAN to protected zones is permitted.
- A SonicOS Group Address Object is created automatically per Connector. Administrators add allowed private IPv4 addresses to this group to publish the CIDRs that CSE end users will be able to reach.
- Administrators also specify the private DNS domains that the CSE client must resolve through the firewall. These domains are served by the firewall's Split DNS feature.
- Access control is enforced by CSE infrastructure, not by the SonicOS firewall.
Supported SonicWall product versions
| SonicWall product | Minimum version |
|---|---|
| SonicOS | 7.1.2 or higher |
| Network Security Manager (NSM) SaaS | 2.5.0 or higher |
Prerequisites
- The SonicWall firewall is registered in the same MySonicWall tenant that holds the CSE trial or paid license.
- A CSE instance is provisioned in that same tenant.
- Administrative access to the firewall and to the CSE Command Center.
Constraints at a glance
| Limit | Maximum |
|---|---|
| Private CIDRs per Connector | 64 |
| Published DNS domains per Connector | 4 |
| Connectors per Service Tunnel | 1 |
| PoPs per Service Tunnel | 16 |
| Connector name length | 127 characters |
Support
For SonicWall product issues outside the scope of this guide, open a case at https://helpdesk.sonicwall.com.
