Network Security Manager 3.5 On-Premises Administration Guide

Table of Contents

Firewall Onboarding Best Practices

Follow these recommendations when onboarding a firewall:

  • NSM/Firewall Management supports Gen 6, Gen 7, and Gen 8 firewalls. It is always recommended to upgrade to the latest firmware (see Upgrading Firmware) to get the latest features and enhancements.

    For Gen 6 firewalls the minimum recommended firmware version is 6.5.4.6.

  • When you register a firewall in Unified Management or MySonicWall and assign it to a newly created tenant, choose the data center closest to the firewall’s region to avoid latencies in loading data. Currently, you can select between two data centers: NSM North America and NSM Europe.
  • If you are an MSP or MSSP partner, create a separate tenant for each customer to simplify the management and provide controlled access to the interface as needed.

  • Zero Touch (ZT) enabled:

    • Ensure that the ZT is enabled while registering a firewall for auto provisioning to NSM/Firewall Management.

      MSW:

      Unified Management: If you are registering a firewall in Unified Management, ZT is enabled by default.

    • If you missed enabling ZT while registering a firewall, follow Enabling Zero Touch.

    • Ensure that TCP port 21021 or 443 is allowed for outbound traffic on the firewall. This port is required to initiate communication with NSM/Firewall Management. Once the port is allowed, the firewall will appear online on the Inventory page after some time.

      For more information about enabling TCP port 21021 or 443, refer to Enabling TCP or UDP Port on Firewall.

    • Ensure that UDP ports 16001 and 16002 are allowed for Reporting inbound traffic on the firewall.

  • Zero Touch (ZT) disabled: If the ZT is disabled, add the firewall manually.

    • Ensure that TCP port 443 is allowed for inbound traffic on the firewall WAN interface. NSM/Firewall Management initiates communication with the firewall over this port. For more information, refer to Enabling TCP Port 443 on Firewall.

    • Ensure that a Security Policy (an access rule) is configured on the firewall to allow traffic from NSM/Firewall Management server sources to the firewall’s WAN interface. For more information about server sources, refer to the KB article.

    • The firewall now appears on the Inventory page, but its status shows as Offline because Zero Touch (ZT) is disabled. Edit the firewall settings, add the firewall's public IP along with port 443 and the credentials, and acquire the firewall manually. For more information, refer to Acquiring a Firewall Manually. This is applicable for SaaS only.


      • The default acquisition port used is 443. You can use another custom port in the firewall settings menu, but that port must also be set as the firewall’s HTTPS management port.
      • For On-Premises, the user can specify the IP address while adding the firewall.
    • Ensure that UDP ports 16001 and 16002 are allowed for outbound traffic on the firewall to send the reporting and analytics data to NSM/Firewall Management. For more information, refer to Enabling TCP or UDP Port on Firewall.

      Starting from SonicOS 7.0.1-5080, the firewalls send flow logs through an encrypted transport mechanism over UDP ports 16001 and 16002.


    • Verify that no intermediate devices are blocking the required ports for Zero Touch (ZT) provisioning or manual acquisition.
    • With ZT, it may take up to one hour for the firewall to appear online.
    • A firewall reboot may be required after acquisition to enable Reporting and Analytics, if App-Flow was not previously enabled. A notification will appear on the firewall’s Inventory page if a reboot is necessary.
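The port requirements above differ depending on whether Zero Touch is enabled, and a custom acquisition port only works when it matches the firewall's HTTPS management port. The following pre-onboarding checklist script is an added example, not part of this guide or of NSM/SonicOS: it models the ports listed in this section and reports which allow rules are still missing. The Rule and Requirement classes, the sample rule set, and the source placeholder are assumptions for illustration; the actual NSM server sources come from the KB article referenced above.

```python
"""Pre-onboarding port checklist for a firewall managed by NSM (constructed example).

Models the ports this guide lists for Zero Touch enabled and disabled onboarding and
reports which allow rules are still missing. The Rule/Requirement model and the
sample rule set are assumptions, not NSM or SonicOS data structures.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    """One allow rule on the firewall WAN interface (constructed model)."""
    direction: str          # "in" (inbound to the firewall) or "out" (outbound)
    proto: str              # "tcp" or "udp"
    port: int
    source: str = "any"     # source object; NSM server sources are listed in the KB article


@dataclass(frozen=True)
class Requirement:
    direction: str
    proto: str
    ports: tuple            # any one of these ports satisfies the requirement
    purpose: str


# Zero Touch enabled: outbound TCP 21021 or 443, inbound UDP 16001/16002 for Reporting.
ZT_ENABLED = (
    Requirement("out", "tcp", (21021, 443), "initiate communication with NSM"),
    Requirement("in", "udp", (16001,), "Reporting"),
    Requirement("in", "udp", (16002,), "Reporting"),
)


def zt_disabled_requirements(acquisition_port: int) -> tuple:
    """Zero Touch disabled: inbound TCP on the acquisition port, outbound UDP 16001/16002."""
    return (
        Requirement("in", "tcp", (acquisition_port,), "manual acquisition from NSM server sources"),
        Requirement("out", "udp", (16001,), "Reporting and Analytics flow logs"),
        Requirement("out", "udp", (16002,), "Reporting and Analytics flow logs"),
    )


def missing_requirements(rules: Iterable[Rule], zero_touch: bool,
                         acquisition_port: int = 443,
                         https_mgmt_port: int = 443) -> List[str]:
    """Return human-readable gaps; an empty list means the port checklist is satisfied."""
    reqs = ZT_ENABLED if zero_touch else zt_disabled_requirements(acquisition_port)
    allowed = {(r.direction, r.proto, r.port) for r in rules}
    gaps = []
    # A custom acquisition port must also be the firewall's HTTPS management port.
    if not zero_touch and acquisition_port != https_mgmt_port:
        gaps.append(f"acquisition port {acquisition_port} must also be the firewall's "
                    f"HTTPS management port (currently {https_mgmt_port})")
    for req in reqs:
        if not any((req.direction, req.proto, p) in allowed for p in req.ports):
            ports = " or ".join(str(p) for p in req.ports)
            gaps.append(f"{req.direction}bound {req.proto.upper()} {ports}: {req.purpose}")
    return gaps


# Constructed sample: a ZT-disabled firewall whose admin forgot the second reporting port.
SAMPLE_RULES = [
    Rule("in", "tcp", 443, source="NSM_SERVER_SOURCES_PLACEHOLDER"),  # placeholder source object
    Rule("out", "udp", 16001),
]

if __name__ == "__main__":
    for gap in missing_requirements(SAMPLE_RULES, zero_touch=False):
        print("missing:", gap)
```

Run the checklist against the rule set you intend to push before acquiring the firewall; for the ZT-disabled flow, pass the custom acquisition port and the HTTPS management port so the mismatch case is caught before the acquisition attempt fails.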