SonicOS 7.3 Release Notes

Version 7.3.2-7010

February 2026

This version of SonicOS 7.3.2 is a maintenance release for existing platforms and also resolves issues found in previous releases.

Important

  • SonicOS 7.3.2 is not FIPS or Common Criteria certified.
  • SonicWall firewalls running versions of SonicOS 7.1.x or later cannot be managed using Global Management System (GMS).
  • Downgrading to SonicOS 7.0.x, SonicOS 7.1.x, and SonicOS 7.2.x from SonicOS 7.3.2 is not supported.
  • Firewalls currently operating on SonicOS 7.3.1 (non-Hotfix) are supported for upgrade to SonicOS 7.3.2-7010.

    If customers have any questions or require clarification regarding the firmware upgrade path, it is strongly recommended to open a support ticket for assistance.

  • Upgrading SonicOS 7.0.1 to 7.3.2 for NSv requires a fresh installation of NSv for all platforms. (For more information, refer to NSv upgrade from 7.0.1 to 7.1.X.)
  • Use the Firmware Auto Update feature in SonicOS 7.3.2 to ensure that your firewall always has the latest updates for critical vulnerabilities. (For more information, refer to Firmware Auto Update.)

Compatibility and Installation Notes

  • A MySonicWall account is required.
  • Network Security Manager (NSM) SaaS 3.5 is required to manage firewalls using SonicOS 7.3.2.
  • Network Security Manager (NSM) On-Premises 3.5 is required to manage firewalls using SonicOS 7.3.2.
  • Most popular browsers are supported, but Google Chrome is preferred for the real-time graphics display on the Dashboard.
  • Credential Auditor feature is not supported on NSsp 15700.

NetExtender Compatibility & Bundling Update

  • New Version Support: SonicOS 7.3.2 provides official support for NetExtender version 10.3.4, while maintaining backward compatibility with the NetExtender version 10.2.x branch.
  • Upgrade Recommendation: To ensure access to the latest security patches and performance optimizations, we strongly recommend that customers upgrade all NetExtender clients to version 10.3.4 at their earliest convenience.
  • Transition & Integration Details:
    • Current State: To facilitate a seamless transition for existing users, SonicOS 7.3.2 remains embedded with NetExtender version 10.2.341.
    • Future Path: NetExtender version 10.3.4 is scheduled to become the default embedded client in a subsequent firmware release.

Supported Platforms

The platform-specific version for this unified release is the same:

Platform Firmware Version
TZ Series 7.3.2-7010
NSa Series 7.3.2-7010
NSv Series 7.3.2-7010
NSsp Series 7.3.2-7010
  • TZ270 / TZ270W
  • TZ370 / TZ370W
  • TZ470 / TZ470W
  • TZ570 / TZ570W
  • TZ570P
  • TZ670
  • NSa 2700
  • NSa 3700
  • NSa 4700
  • NSa 5700
  • NSa 6700
  • NSv 270
  • NSv 470
  • NSv 870
  • NSsp 10700
  • NSsp 11700
  • NSsp 13700
  • NSsp 15700

SonicOS NSv deployments are supported on the following platforms:

  • AWS (BYOL and PAYG)
  • Microsoft Azure (BYOL)
  • VMware ESXi
  • Microsoft Hyper-V
  • Linux KVM

What's New

This maintenance release provides security updates and resolves previously reported issues.

Resolved Issues

Issue ID

Description

GEN7-56576

Category 14 logs are not displaying firewall system event logs in NSM.

GEN7-56535

The outbound NAT policy added for CSE connectivity is automatically deleted after a reboot. The CSE Access Tier AIPs are dynamic and are populated only after the CSE connector comes up. During device boot-up, the CSE AO remains empty, causing validation to fail and preventing the NAT policy from being added.

GEN7-56477

A certain configuration of the SSO Terminal Service Agent causes the device to reboot.

GEN7-56475

Users authenticated via SAML receive a 60-minute session duration with Google IdP

GEN7-56472

LDAP bind passwords with 14, 30, 46, and 62 characters cause the LDAP test connection and user authentication to fail due to an error in the calculation of the cipher length for an AES-256 encrypted password with PKCS#7 padding.

GEN7-56452

Some local users are showing as logged in via SAML.

GEN7-56391

Incoming IP Helper traffic from CSE GlobalEdge Access Tier is being dropped on the firewall with drop code "Packet has unallowed source IP from peer". As a result, CSE clients are unable to access any resources behind the firewall connector.

GEN7-56243

Post-authentication Format String vulnerability (SNWLID-2026-0001).

GEN7-55784

Syslog is not showing the SSLVPN User login timestamp; only the SSLVPN User logout is mentioned in the report.

GEN7-55730

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55729

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55728

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55727

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55726

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55724

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55723

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55722

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55721

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55719

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55718

Unable to modify the X1 PPPoE interface on an NSM-managed firewall.

GEN7-55717

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55703

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55702

Post-authentication Stack-based Buffer Overflow (SNWLID-2026-0001).

GEN7-55581

The Session Expiry Time is miscalculated for externally authenticated guest users.

GEN7-55515 Post-authentication NULL Pointer Dereference vulnerability (SNWLID-2026-0001).

GEN7-52883

In a high-availability deployment with an external Sonicwall-managed switch using a Portshield interface, the Spanning-Tree port status doesn't change on switches after HA failover.

GEN7-48603

In a high-availability deployment with an external Sonicwall-managed switch with a Portshield interface, the Spanning-Tree port status doesn't change on switches after HA failover.

Known Issues

Issue ID Issue Description
GEN7-54726 The IPv6 route that is added to NetExtender is incorrect when the SSLVPN IPv6 pool is a range address object.
GEN7-54715 Clicking the Accept button on the Geo-IP Filter settings page will enable the Block all Unknown countries option on the other tab automatically if nothing is configured

GEN7-54598

A locked IP address is automatically unlocked when using the GVC client. IPsec VPN reuses connection caches that are not deleted right after a login failure.

GEN7-54569

In a high-availability setup, locked-out IP addresses aren't getting synced with the standby node.

GEN7-54564

Unable to import LDAP users belonging to child domains. When clicking on Import LDAP users and selecting the primary server in the list, the user list doesn’t show users from the child domain. It lists users only from the primary domain. Selecting Import from all LDAP servers will show all the users from all the servers configured/learnt.

GEN7-54531

The Firewall UI is not accessible via HTTPS (port 8080) after changing from port 443. This causes a conflict. Please use a different port than 8080.

GEN7-54348

Changing the OTP length and then reverting to the original value results in the error: Ensure the minimum length is not greater than the maximum length.

GEN7-44977

CLI has commands to adjust the percentage of storage for logs, packet capture, threat-logs, and appflow-report. However, these commands have no effect because this feature was never implemented.

Additional References

GEN7-57023, GEN7-56920, GEN7-56774, GEN7-56606, GEN7-56554, GEN7-56479, GEN7-56431, GEN7-56135, GEN7-56134, GEN7-55817, GEN7-55816, GEN7-55776, GEN7-55757, GEN7-55756, GEN7-55654, GEN7-55190, GEN7-55045, GEN7-54875, GEN7-54423, GEN7-54360, GEN7-51893