SonicOS 7.3 Release Notes

Technical Documentation>  SonicOS 7.3>  Version 7.3.3-7014
Table of Contents

Version 7.3.3-7014

May 2026

This version of SonicOS 7.3.3 is a maintenance release for existing platforms and also resolves issues found in previous releases.

Important

  • SonicOS 7.3.3 is not FIPS or Common Criteria certified.
  • SonicWall firewalls running versions of SonicOS 7.1.x or later cannot be managed using Global Management System (GMS).
  • Downgrading to SonicOS 7.0.x, SonicOS 7.1.x, and SonicOS 7.2.x from SonicOS 7.3.3 is not supported.
  • Upgrading SonicOS 7.0.x, 7.1.x and 7.2.x to 7.3.3 for NSv requires a fresh installation of NSv for all platforms.
  • Use the Firmware Auto Update feature in SonicOS 7.3.3 to ensure that your firewall always has the latest updates for critical vulnerabilities. (For more information, refer to Firmware Auto Update.)

Compatibility and Installation Notes

  • A MySonicWall account is required.
  • Network Security Manager (NSM) SaaS 4.1 is required to manage firewalls using SonicOS 7.3.3.
  • Network Security Manager (NSM) On-Premises 4.1 is required to manage firewalls using SonicOS 7.3.3.
  • Most popular browsers are supported, but Google Chrome is preferred for the real-time graphics display on the Dashboard.
  • Credential Auditor feature is not supported on NSsp 15700.

NetExtender Compatibility & Bundling Update

  • New Embedded Version: SonicOS 7.3.3 ships with NetExtender version 10.3.4 embedded in the SSL‑VPN portal. Users accessing the portal will be prompted to install or update to NetExtender 10.3.4 automatically.
  • Upgrade Recommendation: To ensure access to the latest security patches and performance optimizations, we strongly recommend that customers upgrade all NetExtender clients to version 10.3.4 at their earliest convenience.

Supported Platforms

The platform-specific version for this unified release is the same:

Platform Firmware Version
TZ Series 7.3.3-7014
NSa Series 7.3.3-7014
NSv Series 7.3.3-7014
NSsp Series 7.3.3-7014
  • TZ270 / TZ270W
  • TZ370 / TZ370W
  • TZ470 / TZ470W
  • TZ570 / TZ570W
  • TZ570P
  • TZ670
  • NSa 2700
  • NSa 3700
  • NSa 4700
  • NSa 5700
  • NSa 6700
  • NSv 270
  • NSv 470
  • NSv 870
  • NSsp 10700
  • NSsp 11700
  • NSsp 13700
  • NSsp 15700

SonicOS NSv deployments are supported on the following platforms:

  • AWS (BYOL and PAYG)
  • Microsoft Azure (BYOL)
  • VMware ESXi
  • Microsoft Hyper-V
  • Linux KVM

Deprecation Notice

Support for customizing guest login pages using external web servers with the CGI mechanism has been deprecated. This functionality will no longer be enhanced, and customers are advised to migrate to the supported API‑based guest login customization mechanism.

For migration guidance and additional details, refer to the following Knowledge Base article: Deprecation of CGI-Based Guest Login Page Customization.

What's New

  • New Content Filtering Categories

    SonicOS now includes four additional CFS categories to address evolving content risks. Self‑Harm enables organizations to block access to content promoting self‑harm. DNS‑over‑HTTPS (DoH) allows administrators to control or restrict DoH traffic to enforce DNS visibility policies. Low‑THC Cannabis Products provides granular control separate from existing cannabis categories. Generative AI enables policy control over access to AI content‑generation platforms. All four categories are available in the CFS policy editor and can be applied per‑zone or per‑user.

  • New Country Support in Geo‑IP: Kosovo and South Sudan

    Kosovo and South Sudan have been added to the SonicOS Geo‑IP country database. Administrators can now apply Geo‑IP‑based access policies to target or exclude traffic originating from these countries. For more information and configuration details, refer to the following Knowledge Base article: Geo-IP Database Update: Kosovo and South Sudan.

  • Credential Auditor Enabled by Default

    Credential Auditor is now enabled by default in SonicOS 7.3.3. On first boot or factory reset, the appliance automatically audits configured credentials against known compromised password databases. Administrators are alerted if any credentials match known breached passwords, prompting remediation. For more information and configuration details, refer to the following Knowledge Base article: Understanding and Using Credential Auditor on SonicWall Firewalls.

  • W0‑WAN and X1 WAN in the Same Subnet

    SonicOS now permits the W0‑WAN and X1 WAN interfaces to be configured within the same IP subnet, resolving a previous limitation that prevented valid ISP configurations where both WAN handoffs share a common subnet. Routing and failover behavior for same‑subnet WAN configurations is handled correctly and is fully supported with SD‑WAN policies.

  • DTLS Support in SSL‑VPN

    SonicOS SSL‑VPN now supports DTLS (Datagram TLS), providing a UDP‑based alternative to TLS for encrypted remote access sessions. DTLS reduces latency and improves throughput for real‑time applications including voice, video, and interactive sessions carried over SSL‑VPN. When a connecting client supports DTLS, the SSL‑VPN gateway negotiates DTLS automatically. TLS fallback is maintained for clients that do not support DTLS.

    To enable DTLS support, you must use NetExtender version 10.3.5 or later. DTLS is supported only when connecting to SonicOS 7.3.3 and above. Download NetExtender 10.3.5 from one of the following:
    - MySonicWall (recommended)
    - https://www.sonicwall.com/products/remote-access/vpn-clients.

    For additional details, refer to the NetExtender 10.3.5 Release Notes.

  • MAC‑IP Anti‑Spoof Support in Native Bridge (L2 Deployments)

    SonicOS Native Bridge mode now includes MAC‑IP Anti‑Spoofing support for Layer 2 deployments. When enabled, the appliance enforces MAC‑to‑IP address bindings on bridged interfaces, detecting and blocking traffic where the source MAC and IP pairing does not match the learned or statically configured binding table.

  • NetExtender 10.3.4 Embedded in SonicOS 7.3.3

    SonicOS 7.3.3 ships with NetExtender 10.3.4 embedded in the SSL‑VPN portal. Users accessing the portal will be prompted to install or update to NetExtender 10.3.4 automatically. This release of NetExtender includes stability and compatibility improvements.

  • Improved Save/Edit Configuration Banner

    The banner notification that appears when saving or editing a firewall configuration has been redesigned to be more intuitive and less visually crowded. The updated banner provides clearer action prompts and reduces cognitive load during configuration changes.

  • Updated UI Text for Unified Management

    Several UI text strings and labels related to Unified Management in SonicOS have been updated to align with current product naming and to improve clarity. Administrators using NSM‑based centralized management will notice updated terminology in relevant configuration pages. No functional changes are associated with this update.

This maintenance release also provides security updates and resolves previously reported issues.

Resolved Issues

Issue ID Issue Description

GEN7-54100

Firmware upgrade on Microsoft Azure fails and causes the VM to reset for certain VM sizes such as D2ds_v4.

GEN7-54404

When using NSM to release DHCP on the WAN interface of the firewall, the IP address remains and is not cleared.

GEN7-54849

After a High Availability failover, traffic over wiremode interfaces results in slow packet convergence, delays, or packet drops.

GEN7-55181

In a High Availability environment with a GMS management policy configured with an FQDN, the default HTTPS management NAT rule returns to top priority after a reboot causing re-prioritization of the default NAT rule for GMS HTTPS management.

GEN7-55799

Incorrect up-status behavior is observed on a policy-based route when the probes are edited from within the route.

GEN7-55927

A PPPoE connection takes a long time to reconnect after a reboot or failover.

GEN7-55970

High Availability synchronization intermittently fails, with status changing to NO when the standby unit is busy with other tasks.

GEN7-56010

Websites randomly stop working when Client DPI-SSL is enabled, due to out-of-order packets causing memory fragmentation.

GEN7-56175

In a High Availability deployment, the management UI becomes inaccessible for an extended period after a configuration change.

GEN7-56359

Configuration Auditing logs are not displayed in order when sorted by time.

GEN7-56556

The password expiration date is reset to its starting value after a reboot.

GEN7-56741

The CSE Connector could only publish 64 CIDRs. This limit has been increased to 256.

GEN7-56849

With the CSE connector configured, NAT policies with the source CSE_Access_Tier_AIPs created on the primary firewall are not synced to the standby firewall.

GEN7-57138

The firewall UI is not accessible on an L2 Bridge or Native Bridge interface when the parent interface has no link.

GEN7-57414

Users receive a Bad Request (HTTP 400) error when connecting to an external captive portal.

GEN7-57456

Numbered VPN interfaces created with a subnet that overlaps other interfaces can stop working when a High Availability failover occurs.

GEN7-57781

The Cloud Backup tab has been removed from the UI as the feature is no longer supported.

GEN7-57801

Cloud Backup has been removed from the CLI and API as the feature is no longer supported.

GEN7-57817

Redirection to the firewall's configured domain name does not work for Guest Authentication.

GEN7-58015

Instability is observed when ULA is configured with LDAP and the LDAP search request does not include the DN for the user.

GEN7-58060

Unable to import a manual License Keyset, resulting in the error: Upgrade Keyset: Failed to parse and process keyset.

Known Issues

Issue ID Issue Description
GEN7-54348 Changing the OTP length and then reverting to the original value results in the error: Ensure the minimum length is not greater than the maximum length.
GEN7-54531 The firewall UI is not accessible via HTTPS on port 8080 after changing from port 443. This causes a conflict. Use a different port than 8080.

GEN7-54564

Unable to import LDAP users belonging to child domains. When selecting the primary server, users from child domains are not displayed. Selecting Import from all LDAP servers lists all users from all configured servers.

GEN7-54569

In a High Availability setup, locked-out IP addresses are not synced with the standby node.
GEN7-56715 Clicking the Accept button on the Geo-IP Filter settings page enables the Block all Unknown countries option on the other tab automatically when nothing is configured on that tab.
GEN7-56726 The IPv6 route added to NetExtender is incorrect when the SSL-VPN IPv6 pool is a range address object.

GEN7-57624

The DNS filter profile is not persisted correctly after importing preferences.

GEN7-57651

A NAT policy change does not take effect after the translated service address object port and name are changed. A reboot is required for the change to take effect.

Additional References

GEN7-48725, GEN7-53524, GEN7-54755, GEN7-54909, GEN7-55158, GEN7-55183, GEN7-55191, GEN7-55399, GEN7-55440, GEN7-55499, GEN7-55560, GEN7-55566, GEN7-55667, GEN7-55780, GEN7-55795, GEN7-55796, GEN7-55801, GEN7-55891, GEN7-55924, GEN7-55943, GEN7-55989, GEN7-56011, GEN7-56075, GEN7-56162, GEN7-56163, GEN7-56220, GEN7-56229, GEN7-56258, GEN7-56274, GEN7-56289, GEN7-56352, GEN7-56382, GEN7-56417, GEN7-56418, GEN7-56446, GEN7-56524, GEN7-56530, GEN7-56550, GEN7-56552, GEN7-56559, GEN7-56560, GEN7-56737, GEN7-56762, GEN7-56866, GEN7-56889, GEN7-56911, GEN7-56932, GEN7-56982, GEN7-56984, GEN7-57233, GEN7-57309, GEN7-57398, GEN7-57531, GEN7-57567, GEN7-57660, GEN7-57799, GEN7-58036, GEN7-58147, GEN7-58181, GEN7-58183

Chat