Convert settings from SonicOS Standard to SonicOS Enhanced

Affected SonicWALL Security Appliance Platforms:

From: PRO 1260, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ150, TZ150W

To:

Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240

Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless

Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040

Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W

Firmware/Software Version: All Standard Versions
Services: Standard to Enhanced settings conversion

 

Feature/Application:

The SonicOS Standard to Enhanced Settings Converter converts a source Standard Configuration Settings file into one that is compatible with a target SonicOS Enhanced appliance. Because SonicOS Enhanced is more advanced, its Configuration Settings file is more complex than the one SonicOS Standard uses, and the two are not compatible. The Settings Converter creates an entirely new target Enhanced Settings file based on the network settings found in the source Standard file. This allows a rapid upgrade from a Standard deployment to an Enhanced one, with no time spent re-creating network policies. Note: SonicWALL recommends deploying the converted target Configuration Settings file in a testing environment first and always keeping a backup copy of the original source Configuration Settings file.

The SonicOS Standard to Enhanced Settings Converter is available at: https://convert.global.sonicwall.com/

Please Note: If the preferences conversion fails, email your SonicOS Standard configuration file to settings_converter@sonicwall.com with a short description of the problem. In this case, you may also consider manually configuring your SonicWALL appliance.

 

Procedure:

To convert a Standard Network Settings file to an Enhanced one:

1. Log in using your MySonicWALL credentials and agree to the security statement.


The source Standard Network Setting file must be uploaded to MySonicWALL as part of the conversion process. The Setting Conversion tool uses MySonicWALL authentication to secure private network settings. Users should be aware that SonicWALL will retain a copy of their network settings after the conversion process is complete.


2. Upload the source Standard Network Settings file: 

• Click Browse.
• Navigate to and select the source SonicOS Standard Settings file.


• Click Upload.
• Click the right arrow to proceed.


3. Review the source SonicOS Standard Settings Summary page.

This page displays useful network settings information contained in the uploaded source Network Settings file. For testing purposes, the LAN IP of the appliance can be changed on this page in order to deploy it in a testing environment.

            • (Optional) Change the LAN IP address of the source appliance to that of a target testing appliance.
            • Click the right arrow to proceed.


4. Select the target SonicWALL appliance for the Enhanced deployment from the available list.

SonicOS Enhanced is configured differently on various SonicWALL appliances, mostly to support different interface numbers. As such, the converted Enhanced Network Settings file must be customized to the appliance targeted for deployment.


5. Complete the conversion by clicking the right arrow to proceed.
6. Click the download button and save the new target SonicOS Enhanced Network Settings file.


 

SonicOS Standard to Enhanced Preferences Caveats List
Common Items
A number of features are shared in SonicOS Standard and Enhanced, leading to elements represented similarly between STD and ENH network settings files. Such common elements are translated to the new Enhanced file.
Not Supported Items
The following items from the SonicOS UI and preferences tags are not supported:
            • In Network->Intranet, the settings for the network ranges listed here are not supported when the checkbox is set to “Specified address ranges are attached to the WAN link.”
 
            • In the VPN policy creation, there is a checkbox named "Forward packets to remote VPNs". This setting is normally used in a hub and spoke VPN scenario. In ENH, the local and destination networks are explicitly specified. This setting is translated only when there is more than one VPN policy that has the checkbox enabled. This is supported in ENH firmware by adjusting the local networks of each policy to include the remote networks of every other policy.

            • When translating access rules, the destination IP addresses are compared to the entries from the One-to-One NAT table. When a matching range is found in that table, the destination network in the translated access rule will contain the public IP address object rather than the private address object.

            • For firewalls with WLAN connections, there is a checkbox and a configuration section in WGS->Settings called "Enable URL Allow List for Unauthenticated Users". In ENH, this has been replaced with address objects, and address objects do not currently support URLs.

            • Certificates are not translated at all as these belong to unique firewalls.
            • Upgrade keys are not translated as these are unique to each firewall.
Naming Conventions
The biggest difference between SonicOS Standard and Enhanced is the way that Enhanced increases network policy granularity through the use of network objects. While initially time consuming to set up, an extensive object library allows a network administrator to define very specific and effective network policies.
As part of the conversion to Enhanced, the Standard policies found in the Standard Network Settings file are broken down into logical network objects and are named in the following way:
VPN Policies
            • The destination networks in VPN policies are replaced with address objects. The naming convention for the address objects created are: “policy-name”-local and “policy-name”-remote.

            • Access rules are also created depending on the checkboxes per policy.

            • STD VPN Policies refer to their local networks using the termination point. There are three choices: a) LAN, b) DMZ and c) LAN and DMZ. To support this in ENH, the local networks are pointed to the appropriate subnets object. If the termination point is LAN and DMZ, an address group containing both the LAN and DMZ subnets is created and used as the policy's local network.
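The VPN rules above (termination point, the -local/-remote naming, and "Forward packets to remote VPNs") can be modelled in a few lines to see which tunnels end up with a wider local network after conversion and therefore deserve review. This is an added example, not the converter's code; the data layout and addresses are constructed, and it assumes "every other policy" means the other policies that also have the checkbox enabled.

```python
# Added illustration of the VPN translation rules above. The dict layout and
# all addresses are constructed; this is not the SonicOS settings-file format.
SUBNETS = {"LAN": ["192.168.1.0/24"], "DMZ": ["172.16.1.0/24"]}
POLICIES = [
    {"name": "BranchA", "termination": "LAN", "remote": ["10.1.0.0/16"],
     "forward_to_remote_vpns": True},
    {"name": "BranchB", "termination": "LAN and DMZ", "remote": ["10.2.0.0/16"],
     "forward_to_remote_vpns": True},
    {"name": "Partner", "termination": "DMZ", "remote": ["10.9.0.0/24"],
     "forward_to_remote_vpns": False},
]

def local_networks(termination):
    """Map the STD termination point to the ENH local subnets."""
    if termination == "LAN and DMZ":
        return SUBNETS["LAN"] + SUBNETS["DMZ"]  # modelled as one address group
    return list(SUBNETS[termination])

def translate_vpn(policies):
    """Return {address object name: networks} for every converted policy."""
    forwarding = [p for p in policies if p["forward_to_remote_vpns"]]
    # The checkbox is translated only when more than one policy enables it.
    hub_mode = len(forwarding) > 1
    objects = {}
    for p in policies:
        local = local_networks(p["termination"])
        if hub_mode and p["forward_to_remote_vpns"]:
            # Assumption: only the other forwarding policies contribute.
            for other in forwarding:
                if other is not p:
                    local += [n for n in other["remote"] if n not in local]
        objects[f'{p["name"]}-local'] = local
        objects[f'{p["name"]}-remote'] = list(p["remote"])
    return objects

def widened(policies):
    """Names of policies whose local side grew beyond the termination point."""
    objs = translate_vpn(policies)
    return sorted(
        p["name"] for p in policies
        if set(objs[f'{p["name"]}-local']) - set(local_networks(p["termination"]))
    )

if __name__ == "__main__":
    for name, nets in translate_vpn(POLICIES).items():
        print(name, nets)
    print("review:", widened(POLICIES))
```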
 
Address Objects
            • The naming convention for address objects is to use the IP address as the object's name.
 
Interfaces
            • Ungrouped items referring to LAN/WAN/DMZ in STD are set to the correct interface and zone objects in ENH.
            • If LAN subnets are supported in ENH, the tool creates the appropriate ARP entry/ies, routing entry/ies and address objects.
 
Access Rules
            • Address Objects referring to the source/destination are created.

            • Schedule objects are created if a time constraint is configured in Standard.

            • In Standard, certain services can be configured to pass through the firewall from LAN to WAN unimpeded (i.e., the access rules are ignored). A Service Object group is created for these services and an access rule allowing the traffic for these services to flow between LAN/WAN.

            • HTTP/HTTPS/Ping/SNMP management are derived from default rules in STD and set in the proper interfaces in ENH.

            • The order of the access rules in Standard is not followed when translated to ENH because the access rules from Standard can have multiple equivalents in ENH. Also, the default rules are ensured to remain as the lowest priority.


NAT Policies
            • SonicOS Standard One-to-One NAT policies are translated to appropriate NAT policies in SonicOS Enhanced, which may include the creation of address objects when necessary. Note that to support One-to-One NAT correctly, an individual address object must be created for each IP address in the address ranges specified in a One-to-One NAT policy.
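The sketch below combines the One-to-One NAT range expansion described here with the access-rule caveat from the Not Supported Items list (a destination that matches a One-to-One NAT range is replaced by the public address object), so the rewritten rules can be listed for review after conversion. It is an added example, not the converter's code; the field names, addresses and the single-IP rule destinations are constructed assumptions.

```python
import ipaddress

# Constructed sample data; field names are hypothetical and do not reflect
# the SonicOS settings-file format.
NAT_TABLE = [
    {"private_start": "192.168.1.10", "public_start": "203.0.113.10", "length": 3},
]
RULES = [
    {"service": "HTTPS", "source": "WAN", "destination": "192.168.1.11"},
    {"service": "SMTP", "source": "WAN", "destination": "192.168.1.50"},
]

def expand_nat(entry):
    """Expand one range into (private, public) pairs, one pair per IP."""
    priv = ipaddress.IPv4Address(entry["private_start"])
    pub = ipaddress.IPv4Address(entry["public_start"])
    return [(str(priv + i), str(pub + i)) for i in range(entry["length"])]

def address_objects(table):
    """Every address object the expansion needs, each named after its IP."""
    names = []
    for entry in table:
        for priv, pub in expand_nat(entry):
            names += [priv, pub]
    return names

def translate_rules(rules, table):
    """Swap a private destination for its public object when NAT matches."""
    mapping = {priv: pub for e in table for priv, pub in expand_nat(e)}
    out = []
    for rule in rules:
        dest = mapping.get(rule["destination"], rule["destination"])
        out.append({**rule, "destination": dest,
                    "rewritten": dest != rule["destination"]})
    return out

def rewritten_rules(rules, table):
    """Converted rules that now point at a public address object."""
    return [r for r in translate_rules(rules, table) if r["rewritten"]]

if __name__ == "__main__":
    print(len(address_objects(NAT_TABLE)), "address objects")
    for r in translate_rules(RULES, NAT_TABLE):
        print(r)
```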
 
Services
            • Default Service items in STD are translated to equivalent ENH address objects.
            • Additional service items are also translated into new service objects.
            • Service Object groups were supported in STD by using similar names. An equivalent ENH service object group is created in this case.
 
DHCP Server
            • Dynamic and Static lease settings require creation of their equivalent ENH settings.
 
IP Helper
            • NetBIOS settings in STD are supported by creating appropriate IP Helper policies. This is not supported yet.
 
Users
            • Local users are translated to equivalent ENH users.
            • Passwords are copied over to ENH and the tool also updates the tag that is used for encryption.
            • User properties were supported by checkboxes in STD. This is supported in ENH by adding the user to a group that supports the property (e.g., Limited Admin, Bypass Auth, etc.)
 
Wireless
            • If WLAN restricts certain MAC addresses, MAC address objects are created and added to a group of objects with the name “WLAN ACL MAC Access Denied”.
            • If WLAN allows certain MAC addresses, MAC address objects are created and added to a group of objects with the name “WLAN ACL MAC Access Allowed”.
            • The set of authorized access points also requires the creation of MAC address objects and a group.
            • Guest Profiles are translated to ENH directly.
            • Configured items in Wireless guest services are translated to correct users in ENH.
 
Static Routes
            • Static routes are translated by creating address objects for the destination network, the gateway and adding the static route in the routing section for the ENH firmware.
 
Transparent Mode
            • Transparent mode between WAN and DMZ is translated by creating address objects for each of the ranges defined and then creating an address group containing the address objects created. The address group is then used for the DMZ configuration in ENH.

            • Transparent mode between WAN and LAN is supported in a similar manner as the WAN/DMZ pairing and the network ranges are created depending on the settings from the Network->Intranet page in Standard.
Authored by: Guru Corner
Article Number: 118
Created: 2010-03-26 12:04 AM