Affected SonicWALL Security Appliance Platforms:
PRO 1260, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ150, TZ150W
E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400,
Gen5 TZ Series:
TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
Gen4: PRO series:
PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040
Gen4: TZ series:
TZ 190, TZ 190 W, TZ 180, TZ 180 W
Version: All Standard Versions
Services: Standard to Enhanced settings
The SonicOS Standard to Enhanced Settings Converter is designed to
convert a source Standard Configuration Settings file to be compatible
with a target SonicOS Enhanced appliance. Due to the more advanced nature
of SonicOS Enhanced, its Configuration Settings file is more complex than
the one SonicOS Standard uses and is not compatible. The Settings
Converter creates an entirely new target Enhanced Settings file based on
the network settings found in the source Standard file. This allows for a
rapid upgrade from a Standard deployment to an Enhanced one with no time
wasted in re-creating network policies.
Note: SonicWALL recommends deploying the converted target Configuration
Settings file in a testing environment first and always keeping a backup
copy of the original source Configuration Settings file.
The SonicOS Standard to Enhanced
Settings Converter is available at: https://convert.global.sonicwall.com/
Please Note: If the preferences conversion fails, email your SonicOS
Standard configuration file to firstname.lastname@example.org with a
short description of the problem. In this case, you may also consider
manually configuring your SonicWALL appliance.
To convert a Standard Network Settings file to an Enhanced one:
1. Log in using your MySonicWALL credentials and
agree to the security statement.
The source Standard Network Settings file must be uploaded to
MySonicWALL as part of the conversion process. The Settings Conversion
tool uses MySonicWALL authentication to secure private network settings.
Users should be aware that SonicWALL will retain a copy of their
network settings after the conversion process is complete.
2. Upload the source Standard Network Settings file:
Navigate to and select the source SonicOS Standard Settings
Click the right arrow to proceed.
3. Review the source SonicOS Standard Settings
This page displays useful network settings information contained in
the uploaded source Network Settings file. For testing purposes, the LAN
IP of the appliance can be changed on this page in order to deploy it
in a testing environment.
(Optional) Change the LAN IP address of the source
appliance to that of a target testing appliance.
Click the right arrow to proceed.
4. Select the target SonicWALL appliance for the
Enhanced deployment from the available list.
SonicOS Enhanced is configured differently on various SonicWALL
appliances, mostly to support different interface numbers. As such, the
converted Enhanced Network Settings file must be customized to the
appliance targeted for deployment.
5. Complete the conversion by clicking the right
arrow to proceed.
6. Click the download button and save the new target SonicOS Enhanced
Network Settings file.
SonicOS Standard to Enhanced Preferences Caveats List
A number of features are shared in SonicOS Standard and Enhanced, leading
to elements represented similarly between STD and ENH network settings
files. Such common elements are translated to the new Enhanced file.
Not Supported Items
following items from the SonicOS UI and preferences tags are not
the settings for the network ranges listed here are not supported when
the checkbox is set to Specified address ranges are attached to the WAN
In the VPN policy creation,
there is a checkbox named "Forward packets to remote VPNs". This setting
is normally used in a hub and spoke VPN scenario. In ENH, the local and
destination networks are explicitly specified. This setting is
translated only when there is more than one VPN policy that has the
checkbox enabled. This is supported in ENH firmware by adjusting the
local networks of each policy to include the remote networks of every
When translating access rules, the destination IP addresses
are compared to the entries from the One-to-One NAT table. When a
matching range is found in that table, the destination network in the
translated access rule will contain the public IP address object rather
than the private address object.
For firewalls with WLAN connections, there is a checkbox
and a configuration section in WGS->Settings called "Enable URL Allow
List for Unauthenticated Users". In ENH, this has been replaced with
address objects, and address objects at the moment do not support URLs.
Certificates are not translated at all as these belong to
Upgrade keys are not translated as these are unique to each
The biggest difference between SonicOS Standard and Enhanced
is the way that Enhanced increases network policy granularity through
the use of network objects. While initially time consuming to set up, an
extensive object library allows a network administrator to define very
specific and effective network policies.
As part of the conversion to Enhanced, the Standard policies
found in the Standard Network Settings file are broken down into logical
network objects and are named in the following way:
The destination networks in VPN policies are replaced with
address objects. The naming convention for the address objects created
is: policy-name-local and policy-name-remote.
Access rules are also created depending on the checkboxes per
STD VPN Policies refer to their local networks using the
termination point. There are three choices: a) LAN, b) DMZ and c) LAN
and DMZ. In order to support this in ENH, the local networks are pointed
to the appropriate subnets object. If the termination point is LAN and
DMZ, an address group containing both the LAN and DMZ subnets is created
and used as its local network.
The naming convention for address objects is to use the IP
address as its name as well.
Ungrouped items referring to LAN/WAN/DMZ in STD are set to
the correct interface and zone objects in ENH.
If LAN subnets are supported in ENH, the tool creates the
appropriate ARP entry/ies, routing entry/ies and address objects.
Address Objects referring to the source/destination are
Schedule objects are created if a time constraint is
configured in Standard.
In Standard, certain services can be configured to pass
through the firewall from LAN to WAN unimpeded (i.e., the access rules
are ignored). A Service Object group is created for these services and
an access rule allowing the traffic for these services to flow between
HTTP/HTTPS/Ping/SNMP management are derived from default
rules in STD and set in the proper interfaces in ENH.
The order of the access rules in Standard is not followed
when translated to ENH because the access rules from Standard can have
multiple equivalents in ENH. Also, the converter ensures that the
default rules remain at the lowest priority.
SonicOS Standard One-to-One NAT policies are translated to
appropriate NAT policies in SonicOS Enhanced, which may include the
creation of address objects when necessary. Note that in order to
support One-to-One NAT correctly, the address ranges specified in a
One-to-One NAT policy require an individual address object to be created
for each IP address in the range.
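The two One-to-One NAT behaviors described in this list (access rule destinations replaced by the public address object, and one address object per IP address in a NAT range) can be checked against a converted file in the testing environment. The following Python is an added example, not SonicWALL code: the NatRange model, the rule dictionaries keyed by rule name, and the sample addresses are assumptions constructed for illustration, and it covers single-IP rule destinations only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRange:
    """Hypothetical model of one Standard One-to-One NAT row."""
    private_start: str
    public_start: str
    length: int

def address_objects(nat):
    """Per-IP (private, public) object names for one NAT range.
    Per the page, each address object is named after its IP address."""
    priv = ipaddress.IPv4Address(nat.private_start)
    pub = ipaddress.IPv4Address(nat.public_start)
    return [(str(priv + i), str(pub + i)) for i in range(nat.length)]

def expected_destination(dest_ip, nat_table):
    """Object name the converted access rule should use as its destination."""
    for nat in nat_table:
        mapping = dict(address_objects(nat))
        if dest_ip in mapping:
            return mapping[dest_ip]   # public object replaces the private one
    return dest_ip                    # no One-to-One NAT match: unchanged

def audit(standard_rules, converted_rules, nat_table):
    """List (rule, expected, found) where the converted destination differs.
    Matching rules by name is an assumption: the page notes that rule order
    is not preserved and one Standard rule can have several ENH equivalents."""
    findings = []
    for name, dest_ip in standard_rules.items():
        want = expected_destination(dest_ip, nat_table)
        got = converted_rules.get(name)   # None if the rule is missing
        if got != want:
            findings.append((name, want, got))
    return findings

# Constructed sample data (documentation address ranges, not from the page).
NAT_TABLE = [NatRange("192.168.10.20", "203.0.113.20", 3)]
STANDARD_RULES = {"web-in": "192.168.10.21", "mail-in": "192.168.10.22",
                  "lan-dns": "192.168.10.53"}
CONVERTED_RULES = {"web-in": "203.0.113.21", "mail-in": "192.168.10.22",
                   "lan-dns": "192.168.10.53"}

if __name__ == "__main__":
    for name, want, got in audit(STANDARD_RULES, CONVERTED_RULES, NAT_TABLE):
        print(f"{name}: expected destination {want}, converted file has {got}")
```

Any rule the audit reports is one whose destination in the converted file should be reviewed by hand before the file is deployed outside the testing environment.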
Default Service items in STD are translated to equivalent ENH
Additional service items are also translated into new service
Service Object groups were supported in STD by using similar
names. An equivalent ENH service object group is created in this case.
Dynamic and Static lease settings require creation of their
equivalent ENH settings.
NetBIOS settings in STD are supported by creating appropriate
IP Helper policies. This is not supported yet.
Local users are translated to equivalent ENH users.
Passwords are copied over to ENH and the tool also updates
the tag that is used for encryption.
User properties were supported by checkboxes in STD. This is
supported in ENH by adding the user to a group that supports the
property (e.g., Limited Admin, Bypass Auth, etc.)
If WLAN restricts certain MAC addresses, MAC address objects
are created and added to a group of objects with the name WLAN ACL MAC
If WLAN allows certain MAC addresses, MAC address objects are
created and added to a group of objects with the name WLAN ACL MAC
The set of authorized access points also requires the creation
of MAC address objects and a group.
Guest Profiles are translated to ENH directly.
Configured items in Wireless guest services are translated to
correct users in ENH.
Static routes are translated by creating address objects for
the destination network, the gateway and adding the static route in the
routing section for the ENH firmware.
Transparent mode between WAN and DMZ is translated by
creating address objects for each of the ranges defined and then
creating an address group containing the address objects created. The
address group is then used for the DMZ configuration in ENH.
Transparent mode between WAN and LAN is supported
in a similar manner as the WAN/DMZ pairing and the network ranges are
created depending on the settings from the Network->Intranet page in