For all the Palo Alto, Juniper and Fortinet users who're reading this, I'm already embarrassed enough. Let's skip the teasing and get to the guts of my question, because I'm sure I ain't the only one running these appliances. And if you're also embarrassed, feel free to PM me.
What's your professional guidance on upgrading their firmwares?
In the contemporary mode at mysonicwall.com, a TZ300 will say the latest firmware is a 6.5.4.3. But if I look in classic mode, all versions are available for download. Classic also reveals that the general release is 6.5.1.3, and that 6.5.4.3 is a recent feature release.
Phone support always pushes for the latest release, but my practice is to stick with the most stable release, and not to upgrade at every turn. So are there any early adopters? All fourteen of you Sonicwall users should respond! Thanks!
@ericgeater wrote:
Phone support always pushes for the latest release, but my practice is to stick with the most stable release, and not to upgrade at every turn. So are there any early adopters? All fourteen of you Sonicwall users should respond! Thanks!
So from my experience, regardless of the technology being used, the first answer from phone support is "push the latest release and that will fix the issue".
Unfortunately that does not always work but it is their "stock and standard" answer. So you go away, upgrade to a potentially flaky version of the software/firmware and still have the issue.
We went through this many times when things stopped working or began working differently and we had to spend hours on the phone trying to convince first level support that yes we were at the most recent version before they would escalate internally.
So no jokes about SonicWall, it seems to be a trait of the industry 😉
Regards
Diana
Sticking to a stable version of software might sound like an attractive idea, particularly if you don't want to risk some undocumented bug causing havoc in your organization. Then there's the other side of the coin --- if a vendor-supported solution isn't up-to-date, they aren't likely to accept responsibility for anything that goes wrong with it and may not provide assistance to resolve issues.
I'll give you an example involving Juniper firewalls. After observing something unusual during manual config backups, we contacted support. They gathered info & did some troubleshooting, but made no progress, and finally told us this:
'This behavior may be attributable to an undocumented bug in the older firmware that the customer is using. The customer is advised to upgrade to version <> to rule this out --- after which we can provide further assistance.'
(In other words, they couldn't explain it either --- but if we wanted to avail of their support, we had to upgrade to the latest stable version.)
After this, things went fine until we tried out an application control feature. It didn't work perfectly --- when we contacted support they asked us to upgrade to the latest firmware version again. Seeing a pattern?
I am grateful for this type of "strong-armed" solution, as long as the devices can go backwards in version if something screws up.
My hesitance on upgrades is always born from knowing that we rarely have a Plan B solution; that we are applying a fix to production equipment -- but I guess that's a risk every time.
Thanks for your response!
You should generally be okay on N-1 of releases until the new release stabilises. If the release overwrites firmware and you have no means to back it out I'd stay as is unless you need the feature you mentioned.
I've used the NSA series and they were okay as midrange single box UTMs internally within the network, but didn't have the bells and whistles you'd expect with other vendors, such as Palo Alto or Fortigate.
Sorry if that was meant for me....I do not mind private messages.
Eric,
As the community is for sharing, maybe it would be better to ask all questions on the forum. That way everyone learns and maybe someone could avoid some of the pitfalls that you and others have experienced.
Will that work for you?
Regards
Diana