Is Sonicwall and Solarwinds ever going to work together?

I had an NSA250; now I have a TZ400. All current.

Firmware Version: SonicOS Enhanced 6.2.7.1-23n

Safemode Version: SafeMode 6.2.3.9

ROM Version: SonicROM 5.6.2.1

Netpath will NOT work unless these 3 things are UNCHECKED...

  • Enable Stealth Mode
  • Randomize IP ID
  • Decrement IP TTL for forwarded traffic

See pic...

2017-04-26_15-57-25.png

BUUUT... I do NOT know the risk(s) of leaving them unchecked.

Test it and you will see. Sonicwall NOR Solarwinds can fix this and I have case numbers to prove it.  Had we known this before we dropped $10k on Solarwinds...

Meh!

0 Kudos
1 Solution

You are at odds here, the security appliance has those options to make itself invisible or harder to identify by remote tools, and you are trying to use a remote tool to gain visibility into the firewall as packets move past it.  You will be hard pressed to come up with a solution that will make both happen at the same time.

Network security is always a balancing act between being gentle enough to not interfere with the intended uses of the network versus keeping things locked down enough that outsiders can't abuse it.  Unchecking those options will make your firewall more visible to outsiders, and it will allow your internal tool to function.  Only your organization can weigh those risks and decide if the Netpath feature provides you enough value today to make it worth the risk of an outside party identifying your firewall in hopes of finding a vulnerability against that product line.

Netpath is neat but I would never consider it a deal breaker in terms of feeling like I am getting value from my Solarwinds purchase, it is just an icing kind of thing to me to go along with the core functionality as an NMS.

- Marc Netterfield, Github

4 Replies

NetPath follows rules similar to Traceroute. These Detection Prevention options are designed to obscure network replies.

Traceroute uses TTL increment increase as notification that a layer 3 exists. From How Trace Route Works: TTLs

          Trace Route works by setting the TTL for a packet to 1, sending it towards the requested destination host, and listening for the reply. When the initiating machine receives a "time exceeded" response, it examines the packet to determine where the packet came from - this identifies the machine one hop away. Then the tracing machine generates a new packet with TTL 2, and uses the response to determine the machine 2 hops away, and so on.

Decrement IP TTL for forwarded traffic, from Configuring Advanced Firewall Settings (SW12547): Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. Select this option to decrease the TTL value for packets that have been forwarded and therefore have already been in the network for some time.

Enable Stealth Mode, from What is Stealth Mode? (SW3859):

     Normally, when a connection is attempted to the SonicWall or a node behind it from the WAN or DMZ, the SonicWall sends a reset packet back to the client that initiated the connection then drops it. This is the correct behavior based on the IP protocol specifications. However, some users prefer that security devices not respond at all, as any response confirms that a device exists at the IP address to which the client tried to connect. If the security device does not respond, the result is as if the remote node is trying to connect to an IP address that is not assigned to anything. This is known as stealth mode.

Randomize IP ID, from Configuring Advanced Firewall Settings (SW12547): Select Randomize IP ID to prevent hackers using various detection tools from detecting the presence of a security appliance. IP packets are given random IP IDs, which makes it more difficult for hackers to “fingerprint” the security appliance.

sean.martinez
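
The TTL probing described in the reply above, as a small simulation added here for illustration (not part of the original thread and not SolarWinds or SonicWall code). The hop names and the two per-hop flags are constructed assumptions; they model generic hop behaviour, not specific SonicOS settings.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    name: str
    decrements_ttl: bool = True       # False: forwards packets with TTL untouched
    sends_time_exceeded: bool = True  # False: drops expired packets without replying

def probe(path, ttl):
    """Send one probe; return the name of the node that answers, or None."""
    for hop in path[:-1]:             # every node before the destination forwards
        if not hop.decrements_ttl:
            continue                  # this hop never expires a packet
        ttl -= 1
        if ttl == 0:                  # packet expired at this hop
            return hop.name if hop.sends_time_exceeded else None
    return path[-1].name              # probe reached the destination, which answers

def trace(path, max_ttl=16):
    """Raise the TTL one step at a time, as in the quoted traceroute description."""
    seen = []
    for ttl in range(1, max_ttl + 1):
        reply = probe(path, ttl)
        seen.append(reply or "*")     # "*" marks a probe that got no answer
        if reply == path[-1].name:
            break
    return seen

def build_path(**firewall_flags):
    # Constructed four-node path; only the firewall's behaviour is varied.
    return [Hop("lan-router"), Hop("firewall", **firewall_flags),
            Hop("isp-router"), Hop("server")]

if __name__ == "__main__":
    print(trace(build_path()))                           # every hop is listed
    print(trace(build_path(decrements_ttl=False)))       # firewall absent from the path
    print(trace(build_path(sends_time_exceeded=False)))  # firewall shows as "*"
```

A hop that forwards without decrementing the TTL disappears from the result entirely, while a hop that expires packets silently leaves a gap the tracer cannot attribute to any device.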

Thank You!

Great feedback and much appreciated info.

That said... if Netpath won't work with ANY one of those checked... do you think it's safe to un-check them permanently?

If not... any idea how to make Netpath work with those enabled?

0 Kudos

Good point. Yeah, I agree it's better to be safe than sorry.  I guess I can disable them temporarily if needed.  The downside is the more we move things into the cloud the more Netpath would be handy and also having a history in Netpath. 

0 Kudos