Sonic Wall Alternatives?

mikeblas ([H]ard|DCer of the Month - May 2006; joined Jun 26, 2004; 12,777 messages)
I have a SonicWall TZ300, and I'm growing increasingly disappointed with it.

The most recent issue is that the content protection feature prevents my TiVo devices from contacting the TiVo service servers, and took them offline. This was caused by a recent update. Unfortunately, I can't find any documentation that explains how I can investigate what packets get dropped or filtered by which rules or policies. Further, I can't even figure out how to edit the policies in the content filtering settings.

SonicWall support hasn't been great, but ever since the Dell purchase a few years ago it's absolutely in the toilet.

What alternatives are there? I'm thinking of getting a WatchGuard device, since I had one in the early 2000s and their service was great. Any others that I can consider?

On the outside chance, any advice on finding good docs about configuring Content Filtering, or tracing packets that were filtered?
 
Why not give the tivo a static ip address on your network and white list it from the content filtering? You can apply the policy by ip range.
 
Why not give the tivo a static ip address on your network and white list it from the content filtering? You can apply the policy by ip range.

I have six TiVos. For each one, I'd have to create a DHCP reserved static IP address on my DHCP Servers. Then, separately create address objects in the SonicWall. Then, set up the exception.

That's tedious and error-prone; instead, I tried creating an IP Address range object for the public TiVo servers and tried to set that up as an exception for all of the LAN traffic. It didn't work.

It would be far easier (and correct, IMO) to alter or disable the offending content filtering rule. Except that I can't find any documentation which describes how to find the failing rule, and how to edit the rules in question.
 
Get a fortinet, unless you want to build something yourself.

The Fortinet 60D looks like it's about my speed. Why do you recommend it?

I'm not interested in building something myself because I don't have the time, and want the higher reliability of an appliance.
 
Not K1pp3r, but I personally use a Fortigate 140D at home and have many customers that use Fortinet, Checkpoint and Palo Alto firewalls. Their cost, performance and ease of use make Fortinet boxes hard to beat. I'm not going to go on about them, but you can easily have multiple content filtering (or IPS/AV/AC/SSL) policies (or none) based on source, destination or both. If you have any specific questions let me know and I can try to answer them.
 
I'll add to the above and say that the integrated wireless controller that is included in all their firewalls is another huge plus.
 
Unless you need easy QoS or a subscription-type filtering, pfSense is great.
 
>>I have six TiVos. For each one, I'd have to.....

I think I'd take swatbat's advice on this. It's only 6 boxes, not like it's 40 of them.

Make yourself a spreadsheet with the names on the boxes and IP addresses.
Should be really easy to do.

The thing is, any replacement router you get is going to need some rules and programming too, correct?
You're not really going to gain much, if anything, moving to a different router.

I like SonicWall routers except for the silly VPN licensing costs. I have a number of them at customer sites
and they give me very little trouble.

But as far as SonicWall alternatives.....

I was using the Cisco/Linksys RV082 as a cheaper alternative but they have their own issues and are EOL
discontinued now.

I bought a Ubiquiti ERLITE-3 for my home network and to eval for customer use..... so far so good, I like it a lot.
The setup is a little odd, not really difficult to figure out. Even with the latest firmware, there are still some
things you have to do using the CLI. Not terrible however and there is plenty of online info on them.

Something like that sounds like more than you want to tackle though.

I'm with swatbat..... keep the SonicWall and simply whitelist the Tivo boxes.

ETA: Update the firmware on the SonicWall if it needs it.

ETA2: You could also look at just moving content filtering off of the router.

https://signup.opendns.com/homefree/


 
The Fortinet 60D looks like it's about my speed. Why do you recommend it?

Their hardware is solid, it's a good all-around firewall for what you described needing, and support is pretty good on them.

At their pricepoint, they are hard to beat in a lot of cases.
 
>>I have six TiVos. For each one, I'd have to.....

I think I'd take swatbat's advice on this. It's only 6 boxes, not like it's 40 of them.

Make yourself a spreadsheet with the names on the boxes and IP addresses.
Should be really easy to do.
It should be even easier to modify the offending content filtering rule, shouldn't it?


I like SonicWall routers except for the silly VPN licensing costs. I have a number of them at customer sites
and they give me very little trouble.
How are you enabling tracing to find which CF or FW rules are causing which packets to drop? The logging page in the UI simply doesn't work, as far as I can tell.


ETA: Update the firmware on the SonicWall if it needs it.
A firmware update is what got me here. Version n-2 or so didn't have a problem. After upgrading, my TiVos couldn't phone home. I reasoned out that something changed in the CF since then, as disabling it lets the TiVos connect. To me, the ideal (and obvious, really) solution would be to figure out what the offending rule is and disable or edit it. But I can't get the SonicWall to log anything about dropped packets or rule triggers. And I can't even find UI that would let me enumerate the details of the rules in question. Since you're experienced with SonicWalls, do you have any tips in this area?

ETA2: You could also look at just moving content filtering off of the router.
I guess if I hadn't already paid for CF as a primary feature in the SonicWalls, I'd be inclined to accept the complexity of a secondary solution.
 
It's been a while since I had a need to enable full logging on a SonicWall, it was years ago.
I think it may have been in an environment that had a lot of SonicWalls and logging for all of them was being dumped to a server.

Try this, I've used the Kiwi syslog before:

https://support.sonicwall.com/kb/sw5106

In the interest of a simple solution on this.... turn off the CF on the SonicWall and try the FREE CF on the link I posted.

You are making this too difficult..... just saying.

ETA: You could just try the Free content filtering with any spare router too (cheap wireless, etc.).
No need to even make any changes to the SonicWall then.

 
A firmware update is what got me here.

That doesn't surprise me one bit. Support is always on you about updating firmware, but they ALWAYS release firmware that is buggy as hell. Every time I have updated SonicWall firmware, it screws something up.
 
Fortinet is my choice of firewall in that space these days. I'm not a fan of the Watchguard way of doing things.
 
If you are on 5.9/6.x series firmware, you need to enable content filter blocks to be logged. I don't believe they are by default.

Security Services/Content Filter: click the Configure button under content filter type. In the resulting popup, under "If url is marked as forbidden", make sure "Log access to URL" is checked.

And then under Log/Settings. Expand the Security Services section. Find Content Filter. Make sure the log level is set to Inform, and "GUI" is Enabled (green). If you don't do this part, content filter messages will not appear in the log.
 
Spartacus is completely right here. Creating the exceptions you need in the Sonicwall is extremely easy, and would take you a matter of minutes on such a small network. The TZ 300+ line has been fantastic, and would serve you very well.
 
Fortinet for the win. I had a 92D that was provided by my employer. When I left them I snagged a 61E. Will probably run Fortinet for life unless Palo drops in price drastically.
 
If you are on 5.9/6.x series firmware, you need to enable content filter blocks to be logged. I don't believe they are by default.

I'm using SonicOS Enhanced 6.2.6.1-25n, specifically.

Security Services/Content Filter: click the Configure button under content filter type. In the resulting popup, under "If url is marked as forbidden", make sure "Log access to URL" is checked.
I have no such UI. On the "Content Filter" page, there's no "Configure" button near the "content filter type" setting.

[Image: SonicWallNoConfigure.png]

And then under Log/Settings. Expand the Security Services section. Find Content Filter. Make sure the log level is set to Inform, and "GUI" is Enabled (green). If you don't do this part, content filter messages will not appear in the log.
On the logging page, I have the "CFS Alert", "Website Accessed" and "website Blocked" rows for "Content Filter" set to "Error", and marked to write to SysLog. The logging level is set to "Inform" at the alert level "Warning".

Yet, in culling the logs, I see no indication that access was blocked -- or why.

I've deduced that the "cfsZonePolicy0" (for the LAN) is what's causing the TiVo update to fail. My understanding is that the rule in the "action" column dictates what happens when the policy is triggered. The UI for editing the CFS Action object (on the "Content Filter Objects" page under "Firewall") has a config button -- but this allows me to edit HTML that would be shown to an interactive user when something is filtered. There's "enable flow reporting", but that's for the AppFlow feature I believe.

The "CFS Default Profile" is configured as default. It allows all categories, including "Not Rated" and "Other". I have no explicit "allowed URI" list, and no explicit "Forbidden URI" list.

The good news is that, in fussing around with the logging settings, I finally figured out that the problem was my exclusion list. I built an address group to collect three or four ranges of Internet IPs that TiVo uses. I botched that: the address group existed, but didn't have the individual address ranges in it. (Probably because I forgot to click "apply" or "Accept" in the byzantine SonicWall UI).

Fixing the exclusion address group allows me to set an exclusion for accessing the TiVo servers, and I far prefer this solution over manually configuring and managing IPs for a variable number of devices. If I buy a new TiVo, I can just plug it in and it works with the server-range exceptions on the WAN side; had I configured LAN-side exceptions, a new device would mean editing DHCP settings on my domain servers, finding a reservation, updating a spreadsheet (backing that up, too), creating a new address object, editing the exception list, and testing.

I'm still terribly puzzled at why the SonicWall doesn't provide any meaningful logs when the content filtering prevents a connection.
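The logging steps Spartacus gave above and the empty-address-group mistake mikeblas found both come down to the same check: pull the content-filter block events out of the syslog feed and see whether the destinations being blocked actually fall inside the exclusion address group. The script below is an added example, not code from the thread or from SonicWall. It assumes only the general key=value syslog shape SonicWall appliances emit (`msg="..." src=ip:port:iface dst=ip:port:iface`); the serial number, timestamps, addresses and the exact wording of the blocked message are constructed placeholders, and the match on the substring "blocked" is an assumption you should adjust to whatever text your firmware logs for the "Website Blocked" category.

```python
"""Audit SonicWall-style content-filter syslog lines against an exclusion
address group.  Sample log lines below are constructed for this example,
not captured from a real device."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the general key=value syslog shape.
# sn=, time=, src=, dst= and the msg wording are placeholders.
SAMPLE_LOG = """\
id=firewall sn=PLACEHOLDER time="2017-03-01 10:00:01" pri=5 msg="Web site access allowed" src=192.168.1.50:51000:X0 dst=93.184.216.34:443:X1
id=firewall sn=PLACEHOLDER time="2017-03-01 10:00:02" pri=4 msg="Web site access blocked" src=192.168.1.71:52311:X0 dst=203.0.113.10:443:X1
id=firewall sn=PLACEHOLDER time="2017-03-01 10:00:03" pri=4 msg="Web site access blocked" src=192.168.1.72:52312:X0 dst=203.0.113.11:80:X1
id=firewall sn=PLACEHOLDER time="2017-03-01 10:00:04" pri=4 msg="Web site access blocked" src=192.168.1.73:52313:X0 dst=198.51.100.5:443:X1
"""

# key=value pairs; values are either double-quoted (may contain spaces,
# backslash-escaped quotes) or a bare run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of the key=value fields on one syslog line."""
    fields = {}
    for key, raw in _KV.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def host_of(endpoint):
    """'ip:port:iface' -> 'ip'."""
    return endpoint.split(":")[0]


def blocked_destinations(log_text):
    """Count destination IPs whose access the content filter blocked.
    Assumption: a block event carries 'blocked' in its msg= text."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if "blocked" in f.get("msg", "").lower() and "dst" in f:
            counts[host_of(f["dst"])] += 1
    return counts


def audit_exclusions(log_text, exclusion_ranges):
    """Split blocked destinations into those already covered by the
    exclusion address group and those that are not.  An empty group (the
    misconfiguration described in the thread) covers nothing, so every
    blocked destination shows up as uncovered."""
    nets = [ipaddress.ip_network(r, strict=False) for r in exclusion_ranges]
    covered, uncovered = {}, {}
    for ip, n in blocked_destinations(log_text).items():
        addr = ipaddress.ip_address(ip)
        bucket = covered if any(addr in net for net in nets) else uncovered
        bucket[ip] = n
    return covered, uncovered


if __name__ == "__main__":
    # Hypothetical exclusion group with one range in it, then an empty one.
    for group in (["203.0.113.0/24"], []):
        cov, unc = audit_exclusions(SAMPLE_LOG, group)
        print(f"group={group} covered={dict(cov)} uncovered={dict(unc)}")
```

Run it against a syslog export (Kiwi or any collector) instead of `SAMPLE_LOG`: if the destinations you expect to be exempt keep landing in the uncovered bucket, the address group does not contain the ranges you think it does, which is exactly the symptom of a forgotten "Accept".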
 

I just meant that you were resistant to taking the best easiest solution.
Been there done that myself.

Good to hear you got it fixed. I've also forgotten to hit "Apply" and not realized
why my changes were not working sometimes. Usually because I don't scroll
down far enough to see the button. It happens.

Good job getting it fixed!

 
I just meant that you were resistant to taking the best easiest solution.
Oh.

I think it's that I disagree that your proposal is easier. I think it's lots harder. Maintaining a list of static IPs for a changing list of devices is not as easy as adding the WAN-side servers to an exclusion list. (Though, maybe _both_ approaches involve an "apply" button. LOLz.)

Using a third-party service (even if it's free) means I have to maintain new credentials and a new dependency, when I'd really rather just use the built-in service. Of course, the built-in service is opaque and hard to maintain by itself ... which is why I was hoping that another firewall vendor would be known to have better diagnostics, discoverability, and a more sensible UI.
 