How to configure SonicWall High Availability

  • Published 19 Oct 2024

COMMENTS • 89

  • @wylie500 2 years ago +8

    This was one of the most useful, clear and easy to follow videos I've seen, thank you so much.

    • @JeanPierTalbot 2 years ago

      This is one of my most favourite pieces of feedback :-) Thank you very much!

  • @dhiasalah3373 3 months ago

    Thank you Mr JeanPier, I love how you made it simple and clear.
    Question please: can we operate an EtherChannel link directly from the core switches (2 in stack) to the firewalls directly? (no L2 switch)

  • @Morenkopf100 1 year ago

    Thank you so much for this video. Now I can easily set up HA.

  • @jeffking7051 9 months ago

    Great video JPT. One question. When configuring monitoring on the X0, what's the real benefit of doing that, since in the video you didn't select the checkbox to "Allow Management on Primary/Secondary IPv4 Address"? Even if you had, what's the benefit of that versus using the dedicated management port on each firewall configured with different IPs?

  • @alschei8225 3 years ago +1

    I appreciate all your videos! I started working with new Gen7 SonicWalls so it really helps. Have you had a chance to do the Capture ATP video yet? Thanks!

  • @lio_convoy714 2 years ago +1

    Thank you so much for this video.

  • @aquadir2830 3 years ago +1

    Thank you so much... 🙏🙏🙏 It's really helpful 👍👍👍

  • @lowbrow8297 1 year ago

    Best video! Thanks for sharing. Do I have to use X0? I believe that interface is limited to 1GB. Can I use another interface instead of X0 that supports higher speeds for the HA redundancy?

    • @JeanPierTalbot 1 year ago +1

      You can use as many interfaces as you want. As long as the second firewall has them too.
      Make sure you keep x0 up. I believe it’s used as part of HA configuration/communication. You don’t need to use x0 as your main LAN traffic. It can be dedicated to management of the firewall only. (That’s what I personally do. A MGMT network where I manage the firewall, the switches, VMware, AP… that allows standard end users to not have access to those critical devices.)

  • @johnrlhunter 2 years ago

    Thank you for sharing your knowledge. One thing that bugs me is that it showed you were connected to the secondary, not primary. Then you set it to boot from the new firmware, and you said that it was installing on the passive first. Was that the primary SonicWall? If so, then you only need to upload it once, not to the individual firewalls?

    • @JeanPierTalbot 2 years ago

      Yes, you do not have to update firmware on both individually. You just connect to your HA and select to update firmware, just like if it was not a HA, and it will update both on its own. Can’t be easier!

    • @johnrlhunter 2 years ago

      @JeanPierTalbot Many thanks for replying. I have to update this weekend. I love your channel.

  • @swaminathans2452 2 months ago

    Hi Jean, is it possible to create an EtherChannel between a SonicWall firewall and Cisco switches? Will it work?

  • @pawelkaa334 1 year ago

    Thanks for this video!!! One question: can I use the same interface for both control and data?

    • @JeanPierTalbot 1 year ago +1

      I always did. But by looking at the picture of the documentation from SonicWall on how to set up HA, I think you can get away with one interface: www.sonicwall.com/support/knowledge-base/how-to-configure-high-availability-ha/170503978252820/ And the SonicWall KB here covers exactly that topic: www.sonicwall.com/support/knowledge-base/when-should-i-separate-the-high-availability-ha-control-and-data-links/181107105952121/

    • @pawelkaa334 1 year ago

      @JeanPierTalbot Thank you for the answer :) And... another question: at this moment I use only X6 according to the first document, but I like the idea of using two interfaces. Can I change it at any moment, adding another patch cord for the second interface? (And configuring it... for example X7 for data.)

    • @JeanPierTalbot 1 year ago +1

      @pawelkaa334 Sure, I never did it. So I would ensure you do that during a maintenance window :-)

  • @chrisleengo 2 years ago

    Great video! Do the two switches need to be stackable for this to work? Is the configuration the same for two standalone switches?

    • @JeanPierTalbot 2 years ago

      You can do it with a single switch. But the switch is your single point of failure. To not have a single point of failure, you need 2 switches that are stacked.

    • @chrisleengo 2 years ago +2

      @JeanPierTalbot Any recommendation on stackable switches?

    • @martinephilippe4242 1 month ago

      @chrisleengo Good question. We don't see the Dell switch model in the video... would be a good starting point.

  • @tdt375 1 month ago

    Q1: In the 2nd half of the video when you're using redundant switches, where is your PC connected? Through the phone? I only ever saw you plug in one device to the access switch that you called your phone.
    Q2: In the 2nd half of the video when you're using redundant switches, you enabled port redundancy for the voice (x12/x13) and data (x0/x2) VLANs but then only disabled STP on the switch ports used for the voice VLAN, why?

  • @kellybrady4229 1 year ago

    Let's say I start with one TZ670, and I have two ISPs set up for WAN failover if one goes down. Then I decide I want High Availability of my SonicWall hardware, so I buy another TZ670 w/HA and maybe even the Stateful Upgrade. Can I maintain both ISP failover AND HA (active/standby) by just setting up two separate VLANs for the WANs (1 for each ISP)? So I can keep going if I have 1 of my 2 ISPs go down, AND/OR keep functioning if one of the TZs has a hardware failure? Thanks as always for these great videos! SonicWall documentation is very good, but these videos let us see the *application* of the feature set much better.

    • @JeanPierTalbot 1 year ago +1

      Yes, that’s how you would do it.
      Take your switch and create 2 VLANs of 3 ports each so both firewalls have both ISPs.
      Since the firewalls are in active/passive, you do not need multiple IPs per internet line.

    • @kellybrady4229 1 year ago

      @JeanPierTalbot BRILLIANT - THANKS! Ordered two SonicWalls today and will order another next month as a result of this video!

    • @JeanPierTalbot 1 year ago

      @kellybrady4229 Terrific! Glad those videos have been helpful!
      Enjoy the holidays with your loved ones!

  • @laquil23 9 months ago

    Hi Jean, just a small question. I have a 4560 SonicWall and I am upgrading to a SonicWall 3700 with HA. Can I export the config from the 4560 and import it in my new 3700 and keep the same config as it was, then add the HA?

    • @JeanPierTalbot 9 months ago

      Yes you can.
      Have a look at my config migration video. You cannot simply export the config, it has to be sent to a config migration tool first.

  • @jamestheisen4301 2 years ago

    Hi Jean-Pier, love your videos, very helpful. I also would like to see some detail of the actual switch configuration. I am trying to set up an HA configuration using 2 TZ670s and a SWS14-24 switch. I simply do not understand the VLAN configuration involved.

    • @jamestheisen4301 2 years ago

      Also, one more quick question. In the video, you connected two ports between the two firewalls, but in the SonicWall documentation they specify one. Are two necessary?

    • @JeanPierTalbot 2 years ago

      Hi James, the second cable in HA is used for stateful synchronisation.

    • @JeanPierTalbot 2 years ago

      And I’ll do a video on SonicWall switches eventually :-)

  • @dancorrigan6417 3 years ago +1

    I would love to see a version of this video using Sonicwall switches that are managed by the firewall. HA firewalls w/ 2 Sonicwall switches is the config I'm trying to get working at the moment, but the HA and the Portshields and so forth gets a little confusing especially with traditional VLANs in the mix too

    • @JeanPierTalbot 3 years ago +1

      A few comments here.
      - SonicWall switches cannot be stacked for now. So you won’t be able to achieve what I did with the Dell switches.
      - I would suggest moving management of the SonicWall switches to the cloud. So if you change your Gen6 SonicWall for a Gen7, you don’t have to worry about the switch management. Or if a firewall needs to be replaced under warranty, again no need to worry about switch management.
      - I would advise not to use PortShield on HA firewalls.

    • @dancorrigan6417 3 years ago

      @JeanPierTalbot My firewalls are Gen7 and can manage the switches but I couldn't figure out how to make it work... especially with VLANs in the mix too.

  • @rambales8629 3 years ago

    great explanations

  • @martinck1324 1 year ago

    Hi JP!
    Question about the x0 int. on a pair of NSa 4700: we are not using x0 as we are using x25 with SFP. Do I give x0 an IP address of an unused subnet? And do I set the x0 monitoring range the same as the subnet on my x25? Thanks for the super informative video guide!

    • @JeanPierTalbot 1 year ago

      Hello Martin!
      Yes, please set x0 with a different subnet. Give it monitoring IP in the same subnet as x0. And make sure you connect network cables. Personally I would advise making x0 your dedicated management interface for your firewall. After all, why would HR and other departments have access to managing your firewall?

  • @honkhonkhank 1 year ago

    Hi, what did you do to your core switch connected to FW x0 LAN? Is it Layer 3, and did you create a LAG and connect it to the x0 and x2 interfaces?

    • @JeanPierTalbot 1 year ago

      Switch is layer 2.
      I did multiple things in that video. The recommendation I got from better-than-me colleagues is to use port redundancy on the firewall instead of LAG.

  • @michaelperugini4199 2 years ago

    Jean, I need some advice going from a 3 ISP (x7, x9, x10) 4600 to a HA (maybe like 2x 4700). Do you have a video about something like this? Do the ISP IPs get forwarded to the firewalls' ports?

    • @JeanPierTalbot 2 years ago

      I think I found your contact information in our system. The local SE should already have reached out to you to help you on this migration project.

  • @justsightsandsound 3 years ago

    Hi Jean! I am wondering if one NSA 2700 can support 4 WAN lines?
    The setup will look like this.
    There will be two NSA 2700. Each has 4 WAN lines.
    The NSA 2700s will be configured in HA.

  • @laquil23 2 years ago

    Well done awesome you saved my day

  • @aceebrole8961 2 years ago

    Jean, I also need some advice. I'm trying to HA a motherinterface, with several sub-vlans. same configuration as the one with no motherinterface. (3 untagged). Other Interface with no VLANs just works well. Hope you can help me on this. Thanks

    • @JeanPierTalbot 2 years ago

      Sorry, I’m not following you. « Motherinterface » as in a trunk? (One interface with multiple VLANs)
      It is not an issue to use a trunk in HA, just ensure you have the same VLAN settings on the switch.
      Also you mention one interface with 3 untagged VLANs. That is not possible. You can only have one untagged VLAN in a trunk.
      If you can’t get it to work, the SonicWall tech support line would be a good option.

  • @nasz687 1 year ago

    Do I need a managed switch for this to work? Can't I just replicate the primary firewall connection on the HA also? Looking to upgrade to the TZ370 HA but my network has two ISPs for failover.

    • @JeanPierTalbot 1 year ago +1

      A managed switch will be best. Otherwise you will need one switch for each network. Have a look at SonicWall switches, they are pretty inexpensive.

  • @aquadir2830 3 years ago

    Please upload more practical videos..

  • @cemiscen 3 years ago

    Hi Jean, thanks for the demo. If possible would you be able to explain the difference between link aggregation under the interface vs under the switch section?

    • @JeanPierTalbot 3 years ago

      Hi,
      I suspect “the switch section” you are referring to is portshield? If that’s the case, portshield is not supported in HA.
      www.sonicwall.com/support/knowledge-base/how-to-configure-high-availability-ha/170503978252820/

    • @cemiscen 3 years ago

      @JeanPierTalbot Hi Jean, here is the detail for both sections: network>interfaces>X#>Advanced(tab)-->redundant/aggregate ports (not sure if this provides LACP as there is no option), and the 2nd one is under switching>link aggregation-->Add (LACP option is on the list).
      Again, I'd appreciate it if you can provide any insight...

  • @charlesstuettgen1197 2 years ago

    I am looking into HA active/active clustering. Would I be able to do this with an HA device and do I need an additional static IP when switching the WAN together?

    • @JeanPierTalbot 2 years ago

      For now SonicWall does not have active/active HA. I personally prefer the stateful active/passive SonicWall does. (1) It’s WAY less expensive. (2) It feels like active/active as the HA is stateful. So everything keeps working as if nothing happened.

  • @DaleBentley-z3l 1 year ago

    Hi Jean-Pier, quick question for you re: HA Status/Licensing - you might be able to point me in the right direction. I have the Primary device license in MySonicwall with Stateful High Availability. Connected and configured HA settings on Primary selecting Active/Standby, Enable Stateful Sync, entered correct serial number of secondary device and specified Control plus Data interface.
    I can connect to Secondary device and see it is happily in Standby mode. Also this secondary device is registered in MySonicwall and the device has inherited all policies, etc from Primary.
    However on the Primary when I check HA Status all appears correct however the Stateful HA Synchronised is No, and Secondary Stateful HA Licensed is No. Any clues as to what I have missed? Obviously I do not license Secondary with same Stateful High Availability license, as that makes no sense.

    • @DaleBentley-z3l 1 year ago

      Found part of what I was looking for in MySonicWall. On Primary select Associated Products, HA Secondary and selected secondary from dropdown list. Now I have "Secondary Stateful HA Licensed" showing as Yes. Stateful HA Synchronised is still showing as No ... hmmmm. Ideas?
      Edit: waited 10 minutes and Stateful HA Synchronised now displaying Yes. SonicWall gods smiled down on me.

    • @JeanPierTalbot 1 year ago +1

      Lol. Good!
      Now test it. If you don’t, then you don’t have a HA, you have a wish list :-)

    • @DaleBentley-z3l 1 year ago

      Great advice Jean-Pier, HA thoroughly tested and works well with our 2 WAN connections too, sitting in their own VLANs. Thank you again for this particular video, must have watched it in total half a dozen times - pause, test, then go back, rewatch, rinse and repeat.

  • @jayhernandez5504 3 years ago

    How can you get training like you have for SonicWall? Do I have to enroll in SonicWall University?

  • @pawelkaa334 1 year ago

    On my SonicWall NSa2700 pair configured as HA I disabled PortShield according to SonicWall advice and... there is no auto-detecting of SonicWall switches in the interface advanced config... Is it OK? Do I have a chance to manage the SonicWall switch from the firewall in that case?

    • @JeanPierTalbot 1 year ago +1

      I would personally advise managing the switch from the cloud. Not that management from the firewall is bad, just because, one day, you might change your NSa2700 for an NSa3700 because you got growth. Or whatever newer model SonicWall will release one day. Then if the firewall is managed in the cloud, you have nothing to worry about when migrating your firewall.
      According to this, you can manage the switch with the firewall in HA if you want: www.sonicwall.com/support/knowledge-base/how-to-deploy-sonicwall-switches-when-sonicwall-utm-is-in-high-availability-mode/200610082147037/

    • @pawelkaa334 1 year ago

      @JeanPierTalbot So... everything is possible :) Thank you :)

  • @reneekoebler663 9 months ago

    I have HA installed on my current setup. I'm using the migration tool going from a NSA 2600 to 2700. Is it okay to use the migration tool on both my primary and HA, I want to just plug everything in and move my licenses over to the new devices. Everything looks good but won't know until everything is live.

    • @JeanPierTalbot 9 months ago

      No need to migrate the passive unit. Migrate the primary config to the new firewall and build your HA back.
      Best is if you can re-do your config. That way you get rid of all your « test » policies and all the « I’ll check that box if it fixes my issue ».

    • @reneekoebler663 9 months ago

      @JeanPierTalbot I cleaned up all my old policies prior to migration. I will reset the HA back to factory default and build as noted. Your videos are awesome!

  • @angelonomerfontecilla3804 3 years ago

    What is the difference if I put the HA Control Interface and HA Data Interface on the same interface, for example if I put both on X12? What are the advantages and disadvantages of putting both on one interface versus having them on separate interfaces?

  • @frankpfeiffer7645 1 year ago

    Hi, what about connecting the HA unit through x0 with factory settings? Is there not an issue with the HA unit starting DHCP on the network and making big problems?

    • @JeanPierTalbot 1 year ago

      Hi, not sure I’m following you. Yes, the firewalls in HA can be DHCP server. Keep in mind, it’s an active/passive HA. So only one firewall is working. The second one is just waiting for the main one to die and to take over :-)

    • @frankpfeiffer7645 1 year ago

      OK, but in the initial setup when I connect the HA to the network and it boots up, I am afraid that this unit is making DHCP in the network. Or can I solve this when I first register the new HA unit in MySonicWall as HA and activate HA in the active unit before physically connecting the HA unit? @JeanPierTalbot

    • @JeanPierTalbot 1 year ago

      Hum, good one. I don't know. I would advise setting up the HA in a maintenance window outside business hours. DHCP shouldn't be a problem then. :-)
      @frankpfeiffer7645

    • @frankpfeiffer7645 1 year ago

      OK, on the package of the ordered HA unit I can read HIGH Availability. Could it be that this unit has a special boot mode and doesn't react as a normal firewall and can only be configured as a HA? @JeanPierTalbot

  • @marctappa3971 2 years ago

    Any chance we can get a video configuring a Gen 7 NSA and a SMA together? Finding best practices for this configuration is difficult.

    • @JeanPierTalbot 2 years ago

      Maybe one day :-)
      My personal recommendation is to put the SMA on a dedicated interface of your NSa and to only use one interface on the SMA. That way you can control and inspect traffic of VPN users going into your network.

  • @codyhughes2591 2 years ago

    When connecting the ISP to the vlan on one switch doesn’t that allow people to be able to get into your network before it hits the firewall?

    • @JeanPierTalbot 2 years ago

      If you created a VLAN just for your WAN, no, they won’t be able to reach your LAN without going through the firewall. Unless your switch has a security vulnerability that allows jumping from one VLAN to another. I would ensure your WAN VLAN on the switch does not have an IP. So it can’t be managed from the outside.

  • @pipi_delina 1 year ago

    I just did a HA deployment for NSA 6600 but am unable to reach the second device. As a matter of fact the control and data interface is missing in the list when you go to the monitoring. Thus I am unable to assign an address to the management.

    • @JeanPierTalbot 1 year ago

      Hi Ismail.
      Best would be to call support on this.
      NSA6600 are fairly old. I wasn’t at SonicWall when those were current products and never tried HA with them.
      I would also advise trading for new units. You could save money in renewal as maybe you won’t need to go to NSa6700, maybe the 5700 would do as it probably outperforms the 6600.

    • @pipi_delina 1 year ago

      @JeanPierTalbot ok

  • @maurodiilio870 3 years ago

    So I have a GEN6 SonicWALL that I need to set up with HA. My WAN one has one port. Do I need to use a VLAN to connect both? If so, what are the settings I need for the VLAN? Or is there another way to set this up?

    • @JeanPierTalbot 3 years ago

      Hi Mauro,
      I would suggest taking a small switch or creating a VLAN of 3 ports (like shown in the video) so then both firewalls have connectivity to that WAN.

    • @maurodiilio870 3 years ago

      @JeanPierTalbot So it would be an untagged VLAN with the 3 ports needed ONLY, right?

  • @rajainfotech13 6 months ago

    Hi Jean, what if the access switch collapses?

  • @aquadir2830 3 years ago

    This GUI looks different... Which firmware version is that?

    • @JeanPierTalbot 3 years ago +1

      Yes, it’s the 7th generation of firewall and firmware.

    • @aquadir2830 3 years ago

      @JeanPierTalbot Ohh. OK, thank you. 👍👍👍