SonicWall Network Security Manager (NSM) allows you to centrally orchestrate all firewall operations error-free, see and manage threats and risks across your firewall ecosystem from one place, and stay connected and compliant.
NSM gives users central control of all firewall operations and any switches and access points connecting to the firewall. It lets you:
- Deploy and manage all firewall devices, device groups and tenants from one place
- Synchronize and enforce consistent security policies across your environments
- Monitor everything from one dynamic dashboard with detailed analytics
Customers would want to use NSM because:
- It gives them total control to orchestrate firewall operations from a single cloud console.
- It makes security teams more proficient at their job, using smart management tools and workflows to perform tasks and take security actions faster and with less effort.
- It makes them more situation-aware and allows them to investigate hidden risks with active monitoring, reporting and analytics.
- What are the key features?
| Feature | Description |
| --- | --- |
| Cloud native architecture | Deliver boundless scalability to support thousands of SonicWall security devices under its management, regardless of location. |
| New UI | User-centric design with menus, navigation and workflows that are streamlined, logically organized and simplified |
| Zero-touch deployment | Simplified onboarding of 100s of units in minutes |
| Dashboard | Aggregated view of various information in a single view |
| Unified Device table | Provides a simple view of device status and lets you take actions |
| Device Groups | Group devices per your organizational needs |
| Templates | Apply common configuration across multiple devices |
| Commit and Deploy | View configuration changes and deploy them to devices |
| Configuration Diff | View difference in changes before configuration is deployed |
| API-ready | Provide a standard approach to managing NSM-specific features programmatically without a management web interface and facilitate interoperability between NSM and backend services to increase the efficiency of your SOC. |
| Flexible deployment | Available as SaaS, virtual or public cloud |
NSM offers two deployment options: cloud (SaaS) and on-prem.
- When is the availability of NSM on-prem?
NSM on-prem is supported from the NSM 2.1 release. NSM can be installed on your on-premises infrastructure and offers the same features as the NSM SaaS release. The NSM on-premises version offers additional features such as Console administration, Closed Network Support, Admin Lockout, and Active/Passive high availability.
- What platforms can NSM on-prem support?
NSM On-prem is supported on ESXi, Hyper-V, KVM and Azure.
- How many Firewalls can NSM SaaS manage?
NSM SaaS is very scalable and can manage thousands of firewalls.
- What sort of scale can one NSM on-prem server/HA pair support?
NSM can support up to 5K firewalls on a single instance of NSM with enough CPU, memory and disk space. The base NSM on-prem install requires 16GB of RAM, 4 core CPU and can support up to 250 firewalls.
- How is NSM SaaS licensed?
NSM SaaS offers two very easy to choose packages. Both options offer full management capabilities.
- NSM Essential - Best suited for customers that have a requirement for 7-day reporting or less and do not need analytics.
- NSM Advanced includes everything in NSM Essential and is ideal for customers needing a full year of reporting and up to 30 days of log analytics.
- Multi-year SKUs are available for all supported firewall models at launch.
- How is NSM on-prem licensed?
NSM on-prem licensing is node-based, with a base license of five nodes and add-on licenses.
- Is there a cost for customers migrating from CSC-MA to NSM?
CSC-MA licensed customers will auto-migrate to the equivalent new NSM license at no additional cost, as shown in the table below.

| CSC MA License | NSM License |
| --- | --- |
| CSC Management | NSM Essential |
| CSC Management + Reporting (7-day reporting) | NSM Essential |
| CSC Management and Reporting (365-day reporting) | NSM Advanced |
| CSC Analytics | NSM Advanced |

CSC Management Lite customers will be required to purchase NSM Essential. A discount promotion will be offered to customers on Management Lite to move to NSM Essential, providing them full management capabilities and 7 days of reporting.
- I am managing devices with CSC-MA Management Lite license. What is their path to NSM 2.2?
You will have to purchase the NSM Essential package to move to NSM 2.2. A 1-year promotional subscription license will be offered to customers/partners who wish to move to NSM 2.2.
- I am managing devices with CSC-MA Management Lite license. They don’t want to move to NSM. What will be their option?
If you do not wish to purchase NSM Essential, you can remain on the CSC-MA Management Lite license until the license expires. The license will not be renewed.
- I manage my devices in CSC-MA today. When will I migrate to NSM?
SonicWall will inform you via your registered My SonicWall email address. You are required to choose an available date and time for the migration within 15 calendar days of receipt of the communication.
- What happens if I don’t select a migration date and time when asked?
If you don’t select a migration slot within the 15-day window, your devices in the tenant will be moved to NSM by SonicWall by the end of that period.
- Can I manage my devices when they are migrating to NSM?
No. You will not be able to access CSC-MA during the migration. However, the migration doesn’t affect the functionality of the firewalls managed by CSC-MA. You will be informed via your My SonicWall email upon the completion of migration.
- What happens if my migration fails? Is the data lost?
SonicWall creates a backup of the configuration before the migration, so no data will be lost. If for some reason the migration fails, you will contact SonicWall support to restore your configuration.
- Will my Reporting and Analytics data be migrated to NSM as well?
Yes. SonicWall will migrate Management, Reporting and Analytics data to NSM.
- Can a customer without any firewall security services (AGSS/CGSS) use NSM to manage it?
Yes
- Any limitation on number of devices for Zero-Touch deployment?
No, there is no limitation.
- When will CSC-MA 1.7.1 be deprecated?
CSC-MA 1.7.1 will continue to be available to customers and co-exist with NSM 2.2 for some time. No timing has been determined as to when it will be retired.
- How many levels can be created in the device group hierarchy?
Groups can be created up to 5 levels of nesting. Templates can apply across all these levels.
- Will the template be limited to firewalls only?
Correct. Currently, templates support only firewall.
- Does NSM integrate with ConnectWise?
Integration between NSM and ConnectWise’s Manage and Automate is currently on the roadmap.
However, SonicWall does integrate with ConnectWise via the My Workspace menu within MySonicWall. The integration allows partners to map Tenants to Companies, automate the invoicing and billing of SonicWall security services and create, process and close service tickets for their customers. With this integration:
a) SonicWall Hardware, Software and Cloud products are added to their Product Catalog where partners can set their standard prices
b) Active SonicWall Software and Cloud products are added as Additions to their Company Agreements of choice for automated product usage accounting and invoicing
c) SonicWall Hardware and Virtual Appliances are added as Configurations, which can in turn be shared with other automation platforms like IT Glue
d) Auto-creation of tickets based on alerts from Capture Client
Service tickets are currently limited to alerts from Capture Client. Future versions will bring more alerts from other products like NSM, Firewall, Cloud App Security, Wireless, etcetera.
- Can NSM templates be shared between different "User Groups" in MSW/CSC?
Templates can be shared across tenants that a user has access to (multi-tenant Templates) but not across user groups in the current release.
- Will 2FA be available in NSM? With an authenticator type authorization?
2FA is done via the Capture Security Center portal for NSM SaaS. For NSM on-prem, you can register your mobile authenticator app, either Microsoft Authenticator or Google Authenticator, and then select the preferred 2FA method, either an app or email, through which to receive the authorization code for access.
- Will there be a free NSM Lite option similarly to CSC Management Lite?
NSM Lite will not be offered. SonicWall will be offering a discount promotion to customers on Management Lite to move to NSM Essential, providing them full management capabilities and 7 days of reporting.
- Will NSM support exporting of raw logs to external devices (NAS/SAN/DAS) for long term storage?
Exporting of raw logs will be introduced in a follow-on release soon.
- Can NSM manage other SonicWall security products other than firewalls?
It is currently only for firewalls.
- Will NSM support all the versions of SonicOS and SonicOSX?
NSM supports both SonicOS (Gen 6, firmware version 6.5.x or higher) and SonicOSX (Gen 7, firmware version 7.0 or higher) firewalls.
- Will we provide a migration path from GMS to NSM on-prem?
Yes. There will be a migration path for GMS to NSM On-prem.
- Can we generate a report on configuration differences between a baseline configuration and the configurations of devices in the group?
Not supported in NSM 2.2. This is a roadmap feature under consideration.
- When configuring IP/port, will it accept FQDNs?
It does support FQDN. We need to update the label. It can additionally verify SSL cert for the FQDN.
- Can a device in one group be moved to a different group?
Yes. First, you will need to move the device back to an “Unassigned” state and then reassign it to the desired group. We will support seamless transfer in a future release.
- We would like to audit whether sites have an any-to-any allow rule enabled. Currently, we need to go device by device and check manually. Is this possible?
Not supported in NSM 2.2. This is a roadmap feature under consideration.
- Can the root group be renamed?
Not supported in NSM 2.2. This is a roadmap feature under consideration.
- Can a device be moved from one tenant to another or does it need to be deleted and re-acquired?
Devices can be moved between tenants and do not need to be deleted and reacquired.
- Can devices be moved in NSM between tenants or does that have to happen in MSW.com?
It is done through My SonicWall.
- Can we switch between SonicOS and SonicOSX on a NSv via NSM?
No, switching from NSM is not allowed. You can switch on the FW and then re-acquire.
- Do we have templates based on ISO 27001, PCI-DSS, GDPR, etcetera?
Not available in NSM 2.2. This is a roadmap feature under consideration.
- Will zero touch template apply changes if you just move between groups?
The template applied to a group will be applied to the firewall if you move the firewall to that group.
- Can we convert a live configuration into a Template?
You can convert the live configuration into a Golden Template that can be applied across your devices.
- Can I configure interfaces in templates?
Yes, you can configure physical, virtual or tunnel interface configurations in templates.
- Is the IP address allocation in the interface configuration in a template static?
Yes, in the NSM 2.2 release, this allocation is static. Dynamic allocation will be supported in a future release.
- Can the changes to the template be exported for inclusion in a change ticket?
Not supported in NSM 2.2. However, you will have the ability to select and copy all the changes applied in the commit job.
- Can I Schedule EXP and TSR backups in NSM for my firewalls?
Yes, you can schedule firewall configuration and TSR backups in NSM.
- For how long are backup files stored in NSM?
Only 10 days of TSR/backup files are stored in NSM today.
- What is the time zone being derived for scheduled commits?
Based on local time for the user creating the commit.
- Any plans to create predefined templates such as SD-WAN connectivity, SD-Branch, etcetera?
This is a roadmap feature under consideration.
- Can you build a pre-deployment template so any new devices can be pre-configured as a new firewall comes online?
A user can create a Zero-Touch template and associate it with a device group. A Zero-Touch device can be added to that device group, and when the device comes online, the Zero-Touch template is applied to it.
- Is it possible to add pre-commit rule/change checks to define any policy or change that will create a conflict within the existing firewall policies/configuration?
This is a roadmap feature under consideration.
- If a deployed change is only partly successful, can it be configured to be backed out automatically? For example, I'm enabling a service, but if it wasn't fully configured, it might create a problem. I want an all-or-nothing option when deploying templates.
This is a roadmap feature under consideration. The feature will provide a way to re-deploy or edit and re-deploy a failed commit.
- Are we migrating Analyzer to NSM?
No. Analyzer is an on-prem product. The migration to NSM will happen for CSC-MA customers only.
- Is there any migration path from NSM SaaS to NSM On-Prem?
No. You will have to delete the firewalls from the cloud and manually add them to NSM On-prem.
- Is there any option to transfer the NSM SaaS license to NSM On-Prem?
No. NSM Cloud and NSM On-Prem are very different licensing models.
- Is there any upgrade path for NSM 2.1 on-prem to NSM 2.2 on-prem?
Yes, there is an upgrade option from NSM 2.1 to NSM 2.2. For more details, refer to this guide: https://www.sonicwall.com/techdocs/pdf/nsm-getting_started.pdf.
- What format is available for export of the data within Analytics?
PDF format.
- Does the log button navigate directly to the corresponding log section or import associated logs into the current view?
Logs/flows are stored in the NSM database (DB). It fetches the data from the DB for the corresponding section.
- Can we roll back after commit?
This is a roadmap feature under consideration.
- Can I pull a report for a specific user? For example, all the activity for a specific month.
Yes. You can schedule a report for users, which will include all users.
- What is the timeline for SMA 100 to be supported in NSM?
There are no plans to add SMA 100 and other security devices under NSM management.
- Is Role-based Access Control (RBAC) supported?
Yes, RBAC is supported in NSM. For NSM SaaS, roles can be created using mysonicwall.com account. For on-prem, admins can use pre-defined or create custom user roles for granular access control within NSM.
- Can I configure read-only users?
Yes, read-only users can be configured in NSM.
- Do we plan to support drag and drop VPN between Groups or a one-click mesh VPN without templates?
Yes. This is on the roadmap. We will be adding a VPN wizard to create large-scale VPNs with ease.
- What does "Create Policy from Reports" mean?
NSM offers an option to auto-create a policy based on the report outputs.
- How does config diff work without object optimization today? Does it call out which rules/objects are getting overlapped or used elsewhere?
NSM 2.2 does not do optimization, shadowing or overlapping. These are roadmap features under consideration in a follow-on release.
- Will NSM On-Prem support closed network in the first release?
Yes, closed network support is added in the NSM 2.2 release.
- What are NSM’s feature differentiators compared to CSC-MA?
The most impactful NSM enhancements over CSC MA include:
- Ease of Device Group management is designed to reduce management complexity of firewall device silos
- Use of configuration templates and Commit and Deploy to synchronize and enforce consistent security policies across firewall environments, whether on-prem, in the cloud or both.
- Configuration Audit and Config Diff to compare or contrast between changes to reduce misconfiguration, human errors, violations or conflicts before committing.
- 7-day reporting provides visibility and reporting at the device or device group level.
- Will customers be able to migrate part of their units, so not all units will migrate at the same time?
Yes, partial migration will be supported.
- When will NSM support NSsp 15700?
NSsp 15700 is supported in NSM 2.2.
- One common request is the ability to export the rule base to CSV for review. Is this on the roadmap or available with NSM today?
This is a roadmap feature under consideration.
- Why keep choosing between syslog and IPFIX? Will the firewall be able to report to both?
This is a roadmap item. In the future, NSM Analytics will be able to support both together.
- If you have a template at the tenant level and another template at the group level, which will take precedence? Or will the group level template append to the tenant level one?
Tenant level template is the top level and applied first. Device group level template is applied subsequently.
- Will NSM have syslog and flow-based reporting together?
Not supported in NSM 2.2. This is a roadmap feature under consideration.
- For a partner to move to on prem NSM, will they first need to move to GMS 9.3, or can they go directly from 8.7.x to NSM 2.2 on prem?
There is a plan to provide a direct path to NSM On-prem from GMS 8.7.1.
- Will we have 'health checks' through NSM, where it checks whether DPI/DPI-SSL/Content Filtering/IPS/Capture ATP is enabled and alerts the admin?
This is a roadmap feature under consideration.
- Does NSM include audit reports (firewall changes, firewall configuration per user)?
This is a roadmap feature under consideration.
- Will the reports be AD/LDAP Group friendly? For example, report on users in a group with totals?
This is a roadmap feature under consideration. Currently, NSM will show the report at user level and not at group level.
- Will a customer be able to migrate say 25, 50 or 100 units all at once?
Yes
- Role based Access Control was mentioned in the competitive slides as through MSW. But in MSW workplace it says RBAC is from product itself. Can you elaborate if we will have some enhancements on role-based controls based on NSM screens/views/groups/templates etcetera?
Roles can be created in MSW for NSM SaaS and within NSM in on-prem version. The granular control such as screen level permissions can be granted based on the role of the user.
- Are we adding custom alerting options?
Yes, it will be there.
- Can we work with cross platform templates for templates based on SonicOS and SonicOS/X?
SonicOSX support is added in the NSM 2.2 release. Both SonicOS and SonicOSX templates can be created. However, SonicOS and SonicOSX devices can't be grouped together for applying a single template.
- Will we have search queries that are via regular expressions or being able to search by subnet for NSM analytics/Reporting?
This is a roadmap feature under consideration.
- Will our CloudEdge offering be integrated into NSM?
Currently, NSM is solely for firewall management plus any switch and access point connected to the firewall. There are no current plans to integrate our CloudEdge products.
- Integration with AWS CloudWatch?
This is a roadmap feature under consideration.
- Does NSM come with Google auth and Microsoft MFA support?
Yes, NSM supports MFA through Google and Microsoft authenticator apps.
- Can NSM be integrated with LDAP and RADIUS for Admin authentication?
Yes. NSM On-Prem supports LDAP and RADIUS authentication.
- Can I log in to a unit via NSM on a SonicOS/X device?
Yes, you can log in to the unit directly through NSM for both SonicOS/X Gen 7 firewalls.
- What happens when a unit is changed locally? Does NSM pick up this change?
Yes, it will. The device will become unmanaged in NSM and the admin will need to synchronize to bring in the new configuration.
- What is the workflow when a template is deleted? Do all firewalls that have this template sync and remove the template config?
No. When a template gets removed, config is not removed automatically.
- Can NSM manage the firewall behind NAT with Private IP? With Zero Touch?
Yes. It can be behind many NAT boundaries.
- Can we convert a config in a firewall back into a template?
Yes, you can convert a device configuration into a Template and deploy it to multiple devices through golden template functionality.
- Will there be any enhancements in NSM views specially for MSSPs? Example, dashboard for MSSP?
NSM will have regular enhancements and new features introduced in every product release. This includes enhancements to management and implementation of templates, device groups, unified policies, dashboard analytics, etcetera.
- Do we have group level reports and group level analytics?
Yes. NSM gives you up to 7 days of reporting and analytics at the tenant, group or device level.
- Can NSM add firewall with dynamic IP?
The preferred option in such a case is Zero-Touch. If the firewall is in manual mode, then management via FQDN should be deployed.
- Will On-Prem Analytics work with NSM?
This is a roadmap feature under consideration in a follow-on release.
- Is it possible to have a bandwidth (BW) level usage information per WAN interface (ISP wise)? For example, weekly/monthly BW usage information per ISP link(X1/X2) in a PDF report.
Yes. You can see the bandwidth report in live reports. It also supports a time range for reports. You can also schedule a live report to be exported to PDF.
- What are the plans to put NSM into the MSSP program?
It is currently under consideration.
- Will acquired firewalls still have default admin/password local login if not changed by NSM?
Yes
- Does NSM On-prem support HA?
Yes, NSM 2.2 supports the High Availability feature.
- I bought NSM on-prem without HA, can I add NSM HA to my primary NSM instance?
You have to buy the HA SKU. The serial # of NSM HA is registered as secondary and tied to primary device count.
- I have two NSM on-prem installs with independent licensing. Can I bind them as an HA pair?
No, you have to buy an NSM HA SKU to add a new secondary.
- Do backups/TSRs get synchronized between the HA pair?
Settings get synchronized across the pair. Backups (TSRs/EXPs) and audits are not synchronized between the pair.
- Will we advertise all the public addresses and FQDNs for customers who lock down the WAN interfaces?
Yes.
- I have a customer with more than 200 firewalls that uses LTU. Will NAT configuration wizard be available on NSM?
This is a roadmap feature under consideration. This feature will have wizards to create large-scale VPNs, SD-WAN, etcetera.
- Any plans on NSM taking over the firewall admin/password, so no one can log in locally?
This is a roadmap feature under consideration.
- Do we have a change approval workflow in NSM?
Yes, change approval workflow is supported in NSM 2.1. Administrators can configure an approval process for firewall change management.
- What is the expected workflow of an admin that is pushing interface config to multiple firewalls via a template?
Support for Template Variables is a roadmap feature under consideration.
- Will a Gen 7 SonicOS configuration be able to be imported into Gen 7 SonicOSX?
A SonicOSX golden template can be applied to OSX devices only.
- Do we now have an integration with SIEM solutions in both SaaS and on-prem NSM?
This is a roadmap feature under consideration.
- Any expectations to have CSa1000 managed by NSM as well?
This is a roadmap feature under consideration.