SMA 1000: Best Practices - Securing the Network Configuration on SMA & CMS
01/22/2025
Description
This document describes best practices related to the network configuration to ensure secure access to the SMA & CMS appliances.
Resolution
Configuring the Appliance to Use Dual Interfaces
When configuring the appliance in a dual-homed configuration, split the services between the interfaces: management services such as the AMC & CMC should be exposed only to trusted networks on the internal interface, whereas public services such as the access services & workplaces required for the client VPN are exposed on the external, public-facing interface. Use a firewall to limit the external interface to the ports required for VPN access. For a complete list of ports required for VPN access and/or those needed for more complex architectures, such as when operating in a GTO cluster, see What are the SMA 1000 Series Default Assigned Ports.
Configuring the Appliance to Use a Single Interface
When configuring the appliance in a single-homed configuration, it is highly recommended to use a firewall capable of filtering access to the AMC & CMC so that only trusted networks can reach either console. Access to the administrative consoles over the public internet is highly discouraged; instead, public-facing traffic should be limited to the ports and protocols required for user and authentication access. For a complete list of ports required for VPN access and/or those needed for more complex architectures, such as when operating in a GTO cluster, see What are the SMA 1000 Series Default Assigned Ports.
SSH Access
If both network interfaces are active, the Secure Shell (SSH) service will listen on both. To enhance security, ensure that SSH access is restricted to the IP addresses of trusted management workstations or, at a minimum, to the internal network's address range.
SNMP Service
If both network interfaces are enabled, Simple Network Management Protocol (SNMP) listens on both interfaces. Restrict SNMP service access to the IP addresses of trusted management workstations or, at a minimum, the address range of the internal network.
By default, the Community string field in the AMC SNMP configuration (the string your network management tool uses to query the SMA appliance) is set to public. Be sure to change this to a secure passphrase.
ICMP
If both network interfaces are enabled, activating Internet Control Message Protocol (ICMP) can expose the appliance to discovery from the Internet. The most secure approach is to disable ICMP entirely or restrict it to the internal interface. If ICMP must be enabled, it is recommended to suppress ICMP Echo Request traffic through a firewall or other network security device.
NTP
Synchronize with an external Network Time Protocol (NTP) server to ensure accurate timestamps in the system logs, and to ensure that time-based security checks—such as password and certificate expiration—occur properly.
Server Certificates
Ensure that the appliance server certificate is securely stored and inaccessible to unauthorized individuals. Always encrypt the associated private key with a strong password. If attackers gain access to the certificate and key, they could identify the associated host and potentially decrypt sensitive data.
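The checks in the sections above (management consoles only on the internal interface, SSH and SNMP limited to trusted sources, the default SNMP community string replaced, ICMP kept off the external interface, and a password-protected server private key) can be expressed as a small audit over a model of the appliance's listener configuration. The following is an added example, not SonicWall code and not the AMC's real configuration format or export: the `Listener` model, the trusted ranges, and the sample configurations are all constructed assumptions for illustration.

```python
"""Audit a modelled SMA 1000 network configuration against the hardening
guidance in this article. Example code only; the data model and all sample
values are constructed assumptions, not the appliance's real configuration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Constructed assumptions: the internal side of the appliance and the subnet
# where trusted management workstations live.
INTERNAL_RANGE = ip_network("10.0.0.0/8")
TRUSTED_MGMT = [ip_network("10.0.10.0/24")]

MANAGEMENT_CONSOLES = {"AMC", "CMC"}   # must never listen on the external interface
SOURCE_RESTRICTED = {"SSH", "SNMP"}    # must be limited to trusted sources
DEFAULT_COMMUNITY = "public"           # the out-of-the-box SNMP community string


@dataclass
class Listener:
    service: str
    interface: str                      # "internal" or "external"
    allowed_sources: Tuple[str, ...] = ()  # CIDRs; empty means any source may connect
    community: Optional[str] = None     # SNMP only


def source_is_trusted(cidr: str) -> bool:
    """A permitted source must sit inside a trusted management subnet or, at a
    minimum, inside the internal network range."""
    net = ip_network(cidr, strict=False)
    return any(net.subnet_of(t) for t in TRUSTED_MGMT) or net.subnet_of(INTERNAL_RANGE)


def key_is_encrypted(pem: str) -> bool:
    """True when the PEM private key is password-protected: either a PKCS#8
    encrypted header or the legacy OpenSSL 'Proc-Type: 4,ENCRYPTED' marker."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def audit(listeners: List[Listener], icmp_on_external: bool, server_key_pem: str) -> List[str]:
    """Return one finding per deviation from the article's guidance."""
    findings = []
    for lst in listeners:
        if lst.service in MANAGEMENT_CONSOLES and lst.interface == "external":
            findings.append(f"{lst.service} exposed on external interface")
        if lst.service in SOURCE_RESTRICTED:
            if not lst.allowed_sources:
                findings.append(f"{lst.service} on {lst.interface} accepts any source")
            else:
                for src in lst.allowed_sources:
                    if not source_is_trusted(src):
                        findings.append(f"{lst.service} on {lst.interface} allows untrusted source {src}")
        if lst.service == "SNMP" and (lst.community or "") == DEFAULT_COMMUNITY:
            findings.append("SNMP community string is the default 'public'")
    if icmp_on_external:
        findings.append("ICMP enabled on external interface")
    if not key_is_encrypted(server_key_pem):
        findings.append("server certificate private key is not password-protected")
    return findings


# Constructed sample: every service on both interfaces with default settings.
WEAK = [
    Listener("AMC", "internal"), Listener("AMC", "external"),
    Listener("SSH", "internal"), Listener("SSH", "external"),
    Listener("SNMP", "internal", community="public"),
    Listener("SNMP", "external", community="public"),
    Listener("VPN", "external"),
]
# Constructed sample: consoles internal only, SSH/SNMP pinned to the management subnet.
HARDENED = [
    Listener("AMC", "internal"),
    Listener("SSH", "internal", ("10.0.10.0/24",)),
    Listener("SNMP", "internal", ("10.0.10.5/32",), community="long-random-passphrase"),
    Listener("VPN", "external"),
]
# Constructed placeholder PEM bodies (not real keys); only the headers matter here.
UNENCRYPTED_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, cfg, icmp, key in (("weak", WEAK, True, UNENCRYPTED_KEY),
                                 ("hardened", HARDENED, False, ENCRYPTED_KEY)):
        print(f"{name}: {audit(cfg, icmp, key) or ['no findings']}")
```

Run against the weak sample it reports nine findings (console exposure, unrestricted SSH and SNMP on both interfaces, the default community string twice, ICMP on the external side, and the unprotected key); the hardened sample produces none. The source check uses `subnet_of`, so a rule permitting `0.0.0.0/0` or a non-internal range fails even if the listener is on the internal interface.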