SonicWall Network Security Manager (NSM) FAQ
10/28/2024
Description
- What is NSM?
SonicWall Network Security Manager (NSM) allows you to centrally orchestrate all firewall operations error-free, see and manage threats and risks across your firewall ecosystem from one place, and stay connected and compliant.
- What does “NSM” do?
NSM gives users central control of all firewall operations and any switches and access points connecting to the firewall. It lets you:
a) Deploy and manage all firewall devices, device groups and tenants from one place
b) Synchronize and enforce consistent security policies across your environments
c) Monitor everything from one dynamic dashboard with detailed analytics
- Why would you use “NSM”?
Customers would want to use NSM because:
a) It gives them total control to orchestrate firewall operations from a single cloud console.
b) It makes security teams more proficient at their job using smart management tools and workflows to perform tasks and take security actions faster and do it all with less effort.
c) It makes them more situation-aware and allows them to investigate hidden risks with active monitoring, reporting and analytics.
- What are the key features?
Cloud native architecture | Deliver boundless scalability to support hundreds of SonicWall security devices under its management, regardless of location. |
New UI | User-centric design in which menus, navigation and workflows are streamlined, logically organized and simplified |
Zero-touch deployment | Simplified onboarding of 100s of units in minutes |
Dashboard | Aggregated view of various information in a single view |
Unified Device table | Provide a simple view to view device status and take actions |
Device Groups | Group devices per your organizational needs |
Templates | Apply common configuration across multiple devices |
Commit and Deploy | View configuration changes and deploy them to devices |
Configuration Diff | View difference in changes before configuration is deployed |
API-ready | Provide a standard approach to managing NSM-specific features programmatically without a management web interface and facilitate interoperability between NSM and backend services to increase the efficiency of your SOC. |
Flexible deployment | Available as SaaS or on-premises |
- How can NSM be deployed?
NSM offers two deployment options: cloud (SaaS) and on-prem.
- What platforms can NSM On-premises support?
NSM On-prem is supported on ESXi, Hyper-V, KVM and Azure.
- How many Firewalls can NSM SaaS manage?
NSM SaaS is very scalable and can manage hundreds of firewalls.
- How is NSM SaaS licensed?
NSM SaaS offers two very easy to choose packages. Both options offer full management capabilities.
1) NSM Essential - Best suited for customers who require 7-day reporting or less and do not need analytics.
2) NSM Advanced includes everything in NSM Essential and is ideal for customers who need 365 days of reporting and up to 30 days of log analytics.
SonicWall TZ80 is a subscription-based model which requires NSM licensing. Without a service subscription, TZ80 will not be operational. There are 3 service subscription options: Secure Connect, Advanced Protection Security Suite (APSS), and Managed Protection Security Suite (MPSS). MPSS licensing is only available in the Service Provider Program for MSSP partners at launch.
The service subscriptions are available for 1-year, 3-year, and 5-year terms. There is also a monthly licensing option for partners of our Service Provider Program. The TZ80 MSSP-only SKU cannot be used with MPSS Bundle.
- How is NSM on-prem licensed?
The licensing is node-based, with a base license of five nodes and add-on licenses.
- What happens if my migration fails? Is the data lost?
SonicWall creates a backup of the configuration before the migration, so no data will be lost. If for some reason the migration fails, you will contact SonicWall support to restore your configuration.
- Will my Reporting and Analytics data be migrated to NSM as well?
Yes. SonicWall will migrate Management, Reporting and Analytics data to NSM.
- How many levels can be created in the device group hierarchy?
Groups can be created up to 5 levels of nesting. Templates can apply across all these levels.
- Will the template be limited to firewalls only?
Correct. Currently, templates support only firewalls.
- Does NSM integrate with ConnectWise?
Integration between NSM and ConnectWise’s Manage and Automate is currently on the roadmap. However, SonicWall does integrate with ConnectWise via the My Workspace menu within MySonicWall. The integration allows partners to map Tenants to Companies, automate the invoicing and billing of SonicWall security services and create, process and close service tickets for their customers. With this integration:
a) SonicWall Hardware, Software and Cloud products are added to their Product Catalog where partners can set their standard prices
b) Active SonicWall Software and Cloud products are added as Additions to their Company Agreements of choice for automated product usage accounting and invoicing
c) SonicWall Hardware and Virtual Appliances are added as Configurations, which can in turn be shared with other automation platforms like IT Glue
d) Auto-creation of tickets based on alerts from Capture Client
Service tickets are currently limited to alerts from Capture Client. Future versions will bring more alerts from other products like NSM, Firewall, Cloud App Security, Wireless, etcetera.
- Will 2FA be available in NSM? With an authenticator type authorization?
2FA is done via the Capture Security Center portal for NSM SaaS. For NSM on-prem, you can register your mobile authenticator app, either Microsoft Authenticator or Google Authenticator, and then select the preferred 2FA method, either via an app or email, by which to receive the authorization code for access.
- Will NSM support exporting of raw logs to external devices (NAS/SAN/DAS) for long term storage?
Exporting of raw logs will be introduced in a follow-on release soon.
- Can NSM manage other SonicWall security products other than firewalls?
It is currently only for firewalls and the switches and APs connected to these firewalls.
- Will NSM support all the versions of SonicOS and SonicOSX?
NSM supports both SonicOS (Gen 6, firmware version 6.5.x or higher) and SonicOSX (Gen 7, firmware version 7.0 or higher) firewalls.
- Will we provide a migration path from GMS to NSM on-prem?
Yes. There will be a migration path for GMS to NSM On-prem.
- Can we generate a report on configuration differences between a baseline configuration and configurations of devices in the group?
Not supported in the current NSM release. This is a roadmap feature under consideration.
- When configuring IP/port, will it accept FQDNs?
It does support FQDN. It can additionally verify SSL cert for the FQDN.
- Can a device in one group be moved to a different group?
Yes. First, you will need to move the device back to an “Unassigned” state and then reassign it to the desired group.
- We would like to audit whether sites have an any-to-any allow rule enabled. Currently, we need to go device by device and check manually. Is this possible?
Not supported in current NSM release. This is a roadmap feature under consideration.
- Can the root group be renamed?
Not supported in current NSM release. This is a roadmap feature under consideration.
- Can a device be moved from one tenant to another or does it need to be deleted and re-acquired?
Devices can be moved between tenants and do not need to be deleted and reacquired.
- Can devices be moved in NSM between tenants or does that have to happen in MySonicWall?
It is done through MySonicWall.
- Can we switch between SonicOS and SonicOSX on an NSv via NSM?
No, switching from NSM is not allowed. You can switch on the firewall and then re-acquire.
- Do we have templates based on ISO27001, PCI-DSS, GDPR, etcetera?
Not available in the current NSM release. This is a roadmap feature under consideration.
- Will zero touch template apply changes if you just move between groups?
The template applied to a group will be applied to the firewall if you move the firewall to that group.
- Can we convert a live configuration into a Template?
You can convert the live configuration into a Golden Template that can be applied across your devices.
- Can I configure interfaces in templates?
Yes, you can configure physical, virtual or tunnel interface configurations in templates.
- Can the changes to the template be exported for inclusion in a change ticket?
Not supported in the current NSM release. However, you will have the ability to select and copy all the changes applied in the commit job.
- Can I Schedule EXP and TSR backups in NSM for my firewalls?
Yes, you can schedule firewall configuration and TSR backups in NSM.
- For how long are backup files stored in NSM?
Only 10 days of TSR/backup files are stored in NSM today.
- What is the time zone being derived for scheduled commits?
Based on local time for the user creating the commit.
- Can you build a pre-deployment template so any new devices can be pre-configured as a new firewall comes online?
Users can create a Zero-touch template and associate it with a device group. A Zero-touch device can be added to that device group, and when the device comes online, the Zero-touch template is applied to it.
- Is it possible to add pre-commit rule/change checks to define any policy or change that will create a conflict within the existing firewall policies/configuration?
This is a roadmap feature under consideration.
- If a deployed change is only partly successful, can it be configured to be backed out automatically? For example, I'm enabling a service but if it wasn't fully configured, then it might create a problem. I want an all or nothing option when deploying templates.
This is a roadmap feature under consideration.
- Is there any migration path from NSM SaaS to NSM On-premises?
No. You will have to delete the firewalls from the cloud and manually add them to NSM On-premises.
- Is there any option to transfer the NSM SaaS license to NSM On-premises?
No. NSM Cloud and NSM On-Prem are very different licensing models.
- How can I upgrade my NSM on-prem deployment?
Use the instructions here to do the upgrade.
- What are the supported formats for data export in NSM SaaS?
In general, NSM supports export of data in CSV and PDF format. However, the supported format may vary depending on the report or log data that the user is trying to export.
- Can we roll back after commit?
This is a roadmap feature under consideration.
- Can I pull a report for a specific user? For example, all the activity for a specific month.
Yes. You can schedule a report for users, which will include all users.
- What is the timeline for SMA 100 to be supported in NSM?
There are no plans to add SMA 100 and other security devices under NSM management.
- Is Role-based Access Control (RBAC) supported?
Yes, RBAC is supported in NSM. For NSM SaaS, roles can be created using mysonicwall.com account. For on-prem, admins can use pre-defined or create custom user roles for granular access control within NSM.
- Can I configure read-only users?
Yes, read-only users can be configured in NSM.
- Do we plan to support drag and drop VPN between Groups or a one-click mesh VPN without templates?
You can use VPN orchestrator to define VPN topologies.
- What does "Create Policy from Reports" mean?
NSM offers an option to auto-create a policy based on the report outputs.
- How does config diff work without object optimization today? Does it call out which rules/objects are getting overlapped or used elsewhere?
NSM does not do optimization, shadowing or overlapping. These are roadmap features under consideration in a follow-on release.
- Will NSM On-Prem support closed network in the first release?
Yes, closed network support is added in NSM on-premises release.
- When will NSM support NSsp 15700?
NSsp 15700 is supported in NSM.
- One common request is the ability to export the rule base to CSV for review. Is this on the roadmap or available with NSM today?
This is a roadmap feature under consideration.
- If you have a template at the tenant level and another template at the group level, which will take precedence? Or will the group level template append to the tenant level one?
Tenant level template is the top level and applied first. Device group level template is applied subsequently.
- Will we have 'health checks' through NSM where it looks whether DPI/DPI-SSL/Content Filtering/IPS/Capture ATP is enabled and alerts the admin?
This is a roadmap feature under consideration.
- Does NSM include audit reports (firewall changes, firewall configuration per user)?
This is a roadmap feature under consideration.
- Will the reports be AD/LDAP Group friendly? For example, report on users in a group with totals?
This is a roadmap feature under consideration. Currently, NSM will show the report at user level and not at group level.
- Role based Access Control was mentioned in the competitive slides as through MSW. But in MSW workplace it says RBAC is from product itself. Can you elaborate if we will have some enhancements on role-based controls based on NSM screens/views/groups/templates etcetera?
Roles can be created in MSW for NSM SaaS and within NSM in on-prem version. The granular control such as screen level permissions can be granted based on the role of the user.
- Are we adding custom alerting options?
Alert settings can be configured for all firewalls within a tenant.
- Can we work with cross platform templates for templates based on SonicOS and SonicOS/X?
Both SonicOS and SonicOSX templates can be created. However, SonicOS and SonicOSX devices can't be grouped together for applying a single template.
- Will we have search queries that are via regular expressions or being able to search by subnet for NSM analytics/Reporting?
NSM provides the capability to search for subnets in reporting and analytics.
- Will our Cloud Secure Edge offering be integrated into NSM?
Starting with NSM 2.5, we have an integration with the Cloud Secure Edge Connector. This will bring our Cloud Secure Edge security capabilities to our Firewalls. The connector establishes a connection to the Internet and cloud clusters hosted by corporate resources to secure them, providing secure access to remote users.
- What new alert enhancements are available in NSM starting NSM 2.5?
The new alerts and enhancements in NSM 2.5 include VPN Up/Down alert enhancements, Firewall reboot alerts, WAN Probe failure alerts, and WAN Failover alert enhancements.
- Can I get Firewall Up-Time summary reports on NSM?
Firewall Up-Time summary reports are available starting NSM 2.5.0.
- Can secondary storage settings be applied through Templates?
Yes, the secondary storage settings are added to Templates starting NSM 2.5 and can be used to configure storage of System Logs, threat logs, packet capture logs, and AppFlow report data in External Storage.
- How do I get notified about upcoming NSM upgrades and maintenance releases?
NSM will have a banner appear to show when there is an upcoming release within 72 hours.
- Integration with AWS CloudWatch?
This is a roadmap feature under consideration.
- Does NSM come with Google auth and Microsoft MFA support?
Yes, NSM supports MFA through Google and Microsoft authenticator apps.
- Can NSM be integrated with LDAP and RADIUS for Admin authentication?
Yes. NSM On-Prem supports LDAP and RADIUS authentication.
- Can I log in to the unit via NSM on a SonicOS/X device?
Yes, you can log in to the unit directly through NSM for both SonicOS/X Gen 7 firewalls.
- What will happen when a firewall configuration is modified outside of NSM?
The device will become unmanaged in NSM and the admin will need to synchronize to bring in the new configurations.
- What is the workflow when a template is deleted? Do all firewalls that have this template sync and remove the template config?
No. When a template gets removed, config is not removed automatically.
- Can NSM manage the firewall behind NAT with Private IP? With Zero Touch?
Yes. It can be behind many NAT boundaries.
- Will there be any enhancements in NSM views, especially for MSSPs? Example, dashboard for MSSP?
NSM will have regular enhancements and new features introduced in every product release. This includes enhancements to management and implementation of templates, device groups, unified policies, dashboard analytics, etcetera.
- Do we have group level reports and group level analytics?
Yes. NSM has tenant and group level reporting and analytical capabilities.
- Can NSM add firewall with dynamic IP?
The preferred option in such a case is Zero touch. If the firewall is in manual mode, then management via FQDN should be deployed.
- Will On-premises Analytics work with NSM?
On-prem NSM integrates with On-prem Analytics to provide an integrated user interface to manage firewall policy and monitor network traffic.
- Is it possible to have bandwidth (BW) level usage information per WAN interface (ISP wise)? For example, weekly/monthly BW usage information per ISP link (X1/X2) in a PDF report.
Yes. You can see the bandwidth report in live reports. It also supports a time range for reports. You can also schedule a live report to be exported to PDF.
- What are the plans to put NSM into the MSSP program?
It is currently under consideration.
- Will acquired firewalls still have default admin/password local login if not changed by NSM?
Yes
- Does NSM On-premises support HA?
Yes, NSM supports the High Availability feature.
- I bought NSM without HA, can I add NSM HA to my primary NSM instance?
You have to buy the HA SKU. The serial # of NSM HA is registered as secondary and tied to primary device count.
- I have two NSM On-premises installs with independent licensing. Can I bind them as an HA pair?
No, you have to buy an NSM HA SKU to add a new secondary.
- Do backups/TSRs get synchronized between the HA pair?
Settings get synchronized across the pair. Backups (TSRs/EXPs) and audits are not synchronized between the pairs.
- Will we advertise all the public addresses and FQDN's for customers who lockdown the WAN interfaces?
Yes.
- I have a customer with more than 200 firewalls that uses LTU. Will NAT configuration wizard be available on NSM?
This is a roadmap feature under consideration. This feature will have wizards to create large scale VPNs and SDWAN, etcetera.
- Any plans on NSM taking over firewall admin/password, so no one can login locally?
This is a roadmap feature under consideration.
- Do we have a change approval workflow in NSM?
Yes, change approval workflow is supported in NSM. Administrators can configure an approval process for firewall change management.
- What is the expected workflow of an admin that is pushing interface config to multiple firewalls via a template?
Admin can use template variables to assign variables for interface configurations and resolve these variables per firewall at the time of application.
- Will a Gen 7 SonicOS configuration be able to be imported into Gen 7 SonicOSX?
A SonicOSX golden template can be applied to OSX devices only.
- Do we now have an integration with SIEM solutions in both SaaS and on-prem NSM?
This is a roadmap feature under consideration.
- Any expectations to have CSa1000 managed by NSM as well?
This is a roadmap feature under consideration.
- Which version of NSM can manage TZ80?
NSM version 2.6 and above can manage the TZ80 firewall.
- What is new about the Auto-sync feature on NSM 2.6?
The auto-sync feature introduced with NSM 2.6.0 automatically synchronizes local firewall configurations with NSM. Once the settings are synchronized with NSM, the device will continue to be in an “in-sync” state, and no manual intervention will be required to synchronize the local firewall settings changes on NSM.
- What is the Firewall-model specific template?
This feature is a template of settings available in NSM 2.6 that can push configuration for mass deployments. Administrators can create a firewall-model specific template that can be used to apply similar configurations to other TZ80s, reducing time-to-deployment.
- What are firewall audit logs and how are they useful?
Admins can now view and manage firewall audit logs directly on NSM starting NSM 2.6, improving visibility and simplifying management.