SonicOS 7.0.1 Release Notes

Version 7.0.1-5145 November 2023

November 2023

This version of SonicOS7.0.1 is a maintenance release for existing platforms and resolves issues found in previous releases.

What's New

  • Administrators can disable the Virtual Portal on the Wide Area Network (WAN) while keeping SSL VPN services unaffected. This feature offers greater control over network accessibility without disrupting secure remote connections.

    Key benefits include:

    • Enhanced Security: With the Virtual Portal disabled on the WAN, you can substantially reduce the attack surface for potential security breaches. External entities will not be able to access your Virtual Portals, enhancing overall network security.
    • Uninterrupted SSL VPN Services: By disabling the Virtual Portal on the WAN, SSL VPN services remain unaffected, ensuring that your users can continue to securely access your network resources.

    The default behavior is that the virtual portal settings are migrated from the previous SonicOS version.

    To disable the virtual portal access on the WAN Zone on the appliance:

    1. Navigate to NETWORK | SSL VPN > Portal Settings.
    2. In the Portal Settings section, enable Disable Virtual Office on Non-LAN Interfaces.
  • Support for Non-WDS Wireless Bridge mode

  • Support for AESGCM algorithms in IKEv2 for encryption

Supported Platforms

The platform-specific versions for this unified release are all the same:

Platform Firmware Version
TZ Series 7.0.1-5145
NSa Series 7.0.1-5145
NSv Series 7.0.1-5145
NSsp Series 7.0.1-5145
  • NSa 2700
  • NSa 3700
  • NSa 4700
  • NSa 5700
  • NSa 6700
  • NSsp 10700
  • NSsp 11700
  • NSsp 13700
  • NSsp 15700
  • TZ270 / TZ270W
  • TZ370 / TZ370W
  • TZ470 / TZ470W
  • TZ570 / TZ570W
  • TZ570P
  • TZ670
  • NSv 270
  • NSv 470
  • NSv 870

SonicOSNSv deployments are supported on the following platforms:

  • AWS (BYOL and PAYG)
  • Microsoft Azure (BYOL)
  • VMware ESXi
  • Microsoft Hyper-V
  • Linux KVM

Resolved Issues

Issue ID Issue Description
GEN7-24752 L2TP connections cannot be made when Enable IP header checksum enforcement is enabled. The packet is dropped for the failure to handle IPSec or an incorrect IP checksum value.
GEN7-36260 The appliance reboots with a segmentation fault after changes are made to WAN Load Balancing.
GEN7-36305 An appliance may experience high CPU usage when WAN Load Balancing is enabled.
GEN7-36796 Administrators cannot edit or disable automatically added NAT policies after Enable the ability to disable auto-added NAT policy is enabled on the DEVICE | Diagnostics page.
GEN7-37233 Users running Capture Client for MacOS may lose their Internet connection when Endpoint Security Rules are applied for SSO Enforcement.
GEN7-38094 The list of blocked countries for GeoIP is not sorted alphabetically.
GEN7-38337 Network Loop/Flood happens when enabling LACP between SonicWall and Dell switches running VLT.
GEN7-38389 Network Loop/Flood happens when enabling LACP between SonicWall and Dell switches running VLT.
GEN7-38538 Creation of a Link Aggregation Group may fail when using X0 as the aggregator interface.
GEN7-38601 The appliance displays an error and restarts when using the Access Point Floor Plan feature and managed using Network Security Manager (NSM).
GEN7-38644 Administrators cannot to filter logs based on the time.
GEN7-39035 Traffic fails after shutdown of a L2 Link Aggregation Group aggregator port (PortShield mode or trunk mode) using the management interface.
GEN7-39248 Creating an administrator account name that contains special characters causes the Device > Settings > Firmware & Settings page to not display any backups. The error An error occurred but the cause could not be determined at this time is displayed when trying to access the list.
GEN7-39415

DPI-SSL version selection options have been improved:

  • Removed SSL 3.0 support in the DPI- SSL version.
  • Provided new user interface for the DPI-SSL version selection on the Diagnostics page.
  • Added the corresponding diagnostic commands to the command-line interface (CLI) to match those available in the management interface.
GEN7-39523 SSL VPN users may intermittently be unable to connect with NetExtender, Mobile Connect, or Virtual Office.
GEN7-39636 NSsp 15700 only: When a NSsp 15700 appliance is configured in High Availability mode, the management interface may intermittently be unavailable.
GEN7-39654 The CTA (Capture Threat Assessment) Report shows IPS Reporting and Spyware Reporting as disabled when they are enabled.
GEN7-39775 Mobile client users connecting through a TZ wireless series are not able to access the internet after changing the device from WDS Station to Access point mode.
GEN7-39805 A Zero Touch session is treated as a connection going through interface X0, which blocks configuring X0 using Network Security Manager (NSM).
GEN7-40407 Using Two-Factor authentication to log in via Virtual Office when Partitions is enabled succeeds for the first domain in the dropdown list, but other domains fail displaying the error: Incorrect name/password.
GEN7-40455 High memory utilization may be experienced on NSv platforms.
GEN7-40534 The status code of a security policy may show as Active when the policy is disabled.
GEN7-40564 CVE-2023-2650 Possible DoS translating ASN.1 object identifiers
GEN7-40609 When logging in with the correct administrator credentials, the error Require client certification login is displayed when Common Access Card is enabled.
GEN7-40610 After a user has logged in using Common Access Card using a smart card, the user is shown as Unknown User in the User Session window and Dashboard.
GEN7-40617 Changing the web management certificate from ECDSA to RSA type does not take effect until the appliance is restarted.
GEN7-40829 NSsp 15700 only: The IPFix statistics are not updated after enabling IPFIX.
GEN7-40972 Loading the Geo-IP cache while loading the Diagnostic tab may cause high DataPlane CPU utilization.
GEN7-41026 When an appliance is configured with a value of Any for the service field and Allow Management Traffic is enabled for the access rule may cause the CPU usage to increase to 100%.
GEN7-41050 High Core 0 utilization may be seen when the appliance starts up with FQDN address objects defined.
GEN7-41064 Post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN's getBookmarkList.json URL endpoint.
GEN7-41065 Post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN's sonicflow.csv, appflowsessions.csv endpoints.
GEN7-41068 Post-authentication SSL-VPN user assertion failure leads to Stack-Based Buffer Overflow vulnerability via main.cgi.
GEN7-41069 Post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN's getPacketReplayData.json URL endpoint.
GEN7-41074 Post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN's ssoStats-s.xml, ssoStats-s.wri endpoints.
GEN7-41075 Post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN's sonicwall.exp, prefs.exp endpoints.
GEN7-41076 Post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN's plainprefs.exp URL endpoint.
GEN7-41107 Audit Logs configured with a field that begins with special characters (such as - or + or =) may cause memory-related issues.
GEN7-41149 TZ series only: Traffic may fail when setting built-in wireless on a TZ wireless model series when changing the setting from WDS station mode.
GEN7-41231 A hard-coded password was present in the dynHandleBuyToolbar demo function.
GEN7-41394 The information for the countries of Iraq and Syria was adjusted to no longer use DST.
GEN7-41433 improvements were made to ensure extra file system integrity checks are performed to prevent potential system corruption.
GEN7-41622 When a packet is send via VPN with certain tags, it may trigger high CPU DataPlane usage if traffic is heavy.
GEN7-41952 Post-authentication Improper Privilege Management vulnerability in the SonicOS SSL VPN Tunnel.
GEN7-43527 NSsp 15700 only: A High Availability Pair may show a high Core 0 utilization of 100% causing the appliance to restart.
GEN7-43528 The appliance may restart automatically after enabling LDAP authentication.

Additional References

GEN7-28433, GEN7-34477, GEN7-37004, GEN7-37288, GEN7-37318, GEN7-37858, GEN7-37943, GEN7-37977, GEN7-38521, GEN7-38795, GEN7-39183, GEN7-39401, GEN7-39443, GEN7-39522, GEN7-39876, GEN7-39937, GEN7-39958, GEN7-40001, GEN7-40046, GEN7-40051, GEN7-40073, GEN7-40232, GEN7-40370, GEN7-40660, GEN7-40737, GEN7-40779, GEN7-40781, GEN7-40798, GEN7-40908, GEN7-41521, GEN7-41644, GEN7-41730, GEN7-42178, GEN7-42199, GEN7-42952, GEN7-43153

Known Issues

Issue ID Issue Description
GEN7-41011 Groups imported from LDAP are not automatically populated with the LDAP location.
GEN7-41040 A security policy is automatically added from the SSO Bypass settings, but it should not be added in appliances configured for Policy Mode.
GEN7-41102 The user is not prompted to change their password when Password change is enabled on the appliance for an imported user.
GEN7-41340 The connected route of sub-VLAN WAN interface displays as inactive when its parent interface is set to Unassigned.
GEN7-41630 An IPv6 VPN policy with a Disabled status will become enabled after the policy is edited.
GEN7-41996 Disabling Automatically adjust clock for daylight saving time makes no change to current system time.
GEN7-42202 A custom uploaded botnet signature file is not saved and then is lost when the device restarts.
GEN7-42675 In devices configured for Policy Mode, if the highest priority matching security policy has All users selected and does not have any of App/Match/URL/Web-Cat selected then user redirection is skipped for subsequent security policies.
GEN7-43049 An intermittent issue may occur when a network error is seen in the management interface after uploading the firmware and restating the appliance with factory default settings. The API sends the response and closes the HTTP connection before rebooting, making it appear that the unit is still operating.
GEN7-43500 After changing the name of a local user, the entry is still displayed in Server DPI-SSL Inclusion and Server DPI-SSL Exclusion lists. The user with the changed name cannot be selected.
GEN7-43505 Unable to add a central gateway VPN policy for DHCP over VPN when the authentication method is Certificate.
GEN7-43554

Unable to add valid domains to the Custom Malicious Domain Name List and White List page after adding an invalid domain because the pending configuration is still present.

Logging out and back in resolves the issue.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden