SonicOS 7.0.1 Release Notes

Version 7.0.1-5111 April 2023

April 2023

This version of SonicOS 7.0.1 is a maintenance release for existing platforms and resolves issues found in previous releases.

For information about the most recent release for the NSsp 15700 platform, please see Version 7.0.1-5100 March 2023.

Supported Platforms

The platform-specific versions for this unified release are all the same:

Platform Firmware Version
TZ Series 7.0.1-5111
NSa Series 7.0.1-5111
NSv Series 7.0.1-5111
NSsp Series 7.0.1-5111
  • NSa 2700
  • NSa 3700
  • NSa 4700
  • NSa 5700
  • NSa 6700
  • NSsp 10700
  • NSsp 11700
  • NSsp 13700
  • TZ270 / TZ270W
  • TZ370 / TZ370W
  • TZ470 / TZ470W
  • TZ570 / TZ570W
  • TZ570P
  • TZ670
  • NSv 270
  • NSv 470
  • NSv 870

SonicOS NSv deployments are supported on the following platforms:

  • AWS (BYOL and PAYG)
  • Microsoft Azure (BYOL)
  • VMware ESXi
  • Microsoft Hyper-V
  • Linux KVM

Resolved Issues

Issue ID Issue Description
GEN7-29243 SNMP Queries are taking a long time to complete when there are Portshielded Interfaces and querying interface-related object identifiers.
GEN7-31345 The SMB File transfer speed over VPN drops significantly when the files are copied to a LAN device behind an NSv instance in Azure.
GEN7-32492 The OSPF MTU of Unnumbered Tunnel Interfaces is set to a fixed value of 1446, which may not always be correct.
GEN7-32624 A device may be unable to get a WAN IP from the ISP from a PPPoE connection after the device is restarted.
GEN7-33153 Appliances now require that the administrator must change the administrator password if the appliance is started from factory default settings or if the default administrator password is still password.
GEN7-33218 Guest users are not redirected to the captive portal authentication page.
GEN7-33655 When the user authentication method is set to RADIUS, even if the Read-Only Admins Group belongs to the user's group, the user can log in as a Full Administrator when logging in to the administration user interface using a Global VPN Client.
GEN7-34401 DHCP via IP Helper is not working over IPSec VPN in SD-WAN configurations.
GEN7-34875 NSa 3700 only: The appliance stops passing traffic and becomes inaccessible through the LAN interface after a few months in operation.
GEN7-35282 The download speed is slower than expected when Bandwidth Management is enabled on access rules when the TCP advertised window is not large enough.
GEN7-35355 LDAP users of the format domain\username are unable to authenticate when using Time-based One-Time Password authentication.
GEN7-35356 NSa 2700 only: An appliance may become inaccessible after being active for some time because of a deadlock state between the routing and VPN modules.
GEN7-35478 The system log displays an incorrect fw_action for the message Syslog Website Accessed.
GEN7-35530 When configuring a High Availability environment, both the Primary and Secondary device both became Active and cannot discover its peer firewall for synchronization or failover.
GEN7-35651 An option was added on the diagnostics page for GEO-IP that allows administrators to drop TCP handshakes coming from an IP address that originates from a blocked country. Synchronized packets not forwarded to the LAN Geo-IP will prevent the block page from being displayed. The default behavior if this option is not enabled requires TCP handshakes to establish a connection to be able to display the block page.
GEN7-35761 On the management user interface, the Storage LED may display as being Off, but the light remains lit on the device .
GEN7-35947 NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, and NSsp 13700 models only: If an administrator is logged into both the Safe Mode user interface and the Safe Mode command-line interface at the same time, and uploads firmware and restarts the appliance with the current configuration or factory default, the unit will stop responding after displaying the message Installed Firmware.
GEN7-36244 The management interface shows that the 10G interfaces (X29-X33) are still available in the front panel display with a TwinAX cable connected and shutting down the interfaces as an administrator.
GEN7-36461 A firewall may reboot when multiple Access Rules are deleted when the source zone is in a custom DMZ and the destination zone is a VPN.
GEN7-36535 When using a DPI-SSL server, the intermediate certificate is not being sent.
GEN7-36602 The administrator cannot disable RADIUS proxy forwarding when the user-name attribute format is set to Other in the SSO configuration.
GEN7-36610 Cannot to connect to WiFi when both SSID suppression and MAC filtering are enabled.
GEN7-36631 In High Availability configurations, for Flow Reporting on Network Security Manager for firewalls , the secondary device sends flow logs with the secondary serial number instead of the primary serial number.
GEN7-36703 Security Headers have been added for servers.
GEN7-36790 NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, and NSsp 13700 models only: An issue was intermittently experienced when an appliance could not be successfully upgraded using the Safe Mode user interface.
GEN7-36919 When using the Wizard to create a NAT policy, a Service Group gets created for service explicitly named "any" instead of using the default any Service Group.
GEN7-36965 Global VPN client RCF import fails when password contains special chars, such as #.
GEN7-37018 When an LDAP user without administration privileges attempts to log in from a LAN, the error message Unknown error is displayed instead of a more specific reason, such as not enough privilege.
GEN7-37044 Improper Restriction of Excessive MFA Attempts
GEN7-37095 For TZ 270, TZ 370, and TZ 470 models only: the Enable Stateful Synchronization option is not displayed within the management interface for High Availability. If this option was enabled in prior versions, the setting will continue to function even though it is not visible.
GEN7-37134 Under some conditions, the Content Filtering Service (CFS) DNS reply handling and request time can trigger conflicts in the handling of cache timers, causing the device to restart.
GEN7-37186 When CASS is enabled, the Real-time Block List (RBL) filter is not hiding the RBL Filter settings.
GEN7-37221 Sorting the NAT Policies list does not work as expected.
GEN7-37274 The Send IKEv2 Cookie Notify setting is not functioning correctly and causes establishment of a IKEv2 VPN to fail.
GEN7-37417 Deleting a user account with a domain format causes the error to be displayed: Network Object not found.
GEN7-37480 The QR code is blank for RADIUS users while binding SSL VPN Time-based One-Time Password (TOTP) authentication.
GEN7-37783 Devices are unable to negotiate IKE using 3rd Party Certificate VPN tunnel when using a certificate of a larger size because the DF flag forbids the fragmentation of the packet involved, causing the packet to never reach the peer gateway.
GEN7-38111 SonicOS Stack-based Buffer Overflow Vulnerability. For more information, refer to CVE-2023-0656.
GEN7-38501 A firewall with the watchdog settings enabled restarts itself every few minutes after updating to SonicOS 7.0.1-5108.

Additional References

The following additional resolved issues in this release are listed here for reference:

GEN7-26565, GEN7-31774, GEN7-32249, GEN7-32373, GEN7-33318, GEN7-33434, GEN7-33890, GEN7-34069, GEN7-34418, GEN7-35180, GEN7-35494, GEN7-35518, GEN7-35647, GEN7-35831, GEN7-36030, GEN7-36179, GEN7-36191, GEN7-36192, GEN7-36321, GEN7-36332, GEN7-36541, GEN7-36642, GEN7-36648, GEN7-36826, GEN7-36852, GEN7-36908, GEN7-37043, GEN7-37142, GEN7-37316, GEN7-37336, GEN7-37600, GEN7-37794, GEN7-37818, GEN7-37835, GEN7-37976, GEN7-38196, GEN7-38549, GEN7-38551

Known Issues

Issue ID Issue Description
GEN7-35241 If two IPv6 WAN interfaces are configured, configuring the second interface in IPv6 static mode causes the error Command 'dns primary xxxxx::xxx:xxxx:xxxx::xxxx' does not match to be displayed
GEN7-35248 Deleting the DHCPv6 prefix delegation for one interface will clear the prefix delegation configuration on other interfaces.
GEN7-36178 FTP automation fails if the server response is longer than 2 seconds.
GEN7-36194 If two VPN tunnel interfaces are named starting with the same 16 characters, Advanced Routing support cannot be enabled on both interfaces.
GEN7-36620

NSA 4700, NSA 5700, NSA 6700, NSsp 10700, NSsp 11700, NSsp 13700 models only: After High Availability with Stateful Failover is set up, disabling and then re-enabling Stateful Failover, and keeping the same Control and Data interfaces, will cause the secondary unit to stay in Election state and access to the primary unit will be lost.

The status will recover after fifteen minutes or after the units have been power cycled..

GEN7-37226 The user interface allows 10G interfaces and 1G interfaces to be added to an L2 Static LAG Group even though this configuration is not valid.
GEN7-37326 Editing the WAN GroupVPN settings, and then immediately enabling or disabling WAN GroupVPN, may cause some configuration settings to be lost.
GEN7-37501 After the Deny Mac-Filter list containing a wireless client MAC is changed to No Mac Address, or if the Deny Mac-filter list has been disabled, the wireless client remains blocked.
GEN7-37508 When importing a configuration that has WAN to TrustZone secure Wire Mode interfaces configured, the traffic is not blocked.
GEN7-37511 When configuring a gateway and adding a policy-based route using the 6to4AutoTunnel, an error is displayed: gateway must be default.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

  • Hidden
  • Hidden

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
  • Hidden
  • Hidden