In One Arm Mode, only one firewall interface is used, and all traffic enters and leaves through that same interface. Security rules and Deep Packet Inspection (DPI) scans can be applied to data traffic on the One Arm interface: data received on this interface is scanned by SonicOS security services and then sent back out on the same interface.
One example usage scenario is SonicWall Cloud Edge. Cloud Edge works well with a single interface on the firewall, where traffic comes in and goes out through the same interface.
For One Arm Mode, you need to configure the interface:
When you complete the One Arm Mode interface configuration, SonicOS automatically updates the system configuration to support One Arm Mode.
If the One Arm Mode interface is in the LAN zone, options on the NETWORK | Firewall > Advanced page, under ACCESS RULE OPTIONS, are enabled or disabled:
Enable ICMP Redirect on LAN zone is disabled: ICMP redirect is turned off if the One Arm Mode interface is in the LAN zone.
An address object for the One Arm Peer is automatically created.
A security policy that allows traffic from the One Arm Mode interface to the One Arm Mode interface is automatically created, so this traffic is always allowed.
A routing policy is automatically added with the One Arm Peer as the gateway to allow other traffic to apply One Arm routing, if needed.
To use a single interface on the firewall, the minimum number of NICs is changed to 1. To use only X0, you need to shut down X1 so that all traffic goes out from X0. When you shut down X1, the priority of the One Arm routing policy becomes higher than the default route priority, and traffic uses the X0 One Arm routing policy.
For configuration of a One Arm Mode interface, see Configuring One Arm Mode.