I needed to replace my router/firewall recently (my old Symantec Firewall Appliance was behaving erratically and regularly killing connections, and reinstalling the firmware did not help). I looked at multiple options, and ended up selecting a SonicWALL device.
My initial experience with SonicWALL was rather pathetic. I filled in an online form to have an appropriate partner get back to me, and to this day (a month later) no one has responded. I also sent an e-mail message to the posted sales e-mail address, and that message has also yet to be responded to. Finally, I called and spoke to a sales rep who answered my questions, and gave me completely incorrect information (I had a couple of very specific requirements that he told me were doable, neither of which really were).
But, despite my obvious misgivings, I bought the device anyway. The initial experience was superb – the setup wizard starts up automatically and it establishes defaults that will generally be all you need to be online safely. The software is highly responsive and incredibly intuitive; I’ve yet to have to refer to help or docs for anything (even for more complex tasks like setting up firewall rules). I also upgraded the firmware to the Enhanced OS (which provides greater control, particularly in the firewall), and the process sets the bar for how firmware updates should work: upload the new firmware via a form in the web admin console, a list of all available firmware images is then displayed, just click on the one to boot with, the device resets, and in a minute or so you are done and back up and running. (Contrast that to the Symantec device, or the HotBrick I used previously, or others – this process is nothing short of perfect.)
Of course, it was at this point that I discovered that the sales rep had given me incorrect information (I am not accusing him of lying, I just think that the second I mentioned firewall rules tied to MAC addresses and wildcard host names he was out of his depth). I left a message for support on the online forum, and received timely, detailed, thorough, and accurate responses. Unfortunately, the responses verified that I was correct, and that the device could not do what I wanted, but at least I had an authoritative answer.
I called back, and spoke to a regional rep who put me in touch with a sales engineer who absolutely got it. He understood exactly what I wanted, offered me workarounds (none of which were ideal), suggested that I replace the device with the next model up so as to have access to additional firmware options (which I did), and then told me that the two features I needed were in the next version of the firmware that is currently in beta. He offered me the firmware, which installed as painlessly as previously mentioned, and has since sent me updated beta versions as they become available. The beta firmware itself has proven to be rock solid, and the primary enhancements are indeed exactly the features I was looking for.
The bottom line is that, despite a rather unsatisfactory initial sales experience, SonicWALL gets it. The devices (I’ve now tried two, the initial one that I returned, and the newer replacement) just work, the feature set is thorough and well thought out, the software is responsive and the best I have seen in any device, the add-on services (security, content-filtering, and more) are simple to activate and administer (although not as tightly integrated with core functionality as they should be), applying updates is nothing short of perfect, and the technical help is second to none.
If you are in the market for a firewall device, I’d strongly suggest that you seriously consider a SonicWALL.

  1. Ben, I have used Sonicwall for years. In the past 5 years it has not been by choice. I can tell you horrible stories about my experiences with them. They are also buggy and they know the bugs. They don’t operate in 100MBPS modes, only 10MBPS. Play with the firmware, you will see what I mean. You will lock yourself out by forcing 100MBPS. There are also other issues, and to get support you have to maintain an annual contract; this even covers firmware upgrades. Upgrades that fix security holes in their product.
    Support response times are horrific by phone and their web-based system! I have records of conversations where they asked me the same question 3x in a row even after the system shows my responses below their questions.
    I’ve also noticed that FTP is incredibly slow on any network I have a Sonicwall installed. It drops, and sessions take a long time to restart.
    I have used all levels of their product, right up to the enterprise class firewalls, and have the same experience.
    Stay away from Sonicwall.
    I recommend using your old PC, install an additional network card and use IPCOP, http://www.ipcop.org. It has most of the functionality of any commercial firewall (and some features they don’t) and any functionality you might need can easily be added via OSS packages. It’s free, and I am running about 20 of these, with naught an issue except maybe the occasional hard drive or network card failure. It’s Linux-based.

  2. Thanks for not giving up on buying our products, we’ve obviously got some work to do there.
    SonicWALL engineers have been working diligently to create compelling network security solutions for the past decade and I think that we’ve really started to hit our stride in terms of features, stability and performance. We are particularly proud of our Enhanced firmware that delivers a highly integrated feature set tied together under a powerful graphical user interface.
    If you’d like to see what Ben’s talking about, check out our online demo at https://sonicos-enhanced.demo.sonicwall.com/
    If you like 3.5, you’re gonna love 4.0 (beta should kick off in October)…
    Matt Dreyer
    Product Line Manager

  3. Ben,
    Can you tell us which features required the upgrade to the next model? I’ve been looking at SonicWall, and it sounds like I have some of the same requirements as you.

  4. Matt,
    Wow, a SonicWALL PM dropping by, I am honored.
    Yes, it is the 3.5 beta I am now running, and I have not experienced any of the issues that TJ referred to in his comments. On the contrary, having used lots of other devices (Symantec, Cisco, CheckPoint, HotBrick, and others) I think I have enough experience to make comparisons. And as I said in my original post, the functionality and software are superb.
    Yep, it sounds like you have some work to do training sales reps and managing prospects, but those are criticisms of the sales organization, not of the product itself. And as originally noted, based on my experiences thus far I’ll definitely be recommending your products in the future.
    Looking forward to 4.0!
    — Ben

  5. The active directory integration in the Enhanced OS leaves a lot to be desired, at least in the 3.5 version. Actually, it was misrepresented to us that we could use this to control access to Windows Active Directory users and groups. It never functioned properly after several inquiries to Sonicwall, under a support contract. We were told by a technician that it was buggy and was not working properly, yet we paid a considerable sum extra for this feature.

  6. Michael,
    Sure thing. The two features I needed were:
    1) The ability to use MAC addresses as address objects which could then be used in firewall rules. The current shipping firmware can use IP addresses, but not MAC addresses. The workaround is to assign static addresses to those machines, but that is not ideal as IP addresses are far too easy to change. MAC addresses are safer, as most users won’t start switching NICs.
    2) Some of my hosts have full outbound unrestricted access, others have content filtered access, and yet others have limited access to a whitelist. I could not use the content filtering whitelist as that provided no way to associate group policies with address groups. And the firewall rule option did not work as I’d have to use IP addresses instead of domain names.
    And I hope I did not just violate some beta rules by sharing these details!
    — Ben
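    To make the two features above concrete, here is an added illustration (my own example, not SonicWALL code and not Ben’s configuration) of an outbound policy engine in which address objects can be keyed by MAC or by IP, address groups feed tiered policies (unrestricted, content-filtered, whitelist of wildcard host names), and first match wins with a default deny. It also shows the point Ben makes about IP-keyed rules: when the same NIC picks up a different address, an IP-keyed group no longer matches and the host silently falls through to the default, while a MAC-keyed group still applies. All MAC addresses, IPs, host names and policy names are constructed sample values.

```python
"""Tiered outbound policy evaluator with MAC- or IP-keyed address objects.

Added example, not vendor code. Models: address objects (MAC or IP),
address groups, per-group outbound mode, wildcard host-name whitelists,
first-match-wins evaluation and default deny. Sample values are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class AddressObject:
    kind: str    # "mac" or "ip"
    value: str


@dataclass(frozen=True)
class Host:
    mac: str
    ip: str


@dataclass
class Policy:
    name: str
    members: frozenset          # address group of AddressObject
    mode: str                   # "allow_all", "filtered" or "whitelist"
    allowed_hosts: tuple = ()   # wildcard host patterns, whitelist mode only


def host_matches(host: Host, group: frozenset) -> bool:
    """True if any address object in the group identifies this host."""
    for obj in group:
        if obj.kind == "mac" and obj.value.lower() == host.mac.lower():
            return True
        if obj.kind == "ip" and obj.value == host.ip:
            return True
    return False


def _matches_any(name: str, patterns) -> bool:
    return any(fnmatchcase(name.lower(), p.lower()) for p in patterns)


def evaluate(policies, host: Host, dest_host: str, filter_blocklist):
    """Return (verdict, reason). First matching policy wins; default deny."""
    for p in policies:
        if not host_matches(host, p.members):
            continue
        if p.mode == "allow_all":
            return ("allow", p.name)
        if p.mode == "filtered":
            if _matches_any(dest_host, filter_blocklist):
                return ("deny", f"{p.name}: content filter")
            return ("allow", p.name)
        if p.mode == "whitelist":
            if _matches_any(dest_host, p.allowed_hosts):
                return ("allow", p.name)
            return ("deny", f"{p.name}: not on whitelist")
    return ("deny", "default")


# Constructed content-filter blocklist (stand-in for a vendor category feed).
CONTENT_BLOCKLIST = ("*.example-gambling.test", "ads.*")

# Same three tiers, once keyed by MAC and once keyed by IP.
MAC_KEYED = [
    Policy("admins", frozenset({AddressObject("mac", "00:11:22:33:44:55")}), "allow_all"),
    Policy("staff", frozenset({AddressObject("mac", "00:11:22:33:44:66")}), "filtered"),
    Policy("kiosks", frozenset({AddressObject("mac", "00:11:22:33:44:77")}), "whitelist",
           ("*.intranet.test", "update.vendor.test")),
]
IP_KEYED = [
    Policy("admins", frozenset({AddressObject("ip", "192.0.2.10")}), "allow_all"),
    Policy("staff", frozenset({AddressObject("ip", "192.0.2.20")}), "filtered"),
    Policy("kiosks", frozenset({AddressObject("ip", "192.0.2.30")}), "whitelist",
           ("*.intranet.test", "update.vendor.test")),
]


def demo() -> dict:
    """Evaluate a few constructed requests under both keyings."""
    staff = Host("00:11:22:33:44:66", "192.0.2.20")
    kiosk = Host("00:11:22:33:44:77", "192.0.2.30")
    # Same NIC after a new DHCP lease: MAC unchanged, IP changed.
    kiosk_moved = Host("00:11:22:33:44:77", "192.0.2.99")
    return {
        "kiosk_intranet": evaluate(MAC_KEYED, kiosk, "wiki.intranet.test", CONTENT_BLOCKLIST),
        "kiosk_other": evaluate(MAC_KEYED, kiosk, "news.example.test", CONTENT_BLOCKLIST),
        "staff_blocked": evaluate(MAC_KEYED, staff, "ads.example.test", CONTENT_BLOCKLIST),
        "moved_mac_keyed": evaluate(MAC_KEYED, kiosk_moved, "wiki.intranet.test", CONTENT_BLOCKLIST),
        "moved_ip_keyed": evaluate(IP_KEYED, kiosk_moved, "wiki.intranet.test", CONTENT_BLOCKLIST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

    The interesting pair is the last two entries: under the MAC-keyed groups the relocated kiosk keeps its whitelist tier, under the IP-keyed groups it matches nothing and is denied by default, which is the right failure direction but means the host’s intended policy no longer applies. A real deployment would also need the default rule and the blocklist to be logged, so that such fall-throughs are visible rather than silent.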

  7. Matt, since you are here I have a question… (sorry for the semi-postjacking Ben)
    I need a Linux client for SonicWall VPN but have had no luck. Is there any such animal?

  8. I’d love to hear your suggestions for improving our AD authentication implementation. We’ve got a pretty interesting suite of authentication gizmos in 3.5 and a couple more coming in the 4.0 release. We can currently do authentication for VPN, CFS (web filtering) Wireless, and Firewall Rules.
    Actually, that brings something else to mind. We’ve got a pretty slick technology called Lightweight Hotspot Messaging (LHM) that can be used to authenticate against just about anything (including PayPal for micropayments). I apologize in advance that we don’t have CF versions of these scripts (I’m confident that this group can port our .NET examples in a couple hours).
    Check out the SonicWALL LHM Resource Center at: http://www.sonicwall.com/support/secure_wireless_documentation.html

  9. >Matt, since you are here I have a question… (sorry for the semi-postjacking Ben)
    >I need a Linux client for SonicWall VPN but have had no luck. Is there any such animal?
    Most Linux distro’s have some sort of IPSec client included in them, but they are admittedly difficult to get configured without some guidance. If you’re looking for a starting place my favorite is the Openswan project at http://www.openswan.org/
    Here is a quickstart that the Openswan guys created: http://wiki.openswan.org/index.php/Openswan/SonicWall
    As an alternative, our SSL-VPN products provide a very very robust replacement technology for IPSec. Our NetExtender technology gives you a virtual IP address and an IPSec-like tunnel. NetExtender is currently available for Win32 platforms and I believe that Mac and Linux versions will be in beta in the next couple of months.

  10. I have been using SonicWALLs since around 1997. For a while there was a difficult period, but I gotta tell you — they have never let me down. I’ve never had one broken into. Support does take some time in certain instances, but the SonicWALL I have at my data center now has been up continuously for more than 1000 days without hiccup, and it includes many VPNs and a rather long access rule list. Not that this is the end-all, but it’s a good indicator for me. VPN-VPN on Sonicwalls is a breeze and I find there are more options than I could hope for and the pricing is just about right (we always want lower prices, of course! 🙂)
    I do wish there was a bit more pre-sales and general support, though, because when the firewall is down EVERYONE notices and you want responsiveness. But like Ben said, the devices are pretty intuitive and overall I’d recommend them to anyone for anything.

  11. Ben,
    Great blog! Thanks for the details on the 3.5 beta firmware. Any idea when 3.5 will be released for consumption?

  12. Tonyt, I don’t know a date. But as Matt Dreyer of SonicWALL said the 4 beta will start in October, I have to assume that 3.5 will be out before then.
    — Ben

  13. I have a Sonicwall TZ170w at a client site now. I have mixed feelings about it.
    Good: Awesome wireless signal output. Great coverage and the autochannel selection works great in office buildings with other wireless networks nearby that could cause interference. The Standard version is pretty easy to use and set up. The ability to stage firmware updates and keep a backup of the firmware settings available in flash is a wonderful way to save your butt when you screw up. The content filtering works quite well, albeit a bit slow to initiate the loading of a page while it checks it out. Great mounting bracket with easy removal of the device when needed! Just about every other firewall/WLAN device vendor could stand to learn from their design.
    Bad: The Standard firmware in 3.1 does not allow you to disable DHCP for the LAN and keep it for the Wireless LAN nor Wireless Guest Services. This is necessary if you have an MS network, esp. SBS, and want to use DHCP to have Dynamic DNS registration work properly on MS DNS. I called about it after some forum surfing and filed a ticket. Nearly one month later no response. I called back and got through 70 minutes and 5 transfers to get to a sales person to provide the Enhanced version at no cost to solve the problem. It was provided the next day (kudos). You also cannot simply have the secure WLAN running WPA be on the LAN subnet as a bridged wireless network. That should at least be an option. WGS then could be implemented with a second SSID that maps to its own subnet and rules.
    Enhanced firmware is substantially more complicated and very UNintuitive. It would be nice if there were an option to have the UI behave much like the Standard OS but have access to the deep control through submenus. Setting up NAT Policies is a mess even with the wizard. Removing them is worse since it has to be done manually in 4 different places. Frankly, I like m0n0wall’s UI and its ease much better. Sonicwall’s help pages and PDF docs leave much to be desired as far as clarity and good examples to follow.
    Overall I would have to rate 6 of 10. It’s a great piece of hardware with decent features that are simply too hard to put to use without a lot of consternation.
    Thanks for the place to post my comments!

  14. One more bad thing. When I installed the upgrade to Enhanced and activated it the router went out to lunch and did not come back. I had to reset it and reconfigure all the settings with the now far more complicated interface. That was no fun. I would have expected it to keep its settings when upgrading (obviously not when downgrading due to having extra data in the config files).
    Thanks again.

  15. Felipe wrote: "Bad: The Standard firmware in 3.1 does not allow you to disable DHCP for the LAN and keep it for the Wireless LAN nor Wireless Guest Services"
    Hi Felipe: All SonicOS versions fully support having scopes only for LAN, DMZ or WLAN, so this isn’t true. I just checked on a TZ150W, which runs the same 3.1 Standard firmware, and it allows having only the WLAN DHCP scope enabled. I manually deleted the LAN DHCP scope and then could run a Windows DHCP on the LAN w/out problems.

  16. Regarding Sonicwall Enhanced OS, I just spent the last 2 hours wondering what the hell was going on with trying to get port forwarding working.
    I created the access rules and NAT perfectly, I checked it, checked it and checked it again about 10 times, and I am pretty competent with this sort of thing.
    After deleting my custom NAT rules and access rules 4 times and reentering the same values exactly the same each time, it suddenly started working after about the 4th full wipe and recreate. What can I say, this firmware (SonicOS Enhanced) is buggy as hell – something to do with Service Groups, which it really doesn’t like.
    Apart from that I am pleased with its actual performance.

