Latest News

By Georgy Thadathil (SonicWall Product Manager)

Overview

Cybersecurity is no longer just about blocking threats; it's about proving security works as intended, especially when auditors, regulators, or customers come asking. FIPS 140-3 validation plays a crucial role in delivering that assurance.

SonicWall's FIPS 140-3 Commitment

SonicWall firewalls incorporate FIPS 140-3-validated cryptographic modules, meeting the stringent security requirements demanded by government, defense, and regulated industry customers.

By achieving FIPS 140-3 validation, SonicWall demonstrates that:

• Cryptography is implemented securely and according to federal standards
• Products meet compliance expectations required for regulated procurement
• Security claims are independently verified, not self-certified

This validation provides enterprises with assurance that SonicWall solutions are built on a strong technical and compliance foundation.

What Enterprises Gain from FIPS 140-3 Validation

1. Independently Verified Cryptographic Security

FIPS 140-3 validation ensures that encryption and authentication mechanisms are:

• Correctly implemented according to cryptographic standards
• Resistant to known weaknesses such as side-channel attacks
• Independently tested by accredited laboratories, not self-certified by vendors

This reduces the risk of hidden implementation flaws that attackers could exploit.

Real-world context: Over the years, security researchers have discovered critical vulnerabilities in products that claimed "military-grade encryption" but had flawed key generation, weak random number generators, or improper memory handling. FIPS 140-3 validation helps prevent these issues from reaching production.

2. Simplified Compliance and Audit Success

Organizations operating under regulations such as:

• Federal government security mandates (FedRAMP, FISMA, DoD)
• Financial compliance frameworks (PCI-DSS, SOX, GLBA)
• Healthcare regulations (HIPAA)
• Critical infrastructure requirements (NERC CIP)

…often require or strongly prefer FIPS 140-3 validated products to pass audits.

Using FIPS 140-3 validated solutions simplifies:

Security audits and compliance reporting

• Vendor risk assessments
• Third-party security questionnaires
• Regulatory documentation requirements

Bottom line: When auditors ask, "How do you know your encryption works?", you can point to an independent government validation.

3. Reduced Operational and Security Risk

Weak or incorrectly implemented cryptography can lead to:

• Data breaches exposing sensitive customer or operational data
• Compliance violations resulting in fines and legal liability
• Loss of customer trust and competitive damage
• Incident response costs and remediation expenses

FIPS 140-3 validation minimizes these risks by enforcing rigorous design, implementation, and testing standards before products reach customers.

4. Future-Proof Security Architecture

Security standards and threats evolve continuously. Products designed with FIPS 140-3 discipline are typically:

• Built with modular, standards-based cryptography that can be upgraded
• Easier to migrate as new algorithms and requirements emerge
• Better positioned for post-quantum cryptography transitions
• Aligned with long-term security roadmaps rather than short-term fixes

Choosing FIPS 140-3 validated products today means fewer disruptive replacements tomorrow.

5. Performance Without Compromise

A common concern is whether FIPS mode impacts performance.

Modern FIPS 140-3 validated implementations:

• Leverage hardware acceleration for cryptographic operations
• Maintain high throughput for VPN, SSL/TLS, and encrypted traffic
• Use optimized algorithms that balance security and speed

With SonicWall firewalls, FIPS mode can be enabled without significant performance degradation, ensuring security doesn't come at the cost of user experience.

Where FIPS 140-3 Matters in Real Deployments

Whether securing:

• Enterprise perimeter networks with next-generation firewalls
• Remote access VPNs for hybrid and distributed workforces
• Cloud workloads with virtual security appliances
• Service provider infrastructure supporting government or regulated customers
• Critical operational technology (OT)in industrial environments

...FIPS 140-3 validated solutions provide confidence that security controls will behave reliably, even under attack, stress, or error conditions.

Deploying SonicWall in FIPS Mode

SonicWall firewalls make FIPS 140-3 compliance straightforward:

• Enable FIPS mode through the management interface
• Configure approved algorithms for VPN and encryption
• Verify operation using built-in diagnostics
• Document configuration for audit and compliance purposes

SonicWall's management tools provide visibility into FIPS status, making it easy to maintain compliance over time.

Security That is Proven

For enterprises, FIPS 140-3 validation means peace of mind. It ensures that the cryptographic security protecting critical data and operations is not just claimed by marketing teams but independently validated by experts.

When the stakes are high and compliance matters, FIPS 140-3 is the difference between "we think we're secure" and "we can prove we're secure."

Resources:

• Verify FIPS validations: Search the NIST CMVP database
• Learn more: Contact your SonicWall representative for FIPS-specific documentation and deployment guides
• Need help? SonicWall support and professional services can assist with FIPS mode configuration and compliance requirements

Throughput Requirements - Firewall vs threat protection

Concurrent Sessions - Max number of simultaneous connections

New Connections Per Second - Speed in establishing new sessions

Number of Users & Devices -Total internal clients, IoT devices, servers and guest devices

Network Architecture & Segmentation - Number of zones, VLANs, DMZs

Security Services Enabled - DPI, IPS, Anti-malware, application control, SSL/TLS Decryption

Redundancy & High Availability - Active/Passive or Active/Active

VPN & Remote Access Needs - Number Of concurrent remote VPN users

Understanding Throughput Metrics

Firewall Throughput - Routing/switching vs real-world security

Threat Prevention Throughput - Includes all major security services

IPS Throughput - Only IPS/IDS engine is active

TLS/SSL Inspection (DPI-SSL) - Most CPU and memory-intensive operation

IPSec VPN Throughput - Measures data transfer capability tor encrypted site-to-site or client VPNs

Sessions and Connections - Firewall Sizing Considerations

Concurrent Sessions

• Total number of active sessions at any given time
• Essential in high user/device density or heavy internal traffic environment
• Need to account for Internal and external connections (e.g.. LAN Internet. LAN LAN)

New Connections Per Second (CPS)

• Number of new sessions pet second
• Important for bursty environments like web servers. application gateways. or VoIP
• Low CPS capacity can create bottlenecks

Session Table Capacity

• Tracks every connection's state — once full. new connections are dropped or delayed
• Need to account for peak usage and expected growth

Session Persistence and Cleanup

• Long-lived sessions (e.g., VPNs, streaming) consume resources longer
• Proper timeout settings and idle session cleanup help optimize resource use

Impact of Security Services

• DPI, AV, SSL Inspection. etc. increase session processing load
• Must handle session state tracking and inspection concurrently

Check numbers multiple times a day to get an average number,
8am, 1 pm, and 3pm are good times to record the connections and connections per second, compare with SonicWall's datasheet.

User & Application Profiles - Impact on Firewall Sizing

Application Usage Impact

• Applications using real-time traffic (VoIP, video conferencing) are sensitive to latency and need low-lag inspection
• SaaS-heavy environments generate frequent SSL sessions, requiring DPI-SSL handling capacity
• Legacy apps using non-standard ports/protocols require flexible inspection and exception handling
• Firewalls must accommodate both session quantity and throughput demand per application type

Use Case- Small Business

Deployment Overview

• 30 users
• 1 Gbps bi-directional fibre internet
• Moderate web and VPN usage
• Full security services enabled (except DPI-SSL)

Key Assumptions

• "Basic firewall + antivirus" is a misnomer — all best-practice security services are considered enabled.
• Threat throughput should be used as the base for sizing unless DPI-SSL is implemented.
• VPN adds overhead, similar to attaching a trailer to a car — this impacts performance.
• SSL VPN is still in use (though ideally offloaded to CSE).

Current Option: TZ380

• Threat throughput: 1.5 Gbps
• May be insufficient once VPN overhead is considered.
• Limited headroom for future growth,

Recommended Upgrade: TZ480

• Threat throughput: 2 Gbps
• More powerful CPU for handling VPN load
• Headroom for growth and consistent performance under full inspection load

Use Case - Mid-Size Org

Deployment Overview

• 250 users
• SSL inspection, IPS, cloud applications in use
• Dual internet links:
  • 1 Gbps fibre (bi-directional)
  • 2 Gbps broadband (200 Mbps upload)

Traffic Calculation

• 1G up + 1G down + 2G down + 0.2G up = 4.2 Gbps Internet Traffic
• Additional intra-zone traffic assumed: 4.0 Gbps
• Total aggregate throughput requirement: —8.2 Gbps
• SSL inspection traffic: 4.2 Gbps

Sizing Recommendation

• Smallest model meeting requirements: NSA 3800
• For 5-year growth projection (I .6x load increase):
  • NSA 4800 (100% capacity)
  • NSA 5800 (75% capacity)
• Either model could support this use case depending on growth profile

Summary

• Right-sizing of firewalls is critical for:
  • Preventing performance bottlenecks and limitations on threat inspection capacity
  • Aligning threat protection throughput with security requirements
  • Maintaining cost efficiency.
• Key factors for sizing go beyond throughput requirements
• Understand the different throughputs and how they apply to sizing
• The impact of sessions and connections varies with different types of environments
• The type of users and application usage must be considered for sizing
• Plan for user/traffic growth and high availability

With NSM 3.5 SaaS, SonicWall integrates credential protection, data security and visibility directly into everyday firewall operations.

Security shouldn't be an afterthought added after deployment, it should be integrated into the platform from the start. The latest NSM 3.5 SaaS release from SonicWall further emphasizes Secure by Design (SbD) philosophy, incorporating protections directly into the management, configuration and monitoring of firewalls.

NSM 3.5 doesn't rely on manual procedures or reactive measures; it automatically minimizes risk by securing credentials, configurations and operational data at scale.

Protecting Against Publicly Known Passwords

Compromised credentials remain among the most common attack vectors. With Credential Auditor now powered by Network Security Manager (NSM), this protection is no longer limited to specific firewall generations.

Credential Auditor automatically detects firewall passwords and keys that match publicly known exposed credentials, such as those found in breached credential databases. By identifying weak or compromised secrets early, NSM enables teams to remediate risk before attackers can exploit it, reinforcing secure configurations across your entire firewall fleet.

This is our Secure by Design principles in action: proactive, automated and built directly into platform operations.

Protecting Configuration Data by Default

Firewall configuration backups are often overlooked as a security risk. NSM 3.5 addresses this head-on with password-protected export backup files and per-tenant encryption.

Each tenant’s configuration backups can now be protected with a password and a unique encryption key, significantly reducing the risk of unauthorized access or misuse. This ensures that sensitive configuration data remains secure at rest and aligns with modern expectations for data protection and isolation in multi-tenant environments.

Turning Logs into Actionable Security Intelligence

Visibility is only valuable when it’s usable. NSM 3.5 enhances analytics logs and system events with advanced search and filtering capabilities, making it easier to surface meaningful security insights when they matter most.

With support for multi-column queries, logical operators, saved searches and custom report queries, security teams can quickly identify anomalies, investigate incidents and support auditing and compliance efforts without needing to export data or rely on external tools.

Improved Visibility into Your Overall Security Posture

The Security Assessment Report, previously only available to SonicWall’s Managed Security Services (MSS) team, is now available to all partners and customers through NSM with an advanced reporting and analytics license.

This report provides a structured view of your environment, highlighting areas for improvement and helping organizations take a more proactive, informed approach to risk reduction.

NSM 3.5 SaaS also supports SonicOS 8.x. Keeping your firewalls up to date and compliant has never been easier.

Why NSM 3.5 Matters

With these updates, NSM 3.5 SaaS not only simplifies management across multiple firewalls and tenants but also strengthens your security posture. From proactive credential auditing to enhanced analytics and secure backup options, NSM continues to empower IT teams and partners to operate confidently in today’s threat landscape.

Explore what’s new in NSM.

For optimal results, SonicWall recommends upgrading to the latest firewall hardware to take full advantage of modern security, analytics and management capabilities.

SonicWall have released some new promotions (for moving to Gen 7 appliances).

1-YEAR REIGNITE PROMOTION:
Legacy SonicWall firewall customers can purchase a 1-year Advanced Protection Security Suite (APSS) subscription and receive a FREE Gen 7 firewall. This offer applies to legacy SonicWall firewalls that are inactive for 90 days or more and requires registration using the legacy SonicWall serial number. Not valid for competitive replacements.

2 & FREE PROMOTION:
Legacy SonicWall firewall customers can purchase a 2-year Advanced Protection Security Suite (APSS) subscription and receive a FREE Gen 7 firewall. This promotion is available for devices with either active or expired services and requires registration using the legacy SonicWall serial number. Not valid for competitive replacements.

3 & FREE PLUS FREE HIGH AVAILABILITY (HA) PROMOTION:
(Gen 7 TZ Only) Want the longest term? Includes two free next-generation firewalls (primary and high availability hardware) with the cost of a three-year APSS subscription. SonicWall Replacement and Competitive Takeout Eligible. Standard Secure Upgrade Matrix applies.

Available through a special pricing request, please contact us for more information.

This promotional offering may not be combined with any other sale, promotion, discount, rebate, coupon, or offering, nor may it be used in conjunction with stock rotations. Standard Deal Registration Eligible.

Datasheet: https://yoursonicwall.com/images/document/21925849...

Cyberattacks often begin with a single click. That’s why content filtering is more critical than ever in today’s digital landscape. But not all filtering technologies are the same and understanding the difference between DNS and URL filtering can help your organization build a smarter, layered security strategy for web access.

What is DNS Filtering?

DNS filtering works at the Domain Name System (DNS) level.
This is the same system that translates a website (like linkedin.com) into the IP address your device uses to connect.
When DNS filtering is enabled, requests for malicious, risky, or non-compliant domains are blocked before a full connection is established.

Benefits of DNS Filtering:

• Fast and lightweight – stops threats before a page even loads
• Great for remote/hybrid work – protection travels with users
• Broad protection – blocks entire domains known for hosting malware, phishing, or botnets.

Example:
If a user clicks a phishing link to malicious-phish.com, DNS filtering stops it from resolving so no connection or download is made (and no risk).

What is URL Filtering?

URL filtering goes deeper. It analyzes the full web address (URL), including the specific page, folder, or file path, after DNS resolution.

This allows organizations to enforce more granular web access policies and send the entire URL for more in-depth evaluation.

Benefits of URL Filtering:

• Granular control – Send specific pages for further risk-based evaluation (e.g., example.com/sports/basketball)
• Advanced Threat Protection – Stops users from accessing compromised subpages or dangerous downloads on otherwise “safe” domains

Example:
A site like example.com may be generally safe, but example.com/freeware.exe could contain malware. URL filtering catches this.

Version 7.3.1-7013 - This version of SonicOS 7.3.1 is a maintenance release for existing platforms and also resolves issues found in previous releases.

Release notes: 232-006386-00_RevB_SonicOS_7.3.1_ReleaseNotes.pdf

A new feature included in this release is Credential Auditor.

Credential Auditor is a built-in security feature that helps organizations reduce credential-based risks. It validates user passwords against industry-recognized lists of compromised credentials and provides actionable insights for administrators.

Key Capabilities

• Automated Credential Checks: Compares user passwords against known compromised credential databases.
• Risk Identification: Flags accounts with exposed or weak credentials for immediate attention.
• Administrative Actions: Enables administrators to enforce security measures, such as issuing warnings to affected users and requiring password changes.

Key Features:

• Provides proactive protection against leaked credentials, securing both local and externally authenticated accounts.
• Improves password hygiene across the network.
• Reduces the risk of credential-based attacks.
• Simplifies compliance with security best practices

More information: Understanding and Using Credential Auditor on SonicWall Firewalls

NSM (Network Security Manager) is now included with every Gen7/8 firewall with an active support subscription. Additional features are included in security/support bundles (like Advanced Protection Service Suite or Managed Protection Service Suite).

If you want to add or increase the storage time you can purchase SaaS 7, 30, 90 or 365 Days of Advanced Reporting and Analytics.

SaaS Reporting

Firewalls need active management. With MPSS, SonicWall experts handle the management of your Generation 7 or 8 firewall, ensuring you always have the best firewall configuration to defend against cyber threats.

SonicWall’s Managed Protection Security Suite (MPSS) brings the expertise of our SonicSentry team to manage and monitor your firewalls, becoming an extension of your team to help you maximise your resources and achieve better security. For MSPs, partnering with us for firewall management can help you grow your business without adding headcount, while also freeing your team to focus on more customer service-oriented tasks.

Managed Protection Security Suite Datasheet

As a prerequisite, a minimum level of configuration is required and a document is available to help. I would advise anyone to set their firewall to best practices and include these amendments.

MSS Managed Firewall Best Practice Configurations

Gen 7 pricing will be adjusted starting October 15, 2025, as we continue expanding our Gen 8 portfolio. While both Gen 7 and Gen 8 provide strong, modern capabilities, Gen 8 will be the platform for future innovations and extended lifecycle support.

Many of the new Gen 8 models are in stock (currently limited), but we're getting more in every week.

Added some discounted products - see home page promotions.

These mostly include some Essential renewal bundles, but also NSa 2700 offer.

Details here.

The SonicWall GEN8 TZ Series and GEN8 NSa Series firewalls introduce in-product migration capabilities that allow administrators to import configuration settings from supported legacy SonicWall firewalls. This greatly simplifies the upgrade process by eliminating the need for manual reconfiguration during hardware refresh or platform upgrade.

Settings Import Feature:

• Export/Import settings
• Devices must be entirely configured from scratch in a typical greenfield deployment (new setup). With GEN8 firewalls, you can import .exp configuration files from supported legacy devices, streamlining migration.
• The GEN8 TZ and NSa firewalls support in-product migration from select current and previous generation SonicWall firewalls.
• This feature is especially useful when upgrading from GEN6 or GEN7 models.

Key Benefits:

• Reduces time spent on manual configuration
• Maintains policy consistency across hardware generations
• Simplifies deployments and rollback planning

Pre-Requisites: The following devices are supported as source firewalls from which settings can be exported and imported to GEN8 TZs and NSa models: