August 11th, 2017 by StorageReview Enterprise Lab
In the Lab: SonicWall NSA 3600 Firewall Upgrade
We are in the process of upgrading our networking fabric; a major part of that is moving to the NSA 3600, a member of the SonicWall Network Security Appliance (NSA) Midrange Firewall Series. Ideal for small to medium-sized corporate environments, this firewall series is highlighted by its advanced automated threat-prevention technologies. Previously, we used SonicWall's TZ500W, an easy-to-deploy, all-in-one SMB desktop firewall solution that is great for smaller-scale networks. As an entry-enterprise rack platform, the NSA 3600 is a significant upgrade in our labs, offering 10G support with SFP+ ports and support for jumbo frames.
The NSA 3600 is powered by SonicOS, a comprehensive operating system that is simple to configure and easy to use. SonicOS helps to streamline management and offers admins substantial network control and versatility through features such as application intelligence and control, real-time visualization, and an intrusion prevention system.
With its comprehensive control options, real-time visualization and WLAN management, we will be able to easily monitor activity across our entire network. Moreover, the NSA 3600 comes with SonicWall's Reassembly-Free Deep Packet Inspection technology, which scans traffic for all threats (both known and unknown) and eliminates them before they are able to infect a network. The Capture Advanced Threat Protection service also gives enterprises cloud-based, multi-engine sandboxing that blocks unknown and zero-day gateway attacks. This technology works by scanning all traffic in a wide range of file sizes and types, then extracting any suspicious code for further analysis. SYN flood protection defends against DoS attacks through Layer 3 SYN proxy and Layer 2 SYN blacklisting technologies, while UDP/ICMP flood protection and connection rate limiting defend against DoS/DDoS attacks. This NSA Midrange Series firewall also provides a threat API, stateful packet inspection, WAN load balancing, biometric authentication and more. With all of these defense measures, the NSA 3600 is capable of delivering 3.4 Gbps, 1.1 Gbps, and 600 Mbps in firewall, IPS, and anti-malware throughput, respectively.
SonicWall NSA 3600 Specifications
- Operating system: SonicOS 6.2.9
- Security processing cores: 6
- Interfaces: 2 x 10-GbE SFP+, 4 x 1-GbE SFP, 12 x 1 GbE, 1 GbE Management, 1 Console
- Memory (RAM): 2.0 GB
- Expansion: 1 Expansion Slot (Rear), SD Card
- Management: CLI, SSH, GUI, GMS
- SSO users: 40,000
- Maximum SonicPoints supported: 48
- Logging: Analyzer, Local Log, Syslog
- Firewall/VPN Performance:
  - Firewall inspection throughput: 3.4 Gbps
  - Full DPI throughput: 500 Mbps
  - Application inspection throughput: 1.1 Gbps
  - IPS throughput: 1.1 Gbps
  - Anti-malware inspection throughput: 600 Mbps
  - IMIX throughput: 900 Mbps
  - SSL Inspection and Decryption (DPI SSL): 300 Mbps
  - VPN throughput: 1.5 Gbps
  - Connections per second: 20,000/sec
  - Maximum connections (SPI): 750,000
  - Maximum connections (DPI): 375,000
  - Default/Maximum connections (DPI SSL): 2,000/2,750
- Site-to-site tunnels: 1,000
- IPSec VPN clients (max): 50 (1,000)
- SSL VPN NetExtender Clients (max): 2 (350)
- Encryption/Authentication: DES, 3DES, AES (128, 192, 256-bit)/MD5, SHA-1, Suite B Cryptography
- Key exchange: Diffie Hellman Groups 1, 2, 5, 14v
- Route-based VPN: RIP, OSPF
- IP address assignment: Static (DHCP PPPoE, L2TP and PPTP client), Internal DHCP server, DHCP Relay
- NAT modes: 1:1, many:1, 1:many, flexible NAT (overlapping IPs), PAT, transparent mode
- VLAN interfaces: 256
- Routing protocols: BGP, OSPF, RIPv1/v2, static routes, policy-based routing, multicast
- QoS: Bandwidth priority, max bandwidth, guaranteed bandwidth, DSCP marking, 802.1p
- Authentication: XAUTH/RADIUS, Active Directory, SSO, LDAP, Novell, internal user database, Terminal Services, Citrix, Common Access Card (CAC)
- VoIP: Full H323-v1-5, SIP
- Standards: TCP/IP, ICMP, HTTP, HTTPS, IPSec, ISAKMP/IKE, SNMP, DHCP, PPPoE, L2TP, PPTP, RADIUS, IEEE 802.3
- Certifications: ICSA Firewall, ICSA Anti-Virus, FIPS 140-2, Common Criteria NDPP (Firewall and IPS), UC APL
- High availability:
  - Active/Passive with State Sync
  - Active/Active Clustering
- Power supply: Single, Fixed 250W
- Input power: 100-240 VAC, 60-50 Hz
- Maximum power consumption (W): 74.3
- MTBF @25ºC in hours: 146,789
- MTBF @25ºC in years: 16.76
- Form factor: 1U Rack Mountable
- Dimension: 1.75 x 19.1 x 17 in (4.5 x 48.5 x 43 cm)
- Weight: 13.56 lb (6.15 Kg)
- WEEE weight: 14.24 lb (6.46 Kg)
- Shipping weight: 20.79 lb (9.43 Kg)
- Major regulatory: FCC Class A, CE (EMC, LVD, RoHS), C-Tick, VCCI Class A, MSIP/KCC Class A, UL, cUL, TUV/GS, CB, Mexico CoC by UL, WEEE, REACH, ANATEL, BSMI, CU
- Environment: 32-105 F, 0-40 deg C
- Humidity: 10-90% non-condensing
Design and Build
The SonicWall NSA 3600 comes in a 1U rack form factor and has the same connectivity layout as the 4600 and 5600 models. On the left side of the front panel are the console port (which gives access to the SonicOS CLI when connected via the enclosed serial CLI cable), an SDHC port, two USB ports, and a SafeMode button (press until blinking to access). There are also four LED status indicators: the Power LED, where blue means the power supply is operating normally and yellow means the power supply has been disconnected; the Test LED, which displays the Initializing, Test, and SafeMode statuses; the red Alarm LED; and the M0 LED, which shows expansion module 0 activity.
Next to the status indicators are the Management Port (1 GE), two X16-X17 (10 GE SFP+) hot-swappable ports, four X12-X15 (1 GE SFP) ports for high-speed fiber or copper Ethernet communication, and twelve X0-X11 (1 GE) high-speed copper Gigabit Ethernet ports.
The back panel is home to the expansion bay, which supports “SonicWall-approved” expansion modules, as well as dual auto-throttling fans and the power supply port/switch.
SonicWall makes the process of upgrading firewalls very simple. In our case, to move from the TZ500W to the NSA 3600, we were able to take the saved configuration file from one and import it into the other, with no additional conversion necessary. This was quite important for us: while deploying the firewall is simple, manually adding in all of our existing firewall rules would otherwise be a time-consuming process. Once the NSA 3600 was upgraded to the same firmware version as the TZ500W (or newer), we had our networking environment swapped over to the NSA 3600 within a few minutes of the file import.
During the upgrade process we kept the same interface connections, connecting to the firewall over 1GbE. The main reason for the upgrade, though, is the SFP+ 10GbE ports the NSA 3600 offers, allowing us to uplink the firewall directly into our new 48-port 10G Dell S4048 or 32-port 100G Dell Z9100 switches as they come online. This upgrade is a large undertaking as we migrate off our 40GbE fabric over to 100G for next-gen storage and compute hardware. The NSA 3600 deployment was an easy first step in this process as we work to modernize our network.