This is a report on the out-of-box experience that I’m having with a new firewall, the SonicWALL TZ 470W. I’ve been using SonicWALL firewalls for more than 20 years, and have generally had good luck with them, but when the licensing ran out on my NSA 3600 I switched to Sophos, keeping the 3600 as a backup. SonicWALL’s licensing program was more expensive for the same fairly complete set of services that I got from Sophos, and I decided to give them a try. I’ve been using the Sophos box for a couple of years now, and find it kind of like Apple computers; if what you want to do is what they expect you to do, it’s easier to use, but it is more opaque, and if you need to dig down, it’s harder than the SonicWALL interface.
I have to configure a firewall for a new residence, and I thought that I’d give SonicWALL another try. I ordered a TZ 470W from Dell, since it looks like it can keep up with the 1.2 Gb/s Comcast Internet service at the new site. It arrived a couple of days ago, and I started to set it up yesterday.
The new place isn’t fully furnished yet, so I decided to do the setup at home. I plugged the WAN RJ-45 connector on the TZ 470W (from now on I’ll just call it the 470) into a switch that connected to the LAN side of the Sophos. I have a Microsoft Windows Domain Controller DHCP server running on that network, and the 470 is configured by default to be a DHCP client on that interface. The 470 has a DHCP server on the LAN side, so I set a PC Ethernet port to be a DHCP client and plugged it straight into the LAN port of the 470 (isn’t it great that we don’t have to worry about crossover cables anymore?).
I plugged in the 470 and waited for it to boot. I verified that it had given the PC an IP address, and I pointed my browser to 192.168.168.168, which is the default LAN-side administration IP address for the 470. I was greeted with a flashy new login screen. I logged in with the default credentials, which are admin and password.
The first thing I tried to do was register the device. I was presented with this alarming screen:
Not very informative, is it?
I checked to make sure the 470 could communicate with the outside world through the Sophos firewall:
That looks good.
I made an exception for SonicWALL on the Sophos:
That didn’t change anything.
I decided to try and register the 470 at the SonicWALL website, but ran into a problem:
I can’t select a trade-in unit because I’m not trading anything in. This is a new firewall, not a replacement.
I decided that, just maybe, the Sophos firewall was blocking something. I took the SonicWALL NSA 3600 out of service, and configured the 470 to have the same WAN and LAN IP configurations. Then I installed the 470 in the switch room in place of the NSA 3600. I couldn’t log into the LAN-side admin interface. I couldn’t even establish an IP connection. Trying to eliminate things, I ran an Ethernet cable directly to the LAN-side 470 port from the PC I was using for configuration. No joy.
I must have screwed something up when I configured the LAN-side IP stuff. No biggie. I’ll just reset the 470 to factory configuration and start over, right?
Wrong. It turned out to be a biggie.
Enlisting the aid of someone else (this is much easier done as a two-person job) I held down the reset button with a paper clip while someone else plugged in the mains power. I waited for the amber wrench light to flash, then let go. The 470 booted. I plugged into the LAN side. No DHCP. I figured the DHCP server wasn’t running, and configured the IP properties of the PC to access what I hoped was the same 192.168.168.xxx admin subnet for the 470.
This was my first clue that I had actually not reset the 470 to the initial configuration. I did some research, and I had put it into something called Safe Mode, for which I could find only the most cursory explanation.
Undaunted — no, that’s a lie; I was pretty thoroughly daunted at this point — I pointed my browser at the 192.168.168.168 admin IP address on the 470. There was some good news: I got a login screen. There was bad news: this was the screen:
What the heck is a maintenance key? I tried password. That didn’t work. I did a web search and couldn’t find anything useful.
I called SonicWALL support. I got a woman with an Indian accent so strong I could understand every third word. Eventually I explained my problem to her. She said she would give me the maintenance key but she couldn’t do that until I registered the 470. I told her about my difficulties with the web registration. She acted like she thought that was user error, and asked if she could take control of my PC. I set that up, and watched her run into the same problem that I had. She put me on hold several times to do research, and the times were growing longer. Finally, out of time on my end, I asked her to give me the case number so that I could pursue it in the morning. She said that she couldn’t assign a case number until I registered the 470.
I grumbled a bit and rang off.
Usually in troubleshooting, it is wise to assume that only one thing is wrong, and try to find one thing that explains all the symptoms. This is especially true if the system once worked. This system has not ever worked, but my current thinking is that the same glitch that is keeping me from registering the product on the SonicWALL website is keeping me from having it register itself. If that’s the case, all my trouble to get the 470 WAN port on the WAN side of the Sophos firewall was probably unnecessary.