
Throughout my journey working with SonicWALL firewalls, I’ve collected some helpful CLI scripts that have made my day-to-day tasks easier. I’d like to share three scripts that I’ve found particularly useful for content filter whitelisting, access rule creation, and site-to-site VPN setup in SonicOS 7.
Content Filter Whitelisting
Here’s a script I use when I need to whitelist specific domains in the content filtering policy. I’ve used placeholder names (yourdomain.com and so on) where your own domain information would go.
configure
content-filter
uri-list-object Your_Allow_List
uri yourdomain.com
uri yourotherdomain.com
end
commit best
exit
Access Rule Creation
While the SonicWALL GUI is quite user-friendly, the command line can save time when you are creating multiple access rules. Here’s a script I use frequently; I’ve added notes on what some of these lines do, as there are several steps involved in creating a functional access rule.
configure
service-object "TCP 50000" --Create a Service Object
address-object ipv4 "Your-Object-Name" --Creates Address Object
host XXX.XXX.XXX.XXX
zone WAN
end
address-group ipv4 "Your-Group" --Creates Address Group
address-object ipv4 "Your-Object-Name" --This adds the Object to your Group
access-rule ipv4 from "Zone" to "Zone" action allow source address "Your-Address" service name "Service-Object" destination address "Your-Destination"
end
commit best
exit
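As an added example (not from the post), here is a small Python generator that emits the access rule script above for a list of hosts, quotes every object name, rejects invalid IPv4 addresses, and flags any line with unbalanced quotes, which is the kind of typo that silently breaks a pasted script. The name pattern and the input shape are my assumptions, and the command forms are copied from the post rather than from SonicWALL documentation, so verify them against your firmware.

```python
"""Generate the SonicOS 7 access-rule CLI script from structured input."""
import ipaddress
import re

# Conservative allow-list for object names (assumption, not a SonicOS rule):
# anything outside it, such as quotes or backslashes, could break the quoted
# CLI arguments, so it is refused rather than escaped.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")


def quote(name):
    """Wrap a name in double quotes, or raise if it cannot be quoted safely."""
    if not NAME_RE.match(name):
        raise ValueError(f"unsafe object name: {name!r}")
    return f'"{name}"'


def access_rule_script(hosts, group, rule):
    """Emit CLI lines for the address objects, the group and one allow rule.

    hosts: list of (object_name, ipv4_address, zone)
    group: address group that collects the objects and is used as the source
    rule:  dict with from_zone, to_zone, service, destination
    """
    lines = ["configure", f"service-object {quote(rule['service'])}"]
    for name, ip, zone in hosts:
        addr = ipaddress.IPv4Address(ip)  # raises on anything not a valid IPv4
        if not zone.isalnum():            # zone is emitted unquoted, as in the post
            raise ValueError(f"unsafe zone name: {zone!r}")
        lines += [f"address-object ipv4 {quote(name)}", f"host {addr}",
                  f"zone {zone}", "end"]
    lines.append(f"address-group ipv4 {quote(group)}")
    lines += [f"address-object ipv4 {quote(name)}" for name, _, _ in hosts]
    lines.append(
        f"access-rule ipv4 from {quote(rule['from_zone'])} to {quote(rule['to_zone'])} "
        f"action allow source address {quote(group)} service name "
        f"{quote(rule['service'])} destination address {quote(rule['destination'])}"
    )
    lines += ["end", "commit best", "exit"]
    return "\n".join(lines) + "\n"


def check_script(script):
    """Return 1-based numbers of lines whose double quotes are unbalanced."""
    return [i for i, line in enumerate(script.splitlines(), 1) if line.count('"') % 2]


if __name__ == "__main__":
    # Constructed sample input, not a real deployment.
    demo = [("Web-01", "203.0.113.10", "WAN"), ("Web-02", "203.0.113.11", "WAN")]
    out = access_rule_script(demo, "Web-Group", {"from_zone": "WAN", "to_zone": "LAN",
                             "service": "TCP 50000", "destination": "LAN Subnets"})
    print(out, "unbalanced lines:", check_script(out))
```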
Site-to-Site VPN Setup
Setting up a site-to-site VPN can be tricky. Here’s a script that I’ve used as a starting point for basic VPN configurations:
configure
vpn policy site-to-site "Policy-Name"
auth-method shared-secret
shared-secret "SecretPassword"
ike-id local firewall-id "Firewall-MAC"
ike-id peer firewall-id "Firewall-MAC"
exit
management snmp
management https
management ssh
gateway primary "XXX.XXX.XXX.XXX"
proposal ike authentication sha-256
proposal ike dh-group 21
proposal ike encryption aes-256
proposal ipsec protocol esp
proposal ipsec protocol authentication sha-256
proposal ipsec protocol encryption aes-256
proposal ike exchange ikev2
no keep-alive
network local group "Your-Network"
network remote destination-network group "Remote-Network"
end
commit best
exit
Lessons Learned and Tips
Through trial and error, I’ve learned a few things that might be helpful:
- Always create a new backup and export a Tech Support Report before making changes
- Start in a test environment if possible
- Keep notes about what changes you make, as there will be many
- Use clear naming conventions
- Test on one or two firewalls first before pushing to all of them
- Spot check your work to ensure accuracy
Final Thoughts
These scripts have helped me streamline some common tasks, though they’re just starting points that you’ll need to adapt for your specific needs. I’m constantly learning new ways to improve them and would love to hear how others have modified these for their environments.
Remember to always verify commands and configurations against your specific SonicWALL model and firmware version, as syntax can vary between SonicOS 6.5 and SonicOS 7.
If you spot any ways to improve these scripts, I’d be grateful for your feedback!