SonicWall is one of those vendors people have strong opinions about. I find the NSA line boringly reliable for small perimeters, which is the quality I want in a perimeter firewall.
WAN rules that don't accumulate cruft
Every perimeter I inherit has 40 rules, 10 of which do something and 30 of which were added "temporarily" in 2019. I rebuild them in order of specificity, with comments that include a ticket number and an expiry date. At each quarterly review, any rule past its expiry date is re-evaluated for continued need.
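As an added example (not SonicWall's code or the author's), here is a small audit script for the convention just described: every rule comment carries a ticket id and an `exp:YYYY-MM-DD` date, rules are ordered most-specific first, and anything past its expiry is flagged for the quarterly review. The rule records, their field names and the exact comment syntax are assumptions; a real export from the appliance would need to be normalized into this shape first.

```python
"""Audit a WAN ruleset for untagged and expired rules, and order it by specificity.

Added example. The rule dicts below are constructed, and the comment convention
"<TICKET-123> exp:YYYY-MM-DD <free text>" is an assumed encoding of the post's
"ticket number plus expiry date" practice.
"""
import ipaddress
import re
from datetime import date

# Assumed comment convention: a ticket id followed by an explicit expiry date.
COMMENT_RE = re.compile(r"(?P<ticket>[A-Z]+-\d+)\s+exp:(?P<exp>\d{4}-\d{2}-\d{2})")

# Constructed sample ruleset (addresses are documentation ranges, not real hosts).
SAMPLE_RULES = [
    {"name": "Allow-SMTP-to-MX", "action": "allow", "src": "any",
     "dst": "203.0.113.25/32", "service": "SMTP",
     "comment": "NET-101 exp:2099-12-31 mail relay"},
    {"name": "Temp-RDP-vendor", "action": "allow", "src": "198.51.100.7/32",
     "dst": "10.0.5.20/32", "service": "RDP",
     "comment": "NET-233 exp:2019-11-30 temporary for vendor migration"},
    {"name": "Allow-HTTPS-web", "action": "allow", "src": "any",
     "dst": "203.0.113.80/32", "service": "HTTPS",
     "comment": "no ticket recorded"},
    {"name": "Deny-all", "action": "deny", "src": "any", "dst": "any",
     "service": "any", "comment": "NET-001 exp:2099-12-31 default deny"},
]


def parse_comment(comment):
    """Return {'ticket', 'expires'} from a rule comment, or None if untagged."""
    m = COMMENT_RE.search(comment or "")
    if not m:
        return None
    return {"ticket": m.group("ticket"), "expires": date.fromisoformat(m.group("exp"))}


def audit_rules(rules, today):
    """Find rules with no ticket/expiry tag and rules whose expiry has passed."""
    untagged, expired = [], []
    for rule in rules:
        meta = parse_comment(rule.get("comment"))
        if meta is None:
            untagged.append(rule["name"])
        elif meta["expires"] < today:
            expired.append((rule["name"], meta["ticket"], meta["expires"].isoformat()))
    return {"untagged": untagged, "expired": expired}


def _prefixlen(cidr):
    # "any" contributes nothing; a /32 host is the most specific IPv4 match.
    if cidr == "any":
        return 0
    return ipaddress.ip_network(cidr, strict=False).prefixlen


def specificity(rule):
    """Higher score = narrower rule: longer src/dst prefixes and a concrete service."""
    service_bonus = 0 if rule["service"] == "any" else 1
    return _prefixlen(rule["src"]) + _prefixlen(rule["dst"]) + service_bonus


def order_by_specificity(rules):
    """Most specific first; the catch-all deny naturally lands last."""
    return sorted(rules, key=specificity, reverse=True)


if __name__ == "__main__":
    report = audit_rules(SAMPLE_RULES, date.today())
    print("untagged:", report["untagged"])
    print("expired:", report["expired"])
    print("order:", [r["name"] for r in order_by_specificity(SAMPLE_RULES)])
```

Run it against a normalized export before each quarterly review; the `untagged` list is the backlog of rules that still need a ticket and a date, and the `expired` list is what actually gets discussed.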
DPI-SSL: yes, but carefully
Deep packet inspection on TLS traffic is powerful and controversial. My defaults:
- Turned on, with a robust exclusion list (banking, health, HR, pinned-cert apps).
- Root CA distributed via Intune, not manually — you'll have 300 help tickets otherwise.
- Performance headroom at 2x the steady-state throughput. DPI-SSL eats CPU.
SMA for contractors
The Secure Mobile Access appliance is a clean way to give contractors browser-based access to specific resources without handing them a VPN client or an AD account. Per-resource policies, time-boxed accounts, and session recording for compliance-sensitive portals.
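To make the policy model concrete, here is an added example (not SMA's own policy engine or API) of the three controls the paragraph names: a per-resource allow-list, a time-boxed account validity window, and a per-resource flag saying whether the session must be recorded. The account and resource records are constructed and their schema is an assumption; the point is the deny-by-default evaluation order.

```python
"""Deny-by-default access evaluation for time-boxed contractor accounts.

Added example with a constructed, assumed schema. Each decision returns the
reason so that denials can be logged and reviewed alongside the allows.
"""
from datetime import datetime, timezone

# Constructed contractor accounts: validity window plus the resources granted.
ACCOUNTS = {
    "vendor-alice": {
        "valid_from": datetime(2024, 3, 1, tzinfo=timezone.utc),
        "valid_to": datetime(2024, 3, 31, 23, 59, 59, tzinfo=timezone.utc),
        "resources": {"hr-portal", "ticketing"},
    },
}

# Constructed per-resource policy: allowed hours (UTC) and whether to record.
RESOURCES = {
    "hr-portal": {"hours_utc": (8, 18), "record_session": True},
    "ticketing": {"hours_utc": (0, 24), "record_session": False},
}


def authorize(user, resource, now):
    """Return ('allow', {'record_session': bool}) or ('deny', reason)."""
    account = ACCOUNTS.get(user)
    if account is None:
        return ("deny", "unknown account")
    if not (account["valid_from"] <= now <= account["valid_to"]):
        return ("deny", "account outside its validity window")
    policy = RESOURCES.get(resource)
    if policy is None:
        return ("deny", "unknown resource")
    if resource not in account["resources"]:
        return ("deny", "resource not granted to this account")
    start_hour, end_hour = policy["hours_utc"]
    if not (start_hour <= now.hour < end_hour):
        return ("deny", "outside permitted hours for resource")
    return ("allow", {"record_session": policy["record_session"]})


if __name__ == "__main__":
    when = datetime(2024, 3, 15, 10, 0, tzinfo=timezone.utc)
    print(authorize("vendor-alice", "hr-portal", when))
    print(authorize("vendor-alice", "hr-portal", datetime(2024, 4, 2, 10, 0, tzinfo=timezone.utc)))
```

The order of checks matters: account validity is tested before anything resource-specific, so an expired contractor gets the same answer for every resource and the expiry is the single thing to revoke.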
Logging destination
Send SonicWall syslog to Graylog, not to SonicWall's cloud. You want the logs in the same place as everything else — the firewall isn't special, it's just another source.
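Treating the firewall as "just another source" means its lines get normalized like everyone else's. The added example below (not SonicWall's or Graylog's code) parses a line in SonicWall's `key=value` syslog style, splits the `src`/`dst` endpoints into ip/port/interface, and builds a GELF 1.1 message of the kind a Graylog GELF input accepts. The sample line is constructed; the field meanings (`pri` used as the syslog-style level, endpoints assumed to be IPv4) are assumptions.

```python
"""Normalize a SonicWall-style key=value syslog line into a GELF 1.1 message.

Added example. SAMPLE_LINE is constructed in the key=value style the appliance
emits; serial, addresses and counters are made up.
"""
import json
import re
from datetime import datetime, timezone

# key=value pairs, where a value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample (documentation addresses, fake serial number).
SAMPLE_LINE = (
    'id=firewall sn=0000000000AA time="2024-05-01 10:15:22 UTC" fw=203.0.113.1 '
    'pri=6 c=1024 m=98 msg="Connection Opened" n=12345 '
    'src=10.0.0.5:51234:X0 dst=198.51.100.53:53:X1 proto=udp/dns'
)


def parse_kv(line):
    """Return the key=value pairs of one line as a dict of strings."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def split_endpoint(value):
    """'ip:port:iface[:hostname]' -> parts; assumes IPv4 (no ':' inside the ip)."""
    parts = value.split(":")
    out = {"ip": parts[0]}
    if len(parts) > 1 and parts[1].isdigit():
        out["port"] = int(parts[1])
    if len(parts) > 2 and parts[2]:
        out["iface"] = parts[2]
    if len(parts) > 3 and parts[3]:
        out["host"] = parts[3]
    return out


def to_gelf(fields):
    """Build a GELF 1.1 dict; every extra field is prefixed with '_'."""
    ts = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    gelf = {
        "version": "1.1",
        "host": fields.get("fw", "unknown"),
        "short_message": fields.get("msg", ""),
        "timestamp": ts.timestamp(),
        "level": int(fields.get("pri", 6)),  # assumption: pri follows syslog levels
    }
    for key, value in fields.items():
        if key in ("time", "msg", "fw"):
            continue  # already mapped onto the standard GELF fields
        if key in ("src", "dst"):
            for sub, sub_value in split_endpoint(value).items():
                gelf[f"_{key}_{sub}"] = sub_value
        elif key == "id":
            gelf["_sw_id"] = value  # GELF reserves "_id"; rename rather than drop
        else:
            gelf[f"_{key}"] = value
    return gelf


if __name__ == "__main__":
    print(json.dumps(to_gelf(parse_kv(SAMPLE_LINE)), indent=2))
```

The `_id` rename is the kind of detail that silently breaks ingestion: GELF forbids that additional-field name, and the SonicWall line starts with `id=`. Run the output through the same pipeline checks you apply to any other source before trusting the dashboards built on it.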