SonicWall Advises Users to Reset Logins After Config Backup Leak
SonicWall has alerted its customers to reset all login credentials after a recent leak exposed firewall configuration backups.
The vendor emphasizes three critical stages—containment, remediation, and monitoring—to minimize risk and restore secure access.
Users should follow each stage in order, beginning with containment to block further exposure, proceeding to remediation to reset passwords and shared secrets, and concluding with monitoring to detect any unauthorized activity.
Disabling access to HTTP/HTTPS/SSH Management
The first step is to limit access from the public internet. Administrators should disable or restrict management services over the WAN interface before making any configuration changes.
Navigating to Network > System > Interfaces, they must edit each WAN interface and disable HTTP, HTTPS, and SSH management.

If management cannot be disabled entirely, a SonicWall knowledge base article describes how to limit management access to trusted IP addresses only.
Next, SSL VPN and IPsec VPN services should be turned off for the WAN zone via Network > SSL VPN > Server Settings and Network > IPsec VPN > Rules and Settings.
Turning these services off on the WAN prevents anyone holding the leaked credentials from using them to regain access after a password reset. Finally, inbound access to internal servers must be blocked.

Under Policy > Rules and Policies > Access Rules, administrators can identify rules allowing WAN traffic to internal hosts, disable those rules, or scope them to specific trusted sources.
Completing containment ensures that an exposed backup cannot be exploited while credentials are changed.
Once containment is in place, the focus shifts to resetting potentially exposed credentials.
Administrators should review every feature that was reachable over the internet and reset its password or shared secret.

For HTTPS and SSH management, a new administrator password should be configured under System > Administration. SSL VPN and IPsec VPN certificates and pre-shared keys require regeneration through the SSL VPN Server Settings and IPsec VPN Settings tabs.
Any dynamic DNS credentials or LDAP, RADIUS, and wireless authentication secrets must also be updated, as these are often stored on the firewall.
SonicWall’s Admin Guides and knowledge base articles offer step-by-step directions for each password type and encryption key.
For time-based one-time password (TOTP) bindings, users must unbind and rebind their authenticators to ensure new codes are in effect.
Administrators using Global Management System (GMS) should verify that restricted inbound HTTPS does not prevent necessary management connections and adjust policies as needed.
After resetting all credentials, continuous monitoring is essential. SonicWall recommends enabling real-time logging and reviewing system event logs for failed login attempts, configuration changes, or unusual VPN connections.
Alerts can be configured to notify administrators when user accounts fail authentication multiple times or when new services are enabled on the WAN.
Integrating firewall logs with a Security Information and Event Management (SIEM) platform provides deeper visibility into potential threat behavior. Monitoring should remain in place for at least 30 days or until confidence in network integrity is restored.
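As an added example, not from SonicWall or from this article, the following Python script applies the monitoring guidance above to a handful of constructed log lines: it flags repeated failed logins from one source and user within a short window, configuration changes, VPN sessions from outside the networks you expect, and any service newly enabled on the WAN. The key=value syslog layout, the field names, the message wording, the three-failures-in-five-minutes threshold and the list of expected VPN source networks are all assumptions for the example; adapt them to the fields your firewall actually emits before pointing it at real logs or a SIEM export.

```python
"""Review firewall event logs during the post-reset monitoring stage.

Added example, not SonicWall's own tooling. The log lines and their
key=value layout are constructed for this example; thresholds and the
expected VPN source networks are assumptions to adjust per environment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed syslog-style key=value layout).
SAMPLE_LOG = """\
time="2025-10-01 09:00:05" src=203.0.113.7 usr=admin msg="User login failed"
time="2025-10-01 09:00:09" src=203.0.113.7 usr=admin msg="User login failed"
time="2025-10-01 09:00:14" src=203.0.113.7 usr=admin msg="User login failed"
time="2025-10-01 09:02:00" src=198.51.100.4 usr=admin msg="Configuration changed"
time="2025-10-01 09:03:30" src=203.0.113.9 usr=vpnuser msg="SSL VPN session established"
time="2025-10-01 09:05:00" src=198.51.100.4 usr=admin msg="HTTPS management enabled on WAN"
time="2025-10-01 09:40:00" src=203.0.113.12 usr=svc msg="User login failed"
"""

# Matches key=value pairs; values may be quoted (and then contain spaces).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FAILED_LOGIN_THRESHOLD = 3                 # assumed: failures per (src, usr)
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_line(line):
    """Turn one key=value log line into a dict; the time field becomes a datetime."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def review_events(log_text, expected_vpn_networks=()):
    """Return alerts (dicts with kind/src/usr/time) for the events the article
    says to watch: repeated failed logins, configuration changes, unusual VPN
    sessions, and services being enabled on the WAN."""
    nets = [ipaddress.ip_network(n) for n in expected_vpn_networks]
    failures = defaultdict(list)  # (src, usr) -> timestamps of recent failures
    alerts = []

    def alert(kind, ev):
        alerts.append({"kind": kind, "src": ev.get("src"), "usr": ev.get("usr"),
                       "time": ev["time"].isoformat(sep=" ")})

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        msg = ev.get("msg", "").lower()
        key = (ev.get("src"), ev.get("usr"))

        if "login failed" in msg:
            # Keep only failures inside the sliding window, then check the count.
            recent = [t for t in failures[key] if ev["time"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(ev["time"])
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                alert("repeated_failed_login", ev)
                recent = []  # one alert per burst, not one per extra failure
            failures[key] = recent
        elif "configuration changed" in msg:
            alert("config_change", ev)
        elif "enabled on wan" in msg:
            alert("wan_service_enabled", ev)
        elif "vpn session established" in msg:
            src = ipaddress.ip_address(ev["src"])
            if not any(src in n for n in nets):
                alert("unusual_vpn_session", ev)
    return alerts


if __name__ == "__main__":
    # Assumed: only 198.51.100.0/24 is an expected VPN source range.
    for a in review_events(SAMPLE_LOG, expected_vpn_networks=["198.51.100.0/24"]):
        print(f'{a["time"]}  {a["kind"]:24}  src={a["src"]}  usr={a["usr"]}')
```

The single failed login from `203.0.113.12` at the end stays below the threshold and produces nothing, which is the point of the sliding window: it separates a burst of failures against one account from ordinary typos. In a real deployment the same rules are better expressed in the SIEM that receives the firewall's syslog feed, but the logic is the same.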
By following these containment, remediation, and monitoring steps in sequence, organizations can quickly secure their SonicWall firewalls after a configuration backup leak and reduce the chance of unauthorized network access.