This article discusses the possible conflicts between Datto appliances and SonicWALL Unified Threat Management firewalls. If you are using a SonicWALL device on the same LAN as a Datto appliance, you might have issues with local backups and/or Cloud Synchronization. You can mitigate the possible conflicts by following the advice in this article.
There are two known conflicts. See the sections below for more information on each issue:
- SonicWALL NSA and TZ devices
- SonicWALL CDP devices
SonicWALL NSA and TZ Devices
SonicWALL NSA and TZ appliances are stateful firewalls, and use threat management software known as Stateful Packet Inspection or Deep Packet Inspection. This software filters out certain network packets based on the identification of possible threatening activity. The problem is that this software can prevent the offsite replication of your backups. The Datto appliance must have full access to the internet to send backup snapshots to the Datto Cloud.
If you have a networking issue with a SonicWALL NSA or TZ device, you can try the following to mitigate the problem:
- Ensure that NetBIOS traffic (UDP 137-139) is allowed to pass both inbound and outbound through the SonicWALL.
- Disable the security settings that are created by SonicWALL within the Unified Threat Management software platform provided for the device.
- Set a custom demilitarized zone (DMZ) for just the Datto device with all security disabled on the SonicWALL. Allow for an open connection should the device fail to have outbound access.
- The Stateful Packet Inspection is hanging onto the Datto device's outbound connections.
- If the previous solutions have failed, you might have to disable SPI or DPI on your device. See this article from Dell's Knowledge Base: UMT: How to disabled DPI and Enabled SPI engine in SonicWALL OS Enhanced (SW11566).
SonicWALL CDP Devices
SonicWALL CDP devices use Microsoft's Volume Shadow Copy Service (VSS) to perform backups of connected machines. Because Datto's backup agent, ShadowSnap, also uses VSS, the two will conflict. To avoid this conflict, you must choose which backup agent you will use: ShadowSnap or SonicWALL.
Here is more information from SonicWALL's Knowledge Base:
SonicWALL implemented the use of Microsoft’s Volume Shadow Copy Service (VSS) for backing up all file sets.
- In past releases, it could take significant time for larger files to back up to SonicWALL CDP appliances.
- With the implementation of VSS in SonicWALL CDP 6.0, file sets can be backed up at more frequent intervals.
- This provides more reliability and stability.
- Files are sent to an alternate VSS-eligible queue.
- The entire queue is all taken at once because of the VSS snapshot.
- SonicWALL CDP acts as a VSS Requestor at the time of the snapshot.
- Microsoft VSS informs the VSS writers to commit changes and shut down for a VSS snapshot.
- Once the snapshot is complete, SonicWALL CDP begins serially uploading the file backups to the appliance.
- VSS has no visibility to the end user. It is a transparent task from a user’s point of view.
- VSS only applies to files on Microsoft operating systems equipped with VSS.
- VSS is supported for backups of files, folders, server applications, and client applications such as Outlook and Outlook Express.
- The Volume Shadow Copy service must be enabled in order for SonicWALL CDP to take advantage of this functionality.
- VSS snapshots are of type FULL.
- VSS for CDP is only supported for Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003.
- The file system type of the shadow copy storage area and the volume to be shadow copied must be NTFS.
- VSS is not available on Linux or Mac operating systems.
- If VSS is not running, is disabled, or is not supported on the operating system, then the regular File Watcher queue is used.
- If a VSS snapshot is attempted and fails, SonicWALL CDP will fall back to the regular File Watcher queue.