SonicWall — 7 prefixes (MA-L)

SonicWall holds seven MA-L (24-bit) OUI blocks in the IEEE registry, registered to the network-security vendor across a string of name spellings (SonicWall, Sonicwall, SonicWALL) and a trail of office addresses that track the company's moves over time — Sunnyvale (94089 and 95126), San Jose (95124), and the current Milpitas, California address at 1033 McCarthy Blvd. The current official brand spelling is SonicWall. These prefixes map to physical and virtual network-security appliances: next-generation firewalls (the TZ, NSa, NSsp, SuperMassive, and SOHO series), unified threat management gateways, SSL VPN / secure remote access appliances, wireless access points, switches, and NSv virtual firewall instances. A field-identification detail worth knowing: SonicWall derives a device's MAC address from its serial number — the LAN interface (X0) MAC equals the serial number formatted with colons every two hex digits (serial 0017C5E1T74Y → MAC 00:17:C5:E1:T7:4Y), and other interface MACs increment the last octet. That means the OUI prefix can be read straight off a unit's serial-number label. Because these appliances sit on the network perimeter and frequently terminate SSL VPN sessions, a SonicWall OUI on a scan flags a security/edge device — a class of hardware repeatedly targeted by ransomware and nation-state actors (CVE-2024-40766 exploited by Akira, CVE-2024-53704 and others on CISA's KEV list), so detecting one is a cue to check firmware currency rather than a finding to wave past.

IEEE assignment

7 prefixes → SonicWall, registered across CA, US offices (current: 1033 McCarthy Blvd, Milpitas, CA 95035) [Confirmed] — IEEE MA-L (enrichment/registries/oui.csv)

Registry / block size

MA-L (24-bit OUI) on all 7 assignments; ~117.4M addresses combined [Confirmed] — enrichment/registries/oui.csv. NOTE: IEEE publishes NO assignment/registration date for OUI/MAC prefixes (oui.csv columns are only Registry, Assignment, Organization Name, Organization Address). Any "date registered" on third-party tools (e.g. maclookup.app, netify.ai shows earliest 2001-06-04, most recent FC:39:5A 2025-05-30) is a database artifact, NOT an IEEE fact. No RIR/IANA allocation applies (MAC/OUI entry, not an ASN).

HQ / country

Milpitas, CA, US (current registry + corporate address); legacy registry addresses span Sunnyvale and San Jose, CA [Confirmed] — enrichment/registries/oui.csv, en.wikipedia.org/wiki/SonicWall

Company status

active [Confirmed] — sonicwall.com

Device types

next-generation firewalls (NGFW), UTM appliances, SSL VPN / secure remote access appliances, wireless access points, network switches, NSv virtual firewalls [Confirmed] — sonicwall.com/products/firewalls, netify.ai

Notable products

TZ Series (SMB/SOHO), NSa Series (mid-range), NSsp Series (high-end), SuperMassive Series (data-center), SOHO Series [Confirmed] — sonicwall.com/products/firewalls

Verified prefixes (all MA-L)

00:06:B1, 00:17:C5, 18:B1:69, 18:C2:41, 2C:B8:ED, C0:EA:E4, FC:39:5A [Confirmed] — enrichment/registries/oui.csv. No MA-M (mam.csv) or MA-S (oui36.csv) assignments found.

Company background

founded August 1991 as Sonic Systems by Sreekanth and Sudhakar Ravi (originally Ethernet cards/hubs for Apple hardware); pivoted to network security late 1990s with the SonicWALL firewall; Nasdaq IPO November 1999; acquired by Dell (2012); divested to Francisco Partners and Elliott Management (May/June 2016); Bob VanKirk President & CEO (since July 2022) [Confirmed] — en.wikipedia.org/wiki/SonicWall

MAC ↔ serial relationship

SonicWall derives the appliance MAC from its serial number — X0 (LAN) MAC = serial formatted with colons every two hex digits (e.g. 0017C5E1T74Y → 00:17:C5:E1:T7:4Y); other interfaces increment the last octet; OUI prefix is readable from the serial-number label [Confirmed] — sonicwall.com KB (finding-the-ethernet-hardware-mac-addresses, ethernet-hardware-mac-address-defined)

Security context

perimeter/SSL-VPN appliances; repeatedly targeted. CVE-2024-40766 (SonicOS improper access control, Gen 6/7) exploited by Akira ransomware, CISA KEV; CVE-2024-53704 (SSL VPN auth bypass) CISA KEV; CVE-2025-23006 (SMA 1000 critical RCE) targeted Jan 2025; CVE-2025-40601 (SonicOS Gen 7/8 stack overflow, unauth DoS); CVE-2026-0204 (CVSS 8.0 access-control bypass, SonicOS mgmt interface, Gen 6/7/8, requires L2 adjacency, found by CrowdStrike). Sept 2025: attacker access to firewall config backups in MySonicWall accounts. [Confirmed] — cisa.gov KEV, bleepingcomputer.com, cybersecuritydive.com, sonicwall.com/support notices

Analyst note

A SonicWall OUI on a globally-administered address identifies a genuine SonicWall security/perimeter appliance. Given the device class and CVE history, treat detection as a prompt to verify firmware currency and exposure of SSL VPN / management interfaces.