Tech Note--Audit Support for SonicWALL Firewalls

Symantec CloudSOC Tech Note

Posted 25-Apr-2022


Copyright statement Copyright (c) Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


Table of Contents

Introduction 

Supported SonicWALL firewall version 

Sample log formats 

Default log format (Session Information) 

Default Format (URL Information) 

Mandatory fields 

Enabling firewall logging 

Creating a firewall policy 

HTTPS inspection 

Configuring logging 

Exporting Logs 

References 

Revision history 


Introduction 

This Tech Note describes how the CloudSOC Audit application consumes log files from SonicWALL NSA Series next-generation firewalls: the log format it expects, the fields that must be present, and how to configure the firewall and a syslog collector to produce such a file.

Supported SonicWALL firewall version 

Minimum supported version: SonicWALL NSA 220 running firmware 5.8.1.4-31o (SonicOS 5.8.1). 

Sample log formats 

SonicWALL writes each log record as a single line of space-separated key=value pairs (quoted where the value contains spaces, e.g. time="2014-04-04 06:51:06"). You obtain these records in the "Default" syslog format by pointing the firewall at a syslog server. In the samples below, the leading columns (weekday and date, receive time, severity, firewall IP, and an empty hostname column) were added by the syslog collector's export; the firewall's own message begins at id=firewall. 

Default log format (Session Information) 

Friday, April 4, 2014,6:50:59.813 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:06" fw=70.91.207.251 pri=6 c=262144 m=98 msg="Connection Opened" n=561546 usr="Bob" src=182.73.23.2:2912:X1 dst=70.91.207.251:443:X1 proto=tcp/https

Friday, April 4, 2014,6:51:21.326 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:28" fw=70.91.207.251 pri=6 c=1024 m=537 msg="Connection Closed" f=12 n=578196 src=182.73.23.2:2912:X1 dst=70.91.207.251:443:X1 proto=tcp/https sent=933 rcvd=1557 usr="Bob"

Default Format (URL Information) 

Friday, April 4, 2014,6:51:02.711 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=262144 m=98 msg="Connection Opened" sess=Web n=561616 src=192.168.100.30:44948:X0 dst=96.17.148.51:80:X1 proto=tcp/http

Friday, April 4, 2014,6:51:02.761 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=1024 m=97 sess=Web n=86471 src=192.168.100.30:44948:X0 dst=96.17.148.51:80:X1 proto=tcp/http op=GET sent=445 rcvd=1637 result=0 dstname=b.scorecardresearch.com arg=/beacon.js code=17 Category="Education" 


Mandatory fields 

The following fields must be present in the logs uploaded to the CloudSOC Audit application. As the samples above show, no single record carries every field: the session records (Connection Opened/Closed) carry usr, sent and rcvd, while the web access record (m=97) carries dstname and arg, so keep both kinds of record in the exported file rather than filtering to one message type. 

● time 

● src 

● dst 

● msg 

● usr or user 

● proto 

● sent 

● rcvd 

● dstname 

● arg 
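The following is an added example, not code from the tech note or from Symantec or SonicWALL. It parses the "Default" format records shown in the sample log formats section (the four sample lines are embedded verbatim, re-joined onto one line each, as constructed test input) and checks them against the mandatory field list above, both per record and over the log as a whole. The parser skips the collector's export columns, handles quoted values containing spaces, and splits src/dst into address, port and interface. The names MANDATORY, parse_record, split_endpoint, missing_mandatory, missing_from_log and summarize are this example's own.

```python
# Added example (not Symantec or SonicWALL code): parse SonicWALL "Default"
# syslog records and check them against the CloudSOC Audit mandatory fields.
import re
from typing import Dict, List, Optional, Tuple

# Mandatory fields from the tech note; a tuple means "any one of these".
MANDATORY = ("time", "src", "dst", "msg", ("usr", "user"),
             "proto", "sent", "rcvd", "dstname", "arg")

# The four sample records from the tech note, one record per string.
# The leading columns (weekday/date, receive time, severity, firewall IP,
# empty hostname) come from the collector export; the firewall message
# itself starts at "id=firewall".
SAMPLE_RECORDS = (
    'Friday, April 4, 2014,6:50:59.813 AM,Info,192.168.100.2,,id=firewall '
    'sn=C0EAE403A824 time="2014-04-04 06:51:06" fw=70.91.207.251 pri=6 c=262144 '
    'm=98 msg="Connection Opened" n=561546 usr="Bob" src=182.73.23.2:2912:X1 '
    'dst=70.91.207.251:443:X1 proto=tcp/https',
    'Friday, April 4, 2014,6:51:21.326 AM,Info,192.168.100.2,,id=firewall '
    'sn=C0EAE403A824 time="2014-04-04 06:51:28" fw=70.91.207.251 pri=6 c=1024 m=537 '
    'msg="Connection Closed" f=12 n=578196 src=182.73.23.2:2912:X1 '
    'dst=70.91.207.251:443:X1 proto=tcp/https sent=933 rcvd=1557 usr="Bob"',
    'Friday, April 4, 2014,6:51:02.711 AM,Info,192.168.100.2,,id=firewall '
    'sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=262144 '
    'm=98 msg="Connection Opened" sess=Web n=561616 src=192.168.100.30:44948:X0 '
    'dst=96.17.148.51:80:X1 proto=tcp/http',
    'Friday, April 4, 2014,6:51:02.761 AM,Info,192.168.100.2,,id=firewall '
    'sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=1024 m=97 '
    'sess=Web n=86471 src=192.168.100.30:44948:X0 dst=96.17.148.51:80:X1 '
    'proto=tcp/http op=GET sent=445 rcvd=1637 result=0 '
    'dstname=b.scorecardresearch.com arg=/beacon.js code=17 Category="Education"',
)

# key=value where the value is either "quoted, may contain spaces" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# src/dst values look like ip:port:interface (interface may be absent).
ENDPOINT_RE = re.compile(r"^([^:]+):(\d+)(?::(\w+))?$")


def parse_record(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one record as a dict.

    Everything before the first "id=" token (the collector's export
    columns) is skipped so they cannot be mistaken for firewall fields.
    """
    m = re.search(r"\bid=", line)
    body = line[m.start():] if m else line
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(body):
        fields[key] = bare if bare else quoted
    return fields


def split_endpoint(value: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Split a src/dst value such as 182.73.23.2:2912:X1 into (ip, port, iface)."""
    m = ENDPOINT_RE.match(value)
    if not m:
        return value, None, None
    return m.group(1), int(m.group(2)), m.group(3)


def missing_mandatory(fields: Dict[str, str]) -> List[str]:
    """Names of mandatory fields absent from one parsed record."""
    missing: List[str] = []
    for name in MANDATORY:
        if isinstance(name, tuple):
            if not any(alt in fields for alt in name):
                missing.append("/".join(name))
        elif name not in fields:
            missing.append(name)
    return missing


def missing_from_log(lines) -> List[str]:
    """Mandatory fields that no record anywhere in the log supplies.

    Session records carry usr/sent/rcvd and the m=97 web access record
    carries dstname/arg, so the requirement is checked over the union.
    """
    union: Dict[str, str] = {}
    for line in lines:
        union.update(parse_record(line))
    return missing_mandatory(union)


def summarize(lines) -> List[Tuple[Optional[str], Optional[str], Optional[str], List[str]]]:
    """Per-record view: (n, m, msg or op, missing mandatory fields)."""
    out = []
    for line in lines:
        f = parse_record(line)
        out.append((f.get("n"), f.get("m"), f.get("msg") or f.get("op"), missing_mandatory(f)))
    return out


if __name__ == "__main__":
    for n, m, what, missing in summarize(SAMPLE_RECORDS):
        print(f"n={n} m={m} {what!r}: missing {missing or 'nothing'}")
    print("missing from the log as a whole:", missing_from_log(SAMPLE_RECORDS) or "nothing")
```

Run against the four samples, every individual record is short of some mandatory field (the Connection Opened record has no sent/rcvd/dstname/arg, the web access record has no msg or usr), but the union over the file is complete; that is the check to run on an export before uploading it.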

Enabling firewall logging 

The example below walks through creating a new policy that has logging enabled. You can use the same steps as a guideline for enabling logging on your existing policies. 

To produce the records CloudSOC Audit needs, you need a policy that allows access to the Internet, HTTPS inspection so that URL information is visible for encrypted traffic, and the logging (tracking) options configured on that policy. 


Creating a firewall policy 

The firewall ships with a default set of access rules, which cannot be deleted but can be modified. New access rules are added under Firewall > Access Rules > Add. 


Click Add to open a rule window as shown in the following figure. 


In the example rule, From zone is set to LAN, To zone to WAN, Service to Any, Source to LAN Subnets (the whole LAN network) and Users to All (the default), so that any traffic from any LAN host to any destination is allowed. This Any/Any rule is used here only to make the logging example simple; in production, scope Service, Destination and Users to what is actually required, since every session the rule permits is also a session an attacker on the LAN can open. 

The rule allows any traffic from the LAN to the Internet, as shown in the following figure. 


HTTPS inspection 

The HTTPS (SSL) inspection feature is enabled for Client SSL, which covers HTTPS sites that clients behind the firewall access; without it the firewall sees only a TCP connection to port 443 and cannot log dstname or arg for encrypted traffic. SonicWALL ships with a default CA certificate that can be used as the signing authority for the re-signed server certificates. Download that certificate and install it in the trusted root store of the client browsers so that users do not see certificate warnings. Two caveats: once clients trust that CA, whoever holds its private key can impersonate any HTTPS site to them, so protect the firewall and any export of that key as you would any root CA key; and applications that pin their server certificates will fail through the inspection proxy and need to be excluded from it. 

Navigate to DPI-SSL > Client SSL to open this configuration page. 

 

Include the LAN network segment for HTTPS inspection as shown in the following figure. 


Configuring logging 

You must enable traffic logging for the relevant categories. The following log categories are turned on by default to log both locally and via syslog [1]: 

● Denied LAN IP 

● Dynamic Address Objects 

● Firewall rule 

● Network 

● Network Access 

● Network Debug 

 

Syslog can deliver logs in two formats, Default and WebTrends; only Default is supported by CloudSOC Audit. Configure syslog as shown below. Local Use 0 is the default syslog facility; it only tags the messages for the collector (as the <PRI> value in each datagram) and does not change what is logged, so leave it unless your syslog server expects another facility. Choose "Default" from the Syslog format menu. Note that syslog from this firmware is sent as unauthenticated, unencrypted UDP and the records carry usernames and requested URLs, so place the syslog server on a network segment the firewall reaches without crossing untrusted links, and have it accept datagrams only from the firewall's address. 


Use the following commands to configure Syslog using the CLI: 

> syslog add-change <syslog server IP> port <syslog port>

> syslog format default

 

Exporting Logs 

This example uses the Syslog Watcher 4 application, installed on a Windows PC, to listen for and collect the syslog messages from the firewall. Click the Start Server toolbar button to start listening for the logs. 

Once Syslog Watcher has collected the required logs, click the Export toolbar button to export them. 


Use the Message conversion template box to add the required tags, separated by commas (,) as shown below; these become the leading columns of each exported line. 

 

Use the clear log command to clear the log history. 
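As an added example that is not part of the tech note and not Symantec, SonicWALL or Syslog Watcher code, here is a minimal UDP syslog collector that stands in for the Syslog Watcher step described above. It shows what the "Local Use 0" facility setting actually produces on the wire (the <PRI> header, where PRI = facility * 8 + severity, so local0/Info is <134>), drops datagrams without a well-formed header or from any address other than the firewall, and writes one line per message with the same leading columns as the sample records in this note (weekday and date, receive time, severity, source IP, empty hostname, message). The datagram and receive time used by demo() are constructed to match the first sample record, not captured from a real device; the assumption that a firewall message always begins at the id= token is marked in the code.

```python
# Added example (not Symantec, SonicWALL or Syslog Watcher code): a minimal
# UDP syslog collector for SonicWALL "Default" format messages.
import socket
from datetime import datetime
from typing import Optional, Tuple

SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug")
FACILITY_LOCAL0 = 16  # "Local Use 0", the SonicOS default syslog facility

# Constructed datagram and receive time (not captured from a real firewall),
# chosen to reproduce the first sample record in the tech note.
DEMO_DATAGRAM = (b'<134> id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:06" '
                 b'fw=70.91.207.251 pri=6 c=262144 m=98 msg="Connection Opened" '
                 b'n=561546 usr="Bob" src=182.73.23.2:2912:X1 '
                 b'dst=70.91.207.251:443:X1 proto=tcp/https')
DEMO_RECEIVED_AT = datetime(2014, 4, 4, 6, 50, 59, 813000)


def parse_pri(datagram: bytes) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, message) from an RFC 3164 datagram.

    PRI = facility * 8 + severity; "<134>" therefore means local0 (16) and
    Info (6). Returns None when the <PRI> header is missing or malformed,
    which the collector treats as a reason to drop the datagram.
    """
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or end > 4 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:  # facilities run 0..23, so 23 * 8 + 7 is the maximum
        return None
    rest = text[end + 1:]
    # The SonicOS "Default" format sends no timestamp/hostname header, so the
    # message starts at id=firewall. Assumption: if some header is present
    # anyway, the firewall message still begins at the first "id=" token.
    idx = rest.find("id=")
    message = rest[idx:] if idx >= 0 else rest.strip()
    return pri // 8, pri % 8, message


def export_line(received_at: datetime, source_ip: str, datagram: bytes) -> Optional[str]:
    """Format one datagram with the columns used in the tech note's samples."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return None
    _facility, severity, message = parsed
    date = f"{received_at:%A, %B} {received_at.day}, {received_at.year}"
    clock = (received_at.strftime("%I:%M:%S").lstrip("0")
             + f".{received_at.microsecond // 1000:03d} "
             + received_at.strftime("%p"))
    # The hostname column stays empty because the Default format carries none.
    return f"{date},{clock},{SEVERITIES[severity]},{source_ip},,{message}"


def demo() -> Optional[str]:
    """Export line for the constructed datagram; matches sample record one."""
    return export_line(DEMO_RECEIVED_AT, "192.168.100.2", DEMO_DATAGRAM)


def serve(firewall_ip: str, out_path: str, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams and append export lines to out_path.

    Syslog over UDP is unauthenticated cleartext and these records carry
    usernames and URLs: the source-IP check keeps stray senders out of the
    audit file but does not stop a spoofing attacker, so run the collector
    on a trusted segment the firewall reaches directly.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(out_path, "a", encoding="utf-8") as out:
        while True:
            datagram, (src_ip, _src_port) = sock.recvfrom(65535)
            if src_ip != firewall_ip:
                continue  # not the firewall configured with "syslog add-change"
            line = export_line(datetime.now(), src_ip, datagram)
            if line is not None:
                out.write(line + "\n")
                out.flush()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        serve(sys.argv[1], sys.argv[2])  # python collector.py <firewall IP> <out file>
    else:
        print(demo())
```

Binding port 514 requires administrative privileges on most systems; pass a higher port and point the firewall's "syslog add-change ... port" at it if you would rather not run the collector as root. The file it writes can be fed straight into the mandatory-field check described under Mandatory fields.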

References 

[1] WebSpy, Analyzing SonicWALL log files with WebSpy, http://webspy.com/most-popular-vendors/Sonicwall/analyzing-Sonicwall-log-files-with-webspy/ 

[2] SonicOS 5.8.1 Administrator's Guide (Rev F), http://208.17.117.208/downloads/SonicOS_5.8.1_RevF_Administrators_Guide.pdf 

Revision history 

Date  Version  Description 

2014  1.0  Initial release 

10 November 2015  1.1  Minor revisions 
