Tech Note--Audit Support for SonicWALL Firewalls
Symantec CloudSOC Tech Note
Copyright statement: Copyright (c) Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
Table of Contents
Introduction
Supported SonicWALL firewall version
Sample log formats
Default log format (Session Information)
Default Format (URL Information)
Mandatory fields
Enabling firewall logging
Creating a firewall policy
HTTPS inspection
Configuring logging
Exporting Logs
References
Revision history
Introduction
This Tech Note describes how the CloudSOC Audit application supports log files from SonicWALL NSA Series Next-Generation Firewall devices.
Supported SonicWALL firewall version
SonicWALL minimum supported version: SonicWALL Firewall NSA220 v5.8.1.4-31o
Sample log formats
SonicWALL writes its logs in WELF (WebTrends Enhanced Log Format). You obtain these logs in the “Default” syslog format from a syslog server.
Default log format (Session Information)
Friday, April 4, 2014,6:50:59.813 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:06" fw=70.91.207.251 pri=6 c=262144 m=98 msg="Connection Opened" n=561546 usr="Bob" src=182.73.23.2:2912:X1 dst=70.91.207.251:443:X1 proto=tcp/https
Friday, April 4, 2014,6:51:21.326 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:28" fw=70.91.207.251 pri=6 c=1024 m=537 msg="Connection Closed" f=12 n=578196 src=182.73.23.2:2912:X1 dst=70.91.207.251:443:X1 proto=tcp/https sent=933 rcvd=1557 usr="Bob"
Default Format (URL Information)
Friday, April 4, 2014,6:51:02.711 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=262144 m=98 msg="Connection Opened" sess=Web n=561616 src=192.168.100.30:44948:X0 dst=96.17.148.51:80:X1 proto=tcp/http
Friday, April 4, 2014,6:51:02.761 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=1024 m=97 sess=Web n=86471 src=192.168.100.30:44948:X0 dst=96.17.148.51:80:X1 proto=tcp/http op=GET sent=445 rcvd=1637 result=0 dstname=b.scorecardresearch.com arg=/beacon.js code=17 Category="Education"
Mandatory fields
The following fields must be present in the logs uploaded to the CloudSOC Audit application:
● time
● src
● dst
● msg
● usr or user
● proto
● sent
● rcvd
● dstname
● arg
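To check an export against this list before uploading it, here is an added Python example (not part of the tech note or of CloudSOC) that parses Default-format records like the samples above and reports which mandatory fields a whole batch lacks. The sample records are the tech note's own examples re-joined onto single lines; the leading CSV prefix is assumed to be the one a Syslog Watcher export prepends.

```python
import re
from typing import Dict, List, Optional

# Fields the tech note lists as mandatory; "usr" and "user" are alternatives.
MANDATORY = ("time", "src", "dst", "msg", "usr|user", "proto",
             "sent", "rcvd", "dstname", "arg")

# One WELF key=value pair: the value is either double-quoted (it may contain
# spaces, e.g. msg="Connection Opened") or an unquoted run of non-blanks.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: the tech note's records re-joined onto single lines,
# including the CSV prefix that the Syslog Watcher export prepends (assumed).
SAMPLE = [
    'Friday, April 4, 2014,6:50:59.813 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:06" fw=70.91.207.251 pri=6 c=262144 m=98 msg="Connection Opened" n=561546 usr="Bob" src=182.73.23.2:2912:X1 dst=70.91.207.251:443:X1 proto=tcp/https',
    'Friday, April 4, 2014,6:51:21.326 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:28" fw=70.91.207.251 pri=6 c=1024 m=537 msg="Connection Closed" f=12 n=578196 src=182.73.23.2:2912:X1 dst=70.91.207.251:443:X1 proto=tcp/https sent=933 rcvd=1557 usr="Bob"',
    'Friday, April 4, 2014,6:51:02.761 AM,Info,192.168.100.2,,id=firewall sn=C0EAE403A824 time="2014-04-04 06:51:09" fw=70.91.207.251 pri=6 c=1024 m=97 sess=Web n=86471 src=192.168.100.30:44948:X0 dst=96.17.148.51:80:X1 proto=tcp/http op=GET sent=445 rcvd=1637 result=0 dstname=b.scorecardresearch.com arg=/beacon.js code=17 Category="Education"',
]


def parse_record(line: str) -> Dict[str, str]:
    """Return the WELF fields of one exported syslog line as a dict.
    The CSV prefix (weekday, date, time, level, source IP) contains no '=',
    so only the firewall message part produces key=value pairs."""
    return {k: q if q else u for k, q, u in _KV.findall(line)}


def user_of(record: Dict[str, str]) -> Optional[str]:
    """Honour the 'usr or user' alternative from the mandatory-field list."""
    return record.get("usr") or record.get("user")


def missing_mandatory(records: List[Dict[str, str]]) -> List[str]:
    """Mandatory fields that no record in the batch supplies. Session records
    carry sent/rcvd while URL records carry dstname/arg, so the check is made
    over the whole upload rather than per record."""
    seen = set()
    for r in records:
        seen.update(r)
    return [f for f in MANDATORY if not any(a in seen for a in f.split("|"))]


def bytes_by_user(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Sum sent+rcvd per user over records that carry both byte counters."""
    totals: Dict[str, int] = {}
    for r in records:
        u = user_of(r)
        if u and "sent" in r and "rcvd" in r:
            totals[u] = totals.get(u, 0) + int(r["sent"]) + int(r["rcvd"])
    return totals
```

Run `missing_mandatory` over every parsed line of an export; an empty list means each mandatory field appears at least once in the batch.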
Enabling firewall logging
The example below guides you through creating a new policy that enables logging. You can use these instructions as a guideline for enabling logging on your existing policies.
To enable logging, you need a policy that allows access to the Internet, URL filtering configured, and the Tracking options set on the policies.
Creating a firewall policy
The firewall comes with a default set of access rules, which cannot be deleted but can be modified. Access rules are added at Firewall > Access Rules > Add.
Click Add to open a rule window as shown in the following figure.
To allow any traffic to pass from any source to any destination, select LAN as the From zone, WAN as the To zone, Any as the Service, LAN Subnets (the whole LAN network) as the Source, and leave User at its default of All.
The rule allows any traffic from the LAN to the Internet, as shown in the following figure.
HTTPS inspection
HTTPS (SSL) inspection is enabled for Client SSL, which covers the HTTPS sites that clients access through the firewall. SonicWALL ships a default CA certificate that can be used as the signing authority; download it and install it in the root CA store of the client browsers to avoid certificate warnings.
Navigate to DPI-SSL > Client SSL to open this configuration page.
Include the LAN network segment for HTTPS inspection as shown in the following figure.
Configuring logging
You must enable traffic logging for certain categories. The following log category settings are turned on by default to log locally and via syslog [1].
● Denied LAN IP
● Dynamic Address Objects
● Firewall rule
● Network
● Network Access
● Network Debug
Logs collected through syslog come in two formats: Default and WebTrends (not supported). Configure syslog as shown below. Local Use 0 is the default syslog facility and provides the most information. Select “Default” from the Syslog format menu to produce logs in the supported format.
Use the following commands to configure Syslog using the CLI:
> syslog add-change <syslog server IP> port <syslog port>
> syslog format default
Exporting Logs
We used the Syslog Watcher 4 application installed on a Windows PC, which listens for and collects syslog messages from the firewall. Click the Start Server toolbar button to start listening for the logs.
Once Syslog Watcher collects the required logs, click the Export toolbar button to export them.
Use the Message conversion template box to add the required tags. Separate the tags with commas (,) as shown below.
Use the clear log command to clear the log history.
References
[1] http://webspy.com/most-popular-vendors/Sonicwall/analyzing-Sonicwall-log-files-with-webspy/
[2] http://208.17.117.208/downloads/SonicOS_5.8.1_RevF_Administrators_Guide.pdf
Revision history
Date Version Description
2014 1.0 Initial release
10 November 2015 1.1 Minor revisions