SonicWall SonicOS 7.1 Logs User Guide

SonicWall SonicOS 7.1 Logs

Product Information

Specifications

• Product Name: SonicOS 7.1 Logs Administration Guide

• Compatibility: SonicWall family of firewalls

• Features: Network service management, traffic management,
  network security, threat monitoring

• Management Interface: Web-based

• API: Application Program Interface

• CLI: Command Line Interface

Product Usage Instructions

About SonicOS
This guide is a part of the SonicOS collection of administrative guides that describe how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators with the management interface, API, and Command Line Interface (CLI) for firewall configuration by setting objects to secure and protect the network services, manage traffic, and provide the desired level of network service.

Working with SonicOS
SonicOS provides a web management interface for configuring, managing, and monitoring the features, policies, security services, connected devices, and threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure underlying operating system. The SonicOS management interface facilitates:

• Policy Mode: Provides a unified policy configuration workflow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the workflow for other policy types.
• Classic Mode: More consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.

The table below identifies which modes can be used on different SonicWall firewalls:

Firewall Type| TZ Series| NSa Series| NSsp 10700, NSsp 11700, NSsp 13700| NSsp 15700| NSv Series
---|---|---|---|---|---
Classic Mode| Yes| Yes| Yes| No| Yes
Policy Mode| No| Yes| No| No| No

FAQ (Frequently Asked Questions)

• Q: What is SonicOS?
  A: SonicOS is the collection of administrative guides that describe how to administer and monitor the SonicWall family of firewalls.

• Q: What are the different modes in SonicOS?
  A: SonicOS has two modes – Policy Mode and Classic Mode. Policy Mode provides a unified policy configuration workflow, while Classic Mode is more consistent with earlier releases of SonicOS.

• Q: Which SonicWall firewalls support Classic Mode?
  A: The TZ Series, NSa Series, and NSv Series firewalls support Classic Mode.

• Q: Which SonicWall firewalls support Policy Mode?
  A: The NSa Series firewall supports Policy Mode.

About SonicOS

This guide is a part of the SonicOS collection of administrative guides that describes how to administer and monitor the SonicWall family of firewalls. SonicOS provides network administrators the management interface, API (Application Program Interface), and the Command Line Interface (CLI) for firewall configuration by setting objects to secure and protect the network services, to manage traffic, and to provide the desired level of network service.

Working with SonicOS

SonicOS provides a web management interface for configuring, managing, and monitoring the features, policies, security services, connected devices, and threats to your network. SonicOS runs on top of SonicCore, SonicWall’s secure underlying operating system.

The SonicOS management interface facilitates:

• Setting up and configuring your firewall
• Configuring external devices like access points or switches
• Configuring networks and external system options that connect to your firewall
• Defining objects and policies for protection
• Monitoring the health and status of the security appliance, network, users, and connections
• Monitoring traffic, users, and threats
• Investigating events

SonicWall offers two different modes of operation in SonicOS; the modes differ mainly in the areas of policy, object configuration and diagnostics.

• Policy Mode provides a unified policy configuration work flow. It combines Layer 3 to Layer 7 policy enforcement for security policies and optimizes the work flow for other policy types. This unified policy work flow gathers many security settings into one place, which were previously configured on different pages of the management interface.
• Classic Mode is more consistent with earlier releases of SonicOS; you need to develop individual policies and actions for specific security services. The Classic Mode has a redesigned interface.

This table identifies which modes can be used on the different SonicWall firewalls:

In addition to the management interface, SonicOS also has a full-featured API and a CLI to manage the firewalls. For more information, refer to:

SonicOS Workflow

When working with SonicWall products, you can use the following workflow as a guide for setting up your security solution.

You begin your planning as you start making your purchasing decisions. Your sales partners can help you assess your network and make recommendations based on the kinds of security services you need. You can learn more about SonicWall products by reviewing product information and solutions. After selecting the solution, you can schedule your implementation. After planning and scheduling your solution, you begin setting up the firewalls. The Getting Started Guides for your products can help you begin setting up the pieces to your solution. The getting started guides are designed to help you install the firewall to a minimal level of operation. Before performing any detailed configuration tasks described in the SonicOS Administration Guides, you should have your firewall set up and basic operation validated.

The configuration block of the workflow refers to the many tasks that combine to define how your firewall is integrated into your security solution and how it behaves when protecting your environment. Depending on the features of your security solution, this task can be quite complex. The System Administration Guides are broken into the key command sets and features. Some documents may be used for all solutions, but others may be used use only if you integrated that feature into your solution. For example, High Availability or Wireless Access Points are not necessarily used by all customers. More information about a feature’s workflow is presented in the feature administration guide. Refer to the specific Administration Guide for a SonicOS feature for more information.

Configuration tends to be a one-time activity, although you might make minor adjustments after monitoring performance or after diagnosing an issue. The configuration activity can be broken down into the more detailed flow as the following figure shows. This also mirrors the key functions that are listed across the top of the management interface.

There is some flexibility in the order in which you do things, but this is the general work-flow you would follow when configuring your firewall. Start by defining the settings on the firewall. Next you set up the system and other devices that your firewall is connected to, and you can choose to implement High Availability when done. After your device, network, and system is configured, you should define the objects that you want to monitor. Then you use those objects to define the policies that protect your network. The final step to preparing your setup is to validate the user authentication.

How to Use the SonicOS Administration Guides

The SonicOS Administration Guide is a collection of guides that detail the features represented by each of the main menu items in the management interface. Within each guide, you can find topics covering commands in that menu group, along with procedures and in-depth information. The exceptions are the SonicOS 7.1 Monitor Guide and the SonicOS 7.1 Objects Guide which combine the topics for each of those functions into a single book.

To help you understand how the books align with the features and commands, the following figure shows the books organized like the SonicWall management interface.

The SonicOS Administration Guides, along with related documentation, such as the getting started guides, are available at https://www.sonicwall.com/support/technical-documentation/.

Guide Conventions

These text conventions are used in this guide:

• NOTE: A NOTE icon indicates supporting information.
• IMPORTANT: An IMPORTANT icon indicates supporting information.
• TIP: A TIP icon indicates helpful information.
• CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
• WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

1. Bold text
   Used in procedures to identify elements in the management interface like dialog boxes, windows, screen names, messages, and buttons. Also used for file names and text or values you are being instructed to select or type into the interface.

2. Function | Menu group > Menu item
   Indicates a multiple-step menu choice on the user interface. For example, NETWORK | System > Interfaces means to select the NETWORK functions at the top of the window, then click on System in the left navigation menu to open the menu group (if needed) and select Interfaces to display the page.

3. Code
   Indicates sample computer programming code. If bold, it represents text to be typed in the command line interface.

4. < Variable>
   Represents a variable name. The variable name and angle brackets need to be replaced with an actual value. For example in the segment serialnumber=<your serial number>, replace the variable and brackets with the serial number from your device, such as serialnumber=2CB8ED000004.

5. Italics
   Indicates the name of a technical manual. Also indicates emphasis on certain words in a sentence, such as the first instance of a significant term or concept.

System Logs

The SonicWall network security appliance maintains an Event log for tracking potential security threats.

Viewing System Logs
To view system events, navigate to MONITOR | Logs > System Logs page.

For a description of the:

• Functions, see System Log Functions
• Columns, see Display Options

System Log Functions

The System Log table provides numerous settings to allow you to navigate, view, and export results. Table columns can be customized, so that you can view full data on any event, or only the data you need. Table entries can be sorted to display in either ascending or descending order. To sort the entries in the Event Log, click the column heading. The entries are sorted by ascending or descending order. The arrow to the right of the column name indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.

The top row of the Event Log contains various functions. Functions pertaining only to Event Logs are described in the below table.

SYSTEM EVENT LOG FUNCTIONS

Display Options

Customize the Events log to display as many or a few columns that meet your needs.

To select which columns to display:

1. Navigate to MONITOR | Logs > System Logs.

2. Click the Grid icon. The Grid Settings dialog displays:

3. Select the items you want to appear as columns in the System Log.

4. When done, click Apply to preserve any changes or click Restore Default to revert back to the default settings.
   You can perform the following actions on the System Logs page:

   • To export the logs in CSV, TXT files, and email, click the Export icon and select the required format
   • To clear the logs from the table, click the Clear Logs icon
   • To refresh the page, click the Refresh icon
   • To view more details of the log, click the triangle icon of the log

Filtering the View

The Filter View input field at the top left corner of the System Log enables you to narrow your search using drop-down options and search strings.

To filter the System Event logs:

1. Navigate to MONITOR | Logs > System Logs.
2. Click Filter icon.
3. Select any filtering scheme you want. Filter on just one field or you can filter on all of them. In the General, Source and Destination fields, you can enter a partial string to filter on.
4. Click Accept.
   OR
   Click Reset to clear the filters applied.

Auditing Logs

This section describes in detail the recording feature that collects and records information on any changes in the security appliance configuration. To access this feature, navigate to MONITOR | Logs > Auditing Logs in the SonicOS web management interface.

What is Configuration Auditing
Configuration auditing is a feature that automatically records any configuration changes that an administrator attempts from one of the available user interfaces, web management (via HTTP and HTTPS), command line (via console or SSH), or SonicWall GMS. A configuration auditing records table is created to record all attempted configuration changes, both successful and failed. With configuration auditing, SonicOS archives the history of its configuration changes, so that the administrator or others can later revisit and analyze the records. This feature is enabled by default for the platforms where it is available.

Benefits of Configuration Auditing

Auditing of configuration change records can be useful as described below:

• Automatic documentation of any configuration changes performed by an administrator
• Assistance in troubleshooting unexpected changes in run-time system behavior
• Visibility, continuity, and consistency where there are several administrators, either simultaneously or consecutively. Each administrator has access to a record of changes performed or attempted by all other administrators.
• Third party integration with Firewall Manager, SEIM systems, logging and reporting solutions
• Compliance with regulations such as SOX, FISMA, NIST, DISA STIP

What Information is Recorded
Configuration auditing generates a record for every configuration change. The record includes:

• Which parameter was changed
• When the change was made
• Who made the change
• From where the change was made
• Details of the change, such as the previous and subsequent values

What Information is Not Recorded

The following are not included in the Configuration Auditing operation:

• Importing a Settings File – Configuration changes due to importing a settings file are currently not recorded by the configuration auditing feature. Since all current settings are cleared before applying imported configurations, the assumption is that all existing configurations are modified.
• WXA configuration settings — SonicOS does not audit any configuration changes in WAN Acceleration. Some settings are saved on the WXA instead of the firewall, although the settings can be configured from the SonicOS web management interface.
• ZEBOS settings for BGP/OSPF/RIP routing configurations — SonicOS stores these settings as one long string of ZEBOS CLI commands. Records of changes made by these commands are not duplicated in the configuration auditing operation.
• Anti-Spam Junk Store applications — Configuration settings changed through a proxy server running a junk store are excluded from configuration auditing.
• Licensing – All aspects of system licensing are authenticated through MySonicWall and are not recorded through configuration auditing.
• Uploading a file from Home > Capture ATP does not audit uploading a file from the page, because the contents of this page do not reside on the firewall.

Audit Recording in High Availability Configurations

The Configuration Auditing operation records changes individually for each device. It does not synchronize the recorded information between appliances in an HA pair. When the active HA unit next synchronizes with the standby HA unit, it sends configuration changes to the standby unit. The synchronization operation information

updates the auditing record of the standby device in the pair. On the standby unit, the auditing record indicates that the configuration changes it recorded came from the active unit.

Modifying and Supplementing Configuration Auditing
Configuration Auditing operations can be modified and supplemented through the following:

SNMP Trap Control
SNMP (Simple Network Management Protocol) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks. SNMP traps allow the user to monitor security appliance status and configuration through a Management Information Database (MIB). Configuration auditing works in conjunction with SNMP by giving the user the option to enable a trap for each logged event collected during a network configuration change, whether successful or failed.

E-CLI Commands
E-CLI (Enterprise Command Line Interface) commands are available for configuration auditing record setting and display, for those administrators who like to work from the command line. You can use the following E-CLI commands to enable or disable configuration auditing and to view records:

to work with settings:

• config(C0EAE49CE84C)# log audit settings
• (config-audit)# enable
• (config-audit)# debug
• (config-audit)# auditall
• (config-audit)# commit

to show audit records:

• (config-audit)# show log audit view

Auditing Record Storage and Persistence

Configuration auditing records are saved to non-volatile storage (such as flash), so that records can be restored, if required, after a reboot. The number of records saved is directly proportional to the capability of the device, as

defined in the product matrix below. Higher-end platforms can store more records than lower-end devices. Devices with no flash or smaller flash capacity do not support configuration auditing. All configuration auditing records, on any platform, are deleted when the appliance is rebooted with factory defaults.

Managing the Audit Logs Table

The administrator can manage the auditing records in many useful ways. The following activities are available:

Viewing Auditing Logs
The MONITOR | Logs > Auditing Logs page displays all the configuration auditing records. It allows a user to view, search, and sort the records.

• The first column is expandable to display the summary of the log entry.
• There are also buttons for Select all Columns and Restore Default for ease of operation. Click the Grid Settings icon to perform the desired action.
• The user can search for a specific string pattern and highlight the matched results if any are found.
• Failed configuration changes are marked in red.
• All columns are sortable.

Manually Emailing Auditing Logs
When a valid mail server and email address are configured, the user can click the email button on the toolbar of the Auditing Records page to manually email auditing records at any time. The button is disabled if either the mail server or the email address is not configured under DEVICE | Log > Automation.

The DEVICE | Log > Automation page includes settings for configuring the SonicWall to send log files using Email and configuring mail server settings.

Exporting Auditing Logs
There are two export options for auditing records. You can export the records as a text file or as a CSV file.

Refreshing the Auditing Logs
The Refresh button provides a way to refresh the page and display the latest auditing records, as seen below:

Displaying the Auditing Logs on the console
Click Supplemental > Display Auditing Records on Console option to display the auditing records on the console in a text format.

Auditing All Parameters During Addition
By default, configuration auditing only logs significant changes, defined as changes where the new value of the parameter is different from the default value. Click Supplemental > Audit Supplemental Parameter Changes option to record all parameter changes during an addition activity, even when the new values are the same as the default values.

Threat Logs

This section describes in detail the recording feature that collects and records information on any changes in the security appliance configuration. To access this feature, navigate to MONITOR | Logs > Threat Logs in the SonicOS web management interface.

Viewing Threat Logs

To view threat events, navigate to MONITOR | Logs > Threat Logs page.

For a description of the:

• For functions, see Threat Log Functions
• Columns, see Display Options

Threat Log Functions

The Threat Log table provides numerous settings to allow you to navigate, view, and export results. Table columns can be customized, so that you can view full data on any event, or only the data you need. Table entries can be sorted to display in either ascending or descending order.

To sort the entries in the Event Log, click the column heading. The entries are sorted by ascending or descending order. The arrow to the right of the column name indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order. The top row of the Event Log contains various functions. Functions pertaining only to Event Logs are described in the below table.

SYSTEM EVENT LOG FUNCTIONS

Display Options

Customize the Events log to display as many or a few columns that meet your needs.

To select which columns to display:

1. Navigate to MONITOR | Logs > Threat Logs.
2. Click the Grid icon. The Grid Settings dialog displays:
3. Select the items you want to appear as columns in the Threat Log.
4. When done, click Apply to preserve any changes or click Restore Default to revert back to the default settings.

SonicWall Support

Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract. The Support Portal provides self- help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. To access the Support Portal, go to https://www.sonicwall.com/support.

The Support Portal enables you to:

• View knowledge base articles and technical documentation
• View and participate in the Community forum discussions at https://community.sonicwall.com/technology-and-support.
• View video tutorials
• Access https://mysonicwall.com
• Learn about SonicWall Professional Services at https://sonicwall.com/pes.
• Review SonicWall Support services and warranty information
• Register for training and certification
• Request technical support or customer service

To contact SonicWall Support, visit https://www.sonicwall.com/support /contact-support.

About This Document

SonicOS Logs Administration Guide
Updated – December 2023
Software Version – 7.1
232-006095-00 Rev A

Copyright © 2023 SonicWall Inc. All rights reserved.

The information in this document is provided in connection with SonicWall and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS OUTLINED IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SonicWall and/or its affiliates make no representations or warranties for the accuracy or completeness of the contents of this document and reserve the right to make changes to specifications and product descriptions at any time without notice. and/or its affiliates do not make any commitment to update the information contained in this document.
For more information, visit https://www.sonicwall.com/legal.

End User Product Agreement
To view the SonicWall End User Product Agreement, go to: https://www.sonicwall.com/legal/end-user-product-agreements/.

Open Source Code
SonicWall Inc. can provide a machine-readable copy of open source code with restrictive licenses such as GPL, LGPL, and AGPL when applicable per license requirements. To obtain a complete machine-readable copy, send your written requests, along with a certified check or money order in the amount of USD 25.00 payable to “SonicWall Inc.”, to: General Public License Source Code Request Attn: Jennifer Anderson 1033 McCarthy Blvd Milpitas, CA 95035.

References

• SonicWall Community | Technology and Support
• MySonicWall
• sonicwall.com/pes
• MySonicWall
• sonicwall.com/legal
• sonicwall.com/legal/end-user-product-agreements/
• sonicwall.com/support
• sonicwall.com/support/contact-support
• sonicwall.com/support/technical-documentation/
• sonicwall.com/support/technical-documentation/?language=English&category=Firewalls&resources=Administration%20Guide&version=7.1
• sonicwall.com/support/technical-documentation/?language=English&category=Firewalls&resources=Getting%20Started%20Guide
• sonicwall.com/support/technical-documentation/?q=sonicos%20api&language=English
• sonicwall.com/support/technical-documentation/sonicos-7-1-monitor

Read User Manual Online (PDF format)

Download This Manual (PDF format)

Download this manual  >>