Sonicwall monitor user activity

Sonicwall monitor user activity DEFAULT

SonicWall firewall user auditing and management

Monitoring firewall user account activities, such as adding, deleting, or changing user privilege levels, helps track peculiar account changes. Keeping tab on these activities help tracking changes that are vital in securing the network from malicious attacks and threats.

EventLog Analyzer presents all user logon and account activities in simple, predefined reports with in-depth information. Administrators can create alert profiles to instantly receive notifications about changes of any type.

Firewall logon reports:

These out-of-the-box reports monitor all successful and failed user logon attempts. Logon reports are categorized by users and source. Reports on successful and failed logons trends are also available.

Available Reports

Successful Logons | Failed Logons | Top Successful Logons from Source | Top Successful Logons by Users | Top Failed Logons from Source | Top Failed Logons by Users | Successful Logons Trends | Failed Logons Trends

Firewall account management reports:

These reports represent all user-based information, such as new and deleted users and changes in user privilege levels. Account management reports help administrators conduct audit trials of firewall users and their activities.

Available Reports

Users Added | Users Deleted | Users Modified | Users Disabled | Users Enabled | User Privilege Changed

SonicWall traffic monitoring reportsSonicWall rules management reports


How can I track which users or IP addresses are accessing a certain website using AppFlow?

12/20/2019 139 34833


This article describes how to track which Users or IP addresses are accessing a certain website using AppFlow Monitor on Dashboard.


NOTE: Before following this KB, please ensure that AppFlow is enabled. [[Enabling the Real-Time Monitor and AppFlow Collection in SonicOS Enhanced|170503566814827]].

Login to your SonicWall management page and click on Investigate tab on top of the page.

  1.  Navigate to AppFlow Logs page. Select 'URLs' tab and In Group by select Domain Name from drop-down list.

  2.  Click on the website you want to track and click Filter option. In this example we use the URL 

    This will limit all the information under all the other tabs specific to

  3. Click Users tab.It will show all the users who tried to access

  4. Clicking on username shows the IP address.
  1. Sylvania tailgate speaker
  2. Twisted star quilt block
  3. Archangel stock for savage axis
  4. I am interested synonyms

Enable SonicWall DPI-SSL

With most of the web now using HTTPS, DPI-SSL is not only an essential technology for protecting your network from threats transmitted over HTTPS, but also for reporting on web usage traffic. Without SonicWall’s DPI-SSL feature enabled, only the domain of a website will be logged (e.g. but not the full URL (e.g. This is important if you need to report on web searches, youtube videos, full web pages, or full virus URLs.

Fastvue Reporter also utilizes full URLs for its Site Clean algorithm to clean ‘Junk’ urls from your reports. For example, we don’t want to clean visits to from your reports, but we do want to clean hits to facebook ‘Like’ buttons on other pages. Facebook ‘Like’ buttons come from the URL Without DPI-SSL, SonicWall will only log, leaving the Site Clean engine unable to clean the ‘like’ buttons from your reports.

Enabling DPI-SSL can be pain as it requires deploying certificates to all devices that you want to protect and report on. Although this can be relatively easily achieved for devices controlled by AD group policy, it gets tricky for other devices such as BYOD mobile devices, devices on a ‘guest’ network and for browsers with their own certificate store (we’re looking at you Mozilla Firefox!).

In these situations, you can manually email the certificate to users along with installation instructions, post it on an internal website that users can access once logged in (captive portal), or use onboarding tools like Impulse’s SafeConnect which can help in some automation without agent deployment.

Instructions for enabling DPI-SSL vary slightly depending on your SonicOS version, but look for DPI-SSL, Deep Packet Inspection or Decryption Services in the left-hand menu. For testing, create an Address Object that includes a few host machines you would like to test with, and then include this object in your DPI-SSL settings. Once you’re happy everything is working, you can easily change this to a broader group.

Enabling SonicWall DPI-SSL

DPI-SSL Logging Issues

Earlier versions of SonicOS had some logging issues when DPI-SSL was enabled, affecting the accuracy and detail of web traffic in your reports. Fortunately, SonicWall fixed these in SonicOS 6.5.

If you’re running SonicOS 6.2.7 and below, please be aware of these two issues:

Enable Name Resolution

Even if you have authentication enabled, you may have certain traffic excluded from authentication such as Windows and virus updates, guest networks, BYOD devices etc. In these situations, Fastvue Reporter for SonicWall will attempt to resolve the IP addresses, however it is a good idea to get SonicWall to log the resolved IP address instead. This will save the extra lookups from your Fastvue server, and/or any extra DNS configuration that is required for the Fastvue Server to resolve IPs in the first place.

On your SonicWall device, go to Log Settings | NameResolution and ensure you have a Name Resolution method set, and the DNS servers correctly configured.

SonicWall Name Resolution Log Settings

Enable Referrer URL Logging:

One of the major inputs to Fastvue’s Site Clean engine is referer URLs which SonicWall added support for in SonicOS version

Ensure you are running SonicOS or above, and your logging format is set to ‘Enhanced Syslog’ with all fields selected (specifically, the ‘Notes’ field as this is where the referer URL is logged).

SonicWall SonicOS 6.2.7 Enhanced Syslog

SonicWall will then log referrer URLs for http requests which helps the Fastvue Site Clean engine better determine the websites actually visited by your users, and remove/clean the background websites from your reports.

Note: SonicWall released hotfix SonicOS–HF187283 to fix an issue where referrer URLs were not logged for DPI-SSL traffic. We believe this has been rolled into SonicOS and above.

Block the QUIC Protocol

Google, owning many web properties as well as a popular web browser with Chrome (currently used by 60% of the population), decided to take web speed into their own hands and introduce a new protocol between their browser and their servers. This is called QUIC and works over UDP.

Although this is great for the web development community generally, it is not great for firewalls as it impacts on the accuracy of logging and reporting. For now, this only affects Google web properties such as YouTube, Google Search and Gmail, but it may be adopted by other websites moving forward.

Fortunately, SonicWall enables you to disable the QUIC protocol for your network, and then Google Chrome will fall back to using normal https.

You can do this via SonicWall’s Application Control Advanced page, or use a standard firewall rule to block UDP port 443.

To block QUIC using SonicWall’s Application Control:

  1. Go to Security Services | ApplicationControl (or Rules | Advanced Application Control in SonicOS 6.5 and above).
  2. Select Category = Infrastructure, and edit the Google QUIC application
  3. Select Block = Enable
Block Google Quic with SonicWall Application Control

You can also disable QUIC in Google Chrome directly by going to typing chrome://flags in the address bar, and setting the Experimental QUIC protocol to Disabled.

Disable Google Quic In Chrome

Without the QUIC protocol disabled, you may see inaccurate bandwidth and browsing time figures for Google web properties.


Getting started with Fastvue Reporter for SonicWall is very easy, but once you start digging into the reports, you may discover issues such as users showing as IP addresses instead of usernames, blank ‘search term’ reports, blank productivity reports, reports cluttered with advertising and other junk, or inaccurate bandwidth figures.

Ensuring you’re on the latest SonicOS (we recommend SonicOS 6.5 and above) and enabling the features above will give you the best configuration from a logging and reporting perspective, and improve your ability to protect and secure your network.


How can I generate a detailed report on the browsing activity of a particular user?

03/26/2020 1240 36285


This article will explain you one way to get access to the full details available in GMS for a particular user. Other methods may exist to obtain similar result.It also explain how to filter reports to obtain only the information that you need.


In this example we will follow the user Prasad and get details for a particular website he browsed: We will be able to see when he visited this website and what URLs he visited.

  1. We will start from the Top sites report, under Web Activity.First, we will filter the report by user by adding a filter ("plus" button on the top left corner) on user name in the format "domain\user", in this case: user=sv\prasad.

    NOTE: Using the floppy disk button on the left of the filter will let you save this particular report configuration for later use.Saved reports can be found under the Custom Reports category and can also be used to configure Scheduled Reports which are sent by email.

  2. Now that our report is filtered by user, we want to have more information on the browsing activity that was made onto the website this, we can simply click on the website name and the report will be filtered to show details for this particular site only.
  3. The report we now have does not provide enough information. To access all details (raw syslogs), right-click on the website name and then click Drilldown.You will now see all information sent by the unit to GMS/Analyzer regarding this particular user and website.
  4. From this report, it is easy to view details for all users or all websites, a click on the small cross after a filter will remove it. a click on the red cross at the end of the filter bar will remove all filters. Click on the arrow to submit your new filter.
    As always with GMS/Analyzer, the report data is updated up-to-the-second. The capture below would show you all browsing activity for the user sv\prasad in near real-time.Image

    NOTE:CFS enforcement is Mandatory for these reports . For CFS 4.0 please visit : CFS 4.0 Overview, For Cfs 3.0 , please visit: CFS 3.0 Overview .


User sonicwall activity monitor

SonicWall firewall rules/policies, configuration & log analyzer

Gaining Internet activity insights and keeping abreast about security events is a challenging task as the security appliance generates a huge quantity of security and traffic logs. With a package of features, Firewall Analyzer's reporting capability for SonicWall firewall appliance fit like a glove enabling you to strengthen the network security. Firewall Analyzer lets you to collect, archive, analyze SonicWall device logs and generate security and forensic reports.

SonicWall network security and capacity management

With Firewall Analyzer for SonicWall, you can access pre-defined reports that help in analyzing bandwidth usage and understanding security and network activities. These reports helps you to study the security vulnerability with top denied hosts, blocked URL hits, attacks, targets, virus, affected hosts, spam, receiving hosts.

SonicWall Network Security Firewall - ManageEngine Firewall Analyzer

SonicWall bandwidth capacity planning

Trend reports in Firewall Analyzer trace patterns in network behavior and bandwidth usage over time. Analysis of trend reports gives better insight into the nature of web site traffic or network traffic, and helps you make decisions on capacity planning, business risk assessment, bandwidth management, traffic shaping, and network security posture.

SonicWall Traffic Trend Report - ManageEngine Firewall Analyzer

SonicWall VPN monitoring

VPN trend reports show trends in the number of VPN connections accessed through the SonicWall firewall on a historical and current basis. VPN trends are especially useful in troubleshooting VPN connections, and identifying security risks.

Sonicwall Monitor VPN Traffic - ManageEngine Firewall Analyzer

SonicWall bandwidth monitoring

Firewall Analyzer for SonicWall provides you a unique way to monitor the Internet traffic of the network in near real-time. Firewall traffic data is collected and analyzed to get granular details about the traffic across each firewall. There is no requirement for any probes or collection agents to get these details on the traffic.

SonicWall Traffic Monitoring & Management - ManageEngine Firewall Analyzer

SonicWall traffic analyzer

Firewall Analyzer acts as a SonicWall Firewall Bandwidth Management tool and measures network traffic based on the analysis of logs received from SonicWall firewalls (SonicWall Bandwidth Usage Report). Firewall logs are collected, archived, and analyzed to get granular details about traffic (SonicWall Firewall Bandwidth Monitor) across SonicWall firewall devices.


SonicWall Network Traffic Analyzer - ManageEngine Firewall Analyzer

Employee internet usage monitoring

With Firewall Analyzer you can monitor SonicWall traffic and can maximize the business usage of Internet bandwidth using the employee Internet monitoring report. You can fine-tune the Firewall policies to block or restrict bandwidth guzzling web sites and in turn effectively control the employee Internet usage. This will ensure that the bandwidth is available for smooth functioning of the business.

Employee Internet Usage Monitoring

SonicWall security audit

Firewall Analyzer for SonicWall  provides elaborate compliance report for the Firewall devices. The report helps to configure the Firewall rules, which will prevent potentially dangerous access to network and allow only those network hosts that are required. The issues are assessed and the results are presents as statistics.

SonicWall Firewall Security - ManageEngine Firewall Analyzer

Securepoint firewall alerts

Apart from exhaustive firewall reports with respect to network security, Firewall Analyzer offers comprehensive alarms and their notifications.

Alarms can be generated for an anomalous security criteria, bandwidth values, and any normal criteria of security interest.

Alarms can be notified via email and SMS. It can trigger a script to achieve various threat mitigation activities. Alarms are also displayed in the UI screen.

SonicWall Firewall Alarm Alerts - ManageEngine Firewall Analyzer

 If you are looking for more on SonicWALL log management, Firewall Analyzer provides comprehensive SonicWALL firewall log management feature: Click here to know how.

SonicWall supported versions

CompanyFirewall/VersionWELF CertifiedOther Log Format
SonicWallSonic OS 5.8.x and above (supports ' IPFIX with extensions ')AvailableAvailable

Steps to Configure

For detailed steps about how to configure Firewall Anlayzer with SonicWall's firewall appliance you can refer this link here


Related links


SonicWall basic configuration step by step (part 1)

SonicWall Manager-Ready Reports That Only Show Actual User Web Browsing

"I tested at least a dozen products before being introduced to Cyfin; I spent a lot of time working with other vendors' Sales and Support staff trying to make their systems do what Wescast required. I can honestly say that all the vendors tried their best to assist me but sometimes you cannot make systems do something they were not meant to do. I wish I had known about the Cyfin product from the start, the description alone would have steered me towards it first and I could have saved a lot of time.

I can honestly say there are a lot of great products available that claim they can provide Internet usage reports, but this is usually a bolt-on feature to a more robust system that provides reports on Web, FTP, firewall traffic, and so on. If you are really serious about monitoring Internet usage you need a product that focuses on this area. Cyfin is that product!

–Mick Montgomery, Wescast Industries Inc., Canada


You will also be interested:

How to monitor user activity with a sonicwall tz205?

SonicWall/Dell solutions:

SonicWall makes two product, ViewPoint (included in the Comprehensive Security bundle license) and Analyzer, that aren't too expensive (~$200USD), and will do exactly what you wish in a very easy to use way.

If you don't want to invest, you may be licensed:

Take a look here:

Referring to the administrators guide, interesting parts are:

  • page 99, 630 (Enabling packetmonitor checkbox)
  • Part 18
  • Part 20 (chapter 85)
  • Page 1368 (Dashboard > Real-Time Monitor and App Flow Monitor)
  • Page 1373 (ViewPoint)

Analyzing traffic flows might be of interest, but is much more robust/granular:

I use flow probe/generator (netflow/argus) and a free project called flow-inspector. This is not as simple as proxy logs.

Maybe watching DNS will help:

Not exactly what you were looking for, but monitoring DNS lookups is valuable. This can likely most easily be done by using something to parse logs produced by your DNS server.


If you already haven't done so, I suggest restricting outgoing traffic by firewall policy, then filtering and tracking that traffic.


288 289 290 291 292