SonicWall firewall user auditing and management
Monitoring firewall user account activities, such as adding or deleting users or changing their privilege levels, helps track unusual account changes. Keeping tabs on these activities is vital for securing the network against malicious attacks and threats.
EventLog Analyzer presents all user logon and account activities in simple, predefined reports with in-depth information. Administrators can create alert profiles to instantly receive notifications about changes of any type.
Firewall logon reports:
These out-of-the-box reports monitor all successful and failed user logon attempts. Logon reports are categorized by user and by source. Trend reports on successful and failed logons are also available.
Successful Logons | Failed Logons | Top Successful Logons from Source | Top Successful Logons by Users | Top Failed Logons from Source | Top Failed Logons by Users | Successful Logons Trends | Failed Logons Trends
Firewall account management reports:
These reports present all user-based information, such as new and deleted users and changes in user privilege levels. Account management reports help administrators conduct audit trails of firewall users and their activities.
Users Added | Users Deleted | Users Modified | Users Disabled | Users Enabled | User Privilege Changed
How can I track which users or IP addresses are accessing a certain website using AppFlow?
12/20/2019
This article describes how to track which Users or IP addresses are accessing a certain website using AppFlow Monitor on Dashboard.
NOTE: Before following this KB, please ensure that AppFlow is enabled. See: Enabling the Real-Time Monitor and AppFlow Collection in SonicOS Enhanced (KB 170503566814827).
- Log in to your SonicWall management page and click the Investigate tab at the top of the page.
- Navigate to the AppFlow Logs page. Select the 'URLs' tab and, in Group by, select Domain Name from the drop-down list.
- Click the website you want to track and click the Filter option. In this example we use the URL www.junk.com. This limits the information under all the other tabs to www.junk.com.
- Click the Users tab. It shows all the users who tried to access www.junk.com.
- Clicking a username shows the IP address.
Enable SonicWall DPI-SSL
With most of the web now using HTTPS, DPI-SSL is not only an essential technology for protecting your network from threats transmitted over HTTPS, but also for reporting on web usage traffic. Without SonicWall’s DPI-SSL feature enabled, only the domain of a website will be logged (e.g. www.google.com) but not the full URL (e.g. www.google.com/search?q=my+search+term). This is important if you need to report on web searches, YouTube videos, full web pages, or full virus URLs.
Fastvue Reporter also utilizes full URLs for its Site Clean algorithm to clean ‘Junk’ urls from your reports. For example, we don’t want to clean visits to https://www.facebook.com from your reports, but we do want to clean hits to facebook ‘Like’ buttons on other pages. Facebook ‘Like’ buttons come from the URL http://www.facebook.com/plugins/like.php. Without DPI-SSL, SonicWall will only log www.facebook.com, leaving the Site Clean engine unable to clean the ‘like’ buttons from your reports.
Enabling DPI-SSL can be a pain as it requires deploying certificates to all devices that you want to protect and report on. Although this can be achieved relatively easily for devices controlled by AD group policy, it gets tricky for other devices such as BYOD mobile devices, devices on a ‘guest’ network and browsers with their own certificate store (we’re looking at you, Mozilla Firefox!).
In these situations, you can manually email the certificate to users along with installation instructions, post it on an internal website that users can access once logged in (captive portal), or use onboarding tools like Impulse’s SafeConnect which can help in some automation without agent deployment.
Instructions for enabling DPI-SSL vary slightly depending on your SonicOS version, but look for DPI-SSL, Deep Packet Inspection or Decryption Services in the left-hand menu. For testing, create an Address Object that includes a few host machines you would like to test with, and then include this object in your DPI-SSL settings. Once you’re happy everything is working, you can easily change this to a broader group.
DPI-SSL Logging Issues
Earlier versions of SonicOS had some logging issues when DPI-SSL was enabled, affecting the accuracy and detail of web traffic in your reports. Fortunately, SonicWall fixed these in SonicOS 6.5.
If you’re running SonicOS 6.2.7 and below, please be aware of these two issues:
Enable Name Resolution
Even if you have authentication enabled, you may have certain traffic excluded from authentication such as Windows and virus updates, guest networks, BYOD devices etc. In these situations, Fastvue Reporter for SonicWall will attempt to resolve the IP addresses, however it is a good idea to get SonicWall to log the resolved IP address instead. This will save the extra lookups from your Fastvue server, and/or any extra DNS configuration that is required for the Fastvue Server to resolve IPs in the first place.
On your SonicWall device, go to Log Settings | Name Resolution and ensure you have a Name Resolution method set and the DNS servers correctly configured.
Enable Referrer URL Logging
One of the major inputs to Fastvue’s Site Clean engine is referrer URLs, which SonicWall added support for in SonicOS version 188.8.131.52.
Ensure you are running SonicOS 184.108.40.206 or above, and that your logging format is set to ‘Enhanced Syslog’ with all fields selected (specifically the ‘Notes’ field, as this is where the referrer URL is logged).
SonicWall will then log referrer URLs for HTTP requests, which helps the Fastvue Site Clean engine better determine the websites actually visited by your users and remove the background websites from your reports.
Note: SonicWall released hotfix SonicOS 220.127.116.11-23n–HF187283 to fix an issue where referrer URLs were not logged for DPI-SSL traffic. We believe this has been rolled into SonicOS 18.104.22.168 and above.
Block the QUIC Protocol
Google, owning many web properties as well as a popular web browser with Chrome (currently used by 60% of the population), decided to take web speed into their own hands and introduce a new protocol between their browser and their servers. This is called QUIC and works over UDP.
Although this is great for the web development community generally, it is not great for firewalls as it impacts on the accuracy of logging and reporting. For now, this only affects Google web properties such as YouTube, Google Search and Gmail, but it may be adopted by other websites moving forward.
Fortunately, SonicWall enables you to disable the QUIC protocol for your network, and then Google Chrome will fall back to using normal https.
You can do this via SonicWall’s Application Control Advanced page, or use a standard firewall rule to block UDP port 443.
To block QUIC using SonicWall’s Application Control:
- Go to Security Services | Application Control (or Rules | Advanced Application Control in SonicOS 6.5 and above).
- Select Category = Infrastructure, and edit the Google QUIC application.
- Select Block = Enable.
You can also disable QUIC in Google Chrome directly by typing chrome://flags in the address bar and setting Experimental QUIC protocol to Disabled.
Without the QUIC protocol disabled, you may see inaccurate bandwidth and browsing time figures for Google web properties.
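The three logging gaps described above (domain-only HTTPS records when DPI-SSL is not covering a client, embedded resources that a referrer-based Site Clean should drop, and UDP/443 QUIC flows that never appear as web-access records) can be checked directly against the unit's Enhanced Syslog output. The following is an added example written for this page; it is not Fastvue's or SonicWall's code. The sample lines are constructed, and the field names used (dstname, arg, Notes, proto, usr) and the "Referer: <url>" shape of the Notes field are assumptions to verify against your own unit's logs.

```python
"""Logging-quality checks over SonicWall-style Enhanced Syslog records.

Added example, not Fastvue's or SonicWall's code. It looks for three
reporting blind spots: HTTPS records that carry only a domain (DPI-SSL is
not covering that client), embedded resources that a referrer-based Site
Clean would drop, and UDP/443 (QUIC) flows that never show up as web-access
records. Field names (dstname, arg, Notes, proto, usr) and the sample lines
are constructed; check them against your own unit's output.
"""
import re
from urllib.parse import urlsplit

# Constructed sample records (not captured from a real device).
SAMPLE_LOGS = [
    # Full URL present: DPI-SSL is decrypting this client's HTTPS traffic.
    'id=firewall sn=EXAMPLE0001 time="2020-03-26 10:00:01" pri=6 c=1024 m=97 '
    'msg="Web site access allowed" src=10.0.0.5:51000:X0 dst=198.51.100.10:443:X1 '
    'proto=tcp/https dstname=www.google.com arg=/search?q=my+search+term usr="sv\\prasad" Notes=""',
    # Same site, domain only: this client is not covered by DPI-SSL.
    'id=firewall sn=EXAMPLE0001 time="2020-03-26 10:00:02" pri=6 c=1024 m=97 '
    'msg="Web site access allowed" src=10.0.0.9:51001:X0 dst=198.51.100.10:443:X1 '
    'proto=tcp/https dstname=www.google.com arg= usr="" Notes=""',
    # Plain HTTP page with no referrer: a real visit.
    'id=firewall sn=EXAMPLE0001 time="2020-03-26 10:00:03" pri=6 c=1024 m=97 '
    'msg="Web site access allowed" src=10.0.0.5:51002:X0 dst=198.51.100.20:80:X1 '
    'proto=tcp/http dstname=www.example.com arg=/news usr="sv\\prasad" Notes=""',
    # Like button pulled in by that page: background traffic, not a visit.
    'id=firewall sn=EXAMPLE0001 time="2020-03-26 10:00:03" pri=6 c=1024 m=97 '
    'msg="Web site access allowed" src=10.0.0.5:51003:X0 dst=198.51.100.30:80:X1 '
    'proto=tcp/http dstname=www.facebook.com arg=/plugins/like.php usr="sv\\prasad" '
    'Notes="Referer: http://www.example.com/news"',
    # UDP/443 flow (QUIC): never appears as a web-access record at all.
    'id=firewall sn=EXAMPLE0001 time="2020-03-26 10:00:04" pri=6 c=1024 m=98 '
    'msg="Connection Opened" src=10.0.0.5:52000:X0 dst=198.51.100.10:443:X1 proto=udp/443',
]

# key=value pairs; quoted values may contain spaces, unquoted ones run to whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Turn one Enhanced Syslog line into a dict of field -> value."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def dst_port(rec):
    """Destination port from the dst=ip:port:iface field, or None."""
    parts = rec.get("dst", "").split(":")
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None


def is_web_access(rec):
    return rec.get("msg", "").startswith("Web site access")


def domain_only_https(records):
    """Web-access records over TCP/443 with no URL path: a client that only ever
    produces these is not being decrypted by DPI-SSL."""
    return [r for r in records if is_web_access(r) and dst_port(r) == 443 and not r.get("arg")]


def site_of(host):
    """Crude site key: last two DNS labels (www.facebook.com -> facebook.com).
    A simplification; a production engine would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def referrer_of(rec):
    """Referrer URL from the Notes field, if the unit logged one (format assumed)."""
    match = re.search(r"Referer:\s*(\S+)", rec.get("Notes", ""))
    return match.group(1) if match else None


def classify_visit(rec):
    """'visited' when there is no referrer or it is on the same site;
    'background' when another site's page pulled this resource in."""
    ref = referrer_of(rec)
    if not ref:
        return "visited"
    ref_host = urlsplit(ref).hostname or ""
    return "visited" if site_of(ref_host) == site_of(rec.get("dstname", "")) else "background"


def quic_candidates(records):
    """UDP flows to port 443: QUIC sessions whose bandwidth and browsing time
    URL-based web reports never see."""
    return [r for r in records if r.get("proto", "").startswith("udp") and dst_port(r) == 443]


def audit(lines):
    """Summarize the three blind spots over a batch of log lines."""
    recs = [parse_record(line) for line in lines]
    web = [r for r in recs if is_web_access(r)]
    return {
        "domain_only_https_clients": sorted({r["src"].split(":")[0] for r in domain_only_https(recs)}),
        "visited": [r["dstname"] + r.get("arg", "") for r in web if classify_visit(r) == "visited"],
        "background": [r["dstname"] + r.get("arg", "") for r in web if classify_visit(r) == "background"],
        "quic_clients": sorted({r["src"].split(":")[0] for r in quic_candidates(recs)}),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run against a day of real syslog, a client that appears only in `domain_only_https_clients` is one whose browser is not trusting the DPI-SSL certificate, and any client in `quic_clients` still has Chrome talking QUIC despite the Application Control rule; both are the symptoms (IP addresses instead of URLs, undercounted Google bandwidth) the text warns about.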
Getting started with Fastvue Reporter for SonicWall is very easy, but once you start digging into the reports, you may discover issues such as users showing as IP addresses instead of usernames, blank ‘search term’ reports, blank productivity reports, reports cluttered with advertising and other junk, or inaccurate bandwidth figures.
Ensuring you’re on the latest SonicOS (we recommend SonicOS 6.5 and above) and enabling the features above will give you the best configuration from a logging and reporting perspective, and improve your ability to protect and secure your network.
How can I generate a detailed report on the browsing activity of a particular user?
03/26/2020
This article explains one way to access the full details available in GMS for a particular user. Other methods may exist to obtain a similar result. It also explains how to filter reports to obtain only the information that you need.
In this example we will follow the user Prasad and get details for a particular website he browsed: www.visitor-track.com. We will be able to see when he visited this website and what URLs he visited.
- We will start from the Top Sites report, under Web Activity. First, we filter the report by user by adding a filter ("plus" button in the top left corner) on user name in the format "domain\user", in this case: user=sv\prasad.
NOTE: Using the floppy disk button to the left of the filter lets you save this particular report configuration for later use. Saved reports can be found under the Custom Reports category and can also be used to configure Scheduled Reports, which are sent by email.
- Now that our report is filtered by user, we want more information on the browsing activity on the website www.visitor-track.com. For this, we can simply click on the website name and the report will be filtered to show details for this particular site only.
- The report we now have does not provide enough information. To access all details (raw syslogs), right-click on the website name and then click Drilldown. You will now see all information sent by the unit to GMS/Analyzer regarding this particular user and website.
- From this report, it is easy to view details for all users or all websites: a click on the small cross after a filter removes it, and a click on the red cross at the end of the filter bar removes all filters. Click on the arrow to submit your new filter.
As always with GMS/Analyzer, the report data is updated up-to-the-second. The capture below would show you all browsing activity for the user sv\prasad in near real-time.
NOTE: CFS enforcement is mandatory for these reports. For CFS 4.0, see CFS 4.0 Overview; for CFS 3.0, see CFS 3.0 Overview.
SonicWall firewall rules/policies, configuration & log analyzer
Gaining Internet activity insights and keeping abreast of security events is a challenging task, as the security appliance generates a huge quantity of security and traffic logs. Firewall Analyzer's reporting capability for SonicWall firewall appliances fits like a glove, enabling you to strengthen network security. Firewall Analyzer lets you collect, archive, and analyze SonicWall device logs and generate security and forensic reports.
SonicWall network security and capacity management
With Firewall Analyzer for SonicWall, you can access pre-defined reports that help in analyzing bandwidth usage and understanding security and network activities. These reports help you study security exposure through top denied hosts, blocked URL hits, attacks, targets, viruses, affected hosts, spam, and receiving hosts.
SonicWall bandwidth capacity planning
Trend reports in Firewall Analyzer trace patterns in network behavior and bandwidth usage over time. Analysis of trend reports gives better insight into the nature of web site traffic or network traffic, and helps you make decisions on capacity planning, business risk assessment, bandwidth management, traffic shaping, and network security posture.
SonicWall VPN monitoring
VPN trend reports show trends in the number of VPN connections accessed through the SonicWall firewall on a historical and current basis. VPN trends are especially useful in troubleshooting VPN connections, and identifying security risks.
SonicWall bandwidth monitoring
Firewall Analyzer for SonicWall provides you a unique way to monitor the Internet traffic of the network in near real-time. Firewall traffic data is collected and analyzed to get granular details about the traffic across each firewall. There is no requirement for any probes or collection agents to get these details on the traffic.
SonicWall traffic analyzer
Firewall Analyzer acts as a SonicWall Firewall Bandwidth Management tool and measures network traffic based on the analysis of logs received from SonicWall firewalls (SonicWall Bandwidth Usage Report). Firewall logs are collected, archived, and analyzed to get granular details about traffic (SonicWall Firewall Bandwidth Monitor) across SonicWall firewall devices.
Employee internet usage monitoring
With Firewall Analyzer you can monitor SonicWall traffic and can maximize the business usage of Internet bandwidth using the employee Internet monitoring report. You can fine-tune the Firewall policies to block or restrict bandwidth guzzling web sites and in turn effectively control the employee Internet usage. This will ensure that the bandwidth is available for smooth functioning of the business.
SonicWall security audit
Firewall Analyzer for SonicWall provides an elaborate compliance report for the firewall devices. The report helps you configure firewall rules that prevent potentially dangerous access to the network and allow only those network hosts that are required. The issues are assessed and the results are presented as statistics.
Securepoint firewall alerts
Apart from exhaustive firewall reports with respect to network security, Firewall Analyzer offers comprehensive alarms and their notifications.
Alarms can be generated for anomalous security criteria, bandwidth thresholds, and any other criteria of security interest.
Alarms can be notified via email and SMS. An alarm can also trigger a script to carry out threat mitigation actions. Alarms are also displayed in the UI.
If you are looking for more on SonicWALL log management, Firewall Analyzer provides comprehensive SonicWALL firewall log management feature: Click here to know how.
SonicWall supported versions
| Company | Firewall/Version | WELF Certified | Other Log Format |
| --- | --- | --- | --- |
| SonicWall | Sonic OS 5.8.x and above (supports 'IPFIX with extensions') | | |
Steps to Configure
For detailed steps on how to configure Firewall Analyzer with SonicWall's firewall appliance, refer to this link here.
SonicWall Manager-Ready Reports That Only Show Actual User Web Browsing
"I tested at least a dozen products before being introduced to Cyfin; I spent a lot of time working with other vendors' Sales and Support staff trying to make their systems do what Wescast required. I can honestly say that all the vendors tried their best to assist me but sometimes you cannot make systems do something they were not meant to do. I wish I had known about the Cyfin product from the start, the description alone would have steered me towards it first and I could have saved a lot of time.
I can honestly say there are a lot of great products available that claim they can provide Internet usage reports, but this is usually a bolt-on feature to a more robust system that provides reports on Web, FTP, firewall traffic, and so on. If you are really serious about monitoring Internet usage you need a product that focuses on this area. Cyfin is that product!
–Mick Montgomery, Wescast Industries Inc., Canada
SonicWall makes two products, ViewPoint (included in the Comprehensive Security bundle license) and Analyzer, that aren't too expensive (~$200USD), and will do exactly what you wish in a very easy to use way.
If you don't want to invest, you may be licensed:
Take a look here: http://www.sonicwall.com/us/en/products/TZ_205.html#tab=resources
Referring to the administrators guide, interesting parts are:
- Page 99, 630 (Enabling packet monitor checkbox)
- Part 18
- Part 20 (chapter 85)
- Page 1368 (Dashboard > Real-Time Monitor and App Flow Monitor)
- Page 1373 (ViewPoint)
Analyzing traffic flows might be of interest, but is much more robust/granular:
I use flow probe/generator (netflow/argus) and a free project called flow-inspector. This is not as simple as proxy logs.
Maybe watching DNS will help:
Not exactly what you were looking for, but monitoring DNS lookups is valuable. This can likely most easily be done by using something to parse logs produced by your DNS server.
If you already haven't done so, I suggest restricting outgoing traffic by firewall policy, then filtering and tracking that traffic.