
SonicWall Firewall

The SonicWall Firewall application normalizes SonicWall Firewall events. LogPoint aggregates and normalizes the SonicWall Firewall logs so you can analyze the information and monitor the security status of your organization through the dashboard. The SonicWall Firewall dashboard visualizes event details for malicious IP addresses, severities, user activities, bandwidth usage, and administrative tasks detected by the firewall on your network. You can customize the dashboard to suit your needs and perform in-depth analysis by adjusting the data and searches.

For Logpoint version:

6.7.0 or later 6.0.0 to 6.6.6
Release Details
Version: 5.1.0
Release date: 2022-04-13
Document date: 2022-04-13
SHA 256: b3693437db496e2a844aa63af564c661fa25d01b5fcaafea037431893b6fd7ea
Download

Package Details

Enhancements

  • Changed the severity field to log_level in the SonicWall Firewall logs to maintain consistency with other application packages.
    Issue ID: KB-16189. Reference ID: 62864

  • Made the following changes in the SonicWall Firewall VPN logs to make them compatible with LogPoint UEBA:
      • Added the VPN label.
      • Added the User and Authentication labels.
      • Added the status field.

    Renamed the following fields to maintain consistency:

    Former Field Name | New Field Name
    packet_sent | sent_packet
    packet_received | received_packet
    bytesTotal | datasize
    bytesOut | sent_datasize
    bytesIn | received_datasize
    packetsTotal | packet
    packetsIn | received_packet
    packetsOut | sent_packet

    Issue ID: KB-16379. Reference ID: -

Bug Fix

  • The user field in the SonicWall Firewall VPN logs previously captured the user details instead of the username.
    Issue ID: -. Reference ID: -

Installation 

To install SonicWall Firewall v5.1.0:

  1. Download the .pak file from the Download section in the Release Details table.
  2. Add SonicWall Firewall as a device in LogPoint.
  3. Create a collection policy with the Syslog collector and an appropriate processing policy. 
  4. Assign the policy to the device.
  5. Add the dashboard.


Supported Devices

  • STOSonicWall Firewall version 6.x and above
  • Secure Mobile Access SonicWall SRA EX7000 

Log Formats

Expected Log Format: SonicWall VPN

Sample:

id=sslvpn sn=C0EAE49CC0F0 time="2022-01-20 04:00:23" fw=1.1.1.1 pri=5 c=16 m=526 msg="Web management request allowed" dur=0 n=12345678 src=1.1.1.3:123456:X0 dst=1.1.1.3:80:X1 user_agent=abc.net proto=tcp/http sent=48 dpi=0 fw_action="NA"'

<134>id=firewall sn=xxxxx fw=1.1.1.5 time="2022-01-19 18:05:44" pri=1 c=32 m=609 msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 n=3 src=1.1.1.1 dst=1.1.1.4

Expected Log Format: SonicWall Aventail

Sample:

Jul 2 09:22:15 AventailSSLVPN-node2 logserver: [02/Jul/2018:09:19:15.380825 +0200] AventailSSLVPN-node2 000000 kt 00000000 Info Audit Src='192.168.1.1:4912' Auth='-' User='(xxxxx)@(LBW Inern)' SocksVersion='0x101' Command='Flow:TCP' Dest='19.26.219.132:445' Error='0xffffff92' SrcBytes='152' DstBytes='0' Duration='70' VirtualHost='-' PlatformPrefix='W' EquipmentId='3S70WNHA433' AppNumber='0'

Expected Log Format: SonicWall Firewall

Sample:

id=firewall sn=xxxxx fw=192.168.2.15 time="2016-08-19 18:05:44" pri=1 c=32 m=609 msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 n=3 src=192.168.3.180:2907 dst=192.168.2.11:53
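
A minimal parser for the SonicWall key=value syslog layout shown in the samples above, added here as an illustration; it is not LogPoint's normalizer and it emits the raw keys, not LogPoint's normalized field names. The function names and the src_/dst_ output keys are assumptions of this example, and endpoints are treated as IPv4 only.

```python
import ipaddress
import re

PRI_RE = re.compile(r"^<(\d{1,3})>")              # optional syslog PRI prefix
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # key="quoted value" or key=bare

def split_endpoint(value):
    """Split 'ip[:port[:interface]]' as seen in src= and dst= (IPv4 only)."""
    parts = value.split(":")
    out = {"ip": None, "port": None, "iface": None}
    try:
        out["ip"] = str(ipaddress.ip_address(parts[0]))
    except ValueError:
        return out                                # not an address: trust nothing
    # Accept the port only if it is a number in the valid range.
    if len(parts) > 1 and parts[1].isdecimal() and int(parts[1]) <= 65535:
        out["port"] = int(parts[1])
    if len(parts) > 2 and parts[2]:
        out["iface"] = parts[2]
    return out

def parse_sonicwall(line):
    """Parse one SonicWall syslog line into a dict of raw fields."""
    event = {}
    m = PRI_RE.match(line)
    if m:
        # Syslog PRI = facility * 8 + severity
        event["syslog_facility"], event["syslog_severity"] = divmod(int(m.group(1)), 8)
        line = line[m.end():]
    for key, quoted, bare in KV_RE.findall(line):
        event[key] = quoted or bare
    for side in ("src", "dst"):
        if side in event:
            for name, val in split_endpoint(event[side]).items():
                event[f"{side}_{name}"] = val     # hypothetical output keys
    return event

# Sample lines copied from the log samples on this page.
SAMPLES = [
    '<134>id=firewall sn=xxxxx fw=1.1.1.5 time="2022-01-19 18:05:44" pri=1 c=32 m=609 '
    'msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 '
    'n=3 src=1.1.1.1 dst=1.1.1.4',
    'id=firewall sn=xxxxx fw=192.168.2.15 time="2016-08-19 18:05:44" pri=1 c=32 m=609 '
    'msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 '
    'n=3 src=192.168.3.180:2907 dst=192.168.2.11:53',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_sonicwall(sample))
```

A port outside 0-65535, such as the one in the SonicWall VPN sample's src value, is left as None instead of being passed on as a number.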

Documentation

The SonicWall Firewall v5.1.0 guide is available on the LogPoint Documentation Portal.

 

Changes in the Previous Version

Changes in SonicWall Firewall v5.0.2

Enhancement

  • The field agent has been renamed as user_agent for the VPN logs in the compiled normalizer SonicFirewallCompiledNormalizer.
    Issue ID: KB-13976. Zendesk Support ID: 58677

Bug Fix

  • Fixed an issue in the compiled normalizer SonicFirewallCompiledNormalizer where some VPN logs were not normalized.
    Issue ID: KB-13976. Zendesk Support ID: 58677

 

Release Details
Version: 3.4.0
Release date: 2020-05-14
Document date: 2020-05-14
SHA 256: 6a089c8cf580701774820dcb5673d46b2d4de833842d2af96a11c1e6a7476ea5
Download

Package Details

The application consists of the following components:

  1. Dashboard Package
    • LP_Sonicwall Firewall 
  2. Normalization Package
    • LP_SonicWall SMA 
    • LP_SonicWall SMA Process 

Enhancement

A minor update was made to the application’s normalizer for better signature handling.

Installation 

Follow these steps to install the SonicWall Firewall v3.4.0 plugin:

  1. Download the SonicWall Firewall package from the Download section above.
  2. Add SonicWall Firewall as the required device in LogPoint.
  3. Create a collection policy with the Syslog collector and an appropriate processing policy.
  4. Assign the policy to the device.
  5. Add the dashboard.


Supported Devices

The supported devices of SonicWall Firewall with LogPoint in this configuration are:

  • STOSonicWall Firewall version 6.x and above
  • Secure Mobile Access SonicWALL SRA EX7000 Version:11.4.0-468

Log Format

Expected Log Format

Syslog

Log Samples

<190>id=firewall sn=xxxxxxxxxxxxx time="2015-01-19 15:20:20 UTC" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" sess=None n=8348256 src=1.1.1.1:3:X0:dst=1.1.1.1:6:X1:ip1-1-1-1.abc.net proto=tcp/6881 sent=52 rcvd=46 spkt=1 rpkt=1 cdur=200

<190>id=firewall sn=0017xxxxxxxxx time="2015-01-19 14:32:57 UTC" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" f="General HTTPS" sess=None n=8328063 src=1.1.1.1:6:X0:MONITOR-SELKS dst=1.1.1.1:1:X1 proto=tcp/443 sent=838 rcvd=309 spkt=6 rpkt=4 cdur=2250 vpnpolicy="Sixxxxxxxxx_vCloud"

<5>FADT:1487367208,831909,'smith','xxyz',65537,6,0,2422,[1.1.1.1]:49436,1.1.1.2:59534->1.1.1.3:58748,910,2559,'W','-',0

<4>Feb 20 14:12:36 hub kernel: IPv4: martian source 1.1.1.1 from 1.1.1.2, on dev eth1

To export data to LogPoint, use the Syslog collector on port 514 on the LogPoint server.


Support

If you have any queries or require assistance, please feel free to contact our support team: 

Email: servicedesk@logpoint.com
Phone: +45 7060 6100
