SonicWall Firewall
The SonicWall Firewall application normalizes SonicWall Firewall events. LogPoint aggregates and normalizes the SonicWall Firewall logs so you can analyze the information and monitor your organization's security status through the dashboard. The SonicWall Firewall dashboard visualizes event details for malicious IP addresses, severities, user activities, bandwidth usage, and administrative tasks detected by the firewall on your network. You can customize the dashboard to suit your needs and perform in-depth analysis by adjusting the data and searches.
Package Details
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Changed the severity field to log_level in the SonicWall Firewall logs to maintain consistency with other application packages. | KB-16189 | 62864 |
Made the following changes in the SonicWall Firewall VPN logs to make them compatible with LogPoint UEBA: renamed the following fields to maintain consistency: | KB-16379 | - |
Bug Fix
Description | Issue ID | Reference ID |
---|---|---|
The user field in the SonicWall Firewall VPN logs previously captured the user details instead of the username. | - | - |
Installation
To install SonicWall Firewall v5.1.0:
- Download the .pak file from the Download section in the Release Details table.
- Add SonicWall Firewall as a device in LogPoint.
- Create a collection policy with the Syslog collector and an appropriate processing policy.
- Assign the policy to the device.
- Add the dashboard.
Sample Dashboard
Supported Devices
- STOSonicWall Firewall version 6.x and above
- Secure Mobile Access SonicWall SRA EX7000
Log Formats
Expected Log Format Sample
SonicWall VPN
id=sslvpn sn=C0EAE49CC0F0 time="2022-01-20 04:00:23" fw=1.1.1.1 pri=5 c=16 m=526 msg="Web management request allowed" dur=0 n=12345678 src=1.1.1.3:123456:X0 dst=1.1.1.3:80:X1 user_agent=abc.net proto=tcp/http sent=48 dpi=0 fw_action="NA"
<134>id=firewall sn=xxxxx fw=1.1.1.5 time="2022-01-19 18:05:44" pri=1 c=32 m=609 msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 n=3 src=1.1.1.1 dst=1.1.1.4
Expected Log Format Sample
SonicWall Aventail
Jul 2 09:22:15 AventailSSLVPN-node2 logserver: [02/Jul/2018:09:19:15.380825 +0200] AventailSSLVPN-node2 000000 kt 00000000 Info Audit Src='192.168.1.1:4912' Auth='-' User='(xxxxx)@(LBW Inern)' SocksVersion='0x101' Command='Flow:TCP' Dest='19.26.219.132:445' Error='0xffffff92' SrcBytes='152' DstBytes='0' Duration='70' VirtualHost='-' PlatformPrefix='W' EquipmentId='3S70WNHA433' AppNumber='0'
Expected Log Format Sample
SonicWall Firewall
id=firewall sn=xxxxx fw=192.168.2.15 time="2016-08-19 18:05:44" pri=1 c=32 m=609 msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 n=3 src=192.168.3.180:2907 dst=192.168.2.11:53
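To show how the expected key=value format above maps onto normalized fields, here is an added parser (not LogPoint's normalizer or the SonicWall package's own code) run over copies of the VPN and firewall samples. The RENAMES map is an assumption reflecting the field renames listed in the Enhancements tables, and the src/dst split assumes the ip:port:interface layout seen in the samples.

```python
import re
from typing import Dict

# Constructed sample lines, copied in shape from the page's expected-format samples.
VPN_SAMPLE = ('id=sslvpn sn=C0EAE49CC0F0 time="2022-01-20 04:00:23" fw=1.1.1.1 pri=5 c=16 m=526 '
              'msg="Web management request allowed" dur=0 n=12345678 src=1.1.1.3:123456:X0 '
              'dst=1.1.1.3:80:X1 user_agent=abc.net proto=tcp/http sent=48 dpi=0 fw_action="NA"')
IPS_SAMPLE = ('<134>id=firewall sn=xxxxx fw=1.1.1.5 time="2022-01-19 18:05:44" pri=1 c=32 m=609 '
              'msg="IPS Prevention Alert: DNS named version attempt" sid=143 ipscat=DNS ipspri=3 '
              'n=3 src=1.1.1.1 dst=1.1.1.4')

# A value is either double-quoted (may contain spaces) or runs to the next whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Assumed rename map, mirroring the field renames described in the release notes.
RENAMES = {"severity": "log_level", "agent": "user_agent"}
ENDPOINT_FIELDS = ("src", "dst")


def parse_sonicwall(line: str) -> Dict[str, str]:
    """Parse one SonicWall syslog line into a flat dict of normalized fields."""
    event: Dict[str, str] = {}
    # Optional syslog <PRI> prefix; kept separate from SonicWall's own pri= field.
    m = re.match(r"<(\d{1,3})>", line)
    if m:
        event["syslog_pri"] = m.group(1)
        line = line[m.end():]
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        event[RENAMES.get(key, key)] = value
    # Split src/dst of the form ip[:port[:interface[...]]] into separate fields.
    for field in ENDPOINT_FIELDS:
        if field in event:
            parts = event[field].split(":")
            event[field + "_ip"] = parts[0]
            if len(parts) > 1:
                event[field + "_port"] = parts[1]
            if len(parts) > 2:
                event[field + "_interface"] = parts[2]
    return event


def is_ips_alert(event: Dict[str, str]) -> bool:
    """True for IPS Prevention Alert messages, as in the firewall sample above."""
    return event.get("msg", "").startswith("IPS Prevention Alert")
```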
Documentation
The SonicWall Firewall v5.1.0 guide is available on the LogPoint Documentation Portal.
Changes in the Previous Version
Changes in SonicWall Firewall v5.0.2
Enhancement
Description | Issue ID | Zendesk Support ID |
---|---|---|
The agent field has been renamed to user_agent for the VPN logs in the compiled normalizer SonicFirewallCompiledNormalizer. | KB-13976 | 58677 |
Bug Fix
Description | Issue ID | Zendesk Support ID |
---|---|---|
Fixed an issue in the compiled normalizer SonicFirewallCompiledNormalizer where some VPN logs were not normalized. | KB-13976 | 58677 |
Package Details
The application consists of the following components:
- Dashboard Package
  - LP_Sonicwall Firewall
- Normalization Package
  - LP_SonicWall SMA
  - LP_SonicWall SMA Process
Enhancement
A minor update was made to the application's normalizer to improve signature handling.
Installation
Follow these steps to install the Sonicwall Firewall v3.4.0 plugin:
- Download the Sonicwall Firewall package from the Download section above.
- Add Sonicwall Firewall as the required device in LogPoint.
- Create a collection policy with the Syslog collector and appropriate processing policy.
- Assign the policy to the device.
- Add the dashboard.
Screenshots
Supported Devices
The supported devices of SonicWall Firewall with LogPoint in this configuration are:
- STOSonicWall Firewall version 6.x and above
- Secure Mobile Access SonicWALL SRA EX7000, version 11.4.0-468
Log Format
Expected Log Format
Syslog
Log Samples
<190>id=firewall sn=xxxxxxxxxxxxx time="2015-01-19 15:20:20 UTC" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" sess=None n=8348256 src=1.1.1.1:3:X0:dst=1.1.1.1:6:X1:ip1-1-1-1.abc.net proto=tcp/6881 sent=52 rcvd=46 spkt=1 rpkt=1 cdur=200
<190>id=firewall sn=0017xxxxxxxxx time="2015-01-19 14:32:57 UTC" fw=1.1.1.1 pri=6 c=1024 m=537 msg="Connection Closed" f="General HTTPS" sess=None n=8328063 src=1.1.1.1:6:X0:MONITOR-SELKS dst=1.1.1.1:1:X1 proto=tcp/443 sent=838 rcvd=309 spkt=6 rpkt=4 cdur=2250 vpnpolicy="Sixxxxxxxxx_vCloud"
<5>FADT:1487367208,831909,'smith','xxyz',65537,6,0,2422,[1.1.1.1]:49436,1.1.1.2:59534->1.1.1.3:58748,910,2559,'W','-',0
<4>Feb 20 14:12:36 hub kernel: IPv4: martian source 1.1.1.1 from 1.1.1.2, on dev eth1
To export data to LogPoint, use the Syslog collector on port 514 of the LogPoint server.
Support
If you have any queries or require assistance, please feel free to contact our support team:
Email: servicedesk@logpoint.com
Phone: +45 7060 6100