Configuration options for SonicWall

Review configuration options for SonicWall firewalls in RocketCyber

SonicWall log reporting is done differently than its competitors. The logs related to specific events, which can then be generally grouped by behaviours.

In addition, SonicWall also has groups of events that are the same event with different levels of certainty (e.g. attack - low confidence, attack - high confidence).

As a result, there are significantly more options for SonicWall than other vendors, since the events are broken out rather than being grouped in categories. We have listed all generally security-relevant event types. Because these are specific events rather than categories, it is easier to decide whether each is relevant to you.

These are all legitimate security concerns, so if you are on the Pro plan and not sure which to select, it is reasonable to leave them all enabled or disable only the low-confidence alerts.

In general, it is a bad idea to disable things with "attack" in the name. Disabling low confidence detections or reminders of expirations (e.g. "AV Expired") may be reasonable depending on your particular situation

Log Format

The expected format for SonicWall logs is space-separated.  For example

<134> id=MIT_PF_RTR07 sn=187777777164 time="2020-01-09 17:08:35 UTC" fw= pri=6 c=267744 gcat=6 m=98 msg="Connection Opened" src= natSrc= dst= natDst= proto=tcp/https sent=52 n=1577775 fw_action="NA" dpi=0

Have more questions?

Contact us

Was this article helpful?
0 out of 0 found this helpful

Provide feedback for the Documentation team!

Browse this section