NSA 3700 7.0.1-5050 syslog website accessed
MarchMadness Newbie ✭
I have syslog configured and receiving data. The raw entries for syslog website accessed (set to inform) is not showing pass traffic. I am only seeing raw data for fw_action=drop.
Support wants me to upgrade to fw 7.0.1-5095 then they will submit a bug report.
Before I do that I wanted to ask the community.
I did disable CFS and still saw the same raw entries for drops so it is not a CFS policy dropping.
Category: High End Firewalls
Hey! You will be signed out in 60 seconds due to inactivity. Click here to continue using the site.
So what is the question?
Is it a bug or setting to show all web traffic in syslog not just dropped traffic?
In my case it's not CFS dropped traffic. Not sure why the traffic has fw_action=drop and that's the only web traffic that is showing in syslog data using enhanced syslog format.
Please provide an example of the syslog message, and show what your logging settings are for entries under Network \ Network Access.
here's an example syslog message:
Message : id=xxxxxx sn=xxxxxx time="2023-01-11 21:44:23 UTC" fw=w.x.y.z pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=macaddress src=LANIP:51368:X0 srcZone=Trusted natSrc=w.x.y.z dstMac=macaddress dst=126.96.36.199:443:X1 dstZone=Untrusted natDst=188.8.131.52:443 usr="username" proto=tcp/https sent=4264 rcvd=7388 sess="Auto" rule="Default Access Rule" app=7927 dstname=graph.microsoft.com arg=/ code=27 Category="Information Technology/Computers" note="Policy: cfsUserPolicy0, Info: 6148 " n=627072623 fw_action="drop" dpi=1
Network Access Log Settings.
The msg = "Web site hit" from what I understand is from Log Setting; Log\syslog\syslog website accessed
If I disable CFS, traffic like "web site hit" will still show in syslog as drop.
For clarity, you want the syslog 'Web Site Hit' messages to show allowed traffic. Not sure if that's a thing, you might get it from another setting.
Have you tried setting the logging level to debug for Syslog \ Syslog Website Accessed? Or enabling Syslog on Network \ Network Access \ Packet Allowed?
correct. web site hit should show non-dropped traffic, not destinations in CFS allowed policy but rather all other web traffic that traverses the sonicwall. Remember viewpoint? It had reports for web traffic. I have a similar report in my syslog app but of course my dilemma is i can't get web site traffic to appear - it's not coming in the syslog packets.
i tried the packet allowed and that doesn't show http lan to wan traffic. I also tried the debug level for syslog website accessed and i'm getting the same content - dropped traffic, mgmt traffic.
I'm going to update firmware and see if that resolve this issue.