Syslog Messages - Blocked or not?
I am sending logs from Sonicwall TZ470 (SonicOS 7.0.1) to a 3rd party log management system (Graylog) and it generally works very well.
One issue I am seeing is related to Geo-blocking.
I see connections that are successfully Geo-blocked in Sonicwall, and I can see that they do not get passed along to my application. This is great.
The Syslog messages for these connections, though, list the firewall action as "NA" (allowed) rather than "DROP." This is a problem because it looks like these connections are allowed in my log management reports, when they are actually blocked.
My theory is that these connections match a rule allowing traffic, so they are marked as firewall action "NA" with a syslog message, then further processing blocks them because they match the GeoIP rule. I do see a further log message that the connection is dropped, but it seems to me like there should never be an "NA" message because the connection isn't passed on.
Here's an example of two messages:
<109> id=firewall sn=123456789ABC time="2023-02-14 11:34:37" fw=X.X.X.X pri=5 c=0 gcat=6 m=1197 msg="NAT Mapping" src=XXX.YYY.ZZZ.4:35071:X1 srcZone=WAN natSrc=XXX.YYY.ZZZ.4:35071 dst=AAA.BBB.200.18:53:X0 dstZone=LAN natDst=X.X.X.X:53 proto=udp/dns sent=72 rule="25 (WAN->LAN)" app=2 note="Source: XXX.YYY.ZZZ.4, 35071, Destination: X.X.X.X, 53, Protocol: 17" n=4834210 fw_action="NA" dpi=0
<105> id=firewall sn=123456789ABC time="2023-02-14 11:34:37" fw=X.X.X.X pri=1 c=0 gcat=3 m=1198 srcMac=aa:bb:cc:11:22:33 src=XXX.YYY.ZZZ.4:35071:X1 srcZone=WAN natSrc=XXX.YYY.ZZZ.4:35071 dstMac=dd:ee:ff:44:55:66 dst=AAA.BBB.200.18:53:X0 dstZone=LAN natDst=X.X.X.X:53 proto=udp/dns rcvd=72 rule="25 (WAN->LAN)" app=2 msg="Initiator from country blocked: Initiator IP:XXX.YYY.ZZZ.4 Country Name:Republic of Internet Attacks" n=170982 fw_action="drop"
I'm interpreting the first rule as meaning the connection is allowed, and the second as meaning the connection is blocked.
Is that a correct interpretation? Any ideas on how to avoid the false reporting that a connection is allowed?
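As an added example (not from the post or from SonicWall), this is one way a log pipeline can reconcile the two messages above: parse the key=value fields, group messages by the src/dst/proto tuple, and let any fw_action="drop" for that connection override the earlier "NA" from the NAT Mapping message. The sample lines are constructed from the ones quoted in the post; grouping only on the flow tuple (without a time window) is a simplifying assumption.

```python
import re

# Constructed sample messages modelled on the two lines quoted in the post
# (placeholder addresses, as in the original); a third, unrelated flow only
# ever produced a NAT Mapping message.
SAMPLE_LOGS = [
    '<109> id=firewall sn=123456789ABC time="2023-02-14 11:34:37" fw=X.X.X.X pri=5 c=0 gcat=6 m=1197 '
    'msg="NAT Mapping" src=XXX.YYY.ZZZ.4:35071:X1 srcZone=WAN dst=AAA.BBB.200.18:53:X0 dstZone=LAN '
    'proto=udp/dns rule="25 (WAN->LAN)" n=4834210 fw_action="NA" dpi=0',
    '<105> id=firewall sn=123456789ABC time="2023-02-14 11:34:37" fw=X.X.X.X pri=1 c=0 gcat=3 m=1198 '
    'src=XXX.YYY.ZZZ.4:35071:X1 srcZone=WAN dst=AAA.BBB.200.18:53:X0 dstZone=LAN proto=udp/dns '
    'msg="Initiator from country blocked: Initiator IP:XXX.YYY.ZZZ.4 Country Name:Republic of Internet Attacks" '
    'n=170982 fw_action="drop"',
    '<109> id=firewall sn=123456789ABC time="2023-02-14 11:35:02" fw=X.X.X.X pri=5 c=0 gcat=6 m=1197 '
    'msg="NAT Mapping" src=XXX.YYY.ZZZ.9:40000:X1 srcZone=WAN dst=AAA.BBB.200.18:53:X0 dstZone=LAN '
    'proto=udp/dns rule="25 (WAN->LAN)" n=4834211 fw_action="NA" dpi=0',
]

# key=value pairs: the value is either double-quoted (may contain spaces, ':' and
# parentheses, e.g. msg="..." or rule="25 (WAN->LAN)") or a bare run of non-space chars.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_sonicwall(line):
    """Return the key=value fields of one SonicOS syslog line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields

def flow_key(fields):
    """Identify a connection by src, dst and protocol (src/dst look like ip:port:iface)."""
    return (fields["src"], fields["dst"], fields["proto"])

def resolve_verdicts(lines):
    """Per flow: start as 'allowed' (the NA message) and flip to 'blocked' on any drop."""
    verdicts = {}
    for line in lines:
        f = parse_sonicwall(line)
        entry = verdicts.setdefault(flow_key(f), {"action": "allowed", "reason": None, "ids": []})
        entry["ids"].append(f.get("m"))        # event ids seen for this flow, e.g. 1197, 1198
        if f.get("fw_action", "").lower() == "drop":
            entry["action"] = "blocked"
            entry["reason"] = f.get("msg")     # e.g. the Geo-IP block reason
    return verdicts

if __name__ == "__main__":
    for key, v in resolve_verdicts(SAMPLE_LOGS).items():
        print(key, v["action"], v["ids"], v["reason"])
```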
Best Answer
e__n Newbie ✭
I figured it out. Apparently I have the Syslog configured to send only "notice" or higher priority messages. Connection opened was set to Inform. I changed it to Notice and I am now receiving the messages! Hopefully this will help with my initial query of defining accepted and dropped connections within my SIEM tool.
Answers
Hey @e__n
Your theory is correct. Access Rule lookup comes before the Geo-IP Filter check.
-Mustafa
@MustafaA thank you very much for the reply. That is useful information.
Do you know if there is documentation around Syslog messaging as it relates to firewall rule processing?
My current conundrum is that it appears that all traffic gets a NAT rule Syslog message, but no NAT rule Syslog messages will indicate if traffic is blocked by any kind of firewall rule.
Firewall Syslog messages only show blocked traffic and do not show allowed traffic at all.
Because of this, it seems like I can't get a clear picture of blocked vs. allowed traffic. If I rely on NAT rule messages, all traffic is allowed. If I rely on firewall messages, all traffic is blocked. If I consider both, traffic could be shown as both allowed and blocked, which is where I am at today, and is confusing.
QUESTION: Is there a way to configure the Syslog messages so that firewall messages show both allowed and blocked messages? I have searched but cannot find anything.
Because this is perhaps a limit of Syslog, I went ahead and set up an IPFIX output to my 3rd party SIEM, however, the messages contained in that stream don't show any blocked or allowed, just source and destination information such as IP addresses, ports, interfaces and bytes transferred.
QUESTION: Is there a way to configure IPFIX messages to show firewall information as in whether or not a connection was blocked, and by what policy? I currently have "flow reporting" enabled on all my WAN rules, and I have taken it off of the interfaces, but still the messages are only very basic source and destination IP/port.
Thanks in advance for any hints or suggestions.
@e__n, have you checked the Log Settings options, "Network" - "Network Access" - "Connection Opened"?
-Mustafa
Thanks for the reply. I do have that enabled. However, when I disable NAT messages in the Log configuration, I am only seeing "dropped" messages come through to my syslog receiver.
To further add to this, it looks like the Event ID for Connection Opened is 98 - I don't have a single event 98 from my Sonicwall in my SIEM tool. Could there be some other setting preventing this message ID from transmitting? I am receiving other messages in this category, just not "connection opened."
@e__n , great that your issue is resolved.
-Mustafa