Firewall logging private IP of the remote user connecting to SSL VPN
In SSL VPN logs, a user is reported logged in from an SRC IP as "10.26.137.101". ( Log below ). This is a private IP. The user connected from his home and the firewall was supposed to be logging the actual public IP.
=====================================
"07/20/2022 13:08:09","1050","Users","Authentication Access","Successful SSL VPN User Login","Standard String Service","Information","","","","X2","","","","X2","","10.26.137.101","","","","","","192.168.29.3","0","","","","","tcp","","","","","","","rajeevj","0s"," ","","","","","","","","","NA","","rajeevj","SSL VPN zone remote user login allowed",""
=====================================
We checked the entire logs from this year and only see this log entry with a private IP in it. So this is a first-time incident. But still, we are wondering why it logged that way.
How could the firewall not grab the actual public IP of the remote user?
Answers
@Fabin
I think you are trying to pull the logs from FIrewall itself. Better if you more concern about the security logs, install Sonicwall Analytics instead searching in the Firewall.
As well as you are not mentioned your Firewall model. if its small or medium model you wont get logs. it will flush after the reboot.
The firewall model TZ400. This log is exported as CSV to our logs servers. Even Sonicwall Analytics will have the same information.