NSA 3700 7.0.1-5050 syslog website accessed

I have syslog configured and receiving data. The raw entries for syslog website accessed (set to inform) are not showing pass traffic. I am only seeing raw data for fw_action=drop.

Support wants me to upgrade to fw 7.0.1-5095 then they will submit a bug report.

Before I do that I wanted to ask the community.

I did disable CFS and still saw the same raw entries for drops so it is not a CFS policy dropping.

Category: High End Firewalls

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    So what is the question?

  • Is it a bug or setting to show all web traffic in syslog not just dropped traffic?

    In my case it's not CFS dropped traffic. Not sure why the traffic has fw_action=drop and that's the only web traffic that is showing in syslog data using enhanced syslog format.

  • TKWITS Community Legend ✭✭✭✭✭

    Please provide an example of the syslog message, and show what your logging settings are for entries under Network \ Network Access.

  • Here's an example syslog message:

    Message : id=xxxxxx sn=xxxxxx time="2023-01-11 21:44:23 UTC" fw=w.x.y.z pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=macaddress src=LANIP:51368:X0 srcZone=Trusted natSrc=w.x.y.z dstMac=macaddress dst=20.190.135.43:443:X1 dstZone=Untrusted natDst=20.190.135.43:443 usr="username" proto=tcp/https sent=4264 rcvd=7388 sess="Auto" rule="Default Access Rule" app=7927 dstname=graph.microsoft.com arg=/ code=27 Category="Information Technology/Computers" note="Policy: cfsUserPolicy0, Info: 6148 " n=627072623 fw_action="drop" dpi=1

    Network Access Log Settings.

    The msg = "Web site hit" from what I understand is from Log Setting; Log\syslog\syslog website accessed

    If I disable CFS, traffic like "web site hit" will still show in syslog as drop.
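
An added example, not part of the thread and not SonicWall code: a small Python parser for the enhanced-syslog line quoted above that tallies `fw_action` for `m=97` "Web site hit" events and lists the `dstname`, `rule` and `note` fields of each, so the collector side can confirm which actions actually arrive. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# key=value or key="quoted value", as in the sample message above
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_enhanced(line):
    """Split one enhanced-syslog line into a dict of its fields."""
    return {key: (quoted if raw.startswith('"') else raw)
            for key, raw, quoted in PAIR.findall(line)}

def web_hit_summary(lines, event_id="97"):
    """Tally fw_action for 'Web site hit' events and keep triage fields."""
    actions, details = Counter(), []
    for line in lines:
        f = parse_enhanced(line)
        if f.get("m") != event_id:
            continue  # not a "Web site hit" event
        action = f.get("fw_action", "(absent)")
        actions[action] += 1
        details.append((action, f.get("dstname"), f.get("rule"),
                        f.get("note", "").strip()))
    return actions, details

SAMPLE = [
    # The message from the post, unchanged
    'id=xxxxxx sn=xxxxxx time="2023-01-11 21:44:23 UTC" fw=w.x.y.z pri=6 c=1024 gcat=2 m=97 msg="Web site hit" srcMac=macaddress src=LANIP:51368:X0 srcZone=Trusted natSrc=w.x.y.z dstMac=macaddress dst=20.190.135.43:443:X1 dstZone=Untrusted natDst=20.190.135.43:443 usr="username" proto=tcp/https sent=4264 rcvd=7388 sess="Auto" rule="Default Access Rule" app=7927 dstname=graph.microsoft.com arg=/ code=27 Category="Information Technology/Computers" note="Policy: cfsUserPolicy0, Info: 6148 " n=627072623 fw_action="drop" dpi=1',
    # Constructed: a web-hit line that carries no fw_action field
    'id=xxxxxx sn=xxxxxx time="2023-01-11 21:44:25 UTC" fw=w.x.y.z pri=6 m=97 msg="Web site hit" dst=192.0.2.10:443:X1 dstname=example.test rule="Default Access Rule" n=1',
    # Constructed: a different event id, ignored by the tally
    'id=xxxxxx sn=xxxxxx m=0 msg="constructed non-web event" fw_action="drop"',
]

if __name__ == "__main__":
    actions, details = web_hit_summary(SAMPLE)
    print(dict(actions))
    for row in details:
        print(row)
```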

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    For clarity, you want the syslog 'Web Site Hit' messages to show allowed traffic. Not sure if that's a thing, you might get it from another setting.

    Have you tried setting the logging level to debug for Syslog \ Syslog Website Accessed? Or enabling Syslog on Network \ Network Access \ Packet Allowed?

  • Correct. Web site hit should show non-dropped traffic, not destinations in CFS allowed policy but rather all other web traffic that traverses the SonicWall. Remember Viewpoint? It had reports for web traffic. I have a similar report in my syslog app but of course my dilemma is I can't get web site traffic to appear - it's not coming in the syslog packets.

    I tried the packet allowed and that doesn't show HTTP LAN to WAN traffic. I also tried the debug level for syslog website accessed and I'm getting the same content - dropped traffic, mgmt traffic.

    I'm going to update firmware and see if that resolves this issue.
