nsa 5650 logging issue

jtuckerchug · December 2023

Hello. I manage a NSA 5650 and am having a weird problem with logging. The guest WiFi is connected to an 8 port PoE switch to give power to the APs. The uplink for that switch is port X8 on the NSA. I have tried packet capture, events, etc to see traffic. The only traffic I ever see is when a device gets an IP address from the NSA DHCP for that subnet. The port is setup as DMZ zone. I noticed the issue the first time when Appcontrol was enabled on the NSA. The blocking of the desired App worked fine but nothing in logs. The logging works fine on the LAN zone. Any ideas? Thank you.

TonyA · December 2023

Hi @jtuckerchug

Lets start with the packet capture, if you set up a capture as follows:

Monitor filter tab:

Ether: IP

IP Type: ICMP

Destination: 4.2.2.2

Enable - Enable Bidirectional Address and Port Matching

All other check boxes, leave unticked

Display filter:

Leave fields blank and check all checkboxes at the bottom

Advanced monitor filter:

Check all boxes except - Restore original ports on SSL decrypted traffic.

Run a ping from a device connected to one of those AP's.

You should see traffic egressing - if you don't it likely means the traffic is not reaching the firewall. (Which would be odd if they have an internet connection and the only link out is through the firewall).

Let me know the results and we can continue looking into the event logs next.

jtuckerchug · December 2023

@TonyA - thanks for the reply and i apologize for the delay in my reply.

i ran packet capture and see the traffic

1 12/20/2023 08:55:57.816 X8*(i) X1 192.168.11.15 4.2.2.2 IP ICMP -- FORWARDED 74[74]

2 12/20/2023 08:55:57.816 -- X1* (PUBLIC_IP) 4.2.2.2 IP ICMP -- FORWARDED 74[74]

3 12/20/2023 08:55:57.816 X1*(i) X8 4.2.2.2 (PUBLIC_IP) IP ICMP -- FORWARDED 74[74]

4 12/20/2023 08:55:57.816 -- X8* 4.2.2.2 192.168.11.15 IP ICMP -- FORWARDED 74[74]

5 12/20/2023 08:55:58.832 X8*(i) X1 192.168.11.15 4.2.2.2 IP ICMP -- FORWARDED 74[74]

6 12/20/2023 08:55:58.832 -- X1* (PUBLIC_IP) 4.2.2.2 IP ICMP -- FORWARDED 74[74]

7 12/20/2023 08:55:58.832 X1*(i) X8 4.2.2.2 (PUBLIC_IP) IP ICMP -- FORWARDED 74[74]

8 12/20/2023 08:55:58.832 -- X8* 4.2.2.2 192.168.11.15 IP ICMP -- FORWARDED 74[74]

9 12/20/2023 08:55:59.832 X8*(i) X1 192.168.11.15 4.2.2.2 IP ICMP -- FORWARDED 74[74]

10 12/20/2023 08:55:59.832 -- X1* (PUBLIC_IP) 4.2.2.2 IP ICMP -- FORWARDED 74[74]

11 12/20/2023 08:55:59.848 X1*(i) X8 4.2.2.2 (PUBLIC_IP) IP ICMP -- FORWARDED 74[74]

12 12/20/2023 08:55:59.848 -- X8* 4.2.2.2 192.168.11.15 IP ICMP -- FORWARDED 74[74]

13 12/20/2023 08:56:00.848 X8*(i) X1 192.168.11.15 4.2.2.2 IP ICMP -- FORWARDED 74[74]

14 12/20/2023 08:56:00.848 -- X1* (PUBLIC_IP) 4.2.2.2 IP ICMP -- FORWARDED 74[74]

15 12/20/2023 08:56:00.864 X1*(i) X8 4.2.2.2 (PUBLIC_IP) IP ICMP -- FORWARDED 74[74]

16 12/20/2023 08:56:00.864 -- X8* 4.2.2.2 192.168.11.15 IP ICMP -- FORWARDED 74[74]

thanks for your attention

TonyA · December 2023

Thanks @jtuckerchug

Looks like traffic flow is fine and going through the firewall and back. So traffic is looking fine but you are not seeing any events in the event logs for for things like app control right?

Can you check the Zone page to see if app control is enabled? Do you see app control logs for LAN devices?

jtuckerchug · December 2023

hello @TonyA

thanks again for the assistance. correct. i do not see any events except when a device on the DMZ gets an IP from DHCP running on the SonicWALL for that interface (X8).

Zones page the AppControl is enabled per the green check box

i do see events for AppControl for the LAN zone.

really strange.

thanks again for the assistance.

TonyA · December 2023

Hey @jtuckerchug

I checked some things on my side and didn't find anything useful. I'd suggest calling support when you have some time so we can go through this a bit deeper and possibly try to replicate it in lab.

Sorry I couldn't be of more help here!