
Can SonicWall syslog show the status of the IP (blocked or not)?

Hi all, we are doing security operations for the SonicWall, and we use Azure Sentinel to monitor the incidents caused by the firewall. Once we detect some abnormal port scanning activity, we use an automatic tool to block the IP (add the IP to an Automation Black List Group on the SonicWall). However, after we do so, Sentinel will still generate alerts for this IP (because, for example, we run the query every hour and the count exceeds the threshold...), and the syslog does not show whether the IP was in the blocklist or not.

I wonder whether there is any configuration we can do to reflect our operations. Currently the log data looks like this:

id=firewall sn=18C241050A48 time="2025-03-18 13:59:46" fw=none_1 pri=1 c=32 gcat=3 m=83 msg="Probable port scan detected" srcMac=94:bf:94:7e:29:a6 src=196.251.90.132:44146:X18 srcZone=WAN dstMac=1a:c2:41:05:0a:5a dst=103.152.56.126:34773:X18 dstZone=WAN proto=tcp/34773 rcvd=52 note="Pkt is dropped. TCP scanned port list" n=21068

But sometimes it has an additional 'uuid' field in the log data. I am not sure whether this is the field that indicates that the IP has been added to the block list.

Category: Firewall Management and Analytics

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    I don't know at which point in the Packet Flow the Port Scan detection is executed, but it might be before the Access Rules.

    https://www.sonicwall.com/support/knowledge-base/sonicos-packet-flow-in-global-and-policy-mode/240104055537077

    Did you export a TSR and search for the UUID? This will give you the information on what the UUID points to.

    —Michael@BWC

  • saki Newbie ✭

    Thanks Michael! I saw other questions about this issue. It seems that we cannot determine the IP status before the syslog is sent (which may be a shortcoming of syslog...). I will follow your advice to see whether I can get a TSR from our customer to determine the meaning of the UUID.

  • Arkwright Community Legend ✭✭✭✭✭

    The UUID will be that of the access rule in question. The UUID should not change once the rule has been created; if all your automation does is add/remove IPs to a group which is used by a rule, then all you need to do is learn the UUIDs of the rules you're interested in.

    If you are lucky, there might be an API method to retrieve rule information by UUID.
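The approach Arkwright describes, applied to the log format quoted in the question, as an added example (this is not code from SonicWall or from anyone in the thread): parse the key=value syslog line, pull out the `uuid` field when it is present, and look it up in a table of access-rule UUIDs that the automation itself manages. Events whose `uuid` maps to a known blocklist rule can then be tagged as already handled before they reach the alerting query. The second sample line and the UUID value in the lookup table are constructed placeholders; the real UUIDs would come from the rules in your own configuration (for example via a TSR export, as BWC suggests).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events. The first line is the one quoted in the question
# (unchanged); the second is a copy with a made-up uuid field appended to show
# the enrichment path. The UUID value is a placeholder, not a real rule id.
SAMPLE_LOGS: List[str] = [
    'id=firewall sn=18C241050A48 time="2025-03-18 13:59:46" fw=none_1 pri=1 c=32 gcat=3 m=83 '
    'msg="Probable port scan detected" srcMac=94:bf:94:7e:29:a6 src=196.251.90.132:44146:X18 '
    'srcZone=WAN dstMac=1a:c2:41:05:0a:5a dst=103.152.56.126:34773:X18 dstZone=WAN '
    'proto=tcp/34773 rcvd=52 note="Pkt is dropped. TCP scanned port list" n=21068',
    'id=firewall sn=18C241050A48 time="2025-03-18 15:02:10" fw=none_1 pri=1 c=32 gcat=3 m=83 '
    'msg="Probable port scan detected" srcMac=94:bf:94:7e:29:a6 src=196.251.90.132:50211:X18 '
    'srcZone=WAN dstMac=1a:c2:41:05:0a:5a dst=103.152.56.126:34773:X18 dstZone=WAN '
    'proto=tcp/34773 rcvd=52 note="Pkt is dropped. TCP scanned port list" n=21069 '
    'uuid=00000000-0000-4000-8000-0000000000aa',
]

# Hypothetical map from access-rule UUID to a human-readable label. In practice
# this table is learned once from the rules the automation manages; the UUID
# below is a placeholder.
BLOCKLIST_RULE_UUIDS: Dict[str, str] = {
    "00000000-0000-4000-8000-0000000000aa": "deny rule using Automation Black List Group",
}

# One key=value pair: the value is either a double-quoted string (may contain
# spaces and backslash-escaped quotes) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_sonicwall_syslog(line: str) -> Dict[str, str]:
    """Return the key=value fields of one SonicWall syslog line as a dict."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def split_endpoint(value: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an 'ip:port:interface' value (the shape of src=/dst= in the sample)
    into its parts; missing port/interface come back as None."""
    parts = value.split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], parts[1], None
    return value, None, None


def enrich(fields: Dict[str, str], rule_map: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Attach the source IP and, when a uuid field is present and known,
    the label of the access rule it refers to."""
    src_ip, src_port, src_iface = split_endpoint(fields.get("src", ""))
    uuid = fields.get("uuid")
    return {
        "src_ip": src_ip,
        "src_port": src_port,
        "src_iface": src_iface,
        "msg": fields.get("msg"),
        "rule_uuid": uuid,
        "rule_label": rule_map.get(uuid) if uuid is not None else None,
    }


def still_needs_alert(fields: Dict[str, str], rule_map: Dict[str, str]) -> bool:
    """True unless the event carries a uuid belonging to one of the automation's
    own blocklist rules, i.e. the source has already been handled."""
    uuid = fields.get("uuid")
    return uuid is None or uuid not in rule_map


def triage(lines: List[str], rule_map: Dict[str, str]):
    """Parse each line and return (events_to_alert, events_already_blocked)."""
    to_alert, already_blocked = [], []
    for line in lines:
        fields = parse_sonicwall_syslog(line)
        event = enrich(fields, rule_map)
        (to_alert if still_needs_alert(fields, rule_map) else already_blocked).append(event)
    return to_alert, already_blocked


if __name__ == "__main__":
    alert, blocked = triage(SAMPLE_LOGS, BLOCKLIST_RULE_UUIDS)
    for e in alert:
        print("ALERT  ", e["src_ip"], e["msg"])
    for e in blocked:
        print("HANDLED", e["src_ip"], "->", e["rule_label"])
```

The useful property here is that the suppression decision keys on the rule UUID rather than on the `note` text or on the source IP alone, so an event that the IPS engine drops before any access rule is evaluated (no `uuid` field, as in the first sample) still raises an alert, while an event that did hit the automation's deny rule is recognised as already handled.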

  • MarkD Cybersecurity Overlord ✭✭✭

    SonicOS Packet flow in Global and Policy Mode
