Configuration options for SonicWall

Review configuration options for SonicWall firewalls in RocketCyber

SonicWall log reporting is done differently than its competitors. The logs related to specific events, which can then be generally grouped by behaviours.

In addition, SonicWall also has groups of events that are the same event with different levels of certainty (e.g. attack - low confidence, attack - high confidence).

As a result, there are significantly more options for SonicWall than other vendors, since the events are broken out rather than being grouped in categories. We have listed all generally security-relevant event types. Because these are specific events rather than categories, it is easier to decide whether each is relevant to you.

These are all legitimate security concerns, so if you are on the Pro plan and not sure which to select, it is reasonable to leave them all enabled or disable only the low-confidence alerts.

In general, it is a bad idea to disable things with "attack" in the name. Disabling low confidence detections or reminders of expirations (e.g. "AV Expired") may be reasonable depending on your particular situation

Log Format

The expected format for SonicWall logs is space-separated. For example

<134> id=MIT_PF_RTR07 sn=187777777164 time="2020-01-09 17:08:35 UTC" fw=77.77.77.77 pri=6 c=267744 gcat=6 m=98 msg="Connection Opened" src=192.168.7.77:63237:X0 natSrc=71.77.77.77:877 dst=7.77.76.73:443:X1 natDst=7.77.76.73:443 proto=tcp/https sent=52 n=1577775 fw_action="NA" dpi=0

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.