SonicWall

Review configuration options for SonicWall firewalls in RocketCyber

SonicWall reports logs differently from its competitors. Each log line corresponds to a specific event, and those events can then be grouped by the behavior they represent.

SonicWall also has groups of events that are the same event reported at different levels of certainty (e.g. attack - low confidence, attack - high confidence).

As a result, there are significantly more options for SonicWall than for other vendors, since the events are broken out individually rather than grouped into categories. We have listed all generally security-relevant event types. Because these are specific events rather than categories, it is easier to decide whether each one is relevant to you.

These are all legitimate security concerns, so if you are on the Pro plan and not sure which to select, it is reasonable to leave them all enabled, or to disable only the low-confidence alerts.

In general, it is a bad idea to disable anything with "attack" in the name. Disabling low-confidence detections or expiration reminders (e.g. "AV Expired") may be reasonable depending on your particular situation.

Log Format

The expected format for SonicWall logs is a syslog priority prefix followed by space-separated key=value pairs; values that contain spaces (such as time and msg) are double-quoted. For example:

<134> id=MIT_PF_RTR07 sn=187777777164 time="2020-01-09 17:08:35 UTC" fw=77.77.77.77 pri=6 c=267744 gcat=6 m=98 msg="Connection Opened" src=192.168.7.77:63237:X0 natSrc=71.77.77.77:877 dst=7.77.76.73:443:X1 natDst=7.77.76.73:443 proto=tcp/https sent=52 n=1577775 fw_action="NA" dpi=0