
SonicWALL's 'Not Rated' Syslog Bug and Workaround

by Scott Glew

If you are running SonicOS 5.9 or above, and are using Fastvue Reporter for SonicWALL, you may have noticed that your top Category is showing as 'Not Rated'. Typically, this means that the URL being accessed was not categorized by your SonicWALL device. However, there is a bug in SonicWALL's syslog feature where all allowed URLs are logged with the Category 'Not Rated', even though they have been correctly processed through SonicWALL's Content Filtering System (CFS).

SonicWALL have confirmed this as a bug, and are currently working on a fix (Time of writing: June 20, 2016).

Update (Jun 29, 2016): We've been told SonicWALL have fixed the bug internally in v6.2.6 and will be shipping a firmware update towards the end of July.

If the traffic is blocked by SonicWALL's Content Filter (CFS), the URL Category is logged correctly; only allowed traffic is affected.

Fastvue Reporter for SonicWALL's Productivity Dashboard, Reports, and Alerts all rely on the category field being populated correctly in order to show desirable and undesirable traffic flowing through your SonicWALL device, and to calculate the most unproductive users and sites.

Fortunately, there is a relatively easy workaround for this syslog bug:

  1. Log into your SonicWALL device, and go to Log | Syslog
  2. Check the Override Syslog Settings with Reporting Software Settings check box and click Accept.

Once this option is checked, the syslog's Category field will be populated with the correct category instead of 'Not Rated'. Fixed! Well, with the following limitations...

Limitations of SonicWALL's Override Syslog Settings Option:

We have previously been recommending customers enable the Enhanced Syslog format, which is only available if you uncheck the Override Syslog Settings with Reporting Software Settings checkbox.

This is because the Enhanced Syslog format is more comprehensive and logs extra, potentially important fields. For Web Traffic log events, these extra fields include:

msg (Message)

The msg field is composed of either or both a predefined message and a dynamic message containing a string %s or numeric %d argument.

Certain features of SonicWALL utilize the msg field to log information about their events, such as IPS and Application Control. For example, an IPS event populates the msg field with msg="IPS Prevention Alert: P2P BitTorrent -- Peer Sync".

Fastvue Reporter for SonicWALL parses these events to populate the Action (Blocked/Allowed/etc.), Threat Name and Event Type fields.

That's not to say that these fields and reports will be completely blank when you check the 'Override syslog settings...' option. Rather, certain events, including IPS and Application Control, will not populate these fields, and therefore cannot be reported or alerted on in Fastvue Reporter.

srcZone (Source Zone)

A major feature of SonicWALL is the ability to define network zones. The srcZone field displays the zone that the traffic originated from (Source Zone).

Fastvue Reporter for SonicWALL's Overview Reports include a section to display the top Source Zones, and you can select Source Zones when defining Report Filters and Alerts. These features cannot be used if you check the 'Override syslog settings...' option.

dstZone (Destination Zone)

This dstZone field displays the zone that the traffic was destined for (Destination Zone).

As per Source Zones above, Fastvue Reporter for SonicWALL's Overview Reports include a section to display the top Destination Zones, and you can select Destination Zones when defining Filters and Alerts. These features cannot be used if you check the 'Override syslog settings...' option.

rule (Rule)

According to SonicWALL's Log Events Reference Guide, the 'rule' field displays the Access Rule number causing packet drop. However, we have also seen the rule field logged for other types of traffic, not just 'dropped' traffic.

The rule field contains values such as rule="2 (LAN->WAN)", or rule="5 (LAN->LAN)".

Fastvue Reporter for SonicWALL imports this field so that you can use it when defining Report Filters and Alerts, however the field is not displayed in Overview Reports or in Dashboards.

You can view Rules in Reports by running an Activity Report with a Rule 'Contains' ... filter.

Other fields

The list above covers only the extra fields for Web events when enabling 'Enhanced Syslog'. Other types of events, such as Firewall Messages, are also improved by using the Enhanced Syslog format.
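To make the trade-off concrete, the following Python script (an added example, not Fastvue's or SonicWALL's code) parses a handful of constructed syslog lines in SonicWALL's key=value shape, tallies the Enhanced Syslog fields described above (msg, srcZone, dstZone, rule), extracts the threat name from an IPS msg, and checks for the symptom of the 'Not Rated' bug: every allowed web event carrying Category 'Not Rated' while blocked events are categorized. The field names msg, srcZone, dstZone, rule and the 'Not Rated' Category value come from this post; the other field names (id, sn, fw, dstname, Category, and so on), the message texts and all sample values are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in SonicWALL's key=value syslog shape. Field names other
# than msg, srcZone, dstZone, rule and the 'Not Rated' Category value are assumptions.
SAMPLE_LOG = """\
id=firewall sn=EXAMPLE000001 time="2016-06-20 09:01:12" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access allowed" src=10.0.0.21:52044:X0 dst=93.184.216.34:80:X1 srcZone=LAN dstZone=WAN proto=tcp/http dstname=example.com arg=/ Category="Not Rated" rule="2 (LAN->WAN)"
id=firewall sn=EXAMPLE000001 time="2016-06-20 09:01:15" fw=203.0.113.10 pri=6 c=1024 m=97 msg="Web site access allowed" src=10.0.0.21:52045:X0 dst=198.51.100.7:443:X1 srcZone=LAN dstZone=WAN proto=tcp/https dstname=mail.example.net arg=/ Category="Not Rated" rule="2 (LAN->WAN)"
id=firewall sn=EXAMPLE000001 time="2016-06-20 09:02:01" fw=203.0.113.10 pri=5 c=64 m=14 msg="Web site access denied" src=10.0.0.33:52100:X0 dst=203.0.113.200:80:X1 srcZone=LAN dstZone=WAN proto=tcp/http dstname=games.example.org arg=/play Category="Games" rule="2 (LAN->WAN)"
id=firewall sn=EXAMPLE000001 time="2016-06-20 09:02:30" fw=203.0.113.10 pri=1 c=32 m=789 msg="IPS Prevention Alert: P2P BitTorrent -- Peer Sync" src=10.0.0.40:6881:X0 dst=198.51.100.99:6881:X1 srcZone=LAN dstZone=WAN proto=tcp rule="5 (LAN->LAN)"
"""

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return a dict of fields from one key=value syslog line, quotes stripped."""
    fields = {}
    for key, value in PAIR_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def classify(fields):
    """Map the msg field to an (event kind, action) pair; (other, None) if unknown."""
    msg = fields.get("msg", "")
    if msg.startswith("Web site access"):
        return "web", ("Allowed" if "allowed" in msg else "Blocked")
    if msg.startswith("IPS Prevention Alert:"):
        return "ips", "Blocked"
    return "other", None


def analyze(log_text):
    """Tally web/IPS events and the Enhanced Syslog fields across a log excerpt."""
    stats = {
        "web_allowed": 0, "web_allowed_not_rated": 0,
        "web_blocked": 0, "web_blocked_not_rated": 0,
        "ips_threats": [],
        "src_zones": Counter(), "dst_zones": Counter(), "rules": Counter(),
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        # srcZone, dstZone and rule only exist in the Enhanced Syslog format; with the
        # override option on, these counters simply stay empty.
        for key, counter in (("srcZone", "src_zones"), ("dstZone", "dst_zones"), ("rule", "rules")):
            if key in fields:
                stats[counter][fields[key]] += 1
        kind, action = classify(fields)
        if kind == "web":
            # A missing Category is treated the same as 'Not Rated', as a reporter would.
            not_rated = fields.get("Category", "Not Rated") == "Not Rated"
            bucket = "web_allowed" if action == "Allowed" else "web_blocked"
            stats[bucket] += 1
            if not_rated:
                stats[bucket + "_not_rated"] += 1
        elif kind == "ips":
            # "IPS Prevention Alert: <threat name>" -> keep just the threat name.
            stats["ips_threats"].append(fields["msg"].split(": ", 1)[1])
    return stats


def looks_like_not_rated_bug(stats):
    """True when every allowed web event is 'Not Rated' while blocked ones carry a
    category: the symptom this post describes for SonicOS 5.9 and above."""
    return (stats["web_allowed"] > 0
            and stats["web_allowed_not_rated"] == stats["web_allowed"]
            and stats["web_blocked"] > 0
            and stats["web_blocked_not_rated"] == 0)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("allowed web events:", result["web_allowed"],
          "of which Not Rated:", result["web_allowed_not_rated"])
    print("blocked web events:", result["web_blocked"],
          "of which Not Rated:", result["web_blocked_not_rated"])
    print("IPS threats:", result["ips_threats"])
    print("source zones:", dict(result["src_zones"]))
    print("rules:", dict(result["rules"]))
    print("Not Rated bug symptom present:", looks_like_not_rated_bug(result))
```

Run it against an export of your own syslog to see which way the trade-off falls for you: if the bug symptom shows up, the Category field is unusable for productivity reporting; if the zone and rule counters are empty, you are looking at the override format and have given up the fields listed above.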

Conclusion

Without URL Categories in the log, the productivity sections in Fastvue Reporter for SonicWALL are not very useful. You can overcome this by checking the Override Syslog Settings with Reporting Software Settings checkbox, as long as you are aware of the limitations above.

Generally speaking, the advantage of logging categories outweighs the disadvantages, but if you enable the Override Syslog Settings with Reporting Software Settings option, just be aware that certain sections in Fastvue Reporter will be blank or not populated.

If you have any specific questions or reporting requirements, don't hesitate to get in touch!
