1

Short of enabling packet capture/monitor on specific rules/policies, is there an easier way to see or to setup a Sonicwall to show blocked ports/services (realtime or as a report)?

I think packet capture is an overkill. I do not want to see content of packets, I do not want to see Accepted/Forwarded packets, I just want to see some "Dropped" events with src-ip, dst-ip, dst-proto and dst-port details.

I've searched online for this, went through the menu items of the device, checked out Sonicwall Analyzer, nothing. There are logs and statuses of successfull connections, detected and blocked attacks etc, but not just simple report showing blocked ports.

I used to work with Juniper firewalls, and both ScreenOS and JunOS flavours allowed me to enable logging on a policy (for example the global block policy) and then use a web interface or a command line to check what is blocked.

Mark Henderson
  • 68,823
  • 31
  • 180
  • 259
Alex
  • 1,828
  • 4
  • 31
  • 52

1 Answers1

1

According to SonicWALL's Log Event Reference Guide, the UTM only logs up to 32k and then flush the logs.

Log Persistence

SonicOS currently allocates 32K to a rolling log buffer. When the log becomes full, it can be emailed to a defined recipient and flushed, or it can simply be flushed. Emailing provides a simple version of logging persistence, while GMS provides a more reliable and scalable method. By offering the administrator the option to deliver logs as either plain-text or HTML, the administrator has an easy method to review and replay events logged.

So, If you wan't to gather enough data to troubleshoot blocked/dropped ports issues you will need to setup either a GMS/Analyzer (Which displays lots of information in a graphical console), or your favorite syslog daemon in a server.

The procedure to enable a syslog server is the same as adding an GMS/Analyzer appliance: https://support.software.dell.com/kb/sw10097

Update:

To get that level of detail with SonicWALL, you definitely will have to deploy a Syslog server. If you don't want to see anything else besides dropped/blocked packets reports, make sure to go to Log > Categories and uncheck all the fields except Network Access.

To have an idea of what kind of information you can expect to find in your syslog server, take a look at this filter:

enter image description here

Gabriel Talavera
  • 1,377
  • 1
  • 11
  • 18
  • Hi Gabriel, I have mentioned trying Analyzer in the question text. The problem is, I do not see where in Analyzer shows blocked ports. I found blocked sites and blocked intrusion attempts but not blocked (dropped) ports. – Alex Sep 04 '14 at 01:28
  • @Gabrial, which report in the analyzer shows the dropped packets/sessions, either due to policy or other? – Alex Sep 08 '14 at 06:40
  • Apologies @Gabriel, name misspelled – Alex Sep 08 '14 at 06:40
  • @Alex, try going to Analyzers > Log Analyzer and find a filter that suits your need, it's very limited though. – Gabriel Talavera Sep 08 '14 at 11:50