Sonicwall monitor user activity


I need to start monitoring internet traffic at the user level. I was wondering if this is possible with my SonicWALL NSA 2400.


10 Replies

· · ·

Ryan_w

Chipotle

OP

Best Answer

I think it should be. We do it on an NSA 3500. You just need to have a license for the SonicWall that lets you turn on content filtering and also set up a Viewpoint or GMS server to run the reports and log the data.

1

· · ·

Ryan_w

Chipotle

OP

You might also want to set up an SSO agent on your network to ID your users, but whether it will work well depends on your environment.

0

· · ·

Support Guy

Serrano

OP

After doing some basic research, I see that I can navigate to AppFlow Monitor in the SonicWall and click on Users to view some of this information. Problem is, my users are not set up here. Any ideas on how I can do that, if I'm going in the right direction? As you can tell, I'm not exactly a firewall guy.

0

· · ·

Ryan_w

Chipotle

OP

Are you wanting to see real-time traffic by user or run historical reports per user? We have ours set up more for historical reporting.

0

· · ·

Support Guy

Serrano

OP

Ryan_w wrote:

Are you wanting to see real-time traffic by user or run historical reports per user? We have ours set up more for historical reporting.

historical

0

· · ·

Ryan_w

Chipotle

OP

You will need to set up a Viewpoint server or GMS. The SonicWall itself does not keep a history of access for very long. I believe Viewpoint is free, but not as good as GMS. Then if you want the actual user IDs to show up in the reports you will need to configure an SSO Agent that scans your computers to check who is logged in when they access the Internet.

SSO Agent Directions:

http://help.mysonicwall.com/sw/eng/5505/ui2/25201/PANEL_ssoProps.html

ViewPoint Info: (strongly recommend looking into GMS instead). GMS also does automatic backups and monitoring of your firewall.

http://help.mysonicwall.com/sw/eng/5505/ui2/25201/Log_logViewpointView1.html#1017123

2

· · ·

Doughnut

Mace

OP

Also make sure you enable Flow Reporting for users. Simple step, but it's not set up by default.

Log>Flow Reporting> *Enable AppFlow to Local Collector*

0

· · ·

Support Guy

Serrano

OP

doughnutdestroyer wrote:

Also make sure you enable Flow Reporting for users. Simple step, but it's not set up by default.

Log>Flow Reporting> *Enable AppFlow to Local Collector*

I don't see "Flow Reporting" when I click on "Log".
Firmware Version: SonicOS Enhanced 5.9.0.2-107o



1

· · ·

Support Guy

Serrano

OP

Ryan_w wrote:

You will need to set up a Viewpoint server or GMS. The SonicWall itself does not keep a history of access for very long. I believe Viewpoint is free, but not as good as GMS. Then if you want the actual user IDs to show up in the reports you will need to configure an SSO Agent that scans your computers to check who is logged in when they access the Internet.

SSO Agent Directions:

http://help.mysonicwall.com/sw/eng/5505/ui2/25201/PANEL_ssoProps.html

ViewPoint Info: (strongly recommend looking into GMS instead). GMS also does automatic backups and monitoring of your firewall.

http://help.mysonicwall.com/sw/eng/5505/ui2/25201/Log_logViewpointView1.html#1017123

What is GMS?

0

· · ·

Ryan_w

Chipotle

OP

Here is a link with more details on what GMS is.

http://www.sonicwall.com/us/en/products/GMS-Application.html

Basically, for us it is just a virtual server that monitors and logs activity on the firewall. You can run reports from its web interface.

0


Source: https://community.spiceworks.com/topic/464200-can-i-monitor-internet-traffic-broken-down-by-user-with-my-sonicwall

How can I track which users or IP addresses are accessing a certain website using AppFlow?

12/20/2019

DESCRIPTION:

This article describes how to track which Users or IP addresses are accessing a certain website using AppFlow Monitor on Dashboard.

RESOLUTION:

NOTE: Before following this KB, please ensure that AppFlow is enabled (see the KB article "Enabling the Real-Time Monitor and AppFlow Collection in SonicOS Enhanced").

Log in to your SonicWall management page and click the Investigate tab at the top of the page.

  1. Navigate to the AppFlow Logs page. Select the 'URLs' tab and, in Group by, select Domain Name from the drop-down list.

  2. Click on the website you want to track and click the Filter option. In this example we use the URL www.junk.com.

     This limits the information under all the other tabs to www.junk.com.

  3. Click the Users tab. It shows all the users who tried to access www.junk.com.

  4. Clicking on a username shows the IP address.

Source: https://www.sonicwall.com/support/knowledge-base/how-can-i-track-which-users-or-ip-addresses-are-accessing-a-certain-website-using-appflow/170505832815323/

SonicWall firewall user auditing and management

Monitoring firewall user account activities, such as adding, deleting, or changing user privilege levels, helps track peculiar account changes. Keeping tabs on these activities helps track changes that are vital in securing the network from malicious attacks and threats.

EventLog Analyzer presents all user logon and account activities in simple, predefined reports with in-depth information. Administrators can create alert profiles to instantly receive notifications about changes of any type.

Firewall logon reports:

These out-of-the-box reports monitor all successful and failed user logon attempts. Logon reports are categorized by user and source. Reports on successful and failed logon trends are also available.

Available Reports

Successful Logons | Failed Logons | Top Successful Logons from Source | Top Successful Logons by Users | Top Failed Logons from Source | Top Failed Logons by Users | Successful Logons Trends | Failed Logons Trends

Firewall account management reports:

These reports present all user-based information, such as new and deleted users and changes in user privilege levels. Account management reports help administrators conduct audit trails of firewall users and their activities.

Available Reports

Users Added | Users Deleted | Users Modified | Users Disabled | Users Enabled | User Privilege Changed


Source: https://www.manageengine.com/products/eventlog/sonicwall-firewall-user-audit.html

SonicWall firewall rules/policies, configuration & log analyzer

Gaining insight into Internet activity and keeping abreast of security events is a challenging task, as the security appliance generates a huge quantity of security and traffic logs. With a package of features, Firewall Analyzer's reporting capability for the SonicWall firewall appliance fits like a glove, enabling you to strengthen network security. Firewall Analyzer lets you collect, archive, and analyze SonicWall device logs and generate security and forensic reports.

SonicWall network security and capacity management

With Firewall Analyzer for SonicWall, you can access pre-defined reports that help in analyzing bandwidth usage and understanding security and network activities. These reports help you study security vulnerabilities through top denied hosts, blocked URL hits, attacks, targets, viruses, affected hosts, spam, and receiving hosts.


SonicWall bandwidth capacity planning

Trend reports in Firewall Analyzer trace patterns in network behavior and bandwidth usage over time. Analysis of trend reports gives better insight into the nature of web site traffic or network traffic, and helps you make decisions on capacity planning, business risk assessment, bandwidth management, traffic shaping, and network security posture.


SonicWall VPN monitoring

VPN trend reports show trends in the number of VPN connections accessed through the SonicWall firewall on a historical and current basis. VPN trends are especially useful in troubleshooting VPN connections, and identifying security risks.


SonicWall bandwidth monitoring

Firewall Analyzer for SonicWall lets you monitor the network's Internet traffic in near real-time. Firewall traffic data is collected and analyzed to get granular details about the traffic across each firewall. No probes or collection agents are required to get these details.


SonicWall traffic analyzer

Firewall Analyzer acts as a SonicWall Firewall Bandwidth Management tool and measures network traffic based on the analysis of logs received from SonicWall firewalls (SonicWall Bandwidth Usage Report). Firewall logs are collected, archived, and analyzed to get granular details about traffic (SonicWall Firewall Bandwidth Monitor) across SonicWall firewall devices.

 


Employee internet usage monitoring

With Firewall Analyzer you can monitor SonicWall traffic and maximize the business usage of Internet bandwidth using the employee Internet monitoring report. You can fine-tune the firewall policies to block or restrict bandwidth-guzzling web sites and in turn effectively control employee Internet usage. This ensures that bandwidth is available for the smooth functioning of the business.


SonicWall security audit

Firewall Analyzer for SonicWall provides an elaborate compliance report for the firewall devices. The report helps you configure firewall rules that prevent potentially dangerous access to the network and allow only those network hosts that are required. The issues are assessed and the results are presented as statistics.


Securepoint firewall alerts

Apart from exhaustive firewall reports with respect to network security, Firewall Analyzer offers comprehensive alarms and their notifications.

Alarms can be generated for anomalous security criteria, bandwidth values, and any normal criteria of security interest.

Alarms can be sent via email and SMS, and can trigger a script to carry out various threat mitigation activities. Alarms are also displayed in the UI.

If you are looking for more on SonicWALL log management, Firewall Analyzer provides a comprehensive SonicWALL firewall log management feature.

SonicWall supported versions

Company | Firewall/Version | WELF Certified | Other Log Format
SonicWall | SonicOS 5.8.x and above (supports 'IPFIX with extensions') | Available | Available

Steps to Configure

For detailed steps on configuring Firewall Analyzer with SonicWall's firewall appliance, refer to the linked configuration guide.

 


Source: https://www.manageengine.com/products/firewall/sonicwall-firewall-analyzer.html


How can I generate a detailed report on the browsing activity of a particular user?

03/26/2020

DESCRIPTION:

This article explains one way to get access to the full details available in GMS for a particular user. Other methods may exist to obtain a similar result. It also explains how to filter reports to obtain only the information that you need.

RESOLUTION:

In this example we will follow the user Prasad and get details for a particular website he browsed: www.visitor-track.com. We will be able to see when he visited this website and what URLs he visited.

  1. We will start from the Top sites report, under Web Activity. First, we will filter the report by user by adding a filter ("plus" button in the top left corner) on user name in the format "domain\user", in this case: user=sv\prasad.

    NOTE: Using the floppy disk button on the left of the filter lets you save this particular report configuration for later use. Saved reports can be found under the Custom Reports category and can also be used to configure Scheduled Reports, which are sent by email.

  2. Now that our report is filtered by user, we want more information on the browsing activity on the website www.visitor-track.com. For this, we can simply click on the website name and the report will be filtered to show details for this particular site only.
  3. The report we now have does not provide enough information. To access all details (raw syslogs), right-click on the website name and then click Drilldown. You will now see all information sent by the unit to GMS/Analyzer regarding this particular user and website.
  4. From this report, it is easy to view details for all users or all websites: a click on the small cross after a filter removes it, and a click on the red cross at the end of the filter bar removes all filters. Click on the arrow to submit your new filter.
    As always with GMS/Analyzer, the report data is updated up-to-the-second. The resulting report shows all browsing activity for the user sv\prasad in near real-time.

    NOTE: CFS enforcement is mandatory for these reports. For CFS 4.0, see CFS 4.0 Overview; for CFS 3.0, see CFS 3.0 Overview.

Source: https://www.sonicwall.com/support/knowledge-base/how-can-i-generate-a-detailed-report-on-the-browsing-activity-of-a-particular-user/170502662235115/
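
The two KB procedures above (AppFlow: which users or IPs accessed a site; GMS: one user's activity on one site) can be reproduced offline from exported firewall syslog. This is an added example, not SonicWall's code: the key=value field names (msg, src, usr, dstname, arg) and the "Web site hit" message text are assumptions about the log layout, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in a SonicOS-style key=value syslog layout (not real device output).
SAMPLE_LOG = r'''
id=firewall time="2020-03-26 09:01:12" msg="Web site hit" src=10.0.0.21:51514:X0 dst=198.51.100.7:80:X1 usr="sv\prasad" proto=tcp/http dstname=www.visitor-track.com arg=/pricing.html
id=firewall time="2020-03-26 09:03:40" msg="Web site hit" src=10.0.0.21:51530:X0 dst=198.51.100.7:80:X1 usr="sv\prasad" proto=tcp/http dstname=www.visitor-track.com arg=/signup?plan=free
id=firewall time="2020-03-26 09:05:02" msg="Web site hit" src=10.0.0.34:49822:X0 dst=203.0.113.9:80:X1 usr="sv\jdoe" proto=tcp/http dstname=www.junk.com arg=/
id=firewall time="2020-03-26 09:05:30" msg="Web site hit" src=10.0.0.99:40110:X0 dst=203.0.113.9:80:X1 proto=tcp/http dstname=www.junk.com arg=/ads.js
id=firewall time="2020-03-26 09:07:00" msg="Web site hit" src=10.0.0.22:50111:X0 dst=203.0.113.9:443:X1 usr="sv\prasad" proto=tcp/https dstname=www.junk.com
id=firewall time="2020-03-26 09:07:05" msg="Connection Closed" src=10.0.0.22:50112:X0 dst=198.51.100.9:443:X1 proto=tcp/https
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WEB_HIT_MSG = "Web site hit"  # assumed message text for URL-hit events; adjust to your logs

def parse_line(line):
    """Turn one key=value syslog line into a dict (quoted values unwrapped)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def web_hits(log_text):
    """Yield one normalized record per web-hit event, skipping everything else."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("msg") != WEB_HIT_MSG or "dstname" not in rec:
            continue
        ip = rec.get("src", "").split(":")[0]  # src is assumed to be ip:port:interface
        domain = rec["dstname"].lower()
        yield {
            "time": rec.get("time", ""),
            "ip": ip,
            # With no SSO/authentication there is no usr field: fall back to the IP.
            "identity": rec.get("usr") or ip,
            "domain": domain,
            # The path (arg) is present only when the firewall could see it.
            "url": domain + rec.get("arg", ""),
        }

def who_accessed(log_text, domain):
    """Users (or bare IPs) that hit `domain`, with hit counts and source IPs."""
    out = defaultdict(lambda: {"hits": 0, "ips": set()})
    for hit in web_hits(log_text):
        if hit["domain"] == domain.lower():
            out[hit["identity"]]["hits"] += 1
            out[hit["identity"]]["ips"].add(hit["ip"])
    return {who: {"hits": v["hits"], "ips": sorted(v["ips"])} for who, v in out.items()}

def activity_for(log_text, user, domain):
    """Time-ordered (timestamp, URL) pairs for one user on one site."""
    rows = [(h["time"], h["url"]) for h in web_hits(log_text)
            if h["identity"].lower() == user.lower() and h["domain"] == domain.lower()]
    return sorted(rows)

if __name__ == "__main__":
    for who, info in sorted(who_accessed(SAMPLE_LOG, "www.junk.com").items()):
        print(who, info)
    for when, url in activity_for(SAMPLE_LOG, r"sv\prasad", "www.visitor-track.com"):
        print(when, url)
```

Entries keyed by a bare IP address in the `who_accessed` result are the hosts for which no user was identified, which is the gap the SSO agent is meant to close.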

Enable SonicWall DPI-SSL

With most of the web now using HTTPS, DPI-SSL is not only an essential technology for protecting your network from threats transmitted over HTTPS, but also for reporting on web usage traffic. Without SonicWall’s DPI-SSL feature enabled, only the domain of a website will be logged (e.g. www.google.com) but not the full URL (e.g. www.google.com/search?q=my+search+term). This is important if you need to report on web searches, YouTube videos, full web pages, or full virus URLs.

Fastvue Reporter also utilizes full URLs for its Site Clean algorithm to clean ‘Junk’ URLs from your reports. For example, we don’t want to clean visits to https://www.facebook.com from your reports, but we do want to clean hits to Facebook ‘Like’ buttons on other pages. Facebook ‘Like’ buttons come from the URL http://www.facebook.com/plugins/like.php. Without DPI-SSL, SonicWall will only log www.facebook.com, leaving the Site Clean engine unable to clean the ‘Like’ buttons from your reports.

Enabling DPI-SSL can be a pain, as it requires deploying certificates to all devices that you want to protect and report on. Although this can be achieved relatively easily for devices controlled by AD group policy, it gets tricky for other devices such as BYOD mobile devices, devices on a ‘guest’ network, and browsers with their own certificate store (we’re looking at you, Mozilla Firefox!).

In these situations, you can manually email the certificate to users along with installation instructions, post it on an internal website that users can access once logged in (captive portal), or use onboarding tools like Impulse’s SafeConnect which can help in some automation without agent deployment.

Instructions for enabling DPI-SSL vary slightly depending on your SonicOS version, but look for DPI-SSL, Deep Packet Inspection or Decryption Services in the left-hand menu. For testing, create an Address Object that includes a few host machines you would like to test with, and then include this object in your DPI-SSL settings. Once you’re happy everything is working, you can easily change this to a broader group.


DPI-SSL Logging Issues

Earlier versions of SonicOS had some logging issues when DPI-SSL was enabled, affecting the accuracy and detail of web traffic in your reports. Fortunately, SonicWall fixed these in SonicOS 6.5.

If you’re running SonicOS 6.2.7 and below, please be aware of these two issues:

Enable Name Resolution

Even if you have authentication enabled, you may have certain traffic excluded from authentication such as Windows and virus updates, guest networks, BYOD devices etc. In these situations, Fastvue Reporter for SonicWall will attempt to resolve the IP addresses, however it is a good idea to get SonicWall to log the resolved IP address instead. This will save the extra lookups from your Fastvue server, and/or any extra DNS configuration that is required for the Fastvue Server to resolve IPs in the first place.

On your SonicWall device, go to Log Settings | Name Resolution and ensure you have a Name Resolution method set and the DNS servers correctly configured.


Enable Referrer URL Logging:

One of the major inputs to Fastvue’s Site Clean engine is referer URLs which SonicWall added support for in SonicOS version 6.2.7.1.

Ensure you are running SonicOS 6.2.7.1 or above, and your logging format is set to ‘Enhanced Syslog’ with all fields selected (specifically, the ‘Notes’ field as this is where the referer URL is logged).


SonicWall will then log referrer URLs for http requests which helps the Fastvue Site Clean engine better determine the websites actually visited by your users, and remove/clean the background websites from your reports.

Note: SonicWall released hotfix SonicOS 6.2.7.1-23n–HF187283 to fix an issue where referrer URLs were not logged for DPI-SSL traffic. We believe this has been rolled into SonicOS 6.2.7.3 and above.

Block the QUIC Protocol

Google, owning many web properties as well as a popular web browser with Chrome (currently used by 60% of the population), decided to take web speed into their own hands and introduce a new protocol between their browser and their servers. This is called QUIC and works over UDP.

Although this is great for the web development community generally, it is not great for firewalls as it impacts on the accuracy of logging and reporting. For now, this only affects Google web properties such as YouTube, Google Search and Gmail, but it may be adopted by other websites moving forward.

Fortunately, SonicWall enables you to disable the QUIC protocol for your network, and then Google Chrome will fall back to using normal https.

You can do this via SonicWall’s Application Control Advanced page, or use a standard firewall rule to block UDP port 443.

To block QUIC using SonicWall’s Application Control:

  1. Go to Security Services | Application Control (or Rules | Advanced Application Control in SonicOS 6.5 and above).
  2. Select Category = Infrastructure, and edit the Google QUIC application.
  3. Select Block = Enable.

You can also disable QUIC in Google Chrome directly by typing chrome://flags in the address bar and setting the Experimental QUIC protocol to Disabled.


Without the QUIC protocol disabled, you may see inaccurate bandwidth and browsing time figures for Google web properties.

Summary

Getting started with Fastvue Reporter for SonicWall is very easy, but once you start digging into the reports, you may discover issues such as users showing as IP addresses instead of usernames, blank ‘search term’ reports, blank productivity reports, reports cluttered with advertising and other junk, or inaccurate bandwidth figures.

Ensuring you’re on the latest SonicOS (we recommend SonicOS 6.5 and above) and enabling the features above will give you the best configuration from a logging and reporting perspective, and improve your ability to protect and secure your network.

Source: https://www.fastvue.co/sonicwall/blog/the-best-sonicwall-configuration-for-detailed-logging-and-reporting/


SonicWall Manager-Ready Reports That Only Show Actual User Web Browsing

"I tested at least a dozen products before being introduced to Cyfin; I spent a lot of time working with other vendors' Sales and Support staff trying to make their systems do what Wescast required. I can honestly say that all the vendors tried their best to assist me but sometimes you cannot make systems do something they were not meant to do. I wish I had known about the Cyfin product from the start, the description alone would have steered me towards it first and I could have saved a lot of time.

I can honestly say there are a lot of great products available that claim they can provide Internet usage reports, but this is usually a bolt-on feature to a more robust system that provides reports on Web, FTP, firewall traffic, and so on. If you are really serious about monitoring Internet usage you need a product that focuses on this area. Cyfin is that product!"

–Mick Montgomery, Wescast Industries Inc., Canada

Source: https://www.wavecrest.net/solutions/logfile_analytics.php?wc_page=log_sonicwall