
firewall.sonicwall

Introduction

The tags beginning with firewall.sonicwall identify log events generated by the SonicWall Firewall (SonicOS).

Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud. 

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.sonicwall. The third level identifies the SonicOS version and must be one of general or genv58. 

Therefore, the valid tags are:

Product / Service    Tags                         Data tables
SonicWall general    firewall.sonicwall.general   firewall.sonicwall.general
                     firewall.sonicwall.genv58    firewall.sonicwall.genv58

For more information, read more about Devo tags.

Devo Relay rule

On the Devo Relay, define a new rule so that all the events received on a specified port are tagged with the correct firewall.sonicwall tag.

  • Source port → 13020 (you can use any port that is free on your relay)

  • Target tag → firewall.sonicwall.xxx (xxx corresponding to your general or genv58 tag)

SonicWall configuration

To configure the sending of log events to a remote syslog server (in this case, the Devo Relay), see the vendor documentation.

Table structure

These are the fields displayed in these tables:

firewall.sonicwall.general

Field         Type       Source field name   Extra fields
eventdate     timestamp
fwhost        str        vhost
serverdate    str
host          str
message       str
id            str
sn            str
timestamp     str
fw            str
pri           str
c             str
m             str
msg           str
n             str
src           str
srcIp         str
srcPort       str
dst           str
dstIp         str
dstPort       str
proto         str
type          str
code          str
sent          str
rcvd          str
vpnpolicy     str
unknown       str
hostchain     str                            ✓
tag           str                            ✓
rawMessage    str        message             ✓

firewall.sonicwall.genv58

Field         Type       Source field name   Extra fields
eventdate     timestamp
id            str
sn            str
time          str
vp_time       str
fw            str
pri           str
c             int8
m             str
msg           str
f             int4
app           int4
appName       str
sess          str
dur           int4
af_policy     str
af_action     str
category      str
url           str
n             int8
usr           str
user          str
if            str
srcV6         str
src           str
srcIp         ip4
srcPort       str
srcNet        str
srcResName    str
dstV6         str
dst           str
dstIp         ip4
dstPort       str
dstNet        str
dstResName    str
srcMac        str
dstMac        str
proto         str
uuid          str
op            int4
sent          int8
rcvd          int8
result        int4
dstname       str
arg           str
sid           int4
ipscat        str
ipspri        int4
appcat        str
appid         str
catid         str
code          str
Category      str
spkt          int4
rpkt          int4
cdur          int8
dpi           int4
vpnpolicy     str
ucastRx       int8
bcastRx       int8
bytesRx       int8
ucastTx       int8
bcastTx       int8
bytesTx       int8
radio         int4
station       int4
goodRxBytes   int8
goodTxBytes   int8
type          str
icmpCode      int4
rule          str
fw_action     str
note          str
agent         str
hostchain     str                            ✓
tag           str                            ✓
rawMessage    str        message             ✓
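As an added example (not Devo's or SonicWall's own parser), the Python below turns a constructed SonicWall key=value syslog line into the field names of the genv58 table above, coercing the int4/int8 columns and splitting src/dst into the Ip/Port/Net/ResName columns. The sample line and the assumed ip:port:interface[:name] layout of src/dst are assumptions for illustration; the hostchain, tag and rawMessage extra fields are added by Devo and are not parsed from the message.

```python
import re
from typing import Dict, Union

# Constructed sample line in SonicWall key=value syslog style (not a real device capture;
# the serial number is a placeholder).
SAMPLE = (
    'id=firewall sn=SERIAL-PLACEHOLDER time="2024-03-01 10:15:22 UTC" fw=203.0.113.5 '
    'pri=6 c=1024 m=537 msg="Connection Closed" app=49 appName="DNS" n=8812 '
    'src=10.0.0.25:51342:X0 dst=198.51.100.7:53:X1:dns.example '
    'proto=udp/dns sent=62 rcvd=140 spkt=1 rpkt=1 cdur=30'
)

# A key=value pair whose value is either double-quoted (may contain spaces) or unquoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Columns typed int4/int8 in the genv58 table above; everything else stays a string.
INT_FIELDS = {
    "c", "n", "f", "app", "dur", "op", "sent", "rcvd", "result", "sid", "ipspri",
    "spkt", "rpkt", "cdur", "dpi", "ucastRx", "bcastRx", "bytesRx", "ucastTx",
    "bcastTx", "bytesTx", "radio", "station", "goodRxBytes", "goodTxBytes", "icmpCode",
}

# Assumed layout of the src/dst values: ip:port:interface[:resolved-name], mapped onto
# the srcIp/srcPort/srcNet/srcResName (and dst*) columns of the table.
ENDPOINT_SUFFIXES = ("Ip", "Port", "Net", "ResName")


def parse_sonicwall(line: str) -> Dict[str, Union[str, int]]:
    """Return the key=value pairs of one SonicWall syslog line, keyed by the table's field names."""
    fields: Dict[str, Union[str, int]] = {}
    for match in _KV.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    # Expand composite endpoints into the separate columns the table carries.
    for endpoint in ("src", "dst"):
        raw = fields.get(endpoint)
        if isinstance(raw, str):
            for suffix, part in zip(ENDPOINT_SUFFIXES, raw.split(":")):
                fields[endpoint + suffix] = part
    # Coerce integer-typed columns; leave malformed values as strings rather than dropping them.
    for key in INT_FIELDS:
        value = fields.get(key)
        if isinstance(value, str) and value.lstrip("-").isdigit():
            fields[key] = int(value)
    return fields
```

Running parse_sonicwall(SAMPLE) is a quick way to confirm, before events reach the relay, that a device's syslog format lines up with the columns listed above.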