Intrusion Prevention Report on SonicWall TZ-210 Appliance

I've recently purchased the Gateway AV/Anti-Spyware/Intrusion Prevention/App Control/App Visualization bundle for a SonicWall TZ appliance. I enabled Gateway AV, Anti-Spyware and Intrusion Prevention a few days ago, and I'm trying to figure out how to run a report to see what those features have blocked/detected.

I would appreciate some help on how to do this and, if possible, how to get it emailed to me. Thanks very much.
SupermanTB Asked:
Blue Street Tech (Last Knight) Commented:
Hi SupermanTB,

In order to receive email alerts and/or email of the entire log you need to go to Log > Automation.

Under E-mail Log Automation you can specify the email address to send logs and alerts to. Below that, under Mail Server Settings, fill in the mail server. Click Accept. You can choose alerts or logs or both; you select either one simply by entering your email address, and leaving one blank essentially disables that transmission.

Also, for Gateway AV, Intrusion Prevention, and Antispyware you should check Detect ALL for Low, Medium & High.

Let me know if you have any other questions!
SupermanTB (Author) Commented:
I do see that, thank you. I'm looking specifically to get reporting about those items. I do not see where it allows me to get reports about those three items.
Blue Street Tech (Last Knight) Commented:
Ah, for reporting you have a few other options:

A) If you have a syslog server you can connect it to that
B) CGSS comes with ViewPoint, but I believe as of late they have discontinued that
C) you can purchase Analyzer
D) you can purchase Scrutinizer
E) GSM - but this is only really useful if you have more than 10 SonicWALLs under management.

You always have the active log but if you want reports then you need a report collector.
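Option A above (pointing the firewall at a syslog server) is the one route that needs no extra license, but the raw feed is a stream of key=value lines rather than a report. The following is an added example, not code from the thread or from SonicWall: a small Python script that parses SonicOS-style key=value syslog lines, classifies the security-service messages by the prefix of the msg field (IPS, Gateway Anti-Virus, Anti-Spyware) and whether they were detections or preventions, and tallies them per service with the top source addresses. The sample lines are constructed for the example; the serial number, addresses, signature IDs and numeric message IDs (m=...) in them are illustrative, and the "Detection"/"Prevention"/"blocked" keywords used to decide the action are an assumption about the message wording, so check them against what your own unit actually emits before relying on the counts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in SonicOS key=value syslog style. Not real captures:
# serial number, IPs, sids and message IDs are placeholders for the example.
SAMPLE_SYSLOG = """\
id=firewall sn=0017C5XXXXXX time="2015-07-20 09:12:01" fw=203.0.113.10 pri=1 c=32 m=608 msg="IPS Detection Alert: WEB-ATTACKS Suspicious HTTP request" sid=1234 ipscat="WEB-ATTACKS" ipspri=2 n=17 src=198.51.100.23:51234:X1 dst=192.0.2.5:80:X0
id=firewall sn=0017C5XXXXXX time="2015-07-20 09:12:44" fw=203.0.113.10 pri=1 c=32 m=609 msg="IPS Prevention Alert: EXPLOIT Generic shellcode pattern" sid=5678 ipscat="EXPLOIT" ipspri=1 n=3 src=198.51.100.77:44100:X1 dst=192.0.2.5:443:X0
id=firewall sn=0017C5XXXXXX time="2015-07-20 10:03:17" fw=203.0.113.10 pri=1 c=32 m=794 msg="Anti-Spyware Prevention Alert: Adware.Generic" sid=9012 src=192.0.2.40:50211:X0 dst=198.51.100.200:80:X1
id=firewall sn=0017C5XXXXXX time="2015-07-20 10:15:02" fw=203.0.113.10 pri=1 c=64 m=789 msg="Gateway Anti-Virus Alert: EICAR-Test-File blocked" sid=1 src=198.51.100.9:80:X1 dst=192.0.2.40:50300:X0
id=firewall sn=0017C5XXXXXX time="2015-07-20 10:20:55" fw=203.0.113.10 pri=6 c=262144 m=98 msg="Connection Opened" src=192.0.2.40:50400:X0 dst=198.51.100.50:443:X1
"""

# key=value pairs; quoted values may contain spaces, unquoted ones end at whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# msg prefix -> report heading. The prefixes are an assumption about the
# wording SonicOS uses; adjust them to match your unit's actual messages.
SERVICES = (
    ("IPS", "Intrusion Prevention"),
    ("Gateway Anti-Virus", "Gateway AV"),
    ("Anti-Spyware", "Anti-Spyware"),
)
SERVICE_ORDER = ("Gateway AV", "Anti-Spyware", "Intrusion Prevention")


def parse_line(line):
    """Split one syslog line into a dict of its key=value fields (quotes stripped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify(msg):
    """Map a msg field to (service, action) or None for non-security-service events."""
    for prefix, service in SERVICES:
        if msg.startswith(prefix):
            # Heuristic: "Prevention" or "blocked" in the text means the firewall
            # stopped it; anything else is counted as a detection only.
            action = "prevented" if ("Prevention" in msg or "blocked" in msg) else "detected"
            return service, action
    return None


def build_report(syslog_text):
    """Return (counts, top_sources): counts keyed by (service, action),
    top_sources[service] a Counter of source IPs."""
    counts = Counter()
    top_sources = defaultdict(Counter)
    for raw in syslog_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        hit = classify(fields.get("msg", ""))
        if hit is None:
            continue  # connection opens/closes etc. are noise for this report
        service, action = hit
        counts[(service, action)] += 1
        src_ip = fields.get("src", "").split(":")[0]  # src=ip:port:iface
        top_sources[service][src_ip] += 1
    return counts, top_sources


def format_report(counts, top_sources, top_n=3):
    """Render the tallies as the plain-text summary you would email out."""
    lines = []
    for service in SERVICE_ORDER:
        detected = counts[(service, "detected")]
        prevented = counts[(service, "prevented")]
        lines.append(f"{service}: {detected} detected, {prevented} prevented")
        for ip, n in top_sources[service].most_common(top_n):
            lines.append(f"  {ip}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice read the syslog server's file for the reporting window instead.
    print(format_report(*build_report(SAMPLE_SYSLOG)))
```

Run it against the day's (or week's) syslog file instead of the embedded sample, and the resulting text is small enough to hand to smtplib or a cron-driven mail command, which gives a scheduled per-service summary without Analyzer or Scrutinizer. The split into detected versus prevented matters because the "Detect ALL" setting recommended above will make detection counts climb while the prevention counts are what actually tell you the service did something.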

Wayne88 Commented:
Damn, diverseit always beats me to SonicWall questions :)
SupermanTB (Author) Commented:
Ok, so would I be correct in saying that CGSS comes with what I purchased, along with the Analyzer, Scrutinizer, etc.?
Blue Street Tech (Last Knight) Commented:
No, you have to purchase either the Analyzer or Scrutinizer.

It's pre-built into your system much like CGSS is but you still have to license it to make it work.
Analyzer part# 01-SSC-3378, $125 (one-time cost)

Here is a comparison between the options:
http://www.sonicwall.com/us/en/products/management-reporting.html#tab=compare

Click on Analyzer to see sys req: http://www.sonicwall.com/us/en/products/Firewall-Analyzer.html#tab=specifications
SupermanTB (Author) Commented:
Thank you again for your assistance.  Ok, so if I want to run reports, I've got to purchase either the Analyzer or Scrutinizer.

Is it possible to look at the log files on the SW and only view the logs for....say just the Intrusion Prevention?
Blue Street Tech (Last Knight) Commented:
Please re-read my posts above...I was editing them while you commented. :)

Yes, you can depending on your firmware version. What firmware are you running?

If you have a recent version then you'd go to Log > Log Monitor, click on the "+" to the left of Filter View, then under Category select Security Services.

If you see a log item you'd like to filter by you can also just select the cell and click the "+" again and it will auto filter that.
SupermanTB (Author) Commented:
Reading back over your posts... I'm running firmware 5.9.0.6-3o. I've set up the Analyzer on several networks, but have only monitored bandwidth. Never used it for Intrusion Prevention, etc.
SupermanTB (Author) Commented:
Ok, so I see the Security Services filter in the log. When I do that, I do get some IPS stuff in the logs, but nothing from AntiGateway or AntiSpam. I've only had it in place for about a week. Am I to assume that it didn't detect anything, or do I have to have either the Analyzer/Scrutinizer to see that?
Blue Street Tech (Last Knight) Commented:
Yes, specifically under Multi-Threat Reporting, Attack Intelligence Reporting, and Next-Gen Syslog Reporting (Custom Reports with Drill Down Capabilities).
Blue Street Tech (Last Knight) Commented:
I verified you are on the new firmware leg so you should have all the new features of the logs amongst other numerous features.

You have to filter the time frame of the logs at the top to see what you want.

If you want to see a more real-time alert, I'd recommend setting up the alerts portion of the automation as described previously. Then you can use Exchange/Outlook Rules to filter what you care about.

Hope that helps!
SupermanTB (Author) Commented:
Ok.  Thanks again for your help.  

I just want to make sure I understand, as I don't think my previous question was clear. Is it possible for me to view logs for the Antivirus, AntiMalware & Intrusion Prevention on the SonicWall with my current firmware? If so, can you tell me how I go about doing that?
Blue Street Tech (Last Knight) Commented:
Sorry, my real job called!

The answer is unequivocally, yes.

You have to make sure to setup your logs for what exact info you want it to record. Go to Log > Settings then click the expander next to Security Services and there you will see all related services to your question. Click Apply at the top left to save the changes.

Also, see my previous comment on filtering the logs: http:#a40894334
SupermanTB (Author) Commented:
Gotcha. I'm showing you what I'm seeing. I'm trying to figure out how to read this. Not the most intuitive thing in the world.
[Screenshot: Capture.JPG]
Blue Street Tech (Last Knight) Commented:
Categories are on the left | color coding | alert type | type of logs | count | edit

That is the breakdown by column, here is what it means:
Categories - self-explanatory
Color Coding - this is really useful so that you can tell visually the difference between threats and noise or specifically prevention and detection. I code critical errors and security preventions in red, authentication in green, SSO activity in blue, etc.
Alert Type - this is where you granularly enable what type of logs to record. For example maybe you want to see everything on the Logs page (GUI) but only receive Email alerts for AV attacks. To accomplish this you'd make the dot green in the Email Column under AV and all of the dots green in the GUI column for everything else.
Count - is how many times an event has transpired for the category. In your screenshot it means that 0 AV instances, 1,518 attacks, and 589 IDP (Intrusion Detection Preventions) occurred.
Edit button - allows you to edit the category.

Make sense?
SupermanTB (Author) Commented:
Thank you very much for your help!