Reporting_Firewall
Firewall Reporting Overview
The Reports available under the Firewall tab provide specific information on data gathered by the SonicWALL GMS interface.
For a general introduction to reporting, see the Dell SonicWALL GMS Reporting Overview.
The Firewall reports display either summary or unit views of connections, bandwidth, uptime, intrusions and attacks, and SRA usage, displayed in a Data Container. Information can be viewed in either chart (timeline or pie chart) form, or tabular (grid) format. The list of available reports allows you to navigate to a high-level or specific view.
All of the reports in SonicWALL GMS report on data gathered on a specific date or range of dates. Data can be filtered by time constraints and data filters.
Benefits of Firewall Reporting
Firewall Reports allow you to access both real-time and historical reports and view all activity on SonicWALL Internet security appliances. By monitoring network access, logins, and sites accessed, you can enhance system security, monitor internet usage, and anticipate future bandwidth needs.
You can gain more information from the display, simply by hovering the mouse pointer over certain sections. Additionally, by clicking on selected sections of a pie chart or bar-graph timeline view, you can view more information or view different aspects of the information presented.
Firewall Reports Tab
The Firewall tab gives you access to the Firewall’s reports section of the SonicWALL GMS management interface. Reporting supports both graph and non-graph reports, and allows you to filter data according to what you wish to view. It supports multiple product-licensing models.
Firewall Reports provide the following features:
You can view Reports either as Summary reports for all or selected units on the SonicWALL GMS network, or view detailed reports for individual units.
Viewing Available Firewall Report Types
To view the available types of reports for the Firewall appliances, perform the following steps:
Note: All Reports show a one-day period unless another interval is specified in the Time Bar.
The following types of reports are available:
Global Level Reports:
Note: Summary Reports are not drillable and no Detail view is available.
Unit Level Reports
Detail views are available for all Report items unless otherwise noted.
Understanding the Data Container
The Report contains a filter bar at the top, plus the actual Data Container. The default Data Container contains an interactive chart view, which contains either a grid view, containing a text version of the information. One or more sections may be present in the grid view. Toggle buttons allow you to display the Chart view, Grid view, or Chart and Grid view.
Grid sections are arranged in columns. Columns may be rearranged to view them from the top down or bottom up, by clicking the up and down arrows in the column headings. You can narrow results by applying a filter to a column: right-click on a column heading and click Add Filter.
Hypertext-linked columns are drillable, meaning you can click on the hypertext entry to bring up a Detail view with more information on the desired entry. Detail views might have multiple sections.
The Detail views are usually reflected in the sub-headings under the Reports list, which provide a shortcut directly to the Detail Report. To go to the full Detail view, click the Details entry in the Reports list. From the Detail view, you can access the system logs, for event-by-event information, or further filter the results. For more information on using the Log Analyzer to view and filter syslog reports, see the Using the Log Analyzer.
Details views can contain multiple sections. To determine if you have reached the end of the list of sections, check for the time zone message, which indicates the end of the Detail View.
Reports with hyperlinked columns can be filtered on the column or by drilling down on the hyperlinked entry.
You can also get to a filtered Detail view by clicking the section representing the desired information in the pie chart.
To save a filtered view for later viewing, click on the Save icon on the Filter Bar. The saved view will now appear under Custom Reports.
To learn more about Custom reports, see the Custom Reports
How to View Firewall Reports
The Firewall Summary reports display an overview of bandwidth, uptime, intrusions and attacks, and SRA usage for managed SonicWALL Firewall appliances. The security summary report provides data about worldwide security threats that can affect your network. The summaries also display data about threats blocked by the SonicWALL security appliance.
You can view Firewall Reports as either as global or group summary reports, or by individual unit:
Viewing Global Summary Reports
Summary reports for data usage, applications, web usage and filtering, VPN usage, and threats for managed SonicWALL appliances are available at the global level, through the TreeControl menu. Summary reports are available for:
Group-level Summary reports provide an overview of information for all Firewalls under the group node for the specified period. The report covers the connections and transfers by appliance for Data Usage, App Control, and VPN Usage, For Web Usage and Web Filters, hits are also included. Web filters and Threats list attempts at connection. Unless specified differently in the Date Selector, the Summary report covers a single day. Global Summary reports are not drillable.
To view the Summary report, perform the following steps:
The timelines at the top of the page display the totals, and the grid section sorts the information by appliance or applications.
Similar summary reports are available for all the Global or Group reports specified above.
Viewing Unit Level Status Reports
Unit level reports display status for an individual SonicWALL appliance. From this information, you can locate trouble spots within your network, such as a SonicWALL appliance that is having network connectivity issues caused by the ISP. You can also monitor web usage, including attempts to reach filtered sites, as well as incoming attacks on your network.
Note: Global reports are displayed in the GMS’s timezone. Reports for individual SonicWALL security appliances are displayed in the individual appliance’s time zone.
Viewing Data Usage Reports
The default Data Usage report displays a timeline for hours that the selected SonicWALL appliance was online and functional during the time period with connections, transferred connections, and cost displayed.
Click Data Usage > Timeline. (This is the default view when the Firewall Report interface comes up.)
This report is drillable. Click on an Initiator IP entry to break the Timeline report down into its Detail View report groups for the selected IP address. These groups also contain drillable hyperlinks that will take you to more specific Detail View information. The columns can also be filtered on. For more information on drilling down in a report, refer to Drilling Down
The following Section entries are available:
Viewing User Activity Logs
Web User Activity logs allow you to filter results to view only the activity of a specific user.
The User Activity Analyzer provides a detailed report listing activity filtered by user. If a user report has been saved previously, bringing up the User Activity Analyzer will display a list of saved reports under the Filter Bar.
If you wish to create a new report, use the Filter Bar to create a new report.
If no user activity reports were saved, only the Filter Bar will display, with the User filter pre-selected. You can enter a specific user name, or use the LIKE operator wildcards (*) to match multiple names.
The customized User Activity Details report will display a timeline of events, Initiators, Responders, Services, Applications, Sites visited, Blocked site access attempted, VPN access policy in use, user authentication, Intrusions, Initiator Countries, and Responder Countries associated with that particular user.
Data for a particular user may not be available for all of these categories.
Viewing Applications Reports
Application Reports provide details on the applications detected and blocked by the firewall, and their associated threat levels.
The Applications Report displays a pie chart with the application and threat level it poses.
You can drill down for additional Details views on connections over time (Timeline view), Data Usage, Detected applications, Blocked applications, Categories of applications, top initiators.
Viewing Web Activity Reports
Web Activity Reports provide detailed reports on browsing history.
The Web Activity Report displays a pie chart with the Top Categories of type of access, total browse time, and hits.
You can drill down for additional Details views on connections over time (Timeline view), Sites visited, Categories of sites, and Top Initiators. A Details entry links directly to the details view of all entries.
Viewing Web Filter Reports
Web Filter Reports provide detailed reports on attempts to access blocked sites and content.
The Web Filter Report displays a pie chart with the Top Categories of blocked access and total attempts to access.
You can drill down for additional Details views on connections over time (Timeline view), Sites visited, Categories of sites, and Top initiators. A Details entry links directly to the details view of all entries.
Viewing VPN Usage Reports
VPN usage reports provide details on the services and policies used by users of virtual private networks.
The VPN Usage Report displays total connections for each VPN Policy item as a pie chart and tabular grid view.
You can drill down for additional Details views on Service protocols and Top initiators.
Viewing Intrusions Reports
Intrusion Reports provide details on types of intrusions and blocked access attempts.
The Attacks report provides a pie chart and a list of the initiating IP addresses, hosts, and users, with number of attempts for each.
Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected, Target Countries, and Initiator Countries.
Viewing Gateway Viruses Reports
The Gateway Viruses reports provide details on the Top Viruses that were blocked when attempting to access the firewall.
The Top Viruses report appears.
The report provides details on the viruses blocked, the targets, initiators, and a timeline of when they attempted access.
Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator Countries.
Viewing Spyware Reports
The Spyware report gives details of the spyware that was detected and/or blocked, the targets, initiators, and a timeline of when they attempted access.
The report provides details on the types of spyware detected and blocked, targets.
Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator Countries.Drilling down lists countries of origin, and target countries.
Viewing Attacks Report
The Attacks report lists attempts to gain access, target systems, initiators, and a timeline of when the attack occurred.
The Attacks report provides a pie chart and a list of the initiating IP addresses and hosts.
Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected, Target Countries, and Initiator Countries.
Viewing Authentication Reports
Authentication reports provide information on users attempting to access the Firewall.
The Authentication report displays a list of authenticated users, their IP addresses, service, time they were logged in, and type of login/logout. Additional Reports are available for Administrator logins and failed login attempts.
Clicking on hyperlinks provides additional filtering for the reports.
You can filter on the Service to view SRA and other appliances by drilling down to the syslog.
Note: For the Duration and Service categories to be present, the Firewall appliance firmware must be at least version 5.6.0.
Viewing Flow Activity Reports
The Flow Activity Reports offers administrators an effective and efficient interface to visually monitor their network in real time, providing effective flow charts of real-time data, customizable rules, and flexible interface settings. With the Flow Activity Reports, administrators can efficiently view and sort real-time network and bandwidth data in order to:
The GMS management interface includes the following for Flow Activity: