Reporting_Firewall

Firewall Reporting Overview

The Reports available under the Firewall tab provide specific information on data gathered by the SonicWALL GMS interface.

For a general introduction to reporting, see the Dell SonicWALL GMS Reporting Overview.

The Firewall reports display either summary or unit views of connections, bandwidth, uptime, intrusions and attacks, and SRA usage, displayed in a Data Container. Information can be viewed in either chart (timeline or pie chart) form, or tabular (grid) format. The list of available reports allows you to navigate to a high-level or specific view.

All of the reports in SonicWALL GMS report on data gathered on a specific date or range of dates. Data can be filtered by time constraints and data filters.

Benefits of Firewall Reporting

Firewall Reports allow you to access both real-time and historical reports and view all activity on SonicWALL Internet security appliances. By monitoring network access, logins, and sites accessed, you can enhance system security, monitor internet usage, and anticipate future bandwidth needs.

You can gain more information from the display, simply by hovering the mouse pointer over certain sections. Additionally, by clicking on selected sections of a pie chart or bar-graph timeline view, you can view more information or view different aspects of the information presented.

Firewall Reports Tab

The Firewall tab gives you access to the Firewall’s reports section of the SonicWALL GMS management interface. Reporting supports both graph and non-graph reports, and allows you to filter data according to what you wish to view. It supports multiple product-licensing models.

Firewall Reports provide the following features:

You can view Reports either as Summary reports for all or selected units on the SonicWALL GMS network, or view detailed reports for individual units.

Viewing Available Firewall Report Types

To view the available types of reports for the Firewall appliances, perform the following steps:

  1. Log into your GMS management console.
  2. Click the Firewall tab.
  3. Select an appliance, global view, or group of appliances from the TreeControl.
  4. Click the Reports tab on the top of the screen.
  5. Expand the desired selection on the Reports list and click on it.

Note: All Reports show a one-day period unless another interval is specified in the Time Bar.

The following types of reports are available:

Global Level Reports:

Note: Summary Reports are not drillable and no Detail view is available.

Unit Level Reports

Detail views are available for all Report items unless otherwise noted.

Understanding the Data Container

The Report contains a filter bar at the top, plus the actual Data Container. The default Data Container contains an interactive chart view, which contains either a grid view, containing a text version of the information. One or more sections may be present in the grid view. Toggle buttons allow you to display the Chart view, Grid view, or Chart and Grid view.

Grid sections are arranged in columns. Columns may be rearranged to view them from the top down or bottom up, by clicking the up and down arrows in the column headings. You can narrow results by applying a filter to a column: right-click on a column heading and click Add Filter.

Hypertext-linked columns are drillable, meaning you can click on the hypertext entry to bring up a Detail view with more information on the desired entry. Detail views might have multiple sections.

The Detail views are usually reflected in the sub-headings under the Reports list, which provide a shortcut directly to the Detail Report. To go to the full Detail view, click the Details entry in the Reports list. From the Detail view, you can access the system logs, for event-by-event information, or further filter the results. For more information on using the Log Analyzer to view and filter syslog reports, see the Using the Log Analyzer.

Details views can contain multiple sections. To determine if you have reached the end of the list of sections, check for the time zone message, which indicates the end of the Detail View.

Reports with hyperlinked columns can be filtered on the column or by drilling down on the hyperlinked entry.

You can also get to a filtered Detail view by clicking the section representing the desired information in the pie chart.

To save a filtered view for later viewing, click on the Save icon on the Filter Bar. The saved view will now appear under Custom Reports.

To learn more about Custom reports, see the Custom Reports

How to View Firewall Reports

The Firewall Summary reports display an overview of bandwidth, uptime, intrusions and attacks, and SRA usage for managed SonicWALL Firewall appliances. The security summary report provides data about worldwide security threats that can affect your network. The summaries also display data about threats blocked by the SonicWALL security appliance.

You can view Firewall Reports as either as global or group summary reports, or by individual unit:

Viewing Global Summary Reports

Summary reports for data usage, applications, web usage and filtering, VPN usage, and threats for managed SonicWALL appliances are available at the global level, through the TreeControl menu. Summary reports are available for:

Group-level Summary reports provide an overview of information for all Firewalls under the group node for the specified period. The report covers the connections and transfers by appliance for Data Usage, App Control, and VPN Usage, For Web Usage and Web Filters, hits are also included. Web filters and Threats list attempts at connection. Unless specified differently in the Date Selector, the Summary report covers a single day. Global Summary reports are not drillable.

To view the Summary report, perform the following steps:

  1. Click the Reports tab.
  2. Select the global icon or a group of appliances.
  3. Click Data Usage > Summary.

The timelines at the top of the page display the totals, and the grid section sorts the information by appliance or applications.





Similar summary reports are available for all the Global or Group reports specified above.

Viewing Unit Level Status Reports

Unit level reports display status for an individual SonicWALL appliance. From this information, you can locate trouble spots within your network, such as a SonicWALL appliance that is having network connectivity issues caused by the ISP. You can also monitor web usage, including attempts to reach filtered sites, as well as incoming attacks on your network.

Note: Global reports are displayed in the GMS’s timezone. Reports for individual SonicWALL security appliances are displayed in the individual appliance’s time zone.

Viewing Data Usage Reports

The default Data Usage report displays a timeline for hours that the selected SonicWALL appliance was online and functional during the time period with connections, transferred connections, and cost displayed.

  1. Click the Reports tab.
  2. Select the global icon, a group, or a SonicWALL appliance.

Click Data Usage > Timeline. (This is the default view when the Firewall Report interface comes up.)





This report is drillable. Click on an Initiator IP entry to break the Timeline report down into its Detail View report groups for the selected IP address. These groups also contain drillable hyperlinks that will take you to more specific Detail View information. The columns can also be filtered on. For more information on drilling down in a report, refer to Drilling Down

The following Section entries are available:

Viewing User Activity Logs

Web User Activity logs allow you to filter results to view only the activity of a specific user.

The User Activity Analyzer provides a detailed report listing activity filtered by user. If a user report has been saved previously, bringing up the User Activity Analyzer will display a list of saved reports under the Filter Bar.

If you wish to create a new report, use the Filter Bar to create a new report.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click on User Activity > Details to bring up the User Activity Analyzer. The User Activity Analyzer generates a Detail report based on the user name.




  4. If no user activity reports were saved, only the Filter Bar will display, with the User filter pre-selected. You can enter a specific user name, or use the LIKE operator wildcards (*) to match multiple names.

  5. Enter the name of the user into the field and click the Go (arrow) button to generate the report

The customized User Activity Details report will display a timeline of events, Initiators, Responders, Services, Applications, Sites visited, Blocked site access attempted, VPN access policy in use, user authentication, Intrusions, Initiator Countries, and Responder Countries associated with that particular user.

Data for a particular user may not be available for all of these categories.

Viewing Applications Reports

Application Reports provide details on the applications detected and blocked by the firewall, and their associated threat levels.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Application > Data Usage.

The Applications Report displays a pie chart with the application and threat level it poses.





You can drill down for additional Details views on connections over time (Timeline view), Data Usage, Detected applications, Blocked applications, Categories of applications, top initiators.

Viewing Web Activity Reports

Web Activity Reports provide detailed reports on browsing history.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Web Activity > Categories.

The Web Activity Report displays a pie chart with the Top Categories of type of access, total browse time, and hits.

You can drill down for additional Details views on connections over time (Timeline view), Sites visited, Categories of sites, and Top Initiators. A Details entry links directly to the details view of all entries.

Viewing Web Filter Reports

Web Filter Reports provide detailed reports on attempts to access blocked sites and content.

  1. Click the Reports tab.
  2. Select the global icon, a group, or a SonicWALL appliance.
  3. Click Web Filter > Categories.

The Web Filter Report displays a pie chart with the Top Categories of blocked access and total attempts to access.





You can drill down for additional Details views on connections over time (Timeline view), Sites visited, Categories of sites, and Top initiators. A Details entry links directly to the details view of all entries.

Viewing VPN Usage Reports

VPN usage reports provide details on the services and policies used by users of virtual private networks.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click VPN Usage > Policies.

The VPN Usage Report displays total connections for each VPN Policy item as a pie chart and tabular grid view.





You can drill down for additional Details views on Service protocols and Top initiators.

Viewing Intrusions Reports

Intrusion Reports provide details on types of intrusions and blocked access attempts.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Intrusions > Detected.

The Attacks report provides a pie chart and a list of the initiating IP addresses, hosts, and users, with number of attempts for each.





Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected, Target Countries, and Initiator Countries.

Viewing Gateway Viruses Reports

The Gateway Viruses reports provide details on the Top Viruses that were blocked when attempting to access the firewall.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Gateway Viruses > Blocked.

The Top Viruses report appears.

The report provides details on the viruses blocked, the targets, initiators, and a timeline of when they attempted access.





Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator Countries.

Viewing Spyware Reports

The Spyware report gives details of the spyware that was detected and/or blocked, the targets, initiators, and a timeline of when they attempted access.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Spyware > Detected.

The report provides details on the types of spyware detected and blocked, targets.

Drilling down provides a list of virus identity, Targets, Initiators, Target Countries, and Initiator Countries.Drilling down lists countries of origin, and target countries.

Viewing Attacks Report

The Attacks report lists attempts to gain access, target systems, initiators, and a timeline of when the attack occurred.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Attacks > Attempts.

The Attacks report provides a pie chart and a list of the initiating IP addresses and hosts.





Drill down for additional Detail views of Intrusion Categories, Targets, Initiators, Ports affected, Target Countries, and Initiator Countries.

Viewing Authentication Reports

Authentication reports provide information on users attempting to access the Firewall.

  1. Click the Reports tab.
  2. Select a SonicWALL appliance.
  3. Click Authentication > User Login.

The Authentication report displays a list of authenticated users, their IP addresses, service, time they were logged in, and type of login/logout. Additional Reports are available for Administrator logins and failed login attempts.





Clicking on hyperlinks provides additional filtering for the reports.

You can filter on the Service to view SRA and other appliances by drilling down to the syslog.

  1. Go to the filter bar and click on the + and select Service from the pull-down menu. Click on the = operator, and click on the field next to it to bring up the pull-down menu. Select SSLVPN from the pull-down



    list
  2. Click Go to view a report for that Service.

Note: For the Duration and Service categories to be present, the Firewall appliance firmware must be at least version 5.6.0.

Viewing Flow Activity Reports

The Flow Activity Reports offers administrators an effective and efficient interface to visually monitor their network in real time, providing effective flow charts of real-time data, customizable rules, and flexible interface settings. With the Flow Activity Reports, administrators can efficiently view and sort real-time network and bandwidth data in order to:

The GMS management interface includes the following for Flow Activity: