-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Configuring Auditing Records on SonicOS 6.5.4.5 and above
07/28/2023 
60 People found this article helpful
476,158 Views
Description
Configuration auditing is a feature that automatically records any configuration changes that an administrator attempts from one of the available user interfaces, web management (via HTTP and HTTPS), command line (via console or SSH), or SonicWall GMS. A configuration auditing records table is created to record all attempted configuration changes, both successful and failed. With configuration auditing, SonicOS archives the history of its configuration changes, so that the administrator or others can later revisit and analyze the records. This feature is enabled by default for the platforms where it is available.
Benefits of Configuring Auditing:
- Automatic documentation of any configuration changes performed by an administrator
- Assistance in troubleshooting unexpected changes in run-time system behavior SonicOS 6.5 Logs and Reporting
- Visibility, continuity, and consistency where there are several administrators, either simultaneously or consecutively. Each administrator has access to a record of changes performed or attempted by all other administrators.
- Third-party integration with Firewall Manager, SEIM systems, logging, and reporting solutions.
- Compliance with regulations such as SOX, FISMA, NIST, DISA STIP
What Information is Recorded:
- Which parameter was changed
- When the change was made
- Who made the change
- From where the change was made
- Details of the change, such as the previous and subsequent values
What Information is Not Recorded:
- Importing a Settings File - Configuration changes due to importing a settings file are currently not recorded by the configuration auditing feature. Since all current settings are cleared prior to applying imported configurations, the assumption is that all existing configurations are modified.
- WXA configuration settings — SonicOS does not audit any configuration changes in WAN Acceleration. Some settings are saved on the WXA instead of the firewall, although the settings can be configured from the SonicOS web management interface.
- ZEBOS settings for BGP/OSPF/RIP routing configurations — SonicOS stores these settings as one long string of ZEBOS CLI commands. Records of changes made by these commands are not duplicated in the configuration auditing operation.
- Anti-Spam Junk Store applications — Configuration settings changed through a proxy server running a junk store are excluded from configuration auditing.
- Licensing - All aspects of system licensing are authenticated through MySonicWall and are not recorded through configuration auditing.
- Uploading a file from MONITOR | Capture ATP / Status - Configuration auditing does not audit uploading a file from the MONITOR | Capture ATP | Status page, because the contents of this page do not reside on the firewall.
Auditing Record Storage and Persistence:
Configuration auditing records are saved to non-volatile storage (such as flash), so that records can be restored, if required, after a reboot. The number of records saved is directly proportional to the capability of the device, as defined in the product matrix below. Higher-end platforms can store more records than lower-end devices. Devices with no flash or smaller flash capacity do not support configuration auditing.
All configuration auditing records, on any platform, are deleted when the appliance is rebooted with factory defaults.
The maximum number of records that can be stored is defined according to the RAM and flash size of the appliance platform, as given in the table below.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Viewing Auditing Records:
By navigating to Monitor > Logs > Auditing Logs page displays all the configuration auditing records. It allows a user to view, search, and sort the records.
- The first column is expandable to display the summary of the log entry.
- There are also buttons for Select all Columns and Restore Default for ease of operation. Click Grid Settings icon to perform the desired action.
- The user can search for a specific string pattern and highlight the matched results, if any are found.
- Failed configuration changes are marked in red.
- All columns are sortable.
Manually Emailing Auditing Records:
When a valid mail server and email address are configured, the user can click the email button on the tool bar of the Auditing Records page to manually email auditing records at any time. The button is disabled if either the mail server or the email address is not configured under Device > Log > Automation.
The Device > Log > Automation page includes settings for configuring the SonicWall to send log files using Email and configuring mail server settings.
Exporting Auditing Records:
There are two export options for auditing records. You can export the records as a text file or as a CSV file.
Refreshing the Auditing Records Table:
The Refresh button provides a way to refresh the page and display the latest auditing records, as seen below:
Displaying the Auditing Records on the Console:
Click Supplemental > Display Auditing Records on Console option to display the auditing records on the console in a text format.
Auditing All Parameters During Addition:
By default, configuration auditing only logs significant changes, defined as changes where the new value of the parameter is different from the default value. Click Supplemental > Audit Supplemental Parameter Changes option to record all parameter changes during an addition activity, even when the new values are the same as the default values.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Viewing Auditing Records:
The MANAGE | Log Settings | Auditing Records page displays all the configuration auditing records. It allows a user to view, search, and sort the records.
- The user can customize the columns by clicking the Show, Hide, or Rearrange Columns button.
- There are also buttons for Show all Columns and Reset to Default for ease of operation.
- The user can search for a specific string pattern and highlight the matched results if any are found.
- The first column is expandable to display the summary of the log entry.
- Failed configuration changes are marked in red.
- All columns are sortable.
Manually Emailing Auditing Records:
When a valid mail server and email address are configured, the user can click the email button on the toolbar of the Auditing Records page to manually email auditing records at any time. To set up email automation, see Configuring Log Automation
The button is disabled if either the mail server or the email address is not configured under Manage | Log Settings | Automation.
Exporting Auditing Records:
There are two export options for auditing records. The button next to the email button on the toolbar is for exporting the records as a text file.
The next button is for exporting the records as a CSV file.
Refreshing the Auditing Records Table:
The Reload Auditing Records button provides a way to refresh the page and display the latest auditing records, as seen below:
Displaying the Auditing Records on the Console:
You can click the Display Auditing Records on the Console button to display the auditing records on the console in a text format:
Auditing All Parameters During Addition:
By default, configuration auditing only logs significant changes, defined as changes where the new value of the parameter is different from the default value. You can click the Audit All Changes button to record all parameter changes during an additional activity, even when the new values are the same as the default values.
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
YES
NO