Configuring Auditing Records on SonicOS 6.5
05/11/2020
Configuration auditing is a feature that automatically records any configuration changes that an administrator attempts from one of the available user interfaces, web management (via HTTP and HTTPS), command line (via console or SSH), or SonicWall GMS. A configuration auditing records table is created to record all attempted configuration changes, both successful and failed. With configuration auditing, SonicOS archives the history of its configuration changes, so that the administrator or others can later revisit and analyze the records. This feature is enabled by default for the platforms where it is available.
Benefits of Configuring Auditing:
- Automatic documentation of any configuration changes performed by an administrator
- Assistance in troubleshooting unexpected changes in run-time system behavior
- Visibility, continuity, and consistency where there are several administrators, either simultaneously or consecutively. Each administrator has access to a record of changes performed or attempted by all other administrators.
- Third-party integration with Firewall Manager, SIEM systems, logging, and reporting solutions.
- Compliance with regulations such as SOX, FISMA, NIST, DISA STIG
What Information is Recorded:
- Which parameter was changed
- When the change was made
- Who made the change
- From where the change was made
- Details of the change, such as the previous and subsequent values
What Information is Not Recorded:
- Importing a Settings File - Configuration changes due to importing a settings file are currently not recorded by the configuration auditing feature. Since all current settings are cleared prior to applying imported configurations, the assumption is that all existing configurations are modified.
- WXA configuration settings — SonicOS does not audit any configuration changes in WAN Acceleration. Some settings are saved on the WXA instead of the firewall, although the settings can be configured from the SonicOS web management interface.
- ZEBOS settings for BGP/OSPF/RIP routing configurations — SonicOS stores these settings as one long string of ZEBOS CLI commands. Records of changes made by these commands are not duplicated in the configuration auditing operation.
- Anti-Spam Junk Store applications — Configuration settings changed through a proxy server running a junk store are excluded from configuration auditing.
- Licensing - All aspects of system licensing are authenticated through MySonicWall and are not recorded through configuration auditing.
- Uploading a file from MONITOR | Capture ATP | Status - Configuration auditing does not audit uploading a file from the MONITOR | Capture ATP | Status page, because the contents of this page do not reside on the firewall.
Auditing Record Storage and Persistence:
Configuration auditing records are saved to non-volatile storage (such as flash), so that records can be restored, if required, after a reboot. The number of records saved is directly proportional to the capability of the device, as defined in the product matrix below. Higher-end platforms can store more records than lower-end devices. Devices with no flash or smaller flash capacity do not support configuration auditing.
All configuration auditing records, on any platform, are deleted when the appliance is rebooted with factory defaults.
The maximum number of records that can be stored is defined according to the RAM and flash size of the appliance platform, as given in the table below.
Viewing Auditing Records:
The MANAGE | Log Settings | Auditing Records page displays all the configuration auditing records. It allows a user to view, search, and sort the records.
- The user can customize the columns by clicking the Show, Hide, or Rearrange Columns button.
- There are also buttons for Show all Columns and Reset to Default for ease of operation.
- The user can search for a specific string pattern and highlight the matched results if any are found.
- The first column is expandable to display the summary of the log entry.
- Failed configuration changes are marked in red.
- All columns are sortable.
Manually Emailing Auditing Records:
When a valid mail server and email address are configured, the user can click the email button on the toolbar of the Auditing Records page to manually email auditing records at any time. To set up email automation, see Configuring Log Automation.
The button is disabled if either the mail server or the email address is not configured under MANAGE | Log Settings | Automation.
Exporting Auditing Records:
There are two export options for auditing records. The button next to the email button on the toolbar is for exporting the records as a text file.
The next button is for exporting the records as a CSV file.
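As an added example (not part of the SonicWall documentation), the following script triages an exported auditing-records CSV: it pulls out failed attempts, changes made from outside the management network, and changes that weaken log forwarding, the kinds of checks a SIEM rule would run on these records. The column layout and the sample rows are constructed assumptions based on the fields the feature records, not SonicOS's actual export format.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Columns are an assumption: SonicOS records which
# parameter changed, when, who, from where, and old/new values, plus the result.
SAMPLE_CSV = """time,user,from,interface,parameter,old_value,new_value,result
2020-05-11 09:02:14,admin,10.0.0.5,HTTPS,Firewall/Access Rules/LAN->WAN/Action,Allow,Deny,Success
2020-05-11 09:05:40,admin,10.0.0.5,HTTPS,Network/Interfaces/X1/IP,198.51.100.2,198.51.100.3,Success
2020-05-11 23:41:03,jdoe,203.0.113.77,SSH,System/Administration/Admin Password,********,********,Failed
2020-05-11 23:41:09,jdoe,203.0.113.77,SSH,System/Administration/Admin Password,********,********,Failed
2020-05-11 23:42:55,jdoe,203.0.113.77,SSH,Log Settings/Syslog/Server,10.0.0.50,,Success
"""

# Assumption: legitimate administration hosts live on this prefix.
MGMT_NETWORK_PREFIX = "10.0.0."


def parse_records(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def review(records):
    """Classify records the way a SIEM correlation rule would."""
    findings = {"failed": [], "external_source": [], "logging_weakened": [],
                "per_admin": Counter()}
    for r in records:
        findings["per_admin"][r["user"]] += 1
        # Failed attempts are shown in red in the UI; surface them here too.
        if r["result"] != "Success":
            findings["failed"].append(r)
        # Configuration changes from outside the management network.
        if not r["from"].startswith(MGMT_NETWORK_PREFIX):
            findings["external_source"].append(r)
        # Clearing a log destination blinds downstream logging/SIEM integration.
        if r["parameter"].startswith("Log Settings/") and r["new_value"] == "":
            findings["logging_weakened"].append(r)
    return findings


if __name__ == "__main__":
    result = review(parse_records(SAMPLE_CSV))
    for category in ("failed", "external_source", "logging_weakened"):
        for r in result[category]:
            print(f"{category}: {r['time']} {r['user']}@{r['from']} {r['parameter']}")
    print("changes per admin:", dict(result["per_admin"]))
```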
Refreshing the Auditing Records Table:
The Reload Auditing Records button provides a way to refresh the page and display the latest auditing records, as seen below:
Displaying the Auditing Records on the Console:
You can click the Display Auditing Records on the Console button to display the auditing records on the console in a text format:
Auditing All Parameters During Addition:
By default, configuration auditing only logs significant changes, defined as changes where the new value of the parameter is different from the default value. You can click the Audit All Changes button to record all parameter changes during an add operation, even when the new values are the same as the default values.