Support on SonicWall Products, Services and Solutions
Browse Knowledgebase by Category
NTP synchronizations showing in Attack Report
03/26/2020 
1042 
7663
DESCRIPTION:
This article describes the issue with seeing NTP Synchronization attempts and successes in the Attack Reports of Analyzer and GMS.
CAUSE:
The general cause of this issue is the SonicWall UTM appliances sending Syslogs with 0.0.0.0 as the IP in the src= field. The GMS/Analyzer then interpets this as an attack and puts it in the attack report.
Example:
<133>id=firewall sn=0017CXXXXXXX time="2016-05-23 20:59:35 UTC" fw=XXX.XXX.XXX.229 pri=5 c=128 m=1232 msg="NTP Request sent" n=51 src=0.0.0.0:123:X0 dst=130.207.244.240:123:X1:navobs1.gatech.edu note="Send request to NTP server 130.207.244.240"
RESOLUTION:
Workaround:
Log into the SonicWall UTM appliance and disable Syslog ID messages 1231 and 1232 (Only available on 5.9 and 6.2 firmwares)
-Or-
Log into the GMS go to Console | Reports | Syslog Filter and add m= 1231 and another for m=1232
Resolution:
Upgrade Gen5 SonicWall UTM appliances to 5.9.1.6 and beyond
Upgrade Gen6 to latest 6.2 version
