Troubleshooting SonicWall Firewall

Common Issues and Solutions

Installation Issues

Issue: Integration fails to install

  • Solution: Verify Logpoint version compatibility (v6.7.4 or later)

  • Solution: Check available disk space and system resources

  • Solution: Ensure proper administrative privileges

Issue: Integration not visible after installation

  • Solution: Refresh the browser and check under Settings >> System Settings >> Plugins

  • Solution: Restart Logpoint if necessary

Configuration Issues

Issue: Cannot configure syslog forwarding on SonicWall device

  • Solution: Verify you have administrative access to SonicWall device

  • Solution: Ensure Logpoint IP address is reachable from SonicWall device

  • Solution: Check firewall rules allow syslog traffic (typically UDP port 514)

  • Solution: Consult SonicWall documentation for proper syslog configuration

Issue: Wrong normalizer selected

  • Solution: Use SonicFirewallCompiledNormalizer for standard SonicWall logs

  • Solution: Use SonicWallAventailCompiledNormalizer for SonicWall Aventail logs

  • Solution: Verify log format from SonicWall matches selected normalizer

Issue: Processing policy configuration errors

  • Solution: Ensure normalization policy is created before processing policy

  • Solution: Verify the correct normalizer is selected in the normalization policy

  • Solution: Check that routing and enrichment policies are properly configured

Data Ingestion Issues

Issue: No logs being ingested

  • Solution: Verify SonicWall device is configured to forward syslog to Logpoint

  • Solution: Check if syslog service is running on SonicWall device

  • Solution: Confirm syslog collector is active in Logpoint

  • Solution: Test network connectivity from SonicWall to Logpoint

  • Solution: Verify SonicWall syslog configuration includes correct destination IP and port

Issue: Incomplete log ingestion

  • Solution: Check routing criteria configuration - ensure it matches SonicWall log structure

  • Solution: Verify the correct normalizer and normalization packages are selected

  • Solution: Monitor collector logs for errors or warnings

  • Solution: Check if specific log types are disabled on SonicWall

Issue: Logs not normalized correctly

  • Solution: Verify appropriate Compiled Normalizer is selected (SonicFirewallCompiledNormalizer or SonicWallAventailCompiledNormalizer)

  • Solution: Check log format matches expected format

  • Solution: Ensure SyslogParser is selected as the parser

  • Solution: Verify SonicWall firmware version is supported

Issue: Date/timestamp parsing errors

  • Solution: Check SonicWall timezone configuration matches Logpoint device timezone

  • Solution: Ensure date and time fields are present in SonicWall logs

  • Solution: Verify timestamp format in logs matches expected format

Dashboard and Analytics Issues

Issue: Dashboard widgets not displaying data

  • Solution: Verify repository selection matches where SonicWall logs are stored

  • Solution: Check time range settings on dashboard

  • Solution: Confirm normalization is working correctly using search query: norm_id = "Sonic*"

  • Solution: Ensure device timezone matches log source timezone

Issue: Bandwidth widgets showing no data

  • Solution: Verify traffic logs are being generated by SonicWall

  • Solution: Check that byte count fields are populated

  • Solution: Ensure bandwidth logging is enabled on SonicWall

  • Solution: Verify bandwidth calculation fields are being normalized correctly

Issue: User activity widgets showing no data

  • Solution: Verify user authentication logging is enabled on SonicWall

  • Solution: Check that user field is populated in logs

  • Solution: Ensure authentication events are being forwarded

  • Solution: Verify user activity normalization is working correctly

Issue: Severity widgets showing incorrect data

  • Solution: Verify severity field is being parsed correctly

  • Solution: Check severity value mapping (0=High to 7=Low)

  • Solution: Ensure severity levels are configured on SonicWall

  • Solution: Verify severity normalization matches SonicWall format

Issue: Geographic data not appearing

  • Solution: Verify GeoIP enrichment policy is configured in Logpoint

  • Solution: Check that source_address and destination_address fields are populated

  • Solution: Ensure GeoIP database is up to date in Logpoint

  • Solution: Verify IP addresses are public (not RFC 1918 private IPs)
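The timestamp, severity and GeoIP checks above can be run against a few captured raw syslog lines before looking at Logpoint itself. The following is an added example, not part of the Logpoint integration; the raw key names (time, pri, src, dst), the timestamp layout and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines. The raw keys (time, pri, src, dst) and the
# "YYYY-MM-DD HH:MM:SS" timestamp layout are assumptions, not from this page.
SAMPLES = [
    '<134>id=firewall sn=PLACEHOLDER time="2024-05-01 10:15:30" pri=6 msg="Connection Closed" src=192.168.1.10:51234:X0 dst=8.8.8.8:53:X1',
    '<134>id=firewall sn=PLACEHOLDER pri=9 msg="Connection Opened" src=10.0.0.5:40000:X0 dst=172.16.0.9:443:X2',
    '<134>id=firewall sn=PLACEHOLDER time="2024-05-01 10:16:02" pri=1 msg="Web access" src=8.8.8.8:53:X1 dst=1.1.1.1:53:X1',
]

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line):
    """Split a key=value syslog payload into a dict, honouring quoted values."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}


def triage(line):
    """Return the checks from this page that the raw line would fail."""
    fields, findings = parse(line), []
    try:
        datetime.strptime(fields.get("time", "")[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        findings.append("time field missing or in an unexpected format")
    pri = fields.get("pri", "")
    if not (pri.isdigit() and 0 <= int(pri) <= 7):
        findings.append(f"pri={pri!r} is outside the 0-7 severity range")
    for key in ("src", "dst"):
        host = fields.get(key, "").split(":")[0]  # IPv4 "addr:port:iface" assumed
        try:
            # is_global is stricter than RFC 1918: it also excludes loopback,
            # link-local, CGNAT and documentation ranges.
            if not ipaddress.ip_address(host).is_global:
                findings.append(f"{key} {host} is not public, no GeoIP data expected")
        except ValueError:
            findings.append(f"{key} field missing or not an IP address")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample) or "ok")
```

A private source with a public destination is normal for outbound traffic; the finding only explains why that side of the event carries no geographic data.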

Issue: Administrative tasks widget empty

  • Solution: Verify administrative action logging is enabled on SonicWall

  • Solution: Check that admin events are being generated

  • Solution: Ensure admin user actions are logged

  • Solution: Verify event_type field contains "admin" value

Alert Issues

Issue: Alerts not triggering

  • Solution: Review alert queries and ensure they match SonicWall log format

  • Solution: Check alert policy configuration and notification settings

  • Solution: Verify logs contain expected fields for alert matching

  • Solution: Test alert query manually in search to confirm matching events exist

Issue: False positive alerts

  • Solution: Tune alert thresholds to reduce noise

  • Solution: Add exclusion criteria for known benign events

  • Solution: Review alert query logic for overly broad matching

  • Solution: Implement correlation rules for more accurate detection

Performance Issues

Issue: Slow query performance

  • Solution: Optimize queries by adding time range constraints

  • Solution: Use indexed fields in search queries where possible

  • Solution: Consider data retention policies to manage repository size

  • Solution: Filter by specific event types to reduce scope

Issue: High resource usage

  • Solution: Monitor syslog collector resource consumption

  • Solution: Implement log filtering using routing criteria to reduce unnecessary data ingestion

  • Solution: Monitor and tune normalization policies

  • Solution: Consider adjusting SonicWall logging levels to reduce volume

Issue: High log volume from SonicWall

  • Solution: Adjust logging levels on SonicWall to reduce verbosity

  • Solution: Disable logging for low-priority events

  • Solution: Configure SonicWall to log only security-relevant events

  • Solution: Use log filtering on SonicWall before forwarding to Logpoint

  • Solution: Implement selective routing criteria in Logpoint

Event-Specific Issues

Issue: Connection events not appearing

  • Solution: Verify connection logging is enabled on SonicWall

  • Solution: Check that connection tracking is active

  • Solution: Ensure firewall policies include logging

  • Solution: Verify connection detail fields are populated

Issue: Port scan detection not working

  • Solution: Verify IPS features are enabled on SonicWall

  • Solution: Check that port scan detection is configured

  • Solution: Ensure intrusion prevention signatures are up to date

  • Solution: Verify message field contains port scan indicators

Issue: Upload/download events missing

  • Solution: Verify file transfer logging is enabled

  • Solution: Check that action field captures upload/download operations

  • Solution: Ensure content inspection is active

  • Solution: Verify data size fields are being populated

Integration-Specific Issues

Issue: SMA (Secure Mobile Access) logs not normalizing

  • Solution: Verify LP_SonicWall SMA normalization package is selected

  • Solution: Check SMA log format compatibility

  • Solution: Ensure SMA is forwarding logs correctly

  • Solution: Verify network connectivity from SMA to Logpoint

Issue: Multiple SonicWall devices logging inconsistently

  • Solution: Ensure all SonicWall devices use consistent syslog configuration

  • Solution: Verify firmware versions are compatible across devices

  • Solution: Check that logging settings are uniform across devices

  • Solution: Use device-specific normalization if needed

Issue: Aventail-specific logs not processing

  • Solution: Verify SonicWallAventailCompiledNormalizer is selected

  • Solution: Check Aventail log format matches expected structure

  • Solution: Ensure Aventail-specific fields are being captured

  • Solution: Verify Aventail devices are forwarding logs to Logpoint


Uninstalling SonicWall Firewall

If you need to remove the SonicWall Firewall integration:

  1. Remove Configuration Dependencies

    • Delete or modify any dashboards using SonicWall data

    • Remove alert rules based on SonicWall events

    • Disable collectors fetching SonicWall logs

    • Remove device configurations for SonicWall

  2. Uninstall the Integration

    1. Go to Settings >> System Settings >> Applications.

    2. Locate the SonicWall Firewall integration.

    3. Click the Uninstall icon from the Actions column.

Note: You must remove all SonicWall Firewall configurations before the integration can be completely deleted.
