SonicOS New CFS and New Logging Bugs


Scott Glew

Scott Glew

SonicWALL have released a firmware update ( that features a complete re-working of their Content Filtering System (CFS), as well as a new sandboxing feature called Capture Advanced Threat Protection (ATP) feature.

These new features are amazing, but there is a problem we'd like all our customers to be aware of before upgrading.

Update #1: We’ve been notified that SonicWALL have fixed this issue described below in a hotfix (–HF176616-1n). Customers can request this via SonicWALL support now, and it will be included in generally.

Update #2: We’ve tested the hotfix and unfortunately there is another logging issue. The size values go from crazy-huge (see below) to crazy-small. SonicWALL are aware of the issue and are working towards a fix.

Update #3: SonicWall released another hotfix for the tiny size values ( This only fixes the problem but only for normal HTTP traffic. HTTPS traffic going through DPI-SSL is still logged with tiny size values. This issue is also present in the newer release.

Update #4: SonicWall released another hotfix for the small size values in DPI-SSL traffic. The hotfix to request from SonicWall support is SonicOS But please be aware of another logging issue in this firmware version that affects reporting on Google searches.

Received Size Logging Bug in SonicOS

Unfortunately, there is an issue with the syslog messages sent to Fastvue Reporter for SonicWALL, where most of the 'received size' values are astronomically large.

Here are two log lines sent by SonicWALL running SonicOS

id=firewall sn=18B1691F9960 time="2016-08-09 12:50:26 UTC" fw= pri=6 c=1024 m=97 app=11 n=304 src= dst= srcMac=28:cf:da:ef:f9:2c dstMac=18:b1:69:1f:99:60 proto=tcp/https sent=517 **rcvd=7562717807960391680** arg=/ code=58 Category="Social Networking"

id=firewall sn=18B1691F9960 time="2016-08-09 15:34:15 UTC" fw= pri=6 c=1024 m=97 app=11 n=4722 src= dst= srcMac=28:cf:da:ef:f9:2c dstMac=18:b1:69:1f:99:60 proto=tcp/https sent=225 rcvd=5367667152344055808 arg=/ code=15 Category="Business and Economy"

Note the "rcvd" field. The values here are 7562717807960391680 and 5367667152344055808 respectively.

Affected Reports in Fastvue Reporter for SonicWALL

In Fastvue Reporter for SonicWALL, you will probably first encounter the affects of this problem on the Overview Dashboard:

SonicOS rcvd size bug


Notice the Total, Average and Largest download sizes. Alternatively, you may see all the values here displayed as zero (0).

Any report, alert or dashboard widget that displays size information will be affected in similar ways.

SonicOS rcvd size bug - Sites By Size Fastvue Reporter



If you have already upgraded, you may like to turn off the 'Large Download' alert as this bug may cause it to be triggered for almost every log record. To do this, go to Settings | Alerts and switch the Large Download alert to Off.

Disable The Large Downloads Alert


The good news is that the new update fixes the bug we previously reported where categories were not being logged for allowed traffic.

Current Status

It's important to note that SonicWALL Analyzer, GMS and any other syslog collection/reporting tool will also be affected by this issue.

We have informed SonicWALL of the bug and it is currently with engineering. Hopefully, they resolve the issue soon.

Latest Update: SonicWall has fixed these issues in hotfix SonicOS The hotfix currently needs to be requested from SonicWall support. But please be aware of another logging issue in this firmware version that affects reporting on Google searches.

We'd love to find a way to work around this, but unfortunately, there's no way we can make sense of the received size value in the data SonicWALL is providing us via Syslog.

In the mean time, hold off on that upgrade if you're enjoying your Fastvue Reports!

Take Fastvue Reporter for a test drive

Download our FREE 30-day trial, or schedule a demo and we'll show you how it works.

  • Share this story

How To Install Fastvue Reporter on your SonicWALL Analyzer or GMS Server

Although not recommended, it is possible to run Fastvue Reporter for SonicWALL on your SonicWALL Analyzer or GMS Server with a little customization.

SonicWall Analyzer End of Life and SonicWall Analytics Review

SonicWall Analyzer is EOL, being replaced by SonicWall Analytics. Here's a short review of SonicWall Analytics and some initial thoughts.