Update: The issue described below appears to be resolved in SonicOS 6.5. Make sure you also have DPI-SSL correctly enabled and configured, and the QUIC protocol disabled or blocked, as described in our article The Best SonicWall Configuration for Detailed Logging and Reporting.
We have noticed two issues in SonicWall’s logging that you need to be aware of if you are running SonicOS 6.2.7 and above, and you need to alert or report on Google searches.
Final Google Search Not Logged
When performing a Google search, a new ‘instant search’ is triggered on every key press. These get logged with a URL that looks like:
/complete/search?q=my+search
Then, once all the keystrokes settle down, a final search request is logged without the ‘complete’ part in the URL:
/search?q=my+search
Unfortunately, SonicWall is not logging these final requests. Only the ‘instant search / auto-complete’ requests are logged.
URLs are Truncated
To make matters worse, it appears Google’s URLs have become longer recently. I’ve previously raised the issue where SonicWall truncates URLs to 127 characters, which unfortunately means that search terms are often not logged, or only partially logged as they are now pushed further along the URL.
So even extracting the search terms from these ‘auto-complete’ requests is no longer working in most situations.
Logging Google Searches – Examples
This image shows the correctly logged activity resulting from three Google searches:
- This is a test search
- This is another test search
- This is yet another test search
The above activity is logged by another firewall (not SonicWall). You can clearly see all the auto-complete requests, then one final request with the full search term (highlighted in red). Notice the full URLs are logged and not truncated.
This image shows the same activity in SonicWall’s logs.
Notice that only the auto-complete requests are logged and all URLs are truncated, preventing the full search term being extracted from any log lines.
Testing
This issue was verified in SonicOS 6.2.7.1-23n, as well as the new 6.5.0.0-25n beta (SonicOS 6.5.0_25n-1010750).
Tests were run with and without safe-search, and force-safe-search options enabled on SonicWall. Searches were done using Chrome (with Quic disabled), Firefox and Safari.
Testing was done by looking at the raw syslog text files created by Fastvue Syslog, but you could easily use something like Kiwi Syslog for the same purpose.
Effects on Alerts and Reports on Google Searches
This issue obviously affects any reports and alerts that work on the ‘Search Terms’ field in Fastvue Reporter for SonicWall, such those we’ve described in our article on monitoring web searches to prevent extremism and radicalisation.
The Search Terms section in User Overview Reports may be blank or only show partial searches.
We have informed SonicWall of the issue and hopefully, they will make a fix available soon! We’ll keep you posted!
Update: The issue described below appears to be resolved in SonicOS 6.5. Make sure you also have DPI-SSL correctly enabled and configured, and the QUIC protocol disabled or blocked, as described in our article The Best SonicWall Configuration for Detailed Logging and Reporting.
In other news, SonicWall has fixed another issue we reported previously where the ‘size’ of DPI-SSL traffic was not being correctly logged and affecting bandwidth reports. This is available in hotfix 6.2.7.1-23n—HF187283 which you can request from SonicWall support.
Leave A Comment