Fastvue Reporter for SonicWall enables easy reporting on Users, Departments, Offices, and Security Groups as defined in Active Directory. For any of these features to work, SonicWall needs to be authenticating users. Without authentication, only IP addresses (or at best a resolved hostname) are logged and Fastvue Reporter is not able to match the traffic to a real person in Active Directory.
This article explains how to report on users and groups of users, both with and without SonicWall authentication, using Fastvue Reporter for SonicWall.
Authenticating Users with SonicWall
SonicWall supports a few authentication methods, including local users and groups, RADIUS, LDAP and AD SSO. In order for Fastvue Reporter to match users to SonicWall log data, SonicWall needs to log the user’s Active Directory username (sAMAccountName) as it logs web and firewall traffic. The most comprehensive way to do this is using AD SSO.
For more information on how to configure this, please see SonicWall’s Knowledge Base article on configuring AD SSO and/or LDAP authentication, or check out the video below:
Reporting on Users with SonicWall Authentication Enabled
If Fastvue Reporter for SonicWall is installed on a machine that is a member of your domain, it will automatically communicate with Active Directory behind the scenes and match the authenticated usernames in SonicWall’s logs to real people in your organization. All the features for reporting on people, Departments, Offices, Security Groups and Companies can then be utilized.
If Fastvue Reporter for SonicWall is not installed on a member of your domain, go to Settings | LDAP / Directory to enter your directory settings so that Fastvue Reporter can communicate with AD via LDAP.
When running a User Overview Report, a pick list of users from Active Directory is shown. If authentication is enabled on your SonicWall, then all you need to do is pick a user, select a date range and click Run Report.
Likewise, if you open the Filters interface and select Users, Departments, Offices, Companies or Security Groups, you will have a pick list of items to choose from.
Ensure your users have a properly defined Department, Office and Company in Active Directory Users and Computers.
Unfortunately, it is not always feasible to enable authentication for all of your networks. So what can you do for the situations where authentication is not enabled?
Reporting on Users without SonicWall Authentication Enabled
If a username is not logged (either authentication is not enabled, or is bypassed for specific traffic), then Fastvue Reporter for SonicWall will look for a resolved hostname in the logs and display the result in its reports. For SonicWall to do this, ensure you have your settings correctly configured in Log | Name Resolution and your specified DNS servers can perform reverse lookups (return a hostname for a given IP address).
If a resolved hostname cannot be found in the log file, then Fastvue Reporter for SonicWall will attempt to resolve the Source IP itself and display the result. The screenshot below shows what the Top Users section of the Bandwidth Dashboard may look like with resolved hostnames.
If the Source IP cannot be resolved, and there is no hostname in SonicWall’s log, then Fastvue Reporter for SonicWall has no choice but to display the Source IP addresses in the User sections of its Dashboards, Reports and Alerts.
Unfortunately, Fastvue Reporter for SonicWall will not provide you with a pick list of resolved hostnames when running User Overview Reports, or when filtering by users.
Furthermore, Fastvue Reporter will still present the list of Users, Departments, Offices, Companies and Security Groups it retrieved from Active Directory, regardless of whether your SonicWall is authenticating users. As Fastvue Reporter cannot match AD users to an IP address or a resolved hostname, choosing a user from the pick list will result in a blank report.
Therefore, to report on a hostname, you need to manually type/enter the hostname that you want to report on in User Overview Reports.
Alternatively, filter an Overview Report (not a User Overview Report), and use the Contains operator to make life a little easier. For example, use User ‘Contains’ scott instead of User ‘Equal to’ scotts-mbp-fastvue.local, scotts-iphone.fastvue.co, scotts-ipad.fastvue.local.
In addition to being unable to report on AD users if you are not authenticating, the same is true for reports on Departments, Offices, Companies or Security Groups. All traffic will appear in the ‘Unknown’ Department and Office on the Live Dashboards and Reports.
Using Saved Filters
Although it is not ideal, you can create your own pick lists of users and groups of users with Saved Filters.
For example, define a filter that selects all the hostnames for a specific user, and save the filter as the User’s name:
Alternatively, define a filter that groups multiple users together and save it as the Department’s name.
You can then easily load these filters using the Load Filter button when running future reports.
If you do not have resolved hostnames to filter on, you can also use IP addresses in your saved filters. But this is only really an option if your users have statically defined IPs. Use the Source IP field for this. For example, Source IP ‘Equal to’ 192.168.168.5, 192.168.168.10, 192.168.168.22.
You can also group multiple IPs into subnets using the In Subnet operator, defining the subnet in CIDR notation. For example, Source IP ‘In Subnet’ 192.168.1.0/24.
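The following added example (not Fastvue's code and not part of the original article) models the identity fallback order described under "Reporting on Users without SonicWall Authentication Enabled" together with the three filter operators used above. The record layout, the filter names, and the assumption that several values in one condition are OR-ed with case-sensitive matching are all hypothetical.

```python
import ipaddress

# Constructed sample records (not real SonicWall log lines): the fields that
# matter for attribution once a log entry has been parsed.
SAMPLE = [
    {"user": "scott", "host": "", "src_ip": "192.168.1.20"},
    {"user": "", "host": "scotts-mbp-fastvue.local", "src_ip": "192.168.1.21"},
    {"user": "", "host": "", "src_ip": "192.168.168.5"},
    {"user": "", "host": "", "src_ip": "10.0.0.9"},
]

def display_identity(rec, reverse_lookup=lambda ip: None):
    """Fallback order from the article: logged username, hostname in the log,
    reverse lookup of the Source IP, then the bare Source IP."""
    return rec["user"] or rec["host"] or reverse_lookup(rec["src_ip"]) or rec["src_ip"]

def matches(rec, field, op, values, reverse_lookup=lambda ip: None):
    """Evaluate one filter condition (assumption: listed values are OR-ed)."""
    if op == "In Subnet":
        addr = ipaddress.ip_address(rec["src_ip"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    # "User" is whatever the report would display; "Source IP" is the raw address.
    actual = display_identity(rec, reverse_lookup) if field == "User" else rec["src_ip"]
    if op == "Equal to":
        return actual in values
    if op == "Contains":
        return any(v in actual for v in values)
    raise ValueError(f"unsupported operator: {op}")

# Hypothetical saved filters, named after the person or group they stand in for.
SAVED_FILTERS = {
    "Scott": ("User", "Contains", ["scott"]),
    "Static desks": ("Source IP", "Equal to", ["192.168.168.5", "192.168.168.10"]),
    "Office LAN": ("Source IP", "In Subnet", ["192.168.1.0/24"]),
}

def apply_saved_filter(name, records=SAMPLE, reverse_lookup=lambda ip: None):
    """Return the Source IPs of the records a saved filter would select."""
    field, op, values = SAVED_FILTERS[name]
    return [r["src_ip"] for r in records if matches(r, field, op, values, reverse_lookup)]

if __name__ == "__main__":
    for name in SAVED_FILTERS:
        print(name, "->", apply_saved_filter(name))
```

The "Scott" filter selects both the authenticated record and the hostname-only record, which is why a Contains filter on a naming convention can stand in for a per-user pick list.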
The easiest way to report on users and groups using Fastvue Reporter for SonicWall is to enable authentication on your SonicWall. Then let Fastvue Reporter automatically provide the pick lists for Users, Departments, Offices, Companies and Security Groups as you have defined in Active Directory.
If authentication is not an option, ignore the pick lists that Fastvue Reporter provides, and instead use Saved Filters to make reporting against resolved host names and Source IPs a little easier for the people running reports.