SonicOS 22.214.171.124-23n firmware has been officially posted as ‘feature release’ on mysonicwall.com marking the end to the SonicOS 6.2.7 beta program. Affected SonicWall models include:
- SonicWall TZ SOHO Wireless, TZ 300/300W/400/400W/500/500W/600
- SonicWall NSA 2600/3600/4600/5600/66000
- SonicWall Supermassive 9200/9400/9600
This latest SonicOS firmware includes some great new features and enhancements such as SSH Decryption, DNS Proxy, and DPI SSL enhancements. You can read the full release notes here: SonicOS 126.96.36.199 Release Notes.
At Fastvue, one of the major features we have been looking forward to is something so small that it didn’t even make it into the release notes! The inclusion of Referrer URLs in the ‘Syslog Website Accessed’ log events.
Why is Referrer URL so Important?
The Fastvue Reporter platform includes our unique Site Clean engine, to better determine actual websites visited and remove background domains such as advertising servers, content delivery networks (CDNs) and website visitor tracking widgets from our reports. A major input to the Site Clean algorithm is the Referrer URL which is only logged by some firewall vendors.
When Referrer URL is not present in the firewall log files, Fastvue Reporter falls back to a list of known CDNs and Junk URLs collected (and frequently updated) by the Fastvue web crawler, but there are many instances of logged web traffic that can’t be ‘cleaned’ without the Referrer URL.
Now that SonicOS 6.2.7 logs the Referrer URL, the list of websites shown in the ‘Clean’ section of Fastvue Reporter for SonicWall should be much more reflective of actual web browsing. Once configured (see below), SonicWall will log Referrer URLs when possible into the Note field:
Fastvue Reporter for SonicWall will then utilize this URL in the Site Clean algorithm, and store the actual domains visited into its Origin Domain field. The result is a much cleaner list of sites when viewing web usage Reports and Dashboards..
Referrer URLs are also useful for identifying the actual site someone was browsing when a specific URL was accessed (such as a virus), and for finding the complete list of URLs or domains to whitelist to allow a website to work through a strict firewall configuration.
How to Log Referrer URLs in SonicWall
Log into mysonicwall.com and download SonicOS 188.8.131.52-23n or later.
Note: Earlier generations of SonicWall hardware(below Gen6) do not have access to this firmware.
Once upgraded, change the Syslog Format in Log | Syslog to Enhanced Syslog, and make sure the ‘Note (note)’ field is selected.
Enhanced Syslog? What about SonicWall GMS!?
If alarm bells are ringing in your head because you know SonicWall GMS requires the Default syslog format to be set, then don’t worry! Another great feature that SonicWall have introduced in 6.2.7.x is the ability to set the Syslog Format per Syslog Server!
Go to Log | Syslog, edit your Fastvue Syslog Server, and set the Syslog Format to Enhanced Syslog. The global Syslog Format option will change to ‘mixed’ if you have another syslog server defined with a different syslog format.
Upgrade Fastvue Reporter for SonicWall
We added support for importing the Referrer URL in Fastvue Reporter for SonicWall v184.108.40.206 (check your existing build number in Settings | About). You can always download the latest build from our main download page.
Simply run the new installer over the top of your existing installation. The installer will pick up your existing settings, so just click next throughout the wizard without making any changes. Once installed, browse to the site and clear the browser cache by hitting ctrl + F5 (cmd + R on Mac).
As of SonicOS 220.127.116.11-23n, there are a few outstanding issues that you should be aware:
- Log format resets on reboot
Changing the Syslog Format to Enhanced Syslog (as above) does not survive a reboot of the SonicWall Firewall. Unfortunately, if you reboot the SonicWall device, the syslog format will get reset to ‘Default’. This happens regardless of whether you set the Syslog Format at the global level, or per syslog server.
- Referrer URL does not get logged for DPI-SSL traffic
If you have DPI-SSL enabled, the Referrer URL is not logged for any traffic going through this feature.
- Size information is not logged correctly for DPI-SSL traffic
If you have DPI-SSL enabled, any traffic going through this feature has incorrect ‘size’ values logged for URLs. The size values are always very small, and usually the same for all URLs. This is a continued issue that began when CFS 4.0 was introduced in SonicOS 6.2.6.x. SonicWall fixed this issue for normal http traffic, but it still affects DPI-SSL traffic. This means that bandwidth heavy HTTPS sites (such as YouTube) do not show up in Bandwidth reports, and the ‘total bandwidth’ figures are reduced.
- Normal URLs are limited to 127 characters
As of the first beta release of SonicOS 6.2.7.x, we noticed that normal URLs (not referrer URLs) get truncated to 127 characters. This is not a huge problem as most reports simply show the domain section of the URL. It’s only when viewing full URLs in our Activity Reports that you will find URLs have been truncated if it is over 127 characters.
- Referrer URLs Contained within the ‘Note’ field
SonicWall’s log events follow a key=”value” format making it easy for log analysis applications to parse the log lines. Instead of adding a new referrer=”value” field, SonicWall added the Referrer URL into the note=”” field. This field contains other information besides Referrer URLs, such as ‘Info’ and ‘Policy’ (shown in the log line above). The different fields in the Note field are also separated with a carriage return instead of the usual ‘space’. We are noting this as a potential issue as we needed to write special code to deal with the carriage returns and parse out the referrer. If you have another log analysis application, it may need adjustments to work with this Note field.
We have reported all of these issues to SonicWall, and we hear a hotfix is on the way for the DPI-SSL issues. We’ll keep you posted!
If you have any questions, please let us know in the comments below, or in our Support Portal.