Looking for help with SonicWall logs, also does IDR work better with Palo Alto or Fortinet NGFWs?

I’ve transitioned from network admin over to security and have slowly been working more with our Insight products, mainly IDR. Currently we have two SonicWalls sending logs to IDR, but from what I can tell, the dashboard cards are pretty dysfunctional. Specifically, “Denied Traffic by Port” and “…over Time” are always flat/no data. Basically, IDR’s not able to read or make sense of the logs unless we do some manual work to parse them better. I can’t tell if support even wants to do that or not.

Essentially IDR is almost useless to me with regards to the firewall reporting. It’s frustrating.

That said, I’m also planning to get away from SonicWall and move to PAN or Fortinet if I can convince management. I’m hoping IDR integrates with those systems a bit better.

Thoughts/input?

Hi David,

I’d recommend a support ticket so we can take a closer look at the logs; it’s possible the issue lies with our parser or the built-in dashboard queries.

As for PAN or Fortinet, we have parsers for both. PAN is one of the more popular ones, for which we constantly add new parsing updates.

https://docs.rapid7.com/insightidr/fortinet-firewall

https://docs.rapid7.com/insightidr/palo-alto-firewall-vpn

David

Hey David,

Yes, I do currently have a ticket for this issue. I just wanted to see about getting additional input from the community.

David

Great, can you share the support case ID?

David

Sure, the case is 00756748. I do have a technician looking at it too, just waiting for them to get back to me.

Hey David! I have had my Palo Alto firewalls, as well as Panorama and even my Cortex XDR agents, integrated into IDR for a few years, and it is really solid. Having said that, all the other external syslog sources sending into IDR have also been working really well for me.


Oh yeah, @pete_jacob does, and has many good dashboards for those as well, highly recommend them!!