Observed that more than 70% of syslog messages generated from TZ600 is having firewall action as N/A. So can anyone help me to understand how SIEM classifies such logs and why we get "NA" in fw_action field for SonicWALL syslogs?
Sample log:
id=firewall sn=XXXXX time="2017-08-17 13:33:40 UTC" fw=104.X X.X pri=6 c=262144 m=98 dmsg="Connection Opened" n=11353263 src=172.27.17.2:53175:X0 dst=52.52.X.X:80:X1 proto=tcp/http sent=52 fw_action="NA"
Hey kdevmu!
The log literally has the value of fw_action="NA". I would suggest you consult the admin guide of your device, but taking a wild stab, I would assume there was no action taken by the firewall, thus...action=na. I'd assume the other 30% of your logs say things like "allow, deny or drop"? If so, must just mean it is hitting a default policy or no policy.
Either way hit up Sonicwall documentation or your vendor.