Metrics Library

Title: Identify Enabled Management Methods on SonicWall Interfaces Description: This metric identifies which management methods (e.g., HTTP, HTTPS, SSH, Ping) are enabled on each network interface of a SonicWall firewall running SonicOS version 6. It filters out interfaces with no management methods enabled and breaks down the access methods per interface. Query: Interfaces[?ManagementFormatted != ''].{ Interface: name, ManagementMethods: ManagementFormatted, HTTP_Enabled: contains(ManagementFormatted, 'http'), HTTPS_Enabled: contains(ManagementFormatted, 'https'), SSH_Enabled: contains(ManagementFormatted, 'ssh'), Ping_Enabled: contains(ManagementFormatted, 'ping') } Purpose: To provide visibility into the management surface of each SonicWall interface. This helps MSPs and IT admins assess which interfaces may expose the firewall to potential remote access or management risks and verify that only intended protocols are allowed. How It Works: The metric: Filters the Interfaces object to include only those where at least one management method is enabled. Lists: The interface name (e.g., X0, X1) A combined string of enabled methods Boolean flags for http, https, ssh, and ping, indicating whether each method is individually enabled. Beneficiaries: Security Analysts: Gain insight into firewall management exposure points. Network Engineers: Quickly validate whether interface configurations comply with internal access policies. Compliance Teams: Use this data to audit firewall access protocols. MSPs: Enable proactive reviews of SonicWall configurations across client environments. Notes on Customization & Enhancements: Add More Management Methods: If newer methods (e.g., SNMP, Telnet) are introduced or monitored, add additional flags using contains(ManagementFormatted, 'snmp'). Add Interface Zones or IPs: Include data like interface zone or IP address for additional context by appending fields to the output. Filter Specific Interfaces: Narrow the output to include only WAN-facing interfaces or exclude internal zones using more advanced filters. Track Changes Over Time: Pair with Liongard Change Detection to alert on unauthorized changes to interface management settings. Why These Changes Might Be Valuable: Helps tailor the metric to your organization’s security posture. Supports more detailed audits and compliance reviews. Enables focused reviews on high-risk interfaces (e.g., public-facing). Increases clarity and actionability of the metric output.

Metric Name: interfaces_with_remote_access Category: Network & Infrastructure Query: Network.InterfacesIPv4[?ManagementHttps == true || ManagementHttp == true ].{   Interface: Name,   Zone: IpAssignmentZone,   IP_Address: IpAssignmentModeStaticIp,   HTTP_Enabled: ManagementHttp || false ,   HTTPS_Enabled: ManagementHttps || false ,   SSH_Enabled: ManagementSsh || false } Description: Identifies all network interfaces where remote access is enabled via HTTP, HTTPS, or SSH. This includes both management and user login services that may expose interfaces to remote access. Purpose: Helps surface potential security risks by identifying interfaces that may be unintentionally exposed to the internet or external users. How it Works: This metric queries Network.InterfacesIPv4 and filters interfaces where any of the following are true: ManagementHttps ManagementHttp UserLoginHttps UserLoginHttp For each matching interface, the following details are returned: Interface: Name of the interface Zone: Assigned IP zone IP_Address: Static IP (if set) HTTP_Enabled, HTTPS_Enabled: Whether management access is enabled UserLogin_HTTP, UserLogin_HTTPS: Whether user login is allowed SSH_Enabled: Whether SSH management is enabled Beneficiaries: IT Admins Security Teams MSPs (Managed Service Providers) Compliance Officers Customization & Notes: Filter by Zone or IP Range: Add conditions to limit results to Zone == "DMZ" or specific subnet ranges. Add Device Info: Join data from the root object to include device name, serial number, or location. Track Over Time: Use Inspectors with Timeline to monitor when remote access settings change. Alerting: Combine with a Liongard alert to trigger notifications when insecure access is detected. Ticketing Integration: Auto-create tickets when HTTP or SSH is found on exposed interfaces.

Firewall support seems to be pretty good, but there doesn't seem to be any support for Sonicwall switches or access points. It would be great to get these supported in LG for stand alone devices as well as when managed via cloud.sonicwall.com NSM/WNM.

Detects IKE connections with ANY as the source IP. TSRAccessRules[].rules[?contains(Parent, WAN -> WAN ) && contains(Name, Deny ) == false && contains(Ip, Any -> ) && contains(Name, IKE )].Ip []

This one is a little trickier to catch but looks for the translated service containing RDP, RDS, Terminal, or 3389 with source being any. This is an indicator of wide open RDP however if the service does not contain these names it is missed. NATPolicies[?contains(TranslatedService, RDP ) || contains(TranslatedService, 'RDS') || contains(TranslatedService, 'Terminal') || contains(TranslatedService, '3389') && contains(Source, 'any')].name

Using new roarpath function, check if sonicwall is version 6.5 or greater. Change the 6.5 to any version you want to compare for. version_compare(SystemInfo.Revision, >= , '6.5')

Show the configured Primary member of a load balancer and the active at the time of the Inspector scan.Note: Does not work for Gen 7 Sonicwalls FailoverLBStatus.GroupStatus[?GroupName == Default LB Group && TotalMembers > 1 ].join(` , [ Primary: , PrimaryMember, , Active: `, ActiveMember])

Determines if Content Filtering is "Licensed". Can add | length(@) at the end for a return of 1. LicenseStatus.SecuritySuite[?contains(SecurityService, Content Filtering ) && SecurityStatus == Licensed ]

Detects WAN Zone enabled HTTP Management interfaces with ANY as the source IP TSRAccessRules[].rules[?contains(Parent, WAN -> WAN ) && contains(Name, Deny ) == false && contains(Ip, Any -> ) && contains(Name, HTTP Management )].Ip[]

Detects WAN Zone enabled HTTPS Management interfaces with ANY as the source IP TSRAccessRules[].rules[?contains(Parent, WAN -> WAN ) && contains(Name, Deny ) == false && contains(Ip, Any -> ) && contains(Name, HTTPS Management )].Ip []