Skip to content Skip to main navigation Skip to footer

No Usernames in SonicWall Reports? Here’s Why and How to Fix It

If your Cyfin reports and dashboards are only displaying IP addresses instead of usernames, it indicates that SonicWall is not authenticating users.

Why Are There No Usernames?

Cyfin relies on SonicWall to log usernames. When SonicWall does not authenticate users, only IP addresses are captured in the log data. As a result, Cyfin will show the IP address in place of a username.

How to Enable User Authentication in SonicWall

To report on actual usernames, user authentication must be enabled on your SonicWall firewall. Here’s how to ensure usernames are included in your logs:

  1. Configure Authentication Settings – Go to Users | Settings in your SonicWall appliance and set up an authentication method. Typically, this will be one of the following:
    • LDAP + Local Users
    • Active Directory Single Sign-On (SSO) using the SonicWall SSO Agent.
  2. Force User Authentication – After configuring authentication, you need to set access rules that require users to authenticate before traffic is allowed through the firewall. For detailed instructions, refer to the SonicWall Knowledge Base article How to Force User Authentication Prior to Allowing Traffic Through the Firewall.
  3. Verify AD SSO is Working – If you’re using Active Directory Single Sign-On, ensure it’s functioning correctly by following the test steps outlined at the end of the SonicWall guide.

By enabling authentication on your SonicWall, Cyfin will be able to log and display usernames, providing more meaningful and detailed reports.


How to Verify SonicWall is Authenticating Users

You can confirm whether SonicWall is logging usernames (independently of Cyfin) by checking SonicWall’s built-in log monitor. Follow these steps:

Step 1: Ensure SonicWall is Logging Internet Usage Events

  1. Go to Log | Settings and expand the Log | Syslog section.
  2. Click the Configure button next to Syslog Website Accessed events.
  3. Ensure that the option Display Events in Log Monitor is enabled and set the display interval to 0 seconds.

Step 2: Investigate Logs for User Authentication

  1. Navigate to Investigate | Event Logs.
  2. Filter the logs by:
    • Priority = Inform
    • Category = Log
    • Source IP = (enter the IP address you want to check, such as your own for testing purposes).
      This will display all web traffic for that IP address.
  3. Click the More Details button (three lines) next to any event to view additional details.

Step 3: Check the Username Field

In the event details, look for the Username field. If this field is blank, it means that the IP address in question is not being authenticated for web traffic.

Additional Support

If you need further help with authentication issues, it’s best to contact SonicWall support. When troubleshooting, show them the issue using the SonicWall log monitor as described above.

Once SonicWall is logging authenticated users, Cyfin Reporter will be able to match usernames with their corresponding Active Directory objects. This allows you to take advantage of features like reporting on Departments and Security Groups. For more information, see our article on SonicWall Reporting on Users, Departments, and AD Security Groups.