SonicWALL Firewall

SonicWALL Firewall provides network security by blocking attacks, preventing advanced threats, and other features. When you connect SonicWALL to InsightIDR, you can parse events for firewall, IDS, and VPN events.

To get started:

  1. Configure SonicWALL Syslog
  2. Create a Firewall Event Source

Configure SonicWALL Syslog

You can configure syslog forwarding to the InsightIDR Collector on your SonicWALL Firewall.

To do so:

  1. Sign in to your SonicWALL console.
  2. On the top menu, select the Manage link.
  3. On the bottom of the left menu, go to "Logs & Reporting" and expand the Log Settings dropdown.
  4. Select the Syslog page.
  5. On the "Syslog Settings" page, click the Add button to add a syslog server.
  6. From the "Name or IP Address" dropdown, select IP Address and add the IP address of your InsightIDR Collector.
  7. Provide the unique port on your InsightIDR Collector that will accept firewall traffic.
  8. In the "Syslog Format" dropdown, select the Enhanced Syslog option.
  9. Click the OK button to save the configuration.

Create a Firewall Event Source

After you configure SonicWALL syslog, you must create a Firewall event source in InsightIDR.

To do so:

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and select SonicWALL Firewall & VPN as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any advanced settings.
  8. Select a data collection method and specify a port and a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  9. Click the Save button.

Verify Logs

SonicWALL Logs are key-value pairs (KVPs), and will appear in the logs as m=1, pri=5, and others.

A parsable log will look similar to the following:

"<181>SSLVPN: id=sslvpn sn=xxxxxx time=\"2018-03-27 20:25:06\" vp_time=\"2018-03-28 00:25:06 UTC\" fw= pri=5 m=1 c=1 src= dst=0.00.0 user=\"user\" usr=\"user\" msg=\"User login successful\" portal=\"VirtualOffice\" domain=\"DomainName\" agent=\"SonicWALL NetExtender for Windows 7.5.216 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)\""