SonicWALL Firewall

SonicWALL Firewall provides network security by blocking attacks, preventing advanced threats, and other features. When you connect SonicWALL to InsightIDR, you can parse events for firewall, IDS, and VPN events.

To get started:

  1. Configure SonicWALL Syslog
  2. Create a Firewall Event Source

Configure SonicWALL Syslog

You can configure syslog forwarding to the InsightIDR Collector on your SonicWALL Firewall.

To do so:

  1. Sign in to your SonicWALL console.
  2. On the top menu, select the Manage link.
  3. On the bottom of the left menu, go to "Logs & Reporting" and expand the Log Settings dropdown.
  4. Select the Syslog page.
  5. On the "Syslog Settings" page, click the Add button to add a syslog server.
  6. From the "Name or IP Address" dropdown, select IP Address and add the IP address of your InsightIDR Collector.
  7. Provide the unique port on your InsightIDR Collector that will accept firewall traffic.
  8. In the "Syslog Format" dropdown, select the Enhanced Syslog option.
  9. Click the OK button to save the configuration.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for SonicWALL Firewall & VPN in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select the SonicWALL Firewall & VPN event source tile.
  4. Choose your collector and select SonicWALL Firewall & VPN as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Configure your default domain and any advanced settings.
  8. Select a data collection method and specify a port and a protocol.
    • Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  9. Click the Save button.

Sample logs

Here is a typical parseable log entry that is created by the event source:

"<181>SSLVPN: id=sslvpn sn=xxxxxx time=\"2018-03-27 20:25:06\" vp_time=\"2018-03-28 00:25:06 UTC\" fw= pri=5 m=1 c=1 src= dst=0.00.0 user=\"user\" usr=\"user\" msg=\"User login successful\" portal=\"VirtualOffice\" domain=\"DomainName\" agent=\"SonicWALL NetExtender for Windows 7.5.216 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)\""

Event codes parsed by InsightIDR

Refer to this event code table to find the event codes that InsightIDR parses, the associated event messages, and the document types that are produced. SonicWALL event codes appear in the logs using the formatting m=.

Event code table

Event codeLog event messageDocument type
36TCP connection droppedFirewall
37UDP packet droppedFirewall
38ICMP packet dropped due to PolicyFirewall
41Unknown protocol droppedFirewall
97Web site hitFirewall
98Connection OpenedFirewall
139XAUTH Succeeded with VPN %sIngress Authentication
237VPN zone remote user login allowedIngress Authentication
608IPS Detection Alert: %sIDS
609IPS Prevention Alert: %sIDS
809Gateway Anti-Virus Alert: %sAdvanced Malware
1080SSL VPN zone remote user login allowedIngress Authentication
1110Assigned IP address %sHostName To Ip