SONICWALL Sonic Wall Next Gen Firewalls User Manual

: June 25, 2024
: SONICWALL

Table of Contents

SONICWALL Sonic Wall Next Gen Firewalls
Product Information
Product Usage Instructions
Microsoft Sentinel with SonicWall Firewall Integration Guide
References
Read User Manual Online (PDF format)
Download This Manual (PDF format)

SONICWALL Sonic Wall Next Gen Firewalls

Specifications

Product Name: Microsoft Sentinel with SonicWall Firewall Integration Guide
Product Type: Security Software Integration
Compatibility: SonicWall Firewall, Microsoft Sentinel

Product Information

This integration guide explains how to integrate SonicWall firewall with Microsoft Sentinel to enhance security operations. Microsoft Sentinel is a cloud-native SIEM and SOAR solution, while SonicWall provides next-gen firewall capabilities for effective cybersecurity.

Product Usage Instructions

Functionality:
The integration allows ingestion of SonicWall access logs into Microsoft Sentinel for custom workflows and automated responses.

Configuration

Deploying a Microsoft Sentinel Workspace: Access the Sentinel instance in the resource group and create a workspace.
Installing the SonicWall Solution: Install the SonicWall Network Security Solution from the Content hub in Microsoft Sentinel.
Installing Operations Management Suite (OMS) or Log Analytics Agent: Set up OMS or Log Analytics Agent for data collection.
Configuring Syslog Server on SonicWall Device: Configure syslog forwarding on the SonicWall device.
Validating Data: Ensure the data reaches the workspace successfully.

FAQ

Q: What data sources are supported for Microsoft Sentinel in SonicWall firewall integration?
A: Microsoft Sentinel supports various connectors for Microsoft solutions and uses standard syslog as the data source for non-Microsoft solutions like SonicWall.

Microsoft Sentinel with SonicWall Firewall Integration Guide

This document describes how SonicWall firewall integrates with Microsoft Sentinel. Combining these two tools can significantly enhance your security operations.
Understanding the Microsoft Sentinel and SonicWall Firewall:

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in user’s workspace with a single deployment step.
SonicWall next-generation firewalls (NGFW) provide the security, control, and visibility you need to maintain an effective cybersecurity posture. With solutions designed for networks of all sizes, SonicWall’s award-winning hardware and advanced technology are built into each firewall to give you the edge on evolving threats.

Topics

Functionality
Configuration
Microsoft Sentinel Content Type
SonicWall Support

Functionality
The integration of SonicWall next-gen Firewalls with Microsoft Sentinel provides the capability to ingest SonicWall access logs (in syslog format) into Microsoft Sentinel. These integration capabilities enable our partners and customers to forward the firewall logs to Microsoft Sentinel, parse the logs and create custom workflows, and automate the responses.
Data Sources for Microsoft Sentinel in SonicWall firewall integration with Azure Sentinel:

Microsoft Sentinel comes with several connectors for Microsoft solutions, including Microsoft Threat Protection, Microsoft 365 sources (such as Office 365, Azure AD, and Azure ATP), and more.
Microsoft Sentinel uses standard syslog as the data source (Common Event Format or CEF) for non-Microsoft solutions like SonicWall.
To ingest SonicAlert access logs into Azure Sentinel, we will set up a syslog forwarder on a Linux machine (which can be a VM on Azure or a physical machine on-premises).

Configuration
Follow the below steps to configure Microsoft Sentinel with SonicWall firewall:

Deploying a Microsoft Sentinel Workspace
Installing the SonicWall Solution for Microsoft Sentinel
Installing the Operations Management Suite (OMS) or Log Analytics Agent
Configuring a Syslog Server on SonicWall Device
Validating the Data that Reaches Workspace

Deploying a Microsoft Sentinel Workspace
To deploy a Microsoft Sentinel workspace:

Create a new resource using deploy a custom template that builds the resources needed for Microsoft Sentinel.
Select QuickStart mode template and create or select resource group.
Let deployment to be completed.
Do one of the following:
- Navigate to the resource group.
- Click the Log Analytics workspace resource.
Navigate to the Microsoft Sentinel service on Azure Home page.
If Microsoft Sentinel service is not presented on the home page, click More services.
Click the Sentinel instance within the resource group you created.

Installing the SonicWall Solution for Microsoft Sentinel
To install the SonicWall solution for Microsoft Sentinel:

Click the Sentinel instance within the resource group you created.
Install the SonicWall solution from the Content hub:
- Navigate to Content management > Content hub.
- Search for SonicWall.
- Select the SonicWall Network Security Solution and click Install.
Configure the Common Event Format (CEF) via AMA data connector’s data collection rule to set the event filter types (Syslog facilities) to collect.
Edit the data collection rule or create one if necessary. On the Collect tab of the rule’s configuration, configure the following:
- LOG_LOCAL* (0-7) to LOG_DEBUG
- LOG_SYSLOG to LOG_DEBUG
- LOG_USER to LOG_DEBUG

Installing the Operations Management Suite (OMS) or Log Analytics Agent
The Operations Management Suite (OMS)/Log Analytics Agent provides a Syslog relay.

NOTE: Make sure that this agent is installed on a host within the network and configure SonicOS to send ArcSight-formatted Syslog data to the agent. The Agent establishes a secure connection with Azure, so the log data is not sent to the cloud in plaintext.
NOTE: Before installing one, review the requirements for the agent (Supported operating systems). Some versions of Linux have additional requirements with regard to Python that you should be aware of.

To install the Operations Management Suite (OMS) or Log Analytics Agent:

On the Microsoft Sentinel page, navigate to Data Connectors under Configuration.
Search for SonicWall and Choose [Deprecated] SonicWall Firewall via Legacy Agent and follow the instructions to set up the forwarder agent on your machine.
NOTE : You can also run scripts to download the installer and execute it. They also include the workspace ID and primary key that the agent needs to connect to the workspace.
Note down the IP address of the machine.
NOTE: This IP address is needed for SonicWall configuration.

IMPORTANT: Log analytics agent will be retired on August 31, 2024, so make sure you migrate to Azure Monitor Agent (AMA). For more information, refer to migration instructions.

Here are some other reference articles if you want to learn more about the Arc Agent and Azure Monitor Agent:

Install the Arc Agent/Azure Connected Machine Agent
- Connected Machine agent prerequisites – Azure Arc
- Overview of the Azure Connected Machine agent – Azure Arc
Install the Azure Monitor Agent extension
- Azure Monitor Agent overview – Azure Monitor
- Manage Azure Monitor Agent – Azure Monitor
Install the Azure Monitor Agent (AMA) forwarder.
- Tutorial: Forward Syslog data to Microsoft Sentinel and Azure Monitor by using Azure Monitor Agent
Configure a Data Collection Rule (DCR)
- Tools for migrating to Azure Monitor Agent from legacy agents – Azure Monitor
- Collect Syslog events with Azure Monitor Agent – Azure Monitor
- Tutorial: Forward Syslog data to Microsoft Sentinel and Azure Monitor by using Azure Monitor Agent

Configuring a Syslog Server on SonicWall Device
To configure a syslog server:

Configure a syslog server on your SonicWall device using syslog format as ArcSight (CEF).
Specify the IP address or Name of your Linux VM as the syslog server, and Syslog Facility should be Local use 4.

NOTE

The Syslog data is sent to the OMS Agent on UDP/514.
For more information, refer to Knowledge Base Article.

Validating the Data that Reaches Workspace
Once configured, you’ll receive SonicOS-generated CEF messages in the Sentinel Workspace.
Validate that the OMS Agent is receiving CEF messages and can connect to Azure. If the validation initially fails, try again. The validation checks the connection to the workspace as well as a stream of CEF from a source. The firewall needs to be actively generating Syslog CEF messages for the validation to pass.

Log Analytics Agent

NOTE

Troubleshoot your CEF or Syslog data connector according to https://learn.microsoft.com/en-us/azure/sentinel/troubleshooting-cef-syslog?tabs=cef.
sudo wget -O cef_troubleshoot.py, https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py (python cef_troubleshoot.py [WorkspaceID]).

Azure Monitor Agent

To validate data on Microsoft Sentinel workspace:

On the Microsoft Sentinel workspace, navigate to the General > Logs link.
Set a short time range that covers a period where data should have been ingested. It can take several minutes to begin seeing data in Log Analytics. Wait for more time if you do not see data right away.
Enter a basic query to confirm data is arriving at Sentinel and click Run.

To get AMA Heartbeat Logs
Use Heartbeat query with a short time range (last 30 minutes):

Heartbeat
| distinct Computer, Category, ComputerIP

NOTE: This only applies to AMA, not the OMS/Log Analytics Agent.

Microsoft Sentinel Content Type
The SonicWall Data connector includes a Workbook containing a variety of queries for various security services as well as other traffic and security insights.
To navigate to Microsoft Sentinel content types:

Navigate to the Content management > Content hub link.
Click the installed SonicWall Network Security Solution to view the content types:
- Workbook
- Analytics Rules
- Hunting Query

Workbook
SonicWall Workbook contains the collection of queries to provide visibility into the events reported by the SonicWall firewalls.

You can also select the Auto refresh time for the queries. Analytics Rules
Topics:

SonicWall – Capture ATP Malicious File Detection
SonicWall – Allowed SSH, Telnet, and RDP Connections

SonicWall – Capture ATP Malicious File Detection
SonicWall- Capture ATP Malicious File Detection identifies malicious file verdicts from the SonicWall Capture ATP service. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser
(ASimNetworkSessionSonicWallFirewall).

To set rules logic

Click the Analytics rule to create the rule and set the rules logic.
Navigate to Incident Settings, select the Automated response.
Review the settings and click Save to schedule the rule.

SonicWall – Allowed SSH, Telnet, and RDP Connections
SonicWall – Allowed SSH, Telnet, and RDP Connections identifies allowed inbound SSH, Telnet, and RDP connections. This analytic rule leverages the SonicWall Firewall ASIM Network Session parser
(ASimNetworkSessionSonicWallFirewall).

To set rules logic:

Click the Analytics rule to create the rule and set the rules logic.
Navigate to Incident Settings, select the Automated response.
Review the settings and click Save to schedule the rule.

Hunting Query
Outbound SSH/SCP Connections query looks for outbound SSH/SCP connections identified by the expected port number (22) or by the SonicWall Deep Packet Inspection services. This query leverages the SonicWall Firewall ASIM Network Session parser.

To run query:

Run the query in one of following ways:
- Select the Threat hunting query and click Run query. Scroll right and click on three dots the end and run the query.
  NOTE : You can also create your own hunting query using this. For more information about setup instructions, refer to the SonicWall Firewall-Sentinel Integration KB Article. Here is the data connector instructions Article.

SonicWall Support
Technical support is available to customers who have purchased SonicWall products with a valid maintenance contract.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year.
The Support Portal enables you to:

View Knowledge Base articles and Technical Documentation
View and participate in the Community Forum discussions
View Video Tutorials
Access MySonicWall
Learn about SonicWall Professional Services
Review SonicWall Support services and warranty information
Register at SonicWall University for training and certification

About This Document

NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

Microsoft Sentinel Integration Guide
Updated – April 2024
Copyright © 2024 SonicWall Inc. All rights reserved.
The information in this document is provided in connection with SonicWall and/or its affiliates’ products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its affiliates make no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. and/or its affiliates do not make any commitment to update the information contained in this document.
For more information, visit https://www.sonicwall.com/legal.

Microsoft Sentinel Integration Guide