SONICWALL Sonic Wall Next Gen Firewalls User Manual
- June 25, 2024
- SONICWALL
Specifications
- Product Name: Microsoft Sentinel with SonicWall Firewall Integration Guide
- Product Type: Security Software Integration
- Compatibility: SonicWall Firewall, Microsoft Sentinel
Product Information
This integration guide explains how to integrate SonicWall firewall with Microsoft Sentinel to enhance security operations. Microsoft Sentinel is a cloud-native SIEM and SOAR solution, while SonicWall provides next-gen firewall capabilities for effective cybersecurity.
Product Usage Instructions
Functionality:
The integration allows ingestion of SonicWall access logs into Microsoft
Sentinel for custom workflows and automated responses.
Configuration
- Deploying a Microsoft Sentinel Workspace: Access the Sentinel instance in the resource group and create a workspace.
- Installing the SonicWall Solution: Install the SonicWall Network Security Solution from the Content hub in Microsoft Sentinel.
- Installing Operations Management Suite (OMS) or Log Analytics Agent: Set up OMS or Log Analytics Agent for data collection.
- Configuring Syslog Server on SonicWall Device: Configure syslog forwarding on the SonicWall device.
- Validating Data: Ensure the data reaches the workspace successfully.
FAQ
Q: What data sources are supported for Microsoft Sentinel in SonicWall
firewall integration?
A: Microsoft Sentinel supports various connectors for Microsoft solutions
and uses standard syslog as the data source for non-Microsoft solutions like
SonicWall.
Microsoft Sentinel with SonicWall Firewall Integration Guide
This document describes how SonicWall firewall integrates with Microsoft
Sentinel. Combining these two tools can significantly enhance your security
operations.
Understanding Microsoft Sentinel and the SonicWall Firewall:
- Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Microsoft Sentinel solutions provide a consolidated way to acquire Microsoft Sentinel content such as data connectors, workbooks, analytics, and automations in the user’s workspace with a single deployment step.
- SonicWall next-generation firewalls (NGFW) provide the security, control, and visibility you need to maintain an effective cybersecurity posture. With solutions designed for networks of all sizes, SonicWall’s award-winning hardware and advanced technology are built into each firewall to give you the edge on evolving threats.
Topics
- Functionality
- Configuration
- Microsoft Sentinel Content Type
- SonicWall Support
Functionality
The integration of SonicWall next-gen Firewalls with Microsoft Sentinel
provides the capability to ingest SonicWall access logs (in syslog format)
into Microsoft Sentinel. These integration capabilities enable our partners
and customers to forward the firewall logs to Microsoft Sentinel, parse the
logs and create custom workflows, and automate the responses.
Data sources for the SonicWall firewall integration with Microsoft Sentinel:
- Microsoft Sentinel comes with several connectors for Microsoft solutions, including Microsoft Threat Protection, Microsoft 365 sources (such as Office 365, Azure AD, and Azure ATP), and more.
- Microsoft Sentinel uses standard syslog as the data source (Common Event Format or CEF) for non-Microsoft solutions like SonicWall.
- To ingest SonicWall access logs into Azure Sentinel, we will set up a syslog forwarder on a Linux machine (which can be a VM on Azure or a physical machine on-premises).
Configuration
Follow the below steps to configure Microsoft Sentinel with SonicWall
firewall:
- Deploying a Microsoft Sentinel Workspace
- Installing the SonicWall Solution for Microsoft Sentinel
- Installing the Operations Management Suite (OMS) or Log Analytics Agent
- Configuring a Syslog Server on SonicWall Device
- Validating the Data that Reaches Workspace
Deploying a Microsoft Sentinel Workspace
To deploy a Microsoft Sentinel workspace:
- Create a new resource using Deploy a custom template, which builds the resources needed for Microsoft Sentinel.
- Select the QuickStart mode template and create or select a resource group. Wait for the deployment to complete.
- Do one of the following:
  - Navigate to the resource group and click the Log Analytics workspace resource.
  - Navigate to the Microsoft Sentinel service on the Azure Home page. If the Microsoft Sentinel service is not shown on the home page, click More services.
- Click the Sentinel instance within the resource group you created.
Installing the SonicWall Solution for Microsoft Sentinel
To install the SonicWall solution for Microsoft Sentinel:
- Click the Sentinel instance within the resource group you created.
- Install the SonicWall solution from the Content hub:
- Navigate to Content management > Content hub.
- Search for SonicWall.
- Select the SonicWall Network Security Solution and click Install.
- Configure the Common Event Format (CEF) via AMA data connector’s data collection rule to set the event filter types (Syslog facilities) to collect.
- Edit the data collection rule or create one if necessary. On the Collect tab of the rule’s configuration, configure the following:
- LOG_LOCAL* (0-7) to LOG_DEBUG
- LOG_SYSLOG to LOG_DEBUG
- LOG_USER to LOG_DEBUG
Installing the Operations Management Suite (OMS) or Log Analytics Agent
The Operations Management Suite (OMS)/Log Analytics Agent provides a Syslog
relay.
NOTE: Make sure that this agent is installed on a host within the network
and configure SonicOS to send ArcSight-formatted Syslog data to the agent. The
Agent establishes a secure connection with Azure, so the log data is not sent
to the cloud in plaintext.
NOTE: Before installing one, review the requirements for the agent
(Supported operating systems). Some versions of Linux have additional
requirements with regard to Python that you should be aware of.
To install the Operations Management Suite (OMS) or Log Analytics Agent:
- On the Microsoft Sentinel page, navigate to Data Connectors under Configuration.
- Search for SonicWall, choose [Deprecated] SonicWall Firewall via Legacy Agent, and follow the instructions to set up the forwarder agent on your machine.
  NOTE: You can also run scripts to download the installer and execute it. They also include the workspace ID and primary key that the agent needs to connect to the workspace.
- Note down the IP address of the machine.
  NOTE: This IP address is needed for the SonicWall configuration.
IMPORTANT: The Log Analytics agent will be retired on August 31, 2024, so make sure you migrate to the Azure Monitor Agent (AMA). For more information, refer to the migration instructions.
Here are some other reference articles if you want to learn more about the Arc Agent and Azure Monitor Agent:
- Install the Arc Agent/Azure Connected Machine Agent
- Connected Machine agent prerequisites – Azure Arc
- Overview of the Azure Connected Machine agent – Azure Arc
- Install the Azure Monitor Agent extension
- Azure Monitor Agent overview – Azure Monitor
- Manage Azure Monitor Agent – Azure Monitor
- Install the Azure Monitor Agent (AMA) forwarder.
- Tutorial: Forward Syslog data to Microsoft Sentinel and Azure Monitor by using Azure Monitor Agent
- Configure a Data Collection Rule (DCR)
- Tools for migrating to Azure Monitor Agent from legacy agents – Azure Monitor
- Collect Syslog events with Azure Monitor Agent – Azure Monitor
Configuring a Syslog Server on SonicWall Device
To configure a syslog server:
- Configure a syslog server on your SonicWall device using syslog format as ArcSight (CEF).
- Specify the IP address or Name of your Linux VM as the syslog server, and Syslog Facility should be Local use 4.
NOTE
- The Syslog data is sent to the OMS Agent on UDP/514. This hop from the firewall to the agent is unencrypted, so keep the agent on the trusted side of the network as noted above; only the agent-to-Azure connection is secured.
- For more information, refer to Knowledge Base Article.
Validating the Data that Reaches Workspace
Once configured, you’ll receive SonicOS-generated CEF messages in the Sentinel
Workspace.
Validate that the OMS Agent is receiving CEF messages and can connect to
Azure. If the validation initially fails, try again. The validation checks the
connection to the workspace as well as a stream of CEF from a source. The
firewall needs to be actively generating Syslog CEF messages for the
validation to pass.
Log Analytics Agent
NOTE
- Troubleshoot your CEF or Syslog data connector according to https://learn.microsoft.com/en-us/azure/sentinel/troubleshooting-cef-syslog?tabs=cef.
- Download and run the connector troubleshooting script on the forwarder, passing your workspace ID: sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py && sudo python cef_troubleshoot.py [WorkspaceID]
Azure Monitor Agent
To validate data on Microsoft Sentinel workspace:
- On the Microsoft Sentinel workspace, navigate to the General > Logs link.
- Set a short time range that covers a period where data should have been ingested. It can take several minutes to begin seeing data in Log Analytics. Wait for more time if you do not see data right away.
- Enter a basic query to confirm data is arriving at Sentinel and click Run.
To get AMA Heartbeat Logs
Use the Heartbeat query with a short time range (last 30 minutes):
Heartbeat
| distinct Computer, Category, ComputerIP
NOTE: This only applies to AMA, not the OMS/Log Analytics Agent.
Microsoft Sentinel Content Type
The SonicWall Data connector includes a Workbook containing a variety of
queries for various security services as well as other traffic and security
insights.
To navigate to Microsoft Sentinel content types:
- Navigate to the Content management > Content hub link.
- Click the installed SonicWall Network Security Solution to view the content types:
- Workbook
- Analytics Rules
- Hunting Query
Workbook
SonicWall Workbook contains the collection of queries to provide visibility
into the events reported by the SonicWall firewalls.
You can also select the Auto refresh time for the queries.
Analytics Rules
Topics:
- SonicWall – Capture ATP Malicious File Detection
- SonicWall – Allowed SSH, Telnet, and RDP Connections
SonicWall – Capture ATP Malicious File Detection
SonicWall – Capture ATP Malicious File Detection identifies malicious file
verdicts from the SonicWall Capture ATP service. This analytic rule leverages
the SonicWall Firewall ASIM Network Session parser
(ASimNetworkSessionSonicWallFirewall).
To set the rule logic:
- Click the Analytics rule to create the rule and set the rule logic.
- Navigate to Incident Settings and select the Automated response.
- Review the settings and click Save to schedule the rule.
SonicWall – Allowed SSH, Telnet, and RDP Connections
SonicWall – Allowed SSH, Telnet, and RDP Connections identifies allowed
inbound SSH, Telnet, and RDP connections. This analytic rule leverages the
SonicWall Firewall ASIM Network Session parser
(ASimNetworkSessionSonicWallFirewall).
To set the rule logic:
- Click the Analytics rule to create the rule and set the rule logic.
- Navigate to Incident Settings and select the Automated response.
- Review the settings and click Save to schedule the rule.
Hunting Query
Outbound SSH/SCP Connections query looks for outbound SSH/SCP connections
identified by the expected port number (22) or by the SonicWall Deep Packet
Inspection services. This query leverages the SonicWall Firewall ASIM Network
Session parser.
To run the query:
- Select the Threat hunting query and click Run query. Alternatively, scroll right, click the three dots at the end of the row, and run the query from there.
NOTE: You can also create your own hunting query based on this one. For more information about setup instructions, refer to the SonicWall Firewall-Sentinel Integration KB Article and the data connector instructions Article.
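The syslog facility requirement from the Configuring a Syslog Server section and the allowed SSH/Telnet/RDP analytics rule above, as one added Python example that is not SonicWall's or Microsoft's code: it parses constructed CEF-over-syslog datagrams, checks that they arrive on Local use 4 as configured on the firewall, and runs a simplified form of the rule's detection over them. The vendor/product strings and the CEF extension keys in the sample (src, dst, dpt, act, deviceDirection) are assumptions about the message layout, not the firewall's exact output.

```python
import re

# RFC 5424 facility numbers: "Local use 4", the facility the guide has you pick
# on the SonicWall side (and collect as LOG_LOCAL* in the DCR), is 20.
LOCAL4 = 20
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
PRI_RE = re.compile(r"^<(\d{1,3})>")
CEF_RE = re.compile(r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(\d+)\|(.*)$")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # CEF extension values may contain spaces

def parse_cef_syslog(line):
    """Split one syslog datagram into (facility, severity, cef_header, extensions).
    Returns None when the line carries no CEF payload (plain syslog noise)."""
    pri, cef = PRI_RE.match(line), CEF_RE.search(line)
    if not pri or not cef:
        return None
    facility, severity = divmod(int(pri.group(1)), 8)  # PRI = facility*8 + severity
    keys = ("version", "vendor", "product", "dev_version", "sig_id", "name", "cef_severity")
    header = dict(zip(keys, cef.groups()[:7]))
    return facility, severity, header, dict(EXT_RE.findall(cef.group(8)))

def facility_ok(line):
    """True when a CEF datagram arrives on Local use 4, as configured on the firewall."""
    parsed = parse_cef_syslog(line)
    return parsed is not None and parsed[0] == LOCAL4

def allowed_inbound_admin(lines):
    """Simplified form of the 'Allowed SSH, Telnet, and RDP Connections' rule:
    allowed inbound sessions to 22/23/3389, keyed on the assumed CEF fields
    src, dst, dpt, act and deviceDirection (0 = inbound) used in the sample."""
    hits = []
    for line in lines:
        parsed = parse_cef_syslog(line)
        if parsed is None or parsed[2]["vendor"] != "SonicWall":
            continue
        ext = parsed[3]
        port = int(ext.get("dpt", "0"))
        if ext.get("act") == "allow" and ext.get("deviceDirection") == "0" and port in ADMIN_PORTS:
            hits.append((ext["src"], ext["dst"], ADMIN_PORTS[port]))
    return hits

# Constructed sample datagrams, not captured from a real firewall. PRI 166 = 20*8 + 6
# (local4.info); PRI 14 = 1*8 + 6 (user.info), i.e. a firewall not set to Local use 4.
SAMPLE = [
    "<166>Jun 25 10:00:01 fw1 CEF:0|SonicWall|NSa|7.0.1|1235|Connection Opened|3|src=203.0.113.7 dst=10.0.0.12 spt=51022 dpt=22 proto=tcp act=allow deviceDirection=0",
    "<166>Jun 25 10:00:02 fw1 CEF:0|SonicWall|NSa|7.0.1|1235|Connection Opened|3|src=10.0.0.5 dst=198.51.100.9 spt=40000 dpt=443 proto=tcp act=allow deviceDirection=1",
    "<166>Jun 25 10:00:03 fw1 CEF:0|SonicWall|NSa|7.0.1|1236|Connection Denied|4|src=203.0.113.8 dst=10.0.0.12 spt=51023 dpt=3389 proto=tcp act=deny deviceDirection=0",
    "<14>Jun 25 10:00:04 fw1 CEF:0|SonicWall|NSa|7.0.1|1235|Connection Opened|3|src=10.0.0.9 dst=10.0.0.12 spt=50001 dpt=23 proto=tcp act=allow deviceDirection=0",
]
```

Calling allowed_inbound_admin(SAMPLE) flags the SSH and Telnet sessions but not the denied RDP attempt or the outbound HTTPS session, while facility_ok(SAMPLE[3]) is False because that firewall is still sending on the user facility rather than Local use 4.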
SonicWall Support
Technical support is available to customers who have purchased SonicWall
products with a valid maintenance contract.
The Support Portal provides self-help tools you can use to solve problems
quickly and independently, 24 hours a day, 365 days a year.
The Support Portal enables you to:
- View Knowledge Base articles and Technical Documentation
- View and participate in the Community Forum discussions
- View Video Tutorials
- Access MySonicWall
- Learn about SonicWall Professional Services
- Review SonicWall Support services and warranty information
- Register at SonicWall University for training and certification
About This Document
NOTE: A NOTE icon indicates supporting information.
IMPORTANT: An IMPORTANT icon indicates supporting information.
TIP: A TIP icon indicates helpful information.
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of
data if instructions are not followed.
WARNING: A WARNING icon indicates a potential for property damage,
personal injury, or death.
Microsoft Sentinel Integration Guide
Updated – April 2024
Copyright © 2024 SonicWall Inc. All rights reserved.
The information in this document is provided in connection with SonicWall
and/or its affiliates’ products. No license, express or implied, by estoppel
or otherwise, to any intellectual property right is granted by this document
or in connection with the sale of products. EXCEPT AS SET FORTH IN THE TERMS
AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
SONICWALL AND/OR ITS AFFILIATES ASSUME NO LIABILITY WHATSOEVER AND DISCLAIMS
ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL SONICWALL AND/OR
ITS AFFILIATES BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE,
SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE
USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF SONICWALL AND/OR ITS AFFILIATES
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SonicWall and/or its
affiliates make no representations or warranties with respect to the accuracy
or completeness of the contents of this document and reserve the right to
make changes to specifications and product descriptions at any time without
notice. SonicWall and/or its affiliates do not make any commitment to update the
information contained in this document.
For more information, visit https://www.sonicwall.com/legal.
References
- SonicWall Community | Technology and Support
- Migrate from legacy agents to Azure Monitor Agent - Azure Monitor | Microsoft Learn
- Overview of the Azure Connected Machine agent - Azure Arc | Microsoft Learn
- Connected Machine agent prerequisites - Azure Arc | Microsoft Learn
- Azure Monitor Agent overview - Azure Monitor | Microsoft Learn
- Manage Azure Monitor Agent - Azure Monitor | Microsoft Learn
- Tools for migrating to Azure Monitor Agent from legacy agents - Azure Monitor | Microsoft Learn
- Collect Syslog events with Azure Monitor Agent - Azure Monitor | Microsoft Learn
- SonicWall Firewall connector for Microsoft Sentinel | Microsoft Learn
- Tutorial: Forward Syslog data to Microsoft Sentinel and Azure Monitor by using Azure Monitor Agent | Microsoft Learn
- What is Microsoft Sentinel? | Microsoft Learn
- Troubleshoot a connection between Microsoft Sentinel and a CEF or Syslog data connector | Microsoft Learn
- MySonicWall
- raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py
- sonicwall.com/legal
- sonicwall.com/partners/partner-enabled-services/
- sonicwall.com/products/firewalls/
- sonicwall.com/search/#t=Support&sort=relevancy&f:sourceTypeFacetId=[Knowledge Base]&f:@language=[English]
- sonicwall.com/support/contact-support/
- sonicwall.com/support/knowledge-base/how-can-i-configure-a-syslog-server-on-a-sonicwall-firewall/170505984096810/
- sonicwall.com/support/knowledge-base/sonicwall-firewall-log-integration-with-microsoft-sentinel/210310071957057/
- sonicwall.com/support/support-services/
- sonicwall.com/support/technical-documentation/?language=English
- sonicwall.com/support/video-tutorials/#t=All&sort=relevancy&numberOfResults=12
- SonicWall University