SonicWall UTM Firewall
Version : SonicWall UTM SonicOS 5.8 and later.
SonicWall’s approach to UTM Unified Threat Management (UTM) is the security approach for small- to medium-sized businesses (SMBs). It uses for networking, security, threat prevention, and management to deliver predictable performance.
Netsurion Open XDR gathers and examines acquired logs to identify malicious traffic, fatal threats, configuration changes, VPN activity and user behaviour. It generates reports for changes in firewall configuration, user management and its activities, detection of intrusion, virus and spyware. It alerts when user tries to access blocked URL and login fails.
Netsurion data source integration for SonicWall UTM firewall allows you to monitor following:-
- Operations:- High Availability Activity, Link monitoring, DHCP Relay Activity, User Activity and Content Filtering
- Security:- Anti-Spam Service, Wireless LAN Intrusion Detection System(IDS) Activity
- Compliance:- Authenticated Access Activity, Network Access Activity, Firewall Events Alerts, VPN Client activity having user authentication failed and success, VPN activity having IPsec, PKI, IKE information and VPN IPsec tunnel status changed activity.
Once SonicWall UTM is configured to deliver events to Netsurion Open XDR; alerts, dashboards and reports can be configured into Netsurion Open XDR.
The following are the key Data Source Integration available in Netsurion Open XDR.
Alerts
| Type | Name | Description |
|---|---|---|
| Security | SonicWall UTM – Security web category access blocked | This alert is generated when access to URL listed in Security web category is blocked by SonicWall UTM. |
| Operations | SonicWall UTM – Bandwidth web category access blocked | This alert is generated when access to URL listed in Bandwidth web category is blocked by SonicWall UTM. |
| Operations | SonicWall UTM – Baseline web category access blocked | This alert is generated when access to URL listed in Baseline web category is blocked by SonicWall UTM. |
| Compliance | SonicWall UTM – Productivity web category access blocked | This alert is generated when access to URL listed in Productivity web category is blocked by SonicWall UTM. |
| Compliance | SonicWall UTM – Social networking web category access blocked | This alert is generated when URL listed in Social networking web category access has been blocked by SonicWall UTM. |
| Compliance | SonicWall Firewall – VPN User authentication failed | This alert is generated when user authentication is failed by SonicWall Firewall VPN. |
Reports
| Type | Name | Description |
|---|---|---|
| Security | SonicWall UTM – WLAN IDS report | This report provides information related to WLAN IDS which includes source IP and message field. |
| Security | SonicWall UTM – AntiSpam service | This reports provides information related to antispam service which includes status of service and by whom it is enabled or disabled. |
| Security | SonicWall UTM – Intrusion detection | This reports provides information related to intrusion detected by SonicWall firewall which includes source and victim details and attack name. |
| Security | SonicWall UTM – Authentication success | This report provides information related to authentication success which includes user name, source IP and messages field. |
| Security | SonicWall UTM-Anti – Spyware detected | This report provides information related to anti-spyware detected which includes Event generated time and source IP field. |
| Security | SonicWall UTM – FTP logon details | This report provides information related to FTP logon details which includes user name, source IP and message field. |
| Security | SonicWall UTM – Attacks detection | This report provides information related to attack detection which includes source IP address and messages field. |
| Security | SonicWall Firewall – access rule change | This report is generated to give information related to firewall access rule changes. |
| Security | SonicWall Firewall – IDS attacks | This report is generated to give information related to IDS attacks that occurs in the system. |
| Security | SonicWall UTM – FTP logon status | This report is generated to give information related to FTP logon status. |
| Operations | SonicWall Firewall – Network access report | This report provides information related to network access which includes source IP address, source Port, destination IP address, destination port, WAN address and message field. |
| Operations | SonicWall UTM – Website access allowed | This report provides information related to website access allowed which includes user name, source IP, URL category and URL name. |
| Operations | SonicWall UTM – DSL activity | This report provides information related to DSL activity which includes user name, source IP and message field. |
| Operations | SonicWall UTM – Application control prevention | This report provides information related to application control prevention which includes source IP and messages field. |
| Operations | SonicWall UTM – Application control detection | This report provides information related to application control detection which includes source IP and messages field. |
| Operations | SonicWall UTM – Interface link status | This report provides information related to interface link status which includes interface name and it’s status(UP OR DOWN). |
| Operations | SonicWall UTM – Connection closed dropped or terminated | This report provides information related to connection status which includes source and destination IP and ports and connection status(closed, dropped and terminated) with protocol used during connection. |
| Operations | SonicWall UTM – Connection opened or established | This report provides information related to connection opened and established which includes source and destination IP, ports and interface, application used for making connection and protocol details. |
| Operations | SonicWall UTM – Terminal services or SSO Agent | This report provides information related to terminal and SSO services status which includes service name (terminal or SSO) and it’s status and by whom these services are enabled and disabled. |
| Operations | SonicWall UTM – Multicast policy list | This reports provides information related to addition or deletion of multicast policy list in interface or VPN SPI, which includes the interface Name and VPN SPI value in which multicast policy is added or deleted. |
| Operations | SonicWall UTM – System Shutdown by Administrator | This reports provides information related to system shutdown by administrator which includes user details i.e. by whom firewall is shutdown. |
| Operations | SonicWall UTM – Traffic flow | This reports provides information related to traffic flow whether the connection to the traffic flow is opened or closed. |
| Operations | SonicWall UTM – Administrator login status | This report is generated to give information related to administrator login that has occurred. |
| Operations | SonicWall UTM – Application management | This report is generated to give information related to application activities that occurred. |
| Operations | SonicWall UTM – Connection status | This report is generated to give information related to connection status. |
| Operations | SonicWall UTM – DHCP lease status | This report is generated to give information related to DHCP lease status. |
| Compliance | SonicWall UTM – User activity | This report provides information related to user activity which includes user name, source IP and message field. |
| Compliance | SonicWall UTM – Admin login failed | This report provides information related to admin login failure which includes user name, source IP and message field. |
| Compliance | SonicWall UTM – Authentication failed | This report provides information related to authentication failure which includes user name, source IP and messages field. |
| Compliance | SonicWall UTM – Website access denied | This reports provides information related to websites whose access are denied which includes source and destination IP, port and interface and URL and it’s category. |
| Compliance | SonicWall Firewall – VPN User authentication failed | This report provides information related to user authentication failure which includes source address and port, destination address and Port, additional information and reason for failure. |
| Compliance | SonicWall Firewall-VPN User authentication success | This report provides information related to user authentication success which includes source address and port, destination address and port, additional information and reason for success. |
| Compliance | SonicWall Firewall – VPN activity | This report provides information related to VPN activity that contains VPN Client, VPN IPsec, VPN IKE, and VPN PKI which includes source address and port, destination address and port, additional information and message. |
| Compliance | SonicWall Firewall – VPN IPsec tunnel status changed | This report provides information related to IPsec tunnel status changed to up or down which includes source range, destination range, gateway, reason, status and VPN details. |
| Compliance | SonicWall UTM – User admin login statu | This report is generated to give information related to user admin login status. |
| Compliance | SonicWall Firewall – VPN IPsec tunnel status changed | This report provides information related to IPsec tunnel status changed to up or down which includes source range, destination range, gateway, reason, status and VPN details. |
| Compliance | SonicWall UTM – User authentication status | This report is generated to give information related to user authentication status. |
| Compliance | SonicWall UTM – Website access status | This report is generated to given information related to website access status. |
Documentation
The configuration details are consistent with Netsurion Open XDR 9.x or later, and SonicWALL UTM Firewall.
Download Integration Guide and How-to Guide for configuration instructions and more information.