SonicWall UTM Firewall

Version: SonicWall UTM SonicOS 5.8 and later.

SonicWall Unified Threat Management (UTM) is a security approach for small- to medium-sized businesses (SMBs). It combines networking, security, threat prevention, and management to deliver predictable performance.

Netsurion Open XDR gathers and examines the collected logs to identify malicious traffic, critical threats, configuration changes, VPN activity and user behaviour. It generates reports on changes to the firewall configuration, on user management and user activity, and on detected intrusions, viruses and spyware. It raises alerts when a user tries to access a blocked URL and when a login fails.

Netsurion data source integration for the SonicWall UTM firewall allows you to monitor the following:

  • Operations: High Availability activity, link monitoring, DHCP Relay activity, user activity and content filtering
  • Security: Anti-Spam service, wireless LAN Intrusion Detection System (IDS) activity
  • Compliance: authenticated access activity, network access activity, firewall event alerts, VPN client activity (user authentication failed and succeeded), VPN activity (IPsec, PKI and IKE information) and VPN IPsec tunnel status change activity

Once SonicWall UTM is configured to deliver events to Netsurion Open XDR, alerts, dashboards and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integrations available in Netsurion Open XDR.

Alerts

| Type | Name | Description |
| --- | --- | --- |
| Security | SonicWall UTM – Security web category access blocked | This alert is generated when access to a URL listed in the Security web category is blocked by SonicWall UTM. |
| Operations | SonicWall UTM – Bandwidth web category access blocked | This alert is generated when access to a URL listed in the Bandwidth web category is blocked by SonicWall UTM. |
| Operations | SonicWall UTM – Baseline web category access blocked | This alert is generated when access to a URL listed in the Baseline web category is blocked by SonicWall UTM. |
| Compliance | SonicWall UTM – Productivity web category access blocked | This alert is generated when access to a URL listed in the Productivity web category is blocked by SonicWall UTM. |
| Compliance | SonicWall UTM – Social networking web category access blocked | This alert is generated when access to a URL listed in the Social networking web category is blocked by SonicWall UTM. |
| Compliance | SonicWall Firewall – VPN User authentication failed | This alert is generated when a user authentication fails on the SonicWall Firewall VPN. |

Reports

| Type | Name | Description |
| --- | --- | --- |
| Security | SonicWall UTM – WLAN IDS report | This report provides information related to WLAN IDS, which includes the source IP and message field. |
| Security | SonicWall UTM – AntiSpam service | This report provides information related to the anti-spam service, which includes the status of the service and by whom it was enabled or disabled. |
| Security | SonicWall UTM – Intrusion detection | This report provides information related to intrusions detected by the SonicWall firewall, which includes source and victim details and the attack name. |
| Security | SonicWall UTM – Authentication success | This report provides information related to successful authentications, which includes the user name, source IP and message field. |
| Security | SonicWall UTM – Anti-Spyware detected | This report provides information related to anti-spyware detections, which includes the event generation time and source IP field. |
| Security | SonicWall UTM – FTP logon details | This report provides information related to FTP logon details, which includes the user name, source IP and message field. |
| Security | SonicWall UTM – Attacks detection | This report provides information related to attack detection, which includes the source IP address and message field. |
| Security | SonicWall Firewall – access rule change | This report is generated to give information related to firewall access rule changes. |
| Security | SonicWall Firewall – IDS attacks | This report is generated to give information related to IDS attacks that occur in the system. |
| Security | SonicWall UTM – FTP logon status | This report is generated to give information related to FTP logon status. |
| Operations | SonicWall Firewall – Network access report | This report provides information related to network access, which includes the source IP address, source port, destination IP address, destination port, WAN address and message field. |
| Operations | SonicWall UTM – Website access allowed | This report provides information related to allowed website access, which includes the user name, source IP, URL category and URL name. |
| Operations | SonicWall UTM – DSL activity | This report provides information related to DSL activity, which includes the user name, source IP and message field. |
| Operations | SonicWall UTM – Application control prevention | This report provides information related to application control prevention, which includes the source IP and message field. |
| Operations | SonicWall UTM – Application control detection | This report provides information related to application control detection, which includes the source IP and message field. |
| Operations | SonicWall UTM – Interface link status | This report provides information related to interface link status, which includes the interface name and its status (UP or DOWN). |
| Operations | SonicWall UTM – Connection closed, dropped or terminated | This report provides information related to connection status, which includes the source and destination IPs and ports, the connection status (closed, dropped or terminated) and the protocol used during the connection. |
| Operations | SonicWall UTM – Connection opened or established | This report provides information related to connections opened or established, which includes the source and destination IP, ports and interface, the application used to make the connection and protocol details. |
| Operations | SonicWall UTM – Terminal services or SSO Agent | This report provides information related to terminal and SSO service status, which includes the service name (terminal or SSO), its status and by whom these services were enabled or disabled. |
| Operations | SonicWall UTM – Multicast policy list | This report provides information related to the addition or deletion of a multicast policy list on an interface or VPN SPI, which includes the interface name and the VPN SPI value on which the multicast policy was added or deleted. |
| Operations | SonicWall UTM – System Shutdown by Administrator | This report provides information related to system shutdown by an administrator, which includes user details, i.e. by whom the firewall was shut down. |
| Operations | SonicWall UTM – Traffic flow | This report provides information related to traffic flow, i.e. whether the connection for the traffic flow was opened or closed. |
| Operations | SonicWall UTM – Administrator login status | This report is generated to give information related to administrator logins that have occurred. |
| Operations | SonicWall UTM – Application management | This report is generated to give information related to application activities that have occurred. |
| Operations | SonicWall UTM – Connection status | This report is generated to give information related to connection status. |
| Operations | SonicWall UTM – DHCP lease status | This report is generated to give information related to DHCP lease status. |
| Compliance | SonicWall UTM – User activity | This report provides information related to user activity, which includes the user name, source IP and message field. |
| Compliance | SonicWall UTM – Admin login failed | This report provides information related to admin login failures, which includes the user name, source IP and message field. |
| Compliance | SonicWall UTM – Authentication failed | This report provides information related to authentication failures, which includes the user name, source IP and message field. |
| Compliance | SonicWall UTM – Website access denied | This report provides information related to websites to which access was denied, which includes the source and destination IP, port and interface, and the URL and its category. |
| Compliance | SonicWall Firewall – VPN User authentication failed | This report provides information related to user authentication failures, which includes the source address and port, destination address and port, additional information and the reason for failure. |
| Compliance | SonicWall Firewall – VPN User authentication success | This report provides information related to successful user authentications, which includes the source address and port, destination address and port, additional information and the reason for success. |
| Compliance | SonicWall Firewall – VPN activity | This report provides information related to VPN activity covering VPN Client, VPN IPsec, VPN IKE and VPN PKI, which includes the source address and port, destination address and port, additional information and message. |
| Compliance | SonicWall Firewall – VPN IPsec tunnel status changed | This report provides information related to IPsec tunnel status changes to up or down, which includes the source range, destination range, gateway, reason, status and VPN details. |
| Compliance | SonicWall UTM – User admin login status | This report is generated to give information related to user admin login status. |
| Compliance | SonicWall UTM – User authentication status | This report is generated to give information related to user authentication status. |
| Compliance | SonicWall UTM – Website access status | This report is generated to give information related to website access status. |

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x or later and the SonicWall UTM Firewall.

Download the Integration Guide and the How-to Guide for configuration instructions and more information.