Configure a SonicWall firewall with SonicOS 7.x to send logs to Arctic Wolf

You can configure a SonicWall® firewall with SonicOS 7.x to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to a SonicWall device with administrator permissions

Configure an Address Object for the Arctic Wolf sensor

  1. Sign in to your SonicWall device with administrator permissions.
  2. In the menu bar, click Object.
  3. In the navigation menu, click Match Objects > Addresses > Address objects.
  4. In the Add Address Object dialog, configure these settings:
    • Name — Enter a name for the Arctic Wolf Sensor.
    • Zone Assignment — Select the correct zone.
    • Type — Select Host.
    • IP Address — Enter the IP address of your Arctic Wolf physical or virtual sensor.
  5. Click Save.

Configure your SonicWall device for security monitoring

  1. Sign in to your SonicWall device with administrator permissions.
  2. In the menu bar, click Device.
  3. In the navigation menu, click Log > Syslog.
  4. Click the Syslog Servers tab.
  5. Click + Add.
  6. In the Add Syslog Server dialog, configure these settings:
  7. Click Add.

Enable firewall rule change logging

  1. Sign in to your SonicWall device with administrator permissions.
  2. In the menu bar, click Device.
  3. In the navigation menu, click Log > Settings.
  4. In the Firewall section, click Security Policy.
  5. Click the GUI, Alert, Syslog, and Email toggles to the on position for these rules:
    • Rule Deleted
    • Rule Modified
    • Rule Added
  6. Click Accept.

Enable SSL VPN logging

  1. Sign in to your SonicWall device with administrator permissions.
  2. In the menu bar, click Device.
  3. In the navigation menu, click Log > Settings.
  4. In the Users category, click Authentication Access.
  5. For all entries under Authentication Access, make sure that the toggles in the Syslog column are set to the on position.
    Note: It is especially important that the Syslog toggle is set to the on position for the Successful SSL VPN User Login entry with ID 1080.
  6. Click Save.
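
One way to confirm that the Successful SSL VPN User Login event (ID 1080) is actually present in the forwarded syslog stream is to parse a captured sample and look for that ID. This is an added example, not Arctic Wolf or SonicWall code. It assumes the default SonicWall syslog layout of space-separated key=value pairs with the event ID in the m field. The function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: default SonicWall syslog layout, space-separated key=value
# pairs where "m" carries the event ID and values may be double-quoted.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SSLVPN_LOGIN_ID = 1080  # Successful SSL VPN User Login, ID as given in this guide


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    line = re.sub(r'^<\d{1,3}>', '', line.strip())  # drop the syslog PRI header
    return {key: value.strip('"') for key, value in PAIR.findall(line)}


def audit_capture(lines, required_ids=(SSLVPN_LOGIN_ID,)):
    """Count event IDs in a capture and list required IDs that never appear."""
    seen = Counter()
    unparsed = 0
    for line in lines:
        fields = parse_line(line)
        if not fields.get("m", "").isdigit():
            unparsed += 1  # truncated line or not a SonicWall event
            continue
        seen[int(fields["m"])] += 1
    missing = [event_id for event_id in required_ids if seen[event_id] == 0]
    return {"seen": dict(seen), "missing": missing, "unparsed": unparsed}


# Constructed sample capture (not real device output). ID 9999 is a
# placeholder for any other event type.
SAMPLE = [
    '<134>id=firewall sn=0000AAAA0000 time="2024-01-01 10:00:00 UTC" '
    'fw=192.0.2.1 pri=6 m=1080 msg="SSL VPN login (constructed)" '
    'usr="alice" src=198.51.100.7',
    '<134>id=firewall sn=0000AAAA0000 time="2024-01-01 10:00:05 UTC" '
    'fw=192.0.2.1 pri=6 m=9999 msg="other event (constructed)"',
    'line with no fields',
]

if __name__ == "__main__":
    print(audit_capture(SAMPLE))      # 1080 present, nothing missing
    print(audit_capture(SAMPLE[1:]))  # 1080 absent, reported as missing
```

Run it against lines from a packet capture or a test syslog listener after an SSL VPN sign-in; a non-empty missing list means the Syslog toggle for that event is not taking effect.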

Enable configuration auditing

This step is optional.

  1. Sign in to your SonicWall device with administrator permissions.
  2. In the menu bar, click Device.
  3. In the navigation menu, click Log > Settings.
  4. In the Category column, click Log > Configuration Auditing.
  5. For each entry, change the setting in the Priority column to warning:
    • Configuration Change Succeeded
    • Configuration Change Failed
    • Chassis settings change

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.