SonicWall

The following sections show you how to configure SonicWall firewalls to send their log data to Axoflow.

CAUTION:

Make sure to set data forwarding as described in this guide. Different settings, such as another message format or port, might be valid but can result in data loss or incorrect parsing.

Prerequisites

  • You have administrative access to the firewall.
  • The date, time, and time zone are correctly set on the firewall.
  • You have an AxoRouter deployed and configured. This device is going to receive the logs from the firewall.
  • You know the IP address of the AxoRouter. To find it:

    1. Open the Axoflow Console.
    2. Select the Hosts or the Topology page.
    3. Click the AxoRouter instance that is going to receive the logs.
    4. Check the Networks > Address field.

Steps for SonicOS 7.x

Note: The steps involving the SonicWall user interface are provided for your convenience only; for details, see the official SonicWall documentation.

  1. Log in to your SonicWall device. You need administrator privileges to perform the configuration.

  2. Register the address of your AxoRouter as an Address Object.

    1. Select MENU > OBJECT.

    2. Select Match Objects > Addresses > Address objects.

    3. Click Add Address.

    4. Configure the following settings:

      • Name: Enter a name for the AxoRouter, for example, AxoRouter.
      • Zone Assignment: Select the correct zone.
      • Type: Select Host.
      • IP Address: Enter the IP address of your AxoRouter: %axorouter-ip%
    5. Click Save.

  3. Set your AxoRouter as a syslog server.

    1. Navigate to Device > Log > Syslog.

    2. Select the Syslog Servers tab.

    3. Click Add.

    4. Configure the following options:

      • Name or IP Address: Select the Address Object of AxoRouter.
      • Server Type: Select Syslog Server.
      • Syslog Format: Select Enhanced.

      If your syslog server (the AxoRouter) does not use the default port 514, enter the port number in the Port field.

      By default, AxoRouter accepts data on the following ports:

      • 514 TCP and UDP for RFC3164 (BSD-syslog) formatted traffic.
      • 601 TCP for RFC5424 (IETF-syslog) formatted traffic.
      • 6514 TCP for TLS-encrypted traffic.
      • 4317 TCP for OpenTelemetry log data.

      Make sure the ports you are using are open on the host firewall of the AxoRouter.

      [Screenshot: SonicWall add syslog server screen]

  4. Add the appliance to the Axoflow Console. For details, see Appliances.

Steps for SonicOS 6.x

Note: The steps involving the SonicWall user interface are provided for your convenience only; for details, see the official SonicWall documentation.

  1. Log in to your SonicWall device. You need administrator privileges to perform the configuration.

  2. Register the address of your AxoRouter as an Address Object.

    1. Select MANAGE > Policies > Objects > Address Objects.

    2. Click Add.

    3. Configure the following settings:

      • Name: Enter a name for the AxoRouter, for example, AxoRouter.
      • Zone Assignment: Select the correct zone.
      • Type: Select Host.
      • IP Address: Enter the IP address of your AxoRouter: %axorouter-ip%
    4. Click Add.

  3. Set your AxoRouter as a syslog server.

    1. Navigate to MANAGE > Log Settings > SYSLOG.

    2. Click ADD.

    3. Configure the following options:

      • Syslog ID: Enter an ID for the firewall. This ID will be used as the hostname in the log messages.
      • Name or IP Address: Select the Address Object of AxoRouter.
      • Server Type: Select Syslog Server.
      • Enable the Enhanced Syslog Fields Settings.
    4. Click OK.

  4. Add the appliance to the Axoflow Console. For details, see Appliances.
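As an added example (not part of the Axoflow documentation or of the SonicWall product), the following Python check relates to the CAUTION at the top of this page: it takes syslog lines as AxoRouter receives them on port 514 and reports which ones carry the Enhanced key=value format, so a wrong Syslog Format setting shows up before it causes parsing problems. The required field names are an assumption based on the firewall's documented log format, and the sample lines are constructed.

```python
import re

# RFC3164 (BSD-syslog) frame as received on port 514: <PRI>, then an optional
# "Mmm dd hh:mm:ss host" header, then the message body.
_BSD_FRAME = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) )?"
    r"(?P<body>.*)$", re.S)
# key=value pairs in the body; a value is either "quoted, may contain spaces" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# Fields every SonicWall Enhanced message is expected to carry. Assumption taken
# from the firewall's documented log format, not from this page.
REQUIRED = ("id", "sn", "time", "fw", "pri", "c", "m")

# Constructed sample input (addresses, serial number and text are made up).
SAMPLE = [
    '<134>Jan 10 12:00:01 fw01 id=firewall sn=0000000000AB '
    'time="2025-01-10 12:00:01 UTC" fw=192.0.2.1 pri=6 c=1024 m=98 '
    'msg="Connection Opened" src=192.0.2.10:51514:X0 dst=198.51.100.5:443:X1 proto=tcp/https',
    # The same event in a free-text format: the check must reject it.
    '<134>Jan 10 12:00:02 fw01 Connection Opened from 192.0.2.10 to 198.51.100.5',
]

def parse_sonicwall_enhanced(line):
    """Return the message fields as a dict, or None when the line is not a
    BSD-syslog frame whose body consists of SonicWall Enhanced key=value pairs."""
    m = _BSD_FRAME.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in _KV.finditer(m.group("body")):
        key, quoted, bare = kv.groups()
        fields[key] = quoted if quoted is not None else bare
    if any(k not in fields for k in REQUIRED):
        return None
    fields["_syslog_pri"] = int(m.group("pri"))   # e.g. 134 = local0.info
    fields["_syslog_host"] = m.group("host")
    return fields

def summarize(lines):
    """Count how many captured lines parse as Enhanced format and how many do not;
    rejected lines point at a wrong Syslog Format setting on the firewall."""
    parsed = sum(parse_sonicwall_enhanced(l) is not None for l in lines)
    return {"parsed": parsed, "rejected": len(lines) - parsed}

if __name__ == "__main__":
    print(summarize(SAMPLE))  # {'parsed': 1, 'rejected': 1}
```

To check a live deployment, feed the function lines captured on the AxoRouter host (for example from a packet capture of port 514) instead of SAMPLE.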

Labels

Axoflow automatically adds the following labels to data collected from this source:

label     value
vendor    dell
product   sonicwall

Sending data to Splunk

When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype and index settings:

sourcetype       index
dell:sonicwall   netfw

Tested with: Dell SonicWall Add-on for Splunk technical add-on