SonicWall NetFlow Integration with ThreatSync+ NDR

The SonicWall firewall uses the NetFlow protocol to collect data about IP traffic that enters its interfaces and exports this data as NetFlow fields to a NetFlow collector. The NetFlow collector is a server that collects the network traffic data and uploads it to ThreatSync+ NDR, which analyzes it for security, administration, accounting, and troubleshooting.

WatchGuard provides integration instructions to help customers configure WatchGuard products to work with products created by other organizations. If you want more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This document describes how to integrate the SonicWall with ThreatSync+ NDR using the NetFlow protocol.

Integration Summary

The hardware and software used to complete the steps outlined in this document include:

  • SonicWall TZ670 with SonicOS 7.0.0-R906
  • WatchGuard Cloud account with a ThreatSync+ NDR or Total NDR license
  • ThreatSync+ NDR Collection Agent (for more information, go to About ThreatSync+ NDR Collection Agents)

Topology

This diagram shows the integration topology of the SonicWall firewall and ThreatSync+ NDR.

Screenshot of the ThreatSync+ NDR and SonicWall topology diagram

Configure the ThreatSync+ NDR Collection Agent

Make sure the ThreatSync+ NDR Collection Agent is installed on your Windows or Linux computer, and the status of the collection agent is Success. For detailed instructions about the ThreatSync+ NDR Collection Agent installation, go to Configure Collection Agents for ThreatSync+ NDR (Windows Computers) or Configure Collection Agents for ThreatSync+ NDR (Linux Computers).

Configure the SonicWall

Before you can configure SonicWall NetFlow, configure these basic settings.

  1. Log in to the SonicWall management UI at https://<IP address of the SonicWall device>.
  2. Configure the management IP, external IP, and DNS servers.
    SonicWall configures the route rules and access rules to the Internet automatically.
    Screenshot of SonicWall, Basic Settings 1

  3. Configure the zones used to manage the different networks. In our example, we created internal-1.
    Screenshot of SonicWall, Basic Settings 2

  4. Configure the interface. In our example, we assigned the zone internal-1, which we created in the previous step, to Interface X6.
    SonicWall configures the route rules, NAT rules, and access rules to the Internet automatically.
    Screenshot of SonicWall, Basic Settings 3

  5. Click OK.

For more information, go to the SonicWall documentation.

Configure NetFlow on SonicWall

To configure your SonicWall as a NetFlow exporter:

  1. Log in to the SonicWall management UI.
  2. From the top navigation, click DEVICE.
  3. From the left navigation, select AppFlow > Flow Reporting > Settings.
  4. In the Report Connections section, select Interface-based.
  5. Enable Enable Aggregate AppFlow Report Data Collection.
  6. Enable Enable Real-Time Data Collection [*].
  7. In the Local Server Settings section, enable Enable AppFlow To Local Collector.
  8. For other settings, keep the default values.
  9. Click Accept.
    Screenshot of SonicWall, NetFlow Profile 1

  10. From the top navigation, click DEVICE.
  11. From the left navigation, select AppFlow > Flow Reporting > External Collector.
  12. Enable Send Flows and Real-Time Data To External Collector [*].
  13. From the External Flow Reporting Format drop-down list, select Netflow version-9.
  14. In the External Collector's Server Address section, check IP.
  15. In the text box under AddrObj, enter the collector IP address. In our example, we entered 10.12.0.20.
  16. In the External Collector's UDP Port Number text box, enter the collector port number that receives NetFlow traffic. In our example, we entered 2055.
  17. Enable Send IPFIX/Netflow Templates At Regular Interval.
  18. Enable Report On Connection OPEN.
  19. Enable Report On Connection CLOSE.
  20. Enable Report Connection On Active Timeout.
  21. For other settings, keep the default values.
  22. Click Accept.
    Screenshot of SonicWall, NetFlow Profile 2

  23. After the configuration is saved, a warning appears at the top of the page. Click Restart to save the configuration.
    It might take several minutes to complete the reboot.
    Screenshot of SonicWall, NetFlow Profile 3
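
NetFlow version 9 data records can only be decoded with the template that describes them, which is why Send IPFIX/Netflow Templates At Regular Interval is enabled above. The following is an added example, not WatchGuard or SonicWall code, that checks UDP payloads captured on the collector port for a version 9 header, template flowsets, and data flowsets that have no known template. The function names are hypothetical, the sample packet is constructed for illustration, and the layout follows RFC 3954.

```python
import struct

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FLOWSET_HEADER = struct.Struct("!HH")  # flowset_id, length (length includes these 4 bytes)

def inspect_v9_packet(payload, known_templates):
    """Summarise one export packet; known_templates (id -> record length) is updated in place."""
    if len(payload) < V9_HEADER.size:
        raise ValueError("payload is shorter than a NetFlow v9 header")
    version, _count, _uptime, _secs, sequence, source_id = V9_HEADER.unpack_from(payload)
    if version != 9:
        raise ValueError(f"expected NetFlow version 9, got version {version}")
    summary = {"sequence": sequence, "source_id": source_id,
               "templates": [], "data_records": 0, "undecodable_flowsets": []}
    offset = V9_HEADER.size
    while offset + FLOWSET_HEADER.size <= len(payload):
        flowset_id, length = FLOWSET_HEADER.unpack_from(payload, offset)
        if length < FLOWSET_HEADER.size or offset + length > len(payload):
            raise ValueError("flowset length runs past the end of the packet")
        body = payload[offset + FLOWSET_HEADER.size:offset + length]
        if flowset_id == 0:  # template flowset: defines the layout of data records
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * field_count
                if template_id < 256 or end > len(body):
                    break  # trailing padding, not a template record
                fields = struct.unpack_from(f"!{2 * field_count}H", body, pos + 4)
                known_templates[template_id] = sum(fields[1::2])  # sum of field lengths
                summary["templates"].append(template_id)
                pos = end
        elif flowset_id >= 256:  # data flowset: needs the matching template
            record_len = known_templates.get(flowset_id)
            if record_len:
                summary["data_records"] += len(body) // record_len
            else:
                summary["undecodable_flowsets"].append(flowset_id)
        offset += length  # options templates (ID 1) and reserved IDs are skipped
    return summary

def build_sample_packet():
    """Constructed sample: one template (ID 256) and two 17-byte data records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]  # (field type, length) pairs
    template = struct.pack("!HHHH", 0, 8 + 4 * len(fields), 256, len(fields))
    template += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    record = struct.pack("!4s4sHHBI", bytes([10, 0, 6, 5]), bytes([192, 0, 2, 10]), 50000, 443, 6, 1200)
    data = struct.pack("!HH", 256, 40) + record * 2 + b"\x00\x00"  # padded to 4 bytes
    return V9_HEADER.pack(9, 3, 1000, 1700000000, 1, 0) + template + data
```

Pass the same `known_templates` dictionary for every packet from one exporter. A capture that only ever reports `undecodable_flowsets` means data is arriving but no template has been seen yet.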

Test the Integration

To test the SonicWall integration with ThreatSync+ NDR:

  1. Log in to your WatchGuard Cloud account.
  2. Select Configure > ThreatSync+ Integrations > Collection Agents. If you have a Service Provider account, you must select an account from Account Manager.
  3. Select the ThreatSync+ NDR Collection Agents tab to view the Last Activity column of your collection agent. This column shows the last time the collection agent uploaded the NetFlow records to ThreatSync+ NDR. It might take a few hours for the first upload.
    Screenshot of WatchGuard Cloud, the ThreatSync+ Collectors page, Test Integration 1

  4. From the navigation menu, select Monitor > ThreatSync+ to view the Network Summary page.
    Screenshot of WatchGuard Cloud, the ThreatSync+ Network Summary page, Test Integration 2

For more information about ThreatSync+, go to ThreatSync+.