
Security Analytics Engine 1.2 - SonicWALL Configuration Guide

Introduction to the SonicWALL Processor service

The Security Analytics Engine utilizes the SonicWALL Processor service, which processes and forwards data received from the SonicWALL device pertaining to user and IP address activities. Prior to making the required SonicWALL firewall configuration changes, we recommend that the SonicWALL Processor service be installed and configured as follows.

NOTE: If Windows Firewall is enabled and running on the installation destination server, the SonicWALL Processor service automatically configures firewall rules to allow SonicWALL AppFlow data communications from the firewall to the service. However, if a third-party firewall is installed, it may be necessary to configure the firewall to allow UDP traffic on the configured AppFlow port.

SonicWALL Processor service installation

The following procedure covers installing the SonicWALL Processor service.

NOTE: In order to install the SonicWALL Processor service, you must have Administrator privileges.

To install the SonicWALL Processor service

  1. Copy the Security Analytics Engine Installer - SonicWALL Processor Service.msi file to the installation destination server.
  2. From the installation destination server, install the Security Analytics Engine Installer - SonicWALL Processor Service.msi file with the default parameter values.

    NOTE: During a default installation, if the Security Analytics Engine is detected on the server, the installer automatically detects the INSTALLFOLDER and REPORTERKEY options. It detects the REPORTERURL option by checking the web site bindings in the following order:

    1. HTTPS bindings on any port (for example, https://server.domain.local:10443/SecurityAnalyticsEngine)
    2. HTTP binding on the default port with no host name filter (for example, http://localhost/SecurityAnalyticsEngine)
    3. HTTP binding on any port with a host name filter (for example, http://mysite:88/SecurityAnalyticsEngine)

    OR

    From the installation destination server, install the Security Analytics Engine Installer - SonicWALL Processor Service.msi file and provide command line parameter options to specify the following configuration values:

    • INSTALLFOLDER - This parameter overrides the default installation folder for the SonicWALLProcessor folder.
    • REPORTERURL - This parameter overrides the default Security Analytics Engine URL, which is http://localhost/SecurityAnalyticsEngine if auto-detection cannot determine the Security Analytics Engine web site bindings.
    • REPORTERKEY - This parameter overrides the auto-detected key value used to send user and IP address activity records to the Security Analytics Engine.

      IMPORTANT: Copying encrypted key values from configuration files on different computers is NOT supported.

      NOTE: For simple, single-server installations of both the Security Analytics Engine and the SonicWALL Processor service, the installers auto-generate an encrypted shared key which is stored in the appropriate configuration files. Therefore, these types of installations do not require use of the REPORTERKEY.

      For complex installations where the same shared key must be configured on multiple servers, the REPORTERKEY is required and must be set to the same text as the MALWAREPROVIDERKEY used during the installation of the Security Analytics Engine. See the To reset the key for the SonicWALL Processor and the Security Analytics Engine procedure for information on resetting the key.

      In both cases, upgrades are handled automatically and the same key is retained. Providing the installer key parameters during an upgrade resets the shared key to the new value.

      NOTE: If you are unable to provide the key used in the installation of the Security Analytics Engine during the installation of the SonicWALL Processor, you can reset the key post-install without needing to uninstall the Security Analytics Engine.

      To reset the key for the SonicWALL Processor and the Security Analytics Engine

      1. Run the SAE.SonicWALL.Processor.Utility.exe (One Identity | Security Analytics Engine | SonicWALLProcessor).
      2. In the Key Generator section, use one of the following methods to reset the key:
        • In the Provider Key field, enter your preferred key.
        • Click the Generate button to generate a random key.
      3. An encrypted key is automatically generated. Click the Update button to update the configuration file with the new key.

      IMPORTANT: Resetting a key when the SonicWALL Processor and the Security Analytics Engine are installed on different systems requires that the utility be run on each system individually. In that case, enter the same key into the Provider Key field on both.
    • APPFLOWPORT - This parameter overrides the default SonicWALL AppFlow port number (2055).
  3. After installing the SonicWALL Processor service, verify that the service is running and that no errors or warnings are logged to the service log file.

    NOTE: By default, the installation path for the SonicWALL Processor service is:

    C:\Program Files\One Identity\Security Analytics Engine\SonicWALLProcessor
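
The command-line installation and the step 3 checks can be scripted as follows. This is an added example, not vendor code: the MSI location, URL and host name are constructed placeholders, and the service display-name pattern is an assumption, since the guide does not give the service name.

```powershell
# Added example, not vendor code. Only the MSI property names and the default port
# 2055 come from the guide; the path, URL and host name are constructed placeholders.
$Msi         = 'C:\Temp\Security Analytics Engine Installer - SonicWALL Processor Service.msi'
$ReporterUrl = 'https://sae.example.local:10443/SecurityAnalyticsEngine'
$AppFlowPort = 2055
# Prompt without echo; must be the same text as MALWAREPROVIDERKEY on the engine server.
$secure      = Read-Host -Prompt 'Shared provider key' -AsSecureString
$ReporterKey = [System.Net.NetworkCredential]::new('', $secure).Password

# Validate inputs before handing them to the installer.
$uri = $null
if (-not [Uri]::TryCreate($ReporterUrl, [UriKind]::Absolute, [ref]$uri) -or
    $uri.Scheme -notin 'http', 'https') { throw "REPORTERURL is not an http(s) URL: $ReporterUrl" }
if ($uri.Scheme -eq 'http') { Write-Warning 'REPORTERURL is plain HTTP; prefer an HTTPS binding.' }
if ($AppFlowPort -lt 1 -or $AppFlowPort -gt 65535) { throw "APPFLOWPORT out of range: $AppFlowPort" }
if ([string]::IsNullOrWhiteSpace($ReporterKey) -or $ReporterKey.Contains('"')) {
    throw 'REPORTERKEY is empty or contains a double quote'
}
if (-not (Test-Path -LiteralPath $Msi)) { throw "MSI not found: $Msi" }

# /qn = no UI, /norestart = no automatic reboot. No /l*v here: a verbose MSI log
# records property values, which would include REPORTERKEY.
$msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart',
             "REPORTERURL=`"$ReporterUrl`"", "REPORTERKEY=`"$ReporterKey`"",
             "APPFLOWPORT=$AppFlowPort")
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) { throw "msiexec exit code $($proc.ExitCode)" }

# Step 3: is the service running? ASSUMPTION: its display name contains 'SonicWALL'.
Get-Service | Where-Object DisplayName -like '*SonicWALL*' |
    Format-Table Name, DisplayName, Status

# Is a UDP listener bound to the AppFlow port?
Get-NetUDPEndpoint -LocalPort $AppFlowPort -ErrorAction SilentlyContinue |
    Format-Table LocalAddress, LocalPort, OwningProcess

# Is there an enabled inbound Windows Firewall rule for that UDP port?
Get-NetFirewallPortFilter -Protocol UDP | Where-Object LocalPort -eq $AppFlowPort |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Format-Table DisplayName, Action, Profile
```

Because REPORTERKEY is passed on the msiexec command line, it is visible in the process listing while the installer runs. Where that matters, omit it and set the key afterwards with the key reset utility described above.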

SonicWALL Processor service configuration

After installing the SonicWALL Processor service, if necessary the service configuration options can be changed by editing the service configuration file.

To configure the SonicWALL Processor service

NOTE: The following configuration options take effect without requiring manual restarts. Depending on the change, there may be a short delay: some configuration changes require additional time, some need to stop and then restart data listening, and some wait until the next interval expires before taking effect.

All activity is logged in the log file.

  1. Navigate to C:\Program Files\One Identity\Security Analytics Engine\SonicWALLProcessor.
  2. Open the SAE.SonicWALL.processor.exe.config file for editing.
  3. The AppSetting configuration values that can be changed are as follows:
    • ReporterURL - Complete Security Analytics Engine URL (For example, http://securityanalyticsengine.mycompany.com/SecurityAnalyticsEngine)
    • ReporterKey - Key value used to send user and IP address activity records to Security Analytics Engine.

      NOTE: This value is configured during the installation process or by the configuration utility and should not be changed manually.
    • FlowProcessInterval - Number of seconds between processing of received AppFlow data to determine if user and IP address activity detection has occurred. (By default, 1 second.)
    • FlowProcessIdleTime - Number of seconds of inactivity after which an AppFlow record is deemed idle and can be processed. (By default, 10 seconds.)
    • FlowPurgeInterval - Number of seconds between purging AppFlow records from memory. (By default, 60 seconds.)
    • FlowPurgeIdleTime - Number of seconds of inactivity after which AppFlow records are deemed idle and can be purged from memory. (By default, 60 seconds.)
    • DataCacheInterval - Number of seconds between saving cached SonicWALL static and reference data to disk (this also occurs on service shutdown). (By default, 600 seconds.)
  4. The log4net logging configuration values that can be changed are as follows:
    • level - Adjust logging level. Valid values include:
      • ERROR - Only log errors.
      • WARN - Only log warnings and above.
      • INFO - (default) Only log info and above.
      • DEBUG - Log Debug and above. This adds the logging of AppFlow processing and purging activity.
      • TRACE - Log Trace and above. This adds the logging of AppFlow processing details, which can be a large amount of data.
      • VERBOSE - Log Verbose and above. This adds the logging of received AppFlow packet details, which can be a large amount of data.

      IMPORTANT: Use caution if selecting the VERBOSE option.

    We recommend that the following values NOT be changed:

    • File - Name of the log file.
    • lockingModel - Controls log4net file locking model.
    • encoding - Controls text encoding used.
    • appendToFile - Controls log file appending.
    • preserveLogFileNameExtension - Retains log file extension when log files are rolled over.
    • rollingStyle - Controls log file rollover type.
    • maximumFileSize - Sets maximum log file size for rollover.
    • maxSizeRollingBackups - Limits the maximum number of log file rollovers, after which the oldest is deleted in subsequent rollovers.
    • layout - Controls log file layout schema.
  5. Once edits have been completed, save the SAE.SonicWALL.processor.exe.config file.
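
Before saving, the edited file can be checked for the settings most likely to cause trouble: a non-HTTPS ReporterURL, interval values that are not positive numbers, and a TRACE or VERBOSE log level. This is an added example, not vendor code. It assumes the standard .NET appSettings layout and a log4net root/level element, which the guide does not show, and it runs against a constructed sample unless $ConfigPath is set.

```powershell
# Added example, not vendor code. ASSUMPTIONS: the file uses the standard .NET
# <appSettings><add key= value=/> layout and a log4net <root><level value=/>
# element (the guide does not show the XML). The sample below is constructed.
$ConfigPath = $null   # set to the real .config path to audit it instead of the sample
$sample = @'
<configuration>
  <appSettings>
    <add key="ReporterURL" value="http://sae.example.local/SecurityAnalyticsEngine" />
    <add key="FlowProcessInterval" value="1" />
    <add key="FlowProcessIdleTime" value="10" />
    <add key="FlowPurgeInterval" value="60" />
    <add key="FlowPurgeIdleTime" value="0" />
    <add key="DataCacheInterval" value="600" />
  </appSettings>
  <log4net><root><level value="VERBOSE" /></root></log4net>
</configuration>
'@
$xmlText = if ($ConfigPath) { Get-Content -LiteralPath $ConfigPath -Raw } else { $sample }
$cfg = [xml]$xmlText
$settings = @{}
foreach ($n in $cfg.SelectNodes('/configuration/appSettings/add')) {
    $settings[$n.GetAttribute('key')] = $n.GetAttribute('value')
}
$findings = [System.Collections.Generic.List[string]]::new()

# ReporterURL must be an absolute URL; flag plain HTTP.
$uri = $null
if (-not [Uri]::TryCreate([string]$settings['ReporterURL'], [UriKind]::Absolute, [ref]$uri)) {
    $findings.Add('ReporterURL is missing or not an absolute URL')
} elseif ($uri.Scheme -ne 'https') {
    $findings.Add("ReporterURL uses '$($uri.Scheme)': activity records are sent without TLS")
}
# Interval settings are in seconds. ASSUMPTION: anything but a positive integer is suspect.
foreach ($k in 'FlowProcessInterval','FlowProcessIdleTime','FlowPurgeInterval',
               'FlowPurgeIdleTime','DataCacheInterval') {
    $v = 0
    if (-not [int]::TryParse([string]$settings[$k], [ref]$v) -or $v -lt 1) {
        $findings.Add("$k = '$($settings[$k])' is not a positive number of seconds")
    }
}
# log4net level: TRACE and VERBOSE add per-record and per-packet detail.
$level = $cfg.SelectSingleNode('//log4net/root/level')
$levelValue = if ($level) { $level.GetAttribute('value').ToUpper() } else { '' }
if ($levelValue -notin 'ERROR','WARN','INFO','DEBUG','TRACE','VERBOSE') {
    $findings.Add("Log level '$levelValue' is not one of the documented values")
} elseif ($levelValue -in 'TRACE','VERBOSE') {
    $findings.Add("Log level $levelValue can produce a large amount of data")
}
$findings
```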

SonicWALL Firewall Configuration Settings
