Security Analytics Engine 1.1 - SonicWALL Configuration Guide

Chat now with support

SonicWALL Processor service configuration

After installing the SonicWALL Processor service, if necessary the service configuration options can be changed by editing the service configuration file.

To configure the SonicWALL Processor service


	NOTE: The following configuration options will take effect without requiring manual restarts. Depending on the change there may be a short delay as some configuration changes require additional time, need to stop then restart data listening, or need to wait until the next interval expiration before making the change. All activity will be logged in the log file.

Navigate to C:\Program Files\Dell\SecurityAnalyticsEngine\SonicWALLProcessor.

Open the Dell.SecurityAnalyticsEngine.SonicWALL.processor.exe.config file for editing.

The AppSetting configuration values that can be changed are as follows:

•

ReporterURL - Complete Security Analytics Engine URL (For example, http://securityanalyticsengine.mycompany.com/SecurityAnalyticsEngine)

•

ReporterKey - Key value used to send user and IP address activity records to Security Analytics Engine.


	NOTE: This value is configured during the installation process or configuration utility and should not be changed manually.

•

FlowProcessInterval - Number of seconds between processing of received AppFlow data to determine if user and IP address activity detection has occurred. (By default, 1 second.)

•

FlowProcessIdleTime - Number of seconds of inactivity after which an AppFlow record is deemed idle and can be processed. (By default, 10 seconds.)

•

FlowPurgeInterval - Number of seconds between purging AppFlow records from memory. (By default, 60 seconds.)

•

FlowPurgeIdleTime - Number of seconds of inactivity after which AppFlow records are deemed idle and can be purged from memory. (By default, 60 seconds.)

•

DataCacheInterval - Number of seconds between saving cached SonicWALL static and reference data to disk (this also occurs on service shutdown). (By default, 600 seconds.)

The log4net logging configuration values that can be changed are as follows:

•

level - Adjust logging level, valid values include:

•

ERROR - Only log errors.

•

WARN - Only log warnings and above.

•

INFO - (default) Only log info and above.

•

DEBUG - Log Debug and above. This adds the logging of AppFlow processing and purging activity.

•

TRACE - Log Trace and above. This adds the logging of AppFlow processing details, which can be a large amount of data.

•

VERBOSE - Log Verbose and above. This adds the logging of received AppFlow packet details, which can be an extremely large amount of data.


	IMPORTANT: Use caution if selecting the VERBOSE option.

We recommend the following values NOT be changed:

•

File - Name of the log file.

•

lockingModel - Controls log4net file locking model.

•

encoding - Controls text encoding used.

•

appendToFile - Controls log file appending.

•

preserveLogFileNameExtension - Retains log file extension when log files are rolled over.

•

rollingStyle - Controls log file rollover type.

•

maximumFileSize - Sets maximum log file size for rollover.

•

maxSizeRollingBackups - Limits maximum number of log file rollovers, after which the oldest is deleted in subsequent followers.

•

layout - Controls log file layout schema.

Once edits have been completed, save the Dell.SecurityAnalyticsEngine.SonicWALL.processor.exe.config file.

SonicWALL Firewall Configuration Settings

•

Introduction

•

Required SonicWALL configuration

Introduction

After the SonicWALL Processor service has been installed and configured, the firewall must be configured to send AppFlow data to the service. An authorized firewall administrator must configure the firewall settings based on the required and optional settings discussed in this chapter. The required minimum configuration will allow for activity records to be generated, but not all available details will be recorded without some of the optional configuration settings.

Required SonicWALL configuration

In order for the firewall to generate AppFlow data and send it to the SonicWALL Processor service for processing, a minimum set of AppFlow options must be enabled in the firewall. This will allow activity records to be generated.


	NOTE: In order to configure the firewall settings, you must be an authorized firewall administrator.

To configure an AppFlow External Connector and enable relevant SonicWALL security services in the firewall administration

Select AppFlow in the left-hand pane to display the Flow Reporting page.

Open the Settings tab.

Verify the following default options are selected:

•

Report DROPPED Connection

•

Skip Reporting STACK Connections

Open the External Collector tab and make the following configuration changes:

•

Select the Send Flows and Real-Time Data To External Collector check box.

•

Set the External Flow Reporting Format to IPFIX with extensions.

•

Set the External Collector’s IP address to the configured SonicWALL Processor service IP address.

•

Set the External Collector’s UDP Port Number to match the configured SonicWALL Processor service settings (default is 2055).

•

Select the Send IPFIX/Netflow Templates At Regular Interval check box.

•

Select the Send StaticAppFlow At Regular Interval check box.

•

In the Send Static AppFlow For Following Tables field, use the drop-down menu to select the following tables:

•

•

•

•

•

•


	NOTE: Additional tables will be ignored by the SonicWALL Processor service.

•

In the Send Dynamic AppFlow For Following Tables field, use the drop-down menu to select the following tables:

•

Connections

•

Users (SonicWALL user detection required)

•

Devices


	NOTE: Additional tables will be ignored by the SonicWALL Processor service.

•

Clear the Report On Connection OPEN check box.

•

Select the Report On Connection CLOSE check box.

•

Clear the Report Connection On Active Timeout check box.

•

Clear the Report Connection On Kilo BYTES Exchanged check box.

•

In the Report Connections On Following Updates field, use the drop-down menu to select the following options:

•

threat detection

•

application detection

•

user detection


	NOTE: Additional options will be ignored by the SonicWALL Processor service.

Click the Accept button in the upper left corner of the Flow Reporting page to accept the configuration changes. If prompted, do NOT select to restart the firewall at this time.

Expand Security Services in the left-hand pane and select Gateway Anti-Virus.

In the Gateway Anti-Virus Global Settings pane, select the Enable Gateway Anti-Virus check box. Optionally, configure the remaining Gateway Anti-Virus Global Settings pane options.

IMPORTANT: If any Gateway Anti-Virus blocking is enabled, the following configuration is required in order for the Security Analytics Engine to detect malware records:

Click the Configure Gateway AV Settings button.

On the Gateway AV Config View dialog, clear the Enable HTTP Clientless Notification Alerts check box.

Click OK to save and close the dialog.

Click the Accept button in the upper left corner of the Gateway Anti-Virus page to accept the configuration changes.

From the expanded Security Services section, select Intrusion Prevention.

In the IPS Global Settings pane, select the Enable IPS check box.

For each of the Signature Groups (High Priority Attacks, Medium Priority Attacks and Low Priority Attacks) select the corresponding Detect All check box. Optionally, select the Prevent All check box for each group.

Click the Accept button in the upper left corner of the Intrusion Prevention page to accept the configuration changes.

From the expanded Security Services section, select Anti-Spyware.

In the Anti-Spyware Global Settings pane, select the Enable Anti-Spyware check box.

For each of the Signature Groups (High Danger Level Spyware, Medium Danger Level Spyware and Low Danger Level Spyware) select the corresponding Detect All check box. Optionally, select the Prevent All check box for each group.

IMPORTANT: If any Anti-Spyware blocking is enabled, the following configuration is required in order for the Security Analytics Engine to detect malware records:

Click the Configure Anti-Spyware Settings button.

On the Anti-Spyware Config View dialog, clear the Enable HTTP Clientless Notification Alerts check box.

Click OK to save and close the dialog.

Click the Accept button in the upper left corner of the Anti-Spyware page to accept the configuration changes.

From the expanded Security Services section, select Botnet Filter.

Verify that the Check Block connections to/from Botnet Command and Control Servers check box is selected. You may also make changes to the current settings.

Click the Accept button to save any configuration changes.


	NOTE: When an Associated w/ Malware condition is used in a risk policy, Botnet detections will be displayed as malware detections in audit events. The details pane for the audit event will show the malware type ‘Bot’ and the signature name ‘Botnet Filter’.

Expand Firewall in the left-hand pane and select App Control Advanced.

In the App Control Global Settings sections, select the Enable App Control check box.

Click Accept to save.

Expand Network in the left-hand pane and select Zones.

For any desired Zone (for example, LAN), click the

button in the configuration column to open an Edit Zone dialog.

On the General tab of an Edit Zone dialog, ensure the following settings are selected:

•

Enable Gateway Anti-Virus Service

•

Enable IPS

•

Enable App Control Service

•

Enable Anti-Spyware Service

Click the OK button to close the dialog and return to the Zone page.

Repeat Step 24 through Step 26 to configure each desired zone.

Once you have finished configuring zones, click the Accept button to save the configuration.

If necessary, reboot the firewall to enable AppFlow:

•

Expand System in the left-hand pane and select Restart.


	IMPORTANT: Restarting will disconnect all users.

•

Click the Restart button.

•

A dialog will appear confirming you are ready to restart. Click the OK button.

Once the firewall has rebooted, select AppFlow in the left-hand pane to display the Flow Reporting page.

Open the External Collector tab and sequentially click the following buttons approximately 2 minutes apart, to generate template and static data for the configured SonicWALL Processor service:

•

Generate ALL Templates

•

Generate Static AppFlow Data

The service will now process user and IP address activity detection records.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Security Analytics Engine 1.1 - SonicWALL Configuration Guide

SonicWALL Processor service configuration

SonicWALL Firewall Configuration Settings

Introduction

Required SonicWALL configuration