Security Analytics Engine 1.2 - SonicWALL Configuration Guide

Introduction to the SonicWALL firewall

After the SonicWALL Processor service has been installed and configured, the firewall must be configured to send AppFlow data to the service. An authorized firewall administrator must configure the firewall settings based on the required and optional settings discussed in this chapter. The required minimum configuration allows for activity records to be generated, but not all available details are recorded without some of the optional configuration settings.

Required SonicWALL configuration

In order for the firewall to generate AppFlow data and send it to the SonicWALL Processor service for processing, a minimum set of AppFlow options must be enabled in the firewall. This allows activity records to be generated.

NOTE: In order to configure the firewall settings, you must be an authorized firewall administrator.

To configure an AppFlow External Connector and enable relevant SonicWALL security services in the firewall administration

  1. Select AppFlow in the left-hand pane to display the Flow Reporting page.
  2. Open the Settings tab.
  3. Verify that the following default options are selected:
    • Report DROPPED Connection
    • Skip Reporting STACK Connections
  4. Open the External Collector tab and make the following configuration changes:
    1. Select the Send Flows and Real-Time Data To External Collector check box.
    2. Set the External Flow Reporting Format to IPFIX with extensions.
    3. Set the External Collector’s IP address to the configured SonicWALL Processor service IP address.
    4. Set the External Collector’s UDP Port Number to match the configured SonicWALL Processor service settings (default is 2055).
    5. Select the Send IPFIX/Netflow Templates At Regular Interval check box.
    6. Select the Send StaticAppFlow At Regular Interval check box.
    7. In the Send Static AppFlow For Following Tables field, use the drop-down menu to select the following tables:
      • Viruses
      • Applications
      • Spyware
      • Intrusions
      • Table Map
      • Column Map

        NOTE: Additional tables are ignored by the SonicWALL Processor service.
    8. In the Send Dynamic AppFlow For Following Tables field, use the drop-down menu to select the following tables:
      • Connections
      • Users (SonicWALL user detection required)
      • Devices

        NOTE: Additional tables are ignored by the SonicWALL Processor service.
    9. Clear the Report On Connection OPEN check box.
    10. Select the Report On Connection CLOSE check box.
    11. Clear the Report Connection On Active Timeout check box.
    12. Clear the Report Connection On Kilo BYTES Exchanged check box.
    13. In the Report Connections On Following Updates field, use the drop-down menu to select the following options:
      • threat detection
      • application detection
      • user detection

        NOTE: Additional options are ignored by the SonicWALL Processor service.
  5. Click the Accept button in the upper left corner of the Flow Reporting page to accept the configuration changes. If prompted, do NOT select to restart the firewall.
  6. Expand Security Services in the left-hand pane and select Gateway Anti-Virus.
  7. In the Gateway Anti-Virus Global Settings pane, select the Enable Gateway Anti-Virus check box. Optionally, configure the remaining Gateway Anti-Virus Global Settings pane options.

    IMPORTANT: If any Gateway Anti-Virus blocking is enabled, the following configuration is required in order for the Security Analytics Engine to detect malware records:

    1. Click the Configure Gateway AV Settings button.
    2. On the Gateway AV Config View dialog, clear the Enable HTTP Clientless Notification Alerts check box.
    3. Click OK to save and close the dialog.
  8. Click the Accept button in the upper left corner of the Gateway Anti-Virus page to accept the configuration changes.
  9. From the expanded Security Services section, select Intrusion Prevention.
  10. In the IPS Global Settings pane, select the Enable IPS check box.
  11. For each of the Signature Groups (High Priority Attacks, Medium Priority Attacks and Low Priority Attacks) select the corresponding Detect All check box. Optionally, select the Prevent All check box for each group.
  12. Click the Accept button in the upper left corner of the Intrusion Prevention page to accept the configuration changes.
  13. From the expanded Security Services section, select Anti-Spyware.
  14. In the Anti-Spyware Global Settings pane, select the Enable Anti-Spyware check box.
  15. For each of the Signature Groups (High Danger Level Spyware, Medium Danger Level Spyware and Low Danger Level Spyware) select the corresponding Detect All check box. Optionally, select the Prevent All check box for each group.

    IMPORTANT: If any Anti-Spyware blocking is enabled, the following configuration is required in order for the Security Analytics Engine to detect malware records:

    1. Click the Configure Anti-Spyware Settings button.
    2. On the Anti-Spyware Config View dialog, clear the Enable HTTP Clientless Notification Alerts check box.
    3. Click OK to save and close the dialog.
  16. Click the Accept button in the upper left corner of the Anti-Spyware page to accept the configuration changes.
  17. From the expanded Security Services section, select Botnet Filter.
  18. Verify that the Block connections to/from Botnet Command and Control Servers check box is selected. You may also change any of the current settings.
  19. Click the Accept button to save any configuration changes.

    NOTE: When an Associated w/ Malware condition is used in a risk policy, Botnet detections are displayed as malware detections in audit events. The details pane for the audit event displays the malware type ‘Bot’ and the signature name ‘Botnet Filter’.
  20. Expand Firewall in the left-hand pane and select App Control Advanced.
  21. In the App Control Global Settings section, select the Enable App Control check box.
  22. Click Accept to save.
  23. Expand Network in the left-hand pane and select Zones.
  24. For any desired Zone (for example, LAN), click the button in the configuration column to open an Edit Zone dialog.
  25. On the General tab of an Edit Zone dialog, ensure that the following settings are selected:
    • Enable Gateway Anti-Virus Service
    • Enable IPS
    • Enable App Control Service
    • Enable Anti-Spyware Service
  26. Click the OK button to close the dialog and return to the Zone page.
  27. Repeat Step 24 through Step 26 to configure each desired zone.
  28. Once you have finished configuring zones, click the Accept button to save the configuration.
  29. If necessary, reboot the firewall to enable AppFlow:
    1. Expand System in the left-hand pane and select Restart.

      IMPORTANT: Restarting disconnects all users.
    2. Click the Restart button.
    3. A dialog appears confirming you are ready to restart. Click the OK button.
  30. Once the firewall has rebooted, select AppFlow in the left-hand pane to display the Flow Reporting page.
  31. Open the External Collector tab and click the following buttons in sequence, approximately 2 minutes apart, to generate template and static data for the configured SonicWALL Processor service:
    • Generate ALL templates
    • Generate Static AppFlow Data
  32. The service now processes user and IP address activity detection records.
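Why step 31 matters: an IPFIX collector listening on the External Collector UDP port (2055 by default) cannot decode a data set until the template record with the matching ID has arrived, so flows exported before "Generate ALL templates" are undecodable. The inspector below is an added illustration, not code from this guide or from the SonicWALL Processor service; the sample datagram, its field IDs and the private enterprise number 99999 are constructed assumptions, not SonicWALL's actual extension fields.

```python
import struct
IPFIX_VERSION, TEMPLATE_SET_ID, ENTERPRISE_BIT = 10, 2, 0x8000  # RFC 7011
def parse_ipfix(msg: bytes, templates: dict) -> dict:
    """Validate one datagram, learn templates (set 2) into `templates`, and
    decode data sets (set id >= 256) whose template has already been seen."""
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX header")
    version, length, _, seq, domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError(f"bad header: version={version} length={length}")
    out, offset = {"domain": domain, "sequence": seq, "records": []}, 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:
            raise ValueError("invalid set length")
        body, pos = msg[offset + 4:offset + set_len], 0
        if set_id == TEMPLATE_SET_ID:
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256:            # trailing padding, not a template
                    break
                pos, fields = pos + 4, []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[pos:pos + 4])
                    pos, pen = pos + 4, None
                    if ie & ENTERPRISE_BIT:  # vendor extension: PEN follows
                        (pen,) = struct.unpack("!I", body[pos:pos + 4])
                        ie, pos = ie & ~ENTERPRISE_BIT, pos + 4
                    fields.append((ie, flen, pen))
                templates[tid] = fields
        elif set_id >= 256 and set_id in templates:
            fields = templates[set_id]    # fixed-length fields only
            rec_len = sum(f[1] for f in fields)
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ie, flen, pen in fields:
                    rec[(ie, pen)], pos = body[pos:pos + flen], pos + flen
                out["records"].append(rec)
        offset += set_len
    return out
def build_sample(include_template: bool = True) -> bytes:
    """Constructed datagram (not a real SonicWALL export): template 256 with IE 8,
    IE 12 and one enterprise field under a placeholder PEN, then one data record."""
    tmpl = struct.pack("!HHHHHH", 256, 3, 8, 4, 12, 4)
    tmpl += struct.pack("!HHI", ENTERPRISE_BIT | 1, 2, 99999)  # placeholder PEN
    tset = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    rec = bytes([10, 0, 0, 5, 192, 0, 2, 7]) + b"\x12\x34"
    dset = struct.pack("!HH", 256, 4 + len(rec)) + rec
    body = (tset if include_template else b"") + dset
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 0, 1, 1) + body
```

Feeding real datagrams from a UDP socket on port 2055 through `parse_ipfix` with one shared `templates` dict shows whether records are decoding; an empty `records` list with a non-empty datagram means the templates have not been received yet.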

Optional SonicWALL Configuration

Introduction to the optional SonicWALL configurations

The required configuration alone allows the SonicWALL Processor service to process SonicWALL AppFlow data and generate user and IP address activity detection records for IP addresses and user names (if known to the firewall). However, not all data elements or detection modes are available without additional configuration. These capabilities include:

If any of these optional firewall capabilities are desired, follow the instructions in the corresponding section.
