
Security Analytics Engine 1.2 - User Guide



SonicWALLPlugin

NOTE: The Security Analytics Engine Installer - SonicWALL Processor Service.msi and a SonicWALL firewall must both be installed and configured before the Security Analytics Engine can enable the SonicWALLPlugin for use in risk policies. For information on how to configure the SonicWALL firewall to send malware information to the Security Analytics Engine, see the Security Analytics Engine SonicWALL Configuration Guide.

The SonicWALLPlugin detects whether an access attempt comes from an IP address or username that the SonicWALL firewall has associated with malware, a blacklist, a specific threat level, or similar firewall activity.

When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:

  • Instance Name - SonicWALLPlugin1
  • Description - The SonicWALL plugin provides the integration of SonicWALL firewall user activity, associated with the user name and/or client IP address.

SonicWALLPlugin Configuration

The following settings are available for the plugin in the SonicWALL Configuration section:

  • Maximum Retention Days - The number of days malware records are retained, counted from the date the SonicWALL firewall detected them. By default, this is 30 days. The maximum is 365 days.
  • Maximum Audit Records - The maximum number of malware records to list in the details of an audit record. By default, this is 10 records. The maximum is 20.
  • Ignore Malware Signatures - (Optional) A list of malware signature IDs to ignore. Use it when a firewall administrator has also disabled certain signatures in the SonicWALL firewall configuration, when specific signatures are considered false positives, or when signatures should be ignored for any other reason. Signature ID values must be separated by commas and fall between 0 and 4294967295. By default, the signature IDs for ICMP Destination Unreachable (Port Unreachable) (310) and ICMP Echo Reply (316) are ignored.
  • Ignore Application Signatures - (Optional) A list of application signature IDs to ignore, used for the same reasons as the malware list. Signature ID values must be separated by commas and fall between 0 and 4294967295. By default, the signature IDs for Microsoft App Store (10313, 10314, 10366), Akamai (6570, 6572, 6573, and 6574), cURL (1618), BITS (6583), and WGET (1613) are ignored.

Firewall records carrying an ignored signature ID are disregarded by the plugin entirely, so keep both lists to signatures you have deliberately excluded and review them whenever signature settings change on the firewall.

(Optional) Dynamic IP Network Filters

This section allows you to configure a list of IP addresses or subnets whose firewall activity is not associated by IP address. When an address falls inside an enabled dynamic network, firewall activity records are still matched by username, but they are not matched by IP address. This is intended for wireless or VPN networks where IP addresses are dynamically reassigned and reused at a high rate; without such a filter, a user assigned a recycled address could inherit the firewall activity of the address's previous holder.

Click Add to display the following fields:

  • IP Address - An IPv4 or IPv6 address.
  • IP Subnet Mask - (Optional) The IPv4 or IPv6 subnet mask that, together with the IP Address, defines the dynamic network.
  • Enable - Select this check box to enable the dynamic network.
  • Delete - Click this button to remove the dynamic network.

After modifying the plugin, click the Validate button in the lower right corner to check that the configuration is valid.
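The settings above combine at match time. As an added illustration (not the Security Analytics Engine's own code, whose internals this guide does not describe), the following Python reimplements the rules as stated: the retention window, the audit-record cap, the ignore lists with their 0 to 4294967295 range check, and dynamic networks that suppress IP association while leaving username association intact. The FirewallRecord and PluginConfig types, the sample detections, and the 10.8.0.0/16 VPN pool are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Limits taken from the settings described in this section.
MAX_RETENTION_DAYS = 365
MAX_AUDIT_RECORDS = 20
SIGNATURE_ID_MAX = 4294967295


def parse_ignore_list(text: str) -> set:
    """Parse a comma-separated Ignore ... Signatures value; each ID must be 0..4294967295."""
    ids = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        value = int(token)  # non-numeric tokens raise ValueError
        if not 0 <= value <= SIGNATURE_ID_MAX:
            raise ValueError(f"signature ID out of range: {value}")
        ids.add(value)
    return ids


def dynamic_network(ip: str, mask: Optional[str] = None):
    """Build a network from the IP Address and optional IP Subnet Mask fields (no mask: single host)."""
    return ip_network(f"{ip}/{mask}" if mask else ip, strict=False)


@dataclass
class FirewallRecord:  # assumed record shape, not the product's format
    detected: datetime            # detection time reported by the firewall
    username: Optional[str]       # None when the firewall could not name the user
    client_ip: str
    signature_id: int
    kind: str                     # "malware" or "application"


@dataclass
class PluginConfig:  # assumed container for the settings in this section
    retention_days: int = 30
    max_audit_records: int = 10
    ignore_malware: str = "310,316"
    ignore_application: str = "10313,10314,10366,6570,6572,6573,6574,1618,6583,1613"
    # (IP Address, IP Subnet Mask, Enable) as entered under Dynamic IP Network Filters
    dynamic_networks: List[Tuple[str, Optional[str], bool]] = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.retention_days <= MAX_RETENTION_DAYS:
            raise ValueError("Maximum Retention Days must be 1..365")
        if not 1 <= self.max_audit_records <= MAX_AUDIT_RECORDS:
            raise ValueError("Maximum Audit Records must be 1..20")
        self.ignored = {"malware": parse_ignore_list(self.ignore_malware),
                        "application": parse_ignore_list(self.ignore_application)}
        # Entries with Enable cleared stay in the form but take no part in matching.
        self.networks = [dynamic_network(ip, mask) for ip, mask, on in self.dynamic_networks if on]


def in_dynamic_network(config: PluginConfig, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in config.networks)


def matching_records(config, records, username, client_ip, now):
    """Records tied to an access attempt: matched by username always, by IP only outside
    dynamic networks; within retention, non-ignored, newest first, capped at max_audit_records."""
    cutoff = now - timedelta(days=config.retention_days)
    hits = []
    for rec in records:
        if rec.detected < cutoff:
            continue  # outside the retention window
        if rec.signature_id in config.ignored.get(rec.kind, set()):
            continue  # administratively ignored signature
        by_user = username is not None and rec.username == username
        by_ip = rec.client_ip == client_ip and not in_dynamic_network(config, client_ip)
        if by_user or by_ip:
            hits.append(rec)
    hits.sort(key=lambda r: r.detected, reverse=True)
    return hits[:config.max_audit_records]


# Constructed sample data, not real firewall output.
NOW = datetime(2024, 6, 1, 12, 0, 0)
SAMPLE_RECORDS = [
    FirewallRecord(NOW - timedelta(days=2), "alice", "10.8.0.23", 4321, "malware"),
    FirewallRecord(NOW - timedelta(days=40), "alice", "10.8.0.23", 4321, "malware"),    # past retention
    FirewallRecord(NOW - timedelta(days=1), None, "10.8.0.23", 316, "malware"),         # ignored by default
    FirewallRecord(NOW - timedelta(days=1), "bob", "10.8.0.23", 9999, "application"),   # reused VPN address
    FirewallRecord(NOW - timedelta(days=3), "carol", "192.0.2.7", 7777, "malware"),
    FirewallRecord(NOW - timedelta(hours=5), None, "192.0.2.7", 8888, "application"),
]
CONFIG = PluginConfig(dynamic_networks=[("10.8.0.0", "255.255.0.0", True), ("2001:db8::", "64", False)])


def demo():
    # alice on the VPN pool: her own record matches, bob's on the reused address is not attributed to her
    vpn = matching_records(CONFIG, SAMPLE_RECORDS, "alice", "10.8.0.23", NOW)
    # unknown user from a static address: IP association still applies
    static = matching_records(CONFIG, SAMPLE_RECORDS, None, "192.0.2.7", NOW)
    return [r.signature_id for r in vpn], [r.signature_id for r in static]


print(demo())  # ([4321], [8888, 7777])
```

The two calls in demo show the effect of the dynamic network filter: because 10.8.0.23 lies in the enabled 10.8.0.0/16 entry, bob's detection on that reused address is not attributed to alice, whereas the same lookup with the entry disabled would return it. The static address 192.0.2.7 is outside every dynamic network, so its records still match by IP even when the firewall reported no username.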

SonicWALLPlugin Conditions

The following types of conditions are available for this plugin:
