# SonicWall

SonicWall is a network firewall platform that inspects perimeter and internal traffic to block threats such as exploit attempts, denied connections, and protocol abuse. Connecting SonicWall forwards firewall syslog to Radiant Security through the Radiant Agent. Radiant triages the syslog and uses the surrounding connection data to determine whether observed traffic reflects a real compromise or benign network activity.

#### Prerequisites

* [ ] Admin access to SonicWall
* [ ] A deployed [Radiant Agent](https://help.radiantsecurity.ai/radiant-connectors/data-connectors/install-the-radiant-security-agent) reachable from the SonicWall firewall

{% hint style="info" %}
SonicWall cannot forward syslog over TCP or Secure Syslog directly. The Radiant Agent acts as the intermediary syslog receiver.
{% endhint %}

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **SonicWall Firewall Syslog**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent integration`). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
6. Click **Add Connector**.

### Configure the SonicWall Firewall

1. Sign in to the SonicWall firewall with an admin account.
2. From the top navigation bar, click **Device**.

<figure><img src="/files/O8XKdbHCLopw60WLBqcp" alt=""><figcaption></figcaption></figure>

3. From the left navigation list, click **Log** > **Settings**.

<div align="left"><figure><img src="/files/3Eav62xWaSVyqlzSDAnH" alt=""><figcaption></figcaption></figure></div>

4. Set **Logging Level** to **Informative** and **Alert Level** to **Alert**. Click **Accept** to save the changes.

<figure><img src="/files/R9TNfVxNjxWkE9Ntz14f" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/8u2q10aGCG1cjdrPDCuI" alt=""><figcaption></figcaption></figure>

5. In the **Category** column, expand the **Network** category, then expand **TCP**.
6. Enable the **Syslog** toggle for the following entries, leaving the rest as default:
   * **TCP LAN DENY**
   * **TCP Connection Reject**
   * **TCP Connection Abort**
7. For the **TCP Connection Reject** and **TCP Connection Abort** entries, click the **debug** text in the **Priority** column and change it to **inform**.

<figure><img src="/files/uIJp3gLFTsWAcPXD8BE7" alt=""><figcaption></figcaption></figure>

8. Still under **Network**, expand the **UDP** category and confirm the **Syslog** toggle is enabled for all three entries. Enable any that are not.

<figure><img src="/files/qIsOSdLTmIwyRuXcnoNW" alt=""><figcaption></figcaption></figure>

9. Click **Accept** to save the changes.
10. From the left navigation list, click **Log** > **Syslog**.

<div align="left"><figure><img src="/files/XMB6RIMFX18aXF2PCoFt" alt=""><figcaption></figcaption></figure></div>

11. Click **Enhanced Syslog Fields Settings** and confirm that each field is toggled on. Click **Save**.

<div align="left"><figure><img src="/files/M1rVaOS687ZRwu91gL3N" alt="" width="563"><figcaption></figcaption></figure></div>

12. Click **Syslog Servers**, then click **Add**. Enter the following values:
    * **Event Profile**: 0
    * **Name or IP Address**: the name or IP address of your syslog server.
13. Click **Create an Address Object** and enter the following values:
    * **Name**: `Radiant Security Syslog Connector`
    * **Zone Assignment**: `LAN`
    * **Type**: `Host`
    * **IP Address**: the IP address of the Radiant Agent.

<figure><img src="/files/MKPfQT4YGHIZ9SOkcblX" alt=""><figcaption></figcaption></figure>

14. Click **Save**, then click **Go Back**.
15. Enter the remaining values:
    * **Port**: the port configured on the Radiant Agent to receive SonicWall data.
    * **Server Type**: `Syslog Server`
    * **Syslog Format**: `Enhanced Syslog`
    * **Syslog Facility**: `Local use 0`
    * **Syslog ID**: leave empty.
    * **Enable Event Rate Limiting**: `Disabled`
    * **Enable Data Rate Limiting**: `Disabled`
16. Click **Add** to save your changes.

<div align="left"><figure><img src="/files/1rsP7bf3nzseY5xf2Ckg" alt="" width="410"><figcaption></figcaption></figure></div>

### Verify ingestion

After SonicWall begins forwarding, confirm alerts and events are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"sonicwall"`.
3. Confirm recent alerts and events appear.

{% hint style="info" %}
Allow several minutes for alerts and events to be parsed, indexed, and available for search.
{% endhint %}
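
If nothing appears in Log Management, it helps to inspect a syslog line captured on the Radiant Agent host. The sketch below is an added example, not Radiant or SonicWall code: it parses one line and checks it against the settings above (facility `Local use 0`, priority **inform** or higher). The `key=value` layout, the expected field names, and the sample lines are assumptions constructed for illustration.

```python
import re

# RFC 3164 PRI = facility * 8 + severity; "Local use 0" is facility 16.
LOCAL0 = 16
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "inform", "debug"]
# key=value pairs; a value is either a "quoted string" or a bare token.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# Assumed minimum field set for a connection event (not taken from the page).
EXPECTED = ("sn", "time", "fw", "m", "msg", "src", "dst", "proto")

def parse_sonicwall(line):
    """Split one syslog line into PRI facility/severity and key=value fields."""
    m = re.match(r"<(\d{1,3})>\s*(.*)", line.strip())
    if not m:
        raise ValueError("no syslog PRI header")
    pri = int(m.group(1))
    fields = {}
    for key, val in PAIR_RE.findall(m.group(2)):
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        fields[key] = val[1:-1] if quoted else val
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8], "fields": fields}

def check_forwarding(line, expected=EXPECTED):
    """Return a list of problems; an empty list means the line matches the setup."""
    try:
        event = parse_sonicwall(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if event["facility"] != LOCAL0:
        problems.append(f"facility {event['facility']} is not Local use 0 (16)")
    # Assumes the PRI severity mirrors the event's Priority column.
    if event["severity"] == "debug":
        problems.append("debug priority: below the Informative logging level")
    missing = [k for k in expected if k not in event["fields"]]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    return problems

# Constructed sample lines (documentation addresses, made-up serial and event id).
GOOD = ('<134>id=firewall sn=0000000000AA time="2024-05-01 10:15:00 UTC" '
        'fw=192.0.2.1 pri=6 m=0 msg="TCP connection reject" n=1 '
        'src=10.0.0.5:51234:X0 dst=198.51.100.7:445:X1 proto=tcp/445')
BAD = '<15>id=firewall sn=0000000000AA time="2024-05-01 10:15:01 UTC" msg="x"'

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_forwarding(sample) or "ok")
```

A wrong facility points at the **Syslog Facility** value in step 15, and missing fields point at **Enhanced Syslog Fields Settings** in step 11.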

