SonicWall

Connect SonicWall to Radiant Security to forward firewall syslog for AI triage.

SonicWall is a network firewall platform that inspects perimeter and internal traffic to block threats such as exploit attempts, denied connections, and protocol abuse. Connecting SonicWall forwards firewall syslog to Radiant Security through the Radiant Agent. Radiant triages the syslog and uses the surrounding connection data to determine whether observed traffic reflects a real compromise or benign network activity.

Prerequisites

SonicWall cannot forward syslog over TCP or Secure Syslog directly. The Radiant Agent acts as the intermediary syslog receiver.

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors, then click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select SonicWall Firewall Syslog, then click Credentials.

  5. Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Radiant Agent integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.

  6. Click Add Connector.

Configure the SonicWall Firewall

  1. Sign in to the SonicWall firewall with an admin account.

  2. From the top navigation bar, click Device.

  3. From the left navigation list, click Log > Settings.

  4. Set Logging Level to Informative and Alert Level to Alert. Click Accept to save the changes.

  5. In the Category column, expand the Network category, then expand TCP.

  6. Enable the Syslog toggle for the following entries, leaving the rest as default:

    • TCP LAN DENY

    • TCP Connection Reject

    • TCP Connection Abort

  7. For the TCP Connection Reject and TCP Connection Abort entries, click the debug text in the Priority column and change it to inform.

  8. Still under Network, expand the UDP category and confirm the Syslog toggle is enabled for all three entries. Enable any that are not.

  9. Click Accept to save the changes.

  10. From the left navigation list, click Log > Syslog.

  11. Click Enhanced Syslog Fields Settings and confirm that each field is toggled on. Click Save.

  12. Click Syslog Servers, then click Add. Enter the following values:

    • Event Profile: 0

    • Name or IP Address: the name or IP address of your syslog server.

  13. Click Create an Address Object and enter the following values:

    • Name: Radiant Security Syslog Connector

    • Zone Assignment: LAN

    • Type: Host

    • IP Address: the IP address of the Radiant Agent.

  14. Click Save, then click Go Back.

  15. Enter the remaining values:

    • Port: the port configured on the Radiant Agent to receive SonicWall data.

    • Server Type: Syslog Server

    • Syslog Format: Enhanced Syslog

    • Syslog Facility: Local use 0

    • Syslog ID: leave empty.

    • Enable Event Rate Limiting: Disabled

    • Enable Data Rate Limiting: Disabled

  16. Click Add to save your changes.

Verify ingestion

After SonicWall begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"sonicwall".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
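If nothing appears, lines captured on the receiving host can be checked against the settings above before troubleshooting further. The following is an added example, not Radiant or SonicWall code: it decodes the syslog PRI header to confirm the Local use 0 facility and checks that connection fields are present. The sample lines are constructed, and the field names src, dst and proto are assumptions about the Enhanced Syslog output.

```python
import re

FACILITY_LOCAL0 = 16  # "Syslog Facility: Local use 0" -> facility code 16
SEVERITIES = ["emerg", "alert", "crit", "error", "warning", "notice", "inform", "debug"]
PRI = re.compile(r"^<(\d{1,3})>")
# key=value pairs; a value is either a "quoted string" or a bare token
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample lines (not real firewall output); field names are assumed.
SAMPLES = [
    '<134>id=firewall time="2024-01-01 00:00:00" fw=192.0.2.1 pri=6 '
    'msg="constructed sample" src=198.51.100.7:51514:X1 dst=192.0.2.10:443:X0 proto=tcp/https',
    '<14>id=firewall msg="wrong facility" src=198.51.100.7:5353:X1 dst=192.0.2.10:53:X0 proto=udp/dns',
    '<134>id=firewall msg="enhanced fields switched off"',
    'id=firewall msg="no PRI header"',
]

def parse_line(line):
    """Return (facility, severity_name, fields) for one syslog message."""
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility * 8 + severity
    fields = {}
    for key, value in PAIR.findall(line[m.end():]):
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        fields[key] = value[1:-1] if quoted else value
    return facility, SEVERITIES[severity], fields

def check(line, required=("src", "dst", "proto")):
    """List the ways a line disagrees with the settings above; [] means it matches."""
    try:
        facility, _severity, fields = parse_line(line)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if facility != FACILITY_LOCAL0:
        problems.append(f"facility {facility}, expected local0 (16)")
    missing = [name for name in required if name not in fields]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    return problems

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample) or "ok", "<-", sample[:40])
```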
