SonicWall Firewall Integration
Overview
This integration collects firewall traffic, IPS, VPN, content filtering, and application control logs from SonicWall UTM/NGFW appliances.
Supported models: TZ270/370/470 (SMB), NSa 2700+ (mid-market)
Supported OS: SonicOS 7.x
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- SonicWall administrative access (GUI)
- Network connectivity from the SonicWall to the collector on port 514
Configuration
Syslog Setup
- Log in to the SonicWall management console
- Navigate to Log > Syslog
- Add a syslog server with the following settings:
| Setting | Value |
|---|---|
| Server IP | Your KYRA Collector IP |
| Port | 514 |
| Protocol | UDP |
| Format | Default or ArcSight (CEF) |
- Click Apply
Tip: Selecting ArcSight (CEF) format simplifies log parsing and is recommended.
Sample Log Format
```
id=firewall sn=C0EAE4xx time="2026-03-20 10:30:00" fw=10.0.0.1 pri=6 m=97 msg="Connection Opened" srcip=192.168.1.10
```
Collected Log Types
| Log Type | Security Use | Priority |
|---|---|---|
| Firewall traffic | Network flow visibility, lateral movement detection | High |
| IPS events | Intrusion detection and attack signatures | Critical |
| VPN | Remote access monitoring | High |
| Content Filter | Web access policy enforcement | Medium |
| Application Control | Application-level traffic visibility | Medium |
| Anti-Virus / Anti-Spyware | Malware detection at the gateway | High |
| DPI-SSL | Encrypted traffic inspection events | Medium |
| System / Admin | Configuration changes, admin logins | High |
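The sample log line above is the SonicWall default key=value format. The following added example (not KYRA's or SonicWall's own code) parses that format, including quoted values that contain spaces and the optional `<PRI>` syslog header that a collector sees on UDP 514, and filters events by the `pri=` severity field. The second sample line is constructed for illustration.

```python
import re
from typing import Dict, List

# One key=value pair: the value is either double-quoted (may contain spaces)
# or a bare run of non-whitespace characters.
_PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Standard syslog severity names, indexed by the SonicWall pri= value (0-7).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input: the line from this page, plus a made-up IPS event
# with a <PRI> syslog header (placeholder values, not real device output).
SAMPLE_LINES = [
    'id=firewall sn=C0EAE4xx time="2026-03-20 10:30:00" fw=10.0.0.1 pri=6 m=97 '
    'msg="Connection Opened" srcip=192.168.1.10',
    '<131>id=firewall sn=C0EAE4xx time="2026-03-20 10:31:12" fw=10.0.0.1 pri=3 '
    'm=789 msg="IPS Detection Alert: example signature" '
    'srcip=203.0.113.5 dstip=192.168.1.20',
]


def parse_sonicwall(line: str) -> Dict[str, str]:
    """Parse one SonicWall key=value syslog line into a dict.

    A leading <PRI> header is skipped automatically: it is not a key=value pair.
    """
    fields: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def severity_name(fields: Dict[str, str]) -> str:
    """Map pri= to its syslog severity name; 'unknown' if missing or out of range."""
    pri = fields.get("pri", "")
    if pri.isdigit() and int(pri) < len(SEVERITY):
        return SEVERITY[int(pri)]
    return "unknown"


def alerts_at_or_above(lines: List[str], max_pri: int = 4) -> List[Dict[str, str]]:
    """Return parsed events whose pri= is at or below max_pri (default: warning)."""
    events = [parse_sonicwall(line) for line in lines]
    return [f for f in events if f.get("pri", "").isdigit() and int(f["pri"]) <= max_pri]


if __name__ == "__main__":
    for f in alerts_at_or_above(SAMPLE_LINES):
        print(severity_name(f), f.get("msg"), f.get("srcip"), f.get("dstip"))
```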
Troubleshooting
No Logs Received
- Verify syslog server IP and port in Log > Syslog
- Ensure no firewall rules block UDP 514 between devices
- Check that logging is enabled for the desired categories
High Log Volume
Reduce noise by disabling verbose traffic logging and keeping only security-relevant categories (IPS, AV, admin events).
For additional help, contact kyra@seekerslab.com.