SonicWall Firewall Connector

Connector Setup

  • Under the connector, go to Ingestion.
  • Select SonicWall Firewall Connector and click Configure.
  • Enable SonicWall Firewall Events? → Yes.
  • Select Validate and Save.
  • Copy and save the generated Token (required for ES agent setup).

System Requirements

  • Linux or macOS machine with a static IP address.
  • RAM: 4 GB or more.
  • CPU: 2 vCPUs or more.
  • Disk: 100 GB or more.
  • curl installed.

SonicWall ES Agent Installation

The Fleet URL depends on the tenant stack:

  • Stack 1 → https://elk-next-fleet-1.seqrite.com:443
  • Stack 2 → https://elk-next-fleet-2.seqrite.com:443
  • Stack 3 → https://elk-next-fleet-3.seqrite.com:443
  • Stack 4 → https://elk-next-fleet-4.seqrite.com:443

Replace <token> with the token saved earlier, and use the Fleet URL for your stack (the commands below show the Stack 1 URL).

sudo bash
mkdir SonicWall_es_agent
cd SonicWall_es_agent
curl -L -O https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.17.9-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.17.9-linux-x86_64.tar.gz
cd elastic-agent-8.17.9-linux-x86_64
# --url is the Fleet URL for your stack (Stack 1 shown); --insecure skips
# verification of the Fleet server's TLS certificate
sudo ./elastic-agent install --url=https://elk-next-fleet-1.seqrite.com:443 --insecure --enrollment-token=<token>
  
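The script below is an added example; it is not part of the original page and not Seqrite's own tooling. It wraps the installation steps above: it checks the documented minimums (RAM, CPU, disk, curl), maps the stack number to its Fleet URL, downloads and unpacks the same agent tarball, and prints the enrollment command with the token redacted before running it. The environment variable name SEQRITE_ENROLLMENT_TOKEN is an assumption chosen for this example, not a portal setting, and the `--insecure` flag is kept exactly as the page gives it.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page or of Seqrite's tooling.
# Preflight checks and Fleet enrollment for the SonicWall ES agent.
# Assumptions: the tenant stack number (1-4) is known, and the token copied
# from the XDR portal is exported as SEQRITE_ENROLLMENT_TOKEN (a name chosen
# for this example, not a portal setting).
set -u

AGENT_VERSION="8.17.9"
AGENT_DIR="elastic-agent-${AGENT_VERSION}-linux-x86_64"
AGENT_TARBALL="${AGENT_DIR}.tar.gz"
AGENT_URL="https://artifacts.elastic.co/downloads/beats/elastic-agent/${AGENT_TARBALL}"

# Map the tenant stack number to its Fleet URL; reject anything outside 1-4.
fleet_url_for_stack() {
    case "$1" in
        1|2|3|4) printf 'https://elk-next-fleet-%s.seqrite.com:443\n' "$1" ;;
        *) printf 'unknown stack "%s" (expected 1-4)\n' "$1" >&2; return 1 ;;
    esac
}

# check_min LABEL ACTUAL REQUIRED UNIT: compare two integers in the same unit,
# print one status line, and return non-zero when the minimum is not met.
check_min() {
    if [ "$2" -ge "$3" ]; then
        printf 'OK   %-5s %s %s (min %s %s)\n' "$1" "$2" "$4" "$3" "$4"
    else
        printf 'FAIL %-5s %s %s (min %s %s)\n' "$1" "$2" "$4" "$3" "$4"
        return 1
    fi
}

# Read RAM, vCPUs and free disk on the path given as $1 (default: cwd) and
# check them against the documented minimums, plus the presence of curl.
check_system_requirements() {
    local ram_gb cpus disk_gb rc=0
    ram_gb=$(awk '/^MemTotal:/ { printf "%d", $2 / 1024 / 1024 }' /proc/meminfo)
    cpus=$(nproc)
    disk_gb=$(df -BG --output=avail "${1:-.}" | tail -n 1 | tr -dc '0-9')
    check_min RAM  "$ram_gb"  4   GB   || rc=1
    check_min CPU  "$cpus"    2   vCPU || rc=1
    check_min Disk "$disk_gb" 100 GB   || rc=1
    command -v curl >/dev/null 2>&1 || { echo 'FAIL curl is not installed'; rc=1; }
    return "$rc"
}

# Print (without running) the enrollment command for STACK and TOKEN, so the
# URL can be reviewed before anything is enrolled. --insecure is kept as the
# page gives it; it disables verification of the Fleet server's TLS certificate.
enroll_command() {
    local url
    url=$(fleet_url_for_stack "$1") || return 1
    printf './elastic-agent install --url=%s --insecure --enrollment-token=%s\n' "$url" "$2"
}

main() {
    local stack="${1:?usage: $0 <stack 1-4>}"
    local token="${SEQRITE_ENROLLMENT_TOKEN:?export the token copied from the XDR portal}"
    local url
    url=$(fleet_url_for_stack "$stack") || exit 1
    check_system_requirements "$PWD" || { echo 'host does not meet the documented minimums' >&2; exit 1; }
    mkdir -p SonicWall_es_agent && cd SonicWall_es_agent
    [ -f "$AGENT_TARBALL" ] || curl -L -O "$AGENT_URL"
    [ -d "$AGENT_DIR" ] || tar xzf "$AGENT_TARBALL"
    cd "$AGENT_DIR"
    echo "Running: $(enroll_command "$stack" '<redacted>')"
    sudo ./elastic-agent install --url="$url" --insecure --enrollment-token="$token"
}

# Run main only when arguments are given, so the functions can be sourced
# for testing without starting an installation.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: `export SEQRITE_ENROLLMENT_TOKEN='<token from the portal>'` and then `bash install_sonicwall_agent.sh 2` for a Stack 2 tenant. The enrollment command is echoed with the token redacted first, so a wrong stack URL is visible before the agent enrolls anywhere.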

SonicWall Firewall Configuration

  • Go to SonicWall Web interface → Logs & Reporting | Log Settings > Syslog > Syslog Server.
  • Add a new syslog server.
  • Set the event collector machine's IP address and UDP port 514 as the target.
  • Save changes and click Apply.

Alerts will begin to appear in the XDR portal automatically.
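Added example, not from the original page or Seqrite's tooling: once the syslog server entry has been saved on the firewall, these checks confirm the collector side of the path. `udp_listener_on_port` parses `ss -ulnp` output for a UDP socket bound to 514, and `count_syslog_sources` tallies datagrams per source host from a short `tcpdump -n` capture, so you can see whether the firewall's address is among the senders before looking for alerts in the portal. The live checks assume a Linux collector with iproute2 and tcpdump installed; the firewall address is a placeholder supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page or of Seqrite's tooling.
# Checks the collector side of the syslog path after the firewall has been
# pointed at it. Assumes a Linux collector with iproute2 (ss) and tcpdump;
# the firewall address is passed in by the caller (placeholder: FW_IP).
set -u

# udp_listener_on_port SS_OUTPUT PORT: return 0 if the given `ss -ulnp` output
# shows a UDP socket bound to PORT on any address. The output is passed as an
# argument so the parser can be exercised on saved samples.
udp_listener_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        {
            # The first field shaped like addr:port is "Local Address:Port";
            # the peer column ("0.0.0.0:*") does not match because * is not digits.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:[0-9]+$/) {
                    n = split($i, a, ":")
                    if (a[n] == port) found = 1
                    break
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# count_syslog_sources TCPDUMP_OUTPUT: tally datagrams per source host from
# `tcpdump -n udp port 514` lines ("HH:MM:SS.us IP src.port > dst.port: ...")
# and print "<count> <source ip>" lines, most active first.
count_syslog_sources() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" && $4 == ">" {
            sub(/\.[0-9]+$/, "", $3)   # strip the source port from a.b.c.d.port
            seen[$3]++
        }
        END { for (h in seen) print seen[h], h }' | sort -rn
}

# verify_collector FW_IP [SECONDS]: confirm the listener, then capture a short
# window of UDP/514 traffic (root needed for tcpdump) and report whether the
# firewall's address is among the senders.
verify_collector() {
    local fw="$1" secs="${2:-30}" cap
    if udp_listener_on_port "$(ss -ulnp)" 514; then
        echo "OK   a UDP/514 listener is present"
    else
        echo "FAIL nothing bound to UDP/514; check 'sudo systemctl status elastic-agent'"
        return 1
    fi
    echo "Capturing ${secs}s of UDP/514 traffic..."
    cap=$(timeout "$secs" tcpdump -nl -i any udp port 514 2>/dev/null)
    count_syslog_sources "$cap"
    if count_syslog_sources "$cap" | grep -q " ${fw}\$"; then
        echo "OK   datagrams received from $fw"
    else
        echo "FAIL no datagrams from $fw in ${secs}s; re-check the syslog server entry on the firewall"
        return 1
    fi
}

# Run the live check only when a firewall address is given, so the parsing
# functions can be sourced on their own.
if [ "$#" -gt 0 ]; then verify_collector "$@"; fi
```

Usage on the collector: `sudo bash verify_collector.sh 192.0.2.10 30`, where 192.0.2.10 stands in for the firewall's address. A listener on 514 but no datagrams from the firewall points at the firewall-side entry (wrong IP or port) or a filter between the two hosts; no listener at all points at the agent.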

SonicWall ES Agent Uninstallation

After deleting the connector configuration in the XDR portal, uninstall the ES agent:

sudo bash
elastic-agent uninstall
cd SonicWall_es_agent   # directory created during installation
rm -rf elastic-agent-8.17.9-linux-x86_64 elastic-agent-8.17.9-linux-x86_64.tar.gz
sudo rm -rf /opt/Elastic/Agent
sudo rm -rf /etc/elastic-agent
sudo rm -rf /var/lib/elastic-agent
sudo rm -rf /var/log/elastic-agent
# Verify it is gone; the bracketed pattern keeps grep from matching itself
ps aux | grep '[e]lastic-agent'
sudo systemctl status elastic-agent
  

Sophos Firewall Configuration Requirement

  • Ensure the event collector is running.
  • Go to SonicWall Web interface → Logs & Reporting | Log Settings > Syslog > Syslog Server.
  • Add a new syslog server.
  • Set the event collector machine's IP address and UDP port 1515 as the target.
  • Save changes.