Apply suggestions from code review comments
Co-authored-by: May Lee <[email protected]>
Kaustubhtandel-crest and maycmlee committed Oct 8, 2024
1 parent 33d9451 commit f65330c
Showing 7 changed files with 62 additions and 65 deletions.
67 changes: 32 additions & 35 deletions sonicwall_firewall/README.md
@@ -1,135 +1,132 @@
## Overview

[Sonicwall Firewall][1] is a network security solution designed to protect organizations from a wide range of cyber threats. It offers advanced security features, high performance, and scalability, making it suitable for businesses of all sizes. Sonicwall Firewall are known for their ability to provide real-time protection against emerging threats while ensuring secure and efficient network traffic management.
[SonicWall Firewall][1] is a network security solution designed to protect organizations from a wide range of cyber threats. It offers advanced security features, high performance, and scalability, making it suitable for businesses of all sizes. SonicWall Firewall is known for its ability to provide real-time protection against emerging threats, while ensuring secure and efficient network traffic management.

This integration provides enrichment and visualization for all log types shared by Sonicwall Firewall over syslog. It helps to visualize detailed insights into the analysis of logs received by Syslog through the out-of-the-box dashboards and detection rules.
This integration provides enrichment and visualization for all log types shared by SonicWall Firewall over syslog. Detailed insights into the logs received by syslog are visualized in out-of-the-box dashboards and detection rules.


## Setup

### Installation

To install the Sonicwall Firewall integration, run the following Agent installation command and the steps below.

For more information, see the [Integration Management][2] documentation.
To install the SonicWall Firewall integration, run the following Linux command to install the Agent.

**Note**: This step is not necessary for Agent version >= 7.58.0.

Linux command
```shell
sudo -u dd-agent -- datadog-agent integration install datadog-sonicwall-firewall==1.0.0
```

For more information, see the [Integration Management][2] documentation.

### Configuration

#### Log Collection

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file:
1. Logs collection is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file:
```yaml
logs_enabled: true
```

2. Add this configuration block to your `sonicwall_firewall.d/conf.yaml` file to start collecting your Sonicwall Firewall logs:
2. Add this configuration block to your `sonicwall_firewall.d/conf.yaml` file to start collecting your SonicWall Firewall logs:

```yaml
logs:
- type: udp
port: <udp_port>
source: sonicwall-firewall
```

See the [sample sonicwall_firewall.d/conf.yaml][3] for available configuration options.

**NOTE**: configure a [syslog server][8] on a Sonicwall Firewall with `<udp_port>`.
**NOTE**: Configure a [syslog server][8] on a SonicWall Firewall with `<udp_port>`.

Configure a Syslog Server in your firewall using the following options:

- **Name or IP Address**: The address where your Datadog Agent running this integration is reachable.
- **Name or IP Address**: The address of the Datadog Agent running this integration.
- **Port**: The Syslog port (UDP) configured in this integration.
- **Server Type**: Syslog Server.
- **Syslog Format**: Enhanced Syslog.
- **Syslog ID**: Change this default (firewall) if you need to differentiate between multiple firewalls.

Set default time as UTC:
Set the default time as UTC:

- In `Device -> Log -> Syslog` first select the **Syslog Settings** tab and enable **Display Syslog Timestamp in UTC** and click **Accept** button to get time in UTC.
- In **Device** > **Log** > **Syslog**, select the **Syslog Settings** tab, and then enable **Display Syslog Timestamp in UTC**. Click **Accept** to set the time to UTC.

Additional Configuration:

- In `Device -> Log -> Settings` you can select the **Logging Level** and **Alert Level** to get different kind of logs.
- In **Device** > **Log** > **Settings**, you can select the **Logging Level** and **Alert Level** to get different kind of logs.

3. [Restart the Agent][4].

#### Specify a time zone other than UTC in the Sonicwall Firewall Datadog log pipeline
Datadog expects all logs to be in the UTC time zone by default. If the timezone of your Sonicwall Firewall logs is not UTC, specify the correct time zone in the Sonicwall Firewall Datadog pipeline.
#### Specify a time zone other than UTC in the SonicWall Firewall and Datadog log pipeline
Datadog expects all logs to be in UTC time zone by default. If the time zone of your SonicWall Firewall logs is not in UTC, specify the correct time zone in the SonicWall Firewall Datadog pipeline.

To change the time zone in Sonicwall Firewall pipeline:
To change the time zone for the SonicWall Firewall pipeline:

1. Navigate to the [**Pipelines** page][10] in the Datadog app.

2. Enter "Sonicwall Firewall" in the **Filter Pipelines** search box.
2. Enter `SonicWall Firewall` in the **Filter Pipelines** search box.

3. Hover over the Sonicwall Firewall pipeline and click on the **clone** button. This will create an editable clone of the Sonicwall Firewall pipeline.
3. Hover over the SonicWall Firewall pipeline and click **clone**. This creates an editable clone of the SonicWall Firewall pipeline.

4. Edit the Grok Parser using the below steps:

- In the cloned pipeline, find a processor with the name `"Grok Parser: Parsing Sonicwall Firewall time"` and click on the `Edit` button by hovering over the pipeline.
- Under **Define parsing rules**
- Modify the rule and provide the [TZ identifier][9] of the time zone of your Sonicwall Firewall server. For example, if your timezone is IST, you would remove `' z'` and add the value to `Asia/Calcutta`.
- Example:

**Existing rule**
- In the cloned pipeline, find the processor with the name **Grok Parser: Parsing Sonicwall FireWall time**. Hover over the pipelines and click **Edit**.
- Under **Define parsing rules**:
- Modify the rule and provide the [TZ identifier][9] of the time zone of your SonicWall Firewall server. For example, if your time zone is IST, replace `' z'` with `Asia/Calcutta`.
- For example, if this is the existing rule:

```shell
rule %{date("yyyy-MM-dd HH:mm:ss z"):timestamp}
```

**Modified rule for IST timezone**
The modified rule for IST timezone is:

```shell
rule %{date("yyyy-MM-dd HH:mm:ss", "Asia/Calcutta"):timestamp}
```

- Additional step

- Under **log samples**
- Under **log samples**:
- Remove UTC from the existing value.
- Example:

**Existing Value**
- For example, if the existing value is:

```shell
2024-09-11 06:30:00 UTC
```

**Updated Value**
The updated value is:
```shell
2024-09-11 06:30:00
```

- Click the **update** button.
- Click **Update**.

### Validation

[Run the Agent's status subcommand][5] and look for `sonicwall_firewall` under the Checks section.
## Data Collected
### Log
### Logs
| Format | Log Types |
| -------------------- | -------------- |
| CEF (Enhanced Syslog) | All |
### Metrics
The Sonicwall Firewall integration does not include any metrics.
The SonicWall Firewall integration does not include any metrics.
### Events
The Sonicwall Firewall integration does not include any events.
The SonicWall Firewall integration does not include any events.
### Service Checks
The Sonicwall Firewall integration does not include any service checks.
The SonicWall Firewall integration does not include any service checks.
See [service_checks.json][6] for a list of service checks provided by this integration.
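Review bot: The processor name in the grok-parser step now reads **Grok Parser: Parsing Sonicwall FireWall time** while the rest of this hunk was normalised to "SonicWall Firewall"; the reader has to find the processor by this exact label in the cloned pipeline, so it must match the name the pipeline actually uses, and "FireWall" looks like a typo either way. Two smaller points in the same hunk: the new heading "Specify a time zone other than UTC in the SonicWall Firewall and Datadog log pipeline" now reads as two pipelines where the old text meant the Datadog pipeline for SonicWall Firewall, so drop "and"; and "to get different kind of logs" under Additional Configuration should be "different kinds of logs". Finally, the trailing line "See [service_checks.json][6] for a list of service checks provided by this integration." directly follows "does not include any service checks", which is contradictory and worth dropping or rewording.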
@@ -26,7 +26,7 @@
"id": 6474031660100888,
"definition": {
"type": "note",
"content": "## Overview\n- This dashboard gives insights about Firewall and Firewall Setting logs.\n- Firewall Logs include logs related to application firewall and security policies.\n- Firewall settings include logs for flood attacks, FTP, multicast etc.\n",
"content": "## Overview\n- This dashboard provides insights on Firewall and Firewall Setting logs.\n- Firewall logs include logs related to the application firewall and security policies.\n- Firewall Settings include logs for flood attacks, FTP, multicast, and so on.\n",
"background_color": "white",
"font_size": "14",
"text_align": "left",
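Review bot: The note text is inconsistent about the group name: the first bullet says "Firewall Setting logs" and the third says "Firewall Settings include"; pick one form (the plural "Firewall Settings" of the third bullet) and use it in both. Minor: "provides insights on" is less idiomatic than "provides insights into", and the same wording is repeated in the other dashboard notes in this commit.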
@@ -372,7 +372,7 @@
{
"id": 8754231207549794,
"definition": {
"title": "Total Access Rule Added",
"title": "Total Number of Access Rules Added",
"title_size": "16",
"title_align": "left",
"type": "query_value",
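Review bot: "Total Number of Access Rules Added" (and "Total Number of Access Rules Deleted" in the next hunk) is wordier than the naming used for the other query_value widgets in this commit, such as "Total Connections Opened" and "Total Disabled Anti-Spam Services"; "Total Access Rules Added" / "Total Access Rules Deleted" keeps the plural fix and follows that pattern.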
@@ -426,7 +426,7 @@
{
"id": 3419154176130290,
"definition": {
"title": "Total Access Rule Deleted",
"title": "Total Number of Access Rules Deleted",
"title_size": "16",
"title_align": "left",
"type": "query_value",
@@ -616,7 +616,7 @@
{
"id": 2062049705340546,
"definition": {
"title": "Top Users ",
"title": "Top Users",
"title_size": "16",
"title_align": "left",
"type": "toplist",
@@ -1268,7 +1268,7 @@
{
"id": 2760824977893310,
"definition": {
"title": "Events by Protocol ",
"title": "Events by Protocol",
"title_size": "16",
"title_align": "left",
"requests": [
@@ -1530,7 +1530,7 @@
{
"id": 3904888047203856,
"definition": {
"title": "Multicast UDP Packet Drop Over Time",
"title": "Multicast UDP Packets Dropped Over Time",
"title_size": "16",
"title_align": "left",
"show_legend": true,
@@ -1897,7 +1897,7 @@
{
"id": 763526985321184,
"definition": {
"title": "Top FTP Port Bounce Attack",
"title": "Top FTP Port Bounce Attack",
"title_size": "16",
"title_align": "left",
"type": "toplist",
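Review bot: The old and new title lines both render as "Top FTP Port Bounce Attack" here, so this appears to be a whitespace-only change; if the intent was the singular-to-plural cleanup applied to aliases such as "Dropped Inbound Connections" elsewhere in this commit, "Top FTP Port Bounce Attacks" would be the consistent form for a toplist.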
@@ -1,5 +1,5 @@
{
"title": "SonicWall Firewall - Anti Spam",
"title": "SonicWall Firewall - Anti-Spam",
"description": "This dashboard provides information about the Firewall Anti-Spam logs generated in SonicWall Firewall.",
"widgets": [
{
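Review bot: The title now hyphenates "Anti-Spam", but the unchanged description still reads "Firewall Anti-Spam logs generated in SonicWall Firewall", which repeats "Firewall"; "the Anti-Spam logs generated by SonicWall Firewall" is tighter and keeps the hyphenated form consistent with the new title.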
@@ -26,7 +26,7 @@
"id": 25814084312524,
"definition": {
"type": "note",
"content": "## Overview\n- This dashboard gives insights about Anti-Spam logs.\n- SonicWall logs for Anti-Spam categories typically include information about emails flagged as spam, actions taken (such as blocking or quarantining), source and destination IPs, email addresses, and categories of spam identified.\n",
"content": "## Overview\n- This dashboard provides insights on Anti-Spam logs.\n- SonicWall's logs for Anti-Spam categories include information on emails flagged as spam, actions taken (such as blocking or quarantining), source and destination IPs, email addresses, and the categories of spam identified.\n",
"background_color": "white",
"font_size": "14",
"text_align": "left",
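Review bot: Dropping "typically" from the second bullet turns a hedge into a firm claim that every Anti-Spam log carries source and destination IPs, email addresses and spam categories; unless that has been verified against the log samples, keep "typically" or use "can include". "SonicWall's logs for Anti-Spam categories" also reads awkwardly; "SonicWall Anti-Spam logs" is enough.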
@@ -157,7 +157,7 @@
{
"id": 7192538660853662,
"definition": {
"title": "Total Disabled Antispam Services",
"title": "Total Disabled Anti-Spam Services",
"title_size": "16",
"title_align": "left",
"type": "query_value",
@@ -212,7 +212,7 @@
{
"id": 8979897882829710,
"definition": {
"title": "Total Enabled Antispam Services",
"title": "Total Enabled Anti-Spam Services",
"title_size": "16",
"title_align": "left",
"type": "query_value",
@@ -351,15 +351,15 @@
{
"formulas": [
{
"alias": "Dropped Outbound Connection",
"alias": "Dropped Outbound Connections",
"style": {
"palette": "dd20",
"palette_index": 4
},
"formula": "query1"
},
{
"alias": "Dropped Inbound Connection",
"alias": "Dropped Inbound Connections",
"style": {
"palette": "dd20",
"palette_index": 0
@@ -26,7 +26,7 @@
"id": 8907054059342398,
"definition": {
"type": "note",
"content": "## Overview\n- This dashboard gives insights about Network logs.\n- Network logs displays network traffic details, threat detection, and system events related to network security.\n- DHCP group tracks DHCP logs including lease IP information, total discover, acknowledged and non acknowledged packets etc.\n- L2TP tracks logs related to VPN connection attempts, successes, and failures. This group allows for detailed tracking of remote access activity.\n- DNS group provides detailed monitoring of DNS traffic, helping to identify potential issues or malicious activity within the network.",
"content": "## Overview\n- This dashboard provides insights on network logs.\n- Network logs displays network traffic details, threat detection, and system events related to network security.\n- The DHCP group tracks DHCP logs, including lease IP information and the total discovered, acknowledged and non-acknowledged packets.\n- L2TP tracks logs related to VPN connection attempts, successes, and failures. This group allows for detailed tracking of remote access activity.\n- The DNS group provides detailed monitoring of DNS traffic, helping to identify potential issues or malicious activity within the network.",
"background_color": "white",
"font_size": "14",
"text_align": "left",
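Review bot: "Network logs displays network traffic details" still has a subject-verb agreement error in the new text; it should be "Network logs display". In the DHCP bullet, "the total discovered, acknowledged and non-acknowledged packets" misdescribes what is counted: the old wording "discover, acknowledged and non acknowledged" refers to DHCP Discover, ACK and NAK message counts, so "counts of DHCP Discover, ACK and NAK packets" is clearer than "discovered packets".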
@@ -220,7 +220,7 @@
{
"id": 8501494248010598,
"definition": {
"title": "Total Connection Opened",
"title": "Total Connections Opened",
"title_size": "16",
"title_align": "left",
"type": "query_value",
@@ -277,7 +277,7 @@
{
"id": 7749815108871318,
"definition": {
"title": "Total Connection Closed",
"title": "Total Connections Closed",
"title_size": "16",
"title_align": "left",
"type": "query_value",
@@ -650,7 +650,7 @@
{
"id": 7864063519032976,
"definition": {
"title": "Events by Protocol ",
"title": "Events by Protocol",
"title_size": "16",
"title_align": "left",
"requests": [
@@ -784,7 +784,7 @@
{
"id": 268660645109168,
"definition": {
"title": "Top Blacklisted Devices Triggered MAC-IP For Anti-Spoofing Event",
"title": "Top Blacklisted Devices that Triggered MAC-IP for Anti-Spoofing Event",
"title_size": "16",
"title_align": "left",
"type": "toplist",
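Review bot: "Top Blacklisted Devices that Triggered MAC-IP for Anti-Spoofing Event" is still awkward: "Event" is singular for a toplist, and "MAC-IP for Anti-Spoofing" splits the feature name. "Top Blacklisted Devices Triggering MAC-IP Anti-Spoofing Events" reads more naturally and keeps "MAC-IP Anti-Spoofing" together.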
@@ -1794,7 +1794,7 @@
{
"id": 4802767918194872,
"definition": {
"title": "Total Offer Recieve Packets",
"title": "Offer Received Packets",
"title_size": "16",
"title_align": "left",
"type": "query_value",
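Review bot: The new title "Offer Received Packets" drops the "Total" prefix that the sibling query_value widgets in this file keep ("Total Connections Opened", "Total DNS Proxy Packet Received"), and "Offer Received Packets" is still ambiguous about what was received. "Total DHCP Offer Packets Received" fixes the original spelling and stays consistent with the others.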
@@ -2029,7 +2029,7 @@
{
"id": 5196385749415732,
"definition": {
"title": "Distribution of Event by MAC Address and Lease IPs",
"title": "Distribution of Event by MAC Address and Lease IPs",
"title_size": "16",
"title_align": "left",
"requests": [
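Review bot: Old and new lines render identically as "Distribution of Event by MAC Address and Lease IPs", so this is presumably a whitespace-only change; while touching it, "Event" should be plural: "Distribution of Events by MAC Address and Lease IP".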
@@ -2791,7 +2791,7 @@
{
"id": 4946151417278448,
"definition": {
"title": "Total DNS Proxy Packet Received",
"title": "Total DNS Proxy Packet Received",
"title_size": "16",
"title_align": "left",
"type": "query_value",
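Review bot: Both lines read "Total DNS Proxy Packet Received", so only whitespace changed here; "Total DNS Proxy Packets Received" would match the plural form used for "Multicast UDP Packets Dropped Over Time" elsewhere in this commit.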
@@ -2838,7 +2838,7 @@
{
"id": 770812064818576,
"definition": {
"title": "Total DNS Proxy Request Packet Drop",
"title": "Total DNS Proxy Request Packet Dropped",
"title_size": "16",
"title_align": "left",
"type": "query_value",
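Review bot: "Total DNS Proxy Request Packet Dropped" fixes the verb but keeps the singular noun; "Total DNS Proxy Request Packets Dropped" is consistent with the plural form adopted for the other packet counters in this commit.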