
# SonicWall

> The SonicWall integration enables AirMDR to securely connect with SonicWall firewalls for monitoring, investigation, alert enrichment, and automated security operations workflows.

## Purpose

The SonicWall integration enables AirMDR to connect with a SonicWall firewall and retrieve security, network, and firewall-related information for investigation, enrichment, and automated response workflows.

This guide explains how to collect the following values from the SonicWall UI:

| Required Field | Description                                                           |
| :------------- | :-------------------------------------------------------------------- |
| Firewall IP    | IP address used to access the SonicWall firewall management interface |
| Username       | SonicWall administrator or read-only administrator username           |
| Password       | Password for the selected SonicWall user account                      |

<Note>
  Use a dedicated read-only or least-privilege administrator account wherever possible.
</Note>

## Supported Versions

| Component            | Supported Details               |
| :------------------- | :------------------------------ |
| Product              | SonicWall Firewall              |
| Management Interface | SonicOS web-based management UI |
| Recommended Access   | HTTPS management interface      |
| Authentication Type  | Username and password           |
| API Support          | SonicOS API, if enabled         |

<Note>
  SonicWall confirms that SonicOS firewalls can be managed through the local web-based management interface by accessing the LAN or WAN IP address and signing in with an administrator account.
</Note>

## Authentication

AirMDR uses SonicWall firewall credentials to authenticate with the SonicWall firewall.

### Required Credentials

| Field       | Required | Example               |
| :---------- | :------- | :-------------------- |
| Firewall IP | Yes      | `https://192.168.1.1` |
| Username    | Yes      | `airmdr-readonly`     |
| Password    | Yes      | `********`            |

### Role-Based Access Considerations

Recommended user role:

| Role Type               | Recommendation                                                |
| :---------------------- | :------------------------------------------------------------ |
| Read-only administrator | Preferred for monitoring and investigation                    |
| Full administrator      | Use only if AirMDR requires response or configuration actions |
| Shared admin account    | Avoid                                                         |

<Warning>
  Do not use a personal admin account for integrations. Create a dedicated SonicWall user account for AirMDR.
</Warning>

### Pre-requisites

> <Check>
>   Users must have Administrator access to the **SonicWall** management UI with sufficient privileges to create or manage users and verify firewall settings.
> </Check>
>
> <Check>
>   The SonicWall management interface must be accessible from the AirMDR Remote Agent over HTTPS (default port `443`).
> </Check>
>
> <Check>
>   The AirMDR Remote Agent must be installed and active, with network connectivity to the firewall (if required by the deployment model).
> </Check>

### Setup Steps

<Steps>
  <Step title="Identify the SonicWall Firewall IP">
    1. Log in to the SonicWall firewall UI using an administrator account.
       ```text theme={null}
       https://<sonicwall-firewall-ip>
       ```
    2. Navigate to **Network → System → Interfaces**.
    3. In the **Interface Settings** table, locate the interface used for management access. **Common examples:**
       | Interface | Typical Use                     |
       | :-------- | :------------------------------ |
       | X0 / LAN  | Internal firewall management    |
       | X1 / WAN  | External management, if enabled |
       | MGMT      | Dedicated management interface  |
    4. Copy the IP address shown for the selected interface.
    5. Use this value as the **Firewall IP** in AirMDR.
           <Tip>
             SonicWall’s interface table lists configured interfaces and their zones, including LAN, WAN, WLAN, DMZ, and MGMT where applicable.
           </Tip>
           <Note>
             Prefer the internal LAN or dedicated MGMT IP. Avoid exposing firewall management over the public WAN unless required and secured.
           </Note>
  </Step>

  <Step title="Verify HTTPS Management Access">
    1. Navigate to **Device → Settings → Administration**.
    2. Open the **Management** section.
    3. Confirm that HTTPS management is enabled.
    4. Confirm the HTTPS port.\
       Default: `443`\
       Test browser access: `https://<firewall-ip>`
           <Tip>
             SonicWall recommends using HTTPS to log in to the SonicOS management interface, while HTTP management is disabled by default.
           </Tip>
           <Warning>
             Avoid using HTTP for firewall administration because credentials may be exposed in transit.
           </Warning>
  </Step>

  <Step title="Create a Dedicated SonicWall User">
    1. Log in to SonicWall UI.
    2. Navigate to **Device → Users → Local Users & Groups**.
    3. Click **Add User**.
    4. In the **Settings** tab, enter:
       | Field            | Example                 |
       | :--------------- | :---------------------- |
       | Name             | `airmdr-readonly`       |
       | Password         | Enter a strong password |
       | Confirm Password | Re-enter password       |
    5. Save the **user**.
           <Tip>
             SonicWall documentation states that local users are managed from **Device → Users → Local Users & Groups**.
           </Tip>
  </Step>

  <Step title="Assign User to the Required Group">
    1. In the same user configuration window, open the **Groups** tab.
    2. Add the user to the required administrator group. Recommended options:
       | Group                    | Use Case                              |
       | :----------------------- | :------------------------------------ |
       | Read-Only Admins         | Monitoring, investigation, log review |
       | SonicWall Administrators | Full administrative access            |
    3. Click **Save** or **Accept**.
           <Check>
             SonicWall allows local users to be assigned to groups from the **Groups** tab under local user settings.
           </Check>
           <Note>
             For AirMDR monitoring-only use cases, assign the minimum permissions required.
           </Note>
  </Step>
</Steps>

### Integration Credential Requirements

Use the following placeholder values while configuring the SonicWall integration in AirMDR.

| Field                 | Placeholder                       | Description                                         |
| :-------------------- | :-------------------------------- | :-------------------------------------------------- |
| Firewall IP           | `https://<sonicwall-firewall-ip>` | SonicWall management interface IP or hostname       |
| Username              | `<sonicwall-admin-username>`      | SonicWall administrator or read-only username       |
| Password              | `<sonicwall-password>`            | Password associated with the SonicWall user account |
| Remote Agent          | `<remote-agent-name>`             | AirMDR Remote Agent used to establish connectivity  |
| HTTPS Port            | `443`                             | Default SonicWall management HTTPS port             |
| API Access (Optional) | `Enabled / Disabled`              | Indicates whether SonicOS API access is enabled     |

### SonicWall Credential Reference Table

| Credential / Field         | Where to Find in SonicWall UI                                | Description                                                                                     |
| :------------------------- | :----------------------------------------------------------- | :---------------------------------------------------------------------------------------------- |
| Firewall IP                | `Network > System > Interfaces`                              | Displays the management IP address configured on interfaces such as X0, X1, or MGMT             |
| Username                   | `Device > Users > Local Users & Groups`                      | Displays the local administrator or read-only user accounts configured on the firewall          |
| Password                   | `Device > Users > Local Users & Groups`                      | Password is not visible after creation. It can only be set or reset by editing the user account |
| HTTPS Management Port      | `Device > Settings > Administration`                         | Shows the HTTPS management port used to access the SonicWall UI (default: 443)                  |
| SonicOS API Access         | `Device > Settings > Administration > SonicOS API`           | Used to verify whether API access is enabled for integrations                                   |
| User Role / Permissions    | `Device > Users > Local Users & Groups > Edit User > Groups` | Displays the administrator or read-only groups assigned to the integration user                 |
| Remote Management Settings | `Device > Settings > Administration`                         | Used to verify whether HTTPS management access is enabled internally or externally              |
| Firmware / SonicOS Version | `Device > Settings > Firmware & Backups` or `System > Status` | Displays the current SonicOS version running on the firewall                                   |
| Firewall Hostname          | `Device > System > Administration`                           | Displays the configured firewall device name or hostname                                        |
| Interface Zone Details     | `Network > System > Interfaces`                              | Displays whether the interface belongs to LAN, WAN, DMZ, or MGMT zones                          |

### Validate Connectivity

Use the sample request shown below only for validation from an approved secure environment.

**Parameter Details:**

| Parameter              | Description                                                           |
| :--------------------- | :-------------------------------------------------------------------- |
| `-k`                   | Ignores SSL certificate validation for self-signed certificates       |
| `-u`                   | Supplies SonicWall username and password                              |
| `-X GET`               | Sends a GET request                                                   |
| `/api/sonicos/version` | SonicOS API endpoint used to validate connectivity and authentication |

<AccordionGroup>
  <Accordion title="Example GET Request using cURL:">
    ```text theme={null}
    curl -k -u "<username>:<password>" \
    -X GET "https://<firewall-ip>/api/sonicos/version"
    ```
  </Accordion>

  <Accordion title="Sample Successful Response">
    ```json theme={null}
    {
      "status": { "success": true },
      "firmware_version": "SonicOS 7.0.1",
      "model": "NSa 2700",
      "serial_number": "123456789",
      "hostname": "sonicwall-fw"
    }
    ```
  </Accordion>

  <Accordion title="Sample Authentication Failure Response">
    ```json theme={null}
    {
      "status": { "success": false },
      "message": "Authentication failed"
    }
    ```
  </Accordion>

  <Accordion title="Sample Connection Failure">
    ```text theme={null}
    curl: (7) Failed to connect to 192.168.1.1 port 443: Connection refused
    ```
  </Accordion>
</AccordionGroup>

**Common Causes**

| Error                  | Possible Cause                                  |
| :--------------------- | :---------------------------------------------- |
| Authentication failed  | Incorrect username or password                  |
| Connection refused     | Firewall IP unreachable or HTTPS disabled       |
| SSL certificate issue  | Self-signed or invalid certificate              |
| 401 Unauthorized       | Insufficient permissions or invalid credentials |
| API endpoint not found | SonicOS API not enabled                         |
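
The same validation request with certificate verification left on, as an added example (not AirMDR or SonicWall code): it trusts the firewall certificate through `--cacert` instead of `-k`, keeps the password out of the process list, and maps curl exit codes and HTTP statuses to the causes in the table above. The function names, the `SONICWALL_PASSWORD` variable and the CA file argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not AirMDR or SonicWall code. Function names, the
# SONICWALL_PASSWORD variable and the CA file argument are assumptions.

# Map a curl exit code and an HTTP status to a row of "Common Causes".
classify_result() {
  local curl_exit="$1" http_status="$2"
  case "$curl_exit" in
    0)  ;;  # transport succeeded, the HTTP status decides below
    6)  echo "Connection failed: hostname does not resolve"; return 1 ;;
    7)  echo "Connection refused: firewall IP unreachable or HTTPS disabled"; return 1 ;;
    28) echo "Timeout: remote agent cannot reach firewall"; return 1 ;;
    60) echo "SSL certificate issue: certificate not trusted by the supplied CA file"; return 1 ;;
    *)  echo "curl error $curl_exit"; return 1 ;;
  esac
  case "$http_status" in
    200) echo "OK: authenticated to SonicOS API"; return 0 ;;
    401) echo "401 Unauthorized: invalid credentials or insufficient permissions"; return 1 ;;
    404) echo "API endpoint not found: SonicOS API not enabled"; return 1 ;;
    *)   echo "Unexpected HTTP status $http_status"; return 1 ;;
  esac
}

# check_sonicwall <firewall-ip-or-host> <username> <ca-file>
# ca-file: the firewall certificate (or its issuing CA) exported in PEM form.
check_sonicwall() {
  local host="$1" user="$2" ca_file="$3" status rc
  : "${SONICWALL_PASSWORD:?export SONICWALL_PASSWORD first}"
  # Credentials go to curl as a config line on stdin, so they never appear
  # in argv. A password containing " or \ must be escaped for curl's
  # config syntax before use.
  status=$(printf 'user = "%s:%s"\n' "$user" "$SONICWALL_PASSWORD" |
    curl --config - --silent --cacert "$ca_file" --max-time 10 \
         --output /dev/null --write-out '%{http_code}' \
         "https://${host}/api/sonicos/version")
  rc=$?
  classify_result "$rc" "$status"
}

# Usage: check_sonicwall <firewall-ip> airmdr-readonly ./sonicwall-ca.pem
```
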

### Configure SonicWall in AirMDR Integrations Dashboard

1. Navigate to [AirMDR](https://app.airmdr.com/auth/login), provide the credentials and click **Login**.
2. Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select **Integrations**.
3. Use the search option, enter the keyword "**SonicWall**", select the **Connections** tab, and click the **+ Create** button.
4. Enter a unique name for the instance (e.g., `your org name-SonicWall`) to make the user connection easy to identify in AirMDR.
5. Enter the application credentials (**Firewall IP**, **Username** and **Password**) in the Authentication Details fields, and click **Save**.

### Skills provided by this Integration

| **Skill ID**                      | **Purpose**                                           |
| :-------------------------------- | :---------------------------------------------------- |
| Get SonicWall IPv4 NAT Policies   | Retrieve IPv4 NAT policies from SonicWall firewall.   |
| Get SonicWall IPv4 Route Policies | Retrieve IPv4 route policies from SonicWall firewall. |
| Get SonicWall IPv4 Access Rules   | Retrieve IPv4 access rules from SonicWall firewall.   |
| Get SonicWall IPv4 Interfaces     | Retrieve IPv4 interfaces from SonicWall firewall.     |
| Get SonicWall Service Groups      | Retrieve service groups from SonicWall firewall.      |
| Get SonicWall Zones               | Retrieve zones from SonicWall firewall.               |

<Tip>
  To view the details of Input Parameters and Output for the respective skills:

  * Go to [AirMDR → SonicWall](https://app.airmdr.com/integrationsv2/a7b9c5d3-2e1f-4a8b-9c6d-5e4f3a2b1c8d/skills?search=sonic) Integration page.
  * Select the **Skills** tab and click on the required listed skills.
</Tip>

## Additional Information

<AccordionGroup>
  <Accordion title="🧰 Error Handling">
    | Issue                   | Possible Cause                     | Resolution                                                   |
    | :---------------------- | :--------------------------------- | :----------------------------------------------------------- |
    | Connection failed       | Firewall IP is incorrect           | Verify the IP from Network > System > Interfaces             |
    | Authentication failed   | Incorrect username or password     | Reset password or verify credentials                         |
    | Access denied           | User lacks required permissions    | Assign user to correct admin/read-only group                 |
    | Timeout                 | Remote agent cannot reach firewall | Check routing, firewall rules, and port access               |
    | API request failed      | SonicOS API disabled               | Enable SonicOS API in Administration settings                |
    | SSL certificate warning | Self-signed firewall certificate   | Validate certificate trust policy before allowing connection |
  </Accordion>

  <Accordion title="🔄 Monitoring & Logs">
    ### SonicWall UI Logs

    Navigate to \
    **Monitor → Logs → System Logs**\
    or\
    **Investigate → Logs**\
    depending on SonicOS version.

    ### What to Monitor

    | Log Type       | Purpose                                 |
    | :------------- | :-------------------------------------- |
    | Login events   | Validate AirMDR authentication attempts |
    | Admin activity | Track configuration or access changes   |
    | API activity   | Confirm API requests, if enabled        |
    | System events  | Identify firewall-side errors           |

    ### Sample Log Entry

    ```text theme={null}
    User login successful: user=airmdr-readonly source=<remote-agent-ip>
    User login failed: user=airmdr-readonly reason=Invalid credentials
    ```
  </Accordion>

  <Accordion title="🛑 Security & Access Best Practices">
    | Best Practice                      | Description                                                                                                                                     |
    | :--------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------- |
    | Use Least-Privilege Access         | Assign only the minimum permissions required for the integration. Prefer read-only administrator roles whenever possible.                       |
    | Use Dedicated Integration Accounts | Create a separate SonicWall account specifically for AirMDR integration to improve auditing and access tracking.                                |
    | Enforce Strong Password Policies   | Use complex passwords with uppercase, lowercase, numbers, and special characters. Rotate passwords periodically based on organizational policy. |
    | Restrict Management Access         | Limit SonicWall management UI access to trusted IP ranges or internal management networks only.                                                 |
    | Use HTTPS Only                     | Ensure the firewall management interface is accessible only over HTTPS to protect credentials during transmission.                              |
    | Enable Audit Logging               | Monitor administrator logins, configuration changes, and authentication failures through SonicWall system logs.                                 |
    | Periodically Review Permissions    | Regularly validate user roles, access groups, and API permissions associated with the integration account.                                      |
    | Disable Unused Management Services | Turn off unused services such as HTTP or WAN management access if not required.                                                                 |
    | Protect Remote Agent Connectivity  | Ensure secure communication between the AirMDR Remote Agent and SonicWall firewall using approved firewall and network policies.                |
    | Review Failed Login Attempts       | Investigate repeated authentication failures or suspicious login activity immediately.                                                          |
  </Accordion>

  <Accordion title="👉 Support & Maintenance">
    * 📧 Contact [**AirMDR Support**](mailto:support@airmdr.com) through your designated support channel.
    * 🔁 Rotate credentials regularly. Recommended cadence: every 90 days or as per internal security policy.
    * 🔄 Reconnect in AirMDR when secrets are changed.
    * Access review: review the SonicWall integration user periodically.
      | Review Item                  | Recommended Frequency            |
      | :--------------------------- | :------------------------------- |
      | User account status          | Quarterly                        |
      | Assigned permissions         | Quarterly                        |
      | API access                   | Quarterly                        |
      | Firewall management exposure | After every major network change |
  </Accordion>

  <Accordion title="🛑 Data Flow & Security">
    ### Data Exchanged

    | Data Type           | Description                                         |
    | :------------------ | :-------------------------------------------------- |
    | Firewall metadata   | Device and interface details                        |
    | Security events     | Firewall alerts, events, and logs                   |
    | Network details     | IPs, zones, sessions, or policy-related information |
    | Authentication data | Username/password used for connection               |

    ### Ports and Endpoints

    | Purpose                    | Protocol | Default Port |
    | :------------------------- | :------- | :----------- |
    | SonicWall HTTPS management | HTTPS    | `443`        |
    | SonicWall HTTP management  | HTTP     | `80`         |
    | API communication          | HTTPS    | `443`        |

    <Note>
      Allow connectivity from the AirMDR remote agent to the SonicWall management IP on the required port.
    </Note>
  </Accordion>
</AccordionGroup>
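
The login review described under Monitoring & Logs and "Review Failed Login Attempts", as an added example (not AirMDR or SonicWall code): it flags successful logins of the integration account from any source other than the Remote Agent and reports repeated failures. The function names, the alert labels and the sample lines are constructed, and the input is assumed to follow the simplified format of the sample log entries above.

```shell
#!/usr/bin/env bash
# Added example, not AirMDR or SonicWall code.

# Constructed sample lines in the simplified format of "Sample Log Entry".
sample_login_log() {
  cat <<'EOF'
User login successful: user=airmdr-readonly source=10.0.5.20
User login failed: user=airmdr-readonly reason=Invalid credentials
User login failed: user=airmdr-readonly reason=Invalid credentials
User login failed: user=airmdr-readonly reason=Invalid credentials
User login successful: user=airmdr-readonly source=10.0.9.77
User login successful: user=admin source=10.0.1.5
EOF
}

# review_integration_logins <account> <remote-agent-ip> <failure-threshold>
# Reads log lines on stdin and prints one line per finding.
review_integration_logins() {
  awk -v acct="$1" -v agent="$2" -v limit="$3" '
    {
      # Pull the user= and source= fields out of the current line.
      user = ""; src = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^user=/)   user = substr($i, 6)
        if ($i ~ /^source=/) src  = substr($i, 8)
      }
      if (user != acct) next   # only the integration account is reviewed
    }
    /^User login failed:/ { fails++ }
    # The dedicated account should only ever log in from the Remote Agent.
    /^User login successful:/ && src != agent { print "UNEXPECTED_SOURCE " src }
    END { if (fails + 0 >= limit + 0) print "REPEATED_FAILURES " fails }
  '
}

# Usage: sample_login_log | review_integration_logins airmdr-readonly 10.0.5.20 3
```

Real SonicOS log exports carry more fields and vary by version, so the field matching needs adapting to the export actually in use.
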
