Purpose
The SonicWall integration enables AirMDR to connect with a SonicWall firewall and retrieve security, network, and firewall-related information for investigation, enrichment, and automated response workflows. This guide explains how to collect the following values from the SonicWall UI:

| Required Field | Description |
|---|---|
| Firewall IP | IP address used to access the SonicWall firewall management interface |
| Username | SonicWall administrator or read-only administrator username |
| Password | Password for the selected SonicWall user account |
Use a dedicated read-only or least-privilege administrator account wherever possible.
Supported Versions
| Component | Supported Details |
|---|---|
| Product | SonicWall Firewall |
| Management Interface | SonicOS web-based management UI |
| Recommended Access | HTTPS management interface |
| Authentication Type | Username and password |
| API Support | SonicOS API, if enabled |
SonicWall confirms that SonicOS firewalls can be managed through the local web-based management interface by accessing the LAN or WAN IP address and signing in with an administrator account.
Authentication
AirMDR uses SonicWall firewall credentials to authenticate with the SonicWall firewall.

Required Credentials
| Field | Required | Example |
|---|---|---|
| Firewall IP | Yes | https://192.168.1.1 |
| Username | Yes | airmdr-readonly |
| Password | Yes | ******** |
Role-Based Access Considerations
Recommended user role:

| Role Type | Recommendation |
|---|---|
| Read-only administrator | Preferred for monitoring and investigation |
| Full administrator | Use only if AirMDR requires response or configuration actions |
| Shared admin account | Avoid |
Pre-requisites
- Users must have Administrator access to the SonicWall management UI with sufficient privileges to create or manage users and verify firewall settings.
- The SonicWall management interface must be accessible from the AirMDR Remote Agent over HTTPS (default port 443).
- The AirMDR Remote Agent and network connectivity must be installed and active (if required by the deployment model).
Setup Steps
Identify the SonicWall Firewall IP
- Log in to the SonicWall firewall UI using an administrator account.
- Navigate to Network → System → Interfaces.
- In the Interface Settings table, locate the interface used for management access. Common examples:

| Interface | Typical Use |
|---|---|
| X0 / LAN | Internal firewall management |
| X1 / WAN | External management, if enabled |
| MGMT | Dedicated management interface |

- Copy the IP address shown for the selected interface.
- Use this value as the Firewall IP in AirMDR.
Prefer the internal LAN or dedicated MGMT IP. Avoid exposing firewall management over the public WAN unless required and secured.
Verify HTTPS Management Access
- Navigate to Device → Settings → Administration.
- Open the Management section.
- Confirm that HTTPS management is enabled.
- Confirm the HTTPS port.
Default: 443
Test browser access: https://<firewall-ip>
Create a Dedicated SonicWall User
- Log in to SonicWall UI.
- Navigate to Device → Users → Local Users & Groups.
- Click Add User.
- In the Settings tab, enter:

| Field | Example |
|---|---|
| Name | airmdr-readonly |
| Password | Enter a strong password |
| Confirm Password | Re-enter password |

- Save the user.
Assign User to the Required Group
- In the same user configuration window, open the Groups tab.
- Add the user to the required administrator group. Recommended options:

| Group | Use Case |
|---|---|
| Read-Only Admins | Monitoring, investigation, log review |
| SonicWall Administrators | Full administrative access |

- Click Save or Accept.

SonicWall allows local users to be assigned to groups from the Groups tab under local user settings. For AirMDR monitoring-only use cases, assign the minimum permissions required.
Integration Credential Requirements
Use the following placeholder values while configuring the SonicWall integration in AirMDR.

| Field | Placeholder | Description |
|---|---|---|
| Firewall IP | https://<sonicwall-firewall-ip> | SonicWall management interface IP or hostname |
| Username | <sonicwall-admin-username> | SonicWall administrator or read-only username |
| Password | <sonicwall-password> | Password associated with the SonicWall user account |
| Remote Agent | <remote-agent-name> | AirMDR Remote Agent used to establish connectivity |
| HTTPS Port | 443 | Default SonicWall management HTTPS port |
| API Access (Optional) | Enabled / Disabled | Indicates whether SonicOS API access is enabled |
SonicWall Credential Reference Table
| Credential / Field | Where to Find in SonicWall UI | Description |
|---|---|---|
| Firewall IP | Network > System > Interfaces | Displays the management IP address configured on interfaces such as X0, X1, or MGMT |
| Username | Device > Users > Local Users & Groups | Displays the local administrator or read-only user accounts configured on the firewall |
| Password | Device > Users > Local Users & Groups | Password is not visible after creation. It can only be set or reset by editing the user account |
| HTTPS Management Port | Device > Settings > Administration | Shows the HTTPS management port used to access the SonicWall UI (default: 443) |
| SonicOS API Access | Device > Settings > Administration > SonicOS API | Used to verify whether API access is enabled for integrations |
| User Role / Permissions | Device > Users > Local Users & Groups > Edit User > Groups | Displays the administrator or read-only groups assigned to the integration user |
| Remote Management Settings | Device > Settings > Administration | Used to verify whether HTTPS management access is enabled internally or externally |
| Firmware / SonicOS Version | Device > Settings > Firmware & Backups or System > Status | Displays the current SonicOS version running on the firewall |
| Firewall Hostname | Device > System > Administration | Displays the configured firewall device name or hostname |
| Interface Zone Details | Network > System > Interfaces | Displays whether the interface belongs to LAN, WAN, DMZ, or MGMT zones |
Validate Connectivity
Use the following sample token request only for validation from an approved secure environment:

Parameter Details:

| Parameter | Description |
|---|---|
| -k | Ignores SSL certificate validation for self-signed certificates |
| -u | Supplies SonicWall username and password |
| -X GET | Sends a GET request |
| /api/sonicos/version | SonicOS API endpoint used to validate connectivity and authentication |
Example POST Request using cURL:
Sample Successful Response
"status": "success": true, "firmware_version": "SonicOS 7.0.1", "model": "NSa 2700", "serial_number": "123456789", "hostname": "sonicwall-fw"
Sample Authentication Failure Response
"status": "success": false, "message": "Authentication failed"
Sample Connection Failure
curl: (7) Failed to connect to 192.168.1.1 port 443: Connection refused
| Error | Possible Cause |
|---|---|
| Authentication failed | Incorrect username or password |
| Connection refused | Firewall IP unreachable or HTTPS disabled |
| SSL certificate issue | Self-signed or invalid certificate |
| 401 Unauthorized | Insufficient permissions or invalid credentials |
| API endpoint not found | SonicOS API not enabled |
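
The validation request described in this section can also be run without -k and without the password on the command line. The script below is an added example, not AirMDR or SonicWall code: it sends the GET to /api/sonicos/version, checks the firewall certificate against a pinned copy, and maps the outcome to the causes in the error tables on this page. The SONICWALL_PASSWORD variable, the PEM file argument, and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not AirMDR or SonicWall code). Assumptions: the password is in
# the SONICWALL_PASSWORD environment variable, and CA_FILE is the firewall
# certificate (or its issuing CA) exported to a local PEM file.

# Map a curl exit code and HTTP status to the causes in the page's error tables.
classify_result() {
  local curl_rc="$1" http_code="$2"
  case "$curl_rc" in
    0) ;;
    6|7)   echo "Connection failed: firewall IP unreachable or HTTPS disabled"; return 1 ;;
    28)    echo "Timeout: remote agent cannot reach firewall"; return 1 ;;
    35|60) echo "SSL certificate issue: self-signed or invalid certificate"; return 1 ;;
    *)     echo "curl failed with exit code $curl_rc"; return 1 ;;
  esac
  case "$http_code" in
    200) echo "OK: connectivity and authentication validated" ;;
    401) echo "401 Unauthorized: insufficient permissions or invalid credentials"; return 1 ;;
    403) echo "Access denied: user lacks required permissions"; return 1 ;;
    404) echo "API endpoint not found: SonicOS API not enabled"; return 1 ;;
    *)   echo "Unexpected HTTP status $http_code"; return 1 ;;
  esac
}

# check_sonicwall HOST USER CA_FILE
check_sonicwall() {
  local host="$1" user="$2" ca_file="$3" cred http_code rc
  : "${SONICWALL_PASSWORD:?set SONICWALL_PASSWORD first}"
  # Escape backslashes and double quotes for curl's config-file syntax.
  cred=$(printf '%s:%s' "$user" "$SONICWALL_PASSWORD" | sed 's/[\\"]/\\&/g')
  # Credentials reach curl on stdin (--config -), so they never show up in the
  # process list; --cacert pins the firewall certificate instead of using -k.
  http_code=$(printf 'user = "%s"\n' "$cred" |
    curl --silent --config - --cacert "$ca_file" --connect-timeout 10 \
         --output /dev/null --write-out '%{http_code}' \
         --request GET "https://${host}/api/sonicos/version")
  rc=$?
  classify_result "$rc" "$http_code"
}

# Usage: ./check_sonicwall.sh <firewall-ip> <username> <ca-file.pem>
if [ "$#" -eq 3 ]; then
  check_sonicwall "$@"
fi
```

With --cacert, the name or IP address in the URL must match a subject alternative name in the firewall certificate, so a mismatch is reported as an SSL certificate issue rather than silently accepted.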
Configure SonicWall in AirMDR Integrations Dashboard
- Navigate to AirMDR, provide the credentials, and click Login.
- Navigate to the AirMDR Integrations Dashboard in the left navigation pane and select Integrations.
- Use the search option, enter the keyword "SonicWall", select the Connections tab, and click the + Create button.
- Enter a unique name for the Instance (e.g., your org name-SonicWall) so the connection is easy to identify in AirMDR.
- Enter the application credentials (Firewall IP, Username, and Password) in the Authentication Details field params, and click Save.
Skills provided by this Integration
| Skill ID | Purpose |
|---|---|
| Get SonicWall IPv4 NAT Policies | Retrieve IPv4 NAT policies from SonicWall firewall. |
| Get SonicWall IPv4 Route Policies | Retrieve IPv4 route policies from SonicWall firewall. |
| Get SonicWall IPv4 Access Rules | Retrieve IPv4 access rules from SonicWall firewall. |
| Get SonicWall IPv4 Interfaces | Retrieve IPv4 interfaces from SonicWall firewall. |
| Get SonicWall Service Groups | Retrieve service groups from SonicWall firewall. |
| Get SonicWall Zones | Retrieve zones from SonicWall firewall. |
Additional Information
🧰 Error Handling
| Issue | Possible Cause | Resolution |
|---|---|---|
| Connection failed | Firewall IP is incorrect | Verify the IP from Network > System > Interfaces |
| Authentication failed | Incorrect username or password | Reset password or verify credentials |
| Access denied | User lacks required permissions | Assign user to correct admin/read-only group |
| Timeout | Remote agent cannot reach firewall | Check routing, firewall rules, and port access |
| API request failed | SonicOS API disabled | Enable SonicOS API in Administration settings |
| SSL certificate warning | Self-signed firewall certificate | Validate certificate trust policy before allowing connection |
🔄 Monitoring & Logs
SonicWall UI Logs
Navigate to Monitor → Logs → System Logs or Investigate → Logs, depending on SonicOS version.
What to Monitor
| Log Type | Purpose |
|---|---|
| Login events | Validate AirMDR authentication attempts |
| Admin activity | Track configuration or access changes |
| API activity | Confirm API requests, if enabled |
| System events | Identify firewall-side errors |
Sample Log Entry
User login successful: user=airmdr-readonly source=<remote-agent-ip>
User login failed: user=airmdr-readonly reason=Invalid credentials
🛑 Security & Access Best Practices
| Best Practice | Description |
|---|---|
| Use Least-Privilege Access | Assign only the minimum permissions required for the integration. Prefer read-only administrator roles whenever possible. |
| Use Dedicated Integration Accounts | Create a separate SonicWall account specifically for AirMDR integration to improve auditing and access tracking. |
| Enforce Strong Password Policies | Use complex passwords with uppercase, lowercase, numbers, and special characters. Rotate passwords periodically based on organizational policy. |
| Restrict Management Access | Limit SonicWall management UI access to trusted IP ranges or internal management networks only. |
| Use HTTPS Only | Ensure the firewall management interface is accessible only over HTTPS to protect credentials during transmission. |
| Enable Audit Logging | Monitor administrator logins, configuration changes, and authentication failures through SonicWall system logs. |
| Periodically Review Permissions | Regularly validate user roles, access groups, and API permissions associated with the integration account. |
| Disable Unused Management Services | Turn off unused services such as HTTP or WAN management access if not required. |
| Protect Remote Agent Connectivity | Ensure secure communication between the AirMDR Remote Agent and SonicWall firewall using approved firewall and network policies. |
| Review Failed Login Attempts | Investigate repeated authentication failures or suspicious login activity immediately. |
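
Because the integration uses a dedicated account, any successful login by that account from a source other than the Remote Agent is worth investigating, as are repeated failures. The script below is an added example, not AirMDR or SonicWall code: it applies both checks to log lines in the format of the sample entries on this page. The sample lines, IP addresses, threshold, and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not AirMDR or SonicWall code). The log format follows the
# sample entries on this page; the lines and IP addresses below are constructed.

# audit_logins USER AGENT_IP [MAX_FAILS]
# Reads log lines on stdin and reports (1) successful logins by the integration
# account from any source other than the Remote Agent and (2) repeated failures.
# Exit status is 1 when there is at least one finding.
audit_logins() {
  awk -v user="$1" -v agent="$2" -v max="${3:-3}" '
    # Return the value of a space-delimited key=value field, or "" if absent.
    function field(line, key,    s) {
      s = " " line
      if (!match(s, " " key "=[^ ]+")) return ""
      return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    }
    field($0, "user") != user { next }   # ignore every other account
    /User login successful:/ {
      src = field($0, "source")
      if (src != agent) {
        print "ALERT unexpected-source user=" user " source=" src
        findings++
      }
    }
    /User login failed:/ { fails++ }
    END {
      if (fails + 0 >= max + 0) {
        print "ALERT repeated-failures user=" user " count=" fails
        findings++
      }
      exit (findings > 0)
    }'
}

# Constructed sample log lines (10.0.0.5 stands in for the Remote Agent IP).
sample_log() {
  cat <<'EOF'
User login successful: user=airmdr-readonly source=10.0.0.5
User login failed: user=airmdr-readonly reason=Invalid credentials
User login failed: user=airmdr-readonly reason=Invalid credentials
User login successful: user=admin source=10.0.0.9
User login successful: user=airmdr-readonly source=203.0.113.9
User login failed: user=airmdr-readonly reason=Invalid credentials
EOF
}

sample_log | audit_logins airmdr-readonly 10.0.0.5 3 || echo "findings reported above"
```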
👉 Support & Maintenance
- 📧 Contact AirMDR Support through your designated support channel.
- 🔁 Rotate credentials regularly. Recommended cadence: every 90 days or as per internal security policy.
- 🔄 Reconnect in AirMDR when secrets are changed.
- Access Review: Review the SonicWall integration user periodically.

| Review Item | Recommended Frequency |
|---|---|
| User account status | Quarterly |
| Assigned permissions | Quarterly |
| API access | Quarterly |
| Firewall management exposure | After every major network change |
🛑 Data Flow & Security
Data Exchanged
| Data Type | Description |
|---|---|
| Firewall metadata | Device and interface details |
| Security events | Firewall alerts, events, and logs |
| Network details | IPs, zones, sessions, or policy-related information |
| Authentication data | Username/password used for connection |
Ports and Endpoints
| Purpose | Protocol | Default Port |
|---|---|---|
| SonicWall HTTPS management | HTTPS | 443 |
| SonicWall HTTP management | HTTP | 80 |
| API communication | HTTPS | 443 |
Allow connectivity from the AirMDR remote agent to the SonicWall management IP on the required port.

