Integrate Aryaka
MSP Flex customers must have the Network integrations license pack to use this feature.
You can integrate Aryaka with Sophos Central so that it sends alerts to Sophos for analysis.
The key steps are as follows:
- Add an integration for this product. In this step, you create an image of the appliance.
- Download and deploy the image on a VM. This becomes your appliance.
- Configure Aryaka to send data to the appliance.
Add an integration
To add the integration, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click Aryaka.
  The Aryaka page opens. You can add integrations here and see a list of any you've already added.
- In Data Ingest (Security Alerts), click Add Configuration.
  Note
  If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.
  Integration setup steps appears.
Configure the appliance
In Integration setup steps, you can configure a new appliance or use an existing one.
We assume here that you configure a new appliance. To do this, create an image as follows:
- Enter an integration name and description.
- Click Create new appliance.
- Enter a name and description for the appliance.
- Select the virtual platform. Currently, we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
- Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.
  - Select DHCP to assign the IP address automatically.
    Note
    If you select DHCP, you must reserve the IP address.
  - Select Manual to specify network settings.
- Select the Syslog IP version and enter the Syslog IP address.
  You'll need this syslog IP address later, when you configure Aryaka to send data to your appliance.
- In Protocol, TCP is pre-selected. You can't change it.
  When you configure Aryaka to send data to your appliance, you must make sure it uses the same protocol.
- Click Save.
We create the integration, and it appears in your list.
In the integration details, you can see the port number for the appliance. You'll need this later when you configure Aryaka to send data to it.
It might take a few minutes for the appliance image to be ready.
Deploy the appliance
Restriction
If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.
Use the image to deploy the appliance, as follows:
- In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
- When the image download finishes, deploy it on your VM. See Deploy appliances.
Configure Aryaka
Configure Aryaka to send data to the appliance as follows:
- Sign in to MyAryaka.
- In the top menu, click Config.
- In the left menu, click Security.
- Click the SIEM tile.
- Click Add SIEM Configuration.
- In the SIEM Details pane, enter a name and description for this connection.
  Vendor functionality defaults to Generic and can't be edited.
- In the Connectivity Details pane, do as follows:
  - Click the SIEM Log Transport Method drop-down list and select Network Port.
  - Enter the Syslog IP address you configured earlier.
  - Click the Protocol drop-down list and select TCP.
  - In the Port Number field, enter the listening port for this connection that you configured earlier.
    Aryaka assumes the port number is 443 if you don't specify it.
- In the Log Types pane, you can choose the logs to send to Sophos. Click the following options:
  - Security Logs: Send logs from your Aryaka SmartSecure NGFW-SWG service. Logs include insights from SASE and non-SASE security engines.
  - IPS Event Logs: Send logs from your Aryaka SmartSecure IPS service. This option is only displayed if you have the Aryaka SmartSecure IPS add-on service.
  - Flow Logs: Send logs from your SD-WAN service. Logs contain basic connection details and traffic statistics. These logs don't contain security engine details.
  - Private Access Logs: Send logs from your Private Access service. This option is only displayed if at least one Private Access region is enabled.
- Click Submit.
  A message warns that you can't edit the SIEM configuration until after the Aryaka support team completes the configuration.
- Click OK.
  A message confirms the request was submitted. Status is set to Provisioning.
A message confirms the request was submitted. Status is set to Provisioning.
When the change request is complete, the SIEM page (Config > Security > SIEM) displays a tile with the SIEM name, the vendor type Generic, and the status Configured.
Aryaka now sends all the log types you selected to Sophos.
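Because the SIEM configuration can't be edited until Aryaka support completes it, it helps to check the syslog IP address, port, and protocol before you click Submit. The following script is an added example, not Sophos or Aryaka code. The function names and the sample address and port are assumptions made for illustration.

```python
import ipaddress
import socket

ARYAKA_DEFAULT_PORT = 443  # per this page: Aryaka assumes 443 if Port Number is empty

def validate_settings(syslog_ip, port, protocol):
    """Return a list of problems with the values to be entered in MyAryaka."""
    problems = []
    try:
        ipaddress.ip_address(syslog_ip)
    except ValueError:
        problems.append(f"syslog IP {syslog_ip!r} is not a valid IPv4/IPv6 address")
    if protocol.upper() != "TCP":
        problems.append("protocol must be TCP to match the appliance")
    if port is None:
        problems.append(f"no port given: Aryaka would assume {ARYAKA_DEFAULT_PORT}")
    elif not 1 <= port <= 65535:
        problems.append(f"port {port} is outside 1-65535")
    return problems

def probe_tcp(host, port, timeout=3.0):
    """Try a TCP handshake; return 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"

def preflight(syslog_ip, port, protocol="TCP"):
    """Validate the settings, then probe the listener only if they are sane."""
    problems = validate_settings(syslog_ip, port, protocol)
    if problems:
        return {"ok": False, "problems": problems, "probe": None}
    state = probe_tcp(syslog_ip, port)
    if state != "open":
        problems.append(f"TCP {syslog_ip}:{port} is {state}")
    return {"ok": not problems, "problems": problems, "probe": state}

if __name__ == "__main__":
    # Constructed sample values: use the syslog IP and port from your integration details.
    print(preflight("192.0.2.10", 5514))
```

A successful probe from your own host shows that the appliance is listening on that port. It doesn't show that the network path from Aryaka to the appliance is open.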