Skip to content
Find out how we support MDR.

SonicWall SonicOS

You must have the Firewall integrations license pack to use this feature.

You can integrate the SonicOS security appliance with Sophos Central so that it sends event messages to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.


You can add multiple instances of SonicWall firewalls to the same appliance.

To do this, set up your SonicWall SonicOS integration in Sophos Central, then configure one firewall to send logs to it. Then configure your other SonicWall firewalls to send logs to the same Sophos appliance.

You don't have to repeat the Sophos Central part of the setup.

The key steps are as follows:

  • Configure an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure SonicOS to send data to the appliance.


Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Configure an integration

To integrate SonicOS with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click SonicWall SonicOS.

    The SonicWall SonicOS page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration setup steps appears.

Configure the VM

In Integration setup steps you configure your VM as an appliance to receive data from SonicOS. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the appliance.

    If you've already set up a Sophos appliance, you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure SonicOS to send data to your appliance.

  6. Select a Protocol.

    You must use the same protocol when you configure SonicOS to send data to your appliance.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure SonicOS to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM


If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure SonicOS

You now configure SonicOS to send data to us.

To configure syslog settings on your firewall, do as follows:


If you use SonicWall's Global Management System (GMS) to manage your firewall, you can't change the syslog format (Default) or the syslog ID (Firewall). You can change the other settings. The following instructions don't use GMS.

  1. Go to Log > Syslog.
  2. Select Syslog Servers and click Add.
  3. Enter the syslog IP address you set for your appliance.

    You must enter the same setting you entered in Sophos Central when you added the integration.

  4. In Syslog Format choose ArcSight. The Sophos appliance receives ArcSight CEF format alerts.

    When you select Arcsight, the Configure icon becomes active.

  5. Click the Configure icon. The ArcSight CEF fields Settings configuration window appears.

  6. Select the ArcSight options that you want to log. In most cases, this is All. To select all options, click Select All.
  7. Click Save.
  8. In the Syslog ID box, enter the syslog ID that you want.

    A Syslog ID field is included in all generated messages, prefixed by id=.

    For example, for firewall, the default value, all syslog messages include id=firewall. You can set an ID consisting of 0 to 32 letters, numbers, and underscores.


    When Override Syslog Settings with Reporting Software Settings option is turned on, the Syslog ID field is fixed to "Firewall". You can't change it.

  9. Click Accept at the top of the page.

  10. Go to Log > Settings to configure which alerts are forwarded to Sophos.
  11. In Logging Level you must select Warning.

    This filters out lower priority events.

  12. On the Log > Settings page you can also filter events according to their Event Attributes.

    1. Select a category and click Configure.
    2. In Edit Log Category, select the syslog checkbox for specific categories.

      Your changes apply to all groups and events in the selected category.

More information