-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
NDR: Sensor Troubleshooting
12/04/2024 
0 People found this article helpful
50,634 Views
Description
Sensor Not Receiving Logs
If a sensor is online but not receiving logs from the expected device(s), please follow these troubleshooting steps:
Verify Sensor Status in the Data Processor (DP)
- Navigate to `System > Collection > Sensors` and select the sensor in question.
- Confirm that the sensor is online and that all services are running.
Ensure Firewall Logs are Sent to the Sensor
- Verify that the specific port for the firewall sending its logs is open to the sensor. Refer to the NDR: Integration Guide - Syslog Port Index for more details.
- Ensure the required ports are open and the necessary URLs are not blocked in the firewall upstream of the virtual sensor. Refer to the NDR: Virtual Sensor Requirements
Verify Log Reception
- Follow the steps outlined in the document NDR: Sensor Troubleshooting to confirm that the sensor is receiving logs.
- Alternatively, log in directly to the sensor and run the following command to view real-time logs being received by the sensor: "!tcpdump -i eth0 port <syslog "port> -A
Offline Sensors
The below sections details how to troubleshoot a sensor that is showing offline.
Virtual Sensor
If a sensor is online but not receiving logs from the expected device(s), please follow the steps below for troubleshooting:
Verify Sensor VM Power
Ensure the Sensor VM is powered on.
Check Internet Connectivity
Confirm the sensor can access the internet by performing the following:
- SSH into or open the virtual console for the Sensor’s VM.
- Log in with the username `aella` and the password you set during deployment.
- Run the command: `!ping http://google.com`
- If you receive replies, the sensor has internet access.
- If you see failures, troubleshoot and resolve the internet connectivity issue before continuing.
Verify SIEM DP Reachability
Ensure the sensor can reach the SIEM DP by performing the following:
- SSH into or open the virtual console for the Sensor’s VM.
- Log in with the username `aella` and the password you set during deployment.
- Run the command: `show cm`
- If the status is "up" or "established," the sensor is successfully connected to the SIEM DP.
- If the status is "down," the sensor cannot communicate with the SIEM DP. Proceed to the next step to verify firewall ports.
Check Firewall Configuration
- Ensure the required ports are open and the necessary URLs are not blocked in the firewall upstream of the virtual sensor. Refer to the NDR: Virtual Sensor Requirements
Windows Server Sensor
To troubleshoot windows server sensors, please verify the following:
- Is the server powered on?
- Can the server get to the internet?
- Is the SIEM DP reachable by the sensor?
- Open the Windows Agent Sensor CLI program (requires admin access).
- Run the command show cm
- If you see up or established, then the sensor is successfully connected to the SIEM DP.
- If you see down, then the sensor is not able to communicate to the SIEM DP. Procedure to the next step to verify firewall ports.
- Ensure the required ports are open in the firewall upstream of the virtual sensor: NDR: Integration Guide - Windows Servers Step 1: Firewall Configuration
Physical Sensor
To troubleshoot physical sensors, please verify the following
- Verify that the Sensor is powered on.
- Ensure the required ports are open and the necessary URLs are not blocked in the firewall upstream of the virtual sensor. Refer to the NDR: Virtual Sensor Requirements
If the sensor remains offline after completing the above steps, please schedule a meeting with an NDR engineer. During the screenshare session, the engineer will SSH into the sensor to confirm its connectivity to the internet and the SIEM DP.
Related Articles
- MSS FW Best Practices: CLI/Console
- MSS FW Best Practices: DPI-SSL (Client)
- MSS FW Best Practices: Configuration Export & Import
YES
NO