NDR: Supported Firewalls & Sensor Options

Description

For successful integration, a Security Sensor appliance is required. The sensor is normally deployed at the same location as the devices you will be configuring for syslog forwarding; if it is not, it must at least be reachable from those devices. This allows the device(s) to send logs to the Security Sensor appliance, which processes them and securely communicates back to our main SIEM data processor.

This document outlines the different ways that you can deploy a security sensor so that you can determine which one might be right for you and/or your customer.

Notes/Things to Consider

  • A security sensor can be deployed on a Windows Server, deployed as a virtual machine, or a physical device (provided by MSS for NOAM ONLY).
  • A sensor is required for every end customer.
    • Customers with multiple locations can deploy one sensor and have devices from each location send logs to that single sensor, provided the total events per second (EPS) do NOT exceed 500.


Data Flow Examples for Different Sensor Deployments

MSS’s Network Detection and Response (NDR) solution offers flexible sensor deployment options to suit different environments. Below are common deployment types to help you choose the best option for your needs or those of your customers.

On-Prem Windows Server Sensor with Syslog Forwarder Option

A Windows Server Sensor can function as a syslog forwarder, allowing you to collect and process syslog records without needing a separate virtual or physical sensor. This is ideal for environments where deploying a dedicated sensor may not be practical.

Figure: Data Flow - Windows Server Sensor


On-Prem Virtual Sensor

A Virtual Sensor can be installed on existing on-premises infrastructure, such as VMware, Hyper-V, or KVM, providing a flexible and scalable option for network monitoring.

Figure: Data Flow - Virtual Sensor

Cloud Hosted Virtual Sensor

Virtual Sensors can also be deployed on major cloud platforms, including Azure, AWS, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI).

Figure: Data Flow - Cloud Hosted Virtual Sensor

On-Prem Physical Sensor

A Physical Sensor is used when a Windows Server Sensor or Virtual Sensor deployment is not feasible. These sensors, provided by MSS (for North America only), are compact—similar in size to a small firewall—and are installed directly on-site.

Figure: Data Flow - On-Prem Physical Sensor

Multi-Location Customers

For businesses with multiple locations, a single sensor can be placed at one main location (e.g., Location A, Cloud hosted, etc.) and configured to receive logs from devices at all connected locations. This allows centralized monitoring without requiring multiple sensors.

Figure: Data Flow - Multi-Location
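The single-sensor design above and the 500 EPS ceiling noted earlier raise one practical question: how much log volume will the sensor actually receive? As an added example (not from the original page or from MSS), the following Python script parses constructed RFC 3164-style syslog lines from two hypothetical locations and reports the peak total events per second against that limit. Hostnames, messages and the MAX_EPS constant are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample: syslog lines as firewalls at two locations would forward
# them to one sensor. Hostnames, addresses and messages are made up.
SAMPLE_LOGS = """\
<134>Mar  3 10:15:01 fw-location-a kernel: ALLOW TCP 10.1.1.5:51234 -> 10.1.2.9:443
<134>Mar  3 10:15:01 fw-location-a kernel: ALLOW UDP 10.1.1.7:53012 -> 10.1.2.9:53
<134>Mar  3 10:15:01 fw-location-b kernel: DENY TCP 10.2.1.5:44321 -> 10.2.2.9:22
<134>Mar  3 10:15:02 fw-location-a kernel: ALLOW TCP 10.1.1.5:51235 -> 10.1.2.9:443
<134>Mar  3 10:15:02 fw-location-b kernel: ALLOW TCP 10.2.1.8:40001 -> 10.2.2.9:80
<134>Mar  3 10:15:03 fw-location-b kernel: DENY ICMP 10.2.1.9 -> 10.2.2.1
"""

# Per-sensor ceiling from the page's guidance (assumed to apply to the total
# across all locations feeding the sensor).
MAX_EPS = 500

# RFC 3164 header: <PRI>Mon dd HH:MM:SS hostname ...
_LINE_RE = re.compile(r"^<\d{1,3}>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")


def events_per_second(log_text):
    """Return {(host, timestamp): count}; lines without a valid header are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        stamp, host = m.groups()
        counts[(host, stamp)] += 1
    return dict(counts)


def peak_total_eps(log_text):
    """Highest number of events the sensor received in any single second."""
    per_second = Counter()
    for (_host, stamp), n in events_per_second(log_text).items():
        per_second[stamp] += n
    return max(per_second.values(), default=0)


def fits_single_sensor(log_text, limit=MAX_EPS):
    """True if a single sensor can absorb the peak without exceeding the limit."""
    return peak_total_eps(log_text) <= limit


if __name__ == "__main__":
    print("peak EPS:", peak_total_eps(SAMPLE_LOGS), "ok:", fits_single_sensor(SAMPLE_LOGS))
```

Run it against a representative capture from each location (a real sample rather than the constructed lines) before committing to one sensor.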

By selecting the appropriate sensor type and deployment model, organizations can effectively enhance their network security while optimizing resource usage. If you're unsure which deployment is right for your environment, reach out to MSS for guidance.


Supported Firewall/Device Manufacturers

The following manufacturers are natively supported, meaning their logs can be directly ingested into our system.

If your firewall or security device manufacturer is not listed, we may still be able to support it. To determine compatibility, we need to know:

  1. Can your firewall export logs via syslog to an external syslog server?
    1. If no (which is rare), unfortunately, we cannot support it.
    2. If yes, we can work with Stellar to develop a custom parser, but there are important considerations:

Custom Parser Development Process

  • Stellar will need 4–8 weeks to develop the custom parser.
  • There is no cost to you for this development.
  • We will work with you to ensure logs are successfully ingested into the SIEM for Stellar to analyze.
  • During the development process, security events will not be generated, meaning there will be no alerts until the parser is fully operational.
  • Due to the work involved, we do not offer proof-of-concept (POC) trials for unsupported brands.

Natively Supported Firewall/Device Manufacturers

  • AhnLab TrusGuard
  • Alcatel Lucent Switch
  • Aruba Switch
  • Avaya Switch
  • AXGATE Next Generation Firewall
  • Barracuda firewall
  • Brocade switch (system & admin logs)
  • Calyptix UTM
  • Check Point - Application Control (CEF)
  • Check Point - URL Filtering (CEF)
  • CheckPoint appliance
  • CheckPoint firewall
  • CheckPoint VPN-1 & FireWall-1 (CEF)
  • Cisco ASA
  • Cisco Catalyst Firewall
  • Cisco Firepower
  • Cisco IKE
  • Cisco MDS
  • Cisco Meraki
  • Cisco routers and switches
  • Accops
  • Cisco VPN
  • Dell Switch
  • DrayTek Firewall
  • F5 BIG-IP
  • F5 BIG-IP Telemetry (HTTP JSON)
  • F5 IPI
  • F5 iRule
  • F5 L7 DDOS
  • F5 Mitigation
  • F5 Silverline
  • F5 VPN
  • Forcepoint - Firewall (CEF)
  • Fortinet FortiGate
  • Fortinet Fortigate (CEF)
  • FutureSystems WeGuardia SSL plus (SSL VPN)
  • Hillstone
  • HPE Switch
  • Juniper SRX
  • Juniper SSG
  • Juniper Switch
  • Lancope - StealthWatch (LEEF)
  • Mako Networks firewall
  • McAfee Firewall
  • MCAS SIEM Agent (CEF)
  • MikroTik firewall and router
  • Netfilter
  • NetMotion
  • OpenVPN
  • Palo Alto Networks - Next Generation Firewall (LEEF)
  • Palo Alto Networks firewall
  • Palo Alto Networks Firewall via Graylog
  • pfSense Firewall
  • Pulse Secure
  • Radware Alteon
  • RuiJie Switch
  • Sangfor NGAF
  • SECUI Firewall
  • SECUI MF2 Firewall
  • Secuway SSLVPN
  • ShareTech Firewall
  • SonicWall - NSA 2400 (CEF)
  • SonicWall Firewall
  • SonicWall VPN
  • Sophos firewall
  • Sophos Web Appliance
  • Splashtop
  • Splunk Heavy Forwarder
  • Stormshield Net Security Firewall
  • Symantec Endpoint Protection
  • Symantec Firewall
  • Symantec Messaging Gateway
  • Symantec DLP (CEF)
  • Synology Directory Server
  • Syslog4Net
  • Thales Group CipherTrust Manager
  • ThreatLocker Zero Trust EPP
  • Trellix FireEye HX
  • Trend Micro - Deep Security Agent (LEEF)
  • Trend Micro Apex Central (CEF)
  • Trend Micro Interscan Messaging
  • Trend Micro Proxy
  • Trend Micro TippingPoint Intrusion Prevention System (IPS)
  • Tripwire Enterprise
  • Ubiquiti
  • Unix
  • Untangle Firewall (Syslog JSON)
  • Varonis DatAdvantage (CEF)
  • Versa Networks Firewall
  • VMware - Carbon Black (LEEF)
  • VMware ESXi
  • VMWare Horizon
  • VMware NSX-T Data Center
  • VMware UAG
  • VMware Vcenter
  • VMWare VeloCloud SD-WAN
  • WatchGuard - XTM (LEEF)
  • WatchGuard firewall security appliance
  • Wazuh
  • Windows DNS Server
  • Windows Event NXLog
  • Windows System Security
  • Wins IPS ONE-1 / Wins DDX
  • WINS Sniper NGFW
  • Zix Mail
  • Zscaler NSSWeblog (CEF)
  • Zscaler ZIA Firewall
  • Zscaler ZIA Web
  • Zscaler ZPA
  • Zyxel Firewall

Getting Started/Next Steps

After determining the appropriate deployment option and sensor type, please communicate your selections to your implementation engineer by updating your NDR POC/deployment service ticket. Once confirmation is received, you may proceed by following the instructions outlined in the NDR: Integration Guide (Start Here) | SonicWall KB page.

Related Articles

  • NDR: Virtual Sensor Deployment (VMware)
  • NDR: Virtual Sensor Deployment (OCI)
  • NDR: Virtual Sensor Deployment (KVM)