SonicWall Capture Client (EDR) Out-of-the-Box Response Integration

This article describes the required procedure to integrate SonicWall Capture Client (EDR) with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.

Requirements

  • SonicWall Capture Client - Advanced Subscription
    • SonicWall account with the appropriate permissions to create admin users.
  • An active Lumu Defender Subscription or a Lumu for MSP account.

Notes: Capture Client on Linux endpoints does not support content filtering or the Capture ATP integration. This means Linux endpoints will only process the hashes managed by the Lumu integration. Further reference on Capture Client agents for Linux can be found here.

Preliminary Checklist

To set up the integration, you will need the following so that Lumu can communicate with SonicWall Capture Client:

  • An Administrator account.
    • Keep in mind that you will need access to an account that can create Administrator accounts to proceed with this step.
  • A SonicWall Tenant that will receive the indicators pushed by Lumu.

In the following steps, you will learn how to complete all of these requirements.

Integration Setup - SonicWall

Notes: We encourage you to create a new MySonicWall account and assign it to a user group with the least privileges possible, in this case, Admin of the Endpoint solution. If you cannot create a dedicated integration user, ensure you use a user with Admin permissions for the CC / EndPoint solution. For more details about the permissions, go to the Invite a new user to your new user group section.

You must follow these steps to set up SonicWall for the integration:

1. Create a new User group in the MySonicWall console by following the least privilege principle.

2. Invite and activate a New user to your new User group.

3. Generate the API token. This token will be used to create an access token to your Capture Client tenant.

The following sections detail each step.

Create a new user group

Notes: You can skip this step if you have an existing user group mapped to the tenant you want to integrate Lumu with. The user group must have Admin permissions for the CC / Endpoint module.

Log in to your MySonicWall account with a user that has administrative privileges and follow these steps:

1. Head to the left navigation bar. Select User Groups under the My Workspace section.


2. Click on New user group at the bottom of the User groups section. Then, enter a meaningful name for the new user group. When finished, click the Check mark button.


3. Select your new user group. A new group tile will appear next to it. Head to the Tenants tab. Ensure the tenant you want to integrate is listed in that section. You can modify the tenants associated with the group by clicking the Remove link next to the listed tenants and adding others with the Tenants option located at the bottom of that tile.


Notes: You can add more than one tenant to the group if you are an MSP and will use the same integration user for all your managed tenants.

4. Click the Permissions tab. Edit the permissions. Set the CC / EndPoint permission to Admin. Set the permissions of all other solutions to No Access (or to Read Only where No Access is not available). When finished, click Done.


Invite a new user to your new user group

Notes: If you skipped the last section, open the existing user group and follow the steps described in this section to invite your integration user.

Continue from where you left off in the previous section.

1. Go to the Users tab. Then, select Add users at the bottom of the tile. The Add users pop-up will appear. Select Invite user.


2. Fill in the Invite User form as follows:

    • Set the Contact Type to Employee.
    • Enter the Email of your integration user.
    • Optionally, enter the user’s First and Last Name.
    • When finished, click on Invite.

Your new user will receive an activation email. Activate the integration user and log in.

Issue an API key for your integration user

Log in to your integration user account and go through the activation steps. Once you are logged in to the MySonicWall portal, follow these steps:

1. Head to the left navigation bar. Expand the My Workspace section and click the User Groups option.


2. Go to the User list tab. Then, click on Generate My API Key.


3. Review the information presented in the Generate API Key modal. Check if the suggested Valid until date complies with your organization’s security policy. Change it if needed. Then, click on Confirm.


4. Copy the API key by clicking the Copy button. Ensure you store it in a safe place. This key will be needed to set up the integration. When finished, click Close.


Ensure you copy and store the API key in a safe place. It cannot be retrieved later. You must regenerate it in case you lose it.

Integration Setup - Lumu Portal

This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the SonicWall Capture Client (EDR) integration. To start, log into your Lumu account through the Lumu Portal.

Notes: Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.

1. In the Lumu Portal, head to the panel on the left, go to Integrations > Apps, and open Available Apps.


2. Select the Response tab. Locate the SonicWall Capture Client integration and click on Add.


3. Familiarize yourself with the integration details in the app description and click the Activate button to start the integration setup process.


4. Provide a meaningful Name. Under Threat Types, choose the specific threat mappings you want to push to Google Cloud Firewall. Select the option Include IP Indicators to include IP addresses in the information sent to your feed list. When done, click on Next.


Alert: If you leave the Include IP Indicators option unselected, you won’t be able to change it later. You will need to remove the integration and repeat all the steps again.

5. Fill in the required information, as follows:

    • Under Region, choose the Region under which your account is registered. Your Capture Client region is the domain of the SonicWall Capture Client portal you log into. For the Europe region, the Capture Client URL should be changed to https://captureclient-36eu.sonicwall.com.
    • Under API Key, enter the API key you copied in Step 4 of the Issue an API key for your integration user section.
    • Once done, click on Next to continue.

6. Next, select from the dropdown the Tenant in which you want to manage the threat indicators. When done, click on Activate.


7. The integration is now created and active. The Lumu Portal will display the details of the created integration.


Final Steps - Validate the Integration

Once the integration is active, you can monitor updates through your Web Content Filtering Policy. From the dashboard, go to Policies > Web Content Filtering. Then, under Manage advanced settings > Forbidden web domains, you'll find the confirmed compromises detected by Lumu within the preceding 3 days. The Blacklist section will also be updated with compromises.

Notes: Capture Client for Linux devices does not support Web content filtering. If you have Linux devices in your SonicWall Capture Client deployment, they will only be covered by SentinelOne features (hash blocklists).
