
SonicWall firewall India: a Mumbai NBFC’s Friday cutover, an amber alert, and a Sunday off

06:18 AM, BKC. The first coffee was for the firewall, not me.

The new SonicWall NSa 3700 at Bandra-Kurla Complex had been carrying production traffic for nine days. The six branch TZ570s in Andheri, Worli, Thane, Borivali, Vashi and Powai had been live for seven. We were a fortnight out from an RBI cyber audit at a 350-seat NBFC with roughly four thousand two hundred crore in assets under management, and the IT head, Suraj, had not slept past 06:00 since the cutover began.

He had reason. The kit we replaced was an eight-year-old FortiGate 100D at HQ and five TZ300s at branches that hit end-of-support in early 2026. The board had asked the question every board asks. “Are we covered?” Suraj wanted to say yes without flinching.

I was the cyber lead on the rollout. My job that Friday was simple on paper: walk the policy book one more time, sign off the audit pack, and stay near a laptop in case the SonicWall said something interesting. SonicWall in India for a mid-market NBFC means the NSa series at HQ, TZ at branches, Capture ATP cloud sandbox switched on, and Cloud Edge SSE if remote staff need it. The buyer’s guide is straightforward. Friday afternoons rarely are.

Rs 250 crore DPDP penalty cap per breach, per MeitY. The auditor was four working days away.

10:40 AM. The audit pack. The policy book. The boring part.

By mid-morning we had cleared the easy items. RBI wants a documented cyber resilience posture for NBFCs, and the firewall is the visible face of that. The audit pack had: an inventory of every appliance with serial, firmware and license window. A change log for every rule pushed since the cutover. A copy of the IPS, GAV and Capture ATP signature subscriptions, current as of that morning. The escalation matrix with names and phone numbers, including mine.

Suraj kept the printed copy in a black folder. “Bas, achha,” he said. “If they ask anything else, you answer.” Fair.

14:47. The amber alert I almost waved through.

My phone vibrated. Capture ATP, the SonicWall cloud sandbox tier, flagged a suspicious outbound connection from a workstation on the accounts-payable subnet. The destination IP matched an IOC list it pulls in from CERT-In and three commercial threat feeds. The verdict line said “possible C2 callback, low confidence.”

I had assumed it was a false positive. It was not.

Accounts-payable runs a desktop scanner that talks to a vendor portal in the US for invoice processing. Three earlier Capture ATP nudges that week had all turned out to be that scanner. I was tired and I read this one the same way. I almost waved it through. Yaar, that is the thing about amber. It looks like the last amber. It almost never is.

I pulled the packet capture on the SonicWall and looked at what was actually leaving the laptop. It was not the scanner. It was a renamed PowerShell process beaconing every 47 seconds to a host registered through a privacy proxy in Eastern Europe. The MDR we had been paying for fourteen months had not flagged it. The old FortiGate 100D would not have caught it because it never ran the sandbox tier. The NSa 3700 caught it on day nine.

I called Suraj. He stopped pacing.

15:20. Contain, isolate, breathe, then think.

We did the boring things in order. Pulled the laptop off the network via the SonicWall policy, blocked the IOC at the perimeter, snapshotted the workstation for forensic image, paged the user, opened a ticket. The PowerShell beacon turned out to have arrived via a macro-enabled invoice attachment six weeks earlier. The user had not noticed anything strange because nothing strange had happened on her screen. The beacon was dormant most of the day, awake in 47-second windows, waiting for instructions that had not yet come.

We did not know if data had left the building. We did know that nothing leaving the building had been larger than a few kilobytes per beacon, which was inconsistent with bulk exfiltration. We documented all of it. The RBI 6-hour incident reporting clock per CERT-In started when we confirmed the beacon. We notified inside the window. We did not embellish.
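The two observations that drove the triage, a fixed 47-second cadence and only a few kilobytes out per connection, can be checked mechanically over the firewall's connection log rather than by eye. This is an added Python example, not code from the post or from SonicWall; the log format, addresses, timestamps and byte counts are constructed for illustration, and the thresholds are assumptions to tune against your own traffic.

```python
# Added example (not from the post or from SonicWall): triage periodic beacons
# in firewall connection logs. Log format is constructed: "time src dst bytes_out".
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host beaconing every 47 s with ~400 bytes out, plus a
# legitimate invoice scanner posting megabytes to a vendor portal at irregular times.
SAMPLE_LOG = """\
2026-03-13T14:30:00 10.20.5.41 203.0.113.77 412
2026-03-13T14:30:47 10.20.5.41 203.0.113.77 398
2026-03-13T14:31:34 10.20.5.41 203.0.113.77 421
2026-03-13T14:32:21 10.20.5.41 203.0.113.77 405
2026-03-13T14:33:08 10.20.5.41 203.0.113.77 410
2026-03-13T14:30:12 10.20.5.18 198.51.100.9 1843210
2026-03-13T14:36:55 10.20.5.18 198.51.100.9 2210044
2026-03-13T14:51:03 10.20.5.18 198.51.100.9 1790931
2026-03-13T15:02:40 10.20.5.18 198.51.100.9 2004118
"""

def parse_log(text):
    """Group records by (src, dst) into time-ordered (timestamp, bytes_out) lists."""
    flows = defaultdict(list)
    for line in filter(None, text.splitlines()):
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return {k: sorted(v) for k, v in flows.items()}

def find_beacons(flows, min_conns=4, max_jitter=0.1, max_bytes_per_conn=4096):
    """Flag flows with near-constant inter-connection gaps (low relative jitter)
    and small per-connection bytes out. Each hit reports cadence and total bytes
    out, the two numbers needed to separate a C2 beacon from bulk exfiltration."""
    hits = []
    for (src, dst), recs in flows.items():
        if len(recs) < min_conns:
            continue
        times = [t for t, _ in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps) / period if period else 1.0
        if jitter <= max_jitter and max(b for _, b in recs) <= max_bytes_per_conn:
            hits.append({"src": src, "dst": dst, "period_s": round(period),
                         "conns": len(recs), "bytes_out": sum(b for _, b in recs)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The irregular, multi-megabyte scanner flow is left alone while the 47-second, two-kilobyte flow is reported; a beacon that does start pulling data would show up as the same cadence with a rising bytes_out figure.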

By 19:30 the workstation was off the floor, the AP team was on a clean device, and our DFIR partner was inside the snapshot. Suraj’s wife sent him a photo of dinner getting cold. He left at 21:00. We have seen this exact pattern at a Mumbai cooperative bank last quarter, with the same 47-second beacon cadence and the same six-week dormancy.

Saturday and Sunday. The first quiet weekend in eleven months.

Saturday we wrote the postmortem. Sunday we did nothing. That is the part Suraj had been asking for since the audit notice landed in February. Not a quieter inbox, not a faster help desk. One Sunday where the firewall did not call.

SonicWall firewall India: the honest call against FortiGate and Palo Alto

If you are in the middle of the same decision, here is the comparison we ran for the NBFC’s procurement committee. The numbers below are indicative for a 350-seat headquarters plus six branches, quoted as ranges pending review, GST at 18% extra.

| Dimension | SonicWall NSa 3700 + TZ570 | FortiGate 100F + 40F | Palo Alto PA-440 + branches |
|---|---|---|---|
| 3-year hardware and license, indicative | Rs 38-44 lakh | Rs 46-54 lakh | Rs 72-90 lakh |
| Sandbox tier | Capture ATP, on | FortiSandbox, separate license | WildFire, separate license |
| SSE / ZTNA from same vendor | Cloud Edge SSE | FortiSASE | Prisma Access |
| Indian partner depth, mid-market | Wide | Wide | Narrower, enterprise-leaning |
| Best fit | Indian SMB and mid-market wanting one console for firewall + sandbox + SSE | FortiOS-shop muscle memory, large branch counts | Global stack alignment, security team with PCNSE staff |

Route the call this way. If you already run FortiOS at fifty branches with trained admins, lift to Check Point only if you have a specific reason and stay with Fortinet otherwise. If your security operations team holds Palo Alto certifications and the global parent insists, take the Palo Alto Prisma Access path and budget for it. If you are a mid-market Indian shop where one team runs the firewall, the sandbox, the SSE and the ZTNA from one console, the NSa with Capture ATP is the answer we keep landing on. For estates where the office is gone and everyone works from home or hot-desks, look at Cato SASE instead of replacing the box at all.

Talk to us about a SonicWall sizing call for your branch count and audit window. We will quote the kit and the policy work together.

What we learned, and what we will do differently next time

Three things from this run. First, we should have switched on Capture ATP at the cutover, not staged it for week two. The decision to phase it was a worry about false positive volume, and that worry cost us six weeks of visibility on a beacon that was already inside. Arre, that one stings.

Second, the user awareness training that the AP team had taken in October was eight months stale. The invoice macro lure that delivered the beacon was a known pattern. A six-monthly refresher would have given the user a fighting chance to flag the email. We have moved it to quarterly.

Third, we will keep the FortiGate 100D in a Pelican case for a year, switched off, in case the DFIR work needs a comparison log pull from the old box. The instinct to e-waste the appliance on the day the new one stabilises is a bad instinct. Keep the corpse for the autopsy.

Frequently asked questions from the NBFC procurement committee

Is SonicWall data resident in India?
The appliances live on your premises. The management plane can be on-prem (Network Security Manager on-prem) or cloud (NSM SaaS). For Indian regulated workloads we usually recommend NSM on-prem with cloud-fetched signature updates. Document the choice for the auditor. The ISO 27001 control set treats this as a clarity-of-residency issue, not a hard ban on cloud.

Should we run Capture ATP from day one?
Yes. We learned this the hard way on the NBFC project. The sandbox-tier callback detection catches what flow-based IPS will not. Switch it on at cutover, accept the first week of tuning noise, and triage every alert. The cost of the licence is small against one undetected beacon.

What is a realistic deployment timeline for a 6-branch mid-market NBFC?
Eight working weeks from signed PO to last branch cutover, end-to-end. Week 1-2 design and policy port. Week 3 HQ cutover, two-night maintenance window. Week 4-7 branch cutovers, one branch per weekend. Week 8 audit pack assembly, training handover, signature subscription verification.

What if our auditor specifically asks for a sandbox other than Capture ATP?
SonicWall’s Capture ATP uses a multi-engine sandbox approach and is one of the listed solutions in regulated reviews. If the auditor names a different tool, the answer is a documented compensating control, not a panic rebuild. Talk to us before you re-tender.

Get a quote for SonicWall NSa or TZ in your environment, with the policy work and the audit pack included. Same-week provisioning across the metros.

P.S. Priya here. The hardest call of that week was the 14:47 one. It looked like the last three amber alerts. It was not. If you take one thing away from this story, take this: read every amber fully, even the boring ones. Security is a verb.

Reach the Sirius team on a SonicWall sizing call. We will walk the buyer’s guide with you and give you a quote you can take to the audit committee.