Security · SONiC-Native

SONiC Guardian Security for Every Switch

Continuous security monitoring for your SONiC network - powered by a Guardian Agent running natively on every switch, reporting all security events to a centralised Guardian Controller.

  • ~0s Event detection latency
  • 100% SONiC-native coverage
  • Agent per switch

SONiC Guardian — Security Event Dashboard

Guardian Controller · SONiC Guardian Dashboard · LIVE

  • 3 Critical Alerts
  • 11 Warnings
  • 24 Switches Monitored
  • 99.7% Agent Uptime

RECENT SECURITY EVENTS

  • CRITICAL: Unauthorised SSH login attempt on Spine-02 (Guardian Agent · 2s ago)
  • WARNING: File integrity change detected: /etc/sonic/config_db.json (Guardian Agent · 14s ago)
  • CRITICAL: Privilege escalation via sudo — user 'netop' on Leaf-07 (Guardian Agent · 1m ago)
  • INFO: SONiC container restarted: swss on Leaf-03 (Guardian Agent · 3m ago)

AGENT STATUS: Spine-01 · Spine-02 · Leaf-01 · Leaf-07 · Leaf-08 · +19 more

How It Works

Security built into the switch, not bolted on

SONiC Guardian embeds a Guardian Agent directly into each SONiC switch. Every security event - from login attempts to config changes - is captured, enriched, and shipped to your central Guardian Controller in real time.

Step 01

Guardian Agent on Every Switch

A lightweight Guardian Agent is deployed as a SONiC container on each switch. It monitors the OS, file system, running processes, and authentication activity continuously without impacting switch forwarding performance.

  • Runs as an isolated SONiC container
  • Zero impact on packet forwarding
  • Auto-registers with the Guardian Controller
  • Native integration with SONiC host services

Step 02

Real-time Event Detection

The agent monitors every security-relevant event on the switch - SSH logins, sudo usage, file integrity changes, syslog anomalies, container restarts, and SONiC configuration modifications - and flags them instantly.

  • Authentication and access monitoring
  • File integrity monitoring (FIM)
  • SONiC config change detection
  • Syslog and audit log analysis

Step 03

Centralised Guardian Controller

All events from every switch are aggregated, correlated, and displayed in the Guardian Controller dashboard. Security teams get a unified view across the entire SONiC fabric - from ToR to spine - with enriched alerts and compliance reports.

  • Single pane of glass across all switches
  • Alert correlation and deduplication
  • Compliance reporting (PCI-DSS, HIPAA)
  • SIEM / SOAR integration via API

Core Capabilities

Everything you need to secure your SONiC fabric

Threat Detection

SSH monitor · Privilege tracking · Process anomaly · Audit events
847 Events today · 3 Critical · <1s Detection

Real-time security monitoring across every switch

The Guardian Agent runs inside a dedicated SONiC container on each switch, continuously collecting and analysing OS-level security events. Every authentication attempt, privilege escalation, and configuration change is captured and shipped to the controller within milliseconds.

  • SSH login monitoring - successes, failures, and brute-force detection
  • Privilege escalation tracking - sudo commands with full audit trail
  • Process anomaly detection - unexpected processes on switch OS
  • Syslog and audit log analysis with Guardian ruleset enrichment

File Integrity

# FIM alert on Leaf-03! config_db.json modified
/etc/sonic/config_db.json changed at 2026-03-25 14:18:42 UTC
User: netadmin (uid=1002)
Hash before: a4f2c9..
Hash after: e7b1d3..
Diff sent to Guardian Controller
Alert rule: SONIC_FIM_CONFIG_CHANGE

12 Files watched · 2 Changes today · SHA256

Config drift detection and file integrity monitoring

SONiC Guardian watches critical system files and SONiC configuration files for any unauthorised modification. Any change — intentional or malicious — is immediately detected, hashed, diffed, and reported to the Guardian Controller with full attribution.

  • Monitors config_db.json and all SONiC config files
  • SHA-256 hashing with before/after diff on every change
  • User attribution - who changed what, when, from which session
  • Custom watch paths - extend monitoring to any file or directory
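
The hash-then-diff check described above, sketched as an added example; it is not PalC's or the Guardian agent's code. The function names, event fields and sample config are constructed for illustration, the `user` value is assumed to come from a separate audit source, and only the rule name is taken from the sample alert on this page.

```python
import difflib, hashlib, json
from datetime import datetime, timezone

def changed_keys(before: dict, after: dict) -> list:
    """List 'TABLE|key (kind)' for every config_db entry that differs."""
    out = []
    for table in sorted(set(before) | set(after)):
        b, a = before.get(table, {}), after.get(table, {})
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                kind = ("added" if key not in b
                        else "removed" if key not in a else "modified")
                out.append(f"{table}|{key} ({kind})")
    return out

def fim_check(path: str, baseline: bytes, current: bytes, user: str = "unknown"):
    """Return an alert event if current differs from baseline, else None."""
    h_before = hashlib.sha256(baseline).hexdigest()
    h_after = hashlib.sha256(current).hexdigest()
    if h_before == h_after:
        return None  # byte-identical: nothing to report
    diff = list(difflib.unified_diff(
        baseline.decode(errors="replace").splitlines(),
        current.decode(errors="replace").splitlines(),
        fromfile=f"{path} (baseline)", tofile=f"{path} (current)", lineterm=""))
    event = {"rule": "SONIC_FIM_CONFIG_CHANGE",  # name from the page's sample alert
             "path": path, "user": user,         # user: supplied by caller (assumption)
             "time": datetime.now(timezone.utc).isoformat(),
             "hash_before": h_before, "hash_after": h_after, "diff": diff}
    try:  # config_db.json is TABLE -> key -> fields, so name what changed
        event["changed_keys"] = changed_keys(json.loads(baseline), json.loads(current))
    except (ValueError, AttributeError, TypeError):
        event["changed_keys"] = None  # not table-shaped JSON: text diff only
    return event

# Constructed sample data (not taken from a real switch).
_cfg = {"PORT": {"Ethernet0": {"admin_status": "up", "mtu": "9100"}}}
BASE = json.dumps(_cfg, indent=2, sort_keys=True).encode()
_cfg["PORT"]["Ethernet0"]["admin_status"] = "down"
_cfg["VLAN"] = {"Vlan100": {"vlanid": "100"}}
CHANGED = json.dumps(_cfg, indent=2, sort_keys=True).encode()

if __name__ == "__main__":
    ev = fim_check("/etc/sonic/config_db.json", BASE, CHANGED, user="netadmin")
    print(ev["rule"], ev["changed_keys"])
    print("\n".join(ev["diff"]))
```
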

Centralised Control

# gNMI streaming — last 60 seconds
spine-01 eth1/1 ↑ 87.4 Gbps
spine-01 eth1/2 ↑ 91.2 Gbps
leaf-03  BGP    ⚠ session flap ×3
leaf-03  MLAG   ⚠ peer-link util 94%
→ RCA: leaf-03 peer-link near-congestion

22/24 Secure · 1 Active alert · 1 Warning

One controller. Complete visibility across the fabric.

All Guardian Agents across the fabric report to a single Guardian Controller instance. Security teams get a unified, real-time view of every switch from leaves to spine, with zero per-switch polling overhead.

  • Single Guardian Controller serves all agents across the fabric
  • Alert correlation across switches to detect lateral movement
  • Retention and reporting for compliance audits
  • REST API and webhook integration with SIEM, SOAR, and ticketing
Architecture

Designed for SONiC. Built on Guardian.

SONiC Guardian leverages the open-source Guardian security platform, extending it natively into the SONiC NOS layer, so your network infrastructure is monitored as deeply as your servers.

  • Agent Layer: Guardian agent container on each SONiC switch
  • Transport: Encrypted event stream to the controller
  • Controller: Correlation, storage, dashboards
  • Response & Integrations: SIEM, SOAR, alerting, compliance exports

Agent Layer

A lightweight Guardian runtime on every SONiC switch captures host-level and control-plane security signals.

  • Containerized deployment per switch
  • Native FIM + auth telemetry capture
  • No impact on packet forwarding

Agent Layer — SONiC Switches

Guardian Agent · FIM Monitor · Syslog Collector · Audit Log Reader · Auth Monitor

Transport — Management Network

TLS 1.3 · Management VRF · Out-of-band Path · Agent Certificates

Guardian Controller

Event Correlation · Rulesets · Indexer · Dashboard · Compliance Reports

Response & Integrations

SIEM · PagerDuty / OpsGenie · Slack / Teams · REST API · PCI-DSS / HIPAA

Why SONiC Guardian

Network security, done right for SONiC

Traditional security tools were designed for servers, not switches. SONiC Guardian is built specifically for SONiC environments, giving you coverage generic tools cannot provide.

Capability | SONiC Guardian (PalC) | Traditional NMS | Generic SIEM Agent | Host Security Only
SONiC-native container deployment~
File integrity monitoring for config_db.json~~
SSH & authentication event monitoring~
SONiC syslog and audit log analysis~
Centralised multi-switch event correlation~
Zero impact on packet forwarding plane~~
Compliance reporting (PCI-DSS, HIPAA)~
No proprietary hardware required~
Open integration via REST and webhook~~
Use Cases

Built for every team that depends on the network

SOC & Threat Hunting

Give your security operations centre full visibility into network device behaviour. Detect lateral movement, insider threats, and credential abuse directly at the switch level.

Zero Trust Network Access

Enforce zero trust principles at the infrastructure layer. SONiC Guardian ensures every network device is continuously verified and monitored.

Compliance & Audit Readiness

Generate audit-ready compliance reports covering PCI-DSS, HIPAA, and SOC 2 requirements with a complete switch-level evidence trail.

Insider Threat Detection

Track every CLI command, configuration change, and file modification to provide an exact audit timeline per switch and user.

Incident Response

Get forensic context quickly to pinpoint when and where a change occurred, which account was used, and what preceded the event.

Data Centre Security Posture

Track and improve security posture across your SONiC fabric over time, and demonstrate progress clearly to leadership and auditors.

Get Started

Start securing your SONiC fabric today

SONiC Guardian is available now for SONiC deployments running on PalC-supported hardware. Request access and our team will set up a personalised demo with your own switches.

  • Deploy in under 30 minutes: PalC handles agent packaging and controller setup for your environment.
  • Works with your existing Guardian: If you already run Guardian, agents integrate directly into your existing deployment.
  • Zero impact on forwarding plane: The Guardian container runs in the control plane so switching performance is unaffected.
  • Dedicated onboarding support: PalC's SONiC engineers guide deployment, ruleset tuning, and dashboard setup.

Request Early Access

Tell us about your environment and we'll be in touch within one business day.


Need switch-level security for your SONiC fabric?

Talk to the PalC team about deploying SONiC Guardian for real-time monitoring, compliance visibility, and switch-native security operations.
