FortiSIEM Configuring Firewalls

Configuring Firewalls

AccelOps supports these firewalls for discovery and monitoring.

Check Point FireWall-1 Configuration

Check Point Provider-1 Firewall Configuration

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Check Point VSX Firewall Configuration

Cisco Adaptive Security Appliance (ASA) Configuration

Dell SonicWALL Firewall Configuration

Fortinet FortiGate Firewall Configuration

Juniper Networks SSG Firewall Configuration

McAfee Firewall Enterprise (Sidewinder) Configuration

Palo Alto Firewall Configuration

Sophos UTM Firewall Configuration

WatchGuard Firebox Firewall Configuration

Check Point FireWall-1 Configuration

What is Discovered and Monitored

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

In CMDB > Event Types, search for “firewall-1” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC Applications icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  7. Click Communication.
  8. Enter a one-time password.

This is the activation key you will enter when setting up access credentials for your firewall in AccelOps. It is consumed once, when SIC trust is established between the firewall and AccelOps, so choose a strong value and do not reuse it elsewhere.

  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Keep SOURCE limited to the AccelOps host object. This rule opens the LEA and CPMI management services on the firewall, and widening it to Any would expose them to every host that can reach the firewall.

Settings for Access Credentials

Check Point Provider-1 Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration Overview

Component Configuration for Domain-Level Audit Logs

Component Configuration for Firewall Logs

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration Overview

The configuration of Check Point Provider-1 depends on the type of log that you want sent to AccelOps. There are two options:

Domain level audit logs, which contain information such as domain creation, editing, etc.

Firewall logs, which include both the audit log for firewall policy creation, editing, etc., and traffic logs

These logs are generated and stored among four different components:

Multi-Domain Server (MDS), where domains are configured and certificates have to be generated

Multi-Domain Log Module (MLM), where domain logs are stored

Customer Management Add-on (CMA), the customer management module

Customer Log Module (CLM), which consolidates logs for an individual customer/domain

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Component Configuration for Domain-Level Audit Logs

  1. Configure MDS.
  2. Use the Client SIC obtained while configuring MDS to configure MLM.
  3. Pull logs from MLM.

Component Configuration for Firewall Logs

  1. Configure CMA.
  2. Use the Client SIC obtained while configuring CMA to configure CLM.
  3. Pull logs from CLM.

If you want to pull firewall logs from a domain, you have to configure CLM for that domain.

See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Configuring MDS for Check Point Provider-1 Firewalls

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates

Settings for Access Credentials

The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with AccelOps. If you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to AccelOps, you must first configure and discover MDS, then use the AO Client SIC created for your AccelOps OPSEC application to configure the access credentials for MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

You will use the MDS Server SIC to create access credentials in AccelOps for communicating with your server.

  1. Log in to your Check Point SmartDomain Manager.
  2. Select Multi-Domain Server Contents.
  3. Select MDS, and then right-click to select Configure Multi-Domain Server… .
  4. In the General tab, under Secure Internal Communication, note the value for DN.

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC Applications icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  7. Click Communication.
  8. Enter a one-time password.

This is the activation key you will enter when setting up access credentials for your firewall in AccelOps. It is consumed once, when SIC trust is established between the firewall and AccelOps, so choose a strong value and do not reuse it elsewhere.

  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Keep SOURCE limited to the AccelOps host object. This rule opens the LEA and CPMI management services on the firewall, and widening it to Any would expose them to every host that can reach the firewall.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click
  4. Enter the SIC DN of your application.

Copy Server SIC

  1. In the Firewall tab, go to Manage.
  2. Click the Network Object icon, and then right-click to select Check Point Gateway.
  3. Click Edit.
  4. Enter the SIC DN.
  5. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

  1. Configure the Check Point Provider-1 MDS credential with these values.

Activation key is the one-time password you entered under Communication when you created the OPSEC application for AccelOps.

AO Client SIC is the DN shown next to Communication in the General tab of the OPSEC application after you initialized it.

MDS Server SIC is the DN you noted in Get the MDS Server SIC for AccelOps Access Credentials.

  2. Click Generate Certificate. It should be successful. Note that the button will be labeled Regenerate Certificate if you have

Configuring MLM for Check Point Provider-1 Firewalls

Prerequisites

Configuration

Get MLM Server SIC for Setting Up AccelOps Access Credentials

Settings for Access Credentials

Prerequisites

You need to have configured and discovered your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your AccelOps OPSEC application in the MDS to set up the access credentials for your MLM in AccelOps.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get MLM Server SIC for Setting Up AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. In the General tab, click Multi-Domain Server Contents.
  3. Right-click MLM and select Configure Multi-Domain Server… .
  4. Next to Communication, note the value for DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to AccelOps, you need to first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and AccelOps.

Configuration

Get CMA Server SIC for Setting Up AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General tab.
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > SmartDashboard.
  5. Select the Desktop tab.
  6. Select the Network Objects icon.
  7. Double-click on the Domain Management Server to view the General Properties.
  8. Click Test SIC Status… .

Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for AccelOps to access your CMA server.

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC Applications icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  7. Click Communication.
  8. Enter a one-time password.

This is the activation key you will enter when setting up access credentials for your firewall in AccelOps. It is consumed once, when SIC trust is established between the firewall and AccelOps, so choose a strong value and do not reuse it elsewhere.

  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Keep SOURCE limited to the AccelOps host object. This rule opens the LEA and CPMI management services on the firewall, and widening it to Any would expose them to every host that can reach the firewall.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring CLM for Check Point Provider-1 Firewalls

Prerequisites

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

Settings for Access Credentials

Prerequisites

You must first configure and discover the Check Point CMA and obtain the AO Client SIC before you can configure the Customer Log Module (CLM). The AO Client SIC is generated when you create the AccelOps OPSEC application.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General tab.
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > SmartDashboard.
  5. Select the Desktop tab.
  6. Click the Network Objects icon.
  7. Under Check Point, select the CLM host and double-click to open the General Properties.
  8. Under Secure Internal Communication, click Test SIC Status… .
  9. In the SIC Status dialog, note the value for DN.

This is the CLM Server SIC that you will use in setting up access credentials for the CLM in AccelOps.

  10. Click Close.
  11. Click OK.

Install the Database

  1. In the Actions menu, select Policy > Install Database… .
  2. Select the MDS Server and the CLM, and then click OK. The database will install in both locations.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Check Point VSX Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates

Settings for Access Credentials

What is Discovered and Monitored

AccelOps uses SNMP and LEA to discover the device and to collect logs, configurations and performance metrics.

Protocol: SNMP
Information discovered: Host name, Firewall model and version, Network interfaces
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: LEA
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard.
  3. Select the Firewall tab.
  4. Click the Network Objects icon.
  5. Select Nodes, and then right-click to select Node > Host… .
  6. Select General Properties.
  7. Enter a Name for your AccelOps host, like AccelOpsVA.
  8. Enter the IP Address of your AccelOps virtual appliance.
  9. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC Applications icon.
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General tab.
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  7. Click Communication.
  8. Enter a one-time password.

This is the activation key you will enter when setting up access credentials for your firewall in AccelOps. It is consumed once, when SIC trust is established between the firewall and AccelOps, so choose a strong value and do not reuse it elsewhere.

  9. Click Initialize.
  10. Close and re-open the application.
  11. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,O=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and OPSEC > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  6. Right-click ACTION and select Accept.
  7. Right-click TRACK and select Log.
  8. Go to Policy > Install.
  9. Click OK.
  10. Go to OPSEC Applications and select your AccelOps application.
  11. In the General tab of the Properties window, make sure that communication has been established between your firewall and AccelOps.

Keep SOURCE limited to the AccelOps host object. This rule opens the LEA and CPMI management services on the firewall, and widening it to Any would expose them to every host that can reach the firewall.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click
  4. Enter the SIC DN of your application.

Copy Server SIC

  1. In the Firewall tab, go to Manage.
  2. Click the Network Object icon, and then right-click to select Check Point Gateway.
  3. Click Edit.
  4. Enter the SIC DN.
  5. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Cisco Adaptive Security Appliance (ASA) Configuration

What is Discovered and Monitored

Sample Cisco ASA Syslog

Commands Used During Telnet/SSH Communication

Set Up AccelOps as a NetFlow Receiver

Create a NetFlow Service Policy

Configure the Template Refresh Rate

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
Information discovered: Host name, Hardware model, Network interfaces, Hardware component details: serial number, model, manufacturer, software and firmware versions of components such as fan, power supply, network cards etc., Operating system version, SSM modules such as IPS
Metrics collected: Uptime, CPU and Memory utilization, Free processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Hardware health: temperature, fan and power supply status

Protocol: SNMP (V1, V2c, V3)
Information discovered: OSPF connectivity, neighbors, state, OSPF Area
Metrics collected: OSPF state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: IPSec VPN Phase 1 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent Invalid Exchanges, Invalid Received Pkt Dropped, Received Exchanges Rejected, Received Exchanges Invalid. IPSec VPN Phase 2 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent Dropped Packets, Received/Sent Auth Failed, Sent Encrypted Failed, Received Decrypt Failed, Received Replay Failed
Used for: Performance Monitoring

Protocol: Telnet/SSH
Information discovered: Running and startup configuration, Interface security levels, Routing tables, Image file name, Flash memory size
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: Telnet/SSH
Metrics collected: Virtual context for multi-context firewalls, ASA interface security levels needed for setting source and destination IP address in syslog based on interface security level comparisons, ASA name mappings from IP addresses to locally unique names needed for converting names in syslog to IP addresses

Protocol: NetFlow (V9)
Information discovered: Open server ports
Metrics collected: Traffic logs (for ASA 8.x and above)
Used for: Security and Compliance

Protocol: Syslog
Information discovered: Device type
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

In CMDB > Event Types, search for “asa” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “asa” in the Description column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “asa” in the Description column to see the reports associated with this device.

Configuration

SNMP

  1. Log in to your ASA with administrative privileges.
  2. Configure SNMP with this command.

The ASA supports SNMP v3 (see the table above). Prefer v3 with authentication and privacy over v1/v2c, whose community string is sent in clear text; if you must use v2c, use a non-default community and restrict it to the AccelOps address.

Syslog

  1. Log in to your ASA with administrative privileges.
  2. Enter configuration mode (config terminal).
  3. Enter the following commands:

no names
logging enable
logging timestamp
logging monitor errors
logging buffered errors
logging trap debugging
logging debug-trace
logging history errors
logging asdm errors
logging mail emergencies
logging facility 16
logging host <ASA interface name> <AccelOps IP>

no names makes the ASA log IP addresses rather than locally defined name aliases, so AccelOps does not have to map names back to addresses. logging trap debugging sends every severity (0 through 7) to the syslog host, which is what AccelOps needs for traffic logs but is also the highest-volume setting. logging facility 16 marks the messages as local0 (facility code 16), so the syslog PRI of each message is 16 * 8 plus its severity.
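The following is an added example, not FortiSIEM/AccelOps code and not the page's own sample syslog. It parses ASA syslog the way a collector receiving the configuration above would: it decodes the PRI into facility and severity and checks the facility against the configured 16, reads the %ASA-<severity>-<message ID> header, extracts interfaces, addresses and ports from the 302013/302014 connection messages and the 106023 access-list deny, flags a line in which a name alias appears instead of an address (the case no names prevents), and counts denies per source as a small piece of detection logic. SAMPLE_LINES are constructed for this example; the hostname asa-edge, the addresses, ports and connection IDs are assumptions.

```python
"""Parse Cisco ASA syslog as a collector would after the logging commands above.

Added example, not FortiSIEM/AccelOps code. SAMPLE_LINES are constructed, not captured:
the PRI <134> is facility 16 (local0) * 8 + severity 6, as 'logging facility 16' produces.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRI_RE = re.compile(r"^<(\d{1,3})>")
HDR_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")
# 302013/302014-style connection messages: "... for outside:IP/port (NAT) to inside:IP/port (NAT)"
CONN_RE = re.compile(r"(?:for|from) (\S+?):(\S+?)/(\d+)(?: \([^)]*\))? to (\S+?):(\S+?)/(\d+)")
# 106023 access-group denies: "Deny tcp src outside:IP/port dst inside:IP/port by access-group ..."
DENY_RE = re.compile(r"src (\S+?):(\S+?)/(\d+) dst (\S+?):(\S+?)/(\d+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class AsaEvent:
    facility: Optional[int]       # from the syslog PRI, None if the line carries no PRI
    pri_severity: Optional[int]   # severity from the PRI
    severity: int                 # severity from the %ASA-<sev>-<id> header
    msg_id: str
    text: str
    src_if: str = ""
    src: str = ""
    sport: int = 0
    dst_if: str = ""
    dst: str = ""
    dport: int = 0
    needs_name_resolution: bool = False  # a 'names' alias appeared where an address belongs
    facility_mismatch: bool = False      # PRI facility differs from the one the collector expects


def parse_asa_line(line: str, expected_facility: int = 16) -> Optional[AsaEvent]:
    """Return an AsaEvent for a %ASA- line, or None for anything else."""
    facility = pri_sev = None
    pri = PRI_RE.match(line)
    if pri:
        facility, pri_sev = divmod(int(pri.group(1)), 8)
    hdr = HDR_RE.search(line)
    if not hdr:
        return None
    ev = AsaEvent(facility, pri_sev, int(hdr.group(1)), hdr.group(2), hdr.group(3))
    ev.facility_mismatch = facility is not None and facility != expected_facility
    m = CONN_RE.search(ev.text) or DENY_RE.search(ev.text)
    if m:
        ev.src_if, ev.src, ev.dst_if, ev.dst = m.group(1), m.group(2), m.group(4), m.group(5)
        ev.sport, ev.dport = int(m.group(3)), int(m.group(6))
        # With 'names' enabled the ASA logs locally defined aliases; 'no names' avoids this,
        # otherwise the collector must map the alias back to an address itself.
        ev.needs_name_resolution = not (IPV4_RE.match(ev.src) and IPV4_RE.match(ev.dst))
    return ev


def top_denied_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    """Detection logic over a batch of lines: sources with the most 106023 denies."""
    counts = {}
    for line in lines:
        ev = parse_asa_line(line)
        if ev and ev.msg_id == "106023":
            counts[ev.src] = counts.get(ev.src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


SAMPLE_LINES = [  # constructed for this example
    '<134>Aug 20 2016 10:15:32 asa-edge : %ASA-6-302013: Built inbound TCP connection 1234567 '
    'for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.0.0.5/443 (198.51.100.5/443)',
    '<132>Aug 20 2016 10:15:33 asa-edge : %ASA-4-106023: Deny tcp src outside:203.0.113.77/4444 '
    'dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    '<132>Aug 20 2016 10:15:34 asa-edge : %ASA-4-106023: Deny tcp src outside:203.0.113.77/4445 '
    'dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]',
    # 'names' left enabled: the destination is an alias, not an address
    '<134>Aug 20 2016 10:15:35 asa-edge : %ASA-6-302013: Built inbound TCP connection 1234568 '
    'for outside:203.0.113.10/51235 (203.0.113.10/51235) to inside:webserver/443 (198.51.100.5/443)',
    # sent with the ASA default facility local4 (20) instead of the configured 16
    '<166>Aug 20 2016 10:15:36 asa-edge : %ASA-6-302014: Teardown TCP connection 1234567 '
    'for outside:203.0.113.10/51234 to inside:10.0.0.5/443 duration 0:00:01 bytes 5120 TCP FINs',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_asa_line(sample))
    print(top_denied_sources(SAMPLE_LINES))
```

Run it directly to print the parsed events. The fourth sample is flagged needs_name_resolution because webserver is not an address, and the fifth is flagged facility_mismatch because its PRI encodes facility 20; both are conditions worth alerting on in a collector, since each means the ASA configuration has drifted from the commands above.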

Sample Cisco ASA Syslog

SSH

  1. Log in to your ASA with administrative privileges.
  2. Configure SSH with this command.

Telnet

  1. Log in to your ASA with administrative privileges.
  2. Configure telnet with this command.

Telnet sends the login credentials and every command in clear text. Use SSH for AccelOps access unless there is a specific reason you cannot, and if you do enable Telnet, restrict it to the AccelOps address.

Commands Used During Telnet/SSH Communication

The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in AccelOps have permission to execute these commands.

  1. show running-config
  2. show version
  3. show flash
  4. show context
  5. show ip route
  6. enable
  7. terminal pager 0
  8. terminal length 0

NetFlow

NetFlow is an optimized protocol for collecting high-volume traffic logs. You should configure NetFlow with ASDM, the ASA device manager.

Set Up AccelOps as a NetFlow Receiver

  1. Log in to ASDM.
  2. Go to Configuration > Device Management > Logging > NetFlow.
  3. Under Collectors, click Add.
  4. For Interface, select the ASA interface over which NetFlow will be sent to AccelOps.
  5. For IP Address or Host Name, enter the IP address or host name for your AccelOps virtual appliance that will receive the NetFlow logs.
  6. For UDP Port, enter 2055.
  7. Click OK.
  8. Select Disable redundant syslog messages.

This prevents the NetFlow-equivalent events from also being sent via syslog, which would otherwise deliver the same connection events to AccelOps twice.

  9. Click Apply.

Create a NetFlow Service Policy

  1. Go to Configuration > Firewall > Service Policy Rules.
  2. Click Add.

The Service Policy Wizard will launch.

  3. Select Global – apply to all interfaces, and then click Next.
  4. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
  5. For Source and Destination, select Any, and then click Next.
  6. For Flow Event Type, select All.
  7. For Collectors, select the AccelOps virtual appliance IP address.
  8. Click OK.

Configure the Template Refresh Rate

This is an optional step. The template refresh rate is the number of minutes between template records sent to AccelOps. The default is 30 minutes, and in most cases this is sufficient. NetFlow v9 data records carry no field layout of their own; the layout is described by a template record that the ASA exports separately, so AccelOps cannot process a flow until it has received the template that flow refers to. Lowering the refresh rate is not always needed, but if flows are not showing up in AccelOps even though tcpdump shows them arriving, it is worth trying.
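To make the template dependency concrete, here is an added example (not FortiSIEM/AccelOps code) of a NetFlow v9 decoder with a template cache, of the kind a collector listening on UDP 2055 would run. Data flowsets that arrive before their template are held, the template releases them, and later data decodes immediately. The exporter side is included so the example runs offline: the packets are built from constructed flow records, not captured from an ASA, and the element numbers are the standard NetFlow v9 field types.

```python
"""NetFlow v9 decoder with a template cache: a data record cannot be decoded
until the exporter's template for it has been received.

Added example, not FortiSIEM/AccelOps code. Packets are built here from
constructed flow records, not captured from an ASA; element numbers are the
standard NetFlow v9 field types (IN_BYTES=1, PROTOCOL=4, ...).
"""
import struct
from collections import defaultdict

IN_BYTES, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 1, 4, 7, 8, 11, 12
FIELD_NAMES = {1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_addr", 11: "dst_port", 12: "dst_addr"}
TEMPLATE_ID = 256  # data flowset IDs >= 256 name the template that describes them
TEMPLATE = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4)]


def _value(ftype, raw):
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class NetflowV9Decoder:
    def __init__(self):
        self.templates = {}               # (source_id, template_id) -> [(type, length), ...]
        self.pending = defaultdict(list)  # data flowsets that arrived before their template

    def feed(self, packet):
        """Consume one export packet; return the records decodable at this point."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, off = [], 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                break                                   # malformed; stop rather than spin
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                              # template flowset
                records.extend(self._add_templates(source_id, body))
            elif fs_id >= 256:                          # data flowset
                key = (source_id, fs_id)
                if key in self.templates:
                    records.extend(self._decode(self.templates[key], body))
                else:
                    self.pending[key].append(body)      # hold until the template arrives
            off += fs_len
        return records

    def _add_templates(self, source_id, body):
        released, off = [], 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            fields = [struct.unpack("!HH", body[off + 4 + 4 * i:off + 8 + 4 * i]) for i in range(nfields)]
            off += 4 + 4 * nfields
            self.templates[(source_id, tid)] = fields
            for held in self.pending.pop((source_id, tid), []):   # now decodable
                released.extend(self._decode(fields, held))
        return released

    @staticmethod
    def _decode(fields, body):
        rec_len = sum(flen for _, flen in fields)
        out, off = [], 0
        while off + rec_len <= len(body):               # trailing padding is shorter than a record
            rec, p = {}, off
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = _value(ftype, body[p:p + flen])
                p += flen
            out.append(rec)
            off += rec_len
        return out


# Exporter side, so the example runs offline: build the packets an exporter would send.
def build_packet(source_id, seq, flowsets):
    # the count field is advisory here; the decoder walks flowsets by their length fields
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, seq, source_id) + b"".join(flowsets)


def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, fl) for t, fl in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def data_flowset(tid, fields, records):
    body = b""
    for rec in records:
        for ftype, flen in fields:
            v = rec[ftype]
            body += bytes(int(x) for x in v.split(".")) if isinstance(v, str) else v.to_bytes(flen, "big")
    pad = (-len(body)) % 4                              # flowsets are padded to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\x00" * pad


SAMPLE_FLOWS = [  # constructed for this example
    {IPV4_SRC_ADDR: "203.0.113.10", IPV4_DST_ADDR: "10.0.0.5", L4_SRC_PORT: 51234, L4_DST_PORT: 443, PROTOCOL: 6, IN_BYTES: 5120},
    {IPV4_SRC_ADDR: "10.0.0.9", IPV4_DST_ADDR: "198.51.100.7", L4_SRC_PORT: 40001, L4_DST_PORT: 53, PROTOCOL: 17, IN_BYTES: 120},
]


def demo():
    """Data before its template is held; the template releases it; later data decodes at once."""
    dec = NetflowV9Decoder()
    data = data_flowset(TEMPLATE_ID, TEMPLATE, SAMPLE_FLOWS)
    first = dec.feed(build_packet(1, 1, [data]))
    held = sum(len(v) for v in dec.pending.values())
    second = dec.feed(build_packet(1, 2, [template_flowset(TEMPLATE_ID, TEMPLATE)]))
    third = dec.feed(build_packet(1, 3, [data]))
    return first, held, second, third


if __name__ == "__main__":
    print(demo())
```

demo() returns an empty list for the first packet, a held count of 1, and the two flows only once the template packet has been fed; this is the window the template refresh rate controls, since a collector that starts (or restarts) between two template exports sees nothing decodable until the next one. A real collector also needs to bound the pending buffer, because an exporter whose templates never arrive would otherwise grow it without limit.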

You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials

Dell SonicWALL Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: CPU Utilization, Memory utilization and Firewall Session Count
Used for: Availability and Performance Monitoring

Protocol: Syslog
Information discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “sonicwall” in the Device Type column to see the event types associated with Dell SonicWALL firewalls.

Rules

There are no predefined rules for Dell SonicWALL firewalls.

Reports

There are no predefined reports for Dell SonicWALL firewalls.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Dell SonicWALL Firewall Administrator’s Guide (PDF)

Syslog

  1. Log in to your SonicWALL appliance.
  2. Go to Log > Syslog.

Keep the default settings.

  3. Under Syslog Servers, click Add.

The Syslog Settings wizard will open.

  4. Enter the IP Address of your AccelOps Supervisor or Collector.

Keep the default Port setting of 514.

  5. Click OK.
  6. Go to Firewall > Access Rules.
  7. Select the rule that you want to use for logging, and then click Edit.
  8. In the General tab, select Enable Logging, and then click OK.

Repeat for each rule that you want to enable for sending syslogs to AccelOps. Traffic matching a rule without Enable Logging set never reaches AccelOps, so check the deny rules as well as the permit rules.

Your Dell SonicWALL firewall should now send syslogs to AccelOps.

Example Syslog

Settings for Access Credentials

Fortinet FortiGate Firewall Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored

Protocol: SNMP
Information discovered: Host name, Hardware model, Network interfaces, Operating system version
Metrics collected: Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE)
Used for: Availability and Performance Monitoring

Protocol: Telnet/SSH
Information discovered: Running configuration
Metrics collected: Configuration Change
Used for: Performance Monitoring, Security and Compliance

Protocol: Syslog
Information discovered: Device type
Metrics collected: All traffic and system logs
Used for: Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “fortigate” in the Name and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortigate” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that AccelOps will use to communicate with your device, and then click Edit.
  4. For Administrative Access, make sure that SSH and SNMP are selected.
  5. Click OK.
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show firewall address
  2. show full-configuration

Syslog

  1. Log in to your firewall as an administrator.
  2. Go to Log & Report > Log Config > Syslog.
  3. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your AccelOps virtual appliance.
  4. Make sure that CSV format is not selected. With the CLI note th
  5. Connect to the FortiGate firewall over SSH and log in.
  6. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 168.53.2 with the IP address of your AccelOps virtual appliance.

Example FortiGate Syslog

Settings for Access Credentials
Juniper Networks SSG Firewall Configuration

What is Discovered and Monitored

SNMP and SSH

Create SNMP Community String and Management Station IP

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

Set AccelOps as a Destination Syslog Server

Set the Severity of Syslogs to Send to AccelOps

Sample Parsed FortiGate Syslog

Settings for Access Credentials

What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for
SNMP | Host name, Hardware model, Network interfaces, Operating system version | Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count | Availability and Performance Monitoring
Telnet/SSH | Running configuration | Configuration Change | Performance Monitoring, Security and Compliance
Syslog | Device type | Traffic log, Admin login activity logs, Interface up/down logs | Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “SSG” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

Enable SNMP, SSH, and Ping

  1. Log in to your firewall’s device manager as an administrator.
  2. Go to Network > Interfaces > List.
  3. Select the interface and click Edit.
  4. Under Service Options, for Management Services, select SNMP and SSH.
  5. For Other Services, select Ping.

Create SNMP Community String and Management Station IP

  1. Go to Configuration > Report Settings > SNMP.
  2. If the public community is not available, create it and provide it with read-only access.
  3. Enter the Host IP address and Netmask of your AccelOps virtual appliance.
  4. Select the Source Interface that your firewall will use to communicate with AccelOps.
  5. Click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

  1. Go to Policies.
  2. Select a policy and click Options.
  3. Select Logging.
  4. Click OK.

Set AccelOps as a Destination Syslog Server

  1. Go to Configuration > Report Settings > Syslog.
  2. Select Enable syslog messages.
  3. Select the Source Interface that your firewall will use to communicate with AccelOps.
  4. Under Syslog servers, enter the IP/Hostname of your AccelOps virtual appliance.
  5. For Port, enter 514.
  6. For Security Facility, select LOCALD.
  7. For Facility, select LOCALD.
  8. Select Event Log and Traffic Log.
  9. Select Enable.
  10. Click Apply.

Set the Severity of Syslogs to Send to AccelOps

  1. Go to Configuration > Report Setting > Log Settings.
  2. Click Syslog.
  3. Select the Severity Levels of the syslogs you want sent to AccelOps.
  4. Click Apply.

Sample Parsed FortiGate Syslog

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, global.CoX, 1363, CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not
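The two sample records above are comma-separated traffic records behind a standard syslog header, and the two differ by one field in front of the source zone (the first carries an address and "traffic, traffic log", the second "Category, Sub-Category"). The following is an added example, not parser code from FortiSIEM/AccelOps or from the firewall vendor, showing how such a record can be decoded without depending on fixed column offsets: it locates the "ip, port, ip, port" runs for source and destination and reads the zone, protocol, policy name and action relative to them. The field meanings (zone two fields before each run, second address pair assumed to be the translated address, policy seven and action ten fields after the destination run, device name at field 6) are inferred from these two samples only, not from vendor documentation, and both samples are embedded with their line breaks removed.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Syslog header in front of the comma-separated record.
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$")

# Both samples from this page, re-joined onto one line each.
SAMPLE_1 = ("<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, "
            "global.CoX, 1363, CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL), "
            "81.243.104.82, 64618, 81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, "
            "tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), "
            "(NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not")
SAMPLE_2 = ("<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26 09:09:40, 2009/08/26 08:09:49, "
            "global.CoX, 1363, CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82, 64618, "
            "81.243.104.82, 64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, "
            "1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, "
            "1323, 2181, 0, 0, 14, 1, no, 0, Not")


def _is_ipv4(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _is_port(s: str) -> bool:
    return s.isdigit() and int(s) <= 65535


def _find_endpoint(fields: List[str], start: int) -> Optional[int]:
    """Index of the first 'ip, port, ip, port' run at or after start."""
    for i in range(start, len(fields) - 3):
        if (_is_ipv4(fields[i]) and _is_port(fields[i + 1])
                and _is_ipv4(fields[i + 2]) and _is_port(fields[i + 3])):
            return i
    return None


def parse_ssg_traffic_log(line: str) -> Optional[Dict[str, object]]:
    """Decode one record into named fields; None if the shape is not recognised."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    fields = [f.strip() for f in m["body"].split(",")]
    src = _find_endpoint(fields, 0)
    if src is None or src < 2:
        return None
    # Layout assumed from the samples: src run (4 fields), dst zone, (NULL), dst run.
    dst = src + 6
    if _find_endpoint(fields, src + 4) != dst or dst + 10 >= len(fields):
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "reporter": m["host"],              # syslog header host (the management station here)
        "device": fields[6],                # firewall name, position assumed from the samples
        "src_zone": fields[src - 2],
        "src_ip": fields[src],
        "src_port": int(fields[src + 1]),
        "src_xlate_ip": fields[src + 2],    # assumed: post-translation address/port
        "src_xlate_port": int(fields[src + 3]),
        "dst_zone": fields[dst - 2],
        "dst_ip": fields[dst],
        "dst_port": int(fields[dst + 1]),
        "dst_xlate_ip": fields[dst + 2],
        "dst_xlate_port": int(fields[dst + 3]),
        "protocol": fields[dst + 4],
        "policy": fields[dst + 7],
        "action": fields[dst + 10],
    }


def summarize(rec: Dict[str, object]) -> str:
    """Compact one-liner of the kind an analyst wants in a search result."""
    return (f"{rec['action']} {rec['protocol']} {rec['src_ip']}:{rec['src_port']} ({rec['src_zone']}) -> "
            f"{rec['dst_ip']}:{rec['dst_port']} ({rec['dst_zone']}) by policy {rec['policy']} on {rec['device']}")


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        rec = parse_ssg_traffic_log(sample)
        print(summarize(rec) if rec else "unrecognised record")
```

Note that the PRI of 129 in both samples decodes to facility 16 (local0) with severity 1 (alert), consistent with the LOCAL0 facility selected in the steps above; if the collector filters on severity, an "accepted" traffic record arriving as an alert is the kind of mismatch this decode makes visible.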

Settings for Access Credentials
McAfee Firewall Enterprise (Sidewinder) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Sidewinder Syslog

What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In CMDB > Event Types, search for “sidewinder” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Sidewinder Syslog

Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_proxy,area=a_libproxycommon, type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1.community.int,event="session end",app_risk=low, app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6, dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_server=408,rule_name=BTC-inbound, cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP

Palo Alto Firewall Configuration

What is Discovered and Monitored

SNMP, SSH, and Ping

Set AccelOps as a Syslog Destination

Set the Severity of Logs to Send to AccelOps

Create a Log Forwarding Profile

Use the Log Forwarding Profile in Firewall Policies

Sample Parsed Palo Alto Syslog Message

Settings for Access Credentials

What is Discovered and Monitored
Protocol | Information Discovered | Metrics collected | Used for
SNMP | Host name, Hardware model, Network interfaces, Operating system version | Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count | Availability and Performance Monitoring
Telnet/SSH | Running configuration | Configuration Change | Performance Monitoring, Security and Compliance
Syslog | Device type | Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs | Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “palo alto” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “palo alto” in the Description column to see the reports associated with this device.

Configuration

SNMP, SSH, and Ping

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, click Setup.
  3. Click Edit.
  4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
  5. For SNMP Community String, enter public.
  6. If there are entries in the Permitted IP list, add the IP address of your AccelOps virtual appliance.
  7. Click OK.
  8. Go to Setup > Management and check that SNMP is enabled on the management interface.

Syslog

Set AccelOps as a Syslog Destination

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, go to Log Destinations > Syslog.
  3. Click New.
  4. Enter a Name for your AccelOps virtual appliance.
  5. For Server, enter the IP address of your virtual appliance.
  6. For Port, enter 514.
  7. For Facility, select LOG_USER.
  8. Click OK.

Set the Severity of Logs to Send to AccelOps

  1. In the Device tab, go to Log Settings > System.
  2. Click .. .
  3. For each type of log you want sent to AccelOps, select the AccelOps virtual appliance in the Syslog
  4. Click OK.

Create a Log Forwarding Profile

  1. In the Objects tab, go to Log Forwarding > System.
  2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your AccelOps virtual appliance for each type of log you want to send to AccelOps.
  3. Click OK.

Use the Log Forwarding Profile in Firewall Policies

  1. In the Policies tab, go to Security > System.
  2. For each security rule that you want to send logs to AccelOps, click Options.
  3. For Log Forwarding Profile, select the profile you created for AccelOps.
  4. Click OK.
Settings for Access Credentials


Sophos UTM Firewall Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | Configuration change, command execution | Log Management, Compliance and SIEM

Event Types

In CMDB > Event Types, search for “sophos-utm” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device’s product documentation, and FortiSIEM will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance. For Port, enter 514.

Sample Syslog Message

<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffCustoConteFilte (Custom_Default content filter action)" size="0" request="0xdc871600" url="http://a.com" referer="http://foo.com/bar/" error="" authtime="0" dnstime="1" cattime="24080" avscantime="0" fullreqtime="52627" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="154" reputation="unverified" categoryname="Web Ads"
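The Sophos UTM sample above and the Sidewinder sample in the McAfee section are both key=value records (space-separated with quoted values here, comma-separated with selectively quoted values for Sidewinder), which is the shape a SIEM parser has to handle before it can map fields onto a common schema. The following is an added example, not parser code from FortiSIEM/AccelOps or from either vendor: one tolerant key=value scanner that handles both layouts, quoted values containing spaces and empty quoted values, plus a small normalization onto common field names. The common names on the left of `_COMMON` and the choice of which vendor keys feed them are assumptions made for this example; both sample records are embedded verbatim from the page with line breaks and extraction spacing removed.

```python
import re
from typing import Dict, Optional, Tuple

# key=value or key="value with spaces", separated by spaces and/or commas.
_PAIR = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,]*))')
_PRI = re.compile(r"^<(?P<pri>\d{1,3})>")

# Both samples from this page, on one line each.
SIDEWINDER_SAMPLE = (
    'Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date="2011-06-18 14:34:08 +0000",fac=f_http_proxy,'
    'area=a_libproxycommon, type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,'
    'hostname=wcrfw1.community.int,event="session end",app_risk=low, app_categories=infrastructure,'
    'netsessid=1adc04dfcb760,src_geo=US,srcip=74.70.205.191,srcport=3393,srczone=external,protocol=6, '
    'dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,bytes_written_to_server=408,'
    'rule_name=BTC-inbound, cache_hit=1,start_time="2011-06-18 14:34:08 +0000",application=HTTP'
)
SOPHOS_SAMPLE = (
    '<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="GET" srcip="10.10.10.10" dstip="1.1.1.1" '
    'user="" group="" ad_domain="" statuscode="302" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_HttCffCustoConteFilte (Custom_Default content filter action)" size="0" '
    'request="0xdc871600" url="http://a.com" referer="http://foo.com/bar/" error="" authtime="0" '
    'dnstime="1" cattime="24080" avscantime="0" fullreqtime="52627" device="0" auth="0" '
    'ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" '
    'category="154" reputation="unverified" categoryname="Web Ads"'
)

# Assumed common schema: left side is this example's name, right side the
# vendor keys tried in order (first non-empty one wins).
_COMMON = {
    "src_ip": ("srcip",),
    "dst_ip": ("dstip",),
    "dst_port": ("dstport",),
    "outcome": ("action", "event"),
    "application": ("application", "sub"),
}


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """(facility, severity) from a leading <PRI>, or None if the record has none."""
    m = _PRI.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return (pri // 8, pri % 8) if pri <= 191 else None


def parse_kv(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one record; quoted values keep inner spaces and commas."""
    fields: Dict[str, str] = {}
    for m in _PAIR.finditer(line):
        # A quoted match consumes the whole quoted string, so "=" inside it is never a new key.
        fields[m["key"]] = m["quoted"] if m["quoted"] is not None else m["bare"]
    return fields


def normalize(fields: Dict[str, str]) -> Dict[str, str]:
    """Project vendor-specific keys onto the assumed common schema, skipping absent/empty ones."""
    out: Dict[str, str] = {}
    for common, candidates in _COMMON.items():
        for key in candidates:
            if fields.get(key, "") != "":
                out[common] = fields[key]
                break
    return out


if __name__ == "__main__":
    for name, sample in (("sidewinder", SIDEWINDER_SAMPLE), ("sophos-utm", SOPHOS_SAMPLE)):
        print(name, parse_pri(sample), normalize(parse_kv(sample)))
```

Two things the run makes visible: the Sidewinder sample carries no `<PRI>` at all, so facility and severity must come from the transport or the `pri=` key inside the record rather than the syslog header, and the Sophos record has no destination port key, so `dst_port` is simply absent from the normalized result rather than being guessed. The Sidewinder sample is also a plain key=value audit record rather than CEF, despite the CEF instruction above, which is worth checking against what the device actually emits.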

WatchGuard Firebox Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Firebox Syslog Message

What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For
Syslog | | |

Event Types

In CMDB > Event Types, search for “firebox” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.



This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
