FortiSIEM Configuring Load Balancers and Application Firewalls

Leave a reply
Configuring Load Balancers and Application Firewalls

AccelOps supports these load balancers and application firewalls for discovery and monitoring.

Brocade ServerIron ADX Configuration

Citrix Netscaler Application Delivery Controller (ADC) Configuration

F5 Networks Application Security Manager

F5 Networks Local Traffic Manager Configuration

F5 Networks Web Accelerator

Qualys Web Application Firewall

Brocade ServerIron ADX Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
SNMP Host name, serial number, hardware (CPU, memory, network interface etc) Uptime, CPU, Memory, Interface Utilization, Hardware status,

Real Server Statistics

 Performance/Availability

Monitoring

There are no predefined rules for this device other than covered by generic network devices.

Reports

There are no predefined reports for this device other than covered by generic network devices.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Citrix Netscaler Application Delivery Controller (ADC) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Permitted and Denied traffic Log analysis and compliance

Event Types

In CMDB > Event Types, search for “netscaler” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “nestler” in the Name column to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<182> 07/25/2012:19:56:41   PPE-0 : UI CMD_EXECUTED 473128 :  User nsroot – Remote_ip 10.13.8.75 – Command “show ns hostName” – Status “Success” <181> 07/25/2012:19:56:05  NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device “server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)” – State

UP <181> 07/25/2012:19:55:35  NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device “server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)” – State

DOWN

<182> 07/24/2012:15:37:08   PPE-0 : EVENT MONITORDOWN 472795 :  Monitor

Monitor_http_of_Domapps:80(10.50.15.14:80) – State DOWN

F5 Networks Application Security Manager

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Various application level attack scenarios – invalid directory access, SQL injections, cross site exploits. Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-asm” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<134>Jun 26 14:18:56 f5virtual.tdic.ae

ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n

 

F5 Networks Local Traffic Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
SNMP Host name, serial number, hardware (CPU, memory, network interface, disk etc) and software information (running and installed software) Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory urilization Performance/Availability

Monitoring
SNMP

Trap

   Exception situations including hardware failures, certain security attacks, Policy violations etc Performance/Availability

Monitoring
Syslog   Permitted and Denied traffic Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-LTM” in the Name column to see the event types associated with this device.

Search for “f5-BigIP” in  CMDB > Event Types to see event types associated with SNMP traps for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public                . Cold Start Trap (0) Uptime: 0:00:00.00         DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks:

(33131) 0:05:31.31                SNMPv2-MIB::snmpTrapOID.0 = OID:

SNMPv2-SMI::enterprises.3375.2.4.0.1

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Settings for Access Credentials

F5 Networks Web Accelerator

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Permitted traffic Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-web” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Qualys Web Application Firewall

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Permitted and Denied Web traffic Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

Qualys-WAF-Web-Request-Success

Qualys-WAF-Web-Bad-Request

Qualys-WAF-Web-Client-Access-Denied

Qualys-WAF-Web-Client-Error

Qualys-WAF-Web-Forbidden-Access-Denied

Qualys-WAF-Web-Length-Reqd-Access-Denied

Qualys-WAF-Web-Request

Qualys-WAF-Web-Request-Redirect

Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in CMDB > Reports > Device > Network > Web Gateway

Configuration

AccelOps processes events from this device via syslog sent in JSON format.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf –

QUALYS_WAF –

{“timestamp”:”2015-05-15T12:57:30.945-00:00″,”duration”:6011,”id”:”487c1

16c-4908-4ce3-b05c-eda5d5bb7045″,”clientIp”:”172.27.80.170″,”clientPort”

:9073,”sensorId”:”d3acc41f-d1fc-43be-af71-e7e10e9e66e2″,”siteId”:”41db09 70-8413-4648-b7e2-c50ed53cf355″,”connection”:{“id”:”bc1379fe-317e-4bae-a e30-2a382e310170″,”clientIp”:”172.27.80.170″,”clientPort”:9073,”serverIp “:”192.168.60.203″,”serverPort”:443},”request”:{“method”:”POST”,”uri”:”/ “,”protocol”:”HTTP/1.1″,”host”:”esers-test.foo.org”,”bandwidth”:0,”heade rs”:[{“name”:”Content-Length”,”value”:”645″},{“name”:”Accept”,”value”:”t ext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0. 8″},{“name”:”User-Agent”,”value”:”Mozilla/5.0 (Windows NT 6.1; WOW64)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36″},{“name”:”Content-Type”,”value”:”application/x-www-form-u rlencoded”},{“name”:”Referer”,”value”:”https://esers-test.ohsers.org/”}, {“name”:”Accept-Encoding”,”value”:”gzip, deflate”},{“name”:”Accept-Language”,”value”:”en-US,en;q=0.8″}],”headerOr der”:”HILCAUTRELO”},”response”:{“protocol”:”HTTP/1.1″,”status”:”200″,”me ssage”:”OK”,”bandwidth”:0,”headers”:[{“name”:”Content-Type”,”value”:”tex t/html; charset=utf-8″},{“name”:”Server”,”value”:”Microsoft-IIS/8.5″},{“name”:”C ontent-Length”,”value”:”10735″}],”headerOrder”:”CTXSDL”},”security”:{“au ditLogRef”:”b02f96e9-2649-4a83-9459-6a02da1a5f05″,”threatLevel”:60,”even ts”:[{“tags”:[“qid/226015″,”cat/XPATHi”,”cat/SQLi”,”qid/150003″,”loc/req /body/txtUserId”,”cfg/pol/applicationSecurity”],”type”:”Alert”,”rule”:”m ain/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3″,”messa ge”:”Condition escaping detected (SQL or XPATH injection) txtUserId.”,”confidence”:80,”severity”:60,”id”:”262845566″},{“tags”:[“ca t/correlation”,”qid/226016″],”type”:”Observation”,”rule”:”main/correlati on/1″,”message”:”Info: Threat level exceeded blocking threshold (60).”,”confidence”:0,”severity”:0,”id”:”262846018″},{“tags”:[“cat/corre lation”,”qid/226016″],”type”:”Observation”,”rule”:”main/correlation/1″,” message”:”Info: Blocking refused as blocking mode is

disabled.”,”confidence”:0,”severity”:0,”id”:”262846167″},{“tags”:[“cat/c orrelation”,”cat/XPATHi”,”qid/226015″],”type”:”Alert”,”rule”:”main/corre lation/1″,”message”:”Detected:

XPATHi.”,”confidence”:80,”severity”:60,”id”:”268789851″}]}}


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiSIEM on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.