Configuring the Firewall Log Analyzer

Updated 2 months ago by Andrew Hill

Overview

The Firewall Log Analyzer works similarly to an Intrusion Detection System, but without buying and installing an expensive device (if you already have an IDS/IPS, our app can help make sense of those logs too!).

You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software to find malicious traffic, data leaks, and a wide variety of reconnaissance and attack vectors. Any event triggers an immediate alert that appears on your RocketCyber dashboard.

Configuring Firewall Log Analyzer

  1. Go to the App Store and enable the Firewall Log Analyzer app.
  2. Go to a customer. (This app must be configured at the customer level. This allows each customer's logs to be sent to one of their own machines for processing, if that is desired for business or compliance reasons.)
  3. Select the gear at the bottom of the tile to configure the Firewall Log Analyzer.
  4. There are a lot of configuration options. Let's start on the Basic tab, which holds the basic configuration options that apply to all firewalls for this client.

    Setting: Monitoring Device
    Action: This selects which of your RocketCyber-connected computers will be used to process the firewall logs.

    Setting: Listen IP/Listen Port
    Action: This is the IP and port on which the monitoring machine will listen in order to receive the firewall logs (i.e. the IP of the device the agent is running on). For example, if this is 192.168.12.20:514, the machine will listen for firewall log traffic at 192.168.12.20 on port 514.

    The default value is 127.0.0.1. This will not work; you MUST change it to the correct IP for your network.

    Setting: Forward IP/Port
    Action: Do you have log retention requirements, or your own log analysis system you don't want to give up? Once we are done with the firewall logs, we will forward the original log data to this IP/Port.

    Setting: Protocol
    Action: Do you want to send the logs via TCP or UDP?

    Setting: Max Daily Results
    Action: Worried about these overwhelming your RocketCyber account or providing so much data you can't process the results? This allows you to limit how many results we report per day.

    Setting: Local Log Save/Save Size
    Action: These last two settings allow you to save a copy of your logs to the local hard drive of the machine doing the processing, and to manage how large that log file can become. NOTE that this has a performance impact; if you already have a log system in place, forwarding the logs is preferable.

    Setting: Enabled Countries
    Action: This allows you to set the countries which normally interact with your customers. Move any country you expect normal traffic from to No.

    For many MSPs in the United States, consistent traffic from the default countries shown is a warning sign. However, if your clients do considerable business overseas or in one of these countries, traffic from these countries may be perfectly normal. We will customize our search based on your specific circumstances.

    Setting: Don't Report Events Lower Than This Priority
    Action: The vast majority of notifications you will receive from a firewall deal with events which do not need any action on your part (e.g. malicious email attachment blocked). This can be several thousand results a day, which would completely overwhelm your dashboard and hide any real threats in the noise.

    This setting allows you to filter out low-priority notifications and only see what is important. In the case of a confirmed attack (or if you want to verify the app is functioning), you can change this setting to Info or Debug. The default is Error.

When looking for a specific country on the Enabled Countries list, ctrl-f is your friend.
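To make the Listen IP/Port, Forward IP/Port and priority-threshold settings above concrete, here is an added example (not RocketCyber's code, and not how the agent is implemented) of a minimal UDP syslog listener: it reads the standard syslog PRI field, keeps only lines at or above a severity threshold, and hands every original line to a forwarder regardless of that threshold. The mapping of the tab's Error/Info/Debug names onto syslog severity numbers (3, 6, 7) is an assumption of the example, and the loopback address is used only so the demo can send to itself.

```python
"""Added example (not RocketCyber's code): a minimal UDP syslog listener that
applies a "Don't Report Events Lower Than This Priority" threshold and hands the
untouched line to a forwarder, as the Basic tab's Forward IP/Port setting does."""
import re
import socket

# Standard syslog severities (RFC 3164/5424). Mapping the tab's Error/Info/Debug
# names onto these numbers is an assumption of this example.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> field, or None if missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 24 facilities * 8 severities - 1 is the largest legal value
        return None
    return pri // 8, pri % 8


def should_report(line, threshold="error"):
    """True when the line is at least as urgent as the threshold (lower number = more
    urgent). Lines with no PRI are reported rather than dropped silently."""
    parsed = parse_pri(line)
    if parsed is None:
        return True
    return parsed[1] <= SEVERITY[threshold.lower()]


def process(line, threshold="error", forward=None):
    """Forward the original line (if a forwarder is given) and return the report decision.
    Forwarding ignores the threshold, so a downstream log system still keeps everything."""
    if forward is not None:
        forward(line)
    return should_report(line, threshold)


def bind_listener(listen_ip, listen_port):
    """Bind a UDP socket the way the monitoring device listens for firewall logs."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((listen_ip, listen_port))
    return sock


def run_listener(sock, threshold="error", forward_to=None, max_messages=None):
    """Yield (line, reported) for each datagram on an already-bound socket.
    forward_to is an optional (ip, port) tuple for the raw-log forward."""
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) if forward_to else None
    forward = (lambda line: out.sendto(line.encode(), forward_to)) if out else None
    seen = 0
    try:
        while max_messages is None or seen < max_messages:
            data, _addr = sock.recvfrom(65535)
            line = data.decode("utf-8", errors="replace").rstrip("\r\n")
            yield line, process(line, threshold, forward)
            seen += 1
    finally:
        sock.close()
        if out:
            out.close()


if __name__ == "__main__":
    # Self-contained demo: loopback is used only so this script can send to itself.
    # A real deployment must listen on the agent host's LAN address, not 127.0.0.1.
    samples = [  # constructed lines, not real firewall output
        "<11>Jun 12 10:15:01 fw01 ids: attack detected from 203.0.113.7",   # severity 3 (error)
        "<134>Jun 12 10:15:02 fw01 vpn: tunnel up for user alice",          # severity 6 (info)
        "<135>Jun 12 10:15:03 fw01 kernel: debug counters reset",           # severity 7 (debug)
    ]
    sock = bind_listener("127.0.0.1", 0)       # port 0: pick any free port for the demo
    sock.settimeout(2)
    port = sock.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for s in samples:
        sender.sendto(s.encode(), ("127.0.0.1", port))
    sender.close()
    for line, reported in run_listener(sock, "error", max_messages=len(samples)):
        print("REPORT" if reported else "drop  ", line)
```

With the threshold at Error only the first constructed line is reported; lowering it to Info (as the Common Problems section suggests for verifying the setup) also reports the VPN line. Note that the forwarder receives all three lines either way, which is the behaviour you want when a separate retention system depends on the Forward IP/Port.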
  5. Now select the section relevant to your brand of firewall product. We have selected reasonable default rules that will keep you protected without creating too many false positives. However, each network is unique and you know your customers better than we do. Modify the selected events as desired.
    1. Cisco Meraki
      1. Meraki firewalls report events based on different types. HTTP GET requests will monitor traffic and inform you only of unexpected traffic or traffic coming from unusual locations (e.g. countries on the Enabled Countries list).
      2. Rogue SSID and SSID spoofing will monitor for attempts to hijack network traffic by convincing client devices that the malicious device is part of the legitimate network.
      3. IDS match finds a variety of dangerous traffic such as known viruses.
      4. Packet flood detection warns you of Denial of Service attacks against your network, as well as certain types of network reconnaissance.
      5. Changes in VPN connectivity and IP session initiations can provide useful information, but on most systems they create far too much noise.
    2. Fortinet
      1. FortiGuard block events often have lower noise than allow events, since they only occur when the firewall believes something is wrong (whereas allow events will be extremely common even if all traffic is legitimate).
      2. ActiveX is bad. Kill it with fire.
      3. The two intrusion attempt categories handle different situations, so it is advised that both stay enabled.
      4. Reputation lookups will only return results if they come from a country which you configured as bad in the Basic tab.
    3. SonicWall
      1. SonicWall log reporting is done differently than its competitors. The logs relate to more specific events, which can then be generally grouped by behaviors. In addition, in some cases SonicWall will create duplicates of the event with different levels of certainty (i.e. attack - low confidence, attack - high confidence).
      2. We have listed all generally security-relevant event types. Because these are specific events rather than categories, it is easier to decide whether each is relevant to you.
      3. These are all legitimate security concerns, so if you are on the Pro plan and not sure which to select, it is reasonable to leave them all enabled or disable only the low-confidence alerts.
      4. In general, it is a bad idea to disable things with "attack" in the name. Disabling low-confidence detections or reminders of expirations (e.g. "AV Expired") may be more reasonable depending on your particular situation.
    4. Don't see your brand of firewall? Contact us to ask when it will be available.
Don't forget to click "Create" or "Update" when you are done!

Otherwise your configuration settings won't be saved.
  6. If you have not already done so, add a syslog forward to your firewall.
    1. In most firewall admin consoles, there will be some type of Syslog or Monitoring menu with the option to enable/add Syslog Forwarding.
    2. Select this menu item, and you will be given a place to input a target IP and port for the syslog forwarding.
    3. Input the values you entered in Listen IP and Listen Port.
  7. You should see a single notification on your dashboard. It should be an informational alert saying CONNECTED.
    1. If you do not see this alert after a few minutes, there may be a problem.

Common Problems

  1. Windows Firewall blocking incoming traffic on the machine.
  2. Accidentally putting the firewall's IP instead of the monitoring device's IP.
  3. Not adding a syslog forwarding rule on the firewall to send the logs to the Firewall Analyzer (step 6 above).
  4. By default, our filtering removes informational messages that do not require any action on your part. If you want to verify that everything works, try going to the configuration menu and changing the Don't Report Events Lower Than This Priority setting to Info.
    One exception is IP Reputation Lookup. Traffic from malicious IPs will be displayed even though it has an Info priority level.

    If you wish to block this traffic, use the Whitelist capabilities in the Review pane:
    select traffic --> click "Action" button in bottom right --> "Add to Whitelist"
  5. Windows Server 2019 sometimes experiences problems when used as the monitoring platform. Try a non-Server 2019 machine. If you would like updates on the status of Server 2019 support, let us know.
  6. If you are experiencing problems using UDP/TCP, try using the other.
  7. If you are using a firewall that allows you to configure the severity level of syslog events being sent, set the severity to info.
  8. Ensure your logs are being sent space-separated (not comma-separated).
  9. If needed, try restarting the agent.
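Two of the problems in this list (a Listen IP that is really the firewall's address or the 127.0.0.1 default, and comma-separated instead of space-separated logs) can be caught on the monitoring machine before the firewall is pointed at it. The following pre-flight check is an added example, not RocketCyber's tooling; the bind-to-port-0 trick for testing whether an address belongs to this host, and the key=value counting heuristic for the delimiter check, are this example's own choices.

```python
"""Added example (not RocketCyber's code): pre-flight checks on the monitoring machine
for a Listen IP that is not this machine's address and for comma-separated log lines."""
import ipaddress
import re
import socket

PRI_RE = re.compile(r"^<\d{1,3}>")


def is_local_address(ip):
    """True if this host can bind a UDP socket to ip, i.e. the address belongs to one of
    its interfaces. The firewall's own IP or a typo fails here (EADDRNOTAVAIL)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((ip, 0))   # port 0 = any free port; only the address is being tested
        return True
    except OSError:
        return False
    finally:
        sock.close()


def check_listen_ip(ip):
    """Return a list of findings for the configured Listen IP; empty means it looks usable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [f"{ip} is not a valid IP address"]
    if addr.is_loopback:
        return ["loopback address: the default 127.0.0.1 cannot receive logs from the "
                "firewall; use this machine's LAN IP"]
    if not is_local_address(ip):
        return [f"{ip} is not assigned to this machine: did you enter the firewall's IP "
                "instead of the monitoring device's?"]
    return []


def delimiter_style(line):
    """Classify a key=value firewall log line as 'space' or 'comma' separated.
    Heuristic: whichever split yields more key=value tokens is the delimiter in use."""
    body = PRI_RE.sub("", line, count=1)
    by_space = sum("=" in tok for tok in body.split(" "))
    by_comma = sum("=" in tok for tok in body.split(","))
    if by_space == 0 and by_comma == 0:
        return "unknown"
    return "comma" if by_comma > by_space else "space"


def preflight(listen_ip, sample_lines):
    """Run both checks; returns a list of findings (empty = nothing obviously wrong)."""
    findings = check_listen_ip(listen_ip)
    if any(delimiter_style(line) == "comma" for line in sample_lines):
        findings.append("comma-separated log format detected; switch the firewall to "
                        "space-separated output")
    return findings


if __name__ == "__main__":
    samples = [  # constructed lines, not real firewall output
        "<134>date=2024-06-12 time=10:15:01 devname=fw01 action=deny srcip=203.0.113.7",
    ]
    # Deliberately checks the unusable default so the demo prints a finding.
    for finding in preflight("127.0.0.1", samples) or ["no findings"]:
        print("-", finding)
```

Run it with the Listen IP you intend to configure and a line or two captured from the firewall's syslog output; an empty result means the address is one of this machine's own and the sample lines are space-separated. It does not check Windows Firewall rules, which remain a separate thing to verify on the host.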

If you have any questions about the Firewall Log Analyzer not covered here, feel free to contact support via email or using chat on our website.

