Configuring the Firewall Analyzer

How to configure the Firewall Analyzer App

Overview

The Firewall Log Analyzer works similarly to an Intrusion Detection System, but without buying and installing an expensive device (if you have an IDS/IPS, our app can help make sense of those logs too!).

You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software to find malicious traffic, data leaks, and a wide variety of reconnaissance and attack vectors. Any events trigger an immediate alert that will appear on your RocketCyber dashboard.

Configuring Firewall Log Analyzer

  1. Go to the App Store and enable the Firewall Log Analyzer app.

  2. Go to a customer (This app must be configured at the customer level. This is to allow the flexibility to send each customer's logs to one of their own machines for processing if this is desired for business or compliance reasons)

  3. Select the gear at the bottom of the tile to configure the Firewall Log Analyzer

     
  4. There are a lot of configuration options. Let's start on the Syslog Configuration tab. This tab configures the selected agent as a Syslog server so that it can receive data from your firewall devices. 

     

    Screen Shot 2020-07-14 at 1.07.04 PM

     

Here, we will configure the options that will turn an installed RocketAgent into a syslog server to collect firewall log data.

Setting Action
Syslog Server Device This selects which of your RocketCyber-connected computers will be used a syslog server to collect syslog data from the desired firewalls. 
Syslog Server IP This is the IP address of the Syslog Server Device. Copy this IP address you will need it when configuring Syslog forwarding on your firewall.
Syslog Server Port This is the port that the Syslog Server Device will listen to in order to receive the firewall logs.

We recommend using the default 514
Syslog Server Protocol elect to receive the logs via  TCP or UDP. We recommend using the default UDP
Max Daily Results Worried about these overwhelming your RocketCyber account or providing so much data you can't process the results? This allows you to limit how many results we report per day
Local Log Save/Save Size These last two items allow you to save a copy of your logs to the local hard drive (of the machine doing the processing), and to manage how large that log file can become. NOTE that this will have a performance impact on the system.
Don't Report Events Lower Than This Priority The vast majority of notifications you will receive from a firewall deal with events which do not need any action on your part (e.g. malicious email attachment blocked). This can be several thousand results a day, which would completely overwhelm your dashboard and hide any real threats in the noise.

This setting allows you to filter out low-priority notifications and only see what is important. In the case of a confirmed attack (or if you want to verify the app is functioning), you can change this setting to Info or Debug. The default is Error

 

Reputation IP lookups are the one exception to the "Don't Report Events Lower Than This Priority" setting.

All connections are informational by nature. If you have lookups enabled, it is assumed you want advance warning of attacks, so these alerts are allowed through even though they are informational.

 

Next, Click on the Geo Location Tab


Screen Shot 2020-07-14 at 1.36.08 PM

Using the Geo Location tab you can enable or disable countries that you want to monitor traffic for. By default all countries except US are selected.

When looking for a specific country on the Enabled Countries list, ctrl-f is your friend

 

Configure Firewall Specific Items

Now select the Tab relevant to your brand of firewall product. We have selected reasonable default rules that will keep you protected without creating too many false positives. However, each network is unique and you know your customers better than we do. Modify the selected events as desired.

    1. Barracuda
    2. Cisco Meraki
    3. Fortinet
    4. PfSense
    5. SonicWall
    6. Sophos
    7. Ubiquiti
    8. Untangle
    9. WatchGuard
    10. Don't see your brand of firewall? Contact us to ask when it will be available

Don't forget to click "Create" or "Update" when you are done! Otherwise your configuration settings won't be saved

 

Setup Syslog Forwarding on Your Firewall

If you have not already done so, add a syslog forwarding rule to your firewall.

    1. In most firewall admin consoles, there will be some type of Syslog or Monitoring menu with the option to enable/add Syslog Forwarding
    2. Select this menu item, and you will be given a place to input a target IP and port for the syslog forwarding.
    3. Input the value from the Syslog Server IP and Syslog Server Port

If you have intelligent APs on your network and do not wish to have their logs analyzed/be charged for them, do not forward the AP logs in this step.

 

If data is successfully reaching the agent, you will see a notification in your dashboard saying that you are CONNECTED. If you do not see this alert after a few minutes, there may be a problem.

Common Problems

  1. Host based firewall blocking incoming traffic on the machine. By default the Firewall Analyzer will configure the Windows Firewall to allow inbound syslog traffic on the configured ports and protocols. You can verify the rule was created properly by opening the Windows Firewall, Clicking on Advanced and looking for a rule named RocketCyber Syslog Allow. If you are using another endpoint security product that has a host based firewall you will need to manually configure it to allow inbound traffic on the configured port and protocol.

  2. Accidentally putting the Firewall's IP instead of the monitoring device's IP

  3. Not adding a syslog forwarding rule on the firewall to send the logs to the Firewall Analyzer (step 6 above)

  4. By default, our filtering removes informational messages that do not require any action on your part. If you want to verify that everything works, try going to the configuration menu and changing the Don't Report Events Lower Than This Priority setting to Info 

  5. Windows Server 2019 is sometimes experiencing problems when used as the monitoring platform. Try a non-Server 2019 machine. If you would like updates on the status of Server 2019 support, let us know

  6. If you are experiencing problems using UDP/TCP, try using the other

  7. If you are using a firewall that allows you to configure the severity level of syslog events being sent, set severity to info

  8. Ensure your logs are being sent space-separated (not comma-separated)

  9. If needed, try restarting the agent

One exception to filtering at the severity level is IP Reputation Lookup. Traffic from malicious IPs will display even though it has an Info priority level.

If you wish to block this traffic, use the Whitelist capabilities in the Review paneselect traffic --> click "Action" button in bottom right --> "Add to Whitelist"

 

If you have any questions about the Firewall Log Analyzer not covered here, feel free to contact support via email or using chat on our website