Configuring the Firewall Analyzer

How to configure the Firewall Analyzer App

Overview

The Firewall Log Analyzer works similarly to an Intrusion Detection System, but without the cost of buying and installing a dedicated device (if you already have an IDS/IPS, our app can help make sense of those logs too!).

You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software to find malicious traffic, data leaks, and a wide variety of reconnaissance and attack vectors. Any events trigger an immediate alert that will appear on your RocketCyber dashboard.

Configuring Firewall Log Analyzer

  1. Go to the App Store and enable the Firewall Log Analyzer app.

  2. Go to a customer. This app must be configured at the customer level, which lets you send each customer's logs to one of their own machines for processing if business or compliance reasons require it.

  3. Select the gear at the bottom of the tile to configure the Firewall Log Analyzer.

  4. There are a lot of configuration options. Let's start on the Basic tab. It holds the basic configuration options, which apply to all firewalls for this client.


    Each setting on the Basic tab and what it controls:

    Monitoring Device
      Selects which of your RocketCyber-connected computers will be used to process the firewall logs.

    Monitoring Port
      The port the monitoring device listens on to receive the firewall logs. The default is 514.

    Forward IP/Port
      Do you have log retention requirements, or your own log analysis system you don't want to give up? Once we are done with the firewall logs, we forward the original log data to this IP/Port.

    Protocol
      Whether the logs are sent via TCP or UDP.

    Max Daily Results
      Worried about these overwhelming your RocketCyber account, or about receiving more data than you can process? This limits how many results we report per day.

    Local Log Save/Save Size
      These two menus save a copy of your logs to the local hard drive of the machine doing the processing, and manage how large that log file can become. NOTE that this has a performance impact; if you already have a log system in place, forwarding the logs is preferable.

    Enabled Countries
      Sets the countries which normally interact with your customers. Move any country you expect normal traffic from to No. For most US-based MSPs, all countries should be enabled except the US.

      For many MSPs in the United States, consistent traffic from the default countries shown is a warning sign. However, if your clients do considerable business overseas or in one of these countries, traffic from those countries may be perfectly normal. We customize our search based on your specific circumstances.

    Don't Report Events Lower Than This Priority
      The vast majority of notifications you will receive from a firewall deal with events which do not need any action on your part (e.g. a malicious email attachment blocked). This can be several thousand results a day, which would completely overwhelm your dashboard and hide any real threats in the noise.

      This setting filters out low-priority notifications so you only see what is important. In the case of a confirmed attack (or if you want to verify the app is functioning), you can change this setting to Info or Debug. The default is Error.


When looking for a specific country on the Enabled Countries list, ctrl-f is your friend.

Reputation IP lookups are the one exception to the "Don't Report Events Lower Than This Priority" setting.

All connections are informational by nature. If you have lookups enabled, it is assumed you want advance warning of attacks, so these alerts are allowed through even though they are informational.
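To show how a severity threshold like "Don't Report Events Lower Than This Priority" is applied to raw firewall syslog, and how the reputation-lookup exception fits in, here is an added Python example. It is not RocketCyber's code (the app's internal logic is not published on this page); the sample log lines, the small address set standing in for a reputation feed, and all function names are constructed for this illustration. Syslog severities run from 0 (Emergency) to 7 (Debug), so "lower priority" means a higher number, and the default of Error (3) drops Warning through Debug.

```python
import re
from typing import List, NamedTuple, Optional

# Syslog severity names in numeric order (0 = most severe, 7 = least).
# The app's "Don't Report Events Lower Than This Priority" defaults to Error.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_THRESHOLD = "err"

# RFC 3164 style line: <PRI> followed by the rest of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed stand-in for a reputation feed (TEST-NET-2 documentation address).
BAD_IPS = {"198.51.100.23"}


class SyslogEvent(NamedTuple):
    facility: int
    severity: int
    body: str


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Split the PRI field into facility and severity; None if the line is not syslog."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # largest valid PRI: facility 23 * 8 + severity 7
        return None
    return SyslogEvent(pri // 8, pri % 8, m.group(2).strip())


def reputation_hit(body: str) -> bool:
    """True if any address in the message is on the (constructed) bad list."""
    return any(ip in BAD_IPS for ip in IP_RE.findall(body))


def should_report(event: SyslogEvent, threshold: str = DEFAULT_THRESHOLD) -> bool:
    """Keep events at or above the threshold severity, plus any reputation hit
    regardless of severity (the exception the article describes)."""
    if reputation_hit(event.body):
        return True
    return event.severity <= SEVERITIES.index(threshold)


def filter_events(lines: List[str], threshold: str = DEFAULT_THRESHOLD) -> List[SyslogEvent]:
    """Parse every line and return only the events that would be reported."""
    kept = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is not None and should_report(ev, threshold):
            kept.append(ev)
    return kept


# Constructed sample lines (documentation address ranges only).
SAMPLE_LINES = [
    "<134>Jan  1 12:00:00 fw01 kernel: accept src=192.0.2.10 dst=203.0.113.5 proto=tcp dport=443",  # local0.info
    "<131>Jan  1 12:00:01 fw01 ids: attack blocked src=203.0.113.77 dst=192.0.2.10",                 # local0.err
    "<134>Jan  1 12:00:02 fw01 kernel: accept src=198.51.100.23 dst=192.0.2.10 proto=tcp dport=22",  # info, but bad IP
    "<135>Jan  1 12:00:03 fw01 av: scan complete, no threats",                                         # local0.debug
    "garbage that is not syslog",
]

if __name__ == "__main__":
    for name in ("err", "info", "debug"):
        kept = filter_events(SAMPLE_LINES, name)
        print(f"threshold={name}: {len(kept)} reported")
        for ev in kept:
            print(f"  [{SEVERITIES[ev.severity]}] {ev.body}")
```

With the default threshold only the Error line and the reputation hit are reported; lowering the threshold to Info also surfaces the routine accept, and Debug surfaces everything parseable. This is the behaviour to expect when you temporarily drop the setting to Info to confirm logs are flowing.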

  5. Now select the section relevant to your brand of firewall product. We have selected reasonable default rules that will keep you protected without creating too many false positives. However, each network is unique and you know your customers better than we do. Modify the selected events as desired.
    1. Barracuda
    2. Cisco Meraki
    3. Fortinet
    4. PfSense
    5. SonicWall
    6. Sophos
    7. Ubiquiti
    8. Untangle
    9. WatchGuard
    10. Don't see your brand of firewall? Contact us to ask when it will be available.

Don't forget to click "Create" or "Update" when you are done! Otherwise your configuration settings won't be saved.


  6. If you have not already done so, add a syslog forwarding rule to your firewall.

    1. In most firewall admin consoles, there is some type of Syslog or Monitoring menu with the option to enable or add Syslog Forwarding.
    2. Select this menu item, and you will be given a place to input a target IP and port for the syslog forwarding.
    3. Input the values you entered for Monitoring IP and Monitoring Port.

If you have intelligent APs on your network and do not wish to have their logs analyzed (or to be charged for them), do not forward the AP logs in this step.

  7. If data is successfully reaching the agent, you will see a notification in your dashboard saying that you are CONNECTED.

    1. If you do not see this alert after a few minutes, there may be a problem.


Common Problems

  1. Windows Firewall blocking incoming traffic on the machine

  2. Accidentally putting the Firewall's IP instead of the monitoring device's IP

  3. Not adding a syslog forwarding rule on the firewall to send the logs to the Firewall Analyzer (step 6 above)

  4. By default, our filtering removes informational messages that do not require any action on your part. If you want to verify that everything works, try going to the configuration menu and changing the Don't Report Events Lower Than This Priority setting to Info

  5. Windows Server 2019 sometimes experiences problems when used as the monitoring platform. Try a non-Server 2019 machine. If you would like updates on the status of Server 2019 support, let us know.

  6. If you are experiencing problems using UDP or TCP, try the other protocol.

  7. If you are using a firewall that allows you to configure the severity level of syslog events being sent, set the severity to Info.

  8. Ensure your logs are being sent space-separated (not comma-separated)

  9. If needed, try restarting the agent
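Several of the problems above (host firewall blocking the port, the firewall's own IP entered instead of the monitoring device's, UDP versus TCP) come down to "is a syslog line actually reaching the monitoring device?". The following Python utility is an added example, not part of this article or of the RocketCyber agent: it sends one test syslog line to a host and port you supply over UDP or TCP, and includes a loopback self-check that binds a throwaway listener on 127.0.0.1 so you can prove the sending side works before blaming the network path. The message text and the placeholder address in the help text are constructed; substitute your own Monitoring IP and Monitoring Port.

```python
import argparse
import socket
import threading

# Constructed test message. PRI <134> = facility local0 (16), severity info (6),
# so it only surfaces on the dashboard when the priority setting is Info or Debug.
TEST_MESSAGE = "<134>Jan  1 00:00:00 fw01 rc-test: syslog connectivity test"


def send_syslog(host, port, message=TEST_MESSAGE, proto="udp", timeout=3.0):
    """Send one syslog line to host:port and return the number of bytes sent."""
    data = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            return s.sendto(data, (host, port))
    if proto == "tcp":
        # Newline-delimited framing, the common non-transparent framing for syslog over TCP.
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data + b"\n")
            return len(data) + 1
    raise ValueError("proto must be 'udp' or 'tcp'")


def _receive_once(proto, sock, timeout):
    """Read a single message from an already-bound listener socket."""
    sock.settimeout(timeout)
    if proto == "udp":
        data, _ = sock.recvfrom(4096)
        return data.decode("utf-8")
    conn, _ = sock.accept()
    with conn:
        conn.settimeout(timeout)
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf.decode("utf-8").rstrip("\n")


def loopback_check(proto="udp", timeout=3.0):
    """Bind a throwaway listener on 127.0.0.1, send TEST_MESSAGE to it, and
    return what arrived (None on timeout). A pass here means the sender and
    the chosen protocol work; a failure against the real device is then the
    network path, the host firewall, or a wrong IP/port."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        if proto == "tcp":
            srv.listen(1)
        port = srv.getsockname()[1]
        result = {}

        def worker():
            try:
                result["msg"] = _receive_once(proto, srv, timeout)
            except OSError:                 # socket.timeout is an OSError subclass
                result["msg"] = None

        t = threading.Thread(target=worker, daemon=True)
        t.start()
        send_syslog("127.0.0.1", port, TEST_MESSAGE, proto, timeout)
        t.join(timeout)
        return result.get("msg")


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="send a test syslog line to the monitoring device")
    ap.add_argument("host", help="Monitoring IP (placeholder example: 192.0.2.10)")
    ap.add_argument("port", type=int, nargs="?", default=514, help="Monitoring Port (default 514)")
    ap.add_argument("--proto", choices=["udp", "tcp"], default="udp")
    args = ap.parse_args()
    ok = loopback_check(args.proto) == TEST_MESSAGE
    print(f"loopback {args.proto}: {'ok' if ok else 'FAILED'}")
    sent = send_syslog(args.host, args.port, TEST_MESSAGE, args.proto)
    print(f"sent {sent} bytes to {args.host}:{args.port} over {args.proto}")
```

Run it from a machine on the same network segment as the firewall with the priority setting temporarily at Info; if the loopback passes but nothing appears in the dashboard, check the Windows Firewall on the monitoring device for an inbound rule on the Monitoring Port and the protocol you chose, and re-check that the target IP is the monitoring device rather than the firewall.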

One exception to filtering at the severity level is IP Reputation Lookup. Traffic from malicious IPs will display even though it has an Info priority level.

If you wish to block this traffic, use the Whitelist capabilities in the Review pane: select the traffic --> click the "Action" button in the bottom right --> "Add to Whitelist".



If you have any questions about the Firewall Log Analyzer not covered here, feel free to contact support via email or using the chat on our website.