Untangle

Configuration options for Untangle firewalls in RocketCyber


Content checks

Untangle devices classify network traffic by destination into various categories, including the ones listed here. In particular, we suggest monitoring activity which is:

  • Illegal

  • Visiting known malicious sites

  • Accessing remote access tools

  • Probably unwanted (e.g. sites which harm productivity)

Reputation lookups on connecting IPs: This monitors traffic and informs you only of unexpected traffic or traffic coming from unusual locations (e.g. countries on the Enabled Countries list).

Potential compromise: Like most high confidence/low confidence event pairs, the low confidence detections introduce a large amount of noise and are not helpful in most situations.

VPN detection: This detects any attempt to use VPN functionality, so enable it only if VPN is disabled on your network and there should be no VPN usage at all.

Log Format

The expected format for Untangle logs is syslog-compatible JSON, for example:

<174>Mar 3 14:21:07 INFO uvm[0]: {"reason":"DEFAULT","appName":"web_filter","requestLine":"GET http://app.rocketcyber.com/","sessionEvent":{"entitled":true,"partitionTablePostfix":"_2020_03_03","protocol":6,"hostname":"ROCY-16","CServerPort":443,"protocolName":"TCP","tag":"uvm[0]: ","serverLatitude":39.0481,"localAddr":"/192.168.7.77","class":"class com.untangle.uvm.app.SessionEvent","SServerAddr":"/72.72.72.207","remoteAddr":"/72.72.72.207","serverIntf":1,"CClientAddr":"/192.168.7.77","serverCountry":"US","sessionId":103742377779893,"SClie...
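As an added example (not RocketCyber's or Untangle's own code), the following Python parser splits a line of this format into its syslog header and JSON body and pulls out the session fields a monitoring rule would key on. The sample line is constructed from the fields visible in the example above; the Java-style leading "/" on address values is stripped, and a truncated line such as the one shown is rejected rather than partially parsed.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Syslog wrapper as it appears in the page's sample: <PRI>Mon d HH:MM:SS LEVEL tag: {json}
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]+) "
    r"(?P<tag>[^:]+): "
    r"(?P<body>\{.*\})\s*$"
)

# Constructed sample modelled on the page's (truncated) example; not a real capture.
SAMPLE = (
    '<174>Mar 3 14:21:07 INFO uvm[0]: {"reason":"DEFAULT","appName":"web_filter",'
    '"requestLine":"GET http://app.rocketcyber.com/","sessionEvent":{"protocol":6,'
    '"hostname":"ROCY-16","CServerPort":443,"protocolName":"TCP","localAddr":"/192.168.7.77",'
    '"SServerAddr":"/72.72.72.207","remoteAddr":"/72.72.72.207","serverCountry":"US",'
    '"CClientAddr":"/192.168.7.77","sessionId":103742377779893}}'
)


@dataclass
class UntangleEvent:
    facility: int            # syslog PRI // 8
    severity: int            # syslog PRI % 8
    timestamp: str
    level: str
    app: str                 # "appName", e.g. web_filter
    hostname: Optional[str]
    client_addr: Optional[str]
    server_addr: Optional[str]
    server_port: Optional[int]
    server_country: Optional[str]
    request_line: Optional[str]
    raw: dict = field(default_factory=dict)


def strip_addr(value):
    # Untangle emits Java InetAddress strings such as "/192.168.7.77"; drop the slash.
    return value.lstrip("/") if isinstance(value, str) else None


def parse_untangle_line(line: str) -> UntangleEvent:
    m = HEADER_RE.match(line)
    if not m:  # no header, or the JSON body is cut off (no closing brace)
        raise ValueError("not a syslog-wrapped Untangle JSON line")
    pri, body = int(m.group("pri")), json.loads(m.group("body"))
    sess = body.get("sessionEvent", {})
    return UntangleEvent(
        facility=pri // 8, severity=pri % 8, timestamp=m.group("ts"), level=m.group("level"),
        app=body.get("appName", ""), hostname=sess.get("hostname"),
        client_addr=strip_addr(sess.get("CClientAddr")), server_addr=strip_addr(sess.get("SServerAddr")),
        server_port=sess.get("CServerPort"), server_country=sess.get("serverCountry"),
        request_line=body.get("requestLine"), raw=body,
    )
```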