Tech Note--Audit Support for Stonesoft Firewalls Symantec CloudSOC Tech Note


Tech Note--Audit Support for Stonesoft Firewalls 

Copyright statement Copyright (c) Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.    

 


Table of Contents 

Introduction 

Supported Stonesoft firewall versions 

Sample log formats 

CSV log format 

Mandatory fields 

Enabling firewall logging 

Creating access rules 

Configuring logging level 

Configuring SSL inspection 

Configuring URL logging 

Exporting logs 

References 

Revision history 

   

 


Introduction 

This Tech Note describes how the CloudSOC Audit application supports log files exported from Stonesoft firewalls. Stonesoft Corporation was a Finnish vendor of network security products until 2013, when McAfee acquired it; the firewall line later passed to Forcepoint, whose management tooling (Security Management Center, SMC) keeps the element names and menu paths used in this note.  

Supported Stonesoft firewall versions 

Stonesoft firewall minimum supported version: 5.5 

Sample log formats 

Stonesoft 5.5 can export logs in two formats that CloudSOC Audit accepts: CSV and CEF. The CSV export uses a comma as the default delimiter and is produced by the sgTextBrowser command-line tool described under Exporting logs; CEF is a key-value pair format that the Log Server forwards to syslog servers. The CSV format is shown below. 

CSV log format 

"Creation time","Data Identifier","Sender","Facility","Type","Event","Action","Src Addr","Dst Addr","Service","IP Protocol","Src Port","Dst Port","Rule tag","Nat Src","Nat Dst","Nat Src Port","Nat Dst Port","FLAG only there for compatibility reason","Src IF","Protocol Agent","Alert type","Syslog","ICMP Type","ICMP code","ICMP Id","Inbound SPI","Round Trip","Elapsed Time","Bytes Sent","Bytes Rcvd","Auth. User","Src VLAN","Component ID","Information Message","Nat Rule Tag","Auth. Rule Tag","Acknowledged","Reception time","Sender type","Situation","FP situation","Severity","Event ID","QoS Class","DSCP Mark","QoS Priority","IKE Cookie","Situation type","Connection dropped","DNS type","Description","Reference event ID","Address","Alert Event","Alert Identifier","Event Description","Storage Server","User","Packets Rcvd","Packets Sent","Content type of message body","Correlation base component ID","Correlation begin time","Correlation end time","DNS class","DNS hdr ancount","DNS hdr arcount","DNS hdr flag tc","DNS hdr id","DNS hdr is request","DNS hdr nscount","DNS hdr opcode","DNS hdr qdcount","DNS hdr rcode","DNS name length","DNS offset","DNS pointer","DNS qclass","DNS qname","DNS qtype","DNS section","DNS UDP payload","DNS UDP payload by opt","Eth frame length","Eth min frame length","Ethernet type","Event count","Event update","Excerpt data","Excerpt position","Frame dropped","Fields updatable","Failed response cnt","HTTP content length","HTTP content type","HTTP header","HTTP header name","HTTP no request","HTTP request host","HTTP request line","HTTP request method","HTTP request URI","HTTP request version","HTTP response code","HTTP URI length","IP checksum","IP datagram length","IP datagram new length","IP header length","IP identification","IP offset","IP option length","IP option number","IP total length","IP version","Length of message body","Module","Module mem usage","Node configuration","Node dynup","One LAN","Orig config id","Orig sender os ver","Original alert type","Original correlation begin time","Original correlation end time","Original event count","Original module","Original severity","Original situation","Original time","Packet analysis end","Packet not seen","Physical interface","Record ID","Sender module version","TCP handshake seen","TCP option kind","TCP option length","UDP datagram size","Packet data","Record frame cached"

"2014-03-28 13:16:39","2040520","192.168.77.100","Authentication","Notification","Kernel usertable",,,,,,,,,,,,,,,,,,,,,,,,,,,,"StoneSoftFW node 1","Sync failure: maintenance sync. User data -> source address: 192.168.77.10 id: Bob\,domain: InternalDomain\, ve_id: 0\,set timeout: 0. Sync data size 140",,,,"2014-03-28 13:16:39","Firewall","FW_Authentication-Kernel-Usertable",,,"5855218181792015048",,,,,,,,,,,,,,"LogServer 192.168.77.1",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Mandatory fields 

The following fields must be present in the logs uploaded to the CloudSOC Audit application (names as they appear in the CSV header above):  

● Reception time 

● Src Addr 

● Dst Addr or HTTP request host 

● Bytes Sent or Bytes Rcvd 

Not every record carries these fields. The authentication notification in the sample above, for instance, has empty Src Addr, Dst Addr and byte-count fields, so it contributes nothing to Audit. Connection records from access rules with logging enabled supply Src Addr, Dst Addr and byte counts; HTTP request host is only populated for traffic that the firewall inspects, which for HTTPS requires the TLS inspection and URL logging configuration described later in this note. 

Enabling firewall logging 

The example below walks through creating a new policy and access rules that have logging enabled. Use it as a guideline for enabling logging on your existing policies.  

Creating access rules 

Access rules are created in the Firewall Policies. You access firewall policies from Configuration > Configuration > Security Engine > Policies.  

In the Firewall Policies, create a policy by right clicking on Policies and choosing New > Firewall Policy. 

 

 


The following figure shows typical access rules that allow internet access, user authentication and administration. 

 

Configuring logging level 

There are seven logging levels that you can set on an access rule. The default level is None, which produces no log entry at all, so an Allow rule left at the default generates nothing for Audit to ingest. Change the logging level from None to Essential on the rules whose traffic you want to audit. Essential generates a log entry that is shown in the Logs view, saved for further use, and handled as high priority if the log transfer from the firewall to the Log Server is interrupted.  

 

Configuring SSL inspection  

To perform SSL inspection, the firewall needs a CA certificate and its private key. When the firewall decrypts an outbound HTTPS session it presents the client a certificate signed by this CA in place of the server's own, so every client behind the firewall must trust the CA or browsers will raise certificate warnings. Treat the private key as highly sensitive: whoever holds it can transparently intercept the TLS traffic of every user who trusts that CA.   

To create a Client Protection Certificate Authority element: 

1. Choose Configuration > Configuration > Security Engine.  

The Security Engine Configuration view opens.  

 


2. Browse to Other Elements > Engine Properties > Certificates. 

3. Right-click Client Protection Certificate Authorities and choose New Client Protection Certificate Authority.  

The Client Protection Certificate Authority Properties dialog opens.  

 

 


4. Select the CA certificate in the firewall's properties, which you open from Configuration > Security Engines > Firewall > right-click > Properties > Add-Ons > TLS Inspection. 

 

5. Create an HTTP service object with decryption and URL logging enabled as shown in the following two figures. 

 

 


 

Configuring URL logging 

For the firewall to log URLs, the matching access rule must be configured for deep inspection. To enable deep inspection on an access rule that matches the HTTP service: 

1. Right click on the Action cell and choose Edit Options. 

 

 


2. On the Connection Tracking tab, choose Override Inspection Options Set With Continue Rules and select Deep Inspection. 

 

3. Enable Logging of accessed URLs. 

Exporting logs 

To export the logs, run the command: 

sgTextBrowser [host=ADDRESS] [login=LOGIN_NAME] [pass=PASSWORD] [format=CSV|XML] [o=OUTPUT_FILE] [f=FILTER_FILE] [e=FILTER_EXPRESSION] [m=current|stored] [limit=<maximum number of unique records to fetch>] [-h]

Where: 

● i=INPUT_FILE defines the source archive from which the logs are exported. 

● pass=PASSWORD defines the password of the account used for the export. Like every other argument it is visible in the host's process list while the command runs, so use a dedicated account with no more rights than the export needs. 

● e=FILTER_EXPRESSION defines the filter used to select the log data to export. Type the filter name as shown in the Management Client.  

● f=FILTER_FILE defines a StoneGate filter, exported to a file, used to select the log data to export. 

● format=CSV|XML defines the output file format. If this parameter is not defined, XML is used; CloudSOC Audit consumes the CSV format described above, so always set format=CSV. 


 


● host=ADDRESS parameter defines the address of the Management Server used for checking the login information. If this parameter is not defined, Management Server is expected to be on the same host where the script is run. 

● login=LOGIN_NAME parameter defines the username for the account that is used for this export. If this parameter is not defined, the username root is used. 

● o=OUTPUT_FILE parameter defines the destination file where the logs will be exported. If this parameter is not defined, the output is displayed on screen. 

● m defines whether you want to view or export logs as they arrive on the Log Server (current) or logs stored in the active storage directory (stored). If this option is not defined, the current logs are used. 

● limit defines the maximum number of unique records to be fetched. The default value is unlimited. 

● -h option displays information on using the script. 

The following figure shows an example of how you use this command. 
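As an added example (written for this note, not code from the original Tech Note or from Stonesoft or Broadcom), the script below ties the export step to the Mandatory fields section: build_export_argv assembles the sgTextBrowser argument vector from the parameters documented above, always forcing format=CSV, and audit_ready parses an export and reports which records lack the mandatory fields. The CSV embedded in it is constructed for the example and uses only a subset of the columns from the full header shown under CSV log format; the column names themselves are taken from that header. run_export, which would actually invoke sgTextBrowser on a Management Server host, is provided but not called by the sample, so the script runs offline.

```python
import csv
import io
import shlex
import subprocess
from typing import Dict, Iterator, List, Optional, Tuple

# Mandatory fields from the Tech Note: both of REQUIRED_ALL must be present,
# plus at least one field from each pair in REQUIRED_ANY.
REQUIRED_ALL = ("Reception time", "Src Addr")
REQUIRED_ANY = (("Dst Addr", "HTTP request host"), ("Bytes Sent", "Bytes Rcvd"))


def build_export_argv(host: Optional[str] = None, login: Optional[str] = None,
                      password: Optional[str] = None, output: Optional[str] = None,
                      filter_expr: Optional[str] = None, filter_file: Optional[str] = None,
                      mode: str = "current", limit: Optional[int] = None) -> List[str]:
    """Argument vector for sgTextBrowser, using only the documented parameters.

    format=CSV is always set because Audit needs CSV, not the tool's XML
    default. The list is meant for subprocess without a shell, so a filter
    name with spaces or quotes cannot alter the command."""
    if mode not in ("current", "stored"):
        raise ValueError("m must be 'current' or 'stored'")
    if limit is not None and limit <= 0:
        raise ValueError("limit must be a positive record count")
    argv = ["sgTextBrowser"]
    for key, value in (("host", host), ("login", login), ("pass", password),
                       ("o", output), ("f", filter_file), ("e", filter_expr)):
        if value is not None:
            argv.append(f"{key}={value}")
    argv += ["format=CSV", f"m={mode}"]
    if limit is not None:
        argv.append(f"limit={limit}")
    return argv


def run_export(argv: List[str]) -> str:
    """Run sgTextBrowser (only exists on an SMC host) and return the CSV text.
    Without o= the tool prints to screen; with o= the output file is read."""
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    out_file = next((a[2:] for a in argv if a.startswith("o=")), None)
    if out_file is None:
        return proc.stdout
    with open(out_file, encoding="utf-8") as fh:
        return fh.read()


def parse_stonesoft_csv(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the export's header names.
    Stonesoft writes a literal comma inside a field as '\\,' (see the
    Information Message field in the Tech Note's sample); the csv module keeps
    the quoted field whole, so only that escape needs undoing."""
    for row in csv.DictReader(io.StringIO(text), strict=True):
        yield {k: (v or "").replace("\\,", ",") for k, v in row.items() if k is not None}


def missing_fields(rec: Dict[str, str]) -> List[str]:
    gaps = [f for f in REQUIRED_ALL if not rec.get(f)]
    gaps += [" or ".join(pair) for pair in REQUIRED_ANY if not any(rec.get(f) for f in pair)]
    return gaps


def audit_ready(text: str) -> Tuple[List[Dict[str, str]], List[Tuple[int, List[str]]]]:
    """Split an export into usable records and (record number, gaps) for the rest."""
    usable, rejected = [], []
    for n, rec in enumerate(parse_stonesoft_csv(text), start=1):
        gaps = missing_fields(rec)
        (rejected if gaps else usable).append((n, gaps) if gaps else rec)
    return usable, rejected


def bytes_by_destination(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Bytes per destination: by HTTP request host when the firewall logged one
    (inspected HTTP), otherwise by Dst Addr (for example HTTPS not decrypted)."""
    totals: Dict[str, int] = {}
    for rec in records:
        key = rec.get("HTTP request host") or rec.get("Dst Addr", "")
        totals[key] = totals.get(key, 0) + int(rec.get("Bytes Sent") or 0) + int(rec.get("Bytes Rcvd") or 0)
    return totals


# Constructed sample (not a real export): a subset of the header columns, the
# authentication notification from the Tech Note trimmed to fit, and two
# connection records, one inspected HTTP and one HTTPS without decryption.
SAMPLE_EXPORT = "\n".join([
    '"Creation time","Sender","Facility","Type","Event","Action","Src Addr","Dst Addr",'
    '"Service","Bytes Sent","Bytes Rcvd","Information Message","Reception time","HTTP request host"',
    '"2014-03-28 13:16:39","192.168.77.100","Authentication","Notification","Kernel usertable",'
    ',,,,,,"Sync failure: id: Bob\\,domain: InternalDomain","2014-03-28 13:16:39",',
    '"2014-03-28 13:17:02","192.168.77.100","Packet Filtering","Connection Closed",,"Allow",'
    '"192.168.77.10","203.0.113.5","HTTP","1532","48211",,"2014-03-28 13:17:02","www.example.com"',
    '"2014-03-28 13:17:05","192.168.77.100","Packet Filtering","Connection Closed",,"Allow",'
    '"192.168.77.11","203.0.113.5","HTTPS","911","20107",,"2014-03-28 13:17:05",',
])

if __name__ == "__main__":
    argv = build_export_argv(host="192.168.77.1", login="audit", password="secret",
                             output="fw.csv", mode="stored")
    print(" ".join(shlex.quote(a) for a in argv))
    usable, rejected = audit_ready(SAMPLE_EXPORT)
    print("rejected:", rejected)
    print("bytes by destination:", bytes_by_destination(usable))
```

Running the script prints the assembled command, reports record 1 (the authentication notification) as lacking Src Addr, a destination and byte counts, and totals the two connection records: the HTTP one under its logged host, the HTTPS one under its destination address only, which is the visible effect of the TLS inspection and URL logging settings above.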

    


 


References 

● http://www.manageengine.com/products/firewall/help/configure-firewall/configure-stonesoft.html 

● https://www.stonesoft.com/opencms/export/system/galleries/download/product_docs/archive/StoneGate_Management_Center_Reference_Guide_v5-0.pdf 

● https://www.stonesoft.com/opencms/export/system/galleries/download/product_docs/current/Stonesoft_Firewall_Installation_Guide_v5-6.pdf 

● https://www.stonesoft.com/opencms/export/system/galleries/download/product_docs/current/Stonesoft_Management_Center_Installation_Guide_v5-6.pdf 

● https://www.stonesoft.com/opencms/export/system/galleries/download/product_docs/current/Stonesoft_Firewall_Reference_Guide_v5-6.pdf 

● http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.3.2/SGAG/SGOH_Rules/Defining_Access_Rule_Logging_Options.htm 

● http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.5.4/SGAG/SGOH_UserAuthentication/Defining_IPv4_Access_Rules_for_Browser-Based_User_Authentication.htm#XREF_18820_Defining_IPv4 

● http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.5.0/SGAG/SGOH_Rules/Modifying_the_Inspection_Rules_Tree.htm#XREF_96046_Selecting 

 

Revision history 

Date             Version  Description 

2014             1.0      Initial release 

4 November 2015  1.1      Minor revisions 

 
