Configuring the Firewall Analyzer

How to configure the Firewall Analyzer App

Overview

The Firewall Log Analyzer works much like an Intrusion Detection System, without the cost of buying and installing a dedicated appliance (if you already have an IDS/IPS, the app can help make sense of those logs too).

You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software to look for malicious traffic, data leaks, and a wide variety of reconnaissance and attack patterns. Each matching event triggers an immediate alert on your RocketCyber dashboard.

Configuring Firewall Log Analyzer

  1. Go to an organization. NOTE: This app must be configured at the organization level. This is to allow the flexibility to send each organization's logs to one of their own machines for processing if this is desired for business or compliance reasons.
  2. Select the gear at the bottom of the tile to configure the Firewall Log Analyzer.
  3. There are a lot of configuration options. Start on the Syslog Configuration tab. This tab configures the selected agent as a Syslog server so that it can receive data from your firewall devices; the options below turn an installed RocketAgent into a Syslog server that collects firewall log data.
Setting / Action

Syslog Server Device: Selects which of your RocketCyber-connected computers will be used as the Syslog server to collect Syslog data from the desired firewalls.

Syslog Server IP: The IP address of the Syslog Server Device. Copy this address; you will need it when configuring Syslog forwarding on your firewall.

Syslog Server Port: The port the Syslog Server Device listens on to receive the firewall logs. We recommend using the default, 514. Make sure nothing on the path between the firewall and this machine (host firewall included) blocks that port.

Syslog Server Protocol: Selects whether the logs are received over TCP or UDP. We recommend using the default, UDP. Note that UDP syslog is unacknowledged, so datagrams dropped on the network are lost silently, and neither transport is encrypted, so keep the forwarding path on a trusted network segment.

Max Daily Results: Worried about these overwhelming your RocketCyber account, or producing more data than you can process? This limits how many results we report per day.

Local Log Save / Save Size: These last two items let you save a copy of the logs to the local hard drive of the machine doing the processing, and control how large that log file may grow. NOTE that this has a performance impact on the system. The log file is not overwritten; logging simply stops once the size limit is reached.

Don't Report Events Lower Than This Priority: The vast majority of notifications you receive from a firewall concern events that need no action on your part (e.g. a malicious email attachment was blocked). This can be several thousand results a day, which would completely overwhelm your dashboard and hide real threats in the noise.

This setting filters out low-priority notifications so that only what matters is shown. During a confirmed attack (or to verify that the app is functioning), you can lower this setting to Info or Debug. The default is Error.
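To make the Syslog Configuration and priority-threshold settings above concrete, here is an added example (not part of the original article or of RocketCyber's software) that parses the <PRI> header of forwarded syslog lines, applies an Error-level threshold the way the "Don't Report Events Lower Than This Priority" setting does, and builds a test message you can send to the Syslog Server Device IP and port to confirm the agent is reachable. It assumes the app's Error/Info/Debug levels correspond to the standard syslog severity codes (the names match, but the mapping is an assumption), and the sample log lines are constructed for the example, not real vendor output.

```python
import socket
from datetime import datetime

# Standard syslog severity codes (RFC 3164 / RFC 5424): lower number = more urgent.
SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

# Constructed sample lines in the shape a firewall might forward (facility local0 = 16,
# so PRI = 16 * 8 + severity). These are illustrative, not real vendor log output.
SAMPLE_LINES = [
    "<131>Feb 24 20:00:36 fw01 ips: attack blocked src=203.0.113.7 dst=192.0.2.10",      # local0.err
    "<132>Feb 24 20:00:37 fw01 av: malicious attachment blocked user=alice",             # local0.warning
    "<134>Feb 24 20:00:38 fw01 fw: connection allowed src=192.0.2.55 dst=198.51.100.3",  # local0.info
    "<135>Feb 24 20:00:39 fw01 fw: debug state table sync",                              # local0.debug
    "<129>Feb 24 20:00:40 fw01 system: HA failover, peer unreachable",                   # local0.alert
    "Feb 24 20:00:41 fw01 fw: line with no PRI header",                                   # malformed
]


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> field, or None if it is missing/malformed."""
    if not line.startswith("<"):
        return None
    end = line.find(">", 1, 5)          # PRI is 1 to 3 digits, so '>' must appear by index 4
    if end == -1:
        return None
    digits = line[1:end]
    if not digits.isdigit():
        return None
    pri = int(digits)
    if pri > 191:                       # 23 facilities * 8 + 7 is the maximum legal value
        return None
    return pri // 8, pri % 8


def should_report(line, threshold="err"):
    """True if the line's severity is at least as urgent as the threshold (numerically <=).

    Lines without a parsable PRI are kept rather than dropped: a receiver that silently
    discards malformed input hides a misconfigured forwarder instead of filtering noise.
    """
    parsed = parse_pri(line)
    if parsed is None:
        return True
    return parsed[1] <= SEVERITY[threshold]


def filter_lines(lines, threshold="err"):
    """Apply the threshold to a batch of lines, mirroring the dashboard's default of Error."""
    return [line for line in lines if should_report(line, threshold)]


def build_message(text, facility=16, severity="info", host="fw01", tag="test"):
    """Build an RFC 3164-style message: <PRI>TIMESTAMP HOST TAG: MSG (day is space-padded)."""
    pri = facility * 8 + SEVERITY[severity]
    now = datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{ts} {host} {tag}: {text}"


def send_test_message(server_ip, port=514, proto="udp", severity="err",
                      text="RocketCyber syslog test"):
    """Send one message to the agent configured as the Syslog Server Device.

    Use a severity at or above the dashboard threshold (Error by default), otherwise the
    test message is filtered out and you cannot tell a dropped packet from a filtered one.
    """
    msg = build_message(text, severity=severity).encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg, (server_ip, port))
    else:
        with socket.create_connection((server_ip, port), timeout=5) as s:
            s.sendall(msg + b"\n")      # newline framing; assumption about what the receiver expects
    return msg


if __name__ == "__main__":
    for threshold in ("err", "info", "debug"):
        kept = filter_lines(SAMPLE_LINES, threshold)
        print(f"threshold={threshold}: {len(kept)} of {len(SAMPLE_LINES)} lines reported")
    # To exercise the network path, replace the IP with the Syslog Server IP shown in the app:
    # send_test_message("192.0.2.10", port=514, proto="udp")
```

Run it as-is to see how many of the sample lines survive each threshold; the Error default keeps only the err and alert lines plus the malformed one. To check the forwarding path, run send_test_message against the Syslog Server IP from a machine on the firewall's side of the network, then lower the dashboard priority to Info or Debug if you want to see ordinary traffic lines arrive as well.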

NOTE  Reputation IP lookups are the one exception to the Don't Report Events Lower Than This Priority setting.


All connections are informational by nature. If you have lookups enabled, it is assumed you want advance warning of attacks, so these alerts are allowed through even though they are informational.

You can turn this off under the tab for your brand of firewall by toggling the option to NO - IP reputation lookup.

Non-firewall devices such as switches, routers or access points may register as firewalls. These devices can be excluded and then deleted from the firewall registration list.

Next, Click on the Geo Location tab.

Using the Geo Location tab, you can enable or disable the countries whose traffic you want to monitor. By default, all countries except the US are selected.

To find a specific country in the Enabled Countries list, use your browser's find function (Ctrl-F).

Configuring Firewall Specific Items

Now select the tab for your brand of firewall product. We have chosen reasonable default rules that keep you protected without creating too many false positives. However, each network is unique and you know your organizations better than we do, so modify the selected events as desired.

  1. Configuration options for Barracuda
  2. Configuration options for Cisco Meraki
  3. Configuration options for Fortinet
  4. Configuration options for PfSense
  5. Configuration options for SonicWall
  6. Configuration options for Sophos
  7. Configuration options for Ubiquiti
  8. Configuration options for Untangle
  9. Configuration options for WatchGuard
  10. Configure Network Device - Juniper Firewall
  11. Configure Network Device - Palo Alto Firewall
  12. Configure Network Device - Cisco ASA Firewall
  13. Configure Network Device - Cisco IOS Device
  14. Configure Network Device - Checkpoint Firewall

Don't forget to click Create or Update when you are done. Otherwise, your configuration settings won't be saved.

*The Firewall Log Analyzer app can only be configured at the organization level. If you try to configure it at the MSP level, a message will tell you to configure it at the organization level instead.

Troubleshooting articles