Firewall Analyzer overview

Want to know more about how the Firewall Analyzer App works?

Firewall Analyzer results are categorized differently than other apps. Make sure you have read the How Should I Analyze These Results section at the bottom of this page at least once.

What is the Firewall Analyzer?

The Firewall Analyzer works similarly to an Intrusion Detection System, but without buying and installing an expensive device (if you have an IDS/IPS, our app can help make sense of those logs, too!). We analyze your logs and surface only what is important.  

How does it work?

You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software, which looks for malicious traffic, data leaks, and various reconnaissance and attack patterns. Each event the analyzer detects triggers an immediate alert on your RocketCyber dashboard.

How Should I Analyze These Results?

Unlike other apps, "informational" results in the Firewall Analyzer cannot always be safely ignored. In general, the Firewall Analyzer uses the following categories:

Category: Malicious
Meaning: Definitely bad.
Examples: Virus detections; network hijacking attempt in progress.

Category: Suspicious
Meaning: Probably bad, with some variation depending on your particular situation.
Examples: Possible data leak; probable scanning activity.

Category: Informational
Meaning: Possibly bad. The difference between Informational and Suspicious in the firewall app is how likely the event is to be normal behavior for certain types of businesses: an informational message from the Firewall Analyzer could be something very bad or nothing at all, and some familiarity with your specific business situation is needed to determine which.
Examples: Login activity from an unexpected source; ActiveX usage; changes in VPN activity.

Note that events such as changes in VPN activity could mean nothing if your clients commonly use a VPN, or could indicate active compromise if you have no VPN capability set up at all.

Make sure you check what the message says. Depending on the firewall type, settings, and situation, the message may say that the event is ongoing, or it may say that the firewall has already taken corrective action automatically.
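As an added illustration of the triage rules above (this is not RocketCyber's code, and the app's real alert format is not shown on this page), the Python script below applies the category schema to a few constructed sample alerts. The pipe-separated line layout, the SITE_CONTEXT flags, and the keyword lists used to tell "already handled by the firewall" from "still ongoing" are all assumptions made for the example.

```python
"""Triage helper for Firewall Analyzer-style alerts (added example, not RocketCyber code).

The alert format "Category|source|message" is a constructed placeholder; the
real dashboard does not necessarily export alerts this way.
"""
from dataclasses import dataclass
import re

# Business context only you can supply. These values are assumptions for the sample run:
# a site with no VPN capability and no legacy application that needs ActiveX.
SITE_CONTEXT = {
    "vpn_in_use": False,
    "activex_expected": False,
}

# Constructed sample alerts, not real analyzer output.
SAMPLE_ALERTS = [
    "Malicious|203.0.113.7|Virus detected in download; connection blocked by firewall",
    "Suspicious|198.51.100.22|Probable port scan of 10.0.0.0/24 in progress",
    "Informational|192.0.2.15|VPN session established from new location",
    "Informational|10.0.0.44|ActiveX control usage observed on outbound session",
    "Suspicious|10.0.0.9|Possible data leak: 2.1 GB uploaded to external host",
]

# Wording (assumed) that signals the firewall already took corrective action
# versus an event that is still live. Check the message text, not just the category.
_HANDLED = re.compile(r"\b(blocked|dropped|denied|quarantined|reset)\b", re.I)
_ONGOING = re.compile(r"\b(in progress|ongoing|established|observed)\b", re.I)


@dataclass
class Triage:
    category: str
    source: str
    message: str
    action: str   # "escalate", "review", or "note"
    status: str   # "handled-by-firewall", "ongoing", or "unknown"
    reason: str


def parse_alert(line):
    """Split a constructed 'Category|source|message' line into its three fields."""
    category, source, message = line.split("|", 2)
    return category.strip(), source.strip(), message.strip()


def firewall_status(message):
    """Did the firewall already act, or is the event still in progress?"""
    if _HANDLED.search(message):
        return "handled-by-firewall"
    if _ONGOING.search(message):
        return "ongoing"
    return "unknown"


def triage(line, context=SITE_CONTEXT):
    """Map one alert to an action using the Malicious/Suspicious/Informational schema."""
    category, source, message = parse_alert(line)
    status = firewall_status(message)
    if category == "Malicious":
        # Definitely bad: always escalate, even if the firewall already blocked it.
        return Triage(category, source, message, "escalate", status, "always bad")
    if category == "Suspicious":
        return Triage(category, source, message, "escalate", status,
                      "probably bad; confirm against your environment")
    if category == "Informational":
        # Possibly bad: the business context decides.
        low = message.lower()
        if "vpn" in low and not context["vpn_in_use"]:
            return Triage(category, source, message, "escalate", status,
                          "VPN activity at a site with no VPN configured")
        if "activex" in low and not context["activex_expected"]:
            return Triage(category, source, message, "review", status,
                          "ActiveX not expected at this site")
        return Triage(category, source, message, "note", status,
                      "normal for this business; keep for reference")
    raise ValueError(f"unknown category {category!r}")


def triage_all(lines, context=SITE_CONTEXT):
    """Triage every alert and order the work: escalations first, ongoing events before handled ones."""
    order = {"escalate": 0, "review": 1, "note": 2}
    results = [triage(line, context) for line in lines]
    return sorted(results, key=lambda t: (order[t.action], t.status != "ongoing"))


if __name__ == "__main__":
    for t in triage_all(SAMPLE_ALERTS):
        print(f"{t.action:<8} {t.status:<20} {t.category:<13} {t.source:<14} {t.reason}")
```

Run it as-is to see the constructed alerts ordered for an analyst; flip `vpn_in_use` to True in SITE_CONTEXT and the VPN event drops from "escalate" to "note", which is exactly the business-context judgment the Informational category asks you to make.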