Table of Contents -
Overview
We are providing you the steps to integrate your Sophos Firewall with Seceon SIEM so that you can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Netflows forwarding.
Steps of Configuration:
- Login to the Webadmin GUI for the Sophos XG Firewall.
- Navigate to Administration > Netflow.
c. Inside netflow section , put the name of server , IP of CCE and port should be 9995
- Server Name: Netflow server's friendly name.
- Netflow Server IP/Domain: IPv4, IPv6 or hostname for the Netflow server(Seceon CCE).
- Netflow Server Port: The listening port for the Netflow Server. Records are sent to the Netflow server over the specified port, 9995.
- Netflow will only log traffic for firewall rules that have Log Firewall Traffic enabled.
d. Click on apply .
A MEESAGE WILL POP SAYING NETFLOW CONFIGURATION HAS BEEN DONE SUCCESSFULLY .
Note:
- Sophos XG Firewall supports Netflow v5. You can export all the parameters of v5.
- When a conntrack entry is destroyed at the time of closing, we send the date or traffic counters to the netflow collector.
- Further information regarding the netflow v5 record format can be found in NetFlow v5 Record Format.
- You may add up to 5 separate Netflow servers.
Reference Source: https://community.sophos.com/kb/en-us/132762
Verification of configuration :-
Verification can be done in 2 ways either on CCE or on UI
- VERIFICATION THROUGH UI
1.Open UI >>Systems
2. Dropdown systems and go inside logs and flows collection status.
3. Under Source device IP address section the device configured will reflect.
- Verification Through CCE server
sudo tcpdump -i any host 9995 and host <IP address> -AAA” command should be ran on CCE server to check wheather or not we are getting logs .