Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.
Forcepoint: NGFW Syslog and NetFlow Configuration
Overview
This document provides the steps to integrate your Forcepoint NGFW firewall with the Seceon SIEM so that you have comprehensive visibility and proactive threat detection in your environment. Logs and flows are transferred from the firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). The steps below cover forwarding of both syslog and NetFlow.
Note: Syslog must be forwarded to UDP port 514 (this port must be allowed through the firewall).
NetFlow must be forwarded to UDP port 9995 (this port must be allowed through the firewall).
Configuration Steps
Syslog Configuration
Log in to the firewall as an admin user.
Add log forwarding rules to the Log Server to enable log forwarding.
1. Select Home.
2. Browse to Others > Log Server.
3. Right-click the Log Server from which you want to forward log data, then select Properties.
4. Click the Log Forwarding tab.
5. To create a rule, click Add.
Tip: To remove a rule, select the rule, then click Remove.
6. In the Target Host cell, select the external host (the Seceon CCE) to which the log data is forwarded:
   Double-click the Target Host cell.
   Select a Host element.
   Click Select.
7. To add a rule, click Add.
   Configure the log forwarding rules.
   Click OK.
Log Server Properties dialog box
Use this dialog box to define the Log Server properties.
Option | Definition |
---|---|
General tab | |
Name | The name of the element. |
IPv4 Address | Enter the IPv4 address of the Seceon CCE. |
IPv6 Address | Enter the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address. |
Port (Optional) | UDP port 514 (syslog) |
NetFlow Configuration
Option | Definition |
---|---|
Log Forwarding tab | |
Target Host | The Host element that represents the target host to which the log data is forwarded. Double-clicking this cell opens the Select Host dialog box. |
Service | The network protocol for forwarding the log data. Click the cell, then select the Service from the drop-down list. UDP (For IPFIX and NetFlow v9, this is the only available network protocol.) |
Port | The port that is used for log forwarding. The default port used by IPFIX/NetFlow data collectors is UDP port 9995. Double-click to edit the cell. Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the port you select is also used as the port in the Access rule. |
Format | .CSV — Forwards log data in comma separated value format. |
Verification of Configuration
Verification can be done either from the CCE server or from the UI.
Using the UI
STEP 1: Log in to the UI and open SYSTEM.
STEP 2: Open LOGS AND FLOWS COLLECTION STATUS.
STEP 3: The firewall's IP address appears under SOURCE DEVICE IP once logs or flows are being received.
Using the CCE Server
Run the commands below on the CCE server to check whether logs and flows are arriving from the firewall. The capture filter must match on the port, not on a second host, and `-A` prints the packet payload as ASCII so that the syslog text is visible:

```shell
# Syslog from the firewall (replace <IP address> with the firewall's IP)
sudo tcpdump -i any -nn -A 'host <IP address> and udp port 514'
# NetFlow from the firewall
sudo tcpdump -i any -nn -A 'host <IP address> and udp port 9995'
```
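The verification above can be scripted so that both feeds are checked in one run with a timeout. The script below is an added example written for this article, not Seceon's or Forcepoint's own tooling; it assumes `tcpdump` and `timeout` are installed on the CCE server and that it is run as root (or via `sudo`).

```shell
#!/bin/sh
# Constructed example: confirm that syslog (UDP 514) and NetFlow (UDP 9995)
# sent by the firewall actually reach the CCE. Usage: ./check_feeds.sh <firewall-ip>

# Build the tcpdump (BPF) filter for one feed: only UDP packets that come
# from the firewall and are addressed to the collector port.
build_filter() {
  fw_ip="$1"
  port="$2"
  printf 'src host %s and udp dst port %s' "$fw_ip" "$port"
}

# Capture up to $count matching packets, waiting at most $seconds seconds.
# Returns 0 when at least one packet was seen, 1 otherwise.
capture_feed() {
  name="$1"
  fw_ip="$2"
  port="$3"
  seconds="${4:-30}"
  count="${5:-3}"
  filter=$(build_filter "$fw_ip" "$port")
  echo "[$name] waiting up to ${seconds}s for '$filter' ..."
  # -nn: no name/port resolution; -c: stop after N packets; -A: payload as ASCII.
  # grep -q . succeeds as soon as tcpdump prints one packet line.
  if timeout "$seconds" tcpdump -i any -nn -c "$count" -A "$filter" 2>/dev/null | grep -q .; then
    echo "[$name] OK: traffic from $fw_ip to UDP/$port is arriving"
    return 0
  fi
  echo "[$name] FAIL: nothing from $fw_ip to UDP/$port within ${seconds}s"
  return 1
}

# Check both feeds; exit non-zero if either one is silent so the script can
# be used from cron or a monitoring job.
main() {
  fw_ip="${1:?usage: $0 <firewall-ip>}"
  rc=0
  capture_feed syslog  "$fw_ip" 514  || rc=1
  capture_feed netflow "$fw_ip" 9995 || rc=1
  return $rc
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

If syslog arrives but NetFlow does not (or vice versa), re-check the matching Access rule on the firewall for the silent port before touching the CCE.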
Seceon Inc. All rights reserved. https://www.seceon.com