Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

ForcePoint : NGFW Syslog and Netflow Configuration

Overview

This document provides the steps to integrate your Forcepoint NGFW firewall with Seceon SIEM so that you have comprehensive visibility and proactive threat detection in your environment. Logs are transferred from the firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). The sections below walk through the configuration for forwarding syslog and NetFlow data.

Note: Syslog should be forwarded to UDP port 514 (this port must be allowed from the firewall).

NetFlow should be forwarded to UDP port 9995 (this port must be allowed from the firewall).

Steps of Configuration

Syslog Configuration

Log in to the firewall as an admin user.

Add log forwarding rules to the Log Server to enable log forwarding.

1. Select Home.

2. Browse to Others > Log Server.

3. Right-click the Log Server from which you want to forward log data, then select Properties.

4. Click the Log Forwarding tab.

5. To create a rule, click Add.

Tip: To remove a rule, select the rule, then click Remove.

6. In the Target Host cell, select the external host (the CCE) to which the log data is forwarded:

   a. Double-click the Target Host cell.
   b. Select a Host element.
   c. Click Select.

7. To add a further rule, click Add. Configure the log forwarding rules, then click OK.

Log Server Properties dialog box

Use this dialog box to define Log Server properties.

General tab

Option           Definition
Name             The name of the element.
IPv4 Address     CCE IP address.
IPv6 Address     Enter the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address.
Port (Optional)  514 UDP port.

Netflow Configuration

Log Forwarding tab

Option       Definition
Target Host  The Host element that represents the target host to which the log data is forwarded. Double-clicking this cell opens the Select Host dialog box.
Service      The network protocol for forwarding the log data. Click the cell, then select the Service from the drop-down list. Use UDP (for IPFIX and NetFlow v9, this is the only available network protocol).
Port         The port that is used for log forwarding. The default port used by IPFIX/NetFlow data collectors is UDP 9995. Double-click to edit the cell.
Format       CSV: forwards log data in comma-separated value format.

Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the port you select is also used as the port in the Access rule.

Verification of Configuration

Verification can be done either from the CCE server or from the UI.

Using the UI

Step 1: Log in to the UI and open SYSTEM.

Step 2: Open LOGS AND FLOWS COLLECTION STATUS.

Step 3: The firewall's IP appears under SOURCE DEVICE IP.

Using the CCE Server

Run the command below on the CCE server to check whether logs and flows are arriving from the firewall. Replace <IP address> with the firewall's IP; UDP port 514 carries the logs and UDP port 9995 the flows:

sudo tcpdump -i any -A host <IP address> and udp and '(port 514 or port 9995)'
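The tcpdump check above only shows that packets arrive; the added example below (not Seceon's or Forcepoint's own code) goes one step further and checks that what arrives on 514 is CSV syslog and what arrives on 9995 is NetFlow v9 or IPFIX, and that it comes from the expected firewall IP. It assumes it is run on a host where nothing else is bound to those ports (on the CCE the Seceon collector already owns them, so use a staging host or feed it captured datagrams), that the firewall may prefix CSV lines with a standard syslog '<PRI>' field, and the NetFlow v9 (20-byte) and IPFIX (16-byte) header layouts from RFC 3954 and RFC 7011.

```python
import select, socket, struct, time
from collections import Counter

SYSLOG_PORT, NETFLOW_PORT = 514, 9995   # UDP ports from the configuration above

def classify_syslog(payload: bytes) -> str:
    """Datagram on 514: Forcepoint forwards CSV log data, possibly behind a '<PRI>' prefix (assumption)."""
    text = payload.decode("utf-8", errors="replace").strip()
    end = text.find(">")
    if text.startswith("<") and 1 < end <= 4 and text[1:end].isdigit():  # PRI is 1 to 3 digits
        text = text[end + 1:]
    return "syslog-csv" if "," in text else "syslog-not-csv"

def classify_flow(payload: bytes) -> str:
    """Datagram on 9995: NetFlow v9 (version 9, 20-byte header) or IPFIX (version 10, 16-byte header)."""
    if len(payload) < 16:
        return "flow-truncated"
    version = struct.unpack("!H", payload[:2])[0]
    if version == 9:
        return "netflow-v9" if len(payload) >= 20 else "flow-truncated"
    if version == 10:   # second IPFIX header field is the total message length
        return "ipfix" if struct.unpack("!H", payload[2:4])[0] == len(payload) else "ipfix-bad-length"
    return f"flow-unknown-version-{version}"

def classify(port: int, src_ip: str, payload: bytes, expected_src: str) -> str:
    """Label one datagram; traffic that is not from the firewall IP is counted, never trusted."""
    if src_ip != expected_src:
        return "unexpected-source"
    if port == SYSLOG_PORT:
        return classify_syslog(payload)
    return classify_flow(payload) if port == NETFLOW_PORT else "unexpected-port"

def collect(expected_src: str, seconds: float = 30.0) -> Counter:
    """Bind both ports (root needed for 514) and tally what the firewall sends for `seconds`."""
    socks = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in (SYSLOG_PORT, NETFLOW_PORT)]
    for s, port in zip(socks, (SYSLOG_PORT, NETFLOW_PORT)):
        s.bind(("0.0.0.0", port))
    tally = Counter()
    deadline = time.monotonic() + seconds
    while (left := deadline - time.monotonic()) > 0:
        for s in select.select(socks, [], [], left)[0]:
            data, (src, _) = s.recvfrom(65535)
            tally[classify(s.getsockname()[1], src, data, expected_src)] += 1
    return tally

# Constructed sample datagrams (not real captures) to exercise the classifier offline.
SAMPLES = {
    (SYSLOG_PORT, b"<134>2024-05-01 10:00:00,Allow,192.0.2.5,10.0.0.7,443\n"): "syslog-csv",
    (NETFLOW_PORT, b"\x00\x09\x00\x00" + b"\x00" * 16): "netflow-v9",
}
```

A healthy setup reports only syslog-csv, netflow-v9 or ipfix counts; any unexpected-source, flow-unknown-version or syslog-not-csv entries point at a wrong Target Host, Service or Format setting in the rules above.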

Seceon Inc. All rights reserved. https://www.seceon.com