How to configure the Firewall Analyzer App
The Firewall Log Analyzer works similarly to an Intrusion Detection System, but without buying and installing an expensive device (if you have an IDS/IPS, our app can help make sense of those logs too!).
You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software to find malicious traffic, data leaks, and a wide variety of reconnaissance and attack vectors. Any events trigger an immediate alert that will appear on your RocketCyber dashboard.
Configuring Firewall Log Analyzer
Go to an organization
NOTE: This app must be configured at the organization level. This is to allow the flexibility to send each organization's logs to one of their own machines for processing if this is desired for business or compliance reasons.
Select the gear at the bottom of the tile to configure the Firewall Log Analyzer
There are a lot of configuration options. Let's start on the Syslog Configuration tab. This tab configures the selected agent as a Syslog server so that it can receive data from your firewall devices.
Here, we will configure the options that will turn an installed RocketAgent into a Syslog server to collect firewall log data.
|Syslog Server Device||This selects which of your RocketCyber-connected computers will be used a Syslog server to collect Syslog data from the desired firewalls.|
|Syslog Server IP||This is the IP address of the Syslog Server Device. Copy this IP address you will need when configuring Syslog forwarding on your firewall.|
|Syslog Server Port||This is the port that the Syslog Server Device will listen to in order to receive the firewall logs.
We recommend using the default 514
|Syslog Server Protocol||elects to receive the logs via TCP or UDP. We recommend using the default UDP|
|Max Daily Results||Worried about these overwhelming your RocketCyber account or providing so much data you can't process the results? This allows you to limit how many results we report per day|
|Local Log Save/Save Size||These last two items allow you to save a copy of your logs to the local hard drive (of the machine doing the processing), and to manage how large that log file can become. NOTE that this will have a performance impact on the system. Log file does not overwrite and still stop when limit is reached.|
|Don't Report Events Lower Than This Priority||The vast majority of notifications you will receive from a firewall deal with events that do not need any action on your part (e.g. malicious email attachment blocked). This can be several thousand results a day, which would completely overwhelm your dashboard and hide any real threats in the noise.
This setting allows you to filter out low-priority notifications and only see what is important. In the case of a confirmed attack (or if you want to verify the app is functioning), you can change this setting to Info or Debug. The default is Error
NOTE: Reputation IP lookups are the one exception to the "Don't Report Events Lower Than This Priority" setting.
All connections are informational by nature. If you have lookups enabled, it is assumed you want advance warning of attacks, so these alerts are allowed through even though they are informational.
This setting can be turned off under the tab for the brand of firewall and toggling to "NO" - IP reputation lookup
Non-firewall devices such as switches, routers or access points may register as being a firewall and can be excluded.
The non-firewall devices can then be deleted from the firewall registration list
Next, Click on the Geo Location Tab
Using the Geo Location tab you can enable or disable countries that you want to monitor traffic for. By default, all countries except the US are selected.
Configure Firewall Specific Items
Now select the Tab relevant to your brand of firewall product. We have selected reasonable default rules that will keep you protected without creating too many false positives. However, each network is unique and you know your organizations better than we do. Modify the selected events as desired.
Don't forget to click "Create" or "Update" when you are done! Otherwise, your configuration settings won't be saved.
*The Firewall Log Analyzer app can only be configured on a organization level. If trying to configure on the MSP level there will be a message indicating to only configure on the organization level.