Configuring the Firewall Analyzer

How to configure the Firewall Analyzer App

Overview

The Firewall Log Analyzer works similarly to an Intrusion Detection System, but without buying and installing an expensive device (if you have an IDS/IPS, our app can help make sense of those logs too!).

You configure the app to send firewall logs to one of your RocketCyber-connected computers. That computer runs our firewall analysis software to find malicious traffic, data leaks, and a wide variety of reconnaissance and attack vectors. Any events trigger an immediate alert that will appear on your RocketCyber dashboard.

Configuring Firewall Log Analyzer

  1. Go to an organization.

    NOTE: This app must be configured at the organization level. This allows each organization's logs to be sent to one of its own machines for processing, if that is desired for business or compliance reasons.

  2. Select the gear at the bottom of the tile to configure the Firewall Log Analyzer.

  3. There are a lot of configuration options. Let's start on the Syslog Configuration tab. This tab configures the selected agent as a Syslog server so that it can receive data from your firewall devices.

Here, we will configure the options that will turn an installed RocketAgent into a Syslog server to collect firewall log data.

Setting: Action

Syslog Server Device: Selects which of your RocketCyber-connected computers will be used as a Syslog server to collect Syslog data from the desired firewalls.

Syslog Server IP: The IP address of the Syslog Server Device. Copy this IP address; you will need it when configuring Syslog forwarding on your firewall.

Syslog Server Port: The port on which the Syslog Server Device will listen to receive the firewall logs. We recommend using the default, 514.

Syslog Server Protocol: Selects whether the logs are received via TCP or UDP. We recommend using the default, UDP.

Max Daily Results: Worried about these overwhelming your RocketCyber account, or providing so much data that you can't process the results? This setting limits how many results we report per day.

Local Log Save / Save Size: These last two items allow you to save a copy of your logs to the local hard drive (of the machine doing the processing) and to manage how large that log file can become. NOTE that this will have a performance impact on the system. The log file is not overwritten; logging stops when the size limit is reached.

Don't Report Events Lower Than This Priority: The vast majority of notifications you will receive from a firewall deal with events that do not need any action on your part (e.g. a malicious email attachment blocked). This can be several thousand results a day, which would completely overwhelm your dashboard and hide any real threats in the noise.

This setting allows you to filter out low-priority notifications and only see what is important. In the case of a confirmed attack (or if you want to verify the app is functioning), you can change this setting to Info or Debug. The default is Error.

 

NOTE: Reputation IP lookups are the one exception to the "Don't Report Events Lower Than This Priority" setting.

All connections are informational by nature. If you have lookups enabled, it is assumed you want advance warning of attacks, so these alerts are allowed through even though they are informational.

To turn reputation lookups off, open the tab for your brand of firewall and toggle "IP reputation lookup" to NO.
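As an added illustration (not RocketCyber's code, and not a description of how the app is implemented), the following Python script shows the mechanism behind the priority threshold and the reputation-lookup exception: it parses the syslog PRI field of each line into a facility and severity, drops anything less severe than the chosen threshold, and lets a reputation hit through regardless of severity. The sample log lines, the "reputation=hit" marker and the mapping of drop-down labels such as "Error" onto syslog severity codes are assumptions made for this example; how a particular firewall maps its own event priorities onto syslog severities is vendor-specific and not covered on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard syslog severity codes (RFC 5424 section 6.2.1): 0 is most severe, 7 least.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_BY_NAME = {name: code for code, name in enumerate(SEVERITY_NAMES)}
# Friendly labels as a drop-down might show them, mapped to the syslog keyword (assumed mapping).
THRESHOLD_ALIASES = {"error": "err", "warn": "warning", "critical": "crit", "emergency": "emerg"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    message: str
    raw: str


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Split the leading <PRI> field into facility and severity; return None for non-syslog input."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal PRI is facility 23 * 8 + severity 7
        return None
    return SyslogEvent(facility=pri // 8, severity=pri % 8, message=m.group(2).strip(), raw=line)


def severity_threshold(name: str) -> int:
    """Turn a label such as 'Error', 'Info' or 'Debug' into a syslog severity code."""
    key = name.strip().lower()
    return SEVERITY_BY_NAME[THRESHOLD_ALIASES.get(key, key)]


def is_reputation_hit(event: SyslogEvent) -> bool:
    # Constructed marker for this example; the app's real reputation-lookup output is not documented here.
    return "reputation=hit" in event.message


def should_report(event: SyslogEvent, min_priority: str = "Error", reputation_lookups: bool = True) -> bool:
    """Report if the event is at least as severe as the threshold, or if it is a reputation hit with lookups on."""
    if reputation_lookups and is_reputation_hit(event):
        return True
    return event.severity <= severity_threshold(min_priority)


def filter_events(lines: List[str], min_priority: str = "Error", reputation_lookups: bool = True) -> List[SyslogEvent]:
    """Parse every line and keep only the events that pass the threshold / reputation rule."""
    kept = []
    for line in lines:
        event = parse_syslog_line(line)
        if event is not None and should_report(event, min_priority, reputation_lookups):
            kept.append(event)
    return kept


# Constructed sample lines (facility local0 = 16, so PRI = 128 + severity).
SAMPLE_LINES = [
    "<134>Feb 24 20:00:36 fw01 filterlog: pass in on em0 10.0.0.5:51234 -> 93.184.216.34:443",  # info
    "<131>Feb 24 20:00:37 fw01 filterlog: block in on em0 198.51.100.7:4444 -> 10.0.0.5:22",  # err
    "<134>Feb 24 20:00:38 fw01 filterlog: pass out on em0 10.0.0.8:40000 -> 203.0.113.9:8080 reputation=hit",  # info, but a reputation hit
    "<135>Feb 24 20:00:39 fw01 filterlog: state table sync complete",  # debug
    "<130>Feb 24 20:00:40 fw01 kernel: link down on em1",  # crit
    "not a syslog line at all",  # ignored by the parser
]

if __name__ == "__main__":
    for label in ("Error", "Info", "Debug"):
        kept = filter_events(SAMPLE_LINES, min_priority=label)
        print(f"threshold={label}: {len(kept)} of {len(SAMPLE_LINES)} lines reported")
    print("lookups off, threshold=Error:", len(filter_events(SAMPLE_LINES, "Error", reputation_lookups=False)))
```

With the default "Error" threshold the script reports three of the six sample lines (the blocked SSH attempt, the link-down event, and the informational connection that carries a reputation hit); switching the threshold to "Info" or "Debug" widens that to four and five respectively, and turning lookups off with the threshold left at "Error" drops the reputation hit, mirroring the behaviour described above.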

 

Non-firewall devices such as switches, routers or access points may register as being a firewall and can be excluded.

 

The non-firewall devices can then be deleted from the firewall registration list.

 

Next, click on the Geo Location tab.

Using the Geo Location tab you can enable or disable the countries whose traffic you want to monitor. By default, all countries except the US are selected.

To find a specific country in the Enabled Countries list, use Ctrl-F.

Configure Firewall Specific Items

Now select the Tab relevant to your brand of firewall product. We have selected reasonable default rules that will keep you protected without creating too many false positives. However, each network is unique and you know your organizations better than we do. Modify the selected events as desired.

    1. Barracuda
    2. Cisco Meraki
    3. Fortinet
    4. PfSense
    5. SonicWall
    6. Sophos
    7. Ubiquiti
    8. Untangle
    9. WatchGuard
    10. Juniper
    11. Zyxel
    12. Palo Alto
    13. Cisco ASA
    14. Cisco IOS
    15. Checkpoint

Don't forget to click "Create" or "Update" when you are done! Otherwise, your configuration settings won't be saved.

 

*The Firewall Log Analyzer app can only be configured at the organization level. If you try to configure it at the MSP level, a message will indicate that it must be configured at the organization level.


 

Troubleshooting articles

 

https://helpdesk.kaseya.com/hc/en-gb/articles/11947960343185-Firewall-Log-Analyzer-Agent-failed-to-bind-port

https://helpdesk.kaseya.com/hc/en-gb/articles/12431813570193-How-can-I-tell-if-firewall-is-connected-to-the-Firewall-log-analyzer-app-

https://helpdesk.kaseya.com/hc/en-gb/articles/4407228488721-Firewall-Analyzer-Troubleshooting

https://helpdesk.kaseya.com/hc/en-gb/sections/4406091575185-Troubleshooting-FAQ-s
