Stormshield Event Reporter User Guide
Contents
STORMSHIELD NETWORK EVENT REPORTER V1.2 USER CONFIGURATION MANUAL

USER MANUAL - STORMSHIELD - INTRODUCTION

FOREWORD

License

Products concerned: U30, U70, U120, U250, U450, U1100, U1500, U6000, NG1000-A, NG5000-A, U30S, U70S, U150S, U250S, U500S, U800S, SN150, SN200, SN300, SN500, SN700, SN900, SN2000, SN3000, SN6000, VS5, VS10, V50, V100, V200, V500 and VU.

Copyright NETASQ 2014. All rights reserved. Any copying, adaptation or translation of this material without prior authorization is prohibited. The contents of this document relate to the developments in NETASQ's technology at the time of its writing. With the exception of the mandatory applicable laws, no guarantee shall be made in any form whatsoever, expressly or implied, including but not limited to implied warranties as to the merchantability or fitness for a particular purpose, as to the accuracy, reliability or the contents of the document. NETASQ reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice.

Liability

This manual has undergone several revisions to ensure that the information in it is as accurate as possible. The descriptions and procedures herein are correct where Stormshield Network firewalls are concerned. NETASQ rejects all liability directly or indirectly caused by errors or omissions in the manual, as well as for inconsistencies between the product and
URL to submit a category
URL for online help

Figure 14: General options - Tools tab

2.2.3.3.1 Packet analyzer

When an alarm is raised on a Stormshield Network Firewall, the packet that set off the alarm can be viewed. You will need a packet viewer such as Wireshark or Packetyzer to do this. Specify the viewer to be used in the "Packet analyzer" field so that Reporter can use it to display malicious packets.

2.2.3.3.2 URL to submit a category

Administrators of Stormshield Network Firewalls cannot edit listed and categorized URL groups. However, certain URLs may turn out to be wrongly categorized, or may not be in the list. To add URLs to the list, administrators can submit these URLs to the website https://mystormshield.eu. There are two ways of submitting URLs: by connecting directly to the website to specify the URL manually, or, when the URL appears in Reporter's tables, by using the contextual menu of the Web grid in Reporter so that the submission is automatic. In order to do this, the URL to be submitted has to be specified in the "URL to submit a category" field in Reporter.

2.2.3.3.3 URL for online help

The address shown here allows you to access the online help.

Page 26/45 - snfrgde nom du document v1.2 - Copyright Netasq 2014 - USER MANUAL - STORMSHIELD NETWORK EVENT REPORTER

2.2.3.4 Address book tab

General options: General - Log - Tools - Address bo
reset
- Message: Alarm
- Help: Links to an explanation of the alarm raised
- Alarm ID: Alarm's identifier on the Firewall
- Repeat: Number of times the alarm has been repeated within the duration specified in the Administration Suite
- Rule name: This column contains the value specified in the "Name" field in the filter rule editor
- Class: Class to which the raised alarm belongs

3.3.2.8 Operation

- Category: Category to which the URL having caused the generation of logs belongs
- Category group: Category group containing the category to which the URL that set off the log function belongs
- Operation: Protocol's identified command
- Result: Error message (return code)
- Argument: Operation's parameter
- Ads: icon
- Spam level: Spam level (0: message not considered spam; 1, 2 and 3: spam; x: error when processing the message, the nature of the message could not be determined)
- Virus: Indicates whether the e-mail contains a virus. Possible values are safe, infected, etc.
- Classification: Generic category to which the alarm belongs. Examples: Protocol, Content filtering, Web, Mail, FTP

3.3.2.9 Vulnerability Manager

- Vuln ID: Vulnerability identifier
- Family: Family to which the vulnerability belongs
- Severity: Level of the vulnerability's criticality
- Solution: Yes or no, depending on whether a solution is suggested
- Exploit: Indicates the location where a vulnerability can be exploited
- Virus: Indicates the name of the detected virus

3.4.2 Services logs

3.4.2.1 Introduction

5 services are available: Administration, Authentication, System, IPSec VPN, SSL VPN.

3.4.2.2 Administration

[Figure 20: Administration - screen capture of the Administration log grid. Selection by time at which file was saved: This Year, From 01/01/2012 00:00:00 To 17/01/2012 23:59:59; Time zone: Station. Columns: Date, Session, User, Source, Session Status, Message. Rows dated 01/01/2012 and 02/01/2012 with session ids in the 01 0000 format and messages such as "Serverd started". Sources tree on the left: Filtering, Alarm, Connection, Web, SMTP, POP3, Plugin, SSL, Vulnerability Manager, FTP, Services, Administration.]

A history of all commands transmitted to the Firewall is given in this sub-menu. 11 fields are used:

- Firewall: Firewall's serial number
- Date: Date on which the entry was generated
- Tim
2 possible options: locally or remotely
- Client target: Client target
- Server target: Server target
- Detected on: Date on which the vulnerability was detected

3.3.2.10 SIP

- Media: Indicates the type of media (control, audio, video, etc.)
- Caller: Indicates the caller
- Callee: Indicates the party being called (i.e. the callee)

3.3.2.11 Context

- Configuration id: ID of the configuration

3.3.2.12 Translation (NAT)

- Source address
- Source port
- Destination orig
- Destination port orig

3.3.2.13 Content policy

- ID Politique: Identifier of the configuration policy in force

3.3.3 Sorting by columns

Logs are displayed in a table that has certain properties which enhance data reading. Firstly, it is possible to sort the data according to type (alphabetical, date, bytes, etc.) in ascending or descending order. In order to do so, click on the header of the selected column. An arrow pointing upwards or downwards confirms that the sorting has been carried out.

A grouping system in the form of nodes enables you to isolate the data requested. A drop zone is placed above the table; it reads as follows: "Drag a column header here to group by that column". In order to group together the data of any one column, select the header of the column and drag it into this zone. The
To 26/06/2014

[Figure 1: Connection - screen capture of the Connection window. The message reads: "To download logs and other information you must select a data source". Sources: Firewall, Syslog; "Connect to" button; log grid with the drop zone "Drag a column header here to group by that column".]

2.1.2 Connection

In the "Connection" window you can select how you wish to view data. When Stormshield Network EVENT REPORTER is executed from the Windows menu, Windows will check whether there is an address book. This address book, which is common to all Stormshield Network applications, may or may not be encrypted. If it is encrypted or does not yet exist, there will be an additional step before connecting Stormshield Network EVENT REPORTER to the Firewall.

REMARK: A message appears when connecting to a firewall configured with its default password.

2.1.2.1 Direct connection to a Stormshield Network Firewall

REMARK: This connection is recommended if you have only one firewall and the amount of logs generated is fairly small.

If the address book exists and is encrypted (see Part 1, Chapter 2 "Address Book" for more information on address book options), its password will be requested before every connection t
throughput on the appliance's interfaces, as well as the use of each QoS rule.

3.2.2 Customizing

When you select the Graphs menu in the directory, the customization screen will appear at the same time as the graphs. You may close this screen at any time.

Click on the graph zone to open the "Customize graph" window again if you have closed it.

3.2.2.1 Security indicators and system events

3.2.2.1.1 Security

The security indicator is linked to the monitoring of alarms and events relating to the ASQ kernel. The security indicator is weighted in several elements:

- Minor alarms: indicators of the number of minor alarms
- Major alarms: indicators of the number of major alarms
- ASQ memory: indicators of the amount of ASQ memory left

The display of these indicators is based on the weighting of system events in relation to each other, in order to present a coherent status of the Firewall: major alarms will have more weight than minor alarms.

3.2.2.1.2 System events

System indicators are linked to the monitoring of events relating to the Ethernet interfaces supported by the Firewall processor. System indicators concern:

- Logs: indicators relating to the occupation of the space allocated to logs
- Ethernet: indicators relating to interface connectivity
- CPU: indicators relating to the load of the Firewall processor
- HA: indicators relating to the high availability set-up, if present on the Firewall
- Server: Indicators re
[Figure 23: IPSec VPN - screen capture of the IPSec VPN log grid. Drop zone: "Drag a column header here to group by that column". Columns: Date, Source, Destination. Rows dated 01/01/2012 between 04:18:00 and 10:43:27, source Firewall_bridge, destination gw.]

This sub-menu provides a history of events concerning IPSec VPN. Several fields are used:

- Date: Date on which the entry was generated
- Result: Error message
- Phase: SA negotiation phase. Corresponds to a VPN tunnel endpoint
- Source: Connection's source address
- Destina
3.4.4.2 The "Generate URLs" section

This section generates a list of the web addresses visited by users in an HTML file, in the case where URL filtering has been activated. This list can be used to indicate new URLs to filter to Stormshield Network UNIFIED MANAGER. Click on the "Generate" button to generate this HTML file. A screen will appear allowing you to name the file and save it in a folder of your choice.

The "Firewall information" section

This section provides information about the Firewall: firewall identifier (serial number), firewall name, user name and HA status (High availability).

3.5 DATA EXPORT

3.5.1 Export

Click on the "Export" button in the action bar of the Logs tabs to export data. A wizard will guide you in exporting your data. Data can be exported in 4 formats:

[Figure 26: Export wizard - Step 1. "Welcome to the export wizard. It will guide you through the process of creating your own data export. Select an export format". Export format: TXT, HTML. Step 1 of 3.]

- TXT
- XML
- HTML
- XLS

If you select the TXT format, during Step 2 the assistant will prompt you to choose a field separator, as shown in the example below.
[Figure 24: Count - screen capture of the Count statistics grid (Rule2, 25.0 Bytes). Rows dated 01/01/2012 at 15-minute intervals from 00:20:29 to 07:50:29. Sources tree on the left: Filtering, Alarm, Connection, Web, SMTP, POP3, Plugin, SSL, Vulnerability Manager, FTP, Services (Administration, Authentication, System, IPSec VPN, SSL VPN), Statistics.]

3 fields are available:

- Date: Date on which the entry was generated
- Rule ID: Rule identifier
- Count: Indicates the number of megabytes

Filtering

3.4.3.2.1 / 3.4.3.3.1 Filter stats

- Date: Date on which the entry was generated
- Firewall: Firewall's serial number (or name, if known)
- Time: Time at which the entry was generated
- Line: Line number in the log file
- Date/Time: Date and time on which the entry was generated
- Saved evaluation: Number of rule evaluations that could not be performed b
given
- Incoming throughput: At a given moment
- Maximum incoming throughput: Observed over the defined period
- Outgoing throughput: At a given moment
- Maximum outgoing throughput: Observed over the defined period

3.2.2.5 QoS

3.2.2.5.1 List of QoS rules

This section sets out the list of the different QoS (Qualities of Service) defined on the firewall:

- DEFAULT
- SSH pri
- HTTP
- SSH Ext
- DNS
- Squid
- CIFS
- FTP

3.2.2.5.2 Traffic by QoS

- Incoming bandwidth: At a given moment
- Maximum incoming bandwidth: Observed over the defined period
- Outgoing bandwidth: At a given moment
- Maximum outgoing bandwidth: Observed over the defined period

3.2.2.6 Graphs options

3.2.2.6.1 Full precision for long periods

When this option is checked, all the points in the period are taken into account. However, for very long periods, only certain significant points are taken, in order to prevent the graph from getting too crammed.

3.2.2.6.2 Percentage of CPU up to 100%

When this option is selected, the scale at which the processor's load is plotted is dynamic. Therefore, if the processor's load is light, the graph's scale will be adapted so that the administrator can read it. Otherwise, the maximum value of the scale will remain at 100% regardless of the maximum value
history of authentication requests. Several fields are used:

- Firewall: Firewall's serial number
- Date: Date on which the entry was generated
- User: User seeking authentication
- Source: Address requesting authentication
- Result: Error message
- Message: Return message for the request

3.4.2.4 System

[Screen capture of the System log grid (Figure 22). Drop zone: "Drag a column header here to group by that column". Columns: Date, Service, Message. Rows dated 01/01/2012 with services proxy, dns and sysevent, and messages such as "Sighup received, refresh config", "URLFiltering profile 01: unable to load rule 8, bypass it", "cache cycle 1 times each day based on last 60 minutes activity, 3 times each day based on activity since first check (299 hours)" and "Active Update: update successful (Kaspersky)".]
obtained up until then.

3.3 CUSTOMIZING COLUMNS AND HEADERS

The names of the following columns correspond to the data that may be consulted in Network logs. These columns are grouped according to the type of data under headers. To start customizing your headers and columns, open a log file in the Logs tab and click on the "Columns" button in the action bar.

Figure 16: Button bar (Customize: Columns, Print, Exporting, Import WELF file, View time, Filter)

3.3.1 Headers

Headers are thematic classifications of columns. Columns under the same header are placed adjacently.

Figure 17: Customizing headers

- Lines date: Information relating to the line and time of the packet's log
- Interface: Information relating to the interface through which the packet passed
- Protocol: Information relating to the packet's protocol
- Source: Information relating to the packet's source
- Destination: Information relating to the packet's destination
- Volume: Information relating to the packet's volume
- Action: Information relating to the volumes of data in the packet
- Operation: Information relating to the commands carried out when using protocols managed by plugins and proxies
- Vulnerability Manager: Information relating to the VULNERABILITY MANAGER module
- SIP
window contains the following options:

- File: Allows you to connect to the firewalls and to access options in the application
- Applications: Allows you to directly launch the two other applications that make up the Stormshield Network Administration Suite: UNIFIED MANAGER and REAL-TIME MONITOR
- Windows: Position of the windows and icons in the application
- Help: Allows access to the current help file and to find out Reporter's version

2.2.1.3 Menu directory

The menu directory consists of 2 tabs.

2.2.1.3.1 Sources tab

The Sources tab enables connection to the different log sources provided by Stormshield Network for the analysis of logs and events raised by the Firewall. When directly connected to the Firewall, this log retrieval method makes it possible to dispense with log centralization tools. However, it does not allow centralizing the logs of several Firewalls, which is usually essential for analyzing an event that is spreading across several company sites. Furthermore, this method is only available for appliances that

These three actions in the Sources tab are explained in Part 3, Chapter 1 "Sources" of this manual.

2.2.1.3.2 Logs tab

Logs: Graphs, Network, Services, Statistics, Miscell
- POP3: E-mail logs generated by the POP3 proxy. The POP3 proxy has to be activated for these logs to be available
- SSL: SSL secure connection logs (HTTPS)
- Plugins: Information regarding the plugins activated on your Firewall, except the HTTP plugin
- FTP: Transferred log files (FTP proxy)

See the section "Customizing columns and headers" in Part 3 to get a better description of the table.

NOTE: Web and plugin logs can no longer be merged, as they will become independent again. The name of the intrusion prevention profile will be displayed in the Alarms, Connection and Filter logs.

3.4.1.1 Web

Right-clicking on a destination name will display the contextual menu, which allows you to:

- Submit URL to a category: when you open the contextual menu after having selected a URL, this option sends the URL to the URL submission form on the website. This form will also enable putting a URL into a category and submitting a new URL category.

3.4.1.2 Vulnerability Manager

21 fields are used:

- Line: Line number in the logs
- Date: Date on which the recorded logs were generated
- Time: Time at which the recorded logs were generated
- Internet Protocol: Name of the internet protocol used
- Protocol: Name of the protocol used
- User: Connection identifier
- Source name: Source address o
[Figure 27: Export wizard - Step 2. "Select a field separator". Separator options: Comma (CSV file), Semicolon, Tab, Space, Other. Step 2 of 3.]

In the last step (Step 3), the wizard will ask you to select the column headers and the columns to be exported, using checkboxes.

[Figure 28: Export wizard - Step 3. "Select headers and columns to export": Lines date, Interface, ..., Configuration, SIP; "Select all" button. Step 3 of 3.]

The interface allows you to check or uncheck all the boxes, get the default selection, and save or restore your column selection. Each export type has its own backup. By checking a box you automate this operation. When you later select the "Finish" button, the interface will ask you if you wish to save the generated file in a folder of your choice. This folder will be remembered for each export type.

REMARK: If Reporter connects directly to a Firewall and the number of lines to be retrieved from the Firewall exceeds 10,000, a download confirmation message will appear on the screen.

3.5.2 Log format

The logs are in WELF (WebTrends Enhanced Log Format) format.

Line whole type
Information relating to the media, caller and callee of the SIP plugin
- Context
- Translation (NAT)
- Content policy

When you deselect an option that is linked to a header in the grid, the column will be deleted for that grid.

Example: For Alarm logs, you have deselected the header "Line date". The header and the options associated with it will be removed from the grid. The other log files will nonetheless keep this header.

If you disconnect and reconnect to the firewall, changes to the customization will be saved.

3.3.2 Columns

[Figure 18: Customizing columns - screen capture of the "Customize columns" window. Under "Lines date": Firewall, Firewall Name, Line, Date, Time, New rules, Rule ID, Priority, Saved at, Time zone, Packet, Source Interface, Source Interface Name, Destination Interface, Destination Interface Name, Movement Type, Movement. Under "Protocol": Internet Protocol, Protocol, Group. Then "Source".]

3.3.2.1 Lines date

- Firewall: Firewall's serial number
- Firewall name: Name of the firewall
- Line: Number of the log line
- Date: Date the log line was generated
- Time: Time the log line was generated
- Slot level: Number corresponding to the classification of filter rules (local or global)
- Rule ID: Rule identifi
ameters of a web page

STORMSHIELD
documentation.stormshield.eu
aneous

Figure 7: Logs tab

This tab contains five options, each distinguished by a colored icon:

- Graphs: Enables you to display, in the form of on-line graphs (vector graphs or histograms), different types of Firewall data: security and system indicators, processor consumption, throughput on the different interfaces, quality of service.
- Network: Enables you to display, in the form of tables, all types of Firewall logs, which are divided into 8 tables: Filter, Alarms, Connection, Web, SMTP, POP3, Plugin and Vulnerability Manager.
- Services: Enables viewing, in the form of tables, different types of information and messages: administration on the Firewall, authentication information and errors, or IPSec and SSL VPN information and errors.
- Statistics: Enables you to display, in the form of tables, different types of statistics (counters, filter rules created and address translation).
- Miscellaneous: Enables you to retrieve various log data. It is also possible to generate a file containing the addresses of all the Internet sites consulted.

Selecting an entry that is already displayed will refresh the data.

2.2.1.4 Date and filter selection bar

Figure 8: Selecting the date

This bar enables you to define the period over which you wish to retrieve data. You may choose from among a number of pre-defin
ation will be represented in the following fonts:

Menu
Interfaces

1.1.2.3 Indications

Indications in this manual provide important information and are intended to attract your attention. Among these you will find:

NOTES / REMARKS: These messages provide a more detailed explanation of a particular point.
WARNING / RECOMMENDATION: These messages warn you about the risks involved in performing a certain manipulation or about how not to use your appliance.
TIP: This message gives you ingenious ideas on using the options on your product.
DEFINITION: Describes technical terms relating to Stormshield Network or networking. These terms will also be covered in the glossary.

1.1.2.4 Messages

Messages that appear in the application are indicated in double quotes. Example: "Delete this entry".

1.1.2.5 Examples

Example: This allows you to have an example of a procedure explained earlier.

1.1.2.6 Command lines

Command lines: Indicates a command line, for example an entry in the DOS command window.

1.1.2.7 Reminders

Reminders are indicated as follows: Reminder.

1.1.2.8 Access to features

Access paths to features are indicated as follows: Access the menu File > Options.

1.1.3 Vocabulary

- Dialup: Interface on which the modem is connected
- Firewall: Stormshield Network UTM device (product)
- Logs: rec
[System log grid, continued: further "cache cycle 1 times each day based on last 60 minutes activity, 3 times each day based on activity since first check" messages (300 to 307 hours), interleaved with "Sighup received, refresh config", "URLFiltering profile 01: unable to load rule 8, bypass it" and "Active Update: update successful (Kaspersky)" entries.]

Figure 22: System

This sub-menu provides a history of messages linked to Firewall services.

3.4.2.5 Services

Administration, Authentication, IPSec VPN
cting to the Firewall. A Firewall connection in the Sources tab enables performing three connection-related actions:

- New: By clicking on this option, the address book opens automatically on the list of registered Firewalls. This enables saving a new Firewall in the address book.
- Connect to the Firewall: By clicking on this option, the connection window appears and allows connections to the Firewall without the need to register it.

REMARKS:
1. If a firewall was already connected, the following message will appear before the connection screen appears: "Confirm disconnection".
2. If you wish to remain connected while connecting to another firewall, access the menu bar and select File > Open. A connection window will open, allowing you to authenticate in order to access another firewall. You can be connected simultaneously to as many firewalls as you wish.

- Firewall xx: Lastly, this option provides direct access to the list of registered Firewalls, allowing quick connection to the selected Firewall.

3.2 GRAPHS

3.2.1 Introduction

Reporter is capable of analyzing the Firewall's activity. The Graphs menu in Reporter enables the display of Security and System events, the use of the firewall's processor, indicators of vulnerability levels supplied by Stormshield Network Vulnerability Manager,
ctions
- Rule ID: Rule identifier
- Filtered

3.4.3.2.7 / 3.4.3.3.7 Filtered

- Facts
- Overflow: Number of log lines lost

If you select a line from an expanded node, an explanation appears in the button bar situated below the table.

3.4.4 Miscellaneous

The Miscellaneous menu enables viewing several types of information.

[Figure 25: Miscellaneous - screen capture. Sources tree on the left (Network: Filtering, Alarm, Connection, Web, SMTP, POP3, Plugin, SSL, Vulnerability Manager, FTP; Services: Administration, Authentication, System, IPSec VPN, SSL VPN; Statistics: Count; Miscellaneous). The "Log information" grid with a Delete column, and the "Generate URL list" section ("Filtering: This action provides help on entering the URLs to filter in NETASQ UNIFIED MANAGER"; "Generate" button).]

3.4.4.1 The "Log information" section

This section provides information on the number of log lines on the Firewall. To update the information, click on the "Get info" button. If you possess modification privileges, an additional column will appear, enabling the selection of logs to be deleted on the Firewall using the "Clear on firewall" button. Archived logs will then be deleted.

- Delete: The selected line will be deleted if this option is checked.
dy been performed. Data is no longer sent from the Firewall when this option is selected and data has already been sent. This option is inactive when working on the current day.
- Keep local copy of WELF files from the firewall: Locally stores all the log files downloaded from the Firewall. The "Clear local cache" button, as its name implies, allows you to purge the local cache of downloaded logs.

2.2.3.2.2 Maximum number of downloaded lines

This option allows you to specify the maximum number of lines downloaded for a connection to the Firewall. In order to facilitate loading and transforming logs, they can be displayed in 15,000 lines per page when you select the option "Download by page". If the specified period contains more than the maximum number of lines, the logs will be loaded into the cache and a browsing system will enable the display of 15,000 lines per page each time (only in the case of logs directly downloaded from a Firewall).

Example: You have indicated that you wish to load a maximum of 500 log lines per page for the firewall. If the number of lines exceeds this number, the button will become "Page 1/2".

REMARK: This only applies to logs that have been directly downloaded from a Firewall.

2.2.3.3 Tools tab

General options: General - Log - Tools - Address book
Packet analyzer
e: Time at which the entry was generated
- Line: Line number in the log file
- Date time: Date and time on which the entry was generated
- Result: Error message
- User: Connection identifier
- Source: Connection's source address
- Session id: 00 0000 format. The first two digits correspond to the number of times the Firewall has been reinitialized; the following 4 correspond to the number of connections on the Firewall
- Message: Command line sent to the Firewall
- Timezone: Firewall's time zone at the moment of writing the log

3.4.2.3 Authentication

[Figure 21: Authentication - screen capture of the Authentication log grid. Drop zone: "Drag a column header here to group by that column". Columns: Date, User, Source, Status. Rows dated 01/01/2012 with source addresses and status "ok". Sources tree on the left: Network (Filtering, Alarm, Connection, Web, SMTP, POP3, Plugin, SSL, Vulnerability Manager, FTP), Services (Administration, Authentication).]

This sub-menu provides a
ecause of the ASQ technology.
• Fragmented: number of fragmented packets transmitted through the firewall.
• Timezone: the Firewall's time zone at the moment of writing the log.
• Slot: number of the activated policy.
Real host
• Host: memory allocated to a host.
• Fragmented: number of fragmented packets transmitted through the firewall.
• ICMP: memory allocated to ICMP.
• Connection: memory allocated to connections.
• Dynamic: percentage of ASQ memory being used.

3.4.3.2.2 / 3.4.3.3.2 Memory
• Logged: number of log lines generated.
• Log overflow: number of log lines lost.
• Accepted: number of packets matching Pass rules.
• Blocked: number of packets matching Block rules.

3.4.3.2.3 / 3.4.3.3.3 Rules
• Rule n (nn): number of times that a rule has been applied to a packet. In brackets, the first number indicates the number of the policy and the second refers to the number of the rule in this policy.

3.4.3.2.4 / 3.4.3.3.4 Bytes
• TCP: number of bytes from TCP packets transmitted through the firewall.
• UDP: number of UDP packets transmitted through the firewall.
• ICMP: number of ICMP packets transmitted through the firewall.

3.4.3.2.5 / 3.4.3.3.5 Packets
• TCP: number of TCP packets transmitted through the firewall.
• UDP: number of UDP packets transmitted through the firewall.

3.4.3.2.6 / 3.4.3.3.6 Conne
ed periods:
• Manual selection
• Last hour
• Last six hours
• Today
• Yesterday
• This week
• This month
• This year
• Last week
• Last month
• Last year
• All
• Last lines

2.2.1.4.2 Filters
You can select the filters to be applied on the columns and perform multi-criteria searches using the selection button (see the section Part 3, Chapter 5, Filter Constructor in this manual).
[Figure 9: Filters (No data filter)]
Selecting this option enables you to build data filters on each column. When you activate this option, an arrow pointing downwards appears at the far right of the columns. By selecting one of the pre-entered values or entering a value of your own choice, you automatically limit the table data to those corresponding to the filter on the selected column. The arrow then turns navy blue and the active filter appears at the bottom of the table. A white cross enables you to delete all the active filters at once.

2.2.1.5 Result display zone
Data and options from the selected menus appear in this zone in the form of graphs or tables.
NOTE: These windows will be explained in further detail in the corresponding chapters.

2.2.1.6 Status bar
[Figure 10: Status bar]
This bar comprises 5 information zones:
• A text zone di
er
• Priority: alarm level (major or minor).
• Saved at: time at which the log was saved.
• Timezone: the Firewall's timezone.
• Packet: displays the packet which raised the alarm. This feature has to be configured in Monitor, in the Administration Suite.

3.3.2.2 Interface
• Source interface: the source interface's network adapter.
• Source interface name: name of the source interface.
• Destination interface: the destination interface's network adapter.
• Destination interface name: name of the destination interface.
• Movement type: type of packet movement.
• Movement: packet movement.

3.3.2.3 Protocol
• Internet Protocol: Internet protocol.
• Protocol: base protocol.
• Group: protocol group.

3.3.2.4 Source
• Source name: source IP address or resolved name.
• User: name of the authenticated user.
• Source: source IP address.
• Source port name: name of the source port.
• Source port: source port number.

3.3.2.5 Destination
• Destination: destination IP address.
• Destination name: destination IP address or resolved name.
• Destination port: destination port number.
• Destination port name: name of the destination port.

3.3.2.6 Volume
• Sent: amount of data sent.
• Received: amount of data received.
• Duration: connection duration.

3.3.2.7 Action
• Action: filter rule action (none, pass, block)
extual menu
3.4 LOG TYPES
3.4.1 Network logs
3.4.2 Services logs
3.4.3 Statistics Logs
3.4.4 Miscellaneous
3.5 DATA EXPORT
3.5.1 Export
3.5.2 Log format

1 INTRODUCTION
1.1 BASIC PRINCIPLES
1.1.1 Who should read this user guide
This manual is intended for network administrators or for users with a minimum knowledge of IP. In order to configure your Stormshield Network Firewall in the most efficient manner, you must be familiar with these protocols and their specific features:
• ICMP (Internet Control Message Protocol)
• IP (Internet Protocol)
• TCP (Transmission Control Protocol)
• UDP (User Datagram Protocol)
Knowledge of the general operation of the major TCP/IP services is also preferable:
• HTTP
• DNS
• FTP
• DHCP
• Email (SMTP, POP3, IMAP)
• SNMP
• Telnet
• NTP
If you do not possess this knowledge, don't worry: any general book on TCP/IP can provide you with the required elements. The better your knowledge of TCP/IP, the more efficient your filter rules will be and the greater your IP security.

1.1.2 Typographical conventions
1.1.2.1 Abbreviations
For the sake of clarity, the usual abbreviations have been kept, for example VPN (Virtual Private Network). Other acronyms will be defined in the glossary.
1.1.2.2 Display
Names of windows, menus, sub-menus, buttons and options in the applic
f the connection.
• Source port name: source port of the connection.
• Message: command line sent to the firewall.
• Argument: complementary information associated with the log line (contacted web page).
• Vuln ID: vulnerability identifier.
• Family: family type to which the vulnerability belongs.
• Severity: level of criticality of the vulnerability.
• Solution: indicates with a yes or no whether a solution is offered.
• Exploit: the solution may be accessed locally or remotely via the network. It allows exploitation of the vulnerability.
• Product: name of the client application.
• Service: name of the server application.
• Detail: self-explanatory.
• Client target: client target.
• Server target: server target.
• Detected: date on which the vulnerability was detected.

3.4.1.3 FTP
11 fields are used:
• Line: line number in the logs.
• Date: date on which recorded logs were generated.
• Time: time at which recorded logs were generated.
• User: connection identifier.
• Source name: source address of the connection.
• Destination name: destination address of the connection.
• Destination port name: destination address port of the connection.
• Received: volume received.
• Action: action to perform (Pass, Block or Scan).
• Message: command line sent to the firewall.
• Operation: indicates FTP commands (LIST, RETR, QUIT
ifferent time zones, depending on:
• Your computer's time zone
• The Firewall's time zone
• GMT
Thus the date and time vary according to the option selected from those indicated above. Logs from a firewall in London (GMT) can therefore be consulted on a workstation in Paris (GMT+1).
Example: An antispam update event was detected at midnight, London time. If the user selects the option Your computer's time zone, he will see this event at 1:00 a.m. Paris time. However, if he selects the option The Firewall's time zone, he will see it at midnight, which shows whether the firewall has been configured as it should be, in the London timezone.

2.2.2 DESCRIPTION OF THE MENU BAR
2.2.2.1 File menu
The File menu allows the following:
• Open: enables connecting directly to a Firewall via its protocol.

2.2.2.2 Applications menu
The Applications menu enables connecting to other applications in the Administration Suite. Use these shortcuts instead of having to re-authenticate each time on each application.
• Launch Stormshield Network REAL TIME MONITOR: enables opening the REAL TIME MONITOR application from the Administration Suite.
• Launch Stormshield Network UNIFIED MANAGER: enables opening the UNIFIED MANAGER application from the Administration Suite
in Global Administration mode.
• Arrange icons: enables the organization of the icons representing the Firewalls.
• Help: displays a screen that accesses the documentation in your secure access area on the website.
• License: enables retrieving a newly downloaded license from a directory.
• About: displays the about box indicating the software version of Stormshield Network EVENT REPORTER. In the professional version, information on the REPORTER license is found here: license version, organization name, contact name, e-mail address and unique user identification for technical support.

2.2.3 OPTIONS
The Options sub-menu allows configuring the application and logs. Go to the menu File / Options to configure these options.

2.2.3.1 General tab
[Figure 12: General options, General tab (Default language: English (reporter.ENG); Reporter starting: Open a grid, Connect to the firewall; Miscellaneous: Keep connection details in the log file, Clear log file each time the application is started; Grid font: MS Sans Serif)]
2.2.3.1.1 Default language
The Stormshield Netwo
ion file. This file can be found on the website https://mystormshield.eu. The installation file is in English and French. You will also need your firewall's internal IP address as well as its serial number.

1.2.1 PRE-REQUISITES
The basic library corresponds to all the modules necessary for the other programs. 15.3 MB of hard disk space is necessary. The minimum installation groups together:
• Stormshield Network Unified Manager: graphical interface for the administration of Stormshield Network Firewalls.
• Stormshield Network Real Time Monitor: real-time viewer of your Stormshield Network Firewall (2.58 MB).
• Stormshield Network Event Reporter: log consultation and management on your firewall (140 MB).

The installation comprises all the graphic configuration tools of the Stormshield Network suite, which serve as the interface between the user and the appliance. These tools have to be installed on an administration workstation. The Stormshield Network firewall is fully configured via a software program developed by NETASQ: Stormshield Network UNIFIED MANAGER. Using this
lating to some of the Firewall's critical servers. The display of these indicators is based on the weighting of system events in relation to each other, in order to present a coherent status of the Firewall: major alarms will have more weight than minor alarms.

3.2.2.2 CPU load
This graph represents the processor's load:
• User: load attributable to processes that the user executes.
• Interruptions: load represented by exchanges between the kernel and processes executed by the user.
• System events: load attributable to the kernel.

3.2.2.3 Vulnerability Manager
3.2.2.3.1 Vulnerabilities
Vulnerability indicators concern the following:
• Total
• Remote: refers to vulnerabilities that can be exploited remotely via the network.
• Target server: vulnerability that affects a server application.
• Critical
• Minor
• Major
• Fixed: refers to vulnerabilities for which a fix is available.
3.2.2.3.2 Information
Information indicators concern the following:
• Total info
• Minor info
• Major info
• Monitored
3.2.2.4 Interfaces
3.2.2.4.1 List of interfaces
This section sets out the list of the different interfaces (In, Out, Dmz).
3.2.2.4.2 Traffic by interface
This section of the graphs represents the use of each interface on the Firewall. For every interface, four types of information are
le displaying the events stored in each log file in one of the following ways:
• Selecting periods predefined in relation to the current date (today, this week, etc.) or defined manually.
• Sorting (ascending/descending) by the value in each field in which a security event has been captured.
• Hierarchical classifications according to the value of one or several fields in which a security event has been captured.
WARNING: Version 1.0 of Stormshield Network EVENT REPORTER no longer supports Syslog (except for the possibility of opening/viewing a log file in Syslog UNIX format in the Tools menu) or any other form of database.

2.1 CONNECTION
2.1.1 Access
There are 2 ways to launch the Stormshield Network EVENT REPORTER application:
• Via the shortcut Applications / Launch Stormshield Network EVENT REPORTER in the menu bar of the other applications in the Administration Suite. If this is your very first time connecting to your product, a message will prompt you to confirm the serial number found on the underside of the appliance.
• Via the menu Start / Programs / Stormshield Network Administration Suite 1.0 / Stormshield Network Event Reporter.
A connection window or the main window will open.
[Figure: main window (menus File, Tools, Applications, Windows; selection by time at which file was saved: This week, from 23/06/2014 00:00:00)]
ll without modification privileges, using an account that ordinarily has these privileges. You may connect to several Firewalls simultaneously by opening several windows (menu File / Open).

2.1.2.2 Connection via the menu Sources
This connection mode is recommended if you have a fleet of firewalls. If the option Connect to firewall has not been selected in the configuration of the service, the connection window will not appear. Instead, Stormshield Network EVENT REPORTER's main window will open. To connect, click on the tab Sources / Firewall, then select the firewall(s) on which you would like reporting (see the chapter Sources for more information on this connection).

2.1.3 Address book
The address book can be accessed from the menu File / Address book. The address book centralizes all passwords for access to the different modules and other applications in the Administration Suite. This information is stored on the same client workstation on which the interface has been installed. It may be encrypted if you check the option Encrypt address book; in this case you will be asked to enter an encryption key. For each Firewall, indicate a name (you can select any name, which does not necessarily have to correspond to the Firewall's name), IP address, password and serial number.
WARNING: You are str
ly check the application's signature, follow the procedure below before installing the application:
1. Right-click on the Stormshield Network appliance whose signature you wish to check, then select the menu Properties from the contextual menu that appears.
2. Select the Digital signatures tab, then the name of the signer (NETASQ).
3. Click on Details: this window will indicate whether the digital signature is valid.

1.2.2.2 Registration
During installation, you will be asked to register your product. This registration is mandatory in order to obtain your product's license, to download updates and to access technical support.

2 STORMSHIELD NETWORK EVENT REPORTER
The EVENT REPORTER is a module of the Stormshield Network Firewall Administration Suite. This application program enables the display of log files generated by Stormshield Network Firewalls. This data can be used to analyze your network activity (access to your computer systems, staff use of the Internet, web sites visited, email use) in order to diagnose hacking attempts detected and blocked by the Firewall. The data is displayed either in the form of tables, enabling a precise and detailed analysis, or in the form of graphs, thus providing a consolidated global display of the data. Stormshield Network EVENT REPORTER's logging functions enab
number of the Firewall log line.
• Firewall: alphabetical type, Firewall serial number.
• Time (Log Time): date type, date of the log line.
• Pri: whole type, priority of the event (alarm ref).
• Srcif: alphabetical type, source interface.
• Srcifname: alphabetical type, interface name.
• Dstif: alphabetical type, destination interface.
• Dstifname: alphabetical type, destination interface name.
• Movement: whole type, direction of movement (in to in, in to out, out to out, out to in).
• MoveTypeMS: whole type, direction of movement (Server to Server, Server to Client, Client to Client, Client to Server).
• Ipproto: alphabetical type, Internet protocol.
• Proto: alphabetical type, protocol.
• Src: alphabetical type, source address (IPv6 ready).
• Srcport: alphabetical type, source port.
• Srcportname: alphabetical type, source port name.
• Srcname: alphabetical type, name of the source.
• Dst: alphabetical type, destination address (IPv6 ready).
• Dstport: alphabetical type, destination port.
• Dstportname: alphabetical type, name of the destination port.
• Dstname: alphabetical type, destination name.
• User / luser: alphabetical type.
• Ruleid: whole type, filter rule identifier.
• Action: chain type, action (reserved word for Interbase).
• Msg: alphabetical type.
• Sent: whole type, amount of data sent.
• Rcvd: whole type, amount of data received.
• Duration: real type, duration.
• Op: alphabetical type, operation.
• Result: alphabetical type.
• Arg: alphabetical type, command par
o Reporter on each registered Firewall.
[Figure 2: Address book password (Enter password, Confirm)]
Next, Stormshield Network EVENT REPORTER will display a log grid and a connection popup which allow you to enter connection information for a Firewall. This connection window can be accessed if the option Connect to firewall has been selected (see section Options). To connect to a Firewall, use the menu Firewall in the tab Sources in the menu directory and select a firewall. The following window will then open:
[Figure 3: Connection (Read only, Cancel)]
NOTE: Read only enables connecting to the Firewall in read-only mode. In this way you can connect to the firewall without modification privileges, using an account that ordinarily has these privileges. This allows avoiding the use of modification privileges if they are not necessary.
If Stormshield Network EVENT REPORTER has been launched from Stormshield Network UNIFIED MANAGER or Stormshield Network REAL TIME MONITOR, Reporter will automatically connect to the Firewall that is connected to Manager or Monitor. The Stormshield Network Firewall is case-sensitive, both for the user name and for the password. The option Read Only enables connecting to the Firewall in read-only mode. In this way you can connect to the firewa
ok
[Figure 15: General options, Address book tab (Address book location field)]
• Location of the address book: the Stormshield Network UNIFIED MANAGER, Stormshield Network REAL TIME MONITOR and Stormshield Network EVENT REPORTER applications use the same address book and therefore the same address book file. To retrieve a gap file (Stormshield Network project file), simply click on Browse.

3 USING STORMSHIELD NETWORK EVENT REPORTER
3.1 SOURCES
The Sources tab in the menu directory enables specifying the source of the logs viewed (Firewall). The Sources tab enables connection to the different log sources provided by Stormshield Network for the analysis of logs and events raised by the Firewall.
3.1.1 Firewall
When directly connected to the Firewall, this log retrieval method makes it possible to dispense with the use of centralization tools. However, it does not allow centralizing the logs of several Firewalls, which is usually essential for analyzing an event that is spreading over several company sites. Furthermore, this method is only available for appliances that have a hard disk, as without it logs cannot be saved directly on the Firewall. See the section Connection for more information.
3.1.1.1 Ways of conne
ok.
The procedure for exporting an existing address book is as follows:
1. Click on the Export button. The following message will appear: Encrypt address book (Highly recommended).
2. If you click on Yes, you will be asked to enter the password for the address book before the save window appears.
[Figure 5: Exporting an address book (file save dialog; file type: Dat file (*.dat))]
REMARK: The file to export should be in dat format.
3. Click on Save.

2.2 GETTING FAMILIAR WITH REPORTER
2.2.1 PRESENTATION OF THE INTERFACE
2.2.1.1 Main window
Once you are connected to the Firewall, Reporter's main window appears.
[Figure 6: Main window (menus File, Tools, Applications, Windows; selection by time at which file was saved, from 23/06/2014 00:00:00 to 26/06/2014 23:59:55)]
It comprises six parts:
• A menu bar
• A menu directory to the left of the screen
• A date and filter selection bar, allowing only the analysis of data in the chosen period
• A result display zone
• An action bar
• A status bar
2.2.1.2 Menu bar
The main
ongly advised to activate the encryption of the address book, for obvious security reasons. Once this information has been entered, you may save it using the Save button.
WARNING: If you modify the Encrypt address book option, the address book has to be saved once more to apply the changes.
Check the option Show passwords to check the passwords used for each Firewall saved in the address book (passwords are displayed in plaintext).
2.1.3.1 Adding an address
Click on the button Add to add an address to the address book. Other information to supply:
• Name: the name of the firewall.
2.1.3.2 Modifying the password for an address
The procedure for modifying the password for an address is as follows:
1. In the column Password, double-click on the password for the address that needs to be changed. A window will open allowing you to make the change.
2. Click on the OK button or close the address book. The following message will appear: The address book has been modified. Save changes?
3. Click on the Yes button to confirm the changes.

2.1.3.3 Deleting an address
To delete a firewall from the address book, follow the procedure below:
1. Select the firewall to delete.
2. Click on the Delete button. The following message will ap
ord of user activity for the purpose of analyzing network activity.

1.1.4 Getting help
To obtain help regarding your product and the different applications in it:
• Website: https://mystormshield.eu. Your secure access area allows you to access a wide range of documentation and other information.
• User manuals: Stormshield Network UNIFIED MANAGER, Stormshield Network REAL TIME MONITOR and Stormshield Network EVENT REPORTER.
1.1.5 TECHNICAL ASSISTANCE CENTRE
Stormshield Network provides several means and tools for resolving technical problems on your firewall:
• A knowledge base.
• A certified distribution network. As such, you will be able to call on your distributor.
• Documents: these can be accessed from your client or partner area. You will need a client account in order to access these documents.
For further information regarding technical assistance, please refer to the document Support charter.
1.2 SOFTWARE INSTALLATION
This section provides you with the elements for installing the software suite that allows you to administer your product. For further information on the appliances and how to install them, please refer to the product installation guide Presentation and installation of Stormshield Network products (Ref. snengde product installation pdf). You will need the graphical interface installat
pear: Confirm removal of these items.
3. Click on Yes to confirm removal.

2.1.3.4 Importing an address book
The procedure for importing an existing address book is as follows:
1. Click on the Import button. The following window will appear:
[Figure 4: Importing an address book (file open dialog; file type: Dat file (*.dat))]
2. Select the file to import.
REMARK: The file to import should be in CSV format.
3. Click on Open.
For obvious security reasons, the address book can be encrypted. To activate encryption, check the option Encrypt address book, then define the related password. This password is absolutely necessary for reading the information contained in the address book. The address book is encrypted with AES, which is currently the most powerful symmetrical encryption algorithm.

2.1.3.5 Exporting an address book
All the information in the address book can be exported to be used, for example, for complementing another address bo
program, you will be able to configure your firewall from a Windows workstation. You will need the following elements in order to install this software:
• CPU with a minimum of 2 GHz.
• A minimum of 2 GB of RAM (Windows 7) for client software, 2 GB for server software.
• About 300 MB of hard disk space, as this is what the software will occupy after its installation. If possible, reserve several gigabytes of space for the database, depending on the activity of the connected firewall(s).
• Ethernet 100 or 1000 Mbps network card.
Software applications are supported on the following operating systems:
• Microsoft Windows 7 and 8
• Microsoft Windows Server 2008 and 2012
1.2.2 INSTALLING VIA YOUR PRIVATE AREA
Download the necessary files from the website and execute the EXE program corresponding to the administration suite. The installation information will appear in the same language as the version of Windows that has been installed.
1.2.2.1 Verification procedure
1.2.2.1.1 Signature verification procedure
When you download an application from your client or partner area on https://mystormshield.eu, the following message will appear: Open a file or save on your computer.
• If you choose Open, your web browser will check the signature automatically and inform you about the results.
• If you choose Save (recommended option), you will need to perform the check manually.
1.2.2.1.2 Manual verification
To manual
rk EVENT REPORTER application is multilingual. Select the language required for the graphical interface.
2.2.3.1.2 At startup
2 options are possible:
• Open a grid: opens up a log grid when the application is opened.
• Connection to the firewall: authorizes a direct connection to the firewall.
2.2.3.1.3 Miscellaneous
• Keep connection logs in a file: enables you to generate logs concerning the application's behavior.
• Empty the log file each time the application is started: enables you to have a file of limited volume and to keep active logs only for the purpose of the application in progress.
2.2.3.1.4 Grid font
This option allows you to specify the font and font size of the text which appears in the log grid.

2.2.3.2 Log tab
[Figure 13: General options, Log tab (When downloading from firewall: Local log cache, Clear local cache (2457 KB space used), Keep local copy of WELF files from the firewall; Max number of downloaded lines: On Firewall 10000, Download by page (takes effect when the application restarts); SYSLOG file directory)]
2.2.3.2.1 When downloading from firewall
• Local log cache: this option allows you to speed up log information searches which have alrea
splaying Reporter's activity in real time
• A progress bar allowing an estimate of the duration of the operation
• A zone displaying the application's status, whether processing is in progress or not (respectively blue or green)
• An icon displaying the status of the connection with the firewall
2.2.1.7 Action bar
[Figure 11: Action bar]
2.2.1.7.1 Columns
The columns of the table may be moved around, removed or customized.
• Customize: this option enables you to select the columns you wish to display. A window comprising two tabs then appears, enabling you to manage column headers and the columns. To add or delete a column from the table, all you have to do is select the group of columns (or column) and drag it either into the table or into the
• Reset: enables you to restore the original column display.
• Best fit: enables you to adapt the width of the columns to the width of the application.
• Show totals: subtotaling of packet volumes (sent, received, duration) for all logs viewed. When you perform a sort by dragging and dropping a column, a subtotal per sort may be viewed.
2.2.1.7.2 Print
With this option you are able to access a print preview menu.
2.2.1.7.3 Export
Displayed data may be exported for it to be used in other environments. A wizard will assist you in this process (see Chapter 6, Data Export).
2.2.1.4 See time
This option allows you to automatically calculate the date and time of the logs displayed in Reporter according to d
table will then change its form. The grouped column appears in the drop zone and the table displays the values resulting from this grouping in the form of nodes. A + sign appears in front of the group values, enabling the expansion of the nodes. It is thus possible to group data together within the groups. This feature applies to all log files (Network, Services and Statistics).
Example: When you select the display of Web logs, it is possible to group data first according to the user and then according to the destination, in order to highlight the Internet consultations carried out by internal users.
[Figure 19: Sorting columns (Classification: Action, Alarm, Destination, Port, Interface, Protocol, Source, Interface Name, Internet Protocol, User, Source Name, Source Port Name)]
TIP: The order of the table columns may be customized using the drag and drop mechanism. This can be done by right-clicking and keeping the mouse button depressed on the column whose order you wish to modify, then dropping it at its desired location. Two green arrows will help you to locate this new location. Columns cannot be moved under a different header.
3.3.4 Contextual menu
In each log grid in Reporter, contextual menus (accessible by right-clicking with the mouse) enable the quick execution of specific ac
the manual.
Notice
WEEE Directive
All NETASQ products that are subject to the WEEE directive will be marked with the mandated crossed-out wheeled bin symbol (as shown above) for items shipped on or after August 13, 2005. This symbol means that the product meets the requirements laid down by the WEEE directive with regard to the destruction and reuse of waste electrical and electronic equipment. For further details, please refer to the website at this address: http://www.netasq.com/recycling.html

CONTENTS
1 INTRODUCTION
1.1 BASIC PRINCIPLES
1.1.1 Who should read this user guide
1.1.2 Typographical conventions
1.1.3 Vocabulary
1.1.4 Getting help
1.1.5 TECHNICAL ASSISTANCE CENTRE
1.2 SOFTWARE INSTALLATION
1.2.1 PRE-REQUISITES
1.2.2 INSTALLING VIA YOUR PRIVATE AREA
2 STORMSHIELD NETWORK EVENT REPORTER
2.1 CONNECTION
2.1.1 Access
2.1.2 Connection
2.1.3 Address book
2.2 GETTING FAMILIAR WITH REPORTER
2.2.1 PRESENTATION OF THE INTERFACE
2.2.2 DESCRIPTION OF THE MENU BAR
2.2.3 OPTIONS
3 USING STORMSHIELD NETWORK EVENT REPORTER
3.1 SOURCES
3.1.1 Firewall
3.2 GRAPHS
3.2.1 Introduction
3.2.2 Customizing
3.3 CUSTOMIZING COLUMNS AND HEADERS
3.3.1 Headers
3.3.2 Columns
3.3.3 Sorting by columns
3.3.4 Cont
50. tion connection destination address Message Message regarding the attempt to set up a tunnel User user identifier in the context of an anonymous tunnel Initiator Cookie Initiator identifier for the negotiation session in progress Receiving Cookie Responder identifier for the negotiation session in progress Spi in identifier for the ingoing SA Spi out identifier for the outgoing SA 3 4 2 6 VPNSSL This sub menu provides a history of events concerning VPN SSL Several fields are used e Date Date on which entry was generated Result Result of the SSL VPN connection to the selected server Port server connection port Source connection s source address Destination connection destination address Message Message relating to the SSL VPN connection User user identifier Argument additional information regarding the log line web page contacted 3 4 3 Statistics Logs 3 4 3 1 Introduction 2 types of statistical analyses are available e Counters e Filters 3 4 3 2 Counters This table corresponds to the number of times a rule has been activated To display information in this zone the Count option must have been activated in the filter rules aZ 41 45 snfrgde nom du document v1 2 Copyright Netasq 2014 STORMSHIELD age 42 45 USER MANUAL USING STORMSHIELD NETWORK EVENT REPORTER Sources Logs x ate m Graphs Rule ID Count E Network Date 01 01 2012 00 05 29
51. tions A maximum of three options are defined for the contextual menu depending on the information on which you right click e Copy line to clipboard as WELF This option enables rewriting a line in the Reporter log grid to the clipboard to be used outside Reporter e Submit URL to a category when you open the contextual menu after having selected a URL this option allows sending the URL to the URL submission form on the website e Go to XXXXXX when you open the contextual menu after having selected a destination this option enables an HTTP connection attempt to this destination 3 4 LOG TYPES Stormshield Network EVENT REPORTER allows you to view logs in the form of tables These files comprise three menus e Network e Services e Statistics 3 4 1 Network logs e Filter logs generated by the filter rules To obtain these logs at least one of the filter rules must have the Log option e Alarm alarms raised by the firewall e Connection information on all the authorized connections having passed through the Firewall e Web logs from visited web sites HTTP plugin and HTTP proxy e SMTP e mail logs generated by the SMTP proxy The SMTP proxy has to be activated for these logs to be available x age 36 45 snfrgde nom du document v1 2 Copyright Netasq 2014 STORMSHIELD Page 37 45 USER MANUAL USING STORMSHIELD NETWORK EVENT REPORTER 1 800020008008 0 00 00 48280 0 086 280280 28828 0288288620828 028 0488 2