Accenture MDR Quick Start Guide for Blue Coat® ProxySG

This quick start guide will help Accenture MDR customers configure Blue Coat® Proxy Secure Gateway (SG) to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics:

  • Supported Versions
  • Port Requirements
  • Configuring Blue Coat ProxySG
  • LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for Blue Coat ProxySG communication.

Source              Destination   Port                 Description
Blue Coat ProxySG   LCP           21 (TCP), 20 (TCP)   Default FTP ports (21: control channel; 20: active-mode data channel)

Note: With passive mode (the Use PASV option set in step III), the data channel does not use port 20. Instead the LCP opens a port in the passive range 20000 - 20499 (TCP), which the Blue Coat ProxySG and the LCP negotiate over the control channel before each transfer. Any firewall between the two must therefore allow port 21 and the passive range from the ProxySG to the LCP.

Configuring Blue Coat ProxySG

Blue Coat ProxySG logs have to be sent to the LCP via FTP. Accenture Security MDR supports text and GZIP format logs. Note that plain FTP carries the account credentials and the log contents in cleartext; to encrypt the transfer, enable FTPS as described in step III (Use secure connections (SSL)) and step VII.

To configure the Blue Coat ProxySG, follow the steps below.

I Configure the log format.

  1. Login to the Blue Coat ProxySG Web interface.

  2. Click the Configuration tab and go to Access Logging > Formats.

  3. In the Log Formats section, click New. The Create Format pop-up window appears.

  4. In the Format Name text box, type a name for the log format (for example, one that identifies the LCP).

  5. Select the W3C Extended Log File Format (ELFF) string option.

  6. In the text box, type the following field list on a single line.

date time time-taken c-ip c-port cs-username cs-bytes sc-bytes x-virus-id cs-auth-group x-exception-id sc-status sc-filter-result cs-categories cs-category cs(Referer) s-action cs-method rs(Content-Type) cs(User-Agent) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs-uri x-bluecoat-appliance-primary-address s-ip s-supplier-name s-sitename r-ip r-port r-dns x-bluecoat-application-name x-bluecoat-application-operation x-rs-certificate-hostname x-rs-certificate-hostname-category x-rs-certificate-observed-errors x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-strength x-rs-connection-negotiated-cipher-size x-rs-connection-negotiated-ssl-version cs(X-Forwarded-For) s-supplier-ip s-supplier-country s-supplier-failures cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) x-exception-category x-rs-certificate-hostname-threat-risk x-cs(Referer)-uri-threat-risk x-cs(Referer)-uri-categories s-port s-source-ip s-source-port

  7. To check the log format, click Test Format.

 Note: On Blue Coat ProxySG version 6.x or later, the Test Format Results pop-up window reports any deprecated fields. On some Blue Coat ProxySG versions, fields such as s-hierarchy and r-hierarchy are unsupported and must be removed from the format string. Once the unsupported fields are removed, the Test Format Results pop-up window displays the message "Format Syntax correct". Record any field you remove: the LCP receives only what remains in the format string.

  8. From the Multiple-valued header policy drop-down list, select Log last header and click OK.

  9. In the Log Formats screen, click Save.
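As an added example (not code from the guide, Accenture or Blue Coat), the Python below parses a file uploaded in the step I format, checks that its #Fields: directive still matches the field list above (so a field dropped after Test Format complained, or a typo in the pasted string, is caught when the first file lands rather than weeks later), accepts the GZIP variant the guide says MDR supports, and pulls out the records an analyst wants first. The three log records, hostnames and 192.0.2.x addresses are constructed; the assumption that ProxySG writes a literal quote inside a quoted value as a doubled quote is ours.

```python
"""Parse and sanity-check W3C ELFF access logs in the MDR field layout.
Added example, not Accenture's or Blue Coat's code: MDR_FORMAT is the ELFF string
from step I of the guide; the records, hosts and addresses below are constructed."""
import csv
import gzip

# Exact ELFF string from step I, split into field names (58 fields).
MDR_FORMAT = (
    "date time time-taken c-ip c-port cs-username cs-bytes sc-bytes x-virus-id cs-auth-group "
    "x-exception-id sc-status sc-filter-result cs-categories cs-category cs(Referer) s-action "
    "cs-method rs(Content-Type) cs(User-Agent) cs-uri-scheme cs-host cs-uri-port cs-uri-path "
    "cs-uri-query cs-uri-extension cs-uri x-bluecoat-appliance-primary-address s-ip "
    "s-supplier-name s-sitename r-ip r-port r-dns x-bluecoat-application-name "
    "x-bluecoat-application-operation x-rs-certificate-hostname x-rs-certificate-hostname-category "
    "x-rs-certificate-observed-errors x-rs-connection-negotiated-cipher "
    "x-rs-connection-negotiated-cipher-strength x-rs-connection-negotiated-cipher-size "
    "x-rs-connection-negotiated-ssl-version cs(X-Forwarded-For) s-supplier-ip s-supplier-country "
    "s-supplier-failures cs-threat-risk x-bluecoat-transaction-uuid "
    "x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) "
    "x-exception-category x-rs-certificate-hostname-threat-risk x-cs(Referer)-uri-threat-risk "
    "x-cs(Referer)-uri-categories s-port s-source-ip s-source-port"
)
MDR_FIELDS = MDR_FORMAT.split()


def split_elff(line):
    """Split one ELFF record on spaces, honouring double-quoted values such as
    cs(User-Agent) or cs-categories.  A quote inside a quoted value is taken to be
    written as "" (assumption; the csv module's doublequote handling matches that)."""
    return next(csv.reader([line], delimiter=" ", quotechar='"', doublequote=True))


def decode_log(data):
    """Return the text of an uploaded file, transparently gunzipping .gzip.log uploads."""
    if data[:2] == b"\x1f\x8b":          # gzip magic number
        data = gzip.decompress(data)
    return data.decode("utf-8", errors="replace")


def parse_elff(text):
    """Return one dict per record, keyed by the names in the file's own #Fields: directive."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):          # W3C directives: #Software, #Version, #Fields, ...
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("record before #Fields: directive")
        values = split_elff(line)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line[:60]}")
        records.append(dict(zip(fields, values)))
    return records


def check_header(fields):
    """Compare a file's #Fields: list with the step I format.  A field removed after
    Test Format complained, or an unexpected extra one, shows up here."""
    return {"missing": [f for f in MDR_FIELDS if f not in fields],
            "extra": [f for f in fields if f not in MDR_FIELDS]}


def triage(records):
    """Pull out the records an analyst wants first: AV hits, then policy denials."""
    hits = []
    for r in records:
        if r.get("x-virus-id", "-") != "-":
            hits.append(("virus", r["c-ip"], r["cs-uri"], r["x-virus-id"]))
        elif r.get("sc-filter-result", "").upper() == "DENIED":
            hits.append(("denied", r["c-ip"], r["cs-uri"], r["cs-categories"]))
    return hits


# Constructed sample, written in the same layout the proxy uploads.
def _quote(value):
    return '"%s"' % value.replace('"', '""') if (" " in value or '"' in value) else value

def make_record(values):
    rec = dict.fromkeys(MDR_FIELDS, "-")   # ProxySG writes "-" for an absent value
    rec.update(values)
    return rec

def render_elff(records):
    lines = ["#Fields: " + " ".join(MDR_FIELDS)]
    lines += [" ".join(_quote(r[f]) for f in MDR_FIELDS) for r in records]
    return "\n".join(lines) + "\n"

SAMPLE_RECORDS = [
    make_record({"date": "2021-06-01", "time": "10:15:02", "c-ip": "192.0.2.20", "cs-method": "GET",
                 "sc-status": "200", "sc-filter-result": "OBSERVED", "cs-categories": "Search Engines/Portals",
                 "cs-host": "www.example.com", "cs-uri": "http://www.example.com/",
                 "cs(User-Agent)": "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/89.0"}),
    make_record({"date": "2021-06-01", "time": "10:15:07", "c-ip": "192.0.2.21", "cs-method": "GET",
                 "sc-status": "403", "sc-filter-result": "DENIED", "cs-categories": "Malicious Sources/Malnets",
                 "cs-host": "bad.example.net", "cs-uri": "http://bad.example.net/x.exe", "cs-threat-risk": "9"}),
    make_record({"date": "2021-06-01", "time": "10:15:09", "c-ip": "192.0.2.22", "cs-method": "GET",
                 "sc-status": "403", "sc-filter-result": "OBSERVED", "x-virus-id": "EICAR-Test-File",
                 "cs-host": "files.example.org", "cs-uri": "http://files.example.org/eicar.com"}),
]
SAMPLE_LOG = render_elff(SAMPLE_RECORDS)
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG.encode())   # what a .gzip.log upload looks like

if __name__ == "__main__":
    recs = parse_elff(decode_log(SAMPLE_LOG_GZ))
    print(check_header(list(recs[0])))
    for hit in triage(recs):
        print(hit)
```

check_header is the part worth running against the first real file the LCP receives: a header that is missing fields means the format string on the appliance no longer matches what MDR expects, and an "extra" entry usually means an unsupported field was left in.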

II Configure the log facility.

  1. Click the Configuration tab and go to Access Logging > Logs.

  2. In the Logs tab, click New. The Create Log window appears.

  3. In the Log Settings section, in the Log Name text box, type a name for the log facility (for example, one that identifies the LCP).

  4. From the Log Format drop-down list, select the log format created in step I.

  5. In the Description text box, type a description for the log facility.

  6. In the Log file limits section, in the "The maximum size of each remote file is" text box, type 200 (megabytes).

  7. In the "Start an early upload if log reaches" text box, type 200 (megabytes) and click OK.


III Configure the FTP client.

  1. Click the Configuration tab and go to Access Logging > Logs > Upload Client.

  2. From the Log drop-down list, select the log facility created in step II.

  3. From the Client type drop-down list, select FTP Client and click Settings. 

  4. From the Settings for drop-down list, select Primary FTP Server.

  5. In the Host text box, type the IP address of the LCP.

  6. In the Port text box, type 21.

  7. Leave the Path text box empty.

  8. In the Username text box, type bluecoatproxysg.

Note: The username must be exactly bluecoatproxysg. The LCP expects this account for Blue Coat ProxySG uploads, so a different username breaks log collection.

  9. Click Change Primary Password. The Change Primary Password pop-up window appears; leave the password field empty.

Note: Because the account has no password, the LCP relies on the source address of the appliance (see LCP Configuration Parameters) and on network access control to the FTP listener. Enable FTPS (step 11 and step VII) where possible so that the log contents are not sent in cleartext.

  10. In the Filename text box, type the log file name in the following format: Bluecoat SG devicename_IPAddress

Note: The default filename template includes the log name (%f), the name of the external certificate used for encryption, if any (%c), the fourth octet of the ProxySG IP address (%l), the date and time (month %m, day %d, hour %H, minute %M, second %S), and a .log or .gzip.log file extension. To identify each Blue Coat log file on the LCP, however, it is recommended that you use the format Bluecoat SG devicename_IPAddress.

  11. Check the Use secure connections (SSL) check box only if you will send logs via FTPS (see step VII); otherwise leave it unchecked.

Note: This option enables FTPS (FTP over SSL/TLS). SFTP is not currently supported by MDR.

  12. Check the Local Time check box only if you need log timestamps in your local time.

Note: By default, Blue Coat ProxySG writes log timestamps in UTC. Leaving UTC in place avoids daylight-saving ambiguities when the logs are correlated with other sources.

  13. Check the Use PASV check box, then click OK and Apply.

IV Assign a log facility to the format.

  1. Click the Configuration tab and go to Access Logging > General.

  2. In the Default Logging tab, every available protocol is mapped to the default log facility.

  3. MDR supports the protocol logs listed below and recommends that you map these protocols to the LCP log facility:

  • Endpoint Mapper
  • FTP
  • HTTP
  • HTTPS-Reverse-Proxy
  • TCP Tunnel
  • Telnet

  4. Select each of the above protocols and click Edit.

  5. Map the logging facility created in step II to each protocol and click Apply.

V Configure the upload schedule.

  1. Click the Configuration tab and go to Access Logging > Logs > Upload Schedule.

  2. From the Log drop-down list, choose the logging facility created in step II.

  3. In the Upload type section, select the Periodically option.

  4. In the Upload the log file section, do the following:

  • Click the Every option.

  • In the hours text box, type 0.

  • In the minutes text box, type 15, and then click Apply.

Test the access log upload.

  1. To set the event logging level for testing, do the following: 

  • Click the Maintenance tab and go to Event Logging > Level.

  • Check the Verbose check box and click Apply.

2. To test the log upload:

  • Click the Configuration tab and go to Access Logging > Logs > Upload Client.

  • From the Log drop-down list, choose the logging facility created in step II and click Test Upload. 

  3. To reset the event logging level after testing:

  • Click the Maintenance tab and go to Event Logging > Level.

  • Uncheck the Verbose check box and click Apply.

Note: It is important to uncheck the Verbose check box after testing so that the Blue Coat ProxySG does not fill its disk with verbose event logs.
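The upload client from step III and the Test Upload check above can be reproduced from any host with Python's standard ftplib, which helps when Test Upload fails and you need to tell a firewall problem from an LCP-side one. This is an added example, not Accenture's or Blue Coat's tooling. It assumes that the "Use secure connections (SSL)" option corresponds to explicit FTPS (AUTH TLS on the port 21 control channel), that the CA certificate from step VII is available as a PEM file, and that 192.0.2.10 is a placeholder for your LCP address; the test file content is constructed.

```python
"""Upload a test file to the LCP the way the ProxySG FTP client is configured in step III.
Added example, not Accenture's or Blue Coat's tooling; run it from a host near the proxy
to check firewall rules and the LCP listener independently of the appliance.
Assumptions not stated by the guide: the LCP expects explicit FTPS (AUTH TLS on port 21)
when "Use secure connections (SSL)" is set, and LCP_HOST is a placeholder address."""
import io
import socket
import ssl
from ftplib import FTP, FTP_TLS

LCP_HOST = "192.0.2.10"            # placeholder for the LCP IP address (step III.5)
LCP_PORT = 21                      # step III.6
LCP_USER = "bluecoatproxysg"       # fixed by the guide (step III.8)
LCP_PASSWORD = ""                  # the guide leaves the password empty (step III.9)
PASV_RANGE = range(20000, 20500)   # passive data ports from Table 1-1


def lcp_tls_context(ca_pem=None):
    """TLS context that verifies the LCP certificate.  Pass the PEM file handed out by
    the MDR onboarding team (step VII) so only that CA is trusted; with ca_pem=None the
    system trust store is used.  Verification and hostname checking stay on."""
    ctx = ssl.create_default_context(cafile=ca_pem)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_ports(host, ports, timeout=2.0):
    """TCP-connect check.  Meaningful for port 21 only: the LCP opens a port in
    PASV_RANGE just for the duration of a transfer, so probing that range says nothing."""
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result


def upload_test_file(host=LCP_HOST, port=LCP_PORT, use_tls=True, ca_pem=None,
                     filename="Bluecoat SG connectivity-test_192.0.2.20.log", timeout=15):
    """Mirror the step III client: PASV, the fixed user, an empty password, optional FTPS.
    Returns the server's reply to STOR; the appliance's Test Upload logs the same reply."""
    body = io.BytesIO(b"#Fields: date time c-ip\n2021-06-01 10:15:02 192.0.2.20\n")  # constructed
    ftp = FTP_TLS(context=lcp_tls_context(ca_pem), timeout=timeout) if use_tls else FTP(timeout=timeout)
    ftp.connect(host, port)
    if use_tls:
        ftp.auth()       # explicit FTPS: AUTH TLS on the control channel (assumption above)
    ftp.login(LCP_USER, LCP_PASSWORD)
    if use_tls:
        ftp.prot_p()     # PROT P: encrypt the data channel too, or the log body still goes in clear
    ftp.set_pasv(True)   # step III.13: the LCP opens a port in PASV_RANGE for the data channel
    reply = ftp.storbinary(f"STOR {filename}", body)
    ftp.quit()
    return reply


if __name__ == "__main__":
    print("control port reachable:", probe_ports(LCP_HOST, [LCP_PORT]))
    # print(upload_test_file(ca_pem="accenture-lcp-ca.pem"))   # hypothetical PEM file name
```

Run it with use_tls=False only if the appliance is configured without the SSL option; in that case the account has no password and the log body crosses the network in cleartext, so the source restrictions implied by Table 1-1 and Table 1-3 (port 21 plus 20000-20499, from the proxy address only) are the only control. A handshake failure that names a hostname or IP mismatch means the LCP certificate does not cover the address you connected to; the fix is the right address or certificate, not disabling verification.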

VI Enable the newly created log facility.

Note: This step is required if you need finer-grained control over which transactions are logged to MDR, or if you already have a logging setup (default protocol mappings) that you cannot replace: the policy layer sends the transactions it matches to the MDR log facility without changing the default mappings from step IV.

To enable a new logging facility, follow the steps below.

  1. Click the Configuration tab and go to Policy > Visual Policy Manager.

  2. In the Visual Policy Manager window, go to Policy > Add Web Access Layer...

3. Enter a name for the Web Access Layer and click OK.

4. Right-click the newly created Web Access Layer and go to Action > Set.

5. In the Set Action Object dialog box, go to New > Modify Access Logging.

6. In the Name text box, type a name for the Accenture MDR Access Logging Object.

7. Select the Enable logging to option. From the drop-down list, select the log facility created in step II and click OK.

8. Click OK to close the VPM window and click Yes to save the changes.

VII Enable Blue Coat ProxySG to send logs via FTPS.

 Note: This step is required only if you need to send Blue Coat ProxySG logs to LCP via FTPS. Please contact the Accenture Security MDR onboarding team to obtain the certificate.

 To import the certificate in Blue Coat ProxySG, follow the steps below.

  1. Login to the Blue Coat ProxySG Web interface.

  2. Click the Configuration tab and go to SSL > CA Certificates > Import.

  3. In the Import CA Certificate window, 

  • In the CA Cert Name text box, type a name for the LCP certificate.

  • In the CA Certificate PEM text box, paste the certificate provided by Accenture.

  • Click OK and Apply.

  4. Click the Configuration tab and go to SSL > CA Certificates > CA Certificate Lists > browser-trusted.

  5. In the Edit CA Certificate List dialog box, do the following:

  • Select the Accenture CA Certificate name and click Add and OK.

  • Click Apply.

Note: Certificates in the browser-trusted list are trusted by the proxy for other server-certificate verification as well, not only for the FTPS upload. Import only the CA certificate issued for this purpose by the Accenture Security MDR onboarding team.

  6. To validate the upload and certificate handling, check the event log: click the Statistics tab and go to System > Event Logging.

LCP Configuration Parameters

Table 1-3: The Blue Coat ProxySG event collector (FTP - 3801) properties to be configured by MDR.

Property                  Default Value                  Description
Port Number               21 & 20                        The default port numbers for FTP.
Host Names/IP Addresses   Blue Coat ProxySG IP Address   The logging device IP address given in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the Accenture Security MDR onboarding team.


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.