Accenture MDR Quick Start Guide for ForcePoint Next Generation Firewall (Stonesoft StoneGate™)
This quick start guide will help Accenture MDR customers configure ForcePoint Next Generation Firewall (NGFW) to send logs to the Log Collection Platform (LCP).
The document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
ForcePoint NGFW (Stonesoft StoneGate) | LCP | 514 (UDP) or 601 (TCP) | Default port |
Configuring ForcePoint NGFW
Based on the StoneGate appliance or ForcePoint NGFW version used, you can configure it in one of two ways:
StoneGate or ForcePoint NGFW appliance version 5.5 or lower.
StoneGate or ForcePoint NGFW appliance version 5.5 or higher.
Configuring StoneGate appliance or ForcePoint NGFW appliance version 5.5 or lower
To configure the StoneGate appliance or ForcePoint NGFW appliance, follow the steps below.
1. Stop the Log server.
Note: If you have defined the Log server as a service in Windows, you may stop the Log server in the Windows Services list.
StoneGate:
a) For Windows, go to Start > Run and enter the command: <installation directory>/bin/sgStopLogSrv.bat
b) In the Linux CLI prompt, enter the command: <installation directory>/bin/sgStopLogSrv.sh
Forcepoint:
c) For Windows, go to Start > Services.msc > Forcepoint NGFW Log server services > Stop.
2. Modify the LogServerConfiguration.txt file, which is located in <installation directory>/data/, using the following configuration:
SYSLOG_EXPORT_ALERT = YES
SYSLOG_EXPORT_FORMAT = XML
SYSLOG_PORT = 514
SYSLOG_SERVER_ADDRESS = <LCP_IP_Address>
For Firewall:
SYSLOG_EXPORT_FW = YES
For IPS:
SYSLOG_EXPORT_IPS = YES
3. Save the file and restart the Log server.
Note: Table 1-2 provides additional information on the Log server configuration parameters.
Parameter | Values and Meaning |
SYSLOG_CONF_FILE | <File name> Defines the configuration file for syslog export. The file contains a list of the fields that are exported to syslog. The <installation directory>/data/fields/syslog_templates/ directory contains example configuration files. If you also want the exported logs to contain the reference IDs of known vulnerabilities, add the VULNERABILITY_REFERENCES field to the configuration file. |
SYSLOG_EXPORT_ALERT | Defines whether to export alert entries to syslog. Possible values: YES, NO. |
SYSLOG_EXPORT_FORMAT | Defines the file format used for syslog exporting. Possible values: CSV, XML. |
SYSLOG_EXPORT_FW | Defines whether to export StoneGate Firewall/VPN logs to syslog. Possible values: YES, NO. |
SYSLOG_EXPORT_IPS | Defines whether to export IPS logs to syslog. Possible values: YES, NO. |
SYSLOG_FILTER_MATCH | ALL: the log is exported if it matches all filters. ONE: the log is exported if it matches at least one filter. NONE: the log is exported if it does not match any of the filters. |
SYSLOG_FILTER_TYPE | KEEP: the matching logs are sent to the syslog server. DISCARD: the matching logs are not sent to the syslog server. |
SYSLOG_MESSAGE_PRIORITY | The priority of the syslog message, included at the beginning of each UDP packet (the default is 6). Possible values: 0-191, as defined in RFC 3164 (http://www.ietf.org/rfc/rfc3164.txt). |
SYSLOG_PORT | The default port is 514 (UDP). |
SYSLOG_SERVER_ADDRESS | The IP address of the LCP. |
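To check a LogServerConfiguration.txt against the settings in step 2 before restarting the Log server, here is an added Python example (not Forcepoint, Stonesoft or Accenture code). It parses the KEY = VALUE file, flags values that do not match the LCP requirements, splits SYSLOG_MESSAGE_PRIORITY into the RFC 3164 facility and severity (PRI = facility * 8 + severity), and models the SYSLOG_FILTER_MATCH / SYSLOG_FILTER_TYPE combination as this example reads Table 1-2 (ALL/ONE/NONE decides whether a log counts as matching, KEEP/DISCARD decides whether matching logs are sent). The sample file contents, IP address and filter predicates are constructed for the example.

```python
"""Check a LogServerConfiguration.txt against the LCP syslog export settings.

Added example, not vendor or Accenture code. Assumes the file is plain
KEY = VALUE lines as shown in the guide; sample content is constructed.
"""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample of what the file might hold after step 2 (192.0.2.10 is a documentation address).
SAMPLE_CONFIG = """
# Log server configuration (constructed sample)
SYSLOG_EXPORT_ALERT = YES
SYSLOG_EXPORT_FORMAT = XML
SYSLOG_PORT= 514
SYSLOG_SERVER_ADDRESS = 192.0.2.10
SYSLOG_EXPORT_FW = YES
SYSLOG_EXPORT_IPS = NO
SYSLOG_MESSAGE_PRIORITY = 134
SYSLOG_FILTER_MATCH = ONE
SYSLOG_FILTER_TYPE = DISCARD
"""

# Values the LCP collector requires (step 2 of the guide; the collector accepts only XML).
REQUIRED = {"SYSLOG_EXPORT_ALERT": "YES", "SYSLOG_EXPORT_FORMAT": "XML", "SYSLOG_PORT": "514"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse KEY = VALUE lines; blank lines and '#' comments are skipped.
    Whitespace around '=' is tolerated (the guide itself writes 'SYSLOG_PORT= 514')."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_config(cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the file matches the guide."""
    problems: List[str] = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            problems.append(f"{key} is missing (expected {want})")
        elif got.upper() != want:
            problems.append(f"{key} is {got!r}, expected {want}")
    addr = cfg.get("SYSLOG_SERVER_ADDRESS", "")
    if not addr or addr.startswith("<"):
        problems.append("SYSLOG_SERVER_ADDRESS is empty or still holds the <LCP_IP_Address> placeholder")
    if cfg.get("SYSLOG_EXPORT_FW", "NO").upper() != "YES" and cfg.get("SYSLOG_EXPORT_IPS", "NO").upper() != "YES":
        problems.append("neither SYSLOG_EXPORT_FW nor SYSLOG_EXPORT_IPS is YES; nothing will be exported")
    pri = cfg.get("SYSLOG_MESSAGE_PRIORITY")
    if pri is not None and not (pri.isdigit() and 0 <= int(pri) <= 191):
        problems.append(f"SYSLOG_MESSAGE_PRIORITY {pri!r} is outside 0-191 (RFC 3164)")
    return problems


def decode_priority(pri: int) -> Tuple[int, int]:
    """Split an RFC 3164 PRI value (0-191) into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be in 0-191")
    return divmod(pri, 8)


def should_export(log: Dict[str, str], filters: Iterable[Callable[[Dict[str, str]], bool]],
                  match: str, ftype: str) -> bool:
    """SYSLOG_FILTER_MATCH (ALL | ONE | NONE) decides whether the log matches the filters;
    SYSLOG_FILTER_TYPE KEEP sends matching logs, DISCARD sends only the non-matching ones."""
    results = [f(log) for f in filters]
    if match == "ALL":
        matched = all(results)
    elif match == "ONE":
        matched = any(results)
    elif match == "NONE":
        matched = not any(results)
    else:
        raise ValueError(f"unknown SYSLOG_FILTER_MATCH {match!r}")
    if ftype == "KEEP":
        return matched
    if ftype == "DISCARD":
        return not matched
    raise ValueError(f"unknown SYSLOG_FILTER_TYPE {ftype!r}")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for problem in check_config(cfg) or ["no problems found"]:
        print(problem)
    fac, sev = decode_priority(int(cfg["SYSLOG_MESSAGE_PRIORITY"]))
    print(f"PRI {cfg['SYSLOG_MESSAGE_PRIORITY']} -> facility {fac}, severity {sev}")
    # Constructed filters: a permitted connection from the internal 10/8 range.
    filters = [lambda l: l.get("action") == "Allow", lambda l: l.get("src", "").startswith("10.")]
    print("export:", should_export({"action": "Allow", "src": "10.1.2.3"}, filters,
                                   cfg["SYSLOG_FILTER_MATCH"], cfg["SYSLOG_FILTER_TYPE"]))
```

To check a real file, read it with `open(path).read()` in place of SAMPLE_CONFIG; the problems list is what to fix before step 3.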
Configuring StoneGate appliance or ForcePoint NGFW appliance version 5.5 or higher
To configure the StoneGate appliance or ForcePoint NGFW appliance, follow the steps below.
1. Log in to the SMC console.
2. Go to Home > Others.
3. Right-click the Log Server and select Properties.
4. Switch to the Log Forwarding tab and configure the following:
For Firewall:
DataType = FW
Format = XML
Port = 514
For IPS:
DataType = Inspection
Format = XML
Port = 514
Note: The Collector supports only XML format for Firewall and IPS.
Table 1-3: The Log server properties and their description.
Property | Value | Explanation |
Target Host | | The Host element that represents the target host to which log data is forwarded. |
Service | TCP, UDP | The network protocol used to forward log data. Note: If you have to define an access rule that allows traffic to the target host, make sure that the service you select is also used as the service in the access rule. |
Port | 514 | The port that is used for log forwarding. Note: If you have to define an access rule that allows traffic to the target host, make sure that the port you select is also used as the port in the access rule. |
Format | CEF | Logs are forwarded in CEF format. |
| CSV | Logs are forwarded in CSV format. |
| LEEF | Logs are forwarded in LEEF format. |
| NetFlow | Logs are forwarded in NetFlow format. The supported version is NetFlow v9. |
| IPFIX | Logs are forwarded in IPFIX (NetFlow v10) format. |
| XML | Logs are forwarded in XML format. |
Data Type | | The type of log data that is forwarded. |
Filter (Optional) | | An optional local filter that defines which log data is forwarded. The local filter is only applied to the log data that matches the log forwarding rule. |
To Populate Packet Fields for IPS v5.5.x
Add the following fields in the <Installation Directory>:\ForcePoint\Management Center\dataStonegate\fields\datatypes\ips_log_datatype.xml file.
<fieldref>ACC_RX_BYTES</fieldref>
<fieldref>ACC_TX_BYTES</fieldref>
<fieldref>ACC_RX_PACKETS</fieldref>
<fieldref>ACC_TX_PACKETS</fieldref>
<fieldref>EXCERPT</fieldref>
<fieldref>RECORD_ID</fieldref>
<fieldref>EXCERPT_POS</fieldref>
Add the following fields in the <Installation Directory>:\ForcePoint\Management Center\dataStonegate\fields\syslog_templates\default_syslog_conf.xml file.
<fieldref>ACC_TX_PACKETS</fieldref>
<fieldref>ACC_RX_PACKETS</fieldref>
<fieldref>RECORD_ID</fieldref>
<fieldref>EXCERPT</fieldref>
Save the file and restart the Log server.
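To confirm that both XML files carry the fieldref entries listed above before the Log server is restarted, here is an added Python example (not Forcepoint or Accenture code). It assumes each file holds `<fieldref>NAME</fieldref>` elements as siblings under one parent, as the snippets above suggest; the sample document below is constructed, and its `<datatype>` root element is a placeholder, not the real file layout. The example reports which required names are missing and can append them next to the existing entries without duplicating names that are already there.

```python
"""Verify, and if needed add, the <fieldref> entries the guide requires.

Added example, not vendor or Accenture code. The sample XML is constructed;
the real files' root element and surrounding structure are not known here.
"""
import xml.etree.ElementTree as ET
from typing import List

# Field names the guide adds to ips_log_datatype.xml and default_syslog_conf.xml.
IPS_DATATYPE_FIELDS = ["ACC_RX_BYTES", "ACC_TX_BYTES", "ACC_RX_PACKETS", "ACC_TX_PACKETS",
                       "EXCERPT", "RECORD_ID", "EXCERPT_POS"]
SYSLOG_TEMPLATE_FIELDS = ["ACC_TX_PACKETS", "ACC_RX_PACKETS", "RECORD_ID", "EXCERPT"]

# Constructed stand-in for ips_log_datatype.xml; <datatype> is a placeholder root element.
SAMPLE_XML = """<?xml version="1.0"?>
<datatype name="ips_log">
  <fieldref>TIMESTAMP</fieldref>
  <fieldref>SRC_IP</fieldref>
  <fieldref>ACC_RX_BYTES</fieldref>
</datatype>
"""


def present_fields(xml_text: str) -> List[str]:
    """Return the names of all <fieldref> elements in document order."""
    root = ET.fromstring(xml_text)
    return [(e.text or "").strip() for e in root.iter("fieldref")]


def missing_fields(xml_text: str, required: List[str]) -> List[str]:
    """Required names that the document does not yet contain, in the guide's order."""
    have = set(present_fields(xml_text))
    return [name for name in required if name not in have]


def ensure_fields(xml_text: str, required: List[str]) -> str:
    """Append a <fieldref> for each missing name beside the existing ones; idempotent."""
    root = ET.fromstring(xml_text)
    existing = list(root.iter("fieldref"))
    have = {(e.text or "").strip() for e in existing}
    # New entries go under the parent of the last existing fieldref (the root if there is none).
    parent = root
    if existing:
        for candidate in root.iter():
            if existing[-1] in list(candidate):
                parent = candidate
                break
    for name in required:
        if name not in have:
            ET.SubElement(parent, "fieldref").text = name
            have.add(name)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("missing from sample:", missing_fields(SAMPLE_XML, IPS_DATATYPE_FIELDS))
    updated = ensure_fields(SAMPLE_XML, IPS_DATATYPE_FIELDS)
    print("after update, missing:", missing_fields(updated, IPS_DATATYPE_FIELDS))
```

Run `missing_fields` against the contents of each real file with the matching list (IPS_DATATYPE_FIELDS for ips_log_datatype.xml, SYSLOG_TEMPLATE_FIELDS for default_syslog_conf.xml); an empty result means the edit is complete, and the Log server still needs the restart described above.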
Note: Accenture MDR recommends not using the Alert logging level, because Alert logs reduce the quality of the collected logs. If Alert logging is used, Accenture MDR provides support for log retention only.
LCP Configuration Parameters
Table 1-4: ForcePoint NGFW event collector (Syslog - 3134) properties to be configured by MDR.
Property | Default Value | Description |
Protocol | UDP | The default protocol for syslog. The collector can also accept logs over TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh TCP for reliability against UDP for speed/simplicity, contact the Accenture MDR onboarding team. |
IP Address | ForcePoint NGFW interface IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Port Number | 514 | The default port number for syslog. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture MDR onboarding team if this is a requirement. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.