Broadcom Edge Secure Web Gateway

About the Device

Broadcom Edge SWG (appliance or VMs) to provide businesses with better web security and enforcement of corporate and regulatory compliance. Your high-performance secure web gateway can be delivered on-premises on Symantec hardware and virtual appliances, or in private cloud infrastructure such as AWS, Azure or Google Cloud.

Device Information

 Entity

Particulars

 Entity

Particulars

Vendor Name

Broadcom (Previously known as Symantec and before that Bluecoat Respectively)

Product Name

Edge Secure Web Gateway (Previously Known as ProxySG)

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Blue Coat Proxy

BLUECOAT_WEBPROXY

Syslog (Via Logstash/NXlog)

CyberHub

Port Requirements

Source

Destination

Port

Source

Destination

Port

Broadcom Edge Secure Web Gateway

CyberHub

6514 (SECURE_TCP)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

Prerequisites:

  • A Central Log Aggregation Server with either CentOS 7.9 or Windows Server 2012 OS must be deployed and managed by customer in their internal network.

  • The customer is required to configure FTP Receiver in the Central Log Aggregation Server to enable saving incoming log files to their chosen directory.

  • This Central Log Aggregation Server needs to be installed either Logstash with java v1.8 as a dependency or Nxlog Community Edition as per customer’s log forwarding agent preference.

Adaptive MxDR prefers Logstash over Nxlog for log forwarding to avoid SSL Output related issues with Nxlog.

Configuring Broadcom Edge SWG :

  • Broadcom Edge SWG logs have to be sent to the Central Log Aggregation Server via FTP Upload. Find the configuration steps below.

  1. Configure the log format

    1. Login to the device Web interface.

    2. Click Configuration and navigate to Access Logging > Formats.

    3. In Log Formats, click New. The New Create Format pop-up window appears.

    4. In Format Name, type a name for the CyberHub.

    5. Select the W3C Extended Log File Format (ELFF) string option.

    6. In the text box, type the following.

date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host x-http-connect-host cs-uri-port cs-uri-path cs-uri-query cs-username c-cpu cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip x-bluecoat-application-name x-bluecoat-application-operation c-port cs(X-Forwarded-For) x-exception-id cs-category cs-uri-extension cs-uri x-bluecoat-appliance-primary-address s-sitename r-ip r-port r-dns x-rs-certificate-hostname x-rs-certificate-hostname-category x-rs-certificate-observed-errors x-rs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-strength x-rs-connection-negotiated-cipher-size x-rs-connection-negotiated-ssl-version s-supplier-ip s-supplier-country s-supplier-failures cs-threat-risk x-bluecoat-transaction-uuid x-icap-reqmod-header(X-ICAP-Metadata) x-icap-respmod-header(X-ICAP-Metadata) x-exception-category x-rs-certificate-hostname-threat-risk x-cs(Referer)-uri-threat-risk x-cs(Referer)-uri-categories s-port s-source-ip s-source-port

g. To check the log format, click Test Format.

In the Edge SWG version 6.x or later, the Test Format Results pop-up window appears with deprecated fields. In a few Edge SWG versions, fields such as s-hierarchy, r-hierarchy are unsupported and can be removed. Once the unsupported log fields are removed, the Test Format Results pop-up window will display the message "Format Syntax correct".

h. From Multiple-valued header policy, select Log last header and click OK.

i. In Log Formats, click Save.​

image-20240109-065426.png

2. Configure the Log Facility​

a. Click Configuration and navigate to Access Logging > Logs.

b. In Logs, click New. The Create Log window appears.

c. In Log Settings, in the Log Name, type a name for the CyberHub.

d. In Log Format, select the log format created in Step1.

e. In Description, type the description of the CyberHub.

f. In Log file limits, in the The maximum size of each remote file is, type 200

g. In Start an early upload if log reaches, type 200 and click OK.

image-20240109-065500.png
  1. Configure the FTP client

a. Click Configuration and navigate to Access Logging > Logs > Upload Client.

b. In Log, select the log facility created in Step 2.

c. In Client type, select FTP Client and click Settings

d. In Settings for, select Primary FTP Server.

e. In Host, type the IP address of the Central Log Aggregation Server.

f. In Port, enter port number of your FTP Server, default port is 21

g. Provide the Directory path where the access log is uploaded on the Central Server.

h. In Username, type your FTP Server Username

i. Click Change Primary password to change the password on the FTP server; the Change Password dialog displays; enter and confirm the new password; click OK. You may leave the field empty if no password configured at FTP Server.

j. In Filename,

i. Type the log file name in the following format if you want to send logs without compression.

SG_%f_%c_%I%m%d%H%M%S.log

ii. Type the log file name in the following format if you want to send logs with compression.
SG_%f_%c_%I%m%d%H%M%S.gzip.log

1.The default filename includes the log name (%f), name of the external certificate used for encryption if any (%c), fourth parameter of the Edge SWG device IP address (%l), date and time (Month: %m, Day: %d, Hour: %H, Minute: %M, Second: %S), and .log or .gzip.log file extension. 

  1. You must configure sending logs without compression which is also supported with any forwarder configuration. Configuring sending logs with compression gets worked only if you have chosen Logstash as your forwarder deployed in CentOS as Central Log Aggregation Server OS.

k. Select Use secure connections (SSL) 

l. Select Local Time, only if you need to send logs in your local time. 

m. Select Use PASV and then click OK and Apply.

4.Assign a log facility to the format.

a. Click Configuration and navigate to Access Logging > General.

b. In Default Logging, all the available protocols will be mapped to the default log facility. 

c. Adaptive MxDR supports the following protocol logs which are given in the table and recommends you map the protocols to the CyberHub log facility.

d. Click each of the above protocols and click Edit

e. Map the logging facility created in Step 2 to each protocol and click Apply.

5.Configure the Upload Schedule

a. Click Configuration and navigate to Access Logging > Logs > Upload Schedule.

b. In Log, choose the logging facility created in Step 2.

c. In Upload type, select the periodically option.

d. In Rotate the log file, do the following:

i. Click Every

ii. In hours, type 0

iii. In minutes, type 15 and then click Apply.

6.Test the access log upload

a. To set the event logging level for testing, do the following: 

i. Click Maintenance and go to Event Logging > Level.

ii. Select Verbose and click Apply.​

b. To test the log upload:

i. Click Configuration and navigate to Access Logging > Logs > Upload Client.

ii. In Log, choose the logging facility created in Step 2 and click Test Upload

c. To reset the event logging level after testing:

i. Click Maintenance and navigate to Event Logging > Level.

ii. Uncheck the Verbose and click Apply.

7.Enable the newly created log facility


To enable a new logging facility, follow the steps below.

a. Click Configuration and navigate to Policy > Visual Policy Manager.

b. In Visual Policy Manager window, navigate to Policy > Add Web Access Layer.

c. Enter a name for the Web Access Layer and click OK.

d. Right-click the newly created Web Access Layer and navigate to Action > Set.

e. In Set Action Object, navigate to New > Modify Access Logging.

f. In Name, type a name for the Accenture MDR Access Logging Object.

g. Select Enable logging to, from the dropdown list, select the log facility created in Step 2 and click OK.

h. Click OK to close the VPM window and click Yes to save the changes.

8. Enable the device to send logs via FTPS

a. Login to the device Web interface.

b. Click Configuration and navigate to SSL > CA Certificates > Import.

c. In Import CA Certificate

i. In CA Cert Name, type a name for your certificate.

ii. In CA Certificate PEM, paste your certificate

iii. Click OK and Apply

iv. To validate Blue Coat event logging, click the Statistics and navigate to System > Event Logging.

  • Configure Logstash Agent to forward logs to CyberHub

  1. Download, Install and setup Logstash agent by referring to this link Installing Logstash | Logstash Reference [8.2] | Elastic. Logstash requires JAVA to be installed as a prerequisite. You must install JAVA 8 in the Central Log Aggregation Server to enable Logstash processing log files. For Windows environments, Logstash should be installed with Admin User.

  2. Ensure that logstash service and logstash user have appropriate permissions for having full access on uploaded log files on Windows and Linux Log Aggregation Server respectively.

  3. Steps to configure Logstash Agent

    1. Navigate to Logstash configuration directory location,

      1. In CentOS with default installation, please navigate to “/etc/logstash/conf.d/.

      2. In Windows, please navigate to the installed directory {Logstash_extract.path}/config where {Logstash_extract.path} is Logstash Directory created by unpacking the archive.
        This could be any chosen custom path on which you extracted Logstash archive. Example value could be “C:/logstash-8.3.1/config“

    2. Rename attached logstash.conf to "edgeswg.conf" and copy this in the Logstash Configuration directory. Here edgeswg.conf file should be copied either in conf.d or config directory for CentOS and Windows installation respectively. Kindly edit this file for log forwarding by following the steps provided in it and then Save it.

    3. Start the logstash service.



  • Configure NxLog Agent to forward logs to CyberHub

  1. Download and Install NXLog agent from location Download (There are few dependencies that you need to install and then you can install NXLog on machine. Refer NXLog documentation collections | NXLog Docs )

  2. Ensure that nxlog service and nxlog user have appropriate permissions for having full access on uploaded log files on Windows and Linux Log Aggregation Server respectively.

  3. Configure NXLog Agent

    1. Navigate to NXLog configuration directory location.

      1. In CentOS with default installation, please navigate to “/etc/nxlog/directory.

      2. In Windows with default installation, please navigate to “C:\Program Files\nxlog\conf” folder.

    2. For CentOS installation, rename attached nxlog_linux.conf to "nxlog.conf" and copy into this /etc/nxlog directory. For Windows installation, rename attached nxlog_windows.conf to "nxlog.conf" and copy into this C:\Program Files\nxlog\conf directory. Kindly edit this file for log forwarding by following the steps provided in it and then Save it.

    3. Start the nxlog service.

Integration Parameters

Parameters required from customer for Integration.

Property

Default Value

Description

Property

Default Value

Description

IP Address

Broadcom Edge Secure Web Gateway interface IP address

Hostname or IP address of the device which forwards logs to the CyberHub

 

 

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.