alhiar
Level 7
Message 1 of 9

Where can I find the firewall events in NSM?


I am using the firewall feature in the Network Security Platform and I find it very useful and simple, but I cannot find any firewall log in the manager: there are no firewall logs in the Attack Log and I cannot find a guide that tells me where those events go.

Can somebody tell me where these logs are stored? Or does the NSManager receive these logs?

Thank you.

NSM Version: 8.3.7.86

NSP Sensor: 7100 \ 8.3.5.50

The firewall feature is configured in: Policy --> Policy Types --> Firewall Policies


Accepted Solutions
d_aloy
Reliable Contributor
Message 4 of 9

Re: Where can I find the firewall events in NSM?


No worries, Alhiar.

Here are the answers:

1) Does the NSM manager work as a syslog server?

- A syslog server *receives* syslog messages with specific 'marked/named' fields you can use for processing those syslog messages from any 'syslog enabled clients'. The NSM is a syslog client - have a look at the syslog message options you can customize to your needs to manage what information is *sent* from NSM to the syslog server (i.e. the SIEM solution). This is key for automation and searches at SIEM/syslog server level.

 

if not...

2) Do I have to use a syslog server to process those logs?

- Yes.

3) Does the NSM manager not process those events?

- The NSM receives IPS alerts and firewall events based on the policies you configure and apply to the devices the NSM manages. It will also receive faults from these devices, including the NSM/MDR itself, IPS sensors, NTBA appliances, and 3rd-party integrations (DNS servers, DxL, GTI, etc.).

The event is processed once it is received by the NSM. The actions that define how to process the event (receive and store, receive and forward to the configured syslog/SNMP server, etc.) will also be defined by the multiple configuration options you have in the NSM UI, as per my previous message.

 

Hope this helps, else let us know 😉

 

Regards

David

8 Replies
d_aloy
Reliable Contributor
Message 2 of 9

Re: Where can I find the firewall events in NSM?


Hi Alhiar,

When you configure a new firewall rule, each access rule embedded within the firewall rule has an option at the very end of the actions to "log to syslog".

I believe that if you check this box, the action taken by the access rule (allow/deny) will be sent to the syslog server if you also configure the notification under the "Manager" tab -> Setup / Notification / Firewall Access Events.

 

I know PERs (product mods) have been requested to get the FW events on the Attack Log - I am not sure these have been implemented yet. Maybe someone else can confirm this (or correct me if I'm wrong). Cheers.

HTH

Regards

David

alhiar
Level 7
Message 3 of 9

Re: Where can I find the firewall events in NSM?


Hi David, thank you for your answer. The "Log to syslog" checkbox is enabled.

Understanding what you explain, 3 questions come to my mind:

1) Does the NSManager work as a syslog server? If not,

2) Do I have to use a syslog server to process those logs?

3) Does the NSManager not process those events?

Regards

Alberto.

kylekat
Reliable Contributor
Message 5 of 9

Re: Where can I find the firewall events in NSM?


This post is great, thank you for putting together all this useful information.

I will throw in my 2 cents: for these logs to be sent to a remote syslog or SIEM, it has to be configured both in NSM's "Manager - Setup - Notification - Firewall Access Events" tab and on a per-device basis under "Devices - Setup - Logging - Firewall Access Logging", or the ACL hits will not be sent to the NSM.

mjesmer
Reliable Contributor
Message 6 of 9

Re: Where can I find the firewall events in NSM?


Everything David has said is correct. There have been PER requests to have Firewall events shown in the Attack Log.

However, the Sensors are IPS devices, not firewalls, and should not be used as such. If you try to use the sensors as both a firewall and IPS you will see HUGE performance loss, and the functionality of the sensor firewall is limited. It is for this reason that the McAfee PM team will most likely never approve adding this functionality to NSP/NSM. It would just enable people to use the product in a way it was never intended to be used.

 

Now using the Firewall feature to mitigate some traffic and ignore other traffic is ok to an extent, but not as a primary firewall solution.

d_aloy
Reliable Contributor
Message 7 of 9

Re: Where can I find the firewall events in NSM?


Hi Mjesmer,

I don't see why using the advanced firewall features available on the platform should cause any performance impact. Could you elaborate on this or point us to any online docs explaining why this may happen?

From my point of view, advanced ACLs should increase the performance.

If you block traffic, then that traffic will not be processed or inspected. This is great to make sure you use the IPS devices to monitor only those protocols of interest. For example, I just want to focus on HTTP/S traffic, so I could block or ignore other protocols to make sure 100% of the throughput inspection capabilities are dedicated to the protocol of my interest.

In another use case, and that is a very common one, you may want to ignore traffic from specific IP addresses. For example, I have external vulnerability scanners on specific network ranges that will trigger thousands of alerts when the vuln scan runs, so ignoring that traffic with the ACLs will prevent those alerts being raised.

ACLs are the only 'firewall' features available on the IPS devices. There is no switching/routing/NAT, which would be the most common functions (including IPsec, etc.) you would find on a firewall, so I don't see why you would not use the advanced ACL feature on NSP, and why the manager shouldn't be forwarding those events via syslog.

Regards

David

mjesmer
Reliable Contributor
Message 8 of 9

Re: Where can I find the firewall events in NSM?


David,

I am all for using the feature as intended, but there are customers out there that I have supported who try to use this as an edge device and try to filter all of the external traffic through it. (It was for this reason I was saying that the sensor is meant to be just that, an IPS device.) I was also making the case that if you can drop the traffic for a particular IP at the border firewall... you should.

Like I said though, the feature is meant to do exactly what you have stated... ignore scanners/IPs that you do not need to scan or alert on. When this is configured properly it should decrease load on the sensor and provide a throughput boost. If configured incorrectly there is still a throughput and processing price paid.

 

From my time at McAfee, PM has pushed back and denied PERs for ACL triggers to be shown in the Attack Log; they simply stated that the sensor is an IPS first, FW is a feature, and the triggers can be monitored in a syslog.

 

Have they changed their stance on this? We can only hope. It would help provide a more seamless one-window view for alerts triggered by the product.

 

Also, when I was there my management said that "the squeaky wheel gets the grease", meaning if the community is vocal enough about having this feature, then they will be more likely to add it.

 

I would say open a PER again, and try to get as many people as we can to "up" vote it.

d_aloy
Reliable Contributor
Message 9 of 9

Re: Where can I find the firewall events in NSM?


🙂

I completely get what you mean now.... That's the typical customer that would place the sensor on the 'outside' of the firewall to filter out traffic, when that is the fw job really, and then DPI for 'allowed' traffic in is performed by the sensor.

 

And in my previous post I meant why those FW events shouldn't be shown on the Attack Log (not forwarded as syslog events... they already are, so autocorrect there).

 

Thanks for the reply mate.

 

Cheers

David
