We are running some Juniper MAG (MAG-SM360, 7.4RXX) for SSL VPN, sending SYSLOG events to the SIEM using the WELF format (not the standard one).
We selected WELF as it's easier to write regexes for.
Although this product is listed as fully supported, I discovered the default ASP rules are not parsing these events correctly, or are just discarding some useful information (like the assigned internal address or the hostname, for example). I tried to "fix" them but realized it would take too much time.
Instead, I have created custom rules from scratch for the most common events:
- Juniper - NWC30993: Closed connection.
- Juniper - NWC30477: VPN Tunneling: User connected with SSL transport mode.
- Juniper - NWC23465: VPN Tunneling: Session ended.
- Juniper - NWC23464: VPN Tunneling: Session started.
- Juniper - ERR24670: VPN Tunneling.
- Juniper - EAM30446: Session extended.
- Juniper - EAM24460: Session resumed.
- Juniper - AUT31014: Closed connection to TUN-VPN.
- Juniper - AUT31002: Connected to TUN-VPN.
- Juniper - AUT30544: User chose to proceed on the sign-in notification page HC KO
- Juniper - AUT24804: Host Checker policy failed.
- Juniper - AUT24803: Host Checker policy passed.
- Juniper - AUT24414: Agent login succeeded.
- Juniper - AUT24327: Primary authentication failed.
- Juniper - AUT24326: Primary authentication successful.
- Juniper - AUT23574: logged out because user started new session.
- Juniper - AUT23524: Roles changed during policy reevaluation.
- Juniper - AUT23457: Login failed using auth server.
- Juniper - AUT23277: Password realm restrictions failed.
- Juniper - AUT23181: Session has been terminated.
- Juniper - AUT23077: Roles changed.
- Juniper - AUT22927: System process detected a Host Checker time out.
- Juniper - AUT22925: Host Checker policy failed.
- Juniper - AUT22886: Session timed out.
- Juniper - AUT22675: Login failed. Subsequent attempts will be blocked.
- Juniper - AUT22673: Logout.
- Juniper - AUT22670: Login succeeded.
- Juniper - AUT21097: Radius Server unreachable. Login failed.
- Juniper - AUT21073: Failed login. Next Token code is invalid.
- Juniper - AUT21071: Login. New PIN required.
- Juniper - AUT21052: Login rejected. IP address is blocked.
- Juniper - AUT20919: Remote address changed.
- Juniper - AUT20918: Remote address changed. Access denied.
- Juniper - AUT20915: Session timed out.
- Juniper - AUT20914: Max session timeout.
- Juniper - AGU30458: Ending dsagentd session.
- Juniper - AGU30457: Starting dsagentd session.
I also created 3 new custom fields:
- MobileSSL_IP: used to store the assigned internal IP once the user is connected to the VPN. (IPv4, #2)
- MobileSSL_Group: used to store the groups assigned to the user when authenticated. (string, #1)
- MobileSSL_UA: used to store the application string used by the client. (string, #3)
All these rules capture the following variables (even when a variable is expected to be empty; this makes rule management easier):
- time: time of the event, mapped to first/last time
- vpn_server: the VPN server IP, mapped to destination IPv4
- user: mapped to UserIDSRc
- roles: mapped to MobileSSL_Group
- src: the user's public IP, mapped to source IPv4
- dst: the assigned internal IP, mapped to MobileSSL_IP
- sent: bytes sent (once the session is terminated)
- received: bytes received (once the session is terminated)
- agent: mapped to MobileSSL_UA
- duration: mapped to Elapse_Time.
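As an added example (not part of the original post, and not Juniper's or the SIEM vendor's code), here is a small Python parser that does the same job as those custom rules: it splits a WELF line into key=value pairs, keeps empty values so every event yields the same set of variables, maps the keys onto the custom fields listed above, and pulls the event ID (AUT22670, NWC23464, ...) out of the msg value. The sample lines are constructed to resemble Juniper's WELF layout; the WELF key names (fw for the VPN server address, rcvd for received bytes) and the "hostname ..." wording inside the NWC23464 message are assumptions, so adjust the regexes to what your MAG actually sends.

```python
import re

# One WELF key=value pair: the value is either "quoted" (may contain spaces
# or be empty) or a bare run of non-space characters (may also be empty,
# e.g. `dst= dstname=`). Keeping empty values is deliberate: every event
# then carries the same variables, which is what the custom rules rely on.
WELF_PAIR = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))'
)

# Juniper message IDs look like AUT22670 / NWC23464 / ERR24670 at the start of msg.
MSG_ID = re.compile(r"^(?P<id>[A-Z]{3}\d{5}):\s*(?P<text>.*)$")

# Assumed wording for the hostname inside a session-start message.
HOSTNAME = re.compile(r"\bhostname\s+(?P<host>[^\s,]+)")

# WELF key -> SIEM field, following the mapping given in the post.
# `fw` and `rcvd` are assumed to be the WELF keys behind vpn_server/received.
FIELD_MAP = {
    "time": "first_time",
    "fw": "destination_ipv4",
    "user": "UserIDSrc",
    "roles": "MobileSSL_Group",
    "src": "source_ipv4",
    "dst": "MobileSSL_IP",
    "sent": "bytes_sent",
    "rcvd": "bytes_received",
    "agent": "MobileSSL_UA",
    "duration": "Elapse_Time",
}

# Constructed sample events (not captured from a real device).
SAMPLE_LOGS = [
    'id=firewall time="2013-03-11 10:02:17" pri=6 fw=10.1.1.5 vpn=ive user=jdoe '
    'realm="Users" roles="VPN-Users" proto=auth src=203.0.113.7 dst= dstname= '
    'type=vpn op= arg="" result= sent= rcvd= agent="Juniper Network Connect" '
    'duration= msg="AUT22670: Login succeeded for jdoe/Users from 203.0.113.7."',
    'id=firewall time="2013-03-11 10:02:20" pri=6 fw=10.1.1.5 vpn=ive user=jdoe '
    'realm="Users" roles="VPN-Users" proto=ncp src=203.0.113.7 dst=172.16.40.23 '
    'dstname= type=vpn op= arg="" result= sent= rcvd= agent="Juniper Network Connect" '
    'duration= msg="NWC23464: VPN Tunneling: Session started for user with IPv4 '
    'address 172.16.40.23, hostname WS-JDOE"',
    'id=firewall time="2013-03-11 11:47:09" pri=6 fw=10.1.1.5 vpn=ive user=jdoe '
    'realm="Users" roles="VPN-Users" proto=ncp src=203.0.113.7 dst=172.16.40.23 '
    'dstname= type=vpn op= arg="" result= sent=5120334 rcvd=984120 '
    'agent="Juniper Network Connect" duration=6289 msg="NWC23465: VPN Tunneling: '
    'Session ended for user with IPv4 address 172.16.40.23"',
]


def parse_welf(line):
    """Return a dict of every key=value pair on the line, empty values included."""
    pairs = {}
    for m in WELF_PAIR.finditer(line):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        pairs[m.group("key")] = value
    return pairs


def to_siem_event(line):
    """Map one WELF line onto the SIEM fields used by the custom rules."""
    raw = parse_welf(line)
    event = {siem_field: raw.get(welf_key, "") for welf_key, siem_field in FIELD_MAP.items()}

    msg = raw.get("msg", "")
    m = MSG_ID.match(msg)
    event["event_id"] = m.group("id") if m else ""   # "" flags an unrecognised message
    event["message"] = m.group("text") if m else msg

    # The default rules dropped the hostname; pull it from the message text when present.
    h = HOSTNAME.search(msg)
    event["hostname"] = h.group("host") if h else ""
    return event


def parse_samples():
    """Parse the constructed sample lines; handy for a quick check of the rules."""
    return [to_siem_event(line) for line in SAMPLE_LOGS]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev["event_id"], ev["UserIDSrc"], ev["source_ipv4"], "->",
              ev["MobileSSL_IP"] or "-", ev["hostname"] or "-",
              ev["bytes_sent"] or "-", ev["bytes_received"] or "-", ev["Elapse_Time"] or "-")
```

Because the parser never drops a key, a login event (AUT22670) and a tunnel-end event (NWC23465) produce the same field set, with MobileSSL_IP, bytes_sent, bytes_received and Elapse_Time simply left empty where the device did not fill them; that is the property that makes one rule layout work across all the message IDs listed above. An empty event_id is worth alerting on in the SIEM itself, since it means the MAG emitted a message the rules do not know about.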