Apart from reporting on most enterprise firewalls, Firewall Analyzer can also analyze logs from, and generate specific reports on, Squid proxy servers and RADIUS servers.
Data sent from Firewall Analyzer is normally not encrypted, so anyone able to intercept it on the network can read it.
The log files are located in the <FirewallAnalyzer_Home>/server/default/log directory. When you run into a problem, you will typically be asked to send the serverout.txt file from this directory to Firewall Analyzer Support.
Internet Explorer throws this error when you try to open an exported PDF report inside the browser itself. This is a known issue that we are working to resolve. For now, save the report to your local machine and open it with your usual PDF software (Adobe Acrobat Reader or xpdf).
You need to configure your Intranets in order to separate inbound and outbound traffic. The Inbound Outbound Traffic report shows traffic details for inbound traffic (traffic coming into the LAN) and outbound traffic (traffic going out of the LAN) through the firewall. Once Intranets are configured, the report shows which hosts and which protocol groups have contributed the most traffic on either side of the firewall. Follow the instructions under Setting Up Intranets.
Typical firewall logs carry four values per flow, for example 16.1.1.1 www.yahoo.com 10 bytes 1MB, i.e. Source-IP, Destination-IP, Bytes-Sent and Bytes-Received. Cisco PIX does not split bytes sent and bytes received; it reports a single cumulative BYTES value. For most protocols the originator of a transaction receives more than it sends, so Firewall Analyzer books the PIX BYTES value as RECEIVED. FTP is the exception: Cisco PIX writes an additional log message that identifies the direction of the transfer, and Firewall Analyzer uses the FTP put/get recorded there to decide whether the traffic counts as SENT or RECEIVED.
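The two rules above (direction from configured Intranet ranges, and the Cisco PIX byte-attribution rule with its FTP exception) are shown together in the following added example. It is not Firewall Analyzer code. The generic "src dst bytes-sent bytes-received" line format, the Intranet ranges and every sample log line are constructed; the PIX lines follow the 302014 (connection teardown) and 303002 (FTP file Stored/Retrieved) message layouts, and correlating them by endpoint pair is a simplification of what a real collector would do.

```python
"""Added example (not Firewall Analyzer code): book bytes from firewall
accounting lines the way the FAQ describes and tag each flow inbound or
outbound from configured Intranet ranges.

Assumptions not stated on the page: the generic line is
"src dst bytes-sent bytes-received" with plain integers; the PIX lines follow
the 302014 (teardown, one cumulative byte count) and 303002 (FTP Stored /
Retrieved) message layouts; all sample lines and address ranges are constructed.
"""
import ipaddress
import re

# Constructed Intranet ranges (the FAQ's "Setting Up Intranets" step).
INTRANETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed generic "src dst bytes-sent bytes-received" accounting line.
GENERIC = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
# PIX 302014: endpoints are listed by interface, and only a cumulative byte count.
PIX_TEARDOWN = re.compile(
    r"%PIX-\d-302014: Teardown \w+ connection \d+ for \w+:([\d.]+)/\d+ "
    r"to \w+:([\d.]+)/\d+ duration \S+ bytes (\d+)")
# PIX 303002: names the FTP client, the server and whether a file was put or got.
PIX_FTP = re.compile(
    r"%PIX-\d-303002: FTP connection from \w+:([\d.]+)/\d+ to \w+:([\d.]+)/\d+, "
    r"user \S+ (Stored|Retrieved) file")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTRANETS)


def direction(src, dst):
    """Direction of a connection from originator src to responder dst."""
    s, d = is_internal(src), is_internal(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s else "external"


class Accountant:
    """Turns accounting lines into {lan, remote, sent, received, direction}."""

    def __init__(self):
        # frozenset({client, server}) -> ("sent" | "received", client)
        self.pending_ftp = {}
        self.flows = []

    def feed(self, line):
        m = GENERIC.match(line)
        if m:
            src, dst, sent, rcvd = m.groups()
            return self._book(src, dst, int(sent), int(rcvd), direction(src, dst))
        m = PIX_FTP.search(line)
        if m:
            client, server, action = m.groups()
            # put (Stored): the originator sent the bytes; get (Retrieved): it received them.
            self.pending_ftp[frozenset((client, server))] = (
                "sent" if action == "Stored" else "received", client)
            return None
        m = PIX_TEARDOWN.search(line)
        if m:
            a, b, total = m.group(1), m.group(2), int(m.group(3))
            hint = self.pending_ftp.pop(frozenset((a, b)), None)
            if hint:
                kind, client = hint
                server = b if client == a else a
                sent, rcvd = (total, 0) if kind == "sent" else (0, total)
                return self._book(client, server, sent, rcvd, direction(client, server))
            # No split and no originator in this message: FAQ rule, book as RECEIVED.
            lan, remote = (a, b) if is_internal(a) else (b, a)
            return self._book(lan, remote, 0, total, "unknown")
        return None

    def _book(self, src, dst, sent, rcvd, direction_label):
        lan, remote = (src, dst) if is_internal(src) else (dst, src)
        flow = {"lan": lan, "remote": remote, "sent": sent, "received": rcvd,
                "direction": direction_label}
        self.flows.append(flow)
        return flow


SAMPLE_LINES = [  # constructed sample input
    "10.1.1.5 203.0.113.10 1200 48000",
    "Dec 20 2005 09:52:14: %PIX-6-303002: FTP connection from inside:10.1.1.7/2100 "
    "to outside:203.0.113.20/21, user john Stored file report.pdf",
    "Dec 20 2005 09:53:01: %PIX-6-302014: Teardown TCP connection 77 for "
    "outside:203.0.113.20/21 to inside:10.1.1.7/2100 duration 0:00:47 bytes 500000 TCP FINs",
    "Dec 20 2005 09:54:02: %PIX-6-302014: Teardown TCP connection 78 for "
    "outside:198.51.100.9/443 to inside:10.1.1.9/3456 duration 0:00:05 bytes 9000 TCP FINs",
]


def summarise(lines=SAMPLE_LINES):
    acc = Accountant()
    for line in lines:
        acc.feed(line)
    return acc.flows


if __name__ == "__main__":
    for f in summarise():
        print(f)
```

The teardown record for the FTP control connection inherits the put/get direction noted from the earlier 303002 message; a teardown with no such note falls back to the RECEIVED rule and is marked with direction "unknown", because the message lists endpoints by interface and not by who initiated the connection.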
Probable cause: the Firewall Analyzer installation directory 'ManageEngine' is being accessed by other applications. The inbuilt MySQL database of Firewall Analyzer can become corrupted if other processes, typically backup agents or anti-virus scanners, access these directories while it is running.
Solution: exclude the 'ManageEngine' directory (prior to version 6.0 it was C:\AdventNet or D:\AdventNet) from both the backup process and anti-virus scans.
To increase the web client time-out limit, follow the steps given below:
The above changes affect all web clients connected to the FWA server. Alternatively, you can install the "Auto IE Refresher" add-on for the IE browser on your own machine and monitor the pages from there.
Reference pages:
http://www.softpedia.com/get/Internet/Other-Internet-Related/Auto-IE-Refresher.shtml
http://www.download.com/AutoRefresher-for-IE/3000-12512_4-10293579.html
It is recommended that you install Firewall Analyzer on a machine with the following configuration:
Look up System Requirements to see the minimum configuration required to install and run Firewall Analyzer.
The installation of Firewall Analyzer does not make any changes to the firewall server configuration.
Firewall Analyzer can be started as the root user, but doing so changes the ownership of its files to root, after which the server can no longer be started as any other user. Start it from the first run as the account you intend to run it under.
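The check a practitioner wants after an accidental root start is which files the intended service account no longer owns. The following is an added example, not a ManageEngine script; the install path and the service account name are placeholders you supply, and it assumes a dedicated non-root account exists for the server.

```sh
#!/bin/sh
# Added example, not a ManageEngine script: after an accidental start as root,
# list files under the install tree that the intended service account no
# longer owns, so they can be handed back before the next non-root start.
# <FirewallAnalyzer_Home> and <service_user> are placeholders you supply.

# Usage: audit_ownership <FirewallAnalyzer_Home> <service_user>
# Prints offending paths; returns 0 if clean, 1 if any found, 2 on bad input.
audit_ownership() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    offenders=$(find "$dir" ! -user "$user" 2>/dev/null)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Usage: restore_ownership <FirewallAnalyzer_Home> <service_user>
# Must itself run as root; afterwards start the server as <service_user>, not root.
restore_ownership() {
    dir=$1
    user=$2
    audit_ownership "$dir" "$user" >/dev/null && return 0
    chown -R "$user" "$dir"
}
```

Run audit_ownership first; it is read-only and exits 1 only when something needs fixing, which makes it usable from a pre-start check in the service wrapper.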
The web server port you have selected during installation is possibly being used by another application. Configure that application to use another port, or change the Firewall Analyzer web server port.
The archiving feature in Firewall Analyzer automatically stores all received logs in zipped flat files. You can configure the archiving settings to suit the needs of your enterprise. Apart from that, if you need to back up the database, which contains the processed data from the firewall logs, you can run the database backup utility BackupDB.bat (Windows) or BackupDB.sh (Linux) present in the <FirewallAnalyzer_Home>/troubleshooting directory.
Normally, Firewall Analyzer is installed as a service. If you installed it as an application rather than as a service, you can configure it as a service at any later time. The procedure to configure it as a service and to start and stop the service is given below.
To configure Firewall Analyzer as a service after installation, change to the bin directory and execute the following command:
cd <Firewall Analyzer Home>/bin
sh configureAsService.sh -i
Yes, you can use the Java installation already present on the Firewall Analyzer server machine. The procedure is given below:
For SMS functionality, copy the files listed below from the Java bundled with the product into the existing Java installation on the machine.
This message can be shown in two cases:
Case 1: Your system date is set to a future or past date. Uninstall Firewall Analyzer, reset the system date to the current date and time, and re-install Firewall Analyzer.
Case 2: You may have applied an incorrect or corrupted license file. Verify that you have applied the license file obtained from ZOHO Corp.
If neither is the cause, or you still get this error, contact licensing@manageengine.com.
Probable cause: An instance of MySQL is already running on this machine.
Solution: Shut down all instances of MySQL and then start the Firewall Analyzer server.
Probable cause: Port 33336, the MySQL port used by Firewall Analyzer, is not free.
Solution: Stop the other application listening on port 33336. If you cannot free this port, change the MySQL port used in Firewall Analyzer.
Probable cause: The default web server port (8500) used by Firewall Analyzer is not free.
Solution: Stop the other application listening on port 8500. If you cannot free this port, change the web server port used in Firewall Analyzer.
The session information for each user can be accessed from the User Management page. Click the View link under Login Details against each user to view the active session information and session history for that user.
Firewalls usually need to be configured specifically to generate log files in WELF. The Configuring Firewalls section includes configuration instructions for some of the firewalls supported by Firewall Analyzer.
Different firewalls denote port numbers in their logs in different ways; for example, HTTP on port 80 may appear as tcp:80, http:80, and so on. Hence protocol identifiers are grouped into Protocols, and Protocols in turn into Protocol Groups. We found that reports based on Protocols are much more usable than reports based on raw port numbers, so the reports show Protocols. Once all unassigned protocols have been assigned to Protocols and Protocol Groups, no unknown protocols remain in the reports.
Assigning Unassigned Protocols. You can view the port details of the unassigned protocols:
We have configured the commonly used protocols into Groups such as Mail, Web, FTP, Telnet, etc. You can group the unknown protocols to suit your requirements. Configuring unassigned protocols is a one-time activity.
Note: Once you assign protocols, the reports show the newly assigned protocols under their protocol group only for data received after the time of assignment. Reports for earlier periods will still show them as unassigned protocols.
If you need reports based on port numbers, assign specific protocols to the corresponding port numbers and create a custom report to view the details.
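The normalisation described above, as an added example that is not Firewall Analyzer code: it maps the identifier variants different firewalls emit (http, http:80, tcp:80, 80/tcp, tcp/http) onto a Protocol and its Protocol Group, reports which identifiers are still unassigned, and shows the one-time assignment step. The port and group tables are a constructed sample, not the product's shipped definitions, and the accepted identifier syntaxes are an assumption drawn from the log formats quoted elsewhere on this page.

```python
"""Added example, not Firewall Analyzer code: resolve protocol identifiers from
firewall logs to Protocols and Protocol Groups, and list what is unassigned.
The tables below are constructed samples, not the product's defaults.
"""
import re
from collections import Counter

# (transport, port) -> protocol name. Constructed.
PORT_TO_PROTOCOL = {
    ("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 25): "smtp",
    ("tcp", 110): "pop3", ("tcp", 143): "imap", ("tcp", 21): "ftp",
    ("tcp", 23): "telnet", ("tcp", 53): "dns", ("udp", 53): "dns",
}
# protocol name -> Protocol Group. Constructed.
PROTOCOL_GROUPS = {
    "http": "Web", "https": "Web", "smtp": "Mail", "pop3": "Mail",
    "imap": "Mail", "ftp": "FTP", "telnet": "Telnet", "dns": "DNS",
}
UNASSIGNED = "Unassigned"
TRANSPORTS = ("tcp", "udp", "icmp")

# One or two tokens separated by ':' or '/': "http", "http:80", "tcp:80", "80/tcp", "tcp/http".
_IDENT = re.compile(r"^(?:(?P<a>[a-z0-9_-]+)[:/])?(?P<b>[a-z0-9_-]+)$", re.I)


def normalise(identifier):
    """Return (protocol, group, assigned) for one identifier as written in a log."""
    m = _IDENT.match(identifier.strip())
    if not m:
        return identifier, UNASSIGNED, False
    tokens = [t.lower() for t in (m.group("a"), m.group("b")) if t]
    transport = next((t for t in tokens if t in TRANSPORTS), None)
    names = [t for t in tokens if t != transport and not t.isdigit()]
    ports = [int(t) for t in tokens if t.isdigit()]

    protocol = None
    if names and names[0] in PROTOCOL_GROUPS:          # "http", "http:80", "tcp/http"
        protocol = names[0]
    elif ports and transport:                          # "tcp:80", "80/tcp"
        protocol = PORT_TO_PROTOCOL.get((transport, ports[0]))
    elif ports:                                        # bare "80": try tcp, then udp
        protocol = (PORT_TO_PROTOCOL.get(("tcp", ports[0]))
                    or PORT_TO_PROTOCOL.get(("udp", ports[0])))
    if protocol:
        return protocol, PROTOCOL_GROUPS[protocol], True
    # Unassigned: return a stable port-based name the operator can assign later.
    if ports:
        return f"{transport or 'tcp'}:{ports[0]}", UNASSIGNED, False
    return (names[0] if names else identifier), UNASSIGNED, False


def assign(protocol, group, transport=None, port=None):
    """The one-time assignment: name the protocol, put it in a group, bind a port."""
    PROTOCOL_GROUPS[protocol] = group
    if transport and port:
        PORT_TO_PROTOCOL[(transport, port)] = protocol


def unassigned_report(identifiers):
    """Count unassigned identifiers in a batch of log records, most common first."""
    return Counter(p for p, _, ok in map(normalise, identifiers) if not ok)


if __name__ == "__main__":
    sample = ["http:80", "tcp:80", "443/tcp", "tcp/http", "58714/tcp", "udp:5060"]
    for ident in sample:
        print(ident, "->", normalise(ident))
    print(unassigned_report(sample).most_common())
```

Records already in the database keep the identifier they were stored with, which is why, as the note above says, an assignment only changes reports for data received after it was made.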
Probable cause: Graphs are empty when no data is available.
Solution: If you have just started the server for the first time, wait at least one minute for the graphs to be populated.
Probable cause: Graphs are empty either because no traffic is passing through the firewall or because the firewall traffic is not yet sufficient to populate the reports table of Firewall Analyzer.
Solution: When Firewall Analyzer is started for the first time, or is shut down and restarted, it waits until 5000 log records have been received before populating the reports table. After that, it populates the reports table every 7 minutes or on receipt of the next 5000 records, whichever comes first. You can check the number of records received with the "Packet Count" icon in the top right corner of the client UI; it lists details such as the number of logs received and the time of the last received log. Let the server run continuously until 5000 records have been collected, and do not stop and restart it in between.
Moreover, to view the already collected log records in the reports, do the following:
To view the Unused Rules reports, you need to configure Firewall Analyzer to fetch the rules from the device via Telnet or SSH; once this is configured the reports become available. Prefer SSH where the device supports it, since Telnet sends the device login credentials in clear text. This advanced feature is available only to Premium License users of Firewall Analyzer.
An example log is as follows:
id=leafirewall time="23Oct2006 9:49:30" action="encrypt" orig="testing" i/f_dir="inbound" i/f_name="eth-s4p1c0" has_accounting="1" product="VPN-1 & FireWall-1" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={C59340B0-6276-11DB-B086-00000000C2C2};mgmt=testing;date=1161594819;policy_name=RKR_Policy] " src="xxx.xxx.xxx.xxx" s_port="40555" dst="xxx.xxx.xxx.xxx" service="https" proto="tcp" rule="15" scheme:="IKE" dstkeyid="0x31b52e56" methods:="ESP: AES-256 + SHA1" peer gateway="mygateway" community="SECU" start_time="23Oct2006 9:49:30" segment_time="23Oct2006 9:49:30" elapsed="0:00:09" packets="3" bytes="180" client_inbound_packets="3" client_outbound_packets="0" server_inbound_packets="0" server_outbound_packets="3" client_inbound_bytes="180" client_outbound_bytes="0" server_inbound_bytes="0" server_outbound_bytes="360" client_inbound_interface="eth-s4p1c0" server_outbound_interface="eth-s3p1c0" __pos="7" __nsons="0" __p_dport="Unknown"
All received logs are stored in the <Firewall_Analyzer_Home>\server\default\archive\ directory. You can browse through those logs to troubleshoot the problem.
If you find VPN-related logs with other fields, send us the sample logs by uploading them to the following link:
http://bonitas.zohocorp.com/upload/index.jsp?to=fwanalyzer-support@manageengine.com
Firewall Analyzer looks for the resource attribute in the log.
An example log is as follows:
id=leafirewall time="16Aug2006 7:43:56" action="accept" orig="AHFW_1" i/f_dir="outbound" i/f_name="eth0" has_accounting="1" product="VPN-1 & FireWall-1" __policy_id_tag="product=VPN-1 & FireWall-1[db_tag={55E82635-247B-44B7-9E29-42EDE0F57E2C};mgmt=FW_MGMT;date=1155671079;policy_name=N2H2_Filtered] " rule="22" rule_uid="{5A131CD7-BCBA-4859-AB39-43594A24931A}" rule_name="HTTP Outbound" service_id="http" src="xxx.xxx.xxx.xxx" s_port="2624" dst="xxx.xxx.xxx.xxx" service="http" proto="tcp" xlatesrc="xxx.xxx.xxx.xxx" xlatesport="57700" xlatedport="Unknown" NAT_rulenum="94" NAT_addtnl_rulenum="internal" resource="http://www.yahoo.com/index.html" start_time="16Aug2006 7:43:56" segment_time="16Aug2006 7:43:56" elapsed="0:00:00" packets="11" bytes="1161" client_inbound_packets="6" client_outbound_packets="5" server_inbound_packets="5" server_outbound_packets="6" client_inbound_bytes="753" client_outbound_bytes="408" server_inbound_bytes="408" server_outbound_bytes="753" client_inbound_interface="eth0" client_outbound_interface="eth0" server_inbound_interface="eth1" server_outbound_interface="eth1" __pos="7" __nsons="0"
These files are stored in the conf or database directory.
Two kinds of VPN can be set up on Cisco firewalls, as described below.
1. Remote Host VPN: This is between a user's PC and the Cisco firewall. The user's PC can be anywhere on the Internet. Various technologies are used to accomplish this; Firewall Analyzer supports the following types.
IPSec: Firewall Analyzer supports IPSec remote host VPN on Cisco firewalls. The following are sample logs:
Cisco PIX:
20_12_2005_09_00_20:<166>Dec 20 2005 09:52:14: %PIX-6-109005: Authentication succeeded for user 'john' from xxx.xxx.xxx.xxx/0 to xxx.xxx.xxx.xxx/0 on interface outside
20_12_2005_09_00_20:<166>Dec 20 2005 09:52:16: %PIX-6-602301: sa created, (sa) sa_dest= xxx.xxx.xxx.xxx, sa_prot= 50, sa_spi= 0x1e01c9b1(503433649), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 46
20_12_2005_09_00_20:<166>Dec 20 2005 09:52:16: %PIX-6-602301: sa created, (sa) sa_dest= xxx.xxx.xxx.xxx, sa_prot= 50, sa_spi= 0x94e99fdc(2498338780), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 45
20_12_2005_09_00_20:<166>Dec 20 2005 09:55:24: %PIX-6-602302: deleting SA, (sa) sa_dest= xxx.xxx.xxx.xxx, sa_prot= 50, sa_spi= 0x1e01c9b1(503433649), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 46
20_12_2005_09_00_20:<166>Dec 20 2005 09:55:24: %PIX-6-602302: deleting SA, (sa) sa_dest= xxx.xxx.xxx.xxx, sa_prot= 50, sa_spi= 0x94e99fdc(2498338780), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 45
<166>:Apr 10 15:26:51 CDT: %PIX-vpn-6-602303: IPSEC: An inbound remote access SA (SPI= 0x2C4009CD) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= ARNOLD) has been created
<166>:Apr 10 22:13:21 CDT: %PIX-vpn-6-602304: IPSEC: An inbound remote access SA (SPI= 0xA57F6150) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= ARNOLD) has been deleted
<164>:Apr 10 20:13:23 CDT: %PIX-auth-4-113019: Group = TUMBUVPN, Username = ARNOLD, IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: IPSecOverUDP, Duration: 4h:46m:39s, Bytes xmt: 1270639, Bytes rcv: 4292608, Reason: User Requested
PPTP: Firewall Analyzer supports PPTP VPN between the Cisco firewall and a user's PC. The following are sample logs:
<133>Oct 20 2005 20:57:10: %PIX-6-603108: Built PPTP Tunnel at inside, tunnel-id = 25, remote-peer = xxx.xxx.xxx.xxx, virtual-interface = 1, client-dynamic-ip = xxx.xxx.xxx.xxx, username = king, MPPE-key-strength = number
<134>Oct 20 2005 20:58:01: %PIX-6-603109: Teardown PPPOE Tunnel at interface_name, tunnel-id = 25, remote-peer = xxx.xxx.xxx.xxx
<134>Oct 20 2005 20:53:21: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 26, remote_peer_ip is xxx.xxx.xxx.xxx, ppp_virtual_interface_id is 2, client_dynamic_ip is xxx.xxx.xxx.xxx, username is king, MPPE_key_strength is None
<134>Oct 20 2005 20:58:01: %PIX-6-603105: PPTP Tunnel deleted, tunnel_id = 26, remote_peer_ip = xxx.xxx.xxx.xxx
2. Site To Site VPN: This VPN connection is established between two firewalls. In most cases the tunnel was established before Firewall Analyzer was installed, and Cisco firewall logs give no indication of the traffic that passes through a Site To Site VPN tunnel. Firewall Analyzer therefore does not currently support this type of VPN connection.
Firewall Analyzer reports login/logout attempts by searching the Cisco firewall logs for message IDs such as 611101, 611102, 611103, 605004 and 605005. In case of any discrepancy, look at the logs available in the <Firewall_Analyzer_Home>\server\default\archive\ directory.
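The message-ID driven extraction described for the IPSec, PPTP and login/logout reports above, as an added example that is not Firewall Analyzer code. The IPSec and PPTP sample lines are the masked ones quoted on this page; the 611101 and 605004 lines are constructed, and their field layout is assumed from Cisco's syslog documentation. Field regexes and the report categories are the example's own choices.

```python
"""Added example, not Firewall Analyzer code: classify Cisco PIX syslog lines
by message ID (IPSec SA and session events, PPTP tunnel events, login/logout)
and extract the fields a VPN or login report needs.
"""
import re

# "%PIX-6-602301:", "%PIX-vpn-6-602303:", "%PIX-auth-4-113019:" all match.
PIX_HEADER = re.compile(r"%PIX-(?:[a-z]+-)?(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$", re.S)

# Message IDs named on this page -> (report kind, action). Others are skipped.
EVENTS = {
    "602301": ("ipsec", "sa_created"), "602302": ("ipsec", "sa_deleted"),
    "602303": ("ipsec", "ra_sa_created"), "602304": ("ipsec", "ra_sa_deleted"),
    "113019": ("remote_access", "session_end"),
    "603104": ("pptp", "tunnel_created"), "603105": ("pptp", "tunnel_deleted"),
    "603108": ("pptp", "tunnel_built"), "603109": ("pptp", "tunnel_teardown"),
    "611101": ("login", "auth_succeeded"), "611102": ("login", "auth_failed"),
    "611103": ("login", "logout"),
    "605004": ("login", "login_denied"), "605005": ("login", "login_permitted"),
}

# Field extractors covering the spellings seen in the sample lines (assumed for 6111xx/6050xx).
FIELD_PATTERNS = {
    "user": re.compile(r'(?:user\s*=\s*|Username\s*=\s*|username\s*(?:=|is)\s*|Uname:\s*|for user\s*"?)'
                       r"([A-Za-z0-9._-]+)"),
    "spi": re.compile(r"(?:sa_spi=\s*|SPI=\s*)(0x[0-9A-Fa-f]+)"),
    "tunnel_id": re.compile(r"tunnel[-_]id\s*(?:=|is)\s*(\d+)"),
    "duration": re.compile(r"Duration:\s*(\d+)h:(\d+)m:(\d+)s"),
    "bytes_xmt": re.compile(r"Bytes xmt:\s*(\d+)"),
    "bytes_rcv": re.compile(r"Bytes rcv:\s*(\d+)"),
    "reason": re.compile(r"Reason:\s*(.+)$"),
}


def parse_event(line):
    """Return an event dict for a report-relevant PIX line, or None."""
    m = PIX_HEADER.search(line)
    if not m or m.group("id") not in EVENTS:
        return None
    kind, action = EVENTS[m.group("id")]
    ev = {"id": m.group("id"), "kind": kind, "action": action}
    body = m.group("body")
    for name, pat in FIELD_PATTERNS.items():
        f = pat.search(body)
        if not f:
            continue
        if name == "duration":
            h, mi, s = map(int, f.groups())
            ev["duration_s"] = h * 3600 + mi * 60 + s
        elif name.startswith("bytes"):
            ev[name] = int(f.group(1))
        else:
            ev[name] = f.group(1).strip()
    return ev


SAMPLE = [
    # Masked lines quoted on this page (de-wrapped).
    "<166>Dec 20 2005 09:52:16: %PIX-6-602301: sa created, (sa) sa_dest= xxx.xxx.xxx.xxx, "
    "sa_prot= 50, sa_spi= 0x1e01c9b1(503433649), sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 46",
    "<166>:Apr 10 15:26:51 CDT: %PIX-vpn-6-602303: IPSEC: An inbound remote access SA "
    "(SPI= 0x2C4009CD) between xxx.xxx.xxx.xxx and xxx.xxx.xxx.xxx (user= ARNOLD) has been created",
    "<164>:Apr 10 20:13:23 CDT: %PIX-auth-4-113019: Group = TUMBUVPN, Username = ARNOLD, "
    "IP = xxx.xxx.xxx.xxx, Session disconnected. Session Type: IPSecOverUDP, Duration: 4h:46m:39s, "
    "Bytes xmt: 1270639, Bytes rcv: 4292608, Reason: User Requested",
    "<134>Oct 20 2005 20:53:21: %PIX-6-603104: PPTP Tunnel created, tunnel_id is 26, "
    "remote_peer_ip is xxx.xxx.xxx.xxx, ppp_virtual_interface_id is 2, "
    "client_dynamic_ip is xxx.xxx.xxx.xxx, username is king, MPPE_key_strength is None",
    # Constructed; layout of 611101 and 605004 assumed from Cisco documentation.
    "<166>Dec 20 2005 10:01:00: %PIX-6-611101: User authentication succeeded: Uname: john",
    '<164>Dec 20 2005 10:02:00: %PIX-4-605004: Login denied from 203.0.113.7/51000 '
    'to outside:198.51.100.1/ssh for user "admin"',
    # An ID outside the table is skipped, whatever it says.
    "<166>Dec 20 2005 09:52:14: %PIX-6-109005: Authentication succeeded for user 'john' "
    "from xxx.xxx.xxx.xxx/0 to xxx.xxx.xxx.xxx/0 on interface outside",
]


def session_summary(lines=SAMPLE):
    """Per-user totals over ended remote-access sessions, plus the skipped-line count."""
    totals, skipped = {}, 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            skipped += 1
        elif ev["action"] == "session_end":
            t = totals.setdefault(ev["user"], {"sessions": 0, "seconds": 0, "bytes": 0})
            t["sessions"] += 1
            t["seconds"] += ev["duration_s"]
            t["bytes"] += ev["bytes_xmt"] + ev["bytes_rcv"]
    return totals, skipped


if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_event(line))
    print(session_summary())
```

When a login or VPN report looks wrong, running the archived lines through parse_event shows immediately whether the message ID was one the report keys on and whether the user field was picked up from the spelling that particular firewall image uses.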
Firewall Analyzer searches for attributes such as virus= to generate the virus reports. An example log is given below.
id=firewall time="2005-06-13 20:48:37" fw=FGT4002803033009 pri=5 src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx src_int=n/a dst_int=n/a service=http status=passthrough from="n/a" to="n/a" file=trace.exe virus="Suspicious" msg="The file trace.exe is infected with Suspicious. ref http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=Suspicious.";
Firewall Analyzer searches for attributes such as attack= or attack_id= to generate the attack reports. An example log is given below.
17_08_2005_16_54_03:id=firewall time="2005-08-18 00:59:03" fw=FGT4002803033026 pri=1 attack_id=101974095 src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx src_port=110 dst_port=58714 src_int=n/a dst_int=n/a status=detected proto=6 service=58714/tcp msg="misc: MS.Outlook.GMT.BufferOverflow,repeated 2 times[Reference: http://www.fortinet.com/ids/ID101974095]";
Firewall Analyzer combines the values of fields such as dst/dstname and arg to form the complete URL. Check whether your firewall writes these fields, using the log files available under the <Firewall_Analyzer_Home>/server/default/archive/ directory. An example log is given below.
1902-01-16 08:52:47 Local0.Info 192.168.14.3 "id=firewall sn=0006B10C5210 time="2006-01-06 15:53:30 UTC" fw=myfirwall pri=6 src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx proto=tcp/http op=GET sent=1533 rcvd=512 result=200 dstname=c.microsoft.com arg=/trans_pixel.asp?source=msdn&TYPE=PV&p=library_en-us_cpguide_html&URI=%2flibrary%2ft
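All of the attribute-driven reports above, the Check Point ones (scheme:/methods: for VPN, resource for URL) and the WELF ones (virus=, attack_id=, dstname plus arg for URL), rest on one key=value parser that copes with quoted values containing spaces and '=' signs. The following added example is not Firewall Analyzer code; its sample records are abridged from the logs quoted on this page, and the choice of "http" as the URL scheme when the proto field does not say https is an assumption.

```python
"""Added example, not Firewall Analyzer code: parse key=value firewall logs
(WELF from FortiGate/SonicWall, Check Point accounting) and route each record
to the report its attributes select, building the URL where one applies.
"""
import re

# key=value where the value is "quoted" (may contain spaces and '=') or bare.
KV = re.compile(r'(?P<key>[^\s="]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]*))')


def parse_kv(line):
    """Parse one log line into a dict; tokens without '=' (syslog prefix) are skipped."""
    rec = {}
    for m in KV.finditer(line):
        val = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        rec[m.group("key")] = val.strip()
    return rec


def build_url(rec):
    """Check Point gives a complete 'resource'; WELF needs dstname (or dst) + arg."""
    if rec.get("resource"):
        return rec["resource"]
    host = rec.get("dstname") or rec.get("dst")
    if host and "arg" in rec:
        # Assumption: scheme taken from a proto like "tcp/https", default http.
        scheme = "https" if "https" in rec.get("proto", "") else "http"
        return f"{scheme}://{host}{rec['arg']}"
    return None


def classify(rec):
    """Report category, keyed on the attributes the FAQ says each report looks for."""
    if "virus" in rec:
        return "virus"
    if "attack" in rec or "attack_id" in rec:
        return "attack"
    if "scheme:" in rec or "methods:" in rec:
        return "vpn"
    if build_url(rec):
        return "url"
    return "traffic"


def report(lines):
    """Group parsed records by the report they feed."""
    out = {}
    for line in lines:
        rec = parse_kv(line)
        out.setdefault(classify(rec), []).append(rec)
    return out


SAMPLE_LINES = [  # abridged from the logs quoted on this page
    'id=leafirewall time="23Oct2006 9:49:30" action="encrypt" orig="testing" i/f_dir="inbound" '
    'i/f_name="eth-s4p1c0" product="VPN-1 & FireWall-1" __policy_id_tag="product=VPN-1 & FireWall-1'
    '[db_tag={C59340B0-6276-11DB-B086-00000000C2C2};mgmt=testing;policy_name=RKR_Policy] " '
    'src="xxx.xxx.xxx.xxx" s_port="40555" dst="xxx.xxx.xxx.xxx" service="https" proto="tcp" rule="15" '
    'scheme:="IKE" methods:="ESP: AES-256 + SHA1" peer gateway="mygateway" community="SECU" bytes="180"',
    'id=leafirewall time="16Aug2006 7:43:56" action="accept" orig="AHFW_1" i/f_dir="outbound" '
    'i/f_name="eth0" rule="22" rule_name="HTTP Outbound" src="xxx.xxx.xxx.xxx" s_port="2624" '
    'dst="xxx.xxx.xxx.xxx" service="http" proto="tcp" resource="http://www.yahoo.com/index.html" '
    'packets="11" bytes="1161"',
    'id=firewall time="2005-06-13 20:48:37" fw=FGT4002803033009 pri=5 src=xxx.xxx.xxx.xxx '
    'dst=xxx.xxx.xxx.xxx service=http status=passthrough from="n/a" to="n/a" file=trace.exe '
    'virus="Suspicious" msg="The file trace.exe is infected with Suspicious."',
    'id=firewall time="2005-08-18 00:59:03" fw=FGT4002803033026 pri=1 attack_id=101974095 '
    'src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx src_port=110 dst_port=58714 status=detected proto=6 '
    'service=58714/tcp msg="misc: MS.Outlook.GMT.BufferOverflow,repeated 2 times"',
    '2006-01-06 08:52:47 Local0.Info 192.168.14.3 id=firewall sn=0006B10C5210 '
    'time="2006-01-06 15:53:30 UTC" fw=myfirwall pri=6 src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx '
    'proto=tcp/http op=GET sent=1533 rcvd=512 result=200 dstname=c.microsoft.com '
    'arg=/trans_pixel.asp?source=msdn&TYPE=PV',
]


if __name__ == "__main__":
    for category, recs in report(SAMPLE_LINES).items():
        for rec in recs:
            print(category, build_url(rec) or rec.get("msg") or rec.get("service"))
```

A record with a leading syslog timestamp and facility passes through unchanged because those tokens carry no '=', and a Check Point key such as "i/f_dir" or "scheme:" is kept verbatim, which is what makes the lookup in classify exact rather than fuzzy.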
For FortiGate firewalls, device_id is used as the resource (device) name in Firewall Analyzer. In High Availability mode, even though the active and standby firewalls have the same devname, their device_id values differ, so Firewall Analyzer displays them as two devices. To avoid this, configure the device name (devname) of the standby firewall to be the device_id of the active firewall.
Example:
Active Firewall log: <189>date=2011-09-28 time=13:14:58 devname=DSAC456Z4 device_id=FGT80G3419623587 log_id=0021000002
Standby Firewall log: <188>date=2011-09-28 time=13:14:59 devname=FGT80G3419623587 device_id=FGT80G4534717432 log_id=0022000003