Configuring Stonesoft Firewall
Firewall Analyzer supports Stonesoft Firewall 5.5
Configuring Stonesoft firewall to send syslog to Firewall Analyzer
- Stop the Stonesoft log server service
- Open LogServerConfiguration.txt in the Stonesoft installation directory
- Change the attributes below:
  - Syslog export format attribute: set it to CEF
  - Syslog port attribute: the default UDP port is 514; retain it
  - Syslog server attribute: the IPv4 address of the Firewall Analyzer server
To set the logging options for access rules
- Start the Stonesoft log server service
- Log in to the Stonesoft firewall's GUI
- Enable Log Accounting Information on the rules. This provides both connection opening and closing logs
- Go to the IPv4 tab and edit the access rules
- Double-click the Logging cell. The logging options dialog opens.
- Set the options as explained in the table below
| Option | Description |
| --- | --- |
| | No log entries are created when connections are closed |
| | Both connection opening and closing are logged, but no information is collected on the volume of traffic |
| Log Accounting Information | Both connection opening and closing are logged and information on the volume of traffic is collected. This option is not available for rules that issue Alerts. |

If you want to create reports that are based on traffic volume, you must select Log Accounting Information for all rules that allow the traffic you want to include in the reports.
The Stonesoft firewall will now send syslog data to Firewall Analyzer.
How to enable IPS logging?
Change the SYSLOG_EXPORT_IPS attribute value to YES (the default setting is NO).
Restart the log server.
How to enable URL logging?
To enable deep inspection on an access rule that uses the HTTP protocol, right-click the Action cell, select Edit Options, and under the Connection Tracking tab select 'Override Inspection Options Set With Continue Rules' and then 'Deep Inspection'.
URL logging in Stonesoft firewall is controlled with 'Logging of accessed URLs' setting on HTTP service protocol parameters. If you enable this, accessed URLs are logged.
If the HTTP connection matches an access rule that uses an HTTP service with URL logging enabled but deep inspection disabled, the URL is written to the 'Information Message' field of an 'HTTP_URL-Logged' type log entry.
If the HTTP connection matches an access rule that uses an HTTP service with URL logging enabled and deep inspection enabled, the URL is written to two fields, 'HTTP Request Host' and 'HTTP Request URI'. The first contains the accessed host name (e.g., www.example.com) and the second the URI accessed (e.g., /something/here/page.php), which means that the accessed address was www.example.com/something/here/page.php.
The 'Information Message' field is a firewall log entry field and is already imported in the eScope configuration, because INFO_MSG is one of the fields defined in the syslog config file:
<version> 1 </version>
<name>Export list - Default</name>
<fieldref> INFO_MSG </fieldref>
'HTTP Request Host' and 'HTTP Request URI' are IPS log entry fields generated by deep inspection. They are currently not set as exported fields in the eScope configuration, but can be added to the list of exportable fields in the default_syslog_conf.xml file:
<fieldref> HTTP_REQUEST_HOST </fieldref>
<fieldref> HTTP_REQUEST_URI </fieldref>
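The following is an added example, not code from the Stonesoft or Firewall Analyzer products, showing how a consumer of the exported CEF syslog would recover the accessed URL in both cases described above: the two-field form produced by deep inspection, and the 'Information Message' form of an 'HTTP_URL-Logged' entry when deep inspection is off. The log lines are constructed for illustration; it is assumed that the exported extension keys carry the same names as the fieldrefs above (HTTP_REQUEST_HOST, HTTP_REQUEST_URI, INFO_MSG) and the signature IDs are placeholders.

```python
import re

# Constructed sample CEF entries (not real Stonesoft output). Extension keys are assumed
# to match the fieldref names in default_syslog_conf.xml; signature IDs are placeholders.
SAMPLE_LOGS = [
    # deep inspection on: host and URI exported as two separate fields
    "CEF:0|Stonesoft|Firewall|5.5|EX-1|Connection_Allowed|3|src=10.0.0.5 dst=93.184.216.34 "
    "HTTP_REQUEST_HOST=www.example.com HTTP_REQUEST_URI=/something/here/page.php",
    # deep inspection off: whole URL only in the Information Message ('=' is CEF-escaped as '\=')
    "CEF:0|Stonesoft|Firewall|5.5|EX-2|HTTP_URL-Logged|3|src=10.0.0.7 dst=93.184.216.34 "
    "INFO_MSG=www.example.com/a\\=b/page.php",
    # non-HTTP connection: no URL at all
    "CEF:0|Stonesoft|Firewall|5.5|EX-1|Connection_Allowed|3|src=10.0.0.9 dst=10.0.0.1 proto=6",
]

HEADER_FIELDS = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]


def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of extension key=value pairs.
    Header fields are '|'-separated ('\\|' is a literal pipe); extension values may contain
    '\\=' and '\\\\' escapes, which are decoded here."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    entry = dict(zip(HEADER_FIELDS, [p.replace("\\|", "|") for p in parts[:7]]))
    entry["version"] = entry["version"][len("CEF:"):]
    ext = {}
    # A key is a run of non-space, non-'=' characters followed by an unescaped '='; its value
    # runs (escapes allowed) until the next such key or the end of the line.
    for m in re.finditer(r"(?:^|\s)([^\s=]+)=((?:\\.|[^\\])*?)(?=\s+[^\s=]+=|$)", parts[7]):
        ext[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    entry["ext"] = ext
    return entry


def accessed_url(entry):
    """Return the URL the connection accessed, or None if the entry carries no URL."""
    ext = entry["ext"]
    if "HTTP_REQUEST_HOST" in ext and "HTTP_REQUEST_URI" in ext:
        return ext["HTTP_REQUEST_HOST"] + ext["HTTP_REQUEST_URI"]  # deep inspection case
    if entry["name"] == "HTTP_URL-Logged" and "INFO_MSG" in ext:
        return ext["INFO_MSG"]  # URL logging without deep inspection
    return None


def urls_from_logs(lines):
    """Return (source address, accessed URL) for every entry that logged a URL."""
    out = []
    for entry in map(parse_cef, lines):
        url = accessed_url(entry)
        if url:
            out.append((entry["ext"].get("src"), url))
    return out


if __name__ == "__main__":
    for src, url in urls_from_logs(SAMPLE_LOGS):
        print(src, url)
```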