Integrate Sophos XG Firewall
EventTracker v8.x and above

Publication Date: October 29, 2018

Abstract

This guide provides instructions to configure Sophos XG Firewall to send crucial events to EventTracker Enterprise by means of syslog.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 8.x and later, and Sophos XG Firewall version 15.x-17.x.

Audience

Sophos XG Firewall users who wish to forward its events to EventTracker Manager and monitor them using EventTracker Enterprise.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
  Scope
  Audience
Overview
Prerequisites
Enable Syslog Forwarding in Sophos XG Firewall
EventTracker Knowledge Pack
  Categories
  Alerts
  Flex Reports
Import Sophos XG Firewall Knowledge Pack into EventTracker
  Import Category
  Import Alerts
  Import Knowledge Object
  Token Template
  Import Flex Reports
Verify Sophos XG Firewall Knowledge Pack
  Verify Categories
  Verify Alerts
  Verify Knowledge Object
  Token Template
  Verify Flex Reports
Create Dashboards in EventTracker
  Schedule Reports
  Create Dashlets
Sample Dashboards

Overview

Sophos Firewall combines the best of both Sophos and Cyberoam technology, delivering an unprecedented level of innovation to next-generation firewalls. With an all-new user interface, new Security Heartbeat technology, and a powerful new unified policy model, it introduces many important innovations that take simplicity, protection, and performance to a whole new level. Sophos Firewall OS runs on all existing Sophos SG Series and Cyberoam NG Series hardware and is available for a variety of virtual platforms or as a software appliance.

EventTracker collects and analyses firewall events and informs an administrator about security violations, user behavior, and traffic anomalies.

Prerequisites

EventTracker should be installed.

Sophos XG Firewall version 15.x-17.x should be installed.

Enable Syslog Forwarding in Sophos XG Firewall

1. Navigate to System > System Services > Log Settings and click Add under the Syslog Servers section.

2. Enter server details.

Name: Enter a unique name for the syslog server.

IP Address / Domain: Enter the EventTracker Manager IP Address.

Port: Enter Port number 514, UDP protocol.

Facility: Select the syslog facility for logs to be sent to the syslog server. The facility, which is defined by the syslog protocol, indicates to the syslog server the source of a log, such as the operating system, a process, or an application. The device supports several syslog facilities for received logs.

Figure 1

Note: You can configure a maximum of five syslog servers.

3. Click Save.

Once you add the server, go to the System > System Services > Log Settings page and, in the Log Settings section, enable all the logs that are to be sent to the syslog server.

IPS

Anti-Virus

Anti-Spam

Content Filtering

Events

Sandbox

ATP

Web Server Protection

System Health
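
A collector-side check for the forwarding configured above, as an added example that is not part of the original guide or of EventTracker's tooling: it parses Sophos-style key=value syslog lines, decodes the facility from the priority prefix, reports which enabled log modules have not yet been seen, and tallies failed logins by user and source IP. The field names, the log_type values and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs: a value is either "quoted" or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PRI = re.compile(r"^<(\d{1,3})>")  # syslog priority = facility * 8 + severity

# Assumed log_type values for the modules enabled under Log Settings;
# adjust to what your firmware version actually emits.
EXPECTED_TYPES = {"IDP", "Anti-Virus", "Anti-Spam", "Content Filtering",
                  "Event", "Sandbox", "ATP", "WAF", "System Health"}

# Constructed sample messages (not captured from a real device).
SAMPLE = [
    '<30>device="SFW" date=2018-10-29 time=10:15:02 timezone="UTC" '
    'device_name="XG-EXAMPLE" log_type="Event" log_component="GUI" '
    'log_subtype="Admin" status="Failed" priority=Notice user_name="admin" '
    'src_ip=198.51.100.7 message="User admin failed to login to Web Admin Console"',
    '<30>device="SFW" date=2018-10-29 time=10:15:09 timezone="UTC" '
    'device_name="XG-EXAMPLE" log_type="Event" log_component="GUI" '
    'log_subtype="Admin" status="Failed" priority=Notice user_name="admin" '
    'src_ip=198.51.100.7 message="User admin failed to login to Web Admin Console"',
    '<30>device="SFW" date=2018-10-29 time=10:16:40 timezone="UTC" '
    'device_name="XG-EXAMPLE" log_type="Event" log_component="GUI" '
    'log_subtype="Admin" status="Successful" priority=Information '
    'user_name="admin" src_ip=192.0.2.15 message="User admin logged in"',
    '<30>device="SFW" date=2018-10-29 time=10:20:11 timezone="UTC" '
    'device_name="XG-EXAMPLE" log_type="Event" '
    'log_component="SSL VPN Authentication" log_subtype="Authentication" '
    'status="Failed" priority=Notice user_name="jdoe" src_ip=203.0.113.20 '
    'message="User jdoe failed to login to SSL VPN"',
    '<30>device="SFW" date=2018-10-29 time=10:21:55 timezone="UTC" '
    'device_name="XG-EXAMPLE" log_type="IDP" log_component="Signatures" '
    'log_subtype="Drop" priority=Warning src_ip=203.0.113.9 dst_ip=192.0.2.10 '
    'message="constructed signature name"',
]


def parse_line(line):
    """Return the fields of one message, plus _facility and _severity."""
    fields = {}
    m = PRI.match(line)
    if m:
        fields["_facility"], fields["_severity"] = divmod(int(m.group(1)), 8)
        line = line[m.end():]
    for key, quoted, bare in PAIR.findall(line):
        # Keep the first occurrence of a key so a later duplicate cannot overwrite it.
        fields.setdefault(key, bare or quoted)
    return fields


def missing_log_types(events, expected=EXPECTED_TYPES):
    """Log modules that were enabled but have produced no message so far."""
    seen = {e.get("log_type") for e in events}
    return sorted(expected - seen)


def login_failures(events, component=None):
    """Count failed logins per (user_name, src_ip); optionally filter by component."""
    counts = Counter()
    for e in events:
        if e.get("log_type") != "Event" or e.get("status") != "Failed":
            continue
        if e.get("log_subtype") not in ("Admin", "Authentication"):
            continue
        if component and component not in e.get("log_component", ""):
            continue
        counts[(e.get("user_name", "?"), e.get("src_ip", "?"))] += 1
    return counts


if __name__ == "__main__":
    events = [parse_line(line) for line in SAMPLE]
    print("facility of first message:", events[0]["_facility"])
    print("modules not yet seen:", missing_log_types(events))
    for (user, ip), n in login_failures(events).most_common():
        print(f"{n} failed login(s) for {user} from {ip}")
```

A module that stays in the "not yet seen" list after it should have produced traffic points at a log that was not enabled in Log Settings, or at UDP 514 being dropped between the firewall and the EventTracker Manager.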

EventTracker Knowledge Pack

Once logs are received in EventTracker, categories and reports can be configured in EventTracker.

The following Knowledge Packs are available in EventTracker Enterprise to support Windows.

Categories

Sophos XG Firewall- Admin activities - This category-based report provides information related to all admin activities.

Sophos XG Firewall- Admin login and logout - This category-based report provides information related to all admin login and logout activity.

Sophos XG Firewall- Advanced threat protection - This category-based report provides information related to all threats detected by the Sophos Firewall.

Sophos XG Firewall- Allowed and denied traffic - This category-based report provides information related to all traffic that is allowed and denied by the Sophos Firewall.

Sophos XG Firewall- Content filtering - This category-based report provides information related to all content filtering done by the Sophos Firewall.

Sophos XG Firewall- Firewall login and logout - This category-based report provides information related to all firewall login and logout activity.

Sophos XG Firewall- Firewall login failures - This category-based report provides information related to all firewall login failures.

Sophos XG Firewall- IPS attack detection - This category-based report provides information related to all IPS attacks detected by the Sophos Firewall.

Sophos XG Firewall- Sandbox activities - This category-based report provides information related to all sandbox activities.

Sophos XG Firewall- Security policy events - This category-based report provides information related to all security policy events.

Sophos XG Firewall- Spam detection - This category-based report provides information related to all spam detected by the Sophos Firewall.

Sophos XG Firewall- System health - This category-based report provides information related to the system health status.

Sophos XG Firewall- Virus detection - This category-based report provides information related to all viruses detected by the Sophos Firewall.

Sophos XG Firewall- VPN login and logout - This category-based report provides information related to all VPN login and logout activity.

Sophos XG Firewall- VPN login failures - This category-based report provides information related to all VPN login failures.

Sophos XG Firewall- WAF allowed and blocked traffic - This category-based report provides information related to all traffic that is allowed and denied by the Sophos Firewall.

Alerts

Sophos XG Firewall: Advanced threat protection: This alert is generated when a threat is detected by the Sophos Firewall.

Sophos XG Firewall: Firewall login failures: This alert is generated when a firewall login attempt fails.

Sophos XG Firewall: IPS attack detection: This alert is generated when any IPS attack is detected by the Sophos Firewall.

Sophos XG Firewall: Virus detection: This alert is generated when any virus is detected by the Sophos Firewall.

Sophos XG Firewall: VPN login failures: This alert is generated when a VPN login attempt fails.

Flex Reports

Sophos XG Firewall- Admin activities - This report provides information related to all admin activities.

Logs Considered:

Sophos XG Firewall- Admin login and logout - This report provides information related to all admin login and logout activity.

Logs Considered:

Sophos XG Firewall- Advanced threat protection - This report provides information related to all threats detected by the Sophos Firewall.

Logs Considered:

Sophos XG Firewall- Allowed and denied traffic - This report provides information related to all traffic that is allowed and denied by the Sophos Firewall.

Logs Considered:

Sophos XG Firewall- Content filtering - This report provides information related to all content filtering done by the Sophos Firewall.

Logs Considered:

Sophos XG Firewall- Firewall login and logout - This report provides information related to all firewall login and logout activity.

Logs Considered:

Sophos XG Firewall- Firewall login failures - This report provides information related to all firewall login failures.

Logs Considered:

Sophos XG Firewall- IPS attack detection - This report provides information related to all IPS attacks detected by the Sophos Firewall.

Logs Considered:

Sophos XG Firewall- Sandbox activities - This report provides information related to all sandbox activities.

Logs Considered:

Sophos XG Firewall- Security policy events - This report provides information related to all security policy events.

Logs Considered:

Sophos XG Firewall- Spam detection - This report provides information related to all spam detected by the Sophos Firewall.

Logs Considered:

Sophos XG Firewall- System health - This report provides information related to the system health status.

Logs Considered:

Sophos XG Firewall- Virus detection - This report provides information related to all viruses detected by the Sophos Firewall.

Logs Considered:

Sophos XG Firewall- VPN login and logout - This report provides information related to all VPN login and logout activity.

Logs Considered:

Sophos XG Firewall- VPN login failures - This report provides information related to all VPN login failures.

Logs Considered:

Sophos XG Firewall- WAF allowed and blocked traffic - This report provides information related to all traffic that is allowed and denied by the Sophos Firewall.

Logs Considered:

Import Sophos XG Firewall Knowledge Pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

Categories

Knowledge Objects

Alerts

Token Templates

Flex Reports

NOTE: Export knowledge pack items in the following sequence:

Categories

Knowledge Objects

Alerts

Token Templates

Flex Reports

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility, and then click the Import tab.

Figure 2

Import Category

1. Click Category option, and then click the browse button.

Figure 3

2. Locate Sophos XG Firewall_Categories.iscat file, and then click the Open button.

3. To import categories, click the Import button.

4. EventTracker displays success message.

Figure 4

5. Click OK, and then click the Close button.

Import Alerts

1. Click Alert option, and then click the browse button.

Figure 5

2. Locate Sophos XG Firewall Alerts.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

4. EventTracker displays success message.

Figure 6

5. Click the OK button, and then click the Close button.

Import Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.

2. Click on ‘Import’ option.

Figure 7

3. In IMPORT pane click on Browse button.

Figure 8

4. Locate Sophos XG Firewall_Knowledge objects.etko file, and then click the UPLOAD button.

Figure 9

5. Now select the check box and then click on ‘OVERWRITE’ option.

EventTracker displays success message.

Figure 10

6. Click on OK button.

Token Template

1. Click the Admin menu, and then click Parsing rule.

2. Select Template tab, and then click on ‘Import’ option.

3. Click on Browse button.

Figure 11

4. Locate Sophos XG Firewall Templates.ettd file, and then click the Open button.

Figure 12

5. Now select the check box and then click on ‘Import’ option.

EventTracker displays success message.

Figure 13

6. Click on OK button.

Import Flex Reports

1. Click Reports option, and then click the ‘browse’ button.

2. Locate applicable Sophos XG Firewall Reports.etcrx file, and then click the Open button.

Figure 14

3. To import scheduled reports, click the Import button.

Figure 15

4. EventTracker displays success message.

Figure 16

5. Click OK, and then click the Close button.

Verify Sophos XG Firewall Knowledge Pack

Verify Categories

1. Log on to EventTracker Enterprise.

2. Click the Admin menu, and then click Category.

3. In the Category Tree, scroll down and expand the ‘Sophos XG Firewall’ group folder to view the imported categories.

Figure 17

Verify Alerts

1. Log on to EventTracker Enterprise.

2. Click the Admin menu, and then click Alerts.

3. In the Search box, type ‘Sophos XG Firewall’, and then click the Go button.

Alert Management page will display all the imported alerts.

Figure 18

4. To activate the imported alerts, select the respective checkbox in the Active column.

EventTracker displays message box.

Figure 19

5. Click OK, and then click the Activate Now button.

NOTE: Please specify appropriate systems in alert configuration for better performance.

Verify Knowledge Object

1. Click the Admin menu, and then click Knowledge Objects.

2. Scroll down and select Sophos XG Firewall in Objects pane.

Imported Sophos XG Firewall details are shown.

Figure 20

Token Template

1. Log on to EventTracker Enterprise web interface.

2. Click the Admin menu, and then click Parsing Rules and click Template.

3. Click on Sophos XG Firewall group option.

Figure 21

Verify Flex Reports

1. Log on to EventTracker Enterprise.

2. Click the Reports menu, and then Configuration.

3. Select Defined in report type.

4. In the Report Groups Tree, scroll down and click the Sophos XG Firewall group folder to view the imported Scheduled Reports.

Scheduled Reports are displayed in the Reports configuration pane.

Figure 22

NOTE: Please specify appropriate systems in report wizard for better performance.

Create Dashboards in EventTracker

Schedule Reports

1. Open EventTracker in browser and logon.

Figure 23

2. Navigate to Reports>Configuration.

Figure 24

3. Select Sophos XG Firewall in report groups. Check defined dialog box.

4. Click on ‘schedule’ to plan a report for later execution.

Figure 25

5. Choose an appropriate time for report execution and, in Step 8, check the Persist data in Eventvault explorer box.

Figure 26

6. Check the column names to persist using the PERSIST checkboxes beside them. Choose a suitable Retention period.

7. Proceed to next step and click Schedule button.

8. Wait for scheduled time or generate report manually.

Create Dashlets

1. EventTracker 8 is required to configure flex dashboard.

2. Open EventTracker in browser and logon.

Figure 27

3. Navigate to Dashboard>Flex.

Flex Dashboard pane is shown.

Figure 28

4. Click to add a new dashboard.

Flex Dashboard configuration pane is shown.

Figure 29

5. Enter a suitable title and description, and click the Save button.

6. Click to configure a new flex dashlet.

Widget configuration pane is shown.

Figure 30

7. Locate earlier scheduled report in Data Source dropdown.

8. Select Chart Type from dropdown.

9. Select extent of data to be displayed in Duration dropdown.

10. Select computation type in Value Field Setting dropdown.

11. Select evaluation duration in As Of dropdown.

12. Select comparable values in X Axis with suitable label.

13. Select numeric values in Y Axis with suitable label.

14. Select comparable sequence in Legend.

15. Click Test button to evaluate.

Evaluated chart is shown.

Figure 31

16. If satisfied, click the Configure button.

17. Click ‘customize’ to locate and choose created dashlet.

18. Click to add dashlet to earlier created dashboard.

Sample Dashboards

REPORT: Sophos XG Firewall- Advanced threat protection
WIDGET TITLE: Sophos XG Firewall- Advanced threat protection
CHART TYPE: Pie
AXIS LABELS [X-AXIS]: Threat Name
LEGEND [SERIES]: Source IP Address

REPORT: Sophos XG Firewall- IPS attack detection
WIDGET TITLE: Sophos XG Firewall- IPS attack detection
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: Signature Message
LEGEND [SERIES]: Source IP Address

REPORT: Sophos XG Firewall- Spam detection
WIDGET TITLE: Sophos XG Firewall- Spam detection
CHART TYPE: Stacked Column
AXIS LABELS [X-AXIS]: Spam Action
LEGEND [SERIES]: Sender Address

REPORT: Sophos XG Firewall- Virus detection
WIDGET TITLE: Sophos XG Firewall- Virus detection
CHART TYPE: Pie
AXIS LABELS [X-AXIS]: Virus Name
LEGEND [SERIES]: Source IP Address

REPORT: Sophos XG Firewall- Firewall login failures
WIDGET TITLE: Sophos XG Firewall- Firewall login failures
CHART TYPE: Donut
AXIS LABELS [X-AXIS]: User Name
LEGEND [SERIES]: Source IP Address

REPORT: Sophos XG Firewall- VPN login failures
WIDGET TITLE: Sophos XG Firewall- VPN login failures
CHART TYPE: Pie
AXIS LABELS [X-AXIS]: User Name
LEGEND [SERIES]: Source IP Address