NETASQ EVENT REPORTER V.9 USER MANUAL
Contents
1. Figure 9: Filters. The selection of this option enables you to constitute data filters on each column. When you activate this option, an arrow pointing downwards appears at the far right of the columns. By selecting one of the pre-entered values or entering a value of your own choice, you automatically limit the table data to those corresponding to the filter on the selected column. Then the arrow turns navy blue and the actual filter appears at the bottom of the table. A white cross enables you to delete all the active filters at once. 2.1.5 Result display zone. Data and options from the selected menus appear in this zone in the form of graphs or tables. NOTE: These windows will be explained in further detail in the corresponding chapters. USER MANUAL NETASQ we secure IT 2.1.6 Status bar. Figure 10: Status bar. This bar comprises 5 information zones: a text zone displaying Reporter's activity in real time; a progress bar allowing an estimate of the duration of the operation; a zone displaying the application's status, whether processing is in progress or not (respectively blue or green); an icon displaying the status of the connection with the firewall. 2.1.7 Action bar. Figure 11: Action bar. 2.1.7.1 Columns. Customize: The columns of the table may be moved around, removed or
2. Media: Indicates the type of media (control, audio, video, etc.). Caller: Indicates the caller. Callee: Indicates the party being called, i.e. callee. 3.3.2.1 Context. Configuration id: configuration ID. 3.3.2.2 Translation (NAT). Source address, Source port, Destination orig, Destination port orig. 3.3.2.3 Content policy. Policy ID: identifier of configuration policy in force. 3.3.3 Sorting by columns. Logs are displayed in a table that has certain properties which enhance data reading. Firstly, it is possible to sort the data according to type (alphabetical, date, bytes, etc.) in ascending or descending order. In order to do so, click on the header of the column selected. An arrow pointing upwards or downwards enables you to confirm that the sorting has been carried out. A grouping system in the form of nodes enables you to isolate the data requested. A drop zone is placed above the table; it reads as follows: "Drag a column header here to group by that column". In order to group together the data of any one column, select the header of the column and drag it into this zone. The table will then change its form. The grouped column appears in the drop zone and the table displays the values resulting from this grouping in the form of nodes. A "+" sign appears in front of the group values, enabling the expansion of the nodes. It is thus possible to group data together within the
3. s time zone at midnight he will see whether the firewall has been configured as it should be in the London timezone. 2.2 DESCRIPTION OF THE MENU BAR. 2.2.1 File menu. The File menu allows the following: Open: Enables connecting directly to a Firewall via its protocol. 2.2.2 Applications menu. The Applications menu enables connecting to other applications in the NETASQ Administration Suite. Use these shortcuts instead of having to re-authenticate each time on each application. Launch NETASQ REAL TIME MONITOR: Enables opening the NETASQ REAL TIME MONITOR application from the NETASQ Administration Suite. Launch NETASQ UNIFIED MANAGER: Enables opening the NETASQ UNIFIED MANAGER application from the NETASQ Administration Suite in Global Administration mode. Arrange icons: Enables the organization of icons representing the Firewalls. Cascade: Cascades the windows connected to Firewall. Tile vertical: Enables vertically organizing windows which have not been reduced to icons. 2.2.4 menu help. Help: Displays a screen that accesses documentation in your secure access area on NETASQ's website. License: Enables retrieving a new downloaded license from a directory. REPORTER: In the professional version, information on the REPORTER license is found here: license version organization n
4. 1.2 CONNECTION. 1.2.1 Access. There are 2 ways to launch the NETASQ EVENT REPORTER application: (1) Via the shortcut Applications / Launch NETASQ EVENT REPORTER in the menu bar on other applications in the Administration Suite. If this is your very first time connecting to your product, a message will prompt you to confirm the serial number (found on the underside of the appliance). (2) Via the menu Start / Programs / NETASQ Administration Suite 9.0 / NETASQ Event Reporter. A connection window or the main window will open. Figure 1: Connection. 1.2.2 Connection. In the window Connection, you can select how you wish to view data. When NETASQ EVENT REPORTER is executed from the Windows menu, Windows will check whether there is an address book. Thi
5. NETASQ will not be held responsible for any error in this document or for any resulting consequence. Acceptance of terms: By opening the product wrapping or by installing the administration software, you will be agreeing to be bound by all the terms and restrictions of this License Agreement. License: NETASQ hereby grants, and you accept, a non-exclusive, non-transferable license only to use the object code of the Product. You may not copy the software and any documentation associated with the Product, in whole or in part. You acknowledge that the source code of the Product, and the concepts and ideas incorporated by this Product, are valuable intellectual property of NETASQ. You agree not to copy the Product, nor attempt to decipher, reverse translate, de-compile, disassemble or create derivative works based on the Product or any part thereof, or develop any other product containing any of the concepts and ideas contained in the Product. You will be held liable for damages with interests therein in favor of NETASQ in any contravention of this agreement. Limited warranty and limitation of liability: a) Hardware: NETASQ warrants its Hardware products ("Hardware") to be free of defects in materials and workmanship for a period of one year, in effect at the time the Purchaser order is accepted. This period begins with effect from the date on which the product is activated. b) Software: NETASQ Software produ
6. Percentage of CPU up to 100. Figure 16: Graphs. 3.2.2 Customizing. When you select the Graphs menu in the directory, the customization screen will appear at the same time as the graphs. You may close this screen at any time. TIP: Click on the graph zone to open the window Customize graph again if you have closed it. 3.2.2.1 Security indicators and system events. 3.2.2.1.1 Security. The security indicator is linked to the monitoring of alarm and events relating to the ASQ kernel. The security indicator is weighted in several elements: Minor alarms: indicators of the number of minor alarms; Major alarms: indicators of the number of major alarms; ASQ memory: indicators of the amount of ASQ memory left. The display of these indicators is based on the weighting of system events in relation to each other in order to present a coherent status of the Firewall (major alarms will have more weight than minor alarms). 3.2.2.1.2 System events. System indicators are linked to the monitoring of events relating to Ethernet interfaces supported by the Firewall processor. System indicators concern: Logs: indicators relating to the occupation of space allocated to logs; Ethernet: indicators relating to interface connectivity; CPU: indicators relating to the load of the Firewall processor; HA: indicators relating to the high availability set up i
7. This option enables you to select the columns you wish to display. A window comprising two tabs then appears, enabling you to manage column headers and the columns. To add or delete a column from the table, all you have to do is select the group of columns or column and drag it either into the table or into the tools window. Show totals: Subtotaling of packet volumes (sent, received, duration) for all logs viewed. When you perform a sort by dragging and dropping a column, a sub-total per sort may be viewed. 2.1.7.2 Print. With this option you are able to access a print preview menu. 2.1.7.3 Export. Displayed data may be exported for it to be used in other environments. A Wizard will assist you in this process (see Chapter 6, Data Export). 2.1.7.4 See time. This option allows you to automatically calculate the date and time of the logs displayed in Reporter according to different time zones, depending on: Your computer's time zone; The Firewall's time zone; GMT. Thus the date and time vary according to the option selected from those indicated above. Logs from a firewall in London (GMT) can therefore be consulted on a workstation in Paris (GMT+1). Example: An antispam update event was detected at midnight London time. If the user selects the option Your computer's time zone, he will see this event at 1:00 a.m. Paris time. However, if he selects the option The Firewall
8. the logs will be loaded in cache and a browsing system will enable the display of 15 000 lines per page each time (only in the case of logs directly downloaded from a Firewall). Example: You have indicated that you wish to load a maximum of 500 log lines per page for the firewall. If the number of lines exceeds this number, the button will become Page 1 2. REMARK: This only applies to logs that have been directly downloaded from a Firewall. 2.3.3 Tools tab. Figure 14: General options, Tools tab. 2.3.3.1 Packet analyzer. When an alarm is raised on a NETASQ Firewall, the packet that set off the alarm can be viewed. You will need a packet viewer such as Wireshark or Packetyzer to do this. Specify the viewer to be used in the Packet analyzer field so that Reporter can use it to display malicious packets. 2.3.3.2 URL to submit a category. Administrators of NETASQ UTM appliances cannot edit listed and categorized URL groups. However, certain URLs may turn out to be wrongly categorized or are not in the list of URLs categorized by NETASQ. To add URLs to the list of NETASQ URLs, administrators can submit these URLs to N
9. Packets. TCP: Number of TCP packets transmitted through the firewall. UDP: Number of UDP packets transmitted through the firewall. 3.4.3.3.6 Connections. Rule ID: Rule identifier. Filtered. 3.4.3.3.7 Filtered. Facts. Overflow: Number of log lines lost. TIP: If you select a line from a developed node, an explanation appears in the button bar situated below the table. 3.4.4 Miscellaneous. The Miscellaneous menu enables viewing several types of information. Figure 26: Miscellaneous. 3.4.4.1 The Log information section. This section provides information on the number of log lines on the Firewall. To update information, click on the Get info button. If you possess modification privileges, an additional column will appear, enabling the selection of logs to be deleted on the Firewall using the Clear on firewall button. Archived l
10. Phase: SA negotiation phase. Corresponds to a VPN tunnel endpoint. Source: connection's source address. Destination: connection destination address. Message: Message regarding the attempt to set up a tunnel. User: user identifier (in the context of an anonymous tunnel). Initiator Cookie: Initiator identifier for the negotiation session in progress. Receiving Cookie: Responder identifier for the negotiation session in progress. Spi in: identifier for the ingoing SA. Spi out: identifier for the outgoing SA. 3.4.2.6 VPN SSL. This sub-menu provides a history of events concerning VPN SSL. Several fields are used: Date: Date on which entry was generated. Result: Result of the SSL VPN connection to the selected server. Port: server connection port. Source: connection's source address. Destination: connection destination address. Message: Message relating to the SSL VPN connection. User: user identifier. Argument: additional information regarding the log line (web page contacted). 3.4.3 Statistics Logs. 3.4.3.1 Introduction. 2 types of statistical analyses are available: Counters; Filters. 3.4.3.2 Counters. This table corresponds to the number of times a rule has been activated. To display information in this zone, the Count option must have been activated in the filter rules.
11. concerned: U30, U70, U120, U250, U450, U1100, U1500, U6000, NG1000-A and NG5000-A, VS5, VS10, V50, V100, V200, V500, VU.
   FOREWORD
   1 INTRODUCTION
   1.1 BASIC PRINCIPLES
   1.1.1 Who should read this user guide
   1.1.2 Typographical conventions
   1.1.3 Vocabulary
   1.1.4 Getting help
   1.1.5 Introduction to NETASQ EVENT REPORTER
   1.2 CONNECTION
   1.2.1 Access
   1.2.2 Connection
   1.2.3 Address book
   2 GETTING FAMILIAR WITH REPORTER
   2.1 PRESENTATION OF THE INTERFACE
   2.1.1 Main window
   2.1.2 Menu bar
   2.1.3 Menu directory
   2.1.4 Date and filter selection bar
   2.1.5 Result display zone
   2.1.6 Status bar
   2.1.7 Action bar
   2.2 DESCRIPTION OF THE MENU BAR
   2.2.1 File menu
   2.2.2 Applications menu
   2.2.3 Windows menu
   2.2.4 menu help
   2.3 OPTIONS
   2.3.1 General tab
   2.3.2 Log tab
   2.3.3 Tools tab
   2.3.4 Address book tab
   3 USING NETASQ EVENT REPORTER
   3.1 SOURCES
   3.1.1 Firewall
   3.2 GRAPHS
   3.2.1 Introduction
   3.2.2 Customizing
   3.3 CUSTOMIZING COLUMNS AND HEADERS
   3.3.1 Headers
   3.3.2 Columns
   3.3.3 Sorting by columns
   3.3.4 Contextual menu
   3.4 LOG TYPES
   3.4.1 Network logs
   3.4.2 Services logs
   3.4.3 Statistics Logs
   3.4.4 Miscellaneous
   3.5 DATA EXPORT
   3.5.1 Export
   3.5.2 Log format
12. is as follows: In the column Password, double-click on the password for an address that needs to be changed. A window will open, allowing you to make the change. Click on the OK button or close the address book. The following message will appear: "The address book has been modified. Save changes?" Click on the Yes button to confirm changes. 1.2.3.3 Deleting an address. To delete a firewall from the address book, follow the procedure below: Select the firewall to delete. Click on the Delete button. The following message will appear: "Confirm removal of these items?" Click on Yes to confirm removal. 1.2.3.4 Importing an address book. The procedure for importing an existing address book is as follows: Click on the Import button. The following window will appear. Figure 4: Importing an address book. Select the file to import. REMARK: The file to import should be in CSV format. Click on Open. For obvious security reasons, the address book can be encrypted. To activate encryption, check the option Encrypt address book, then define the related password. This password is absolutely necessary for r
13. list of registered Firewalls, allowing quick connection to the selected Firewall. 3.2 GRAPHS. 3.2.1 Introduction. Reporter is capable of analyzing the Firewall's activity. The Graphs menu in Reporter enables the display of Security and System events, the use of the firewall's processor, indicators of vulnerability levels supplied by NETASQ Vulnerability Manager, throughput on the appliance's interfaces, as well as the use of each QoS rule.
14. of such damages. NETASQ's maximum liability for damages shall be limited to the license fees received by NETASQ under this license for the particular product(s) which caused the damages. Any possible legal action relating to the alleged defectiveness of the software will come under the jurisdiction of NETASQ's headquarters, French law being the binding authority. WARNING: 1) Certain NETASQ products enable gathering and analyzing logs. This log information allows the activity of internal users to be tracked and may provide nominative information. The legislation in force in the destination country may impose the application of certain measures (namely administrative declarations, for example) when individuals are subject to such monitoring. Ensure that these possible measures have been applied before any use of the product. 2) NETASQ products may provide cryptographic mechanisms which are restricted or forbidden by the legislation in force in the destination country. Despite the control made by NETASQ before exportation, ensure that the legislation in force allows you to use these cryptographic mechanisms before using NETASQ products. 3) NETASQ disclaims all liability for any use of the product deemed illegal in the destination country. 1 INTRODUCTION. 1.1 BASIC PRINCIPLES. 1.1.1 Who should read this user guide. Thi
15. Figure 21: Administration. A history of all commands transmitted to the Firewall is given in this sub-menu. 11 fields are used: Firewall: Firewall's serial number. Date: Date on which the entry was generated. Time: Time at which the entry was generated. Line: Line number in the log file. Date time: Date and time on which the entry was generated. Result: error message. User: connection identifier. Source: connection's source address. Session id: 00 0000 format. The first two digits correspond to the number of times the Firewall has been reinitialized; the following 4 correspond to the number of connections on the Firewall. Message: command line sent to the Firewall. Timezone: F
16. Figure 6: Main window. It comprises six parts: a menu bar; a menu directory to the left of the screen; a date and filter selection bar, allowing only the analysis of data in the chosen period; a result display zone; an action bar; a status bar. 2.1.2 Menu bar. The main window contains the following options: File: Allows you to connect to the firewalls and to access options in the application. Administration Suite NETASQ UNIFIED MANAGER and NETASQ REAL TIME 2.1.3 Menu directory. The menu directory consists of 2 tabs. 2.1.3.1 Sources tab. The Sources tab enables connection to d
17. Figure 23: System. This sub-menu provides a history of messages linked to Firewall services. 3.4.2.5 IPSec VPN.
18. Figure 25: Count. 3 fields are available: Date: Date on which entry was generated. Rule ID: Rule identifier. Count: Indicates the number of megabytes. 3.4.3.1 Filtering. 3.4.3.3.1 Filter stats. Date: D
19. ETASQ's website. The URL for this submission page is http://www.netasq.com/updates/urlfiltering.php. There are two ways of submitting URLs: by connecting directly to NETASQ's website to manually specify the URL or, when the URL appears in Reporter's tables, by using the contextual menu of the Web grid in Reporter so that the submission will be automatic. In order to do this, the URL to be submitted has to be specified in the URL to submit a category field in Reporter. 2.3.3.4 URL for online help. The address shown here allows you to access the online help. 2.3.4 Address book tab. Figure 15: General options, Address book tab. Location of the address book: the NETASQ UNIFIED MANAGER, NETASQ REAL TIME MONITOR and NETASQ EVENT REPORTER applications use the same address book and therefore the same address book file. To retrieve a gap file (NETASQ project file), simply click on Browse. 3 USING NETASQ EVENT REPORTER. 3.1 SOURCES. The Sources tab in the menu directory enables specifying the source of logs viewed: Firewall. The Sources tab enables connection to different log sources provided by NETASQ for the analysis of logs and events raised by the Firewall. 3.1.1 Firewall. When direct
20. NETASQ USER MANUAL we secure IT. NETASQ EVENT REPORTER V.9 USER MANUAL. Reference: engde_nereporter v9 0. Copyright NETASQ 2011. All rights reserved. Any reproduction, adaptation or translation of this current document without prior written permission is prohibited, except where expressly allowed by copyright laws. NETASQ applies a method of continual development and as such reserves the right to modify and improve any product described in the document without prior notice. Under no circumstances shall NETASQ be held liable for any loss of data or revenue, or any special damage or incident, resulting from or indirectly caused by the use of the product and its associated documentation. The contents of this document relate to the developments in NETASQ's technology at the time of its writing. With the exception of the mandatory applicable laws, no guarantee shall be made in any form whatsoever, expressly or implied, including but not limited to implied warranties as to the merchantability or fitness for a particular purpose, as to the accuracy, reliability or the contents of the document. NETASQ reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice. To ensure the availability of products, which may vary according to your geographical locations, contact your nearest NETASQ distributor. Products
21. Sec and SSL VPN information and errors in the form of tables. Statistics: Enables you to display, in the form of tables, different types of statistics: counters, filter rules created and address translation. Miscellaneous: Enables you to retrieve various log data. It is also possible to generate a file containing the addresses of all the Internet sites consulted. Selecting an entry that is already displayed will refresh data. 2.1.4 Date and filter selection bar. 2.1.4.1 Selecting the date. Figure 8: Selecting the date. This bar enables you to define the period over which you wish to retrieve data. You may choose from among a number of pre-defined periods: Manual selection (you may define any period whatsoever; this option enables you to extract personalized data), Last hour, Last six hours, Today, Yesterday, This week, This month, This year, Last week, Last month, Last year, All, Last lines. 2.1.4.1.1 Filters. You can select the filters to be applied on the columns and perform multi-criteria searches using the selection button (see the section Part 3, Chapter 5: Filter Constructor in this manual).
22. ame, contact name, e-mail address and unique user identification for technical support. 2.3 OPTIONS. The Options sub-menu allows configuring the application and logs. Go to the menu File / Options to configure these options. 2.3.1 General tab. Figure 12: General options, General. 2.3.1.1 Default language. The NETASQ EVENT REPORTER application is multilingual. Select the language required for the graphical interface. 2.3.1.2 At startup. 2 options are possible: Open a grid: opens up a log grid when the application is opened. Connection to the firewall: Authorizes a direct connection to the firewall. 2.3.1.3 Miscellaneous. Keep connection logs in a file: Enables you to generate logs concerning the application's behavior. Empty the log file each time the application is started: Enables you to have a file of limited volume and to keep active logs only for the purpose of the application in progress. 2.3.1.4 Grid font. This option allows you to specify the font and font size of the text which ap
23. ard Step 2. In the last step (Step 3), the wizard will ask you to select the column headers and the columns to be exported using checkboxes. Figure 29: Export wizard, Step 3. The interface allows you to check or uncheck all the boxes, get the default selection, save or restore your column selection. Each export type has its own backup. By checking a box, you automate this operation. When you later select the Finish button, the interface will ask you if you wish to save the generated file in a folder of your choice. This folder will be remembered for each export type. REMARK: If the Reporter connects directly to a Firewall and the number of lines to be retrieved on the Firewall exceeds 10 000, a download confirmation message will appear on the screen. 3.5.2 Log format. The logs are in WELF (WebTrends Enhanced Log Format) format. Line, whole type: number of the Firewall log line. Alphabetical type: Firewall serial number. Time Log_Time, type date: date of the log line. Pri, whole type: priority of the event alarm ref. Srcif, alphabetical type: source interface. Srcifname, alphabetical type: interface name. Dstif, alphabetical type: destination interface. Dstifname, alphabe
24. ate on which entry was generated. Firewall: Firewall's serial number or name (if known). Time: Time at which entry was generated. Line: Line number in the log file. Date Time: Date and time on which the entry was generated. Saved evaluation: Number of rule evaluations that could not be performed because of the ASQ technology. Fragmented: Number of fragmented packets transmitted through the firewall. Timezone: Firewall's time zone at the moment of writing the log. Slot: Number of the activated policy. Real host. Host: Memory allocated to a host. Fragmented: Number of fragmented packets transmitted through the firewall. ICMP: Memory allocated to ICMP. Connection: Memory allocated to connections. Dynamic: Percentage of ASQ memory being used. 3.4.3.3.2 Memory. Logged: Number of log lines generated. Log overflow: Number of log lines lost. Accepted: Number of packets matching Pass rules. Blocked: Number of packets matching Block rules. 3.4.3.3.3 Rules. Rule n nn: Number of times that a rule has been applied to a packet. In brackets, the first number indicates the number of the policy and the second refers to the number of the rule in this policy. 3.4.3.3.4 Bytes. TCP: Number of bytes from TCP packets transmitted through the firewall. UDP: Number of UDP packets transmitted through the firewall. ICMP: Number of ICMP packets transmitted through the firewall. 3.4.3.3.5
25. cts Software are warranted for a period of 90 days (unless otherwise stated at purchase) from the date of the product's activation to be free from defects and to operate substantially according to the manual as it exists at the date of delivery, under the operating system versions supported by NETASQ. NETASQ does not warrant its software products for use with operating systems not specifically identified.

c) Default: NETASQ's entire liability and your exclusive remedy shall be, at NETASQ's option, either a return of the price paid for this License or Product resulting in termination of the agreement, or repair or replacement of the Product or media that does not meet this limited warranty.

d) Warranty: Except for the limited warranties set forth in the preceding paragraph, this product is provided "as is" without warranty of any kind, either expressed or implied. NETASQ does not warrant that the product will meet your requirements or that its operation will be uninterrupted or error free. NETASQ disclaims any implied warranties or merchantability or fitness for particular purpose, or non-infringement.

e) Recommendations: In no event will NETASQ be liable to you or any third party for any damages arising out of this agreement or the use of the product, including lost profit or savings, whether actual, indirect, incidental, or consequential, irrespective of whether NETASQ has been advised of the possibility
26. e server application

- Detail: self-explanatory
- Client target: Client target
- Server target: Server target
- Detected: Date on which the vulnerability was detected

3.4.1.3 FTP

11 fields are used:

- Line: Line number in the logs
- Date: Date on which recorded logs were generated
- Time: Time at which recorded logs were generated
- User: Connection identifier
- Source name: source address of the connection
- Destination name: destination address of the connection
- Destination port name: destination address port of the connection
- Received: Volume received
- Action: Action to perform (Pass, Block or Scan)
- Message: command line sent to the firewall
- Operation: Indicates FTP commands (LIST, RETR, QUIT)
- Virus: Indicates the name of the detected virus

3.4.2 Services logs

3.4.2.1 Introduction

5 services are available:

- Administration
- Authentication
- System
- IPSec VPN
- SSL VPN

3.4.2.2 Administration

[Screenshot: 10.2.0.1 > Services > Administration log grid; columns: Date, User, Source, Session, Status, Message]
27. eading information contained in the address book. The address book is encrypted in AES, which is currently the most powerful symmetrical encryption algorithm.

1.2.3.5 Exporting an address book

All the information in the address book can be exported, to be used, for example, for complementing another address book. The procedure for exporting an existing address book is as follows:

- Click on the Export button. The following window will appear.
- The following message will appear: "Encrypt address book (Highly recommended)". If you click on Yes, you will be asked to enter the password for the address book before the save window appears.

Figure 5: Exporting an address book

REMARK: The file to export should be in .dat format.

- Click on Save.

2 GETTING FAMILIAR WITH REPORTER

2.1 PRESENTATION OF THE INTERFACE

2.1.1 Main window

Once you are connected to the Firewall, Reporter's main window appears.

[Screenshot: Reporter main window]
28. ecure IT

FOREWORD

Copyright

Copyright NETASQ 2010. All rights reserved. Under copyright law, any form of reproduction whatsoever of this user manual without NETASQ's prior written approval is prohibited. NETASQ rejects all liability arising from the use of the information contained in these works.

Liability

This manual has undergone several revisions to ensure that the information in it is as accurate as possible. The descriptions and procedures herein are correct where NETASQ firewalls are concerned. NETASQ rejects all liability directly or indirectly caused by errors or omissions in the manual, as well as for inconsistencies between the product and the manual.

Notice

WEEE Directive

All NETASQ products that are subject to the WEEE directive will be marked with the mandated "crossed-out wheeled bin" symbol (as shown above) for items shipped on or after August 13, 2005. This symbol means that the product meets the requirements laid down by the WEEE directive with regards to the destruction and reuse of waste electrical and electronic equipment. For further details, please refer to NETASQ's website at this address: http://www.netasq.com/recycling.html

License Agreement

Introduction

The information contained in this document may be changed at any time without prior notification. Despite the care taken in preparing this document, it may contain some errors. Please do not hesitate to contact NETASQ if you notice any
29. f this is present on the Firewall

- Server: Indicators relating to some of the Firewall's critical servers

The display of these indicators is based on the weighting of system events in relation to each other, in order to present a coherent status of the Firewall (major alarms will have more weight than minor alarms).

3.2.2.2 CPU load

This graph represents the processor's load:

- User: load attributable to processes that the user executes
- Interruptions: load represented by exchanges between the kernel and processes executed by the user
- System events: load attributable to the kernel

3.2.2.3 Vulnerability Manager

3.2.2.3.1 Vulnerabilities

Vulnerability indicators concern the following:

- Total
- Remote: refers to vulnerabilities that can be exploited remotely via the network
- Target server: vulnerability that affects a server application
- Critical
- Minor
- Major
- Fixed: refers to vulnerabilities for which a fix is available

3.2.2.3.2 Information

Information indicators concern the following:

- Total info
- Minor info
- Major info
- Monitored

3.2.2.4 Interfaces

3.2.2.4.1 List of interfaces

This section sets out the list of different interfaces: In, Out, Dmz.

3.2.2.4.2 Traffic by interface

This section of the graphs represents the use of each interface on the Firewall. For every interface, four types of information are given:

- Incoming throu
30. ghput: At a given moment
- Maximum incoming throughput: Observed over the defined period
- Outgoing throughput: At a given moment
- Maximum outgoing throughput: Observed over the defined period

3.2.2.5 QoS

3.2.2.5.1 List of QoS rules

This section sets out the list of different QoS (Qualities of service) defined on the firewall:

- DEFAULT
- SSH_priq
- HTTP
- SSH_Ext
- DNS
- Squid
- CIFS
- FT

3.2.2.5.2 Traffic by QoS

- Incoming bandwidth: At a given moment
- Maximum incoming bandwidth: Observed over the defined period
- Outgoing bandwidth: At a given moment
- Maximum outgoing bandwidth: Observed over the defined period

3.2.2.6 Graphs options

3.2.2.6.1 Full precision for long periods

When this option is checked, all the points in the period are taken into account. However, for very long periods, only certain significant points are taken in order to prevent the graph from getting too crammed.

3.2.2.6.2 Percentage of CPU up to 100

When this option is selected, the scale at which the processor's load is plotted is dynamic. Therefore, if the processor's load is light, the graphs' scale will be adapted so that the administrator can read them. Otherwise, the maximum value of the scale will remain at 100 regardless of the maximum value obtained up until then.

3.3 CUSTOMIZING COLUMNS AND HEADERS

The names of the following columns correspond to the data that may be c
31. groups. This feature applies to all logs files (Network, Services and Statistics).

Example: When you select the display of Web logs, it is possible to group data firstly according to the user and then according to the destination, in order to highlight the Internet consultations carried out by internal users.

Figure 20: Sorting columns

TIP: The order of the table columns may be customized using the drag and drop mechanism. This can be done by right-clicking and keeping the mouse button depressed on the column whose order you wish to modify, then dropping it to its desired location. Two green arrows will help you to locate this new location. Columns cannot be moved under a different header.

3.3.4 Contextual menu

In each log grid in Reporter, contextual menus (accessible by right-clicking with the mouse) enable the quick execution of specific actions. A maximum of three options are defined for the contextual menu, depending on the information on which you right-click:

- Copy line to clipboard as WELF: This option enables rewriting a line in the Reporter log grid to the clipboard, to be used outside Reporter.
- Submit URL to a category: when you open the contextual menu after having selected a URL, this option allows send
32. icular point.

WARNING / RECOMMENDATION: These messages warn you about the risks involved in performing a certain manipulation or about how not to use your appliance.

TIP: This message gives you ingenious ideas on using the options on your product.

DEFINITION: Describes technical terms relating to NETASQ or networking. These terms will also be covered in the glossary.

1.1.2.3 Messages

Messages that appear in the application are indicated in double quotes.
Example: "Delete this entry"

1.1.2.4 Examples

Example: This allows you to have an example of a procedure explained earlier.

1.1.2.5 Command lines

Command lines: Indicates a command line (for example, an entry in the DOS command window).

1.1.2.6 Reminders

Reminders are indicated as follows:
Reminder

1.1.2.7 Access to features

Access paths to features are indicated as follows:
Access the menu File Options

1.1.3 Vocabulary

- Dialup: Interface on which the modem is connected
- Firewall: NETASQ UTM device / product
- Logs: A record of user activity for the purpose of analyzing network activity

1.1.4 Getting help

To obtain help regarding your product and the different applications in it:

- Website: www.netasq.com. Your secure access area allows you to access a wide range of documentation and other information.
- User manuals: NETASQ UNIFIED MANAGER, NETASQ REAL TIME and NETASQ EVENT REPORTER
33. ifferent log sources provided by NETASQ for the analysis of logs and events raised by the Firewall.

- Firewall: When directly connected to the Firewall, this log retrieval method makes it possible to dispense with the use of log centralization tools. However, it does not allow centralizing the logs of several Firewalls, which is usually essential for analyzing an event that is spreading on several company sites. Furthermore, this method is only available for appliances that have a hard disk, as without it, logs cannot be saved directly on the Firewall.

These three actions in the Sources tab are explained in the Part 3 Chapter 1 Sources in this manual.

2.1.3.2 Logs tab

Figure 7: Logs tab

This tab contains five options, each distinguished by a colored icon:

- Graphs: Enables you to display, in the form of on line graphs, vector graphs or histograms, different types of Firewall data: security and system indicators, processor consumption, throughput on different interfaces, quality of service.
- Network: Enables you to display, in the form of tables, all types of Firewall logs, which are divided into 8 tables: Filter, alarms, connection, web, SMTP, POP3, plugin and Vulnerability Manager.
- Services: Enables viewing different types of information and messages: administration on the Firewall, authentication information and errors or IP
34. ing the URL to the URL submission form on NETASQ's website.
- Go to xxxxxx: when you open the contextual menu after having selected a destination, this option enables an HTTP connection attempt to this destination.

3.4 LOG TYPES

NETASQ EVENT REPORTER allows you to view logs in the form of tables. These files comprise three menus:

- Network
- Services
- Statistics

3.4.1 Network logs

- Filter: logs generated by the filter rules. To obtain these logs, at least one of the filter rules must have the Log option.
- Alarm: alarms raised by the firewall.
- Connection: information on all the authorized connections having passed through the Firewall.
- Web: logs from visited web sites (HTTP plugin and HTTP proxy).
- SMTP: e-mail logs generated by the SMTP proxy. The SMTP proxy has to be activated for these logs to be available.
- POP3: e-mail logs generated by the POP3 proxy. The POP3 proxy has to be activated for these logs to be available.
- SSL: SSL secure connection logs (HTTPS).
- Plugins: information regarding plugins activated on your Firewall (except the HTTP plugin).
- FTP: Transferred log files (FTP proxy).

See Customizing columns and header, Part 3 CHAPTER, to get a better description of the table.

NOTES: Web and plugin logs can no longer be merged as they will become independent again. The name of the intrusion prevention profile will be displayed in the Ala
35. irewall's time zone at the moment of writing the log

3.4.2.3 Authentication

Figure 22: Authentication (10.2.0.1 > Services > Authentication log grid; columns: Date, User, Source, Method, Status)

This sub-menu provides a history of authentication requests. Several fields are used:

- Firewall: Firewall's serial number
- Date: Date on which entry was generated
- User: user seeking authentication
- Source: address requesting authenticati
36. k can be accessed from the menu File Address book. The address book centralizes all passwords for access to different modules and other application in the Administration Suite. This information is stored on the same client workstation on which the interface has been installed. It may be encrypted if you check the option Encrypt address book. In this case, you will be asked to enter an encryption key. For each Firewall, indicate a name (you can select any name, which does not necessarily have to correspond to the Firewall's name), IP address, password and serial number.

WARNING: You are strongly advised to activate the encryption of the address book for obvious security reasons.

Once this information has been entered, you may save it using the Save button.

WARNING: If you modify the Encrypt address book option, the address book has to be saved once more to apply the changes.

Check the option Show passwords to check the passwords used for each Firewall saved in the address book (passwords are displayed in plaintext).

1.2.3.1 Adding an address

Click on the button Add to add an address to the address book. Other information to supply:

- Name: The name of the firewall

1.2.3.2 Modifying the password for an address

The procedure for modifying the password for an address
37. ly connected to the Firewall, this log retrieval method makes it possible to dispense with the use of centralization tools. However, it does not allow centralizing the logs of several Firewalls, which is usually essential for analyzing an event that is spreading on several company sites. Furthermore, this method is only available for appliances that have a hard disk, as without it, logs cannot be saved directly on the Firewall. See the section Connection for more information.

3.1.1.1 Ways of connecting to the Firewall

A Firewall connection in the Sources tab enables performing three connection-related actions:

- New: By clicking on this option, the address book opens automatically on the list of registered Firewalls. This enables saving the address book of a new Firewall.
- Connect to the Firewall: By clicking on this option, the connection window appears and allows connections to the Firewall without the need to register it.

REMARKS:
1. If a firewall was already connected, the following message will appear before the connection screen appears: "Confirm disconnection".
2. If you wish to remain connected while connecting to another firewall, access the menu bar and select File\Open. A connection window will open, allowing you to authenticate in order to access another firewall. You can be connected simultaneously to as many firewalls as you wish.

- Firewall_xx: lastly, this option provides direct access to the
38. nfigured on Monitor in the Administration Suite.

3.3.2.2 Interface

- Source interface: Source interface's network adapter
- Source interface name: Name of the source interface
- Destination interface: Destination interface's network adapter
- Destination interface name: Name of the destination interface
- Movement type: Type of packet movement
- Movement: Packet movement

3.3.2.3 Protocol

- Internet Protocol: Internet Protocol
- Protocol: Base protocol
- Group: Protocol group

3.3.2.4 Source

- Source name: Source IP address or resolved name
- User: Name of the authenticated user
- Source IP address
- Source port name: Name of the source port
- Source port: Source port number

3.3.2.5 Destination

- Destination: Destination IP address
- Destination name: Destination IP address or resolved name
- Destination port: Destination port number
- Destination port name: Name of the destination port

3.3.2.6 Volume

- Sent: Amount of data sent
- Received: Amount of data received
- Duration: Connection duration

3.3.2.7 Action

- Action: Filter rule action (none, pass, block, reset)
- Message: Alarm
- Help: Links to an explanation of the alarm raised
- Alarm ID: Alarm's identifier on the Firewall
- Repeat: Number of times the ala
39. ogs will then be deleted.
- Delete: The selected line will be deleted if this option is checked.

3.4.4.2 The Generate URLs section

This section generates a list of web addresses visited by users in an HTML file, in the case URL filtering has been activated. This list can be used to indicate to NETASQ UNIFIED MANAGER new URLs to filter. Click on the Generate button to generate this HTML file. A screen will appear, allowing you to name the file and save it in a folder of your choice.

3.5 DATA EXPORT

3.5.1 Export

Click on the Export button in the action bar of the Logs tabs to export data. A wizard will guide you in exporting your data. Data can be exported in 4 formats:

Figure 27: Export wizard, Step 1 (Select an export format)

- TXT
- XML
- HTML
- XLS

If you select the TXT format, during Step 2 the assistant will prompt you to choose a field separator, as shown in the example below.

[Screenshot: Export wizard, Select a field separator; separator options: Comma (CSV file), Semicolon, Tab, Space; Step 2 of 3]

Figure 28 Export wiz
40. olicy

When you deselect an option that is linked to a header in the grid, the column will be deleted for that grid.

Example: For Alarm logs, you have deselected the header Line date. The header and the options associated with it will be removed from the grid. The other log files will nonetheless maintain this header.

If you disconnect and reconnect to the firewall, changes to the customization will be saved.

3.3.2 Columns

Figure 19: Customizing columns

3.3.2.1 Lines date

- Firewall: Firewall's serial number
- Firewall name: Name of the firewall
- Line: Number of the log line
- Date: Date the log line was generated
- Time: Time the log line was generated
- Slot level: Number corresponding to the classification of filter rules (local or global)
- Rule ID: Rule identifier
- Priority: Alarm level (major or minor)
- Saved at: Time at which log was saved
- Timezone: Firewall's timezone
- Packet: Displays the packet which had raised the alarm. This feature has to be co
41. on
- Result: Error message
- Message: return message for the request

3.4.2.4 System

[Screenshot: 10.2.0.1 > Services > System log grid; columns: Date, Service, Message]
42. only mode. In this way, you can connect to the firewall without modification privileges using an account that ordinarily has these privileges. This allows avoiding the use of modification privileges if they are not necessary.

REMARK: If NETASQ EVENT REPORTER has been launched from NETASQ UNIFIED MANAGER or NETASQ REAL-TIME MONITOR, Reporter will automatically connect to the Firewall that is connected to Manager or Monitor.

WARNING: The NETASQ Firewall is case-sensitive, both for the user name as well as for the password.

The option Read Only enables connecting to the Firewall in read-only mode. In this way, you can connect to the firewall without modification privileges using an account that ordinarily has these privileges.

TIP: You may connect to several Firewalls simultaneously by opening several windows (menu File\Open).

1.2.2.2 Connection via the menu Sources

REMARK: This connection mode is recommended if you have a fleet of firewalls.

If the option Connect to firewall has not been selected in the configuration of the service, the connection window will not appear. Instead, NETASQ EVENT REPORTER's main window will open. To connect, click on the tab Sources, Firewall, then select the firewall(s) on which you would like reporting. See the CHAPTER Sources for more information on this connection.

1.2.3 Address book

The address boo
43. onsulted in Network logs. These columns are grouped according to the type of data under headers. To start customizing your headers and columns, open a log file in the Logs tab and click on the Columns button in the action bar.

Figure 17: Button bar

3.3.1 Headers

Headers are thematic classifications of columns. Columns under the same header are placed adjacently.

Figure 18: Customizing headers

- Lines date: Information relating to the line and time of the packet's log
- Interface: Information relating to the interface through which the packet passed
- Protocol: Information relating to the packet's protocol
- Source: Information relating to the packet source
- Destination: Information relating to the packet's destination
- Volume: Information relating to the packet's volume
- Action: Information relating to the volumes of data in the packet
- Operation: Information relating to the commands carried out when using protocols managed by plugins and proxies
- Vulnerability Manager: Information relating to the NETASQ VULNERABILITY MANAGER module
- SIP: Information relating to media, caller and callee of the SIP plugin
- Context
- Translation (NAT)
- Content p
44. pears in the log grid.

2.3.2 Log tab

Figure 13: General options, Log

2.3.2.1 When downloading from firewall

- Local log cache: this option allows you to speed up log information searches which have already been performed. Data is no longer sent from the Firewall when this option is selected and when data has already been sent. This option is inactive when working on the current day.
- Keep local copy of WELF files from the firewall: Locally stores all the log files downloaded from the Firewall.

The Clear local cache button, as its name implies, allows you to purge the local cache of downloaded logs.

2.3.2.2 Maximum number of downloaded lines

This option allows you to specify the maximum number of lines downloaded for a connection to the Firewall. In order to facilitate loading and transforming logs, they can be displayed in 15 000 lines per page when you select the option Download by page. If the specified period contains more than the maximum number of lines
45. rm has been repeated within the duration specified in the Administration Suite
- Rule name: This column contains the value specified in the Name field in the filter rule editor
- Class: Class to which the raised alarm belongs

3.3.2.8 Operation

- Category: Category to which the URL having caused the generation of logs belongs
- Operation: Protocol's identified command
- Result: Error message return code
- Argument: Operation's parameter
- Spam level: Spam level: 0 (message not considered spam), 1, 2 and 3 (spam), x (error when processing message), and the nature of the message could not be determined
- Virus: Indicates whether the e-mail contains a virus. Possible values are safe, infected, etc.
- Classification: Generic category in which the alarm belongs. Examples: Protocol, Content_filtering, Web, Mail, FTP

3.3.2.9 Vulnerability Manager

- Vuln ID: Vulnerability identifier
- Family: Family to which the vulnerability belongs
- Severity: Level of the vulnerability's criticality
- Solution: Yes or no, depending on whether there is a solution suggested
- Exploit: Indicates the location where a vulnerability can be exploited. 2 possible options: locally or remotely
- Client target: Client target
- Server target: Server target
- Detected on: Date on which the vulnerability was detected

3.3.2.10 SIP
46. rms, Connection and Filter logs.

3.4.1.1 Web

Right-clicking on a destination name will display the contextual menu that allows you to:

- Submit URL to a category: when you open the contextual menu after having selected a URL, this option allows sending the URL to the URL submission form on NETASQ's website. This form will also enable putting a URL into a category and to submit a new URL category.

3.4.1.2 Vulnerability Manager

21 fields are used:

- Line: Line number in the logs
- Date: Date on which recorded logs were generated
- Time: Time at which recorded logs were generated
- Internet Protocol: Name of the internet protocol used
- Protocol: Name of the protocol used
- User: Connection identifier
- Source name: source address of the connection
- Source port name: source port of the connection
- Message: command line sent to the firewall
- Argument: complementary information associated with the log line (contacted web page)
- Vuln ID: Vulnerability identifier
- Family: Family type to which the vulnerability belongs
- Severity: Level of criticality of the vulnerability
- Solution: Indicates with a yes or no whether a solution is offered
- Exploit: The solution may be accessed locally or remotely (via the network). It allows exploitation of the vulnerability
- Product: Name of the client application
- Service: Name of th
47. s address book, which is common to all NETASQ applications, may or may not be encrypted. If it is encrypted or does not yet exist, there will be an additional step before connecting NETASQ EVENT REPORTER to the Firewall.

From version 9.0.2 onwards, a message will appear when connecting to a firewall configured with its default password.

1.2.2.1 Direct connection to a NETASQ Firewall

REMARK: This connection is recommended if you have only one firewall and the amount of logs generated is fairly small.

If the address book exists and is encrypted (see the section Part 1 Chapter 2 Address Book for more information on address book options), its password will be requested before every connection to Reporter on each registered Firewall.

Figure 2: Address book, Password

Next, NETASQ EVENT REPORTER will display a log grid and a connection popup which allow you to enter connection information for a Firewall. This connection window can be accessed if the option Connect to firewall has been selected (see section Options).

To connect to a Firewall, use the menu Firewall in the tab Sources in the menu directory and select a firewall. The following window will then open:

Figure 3: Connection

- Read only: Enables connecting to the Firewall in read
48. s manual is intended for network administrators or for users with the minimum knowledge of IP. In order to configure your NETASQ Firewall in the most efficient manner, you must be familiar with these protocols and their specific features:

- ICMP (Internet Control Message Protocol)
- IP (Internet Protocol)
- TCP (Transmission Control Protocol)
- UDP (User Datagram Protocol)

Knowledge of the general operation of the major TCP/IP services is also preferable:

- HTTP
- FTP
- Messaging (SMTP, POP3, IMAP)
- Telnet
- DNS
- DHCP
- SNMP
- NTP

If you do not possess this knowledge, don't worry: any general book on TCP/IP can provide you with the required elements. The better your knowledge of TCP/IP, the more efficient will be your filter rules and the greater your IP security.

1.1.2 Typographical conventions

1.1.2.1 Abbreviations

For the sake of clarity, the usual abbreviations have been kept. For example, VPN (Virtual Private Network). Other acronyms will be defined in the glossary.

Display

Names of windows, menus, sub-menus, buttons and options in the application will be represented in the following fonts:
Menu Interfaces

1.1.2.2 Indications

Indications in this manual provide important information and are intended to attract your attention. Among these, you will find:

NOTES / REMARKS: These messages provide a more detailed explanation on a part
49. tical type, destination interface name
- Movement: whole type, direction of movement (in to in, in to out, out to out, out to in)
- MoveTypeMS: whole type, direction of movement (Server to Server, Server to Client, Client to Client, Client to Server)
- Ipproto: alphabetical type, Internet protocol
- Proto: alphabetical type, protocol
- Src: alphabetical type, source address (IPV6 ready)
- Srcport: alphabetical type, source port
- Srcportname: alphabetical type, source port name
- Srcname: alphabetical type, name of the source
- dst: alphabetical type, destination address (IPV6 ready)
- Dstport: alphabetical type, destination port
- Dstportname: alphabetical type, name of destination port
- Dstname: alphabetical type, destination name
- User luser: alphabetical type
- Ruleid: whole type, filter rule identifier
- Action: chain type, action (reserved word for interbase)
- Msg: alphabetical type
- Sent: whole type, amount of data sent
- Rcvd: whole type, amount of data received
- Duration: real type, duration
- Op: alphabetical type, operation
- Result: alphabetical type
- Arg: alphabetical type, command parameters of a web page

NETASQ we secure IT documentation netasq com
50. Figure 24: IPSec VPN

This sub-menu provides a history of events concerning IPSec VPN. Several fields are used:
- Date: Date on which entry was generated
- Result: Error message
51. w

1.1.5 Introduction to NETASQ EVENT REPORTER

The NETASQ EVENT REPORTER is a module of the NETASQ Firewall Administration Suite. This application program enables the display of log files generated by NETASQ Firewalls. This data can be used to analyze your network activity (access to your computer systems, staff use of the Internet, web sites visited, email use) in order to diagnose hacking attempts detected and blocked by the Firewall. The data is displayed either in the form of tables, enabling a precise and detailed analysis, or in the form of graphs, thus providing a consolidated global display of the data.

NETASQ EVENT REPORTER's logging functions enable displaying the events stored in each log file in one of the following ways:
- Selecting periods predefined in relation to the current date (today, this week, etc.) or defined manually
- Sorting (ascending/descending) by the value in each field in which a security event has been captured
- Hierarchical classifications according to the value of one or several fields in which a security event has been captured

WARNING: Version 9 of NETASQ EVENT REPORTER no longer supports Syslog (except the possibility to open/view a log file in Syslog UNIX in Tools Menu) or any other form of database. However, these features are still available in version 8 and earlier