Manual StoneGate DataSource Config For MNGF

This document provides instructions for configuring McAfee Next Generation Firewall (Stonesoft) to send syslog data to McAfee Enterprise Security Manager for analysis and monitoring. It outlines prerequisites, specific configuration steps for the firewall and receiver, mappings between firewall log fields and ESM fields, and troubleshooting tips.

McAfee Enterprise Security Manager

Data Source Configuration Guide

Data Source: McAfee Next Generation Firewall (Stonesoft)

September 2, 2014

McAfee NGFW Page 1 of 7


Important Note:
The information contained in this document is confidential and proprietary.
Please do not redistribute without permission.

Table of Contents
1   Introduction                                               4
2   Prerequisites                                              4
3   Specific Data Source Configuration Details                 5
3.1 McAfee NGFW v. Configuration                               5
3.2 McAfee Receiver Configuration                              5
4   Data Source Event to McAfee Field Mappings                 6
4.1 Log Sample                                                 6
4.2 Mappings                                                   6
5   Appendix A - Generic Syslog Configuration Details          7
6   Appendix B - Troubleshooting                               7

1 Introduction
This guide details how to configure McAfee NGFW to send syslog data in the proper format to the
ESM.

2 Prerequisites
McAfee Enterprise Security Manager Version 9.2.0 and above.
Version 7 of Stonesoft
In order to configure the McAfee Next Generation Firewall (Stonesoft) Syslog service, appropriate
administrative level access is required to perform the necessary changes documented below.

3 Specific Data Source Configuration Details
3.1 McAfee NGFW v. Configuration
1. Select Monitoring → System Status.
2. Expand the Servers branch.
3. Right-click the Log Server from which you want to forward log data, and select
Properties. The Log Server Properties dialog will open.
4. Switch to the Log Forwarding tab.

5. Click the Add button to create a new Log Forwarding rule. A new row is added to the
table.
6. Configure the Log Forwarding rule to point to your SIEM. Ensure that the Format is set
to McAfee ESM.
7. Click OK.

3.2 McAfee Receiver Configuration


After successfully logging into the McAfee ESM console, the data source needs to be added to
a McAfee Receiver in the ESM hierarchy. Either of the following paths opens the data source dialog:
1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select “Data Sources”.
4. Select “Add Data Source”.
OR
1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the “Add Data Source” icon.

Data Source Screen Settings


1. Data Source Vendor – McAfee
2. Data Source Model – Next Generation Firewall – Stonesoft (ASP)
3. Data Format – Default
4. Data Retrieval – Default
5. Enabled: Parsing/Logging/SNMP Trap – <Defaults>
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source
device.
8. Syslog Relay – None
9. Mask – 32
10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslogs – Do nothing
12. Time Zone – Time zone of data being sent.
Note – Refer to Appendix A for details on the Data Source Screen options

4 Data Source Event to McAfee Field Mappings
4.1 Log Sample
This is a sample log from a McAfee Next Generation Firewall (Stonesoft) device:
Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",Facility="Cluster protocol",Type="Diagnostic",Event="Cluster protocol event",CompId="148",InfoMsg="p0 load: 3 (passed: 1111111 netload_factor: 2 all: 2222222 p: 19",ReceptionTime="2013-11-21 00:00:00",SenderType="Firewall",SituationId="2011",Situation="System_Cluster-Protocol-Event",EventId="5809198281527719675"
4.2 Mappings
The table below shows the mappings between the data source log fields and the McAfee ESM fields. Where several log fields are listed with "/", whichever one is present in the record supplies the ESM field.

Log Fields                               McAfee ESM Fields
ReceptionTime                            firsttime/lasttime
NodeId                                   Device_IP.Device_IP
Facility                                 application
Type/AlertSeverity                       severity
Situation/Event/SenderType : Facility    message
Action                                   action
Src                                      src_ip
Dst                                      dst_ip
Protocol                                 protocol
SrcPort/IcmpType                         src_port
DstPort/IcmpCode                         dst_port
SrcIF                                    Interface.Interface
AccTxBytes                               Bytes_Sent.Bytes_Sent
AccRxBytes                               Bytes_Received.Bytes_Received
Username/AuthName                        src_username
SenderType                               objectname
Situation                                sid
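The following is an added example, not part of the original guide and not McAfee's parser: it reads the key="value" record format shown in the log sample above and projects it onto the ESM field names of the mapping table, so that you can check on a captured line which ESM columns will be populated before the Receiver does it for you. The second sample record and its field values are constructed for the example (the page only shows the cluster-protocol record), the "first listed field present wins" rule for the "/" alternatives is an assumed reading of the table, and the exact layout of the composed message field is likewise assumed.

```python
import re
from typing import Dict, List

# Sample log from the page (section 4.1), re-joined onto one line because the
# PDF extraction wrapped it across several lines.
SAMPLE_LOG = (
    'Timestamp="2013-11-21 00:00:00",LogId="1615132411",NodeId="10.1.0.2",'
    'Facility="Cluster protocol",Type="Diagnostic",Event="Cluster protocol event",'
    'CompId="148",InfoMsg="p0 load: 3 (passed: 1111111 netload_factor: 2 all: 2222222 p: 19",'
    'ReceptionTime="2013-11-21 00:00:00",SenderType="Firewall",SituationId="2011",'
    'Situation="System_Cluster-Protocol-Event",EventId="5809198281527719675"'
)

# Constructed record (not from the page) in the same key="value" style, to
# exercise the traffic fields of the mapping table and a value containing a comma.
SAMPLE_CONNECTION_LOG = (
    'Timestamp="2013-11-21 00:01:00",NodeId="10.1.0.2",Facility="Packet Filtering",'
    'Type="Notification",Action="Allow",Src="192.0.2.10",Dst="198.51.100.7",'
    'Protocol="ICMP",IcmpType="8",IcmpCode="0",SrcIF="0",AccTxBytes="84",'
    'AccRxBytes="84",InfoMsg="rule 3, logged",ReceptionTime="2013-11-21 00:01:00",'
    'SenderType="Firewall",Situation="Connection_Allowed"'
)

# One key="value" pair. Values may themselves contain commas, so the record is
# scanned with this pattern rather than split on ','.
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_stonesoft_log(line: str) -> Dict[str, str]:
    """Parse one NGFW/Stonesoft syslog record into a dict of log fields."""
    return {key: value for key, value in PAIR_RE.findall(line)}


# ESM field -> candidate log fields, taken from the section 4.2 table. Where the
# table lists alternatives with '/', the first candidate present in the record
# wins (assumed interpretation of the table).
FIELD_MAP: Dict[str, List[str]] = {
    "firsttime": ["ReceptionTime"],
    "lasttime": ["ReceptionTime"],
    "Device_IP": ["NodeId"],
    "application": ["Facility"],
    "severity": ["Type", "AlertSeverity"],
    "action": ["Action"],
    "src_ip": ["Src"],
    "dst_ip": ["Dst"],
    "protocol": ["Protocol"],
    "src_port": ["SrcPort", "IcmpType"],
    "dst_port": ["DstPort", "IcmpCode"],
    "Interface": ["SrcIF"],
    "Bytes_Sent": ["AccTxBytes"],
    "Bytes_Received": ["AccRxBytes"],
    "src_username": ["Username", "AuthName"],
    "objectname": ["SenderType"],
    "sid": ["Situation"],
}


def map_to_esm(fields: Dict[str, str]) -> Dict[str, str]:
    """Project parsed log fields onto the ESM field names of the mapping table."""
    event: Dict[str, str] = {}
    for esm_field, candidates in FIELD_MAP.items():
        for candidate in candidates:
            if candidate in fields:
                event[esm_field] = fields[candidate]
                break
    # The table maps "Situation/Event/SenderType : Facility" to message; the page
    # does not give the exact composition, so this layout is an assumption.
    label = fields.get("Situation") or fields.get("Event")
    if label:
        event["message"] = f'{label} {fields.get("SenderType", "")} : {fields.get("Facility", "")}'
    return event


def unmapped_fields(fields: Dict[str, str]) -> List[str]:
    """Log fields that the section 4.2 table does not map to any ESM field."""
    used = {c for candidates in FIELD_MAP.values() for c in candidates}
    used.update({"Situation", "Event", "SenderType", "Facility"})
    return sorted(key for key in fields if key not in used)


if __name__ == "__main__":
    for line in (SAMPLE_LOG, SAMPLE_CONNECTION_LOG):
        parsed = parse_stonesoft_log(line)
        for esm_field, value in map_to_esm(parsed).items():
            print(f"{esm_field:15s} = {value}")
        print("unmapped:", ", ".join(unmapped_fields(parsed)))
        print()
```

Running the script prints the ESM view of both records; the unmapped list is the quick way to see which details (LogId, CompId, InfoMsg and so on) you will only find in the raw record, and the comma inside the constructed InfoMsg value shows why a naive split on "," would corrupt the parse.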

5 Appendix A - Generic Syslog Configuration Details
Once you select the option to add a data source, you are taken to the “Add Data Source” menu. The
general options for adding a data source are shown. As you select different options, additional
parameters may show. Each of these parameters will be examined in more detail.
1. Use System Profiles – System Profiles are a way to use settings that are repetitive in nature,
without having to enter the information each time. An example is WMI credentials, which are
necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor – List of all supported vendors.
3. Data Source Model – List of supported products for a vendor.
4. Data Format – “Data Format” is the format the data is in. Options are “Default”, “CEF”, and
“MEF”.
Note – If you choose CEF it will enable the generic rule for CEF and may not parse
data source-specific details.
5. Data Retrieval – “Data Retrieval” allows you to select how the Receiver is going to collect the
data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap – Enables parsing of the data source, logging of the
data source, and reception of SNMP traps from the data source. If no option is checked, the
settings are saved to the ESM, but not written to the Receiver or utilized. Default is to select
“Parsing”.
7. Name – This is the name that will appear in the Logical Device Groupings tree and the filter
lists.
8. IP Address/Hostname – The IP address and host name associated with the data source
device.
9. Syslog Relay – “Syslog Relay” allows data to be collected via relays and bucketed to the
correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask – Enables you to apply a mask to an IP address so that a range of IP addresses can
be accepted.
11. Require Syslog TLS – Enable to require the receiver to communicate over TLS.
12. Support Generic Syslog – “Generic Syslog” allows users to select “Parse generic syslog” or
“Log unknown syslog event”. Both these options will create an alert for an auto-learned
syslog event if there is no parsing rule.
13. Time Zone – If syslog events are sent in a time zone other than GMT, you need to set the
time zone of the data source so the date on the events can be set accordingly.
14. Interface – Opens the receiver interface settings to associate ports with streams of
information.
15. Advanced – Opens advanced settings for the data source.

6 Appendix B - Troubleshooting
• If a data source is not receiving events, verify that the data source settings have been written out
and that policy has been rolled out to the Receiver.
• If you see errors saying events are being discarded because the “Last Time” value is more than
one hour in the future, or the values are incorrect, you may need to adjust the “Time Zone”
setting.
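The second troubleshooting point above (events discarded because their time is more than one hour in the future) is usually a Time Zone mismatch between what the firewall stamps and what the data source is configured with. The following added example, not part of the original guide and not ESM's own logic, models that interpretation step: it reads a ReceptionTime stamp under a configured zone, measures how far ahead of the Receiver's clock the event lands, and estimates from the raw skew which offset the device is actually stamping in. The zone is modelled as a fixed offset in hours (the ESM setting is a named zone) and the scenario values are constructed.

```python
from datetime import datetime, timedelta, timezone

# Timestamp layout used by the page's sample log (ReceptionTime="2013-11-21 00:00:00").
LOG_TS_FORMAT = "%Y-%m-%d %H:%M:%S"
# Appendix B: events whose "Last Time" is more than one hour in the future are discarded.
FUTURE_LIMIT = timedelta(hours=1)


def as_utc(text: str) -> datetime:
    """Read a LOG_TS_FORMAT string as an aware UTC time (used for the Receiver clock)."""
    return datetime.strptime(text, LOG_TS_FORMAT).replace(tzinfo=timezone.utc)


def to_utc(reception_time: str, data_source_offset_hours: float) -> datetime:
    """Interpret a naive log timestamp using the data source's configured Time Zone.

    The zone is modelled as a fixed UTC offset in hours (a simplification; the ESM
    setting is a named zone).
    """
    naive = datetime.strptime(reception_time, LOG_TS_FORMAT)
    zone = timezone(timedelta(hours=data_source_offset_hours))
    return naive.replace(tzinfo=zone).astimezone(timezone.utc)


def future_skew(reception_time: str, data_source_offset_hours: float,
                receiver_now_utc: datetime) -> timedelta:
    """How far ahead of the Receiver's clock the event lands once interpreted."""
    return to_utc(reception_time, data_source_offset_hours) - receiver_now_utc


def would_be_discarded(reception_time: str, data_source_offset_hours: float,
                       receiver_now_utc: datetime) -> bool:
    """True when the interpreted event time exceeds the one-hour future limit."""
    return future_skew(reception_time, data_source_offset_hours, receiver_now_utc) > FUTURE_LIMIT


def suggested_offset_hours(reception_time: str, receiver_now_utc: datetime) -> int:
    """Estimate the zone the device actually stamps in, from the raw skew.

    Assumes the device clock is roughly in sync and the event is fresh, so the
    skew observed when the stamp is read as GMT is (approximately) the device's
    local offset, rounded to whole hours.
    """
    skew = future_skew(reception_time, 0, receiver_now_utc)
    return round(skew.total_seconds() / 3600)


if __name__ == "__main__":
    # Constructed scenario: the firewall stamps local time at UTC+3 while the
    # data source is left at the GMT default (offset 0).
    now = as_utc("2013-11-21 05:00:30")
    stamp = "2013-11-21 08:00:00"
    print("read as GMT, discarded:  ", would_be_discarded(stamp, 0, now))
    print("read as UTC+3, discarded:", would_be_discarded(stamp, 3, now))
    print("suggested Time Zone offset (hours):", suggested_offset_hours(stamp, now))
```

When the stamp is read as GMT it lands almost three hours ahead of the Receiver and would be dropped; with the data source set to the device's real zone it is current. The suggested offset is only a hint: a device whose own clock is wrong produces the same symptom, so check NTP on the firewall before changing the Time Zone setting.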
