NDR: Firewall Syslog Forwarding

Description

Notice

  • This guide is intended to serve as an example only. Users must modify applicable details, such as IP addresses, subnets, and device names, to align with their specific environment.

  • Exercise caution when making changes to your firewall or environment, as unplanned modifications can result in downtime, depending on the complexity of the configuration and infrastructure.

  • Your experience may vary if you are using a different software version or a product from another brand or manufacturer. Please note that you are solely responsible for the configuration and management of your devices.


CAUTION: The examples below are intended to serve as general guidelines. Your platform or software version may differ, resulting in variations in images, screens, options, or other elements.

Prerequisites/Requirements

You must have already completed one of the NDR: Step 1. Integration Guides, which ensures the devices being configured in this article have access to the SIEM. If you have not already done so, please reach out via your integration ticket for more information.


Step 1: Configuring Firewall Syslog Forwarding

We DO NOT have specific instructions for how to do this for all firewall manufacturers. If you are unsure how to configure your firewall, we recommend opening a support case with your firewall manufacturer’s support team.

DISCLAIMER - Examples provided are to be used as reference ONLY.

  • MSS is providing the below non-SonicWall firewall configuration steps for reference only. The below instructions have been provided by MSS partners in order to provide screenshots & references. Your experience might be different if you’re using a different model, firmware version, or another brand/manufacturer altogether. You are responsible for the configuration of your own device.

SonicWall Firewall Syslog Forwarding

As MSS specializes in SonicWall configuration, deployment, and management, instructions for SonicWall firewalls are below.

  • Did you know that MSS is a Tier 1 Services Delivery Provider for SonicWall?
  • If you would like assistance with making these SIEM/SOCaaS changes on your SonicWall Firewall, please reply to your ticket and your implementation engineer will be happy to assist you.
  1. Enable Syslog forwarding:
    1. Go to Device → Log → Syslog → Syslog Servers and click Add.
      1. Name or IP Address: the IP address of the virtual or physical security sensor that was deployed.
      2. Port: 5152
      3. Syslog ID: Specify your firewall’s name/unique identifier
      4. Click Add


Syslog Settings

The normal syslog setting for SonicWall firewalls is Inform/Error.

Fortinet/FortiGate Firewall Syslog Forwarding

  1. Open the FortiGate CLI (console or SSH session) and use the following commands to configure syslog forwarding. Each config block must be closed with end for the settings to be saved.
    1. config log syslogd setting
      1. set status enable
      2. set server [IP address of the security sensor]
        1. This will be the IP address of the virtual or physical security sensor that was deployed.
      3. set port 5517
      4. set format default
      5. set facility user
      6. set source-ip [LAN IP address of Firewall]
      7. end
    2. Confirm settings
      1. show log syslogd setting
    3. Check syslog filters to make sure they are all enabled
      1. config log syslogd filter
      2. show full-configuration
      3. end
    4. Confirm everything is enabled:
      1. config log syslogd filter
      2. set severity information
      3. set forward-traffic enable
      4. set local-traffic enable
      5. set multicast-traffic enable
      6. set sniffer-traffic enable
      7. set anomaly enable
      8. set voip enable
      9. set dns enable
      10. set ssh enable
      11. set filter "
      12. set filter-type include
      13. end
    5. If any filters are not enabled, please enable them for full functionality.
  2. Please ensure that the syslog traffic source is the LAN IP of your firewall that was provided to MSS.

Syslog Settings

The normal syslog setting for SonicWall firewalls is Inform/Error. Other manufacturers might have different settings. The main thing to be sure of is that you’re sending all possible syslog fields. Here is an example of possible SonicWall syslog fields:

[Image: example of SonicWall syslog fields]


Other Firewall Syslog Forwarding

For other brands/manufacturers of firewalls, follow these general instructions to set up syslog forwarding:

  1. The Syslog Server should be the IP address of the virtual or physical security sensor that was deployed.
  2. The Syslog Port should be the port listed for your brand of firewall in the NDR: Integration Guide - Syslog Port Index.
  3. The Syslog Format (if available) should be Default.
  4. The Syslog Facility (if available) should be Local Use 0.
  5. The Syslog ID should be the name of the firewall (it should be specific/different for each firewall).
  6. Please ensure that the syslog traffic source is the LAN IP of your firewall that was provided to MSS.


Step 2: Data Verification

Once complete, please reply to your engineer’s email with the following information so we can confirm that we are seeing logs coming in from your firewall and being processed correctly.

Device Details

  • The Name, IP Address, and Syslog Port of the firewall(s) sending syslogs.
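Before replying to your engineer, you can run a quick self-check on a few datagrams captured on the sensor side against the requirements in the Syslog Settings and firewall sections above: the sender address must be the firewall LAN IP that was provided to MSS, every record must carry a syslog <PRI> header and the key=value fields the SIEM parses, and each firewall should report its own Syslog ID. The following Python script is an added example, not code from this article, MSS or SonicWall. The sample datagrams (serial number, addresses, timestamps) and the REQUIRED_FIELDS list are constructed assumptions for illustration; the field names follow SonicWall's key=value syslog style shown in the image above.

```python
"""Self-check of forwarded firewall syslog against the requirements in this guide.

Added example, not MSS or SonicWall code. SAMPLE_DATAGRAMS are constructed for
illustration (made-up serial number, IPs and timestamps). Field names follow
SonicWall's key=value syslog style (id=, sn=, time=, fw=, pri=, c=, m=, msg=,
src=, dst=). REQUIRED_FIELDS is an assumption chosen for this example, not a
list published by MSS.
"""
import re
from typing import Dict, List, Tuple

# (IP the UDP datagram arrived from, raw syslog payload) -- constructed samples
SAMPLE_DATAGRAMS: List[Tuple[str, str]] = [
    ("192.168.10.1",
     '<134>id=firewall sn=0017C5XXXXXX time="2024-03-05 14:02:11 UTC" fw=203.0.113.10 '
     'pri=6 c=1024 m=98 msg="Connection Opened" n=451 src=192.168.10.55:51234:X0 '
     'dst=198.51.100.20:443:X1 proto=tcp/https'),
    ("192.168.10.1",
     '<134>id=firewall sn=0017C5XXXXXX time="2024-03-05 14:02:12 UTC" fw=203.0.113.10 '
     'pri=6 c=1024 m=537 msg="Connection Closed" src=192.168.10.55:51234:X0 '
     'dst=198.51.100.20:443:X1 sent=812 rcvd=4310'),
    # Arrived from the WAN address instead of the LAN IP that was given to MSS.
    ("203.0.113.10",
     '<133>id=firewall sn=0017C5XXXXXX time="2024-03-05 14:02:13 UTC" fw=203.0.113.10 '
     'pri=5 c=4 m=14 msg="Web site access denied"'),
    # Truncated record: fw=, pri= and msg= never made it into the payload.
    ("192.168.10.1",
     '<134>id=firewall sn=0017C5XXXXXX time="2024-03-05 14:02:14 UTC" m=98'),
]

# Fields the SIEM parser needs on every record (assumed list for this example).
REQUIRED_FIELDS = ["id", "sn", "time", "fw", "pri", "m", "msg"]

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {1: "user", **{16 + i: f"local{i}" for i in range(8)}}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value where the value is either a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(payload: str) -> Dict[str, str]:
    """Split one syslog payload into its <PRI> header and key=value fields.

    The decoded PRI is stored under _facility and _severity so it does not
    collide with SonicWall's own pri= field in the message body.
    """
    fields: Dict[str, str] = {}
    match = PRI_RE.match(payload)
    if match:
        pri = int(match.group(1))
        fields["_facility"] = FACILITY_NAMES.get(pri // 8, str(pri // 8))
        fields["_severity"] = SEVERITY_NAMES[pri % 8]
        payload = payload[match.end():]
    for key, value in KV_RE.findall(payload):
        fields[key] = value.strip('"')
    return fields


def verify_forwarding(datagrams, lan_ip, required=REQUIRED_FIELDS) -> List[str]:
    """Check each datagram against the guide's requirements; return the problems found.

    - the sender must be the firewall LAN IP that was provided to MSS
    - every record must carry a <PRI> header and the required key=value fields
    An empty list means all records passed.
    """
    problems: List[str] = []
    for i, (source_ip, payload) in enumerate(datagrams):
        rec = parse_record(payload)
        if source_ip != lan_ip:
            problems.append(f"record {i}: sent from {source_ip}, expected LAN IP {lan_ip}")
        if "_severity" not in rec:
            problems.append(f"record {i}: no <PRI> header, severity cannot be decoded")
        missing = [f for f in required if f not in rec]
        if missing:
            problems.append(f"record {i}: missing fields {missing}")
    return problems


def syslog_ids(datagrams) -> set:
    """Distinct Syslog IDs seen (SonicOS writes the Syslog ID setting into id=).
    With several firewalls forwarding, each should contribute its own value."""
    return {parse_record(p).get("id", "<none>") for _, p in datagrams}


if __name__ == "__main__":
    for problem in verify_forwarding(SAMPLE_DATAGRAMS, "192.168.10.1"):
        print(problem)
    print("syslog ids:", syslog_ids(SAMPLE_DATAGRAMS))
```

Run against the constructed samples, the script reports the third record as arriving from the WAN address and the fourth as missing fw=, pri= and msg=; the first two pass. To use it on real data, capture a handful of datagrams on the sensor (for example with a packet capture filtered to the syslog port from the SonicWall or Fortinet steps above) and feed the sender address and payload of each into verify_forwarding with the LAN IP you provided to MSS.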

Related Articles

  • SentinelOne (S1) MDR: Frequently Asked Questions (FAQs)
  • Avanan: IRaaS SOP
  • Infocyte: Exclusions