2. Tier 2 Firewall/Router Device Configuration

2.1. Cisco Network Router Syslog Configuration

2.1.1. Cisco IOS

  1. In order to ensure that logging is enabled, issue the logging on command.

Router(config)# logging on

  2. In order to specify the Essentials server that is to receive the router syslog messages, issue the logging ip_address command, where ip_address is the address of the server that collects the syslog messages.

Router(config)# logging 1.1.1.1

  3. In order to limit the types of messages that can be logged to the Essentials server, set the appropriate logging trap level with the logging trap informational command. The informational keyword signifies severity level 6. This means all messages from level 0-5 (from emergencies to notifications) are logged to the Essentials server.

Router(config)# logging trap informational

Valid logging facilities are local0 through local7. Valid levels are:

  • emergency

  • alert

  • critical

  • error

  • warning

  • notification

  • informational

  • debug

In order to verify that the device sends syslog messages, run the sh logging command.

You see all the syslog messages that are sent. If you do not see syslog messages, ensure that this is configured:

logging on
logging console debug
logging monitor debug
logging trap debug

2.1.2. Cisco Catalyst

  1. Ensure that logging is enabled with the set logging server enable command.

Catalyst> (enable) set logging server enable

  2. Specify the Essentials server that is to receive the syslog messages with the set logging server server_ip command, where server_ip is the IP address of the Essentials server.

Catalyst> (enable) set logging server 1.1.1.1

  3. Limit the types of messages logged to the Essentials server. Enter set logging server severity 6, where 6 signifies the informational severity level. This means that all messages from level 0-5 (from emergencies to notifications) are logged to the Essentials server.

Catalyst> (enable) set logging server severity 6

  4. In order to see if syslog messages are sent, use the sh logging buffer command.

You see syslog messages that are sent. If you experience problems with switches, try this configuration:

set logging level all 7 default
set logging server enable
set logging server 1.1.1.1   (replace with your UNIX syslog server IP address)
set logging server facility LOCAL7
set logging server severity 7

#syslog
set logging console enable
set logging server enable
set logging server 1.1.1.1
set logging level cdp 7 default
set logging level mcast 7 default
set logging level dtp 7 default
set logging level dvlan 7 default
set logging level earl 7 default
set logging level fddi 7 default
set logging level ip 7 default
set logging level pruning 7 default
set logging level snmp 7 default
set logging level spantree 7 default
set logging level sys 7 default
set logging level tac 7 default
set logging level tcp 7 default
set logging level telnet 7 default
set logging level tftp 7 default
set logging level vtp 7 default
set logging level vmps 7 default
set logging level kernel 7 default
set logging level filesys 7 default
set logging level drip 7 default
set logging level pagp 7 default
set logging level mgmt 7 default
set logging level mls 7 default
set logging level protfilt 7 default
set logging level security 7 default
set logging level radius 7 default
set logging level udld 7 default
set logging level gvrp 7 default
set logging server facility LOCAL7

Enter sh logging

You will see this output:

Logging buffer size: 500
timestamp option: enabled
Logging history size: 1
Logging console: enabled
Logging server: enabled
{1.1.1.1}
server facility: LOCAL7
server severity: debugging(7)
Current Logging Session: enabled

2.2. Juniper Network Router Remote Syslog Configuration

By default, messages directed to a remote machine retain the facility to which they belong on the local machine. In other words, the logging utility on the remote machine handles them in the same way as messages of that facility that are generated on the remote machine itself.

To direct system log messages to a remote machine, include the host statement at the [edit system syslog] hierarchy level:

[edit system syslog]
host hostname {
   facility level;
   facility-override facility;
   log-prefix string;
}

Specify the remote machine’s IP address or fully qualified hostname. The remote machine must be running either the standard syslogd utility or the JUNOS software, but we do not recommend directing messages to another router.

The JUNOS logging utility includes the following features to help you separate, aggregate, and label messages directed to a remote machine:

  • Assign an Alternate Facility

  • Prepend a Prefix

2.3. Check Point Network Firewall Device Configuration

Download fw1-loggrabber-1.11.1-linux.tar.gz <http://sourceforge.net/projects/fw1-loggrabber/files/fw1-loggrabber/1.11.1/fw1-loggrabber-1.11.1-linux.tar.gz/download> and opsec-tools.tar.gz <http://sourceforge.net/projects/fw1-loggrabber/files/opsec-tools/NG-FP3/>

fw1-loggrabber comes with an install script (INSTALL.sh).

2.3.1. Initial Installation

Run the install script with the default install directory of /usr/local/fw1-loggrabber:

user@host# ./INSTALL.sh

Additionally, the 32-bit runtime libraries are required, since this system is deployed on a 64-bit architecture:

user@host# yum install glibc.i686 pam.i686

2.3.2. Gateway Configuration (SSL CA Authentication)

  • On the SmartDashboard, create a host object for HAWK

  • Click Manage ‣ Servers ‣ Opsec Applications

  • Click New ‣ OPSEC Application

  • Name it (e.g., HAWK_opsec)

  • Select the HAWK network object from the drop-down menu

  • For Vendor select “User Defined”

  • Type in a name like “hawk”

  • Check off LEA in the client entities section

  • Click the Communication button

  • Enter a SIC password

  • Click OK and copy the DN string for later

2.3.3. Edit FW1-Loggrabber Configuration Files

  1. Open the opsec-tools folder (on the HAWK collection engine) and run the command inside:

./opsec_pull_cert -h <ip of checkpoint box> -n <object> -p <SIC password>

Note

The <object> is the name you gave the OPSEC application (e.g., HAWK_opsec).

  2. Copy the opsec.p12 file that was just retrieved into /usr/local/fw1-loggrabber/.

  3. There are two sample config files located at /usr/local/fw1-loggrabber/etc:

  • Rename them to fw1-loggrabber.conf and lea.conf.

  4. Edit fw1-loggrabber.conf and change the following:

LOGGING_CONFIGURATION=file
OUTPUT_FILE_PREFIX="/var/log/fw1"

Note

The output file automatically gets the .log extension appended.

  5. Edit lea.conf:

  • Change the server IP to the gateway’s IP.

  • Change opsec_sic_name to the DN string copied above.

  • Change lea_server opsec_entity_sic_name to the DN string shown in SmartDashboard at the bottom of the gateway node object.

  • Change opsec_sslca_file to point to the opsec.p12 file.

  6. Edit /etc/hosts:

  • Add an entry for the gateway so that the HAWK box can resolve it by name.

  7. Optionally edit the file $FWDIR/conf/opsec.conf (on the gateway); it contains a commented line for LEA that defines the LEA port. Uncomment it and issue a cprestart.

  8. Additionally, don’t forget to create a rule that allows HAWK access to the gateway on the FW1_lea service.

2.4. Cisco PIX/ASA/FWSM Network Firewall

Proactive monitoring of firewall logs is an integral part of a network administrator’s duties. The firewall syslogs are useful for forensics, network troubleshooting, security evaluation, worm and virus attack mitigation, and so on.

The configuration steps for enabling syslog messaging on a PIX are conceptually similar to those for IOS- or CatOS-based devices.

  1. Enter global configuration mode.

Pixfirewall# config terminal

  2. Specify that each syslog message should carry a timestamp value.

Pixfirewall(config)# logging timestamp

  3. Specify a syslog server that is to receive the messages sent from the Cisco PIX Firewall. You can use multiple logging host commands to specify additional servers, all of which receive the syslog messages. The protocol is UDP or TCP; however, a given server can be specified to receive either UDP or TCP, not both. A Cisco PIX Firewall only sends TCP syslog messages to the Cisco PIX Firewall Syslog Server.

Pixfirewall(config)# logging host [interface connected to syslog server] ip_address [protocol / port]

  4. Specify the syslog facility number. Instead of the facility name, the PIX uses a 2-digit number.

Pixfirewall(config)# logging facility facility

  5. Specify the syslog message level as a number or string. The level that you specify means that you want that level and all levels numerically below it. For example, if the level is 3, syslog sends level 0, 1, 2, and 3 messages. The recommended setting is level 6 (informational).

Pixfirewall(config)# logging trap 6

  6. Start sending syslog messages to all output locations.

Pixfirewall(config)# logging on

  7. Specify a message to be suppressed.

Pixfirewall(config)# no logging message <message id>

  8. Exit global configuration mode.

Pixfirewall(config)# exit
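As an added example (not from the original document), the following Python decodes the PRI field that these devices prepend to every forwarded syslog message, mapping it back to the facility (local0 through local7 are numbers 16 through 23, which is why the PIX logging facility command takes a 2-digit number) and to the severity names listed in 2.1.1, and shows which messages a given trap level forwards, as the PIX logging trap step describes. The sample messages are constructed, not captured from real devices.

```python
import re

# Added example (not from the original document). PRI = facility * 8 + severity;
# facilities 16-23 are local0-local7, which is why the PIX "logging facility"
# command takes a 2-digit number rather than a name.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "informational", "debug"]
LOCAL_FACILITIES = {16 + i: "local%d" % i for i in range(8)}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample messages in the form IOS, CatOS and PIX devices emit (not captured).
SAMPLE = [
    "<189>Jan  1 00:00:01 router1 %SYS-5-CONFIG_I: Configured from console",  # local7, 5
    "<166>Jan  1 00:00:02 pix1 %PIX-6-302013: Built outbound TCP connection",  # local4, 6
    "<191>Jan  1 00:00:03 router1 %SYS-7-USERLOG_DEBUG: debug text",           # local7, 7
]

def decode_pri(line):
    """Split the leading <PRI> into (facility_no, facility_name, severity_no, severity_name, body)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI field")
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    name = LOCAL_FACILITIES.get(facility, "facility%d" % facility)
    return facility, name, severity, SEVERITIES[severity], m.group(2)

def passes_trap_level(line, trap_level):
    """True when a device configured with this trap level would forward the message:
    'logging trap 6' on a PIX or 'logging trap informational' on IOS keeps severity <= 6."""
    return decode_pri(line)[2] <= trap_level

def summarize(lines, trap_level=6):
    """Count forwarded messages per facility and how many the trap level drops."""
    forwarded, dropped = {}, 0
    for line in lines:
        _, name, severity, _, _ = decode_pri(line)
        if severity <= trap_level:
            forwarded[name] = forwarded.get(name, 0) + 1
        else:
            dropped += 1
    return forwarded, dropped
```

Running summarize over a capture from the collector is a quick way to confirm that each device's facility and trap level arrived as configured before building alerts on the feed.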

2.5. SonicWall Network Firewall

To configure syslog on SonicWall appliances, follow these steps:

  1. Log in to the SonicWall device as admin.

  2. Go to Log ‣ Automation, scroll down to Syslog Servers.

  3. Click on Add.

  4. Specify the IP address of the Syslog server in the IP address field and click OK.

  5. After a couple of seconds, the Syslog server should show the logs from the firewall.

2.6. Watchguard Network Firewall Remote Syslog Configuration

Syslog is a log interface developed for UNIX but also used by a number of computer systems. From Policy Manager, you can configure your Firebox or XTM device to send log information to a syslog server. A Firebox or XTM device can send log messages to a WatchGuard Log Server and a syslog server at the same time, or send log messages to only one or the other. Syslog log messages are not encrypted. We recommend that you do not select a syslog host on the external interface.

2.6.1. Configuration

  1. Select Setup ‣ Logging. The Logging Setup dialog box appears.

  2. In the Syslog Server section, select the Send Log Messages to the Syslog server at this IP address check box.

  3. In the address text box, type the IP address of the syslog server.

  4. Click Configure. The Configure Syslog dialog box appears.

  5. To include the timestamp information from your Firebox or XTM device in the log message details, select the Include timestamp in Syslog message check box.

  6. To include the serial number of the Firebox or XTM device in the log message details, select the Include the serial number of Firebox in the Syslog messages check box.

  7. For each type of log message, select the syslog facility to which you want it assigned. If you select NONE, details for that message type are not sent to the syslog host. The syslog facility refers to one of the fields in the syslog packet and the file to which syslog sends a log message. You can use Local0 for high-priority syslog messages, such as alarms. You can use Local1 through Local7 to assign priorities for other types of log messages (lower numbers have greater priority). See your syslog documentation for more information on logging facilities.

  8. To discard your settings and restore the default syslog settings, click Restore Defaults.

  9. Click OK to close the Configure Syslog dialog box.

  10. Click OK to close the Logging Setup dialog box.

  11. Save the Configuration File.