Submit a ticketCall us

AnnouncementsAre You “Flying Blind?”

When it comes to your complex IT infrastructure, you want to ensure you have a good grasp of what’s going on to avoid any fire drills that result from guesswork. Read our white paper to learn how proactively monitoring your IT environment can help your organization while giving you peace of mind.

Get your free white paper.

Home > Success Center > Log & Event Manager (LEM) > Log & Event Manager (LEM) Documentation > LEM Administrator Guide > Configure LEM to monitor firewalls for unauthorized access

Configure LEM to monitor firewalls for unauthorized access

Updated: September 15, 2017

Configure LEM Manager to monitor your firewalls and detect unauthorized access such as port scans, unusual data packets, network attacks, and unusual traffic patterns.

To set up a firewall monitor, configure your firewalls to log to LEM, and then configure a new connector in the LEM Manager. When an unauthorized user attempts to access your LEM VM or appliance, the event displays in the default Firewall filter running on the LEM console. You can also create custom filters that display network traffic to and from specific computers, as well as view web traffic and other traffic events across your network.

Configure a firewall to log to a LEM appliance

You can configure your LEM appliance to collect firewall information from firewalls manufactured by Cisco®, Check Point® Software Technologies, Juniper® Networks, and others. Set your firewall to log to LEM to centralize its log data with your LEM events. See the SolarWinds Success Center or contact Technical Support for more information.

Configure a firewall connector on a LEM Manager

After you configure your firewall to log to LEM , configure the corresponding connector on the LEM Manager. Many of the firewall connectors are similar, and some will include unique settings.

This example describes how to configure a Cisco ASA firewall and IOS connector on your LEM Manager.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log into the SolarWinds LEM Manager as an administrator.
  2. Click the Manage tab and select Appliances.
  3. Click button-gear(gray)_17x14.png next to the SolarWinds LEM Manager and select Connectors.
  4. In the Connector Configuration window, enter Cisco ASA in the search box.
  5. Click button-gear(gray)_17x14.png next to the Cisco ASA and IOS connector, and click New.
  6. Replace the Alias value with a descriptive connector alias.

    For example:

    ASA Firewall

    Include firewall in the Alias field to ensure the default Firewall filter captures your firewall data.

  7. Verify the Log File value matches the local facility defined in your firewall settings.
  8. Click Save.
  9. Click button-gear(gray)_17x14.png next to the new connector instance (indicated by an icon in the Status column) and select Start.
  10. Click Close to close the Connector Configuration window.

    The firewall connector is configured in the LEM console.

View network traffic from specific computers

You can create custom filters that highlight specific firewall events. For example, to monitor traffic from a specific computer, create a filter for all network traffic coming from the targeted computer. Use connector profiles and other groups to broaden or refine the scope of custom filters.

The following procedure provides an example of creating a filter to monitor all traffic from a targeted computer.

Use a Connector instead of a Text Constant to filter for all network traffic coming from a group of similar computers.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log into the SolarWinds LEM Manager as an administrator.
  2. Click the Monitor tab.
  3. In the Filters pane, click  button-plus(gray)_17x13.png and select New Filter.
  4. Enter a Name and Description for the filter.
  5. In the Filter Creation pane, click Event Groups and select Network Audit Alerts.
  6. In the Fields: Network Audit Alerts list, click and drag SourceMachine into the Conditions box.
  7. In the Constant field (highlighted with a pencil icon), enter a wild card character (*) to avoid entering the fully qualified domain name of the computer.
  8. Click Save.

Clone and enable a LEM rule to identify port scanning traffic

To identify suspicious firewall traffic indicative of port scanning, clone and enable the PortScans rule. This rule generates a default TCPPortScan event, which the SolarWinds LEM console displays in the default Security Events filter. Use this event to monitor suspicious network traffic and prevent unauthorized access to your firewall.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log into the SolarWinds LEM Manager as an administrator.
  2. Click the Build tab and select Rules.
  3. In the Refine Rules pane, enter:


  4. Click button-gear(gray)_17x14.png next to the rule and select Clone.
  5. Select the folder to store the cloned rule, and click OK.
  6. In the Rule Creation window, select Enable.
  7. (Optional) Tune the rule to match your environment.

    For example, you can:

    • Subscribe to the rule to track activity in the Subscriptions report.
    • Increase the number of events in the Correlation Time box to modify how frequently the rule fires.
    • Omit vulnerability scanners from the Correlations by changing the TCPTrafficAudit "exists" condition to

      TCPTrafficAudit .SourceMachine = Your Scanners

      where Your Scanners is a user-defined group, connector profile, or directory service group that represents the targeted group of computers.

    • Modify the default action or add additional actions to perform tasks such as send an email message or block an IP address.
  8. When completed, click Save.
  9. In the main Rules screen, click Activate Rules.
Last modified