
Monitor firewalls for unauthorized access

Created by Caroline Juszczak, last modified by Caroline Juszczak on Sep 06, 2016


Configure LEM manager to monitor your firewalls and detect unauthorized access such as port scans, unusual data packets, network attacks, and unusual traffic patterns.

To set up a firewall monitor, configure your firewalls to log to your LEM appliance, and then configure a new connector in the LEM manager. When an unauthorized user attempts to access your LEM appliance, the event displays in the default Firewall filter running on your LEM console. You can also create custom filters that display network traffic to and from specific computers, as well as view web traffic and other traffic events across your network.

Click the video icon to view a tutorial on the threat intelligence feed available in LEM.

Configure a firewall to log to a LEM appliance

You can configure your LEM appliance to collect firewall information from firewalls manufactured by Cisco®, Check Point® Software Technologies, and Juniper Networks. Set your firewall to log to your LEM appliance to centralize its log data with your LEM events.

See the SolarWinds Success Center or contact Technical Support for more information.

Configure a firewall connector on a LEM manager

After you configure your firewall to log to your LEM appliance, configure the corresponding connector on your SolarWinds LEM Manager. Many of the firewall connectors are similar, and some will include unique settings.

This example describes how to configure a Cisco PIX firewall and IOS connector on your LEM manager.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Click the Manage tab and select Appliances.
  3. Click the gear icon next to the SolarWinds LEM Manager and select Connectors.
  4. In the Connector Configuration window, enter Cisco PIX in the search box.
  5. Click the gear icon next to the Cisco PIX and IOS® connector, and click New.
  6. Replace the Alias value with a descriptive connector alias.

    For example:

    PIX Firewall

    Include firewall in the Alias field to ensure the default Firewall filter captures your firewall data.

  7. Verify the Log File value matches the local facility defined in your firewall settings.
  8. Click Save.
  9. Click the gear icon next to the new connector instance (indicated by an icon in the Status column) and select Start.
  10. Click Close to close the Connector Configuration window.

    The firewall connector is configured in the LEM console.

View network traffic from specific computers

You can create custom filters that highlight specific firewall events. For example, to monitor traffic from a specific computer, create a filter for all network traffic coming from the targeted computer. Use connector profiles and other groups to broaden or refine the scope of custom filters.

The following procedure provides an example of creating a filter to monitor all traffic from a targeted computer.

Use a Connector instead of a Text Constant to filter for all network traffic coming from a group of similar computers.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator or auditor.
  2. Click the Monitor tab.
  3. In the Filters pane, click the plus icon and select New Filter.
  4. Enter a Name and Description for the filter.
  5. In the Filter Creation pane, click Event Groups and select Network Audit Alerts.
  6. In the Fields: Network Audit Alerts list, click and drag SourceMachine into the Conditions box.
  7. In the Constant field (highlighted with a pencil icon), enter the computer name using a wildcard character (*) so you do not have to type its fully qualified domain name.
  8. Click Save.

Clone and enable a LEM rule to identify port scanning traffic

To identify suspicious firewall traffic indicative of port scanning, clone and enable the PortScans rule. This rule generates a default TCPPortScan event, which the SolarWinds LEM Console displays in the default Security Events filter. Use this event to monitor suspicious network traffic and prevent unauthorized access to your firewall.

  1. Open the SolarWinds LEM Console and log into the SolarWinds LEM Manager as an administrator.
  2. Click the Build tab and select Rules.
  3. In the Refine Rules pane, enter:

    PortScans

  4. Click the gear icon next to the rule and select Clone.
  5. Select the folder to store the cloned rule, and click OK.
  6. In the Rule Creation window, select Enable.
  7. (Optional) Tune the rule to match your environment.

    For example, you can:

    • Subscribe to the rule to track activity in the Subscriptions report.
    • Increase the number of events in the Correlation Time box to modify how frequently the rule fires.
    • Omit vulnerability scanners from the Correlations by changing the TCPTrafficAudit "exists" condition to

      TCPTrafficAudit.SourceMachine = Your Scanners

      where Your Scanners is a user-defined group, connector profile, or directory service group that represents the targeted group of computers.

    • Modify the default action or add additional actions to perform tasks such as send an email message or block an IP address.
  8. When completed, click Save.
  9. In the main Rules screen, click Activate Rules.
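The custom filter from the previous section (SourceMachine matched with a wildcard) and the cloned PortScans rule both reduce to two operations on normalized firewall events: match a source pattern, and count how many distinct destination ports one source touches inside a correlation window while leaving out an approved scanner group. The following Python script is an added example that illustrates that logic; it is not SolarWinds code and does not use the LEM API. The sample log lines are constructed for the example in the style of Cisco PIX/ASA "Deny tcp" messages, and the threshold and window defaults, the scanner group, and every field name other than SourceMachine (SourcePort, DestinationMachine, DestinationPort, EventName) are assumptions made here.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed sample lines in the style of Cisco PIX/ASA "Deny tcp" syslog messages.
# Written for this example, not captured from a device. The leading integer is a
# simplified timestamp in seconds.
SAMPLE_LOG = """\
10 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:192.168.1.10/22 by access-group "outside_in"
12 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51001 dst inside:192.168.1.10/23 by access-group "outside_in"
13 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51002 dst inside:192.168.1.10/25 by access-group "outside_in"
15 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51003 dst inside:192.168.1.10/80 by access-group "outside_in"
16 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51004 dst inside:192.168.1.10/443 by access-group "outside_in"
20 %PIX-4-106023: Deny tcp src outside:10.0.5.20/40000 dst inside:192.168.1.10/22 by access-group "outside_in"
21 %PIX-4-106023: Deny tcp src outside:10.0.5.20/40001 dst inside:192.168.1.10/23 by access-group "outside_in"
22 %PIX-4-106023: Deny tcp src outside:10.0.5.20/40002 dst inside:192.168.1.10/25 by access-group "outside_in"
23 %PIX-4-106023: Deny tcp src outside:10.0.5.20/40003 dst inside:192.168.1.10/80 by access-group "outside_in"
24 %PIX-4-106023: Deny tcp src outside:10.0.5.20/40004 dst inside:192.168.1.10/443 by access-group "outside_in"
30 %PIX-4-106023: Deny tcp src outside:198.51.100.7/3000 dst inside:192.168.1.20/445 by access-group "outside_in"
90 %PIX-4-106023: Deny tcp src outside:198.51.100.7/3001 dst inside:192.168.1.20/139 by access-group "outside_in"
"""

# Matches the constructed format above: timestamp, src iface:host/port, dst iface:host/port.
LINE_RE = re.compile(
    r"^(?P<ts>\d+) %PIX-\d-106023: Deny tcp "
    r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_pix_log(text):
    """Turn raw lines into event dicts. SourceMachine is the LEM field name the
    page uses; the other keys are hypothetical stand-ins for this example."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": int(m["ts"]),
                "SourceMachine": m["src"],
                "SourcePort": int(m["sport"]),
                "DestinationMachine": m["dst"],
                "DestinationPort": int(m["dport"]),
            })
    return events


def filter_by_source(events, pattern):
    """Stand-in for a custom filter with SourceMachine in its Conditions box.
    `pattern` is a shell-style wildcard, so "203.0.113.*" or "*" works."""
    return [ev for ev in events if fnmatch(ev["SourceMachine"], pattern)]


def detect_port_scans(events, threshold=5, window_seconds=60, scanner_group=frozenset()):
    """Flag any source that touches `threshold` distinct destination ports within
    `window_seconds`. Sources in scanner_group (the page's "Your Scanners" group)
    are dropped before correlation so authorized scanners never fire the rule."""
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["SourceMachine"] in scanner_group:
            continue
        by_source[ev["SourceMachine"]].append(ev)

    alerts = []
    for src, evs in by_source.items():
        start = 0
        port_counts = defaultdict(int)  # distinct ports currently inside the window
        for ev in evs:
            port_counts[ev["DestinationPort"]] += 1
            # slide the window start forward until it spans at most window_seconds
            while ev["ts"] - evs[start]["ts"] > window_seconds:
                old = evs[start]["DestinationPort"]
                port_counts[old] -= 1
                if port_counts[old] == 0:
                    del port_counts[old]
                start += 1
            if len(port_counts) >= threshold:
                alerts.append({
                    "EventName": "TCPPortScan",
                    "SourceMachine": src,
                    "DistinctPorts": sorted(port_counts),
                    "WindowStart": evs[start]["ts"],
                    "WindowEnd": ev["ts"],
                })
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    evs = parse_pix_log(SAMPLE_LOG)
    print(len(filter_by_source(evs, "203.0.113.*")), "events from 203.0.113.*")
    for alert in detect_port_scans(evs, scanner_group={"10.0.5.20"}):
        print(alert)
```

Run as-is, the script reports five events from 203.0.113.* and one TCPPortScan alert for 203.0.113.9: 10.0.5.20 probes the same five ports but sits in the scanner group, and 198.51.100.7 touches only two ports in its window, so neither fires. Raising `threshold` or shrinking `window_seconds` is the script's counterpart to editing the Correlation Time box in the cloned rule.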
