
Barracuda Web Application Firewall

The document provides information about configuring FortiSIEM to integrate with a Barracuda Web Application Firewall. It describes what is discovered and monitored via syslog, including system logs and firewall logs. It also provides the configuration steps to configure syslog on the Barracuda WAF, including defining the syslog server and options. Sample syslog events that would be sent to FortiSIEM are shown.

Uploaded by

Mohammad Ali

Barracuda Web Application Firewall

FortiSIEM Support Added: 6.3.2


Vendor: Barracuda
Product Information: https://www.barracuda.com/products/webapplicationfirewall
⚫ What is Discovered and Monitored

⚫ Configuration

⚫ Sample Events

What is Discovered and Monitored


The following protocols are used to discover and monitor various aspects of Barracuda Web Application Firewall (WAF).

| Protocol | Metrics Collected | Used For |
| --- | --- | --- |
| Syslog | System logs, Web Firewall logs, Access logs, Audit logs and Network Firewall logs | Security and Compliance |

Configuration
To configure syslog from your Barracuda WAF, take the following steps:
FortiSIEM 7.0.2 External Systems Configuration Guide 537
Fortinet Inc.
Load Balancers and Application Firewalls
1. Navigate to Advanced > Export Logs > Syslog.
2. Configure the following fields in the table.

| Field | Description |
| --- | --- |
| Name | Enter the name of the syslog server. |
| Syslog Server | Enter the IP address of the syslog server. |
| Log Time Stamp | Select "Yes" to log the date and time of system events. |
| Log Unit Name | Select "Yes" to log the name of the Barracuda Web Application Firewall unit. The unit name is the same as the Default Host name located on the BASIC > IP Configuration page. |
| Comment | Enter any comments about the syslog server. |
| Select appropriate facility | Leave as Local7 or default option. |

3. When done, click Add to add the settings.
Sample Events
<134>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.163 -0600 nlb_lab NF INFO TCP 192.0.2.105 443 ALLOW traffic:allow
<132>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.550 -0600 nlb_lab WF WARN UNRECOGNIZED_COOKIE 98.98.98.22 51415 192.0.2.110 443 global GLOBAL LOG NONE [Cookie\="_derived_epik" Service-created\="1565 days back" Reason\="No valid encrypted pair"] GET test.example.com/random_page TLSv1.2 "-" "Mozilla/5.0 (Linux; Android 11; SAMSUNG SM-G991U) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/15.0 Chrome/90.0.4430.210 Mobile Safari/537.36" 98.98.98.22 51415 "-" https://test.example.com/
<134>Sep 1 13:10:11 nlb_lab 2021-09-01 13:10:11.342 -0600 nlb_lab TR 192.0.2.105 443 192.0.2.134 53619 "-" "-" POST TLSv1.2 test.example.com HTTP/1.1 200 736974 439 0 104 10.20.20.102 443 103 "-" SERVER DEFAULT PASSIVE VALID /json/reply/TicketingEventsGetAvailableByEventTypeName "-" "-" "-" "ServiceStack .NET Client 5.40" 192.0.2.134 53619 "-" "-" "-" "-"
Brocade ServerIron ADX
⚫ What is Discovered and Monitored
⚫ Event Types
⚫ Rules
⚫ Reports
⚫ Configuration
⚫ Settings for Access Credentials
What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| SNMP | Host name, serial number, hardware (CPU, memory, network interface etc) | Uptime, CPU, Memory, Interface Utilization, Hardware status, Real Server Statistics | Performance/Availability Monitoring |

Event Types
⚫ PH_DEV_MON_SYS_CPU_UTIL
[PH_DEV_MON_SYS_CPU_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=434,[cpuName]=CPU,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[cpuUtil]=55.000000,[pollIntv]=176,[phLogDetail]=
⚫ PH_DEV_MON_SYS_MEM_UTIL
[PH_DEV_MON_SYS_MEM_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=456,[memName]=Physical Memory,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[memUtil]=10.000000,[pollIntv]=176,[phLogDetail]=
⚫ PH_DEV_MON_NET_INTF_UTIL
[PH_DEV_MON_NET_INTF_UTIL]:[eventSeverity]=PHL_INFO,[fileName]=phIntfFilter.cpp,[lineNumber]=323,[intfName]=GigabitEthernet8,[intfAlias]=,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[pollIntv]=56,[recvBytes64]=1000000,[recvBitsPerSec]=142857.142857,[inIntfUtil]=0.014286,[sentBytes64]=2000000,[sentBitsPerSec]=285714.285714,[outIntfUtil]=0.028571,[recvPkts64]=0,[sentPkts64]=0,[inIntfPktErr]=0,[inIntfPktErrPct]=0.000000,[outIntfPktErr]=0,[outIntfPktErrPct]=0.000000,[inIntfPktDiscarded]=0,[inIntfPktDiscardedPct]=0.000000,[outIntfPktDiscarded]=0,[outIntfPktDiscardedPct]=0.000000,[outQLen64]=0,[intfInSpeed64]=1000000000,[intfOutSpeed64]=1000000000,[intfAdminStatus]=up,[intfOperStatus]=up,[daysSinceLastUse]=0,[totIntfPktErr]=0,[totBitsPerSec]=428571.428571,[phLogDetail]=
⚫ PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT
[PH_DEV_MON_SERVERIRON_REAL_SERVER_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=507,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[realServerIpAddr]=192.0.2.131,[realServerState]=7,[failedPortExists]=2,[openConnectionsCount]=2,[peakConns]=114,[activeSessions]=4,[phLogDetail]=
⚫ PH_DEV_MON_HW_STATUS
[PH_DEV_MON_HW_STATUS]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=359,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[hwStatusCode]=2,[hwPowerSupplyStatus]=0,[hwTempSensorStatus]=2,[hwFanStatus]=0,[phLogDetail]=
[PH_DEV_MON_HW_STATUS_TEMP_CRIT]:[eventSeverity]=PHL_CRITICAL,[fileName]=device.cpp,[lineNumber]=13812,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[hwStatusCode]=2,[hwComponentName]=1-Temperature sensor,[hwComponentStatus]=Critical,[phLogDetail]=
⚫ PH_DEV_MON_HW_TEMP
[PH_DEV_MON_HW_TEMP]:[eventSeverity]=PHL_INFO,[fileName]=deviceBrocadeServerIron.cpp,[lineNumber]=401,[hostName]=lb1-1008-qts,[hostIpAddr]=192.0.2.15,[hwComponentName]=Temp1,[envTempDegF]=90,[phLogDetail]=
Rules
There are no predefined rules for this device other than those covered by generic network devices.
Reports
There are no predefined reports for this device other than those covered by generic network devices.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your device.

| Setting | Value |
| --- | --- |
| Name | <set name> |
| Device Type | Brocade ServerIron ADX |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |

Citrix Netscaler Application Delivery Controller (ADC)
⚫ What is Discovered and Monitored
⚫ Event Types
⚫ Rules
⚫ Reports
⚫ Configuration
⚫ Example Syslog
⚫ Settings for Access Credentials
What is Discovered and Monitored

| Protocol | Information discovered | Metrics/Logs collected | Used for |
| --- | --- | --- | --- |
| Syslog | | Permitted and Denied traffic | Log analysis and compliance |

Event Types
In ADMIN > Device Support > Event Types, search for "netscaler" to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCES > Reports, search for "netscaler" in the main content panel Search... field to see the reports associated with this device.
Configuration
Syslog
FortiSIEM processes events from this device via syslog sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
⚫ For Syslog Server, or the server where the syslog should be sent, enter the IP address of your FortiSIEM virtual appliance.
⚫ For Port, enter 514.
⚫ The syslog format should be the same as that shown in the example.
Example Syslog
<182> 07/25/2012:19:56:41 PPE-0 : UI CMD_EXECUTED 473128 : User nsroot - Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"
<181> 07/25/2012:19:56:05 NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State UP
<181> 07/25/2012:19:55:35 NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device "server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State DOWN
<182> 07/24/2012:15:37:08 PPE-0 : EVENT MONITORDOWN 472795 : Monitor Monitor_http_of_Domapps:80(10.50.15.14:80) - State DOWN
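
The guide asks that the syslog format match the example above. As an added example (not FortiSIEM's parser and not Citrix code), the Python below checks lines against that layout, with the header pattern inferred from the samples, and extracts the user, remote address, command and status from CMD_EXECUTED messages for review of administrative activity. The sample list is constructed from the messages above plus one deliberately non-matching line, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed input: two of the sample messages above with wrapped lines
# re-joined, plus one line that is not in the expected layout.
SAMPLES = [
    '<182> 07/25/2012:19:56:41 PPE-0 : UI CMD_EXECUTED 473128 : User nsroot - '
    'Remote_ip 10.13.8.75 - Command "show ns hostName" - Status "Success"',
    '<181> 07/25/2012:19:56:05 NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device '
    '"server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)" - State UP',
    "<181>Jul 25 19:55:35 NS2-MAIL some other syslog layout",
]

# Header layout inferred from the samples; the host name is optional.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})> (?P<ts>\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d) "
    r"(?:(?P<host>\S+) )?PPE-\d+ : (?P<feature>\S+) (?P<msg_type>\S+) "
    r"(?P<seq>\d+) : (?P<text>.*)$"
)
COMMAND = re.compile(
    r'^User (?P<user>\S+) - Remote_ip (?P<remote_ip>\S+) - '
    r'Command "(?P<command>.*)" - Status "(?P<status>[^"]*)"$'
)

def parse_netscaler(line):
    """Return the parsed fields, or None if the line is not in the sample layout."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["seq"] = int(event["seq"])
    event["ts"] = datetime.strptime(event["ts"], "%m/%d/%Y:%H:%M:%S")
    if event["msg_type"] == "CMD_EXECUTED":
        cmd = COMMAND.match(event["text"])
        event["audit"] = cmd.groupdict() if cmd else None
    return event

def triage(lines):
    """Split lines into admin-command audit records and lines that did not parse."""
    audit, unparsed = [], []
    for line in lines:
        event = parse_netscaler(line)
        if event is None:
            unparsed.append(line)
        elif event.get("audit"):
            audit.append(event["audit"])
    return audit, unparsed
```

Lines returned in the second list are the ones to compare against the example format before relying on the collector to parse them.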
Settings for Access Credentials
Use these Access Method Definition settings to allow FortiSIEM to access your device.

| Setting | Value |
| --- | --- |
| Name | <set name> |
| Device Type | Citrix NetScalar |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |