Application Notes for ManageEngine Firewall Analyzer


  1. 1. Page 1 of 20 Application Notes for AdventNet ManageEngine® Firewall Analyzer version 5.0 – Build 5000 and 3Com® X5 Unified Security Platform TOS software version 3.0.0.2094
     Version: 1.2
     Date: March 27th, 2008
     Authors: Saravanakumar (AdventNet Inc.) and Joe Santos (3Com Corporation)
     Abstract: These application notes describe the configuration procedure required to allow testing of ManageEngine® Firewall Analyzer version 5.0 – Build 5000 with 3Com® X5 Unified Security Platform TOS software version 3.0.0.2094. Firewall Analyzer is a web based, agent-less, firewall log analysis and reporting software that monitors, collects, analyzes, archives, and generates reports on enterprise-wide Firewall, VPN, IDS, and Proxy servers.
     3Com Open Network™ Solutions Lab Application Notes
  2. 2. Page 2 of 20 Table of Contents
     Revision History (p. 3)
     References (p. 3)
     Objective (p. 4)
     AdventNet Company and Product Details (p. 4)
       AdventNet Overview (p. 6)
     Configuration Technical Details (p. 6)
       How it Works (p. 6)
     Hardware Revisions (p. 7)
     Software Revisions (p. 8)
     Installation Overview (p. 9)
     Network Topology (p. 10)
     Configuration Details (p. 12)
       X5 Configuration steps (p. 12)
       AdventNet Configuration Details (p. 17)
     Verification Tests (p. 18)
     Product Support (p. 19)
       3COM product support (p. 19)
       AdventNet Product Support (p. 19)
     Conclusion (p. 20)
  3. 3. Page 3 of 20 Revision History
     Revision  Date        Author         Reason for change
     1.0       04/20/2007  Saravanakumar  Initial Version
     1.1       04/24/2008  Joe Santos     Initial Reviewed
     1.2       04/27/2008  Joe Santos     Final Review
     References
     Date  Document Name  Revision  Company
  4. 4. Page 4 of 20 Objective
     To outline the configuration procedures required to test ManageEngine® Firewall Analyzer version 5.0 – Build 5000 with 3Com® X5 Unified Security Platform TOS software version 3.0.0.2094.
     AdventNet Company and Product Details
     • Technical Summary: http://www.fwanalyzer.com
     • Datasheet: http://manageengine.adventnet.com/products/firewall/firewall_analyzer.pdf
     • Features, Functions, and Benefits: http://www.fwanalyzer.com
  5. 5. Page 5 of 20
  6. 6. Page 6 of 20 AdventNet Overview
     Enabling Management Your Way™
     Founded in 1996, AdventNet is a software company with a broad portfolio of elegantly designed, affordable products and web services. AdventNet offerings span a spectrum of vertical areas, including network & systems management (ManageEngine.com), security (SecureCentral.com), collaboration, CRM & office productivity applications (Zoho.com), database search and migration (SQLOne.com), and test automation tools (QEngine.com). AdventNet has a large and rapidly growing global customer base and a presence in all the major markets. The company is based in Pleasanton, California with offices worldwide. Visit us at www.adventnet.com
     Configuration Technical Details
     ManageEngine Firewall Analyzer is a web based, agent-less, firewall log analysis and reporting software that monitors, collects, analyzes, archives, and generates reports on enterprise-wide firewalls, VPNs, IDS, and proxy servers (see supported devices). Firewall Analyzer helps network security administrators and MSSPs (Managed Security Service Providers) to monitor bandwidth usage, detect intrusions and anomalous behavior, audit traffic, and monitor employee web usage efficiently.
     How it Works
     3Com devices are configured to send syslog to the machine on which the Firewall Analyzer server is installed. Firewall Analyzer has a built-in syslog server that listens for syslog packets on ports 514 and 1514. After receiving the syslog, it normalizes and aggregates the data and displays reports on various parameters such as traffic, rule, attack and denied requests.
  7. 7. Page 7 of 20 Hardware Revisions
     The minimum hardware requirements for installing and working with Firewall Analyzer are given below.
     • 1GHz Pentium 4 processor or equivalent
     • 512 MB of RAM*
     • 1 GB of disk space*
     • Monitor that supports 1024x768 resolution
     Log Volume                   RAM     Hard disk required per month to store archived logs
     50/sec or 1.5 GB per day     512 MB  30 GB
     100/sec or 3 GB per day      1 GB    90 GB
     300/sec or 9 GB per day      2 GB    270 GB
     500/sec or 15 GB per day     2 GB    450 GB
     1000/sec or 30 GB per day    3 GB    900 GB
     2000/sec or 60 GB per day    4 GB    1.8 TB
     • A dedicated machine must be allocated to process more than 200 logs per second.
     • The number of firewalls has some effect on the RAM values above, so with more than 10 firewalls it is better to have more RAM than the suggested value.
     • Dual-core processors are needed to process more than 500 logs per second.
     • Quad-core processors are needed to process 2000 logs per second.
     • The Firewall Analyzer server and MySQL can be installed on separate machines when the log rate is high and the machines have less CPU capacity.
     • The hard disk figures above are per month; multiply them by the number of months you need to keep.
  8. 8. Page 8 of 20 Software Revisions
     AdventNet: http://manageengine.adventnet.com/products/firewall/download.html
     3Com: http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRTPX5-25-96&order=desc
  9. 9. Page 9 of 20 Installation Overview
     For Windows:
     • Download FirewallAnalyzer.exe and double-click it to install the build. Follow the simple instructions to install the build.
     • Select the directory in which it is to be installed, and check the service box if you want it to be installed as a Windows service.
     For Linux:
     • Download FirewallAnalyzer.bin and save it.
     • Execute chmod a+x FirewallAnalyzer.bin to give it executable permission.
     • Execute ./FirewallAnalyzer.bin to start the installation UI.
  10. 10. Page 10 of 20 Network Topology
     [Figures: Topology #1, Topology #2]
  11. 11. Page 11 of 20 [Figures: Topology #3, Topology #4]
  12. 12. Page 12 of 20 Configuration Details
     The following configuration details represent the configuration under test.
     X5 Configuration steps:
     High Level Configuration Steps
     1. Enable remote syslog on the X-Family device, and configure it with the information required to communicate with the AdventNet Server(s).
     2. Install the AdventNet Server and start it running.
     3. Open a web browser on a PC and log in to the AdventNet Server to see the current status of the Firewall Analyzer server.
     4. Wait for a while for the AdventNet Server to gather enough data to create meaningful statistical reports.
     X5 Remote SysLog Configuration
     To ensure that all the relevant syslog traffic is sent to the AdventNet Server, the X-Family device needs configuration on several pages of the LSM.
     1. Open an SHTTP session and browse to the X5 Web interface.
     2. Log in and navigate to “System> Configuration> Syslog Servers”.
     3. Configure all four logs to be sent to the AdventNet Server address.
     4. Click “Apply”.
  13. 13. Page 13 of 20
     5. Navigate to “IPS> Action Sets> Notification Contacts> Remote System Log” and complete the form as shown below.
     6. Click “Add to table below”.
     7. Click “Apply”.
     8. Navigate to “Firewall> Firewall Rules” and click “Create Firewall Rule”. Complete the form as shown below.
  14. 14. Page 14 of 20 Note that later versions of TOS do not have separate checkboxes for Enable local logging and Enable syslog logging – they just have a checkbox for Enable logging which enables both.
  15. 15. Page 15 of 20
     9. Click “Create”. A new rule will be created at the bottom of the table.
     10. Click “Create Firewall Rule”. Complete the form as shown below.
     11. Click “Create”. A new rule will be created at the bottom of the table.
     Please note that these last two rules must remain the last two rules in the Firewall Rule table. They replace two implicit “hidden” rules that are always present but do not support logging.
     12. Click the pencil icon next to the first rule in the Firewall Rule table. This will open the rule for editing, as in the example below.
  16. 16. Page 16 of 20
     13. Click the “Enable syslog logging” checkbox as shown, then click “Save”.
     14. Repeat steps 12 and 13 for every Firewall Rule until syslog logging is enabled on all of them.
  17. 17. Page 17 of 20 AdventNet Configuration Details
     Nothing needs to be configured. Start the product using the following steps.
     • If you installed Firewall Analyzer as a service, start that service; the Firewall Analyzer client opens in the browser.
     • If you did not install it as a service, click Start --> Programs --> ME Firewall Analyzer --> Firewall Analyzer, or execute <FWAHome>/bin/run.bat to start the Firewall Analyzer server.
     • On Linux, execute <FWAHome>/bin/run.sh to start the Firewall Analyzer server, or, if you installed it as a service, start the firewallanalyzer service.
     Automatic Discovery of 3Com device:
     • Start sending syslog to the Firewall Analyzer machine.
     • Firewall Analyzer should recognize these packets and generate initial reports.
     • Check the packet count icon in the top right corner of the Firewall Analyzer UI to verify that Firewall Analyzer is able to receive packets.
     Traffic Reports:
     • Go to Settings --> Intranet Settings to set the LAN network range.
     • Select Traffic Reports in the left side tree and check that the IPAddress, Sent and Received values are populated correctly.
     • Check that drilling down into the above reports works.
     • Check the Inbound/Outbound reports and the Intranet and Internet reports to verify that they show correct IPAddress and bytes values.
     Rules Reports:
     • Rules reports should be populated correctly with the appropriate rule name.
     VPN Reports:
     • VPN users with their attempts should be shown correctly.
     Security Reports:
     • Whenever there are denied/dropped connections, these reports should be populated. Higher severity events should also be populated here.
  18. 18. Page 18 of 20 Attack Reports:
     • Attacks identified by 3Com devices should be listed here. Check Top Attackers and the drill-down details of those reports.
     Live Reports:
     • Verify bandwidth utilization values here.
     Additional Firewalls:
     • Have more than one firewall send data to Firewall Analyzer and check that Firewall Analyzer correctly recognizes the second firewall too.
     Verification Tests
     • Automatic Discovery of 3Com Logs
     • Traffic Reports
     • Rules Report
     • VPN Reports
     • Security Reports
     • Attack Reports
     • Live Reports
     • Admin Reports
     • Multiple Firewall Discovery
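A receive-side check for the “Automatic Discovery” and “Additional Firewalls” steps above, added here as an example and not part of the original application notes: it listens where the built-in syslog server would and tallies datagrams per sending device, which shows whether each firewall is actually emitting syslog. It assumes syslog carried over UDP with the standard <PRI> prefix; the function names and the sample datagrams are constructed for illustration.

```python
import re
import socket
import sys
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"<(\d{1,3})>")  # syslog priority prefix, e.g. <134>

def parse_pri(datagram):
    """Return (facility, severity_name) for a '<PRI>...' datagram, else None."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:  # highest valid PRI is 23*8+7
        return None
    pri = int(m.group(1))
    return pri // 8, SEVERITIES[pri % 8]

def tally(datagrams):
    """Count well-formed syslog datagrams per source IP and severity."""
    per_source, malformed = {}, 0
    for src, payload in datagrams:
        parsed = parse_pri(payload)
        if parsed is None:
            malformed += 1  # something other than syslog is reaching the port
        else:
            per_source.setdefault(src, Counter())[parsed[1]] += 1
    return per_source, malformed

def listen(port, max_packets=200, timeout=30.0):
    """Collect (source_ip, payload) pairs from UDP datagrams sent to this host."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        try:
            while len(seen) < max_packets:
                payload, (src, _) = sock.recvfrom(8192)
                seen.append((src, payload))
        except socket.timeout:
            pass  # report whatever arrived within the window
    return seen

# Constructed sample: two devices (documentation addresses) and one stray datagram.
SAMPLE = [("192.0.2.10", b"<134>constructed allow"), ("192.0.2.10", b"<132>constructed block"),
          ("192.0.2.20", b"<134>constructed allow"), ("192.0.2.20", b"not syslog")]

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 1514
    per_source, malformed = tally(listen(port))
    print({src: dict(counts) for src, counts in sorted(per_source.items())})
    print("malformed datagrams:", malformed)
```

Stop Firewall Analyzer before running this on the same host, since its built-in syslog server already holds ports 514 and 1514; binding port 514 on Linux also requires root.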
  19. 19. Page 19 of 20 Product Support
     3COM product support:
     Main 3COM Support link: http://www.3com.com/products/en_US/support/index.html
     3COM X5 Unified Security Platform Product Link: http://www.3com.com/products/en_US/searchbyproduct.jsp?path=download&searchby=prodname&search=x5
     Asia Pacific
       Telephone: +65 6543 6645
       Fax: +65 6543 6518
       E-mail: ap_service@3com.com
     Europe, Middle East and Africa
       Telephone: +44 (0)1442 435529 (Option 4)
       Fax: +44 (0)1442 435811
       E-mail: focalpoint_services@3com.com
     North America and Latin America
       Telephone: 866-326-6222 (Option 3)
       Fax: 408-326-7140
       E-mail: ecso_contracts@3com.com
     AdventNet Product Support:
     Main AdventNet ManageEngine® Link: http://manageengine.adventnet.com/support.html
     AdventNet ManageEngine® Firewall Analyzer Support Link: http://manageengine.adventnet.com/products/firewall/support.html
     Support:
       US: +1 888 720 9500
       Intl: +1 925 924 9500
       support@fwanalyzer.com
  20. 20. Page 20 of 20 Conclusion
     These Application Notes describe the configuration steps required to configure AdventNet’s ManageEngine® Firewall Analyzer to collect firewall logs from the 3Com® X5 Unified Security Platform.
