Monitoring Firewalls


Alvaro Victoriano

Jul 17, 2019, 3:39:56 PM
to Wazuh mailing list

Hello

I would like to ask a question, please: what would be the best way to monitor a quantity of 100 firewalls remotely?

I have the listed types of firewalls which I am going to monitor:


Sonicwall
Cisco Meraki
CISCO
Fortinet
SONICWALL
SonicWall
Dell
MERAKI
Cyberoam
MikroTik
watch guard
Netgear


As I saw in your documentation, there are two methods:

1- Connecting by SSH, then configuring the folders to monitor in the manager (which I don't need, because I need the logs)
2- Configuring the firewall to send its logs to the manager

I would like to go with the second method, but I wanted to make sure with you:
* if the rules of Wazuh can analyze these kinds of firewalls?
* if it is possible to configure those firewalls to send their logs?

I am here to ask you what would be the best method to monitor 100 firewalls together, and whether it would involve implementing other tools, if there are any, to get the logs from the firewalls and then send them on to Wazuh.

Please suggest to me according to your experiences.

Thank you so much.





Eva Lopez

Jul 18, 2019, 4:20:01 AM
to Wazuh mailing list
Hello Alvaro,

Yes, I recommend that you configure the firewalls to send the logs to the manager. Wazuh must also be configured to receive these logs; this is done with the remote tag.
The only drawback is that the connection is not encrypted.

Unfortunately, we don't have rules for all the indicated firewalls. There are only rules for Fortinet, Sonicwall, and CISCO.
I don't think that's a problem; in case you want rules to detect a specific event, you can ask the Wazuh community.

Regards, Eva

Alvaro Victoriano

Jul 18, 2019, 5:48:58 PM
to Wazuh mailing list
Thank you so much, Eva.
I am going to check this.

Alvaro Victoriano

Jul 19, 2019, 10:57:27 AM
to Wazuh mailing list
Thank you again, Eva.
You are right, I have checked this again in another post with that configuration of yours and it's working.

Van Than Vu

Feb 23, 2021, 11:32:21 PM
to Wazuh mailing list
Dear Alvaro Victoriano,

Please allow me to ask you a question on this topic.

1- Is it possible to send the logs directly from Fortinet, Sonicwall, and CISCO to the Wazuh Manager (Fortinet/Cisco ==> Wazuh Manager) instead of Fortinet/Cisco => Syslog => Wazuh Manager? I'm asking because I have the Wazuh Manager and the Firewall/Cisco in two different locations. I can't send Fortinet/Cisco => Wazuh Manager directly through the internet on port 514 if syslog is without encryption.

Please could you share with me your idea or let me know a solution to resolve this problem?

Regards,

mauro.e...@wazuh.com

Feb 24, 2021, 3:52:51 AM
to Wazuh mailing list
Hi,

Unfortunately, Wazuh does not provide encryption on the socket being used to ingest syslog messages directly. My recommendation, if you can't/don't want to use a local file to store syslog messages forwarded by an encrypted method, is to set up a third-party application to work as a proxy and forward messages to the manager.

As far as I can tell, you could use something like stunnel to directly encrypt the connection between your firewalls and the Wazuh manager.

Another possibility would be to configure rsyslog to use encrypted sockets and have it forward messages to a local unix socket instead of logging to a file. You can then use a <socket> stanza on your manager to ingest logs from it directly.

Hope this helps with your problem!

Best regards,
Mauro.

Van Than Vu

Feb 24, 2021, 9:54:01 PM
to mauro.e...@wazuh.com, Wazuh mailing list
Hi Mauro,

Thank you for your reply,

One more question, if you can help clarify. As far as I know from a few topics, with network device ==> Syslog ==> Wazuh Manager,

https://groups.google.com/g/wazuh/c/YcorESRruRs/m/x7nnxyJ3BgAJ

1- We only saw the predecoder.hostname field containing the hostname of the network device correctly.

2- The agent.name field is the name of the Wazuh manager.

I saw one solution here, but from my point of view it uses too many resources that are not needed.

" you may need to redirect the logs to each agent (using a syslog server on each agent which need to receive logs) and then use localfile to forward them to the manager."

How can I map predecoder.hostname of the network device <==> agent.name with another solution?

Regards, 



--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/FIx4IA7nNwA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/71734fb1-7e97-437d-a599-fe99631d1f15n%40googlegroups.com.

mauro.e...@wazuh.com

Feb 25, 2021, 5:22:42 AM
to Wazuh mailing list
Hi again,

The thing is, since network devices are not Wazuh agents, the agent.name field will correspond to the name of the agent that collected the log (in your case, the manager). If you need to create custom rules or decoders for your network devices, I would try to avoid using the agent.name field and use the hostname directly. If on the other hand you are trying to forward email alerts like the example you provided, I would focus on using the <event_location> or <group> tags on granular email alerts.

In my opinion, your best bet would be to create rules that expand on existing ones and group network devices together according to criteria of your own. You can read more on how to create custom rules in the following links:


Best regards,
Mauro.
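As an added illustration of the approach in Mauro's reply (example configuration written for this thread, not Wazuh's own ruleset and not from any of the posts), the fragment below puts the grouping into /var/ossec/etc/rules/local_rules.xml and then routes the resulting alerts by email from ossec.conf, keyed on the custom group and on the event location rather than on agent.name. The rule ids 100100 and 100101, the parent group name fortigate, the hostname prefixes fw-branch- and fw-dc-, the recipients and the 10.0.0.1 address are all assumptions to be replaced with your own values.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example). Ids from 100000 upward are
     reserved for custom rules; 100100/100101 are assumed to be free on your manager. -->
<group name="local,firewall,">

  <!-- Child of the existing Fortinet rules (the parent group name "fortigate" is an
       assumption). <hostname> is matched against the syslog header of the event,
       which is the firewall itself; agent.name would always be the manager that
       received the syslog message, so it is not used here. -->
  <rule id="100100" level="3">
    <if_group>fortigate</if_group>
    <hostname>^fw-branch-</hostname>
    <description>Branch firewall event (Fortinet)</description>
    <group>branch_firewalls,</group>
  </rule>

  <!-- Same idea for the data-centre firewalls, keyed on another hostname prefix. -->
  <rule id="100101" level="3">
    <if_group>fortigate</if_group>
    <hostname>^fw-dc-</hostname>
    <description>Data-centre firewall event (Fortinet)</description>
    <group>dc_firewalls,</group>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf (added example): granular email alerts that select on
     the custom group above and on the event location, as Mauro suggests. -->
<ossec_config>

  <!-- Everything tagged branch_firewalls at level 7 or higher goes to the branch NOC. -->
  <email_alerts>
    <email_to>branch-noc@example.com</email_to>
    <group>branch_firewalls</group>
    <level>7</level>
    <do_not_delay />
  </email_alerts>

  <!-- event_location matches where the event came from; for a syslog source that is
       the sender, so a single device can be routed by its address (10.0.0.1 is assumed). -->
  <email_alerts>
    <email_to>dc-noc@example.com</email_to>
    <event_location>10.0.0.1</event_location>
    <level>7</level>
  </email_alerts>

</ossec_config>
```

Email delivery additionally needs <email_notification>yes</email_notification> and the SMTP settings under <global>. After restarting the manager, feed a captured firewall line to /var/ossec/bin/wazuh-logtest (ossec-logtest on older releases) to confirm that the custom rule fires and that the alert carries the branch_firewalls or dc_firewalls group before relying on it for routing.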

Allex

Oct 5, 2022, 2:15:19 PM
to Wazuh mailing list
Hi guys,

About WatchGuard Firebox decoder and rule, I found this:



The decoder developer is in need of feedback. Let's help you with this.


Best regards,

Allex.

Mohamed Ansarullah

Oct 15, 2022, 5:59:55 PM
to Wazuh mailing list
Hi,

I installed Wazuh through the OVA template on VMware and the server is up and running in a DMZ zone, with the necessary firewall rules. I have installed the agent on a Windows server (LAN zone) and it's showing on Wazuh, but the firewall logs are not showing up. I configured the remote tag (/var/ossec/etc/ossec.conf) and enabled syslog on the firewall to send the logs to the Wazuh server. I restarted the services but the logs are still not getting there. I checked the rules and everything seems fine, but still the firewall logs are not showing. Am I missing anything?

Thanks

Arun Pandiyan

Oct 16, 2022, 12:21:31 AM
to Mohamed Ansarullah, Wazuh mailing list
Mohamed,

You need to add the firewall IP address in the remote container as <allowed-ips>.

And confirm the protocol you are using on the server to receive syslog, which is available in the <remote> container.


Thanks and Regards

Arun Pandiyan P

Sent from my iPhone

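Pulling together Eva's remote tag, Mauro's two relay options and Arun's allowed-ips check, the manager-side ossec.conf fragment below is an example added for this thread (not from any post and not Wazuh documentation). The addresses 192.168.10.1 and 192.168.20.0/24, the loopback port 5514 and the path /var/log/firewalls/remote.log are assumptions; the stunnel and rsyslog configuration on the relay side is not shown.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (added example). Addresses, ports and
     the file path are assumptions; replace them with your own. -->
<ossec_config>

  <!-- 1. Direct, unencrypted syslog from firewalls on a trusted network (Eva's second
       method). Each sender must be covered by an allowed-ips entry and the protocol
       must match what the firewall sends; otherwise remoted discards the event and
       writes a "Message from '<ip>' not allowed" warning to /var/ossec/logs/ossec.log,
       which is the first place to look for the symptom Mohamed describes. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.168.10.1</allowed-ips>      <!-- a single firewall -->
    <allowed-ips>192.168.20.0/24</allowed-ips>   <!-- or a management subnet -->
  </remote>

  <!-- 2a. Encrypted path, stunnel variant: firewalls send plaintext syslog to a nearby
       stunnel client; an stunnel server on the manager terminates TLS and connects to
       this listener over TCP. Binding to loopback keeps the plaintext hop off the wire. -->
  <remote>
    <connection>syslog</connection>
    <port>5514</port>
    <protocol>tcp</protocol>
    <local_ip>127.0.0.1</local_ip>
    <allowed-ips>127.0.0.1</allowed-ips>
  </remote>

  <!-- 2b. Encrypted path, rsyslog variant: an rsyslog receiver on the manager accepts
       TLS syslog from the remote sites and writes it to a file that logcollector reads.
       Provided rsyslog's file template keeps the syslog header, predecoder.hostname is
       still the firewall, while agent.name remains the manager as Mauro explains. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/firewalls/remote.log</location>
  </localfile>

</ossec_config>
```

After restarting the manager, a quick end-to-end check from a host covered by allowed-ips is `logger -n <manager-ip> -P 514 -d "test from firewall relay"`; with <logall>yes</logall> under <global>, the line should appear in /var/ossec/logs/archives/archives.log even when no rule matches it, which separates a delivery problem from a ruleset problem.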