Application Notes for ManageEngine Firewall Analyzer

3Com Open Network™ Solutions Lab Application Notes

Application Notes for AdventNet ManageEngine® Firewall Analyzer version 5.0 – Build 5000 and 3Com® X5 Unified Security Platform TOS software version 3.0.0.2094

Version: 1.2
Date: March 27th, 2008
Authors: Saravanakumar (AdventNet Inc.) and Joe Santos (3Com Corporation)

Abstract: These application notes describe the configuration procedure required to allow testing of ManageEngine® Firewall Analyzer version 5.0 – Build 5000 with 3Com® X5 Unified Security Platform TOS software version 3.0.0.2094. Firewall Analyzer is a web based, agent-less, firewall log analysis and reporting software that monitors, collects, analyzes, archives, and generates reports on enterprise-wide Firewall, VPN, IDS, and Proxy servers.



Table of Contents

Revision History
References
Objective
AdventNet Company and Product Details
    AdventNet Overview
Configuration Technical Details
    How it Works
Hardware Revisions
Software Revisions
Installation Overview
Network Topology
Configuration Details
    X5 Configuration steps
    AdventNet Configuration Details
Verification Tests
Product Support
    3COM product support
    AdventNet Product Support
Conclusion


Revision History

Revision    Date          Author           Reason for change
1.0         04/20/2007    Saravanakumar    Initial Version
1.1         04/24/2008    Joe Santos       Initial Reviewed
1.2         04/27/2008    Joe Santos       Final Review

References

Date    Document Name    Revision    Company


Objective

To outline the configuration procedures required to test ManageEngine® Firewall Analyzer version 5.0 – Build 5000 with 3Com® X5 Unified Security Platform TOS software version 3.0.0.2094.

AdventNet Company and Product Details

• Technical Summary http://www.fwanalyzer.com

• Datasheet http://manageengine.adventnet.com/products/firewall/firewall_analyzer.pdf

• Features, Functions, and Benefits http://www.fwanalyzer.com


AdventNet Overview

Enabling Management Your Way™

Founded in 1996, AdventNet is a software company with a broad portfolio of elegantly designed, affordable products and web services. AdventNet offerings span a spectrum of vertical areas, including network & systems management (ManageEngine.com), security (SecureCentral.com), collaboration, CRM & office productivity applications (Zoho.com), database search and migration (SQLOne.com), and test automation tools (QEngine.com). AdventNet has a large and rapidly growing global customer base, and has a presence in all the major markets. The company is based in Pleasanton, California with offices worldwide. Visit us at www.adventnet.com

Configuration Technical Details

ManageEngine Firewall Analyzer is a web based, agent-less, firewall log analysis and reporting software that monitors, collects, analyzes, archives, and generates reports on enterprise-wide firewalls, VPNs, IDS, and proxy servers (see supported devices). Firewall Analyzer helps network security administrators and MSSPs (Managed Security Service Providers) to monitor bandwidth usage, detect intrusions and anomalous behavior, audit traffic, and monitor employee web usage efficiently.

How it Works

3Com devices are configured to send syslog messages to the machine on which the Firewall Analyzer server is installed. Firewall Analyzer has a built-in syslog server that listens for syslog packets on ports 514 and 1514. After receiving the syslog messages, it normalizes and aggregates them, and displays reports on various parameters such as traffic, rule, attack and denied requests.
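
The receive, decode and aggregate flow described above, as an added example (not AdventNet's code and not part of the original notes). It assumes syslog arrives over UDP with the RFC 3164 `<PRI>` prefix; the sample datagrams, host names and addresses are constructed and do not reproduce the X5 log format.

```python
import re
import socket
from collections import Counter, defaultdict

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(datagram):
    """Return (facility, severity name) from the <PRI> prefix, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    return pri >> 3, SEVERITIES[pri & 7]

def summarize(packets):
    """Aggregate (source_ip, datagram) pairs into per-device severity counts."""
    report = defaultdict(Counter)
    for src, data in packets:
        decoded = decode_pri(data)
        report[src]["malformed" if decoded is None else decoded[1]] += 1
    return {src: dict(counts) for src, counts in report.items()}

def listen(port=1514, count=100, timeout=30.0):
    """Collect up to `count` UDP datagrams (UDP is an assumption; 514 needs elevated rights)."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        try:
            while len(packets) < count:
                data, (src, _) = s.recvfrom(8192)
                packets.append((src, data))
        except socket.timeout:
            pass  # stop quietly once the sender has gone silent
    return packets

# Constructed sample datagrams (documentation addresses; NOT the real X5 log format).
SAMPLE = [
    ("192.0.2.1", b"<134>Mar 27 10:00:01 fw1 constructed: session allowed"),
    ("192.0.2.1", b"<132>Mar 27 10:00:02 fw1 constructed: session blocked"),
    ("192.0.2.2", b"<129>Mar 27 10:00:03 fw2 constructed: attack signature matched"),
    ("192.0.2.2", b"no priority header"),
]

if __name__ == "__main__":
    for device, counts in summarize(SAMPLE).items():
        print(device, counts)
```

`listen()` needs the port to be free, so run it before the Firewall Analyzer server is started or on a separate test host, then pass its result to `summarize()` to confirm that every firewall is actually sending.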


Hardware Revisions

The minimum hardware requirements for installing and working with Firewall Analyzer are given below.

• 1GHz Pentium 4 processor or equivalent
• 512 MB of RAM*
• 1 GB of disk space*
• Monitor that supports 1024x768 resolution

Log Volume                     RAM       Hard disk required per month to store archived logs
50/sec or 1.5 GB per day       512 MB    30 GB
100/sec or 3 GB per day        1 GB      90 GB
300/sec or 9 GB per day        2 GB      270 GB
500/sec or 15 GB per day       2 GB      450 GB
1000/sec or 30 GB per day      3 GB      900 GB
2000/sec or 60 GB per day      4 GB      1.8 TB

• A dedicated machine has to be allocated to process more than 200 logs per second.
• The number of firewalls has some effect on the above RAM values, so it is better to have more RAM than the suggested value when there are more than 10 firewalls.
• Dual core processors are needed to process more than 500 logs per second.
• Quad processors are needed to process 2000 logs per second.
• The Firewall Analyzer server and MySQL can be installed on separate machines in case of a higher log rate with lower-CPU machines.
• The hard disk space above is required per month; multiply it by the number of months based on your requirement.


Software Revisions

AdventNet
http://manageengine.adventnet.com/products/firewall/download.html

3Com
http://www.3com.com/products/en_US/result.jsp?selected=6&sort=effdt&sku=3CRTPX5-25-96&order=desc


Installation Overview

For Windows:

• Download FirewallAnalyzer.exe and double click to install the build. Follow the simple instructions to install the build.
• Select the directory in which it has to be installed, and check the service box if you want it to be installed as a Windows service.

For Linux:

• Download FirewallAnalyzer.bin and save.
• Execute chmod a+x FirewallAnalyzer.bin to give executable permission.
• Execute ./FirewallAnalyzer.bin to start the installation UI.


Network Topology

Topology #1

Topology #2


Topology #3

Topology #4


Configuration Details

The following configuration details represent the configuration under test.

X5 Configuration steps:

High Level Configuration Steps

1. Enable remote syslog on the X-Family device, and configure it with the information required to communicate with the AdventNet Server(s).
2. Install the AdventNet Server and start it running.
3. Open a web browser on a PC and log in to the AdventNet Server to see the current status of the Firewall Analyzer server.
4. Wait for a while for the AdventNet server to gather enough data to create meaningful statistical reports.

X5 Remote SysLog Configuration

To ensure that all the relevant syslog traffic is sent to the AdventNet Server, the X-family device needs configuration on several pages of the LSM.

1. Open a SHTTP session and browse to the X5 Web interface.
2. Log in and navigate to “System> Configuration> Syslog Servers”.
3. Configure all four logs to be sent to the AdventNet Server address.
4. Click “Apply”.


5. Navigate to IPS> Action Sets> NotificationContacts> Remote System Log and complete the form as shown below.
6. Click “Add to table below”.
7. Click “Apply”.
8. Navigate to “Firewall> Firewall Rules” and click “Create Firewall Rule”. Complete the form as shown below.


Note that later versions of TOS do not have separate checkboxes for Enable local logging and Enable syslog logging – they just have a checkbox for Enable logging which enables both.


9. Click “Create”. A new rule will be created at the bottom of the table.
10. Click “Create Firewall Rule”. Complete the form as shown below.
11. Click “Create”. A new rule will be created at the bottom of the table. Please note that these last two rules must remain the last two rules in the Firewall Rule table. They replace two implicit “hidden” rules that are always present but do not support logging.
12. Click the pencil icon next to the first rule in the Firewall Rule table. This will open the rule for edit, as in the example below.


13. Click the “Enable syslog logging” checkbox as shown, then click “Save”.
14. Repeat steps 12 and 13 for every Firewall Rule until syslog logging is enabled on all of them.


AdventNet Configuration Details

Nothing needs to be configured. The product has to be started through the following steps.

• If you have installed Firewall Analyzer as a service, start that service; the Firewall Analyzer client opens in the browser.
• If you have not installed it as a service, click Start --> Programs --> ME Firewall Analyzer --> Firewall Analyzer, or execute <FWAHome>/bin/run.bat to start the Firewall Analyzer server.
• On Linux, execute <FWAHome>/bin/run.sh to start the Firewall Analyzer server or, if you have installed it as a service, start the firewallanalyzer service.

Automatic Discovery of 3Com device:

• Start sending syslog to the Firewall Analyzer machine.
• Firewall Analyzer should recognize these packets and should generate initial reports.
• Check the packet count icon in the top right corner of the Firewall Analyzer UI to verify that Firewall Analyzer is able to receive packets.

Traffic Reports:

• Go to Settings --> Intranet Settings to set the LAN network range.
• Select Traffic Reports in the left side tree and check that the IPAddress, Sent and Received values are populated correctly.
• Check drilling down of the above reports.
• Check Inbound/Outbound reports, Intranet and Internet reports to verify whether they are showing correct IPAddress and bytes values.

Rules Reports:

• Rules reports should be populated correctly with the appropriate rule name.

VPN Reports:

• VPN users with their attempts should be shown correctly.

Security Reports:

• Whenever there are denied/dropped connections, these reports should be populated. Higher severity events should also be populated here.


Attack Reports:

• Attacks identified by 3Com devices should be listed here. Check Top Attackers and the drilldown details of those reports.

Live Reports:

• Verify bandwidth utilization values here.

Additional Firewalls:

• Configure more than one firewall to send data to Firewall Analyzer and confirm that Firewall Analyzer correctly recognizes the second firewall too.

Verification Tests

• Automatic Discovery of 3Com Logs
• Traffic Reports
• Rules Report
• VPN Reports
• Security Reports
• Attack Reports
• Live Reports
• Admin Reports
• Multiple Firewall Discovery


Product Support

3COM product support:

Main 3COM Support link: http://www.3com.com/products/en_US/support/index.html
3COM X5 Unified Security Platform Product Link: http://www.3com.com/products/en_US/searchbyproduct.jsp?path=download&searchby=prodname&search=x5

Asia Pacific
Telephone: +65 6543 6645
Fax: +65 6543 6518
E-mail: [email protected]

Europe, Middle East and Africa
Telephone: +44 (0)1442 435529 (Option 4)
Fax: +44 (0)1442 435811
E-mail: [email protected]

North America and Latin America
Telephone: 866-326-6222 (Option 3)
Fax: 408-326-7140
E-mail: [email protected]

AdventNet Product Support:

Main AdventNet ManageEngine® Link: http://manageengine.adventnet.com/support.html
AdventNet ManageEngine® Firewall Analyzer Support Link: http://manageengine.adventnet.com/products/firewall/support.html
Support: US: +1 888 720 9500 Intl: +1 925 924 9500 [email protected]


Conclusion

These Application Notes describe the configuration steps required to configure AdventNet’s ManageEngine® Firewall Analyzer to collect firewall logs from the 3Com® X5 Unified Security Platform.