Forcepoint Stonesoft Management Center
The JSA DSM for Forcepoint Stonesoft Management Center collects events from a StoneGate device by using syslog.
The following table describes the specifications for the Stonesoft Management Center DSM:
Specification | Value
---|---
Manufacturer | FORCEPOINT
DSM name | Stonesoft Management Center
RPM file name | DSM-StonesoftManagementCenter-JSA_version-build_number.noarch.rpm
Supported versions | 5.4 to 6.1
Protocol | Syslog
Event format | LEEF
Recorded event types | Management Center, IPS, Firewall, and VPN events
Automatically discovered? | Yes
Includes identity? | No
Includes custom properties? | No
More information | FORCEPOINT website (https://www.forcepoint.com)
To integrate FORCEPOINT Stonesoft Management Center with JSA, complete the following steps:
1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
   - DSMCommon RPM
   - Stonesoft Management Center DSM RPM
2. Configure your StoneGate device to send syslog events to JSA.
3. If JSA does not automatically detect the log source, add a Stonesoft Management Center log source on the JSA console. The following table describes the parameters that require specific values to collect events from Stonesoft Management Center:

Table 2: Stonesoft Management Center Log Source Parameters

Parameter | Value
---|---
Log Source type | Stonesoft Management Center
Protocol Configuration | Syslog
Log Source Identifier | Type a unique name for the log source.

4. Verify that JSA is configured correctly.
The following table shows a sample normalized event message from Stonesoft Management Center:
Table 3: Stonesoft Management Center Sample Message

Event name | Low level category
---|---
Generic_UDP-Rugged-Director-Denial-Of-Service | Misc DoS

Sample log message:
LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:00:00:00:00:00 sev=2 dstMAC=00:00:00:00:00:00 devTime=Feb 23 2017 10:13:58 proto=17 dstPort=00000 srcPort=00000 dst=127.0.0.1 src=127.0.0.1 action=Permit logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary sender="username" Sensor
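To see what JSA has to work with in a message like the one above, the following added example (not part of the JSA DSM or of Forcepoint's software) parses the LEEF 1.0 header and its key=value attributes, then converts devTime using the devTimeFormat pattern the event carries. The sample message is a constructed copy of the page's event with the extraction breaks repaired and the trailing word dropped; the attribute regex and the Java-to-strptime token table are assumptions that cover the tokens in that sample.

```python
"""Parse a LEEF 1.0 event of the kind Stonesoft Management Center forwards to JSA.

Added example for this page; it is not part of the JSA DSM or of Forcepoint's
code. SAMPLE is a constructed copy of the page's sample event. The attribute
regex and the Java-to-strptime token table are assumptions covering this sample.
"""
import re
from datetime import datetime

SAMPLE = (
    "LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|"
    "devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:00:00:00:00:00 sev=2 "
    "dstMAC=00:00:00:00:00:00 devTime=Feb 23 2017 10:13:58 proto=17 "
    "dstPort=00000 srcPort=00000 dst=127.0.0.1 src=127.0.0.1 action=Permit "
    'logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary sender="username"'
)

# An attribute value runs until the next "<whitespace><key>=" or the end of the
# string, so values that contain spaces (devTimeFormat, devTime) stay intact.
# LEEF 1.0 separates attributes with a tab; the page's sample shows spaces, and
# \s covers both.
_ATTR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Java date-pattern tokens seen in Stonesoft devTimeFormat values, mapped to
# strptime directives. Longer tokens come first so "MMM" is not eaten by "MM".
_JAVA_TO_STRPTIME = [
    ("yyyy", "%Y"), ("MMM", "%b"), ("MM", "%m"), ("dd", "%d"),
    ("HH", "%H"), ("mm", "%M"), ("ss", "%S"),
]


def java_format_to_strptime(fmt):
    """Translate a Java-style pattern such as 'MMM dd yyyy HH:mm:ss' for strptime."""
    for java_token, directive in _JAVA_TO_STRPTIME:
        fmt = fmt.replace(java_token, directive)
    return fmt


def parse_leef(msg):
    """Return (header, attributes) for a LEEF 1.0 message, or raise ValueError."""
    parts = msg.strip().split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 1.0 message")
    header = {
        "leef_version": parts[0][len("LEEF:"):],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
    }
    # Strip the quotes the sample puts around sender="username".
    attrs = {k: v.strip('"') for k, v in _ATTR_RE.findall(parts[5].strip())}
    return header, attrs


def event_time(attrs):
    """Convert devTime using the devTimeFormat the event itself declares."""
    if "devTime" not in attrs or "devTimeFormat" not in attrs:
        return None
    fmt = java_format_to_strptime(attrs["devTimeFormat"])
    return datetime.strptime(attrs["devTime"], fmt)


def summarize(msg):
    """Flatten the fields an analyst looks at first into one record."""
    header, attrs = parse_leef(msg)
    when = event_time(attrs)
    return {
        "event": header["event_id"],
        "sensor": f'{header["vendor"]} {header["product"]} {header["product_version"]}',
        "time": when.isoformat() if when else None,
        "severity": int(attrs.get("sev", 0)),
        "action": attrs.get("action"),
        "flow": f'{attrs.get("src")}:{attrs.get("srcPort")} -> '
                f'{attrs.get("dst")}:{attrs.get("dstPort")}/proto {attrs.get("proto")}',
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:9} {value}")
```

Running the module prints the summary record for the sample; the same functions can be pointed at a message captured on the JSA side (for example from a packet capture of UDP 514) to confirm that the header has five pipe-separated fields and that devTime parses with the declared format before the log source is created.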
Configuring FORCEPOINT Stonesoft Management Center to Communicate with JSA
Configure Stonesoft Management Center to communicate with JSA by editing the LogServerConfiguration.txt file. Configuring the text file allows Stonesoft Management Center to forward events in LEEF format by using syslog to JSA.
1. Log in to the appliance that hosts your Stonesoft Management Center.
2. Stop the Stonesoft Management Center Log Server.
   - Windows: stop the Log Server in the Windows Services list, or run the batch file <installation path>/bin/sgStopLogSrv.bat.
   - Linux: run the script <installation path>/bin/sgStopLogSrv.sh.
3. Edit the LogServerConfiguration.txt file, which is located at <installation path>/data/LogServerConfiguration.txt.
4. Configure the following parameters in the LogServerConfiguration.txt file:

Table 4: Log Server Configuration Options

Parameter | Value | Description
---|---|---
SYSLOG_EXPORT_FORMAT | LEEF | Type LEEF as the export format to use for syslog.
SYSLOG_EXPORT_ALERT | YES or NO | YES exports alert entries to JSA by using the syslog protocol; NO does not export alert entries.
SYSLOG_EXPORT_FW | YES or NO | YES exports firewall and VPN entries to JSA by using the syslog protocol; NO does not export firewall and VPN entries.
SYSLOG_EXPORT_IPS | YES or NO | YES exports IPS logs to JSA by using the syslog protocol; NO does not export IPS logs.
SYSLOG_PORT | 514 | Type 514 as the UDP port for forwarding syslog events to JSA.
SYSLOG_SERVER_ADDRESS | JSA IPv4 address | Type the IPv4 address of your JSA console or Event Collector.

5. Save the LogServerConfiguration.txt file.
6. Start the Log Server.
   - Windows: run <installation path>/bin/sgStartLogSrv.bat.
   - Linux: run <installation path>/bin/sgStartLogSrv.sh.
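A quick way to catch a mistyped export setting before restarting the Log Server is to lint the file against the values in the table above. The following added example (not part of the JSA DSM or of Forcepoint's software) does that. It assumes LogServerConfiguration.txt consists of KEY=VALUE lines with '#' comments, which is an assumption about the file layout and not something this page documents; the two sample configurations are constructed, with 192.0.2.10 standing in for a JSA Event Collector.

```python
"""Lint the syslog export settings in a Stonesoft LogServerConfiguration.txt.

Added example for this page; it is not part of the JSA DSM or of Forcepoint's
code. It assumes the file is made of KEY=VALUE lines with '#' comments (an
assumption about the layout, not documented on this page). Expected values come
from the page's Log Server Configuration Options table; both sample files are
constructed.
"""
import ipaddress

# Expected values per the page: LEEF export, UDP 514, YES/NO export switches.
EXPECTED = {
    "SYSLOG_EXPORT_FORMAT": ("LEEF",),
    "SYSLOG_EXPORT_ALERT": ("YES", "NO"),
    "SYSLOG_EXPORT_FW": ("YES", "NO"),
    "SYSLOG_EXPORT_IPS": ("YES", "NO"),
    "SYSLOG_PORT": ("514",),
}
EXPORT_SWITCHES = ("SYSLOG_EXPORT_ALERT", "SYSLOG_EXPORT_FW", "SYSLOG_EXPORT_IPS")

GOOD_CONFIG = """\
# constructed sample: forwards alert, firewall/VPN and IPS entries to JSA
SYSLOG_EXPORT_FORMAT=LEEF
SYSLOG_EXPORT_ALERT=YES
SYSLOG_EXPORT_FW=YES
SYSLOG_EXPORT_IPS=YES
SYSLOG_PORT=514
SYSLOG_SERVER_ADDRESS=192.0.2.10
"""

BAD_CONFIG = """\
# constructed sample: wrong format, wrong port, IPv6 target, IPS switch missing
SYSLOG_EXPORT_FORMAT=CEF
SYSLOG_EXPORT_ALERT=NO
SYSLOG_EXPORT_FW=NO
SYSLOG_PORT=1514
SYSLOG_SERVER_ADDRESS=2001:db8::10
"""


def parse_config(text):
    """Return a dict of KEY -> VALUE, ignoring blank lines and '#' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_syslog_export(cfg):
    """Return a list of findings; an empty list means the settings match the table."""
    findings = []
    for key, allowed in EXPECTED.items():
        value = cfg.get(key)
        if value is None:
            findings.append(f"{key} is missing")
        elif value.upper() not in allowed:
            findings.append(f"{key}={value} is not one of {'/'.join(allowed)}")

    # The table asks for an IPv4 address of the JSA console or Event Collector.
    addr = cfg.get("SYSLOG_SERVER_ADDRESS")
    if addr is None:
        findings.append("SYSLOG_SERVER_ADDRESS is missing")
    else:
        try:
            if ipaddress.ip_address(addr).version != 4:
                findings.append(f"SYSLOG_SERVER_ADDRESS={addr} is not an IPv4 address")
        except ValueError:
            findings.append(f"SYSLOG_SERVER_ADDRESS={addr} is not an IP address")

    # Every switch set to NO is a syntactically valid file that forwards nothing.
    if all(cfg.get(k, "").upper() == "NO" for k in EXPORT_SWITCHES):
        findings.append("all SYSLOG_EXPORT_* switches are NO; no events will reach JSA")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_syslog_export(parse_config(text)) or "ok")
```

Run it against the real file with `check_syslog_export(parse_config(open(path).read()))`; an empty result means the six parameters match the table, and each finding names the key to fix. The all-NO check exists because such a file passes every per-key test yet sends nothing, which otherwise shows up only as a log source that never receives events.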
For detailed configuration instructions, see the StoneGate Management Center Administrator's Guide.
You are now ready to configure a traffic rule for syslog.
A firewall rule is required only if your JSA console or Event Collector is separated from the Stonesoft Management Server by a firewall. If no firewall exists between the Stonesoft Management Server and JSA, proceed directly to configuring the log source in JSA.
Configuring a Syslog Traffic Rule for FORCEPOINT Stonesoft Management Center
If your Stonesoft Management Center and JSA are separated by a firewall in your network, you must modify your firewall or IPS policy to allow traffic between the Stonesoft Management Center and JSA.
1. From the Stonesoft Management Center, select one of the following methods for modifying a traffic rule:
   - Firewall policies: select Configuration > Configuration > Firewall.
   - IPS policies: select Configuration > Configuration > IPS.
2. Select the type of policy to modify:
   - Firewall: select Firewall Policies > Edit Firewall Policy.
   - IPS: select IPS Policies > Edit Firewall Policy.
3. Add an IPv4 Access rule by configuring the following parameters for the firewall policy:

Parameter | Value
---|---
Source | Type the IPv4 address of your Stonesoft Management Center Log Server.
Destination | Type the IPv4 address of your JSA console or Event Collector.
Service | Select Syslog (UDP).
Action | Select Allow.
Logging | Select None.

Note: In most cases, you might want to set the logging value to None. Logging syslog connections without configuring a syslog filter can create a loop. For more information, see the StoneGate Management Center Administrator's Guide.

4. Save your changes and then refresh the policy on the firewall or IPS.
You are now ready to configure the log source in JSA.