Cisco IronPort

The JSA DSM for Cisco IronPort collects logs from the following Cisco products: Cisco IronPort, Cisco Email Security Appliance (ESA), and Cisco Web Security Appliance (WSA). The Cisco IronPort DSM retrieves web content filtering events (W3C format), Text Mail Logs, and System Logs.

To integrate Cisco IronPort with JSA, complete the following steps:

  1. If automatic updates are not enabled, download the most recent version of the following RPMs from https://support.juniper.net/support/downloads/ and install them on your JSA Console:

    • Log File Protocol RPM

    • Cisco IronPort DSM RPM

  2. Configure Cisco IronPort to communicate with JSA.

  3. Optional: Add a Cisco IronPort log source by using the Log File protocol.

  4. Optional: Add a Cisco IronPort log source by using the Syslog protocol.

Cisco IronPort DSM Specifications

The following table describes the specifications for the Cisco IronPort DSM.

Table 1: Cisco IronPort DSM Specifications

Parameter

Value

Manufacturer

Cisco

DSM name

Cisco IronPort

RPM file name

DSM-CiscoIronPort-JSA_version-build_number.noarch.rpm

Supported versions

  • Cisco IronPort: V5.5, V6.5, V7.1, V7.5

  • Cisco ESA: V10.0

  • Cisco WSA: V10.0

Protocol

Syslog: Cisco IronPort, Cisco WSA

Log File Protocol: Cisco IronPort, Cisco ESA

Event format

Text Mail Logs, System Logs, Web Content Filtering Events

Recorded event types

No

Automatically discovered?

No

Includes identity?

No

More information

Cisco Email Security (http://www.cisco.com/c/en/us/products/security/email-security/index.html)

Cisco Web Security Appliance (http://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html)

Configuring Cisco IronPort Appliances to Communicate with JSA

Complete the configuration on Cisco IronPort appliances so that they can send events to JSA.

  1. To configure your Cisco IronPort Appliance to push Web Content Filter events, you must configure a log subscription for the Web Content Filter that uses the W3C format. For more information, see your Cisco IronPort documentation.

  2. To configure your Cisco Email Security Appliance (ESA) to push message data and anti-virus events, you must configure a log subscription.

  3. To configure your Cisco Web Security Appliance (WSA) to push Web Proxy filtering and traffic monitoring activity events, you must configure a log subscription.

Configuring a Cisco IronPort and Cisco ESA Log Source by using the Log File Protocol

You can configure a log source on the JSA Console so that Cisco IronPort and Cisco Email Security Appliance (ESA) can communicate with JSA by using the log file protocol.

Configure a Cisco IronPort log source on the JSA Console by using the log file protocol. The following table describes the Log File protocol log source parameters that require specific values for retrieving logs from Cisco IronPort and Cisco ESA.

Table 2: Cisco IronPort Log Source Parameters for Log File

Parameter

Value

Log Source type

Cisco IronPort

Protocol Configuration

Log File

Log Source Identifier

The Log Source Identifier can be any valid value, including the same value as the Log Source Name parameter, and doesn't need to reference a specific server.

Service Type

From the list, select the protocol to use when retrieving log files from the remote server. The default is SFTP.

The SCP and SFTP service types require that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname

Type the IP address or host name of the device that contains the event log files.

Remote Port

Type the port that is used to communicate with the remote host. The valid range is 1 - 65535.

The options include ports:

  • FTP - TCP Port 21

  • SFTP - TCP Port 22

  • SCP - TCP Port 22

If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value.

Remote User

Type the user name necessary to log in to the host that contains the event files.

Remote Password

Type the password necessary to log in to the host.

Confirm Password

Confirm the password necessary to log in to the host.

SSH Key file

If the system is configured to use key authentication, type the path to the SSH key.

When an SSH key file is used, the Remote Password field is ignored.

Remote Directory

Type the directory location on the remote host from which the files are retrieved. The directory path is relative to the user account that is used to log in.

Note:

For FTP only. If the log files are in the remote user’s home directory, you can leave the remote directory blank. A blank remote directory field supports systems where a change in the working directory (CWD) command is restricted.

Recursive

Select this check box to enable the file pattern to search sub folders. By default, the check box is clear.

This option is ignored for SCP file transfers.

FTP File Pattern

Type a regular expression that matches the names of the log files that are generated.

The FTP file pattern that you specify must match the name that you assigned to your event files. For example, to collect files that end with .log, type .*\.log; to collect files that start with zOS and end with .gz, type zOS.*\.gz.

For more information, see the Java regular expression tutorial (http://docs.oracle.com/javase/tutorial/essential/regex/).

Start Time

Type the time of day for the log source to start the file import.

This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files.

Recurrence

Type a time interval to determine how frequently the remote directory is scanned for new event log files. The minimum value is 15 minutes.

The time interval can include values in hours (H), minutes (M), or days (D). For example, a recurrence of 2H scans the remote directory every 2 hours.

Run On Save

Select this check box to start the log file import immediately after the administrator saves the log source.

After the first file import, the log file protocol follows the start time and recurrence schedule that is defined by the administrator.

When selected, this check box clears the list of previously downloaded and processed files.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

Processor

From the list, select gzip.

Ignore Previously Processed File(s)

Select this check box to track files that were processed by the log file protocol. JSA examines the log files in the remote directory to determine if a file was previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that weren't previously processed are downloaded.

This option only applies to FTP and SFTP Service Types.

Change Local Directory?

Select this check box to define a local directory on the JSA system for storing downloaded files during processing.

Administrators can leave this check box clear for most configurations. When this check box is selected, the Local Directory field is displayed so that you can configure the local directory to use for storing files.

Event Generator

W3C. The Event Generator uses W3C to process the web content filter log files.

File Encoding

From the list box, select the character encoding that is used by the events in your log file.

Folder Separator

Type the character that is used to separate folders for your operating system. The default value is /.

Most configurations can use the default value in Folder Separator field.

This field is intended for operating systems that use a different character to define separate folders. For example, periods that separate folders on mainframe systems.
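The scan that the Log File protocol parameters above describe, written out as an added example (this is not JSA's own implementation): it applies the FTP File Pattern, Recursive, Folder Separator and Ignore Previously Processed File(s) settings to a remote directory listing, enforces the 15-minute Recurrence minimum, and applies the gzip Processor. The directory listing, file names and the gzipped sample are constructed here; how JSA actually stores its processed-file list is not described on this page and is modelled as a plain set of paths.

```python
"""Added example, not JSA's own code: one simulated Log File protocol scan
using the FTP File Pattern, Recursive, Folder Separator, Ignore Previously
Processed File(s), Recurrence and Processor settings described above.

The remote directory listing is constructed for the example.  JSA's real
bookkeeping of processed files is not documented on this page; a plain set
of paths stands in for it here.
"""
import gzip
import re
from datetime import timedelta

# Constructed remote directory listing: (path relative to Remote Directory, is_directory).
REMOTE_LISTING = [
    ("mail.log", False),
    ("mail.log.gz", False),
    ("system.log", False),
    ("notes.txt", False),
    ("archive", True),
    ("archive/mail.log.1.gz", False),
    ("archive/old/mail.log.2.gz", False),
]

# Constructed gzipped log file, as a Processor of 'gzip' would receive it.
GZIPPED_SAMPLE = gzip.compress(b"Mon Apr 17 19:57:20 2003 Info: MID 6 ICID 5\n")


def parse_recurrence(value):
    """Parse a Recurrence value such as '2H', '30M' or '1D' into a timedelta.

    Rejects anything below the documented 15-minute minimum.
    """
    m = re.fullmatch(r"(\d+)\s*([HMD])", value.strip().upper())
    if not m:
        raise ValueError(f"bad recurrence value: {value!r}")
    count, unit = int(m.group(1)), m.group(2)
    delta = {
        "H": timedelta(hours=count),
        "M": timedelta(minutes=count),
        "D": timedelta(days=count),
    }[unit]
    if delta < timedelta(minutes=15):
        raise ValueError("recurrence must be at least 15 minutes")
    return delta


def recurrence_is_valid(value):
    """True when parse_recurrence accepts the value."""
    try:
        parse_recurrence(value)
        return True
    except ValueError:
        return False


def select_files(listing, file_pattern, recursive=False, folder_separator="/",
                 already_processed=frozenset(), ignore_processed=True):
    r"""Return the paths that would be downloaded on one scan of the remote directory.

    file_pattern is a regular expression that must match the whole file name
    (the name only, not the path), e.g. r".*\.log".  Files in sub folders are
    skipped unless recursive is set.  Paths in already_processed are skipped
    only when ignore_processed is set, mirroring the
    'Ignore Previously Processed File(s)' check box.
    """
    pattern = re.compile(file_pattern)
    selected = []
    for path, is_dir in listing:
        if is_dir:
            continue
        parts = path.split(folder_separator)
        if len(parts) > 1 and not recursive:
            continue
        if not pattern.fullmatch(parts[-1]):
            continue
        if ignore_processed and path in already_processed:
            continue
        selected.append(path)
    return selected


def expand(data, processor=None):
    """Apply the Processor setting to downloaded bytes.

    'gzip' expands the archive; any other value returns the data unchanged.
    """
    if processor == "gzip":
        return gzip.decompress(data)
    return data


if __name__ == "__main__":
    # .*\.log picks up the live logs but not the rotated .gz copies.
    print(select_files(REMOTE_LISTING, r".*\.log"))
    # A rotated-log pattern plus Recursive reaches into archive/ as well.
    print(select_files(REMOTE_LISTING, r".*\.log(\.\d+)?\.gz", recursive=True))
    print(parse_recurrence("2H"), expand(GZIPPED_SAMPLE, "gzip"))
```

The first call shows the check a practitioner should make before saving the log source: a pattern such as .*\.log matches only the live log, so rotated and compressed copies need their own pattern (and the Recursive check box if they are moved into sub folders), otherwise they are silently never collected.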

Configuring a Cisco IronPort and Cisco WSA log source by using the Syslog protocol

You can configure a log source on the JSA Console so that the Cisco IronPort Appliance and Cisco Web Security Appliance (WSA) can communicate with JSA by using the Syslog protocol.

Configure a Cisco IronPort log source on the JSA Console by using Syslog. The following table describes the Syslog log source parameters that require specific values for receiving logs from Cisco IronPort and Cisco WSA.

Table 3: Log Source Parameters

Parameter

Value

Log Source type

Cisco IronPort

Protocol Configuration

Syslog

Log Source Identifier

The IPv4 address or host name that identifies the log source.

If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Cisco IronPort Sample Event Messages

Use these sample event messages to verify a successful integration with JSA. Replace the sample IP addresses and other values with your own.

The following table shows a sample event message from Cisco IronPort:

Table 4: Cisco IronPort Sample Messages Supported by the Cisco IronPort Device

Event name: Mailserver_info

Low level category: Information

Sample log message:

  Mon Apr 17 19:57:20 2003 Info: MID 6 ICID 5 From: <username@example.com>

Event name: TCP_CONNECT

Low level category: Information

Sample log message:

  timestamp=1296564861.465 x-latency=72 cip=127.0.0.1 x-resultcode-httpstatus=TCP_MISS_SSL/200 sc-bytes=0 cs-method=TCP_CONNECT cs-url=192.0.2.1:443 cs-username=- x-hierarchy-origin=DIRECT/192.0.2.1 cs(MIME_type)=- x-acltag=DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup
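Parsing the two sample messages above, as an added example that is not JSA's parser: the WSA access log line is a run of W3C-style field=value pairs, and the ESA text mail log line is free text with a timestamp, a level and MID/ICID identifiers. The field names are those of the samples; the event name and low level category values are the ones Table 4 lists for these two messages, and lines that do not match them are left unmapped rather than guessed. The normalisation into client IP, destination, cache result, HTTP status and TLS decryption decision is this example's own.

```python
"""Added example, not JSA's parser: parse the two sample messages from
Table 4 into the fields a detection rule or search would use.

The WSA line is a sequence of W3C-style field=value pairs; the ESA text mail
log line is free text with a timestamp, a level and MID/ICID identifiers.
Field names come from the samples above.  Event name and low level category
values are copied from Table 4 for these two cases only; anything else is
returned as None rather than guessed.
"""
import re
from datetime import datetime, timezone

# The two sample messages from Table 4, each joined onto one line.
WSA_SAMPLE = (
    "timestamp=1296564861.465 x-latency=72 cip=127.0.0.1 "
    "x-resultcode-httpstatus=TCP_MISS_SSL/200 sc-bytes=0 cs-method=TCP_CONNECT "
    "cs-url=192.0.2.1:443 cs-username=- x-hierarchy-origin=DIRECT/192.0.2.1 "
    "cs(MIME_type)=- "
    "x-acltag=DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup"
)
ESA_SAMPLE = "Mon Apr 17 19:57:20 2003 Info: MID 6 ICID 5 From: <username@example.com>"

# "<weekday> <month> <day> <hh:mm:ss> <year> <Level>: <message>"
ESA_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$"
)


def parse_wsa_w3c(line):
    """Split a WSA access-log line into a dict of field -> raw value.

    Tokens are whitespace separated and values contain no spaces in this
    format, so each token is cut at its first '='; any '=' inside a URL
    value is kept as part of the value.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def normalize_wsa(fields):
    """Turn raw WSA fields into the normalised event described by Table 4."""
    cache_result, _, status = fields.get("x-resultcode-httpstatus", "").partition("/")
    acl = fields.get("x-acltag", "").split("-")
    username = fields.get("cs-username")
    ts = fields.get("timestamp")
    return {
        "event_name": fields.get("cs-method"),          # TCP_CONNECT in Table 4
        "low_level_category": "Information",           # as listed in Table 4
        "time": datetime.fromtimestamp(float(ts), tz=timezone.utc) if ts else None,
        "client_ip": fields.get("cip"),
        "destination": fields.get("cs-url"),
        "cache_result": cache_result,                   # e.g. TCP_MISS_SSL
        "http_status": int(status) if status.isdigit() else None,
        "username": None if username in (None, "-") else username,
        "decision": acl[0] or None,                     # e.g. DECRYPT_WEBCAT_7
        "policy_group": acl[1] if len(acl) > 1 else None,
        # The decision prefix records whether the proxy decrypted the TLS session.
        "tls_decrypted": acl[0].startswith("DECRYPT"),
    }


def parse_esa_mail_log(line):
    """Parse an ESA text mail log line into timestamp, level, ids and sender."""
    m = ESA_LINE.match(line)
    if not m:
        raise ValueError(f"not an ESA text mail log line: {line!r}")
    msg = m.group("msg")
    level = m.group("level")
    ids = dict(re.findall(r"\b(MID|ICID|DCID|RID) (\d+)", msg))
    sender = re.search(r"From: <([^>]*)>", msg)
    return {
        "event_name": "Mailserver_info" if level == "Info" else None,
        "low_level_category": "Information" if level == "Info" else None,
        "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": level,
        "mid": int(ids["MID"]) if "MID" in ids else None,
        "icid": int(ids["ICID"]) if "ICID" in ids else None,
        "sender": sender.group(1) if sender else None,
        "message": msg,
    }


if __name__ == "__main__":
    print(normalize_wsa(parse_wsa_w3c(WSA_SAMPLE)))
    print(parse_esa_mail_log(ESA_SAMPLE))
```

When checking a live integration against these samples, the fields worth confirming are the ones the appliance is least consistent about: cs-username is a bare "-" when no user was authenticated, the HTTP status rides inside x-resultcode-httpstatus after the slash, and the x-acltag decision prefix (DECRYPT_, PASSTHRU_, BLOCK_, and so on) is where a policy change such as switching a category from decrypt to pass-through shows up.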