Forcepoint Sidewinder

Forcepoint Sidewinder was formerly known as McAfee Firewall Enterprise. The JSA DSM for Forcepoint Sidewinder collects logs from a Forcepoint Sidewinder Firewall Enterprise device by using the Syslog protocol.

To integrate Forcepoint Sidewinder with JSA, use the following steps:

  1. If automatic updates are not enabled, download and install the Common Forcepoint Sidewinder DSM RPM on your JSA Console.

  2. Configure Forcepoint Sidewinder to communicate with JSA.

  3. If JSA does not automatically detect the log source, add a Forcepoint Sidewinder log source on the JSA Console. The following table describes the parameters that require specific values for Forcepoint Sidewinder event collection:

    Table 1: Forcepoint Sidewinder Log Source Parameters

    Parameter               Description
    ----------------------  ----------------------
    Log Source type         Forcepoint Sidewinder
    Protocol Configuration  Syslog

Forcepoint Sidewinder DSM Specifications

The following table identifies the specifications for the Forcepoint Sidewinder DSM.

Table 2: Forcepoint Sidewinder DSM Specifications

Specification                Value
---------------------------  ------------------------------------------------------------
Manufacturer                 Forcepoint
DSM name                     Forcepoint Sidewinder
RPM file name                DSM-ForcepointSidewinder-JSA_version-Build_number.noarch.rpm
Supported versions           V6.1
Event format                 Syslog
Recorded event types         Forcepoint Sidewinder audit events
Automatically discovered?    Yes
Includes identity?           No
Includes custom properties?  No
More information             https://www.forcepoint.com

Configure Forcepoint Sidewinder to Communicate with JSA

Before you can configure JSA to integrate with Forcepoint Sidewinder, you must configure syslog on your Forcepoint Sidewinder Firewall Enterprise device.

When you configure your Forcepoint Sidewinder device to forward syslog events to JSA, export the logs in Sidewinder Export Format (SEF).

Sample Event Messages

Use this sample event message as a way of verifying a successful integration with JSA.

The following table provides a sample event message when you use the Syslog protocol for the Forcepoint Sidewinder DSM:

Table 3: Forcepoint Sidewinder Sample Message Supported by Forcepoint Sidewinder

Event name                    Low level category
----------------------------  ------------------
nettraffic@status_conn_close  User Login Success

Sample log message:

<131>May 16 11:41:11 auditd: date="May 16 15:41:11 2006 GMT",fac=f_ftpproxy,area=a_server,type=t_nettraffic,pri=p_major,pid=2718,ruid=0,euid=0,pgid=2718,logid=0,cmd=pftp,domain=PFTx,edomain=PFTx,srcip=192.168.0.1,srcport=4597,srcburb=internal,dstip=192.168.0.2,dstport=21,dstburb=external,protocol=6,bytes_written_to_client=0,bytes_written_to_server=0,service_name=pftp,reason="closing connection",status=conn_close,acl_id=default-outgoingrule,cache_hit=0,remote_logname=anonymous,request_command=QUIT,request_status=1,start_time="Tue May 16 11:41:06 2006",netsessid=4469f2920002870e
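To check what a collector would actually extract from a message like the one above, here is an added Python parser for the SEF key=value body (example code written for this page, not JSA's or Forcepoint's own parser): it handles the quoted values that contain commas and spaces, decodes the syslog PRI, and embeds a constructed copy of the Table 3 message as its input. The function names and the way the event name is assembled from the type and status fields are assumptions.

```python
import re

# Constructed copy of the Table 3 sample event: BSD syslog header, then the SEF key=value body.
SAMPLE_EVENT = (
    '<131>May 16 11:41:11 auditd: date="May 16 15:41:11 2006 GMT",fac=f_ftpproxy,area=a_server,'
    'type=t_nettraffic,pri=p_major,pid=2718,ruid=0,euid=0,pgid=2718,logid=0,cmd=pftp,domain=PFTx,'
    'edomain=PFTx,srcip=192.168.0.1,srcport=4597,srcburb=internal,dstip=192.168.0.2,dstport=21,'
    'dstburb=external,protocol=6,bytes_written_to_client=0,bytes_written_to_server=0,'
    'service_name=pftp,reason="closing connection",status=conn_close,acl_id=default-outgoingrule,'
    'cache_hit=0,remote_logname=anonymous,request_command=QUIT,request_status=1,'
    'start_time="Tue May 16 11:41:06 2006",netsessid=4469f2920002870e'
)
HEADER_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<tag>[^:]+): (?P<body>.*)$')

def parse_sef_body(body: str) -> dict[str, str]:
    """Split comma-separated key=value pairs. Quoted values (date=, reason=, start_time=)
    contain commas and spaces, so a naive body.split(',') would corrupt them."""
    fields, pos, n = {}, 0, len(body)
    while pos < n:
        eq = body.find('=', pos)
        if eq < 0:
            raise ValueError(f'no "=" after offset {pos}')
        key, pos = body[pos:eq].strip(), eq + 1
        while pos < n and body[pos] == ' ':  # tolerate 'key= value' as in the page's rendering
            pos += 1
        if pos < n and body[pos] == '"':  # quoted value: read up to the closing quote
            end = body.find('"', pos + 1)
            if end < 0:
                raise ValueError(f'unterminated quote in value of {key!r}')
            value, pos = body[pos + 1:end], end + 1
        else:  # bare value: read up to the next comma or the end of the body
            end = body.find(',', pos) if ',' in body[pos:] else n
            value, pos = body[pos:end].strip(), end
        fields[key] = value
        if pos < n and body[pos] == ',':
            pos += 1
    return fields

def parse_sidewinder_event(line: str) -> dict[str, str]:
    """Decode the syslog PRI (facility * 8 + severity; <131> is local0/err) and the SEF body.
    Building the event name as type minus 't_' + '@status_' + status is an assumption."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('line does not start with a <PRI> syslog header')
    pri = int(m.group('pri'))
    fields = parse_sef_body(m.group('body'))
    fields['_facility'], fields['_severity'] = str(pri >> 3), str(pri & 7)
    fields['_event_name'] = fields.get('type', '').removeprefix('t_') + '@status_' + fields.get('status', '')
    return fields
```

Feeding the message captured from your own device into parse_sidewinder_event and comparing srcip, dstip, dstport and status with what the JSA log source shows is a quick way to confirm the integration is parsing the fields you expect.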