Forcepoint Stonesoft Management Center

The JSA DSM for Forcepoint Stonesoft Management Center collects events from a StoneGate device by using syslog.

The following table describes the specifications for the Stonesoft Management Center DSM:

Table 1: Stonesoft Management Center DSM Specifications

Specification                 Value
Manufacturer                  FORCEPOINT
DSM name                      Stonesoft Management Center
RPM file name                 DSM-StonesoftManagementCenter-JSA_version-build_number.noarch.rpm
Supported versions            5.4 to 6.1
Protocol                      Syslog
Event format                  LEEF
Recorded event types          Management Center, IPS, Firewall, and VPN events
Automatically discovered?     Yes
Includes identity?            No
Includes custom properties?   No
More information              FORCEPOINT website (https://www.forcepoint.com)

To integrate FORCEPOINT Stonesoft Management Center with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • DSMCommon RPM

    • Stonesoft Management Center DSM RPM

  2. Configure your StoneGate device to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Stonesoft Management Center log source on the JSA console. The following table describes the parameters that require specific values to collect events from Stonesoft Management Center:

    Table 2: Stonesoft Management Center Log Source Parameters

    Parameter                Value
    Log Source type          Stonesoft Management Center
    Protocol Configuration   Syslog
    Log Source Identifier    Type a unique name for the log source.

  4. Verify that JSA is configured correctly.

    The following table shows a sample normalized event message from Stonesoft Management Center:

    Table 3: Stonesoft Management Center Sample Message

    Event name: Generic_UDP-Rugged-Director-Denial-Of-Service

    Low level category: Misc DoS

    Sample log message:

    LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:00:00:00:00:00 sev=2 dstMAC=00:00:00:00:00:00 devTime=Feb 23 2017 10:13:58 proto=17 dstPort=00000 srcPort=00000 dst=127.0.0.1 src=127.0.0.1 action=Permit logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary sender="username" Sensor
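The LEEF record in Table 3 is what JSA normalizes once the Log Server forwards events, and being able to parse it yourself is the quickest way to verify step 4 from a packet capture or a file. The following is an added example, not code from this page, Forcepoint or JSA: a small LEEF 1.0 parser that splits the pipe-delimited header from the attribute block, accepts both the tab-delimited attributes LEEF specifies and the space-separated form the sample above shows (where values such as devTime contain spaces), and extracts the flow 5-tuple. The SAMPLE string is the Table 3 record with the extraction's stray spaces removed and the truncated trailing token left out; the PROTO_NAMES table and all function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the LEEF record from Table 3 on this page with the stray spaces
# inserted by page extraction removed. The page's record is truncated after 'sender=',
# so the dangling trailing token is omitted here.
SAMPLE = (
    'LEEF:1.0|FORCEPOINT|IPS|5.8.5|Generic_UDP-Rugged-Director-Denial-Of-Service|'
    'devTimeFormat=MMM dd yyyy HH:mm:ss srcMAC=00:00:00:00:00:00 sev=2 '
    'dstMAC=00:00:00:00:00:00 devTime=Feb 23 2017 10:13:58 proto=17 dstPort=00000 '
    'srcPort=00000 dst=127.0.0.1 src=127.0.0.1 action=Permit '
    'logicalInterface=NY2-1302-DMZ_IPS_ASA_Primary sender="username"'
)

# When attributes are space-separated, a value may itself contain spaces (devTime,
# devTimeFormat), so a value runs until the next ' key=' token or the end of the line.
_ATTR_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

# Protocol numbers that appear in firewall/IPS flow events (constructed lookup table).
PROTO_NAMES = {1: 'icmp', 6: 'tcp', 17: 'udp'}


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: Dict[str, str]


def parse_leef(line: str) -> LeefEvent:
    """Parse one LEEF 1.0 record, ignoring any syslog header in front of 'LEEF:'."""
    start = line.find('LEEF:')
    if start < 0:
        raise ValueError('no LEEF header found')
    parts = line[start:].rstrip('\r\n').split('|', 5)
    if len(parts) < 5:
        raise ValueError('LEEF header needs at least five pipe-separated fields')
    version, vendor, product, product_version, event_id = parts[:5]
    if not version.startswith('LEEF:1.'):
        raise ValueError(f'unsupported LEEF version {version!r}')
    rest = parts[5] if len(parts) == 6 else ''
    attrs: Dict[str, str] = {}
    if '\t' in rest:
        # Default LEEF delimiter: one key=value pair per tab-separated field.
        for field_text in rest.split('\t'):
            key, sep, value = field_text.partition('=')
            if sep:
                attrs[key.strip()] = value
    else:
        # Space-separated form, as printed in Table 3.
        for match in _ATTR_RE.finditer(rest.strip()):
            attrs[match.group(1)] = match.group(2)
    return LeefEvent(version, vendor.strip(), product.strip(),
                     product_version.strip(), event_id.strip(), attrs)


def flow_tuple(event: LeefEvent) -> Tuple[Optional[str], ...]:
    """Return (src, srcPort, dst, dstPort, protocol name) for correlation or allow-listing."""
    a = event.attributes
    proto = a.get('proto')
    if proto and proto.isdigit():
        proto = PROTO_NAMES.get(int(proto), proto)
    return (a.get('src'), a.get('srcPort'), a.get('dst'), a.get('dstPort'), proto)


def summarize(event: LeefEvent) -> str:
    """One-line summary: product, event name (Table 3 'Event name'), flow, action, time."""
    src, sport, dst, dport, proto = flow_tuple(event)
    return (f'{event.product} {event.event_id}: {src}:{sport} -> {dst}:{dport}/{proto} '
            f'action={event.attributes.get("action", "?")} '
            f'at {event.attributes.get("devTime", "?")}')


if __name__ == '__main__':
    print(summarize(parse_leef(SAMPLE)))
```

The event name JSA shows in Table 3 is the fifth header field (event_id); the low-level category is assigned by the DSM, not carried in the record, which is why the parser does not try to derive it.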

Configuring FORCEPOINT Stonesoft Management Center to Communicate with JSA

Configure Stonesoft Management Center to communicate with JSA by editing the LogServerConfiguration.txt file. Configuring the text file allows Stonesoft Management Center to forward events in LEEF format by using syslog to JSA.

  1. Log in to the appliance that hosts your Stonesoft Management Center.
  2. Stop the Stonesoft Management Center Log Server.
  3. Use one of the following methods to stop the Log Server.
    • Windows - Stop the Log Server in the Windows Services list, or run the batch file <installation path>/bin/sgStopLogSrv.bat.

    • Linux - Run the script <installation path>/bin/sgStopLogSrv.sh.

  4. Edit the LogServerConfiguration.txt file. The configuration file is located in the following directory:

    <installation path>/data/LogServerConfiguration.txt

  5. Configure the following parameters in the LogServerConfiguration.txt file:

    Table 4: Log Server Configuration Options

    Parameter               Value               Description
    SYSLOG_EXPORT_FORMAT    LEEF                Type LEEF as the export format to use for syslog.
    SYSLOG_EXPORT_ALERT     YES | NO            Type one of the following values:
                                                • Yes - Exports alert entries to JSA by using the syslog protocol.
                                                • No - Alert entries are not exported.
    SYSLOG_EXPORT_FW        YES | NO            Type one of the following values:
                                                • Yes - Exports firewall and VPN entries to JSA by using the syslog protocol.
                                                • No - Firewall and VPN entries are not exported.
    SYSLOG_EXPORT_IPS       YES | NO            Type one of the following values:
                                                • Yes - Exports IPS logs to JSA by using the syslog protocol.
                                                • No - IPS logs are not exported.
    SYSLOG_PORT             514                 Type 514 as the UDP port for forwarding syslog events to JSA.
    SYSLOG_SERVER_ADDRESS   JSA IPv4 Address    Type the IPv4 address of your JSA console or Event Collector.

  6. Save the LogServerConfiguration.txt file.
  7. Start the Log Server.
    • Windows - Type <installation path>/bin/sgStartLogSrv.bat.

    • Linux - Type <installation path>/bin/sgStartLogSrv.sh.

    For detailed configuration instructions, see the StoneGate Management Center Administrator's Guide.
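Steps 4 to 6 edit LogServerConfiguration.txt by hand, and a typo there (an IPv6 address, a wrong export format, a forgotten SYSLOG_EXPORT_* switch) only shows up later as a silent log source in JSA. The following is an added example, not Forcepoint's or JSA's code: it reads the file, reports every deviation from the Table 4 values, and rewrites the file with those values while preserving unrelated lines. It assumes the file is a plain KEY=VALUE list (an assumption to verify against your installation) and that you want alert, firewall/VPN and IPS entries all exported; the SAMPLE_CONFIG excerpt, the SOME_OTHER_SETTING key and the 192.0.2.10 collector address are constructed.

```python
import ipaddress
from typing import Dict, List

# Target values from Table 4 on this page. The three SYSLOG_EXPORT_* switches are YES
# because this check assumes alert, firewall/VPN and IPS entries should all be forwarded.
TARGET = {
    'SYSLOG_EXPORT_FORMAT': 'LEEF',
    'SYSLOG_EXPORT_ALERT': 'YES',
    'SYSLOG_EXPORT_FW': 'YES',
    'SYSLOG_EXPORT_IPS': 'YES',
    'SYSLOG_PORT': '514',
}

# Constructed excerpt standing in for <installation path>/data/LogServerConfiguration.txt.
# The KEY=VALUE layout is an assumption; the values are deliberately wrong or missing.
SAMPLE_CONFIG = """\
# constructed sample, not a real Log Server file
SOME_OTHER_SETTING=keep-me
SYSLOG_EXPORT_FORMAT=CSV
SYSLOG_EXPORT_ALERT=YES
SYSLOG_EXPORT_FW=NO
SYSLOG_PORT=514
SYSLOG_SERVER_ADDRESS=2001:db8::10
"""


def parse_config(text: str) -> Dict[str, str]:
    """Read KEY=VALUE lines; blank lines and '#' comments are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        settings[key.strip()] = value.strip()
    return settings


def check_config(settings: Dict[str, str], collector_ip: str) -> List[str]:
    """Return a list of findings; an empty list means the file matches Table 4."""
    findings: List[str] = []
    for key, want in TARGET.items():
        have = settings.get(key)
        if have is None:
            findings.append(f'{key} is missing (expected {want})')
        elif have.upper() != want:
            findings.append(f'{key}={have} (expected {want})')
    addr = settings.get('SYSLOG_SERVER_ADDRESS', '')
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        findings.append(f'SYSLOG_SERVER_ADDRESS={addr!r} is not a valid IP address')
    else:
        if ip.version != 4:
            findings.append('SYSLOG_SERVER_ADDRESS must be an IPv4 address (Table 4), got IPv6')
        elif str(ip) != collector_ip:
            findings.append(f'SYSLOG_SERVER_ADDRESS={ip} does not point at the JSA '
                            f'console or Event Collector {collector_ip}')
    return findings


def apply_settings(text: str, collector_ip: str) -> str:
    """Rewrite the file text with the Table 4 values, keeping unrelated lines and order."""
    ipaddress.IPv4Address(collector_ip)  # refuse anything that is not an IPv4 literal
    wanted = dict(TARGET, SYSLOG_SERVER_ADDRESS=collector_ip)
    out: List[str] = []
    seen = set()
    for raw in text.splitlines():
        key, sep, _ = raw.strip().partition('=')
        key = key.strip()
        if sep and key in wanted and not raw.lstrip().startswith('#'):
            out.append(f'{key}={wanted[key]}')  # replace in place
            seen.add(key)
        else:
            out.append(raw)  # comments and unrelated settings are preserved
    for key, value in wanted.items():
        if key not in seen:
            out.append(f'{key}={value}')  # append keys the file did not have
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for finding in check_config(parse_config(SAMPLE_CONFIG), '192.0.2.10'):
        print('finding:', finding)
    print(apply_settings(SAMPLE_CONFIG, '192.0.2.10'))
```

Run check_config before and after apply_settings: the first run should list the deviations, the second should return an empty list. Stop the Log Server before writing the file and start it again afterwards, as steps 2 to 7 describe.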

You are now ready to configure a traffic rule for syslog.

Note

A firewall rule is required only if a firewall separates your JSA console or Event Collector from the Stonesoft Management Server. If no firewall exists between the Stonesoft Management Server and JSA, skip the traffic rule and configure the log source in JSA.

Configuring a Syslog Traffic Rule for FORCEPOINT Stonesoft Management Center

If your Stonesoft Management Center and JSA are separated by a firewall in your network, you must modify your firewall or IPS policy to allow traffic between the Stonesoft Management Center and JSA.

  1. From the Stonesoft Management Center, select one of the following methods for modifying a traffic rule.
    • Firewall policies - Select Configuration > Configuration > Firewall.

    • IPS policies - Select Configuration > Configuration > IPS.

  2. Select the type of policy to modify.
    • Firewall - Select Firewall Policies > Edit Firewall Policy.

    • IPS - Select IPS Policies > Edit Firewall Policy.

  3. Add an IPv4 Access rule by configuring the following parameters for the firewall policy:

    Parameter     Value
    Source        Type the IPv4 address of your Stonesoft Management Center Log Server.
    Destination   Type the IPv4 address of your JSA console or Event Collector.
    Service       Select Syslog (UDP).
    Action        Select Allow.
    Logging       Select None.

    Note

    In most cases, you want to set the logging value to None. Logging syslog connections without configuring a syslog filter can create a loop: the log entries generated for the syslog traffic are themselves exported over syslog, which generates further log entries. For more information, see the StoneGate Management Center Administrator's Guide.

  4. Save your changes and then refresh the policy on the firewall or IPS.

You are now ready to configure the log source in JSA.