IBM Security Network IPS (GX)
The IBM Security Network IPS (GX) DSM for JSA collects LEEF-based events from IBM Security Network IPS appliances by using the syslog protocol.
The following table identifies the specifications for the IBM Security Network IPS (GX) DSM:
Parameter | Value |
---|---|
Manufacturer | IBM |
DSM | Security Network IPS (GX) |
RPM file name | DSM-IBMSecurityNetworkIPS-JSA_version-Build_number.noarch.rpm |
Supported versions | v4.6 and later (UDP); v4.6.2 and later (TCP) |
Protocol | syslog (LEEF) |
JSA recorded events | Security alerts (including IPS and SNORT); Health alerts; System alerts; IPS events (including security, connection, user defined, and OpenSignature policy events) |
Automatically discovered? | Yes |
Includes identity? | No |
To integrate the IBM Security Network IPS (GX) appliance with JSA, use the following steps:
1. If automatic updates are not enabled, download the most recent version of the IBM Security Network IPS (GX) RPMs from Juniper Downloads and install them on your JSA Console.
2. For each instance of IBM Security Network IPS (GX), configure your IBM Security Network IPS (GX) appliance to enable communication with JSA.
3. If JSA does not automatically discover the log source, create a log source for each instance of IBM Security Network IPS (GX) on your network.
Configuring Your IBM Security Network IPS (GX) Appliance for Communication with JSA
To collect events with JSA, you must configure your IBM Security Network IPS (GX) appliance to enable syslog forwarding of LEEF events.
Ensure that no firewall rules block the communication between your IBM Security Network IPS (GX) appliance and JSA.
1. Log in to your IPS Local Management Interface.
2. From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.
3. Select the Enable Local Log check box.
4. In the Maximum File Size field, configure the maximum file size for your LEEF log file.
5. From the Remote Syslog Servers pane, select the Enable check box.
6. In the Syslog Server IP/Host field, type the IP address of your JSA console or Event Collector.
7. In the TCP Port field, type 514 as the port for forwarding LEEF log events.
   Note: If you use v4.6.1 or earlier, use the UDP Port field.
8. From the event type list, enable the event types that you want to forward to JSA.
9. If you use a TCP port, configure the crm.leef.fullavp tuning parameter:
   a. From the navigation menu, select Manage System Settings > Appliance > Tuning Parameters.
   b. Click Add Tuning Parameters.
   c. In the Name field, type crm.leef.fullavp.
   d. In the Value field, type true.
   e. Click OK.
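To confirm that the lines arriving from the appliance are well-formed LEEF before you troubleshoot log source discovery, captured syslog lines can be checked with a small parser. This is an added example, not part of the original documentation or of any IBM or Juniper tooling; it assumes the LEEF 1.0 layout (pipe-delimited header followed by tab-separated key=value attributes), and the sample lines, vendor and product strings, event ID and attribute names are constructed placeholders.

```python
import re

# LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID| followed by
# tab-separated key=value attributes. A syslog header may precede "LEEF:".
LEEF_RE = re.compile(r"LEEF:(?P<leef>1\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
                     r"\|(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$", re.S)
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_leef(line):
    """Return a dict for one syslog line carrying a LEEF 1.0 event, or None."""
    line = line.rstrip("\r\n")
    m = LEEF_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    attrs_raw = event.pop("attrs")
    pri = PRI_RE.match(line)
    if pri and int(pri.group(1)) <= 191:
        # Syslog PRI = facility * 8 + severity
        event["facility"], event["severity"] = divmod(int(pri.group(1)), 8)
    attrs, malformed = {}, []
    for pair in filter(None, attrs_raw.split("\t")):
        key, sep, value = pair.partition("=")
        if sep and key:
            attrs[key] = value
        else:
            malformed.append(pair)  # attribute without key=value form
    event["attrs"], event["malformed"] = attrs, malformed
    return event


def check_feed(lines):
    """Summarise a capture: LEEF events, non-LEEF lines, events with bad pairs."""
    parsed = [parse_leef(l) for l in lines]
    ok = [e for e in parsed if e]
    return {"leef": len(ok), "not_leef": parsed.count(None),
            "with_malformed_attrs": sum(1 for e in ok if e["malformed"])}


# Constructed sample lines (not real appliance output); vendor, product,
# event ID and attribute names are placeholders.
SAMPLE = [
    "<134>Jan 10 12:00:01 ips01 LEEF:1.0|ExampleVendor|ExampleIPS|4.6.2|Example_Event|src=192.0.2.10\tdst=198.51.100.7\tproto=tcp",
    "<134>Jan 10 12:00:02 ips01 LEEF:1.0|ExampleVendor|ExampleIPS|4.6.2|Example_Event|src=192.0.2.11\ttruncated",
    "<13>Jan 10 12:00:03 ips01 sshd[411]: session opened",
]

if __name__ == "__main__":
    print(check_feed(SAMPLE))
```

A non-zero `not_leef` or `with_malformed_attrs` count on a capture from the appliance's source address points at the forwarding configuration rather than at the JSA log source.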
Syslog Log Source Parameters for IBM Security Network IPS (GX)
If JSA does not automatically detect the log source, add an IBM Security Network IPS (GX) log source on the JSA Console by using the Syslog protocol.
When you use the syslog protocol, you must use specific parameters.
The following table describes the parameters that require specific values to collect Syslog events from IBM Security Network IPS (GX):
Parameter | Value |
---|---|
Log Source type | IBM Security Network IPS (GX) |
Protocol Configuration | Syslog |
Log Source Identifier | The IP address or host name for the log source as an identifier for events from your IBM Security Network IPS (GX) appliance. |