NetScreen attack logs not parsing
Hello, I'm testing the trial version of FA Build Version 4.0.3, Build Number 4033, with our Juniper SSG-140 NetScreen firewall (version 5.4.0r5.0). All traffic logs are fine and the reports are OK except the attack logs. I checked that the logs are on the Firewall Analyzer server, but Security Statistics just shows denied events and the attack reports are empty. Where could the problem be?
Live reports for an IP
Hi, Is it possible to make a custom live report for a single IP or subnet? Thanks. BR, Gabi.
Name resolving by the hosts file
Hello, is there any way to force FA to resolve DNS names not only with DNS servers, but with the local hosts file as well (the way it is done by the operating system itself: hosts file first, then DNS)? Mariusz
URLs from Cisco firewall
Hi, apologies if this appears a strange question, but I didn't initially configure our Firewall Analyzer. We are monitoring a Cisco firewall, but I'm noticing that all reports coming back are IP only. We're hoping to be able to monitor users' web traffic, but this becomes a bit tricky when the reports are IP only (the URL report is blank, if this helps at all). Could anyone point me in the right direction to get this configured to report on URLs? Thanks in advance, Chris
Frustrated with Firewall Analyzer performance
FW Analyzer is a terrific tool when our university network is quiet, but since the students have returned in the past few weeks, it has completely collapsed under the load. I spoke with a support engineer and ended up dialing back the logging level on our PIX and logging only specific messages, but it still can't keep up. Are there any performance tuning tricks besides the MySQL memory tweak? Anything else I can try? The system I am running on is a dual-core 2.33 GHz Intel Xeon with 2 GB of memory,
PIX Error Message
%PIX-6-106015: Deny TCP (no connection) from x.x.x.x/13290 to y.y.y.y/25 flags ACK on interface outside
Dear All, I am getting hit by this message a lot. Due to this my e-mails are being rejected and my bandwidth is utilized to the maximum. My e-mails are received from a hosted service. I have gone through the net and have read that there is nothing much we can do. Please let me know if there is any other alternative solution. Regards,
High CPU usage and login not possible
Hello, I wrote you a mail with the content of this thread yesterday. Unfortunately, I have not received an answer so far, so I'll try it this way ;-) For a short time I have had problems logging in to the FW Analyzer dashboard. What I can see is that I have high CPU usage for java.exe on the server which is running the software. After a reboot it is possible to log in again, but after a short period of time I have the same problem again. I have been running the FW Analyzer (latest Build 4030) on Windows
VPN log showing no data available (Firewall Analyzer)
Hi, I have imported the VPN log successfully, but the VPN reports say no data available. Please help me on this. Thanks and regards, Annappa
FwA not showing data
Hello folks, I am new to Firewall Analyzer, but want to give it a try. I'd like to try the tool by analyzing last Sunday's traffic logs from a cluster of Forti800s. Since our FortiAnalyzer as well as our FortiGate cluster is already beyond high load, the poor thing, I do not want to burden them by sending logs to the FwA. So I tried to feed my testing instance of Firewall Analyzer by HTTP with Forti logs taken from our DWH. I copied those to a Linux box, where I would gunzip them, then feed
Squid logs reports and database size
Hello, I've been trying your software for 3 days for Squid log analysis and I find it really good, but I have trouble with several things. 1st) In the reports, the time that users have been watching websites is totally wrong. I mean, for one hour of logs, they say that the user has been watching the website for 36 hours, for example, and this value is so big for all users... Really weird, and in another report tool I've got correct values, so.... Where can I correct this? 2nd) My database has grow
FwA 4 stops accepting syslogs (shows No Data)
Hi, we recently purchased FwA4 Professional with 30 licenses. Currently we have 12 Cisco PIX firewalls sending logs to it. It receives these logs fine for a day or so and then stops displaying data as it is received. I can see that syslogs are still hitting the server (Red Hat Linux, by the way), but it appears they are no longer accepted into the FwA software. Any way I can further troubleshoot this? I do a netstat -l which shows the syslog port as listening, and traffic hits the queue. The disk space is still
PIX 515E report: no data in admin report and traffic
I'm doing 30 days of PIX 515E logs; all looks good except several reports contain no data. 1. Admin report: no data. I found it was counted into Error messages. Top Event Messages, Top messages generated with Critical severity:
Message | Host | # Events
%PIX-2-109011: Authen Session Start: user 'cahe', sid 156120 | 0.0.0.0 | 2
%PIX-2-109011: Authen Session Start: user 'rhg', sid 156112 | 0.0.0.0 | 2
%PIX-2-109011: Authen Session Start: user 'jgu', sid 156074 | 0.0.0.0 |
PIX is doing AAA authentication for certain inbound
Generate personal report
Hi, I'm trying to do the following report: Attack Report for IP Spoofing: January 5000 attacks, February 6500 attacks, March 3200 attacks. I want to obtain these results from the attack year table, but I don't know the logic of each one, because I imagine that after more than 500,000 records another table is created. I will query something like this: SELECT ATTACK, COUNT(*) AS CTN FROM attack_vs_cli_year WHERE ATTACK='"ip spoofing"' and hour between "2007-12-01 00:00:00" and "2008-01-01 00:00:00" In which
Live Reports showing no data
I am currently running Firewall Analyzer against a ZyWALL 70 firewall. The live reports feature is not presenting any data. Please advise.
PDF reports logical sequence
Hi, a customer generates 10 reports automatically every week; all are stored on the server in folders with a number. What sequence do the folders have? We found a folder with reports with a lot of numbers: 2 3 202 302 602 1002 etc. How can this be explained?
Firewall Analyzer says Syslog server is down
I have just installed Firewall Analyzer for the first time. I want to use it for my Cisco PIX 515e. I can see my syslog server being populated with informational and above logs from the firewall, but when I go to add a syslog server and type the server IP of the syslog server and the port of udp/514 (which is what my Cisco PIX is using), it says the status is down. If I change the port to udp/1514 or any other port, it says the status is up. Is this because that port is already in use on that server?
Firewall Analyzer demo site will be down for maintenance
Due to a system upgrade, the Firewall Analyzer demo web site will be down from 19th January 2008 12:00 AM PST to 22nd January 12:00 AM PST. We are sorry for the inconvenience. Thanks, Firewall Team
Adding Device
Hi, I would like to know how to add a device in Firewall Analyzer. We have a PIX 515e. I have configured the PIX to send logs to FW Analyzer on 514/UDP. Regards, Venkat
Cisco PIX 515e Setup Help
I just installed Firewall Analyzer and configured the PIX, but for some reason the FWA web site still says "No firewall is currently exporting logs to Firewall Analyzer". Here is the sh logging from the PIX:
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Deny Conn when Queue Full: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level informational, facility 20, 274062 messages logged
Logging to outside
refresh screen
Is there an option to refresh the screen? I want to view the live reports with a refresh every 5 minutes. Thanks
Fortigate Firewall configuration
I have configured FW Analyzer on the FortiGate. I notice the FW Analyzer server is also receiving the traffic, but on the reports it shows nothing. I have configured Information and local7 in the syslog configuration, but still that does not seem to work out.
Streaming & Chat site question
I'm demoing this software and have a question. We use a Juniper SSG-550. While the Firewall Analyzer software is displaying all of our traffic, it has a hard time with certain chat sites. For example, Yahoo Messenger/Chat is accessed by our users via a web address that starts with httpes://..., but our NetScreen just shows it as port 80, regular HTTP traffic. Is there any way to configure the analyzer software to recognize that traffic as chat, or am I confined strictly to port numbers? Thank you.
Alert acknowledgement
Hi, is there any way to delete or acknowledge alerts, so I know that they have already been checked by me or another administrator? Alex
Password Recovery
How do you reset the admin password? I am unable to get in with the admin/admin login.
Create an alert where the source is a network?
I am trying to set up an alert based on a certain number of events in a specific time when the source is from any of four networks. When defining the criteria, can I use CIDR (e.g. 123.123.123.0/24) for the source? Or do I have to create an "anomaly alert" for each network?
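As an added illustration (not the product's alert engine, and not code from the post above): the alert asked about is a count threshold over a trailing time window, restricted to events whose source falls inside any of several CIDR networks. The Python below does the CIDR matching with the standard ipaddress module and fires once when the count in the window reaches the threshold, re-arming after the count drops below it again. The network list and the (timestamp, source IP) events are constructed for the example and use documentation address ranges.

```python
import ipaddress
from collections import deque

# Constructed watch list: four networks, as in the question (documentation ranges).
WATCHED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "10.1.2.0/24")
]


def in_watched(ip, networks=WATCHED_NETWORKS):
    """True if the address falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def threshold_alerts(events, threshold, window_seconds, networks=WATCHED_NETWORKS):
    """events: (epoch_seconds, src_ip) pairs in time order.

    Returns [(time, count)] for each moment the number of matching events in the
    trailing window first reaches the threshold; re-arms when it drops below again.
    """
    window = deque()   # timestamps of matching events inside the trailing window
    alerts = []
    armed = True
    for ts, src in events:
        if not in_watched(src, networks):
            continue
        window.append(ts)
        # Drop events older than the window; the just-appended ts keeps it non-empty.
        while ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            if armed:
                alerts.append((ts, len(window)))
                armed = False
        else:
            armed = True
    return alerts


# Constructed events: a burst from watched networks, one outsider, then a second burst.
SAMPLE_EVENTS = [
    (0, "192.0.2.10"), (10, "192.0.2.11"), (20, "8.8.8.8"),
    (30, "198.51.100.5"), (40, "203.0.113.7"),
    (200, "10.1.2.9"), (210, "192.0.2.12"), (220, "192.0.2.13"), (230, "192.0.2.14"),
]

if __name__ == "__main__":
    # Four watched-source events within 60 s twice over: fires at t=40 and again at t=230.
    print(threshold_alerts(SAMPLE_EVENTS, threshold=4, window_seconds=60))
```

The outsider at t=20 (8.8.8.8) is ignored, so the first burst only reaches four matching events at t=40; by t=200 the window has emptied and the alert re-arms for the second burst.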
Moving Firewall Analyzer to a new server
What are the required steps for moving Firewall Analyzer to a new server? Are there any licensing issues? We'll be moving off of Windows 2000 and onto Windows 2003, also hopefully using the most recent version of FA. Current FA version: Build Version: 4.0.3, Build Number: 4033. Thanks,
WatchGuard Firebox X Edge 50 Syslog not recognized
I'm in day 2 of my eval and I'm having a problem with Firewall Analyzer recognizing syslogs from a WatchGuard Firebox X Edge 50. Other WatchGuard models (Firebox X Core 700 and Firebox III 700) work fine using syslog, but Firewall Analyzer doesn't like the Edge. Here's a snippet of syslog from the Edge 50 (I modified the external address in the log to xxx.xxx.xxx.xxx):
<134> IP: allowed from 10.1.2.12 port 1417 to 170.97.67.125 port 443 TCP(allow by Outgoing)
<132> IP: discard from 202.97.238.204 port
"Unassigned" and "Unknown" protocols
Is there a way for me, in the reports section, to see the unassigned protocol numbers, i.e. a report? Would it not be better in detailed reports to show the unassigned number rather than "unknown"? E.g. I have a server with 100 www hits and 1000 unknowns. I want to know what the protocol numbers are so 1) I can assign them, 2) discover attacks, 3) find weaknesses in policies. Seems a useful feature... yes?
Top External Sites also showing internal sites
Had FWA a while but am restarting use today for the new year. The Top External Sites in "Internet Reports" shows internal (all intranet networks, see below) and external IP addresses. I have set up intranet private IP networks, and other reports seem to be holding to that. I have about 5 networks across various interfaces on Juniper SSG140s. Is the problem that FWA is using logs without applying the intranet filter settings?
Duplication of filter criteria in Alert Profile
Whenever I go to edit an Alert Profile, all of the filter criteria are duplicated. How can I fix this? I've tried to "remove" it, but when I go back in to edit, it has added instead of removed.
Audit logs from Check Point
Hi, we have patched our Firewall Log Analyzer with the latest build version 4020. The new patch seems to be working fine. I have found that in the reports area there is a new addition called Admin Reports (which we were looking forward to for a long time), but I have found that it currently supports only the Cisco PIX firewalls. I would like to know whether it could support audit logs from Check Point also, so that we can keep track of user activity on the Check Point management server. Regards,
What Is <23>?
Happy New Year. I am new to AdventNet FW Analyzer and would appreciate it if you could tell me the meaning of <23> at the start of each syslog message. For example: <23>Scan [15439]: ...... <23>Inbound/pass1 [15451]..... <23>outbound/smtp [14504] .... I am not sure if it means port 23, so I would like to ask you to be sure. Thank you very much. HD
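As an added example, not part of any post above and not Firewall Analyzer's own parser: the lines quoted in the WatchGuard Firebox X Edge 50 post and in the <23> question both start with the RFC 3164 priority prefix, where <PRI> = facility * 8 + severity (so <23> is facility 2, mail, at severity 7, debug; <134> is local0/info; <132> is local0/warning). The Python below decodes that prefix, then parses the WatchGuard "IP: allowed/discard from ... to ..." body and the Cisco "%PIX-severity-msgid:" header (including the 106015 "Deny TCP (no connection)" message from the PIX post) into one record shape, and tallies denied sources. The sample lines are constructed for the example; documentation-range addresses stand in for the redacted x.x.x.x/y.y.y.y ones.

```python
import re
from collections import Counter

# RFC 3164 facility and severity names; PRI = facility * 8 + severity.
FACILITY_NAMES = (
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
    "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
).split()
SEVERITY_NAMES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*(?P<rest>.*)$")
# WatchGuard Firebox X Edge traffic line, as quoted in the post above.
WG_RE = re.compile(
    r"^IP: (?P<action>\w+) from (?P<src>[\d.]+) port (?P<sport>\d+) "
    r"to (?P<dst>[\d.]+) port (?P<dport>\d+) (?P<proto>\w+)\((?P<rule>[^)]*)\)"
)
# Cisco PIX header: %PIX-<severity>-<six-digit message id>: <text>
PIX_RE = re.compile(r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# Body of message 106015 (Deny <proto> (no connection) from a/p to b/p flags F on interface X).
PIX_106015_RE = re.compile(
    r"^Deny (?P<proto>\w+) \(no connection\) from (?P<src>\S+)/(?P<sport>\d+) "
    r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)$"
)


def decode_pri(pri):
    """Return (facility, severity) names for a syslog PRI value (0..191)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7]


def parse_line(line):
    """Normalise one syslog line into a dict; unknown formats keep only the PRI fields."""
    rec = {"raw": line, "vendor": "unknown"}
    body = line
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        rec["pri"] = pri
        rec["facility"], rec["severity"] = decode_pri(pri)
        body = m.group("rest")
    m = WG_RE.match(body)
    if m:
        rec["vendor"] = "watchguard"
        rec.update(m.groupdict())
        return rec
    m = PIX_RE.match(body)
    if m:
        rec["vendor"] = "cisco-pix"
        rec["msgid"] = m.group("msgid")
        rec["pix_severity"] = int(m.group("sev"))
        d = PIX_106015_RE.match(m.group("text"))
        if d:
            rec["action"] = "deny"
            rec.update(d.groupdict())
        return rec
    return rec


def top_denied_sources(lines, n=5):
    """Count sources of dropped/denied packets across both vendors' formats."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") in ("discard", "deny"):
            counts[rec["src"]] += 1
    return counts.most_common(n)


# Constructed sample lines (documentation-range addresses stand in for the redacted ones).
SAMPLE_LINES = [
    "<134> IP: allowed from 10.1.2.12 port 1417 to 170.97.67.125 port 443 TCP(allow by Outgoing)",
    "<132> IP: discard from 203.0.113.9 port 4444 to 198.51.100.7 port 445 TCP(deny by Default)",
    "<23>Scan [15439]: constructed sample message",
    "<166>%PIX-6-106015: Deny TCP (no connection) from 203.0.113.20/13290 to 192.0.2.25/25 flags ACK on interface outside",
    "<166>%PIX-6-106015: Deny TCP (no connection) from 203.0.113.20/13291 to 192.0.2.25/25 flags ACK on interface outside",
    "%PIX-2-109011: Authen Session Start: user 'cahe', sid 156120",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(top_denied_sources(SAMPLE_LINES))
```

The PRI value is independent of the vendor body that follows it, which is why the <23> lines decode cleanly even though their body format is not recognised; <166> on the PIX lines is local4 (facility 20) at info, matching the "Facility: 20" shown in the PIX 515e sh logging output earlier on this page.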
Page Numbers overlapping footer logo
We are adding custom graphics to the PDF reports. However, although our footer picture is the correct size, the page number information always overlaps the graphic. Is there something wrong? Do we simply need to make the footer graphic wider? Right now it is 547x37 as specified. Jason Bottjen
Edit Report Profiles
Is there a way to edit a report profile after you create it? Deleting and remaking from scratch over and over while you are tweaking things is very tiresome. Jason Bottjen
Operator can't see alerts
Hi, I created a profile of type OPERATOR, but this operator can't see the alerts. In the documentation the only thing that isn't possible is the configuration of the intranet. Any idea what could be occurring? Thanks
Multiple apps on server
I am currently running FW Analyzer build 4030, WiFi Manager build 5600, EventLog Analyzer build 4030 and OpUtils build 4312, all on a single Win2K3 server. Performance is good, but would it be possible to run a single instance of MySQL server instead of separate ones for each product? If so, could you provide the necessary configuration steps? Even if I can only combine 2 or 3, would I see an improvement? Thanks, Gene
No firewall is currently exporting logs to Firewall Analyzer
I have two Check Point FireWall-1 installations at two different offices; both are Check Point VPN-1 & FireWall-1 NG with Application Intelligence (R55) HFA_20, Hotfix 969 - Build 015. I have followed the setup in the installation manual for an unauthorized LEA connection to the "T". One server is pulling through data successfully; the other server is telling me that "No firewall is currently exporting logs to Firewall Analyzer". I have double-checked everything and cannot find anything different between the
SMTP not working
I recently purchased Firewall Analyzer. I am trying to set up the mail server settings so that reports can be automatically emailed out. I can send mail from this same machine through Outlook Express, so I know the ports are open, etc. When I put in the mail server and then try to test it, I get the following error: Failed: Sending failed; nested exception is: class javax.mail.MessagingException: Could not connect to SMTP host: DEVPDMTS1, port: 25; nested exception is: java.net.SocketException: Software
Creating an Alert Profile with Exclusions.
Currently I use both Kiwi Syslog and Firewall Analyzer for parsing the PIX syslog messages. I am trying to create a rule on Firewall Analyzer that will allow me to monitor login events that are generated from specific hosts. I am able to create a rule that will alert me of all login attempts; however, I need to create one that will exclude specific hosts from the alert. We have a script that runs on one of our servers that automatically logs into our devices to download configs every hour using SSH
I receive logs but got no data in reports
I can see logs included in a couple of files in the following directory, but I get no data in any reports: /opt/AdventNet/ME/Firewall/server/default/archive/192.168.10.14. I have changed the MySQL port to 33337 because I was running another MySQL instance, but nothing changed. I can also capture the syslog messages using Wireshark, so I'm sure I receive them. Any clue? I'm testing FA to log messages from 4 Cisco ASA 5520s. Thanks, Ben