Different firewall vendors on a single FWA
Hi support, I would like to ask if it is possible to have different firewall vendors configured on a single FWA? (e.g. I have Check Point and Fortinet on different machines). Would there be any special configuration? Thanks, Jenesis
FW support Cisco VPN Concentrator?
Hi, With the new version of Firewall Analyzer (Build 4020), does it support the Cisco VPN Concentrator? Can I send log information from the VPN Concentrator to Firewall Analyzer and generate VPN reports? Please let me know. Thanks, Herman
Incorrect Reports
I am currently running the Firewall Analyzer evaluation version. I am wondering about the event summary report page. It appears the totals for the different graphs on the report do not match. For example, in the event summary graph the event total is reported as 231500 events. In the top hosts graph the event total is reported as 90830. Why the difference? Do these two totals track different statistics?
Upgrade path.
Is there somewhere on your web site that relates a PROCEDURE if you're at a build 4012 to change to the 4020 build? Regards, --Ron
Cyberguard support
Any idea whether Cyberguard Firewall is supported by Firewall Analyzer? Thanks
Cisco IOS syslogs
Hi, I am currently running the evaluation copy of the Firewall Analyzer and straight up I can tell it will suit my organisation's requirements but for one thing - Does it support Cisco IOS syslogs for routers running the advanced security feature-set? I have not seen a positive reply to this question on the forums. With my eval I am not seeing the host discovered or even entries in the unsupported logs received area. I have confirmed that syslogs are making it to the physical server using kiwisyslog.
Import Logs Duplicating
Anyone, Could you tell me what happens if you import the same file twice? It seems to duplicate, and if so, how can you remove the data so the reports clear back down? The reason why I ask is because we want to import from our WatchGuard system for logs going back six months, however someone imported a file twice which duplicated that day's data. I understand you have to be careful when importing files but can you roll back the data or could you tell me how to reset the whole database and start over
Import Logs Duplicated
Can you tell me what happens if you import the same file twice? It seems to be duplicated, and if so, how can you remove the data so the reports clear back down? The reason why I ask is because we want to import from our WatchGuard system for logs going back six months, however someone imported a file twice which duplicated that day's data. I understand you have to be careful back can you roll back the data or could you tell me how you wipe the data and start over without uninstalling the product? Kind
Auto refreshing Firewall Analyzer
We are using FA Build 4020 on a Windows 2003 Server for our Netscreen25 device. Is there a way to keep my session open (web client) without timing out? I would have liked to keep Firewall Analyzer open, and just have it auto refresh (ideally in a pre-configured interval). Would be nice to see the Live reports auto refresh by themselves. This would make us pro-active in assessing the current state of our network usage. However, the web client times out and we have to log in again. Maybe you can add this
Alerts
Hi, I have created an Alert profile to receive emails whenever Firewall Analyzer receives a syslog entry that contains login attempt. The rule I have created is: Match all of the following - The message contains login attempt. The new rule does not seem to work. Any idea what could be the problem? Below is a sample syslog entry: Oct 16 09:24:37 192.168.x.y hostname: NetScreen device_id=hostname [Root]system-notification-00002: Admin user "usename" login attempt for Web(http) management (port 80)
Alert!!
Hi, I have been testing Firewall Log Analyzer for the last 2 weeks. I would like to suggest something for the setting of alerts. Right now an alert can be set only as <"Severity/Attack/etc .."> <"is/isnt/etc.."><string>, which means I have to give some entry as a string. But it would be nice if a condition like ANY could be set. So the alert would look like <"Severity/Attack/etc .."> <"is/isnt/etc.."><"[any/{string}]"> I will tell you the reason because I want to set an alert which gets triggered when an Attack
ManageEngine Firewall Analyzer Service Pack 2 (Build 4020)
We are happy to announce the availability of ManageEngine Firewall Analyzer Service Pack 2 (Build 4020). The new release empowers Network Administrators & MSSPs with user-specific device views, anomaly detection filters for network behavioral analysis, firewall administration reports for regulatory compliance, support for more devices, and many other new feature additions as listed below. To get the complete build (4020) follow the below URL. http://manageengine.adventnet.com/products/firewall/download.html
Cannot start
Our Fedora 5 box had rebooted and now we cannot start the program anymore STATUS | wrapper | 2006/10/14 14:46:46 | --> Wrapper Started as Daemon STATUS | wrapper | 2006/10/14 14:46:46 | Launching a JVM... INFO | jvm 1 | 2006/10/14 14:46:47 | Wrapper (Version 3.1.1) INFO | jvm 1 | 2006/10/14 14:46:47 | INFO | jvm 1 | 2006/10/14 14:46:48 | This evaluation copy is valid for 29 days INFO | jvm 1 | 2006/10/14 14:47:14 | Failed to start the server. Please refer logs for more details INFO | jvm 1 | 2006/10/14
Checkpoint LEA not getting the action field
Hi, I've successfully set up a LEA connection with my Checkpoint management station, enabled tracking, and reporting is working. Though I'm not getting any data in "Security Reports" and "VPN Reports". After checking out the retrieved log in <fwa_dir>/Firewall/server/default/archive/<ip> I can't see the action of each log entry. This is probably why I can't see "Top Denied Hosts" etc. So my question: how do I get the action (drop, accept, etc.) into the logs? And will this also solve my empty "VPN Reports"?
Report Scheduling
Hi Support, I want to configure a Report profile such that every evening (say 5 pm) I should get the report for the previous 8 hrs. I tried configuring an hourly report and scheduled this report to run at 4:30 pm, however I get a report only for 1 hour, and even in that sometimes I just get a mail without an attachment, and the mail says that there is an error in report generation. How can I achieve this? I am using build 4012. Regards
Manage Engine vs other Firewall analyzers
Hi, We are currently evaluating several firewall log analyzers/reporting products and so far in a google search of "firewall log analyzer" sawmill and manageengine top the list. Not to mention loglogic, splunk, phpsyslog-ng, etc. etc. Anyone here who has experience using those products? So far, I am particularly biased to manageengine... My boss really wants me to dig into sawmill further.. I just want to convince him a little more. How does manageengine compare to sawmill? Other log analyzer
Astaro V6
I want to use Astaro6 and need to know how to configure the firewall. At the moment I was able to handle the export of the logs but they are not recognized by the Analyzer. Which logs must be sent to the analyzer to work?
DNS Resolution Not Working Properly
For some reason the DNS resolution feature works but does not resolve all addresses. It resolves all internal addresses with no problem. But for some of the external addresses it does not. If I do a manual nslookup on some of the addresses it resolves them fine, but Firewall Analyzer does not. Any solutions?
URL not shown
Hi, I am testing Firewall Analyzer. My network is: a DMZ with four servers (mail, dnn, web...) and a local network. In all reports, I can't see the URLs (from my servers) visited by internauts. I see the rate between the four servers, their public IP address but no precision about what the visitors have done. I have a Fortigate 60 firewall. Is there a special setting to do? Thanks
Traffic reports
Dear Support, I would like to seek clarifications on the definition of the "Top hosts - Sent" "Top hosts - Received" in the traffic reports. For e.g., how is sent traffic to be interpreted? Is it the traffic sent out of the firewall interface (irrespective of the interface of the firewall, i.e. inside and outside) or is it the traffic sent out from the LAN to the internet? Regards
Netscreens
I am using multiple Netscreens and exporting syslogs to FWA. I have everything checked but debug in the Netscreens. FWA reports for attacks are always empty, other reports seem OK. What should I look for? Also, I would like to look for 'flood' in the logs since I am particularly interested in ICMP and SYNDOS floods. So far I can't find them in reports. Thanks
Features for 4020
Dear Folks, Following is the list of features that we are taking for our next build 4020. Please feel free to pour in your valuable suggestions. New Features: 1. Support for User Based Firewall View, i.e. certain users can view certain firewalls. 2. Advanced Search with AND, OR options. Options to save Search Result as PDF reports. 3. Anomaly detection based on known trend history. 4. New reports like Peer to Peer reports which help you to identify scans New Devices Support: 1. Cisco VPN Concentrator,
Syslog in local machine
Hi: I have a Linux server and am running Firewall Analyzer on the same machine. I can't get the syslog. What happened??? Thanks
Which has more info: WELF or SYSLOG?
Is one format better than the other? I have a Fortigate box that can send logs via syslog or welf formats - does one provide more detail than the other? I notice in a post here there were issues generating the virus report which showed some syslog messages - does welf also provide these messages? Should I send both formats to FA to cover my bases? Thanks in advance, TJ
User Internet Usage/URL monitoring
Hi, I was wondering if someone can tell me about a good (freeware if possible) tool that can be used to monitor user activity from their desktop machines to the internet. Basically I want to monitor the websites that each user is accessing. Thanks, HS.
MS RADIUS (IAS)
Is it supported? It seems like FA expects radius logs via syslog (which IAS doesn't appear to support - only logging to a file, local event log and a SQL box). I suppose if FA could read a local table we could log direct from IAS to a MySQL table in FA... Is there any chance FA could just download and parse the log files via FTP or UNC etc? I guess the only other way around this would be to run an eventlog-> syslog client on the IAS server and given the format of the syslog message FA is expecting,
Logs archived but cannot load
Dear Support, I have enabled the log archiving in the fw analyzer. But for the archived file it does not show me a "load" button to load it into the database; instead it only shows me delete. Secondly, I have configured the Netscreen firewall 208 to export logs to the Manage Engine FW analyzer and a syslog server. On the syslog server a day's file size is almost 3 GB whereas in fw analyzer it is just 220 - 250 MB. I see something fishy in the log generation by the fw analyzer. Pls guide. Regards
Report not generating....Critical
Hai, We have been testing and analysing the Firewall Log Analyzer for the last one week. We have found the following problems in this tool. 1. I have set the file creation interval and archiving with the default values. But I have found that archiving is not happening automatically. I have to manually give the Zip now command from the Archive options. Why is it not archiving automatically? 2. Today I have found another problem which I am not able to correct till the moment. The disk space on
Time based Report + Unassigned Traffic
I have two queries. 1. Is it possible to get a time based report, i.e. for a particular time slot in a day? 2. Most of the traffic passing is marked as unassigned. So how can that be analyzed? Is there any patch available for fixing that? Regards
Firewall Analyzer Service Pack 1 (Build 4010) Available !!!
Dear All, We are very happy to announce Firewall Analyzer 4 Service Pack 1 (Build 4010) is released. To get the complete build follow the below URL. manageengine.adventnet.com/products/firewall/download.html To get the Service Pack follow the below URL. This Service Pack can be applied over build number 4002 or 4003. Users who are using build number 4000 or 4001 kindly contact us through support@fwanalyzer.com. Same Service Pack can be applied for both Windows and Linux. manageengine.adventnet.com/products/firewall/service-packs.html
Real-Time Live Reports
hi support, are the reports generated by the firewall analyzer real-time? the reports that im getting are not changing (the graphs/data) even if i do something at the client's machine connected in the firewall. i only see the graphs/data change if i restart the firewall analyzer. please advise. thanks
MS Radius
I'm running FW analyzer Build Version : 4.0.1 Build Number : 4012 to analyze PIX firewall logs. My problem is that the Microsoft Radius report shows me nothing.
blocked port reports
hi, is the firewall analyzer capable of generating report regarding the number of ports blocked? what are the ports blocked, the source of who is "attacking" the ports, etc. thanks
Resolving DNS
hi support, when resolving DNS, some IP addresses cannot be determined. is there any work-around so i can add these particular ip addresses into hostnames? so, by the next time that the firewall analyzer generates the report, it will display the hostnames instead of the ip adds? thanks
Importing Checkpoint Audit logs + more
Hai, I would like to have some clarifications regarding the FWA. 1) I would like to know whether I am able to import Checkpoint audit and account logs from the Checkpoint machine. Then in which part would the logs be displayed? 2) I would like to know on what basis the Event overviews are generated. I am having this query because it is showing a whole list of events under different devices and I don't find any specifics in it (like Device_A having #Events as 10000). It would be nice if the Events
Alerts on PPTP terminations
We're using FA with a PIX firewall. We'd like to set up email alerts for PPTP connections terminating against the PIX, but only for certain users - that is we want to exclude some users from generating alerts. How do we do this?
Logging using different firewall
Hi support, I would like to ask if the Manage Engine is capable of different access depending on the firewall? Example: client A is using a FG1 firewall, client B is using a FG2 firewall, and client C is using a Check Point firewall. All of the 3 firewalls are configured to send syslogs to the Manage Engine. Now, what I want to do is that client A can access the Manage Engine but will only see the reports generated by his firewall, which is FG1. Same goes with the other 2 clients with their respective
Monitor Web URLs.
I like what I see so far with this product. Is there a way to monitor what users are accessing what websites and how often?
Live Report not quite right
We love the software, it works great. However, we are getting mixed results with the Live Report. It shows current traffic just fine, but historical is not so good. The week and monthly data stops recording all of a sudden. The data is coming in, it is reported in all other reports and screens. Just the historical data disappears. Sometimes it will start up again, and then stop reporting. Any ideas?
Starts Fine but has /fw/mindex.do error
I have installed the Firewall Analyzer on an Ubuntu 6.06 system. It installed fine and appears to start fine, but when I pull up the web page I get the following error. type Status report message /fw/mindex.do description The requested resource (/fw/mindex.do) is not available. I've searched the forum and saw a similar post, with an issue dealing with libpamso.0, and I do have that file located in /lib. Also, I've installed the application in /usr/local. I've included the entire log directory in