New Feature Series - 2 :: Firewall Analyzer 7 provides user names in the reports
Often, SEM/SIEM solutions produce reports that show only the IP addresses or DNS names of the machines from which a security incident emanated. If the exact user during whose session the incident occurred can be pinpointed, it is much easier to arrive at an accurate security assessment.
Firewall Analyzer 7 comes with a unique feature to associate the IP addresses of machines with user names available in the Firewall log entries. The association is done from either proxy server log entries or DHCP server log entries.
To get the benefit of this feature, carry out the configuration described below:
In the Firewall Analyzer 7 UI, select the Settings > System Settings > User-IP Mapping Configuration menu. The 'IpAddress to User Mapping' page appears, displaying the following options:
- Get User Names from Proxy logs and associate with Firewall logs
- Get UserName / MACAddress from DHCP logs and associate with Firewall logs
- None [Default]
Look at the image below:
By default, the third option, 'None', is selected. With this option, only the IP address or DNS name of the machine is displayed in the reports.
Select one of the options as per your requirement.
If you want the User Names available in the proxy server logs to be associated with the IP addresses in the Firewall logs, select the first option. On selecting this option, the Proxy Server, Firewall association table drops down. It lists all the Proxy Servers whose logs have been imported into Firewall Analyzer. If no Proxy Server is displayed, import the Proxy Server logs and configure them to be imported periodically. The Proxy Servers whose logs have been imported will then appear. Using the 'Assign / Edit Devices' menu link, assign the preferred Firewalls to the particular Proxy Server. Refer to the detailed procedure in the User Guide.
If you want the User Names/MAC addresses available in the DHCP server logs to be associated with the IP addresses, select the second option. On selecting this option, the DHCP Server, Firewall association table drops down. It lists all the DHCP Servers whose logs have been imported into Firewall Analyzer. If no DHCP Server is displayed, import the DHCP Server logs and configure them to be imported periodically. The DHCP Servers whose logs have been imported will then appear. Using the 'Assign / Edit Devices' menu link, assign the preferred Firewalls to the particular DHCP Server. Refer to the detailed procedure in the User Guide.
Choosing the 'Add DHCP Server as separate device' option allows you to run raw log searches on the DHCP Server logs. Otherwise, no DHCP Server specific reports are generated.
In the case of Linux/Unix machines, the Proxy/DHCP server logs can be collected via the syslog daemon port.
One point to note: only the reports generated for Firewall logs collected after the above configuration will contain the associated User Name. Reports generated prior to the configuration will continue to show the IP address or DNS name.
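The association described above can be sketched as follows. This is an added example, not Firewall Analyzer's own code or log format: the log layouts, the sample data and the functions `build_lease_index`, `resolve` and `annotate` are assumptions, and a lease is assumed to hold until the next lease for the same IP.

```python
import bisect
from datetime import datetime

# Constructed sample data; the layouts are illustrative, not a product log format.
# DHCP lease events: time, leased IP, MAC address, user name
DHCP_LOG = """\
2024-05-01T09:00:00 10.0.0.15 00:11:22:33:44:55 alice
2024-05-01T13:00:00 10.0.0.15 66:77:88:99:aa:bb bob
2024-05-01T09:30:00 10.0.0.20 cc:dd:ee:ff:00:11 carol
"""
# Firewall events: time, source IP, destination IP, action
FIREWALL_LOG = """\
2024-05-01T08:45:00 10.0.0.15 203.0.113.7 deny
2024-05-01T10:12:00 10.0.0.15 203.0.113.7 deny
2024-05-01T14:05:00 10.0.0.15 198.51.100.9 allow
2024-05-01T09:31:00 10.0.0.20 198.51.100.9 allow
2024-05-01T09:40:00 10.0.0.99 198.51.100.9 deny
"""

def build_lease_index(dhcp_text):
    """Map each IP to its leases as a time-sorted list of (start, mac, user)."""
    index = {}
    for line in dhcp_text.splitlines():
        ts, ip, mac, user = line.split()
        index.setdefault(ip, []).append((datetime.fromisoformat(ts), mac, user))
    for leases in index.values():
        leases.sort()
    return index

def resolve(index, ip, when):
    """Return (mac, user) of the lease in force for ip at time `when`, or None."""
    leases = index.get(ip, [])
    # Assumption: a lease holds until the next lease for the same IP starts.
    pos = bisect.bisect_right([start for start, _, _ in leases], when) - 1
    return leases[pos][1:] if pos >= 0 else None

def annotate(firewall_text, index):
    """Attach user and MAC to each firewall event; unmapped events keep None."""
    rows = []
    for line in firewall_text.splitlines():
        ts, src, dst, action = line.split()
        mac, user = resolve(index, src, datetime.fromisoformat(ts)) or (None, None)
        rows.append({"time": ts, "src": src, "dst": dst,
                     "action": action, "user": user, "mac": mac})
    return rows

if __name__ == "__main__":
    for row in annotate(FIREWALL_LOG, build_lease_index(DHCP_LOG)):
        print(row["time"], row["src"], row["user"] or "(IP only)", row["action"])
```

In the sample, 10.0.0.15 resolves to a different user depending on the event time, while the event that predates any lease and the one from an address with no lease stay as IP only.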
I think this elaborate description will make this feature easier for you to use, so that you can reap the full benefit of getting user-wise Firewall information.
Thanks
Ragavan S
Firewall Analyzer Team