Firewall Status

by David Schwalenberg
August 15, 2014

The Firewall Status dashboard monitors both hourly and daily firewall events, firewall changes, trending of firewall events, and firewall rule enumerations. Utilizing the firewall status dashboard, an IT security analyst can monitor firewall events on the network from a single location. 

Monitoring firewall events and activity can be an overwhelming task, and the security analyst should review the events on a daily basis. Firewalls can generate millions events per day. Firewall devices provide evidence of malicious activity that may be a result of malware or other suspicious activity on the network, thus showing the importance of monitoring firewall devices and understanding the events and information provided.

The SecurityCenter CV (SC CV) Firewall Status dashboard assists in monitoring firewall activity and detecting risks and anomalies on the network. SC CV with Log Correlation Engine (LCE), Passive Vulnerability Scanner (PVS), and Nessus provides continuous monitoring of firewall activity.  This central point of view provides the security analyst with a single view to monitor firewall events, vulnerabilities, and status.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Monitoring, and then selecting tags firewalls, syslogs, audit. 

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • PVS 4.0.2
  • Audit files that contain host firewall checks

Listed below are the included components:

  • Event Trending By Type – Firewall: This component displays a trend analysis for firewall events over a 7 day period.  Firewall events denote any type of log from a firewall, an intrusion prevention device, a router or a firewall or application configured at the local host to specifically deny connections. Logs from a firewall about an incorrect configuration, administrator logins, port scan detection or errors would be normalized to other event types. Some Web Application Firewalls (WAFs) have their events normalized to the web-error event type and not the firewall event type.
  • SANS Control 14 - Monitoring and Analysis of Logs: Displays a total for the number of Normalized Events seen over the past 48 hours.  Also displays a matrix of log items that may be of importance, such as DOS events, DNS failures, error, system crashes, and firewall spikes.
  • Firewall Status - Firewall Rule Enumeration: The Firewall Rule Enumeration component uses plugin 56310 (Firewall Rule Enumeration) and audit checks to report on the status of software-based firewall rules.  The indicators of this component use regexes to filter out the different host-based firewall rules.  To detect the Windows computers that have the firewall disabled, the following regex is used: /^.*Windows Firewall is disabled.*$/.  The regex /^.*By running .netsh.*$/ identifies Windows systems with the firewall enabled.  OS X systems with firewall enabled use the regex /^.*By running..sbin.pfctl.*$/, followed by the *nix systems with iptables that use /^.*By running "lsmod.*iptables.*$/.
  • Firewall Status - Firewall Event Summary: This component displays the top 50 normalized firewall events by event count for firewalls such as Cisco, Juniper, Palo Alto, Fortinet and many more. Each event will display the normalized event name, total event count, and trending data of this specific normalized event name. Using SC CV for monitoring the different types of firewall events, a security analyst can determine if any malicious or suspicious firewall activity is occurring on the network.
  • Firewall Status - Firewall Events Last Hour: The Firewall Events Last Hour component will display the most recent 100 firewall events messages that have occurred over the last hour. The firewall events are being forward over to LCE by firewall devices via syslogs. These firewall events could include Cisco, Juniper, Palo Alto, Fortinet and many more.
  • Firewall Events - Firewall Change: This component displays a 25-day trend of firewall change events. When the LCE normalizes logs from various firewalls, if the log indicates a change to the configuration, ACLs or user accounts, a 'Firewall_Change' event is generated. The first trending component of this dashboard displays those events.