Log forwarding, filtering and auto tag

L3 Networker

Hi there

I've played with this feature for a while on my own FW, but I must be doing something wrong. I'm adding the log forwarding profile, and when checking the filter I make, I get many log lines. But I don't get any output in the DAG. I've tried with threat and traffic logs.

Documentation is rather slim on this topic. Has anyone done this with success and can share the details needed to make it work?

Thanks

L7 Applicator

I've been successful in using it to provide a "block-ip" action that lasts longer than 3600 seconds.  This particular one looks for threat-type eq scan, takes the sources of those who are scanning and tags them with a 'scanners' tag.  Next, there's a dynamic address group that matches on tag = scanners.  Finally, I have a security policy at the top that blocks all inbound traffic from that dynamic address group.  So far it's picked up over 400 scanners and doing a semi-permanent shun:

[Screenshots in the original post: log-fwd-tag.png (log forwarding profile with the tag action), scanners-dag.png (dynamic address group matching the tag), block-scanners-policy.png (deny policy using the DAG)]

L1 Bithead

Hi jvalentine

Thanks for the interesting input on your scanner blocking via DAG.

I've got one question about it, though: what is the process for getting tagged source IPs untagged (to get them unblocked)?

Thanks

Andi

L4 Transporter

I've actually got a TAC case open right now for Log Forwarding. I had one open for Auto Tagging, but I ended up abandoning the implementation I was needing it for and going with something else.

For the log forwarding, it's almost as if the filter builder isn't fully featured. I've implemented filters that show results in the filter test but then never forward anything (mine is set up to fire emails off on Correlation Event matches). I've had other times where a filter built in the standard Threat Monitor tab will then not show the same results when I try it in the filter test for the Log Forwarder.

I'm on 8.0.7 on Panorama with our firewalls running 7.1.14. I'm upgrading the firewalls later this week, but I'm not sure the upgrade will make any difference, since the Log Forwarding is actually configured on Panorama.

L1 Bithead

Hi,

Thanks for the reply.

I have to say that, as for a process, I'm looking more for some automatic mechanism: something like an "ageing out".

I guess it could be done using MineMeld.

Best Regards

Andi
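Andi's question above (how tagged source IPs get untagged again) and the mechanism jvalentine describes (tag sources matching `threat-type eq scan`, a DAG that matches the tag, a deny policy on the DAG) can be tied together with an external ageing job. What follows is an added example, not code from this thread or from Palo Alto Networks: it picks the registrations older than a chosen age and builds the User-ID XML API `unregister` payload (`type=user-id`, `cmd=<uid-message>...`) that removes the tag from those IPs, which drops them out of the DAG and therefore out of the block policy. The tag name `scanners`, the seven-day age, the IPs and the first-seen timestamps are constructed for illustration; in practice the first-seen data would come from your own record of the tagging events or from `show object registered-ip all` on the firewall CLI. The firewall host name and API key are placeholders. Later PAN-OS releases added a timeout to the tagging action itself, so on those releases the expiry can happen on the firewall without an external job; on the 7.1/8.0 releases discussed here it has to be done like this.

```python
"""Age out 'scanners' auto-tags through the PAN-OS User-ID XML API.

Added example, not from the original thread or from Palo Alto Networks.
Assumptions (not stated in the thread): tag name, shun duration, sample
IPs with first-seen timestamps, firewall host and API key placeholder.
"""
from datetime import datetime, timedelta, timezone
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

TAG = "scanners"               # assumed: tag used in the DAG match criteria
MAX_AGE = timedelta(days=7)    # assumed: how long a scanner stays shunned

# Constructed sample data: IPs the auto-tag action registered and when.
FIRST_SEEN = {
    "203.0.113.10": datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc),
    "198.51.100.7": datetime(2018, 3, 9, 12, 30, tzinfo=timezone.utc),
    "192.0.2.44": datetime(2018, 3, 10, 8, 0, tzinfo=timezone.utc),
}
# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2018, 3, 10, 12, 0, tzinfo=timezone.utc)


def expired(first_seen, now, max_age=MAX_AGE):
    """Return, sorted, the IPs whose tag has been in place longer than max_age."""
    return sorted(ip for ip, seen in first_seen.items() if now - seen > max_age)


def stale_ips():
    """Convenience wrapper over the constructed sample: who should be untagged now."""
    return expired(FIRST_SEEN, NOW)


def uid_message(ips, tag=TAG, action="unregister"):
    """Build a User-ID API payload that registers or unregisters `tag` on `ips`.

    Produces:
      <uid-message><type>update</type><payload><unregister>
        <entry ip="x.x.x.x"><tag><member>TAG</member></tag></entry> ...
      </unregister></payload></uid-message>
    The same shape with <register> is what adds the tag (the auto-tag action
    does that on the firewall for you; it is included here for completeness).
    """
    if action not in ("register", "unregister"):
        raise ValueError("action must be 'register' or 'unregister'")
    root = ET.Element("uid-message")
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    op = ET.SubElement(payload, action)
    for ip in ips:
        entry = ET.SubElement(op, "entry", ip=ip)
        tag_el = ET.SubElement(entry, "tag")
        ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def api_request_params(cmd_xml, api_key):
    """Form parameters for POST https://<firewall>/api/ (User-ID API)."""
    return {"type": "user-id", "key": api_key, "cmd": cmd_xml}


def send(firewall_host, api_key, cmd_xml, timeout=10):
    """POST the payload to the firewall. Network call; not exercised offline."""
    data = urllib.parse.urlencode(api_request_params(cmd_xml, api_key)).encode()
    with urllib.request.urlopen(f"https://{firewall_host}/api/", data=data,
                                timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    stale = stale_ips()
    if stale:
        cmd = uid_message(stale)
        print("Untagging:", ", ".join(stale))
        print(cmd)
        # send("firewall.example.net", "<API-KEY>", cmd)  # placeholders; uncomment to run for real
```

Run it from cron at whatever interval matches the shun duration. After a run, `show object registered-ip all` on the firewall CLI should no longer list the untagged IPs under `scanners`, and the DAG (and so the block policy) shrinks accordingly. The script only sees its own records, so IPs that rescan after being released are simply re-tagged by the log forwarding profile and start a fresh age.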
