Release Details
Fields | Details |
---|---|
Name | NetScreen Firewall |
Version | 5.0.0 |
Supported On | LogPoint v6.0.0 and later |
Release Date | 2020-05-14 |
Document Date | 2020-05-14 |
Download | NetScreenFirewall_5.0.0.pak |
SHA256 | 50fd88cdf0eff776768fb2c3f856392241047abd5aecf751163a532fe8ca669c |
Package Details
The application consists of the following components:
- Dashboard Package
  - LP_NetScreen Firewall
- Normalization Package
  - LP_NetScreen Firewall
- Label Package
  - LP_NetScreen Firewall
Enhancement
The application’s normalizer has received a minor update for better signature handling.
General Description
The NetScreen Firewall application normalizes NetScreen Firewall events and enables you to analyze NetScreen Firewall data using pre-set dashboard views. You can further customize the dashboard and searches to perform in-depth analysis.
Installation
Follow these steps to install the NetScreen Firewall v5.0.0 plugin:
- Download the NetScreen Firewall package from the Download section above.
- Add the firewall as a device in LogPoint.
- Create a collection policy with the Syslog collector and appropriate processing policy.
- Assign the policy to the device.
- Add the dashboard.
Supported Version
The supported version of Windows with LogPoint in this configuration is:
- NetScreen Firewall - ScreenOS v5.4.0.
Configuration Of Sources
Configuration of Juniper Networks NetScreen
Configure using Command Line Interface
Type the following commands to configure the Juniper Networks NetScreen via command line:
- Set syslog config <ip_address> <security_facility> <local_facility>
- Set syslog config <ip_address> port 514
- Set syslog config <ip_address> log all
- Set syslog enable
Configure using WebUI
Follow these steps to configure the Juniper Networks NetScreen via WebUI:
- Open WebUI. Refer to KB4317 - [ScreenOS] Accessing your Juniper firewall device using the WebUI for more information.
- From the console menu, click on Configuration. Then click on Report Settings, and then select Syslog.
- Select Enable Syslog Messages from the syslog page. From the ‘Source Interface’ drop-down menu, select the interface from which syslog packets are sent.
- Enter the necessary information for each syslog server that is being added. A maximum of 4 syslog servers can be used to send the syslog messages.
  - Enable: Select this option to enable the syslog server.
  - IP/Hostname: Enter the IP address of the syslog host.
  - Port: Enter the port to which the security devices send the syslog messages. The default port is UDP 514.
  - Security Facility: Classifies and sends security messages to the syslog host.
  - Facility: Classifies and sends all other messages for events unrelated to security.
  - Event Log: Select this option to send logs to the host.
  - Traffic Log: Select this option to send traffic logs to the host.
  - TCP: Select this option to use TCP as the protocol for communication between the syslog server and the device.
    Note: Consult KB14982 - Device May Become Unmanageable after Enabling TCP Syslog before selecting the TCP option.
- Click Apply and the configuration will be saved.
Log Format
NetScreen Firewall
Expected Log Format
- Space delimited key-value pairs
Log Sample
<133>ipxx-xx-xxxxx-x: NetScreen device_id=ipxx-xx-xxxxxx-xx [pp]system-notification-00257(traffic): start_time="2014-04-09 08:19:59" duration=63 policy_id=55 service=Web Service proto=17 src zone=Web dst zone=Untrust action=Deny sent=402 rcvd=304 src=1.1.1.1 dst=1.1.1.1 src_port=1 dst_port=2 src-xlated ip=1.1.1.1 port=59834 dst-xlated ip=1.1.1.1 port=123 session_id=1004244 reason=Close - AGE OUT
To export data to LogPoint, use the Syslog collector on port 514 on the LogPoint server.
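The log sample above is not cleanly space-delimited: some keys contain a space (`src zone`, `src-xlated ip`), some values do too (`Web Service`, `Close - AGE OUT`), and `port` appears twice. The following parser is an added example, not LogPoint's normalizer; the key list is taken from the sample, and the output names `msg_id`, `log_type`, `src-xlated port` and `dst-xlated port` are assumptions made for illustration.

```python
import re

# Keys as they appear in the traffic log sample on this page. Several contain
# a space ("src zone", "src-xlated ip"), so splitting on whitespace is not enough.
KEYS = ["start_time", "duration", "policy_id", "service", "proto", "src zone",
        "dst zone", "action", "sent", "rcvd", "src_port", "dst_port",
        "src-xlated ip", "dst-xlated ip", "session_id", "reason", "src", "dst",
        "port"]
# A key counts only at a word boundary, so "port=" inside "src_port=" is ignored.
KEY_RE = re.compile(r"(?<![\w-])(" + "|".join(map(re.escape, KEYS)) + r")=")
# Header: device_id, optional [..] tag, message id, log type in parentheses.
HEADER_RE = re.compile(
    r"device_id=(\S+)\s+(?:\[[^\]]*\])?(system-[a-z]+-\d+)\((\w+)\):\s*(.*)")

def parse_netscreen(line):
    """Return a dict of fields, or None if the line is not in this format."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    # msg_id and log_type are names chosen for this example (assumption).
    event = {"device_id": m.group(1), "msg_id": m.group(2), "log_type": m.group(3)}
    body = m.group(4)
    hits = list(KEY_RE.finditer(body))
    prev = ""
    for i, hit in enumerate(hits):
        # A value runs up to the next known key, which keeps "Web Service"
        # and "Close - AGE OUT" intact.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        key = hit.group(1)
        value = body[hit.end():end].strip().strip('"')
        # The bare "port" after a translated address belongs to that address.
        if key == "port" and prev.endswith("-xlated ip"):
            key = prev.replace(" ip", " port")
        event[key] = value
        prev = hit.group(1)
    return event

# Log sample copied from this page.
SAMPLE = ('<133>ipxx-xx-xxxxx-x: NetScreen device_id=ipxx-xx-xxxxxx-xx '
          '[pp]system-notification-00257(traffic): start_time="2014-04-09 08:19:59" '
          'duration=63 policy_id=55 service=Web Service proto=17 src zone=Web '
          'dst zone=Untrust action=Deny sent=402 rcvd=304 src=1.1.1.1 dst=1.1.1.1 '
          'src_port=1 dst_port=2 src-xlated ip=1.1.1.1 port=59834 '
          'dst-xlated ip=1.1.1.1 port=123 session_id=1004244 reason=Close - AGE OUT')

if __name__ == "__main__":
    for name, value in parse_netscreen(SAMPLE).items():
        print(f"{name:16} {value}")
```

Because values are delimited by the next known key, a key that is missing from `KEYS` is folded into the preceding value, so compare parsed output against raw logs when the device emits message types other than the one sampled here.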
Support
If you have any queries or require assistance, please feel free to contact our support team:
Email: servicedesk@logpoint.com
Phone: +45 7060 6100