Chapter 6. Device menu

Table of Contents

Firewall id/name
Juniper Firewalls
Checkpoint FW-1
Logs section

Firewall id/name

This page is used to set up the characteristics of the device whose log files you want NOVAXE® to analyze. This version supports Juniper Networks and Checkpoint FW-1 firewalls, but in the future other vendors' devices may be added. The left column will be filled with entries for the supported devices. Some entries, although present, may be disabled, meaning that support is planned in forthcoming versions but is not available at the moment.

The device section allows you to set up the firewall name, which is an important parameter because NOVAXE® will filter out all log entries whose device_id field does not carry that name.

Depending on the firewall you select in the left column, other options are presented which are specific to each brand.

Juniper Firewalls

The page allows you to set up which zones/interfaces have to be considered external (see Chapter 4, The Firewall Model for more information). It is also possible to configure up to 5 ports (both TCP and UDP are considered) to monitor for incoming traffic: for external hosts connecting to your internal network, all source IPs are recorded and their traffic is categorized by port if the port belongs to the specified set, or as [other] to account for all the traffic not on those ports.

Notice that the external ports set is used only on the large memory model and (partially) on the medium one; on the small memory model it is simply ignored and inbound traffic per source IP is not present in the report.

This is done to prevent resource exhaustion. Tracking ports per source IP for inbound traffic is very memory expensive (typically there are far more external hosts accessing inside resources than internal hosts accessing outside resources).

It's therefore crucial to set the proper memory model according to your resource availability and the data you expect in the report. You may also want to see the section called “Report template” for further information.

  • Name: label to match in the device_id field of log entries in order to process the line. It's important to match this identification, otherwise chances are the report will turn out empty.

  • External interfaces: name of the interfaces which NOVAXE® has to consider external. By default the Untrust interface is external.

  • External ports to monitor: a list of at most 5 numbers identifying the ports of inbound traffic which have to be monitored (works only on large and medium memory models: see the section called “Report template”).
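The following is an added illustration, not code from NOVAXE®, of how the settings above combine: lines whose device_id differs from Name are dropped, only connections coming from an external zone count as inbound, traffic on one of the (at most 5) monitored ports is keyed by that port and everything else lands in [other], and the small memory model produces no per-source table at all. Record field names and the sample records are assumptions.

```python
from collections import defaultdict

# Constructed log records (not real NOVAXE output). Field names are assumed:
# device_id, src_zone, src_ip and dst_port.
RECORDS = [
    {"device_id": "fw-edge", "src_zone": "Untrust", "src_ip": "203.0.113.5", "dst_port": 443},
    {"device_id": "fw-edge", "src_zone": "Untrust", "src_ip": "203.0.113.5", "dst_port": 22},
    {"device_id": "fw-edge", "src_zone": "Untrust", "src_ip": "198.51.100.7", "dst_port": 8080},
    # outbound (source in the Trust zone): not inbound traffic, so not counted
    {"device_id": "fw-edge", "src_zone": "Trust", "src_ip": "10.0.0.4", "dst_port": 443},
    # different device_id: filtered out entirely by the Name setting
    {"device_id": "fw-other", "src_zone": "Untrust", "src_ip": "203.0.113.9", "dst_port": 443},
]

MAX_MONITORED_PORTS = 5


def inbound_by_source(records, device_name, external_zones, monitored_ports, memory_model):
    """Return {src_ip: {port_label: count}} for inbound connections.

    Returns None on the small memory model, where the port set is ignored
    and the per-source table is not produced at all.
    """
    if memory_model == "small":
        return None
    if len(monitored_ports) > MAX_MONITORED_PORTS:
        raise ValueError("at most %d external ports can be monitored" % MAX_MONITORED_PORTS)
    ports = set(monitored_ports)
    table = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec["device_id"] != device_name:
            continue  # Name does not match device_id: the line is not processed
        if rec["src_zone"] not in external_zones:
            continue  # only connections coming from an external zone are inbound
        # traffic on a monitored port is keyed by that port, anything else is [other]
        label = str(rec["dst_port"]) if rec["dst_port"] in ports else "[other]"
        table[rec["src_ip"]][label] += 1
    return {ip: dict(counts) for ip, counts in table.items()}
```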

Checkpoint FW-1

The page allows you to edit a table which defines dummy zones by using the Insert, Modify and Remove buttons accordingly. Each entry in the table is formed by:

  • ID: an incremental number which is automatically assigned by the program when the entry is created. It cannot be modified.

  • Name: a label which identifies a zone/interface. It will be displayed in various places in the log files and is generally associated with a subnet.

  • Match: a string which typically identifies a subnet. For example: 192.168.* means 192.168.0.0/16 or, if you prefer, 192.168.0.0 with subnet mask 255.255.0.0.

  • Internal/Trusted: a boolean flag which tells the reporter whether the defined zone is to be considered internal or external to the perimeter. See Chapter 4, The Firewall Model for more information.

Once this table is properly defined, the logs are interpreted according to the firewall model defined earlier (again, see Chapter 4, The Firewall Model for more information).
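As an added example (not part of NOVAXE® itself), the following shows how a Match string of the form described above is equivalent to a subnet and how a zone table with the Internal/Trusted flag classifies an address. The zone table and addresses are constructed; only the "fixed leading octets followed by *" form given in the manual is handled, and the first matching row wins (an assumption).

```python
import ipaddress

# Constructed zone table with the columns described above (ID, Name, Match,
# Internal/Trusted). Values are illustrative, not a real configuration.
ZONES = [
    {"id": 1, "name": "lan",  "match": "192.168.*", "internal": True},
    {"id": 2, "name": "dmz",  "match": "10.10.5.*", "internal": True},
    {"id": 3, "name": "inet", "match": "*",         "internal": False},
]


def match_to_network(match):
    """Translate a Match string such as 192.168.* into the subnet it stands for
    (192.168.0.0/16). Each fixed leading octet contributes 8 bits of prefix."""
    octets = match.split(".")
    star = octets.index("*") if "*" in octets else len(octets)
    if any(o != "*" for o in octets[star:]):
        raise ValueError("only trailing wildcards are supported: %r" % match)
    fixed = octets[:star]
    if len(fixed) == 4:
        return ipaddress.ip_network(match + "/32")  # a single host
    padded = fixed + ["0"] * (4 - len(fixed))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(fixed)))


def classify(ip, zones=ZONES):
    """Return (zone name, internal flag) for the first row whose Match covers ip,
    or None when no row matches."""
    addr = ipaddress.ip_address(ip)
    for zone in zones:
        if addr in match_to_network(zone["match"]):
            return zone["name"], zone["internal"]
    return None
```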

Logs section

In the logs section you may configure the path where the log files produced by syslog are stored and a filtering logic to decide which files in that folder have to be considered.

  • Log folder (on server): folder where log files are located (note that this path is relative to the computer on which NOVAXE® is installed).

  • Filtering logic: you can choose to either use a simple expression (which supports only the wildcards '*' and '?') or a more complex pattern, called regular expression, to match log filenames. For example using a simple expression you may set firewall_*.log to match all files starting with firewall_ and ending with .log.

  • Simple or regular expression: string to use for pattern matching (see previous bullet).

  • Fast logskip: when checked the reporter attempts to save time by completely reading only those log files whose dates and times fall in the range specified. NOVAXE® assumes that log file entries are roughly increasing in time, therefore it first reads a fraction of the file at the beginning and a fraction at the end. If the dates and times found in those portions of the file do not intersect with the range set, it skips the file (because it assumes that all the entries between them have date/times within the time span covered by those portions). Although this is not always true, this option can be used to speed up log parsing.
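The following added example (not NOVAXE® code) models the two steps above: the simple-expression filename filter, then the fast logskip heuristic that samples only the head and tail of each file. The constructed sample includes a file whose entries are not in time order, which the heuristic wrongly skips; this is the caveat the bullet refers to. The line format and the sampling fraction are assumptions.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")  # assumed line prefix


def _stamps(lines):
    """Parse the timestamp at the start of each line; unparsable lines are ignored."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            for m in map(TS.match, lines) if m]


def worth_reading(lines, start, end, fraction=0.1):
    """Fast logskip: inspect only the first and last `fraction` of the lines and
    keep the file if the time span they cover intersects [start, end]."""
    n = max(1, int(len(lines) * fraction))
    sampled = _stamps(lines[:n]) + _stamps(lines[-n:])
    if not sampled:
        return True  # no usable timestamp: do not risk skipping a relevant file
    return min(sampled) <= end and max(sampled) >= start


def select_files(files, pattern, start, end, fast_logskip=True):
    """files is {filename: [lines]}; apply the simple-expression filter, then logskip."""
    chosen = []
    for name in sorted(files):
        if not fnmatchcase(name, pattern):  # '*' and '?' wildcards only
            continue
        if fast_logskip and not worth_reading(files[name], start, end):
            continue
        chosen.append(name)
    return chosen


def _day(d, hours):
    # constructed sample lines, one per hour of day d (March 2024)
    return ["2024-03-%02d %02d:00:00 fw-edge accept ..." % (d, h) for h in hours]


FILES = {
    "firewall_1.log": _day(1, range(24)),
    "firewall_2.log": _day(2, range(24)),
    "firewall_3.log": _day(3, range(24)),
    "other.txt": _day(2, range(24)),  # rejected by the filename pattern
    # head and tail are on day 1 but a burst of day-2 entries sits in the middle:
    # logskip assumes monotonic time and wrongly skips this file
    "firewall_odd.log": _day(1, range(10)) + _day(2, range(4)) + _day(1, range(10, 24)),
}
DAY2 = (datetime(2024, 3, 2, 0, 0, 0), datetime(2024, 3, 2, 23, 59, 59))
```

Raising the sampled fraction (or unchecking Fast logskip) recovers firewall_odd.log at the cost of reading more of each file.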