Tufin SecureTrack: Adding Devices

For a few weeks I have been using Tufin SecureTrack in my lab, a product that analyzes firewall policies for their usage and the changes administrators make to them (and much more). The first step is to connect the firewalls to SecureTrack in two directions: SSH from SecureTrack to the device to analyze the configuration, and syslog from the device to SecureTrack to monitor the policy usage in real time.

This blog post shows how to add the following firewalls to Tufin: Cisco ASA, Fortinet FortiGate, Juniper ScreenOS, and Palo Alto PA.

Logfile Parsing

When parsing logfiles on a Linux machine, several commands are useful for getting the results you need, e.g., searching for specific events in firewall logs.

In this post, I list a few standard parsing commands such as grep, sort, uniq, or wc. Furthermore, I present a few examples of these small tools. However, it’s all about trial and error when building large command pipes. 😉

Grep Commands for Cisco ASA Syslog Messages

In a basic environment with a Cisco ASA firewall I am logging everything to a syslog-ng server. As there aren’t any reporting tools installed, I am using grep to filter the huge amount of syslog messages in order to get the information I want. In this blog post I list a few greps for extracting the interesting data.

Basic syslog-ng Installation

This post shows a guideline for a basic installation of the open source syslog-ng daemon in order to store syslog messages from various devices in a separate file for each device.

I am using such an installation for my routers, firewalls, etc., to have an archive with all of their messages. Later on, I can grep through these logfiles and search for specific events. Of course it does not provide any built-in filter or correlation features – it is obviously not a SIEM. However, as a first step, I think it’s better than nothing. 😉

Reliability of IPv6 DAD Message Sniffing

A few weeks ago I published an article in which I proposed a method for capturing the MAC- to IPv6-address bindings by sniffing and storing IPv6 DAD messages. Though any IPv6 node MUST send these Duplicate Address Detection messages prior to assigning the address, I was not fully convinced that *really* every new IPv6 address gets stored by this Tcpdump sniffer.

So, over a whole month I captured the DAD messages on a test BYOD LAN and, in addition, the complete IPv6 connection logs of the corresponding firewall. Ideally, every IPv6 address that made an outbound connection through the firewall should appear in the DAD logfiles. Here are the results:

