SilverPeak SD WAN
Silver Peak develops products for Wide Area Networks (WAN), like WAN optimisation and Software Defined WAN (SD-WAN). An SD-WAN virtualizes WAN services. It treats them as a resource pool and continuously monitors applications and network resources to steer traffic in accordance to pre-defined policies.
You can send logs to InsightIDR via Syslog format. They produce Firewall alerts in InsightIDR.
To set up the Silver Peak SD WAN event source, you’ll need to:
- Configure Silver Peak SD WAN to send data to your Collector.
- Set up the Silver Peak SD WAN event source in InsightIDR.
- Verify the configuration works.
Configure SilverPeak SD WAN to send data to your Collector
To enable communication between Silver Peak SD WAN and InsightIDR, you must configure remote logging in Silver Peak SD WAN. You can configure logging from Orchestrator or EdgeConnect devices.
Configure Remote Logging from Orchestrator
You need to configure one instance as a SYSLOG Receiver. It can be a cloud-based Orchestrator or an on-premises one. The configuration is the same for both.
To configure remote logging from Orchestrator:
- Log in to Silver Peak SD-WAN.
- Go to Support > Remote Log Receiver.
- Select Add Receiver.
- Configure the SYSLOG Receiver Settings.
If you use a cloud-based Orchestrator, you'll need to specify a public IP and port during configuration to reach your internal log collector. You can restrict access to only allow log traffic from the specific Orchestrator IP. You can send both Audit and Alarm logs via Syslog, where InsightIDR generates Firewall alerts.
Configure Remote Logging from EdgeConnect devices
There are two ways to configure EdgeConnect remote logging. You can configure logging on individual devices, or use Template Groups to manage log settings for multiple devices.
- Log in to Silver Peak SD-WAN, and do one of the following:
- To configure logging for individual devices, go to Appliance Manager > Support > Log Setting.
- To configure logging for multiple devices, go to Orchestrator > Configuration > Templates & Policies > Templates. You can create a new template or add the General Settings > Logging template to an existing group.
- On the Logging screen, under Log Configuration, set severity levels and other details as needed.
- In the Log Facilities Configuration, filter and map events to the default System/Audit/Flow categories.
- Under Remote Log Receivers, click Add. This will set the internal IP address of your log collector (your EdgeConnect devices have a connection to your LAN).
- Apply or reapply the Template Group to your EdgeConnect devices. Changes take effect once the orchestration completes.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Do one of the following:
- Search for SilverPeak SD WAN in the event sources search bar.
- In the Product Type filter, select Firewall.
- Select the SilverPeak SD WAN event source tile.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify the port that InsightIDR should use to communicate with Silver Peak SD WAN. Select Syslog through portwatcher datasource as the protocol.
- (Optional) Encrypt the event source. If using TCP, you can download the [Rapid7 Certificate] to encrypt data sent from SilverPeak SD Wan.
- Click Save.
Verify the configuration
Complete the following steps to view your logs and ensure events are making it to the Collector.
- Go to Data Collection > Event Sources.
- On the new event source that was just created, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
- Click Log Search in the left menu.
- Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “SilverPeakSDWAN” if you did not name the event source. SilverPeak SD WAN logs flow into the Firewall log set.
Logs take a minimum of 7 minutes to appear in Log Search
Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.
Sample Logs
1<149>Sep 25 14:54:52 OTT-01SP netflowd[12104]: [NOTICE] Action:drop, Reason:security policy deny, InputInt:lan0.1, OutputInt:Passthrough_INET1_DefaultOverlay, StartTime:Fri Sep 25 14:54:52 2020, EndTime:Fri Sep 25 14:54:52 2020, RXPkts:1, TXPkts:0, RXOctets:1378, TXOctets:0, Flow-ID:103509, SrcAddr:172.22.50.16, DstAddr:172.217.165.2, SrcPort:50211, DstPort:443, Application:Https, IPTos:be (0x0), Protocol:udp, TCPFlags:0x0, Host:OTT-01SP, FromZone:Green_Trusted, ToZone:Red_Untrusted, Tag:Green_Trusted_Red_Untrusted_65535, Direction:Outbound, Overlay:DefaultOverlay, NATSrcIP:206.47.7.122, NATSrcPort:50211