Arista Next Generation Firewall

Arista Next Generation Firewall (NGFW) simplifies network security with a single, modular, software platform that gives customers visibility into the traffic on their network. This includes content filtering, advanced threat protection, VPN connectivity, and application-based shaping for bandwidth optimization.

You can send logs from Arista Next Generation Firewall to InsightIDR through syslog.

To set up Arista Next Generation Firewall:

  1. Configure Arista Next Generation Firewall to send data to InsightIDR.
  2. Configure InsightIDR to collect data from the event source.
  3. Test the configuration.

Visit the third-party vendor's documentation

For the most up-to-date information about configuring your event source product, Rapid7 recommends that you visit the vendor's documentation. While we will continue to update our event source documentation in case of UI changes in InsightIDR, we cannot guarantee the same for third-party product UIs.

Configure Arista Next Generation Firewall to send data to InsightIDR

To enable communication between Arista NGFW and InsightIDR, you must enable syslog forwarding in Arista by following the steps in Arista's documentation: https://wiki.edge.arista.com/index.php/Events#:~:text=tag%20will%20disappear.-,Syslog,-Syslog%20sends%20events

You'll need to specify certain information, including:

  • The IP address of the InsightIDR collector that you want to forward the logs to
  • The transport protocol and listening port, which determine how the logs will be sent (the default settings are UDP and port 514). UDP syslog is unacknowledged and unencrypted, so events can be dropped silently under load or on a lossy path; if your Arista version offers TCP, prefer it, and whichever you choose, use the same protocol and port when you add the event source in InsightIDR.

Use syslog rules to prevent overloading Arista and InsightIDR

We recommend controlling which events are sent through syslog to ensure you send only events that contain security value. To set up syslog rules, follow the steps in Arista's documentation: https://wiki.edge.arista.com/index.php/Events#:~:text=default%20is%20UDP.-,Syslog%20Rules,-WARNING%3A%20Syslog

InsightIDR parses these events from Arista (the event type is carried in the JSON "class" field of each record, for example "com.untangle.app.firewall.FirewallEvent" in the sample log below):

  • Firewall events from Arista's FirewallEvents
  • Ingress Authentication events from Arista's LoginEvents
  • Web Proxy events from Arista's HttpRequestEvents, WebFilterEvents, and ThreatPreventionHttpEvents
  • IDS events from Arista's IntrusionPreventionEvents

All other Arista events will be sent to Log Search only if the Send Unparsed option is selected during the setup of this event source; otherwise they are dropped by the collector.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Arista Next Generation Firewall in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select Arista Next Generation Firewall.
  4. Name the event source. The name you enter will be used for the log that the event data streams into in Log Search. If you do not name the event source, the log name defaults to Arista Next Generation Firewall.
  5. Select a collector.
  6. Select the timezone that matches the location of your event source logs.
  7. Optionally, choose to send unparsed data.
  8. Optionally, change the default period for the Inactivity timeout threshold.
  9. Click the Listen on Network Port button.
  10. In the Port field, enter the listening port that you want to use for this event source. You can't use a port that is already in use by another event source on this collector.
  11. In the Protocol dropdown, select either TCP or UDP. Ensure you select the protocol that you chose when configuring Arista Next Generation Firewall to send data to InsightIDR.
  12. Click Save.

Test the configuration

To test that event data is flowing into InsightIDR through the Collector:

  1. Verify that data is flowing to the Collector:
    • From the Data Collection Management page, click the Event Sources tab.
    • Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
    • Wait approximately seven minutes, then open the Log Search page in InsightIDR.
  2. Verify that log entries are appearing in Log Search:
    • From the left menu, go to Log Search.
    • In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. Arista NGFW logs should flow into these log sets:
      • Firewall
      • Ingress Authentication
      • Web Proxy
      • IDS
    • Select the log sets and the logs within them.
    • Set the time range to Last 10 minutes and click Run.

The Results table displays all events that flowed into InsightIDR in the last 10 minutes. Pay attention to the keys and values that are displayed, which are helpful when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log sets: Firewall, Ingress Authentication, Web Proxy, and IDS.

Here is a typical raw log entry that is created by the event source:

Sample Firewall log

<174>Oct 13 09:32:43 INFO uvm[0]: { "timeStamp": "2023-10-13 09:32:43.224", "flagged": false, "blocked": false, "sessionId": 110945931886335, "ruleId": 0, "class": "class com.untangle.app.firewall.FirewallEvent", "sessionEvent": { "entitled": true, "protocol": 6, "hostname": "192.168.10.128", "CServerPort": 443, "protocolName": "TCP", "serverLatitude": 39.0481, "localAddr": "192.168.10.128", "class": "class com.untangle.uvm.app.SessionEvent", "SServerAddr": "123.123.171.111", "remoteAddr": "123.123.171.111", "serverIntf": 2, "CClientAddr": "192.168.10.128", "serverCountry": "US", "sessionId": 110945931886335, "SClientAddr": "123.233.94.132", "clientCountry": "XL", "policyRuleId": 0, "CClientPort": 58977, "timeStamp": "2023-09-13 09:32:43.224", "serverLongitude": -77.4728, "clientIntf": 3, "policyId": 1, "SClientPort": 58977, "bypassed": false, "SServerPort": 443, "CServerAddr": "123.20.171.153", "tagsString": "" } }
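The following Python script is an added example, not Rapid7 or Arista code. It parses syslog lines of the shape shown in the sample above (syslog PRI, timestamp, level, the uvm[N] tag, then a JSON record), decodes the PRI into facility and severity, and uses the record's "class" field to decide which InsightIDR log set the event would land in, mirroring the Firewall / Ingress Authentication / Web Proxy / IDS mapping and the Send Unparsed behaviour described earlier on this page. The firewall class name comes from the sample; the class names assumed for the other event types (Arista's table name minus the trailing "s", as the last dotted component) are an assumption by analogy, as is the reading of the C-prefixed fields as the client-side view of the session and the S-prefixed fields as the server-side view. The second and third input lines are constructed, one with a hypothetical class name and one with a broken JSON payload, to exercise the unparsed and error paths.

```python
"""Parse Arista NGFW syslog records and route them to InsightIDR log sets.

Added example for this page, not Rapid7 or Arista code. Assumptions are
marked inline.
"""
import json
import re
from collections import Counter

# Header shape from the sample on this page: <PRI>Mon DD HH:MM:SS LEVEL uvm[N]: {json}
# The LEVEL token sits where RFC 3164 expects a hostname; we keep it as-is.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>\S+) "
    r"(?P<tag>[^:\s]+): "
    r"(?P<body>\{.*\})\s*$",
    re.DOTALL,
)

# Last dotted component of the JSON "class" field -> InsightIDR log set.
# FirewallEvent is taken from the sample log; the other names are ASSUMED to
# follow the same convention (Arista table name without the trailing "s").
EVENT_CLASS_TO_LOGSET = {
    "FirewallEvent": "Firewall",
    "LoginEvent": "Ingress Authentication",
    "HttpRequestEvent": "Web Proxy",
    "WebFilterEvent": "Web Proxy",
    "ThreatPreventionHttpEvent": "Web Proxy",
    "IntrusionPreventionEvent": "IDS",
}

SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri: int):
    """Split a syslog PRI into (facility, severity); 174 -> (21 = local5, 6 = info)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_arista_syslog(line: str) -> dict:
    """Parse one line; raise ValueError if the header or JSON payload is malformed."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an Arista syslog line: {line[:40]!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    try:
        event = json.loads(m.group("body"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON payload: {exc}") from None
    cls = event.get("class", "")
    if cls.startswith("class "):          # Java-style "class com.untangle...."
        cls = cls[len("class "):]
    short = cls.rsplit(".", 1)[-1]
    session = event.get("sessionEvent") or {}
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SYSLOG_SEVERITY[severity],
        "tag": m.group("tag"),
        "event_class": short,
        "logset": EVENT_CLASS_TO_LOGSET.get(short),   # None => not parsed by InsightIDR
        "blocked": event.get("blocked"),
        "flagged": event.get("flagged"),
        "rule_id": event.get("ruleId"),
        # ASSUMPTION: C*-prefixed fields are the client-side view of the session,
        # S*-prefixed fields the server-side view. Confirm against Arista's docs.
        "client": (session.get("CClientAddr"), session.get("CClientPort")),
        "server": (session.get("SServerAddr"), session.get("SServerPort")),
        "protocol": session.get("protocolName"),
        "event": event,
    }


def route_events(lines, send_unparsed=False) -> Counter:
    """Count events per log set. Unrecognised classes reach "Unparsed" only when
    Send Unparsed is on (as described on this page); malformed lines count as errors."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_arista_syslog(line)
        except ValueError:
            counts["error"] += 1
            continue
        if rec["logset"]:
            counts[rec["logset"]] += 1
        elif send_unparsed:
            counts["Unparsed"] += 1
        else:
            counts["dropped"] += 1
    return counts


# Sample input: line 1 is the sample log from this page; lines 2 and 3 are constructed
# (a hypothetical event class and a truncated JSON payload) to exercise edge cases.
SAMPLE_FIREWALL = ('<174>Oct 13 09:32:43 INFO uvm[0]: { "timeStamp": "2023-10-13 09:32:43.224", "flagged": false, "blocked": false, "sessionId": 110945931886335, "ruleId": 0, "class": "class com.untangle.app.firewall.FirewallEvent", "sessionEvent": { "entitled": true, "protocol": 6, "hostname": "192.168.10.128", "CServerPort": 443, "protocolName": "TCP", "serverLatitude": 39.0481, "localAddr": "192.168.10.128", "class": "class com.untangle.uvm.app.SessionEvent", "SServerAddr": "123.123.171.111", "remoteAddr": "123.123.171.111", "serverIntf": 2, "CClientAddr": "192.168.10.128", "serverCountry": "US", "sessionId": 110945931886335, "SClientAddr": "123.233.94.132", "clientCountry": "XL", "policyRuleId": 0, "CClientPort": 58977, "timeStamp": "2023-09-13 09:32:43.224", "serverLongitude": -77.4728, "clientIntf": 3, "policyId": 1, "SClientPort": 58977, "bypassed": false, "SServerPort": 443, "CServerAddr": "123.20.171.153", "tagsString": "" } }')
SAMPLE_LINES = [
    SAMPLE_FIREWALL,
    '<174>Oct 13 09:32:44 INFO uvm[0]: { "timeStamp": "2023-10-13 09:32:44.100", "class": "class com.example.hypothetical.OtherEvent" }',
    '<174>Oct 13 09:32:45 INFO uvm[0]: { "timeStamp": "2023-10-13 09:32:45.000", "class": }',
]

if __name__ == "__main__":
    rec = parse_arista_syslog(SAMPLE_FIREWALL)
    print(rec["logset"], rec["event_class"], rec["client"], "->", rec["server"], rec["protocol"])
    print(dict(route_events(SAMPLE_LINES, send_unparsed=True)))
```

Run it against a handful of lines captured from View raw log to confirm that the classes you expect to see are in EVENT_CLASS_TO_LOGSET; any class that routes to "Unparsed" or "dropped" is a candidate for a syslog rule on the Arista side, since it adds volume without landing in a parsed log set.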