Firewalls track all data in and out of your network, and can be crucial to understanding what's happening at the edge of your network. Firewalls monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data. With an IP address, firewall can also indicate the location of the machine sending data. In combination with legacy detection rules (formerly known as User Behavior Analytics), InsightIDR can indicate who exactly owns that machine and who is completing the actions.

Adding firewall data allows InsightIDR to track visits to malicious domains and cloud service utilization. Note that rather than just collect configuration and change logs, InsightIDR is interested in connection events, as the solution is able to automatically attribute these events to the users and endpoints generating the traffic.

You can configure the following Firewall event sources:

Send Firewall Logs to InsightIDR

This event source can be configured two ways:

  • send all of the log data from the device to the same port, in which case you will have one event source in InsightIDR for the device.
  • send each type of log data to different ports, in which case you will have **separate event sources ** for each type of log data.

Technically, it does not matter which way you send the log data to InsightIDR; using one port for all traffic means you will have one event source, while using different ports means you will have multiple event sources.

Configuring Multiple Firewalls

If you have several firewalls that are the same manufacturer and model, you can configure all of them to send their log data over the same port, or you can configure each firewall to send to a unique port.

Viewing Firewall Logs

You should see Raw Events and Events Per Minute (EPM) register within minutes of configuring a firewall event source.

As soon as firewall connection events are processed, you'll be able to view and query the raw events in Log Search as "Firewall Activity."

Once available for Log Search, InsightIDR will complete several things:

  • Automatically identify the asset responsible for an event by correlating the internal IP address with DHCP lease events and/or endpoint monitoring.
  • Automatically identify the user associated with the asset and attribute the connection event to that user.
  • Identify an external IP address and perform a geoip lookup to provide geographic information about this external IP.
  • Preserve the raw firewall event in the source_data field.