Forcepoint Firewall is part of the Stonesoft Security Management Center (SMC). The Stonesoft SMC provides security coverage for firewall, IDS, VPN, and other protective measures in your security environment.
You can export your firewall events from Stonesoft Forcepoint to InsightIDR in a CEF format from the SMC Log Server. You can read about this process here: https://support.forcepoint.com/KBArticle?id=000015002
To start forwarding Stonesoft logs from the Stonesoft SMC Log Server:
- Create Log Forwarding Rules
- Enable Logging from the SMC
- Create Traffic Access Rules
- Add a Firewall Event Source to InsightIDR
Create Log Forwarding Rules
Complete these steps in the Forcepoint SMC.
To create log forwarding rules:
- Sign into your SMC console.
- From your Home dashboard, select the Others tab from the left menu.
- Select the Monitoring tab and click the Add button to add a new Server element.
- Click the Add button to add a new local filter.
- In the “Name” field, provide a name for the InsightIDR collector.
- In the “IP Source” field, enter the IP address of your InsightIDR collector. Click the Save button.
- Click the Log Forwarding tab.
- Click the Add button.
- From the “Target Host” dropdown, select the previously added InsightIDR Collector.
- In the “Service” dropdown, select your protocol.
- In the “Port” field, enter the unique port you want to use.
- In the “Format” dropdown, select the CEF format.
- In the “Data Type” dropdown, select the All Data Types option.
- In the “Filter” dropdown, select the Empty Filter option.
- Leave “TLS Profile” and “TLS Server Identity” blank.
- Click the OK button to save the configuration.
Enable Logging from the SMC
After you’ve properly created a log forwarding rule for the InsightIDR Collector, you must enable logging from the SMC to external servers.
To enable logging from the SMC:
- Navigate to **Configuration NGFW > Policies > Firewall Policy. **
- Right click the Logging policy you want to change and select the Edit option.
- Select the appropriate version for the IP Access tab. Scroll to the right in the cell table and double click on the “Logging” cell. Then choose the Edit option.
- Check the Override Collected Values Set With Continue Rules box.
- From the “Log Level” dropdown, select the Stored or Essential option.
- Click the OK button, and then click the Save button.
Create Access Rules
Lastly, you must allow access from the Firewall to external servers.
To do create access rules for the firewall
- In your SMC, navigate to Configuration NGFW > Policies > Firewall Policy.
- Select the appropriate version for the IP Access tab. Right click on the policy and select the Add Rule option.
- In the “Source” field, select the Management Server option.
- In the “Destination” field, select the host element that represents the InsightIDR Collector.
- In the “Service” field, select the Syslog (UDP) option.
- In the “Action” cell, select the Allow option.
- In the “Logging” cell, select None to avoid a logging loop.
- Click the Save button.
Add a Firewall Event Source
After the SMC configuration is complete, you can add a firewall event source to InsightIDR.
To configure the event source in InsightIDR:
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and select Forcepoint Firewall as your event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure your default domain and any advanced settings.
- Select Syslog as your data collection method and select UDP as your protocol.
- Enter the unique port you specified during configuration in the SMC.
- Click the Save button.