Juniper Networks ScreenOS

Juniper Networks ScreenOS, formerly known as Juniper NetScreen Firewall, is real-time firewall hardware, one of a series of security devices that you can access through your local network or through the Juniper web console.

You can configure Juniper ScreenOS’ Integrated Services Gateway (ISG) to send syslog to your InsightIDR Collector in order to collect firewall events.

To collect ScreenOS ISG events from Juniper:

  1. Configure Syslog
  2. Create a Firewall Event Source

Configure Syslog

To configure syslog forwarding from your ScreenOS device:

  1. Sign in to your Netscreen Management console.
  2. In the left menu, expand the Report Settings tree and select the Syslog page.
    • If you are using an older version of ScreenOS, navigate by Configuration > Report Settings > Syslog.
  3. Check the Enable Syslog box to enable syslog.
  4. Click the + plus button to add a new host.
  5. In the “Config” window, enter the IP address of your InsightIDR Collector.
  6. In the “Port” field, enter the unique port on your Collector that will accept these firewall logs.
  7. In the “Security Facility” dropdown, select the Local0 option. This option logs every single security event to syslog.
  8. In the “Facility” dropdown, select the Local1 option, which will capture events from all of the following levels:
    • Local1 = Info
    • Local2 = Notify
    • Local3 = Warning
    • Local4 = Error
    • Local5 = Critical
    • Local6 = Alert
    • Local7 = Emergency
  9. In the “Transport” dropdown, select TCP as your option.
  10. Click the OK button. The syslog host will appear in the table.
  11. Click the Apply button to finish the configuration.

Create a Firewall Event Source

Now create the Juniper Networks ScreenOS event source in InsightIDR to ingest the logs.

To do so:

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
  4. Choose your collector and select Juniper Netscreen as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Configure your default domain and any advanced settings.
  8. Select Syslog as your data collection method, enter the port you specified in the Juniper configuration, and select TCP as your protocol.
  9. Download the Rapid7 Certificate and install it following the Juniper configuration here: https://kb.juniper.net/InfoCenter/index?page=content&id=KB4777.
  10. Click the Save button.

Verify the Configuration

After you finish creating the event source in InsightIDR, you should see logs appear in Log Search.

InsightIDR expects logs with the following format:

<133>netscr_pri_01: NetScreen device_id=nsisg2000a [Root]system-notification-00257(traffic): start_time="2014-04-11 14:11:08" duration=0 policy_id=1245 service=syslog proto=17 src zone=Global dst zone=Global action=Deny sent=0 rcvd=390 src=1.2.3.4 dst=5.6.7.8 src_port=50000 dst_port=500 session_id=0 reason=Traffic Denied

<133>netscr_pri_01: NetScreen device_id=nsisg2000a [Root]system-notification-00257(traffic): start_time="2014-04-11 14:10:58" duration=9 policy_id=2051 service=http proto=6 src zone=Partners dst zone=DMZ action=Permit sent=817 rcvd=2293 src=1.2.3.4 dst=5.6.7.8 src_port=4000 dst_port=8080 src-xlated ip=1.2.3.4 port=4000 dst-xlated ip=5.6.7.8 port=8080 session_id=123456 reason=Close - TCP FIN

The sample logs are from the Integrated Security Gateway (ISG) 2000a series of ScreenOS 6.0 devices.
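
To check captured lines against the expected format before troubleshooting the event source, the sketch below parses the two sample lines above, including the keys that contain a space and the repeated port key in the NAT fields, and decodes the <133> priority value (facility 16, which is Local0, and severity 5). It is an added example, not Rapid7's or Juniper's parser; the function name parse_netscreen and the REQUIRED field list are assumptions.

```python
import re

# The two sample lines from the page, embedded so the example runs offline.
DENY = ('<133>netscr_pri_01: NetScreen device_id=nsisg2000a [Root]system-notification-00257(traffic): '
        'start_time="2014-04-11 14:11:08" duration=0 policy_id=1245 service=syslog proto=17 '
        'src zone=Global dst zone=Global action=Deny sent=0 rcvd=390 src=1.2.3.4 dst=5.6.7.8 '
        'src_port=50000 dst_port=500 session_id=0 reason=Traffic Denied')
PERMIT = ('<133>netscr_pri_01: NetScreen device_id=nsisg2000a [Root]system-notification-00257(traffic): '
          'start_time="2014-04-11 14:10:58" duration=9 policy_id=2051 service=http proto=6 '
          'src zone=Partners dst zone=DMZ action=Permit sent=817 rcvd=2293 src=1.2.3.4 dst=5.6.7.8 '
          'src_port=4000 dst_port=8080 src-xlated ip=1.2.3.4 port=4000 dst-xlated ip=5.6.7.8 port=8080 '
          'session_id=123456 reason=Close - TCP FIN')

HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<host>\S+): NetScreen device_id=(?P<device_id>\S+)\s+'
    r'\[(?P<vsys>[^\]]+)\](?P<msg_id>[\w-]+)\((?P<msg_type>\w+)\):\s+(?P<body>.*)$')
# Keys may hold one space ("src zone", "dst-xlated ip"); try those before plain keys.
KEY = re.compile(r'(?:^|\s)((?:src|dst)(?:-xlated)? (?:zone|ip)|[A-Za-z_]+)=')
# Assumed minimum set of fields for a usable traffic event (not a vendor requirement).
REQUIRED = ('start_time', 'action', 'src', 'dst', 'src_port', 'dst_port', 'proto')


def parse_netscreen(line):
    """Parse one ScreenOS traffic log line into a dict; raise ValueError if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError('not a NetScreen syslog line')
    event = m.groupdict()
    body = event.pop('body')
    pri = int(event.pop('pri'))
    if pri > 191:
        raise ValueError('PRI out of range')
    # PRI = facility * 8 + severity (RFC 3164); facilities 16-23 are local0-local7.
    event['facility'], event['severity'] = pri >> 3, pri & 7
    keys = list(KEY.finditer(body))
    prev = ''
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        name, value = k.group(1), body[k.end():end].strip().strip('"')
        # NAT fields reuse the bare key "port"; qualify it with the preceding xlated key.
        if name == 'port' and prev.endswith('-xlated ip'):
            name = prev.replace(' ip', ' port')
        event[name] = value
        prev = k.group(1)
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError('missing fields: ' + ', '.join(missing))
    return event
```

A line that raises ValueError here points to a header or field layout that differs from the samples, which is worth comparing against the device's syslog settings.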