Firewall auditing and security using EventLog Analyzer

This tutorial walks through the capabilities of EventLog Analyzer for auditing and monitoring firewalls. Ensure logging is enabled on your firewall so that its syslog messages are forwarded to EventLog Analyzer.

Auditing firewalls using EventLog Analyzer: Use cases

EventLog Analyzer covers the firewall auditing use cases below with its security auditing reports and alerts. These reports are predefined and can be scheduled to be generated at specific times and distributed over email.

Use case: Traffic monitoring
Description: Provides documentation and analysis of the network traffic that is permitted to pass through a firewall based on defined security policies and rules.
Why implement? Monitoring firewall-allowed traffic summarizes authorized network connections, traffic patterns, application usage, and other relevant information about the allowed traffic flow.
Available reports and alerts:
  • Allowed Traffic
  • Top Traffic based on Source
  • Top Traffic based on Destination
  • Top Traffic based on Protocol
  • Top Traffic based on Port

Use case: Monitoring denied traffic
Description: Provides documentation and analysis of the network traffic that is not permitted to pass through a firewall based on defined security policies and rules.
Why implement? Monitoring firewall-denied traffic provides critical insight into attempted unauthorized access and possible malicious activity, enabling proactive threat mitigation and incident response.
Available reports and alerts:
  • Denied Connections
  • Top Denied Connections based on source
  • Top Denied Connections on device
  • Top Denied Connections based on protocol
  • Top Denied Connections based on port
  • Denied Connections Trend

Use case: Audit firewall logons
Description: Captures details about user authentication and login activity related to accessing and managing the firewall itself.
Why implement? Reviewing who is accessing the firewall, when they are accessing it, and what actions they are performing helps secure your network from malicious sources.
Available reports and alerts:
  • Firewall Logons
  • Firewall Failed Logons
  • Top logons based on users
  • Top logons based on remote devices
  • Top logons based on ports
  • Top failure logons based on users
  • Top Failure Logons based on remote devices
  • Top failure logons based on port
  • Logons Trend
  • Failed Logons Trend

Use case: User account management
Description: Captures details about user accounts, access permissions, and administrative activity related to firewall management.
Why implement? Monitoring and managing firewall accounts provides critical information about firewall access, enforces security policies, and ensures accountability within the network infrastructure.
Available reports and alerts:
  • Users Added
  • Users Deleted
  • Added Group policies
  • Deleted group policies
  • Changed user privilege levels
  • Command executed

Use case: Inspect firewall VPN users
Description: Monitor VPN users and active VPN sessions through analytical dashboards.
Why implement? Helps you detect anomalous user activity and abnormal VPN connections through trends.
Available reports and alerts:
  • Firewall VPN user Connected
  • Firewall VPN user disconnected
  • Top firewall VPN logons by users
  • Top firewall VPN logons from remote hosts
  • Firewall VPN user logon trends

Threat detection

The table below lists the out-of-the-box threat detection use cases that EventLog Analyzer provides for firewalls. The solution also offers a custom correlation rule builder that lets users create their own detection rules; refer to the custom correlation rule instructions to build your own.

Use case: Firewall rule change monitoring
Description: Detect unauthorized changes to firewall rules by continuously monitoring firewall rule changes. Ensure firewall rules are optimized by auditing their purpose, and ensure the rules do not conflict or create vulnerabilities.
Why implement? Effective monitoring of firewall rule management helps enterprises prevent malicious intrusions, detect threats at an early stage, and meet compliance requirements.
Correlation rules:
  • Rule Added
  • Rule Modified
  • Rule Deleted
  • Rule Enabled
  • Rule Disabled
  • Rule Restored

Firewall security: Use cases

The table below describes further threat detection use cases that EventLog Analyzer covers for firewalls, together with their corresponding detection rules.

Use case: Routing table attack
Description: A routing table attack is a type of network attack in which threat actors manipulate the routing tables in a network. Routing tables are crucial components of network devices such as routers and switches; they store the routes (paths) to the various network destinations.
Relevant MITRE ATT&CK TTPs:
  • T1572 - Protocol Tunneling
  • T1574 - Hijack Execution Flow
Detection rule: Routing Table Attack

Use case: SYN flood attack
Description: A SYN flood attack is a type of denial-of-service (DoS) attack that exploits the TCP three-way handshake used to establish a connection between a client and a server. The attacker sends a large number of SYN (synchronize) packets to a target server, consuming its resources and preventing legitimate users from establishing connections.
Relevant MITRE ATT&CK TTPs:
  • T1496 - Resource Hijacking
  • T1210 - Exploitation for Client Execution
  • T1499 - Endpoint Denial of Service
Detection rule: SYN Flood Attack

Use case: Malicious traffic detection
Description: Detect inbound traffic from, and outbound traffic to, malicious sources by correlating the firewall traffic logs with the Central Threat Repository of EventLog Analyzer.
Relevant MITRE ATT&CK TTPs: Command and Scripting Interpreter (T1059)
Detection rule: Threat Alert

Use case: Data exfiltration detection
Description: Analyze network traffic logs for abnormal behavior, such as an extremely high volume of traffic to a specific website, to detect command and control (C2) techniques or data exfiltration.
Detection rule: Enable Smart Threshold for the Allowed Traffic and Denied Traffic alert profiles to detect an abnormal volume of data transfer.
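The three detection use cases above (threat-list correlation, SYN flood counting, and volume-based exfiltration detection) can be illustrated with a small script over firewall traffic records. The code below is an added example written for this page; it is not EventLog Analyzer's code, and its key=value log layout, threat list, and seven-day volume history are constructed stand-ins for a real firewall syslog format, the Central Threat Repository, and the baseline a Smart Threshold learns from past traffic. The names THREAT_LIST, HISTORY, SAMPLE_LOGS and the three detector functions are all assumptions of this example.

```python
"""Toy correlation of firewall traffic logs: threat-list matching, SYN-flood
counting and volume-based exfiltration flagging over constructed sample lines.
Added illustration standing in for EventLog Analyzer's correlation rules;
not the product's own code, log format or algorithms."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed threat list (stand-in for the Central Threat Repository).
THREAT_LIST = {"203.0.113.77", "198.51.100.9"}

# Constructed 7-day history of allowed outbound bytes per internal host
# (stand-in for the baseline a smart threshold learns from past traffic).
HISTORY = {
    "10.0.0.5": [12000, 15000, 9000, 14000, 11000, 13000, 10000],
    "10.0.0.9": [8000, 7000, 9000, 8500, 7500, 8200, 9100],
}

# Constructed sample lines in a simple key=value layout (not any vendor's real
# syslog format). The generated tail simulates a burst of SYN-only packets.
SAMPLE_LOGS = "\n".join([
    "ts=100 action=allow proto=tcp src=10.0.0.5 dst=93.184.216.34 dport=443 bytes=4200",
    "ts=101 action=allow proto=tcp src=10.0.0.5 dst=93.184.216.34 dport=443 bytes=3900",
    "ts=102 action=allow proto=tcp src=10.0.0.7 dst=203.0.113.77 dport=8080 bytes=1200",
    "ts=103 action=deny proto=tcp src=198.51.100.9 dst=10.0.0.10 dport=22 bytes=60",
    "ts=104 action=allow proto=tcp src=10.0.0.5 dst=93.184.216.34 dport=443 bytes=4100",
    "ts=105 action=allow proto=tcp src=10.0.0.9 dst=192.0.2.50 dport=443 bytes=900000000",
] + [
    f"ts={110 + i // 10} action=deny proto=tcp flags=S src=192.0.2.200 "
    f"dst=10.0.0.10 dport=80 bytes=60"
    for i in range(150)
])

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value line into a dict, converting numeric fields."""
    rec = dict(FIELD_RE.findall(line))
    for key in ("ts", "dport", "bytes"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def threat_matches(records, threat_list=THREAT_LIST):
    """Malicious traffic detection: flag flows whose src or dst is on the threat list."""
    hits = []
    for r in records:
        if r["src"] in threat_list:
            hits.append(("inbound_from_threat", r["src"], r["ts"]))
        if r["dst"] in threat_list:
            hits.append(("outbound_to_threat", r["dst"], r["ts"]))
    return hits


def syn_flood_sources(records, threshold=100, window=60):
    """SYN flood detection: count SYN-only TCP packets (flags=S) per source
    in a sliding time window; return sources reaching the threshold with
    the peak count seen."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("proto") == "tcp" and r.get("flags") == "S":
            by_src[r["src"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def volume_anomalies(records, history=HISTORY, k=3.0):
    """Exfiltration / C2 detection: flag sources whose allowed outbound bytes
    exceed mean + k * stdev of their historical daily volume."""
    totals = Counter()
    for r in records:
        if r["action"] == "allow":
            totals[r["src"]] += r["bytes"]
    flagged = {}
    for src, total in totals.items():
        hist = history.get(src)
        if not hist or len(hist) < 2:
            continue  # no baseline yet, so no threshold can be derived
        limit = statistics.mean(hist) + k * statistics.pstdev(hist)
        if total > limit:
            flagged[src] = (total, round(limit))
    return flagged


RECORDS = parse_logs(SAMPLE_LOGS)

if __name__ == "__main__":
    print("threat hits:", threat_matches(RECORDS))
    print("SYN flood sources:", syn_flood_sources(RECORDS))
    print("volume anomalies:", volume_anomalies(RECORDS))
```

Running the script flags the two flows touching listed addresses, the single source that sends 150 SYN-only packets within the window, and host 10.0.0.9, whose outbound volume is far above its learned baseline; host 10.0.0.7 is skipped because no history exists for it, which is the same situation a smart threshold is in before it has collected enough traffic to baseline.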

Threat remediation: Supported SOAR actions

The table below covers the workflows EventLog Analyzer supports for different firewall vendors. These workflows can be associated with alert profiles and correlation alerts for automated execution, remediating the threat condition without manual intervention.

Workflow action: Deny Inbound Rules
Supported firewall vendors: Cisco ASA

Workflow action: Deny Outbound Rules
Supported firewall vendors: Cisco ASA

Workflow action: Deny Access Rules
Supported firewall vendors:
  • Fortigate
  • Palo Alto
  • SophosXG
  • Barracuda

Supported firewall vendors

  • Windows Firewalls
  • Cisco
  • Sophos
  • Barracuda
  • SonicWall
  • Fortinet
  • Juniper
  • PaloAlto
  • Meraki
  • WatchGuard
  • Huawei
  • NetScreen
  • Arista
  • CheckPoint
  • pfSense
  • F5
  • Cisco FirePower
  • H3C
  • Stormshield
  • ForcePoint

Compliance use cases

The section below outlines the firewall auditing reports, alerts, and other use cases needed to meet the requirements of regulatory mandates such as PCI DSS, FISMA, SOX, HIPAA, GDPR, and more.

Compliance requirement to solution mapping

EventLog Analyzer capabilities (summary reports, alerts and rules):
  • Successful Logons
  • Failed Logons
  • Logoff Events
  • Successful VPN Logons
  • Failed VPN Logons
  • Configuration Errors
  • Command Executed
  • Command Failed
  • Configuration Changes
  • Website Traffic
  • Denied Connections
  • Attacks
  • VPN Logoff
  • Routing Table Attack
  • Syn Flood Attack

Regulatory mandates and their requirements:

FISMA
  • Configuration Management
  • SI-4: Information System Monitoring
  • AC-3: Access Enforcement
PCI-DSS
  • PCI-DSS requirements 6.6
  • PCI-DSS requirements 10.1
  • PCI-DSS requirements 10.2.1
  • PCI-DSS requirements 10.2.2
  • PCI-DSS requirements 10.2.3
SOX
  • SEC 302.2
  • SEC 302.4.D
  • SEC 302.5 (A & B)
  • SEC 404.A.2
  • SEC 404.B
HIPAA
  • 164.306 (a) (1)
  • 164.306 (a) (1) (i)
  • 164.308 (a) (1) (ii) (D)
GLBA
  • Section 314.4(b)(1)
  • Section 314.4(b)(3)
  • Section 314.4(c)
ISO 27001:2013
  • Control A 9.4
  • Control A 13.1.1
  • Control A 13.1.3
GPG
  • Suspicious Activity at The Boundary (PMC Rule 3)
  • Suspicious Internal Network Activity (PMC Rule 5)
ISLP
  • ARTICLE 20.2
  • ARTICLE 20.3
  • ARTICLE 20.10
GDPR
  • GDPR ARTICLE 32 (1B)
  • GDPR ARTICLE 32 (2)
NRC
  • ACT B.1.3
  • ACT B.1.6
  • ACT B.1.7
  • ACT B.1.11
  • ACT B.1.15
  • ACT B.3.11
  • ACT C.11.4
Cyber Essentials
  • Secure Configuration
  • Malware Protection
  • Boundary firewalls and internet gateways
COCO
  • 1.(d) Protective monitoring and intrusion detection
  • 3. Boundary Protection and Interfaces
NERC
  • CIP 005-6 R1.3
  • CIP 005-6 R1.5
  • CIP 007-6 R3.1
PDPA
  • RULE VI Section 25
  • RULE VII Section 30
NIST CSF Data Security (PR.DS)
CMMC C041 - SI.5.222
POPIA Chapter 3 - Section 22 (5) (a)
QCF
  • 5.2.1 Network Configuration Management Service
  • 5.2.2 Network Access Control Management Service
  • 5.2.3 Network Monitoring Management Service
  • 8.2.2 Vulnerability Management and Penetration Testing
TISAX
  • 4.1.2
  • 5.2.4
  • 5.2.7
SAMA
  • 3.2.1.1 Cyber Security Risk Identification
  • 3.2.1.2 Cyber Security Risk Analysis
  • 3.2.1.3 Cyber Security Risk Response
  • 3.3.12 Payment Systems
ECC
  • 2-2 Identity and Access Management
  • 2-5 Networks Security Management
  • 2-7 Data and Information Protection
PDPL
  • Article 19 - Information Security
  • Article 20 - Controls and Procedures for Dealing with Health Data
UAE-NESA
  • T3.2.1
  • T5.2.2
  • T5.4
  • T8.3.2
SOC 2
  • 3.4.04
  • 5.2.03
  • 6.2.03
  • 6.8.04
  • 7.4.11
LGPD
  • Art 6 VII
  • Art 7 II
  • Art 7 VIII
  • Art 46