Altor CEF Certified Configuration Guide 12/20/209
- Pavan Raja

- Apr 8, 2025
Summary:
The "Common Event Format Configuration Guide" for Altor Networks' VF 1.0 virtual firewall is designed to help administrators set up the device for effective integration with ArcSight SmartConnector. Key steps include enabling external logging in the Altor Center Interface, updating the database table to support the CEF format, and creating a network rule with the 'log' setting enabled. The document outlines specific mappings between ArcSight data fields and Altor's vendor-specific event definitions, such as time, type of firewall event, source/destination IP addresses, priority, device vendor/product, port numbers, and protocol types. This setup aims to facilitate seamless transfer and mapping of events across different devices, improving overall system interoperability in a security information management (SIEM) context.
Details:
The "Common Event Format Configuration Guide" is a document provided by Altor Networks to help administrators configure their virtual firewall (VF 1.0) to work with ArcSight for event collection. Here's a summary of the guide:
1. **Document Information**:
Title: Common Event Format Configuration Guide
Author: Altor Networks
Version: VF 1.0
Date: First edition (10-2-2008), Revision with CEF Certified logo added (10-2-2009)
2. **Purpose**:
The guide is intended to provide information on configuring Altor's VF 1.0 virtual firewall for syslog event collection, specifically for integration with ArcSight.
3. **Supported Devices and Versions**:
The connector is supported on Altor’s virtual machine for VMware, version 1.0.
4. **Overview of Altor VF 1.0**:
Designed for the virtual environment, it automatically synchronizes with VMWare VirtualCenter and secures VMotion.
Enables rule-based policy enforcement for each VM in the virtual network.
5. **Configuration Steps**:
**Step 1: Enable External Logging** in Altor Center Interface.
**Step 2: Update Database Table** to support ArcSight CEF format by logging into the Altor Center VM console and issuing a PostgreSQL command to insert data into the `property` table.
```bash
# Register the CEF message template in the Altor Center database. The $x$ tokens are
# substituted per event (a=action, s/d=source/destination IP, sp/dp=ports, p=protocol,
# tm=time); the dollars are escaped so bash does not expand them as shell variables.
sudo -u postgres psql -c "INSERT INTO property (key, value) VALUES ('syslog.message.format', 'CEF:0|Altor|VF|1.0|100|\$a\$||3|src=\$s\$ dst=\$d\$ spt=\$sp\$ dpt=\$dp\$ proto=\$p\$ act=\$a\$ start=\$tm\$');" vbrix_db
# Restart the Altor Center web application so the new format takes effect.
sudo service tomcat restart
```
**Step 3: Create a Network Rule** with the 'log' setting to enable event logging.
6. **Event Actions**:
Supported actions are 'allow', 'drop', 'reject', and 'mirror'.
Events carry fields such as dst, src, sp, dp, time and protocol; protocols without ports (such as icmp) omit the port fields.
7. **Disclaimer**:
The document is marked "ArcSight Technical Note – Contains Confidential and Proprietary Information."
This guide is designed to assist administrators in setting up their Altor VF 1.0 virtual firewall for effective integration with ArcSight, ensuring comprehensive event collection and logging capabilities within the virtual environment.
The article discusses the interoperability standard for event handling between a vendor-specific device (Altor) and ArcSight SmartConnector. It explains that information from vendor-specific event definitions is transferred to the ArcSight platform, where it undergoes mapping to corresponding ArcSight data fields. A table provided in the document details the mappings of ArcSight data fields to Altor's vendor-specific event definitions:
1. **Time**: Represented as milliseconds since epoch, this field captures the time when the event occurred.
2. **Type of firewall event**: This includes specific types of events generated by the firewall and is represented under the "Name" field in ArcSight.
3. **Source IP address** and **Destination IP address**: These are mapped to "Attacker or Source Address" and "Target or Destination Address" respectively, based on their roles in the event.
4. **Priority**: This indicates the urgency of the event and is captured under the "Priority" field in ArcSight.
5. **Altor Device Vendor** and **VF Device Product**: These fields identify the specific device vendor and product type from Altor.
6. **TCP/UDP Port numbers**: The source and destination port numbers are mapped to "Source Port" and "Destination Port" fields, respectively.
7. **ICMP, TCP, UDP Protocols**: This field specifies the protocol used in the communication event as captured by the device.
This mapping process is crucial for ensuring that events from different devices can be effectively integrated into a unified security information management (SIEM) platform like ArcSight, enhancing overall system interoperability and functionality.
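As an added example, not code from the guide or from Altor or ArcSight, the parser below turns syslog lines in the shape produced by the Step 2 template into the ArcSight field names from the mapping above, and handles the port-less ICMP case noted under Event Actions. It assumes the standard seven-field CEF header (severity directly after the event name, without the empty field shown in the template) and uses constructed sample lines rather than captured device output.

```python
import re
from datetime import datetime, timezone

KNOWN_ACTIONS = {"allow", "drop", "reject", "mirror"}   # actions the guide lists for VF 1.0
# Altor extension keys -> ArcSight field names from the mapping table above.
EXTENSION_MAP = {
    "src": "Attacker or Source Address",
    "dst": "Target or Destination Address",
    "spt": "Source Port",
    "dpt": "Destination Port",
    "proto": "Protocol",
    "act": "Device Action",
    "start": "Time",
}
# Standard CEF header: seven pipe-separated fields, then the key=value extension.
HEADER_FIELDS = ("Version", "Device Vendor", "Device Product", "Device Version",
                 "Signature ID", "Name", "Priority")
_PIPE = re.compile(r"(?<!\\)\|")                  # a pipe not escaped with a backslash
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")  # key=value pairs; values may contain spaces


def parse_altor_cef(line: str) -> dict:
    """Map one Altor VF 1.0 CEF syslog line onto the ArcSight field names."""
    parts = _PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF message: {line!r}")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["Version"] = int(event["Version"].split(":", 1)[1])
    event["Priority"] = int(event["Priority"])
    if not 0 <= event["Priority"] <= 10:
        raise ValueError(f"CEF severity out of range: {event['Priority']}")
    for key, value in _KV.findall(parts[7]):
        event[EXTENSION_MAP.get(key, key)] = value.replace("\\=", "=")
    # Protocols without ports (e.g. icmp) carry no spt/dpt; record them as None.
    for port_field in ("Source Port", "Destination Port"):
        event[port_field] = int(event[port_field]) if port_field in event else None
    # Altor reports start as milliseconds since the epoch; convert to an aware UTC datetime.
    event["Time"] = datetime.fromtimestamp(int(event["Time"]) / 1000, tz=timezone.utc)
    if event.get("Device Action") not in KNOWN_ACTIONS:
        raise ValueError(f"unexpected action: {event.get('Device Action')}")
    return event


# Constructed sample lines (not captured from a real device): a TCP drop and an ICMP allow.
SAMPLE_LINES = [
    "CEF:0|Altor|VF|1.0|100|drop|3|src=10.0.0.5 dst=10.0.0.9 spt=51234 dpt=22 proto=tcp act=drop start=1254468000000",
    "CEF:0|Altor|VF|1.0|100|allow|3|src=10.0.0.5 dst=10.0.0.9 proto=icmp act=allow start=1254468001000",
]
```

Calling `parse_altor_cef` on each of `SAMPLE_LINES` yields one dict per event; a line with a malformed header, an out-of-range severity or an action outside the four the guide documents raises `ValueError`, which is the case a collector should flag rather than silently ingest.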
