Layer7 Gateway v61 CEF Configuration Guide 2012
- Pavan Raja

- Apr 8, 2025
Summary:
The "CEF Connector Configuration Guide" is a document intended for informational purposes only, stating that HP ArcSight CEF connectors can process events from compatible devices. Errors should be reported to HP, and no warranties or liability coverage are provided. The guide covers the compatibility of an event format with the HP ArcSight Common Event Format (CEF), ensuring proper processing within HP products like ArcSight.
The "Layer 7 Gateway Configuration Guide" is focused on configuring Layer 7 SecureSpan or CloudSpan Gateways to collect events via syslog in a formatted event message. It supports versions starting from 6.1 and applies to devices with these versions or newer. The gateways function as policy enforcement points, collecting events through various interfaces like web services, APIs, etc.
To configure the Layer 7 Gateway for syslog event collection:
1. Obtain a "Log Message to Syslog" assertion from Layer 7 support and install it using the provided manual.
2. Configure initial connectivity in Layer 7 Policy Manager's "Manage Audit/Log Sinks" task by creating a new Log Sink named 'Syslog', selecting Type as 'Syslog' and setting the severity threshold to 'All'.
3. Set Protocol to UDP and provide ArcSight host and port info. Leave default values for other fields. Complete configuration by clicking OK.
4. If the assertion is installed correctly, it appears in the Assertion palette under Logging, Auditing, and Alerts. Use it in any policy to log relevant events.
5. Configure the Syslog connection and select the 'ArcSight CEF' checkbox for CEF-formatted output. Customize Signature-ID, Name, and Severity as needed; most CEF header fields are predetermined.
6. Define additional fields and values on the CEF Extension tab using customizable keys or predefined/user-defined context variables for transaction metadata.
7. The effectiveness of this configuration depends significantly on the policy being built and the logging requirements defined by ArcSight administrators. It involves creating a detailed record of every request, including responses and interactions like access control and threat protection assertions, and it logs user identities, credential tokens, traffic routing, and specific details like request methods, URLs, and sizes.
The system uses ArcSight as a monitoring tool to capture events from Layer 7 Gateway, categorizing them into inbound requests, outbound responses, access control operations, message routing operations, violations of authentication or threat protection policies, and other relevant data. Each event is correlated using a unique request ID across all related transactions. These events are mapped to specific ArcSight data fields based on the type of information they contain, such as protocol, IP address, port numbers, user identities, URLs, response sizes, timestamps, and more, for efficient organization and analysis.
Details:
The "CEF Connector Configuration Guide" is meant for informational purposes only, with information subject to change without notice. Report errors to HP. HP doesn't provide warranties or liability coverage for this info. It certifies that an event format is compatible with HP ArcSight Common Event Format (CEF), meaning the HP ArcSight CEF connector can process events correctly and they are usable within HP products like ArcSight. The document also applies to devices compliant with the standard SmartConnector requirements, ensuring proper categorization for correlation rules, reports, and dashboards.
The guide "Layer 7 Gateway Configuration Guide" is specifically about configuring Layer 7 SecureSpan or CloudSpan Gateways to collect events via syslog in a formatted event message. It supports all platforms starting from version 6.1 and applies to devices with this version or newer. The gateways act as policy enforcement points between service providers and consumers, ensuring security, monitoring, and adapting enterprise applications through various interfaces like web services, APIs, etc.
To configure the Layer 7 Gateway for syslog event collection:
1. Request the "Log Message to Syslog" Assertion from Layer 7 support. Install it using the provided manual.
2. Configure initial connectivity via the "Manage Audit/Log Sinks" task in Layer 7 Policy Manager. Create a new Log Sink with a conventional name, select 'Syslog' as the Type and set the severity threshold to 'All'.
3. Set Protocol to UDP and provide ArcSight host and port info. Leave default values for other fields. Complete configuration by clicking OK.
4. If the assertion is installed correctly, it appears in the Assertion palette under Logging, Auditing, and Alerts. Use it in any policy to log relevant events.
5. Upon adding the assertion, configure the Syslog connection and select the 'ArcSight CEF' checkbox for CEF-formatted output. Most CEF header fields are predetermined; customize Signature-ID, Name, and Severity as needed.
6. Define additional fields and values on the CEF Extension tab using customizable keys or predefined/user-defined context variables to include transaction metadata automatically updated with each request. For more details on available keys, refer to the "CEF Keys Overview" tab.
7. The effectiveness of this configuration will depend significantly on the policy being built and the logging requirements defined by the ArcSight administrator.
The policy described involves creating a detailed record of every request, including the response and relevant interactions such as access control and threat protection assertions. This includes logging user identities, credential tokens, traffic routing, and capturing specific details like request methods, URLs, and sizes.
The system uses ArcSight as a monitoring tool which captures events from Layer 7 Gateway, categorizing them into inbound requests, outbound responses, access control operations, message routing operations, violations of authentication or threat protection policies, and other relevant data. Each event is correlated using a unique request ID, ensuring that all related transactions are tracked together.
The system maps these events to specific ArcSight data fields based on the type of information they contain, such as protocol, IP address, port numbers, user identities, URLs, response sizes, timestamps, and more. This mapping helps in organizing and analyzing the vast amount of data generated by Layer 7 Gateway operations efficiently.
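To show what the receiving side does with these messages, the following Python example (added here, not taken from the guide or from Layer 7 or HP code) parses CEF syslog lines, including escaped pipes and equals signs, groups events by request ID, and lists requests that contain a high-severity event. The sample lines, vendor and product strings, signature IDs, and the use of the CEF key `externalId` to carry the request ID are constructed assumptions; the guide does not specify them.

```python
import re
from collections import defaultdict

FIELDS = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# Seven pipe-delimited header fields (a backslash escapes the next character);
# whatever follows the seventh pipe is the extension.
HEADER = re.compile(r"CEF:" + r"((?:[^\\|]|\\.)*)\|" * 7 + r"(.*)$")
# An extension key is a bare word at the start or after whitespace, then '='.
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")

def unescape(value):
    """Undo CEF backslash escaping (backslash-n becomes a newline)."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def parse_cef(line):
    """Parse one syslog line carrying a CEF record into header fields plus 'ext'."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("missing or truncated CEF header")
    event = {k: unescape(v) for k, v in zip(FIELDS, m.groups())}
    ext, keys = m.group(8), list(EXT_KEY.finditer(m.group(8)))
    event["ext"] = {}
    for i, k in enumerate(keys):
        # A value runs until the next key, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        event["ext"][k.group(1)] = unescape(ext[k.end():end].strip())
    return event

def correlate(lines, id_key="externalId"):
    """Group events by request ID (id_key is an assumed extension key)."""
    by_request = defaultdict(list)
    for line in lines:
        ev = parse_cef(line)
        by_request[ev["ext"].get(id_key, "<missing>")].append(ev)
    return dict(by_request)

def high_severity_requests(lines, threshold=7):
    """Request IDs with at least one event at or above the severity threshold."""
    return sorted(rid for rid, evs in correlate(lines).items()
                  if any(int(e["severity"]) >= threshold for e in evs))

# Constructed sample input; not real gateway output.
PRE = "<134>Apr  8 10:00:01 gw1 CEF:0|Layer7|SecureSpan Gateway|6.1|"
SAMPLE = [
    PRE + "100|Inbound request|3|externalId=req-0001 src=192.0.2.10 "
          "requestMethod=POST request=https://gw.example.test/orders?a\\=1",
    PRE + "200|Access control|3|externalId=req-0001 suser=alice msg=Authenticated via HTTP Basic",
    PRE + "300|Threat protection \\| SQL injection|8|externalId=req-0002 src=192.0.2.77 msg=pattern matched in body",
    PRE + "110|Outbound response|3|externalId=req-0001 out=512",
]
```
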
