Tech Note--Audit Support For McAfee Web Gateway


Tech Note--Audit Support for McAfee Web Gateway
Symantec CloudSOC Tech Note

Copyright statement

Copyright (c) Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

Table of Contents

Introduction
Supported Web Gateway firewall version
Supported log formats
Specifying custom log file headers
Default log file header format
Mandatory fields
Adding additional properties to logs
Configuring McAfee Web Gateway for auto log push to SpanVA
Sample access log
References
Revision history

Introduction

This Tech Note describes how the CloudSOC Audit application supports log files from McAfee Web Gateway devices.

Supported Web Gateway firewall version

McAfee Web Gateway minimum supported version is 7.x.

Supported log formats

CloudSOC Audit App only supports logs from McAfee Web Gateway in space delimited values format.

Based on how you have configured your McAfee Web Gateway, it can generate the logs with or without a header row. The different log file formats and the corresponding configuration are described below.

Note: In general, all files uploaded for the datasource must have the same log format.

The preferred option is to configure the Web Gateway to embed the headers inside the log file. The header row is included as the first row in the log file, starting with a '#' symbol. If a header row is available, the CloudSOC Audit application parses the fields in the log file(s) based on the field names and ordering specified in the header row.

An example of embedded headers is shown in the snippet below, which shows the first two rows of a log file.

#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"
[27/May/2014:23:59:43 +0530] "800069682" 58.2.97.194 304 9380.cms HTTP/1.1" "General News" "Minimal Risk" "" 307 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "" "0"

Specifying custom log file headers

If your log files do not have the header row as the first row, and the order of the fields in the log files does not match the defaults described in Default log file header format, use the Custom Headers tool in Audit to specify the custom headers that apply to your McAfee Web Gateway. Otherwise CloudSOC cannot process the logs correctly for use in the Audit application.

For full procedures on uploading device logs to CloudSOC, see the CloudSOC Tech Note Uploading Device Logs to CloudSOC Audit.

Important: Do not put any spaces between field names in the Custom Headers specification. Audit considers a space to be part of the delimiter, causing it to parse such headers incorrectly in your logs.

Default log file header format

The Audit application assumes the following default log format for log files without embedded header fields, and where you have not specified custom headers as described in Specifying custom log file headers:

time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name"

If your logs do not adhere to this format, you must either embed the headers or specify custom headers in CloudSOC.
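The parsing rules above (embedded '#' header row, else custom header, else the default header, with a space inside a field name misread as a delimiter) together with the mandatory-field and gateway-identifier rules stated in the next two sections can be checked before logs are uploaded. The following is an added example, not CloudSOC or McAfee code. It assumes field names use underscores as in the McAfee default header, and the sample log, the mwg-01/mwg-02 device names and the IP addresses in it are constructed for illustration.

```python
"""McAfee Web Gateway access-log parser applying the CloudSOC Audit rules.

Added example (not CloudSOC or McAfee code). Rules implemented:
  - an optional '#' header row fixes field names and order; otherwise the
    caller's custom header or DEFAULT_HEADER applies;
  - a field name containing a space is rejected (Audit would split on it);
  - time_stamp, bytes_to_client, bytes_from_client and req_line-or-url are
    mandatory;
  - the first header field named device_id, uuid or hostname identifies the
    sending gateway.
Field names are assumed to use underscores (McAfee's default spelling).
"""
from typing import Dict, List, Optional

DEFAULT_HEADER = (
    'time_stamp "auth_user" src_ip status_code "req_line" "categories" '
    '"rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" '
    '"virus_name" "block_res" "application_name"'
)
MANDATORY = ("time_stamp", "bytes_to_client", "bytes_from_client")
GATEWAY_ID_FIELDS = ("device_id", "uuid", "hostname")

# Constructed sample (not real traffic) in the extended format this Tech Note's
# procedure ends with: server_ip and uuid appended to the default header.
SAMPLE_LOG = """\
#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name" server_ip uuid
[27/May/2014:23:59:43 +0530] "jdoe" 10.0.0.5 200 "GET http://www.example.com/index.html HTTP/1.1" "General News" "Minimal Risk" "text/html" 9380 412 "Mozilla/5.0 (Windows NT 6.1)" "" "0" "" 93.184.216.34 mwg-01
[27/May/2014:23:59:44 +0530] "" 10.0.0.7 403 "GET http://test.example.net/eicar.com HTTP/1.1" "Malicious Downloads" "High Risk" "application/octet-stream" 0 301 "curl/7.68.0" "EICAR-Test-File" "1" "" 203.0.113.9 mwg-02
"""


def tokenize(line: str) -> List[str]:
    """Split on spaces but keep "quoted" and [bracketed] spans whole.

    The time_stamp field, [27/May/2014:23:59:43 +0530], is unquoted yet
    contains a space, so a plain str.split() would misalign every column.
    """
    tokens: List[str] = []
    i, n = 0, len(line)
    while i < n:
        c = line[i]
        if c.isspace():
            i += 1
        elif c in '"[':
            close = '"' if c == '"' else ']'
            j = line.find(close, i + 1)
            if j == -1:
                raise ValueError(f"unterminated {c!r} at column {i}")
            # Quotes are stripped; the brackets stay as part of the value.
            tokens.append(line[i + 1:j] if c == '"' else line[i:j + 1])
            i = j + 1
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            tokens.append(line[i:j])
            i = j
    return tokens


def parse_header(header: str) -> List[str]:
    """Turn a header string (with or without a leading '#') into field names."""
    fields = tokenize(header.lstrip("#").strip())
    for f in fields:
        if " " in f:
            raise ValueError(f"field name contains a space: {f!r}")
    return fields


def check_mandatory(fields: List[str]) -> List[str]:
    """Return the mandatory fields missing from the header (empty if none)."""
    missing = [f for f in MANDATORY if f not in fields]
    if "req_line" not in fields and "url" not in fields:
        missing.append("req_line or url")
    return missing


def gateway_id_field(fields: List[str]) -> Optional[str]:
    """First header field (in header order) named device_id, uuid or hostname."""
    return next((f for f in fields if f in GATEWAY_ID_FIELDS), None)


def parse_log(text: str, custom_header: Optional[str] = None) -> List[Dict[str, str]]:
    """Parse a log file into records; each gets a '_gateway' key (may be '')."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("#"):
        fields = parse_header(lines.pop(0))
    else:
        fields = parse_header(custom_header or DEFAULT_HEADER)
    missing = check_mandatory(fields)
    if missing:
        raise ValueError("header lacks mandatory field(s): " + ", ".join(missing))
    gw = gateway_id_field(fields)
    records = []
    for line in lines:
        values = tokenize(line)
        if len(values) != len(fields):
            # Reject rather than silently shift columns.
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line[:50]!r}")
        rec = dict(zip(fields, values))
        rec["_gateway"] = rec[gw] if gw else ""
        records.append(rec)
    return records


def bytes_by_gateway(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Total bytes (to + from client) per sending gateway, as Audit can filter."""
    totals: Dict[str, int] = {}
    for rec in records:
        total = int(rec["bytes_to_client"]) + int(rec["bytes_from_client"])
        totals[rec["_gateway"]] = totals.get(rec["_gateway"], 0) + total
    return totals


if __name__ == "__main__":
    print(bytes_by_gateway(parse_log(SAMPLE_LOG)))
```

Run against a real export, the header check is the useful part: a file whose first row is not a '#' header and whose column count does not match DEFAULT_HEADER fails on the first record, which is exactly the case where a custom header must be entered in Audit.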

Mandatory fields

The following fields must be present in the logs uploaded to the CloudSOC Audit application:

- time_stamp
- bytes_to_client
- bytes_from_client
- req_line or url

Adding additional properties to logs

We recommend that you configure the Web Gateway to include the following additional fields if practical:

- server_ip - Identifies destination locations of the traffic.
- uuid - Identifies the gateway device when multiple devices are sending logs to CloudSOC. You can filter traffic on this identifier in the Audit app.

If you have multiple McAfee Web Gateway devices in your network, you can either define multiple datasource entries in CloudSOC, one per device, or you can send logs from all those devices using the same CloudSOC datasource entry. The latter approach is simpler, and if you choose to do so, you can add an additional attribute to the logs to identify the device that is sending the logs. If CloudSOC sees any field in the log header named device_id, uuid or hostname, it uses the first such field's value as the identifier of the gateway sending the logs. That lets you use a single datasource to collect logs from all your gateways while still retaining the ability to drill down to logs from a single gateway.

To configure a Web Gateway to include the server_ip and uuid in its logs:

1. In the Web Gateway console, navigate to Policy > Rule Sets > Log Handler > Access Log as shown below.

2. Click on the currently enabled rule, then click copy and paste. The console creates a copy of the rule as shown below.
3. Choose the new rule and click Edit.
4. On the Edit Rule box, enter a new name for the rule as shown below.
5. In the Steps area of the Edit Rule box, click Events and click in the text box to select it as shown below.

6. On the Events toolbar, click Edit to open the Edit Set Property box as shown below.
7. On the "To concatenation of these strings:" toolbar, click Add to add a new string.
8. On the Enter a String box, type a double-quote followed by a space as shown below, then click OK. This action creates a separator that CloudSOC requires in order to parse the logs.

9. On the Edit Set Property box, choose Filter Type IP as shown below.
10. In the "To concatenation of these strings:" toolbar, click Add.
11. Mark the Parameter Property radio button.
12. In the "Type to filter properties" box, type ip, then choose IP.ToString(IP) from the list as shown below.
13. In the IP.ToString(IP) entry, click Parameters to open the Parameters for Property box.

14. Mark the radio button for Parameter property, then choose URL.Destination.IP as shown below.
15. Click OK to add the destination IP to the string.
16. Click OK on the Enter a String box to add the string with the destination IP to the property.
17. Click OK on the Edit Set Property box to add the property to the rule.
18. On the Edit Rule box, click in the text box, then click Edit.
19. On the Events toolbar, click Edit to open the Edit Set Property box again.
20. On the "To concatenation of these strings:" toolbar, click Add to add a new string.
21. On the Enter a String box, type a double-quote followed by a space, then click OK. This action creates a new separator.
22. Click Add to add a new string.
23. On the Enter a String box, mark Parameter property and search for "System.UUID" as shown below.

24. Click System.UUID to highlight it, then click OK on the Enter a String box.
25. On the Edit Set Property box, click OK.
26. On the Edit Rule box, click Finish.
27. On the Web Gateway console, mark the checkboxes to disable the previously active rule, and enable your new copy of the rule as shown below.
28. On the Web Gateway console, navigate to Policy > Settings > Engines > File System Logging > Access Log Configuration as shown below.

29. In the Log header box, add a space and then "server_ip uuid" to the end of the log header string as shown below.
30. On the console toolbar, click Save Changes.

You have now updated the Log Header to include the server_ip and uuid fields at the end of the default Access Log format:

time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client bytes_from_client "user_agent" "virus_name" "block_res" "application_name" server_ip uuid

You can also configure the Web Gateway to automatically push logs to SpanVA, as described in the next section.

Configuring McAfee Web Gateway for auto log push to SpanVA

McAfee Web Gateway can automatically push logs periodically or on rotation to an external monitoring device over FTP, HTTP or HTTPS. Typically, you set up and configure a local server to collect logs from firewall and proxy devices and then write a script to periodically transfer these logs to CloudSOC servers over SFTP.

A simpler alternative is to use the CloudSOC SpanVA log collector appliance to collect logs from all your network devices including Web Gateways. Your gateways can then push logs directly to SpanVA, which optionally anonymizes, compresses, and transfers the logs to CloudSOC for processing. We recommend this approach because it simplifies your job. This Tech Note does not go into details of configuring SpanVA but focuses on how you can configure your Web Gateway.

1. In CloudSOC, create a SpanVA datasource for the Web Gateway as described in the CloudSOC Tech Note Installing and Configuring SpanVA. For a SpanVA datasource of type SCP/SFTP/FTP/HTTPS Server, note the destination directory, username, and password shown on the SpanVA Datasource Details panel.
2. In the Web Gateway console, navigate to Policy > Settings > File System Logging > Access Log Configuration as shown below.
   Note: Do not change the logging settings in Configuration > Log File Manager. Those settings apply globally, and changing them may have unintended consequences.
3. In the Settings for Rotation, Pushing, and Deletion area, mark the checkbox for Enable specific settings for user defined log as shown below.
4. In the Auto Pushing area, mark the checkbox for Enable Auto Pushing.
5. In the Destination box, combine the SpanVA hostname or IP address and the destination directory from the SpanVA Datasource Details panel, for example:
   https:///ds mycompanyco/484848041ce7c1829f5c85508
6. In the Username and Password boxes, enter the username and password from the SpanVA Datasource Details panel as shown below.

7. Configure log rotation and deletion to suit your needs as shown in the example below.
8. On the Web Gateway console toolbar, click Save Changes.

The next time your McAfee Web Gateway rotates the log file, it sends it to SpanVA using an HTTP PUT request.

For more information, see the CloudSOC Tech Notes Using the Audit Application and Installing and Configuring SpanVA.

Sample access log

#time_stamp "auth_user" src_ip status_code "req_line" "categories" "rep_level" "media_type" bytes_to_client "user_agent" "virus_name" "block_res"
[27/May/2014:23:59:43 +0530] "800069682" 58.2.97.194 304 9380.cms HTTP/1.1" "General News" "Minimal Risk" "" 307 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "" "0"
[27/May/2014:23:59:43 +0530] "800069682" 58.2.97.194 304 "GET http://www.google-analytics.com/ga.js HTTP/1.1" "Internet Services" "Minimal Risk" "" 252 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "" "0"
[27/May/2014:23:59:43 +0530] "703081901" 124.4.34.159 200 urce/remote.js HTTP/1.1" "Education/Reference" "Minimal Risk" "" 32441 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)" "" "0"
[27/May/2014:23:59:43 +0530] "" 58.2.64.237 200 receive?jsoncallback=jsonp1401195052544&_=1401215381409&buddylist=1&initialize=0&currenttime=0&timestamp=1&typingto=0&blh=undefined&status=&updateconv=1401214919 HTTP/1.1" "" "-" "" 304 "Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "" "0"

References

OC-4929

Revision history

Date              Version  Description
2014              1.0      Initial release
30 October 2015   1.1      Minor revisions
6 December 2016   1.2      Fix typo
20 January 2017   2.0      Add procedure for configuring Web Gateway to include device ID and server IP in logs
