
Web: Example for Outputting IPv4 Session Logs to the eLog Log Host

The administrator checks IPv4 session logs on the eLog to understand the creation of sessions by IPv4 packets on the FW.

Networking Requirements

As shown in Figure 1, a FW is deployed at the border of a network as a gateway. A PAT-mode NAT policy is configured on the FW to perform the address and port translation for packets that access external networks from the internal network.

You need to check PAT-mode IPv4 session logs on the eLog to understand the creation of sessions by packets in a timely manner and, when necessary, perform NAT source tracing.

Figure 1 Networking diagram of checking IPv4 session logs on the eLog

Configuration Roadmap

To meet the requirements, you need to consider the following key configuration points:

  • Configure a PAT-mode NAT policy on the firewall, set the interworking parameters, and output the logs to the eLog. FWs of different product forms and versions have different logging functions and output modes.
  • After the eLog is installed, discover the log source (that is, the FW) on the eLog and associate the collector with the log source.

Data Planning

In this case, data planning for the FW and eLog is shown in Table 1.

Table 1 Data planning

Data Planning on the FW

  Interface and IP Address
    • Interface connecting to the eLog: GigabitEthernet 0/0/1
    • Associated security zone: DMZ
    • IP address: 172.16.81.1/16

  Security Policy
    Security policy for service traffic:
      • Source security zone: Trust
      • Destination security zone: Untrust
      • Source IP address: 192.168.0.0/24
      • Action: Permit

    NAT policy for service traffic:
      • Source security zone: Trust
      • Destination security zone: Untrust
      • Source IP address: 192.168.0.0/24
      • Action: NAT translation
      • NAT address pool: addr1

Data Planning on the eLog

  IP Address
    • 172.16.110.168

  Collection Mode
    • Collection mode: Session
    • Port: 9002

Description

  The session collection mode is used for the eLog, and port 9002 is used to receive log information.

Procedure

  1. Important check items before configuration

    Before configuring the FW and eLog, pay attention to the following important check items and complete the configuration based on the actual situation:

    • The time zone and time of the FW shall be the same as those of the eLog.

      If the time zone or time of the FW differs from that of the eLog collector, log query results will be affected. You are advised to configure both the FW and the eLog as NTP clients that synchronize time from the same clock source. If NTP is not deployed on the network, manually adjust the time on the FW so that it is consistent with the eLog.

    • Specify the method of managing the log source (that is, the FW) on the eLog.

      Currently, the eLog supports two FW management methods: manual adding and automatic discovery. You are advised to add the FW manually because this method is simple and requires no extra configuration on the FW. When there are a large number of FWs, you can use automatic discovery instead; in that case, SNMP parameters must be set on the FWs.

  2. Configure the FW.

    1. Check whether the time zone and time of the FW are the same as those of the eLog collector. If not, choose System > Setup > Time to adjust the time zone or time of the FW.

    2. If the eLog manages FWs through automatic discovery, configure SNMP parameters on the FWs so that the eLog can discover them automatically; if the eLog manages FWs through manual adding, skip this step. Because SNMPv3 is more secure than SNMPv1 and SNMPv2c, you are advised to use SNMPv3, with SHA2-256 as the authentication protocol and AES128 as the encryption protocol.

      When SNMP parameters are set using the web UI, the authentication algorithm is SHA2-256 and the encryption algorithm is AES128 by default, and cannot be changed. If you need to change these algorithms, run related commands.

    3. Configure security policies.

      1. Choose Policy > Security Policy > Security Policy.
      2. Click Add and configure a security policy from Trust to Untrust.

    4. Configure a NAT policy.

      Configure the NAT address pool and use the PAT mode (also the default mode).
      1. Choose Policy > NAT Policy > NAT Policy.
      2. Click the Source Translation Address Pool tab. Click Add and create a NAT address pool as follows. Click OK.

        • Name: addr1
        • IP Address Range: 192.168.5.100-192.168.5.120

      Configure the NAT policy and reference the NAT address pool.
      1. Choose Policy > NAT Policy > NAT Policy > NAT Policy, click Add in NAT Policy List, and configure the NAT policy as follows. Click OK.

        • Name: policy1
        • NAT Type: NAT
        • Source Zone: trust
        • Destination Type: Destination Zone (untrust)
        • Source Address: 192.168.0.0/24
        • Translated After
          • Translated Mode: IP Address in the IP Address Pool
          • Address Pool: addr1

    5. Configure the log host.
      # Set the IP address of the log host to 172.16.110.168, port number to 9002, and source IP address and source port for sending logs to 172.16.81.1 and 6666 respectively. (The eLog uses the session mode to collect logs.)
      1. Choose System > Log Configuration > Log Configuration.
      2. Configure binary session logs.

      In addition, log collection in netflow mode is supported. To view netflow session logs, set the port number to 9996. This document uses log collection in session mode as an example.

    6. Enable the session log function.

      # Enable the record function for session logs in the security policy for service traffic.

      Choose Policy > Security Policy > Security Policy, click the created security policy policy1, and enable the function of recording session logs in Other Options > Record Session Logs.

  3. Configure the eLog.

    Assume that the eLog has been installed successfully, the collector is working normally, and the disk space has been planned. The operations for managing log sources and viewing log reports on the eLog are as follows.

    For details about how to install and use the eLog, see the product documentation of the corresponding version in Technical Support > Product Support > Documentation > Security > eLog.

    1. Log in to the eLog using an administrator account.
    2. Choose System > System Management > Log Source List.
    3. Select the log source management method, manual adding or automatic discovery. Manual adding is recommended.

      • Manage log sources by manually adding them:

        1. Click and set the following parameters.

        2. Click OK. A message is displayed, indicating the configuration success.
        3. Click OK.

      • Manage log sources by automatically discovering them:

        1. Click and set the following parameters. The authentication and authorization protocol and password as well as the data encryption protocol and password must be consistent with the configuration on the FW.

          If there are many log sources on the network and these log sources are configured with the same SNMP parameters, you can create an SNMP parameter template on the eLog in advance, set the automatic discovery mode, and reference the SNMP parameter template to reduce the configuration workload.

        2. Click Start Discovery.
        3. After discovery is complete, the discovery result shows information about discovered log sources. In the Discovery Result dialog box, click Close.

    4. Choose System > System Management > Service Management.
    5. Click next to the collector. Then click in the Operation column of the collector.

      The collector configuration window is displayed.

    6. Click .
    7. Select log sources to be associated, as shown in the following figure:

    8. Click Next and configure the log collection mode.

      Configure the log collection mode on the eLog: set the log collection mode to SESSION with port number 9002, or to Netflow with port number 9996. If the FW has the UTM feature, select Enable the UTM feature.

    9. Click Finish.

Checking Log Information

After the configurations are complete, when users on internal networks access external networks, corresponding sessions are generated on the FW. After the sessions age, the FW sends the session logs to the eLog. Then you can check the IPv4 session logs on the eLog.

  1. Choose Session Analysis > IPv4 Session Query.
  2. Click the IPv4 PAT tab, set a reasonable query time range, and click Search.

  3. The query results are as shown in the following figure. The log information given here is only an example; the log information in your environment depends on the actual network conditions.

    By checking the log information above, the administrator can learn about the creation of sessions by packets in a timely manner. The logs also show the pre-NAT information of the packets (such as the source IP address), which allows NAT source tracing when necessary.

    In addition, the administrator can click , , and and export the query results to corresponding file formats.
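The NAT source tracing described above, as an added example that is not part of the original page: given PAT session records of the kind the eLog stores (the sample data is constructed; the record field names, the helper functions and the internal hosts in 192.168.0.0/24 are assumptions, while the translated addresses come from the pool range 192.168.5.100-192.168.5.120 configured in this example), map a translated address and port observed on the external network at a given time back to the internal host that held it. Because PAT reuses the same translated address and port once a session ages, the timestamp is part of the lookup key, and the last function shows why check item 1 matters: an FW clock that is offset from the eLog shifts every timestamp, and a lookup with the correct external time finds nothing.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class PatSessionLog:
    """One PAT-mode IPv4 session record as the eLog stores it (field names assumed here)."""
    src_ip: str       # pre-NAT source address of the internal host
    src_port: int     # pre-NAT source port
    nat_ip: str       # translated address taken from NAT address pool addr1
    nat_port: int     # translated port
    dst_ip: str       # external destination
    dst_port: int
    start: datetime   # session creation time (timezone-aware)
    end: datetime     # session aging time (timezone-aware)


def utc(year, month, day, hour, minute, second=0):
    """Build a timezone-aware UTC timestamp; logs and observations must carry a zone."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample records: two internal hosts use the same translated
# address and port at different times, which is normal for PAT once a session ages.
SAMPLE_LOGS: List[PatSessionLog] = [
    PatSessionLog("192.168.0.10", 51000, "192.168.5.100", 2048, "203.0.113.7", 443,
                  utc(2024, 3, 1, 10, 0), utc(2024, 3, 1, 10, 5)),
    PatSessionLog("192.168.0.10", 51001, "192.168.5.101", 2049, "203.0.113.7", 443,
                  utc(2024, 3, 1, 10, 1), utc(2024, 3, 1, 10, 3)),
    PatSessionLog("192.168.0.22", 40222, "192.168.5.100", 2048, "198.51.100.3", 80,
                  utc(2024, 3, 1, 11, 0), utc(2024, 3, 1, 11, 2)),
]


def trace_nat_source(logs: List[PatSessionLog], nat_ip: str, nat_port: int,
                     seen_at: datetime, dst_ip: Optional[str] = None) -> List[PatSessionLog]:
    """Return the session record(s) whose translated address and port were in use at seen_at.

    Session start and end are matched inclusively; dst_ip narrows the result when the
    external party that reported the traffic is known. A naive datetime is rejected,
    because comparing clocks from two systems without a zone is exactly the mistake the
    time-zone check item above warns about.
    """
    if seen_at.tzinfo is None:
        raise ValueError("seen_at must be timezone-aware")
    hits = []
    for rec in logs:
        if rec.nat_ip != nat_ip or rec.nat_port != nat_port:
            continue
        if dst_ip is not None and rec.dst_ip != dst_ip:
            continue
        if rec.start <= seen_at <= rec.end:
            hits.append(rec)
    return hits


def with_clock_skew(logs: List[PatSessionLog], hours: float) -> List[PatSessionLog]:
    """Simulate an FW whose clock (or time zone) is off from the eLog by the given hours:
    every timestamp the FW stamps on its logs shifts, so a correct external time misses."""
    delta = timedelta(hours=hours)
    return [PatSessionLog(r.src_ip, r.src_port, r.nat_ip, r.nat_port, r.dst_ip, r.dst_port,
                          r.start + delta, r.end + delta) for r in logs]


if __name__ == "__main__":
    seen = utc(2024, 3, 1, 10, 2, 30)
    for rec in trace_nat_source(SAMPLE_LOGS, "192.168.5.100", 2048, seen):
        print(f"{rec.nat_ip}:{rec.nat_port} at {seen.isoformat()} was {rec.src_ip}:{rec.src_port}")
    skewed = with_clock_skew(SAMPLE_LOGS, 8)
    print("hits with 8 h clock skew:", len(trace_nat_source(skewed, "192.168.5.100", 2048, seen)))
```

The lookup at 10:02:30 resolves 192.168.5.100:2048 to 192.168.0.10, the same address and port at 11:01 resolves to 192.168.0.22, and the skewed copy of the logs returns no match at all, which in practice is indistinguishable from the session never having been logged.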

Configuration Script

This example provides only the configuration scripts of the part where the FW interworks with the eLog.

#
 sysname FW
#
 firewall log host 1 172.16.110.168 9002
 firewall log source 172.16.81.1 6666
#
interface GigabitEthernet 0/0/1
 ip address 172.16.81.1 255.255.0.0
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/1
#
 snmp-agent
 snmp-agent sys-info version v3
 snmp-agent group v3 group privacy
 snmp-agent usm-user v3 admin group group
 snmp-agent usm-user v3 admin authentication-mode sha2-256 cipher %^%#ZgL-L2HsZ<5P]s+:6d)LcBG5)~mdl=te
 snmp-agent usm-user v3 admin privacy-mode aes128 cipher %^%#i!rs46cpF"_)d#.cJ,'1>wE_>wE
#
nat address-group addr1
 mode pat
 section 0 192.168.5.100 192.168.5.120
#
security-policy
 rule name policy1
  session logging
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  action permit
#
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 24
  action source-nat address-group addr1
#
return
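An added consistency check for a configuration script of this kind (example code written for this page, not part of the original page or of the FW software): it parses the eLog-related lines of a configuration dump and reports where the result departs from the data plan in Table 1, namely a log host or log source other than the planned ones, an SNMP version other than v3 or algorithms other than SHA2-256 and AES128 when SNMP is configured, and any security-policy rule without session logging, whose sessions would never reach the eLog. The embedded configuration excerpt is constructed from the script above; the cipher strings are placeholders, and a second rule without session logging is added so that the check produces a finding.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the script above; cipher strings are placeholders and
# rule policy2 (without "session logging") is added to produce a finding.
SAMPLE_CONFIG = """\
#
 sysname FW
#
 firewall log host 1 172.16.110.168 9002
 firewall log source 172.16.81.1 6666
#
 snmp-agent
 snmp-agent sys-info version v3
 snmp-agent group v3 group privacy
 snmp-agent usm-user v3 admin group group
 snmp-agent usm-user v3 admin authentication-mode sha2-256 cipher %^%#PLACEHOLDER
 snmp-agent usm-user v3 admin privacy-mode aes128 cipher %^%#PLACEHOLDER
#
security-policy
 rule name policy1
  session logging
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  action permit
 rule name policy2
  source-zone trust
  destination-zone dmz
  action permit
#
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  action source-nat address-group addr1
#
return
"""

Endpoint = Tuple[str, int]


def parse_fw_config(text: str) -> Dict:
    """Pull the eLog-relevant settings out of a Huawei-style configuration dump.

    A line consisting of "#" closes the current block, so rule tracking only
    applies inside the security-policy block (nat-policy rules are ignored).
    """
    cfg: Dict = {"log_host": None, "log_source": None, "snmp_version": None,
                 "snmp_auth": None, "snmp_priv": None, "rules": {}}
    in_security_policy = False
    rule: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#" or not line:
            in_security_policy, rule = False, None
            continue
        if m := re.match(r"firewall log host \d+ (\S+) (\d+)$", line):
            cfg["log_host"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"firewall log source (\S+) (\d+)$", line):
            cfg["log_source"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"snmp-agent sys-info version (\S+)$", line):
            cfg["snmp_version"] = m.group(1)
        elif m := re.search(r"\bauthentication-mode (\S+)", line):
            cfg["snmp_auth"] = m.group(1)
        elif m := re.search(r"\bprivacy-mode (\S+)", line):
            cfg["snmp_priv"] = m.group(1)
        elif line == "security-policy":
            in_security_policy = True
        elif in_security_policy and (m := re.match(r"rule name (\S+)$", line)):
            rule = m.group(1)
            cfg["rules"][rule] = {"session_logging": False}
        elif in_security_policy and rule and line == "session logging":
            cfg["rules"][rule]["session_logging"] = True
    return cfg


def audit_elog_config(cfg: Dict, planned_host: Endpoint, planned_source: Endpoint) -> List[str]:
    """Compare the parsed settings with the data plan and return human-readable findings."""
    findings: List[str] = []
    if cfg["log_host"] != planned_host:
        findings.append(f"log host is {cfg['log_host']}, data plan says {planned_host}")
    if cfg["log_source"] != planned_source:
        findings.append(f"log source is {cfg['log_source']}, data plan says {planned_source}")
    if cfg["snmp_version"] is not None:          # SNMP is only needed for automatic discovery
        if cfg["snmp_version"] != "v3":
            findings.append(f"SNMP version {cfg['snmp_version']} configured; v3 is advised")
        if cfg["snmp_auth"] != "sha2-256":
            findings.append(f"SNMP authentication {cfg['snmp_auth']}; sha2-256 is advised")
        if cfg["snmp_priv"] != "aes128":
            findings.append(f"SNMP privacy {cfg['snmp_priv']}; aes128 is advised")
    for name, rule in cfg["rules"].items():
        if not rule["session_logging"]:
            findings.append(f"security-policy rule {name} lacks 'session logging'; "
                            "its sessions will never be sent to the eLog")
    return findings


if __name__ == "__main__":
    parsed = parse_fw_config(SAMPLE_CONFIG)
    for finding in audit_elog_config(parsed, ("172.16.110.168", 9002), ("172.16.81.1", 6666)):
        print("FINDING:", finding)
```

Run against a real dump, the check is most useful after a policy change: a newly added security-policy rule that permits traffic but omits session logging silently removes those sessions from the eLog, and nothing on the eLog side reports the gap.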
Copyright © Huawei Technologies Co., Ltd.