CLI: Example for Sending Intrusion Prevention Logs to the eLog Log Host

You can check intrusion prevention logs on the eLog to learn intrusion behaviors and threats on the network.

Networking Requirements

As shown in Figure 1, a FW is deployed at the border of a network as a gateway. The intrusion prevention function is configured on the FW to protect users on the internal network against attacks from malicious web servers.

The network administrator wants to check intrusion prevention logs on the eLog to learn the attacks from malicious web servers on external networks and thereby make timely policy adjustment or implement proactive attack defense.

Figure 1 Networking diagram of checking intrusion prevention logs on the eLog

Configuration Roadmap

To meet the preceding requirements, you need to consider the following key points of configuration:

Configure the intrusion prevention function on the FW, set interconnection parameters, and output the logs to the eLog.
After the installation of the eLog is completed, find the log source (that is, the FW) on the eLog and associate the collector with the log source.

Data Planning

In this case, data planning for the FW and eLog is shown in Table 1.

**Table 1** Data planning
Data Planning on the FW		Data Planning on the eLog		Description
Interface and IP Address	Security Policy	IP Address	Collection Mode	Description
Interface connecting to the eLog: GigabitEthernet 0/0/1 Associated security zone: DMZ IP Address: 172.16.81.1/16	Security policy for service traffic: Source security zone: Trust Destination security zone: Untrust Destination IP address: 192.168.0.0/24 Action: Permit Intrusion prevention profile: default	172.16.110.168	Collection mode: Dataflow Port: 9002 Log hosts that support dataflow service logs and session logs are configured using the firewall log host host-id ip-address port command. When outputting logs in the dataflow format, the FW uses port 9903 by default, irrelevant to the port number set on the log host. To allow users to send both dataflow service logs and session logs, you are advised to set the log host's port number the same as the port number for session logs. For example, to send binary session logs and dataflow service logs, you are advised to set the port number to 9002. Port 9002 is used as an example.	The dataflow collection mode is used for the eLog, and port 9903 is used to receive log information.

Procedure

Important check items before configuration
Before configuring the FW and eLog, pay attention to the following important check items and complete the configuration based on the actual situation:
- The time zone and time of the FW shall be the same as those of the eLog.
  
  If the time zone or time of the FW is different from that of the eLog collector, log query results will be affected. You are advised to use NTP to make the FW and eLog as the clients to synchronize time from the clock source. If NTP is not deployed on the network, you can manually adjust the time on the FW to ensure time consistency between the FW and eLog.
- Specify the method of managing the log source (that is, the FW) on the eLog.
  
  Currently, the eLog supports two FW management methods: manual adding and automatic discovery. You are advised to manually add the FW because this method is simple and you do not need to perform extra configuration on the FW. When there are a large number of FW, you can use the other method, automatic discovery. If this method is used, you need to set SNMP parameters on the FW.
Configure the FW.
1. Check whether the time zone and time of the FW are the same as those of the eLog collector. In the case of inconsistency, run the following commands to adjust the time zone or time of the FW.
  
  # Adjust the time zone of theFW to keep consistency with that of the eLog collector. Assume that the eLog collector is in the Beijing time zone. The time of the collector is 8 hours earlier than Universal Time Coordinated (UTC). Use the add 08:00:00 parameter. If the eLog collector is in a time zone where the time is later than UTC, use the minus parameter.
```
<FW> clock timezone BJ add 08:00:00
```
  # Adjust the time of the FW to keep consistency with that of the eLog collector. Assume that the current time of the eLog collector is 00:00:00 on December 1, 2018.
```
<FW> clock datetime 0:0:0 2018/12/01
```
  After the preceding configuration, run the display clock command to view configuration results.
```
<FW> display clock
2018-12-01 00:00:06
Tuesday
Time Zone(Default Zone Name) : UTC
Daylight saving time :
         Name        : utc
         Repeat mode : repeat
         Start year  : 2011
         End year    : 2018
         Start time  : 01-01 12:11:00
         End time    : 12-04 01:00:00
         Saving time : 01:00:00
```
2. If the eLog manages FW through automatic discovery, SNMP parameters must be configured on the FW. However, if the eLog manages FW through manual adding, skip this step.
  
  # Configure SNMP parameters on FW, so that they can be automatically discovered by the eLog. As SNMPv3 is securer than SNMPv1 or SNMPv2c, you are advised to use SNMPv3. At the same time, you are advised to use SHA2-256 as the authentication protocol and AES128 as the encryption protocol.
```
<FW> system-view 
[FW] snmp-agent sys-info version v3 
[FW] snmp-agent group v3 group privacy 
[FW] snmp-agent usm-user v3 admin group group
[FW] snmp-agent usm-user v3 admin authentication-mode sha2-256
Please configure the authentication password (8-64) 
Enter Password:                                                                  
Confirm Password:
[FW] snmp-agent usm-user v3 admin privacy-mode aes128 
Please configure the authentication password (8-64) 
Enter Password:                                                                  
Confirm Password:
```
3. Complete the basic configuration such as the configuration of the IP address and security zone of the interface.
  
  # Configure the IP address of the interface and assign the interface to the security zone. Here the interface connecting the firewall to the eLog is taken as an example. If the firewall and eLog belong to different networks, configure a route on the firewall to the eLog.
```
[FW] interface GigabitEthernet 0/0/1 
[FW-GigabitEthernet 0/0/1] ip address 172.16.81.1 16 
[FW-GigabitEthernet 0/0/1] quit 
[FW] firewall zone dmz 
[FW-zone-dmz] add interface GigabitEthernet 0/0/1 
[FW-zone-dmz] quit
```
  If the eLog manages firewalls through automatic discovery, you need to run the service-manage SNMP permit command to enable the access permission on SNMP after running the ip address 172.16.81.1 16 command; if the eLog manages firewalls through manual adding, you do not need to run the command.
4. Configure security policies.
  
  # Configure the security policy for service traffic.
```
[FW] security-policy 
[FW-policy-security] rule name policy1 
[FW-policy-security-rule-policy1] source-zone trust 
[FW-policy-security-rule-policy1] destination-zone untrust 
[FW-policy-security-rule-policy1] source-address 192.168.0.0 24 
[FW-policy-security-rule-policy1] action permit 
[FW-policy-security-rule-policy1] quit
```
5. Configure the log host.
  # Set the IP address of the log host to 172.16.110.168 and port to 9002. (the eLog adopts the dataflow mode to collect logs.)
```
[FW] firewall log host 1 172.16.110.168 9002
```
6. Configure the source address and source port to be used by the firewall for sending service logs.
```
[FW] firewall log source 172.16.81.1 6666
```
7. Configure the function of sending dataflow logs.
```
[FW] dataflow enable
```
8. Configure the function of sending intrusion prevention logs.
```
[FW] dataflow type ips enable
```
9. Configure the intrusion prevention function. The CLI configuration is used as an example. In practice, the configuration on the web UI is recommended. Ensure that the IPS signature database is successfully loaded, and you are advised to update the IPS signature database to the latest version.
  
  # Reference the intrusion prevention profile into the security policy for service traffic. The default profile is used here. You can select another profile according to the actual conditions.
```
[FW] security-policy
[FW-policy-security] rule name policy1
[FW-policy-security-rule-policy1] profile ips default
[FW-policy-security-rule-policy1] quit
[FW-policy-security] quit
```
10. Enable the logging function of the intrusion prevention module.
  
  # Enable the logging function of the intrusion prevention module. This step is optional. The logging function of the intrusion prevention module is enabled by default. If this function is disabled, run the following command to enable it.
```
[FW] engine log ips enable
```
Configure the eLog.
Assume that the eLog has been successfully installed; the collector works normally; and the disk space has been planned. Operations for managing log sources and viewing log reports on the eLog are as follows.

For details about how to install and use the eLog, see the product documentation of the corresponding version in Technical Support > Product Support > Documentation > Security > eLog.
1. Log in to the eLog using an administrator account.
2. Choose System > System Management > Log Source List.
3. Select the log source management method, manual adding or automatic discovery. Manual adding is recommended.
  - Manage log sources by manually adding them:
    1. Click and set the following parameters.
    2. Click OK. A message is displayed, indicating the configuration success.
    3. Click OK.
  - Manage log sources by automatically discovering them:
    1. Click and set the following parameters. The authentication and authorization protocol and password as well as the data encryption protocol and password must be consistent with the configuration on the FW.
      
      If there are many log sources on the network and these log sources are configured with the same SNMP parameters, you can create an SNMP parameter template on the eLog in advance, set the automatic discovery mode, and reference the SNMP parameter template to reduce the configuration workload.
    2. Click Start Discovery.
    3. After discovery is complete, the discovery result shows information about discovered log sources. In the Discovery Result dialog box, click Close.
4. Choose System > System Management > Service Management.
5. Click next to the collector. Then click in the Operation column of the collector.
  The collector configuration window is displayed.
6. Click .
7. Select log sources to be associated, as shown in the following figure:
8. Click Next. Configure the log collection mode.
  Configure the log collection mode on the eLog, select DATAFLOW, and set the port number to 9903. If the FW supports the UTM feature, select Enable the UTM feature.
  
  Take the USG6000E as an example. The configuration is shown in the following figure.
9. Click Finish.

Checking Log Information

After the preceding configurations are completed, if a user of an internal network accesses a malicious web server on an external network, the FW performs prevention and sends the log to the eLog. Then the intrusion prevention log can be queried on the eLog.

Choose Network Security Analysis > IPS.
Click the Statistical Analysis tab, set a reasonable query time range, and click Search.
The query results are as shown in the following figure. The log information given here is only an example. Log information in different network environments should conform to the actual conditions.
You can also click the Log Details tab to view detailed policy matching logs.

The query results are as shown in the following figure. The log information given here is only an example. Log information in different network environments should conform to the actual conditions.

Configuration Script

This example provides only the configuration scripts of the part where the FW interworks with the eLog.

#                                                                               
 sysname FW                                                                   
#                                                                               
 dataflow enable
 dataflow type ips enable                                                      
#                                                                               
 firewall log host 1 172.16.110.168 9002                                        
 firewall log source 172.16.81.1 6666                      
#
 engine log ips enable
#
interface GigabitEthernet 0/0/1                                                  
 ip address 172.16.81.1 255.255.0.0
#                                                                               
firewall zone dmz                                                               
 set priority 50                                                                
 add interface GigabitEthernet 0/0/1
#                                                                               
 snmp-agent                                                                     
 snmp-agent sys-info version v3                                                 
 snmp-agent group v3 group privacy                                              
 snmp-agent usm-user v3 admin group group
 snmp-agent usm-user v3 admin authentication-mode sha2-256 cipher %^%#ZgL-L2HsZ<5P]s+:6d)LcBG5)~mdl=te 
 snmp-agent usm-user v3 admin privacy-mode aes128 cipher %^%#i!rs46cpF"_)d#.cJ,'1>wE_>wE
#                                                                               
security-policy                                                                 
 rule name policy1                                                              
  source-zone trust                                                             
  destination-zone untrust                                                      
  source-address 192.168.0.0 mask 255.255.255.0
  profile ips default
  action permit                                                                 
#
return