Analyse a Sophos UTM firewall rule

Hello,

I am trying to analyze the data that goes through a specific firewall rule (Sophos firewall) in order to ensure better security. To this end, I made several Aggregation panels in a Dashboard to monitor and analyze these data daily. The problem that blocks me is that I am using the “fw_rule” field (from Sophos UTM Extractors) to identify the rule that I want to monitor, but when another rule is created above it, its number is increased by one. When that is the case, my Aggregation panels then collect data from the wrong rule.
The same thing happens when a rule is deleted: the position number of the monitored rule is decreased, and from this point on, it is not monitored anymore.

I would like to find a solution to identify and monitor this firewall rule in a unique way, no matter what its position number is.
Has anyone encountered a similar issue?

I am using Graylog v4.0.9 and Sophos UTM 9.

Thanks.

Hello,

Is it possible to show a screenshot of this issue?

I’m assuming you’re talking about a Stream Rule/s?

Hello gsmith,

Here is a screenshot of my aggregation panel:

In fact, there is no visible issue on the screen, as Graylog does not make the difference between stream rules. It just collects packets and extracts their firewall rule to display it in the panel. Therefore, I do not have the assurance of monitoring the right stream rule.

Can we get a visual on your stream rules?
I think you may be mistaking stream rule/s for message fields. In the screenshot there are no stream rules visible. You have two fields that I see, which are fw_fwrule and timestamp.

I would need to see what you are seeing to help you further, perhaps I could offer a suggestion on a widget or configuration.

  • What type of INPUT are you using?
  • What fields are available in the messages received?

NOTE: A simple way you can ensure that these are the right messages from your (Sophos firewall) is to create a new INPUT.

Then use that input to create your widgets on the dashboard.

Here is an example; the red box in the screenshot is my INPUT for specific devices.

Here is the widget for just those devices coming in on that INPUT. From there you can filter even more data. I think doing it this way will solve your problem/s now and in the future.

Hope that helps

Hi gsmith,

Just came back from vacation.

Here is a restricted visual of the stream rules that I am monitoring:

These are firewall rules.

I only have a single INPUT, a raw/plaintext UDP one.
This INPUT receives log files from the firewall and extracts data from these into fields thanks to the extractor package that I installed.
This package allows me to use tons of fields related to the log file data:

  • full_message
  • fw_action
  • fw_dstip
  • fw_dstmac
  • fw_dstport
  • fw_event
  • fw_function
  • fw_fwrule
  • fw_id
  • fw_initf
  • fw_length
  • fw_line
  • fw_method
  • fw_name
  • fw_outitf
  • fw_prec
  • fw_proto
  • fw_reason
  • fw_severity
  • fw_srcip
  • fw_srcmac
  • fw_srcport
  • fw_sub
  • fw_sys
  • fw_tcpflags
  • fw_tos
  • fw_ttl
  • fw_url
  • fw_user
  • fw_username
  • fw_variant
  • fw_virtual_ip
  • gl2_processing_timestamp
  • gl2_receive_timestamp

But none of these filters allows me to focus my widgets on a specific rule, as the value of the fw_fwrule field changes almost every week.

(As a new member of Graylog Community, I am limited to 1 screenshot per post).

Hello @alapeyre

Ok, I’m not quite getting what you want, but I did get more information about your environment. I need to ask a couple of questions to get a better understanding of what’s going wrong or what you want to do.

Let’s sum it up and see if I’m correct :slight_smile:

  1. You have all the fields created through some package you installed?
  2. You can see these fields in the messages received?
  3. The fields that were created by some package you installed don’t work on your widgets?
  4. I think you want to create a widget for the field fw_fwrule?
  5. The value/data of the field fw_fwrule changes every week?

Could you explain the statement above? Are you saying that you cannot make a widget from those fields?
When you stated “specific rule”, are you referring to Stream rules?

There are different kinds of rule/s in Graylog, especially Streams, but if we’re focusing on Widgets, could you show a screenshot of what rule/s you are referring to? Or are you referring to fields in that statement?
A screenshot would work really well for explaining what you want or are trying to do. The screenshot above doesn’t really tell me much, only that that configuration works for that aggregation widget.

If the field fw_fwrule is always present in the log message and the data changes weekly, that seems normal. Since the Timestamp field data changes every second.

And last, can you explain this statement below, I’m not sure what you mean.

Perhaps show an example of what you’re trying to do. I saw your statement that you’re limited on screenshots.

Maybe try these steps and show what happens, focusing on the FIELD fw_fwrule.
BTW this is version 4.2, BUT you can adapt it to your version.

Navigate to the upper left corner of the Web UI and click on “Search”.
On the left pane click on the “+” sign, then click on the Aggregation button shown below.

image

Now you should see this.

image

Click on the edit button. There should be “+” signs shown. Click on those to see all your options.

Go to Group By section and click the down arrow, there should be all your fields that were created.

There you should be able to choose the field fw_fwrule.

Here is my example hope that helps.

Hello,

Yes, the exact name of this package is “Graylog Sophos UTM 9 Extractors”, found on the Graylog marketplace.

Yes, every received message includes fields that belong to the list I sent you.

Hum yes they are working, this is not the point of my problem ^^

Yes, I already created several widgets based on the field fw_fwrule, as shown below:

For example, this widget counts the number of messages tagged with the fw_fwrule field value to 433, and displays it chronologically (thanks to the timestamp).

This value does not change in Graylog, that’s the point. In fact, this value represents the position of the firewall rule in the firewall. It changes when someone adds or deletes a rule, for example, the firewall rule is currently in position 433 (this number is the value of the field fw_fwrule). Someone adds a rule above the number 433, the new number of my rule is now 444. But at the same time, in Graylog, my widget is still collecting logs from rule 433, which is now a completely different rule.

Does this explanation help you to understand the issue?

Oh no sorry, I did not explain well. By specific rule I meant the one firewall rule (declared on my company’s Sophos equipment) that I want to monitor (by collecting the affiliated logfiles).

@alapeyre - Looks to me like you might have to tag against a different marker than fw_rule (number) to get things to work since that field can be variable if another rule is inserted or moved above. I would look at changing your monitoring/dashboards to look at fw_name instead - that would usually be unique yet stay with the particular rule. For display you could still show the fw_rule number in most cases.

Hello tmacgbay,

In my case, the fw_name field isn’t very useful, as it shows me how packets are treated:

image

Among all the available markers, I did not find a way to always stay monitoring the same exact firewall rule :confused:

On paper, the marker fw_id is supposed to contain a value that’s unique for each firewall rule. But in fact, it is not the case.

Argh - I wanted that to be the unique RULE name rather than action taken. I think there are some other items in there that could be examined/compared - fw_id, fw_initf, fw_line… Did you create the extractors yourself… meaning if you picked up someone else’s package, maybe they mislabeled something? Can you give a raw (changed data) message example and perhaps a broken out Graylog fields (with changed data) result? … be sure to use the forum tools like </> for logging text to make it readable. :slight_smile:


Nope, I didn’t make the extractors myself, I used a package found on the Graylog Marketplace:

Graylog Sophos UTM 9 Extractors

In fact, I think the extractors are just using the same fields that Sophos uses for its raw log files, but they made them readable for Graylog:

image

Here is a Graylog message:

<30>2021:11:18-16:31:24 […] ulogd[6495]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62040" initf="lag0.1001" srcmac="…" dstmac="…" srcip="…" dstip="…" proto="6" length="52" tos="0x02" prec="0x00" ttl="124" srcport="60382" dstport="443" tcpflags="SYN"

I masked sensitive information in both messages. You can see that the markers used are identical.

I think we are out of luck unless you can change something on the Sophos side.

I did find myself thinking about watching logs for a rule add/delete/change but then you have to store the change - which would require enterprise license… pull some math to see if it incremented/decremented your rule number… bleh… too complicated!

Alternatively you could create a widget that lists rule numbers (etc.) so you can pick out the correct one and then parameterize it to your dashboard. As long as YOU know the right rule number, you can plug it in…

Hello,

After looking at your logs I was thinking you could filter on the device name, but I don’t see that in the logs.

For example here is my firewall log I received.

<189>date=2021-11-18 time=16:49:10 devname="MYFIREWALL" devid="FGT60D4613454545454" 
logid="0001000014" type="traffic" subtype="local" level="notice" vd="MY-Lab" eventtime=1637275750 
srcip=192.168.1.12 srcport=55968 srcintf="VLAN01" srcintfrole="lan" dstip=192.168.113 dstport=2222 
dstintf="MY-Lab" dstintfrole="undefined" sessionid=3677629587 proto=6 action="deny" policyid=0 
policytype="local-in-policy" service="MY-APP" dstcountry="United States" srccountry="Reserved" trandisp="noop" 
app="MY-APP" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=10 craction=262144 crlevel="medium"

I created two fields, devname AND policyid, using regular expressions.

Then I created a stream to collect all the logs from that specific device called MYFIREWALL that has any policy number, or I can use a specific policy number (i.e. firewall_rule).

From there I can create alerts/notifications/widgets as need be.

As @tmacgbay stated you might need to make changes in your environment.

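To make the two log formats in this thread concrete, here is an added example (not code from the thread or from the extractor package) that parses key="value" lines like alapeyre’s Sophos UTM ulogd message and gsmith’s FortiGate message, mimics a widget filter on a device/rule field, and simulates how a positional fwrule number drifts when rules are inserted or deleted above it. The sample lines are constructed with placeholder addresses; the function names and the drift model are assumptions of this example.

```python
import re

# Constructed sample lines (sensitive values replaced) modelled on the two
# messages quoted in this thread; the field names are the vendors' own.
SOPHOS_LINE = (
    '<30>2021:11:18-16:31:24 utm ulogd[6495]: id="2000" severity="info" '
    'sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" '
    'fwrule="62040" initf="lag0.1001" srcip="10.0.0.5" dstip="10.0.1.9" '
    'proto="6" srcport="60382" dstport="443" tcpflags="SYN"')
FORTI_LINE = (
    '<189>date=2021-11-18 time=16:49:10 devname="MYFIREWALL" devid="FGT-EXAMPLE" '
    'type="traffic" srcip=192.168.1.12 srcport=55968 dstip=192.168.1.13 '
    'dstport=2222 proto=6 action="deny" policyid=0 policytype="local-in-policy"')

# key="value" (straight or the curly quotes a forum paste produces) or key=bare
KV_RE = re.compile(r'(\w+)=(?:["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]|(\S+))')


def parse_kv(line):
    """Split a syslog line into its key/value fields, as the extractors do."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def widget_matches(fields, rule_field, rule_value, device_field=None, device=None):
    """Mimic an aggregation widget filter such as fw_fwrule:62040, optionally
    restricted to one device (as gsmith's devname + policyid stream does)."""
    if device_field is not None and fields.get(device_field) != device:
        return False
    return fields.get(rule_field) == rule_value


def position_after_changes(position, changes):
    """Where the rule at `position` ends up after ("insert", at) / ("delete", at)
    edits elsewhere in the rule table: the drift that makes fw_fwrule unreliable."""
    for kind, at in changes:
        if kind == "insert" and at <= position:
            position += 1          # a rule added above pushes ours down one slot
        elif kind == "delete" and at < position:
            position -= 1          # a rule removed above pulls ours up one slot
    return position


if __name__ == "__main__":
    sophos = parse_kv(SOPHOS_LINE)
    print(sophos["sys"], sophos["fwrule"], widget_matches(sophos, "fwrule", "62040"))
    print("rule 433 after one insert above:", position_after_changes(433, [("insert", 100)]))
```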

Hello,

Indeed, I think there is no solution on the Graylog side, as the log files that I receive do not mention which firewall rule they come from. I will just continue to manually modify that rule number.

Thanks to both of you for your replies, have a good week!
