firewall.stonegate
Introduction
The tags beginning with firewall.stonegate identify log events generated by the Stonesoft "StoneGate" Firewall (later Forcepoint NGFW).
Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.
Tag structure
The full tag must have at least three levels. The first two are fixed as firewall.stonegate.
Product / Service | Tags | Data tables |
---|---|---|
StoneGate Firewall | firewall.stonegate.ips | firewall.stonegate.ips |
 | firewall.stonegate.leef | firewall.stonegate.leef |
 | firewall.stonegate.xml | firewall.stonegate.xml |
For more information, read more about Devo tags.
Devo Relay rule
You will need to define a relay rule that applies the firewall.stonegate.leef tag to all events that are received on the port of your choosing. We'll use port 13004 in the example.
Source port → 13004
Target tag → firewall.stonegate.leef
Check the Sent without syslog tag checkbox.
Stonesoft (StoneGate) Configuration
Stonesoft is capable of exporting logs in XML, CSV, CEF, LEEF, NetFlow and IPFIX formats. For instructions on configuring a remote syslog server (in this case, the Devo Relay), see the vendor documentation.
Specify the log export format as LEEF and enter the IP address and port of your Devo Relay.
Table structure
These are the fields displayed in these tables:
firewall.stonegate.ips
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | vmachine | |
severity | | | |
compid | | | |
src_port | | | |
dst_port | | | |
src_host | | | |
dst_host | | | |
event_id | | | |
excerpt | | | |
excerpt_pos | | | |
http_method | | | |
http_uri | | | |
http_response_code | | | |
http_request_host | | | |
if_logical | | | |
if_physical | | | |
src_ip | | | |
dst_ip | | | |
attacker_ip | | | |
target_ip | | | |
ip_version | | | |
event_count | | | |
vuln_refs | | | |
icmp_type | | | |
icmp_code | | | |
logid | | | |
nodeid | | | |
node_conf | | | |
node_dyn_up | | | |
node_version | | | |
src_mac | | | |
dst_mac | | | |
onelan | | | |
port_src | | | |
port_dest | | | |
protocol | | | |
receptiontime | | | |
recordid | | | |
ruleid | | | |
sender_moduleid | | | |
sender_type | | | |
service | | | |
situation | | | |
info_msg | | | |
tcp_handshake | | | |
tcp_option_kind | | | |
timestamp | | | |
action | | | |
facility | | | |
srv_helperid | | | |
ethtype | | | |
unknown | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | rawSource | ✓ |
firewall.stonegate.leef
Field | Type | Field transformation | Source field name | Extra fields |
---|---|---|---|---|
eventdate | | | | |
machine | | | vmachine | |
devTime | | | | |
eventID | | | | |
action | | | | |
proto | | | | |
protoStr | | (proto = 6) ? "TCP" : (proto = 17) ? "UDP" : (proto = 1) ? "ICMP" : null("") | proto | |
srcIp | | | | |
srcPort | | | | |
dstIp | | | | |
dstPort | | | | |
username | | | | |
msg | | | | |
sender | | | | |
severity | | | | |
vulnRef | | | | |
origSituation | | | | |
srcPostNAT | | | | |
srcPostNATPort | | | | |
dstPostNAT | | | | |
dstPostNATPort | | | | |
version | | | | |
unknown | | | | |
hostchain | | | | ✓ |
tag | | | | ✓ |
rawMessage | | | rawSource | ✓ |
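To see how a LEEF event received on the relay port ends up in the columns above, including the protoStr derivation from the table's transformation, here is an added example parser in Python. It is not Devo's or Forcepoint's code; the sample event is constructed and reuses the table's column names as attribute keys, and the function names (parse_leef, proto_str) are assumptions.

```python
import re
from typing import Optional

# Constructed sample: one LEEF 1.0 event as the relay receives it when the
# "Sent without syslog tag" option is set (no syslog header in front of it).
# Attribute keys reuse the firewall.stonegate.leef column names; real events
# carry the vendor's own keys and values.
SAMPLE_EVENT = (
    "LEEF:1.0|Forcepoint|NGFW|6.5|Connection_Allowed|"
    "devTime=Mar 02 2021 10:15:42\taction=Allow\tproto=6\t"
    "srcIp=10.0.0.5\tsrcPort=51234\tdstIp=192.0.2.10\tdstPort=443\t"
    "username=alice\tseverity=1\tmsg=Allowed by rule 42"
)

PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}


def proto_str(proto: Optional[str]) -> Optional[str]:
    """Same mapping as the table's protoStr transformation:
    (proto = 6) ? "TCP" : (proto = 17) ? "UDP" : (proto = 1) ? "ICMP" : null("")."""
    try:
        return PROTO_NAMES.get(int(proto))
    except (TypeError, ValueError):
        return None  # absent or non-numeric proto ends up null, like null("")


def parse_leef(line: str) -> dict:
    """Split a LEEF 1.0/2.0 line into header fields plus key=value attributes.
    LEEF 2.0 may carry a delimiter field after EventID (a literal character or
    hex such as x09); LEEF 1.0 attributes are always tab-separated."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF event")
    parts = line.split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    version = parts[0].split(":", 1)[1]
    event = {"leefVersion": version, "vendor": parts[1], "product": parts[2],
             "version": parts[3], "eventID": parts[4]}
    attrs, delim = parts[5], "\t"
    if version.startswith("2"):
        spec, _, attrs = attrs.partition("|")
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", spec):
            delim = chr(int(spec[1:], 16))
        elif spec:
            delim = spec
    for pair in attrs.split(delim):
        key, sep, value = pair.partition("=")
        if sep:
            event[key.strip()] = value
    event["protoStr"] = proto_str(event.get("proto"))
    return event
```

Running parse_leef(SAMPLE_EVENT) yields protoStr "TCP" for proto 6; a proto the transformation does not name (for example 47) yields None, matching the null("") branch.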
firewall.stonegate.xml
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | vmachine | |
event_timestamp | | | |
logid | | | |
nodeid | | | |
event_facility | | | |
type | | | |
event | | | |
action | | | |
src | | | |
dst | | | |
service | | | |
protocol | | | |
protoStr | | protocol | |
src_port | | | |
dst_port | | | |
rule_id | | | |
flag | | | |
src_if | | | |
compid | | | |
infomsg | | | |
receptiontime | | | |
sender_type | | | |
situation | | | |
event_id | | | |
srv_helper_id | | | |
alert | | | |
alert_severity | | | |
unknown | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | rawSource | ✓ |