firewall.stonegate

[ 1 Introduction ] [ 2 Tag structure ] [ 3 Devo Relay rule ] [ 4 Stonesoft (StoneGate) Configuration ] [ 5 Table structure ]

Introduction

The tags beginning with firewall.stonegate identify log events generated by the Stonesoft "StoneGate" Firewall (later Forcepoint NGFW).

Since there is no facility for applying the Devo tag in the source system, the events should be forwarded to a Devo Relay to be identified, tagged, and forwarded securely to the Devo Cloud.

Tag structure

The full tag must have at least three levels. The first two are fixed as firewall.stonegate.

Product / Service	Tags	Data tables

Product / Service

Tags

Data tables

StoneGate Firewall

firewall.stonegate.ips

firewall.stonegate.leef

firewall.stonegate.xml

For more information, read more about Devo tags.

Devo Relay rule

You will need to define a relay rule that applies the firewall.stonegate.leef tag to all events that are received on the port of your choosing. We'll use port 13004 in the example.

Source port → 13004
Target tag → firewall.stonegate.leef
Check the Sent without syslog tag checkbox

Stonesoft (StoneGate) Configuration

Stonesoft is capable of exporting logs in xml, csv, cef, leef, netflow and ipfix formats. For instructions for configuring a remote syslog server (in this case, the Devo Relay), see the vendor documentation.

Specify the log export format as LEEF and enter the IP address and port of your Devo Relay.

Table structure

These are the fields displayed in these tables:

firewall.stonegate.ips
firewall.stonegate.leef
firewall.stonegate.xml

firewall.stonegate.ips

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`	vmachine
severity	`str`
compid	`str`
src_port	`int4`
dst_port	`int4`
src_host	`ip4`
dst_host	`ip4`
event_id	`str`
excerpt	`str`
excerpt_pos	`int4`
http_method	`str`
http_uri	`str`
http_response_code	`int4`
http_request_host	`str`
if_logical	`str`
if_physical	`int4`
src_ip	`ip4`
dst_ip	`ip4`
attacker_ip	`ip4`
target_ip	`ip4`
ip_version	`int4`
event_count	`int4`
vuln_refs	`str`
icmp_type	`int4`
icmp_code	`int4`
logid	`str`
nodeid	`ip4`
node_conf	`str`
node_dyn_up	`int8`
node_version	`str`
src_mac	`str`
dst_mac	`str`
onelan	`str`
port_src	`int4`
port_dest	`int4`
protocol	`int4`
receptiontime	`timestamp`
recordid	`str`
ruleid	`str`
sender_moduleid	`str`
sender_type	`str`
service	`str`
situation	`str`
info_msg	`str`
tcp_handshake	`bool`
tcp_option_kind	`int4`
timestamp	`timestamp`
action	`str`
facility	`str`
srv_helperid	`str`
ethtype	`int4`
unknown	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`	rawSource	✓

firewall.stonegate.leef

Field	Type	Field transformation	Source field name	Extra fields

Field	Type	Field transformation	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`		vmachine
devTime	`str`
eventID	`str`
action	`str`
proto	`int4`
protoStr	`str`	`(proto = 6) ? "TCP" : (proto = 17) ? "UDP" : (proto = 1) ? "ICMP" : null("")`	proto
srcIp	`ip4`
srcPort	`int4`
dstIp	`ip4`
dstPort	`int4`
username	`str`
msg	`str`
sender	`str`
severity	`int4`
vulnRef	`str`
origSituation	`str`
srcPostNAT	`ip4`
srcPostNATPort	`int4`
dstPostNAT	`ip4`
dstPostNATPort	`int4`
version	`str`
unknown	`str`
hostchain	`str`			✓
tag	`str`			✓
rawMessage	`str`		rawSource	✓

firewall.stonegate.xml

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`	vmachine
event_timestamp	`timestamp`
logid	`int8`
nodeid	`ip4`
event_facility	`str`
type	`str`
event	`str`
action	`str`
src	`ip4`
dst	`ip4`
service	`str`
protocol	`int4`
protoStr	`str`	protocol
src_port	`int4`
dst_port	`int4`
rule_id	`str`
flag	`str`
src_if	`str`
compid	`str`
infomsg	`str`
receptiontime	`timestamp`
sender_type	`str`
situation	`str`
event_id	`str`
srv_helper_id	`str`
alert	`str`
alert_severity	`str`
unknown	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`	rawSource	✓