
The Category Filters are selected in the toolbar of the Management Client. You can select any combination of Categories. For example, you could apply a Category for a particular geographic location and a Category for critical servers at the same time to view only elements related to the critical servers at one site. Once activated, the Category filtering is applied in all views.


Examples of Categories

The examples in this section illustrate some common uses for Categories in StoneGate and the general steps for configuring each scenario.

Creating Separate Categories for a Firewall and an IPS Configuration

Company A is a large enterprise planning a new system. The system will include several firewall and IPS engines. Each firewall and IPS engine has its own policy. At any one time, the company’s administrators only need to manage either the firewall engines and their policies or the IPS engines and their policies. To restrict which engines and policies are displayed, the following steps are taken:

1. The headquarters administrator creates two categories: one for the elements that belong to the firewall configuration and another for the elements that belong to the IPS configuration.

2. The headquarters administrator creates the elements that represent the firewalls, firewall policies, IPS engines, and IPS policies and selects the appropriate Category for each element while defining its properties.

3. The administrators select the appropriate Category as the Category Filter so that only the elements in the firewall or IPS configuration are displayed.

Combining Categories

Company B has sites in New York, Toronto, and Mexico City. The company’s administrators have defined separate Categories for the elements that belong to each site as the administrators usually work with the elements of only one site at a time. Today, however, Administrator A needs to apply the same configuration changes to the New York and Toronto sites. Administrator A does not want to create a new Category for this temporary need. To be able to filter the elements belonging to both the New York and Toronto sites into view, Administrator A does the following:

1. Selects the New York and Toronto Categories in the Category Filter Toolbar.

2. Applies the filter so that the elements at both the New York and Toronto sites are displayed, and elements in the Mexico City Category are filtered out.

3. Makes the configuration changes on the two sites.

4. Deactivates the Category Filter to display all elements again.


Logs, Alerts, and Reports

In this section:

Filters (page 73)

Log Management (page 81)

Alert Escalation (page 89)

Reports (page 99)

Incident Cases (page 109)


Chapter 10

Filters

Filters are descriptions of log fields and their values combined together with operations for the purpose of sorting log data. Filters can be used, for example, to select which logs are displayed in the Logs view or which logs will be archived or exported.

The following sections are included:

Overview to Filters (page 74)

Configuration of Filters (page 74)

Examples of Filters (page 80)


Overview to Filters

Network traffic can generate a large amount of log data. Filters serve as a tool for selecting the desired data from among all the log data. The Filters allow you to pinpoint any value or combination of values that you want to find or exclude; any field that appears in the data can be used for filtering.

You can use Filters for selecting data in the following tasks:

• Browsing logs, alerts, audit data, blacklists, and currently open connections.

• Pruning log data.

• Archiving, exporting, and deleting logged data.

• Creating reports.

• Restricting which logs administrators are allowed to view and selecting different highlight colors for the displayed entries.

Configuration of Filters

Filters can be constructed and saved as elements in the system, which is required for most of the tasks listed in the overview above. When browsing data, filtering criteria can alternatively be added and removed flexibly without explicitly creating an element.

Regardless of the way a Filter is created, it always consists of one or more log fields, a value for each field, and operations which describe how the fields are combined together. Each Filter is matched to the log data field by field. If the value in the entry is identical with the value for the same field in the Filter, the field matches. If the value is different, the field does not match.

Then, the fields are examined together based on the selected operations that combine the fields together as a Filter.

Illustration 10.1 Matching Events with a Filter

Illustration 10.1 shows a Filter with several fields and operations. This Filter matches if the destination IP address is in the 192.168.11.0/24 network AND the destination port is 80 OR if the destination IP address is in the 192.168.12.0/24 network AND the destination port is 80.

A data entry of a connection to host 192.168.11.10 on port 80 matches the first AND operation in the example filter. The same connection does not match the second AND operation in the Filter. Since the two AND operations are combined with OR, the Filter as a whole is considered a match and the data is selected for the task that is being carried out.

Since there are different types of data entries, not every entry contains a value for every field that a Filter uses. For example, an Alert entry warning you that the monitoring connection from a firewall engine has been lost does not contain any source or destination IP address information, since the entry is not related to traffic processing. If you apply the example filter in the log browser, the Alert is filtered out of the view by default, but you can adjust this behavior in Filters you create. The missing values that cannot be verified as matching or non-matching are called undefined values in the configuration.
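The matching rules described above (field-by-field comparison, AND and OR operations combining the fields, and undefined results for fields an entry lacks) as a small matcher added here for illustration. This is not StoneGate code; the log entries, field names and the `undefined_matches` switch are constructed assumptions that model the behaviour the text describes.

```python
import ipaddress
# Constructed sample entries (not from the guide). The Alert entry carries no
# traffic fields, so "Dst Addr" and "Dst Port" are undefined for the Filter.
LOG_ENTRIES = [
    {"Type": "Connection", "Dst Addr": "192.168.11.10", "Dst Port": 80},
    {"Type": "Connection", "Dst Addr": "192.168.12.25", "Dst Port": 443},
    {"Type": "Connection", "Dst Addr": "192.168.12.7", "Dst Port": 80},
    {"Type": "Alert", "Situation": "Monitoring connection to engine lost"},
]

# Each matcher returns True (match), False (no match) or None (undefined: the
# entry has no value for the field, so it cannot be verified either way).
def field(name, value):
    # An IP network value matches any address inside it; anything else is an exact match.
    def match(entry):
        if name not in entry:
            return None
        if isinstance(value, ipaddress.IPv4Network):
            return ipaddress.ip_address(entry[name]) in value
        return entry[name] == value
    return match

def all_of(*parts):
    # AND operation: one non-matching field decides; otherwise undefined propagates.
    def match(entry):
        results = [part(entry) for part in parts]
        if False in results:
            return False
        return None if None in results else True
    return match

def any_of(*parts):
    # OR operation: one matching field decides; otherwise undefined propagates.
    def match(entry):
        results = [part(entry) for part in parts]
        if True in results:
            return True
        return None if None in results else False
    return match

def apply_filter(flt, entries, undefined_matches=False):
    # Undefined results are dropped by default (as in the log browser) unless undefined_matches=True.
    verdicts = ((entry, flt(entry)) for entry in entries)
    return [entry for entry, v in verdicts if (undefined_matches if v is None else v)]

# The Filter of Illustration 10.1: (11.0/24 AND port 80) OR (12.0/24 AND port 80).
EXAMPLE_FILTER = any_of(
    all_of(field("Dst Addr", ipaddress.ip_network("192.168.11.0/24")), field("Dst Port", 80)),
    all_of(field("Dst Addr", ipaddress.ip_network("192.168.12.0/24")), field("Dst Port", 80)),
)
```

With the default setting the Alert entry is left out because its verdict is undefined rather than a non-match; passing `undefined_matches=True` keeps it, which is the adjustment the text refers to.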

Default Elements

There are many predefined filters in the system that you can use for various tasks. You cannot modify the predefined Filters. Filter elements can be imported and updated when you activate new dynamic update packages, so the selection and names of predefined filters may change.

The default filters have the type System or Correlation (for filters used in default IPS Analyzer configurations).

Configuration Workflow

The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Management Client’s Online Help and the Administrator’s Guide PDF.

Related documents