
Juniper Secure Access SSL VPN

Log Configuration Guide

Document Release: March 2012

Part Number: LL600049-00ELS01000000


© 2012 LogLogic, Inc.

Proprietary Information

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors.  In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.

Trademarks

LogLogic® and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.


Contents

Preface

About This Guide

Technical Support

Documentation Support

Conventions

Chapter 1 – Configuring LogLogic’s Juniper Secure Access SSL VPN Log Collection

Introduction to Juniper Secure Access SSL VPN

Prerequisites

Configuring Juniper Secure Access SSL VPN

Adding a Juniper Secure Access SSL VPN Device

Verifying the Configuration

Chapter 2 – How LogLogic Supports Juniper Secure Access SSL VPN

How LogLogic Captures Juniper Secure Access SSL VPN Data

LogLogic Real-Time Reports


Preface

About This Guide

The LogLogic® Appliance-based solution enables you to capture and manage log data from all types of sources in your enterprise. LogLogic support for Juniper Secure Access SSL VPN enables LogLogic Appliances to capture logs from machines running Juniper Secure Access SSL VPN. Once the logs are captured and parsed, you can generate reports and create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:

Telephone: Toll Free, US—1 800 957 LOGS (5647) Toll—1 408 834 7480

Telephone: Toll Free, Canada—1 800 957 LOGS (5647) Toll—1 408 834 7480

Telephone: Toll Free, Mexico—1 800 957 LOGS (5647) Toll—1 408 834 7480

Telephone: Toll Free, United Kingdom—00 800 0330 4444 Toll—01480 479391

Telephone: Toll Free, Mainland Europe—00 800 0330 4444 Toll— +44 1480 479391

Telephone: Toll Free, Japan IDC—0061 800 0330 4444 Toll— Not Available

Telephone: Toll Free, Japan KDD—0010 800 0330 4444 Toll— Not Available

Telephone: Toll Free, Brazil—0021 800 0330 4444 Toll— Not Available

Email: [email protected]

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.  When contacting Customer Support, be prepared to provide:

Your name, email address, phone number, and fax number

Your company name and company address

Your machine type and release version


Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.

In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example: 

LogLogic_home_directory\upgrade\


Chapter 1 – Configuring LogLogic’s Juniper Secure Access SSL VPN Log Collection

This chapter describes configuration steps that enable a LogLogic Appliance to capture Juniper Secure Access SSL VPN logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Juniper Secure Access SSL VPN-related log data.

Introduction to Juniper Secure Access SSL VPN

Prerequisites

Configuring Juniper Secure Access SSL VPN

Enabling the LogLogic Appliance to Capture Log Data

Verifying the Configuration

Introduction to Juniper Secure Access SSL VPN

The Juniper Networks Secure Access SSL VPN device is suitable for large enterprises and service providers. It features best-in-class performance, scalability and redundancy for organizations with high-volume secure access and authorization requirements.

The Juniper Secure Access SSL VPN hardware platforms are designed to scale to the largest enterprise deployments and to optimize application delivery, with redundant, hot-swappable hard disks and fans, optional second power supply, as well as multiple Ethernet ports for redundant or meshed configurations.

Figure 1 Juniper Networks Secure Access SSL VPN device

Prerequisites

Prior to configuring Juniper Secure Access SSL VPN and the LogLogic Appliance, ensure that you meet the following prerequisites:

Juniper Secure Access SSL VPN SA versions 5.5, 6.0 R3, 6.1 R1, 6.2, 6.5, 7.0 and 7.1

Proper access permissions to make configuration changes

LogLogic Appliance running Release 5.1 or later with a Log Source Package that includes Juniper Secure Access SSL VPN support


Configuring Juniper Secure Access SSL VPN

You must enable and configure Syslog on Juniper Secure Access SSL VPN prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Juniper Secure Access SSL VPN regarding configuration and syslog. For more information on these areas, see Juniper Secure Access SSL VPN Product Documentation.

Use options in the Settings tab to specify what the IVE writes to the log file, which syslog servers it uses to store the log files, and the maximum file size.

Note: You may also use the Archiving page to automatically save the logs to an FTP accessible location. For more information, see Archiving IVE Binary Configuration Files in the Juniper Networks Secure Access Administration Guide.

To log in to the Appliance server: Open Internet Explorer on your workstation and connect to the Appliance server by entering https://10.0.0.11 in the browser address line.

To specify events log settings:

1. In the admin console, choose System > Log/Monitoring.

Figure 2 Log Monitoring


Figure 3 User Access > Settings

3. In the Maximum Log Size field, specify the maximum file size for the local log file. (The limit is 500 MB.) The system log displays data up to the amount specified.

Note: Maximum Log Size is an internal setting that most closely corresponds with the size of logs formatted with the Standard format. If you choose to use a more verbose format such as WELF, your log files may exceed the limit that you specify here.

4. Under Select Events to Log, select the checkbox for each type of event that you want to capture in the local log file:

Login/Logout

SAM/Java

User Settings

Secure Terminal

Network Connect

File Requests


Figure 4 User Access > Settings > Select Events to Log

5. Under Syslog Servers, enter information about the syslog servers where you want to store your log files (optional):

a. Enter the name or IP address of the Syslog server.

b. Enter a facility for the server. The IVE provides 8 facilities (LOCAL0-LOCAL7) which you can map to facilities on your Syslog server.

c. (Central Manager only) Choose which filter you want to apply to the log file.

d. Click Add.

e. Repeat for multiple servers if desired, using different formats and filters for different servers and facilities.


Figure 5 User Access > Settings > Syslog Servers


Figure 6 User Access > Settings > Save Changes

Enabling the LogLogic Appliance to Capture Log Data

The following sections describe how to enable the LogLogic Appliance to capture the Juniper Secure Access SSL VPN device log data.

Adding a Juniper Secure Access SSL VPN Device

With the auto-identification feature, the LogLogic Appliance recognizes Juniper Secure Access SSL VPN log messages by default. As the log messages come into the Appliance, they are automatically identified and a new device type is added to the log source device list. Default values are used for certain properties, such as the device name.

If you do not want to utilize the auto-identification feature, you can manually add a Juniper Secure Access SSL VPN device to the LogLogic Appliance before you redirect the logs. To add Juniper Secure Access SSL VPN as a new device:

1. Log in to the LogLogic Appliance.


3. Click Add New.

The Add Device tab appears.

4. Type in the following information for the device:

Name—Name for the Juniper Secure Access SSL VPN device

Description (optional)—Description of the Juniper Secure Access SSL VPN device

Device Type—Select Juniper Secure Access SSL VPN from the drop-down menu

Host IP—IP address of the Juniper Secure Access SSL VPN appliance

Enable Data Collection—Select the Yes radio button

Refresh Device Name through DNS Lookups (optional)—Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.

Figure 7 LogLogic Appliance Add Devices Tab

5. Click Add.


Verifying the Configuration

This section describes how to verify that the configuration changes made to the Juniper Secure Access SSL VPN device and the LogLogic Appliance are applied correctly.

To verify the configuration:

1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.

3. Locate the IP address for each Juniper Secure Access SSL VPN device.

If the device name (Juniper Secure Access SSL VPN) appears in the list of devices (see Figure 8 on page 14), then the configuration is correct.

Figure 8 Verification of the Juniper Secure Access SSL VPN Configuration

If the device does not appear in the Log Source Status tab, check the Juniper Secure Access SSL VPN logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Juniper Secure Access SSL VPN configuration and the LogLogic Appliance configuration.


Chapter 2 – How LogLogic Supports Juniper Secure Access SSL VPN

This chapter describes LogLogic's support for Juniper Secure Access SSL VPN. LogLogic enables you to capture Juniper Secure Access SSL VPN log data to monitor events. LogLogic supports Juniper Secure Access SSL VPN device logs.

How LogLogic Captures Juniper Secure Access SSL VPN Data

LogLogic Real-Time Reports

How LogLogic Captures Juniper Secure Access SSL VPN Data

The Juniper Secure Access SSL VPN device supports various streamed event formats through Syslog (for example, Standard (Juniper's Standard Syslog format), WebTrends Extended Logging Format (WELF), W3C Extended Logging Format (HTTP), and so on).

Regardless of the Juniper Secure Access SSL VPN version, the LogLogic Appliance supports only Juniper Secure Access SSL VPN events in Standard format. The Juniper Secure Access SSL VPN device generates Syslog messages in Standard format; then messages are sent via UDP or TCP to the Syslog Listener on the LogLogic Appliance.

Figure 9 Juniper Secure Access SSL VPN with LogLogic Appliance as the Syslog Server

Once the data is captured and parsed, you can generate reports or create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Table 1 on page 18 lists the Juniper Secure Access SSL VPN Syslog messages that are supported by the LogLogic Appliance.
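
The Standard-format messages that Table 1 lists can be split into fields with a short parser, which is useful for checking what actually arrives at a collector. This is an added example, not LogLogic's parser or code from this guide: the field names (node, scope, roles), the failure keyword list and the function names are assumptions, and the sample lines are copied from Table 1 with line-wrap spaces removed, plus one constructed non-matching line.

```python
import re
from collections import Counter
from datetime import datetime

# Optional syslog PRI and "Juniper:" tag, then the Standard-format body.
# Group names are this example's own labels, not Juniper's or LogLogic's.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?:Juniper:\s*)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - "
    r"\[(?P<src_ip>[^\]]*)\]\s+"
    r"(?:(?P<scope>[^:\s]+)::)?(?P<user>[^(\s]*)\((?P<realm>[^)]*)\)"
    r"\[(?P<roles>[^\]]*)\] - (?P<msg>.*)$"
)

# Assumed keyword list for events worth alerting on; extend it for your site.
FAILURE_RE = re.compile(
    r"authentication failed|Login failed|policy '[^']*' failed|"
    r"[Pp]ermission denied|Access denied"
)


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity number)."""
    facility, severity = pri >> 3, pri & 0x7
    name = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, severity


def parse_line(line):
    """Return a dict of fields, or None if the line is not Standard format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The message carries no time zone, so the timestamp stays naive.
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["roles"] = [r.strip() for r in rec["roles"].split(",") if r.strip()]
    if rec["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(int(rec["pri"]))
    else:  # some Table 1 samples have no PRI prefix
        rec["facility"] = rec["severity"] = None
    rec["failure"] = bool(FAILURE_RE.search(rec["msg"]))
    return rec


def failures_by_source(lines):
    """Count failure events per bracketed source IP, skipping bad lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["failure"]:
            counts[rec["src_ip"]] += 1
    return counts


HDR = "<134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] "
WHO = "Root::jsmith(Intranet)[Employee] - "
SAMPLE = [
    HDR + WHO + "Login failed using auth server System Local "
                "(Local Authentication). Reason: ShortPasswd",
    HDR + WHO + "Host Checker policy 'Demo' failed on host 10.4.5.6 . "
                "Reason: 'found notepad.exe'.",
    HDR + WHO + "Request to connect to 10.60.0.9 port 22 permission denied",
    HDR + WHO + "Login succeeded for mstest2/mstest from 10.2.3.56.",
    "<134>Juniper: 2008-08-20 00:33:45 - connect2a - [192.16.0.1] "
    "Root::jsmith(Managed)[Common, Office] - NFS directory "
    "intranet.acme.com: /home/NFSshare 8 items listed.",
    "2011-01-25 15:17:00 - ive - [172.16.1.55] afo(Users)[Users] - "
    "Logout from 172.16.1.55 (session:00000000)",
    "not a Standard-format line",  # constructed, must be rejected
]

if __name__ == "__main__":
    for ip, n in failures_by_source(SAMPLE).most_common():
        print(ip, n)
```

The PRI value 134 in the samples decodes to facility local0 and severity 6, which is the value to compare against the facility chosen under Syslog Servers on the IVE.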

Note: The LogLogic Appliance captures all messages from the Juniper Secure Access SSL VPN logs, but includes only specific messages for report/alert generation. For more information, see,


LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Juniper Secure Access SSL VPN log data. The following Real-Time Reports are available:

User Access—Displays data access and changes done to data during a specified time interval

User Authentication—Displays identity and access related events during a specified time interval

User Last Activity—Displays user specific details; used to track user activity during a specified time interval

To access LMI 5 Real-Time Reports:

1. In the top navigation pane, click Reports.

2. Select Access Control.

The following Real-Time Reports are available:

User Access

User Authentication

User Last Activity


Appendix A – Event Reference

This appendix lists the LogLogic-supported Juniper Secure Access SSL VPN events. The LogLogic Juniper Secure Access SSL VPN event table identifies events which can be analyzed through the LogLogic Agile Reports, as well as a sample log message. All sample log messages were captured by the LogLogic file pull utility.

LogLogic Support for Juniper Secure Access SSL VPN Events

The following list describes the contents of each of the columns in the tables below.

Event ID—Not Applicable (N/A)

Agile Reports/Search – Defines if the Juniper Secure Access SSL VPN event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.

Operating System—Operating System (OS) where the event can be triggered. In some instances, duplicate Event IDs exist for different OSs.

Title/Comments—Not Applicable (N/A)

Event Category—Not Applicable (N/A)

Event Type—Type of event such as Cache Cleaner or File Rewrite

Reports Appears In—LogLogic-provided reports that the event appears in


Table 1 Juniper Secure Access SSL VPN Events

No. | Event ID | Agile Reports/Search | Title | Event Category | Event Type | Reports Appears In | Sample Log Message
1 | N/A | Agile | N/A | N/A | Cache Cleaner | User Access/User Last Activity | <134>Juniper: 2008-07-09 08:04:31 - connect2a - [8192.168.0.1] ABCD::connect2.acme.com(Users)[] - Cache Cleaner is running on host 99.202.123.40 for user 'jsmith'.
2 | N/A | Agile | N/A | N/A | Cache Cleaner | User Access/User Last Activity | <134>Juniper: 2008-07-09 08:04:31 - connect2a - [192.168.0.1] ABCD::bnelson(Users)[] - System process detected a Cache Cleaner time out on host 169.15.2.1 for user 'bnelson' (last update at 2008-07-11 07.00.19 -0700 PDT).
3 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-07-11 10:52:59 - connect2a - [5.5.6.4] WX-Demo::mnichols(Users)[Users] - Connected to SHAREPOINT port 445
4 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-07-10 08:07:51 - connect2a - [2.3.4.5] Root::apawl002(Intranet)[Employee] - NFS server intranet: Permission denied to /home/NFSshare.
5 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-20 00:33:45 - connect2a - [192.16.0.1] Root::jsmith(Managed)[Common, Office] - NFS directory intranet.acme.com: /home/NFSshare 8 items listed.
6 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Downloaded file(s) ARROWD.GIF ARROWR.GIF pj%20jump-09-23-04-07-27.jpg from \\GIZMOFILESERVER\public as Zip file aaa.zip.
7 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - NFS server intranet.acme.com: Uploaded NFS file Phone_Ent.pdf to intranet.acme.com: /home/NFSshare.
8 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - NFS server intranet.acme.com: Downloaded file /home/NFSshare///1jack1new.jpg.
9 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Downloaded Windows file \\GIZMOFILESERVER\public\andrey\Adj_Juniper.xls.
10 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Uploaded Windows file
11 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Created new folder Case Studies on \\LOGLOGIC-SBS\documents and information\3.2 Reseller disk.
12 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Access denied to Windows directory \\\\3.2.1\V321_Supplement.
13 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Cannot write Windows file Loglogic\reseller's disk\Evaluation Forms\Evaluation Implementation formv1 5 to \\LOGLOGIC-SBS\documents and information\3.2 Reseller disk\Evaluation Forms with error 13.
14 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Failed to list Windows share \\LOGLOGIC-SBS\ClientApps in wrkgrp/domain loglogic.com for user amorris with error 13.
15 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Failed to read Windows directory \\LOGLOGIC\LOGLOGIC-SBS\Users\%username% with error 2.
16 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Host Checker policy 'JP Demo' passed on host 172.16.26.11 .
17 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Host Checker policy 'Demo' passed on host 10.1.2.3 for user 'mmcguirl' .
18 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Host Checker policy 'Demo' failed on host 10.4.5.6 . Reason: 'found notepad.exe'.
19 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Host Checker policy 'JP Demo' failed on host 172.16.2.3 for user 'apawl002'. Reason: ''.
20 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - System process detected a Host Checker time out on host 172.16.2.5 for user 'bnelson' (last update at 2008-07-11 07.04.49 -0700 PDT).
21 | N/A | Agile | N/A | N/A | Info | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Max session timeout for mnichols/Users.
22 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Primary authentication successful for mstest2/LOCAL-IVE from 10.2.6.15
23 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Primary authentication failed for [email protected]/acme AD from 172.5.6.87
24 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login succeeded for mstest2/mstest from 10.2.3.56.
25 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server Loglogic Domain. Reason: Failed
26 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server acme AD (LDAP Server). Reason: Failed
27 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server System Local (Local Authentication). Reason: ShortPasswd
28 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Connected to TUN-VPN port 443
29 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Connected to 172.20.1.17 port 1494
30 | N/A | Agile | N/A | N/A | Logoff | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Closed connection to TUN-VPN port 443 after 29 seconds, with 325 bytes read (in 1 chunks) and 419 bytes written (in 6 chunks)
31 | N/A | Agile | N/A | N/A | Logoff | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Closed connection to 172.20.1.17 port 1494 after 241 seconds, with 11680 bytes read (in 40 chunks) and 4793 bytes written (in 156 chunks)
32 | N/A | Agile | N/A | N/A | Logoff | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Logout from 172.16.2.6
33 | N/A | Agile | N/A | N/A | Logoff | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Session for user pjeffers on host 192.168.1.2 has
34 | N/A | Agile | N/A | N/A | Network Connect | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Network Connect: Session started for user with IP 172.20.1.224
35 | N/A | Agile | N/A | N/A | Network Connect | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Network Connect: Session ended for user with IP 172.20.1.224
36 | N/A | Agile | N/A | N/A | Telnet/SSH | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Connected to intranet.acme.net port 23
37 | N/A | Agile | N/A | N/A | Telnet/SSH | User Access/User Last Activity | <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Request to connect to 10.60.0.9 port 22 permission denied
38 | N/A | Agile | N/A | N/A | Login | User Authentication/User Access/User Last Activity | 2011-01-25 18:26:50 - ive - [10.40.1.31] afong(Users)[Users] - Login succeeded for af/Users (session:00000000) from 10.40.1.31.
39 | N/A | Agile | N/A | N/A | Network Connect | User Access/User Last Activity | 2011-01-20 17:53:48 - ive - [172.16.1.55] afong(Users)[Users] - Network Connect: Session started for user with IP 10.60.0.220, hostname AdamDesktop
40 | N/A | Agile | N/A | N/A | Logout | User Access/User Last Activity | 2011-01-25 15:17:00 - ive - [172.16.1.55] afo(Users)[Users] - Logout from 172.16.1.55 (session:00000000)
41 | N/A | Agile | N/A | N/A | File Rewrite | User Access/User Last Activity | 2011-01-25 15:04:18 - ive - [172.16.1.55] afon(Users)[Users] - Fail to list shares \\LOGLABS\10.60.0.22 for user with error 13.
42 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | Juniper: 2011-01-24 14:45:20 - ive - [10.40.1.31] cotto(Users)[Users] - Host Checker policy 'Advanced Endpoint Defense: Malware Protection' passed on host 10.40.1.31 for user 'cotto'.
43 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2011-01-21 19:00:34 - ive - [172.16.1.55] afong(Users)[Users] - Host Checker realm restrictions successfully passed for afon/Users
44 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | <134>Juniper: 2011-01-24 14:11:13 - ive - [10.40.1.31] cott(Users)[Users] - Cache Cleaner realm restrictions successfully passed for cott/Users
45 | N/A | Agile | N/A | N/A | Host Checker | User Access/User Last Activity | 2011-01-25 15:40:31 - ive - [172.16.1.55] System()[] - Host Checker running on host 172.16.1.55 will exit as the user login timed out.
