
Barracuda CloudGen Firewall connector not enabling/CGFWFirewallActivity syslog format?

Open fallmake opened this issue 4 years ago • 8 comments

The Barracuda CloudGen Firewall connector doesn't enable, despite syslog events from the firewall being present in the log analytics workspace for sentinel. I've run the query provided at https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Barracuda/CGFWFirewallActivity. See the syslog event example below. The format parsed in CGFWFirewallActivity doesn't match this format.

What version or settings in Cloudgen Firewall is the format supplied for CGFWFirewallActivity based on?

Expected behavior: CGFWFirewallActivity returning the result expected by the Barracuda CloudGen Firewall connector and results being available in sentinel.

Additional context: Firewall firmware version is 8.0.3-137

Example syslog event: TenantId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx SourceSystem: Linux TimeGenerated [UTC]: 2020-06-15T08:57:31.52Z Computer: cloudgen-fw EventTime [UTC]: 2020-06-15T08:57:31Z Facility: user HostName: cloudgen-fw SeverityLevel: info SyslogMessage: Allow: FWD|UDP|eth0|172.16.123.123|34701|ab:cd:ef:12:f7:13|172.16.123.124|53|dns|eth0|Domain-Services|4|172.16.123.123|172.16.123.124|0|1|0|0|0|0|||||| HostIP: Unknown IP ProcessName: box_Firewall_Activity MG: 00000000-0000-0000-0000-000000000002 Type: Syslog _ResourceId: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/rg-name/providers/microsoft.compute/virtualmachines/cloudgen-fw

fallmake avatar Jun 15 '20 10:06 fallmake
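As an added illustration of the pipe-delimited `box_Firewall_Activity` format quoted above (this is not the repository's CGFWFirewallActivity parser and not Barracuda's documented schema): the record below is a copy of the sample SyslogMessage from the post, the positional field names are assumptions inferred from that one sample, and the parser rejects lines whose addresses or ports do not validate, so a schema mismatch surfaces as counted rejections instead of a silently empty result set.

```python
import ipaddress
from typing import Optional

# Constructed sample: the SyslogMessage value quoted in the issue (not a live log).
SAMPLE_SYSLOG_MESSAGE = (
    "Allow: FWD|UDP|eth0|172.16.123.123|34701|ab:cd:ef:12:f7:13|"
    "172.16.123.124|53|dns|eth0|Domain-Services|4|172.16.123.123|"
    "172.16.123.124|0|1|0|0|0|0||||||"
)

# Assumption: names for the first 14 positions are inferred from the sample only.
# Later positions (counters and the six trailing empty fields) are kept as
# numbered unknowns rather than guessed.
ASSUMED_FIELD_NAMES = [
    "rule_type", "protocol", "in_interface", "src_ip", "src_port", "src_mac",
    "dst_ip", "dst_port", "service", "out_interface", "rule_name", "count",
    "nat_src_ip", "nat_dst_ip",
]


def parse_cgfw_activity(message: str) -> Optional[dict]:
    """Parse one firewall-activity SyslogMessage into a dict, or None on mismatch."""
    action, sep, body = message.partition(": ")
    if not sep or "|" not in body:
        return None
    record = {"action": action}
    for index, value in enumerate(body.split("|")):
        if index < len(ASSUMED_FIELD_NAMES):
            record[ASSUMED_FIELD_NAMES[index]] = value
        else:
            record[f"field{index + 1}"] = value  # unknown position, keep raw
    # Validate the fields we rely on so a malformed line is rejected loudly.
    try:
        for key in ("src_ip", "dst_ip"):
            ipaddress.ip_address(record[key])
        for key in ("src_port", "dst_port"):
            if not 0 <= int(record[key]) <= 65535:
                return None
    except (KeyError, ValueError):
        return None
    return record


def parse_batch(messages):
    """Return (parsed records, rejected raw lines).

    A non-empty rejected list is the signal a detection engineer wants when a
    parser stops matching the device's output; an empty result set alone is not.
    """
    parsed, rejected = [], []
    for message in messages:
        record = parse_cgfw_activity(message)
        if record is None:
            rejected.append(message)
        else:
            parsed.append(record)
    return parsed, rejected


if __name__ == "__main__":
    records, bad = parse_batch([SAMPLE_SYSLOG_MESSAGE, "unrelated syslog text"])
    print(records[0]["action"], records[0]["src_ip"], "->",
          records[0]["dst_ip"], records[0]["dst_port"], records[0]["service"])
    print("rejected:", len(bad))
```

The split-and-name logic maps directly onto a Kusto `split()` over `SyslogMessage` once the real field order is confirmed against Barracuda's documentation for the firmware in use; the rejection count is what to alert on when the parser and the firmware drift apart.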

@fallmake - just want to confirm you are meaning the parser doesn't work after you have connected the data into Azure Sentinel? The title and subject didn't match, so I want to be clear. If you are referring to the parser, then @morshabi can you comment here?

shainw avatar Jun 23 '20 23:06 shainw

Yes, the parser doesn't work for me after "connecting the data".

  • The firewall is configured for syslog streaming and connected to the log analytics workspace linked with Azure Sentinel
  • The barracuda cloudgen firewall connector in azure sentinel shows status "not connected" and in the connector's properties the "Syslog (Barracuda)" data type is not connected (no green indicator).
  • The prerequisites info in the azure portal for the connector says "The queries and workbooks are dependent on a Kusto function to work as expected. Refer to the function Follow the steps provided in the function to use the function alias “CGFWFirewallActivity” in queries and workbooks." but that sentence is self-referential and does not provide the required info about where to find this function. In this github repo I found the query for "CGFWFirewallActivity" mentioned in the prerequisites on the connector page. The function "CGFWFirewallActivity" doesn't exist in log analytics and seemingly has to be created manually from what I can tell from the code comments.
  • I executed the query retrieved from github, but it returns no results while I can see that there is in fact syslog data from the cloudgen firewall in the log analytics workspace in the format shown in my original post.
  • The regular expressions for barracuda cloudgen FW syslog data in the query for "CGFWFirewallActivity" in this repository don't match the format of syslog events streamed from the firewall that I can see in log analytics.

fallmake avatar Jun 29 '20 11:06 fallmake

Hi,

I have the same issue, did you find a solution?

Cheers

Jon

azjon avatar Aug 06 '20 12:08 azjon

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Jun 25 '21 00:06 github-actions[bot]

Is this able to be fixed? It seems the names are all wrong for the WaaS exports from Barracuda as this is the format in the portal

FW Format %header cat=%lt dst=%ai dpt=%ap act=%at msg=%adl duser=%au src=%ci spt=%cp requestMethod=%m app=%p requestContext=%r rt=%tarc request=%u requestClientApplication=%ua dvchost=%un cn2=%pp cn2Label=ProxyPort cs1=%ri cs1Label=RuleID cs2=%fa cs2Label=FollowUpAction cs3=%rt cs3Label=RuleType cs4=%ag cs4Label=AttackGroup cs5=%px cs5Label=ProxyIP cs6=%sid cs6Label=SessionID destinationServiceName=%sn

Access Log Format %header cat=%lt dvc=%ai duser=%au in=%br out=%bs suser=%cu src=%ci spt=%cp requestCookies=%c dhost=%h outcome=%s suid=%id requestMethod=%m app=%p msg=%q requestContext=%r dst=%si dpt=%sp rt=%tarc request=%u requestClientApplication=%ua dvchost=%un cs1Label=ClientType cs1=%ct cs2Label=Protected cs2=%pf cs3Label=ProxyIP cs3=%px cs4Label=ProfileMatched cs4=%pmf cs6Label=WFMatched cs6=%wmf cn1Label=ServicePort cn1=%ap cn2Label=CacheHit cn2=%ch cn3Label=ProxyPort cn3=%pp flexNumber1Label=ServerTime(ms) flexNumber1=%st flexNumber2Label=TimeTaken(ms) flexNumber2=%tt flexString1Label=ProtocolVersion flexString1=%v BarracudaWafCustomHeader1=%cs1 BarracudaWafCustomHeader2=%cs2 BarracudaWafCustomHeader3=%cs3 BarracudaWafResponseType=%rtf BarracudaWafSessionID=%sid destinationServiceName=%sn

mcconnellt150 avatar Jul 08 '21 16:07 mcconnellt150
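The two templates above are CEF layouts (a `%header` followed by `key=value` extension pairs, with `csN`/`csNLabel` and `cnN`/`cnNLabel` pairs carrying product-specific names such as RuleID and ProxyPort). As an added example, not code from this repository or from Barracuda, here is a parser for that shape: the sample event is constructed to follow the "FW Format" template with made-up header and extension values, and the parser resolves each label pair into a named field, which is the step a Sentinel parser for these exports needs in order to expose RuleID, AttackGroup and similar fields under stable names.

```python
import re
from typing import Optional

# Constructed sample following the "FW Format" template; every value is made up.
SAMPLE_CEF = (
    "CEF:0|Barracuda|WAF|1.0|WF|Firewall Log|5|"
    "cat=WF dst=10.0.0.5 dpt=443 act=DENY msg=Request blocked by rule duser=- "
    "src=198.51.100.7 spt=51234 requestMethod=GET app=example-app requestContext=- "
    "rt=1625760000000 request=/login requestClientApplication=curl/7.68.0 "
    "dvchost=waas-node-1 cn2=8443 cn2Label=ProxyPort cs1=R-100 cs1Label=RuleID "
    "cs2=NONE cs2Label=FollowUpAction cs3=GLOBAL cs3Label=RuleType "
    "cs4=SQLi cs4Label=AttackGroup cs5=10.0.0.9 cs5Label=ProxyIP "
    "cs6=abc123 cs6Label=SessionID destinationServiceName=svc"
)

# The seven fixed CEF header fields, in order.
HEADER_NAMES = ["cef_version", "device_vendor", "device_product",
                "device_version", "signature_id", "name", "severity"]
# Split the header on pipes that are not backslash-escaped.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# One extension pair: key=value, where the value runs until the next " key=".
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> Optional[dict]:
    """Parse a CEF line into header fields plus a label-resolved extension dict."""
    parts = HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    record = dict(zip(HEADER_NAMES, parts[:7]))
    record["cef_version"] = record["cef_version"][len("CEF:"):]

    raw_ext = dict(EXT_PAIR.findall(parts[7]))
    resolved = {}
    for key, value in raw_ext.items():
        if key.endswith("Label"):
            continue  # consumed when its partner key is resolved below
        label = raw_ext.get(key + "Label")
        resolved[label or key] = value
    record["extension"] = resolved
    return record


if __name__ == "__main__":
    event = parse_cef(SAMPLE_CEF)
    print(event["device_product"], event["extension"]["act"],
          "rule", event["extension"]["RuleID"],
          "group", event["extension"]["AttackGroup"])
```

Note that this product is the Barracuda WAF (WaaS), not the CloudGen Firewall that the CGFWFirewallActivity function targets, so its events would need their own parser regardless of the pipe-format question raised earlier in the thread.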

fallmake, are you still facing the same issue?

v-laanjana avatar Nov 14 '22 05:11 v-laanjana

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Jan 10 '23 11:01 github-actions[bot]


Hi @fallmake, thank you for flagging this. Apologies for the delayed response. If you still need assistance, please reply here within 5 business days.

v-amolpatil avatar Jan 18 '23 07:01 v-amolpatil

Since we have not received a response in the last 5 days, we are closing your issue #752 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.

v-amolpatil avatar Jan 31 '23 14:01 v-amolpatil

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Jan 31 '23 14:01 github-actions[bot]