Configure NetScreen Firewall


    Firewall Analyzer supports most versions of NetScreen Firewall Appliance (OS 3.x, 4.x, 5.x,...). You can enable either WELF or Syslog format.

    Enable Syslog Messages and Disable WebTrends Messages using the NetScreen Administration Tools Console 

    1. Log in to the NetScreen GUI.
    2. Click Configuration > Report Settings > Syslog in the left pane of the NetScreen GUI.
    3. Select the Enable Syslog Messages check box.
    4. Select the Trust Interface as Source IP for VPN and Include Traffic Log check boxes.
    5. Type the IP address of the Firewall Analyzer server and syslog port (514) in the Syslog Host Name / Port text box.
    6. All other fields will have default values.
    7. Click Apply to save the changes.
    8. Click Configuration > Report Settings > WebTrends in the left pane of the NetScreen GUI.
    9. Clear the Enable WebTrends Messages check box.
    10. Click Apply to save the changes.

    To configure Syslog, perform the following steps:

    1. Open the WebUI.
    2. From the ScreenOS console menu, click Configuration, select Report Settings, and then click Syslog.

     

    3. From the Syslog page, click to select Enable Syslog Messages.

    Note:

    From the 'Source interface' drop-down menu, select the interface from which syslog packets are sent.

    4. Enter the necessary information for each syslog server you are adding. Syslog messages can be sent to up to 4 designated syslog servers.
    • Enable: Select this option to enable the syslog server.
    • IP/Hostname: The IP address of the syslog host.
    • Port: The port to which the security device sends syslog messages. The default port is UDP 514.
    • Security Facility: The security facility, which classifies and sends security-specific messages to the syslog host.
    • Facility: The regular facility, which classifies and sends all other messages for events unrelated to security.
    • Event Log: Select this option to send event log entries to the syslog host.
    • Traffic Log: Select this option to send traffic log entries to the syslog host.
    • TCP: Select this option to use TCP as the transport protocol for communication between the device and the syslog server. By default, UDP is used. Before selecting the TCP option, consult KB14982 - Device May Become Unmanageable after Enabling TCP Syslog.

    For this example, 192.168.1.2 has been used as the Syslog Host Name. It is recommended to leave the Syslog port as the default value (514).

    5. Click APPLY to save the syslog configuration.

    Note:

    In certain versions of NetScreen firewall there is an option to record the completion of a transaction. Please select this option (if available) in the NetScreen firewall to enable Firewall Analyzer to measure the sent and received bytes from the firewall traffic logs.

     

    Caution:

    Uncheck the TCP option. This makes the firewall send syslog messages to the configured UDP port.

    If you would like to send NetScreen logs in WELF to Firewall Analyzer, then you need to Disable Syslog Messages and Enable WebTrends Messages in the above steps. For more information, refer to the NetScreen documentation.

    Configure/Enable Syslog Messages for NetScreen Firewall device using CLI Console:

    Execute the following commands to configure syslog via CLI: 

    set syslog config 192.168.1.2
    set syslog config 192.168.1.2 facilities local0 local0
    set syslog config 192.168.1.2 log traffic
    set syslog src-interface <interface name>
    set syslog enable

    NOTE: The difference between “security facility” and “facility” is that “security facility” is specific for logging of security related events. Facility logs all other events.

    Configure/Enable WebTrends for NetScreen Firewall device using CLI Console:

    Execute the following commands to configure WebTrends via CLI:

    Syngress > set webtrends host-name 10.23.23.2
    Syngress > set webtrends port 514
    Syngress > set webtrends enable

     

    Configure/Enable SNMP Protocol for NetScreen Firewall device

    Using CLI Console:

    To add a new SNMP community: (Skip this step, if you have already defined a community) 

    set snmp community "<community name>" Read-Only Trap-off version {any | v1 | v2c}

    To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall: 

    set snmp host "<community name>" <Firewall Analyzer IP> [src-interface <interface through which Firewall Analyzer is connected>]

    Example: The following command example defines the IP address '10.5.1.24' as a member of the SNMP community named 'olympia':

    set snmp host "olympia" 10.5.1.24 src-interface inside

    Enable SNMP manageability on the interface through which the SNMP manager in Firewall Analyzer communicates with the SNMP agent in the NetScreen device. 

    set interface <interface name> manage snmp
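
    As an added example (not part of the original page or of Firewall Analyzer), the following Python function checks a list of commands written in the form shown above against the steps on this page: syslog enabled and pointed at Firewall Analyzer with traffic logging, WebTrends not enabled at the same time, and a Read-Only SNMP community whose source interface has SNMP management enabled. The function name `audit`, the sample command list and the interface name `ethernet1` are assumptions made for the example.

```python
import re

# Constructed input: the page's commands with its example values; "ethernet1" is assumed.
SAMPLE = """\
set syslog config 192.168.1.2
set syslog config 192.168.1.2 facilities local0 local0
set syslog config 192.168.1.2 log traffic
set syslog src-interface ethernet1
set syslog enable
set snmp community "olympia" Read-Only Trap-off version any
set snmp host "olympia" 10.5.1.24 src-interface ethernet1
set interface ethernet1 manage snmp
"""

def audit(commands, syslog_ip, snmp_manager_ip):
    """Check a command list against the page's steps; return a list of findings."""
    # Normalise whitespace and drop quotes so names compare as plain tokens.
    lines = [" ".join(l.replace('"', "").split()) for l in commands.splitlines() if l.strip()]
    findings = []
    host = f"set syslog config {syslog_ip}"
    if "set syslog enable" not in lines:
        findings.append("syslog is not enabled")
    if not any(l == host or l.startswith(host + " ") for l in lines):
        findings.append("Firewall Analyzer is not a syslog host")
    if f"{host} log traffic" not in lines:
        findings.append("traffic log is not sent to Firewall Analyzer")
    if "set syslog enable" in lines and "set webtrends enable" in lines:
        findings.append("syslog and WebTrends are both enabled")
    # Map each community to its permission keyword (Read-Only in the page's command).
    perms = {}
    for l in lines:
        if m := re.fullmatch(r"set snmp community (\S+) (\S+) .*", l):
            perms[m.group(1)] = m.group(2)
    # Host entries that name the Firewall Analyzer address as SNMP manager.
    hosts = [m for l in lines
             if (m := re.fullmatch(r"set snmp host (\S+) (\S+)(?: src-interface (\S+))?", l))
             and m.group(2) == snmp_manager_ip]
    if not hosts:
        findings.append("Firewall Analyzer is not an SNMP host")
    for m in hosts:
        community, _, iface = m.groups()
        if perms.get(community) != "Read-Only":
            findings.append("SNMP community used by Firewall Analyzer is not Read-Only")
        if iface and f"set interface {iface} manage snmp" not in lines:
            findings.append(f"SNMP management is not enabled on {iface}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "192.168.1.2", "10.5.1.24") or "no findings")
```

    Findings deliberately omit the community string, since an SNMP v1/v2c community acts as a shared secret.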

     

    Using Web UI:

    To add a new SNMP community: (Skip this step, if you have already defined a community)

    • Log in to the NetScreen web interface.
    • Go to Configuration > Report Settings > SNMP > New Community
    • Enter the following settings:
      • Community Name: <community name>
      • Permissions:
      • Write: (select)
      • Trap: (clear)
      • Including Traffic Alarms: (clear)
      • Version: ANY (select)
      • Hosts IP Address/Netmask and Trap Version: <Firewall Analyzer IP address>
    • Click Apply.

    To enable the SNMP Manager running in Firewall Analyzer to make queries to SNMP Agent running in the firewall:

    • Go to Configuration > Report Settings > SNMP
    • Edit the community to add the SNMP Manager IP <Firewall Analyzer IP address> and the source interface (the interface through which Firewall Analyzer connects to the firewall) to that community. The option to edit a community is under the communities section. If the SNMP Agent does not have a community, click the 'New Community' button and provide the community string, the SNMP Manager IP address <Firewall Analyzer IP address> and the source interface (the interface through which Firewall Analyzer connects to the firewall) for that community.
    • Click Apply.

    Enable SNMP manageability on the interface through which the SNMP manager in Firewall Analyzer communicates with the SNMP agent in the NetScreen device.

    • Go to Network > Interfaces > Edit (for ethernet1)
    • Enter the following settings:
      • Service Options: <no change>
      • Management Services: SNMP
    • Click OK.