Integrate Juniper Secure Access VPN

Similar documents
Integrate TippingPoint EventTracker Enterprise

Integrate pfsense EventTracker Enterprise

Integrate Microsoft Hyper-V Server

Integrate Meraki WAP. EventTracker Enterprise. EventTracker 8815 Centre Park Drive Columbia MD

Integrate Windows PowerShell

Integrating Barracuda SSL VPN

Integrate Trend Micro InterScan Web Security

Integration of Phonefactor or Multi-Factor Authentication

Integrate Malwarebytes EventTracker Enterprise

Integrate Sophos Enterprise Console. EventTracker v8.x and above

Integrate HP ProCurve Switch

Integrate F5 BIG-IP LTM

Integrate MySQL Server EventTracker Enterprise

Integrate Sophos UTM EventTracker v7.x

Integrating Terminal Services Gateway EventTracker Enterprise

Integrate Cisco IOS Publication Date: April 15, 2016

Integrating Cyberoam UTM

Integrate Cisco IronPort Security Appliance (ESA)

Integrate Fortinet Firewall. EventTracker v8.x and above

Integrate Cisco Sourcefire

Integrate IIS SMTP server. EventTracker v8.x and above

Integrate EMC Isilon. EventTracker v8.x and above

Integrate NGINX. EventTracker v8.x and above

Integrate Microsoft Antimalware. EventTracker v8.x and above

Integrate Viper business antivirus EventTracker Enterprise

Integrate Citrix NetScaler

Integrate Dell FORCE10 Switch

Integrate Sophos Appliance. EventTracker v8.x and above

Integrate Barracuda Spam Firewall

Integrate Cb Defense. EventTracker v8.x and above

Integrate Saint Security Suite. EventTracker v8.x and above

Integrating Microsoft Forefront Unified Access Gateway (UAG)

Integrate Cisco Switch

Integrate Akamai Web Application Firewall EventTracker v8.x and above

Integrating Cisco Distributed Director EventTracker v7.x

Integrate Kaspersky Security Center

Integrate Veeam Backup and Replication. EventTracker v9.x and above

Integrate Bluecoat Content Analysis. EventTracker v9.x and above

Integrate A10 ADC Publication Date: September 3, 2015

Integrate Palo Alto Traps. EventTracker v8.x and above

Integrate McAfee Firewall Enterprise VPN

Integrating Imperva SecureSphere

Integrating Microsoft Forefront Threat Management Gateway (TMG)

Integrate Microsoft Office 365. EventTracker v8.x and above

Integrate Microsoft ATP. EventTracker v8.x and above

Integrate Apache Web Server

Integrate Microsoft IIS

EventTracker v7.x. Integrating Cisco Catalyst. EventTracker 8815 Centre Park Drive Columbia MD

Integrate Check Point Firewall. EventTracker v8.x and above

SECURE FILE TRANSFER PROTOCOL. EventTracker v8.x and above

Product Update: ET82U16-029/ ET81U EventTracker Enterprise

Integrate Symantec Messaging Gateway. EventTracker v9.x and above

Integrate Cisco VPN Concentrator

Receive and Forward syslog events through EventTracker Agent. EventTracker v9.0

Enhancement in Network monitoring to monitor listening ports EventTracker Enterprise

Enhancement in Agent syslog collector to resolve sender IP Address EventTracker Enterprise

Integrate Aventail SSL VPN

Agent Installation Using Smart Card Credentials Detailed Document

8815 Centre Park Drive Columbia MD Publication Date: Dec 04, 2014

Integrate Salesforce. EventTracker v8.x and above

Port Configuration. Configure Port of EventTracker Website

Remote Indexing Feature Guide

Enable Auditing in Open LDAP on Linux Server

Integrate APC Smart UPS

Integrate WatchGuard XTM. EventTracker Enterprise

Integrate VMware ESX/ESXi and vcenter Server

How To Embed EventTracker Widget to an External Site

Integrate Clavister Firewall

Integrating LOGbinder SP EventTracker v7.x

EventTracker v8.2. Install Guide for EventTracker Log Manager. EventTracker 8815 Centre Park Drive Columbia MD

Installation Guide. EventTracker Enterprise. Install Guide Centre Park Drive Publication Date: Aug 03, U.S. Toll Free:

EventVault Introduction and Usage Feature Guide Version 6.x

Agent health check enhancements Detailed Document

Upgrade Guide. Upgrading to EventTracker v6.4 b50. Upgrade Guide Centre Park Drive Publication Date: Feb 17, 2010.

Security Scorecard in Flex Dashboard

Geolocation and hostname resolution while Elasticsearch indexing. Update Document

How to Configure ASA 5500-X Series Firewall to send logs to EventTracker. EventTracker

Integrate Citrix Access Gateway

Feature List. EventTracker v7.6. EventTracker 8815 Centre Park Drive Columbia MD Publication Date: Sep 15, 2014

Integrate Routing and Remote Access Service (RRAS) EventTracker v8.x and above

New Features Guide EventTracker v6.2

Secure IIS Web Server with SSL

Integrate Grizzly steppe attacks detection script

Agent Direct Log Archiver Configuration Guide

Integrate Trend Micro Control Manager. EventTracker v8.x and above

Installation Guide Install Guide Centre Park Drive Publication Date: Feb 11, 2010

Service Pack ET90U Feature Document

Upgrade Guide. Upgrading to EventTracker v6.4 b50. Upgrade Guide Centre Park Drive Publication Date: Feb 17, 2010.

Upgrade Guide. Upgrading to EventTracker v6.4 b50. Upgrade Guide Centre Park Drive Publication Date: Feb 17, 2010.

Configure Alerts. EventTracker v6.x. EventTracker 8815 Centre Park Drive Columbia MD Publication Date: Jun 12, 2009

Monitoring SharePoint 2007/ 2010/ 2013 Server using EventTracker

Upgrade Guide. Upgrading to EventTracker v7.1 Enterprise. Upgrade Guide Centre Park Drive Publication Date: Apr 11, 2011.

Upgrade Guide. Upgrading to EventTracker v6.4 b50. Upgrade Guide Centre Park Drive Publication Date: Feb 17, 2010.

IIS Web Server Configuration Guide EventTracker v8.x

Configuring TLS 1.2 in EventTracker v9.0

IIS Web Server Configuration Guide EventTracker v9.x

Check Point Guide. Configure ETAgent to read CheckPoint Logs. EventTracker 8815 Centre Park Drive Columbia MD

Event Correlator. EventTracker v8.x

Adding Tokens in Flex Report

EventTracker Upgrade Guide. Upgrade to v9.0

Transcription:

Integrate Juniper Secure Access VPN EventTracker Enterprise Publication Date: Jan. 5, 2017 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com

About this Guide This guide will facilitate a Juniper Secure Access VPN user to send syslog to EventTracker Enterprise. Scope The configurations detailed in this guide are consistent with EventTracker Enterprise 7.x or later and Juniper Secure Access VPN. Audience Administrators who want to monitor Juniper Secure Access VPN using EventTracker Enterprise. The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. 2016 Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 1

Table of Contents About this Guide...1 Scope...1 Audience...1 Introduction...3 Pre-requisites...3 How to enable Juniper Secure Access VPN Event Logs and Send logs to EventTracker?...3 EventTracker Knowledge Pack...8 Categories...9 Alerts...9 Reports...10 Behavior rules...14 Importing Juniper Secure Access VPN knowledge pack into EventTracker...15 Category...15 Alerts...17 Tokens...18 Flex Reports...19 Token Templates...20 Behavior Rules...21 Verifying Juniper Secure Access VPN knowledge pack in EventTracker...23 Categories...23 Alerts...23 Tokens...25 Reports...25 Token Template...26 Behavior Rules...27 Create Flex Dashboards in EventTracker...27 Schedule Reports...27 Create Dashlets...30 Sample Dashboards...34 2

Introduction The Juniper Networks Secure Access SSL VPN device is suitable for large enterprises and service providers. It features best-in-class performance, scalability and redundancy for organizations with high-volume secure access and authorization requirements. The Juniper Secure Access VPN SSL VPN hardware platforms are designed to scale to the largest enterprise deployments and to optimize application delivery, with redundant, hot-swappable hard disks and fans, optional second power supply, as well as multiple Ethernet ports for redundant or meshed configurations. Pre-requisites EventTracker 7.x or later should be installed. Port 514 must be opened on Juniper Networks Secure Access SSL VPN. Port 514 must not be used by other services of Juniper Networks Secure Access SSL VPN. An exception should be added into Windows Firewall on EventTracker machine for Syslog port 514. How to enable Juniper Secure Access VPN Event Logs and Send logs to EventTracker? To specify events log settings: Login to the Juniper secure access VPN using the user credentials and follow the below steps: Step 1: In the admin console, choose System > Log/Monitoring. 3

Figure 1 Step 2: Select the Events Log, User Access Log, Admin Access Log, or Sensors Log tab, and then choose Settings. Here we have selected User Access > Settings. 4

Figure 2 In the Maximum Log Size field, specify the maximum file size for the local log file. (The limit is 500 MB.) The system log displays data up to the amount specified. NOTE: Maximum Log Size is an internal setting that most closely corresponds with the size of logs formatted with the Standard format. If you choose to use a more verbose format such as WELF, your log files may exceed the limit that you specify here. Step 3: Under Select Events to Log, select the checkbox for each type of event that you want to capture in the local log file: Login/Logout SAM/Java User Settings Secure Terminal 5

Network Connect File Requests NOTE: If you disable the Statistics checkbox in the Events Log tab, the IVE does not write statistics to the log file, but continues to display them in the System > Log/Monitoring > Statistics tab. For more information, see Viewing system statistics. User Access > Settings > Select Events to Log Figure 3 Step 4: Under EventTracker servers, enter information about the EventTracker servers where you want to store your log files (optional): Enter the name or IP address of the EventTracker server. 6

Enter a facility for the server. The IVE provides 8 facilities (LOCAL0-LOCAL7) which you can map to facilities on your EventTracker server. (Central Manager only) Choose which filter you want to apply to the log file. Click Add. NOTE: Make sure your EventTracker server accepts messages with the following settings: facility = LOG_USER and level = LOG_INFO. User Access > Settings > EventTracker servers Figure 4 Step 5: Click Save Changes. User Access > Settings > Save Changes. 7

Figure 5 EventTracker Knowledge Pack Once Juniper Secure Access VPN events are enabled and Juniper Secure Access VPN events are received in EventTracker; Alerts and Reports can be configured in EventTracker. The following Knowledge Packs are available in EventTracker to support Juniper Secure Access VPN monitoring. 8

Categories Juniper Secure Access VPN: Cache cleaner activity This category provides information related to cache cleaner which removes residual data, such as temporary files or application caches, left on a user s machine after a secure access session on Juniper Secure Access VPN. Juniper Secure Access VPN: User session status This category provides information related to user session whether the user session has started or stopped on Juniper Secure Access VPN. Juniper Secure Access VPN: User login failed This category provides information related to login failed, when the admin tries to login but fails on Juniper Secure Access VPN. Juniper Secure Access VPN: User login success This category provides information related to login success, when the login of the admin is a success on Juniper Secure Access VPN. Juniper Secure Access VPN: Primary authentication failed This category provides information related to primary authentication, where the user tries to authenticate at the initial stage of authentication but fails on Juniper Secure Access VPN. Juniper Secure Access VPN: Primary authentication successful This category provides information related to primary authentication, where the user tries to authenticate at the initial stage of authentication and successfully authenticates on Juniper Secure Access VPN. Juniper Secure Access VPN: File transfer activity This category provides information related to file transfer activity, where the user tries to download or upload a file on Juniper Secure Access VPN. Alerts Juniper Secure Access VPN: Primary authentication failed- This alert is generated when user tries to authenticate on the initial stage of authentication in Juniper secure access VPN. <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2]Root::jsmith(Intranet)[Employee] - Primary authentication failed for mpanko@juniper.net/acme AD from 172.5.6.87 9

Juniper Secure Access VPN: User login failed- This alert is generated when admin tries to login but fails in Juniper secure access VPN. <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server EventTracker Domain. Reason: Failed <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server acme AD (LDAP Server). Reason: Failed <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server System Local (Local Authentication). Reason: ShortPasswd Juniper Secure Access VPN: User login success- This alert is generated when user successfully login to the Juniper Secure Access VPN. Logs Considered <134>Juniper: 2016-12-21 08:01:22 - connect2a - [192.168.150.2] Root::jsmith(Intranet)[Employee] - Login succeeded for mstest2/mstest from 10.20.30.56. <134>Juniper: 2016-12-20 08:01:22 - connect2a - [192.168.150.22] Root::charles(Intranet)[Employee] - Login succeeded for mstest2/mstest from 10.20.30.159. Reports Juniper Secure Access VPN-File transfer activity: This report provides information related to user activity, where the user tries to download or upload a file on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Downloaded Windows file \\GIZMOFILESERVER\public\andrey\Adj_Juniper.xls <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Uploaded Windows file \\GIZMOFILESERVER\public\\AAA_HU\ldapbrowser\lib\ldap.jar. 10

Sample Report Figure 6 Juniper Secure Access VPN-Primary authentication successful: This report provides information related to primary authentication, where the user tries to authenticate at the initial stage of authentication on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Primary authentication successful for mstest2/local-ive from 10.2.6.15 Sample Report Figure 7 Juniper Secure Access VPN-Primary authentication failed: This report provides information related to primary authentication, where the user tries to authenticate at the initial stage of authentication but fails on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Primary authentication failed for mpanko@juniper.net/acme AD from 172.5.6.87 11

Sample Report Figure 8 Juniper Secure Access VPN-User login success: This report provides information related to login success, i.e. when the login of the admin is a success on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login succeeded for mstest2/mstest from 10.2.3.56. Sample Report Figure 9 Juniper Secure Access VPN-User login failed: This report provides information related to login failed, i.e. when the admin tries to login but fails on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server EventTracker Domain. Reason: Faile <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server acme AD (LDAP Server). Reason: Failed <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login failed using auth server System Local (Local Authentication). Reason: ShortPasswd 12

Sample Report Figure 10 Juniper Secure Access VPN-User session status: This report provides information related to user session, i.e. whether the user session has started or stopped on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Network Connect: Session started for user with IP 172.20.1.224 <134>Juniper: 2008-08-21 08:01:22 - connect2a - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Network Connect: Session ended for user with IP 172.20.1.224 Sample Report Figure 11 Juniper Secure Access VPN-Cache cleaner activity: This report provides information related to cache cleaner which removes residual data, such as temporary files or application caches, left on a user s machine after a Secure Access session on Juniper Secure Access VPN. Logs considered <134>Juniper: 2008-07-09 08:04:31 - connect2a - [8192.168.0.1] ABCD::connect2.acme.com(Users)[] - Cache Cleaner is running on host 99.202.123.40 for user 'jsmith'. <134>Juniper: 2008-07-09 08:04:31 - connect2a - [192.168.0.1] ABCD::bnelson(Users)[] - System process detected a Cache Cleaner time out on host 169.15.2.1 for user 'bnelson' (last update at 2008-07- 11 07.00.19-0700 PDT) 13

Sample Report Behavior rules Juniper Secure Access VPN user logon success Figure 12 This behavior rule helps in identifying the connections from unknown or new IP addresses used to logon to Juniper Secure Access VPN. Figure 13 14

Importing Juniper Secure Access VPN knowledge pack into EventTracker 1. Launch EventTracker Control Panel. 2. Double click Export Import Utility, and then click Import tab. Import Token Templates/Category/Alert/Tokens/ Flex Reports as given below. NOTE: Importing should be in the same order as mentioned above. Figure 14 Category 1. Click Category option, and then click the browse button. 15

Figure 15 2. Locate All Juniper Secure Access VPN group of Categories.iscat file, and then click the Open button. 3. To import categories, click the Import button. EventTracker displays success message. Figure 16 4. Click OK, and then click the Close button. 16

Alerts 1. Click Alerts option, and then click the browse button. Figure 17 2. Locate All Juniper Secure Access VPN Alerts.isalt file, and then click the Open button. 3. To import alerts, click the Import button. EventTracker displays success message. Figure 18 4. Click OK, and then click the Close button. 17

Tokens 1. Click Token value option, and then click the browse button. Figure 19 2. Locate All Juniper Secure Access VPN Tokens.istoken file, and then click the Open button. 3. To import tokens, click the Import button. EventTracker displays success message. 4. Click OK, and then click the Close button. Figure 20 18

Flex Reports 1. Click Report option, and then click the browse button. Figure 21 2. Locate All Juniper Secure Access VPN Flex Report.issch file, and then click the Open button. 3. To import scheduled reports, click the Import button. EventTracker displays success message. Figure 22 4. Click OK, and then click the Close button. 19

Token Templates 1. Click the Admin menu, and then click Parsing rule. 2. Select Template tab, and then click on Import option. 3. Click on Browse button. Figure 23 Figure 24 4. Locate All Juniper Secure Access VPN Token Template.ettd file, and then click the Open button 20

Figure 25 5. Now select the check box and then click on Import option. EventTracker displays success message. 6. Click on OK button. Figure 26 Behavior Rules 1. Click Behavior Rules option, and then click the browse button. 2. Locate the All Juniper Secure Access VPN group of behavior rules.isrule file, and then click Open button. 21

Figure 27 3. To import categories, click the Import button. EventTracker displays success message. Figure 28 7. Click OK. 22

Verifying Juniper Secure Access VPN knowledge pack in EventTracker Categories 1. Logon to EventTracker Enterprise. 2. Click the Admin menu, and then click Categories. 3. In Category Tree to view imported categories, scroll down and expand Juniper Secure Access VPN group folder to view the imported categories. Figure 29 Alerts 1. Logon to EventTracker Enterprise. 2. Click the Admin menu, and then click Alerts. 23

3. In Search field, type Juniper Secure Access VPN, and then click the Go button. Alert Management page will display all the imported Juniper Secure Access VPN alerts. Figure 30 4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays message box. Figure 31 5. Click OK, and then click the Activate Now button. NOTE: You can select alert notification such as Beep, Email, and Message etc. For this, select the respective checkbox in the Alert management page, and then click the Activate Now button. 24

Tokens 1. Logon to EventTracker Enterprise. 2. Click the Admin menu, and then click Parsing Rules. The imported Juniper Secure Access VPN tokens are added in Token-Value Groups list. Reports Figure 32 1. Logon to EventTracker Enterprise. 2. Click the Reports menu, and then select Configuration. 3. In Reports Configuration pane, select Defined option. EventTracker displays Defined page. 4. In search box enter Juniper Secure Access VPN, and then click the Search button. EventTracker displays Flex reports of Juniper Secure Access VPN. 25

Figure 33 Token Template 1. Logon to EventTracker Enterprise. 2. Click the Admin menu, and then click Parsing Rules. Figure 34 26

Behavior Rules 1. Select Behavior Rules from Admin drop-down. 2. Scroll down and find Juniper Secure Access VPN rules. Figure 35 Create Flex Dashboards in EventTracker Schedule Reports 1. Open EventTracker in browser and logon. 2. Navigate to Reports>Configuration. Figure 36 27

Figure 37 3. Select Juniper Secure Access VPN in report groups. Check Defined dialog box. 4. Click on schedule to plan a report for later execution. 28

Figure 38 5. Choose appropriate time for report execution and in Step 8 check Persist data in Eventvault explorer box. Figure 39 29

6. Check column names to persist using PERSIST checkboxes beside them. Choose suitable Retention period. 7. Proceed to next step and click Schedule button. 8. Wait for scheduled time or generate report manually. Create Dashlets 1. EventTracker 8 is required to configure flex dashboard. 2. Open EventTracker in browser and logon. Figure 40 3. Navigate to Dashboard>Flex. Flex Dashboard pane is shown. 30

Figure 41 4. Fill suitable title and description and click Save button. 5. Click to configure a new flex dashlet. Widget configuration pane is shown. 31

Figure 42 6. Locate earlier scheduled report in Data Source dropdown. 7. Select Chart Type from dropdown. 8. Select extent of data to be displayed in Duration dropdown. 9. Select computation type in Value Field Setting dropdown. 10. Select evaluation duration in As Of dropdown. 11. Select comparable values in X Axis with suitable label. 12. Select numeric values in Y Axis with suitable label. 13. Select comparable sequence in Legend. 14. Click Test button to evaluate. Evaluated chart is shown. 32

Figure 43 3. If satisfied, click Configure button Figure 44 4. Click customize to locate and choose created dashlet. 5. Click to add dashlet to earlier created dashboard. 33

Sample Dashboards 1. Juniper Secure Access VPN User session status. Figure 45 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback