Cisco PIX Firewall Auditing Overview
Cisco PIX Firewall Auditing Overview
The Firewalls Knowledge Pack expands the auditing and reporting capabilities of InTrust to Cisco PIX. The necessary data is provided by the Cisco PIX log in plain text format.
Use the following InTrust objects to work with data related to Cisco PIX Firewall:
- “Cisco PIX text Log” data source
- “Cisco PIX Firewall: All Events” gathering policy
- “Cisco PIX Firewall: All Events” import policy
- “Cisco PIX Firewall log daily collection” task
- “Cisco PIX Firewall weekly reporting” task
- “All syslog servers for Cisco PIX firewalls” site
The Knowledge Pack includes the Cisco PIX report pack. You can schedule the reports with the “Cisco PIX Firewall weekly reporting” task.
Getting Started with Cisco PIX Auditing
The predefined Cisco PIX data source works with Cisco PIX Firewall log data in ASCII format. The log files are located on a Syslog server, which receives Syslog messages from the Cisco PIX Firewall computer.
The data source works with the following log formats:
- <date/time> <facility>.<severity> <hostname> <message>
- <date>,<time>,<host>,<facility>,<severity>,<DateTime_generated>: <message>
An example of a message in the log is as follows:
%PIX-6-605005: Login permitted from 192.168.0.3/2629 to inside:192.168.0.1/https for user "enable_15"
The format depends on the syslogd daemon used and its settings. You may need to change the data source to suit your log format.
To configure gathering of the Cisco PIX Firewall log
- On the Cisco Firewall computer, configure sending of Syslog messages to a Syslog server, which will act as an intermediary computer. For detailed information about the settings, see Cisco PIX documentation.
- Install the InTrust agent on the Syslog server to gather the log. The agent is not required if the log files are located in a share on a Windows computer or an SMB share on a Unix computer.
- In InTrust Manager, edit the Cisco PIX data source. Specify the log file name and location; you can use regular expressions and wildcards.
If you want to gather without an agent, specify the path using the %COMPUTER_NAME% variable and a share name (\\%COMPUTER_NAME%\share_name).
- Make sure the “All Syslog servers for Cisco PIX firewalls” site includes the intermediary computer.
If the log is located in an SMB share on a Unix host, and you want to gather the log without an agent, you need to manually create a site under the Microsoft Windows Network node, and include the Unix computer in it. This is necessary because InTrust currently supports gathering from network shares only in Microsoft Windows Environment sites; this workaround makes InTrust aware of the share even though the processed computer is not actually running Windows.
- Schedule the “Cisco PIX Firewall log daily collection” task. Make sure the gathering job within this task uses the “Cisco PIX Firewall: All Events” gathering policy.
For agentless gathering from an SMB share on a Unix host, you need to create a separate gathering policy under the Gathering | Gathering Policies | Microsoft Windows Network node and use the policy in the gathering job instead of “Cisco PIX Firewall: All Events”. In this scenario, the Use agents to execute this job on target computers option must be turned off for the gathering job.
- Schedule the “Cisco PIX Firewall log weekly reporting” task. Configure the reporting job within this task to create the reports you need.
