Forcepoint Firewall
The following instructions are for configuring Forcepoint Firewall to facilitate log ingestion into Secureworks® Taegis™ XDR.
Forcepoint Firewall event types normalized by XDR include:
- Authentication
- Browser-Based User Authentication
- DHCP Relay
- Inspection
- Packet Filtering
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Forcepoint Firewall | Taegis™ XDR Collector (mgmt IP) | UDP/514 |
Syslog over UDP/514 is neither encrypted nor acknowledged: keep the path between the firewall and the collector on a trusted management network, and confirm delivery by searching for the events in XDR rather than by the absence of send errors on the firewall.
Data Provided from Integration
Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
---|---|---|---|---|---|---|---|---|---|---|---|
Forcepoint Firewall | D | Y | D | D | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the Forcepoint Firewall Platform
Configure Syslog Header
Follow the instructions in the Configuration Options for the Syslog Header section of the Forcepoint documentation to configure the Syslog header.
- Set `SYSLOG_COMPLETE_HEADER=true`
Configure Log Forwarding
Follow the instructions in the Configuring log and audit data forwarding section of the Forcepoint documentation to configure log forwarding.
Enter the following information:
Option | Required Value |
---|---|
Target Host | XDR Collector (mgmt IP) |
Service | UDP |
Port | 514 |
Format | CEF |
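With both settings in place the firewall emits CEF payloads behind a full syslog header (PRI, timestamp and hostname). The following is an added example, not Secureworks or Forcepoint code: it parses lines of that shape, rejects a line whose syslog header is missing (the symptom of `SYSLOG_COMPLETE_HEADER` left at its default), and can push a constructed event to the collector over UDP/514 to check the network path before waiting on the real firewall. The sample lines, the Forcepoint vendor/product/signature values in them and the exact header layout are assumptions made for illustration.

```python
"""Parse and sanity-check CEF-over-syslog events of the kind this
integration forwards, and optionally send one to the collector.

Added example, not Secureworks or Forcepoint code. The sample lines, the
Forcepoint field values in them and the exact syslog header layout are
constructed assumptions for illustration only.
"""
import re
import socket

# Constructed samples (not captured from a real device). PRI 134 = local0/info.
SAMPLE_COMPLETE = (
    "<134>Jun 12 10:15:32 smc-logserver "
    "CEF:0|Forcepoint|NGFW|6.10|70018|Connection_Allowed|1|"
    "src=10.19.50.23 dst=203.0.113.7 spt=51234 dpt=443 proto=6 act=Allow "
    "cs1Label=Rule cs1=Web\\=Allow msg=Packet Filtering"
)
# Same payload as it would arrive with the syslog header missing.
SAMPLE_NO_HEADER = (
    "CEF:0|Forcepoint|NGFW|6.10|70018|Connection_Allowed|1|"
    "src=10.19.50.23 dst=203.0.113.7"
)

# Assumed shape with SYSLOG_COMPLETE_HEADER=true: <PRI>Mon dd HH:MM:SS host CEF:...
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<cef>CEF:.*)$",
    re.DOTALL,
)
# Extension keys are separated from the previous value by a space; values
# may themselves contain spaces, so split only in front of "key=".
_EXT_KEY_RE = re.compile(r" (?=[A-Za-z0-9_.]+=)")
_CEF_HEADER = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")


def _split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for _unescape
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    # Undo CEF escaping in one pass: \| \= \\ become the literal character,
    # \n and \r become line breaks.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(cef_text):
    """Parse 'CEF:0|Vendor|Product|Version|SigID|Name|Severity|ext' into dicts."""
    if not cef_text.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields = _split_unescaped(cef_text[4:], "|")
    if len(fields) < 8:
        raise ValueError("CEF header has %d fields, expected 8" % len(fields))
    header = {k: _unescape(v) for k, v in zip(_CEF_HEADER, fields[:7])}
    # Pipes inside the extension are legal unescaped, so re-join the tail.
    extension = "|".join(fields[7:])
    ext = {}
    for token in _EXT_KEY_RE.split(extension):
        key, _, val = token.partition("=")
        if key:
            ext[key] = _unescape(val)
    return {"header": header, "extension": ext}


def parse_syslog_cef(line):
    """Parse one forwarded line; fail loudly if the syslog header is absent."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("missing syslog header: is SYSLOG_COMPLETE_HEADER=true?")
    pri = int(m.group("pri"))
    rec = parse_cef(m.group("cef"))
    rec["syslog"] = {"facility": pri >> 3, "severity": pri & 7,
                     "timestamp": m.group("ts"), "host": m.group("host")}
    return rec


def send_test_event(line, collector_ip, port=514):
    """Send one event to the collector over UDP/514 and return bytes sent.

    UDP syslog is unauthenticated and unacknowledged: a successful send proves
    only that the packet left this host. Confirm arrival with an XDR search.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (collector_ip, port))


if __name__ == "__main__":
    rec = parse_syslog_cef(SAMPLE_COMPLETE)
    print(rec["syslog"]["host"], rec["header"]["name"], rec["extension"]["src"])
    try:
        parse_syslog_cef(SAMPLE_NO_HEADER)
    except ValueError as err:
        print("rejected:", err)
```

To exercise the collector path, call `send_test_event(SAMPLE_COMPLETE, "<collector mgmt IP>")` from a host on the same management network as the firewall, then look for the constructed event in XDR; a parse failure on a line captured from the real firewall (for example with tcpdump on the collector) is the quickest way to see that the syslog header setting was not applied.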
Example Query Language Searches
To search for Forcepoint Firewall events from the last 24 hours:
WHERE sensor_type = 'FORCEPOINT_FIREWALL' and EARLIEST=-24h
To search for auth events associated with user "foo":
FROM auth WHERE sensor_type = 'FORCEPOINT_FIREWALL' and source_user_name = 'foo'
To search for http events associated with a specific source IP address:
FROM http WHERE sensor_type='FORCEPOINT_FIREWALL' AND source_address = '10.19.50.23'
To search for Inspection events:
FROM thirdpartyalert WHERE sensor_type='FORCEPOINT_FIREWALL'