
Forcepoint Firewall



The following instructions are for configuring Forcepoint Firewall to facilitate log ingestion into Secureworks® Taegis™ XDR.

Forcepoint Firewall event types normalized by XDR include:

Connectivity Requirements

Source               Destination                       Port/Protocol
Forcepoint Firewall  Taegis™ XDR Collector (mgmt IP)   UDP/514

Syslog over UDP/514 is neither encrypted nor authenticated, so keep this path on the management network shared by the firewall and the collector rather than routing it across untrusted segments.

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Forcepoint Firewall   D Y         D   D     V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Forcepoint Firewall Platform

Configure Syslog Header

Follow the instructions in the Configuration Options for the Syslog Header section of the Forcepoint documentation to configure the Syslog header.

Configure Log Forwarding

Follow the instructions in the Configuring log and audit data forwarding section of the Forcepoint documentation to configure log forwarding.

Enter the following information:

Option        Required Value
Target Host   XDR Collector (mgmt IP)
Service       UDP
Port          514
Format        CEF
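Once forwarding is configured, the quickest way to confirm the firewall is sending what the collector expects is to capture a few datagrams on the collector's UDP/514 (for example with tcpdump) and check that each one carries a syslog header followed by a CEF record. The script below is an added example, not code from Secureworks or Forcepoint: it parses a syslog-prefixed CEF line according to the CEF header and escaping rules, flags the problems you would see if the syslog header or the CEF format option were left unset, and can fire a single test datagram at the collector. The sample line, its vendor/product/version strings, signature ID and field values are constructed for illustration, and the collector address passed to send_test_datagram is a placeholder.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample, not a real Forcepoint record: an RFC 3164-style syslog
# header (PRI, timestamp, hostname) followed by a CEF record. Every value here
# is illustrative; the escaped "\=" in msg exercises the CEF escaping rules.
SAMPLE_LINE = (
    "<134>Jan 12 10:15:32 fw-edge01 CEF:0|Forcepoint|Firewall|6.10|70018|"
    "Connection_Discarded|5|src=10.19.50.23 spt=51234 dst=203.0.113.9 dpt=443 "
    "proto=TCP act=Discard msg=Rule 3.2 matched\\=deny"
)

# The seven pipe-delimited fields that open every CEF record.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    syslog_header: str   # everything before "CEF:" (PRI, timestamp, hostname)
    header: dict         # the seven CEF header fields, keyed by HEADER_FIELDS
    extension: dict      # key=value pairs from the extension part


def _unescape(value: str) -> str:
    # CEF escapes: "\|" in header fields, "\=" in extension values, "\\" in both.
    return re.sub(r"\\([\\|=])", r"\1", value)


def _split_header(record: str):
    # Split on pipes that are not backslash-escaped; only the first seven
    # pipes delimit fields, the remainder is the extension and may contain
    # unescaped pipes of its own.
    parts = re.split(r"(?<!\\)\|", record, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return parts[:7], parts[7]


def _parse_extension(ext: str) -> dict:
    # A new key starts only where a space is followed by "token="; an escaped
    # "\=" inside a value does not qualify, so values may contain spaces.
    fields = {}
    for chunk in re.split(r" (?=[\w.-]+=)", ext.strip()):
        key, _, val = chunk.partition("=")
        fields[key] = _unescape(val)
    return fields


def parse_cef_line(line: str) -> CefEvent:
    """Parse one syslog+CEF line as received on UDP/514."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF record in line; check that Format is set to CEF")
    header_parts, ext = _split_header(line[idx + len("CEF:"):])
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, header_parts)}
    return CefEvent(line[:idx].rstrip(), header, _parse_extension(ext))


def check_line(line: str) -> list:
    """Return the problems found in a captured line; an empty list means it
    carries the syslog header and CEF record the collector expects."""
    problems = []
    if not re.match(r"^<\d{1,3}>", line):
        problems.append("missing syslog PRI header; check the syslog header configuration")
    try:
        ev = parse_cef_line(line)
    except ValueError as exc:
        return problems + [str(exc)]
    if ev.header["version"] != "0":
        problems.append(f"unexpected CEF version {ev.header['version']!r}")
    sev = ev.header["severity"]
    if not (sev.isdigit() and 0 <= int(sev) <= 10):
        problems.append(f"severity {sev!r} is not an integer in 0-10")
    if not ev.header["device_vendor"] or not ev.header["device_product"]:
        problems.append("device vendor/product fields are empty")
    return problems


def send_test_datagram(line: str, collector_ip: str, port: int = 514) -> None:
    """Send one UDP datagram to the collector; confirm arrival with a capture
    on the collector side. collector_ip is a placeholder you supply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode(), (collector_ip, port))


if __name__ == "__main__":
    event = parse_cef_line(SAMPLE_LINE)
    print(event.header)
    print(event.extension)
    print("problems:", check_line(SAMPLE_LINE))
```

Feed check_line the payloads from your capture rather than the constructed sample; a non-empty result points at the Forcepoint-side option (syslog header or Format) that still needs attention before XDR will normalize the events.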

Example Query Language Searches

To search for Forcepoint Firewall events from the last 24 hours:

WHERE sensor_type = 'FORCEPOINT_FIREWALL' and EARLIEST=-24h

To search for auth events associated with user "foo":

FROM auth WHERE sensor_type = 'FORCEPOINT_FIREWALL' and source_user_name = 'foo'

To search for http events associated with a specific source IP address:

FROM http WHERE sensor_type='FORCEPOINT_FIREWALL' AND source_address = '10.19.50.23'

To search Inspection events:

FROM thirdpartyalert WHERE sensor_type='FORCEPOINT_FIREWALL'
