Sophos Firewall Configuration

Modified on Mon, 08 Apr 2024 at 01:48 PM

1.0 Overview

This document provides the steps to integrate your Sophos Firewall with ARIA so that you gain comprehensive visibility and proactive threat detection in your environment. Logs are transferred from your firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). The steps below cover syslog forwarding and NetFlow export.


2.0 System Configuration

You can configure the Sophos Firewall to send syslog messages to the ARIA CCE by following the instructions below. 


2.1 Log in to the Webadmin GUI of the Sophos XG Firewall and go to System services.



2.2 Select Log settings and click Add to configure a Syslog server.


2.3 Specify the settings that will be used to send logs to the ARIA CCE VM.


2.3.1 Enter a name for the CCE VM.


2.3.2 Enter the IP address of your CCE VM. The firewall sends its syslog messages to this address.


2.3.3 Enter port number 514. The firewall sends its syslog messages to the CCE VM on this port.


2.3.4 Select the Facility from the available options. The facility is defined by the syslog protocol and tells the CCE VM which subsystem produced a log message. You can assign different facilities to different devices so that the CCE can tell apart messages that come from each device.

  • DAEMON (Default): Information on the services running in the device as a daemon. 
  • KERNEL: Kernel log. 
  • LOCAL0 - LOCAL7: Log level information. 
  • USER: Logging based on users who are connected to the Server. 


2.3.5 Select the Severity Level from the available options. The severity level is the severity of the generated message. The firewall forwards all messages with a severity equal to or greater than the level you select. For example, selecting Error forwards all messages tagged Error as well as those tagged Critical, Alert, and Emergency. Selecting Debug forwards all messages.

  • Emergency (Default): The system is unusable.
  • Alert: Action must be taken immediately. 
  • Critical: Critical problem/error. 
  • Error: An Error has occurred.
  • Warning: Warning of a problem/error. (Please select this one for CCE VM). 
  • Notification: Normal, but significant. 
  • Information: Informational. 
  • Debug: Debug-level messages.


2.3.6 Select the Format from the available options. Note: the firewall can currently only produce logs in its standard format.


2.4 Click Save to save the configuration. 




2.5 Specify the log types that will be sent to the CCE VM. Go to System Services > Log Settings and scroll down to Log settings. Under the name of your ARIA CCE VM, select all the logs to be sent.
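To see what the settings in 2.3.4 and 2.3.5 mean on the receiving side, here is an added example (not part of this article or of the ARIA product) that decodes the syslog PRI header into facility and severity, parses the firewall's key=value standard format, and applies the "equal to or greater than the selected level" rule. The sample lines are constructed for the demo and only approximate the firewall's standard format; the field names in them are assumptions.

```python
import re

# Syslog facility codes (RFC 3164 / RFC 5424 PRI encoding) for the options the
# Sophos Log settings page offers; PRI = facility * 8 + severity.
FACILITIES = {0: "KERNEL", 1: "USER", 3: "DAEMON",
              **{16 + i: f"LOCAL{i}" for i in range(8)}}

# Severity names in the order the firewall lists them; index == syslog severity code.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notification", "Information", "Debug"]

# Standard-format bodies are key=value pairs; values may be double-quoted,
# and quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines approximating the firewall's standard format
# (field names are assumptions, not copied from a real export).
SAMPLE_LINES = [
    '<30>device="SFW" date=2024-04-08 time=13:48:00 timezone="UTC" '
    'device_name="XG-LAB" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" priority=Information '
    'src_ip=10.0.0.5 dst_ip=93.184.216.34 dst_port=443',
    '<28>device="SFW" date=2024-04-08 time=13:48:01 timezone="UTC" '
    'device_name="XG-LAB" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Denied" status="Deny" priority=Warning '
    'src_ip=10.0.0.9 dst_ip=198.51.100.7 dst_port=23',
]


def decode_pri(pri):
    """Split a PRI value into (facility_code, severity_code)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_sophos_syslog(line):
    """Decode the <PRI> header and the key=value body of one forwarded line."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line)
    if not m:
        raise ValueError("line has no <PRI> header")
    facility_code, severity_code = decode_pri(int(m.group(1)))
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group(2)):
        fields[key] = bare if bare else quoted
    return {
        "facility": FACILITIES.get(facility_code, f"facility{facility_code}"),
        "severity": SEVERITIES[severity_code],
        "severity_code": severity_code,
        "fields": fields,
    }


def passes_threshold(severity_code, selected_level):
    """Mirror the firewall rule: forward messages at or above the selected
    severity. Lower codes are more severe, so Warning (4) admits codes 0..4."""
    return severity_code <= SEVERITIES.index(selected_level)


def filter_for_cce(lines, selected_level="Warning"):
    """Parse lines and keep those the firewall would forward at this setting."""
    kept = []
    for line in lines:
        rec = parse_sophos_syslog(line)
        if passes_threshold(rec["severity_code"], selected_level):
            kept.append(rec)
    return kept


if __name__ == "__main__":
    for rec in filter_for_cce(SAMPLE_LINES, "Warning"):
        f = rec["fields"]
        print(rec["facility"], rec["severity"], f["status"],
              f["src_ip"], "->", f["dst_ip"], f["dst_port"])
```

With the Warning level recommended in 2.3.5, only the second sample line (PRI 28, DAEMON/Warning) is kept; selecting Debug keeps both. If the CCE receives nothing, checking the PRI of a captured line against the configured facility and severity is a quick way to tell a threshold problem from a network one.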


3.0 Netflow Configuration 

You can configure the Sophos Firewall to send NetFlow records to the ARIA CCE VM by following the instructions below.


3.1 Log in to the Webadmin GUI of the Sophos XG Firewall.


3.2 Navigate to Administration > Netflow. 



3.3 In the Netflow section, complete the following fields:

  • Server Name: Enter a name for the CCE VM.
  • Netflow Server IP/Domain: Enter the IP address of the CCE VM.
  • Netflow Server Port: Use port 9995 for the CCE VM.


Note: Only traffic matched by firewall rules that have Log firewall traffic enabled is exported to the CCE VM.


3.4 Click Apply.




A message confirms that the NetFlow configuration has been saved successfully.
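As an added example of what arrives on port 9995 (not code from this article or from ARIA), the following decodes a NetFlow v5 datagram into per-flow records and totals bytes per internal source. The article does not state which NetFlow version the firewall exports, so v5 is an assumption here; the sample flows and the datagram builder are constructed for the demo only.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample flows standing in for what a firewall rule with
# "Log firewall traffic" enabled would export (values invented for the demo).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "93.184.216.34", "sport": 51000, "dport": 443,
     "proto": 6, "pkts": 120, "bytes": 150000, "in_if": 1, "out_if": 2},
    {"src": "10.0.0.9", "dst": "198.51.100.7", "sport": 40001, "dport": 53,
     "proto": 17, "pkts": 2, "bytes": 300, "in_if": 1, "out_if": 2},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 51002, "dport": 22,
     "proto": 6, "pkts": 10, "bytes": 2000, "in_if": 1, "out_if": 2},
]


def build_v5_datagram(flows, sys_uptime_ms=100000, unix_secs=1712584080, seq=1):
    """Fabricate a v5 export datagram from the sample flows (demo helper only;
    a real CCE receives these bytes from the firewall on UDP port 9995)."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for i, f in enumerate(flows):
        body += V5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            socket.inet_aton("0.0.0.0"),          # next hop unknown
            f["in_if"], f["out_if"], f["pkts"], f["bytes"],
            sys_uptime_ms - 5000 * (i + 1),       # flow start (sysuptime ms)
            sys_uptime_ms - 1000 * (i + 1),       # flow end
            f["sport"], f["dport"], 0, 0x18, f["proto"], 0,
            0, 0, 24, 24, 0)
    return header + body


def parse_v5_datagram(data):
    """Validate the header and decode every record; raise on malformed input
    so a bad or truncated datagram never yields partial flow records."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = \
        V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad, flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "pkts": pkts, "bytes": octets,
            "duration_ms": last - first, "tcp_flags": flags,
        })
    return {"sequence": seq, "export_time": secs, "flows": flows}


def bytes_by_source(flows):
    """Aggregate exported bytes per source address, largest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    parsed = parse_v5_datagram(build_v5_datagram(SAMPLE_FLOWS))
    for f in parsed["flows"]:
        print(f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} "
              f"{f['proto']} {f['bytes']}B")
    print(bytes_by_source(parsed["flows"]))
```

The length check matters on a collector: a datagram whose record count disagrees with its size is rejected outright rather than partly decoded. Gaps in the header's sequence number between consecutive datagrams are the usual sign that exports are being dropped on the way to the CCE.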
