Log Manager for NetScreen Firewalls (Legacy)

Release Notes

Date Published: May 2009

 
 

 

Log Manager for Firewalls collects events from logs and stores them in secure repositories so you can archive this data, create reports for management or auditing purposes, and analyze critical events to research issues. Log Manager for Firewalls collects all syslog messages you configure the NetScreen device to send.

Supported Products

This release supports the following products:

  • NetScreen firewalls with ScreenOS 5.x
  • NetScreen firewalls with ScreenOS 6.x

Return to Top

Why Install This Module?

Log Manager for Firewalls provides the following important new capabilities:

  • Adds support for NetScreen ScreenOS 6.x
  • Adds support for VPN Traffic
  • Improves usability of rules and views

Improvements are made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

Return to Top

System Requirements

The following table lists additional requirements for a Windows agent monitoring NetScreen Firewalls. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Category Requirement
Processor 1.5 GHz Intel Pentium III or equivalent.
Memory 40 MB minimum. The amount of memory usage varies and depends on the environment, including event rate and other factors. Memory use for a Windows agent monitoring NetScreen Firewall could reach 256 MB or higher.
Operating System All supported Windows agent platforms.
Software
  • Ensure you have Security Manager 6.0 or later installed.
  • Ensure you have Security Manager Self-monitoring version 6.0 or later installed.
  • A Windows agent can monitor one or more NetScreen firewalls. For more information about the number of instances one agent can support, see the NetIQ Security Manager Knowledge Base article NETIQKB51404 at www.netiq.com/support/sm/.
  • If the NetScreen device and the agent are separated by a firewall, ensure the firewall allows syslog data through.
  • Install each Windows agent on a subnet as physically close to the firewall as possible. Fewer network hops provide better performance.
  • Use a unique agent for each platform sending syslog events. For example, use separate agents to monitor NetScreen and Snort.
  • Install the Windows agent with NetScreen support on a separate computer from the database server or central computer.

Return to Top

Installing This Module

You can install this module using the Module Installer. After you install the module, run the Configuration Wizard to configure the module. For more information about how to follow the Configuration Wizard, click the Help icon in the lower left of the wizard.

Return to Top

Configuring the Agent

Add the name and IP address of the NetScreen firewall device to the Hosts file on the Windows agent computer. For more information about the Hosts file, see the Windows documentation.

Return to Top

Configuring the NetScreen Firewall Device

NetScreen firewalls require configuration before Event Manager or Log Manager can begin monitoring or collecting data from them. Configure each NetScreen firewall device to forward syslog messages to the Windows agent acting as the proxy agent.

To configure support for NetScreen:

  1. Configure the NetScreen firewall to send syslog messages to the Windows agent.

    If you want to receive traffic messages on your Windows agent, turn on Syslog Traffic Messaging.

    You will receive a large number of messages with this option. Security Manager stores them for log analysis, but does not report them as they occur.

  2. Configure the NetScreen firewall to report only the messages with the severity you want to monitor. For example, debug messages should normally be disabled due to the high number of messages created when debug messages are reported.
  3. On the NetScreen device, disable syslog VPN and enable Syslog.
  4. If your NetScreen syslog messages have a time stamp, ensure the time stamp has a year, month, day, hour, minutes, and seconds in the format YYYY-MM-DD-hh-mm-ss.
  5. Note
    If your NetScreen syslog messages do not have a time stamp in the right format, Security Manager uses the local time of the agent for the log message time.

Return to Top

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Configuration Not Preserved After Upgrade

In some environments, configuration information is not maintained after you upgrade to this release. After you upgrade, run the configuration wizard and verify all information.

Previous Data Not Formatted Correctly in Forensic Report

With this release, Security Manager records data differently than in previous releases. Reports in this release do not properly display data gathered using the old structure. When you perform a forensic query, only use data gathered using this release.

Provider Configuration Not Preserved after Upgrade

In some environments, provider properties are not maintained after you upgrade to this release. If you must customize the provider properties, re-enter the changes after you upgrade. For information about provider properties, see the Security Manager documentation.

Rules Not Upgraded

In some environments, rules provided with this version will not properly install when you grade. The old rule will not work after upgrade. If you see this issue, contact NetIQ Technical Support for assistance in resolving the issue.

Return to Top

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

Return to Top

Legal Notice

Return to Top