Run report to view attempted access to firewall
I'm pretty new to RSA, but have a quick question. I'm curious as to how I can run a report to pull attempts to the firewall and also I'm having trouble viewing any type of vulnerabilities to the system. Thanks in advance, as I stated I'm new to the product.
Usually Firewall logs are stored in the Firewall family of tables, or only in the Firewall table if your device is a content 2.0 one. First, you need to make sure that the messages you are interested in are parsed correctly by enVision, and then you can run the report based on event categories, message IDs or certain variables in the messages.
You first have to know the exact messageID or EventID to filter on. What worked for me is...
1 - work out what table to query for your device
- to do this select 'manage messages to parse' from Overview\system configuration\messages
- select the firewall device, there will be a number of tables - take a note of these.
2 - generate some logon, logoff, failed attempts on the firewall - these will be sent to enVision.
3 - on enVision select 'create new query' from Analysis\query
- in 'select table to query' use the ones that you made a note of earlier
- select a device group of your firewall
- use a time range that will ensure your login traffic is selected and not much else
4 - now you will manually have to check through the page(s) of results and look for 'operation' of login or other 'information' that shows the info you want.
5 - use the same table if you are creating a report for these events too