Administration Archives - Page 5 of 14 - Wavecrest Knowledge Base

Configuring log forwarding from Palo Alto Panorama to Cyfin Syslog Server

With your firewalls already forwarding logs to Panorama, the high-level steps to forward Palo Alto Panorama logs to Cyfin Syslog Server include the following:

Configure the server profile that defines how Panorama and Log Collectors connect to the external service, that is, Cyfin Syslog Server.
Assign the server profile to the log settings of Panorama and to Collector Groups.

STEP 1: Configure a server profile for Cyfin Syslog Server that will receive log information.

Select Panorama – Server Profiles and select Syslog.
Configure the syslog server profile.

STEP 2: Configure destinations for:

Logs that the Panorama management server and Log Collectors generate.
Firewall logs that a Panorama virtual appliance in Legacy mode collects.

Select Panorama – Log Settings.
Add one or more match list profiles for each log type.

The profiles specify log query filters, forwarding destinations, and automatic actions such as tagging. For each match list profile:

1. Enter a Name to identify the profile.
2. Select the Log Type.
3. In the Filter drop-down field, select Filter Builder. Specify the following and then Add each query:
  - Connector logic (and/or)
  - Log Attribute
  - Operator to define inclusion or exclusion logic
  - Attribute Value for the query to match
4. Add the server profile you configured for Cyfin Syslog Server.
5. Click OK to save the profile.

STEP 3: Configure destinations for firewall logs that Log Collectors receive.

Select Panorama – Collector Groups and edit the Collector Group that receives the firewall logs.
Select Collector Log Forwarding and see step Add one or more match list profiles for each log type above.
Click OK to save your changes to the Collector Group.

STEP 4: Commit and verify your configuration changes.

Select Commit – Commit and Push to commit your changes to Panorama and push the changes to device groups, templates, and Collector Groups.
Verify that Cyfin Syslog Server is receiving the log information in one of the following ways:
- In the log folder, check for the syslog.txt file.
- In Cyfin, go to Data Management – Log Data Source – Viewer to check for syslog.txt.

Additional Resources:

Updated steps from Palo Alto: Configure Log Forwarding Panorama

Wavecrest video on setting up Cyfin Syslog: Cyfin Syslog setup video

Black screen appears when starting Cyfin VM

Category: Administration

When starting the Cyfin virtual machine, a black screen may appear and the VM will not start. This may be due to the video setting on the VM. Ensure that “3D Acceleration” is disabled and then try to restart the VM.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

E-mailing reports with an Office 365 account

Category: Administration, Reporting

If the administrator’s e-mail address is an Office 365 account and you are experiencing an issue when e-mailing a report from Reports – Manager, Option 2 in the following article may resolve the issue:

How to set up a multifunction device or application to send email using Office 365

In the Step-by-step instructions for direct send section of the article, note the MX record POINTS TO ADDRESS value, and enter it in the Server Name field on the Settings – E-Mail screen in the product. Run the report again with the E-Mail Report Delivery option.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Excluding Office 365 URLs from reports

Category: Administration, Reporting

If Office 365 URLs are showing in the Personal E-Mail category in reports and you want to exclude them from the reports, run a Category Audit Summary report to identify the specific Office 365 URLs. Use these URLs in one of the following ways to exclude them from reports.

Add URLs to a custom category

Go to Categorization – Customize – URLs to create a custom category.
Add the Office 365 URLs to be excluded to the custom category and submit your change.
Go to Categorization – Customize – Categories and set the custom category to “Off.”
Submit your change. The URLs should no longer appear on reports for new log files.

Note: Imported data is not affected, that is, the URLs will still show from previously imported data. You may delete and reimport the data to exclude these URLs.

Add URLs to PAC file exceptions (CyBlock)

Go to Settings – Proxy – PAC File.
Under IP/Domain Exceptions, add the Office 365 URLs that you want to exclude from going through the proxy.
The URLs will be excluded from Web traffic and hence, not appear on reports.

Add URLs to browser exceptions

Internet Explorer
- Go to Tools – Internet options – Connections – LAN settings.
- If Internet Explorer is configured to go through the proxy, the Use a proxy server for your LAN check box may already be selected.
- Click Advanced.
- In the Exceptions box, enter the URLs to exclude.
Chrome (uses system settings by default)
- At the top-right of the browser, click the Customize and control Google Chrome icon and select Settings.
- At the bottom, click Show advanced settings…
- Scroll down to Network and click Change proxy settings…
- Click LAN settings and follow the instructions for Internet Explorer above.
Firefox
- At the top-right of the browser, click the Open menu icon and select Options.
- Go to Advanced – Network – Connection and click Settings.
- If Firefox is configured to go through the proxy, the Manual proxy configuration option may already be selected.
- In the No Proxy for box, enter the URLs to exclude.
- Alternately, if you already have proxy settings configured in Internet Explorer, you can select Use system proxy settings.

Cyfin VM support

Category: Administration

For the Cyfin VM deployment, the .ova files were created with VMware. Cyfin VM supports ESXi 6.0, ESXi 5.5, and ESXi/ESX 4.x. Ensure your hardware is compliant with the VMware requirements for your particular solution for optimal performance and reliability.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Selecting a Dashboard database

Category: Administration, Data Manager

This information applies to version 9.2.8 and earlier.

The default Dashboard (high-level) database is Derby. However, if you have over 2,500 users, we recommend that you use SQL Server. The latest version, SQL Server 2016, is supported.

Supporting Chromebooks

Category: Administration

The operating system, Chrome OS 57, is supported and works with CyBlock and Cyfin. This operating system is used on Chromebooks.

For CyBlock, you can set the proxy in a Chromebook’s network connection settings in one of the following two ways:

Click the panel in the bottom-right corner of your Chrome OS desktop, and select Settings.
- See How to Configure a Proxy Server on a Chromebook for more information.

In the Chrome browser window, in the top-right, click the Customize and control Google Chrome icon and then select Settings. See How to manually configure proxy settings in browser for configuring the Chrome browser.

Unable to see Web site hits information in SonicWall

Category: Administration, Log File Compatibility

In SonicWall, if the Content Filtering Service (CFS) is enabled, but the log file is not receiving Web traffic data and therefore not showing as valid in Cyfin, then you need to check the Priority setting for “Syslog Website Accessed.”

Go to Log – Settings and set the Logging Level field to “Inform.”

Then under Category, go to Log – Syslog – Syslog Website Accessed.

Adjust the priority to match the selected logging level.

The log file should now receive Web traffic data and show as valid in Cyfin.

What are the log file fields needed by Cyfin?

Category: Administration, Log File Compatibility

Cyfin needs certain log file fields to process your logs. The following log file fields are required:

Date/Time
URL – If the file contains the protocol, domain/host name, and path separately, the URL can be created from these fields.
IP Address

In addition, the following optional fields are optimal for more detailed reporting:

User
Size/Bytes
Reason/Status

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Signing in to iTunes causes verification error with Apple ID server

Category: Administration

When signing in to your iTunes app, you may encounter the following verification error:

There was an error connecting to Apple ID server.

To resolve this issue, do the following:

In CyBlock, go to Settings – SSL Inspection.
In the Domain Exceptions list, add the domain *.apple.com

If you continue to get this error, add the following bypass entry:

On the User Management – Authentication – Bypass tab, click the green button .
Enter the following:
- URL or Domain = *
- User-Agent = iTunes (unknown version) CFNetwork/*
Click the Add button.

You should no longer be getting the connecting error when attempting to sign in to your iTunes app.