
Forwarding Palo Alto Logs to Cyfin Syslog Server

The following steps are required to forward Palo Alto logs to Cyfin Syslog Server:

  • Create a syslog server profile.
  • Configure a log forwarding profile to select the logs to be forwarded to Cyfin Syslog Server.
  • Assign the log forwarding profile to security rules.

The logs that must be forwarded are the Threat logs with Informational severity. Informational Threat logs include URL Filtering, Data Filtering, and WildFire logs.

Syslog Server Profile

  1. In your Palo Alto Firewall user interface, go to Device – Server Profiles – Syslog.
  2. Click Add at the bottom of the screen.
  3. Enter the following information:
    • Name – Cyfin
    • Syslog Server – IP address of where Cyfin is installed
    • Transport – UDP
    • Port – 1455
    • Format – BSD
    • Facility – LOG_USER
  4. Click OK to save the server profile.
  5. Click Commit at the top of the screen to commit the change.


Log Forwarding Profile

  1. Go to Objects – Log Forwarding.
  2. Click Add to create a new log forwarding profile.
  3. Enter a Name to identify the profile.
  4. For each log type to be forwarded (Threat, URL, and Traffic), add a match list entry:
    • Select the Log Type from the list.
    • For Threat logs, select severity Informational in the Filter drop-down menu.
    • For URL logs, select severity Informational in the Filter drop-down menu.
    • For Traffic logs, leave the Filter setting at All Logs.
    • Under Syslog, click Add and select the syslog server profile created in the previous steps (e.g., Cyfin).
  5. Click OK to save the profile.
  6. Click Commit at the top of the screen to save and apply the changes.


URL Filtering Profile

A URL Filtering log entry is written only for categories whose Site Access is set to alert (or to a blocking action); a category set to allow passes the traffic without logging it. To get URL Filtering logs for allowed categories, change their Site Access from allow to alert in the URL Filtering profile that is attached to the rule:

  1. Go to Objects – URL Filtering – URL Filtering Profile.
  2. Select Categories – Site Access.
  3. Filter by “Allow.”
  4. Change “Allow” to “Alert” for each category listed.

Security Policy Rule

  1. Go to Policies – Security.
  2. Select the rule to which the log forwarding needs to be applied.
  3. Under Actions, in Profile Setting, attach the URL Filtering profile adjusted above to the rule.
  4. In the Log Forwarding drop-down field, select the log forwarding profile.
  5. Click OK.
  6. Click Commit at the top of the screen to commit the change.

By default, when Threat logs are forwarded to Cyfin Syslog Server, each log record carries several fields, including source IP address, destination IP address, and URL.

Now, you can configure Cyfin to write the forwarded Palo Alto log files to syslogYYYYXXXX.txt files. See Cyfin Configurations Steps for more information.
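To confirm that the firewall is sending what the profiles above are meant to send, the following added example (it is not part of this article or of the Cyfin product) decodes a PAN-OS BSD syslog line as it would arrive on UDP port 1455: it checks the syslog PRI against the LOG_USER facility selected in the server profile, splits the CSV body, keeps only THREAT/url records, and pulls out the source IP, destination IP, URL and category fields mentioned above. The field positions are an assumption taken from the PAN-OS Threat log field order, the hostname PA-220 and rule names are invented, and the sample lines are constructed rather than captured; verify the positions against your PAN-OS version.

```python
import csv
import io
import re
import socket
from dataclasses import dataclass

# Field positions in the PAN-OS Threat log CSV body, per the PAN-OS 8.x/9.x
# Threat log field order. ASSUMPTION: verify against the syslog field
# reference for the PAN-OS version actually in use.
F_TYPE, F_SUBTYPE, F_SRC, F_DST, F_USER = 3, 4, 7, 8, 12
F_ACTION, F_URL, F_CATEGORY, F_SEVERITY = 30, 31, 33, 34

LOG_USER = 1  # facility chosen in the server profile; PRI = facility*8 + severity

# BSD syslog header as PAN-OS emits it: <PRI>MMM dd hh:mm:ss hostname payload
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$"
)


@dataclass
class UrlHit:
    sender: str   # hostname from the syslog header
    src: str
    dst: str
    user: str
    action: str
    url: str
    category: str
    severity: str


def parse_url_hit(line):
    """Return a UrlHit for a PAN-OS THREAT/url record; None for anything else
    (other facilities, TRAFFIC/SYSTEM records, malformed lines)."""
    m = BSD_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    facility, _sev = divmod(int(m.group("pri")), 8)
    if facility != LOG_USER:
        return None
    fields = next(csv.reader(io.StringIO(m.group("body"))))  # URL may be quoted
    if len(fields) <= F_SEVERITY:
        return None
    if fields[F_TYPE] != "THREAT" or fields[F_SUBTYPE] != "url":
        return None
    return UrlHit(m.group("host"), fields[F_SRC], fields[F_DST], fields[F_USER],
                  fields[F_ACTION], fields[F_URL], fields[F_CATEGORY],
                  fields[F_SEVERITY])


def parse_lines(lines):
    """Parse many lines, dropping everything that is not a URL hit."""
    return [h for h in map(parse_url_hit, lines) if h is not None]


# Constructed sample traffic (not captured from a real firewall): one URL hit
# with a comma in the URL, one TRAFFIC record that must be skipped, and one
# line from another facility (daemon) that must be skipped.
SAMPLE_LINES = [
    '<14>Sep 11 10:02:03 PA-220 1,2023/09/11 10:02:03,012345678901,THREAT,url,'
    '2049,2023/09/11 10:02:03,10.1.20.15,93.184.216.34,0.0.0.0,0.0.0.0,'
    'Allow-Web,acme\\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,'
    'ethernet1/1,Cyfin-LFP,2023/09/11 10:02:03,12345,1,51234,443,0,0,0x8000,'
    'tcp,alert,"example.com/search?q=a,b",(9999),search-engines,informational,'
    'client-to-server,1234567,0x0,10.0.0.0-10.255.255.255,United States,0,text/html',
    '<14>Sep 11 10:02:04 PA-220 1,2023/09/11 10:02:04,012345678901,TRAFFIC,end,'
    '2049,2023/09/11 10:02:04,10.1.20.15,93.184.216.34,0.0.0.0,0.0.0.0,'
    'Allow-Web,acme\\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,'
    'ethernet1/1,Cyfin-LFP,2023/09/11 10:02:04,12345,1,51234,443,0,0,0x19,tcp,'
    'allow,2451,1234,1217,12,2023/09/11 10:01:58,6,search-engines,0,1234567,0x0',
    '<30>Sep 11 10:02:05 nas01 smbd[1234]: not a firewall log at all',
]


def serve(bind="0.0.0.0", port=1455):
    """Stand-in receiver: listen where Cyfin would and print each URL hit."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (peer, _) = sock.recvfrom(65535)
            hit = parse_url_hit(data.decode("utf-8", errors="replace"))
            if hit:
                print(f"{peer} {hit.src} -> {hit.dst} {hit.action} {hit.category} {hit.url}")


if __name__ == "__main__":
    for hit in parse_lines(SAMPLE_LINES):
        print(hit)
```

Run it with no arguments to parse the embedded sample; call serve() on a test host to listen on port 1455 in place of Cyfin while committing the Palo Alto changes. Note that the URL hit in the sample has action alert: a category left at allow produces no URL log at all, which is why the URL Filtering profile step below matters. Also keep in mind that UDP syslog is neither authenticated nor encrypted: anything that can reach UDP 1455 on the Cyfin host can inject lines (the facility check above is a sanity check, not authentication), so restrict that port to the firewall's address at the host firewall and keep the path on a management network.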


Reporting on cloud service activity

Providing a number of cloud service categories, CyBlock/Cyfin categorizes your cloud applications and services and allows you to assess their usage through cloud service reporting. Cloud service categories include Audio Streaming, Cloud Infrastructure, Cloud Storage, Collaboration, CRM, Development, File Sharing, HR, Personal E-Mail, Video Streaming, and VoIP Services.

On the Reports Selection page, in the Cloud Services Reports section, two report templates allow you to generate reports on only cloud service categories.

  • Cloud Services Detail
    • This is a low-level report that shows the specific URLs of cloud services by user, that is, visits to only the cloud service categories. It provides management with a complete view of every cloud service URL the user has clicked. This information can be used for cloud usage audits, identifying the most active users and the most heavily visited sites.
  • Cloud Services Summary
    • This is a high-level report that shows employee Web use of cloud services. It indicates by user the number of visits to sites in the cloud service categories. Information is presented by category and by individual user. The report can be used to identify cloud service usage patterns, better manage cloud subscriptions, and highlight abnormal activity.

How to resolve certificate-issued errors in browser

When attempting to go to a blocked secure site (HTTPS), users may experience any one of the following errors depending on the browser:

  • In Internet Explorer: There is a problem with this website’s security certificate.


  • In Chrome: Your connection is not private


  • In Firefox: Your connection is not secure


These certificate errors occur when the Wavecrest certificate is not installed on the client, in either of the following scenarios:

  1. SSL Inspection is not enabled, and the user is attempting to go to a blocked secure site.
  2. SSL Inspection is enabled, and the user is attempting to go to a blocked or allowed secure site.

In both cases the user does not receive the CyBlock blocking message for blocked secure sites. CyBlock can still send a standard HTTP blocking page in response, but that page is not part of the encrypted HTTPS connection the browser was setting up, so the browser ignores it and shows the certificate error instead.

To allow the blocking message to render properly for blocked secure sites, or to let users reach allowed secure sites with SSL Inspection enabled, the Wavecrest certificate must be installed on the CyBlock server and on all client machines. Once a browser trusts that certificate, CyBlock can present certificates for any HTTPS site to it, so distribute only the certificate (never its private key) to clients and restrict access to the CyBlock server that holds the key. More information and installation instructions can be found in the Wavecrest Certificate Installation Guide.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or support@wavecrest.net.

Configuring SonicWall Web traffic URLs for Cyfin syslog

The following information applies to versions earlier than SonicOS 6.2.6 Content Filtering Service (CFS) release 4.0.

In order to get SonicWall Web traffic URLs into the Cyfin syslog, the SonicWall Content Filtering Service must be enabled, and it must be enforced on the zone (typically LAN) whose traffic will be forwarded. To enable and enforce the service, follow the steps below:

  1. Log on to your SonicWall interface.
  2. Go to Security Services – Content Filter – Configure.
  3. Select the Log Access to URL box.
  4. Go to Network – Zones. Find the LAN zone and click Configure.
  5. Select the Enforce Content Filtering Service box.
  6. Apply all changes above.

To verify that the changes were made successfully, you can make a copy of the raw syslogs that are generated after the change. These files are in the write location of your Cyfin installation (default location is …Wavecrest\Cyfin\wc\cf\log). You should see files being written called syslogXXXXXXXX.txt, if you have already configured the Cyfin setup correctly.

Make a copy of the most recent file after the change, and use a text editor (Notepad++ works well) to open the file. Search for the fields dstname= and arg= to confirm that they exist. You can use Ctrl+F to find these strings. You may need to wait for a short time after making the changes for them to take effect.

Note:  If the log files are showing as invalid in Cyfin, see Unable to see Web site hits information in SonicWall for a possible resolution.
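The manual check above (open the newest syslog file and search for dstname= and arg=) can be scripted. The following added example is not part of this article or of Cyfin: it finds the newest syslog*.txt file in a directory given on the command line, parses each line's SonicWall key=value pairs (unquoting values such as msg="Web site access"), and counts how many lines carry dstname=, arg=, or both. The embedded sample lines are constructed in the SonicWall key=value style, not captured from an appliance, and their serial number, addresses and message IDs are invented.

```python
import glob
import os
import re
import sys

# SonicWall syslog records are space-separated key=value pairs; values that
# contain spaces are double-quoted (e.g. msg="Web site access").
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

REQUIRED_KEYS = ("dstname", "arg")  # the two fields Cyfin needs for URL reporting


def parse_kv(line):
    """Split one SonicWall syslog line into a dict, unquoting quoted values."""
    rec = {}
    for key, value in KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        rec[key] = value
    return rec


def check_lines(lines):
    """Count non-empty lines and how many carry dstname=, arg=, or both."""
    counts = {"lines": 0, "dstname": 0, "arg": 0, "both": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_kv(line)
        counts["lines"] += 1
        present = [k for k in REQUIRED_KEYS if k in rec]
        for k in present:
            counts[k] += 1
        if len(present) == len(REQUIRED_KEYS):
            counts["both"] += 1
    return counts


def latest_syslog_file(log_dir):
    """Return the most recently modified syslog*.txt file under log_dir."""
    files = glob.glob(os.path.join(log_dir, "syslog*.txt"))
    if not files:
        raise FileNotFoundError(f"no syslog*.txt files in {log_dir}")
    return max(files, key=os.path.getmtime)


def check_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_lines(fh)


# Constructed sample lines (not from a real appliance): the first two are the
# shape "Log Access to URL" produces, with dstname= and arg=; the third is an
# ordinary connection record that carries neither.
SAMPLE_LINES = [
    'id=firewall sn=0017C5AABBCC time="2023-09-11 10:02:03 UTC" fw=203.0.113.2 pri=6 '
    'c=1024 m=97 msg="Web site access" n=1234 src=10.1.20.15:51234:X0 '
    'dst=93.184.216.34:80:X1 dstname=example.com arg=/index.html code=0 '
    'Category="Search Engines and Portals"',
    'id=firewall sn=0017C5AABBCC time="2023-09-11 10:02:04 UTC" fw=203.0.113.2 pri=6 '
    'c=1024 m=97 msg="Web site access" n=1235 src=10.1.20.15:51235:X0 '
    'dst=93.184.216.34:443:X1 dstname=example.com arg=/search?q=a%20b code=0',
    'id=firewall sn=0017C5AABBCC time="2023-09-11 10:02:05 UTC" fw=203.0.113.2 pri=6 '
    'c=262144 m=98 msg="Connection Opened" n=1236 src=10.1.20.15:51236:X0 '
    'dst=93.184.216.34:443:X1 proto=tcp/https',
]


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # directory holding syslog*.txt
        path = latest_syslog_file(sys.argv[1])
        print(path)
        result = check_file(path)
    else:                                      # no directory given: use the sample
        result = check_lines(SAMPLE_LINES)
    print(result)
    if result["both"] == 0:
        print("no line carries both dstname= and arg=; CFS URL logging is not reaching Cyfin")
        sys.exit(1)
```

Point the script at the Cyfin log directory described above and check that the "both" count is non-zero. A file where "lines" is large but "both" stays at zero means syslog is arriving but CFS URL logging has not taken effect yet (or the zone is not enforcing the service), which is the case the Note above refers to.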


Reports Manager appears blank

If the Reports – Manager screen in Cyfin or CyBlock is blank, that is, there are no reports for you to select, the Reports Manager has most likely become corrupt.

To restore the Reports Manager, do the following:

  1. Go to Settings – Restore Points – Download.
  2. Click a date on which the Reports Manager was working to download that restore point.
  3. Save the restore point.
  4. Uncompress the restore point folder.
  5. In the uncompressed restore point, go to the reports directory:
    • For Cyfin: …\cf\reports
    • For CyBlock: …\cyblock\reports
  6. Copy the system folder from that directory.
  7. Stop the CyBlock or Cyfin service.
  8. Go into your local install folder for the product:
    • For Cyfin: …\Wavecrest\Cyfin\wc\cf\reports
    • For CyBlock: …\Wavecrest\CyBlock\wc\cyblock\reports
  9. Rename the local system folder in this directory (for example, to OLDsystem) so it is kept as a backup.
  10. Paste the system folder copied from the restore point.
  11. Start the CyBlock or Cyfin service.

After these steps, check your Reports – Manager screen to see that it is no longer blank. If it is, please contact Technical Support.

Web page or application will not load through CyBlock

When a Web page or application will not load, a few different causes are possible. Many such issues are caused by the site, or a content delivery network it depends on, being blocked under a different categorized site that is not the one the user is trying to reach. Below are the troubleshooting steps:

  1. Is a site being blocked by CyBlock?
    • Check the Real-Time Web Monitor for the IP address of the user in question, and make sure the Authentication Challenge Requests (407) and Authentication Type check boxes are selected.
    • Do any URLs appear in red? These are blocked URLs and must be allowed in one of your filter policies or white lists.
  2. If there are no blocked sites, check for any 407s in the Real-Time Monitor.
    • Copy the URLs that return 407s and add them on the User Management – Authentication – Bypass tab, with User Agent *.
    • Does the site now load?
  3. If the above steps have not helped, try another browser such as Firefox or Chrome.
    • Does it work with a browser other than Internet Explorer?
    • If it works in other browsers, Internet Explorer Compatibility View may be the cause.
    • Open Internet Explorer, go to Tools – Compatibility View settings, and clear the Display intranet sites in Compatibility View check box.
    • Does the Web page or application now load?

Blocking message displays wrong user ID

If the blocking message shows the wrong user ID and the user is on Windows 7, it is most likely a cached user ID issue.

Please check the following:

  • Open User Accounts by clicking the Start button, and selecting Control Panel and then User Accounts.
  • In the left pane, click Manage your credentials.
  • If the user has any entries under Windows Credentials, remove these stored/cached IDs.

Open a new browser, and the user should now be utilizing his normal Windows domain logon.

Group policy proxy settings with Windows Server 2008 R2

Windows Server 2008 R2 does not provide Group Policy settings to force Windows 7 (or any other Windows machine running Internet Explorer 9 or later) to use the proxy through the usual Internet Explorer Maintenance option. Below are helpful articles on how to achieve this with the Group Policy Preferences registry settings available in Server 2008 R2:

Log file setup for Check Point Syslog in Cyfin

In order to set up Check Point Syslog firewall logs in Cyfin, you must first obtain the CPLogToSyslog utility. Contact Check Point Support to request the hotfix that contains the utility. If you are running Check Point R77.30, the utility may not be needed; confirm with Check Point Support. The utility lets Check Point send its log data as syslog to a specified IP address and port. Forward the URL Filtering logs from Check Point to the Cyfin syslog server.

Once the CPLogToSyslog utility is installed, Check Point must be configured to have the syslog data pointed to an IP address and port. These will point to the Cyfin server’s IP address and port of choice (default port is UDP 514 for syslog). Once this part is completed in Check Point, you can then open Cyfin, go to Data Management – Log Data Source – Setup, and run through the Log Data Source Setup wizard. Select the Check Point Syslog log file type and the same port you chose in the Check Point setup.

Upon completing the Log Data Source Setup wizard, you should start to see data in the file “SyslogXXXXXXX.txt” in the log file directory that you chose in the wizard.

How to interpret cloud report dates/times for your time zone

In Wavecrest reports, dates and times are displayed in several places, such as in the Report Request Parameters–Current Date/Time, Report Start Date/Time, and Report Stop Date/Time. In addition, in Audit Detail reports, all hits including visits have a date and time associated with each URL that is displayed.

Cloud Customers

For cloud customers who are using a CyBlock Cloud instance that is not located in their local time zone, the dates/times in reports are specific to the time zone set in your cloud account, that is, the time zone in which your Web activity is occurring.

For example, suppose you are in Pacific Time, running a User Audit Detail report for the selection Previous 24 Hours, and going through central.cloud.cyblock.com, which is in Central Time. If Pacific Time is set in your cloud account, the URLs in the report carry your local time. So if the date is Sep 11 and your local time is 11:02 a.m., "Previous 24 Hours" covers Sep 10, 11:00:00 a.m. to Sep 11, 10:59:59 a.m. in Pacific Time, and the URL times span that period.

The dates and times in the report e-mail will also reflect the time zone set in your cloud account.

Hybrid Cloud Customers

For Hybrid cloud customers, reporting is based on your local CyBlock instance time. Reports will show all traffic as it occurred in the time zone of each of your cloud accounts for the same local CyBlock instance time. When running reports for all cloud accounts, managers can see traffic for all time zones at the same time and hour.

For example, if your local CyBlock instance time is Eastern Time, cloud Web activity is in Central Time and Mountain Time, and you are running a Site Analysis report for 10:00 a.m. for all configurations, the report will show 10:00 a.m. Central Time traffic and 10:00 a.m. Mountain Time traffic.
