AhnLab TrusGuard Series
To add an AhnLab TrusGuard Series device, complete the following steps.
Step 1: Configure the Device
FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.
- On the TrusGuard Series device, you will add an administrator account for the data collector. Note, this account is for passive data collection only. Security Manager will never attempt to make changes on your devices.
- Select All for Permission, which grants full permissions of both read and write to the created administrator account.
- To allow access to TrusGuard, the IP address of the data collector must be registered. Access from IP addresses that are not registered in the Administrative IP address is denied.
- Register the IP range to allow access to TrusGuard.
- Add a log server to transfer syslog data from TrusGuard to the data collector. Specify the following settings:
- Log Server IP: type the IP address of the Data Collector and then click Add.
- Port: enter the default port number of 514.
- Event Log: select whether to record the event logs.
- Logging Level: select Information.
- Security Log: select which types of security logs to record.
- Firewall Policy Log: select which types of firewall policy logs to record.
- VPN Log: select which types of VPN logs to record.
- Transfer Method: select Normal Transfer.
Step 2: Onboard the Device in the Administration Module
Contact FireMon Support to receive a specific device pack (a .jar file) if it was not included in the FMOS GA release. Review the steps to upload a device pack.
After onboarding, if you change any device settings, confirm that those updates were automatically applied to the discovered devices.
- On the toolbar, click Device > Devices.
- Click Create, and then click AhnLab > TrusGuard Series.
- General Properties section.
Caution! To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.
- In the Name box, type the name of the device as you want to see it in SIP.
- In the Description box, type an optional description of the device being added.
- In the Management IP Address box, type the IP address of the device.
- In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
- In the Central Syslog Server box, select the syslog server from the list (optional).
Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.
- In the Syslog Match Name box, type the syslog match name (optional).
- By default, the Automatically Retrieve Configuration checkbox is selected.
- In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
- Collection Configuration is enabled on the management station or by duplicating and then editing the default configuration. Default is what is set on the installed device pack.
- Device Settings section.
- Credentials
- In the User Name box, type the administrator user name. By default the user name is Admin, but this should reflect the administrative ID set when creating a new administrator account on the TrusGuard device.
- In the Password box, type the password used for the TrusGuard device administrator account.
- In the Re-enter Password box, retype the password entered above.
- Retrieval
- By default, the Protocol is SSH and the Port is 22.
- Monitoring section.
- By default, the Enable Log Monitoring checkbox is selected. To disable this automatic function, clear the checkbox.
- By default, the Log Update Interval is set to 10 minutes. This number determines how often usage data is sent to the application server.
- By default, the Enable Change Monitoring checkbox is selected.
- Enter an optional Alternate Syslog Source IP.
- Select the Perform Change Verification checkbox to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
- Retrieval section.
- Select Enable Scheduled Retrieval to perform a retrieval at a set time daily regardless of change detection.
- Set the Scheduled Retrieval Time.
- Set the Scheduled Retrieval Time Zone.
- Select the Enable Check for Change checkbox to enable checking for configuration changes after the specified interval, and perform a retrieval if changes are detected.
The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
- Advanced section.
- Select a Device Charset Encoding from the list to be used for File Retrieval Options.
- Select the Automatically Update SSH Keys checkbox if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
- Enforcement section.
Select one of the available enforcement options:
If this device is assigned to an enforcement or change window, it will be listed. If there is no assignment, changes must be manually pushed for this device.
- Supplemental Routes section.
Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.
- Select an Interface.
If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.
- Type the Destination IP address.
- Type the Gateway IP address.
- Select a Virtual Router.
- Select a Next Virtual Router.
- Switch the Drop toggle to enable (disabled = Accept).
- Click Add.
- Click Save.
- You will need to manually enable the TrusGuard device to allow for Level 3 support. To do this, complete the following steps.
- Log in to the Data Collector that is monitoring the device as the user created during setup.
- At the command prompt enter: cd /etc/firemon
- Using a text editor, such as Vi or Nano, edit the dc.conf file (/etc/firemon/dc.conf)
- Set DataCollector.SyslogServer.IgnorePrivFieldCheck to "true"
- Restart the data collector by entering the command: fmos restart dc
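The duplicate-IP Caution in the General Properties section can be checked against a planned device list before anything is created in Administration. The following is an added example, not FireMon code: the inventory is constructed (device names, addresses and group names are assumptions), and the function separates duplicates that share a device group from duplicates that still collide in the All Devices map.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory: (device name, management IP, device group).
PLANNED_DEVICES = [
    ("tg-hq-01", "192.0.2.10", "HQ"),
    ("tg-hq-02", "192.0.2.11", "HQ"),
    ("tg-lab-01", "192.0.2.10", "Lab"),           # same IP as tg-hq-01, other group
    ("tg-branch-01", "198.51.100.5", "Branch"),
    ("tg-branch-02", " 198.51.100.5", "Branch"),  # same IP, same group
    ("tg-v6-01", "2001:db8::1", "HQ"),
    ("tg-v6-02", "2001:0db8:0000::0001", "Lab"),  # same address, other spelling
]


def find_duplicate_ips(devices):
    """Return (same_group, any_duplicate).

    same_group:    {(ip, group): [names]} duplicates inside one device group;
                   these must be separated into discrete groups.
    any_duplicate: {ip: [(name, group)]} every IP used more than once; these
                   still affect the All Devices map even when groups differ.
    """
    by_ip = defaultdict(list)
    for name, raw_ip, group in devices:
        # Canonical form so differently written addresses compare equal.
        # Raises ValueError on input that is not an IP address.
        ip = str(ipaddress.ip_address(raw_ip.strip()))
        by_ip[ip].append((name, group))

    same_group, any_duplicate = {}, {}
    for ip, owners in by_ip.items():
        if len(owners) < 2:
            continue
        any_duplicate[ip] = owners
        per_group = defaultdict(list)
        for name, group in owners:
            per_group[group].append(name)
        for group, names in per_group.items():
            if len(names) > 1:
                same_group[(ip, group)] = names
    return same_group, any_duplicate


if __name__ == "__main__":
    same, anyd = find_duplicate_ips(PLANNED_DEVICES)
    for (ip, group), names in same.items():
        print(f"SEPARATE: {ip} used by {names} in group {group}")
    for ip, owners in anyd.items():
        print(f"ALL DEVICES MAP: {ip} shared by {owners}")
```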
Step 3: Verify Communication
Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.
To do a manual retrieval, select the device row, click the Menu icon, and then click Retrieve Configuration.
It may take up to 15 minutes to see the status result of the retrieval.