Forcepoint integration
You can integrate Forcepoint Next-Generation Firewall (NGFW) with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Forcepoint product overview
Forcepoint Next-Generation Firewall (NGFW) provides visibility, control, and contextual analysis of network traffic, and adjusts security policies and defenses dynamically in response to what it sees. It combines advanced detection technologies with a user-centric approach to deliver threat prevention and detection that safeguards an organization's assets, data, and network infrastructure.
Sophos documents
What we ingest
Sample alerts we see:
- China.Chopper.Web.Shell.Client.Connection
- Easy.Hosting.Control.Panel.FTP.Account.Security.Bypass
- HTTP.URI.SQL.Injection
- Malicious.HTTP.URI.Requests
- Joomla!.com_fields.SQL.Injection
Alerts ingested in full
We recommend that you configure the standard syslog output from Forcepoint, which includes the following syslog facilities:
- Clock daemon for BSD systems
- Clock daemon for System V systems
- File transfer protocol
- Kernel messages
- Line printer subsystem
- Mail system
- Messages generated internally by syslogd
- Network news subsystem
- Network time protocol
- Random user-level messages
- Security/authorization messages
- Security/authorization messages (private)
- System daemons
- UUCP subsystem
For the standard syslog output, see Syslog entries.
Filtering
We filter alerts as follows.
Allow
- Valid CEF
Drop
Description
These entries are categorized as non-security-related events based on our MDR analyst team's feedback. They primarily include routine VPN activities, standard network operations, and automated system messages that are repetitive and generally non-critical, so logging isn't necessary.
Regex Patterns
- msg=Connection dropped
- msg=Delete notification received for .* SPI
- \|File-Filtering-Policy_Buffering-Limit-Exceeded\|
- \|FW_New-SSL-VPN-Connection\|
- msg=IPsec SA Import succeeded
- msg=IPsec SA initiator done. Rekeyed SPI: .* Encryption:.*, mac:.*
- msg=IPsec SA responder done
- msg=IKE SA deleted
- msg=IKEv2 SA error: Timed out
- msg=IKEv2 SA initiator failed, Local auth method: Reserved, Remote auth method: Reserved
- msg=IPsec SA initiator error: Timed out
- msg=Message type ack. XID: .* Relay ip .* Server ID: .* DNS: .* DNS: .* Domain: .*
- msg=Message type offer. XID: .* Relay ip .* Server ID: .* DNS: .* DNS: .* Domain: .*
- msg=Sending Dead Peer Detection notify \(.*\)
- msg=Starting IKEv2 initiator negotiation
- \|TCP_Option-Unknown\|
- \|URL_Category-Accounting\|
- msg=New engine upgrades available on Forcepoint web site: Engine upgrades NGFW upgrade .* build \d+ for .*
- \|TCP_Segment-SYN-No-Options\|
- msg=Connection was reset by client
- \|FW_New-Route-Based-VPN-Connection\|0\|.* act=Discard
- \|TCP_Checksum-Mismatch\|
- msg=Notifications: N\(HTTP_CERT_LOOKUP_SUPPORTED\), N\(MESSAGE_ID_SYNC_SUPPORTED\), N\(ESP_TFC_PADDING_NOT_SUPPORTED\), N\(NON_FIRST_FRAGMENTS_ALSO\)
- \|FW_New-IPsec-VPN-Connection\|
- \|FW_Related-Connection\|
- \|Connection_Progress\|
- msg=Connection was reset by server
- msg=Connection timeout in state TCP_SYN_SEEN
- \|Connection_Rematched\|
- \|Connection_Allowed\|
- \|Connection_Discarded\|
- \|Connection_Closed\|
- \|Log_Compress-SIDs\|
- act=Allow msg=Referred connection
- \|FW_New-Route-Based-VPN-Connection\|0\|.* act=Allow
- \|HTTP_URL-Logged\|1\|.* act=Permit
- msg=Message type \w+. XID: .*. Relay ip .*. Relayed to .*
- \|Generic\|0\|.*msg=Rekeyed IPsec SA installed. Inbound
- msg=HISTORY: PID\W+\d+ UID\W+\d+ USER\W+\w+
- msg=\[I\]\[.*\] Gid map: inside_gid:\d+ outside_gid:\d+ count:\d+
- msg=\[I\]\[.*\] Jail parameters
- msg=\[I\]\[.*\] Uid map: inside_uid:\d+ outside_uid:\d+ count:\d+
- msg=\[I\]\[.*\] pid\W+\d+ \(\[STANDALONE MODE\]\) exited with status: \d+, \(PIDs left: \d+\)
- msg=\[I\]\[.*\] Mount: .* flags:.* type:.* options:.* dir:.*
- \|DNS_Client-Type-Unknown\|2\|.* act=Permit
- \|File_Allowed\|1\|.* act=Permit
- \|HTTP_Request-with-redirect-capability\|1\|
- \|FW_Info-Request\|0\|
- \|Generic\|0\|.*msg=\[\d+\.\d+\].*
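As an added illustration (not Sophos's or Forcepoint's code), the Python below applies the two-stage filter described above: a line must be valid CEF to pass the Allow rule, and is then dropped if it matches any of the noise patterns. The CEF header regex and the sample syslog lines are constructed for this example, and the drop list is a subset of the patterns above.

```python
import re

# Drop patterns copied from the "Regex Patterns" list above (a subset).
DROP_PATTERNS = [
    r"msg=Connection dropped",
    r"\|FW_New-SSL-VPN-Connection\|",
    r"msg=IKEv2 SA error: Timed out",
    r"\|Connection_Allowed\|",
    r"\|FW_New-Route-Based-VPN-Connection\|0\|.* act=Discard",
    r"\|HTTP_URL-Logged\|1\|.* act=Permit",
]
DROP_RES = [re.compile(p) for p in DROP_PATTERNS]

# CEF header: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension.
# Anything before "CEF:" (syslog priority, timestamp, host) is ignored. Assumes no escaped pipes.
CEF_HEADER = re.compile(
    r"CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<dev_version>[^|]*)\|"
    r"(?P<sig_id>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<extension>.*)$"
)

def classify(line: str) -> str:
    """'invalid' = not CEF (fails the Allow rule); 'drop' = matches a noise pattern; 'allow' = forwarded."""
    if not CEF_HEADER.search(line):
        return "invalid"
    if any(r.search(line) for r in DROP_RES):
        return "drop"
    return "allow"

def forward(lines):
    """Return (name, severity) for each line that survives both filters."""
    kept = []
    for line in lines:
        if classify(line) == "allow":
            m = CEF_HEADER.search(line)
            kept.append((m["name"], m["severity"]))
    return kept

# Constructed sample lines (not captured from a real device; field values are illustrative).
SAMPLE_LINES = [
    "CEF:0|Forcepoint|NGFW|6.10|70018|Connection_Allowed|0|src=10.0.0.5 dst=10.0.0.9 act=Allow",
    "CEF:0|Forcepoint|NGFW|6.10|1|Generic|0|msg=IKEv2 SA error: Timed out",
    "CEF:0|Forcepoint|NGFW|6.10|2|FW_New-Route-Based-VPN-Connection|0|src=10.0.0.5 act=Discard",
    "CEF:0|Forcepoint|NGFW|6.10|3|HTTP.URI.SQL.Injection|8|src=198.51.100.7 dst=10.0.0.9 act=Discard",
    "<134>Jan  1 00:00:00 fw1 Connection dropped src=10.0.0.5",  # free text, not CEF
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):8} {line[:72]}")
    print("forwarded:", forward(SAMPLE_LINES))
```

Only the SQL-injection alert reaches Sophos; the VPN and connection-bookkeeping lines are dropped, and the non-CEF line never passes the Allow rule.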
Sample threat mappings
- "alertType": "Mirai.Botnet", "threatId": "T1498", "threatName": "Network Denial of Service"
- "alertType": "WIFICAM.P2P.GoAhead.Multiple.Remote.Code.Execution", "threatId": "T1203", "threatName": "Exploitation for Client Execution"
- "alertType": "TCP.Split.Handshake", "threatId": "T1082", "threatName": "System Information Discovery"
- "alertType": "WePresent.WiPG1000.Command.Injection", "threatId": "T1203", "threatName": "Exploitation for Client Execution"
- "alertType": "Open.Flash.Chart.PHP.File.Upload", "threatId": "T1105", "threatName": "Ingress Tool Transfer"