Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=forcepoint-index

Forcepoint integration

Log collector Firewall

You can integrate Forcepoint Next-Generation Firewall (NGFW) with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Forcepoint product overview

Forcepoint Next-Generation Firewall (NGFW) functions by employing sophisticated mechanisms that provide visibility, control, and contextual analysis of network traffic, enabling dynamic adjustments to security policies and defenses. By harnessing advanced technologies and a user-centric approach, the firewall facilitates robust threat prevention and detection, safeguarding an organization's assets, data, and network infrastructure.

Sophos documents

What we ingest

Sample alerts we see:

  • China.Chopper.Web.Shell.Client.Connection
  • Easy.Hosting.Control.Panel.FTP.Account.Security.Bypass
  • HTTP.URI.SQL.Injection
  • Malicious.HTTP.URI.Requests
  • Joomla!.com_fields.SQL.Injection

Alerts ingested in full

We recommend that you configure the standard syslog output from Forcepoint, which includes the following topics:

  • Clock daemon for BSD systems
  • Clock daemon for System V systems
  • File transfer protocol
  • Kernel messages
  • Line printer subsystem
  • Mail system
  • Messages generated internally by syslogd
  • Network news subsystem
  • Network time protocol
  • Random user-level messages
  • Security/authorization messages
  • Security/authorization messages (private)
  • System daemons
  • UUCP subsystem

For the standard syslog output, see Syslog entries.

Filtering

We filter alerts as follows.

Allow

Valid CEF

Drop

Description

These entries are categorized as non-security-related events based on our MDR analyst team’s feedback. They primarily include routine VPN activities, standard network operations, and automated system messages that are repetitive and generally non-critical, so logging isn't necessary.

Regex Patterns

  • msg=Connection dropped
  • msg=Delete notification received for .* SPI
  • \\|File-Filtering-Policy_Buffering-Limit-Exceeded\\|
  • \\|FW_New-SSL-VPN-Connection\\|
  • msg=IPsec SA Import succeeded
Examples
  • msg=IPsec SA initiator done. Rekeyed SPI: .* Encryption:.*, mac:.*
  • msg=IPsec SA responder done
  • msg=IKE SA deleted
  • msg=IKEv2 SA error: Timed out
  • msg=IKEv2 SA initiator failed, Local auth method: Reserved, Remote auth method: Reserved
  • msg=IPsec SA initiator error: Timed out
  • msg=Message type ack. XID: .* Relay ip .* Server ID: .* DNS: .* DNS: .* Domain: .*
  • msg=Message type offer. XID: .* Relay ip .* Server ID: .* DNS: .* DNS: .* Domain: .*
  • msg=Sending Dead Peer Detection notify \\(.*\\)
  • msg=Starting IKEv2 initiator negotiation
  • \\|TCP_Option-Unknown\\|
  • \\|URL_Category-Accounting\\|
  • msg=New engine upgrades available on Forcepoint web site: Engine upgrades NGFW upgrade .* build \\d+ for .*
  • \\|TCP_Segment-SYN-No-Options\\|
  • msg=Connection was reset by client
  • \\|FW_New-Route-Based-VPN-Connection\\|0\\|.* act=Discard
  • \\|TCP_Checksum-Mismatch\\|
  • msg=Notifications: N\\(HTTP_CERT_LOOKUP_SUPPORTED\\), N\\(MESSAGE_ID_SYNC_SUPPORTED\\), N\\(ESP_TFC_PADDING_NOT_SUPPORTED\\), N\\(NON_FIRST_FRAGMENTS_ALSO\\)
  • \\|FW_New-IPsec-VPN-Connection\\|
  • \\|FW_Related-Connection\\|
  • \\|Connection_Progress\\|
  • msg=Connection was reset by server
  • msg=Connection timeout in state TCP_SYN_SEEN
  • \\|Connection_Rematched\\|
  • \\|Connection_Allowed\\|
  • \\|Connection_Discarded\\|
  • \\|Connection_Closed\\|
  • \\|Log_Compress-SIDs\\|
  • act=Allow msg=Referred connection
  • \\|FW_New-Route-Based-VPN-Connection\\|0\\|.* act=Allow
  • \\|HTTP_URL-Logged\\|1\\|.* act=Permit
  • msg=Message type \\w+. XID: .*. Relay ip .*. Relayed to .*
  • \\|Generic\\|0\\|.*msg=Rekeyed IPsec SA installed. Inbound
  • msg=HISTORY: PID\\W+\\d+ UID\\W+\\d+ USER\\W+\\w+
  • msg=\\[I\\]\\[.*\\] Gid map: inside_gid:\\d+ outside_gid:\\d+ count:\\d+
  • msg=\\[I\\]\\[.*\\] Jail parameters
  • msg=\\[I\\]\\[.*\\] Uid map: inside_uid:\\d+ outside_uid:\\d+ count:\\d+
  • msg=\\[I\\]\\[.*\\] pid\\W+\\d+ \\(\\[STANDALONE MODE\\]\\) exited with status: \\d+, \\(PIDs left: \\d+\\)
  • msg=\\[I\\]\\[.*\\] Mount: .* flags:.* type:.* options:.* dir:.*
  • \\|DNS_Client-Type-Unknown\\|2\\|.* act=Permit
  • \\|File_Allowed\\|1\\|.* act=Permit
  • \\|HTTP_Request-with-redirect-capability\\|1\\|
  • \\|FW_Info-Request\\|0\\|
  • \\|Generic\\|0\\|.*msg=\\[\\d+\\.\\d+\\].*

Sample threat mappings

"alertType": "Mirai.Botnet", "threatId": "T1498", "threatName": "Network Denial of Service",
"alertType": "WIFICAM.P2P.GoAhead.Multiple.Remote.Code.Execution", "threatId": "T1203", "threatName": "Exploitation for Client Execution",
"alertType": "TCP.Split.Handshake", "threatId": "T1082", "threatName": "System Information Discovery",
"alertType": "WePresent.WiPG1000.Command.Injection", "threatId": "T1203", "threatName": "Exploitation for Client Execution",
"alertType": "Open.Flash.Chart.PHP.File.Upload", "threatId": "T1105", "threatName": "Ingress Tool Transfer",

Vendor documentation