Configure LEM to monitor firewalls for unauthorized access

Configure LEM Manager to monitor your firewalls and detect unauthorized access such as port scans, unusual data packets, network attacks, and unusual traffic patterns.

To set up a firewall monitor, configure your firewalls to log to LEM, and then configure a new connector in the LEM Manager. When an unauthorized user attempts to access your LEM VM or appliance, the event displays in the default Firewall filter running on the LEM console. You can also create custom filters that display network traffic to and from specific computers, as well as view web traffic and other traffic events across your network.

For more information, see Using the Threat Intelligence Feed in LEM in the SolarWinds Success Center.

Configure a firewall to log to a LEM appliance

You can configure your LEM appliance to collect firewall information from firewalls manufactured by Cisco®, Check Point® Software Technologies, Juniper® Networks, and others. Set your firewall to log to your LEM appliance to centralize its log data with your LEM events. See the SolarWinds Success Center or contact Technical Support for more information.

Configure a firewall connector on a LEM Manager

After you configure your firewall to log to your LEM appliance, configure the corresponding connector on your SolarWinds LEM Manager. Many of the firewall connectors are similar, and some will include unique settings.

This example describes how to configure a Cisco ASA firewall and IOS connector on your LEM Manager.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in as an administrator.

  2. On the LEM toolbar, navigate to Manage > Appliances.

  3. Next to the SolarWinds LEM Manager, click , and then select Connectors.

  4. In the Connector Configuration window search box, enter Cisco ASA.

  5. Next to the Cisco ASA and IOS connector, click , and then click New.

  6. Replace the Alias value with a descriptive connector alias.

    For example:

    ASA Firewall

    Include firewall in the Alias field to ensure the default Firewall filter captures your firewall data.

  7. Verify the Log File value matches the local facility defined in your firewall settings.

  8. Click Save.

  9. Next to the new connector instance (indicated by an icon in the Status column), click , and then select Start.

  10. To close the Connector Configuration window, click Close.

    The firewall connector is configured in the LEM console.

View network traffic from specific computers

You can create custom filters that highlight specific firewall events. For example, to monitor traffic from a specific computer, create a filter for all network traffic coming from the targeted computer. Use connector profiles and other groups to broaden or refine the scope of custom filters.

The following procedure provides an example of creating a filter to monitor all traffic from a targeted computer.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in as an administrator.

  2. On the LEM toolbar, click Monitor.

  3. In the Filters pane, click , and then select New Filter.

  4. Enter a Name and Description for the filter.

  5. In the Filter Creation pane, click Event Groups, and then select Network Audit Alerts.

  6. In the Fields: Network Audit Alerts list, drag SourceMachine into the Conditions box.

  7. In the Constant field (highlighted with a pencil icon), enter a wildcard character (*) to avoid entering the fully qualified domain name of the computer.

  8. Use a Connector instead of a Text Constant to filter for all network traffic coming from a group of similar computers.

  9. Click Save.

Clone and enable a LEM rule to identify port scanning traffic

To identify suspicious firewall traffic indicative of port scanning, clone and enable the PortScans rule. This rule generates a default TCPPortScan event, which the SolarWinds LEM console displays in the default Security Events filter. Use this event to monitor suspicious network traffic and prevent unauthorized access to your firewall.

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

    Log in as an administrator.

  2. On the LEM toolbar, navigate to Build > Rules.

  3. In the Refine Rules pane, enter PortScans.

  4. Next to the rule, click , and then select Clone.

  5. Select the folder to store the cloned rule, and then click OK.

  6. In the Rule Creation window, select Enable.

  7. (Optional) Tune the rule to match your environment.

    For example, you can:

    • Subscribe to the rule to track activity in the Subscriptions report.

    • Increase the number of events in the Correlation Time box to modify how frequently the rule fires.

    • Omit vulnerability scanners from the Correlations by changing the TCPTrafficAudit exists condition to TCPTrafficAudit.SourceMachine = Your Scanners, where Your Scanners is a user-defined group, connector profile, or directory service group that represents the targeted group of computers.

    • Modify the default action or add additional actions to perform tasks such as send an email message or block an IP address.

  8. When completed, click Save.

  9. In the main Rules screen, click Activate Rules.
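The following Python model of the correlation this rule performs is an added example, not SolarWinds code: it normalises constructed Cisco ASA deny lines into TCPTrafficAudit-style events, raises a TCPPortScan-style record when one source hits a threshold of distinct destination ports inside the correlation window, and ignores sources in a "Your Scanners" group as the tuning step describes. The log lines, field names, threshold and window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Cisco ASA "Deny tcp" lines (message id 106023); not captured traffic.
def _asa_line(ts, src, dport):
    return (f"Jan 10 2024 {ts} %ASA-4-106023: Deny tcp src outside:{src}/40001 "
            f'dst inside:10.0.0.5/{dport} by access-group "outside_in"')

SAMPLE_LOG = (
    [_asa_line(f"10:00:{i:02d}", "198.51.100.7", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [_asa_line(f"10:01:{i:02d}", "10.0.0.9", p) for i, p in enumerate([22, 80, 443, 3389, 8080, 8443])]
    + [_asa_line(f"10:02:{i:02d}", "203.0.113.4", p) for i, p in enumerate([80, 443, 8080])]
    + ["Jan 10 2024 10:02:30 %ASA-6-302013: Built inbound TCP connection 12345 (unrelated line)"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) %ASA-\d-106023: Deny tcp "
    r"src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse(lines):
    """Normalise ASA deny lines into TCPTrafficAudit-style events; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                           "SourceMachine": m["src"], "DestinationMachine": m["dst"],
                           "DestinationPort": int(m["dport"])})
    return events

def detect_port_scans(events, scanners=frozenset(), threshold=5, window_seconds=60):
    """One TCPPortScan-style record per source that hits >= threshold distinct ports
    inside a sliding window; sources in `scanners` (the "Your Scanners" group) are ignored."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["SourceMachine"] not in scanners:
            by_src[ev["SourceMachine"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        for i, ev in enumerate(evs):
            window = [e for e in evs[: i + 1]
                      if (ev["time"] - e["time"]).total_seconds() <= window_seconds]
            ports = {e["DestinationPort"] for e in window}
            if len(ports) >= threshold:
                alerts.append({"EventName": "TCPPortScan", "SourceMachine": src,
                               "DestinationPorts": sorted(ports), "Time": ev["time"]})
                break  # fire once per source, as a rule with a correlation window would
    return alerts
```

Tightening `window_seconds` or raising `threshold` mirrors the Correlation Time tuning in step 7; adding a host to `scanners` mirrors the Your Scanners exclusion.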