Configure Juniper NGFW to send logs to Arctic Wolf

You can configure Juniper Next-Generation Firewall (NGFW)® to send the necessary logs to Arctic Wolf®.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to a device in the same network as the Juniper SRX device
  • A user account with at least Full Access for the Commit Configuration and Basic Settings permissions for the Juniper SRX device

Configure syslog forwarding

  1. In a terminal, run this command to sign in to the Juniper SRX device:
    ssh <user>@<srx_ip>
    Where:
    • user is the username associated with the account that has at least Full Access for the Commit Configuration and Basic Settings permissions.

    • srx_ip is the IP address of the SRX device.

  2. When prompted, enter your account password.
  3. Run this command to access the CLI:
    cli
  4. Run this command to enter configuration mode:
    configure
  5. Run these commands to configure syslog forwarding with unstructured data:
    set system syslog host <sensor_ip> port 514 user info
    set system syslog host <sensor_ip> port 514 authorization info
    set system syslog host <sensor_ip> port 514 ftp info
    set system syslog host <sensor_ip> port 514 change-log info
    set system syslog host <sensor_ip> port 514 interactive-commands info
    set system syslog source-address <srx_ip>
    Where:
    • sensor_ip is the IP address of your Arctic Wolf Sensor, Virtual Sensor (vSensor), or Virtual Log Collector (vLC).
    • srx_ip is the IP address of the SRX device.

    For more information about facility names and severity levels, see System Logging Facilities and Message Severity Levels.

  6. Run these commands to configure security logging for security devices, such as IDS, in stream mode:
    set security log mode stream
    set security log format syslog
    set security log report
    set security log transport protocol udp
    set security log source-address <srx_ip>
    set security log stream <stream_name> category all
    set security log stream <stream_name> host <sensor_ip>
    set security log stream <stream_name> port 514
    Where:
    • srx_ip is the IP address of the SRX device.

    • stream_name is a descriptive name for the log stream, such as security-log.

    • sensor_ip is the IP address of your Arctic Wolf Sensor, vSensor, or vLC.

  7. Run this command to commit your changes:
    commit
  8. To configure session logging for your firewall policy, run the commands that apply to your policy:
    • For new policies:
      set security policies from-zone <zone> to-zone <zone> policy <policy_name> then log <session_event_type>
      Where:
      • zone is the name of the applicable zone, such as trust or untrust.
      • policy_name is the name of a firewall policy.
      • session_event_type is the type of session event, such as session-init or session-close.
    • For existing policies, move to the policy hierarchy and then add the log action:
      edit security policies from-zone <zone> to-zone <zone> policy <policy_name>
      set then log <session_event_type>
      Where:
      • zone is the name of the applicable zone, such as trust or untrust.
      • policy_name is the name of an existing firewall policy.
      • session_event_type is the type of session event, such as session-init or session-close.

    For more information, see Monitoring Security Flow Sessions.

    IDP logging is configured by default. For more information, see Configure Multiple IDP Policies and a Default IDP Policy for Unified Security Policies.
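    As a collector-side check that is added here and is not part of this guide, Juniper's software or Arctic Wolf's tooling: the following Python parses syslog lines as the sensor or vLC would receive them from the forwarding above, reads facility and severity from the PRI field, counts Junos event tags such as RT_FLOW_SESSION_CLOSE, and reports which expected tags never arrived, so you can confirm the configured categories are reaching UDP port 514 before opening the ticket. The sample lines are constructed and only approximate the Junos message layout; the list of expected tags is an assumption for this check.

```python
import re
from collections import Counter

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# A few Junos event tags the forwarding in this guide should deliver to the collector.
EVENT_RE = re.compile(r"\b(RT_FLOW_SESSION_(?:CREATE|CLOSE|DENY)|UI_COMMIT\w*|"
                      r"UI_CMDLINE_READ_LINE|UI_LOGIN_EVENT|IDP_ATTACK_LOG_EVENT)\b")

def parse_pri(line):
    """Split '<PRI>message' into (facility, severity, message); None if malformed."""
    m = PRI_RE.match(line)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:  # 24 facilities * 8 severities
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)

def summarize(lines):
    """Tally (facility, severity) pairs and Junos event tags; keep non-syslog lines."""
    facilities, events, rejected = Counter(), Counter(), []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            rejected.append(line)
            continue
        facility, severity, message = parsed
        facilities[(facility, severity)] += 1
        events.update(EVENT_RE.findall(message))
    return {"facilities": facilities, "events": events, "rejected": rejected}

def missing_events(lines, expected=("RT_FLOW_SESSION_CREATE", "RT_FLOW_SESSION_CLOSE", "UI_COMMIT")):
    """Return the expected event tags that never appeared, i.e. forwarding gaps to chase."""
    seen = summarize(lines)["events"]
    return [tag for tag in expected if seen[tag] == 0]

# Constructed sample lines: PRI 14 = user.info, 190 = local7.info, 38 = auth.info.
SAMPLE = [
    "<14>Jan  5 10:00:01 srx01 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.5/51000->203.0.113.10/443",
    "<14>Jan  5 10:00:09 srx01 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.1.1.5/51000->203.0.113.10/443",
    "<190>Jan  5 10:00:12 srx01 mgd[1234]: UI_COMMIT: User 'admin' requested 'commit' operation",
    "<38>Jan  5 10:00:20 srx01 sshd[2222]: UI_LOGIN_EVENT: User 'admin' login from 10.1.1.9",
    "not a syslog datagram",
]
```

Feed it the payloads captured on the collector host (for example the UDP/514 datagrams seen while a test session is opened and closed through the SRX); an empty result from missing_events means every category you configured above is arriving.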

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.