External Systems Configuration Guide

Blue Coat Web Proxy

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring
SNMP | | Proxy performance: Proxy cache object count; Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps); Client-to-proxy metrics: HTTP requests, HTTP cache hits, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes) | Performance Monitoring
SFTP | | Proxy traffic: Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance
Syslog | | Admin authentication success and failure | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "blue coat" in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The following procedure enables FortiSIEM to discover and monitor your Blue Coat web proxy over SNMP.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > SNMP.
  3. Under SNMP General, select Enable SNMP.
  4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device. Use a read-only community that is unique to this device: with SNMP v1/v2c the string travels in cleartext, so treat it as a credential and restrict SNMP access on the proxy to the FortiSIEM collector address.
  5. Click OK.
Syslog

Syslog is used by Blue Coat to send audit logs to FortiSIEM.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > Event Logging.
  3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
  4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
  5. Select Enable syslog.
  6. Click Apply.
Sample Parsed Blue Coat Audit Syslog

<2> Sep 14 19:24:39 ao BluecoatAuthWebLog   0       2010-09-14 14:31:13 36 34.159.60.56 hz13321 - - OBSERVED "Audio/Video Clips" - 200 TCP_NC_MISS POST application/x-fcs http 213.200.94.86 80 /idle/WdPmdz02xSLO2sHS/25136 - - "Shockwave Flash" 34.160.179.201 1087 217 -
SFTP

This procedure sends access logs to FortiSIEM. Access logs contain the traffic that Blue Coat proxies between the client and the server. Although this section is titled SFTP, the upload client configured below is plain FTP with "Use Secure Connections (SSL)" cleared: Blue Coat acts as the FTP client and FortiSIEM as the FTP server, and both the ftpuser password and the log content cross the network in cleartext. Configure the FTP landing directory in FortiSIEM first, and then the upload client on your Blue Coat web proxy.

Configure FTP in FortiSIEM

  1. Log in to your Supervisor node as root.
  2. Change directory to /opt/phoenix/bin.
  3. Run the ./phCreateBluecoatDestDir command to create an FTP user account.
    The files sent from Blue Coat are temporarily stored under this account. The script creates a user called ftpuser; if this user already exists, you do not need to create a new one. The script asks for the IP address of Blue Coat and the password for the user ftpuser, and then creates the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.
  4. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat (usermod -d /opt/phoenix/cache/bluecoat ftpuser has the same effect).
    Change only the home directory, do not change any other value. The home directory matters because the Path you configure on Blue Coat (/<Blue Coat IP Address>) is resolved relative to it; if the home is left unchanged, uploads land outside the directory that Epilog watches.

Configure an Epilog client in FortiSIEM

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the FortiSIEM parser for processing.

  1. Log in to your Supervisor or the Collector node as root.
  2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog daemon with the /etc/init.d/epilogd restart command. Replace 172.16.0.141 with the IP address of your Blue Coat appliance, which must match the directory created in the previous procedure. The example assigns the BluecoatImLog tag to both the im and the ssl file; confirm each tag against the event types listed under ADMIN > Device Support > Event before copying it.

    Output
    network=localhost:514
    syslog=2
    Input
    log=BluecoatWebLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_main.log
    log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_im.log
    log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ssl.log
    log=BluecoatP2pLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_p2p.log
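The two procedures above leave several things to line up by hand: the ftpuser home directory, the per-appliance directory that the Blue Coat Path setting points at, and the four log paths in epilog.conf. The following pre-flight check is an added example (not FortiSIEM code) that reads those settings and reports mismatches before you touch the Blue Coat side. It assumes the layout the procedures create: account ftpuser, home /opt/phoenix/cache/bluecoat, and uploads into /opt/phoenix/cache/bluecoat/<Blue Coat IP>/. The log tags and file names are copied from the epilog.conf on this page, including the BluecoatImLog tag on the ssl file.

```python
"""Pre-flight check for the Blue Coat -> FortiSIEM FTP/Epilog hand-off.

Added example, not FortiSIEM's own tooling. Assumptions: the FTP account is
'ftpuser', its home must be CACHE_ROOT, and Blue Coat uploads into
CACHE_ROOT/<Blue Coat IP>/, which is the layout the procedures above create.
"""
import ipaddress
import os

CACHE_ROOT = "/opt/phoenix/cache/bluecoat"
FTP_USER = "ftpuser"

# Epilog log tag and the file name Blue Coat uploads, as listed on this page.
# The ssl file carries the BluecoatImLog tag exactly as the page's epilog.conf shows.
LOG_FILES = [
    ("BluecoatWebLog", "SG_FortiSIEM_bluecoat_main.log"),
    ("BluecoatImLog", "SG_FortiSIEM_bluecoat_im.log"),
    ("BluecoatImLog", "SG_FortiSIEM_bluecoat_ssl.log"),
    ("BluecoatP2pLog", "SG_FortiSIEM_bluecoat_p2p.log"),
]


def passwd_home(passwd_text, user=FTP_USER):
    """Return the home-directory field of `user` from /etc/passwd text, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == user:
            return fields[5]
    return None


def check_ftp_landing(passwd_text, bluecoat_ip, cache_root=CACHE_ROOT,
                      isdir=os.path.isdir):
    """Return a list of problems; an empty list means the upload path resolves.

    Blue Coat logs in as ftpuser and uploads to Path "/<Blue Coat IP>", which the
    FTP server resolves relative to ftpuser's home. So the home must be cache_root
    and cache_root/<ip> must exist; otherwise uploads fail or land somewhere Epilog
    is not watching. `isdir` is injectable so the check can be unit-tested.
    """
    problems = []
    try:
        ipaddress.ip_address(bluecoat_ip)
    except ValueError:
        problems.append(f"not an IP address: {bluecoat_ip!r}")
        return problems
    home = passwd_home(passwd_text)
    if home is None:
        problems.append(f"{FTP_USER} not found in passwd; run phCreateBluecoatDestDir first")
    elif os.path.normpath(home) != os.path.normpath(cache_root):
        problems.append(f"{FTP_USER} home is {home}, expected {cache_root}")
    landing = os.path.join(cache_root, bluecoat_ip)
    if not isdir(landing):
        problems.append(f"missing upload directory {landing}")
    return problems


def epilog_input(bluecoat_ip, cache_root=CACHE_ROOT):
    """Render the Input section of epilog.conf for one Blue Coat appliance."""
    lines = ["Input"]
    for tag, name in LOG_FILES:
        lines.append(f"log={tag}:{os.path.join(cache_root, bluecoat_ip, name)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "172.16.0.141"
    with open("/etc/passwd") as f:
        issues = check_ftp_landing(f.read(), ip)
    for p in issues:
        print("PROBLEM:", p)
    print(epilog_input(ip))
    sys.exit(1 if issues else 0)
```

Run it on the Supervisor as python3 preflight.py <Blue Coat IP> after step 4 of the FTP procedure; a non-zero exit means the Blue Coat upload client would not reach the directory Epilog tails, and the printed Input section can be pasted into epilog.conf once the checks pass.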

Configure FTP in Blue Coat

  1. Log in to your Blue Coat management console.
  2. Go to Management Console > Configuration > Access Logging > General.
  3. Select Enable Access Logging.
  4. In the left-hand navigation, select Logs.
  5. Under Upload Client, configure these settings.
     Setting                    Value
     Log                        main
     Client Type                FTP Client
     Encryption Certificate     No Encryption
     Keyring Signing            No Signing
     Save the log file as       text file
     Send partial buffer after  1 seconds
     Bandwidth Class            <none>
  6. Next to Client Type, click Settings.
  7. Configure these settings.
     Setting                    Value
     Settings for               Primary FTP Server
     Host                       IP address of your FortiSIEM virtual appliance
     Port                       514
     Path                       /<Blue Coat IP Address>
     Username                   ftpuser
     Change Primary Password    Use the password you created for ftpuser in FortiSIEM
     Filename                   SG_FortiSIEM_bluecoat_main.log
     Port 514 is the value given here; it is also the syslog port that Epilog forwards to (network=localhost:514), and standard FTP control is TCP 21, so confirm the port the FTP service on your Supervisor actually listens on before saving. The Path is relative to the ftpuser home directory, so it must be the same IP address used for the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory.
  8. Clear the selections Use Secure Connections (SSL) and Use Local Time. With SSL cleared, the ftpuser password and the full access log (URLs, user names, user agents) are sent in cleartext; carry this upload over a management network or restrict it with firewall rules to the FortiSIEM address only.
  9. Select Use Pasv.
  10. Click OK.
  11. Follow this same process to configure the settings for im, ssl and p2p.
    For each of these, you will refer to a different Filename.
    • For im the file name is SG_FortiSIEM_bluecoat_im.log
    • For ssl the file name is SG_FortiSIEM_bluecoat_ssl.log
    • For p2p the file name is SG_FortiSIEM_bluecoat_p2p.log
Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog	0	2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp accelops.webex.com 443 / - - - NONE 172.16.0.141 - - "WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22
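The two sample lines on this page (the BluecoatAuthWebLog line under Syslog and the BluecoatWebLog line above) show what Epilog hands to the FortiSIEM parser: a syslog priority, a timestamp, the forwarding host, the log tag, a counter, and then the raw Blue Coat line. The parser below is an added example, not FortiSIEM's own parser, that splits both lines into the attributes listed under "What is Discovered and Monitored". The ELFF field orders are assumptions: BluecoatWebLog lines are treated as the SGOS default "main" access-log format and BluecoatAuthWebLog lines as the "bcreportermain_v1" format, because each sample lines up field-for-field with that format; check the #Fields header of your own logs before relying on the mapping. The sample strings are the page's lines with Epilog's tab separators written out explicitly.

```python
"""Parse Blue Coat access/audit lines the way Epilog hands them to FortiSIEM.

Added example, not FortiSIEM's parser. The ELFF field orders are assumptions:
BluecoatWebLog lines are treated as the SGOS default "main" access-log format
and BluecoatAuthWebLog lines as the "bcreportermain_v1" format, because both
samples on this page line up field-for-field with those formats. Confirm
against the #Fields header of your own log files before relying on this.
"""
import ipaddress
import re
import shlex

# Epilog prefix: <pri> Mon DD HH:MM:SS host tag counter <original log line>
_EPILOG = re.compile(
    r"^<(?P<pri>\d+)>\s*(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<tag>\w+)\s+(?P<counter>\d+)\s+(?P<line>.*)$"
)

MAIN_FIELDS = (
    "date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
    "cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) "
    "cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip"
).split()
BCREPORTERMAIN_V1_FIELDS = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
    "cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id"
).split()
FORMATS = {"BluecoatWebLog": MAIN_FIELDS, "BluecoatAuthWebLog": BCREPORTERMAIN_V1_FIELDS}


def _ip_or_none(value):
    """Return value if it is a literal IP address, else None."""
    try:
        ipaddress.ip_address(value)
        return value
    except (ValueError, TypeError):
        return None


def _int_or_none(value):
    return int(value) if value is not None and value.isdigit() else None


def parse_epilog_line(raw):
    """Split one Epilog-wrapped syslog line into a dict of ELFF field -> value.

    ELFF writes "-" for an empty field; those become None. Quoted fields such as
    User-Agent and categories may contain spaces, so shlex does the splitting.
    """
    m = _EPILOG.match(raw)
    if not m:
        raise ValueError("not an Epilog-wrapped line")
    fields = FORMATS.get(m.group("tag"))
    if fields is None:
        raise ValueError(f"unknown log tag {m.group('tag')}")
    values = shlex.split(m.group("line"))
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    rec = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
    rec["_tag"] = m.group("tag")
    rec["_reporting_host"] = m.group("host")
    return rec


def to_event(rec):
    """Map ELFF fields to the attribute names this page lists for proxy traffic.

    Byte direction follows ELFF: cs-bytes is client -> proxy, sc-bytes is
    proxy -> client. Labelling them Sent/Received from the client's point of
    view is this example's choice, not necessarily FortiSIEM's. HTTP Version is
    not present in either assumed format, so it is not emitted.
    """
    host, port = rec.get("cs-host"), rec.get("cs-uri-port")
    url = f"{rec.get('cs-uri-scheme')}://{host}:{port}{rec.get('cs-uri-path') or ''}"
    if rec.get("cs-uri-query"):
        url += "?" + rec["cs-uri-query"]
    return {
        "Source IP": rec.get("c-ip"),
        "Destination IP": _ip_or_none(rec.get("s-supplier-name")) or _ip_or_none(host),
        "Destination Name": host,
        "Destination Port": _int_or_none(port),
        "URL": url,
        "Web category": rec.get("cs-categories"),
        "Proxy action": rec.get("sc-filter-result"),
        "s-action": rec.get("s-action"),  # cache result, e.g. TCP_TUNNELED
        "HTTP User Agent": rec.get("cs(User-Agent)"),
        "HTTP Referrer": rec.get("cs(Referer)"),
        "HTTP Method": rec.get("cs-method"),
        "HTTP Status Code": _int_or_none(rec.get("sc-status")),
        "Sent Bytes": _int_or_none(rec.get("cs-bytes")),
        "Received Bytes": _int_or_none(rec.get("sc-bytes")),
        "Connection Duration": _int_or_none(rec.get("time-taken")),  # milliseconds
        "User": rec.get("cs-username"),
    }


# The two sample lines from this page, with Epilog's tab separators made explicit.
SAMPLES = [
    '<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net BluecoatWebLog\t0\t'
    '2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp '
    'accelops.webex.com 443 / - - - NONE 172.16.0.141 - - '
    '"WebEx Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22',
    '<2> Sep 14 19:24:39 ao BluecoatAuthWebLog   0       2010-09-14 14:31:13 36 '
    '34.159.60.56 hz13321 - - OBSERVED "Audio/Video Clips" - 200 TCP_NC_MISS POST '
    'application/x-fcs http 213.200.94.86 80 /idle/WdPmdz02xSLO2sHS/25136 - - '
    '"Shockwave Flash" 34.160.179.201 1087 217 -',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        for key, value in to_event(parse_epilog_line(raw)).items():
            print(f"{key:20} {value}")
        print()
```

Because the field list is selected by the Epilog log tag, a mislabelled entry in epilog.conf (for example the ssl file carrying the BluecoatImLog tag) would be parsed with the wrong field order; the length check in parse_epilog_line rejects such lines rather than silently shifting every attribute by one column.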

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting Value
Name <set name>
Device Type Blue Coat CacheOS
Access Protocol See Access Credentials
Port See Access Credentials
Password config See Password Configuration
