Blue Coat Web Proxy

• What is Discovered and Monitored
• Event Types
• Rules
• Reports
• Configuration
• Configure FTP in FortiSIEM
• Configure an Epilog Client in FortiSIEM
• Configure FTP in Blue Coat
• Settings for Access Credentials

What is Discovered and Monitored

Protocol	Information discovered	Metrics collected	Used for
SNMP	Host name, Interfaces, Serial number	CPU utilization, Memory utilization	Performance Monitoring
SNMP		Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps);  Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)	Performance Monitoring
SFTP		Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration	Security Monitoring and compliance
Syslog		Admin authentication success and failure	Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "blue coat" to see the event types associated with this device. 

Rules

There are no predefined rules for this device. 

Reports

There are no predefined reports for this device. 

Configuration

• SNMP
• Syslog
• Sample Parsed Blue Coat Audit Syslog
• SFTP

SNMP

The following procedures enable FortiSIEM to discover Bluecoat web proxy.

1. Log in to your Blue Coat management console. 
2. Go to Maintenance > SNMP.
3. Under SNMP General, select Enable SNMP.
4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device. 
5. Click OK.

Syslog

Syslog is used by Blue Coat to send audit logs to FortiSIEM.

1. Log in to your Blue Coat management console. 
2. Go to Maintenance > Event Logging.
3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
5. Select Enable syslog.
6. Click Apply.

Sample Parsed Blue Coat Audit Syslog

<2> Sep 14 19:24:39 ao BluecoatAuthWebLog   0       2010-09-14 14:31:13 36 34.159.60.56 hz13321 - - OBSERVED "Audio/Video Clips" - 200 TCP_NC_MISS POST application/x-fcs http 213.200.94.86 80 /idle/WdPmdz02xSLO2sHS/25136 - - "Shockwave Flash" 34.160.179.201 1087 217 -

SFTP

SFTP is used to send access logs to FortiSIEM. Access logs includes the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Bluecoat is the client and FortiSIEM is the server. You must configure SFTP in FortiSIEM first, and then on your Blue Coat web proxy server.

Configure FTP in FortiSIEM

1. Log in to your Supervisor node as root.
2. Change directory to /opt/phoenix/bin.
3. Run the ./phCreateBluecoatDestDir command to create an FTP user account.
   The files sent from Blue Coat will be temporarily stored in this account. The script will create an user called ftpuser. If the this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ftpuser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.
4. Run vi /etc/passwd to change the home directory for ftpuser  to /opt/phoenix/cache/bluecoat.
   Change only the home directory, do not change any other value.
   

Configure an Epilog Client in FortiSIEM

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the FortiSIEM parser for processing.

1. Log in to your Supervisor or the Collector node as root.
2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog daemon with the /etc/init.d/epilogd restart command.

   Output
   network=localhost:514
   syslog=2
   Input
   log=BluecoatWebLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_main.log
   log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_im.log
   log=BluecoatImLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_ssl.log
   log=BluecoatP2pLog:/opt/phoenix/cache/bluecoat/172.16.0.141/SG_FortiSIEM_bluecoat_p2p.log

Configure FTP in Blue Coat

1. Log in to your Blue Coat management console. 
2. Go to Management Console > Configuration > Access Logging > General.
3. Select Enable Access Logging.
4. In the left-hand navigation, select Logs.
5. Under Upload Client, configure these settings.

   Setting	Value
   Log	main
   Client Type	FTP Client
   Encryption Certificate	No Encryption
   Keyring Signing	No Signing
   Save the log file as	text file
   Send partial buffer after	1 seconds
   Bandwidth Class	<none>

6. Next to Client Type, click Settings. 
7. Configure these settings.

   Setting	Value
   Settings for	Primary FTP Server
   Host	IP address of your FortiSIEM virtual appliance
   Port	514
   Path	/<Blue Coat IP Address>
   Username	ftpuser
   Change Primary Password	Use the password you created for ftpuser in FortiSIEM
   Filename	SG_FortiSIEM_bluecoat_main.log

8. Clear the selections Use Secure Connections (SSL) and Use Local Time.  
9. Select Use Pasv.
10. Click OK.
11. Follow this same process to configure the settings for im, ssl and p2p.
    For each of these, you will refer to a different Filename.
    
    • For im the file name is SG_FortiSIEM_bluecoat_im.log
    • For ssl the file name is SG_FortiSIEM_bluecoat_ssl.log
    • For p2p the file name is SG_FortiSIEM_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.example.net BluecoatWebLog	0	2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED 820 1075 CONNECT tcp generic-comp.example.com 443 / - - - NONE 172.16.0.141 - - "Example Outlook Integration Http Agent" PROXIED "none" - 25.24.23.22

Settings for Access Credentials

Set these Access Method Definition values to allow FortiSIEM to communicate with your device.

Setting	Value
Name	<set name>
Device Type	Blue Coat CacheOS
Access Protocol	See Access Credentials
Port	See Access Credentials
Password config	See Password Configuration