
External Systems Configuration Guide

Blue Coat Web Proxy

What is Discovered and Monitored

Protocol | Information discovered | Metrics collected | Used for
SNMP | Host name, Interfaces, Serial number | CPU utilization, Memory utilization | Performance Monitoring
SNMP | | Proxy performance: Proxy cache object count; Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic (KBps); Server-to-proxy metrics: HTTP traffic (KBps); Client-to-proxy metrics: HTTP requests, HTTP cache hits, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes) | Performance Monitoring
SFTP | | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance
Syslog | | Admin authentication success and failure | Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event Types, search for "blue coat" to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The following steps enable FortiSIEM to discover and poll the Blue Coat web proxy over SNMP.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > SNMP.
  3. Under SNMP General, select Enable SNMP.
  4. Under Community Strings, click Change Read Community, and then enter a community string that FortiSIEM can use to access your device.
  5. Click OK.

Use a unique, read-only community string for FortiSIEM rather than the default or one shared with other tools: with SNMPv1 and v2c the string travels in cleartext and is the only thing gating read access to the device. Enter the same string in the FortiSIEM credential you associate with the device before running discovery.

Syslog

Blue Coat sends its event log, including administrator authentication successes and failures, to FortiSIEM over syslog.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > Event Logging.
  3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and Informational.
  4. Under Syslog, enter the IP address of your FortiSIEM virtual appliance for Loghost.
  5. Select Enable syslog.
  6. Click Apply.

Syslog from the appliance is neither encrypted nor authenticated, so keep the path to the Loghost on a management network and alert when the event stream stops arriving.

Sample Syslog Event

The sample below is an access-log record emitted with the custom format defined under Access Logging and forwarded over syslog; the event log configured above is a separate message stream.

<111>2020-12-04T00:15:15 Bluecoatsyslog time-taken="39", c-ip="105.128.196.10", cs-username="user.example", cs-auth-group="-", cs-categories="Web Ads/Analytics", sc-status="200", cs-uri-scheme="https", cs-host="cdn.somedomain.com", cs-uri-port="443", cs-uri-extension="js", cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", cs-uri-path="/base_src.js", cs-method="GET", cs-bytes="629", r-ip="123.123.25.25", rs(Content-Type)="application/javascript", s-action="TCP_NC_MISS", s-ip="212.212.212.5", sc-bytes="7205", sc-filter-result="OBSERVED", x-exception-id="-", x-virus-id="-", x-rs-certificate-observed-errors="none", x-cs-ocsp-error="-", x-rs-ocsp-error="-", x-rs-connection-negotiated-cipher-strength="high", x-rs-certificate-hostname="*.somedomain.com", x-rs-certificate-hostname-category="Web Ads/Analytics"

Access Logging

To define a custom access-log format and deliver the access log to FortiSIEM, take the following steps.

  1. Log in to the Blue Coat Management Console.

  2. Select Configuration > Access Logging > Formats.

  3. Select New.

  4. Type a name for the custom format and paste the following format string. Each $(field) substitution is written behind a key of the same name, so FortiSIEM receives self-describing key=value pairs. The two category fields are not wrapped in quotes in the template yet appear quoted in the sample event above, so do not add quotes around them.

    <111>$(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) Bluecoatsyslog time-taken=\"$(time-taken)\", c-ip=\"$(c-ip)\", cs-username=\"$(cs-username)\", cs-auth-group=\"$(cs-auth-group)\", cs-categories=$(cs-categories), sc-status=\"$(sc-status)\", cs-uri-scheme=\"$(cs-uri-scheme)\", cs-host=\"$(cs-host)\", cs-uri-port=\"$(cs-uri-port)\", cs-uri-extension=\"$(cs-uri-extension)\", cs(User-Agent)=\"$(cs(User-Agent))\", cs-uri-path=\"$(cs-uri-path)\", cs-method=\"$(cs-method)\", cs-bytes=\"$(cs-bytes)\", r-ip=\"$(r-ip)\", rs(Content-Type)=\"$(rs(Content-Type))\", s-action=\"$(s-action)\", s-ip=\"$(s-ip)\", sc-bytes=\"$(sc-bytes)\", sc-filter-result=\"$(sc-filter-result)\", x-exception-id=\"$(x-exception-id)\", x-virus-id=\"$(x-virus-id)\", x-rs-certificate-observed-errors=\"$(x-rs-certificate-observed-errors)\", x-cs-ocsp-error=\"$(x-cs-ocsp-error)\", x-rs-ocsp-error=\"$(x-rs-ocsp-error)\", x-rs-connection-negotiated-cipher-strength=\"$(x-rs-connection-negotiated-cipher-strength)\", x-rs-certificate-hostname=\"$(x-rs-certificate-hostname)\", x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category)

  5. Select the transport option.

  6. Save your format.

  7. Click OK.

  8. Specify the IP address of FortiSIEM as the client that receives the logs.

  9. Click Apply.
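The format string above is what FortiSIEM has to parse, so here, as an added example that is not Blue Coat or FortiSIEM code, is a small Python parser and triage routine for it. It reads the sample event shown earlier plus a second, constructed event, splits the <PRI> header from the Bluecoatsyslog body, parses the key=value pairs (handling keys such as cs(User-Agent) and quoted values that contain commas and parentheses), checks that every $(field) in the pasted template actually reached the parsed record, and flags requests an analyst would look at: policy denials, antivirus hits, upstream certificate or OCSP errors, and https requests whose negotiated cipher strength is not reported as high. The triage rules and the second sample line are this example's own assumptions.

```python
"""Parse and triage Blue Coat access-log records sent to FortiSIEM in the custom syslog format.

Added example for this guide, not Blue Coat or FortiSIEM code. FORMAT_TEMPLATE and the first
sample event are copied from the page; the second sample event is constructed here to show a
denied request with an antivirus hit. The triage rules in flag_event are this example's own.
"""
import re
from typing import Dict, List, Set

# Custom format pasted into Configuration > Access Logging > Formats (verbatim from the page).
FORMAT_TEMPLATE = r'''<111>$(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc) Bluecoatsyslog time-taken=\"$(time-taken)\", c-ip=\"$(c-ip)\", cs-username=\"$(cs-username)\", cs-auth-group=\"$(cs-auth-group)\", cs-categories=$(cs-categories), sc-status=\"$(sc-status)\", cs-uri-scheme=\"$(cs-uri-scheme)\", cs-host=\"$(cs-host)\", cs-uri-port=\"$(cs-uri-port)\", cs-uri-extension=\"$(cs-uri-extension)\", cs(User-Agent)=\"$(cs(User-Agent))\", cs-uri-path=\"$(cs-uri-path)\", cs-method=\"$(cs-method)\", cs-bytes=\"$(cs-bytes)\", r-ip=\"$(r-ip)\", rs(Content-Type)=\"$(rs(Content-Type))\", s-action=\"$(s-action)\", s-ip=\"$(s-ip)\", sc-bytes=\"$(sc-bytes)\", sc-filter-result=\"$(sc-filter-result)\", x-exception-id=\"$(x-exception-id)\", x-virus-id=\"$(x-virus-id)\", x-rs-certificate-observed-errors=\"$(x-rs-certificate-observed-errors)\", x-cs-ocsp-error=\"$(x-cs-ocsp-error)\", x-rs-ocsp-error=\"$(x-rs-ocsp-error)\", x-rs-connection-negotiated-cipher-strength=\"$(x-rs-connection-negotiated-cipher-strength)\", x-rs-certificate-hostname=\"$(x-rs-certificate-hostname)\", x-rs-certificate-hostname-category=$(x-rs-certificate-hostname-category)'''

SAMPLE_EVENTS = [
    # Sample Syslog Event from the page.
    '<111>2020-12-04T00:15:15 Bluecoatsyslog time-taken="39", c-ip="105.128.196.10", cs-username="user.example", cs-auth-group="-", cs-categories="Web Ads/Analytics", sc-status="200", cs-uri-scheme="https", cs-host="cdn.somedomain.com", cs-uri-port="443", cs-uri-extension="js", cs(User-Agent)="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", cs-uri-path="/base_src.js", cs-method="GET", cs-bytes="629", r-ip="123.123.25.25", rs(Content-Type)="application/javascript", s-action="TCP_NC_MISS", s-ip="212.212.212.5", sc-bytes="7205", sc-filter-result="OBSERVED", x-exception-id="-", x-virus-id="-", x-rs-certificate-observed-errors="none", x-cs-ocsp-error="-", x-rs-ocsp-error="-", x-rs-connection-negotiated-cipher-strength="high", x-rs-certificate-hostname="*.somedomain.com", x-rs-certificate-hostname-category="Web Ads/Analytics"',
    # Constructed for this example: a denied .exe download that also triggered antivirus.
    '<111>2020-12-04T00:16:02 Bluecoatsyslog time-taken="5", c-ip="105.128.196.11", cs-username="user.example", cs-auth-group="-", cs-categories="Malicious Sources/Malnets", sc-status="403", cs-uri-scheme="http", cs-host="bad.example.net", cs-uri-port="80", cs-uri-extension="exe", cs(User-Agent)="curl/7.68.0", cs-uri-path="/update.exe", cs-method="GET", cs-bytes="210", r-ip="198.51.100.7", rs(Content-Type)="-", s-action="TCP_DENIED", s-ip="212.212.212.5", sc-bytes="0", sc-filter-result="DENIED", x-exception-id="policy_denied", x-virus-id="EICAR-Test-File", x-rs-certificate-observed-errors="-", x-cs-ocsp-error="-", x-rs-ocsp-error="-", x-rs-connection-negotiated-cipher-strength="-", x-rs-certificate-hostname="-", x-rs-certificate-hostname-category="-"',
]

# <PRI>timestamp Bluecoatsyslog key=value, key=value, ...
HEADER_RE = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>\S+) Bluecoatsyslog (?P<body>.*)$')
# One key=value pair. Keys may name an HTTP header in parentheses, e.g. cs(User-Agent);
# values are double-quoted (spaces, commas and parentheses allowed inside) or bare.
PAIR_RE = re.compile(r'(?P<key>[A-Za-z0-9_-]+(?:\([^()]*\))?)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,]*))')
SEP_RE = re.compile(r',\s*')
# $(field) substitutions in the template, allowing one nesting level for $(cs(User-Agent)).
SUBST_RE = re.compile(r'\$\(((?:[^()]|\([^()]*\))+)\)')
# Substitutions that build the timestamp rather than a key=value field.
TIMESTAMP_SUBSTS = {'date', 'x-bluecoat-hour-utc', 'x-bluecoat-minute-utc', 'x-bluecoat-second-utc'}


def parse_pairs(body: str) -> Dict[str, str]:
    """Walk the body left to right so an '=' inside a quoted value is never taken for a key."""
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        m = PAIR_RE.match(body, pos)
        if not m:
            raise ValueError(f'unparseable access-log body at offset {pos}: {body[pos:pos + 30]!r}')
        fields[m['key']] = m['quoted'] if m['quoted'] is not None else m['bare'].strip()
        pos = m.end()
        sep = SEP_RE.match(body, pos)
        if sep:
            pos = sep.end()
        elif pos < len(body):
            raise ValueError(f'expected "," at offset {pos}: {body[pos:pos + 30]!r}')
    return fields


def parse_event(line: str) -> Dict[str, object]:
    """Split the syslog PRI and timestamp from the Bluecoatsyslog body and parse the body."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a Bluecoatsyslog access-log event')
    pri = int(m['pri'])
    return {
        'facility': pri // 8,  # <111> -> 13 (log audit)
        'severity': pri % 8,   # <111> -> 7 (debug)
        'timestamp': m['ts'],
        'fields': parse_pairs(m['body']),
    }


def flag_event(fields: Dict[str, str]) -> List[str]:
    """Return the reasons an analyst would want to look at this request, in a fixed order."""
    reasons: List[str] = []
    if fields.get('sc-filter-result') == 'DENIED':
        reasons.append('policy denied request')
    virus = fields.get('x-virus-id', '-')
    if virus not in ('-', ''):
        reasons.append(f'antivirus hit: {virus}')
    cert_errors = fields.get('x-rs-certificate-observed-errors', '-')
    if cert_errors not in ('-', '', 'none'):
        reasons.append(f'upstream certificate errors: {cert_errors}')
    for side in ('x-cs-ocsp-error', 'x-rs-ocsp-error'):
        if fields.get(side, '-') not in ('-', ''):
            reasons.append(f'{side}: {fields[side]}')
    strength = fields.get('x-rs-connection-negotiated-cipher-strength', '-')
    if fields.get('cs-uri-scheme') == 'https' and strength != 'high':
        reasons.append(f'negotiated cipher strength {strength!r} on an https request')
    return reasons


def template_fields(template: str) -> List[str]:
    """Every $(field) name the custom format emits, in order (e.g. 'cs(User-Agent)')."""
    return SUBST_RE.findall(template)


def missing_fields(template: str, fields: Dict[str, str]) -> Set[str]:
    """Fields the pasted template should have produced but the parsed record lacks.

    The template writes each $(field) behind a key of the same name, so an empty set
    means every field reached the SIEM under the expected key after a format change.
    """
    return set(template_fields(template)) - TIMESTAMP_SUBSTS - set(fields)


if __name__ == '__main__':
    for line in SAMPLE_EVENTS:
        event = parse_event(line)
        rec = event['fields']
        print(f"{event['timestamp']} {rec['c-ip']} {rec['cs-method']} {rec['cs-uri-scheme']}://"
              f"{rec['cs-host']}{rec['cs-uri-path']} {rec['sc-status']} {rec['s-action']} "
              f"flags={flag_event(rec) or 'none'}")
    print('template fields missing from the sample:',
          missing_fields(FORMAT_TEMPLATE, parse_event(SAMPLE_EVENTS[0])['fields']) or 'none')
```

Run missing_fields against a real record from the appliance after every format edit: a non-empty set means a key was renamed or a $(field) dropped, and FortiSIEM will silently lose that attribute rather than fail.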
