Collect Juniper NetScreen Firewall logs

Supported in:

This document explains how to set up Juniper NetScreen Firewall logs to be sent to Google Security Operations. The parser extracts fields using grok patterns, handling various syslog formats and JSON payloads. It then maps these extracted fields to the UDM, categorizing events as network connections, user logins, status updates, or generic events based on the presence of specific fields like IP addresses, usernames, and ports.

Before you begin

  • Ensure that you have administrative access to your Juniper NetScreen Firewall.
  • Ensure that you have a Google Security Operations instance.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:

    1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:54525"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
                log_type: SYSLOG
                namespace: juniper_firewall
                raw_log_field: body
    
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels
    
    
  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop BindPlaneAgent && net start BindPlaneAgent
    

Configure Juniper Networks NetScreen firewall

  1. Sign in to the Juniper NetScreen web interface.
  2. Select Configuration > Report settings > Log settings.
  3. Select all the Event severity checkboxes.
  4. Click Apply.
  5. Select Configuration > Report settings > Syslog.
  6. Select the Enable syslog messages checkbox.
  7. In the Source interface list, select the NetScreen interface from which the syslog packets need to be sent.
  8. In the Syslog servers section, select the Enable checkbox and provide the following:
    1. IP/Hostname: enter the Bindplane IP address.
    2. Port: enter the Bindplane port number.
    3. MDR facility: select Local0 facility level.
    4. Facility: select Local0 facility level.
  9. Click Apply.

UDM Mapping Table

Log Field UDM Mapping Logic
ACTION security_result.action_details Directly mapped from the ACTION field extracted via GROK and KV filters.
APPLICATION principal.application Directly mapped from the APPLICATION field extracted via GROK and KV filters.
application target.application Directly mapped from the application field extracted via GROK.
attack-name security_result.threat_name Directly mapped from the attack-name field extracted via GROK.
bytes-from-client network.sent_bytes Directly mapped from the bytes-from-client field extracted via GROK.
bytes-from-server network.received_bytes Directly mapped from the bytes-from-server field extracted via GROK.
command target.process.command_line Directly mapped from the command field extracted via GROK.
destination-address target.ip Directly mapped from the destination-address field extracted via GROK.
destination-port target.port Directly mapped from the destination-port field extracted via GROK.
destination-zone additional.fields[].value.string_value Directly mapped from the destination-zone field extracted via GROK and KV filters. The key is set to destination-zone.
destination_zone-name security_result.detection_fields[].value Directly mapped from the destination_zone-name field extracted via GROK. The key is set to dstzone.
dst-nat-rule-name security_result.detection_fields[].value Directly mapped from the dst-nat-rule-name field extracted via GROK. The key is set to dst-nat-rule-name.
dst-nat-rule-type security_result.detection_fields[].value Directly mapped from the dst-nat-rule-type field extracted via GROK. The key is set to dst-nat-rule-type.
elapsed-time network.session_duration.seconds Directly mapped from the elapsed-time field extracted via GROK.
encrypted security_result.detection_fields[].value Directly mapped from the encrypted field extracted via GROK. The key is set to encrypted.
event_time metadata.event_timestamp The timestamp is extracted from the raw log using various GROK patterns, prioritizing event_time, then TIMESTAMP_ISO8601, and finally SYSLOGTIMESTAMP. It is then converted to a timestamp object.
host principal.hostname, intermediary.hostname If type is NetScreen, mapped to intermediary.hostname. Otherwise, mapped to principal.hostname.
host_ip intermediary.ip Directly mapped from the host_ip field extracted via GROK.
icmp-type network.icmp_type Directly mapped from the icmp-type field extracted via GROK.
ident target.application Directly mapped from the ident field extracted via GROK and JSON filters.
inbound-bytes network.received_bytes Directly mapped from the inbound-bytes field extracted via GROK.
inbound-packets network.received_packets Directly mapped from the inbound-packets field extracted via GROK.
ip principal.ip, intermediary.ip If type is NetScreen, mapped to intermediary.ip. Otherwise, mapped to principal.hostname.
message security_result.description If the message is JSON and the log_message_data field is not present, the message field is used as the description.
msg_data security_result.summary Directly mapped from the msg_data field extracted via GROK.
nat-destination-address target.nat_ip Directly mapped from the nat-destination-address field extracted via GROK.
nat-destination-port target.nat_port Directly mapped from the nat-destination-port field extracted via GROK.
nat-source-address principal.nat_ip Directly mapped from the nat-source-address field extracted via GROK.
nat-source-port principal.nat_port Directly mapped from the nat-source-port field extracted via GROK.
outbound-bytes network.sent_bytes Directly mapped from the outbound-bytes field extracted via GROK.
outbound-packets network.sent_packets Directly mapped from the outbound-packets field extracted via GROK.
packets-from-client network.sent_packets Directly mapped from the packets-from-client field extracted via GROK.
packets-from-server network.received_packets Directly mapped from the packets-from-server field extracted via GROK.
packet-incoming-interface security_result.detection_fields[].value Directly mapped from the packet-incoming-interface field extracted via GROK. The key is set to packet-incoming-interface.
pid target.process.pid Directly mapped from the pid field extracted via GROK and JSON filters.
policy-name security_result.rule_name Directly mapped from the policy-name field extracted via GROK.
PROFILE additional.fields[].value.string_value Directly mapped from the PROFILE field extracted via GROK and KV filters. The key is set to PROFILE.
protocol-id, protocol-name network.ip_protocol Mapped from the protocol-id or protocol-name field extracted via GROK. The value is converted to the corresponding IP protocol enum.
REASON additional.fields[].value.string_value Directly mapped from the REASON field extracted via GROK and KV filters. The key is set to REASON.
reason security_result.description Directly mapped from the reason field extracted via GROK.
rule-name security_result.rule_name Directly mapped from the rule-name field extracted via GROK.
SESSION_ID network.session_id Directly mapped from the SESSION_ID field extracted via GROK and KV filters.
service-name security_result.detection_fields[].value Directly mapped from the service-name field extracted via GROK. The key is set to srvname.
source-address principal.ip Directly mapped from the source-address field extracted via GROK.
source-port principal.port Directly mapped from the source-port field extracted via GROK.
source-zone additional.fields[].value.string_value Directly mapped from the source-zone field extracted via GROK and KV filters. The key is set to source-zone.
source_zone-name security_result.detection_fields[].value Directly mapped from the source_zone-name field extracted via GROK. The key is set to srczone.
src-nat-rule-name security_result.detection_fields[].value Directly mapped from the src-nat-rule-name field extracted via GROK. The key is set to src-nat-rule-name.
src-nat-rule-type security_result.detection_fields[].value Directly mapped from the src-nat-rule-type field extracted via GROK. The key is set to src-nat-rule-type.
subtype metadata.product_event_type Directly mapped from the subtype field extracted via GROK.
threat-severity security_result.severity_details Directly mapped from the threat-severity field extracted via GROK.
time metadata.event_timestamp Directly mapped from the time field extracted via GROK and JSON filters. Converted to timestamp object.
username target.user.userid Directly mapped from the username field extracted via GROK.
metadata.log_type Hardcoded to JUNIPER_FIREWALL. Hardcoded to JUNIPER_FIREWALL or NetScreen based on the type field. Hardcoded to JUNIPER_FIREWALL. Set to ALLOW or BLOCK based on logic in the parser. Set to LOW, MEDIUM, HIGH, INFORMATIONAL, or CRITICAL based on the subtype and severity_details fields.

Need more help? Get answers from Community members and Google SecOps professionals.