FAQ(ECL2.0)
Network-based Security - FAQ
-
What is the session retention time of the Managed WAF?
The Managed WAF retains a session for 2 minutes after communication on it stops.
-
Is it possible to change the menu from Managed Firewall to Managed UTM, or vice versa?
You can change the menu from Managed Firewall to Managed UTM without restarting the device. On the other hand, you cannot change the menu from Managed UTM to Managed Firewall.
Tutorials - Security - Managed Firewall / Managed UTM - Menu/Plan Modification (Single Constitution)
Tutorials - Security - Managed Firewall / Managed UTM - Menu/Plan Modification (HA Constitution)
-
Please tell me the difference between the Antivirus function of the Managed UTM Firewall Policy and the Antivirus scan function of the Managed WAF File Upload Restriction Policy.
The Managed UTM Antivirus function inspects communication on a signature basis and detects and protects against communication judged to be a virus. The Managed WAF File Upload Restriction Policy is a function that restricts file uploads to the customer's Web server; its Antivirus function is an additional option that virus-scans the uploaded files (attachments).
The main differences are as follows.
The supported protocols differ:
- Managed UTM: HTTP, FTP, SMTP, POP3, IMAP, MAPI, NNTP
- Managed WAF: HTTP, HTTPS
The action taken on files larger than the threshold differs:
- Managed UTM does not detect such a file and allows it to pass.
- Managed WAF can detect and block it.
Please refer to the following for other differences.
Service Descriptions - Managed UTM - Available Functions - Security
Service Descriptions - Managed WAF - Available Functions - Security
-
Let me know the viewable / searchable log retention period of the Log Analysis function of Managed WAF.
Detailed logs obtained via the portal (Firewall function): 1 week (7 days).
Logs acquired by the security function (security detection logs): 3 months.
The integrity of the obtained logs is not guaranteed. Customers who want to keep logs for a longer period in order to review search results are advised to forward them to a syslog server that they manage.
Reference: Service Descriptions - Managed WAF - Control Panel Functions
-
Let me know the viewable / searchable log retention period of the Log Analysis function of Managed UTM.
Detailed logs obtained via the portal (Firewall function): 1 week (7 days).
Logs acquired by the security function (security detection logs): 3 months.
The integrity of the obtained logs is not guaranteed. Customers who want to keep logs for a longer period in order to review search results are advised to forward them to a syslog server that they manage.
Reference: Service Descriptions - Managed UTM - Control Panel Functions
-
Let me know the viewable / searchable log retention period of the Log Analysis function of Managed Firewall.
Detailed logs obtained via the portal (Firewall function): 1 week (7 days).
The integrity of the obtained logs is not guaranteed. Customers who want to keep logs for a longer period in order to review search results are advised to forward them to a syslog server that they manage.
Reference: Service Descriptions - Managed Firewall - Control Panel Functions
-
Is it a problem if the web server protected by Managed WAF is in a different segment from the Managed WAF?
There is no problem as long as the Managed WAF network settings are configured correctly.
Reference: Tutorial - Managed WAF
-
In the Managed WAF log analysis function, please tell me the meaning of each item displayed in the Raw log field.
In the Managed WAF log analysis function, the main items in the Raw log and their meanings are as follows.
Reference: Tutorial - Managed WAF - Log Analytics
1. Items when the log type is traffic.
Item: Meaning of item
date= The date is displayed.
time= The time is displayed.
log_id= An ID used internally is displayed.
msg_id= An ID used internally is displayed.
vd= An ID used internally is displayed.
timezone= The time zone of the Managed WAF is displayed.
type= The type of log is displayed. [Traffic] is output for traffic-related logs.
subtype= The type of log is displayed. [http] is output for traffic-related logs. Note that it is also [http] for HTTPS communication.
pri= The log priority is displayed.
proto= The protocol described in the IP header is displayed.
service= [http] or [https] is displayed.
status= [success] is output when the communication succeeded, [failure] when it failed.
reason= The reason for the status is displayed.
policy= The Server Policy is displayed.
src= The source IP address is displayed.
src_port= The source port number is displayed.
dst= The destination IP address is displayed.
dst_port= The destination port number is displayed.
http_request_time= The time (ms) taken to process the request is displayed.
http_response_time= The time (ms) taken to process the response is displayed.
http_request_bytes= The number of bytes in the request is displayed.
http_response_bytes= The number of bytes in the response is displayed.
http_method= The HTTP method is displayed.
http_url= The URL is displayed.
http_agent= The User Agent is displayed.
http_retcode= The HTTP return code is displayed.
msg= A message is displayed.
srccountry= The country from which the communication was sent is displayed.
server_pool_name= The Real Server name is displayed.
http_host= The host is displayed.
2. Items when the log type is Security detection.
Item: Meaning of item
date= The date is displayed.
time= The time is displayed.
log_id= An ID used internally is displayed.
msg_id= An ID used internally is displayed.
vd= An ID used internally is displayed.
timezone= The time zone of the Managed WAF is displayed.
type= The type of log is displayed. [attack] is output for WAF detection-related logs.
subtype= The type of log is displayed. For security detection logs, the function that detected the event is displayed, e.g. [subtype = waf_signature_detection].
pri= The log priority is displayed.
trigger_policy= The name of the policy that detected the attack is displayed.
severity_level= The severity level of the log is displayed.
proto= The protocol described in the IP header is displayed.
service= [http] or [https] is displayed.
action= Output for security detection logs; one of the following actions taken on detection is displayed:
  Alert_Deny ... Communication is blocked.
  Alert ... Communication is not blocked. (Displayed when the signature is set to alert only.)
  Erace ... Communication is allowed with some information removed from the HTTP response.
  * In monitor mode the displayed action does not change, but the actual behaviour is as follows:
  Alert_Deny ... Communication is not blocked.
  Alert ... Communication is not blocked.
  Erace ... Communication passes without information being erased.
policy= The Server Policy that matched the communication on the Managed WAF is displayed.
src= The source IP address is displayed.
src_port= The source port number is displayed.
dst= The destination IP address is displayed.
dst_port= The destination port number is displayed.
http_method= The HTTP method is displayed.
http_url= The URL is displayed.
http_host= The host is displayed.
http_agent= The User Agent is displayed.
http_session_id= The Session ID is displayed.
msg= The content at the time of detection is displayed.
signature_subclass= The subclass name of the signature is displayed.
signature_id= The signature ID is displayed.
srccountry= The country from which the communication was sent is displayed.
server_pool_name= The applied Server Pool is displayed.
false_positive_mitigation= Displays whether a syntax check is executed in addition to the SQL injection signature.
-
In the Managed Firewall / UTM log analysis function, please tell me the meaning of each item displayed in the Raw log field.
The main items in the Raw log and their meanings are as follows.
1. The meaning of each item displayed in the Raw log field.
Item: Meaning of item
type = The type of log. For traffic logs, [type = traffic] is displayed; for security logs, [type = utm] is displayed.
subtype = The type of log. For traffic logs, [subtype = forward] is displayed; for security logs, the UTM function that detected the event is displayed, e.g. [subtype = ips].
srcip = The source IP address.
srcintf = The interface on which the communication entered (was received by) the Managed Firewall / UTM.
dstip = The destination IP address.
dstintf = The interface on which the communication left (was sent by) the Managed Firewall / UTM.
proto = The protocol number described in the IP header. ICMP: [proto = 1], TCP: [proto = 6], UDP: [proto = 17].
action = The processing result of the communication on the Managed Firewall / UTM. When communication is permitted, UDP / ICMP: [action = accept] and TCP: [action = close].
# When a TCP communication ends, the log is output as [action = close].
policyid = The Policy ID of the Firewall Policy that the communication matched on the Managed Firewall / UTM.
trandisp = Displayed when Source NAT or Destination NAT is applied. For Source NAT, [trandisp = snat] is displayed; for Destination NAT, [trandisp = dnat] is displayed.
tranip = The IP address after translation when Destination NAT is applied.
tranport = The port number (translated by Port Forward) when Destination NAT is applied.
# If Port Forward is not set, the port is displayed as [tranport =].
duration = The time (in seconds) from the start of the communication to its end.
Reference: Tutorials - Managed Firewall / Managed UTM - Log Analytics
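An added example (not code from the ECL2.0 service or its tutorials) that parses raw log lines of both kinds described in this FAQ and interprets them with the field meanings above, for the Managed Firewall / UTM entry here and the Managed WAF entry in the previous answer. It assumes raw lines are written as key=value pairs separated by spaces (the bracketed [proto = 1] notation above is for readability), that the monitor-mode state of a WAF policy is known to the reader rather than present in the log, and that the two sample lines are constructed with placeholder policy and signature names.

```python
import shlex

# Field meanings are those given in the FAQ; the two sample lines are constructed.
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}
NAT_NAMES = {"snat": "Source NAT", "dnat": "Destination NAT"}
WAF_ACTIONS = {"Alert_Deny": "blocked", "Alert": "alert only (not blocked)",
               "Erace": "allowed, part of the HTTP response erased"}

SAMPLE_FIREWALL = ('type=traffic subtype=forward srcip=10.0.0.5 srcintf=port1 '
                   'dstip=192.0.2.10 dstintf=port2 proto=6 action=close policyid=3 '
                   'trandisp=dnat tranip=192.168.1.10 tranport= duration=12')
SAMPLE_WAF = ('type=attack subtype=waf_signature_detection pri=alert trigger_policy=pol_example '
              'severity_level=High proto=tcp service=https action=Alert_Deny src=203.0.113.7 '
              'src_port=51234 dst=192.0.2.10 dst_port=443 http_method=GET '
              'http_url="/login?id=1" msg="Signature match" signature_id=sig_example')

def parse_raw_log(line):
    """Split 'key=value key2="quoted value"' into a dict; a bare 'key=' gives ''."""
    fields = {}
    for token in shlex.split(line):        # shlex keeps quoted values with spaces together
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def summarize_firewall(fields):
    """Interpret a Managed Firewall / UTM entry (type=traffic or type=utm)."""
    action = fields.get("action", "")
    return {
        "security_event": fields.get("type") == "utm",   # utm = detection by a UTM function
        "function": fields.get("subtype"),
        "protocol": PROTO_NAMES.get(fields.get("proto"), "proto " + fields.get("proto", "?")),
        # accept (UDP/ICMP) and close (a finished TCP session) both mean the traffic was permitted
        "permitted": action in ("accept", "close"),
        "nat": NAT_NAMES.get(fields.get("trandisp"), "none"),
        # an empty tranport= means Destination NAT without Port Forward
        "port_forwarded": bool(fields.get("tranport")),
        "policy_id": fields.get("policyid"),
    }

def summarize_waf(fields, monitor_mode=False):
    """Interpret a Managed WAF security detection entry (type=attack)."""
    action = fields.get("action", "")
    effect = WAF_ACTIONS.get(action, "unknown action " + action)
    # In monitor mode the action field is unchanged but nothing is blocked or erased
    if monitor_mode and action in WAF_ACTIONS:
        effect = "not blocked (monitor mode)"
    return {"policy": fields.get("trigger_policy"), "severity": fields.get("severity_level"),
            "signature_id": fields.get("signature_id"), "effect": effect,
            "source": fields.get("src"), "url": fields.get("http_url")}
```

Because the WAF log shows the same action value in monitor mode, a reviewer must know the policy mode before concluding that a logged Alert_Deny actually stopped anything.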
-
On the "Web filter function" of Managed UTM, is it possible to set up a white list, in which all Web access is denied and only permitted URLs are registered?
This can be achieved with the settings below. However, wildcards cannot be used in the Global URL List. Please check the tutorial for details.
ex)
1 URL:AAA.co.jp Type:simple Action:exempt
2 URL:BBB.co.jp Type:simple Action:exempt
3 URL:* Type:wildcard Action:block
Tutorials - Managed Firewall / Managed UTM - Web Filter [ Web Filter Function Profile ]
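An added model (not code from the ECL2.0 service) of the three-entry white list above, showing why the order of the entries matters. It assumes, because the page does not say so, that entries are evaluated top to bottom with the first match winning, that a "simple" entry matches when its string is contained in the requested URL, and that a "wildcard" entry uses * globbing.

```python
from fnmatch import fnmatchcase

# The three entries from the FAQ answer, in the order given. Assumptions (not stated on the
# page): first match wins, "simple" matches when its string is contained in the URL, and
# "wildcard" uses * globbing.
WHITELIST = [
    {"url": "AAA.co.jp", "type": "simple", "action": "exempt"},
    {"url": "BBB.co.jp", "type": "simple", "action": "exempt"},
    {"url": "*", "type": "wildcard", "action": "block"},
]

def entry_matches(entry, url):
    """Return True if the URL list entry applies to the requested URL (case-insensitive)."""
    if entry["type"] == "simple":
        return entry["url"].lower() in url.lower()
    return fnmatchcase(url.lower(), entry["url"].lower())

def web_filter_action(url, url_list=WHITELIST):
    """Return the action of the first matching entry, or None when no entry matches."""
    for entry in url_list:
        if entry_matches(entry, url):
            return entry["action"]
    return None
```

If the catch-all block entry is placed above the exempt entries, every request is blocked, so the wildcard entry must stay last.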