A very valuable source of data for SIEM solutions is your firewall. Firewall logs give an excellent view not just of your network perimeter, but of traffic behaviour in all directions.
These instructions will help you configure log forwarding on your firewall correctly so that events are sent to QRadar SIEM.
Note: You will need administrator access to your firewall to perform these tasks.
Regardless of which firewall vendor you have implemented, the firewall should be capable of sending syslog events to an external log repository. In our case, the repository is the QRadar Appliance that has been deployed into your SOC/QR Network.
Refer to your firewall documentation to see where and how this is applied. You will also need the IP address of your local QRadar Appliance; if unsure of the IP, check with your Secure-ISS SOC Deployment main contact.
If available, the syslog events that are forwarded to the Appliance should be sent in the LEEF format. The Log Event Extended Format (LEEF) is a customized event format for IBM® Security QRadar®.
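Before pointing a firewall at the Appliance it is worth confirming that what it emits actually parses as LEEF. The following is an added example, not code from this page or from IBM: a small LEEF 1.0/2.0 parser in Python, run over two constructed event lines (the vendor "ExampleFW", product "NGFW" and all addresses are made up). It handles the pipe-separated header, the optional LEEF 2.0 delimiter field (literal or hex such as x09) and the \| and \= escapes.

```python
import re
from dataclasses import dataclass


@dataclass
class LeefEvent:
    version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict


def _resolve_delimiter(spec: str) -> str:
    """LEEF 2.0 names its attribute delimiter literally or as hex (x09 / 0x09 = tab)."""
    m = re.fullmatch(r"(?:0x|x)([0-9A-Fa-f]{1,4})", spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) != 1:
        raise ValueError(f"invalid LEEF delimiter spec: {spec!r}")
    return spec


def parse_leef(line: str) -> LeefEvent:
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 event (syslog header is skipped)."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    # Header fields are pipe-separated; a literal pipe inside a field is escaped as "\|".
    parts = re.split(r"(?<!\\)\|", line[start + len("LEEF:"):])
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    version = parts[0]
    vendor, product, product_version, event_id = (p.replace("\\|", "|") for p in parts[1:5])
    delim, payload_start = "\t", 5
    # LEEF 2.0 may insert an optional delimiter field after EventID; 1.0 is always tab.
    if version.startswith("2.") and len(parts) > 6 and "=" not in parts[5]:
        delim, payload_start = _resolve_delimiter(parts[5]), 6
    payload = "|".join(parts[payload_start:])  # pipes are legal inside attribute values
    attributes = {}
    for pair in payload.split(delim):
        if not pair:
            continue
        kv = re.split(r"(?<!\\)=", pair, maxsplit=1)  # "=" inside a value is escaped as "\="
        if len(kv) != 2:
            raise ValueError(f"malformed attribute: {pair!r}")
        attributes[kv[0]] = kv[1].replace("\\=", "=")
    return LeefEvent(version, vendor, product, product_version, event_id, attributes)


# Constructed sample lines (made-up vendor, host and addresses), each behind a syslog header.
SAMPLE_EVENTS = [
    "<134>Jan 17 10:21:03 fw01 LEEF:2.0|ExampleFW|NGFW|7.2|accept|^|devTime=Jan 17 2024 10:21:03"
    "^src=10.0.0.5^dst=203.0.113.7^srcPort=51234^dstPort=443^proto=TCP^action=Allow",
    "<134>Jan 17 10:21:04 fw01 LEEF:1.0|ExampleFW|NGFW|7.2|deny|src=192.0.2.9\tdst=10.0.0.20\tdstPort=22\taction=Drop",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_leef(raw)
        print(ev.vendor, ev.product, ev.event_id, ev.attributes)
```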
Each firewall vendor has a different way of configuring syslog and of formatting events as LEEF (where supported). Here are instructions for some commonly deployed firewall vendors. If your firewall vendor is not listed here, check with your Secure-ISS SOC Deployment main contact.
Check Point - Syslog configuration - https://www.ibm.com/docs/en/dsm?topic=point-integrate-check-by-using-syslog#c_dsm_guide_checkpoint_firewall1_syslogintegration
Check Point - LEEF format configuration - https://www.ibm.com/docs/en/dsm?topic=point-configuring-check-forward-leef-events-qradar
Palo Alto - Syslog and LEEF configuration - https://wiki.secure-iss.com/en/Public/SOC/Palo-Alto-Log-Fowarding
WatchGuard Fireware OS - Syslog and LEEF configuration - https://www.ibm.com/docs/en/dsm?topic=wfo-configuring-your-watchguard-fireware-os-appliance-in-policy-manager-communication-qradar
SonicWall - Syslog configuration (LEEF not supported) - https://www.ibm.com/docs/en/dsm?topic=sonicwall-configuring-forward-syslog-events
FortiGate (FortiOS CLI) - Syslog configuration (LEEF not supported). Replace <IP_address> with the IP address of your QRadar Appliance:
config log syslogd setting
set status enable
set facility syslog
set reliable enable
set port 514
set mode udp
set server <IP_address>
end
Note: not every FortiOS release accepts both "set reliable" and "set mode"; if the CLI rejects one of them, omit it, and make sure the resulting transport (UDP 514 here) matches what the QRadar log source is listening on.