
Consuming Native O/S Firewall Logs for Continuous Monitoring

12Port Horizon can consume, if available, native Windows or Linux Operating System (O/S) firewall logs to discover inbound connections and traffic to each Host managed as an asset. This function generates a comprehensive Connections report to better determine connection attempts to each host which is beneficial when building segmentation policies.

Tip

Neither Windows nor Linux keeps its native firewall logs indefinitely, so it is important that the 12Port Horizon collection script is scheduled frequently enough to capture all traffic events before the O/S retention policy removes them.

Enabling Native O/S Firewall Logging

If native firewall logging is already enabled on your Hosts, you may skip this section; otherwise review this section to learn how to enable native firewall logging so Horizon can consume the recorded network traffic events.

Windows Firewall Logging

To enable Windows Defender Firewall Logging using Horizon please perform the following steps on each Host where Horizon collection is to take place:

  1. Log in to Horizon and add the script named Windows Firewall Logs Enable to each Asset's task list where collection is to take place. If the script is already present in the task list, skip to the next step.
  2. Execute this script against each asset one time to enable Windows Defender Firewall Logs on each host. Use the Execute > Windows Firewall Logs Enable option to perform this one-time execution.

Note

To disable Windows Defender Logging you can run the Horizon script Windows Firewall Logs Disable one time against the Host managed by the asset.

To enable Windows Defender Firewall Logging manually please perform the following steps on each Host where Horizon collection is to take place:

  1. Log in to the Host server and open a new PowerShell prompt with Administrator privileges.
  2. Execute the following three PowerShell commands as-is. They enable firewall logging on the host for each profile (Domain, Private, Public) for dropped and successful connections, with a maximum file size of 32MB, written to the file system location that 12Port Horizon expects.

    Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogAllowed True -LogIgnored True -LogMaxSizeKilobytes 32767 -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall_domain.log

    Set-NetFirewallProfile -Profile Private -LogBlocked True -LogAllowed True -LogIgnored True -LogMaxSizeKilobytes 32767 -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall_private.log

    Set-NetFirewallProfile -Profile Public -LogBlocked True -LogAllowed True -LogIgnored True -LogMaxSizeKilobytes 32767 -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall_public.log

Note

To manually disable Windows Defender Logging you can run the following PowerShell commands as-is on the host itself:

Set-NetFirewallProfile -Profile Domain -LogBlocked False -LogAllowed False -LogIgnored False

Set-NetFirewallProfile -Profile Private -LogBlocked False -LogAllowed False -LogIgnored False

Set-NetFirewallProfile -Profile Public -LogBlocked False -LogAllowed False -LogIgnored False


To confirm logging was enabled, open Windows Defender on the host itself, click the Properties option, then the Customize button in the Logging section and confirm the Name, Size, Log dropped packets, Log successful connections and Default path for log files parameters are configured as below for each of the Domain, Private and Public Profiles:

Confirm Windows Defender Logging Enabled


Linux Firewall Logging

To enable Linux Firewall Logging using Horizon please perform the following steps on each Host where Horizon collection is to take place:

  1. Log in to Horizon and add the script named IPTables Firewall Logs Enable to each Asset's task list where collection is to take place. If the script is already present in the task list, skip to the next step.
  2. Execute this script against each asset one time to enable IPTables Firewall Logs on each host. Use the Execute > Linux Firewall Logs Enable option to perform this one-time execution.

Note

To remove this Linux Logging you can run the Horizon script IPTables Firewall Logs Disable one time against the Host managed by the asset.

To enable Linux Firewall Logging manually please perform the following steps on each Host where Horizon collection is to take place:

  1. Log in to the Host server and open a new prompt with sudo privileges.
  2. Execute the following two commands. They add a rule to the OUTPUT chain of both IPTables and IP6Tables that matches outbound TCP packets with both the SYN and ACK flags set (the host's reply accepting an inbound connection) and log each match with the tag ZTNA_ALLOW_TCP.

    sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "ZTNA_ALLOW_TCP: "

    sudo ip6tables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "ZTNA_ALLOW_TCP: "


Note

To manually remove this Linux Logging you can execute the following script on the host itself:

sudo iptables -D OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "ZTNA_ALLOW_TCP: "

sudo ip6tables -D OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "ZTNA_ALLOW_TCP: "


To confirm logging was enabled, run the following script on the host:

sudo iptables -S

Confirm IPTables Rule Created


12Port Horizon expects the logging events, tagged with ZTNA_ALLOW_TCP, to be generated in one of the following locations on the Host server:

   /var/log/kern.log
   /var/log/messages
   /var/log/syslog

If the logging events appear in a different location on your Hosts, please contact our Support Team for further assistance.
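As an added example (not code from 12Port Horizon or this guide), the following Python turns both log formats described above into inbound connection records: the Windows pfirewall_*.log file, whose column order is read from its #Fields header, and the kernel LOG lines tagged ZTNA_ALLOW_TCP. The sample log lines are constructed; note that the iptables rule records the host's own SYN/ACK reply, so source and destination must be swapped to obtain the inbound connection.

```python
import re
from collections import Counter

# Constructed sample of a Windows Defender Firewall log (pfirewall_*.log).
# The column order is read from the #Fields header instead of being hard-coded.
WIN_LOG = """#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:32 ALLOW TCP 10.0.0.5 10.0.0.10 51234 3389 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:15:33 DROP TCP 10.0.0.7 10.0.0.10 44321 445 52 S 123456 0 8192 - - - RECEIVE
2024-05-01 10:15:34 ALLOW TCP 10.0.0.10 10.0.0.9 50001 443 0 - 0 0 0 - - - SEND
"""

# Constructed sample of kernel LOG lines produced by the ZTNA_ALLOW_TCP rule.
LINUX_LOG = """May  1 10:15:32 host1 kernel: ZTNA_ALLOW_TCP: IN= OUT=eth0 SRC=10.0.0.10 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=22 DPT=51234 WINDOW=65160 ACK SYN URGP=0
May  1 10:15:35 host1 kernel: ZTNA_ALLOW_TCP: IN= OUT=eth0 SRC=10.0.0.10 DST=10.0.0.7 LEN=60 PROTO=TCP SPT=443 DPT=40002 WINDOW=65160 ACK SYN URGP=0
May  1 10:15:36 host1 kernel: unrelated kernel message
"""

def parse_windows_log(text):
    """Yield (action, remote_ip, local_ip, local_port) for inbound entries."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("path") != "RECEIVE":
            continue  # SEND entries are the host's own outbound traffic
        yield rec["action"], rec["src-ip"], rec["dst-ip"], int(rec["dst-port"])

# The iptables rule logs the host's SYN/ACK reply, so SRC/SPT is the local
# service and DST/DPT the remote client; swap them to describe the inbound flow.
LINUX_RE = re.compile(r"ZTNA_ALLOW_TCP: .*?SRC=(\S+) DST=(\S+) .*?SPT=(\d+) DPT=(\d+)")

def parse_linux_log(text):
    """Yield (action, remote_ip, local_ip, local_port) for each tagged line."""
    for line in text.splitlines():
        m = LINUX_RE.search(line)
        if m:
            local_ip, remote_ip, local_port, _remote_port = m.groups()
            yield "ALLOW", remote_ip, local_ip, int(local_port)

def inbound_summary(records):
    """Count connection attempts per (action, local port) for policy building."""
    return Counter((action, port) for action, _, _, port in records)
```

The summary counts are the raw material for a segmentation policy: each (action, port) pair shows which services received connection attempts and whether the host firewall accepted or dropped them.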


Consuming Native Firewall Logging Events

After the native logging is configured appropriately, as described in the previous section of this guide, 12Port Horizon is ready to consume and aggregate the connection events of each host using their native firewall logging. To begin this collection:

  1. Log in with an account that can manage Asset Task Lists.
  2. Navigate to the Asset where native firewall log collection will take place or navigate to the Asset Type page (Management > Asset Type) and add the script to the Asset Task List (Manage > Tasks) or Asset Type Task List (Actions > Task) that is used with the asset.
    • Script: Windows Log Connections (for Windows O/S hosts) or Linux Log Connections (for Linux O/S hosts)
    • Trigger: select the Schedule option
    • Start At: <define a future start at date and time for this script>
    • Schedule: <define a schedule for future script execution>. We recommend a frequency of once a day to start and then adjust as needed.
    • Run As: select the Main option if the credentials in the Asset have native permission on the Host to execute remote scripts, otherwise select another option that will use an account with such native permissions.
  3. Click the Save button to complete the task configuration.

Note

When creating the task's Schedule please ensure it automatically executes more frequently than the native O/S removes its firewall logs. If the task is not executed prior to log removal, some connection events may be lost and not represented in the reporting.

Reviewing the Connections Report

After at least one Connection task has been completed and connection events consumed, you can view the results from the Asset's Connections Report.

To view an Asset's Connection Report, open or view the asset and access the report from the Reports > Connections menu. The Connection Report may also be viewed on the Container to view the collected connections from all child assets by using the Container's Reports > Connections menu.

Connections Report Example

Example Connections Report viewed from a Container