omnivista-2500-advanced-quarantine-manager-aqm

Differences

This view shows the differences between two revisions of the page.
omnivista-2500-advanced-quarantine-manager-aqm [2022/05/21 16:28] benny
omnivista-2500-advanced-quarantine-manager-aqm [2023/03/08 09:37] (current) – [Weiterführende Links - Whitepaper / Application Note] benny
Zeile 40: Zeile 40:
 <code> <code>
 benny@tiger:~$ logger -n 192.168.2.15 -d device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=1.2.3.4 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=dropped proto=6 benny@tiger:~$ logger -n 192.168.2.15 -d device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=1.2.3.4 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=dropped proto=6
 +</code>
 +
 +  * Hat man keine Linux-VM/-Maschine zur Verfügung sondern macOS oder Windows10/11 (mit z.B. MobaXterm), kann das Kommando wie folgt verwendet werden
 +
 +<code>
 +% echo device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=1.2.3.4 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=dropped proto=6 | nc -u 192.168.2.15 514
 </code> </code>
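Review bot: the nc one-liner added here (`% echo device_id=... | nc -u 192.168.2.15 514`) is not equivalent to the `logger -n 192.168.2.15 -d ...` line it is offered as a substitute for. logger wraps the message in a syslog PRI and header; the sample mail further down this page shows exactly what arrives that way (`<13>1 2022-05-22T17:33:28.004235+02:00 tiger benny - - [timeQuality ...] device_id=...`), whereas `echo | nc` sends only the bare key=value text with no `<PRI>`, timestamp or hostname. Either state that the AQM rule was verified to fire on the header-less variant as well, or prefix the payload so both transports deliver the same thing, e.g. `echo '<13>device_id=FGT50xxxxxxxxxxx log_id=0420070000 ...' | nc -u 192.168.2.15 514`. Minor: add `-w 1` so nc does not linger after the single datagram, and mention that the `%` prompt is the macOS zsh prompt while MobaXterm will show a `$`.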
  
Zeile 130: Zeile 136:
 <code> <code>
 benny@tiger:~$ logger -n 192.168.2.15 -d device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=217.12.6.122 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=release proto=6 benny@tiger:~$ logger -n 192.168.2.15 -d device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=217.12.6.122 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=release proto=6
 +</code>
 +
 +  * Hat man keine Linux-VM/-Maschine zur Verfügung sondern macOS oder Windows10/11 (mit z.B. MobaXterm), kann das Kommando wie folgt verwendet werden
 +
 +<code>
 +% echo device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=1.2.3.4 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=released proto=6 | nc -u 192.168.2.15 514
 </code> </code>
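Review bot: the two commands in this hunk send different payloads. The logger line carries `status=release` and `dst=217.12.6.122`, the nc line carries `status=released` and `dst=1.2.3.4`; the nc line reads like a copy of the ban example from line 40 with only the status word edited. If the release rule matches on the status value, at most one of the two spellings is the one AQM expects, so the reader cannot tell which to use. Make the two lines identical apart from the transport (same `status=`, same `dst=`), and repeat the caveat from the ban example that `echo | nc` sends the message without the syslog header that logger adds.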
  
Zeile 135: Zeile 147:
  
 {{ ::aqm:aqm16.png?direct&1000 |}} {{ ::aqm:aqm16.png?direct&1000 |}}
 +
 +===== Benachrichtung per eMail =====
 +
 +Es ist möglich Responder einzurichten die bei Events eine Benachrichtung senden.
 +
 +  * Konfiguration für die eMail
 +
 +<code>
 +Action - The action being taken, a ban or a release.
 +$Action$
 +
 +Reason - The Reason field from the QM object.
 +$Reason$ 
 +
 +MacAddress - The MAC address of the device being banned or release.
 +$MacAddress$
 +
 +IpAddress - The IP address of the device being banned or release. If the IP address is unknown it will be displayed as 0.0.0.0
 +$IpAddress$
 +
 +VlanName - The name of the VLAN that the device was banned to or released from:
 +$VlanName$
 +
 +MacGroupName - The MAC group that the device was banned to or released from:
 +$MacGroupName$
 +
 +Details - Contains a message with the Action, Mac, IP address, Vlan, and MacGroupName:
 +$Details$
 +</code>
 +
 +<code>
 +OmniVista AI/ML disconnected a malicious network device!
 +
 +Action - The action being taken, a ban or a release.
 +Banned
 +
 +Reason - The Reason field from the QM object.
 +<13>1 2022-05-22T17:33:28.004235+02:00 tiger benny - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="215500"] device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=217.12.6.122 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=dropped proto=6
 +
 +MacAddress - The MAC address of the device being banned or release.
 +dca632:554e61
 +
 +IpAddress - The IP address of the device being banned or release. If the IP address is unknown it will be displayed as 0.0.0.0
 +192.168.11.164
 +
 +VlanName - The name of the VLAN that the device was banned to or released from:
 +Quarantined
 +
 +MacGroupName - The MAC group that the device was banned to or released from:
 +Quarantined
 +
 +Details - Contains a message with the Action, Mac, IP address, Vlan, and MacGroupName:
 +Device dca632:554e61 (192.168.11.164) was Banned using the Quarantined VLAN at 5/22/22 5:33 PM.  The device was Banned because <13>1 2022-05-22T17:33:28.004235+02:00 tiger benny - - [timeQuality tzKnown="1" isSynced="1" syncAccuracy="215500"] device_id=FGT50xxxxxxxxxxx log_id=0420070000 type=ips subtype=signature pri=alert attack_id=103022660 src=192.168.11.164 dst=217.12.6.122 src_port=2098 dst_port=80 src_int=internal dst_int=n/a status=dropped proto=6
 +</code>
  
 ===== Weiterführende Links - Whitepaper / Application Note ===== ===== Weiterführende Links - Whitepaper / Application Note =====
-  * [[https://www.spacewalkers.com/wp-content/uploads/2021/03/omnivista-upam-fortinet-sso-application-note-en-SP.pdf|Alcatel-Lucent OmniVista 2500 UPAM and Fortinet Single Sign-On Application Note]] +  * [[https://www.al-enterprise.com/-/media/assets/internet/documents/omnivista-upam-fortinet-sso-application-note-en.pdf|Alcatel-Lucent OmniVista 2500 UPAM and Fortinet Single Sign-On Application Note]] 
-  * [[https://www.spacewalkers.com/wp-content/uploads/2021/03/UPAM-Pan-Firewall-Integration-Application-Note-Eng.pdf|OmniVista UPAM and Palo Alto Networks User-ID Integration Guide]]+  * [[https://www.al-enterprise.com/en/-/media/assets/internet/documents/t-to-z/upam-pan-firewall-integration-application-note-eng.pdf|OmniVista UPAM and Palo Alto Networks User-ID Integration Guide]] 
 + 
 + 
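Review bot: the new "Benachrichtung per eMail" section documents the mail template but not where the ban decision originates, and the sample mail makes that worth a sentence: `$Reason$` and `$Details$` reproduce the received syslog line verbatim (`<13>1 2022-05-22T17:33:28.004235+02:00 tiger benny - - [timeQuality ...] ... status=dropped proto=6`), and the examples earlier on the page show that a single unauthenticated UDP datagram to port 514 with an arbitrary `src=` value is enough to move a device into the Quarantined VLAN. Add a note that the syslog sources AQM accepts should be restricted to the actual firewall (here `device_id=FGT50xxxxxxxxxxx`), so that neither the ban nor the text that lands in the mail can be driven by anyone on the network who can reach 192.168.2.15:514. Style: "Benachrichtung" in the heading and in the first sentence should be "Benachrichtigung". Pointing the two whitepaper links at al-enterprise.com instead of the spacewalkers.com copies is a good change.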
omnivista-2500-advanced-quarantine-manager-aqm.1653150498.txt.gz · Last modified: 2022/05/21 16:28 by benny
