Applies To: PoliWall Security Appliance version 1.21.00
Overview
Bandura's PoliWall is an in-line appliance that reduces noise at the network perimeter, decreasing the workload of systems deeper inside the network and making routers, firewalls and IDS/IPS more effective. EventTracker receives syslog data from PoliWall and supports visualization and analysis of allowed and blocked traffic through alerts, reports, dashboards and knowledge objects. EventTracker also queries IPVoid to identify blacklisted IP addresses in allowed traffic and raises an alert to notify the responsible IT administrator.
The EventTracker Knowledge Pack for PoliWall allows you to monitor the following:
- Operations - Identify new source or destination IP addresses in allowed traffic using behavior rules.
- Security - Monitor malicious traffic with risk score and track blacklisted IP addresses in allowed traffic.
- Compliance - Monitor allowed or blocked traffic passing through PoliWall.
Once PoliWall is configured to deliver events to EventTracker Manager, alerts, reports, behavior rules, knowledge objects and dashboards can be configured in EventTracker.
Some of the Knowledge Packs available in EventTracker are listed below, grouped by the monitoring areas above. For more information, please refer to the Integration Guide.
Compliance
Reports
- PoliWall-Allowed traffic details: This report provides information on inbound and outbound traffic permitted by PoliWall, including the Traffic Direction, Protocol Type, Source IP, Source Port, Source Country, Destination IP, Destination Port and Destination Country fields.
- PoliWall-Blocked traffic details: This report provides information on inbound and outbound traffic prohibited by PoliWall, including the Traffic Direction, Protocol Type, Source IP, Source Port, Source Country, Destination IP, Destination Port, Destination Country, Block Reason and Block Details fields.
Operations
Alerts
- PoliWall-New IP detected in allowed traffic: This alert is generated when a source or destination IP address not seen before is detected in allowed traffic.
Security
Alerts
- PoliWall-Threat detected: This alert is generated when malicious activity, such as spam or malware, is detected in traffic passing through PoliWall.
- PoliWall-Blacklisted IP detected in allowed traffic: This alert is generated when a blacklisted source or destination IP address is detected in allowed traffic.
Reports
- PoliWall-Threat traffic details: This report provides information on malicious activity detected in inbound or outbound traffic, including the Traffic Direction, Protocol Type, Action Type, Source IP, Source Port, Source Country, Destination IP, Destination Port, Destination Country, Block Reason and Risk Score fields.
- PoliWall-Blacklisted IP activity details: This report provides information on blacklisted source or destination IP addresses detected in allowed traffic, including the Analysis Date, AS Number, AS Owner, Blacklist Status, City, Continent, Country Code, IP Address, ISP, Longitude/Latitude, Region, Reverse DNS and Source Log fields.
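The alert and report logic described above, as an added example that is not EventTracker's or Bandura's own code: a small Python detector run over constructed PoliWall-style syslog lines. The key=value layout and the field names (action, dir, proto, src, spt, sctry, dst, dpt, dctry, reason, detail, risk) are assumptions modeled on the report columns listed on this page, not the appliance's real log format, and the local BLACKLIST set stands in for the IPVoid lookup. The behavior rule is implemented as a baseline of IP addresses already seen in allowed traffic; any address outside that baseline raises the new-IP alert.

```python
"""Detection logic over constructed PoliWall-style syslog lines.

Added example, not EventTracker or Bandura code. The key=value layout is
a constructed stand-in whose field names mirror the report columns on
this page; the real PoliWall syslog format is not reproduced here.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines (not captured from a real appliance).
SAMPLE_LOGS = [
    "<134>Mar 10 09:00:01 poliwall action=allowed dir=inbound proto=tcp "
    "src=203.0.113.10 spt=51234 sctry=NL dst=192.0.2.20 dpt=443 dctry=US",
    "<134>Mar 10 09:00:02 poliwall action=blocked dir=inbound proto=tcp "
    "src=198.51.100.7 spt=4444 sctry=RU dst=192.0.2.20 dpt=22 dctry=US "
    "reason=country_policy detail=RU_not_permitted",
    "<134>Mar 10 09:00:03 poliwall action=allowed dir=outbound proto=udp "
    "src=192.0.2.30 spt=53123 sctry=US dst=203.0.113.99 dpt=53 dctry=DE",
    "<134>Mar 10 09:00:04 poliwall action=allowed dir=inbound proto=tcp "
    "src=203.0.113.10 spt=51235 sctry=NL dst=192.0.2.20 dpt=443 dctry=US",
    "<134>Mar 10 09:00:05 poliwall action=blocked dir=inbound proto=tcp "
    "src=203.0.113.77 spt=6000 sctry=CN dst=192.0.2.21 dpt=445 dctry=US "
    "reason=threat_list detail=malware risk=85",
]

# Constructed stand-in for the IPVoid lookup: a local set of blacklisted IPs.
BLACKLIST = {"203.0.113.99"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict.

    The syslog priority and timestamp header carries no '=' and is ignored.
    """
    return dict(KV_RE.findall(line))


@dataclass
class Detector:
    """Stateful alert logic: new-IP behavior rule, blacklist check, risk score."""
    risk_threshold: int = 70
    seen_allowed_ips: set = field(default_factory=set)  # behavior-rule baseline

    def process(self, event):
        alerts = []
        if event.get("action") == "allowed":
            for key in ("src", "dst"):
                ip = event[key]
                # Behavior rule: first sighting of an address in allowed traffic.
                if ip not in self.seen_allowed_ips:
                    self.seen_allowed_ips.add(ip)
                    alerts.append(("New IP detected in allowed traffic", ip))
                # Reputation check against the (stand-in) blacklist.
                if ip in BLACKLIST:
                    alerts.append(("Blacklisted IP detected in allowed traffic", ip))
        # Threat alert: the appliance tagged the flow with a risk score.
        risk = int(event.get("risk", 0))
        if risk >= self.risk_threshold:
            detail = event.get("detail", "")
            alerts.append(("Threat detected", f"{event['src']} {detail} risk={risk}"))
        return alerts


def run(lines, baseline=()):
    """Feed lines through one Detector seeded with a baseline of known IPs."""
    det = Detector()
    det.seen_allowed_ips.update(baseline)
    return [alert for line in lines for alert in det.process(parse_line(line))]


def traffic_summary(events):
    """Count flows per (action, direction), the basis of the allowed/blocked reports."""
    counts = {}
    for ev in events:
        key = (ev.get("action"), ev.get("dir"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    known = {"192.0.2.20", "203.0.113.10"}  # constructed baseline from earlier traffic
    for name, subject in run(SAMPLE_LOGS, baseline=known):
        print(f"ALERT {name}: {subject}")
    for (action, direction), n in traffic_summary(map(parse_line, SAMPLE_LOGS)).items():
        print(f"REPORT {action} {direction}: {n}")
```

Seeding the baseline matters: without it, every address in the first few minutes of traffic fires the new-IP alert, which is the tuning problem a behavior rule is meant to avoid. In a real deployment the baseline comes from a learning period, and the blacklist check is the lookup the page attributes to IPVoid rather than a static set.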
Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x and later and PoliWall Security Appliance version 1.21.00.
Documentation:
For more information, please refer to the Integration Guide.