USER MANUAL
SL-1000 Security Appliance
Version 1.0
January 2017
WWW.SOLIDASYSTEMS.COM

Table of Contents (excerpt)

1. Introduction
  1.1 Reputation Based Detection
  1.2 Intrusion Detection and Prevention
  1.3 Monitoring and Logging
2. Hardware Installation
  2.1 Typical Configuration
3. Accessing the Web Applications
  3.1 Management Port
  3.2 Managing Users
4. Configuring the Appliance
  4.1 Ethernet Port Configuration
  4.2 Appliance Name
  4.3 Deep Packet Inspection Configuration
...
10. Support Bundle Generation
  10.1 Generating a Support Bundle
  10.2 Downloading a Support Bundle
11. Data Logging
  11.1 Packet Logging
  11.2 Dropped Packet Logging
  11.3 Event Logging
  11.4 HTTP Logging
  11.5 Downloading Log Files
  11.8 ...
1. Introduction

This manual contains instructions for how to configure and use the following Solida Systems network security appliance:

SL-1000: dual Gigabit Ethernet ports

The SL-1000 appliance combines functionality that would otherwise require several different devices. This next-generation firewall offers reputation-based detection, intrusion detection and prevention, network traffic monitoring and packet logging. The next sections describe what these features mean for your network.

1.1 Reputation Based Detection

Solida Systems provides reputational threat intelligence in the form of a data feed hosted in the cloud. The feed is updated hourly and includes malicious URLs, domain names and IP addresses harvested from various international threat intelligence sources. It covers current threats such as ransomware, phishing sites, trojans and many other threat categories.

1.2 Intrusion Detection and Prevention

Intrusion detection and prevention is implemented through a rule engine and deep packet inspection (DPI). Solida Systems provides pre-defined rules and rule sets through the cloud-based threat feed. A simple configuration page is provided for users who want to write custom rules.

1.3 Monitoring and Logging

Tools are available to facilitate monitoring and evidence collection. Logs and evidence files are written in PCAP format and are compatible with most industry-standard analysis tools.

SOLIDA SYSTEMS INTERNATIONAL © 2016
2. Hardware Installation

The appliance has four Gigabit Ethernet ports, located at the back of the unit.

Figure 2.1 SL-1000 backside view.

The Ethernet ports on the right-hand side of the back panel are the high-speed ports used for network traffic and for management. The connectors on the left (USB, VGA, COM) are not used and must be left unplugged.

The appliance includes a 12 Volt power supply. Connect it to the small circular connector on the bottom left side.

On the SL-1000 the high-speed Ethernet ports are named Port 0 and Port 1; the management port is marked MGNT. The default factory configuration of the ports is:

Port 0 (WAN)    WAN side    Internet-connected router
Port 1 (LAN1)   LAN side    LAN side network switch
Port 2 (LAN2)   MGNT        Configuration and monitoring
Port 3 (LAN3)   Unused

The default settings can be changed through the web configuration utility, which is accessed with a browser over the management port. The default IP address of the management port is 192.168.1.250; it can be changed through the configuration application.

To access the configuration tool, enter the following in the browser: 192.168.1.250/config
To access the monitoring tool, enter only the IP address: 192.168.1.250

See chapter 3, Accessing the Web Applications, for further information.
2.1 Typical Configuration

The most common setup places the Solida appliance inline at the network edge, between the Internet router and the LAN switch, so that every incoming and outgoing packet passes through it and is inspected. This offers the best protection against malicious traffic. The SL-1000 operates in stealth mode: it passes traffic transparently and needs no IP address on its traffic ports, only on the MGNT (management) port, so the existing LAN addressing does not have to change.

Figure 2.2 Typical Installation

For larger networks it may be necessary to protect multiple sections of the network with dedicated appliances. In such installations make sure that the WAN port of each appliance faces upstream (towards the Internet router) and that its LAN port is connected to the sub-partitioned network segment it protects.
3. Accessing the Web Applications

The appliance contains two web applications: one for system configuration and one for monitoring. Both are password protected to prevent unauthorized use, and both are reached through the management port.

3.1 Management Port

To access the configuration and monitoring applications, connect the management port to a switch on the LAN side of the network. Open a browser on a computer connected to the same network and enter the MGNT port IP address as follows:

192.168.1.250/config   for the configuration application
192.168.1.250          for the monitoring application

If everything is configured correctly, a login page appears in the browser window. Enter the supplied user name and password to log in. The applications are served over plain HTTP (http://192.168.1.250/config), so credentials and configuration changes are not encrypted in transit; keep the MGNT port on a trusted, access-controlled management segment rather than on a general user LAN.

Some networks use an address range other than 192.168.x.x, for example 10.32.x.x. In that case the management port's IP address must be changed before the appliance is connected to the LAN side switch. To change the default IP address, connect a computer directly to the appliance with an Ethernet cable. Set the computer's IP address manually, since a direct connection bypasses any DHCP server; the address must lie in the same subnet as 192.168.1.250 (for example 192.168.1.10 with netmask 255.255.255.0, assuming the factory default is a /24). Start the configuration utility by entering the default IP address into the browser followed by /config (http://192.168.1.250/config). Log into the application and navigate to the page named "Configuration". Locate the box called "Change Management Port IP Settings" and change the IP address, netmask and gateway fields to match the ones used in your network. An example is shown below:

Figure 3.1 Change management port IP setting box.
Once the "Activate" button is pressed, the appliance is reconfigured with the new address information. Remove the directly connected computer and connect the appliance to the LAN side switch.

3.2 Managing Users

The first login to either web application uses a factory default username and password. After the first login it is recommended to create individual user accounts for the people who are allowed to log in, so that the factory credentials are no longer used for day-to-day access. Users are created and managed through the configuration application: navigate to the "Configuration" page and locate the box named "Manage Users". To create a new user, press the "Add User" button and enter the new credentials in the indicated fields.

Figure 3.2 Add new user box.

The drop-down menu at the top of the "Add New User" window contains two options: "Monitoring Only" and "Configuration & Monitoring". Select "Monitoring Only" for users who only need the monitoring application; it does not allow changing any configuration parameters or modifying the detection rules. Give the "Configuration & Monitoring" role only to the administrators who actually need it.
4. Configuring The Appliance

The configuration page contains several user-configurable areas. Each configuration window includes a help button that gives detailed help for its options.

4.1 Ethernet Port Configuration

The two packet-forwarding ports, Port 0 and Port 1, can each be configured to face either the Internet side or the LAN side. It makes no technical difference which way they are assigned; it is recommended to keep the factory default.

Figure 4.1 Ethernet Port Configuration

Operating Mode – The only supported operating mode is Single LAN/WAN ports.
Port 0 usage – Selects whether Port 0 faces the Internet side or the LAN side.
Port 1 usage – Selects whether Port 1 faces the Internet side or the LAN side.

4.2 Appliance Name

An appliance should be given a name. The name serves as an identifier when more than one appliance is installed in a network, or when Solida Multi is used for multi-appliance monitoring. The name can refer to the appliance's geographical location or be a simple label such as solida_1. The figure below shows how to set the appliance name:
Figure 4.2 Setting the appliance name.

Enter the desired name and press the Activate button.

4.3 Deep Packet Inspection Configuration

Deep packet inspection (DPI) is the process that inspects every incoming and outgoing network packet. The factory default applies DPI to all packets in both directions. Only under very special circumstances should this default be changed: disabling inspection in either direction means the appliance can no longer detect threats carried in that direction's traffic.

To change the setting, start the configuration utility and navigate to "Configuration". Locate the block titled "Deep Packet Inspection Configuration"; it looks as shown below.

Figure 4.3 Deep packet inspection configuration window.

The following settings are available:

Packets from the Internet
  Inspect all packets (Factory default)
  Disable Inspection
Packets from the LAN
  Inspect all packets (Factory default)
  Disable Inspection

Malformed Packets
  Drop all malformed packets (Factory default)
  Do not drop malformed packets

Attackers sometimes deliberately generate malformed network packets, for example to confuse or crash the network stacks of computers on the network. Letting the appliance drop these packets ensures that they never reach the protected LAN.

4.4 Email Notification

The appliance can send regular emails containing the number of events in the system and their severity. This is useful because it removes the need to constantly watch the appliance through the monitoring application.

4.4.1 Setting Up Email Notification

To set up email notification, log in to the configuration application and navigate to Admin – Configuration. Locate the box called "Email Notifications"; it looks as follows:

Figure 4.4 Email notification setup box.

4.4.2 Email Notification

This drop-down box contains four options:

Disabled - Email notification disabled.
Enabled, once per day - Generates one email per day with event information.
Enabled, once per 6 hours - Generates four emails per day with event information.
Enabled, once per hour - Generates one email per hour with event information.

4.4.3 Instant Critical

If enabled, this option sends one email each time a critical event is generated. Critical events require user intervention, so it is important that they are forwarded to the user with minimum delay.

4.4.4 Current Email Addr

This text box shows the email address currently in use, assuming the feature is enabled. This address is the recipient of the event status emails.

4.4.5 New Email Addr

Enter a valid email address into this box. This is the new address that will receive the emails. Once the fields above have been filled in, press the "Activate" button to activate the new configuration.

4.4.6 Event Notification Emails

The event notification emails are short but contain the vital information a user needs.

Figure 4.5 Example of an event notification email.
The most recent events for the past hour and for the past 6 hours are shown separately to give a clearer overview of the current status. Critical events require immediate user intervention and are therefore clearly marked as critical for easy identification.

4.5 Reputation Threat List Updates

The Solida appliances obtain their threat information by downloading proprietary threat lists from a cloud-based server. There are three categories of list: the domain reputation blacklist, the IP reputation blacklist and the Tor exit node list. The factory default includes all three lists in the cloud updates. This default should only be changed in very special cases: disabling a list means traffic to or from the hosts on that list is no longer recognised, so malicious packets can pass into the network unhindered.

To change the setting, start the configuration utility and navigate to "Configuration". Locate the block titled "Reputation Threat List Updates"; it looks as shown below.

Figure 4.6 Reputation threat list updates window

The following settings are available:

Domain Reputation Blacklist
  Enabled – update once per hour (default)
  Disabled

IP Reputation Blacklist
  Enabled – update once per hour (default)
  Disabled

Tor Exit Nodes
  Enabled – update once per hour (default)
  Disabled

4.5.1 About Tor Exit Nodes

The Tor exit node list contains the IP addresses of known Tor network exit points. Attackers commonly route their attack traffic through Tor exit nodes to mask its origin. In some cases use of the Tor network is legitimate, for example in countries that censor their citizens' Internet traffic, where Tor is used to circumvent the censorship. In those circumstances it is recommended to disable the inclusion of Tor exit nodes in the IP blacklist. With the list disabled, connections involving Tor exit nodes are no longer flagged at all, so weigh that loss of visibility against the need for Tor access.

4.6 Set Mobile Application Password

The appliance can be monitored with a mobile phone application. The application requires a password to log in to the cloud server that provides the events and notifications to it. Because this password gives access to the appliance's event data from outside your network, choose a strong, unique password rather than reusing the web application credentials.

Figure 4.7 Setting the mobile application password
4.7 Setting The Time Zone

The appliance uses time stamps for various events, so the time zone in which it operates must be set.

Figure 4.8 Setting the time zone

Select the desired time zone and press the Activate button.
5. Reputation Based Detection

5.1 Overview

The most basic form of intrusion and malware detection is reputation-based detection. It works by identifying communication with hosts on the Internet that are believed to be malicious, based on a reputation for previous or ongoing malicious activity. Requested IP addresses and domain names are compared against a reputation list of hosts with negative reputations. Solida appliances download lists of both domain names and IP addresses. The data in these lists is processed and stored in hash tables so that lookups can be performed against them in real time. The lists are downloaded automatically from a cloud-based service provided by Solida Systems.

Both DNS queries and HTTP requests are monitored and compared against the reputation lists. If a hit is detected, the request can be either flagged as suspicious or dropped.

It is important to recognise that a hit in a reputation blacklist does not always mean a host is malicious. Hosts that were previously infected might have been cleaned up without the list maintainers having registered this yet, so a blacklist hit is evidence to investigate, not proof of compromise.

5.2 DGA List

The most important data in the threat feed is the list of domain names generated by Domain Generation Algorithms (DGAs). Much ransomware and other serious malware uses a DGA to generate a large number of domain names, which the malware then tries in turn in order to reach its command and control (C2) servers. The large number of automatically generated names makes these C2 servers difficult to track and shut down.

Most DGA engines use the current time as the deciding factor for which domain name to generate. The malware operator can therefore predict which names the malware will generate at any given time and be ready when it attempts to connect. When the operator decides to provide C2 access, they simply register, with a commercial DNS service, a domain that the DGA will generate in the near future. When the malware tries that specific generated domain, a connection suddenly succeeds, and the malware knows it has found its C2 server.

The Solida threat list contains a very large number of DGA domain names. They are produced by actual DGA engines harvested from malware collected on the Internet: the engines run on a server generating their time-based domain names, which makes it possible to know in advance what domain names similar malware will generate in the wild at
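The lookup described in 5.1 and the DGA pre-generation described in 5.2, as an added example. This is not Solida's code and does not reproduce the appliance's feed format: the blacklists, the Tor list, the toy DGA (a hash of a seed and the date, not any real family's algorithm) and the traffic records are all constructed for the example. The severity mapping follows section 7.2 of the manual, except for Tor hits, where the manual gives no severity and "low" is an assumption.

```python
import hashlib
import ipaddress
from datetime import date, timedelta

# Constructed sample lists standing in for the hourly cloud feed. Every entry
# is made up: .test domains and RFC 5737 documentation address ranges only.
DOMAIN_BLACKLIST = {
    "phish-login-example.test": "low",      # phishing site (manual 7.2.1)
    "c2-example.test": "medium",            # known C2 domain (manual 7.2.2)
}
IP_BLACKLIST = {ipaddress.ip_network("203.0.113.0/24"): "medium"}
TOR_EXIT_NODES = {ipaddress.ip_address("198.51.100.7")}
TOR_SEVERITY = "low"  # assumption: the manual assigns no severity to Tor hits


def toy_dga(day, seed, count=5):
    """Hypothetical time-seeded DGA. The name depends only on (seed, date), so
    whoever holds the seed can generate tomorrow's candidate C2 domains today."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i]))
        names.append(digest.hexdigest()[:12] + ".test")
    return names


def build_dga_table(seed, start, days_ahead=7):
    """Pre-generate the domains for the next days_ahead days, as the feed does
    by running harvested DGA engines ahead of real time."""
    table = {}
    for offset in range(days_ahead):
        day = start + timedelta(days=offset)
        for name in toy_dga(day, seed):
            table[name] = day
    return table


def classify_domain(name, dga_table):
    """Return (severity, reason) for a queried name, or None. Walks up the
    label hierarchy so a blacklisted apex also catches its subdomains."""
    name = name.lower().rstrip(".")
    if name in dga_table:
        return "critical", "dga:" + dga_table[name].isoformat()
    labels = name.split(".")
    for i in range(len(labels) - 1):          # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_BLACKLIST:
            return DOMAIN_BLACKLIST[candidate], "domain-blacklist:" + candidate
    return None


def classify_ip(addr):
    """Return (severity, reason) for a destination address, or None."""
    ip = ipaddress.ip_address(addr)
    if ip in TOR_EXIT_NODES:
        return TOR_SEVERITY, "tor-exit-node"
    for net, severity in IP_BLACKLIST.items():
        if ip in net:
            return severity, "ip-blacklist:" + str(net)
    return None


def scan(records, dga_table, lan=ipaddress.ip_network("192.168.1.0/24")):
    """Run DNS-query and HTTP-request records through the lists, emit events.
    Only HTTP records are checked against the IP lists: the destination of a
    DNS record is the resolver, not the suspicious host. lan_host is whichever
    end lies inside the LAN range; for an outbound query that is the source."""
    events = []
    for rec in records:
        hit = classify_domain(rec["name"], dga_table)
        if hit is None and rec["kind"] == "http":
            hit = classify_ip(rec["dst"])
        if hit is None:
            continue
        severity, reason = hit
        in_lan = ipaddress.ip_address(rec["src"]) in lan
        events.append({"ts": rec["ts"], "severity": severity, "reason": reason,
                       "src": rec["src"], "dst": rec["dst"],
                       "lan_host": rec["src"] if in_lan else rec["dst"],
                       "action": "drop"})   # normal mode drops every hit
    return events


# Constructed traffic: a resolver at 192.168.1.1, one host querying a name the
# toy DGA will produce tomorrow, one host talking to listed IP addresses.
SEED = b"family-x"
DGA_TABLE = build_dga_table(SEED, date(2017, 1, 16))
SAMPLE_RECORDS = [
    {"ts": "2017-01-16T09:00:01", "kind": "dns", "src": "192.168.1.23",
     "dst": "192.168.1.1", "name": "www.example.test"},
    {"ts": "2017-01-16T09:00:05", "kind": "dns", "src": "192.168.1.23",
     "dst": "192.168.1.1", "name": "login.phish-login-example.test"},
    {"ts": "2017-01-16T09:01:10", "kind": "http", "src": "192.168.1.40",
     "dst": "203.0.113.9", "name": "cdn.example.test"},
    {"ts": "2017-01-16T09:02:00", "kind": "dns", "src": "192.168.1.77",
     "dst": "192.168.1.1", "name": toy_dga(date(2017, 1, 17), SEED)[0]},
    {"ts": "2017-01-16T09:02:01", "kind": "http", "src": "192.168.1.40",
     "dst": "198.51.100.7", "name": "198.51.100.7"},
]
```

Running `scan(SAMPLE_RECORDS, DGA_TABLE)` yields four events: a low one for the phishing subdomain, a medium one for the listed IP, a critical one for the DGA query (with the querying LAN host identified) and a low one for the Tor exit node; the benign query produces nothing. Note that the DGA hit is recognised a day before the name would be registered, which is exactly the head start the feed provides.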
5.3 List Updates

The reputation lists are constantly updated through the cloud-based threat feed offered by Solida. The appliance connects to the cloud service once every hour to download new versions of the lists, so that it always holds information about the latest threats seen in the wild.

To monitor the list update process and the list sizes, start the configuration application and navigate to "Threat Intelligence – Threat Lists". A similar page is available at the same location in the monitoring application. The page looks as follows:

Figure 5.1 Threat lists overview

The box named "Reputation List Control Center" provides the following information:

Next cloud update – The time at which the next list update will be performed.
DGA Ransomware Entries – The number of DGA-generated domain names in this list.
Domain Reputation Entries – The number of domain names in this list.
IP Reputation Entries – The number of IP addresses (both IPv4 and IPv6) in this list.
TOR endpoints – The number of Tor exit nodes, provided this list is included.

The above threat lists are not user modifiable.
6. Intrusion Detection and Prevention Rules

6.1 Rule Overview

To protect against intrusion attacks, Solida appliances rely on a rule engine that performs deep packet inspection (DPI) of the Ethernet packets flowing through the appliance. The DPI engine inspects all packets and looks for signatures and combinations of data patterns, such as port scans, OS fingerprinting and vulnerability scans. The engine is controlled by detection rules, which instruct it what to look for in the packets and what action to take when a pattern matches.

Solida provides a set of system rules that protect against many types of penetration attempt. An expert user can also create custom rules. Writing custom rules requires detailed knowledge of rule syntax and of the different types of packets flowing over a network. Custom rules are created with the rule editor in the Solida configuration application. In most cases it is recommended to use the system rules provided by Solida through the threat feed.

6.2 Rule List

Detection rules are created and edited through the configuration application. Start the application and navigate to "Rule List". This shows a list of all rules available in the appliance.
Figure 6.1 Rule list in the configuration utility.

The column named "Category" shows which rules are Solida system rules and which have been created by the user.

6.3 Rule Sets

A rule set is a collection of rules. Multiple rule sets can be created, each containing a different selection of rules, but only one rule set can be active in the appliance at a time. Once a rule set has been activated, the appliance scans packets using all the rules included in that set. To display and create rule sets, start the configuration utility and navigate to "Rule Sets". This shows a list of all available rule sets.

Figure 6.2 Rule set list in the GUI configuration utility.

6.4 Activating a Rule Set

To activate a rule set, select it by clicking on its row in the GUI, then click the "Activate Ruleset" button. This performs an implicit sanity check of all the included rules and then uploads them to the appliance. Once activation completes, the appliance starts using the new rules immediately.
6.5 Operating Mode

When trialling a new rule set, the appliance can be put into "monitor mode". The rule set page contains a drop-down menu where the operating mode is selected. In monitor mode all network packets are still scanned against the rules and the reputation lists, and alerts are generated exactly as in normal operation, but no packets are dropped. This lets the user verify that a new rule set behaves as expected, in particular that it does not block legitimate traffic, before it is enforced. Once satisfied with the new rule set, set the operating mode back to "Normal Mode". Remember that while monitor mode is active the appliance blocks nothing, reputation-list hits included, so keep the trial period short.

6.6 Creating Custom Rules

It is beyond the scope of this manual to explain in detail how to write custom rules; please refer to the many tutorials and documents available on the Internet on writing detection rules.

A rule is created in the configuration application. Start the application and navigate to the "Rule List" page, which lists all rules currently available in the appliance. At the top left of this page is a blue button labelled "+ Add rule". To create a new custom rule, click this button. A new window called "Create Custom Rule" pops up.

Figure 6.3 Create a custom rule pop-up window.

This window contains five tabs, each holding different optional rule parameters that can be filled in to define the new rule's behaviour. For a detailed description of each
6.7 Rule Id

The most important parameter of each rule is the "Rule Id". Each rule must have a unique rule id that identifies it. The rule id consists of 9 digits. It is common practice to group rules into categories; as an example, the first three digits identify the general type of rule (UDP rules, TCP rules, ICMP rules), the next three digits identify the type of threat the rule concerns, and the last three digits are a running number that is incremented by one for each rule in the category.
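An added example, not the appliance's own rule editor code, of the 9-digit id layout described above: it parses and builds ids, allocates the next free running number in a category, and performs the format and uniqueness checks a rule set should pass before activation. The manual fixes only the 3+3+3 layout; the packet-type and threat-type codes below are assumptions.

```python
RULE_ID_DIGITS = 9

# Constructed code tables (assumptions): the manual only gives the layout and
# the example that the first group separates UDP, TCP and ICMP rules.
PACKET_TYPE = {"tcp": 100, "udp": 200, "icmp": 300}
THREAT_TYPE = {"port-scan": 10, "os-fingerprint": 20, "vuln-scan": 30}


def parse_rule_id(rule_id):
    """Split a 9-digit rule id into (packet_type, threat_type, sequence)."""
    if len(rule_id) != RULE_ID_DIGITS or not rule_id.isdigit():
        raise ValueError("rule id must be exactly %d digits: %r"
                         % (RULE_ID_DIGITS, rule_id))
    return int(rule_id[0:3]), int(rule_id[3:6]), int(rule_id[6:9])


def make_rule_id(packet_type, threat_type, seq):
    """Assemble an id; sequence numbers run 1..999 within a category."""
    if not 1 <= seq <= 999:
        raise ValueError("sequence number out of range: %d" % seq)
    return "%03d%03d%03d" % (PACKET_TYPE[packet_type], THREAT_TYPE[threat_type], seq)


def next_rule_id(existing_ids, packet_type, threat_type):
    """Next unused id in a category, so a new custom rule never collides."""
    prefix = make_rule_id(packet_type, threat_type, 1)[:6]
    used = [int(r[6:]) for r in existing_ids if r.startswith(prefix)]
    return make_rule_id(packet_type, threat_type, max(used, default=0) + 1)


def check_rule_set(rule_ids):
    """Sanity check before activation: report malformed and duplicate ids."""
    problems, seen = [], set()
    for rid in rule_ids:
        try:
            parse_rule_id(rid)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if rid in seen:
            problems.append("duplicate rule id %s" % rid)
        seen.add(rid)
    return problems
```

`check_rule_set` returns an empty list for a clean set; anything else is a reason not to activate, since the appliance keys rules by id and a duplicate means one of the two rules is silently lost.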
7. Events and Event Severity

7.1 Event Overview

Each time a network packet registers a hit against a blacklist entry or a detection rule, an "event" is generated. An event contains information describing what caused it: the IP address of the offending packet, a short description of the meaning of the event and a timestamp. Events are stored in a database in the appliance to allow tracking and statistics gathering. Events are also written to log files that can be downloaded from the appliance through the GUI. These event files can then be correlated with the downloadable packet log files, so that a security analyst can investigate the root cause of the event. Events can be monitored using the built-in monitoring application.

Figure 7.1 Event summary view in the GUI monitoring application.

7.2 Event Severity

Events are grouped into three categories depending on their severity: low, medium and critical.
7.2.1 Low severity (colored green in the GUI)

These events are typically generated by attempts to visit known phishing sites or sites hosting various types of malware. The appliance automatically drops these packets, preventing the malware from infecting the protected network. These events require no further action from the user.

7.2.2 Medium severity (colored orange in the GUI)

Medium severity events include known C2 domains, domains serving drive-by malware, Trojans and more. Packets destined to these domains are automatically dropped to maintain network integrity. These events require no further action from the user.

7.2.3 Critical severity (colored red in the GUI)

Critical events are generated when the appliance detects malicious activity originating inside the network. This indicates that the network has been compromised and that malware is already present which requires user intervention to remove. Examples are DNS queries generated by a ransomware DGA engine, or malware trying to connect to a C2 server. All packets resulting in critical events are automatically dropped to limit further infection. The event includes the source and destination IP addresses of the offending packets, which allows prompt identification of the infected computer on the network. The user must then remove the malware from the infected computer using a suitable removal tool.

All events can be viewed with the monitoring application included with the appliance. Optionally, emails containing the event count and severity can be generated and sent automatically, and a mobile phone application is available for monitoring events in real time.

7.3 Source and Destination IP Addresses

Each rule event includes the source and destination IP addresses of the packet that generated the hit. Logging these addresses allows a more detailed examination of the source of the threat: the Internet offers many "whois" services where an IP address can be looked up, and the result usually includes geographical information about the address. When looking up an address from a critical event, query the external (non-LAN) address; the LAN-side address identifies the infected host and is not meaningful to a public whois service.
8. Responding To Critical Events

The majority of events require no further action by the user; these are marked with low or medium severity. Critical events require immediate user intervention. An example is a DGA event, which is generated when ransomware has infected a computer in the network. In this case it is extremely important to isolate the infected computer from the rest of the network: some advanced ransomware is capable of propagating through the network and infecting additional computers.

Critical events are listed with both the source and destination IP addresses visible. Take whichever of the two addresses lies inside the LAN address range (for an outbound DNS query or C2 connection attempt this is the source address) and match it with the computer in the LAN that uses that address; this is the computer that has become infected. Disconnect it from the rest of the network. Once the infected computer has been isolated, search the web for an available removal tool for the malware family involved.
9. System Software Updates

Solida Systems occasionally releases updated system software for the appliances. These releases may contain bug fixes as well as new features. New releases are published to the cloud for distribution, and the appliance automatically checks the cloud server for new updates. The user decides whether the appliance should be updated. An update is not required unless the release text specifically says so, but review the release text of every version before deciding to skip it.

To check for a new software release or to perform an update, start the configuration application and navigate to "Software Updates" in the menu side bar. This presents the following window:

Figure 9.1 Software update GUI window.

The upper System Control Center box contains the following:

Firmware version - Displays the currently active internal firmware version number.
JSOSD version - Displays the version of the current security OS daemon.

The button named "Generate Support Bundle" starts a support feature that collects useful information from the appliance. See the "Support Bundle Generation" chapter for further information.

The lower box, titled "Solida Software Versions Available For Updates", lists the available software updates. The list only includes versions later than the one currently running in the appliance.

To perform an update, double click on the row with the desired new version. Note that a software update can take up to 5 minutes to complete, and during this time no network traffic flows through the appliance, so schedule updates for a maintenance window. After the update has completed, clear the browser cache so that the browser displays the latest version of the web utilities.
10. Support Bundle Generation

A support bundle is a compressed file that contains critical system files and data. A support bundle should only be generated after a request from Solida Systems or the local distributor, typically when the appliance is having difficulties performing as expected. The files in the bundle help a support engineer determine the cause of a problem. Since the bundle contains system files and logs from your network, treat it as confidential and hand it only to the party that requested it.

10.1 Generating a support bundle

To generate a support bundle, start the configuration application on the appliance experiencing the problem and navigate to "Software Updates". This displays a window containing a blue button with the text "Generate Support Bundle". Pressing this button and answering Yes in the confirmation box starts generating the bundle. Note that it may take 5 minutes or more for the generation to complete.

10.2 Downloading a Support Bundle

Once a support bundle has been generated, it is placed in a directory called "support" in the log file storage area.

Figure 10.1 Log File Management window with support directory opened.

To download a support bundle file, start the configuration application and navigate to "Log File Management". Then click on the "support" directory icon in the file viewer. This displays all

Please note it will take up to 5 minutes for a new support bundle to appear in this directory.
11. Data Logging

The appliances have a wide selection of logging options. The factory default logs all rule events and all dropped network packets; the user can enable further logging, including full packet capture. Network packet data is written to the log files in the industry-standard PCAP format, so tools such as Wireshark can open these files for analysis of the packet content.

11.1 Packet Logging

Packet logging logs every packet passing through the appliance. This mode is typically only used while troubleshooting the network. The resulting log files can become very large, so select an appropriate rollover option to avoid filling the appliance's disk. Packet logging should be disabled during normal use.

11.2 Dropped Packet Logging

This option logs all network packets dropped by the appliance, whether by the rule engine or by the reputation detection engine. It is enabled by default. These log files can be used during forensic analysis to determine the exact reason a packet was dropped.

11.3 Event Logging

Event logging is enabled by default and it is strongly recommended to always keep it enabled. The resulting log files contain information about all events occurring in the appliance. The default settings are as shown below:

Figure 11.1 Event logging configuration window.
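An added example, not from the manual or the product, of the analysis step that section 7.1 and the dropped-packet log above make possible: a minimal pure-Python PCAP reader that decodes Ethernet/IPv4/UDP frames and the DNS question name, and correlates a critical event's timestamp and addresses with the packets in the log. The PCAP is built in memory from constructed frames so the example runs offline; the addresses, the DGA-looking name, the timestamps and the event are all made up, and the appliance's actual event log layout is not reproduced.

```python
import socket
import struct

# ---- writer: builds a small PCAP in memory (stands in for a downloaded log)

def dns_query(qname, txid=0xBEEF):
    """Minimal DNS query: header, QNAME labels, QTYPE A, QCLASS IN."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", 1, 1))


def udp_frame(src, dst, sport, dport, payload):
    """Ethernet (zeroed MACs) / IPv4 / UDP. Checksums are left 0; the reader
    below does not verify them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                     64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(frames):
    """frames: iterable of (ts_sec, ts_usec, frame). Little-endian, link type 1."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in frames:
        blob += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return blob


# ---- reader: what an analyst runs over a downloaded dropped-packet log

def read_pcap(blob):
    """Yield (timestamp, frame) per record; handles both byte orders."""
    magic = struct.unpack("<I", blob[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    if struct.unpack(endian + "IHHiIII", blob[:24])[6] != 1:
        raise ValueError("only Ethernet link type is handled here")
    pos = 24
    while pos + 16 <= len(blob):
        ts_sec, ts_usec, incl, _orig = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, blob[pos:pos + incl]
        pos += incl


def parse_qname(dns):
    """Question name of a DNS message (queries do not use name compression)."""
    labels, pos = [], 12
    while dns[pos] != 0:
        n = dns[pos]
        if n & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def summarize(frame):
    """Decode Ethernet/IPv4/UDP and, for destination port 53, the queried name."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # only IPv4 over Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": ip[9], "sport": None, "dport": None, "qname": None}
    if info["proto"] == 17:
        udp = ip[ihl:]
        info["sport"], info["dport"] = struct.unpack("!HH", udp[:4])
        if info["dport"] == 53:
            info["qname"] = parse_qname(udp[8:])
    return info


def frames_of(blob):
    return [(ts, summarize(f)) for ts, f in read_pcap(blob)]


def correlate(events, blob, window=0.5):
    """For each event, the packets whose endpoints match the event's addresses
    (either direction) within `window` seconds of the event timestamp."""
    frames = frames_of(blob)
    hits = []
    for ev in events:
        for ts, info in frames:
            if info and abs(ts - ev["ts"]) <= window \
                    and {info["src"], info["dst"]} == {ev["src"], ev["dst"]}:
                hits.append({"event": ev, "ts": ts, "dport": info["dport"],
                             "qname": info["qname"]})
    return hits


# Constructed sample: three dropped DNS queries and one critical event.
# T0 is 2017-01-16 09:02:00 UTC as a Unix timestamp.
T0 = 1484557320
RESOLVER = "192.168.1.1"
SAMPLE_PCAP = build_pcap([
    (T0 - 30, 0, udp_frame("192.168.1.23", RESOLVER, 51000, 53, dns_query("www.example.test"))),
    (T0, 250000, udp_frame("192.168.1.77", RESOLVER, 52000, 53, dns_query("4f3c9a1b2d7e.test"))),
    (T0 + 1, 0, udp_frame("192.168.1.77", RESOLVER, 52001, 53, dns_query("time.example.test"))),
])
SAMPLE_EVENTS = [{"ts": T0, "severity": "critical", "reason": "DGA query",
                  "src": "192.168.1.77", "dst": RESOLVER}]
```

`correlate(SAMPLE_EVENTS, SAMPLE_PCAP)` returns the single packet that matches the event's addresses within half a second of its timestamp, together with the queried name, which is what the analyst needs to confirm which process on 192.168.1.77 to hunt for. Widen the window and the second query from the same host appears as well, so correlation narrows the search but does not replace looking at the decoded packets.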
11.4 HTTP Logging

This option logs all domain names accessed through browsers in the network.

Figure 11.2 HTTP logging configuration window

11.5 Downloading Log Files

Log files can be downloaded using either the configuration application or the monitoring application. To download a log file, navigate to the "Log File Management" menu option. This opens a file management interface as shown below:

Figure 11.3 Log file management window.
Each category of log file is stored in its own dedicated directory. Open the directory containing the desired log file, then double click on the file. A popup window asks for a final confirmation before the download starts.

11.8 Deleting Log Files

Log files can be deleted if needed. Navigate into a log file directory, right-click on the file and select "Delete"; the file is permanently deleted from the appliance. It is also possible to rename a log file by right-clicking on it. Even though it is possible, never delete a log file directory.

Note that some log files become very large and the appliance has limited space for them, so always download important log files and keep them outside the appliance. The appliance performs log rotation, meaning older log files are deleted when space is needed; evidence that has not been copied off the appliance before rotation is lost.
Solida Multi Introduction

- The domain name for the reporting server.
Login Username - The user name the appliance uses when logging in to the reporting server.
Login Password - The password the appliance uses when logging in to the reporting server.
SOLIDA SYSTEMS INTERNATIONAL CO., LTD.
1000/19-20 Liberty Plaza Building, Floor 12A, Thonglor, Sukhumvit Soi 55, Klongtan Nua, Wattana, Bangkok, Thailand, 10110
Tel +66 2-714-8900
Email info@solidasystems.com
Website www.solidasystems.com
