WEBVTT

1
00:00.000 --> 00:04.050
In this video, we get to take a closer look at working with logs, specifically

2
00:04.050 --> 00:05.760
viewing and searching logs.

3
00:05.760 --> 00:09.530
And I also want to point out, as I mentioned earlier, that

4
00:09.530 --> 00:11.920
based on the version of FortiAnalyzer we're using,

5
00:11.920 --> 00:16.260
and as time marches on, there'll be newer and newer versions, the features are

6
00:16.260 --> 00:19.840
going to still exist, but they may move it around in the interface.

7
00:19.840 --> 00:22.970
So as long as you're aware of what can be done with some examples we're going

8
00:22.970 --> 00:24.160
to go through right now,

9
00:24.160 --> 00:27.840
you can use these features on pretty much any version of FortiAnalyzer.

10
00:27.840 --> 00:31.410
Even if they choose to move some little aspect from one section of the

11
00:31.410 --> 00:32.800
interface to another.

12
00:32.800 --> 00:36.480
So let's start off by logging into the FortiAnalyzer and just confirm that these

13
00:36.480 --> 00:40.970
three firewalls and this firewall are all logging to our root administrative

14
00:40.970 --> 00:41.440
domain.

15
00:41.440 --> 00:45.640
So here is our FortiAnalyzer. It's currently showing us the administrative domain

16
00:45.640 --> 00:47.600
we're in. It's the root administrative domain.

17
00:47.600 --> 00:52.550
I also want to verify with device manager that we have these four FortiGate firewalls

18
00:52.550 --> 00:54.240
that are all reporting in, which they are.

19
00:54.240 --> 00:58.590
And they're all showing status. Fantastic. So for viewing the logs on the

20
00:58.590 --> 01:02.190
left hand side, we're going to go to log view and then under log view, we're

21
01:02.190 --> 01:03.360
going to go to logs.

22
01:03.360 --> 01:06.640
Now currently it's in the same state I left it in from the previous video,

23
01:06.640 --> 01:09.440
which is only looking at branch firewall.

24
01:09.440 --> 01:13.450
And so let's take this from the top. So under logs, I currently have selected

25
01:13.450 --> 01:16.080
Fortinet logs, and then I have selected FortiGate.

26
01:16.080 --> 01:20.060
And then from the FortiGates, I now have selected just firewall one. I'm going to

27
01:20.060 --> 01:21.680
go ahead and say now all devices.

28
01:21.680 --> 01:26.560
So now once I click on OK, we're looking at logs from all devices, but just for

29
01:26.560 --> 01:28.160
the last five minutes.

30
01:28.160 --> 01:31.960
So if it's the traffic logs you want to see, for example forever, you can say

31
01:31.960 --> 01:32.560
anytime.

32
01:32.560 --> 01:35.080
And that's the log information, not just for the last five minutes or a

33
01:35.080 --> 01:38.480
period of time, but all log information from all devices.

34
01:38.480 --> 01:41.760
So if we click this icon right here, it'll move the Fortinet logs, threat

35
01:41.760 --> 01:43.480
hunting and log browse over to the side.

36
01:43.480 --> 01:46.640
So I'll go ahead and do that just to show you that. If you want it back at the

37
01:46.640 --> 01:49.040
top, you can click here on toggle horizontal menu.

38
01:49.040 --> 01:52.320
And again, they may change the interface from time to time, but all the

39
01:52.320 --> 01:55.360
features and options are going to be there regardless of the version.

40
01:55.360 --> 01:58.960
So just be prepared for things to move around a little bit over time.

41
01:58.960 --> 02:03.300
So currently I've got Fortinet logs at the top. I've got FortiGate firewall

42
02:03.300 --> 02:06.320
selected and currently all devices are selected.

43
02:06.320 --> 02:09.810
And I have no constraint on the time range. Now, this is looking at the

44
02:09.810 --> 02:13.240
historical logs, meaning it's not going to automatically refresh.

45
02:13.240 --> 02:16.880
If you want to refresh, we click right here on refresh, and that would go get

46
02:16.880 --> 02:20.200
the latest and greatest logs that have come in since that last screen.

47
02:20.200 --> 02:25.270
Or we could go to more and say real time log, and that's just going to update

48
02:25.270 --> 02:27.480
the screen as new logs come in.

49
02:27.480 --> 02:31.870
So we wait just a moment here. This is, at the moment, the last log that has

50
02:31.870 --> 02:32.600
come in.

51
02:32.600 --> 02:35.840
But because I have several PCs on, I just got a whole bunch of new logs and it

52
02:35.840 --> 02:38.520
's coming in and we could go ahead and pause it right here.

53
02:38.520 --> 02:41.540
Just be aware that we have those options. So I'm going to go back to more

54
02:41.540 --> 02:44.840
historical log. And if we want to click on refresh, we certainly can.

55
02:44.840 --> 02:47.980
But this way the screen's not going to move on us and I don't have to hit pause

56
02:47.980 --> 02:50.440
and resume. And we can just do refresh when we need to.

57
02:50.440 --> 02:55.610
So regarding the four FortiGate firewalls that we have, we have three sets of logs

58
02:55.610 --> 02:56.920
that we can look at.

59
02:56.920 --> 03:00.890
The traffic is referring to traffic logs. And again, that depends on whether or

60
03:00.890 --> 03:05.640
not the FortiGate firewalls have logging set up for traffic, meaning all traffic.

61
03:05.640 --> 03:10.430
So for example, we go back to firewall one and we go to our policy and objects

62
03:10.430 --> 03:12.440
and we go to our firewall policy right here.

63
03:12.440 --> 03:17.330
This policy right here, called in-out with LDAP auth. If we scroll down as far as

64
03:17.330 --> 03:20.280
logging goes, we're logging all sessions.

65
03:20.280 --> 03:24.220
And so as a result, the traffic logs on this firewall are going to be sent over

66
03:24.220 --> 03:25.480
to the FortiAnalyzer.

67
03:25.480 --> 03:29.430
Now in addition on this FortiGate firewall, I've also got several security profiles

68
03:29.430 --> 03:31.480
associated with the security policy.

69
03:31.480 --> 03:35.530
And as a result, we're also going to have additional logs, including security

70
03:35.530 --> 03:37.760
logs that are going to be sent over as well.

71
03:37.760 --> 03:41.300
And those will be based on how these profiles are set up and when they're

72
03:41.300 --> 03:43.520
matched as part of the firewall policy.

73
03:43.520 --> 03:46.640
So click on cancel there. Let's go back to the FortiAnalyzer.

74
03:46.640 --> 03:50.540
All right, so back to the FortiAnalyzer, looking at the historical logs and the

75
03:50.540 --> 03:51.440
traffic logs.

76
03:51.440 --> 03:54.700
The other type of logs that we can look at is under security. Now if we click

77
03:54.700 --> 03:59.420
on security, it's going to show us a summary, which will show us all the

78
03:59.420 --> 04:01.440
effectively the security profiles associated with the traffic logs.

79
04:01.440 --> 04:04.440
And with the policies that it's received, where there's been logging

80
04:04.440 --> 04:05.240
information.

81
04:05.240 --> 04:09.040
So if we click here on antivirus, it'll show us antivirus logs.

82
04:09.040 --> 04:11.960
So I've got some that look like they're going to Germany.

83
04:11.960 --> 04:15.280
Fantastic. That would be our EICAR test file. Under security,

84
04:15.280 --> 04:19.130
if we go down to IPS for intrusion prevention, here it's showing some, and I did

85
04:19.130 --> 04:23.050
some testing that went out to looks like the Russian Federation and it was 80s

86
04:23.050 --> 04:24.040
or three.

87
04:24.040 --> 04:28.160
And if I go down to DNS, for example, here's log matches based on my DNS

88
04:28.160 --> 04:30.960
security profile associated with that policy.

89
04:30.960 --> 04:33.860
Or if we want to take a look at the summary, we can simply go to security

90
04:33.860 --> 04:35.920
summary and it'll give us a nice big picture.

91
04:35.920 --> 04:40.000
Now take a look at this. It's now sorted by the last hour.

92
04:40.000 --> 04:43.200
So if we want to make sure we see longer than that, we can say, you know what,

93
04:43.200 --> 04:46.000
I want to see the last two weeks and just change it.

94
04:46.000 --> 04:50.560
So one thing that gets me a lot is I'll forget to look at the filters in place.

95
04:50.560 --> 04:52.600
Also forget to look at the time range.

96
04:52.600 --> 04:55.650
So just make sure when you don't see something you think you should see, just

97
04:55.650 --> 04:59.510
make sure you have the time range set up correctly and you don't have a filter

98
04:59.510 --> 05:00.920
in place that's filtering out content.

99
05:00.920 --> 05:01.920
You think you should be seeing.

100
05:01.920 --> 05:08.140
So here for the summary regarding security logs, we have antivirus, web filter,

101
05:08.140 --> 05:14.060
SSL, DNS, web application firewall, application control, intrusion prevention

102
05:14.060 --> 05:14.920
and SSH.

103
05:14.920 --> 05:16.760
I don't think I have an SSH profile in place.

104
05:16.760 --> 05:18.800
I don't have a data loss prevention profile in place.

105
05:18.800 --> 05:22.880
And I also don't have a file filter profile in place that's being used.

106
05:22.880 --> 05:24.840
That's why those are showing up as empty.

107
05:24.840 --> 05:29.050
And like most things on the FortiAnalyzer, if you want more details, you can just

108
05:29.050 --> 05:30.360
go ahead and click.

109
05:30.360 --> 05:31.360
And it can take you there.

110
05:31.360 --> 05:34.660
So for example, here with web filtering, if I click on social networking, it

111
05:34.660 --> 05:36.360
automatically puts a filter in for me.

112
05:36.360 --> 05:39.360
And then furthermore, I could add more filtering to that.

113
05:39.360 --> 05:41.800
For example, if I want to filter on, let's go ahead and scroll the right a

114
05:41.800 --> 05:42.360
little bit.

115
05:42.360 --> 05:46.330
In fact, I'm going to click on this hamburger icon up here to collapse to the

116
05:46.330 --> 05:47.360
left hand side.

117
05:47.360 --> 05:48.360
It gives a little more room.

118
05:48.360 --> 05:52.280
And over here in sent and received, the yellow indicates blocked and the blue

119
05:52.280 --> 05:54.360
indicates allowing traffic through.

120
05:54.360 --> 05:56.890
So here in social networking, I can further make a filter and say, you know

121
05:56.890 --> 05:59.360
what, I want to go ahead and right click on Facebook and say,

122
05:59.360 --> 06:04.540
I also want to include just Facebook along with the action pass through and

123
06:04.540 --> 06:05.360
category social networking.

124
06:05.360 --> 06:07.360
So I'll add Facebook to that.

125
06:07.360 --> 06:10.360
Again, limiting the scope of what we're looking at.

126
06:10.360 --> 06:13.510
And if we wanted to find a category social networking where the action wasn't

127
06:13.510 --> 06:16.360
passed through, we could go ahead and remove that from the filter.

128
06:16.360 --> 06:19.360
I'm just going to highlight it and delete it and then click on search.

129
06:19.360 --> 06:20.360
Then we could right click here.

130
06:20.360 --> 06:21.360
For example, a pass through.

131
06:21.360 --> 06:24.360
Again, we're in a security web filter with this time frame.

132
06:24.360 --> 06:27.910
Then I could right click on pass through and say, you know what, I want to see

133
06:27.910 --> 06:30.360
everything except for the action of pass through.

134
06:30.360 --> 06:32.360
And that should show us those that were blocked.

135
06:32.360 --> 06:36.730
So this indicates that none of the logs I have regarding social media were

136
06:36.730 --> 06:37.360
blocked.

137
06:37.360 --> 06:39.360
Let me go ahead and clear that.

138
06:39.360 --> 06:40.360
And let's use another example.

139
06:40.360 --> 06:45.100
So here I've got web filter and let's go ahead and right click and I'll say

140
06:45.100 --> 06:47.360
action not equal to pass through.

141
06:47.360 --> 06:50.720
And this is going to show us where the action was something other than pass

142
06:50.720 --> 06:51.360
through.

143
06:51.360 --> 06:52.360
And here we have blocked.

144
06:52.360 --> 06:55.360
Then I can further limit this down to specific categories.

145
06:55.360 --> 06:59.780
So if I want to say for example, alcohol, where the action was not passed

146
06:59.780 --> 07:03.650
through and the category was alcohol, I could right click and add that as an

147
07:03.650 --> 07:05.360
additional part of my filter.

148
07:05.360 --> 07:08.260
So this is going to show us where the action is not passed through the

149
07:08.260 --> 07:09.360
categories alcohol.

150
07:09.360 --> 07:11.360
Then we get to roll down into these events as well.

151
07:11.360 --> 07:14.070
So for example, this right here, we can double click and look at the details

152
07:14.070 --> 07:16.360
regarding, you know, what happened, why it happened.

153
07:16.360 --> 07:21.560
So this is being reported from firewall one, so we can just scroll down. There's

154
07:21.560 --> 07:24.380
the action, and the profile was called no alcohol, which is a web filtering

155
07:24.380 --> 07:28.360
profile, which is specifically blocking on alcohol category of websites.

156
07:28.360 --> 07:30.360
And we did that just as a demonstration.

157
07:30.360 --> 07:33.360
If we want to clear the filter, we can clear it as well.

158
07:33.360 --> 07:37.790
Also with the filter, let me talk about two different modes here as we look at

159
07:37.790 --> 07:38.360
logs.

160
07:38.360 --> 07:40.360
One mode is the filter mode.

161
07:40.360 --> 07:44.690
And so we just click here and you can just specify what you want. For example,

162
07:44.690 --> 07:48.360
I want the level to equal, let's go ahead and say, critical, and apply.

163
07:48.360 --> 07:51.910
And that's going to show us based on the other components here, any web

164
07:51.910 --> 07:55.360
filtering where the level equal critical and there aren't any.

165
07:55.360 --> 07:58.360
Let's go ahead and remove that and click on add filter.

166
07:58.360 --> 08:02.410
And let's go ahead and say level is notice and click on apply and there we have

167
08:02.410 --> 08:03.360
a whole bunch.

168
08:03.360 --> 08:05.360
Then we could drill down to that further.

169
08:05.360 --> 08:09.180
Now another option instead of using the filter mode is we could go ahead and we

170
08:09.180 --> 08:12.360
could say text mode, which is more prone to errors because we're typing it out.

171
08:12.360 --> 08:16.590
So there's still help here in text mode. So let's go ahead and say action and

172
08:16.590 --> 08:21.360
then we'll go ahead and say equal and then we go ahead and type in blocked.

173
08:21.360 --> 08:24.520
And you can actually type here and add that as part of your filter and then

174
08:24.520 --> 08:27.360
click on the search icon to have it go ahead and show you that.

175
08:27.360 --> 08:31.450
But I prefer to use filter mode and I'll clear off that previous one and that

176
08:31.450 --> 08:35.360
way I can just add it by selecting and not have to worry about typos.

177
08:35.360 --> 08:38.720
So those are examples of how we can use the security logs. And here's one more

178
08:38.720 --> 08:39.360
example.

179
08:39.360 --> 08:43.360
Let's go to DNS and let's add a filter and this for the query type.

180
08:43.360 --> 08:45.360
Let's go ahead and say equals an A record.

181
08:45.360 --> 08:50.270
So an A record is just an IPv4 address record, and a quad-A (AAAA) is for IPv6, and

182
08:50.270 --> 08:51.360
click on apply.

183
08:51.360 --> 08:54.770
And that just shows the A records again we're under security DNS that's

184
08:54.770 --> 08:58.820
regarding DNS profiles that are associated with our security policy that were

185
08:58.820 --> 09:01.360
matched as traffic is going through the firewall.

186
09:01.360 --> 09:04.390
So here we have this one right here if we want to investigate that we can just

187
09:04.390 --> 09:05.360
double click on it.

188
09:05.360 --> 09:09.360
So as we scroll down here's the user there's the firewall that's reporting it

189
09:09.360 --> 09:13.360
and the action was pass and the profile is our DNS filter.

190
09:13.360 --> 09:18.050
And here protocol 17 that's the protocol number for UDP which is the default

191
09:18.050 --> 09:22.530
protocol used for a traditional kind of old school DNS request which is still

192
09:22.530 --> 09:25.360
done millions of times a day on the Internet.

193
09:25.360 --> 09:31.360
Another alternative to that would be using DNS over HTTPS or DNS using TLS.

194
09:31.360 --> 09:35.360
So based on what we're seeing here, it's a traditional DNS lookup.

195
09:35.360 --> 09:36.360
So let's take a look at another example.

196
09:36.360 --> 09:40.930
Let's go over to how about let's do application control. So here for

197
09:40.930 --> 09:44.840
application control and also click on the gear and let's add the column for

198
09:44.840 --> 09:45.360
level.

199
09:45.360 --> 09:48.670
And for the moment let me go ahead and take off the date time and the profile

200
09:48.670 --> 09:52.000
just gives a little more reading space here, and let's take a look at the output.

202
09:52.360 --> 09:55.390
So here I have a couple options if we want to sort through this one is I can

203
09:55.390 --> 09:58.590
say you know I don't want to see information so I can go ahead and click on

204
09:58.590 --> 10:00.360
information and then say don't show that.

205
10:00.360 --> 10:09.360
So it's showing us, for application control, I don't have any that are not at the

206
10:09.360 --> 10:09.360
informational level. All right, so I go ahead and close that and let's use a

207
10:09.360 --> 10:09.360
different security log.

208
10:09.360 --> 10:13.290
Let's go to IPS. And so here's our severity here, so if we say, you know what, I

209
10:13.290 --> 10:17.000
only want to see high severity, we could right click here and include a

210
10:17.000 --> 10:22.360
filter there, or we could go to add filter, severity, and say high. Either way

211
10:22.360 --> 10:23.360
is great, and click on apply.

212
10:23.360 --> 10:26.830
They would both create the filters for us. Now for these that are severity high, it also

213
10:26.830 --> 10:30.440
shows the action of detected but it implies that that traffic was not dropped

214
10:30.440 --> 10:33.360
as a result so we double click on one of these and take a look.

215
10:33.360 --> 10:37.990
So here are the details. It's a threat level high and looks like a SQL injection

216
10:37.990 --> 10:41.360
attack reported by firewall one but it was allowed.

217
10:41.360 --> 10:45.760
So because it says here user2, let's look at the source IP address as well, 10.20.0.102.

218
10:45.760 --> 10:51.710
Let's bring up that computer. So here is PC2. Confirm its IP address, and it's

219
10:51.710 --> 10:55.360
at 10.20.0.102. Fantastic. So if we bring up a browser.

220
10:55.360 --> 10:59.080
I've got it there's a test site provided I think it's by IBM on the Internet

221
10:59.080 --> 11:04.060
that's vulnerable. It's called AltoroMutual and the URL is testfire.net.

223
11:04.360 --> 11:08.780
So if we click here on log in, check this out, I've got a little SQL injection

224
11:08.780 --> 11:13.290
attack right here it's a single quote space or space one equals one space dash

225
11:13.290 --> 11:17.720
dash space I'm going to copy that and I'm going to go ahead and I'm going to

226
11:17.720 --> 11:21.360
paste it as the user name and also paste it in as the password and click log in, and

228
11:21.360 --> 11:25.430
sure enough, hello admin user. So that just happened, so we could just go back to

229
11:25.430 --> 11:29.470
the FortiAnalyzer and say, you know what, let's go ahead and take a look at the

230
11:29.470 --> 11:34.360
last five minutes, and there it is right there, AD user2, and that traffic was

231
11:34.360 --> 11:36.360
identified and if you double click.

232
11:36.360 --> 11:40.190
So there's the threat, the SQL injection, and we scroll up, here's the firewall

233
11:40.190 --> 11:43.960
that's reporting it and if you scroll back down it's also showing the location

234
11:43.960 --> 11:46.360
that the user was going to when they did this.

235
11:46.360 --> 11:51.010
So that's effectively one of our users doing a SQL injection attack against

236
11:51.010 --> 11:55.360
a server on the Internet. So here for the application, all_default_pass.

237
11:55.360 --> 11:59.170
That's the profile that allowed that to happen so we could just go back to

238
11:59.170 --> 12:02.910
firewall one let's do that right now and at firewall one let's go down to

239
12:02.910 --> 12:08.360
security profiles and there's intrusion prevention, there's all_default_pass and

240
12:08.360 --> 12:09.360
sure enough it has monitor.

241
12:09.360 --> 12:13.020
So all_default_pass is being used. To show you, the reference column is one; that

242
12:13.020 --> 12:16.860
means we have it applied to this firewall policy. And there's actually two

243
12:16.860 --> 12:22.360
ways of stopping a SQL injection attack: we can do it with an IPS profile, we can also

244
12:22.360 --> 12:26.430
do a web application firewall which would also do it but since we're looking at

245
12:26.430 --> 12:29.740
intrusion prevention let's go ahead and take a look at how about this block

246
12:29.740 --> 12:31.360
severity levels four and five.

247
12:31.360 --> 12:34.550
So this will go ahead and block the high and critical let's go ahead and use

248
12:34.550 --> 12:37.910
that instead so we'll go back to our firewall policy and then right here let's

249
12:37.910 --> 12:42.610
go ahead and just click on edit, and for IPS instead we'll say block severity

250
12:42.610 --> 12:44.360
level four and five, click on apply

251
12:44.360 --> 12:48.350
and bada bing, bada boom, that client should no longer be able to, you

252
12:48.350 --> 12:52.790
know, do a SQL injection against some server on the Internet. So we'll go back

253
12:52.790 --> 12:57.200
to our client and go ahead and open a browser once again we'll go to that test

254
12:57.200 --> 12:58.360
site and let me also copy into my buffer

255
12:58.360 --> 13:03.570
that SQL injection that we can try again. Click on copy, minimize that, we'll

256
13:03.570 --> 13:07.910
click on sign in and I'll go ahead and paste that in in both fields click on

257
13:07.910 --> 13:10.360
login and this time the firewall killed it didn't let us go through

258
13:10.360 --> 13:14.660
and also that information should be showing up inside of our logs as well so go

259
13:14.660 --> 13:18.470
ahead and close that, minimize the client, and let's go back to FortiAnalyzer. So

260
13:18.470 --> 13:22.360
now if we come back and we'll put the last five minutes here and click on

261
13:22.360 --> 13:22.360
refresh

262
13:22.360 --> 13:25.770
it's now showing the action of dropped let's go back a little bit further let's

263
13:25.770 --> 13:29.530
go back 30 minutes and here is showing the initial on where it was allowed and

264
13:29.530 --> 13:33.090
all these others when the client in the background was attempting and

265
13:33.090 --> 13:33.360
attempting

266
13:33.360 --> 13:36.510
and all of that was blocked and if we're curious about what that user has been

267
13:36.510 --> 13:39.990
doing, for example, another option, we could go ahead and just right click on

268
13:39.990 --> 13:44.690
user2, create a filter matching just on that and its IP address, and then

269
13:44.690 --> 13:47.820
remove severity equals high, and that would show us all of the activity for that

270
13:47.820 --> 13:48.360
specific user

271
13:48.360 --> 13:52.680
now the other cool thing that we can do with any of these logs traffic security

272
13:52.680 --> 13:56.030
and event is we can also say you know what if we want to bring up the same

273
13:56.030 --> 14:00.560
query in the future instead of going through and creating a filter we can also

274
14:00.560 --> 14:03.810
go ahead and create a custom view so let me add one more filter let me right

275
14:03.810 --> 14:08.970
click on this and add a filter looking for exactly user2 and the source

276
14:08.970 --> 14:12.360
address of 10.20.0.102. Let's imagine we wanted to be able to use this in

277
14:12.360 --> 14:14.360
the future but get to it really quick

278
14:14.360 --> 14:18.230
this option right here create custom view is the perfect way to do that let's

279
14:18.230 --> 14:22.540
call it user2 severity high from 102 address, and we can name it whatever we'd

280
14:22.540 --> 14:26.170
like and so what we can do now is we can click on OK and now that's created as

281
14:26.170 --> 14:30.350
a custom view where it's going to be exactly this so let me show you where it

282
14:30.350 --> 14:31.360
put us. Let me expand the left hand side.

283
14:31.360 --> 14:34.970
it took us to custom views and so we're going back to logs if we have a whole

284
14:34.970 --> 14:38.960
bunch of custom views that are saved we're going to custom views and boom we

285
14:38.960 --> 14:42.760
can just launch it again. So let's create one more. Let's go back to logs and let's

286
14:42.760 --> 14:43.360
imagine we want to create a custom view for what we want to do.

287
14:43.360 --> 14:48.650
we want to create a custom view for web filtering for the last 30 minutes based

288
14:48.650 --> 14:51.980
on traffic going to YouTube.com, so we'll add that as part of our filter, and let's

289
14:51.980 --> 14:57.020
also go ahead and search just on blocked, so we'll add that as a filter, so it's

290
14:57.020 --> 15:00.580
host name YouTube.com and action blocked for the last 30 minutes. We can

291
15:00.580 --> 15:01.360
create a custom view

292
15:01.360 --> 15:05.800
call it blocked YouTube for past 30 click on OK and that's going to save it as

293
15:05.800 --> 15:09.790
yet another custom view. So here are the custom views. Up here we have user2

294
15:09.790 --> 15:12.360
severity high from 102 address,

295
15:12.360 --> 15:15.880
another custom view called blocked YouTube past 30 so we can just click on

296
15:15.880 --> 15:19.070
those and automatically have those filters in place if you don't like them

297
15:19.070 --> 15:22.120
anymore and want to get rid of them, just double click on the three dots and then you

298
15:22.120 --> 15:24.360
can click on delete and that would remove that

299
15:24.360 --> 15:27.970
however if you have a few that are really handy you can just have them ready as

300
15:27.970 --> 15:31.690
custom views and then select them and away you go now another option that can

301
15:31.690 --> 15:37.000
be kind of useful is the raw log view so let's imagine we are going to a

302
15:37.000 --> 15:39.360
summary of our security events here

303
15:39.360 --> 15:42.370
currently let's go ahead and say the last two weeks great great great and so

304
15:42.370 --> 15:45.900
here for web filtering let's go down to the category of alcohol where it was

305
15:45.900 --> 15:50.460
blocked so we'll click on that it currently implemented the filter for us and

306
15:50.460 --> 15:52.360
it looks like we had two attempts from the same exact user

307
15:52.360 --> 15:55.660
so to get even more detail we can of course double click on one to see this

308
15:55.660 --> 16:00.760
information however we can also click here on more and go to raw log now this

309
16:00.760 --> 16:05.380
wouldn't be for the average you know day's use but if we want to go into details

310
16:05.380 --> 16:08.360
and see what's happening and take a look behind the scenes this could be a

311
16:08.360 --> 16:08.360
helpful option

312
16:08.360 --> 16:12.700
so if we go more and go to format log that would show us a nice friendly format

313
16:12.700 --> 16:17.380
once again and again the blue is showing traffic that was sent and received

314
16:17.380 --> 16:20.900
that was permitted and the yellow color here is indicating traffic that was

315
16:20.900 --> 16:21.360
blocked

316
16:21.360 --> 16:24.840
and if we wanted this to be a custom view once again just with it in place

317
16:24.840 --> 16:29.020
click on create custom view and we'll call it alcohol blocked and we'll click

318
16:29.020 --> 16:34.090
on okay so now under our custom views we have the user 2 is very high from 1 or

319
16:34.090 --> 16:37.360
2 blocked YouTube past 30 minutes and we have alcohol blocked

320
16:37.360 --> 16:41.150
which is super convenient if you have certain searches that you want to do just

321
16:41.150 --> 16:44.450
with the click of a button this is how you can set up those custom views again

322
16:44.450 --> 16:47.360
if you don't like them you can just go ahead and delete them and away they go

323
16:47.360 --> 16:51.950
so going back to logs let's also take a look at how we could view the FortiAnalyzer

324
16:51.950 --> 16:56.360
logs so if you click on the FortiAnalyzer these are logs based at the FortiAnalyzer

325
16:56.360 --> 17:01.240
so events things are going on I think of it like the brains of the FortiAnalyzer

326
17:01.240 --> 17:03.360
in the background with performance statistics and so forth

327
17:03.360 --> 17:07.750
and there's also an application sub tab here for the FortiAnalyzer and things

328
17:07.750 --> 17:10.470
like configuration changes and other details are happening in the background on

329
17:10.470 --> 17:15.010
the FortiAnalyzer but once again to go back to the FortiGates these are all the

330
17:15.010 --> 17:19.020
traffic security and event logs from the FortiGates that are selected from this

331
17:19.020 --> 17:19.360
list here

332
17:19.360 --> 17:22.620
and also with the time constraint here and we go to events and go to summary is

333
17:22.620 --> 17:25.990
showing us here for the last two weeks and here's the legend with the color

334
17:25.990 --> 17:29.360
coding we scroll down here system events widget router events

335
17:29.360 --> 17:34.450
SD-WAN events VPN events scroll down user events and if you have a widget that

336
17:34.450 --> 17:37.550
you're not needing or you don't use you can simply go ahead and remove it if

337
17:37.550 --> 17:42.360
you want to add a widget it's also super easy to add a widget just by going to

338
17:42.360 --> 17:43.360
here and adding it back in

339
17:43.360 --> 17:47.390
and if you like these tabs for net logs threading log browse over on the side

340
17:47.390 --> 17:51.200
here you can click this button in the upper right right there and if you want

341
17:51.200 --> 17:54.120
to move max just click here on toggle horizontal menu and then it'll come back

342
17:54.120 --> 17:54.360
at the top

343
17:54.360 --> 17:57.600
and while we're here looking at logs there's one other option called threat

344
17:57.600 --> 18:01.840
hunting which is quite amazing as well so with threat hunting you can specify

345
18:01.840 --> 18:04.360
your time range for example let's go ahead and say the last

346
18:04.360 --> 18:08.650
how about last 14 days is showing us the log counts and the dates involved

347
18:08.650 --> 18:12.790
there and then we can click right here for example on threat type and then for

348
18:12.790 --> 18:15.990
the threat type let's double click on botnet which will open that up as a

349
18:15.990 --> 18:18.360
filter for us where the threat type is botnet

350
18:18.360 --> 18:21.470
and further we could go ahead and double click on one of these for example let

351
18:21.470 --> 18:24.550
's go ahead and double click on that one right there that gives us the details

352
18:24.550 --> 18:28.360
over on the right hand side we're getting what's going on so this is reported

353
18:28.360 --> 18:28.360
by

354
18:28.360 --> 18:33.150
headquarters firewall one the event was a botnet command control communication

355
18:33.150 --> 18:37.490
the profile was all default pass which implies based on the title of that

356
18:37.490 --> 18:41.880
profile that it was allowing that traffic to go so the threat action was

357
18:41.880 --> 18:44.360
detected and here is the threat name and the pattern it saw as well

358
18:44.360 --> 18:48.750
then it has information on the threat pattern and the threat type of botnet and

359
18:48.750 --> 18:53.000
if we scroll down here's our user ad user 3 which might cause us to start

360
18:53.000 --> 18:57.160
investigating ad user 3 and or that source IP address to find out what else

361
18:57.160 --> 18:57.360
that user is doing

362
18:57.360 --> 19:01.840
so if we close that and we right click on user 3 here we could add a filter for

363
19:01.840 --> 19:06.360
just user 3 it looks like also user 2 is doing it as well so to add additional

364
19:06.360 --> 19:11.420
filter for botnet and user 3 we could right click on user 3 here and say add

365
19:11.420 --> 19:13.360
user 3 to the filter and that would filter just user 3

366
19:13.360 --> 19:16.010
then we could also say you know what I want to go ahead and take a look at

367
19:16.010 --> 19:19.380
these ones that are level notice we can adapt to the filter and just building

368
19:19.380 --> 19:23.590
the filter for us as we go through and that gives us a great opportunity with

369
19:23.590 --> 19:27.390
filtering just by using the log view by filtering down and finding out what's

370
19:27.390 --> 19:28.360
going on on the network

371
19:28.360 --> 19:31.830
and one other cool thing about FortiAnalyzer that I'm going to allude to right

372
19:31.830 --> 19:35.200
now is that if we see something that looks suspicious or you know like we need

373
19:35.200 --> 19:41.360
to look at it further we can very easily create an incident in FortiAnalyzer and

374
19:41.360 --> 19:42.360
then add information to it

375
19:42.360 --> 19:46.430
tell triangulate and figure out what's going on with a specific user or

376
19:46.430 --> 19:50.030
specific device as it communicates over the network and we'll cover event

377
19:50.030 --> 19:53.760
handling and incident management in a separate set of videos but all this

378
19:53.760 --> 19:57.360
information that we're digging into from the logs can help us in identifying

379
19:57.360 --> 20:00.360
and confirming something that's negative happening on the network

380
20:00.360 --> 20:05.340
now another really cool option that Fortinet provides for us in the FortiAnalyzer

381
20:05.340 --> 20:10.610
is something called FortiView and FortiView is going to be usable after the

382
20:10.610 --> 20:14.360
FortiAnalyzer receives data the log information and then puts it into the SQL

383
20:14.360 --> 20:17.360
database we can then start leveraging it here with

384
20:17.360 --> 20:23.780
FortiView which is exactly what we're going to do in the very next video so I'll

385
20:23.780 --> 20:30.360
see you there in just a moment
