
Downloading ZyXEL Firewall

SHA256 checksums of the downloadable packages:

- zyxel-firewall_301.tgz: 1bac5df6ec9f1f88bab9fe98bb3b4643ec079a6ba339d165adb4a868d5886a74
- zyxel-firewall_300.tgz: de2faafc8d2ee2691529e1750b5c0fddb002d094b7ce06a02a345916223ae28e
- zyxel-firewall_201.tgz: 4a3bd4fce48119183564574d1ab1f792ed234205ad8c7734e0d6545d669ac683
- zyxel-firewall_200.tgz: 0989e661e61b2802c9bfd658a50a35712a46aff5e0cac9d910fa8ba16fac48c2
- zyxel-firewall_101.tgz: 14b6d8f81c471a802542e2e141f6394af142ea27492946e7538465d84473d25a
- zyxel-firewall_100.tgz: bd139161db9e27617f392c959999242bc5f90031bb0e67937675bb17b7d655a0

To install your download: for instructions specific to your download, see the Details section below.
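Before installing an app package on a search head it is worth confirming that the file you downloaded is the one whose checksum is published on this listing. The following shell function is an added example, not part of the Splunkbase page or of the ZyXEL Firewall app itself; it computes the SHA256 digest of a file with `sha256sum` (falling back to `shasum -a 256` on macOS/BSD) and compares it with the expected digest. The example call at the end uses the checksum listed above for zyxel-firewall_301.tgz and assumes that file sits in the current directory.

```shell
#!/bin/sh
# Added example (not the Splunkbase page's or the app's own code): verify a downloaded
# app package against the SHA256 checksum published on the listing before installing it.
# Usage: verify_sha256 <file> <expected-hex-digest>
# Returns 0 when the digest matches, 1 on mismatch, 2 if the file cannot be read.

verify_sha256() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Prefer GNU coreutils sha256sum; fall back to shasum (macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi

    # Compare case-insensitively: published digests may be upper- or lower-case hex.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Example call with the checksum published for the 3.0.1 package on this page.
# The guard skips the call when the package is not present in the current directory.
[ -f zyxel-firewall_301.tgz ] && verify_sha256 zyxel-firewall_301.tgz \
    1bac5df6ec9f1f88bab9fe98bb3b4643ec079a6ba339d165adb4a868d5886a74
```

A non-zero return value is meant to stop an installation script: a mismatch means the package was altered or truncated in transit, or that a different version was fetched than the one the listing describes.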


ZyXEL Firewall

Splunk Cloud
A firewall is the first line of defence in network security: all traffic entering the organization needs proper inspection. It is used to detect unauthorized access to the network and to monitor and track unwanted activity before the network is compromised.

The Zyxel Firewall Monitor app helps to control incoming and outgoing network traffic based on predetermined security rules. Its main objective is to investigate firewall activity, including malicious behaviour from the outside world, and to characterize that behaviour with the help of dashboards. The app gives insight into the traffic logs (outgoing and incoming traffic to the outside world), the security view (which sources and destinations are being contacted), the organization's VPN activity for internal and external users, and it notifies you of activity in the firewall through reports and alerts.

To use the Zyxel Firewall Monitor app you first need to install the TA_Zyxel_Splunk add-on (https://classic.splunkbase.splunk.com/app/6174/). This TA is mapped to data models and provides the sourcetypes for the firewall logs that this app uses.

Installation and Configuration:-
Installation must be done on the search head (SH).

Configuration: once data is arriving from the Zyxel Add-on for Splunk (configured as described in that add-on's documentation), edit the index macro after installing the Zyxel Firewall app:
1) In the Zyxel app installed on the search head, go to Settings -> Advanced Search -> Search macros.
2) Edit the zywall_idx macro and add your index name.

Dashboards:-

1) ZyXEL Home
This is the home page of the app. It shows the important details of the firewall, such as firmware version, model name, device ID, and current CPU and memory levels, in single-value panels. It also includes an introduction page with links to edit the event types used in the app, for modularity.

2) Security
The Security tab gives the details of failed VPN logins and locked sources for both internal and external users. It also detects intrusions, i.e. source IPs that have scanned destination IPs and ports, and attacks from outside on the internal network and its ports.

3) Traffic
This tab gives the data usage statistics of the firewall, with a chart showing data usage over the week. You can also view data usage by the users and devices connected to the firewall. These details are captured automatically by the alerts and reports running in the app; you may need to adjust the configuration of those alerts and reports to your needs.

4) VPN
This tab gives an overview of users logging in to the VPN: the number of login attempts they made, the total sessions they used in a given time range, details of users who tried to log in outside office hours, their total disconnects, and the VPN IP they were assigned when logged in. These details are captured automatically by the alerts and reports.

5) Network Viz Firewall
This tab gives an architectural network diagram of users connecting to the VPN: which VPN IP they are allocated, how many destinations they reached with that IP, and the traffic used for uploading and downloading data in MB.

Reports:-

1) Zyxel VPN login by new users
This report runs daily at 00:00 and collects into a lookup any new devices that connected to the network.

2) Zyxel Out Of Office hours logins between 3 AM and 6 PM
This report runs every 24 hours and returns the users who logged in to the VPN outside office hours.

3) Zyxel Total Data Uploaded and Downloaded by all Users
This report is scheduled every 24 hours and collects the total traffic uploaded and downloaded by all users.

Alerts:-

1) Zyxel Firewall CPU/Memory Usage > 70
Triggers when firewall CPU or memory usage goes beyond 70; runs every hour.
You can change the trigger condition in the query as required.

2) Zyxel Firewall Upload/Download Data Limit > 15GB
Sends an alert when the total data downloaded by the organization goes beyond 15 GB, or the total data uploaded by the organization goes beyond 1.5 GB. You can change the trigger condition in the query as required.

3) Zyxel Failed VPN Login Attempts > 3
This alert runs every hour and returns the users who have made 3 consecutive failed VPN login attempts.

4) Zyxel Locked Users by Failed VPN Login Attempts
This alert triggers when an internal user is locked out after more than 3 consecutive failed VPN login attempts.

5) Zyxel User Download Data > 1GB
This alert triggers when the total data downloaded by an employee goes beyond 1 GB (default).

6) Zyxel VPN Not Connected By Users From Last 5 Days
This alert triggers when a user has not logged in to the VPN in the last 5 days.

7) Zyxel VPN not connected by users from last 24 hrs
This alert triggers for users who have not connected to the VPN in the last 24 hours.

References
Steps for configuring Splunk and the Zyxel app are given on the app home page.

Release Notes

Version 3.0.1
May 16, 2024

Cloud Compatibility

Version 3.0.0
Oct. 16, 2023

Splunk Cloud compatibility issue fixed, plus bug fixes

Version 2.0.1
Dec. 30, 2021
Version 2.0.0
Nov. 3, 2021
Version 1.0.1
July 14, 2020

Fixed props.conf so that ports are extracted correctly; the regex has been modified to work more efficiently.

Version 1.0.0
March 5, 2020
