Forcepoint NGFW (syslog)

In this guide, you'll set up a trusted relationship between Forcepoint NGFW and Radiant. Once complete, Radiant will collect and analyze alerts and events from your Forcepoint NGFW environment.

Log entries are traffic-based events that are logged according to policy rules. An audit log entry is a special type of log entry that is not traffic-based, but instead provides a record of SMC administrative actions and some internal events like element updates and scheduled task executions.

Prerequisites

• Admin access to Forcepoint SMC

• At least one running SMC Log Server

Add the data connector in Radiant Security

1. Log in to Radiant Security.

2. From the navigation menu, click Settings > Data Connectors and click + Add Connector.

3. Search for and select the Radiant Agent option from the list and then click Data Feeds.

4. Under Select your data feeds, select Forcepoint NGFW and click Credentials.

5. Under Credential Name, give the Radiant Agent integration an identifiable name (e.g. Radiant Agent Integration).

6. Click Add Connector.

Configure a Radiant Agent for Log Collection

Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs.

Configure log forwarding in Forcepoint SMC

1. Sign in to your Forcepoint SMC.

2. Click Home.

3. Click Others > Log Server.

4. Right-click the log server that you want to forward logs from, and then select Properties.

1. Click the Log Forwarding tab.

2. Click Add and enter the following:

   • Service: UDP

   • Port: <port_configured_to_receive_forcepoint_ngfw>

   • Format: select JSON

   • Data Type: select All Log Data

3. Double-click the Target Host cell to open the Select Host dialog box.

   1. Click the Settings icon > New > Host.

   b. Enter Radiant-Security-Syslog

   c. Select the IP field and enter <Radiant Agent's local IP>

4. Click OK.

5. Select the new host and click Select.

6. On the Log Server TLS Certificate box, select No client Authentication.

7. Click OK.