Adding NSS Feeds for Firewall Logs

You can configure up to eight NSS feeds to specify the data from the firewall logs that the NSS will send to the SIEM. For each feed, you can configure multiple types of filters. For example, you can configure separate feeds for each location or for different policy rules. Note that a large number of filters or complex filters, such as string search, might impact the performance of the NSS.

Before you start configuring a feed for firewall logs, consider the guidelines for configuring feeds.

To configure a feed for firewall logs:

  1. Go to Administration > Settings > Nanolog Streaming Service.
  2. From the NSS Feeds tab, click Add and complete the following:
    • Feed Name: Enter or edit the name of the feed. Each feed is a connection between NSS and your SIEM.
    • NSS Type: Select NSS for Firewall.
    • NSS Server: Choose an NSS from the list.
    • Status: It is Enabled by default. Click Disabled if you want to activate it at a later time.
    • SIEM IP Address and SIEM TCP Port: Enter the IP address and port of the SIEM to which the logs are streamed. Ensure that the SIEM is configured to accept the feed from NSS.
    • Log Type: Choose Firewall Logs.
    • Choose the Firewall Log Type:
      • Full Session Logs: Logs all sessions of the rule individually, except HTTP(S).
      • Aggregate Logs: Individual sessions are grouped together based on { user, rule, network service, network application } and recorded periodically.
      • Both Session and Aggregate Logs
    • Feed Output Type: The output is a comma-separated (CSV) list by default. You can choose Name-Value Pairs or Tab-separated if your SIEM accepts either of these formats.
    • Feed Escape Character: Optionally, type a character that you would like to hex encode when it appears in a URL, host name or referer URL. For example, type a comma (,) to encode it as %2C. This is useful if you are using this character as your delimiter and would like to ensure it does not cause erroneous delimitation. If custom encoding was done for a record, the %s{eedone} field will be YES for that record.
    • Feed Output Format: These are the fields that will be displayed in the output. See NSS Feed Output Format for information about the available fields and their syntax.
    • User Obfuscation: You can enable user obfuscation. When you do, a random string is displayed instead of the user names. If this is enabled, the ‘login’ field in the Feed Output Format automatically changes to the ‘ologin’ field, which outputs the obfuscated login name. Choose Disable to display the user names.
    • Timezone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output file. The time zone automatically adjusts to changes in daylight savings in the specific time zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone database. Direct GMT offsets can also be specified.
    • Duplicate Logs: To ensure that no logs are skipped during any down time, specify the number of minutes for which NSS will send duplicate logs.
  3. Define filters for firewall logs as follows:
    • Action
      • NAT Action: Use this filter to limit the logs to traffic on which the service performed destination NAT and redirected traffic to specific IP addresses and optionally, ports.
      • DNAT Destination Names: Use this filter to limit the logs to traffic that was redirected to specific FQDNs after the service performed destination NAT. (Available with advanced firewall subscription)
      • Policy Actions: Use this filter to limit the logs based on the action the service took, in accordance with the firewall filtering policy. You can choose multiple actions.
        • Allow: The service allows packets that matched the rule to pass through the firewall.
        • Block/Drop: The service silently drops packets that matched the rule.
        • Block/ICMP: The service drops all packets that matched the rule and sends the client an ICMP error message of Type 3 (Destination unreachable) and Code 9 or 10 (network/host administratively prohibited).
        • Block/Reset: For TCP traffic, the Zscaler service drops all packets that match the rule and sends the client a TCP reset (a TCP packet with the reset (RST) flag set to 1 in the TCP header, indicating that the TCP connection must be stopped immediately). For non-TCP traffic, this is the same as Block/Drop.
      • Rule Names: Use this filter to limit the logs based on specific rules in the firewall policies. Choose the rules from the list.
    • Who
      • Users: Use this filter to limit the logs to specific users who generated transactions. To use the Search function, enter either the user name or email address in the Search box and click Search. There is no limit on the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.
      • Departments: Use this filter to limit the logs to specific departments that generated transactions. To use the Search function, enter the department name in the Search box and click Search. There is no limit on the number of departments that you can select. Departments that are deleted after they are selected appear with a strikethrough line.
    • Source
      • Locations: Use this filter to limit the logs to specific locations and sublocations. To use the Search function, enter the location name in the Search box and click Search. There is no limit on the number of locations that you can select. Locations that are deleted after they are selected appear with a strikethrough line.
      • Client Source IP Addresses: Use this filter to limit the logs based on a client’s private IP address. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
      • Client Source Ports: Use this filter to limit the logs to specific client source ports. For aggregated sessions, this is the client source port of the last session in the aggregate. You can specify individual ports and a range of ports.
      • Client Destination Names: Use this filter to limit the logs to specific client destination FQDNs. For aggregated sessions, this is the client destination FQDN of the last session in the aggregate. (Available with advanced firewall subscription)
      • Client Destination IP Addresses: Use this filter to limit the logs to specific client destination IP addresses. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
      • Client Destination Ports: Use this filter to limit the logs to specific client destination ports. For aggregated sessions, this is the client destination port of the last session in the aggregate. You can specify individual ports and a range of ports.
      • Client Public IP Addresses: Use this filter to limit the logs based on a client’s public IP address. The internal IP address is available if traffic is forwarded to the service through a GRE tunnel or is taken from the XFF header. If the internal IP address is not available, the value is the same as the client IP address. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
      • Traffic Forwarding: Use this filter to limit the logs based on the traffic forwarding mechanism used to send traffic to the Zscaler firewall. Choose one or more of the listed methods or choose Any.
    • Server
      • Server Source IP Addresses: Use this filter to limit the logs to specific server source IP addresses. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
      • Server Source Ports: Use this filter to limit the logs to specific server source ports. For aggregated sessions, this is the server source port of the last session in the aggregate. You can specify individual ports and a range of ports.
      • Server Destination IP Addresses: Use this filter to limit the logs to specific server destination IP addresses. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. You can enter:
        • An IP address (for example, 198.51.100.100)
        • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)
        • An IP address with a netmask (for example, 203.0.113.0/24)

          You can enter multiple entries. Hit Enter after each entry.
      • Server Destination Port: Use this filter to limit the logs to specific server destination ports. For aggregated sessions, this is the server destination port of the last session in the aggregate. You can specify individual ports and a range of ports.
      • Tunnel IP Addresses: Tunnel IP address of the server. For aggregated sessions, this is the server's tunnel IP address corresponding to the last session in the aggregate.
      • Server IP Classes: URL class that corresponds to the server IP address.
      • Server IP Super Categories: URL super category that corresponds to the server IP address.
      • Server IP Categories: URL category that corresponds to the server IP address.
      • Countries: Country code that corresponds to the server IP address.
    • Session
      • Inbound Bytes: Use this filter to limit the logs based on the number of bytes sent from the server to the client. For aggregated sessions, this is the total bytes sent from the server across all sessions in the aggregate. You can specify numbers or ranges.
      • Outbound Bytes: Use this filter to limit the logs based on the number of bytes received by the server. For aggregated sessions, this is the total bytes received by the server across all sessions in the aggregate. You can specify numbers or ranges.
      • Durations: Use this filter to limit the logs based on the duration of the sessions, in seconds. For aggregated sessions, this indicates the average session duration. You can specify numbers or ranges.
      • Number of Sessions: For aggregated logs, you can filter by the number of sessions. You can specify numbers or ranges.
    • Protocol Classification
      • Network Applications: Use this filter to limit the logs to specific network applications associated with the session or aggregated sessions.
      • Network Services: Use this filter to limit the logs to specific network services associated with the session or aggregated sessions.
  4. Click Save and activate the change.
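The Feed Escape Character and the %s{eedone} field described in step 2 only help if the SIEM side undoes the encoding correctly. The following is an added example, not code from the Zscaler documentation: it parses CSV-format firewall feed records, restores the escaped delimiter only in records flagged eedone=YES, and rejects records whose field count is wrong. It assumes a feed saved with CSV output, a comma as the escape character, and a Feed Output Format with the columns time, login, action, dest_url, eedone; apart from login and eedone, those column labels are hypothetical and not NSS field names.

```python
# Added example (not from the Zscaler NSS documentation): SIEM-side parsing of
# CSV-format NSS firewall feed records, undoing the Feed Escape Character
# encoding only where the eedone field says it was applied.
#
# Assumed, for this example only: Feed Output Type = CSV, Feed Escape
# Character = ',', and a Feed Output Format whose columns are, in order,
# time, login, action, dest_url, eedone ('login' and 'eedone' are NSS names;
# the other labels are hypothetical).

COLUMNS = ["time", "login", "action", "dest_url", "eedone"]
ESCAPE_CHAR = ","                        # the configured Feed Escape Character
HEX_FORM = "%%%02X" % ord(ESCAPE_CHAR)   # what NSS writes instead: ',' -> '%2C'
ENCODED_FIELDS = {"dest_url"}            # only URL / host / referer fields are encoded

def parse_record(line: str, delimiter: str = ",") -> dict:
    """Split one feed line into a dict keyed by COLUMNS.

    Raises ValueError if the field count is wrong, the symptom of an unescaped
    delimiter inside a value (escape character not set, or NSS and SIEM
    disagreeing on the delimiter)."""
    fields = line.rstrip("\r\n").split(delimiter)
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)} fields: {line!r}")
    rec = dict(zip(COLUMNS, fields))
    if rec["eedone"] == "YES":
        # Restore only the escape character. A blanket percent-decode
        # (urllib.parse.unquote) would also rewrite %20, %3D, ... that the
        # original URL legitimately contained, altering the evidence.
        for name in ENCODED_FIELDS:
            rec[name] = rec[name].replace(HEX_FORM, ESCAPE_CHAR)
    return rec

def parse_feed(lines):
    """Parse many lines; malformed ones are collected, not silently column-shifted."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            rejected.append(str(exc))
    return records, rejected

# Constructed sample records, not captured traffic.
SAMPLE_LINES = [
    "2024-01-01 10:00:00,alice@example.com,Allow,http://example.net/a%2Cb?x=1,YES",
    "2024-01-01 10:00:01,bob@example.com,Block/Drop,http://files.example.net/%20x,NO",
    "2024-01-01 10:00:02,carol@example.com,Allow,http://example.net/a,b?x=1,NO",
]
```

The third sample shows what the same URL looks like when no escape character is configured: the comma splits the record into six fields and the parser rejects it instead of shifting every later column.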