Enable TLS protection for log or audit data forwarding

You can optionally enable TLS protection for log or audit data forwarding to an external syslog server.

Before you begin

Because there is a connection to an external system, public key infrastructure (PKI) integration, including certificate revocation list (CRL) checking, must already be configured.

You can optionally configure TLS server identity to verify the identity of the syslog server to which log data is forwarded from the Management Server or the Log Server.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Dashboard > Servers / Devices.
  2. Browse to Log Server or Management Server.
  3. Right-click the Log Server or Management Server from which you want to forward log or audit data, then select Properties.
  4. Click the Log Forwarding or Audit Forwarding tab.
  5. Add rules for log or audit data forwarding.
    1. To add a rule, click Add.
    2. To select the external host to which the log or audit data is forwarded, double-click the Target Host cell, select a Host element, then click Select.
    3. In the Service cell, select a network protocol with TLS option from the drop-down list.
    4. In the Port, Format, Data Type (Log Server only), and Filter cells, select the settings according to your needs.
    5. Double-click the Kafka Topic cell to specify a name for the kafka topic, only if you have selected the Kafka with TLS option from the Service drop-down list.
    6. To select the TLS profile for TLS-protected log data forwarding, double-click the TLS Profile cell, select a TLS Profile element, then click Select.
  6. (Optional) Configure the TLS Server Identity.
    1. Double-click the TLS Server Identity cell.
    2. From the TLS Server Identity drop-down list, select the server identity type field to be used.
    3. (Optional) Click Fetch from Certificate to fetch the value of the server identity type field from a certificate.
      Note: You can fetch the value of the server identity field from a certificate only if the server identity field is Distinguished Name, SHA-1, SHA-256, SHA-512, or MD5).
    4. In the Identity Value field, enter the value of the server identity field.
  7. Define the Log Server or Management Server TLS certificate options.
    This certificate is used as the client certificate when connecting to the external syslog server.
    • To use the server's internal certificate, select Use Internal Certificate.
    • To use the certificate contained in a TLS Credentials element, select Use Imported Certificate, then click Select.

      Select a TLS Credentials element.

    • To leave the server's certificate unauthenticated, select No Client Authentication.
  8. Click OK.

TLS Profile Properties dialog box

Use this dialog box to define a TLS profile for enabling TLS protection for traffic to and from external components.

Option Definition
Name The name of the element.
TLS Cryptography Suite Set The cryptographic suite for TLS connections.
Trusted Certificate Authorities

Specifies which certificate authorities to trust.

  • Trust any
  • Trust selected

Click Add to add an element to the list, or Remove to remove the selected element.

Version The TLS version used.
Use Only Subject Alt Name

(Optional)

Uses only Subject Alternative Name (SAN) certificate matching.
Accept Wildcard Certificate

(Optional)

Allows the use of wildcards in certificate matching.
Check Revocation

(Optional)

Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority.
Delay CRL Fetching For

(Optional, NGFW Engine only)

The time interval for the NGFW Engine to fetch the CRL. If the CRL expires sooner than the specified interval, the CRL expiration value defines the interval for fetching the CRL.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore OCSP Failures For

(Optional, NGFW Engine only)

The number of hours for which the NGFW Engine ignores OCSP failures.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Ignore Revocation Check Failures if There Are Connectivity Problems

(Optional, NGFW Engine only)

When selected, the NGFW Engine ignores all CRL check failures if connectivity problems are detected.

This setting is ignored when the TLS Profile element is used for a Management Server or a Log Server.

Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Comment

(Optional)

A comment for your own reference.

TLS Server Identity dialog box

Use this dialog box to define the identity of a TLS server for TLS-protected audit or log data forwarding to an external syslog server, or the identity of an external LDAP or Active Directory server.

Option Definition
TLS Server Identity Field

Select the server identity type field to be used.

  • DNS Name — Use the DNS name of the server.
  • IP Address — Use the IP address of the server.
  • Common Name — Use the common name (CN) of the server.
  • Distinguished Name — Use the distinguished name (DN) of the server.
  • SHA-1 — Use SHA (Secure Hash Algorithm) hash function 1.
  • SHA-256 — Use SHA (Secure Hash Algorithm) hash function 256.
  • SHA-512 — Use SHA (Secure Hash Algorithm) hash function 512.
  • MD5 — Use MD5 Message-Digest Algorithm.
  • Email — Use the email address associated with the server.
  • User Principal Name — Use the user principal name (UPN) of the server.
Fetch From Certificate Opens the Import Certificate dialog box for fetching the value of the server identity field from a certificate.
Note: You can fetch the value of the server identity field from a certificate only if the server identity field is Distinguished Name, SHA-1, SHA-256, SHA-512, or MD5.
Server Identity Value Specifies the value for the selected field type.

Import Certificate dialog box

Use this dialog box to import an externally signed certificate.

Option Definition
From File Allows you to import a certificate from a file on your computer. Click Browse to select the file.
As Text Allows you to paste the contents of the certificate as text in the text field.