Friday, June 27, 2014

McAfee Next Generation Firewall (Stonesoft): Load balancing and QoS using Multi-Link


Overview

McAfee Multi-Link is a very useful feature for organizations that need a reliable and scalable internet connection. It is reliable because users keep seamless internet connectivity while their primary ISP is down. It is scalable because an organization can add a new ISP alongside the existing ones without downtime.

The following videos show how to configure Multi-Link for various requirements.

Note: For the network diagram, refer to this post: http://nidofortified.blogspot.com/2014/06/configuring-mcafee-next-generation.html

Requirement 1: I want all high-priority traffic to pass over the ISP with the larger bandwidth

In this video, I show how to use Multi-Link ratio mode together with QoS.

I change the ISP A NetLink bandwidth information from 100 kbps to 300 kbps.
After the security engine refresh, notice that the NAT source IP changes.

Requirement 2: I want to use QoS in my firewall policy

If you want to make sure that a specific rule is routed over your most reliable or largest-pipe ISP,
first make sure that you have applied a QoS class to that rule.

Then modify your Outbound Multi-Link element to choose which NetLink handles that QoS class.
Refresh the security engine and verify the result in the Log viewer.
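To make the two requirements concrete, here is a small Python model of the behaviour they rely on: ratio mode picking a NetLink in proportion to its configured Output speed, a QoS class pinned to a chosen NetLink, and a NetLink that fails probing being taken out of rotation. This is an illustration added for this write-up, not McAfee's implementation; the link names and speeds follow the two-ISP lab in the configuration post below, the gateway and NAT addresses are assumed, and the smooth weighted round-robin is a simplification of whatever the engine really does.

```python
# Simplified model of Multi-Link ratio mode, QoS pinning and probe failover.
# Added illustration for this write-up; NOT McAfee NGFW's real algorithm.
from dataclasses import dataclass


@dataclass
class NetLink:
    name: str
    gateway: str        # next-hop IP (assumed value)
    nat_ip: str         # address the firewall NATs to on this link (assumed)
    output_kbps: int    # the NetLink's configured Output speed
    up: bool = True     # outcome of the latest probe
    credit: int = 0     # smooth weighted round-robin state


class OutboundMultiLink:
    def __init__(self, links, qos_pins=None):
        self.links = links
        # QoS class name -> NetLink name that must carry it (Requirement 2)
        self.qos_pins = qos_pins or {}

    def active(self):
        """Only NetLinks whose probes succeed are eligible."""
        return [l for l in self.links if l.up]

    def select(self, qos_class=None):
        """Choose the NetLink for a new outbound connection."""
        active = self.active()
        if not active:
            raise RuntimeError("no NetLink passed probing")
        pinned = self.qos_pins.get(qos_class)
        for link in active:
            if link.name == pinned:      # pinned class, and its link is up
                return link
        # Ratio mode: smooth weighted round robin, weight = Output speed.
        # Each link receives a share proportional to its speed, which is why
        # raising ISP A from 100 to 300 kbps changes which NAT source IP the
        # log viewer shows for a given flow.
        total = sum(l.output_kbps for l in active)
        for link in active:
            link.credit += link.output_kbps
        chosen = max(active, key=lambda l: l.credit)
        chosen.credit -= total
        return chosen


def distribution(multilink, connections, qos_class=None):
    """Count how many of `connections` new flows land on each NAT source IP."""
    counts = {}
    for _ in range(connections):
        link = multilink.select(qos_class)
        counts[link.nat_ip] = counts.get(link.nat_ip, 0) + 1
    return counts


def build_lab(isp_a_kbps=50, isp_b_kbps=100):
    """Two-ISP lab like the configuration post (addresses are assumed)."""
    isp_a = NetLink("ISP A", "198.51.100.1", "198.51.100.2", isp_a_kbps)
    isp_b = NetLink("ISP B", "203.0.113.1", "203.0.113.2", isp_b_kbps)
    return OutboundMultiLink([isp_a, isp_b], qos_pins={"High Priority": "ISP B"})


if __name__ == "__main__":
    ml = build_lab()
    print("ratio 50:100  ->", distribution(ml, 30))
    ml = build_lab(isp_a_kbps=300)
    print("ratio 300:100 ->", distribution(ml, 40))
    print("High Priority ->", distribution(ml, 10, "High Priority"))
    ml.links[1].up = False            # ISP B fails probing
    print("B down        ->", distribution(ml, 10, "High Priority"))
```

The pinned QoS class only falls back to ratio mode when its NetLink is down, which is the behaviour to verify in the Log viewer after the refresh: the High Priority flows should all carry ISP B's NAT address until ISP B fails probing.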


So that's it for now. If you have any questions, or a requirement you need to check whether NGFW can support, just leave a comment. :-)

Thursday, June 19, 2014

Configuring McAfee Next Generation Firewall (Stonesoft) Multi-Link Feature

Overview

Multi-Link is a feature unique to McAfee NGFW. It helps organizations reduce cost by avoiding the purchase of a single large-bandwidth link from one ISP: multiple ISP links are combined into a single route for all network traffic.
Aside from reducing cost, it also improves reliability for organizations that need 24/7 operations, since the engine automatically switches traffic to the active/best ISP link.

Multi-Link also extends to VPN tunnels, which again helps improve operations and reliability.

Last but not least, Multi-Link can also be used for inbound traffic. For example, you can have multiple links/routes to your web server to avoid service downtime for external users/customers.

For more info, visit McAfee NGFW site here: http://www.mcafee.com/us/products/network-security/next-generation-firewall-technologies/multi-link.aspx

Configuration

Configuring Multi-Link is very simple: typically you just need multiple ISP connections and some popcorn (yes, popcorn, for watching the logs as NGFW load-balances by default :-) ).

For this tutorial, my environment has 2 ISPs. ISP A has 50 kbps up and 100 kbps down, while ISP B has 100 kbps up and 200 kbps down but one extra hop before reaching the internet.


Now that you have an idea of my test environment, let's proceed to the configuration.

Step 1: Configure Physical Interface IP

Provide the IP address on each ISP-facing interface that will communicate with the external network.

Step 2: Configure NetLinks

Just like adding a normal static route, right-click the interface network and choose New -> Static Netlink (as shown below).
Note: There are two types of NetLink, Static and Dynamic; what they do will be discussed in a separate tutorial.

A pop-up window will show for NetLink configuration.

Name - The unique name for this NetLink
Gateway - The next-hop IP address (usually your ISP router's IP)
Network - The network segment assigned by your ISP
Probing settings - Used to detect whether a link is up and to measure the speed of each link.
Note: When adding IP addresses for probing, use addresses of external servers rather than the ISP router address. The router is a poor indicator of link health: during an ISP outage you can often still ping your ISP router while having no internet connectivity, so a router-only probe would keep a dead link in rotation.
Input speed - The incoming bandwidth of this ISP
Output speed - The outgoing bandwidth of this ISP
Note: Entering the speeds is mandatory if you need to configure QoS or load balancing, since the configured speeds are what ratio mode balances against.

Click OK, then repeat the steps to create another NetLink for ISP B.
Below is an example of a complete NetLink configuration.

Step 3: Creating Outbound Multi-Link

Select Outbound Multi-Link.
Add the NetLink created for each ISP.
In the NetLink Member window, provide the IP range that Multi-Link may use on that link as the NAT source. The above shows that I only want a single IP address to be used by my firewall. Leave QoS blank for now and click OK.

Step 4: Creating NAT Rule

This rule says that any outgoing connection is source-NATed to the Outbound Multi-Link element, so it can leave over either of the two ISP connections.

Step 5: Test Configuration

Start browsing and view the logs in the SMC. You will notice that the outgoing traffic is NATed to different external IPs of the firewall, one per NetLink.

And that's it! You now have Multi-Link enabled for Outbound traffic.

I will update this post to show how I configured NGFW for the following scenarios. Should you have a request for a certain scenario, do leave a comment. :-)

Scenario A: Apply Load Balancing
Scenario B: Restrict Specific Traffic from Specific Link
Update 1:
I combined Scenarios A and B into this single post: Advanced Settings for McAfee NGFW Multi-Link

Sunday, June 1, 2014

Suricata with Logstash - Part 3: Setup and Configure Logstash

Pre-Installation Requirements

Dependencies
The following are what I needed to install when using Ubuntu 10.04 as my host; check first whether your system already has them. Note that eve-log is not a package: it is Suricata's JSON output module, enabled in suricata.yaml below, and it requires Suricata to have been built with Jansson (libjansson) support, otherwise eve.json is never written. The Jansson development package name may differ on your release.
$sudo apt-get install apache2 libjansson-dev

Java 6 or later
Make sure Java is installed on your system; if not, the following installs it on Ubuntu:
$sudo add-apt-repository ppa:webupd8team/java
$sudo apt-get update
$sudo apt-get install oracle-java6-installer
$java -version

Geo-Location
To have the Logstash geoip filter add geo-location to each event (so the dashboard can map source addresses), download the MaxMind GeoLite City database. The file is a gzip-compressed .dat, not a tar archive, so it is unpacked with gunzip. (MaxMind discontinued this legacy GeoLite download in 2019; newer Logstash releases ship with GeoLite2 instead.)
$mkdir GeoLocation
$cd GeoLocation
$wget -N http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
$gunzip GeoLiteCity.dat.gz


Download Logstash

$mkdir logstash
$cd logstash
$wget https://download.elasticsearch.org/logstash/logstash/logstash-1.3.3-flatjar.jar

Setup and Configure Logstash

Create a Logstash config file. Any path works as long as it matches the -f argument used when starting Logstash; note that /etc/init is Upstart's job directory, so a pipeline config stored there is not an Upstart job.
$sudo vim /etc/init/logstash.conf
Insert the following in the config file:
input {
  file {
    path => ["/var/log/suricata/eve.json"]   # Suricata EVE output, one JSON object per line
    codec => json                            # decode each line into event fields
    type => "SuricataIDPS-logs"
  }
}

filter {
  if [type] == "SuricataIDPS-logs" {
    date {
      # use Suricata's own timestamp as @timestamp, not the time Logstash read the line
      match => [ "timestamp", "ISO8601" ]
    }
  }

  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"   # path to the extracted GeoLiteCity.dat
      # two add_fields on the same key build a [longitude, latitude] array (GeoJSON order, longitude first)
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]   # the map widget needs numbers, not strings
    }
  }
}

output {
  elasticsearch {
    host => localhost   # Elasticsearch node on this host
  }
}
In the geoip filter, replace the database path with the location of the GeoLiteCity.dat you extracted earlier.
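The filter block above is easiest to understand by running its logic over a few EVE records. The Python script below is an added illustration, not code from this post, Suricata or Logstash: it parses constructed eve.json lines, skips a deliberately truncated record of the kind the file input can see while Suricata is still writing, applies the same steps as the filter (type tag, ISO8601 timestamp parsing, geoip enrichment with a [longitude, latitude] float array), and tallies events by type and alerts by severity as a starting point for deciding which events are worth keeping. GEOIP_TABLE is a constructed stand-in for the GeoLiteCity.dat lookup, and every address and signature in the sample is made up.

```python
# Offline walk-through of the Logstash filter stage on constructed Suricata
# EVE records. Added illustration; not code from the post, Suricata or Logstash.
import json
from datetime import datetime

# Constructed eve.json content: one JSON object per line, in the shape Suricata's
# eve-log writes. The final line is deliberately cut off, as the file input can
# see when it tails a record Suricata has not finished writing.
SAMPLE_EVE = """\
{"timestamp":"2014-06-01T10:15:30.123456+0800","event_type":"alert","src_ip":"203.0.113.5","src_port":44123,"dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"CONSTRUCTED ssh scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2014-06-01T10:15:31.000000+0800","event_type":"http","src_ip":"192.168.1.10","src_port":51000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2014-06-01T10:15:32.500000+0800","event_type":"dns","src_ip":"192.168.1.10","src_port":53211,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2014-06-01T10:15:33.000000+0800","event_type":"alert","src_ip":"198.51.100.9","src_port":4444,"dest_ip":"192.168.1.10","dest_port":445,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"CONSTRUCTED smb probe","category":"Misc activity","severity":3}}
{"timestamp":"2014-06-01T10:15:34.000000+0800","event_type":"tls","src_ip":"192.16"""

# Constructed stand-in for the GeoLiteCity.dat lookup; private addresses
# return nothing, as with the real database.
GEOIP_TABLE = {
    "203.0.113.5": {"country_code2": "XA", "longitude": 121.0, "latitude": 14.6},
    "198.51.100.9": {"country_code2": "XB", "longitude": -0.1, "latitude": 51.5},
}


def parse_eve(text):
    """Parse eve.json content into (events, skipped). Suricata writes one JSON
    object per line, so a line that fails to decode is a partial record and
    is skipped instead of aborting the whole batch."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:          # json.JSONDecodeError is a ValueError
            skipped += 1
    return events, skipped


def enrich(event):
    """Same steps as the Logstash filter: tag the type, parse the ISO8601
    timestamp (Suricata emits a +0800-style offset, hence %z), and attach
    geoip data with a [longitude, latitude] float array for src_ip."""
    out = dict(event)
    out["type"] = "SuricataIDPS-logs"
    out["@timestamp"] = datetime.strptime(out["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    geo = GEOIP_TABLE.get(out.get("src_ip"))
    if geo:
        geo = dict(geo)
        geo["coordinates"] = [float(geo["longitude"]), float(geo["latitude"])]
        out["geoip"] = geo
    return out


def summarize(events):
    """Counts per event_type plus alerts per severity: the first numbers to
    look at when tuning which events are worth shipping to Elasticsearch."""
    by_type, by_severity = {}, {}
    for ev in events:
        t = ev.get("event_type", "unknown")
        by_type[t] = by_type.get(t, 0) + 1
        if t == "alert":
            sev = ev["alert"].get("severity")
            by_severity[sev] = by_severity.get(sev, 0) + 1
    return {"by_type": by_type, "alerts_by_severity": by_severity}


def process(text):
    """Full pipeline: parse, enrich, summarize. Returns (events, skipped, summary)."""
    events, skipped = parse_eve(text)
    enriched = [enrich(e) for e in events]
    return enriched, skipped, summarize(enriched)


if __name__ == "__main__":
    events, skipped, summary = process(SAMPLE_EVE)
    print(summary, "skipped partial lines:", skipped)
    for ev in events:
        print(ev["@timestamp"].isoformat(), ev["event_type"], ev.get("geoip", {}).get("coordinates"))
```

The skipped-line count is worth watching in a real deployment: a steady trickle of partial records is normal, but a high count usually means something other than Suricata is writing to the same file or the file is being rotated underneath Logstash.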

Configure Suricata

Edit your suricata.yaml so that Suricata writes events as JSON (the eve-log output):
# "United" event log in JSON format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata" 
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: yes   # force logging magic on all logged files
            force-md5: yes     # force logging of md5 checksums
        #- drop
        - ssh


Run

I like Logstash to run in its own terminal, since then logs and other information are visible immediately.
This is done by running the following (sudo is needed so Logstash can read /var/log/suricata/eve.json, which is typically readable only by root; the trailing -- web also starts the bundled Kibana web interface):
$cd [Logstash Directory]
$sudo java -jar logstash-1.3.3-flatjar.jar agent -f /etc/init/logstash.conf -- web

Below is what you should see when Logstash runs successfully.


Access

You can access the Logstash web interface (Kibana) from any browser at
http://localhost:9292

What's next?

Now that you have Suricata with Logstash running on your system, the next part is fine-tuning so that you see only the important events.

Aside from that, we will create our own dashboard in Logstash, since the default one included is just a plain log viewer.

If you really plan to use this on your enterprise network, I suggest you include the Emerging Threats rules so that you have more signature coverage.

For the latest instructions on using Logstash with Suricata, you can always visit this link: Suricata Official Site