FTP access log not logging

Article ID: 269338

Products

ProxySG Software - SGOS

Issue/Introduction

Problem Statement:

We tried configuring access logs for our FTP proxy service. We tried having a dedicated policy layer for FTP access, and there we set it to enable logging to our main SIEM log target for any connections via the FTP proxy service on port 21. We have a similar setup for our SOCKS proxy service and for our HTTP proxy service, which works well with the main SIEM log target we have configured. However, the FTP proxy log setting does not seem to work. We would like to enable FTP proxy access logging to SIEM.

Please note that access logging on ProxySG is a global function and works for all implemented proxy engines, be it HTTP(S), SOCKS or FTP. The information written to the access logs depends on which log fields are available in the log format in use, and the log formats are determined by design.

Environment

Release : 7.3.14.1

Resolution

With FTP Proxy, we have only the following policy applications:

ftp.method=

Example

Deny FTP uploads for the specified users/groups.

Usage:

<Proxy>
   realm=LDAP user="CN=Users1,CN=Users2,dc=test,dc=local1,dc=local2" ftp.method=(STOR,STOU) deny


ftp.match_client_data_ip(yes|no)

where:

  • yes: Make the data connection using the control connection's IP address.
  • no: Make the data connection using the local physical IP address.

Example

Make the data connection using the control connection's IP address. 

Usage:

<Proxy>
   ftp.match_client_data_ip(yes)


ftp.match_server_data_ip(yes|no)

where:

  • yes: Make the data connection using the control connection's IP address.
  • no: Make the data connection using the local physical IP address. 

Example

Make the data connection using the control connection's IP address.

<Proxy>
     ftp.match_server_data_ip(yes)


ftp.server_connection(deferred|immediate)

The default value is immediate.

Determines when the control connection to the server is established. If set to deferred, the proxy defers establishing the control connection to the server until it is needed.


ftp.server_data(auto|active|passive)

where:

  • auto: First attempt a passive (PASV for IPv4, EPSV for IPv6) data connection. If this fails, switch to active (PORT for IPv4, EPRT for IPv6).
  • active: Use an active data connection.
  • passive: Use a passive data connection. Note that passive data connections are not allowed by some firewalls.

Layers: <Forward>


response.icap_service.force_rescan(yes|no)

where:

  • yes : ICAP service scans cached objects every time they are requested.
  • no: (Default behavior) ICAP service rescans cached objects only when the ICAP server's ISTAG has changed since the last scan.

Example

Rewrite ICAP headers, substituting 'test' headers with 'substitution' headers.

define action custom_ICAP_headers
  set(icap_respmod.request.x_header.test1, "substitution1")
  set(icap_respmod.request.x_header.test2, "substitution2")
end

; force ICAP service to rescan headers

<Proxy>
   response.icap_service.force_rescan(yes)


Note: There is no documented policy that would specifically log FTP proxy sessions/transactions to an external syslog server (SIEM).

So there is only one recommended way to enable access logging, and one way to implement log forwarding from ProxySG to an external syslog server such as a SIEM solution, regardless of which proxy engine is in use (HTTP(S)/SOCKS/FTP). Please see the technical documentation at the URLs below for reference.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/enabling-or-disabling-access-logging.html 

https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html 

Now, with FTP, you will need to ensure that the "s-source-port" log field is part of the log format used. This field represents the source port of the ProxySG appliance when it attempts to access a remote site or URL. Note: This field is available for the HTTP, HTTPS and FTP proxies.

Ref.: https://knowledge.broadcom.com/external/article/240610/proxysg-access-log-fields.html 

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/LogFieldsSubs.pdf 

Important:

With HTTP and SOCKS, these fields log information such as details from request lines, request headers and bodies, status lines, and policy-determined quota details. Refer to pages 96 to 102 in the resource document at the URL below.

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/LogFieldsSubs.pdf

For the log fields specific to SOCKS, please refer to the list below.

  • s-connect-type
  • x-cs-socks-ip
  • x-cs-socks-port
  • x-cs-socksmethod
  • x-cs-socksversion
  • x-cs-sockscompression
  • x-sr-sockscompression

For the FTP proxy, only the "s-source-port" field is logged. So, in the access logs, the only FTP-proxy-specific information you will see is the source port used by the ProxySG appliance when accessing the remote site.
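On the collector side, the two checks a practitioner wants are "does the log format declare s-source-port?" and "what does an FTP transaction look like once it reaches the SIEM?". The following is an added example, not code from this article or from Broadcom. It assumes the access log is written in ELFF (the W3C extended log format ProxySG uses, with a "#Fields:" directive naming the columns and "-" marking an empty value); the log lines, field list and the idea that an FTP entry shows only s-source-port alongside "-" in the HTTP-specific columns are constructed from the article's description, not captured from an appliance.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample log: a short custom ELFF format that includes
# s-source-port, followed by one HTTP transaction and one FTP transaction
# in which only s-source-port is populated (as the article describes for
# the FTP proxy). All values are made up for illustration.
SAMPLE_LOG = """#Software: SGOS (constructed sample)
#Version: 1.0
#Fields: date time c-ip s-action cs-method cs-uri-scheme cs-host s-source-port
2024-01-15 10:00:01 10.0.0.5 TCP_NC_MISS GET http example.test 41234
2024-01-15 10:00:07 10.0.0.5 - - - - 51122
"""

# The field the article says must be present in the format for FTP.
REQUIRED_FOR_FTP = ["s-source-port"]


def fields_of(text: str) -> List[str]:
    """Return the column names declared by the last #Fields: directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
    return fields


def missing_fields(fields: List[str], required=REQUIRED_FOR_FTP) -> List[str]:
    """List the required fields absent from a declared format (empty = OK)."""
    return [f for f in required if f not in fields]


def parse_elff(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse ELFF entries into dicts keyed by field name; '-' becomes None.

    Directive lines (#...) are not entries; #Fields: (re)defines the columns.
    shlex.split keeps double-quoted values that contain spaces together.
    """
    fields: List[str] = []
    entries: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log entry appears before any #Fields: directive")
        values = shlex.split(line)
        if len(values) != len(fields):
            raise ValueError(
                f"expected {len(fields)} columns, got {len(values)}: {line!r}"
            )
        entries.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return entries


def ftp_like_entries(entries: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    """Entries that carry s-source-port but none of the HTTP request fields.

    Assumption taken from the article: an FTP proxy transaction populates
    s-source-port only, so the HTTP-specific columns are written as '-'.
    """
    http_cols = ("cs-method", "cs-uri-scheme", "cs-host")
    return [
        e for e in entries
        if e.get("s-source-port") is not None
        and all(e.get(c) is None for c in http_cols)
    ]


if __name__ == "__main__":
    fmt = fields_of(SAMPLE_LOG)
    print("missing for FTP:", missing_fields(fmt) or "none")
    for entry in ftp_like_entries(parse_elff(SAMPLE_LOG)):
        print("FTP-like entry, appliance source port:", entry["s-source-port"])
```

Run the check against the "#Fields:" line of the log your appliance actually produces before relying on it: if missing_fields() reports s-source-port, the format, not the policy, is what needs changing, which is the article's point.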

In closing, please note that access logging on ProxySG is a global function and works for all implemented proxy engines, be it HTTP(S), SOCKS or FTP. The information written to the access logs depends on which log fields are available in the log format in use, and the log formats are determined by design.