Integrating Cloud SWG Hosted Reporting with Edge SWG
Article ID: 388436

Products: ProxySG Software - SGOS, Reporter, Cloud Secure Web Gateway - Cloud SWG, Cloud Reporting for On-Prem

Issue/Introduction

How to configure an Edge SWG (ProxySG) appliance to upload its access logs directly to the Cloud SWG Hosted Reporting service over SCP.

Environment

Sending ProxySG appliance access logs to Cloud Secure Web Gateway requires secure copy (SCP) with SSH key authentication; the appliance does not authenticate with a password. You must create and download the client private key in the Cloud SWG portal, install it on the appliance, and use it to copy the logs to the service. Treat the downloaded key file as a credential: whoever holds it can upload log data into your tenant's reporting.

Resolution

During the initial setup wizard of the WSS add-on Hosted Reporting, download the client private key. If needed, the key can be regenerated by logging into the Cloud Secure Web Gateway portal (https://cloudswg.symantec.com/), going to "Account Configuration -> Hosted Reporting" and clicking the "Recreate and Download SCP Key" button. A regenerated key must be installed on every appliance that uploads to the service.


In the Edge SWG, set the upload client of the relevant access log (for example "main") to SCP and enter the server details provided by Cloud SWG Hosted Reporting during setup (the upload host is specific to your tenant; upload-us1.threatpulse.com is used as the example throughout this article).

  • Set SGOS to produce the access log file in "gzip" format; a successful upload then shows a remote filename ending in .log.gz in the event log.


SSH to the Edge SWG and set the SCP client of that access log (example "main") to authenticate with the RSA client key instead of a password:

  • EdgeSWG#(config)access-log
    EdgeSWG#(config access-log)edit log main
    EdgeSWG#(config log main)scp-client authentication client-key


All ciphers, HMACs, and known hosts that the Edge SWG stores for outbound SSH connections are available for selection and review in the Management Console ("Configuration > Authentication > SSH Outbound Connections"). Add the Hosted Reporting upload host there before the first upload, and verify the host key fingerprint against a value obtained out-of-band rather than accepting whatever key is first seen, example:

  • Click the "Known Hosts -> Add host" button and insert the Cloud SWG Hosted Reporting upload host the appliance connects to. Example: key-type ssh-rsa, host "upload-us1.threatpulse.com", port 22.


In the Edge SWG CLI, install the client private key downloaded from the portal by pasting it inline between the "inline rsa" command and your chosen end-of-input marker. The "view" command afterwards only displays the public key derived from it, never the private key:
  • EdgeSWG#(config)ssh-client
    EdgeSWG#(config ssh-client)client-keys
    EdgeSWG#(config ssh-client client-keys)view
    % No keys defined

    EdgeSWG#(config ssh-client client-keys)# inline rsa my_eof_marker
    -----BEGIN RSA PRIVATE KEY-----
    MIIJJwIBAAKCAgEAqekg236CruqwnA/PFeQ6732gEsyPNDRx2MqytA7XT/+4yMQz
    ...
    ISsH+c2stDoGNSQjqydabj9ypHdadvryswplwNdUT2/MJt0/h1R+7Eik5g==
    -----END RSA PRIVATE KEY-----
    my_eof_marker
       ok

    EdgeSWG#(config ssh-client client-keys)view
    RSA public key:
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCp6SDbfoK ...

Test the upload of that access log from the Edge SWG Management Console under "Administration -> Logging -> Access Logging", "Logs -> (example) main", by clicking either "Test Upload" or "Upload Now". Then check the SGOS event log: a successful run shows SSH authentication to the upload host followed by "Upload completed successfully" and the remote filename, for example:

  • XXXX-02-19 11:35:40-00:00UTC  "Access Log (main):Test Upload: User test upload request in process. Released client to perform a test upload."  0 E0000:96  alog_facility_impl.cpp:3927
    XXXX-02-19 11:35:40-00:00UTC  "Config admin at 10.0.200.2 'admin', starting a test access log upload per user request for log main"  0 140002:7D  cli_parse.hpp:316
    XXXX-02-19 11:35:41-00:00UTC  "SSH: Authenticated to upload-us1.threatpulse.com ([##.###.##.##]:22)."  0 45000C:96  sgos_log.cpp:150
    ...
  • XXXX-02-19 11:43:26-00:00UTC  "SSH: Authenticated to upload-us1.threatpulse.com ([##.###.##.##]:22)."  0 45000C:96  sgos_log.cpp:150
    XXXX-02-19 11:43:35-00:00UTC  "Access Log (main): Upload completed successfully.  Maximum bandwidth used was 1.00 KB/sec."  0 E0009:96  alog_manager.cpp:1302
    XXXX-02-19 11:43:35-00:00UTC  "Access Log (main): Last remote filename: SG_main__800217114325.log.gz size: 698 bytes"  0 E0009:96  alog_manager.cpp:1309
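When the upload is scheduled rather than triggered by hand, the event log is what tells you whether it actually succeeded. The following is an added example, my own code and not Broadcom's or part of this article: it parses event log lines in the layout shown above (timestamp, quoted message, number, event ID, source file) and reports, for a given access log, whether an SSH authentication to the expected upload host was followed by a completed upload and a remote filename. The sample input reuses the article's lines with their placeholder dates and masked IP; the second, shorter sample is constructed to show the failure path.

```python
"""Confirm a Hosted Reporting upload from SGOS event log lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Field layout taken from the article's event log excerpt:
#   <date> <time-zone>  "<message>"  <number> <event-id>  <source-file>
EVENT_RE = re.compile(
    r'^(?P<ts>\S+\s+\S+)\s+"(?P<msg>[^"]*)"\s+(?P<num>\d+)\s+'
    r'(?P<eid>[0-9A-Fa-f]+:[0-9A-Fa-f]+)\s+(?P<src>\S+)\s*$'
)
AUTH_RE = re.compile(r'^SSH: Authenticated to (?P<host>\S+) \(\[(?P<ip>[^\]]*)\]:(?P<port>\d+)\)\.$')
ALOG_RE = re.compile(r'^Access Log \((?P<log>[^)]+)\):\s*(?P<rest>.*)$')
FILE_RE = re.compile(r'Last remote filename: (?P<name>\S+) size: (?P<size>\d+) bytes')


@dataclass
class Event:
    ts: str
    msg: str
    event_id: str
    source: str


@dataclass
class UploadStatus:
    log_name: str
    authenticated_host: Optional[str] = None
    completed: bool = False
    remote_file: Optional[str] = None
    size_bytes: Optional[int] = None
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.completed and self.remote_file is not None and not self.problems


def parse_event_log(text: str) -> List[Event]:
    """Parse lines matching the SGOS event log layout; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["msg"], m["eid"], m["src"]))
    return events


def upload_status(events: List[Event], log_name: str = "main",
                  expected_host: Optional[str] = None) -> UploadStatus:
    """Walk the events in order and build the upload outcome for one access log."""
    st = UploadStatus(log_name)
    for ev in events:
        a = AUTH_RE.match(ev.msg)
        if a:
            st.authenticated_host = a["host"]
            if expected_host and a["host"] != expected_host:
                st.problems.append(f"authenticated to unexpected host {a['host']}")
            continue
        g = ALOG_RE.match(ev.msg)
        if not g or g["log"] != log_name:
            continue
        rest = g["rest"]
        if rest.startswith("Upload completed successfully"):
            if st.authenticated_host is None:
                st.problems.append("upload completed without a preceding SSH authentication record")
            st.completed = True
        f = FILE_RE.search(rest)
        if f:
            st.remote_file = f["name"]
            st.size_bytes = int(f["size"])
    if not st.completed:
        st.problems.append(f"no 'Upload completed successfully' record for log {log_name}")
    return st


# Sample 1: the article's successful upload (placeholder year, masked IP).
SAMPLE_SUCCESS = '''
XXXX-02-19 11:43:26-00:00UTC  "SSH: Authenticated to upload-us1.threatpulse.com ([##.###.##.##]:22)."  0 45000C:96  sgos_log.cpp:150
XXXX-02-19 11:43:35-00:00UTC  "Access Log (main): Upload completed successfully.  Maximum bandwidth used was 1.00 KB/sec."  0 E0009:96  alog_manager.cpp:1302
XXXX-02-19 11:43:35-00:00UTC  "Access Log (main): Last remote filename: SG_main__800217114325.log.gz size: 698 bytes"  0 E0009:96  alog_manager.cpp:1309
'''

# Sample 2 (constructed): authentication happened but no completion record followed.
SAMPLE_AUTH_ONLY = '''
XXXX-02-19 11:35:41-00:00UTC  "SSH: Authenticated to upload-us1.threatpulse.com ([##.###.##.##]:22)."  0 45000C:96  sgos_log.cpp:150
'''

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_AUTH_ONLY):
        print(upload_status(parse_event_log(sample), "main", "upload-us1.threatpulse.com"))
```

Passing `expected_host` catches the case where the appliance authenticated somewhere other than the tenant's assigned upload host, which a plain "Upload completed" check would miss.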

Finally, check in the Cloud SWG tenant Reports that the access log records forwarded by the on-premises Edge SWG are present. It can take 5-10 minutes for the uploaded data to be processed and displayed.