Security Reporting Center

Version: 2.1b. Last Revision: July 21, 2006

These notes are additional to the Security Reporting Center User Guide and supersede information supplied in that Guide.

Table of Contents

What's New
Upgrading Security Reporting Center
Backing Up Databases
Configuration Hints
Change History
Known Issues

What's New

For more information about additional minor features and bug fixes, see the change history.

Features New in Security Reporting Center 2.1b

Version 2.1b is a maintenance release. No new features have been included. See Change History.

Features New in Security Reporting Center 2.1a

Support for New Firewalls

With version 2.1a, Security Reporting Center adds support for:

• Checkpoint NG R55 and R60
• Cisco PIX v7.0

Added choice of graph style when exporting static reports.
 

Features New in Security Reporting Center 2.1

Reduction in Memory Usage

Customers with large installations will find that in v2.1 the Proxy Reporting module uses far less memory. This improvement in memory usage should be especially helpful to enterprises experiencing virus attacks and port scans.

Report Styles and Templates

Security Reporting Center can now match Firewall Suite's powerful report customization technology. Choose custom collections of report chapters and save them as templates, and design brand- or project-specific report styles with custom fonts, colors, backgrounds, and images.

New Report Formats

Security Reporting Center can now save or email static reports in three new formats: Microsoft Excel, Adobe PDF, and CSV.

Express Interface for Quick Report Access

A new Express interface makes report generation simple for new users. Event status panels now auto-refresh for convenient information updates. Icon legends provide a quick reference for navigating list panels.

Improved Help Usability

A new tri-pane Help system provides online access to the User Guide and Firewall Configuration Guide, plus full-text search capability, a comprehensive index, and a complete Table of Contents.

Support for New Firewalls

With version 2.1, Security Reporting Center adds support for Clavister Firewall and Neoteris IVE
 

Upgrading Security Reporting Center

To upgrade from previous versions, install the new version over an existing version. You do not need to uninstall your existing version.
 

Upgrading from SRC 2.1 or 2.1a

SRC 2.1b no longer supports SurfControl URL Categorization. Installing this version removes the SurfControl related items. No additional steps are required.

Note
Historical URL categorization data will not be deleted and can be used for reporting. New data will not have categorizations unless the custom categorization database is configured. See Help for instructions on how to configure this database.

Upgrading from SRC 2.0

To upgrade from version 2.0, first upgrade to 2.1 then upgrade the 2.1 installation to 2.1b. For detailed instructions about the upgrade to version 2.1, see the Release Notes for SRC 2.1.

Upgrading from Version 1.0b

To upgrade from version 1.0b, first upgrade to version 1.1, then to version 2.1. When you upgrade from version 1.0b to version 1.1, all FastTrends and Content databases are deleted. However, the upgrade preserves all profiles, events, users, teams, and other configuration settings.

Warning
Use the same user name and password for the database, and the same login name and password for the User Interface, when you install each version. If you use a different user name and password, the database will not be accessible.

Upgrading from earlier versions

You cannot upgrade from a version earlier than version 1.0b. If you are using an earlier version of Firewall Reporting Center, you must uninstall it before installing Security Reporting Center.
 

Backing up Databases

We recommend backing up your databases before you attempt to upgrade Security Reporting Center. Backing up the databases secures your data in case of a system failure during the upgrade. For example, if you lose power during an upgrade, the databases may be corrupted. To secure data, copy it to a directory outside the installation directory. By default, databases reside in the /common/mysql/data directory. When you restore the databases, you must install Security Reporting Center on the same computer where the databases were created.

Note
The following procedure has not been tested with versions earlier than version 1.1.

To back up databases before upgrading to version 2.1b:

1. Stop all Firewall or Security Reporting Center program services.
2. Copy the InstallDir/common/mysql/data directory to a location outside the installation directory.
3. Install the new version of Security Reporting Center.
   
   Warning
   Use the same database user name and password, and the same User Interface login name and password to install the newer version that you used to install the earlier version. If you use a new user name and password, the databases will not be accessible.

To restore the databases and upgrade to version 2.1b after a failure during upgrade:

1. Uninstall Security Reporting Center v2.1b.
2. Reinstall the earlier version (Firewall Reporting Center v1.1 or Security Reporting Center v2.x).
   
   Warning
   Use the same user name and password, and the same User Interface login name and password to install the earlier version of the program that you used to install version 2.1b. If you use a new user name and password, the databases will not be accessible.
    
3. Stop all Firewall or Security Reporting Center program services.
4. Delete the InstallDir/common/mysql/data directory.
5. Copy the saved data folder from the folder where you installed it to the InstallDir/common/mysql directory.
6. Restart the Firewall or Security Reporting Center program services.
7. Install Security Reporting Center version 2.1.
   
   Warning
   Use the same database user name and password, and the same User Interface login name and password to install version 2.1 that you used to install the earlier version. If you use a new user name and password, the databases will not be accessible.

Upgrading User-Defined Databases from v2.0a

If you are upgrading from v2.0a, and you created a Content Database in the Proxy Reporting module using any location or settings other than the defaults, you need a special script to upgrade your MySQL database.

Please see the instructions included in the Release Notes for Security Reporting Center version 2.1.
 

Configuration Hints

Configuring Distributed Installations

If you plan to install components of Security Reporting Center on multiple computers, then the Database component must be installed before all other components.

You must install the Database Server, the User Interface Server, and the Reporting agents in the same network environment. Each computer where a Security Reporting Center component is installed must be able to connect to the Database server.

For Security Reporting Center to work correctly on multiple computers, you must configure each component with the correct connection information when you install it. Install the Database server before you install any other components. When you install the Database server, you provide the host name, port number, user name, and password information for both the Database server and the User Interface server. Write this information down and provide the same information when you install components on other computers.

In mixed installations that contain both Windows and Solaris computers, only internal Marshal authentication is supported for the User Interface server. Windows Domain authentication and UNIX authentication are not supported in mixed installations.

Configuring Program Services

If you intend to use network drives to store resources such as log files, or if you have installed Security Reporting Center on multiple computers, you must manually configure Security Reporting Center services to access resources across the network. These services include the NetIQ Scheduler Agent, the NetIQ LEA Service, the NetIQ Syslog Service, and NetIQ Tomcat.

You need to configure services if you will use a network location for any of the following purposes:

• Retrieving log files
• Storing the FTP cache
• Storing uncompressed files
• Storing log files collected using Check Point with OPSEC LEA
• Storing log files collected using the NetIQ Syslog Service
• Storing static HTML or Word reports
• Storing FastTrends databases.

To ensure that product services can access network drives, first configure them to log on under an account with access rights to the drives you want to access. By default, product services are log on using the system account. To access mapped drives, you should typically configure the services to log on under a user account. This involves two steps: selecting an account to use for each service, and giving that account the appropriate rights.

To configure services:

1. Go to the Windows Control Panel and double-click Administrative Tools.
2. In the Administrative Tools window, double-click Component Services.
3. Select Services (local) in the left pane.
4. Right click NetIQ Scheduler Agent in the right pane, and select Properties.
5. Click the Log On tab.
6. Select This account and click Browse to select an account from the list.
7. Enter the password for the account, confirm it, and click OK to exit the dialog box.

To give the account necessary rights:

1. Go to the Windows Control Panel and double-click Administrative Tools.
2. Double-click Local Security Policy.
3. Under Security Settings in the left pane, expand Local Policies.
4. Double-click User Rights Assignment.
5. Double-click Act as Part of the Operating System, and make sure the account you specified earlier is listed.
6. Click Add to add the user account.
7. Repeat this step for Log on as a Service and Log on Locally.
    

Change History

The following item has been changed in SRC 2.1b.

• Removed support for SurfControl URL Categorization

The following additional items have been changed or updated in SRC 2.1a.

• The Check for updates functionality has been updated to use the marshal.com website, and is operational.
• Fixed an issue with keywords parsing while analyzing proxy logs that could cause a program fault.
• Fixed an issue that prevented recognition of a serial number during a fresh install of SRC on Windows XP SP2.
• Fixed an issue with a format change in Blue Coat Cacheflow that produced bad data in reports.
• Fixed an issue with resuming LEA connections after connection failed due to system shutdown or and network failure.
  
   

Known Issues

The following items are being researched as of the date of these Notes. If you need further assistance with any issue, please contact Technical Support (support@Marshal.com).

Data Strings Truncated After 255 Characters

When data strings are identical up to 255 characters but become unique after 255 characters, Security Reporting Center truncates them before storing them in the Content database. Under these conditions, Proxy reports may contain inaccurate counts if they use data from the following Content database tables: CorePage, Download, FileExtension, GenPage, Page, and SearchKeyword.
 

Upgrades to LEA Connections

When you upgrade to v2.1 from v2.0a or earlier, Security Reporting Center runs a script that populates the Check Point LEA Connections panel with your existing connections. If the lea.conf file created for the earlier installation does not contain the IP address of the Check Point Management Server, or if the lea.conf file uses an unfamiliar format, the upgrade substitutes a placeholder connection that does not work. Delete and recreate the connection manually to connect to the Check Point Management Server. This issue primarily affects connections for Check Point v4.x firewalls.
 

Number of Tasks Reset During Upgrade

When you upgrade to a new version, Security Reporting Center resets the number of concurrent tasks each agent can handle to the default, 2 tasks. If you used the Agent Settings panel to set the number of concurrent tasks to a value other than 2, you must set it again after you upgrade.
 

Workaround for Gauntlet Date Logging

Because the year is not logged inside a Gauntlet log file, Security Reporting Center parses the year based on the name of the file. By default, Gauntlet uses one of the following date formats to name log files:

messages.mm.dd.yyyy
messages.dd.mm.yy

• We strongly recommend that you use the default file names for your logs. If you use a file name other than the default, Security Reporting Center determines the year based on the current system date. This can lead to reporting errors.

Two MySQL Services

The current version of MySQL installs two services when you install the Security Reporting Center MySQL database on a Windows computer: the MySQL service and the NetIQ-MySQL service. Only the NetIQ-MySQL service is required to run Security Reporting Center.

• We recommend using the Services panel to set the Startup Type for the MySQL service to Disabled.

Mapped Drives Not Supported for Windows XP

If you have installed Security Reporting Center on Windows XP, and you need to specify a network drive for a log file path or a destination directory, do not use a mapped drive. Use the full UNC path to specify a network drive.
 

Cisco PIX v6.1/v6.2 DNS Port Logging Issue

Because a bug in Cisco PIX 6.1/6.2 causes it to log the DSN ID instead of the port number when logging the DNS source and destination port, Security Reporting Center sees an invalid value for the protocol and will consume large amounts of memory during log data analysis and export. To fix this problem, either upgrade to Cisco PIX v6.2.2 or use a Security Reporting Center Exclude filter to exclude traffic from your DNS servers.
 

Copyright © Marshal Limited 2006