Date published: 2020-07-30, Version: 1.0

User Guide

1 Docker Installation

  • docker pull synapsa/platform:latest
  • docker network create --driver bridge synapsanetwork
  • docker run --name synapsaredis --network=synapsanetwork -p 6379:6379 -d --restart always redis
  • docker run --name synapsaweb --network=synapsanetwork --dns=8.8.8.8 --cap-add=NET_ADMIN -e PARTNER=dockertest -p 514:514/udp -p 514:514/tcp -p 80:80 -p 443:443 -p 3306:3306 -d --restart always synapsa/platform:latest

Replace the PARTNER value (dockertest above) with your own Partner name.

If you are not sure, see our Docker install guide.


2 Default Login

By default there is a user "admin" with the password "synapsa" which has super-user privileges. Please change the default password after the first login to the system. We also encourage you to create multiple users with role-defined privileges.


3 Dashboard

[Screenshot: Dashboard]

The dashboard is made up of widgets showing data and charts about various categories.

3.1 Dashboard widgets

  • Active Rules - Displays the number of active SYNAPSA rules, meaning the rules which have “Active rule” ticked in the rule configuration.
  • Received Logs - Displays the total number of received logs, before they are parsed into threats.
  • Total Disk Size (Total File Size) - Shows total and free disk space. You can free up space by deleting old events and logs.
  • Most Reported Sources - Displays the top 15 reported source IP addresses in the received Threats, sorted by the most reported. Clicking on a public IP address opens a new window to check the IP in the VirusTotal database.
  • Most Reported Destinations - Displays the top 15 reported destination IP addresses in the received Threats, sorted by the most reported. Clicking on a public IP address opens a new window to check the IP in the VirusTotal database.
  • Security policies - Shows the current number of active security policies and how many were revoked and rejected.
  • Threats - Displays graphs showing the ratio of received Threats from miners.
  • Timeline chart - Displays the timeline of API events and received Threats.
  • Miner logs - Displays the log rate per miner. You can enable/disable a specific miner by clicking on its name.

3.2 Dashboard customization

You can select which widgets to keep on your dashboard in the widgets filter.

It might be necessary to have more dashboards with a specific set of widgets. Create new dashboard or edit your dashboards by using the buttons “New dashboard” and “Edit dashboards”.

3.3 Dashboard controls

There are 3 additional controls in the widgets:

[Icon: move]

This icon takes the chart into a separate large window.

[Icon: time]

This icon gives you a dropdown menu to select the data range, e.g. the last 24 hours, last month, etc.

[Icon: chart]

This icon hides the chart and keeps only the data.


4 Awaiting approval

[Screenshot: Awaiting Approval]

This section shows all events processed by existing Rules of type On-Approval. Click on a prepared event to either allow or reject it for processing. Output from the event will be stored in the API call logs.

4.1 Security Policy

Under this section you see the security policies deployed by SYNAPSA on the firewalls, based on user-defined rules.

  • Active - (green) - security policy is deployed and active on the firewall
  • Not active - (red) - security policy is not active on the firewall anymore, probably deleted or disabled by device administrator.

By clicking on a security policy you see the complete API call log showing how the policy was deployed.

  • Revoke - will delete the policy from the firewall
  • Revoke & Commit - will delete the policy and commit configuration, if vendor supports config commits

4.2 Data feeds

[Screenshot: Data Feeds]

Data Feeds are lists of IP addresses, Domains or URLs which are filled according to configured Rules. Each rule can either do API calls or fill Data Feeds or do both actions.

  • Title - name of the list
  • Lifetime - lifetime of a record, which starts counting when the record is added to the list. If another event adds the same record to the same list, the lifetime restarts. If no event adds the same record again, the record disappears from the list when its lifetime is reached
  • Count - showing how many records are active in the list

5 Events

The Events page contains three sections:

  • Auditor alert
  • API calls
  • Syslog

5.1 Auditor alert

5.1.1 Ruleset

Shows active and confirmed alerts generated by Auditor rules of type Ruleset. Each event shows the name of the rule generating the alert and all the devices with a faulty configuration. The number at the end of the line is the number of matching security policies.

By clicking on the Firewall, you will see the exact violating security policies found by auditor rule.

[Screenshot: Ruleset]
[Screenshot: Confirmed]
[Screenshot: Fixed]
[Screenshot: Active FIX]

5.1.2 CVE

Shows active and confirmed alerts generated by Auditor rules of type CVE. By clicking on a specific alert, you can confirm it and move it to Confirmed.

Each CVE has a complete description, solution and mitigation steps, which come directly from the vendor's CVE feed.

[Screenshot: Active]
[Screenshot: Confirmed]

5.2 API calls

  • Successful - Logs of the security policies successfully created on the firewalls based on the configured SYNAPSA rules. An API call is considered successful if the API code and response message match the values configured for the call in SYSTEM->API.
  • Unsuccessful - Logs of API calls which returned a different value than expected. The whole call sequence is considered unsuccessful if at least one of the calls has an unexpected response.
  • Rejected - Logs of the prepared security policies which were rejected manually by a SYNAPSA operator. This only applies to rules of type “On Approval”.
  • Revoked Policy - Logs of the successfully created security policies which were later revoked by a SYNAPSA operator. This applies to both rule types, “Automatic” and “On Approval”.

[Screenshot: Successful]
[Screenshot: Rejected]
[Screenshot: Revoked policy]

5.3 Syslog

  • Threat - A subset of all logs received from miners, showing only the Threats. Syslog from a miner is parsed by the selected parser and then filtered by the pre-defined threats which you want to accept from that miner. This table shows all the threats from all the configured miners.
  • System Logs - Logs generated by SYNAPSA for internal events like login, configuration edit, firewall connection lost, etc.
  • All Syslog - Displays all the syslog received from the miners, before it is parsed and turned into threats. This table is regularly cleared by the task “Delete Syslog Events”, in order to delete redundant logs which do not carry any threat.

[Screenshot: Threat]
[Screenshot: System Logs]
[Screenshot: All Syslog]

6 Security policy

This page shows all deployed security policies. You can switch the toggle button to show only Active Firewall policies, or delete the inactive ones. The calls can be revoked by clicking on an active security policy.

[Screenshot: Security policy]
[Screenshot: Security policy detail]

7 Data Feeds

Data Feeds are lists of IP addresses, Domains or URLs which are filled according to configured Rules. Each rule can either do API calls, fill Data Feeds, or do both.

  • Title – name of the list
  • Lifetime – lifetime of a record, which starts counting when the record is added to the list. If another event adds the same record to the same list, the lifetime restarts. If no event adds the same record again, the record disappears from the list when its lifetime is reached
  • Count – shows how many records are active in the list

The Data Feeds page contains three main parts:

  • Address Lists
  • Domain Lists
  • URL Lists

7.1 Address Lists

Lists of this type can only contain a valid IP address or subnet.

Add a Custom List

  • Title - name of the list
  • Lifetime - lifetime of a newly added record in hours. If the same IP address is added again, the timer refreshes to its original value. If you want to keep records forever, or delete them only manually, use "0" to disable the lifetime
  • Allow - configure, which addresses are allowed to be added into the list. You can allow only Private, Public or a specific subnet.
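To make the lifetime and Allow semantics above concrete, here is a small model of an address list, added here as an example and not SYNAPSA's own code. It assumes (my assumptions, not the guide's) a list keyed by address or subnet, a clock passed in as hours so expiry can be followed by hand, and an Allow setting of "private", "public" or an explicit subnet evaluated with Python's ipaddress module; all addresses in the demo are constructed. A lifetime of 0 keeps records until deleted manually, and re-adding a record restarts its timer, which is the refresh behaviour a firewall pulling the list as an External Dynamic List will see.

```python
"""Model of an address-list data feed with lifetime and Allow filter.

Added example, not product code. Assumptions: records are keyed by the
normalised address/subnet string, time is passed in as hours, and Allow is
one of "private", "public" or a CIDR string.
"""
import ipaddress
from typing import Dict, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class AddressList:
    def __init__(self, title: str, lifetime_hours: float, allow: str = "public"):
        self.title = title
        self.lifetime_hours = lifetime_hours            # 0 disables expiry
        self.allow = allow                              # "private", "public" or a CIDR
        self._records: Dict[str, Optional[float]] = {}  # key -> expiry hour, None = never

    @staticmethod
    def _parse(value: str) -> Network:
        # strict=False accepts a host address with a prefix (10.0.0.5/24) as its subnet
        return ipaddress.ip_network(value, strict=False)

    def _allowed(self, net: Network) -> bool:
        # Note: Python treats IANA special-purpose ranges (incl. documentation
        # nets such as 203.0.113.0/24) as private, so "public" rejects them.
        if self.allow == "private":
            return net.is_private
        if self.allow == "public":
            return net.is_global
        allowed = self._parse(self.allow)
        return net.version == allowed.version and net.subnet_of(allowed)

    @staticmethod
    def _key(net: Network) -> str:
        # Single hosts are stored without a prefix, as an EDL consumer expects
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

    def add(self, value: str, now_hours: float) -> bool:
        """Add or refresh a record; False if the value is invalid or not allowed."""
        try:
            net = self._parse(value)
        except ValueError:
            return False                                # not an IP address or subnet
        if not self._allowed(net):
            return False
        # Re-adding restarts the lifetime; lifetime 0 means keep until deleted
        expiry = None if self.lifetime_hours == 0 else now_hours + self.lifetime_hours
        self._records[self._key(net)] = expiry
        return True

    def expire(self, now_hours: float) -> int:
        """Drop records whose lifetime has been reached; returns how many were dropped."""
        stale = [k for k, exp in self._records.items() if exp is not None and exp <= now_hours]
        for k in stale:
            del self._records[k]
        return len(stale)

    def count(self) -> int:
        return len(self._records)

    def feed(self) -> str:
        """Feed body as served at the FEED URL: one entry per line."""
        return "\n".join(sorted(self._records))


def demo() -> dict:
    """Walk through the behaviours described in the guide with constructed addresses."""
    results = {}
    public = AddressList("external-sources", lifetime_hours=2, allow="public")
    results["public_rejects_private"] = public.add("10.0.0.5", now_hours=0)   # False
    results["garbage_rejected"] = public.add("not-an-ip", now_hours=0)         # False

    internal = AddressList("internal-sources", lifetime_hours=2, allow="private")
    results["private_ok"] = internal.add("10.0.0.5", now_hours=0)              # True
    internal.add("192.168.10.0/24", now_hours=1)
    internal.add("10.0.0.5", now_hours=1.5)         # seen again: its lifetime restarts
    results["expired_at_2"] = internal.expire(now_hours=2)   # 10.0.0.5 now expires at 3.5
    results["expired_at_3"] = internal.expire(now_hours=3)   # 192.168.10.0/24 expires at 3
    results["count"] = internal.count()
    results["feed"] = internal.feed()

    perm = AddressList("documentation-net", lifetime_hours=0, allow="203.0.113.0/24")
    perm.add("203.0.113.7", now_hours=0)
    results["subnet_rejects_outside"] = perm.add("198.51.100.9", now_hours=0)  # False
    perm.expire(now_hours=10_000)                    # lifetime 0: nothing ever expires
    results["permanent_count"] = perm.count()
    return results


if __name__ == "__main__":
    print(demo())
```

The demo refreshes 10.0.0.5 at hour 1.5, so the hour-2 sweep drops nothing and the hour-3 sweep drops only the subnet added at hour 1; the third list shows that a lifetime of 0 is never swept and that an explicit subnet Allow rejects addresses outside it.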
[Screenshot: Address list - custom]

If you click on a record in the list, you can modify or delete a specific record.

  • ADD SOURCE IP - add a new record to the list
  • FEED URL - shows the list's publicly accessible URL, which you can use as a source for External Dynamic Lists in your firewall objects

[Screenshot: Custom address list detail - Destination]
[Screenshot: Custom address list detail - Source]

7.1.1 Predefined

The SYNAPSA system has built-in URL lists, which are automatically updated. You cannot modify these lists, but you can use them the same way as user-defined lists.

Pre-defined lists have no lifetime on their records; the whole list is refreshed by a system task.

[Screenshot: Address list - predefined]

7.2 Domain Lists

Domain lists can only contain a valid domain name. All the same rules apply as for Address lists. You can create your own lists, which will be used as External Dynamic Lists by the devices loading the records into their own configuration.

7.3 URL Lists

URL lists can only contain a valid domain name. All the same rules apply as for Address lists. You can create your own lists, which will be used as External Dynamic Lists by the devices loading the records into their own configuration.


8 Toolbox

8.1 Policy tester

Allows you to test what security policy will match the connection with specific parameters. Select a firewall you want to send the test request to and fill out all the required fields.

[Screenshot: Policy tester]

8.2 Threat tester

Allows you to simulate an event exactly as it would be sent from a specific miner. The event will be stored in the database and processed exactly the same way as a real event. Please use it with caution!

[Screenshot: Threat tester]

9 Rules

[Screenshot: Rules]

In this section we create SYNAPSA rules, which transform the events received from miners into actions.

Note: every rule is processed separately. There is no first-match-only behaviour; every event is processed by all the rules.

Note: If a user intends to remove an existing on-approval rule and if there are on-approval API calls which have not yet been approved, such API calls will be removed as well.

9.1 Specific settings of the rules

[Screenshot: Specific settings of rules (1)]
[Screenshot: Specific settings of rules (2)]
[Screenshot: Specific settings of rules (3)]

9.2 Adding a new Rule

  • Name - Name of the rule
  • Miner - Select the miner which will trigger the rule
  • Mode - On Approval: actions will be prepared, but not executed until an operator manually approves or rejects them. Automatic: all the actions configured in the rule will be executed automatically, and system and API call logs will be stored in the appropriate tables.
  • Description - Rule description
  • Status - Tick to make this rule active
  • Address lists - When selected, SYNAPSA will fill Data Feeds. You can have a rule which only fills the data feeds without any API calls.

[Screenshot: Add new rule]

9.3 Threats

Select what Threats will be processed in this rule. Threats / Tags will be populated based on the selected miner and the associated parser to the miner. You can use multiple threats in the same rule.

For Flowmon ADS you can also configure DataFeed and Perspective ID. Use "*" to disable the filter.

9.4 Selecting API calls to be performed

  • Policy Calls - Select a sequence of API calls by ticking them, specifically for the selected firewall, to be performed when the SYNAPSA policy is triggered. You can reorder the calls by dragging the arrow on the left side. The calls are performed in list order.
  • Rollback Calls - Select a sequence of API calls by ticking them, specifically for the selected firewall, to be performed as a rollback if the API calls creating a security policy are not fully successful.
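The call-sequence behaviour described here and under 5.2 (each call must return the configured code and message, one unexpected response marks the whole sequence unsuccessful, and the rollback calls then run) can be shown with a small simulation. This is an added example, not SYNAPSA's code: the call names, the expected codes and messages, and the stub firewall responses are all constructed, and the transport is a plain callable standing in for the real API client. The second scenario models the case 12.2 warns about, an API key that passes the connectivity check but lacks the permission to write a rule.

```python
"""Simulation of a policy call sequence with rollback on the first failure.

Added example, not product code. Assumptions: a call is (name, expected code,
expected message); a transport callable returns (code, message) for a name.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Transport = Callable[[str], Tuple[int, str]]


@dataclass
class ApiCall:
    name: str              # which pre-defined call to run (constructed names)
    expected_code: int     # code configured as the success value for this call
    expected_message: str  # response message configured as the success value


@dataclass
class CallLog:
    successful: bool = True
    # (call name, actual code, actual message, matched expectation)
    entries: List[Tuple[str, int, str, bool]] = field(default_factory=list)


def run_sequence(calls: List[ApiCall], transport: Transport, log: CallLog) -> bool:
    """Run calls in list order; stop at the first unexpected response."""
    for call in calls:
        code, message = transport(call.name)
        ok = code == call.expected_code and message == call.expected_message
        log.entries.append((call.name, code, message, ok))
        if not ok:
            return False
    return True


def deploy_policy(policy_calls: List[ApiCall], rollback_calls: List[ApiCall],
                  transport: Transport) -> CallLog:
    log = CallLog()
    log.successful = run_sequence(policy_calls, transport, log)
    if not log.successful:
        # A half-applied policy is recorded as unsuccessful and undone in order
        run_sequence(rollback_calls, transport, log)
    return log


def make_stub(responses: Dict[str, Tuple[int, str]]) -> Transport:
    """Constructed firewall stub: fixed response per call name."""
    def transport(name: str) -> Tuple[int, str]:
        return responses.get(name, (404, "unknown call"))
    return transport


POLICY_CALLS = [
    ApiCall("create-address-object", 200, "success"),
    ApiCall("create-security-rule", 200, "success"),
    ApiCall("commit", 200, "success"),
]
ROLLBACK_CALLS = [
    ApiCall("delete-security-rule", 200, "success"),
    ApiCall("delete-address-object", 200, "success"),
]

HEALTHY = {
    "create-address-object": (200, "success"),
    "create-security-rule": (200, "success"),
    "commit": (200, "success"),
    "delete-security-rule": (200, "success"),
    "delete-address-object": (200, "success"),
}
# Same firewall, but the API key may not write security rules
LIMITED_KEY = dict(HEALTHY, **{"create-security-rule": (403, "permission denied")})


def demo() -> Tuple[CallLog, CallLog]:
    return (deploy_policy(POLICY_CALLS, ROLLBACK_CALLS, make_stub(HEALTHY)),
            deploy_policy(POLICY_CALLS, ROLLBACK_CALLS, make_stub(LIMITED_KEY)))


def ran(log: CallLog) -> List[str]:
    """Names of the calls that were actually sent, in order."""
    return [entry[0] for entry in log.entries]


if __name__ == "__main__":
    for log in demo():
        print(log.successful, ran(log))
```

With the healthy stub all three policy calls run and the log is marked successful; with the limited key the second call returns 403, the commit is never sent, and both rollback calls run, so the address object created by the first call does not linger on the firewall.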

9.5 Resetting rules hit-counts

When a rule is triggered by matching its conditions, the rule’s counter is increased by one. The counter shows how many times the rule has been hit since the last counter reset.

Resetting counter globally for all the rules

To reset counter for every rule, click on “RESET COUNTER” at the top of the screen.

[Screenshot: Resetting counter]

Resetting rule specific counter

Open a specific rule by clicking on the “+” icon, then click the trash icon in the hit count row.

[Screenshot: Resetting counter detail]

10 Auditor

Settings of the Firewall Auditor are described in the separate guides below.

10.1 Palo Alto Networks NGFW Settings

Synapsa Firewall Auditor – Palo Alto documentation

10.2 Fortinet NGFW Settings

Synapsa Firewall Auditor – Fortinet documentation

Auditor Ruleset
[Screenshot: Auditor edit - General]
[Screenshot: Auditor edit - Ruleset]

11 Objects

11.1 Emails

[Screenshot: Emails]

A list of email addresses which can be assigned to notification profiles.

11.2 Syslog

[Screenshot: Syslog]

List of syslog servers, which can be assigned to notification profiles. You can specify a format of syslog messages sent by SYNAPSA.

  • RAW - syslog payload will be a plain text as it is logged in the local syslog events
  • JSON - syslog payload will be JSON formatted

Note: These are the servers SYNAPSA will send notifications to. It can be the same miner SYNAPSA received the syslog from; after the Threat is mitigated, SYNAPSA notifies the miner back. This is used mostly with SIEMs.

11.3 Notification profiles

In notification profile you can select existing emails and syslog server, customize the message SYNAPSA will send in the body and the Objects and Severities which will be notified. You can have as many profiles as you need.

[Screenshot: Notification profiles - General settings]
[Screenshot: Notification profiles - E-mails]
[Screenshot: Notification profiles - Syslog]
[Screenshot: Notification profiles - Data type]

11.4 Remote servers

Create remote servers to backup your data elsewhere in XML format.

[Screenshot: Remote servers]

12 Settings

12.1 Miners

A miner is a log source for the SYNAPSA system. By adding a new miner you open TCP and UDP port 514 for the IP specified as the miner IP Address. All the received logs from the miner are stored, but only processed when there is an existing Rule which uses the miner as input for further processing.

If there is no Rule to process threats reported from a specific miner, the syslog will be automatically deleted from the "All syslog" database by the automatic task which can be configured under System -> Tasks.

[Screenshot: Miners]

12.2 Firewall

The API key has to be generated beforehand, and the key needs permissions to perform all the necessary operations on the firewall.

You can only add a new firewall if the check is successful. The Check button connects to the firewall IP address and performs a simple API call. This only checks connectivity and the key; it does not check all the permissions. Make sure the API key is able to modify the configuration.

[Screenshot: Firewall]

12.3 Firewall groups

You can group the firewalls, so that the whole group can be assigned to a SYNAPSA rule for Interconnector and Auditor rules.

[Screenshot: Firewall group]

12.4 Parser

A parser is a set of regular expressions used to parse a raw syslog message into the variables used for creating a security policy. You cannot modify a built-in parser, but you can select which Threats you want to process in a Rule that uses a miner with a specific parser.

[Screenshot: Parser]
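The pipeline the guide describes in pieces, a parser of regular expressions turning a raw syslog line into variables (this section), a Rule selecting Threats from a miner (9.3), every rule evaluated independently with no first-match cut-off (the note in section 9), and a hit counter per rule (9.5), fits in one short simulation. This is an added example, not SYNAPSA's parser or rule engine: the syslog lines, the miner name "ids-1", the regex, the threat tags and the rule definitions are all constructed, and a rule's action is just a label here.

```python
"""Regex parser plus independent rule evaluation over constructed syslog.

Added example, not product code. Assumptions: a parser is an ordered list of
regexes with named groups; a rule has a miner, a set of threat tags, one
action label and an active flag.
"""
import re
from typing import Dict, List, Optional, Pattern

# Constructed parser: the first regex that matches yields the variables
PARSER: List[Pattern[str]] = [
    re.compile(r"THREAT category=(?P<threat>\w+) src=(?P<src>[\d.]+) "
               r"dst=(?P<dst>[\d.]+) sev=(?P<sev>\w+)"),
]

# Constructed rules; the third is inactive and must never fire
RULES: List[dict] = [
    {"name": "feed-suspicious", "miner": "ids-1", "threats": {"malware", "scan"},
     "action": "datafeed:suspicious-sources", "active": True},
    {"name": "block-malware", "miner": "ids-1", "threats": {"malware"},
     "action": "api:block-source", "active": True},
    {"name": "disabled-rule", "miner": "ids-1", "threats": {"scan"},
     "action": "api:block-source", "active": False},
]

# Constructed syslog as received on port 514 from miner "ids-1"
SYSLOG = [
    "<134>Jul 30 10:01:02 ids-1 sensor: THREAT category=malware src=10.1.2.3 dst=10.9.8.7 sev=high",
    "<134>Jul 30 10:01:05 ids-1 sensor: THREAT category=scan src=10.1.2.4 dst=10.9.8.7 sev=low",
    "<134>Jul 30 10:01:09 ids-1 sensor: INFO heartbeat ok",
]


def parse(line: str, parser: List[Pattern[str]] = PARSER) -> Optional[Dict[str, str]]:
    """Return the named-group variables of the first matching regex, or None."""
    for rx in parser:
        m = rx.search(line)
        if m:
            return m.groupdict()
    return None


def process(miner: str, lines: List[str], rules: List[dict] = RULES,
            parser: List[Pattern[str]] = PARSER) -> dict:
    hits = {r["name"]: 0 for r in rules}
    actions = []
    unparsed = 0          # lines that carry no threat; kept in "All syslog" until swept
    for line in lines:
        event = parse(line, parser)
        if event is None:
            unparsed += 1
            continue
        # Every rule is evaluated on its own: a match does not stop the others
        for rule in rules:
            if not rule["active"] or rule["miner"] != miner:
                continue
            if event["threat"] not in rule["threats"]:
                continue
            hits[rule["name"]] += 1
            actions.append((rule["name"], rule["action"], event["src"]))
    return {"hits": hits, "actions": actions, "unparsed": unparsed}


if __name__ == "__main__":
    print(process("ids-1", SYSLOG))
```

The malware line fires both active rules (one feed fill, one API action), the scan line fires only the feed rule, the heartbeat line matches no regex and is counted as unparsed, and the inactive rule's counter stays at zero.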

12.5 API

Under the API tab, you can see and modify all the pre-defined API calls which the SYNAPSA system uses to communicate with devices.

You can also define your own rules with specific parameters and variables. The documentation for the API calls is included in the SYNAPSA GUI.

[Screenshot: API]

13 System

13.1 Backup

  • EXPORT – export full configuration to a single backup file
  • RESTORE – restore previously backed up configuration. The restore will rewrite currently running configuration.

[Screenshot: Backup Config]
[Screenshot: Backup Full]

13.2 Logs

  • DOWNLOAD – download system logs for SYNAPSA troubleshooting purposes. The download does not contain any system events or syslog received from the miners

13.3 Tasks

SYNAPSA does multiple tasks automatically every few minutes, depending on the specific task for its internal purposes. You can manually run a specific task or change the timer to how often the task is executed in the future.

ATTENTION: DO NOT CHANGE ANY SETTING UNLESS YOU FULLY UNDERSTAND THE INTERNAL ENGINE!

13.4 User

Local users with their privileges within the SYNAPSA GUI. You can add new user or change password, role or delete existing users.

13.5 Roles

Internal user roles settings. Every user has to belong to a user role, giving him permissions. You can either add a new user role or edit pre-configured roles by clicking on its name.

Every menu element in the list has 3 levels of permission that can be given to users:

  • No permission
  • View only
  • Full

13.6 Version

Displays the SYNAPSA version and checks for available updates.

13.7 License

Displays the installed SYNAPSA license and its expiration date.

13.8 SSL

SSL settings for the SYNAPSA GUI. You can either generate a new certificate directly from the menu, or import an external certificate.

13.9 SYNAPSA

In this section you can set up the URL address SYNAPSA is running on and the mail server settings, to be used as the mail gateway.

You can also set up the Date and Time Format to be used in the whole system.