User Guide
1 Docker Installation
- docker pull synapsa/platform:latest
- docker network create --driver bridge synapsanetwork
- docker run --name synapsaredis --network=synapsanetwork -p 6379:6379 -d --restart always redis
- docker run --name synapsaweb --network=synapsanetwork --dns=8.8.8.8 --cap-add=NET_ADMIN -e PARTNER=dockertest -p 514:514/udp -p 514:514/tcp -p 80:80 -p 443:443 -p 3306:3306 -d --restart always synapsa/platform:latest
Please specify your own Partner name.
In case you are not sure try our Install guide for docker.
2 Default Login
By default there is user "admin" with password "synapsa" which has super-user privileges. Please change the default password after the first login to the system. We also encourage you to create multiple users with role defined privileges.
3 Dashboard
It’s full of widgets showing you data and charts about various categories.
3.1 Dashboard widgets
| Active Rules | Display the number of active SYNAPSA rules, meaning the rules which have ticked “Active rule” in the rule configuration |
| Received Logs | Displays the number of received logs in total, before parsing them to threats |
| Total Disk Size (Total File Size) | Showing total and free disk space. You can make more available space by deleting old events and logs. |
| Most Reported Sources | Displays list of top 15 reported source IP addresses in the received Threats, sorted by the most reported. By clicking on a public IP address, new window is opened to check it IP in virus-total database. |
| Most Reported Destinations | Displays list of top 15 reported destination IP addresses in the received Threats, sorted by the most reported. By clicking on a public IP address, new window is opened to check IP in virus-total database. |
| Security policies | Showing the current number of active security policies, how many were revoked and rejected. |
| Threats | Displays the graphs showing the ratio of received Threats from miners. |
| Timeline chart | Displays the time line of API events and received Threats |
| Miner logs | Displays the log rate by a specific miner. You can enable/disable a specific miner by clicking on its name. |
3.2 Dashboard customization
You can select which widgets to keep on your dashboard in the widgets filter.
It might be necessary to have more dashboards with a specific set of widgets. Create new dashboard or edit your dashboards by using the buttons “New dashboard” and “Edit dashboards”.
3.3 Dashboard controls
There are 3 additional controls in the widgets:
This icon takes the chart into a separate large window.
This icon gives you a dropdown menu to select the data from, e.g. the last 24 hours, last month, etc.
This icon hides the chart and keeps only data.
4 Awaiting approval
This section shows all the processed events by existing Rules, which are type On-Approval. Click on a prepared event where you can either allow or reject the event to be processed. Output from the event will be stored in the API call logs.
4.1 Security Policy
Under this section you see the security polices deployed by SYNAPSA on the firewalls based on user defined rules.
- Active - (green) - security policy is deployed and active on the firewall
- Not active - (red) - security policy is not active on the firewall anymore, probably deleted or disabled by device administrator.
By clicking on a security policy you see the complete API calls log; how the policy was deployed.
- Revoke - will delete the policy from the firewall
- Revoke & Commit - will delete the policy and commit configuration, if vendor supports config commits
4.2 Data feeds
Data Feeds are lists of IP addresses, Domains or URLs which are filled according to configured Rules. Each rule can either do API calls or fill Data Feeds or do both actions.
- Title - name of the list
- Lifetime - lifetime of record which started counting when record was added to the list. If there is another event adding the same record to the same list, the lifetime will restart. If there is no event adding the same record, the record will disappear from the list when lifetime is reached
- Count - showing how many records are active in the list
5 Events
The Events page contains three sections:
- Auditor alert
- API calls
- Syslog
5.1 Auditor alert
5.1.1 Ruleset
Showing active and confirmed alerts generated by Auditor rule type Ruleset. Each event shows the name of the rule which is generating the alert and all the devices with faulty configuration. The number at the end of the line is number of the matching security policies.
By clicking on the Firewall, you will see the exact violating security policies found by auditor rule.
5.1.2 CVE
Showing active and confirmed alerts generated by Auditor rule type CVE. By Clicking on a specific alert, you can confirm and move it to confirmed.
Each CVE has a complete description, solution and mitigation steps, which comes directly from the vendor's CVE feed.
5.2 API calls
| Successful | Logs of the successfully created security policies on the firewalls based on the configured SYNAPSA rules. Each API call is considered to be successful, if API code and response message matches the value configured for the call in SYSTEM->API |
| Unsuccessful | Logs of API call which have a different value than expected. The whole call sequence is considered as not successful if at least one of the call has non expected response. |
| Rejected | Logs of the prepared security policies which were rejected manually by a SYNAPSA operator. This only applies on rules type “On Approval” |
| Revoked Policy | Logs of the successfully created security policies which were later revoked by a SYNAPSA operator. This applies on both rule types “Automatic” and “On Approval” |
5.3 Syslog
| Threat | This is a subset of all received logs from miners, showing only the Threats. Syslog from a miner is parsed based on the selected parser and then by the pre-defined threats which you want to accept from that miner. This table shows all the threats from all the configured miners. |
| System Logs | SYNAPSA generated logs for internal events like login, configuration edit, firewall connection lost, etc.. |
| All Syslog | Displays all the syslog received from the miners, before they are parsed and turned into threats. This table is regularly cleared by the task “Delete Syslog Events”, in order to delete redundant logs which do not carry any threat. |
6 Security policy
This page shows all deployed security policies. You can switch the toggle button to show Active Firewall policies only or delete the inactive ones. The calls can be revoked by clicking on the active security policy.
7 Data Feeds
Data Feeds are lists of IP addresses, Domains or URLs which are filled according to configured Rules. Each rule can either do API calls or fill Data Feeds or do both actions.- Title – name of the list
- Lifetime – is lifetime of the records which starts counting when record was added to the list. If there is another event adding the same record to the same list, the lifetime will restart. If there is no event adding the same record, the record will disappear from the list when lifetime is reached
- Count – showing how many records is active in the list
- Address Lists
- Domain Lists
- URL Lists
7.1 Address Lists
This list types can only contain valid IP address or subnet.
Add a Custom List
- Title - name of the list
- Lifetime - life time of a newly added record in hours. If the same IP address is added again, the timer will refresh to it's original value. If you want to keep records forever or delete only by user, user "0" to disable lifetime
- Allow - configure, which addresses are allowed to be added into the list. You can allow only Private, Public or a specific subnet.
If you click on a record in the list, you can modify or delete a specific record.
- ADD SOURCE IP - add a new record to the list
- FEED URL - Show the List publicly accessible URL, which you can use a source for External Dynamic Lists in your firewall object
7.1.1 Predefined
SYNAPSA system has built-in URL lists, which are automatically updated. You cannot modify these lists, but you can use them the same way as user defined lists.
Pre-defined lists have no life time for the records, the whole list is refreshed by system task.
7.2 Domain Lists
Domain lists can only contains a valid domain name. All the same rules apply as for Address list. You can create own lists which will be used as External Dynamic Lists for the devices loading the records into own configuration.
7.3 URL Lists
URL lists can only contains a valid domain name. All the same rules apply as for Address list. You can create own lists which will be used as External Dynamic Lists for the devices loading the records into own configuration.
8 Toolbox
8.1 Policy tester
Allows you to test what security policy will match the connection with specific parameters. Select a firewall you want to send the test request to and fill out all the required fields.
8.2 Threat tester
Allows you to simulate the event the same way as it was sent from a specific miner. The event will be stored in the database and processed exactly the same way as the real event. Please use it with caution!
9 Rules
In this section we create SYNAPSA rules, which transforms received events from miners to the actions.
Note: every rule will be processed separately. The is no first match only, but all the events will be processed by all the rules.
Note: If a user intends to remove an existing on-approval rule and if there are on-approval API calls which have not yet been approved, such API calls will be removed as well.
9.1 Specific settings of the rules
9.2 Adding a new Rule
| Name | Name of the rule |
| Miner | Select a miner, which will trigger the rule to be activated |
| Mode | On Approval – actions will be prepared, but not executed until operator manually approve or reject
Automatic – all the actions configured in the rule will be executed automatically, system and API calls logs will be stored into the appropriate tables. |
| Description | Rule description |
| Status | By selecting, make this rule to be active |
| Address lists | By selecting, SYNAPSA will fill Data Feeds. You can have a rule which only fills the data feeds without any API calls. |
9.3 Threats
Select what Threats will be processed in this rule. Threats / Tags will be populated based on the selected miner and the associated parser to the miner. You can use multiple threats in the same rule.
For Flowmon ADS you can also configure DataFeed and Perspective ID. Use "*" to disable the filter.
9.4 Selecting API calls to be performed
| Policy Calls | Select a sequence of the API calls by ticking them, specifically for a selected firewall, to be performed when SYNAPSA policy is triggered. You can move the calls by dragging the arrow on the left side. The calls will be performed as they are in the list order. |
| Rollback Calls | Select a sequence of the API calls by ticking them, specifically for a selected firewall, to be performed as a rollback, if API calls to create a security policy is not fully successful. |
9.5 Resetting rules hit-counts
When a rule is triggered by matching its conditions, the rule’s counter is increased by one. The counter displays how many times was the rule hit since the last counter reset.
Resetting counter globally for all the rules
To reset counter for every rule, click on “RESET COUNTER” at the top of the screen.
Resetting rule specific counter
Open a specific rule by clicking on “+” icon and then click a trash in the hit count row.
10 Auditor
Settings of the Firewall Auditor is described in separate guides bellow.
10.1 Palo Alto Networks NGFW Settings
Synapsa Firewall Auditor – Palo Alto documentation
10.2 Fortinet NGFW Settings
Synapsa Firewall Auditor – Fortinet documentation
11 Objects
11.1 Emails
Email addresses list which can be assigned to a notification profiles
11.2 Syslog
List of syslog servers, which can be assigned to notification profiles. You can specify a format of syslog messages sent by SYNAPSA.
- RAW - syslog payload will be a plain text as it is logged in the local syslog events
- JSON - syslog payload will be JSON formatted
Note: These are servers that SYNAPSA will send notification to, it can be the same miner SYNAPSA received syslog from, then after the Threat mitigation ,it will notify the miner back. This is used mostly with SIEMs.
11.3 Notification profiles
In notification profile you can select existing emails and syslog server, customize the message SYNAPSA will send in the body and the Objects and Severities which will be notified. You can have as many profiles as you need.
11.4 Remote servers
Create remote servers to backup your data elsewhere in XML format.
12 Settings
12.1 Miners
Miner is a log source for the SYNAPSA system. By adding a new miner you open TCP and UDP port 514 for the IP specified as a miner IP Address.
All the received logs from the miner are stored but only processed when there is an existing Rule which uses the miner as input for further processing.
If there is no Rule to process threats reported from a specific miner, syslog will be automatically deleted from "All syslog" database, based on the automatic task which can be configured under System -> Tasks
12.2 Firewall
API key has to be already generated and key needs to have permissions to perform all the necessary operations on the firewall.
You can only add a new firewall if check is successful. Check button will connect to the firewall IP address and perform simple API call. This only checks the connectivity and the key, however does not check all the permissions. Make sure the API key is able to modify configuration.
12.3 Firewall groups
You can group the firewalls under groups, to be able to assign the whole group to a SYNAPSA rule for Interconector and Auditor rules.
12.4 Parser
Parser is a set of regular expressions which are used to parse a raw syslog message into variables which are used for creating a security policy. You cannot modify a built-in parser, but you can select what Threats you want to process in a Rule where miner having a specific parser is used.
12.5 API
Under the API tab, you can see and modify all the pre-defined ÀPI calls which SYNAPSA system uses to communicate to devices.
You can also define your own rules with specific parameters and variables. The documentation for API call is included into the SYNAPSA GUI.
13 System
13.1 Backup
- EXPORT – export full configuration to a single backup file
- RESTORE – restore previously backed up configuration. The restore will rewrite currently running configuration.
13.2 Logs
- DOWNLOAD – download system logs for SYNAPSA troubleshooting purpose. The download will not contain any system events or received syslog from the mainers
13.3 Tasks
SYNAPSA does multiple tasks automatically every few minutes, depending on the specific task for its internal purposes. You can manually run a specific task or change the timer to how often the task is executed in the future.
ATTENTION: DO NOT CHANGE ANY SETTING UNLESS YOU FULLY UNDERSTAND THE INTERNAL ENGINE!
13.4 User
Local users with their privileges within the SYNAPSA GUI. You can add new user or change password, role or delete existing users.
13.5 Roles
Internal user roles settings. Every user has to belong to a user role, giving him permissions. You can either add a new user role or edit pre-configured roles by clicking on its name.
Every menu element in the list has 3 level of permissions to be given to users:
- No permission
- View only
- Full
13.6 Version
Displays SYNAPSA version and check for available updates
13.7 License
Displays installed SYNAPSA license and expiration date
13.8 SSL
SSL settings for SYNAPSA GUI. You can either generate a new certificate directly from the menu, or import an external certificate13.9 SYNAPSA
In this section you can setup the URL address SYNAPSA is running on and mail server settings, to be used as mail gateway.
You can also setup a Date and Time Format to be used in the whole system.