Documentation Center
AlienVault® USM Anywhere™

D-Link UTM Firewall

When you configure D-Link UTM Firewall to send log data to USM Anywhere, you can use the D-Link UTM Firewall plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor D-Link
Device Type Firewall
Connection Type Syslog

Integrating D-Link UTM Firewall

Before you configure the D-Link UTM Firewall integration, you must have the IP Address of the USM Anywhere Sensor.

To configure the D-Link UTM Firewall to send log data to USM Anywhere using the Syslog protocol

  1. Log in to the firewall. After logging in, set your firewall’s WAN settings as required by your Internet provider and your organization's own guidelines.

    Note: The default URL used to access the firewall is https://192.168.10.1. The default username is admin and password is admin.

  2. Enable logging for the desired IP rules. To monitor outgoing traffic, you need to enable logging in the main NAT rule. To do that, select Policies > Main IP Rules > lan_to_wan > edit the “allow_standard” rule from the D-Link admin program and select the “Enable logging” check box on the Log Settings tab page.
  3. Specify the server to receive log and event information.
    1. Select Objects > Address Book from the D-Link admin program and add the IP4 address of the USM Anywhere Sensor.
    2. Select System > Device > Log and Event Receivers and add a new Syslog Receiver that points to your USM Anywhere Sensor's IP address.

Plugin Enablement

The D-Link UTM Firewall plugin will automatically process all messages when the raw message contains "FW: ARP:", "FW: CONN:", "FW: IP_PROTO:", "FW: RULE:", "FW: TCP_FLAG" or "FW: TCP_OPT:".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol
  • bytes_in
  • bytes_out
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • customfield_7
  • customfield_8
  • customfield_9
  • customfield_10
  • customfield_11
  • customfield_12
  • customfield_13
  • customfield_14
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5
  • customheader_6
  • customheader_7
  • customheader_8
  • customheader_9
  • customheader_10
  • customheader_11
  • customheader_12
  • customheader_13
  • customheader_13
  • customheader_14
  • destination_address
  • destination_mac
  • destination_nat_address
  • destination_nat_port
  • destination_port
  • duration
  • event_action
  • event_category
  • event_description
  • event_name
  • event_severity
  • rep_device_address
  • rep_device_inbound_interface
  • rep_device_mac
  • rep_device_outbound_interface
  • rep_device_rule_id
  • source_address
  • source_mac
  • source_nat_address
  • source_nat_port
  • source_port
  • transport_protocol

Additional Resources and Troubleshooting

https://www.manualslib.com/download/663992/D-Link-Netdefend-Dfl-210.html

https://www.manualslib.com/manual/663992/D-Link-Netdefend-Dfl-210.html#product-DFL-860

For troubleshooting, see the vendor documentation.