Firemon Firewall¶
About¶
FireMon provides a comprehensive suite of security policy management (NSPM) solutions, including Policy Manager, Asset Manager, and Cloud Defense, to help organizations manage firewall and cloud security policies, automate workflows, and ensure continuous compliance.
Product Details¶
Vendor URL: Firemon
Product Type: NSPM
Product Tier: Tier II
Integration Method: Syslog
Log Guide: Syslog Guide
Parser Details¶
Log Format: SYSLOG + JSON
Expected Normalization Rate: 100%
Data Label: FIREMON_FIREWALL
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| after.object.description | security_result.description |
| after.object.devicePack.artifactId | target.asset.software.name |
| after.object.devicePack.deviceName | target.resource.name |
| after.object.devicePack.deviceType | target.resource.resource_subtype |
| after.object.devicePack.groupId | target.group.group_display_name |
| after.object.devicePack.id | target.resource.id |
| after.object.devicePack.vendor | target.asset.software.vendor_name |
| after.object.devicePack.version | target.asset.software.version |
| after.object.managementIp | target.ip |
| after.object.name | target.hostname |
| after.object.username | target.user.userid |
| after.objectType | additional.fields |
| Assessment SCI | security_result.summary |
| category | security_result.category_details |
| changes.devicePack.after.collectionConfig.lastModifiedDate | target.asset.attribute.last_update_time |
| changes.parents.after.0.deviceType | target.resource_ancestors.resource_subtype |
| changes.parents.after.0.id | target.resource_ancestors.id |
| changes.parents.after.0.managementIp | target.asset.ip |
| changes.parents.after.0.name | target.resource_ancestors.name |
| check_id | principal.resource.name |
| check_state | security_result.action_details |
| COMMAND | target.process.command_line |
| daemon | observer.application |
| environment | target.asset.attribute.labels |
| from | principal.ip |
| observer | observer.hostname |
| pid | observer.process.pid |
| port | principal.port |
| principal_user | principal.user.userid |
| PWD | target.file.full_path |
| report_name | additional.fields |
| SCI | security_result.detection_fields |
| status | security_result.action_details |
| target_host | target.hostname |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Device Updated | RESOURCE_WRITTEN |
| Generic | GENERIC_EVENT |
| Login | USER_LOGIN |
| Logout | USER_LOGOUT |
Log Sample¶
<30>2025-04-01T00:07:55+00:00 example123.int.ex.com secmgrd: [FireMon] Event Log - Date: 2025-04-01T00:07:55.862407898 Event Name: Device Updated User: john_doe Detail: {"changes":{"devicePack":{"before":{"id":68,"artifactId":"palo_alto_vsys","groupId":"com.fm.sm.dp.palo-alto-vsys","version":"2023.1.33","buildDate":"2024-04-08T16:43:13.000Z","deviceName":"VSYS","deviceType":"FIREWALL","vendor":"Palo Alto Networks","collectionConfig":{"id":38,"name":"default","devicePackId":68,"devicePackVendor":"Palo Alto Networks","devicePackDeviceType":"FIREWALL","devicePackDeviceName":"VSYS","devicePackGroupId":"com.fm.sm.dp.palo-alto-vsys","devicePackArtifactId":"palo_alto_vsys","buildDate":"2024-04-08T16:43:13.000Z","deviceName":"VSYS","deviceType":"FIREWALL","vendor":"Palo Alto Networks","collectionConfig":{"id":38,"name":"default","devicePackId":68,"devicePackVendor":"Palo Alto Networks","devicePackDeviceType":"FIREWALL","devicePackDeviceName":"VSYS","devicePackGroupId":"com.fm.sm.dp.palo-alto-vsys","devicePackArtifactId":"palo_alto_vsys","changePattern":"(?:CONFIG|SYSTEM)","changeCriterion":{"pattern":"SYSTEM.+?Commit.+?succeeded.+?ser.(?<userName>[^ |,\"]+)","timeoutSeconds":10,"continueMatch":false,"parentUserName":"panorama","retrieveOnMatch":true,"stopMatching":false},"createdDate":"2021-03-01T22:51:34.833Z","lastModifiedDate":"2021-03-01T22:51:34.833Z","createdBy":"firemon","lastModifiedBy":"firemon","usageKeys":["RULE_NAME"],"activatedForDevicePack":true},"behaviorTranslator":"LogicalPolicyBehavior","normalization":true,"usage":true,"change":true,"usageSyslog":true,"changeSyslog":true,"active":false,"supportsDiff":true,"supportsManualRetrieval":true,"implicitDrop":false,"diffDynamicRoutes":false,"automation":false,"lookupNoIntfRoutes":true,"automationCli":false,"ssh":true,"sharedNetworks":false,"sharedServices":false,"supportedTypes":["USERS","SCOPES","ZONES","POLICY_ROUTES","URL_MATCHERS","PROFILES","APPLICATIONS"],"diffIgnorePatterns":["Next update at","\\<age\\>\\d+\\<\\/age\\>","^Configuration last modified by .*"],"devicePackMaskedFields":[],"convertableTo":[]}},"parents":{"before":[{"id":1,"domainId":1,"name":"PANO1.int.mgc.com","managementIp":"10.32.50.155","vendor":"Palo Alto Networks","deviceType":"DEVICE_MGR","state":"ACTIVE","licenses":["SM","PP","AUTO","PO"]}],"after":[{"id":1,"domainId":1,"name":"PANO1.int.mgc.com","managementIp":"10.32.50.155","vendor":"Palo Alto Networks","deviceType":"DEVICE_MGR","state":"ACTIVE","licenses":["SM","PP","AUTO","PO"]}]}},"after":{"object":{"id":309,"name":"New-BR-EXT-FW-1/aws","description":"Discovered by Panorama - 10.32.50.155","managementIp":"10.32.64.13","devicePack":{"deviceName":"VSYS","deviceType":"FIREWALL","vendor":"Palo Alto Networks","id":68,"artifactId":"palo_alto_vsys","groupId":"com.fm.sm.dp.palo-alto-vsys","version":"2023.1.33"}},"objectType":"DeviceDTO"}}}
Sample Parsing¶
additional.fields["objectType"] = "DeviceDTO"
metadata.event_type = "RESOURCE_WRITTEN"
metadata.log_type = "FIREMON_FIREWALL"
metadata.product_event_type = "Device Updated"
metadata.product_name = "Firewall"
metadata.vendor_name = "FireMon"
observer.application = "secmgrd"
observer.hostname = "example123.int.ex.com"
principal.user.userid = "john_doe"
security_result.description = "Discovered by Panorama - 10.32.50.155"
target.asset.attribute.labels.key = "Environment"
target.asset.attribute.labels.value = "aws"
target.asset.attribute.last_update_time.seconds = 1614639094
target.asset.attribute.last_update_time.nanos = 833000000
target.asset.hostname = "New-BR-EXT-FW-1"
target.asset.ip = "10.32.50.155"
target.asset.software.name = "palo_alto_vsys"
target.asset.software.vendor_name = "Palo Alto Networks"
target.asset.software.version = "2023.1.33"
target.group.group_display_name = "com.fm.sm.dp.palo-alto-vsys"
target.hostname = "New-BR-EXT-FW-1"
target.ip = "10.32.64.13"
target.resource_ancestors.id = "1"
target.resource_ancestors.name = "PANO1.int.mgc.com"
target.resource_ancestors.resource_subtype = "DEVICE_MGR"
target.resource.id = "68"
target.resource.name = "VSYS"
target.resource.resource_subtype = "FIREWALL"