Host Firewall Automation and Multi-Factor Authentication
Alert on unauthorized firewall changes
Halo Logging and Alerting
Halo logging and alerting is a built-in service that captures event information generated by all of the Halo security modules, by Halo user actions, and by actions on Halo-protected servers. Halo stores these events centrally, and reports on them in a variety of forms, including summaries and details displayed in the Halo portal, email alerts sent to administrator inboxes, and event data exported to third-party analytical tools.
Logging and alerting is always "on" and available to all Halo users, but you decide what and how much you want logged and who needs to be notified. For example:
- Most of Halo's policy-based security modules allow you to separately turn logging or alerting on or off for each rule in a policy, to flag the more serious ones as Critical, and to generate email alerts for the most serious of them.
- You can implement a special events policy to control the logging and alerting of server-related events across your infrastructure.
- You can control which routine audit events (logins, policy assignments, password changes, and so on) should be logged or alerted on.
- You can create alert profiles, which control who should receive email alerts for various events.
To review logged events, you can view alerts in your email inbox, view event summaries on the Halo portal dashboard page, or view and search for events on several other portal pages.
Integrating Events with Analytical Tools. The Halo API includes the capability to export complete or filtered event information that you can then feed into a variety of third-party analytical tools. CloudPassage has used this capability to create an integration tool (Halo Event Connector) that you can use out-of-the-box for this purpose.
You can configure Halo to alert you to potentially malicious alterations of your server firewalls. You will receive an alert whenever any Halo firewall is altered outside of Halo.
- If you haven't done it yet, create and assign an alert profile as described in Set up Halo alerts.
- Create a special events policy:
  - In the Portal, go to Policies > Special Events Policies and click Add New Special Events Policy.
  - Enter a name and optional description for the policy, then select the Log Event and Generate an Alert checkboxes for the "Server firewall modified" event. (Select Flag Critical to flag this event as critical in the Halo Portal.)
    (If you already have a special events policy, you can add this event to it instead of creating a new policy.)
  - Click Save to save the policy.
- Assign the special policy to your server group—navigate to the Portal Dashboard page, click Edit Details for your server group, and select your policy from the Special Events Policy drop-down list. Then click Save Group Settings.
Now, if anybody accesses any of your Halo-protected servers and locally modifies its firewall, the people on this server group's alert profile will receive emails notifying them of the occurrence.
For more details on special-events handling and policies, see Set Up a Special Events Policy in Halo Issues, Events, and Alerts.
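The idea behind the "Server firewall modified" event, noticing that a host's live ruleset no longer matches the one last pushed by the management tool, can be illustrated with a small drift check over `iptables-save` output. This is an added example, not CloudPassage code and not a description of how Halo implements the event; both rulesets are constructed samples and the names `normalize` and `drift` are hypothetical.

```python
import difflib
import re

COUNTERS = re.compile(r"^\[\d+:\d+\]\s*|\s*\[\d+:\d+\]$")  # volatile packet/byte counters

# Constructed sample: ruleset last pushed by the management tool.
BASELINE = """\
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [120:9600]
[55:4400] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[12:720] -A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: live ruleset after a local edit dropped the SSH source restriction.
LIVE = """\
# Generated by iptables-save v1.8.7 on Tue Jan  2 09:30:00 2024
*filter
:INPUT DROP [150:12000]
[80:6400] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[20:1200] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def normalize(dump):
    """Ordered rule lines of an iptables-save dump, minus comments and counters."""
    table, rules = None, []
    for raw in dump.splitlines():
        line = COUNTERS.sub("", raw.strip())
        if not line or line.startswith("#") or line == "COMMIT":
            continue  # comments carry timestamps that change on every dump
        if line.startswith("*"):
            table = line[1:]  # e.g. "*filter" opens the filter table
            continue
        rules.append(f"{table}: {' '.join(line.split())}")
    return rules

def drift(baseline, live):
    """Rules added/removed relative to baseline; a reordering also counts as drift."""
    old, new = normalize(baseline), normalize(live)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed += old[i1:i2]
        if tag in ("replace", "insert"):
            added += new[j1:j2]
    return {"added": added, "removed": removed}
```

Calling `drift(BASELINE, LIVE)` reports the restricted SSH rule as removed and the unrestricted one as added, while a dump that differs only in counters or timestamps produces no drift.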