AXS Guard Cloud
Introduction
The AXS Guard Cloud is part of AXS Guard’s Observe & Protect solution. It provides a web-based management interface with various tools and dashboards, allowing authorized administrators and MSSPs to remotely and securely oversee AXS Guard UTM deployments. This document provides guidance on how to use the AXS Guard Cloud for efficient monitoring, management, and analysis of threat intelligence data, generated by its various components.
Features
Tasks | Description |
---|---|
Manage large-scale installations | Configure settings to be pushed out and register new UTM appliances. |
View operational information | Access license status and customer contract details. |
Troubleshoot systems | Identify and resolve issues within deployed systems. |
Configure SecureDNS & DNS filters | Customize settings for the SecureDNS agent and configure AXS Guard DNS filters. |
Consult threat intelligence data | Access and use threat intelligence data from multiple sources for analysis and decision-making. |
Requesting Cloud Access
To access the AXS Guard Cloud, first-time users must complete and submit the required form. This form serves as a crucial step in the onboarding process, facilitating the collection of necessary information and ensuring that users adhere to the prescribed protocols for cloud access.
Requirements
Login
The AXS Guard Cloud requires users to sign in using Google or Microsoft credentials, which can include third-party email addresses linked to Google or Microsoft (e.g., user@yourdomain.com
). A web browser is needed for interaction with its diverse web-based dashboards.
Browser Extensions
Browser extensions can impact the performance and user experience, as they have the ability to run extra code on every page you open, potentially causing pages to hang or become unresponsive.
If you encounter any issues while interacting with a dashboard or if it becomes invisible, ensure that all your browser plugins are disabled or add a security exception for the AXS Guard Cloud.
Threat Intelligence
Data Filters
Filtering threat intelligence data, provided through the various dashboards, is achievable using KQL and Lucene query syntax. UI filters are also available for convenience, allowing authorized users to narrow down data sets or options based on specific criteria.
With filters, administrators and MSSPs can quickly identify issues, isolate devices for closer inspection, and troubleshoot systems more efficiently. This capability also enables them to adjust their cybersecurity strategy more effectively.
Tutorial
For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.
Dashboards
AXS Guard Central
Introduction
The AXS Guard Central dashboard provides a clear overview of all deployed UTM appliances, their license number, contract IDs, current operational status and health.
Via this dashboard, authorized system administrators and MSSPs can register new appliances and securely log in to deployed AXS Guard UTM appliances or PAX units (version restrictions apply).
The AXS Guard central dashboard simplifies routine system maintenance tasks, such as pushing new firewall rules to a UTM appliance and allows MSSPs or system administrators to remotely identify and troubleshoot issues.
Registering UTM Appliances
Requirements
The following is required to register your AXS Guard appliance:
- The Contract Number (e.g.,
AXGK-1234-56789
orEVAL-1234-56789
for product evaluation), as found in your AXS Guard order confirmation. - The
systeminfo.txt
file, which must be downloaded directly from your AXS Guard appliance when running the License Wizard.
To register an appliance, log in to the AXS Guard cloud, then navigate to the AXS Guard Central dashboard. Click on register appliance to start the registration proces and follow the on-screen instructions.
Contact Management
-
If no contacts are found during registration, you will be required to add an administrator contact in step 2 of the registration process.
-
In case of existing contact information: Select an existing contact within your company context. This contact will automatically become the administrator, responsible for managing AXS Guard appliances and serving as a potential customer support contact. You can also add a new administrator profile if you do not wish to select an existing contact for this role.
Best Practices
Administrators should ensure that contact information in the AXS Guard Cloud is accurate and current. Only cloud users with the admin role can manage contact information.
Remote Login
Secure remote login capabilities, helpful for system administration and troubleshooting, require AXS Guard version 11.0.15
or PAX version 4.2.0
or later.
IT administrators can use remote login to manage and troubleshoot appliances without being physically present at the location. This capability is particularly valuable for maintaining and updating systems in different geographical locations, reducing downtime, and minimizing the need for on-site assistance.
AXS Guard UTM Appliances
AXS Guard version 11.0.15
or later is required.
- Log in to the AXS Guard Cloud.
- Navigate to the AXS Guard Central dashboard.
- Enter your license number or contract ID into the search field.
- Click on the login button.
PAX Units
PAX software version 4.2.0
or later is required.
- Log in to the AXS Guard Cloud.
- Select the AXS Guard Central dashboard and enter the contract ID or license number of your AXS Guard appliance, e.g.
0000-00012345
. -
Click on the license number.
-
Select the Personal AXS Guard tab.
-
To access the PAX unit you'd like to log into, click on the corresponding license ID, e.g.
0001-00012345
. -
Click on the login button.
The login page of the PAX unit will open in a new browser tab. Log in with the credentials that you configured on the server side.
System Details
Log in to the AXS Guard cloud, navigate to the AXS Guard Central dashboard and click on the license number of an appliance to access its details.
After clicking on the license number, additional details will be visible, including status information, license information, contacts, software details, update events, appliance statistics, connected Personal AXS Guard units, configuration backups, and licensed features.
System administrators can download the license.dat
file via the License tab, which is required to make an AXS Guard appliance fully operational.
Pushing Config Settings
Via system details, authorized users can also propagate AXS Guard configuration settings, such as firewall rules, GeoIP filters, DNS filters, and web filters, to a single UTM appliance. This is achieved by using the Push AXS Guard Cloud Config button and requires the creation of a configuration profile via the Management page.
Important
The use of the Push AXS Guard Cloud Config button is only required if you encounter issues with automated configuration updates. Configuration updates are automatically handled by the AXS Guard Cloud, provided that a configuration profile has been assigned.
Endpoint Central
The IBM Security® QRadar® EDR dashboard delivers comprehensive visibility into your network infrastructure, empowering real-time endpoint analysis and facilitating extended searches to uncover and counteract dormant threats. Installation of a QRadar® EDR agent (Nano OS) on each endpoint is a prerequisite.
Contracts
Through this page, authorized users can access contract information, consult a list of activated system features, find details about software bundles, and download contract certificates by clicking on a specific contract ID in the table.
DNS Security
The DNS security dashboard serves as a centralized interface, providing real-time insights and analytics into malicious DNS queries generated by networked devices. This comprehensive tool enables administrators to monitor and analyze DNS traffic, detect potential threats, and assess the overall health of the network.
DNS queries are categorized based on the threat they represent. Filtering data is possible through the use of KQL syntax.
Examples of KQL filters
ag.dns.category.keyword: dns-filter
: shows all blocked DNS queries that matched a DNS filter.host.name.keyword: axsguard.yourdomain.com
: shows all DNS queries blocked by this AXS Guard appliance.ag.dns.category.keyword: botnet
: shows all blocked DNS queries that matched a botnet filter.source.hostname: johndoe-laptop
: shows all blocked DNS queries originating from this host.source.ip.keyword: 192.0.2.50
: shows all blocked DNS queries originating from this IP address.
Combine multiple filter conditions with the AND and OR operators, e.g.:
host.name.keyword: "axsguard.example.com" and ag.dns.category.keyword: "botnet"
Filters can also be created by clicking on elements in the dashboard, as demonstrated in the example below.
For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.
Alerts
Via this dashboard, MSSPs and administrators can view various types of alerts:
- Endpoint Alerts: Notifications or warnings generated by IBM Security QRadar EDR when suspicious or potentially malicious activities are detected on endpoints within a network. Endpoints are individual devices such as computers, servers, laptops, smartphones or other devices that connect to a network.
- SecureDNS: Events related to APTs and botnets that are blocked by AXS Guard’s DNS security feature.
- Configuration: Configuration alerts play a vital role in proactive IT management, allowing administrators to promptly address issues and maintain a secure and well-functioning IT environment.
- AG Alerts: Alerts that are generated by AXS Guard UTM appliances, e.g. certificate expiration warnings and failed login notifications.
Filtering alert data is possible through the use of KQL syntax. To effectively manage security alerts, consider setting up alert forwarding, which sends notifications directly to administrators via email according to their specified preferences.
Examples of KQL filters
subtype.keyword: apt
: shows all events related to advanced persistent threats (APT).type: SecureDNS
: shows all events related to SecureDNS.type: Event and subtype: warning
: shows warnings generated by AXS Guard.event.description: shutdown
: shows system shutdown events.
Combine multiple filter conditions with the AND and OR operators, e.g.:
type: "Event" and subtype: "fatal"
Filters can also be created by clicking on elements in the dashboard, as demonstrated in the example below.
For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.
Monitoring
This dashboard allows authorized users to review and analyze AXS Guard UTM appliances for availability, operations, performance, security incidents and other related processes.
It is only accessible to authorized administrators and MSSPs to ensure that AXS Guard appliances are performing as expected and to mitigate problems as they become apparent.
Customization
Click in the top right corner of a metric to customize its settings.
Data filters can be created with KQL syntax or by clicking on elements in the dashboard, as demonstrated in the examples below.
link_license: 0000-00012345 and @timestamp >= 90
: Events related to license 0000-00012345 that are 90 days old or more.
For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.
UTM Configuration Profiles
Management
Configuration profiles enable administrators or MSSPs to efficiently configure and manage various aspects of AXS Guard UTM systems through centralized and automated configuration.
They provide a standardized approach for controlling settings, encompassing firewall rules, GeoIP filters, DNS filters, and web filters.
- Navigate to the Management page.
-
Click on the Add button.
-
Enter an appropriate profile name and description, then press the Submit button.
Assignment
Profiles must be assigned to UTM appliances, which are identified by their license number, in order to allow the AXS Guard Cloud to push configuration settings in bulk.
To use the Push AXS Guard Cloud config functionality, ensure that the selected appliances are running AXS Guard software version 11.0.15
or higher.
- Navigate to the Assignment page.
-
Select the relevant UTM licenses and click on Update Profile.
-
Choose the desired profile(s) for assignment.
-
Complete the assignment process by adding the selected profile(s).
Firewall
Via the firewall rule pages, authorized users can configure AXS Guard firewall rules for deployment to large-scale installations. For a detailed explanation of AXS Guard firewall rules, please refer to the AXS Guard firewall documentation.
Towards Rules
Towards rules pertain to network traffic destined for a process running on the AXS Guard appliance, such as OpenVPN or SSTP client traffic.
-
Navigate to Towards Rules and click on the Add button in the top right corner.
-
Enter the requested information and make sure to assign the new rule to the correct configuration profile.
-
Click on the Submit button.
Important - AXS Guard Configuration Required
In the AXS Guard user interface, rules configured via the AXS Guard Cloud will be shown with a cm-e
(central management) prefix, e.g., cm-e-rulename
.
For rules to take effect, they must be assigned to a policy by a system administrator. Refer to the AXS Guard firewall documentation for additional information and configuration steps.
Through Rules
Through rules apply to network traffic passing through the AXS Guard appliance from one firewall zone to another, for example, from a client in the Secure LAN to a server in the DMZ or on the Internet.
To configure new rules, navigate to through rules and follow the same steps as explained in the towards rules section.
Important - AXS Guard Configuration Required
In the AXS Guard user interface, rules configured via the AXS Guard Cloud will be shown with a cm-e
(central management) prefix, e.g., cm-e-rulename
.
For rules to take effect, they must be assigned to a policy by a system administrator. Refer to the AXS Guard firewall documentation for additional information and configuration steps.
DNS Security
Introduction
This page allows authorized users to configure various API settings and options for the SecureDNS agent in large-scale deployments. Settings are applied on three levels: global, company, and device.
graph LR
A[Global Settings] -->|inherit| B[Company Settings] -->|inherit| C[Device Settings];
B -->|override| A;
C -->|override| B;
Global settings can be configured via DNS Security > Agents. To configure company-level and device-level settings, click on the appropriate end user.
Getting Help
Context-sensitive help is available for each option by clicking the i
icon.
- Global Settings: Apply to all companies or organizations under your management and are enforced on all SecureDNS agents within these organizations.
- Company Settings: Apply to a single company or organization and are enforced on all SecureDNS agents within that organization. Can be used to override global settings.
-
Device Settings: Apply to a specific device within a company, with the configuration enforced on that specific device. Can be used to override company settings.
DNS Filters
DNS filters are used to control how DNS queries must be handled by the SecureDNS agent. These filters are based on predefined domain lists and allow administrators to create rules that determine whether specific domains should be allowed or blocked. By implementing filters, organizations can enhance network security, improve user experience, and enforce specific policies related to domain access.
List Type | Description |
---|---|
Allow Lists | If a domain is included here, the client will be allowed to resolve it, regardless of any blocks imposed by Secutec DNS servers. |
Block Lists | Domains in this list are blacklisted, and the blocks are recorded in the DNS security dashboard. |
Notification Lists | Domains in this list are monitored for frequent access. While DNS resolution isn't blocked, user activity is tracked in the DNS security dashboard to assist administrators in identifying potential security risks. |
This is the DNS resolution priority, from highest to lowest:
- Company-Level Allow Lists: Domains on these lists are processed first.
- Company-Level Block Lists: Domains on these lists are processed next, unless they are allowed by a company-level allow list.
- Global-Level Allow Lists: Domains on these lists are processed next, unless blocked by company-level filters.
- Global-Level Block Lists: Domains on these lists are processed next, unless allowed by company-level or global-level allow lists.
- Secutec Filter: Finally, if a domain is flagged as malicious by Secutec and is not on any allow list, it will be blocked.
GeoIP Filtering
GeoIP filtering or geo-blocking, a technology that can block network traffic to and from entire countries, can be an effective way to stop hackers from attacking your organization. As its name suggests, it blocks network connections based on geographic location – information it gets based on IP addresses.
Through the Country Groups page, authorized users can configure GeoIP filters, for deployment to large-scale AXS Guard installations.
Please note that the AXS Guard Cloud configuration always takes precedence over configurations that were made directly on an AXS Guard appliance. Using the Cloud configuration means that local GeoIP configurations may be overwritten.
- Navigate to Country Groups to add a new filter.
- Configure the appropriate settings, select the desired countries and make sure to assign the new filter to the correct configuration profile.
- Click on the Submit button.
Web and DNS Filters
Through the URL Lists page, authorized users can configure web and DNS filters for deployment to large-scale AXS Guard installations. These filters control access to specific URLs and websites.
- Navigate to URL Lists to add a new filter.
- Configure the appropriate settings and make sure to assign the new filter to the correct configuration profile.
- Click on the Submit button.
Important - AXS Guard Configuration Required
In the AXS Guard user interface, filters configured via the AXS Guard Cloud will be shown with a cm-e
(central management) prefix, e.g., cm-e-filtername
.
For web and DNS filters to take effect, they must be assigned to an AXS Guard proxy ACL or domain filter (DNS) by a system administrator. See the AXS Guard Web Access and DNS Security documentation for further information and configuration steps.
Alert Forwarding
Overview
Alert forwarding enables administrators and Managed Security Service Providers (MSSPs) to receive alerts via email, providing a straightforward method for standard monitoring purposes.
Administrators can access an overview of all available alert forwardings under Alerts > Forwarding. There, administrators will find:
Field | Description |
---|---|
Name | The name of the forwarding rule. |
Description | A short explanation of what the rule does. |
Severity Range | The range of alert severity levels this rule applies to. |
Event Classes | The type of events this rule will forward alerts for. |
Enabled | Whether the rule is currently active. |
Points of attention
- Quick Updates: The overview screen allows administrators to quickly enable or disable rules using the checkboxes next to each entry. The changes are saved automatically.
- Group-Level Configuration: It's important to note that alert forwarding rules are configured at the group level. This means they apply to all users within a specific group. Each rule is independent, meaning changes to one rule won't affect others.
- Duplicate emails: If a user belongs to multiple groups with overlapping forwarding rules, they might receive the same alert twice.
Adding New Rules
The standard toolbar at the top of the screen includes an Add button for creating new forwarding rules. Clicking this button will take you to a dedicated screen for setting up a new rule.
Field | Description |
---|---|
Enabled | Specifies whether alert forwarding is enabled or disabled. Emails will never be sent when a rule is disabled. Rules are enabled by default. |
Name | The designation for the alert forwarding. This field is used solely within the AXS Guard Cloud to facilitate easy recognition of the configured alert forwardings. It must not be left empty. |
Description | Similar to the name, but it can remain empty. |
Min and Max severity | Sets the minimum and maximum severity levels for the alerts that the user wishes to receive. By default, they are set to 0 and 100 , respectively, which encompasses all alerts. Both limits are inclusive, ensuring that the severity range covers the entire spectrum. |
Security and Operational | All alerts are classified as either security or operational alerts. The checkboxes allow administrators to specify which class of alerts they would like to receive. Both classes are checked by default. |
Template subject and body | Allows administrators to create templates for the email subject and body when alerts are forwarded. Emails can be customized by inserting alert details within curly braces like this: {{alert.reason}} . These placeholders will automatically be replaced with the corresponding information. The system provides default templates in both HTML and JSON formats, which can be modified to fit your specific needs. |
Email addresses | A list builder for entering email addresses. If an alert matches the rule, an email will be sent to each address using the specified templates. |
End-users | Lastly, administrators can specify which group of end-users should receive alerts. |
Two timestamps will be added when an alert is created: created at
and updated at
.
Tips
- Edit, duplicate, or delete rules directly from the overview page.
- Sort by name or description for easier organization.
- Bulk update and advanced filters are not yet available.
- The table headers allow sorting by name or description.
Template Customization
The AXS Guard Cloud uses Jinja2 to process email templates, but some limitations apply.
Allthough Jinja2 offers powerful features, some are restricted for security reasons. Firstly, statements like {% for loop %})
are not allowed, while comments {# this is a comment #}
are permitted. The following expressions are allowed: {{ variable }}
. System administrators can use any available alert variable to configure email templates. The use of Jinja2 operators, for example, to divide severity by 10
, is not permitted.
Viewing Alerts
All alerts contain the same fields with a consistent naming convention. They can be viewed by expanding an alert via Dashboards > Alerts.
Cloud Access Management
Introduction
Through the Cloud Access Management page, authorized users can manage AXS Guard Cloud user accounts, and grant or revoke access to specific parts of the system as needed.
User Management
There are three roles: Admin, Sales, and Technical. Each role has specific access privileges. Users can be assigned one or more roles and are required to sign in with an email address linked to Google or Microsoft. Depending on the role, certain components on detail pages may either become visible or remain hidden.
Role | Access |
---|---|
Sales | View contract-related information and sales data. Also has access to the download center. |
Technical | Access to license-related information and basic technical actions. Also has access to the download center. |
Admin | Broad administrative capabilities; has access to additional buttons based on other roles. Can manage contact information. Also has access to Cloud Access Management and the download center. |
Navigate to Users to add, modify or remove a user account.
User Preferences
By clicking on the username in the top right corner and selecting preferences, users can customize their personal AXS Guard Cloud settings, such as homepage preferences and the session timeout.
Download Center
The download center provides a centralized and organized location for users to securely download software, such as the SecureDNS agent.
Support
If you encounter a problem
If you encounter any issues with the AXS Guard Cloud, don't hesitate to reach out to our technical support department.
Contact Information
(+32) 15-504-400
support@axsguard.com