AXS Guard Cloud

Introduction

The AXS Guard Cloud is part of AXS Guard’s Observe & Protect solution. It provides multiple tools and dashboards, enabling authorized administrators and MSSPs to remotely and securely manage AXS Guard UTM deployments. This document provides guidance on how to use the AXS Guard Cloud for efficient monitoring and management.

Features

Tasks	Description
Manage large-scale installations	Configure settings to be pushed out and register new UTM appliances.
View operational information	Access license status and customer contract details.
Troubleshoot systems	Identify and resolve issues within deployed systems.
Configure SecureDNS & DNS filters	Customize settings for the SecureDNS agent and configure AXS Guard DNS filters.
Consult threat intelligence data	Access and use threat intelligence data from multiple sources for analysis and decision-making.

Data Filters

Filtering threat intelligence data, provided through the various dashboards, is achievable using KQL and Lucene query syntax. UI filters are also available for convenience, allowing authorized users to narrow down data sets or options based on specific criteria.

With filters, administrators and MSSPs can quickly identify issues, isolate devices for closer inspection, and troubleshoot systems more efficiently. This capability also enables them to adjust their cybersecurity strategy more effectively.

For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.

Requesting Cloud Access

To access the AXS Guard Cloud, first-time users must complete and submit the required form. This form serves as a crucial step in the onboarding process, facilitating the collection of necessary information and ensuring that users adhere to the prescribed protocols for cloud access.

Requirements

The AXS Guard Cloud requires users to sign in using Google or Microsoft credentials, which can include third-party email addresses linked to Google or Microsoft (e.g., user@yourdomain.com). A web browser is needed for interaction with its diverse web-based dashboards.

Browser extensions can impact the performance and user experience, as they have the ability to run extra code on every page you open, potentially causing pages to hang or become unresponsive.

If you encounter any issues while interacting with a dashboard or if it becomes invisible, ensure that all your browser plugins are disabled or add a security exception for the AXS Guard Cloud.

Dashboards

AXS Guard Central

Introduction

The AXS Guard Central dashboard provides a clear overview of all deployed UTM appliances, their license number, contract IDs, current operational status and health.

Via this dashboard, authorized system administrators and MSSPs can register new appliances and securely log in to deployed AXS Guard UTM appliances or PAX units (version restrictions apply).

The AXS Guard central dashboard simplifies routine system maintenance tasks, such as pushing new firewall rules to a UTM appliance and allows MSSPs or system administrators to remotely identify and troubleshoot issues.

Registering UTM Appliances

Before initiating the registration process, ensure you have access to the following key information:

• The Contract Number (e.g., AXGK-1234-56789 or EVAL-1234-56789 for product evaluation), as found in your AXS Guard order confirmation.
• The specific Serial Number, also available in your AXS Guard order confirmation (only required to register your very first AXS Guard appliance).
• The systeminfo.txt file, which must be downloaded directly from your AXS Guard appliance during the License Wizard process.

To register an appliance, log in to the AXS Guard cloud, then navigate to the AXS Guard Central dashboard. Click on register appliance to start the registration proces and follow the on-screen instructions.

Remote Login

Secure remote login capabilities, helpful for system administration and troubleshooting, require AXS Guard version 11.0.15 or PAX version 4.2.0 or later.

IT administrators can use remote login to manage and troubleshoot appliances without being physically present at the location. This capability is particularly valuable for maintaining and updating systems in different geographical locations, reducing downtime, and minimizing the need for on-site assistance.

AXS Guard UTM Appliances

AXS Guard version 11.0.15 or later is required.

1. Log in to the AXS Guard Cloud.
2. Navigate to the AXS Guard Central dashboard.
3. Enter your license number or contract ID into the search field.
4. Click on the login button.

PAX Units

PAX software version 4.2.0 or later is required.

1. Log in to the AXS Guard Cloud.
2. Select the AXS Guard Central dashboard and enter the contract ID or license number of your AXS Guard appliance, e.g. 0000-00012345.

3. Click on the license number.

   

4. Select the Personal AXS Guard tab.

5. To access the PAX unit you'd like to log into, click on the corresponding license ID, e.g. 0001-00012345.

   

6. Click on the login button.

   

The login page of the PAX unit will open in a new browser tab. Log in with the credentials that you configured on the server side.

System Details

Log in to the AXS Guard cloud, navigate to the AXS Guard Central dashboard and click on the license number of an appliance to access its details.

After clicking on the license number, additional details will be visible, including status information, license information, contacts, software details, update events, appliance statistics, connected Personal AXS Guard units, configuration backups, and licensed features.

System administrators can download the license.dat file via the License tab, which is required to make an AXS Guard appliance fully operational.

Pushing Config Settings

Via system details, authorized users can also propagate AXS Guard configuration settings, such as firewall rules, GeoIP filters, DNS filters, and web filters, to a single UTM appliance. This is achieved by using the Push AXS Guard Cloud Config button and requires the creation of a configuration profile via the Management page.

Important

The use of the Push AXS Guard Cloud Config button is only required if you encounter issues with automated configuration updates. Configuration updates are automatically handled by the AXS Guard Cloud, provided that a configuration profile has been assigned.

Endpoint Central

The IBM Security^® QRadar^® EDR dashboard delivers comprehensive visibility into your network infrastructure, empowering real-time endpoint analysis and facilitating extended searches to uncover and counteract dormant threats. Installation of a QRadar^® EDR agent (Nano OS) on each endpoint is a prerequisite.

Contracts

Through this page, authorized users can access contract information, consult a list of activated system features, find details about software bundles, and download contract certificates by clicking on a specific contract ID in the table.

DNS Security

The DNS security dashboard serves as a centralized interface, providing real-time insights and analytics into malicious DNS queries generated by networked devices. This comprehensive tool enables administrators to monitor and analyze DNS traffic, detect potential threats, and assess the overall health of the network.

DNS queries are categorized based on the threat they represent. Filtering data is possible through the use of KQL syntax.

Examples of KQL filters

• ag.dns.category.keyword: dns-filter: shows all blocked DNS queries that matched a DNS filter.
• host.name.keyword: axsguard.yourdomain.com: shows all DNS queries blocked by this AXS Guard appliance.
• ag.dns.category.keyword: botnet: shows all blocked DNS queries that matched a botnet filter.
• source.hostname: johndoe-laptop: shows all blocked DNS queries originating from this host.
• source.ip.keyword: 192.0.2.50: shows all blocked DNS queries originating from this IP address.

Combine multiple filter conditions with the AND and OR operators, e.g.:

host.name.keyword: "axsguard.example.com" and ag.dns.category.keyword: "botnet"

Filters can also be created by clicking on elements in the dashboard, as demonstrated in the example below.

For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.

Alerts

Via this dashboard, MSSPs and administrators can view various types of alerts:

• Endpoint Alerts: Notifications or warnings generated by IBM Security QRadar EDR when suspicious or potentially malicious activities are detected on endpoints within a network. Endpoints are individual devices such as computers, servers, laptops, smartphones or other devices that connect to a network.
• SecureDNS: Events related to APTs and botnets that are blocked by AXS Guard’s DNS security feature.
• Configuration: Configuration alerts play a vital role in proactive IT management, allowing administrators to promptly address issues and maintain a secure and well-functioning IT environment.
• AG Alerts: Alerts that are generated by AXS Guard UTM appliances, e.g. certificate expiration warnings and failed login notifications.

Filtering alert data is possible through the use of KQL syntax. To effectively manage security alerts, consider setting up alert forwarding, which sends notifications directly to administrators via email according to their specified preferences.

Examples of KQL filters

• subtype.keyword: apt: shows all events related to advanced persistent threats (APT).
• type: SecureDNS: shows all events related to SecureDNS.
• type: Event and subtype: warning: shows warnings generated by AXS Guard.
• event.description: shutdown: shows system shutdown events.

Combine multiple filter conditions with the AND and OR operators, e.g.:

type: "Event" and subtype: "fatal"

Filters can also be created by clicking on elements in the dashboard, as demonstrated in the example below.

For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.

Monitoring

This dashboard allows authorized users to review and analyze AXS Guard UTM appliances for availability, operations, performance, security incidents and other related processes.

It is only accessible to authorized administrators and MSSPs to ensure that AXS Guard appliances are performing as expected and to mitigate problems as they become apparent.

Customization

Click in the top right corner of a metric to customize its settings.

Data filters can be created with KQL syntax or by clicking on elements in the dashboard, as demonstrated in the examples below.

link_license: 0000-00012345 and @timestamp >= 90: Events related to license 0000-00012345 that are 90 days old or more.

For users looking to enhance their proficiency in navigating dashboards and utilizing filters, we offer a comprehensive online tutorial. This tutorial is designed to provide step-by-step guidance on maximizing the effectiveness of dashboards, along with insights into leveraging filters for refined data analysis.

UTM Configuration Profiles

Management

Configuration profiles enable administrators or MSSPs to efficiently configure and manage various aspects of AXS Guard UTM systems through centralized and automated configuration.

They provide a standardized approach for controlling settings, encompassing firewall rules, GeoIP filters, DNS filters, and web filters.

1. Navigate to the Management page.

2. Click on the Add button.

   

3. Enter an appropriate profile name and description, then press the Submit button.

   

Assignment

Profiles must be assigned to UTM appliances, which are identified by their license number, in order to allow the AXS Guard Cloud to push configuration settings in bulk. To use the Push AXS Guard Cloud config functionality, ensure that the selected appliances are running AXS Guard software version 11.0.15 or higher.

1. Navigate to the Assignment page.

2. Select the relevant UTM licenses and click on Update Profile.

   

3. Choose the desired profile(s) for assignment.

4. Complete the assignment process by adding the selected profile(s).

   

Firewall

Via the firewall rule pages, authorized users can configure AXS Guard firewall rules for deployment to large-scale installations. For a detailed explanation of AXS Guard firewall rules, please refer to the AXS Guard firewall documentation.

Towards Rules

Towards rules pertain to network traffic destined for a process running on the AXS Guard appliance, such as OpenVPN or SSTP client traffic.

1. Navigate to Towards Rules and click on the Add button in the top right corner.

2. Enter the requested information and make sure to assign the new rule to the correct configuration profile.

3. Click on the Submit button.

   

Important - AXS Guard Configuration Required

In the AXS Guard user interface, rules configured via the AXS Guard Cloud will be shown with a cm-e (central management) prefix, e.g., cm-e-rulename.

For rules to take effect, they must be assigned to a policy by a system administrator. Refer to the AXS Guard firewall documentation for additional information and configuration steps.

Through Rules

Through rules apply to network traffic passing through the AXS Guard appliance from one firewall zone to another, for example, from a client in the Secure LAN to a server in the DMZ or on the Internet.

To configure new rules, navigate to through rules and follow the same steps as explained in the towards rules section.

Important - AXS Guard Configuration Required

In the AXS Guard user interface, rules configured via the AXS Guard Cloud will be shown with a cm-e (central management) prefix, e.g., cm-e-rulename.

For rules to take effect, they must be assigned to a policy by a system administrator. Refer to the AXS Guard firewall documentation for additional information and configuration steps.

DNS Security

This page allows authorized users to configure various API settings and options for the SecureDNS agent in large-scale deployments. Settings are applied on three levels: global, company, and device.

graph LR
  A[Global Settings] -->|inherit| B[Company Settings] -->|inherit| C[Device Settings];
  B -->|override| A;
  C -->|override| B;

Global settings can be configured via DNS Security > Agents. To configure company-level and device-level settings, click on the appropriate end user.

Getting Help

Context-sensitive help is available for each option by clicking the i icon.

• Global Settings: Apply to all companies or organizations under your management and are enforced on all SecureDNS agents within these organizations.
• Company Settings: Apply to a single company or organization and are enforced on all SecureDNS agents within that organization. Can be used to override global settings.

• Device Settings: Apply to a specific device within a company, with the configuration enforced on that specific device. Can be used to override company settings.

  

GeoIP Filtering

GeoIP filtering or geo-blocking, a technology that can block network traffic to and from entire countries, can be an effective way to stop hackers from attacking your organization. As its name suggests, it blocks network connections based on geographic location – information it gets based on IP addresses.

Through the Country Groups page, authorized users can configure GeoIP filters, for deployment to large-scale AXS Guard installations.

Please note that the AXS Guard Cloud configuration always takes precedence over configurations that were made directly on an AXS Guard appliance. Using the Cloud configuration means that local GeoIP configurations may be overwritten.

1. Navigate to Country Groups to add a new filter.
2. Configure the appropriate settings, select the desired countries and make sure to assign the new filter to the correct configuration profile.
3. Click on the Submit button.

Web and DNS Filters

Through the URL Lists page, authorized users can configure web and DNS filters for deployment to large-scale AXS Guard installations. These filters control access to specific URLs and websites.

1. Navigate to URL Lists to add a new filter.
2. Configure the appropriate settings and make sure to assign the new filter to the correct configuration profile.
3. Click on the Submit button.

Important - AXS Guard Configuration Required

In the AXS Guard user interface, filters configured via the AXS Guard Cloud will be shown with a cm-e (central management) prefix, e.g., cm-e-filtername.

For web and DNS filters to take effect, they must be assigned to an AXS Guard proxy ACL or domain filter (DNS) by a system administrator. See the AXS Guard Web Access and DNS Security documentation for further information and configuration steps.

Alert Forwarding

Overview

Alert forwarding enables administrators and Managed Security Service Providers (MSSPs) to receive alerts via email, providing a straightforward method for standard monitoring purposes.

Administrators can access an overview of all available alert forwardings under Alerts > Forwarding. There, administrators will find:

Field	Description
Name	The name of the forwarding rule.
Description	A short explanation of what the rule does.
Severity Range	The range of alert severity levels this rule applies to.
Event Classes	The type of events this rule will forward alerts for.
Enabled	Whether the rule is currently active.

Points of attention

• Quick Updates: The overview screen allows administrators to quickly enable or disable rules using the checkboxes next to each entry. The changes are saved automatically.
• Group-Level Configuration: It's important to note that alert forwarding rules are configured at the group level. This means they apply to all users within a specific group. Each rule is independent, meaning changes to one rule won't affect others.
• Duplicate emails: If a user belongs to multiple groups with overlapping forwarding rules, they might receive the same alert twice.

Adding New Rules

The standard toolbar at the top of the screen includes an Add button for creating new forwarding rules. Clicking this button will take you to a dedicated screen for setting up a new rule.

Field	Description
Enabled	Specifies whether alert forwarding is enabled or disabled. Emails will never be sent when a rule is disabled. Rules are enabled by default.
Name	The designation for the alert forwarding. This field is used solely within the AXS Guard Cloud to facilitate easy recognition of the configured alert forwardings. It must not be left empty.
Description	Similar to the name, but it can remain empty.
Min and Max severity	Sets the minimum and maximum severity levels for the alerts that the user wishes to receive. By default, they are set to 0 and 100, respectively, which encompasses all alerts. Both limits are inclusive, ensuring that the severity range covers the entire spectrum.
Security and Operational	All alerts are classified as either security or operational alerts. The checkboxes allow administrators to specify which class of alerts they would like to receive. Both classes are checked by default.
Template subject and body	Allows administrators to create templates for the email subject and body when alerts are forwarded. Emails can be customized by inserting alert details within curly braces like this: {{alert.reason}}. These placeholders will automatically be replaced with the corresponding information. The system provides default templates in both HTML and JSON formats, which can be modified to fit your specific needs.
Email addresses	A list builder for entering email addresses. If an alert matches the rule, an email will be sent to each address using the specified templates.
End-users	Lastly, administrators can specify which group of end-users should receive alerts.

Two timestamps will be added when an alert is created: created at and updated at.

Tips

• Edit, duplicate, or delete rules directly from the overview page.
• Sort by name or description for easier organization.
• Bulk update and advanced filters are not yet available.
• The table headers allow sorting by name or description.

Template Customization

The AXS Guard Cloud uses Jinja2 to process email templates, but some limitations apply.

Allthough Jinja2 offers powerful features, some are restricted for security reasons. Firstly, statements like {% for loop %}) are not allowed, while comments {# this is a comment #} are permitted. The following expressions are allowed: {{ variable }}. System administrators can use any available alert variable to configure email templates. The use of Jinja2 operators, for example, to divide severity by 10, is not permitted.

Viewing Alerts

All alerts contain the same fields with a consistent naming convention. They can be viewed by expanding an alert via Dashboards > Alerts.

Cloud Access Management

Introduction

Through the Cloud Access Management page, authorized users can manage AXS Guard Cloud user accounts, and grant or revoke access to specific parts of the system as needed.

User Management

There are three roles: Admin, Sales, and Technical. Each role has specific access privileges. Users can be assigned one or more roles and are required to sign in with an email address linked to Google or Microsoft. Depending on the role, certain components on detail pages may either become visible or remain hidden.

Role	Access
Sales	View contract-related information and sales data. Also has access to the download center.
Technical	Access to license-related information and basic technical actions. Also has access to the download center.
Admin	Broad administrative capabilities; has access to additional buttons based on other roles. Also has access to Cloud Access Management and the download center.

Navigate to Users to add, modify or remove a user account.

User Preferences

By clicking on the username in the top right corner and selecting preferences, users can customize their personal AXS Guard Cloud settings, such as homepage preferences and the session timeout.

Download Center

The download center provides a centralized and organized location for users to securely download software, such as the SecureDNS agent.

Support

If you encounter a problem

If you encounter any issues with the AXS Guard Cloud, don't hesitate to reach out to our technical support department.

Contact Information

(+32) 15-504-400
support@axsguard.com