Firewall Monitoring 1.1 Security Use Case Guide


Updated branding only, no change to content

How to install, configure, and use the Antivirus Monitoring security use case version 1.0.

You can download this use case from the ArcSight Marketplace portal under the Classic Packages category:


Security Use Cases
Comment List
  • Looks good. There are a lot of system resources in this package with the ArcSight Core, why include them?

  • You can download the packages from the ArcSight Marketplace portal:



  • Hi,

    Thanks for your document. Where can I download the packages?



  • Hi Dustin,

    I will be following up on your scenario and your feedback is greatly appreciated. I also need to know some details about your configuration so I will send you an offline message to gather more info around your deployment.

    Given the fact that not all environments are the same, it will be very challenging to suggest a definitive solution for fine-tuning your ESM resources, but we can surely give you advice on some options that you may want to try:

    First of all, based on the description of the current condition, the high number of partial matches is mostly related to the Repetitive Firewall Blocks rule, so we will focus on it for now:

    Let's understand the scope of this rule before modifying it to cover your environment specs. The main reason to have this rule is to monitor Inbound and Outbound Traffic and catch possible internal assets attempting connections that violate the Firewall Corporate policy as well as external devices attempting to break into your protected network.

    • The first change that we would recommend is to put outbound traffic aside and focus on inbound traffic to identify how the memory behaves after this change (we can always create a second rule that could be focused on outbound traffic later).

    To perform this step, you need to edit the filter embedded in the rule under the "Conditions" tab, adding a new matches filter condition to include only INBOUND events to the current configuration. This filter exists under the following URI: "/All Filters/ArcSight Foundation/Common/Network Filters/Location Filters/Inbound Events". Add this filter right after the matches filter condition "/All Filters/Downloads/Network Monitoring/Firewall Monitoring/Firewall Connections/Connection Initiations through a Firewall" and before "Category Outcome != Success".

    • The second thing that you may want to try is to lower the Time Frame under the Aggregation Tab from 3 minutes to 1 minute and the number of matches from 10 to 4. Having the default setting of 10 matches reduces the false positives, but you saw that according to the quantity and quality of traffic in your environment these conditions already created a big number of partial matches.

      A combination of 1 and 2 will help you narrow the traffic monitored by these rules even more and leave fewer events to focus on.

    Please send me an email directly with your results (this would be very helpful for us) and I'm going to be glad to help you with further tuning steps, if necessary.


    Javier Inclan

    ArcSight Security Intelligence Solutions Development, Manager
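    As an added illustration of the two tuning steps above (not code from the thread or from ArcSight), the following Python model shows why partial matches accumulate: every event that passes the rule's conditions but has not yet reached the match threshold is held in memory until it ages out of the time frame. The events are constructed inline, aggregation by source address is an assumption, and the model is a simplification of how the ESM rule engine tracks partial matches.

```python
from collections import defaultdict, deque

# Constructed sample of firewall events: (seconds, direction, source, outcome).
# One external host probing inbound (blocked 12 times) plus 20 internal hosts
# each blocked three times outbound, all within 140 seconds.
def build_events():
    events = [(t, "Inbound", "203.0.113.5", "Failure") for t in range(0, 120, 10)]
    for i in range(1, 21):
        for base in (0, 60, 120):
            events.append((base + i, "Outbound", f"10.0.0.{i}", "Failure"))
    events.append((15, "Inbound", "198.51.100.7", "Success"))  # allowed; never matches
    return sorted(events)

def simulate_rule(events, window_sec, min_matches, inbound_only):
    """Simplified model (an assumption, not ESM's engine) of a rule that fires
    when `min_matches` non-Success events from one source arrive within
    `window_sec`. Events that matched the conditions but have not yet reached
    the threshold are the 'partial matches' the Rules Status dashboard counts.
    Returns (rule firings, peak number of partial matches held at one time)."""
    held = defaultdict(deque)   # source address -> timestamps of matched events
    firings = peak = 0
    for ts, direction, source, outcome in events:
        # Age out partial matches that have fallen outside the time frame.
        for q in held.values():
            while q and ts - q[0] > window_sec:
                q.popleft()
        if outcome == "Success":                      # "Category Outcome != Success"
            continue
        if inbound_only and direction != "Inbound":   # the added Inbound Events filter
            continue
        held[source].append(ts)
        if len(held[source]) >= min_matches:
            firings += 1                              # correlation event emitted
            held[source].clear()
        peak = max(peak, sum(len(q) for q in held.values()))
    return firings, peak

if __name__ == "__main__":
    events = build_events()
    print("default 10 in 3 min, both directions:", simulate_rule(events, 180, 10, False))
    print("inbound only, 4 in 1 min:            ", simulate_rule(events, 60, 4, True))
```

With the default settings the 60 outbound blocks never reach 10 matches, so they sit in memory as partial matches for the whole 3-minute frame; restricting the rule to inbound events and shortening the frame lets the same scanner fire the rule while almost no state is retained.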

  • Thanks Dustin. I have forwarded your comment to our content developers, who will respond ASAP.


  • Thank you for this package, we installed it on four of our ESMs and are already using it to find some misconfigured devices and will be using it in our hunting role.

    Unfortunately 2 of our ESMs crashed in the days after the package was installed due to the ESM running out of java memory (Red Zone). The Rules Status dashboard shows that the Repetitive Firewall Blocks rule has over 900,000 partial matches and is using 2092518 bytes of Memory, which is twice as much as every other rule combined! 2nd on the list is the Firewall Pass After Repetitive Blocks rule, which only has 13000 partial matches but is using 166170 bytes of memory, which is by far more than all the other rules except for the Repetitive Firewall Blocks rule.

    Is there any way that I could tune these two rules so that they don't have as many partial matches and use as much memory? I'd really prefer not to have to disable them if I could tune them in some way.