Watchguard Firebox
  • 16 Nov 2022
  • 3 Minutes to read
  • Dark
    Light

Watchguard Firebox

  • Dark
    Light

Watchguard Firebox

About Watchguard Firebox:

WatchGuard's Firebox is a unified security platform that covers traditional traffic, protecting an environment from intrusions, phishing attempts, malware, ransomware, and more. Both the hardware and virtual Firebox appliances are feature rich, allowing the appliance to run features such as stateful firewall, IPS, application control, web blocker, VPN, and more. This technology pack will process Firebox event log messages, providing normalization and enrichment of common events of interest.

Requirement(s):

  • Watchguard Firebox running Fireware 12.x
  • Graylog Server with a valid Enterprise license, running Graylog version 4.2.5, 4.3.0, or later.
  • Watchguard Firebox configured to send logs to Graylog via syslog

Stream Configuration:

This technology pack includes one stream:

  • "Illuminate:WatchGuard Device Messages”
About Illuminate Streams

If this stream does not exist prior to the activation of this pack, then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration:

This technology pack includes one index set definition:

  • “WatchGuard Device Logs”
About Illuminate Index Set Definitions

If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with default retention settings of a daily rotation and 90 days of retention, with 4 shards per index. It is strongly recommended to review and adjust these settings to best suit your environment.

Log Format Example:

DEV01 0011223344556 (2022-09-01T13:58:33) firewall: msg_id="3000-0148" Allow External Inside 44 tcp 20 238 10.11.12.13 192.168.1.10 58325 60951 offset 6 S 3172487743 win 4  geo_src="USA"  geo_dst="USA"  (Inbound Policy-00)

What is Provided:

  • Rules to normalize and enrich event log messages
  • A Spotlight content pack
    • Dashboard
    • Saved search

Log Message Processing

Illuminate will identify Watchguard Firebox event log messages and add the field event_source_product with the value watchguard_firebox.

The Illuminate processing of Watchguard Firebox log messages provides the following:

  • Field extraction, normalization and message enrichment for Watchguard Firebox log messages
  • Graylog Schema compliance

Spotlight Content Pack

The Spotlight content pack contains:

  • Dashboard: Illluminate:WatchGuard Firebox Overview
    • Overview tab: Summary of Firebox device operations

      Watchguard Firebox Overview 1

      Watchguard Firebox Overview 2

      Watchguard Firebox Oveview 3

    • Saved search: Two widgets and a tailored log view
      Saved Search - Watchguard Firebox Log Viewer

Configuring Log Delivery

This process assumes that a local Syslog input has been created on the Graylog server. The port configured for the input must match what's configured on the Firebox side.

Configuration from the Fireware Web UI and Policy Manager

  1. Select System > Logging in the Fireware Web UI or Setup > Logging in Policy Manager
  2. Click the Syslog Server tab
  3. Select the Send log messages to these syslog servers
  4. Click Add
  5. Type the Graylog server IP address in the IP Address text box
  6. In the Port text box, match the port configured on the input side of the Graylog server
  7. Select Syslog from the Log Format drop-down list
  8. Check off the time stamp and serial number of the device boxes so they are included
  9. Select the syslog facility for each type of log message (Local0-7). Alarm should be set to Local0 for high priority.
  10. Click Save

Appendix A: Log Event Catalog

  • The Illuminate Watchguard Firebox content will process the following events:
event_id gim_event_category gim_event_subcategory gim_event_type
1100-0004 authentication authentication.logon logon
1100-0005 authentication authentication.logon logon
1AFF-0005 - - -
1AFF-0018 - - -
1AFF-001A - - -
1AFF-001B - - -
1AFF-0021 - - -
1AFF-0024 - - -
1AFF-0025 - - -
1AFF-0026 - - -
1AFF-002C - - -
1AFF-002E - - -
1AFF-0033 - - -
1AFF-0036 - - -
1AFF-003D - - -
2CFF-0000 - - -
2CFF-0001 - - -
2CFF-0005 - - -
2DFF-0001 - - -
2DFF-0005 - - -
3000-0148 - - -
3000-0149 - - -
3000-0150 - - -
3000-0152 - - -
3000-0153 - - -
3000-0154 - - -
3000-0155 - - -
3000-0156 - - -
3000-0157 - - -
3000-0158 - - -
3000-0159 - - -
3000-0160 - - -
3000-0161 - - -
3000-0162 - - -
3000-0163 - - -
3000-0164 - - -
3000-0165 - - -
3000-0166 - - -
3000-0167 - - -
3000-0168 - - -
3000-0169 - - -
3000-0170 - - -
3000-0171 - - -
3000-0172 - - -
3000-0173 - - -

Was this article helpful?

What's Next