AlienVault USM Integration Guide

This document describes how to configure a WatchGuard Firebox to send log data to AlienVault USM.

Integration Summary

These devices and services were used to test this integration:

  • Firebox with Fireware v11.11.2
  • AlienVault-USM_trial_5.3.0 with a Virtual Appliance


To complete this integration, you must first deploy AlienVault USM. In our integration tests, we used the AlienVault USM with a Virtual Firebox Appliance.

Before You Begin

To set up the AlienVault environment, please refer to the AlienVault Initial Setup Guide. In this document, we describe how to enable the WatchGuard Plugin on AlienVault USM and how it works with the WatchGuard Firebox.

The WatchGuard Plugin is used with the AlienVault USM Sensor to extract and normalize syslog data received from a WatchGuard Firebox. For more information on how to enable the plugin see the AlienVault Plugins Management Guide.

Set Up AlienVault USM

After AlienVault USM is deployed with a virtual appliance and you have completed the initial setup steps, launch a web browser and connect through the web UI at https://<Management IP>.

Add Assets

There are several ways to add assets on AlienVault USM. In this document, we show you how to add an asset manually. To learn more about adding assets, see the AlienVault documentation.

  1. Navigate to Environment > Assets & Groups > Assets.
  2. Click Add Assets, then click Add Host.
    The New Asset window displays.
  3. In the Name text box, type a name to identify the asset. In our example, we name the asset Firebox.
  4. In the IP Address text box, type the IP address of the Firebox. In our example, we type
  5. The other fields are optional. Click Save to save the configuration.

Enable Plugin

  1. Navigate to Environment > Assets & Groups > Assets.
  2. Select the Firebox asset you just added to your AlienVault configuration.
  3. Click .
  4. Select the Plugins tab.
  5. Click Edit Plugins.

  1. From the Vendor drop-down list, select WatchGuard.
  2. From the Model drop-down list, select XTM Series.
  3. (Optional) From the Version drop-down list, select the version of your Firebox.
  4. Click Save.

Set Up Your Firebox to Send Syslog Messages to AlienVault

  1. Connect to your Firebox with Policy Manager or through the Fireware Web UI. In this document, we use Fireware Web UI.
  2. Select System > Logging.
  3. Select the Syslog Server tab.

  1. Select the Send log messages to the syslog server at this IP address check box.
  2. In the IP Address text box, type the AlienVault Management IP address. In our example, that IP address is
  3. In the Port text box, type the port configured on AlienVault to receive syslog sourced messages. The default port is 514.
  4. From the Log Format drop-down list, select Syslog.
  5. Click Save.

Test the Integration

Use these steps to make sure that Firebox syslog messages are correctly sent to AlienVault USM.

  1. In the AlienVault web UI, navigate to Analysis > Security Events (SIEM).
  2. From the Data Sources drop-down list, select Watchguard. Click Go to search for events that were generated through the WatchGuard plugin. The Events list will look something like this:

  1. Double-click an Event to see details.