EventTracker Integration Guide

This document describes how to configure a WatchGuard Firebox™ or WatchGuard XTM™ to send log data to EventTracker Manager™ and monitor events using EventTracker Enterprise™. 

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • WatchGuard Firebox or XTM with Fireware v11.11.x installed
  • EventTracker Enterprise v8.1

Configuration

To complete this integration, you must first deploy EventTracker Enterprise. In our integration tests, we installed EventTracker Enterprise on a virtual appliance.

To set up EventTracker Enterprise, see the EventTracker Enterprise Installation Guide.

Configure the Firebox to Send Syslog Messages

  1. Select System > Logging.
  2. In the Syslog Server section, select the Send log messages to the syslog server at this IP address check box.
  3. In the IP Address text box, type the IP address for the syslog server.
  4. In the Port text box, the default syslog server port (514) appears.
  5. From the Log Format drop-down list, select Syslog.

  1. Click Save.
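Before moving on to EventTracker, it is worth confirming that the Firebox's messages actually arrive at the IP address and port configured above. The following Python script is an added check, not part of this guide or of EventTracker: it listens on a UDP port, decodes the syslog PRI header of each datagram and prints the sender, facility and severity. It assumes the Firebox's Syslog log format produces RFC 3164 style datagrams ("<PRI>Mon dd hh:mm:ss host message") over UDP; the port is a parameter so the check can be run unprivileged on a port such as 5514 if 514 is not available.

```python
"""Minimal UDP syslog receiver for verifying that Firebox messages reach the collector.

Added example (assumption: RFC 3164 style "<PRI>..." datagrams over UDP, which is what
the Firebox's "Syslog" log format is expected to send). Not EventTracker's own code.
"""
import re
import socket
import sys

# Standard syslog facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(datagram: str):
    """Split off the PRI header.

    Returns (facility, severity, message), or None when the header is missing or out of
    range, which means the sender is not emitting plain syslog format.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI value
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], datagram[m.end():]


def collect(bind_addr: str, port: int, count: int, timeout: float):
    """Receive up to `count` datagrams and return (sender_ip, decoded) tuples.

    `decoded` is None for datagrams without a valid PRI header, so a misconfigured
    sender still shows up in the output instead of being silently dropped.
    """
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        sock.settimeout(timeout)
        while len(results) < count:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break  # nothing arrived: check the Firebox's syslog server IP/port and routing
            results.append((src, decode_pri(data.decode("utf-8", "replace"))))
    return results


if __name__ == "__main__":
    # Port 514 needs root/administrator rights; pass another port (e.g. 5514) to test unprivileged.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    for src, decoded in collect("0.0.0.0", port, count=5, timeout=30.0):
        if decoded is None:
            print(f"{src}: datagram without a valid <PRI> header (not syslog format?)")
        else:
            facility, severity, message = decoded
            print(f"{src} [{facility}.{severity}] {message}")
```

Run it on the host that will receive the logs, then generate some traffic through a policy that has logging enabled; if nothing is printed within the timeout, the Firebox's syslog server address, the port, or a firewall rule on the collector host is the usual cause.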

Configure Logging for a Policy

To see information about a policy in your log files, you must enable logging for that policy.

  1. Select Firewall > Firewall Policies.
  2. Add a policy, or double-click an existing policy.
  3. On the Policy Configuration page, select the Properties tab.
  4. In the Logging section, select Send a log message.
  5. Click Save.

EventTracker Knowledge Pack (KP)

After EventTracker receives log messages, you can configure categories, alerts, reports, and dashboards.

Three Knowledge Packs are available in EventTracker v8.1 that support WatchGuard event monitoring.

Category Knowledge Pack

These category-based reports contain information about WatchGuard events:

  • WatchGuard XTM: Authentication failure
  • WatchGuard XTM: Authentication success
  • WatchGuard XTM: Configuration changed
  • WatchGuard XTM: DHCP activity
  • WatchGuard XTM: Firewall allowed traffic
  • WatchGuard XTM: Firewall denied traffic
  • WatchGuard XTM: Interface status
  • WatchGuard XTM: IPS attack detected
  • WatchGuard XTM: PPOE session details
  • WatchGuard XTM: Proxy policy allowed traffic
  • WatchGuard XTM: Proxy policy denied traffic
  • WatchGuard XTM: Security services error
  • WatchGuard XTM: VPN session details

Alerts Knowledge Pack

These alerts are generated when a specific WatchGuard event occurs:

  • WatchGuard XTM: Authentication failure 
  • WatchGuard XTM: Configuration changed
  • WatchGuard XTM: IPS attack detected
  • WatchGuard XTM: Security services error

Reports Knowledge Pack

These reports contain information about WatchGuard events:

  • WatchGuard XTM Proxy Policy Traffic Details
  • WatchGuard XTM Firewall User Logon Details
  • WatchGuard XTM Configuration Change Details
  • WatchGuard XTM Firewall Attack Details
  • WatchGuard XTM Firewall Authentication Failure
  • WatchGuard XTM Firewall Authentication Success
  • WatchGuard XTM Firewall Traffic Details

Import Knowledge Packs into EventTracker

  1. Launch the EventTracker Control Panel.
  2. Double-click Export Import Utility, and then select the Import tab.
  3. Import categories, alerts, and reports, as well as token templates and knowledge objects, as described in the following sections.

Import Categories

  1. Select Category and click .
  2. Find the All WatchGuard group categories.iscat file. The default file directory is C:\Program Files (x86)\Prism Microsystems\EventTracker\Configuration Files. Click Open.
  3. To import categories, click Import.
     A confirmation dialog box appears if the import succeeds.
  4. Click OK, and then click Close.

Import Alerts

  1. Select Alerts and click .
  2. Find the All WatchGuard group alerts.isalt file, and then click Open.
  3. To import alerts, click Import.
     A confirmation dialog box appears if the import succeeds.
  4. Click OK, and then click Close.

Import Reports

  1. Select Reports and click .
  2. Find the All Watchguard group reports.issch file, and then click Open.
  3. To import reports, click Import.
     A confirmation dialog box appears if the import succeeds.

Import Token Template

  1. Log on to EventTracker Enterprise.
  2. Click Admin, and then click Parsing rule.
  3. Select Template, and then click .
  4. Click Browse.
  5. Find the WatchGuard XTM token template.ettd file, and then click Open.
  6. Select the check box, and then click .
     If the import succeeds, the message “Template(s) imported successfully” appears.
  7. Click OK.

Import Knowledge Object

  1. Log on to EventTracker Enterprise.
  2. Click Admin, and then click Knowledge Objects.
  3. Click .
  4. In the Import section, click Browse.
  5. Find the WatchGuard KO.etko file, and then click Upload.
  6. Select the check box, and then click Merge.
     If the import succeeds, the message “File imported successfully” appears.
  7. Click OK.

Verify that Knowledge Packs Imported Successfully

To verify that the Categories Knowledge Packs imported successfully:

  1. Log on to EventTracker Enterprise.
  2. Select Admin, and then select Categories.
  3. From the Category tree, expand the WatchGuard XTM group folder.

To verify that the Alerts Knowledge Packs imported successfully:

  1. Log on to EventTracker Enterprise.
  2. Select Admin, and then select Alerts.
  3. In the search box, type WatchGuard, and then click Search.
     The Alert Management page displays all the imported alerts.
  4. To activate the imported alerts, select the associated check boxes in the Active column, and then click Activate Now.
     A confirmation dialog box appears if the import succeeds.
  5. Click OK.

To verify that the Reports Knowledge Packs imported successfully:

  1. Log on to EventTracker Enterprise.
  2. Select Reports, and then select Configuration.
  3. Select the Defined report type.
  4. From the Report Groups section, scroll down and click the WatchGuard group folder.
    Scheduled reports are displayed in the Reports Configuration section.

To verify that the Token Templates imported successfully:

  1. Select Admin, and then select Parsing Rule.
  2. Select Template.
  3. Scroll down to find the imported WatchGuard token templates.

Verify Knowledge Object

  1. Select Admin, and then select Knowledge Objects.
  2. From the Objects section, scroll down and select WatchGuard.
    Details about the imported WatchGuard object appear.

Test the Integration

To view log data from EventTracker:

  1. Log on to EventTracker Enterprise.
  2. Click the Search menu.
  3. Scroll down and select WatchGuard XTM.
  4. Double-click the specified WatchGuard XTM category to view the log data.

To view reports from EventTracker:

  1. Log on to EventTracker Enterprise.
  2. Select Reports, and then select Configuration.
  3. Select the Defined report type.
  4. From the Report Groups section, scroll down and click the WatchGuard group folder.
  5. Look for the scheduled reports in the Reports section.

Some reports and sample log data are shown in the following sections.

WatchGuard XTM Firewall – Authentication Failure

Report

Sample Log Data
Jun 19 09:17:14 192.168.90.9 Jun 19 09:18:19 CADM-XTM-520 (2015-06-19T13:18:19) authentication-management [2021]: Authentication of firewall user [user1@RADIUS] failed. RADIUS authentication method MSCHAP_V1 is not supported.

WatchGuard XTM Firewall – Attack Details

Report

Sample Log Data
Jun 19 11:19:11 192.168.90.9 Jun 19 11:20:17 Nyt-XTM-520 (2015-06-19T15:20:17) packet filter-firewall [2127]: IPSEC flood attack against 32.27.56.78 from 127.34.243.67 detected.
Feb 08 09:33:52 172.17.1.6 Feb 8 09:33:51 Crows-2-810 80B502F5EBE2E Crows-810-Cluster (2016-02-08T14:33:51) firewall: msg_id="3000-0150" Deny tun0 1-Trusted 820 tcp 20 62 192.168.16.79 172.16.14.34 51870 445 offset 5 A 2325226339 win 8003 signature_name="SMB Microsoft DLL Planting Remote Code Exectution Vulnerability" signature_cat="Misc" signature_id="1130527" severity="4" msg="IPS detected" src_user="Leo@Production" (Allow SSLVPN-Users-00)

WatchGuard XTM Firewall – Configuration Change Details

Report

Sample Log Data
Nov 06 11:19:11 192.168.90.9 Jun 19 11:20:17 CADM-XTM-520 (2015-06-19T15:20:17) configd[758]: msg_id="0101-0001" admin deleted Blocked_Sites Exceptions
Jun 19 11:19:11 192.168.90.9 Jun 19 11:20:17 CADM-XTM-520 (2015-06-19T15:20:17) configuration-management[2127]: admin deleted Blocked Sites Exceptions

WatchGuard XTM Firewall – Logon Details

Report

Sample Log Data
Jun 19 09:17:14 192.168.90.9 Jun 19 09:18:19 CADM-XTM-520 (2015-06-19T13:18:19) accounting-management [2021]: Management user admin from 10.0.1.2 log in attempt was rejected.

WatchGuard XTM Firewall – Traffic Details

Report

Sample Log Data
Jun 19 11:19:35 192.168.90.9 Jun 19 11:20:41 Nrty-XTM-520 (2015-06-19T15:20:41) firewall: Allow 1-Trusted 6-External main 60 tcp 20 63 192.168.90.20 208.70.74.8 59109 443 offset 10 S 2730632788 win 61690 (HTTPS-00)
Jun 19 11:19:33 192.168.90.9 Jun 19 11:20:39 NFMC-XTM-520 (2015-06-19T15:20:39) dns-proxy[2128]: Allow 1-Trusted 6-External main udp 192.168.90.4 205.171.3.26 51235 53 msg="DNS Request" proxy_act="DNS-Outgoing.4" query_type="PTR" question="25.66.17.96.in-addr.arpa" (DNS-proxy-00)
Jun 19 11:19:22 192.168.90.9 Jun 19 11:20:28 CADM-XTM-520 (2015-06-19T15:20:28) Allow Firebox 0-External 52 tcp 20 127 10.0.1.2 125.156.60.25 62443 80 offset 8 S 832026162 win 8192 (HTTP-00)