McAfee Enterprise Security Manager Integration Guide

The McAfee® security information and event management (SIEM) solution brings event, threat, and risk data together to provide security intelligence, incident response, log management, and compliance reports. McAfee Enterprise Security Manager, at the core of McAfee's SIEM solution, delivers actionable intelligence and the real-time situational awareness required to identify, understand, and respond to threats, while the embedded compliance framework simplifies compliance.

McAfee Event Receiver is an add-on to Enterprise Security Manager. You can use it to collect log data from WatchGuard Fireboxes and provide the data to Enterprise Security Manager.

This document describes the steps to integrate McAfee Enterprise Security Manager and McAfee Event Receiver with your WatchGuard Firebox to enable log analysis on the SIEM system.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware version 12.4.1
  • McAfee Enterprise Security Manager V 11.2.0 (Web Login)
  • McAfee Event Receiver V 11.2.0

Test Topology

This diagram shows the test topology for this integration. You can use either a Trusted or Optional interface.

   Diagram of the test topology

Set Up the Firebox

  1. Log in to Fireware Web UI (https://<your firebox IP address>:8080).
  2. Select System > Logging > Syslog Server.
  3. Select the Send log messages to these syslog servers check box.
  4. To add a new syslog server, click Add.
    The Syslog Server settings appear.
  5. In the IP Address text box, type the IP address of the computer that McAfee Event Receiver is installed on.
  6. In the Port text box, type the port configured on McAfee Event Receiver to receive syslog data. The default setting is port 514.
  7. From the Log Format drop-down list, select Syslog.

Screen shot of the configured syslog server settings

  1. Keep other settings at default values.
  2. Click OK.
    The new server appears in the Syslog Server tab.

Screen shot of the added syslog server

  1. Click Save.

Set Up McAfee Enterprise Security Manager and Event Receiver

  1. Log in to the McAfee Enterprise Security Manager Web UI. In our example, we log in with the default username NGCP and the default password security.4u.
  2. Configure other initialization settings required before you can add an Event Receiver.
    For more information, see the McAfee Enterprise Security Manager documentation.
  3. Click to expand the left navigation bar.

Screen shot of McAfee ESM System Settings

  1. At the bottom left, click More Settings.

Screen shot of the Configuration tab

  1. To add a McAfee Event Receiver, click .
    The Add Device Wizard launches.
  2. From the list of device types, select McAfee Event Receiver.

Screen shot of the step: Select the type of device you want to install

  1. Click Next.
  2. Type a Device Name for this Event Receiver.

Screen shot of the step: Enter a name that will be used to identify this device

  1. Click Next.
  2. In the Target IP Address or URL text box, type the IP address of the computer where McAfee Event Receiver is installed.

Screen shot of the step: Enter the Target IP and Port to use for communication

  1. Click Next.
  2. Type and confirm a password for your device. The password you type here is used as the root password for the device you add.

Screen shot of the step: Provide a new password for your device.

  1. Click Next.
    The success page appears.

Screen shot of the success dialog box.

  1. Click Finish.

Screen shot of the Configuration tab with the Event Receiver added.

  1. Select the event receiver you added. In this example, it is Event Receiver For WatchGuard.
  2. To add a data source, click .
    The Add Data Source page appears.

Screen shot of the Add Data Source page with the settings configured

  1. From the Data Source Vendor drop-down list, select WatchGuard Technologies.
  2. From the Data Format drop-down list, select Default.
  3. From the Data Retrieval drop-down list, select SYSLOG (Default).
  4. In the Name text box, type a name for this data source.
  5. In the IP Address text box, type the data source IP address. This is the IP address of the Firebox interface that sends the syslog messages.
  6. From the Support Generic Syslogs drop-down list, select Parse as generic syslog.
  7. From the Generic Rule Assignment drop-down list, select User Defined 1.
  8. From the Time Zone drop-down list, select the time zone of the Firebox.
  9. Keep other settings at default values.
  10. Click Interface.
    The Network Interface Settings page appears.

Screen shot of the Network Interface Settings

  1. On the Network Interface Settings page, in the Interfaces list, set interface 2 to Management, and click Setup.
    The Interface 2 Properties appear.
  2. In the IPv4 text box, type the IP address of the McAfee Event Receiver interface used to receive syslog messages.
  3. In the Netmask text box, type the netmask for the interface IP address.
  4. Click OK to finish the interface settings.
  5. Click OK to add the Data Source.
    The Firebox is added to the Physical Display section. The Rollout window appears.
  6. In the Rollout settings, select WatchGuard Firebox.

Screen shot of the Rollout page

  1. Click OK to finish rollout for this Data Source.

Test the Integration

To verify your integration was successful, browse to a website through the WatchGuard Firebox. Then verify that the Firebox sent log data to McAfee Enterprise Security Manager.

To see the data:

  1. Click Physical Display, select the data source WatchGuard Firebox, and click Apply.

Screen shot of McAfee ESM

  1. Verify that the expected log-related information appears.

Screen shot of the log related information
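If the log-related information does not appear, it helps to confirm that the Firebox is actually emitting well-formed syslog on port 514 (the Syslog log format configured in Set Up the Firebox) before troubleshooting the ESM side. The following receiver and parser is an added example written for this guide, not WatchGuard or McAfee code; the sample log line, hostname and key=value fields are constructed to match the general BSD (RFC 3164) syslog shape, not captured from a Firebox. Run it on the Event Receiver host while the Event Receiver is stopped, or on a spare host temporarily added as a syslog server on the Firebox.

```python
"""Minimal UDP syslog receiver and parser for checking Firebox log delivery."""
import re
import socket

# BSD-style (RFC 3164) header: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<msg>.*)$')
# key="quoted value" or key=value pairs inside the message body
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

def parse_syslog(line):
    """Return facility, severity, timestamp, host and key=value fields of a
    syslog line, or None if the line is not a well-formed RFC 3164 message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group('pri'))
    if pri > 191:  # PRI = facility (0-23) * 8 + severity (0-7)
        return None
    fields = {}
    for k1, v1, k2, v2 in KV_RE.findall(m.group('msg')):
        fields[k1 or k2] = v1 if k1 else v2
    return {'facility': pri // 8, 'severity': pri % 8,
            'timestamp': m.group('ts'), 'host': m.group('host'),
            'message': m.group('msg'), 'fields': fields}

def receive_one(bind_addr='0.0.0.0', port=514, expected_source=None, timeout=30.0):
    """Wait for one UDP syslog datagram and parse it. If expected_source is set,
    datagrams from other senders are ignored, so a stray message from another
    device is not mistaken for the Firebox. Binding port 514 needs privileges."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        while True:
            data, (src, _) = s.recvfrom(8192)
            if expected_source and src != expected_source:
                continue
            return src, parse_syslog(data.decode('utf-8', 'replace'))

# Constructed sample line (shape only; not a verbatim Firebox log message)
SAMPLE = ('<134>Jun 19 14:05:22 Firebox http-proxy[1234]: msg_id="1AFF-0024" '
          'Allow 1-Trusted 0-External tcp 10.0.1.50 93.184.216.34 51234 443 '
          'src_user="alice" dstname="example.com"')

if __name__ == '__main__':
    print(parse_syslog(SAMPLE))
```

A result of None from receive_one means a datagram arrived but is not parseable as RFC 3164; a socket timeout means nothing reached the port, which points at the Firebox syslog settings or a firewall policy rather than at ESM.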