NetIQ Sentinel Enterprise Integration Guide

This document describes how to configure a WatchGuard Firebox or WatchGuard XTM to send log data to Sentinel® Enterprise and monitor events with Sentinel Enterprise.

Test Topology

This diagram shows the test topology for this integration.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox device installed with Fireware version 11.12.4
  • NetIQ Sentinel Enterprise version 8.0.0.0
  • Sentinel Plugin of WatchGuard Firewall version 2011.1r1
  • Java 8

Configuration

To complete this integration, you must have:

  • WatchGuard Firebox
  • NetIQ Sentinel™ Enterprise
  • Sentinel Plugin of WatchGuard Firewalls

Configure NetIQ Sentinel Enterprise

To configure NetIQ Sentinel Enterprise:

  1. Log in to the Sentinel Web Console interface (https://<IP_Address/DNS_Sentinel_server:8443>).
  2. Select Collection > Event Source Servers.
  3. Confirm that Syslog Servers are on, that the Syslog Server UDP port is available, and that the port number is 1514 (the default setting).
  4. Select Collection > Advanced.
  5. Click Launch Control Center.
    The Sentinel Control Center appears.
  6. Select Event Source Management > Live View.
    The Event Source Management Center appears.
  7. Select Tools > Import plug-in.
    The Import Plug-in Wizard appears.
  8. Click Next to complete the plug-in import. The WatchGuard Firewalls plug-in is listed in the Collectors tab and in the Event Source Palette.

Configure Firebox to Send Syslog Messages to Sentinel Server

  1. Log in to the Firebox Web UI at https://<IP address of Firebox>:8080.
  2. Select System > Logging.
  3. Select the Syslog Server tab.
  4. Select the Send log messages to the syslog server at this IP address check box.
  5. In the IP Address text box, type the Sentinel Enterprise IP address. In our example, that IP address is 10.0.1.80.
  6. In the Port text box, type the port configured in Sentinel to receive syslog messages (1514 by default).
  7. From the Log Format drop-down list, select Syslog.
  8. The other settings are optional. In this example we enabled the time stamp and the serial number of the device.
  9. Click Save.
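Before you point the Firebox at Sentinel, it is worth confirming that a UDP datagram actually reaches the Sentinel syslog receiver on port 1514 (a host firewall or a disabled Syslog Server in Sentinel will otherwise show up only as an empty Raw Data Tap later). The script below is an added example, not part of this guide and not WatchGuard or NetIQ code: it builds an RFC 3164-style syslog line, sends it to the Sentinel address used in this example (10.0.1.80:1514), and includes a loopback self-test so the sender can be checked without Sentinel. The hostname, application tag and message text are constructed placeholders, not the real Firebox log format.

```python
import socket
from datetime import datetime

SENTINEL_HOST = "10.0.1.80"   # Sentinel Enterprise address used in this guide's example
SENTINEL_PORT = 1514          # Sentinel default Syslog Server UDP port

# Syslog PRI = facility * 8 + severity (RFC 3164); facility 1 = user, severity 6 = info
FACILITY_USER = 1
SEVERITY_INFO = 6


def syslog_pri(facility, severity):
    """Return the PRI value that syslog puts in the leading <N> field."""
    return facility * 8 + severity


def build_syslog_message(hostname, app, text, facility=FACILITY_USER,
                         severity=SEVERITY_INFO, timestamp=None):
    """Build one RFC 3164-style line: <PRI>Mmm dd hh:mm:ss HOSTNAME APP: TEXT.

    This is a constructed test record, not the format a Firebox emits.
    """
    ts = (timestamp or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {app}: {text}"


def send_test_message(message, host=SENTINEL_HOST, port=SENTINEL_PORT):
    """Send the line as a single UDP datagram; returns bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def loopback_roundtrip(message):
    """Self-test: receive our own datagram on 127.0.0.1 to verify the sender path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))        # ephemeral port, no Sentinel needed
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        send_test_message(message, "127.0.0.1", port)
        data, _ = rx.recvfrom(4096)
    return data.decode("utf-8")


if __name__ == "__main__":
    msg = build_syslog_message("firebox-test", "wg-integration",
                               "sentinel-syslog-reachability-check")
    print("loopback ok:", loopback_roundtrip(msg) == msg)
    # Uncomment on a host that can reach Sentinel, then look for the line in Raw Data Tap:
    # print("bytes sent:", send_test_message(msg))
```

Run the loopback first on any machine; then run the real send from a host on the same path the Firebox will use, and check that the line appears in Raw Data Tap in the Event Source Management Center (see Test the Integration). If it does not, the problem is the network path or the Sentinel Syslog Server setting, not the Firebox configuration.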

Configure Java 8

You must install Java 8 for the Sentinel Web Console interface.

Test the Integration

  1. Log in to the Sentinel Web Console interface (https://<IP_Address/DNS_Sentinel_server:8443>).
  2. Select Collection > Overview to display events.
  3. Select Event Sources.
  4. Select the Advanced tab.
  5. Click Launch Control Center.
  6. Select Event Source Management > Live View.
    The Event Source Management Center appears.
  7. Select the Table tab.
  8. Select Sentinel > Sentinel Server > Syslog Connector.
  9. Right-click WatchGuard-XTM:Syslog:Map OutPut (universal) and select Open Raw Data Tap.
    Raw Data Tap displays the syslog details.
  10. In the Sentinel Web Console, select Real-time Views > Events From Devices.
    The event view summary appears.
  11. Click a summary in a time range.
  12. Click the sector diagram for details.