Meraki Firewall Integration with ThreatSync+ NDR
This document describes how to integrate a Cisco Meraki firewall with ThreatSync+ NDR. The firewall forwards its logs, including VPN and DHCP logs, as syslog messages so that ThreatSync+ NDR can monitor data from your firewall.
Firewall Syslog Data Flow to ThreatSync+ NDR
The syslog collector sends logs from your third-party firewall to ThreatSync+ NDR. To install the syslog collector on a computer, you must first install the ThreatSync+ NDR Collection Agent. This diagram shows the data flow of third-party firewall syslogs to ThreatSync+ NDR.
Before You Begin
Before you begin these procedures, make sure that:
- You have a ThreatSync+ NDR or Total NDR license allocated in WatchGuard Cloud.
- You have the required access and permissions on your Meraki firewall to configure syslog forwarding.
- You have access to a Linux server to install the ThreatSync+ NDR Collection Agent.
Configure the ThreatSync+ NDR Collection Agent
Make sure the ThreatSync+ NDR Collection Agent is installed on your Linux computer, and the status of the collection agent is Success. For detailed instructions about the ThreatSync+ NDR Collection Agent installation, go to Configure Collection Agents for ThreatSync+ NDR (Linux Computers).
Make sure the ThreatSync+ NDR Collection Agent is v1.0.0.48. You can find the collection agent version in /opt/collector/conf/VERSION.txt.
The collection agent listens on port 514, which is the default port to receive syslogs.
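The two checks above (agent version and the listener on port 514) can be run as a script on the collector host. This is an added example, not WatchGuard code: the function names are hypothetical, it assumes VERSION.txt contains the version as a dotted four-part number, and it assumes the `ss` utility from iproute2 is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks on the Linux collector host.
VERSION_FILE=/opt/collector/conf/VERSION.txt   # path given on this page
EXPECTED_VERSION=1.0.0.48                      # version given on this page
SYSLOG_PORT=514                                # port given on this page

# agent_version FILE: print the first dotted four-part version found in FILE
# (assumed file format; a leading "v" or other text is ignored).
agent_version() {
    [ -r "$1" ] || return 1
    grep -Eo '[0-9]+(\.[0-9]+){3}' "$1" | head -n 1
}

# version_ok FILE EXPECTED: succeed only on an exact version match.
version_ok() { [ "$(agent_version "$1")" = "$2" ]; }

# reachable_udp_listener PORT: read `ss -H -uln` output on stdin and succeed
# if a UDP socket is bound to PORT on a non-loopback address.
reachable_udp_listener() {
    awk -v port="$1" '
        { for (i = 1; i <= NF; i++)
            if ($i ~ (":" port "$")) {
                # A loopback-only bind cannot receive the firewall traffic.
                if ($i !~ /^127\./ && $i !~ /^\[::1\]/) found = 1
                break    # first match is the local address column
            }
        }
        END { exit (found ? 0 : 1) }'
}

# preflight: run both checks and return non-zero if either fails.
preflight() {
    rc=0
    if version_ok "$VERSION_FILE" "$EXPECTED_VERSION"; then
        echo "OK   collection agent version $EXPECTED_VERSION"
    else
        echo "FAIL agent version: found '$(agent_version "$VERSION_FILE")'"; rc=1
    fi
    if ss -H -uln | reachable_udp_listener "$SYSLOG_PORT"; then
        echo "OK   UDP listener on port $SYSLOG_PORT"
    else
        echo "FAIL no non-loopback UDP listener on port $SYSLOG_PORT"; rc=1
    fi
    return $rc
}

# Run the checks only when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then preflight; fi
```

Save the script under any name and run it with the argument `run`; a non-zero exit status means at least one check failed. Syslog over UDP carries no sender authentication, so limiting inbound 514/udp on this host to the firewall's address keeps other hosts from feeding records to the agent.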
Configure a Meraki Firewall to Forward Syslogs
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with third-party products created by other organizations. The steps to configure syslog forwarding on your device might be different, based on the version of your firewall management software. For the latest syslog forwarding instructions, go to your third-party firewall documentation.
To configure a Meraki firewall to forward syslogs to the ThreatSync+ NDR Collection Agent:
- Log in to your Meraki firewall UI.
- Select Network-Wide > Configure > General.
- Click Add a Syslog Server.
- Click Create New.
- In the Server Address text box, enter the IP address of your ThreatSync+ NDR Collection Agent.
- In the Port text box, type 514.
- From the Protocol drop-down list, select UDP.
- From the Roles drop-down list, select Appliance Event Log, Flows, Security Events, IDS Alerts, and URLs.
To include DHCP and VPN syslog, make sure you select Appliance Event Log from the Roles drop-down list.
- Select Security Appliance > Configure > Firewall and make sure logging is enabled for all firewall rules.
For more information about Meraki firewall remote logging options, go to Syslog Server Overview and Configuration in the Meraki documentation (external link).
Test the Integration
To test the Meraki firewall integration with ThreatSync+ NDR:
- Log in to your WatchGuard Cloud account.
- From the navigation menu, select Configure > ThreatSync+ Integrations > Collection Agents. If you have a Service Provider account, you must select an account from Account Manager.
- Select the ThreatSync+ NDR Collection Agents tab to view the Last Activity column of your collection agent. This column shows the last time the collection agent uploaded records to ThreatSync+ NDR. It might take a few hours for the first upload.
- From the navigation menu, select Monitor > ThreatSync+ to view the Network Summary page.
For more information about ThreatSync+, go to ThreatSync+.