ArcSight Integration

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420)

Integration with the ArcSight Enterprise Security Management (ESM) system and a Cloud Integration Point (CIP) enables Wi-Fi Cloud to send events to the designated ArcSight server. The ArcSight server is configured to accept messages that contain detailed event information in ArcSight Common Event Format (CEF). Wi-Fi Cloud requires the IP address or the host name and port on which the ArcSight server receives events. You can also send audit log messages from Wi-Fi Cloud to an ArcSight server.

For more information about CIP mode, see Wi-Fi Cloud Integration with Third-Party Controllers using CIP.

To add an ArcSight server:

  1. Open Discover.
  2. Select System > Third-party Servers > ArcSight Integration.

Screenshot of the ArcSight Integration configuration page in Discover

  3. Select the Enable ArcSight Servers check box.
  4. Click Add ArcSight Server.

Screenshot of the Add ArcSight Server page in Discover

  5. Configure these options:
     • ArcSight Server IP Address / Hostname — IP address or host name of the ArcSight server that Wi-Fi Cloud communicates with.
     • Port Number — Port number of the ArcSight server to which data is sent.
     • Cloud Integration Point (CIP) — If you use a Cloud Integration Point on your network, select a primary and secondary CIP-enabled WatchGuard AP that you want to use to communicate with Wi-Fi Cloud.
     • Enabled — Select this check box to enable CEF messages and audit logs generated by Wi-Fi Cloud to be sent to the ArcSight server.
     • Forward Events — Send CEF messages to the ArcSight server.
     • Forward Audit Logs — Send audit log messages to the ArcSight server.
  6. Click Done.

Current Status displays the status of the ArcSight integration service.

  • Running — The service is running.
  • Stopped — The service has stopped.

If the host name of the server cannot be resolved, the status displays an error: "Cannot resolve hostname for one or more destination servers".
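
To check on the receiving side that forwarded events arrive as well-formed CEF, the following added example (not WatchGuard or ArcSight code) parses one received line into the seven CEF header fields and the extension key/value pairs, including escaped pipe and equals characters. The sample message, its syslog prefix and all field values are constructed; this page does not list the fields Wi-Fi Cloud emits.

```python
import re

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")
# An extension key starts the string or follows whitespace, and ends at an unescaped "=".
_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")
# Constructed sample: syslog prefix, vendor/product names and field values are placeholders.
SAMPLE = (r"<134>Jan  1 00:00:00 sender.example CEF:0|ExampleVendor|ExampleProduct|1.0|100|"
          r"Rogue AP \| detected|7|src=192.0.2.10 msg=SSID\=guest seen on channel 6 cs1Label=Location")


def _split_header(body):
    """Return the 7 header fields and the raw extension, honouring escaped pipes/backslashes."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            current.append(body[i + 1])  # keep the escaped character, drop the backslash
            i += 1
        elif body[i] == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(body[i])
        i += 1
    if len(fields) == 6:  # tolerate a header with no trailing pipe and no extension
        fields.append("".join(current))
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, body[i:]


def _unescape(value):
    # Extension escapes: backslash-n / backslash-r are line breaks, any other escaped char is literal.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Parse one received line into a dict of header fields plus an 'extension' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    fields, ext = _split_header(line[start + 4:].rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, fields))
    keys = list(_KEY.finditer(ext))
    event["extension"] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        event["extension"][m.group(1)] = _unescape(ext[m.end():end])
    return event
```

A line that raises ValueError here is not CEF as received, which is worth checking before investigating why events do not appear in the ArcSight console.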