McAfee Enterprise Security Manager Integration Guide

The McAfee® security information and event management (SIEM) solution brings event, threat, and risk data together to provide security intelligence, incident response, log management, and compliance reports. McAfee Enterprise Security Manager, at the core of McAfee's SIEM solution, delivers actionable intelligence and the real-time situational awareness required to identify, understand, and respond to threats, while the embedded compliance framework simplifies compliance.

McAfee Event Receiver is an add-on to Enterprise Security Manager. You can use it to collect log data from WatchGuard Fireboxes and provide the data to Enterprise Security Manager.

This document describes the steps to integrate Enterprise Security Manager and Event Receiver with your Firebox to enable log analysis on the SIEM system.

Platform and Software

The hardware and software used to complete the steps outlined in this document include:

  • Firebox or WatchGuard XTM device installed with Fireware v12.8.1
  • McAfee Enterprise Security Manager v11.5.4 (Web Login)
  • McAfee Event Receiver v11.5.4

Test Topology

This diagram shows the test topology for this integration. You can use either a Trusted or Optional interface.

   Diagram of the test topology

Set Up the Firebox

Use these steps to set up a Firebox with a syslog server.

  1. Log in to Fireware Web UI at:
    https://<your firebox IP address>:8080
  2. Select System > Logging > Syslog Server.
  3. Select the Send Log Messages to These Syslog Servers check box.
  4. To add a new syslog server, click Add.
    The Syslog Server dialog box shows.
  5. In the IP Address text box, type the IP address of the computer where McAfee Event Receiver is installed.
  6. In the Port text box, type the port configured on McAfee Event Receiver to receive syslog data. The default setting is port 514.
  7. From the Log Format drop-down list, select Syslog.
  8. Keep other settings as the default values.

Screen shot of the Firebox_001

  9. Click OK.
    The newly added server shows in the Syslog Server tab in Fireware Web UI.

Screen shot of Firebox_002

  10. Click Save.

Set Up McAfee Enterprise Security Manager and Event Receiver

Use these steps to set up McAfee Enterprise Security Manager, add a McAfee Event Receiver, and add a data source.

  1. Log in to McAfee Enterprise Security Manager Web UI with the default user name NGCP and the default password security.4u.
  2. Configure any other initialization settings that you must set before you can add an Event Receiver.
    In this guide, when the enable FIPS dialog box shows, we select No to remain in non-FIPS mode. For more information, see the McAfee Enterprise Security Manager documentation.
  3. Click the icon to expand the left navigation bar.

Screen shot of McAfee ESM_001

  4. Click More Settings.
    The ESM Administrator App page opens.

Screen shot of the ESM_002

  5. To begin to configure ESM, click Download.exe (Windows).
  6. Run the installer and install the program on your local computer.
  7. Click Launch.
  8. In the pop-up window, click Open McAfee ESM Administrator App.
  9. Select Confirm.
  10. Log in to the McAfee Enterprise Security Manager App with your user name and password.
    The Configuration page opens.

Screen shot of the ESM_003

  11. To add a McAfee Event Receiver, click the Add Device icon.
    The Add Device Wizard opens.
  12. From the Select the Type of Device You Want to Install list, select McAfee Event Receiver.

Screen shot of the ESM_004

  13. Click Next.
  14. In the Device Name text box, type a name.

Screen shot of the step: Enter a name that will be used to identify this device

  15. Click Next.
  16. In the Target IP Address or URL text box, type the IP address of the computer where you installed McAfee Event Receiver.

Screen shot of ESM_006

  17. Click Next.
  18. In the Enter Your New Password and Re-type Your New Password to Confirm text boxes, type and confirm a password for your device. For the added device, this password is the root password.

Screen shot of ESM_007

  19. Click Next.
    The Your Device has Been Successfully Keyed page opens.

Screen shot of the success dialog box.

  20. Click Finish.
    Your device shows on the Configuration page.

Screen shot of the ESM_009

  21. Select the event receiver you added. In this example, the name is Event Receiver For WatchGuard.
  22. To add a data source, click the Add Data Source icon.
    The Add Data Source dialog box opens.
  23. From the Data Source Vendor drop-down list, select WatchGuard Technologies.
  24. From the Data Format drop-down list, select Default.
  25. From the Data Retrieval drop-down list, select SYSLOG (Default).
  26. In the Name text box, type a name for the data source.
  27. In the IP Address text box, type the IP address of the data source. This is the IP address of the Firebox interface that sends the syslog messages.
  28. From the Support Generic Syslogs drop-down list, select Parse as generic syslog.
  29. From the Generic Rule Assignment drop-down list, select User Defined 1.
  30. From the Time Zone drop-down list, select the time zone of the Firebox.
  31. Keep other settings as the default values.

Screen shot of the Network Interface Settings

  32. Click OK.
  33. Select Yes.
    The Firebox is added to the Physical Display section. The Rollout window opens.
  34. From the Device section, select WatchGuard Firebox.

Screen shot of ESM_011

  35. Click OK.

Test the Integration

To verify that your integration was successful, use a web browser to visit a website through the WatchGuard Firebox. Then verify that the Firebox sent log data to McAfee Enterprise Security Manager.

To see the data:

  1. Click the icon to expand the left navigation bar.
  2. Select Investigation Tools > Dashboard.
  3. Verify that the expected log-related information shows.

Screen shot of ESM_012
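If the dashboard stays empty, it helps to confirm on the wire that the Firebox is actually sending syslog to the port configured in the Set Up the Firebox section before looking at the ESM data source settings. The following listener is an added example, not code from WatchGuard or McAfee: it receives UDP datagrams on the Event Receiver port, decodes the syslog PRI header into facility and severity, and tallies whether each datagram came from the expected Firebox IP (10.0.1.1 is an assumed value; the sample log line is constructed, not a real Firebox message). Run it on a spare host pointed at by a temporary syslog server entry, or on a high port, because the Event Receiver itself already owns port 514.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 3164 severity names, indexed by severity value 0..7.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Every syslog datagram starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogRecord:
    source_ip: str
    facility: int
    severity: int
    message: str


def parse_syslog(payload: bytes, source_ip: str) -> Optional[SyslogRecord]:
    """Decode the PRI header of one datagram; return None if it is not syslog."""
    match = PRI_RE.match(payload.decode("utf-8", errors="replace"))
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # largest valid PRI is facility 23, severity 7
        return None
    return SyslogRecord(source_ip, pri >> 3, pri & 7, match.group(2).strip())


def classify(record: Optional[SyslogRecord], firebox_ip: str) -> str:
    """'ok' if the datagram came from the Firebox, 'unexpected' from any other host."""
    if record is None:
        return "malformed"
    return "ok" if record.source_ip == firebox_ip else "unexpected"


def listen(firebox_ip: str, port: int = 514, count: int = 5) -> dict:
    """Receive `count` datagrams on the Event Receiver port and tally their sources."""
    tally = {"ok": 0, "unexpected": 0, "malformed": 0}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))  # binding 514 needs root; use a high port otherwise
        for _ in range(count):
            payload, (addr, _port) = sock.recvfrom(4096)
            record = parse_syslog(payload, addr)
            tally[classify(record, firebox_ip)] += 1
            if record:
                print(f"{addr} {SEVERITY_NAMES[record.severity]}: {record.message[:70]}")
    return tally


# Constructed sample datagram (not a real Firebox log line); PRI 134 = local0.info.
SAMPLE = b"<134>Jun 14 10:22:01 Firebox-A http-proxy: Allow 10.0.1.5 -> 93.184.216.34 tcp/80"
```

A tally with only "unexpected" entries means another host is sending to the port; only "malformed" entries mean the Log Format on the Firebox is not set to Syslog.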