TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: Watchguard Firebox
SUMMARY: Configuration Guide for Watchguard Firebox Firewall

• Vendor Information
• Device Configuration Checklist
• Example Log Messages
  • HTTPS Request
  • VPN Authentication

Vendor Information

Device Configuration Checklist

1. Log in to the Fireware Web UI with an administrator account.
2. Select System > Logging.
3. Select the Syslog Server tab.
4. Select the Send log messages to these syslog servers check box.
5. 
6. Click Add. The Syslog Server dialog box opens.
7. In the IP Address text box, enter the IP address of the Huntress agent collecting syslog.
8. in the Port text box, enter 514.
9. From the Log Format drop-down list, select IBM LEEF.
10. Check both boxes to include The serial number of the device and The syslog header.
11. For each type of log message, verify they are set to the syslog facility in the below screenshot.
12. 
13. Click OK. The server is added to the list.
14. Click Save.

Example Log Messages

HTTPS Request

<142>Feb 25 12:49:50 hostname LEEF:1.0|WatchGuard|XTM|12.6.2.B631387|2CFF0000|serial=ABC123 policy=HTTPS-proxy-00 disp=Allow in_if=Trusted out_if=Fiber proto=tcp src=192.168.1.222 srcPort=58152 dst=34.228.135.247 dstPort=443 proxy_act=HTTPS-STD WEBBLOCKER tls_profile=TLS-Client-HTTPS.Standard.1 tls_version=TLS_V13 sni=eetee.huntress.io cn=eetee.huntress.io cert_issuer=CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US cert_subject=CN=eetee.huntress.io,O=Huntress Labs Inc.,L=Ellicott City,ST=Maryland,C=US action=allow app_id=0 app_cat_id=0 sig_vers=18.190 sent_bytes=700 rcvd_bytes=7515 msg=HTTPS Request

VPN Authentication

<150>Feb 25 13:25:55 hostname LEEF:1.0|WatchGuard|XTM|12.10.4.B702217|25000000|host_name=host serial=ABC123 msg=Mobile VPN with SSL user user1 logged in. Virtual IP address is 172.17.0.51. Real IP address is 1.2.3.4.