TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Watchguard Firebox
SUMMARY: Configuration Guide for Watchguard Firebox Firewall
This page covers only the device-specific configuration; you will still need to follow the Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup, including opening a port in Microsoft Defender Firewall.
Vendor Information

| Vendor | Watchguard |
|---|---|
| Supported Model Name/Number | Firebox Firewalls |
| Supported Software Version(s) | |
| Collection Method | Syslog |
| Provider Name | Syslog-XTM |

Additional Information

Please note that Huntress provides third-party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions change frequently, so it may be necessary to find the appropriate syslog logging documentation for your version of the vendor software or service.
Please note the link in the Vendor Links above to the latest documentation at the time of this writing.
Device Configuration Checklist
- Log in to the Fireware Web UI with an administrator account.
- Select System > Logging.
- Select the Syslog Server tab.
- Select the Send log messages to these syslog servers check box.
- Click Add. The Syslog Server dialog box opens.
- In the IP Address text box, enter the internal IP address of the Huntress agent collecting syslog.
- In the Port text box, enter 514. Please note that Huntress SIEM is not compatible with TLS/SSL-encrypted syslog messages, which WatchGuard uses by default when port 6514 is selected. To ensure compatibility, do not use port 6514 for WatchGuard devices sending to Huntress SIEM.
- From the Log Format drop-down list, select IBM LEEF.
- Check both boxes to include the serial number of the device and the syslog header.
- For each type of log message, verify that it is set to the syslog facility shown in the screenshot below.
- Click OK. The server is added to the list.
- Click Save.
Example Log Messages
HTTPS Request
<142>Feb 25 12:49:50 hostname LEEF:1.0|WatchGuard|XTM|12.6.2.B631387|2CFF0000|serial=ABC123 policy=HTTPS-proxy-00 disp=Allow in_if=Trusted out_if=Fiber proto=tcp src=192.168.1.222 srcPort=58152 dst=34.228.135.247 dstPort=443 proxy_act=HTTPS-STD WEBBLOCKER tls_profile=TLS-Client-HTTPS.Standard.1 tls_version=TLS_V13 sni=eetee.huntress.io cn=eetee.huntress.io cert_issuer=CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US cert_subject=CN=eetee.huntress.io,O=Huntress Labs Inc.,L=Ellicott City,ST=Maryland,C=US action=allow app_id=0 app_cat_id=0 sig_vers=18.190 sent_bytes=700 rcvd_bytes=7515 msg=HTTPS Request
VPN Authentication
<150>Feb 25 13:25:55 hostname LEEF:1.0|WatchGuard|XTM|12.10.4.B702217|25000000|host_name=host serial=ABC123 msg=Mobile VPN with SSL user user1 logged in. Virtual IP address is 172.17.0.51. Real IP address is 1.2.3.4.
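The two messages above have a fixed shape: a syslog PRI value in angle brackets (which encodes the facility configured per message type in the checklist above), a BSD timestamp and hostname, a LEEF 1.0 header of pipe-separated fields, and a trailing run of key=value attributes whose values may contain spaces and even embedded "CN=...,O=..." text. The following parser is an added example written for this page; it is not Huntress or WatchGuard code, and it assumes the space-separated attribute layout and the "Mobile VPN with SSL user ... logged in" message wording seen in the samples. Facility and severity names are the standard RFC 3164 tables. Splitting attributes only at keys that follow whitespace is what keeps the certificate distinguished names intact; a value that itself contained " word=" would still be mis-split.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the two WatchGuard LEEF messages shown above,
# as a collector listening on UDP/514 would receive them.
SAMPLE_LINES: List[str] = [
    "<142>Feb 25 12:49:50 hostname LEEF:1.0|WatchGuard|XTM|12.6.2.B631387|2CFF0000|"
    "serial=ABC123 policy=HTTPS-proxy-00 disp=Allow in_if=Trusted out_if=Fiber proto=tcp "
    "src=192.168.1.222 srcPort=58152 dst=34.228.135.247 dstPort=443 proxy_act=HTTPS-STD WEBBLOCKER "
    "tls_profile=TLS-Client-HTTPS.Standard.1 tls_version=TLS_V13 sni=eetee.huntress.io "
    "cn=eetee.huntress.io cert_issuer=CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US "
    "cert_subject=CN=eetee.huntress.io,O=Huntress Labs Inc.,L=Ellicott City,ST=Maryland,C=US "
    "action=allow app_id=0 app_cat_id=0 sig_vers=18.190 sent_bytes=700 rcvd_bytes=7515 msg=HTTPS Request",
    "<150>Feb 25 13:25:55 hostname LEEF:1.0|WatchGuard|XTM|12.10.4.B702217|25000000|"
    "host_name=host serial=ABC123 msg=Mobile VPN with SSL user user1 logged in. "
    "Virtual IP address is 172.17.0.51. Real IP address is 1.2.3.4.",
]

# RFC 3164 facility and severity names, indexed by numeric code (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host LEEF:Version|Vendor|Product|Version|EventID|attributes
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"LEEF:(?P<leef_version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<fw_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)

# A key starts a new attribute only at the start of the attribute string or after whitespace,
# so "CN=...,O=...,C=US" inside cert_issuer / cert_subject stays part of one value.
ATTR_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")

# Assumed wording of the SSL VPN login message, taken from the sample above (IPv4 only).
VPN_LOGIN_RE = re.compile(
    r"Mobile VPN with SSL user (?P<user>\S+) logged in\. "
    r"Virtual IP address is (?P<virtual_ip>\d+(?:\.\d+){3})\. "
    r"Real IP address is (?P<real_ip>\d+(?:\.\d+){3})\."
)


@dataclass
class LeefEvent:
    pri: int
    facility: str
    severity: str
    timestamp: str
    host: str
    leef_version: str
    vendor: str
    product: str
    fw_version: str
    event_id: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_attrs(text: str) -> Dict[str, str]:
    """Split space-separated key=value pairs whose values may themselves contain spaces."""
    keys = list(ATTR_KEY_RE.finditer(text))
    attrs: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        attrs[m.group(1)] = text[m.end():end].strip()
    return attrs


def parse_line(line: str) -> LeefEvent:
    """Parse one WatchGuard LEEF syslog line; raise ValueError on anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a WatchGuard LEEF syslog line: {line[:60]!r}")
    pri = int(m.group("pri"))
    facility_code, severity_code = divmod(pri, 8)
    if facility_code >= len(FACILITIES):
        raise ValueError(f"invalid PRI value {pri}")
    return LeefEvent(
        pri=pri,
        facility=FACILITIES[facility_code],
        severity=SEVERITIES[severity_code],
        timestamp=m.group("timestamp"),
        host=m.group("host"),
        leef_version=m.group("leef_version"),
        vendor=m.group("vendor"),
        product=m.group("product"),
        fw_version=m.group("fw_version"),
        event_id=m.group("event_id"),
        attrs=parse_attrs(m.group("attrs")),
    )


def parse_vpn_login(event: LeefEvent) -> Optional[Dict[str, str]]:
    """Return user / virtual_ip / real_ip for an SSL VPN login message, or None for other events."""
    m = VPN_LOGIN_RE.search(event.attrs.get("msg", ""))
    return m.groupdict() if m else None


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_line(raw)
        print(f"{ev.facility}.{ev.severity} event_id={ev.event_id} serial={ev.attrs.get('serial')} "
              f"msg={ev.attrs.get('msg')!r}")
        login = parse_vpn_login(ev)
        if login:
            print(f"  VPN login: {login}")
```

Running the block prints the facility and severity decoded from each PRI (local1.info for the HTTPS request, local2.info for the VPN login), which is a quick way to confirm on the receiving side that each message type arrived on the facility selected in the Fireware logging dialog.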