Configuring WatchGuard Firebox

Firewall Analyzer supports both WELF and native log formats of WatchGuard Firebox Models v 5.x, 6,x, 7.x, 8.x, 10.x, 11, Firebox X series, x550e, x10e, x1000, x750e, x1250e Core and Fireware XTM v11.3.5

Note For 8.x version, the XML log file format can be imported by Firewall Analyzer.

 

 

Virus reports are supported only for WatchGuard v10.x


For analysing native logs, the configuration is straight forward, you just need to forward the native logs from WatchGuard to the syslog listener ports of Firewall Analyzer.

Note By default, WatchGuard Firewall logs do not contain the bytes nformation. It just has the size of the packet and header. So one needs to do the following to enable them,
  • For version 7.3 , you need to go into General Setting area of your proxy and select the check box Send log message with summary of each transaction.
  • For version 7.2.1, you need to select the check box Log accounting/auditing information in your proxy service.
  • For version 8.x , you need to select the check box Send a log message with summary information for each transaction in your proxy service.
  • For version 10.X,
    • For External and VPN interface based logging:
      • Open Policy Manager.
      • Select the Setup > Logging > Performance Statistics menu, enable check box and save configuration.
    • For proxy level tracking:
      • Edit the proxy action and select the check box Turn on logging for reports for each desired proxy and save configuration

Device configuration for Firebox X1250e, XTM 11 series

 

Send Log Information to a Syslog Host

 

To configure the Firebox or XTM device to send log messages to a syslog host, you must have a syslog host configured, operational, and ready to receive log messages.

  • In Policy Manager of WatchGuard device, select System > Logging.
    The Logging page appears.
  • Select the Syslog Server tab.
  • Select the Enable Syslog output to this server check box.
  • In the Enable Syslog output to this server text box, type the IP address of the syslog host.
  • In the Settings section, to select a syslog facility for each type of log message, click the adjacent drop-down lists.
    If you select NONE, details for that message type are not sent to the syslog host.
  • Click Save.

For more details, refer the links given below:

 

http://www.watchguard.com/forum/default.asp?action=9&boardid=15&read=44135&fid=671

 

http://www.watchguard.com/help/docs/webui/11/en-US/index_Left.html#CSHID=en-US%2Flogging%2Fsend_logs_to_syslog_host_web.html|StartTopic=Content%2Fen-US%2Flogging%2Fsend_logs_to_syslog_host_web.html|SkinName=Web%20UI%20%28en-US%29

 

Bytes Information for WatchGuard:

Please follow the steps and configure the same in the Watchguard device to resolve the issue.

  • Ensure that your Watch Guard policies are created with Proxy Action and then follow the steps
  • Action > Proxies and add the new policy as per your requirement

Please follow the Steps to enable bytes information in the logs:

For External and VPN interface based logging:

Setup > Logging > Performance Statistics. Enable check box and save configuration.

For proxy level tracking, edit the proxy action and select 'Turn on logging for reports' for each desired proxy and save configuration.

 

Please refer the link of the forum post reply for your reference.

http://www.watchguard.com/forum/default.asp?action=9&boardid=2&read=19115&fid=43

 

Please refer WatchGuard website/WatchGuard forums for detailed information.

You can also configure WatchGuard to export the logs in WebTrends Enhanced Log File (WELF) format, refer WatchGuard documentation for configuring WELF format in WatchGuard Firewalls. Once the log has been exported to WELF format, login to Firewall Analyzer UI and click Settings > Imported Log Files >Import Log File option to load the file.

Copyright © 2012, ZOHO Corp. All Rights Reserved.
ManageEngine