Configuring WatchGuard Firebox
Firewall Analyzer supports both WELF and native
log formats of WatchGuard Firebox Models v 5.x, 6,x, 7.x, 8.x, 10.x, 11, Firebox X series, x550e, x10e, x1000, x750e, x1250e Core and Fireware XTM v11.3.5
Virus reports are supported only for WatchGuard v10.x
For analysing native logs, the configuration is straight forward, you
just need to forward the native logs from WatchGuard to the syslog
listener ports of Firewall Analyzer.
||By default, WatchGuard Firewall logs do not contain the bytes nformation. It just has the size of the packet and header. So one needs
to do the following to enable them,
- For version 7.3 , you need to go into General
Setting area of your proxy and select the check box Send log
message with summary of each transaction.
- For version 7.2.1, you need to select the check
box Log accounting/auditing information in your proxy service.
- For version 8.x , you need to select the check box Send a log message with summary information for each transaction in your proxy service.
- For version 10.X,
- For External and VPN interface based logging:
- Open Policy Manager.
- Select the Setup > Logging > Performance Statistics menu, enable check box and save configuration.
- For proxy level tracking:
- Edit the proxy action and select the check box Turn on logging for reports for each desired proxy and save configuration
Device configuration for Firebox X1250e, XTM 11 series
Send Log Information to a Syslog Host
To configure the Firebox or XTM device to send log messages to a syslog host, you must have a syslog host configured, operational, and ready to receive log messages.
- In Policy Manager of WatchGuard device, select System > Logging.
The Logging page appears.
- Select the Syslog Server tab.
- Select the Enable Syslog output to this server check box.
- In the Enable Syslog output to this server text box, type the IP address of the syslog host.
- In the Settings section, to select a syslog facility for each type of log message, click the adjacent drop-down lists.
If you select NONE, details for that message type are not sent to the syslog host.
- Click Save.
For more details, refer the links given below:
Bytes Information for WatchGuard:
Please follow the steps and configure the same in the Watchguard device to resolve the issue.
- Ensure that your Watch Guard policies are created with Proxy Action and then follow the steps
- Action > Proxies and add the new policy as per your requirement
Please follow the Steps to enable bytes information in the logs:
For External and VPN interface based logging:
Setup > Logging > Performance Statistics. Enable check box and save configuration.
For proxy level tracking, edit the proxy action and select 'Turn on logging for reports' for each desired proxy and save configuration.
Please refer the link of the forum post reply for your reference.
Please refer WatchGuard website/WatchGuard forums for detailed information.
You can also configure WatchGuard to export the logs in WebTrends Enhanced
Log File (WELF) format, refer WatchGuard documentation for configuring
WELF format in WatchGuard Firewalls. Once the log has been exported to
WELF format, login to Firewall Analyzer UI and click Settings > Imported Log Files >Import
Log File option to load the file.