WatchGuard Firebox Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

WatchGuard's Firebox is a unified security platform that covers traditional traffic protection, protecting an environment from intrusions, phishing attempts, malware, ransomware, and more. Both hardware and virtual appliances are available. This technology pack processes Firebox event log messages, providing normalization and enrichment of common events of interest.

Supported Versions

  • Fireware 12.x and later

Requirements

  • WatchGuard Firebox running Fireware 12.x

  • Graylog Server with valid Enterprise license, version 4.2.5, 4.3.0, or later

  • WatchGuard Firebox configured to send logs via syslog to Graylog

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:WatchGuard Device Messages"

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "WatchGuard Device Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection and Delivery

WatchGuard Firebox logs are delivered to Graylog via syslog. The Firebox must be configured to send logs to a Graylog syslog input. A local Syslog input must be created on the Graylog server with a port that matches the Firebox configuration.

Fireware Web UI Configuration

Configure the Firebox to send logs to Graylog:

  1. Select System > Logging.

  2. Click the Syslog Server tab.

  3. Select Send log messages to these syslog servers.

  4. Click Add, then enter the Graylog server IP address.

  5. Configure the port to match the Graylog Syslog input.

  6. Select Syslog format.

  7. Select the timestamp and serial number boxes.

  8. Select a syslog facility (Local0-7), and set Alarm to Local0 for high priority.

  9. Click Save.

Log Format Example

DEV01 0011223344556 (2022-09-01T13:58:33) firewall: msg_id="3000-0148" Allow External Inside 44 tcp 20 238 10.11.12.13 192.168.1.10 58325 60951 offset 6 S 3172487743 win 4 geo_src="USA" geo_dst="USA" (Inbound Policy-00)

What is Provided

  • Parsing rules to extract WatchGuard Firebox logs into Graylog schema compatible fields

  • GIM event type categorization and enforcement fields for supported WatchGuard Firebox events

  • Spotlight dashboard and saved searches

GIM Categorization

GIM categorization is provided for the following event types:

Event Category Event IDs gim_event_type_code gim_event_category gim_event_subcategory gim_event_type
User authentication succeeded/failed 1100-0004, 1100-0005 100000 authentication authentication.logon logon
User login succeeded 3E00-0002 100000 authentication authentication.logon logon
User logout 3E00-0004 102500 authentication authentication.logoff logoff
Firewall traffic (allow/deny) 3000-0148, 3000-0149, 3000-0150, 3000-0173 120000 network network.network connection network connection
Policy alarm, blocked site/port, spoofing 3000-0167, 3000-0168, 3000-0169, 3000-0172 120000 network network.network connection network connection
VPN tunnel established 0207-0001 120000 network network.network connection network connection
HTTP/HTTPS/TCP-UDP proxy events 1AFF-, 2CFF-, 2DFF-* 120000 network network.network connection network connection
Operational events (address, server status, connections, interface, host blocking) 3000-0029/002A/003C/0040/00CB/012D/0170/0171, 3001-1001/1002, 3100-0030 219999 service service.default service event
Device configuration change 0101-0001 220500 audit audit.policy audit policy changed
Signature update 2E02-0065, 2E02-0066, 2E02-0067 280100 agent agent.update agent update
Signature version check 2E02-0069 280200 agent agent.status agent status
DHCP Request 1600-0003, DHCPREQUEST 290000 dhcp dhcp.request dhcp request
DHCP Offer 1600-0002, DHCPOFFER 290100 dhcp dhcp.offer dhcp offer
DHCP Discovery 1600-0001, DHCPDISCOVER 290200 dhcp dhcp.discovery dhcp discovery
DHCP Acknowledgement DHCPACK 290300 dhcp dhcp.acknowledgement dhcp acknowledgement
IPS/GAV/APT detection in proxy 1AFF-0025/0026/0028/0029/0034, 2CFF-0005, 2DFF-0001 300000 detection detection.network_detection ids_detection
Attack events (flood, scan, DDoS, spoofing) 3000-0152 through 3000-0166 300000 detection detection.network_detection ids_detection

WatchGuard Firebox Spotlight

This spotlight offers a dashboard with 5 tabs:

Overview (1)

Overview (2)

Status

Saved Search: Log Viewer

Saved Search: Traffic Log