WatchGuard Firebox

Version: WatchGuard Firebox v11.10.0 to v12.7.0

WatchGuard Firebox Series appliances combine firewall and VPN functions with robust security services and flexible management tools.

WatchGuard Firebox uses the Syslog protocol to forward logs to Netsurion Open XDR. The logs provide information about possible attacks, suspicious network traffic, device configuration changes, and user login and authentication activity. Using the resulting reports, one can track which users logged in successfully, which failed to log in, and the reason for each failure, and inspect endpoints to analyze attack types and suspicious traffic such as IP spoofing and traffic detected by intrusion prevention.

Dashboards display a graphical representation of user logon activity, device configuration changes, and attacks detected. Using the geolocation dashboard, one can track IP traffic by country/ISO code.

Alerts are triggered when a user changes a device configuration, fails to log in, fails to authenticate, and so on. Alerts, dashboards, and reports fall into the following categories:

  • Security: Anti-Spam service and WLAN IDS activity.
  • Operations: High availability activity, Link monitoring, DHCP relay activity, User activity, and Content filtering.
  • Compliance: Login and authentication activity, Network access activity, Firewall alerts, VPN tunnel, and client activity.

After WatchGuard Firebox is configured to deliver events to Netsurion Open XDR, alerts, dashboards, and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integrations available in Netsurion Open XDR.

Alerts

  • Security: WatchGuard Firebox – Device configuration changed. Triggered when a user changes a device configuration.
  • Security: WatchGuard Firebox – Attack detected. Triggered when the WatchGuard Firebox detects an attack.
  • Operations: WatchGuard Firebox – User authentication failed. Triggered when a user attempts to authenticate and fails (e.g., when a user tries to log in using SSL/VPN or similar services).
  • Operations: WatchGuard Firebox – User login failed. Triggered when a user tries to log in but fails, e.g., with an incorrect username or password when logging in from the GUI.
  • Compliance: WatchGuard Firebox – Customized certificate generation error. Triggered when a customized certificate generation error occurs.
  • Compliance: WatchGuard Firebox – System shutdown or restart. Triggered when the system is shut down or restarted.

Reports

  • Security: WatchGuard Firebox – Device configuration change details. Provides information about device configuration changes made by a user in WatchGuard Firebox. The report captures the changed item in the message details column and shows the time of the change and the firewall device whose configuration was changed.
  • Security: WatchGuard Firebox – Attack detected. Provides information about attacks detected by WatchGuard Firebox. Columns: Log Time, Computer or Device Name, Attack Type, Source Address, and Target Address. It briefs an administrator on attacks detected from suspicious hosts, with the target IP and attack details.
  • Security: WatchGuard Firebox – IPS traffic detected. Provides information about traffic detected by intrusion prevention. Columns: Source IP Address, Source Port, Destination IP Address, Destination Port, Policy Name, Signature Name, Signature Category, Signature ID, and Status.
  • Operations: WatchGuard Firebox – Proxy details. Provides information about traffic allowed or denied by a proxy policy. Columns: Host Address, Source Address, Source Port, Destination Address, Destination Port, Action, Message, and Policy Name. It briefs an administrator on proxy traffic passing through the firewall and the action taken under the applied policy.
  • Operations: WatchGuard Firebox – IP spoofing and blocked site traffic detected. Provides information about IP spoofing and blocked-site traffic detected. Columns: Source IP Address, Target IP Address, and Traffic Type.
  • Compliance: WatchGuard Firebox – User authentication failed. Provides information about failed user authentication events, including why the authentication failed (e.g., when a user tries to log in using SSL/VPN or similar services).
  • Compliance: WatchGuard Firebox – User authentication success. Provides information about successful user authentication events.
  • Compliance: WatchGuard Firebox – User login failed. Provides information about failed user logon events. Columns: Log Time, Computer or Device Name, Username, User Type, Source Address, and Assigned Virtual Client IP Address.
  • Compliance: WatchGuard Firebox – Traffic details. Provides inbound and outbound traffic information. Columns: Log Time, Computer or Device Name, Status, In Interface Name, Out Interface Name, Source IP Address, Source Port, Destination IP Address, Destination Port, Application Behavior Name, Application Category ID, Application ID, Application Name, Category Name, Message, and Policy Name. It briefs an administrator on traffic passing through the firewall and the action taken under the applied policy.
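The alerts and reports above are all derived from the syslog lines the Firebox forwards. The following added example, which is not Netsurion's or WatchGuard's own parser, shows how such lines can be split into fields and mapped onto the alert names this page lists (device configuration changed, user authentication failed, user login failed, attack detected), and how the rows of a "User authentication failed" report can be built from them. The sample lines, their layout (syslog timestamp, host, process name, then key="value" fields ending in a free-text msg), the field names and the PLACEHOLDER msg_id values are all constructed for this example; real Fireware output may differ.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines for this example. The layout, the field names and
# the PLACEHOLDER msg_id values are assumptions, not real Fireware output.
SAMPLE_LINES: List[str] = [
    'Jan 10 09:12:01 firebox-hq admd: msg_id="PLACEHOLDER-AUTH" user="alice" '
    'src_ip="203.0.113.7" type="SSLVPN-User" msg="Authentication of SSLVPN user '
    '[alice@Firebox-DB] from 203.0.113.7 was rejected, password failure"',
    'Jan 10 09:12:05 firebox-hq sessiond: msg_id="PLACEHOLDER-LOGIN" user="admin" '
    'src_ip="198.51.100.22" msg="Management user admin login failed from 198.51.100.22"',
    'Jan 10 09:15:40 firebox-hq wgagent: msg_id="PLACEHOLDER-CFG" user="admin" '
    'src_ip="10.0.0.5" msg="Configuration changed, version 42 saved by admin"',
    'Jan 10 09:20:11 firebox-hq firewall: msg_id="PLACEHOLDER-IPS" src_ip="192.0.2.9" '
    'src_port="44120" dst_ip="10.0.1.20" dst_port="443" policy="HTTPS-proxy" '
    'msg="IPS detected signature 12345 category: Web Attacks"',
    'Jan 10 09:21:00 firebox-hq firewall: msg_id="PLACEHOLDER-SPOOF" src_ip="10.0.1.99" '
    'dst_ip="10.0.1.1" msg="IP spoofing sites, source address matches an internal network"',
    'Jan 10 09:30:00 firebox-hq admd: msg_id="PLACEHOLDER-AUTH" user="bob" '
    'src_ip="203.0.113.8" type="SSLVPN-User" msg="Authentication of SSLVPN user '
    '[bob@Firebox-DB] from 203.0.113.8 was accepted"',
]

# Syslog header: "Mon DD HH:MM:SS host process: body"
HEADER_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+'
    r'(?P<host>\S+)\s+(?P<proc>[^:\s]+):\s+(?P<body>.*)$'
)
# Quoted key="value" pairs in the body.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Alert names from this page, each mapped to a pattern over the free-text msg.
# Order matters: the first matching rule wins.
RULES: List[Tuple[str, re.Pattern]] = [
    ("Device configuration changed", re.compile(r"configuration changed", re.I)),
    ("User authentication failed", re.compile(r"authentication\b.*\b(rejected|failed)\b", re.I)),
    ("User login failed", re.compile(r"\blogin failed\b", re.I)),
    ("Attack detected", re.compile(r"\b(IPS detected|IP spoofing)\b", re.I)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into a flat dict; None if the header is malformed."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    event = {"log_time": m["ts"], "device": m["host"], "process": m["proc"]}
    event.update(KV_RE.findall(m["body"]))  # later duplicate keys overwrite earlier ones
    return event


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the alert name an event triggers, or None if it triggers no alert."""
    msg = event.get("msg", "")
    for name, pattern in RULES:
        if pattern.search(msg):
            return name
    return None


def summarize(lines: List[str]) -> Counter:
    """Count alert-triggering events per alert name; malformed lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        name = classify(event)
        if name is not None:
            counts[name] += 1
    return counts


def auth_failure_rows(lines: List[str]) -> List[Tuple[str, str, str, str, str, str]]:
    """Rows for a 'User authentication failed' report: log time, device, username,
    user type, source address and the failure reason (text after the last comma)."""
    rows = []
    for line in lines:
        event = parse_line(line)
        if event is None or classify(event) != "User authentication failed":
            continue
        msg = event.get("msg", "")
        reason = msg.rsplit(",", 1)[1].strip() if "," in msg else ""
        rows.append((event["log_time"], event["device"], event.get("user", ""),
                     event.get("type", ""), event.get("src_ip", ""), reason))
    return rows


if __name__ == "__main__":
    for name, count in summarize(SAMPLE_LINES).items():
        print(f"{name}: {count}")
    for row in auth_failure_rows(SAMPLE_LINES):
        print(row)
```

Classification keys on the free-text msg rather than on msg_id, because the page does not list the Firebox message IDs; on a real deployment, matching on the vendor's message IDs is more robust than matching on message wording, which can change between Fireware versions. The successful SSL/VPN authentication for bob is deliberately left unmatched: it belongs in the "User authentication success" report, not in any alert.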

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x and later, and WatchGuard Fireware.

Download the Integration Guide and How-to Guide for configuration instructions and more information.