WatchGuard XTM

Overview

WatchGuard XTM is a firewall appliance that logs the traffic passing between your network and the rest of the world. From these logs you can see how much data each internal host is sending, where that data is going, and which destination is receiving it.

Before You Begin

You must configure WatchGuard to send its logs to a syslog server; in this setup, that server is the InsightOps collector configured below. Instructions on how to enable syslog logging on the firewall can be found here and here.

Make sure your Network Interface Card (NIC) name does not contain spaces

WatchGuard firewalls include the name of the interface (NIC) that handled the traffic in each syslog line. The fields in these lines are space-delimited and the interface name is neither quoted nor escaped, so a name containing a space is split into two tokens, every later field shifts by one position, and InsightOps cannot parse the line correctly. Rename any interface whose name contains a space (for example, replace the space with a hyphen or underscore) before you enable forwarding.
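The following is an added example, not code from the original page or from Rapid7: it parses a constructed WatchGuard-style traffic line the way a space-delimited syslog parser would, shows the field shift that a space in an interface name causes, and provides a check you can run over your interface names before enabling forwarding. The sample line and the field order are approximations for illustration, not an official Fireware log specification.

```python
import re

# Constructed sample lines approximating a WatchGuard XTM traffic log entry as
# written to syslog. The field order after msg_id is illustrative only.
GOOD_LINE = (
    'Oct 10 10:00:00 xtm.example.net 80200FB2 (2017-10-10T10:00:00) '
    'firewall: msg_id="3000-0148" Allow 1-Trusted 0-External 52 tcp 20 127 '
    '10.0.1.5 93.184.216.34 49152 443 offset 5 S 1234567 win 8192'
)
# Same line, but the inbound interface was named "Guest WiFi" (contains a space).
BAD_LINE = GOOD_LINE.replace('1-Trusted', 'Guest WiFi')

# Positional field names a space-delimited parser assigns to the tokens that
# follow msg_id="...". Hypothetical names chosen for this example.
FIELDS = ('action', 'in_iface', 'out_iface', 'length', 'proto',
          'hdr_len', 'ttl', 'src', 'dst', 'sport', 'dport')
ACTIONS = {'Allow', 'Deny'}


def parse_traffic_line(line):
    """Split the text after msg_id="..." on whitespace and map it onto FIELDS.

    Returns None when the line carries no msg_id (not a traffic record).
    Nothing here escapes or quotes interface names, which is exactly the
    behaviour that makes a space inside a name shift every later field.
    """
    match = re.search(r'msg_id="[^"]*"\s+(.*)$', line)
    if not match:
        return None
    tokens = match.group(1).split()
    return dict(zip(FIELDS, tokens))


def is_well_formed(record):
    """Cheap sanity checks that expose a shifted record.

    A correctly aligned record has a known action, an alphabetic protocol and
    numeric ports; after a one-token shift the protocol slot holds a number.
    """
    if not record:
        return False
    return (record.get('action') in ACTIONS
            and record.get('proto', '').isalpha()
            and record.get('sport', '').isdigit()
            and record.get('dport', '').isdigit())


def find_bad_interface_names(names):
    """Return the interface names that contain any whitespace."""
    return [n for n in names if re.search(r'\s', n)]


def sanitize_interface_name(name):
    """Suggest a safe replacement: collapse runs of whitespace into a hyphen."""
    return re.sub(r'\s+', '-', name.strip())


if __name__ == '__main__':
    for label, line in (('good', GOOD_LINE), ('bad', BAD_LINE)):
        rec = parse_traffic_line(line)
        print(label, 'well-formed' if is_well_formed(rec) else 'SHIFTED', rec)
    # Interface list as you would export it from the firewall (constructed).
    interfaces = ['1-Trusted', '0-External', 'Guest WiFi', 'DMZ']
    for bad in find_bad_interface_names(interfaces):
        print(f'rename "{bad}" -> "{sanitize_interface_name(bad)}"')
```

Running the script shows the good line parsing with `proto` = `tcp` and `src` = `10.0.1.5`, while the bad line ends up with `in_iface` = `Guest`, `out_iface` = `WiFi` and the number `52` in the protocol slot, which is why the record fails the sanity check. The interface scan is the part to run before you turn on forwarding; fixing names on the firewall is far cheaper than discovering unparsed events later.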

How to Configure This Event Source

  1. From your dashboard, select Data Collection in the left-hand menu.
  2. At the top right of the page, select Add Data.
  3. Select the Firewall icon from the Security Data section.
  4. Select your collector and, optionally, name your event source.
  5. From the list of event source options, choose WatchGuard XTM.
  6. Choose a timezone, or optionally display only US timezones.
  7. Optionally choose to send unfiltered logs.
  8. Configure any advanced event source settings.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. If you choose TCP, you can optionally choose to Encrypt the event source.
  10. If you choose to encrypt, select the "Download Certificate" button to download Rapid7's CA certificate. The file is named Rapid7CA.pem and is what allows WatchGuard XTM to verify the InsightOps collector so that the two sides trust each other during log forwarding over TLS.
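Once the listener is configured, it is worth confirming from a host on the firewall's network that the collector accepts a TLS syslog connection validated against Rapid7CA.pem before changing the firewall itself. The script below is an added example, not code from the original page or from Rapid7: it builds a BSD-style syslog message and sends it over TCP with TLS, trusting only the downloaded CA file. The collector hostname, port and the path to the certificate are placeholders you must replace; whether the collector's certificate carries a hostname that matches what you connect to is an assumption, so if the handshake fails on hostname verification, check what name the collector's certificate actually presents rather than disabling verification.

```python
import datetime
import socket
import ssl

# Placeholders (assumptions): replace with your collector and the downloaded CA file.
COLLECTOR_HOST = 'collector.example.net'
COLLECTOR_PORT = 6514
CA_FILE = 'Rapid7CA.pem'


def build_syslog_message(hostname, app, text, facility=1, severity=6, timestamp=None):
    """Build an RFC 3164 style syslog line: <PRI>TIMESTAMP HOST APP: TEXT.

    PRI is facility * 8 + severity; facility 1 (user) and severity 6 (info)
    give <14>. A fixed timestamp may be passed to make the output reproducible.
    """
    pri = facility * 8 + severity
    if timestamp is None:
        timestamp = datetime.datetime.now().strftime('%b %d %H:%M:%S')
    return f'<{pri}>{timestamp} {hostname} {app}: {text}\n'.encode('utf-8')


def make_tls_context(cafile):
    """TLS client context that trusts only the given CA file.

    Certificate verification and hostname checking stay enabled; the point of
    downloading Rapid7CA.pem is to verify the collector, not to skip checks.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_syslog_tls(host, port, cafile, message, timeout=10):
    """Open a TCP connection, wrap it in TLS verified against cafile, send the
    message and return the negotiated TLS version. Raises ssl.SSLError if the
    collector's certificate does not chain to the CA file."""
    ctx = make_tls_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(message)
            return tls.version()


if __name__ == '__main__':
    msg = build_syslog_message('xtm.example.net', 'firewall',
                               'InsightOps TLS listener connectivity test')
    version = send_syslog_tls(COLLECTOR_HOST, COLLECTOR_PORT, CA_FILE, msg)
    print(f'sent {len(msg)} bytes over {version} to {COLLECTOR_HOST}:{COLLECTOR_PORT}')
```

If the connection succeeds, the test line should appear in InsightOps under this event source (it will not match the WatchGuard traffic format, so expect it to show as an unparsed message). A certificate verification error at this stage means the firewall would fail in the same way, so resolve it before pointing the firewall at the collector.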

Advanced Event Source Settings

Fallback Domain(s): If your event sources run in a multi-domain environment, Rapid7 recommends configuring a fallback domain so that user accounts are resolved correctly.

For instance, if your company has offices in the US and in Canada, both locations have a user named "John Smith", and your main domain is company.com, your fallback domain could be company.ca. This allows InsightOps to attribute data to the correct user account more accurately.