Integrate Watchguard Firewall with Splunk


I recently got this done, and it was pretty simple.
The Watchguard documentation is HERE:
https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/splunk_integration_V2.html

Pre-requisites:

  • Splunk Server
  • Watchguard Firebox

Order of Operations:

  1. Tell Watchguard to send its syslogs to your Splunk server
  2. Tell your Splunk server to accept syslogs from your Watchguard
  3. Install a Splunk Watchguard Add-On
  4. Install a Splunk Watchguard Firebox App

1. Tell Watchguard to send its syslogs to your Splunk server

  • Log in to the Fireware Web UI with an administrator account.
  • Select System > Logging.
  • Select the Syslog Server tab.

  • Select the Send log messages to the syslog server at this IP address check box.
  • In the IP Address text box, type the IP address of the server on which Splunk is installed. In this example, we use 10.0.1.86.
  • In the Port text box, type 514.
  • From the Log format drop-down list, select Syslog.
  • To include the time stamp and serial number, select the The time stamp and The serial number of the device check boxes (optional).
  • Click Save. The Firebox is now sending syslog messages to Splunk. Next up, Splunk needs to know to ingest these messages.

2. Tell your Splunk server to accept syslogs from your Watchguard

  • Log in to Splunk Enterprise at http://localhost:8000/en-US/account/login. The first time you log in, use the default user name admin and the password you set during installation. You can then change the password and log in again with your new password.
  • From the Splunk home page, select Add Data.
  • To get data from TCP and UDP ports, on the Add Data page, select Monitor.
  • Select TCP/UDP.
  • Select the UDP tab. (Firebox syslog support is available only for UDP.)

  • In the Port text box, type 514. This port must match the port configured on the Firebox for the syslog server.
  • In the Only accept connection from text box, type the IP address of your Firebox. In our example, we type 10.0.1.40.
  • Click Next.
  • From the Select Source Type drop-down list, select Operating System > syslog.
  • To continue, click Review.
  • Click Submit. Splunk is now configured to receive syslog messages from the Firebox IP address you specified. Next up is adding two very specific dashboards.
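
Steps 1 and 2 together set up an unauthenticated UDP stream whose only admission control is the "Only accept connection from" address (the `acceptFrom` key of a `[udp://514]` stanza in Splunk's inputs.conf). The Python below is an added example, not part of the post and not WatchGuard's or Splunk's code: it models that input by applying the source-IP allow list before parsing the RFC 3164 header (the PRI facility and severity that the `syslog` sourcetype relies on), and it includes a sender for a constructed test datagram so you can confirm the input is live with a search on `sourcetype=syslog`. The IP addresses and port are the ones used in the post; the log lines and the `firebox` hostname are constructed.

```python
"""Added example: a minimal model of the Splunk UDP syslog input from step 2,
with the source-IP check applied before the RFC 3164 header is parsed.
Addresses and port are from the post; log lines and hostnames are constructed."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

# From the post: the Firebox (10.0.1.40) sends to the Splunk host (10.0.1.86) on UDP 514.
FIREBOX_IP = "10.0.1.40"
SPLUNK_IP = "10.0.1.86"
SYSLOG_PORT = 514
ALLOWED_SOURCES = frozenset({FIREBOX_IP})  # the "Only accept connection from" setting

# RFC 3164 layout: optional "<PRI>", then "Mmm dd hh:mm:ss", then hostname, then message.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    source_ip: str
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str


def parse_syslog(datagram: bytes, source_ip: str) -> SyslogEvent:
    """Parse one UDP datagram as an RFC 3164 message.

    A datagram with no <PRI> is given PRI 13 (facility user, severity notice),
    which is the value RFC 3164 tells a relay to insert in that case.
    """
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _HEADER.match(text)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {text!r}")
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    return SyslogEvent(
        source_ip=source_ip,
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m.group("ts"),
        host=m.group("host"),
        message=m.group("msg"),
    )


def accept_datagram(source_ip: str, datagram: bytes) -> Optional[SyslogEvent]:
    """Apply the source-IP allow list first: UDP carries no authentication, so the
    source address is the only thing tying a datagram to the Firebox.  Datagrams
    from any other address are dropped (None) without being parsed at all."""
    if source_ip not in ALLOWED_SOURCES:
        return None
    return parse_syslog(datagram, source_ip)


def send_test_message(splunk_ip: str = SPLUNK_IP, port: int = SYSLOG_PORT) -> bytes:
    """Send one constructed datagram to the Splunk input and return what was sent.
    PRI 134 = facility local0 (16 * 8) + severity informational (6).  Run this
    from the Firebox's address (or temporarily add your own to the input's
    allow list) and then search sourcetype=syslog in Splunk for the text."""
    datagram = (b"<134>Jun 10 12:34:56 firebox "
                b"firewall: constructed test message from syslog_check.py")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (splunk_ip, port))
    return datagram


if __name__ == "__main__":
    # Constructed datagrams: one from the Firebox, one from another LAN host.
    good = accept_datagram(FIREBOX_IP, b"<134>Jun 10 12:34:56 firebox firewall: hello")
    bad = accept_datagram("10.0.1.99", b"<134>Jun 10 12:34:56 firebox firewall: spoof")
    print("from firebox:", good)
    print("from 10.0.1.99:", bad)
```

Two practical points the GUI steps leave implicit: on Linux, a Splunk process that is not root needs `CAP_NET_BIND_SERVICE` to bind UDP 514, otherwise the input silently fails to listen; and the allow list is a source-address filter, not authentication, so it keeps stray LAN chatter out of your index but is not a substitute for network segmentation between the Firebox and the Splunk host.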

3. Install a Splunk Watchguard Add-On

  • Download the WatchGuard Firebox Add-on from https://splunkbase.splunk.com/app/3978/.
  • Log in to Splunk Enterprise.
  • On the Apps menu, click Manage Apps.
  • Locate the .tar.gz file you just downloaded, and then click Open.
  • Click Upload.
  • Click Restart Now, and then confirm that you want to restart.
  • On the Splunk Enterprise home page, click Choose a home dashboard.
  • Click dashboards listing page.
  • Select WatchGuard Firebox Add-on for Splunk
  • Click … (Ellipsis)
  • Select Set as Home Dashboard. The WatchGuard Firebox Add-On for Splunk appears on the Splunk Enterprise Home Dashboard. You can click this to start seeing some sparse information. Next up is adding the Firebox App.

4. Install a Splunk Watchguard Firebox App

  • Download the WatchGuard Firebox App from https://splunkbase.splunk.com/app/3979/
  • Log in to Splunk Enterprise.
  • From the Apps menu, select Manage Apps.
  • Click Install app from file.
  • In the Upload app window, click Choose File
  • Locate the .tar.gz file you just downloaded, and then click Open.
  • Click Upload. The WatchGuard Firebox App for Splunk should now appear in the Splunk Enterprise Apps list.
    Note: The source and destination ports… they are written poorly. I will mess with them, get them working, and update the blog with how to fix them.