Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=watchguard

WatchGuard Firebox

Log collector Firewall

You must have the Firewall integrations license pack to use this feature.

You can integrate WatchGuard Firebox firewalls with Sophos Central. This lets WatchGuard Firebox send firewall alerts to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

This page describes integration using an appliance on ESXi or Hyper-V. If you want to integrate using an appliance on AWS, see Add integrations on AWS.

Key steps

The key steps in an integration are as follows:

  • Add an integration for this product. In this step you create an image of the appliance.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure WatchGuard Firebox to send data to the appliance.

Requirements

Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Add an integration

To add the integration, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.

  2. Click WatchGuard Firebox.

    The WatchGuard Firebox page opens. You can add integrations here and see a list of any you've already added.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See Provide your domain and IP details.

    Integration setup steps appears.

Configure the VM

In Integration setup steps, you can configure a new appliance or use an existing one.

We assume here that you configure a new appliance. To do this, create an image as follows:

  1. Enter an integration name and description.
  2. Click Create new appliance.
  3. Enter a name and description for the appliance.
  4. Select the virtual platform. Currently we only support VMware ESXi 6.7 update 3 or later, and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  5. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  6. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure WatchGuard Firebox to send data to your appliance.

  7. Select a Protocol.

    You must use the same protocol when you configure WatchGuard Firebox to send data to your appliance.

  8. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure WatchGuard Firebox to send data to it.

    It might take a few minutes for the appliance image to be ready.

Deploy the appliance

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the image to deploy the appliance as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy appliances.

Configure WatchGuard Firebox

You now configure WatchGuard Firebox firewalls to send alerts to us, using syslog forwarding.

Note

You can configure multiple instances of WatchGuard Firebox to send data to Sophos via the same appliance. After you finish integration, repeat the steps in this section for your other instances of WatchGuard Firebox. You don't need to repeat the steps in Sophos Central.

To configure WatchGuard Firebox, you can sign in to a firewall using WatchGuard System Manager, or use WatchGuard Web UI.

Click the tab for the method you want to use.

To configure your firewall using WatchGuard System Manager, do as follows.

  1. Sign in to WatchGuard System Manager.
  2. Click File > Connect to Device.
  3. Select a firewall and sign in to it.
  4. Click the Policy Manager icon.

  5. In Policy Manager click Setup > Logging.

    In Logging Setup you add the connection details for the Sophos appliance as a syslog server.

  6. Go to Syslog Server and turn on Send log messages to these syslog servers.

  7. Click Add.

  8. In Configure Syslog enter the following connection details for your Sophos appliance.

    • Address
    • Port

    You must enter the same settings you entered in Sophos Central when you added the integration.

  9. In Format select IBM LEEF.

  10. Add a Description to identify this syslog server as the Sophos appliance.
  11. Turn on the settings to include the device serial number and syslog header in syslog messages.
  12. Accept the default settings in Select the syslog facility for each type of device log message.
  13. You don't need to change Performance Statistics or Diagnostic Log Level.
  14. Click OK.

Save and activate settings

To save the changes to the firewall and activate them, do as follows.

  1. Click File > Save > To Firebox.

    The menu item may differ depending on your WatchGuard product.

  2. In Save To Firebox check the details and enter your Administrator Passphrase.

  3. Click OK.

Your WatchGuard Firebox alerts should now appear in the Sophos Data Lake after validation.

Repeat the configuration steps for any other firewalls you want to configure.

To configure your firewall using WatchGuard Web UI, do as follows.

  1. Sign in to the firewall's Web UI.
  2. Click System > Logging.
  3. Click the lock icon to unlock the user interface so that you can make changes.
  4. Click Syslog Server.
  5. Turn on Send log messages to these syslog servers.
  6. Click ADD.

  7. In Syslog Server enter the following connection details for your Sophos appliance.

    • Address
    • Port

    You must enter the same settings you entered in Sophos Central when you added the integration.

  8. In Format select IBM LEEF.

  9. Add a Description to identify this syslog server as the Sophos appliance.
  10. Turn on the settings to include the device serial number and syslog header in syslog messages.
  11. Accept the default settings in Select the syslog facility for each type of device log message.
  12. Click OK.
  13. Click SAVE. This saves the changes to the firewall and activates them.

Your WatchGuard Firebox alerts should now appear in the Sophos Data Lake after validation.

Repeat the configuration steps for any other firewalls you want to configure.