Watchguard Firewall

Overview

WatchGuard Firewall ingests and normalizes logs from WatchGuard firewall devices in LogPoint. Once ingested, you can explore and analyze the data using LogPoint's search capabilities and available analytics for this integration, including dashboards, reports, and alerts. This gives you clear visibility into threat content, malicious devices or files, content types, denied and allowed connections, ports, user authentication, and firewall actions, enabling faster detection, compliance, and response.

The integration includes:

  • Syslog Collector to retrieve raw logs from WatchGuard Firewall devices and ingest them into LogPoint for processing.

  • Syslog Parser to extract key fields from raw WatchGuard logs.

  • WatchguardCompiledNormalizer to convert the parsed logs into a standardized format for consistent analysis across LogPoint.

  • Dashboard package (LP_WatchGuard Firewall) which provides a graphical and interactive overview of WatchGuard activities, highlighting patterns including denied and allowed connections, threat detections, IPS events, user authentication, content filtering, bandwidth usage, and firewall actions. It allows you to quickly spot unusual behavior, monitor compliance, and track operational changes over time.

  • Normalization packages (LP_Watchguard Firewall v11_9, LP_Watchguard Firewall v11_10, LP_Watchguard Firewall, LP_Watchguard WifiCloud) that provide version-specific and feature-specific normalization for WatchGuard devices.

  • Label package (LP_Watchguard Firewall) that contains event classification labels based on message IDs for enhanced event categorization and analysis.
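The components listed above form a collect, parse, normalize and label pipeline. The following Python script is an added example written for this page, not LogPoint's or WatchGuard's own code. It assumes the raw record is an RFC 3164 syslog line whose body carries key="value" pairs; the sample lines, field names, message IDs and the label table are all constructed for illustration and are not taken from the page.

```python
"""Added example: a minimal collect -> parse -> normalize -> label pipeline.

Assumptions (not from the page): RFC 3164 syslog framing with a key="value"
body; the sample lines, vendor field names, message IDs and label table are
constructed for illustration only.
"""
import re
from typing import Dict, List

# Constructed sample records (not real device output).
SAMPLE_LINES = [
    '<142>Jan 14 10:15:02 fw-edge-01 firewall: msg_id="3000-0148" action="Deny" '
    'proto="tcp" src_ip="203.0.113.7" dst_ip="192.0.2.10" src_port="51234" '
    'dst_port="22" policy="Unhandled Internal Packet-00"',
    '<142>Jan 14 10:15:03 fw-edge-01 firewall: msg_id="3000-0149" action="Allow" '
    'proto="udp" src_ip="192.0.2.20" dst_ip="198.51.100.53" src_port="40001" '
    'dst_port="53" policy="DNS-out-00"',
    '<140>Jan 14 10:16:40 fw-edge-01 admd: msg_id="1100-0005" user="admin" '
    'action="login" result="failed" src_ip="203.0.113.9"',
]

# <PRI>Mon DD hh:mm:ss host tag: body
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:]+): (?P<body>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed label table keyed on the message-ID prefix (hypothetical values).
LABELS_BY_MSG_PREFIX = {"3000": "Traffic", "1100": "Authentication"}

# Vendor field name -> normalized field name (constructed mapping).
FIELD_MAP = {
    "src_ip": "source_address", "dst_ip": "destination_address",
    "src_port": "source_port", "dst_port": "destination_port",
    "proto": "protocol", "user": "user", "policy": "policy", "msg_id": "msg_id",
}

def parse_syslog(line: str) -> Dict[str, object]:
    """Split the syslog header and extract key="value" pairs from the body."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line[:40]!r}")
    pri = int(m.group("pri"))
    fields: Dict[str, object] = {
        "facility": pri // 8,       # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "device": m.group("host"),
        "process": m.group("tag"),
    }
    fields.update(KV_RE.findall(m.group("body")))
    return fields

def normalize(parsed: Dict[str, object]) -> Dict[str, object]:
    """Rename vendor fields to a common schema and coerce types."""
    keep = ("facility", "severity", "timestamp", "device", "process")
    event: Dict[str, object] = {k: parsed[k] for k in keep}
    for vendor, norm in FIELD_MAP.items():
        if vendor in parsed:
            event[norm] = parsed[vendor]
    for port in ("source_port", "destination_port"):
        if port in event:
            event[port] = int(event[port])
    for key in ("action", "result"):
        if key in parsed:
            event[key] = str(parsed[key]).lower()
    return event

def label(event: Dict[str, object]) -> str:
    """Classify by message-ID prefix, refined by the outcome fields."""
    prefix = str(event.get("msg_id", "")).split("-")[0]
    base = LABELS_BY_MSG_PREFIX.get(prefix, "Unclassified")
    action = event.get("action")
    if base == "Traffic" and action in ("allow", "deny"):
        return f"{base} {'Allowed' if action == 'allow' else 'Denied'}"
    if base == "Authentication" and "result" in event:
        return f"{base} {'Success' if event['result'] == 'success' else 'Failure'}"
    return base

def process(line: str) -> Dict[str, object]:
    event = normalize(parse_syslog(line))
    event["label"] = label(event)
    return event

def process_all(lines: List[str] = SAMPLE_LINES) -> List[Dict[str, object]]:
    return [process(line) for line in lines]

if __name__ == "__main__":
    for ev in process_all():
        print(ev["label"], ev["device"], ev.get("source_address"), ev.get("destination_port"))
```

Lines that do not match the syslog framing raise rather than being silently dropped, so a collector built on this can count and alert on unparsed records instead of losing them.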

When the WatchGuard Firewall detects threats, intrusions, or other events that pose a risk to your environment, the integration raises security alerts based on its predefined alert rules, enabling early detection and corrective action.

Supported Events

  • WatchGuard versions:

    • WatchGuard v11.x (including v11.9 and v11.10)

    • WatchGuard WiFi Cloud

    • WatchGuard Manage

  • WatchGuard log types:

    • Traffic Events: Allow/deny actions, connection attempts, session tracking, traffic flows, port activity

    • Security Events: Threat detection, malicious IP blocking, IPS signatures, hostile traffic

    • Attack Events: Port scans, flood attacks (SYN, UDP, ICMP, IPSec, IKE), DDoS detection, IP spoofing, ARP spoofing

    • IPS Events: Intrusion Prevention Service detections, signature-based attacks, exploit attempts

    • Content Filtering Events: HTTP proxy denials, content type blocking, category filtering, URL filtering

    • User Authentication Events: Successful/failed logins, user logoff, VPN authentication, RADIUS authentication

    • VPN Events: IPSec tunnels, VPN establishment, tunnel status, mobile VPN, gateway events

    • Virus/Malware Events: Virus detection, APT threats, scan errors, file submissions

    • DLP Events: Data leak detection, violation alerts, file scanning

    • Application Control Events: Application matching, protocol detection, service reputation

    • Wireless Events: WiFi Cloud events, access point management, client authentication, EAP events

    • System Events: Configuration changes, feature updates, license management, cluster events

    • Administrative Events: Admin login/logout, configuration updates, policy changes, device management

    • Email Security (SMTP Proxy): Spam detection, virus scanning, email content filtering

    • FTP Proxy Events: File transfers, upload/download monitoring, command filtering

    • DNS Proxy Events: Query monitoring, DNS request filtering, timeout events

    • Bandwidth Events: Data transfer tracking, sent/received data, connection bandwidth usage

    • High Availability Events: Cluster status, failover events, master/backup role changes, synchronization
