WatchGuard Firebox System 4.6 User Guide
log messages to the second Event Processor. It continues through the list until it finds an Event Processor capable of recording events.

Multiple Event Processors operate in failover mode, not redundancy mode—that is, events are not logged to multiple Event Processors simultaneously; they are logged only to the primary Event Processor unless that host becomes unavailable. Then the logs are passed on to the next available Event Processor according to the order of priority. As soon as a higher-priority Event Processor becomes available again, the logs are shifted to that host. The highest-ranking Event Processor available always receives the logs.

The LiveSecurity Event Processor software must be installed on each Event Processor. For more information, see “Setting up the LiveSecurity Event Processor” on page 73.

WatchGuard logging architecture

The flexible architecture of the Firebox System makes it possible to separate the logging and notification responsibilities to multiple machines. By default, the Policy Manager and the log and notification application – the LiveSecurity Event Processor – are installed on the same computer. You can, however, install the Event Processor software on a separate or multiple computers.

You must complete the following tasks to configure the firewall for logging and notification:

Policy Manager
- Add logging and notification host(s)
- Customize preferences for services and packet handling options
- Save the configuration file with logging properties to the Firebox

LiveSecurity Event Processor
- Install the software on each Event Processor
- Set global logging and notification preferences for the host
- Set the log encryption key on the Event Processor identical to the key set in Policy Manager.

Designating Event Processors for a Firebox

You should have at least one Event Processor to run the WatchGuard Firebox System. The default primary Event Processor is the Management Station, which is set when you run the QuickSetup wizard. You can specify a different primary Event Processor as well as multiple backup Event Processors.

• IP address of each Event Processor
• Encryption key to secure the connection between the Firebox and Event Processors
• Priority order of primary and backup Event Processors

Adding an Event Processor

From Policy Manager:
1 Select Setup => Logging.
2 Click Add.
3 Enter the IP address to be used by the Event Processor.
4 Enter the encryption key that secures the connection between the Firebox and the Event Processor.
  The default encryption key is the monitoring passphrase set in the QuickSetup wizard. You must use the same log encryption key for both the Firebox and the LiveSecurity Event Processor.
5 Click OK.

Repeat until all primary and backup Event Processors appear in the LiveSecurity Event Processors list.

Enabling Syslog logging

Note that Syslog logging is not encrypted; therefore, do not set the Syslog server to a host on the External interface. From Policy Manager:
1 Select Setup => Logging.
  The Logging Setup dialog box appears.
2 In the Logging Setup dialog box, click the Syslog tab.
3 Enable the Enable Syslog Logging checkbox.
4 Enter the IP address of the Syslog server.

Editing an Event Processor setting

Modify an Event Processor entry to change the log encryption key. From Policy Manager:
1 Select Setup => Logging.
  The Logging Setup dialog box appears.
2 Click the host name. Click Edit.
3 Modify the IP address or log encryption key fields. Click OK.
  You must use the same log encryption key for both the Firebox and the LiveSecurity Event Processor. To change the log encryption key on the Event Processor, see “Setting the log encryption key” on page 75.

Removing an Event Processor

Remove an Event Processor when you no longer want to use it for any logging purpose. From Policy Manager:
1 Select Setup => Logging.
  The Logging Setup dialog box appears.
2 Click the host name. Click Remove.
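
The failover behaviour described at the top of this section (one receiver at a time, shifting back up as higher-priority hosts return) can be modelled to see where each event ends up. This is an added example, not WatchGuard code; the host names, event ids and outage sequence are constructed, and the case where no Event Processor is reachable is left unplaced because the guide text here does not describe it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EventProcessor:
    name: str       # constructed host label, not from the guide
    priority: int   # 1 = primary; larger numbers are lower-priority backups

def select_receiver(processors, reachable):
    """Highest-ranking Event Processor that is reachable, or None."""
    for ep in sorted(processors, key=lambda p: p.priority):
        if ep.name in reachable:
            return ep
    return None

def replay(processors, timeline):
    """Place each event on exactly one host (failover, not redundancy).

    timeline: list of (event_id, set of reachable host names).
    Returns (stored, unplaced): stored maps host name -> event ids.
    """
    stored = {ep.name: [] for ep in processors}
    unplaced = []  # no host reachable; the guide excerpt does not cover this case
    for event_id, reachable in timeline:
        ep = select_receiver(processors, reachable)
        if ep is None:
            unplaced.append(event_id)
        else:
            stored[ep.name].append(event_id)
    return stored, unplaced

def missing_from(host, stored):
    """Event ids that were recorded, but on some host other than `host`."""
    return sorted(e for name, ids in stored.items() if name != host for e in ids)

# Constructed sample: three hosts and a six-event outage/recovery sequence.
PROCESSORS = [EventProcessor("primary", 1), EventProcessor("backup-1", 2),
              EventProcessor("backup-2", 3)]
ALL = {"primary", "backup-1", "backup-2"}
TIMELINE = [
    (1, ALL), (2, ALL),
    (3, {"backup-1", "backup-2"}),   # primary unreachable
    (4, {"backup-2"}),               # primary and backup-1 unreachable
    (5, {"backup-1", "backup-2"}),   # backup-1 back: logs shift up to it
    (6, ALL),                        # primary back: logs shift up again
]

if __name__ == "__main__":
    stored, unplaced = replay(PROCESSORS, TIMELINE)
    for name, ids in stored.items():
        print(f"{name}: {ids}")
    print("not on primary:", missing_from("primary", stored))
```

In this constructed run, reviewing only the primary's log misses events 3 to 5, so a complete record has to be assembled from every Event Processor in the priority list.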