Fastvue Integration with WatchGuard Firebox

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This document describes how to integrate Fastvue with your WatchGuard Firebox to gain visibility into your network traffic, web usage, and user activity.

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.11 or higher
  • Windows server
    • Fastvue Reporter for WatchGuard

Integration Topology

This diagram outlines the topology used for the Fastvue Reporter and WatchGuard Firebox integration.

Topology of Fastvue Integration with WatchGuard Firebox

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Fastvue account

Firebox Configuration

This example uses the Firebox internal trusted IP address of 192.168.150.1 and the Windows server at 192.168.150.3.

Syslog logging output from the WatchGuard Firebox is unencrypted. We recommend that you do not send unencrypted log messages on public networks.

Enable Syslog

To enable Syslog for your Cloud-managed Firebox:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from Account Manager.
  2. Select Configure > Devices, then select the cloud-managed Firebox.
  3. Select Device Configuration.
    The Firebox Device Configuration page opens.
  4. Click the Log Servers tile.
    The Log Servers page opens. If the device is subscribed to a template that includes a log server, you cannot edit the page. To edit the page, you must remove the template.

    5. Screenshot of the Device Configuration page with the Log Servers tile highlighted.

  5. Select the Send Log Messages to Syslog Server check box.

    6. Screenshot of the Log Servers page with the Send Log Messages to Syslog Server check box enabled.

  6. Click Add Syslog Server.
    The Add Syslog Server page opens.
  7. In the IP Address text box, type the IP address of your Windows server.
  8. In the Port text box, keep the 514 as default.
  9. From the Format drop-down list, select IBM LEEF.
  10. Clear the Include syslog headers check box.

    11. Screenshot of Cloud-Firebox, Configure Syslog 2

  11. Click Save to save the Syslog Server configuration.
  12. Click Save to save the Log Servers configuration.
  13. To apply the configuration to your Firebox, in the message banner, click Schedule Deployment.
    The Schedule Deployment dialog box opens.
  14. Select Deploy changes now.
  15. In the Description text box, type a description for the deployment. For this example, we entered Configure Syslog for Fastvue.

    16. Screenshot of Cloud-Firebox, Configure Syslog 3

  16. Click Deploy.
  17. Click Close.

Configure Outbound Policy

You can configure an Outbound policy to log all outbound traffic on your Firebox and report it to Fastvue.

To configure an outbound policy for your cloud-managed Firebox:

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select Configure > Devices, then select the cloud-managed Firebox.
  3. Select Device Configuration.
  4. Click the Firewall Policies tile.
    The Firewall Policies page opens.
  5. Click Add Firewall Policy.
    The Add Firewall Policy page opens.
  6. Select Outbound.

    7. Screenshot of Cloud-Firebox, Configure Outbound Policy 1

  7. Click Next.
    The Add Outbound Policy page opens.
  8. In the Name text box, enter a name for the policy.
  9. Select the Settings tab
  10. In the Action drop-down list, select Allow.
  11. In the Web Traffic section, select the Web Traffic (Ports 80, 443) and Decrypt HTTPS Traffic check boxes.
  12. Enable the Fastvue toggle.

    13. Screenshot of Cloud-Firebox, Configure Outbound Policy 2

  13. In the Traffic Types section, click Add Traffic Types.
    The Add Traffic Types page opens.
  14. From the traffic types list, select All TCP and UDP.

    15. Screenshot of Cloud-Firebox, Configure Outbound Policy 3

  15. Click Add.
  16. In the Source and Destination section, click Add Source.
    The Add Source Address dialog box opens.
  17. In the Type drop-down list, select Built-in Aliases.
  18. From the Built-in Aliases drop-down list, select Any-Internal.

    19. Screenshot of Cloud-Firebox, Configure Outbound Policy 4

  19. Click Add.
  20. In the Source and Destination section, click Add Destination.
    The Add Destination Address dialog box opens.
  21. From the Type drop-down list, select Built-in Aliases.
  22. From the Built-in Aliases drop-down list, select Any-External.

    23. Screenshot of Cloud-Firebox, Configure Outbound Policy 5

  23. Click Add.

    24. Screenshot of Cloud-Firebox, Configure Outbound Policy 6

  24. Leave all other settings as their default values.
  25. Click Save to save the policy.
  26. To apply the configuration to your Firebox, in the message banner, click Schedule Deployment.
    The Schedule Deployment dialog box opens.
  27. Select Deploy changes now.
  28. In the Description text box, enter a description for the deployment. For this example, we entered Configure Outbound Policy for Fastvue.

    29. Screenshot of Cloud-Firebox, Configure Outbound Policy 7

  29. Click Deploy.
  30. Click Close.

Install WatchGuard Proxy Authority Certificate

  1. Download the Proxy Authority certificate used for content inspection from the Certificate Portal at <Firebox Internal IP address>:4126/certportal, and install the certificate on the computer you want to do content inspection on.

    2. Install the Proxy Authority certificate with your Trusted Root Certification Authorities, and restart the browser after installation.

    Screenshot of Firebox, Certificate Portal

Enable Syslog

To enable syslog for your Firebox:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send Log Messages to These Syslog Servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.
  6. In the IP Address text box, type the IP address of your Windows server.
  7. In the Port text box, type 514. This is the default port of the Syslog protocol.
  8. From the Log Format drop-down list, select IBM LEEF.
  9. In the Description text box, enter a description to describe this syslog server.
  10. Select the The serial number of the device check box.
  11. Clear the The syslog header check box.

    12. Screenshot of firebox, config syslog server

  12. Click OK.
  13. Click Save.

Configure Referer and Content Type Logging

To use Fastvue Site Clean technology, you must configure your Firebox to log referrer URLs and content types.

To configure referer and content type logging for HTTP Request:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. Select Firewall > Proxy Actions.
    The Proxy Actions page opens

    3. Screenshot of Firebox, Proxy Actions page

  3. Select HTTP-Client.Standard (Predefined) and click Clone to clone a new HTTP proxy action template.
    The Clone page opens
  4. From the HTTP Request drop-down list, select Header Fields.

    5. Screenshot of Firebox, add HTTP proxy header fields

  5. Click Add.
    The Add Rule dialog box opens.
  6. Type Content-Type:* in both the Rule name and Value text boxes.
  7. From the Match type drop-down list, select Pattern Match.
  8. From the Action drop-down list, select Allow.
  9. Select the Log check box.

    10. Screenshot of Firebox, add Header Fields rule

  10. Click OK.
  11. In the table, select the Enabled and Log check boxes for the rule named Referer:*.

    12. Screenshot of Firebox, enable Header Fields rule

  12. Click Save.
  13. (Optional) You can clone and set up proxy actions to better inspect your network. For the rest of this section, we outline an example configuration for an HTTPS-Client proxy action. For more information on proxy actions, go to WatchGuard Fireware Proxies.
  14. Select Firewall > Proxy Actions.
  15. Select HTTPS-Client.Standard (Predefined), then click Clone to clone a new HTTPS proxy action template.
    The Clone page opens.
  16. In the Domain Names section, click Add to add a new Domain Name for content inspection.
    The Add Rule dialog box opens.
  17. Click Save.
  18. (Optional) You can clone and set up proxy actions to better inspect your network. For the rest of this section, we outline an example configuration for an HTTPS-Client proxy action. For more information on proxy actions, go to WatchGuard Fireware Proxies.
  19. Select Firewall > Proxy Actions.
  20. Select HTTPS-Client.Standard (Predefined), then click Clone to clone a new HTTPS proxy action template.
    The Clone page opens.
  21. In the Domain Names section, click Add to add a new Domain Name for content inspection.
    The Add Rule dialog box opens.

    22. Screenshot of Firebox, HTTPS Proxy Action Pag

  22. In the Rule Name and Value text boxes, enter a pattern of a domain in which you want to do a content inspection. For this example, we used *.bing.com.
  23. From the Match Type drop-down list, select Pattern Match.
  24. From the Action drop-down list, select Inspect.
  25. Select the Log check box.
  26. From the Proxy Action drop-down list, select the HTTP proxy action you just created. In this example, we selected HTTP-Client.Standard.1.

    27. Screenshot of Firebox, HTTPS Proxy Action Add Rule

  27. Keep the default values for all other settings.
  28. Click OK.
  29. Repeat steps 16 through 23 to add more domain names.
  30. Click Save.

Configure Proxy Policy

You can configure a TCP-UDP-Proxy to log all outbound traffic on your Firebox and report it to Fastvue.

To configure TCP-UDP-Proxy:

  1. Log in to Fireware Web UI at:
    https://<Firebox IP Address>:8080
  2. Select Firewall > Firewall Policies.
    The Policies page opens.
  3. Click Add Policy.
    The Add Firewall Policy page opens.
  4. In the Select a policy type section, select Proxies.
  5. From the Select a proxy drop-down list, select TCP-UDP-proxy.
  6. From the Select a Proxy action drop-down list, select TCP-UDP-Proxy.Standard.

    7. Screenshot of Firebox, add TCP-UDP Proxy

  7. Click Add Policy.
    The Add page opens.
  8. Select the Proxy Action tab.
  9. From the Proxy Action drop-down list, select Clone the current proxy action.
  10. From the HTTP drop-down list in the Redirection section, select the HTTPS-Client proxy action you just added. In this example, we selected HTTP-Client.Standard.1.
  11. (Optional) You can change the proxy actions of the redirection if you have other customized proxy actions. In this example, we selected HTTPS-Client.Standard.1 from the HTTPS drop-down list. For more information on proxy actions, go to About Proxy Actions.

    12. Screenshot of Firebox, config TCP-UDP Proxy Redirection

  12. Select the General tab.
  13. Select the Enable logging for reports check box.

    14. Screenshot of Firebox, config TCP-UDP Proxy General

  14. Keep the default values for all other settings.
  15. Click Save.
  16. (Optional) If you configured a custom HTTPS redirection, download the Proxy Authority certificate used for content inspection from the Certificate Portal at <Firebox Internal IP address>:4126/certportal, and install the certificate on the computer you want to do content inspection on.

    17. Install the Proxy Authority certificate with your Trusted Root Certification Authorities, and restart the browser after installation.

    Screenshot of Firebox, Certificate Porta

Configure Fastvue Reporter for WatchGuard

Use these instructions to install and configure Fastvue Reporter for WatchGuard on your Windows server:

  1. Log in to your Fastvue account.
  2. On the Fastvue Downloads page, click Download to download Fastvue Reporter for WatchGuard.

    3. Screenshot of Fastvue, download the Fastvue Reporter supports WatchGuard

  3. Run the installation wizard for Fastvue Reporter for WatchGuard.
  4. Open Fastvue Reporter for WatchGuard.
    The Fastvue Reporter WebUI is at http://localhost:80

    5. Screenshot of Windows Server, open Fastvue

  5. In the WatchGuard Host or IP text box, enter the Internal IP address of your Firebox.

    6. Screenshot of Fastvue Reporter, start dialog

  6. Click Let's go!.

Test the Integration

To test the Fastvue integration with WatchGuard Firebox:

  1. Open Fastvue Reporter for WatchGuard at:
    http://<your Windows Server IP address>:80
  2. Select Settings > Sources to check the records in the source page (it can take several seconds for the records to import).

    3. Screenshot of Fastvue Reporter, sources in settings page

  3. Select Dashboard > Overview to check the network overview analytical charts.

    4. Screenshot of Fastvue Reporter, dashboard

  4. Select Reports > Overview Report > All Usage.
  5. Use the Date From and Date To date pickers to select the start and end dates for the report.
  6. Click Run Report to generate the report.

    7. Screenshot of Fastvue Reporter, report

  7. (Optional) To test content inspection, add a custom keyword group or use the default keyword group. For this example, we added the keywords watchguard&fastvue in the keyword group My Keyword Group.

    8. Screenshot of Fastvue Reporter, add keyword group

  8. (Optional) Add a custom alert with the keyword group you just created.

    9. Screenshot of Fastvue Reporter, add alert

  9. (Optional) Use the computer with the Proxy Authority certificate installed to search for the keywords you added and to verify that alerts appear. In this example, we use Microsoft Bing to search for the keywords watchguard&fastvue.

    10. Screenshot of Fastvue Reporter, test alert