Fastvue Integration with WatchGuard Firebox

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This document describes how to integrate Fastvue with your WatchGuard Firebox to gain visibility into your network traffic, web usage, and user activity.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.10.4 or higher
  • Windows server
    • Fastvue Reporter for WatchGuard

Integration Topology

This diagram outlines the topology used for the Fastvue Reporter and WatchGuard Firebox integration.

Topology of Fastvue Integration with WatchGuard Firebox

Before You Begin

Before you begin these procedures, make sure that:

  • You have a Fastvue account

Firebox Configuration

This example uses the internal trusted IP address of 192.168.150.1 and the Windows server at 192.168.150.3. The configuration steps in this section use Fireware Web UI.

Syslog logging output from the WatchGuard Firebox is unencrypted. We recommend that you do not send unencrypted log messages on public networks.

Enable Syslog

To enable syslog for your Firebox:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. Select System > Logging.
    The Logging page opens.
  3. Select the Syslog Server tab.
  4. Select the Send Log Messages to These Syslog Servers check box.
  5. Click Add.
    The Syslog Server dialog box opens.
  6. In the IP Address text box, type the IP address of your Windows server.
  7. In the Port text box, type 514. This is the default port of the Syslog protocol.
  8. From the Log Format drop-down list, select IBM LEEF.
  9. In the Description text box, enter a description to describe this syslog server.
  10. Select the The serial number of the device check box.
  11. Clear the The syslog header check box.

Screenshot of Firebox, config syslog server

  12. Click OK.
  13. Click Save.

Configure Referer and Content Type Logging

To use Fastvue Site Clean technology, you must configure your Firebox to log referrer URLs and content types.

To configure referer and content type logging for HTTP Request:

  1. Log in to Fireware Web UI at:
    https://<your Firebox IP address>:8080
  2. Select Firewall > Proxy Actions.
    The Proxy Actions page opens.

Screenshot of Firebox, Proxy Actions page

  3. Select HTTP-Client.Standard (Predefined) and click Clone to clone a new HTTP proxy action template.
    The Clone page opens.
  4. From the HTTP Request drop-down list, select Header Fields.

Screenshot of Firebox, add HTTP proxy header fields

  5. Click Add.
    The Add Rule dialog box opens.
  6. Type Content-Type:* in both the Rule name and Value text boxes.
  7. From the Match type drop-down list, select Pattern Match.
  8. From the Action drop-down list, select Allow.
  9. Select the Log check box.

Screenshot of Firebox, add Header Fields rule

  10. Click OK.
  11. In the table, select the Enabled and Log check boxes for the rule named Referer:*.

Screenshot of Firebox, enable Header Fields rule

  12. Click Save.
  13. (Optional) You can clone and set up proxy actions to better inspect your network. For the rest of this section, we outline an example configuration for an HTTPS-Client proxy action. For more information on proxy actions, go to WatchGuard Fireware Proxies.
  14. Select Firewall > Proxy Actions.
  15. Select HTTPS-Client.Standard (Predefined), then click Clone to clone a new HTTPS proxy action template.
    The Clone page opens.
  16. In the Domain Names section, click Add to add a new Domain Name for content inspection.
    The Add Rule dialog box opens.

Screenshot of Firebox, HTTPS Proxy Action Page

  17. In the Rule Name and Value text boxes, enter a pattern for the domain whose content you want to inspect. For this example, we used *.bing.com.
  18. From the Match Type drop-down list, select Pattern Match.
  19. From the Action drop-down list, select Inspect.
  20. Select the Log check box.
  21. From the Proxy Action drop-down list, select the HTTP proxy action you just created. In this example, we selected HTTP-Client.Standard.1.

Screenshot of Firebox, HTTPS Proxy Action Add Rule

  22. Keep the default values for all other settings.
  23. Click OK.
  24. Repeat steps 16 through 23 to add more domain names.
  25. Click Save.
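
To confirm on the receiving side that the Firebox output arrives in IBM LEEF format and carries the referer and content-type values enabled in this section, you can parse a syslog payload captured on the Windows server. This is an added example, not WatchGuard or Fastvue code; the sample record and its attribute names (referer, contentType) are constructed placeholders, so substitute the names your Firebox actually emits.

```python
import re

# Constructed sample, not captured from a real Firebox: the vendor, product,
# event ID and attribute names are placeholders for illustration only.
SAMPLE = ("LEEF:1.0|ExampleVendor|ExampleFirewall|1.0|EVT0001|"
          "src=192.168.150.20\tdst=203.0.113.10\tdstPort=443\t"
          "referer=https://www.example.com/a?b=c\tcontentType=text/html")

HEADER_FIELDS = ("leef_version", "vendor", "product", "product_version", "event_id")
# LEEF 2.0 delimiter field: one character, or a hex code such as 0x09 or x09.
DELIM_FIELD = re.compile(r"((?:0x|x)[0-9A-Fa-f]{2,4}|[^|])\|")


def parse_leef(datagram):
    """Return (prefix, header, attributes) for one syslog payload.

    prefix is whatever precedes the LEEF marker (for example a syslog header),
    so you can see whether the sender still prepends one.
    """
    start = datagram.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF marker in datagram")
    prefix = datagram[:start].strip()
    parts = datagram[start + len("LEEF:"):].split("|", 5)
    if len(parts) < 6:
        raise ValueError("truncated LEEF header")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    rest, delim = parts[5], "\t"  # LEEF 1.0 separates attributes with tabs
    if header["leef_version"].startswith("2"):
        m = DELIM_FIELD.match(rest)
        if m:  # optional sixth header field names the delimiter
            spec, rest = m.group(1), rest[m.end():]
            delim = chr(int(spec.lower().split("x")[1], 16)) if len(spec) > 1 else spec
    attrs = {}
    for pair in rest.rstrip("\r\n").split(delim):
        key, sep, value = pair.partition("=")  # values may contain '='
        if sep and key:
            attrs[key.strip()] = value
    return prefix, header, attrs


def missing_attributes(attrs, required):
    """List the required attribute names that the record does not carry."""
    return [name for name in required if not attrs.get(name)]


if __name__ == "__main__":
    prefix, header, attrs = parse_leef(SAMPLE)
    print(header["vendor"], header["event_id"], repr(prefix))
    print("missing:", missing_attributes(attrs, ["referer", "contentType"]))
```

A non-empty prefix means text is still being sent ahead of the LEEF record, and a non-empty result from missing_attributes means the header-field logging rules are not reaching the log stream.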

Configure Proxy Policy

You can configure a TCP-UDP-Proxy to log all outbound traffic on your Firebox and report it to Fastvue.

To configure TCP-UDP-Proxy:

  1. Log in to Fireware Web UI at:
    https://<Firebox IP Address>:8080
  2. Select Firewall > Firewall Policies.
    The Policies page opens.
  3. Click Add Policy.
    The Add Firewall Policy page opens.
  4. In the Select a policy type section, select Proxies.
  5. From the Select a proxy drop-down list, select TCP-UDP-proxy.
  6. From the Select a Proxy action drop-down list, select TCP-UDP-Proxy.Standard.

Screenshot of Firebox, add TCP-UDP Proxy

  7. Click Add Policy.
    The Add page opens.
  8. Select the Proxy Action tab.
  9. From the Proxy Action drop-down list, select Clone the current proxy action.
  10. From the HTTP drop-down list in the Redirection section, select the HTTP-Client proxy action you just added. In this example, we selected HTTP-Client.Standard.1.
  11. (Optional) You can change the proxy actions of the redirection if you have other customized proxy actions. In this example, we selected HTTPS-Client.Standard.1 from the HTTPS drop-down list. For more information on proxy actions, go to About Proxy Actions.

Screenshot of Firebox, config TCP-UDP Proxy Redirection

  12. Select the General tab.
  13. Select the Enable logging for reports check box.

Screenshot of Firebox, config TCP-UDP Proxy General

  14. Keep the default values for all other settings.
  15. Click Save.
  16. (Optional) If you configured a custom HTTPS redirection, download the Proxy Authority certificate used for content inspection from the Certificate Portal at http://<Firebox IP address>:4126/certportal, and install the certificate on the computer you want to do content inspection on.
    Install the Proxy Authority certificate in your Trusted Root Certification Authorities store, and restart the browser after installation.

Screenshot of Firebox, Certificate Portal

Configure Fastvue Reporter for WatchGuard

Use these instructions to install and configure Fastvue Reporter for WatchGuard on your Windows server:

  1. Log in to your Fastvue account.
  2. On the Fastvue Downloads page, click Download to download Fastvue Reporter for WatchGuard.

Screenshot of Fastvue, download Fastvue Reporter for WatchGuard

  3. Run the installation wizard for Fastvue Reporter for WatchGuard.
  4. Open Fastvue Reporter for WatchGuard.

Screenshot of Windows Server, open Fastvue

  5. In the WatchGuard Host or IP text box, enter the IP address of your Firebox.

Screenshot of Fastvue Reporter, start dialog

  6. Click Let's go!.

Test the Integration

To test the Fastvue integration with WatchGuard Firebox:

  1. Open Fastvue Reporter for WatchGuard at:
    http://<your Windows Server machine IP address>:80
  2. Select Settings > Sources to check the records in the source page (it can take several seconds for the records to import).

Screenshot of Fastvue Reporter, sources in settings page

  3. Select Dashboard > Overview to check the network overview analytical charts.

Screenshot of Fastvue Reporter, dashboard

  4. Select Reports > Overview Report > All Usage.
  5. Use the Date From and Date To date pickers to select the start and end dates for the report.
  6. Click Run Report to generate the report.

Screenshot of Fastvue Reporter, report

  7. (Optional) To test content inspection, add a custom keyword group or use the default keyword group. For this example, we added the keywords watchguard&fastvue in the keyword group My Keyword Group.

Screenshot of Fastvue Reporter, add keyword group

  8. (Optional) Add a custom alert with the keyword group you just created.

Screenshot of Fastvue Reporter, add alert

  9. (Optional) Use the computer with the Proxy Authority certificate installed to search for the keywords you added and to verify that alerts appear. In this example, we use Bing to search for the keywords watchguard&fastvue.

Screenshot of Fastvue Reporter, test alert