Watchguard Server - Template Improvement for Logging


We are in the process of setting up a new Syslog server for advanced logging and alerting based on certain criteria (mostly security related) for our clients' Watchguards (~150 firewalls), which are all centrally managed.

After getting excited to finally find another use for the templates functionality, I found myself a bit disappointed that the single two check-boxes that generate 95% of the extraneous syslog messages generated by the fireboxes (unhandled internal/external packets) are located not under the general logging section, but under Default Threat Protection -> Default Packet Handling, Logging, and are NOT able to be modified via a template.

In our test scenarios, with default "error level logging" on a mid-size client, we're seeing roughly ~150 log messages a minute coming into the syslog server from a single firebox. With the unhandled packets logging turned off, this is reduced to ~20 log messages a minute. You multiply this by 150+ fireboxes, and you've found the ability to reduce your syslog overhead by 90% in both messages per minute, disk usage, and CPU -- assuming of course you don't care about logging these, which I don't at the moment.

Having to now go and touch 150+ firewalls to implement the syslog services is quite frustrating. Could some effort be made to try and consolidate the logging options for templating purposes even though they are in distinctly different sections of the policy manager?

