I would like to know if there is any way to integrate firebox cloud with Azure sentinel

I would like to know if there is any way to integrate firebox cloud with Azure sentinel or will be planned to do in the future. Thank you.

Comments

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @JZamorano
    At this current point in time there is no integration planned. Our integration team has started looking into it, but it'd be to early to provide a date this might be complete.

    It appears that Sentinel uses SNMP, which the firebox cloud can output. You can read more about setting that up here:

    (About SNMP)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/snmp_about_c.html

    -James Carson
    WatchGuard Customer Support

  • Thank you very much for the information, in other firewalls not yet integrated in Sentinel, I have seen that the integration is done with syslog, configuring an intermediate server that receives the logs and integrates them in Sentinel, is this possible or recommended? Thank you.

  • Any updates on this? We are looking to feed either into Sentinel as well. JZamorano, did you end up uploading data via syslog?

  • edited August 2020

    According to this page you can use the CEF output from Watchguard (misspelled Watchgaurd on the page) to get data into Sentinel. But the Watchguard page they link to is just for AP's. Not too sure what outputs the actual Firebox does, but I assume it has the same data outputs?

    I haven't tried it, but plan on trying it probably in ~3 months. I'd like anyone whom has made it work or not chime in in the meantime :)

  • @Raven Right, that page isn't for WatchGuard firewall products, although the link makes it appear as though it covers WatchGuard products in general.

    We have a syslog forwarder set up and passing WatchGuard syslog to Sentinel. Syslog isn't great, because unless there's a parser, the data is very raw. Sentinel's log searching abilities are very impressive and very, very fast--I've already used it to find something in < 1 s that Dimension seemingly couldn't find--but you're limited pretty much to source="syslog", timestamps, and free text searching. Nonetheless, I've found Sentinel to be brilliant thus far.

    CEF would be a nice step up if WatchGuard offered it. Better still would be if WatchGuard offered an integration similar to other firewall offerings already in Sentinel.

  • I agree Ryan, I'm playing with Sentinel now (a bit earlier than the 3 months I originally thought), and it's been pretty great.

    How do we re-raise this as an issue that needs attention? Most SMBs that need products like the WG and SIEMs are going to be on O365, and have easy, quick access to Sentinel.

    Honestly, if this stays without a connector (or at least CEF), we'll just migrate away sometime in 2021. We're a small shop -- I don't want to spend forever parsing syslog stuff -- buying a new firewall product would cost less than futzing with everything.

  • @Raven I'm really not sure what the escalation path might be, but I agree. Sentinel seems like a great match for companies of any size, but as you point out, perhaps an ideal SIEM product for WatchGuard's market. WatchGuard firewalls leave a lot to be desired from a SIEM standpoint, which wasn't a consideration when we purchased ours. Dimension is ok for canned reports (though _nothing _like Sentinel's Workbooks and other capabilities), but terrible for log searching in my experience. Many competing firewalls already offer Sentinel connectors, so the lack of a Sentinel connector and workbook is an increasingly notable shortcoming. The potential for Sentinel community involvement in producing useful queries, reports, etc. of WatchGuard data to share with all is also very promising.

    @James_Carson Do you have any suggestions?

Sign In to comment.