WatchGuard Cloud Visibility
edited April 2019 in Firebox - Dimension, Logging and Reporting
Today's email: Now Released: WatchGuard Cloud Visibility
How do we enable logging for it?
This is all the email says:
Enable logging in WatchGuard Cloud today by accessing it from the Support Center.
Where on the support center?
Looks like I need to enable a feature key for Dimension Total.
The current feature key on the support site does not include feature key for Dimension Total.
Nor is Dimension Total listed as an expiring option.
It was there while the beta licence was still active, but now that it has expired I see that Dimension Basic now has the same expiry date as my Firebox. So my guess is that you have to pay for Dimension Total. Not something I am fussed on doing while there is a 30 day limit on data retention and no visibility of detailed connections in the Policy Map view.
Adrian from Australia
The beta said that it would be included with the security suites.
As I recall, basic was for 1 day and Total was for 30 days retention, with longer at a cost.
Out of town for the weekend - will check when I get back.
You can add a device to Dimension cloud by following the directions here:
(Add a Firebox to WatchGuard Cloud)
Data retention will vary by device and subscription type, but can be expanded to meet your needs. You can view retention settings by looking in WG-Cloud here:
(Manage Data Retention Licenses)
WatchGuard Customer Support
The issue was that the Dimension Basic feature was not in the Feature Key on the support site on the same day that this e-mail came out from WG.
It is there now. It should have been there prior to the e-mail being sent out.
To James Carson:
Access to WatchGuard Cloud Visibility is still non-intuitive - as a number of us stated in the beta.
Actually, the question was why don't we see Dimension Total in the Firebox. My understanding is that Dimension Basic is for 1 day, as Bruce has already stated, while Dimension Total was for one month. I also understood that if you have a Total Security Suite on your Firebox then you should have Dimension Total. My Firebox only shows Dimension Basic.
Adrian from Australia
Data retention is enforced in the cloud, not on the Firebox. The Firebox just sends logs/data to the cloud. In beta, Dimension_Total in the feature key existed. After beta there is no Dimension_Total in feature keys, only Dimension_Basic. All Fireboxes with Basic Security or Total Security will see Dimension_Basic in the feature key. The expiration on that line item will match the Support expiration for that Firebox (1 yr / 3 yr, etc.). If you still have Dimension_Total in your feature key, you will need to refresh the feature key to remove that line item.
In regards to Bruce's concern about the Dimension_Basic not being in the feature key for his device at Visibility GA: there were problems with the grandfathering process to add the Dimension_Basic to the feature keys for Fireboxes that have Basic or Total Security, and some Fireboxes did not get updated prior to GA of Visibility. Those problems were fixed and all feature keys should be updated now.
Let me know if this information helps.
So that means that we are all on the one day expiry regardless of having Basic or Total Security?
None of this seems consistent with slide 7 "Feature Key Requirements" of the WatchGuard Cloud Visibility presentation.
Adrian from Australia
No - I have more than 1 days worth of logs there.
The Dimension Basic feature just allows logging to Cloud.
Visibility determines how much to have available based on your licenses.
Hi Bruce and Adrian -
The DIMENSION_BASIC and DIMENSION_TOTAL feature key was codified way back in 12.0, and unfortunately we're a bit stuck with it now because of how hard it is to change feature key names. The original idea was that _BASIC was for Management and _TOTAL was for Visibility (or vice versa, it was 2 years ago when that discussion was meaningful), but the Firebox exposes the WatchGuard Cloud (WGC) option for either FK entry. There is no connection between Basic Security Suite or Total Security Suite and data retention in WGC - the FK item just determines whether the box is allowed to talk to WGC. As George mentioned, we found an issue in the Firebox with how that _BASIC / _TOTAL logic was implemented as we were provisioning existing devices for GA. We were already planning on only using _BASIC, but thought we could just let _TOTAL age out; code gremlins had other plans for us (if either _BASIC or _TOTAL is expired in the FK, it disables the WGC option in Fireware). This should have only been an issue for Beta participants, and resyncing the FK will clear it up (also as George mentions).
TL;DR - Bruce is right. DIMENSION_BASIC is all you need in the FK, and data retention is entirely determined on the backend by BSS (1-day) or TSS (30-days).
Has pricing been released for WGC Data Retention? I'm all for moving to WGC but that's totally dependent on $$ for data retention. I would want 6 months minimum (just in case something bad happens).
Pricing for WatchGuard Cloud monthly data retention per firebox model is available in the April Price List. Please reach out to your Distribution or Reseller/MSP Partner for the same. You can purchase multiple quantities (in this case 5 if you have Total Security Suite on the Firebox, or 6 if you have Basic Security Suite on the Firebox) to enable a total of 6 months Data Retention on the respective Firebox Model.
Trying to diagnose a device that is not connecting to WG Cloud. Can anyone confirm what ports are used for communication from Firebox to WG Cloud?
For logging to WatchGuard Cloud Visibility, TCP port 4115.
You don't need an added firewall policy to allow this.
Verify that you do have Dimension Basic in your Feature Keys.
If not, you need to get a new feature key from the support site.
Thank you. Just trying to confirm traffic is getting past an upstream firewall.
@MattN - your best path forward is to open a Support Case. The Firebox uses port 443 to communicate with WatchGuard Cloud (assuming you're running Fireware 12.3 or newer), so unless your upstream Firebox imposes any sort of Authentication requirements you should be good to go.
edit: port 4115 is for logging to an on-premise Dimension server, and does not need to be opened if you are only logging to WatchGuard Cloud.
Then why am I seeing TCP port 4115 from my firewall external IP addr to 220.127.116.11 - allowed by the Any From Firebox-00 policy?
Also, the only TCP 443 I am seeing from my firewall external interface is to 18.104.22.168, which is SurfControl, Inc.
So does logging to WG Cloud not use the Any From Firebox policy?
@Bruce - what Fireware version are you running? The switch for Cloud using 443 was finalized in 12.3.1. Even then, prior to 12.3.1 it should have been using 8883 and not 4115. Do you happen to be running a Dimension instance that you're hosting in AWS, since that IP address is owned by Amazon per Arin?
To answer your last question, logging to WGC uses whatever outbound 443 policy you have set in your configuration (possibly your outbound HTTPS policy).
Dimension is local.
My only cloud stuff is WG related.
Why would logs to WGC use a policy other than Any From Firebox?
Bruce, is TDR configured on your appliance?
Looks like there are a few contexts here being discussed:
Yes, TDR is enabled.
@Bruce_Briggs I can confirm that the Logging you are seeing to :4115 is for TDR.
Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
WatchGuard Technologies, Inc.
Firebox uses TCP port 4115 for TDR communications with Cloud. This is the traffic observed in that case.
However, I did not see any other outgoing packets from Any From Firebox which could be for WGC logging.
Does anyone have a reason why this is?
It's a persistent connection. A policy match won't be logged unless a new connection is opened to the destination. If you disable/re-enable cloud logging, you'll see an Any From Firebox policy match emitted in the Traffic Monitor.
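The point made in the last reply (a long-lived session shows up once in a per-connection log, so a single TCP 443 match from the Firebox followed by silence is normal, while the repeated TCP 4115 matches are TDR) is easy to verify by tallying outbound-from-Firebox events by destination port and policy. The script below is an added example, not WatchGuard code or the real Firebox log syntax: it uses a constructed, simplified line format and constructed documentation-range IP addresses, and the policy names and ports are taken from this thread.

```python
"""
Added example (not WatchGuard code). Tallies outbound connections from the
Firebox's own external IP in simplified, constructed traffic-log lines, so a
defender diagnosing WatchGuard Cloud connectivity can see whether a TCP 443
session was ever opened and separate it from other outbound traffic such as
TDR on TCP 4115.

Constructed line format (a simplification, not the real Firebox syslog layout):
  <timestamp> <action> <src_ip> <dst_ip> <proto> <dst_port> (<policy name>)
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>Allow|Deny)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<dport>\d+)\s+\((?P<policy>[^)]+)\)$"
)

# Constructed sample lines; 198.51.100.10 plays the Firebox external IP and the
# 203.0.113.x hosts are placeholder cloud endpoints (documentation ranges).
SAMPLE_LOG = """\
2019-04-02T10:00:01 Allow 198.51.100.10 203.0.113.20 tcp 4115 (Any From Firebox-00)
2019-04-02T10:00:05 Allow 198.51.100.10 203.0.113.30 tcp 443 (Any From Firebox-00)
2019-04-02T10:00:09 Allow 192.0.2.15 203.0.113.40 tcp 443 (HTTPS-00)
2019-04-02T10:30:12 Allow 198.51.100.10 203.0.113.20 tcp 4115 (Any From Firebox-00)
2019-04-02T11:00:00 Deny 192.0.2.16 203.0.113.50 tcp 8883 (Unhandled External Packet-00)
"""


def parse_lines(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            entries.append(entry)
    return entries


def outbound_from_firebox(entries, firebox_ip):
    """Keep only allowed connections whose source is the Firebox's own IP
    (i.e. traffic the device itself originates, such as cloud logging or TDR)."""
    return [e for e in entries if e["src"] == firebox_ip and e["action"] == "Allow"]


def count_by_port_and_policy(entries):
    """Return {(dport, policy): number of new-connection events}."""
    counts = defaultdict(int)
    for e in entries:
        counts[(e["dport"], e["policy"])] += 1
    return dict(counts)


def cloud_logging_sessions(entries):
    """Count new TCP 443 sessions opened by the Firebox itself.

    A single event with nothing after it is what a persistent session looks
    like in a per-connection log: only the initial open is recorded.
    """
    return sum(1 for e in entries if e["proto"] == "tcp" and e["dport"] == 443)


if __name__ == "__main__":
    firebox_events = outbound_from_firebox(parse_lines(SAMPLE_LOG), "198.51.100.10")
    for (port, policy), n in sorted(count_by_port_and_policy(firebox_events).items()):
        print(f"port {port:5d} via {policy!r}: {n} new connection(s)")
    print("TCP 443 sessions opened by the Firebox:", cloud_logging_sessions(firebox_events))
```

Run against a real export you would first adapt `LINE_RE` to the actual log layout; the filtering on source IP is what matters, since device-originated traffic and user traffic through an outbound HTTPS policy both land on port 443.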