Solved

Watchguard Firebox Date/Time is Incorrect

Posted on 2005-04-22
Last Modified: 2015-09-23
I am helping to troubleshoot an issue with a Watchguard Firebox III/1000.  This firewall is up and operating correctly.  However, the date/time indicated in the "Traffic Monitor" and "Status Report" is way off.  I have seen in the documentation that the unit should have a "Management Station" connected to it via Serial and Ethernet.  It does not currently have a station connected.  A user logs into it through a program called "Watchguard Firebox System 7.0".  They are able to view logs and real-time statistics through this program but it is not connected as the "management station" (at least not via a Serial Cable or directly through CAT5).

Does anyone have any advice on this problem?  The date/time need to be synchronized for a number of reasons.  I am also concerned b/c I want to make sure this isn't a signal of any type of OS corruption.  Thanks.
Question by:heatfan07
17 Comments
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13865571
You should now be running Core V8.0 Management software for the Firebox III Series. You can download this from the Watchguard website with a valid LiveSecurity subscription.

Install this on a machine that can run 24/7 and configure it to log in to the firewall over Ethernet; you will need to know the LAN IP address for this. Then set up the Log server using the IP address of the Firewall's LAN IP and the existing encryption key, and launch this from the taskbar on this version of software.

Next check your time zone is correct in the Policy Manager under Setup. Also check the logging is set correctly here too, by putting in the IP address of the machine you have the software installed on, then save changes to the firewall.

Rgds

Paul
0
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13865577
Oh, btw, don't let the management station thing confuse you; the machine you're using to launch the WFS 7.0 from is the management station, effectively.
0
 
LVL 3

Author Comment

by:heatfan07
ID: 13866505
Thanks for your response.  The machine with the 7.0 software installed seems to be able to complete all of the normal tasks described for the Management Station.  I can look at HostWatch, Policy Manager, and the regular console with all tabs active and reporting information.

The only initial indicator that something was wrong was when I noticed that both the Traffic Monitor and Status Report were showing a date from 1981 and an incorrect time.

On the machine that runs the software, nothing is loading at Startup (no log server process, etc.)  I can simply connect to the Firebox and look at whatever I need at random.  Also, this machine is not running 24/7 as it is a simple client PC on my LAN.

As an additional note, the date/time stamp listed in the HostWatch module is correct.  I am wondering if possibly the Traffic Monitor and Status Report were just thrown off at some point.

I am in need of additional advice on how the Traffic Monitor and Status Report synchronize their time, how to be certain the time/date of the Firebox machine is not corrupted, and how to synchronize all time functions of this Firebox and have it set up under the "best practices" for its use.

Thanks again for all assistance.
0

 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13867131
Understood,

The Firebox gets its time from the log host, which would be the management server you have specified; this is why it should be on 24/7. You need to set it up as a log server for it to sync, which I mentioned above. HostWatch gets its time from the local machine. You need to open the Policy Manager and go to Setup, set the time zone first, then go to Logging, set the IP address of the management server, and assign a log encryption key ("your choice"), then save this to the Firebox. Then, on the little red icon in the systray, go to WSEP configuration and set up the logging host connection there, using the encryption key you assigned earlier. Also make sure you're running the simple TCP/IP service, and the WatchGuard needs to have TCP port 4107 access to the machine you're using as the management server.

I forgot to mention, for all this to happen you actually need the event logging service installed as part of the installation of the WFS software application.

I wouldn't have thought that the Firebox firmware was corrupt; this is very unusual. If in any doubt then we can reflash it: go to the Policy Manager, select Save from the top left, enter the configuration passphrase, on the next screen check the save to firebox checkbox, and save configuration file and new flash image radio buttons, and press OK. This should then create a new flash image and flash the Firebox with this.

Let me know how you get on.

Paul
0
 
LVL 3

Author Comment

by:heatfan07
ID: 13877829
I think the information you provided above has given me some idea of what is going on.  I would like to make sure I'm on the right track before moving on.  First, I can verify that the 'event logging service' was not installed along with this installation of Firebox System Manager that is currently on my PC.  The service does not have a line item entry in the Services list for Windows and when I initialize WSEP on the local PC, BOTH 'Start Service' and 'Stop Service' are greyed out.

So, my understanding from above is simply that I will need to start from scratch with the Management Server by installing the identical software on a dedicated PC (24/7 uptime) and making sure that I choose to install the event logging service along with it during the install.

With that being said, I have also noted that from Policy Manager it appears that no logs are currently enabled.  I am slightly confused b/c I do not want to actually change much of the Firewall configuration (adding logs, enabling services, etc.) but DO want the date/time readout in 'Traffic Monitor' and 'Status Report' to change to the correct date/time.

Will I actually be making any configuration changes to the Firebox itself if/when I install 'Firebox System Manager' on a dedicated PC?  My understanding is that the actual config file is stored on the Firebox's own HDD and then can be copied down to the Management Server for investigation/editing.  

Can you please walk me through the necessary steps to have a correct setup for the Management Server and all relevant details for precautions, etc?  I want to be sure that I do not lose or inadvertently change any of the current firewall configurations.  I appreciate the additional help.
0
 
LVL 3

Author Comment

by:heatfan07
ID: 13889332
Hello Paul and other experts,

I have now doubled the points value for this question.  I will continue to increase the value daily as I have points to dedicate to it.  I am in need of an answer on this one.

My last question (last paragraph above) summarizes where I stand with this issue.  I need to know how to successfully "reconnect" a 24/7 Management Server to this Firebox unit.  In addition, it is IMPERATIVE that no settings on the actual Firebox unit are inadvertently changed.  Lastly, the original (and current) overall goal is to synchronize or correct the time/date displays for 'Status Report' and 'Traffic Monitor'.  I want to be certain that all aspects of this firewall are set up as they should be (best practices).

Thanks for all previous and future responses.
0
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13889457
Do you have a current livesecurity certificate ?
0
 
LVL 3

Author Comment

by:heatfan07
ID: 13889465
Unfortunately I do not.
0
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13889496
OK, what's the version that you're trying to re-install, is it WFS V7.0?
0
 
LVL 3

Author Comment

by:heatfan07
ID: 13889536
WatchGuard Firebox System Manager Version 7.00

It is running on my PC right now (connected to domain) but as we discussed in the thread, I am not running this PC 24/7 neither am I pulling any logs or running any log services on this PC.
0
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13889729
OK, I'm going to post a link to the manual for WFS 7.0

http://www.department7.co.uk/public/docs/watchguard/v70UserGuide.pdf

There are no real best practices for the connection as it either connects or doesn't; it would take far too long to type the whole configuration from start to finish.

1. You really need a machine you can run 24/7 to be used as a log server
2. You won't reconfigure the firewall just re-enabling logging, it's OK
3. If you install a fresh copy of the WFS 7.0 on a new machine it will just ask you when you open the Policy Manager .cfg; it won't overwrite it on the Firebox.
4. If you're going to use the existing machine I'll post an excerpt from WatchGuard's site on how to troubleshoot the time.
0
 
LVL 3

Accepted Solution

by:
Paul_Howard_D7 earned 580 total points
ID: 13889751
Troubleshooting the log host

There are a few reasons why the log host would not appear to be connected properly to the Firebox. We will present the common solutions here.

There are several items that must be configured properly for successful logging...


The Firebox must be configured with the correct encryption key and IP address of the Log Host
The Log Host must be running the logging service (the WG Security Event Processor service)
The Log Host must be configured with the same encryption key as the Firebox
The Log Host must be able to accept connections from the Firebox (any software firewall must allow the connection)



--------------------------------------------------------------------------------


Is the Firebox configured for the correct encryption key and IP address of the Log Host?

Verify that the static IP address and encryption key of the log host is correctly configured on the Firebox.

Open the Policy Manager with your current configuration file.
Click Setup => Logging.
The "WSEP Log Hosts" tab displays a list of Watchguard Security Event Processors (Log Hosts that run the WatchGuard Security Event Processor service) to which the Firebox can log. The static IP address of the primary log host should appear at the top of this list.
Remove all entries in this list by highlighting them and clicking Remove.
Click Add. Enter the log host static IP address and Log Encryption Key. Click OK.

Note:  The machine configured as the log host must have a static IP address. The Firebox must be configured with the IP address of the log host, so the IP address of the log host cannot change.

Click OK to close the Logging Setup dialog box. Save the new configuration file to your Firebox.
The Firebox will immediately attempt to send log information to the log host.


--------------------------------------------------------------------------------



Is the WG Security Event Processor service installed and running on my log host?

To verify that the logging service is installed and running on a Windows XP or Windows 2000 or Windows NT log host:

Open the Windows Control Panel. Double-click Services. (On Windows 2000 and Windows XP, go to Administrative Tools in Control Panel to see the Services applet.) You should see WG Security Event Processor with the status Started. If this is the case, then your log host is running the logging process.


Figure 1: Windows Services

If you do not see the WG Security Event Processor process, continue with these steps.

Open a command prompt.

Change directories to the WatchGuard installation directory.
The default location is C:\Program Files\WatchGuard.

Enter the following command:

      controld -nt-install

Enter the following command:

      controld -nt-start

This will install and start the necessary service.




--------------------------------------------------------------------------------


Is the Log Host configured with the correct log encryption key?

The key is used to encrypt traffic between the two devices. If it is not the same as the encryption key configured on the Firebox, the Firebox will send log messages to the log host that it can not interpret or store.

In the Windows System Tray, look for a red Firebox-like icon:



This represents the WatchGuard Security Event Processor.


Note:  If you do not see the red icon, open the Firebox System Manager and click on the Main Menu button. Click Tools=>Logging=>Event Processor Interface. See Figure 2 below:


Figure 2: Bringing up the WatchGuard Security Event Processor icon

The red icon will then appear in the System Tray.

Right-click the WatchGuard Security Event Processor icon. Select WSEP Status/Configuration.


Select File => Set Log Encryption Key. Enter the Log Encryption Key. This must be the same key entered in the Firebox configuration file for this log host:



Figure 3: Set the log encryption key in the WatchGuard Security Event Processor interface



Click OK.
The CONTROLD service restarts with the new log encryption key. After a few seconds, a message appears in the lower right corner of the dialog box with the message "Connected to the Service."



--------------------------------------------------------------------------------


Can the log host accept connections from the Firebox?

WatchGuard logging uses TCP port 4107. If the log host has a software-based firewall installed, there must be an exception in the firewall settings that allows the log host to accept connections over TCP port 4107 from the Firebox IP address.

For the Windows Firewall included with Windows XP SP2, you can add an exception by application name or by port. To add an exception to the Windows Firewall for an application, click on the Windows Firewall Exceptions tab, and then click on the Add Program button. Finally, browse to the directory where you installed the WatchGuard software. Add an exception for controld.exe.
0
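The checklist in the accepted answer separates "the logging service is not running" from "a software firewall on the log host blocks TCP port 4107". The following Python sketch is an added example, not part of the original post or of WatchGuard's tooling: it classifies one TCP connection attempt to the log host so the two cases can be told apart. The function names and advice strings are illustrative assumptions; only the port number, service name and `controld.exe` come from the post.

```python
import socket

WSEP_PORT = 4107  # TCP port the post gives for WatchGuard logging


def probe_log_port(host, port=WSEP_PORT, timeout=3.0):
    """Classify one TCP connection attempt to the log host.

    Returns 'listening', 'refused', 'filtered' or 'unreachable'.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "listening"      # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"        # host replied with a reset: no listener
    except socket.timeout:
        return "filtered"       # no reply at all: packets silently dropped
    except OSError:
        return "unreachable"    # no route, bad address, host down
    finally:
        sock.close()


# Mapping from probe result to the checklist item in the post (wording added here).
ADVICE = {
    "listening": "A process accepts connections on the port; next compare "
                 "the log encryption key on the Firebox and the log host.",
    "refused": "The host answers but nothing listens; check that the WG "
               "Security Event Processor service is installed and started.",
    "filtered": "No answer; look for a software firewall on the log host "
                "lacking an exception for the port or for controld.exe.",
    "unreachable": "The address cannot be reached; check the static IP "
                   "configured for the log host.",
}


def diagnose(host, port=WSEP_PORT, timeout=3.0):
    """Return (state, advice) for the given log host."""
    state = probe_log_port(host, port, timeout)
    return state, ADVICE[state]


if __name__ == "__main__":
    import sys
    # 127.0.0.1 is a placeholder default; pass the log host's static IP.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("%s:%d -> %s: %s" % ((target, WSEP_PORT) + diagnose(target)))
```

A firewall exception scoped to the Firebox IP address will still show as "filtered" when the probe runs from any other machine, and a "listening" result says nothing about whether the encryption keys match.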
 
LVL 3

Author Comment

by:heatfan07
ID: 13889797
Thanks very much.  Is it alright to set my PC up as the log host even though it will not be on all of the time?
0
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13889880
I've never set up a machine as a log server that wasn't on 24/7. I can't recommend it, as the Firebox will be trying to connect to a machine that's not there and be throwing error events to itself.

I can only say try it, it should correct your time issues once connected though.

Paul
0
 
LVL 3

Author Comment

by:heatfan07
ID: 13889908
Thanks again for all of your help.  I appreciate your diligence on such a detailed topic.  Just for the record, this one could possibly be a big helper to folks like me who don't have the LiveSecurity subscription and have some things like this left undone by the last admin.  I wish I had more points to award but I'll be sure to keep your name in mind as I work on questions here from time to time.  Maybe there's something I can help you out with someday.  Thanks again!!!
0
 
LVL 3

Expert Comment

by:Paul_Howard_D7
ID: 13889968
My pleasure,

Just bear in mind that without a current LiveSecurity subscription you are not getting the latest updates to the firewall software, and it's relatively inexpensive. I would invest in this ASAP as you will be vulnerable to new threats unless you do.

Paul
0
 

Expert Comment

by:Star-MIS
ID: 40992095
Just my 2 cents, and I know this topic is old, but why the aversion to leaving the log server on 24/7? A networked computer that is turned off is useless.  The ones who turn off their computers at night are the first ones to ring my phone in the morning saying their computers are slow because all the tasks that run at night kick off when they restart.
Or maybe it is just so they have an excuse to get coffee?
0
