WatchGuard Firewall Device Integration

Modified on Fri, 21 Nov at 10:24 AM

Overview

This guide provides detailed steps to configure a WatchGuard Firewall for forwarding both Syslog logs and NetFlow traffic data to ADR using the CCE (Collection and Control Engine). The configuration allows the firewall to send:

  • Syslog logs (firewall logs and security events) forwarded on UDP port 514.
  • NetFlow/IPFIX traffic metadata forwarded on UDP port 9995.

Once properly configured, ADR ingests and correlates these logs and flow data to provide comprehensive visibility and proactive threat detection.


Prerequisites

  • Admin access to the WatchGuard Firewall Web UI or CLI.
  • Admin access to the ADR dashboard.
  • Ensure firewall connectivity to the ADR CCE on the following ports and IP address:
    • UDP port 514 for Syslog.
    • UDP port 9995 for NetFlow.
    • The IP address of the CCE server.


Syslog Configuration (WatchGuard)

Step 1: Enable Syslog Logging

  1. Log in to the WatchGuard Web UI.
  2. Navigate to: System → Logging → Syslog Server.
  3. Enable Send log messages to syslog server.


Step 2: Configure Syslog Server

  1. Add a new Syslog server:
    • Server IP = <CCE_IP>
    • Port = 514
    • Protocol = UDP
    • Log Format = LEEF
    • Facility = Local7 (recommended)
    • Severity = Warning (or lower to capture more logs).
  2. Select the log categories to forward:
    • Traffic logs
    • Security events (IPS, AV, Threat Detection, VPN)
    • System events
  3. Apply the settings.



NetFlow Configuration (WatchGuard)

Step 1: Enable NetFlow

  1. In the WatchGuard Web UI, go to: System → NetFlow Settings.
  2. Enable NetFlow Export.


Step 2: Configure NetFlow Collector

  1. Add a NetFlow collector:
    • Collector IP = <CCE_IP>
    • Port = 9995
    • Version = V5
    • Active Timeout = 1 min
    • For each interface to be monitored → Enable NetFlow export.
  2. Save and apply.



Verification

Log in to the ADR Dashboard.

Navigate to: System → Logs and Flows Collection Status.

Confirm that the WatchGuard Firewall IP is listed under Source Device IP for both logs and flows.
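
If the firewall does not appear, it helps to check whether datagrams captured on the CCE host match the settings above: Facility Local7 with a LEEF payload on UDP 514, and a well-formed NetFlow V5 export on UDP 9995. The following is an added example, not code from ADR or WatchGuard; the function names are hypothetical and the sample datagrams are constructed for illustration, not captured from a device.

```python
import re
import struct

FACILITY_LOCAL7 = 23                        # syslog facility code for Local7
NF5_HEADER = struct.Struct("!HHIIIIBBH")    # 24-byte NetFlow v5 header
NF5_RECORD_LEN = 48                         # fixed size of each v5 flow record

def check_syslog(datagram: bytes) -> dict:
    """Decode <PRI> and look for a LEEF header in one syslog datagram."""
    text = datagram.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>", text)
    if not m or int(m.group(1)) > 191:
        return {"ok": False, "reason": "missing or invalid <PRI>"}
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    leef = re.search(r"LEEF:(\d\.\d)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|", text)
    return {
        "ok": facility == FACILITY_LOCAL7 and leef is not None,
        "facility": facility,
        "severity": severity,               # 4 = Warning in syslog numbering
        "leef_version": leef.group(1) if leef else None,
        "vendor": leef.group(2) if leef else None,
    }

def check_netflow_v5(datagram: bytes) -> dict:
    """Validate the v5 header and that the length matches its record count."""
    if len(datagram) < NF5_HEADER.size:
        return {"ok": False, "reason": "shorter than 24-byte header"}
    version, count, *_ = NF5_HEADER.unpack_from(datagram)
    if version != 5:
        return {"ok": False, "reason": f"version {version}, expected 5"}
    expected = NF5_HEADER.size + count * NF5_RECORD_LEN
    if not 1 <= count <= 30 or len(datagram) != expected:
        return {"ok": False, "reason": "record count does not match length"}
    return {"ok": True, "version": version, "records": count}

# Constructed samples (not real device output); field values are placeholders.
SAMPLE_SYSLOG = (b"<188>Nov 21 10:24:00 fw-example "
                 b"LEEF:1.0|WatchGuard|EXAMPLE|0.0|EXAMPLE-ID|src=192.0.2.10\tdst=198.51.100.7")
SAMPLE_FLOW = NF5_HEADER.pack(5, 2, 60000, 1763720640, 0, 1, 0, 0, 0) + bytes(2 * NF5_RECORD_LEN)

if __name__ == "__main__":
    print(check_syslog(SAMPLE_SYSLOG))
    print(check_netflow_v5(SAMPLE_FLOW))
```

Feed these functions the UDP payloads from a packet capture on the CCE host; a failing result indicates which firewall setting (facility, log format, or NetFlow version) differs from this guide.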
