WatchGuard Firewall

Connect WatchGuard Firewall to Radiant Security to forward syslog for AI triage.

WatchGuard Firewall (Firebox) is a network firewall and unified threat management appliance that inspects perimeter traffic and blocks intrusions, malware, and policy violations. Connecting WatchGuard Firewall forwards firewall traffic, intrusion alerts, and diagnostic logs to Radiant Security via syslog through the Radiant Agent. Radiant uses these logs for AI triage, giving analysts perimeter context for verdicts on suspicious network activity.

Prerequisites

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors, then click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select WatchGuard Firebox Firewall, then click Credentials.

  5. Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Radiant Agent integration). To reuse an existing Radiant Agent credential, select it from the drop-down menu.

  6. Click Add Connector.

Configure WatchGuard Firebox to forward syslog

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive WatchGuard Firewall data. If you do not know the port, contact your Customer Success representative.

For vendor instructions, refer to WatchGuard's Send Log Messages to a Syslog Server guide. Multiple syslog servers are supported in Fireware v12.4 and higher for locally-managed Fireboxes.

  1. In Fireware Web UI or Policy Manager, select System > Logging.

  2. Click the Syslog Server tab.

  3. Select the Send log messages to these syslog servers checkbox.

  4. Click Add.

  5. In the IP Address field, enter the IP address of the Radiant Agent.

  6. In the Port field, enter the port configured on the Radiant Agent to receive WatchGuard Firewall data.

  7. From the Log Format drop-down list, select Syslog.

  8. In the Description field, enter a description for the server (e.g., Radiant Security Connector).

  9. Select the Time Stamp and Serial Number checkboxes.

  10. In the Syslog Settings section, leave the default facility values and set Performance to None:

    • Alarm: Local0

    • Traffic: Local1

    • Event: Local2

    • Diagnostic: Local3

    • Performance: None

  11. Click Save.
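
To check what the Firebox sends after you save, decode the syslog PRI value on lines captured at the Radiant Agent host and map the facility back to the log types set in step 10. This is an added example, not WatchGuard or Radiant code; the function names and sample lines are constructed, and it assumes each captured line starts with the standard syslog `<PRI>` header (PRI = facility × 8 + severity, Local0 = facility 16).

```python
import re

# Facility assignments from the Syslog Settings step above. Performance is set
# to None, so it has no facility and should never show up.
FACILITY_TO_LOG_TYPE = {16: "Alarm", 17: "Traffic", 18: "Event", 19: "Diagnostic"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def classify(line):
    """Return (log_type, severity) for a raw syslog line, or None if the PRI is missing or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    log_type = FACILITY_TO_LOG_TYPE.get(facility, "unexpected-facility-%d" % facility)
    return log_type, SEVERITIES[severity]


def summarize(lines):
    """Count lines per log type; lines without a valid PRI are counted as 'malformed'."""
    counts = {}
    for line in lines:
        result = classify(line)
        key = result[0] if result else "malformed"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not real Firebox output); message bodies are placeholders.
SAMPLE = [
    "<142>Jan 01 00:00:01 SERIAL-PLACEHOLDER placeholder traffic message",
    "<129>Jan 01 00:00:02 SERIAL-PLACEHOLDER placeholder alarm message",
    "<150>Jan 01 00:00:03 SERIAL-PLACEHOLDER placeholder event message",
    "<158>Jan 01 00:00:04 SERIAL-PLACEHOLDER placeholder diagnostic message",
    "<30>Jan 01 00:00:05 other-host message from a different sender",
    "line with no PRI header",
]

if __name__ == "__main__":
    for log_type, n in sorted(summarize(SAMPLE).items()):
        print(log_type, n)
```

An `unexpected-facility-N` count on the agent's WatchGuard port means either the facility defaults were changed on the Firebox or another device is sending to the same port.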

Verify ingestion

After WatchGuard Firewall begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"watchguard_firebox".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
