Troubleshooting Watchguard Firewall

Common Issues and Solutions

Installation Issues

Issue: Integration fails to install

  • Solution: Verify Logpoint version compatibility (v7.4.0 or later)

  • Solution: Check available disk space and system resources

  • Solution: Ensure proper administrative privileges

Issue: Integration not visible after installation

  • Solution: Refresh the browser and check under Settings >> System Settings >> Plugins

  • Solution: Restart Logpoint if necessary

Configuration Issues

Issue: Cannot configure syslog forwarding on WatchGuard device

  • Solution: Verify you have administrative access to WatchGuard device

  • Solution: Ensure Logpoint IP address is reachable from WatchGuard device

  • Solution: Check that the Firebox's own policies and any firewall on the path allow syslog from the device to the Logpoint IP (typically UDP port 514); plain UDP syslog is neither authenticated nor encrypted, so also restrict the collector to accept only the Firebox's source addresses

  • Solution: Consult WatchGuard documentation for proper syslog configuration

Issue: Wrong normalizer or normalization package selected

  • Solution: Use WatchguardCompiledNormalizer for all WatchGuard logs

  • Solution: Select appropriate normalization package based on WatchGuard version:

    • LP_Watchguard Firewall v11_9 for v11.9

    • LP_Watchguard Firewall v11_10 for v11.10

    • LP_Watchguard Firewall for general logs

    • LP_Watchguard WifiCloud for WiFi Cloud logs

  • Solution: Verify log format from WatchGuard matches selected package

Issue: Processing policy configuration errors

  • Solution: Ensure normalization policy is created before processing policy

  • Solution: Verify the correct normalizer is selected in the normalization policy

  • Solution: Check that routing and enrichment policies are properly configured

Data Ingestion Issues

Issue: No logs being ingested

  • Solution: Verify WatchGuard device is configured to forward syslog to Logpoint

  • Solution: Check if syslog service is running on WatchGuard device

  • Solution: Confirm syslog collector is active in Logpoint

  • Solution: Test network connectivity from WatchGuard to Logpoint

  • Solution: Verify WatchGuard syslog configuration includes correct destination IP and port
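To separate a sending-side problem from a collector-side one, send a test datagram yourself and watch for it on the Logpoint node (for example with tcpdump). The following is an added example, not code from Logpoint or WatchGuard: it builds an RFC 3164 syslog datagram in the shape of a Firebox log line, proves the sender works against a local listener, and can then be pointed at the collector. The hostname, tag, facility, message body and message ID in it are assumptions for illustration.

```python
"""Send a WatchGuard-shaped test syslog datagram and confirm it arrives.

Added example for isolating "no logs ingested" to the network path; it is
not part of the Logpoint or WatchGuard documentation. Assumptions: RFC 3164
framing (<PRI>Mmm dd hh:mm:ss HOST TAG: MSG), facility local0 (16) and
severity info (6), and a collector on UDP/514. The sample body is a
constructed approximation of a Fireware log line, not captured output.
"""
import socket
import time
from typing import Optional

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def build_syslog_message(hostname: str, tag: str, body: str,
                         facility: int = FACILITY_LOCAL0,
                         severity: int = SEVERITY_INFO,
                         when: Optional[time.struct_time] = None) -> bytes:
    """Build an RFC 3164 datagram. PRI is facility * 8 + severity, so
    local0.info is <134>; a collector filtering on facility will drop a
    message whose PRI says otherwise."""
    pri = facility * 8 + severity
    when = when or time.localtime()
    # RFC 3164 timestamp: month name, day space-padded to width 2, time.
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri}>{stamp} {hostname} {tag}: {body}".encode("utf-8")


def send_udp(message: bytes, host: str, port: int = 514) -> int:
    """Send one datagram. A successful sendto() only means the packet left
    this host: UDP gives no delivery confirmation, so the absence of an
    error here says nothing about what reached Logpoint. Confirm on the
    receiving side (for example with tcpdump on the Logpoint node)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message, (host, port))


def loopback_check(message: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Self-test: listen on an ephemeral localhost UDP port, send the
    message to it and return what arrived (None on timeout). Run this
    before pointing send_udp() at the collector, so a later failure can be
    blamed on the network or the collector rather than on the sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_udp(message, "127.0.0.1", port)
        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            return None
    return data


# Constructed body in the shape of a Fireware traffic log; not captured output.
# The message ID 3000-0148 is assumed here; it is not one of the IDs listed on this page.
SAMPLE_BODY = ('msg_id="3000-0148" Deny 0-External Firebox 40 tcp 20 64 '
               '198.51.100.7 203.0.113.1 50000 22 offset 5 S 0 win 512 '
               '(Unhandled Internal Packet-00)')

if __name__ == "__main__":
    msg = build_syslog_message("firebox-edge", "firewall", SAMPLE_BODY)
    print(msg.decode())
    print("loopback ok" if loopback_check(msg) == msg else "loopback FAILED")
    # Once loopback passes, aim at the collector and watch for it on the far end:
    # send_udp(msg, "LOGPOINT_IP", 514)
```

If the loopback passes but nothing shows up in tcpdump on the Logpoint node, the problem is on the path (a Firebox policy, an intermediate firewall, or a wrong destination in the WatchGuard syslog settings); if tcpdump sees the datagram but Logpoint shows no event, the collector or the routing criteria are at fault.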

Issue: Incomplete log ingestion

  • Solution: Check the routing criteria configuration: the criteria must match the fields the WatchGuard logs actually carry, otherwise events that do not match are not routed to the repository

  • Solution: Verify the correct normalizer and normalization packages are selected

  • Solution: Monitor collector logs for errors or warnings

  • Solution: Check if specific log types are disabled on WatchGuard

Issue: Logs not normalized correctly

  • Solution: Verify WatchguardCompiledNormalizer is selected

  • Solution: Ensure appropriate normalization package for your WatchGuard version is selected

  • Solution: Check log format matches expected format (space-delimited, semi-colon delimited, or syslog)

  • Solution: Ensure SyslogParser is selected as the parser

  • Solution: Verify the WatchGuard Fireware (firmware) version is v11.x, the series the normalization packages target

Issue: Date/timestamp parsing errors

  • Solution: Check WatchGuard timezone configuration matches Logpoint device timezone

  • Solution: Ensure date and time fields are present in WatchGuard logs

  • Solution: Verify timestamp format in logs matches expected format

  • Solution: Check if WatchGuard is sending timestamps in correct format

Issue: Message ID not recognized

  • Solution: Verify WatchGuard firmware version is v11.x

  • Solution: Check if newer message IDs need updated normalization packages

  • Solution: Update WatchGuard integration to latest version

  • Solution: Consult WatchGuard message ID documentation for unknown IDs

Issue: Mixed log formats causing parsing issues

  • Solution: Identify which of the formats WatchGuard supports (space-delimited, semi-colon delimited, syslog) each device is sending; a single device should not switch between them

  • Solution: Verify consistent log format configuration across all WatchGuard devices

  • Solution: If using multiple formats, ensure appropriate normalization packages are selected

  • Solution: Consider standardizing on one log format for all devices
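When a line fails to normalize, it helps to take it apart by hand: does it have a syslog header at all, does it carry a msg_id the package knows, and what does its timestamp mean once a time zone is attached. The following is an added example, not Logpoint's WatchguardCompiledNormalizer or any WatchGuard code. It assumes RFC 3164 framing from the Firebox, a msg_id="XXXX-XXXX" attribute plus key="value" or key=value pairs in the body, and a device time zone supplied by the operator, because the RFC 3164 header carries neither a year nor a zone. The message ID table is built from the IDs named on this page; the sample lines are constructed in that shape and are not verbatim Firebox output.

```python
"""Parse WatchGuard syslog lines the way a normalizer has to, so a line that
fails normalization can be inspected field by field: framing, msg_id,
key=value pairs, and a timestamp with an explicit zone.

Added example, not Logpoint's WatchguardCompiledNormalizer. Assumptions:
RFC 3164 framing, msg_id="XXXX-XXXX" plus key="value"/key=value pairs in
the body, and a device time zone given by the operator. Sample lines are
constructed in that shape; they are not verbatim Firebox output.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<body>.*)$")
MSG_ID_RE = re.compile(r'msg_id="(?P<id>[0-9A-F]{4}-[0-9A-F]{4})"')
KV_RE = re.compile(r'(?P<k>[A-Za-z_][\w.]*)=(?:"(?P<q>[^"]*)"|(?P<u>[^\s;]+))')

# Message IDs named on this page and what they signal.
MSG_ID_MEANING = {
    "3000-0150": "IPS detection", "3000-0159": "port scan",
    "3001-1001": "temporary blocked host", "0101-0001": "configuration change",
    "3E00-0002": "authentication success", "3E00-0003": "authentication failure",
    "3E00-0004": "logout",
}

DEVICE_TZ = timezone(timedelta(hours=2))  # assumption: Firebox clock set to UTC+02:00
REFERENCE_NOW = datetime(2024, 7, 10, 13, 0, tzinfo=DEVICE_TZ)  # fixed "now" for reproducible output


def parse_timestamp(stamp: str, device_tz: timezone,
                    now: Optional[datetime] = None) -> datetime:
    """RFC 3164 stamps have no year: try the current year, then the previous
    one if that would put the event in the future (year rollover) or the
    date does not exist (Feb 29). The device zone is attached explicitly;
    if it differs from the zone Logpoint assumes, every event shifts by the
    offset, which is the usual cause of "timestamp parsing" complaints."""
    now = now or datetime.now(device_tz)
    for year in (now.year, now.year - 1):
        try:
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue
        ts = ts.replace(tzinfo=device_tz)
        if ts <= now + timedelta(days=1):
            return ts
    raise ValueError(f"unparseable timestamp: {stamp!r}")


def parse_line(line: str, device_tz: timezone = DEVICE_TZ,
               now: Optional[datetime] = REFERENCE_NOW) -> Dict[str, object]:
    """Split one line into header fields, msg_id and body key/value pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        # No syslog header: the collector is not using SyslogParser, or the
        # device is sending a format this parser does not expect.
        raise ValueError(f"not RFC 3164 framed: {line[:60]!r}")
    body = m["body"]
    fields: Dict[str, object] = {"host": m["host"], "tag": m["tag"], "raw": body,
                                 "ts": parse_timestamp(m["ts"], device_tz, now)}
    mid = MSG_ID_RE.search(body)
    fields["msg_id"] = mid["id"] if mid else None
    fields["meaning"] = MSG_ID_MEANING.get(fields["msg_id"], "unknown")
    for kv in KV_RE.finditer(body):
        if kv["k"] != "msg_id":
            fields[kv["k"]] = kv["q"] if kv["q"] is not None else kv["u"]
    return fields


# Constructed sample lines (field names are illustrative, not WatchGuard's).
SAMPLE_LINES = [
    '<134>Jul 10 12:34:56 firebox-edge firewall: msg_id="3000-0150" IPS detected '
    'src_ip=198.51.100.7 dst_ip=10.0.1.20 signature_name="SQL injection attempt" action=drop',
    '<133>Jul 10 12:35:01 firebox-edge admd: msg_id="3E00-0003" user="alice" '
    'src_ip=10.0.1.55 Authentication was rejected, password is incorrect',
    '<134>Jul 10 12:35:07 firebox-edge firewall: msg_id="3000-0148" Allow 1-Trusted '
    '0-External 52 tcp 20 127 10.0.1.2 203.0.113.5 54321 443 (HTTPS-00)',  # ID not on this page
    'msg_id="3000-0159" Port scan from 198.51.100.7 detected',  # header stripped: will not parse
]


def parse_samples(lines: List[str] = SAMPLE_LINES) -> List[Dict[str, object]]:
    """Parse every line, recording a parse error instead of aborting."""
    out: List[Dict[str, object]] = []
    for line in lines:
        try:
            out.append(parse_line(line))
        except ValueError as exc:
            out.append({"error": str(exc), "raw": line})
    return out


if __name__ == "__main__":
    for rec in parse_samples():
        if "error" in rec:
            print("PARSE ERROR:", rec["error"])
        else:
            print(rec["ts"].astimezone(timezone.utc).isoformat(), rec["msg_id"], rec["meaning"],
                  {k: v for k, v in rec.items() if k not in ("ts", "raw", "host", "tag", "msg_id", "meaning")})
```

The third sample parses cleanly but its msg_id is reported as unknown, which is what an outdated normalization package looks like from the inside; the fourth has no syslog header and is rejected outright, which is what a wrong parser selection or an unexpected log format looks like. Note the UTC conversion in the output: if the Firebox stamps local time and the collector assumes UTC, every event lands two hours off under the assumed zone.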

Dashboard and Analytics Issues

Issue: Dashboard widgets not displaying data

  • Solution: Verify repository selection matches where WatchGuard logs are stored

  • Solution: Check time range settings on dashboard

  • Solution: Confirm normalization is working with the search query norm_id = "Watchguard*"; if it returns nothing, repeat the search without the norm_id filter over the same repository and time range to tell an ingestion problem from a normalization problem

  • Solution: Ensure device timezone matches log source timezone

Issue: Denied connections widget showing no data

  • Solution: Verify deny actions are being logged by WatchGuard

  • Solution: Check that action field contains "deny" value

  • Solution: Ensure traffic logging is enabled on WatchGuard policies

  • Solution: Verify denied connections are being generated

Issue: IPS detection widget showing no data

  • Solution: Verify IPS is enabled and actively detecting threats on WatchGuard

  • Solution: Check that signature_name field is populated

  • Solution: Ensure IPS signatures are up to date on WatchGuard

  • Solution: Verify message_id "3000-0150" logs are being generated

Issue: Authentication widgets showing no data

  • Solution: Verify user authentication logging is enabled on WatchGuard

  • Solution: Check for message IDs: 3E00-0002 (success), 3E00-0003 (failure), 3E00-0004 (logout)

  • Solution: Ensure authentication events are being forwarded

  • Solution: Verify user field is populated in authentication logs

Issue: Virus detection widget empty

  • Solution: Verify antivirus scanning is enabled on WatchGuard

  • Solution: Check for virus-related message IDs: 1AFF-0028, 1BFF-000C, 1CFF-000E

  • Solution: Ensure virus detection logs are being generated

  • Solution: Verify Gateway AV subscription is active

Issue: Temporary blocked IPs widget showing no data

  • Solution: Verify temporary IP blocking is enabled on WatchGuard

  • Solution: Check for message_id "3001-1001"

  • Solution: Ensure blocked host events are being logged

  • Solution: Verify intrusion prevention blocking is configured

Issue: HTTP proxy widgets showing no data

  • Solution: Verify HTTP proxy is enabled and in use

  • Solution: Check for HTTP proxy message IDs (1AFF-xxxx range)

  • Solution: Ensure web filtering policies are active

  • Solution: Verify proxy logs are being forwarded to Logpoint

Issue: Service reputation widget not working

  • Solution: Create Watchguard_Reputation table with reputation scores

  • Solution: Table should contain: reputation values and corresponding scores

  • Solution: Map: Inconclusive (-1), OK (0-10), AV Scan (11-89), Bad (90-100)

  • Solution: Verify reputation data is being enriched correctly

Issue: Bandwidth widgets showing incorrect data

  • Solution: Verify sent_bytes and rcvd_bytes fields are populated

  • Solution: Check that the widget's byte-count arithmetic (unit conversion, sum versus average) matches what the fields actually carry

  • Solution: Ensure bandwidth logging is enabled on WatchGuard

  • Solution: Verify field mapping for sent_datasize and received_datasize

Alert Issues

Issue: Alerts not triggering

  • Solution: Review alert queries and ensure they match WatchGuard log format

  • Solution: Check alert policy configuration and notification settings

  • Solution: Verify logs contain expected message IDs and labels

  • Solution: Test alert query manually in search to confirm matching events exist

Issue: False positive alerts

  • Solution: Tune alert thresholds to reduce noise

  • Solution: Add exclusion criteria for known benign events

  • Solution: Review alert query logic for overly broad matching

  • Solution: Implement correlation rules for more accurate detection

Issue: Port scan alerts too frequent

  • Solution: Adjust threshold for message_id "3000-0159"

  • Solution: Add time-based aggregation to reduce alert frequency

  • Solution: Exclude known scanning sources (vulnerability scanners)

  • Solution: Implement baseline for normal scanning activity

Issue: Failed authentication alerts too sensitive

  • Solution: Increase threshold for failed login attempts before alerting

  • Solution: Add time window for multiple failures (e.g., 5 failures in 10 minutes)

  • Solution: Exclude service accounts with expected failures

  • Solution: Implement user-based thresholds
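Before changing an alert in Logpoint, it is worth checking the threshold, window and exclusions against sample data. The following is an added example, not Logpoint's alert engine and not WatchGuard code: a sliding-window counter that raises once per burst when one key (a user for 3E00-0003, a source address for 3000-0159) crosses a threshold inside a time window, with an exclusion list for service accounts or known scanners. It covers both the port scan and failed authentication cases above. The event records, the field names user and source_address, the 10.0.0.50 scanner address and the svc_backup account are constructed for illustration.

```python
"""Sliding-window thresholds for WatchGuard alert tuning.

Added example, not Logpoint's alert engine. It models "N events sharing a
key within W minutes" for authentication failures (msg_id 3E00-0003, keyed
by user) and port scans (msg_id 3000-0159, keyed by source address), with
an exclusion list. Event dicts are constructed; field names follow this
page (msg_id, user, source_address) but are not the normalizer's output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, FrozenSet, Iterable, List, Tuple

FAILED_AUTH = "3E00-0003"
PORT_SCAN = "3000-0159"
WINDOW_10M = timedelta(minutes=10)
WINDOW_5M = timedelta(minutes=5)


def threshold_alerts(events: Iterable[dict], msg_id: str, key: Callable[[dict], str],
                     threshold: int, window: timedelta,
                     exclude: FrozenSet[str] = frozenset()) -> List[Tuple[str, datetime, int]]:
    """Return (key, time, count) whenever `threshold` events with `msg_id`
    share a key within `window`. Events must arrive in time order. After an
    alert the window for that key is cleared, so one burst produces one
    alert rather than one alert per additional failure."""
    seen: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime, int]] = []
    for ev in events:
        if ev["msg_id"] != msg_id:
            continue
        k = key(ev)
        if k in exclude:
            continue  # known-noisy principal: service account, vulnerability scanner
        q = seen[k]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            alerts.append((k, ev["ts"], len(q)))
            q.clear()
    return alerts


def t_plus(minute: int) -> datetime:
    """Minutes after a fixed reference time, for the constructed events."""
    return datetime(2024, 7, 10, 12, 0) + timedelta(minutes=minute)


# Constructed events: a real burst (alice), slow drip (bob), a noisy service
# account (svc_backup), a scanner (198.51.100.7) and one success for contrast.
SAMPLE_EVENTS = sorted([
    *({"ts": t_plus(m), "msg_id": FAILED_AUTH, "user": "alice", "source_address": "10.0.1.55"}
      for m in (0, 1, 1, 2, 3)),
    *({"ts": t_plus(m), "msg_id": FAILED_AUTH, "user": "bob", "source_address": "10.0.1.56"}
      for m in (0, 30, 60, 90, 120)),
    *({"ts": t_plus(m), "msg_id": FAILED_AUTH, "user": "svc_backup", "source_address": "10.0.2.9"}
      for m in range(10)),
    *({"ts": t_plus(m), "msg_id": PORT_SCAN, "user": "", "source_address": "198.51.100.7"}
      for m in (5, 6, 7)),
    {"ts": t_plus(4), "msg_id": "3E00-0002", "user": "alice", "source_address": "10.0.1.55"},
], key=lambda e: e["ts"])


def failed_login_alerts(events: Iterable[dict] = SAMPLE_EVENTS) -> List[Tuple[str, datetime, int]]:
    """5 failures by one user within 10 minutes; svc_backup is excluded."""
    return threshold_alerts(events, FAILED_AUTH, lambda e: e["user"], threshold=5,
                            window=WINDOW_10M, exclude=frozenset({"svc_backup"}))


def port_scan_alerts(events: Iterable[dict] = SAMPLE_EVENTS) -> List[Tuple[str, datetime, int]]:
    """3 port-scan events from one source within 5 minutes; 10.0.0.50 is an
    assumed internal vulnerability scanner and is excluded."""
    return threshold_alerts(events, PORT_SCAN, lambda e: e["source_address"], threshold=3,
                            window=WINDOW_5M, exclude=frozenset({"10.0.0.50"}))


if __name__ == "__main__":
    for name, alerts in (("failed logins", failed_login_alerts()), ("port scans", port_scan_alerts())):
        for k, when, n in alerts:
            print(f"{name}: {k} reached {n} events at {when.isoformat()}")
```

Run against the constructed data this fires once for alice (five failures in three minutes) and once for the scanning source, and stays silent for bob, whose five failures are spread over two hours, and for the excluded service account. The same shape transfers to Logpoint: the window and count become the alert's aggregation settings and the exclusion list becomes a negated filter in the query.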

Performance Issues

Issue: Slow query performance

  • Solution: Optimize queries by adding time range constraints

  • Solution: Use indexed fields in search queries where possible

  • Solution: Consider data retention policies to manage repository size

  • Solution: Filter by specific message IDs or labels to reduce scope

Issue: High resource usage

  • Solution: Monitor syslog collector resource consumption

  • Solution: Implement log filtering using routing criteria to reduce unnecessary data ingestion

  • Solution: Monitor and tune normalization policies

  • Solution: Consider adjusting WatchGuard logging levels to reduce volume

Issue: High log volume from WatchGuard

  • Solution: Adjust logging levels on WatchGuard to reduce verbosity

  • Solution: Disable logging for low-priority traffic policies

  • Solution: Configure WatchGuard to log only security-relevant events

  • Solution: Use log filtering on WatchGuard before forwarding to Logpoint

  • Solution: Implement selective routing criteria in Logpoint

Event-Specific Issues

Issue: VPN events not appearing

  • Solution: Verify VPN logging is enabled on WatchGuard

  • Solution: Check for IPSec message IDs (020x-xxxx, 021A-xxxx ranges)

  • Solution: Ensure VPN tunnels are active and generating logs

  • Solution: Verify mobile VPN logging is enabled if using mobile clients

Issue: IPS events not being captured

  • Solution: Verify IPS subscription is active on WatchGuard

  • Solution: Check for message_id "3000-0150"

  • Solution: Ensure IPS signatures are up to date

  • Solution: Verify IPS is enabled on appropriate policies

Issue: DLP events missing

  • Solution: Verify DLP is licensed and enabled on WatchGuard

  • Solution: Check for DLP message IDs: 1AFF-002F, 1BFF-0024, 1CFF-0011

  • Solution: Ensure DLP policies are configured and active

  • Solution: Verify DLP scanning is working on configured proxies

Issue: APT threat events not detected

  • Solution: Verify APT Blocker subscription is active

  • Solution: Check for APT message IDs: 0F00-0015, 1AFF-0034, 1BFF-0028, 1CFF-0015, 21FF-001F

  • Solution: Ensure APT detection is enabled on proxies

  • Solution: Verify cloud-based APT scanning is functional

Issue: Wireless events missing

  • Solution: Verify WatchGuard WiFi Cloud or Wireless Controller is deployed

  • Solution: Check that LP_Watchguard WifiCloud normalization package is selected

  • Solution: Ensure wireless access points are properly configured

  • Solution: Verify wireless logs are being forwarded to Logpoint

Issue: Cluster/HA events not appearing

  • Solution: Verify High Availability is configured on WatchGuard

  • Solution: Check for cluster message IDs (3800-xxxx, 3900-xxxx, 3A00-xxxx, 3B00-xxxx ranges)

  • Solution: Ensure cluster synchronization is working

  • Solution: Verify both cluster members are forwarding logs

Issue: Configuration change events missing

  • Solution: Verify audit logging is enabled on WatchGuard

  • Solution: Check for message_id "0101-0001"

  • Solution: Ensure administrative actions are being logged

  • Solution: Verify configuration change notifications are enabled

GeoIP and Enrichment Issues

Issue: Geographic data not appearing in dashboards

  • Solution: Verify GeoIP enrichment policy is configured in Logpoint

  • Solution: Check that source_address and destination_address fields are populated

  • Solution: Ensure GeoIP database is up to date in Logpoint

  • Solution: Verify IP addresses are public (not RFC 1918 private IPs)

Issue: Source/destination country fields empty

  • Solution: Ensure enrichment policy includes GeoIP lookups

  • Solution: Check that geo_src and geo_dst fields are being mapped correctly

  • Solution: Verify IP addresses are being extracted correctly from logs

  • Solution: Update GeoIP database if outdated

Report Issues

Issue: Reports not generating

  • Solution: Verify report templates are properly configured

  • Solution: Check that selected repositories contain WatchGuard data

  • Solution: Ensure time range includes events in the repository

  • Solution: Verify report generation service is running

Issue: Reports missing data

  • Solution: Check that WatchGuard dashboard is enabled and populated

  • Solution: Verify repository selection matches WatchGuard log storage

  • Solution: Ensure normalization is producing expected fields

  • Solution: Check report template queries for syntax errors

Integration-Specific Issues

Issue: WiFi Cloud logs not normalizing

  • Solution: Verify LP_Watchguard WifiCloud normalization package is selected

  • Solution: Check WiFi Cloud log format compatibility

  • Solution: Ensure WiFi Cloud is forwarding logs correctly

  • Solution: Verify network connectivity from WiFi Cloud to Logpoint

Issue: Multiple WatchGuard versions logging inconsistently

  • Solution: Select appropriate normalization packages for each version

  • Solution: Use LP_Watchguard Firewall v11_9 for v11.9 devices

  • Solution: Use LP_Watchguard Firewall v11_10 for v11.10 devices

  • Solution: Use LP_Watchguard Firewall for general/mixed versions

Issue: Proxy-specific logs not processing correctly

  • Solution: Verify appropriate proxy is enabled (HTTP, SMTP, FTP, DNS, POP3, SIP)

  • Solution: Check for proxy-specific message ID ranges:

    • HTTP Proxy: 1AFF-xxxx

    • SMTP Proxy: 1BFF-xxxx

    • FTP Proxy: 1CFF-xxxx

    • DNS Proxy: 1DFF-xxxx

    • SIP Proxy: 2AFF-xxxx, 28FF-xxxx

    • POP3 Proxy: 21FF-xxxx

  • Solution: Ensure proxy logging is enabled

  • Solution: Verify proxy policies are active and processing traffic

Issue: Label-based searches not working

  • Solution: Verify LP_Watchguard Firewall label package is installed

  • Solution: Check that message IDs are being parsed correctly

  • Solution: Ensure labels are being applied during normalization

  • Solution: Use correct label syntax in searches (e.g., label = "Attack")
