Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with QRadar

To collect WatchGuard Fireware OS events, you can use the Policy Manager to configure your third-party appliance to send events to QRadar®.

Before you begin

You must have Device Administrator access credentials.


  1. Open the WatchGuard System Manager.
  2. Connect to your Firebox or XTM device.
  3. Start the Policy Manager for your device.
  4. To open the Logging Setup window, select Setup > Logging.
  5. Select the Send log messages to this syslog server check box.
  6. In the IP address text box, type the IP address for your QRadar Console or Event Collector.
  7. In the Port text box, type 514.
  8. From the Log Format list, select IBM® LEEF.
  9. Optional: Specify the details to include in the log messages.
    1. Click Configure.
    2. To include the serial number of the XTM device in the log message details, select the The serial number of the device check box.
    3. To include the syslog header in the log message details, select the The syslog header check box.
    4. For each type of log message, select one of the following syslog facilities:
      • For high-priority syslog messages, such as alarms, select Local0.
      • To assign priorities to other types of log messages, select an option from Local1 through Local7. Lower numbers have greater priority.
      • To not send details for a log message type, select NONE.
    5. Click OK.
  10. Click OK.
  11. Save the configuration file to your device.