Fastvue

Fastvue Reporter: What to do when no data is being received from your firewall

Image of a laptop secured with a padlock and shield, highlighting a lack of data from the firewall in Fastvue Reporter.

by

Scott Glew

So, you’ve downloaded Fastvue Reporter and are ready for next-level network visibility, real-time alerts, and insights into inappropriate content and suspicious activity. The dashboard is open, and you're ready to start running detailed reports on internet security and network activity—but there's just one problem.

No data. No reports. Nothing.

Computer screen displaying website settings with a note indicating no data received from the firewall in Fastvue Reporter.

Before you start pulling your hair out, let's go through the key troubleshooting steps to get data flowing from your firewall to Fastvue Reporter so you can begin to manage threats, policies, and security logs with ease.

We also have specific firewall-based articles in our knowledge base if that’s more your style:

Fastvue Reporter for Sophos Firewall

Fastvue Reporter for Barracuda

Fastvue Reporter for Cisco Firepower

Fastvue Reporter for Cisco Umbrella SIG

Fastvue Reporter for ContentKeeper

Fastvue Reporter for FortiGate

Fastvue Reporter for Palo Alto Networks

Fastvue Reporter for SonicWall

Fastvue Reporter for WatchGuard

Check your Firewall’s web filtering feature

In order for Fastvue Reporter to process incoming log data and generate network activity reports, your firewall must have web filtering enabled and be actively filtering and categorizing web traffic. Navigate to your firewall and ensure that:

Ensure Web Filtering is Enabled and Applied: Check that web filtering is turned on and functioning correctly. A great way to test this is to try visiting a website you believe should be blocked.

Depending on your firewall, you may need to activate a web filtering or content filtering license or enable the feature in your settings. Then, ensure your firewall policies are actively using web filtering to allow or block specific URL categories (e.g., Pornography, Search Engines). For firewall-specific guidance, visit the firewall-specific knowledge base articles above.

Users are actively browsing: If no one is using the internet, there is nothing to log. You can test this by visiting websites from a network-connected device. 

Traffic is being logged: Many firewalls let you view real-time logs:

  • Look for a Live Log, Web Filter Log, or Log Viewer section in your firewall's dashboard.

  • Confirm that allowed and blocked traffic is being recorded

Logging exceptions are not bypassing filtering: Some firewalls allow rules that bypass logging for certain traffic types. Check if there are any exceptions or exclusions stopping web activity from being recorded. Perhaps you have an “allow any -> any” rule above your web filtering policy to try and make that darn app work that one time…

Verify Fastvue Reporter's database is operational (Green)

It may seem like a no-brainer, but for Fastvue Reporter to process syslog data and generate real-time alerts and network reports, its internal database must be fully operational. If the database is down, no data can be imported or stored. Here's how to check Fastvue Reporter's database status:

  1. Open Fastvue Reporter and go to Settings > Diagnostic > Database

  2. The database status should be Operational (Green)

  3. If the status is Not Operational, refer to this guide: Database status is not operational

Verify that your Firewall is sending logs

Most Fastvue Reporter products work by importing log data from your firewall over the syslog protocol. 

However, there are a couple of exceptions:

Fastvue Reporter for Cisco Umbrella SIG retrieves logs from AWS S3 instead of syslog. If you’re using Umbrella SIG, head over here for instructions. 

Fastvue Reporter for Microsoft TMG (our ‘OG’ product) uses an agent installed on your TMG server (but surely you’re not still using TMG right?!?)

For those of you using firewalls that send logs via syslog, here’s how to check that everything is configured correctly:

Check your firewall’s syslog settings:

  • Navigate to your firewall’s Syslog Server Settings (often under Logging and Reporting or System Services).

  • Ensure the IP address of the syslog server defined on your firewall matches the Fastvue Reporter machine’s IP.

To confirm the Fastvue Reporter machine’s  IP address:

  • Log into the Fastvue Reporter server.

  • Open Command Prompt (cmd) and Run ipconfig to verify that this matches the IP address configured in your firewall’s syslog settings.

Verify that Fastvue Reporter is using the correct firewall source

  • Open Settings > Sources in Fastvue Reporter.

  • Ensure that your firewall is listed as a source using the correct name or IP address.

  • If using an IP address, verify that it is the correct interface that connects to Fastvue Reporter.

Hot Tip:

  • Click Add Source, wait a few seconds, and check if your firewall appears in the dropdown.

If the firewall appears, select it and confirm Add Source.

Note: This works only if your firewall is sending syslog data on a port Fastvue Reporter is listening on. By default, Fastvue Reporter listens on port 514, or any additional ports configured in Settings > Sources.

Ensure syslog ports match on both ends

If the syslog port configured in your firewall settings does not match the port in Fastvue Reporter, logs will not be received.

  • The default syslog port is 514.

  • If data is not coming in, verify that both the firewall and Fastvue Reporter are set to the same syslog port.

  • If port 514 is in use, change the port on both Fastvue Reporter and your firewall (e.g., 49514 UDP).

Disable secure log transmission (if enabled)

Some firewalls have Secure Log Transmission enabled by default, which may prevent Fastvue Reporter from receiving logs.

  • Check if Secure Log Transmission is enabled in your firewall’s Syslog Server Settings.

  • If enabled, disable it and save the settings.

Check for Firewall or Network Blockages

Syslog traffic can be blocked by security policies or network firewalls.

  • Ensure no firewall rules (Windows Firewall, third-party security tools, or network security policies) are blocking port 514 (or your configured syslog port).

Ensure there are no routing issues

If Fastvue Reporter and your firewall are on separate subnets, ensure:

  • No routers or network policies are blocking syslog traffic.

  • The correct routing rules are in place.

  • If using a WAN link, configure a site-to-site VPN to ensure syslog traffic can traverse the WAN successfully, especially if using UDP.

  • Be aware of where Network Address Translation (NAT) may be applied, as this may change the IP address of the syslog sending device from Fastvue Reporter’s perspective, and you’ll need to update the Source to listen for the correct IP.

Troubleshooting port conflicts

To find out whether there is a port conflict on the Fastvue Reporter machine for port 514, open a command prompt and enter:

netstat -ano | find "514"

This will list all the processes on the machine using port 514 (it may also include other processes that have a substring of 514). Note the Process ID, and then open Task Manager and go to the Services tab. You should be able to identify the other process by looking for the matching Process ID (PID).

If there is another process listening on Port 514, the easiest solution is to change the port being used both in the syslog settings on your firewall and in the source in Fastvue Reporter (Settings | Sources). As an example, try port 49514 (UDP)

Use Wireshark to ensure syslog data is being received

Install and launch Wireshark on the Fastvue Server and select the appropriate network interface to begin capturing packets

Apply the following display filter to isolate syslog traffic:
tcp.port == 514 or udp.port == 514

(Change 514 if you’re using a different port)

Review the captured packets to ensure that syslog messages from the firewall are present. Verify that the source IP addresses match the IP address you have in your Fastvue Reporter Source and that the message payloads contain your firewall’s log events. 

Still no data? Enable diagnostic logging

If Fastvue Reporter still isn’t receiving logs, please collect some diagnostic logs and send them to our support team, so we can help you get to the bottom of the issue!

  1. Go to Settings | Diagnostic.

  2. Set the logging level to Full (slide all the way to the right).

  3. Let Fastvue Reporter run for 20 minutes.

  4. Zip and upload the latest Diagnostic Log file to: Fastvue Support.

Make sure you refer to our firewall-specific articles above for a more specific step-by-step guide.

By following these steps, you should be able to restore syslog data flow, real-time alerts, and security reports in Fastvue Reporter.

Have another question?

Got another question? We're here to help. Visit our support section for more information.

  • Share this story
    facebook
    twitter
    linkedIn

Optimizing Firewall Logging for Accurate Reporting in Fastvue Reporter

Fastvue

Understanding firewalls for internet safety: A beginner's guide for educators

Fastvue