
000017088
Firebox Does Not Appear in TDR Web UI

Information
If you have configured Threat Detection and Response on your Firebox but it does not appear in the TDR Web UI, follow these instructions to troubleshoot.
 
Find the status of the TDR Connection
You can use the Log Configuration section of the Status Report to see the status of the Firebox's logging connections, including its connection to the TDR server. The Status Report is in Firebox System Manager, on the Status Report tab.

Search for the Log Configuration section:

1. Press Ctrl+F on your keyboard. The Find bar opens. 
2. In the Find text box, type Log Configuration. As soon as you start typing, the Find feature searches for the text you type. 
3. Look at the TDR Instance status to determine next steps.

Status: Connected
TDR Instance
Primary Server: tdr-fbla-na.watchguard.com (IP address)
Status: Connected 
Active: tdr-fbla-na.watchguard.com

 
If you see this status, the Firebox has a working TCP port 4115 connection to the TDR server, so the network path is not the problem. The Firebox can still be missing from the TDR Web UI if TDR discards its log messages, which happens when the Account UUID is wrong or the Firebox is licensed for, and connected to, the wrong regional instance.
 
To troubleshoot this status:
  • Verify the Account UUID is correct. If the Account UUID is invalid or unknown to TDR, the log messages are dropped and the Firebox never appears. Re-enter the Account UUID and save the configuration to the Firebox.
  • Check the Firebox feature key to verify that the TDR feature is present and that its region suffix matches your TDR account. The date after @ is the feature expiration date, so it will differ on your Firebox:
    • America region: Feature: TDR@Nov-11-2018;AMER
    • Europe region: Feature: TDR@Nov-11-2018;EUR
  • If the TDR feature is missing or shows the wrong region, update the feature key and check the Status Report again. The primary server hostname must be the TDR instance for your region:
    • NA Region: tdr-fbla-na.watchguard.com
    • EU Region: tdr-fbla-eu.watchguard.com
    • AP Region: tdr-fbla-ap.watchguard.com
Status: Not Connected, error: DNS Lookup Failed
TDR Instance
Primary Server: tdr-fbla-na.watchguard.com(IP Address)
Primary server error: Host unreachable
Status: Not Connected
Active: None

 
If you see this status, the Firebox cannot resolve the TDR primary server hostname to an IP address, so it never attempts the TCP port 4115 connection.
 
To troubleshoot this status:
  • Use the DNS Lookup diagnostic task in Firebox System Manager (FSM) to confirm that the primary server hostname resolves to an IP address. Run the lookup several times: each TDR instance has two IP addresses and DNS returns them in rotation, so after a few lookups you should have seen both. Note both addresses; you need them for packet captures later.
  • If the hostname does not resolve, the DNS servers configured on the Firebox are the problem. Either replace them with DNS servers that can resolve this name, or troubleshoot the existing servers.
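To make the Status Report check mechanical, here is an added Python example (not WatchGuard code) that parses the TDR Instance block, compares it with the TDR line of the feature key, and returns the next troubleshooting step for each of the four statuses this article covers (the Connection refused and Host unreachable cases are described below). The sample Status Report blocks and the feature-key lines are constructed from the redacted output shown in this article; treating the date after @ as the feature expiration date, the SAMPLE_TODAY reference date and the finding names are this example's own.

```python
"""Map the TDR Instance block of a Firebox Status Report to a next step.

Added example, not WatchGuard code.  Covers the four status outputs this
article walks through: Connected, DNS lookup failed, Connection refused
and Host unreachable.
"""
import ipaddress
import re
from datetime import date, datetime

# Expected primary server per TDR region (hostnames from this article).  The
# feature-key suffix for the AP region is not shown on the page, so only the
# AMER and EUR suffixes are mapped here.
REGION_HOSTS = {
    "AMER": "tdr-fbla-na.watchguard.com",
    "EUR": "tdr-fbla-eu.watchguard.com",
}

# "Feature: TDR@Nov-11-2018;EUR"  ->  ("Nov-11-2018", "EUR")
FEATURE_RE = re.compile(r"Feature:\s*TDR@([A-Za-z]{3}-\d{2}-\d{4});([A-Z]*)")
# "tdr-fbla-na.watchguard.com (54.186.109.37)"  ->  hostname, text in parentheses
PRIMARY_RE = re.compile(r"^\s*([^\s(]+)\s*\(([^)]*)\)\s*$")

# Constructed reference date for the samples, before the sample feature expires.
SAMPLE_TODAY = date(2018, 1, 1)


def parse_tdr_instance(report: str) -> dict:
    """Return the 'Key: value' lines that follow 'TDR Instance' in a Status Report."""
    lines = report.splitlines()
    try:
        start = next(i for i, ln in enumerate(lines) if ln.strip() == "TDR Instance")
    except StopIteration:
        raise ValueError("Status Report has no TDR Instance block") from None
    fields = {}
    for ln in lines[start + 1:]:
        if not ln.strip():                 # the block ends at the first blank line
            break
        key, _, value = ln.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_tdr_feature(feature_key: str):
    """Return (expiry, region) from the TDR line of a feature key, or None if absent.

    Assumption of this example: the date after '@' is the feature expiration date.
    """
    m = FEATURE_RE.search(feature_key)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%b-%d-%Y").date(), m.group(2)


def diagnose(report: str, feature_key: str, today=None) -> list:
    """Return the next troubleshooting step(s) for the given Status Report."""
    today = today or date.today()
    fields = parse_tdr_instance(report)
    m = PRIMARY_RE.match(fields.get("Primary Server", ""))
    host, resolved = (m.group(1), m.group(2)) if m else ("", "")
    status = fields.get("Status", "")
    error = fields.get("Primary server error", "").lower()

    try:                                   # did DNS ever give us an address?
        ipaddress.ip_address(resolved)
        have_ip = True
    except ValueError:                     # placeholder text or empty: no
        have_ip = False

    if status.startswith("Connected"):
        # TCP 4115 works; the Firebox is invisible only if TDR discards its logs.
        findings = []
        feature = parse_tdr_feature(feature_key)
        if feature is None:
            findings.append("no-tdr-feature-in-key")
        else:
            expiry, region = feature
            if expiry < today:
                findings.append("tdr-feature-expired")
            expected_host = REGION_HOSTS.get(region)
            if expected_host is not None and expected_host != host:
                findings.append("region-mismatch")
        # Feature key is fine, so the remaining cause is a wrong or unknown Account UUID.
        return findings or ["verify-account-uuid"]
    if not have_ip:
        return ["dns-lookup-failed"]                # fix the Firebox DNS servers
    if "refused" in error:
        return ["port-4115-rejected-upstream"]      # TCP reset: upstream blocks 4115
    if "unreachable" in error:
        return ["no-route-or-port-4115-dropped"]    # no route, or silent drop upstream
    return ["unknown-status"]


# Constructed samples, modelled on the redacted output shown in this article.
REPORT_CONNECTED = """Log Configuration
TDR Instance
Primary Server: tdr-fbla-na.watchguard.com (54.186.109.37)
Status: Connected
Active: tdr-fbla-na.watchguard.com

"""
REPORT_DNS = """TDR Instance
Primary Server: tdr-fbla-na.watchguard.com (IP Address)
Primary server error: Host unreachable
Status: Not Connected
Active: None
"""
REPORT_REFUSED = REPORT_DNS.replace("(IP Address)", "(54.186.109.37)").replace(
    "Host unreachable", "Connection refused")
REPORT_UNREACHABLE = REPORT_DNS.replace("(IP Address)", "(54.186.109.37)")
KEY_AMER = "Feature: TDR@Nov-11-2018;AMER"

if __name__ == "__main__":
    for name, rep in [("connected", REPORT_CONNECTED), ("dns", REPORT_DNS),
                      ("refused", REPORT_REFUSED), ("unreachable", REPORT_UNREACHABLE)]:
        print(name, diagnose(rep, KEY_AMER, SAMPLE_TODAY))
```

The DNS case is detected from the Primary Server line rather than from the error text, because in the output shown above the DNS failure still reports "Host unreachable"; anything in the parentheses that is not an IP address means the name was never resolved.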
Status: Not Connected, error: Connection refused
TDR Instance
Primary Server: tdr-fbla-na.watchguard.com(54.186.109.37)
Primary server error: Connection refused
Status: Not Connected
Active: None

 
The Firebox resolves the TDR server address, but the TCP port 4115 connection is rejected: instead of completing the handshake, something on the path answers the Firebox's SYN with a TCP reset. In practice this means a device upstream of the Firebox blocks TCP port 4115.
 
To troubleshoot this status:
Run the TCP Dump diagnostic task in FSM on the external interface and filter for TCP port 4115 traffic to the TDR servers. Use the DNS Lookup task first to find both TDR IP addresses so the capture covers whichever one the Firebox uses. When you have confirmed that the connection is rejected, investigate your upstream network. The Firebox needs outbound TCP port 4115 to the TDR servers to communicate with TDR.
 
Status: Not Connected, error: Host unreachable
TDR Instance
Primary Server: tdr-fbla-na.watchguard.com (54.186.109.37)
Primary server error: Host unreachable
Status: Not Connected
Active: None

 
The Firebox is unable to send logs to TDR because it either does not have a route to the host, or its TCP port 4115 traffic is silently dropped somewhere on the path (no SYN-ACK and no reset comes back).
 
To troubleshoot this status:
Run a TCP Dump on the external interface to confirm that TCP port 4115 traffic to the TDR servers actually leaves the Firebox. If you see SYN packets leaving but no reply, the traffic is dropped upstream. If you see no port 4115 traffic at all on that interface, the Firebox may be sending it out a different interface, which indicates a routing problem.
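Reading the capture is the same in the Connection refused and Host unreachable cases: what matters is whether the SYN to port 4115 leaves the external interface and what, if anything, comes back. The following Python example (added here, not WatchGuard code) builds the capture filter covering both addresses of a TDR instance and classifies tcpdump text output into those cases. The capture lines are constructed in tcpdump's default text format, using 203.0.113.10 as a made-up Firebox external address, 54.186.109.37 from this article as the TDR address, and 198.51.100.7 as a made-up second TDR address.

```python
"""Classify a TCP Dump capture of Firebox -> TDR traffic on TCP port 4115.

Added example, not WatchGuard code.  The verdict tells you which of this
article's cases the capture shows, without reading it by hand.
"""
import re
from collections import Counter

TDR_PORT = 4115

# One tcpdump text line, e.g.
# "12:00:01.000000 IP 203.0.113.10.51000 > 54.186.109.37.4115: Flags [S], seq 100, ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def tdr_filter(tdr_ips, port=TDR_PORT):
    """Capture filter that covers every address of a TDR instance."""
    hosts = " or ".join(f"host {ip}" for ip in tdr_ips)
    return f"tcp port {port} and ({hosts})"


def classify_capture(lines, tdr_ips, port=TDR_PORT):
    """Return a verdict for a capture taken on the Firebox external interface."""
    tdr_ips = set(tdr_ips)
    seen = Counter()
    for ln in lines:
        m = LINE_RE.search(ln)
        if m is None:
            continue
        flags = m["flags"]
        outbound = m["dst"] in tdr_ips and int(m["dport"]) == port
        inbound = m["src"] in tdr_ips and int(m["sport"]) == port
        if outbound and flags == "S":          # our SYN (or a retransmission of it)
            seen["syn"] += 1
        elif inbound and "R" in flags:          # TCP reset from the path or host
            seen["rst"] += 1
        elif inbound and flags == "S.":         # SYN-ACK: the handshake works
            seen["synack"] += 1
    if seen["synack"]:
        return "handshake-completed"     # port 4115 is open end to end
    if seen["rst"]:
        return "connection-refused"      # an upstream device rejects port 4115
    if seen["syn"]:
        return "syn-unanswered"          # SYNs leave, nothing returns: dropped upstream
    return "no-4115-traffic"             # nothing left this interface: check the exit interface


# Constructed capture lines in tcpdump's default text format.  203.0.113.10 is a
# made-up Firebox external address; 54.186.109.37 is the TDR address from the article.
FB = "203.0.113.10"
TDR = "54.186.109.37"
CAP_REFUSED = [
    f"12:00:01.000000 IP {FB}.51000 > {TDR}.4115: Flags [S], seq 100, win 64240, length 0",
    f"12:00:01.020000 IP {TDR}.4115 > {FB}.51000: Flags [R.], seq 0, ack 101, win 0, length 0",
]
CAP_DROPPED = [
    f"12:00:01.000000 IP {FB}.51000 > {TDR}.4115: Flags [S], seq 100, win 64240, length 0",
    f"12:00:02.000000 IP {FB}.51000 > {TDR}.4115: Flags [S], seq 100, win 64240, length 0",
    f"12:00:04.000000 IP {FB}.51000 > {TDR}.4115: Flags [S], seq 100, win 64240, length 0",
]
CAP_OK = [
    f"12:00:01.000000 IP {FB}.51000 > {TDR}.4115: Flags [S], seq 100, win 64240, length 0",
    f"12:00:01.030000 IP {TDR}.4115 > {FB}.51000: Flags [S.], seq 500, ack 101, win 65535, length 0",
    f"12:00:01.031000 IP {FB}.51000 > {TDR}.4115: Flags [.], ack 501, win 64240, length 0",
]
CAP_NONE = [  # only unrelated traffic on this interface: 4115 is leaving elsewhere
    f"12:00:05.000000 IP {FB}.44000 > 192.0.2.55.443: Flags [S], seq 1, win 64240, length 0",
]

if __name__ == "__main__":
    print(tdr_filter([TDR, "198.51.100.7"]))
    for name, cap in [("refused", CAP_REFUSED), ("dropped", CAP_DROPPED),
                      ("ok", CAP_OK), ("none", CAP_NONE)]:
        print(name, classify_capture(cap, [TDR]))
```

A "syn-unanswered" verdict with retransmitted SYNs is the Host unreachable case (investigate upstream drops); "connection-refused" is the reset seen in the Connection refused case; "no-4115-traffic" on the interface you expected means the logging traffic exits elsewhere, which is what the Traffic Monitor procedure below is for.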
 
To determine which external interface is used for logging traffic:
1. In Firebox Policy Manager, select Setup > Logging.
2. Click Diagnostic log level.
3. Select Enable logging for traffic sent from this device.
4. Click OK to save the settings and exit.
5. Save the file to the Firebox.  
6. Start Firebox System Manager for the Firebox.
7. Select the Traffic Monitor tab.
8. Search for 4115 to find the exit interface for the connection.
 
If the traffic leaves the expected interface and the issue persists, verify that no upstream device drops or rejects TCP port 4115 traffic to the TDR servers.