Integrating pfSense

The pfSense integration lets Barracuda XDR ingest syslog events from pfSense Security Gateway (firewall, VPN, gateway monitor, and routing daemon events). pfSense is configured to forward syslog over UDP to an on-premise Barracuda XDR Collector running the pfsense package, which normalizes and ships events to Barracuda XDR for monitoring, investigation, and alerting (e.g., logins from suspicious locations, brute-force attempts).

Prerequisites

A pfSense appliance with administrator access to the web configuration interface.
A Barracuda XDR On-Premise collector deployed on the same network segment as pfSense (or otherwise routable from pfSense). The collector must be reachable from pfSense over UDP.
A listening port open to the collector. The default is UDP 9272, but you can configure a different port in the procedure below.

The pfsense integration package (version 1.25.1) is provisioned automatically on the collector when the integration is enabled in Barracuda XDR.

To set up the integration, follow these procedures

https://cuda.atlassian.net/wiki/spaces/SKOUT/pages/856852865/Integrating+pfSense#To-enable-the-integration-in-Barracuda-XDR

https://cuda.atlassian.net/wiki/spaces/SKOUT/pages/856852865/Integrating+pfSense#To-configure-pfSense-to-forward-Syslog

https://cuda.atlassian.net/wiki/spaces/SKOUT/pages/856852865/Integrating+pfSense#To-verify-the-integration

For troubleshooting, see https://cuda.atlassian.net/wiki/spaces/SKOUT/pages/856852865/Integrating+pfSense#Troubleshooting.

To enable the integration in Barracuda XDR

In Barracuda XDR Dashboard, navigate to Integrations.
On the pfSense card, click Setup.
The pfSense integration card
Select the Enabled box.
The pfSense integration page
Click Save.

To configure pfSense to forward Syslog

Sign in to the pfSense web configuration interface.
From the main menu, select Status > System Logs.
Click the Settings tab.
Scroll down to the Remote Logging Options section.
Check Send log messages to a remote syslog server.
Configure the fields as follows:
- Source Address: LAN (or the interface that can reach the Barracuda XDR Collector)
- IP Protocol: IPv4
- Remote log servers: <collector_ip>:<udp_port> — e.g., 192.168.10.25:9272
- Remote Syslog Contents — enable these categories:
- Firewall Events
- VPN Events
- Gateway Monitor Events
- Routing Daemon Events
Click Save.

To verify the integration

In pfSense, generate a test event (e.g., trigger a firewall block by attempting a connection that matches a deny rule, or restart a VPN).
In Barracuda XDR Dashboard, do the following:
- Click Home.
- Confirm the pfSense data source appears with a good status and at least one active instance.
Optionally, search the events index for the tag pfsense to confirm events are flowing.

Troubleshooting

Issue	Solution

Issue	Solution
No events arriving in Barracuda XDR	Verify the collector IP is reachable from pfSense; a firewall rule may be blocking outbound UDP. Confirm the configured UDP port (default `9272`) is open end-to-end.
Events arrive but some categories are missing (e.g., no VPN events)	In pfSense, open Status > System Logs > Settings. Confirm the relevant categories are checked under Remote Syslog Contents.
Data source shows a "bad" status	In Barracuda XDR dashboard, confirm the following: The integration is Enabled in Barracuda XDR The on-prem collector is online, and `pfsense` package was provisioned
Multiple pfSense appliances	Each appliance must be configured to forward to the same collector IP/port. Tag-based separation can be added later if needed.
Port 9272 already in use on the collector	Change the UDP Port field on the Barracuda XDR pfSense setup screen, click Save, and configure pfSense to send to the new port.

Reference / Further Reading

pfSense official documentation — Status: System Logs Settings