Have you verified there is connectivity between the firewall and Splunk? Are you looking in the right place for the received logs?
To Open UDP:514 in Standard Windows Firewall
netsh firewall add portopening UDP 514 "Open UDP 514"
To Open UDP:514 in Advance Windows Firweall
netsh advfirewall firewall add rule name="Open UDP 514" dir=in action=allow protocol=UDP localport=514
I am assuming Linux all the way around. You need to make sure that at each stage the port is active. You can do this with
netstat. You also need to make sure you are using UDP everywhere (or TCP everywhere). You also need to make sure that your ports are open everywhere to allow the traffic and lastly that you have routes from each machine that allow the data to travel back AND forth. You can test the ports using
nc; with this you can both receive data (act as Splunk forwarder) and also inject data (act as firewall sender).