Barracuda CloudGen Firewall Custom Response Integration

This article shows how to leverage the Lumu Defender API and Barracuda CloudGen Firewall API to mitigate security risks.

Response integration between Barracuda CloudGen Firewall and Lumu

Requirements

  • A Barracuda CloudGen Firewall on version 9.0 or above
    • You must enable the API service on the Firewall.
  • Lumu Defender API key
    • To retrieve an API token, please refer to the Defender API document.
  • Script host.
    • A scripting host is required to deploy the integration. This host must have network reachability to the Lumu Defender API endpoints and to the Barracuda Firewall. Depending on the deployment model you select, you will need a host with:
      • Python 3.10+
        or
      • A Docker-enabled host.
  • Script package
    • Contact the Lumu support team to request the package we created to deploy the required files.

Contacted hosts

Allow all traffic to the following hosts. These are required for the operation of this integration:
  • Barracuda Firewall IP
  • defender.lumu.io

Integration overview

The integration leverages the Custom External Network Objects feature in the Dynamic Network Objects module, which supports IP addresses. It manages the IP addresses related to Lumu-detected adversarial contacts. You then attach the Lumu-related Custom External Network Object to an Access Rule in the Forwarding Firewall configuration section.

The Custom External Network Objects support a maximum of 10,000 IP addresses.

Configure Barracuda CloudGen Firewall

Follow these steps to set up your Barracuda console for Lumu integration.

Create a Manager Account

We encourage you to create a specific manager account for the integration. To create it, follow these steps inside your Barracuda Firewall Admin console:

1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Administrators
3. In the Administrators tab, click on the Accounts menu on the left
4. Click Lock, then click on the Plus sign to create the user. Fill in the required data by following these guidelines:
a. Give the user a distinctive name
b. Assign it the Manager role
c. Select the No OS Login under the System Level Access field
d. Set its Authentication Level to Password
e. Select Against Local Password as the Password Validation method
f. Fill in the password
g. (Recommended) Set the IP that will be used by the integration component under the Peer IP Restriction section
5. Save your integration user by clicking the OK button. Then click on Send Changes, and finally on Activate

Save the user name and password; they will be used to configure the integration.

Enable the REST API Service

To enable the REST API Service, follow these steps inside your Barracuda Firewall Admin console:

1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Infrastructure Services > Rest API Service
3. In the Rest API Service tab, click on the General menu on the left
4. In the HTTPS Interface section, set the following:
a. Mark the Enable HTTPS Interface check box
b. Mark the Bind to Management IPs check box
c. (Optional) Change the HTTPS Port
d. Generate a Private Key and an Explicit Certificate by clicking on the gear icon next to each item
5. Save your configuration by clicking on Send Changes, then on Activate

For further reference, check Barracuda's documentation.

You can authenticate API calls by generating and assigning tokens to users. To generate the token, follow these steps inside your Barracuda Firewall Admin console:

1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Infrastructure Services > Rest API Service
3. In the REST API Service tab, click on the Access Tokens menu on the left
4. Click Lock, then click on the Plus sign to create a new Access Token associated with the created integration user.
5. Click on the Generate new token button. Fill in the Time to live fields with the number of days you want. Copy the access token for further reference. Finally, click on the OK button
6. Click on Send Changes, then on Activate

Keep note of the token. It will be used later to configure the integration.

We recommend giving the token a time to live no greater than 365 days. You must regenerate it to keep the integration working after it expires.

Select the Custom External Network Object for the integration

Barracuda CloudGen Firewall has 4 Custom External Network Objects. You need to select one to exclusively manage Lumu-related IOCs. The selected object must not be managed by any other means, not even through an SSH console, as this could lead to overwriting and other unexpected behaviors.

Collect the required data from Lumu portal

The integration set-up process needs you to collect this information from the Lumu portal:
  • Lumu Defender API key
  • Company UUID
Log in to your Lumu portal and run the following procedures to collect this data.

Collect the Lumu Defender API key

To collect the Lumu Defender API key, please refer to the Defender API document.

Collect your Lumu company UUID

To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.

Deploy the integration

There are two deployment options for the script; select the one that best fits your current infrastructure.
  • Run it as a Python script by executing the install.sh bash file, which:
    • Creates a Python virtual environment and installs its dependencies for you
    • Installs the crontab line in the host
  • Run it as a Docker container.
Whichever alternative you select, you first need to unpack the integration package shared by our Support team.
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep this location in mind, as it will be required for further configuration. From now on, we will refer to this folder as <app_lumu_root>.
If you use the install script, use the uninstall.sh bash file to remove the integration from the host.

Set up the configuration files

To set up the integration, you need to add and edit two configuration files:
  • companies.yml: this file contains the information collected from the Lumu portal
  • integrations.yml: this file contains the information collected from your Barracuda instance

Inside the integration package, you will find sample files you can use to build your configuration files. These files are companies_template.yml and integration_template.yml.

Complete the companies file

The companies file defines how the integration connects to Lumu and extracts the incidents and their related indicators of compromise.

- lumu:
    uuid: "<COMPANY-UUID>"
    [name: "<COMPANY-NAME>"]
    [contact_name: "<CONTACT_NAME>"]
    [contact_email: "<CONTACT_EMAIL>"]
    defender_key: "<DEFENDER_API_KEY>"
    hash_type: "<HASH_ALG>" # sha256 | sha1 | md5
    ioc_types: # list of ioc types, option one, many or all
      - ip
      - domain
      - url
      - hash
    adversary: # list of adversary types, option one, many or all
      - C2C
      - Malware
      - Mining
      - Spam
      - Phishing
    days: 30 # MIN 1, MAX 30

Within this file, the COMPANY_UUID and DEFENDER_API_KEY fields are mandatory; use the values captured in the previous steps. The ioc_types list must include the IOC type this integration handles, in this case ip.

Complete the integrations file

The integrations file contains the information required for the integration to connect to and interact with your deployment:

- lumu:
    uuid: "<COMPANY_UUID>"
    adversaryTypes: [ "C2C", "Malware", "Mining", "Spam", "Phishing"] # ["C2C", "Malware", "Mining", "Spam", "Phishing"]
    days: 10 # INTEGER=(get incidents from X days of the ioc manager local db)
  app:
    name: <Unique-Name>
    CustomExternalNetworkObjects: 1 # Range [1 - 4]
    clean: false # true | false
    ioc: [ ip ]
    max: 1000 # [0 - 1000]
  api:
    server: "<IP/HOSTNAME:PORT>"
    username: "<USERNAME>"
    password: "<PASSWORD>" # password OR token OR both
    token: "<TOKEN>" # password OR token OR both
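Before the first run it pays to check both files against the constraints this article states (mandatory uuid and defender_key, ioc types that include ip, days 1-30, CustomExternalNetworkObjects 1-4, max 0-1000, password or token or both). The following checker is an added example, not part of the Lumu package; it takes each file as a YAML parser would load it (a list of mappings), treats any value still wrapped in angle brackets as an unfilled template placeholder, and uses constructed sample values rather than real credentials.

```python
"""Sanity-check companies.yml and integrations.yml before a first run.

Added example, not part of the Lumu package. It encodes only the constraints the
article states (mandatory uuid/defender_key, ioc types include ip, days 1-30,
CustomExternalNetworkObjects 1-4, max 0-1000, password or token or both).
Input is each file as a YAML parser loads it: a list of mappings."""

def _unset(value):
    # Missing values and template placeholders such as "<TOKEN>" both count as unset.
    return value in (None, "") or str(value).startswith("<")

def check_companies(entries):
    problems = []
    for i, entry in enumerate(entries):
        lumu = entry.get("lumu", {})
        if _unset(lumu.get("uuid")):
            problems.append(f"companies[{i}]: uuid missing or still a placeholder")
        if _unset(lumu.get("defender_key")):
            problems.append(f"companies[{i}]: defender_key missing or still a placeholder")
        if "ip" not in (lumu.get("ioc_types") or []):
            problems.append(f"companies[{i}]: ioc_types must include ip")
        if not 1 <= int(lumu.get("days", 0)) <= 30:
            problems.append(f"companies[{i}]: days must be 1-30")
    return problems

def check_integrations(entries):
    problems = []
    for i, entry in enumerate(entries):
        app, api = entry.get("app", {}), entry.get("api", {})
        if not 1 <= int(app.get("CustomExternalNetworkObjects", 0)) <= 4:
            problems.append(f"integrations[{i}]: CustomExternalNetworkObjects must be 1-4")
        if not 0 <= int(app.get("max", -1)) <= 1000:
            problems.append(f"integrations[{i}]: max must be 0-1000")
        if "ip" not in (app.get("ioc") or []):
            problems.append(f"integrations[{i}]: ioc must include ip")
        if _unset(api.get("server")):
            problems.append(f"integrations[{i}]: api.server is required")
        by_password = not _unset(api.get("username")) and not _unset(api.get("password"))
        if not (by_password or not _unset(api.get("token"))):
            problems.append(f"integrations[{i}]: api needs username+password, a token, or both")
    return problems

# Constructed samples that pass every check (placeholder credential values, not real ones).
SAMPLE_COMPANIES = [{"lumu": {"uuid": "12345678-1234-1234-1234-123456789abc",
                              "defender_key": "example-defender-key", "ioc_types": ["ip"], "days": 30}}]
SAMPLE_INTEGRATIONS = [{"lumu": {"uuid": "12345678-1234-1234-1234-123456789abc", "days": 10},
                        "app": {"CustomExternalNetworkObjects": 1, "clean": False, "ioc": ["ip"], "max": 1000},
                        "api": {"server": "198.51.100.10:8443", "token": "example-token"}}]
```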

Prepare Python on your environment

If Docker is your chosen deployment method, you may skip this step.

If Python is your chosen deployment method, you will need to create a virtual environment for each integration to avoid conflicts between them and your operating system tools. Make sure you follow the steps in our Preparing Environment for Custom Integrations article.

Deploy the integration as a script

To deploy the integration as a script, run the install.sh script inside the integration package.
Make sure the install.sh script has execution permission before running it.
To run the installation script, go to the <app_lumu_root> folder, then execute this line through the CLI.
./install.sh all

The installation script will set up the Python environment and two different cron jobs.
If you want to modify the default running interval set by the installation script, edit the cron job entries it added according to your environment requirements.
To restart or uninstall the integration, run ./restart all or ./uninstall all, respectively.

Script details

To use the script, go to the path selected for deployment (<app_lumu_root>). Use the following command to show all options available for the package:
python run.py -h

Usage: run [-h] [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH] [-v] [-l {screen,file}] [--hours HOURS]

Options and their descriptions:

-h, --help
    show this help message and exit
--config CONFIG
    default: integrations.yml, CONFIG FILE PATH of the companies, follow the next YML template.
--ioc-manager-db-path IOC_MANAGER_DB_PATH
    default path: ./ioc.db, PATH where the integration goes to read the Lumu Incidents
--logging {screen,file}, -l {screen,file}
    Logging option (default screen).
--verbose, -v
    Verbosity level.
--hours HOURS
    keep db log record from [x hours], for auto maintenance local db purpose

Usage Examples

Task: query IOCs related to Lumu incidents with default options

To query all the IOCs related to Lumu incidents triggered within the days defined in your configuration files, run the following command.

python3 run.py

Task: query IOC related to specific parameters

By default, the integration script queries incidents related to all adversary types. If you need to filter the query to specific adversary types, set the adversaryTypes parameter inside your integrations.yml file and run the command as follows.

python3 run.py --config integrations.yml --ioc-manager-db-path /<ioc-manager-path>/ioc.db

Task: Clean records

To clean the existing records in Barracuda, just set up the clean flag in the integrations.yml file to true.

clean: true

Then, run the integration script as follows:

python3 run.py [--config CONFIG] [--ioc-manager-db-path IOC_MANAGER_DB_PATH]

The records not managed by the integration will be preserved.
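The clean task and the 10,000-entry object limit described earlier both hinge on the integration knowing which entries in the Custom External Network Object are its own. The snippet below is an added example, not code from the Lumu package or Barracuda's API: it models only the list arithmetic (ownership is tracked in a local set, which is an assumption about how the real script records it), so a clean run removes exactly the integration's entries, admin-added entries survive, non-IP indicators are skipped, and the `max` setting and object limit are honoured. Pushing the result to the firewall is outside the snippet.

```python
"""Compute the entry list for the Lumu-managed Custom External Network Object.

Added example, not from the Lumu package or Barracuda's API. Models the list
arithmetic described in the article: the integration owns only the entries it
added (tracked in a local set; an assumption), `clean: true` removes exactly
those, foreign entries are preserved, and the object holds at most 10,000."""
import ipaddress

OBJECT_LIMIT = 10_000   # per-object capacity stated in the article

def reconcile(current, managed, lumu_iocs, max_entries=1000, clean=False):
    """Return (entries_to_write, entries_now_managed)."""
    foreign = [e for e in current if e not in managed]   # added by admins, not by us
    if clean:
        return foreign, set()            # drop only what the integration added
    fresh = set()
    for ioc in lumu_iocs:
        try:                             # the object holds IPs; skip domains, URLs, hashes
            fresh.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            continue
    fresh -= set(foreign)                # never duplicate (or later delete) an admin's entry
    wanted = sorted(fresh)[:max_entries] # integrations.yml `max` (0 - 1000)
    room = max(OBJECT_LIMIT - len(foreign), 0)
    wanted = wanted[:room]               # never exceed the object's capacity
    return foreign + wanted, set(wanted)

# Constructed sample: one admin-owned entry, two entries from an earlier run.
SAMPLE_CURRENT = ["10.0.0.1", "203.0.113.5", "203.0.113.6"]
SAMPLE_MANAGED = {"203.0.113.5", "203.0.113.6"}
SAMPLE_LUMU_IOCS = ["203.0.113.6", "198.51.100.7", "malicious.example", "10.0.0.1"]
```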

Other tasks

You can combine the examples shown according to your needs. Adding the --logging {file,screen} and --verbose arguments gives you a better understanding of what is going wrong.

Deploy as a Docker container (Optional)

If you have a Docker environment, you can select this option to run the integration as a Docker process. To deploy and run your integration as a Docker container, go to the <app_lumu_root> folder and follow these instructions:

1. Build the container by running the following command.

docker build \
[--build-arg IOC_MAN_CONFIG='companies.yml'] \
[--build-arg APP_CONFIG='integrations.yml'] \
--tag img-barracuda-response \
--file DockerfileAllInOne .
Do not forget the trailing dot ".", which sets the build context.

2. Run the container by using the following command.

docker run -d \
--restart unless-stopped \
--log-driver json-file \
--log-opt max-size=30m \
--log-opt max-file=3 \
--name lumu-barracuda-response \
img-barracuda-response

With this mode, your integration will run every 5 minutes.

Troubleshooting

For troubleshooting purposes, you can run the following commands:

To log in to your container using an interactive shell:

docker exec -it lumu-barracuda-response bash

To collect integration logs:

docker logs -f lumu-barracuda-response

Expected results

After running the integration, you will see new items in the Dynamic Network Objects section, provided there were detections with related IP addresses.

Troubleshooting and known issues

To identify failures in the script execution, use the -v flag. The script execution log will show more detailed information.

The application logs will be redirected to the lumu.log file. The file errors.log stores only the errors to make them easier to find and aid the troubleshooting process.

Another instance is running

If you receive the following error:

Stopping the integration 4075129, it might have another older instance running, check if is feasible or not
older pid: 4075120 - cwd: /home/lumu/Documents/repos/barracuda-cloudgenfirewall-response - since: 2024-09-26 18:14:05.390000
cmdline: /home/lumu/Documents/repos/barracuda-cloudgenfirewall-response/venv31014/bin/python /home/lumu/Documents/repos/barracuda-cloudgenfirewall-response/run.py

There could be another instance running. To check this, open the pid.pid file in the integration folder. This file stores the process ID of the running instance.

Further steps

Now that the integration is managing IP IOCs in the selected Custom External Network Object, you must create a new Forwarding Rule blocking all traffic to these destinations. Follow these steps in your Barracuda Admin console to create a blocking Forwarding Rule at the top of your Firewall configuration.

1. Go to CONFIGURATION in the navigation menu. Click on the Box menu (the one with the appliance icon)
2. Double-click on Assigned Services > NGFW (Firewall) > Forwarding Rules
3. Click on the Access Rules menu on the left
4. Click Lock, then click on the Plus sign to create a new Forwarding Rule. Fill in the rule data by following these guidelines:
a. Select Block in the Action
b. Select Any as the Source
c. Select Any in the Service field
d. Select the Custom External Object group managed by the integration
5. Click on the OK button
6. Make sure your new rule is at the top of your configuration. If not, you can move it by dragging and dropping it at the top of your configuration
7. Click on Send Changes. Then, click on Activate
