Collect Metadata with Lumu VA

The Lumu Virtual Appliance (VA) offers the option to create VA collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on the network operation. 

Collecting metadata other than DNS requests matters because some attacks avoid domain resolution altogether, leaving traces of their contacts only in the access logs of firewalls, proxies, and similar devices. This option also accommodates networks where DNS configuration is not possible. In that scenario, you can monitor IP traffic with the Lumu Virtual Appliance acting as a network metadata collector on your enterprise perimeter.

This approach ensures compromise visibility without having to make major changes, as almost every cybersecurity vendor solution can forward metadata externally without impacting their operation.

Requirements

  1. Admin access and prerequisites to configure your vendor solution.
  2. The most recent version of the Lumu Virtual Appliance installed.

These are the general steps you should follow to configure the vendor solutions to send all metadata, such as firewall and proxy logs, to Lumu:

Steps to configure a VA collector

Deploy and Set Up Lumu VA

All detailed steps to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

  1. Deploy Virtual Appliances
  2. Configure Virtual Appliances and VA collectors

Set up a Lumu VA Log Collector

Go to the Lumu Virtual Appliance and refresh the VA collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, stop it before setting up collectors.

Figure: Example of options when selecting a collector

Select the option that refers to the collection you want to deploy and enter the requested data.

Figure: Example of screen when setting up a collector

The following are examples of data you may be asked to enter during this process:
  1. Protocol type: select TCP or UDP according to your infrastructure and your vendor solution.
  2. Port number: a number between 1024 and 65535, inclusive.
  3. Timezone: the timezone for the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Vendor Solution to Send Metadata to Lumu VA

Once you have installed and configured a Lumu Virtual Appliance with the respective collector, the next step is to set up the vendor solution to forward metadata to Lumu. Consult the vendor's documentation for instructions on forwarding logs to the Lumu Virtual Appliance.
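As an added pre-flight check (example code, not Lumu's or any vendor's), the script below validates the three collector inputs described above (protocol, port range, canonical timezone ID) and then proves the forwarding path with a loopback test: a listener is opened on the chosen protocol and port and a constructed syslog-style firewall line is sent to it, the same way a vendor device would forward a record to the VA. Function names, the sample line and the port selection are this example's own assumptions.

```python
import socket
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed syslog-style firewall record standing in for a vendor log line
# (this whole block is an added example, not Lumu's code).
SAMPLE_LINE = b"<134>Jan 10 12:00:00 fw01 filter: action=deny src=10.0.0.5 dst=203.0.113.7 dport=443\n"


def validate_collector_settings(protocol: str, port: int, timezone: str) -> list:
    """Return the problems found; an empty list means the three inputs are acceptable."""
    problems = []
    if protocol.upper() not in ("TCP", "UDP"):
        problems.append(f"protocol must be TCP or UDP, got {protocol!r}")
    if not 1024 <= port <= 65535:
        problems.append(f"port must be between 1024 and 65535 inclusive, got {port}")
    try:
        ZoneInfo(timezone)  # only canonical IDs such as America/Chicago resolve
    except (ZoneInfoNotFoundError, ValueError):
        problems.append(f"timezone must be a canonical ID, got {timezone!r}")
    return problems


def free_port(host: str = "127.0.0.1") -> int:
    # Hypothetical helper: ask the OS for a currently unused port for the smoke test.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def loopback_delivery_test(protocol: str, port: int, message: bytes,
                           host: str = "127.0.0.1") -> bytes:
    """Listen on host:port with the chosen protocol, send `message` to it, return what arrived."""
    if protocol.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind((host, port))
            srv.settimeout(2)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
                cli.sendto(message, (host, port))  # vendor side: one datagram per record
            data, _ = srv.recvfrom(65535)
            return data
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(2)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.connect((host, port))
            cli.sendall(message)  # vendor side: one record over the TCP stream, then close
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while chunk := conn.recv(4096):
                chunks.append(chunk)
            return b"".join(chunks)
```

Run the loopback test on the VA host itself with the appliance stopped and the collector's real port; if a datagram or stream arrives locally but not from the vendor device, the problem lies in the device's forwarding configuration or the network path rather than in the collector settings.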

You can find documentation from Lumu with more specific guidance and links to the following vendors:

  1. Collect DNS packets with Lumu VA and Packetbeat
  2. Collect DNS queries with Lumu VA and Infoblox
  3. Collect Firewall Metadata with Lumu VA and Check Point
  4. Collect Firewall metadata with Lumu VA and Cisco Meraki
  5. Collect Firewall metadata with Lumu VA and Palo Alto NGFW
  6. Collect Firewall metadata with Lumu VA and WatchGuard
  7. Collect Firewall metadata with Lumu VA and SonicWall
  8. Collect Firewall metadata with Lumu VA and FortiGate
