Google Cloud NGFW Out-of-the-Box Response Integration

This article describes the required procedure to integrate Google Cloud NGFW with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.

Requirements

  • Google Cloud Platform Account
    • GCP administrator account with an active project.
  • An Active Lumu Defender Subscription or a Lumu for MSP account.

Preliminary Checklist

To set up the integration, you will need the following so that Lumu can communicate with Google Cloud NGFW:

  • The Google Cloud Project ID you wish to integrate Lumu with.
  • A Network Firewall Policy. You can create a new policy for the integration, or use an already existing one.
  • An Admin role with Compute Organization Firewall Policy permissions.
Notes
You will find a list with specific permissions needed for the integration in the Admin role creation step, which is Step 5 of the Create Admin Role section.
  • API Key, in JSON format.

In the following steps, you will learn how to obtain all of these requirements.

Integration Setup - Configure Google Cloud NGFW

Obtain the Google Cloud Project ID

1. Go to the IAM & Admin > Manage Resources module and identify the project you want Lumu to integrate with. Take note of the value you find under the ID column.

Notes
Keep on hand the ID of the project. This information will be asked later to configure the integration.

Create a Network Firewall Policy

1. Open your web browser and access the GCP Portal. Log in using an active GCP account and click on VPC Network.

2. In the VPC Network section, click on the Firewall button on the left side bar. Then, click on the Create Firewall Policy button in the upper middle of the screen to create a new firewall policy.
Notes
In case you already have an existing network firewall policy you want to use with the Lumu integration, skip directly to Step 5.

3. In the next screen, fill out the information as follows:
a. Provide a unique and descriptive Policy Name(1)
b. Optionally, enter a Description(2) for the Firewall Policy.
c. Under Deployment Scope(3) you can choose whether the policy is applied Globally, or on a Regional basis. Choose the scope that best suits your needs.
Notes
To learn more about Firewall Policy scopes, consult Google’s documentation.
d. In the Add Rules(4) section, you can add specific Firewall Rules that might be required.
e. As a final step, you can associate this firewall policy with any previously configured VPC Networks in the Associate policy with VPC networks(5) section. Adding the firewall policy to a VPC Network will apply the policy rules to targets in the corresponding network.
f. Once you’re done, click on the Create button.

4. Wait for the deployment to complete. Once created, you will be able to see it on the Network firewall policies table.

Create an Admin role with Compute Organization Firewall Policy permissions

1. Back in the dashboard, click on IAM & Admin, and in this module, click on the Roles button. Create a new role and grant it the permissions of the Compute Organization Firewall Policy Admin role or, for more fine-grained control, assign the following permissions:
  • compute.firewallPolicies.get
  • compute.firewallPolicies.list
  • compute.firewallPolicies.update
  • compute.firewallPolicies.use
  • compute.globalOperations.get
  • compute.globalOperations.list
  • compute.regionFirewallPolicies.get
  • compute.regionFirewallPolicies.list
  • compute.regionFirewallPolicies.update
  • compute.regionFirewallPolicies.use
  • compute.regionOperations.get
  • compute.regionOperations.list

2. Go to the APIs & Services > Credentials module, click on the Create Credentials button, and choose Service Account. Fill in the required data as follows:
a. Under Service account name(1) choose a descriptive display name for the account.
b. Under Service account ID(2) input a descriptive ID name for the account.
c. When done, click on the Create and Continue(3) button.

3. In the Grant this service account access to project step, click on Select a role and use the panel that opens to assign the role created in step 1 of this section to the Service Account. Then, click on the Done button.
Notes
Lumu strongly discourages granting users access to this service account.

4. Once created, select the Service Account from the table. Now go to the Keys tab, select the Add Key button and choose the JSON format. Keep this .JSON file on hand; it will be needed for a future step.
Notes
You can access the contents of the .JSON file by opening it with Notepad.
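
The following check is an added example, not part of Lumu's or Google's tooling: it compares a role export (the JSON printed by gcloud iam roles describe with --format=json) against the fine-grained permission list in step 1, and sanity-checks the downloaded key file before it is pasted into the Lumu Portal. The role name, project IDs and sample inputs are constructed for illustration.

```python
import json

# Fine-grained permission set listed in step 1 of this section.
REQUIRED = frozenset(
    f"compute.{res}.{verb}"
    for res, verbs in {
        "firewallPolicies": ("get", "list", "update", "use"),
        "regionFirewallPolicies": ("get", "list", "update", "use"),
        "globalOperations": ("get", "list"),
        "regionOperations": ("get", "list"),
    }.items()
    for verb in verbs
)
KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def audit_role(role_json: str) -> dict:
    """Report permissions the role lacks or holds beyond the list above."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {"missing": sorted(REQUIRED - granted), "excess": sorted(granted - REQUIRED)}

def check_key(key_json: str, expected_project: str) -> list:
    """Return problems found in a service account key file; empty means none found."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["not a JSON object"]
    problems = [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key.get("project_id") not in (None, expected_project):
        problems.append("project_id does not match the project being integrated")
    return problems

# Constructed sample inputs (not real credentials or a real role).
SAMPLE_ROLE = json.dumps({
    "name": "projects/example-project/roles/lumuNgfwResponse",
    "includedPermissions": sorted(REQUIRED - {"compute.regionOperations.list"})
    + ["compute.firewalls.delete"],
})
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "other-project",
    "private_key_id": "0000", "private_key": "CONSTRUCTED-PLACEHOLDER",
    "client_email": "lumu-ngfw@other-project.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE), check_key(SAMPLE_KEY, "example-project"), sep="\n")
```

An empty "excess" list confirms the role grants nothing beyond what the integration needs; a non-empty "missing" list usually means a permission was skipped when the role was created.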

Integration Setup - Lumu Portal

This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the Google Cloud NGFW Integration. To start, log into your Lumu account through the Lumu Portal.
Notes
Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.

2. Locate the Google Cloud Response integration. The list is organized in alphabetical order from A to Z. Click on the Add button.

3. Familiarize yourself with the integration details in the app description and click the Activate button to start the integration setup process.

4. Provide a meaningful Name. Under Threat Types, choose the specific threat mappings you want to push to Google Cloud Firewall. Select the option Include IP Indicators to include IP addresses in the information sent to your feed list. When done, click on the orange Next button.
Notes
If you leave the Include IP Indicators option unselected, you won’t be able to change it later. You will need to remove the integration and repeat all the steps again.
Notes
Please note that you cannot modify the information on this screen. Exercise caution when selecting Threat Types, as changes cannot be made later.

5. Next, you will be asked to fill in the following information:
a. Under Google Cloud Project ID(1) input the ID you obtained in the Obtain the Google Cloud Project ID section.
b. Under Service Account Key(2), you will need to copy and paste the contents of the JSON file you downloaded in Step 8 of the Create an Admin role with Compute Organization Firewall Policy permissions section.
When done, click on the Next button. Lumu will validate whether the credentials provided are correct.

6. In the next step, select the Firewall Policy where you want indicators to be pushed. This is the same Firewall Policy you created in Step 3 of the Create a Network Firewall Policy section. Once selected, click the Next button.

7. The integration is now created and active. The Lumu Portal will display the details of the created integration.

Final Steps - Validate the Integration

1. Once the integration is activated, a firewall rule with the highest available priority will be created and updated with confirmed compromises found by Lumu within the preceding 3 days. You can access this screen by clicking on the Firewall Policies sub-header of the Cloud NGFW section, and locating the corresponding policy.
