Radware DefensePro Custom Response Integration

This article shows how to leverage the Lumu Defender API and the Radware DefensePro Cyber Controller API to mitigate security risks using the Network Classes feature.

Requirements

  • A Radware Cyber Controller administrator user. The user will be used to prepare the Radware environment for the integration.
  • Lumu Defender API key. To retrieve an API token, please refer to the Defender API document.
  • A Docker-enabled host. This host will be used to deploy the integration component. This host must have Internet visibility over the Lumu Defender API endpoints and the Radware Cyber Controller Web Console.
  • Component and Script package. Contact the Lumu support team to request guidance, or visit the component documentation on our DockerHub site.
  • Contacted hosts. Ensure your integration host can communicate with the following hosts. They are required for the operation of this integration.
    • Your Radware Cyber Controller instance
    • defender.lumu.io
    • docker.io
    • ghcr.io
    • *.ubuntu.com
    • *.launchpad.net
    • canonical.com
    • debian.org
    • *.debian.org
    • debian-security.org
    • pypi.python.org
    • pypi.org
    • pythonhosted.org
    • files.pythonhosted.org

Integration overview

The Lumu Custom Response integration with Radware DefensePro uses the Cyber Controller API to manage the entries of a dedicated Network Class, updating it with the IP addresses related to Lumu detections. This Network Class can then be referenced in blocklists to prevent further outbound contacts within your Radware DefensePro deployment.

Preliminary Setup - Create an integration user in the Radware Cyber Controller

To set up the integration, you must prepare your Radware DefensePro deployment to communicate with the Lumu integration. To do this, you need to:

  • Identify your Cyber Controller IP address or hostname.
  • Create a dedicated integration user.
  • Identify the IP address of your DefensePro appliance.

The following sections will guide you on how to perform these tasks.

Identify your Cyber Controller IP address or hostname

The IP address information can be obtained in two ways:

  • From the URL of your web console: the address in a URL such as https://x.x.x.x/systemDashboard is the Cyber Controller IP.
  • From the Dashboard view: Check the General Information section within the Dashboard.

Create the Lumu integration user

Creating a dedicated user is highly recommended for this integration.

Alert: Avoid reusing credentials across multiple instances or with a console user. Because the integration relies on the lock/unlock function for editing, a dedicated account is critical for consistency, stability, and proper auditing. If the integration shares credentials with a human console user, manual actions taken by that user can inadvertently interfere with the integration's automated processes, leading to unpredictable or temporary failures.
Note: The user account created for this integration must have at least the Device Administrator role. This level of access is required to execute actions such as locking the configuration, applying updates, and managing the network table used by the component.

Log in to your Radware Cyber Controller console and follow these steps:

1. Navigate to the Configuration menu (gear icon), select User Management, and then Local Users.

2. Click the plus icon to create a new user. Fill in the user data as follows:

    1. Enter the User Name.
    2. Move to the Permissions section. Add the Device Administrator role by clicking the plus button and selecting it from the Role list. The Scope indicates the DefensePro device you want to integrate with. If you are not sure, select [ALL]. When finished, click Submit.
    3. Move to the Password section. Type in and confirm the password for your integration user. Ensure the User Must Change Password on Next Login option is disabled.

When finished, click the Submit button.

Identify the IP address of your DefensePro appliance

You must provide the integration with the IP address of the DefensePro appliance you want to integrate. Continuing from the previous section, use the right navigation tree to locate your Radware appliance and click on it. Copy the IP address labeled Mgmt IP.

Preliminary setup - Lumu portal

You must collect the following information from the Lumu portal:

  • Lumu Defender API key.
  • Company UUID.

Follow the steps in the sections below to collect the information.

Collect the Lumu Defender API key

To collect the Lumu Defender API key, please refer to the Defender API document.

Collect your Lumu company UUID

To collect your Lumu company UUID, log in to your Lumu portal. Once you are in the main window, copy the string below your company name.

Preliminary Setup - Docker-enabled host

Note: If your integration host does not have Docker installed, follow the Docker installation documentation that corresponds to your OS. Ensure you complete the Post-installation steps for Linux before deploying the integration.
Note: Windows users should follow the Install Docker Desktop for Windows documentation to install the Docker Engine.

Deploy the integration

The following section will guide you through the deployment process.

Set up the Management Script

Lumu prepared a short script that allows you to manage your integration. Create a file named manage.sh on your integration host and paste the following code into it.

#!/usr/bin/env bash

RED='\033[0;31m'
GREEN='\033[0;32m'
CYAN='\033[0;36m'
YELLOW='\033[1;33m'
BOLD='\033[1m'
RESET='\033[0m'

info()    { echo -e "${CYAN}[INFO]${RESET}  $*"; }
success() { echo -e "${GREEN}[OK]${RESET}    $*"; }
warn()    { echo -e "${YELLOW}[WARN]${RESET}  $*"; }
error()   { echo -e "${RED}[ERROR]${RESET} $*" >&2; }
prompt()  { echo -e "${BOLD}${YELLOW}$*${RESET}"; }

# Image and container names used by every command below
IMG=lumutools/radware-defensepro-response:latest
INTEGRATION_NAME=lumu-radware-defensepro-response
INTEGRATION_NAME_IOC=lumu-radware-defensepro-response-ioc
# Host directory holding the configuration file, the IOC database and the status file
INTEGRATION_DIR=${HOME}/RadwareDefenseProResponse
VOLUME_DATA=${INTEGRATION_DIR}/data:/app/data
VOLUME_CONFIG=${INTEGRATION_DIR}/data/.config.toml:/app/.config.toml:ro
VOLUME_IOC=${INTEGRATION_DIR}/data/ioc.db:/app/data/ioc.db:ro

# Create the shared data directory and make it writable for the container processes
mkdir -p "${INTEGRATION_DIR}/data"
chmod -R o+w "${INTEGRATION_DIR}/data" > /dev/null 2>&1

run_config() {
    info "Running configuration script ..."
    if docker run --rm -it -v "${INTEGRATION_DIR}/data:/app/data" "${IMG}" bash run_config; then
        success "Configuration completed."
    else
        error "Configuration script failed."; return 1
    fi
}

start_integration() {
    info "Setting up IOC integration '${INTEGRATION_NAME_IOC}' ..."
    if [[ ! -f "${INTEGRATION_DIR}/data/.config.toml" ]]; then
        error "Please configure the integration first."; return 1
    fi
    if ! docker container inspect "${INTEGRATION_NAME_IOC}" &>/dev/null; then
        info "Integration '${INTEGRATION_NAME_IOC}' does not exist. Creating it ..."
        if ! docker create \
            -v "${VOLUME_DATA}" \
            -v "${VOLUME_CONFIG}" \
            --restart unless-stopped \
            --log-driver json-file \
            --log-opt max-size=30m \
            --log-opt max-file=3 \
            --name "${INTEGRATION_NAME_IOC}" \
            "${IMG}" bash run_ioc; then
            error "Failed to create IOC integration."
            return 1
        fi
    else
        warn "Integration '${INTEGRATION_NAME_IOC}' already exists. Skipping its creation."
    fi
    if docker start "${INTEGRATION_NAME_IOC}"; then
        success "IOC integration started."; sleep 5
    else
        error "Failed to start IOC integration."; return 1
    fi

    info "Setting up main integration '${INTEGRATION_NAME}' ..."
    if ! docker container inspect "${INTEGRATION_NAME}" &>/dev/null; then
        info "Integration '${INTEGRATION_NAME}' does not exist. Creating ..."
        if ! docker create \
            -v "${VOLUME_DATA}" \
            -v "${VOLUME_CONFIG}" \
            -v "${VOLUME_IOC}" \
            --restart unless-stopped \
            --log-driver json-file \
            --log-opt max-size=30m \
            --log-opt max-file=3 \
            --name "${INTEGRATION_NAME}" \
            "${IMG}" bash run_component; then
            error "Failed to create main integration."; return 1
        fi
    else
        warn "Integration '${INTEGRATION_NAME}' already exists. Skipping create."
    fi
    if docker start "${INTEGRATION_NAME}"; then
        success "Main integration started."
    else
        error "Failed to start main integration."; return 1
    fi
}

check_status() {
    info "Checking status of integrations ..."
    if [[ ! -f "${INTEGRATION_DIR}/data/.status.ndjson" ]]; then
        error "Status check failed. Verify if your integration has been deployed."; return 1
    fi
    if docker run --rm -it -v "${VOLUME_DATA}":ro "${IMG}" bash run_status; then
        success "Status check completed."
    else
        error "Status check failed."; return 1
    fi
}

show_logs() {
    echo ""
    prompt "Select which logs to view:"
    echo -e "  ${CYAN}1${RESET}) IOC integration  (${INTEGRATION_NAME_IOC})"
    echo -e "  ${CYAN}2${RESET}) Main integration  (${INTEGRATION_NAME})"
    echo ""
    read -rp "$(prompt 'Enter option [1/2]: ')" choice
    case "${choice}" in
        1)
            info "Showing logs for '${INTEGRATION_NAME_IOC}' ..."
            docker logs --tail 100 -f "${INTEGRATION_NAME_IOC}"
            ;;
        2)
            info "Showing logs for '${INTEGRATION_NAME}' ..."
            docker logs --tail 100 -f "${INTEGRATION_NAME}"
            ;;
        *)
            error "Invalid option '${choice}'."
            return 1
            ;;
    esac
}

usage() {
    echo ""
    prompt "  RADWARE DEFENSEPRO RESPONSE INTEGRATION MANAGEMENT"
    echo -e "  ${BOLD}Usage:${RESET} $0 <command>"
    echo ""
    echo -e "  ${CYAN}config${RESET}   Run configuration"
    echo -e "  ${CYAN}start${RESET}    Start integration"
    echo -e "  ${CYAN}status${RESET}   Check integration status"
    echo -e "  ${CYAN}logs${RESET}     Show integration logs"
    echo ""
}

case "${1}" in
    config) run_config ;;
    start)  start_integration ;;
    status) check_status ;;
    logs)   show_logs ;;
    *)      usage
            [[ -n "${1}" ]] && error "Unknown command '${1}'."
            exit 1 ;;
esac

Using the Management Script

With the management script, you can:

  • Configure the integration.
  • Start the integration.
  • Check the status of the integration.
  • Check the audit logs of the integration.

You can check these options by running the following command:

bash manage.sh

When running the configuration option, a wizard will guide you through a series of prompts. If the provided credentials are correct, the wizard will confirm this. If the credentials fail, you will receive an error message and have the option to re-enter the credentials or proceed despite the error.

Set up the configuration parameters

Execute the following command and type in all parameters gathered during the Preliminary Setup of the third-party solution. Fix any errors in your inputs if prompted.

bash manage.sh config

Note: We strongly recommend correcting any credential errors before attempting to start the integration with the start command.

Run the Integration

Run the integration by running this command:

bash manage.sh start

Note: If you have run this process before, you may receive warning messages about existing running components. To ensure you have the latest version of the integration, we recommend removing the existing integration containers before entering the start command.

Check the integration status

The integration is now active. Run the following command to check its current status:

bash manage.sh status

For additional debugging or information, you can execute the relevant Docker commands detailed in the troubleshooting section of this document.

Note: Monitor the console output for any unexpected errors. If there are errors, fix them and run the command again. Check the Troubleshooting section for further reference.

Show Logs

The logs option allows you to view the integration's logs. You will be prompted to choose between viewing the IOC logs or the main component logs; follow the guided steps.

Option 1: IOC integration

Option 2: The main integration

Expected results

After the integration runs, any Indicators of Compromise (IoCs) present in your instance will be visible in the Network Class created by the integration. To verify the uploaded IoCs, log in to your Cyber Controller instance and navigate to the configuration menu. Select the DefensePro appliance. Then, go to the Classes -> Network menu. In the list of network classes, you will find a new entry named after the configured integration name and ending in -LumuIOCs.

After clicking the network name, you will be able to view any active Lumu indicators.

Note: Radware allows at most 255 entries per Network table. Any entries beyond this threshold are disregarded, and the integration adheres strictly to this maximum.
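The reconciliation that the note above implies (mirror the active Lumu indicators into the class, never exceed 255 entries), shown as an added Python example that is not Lumu's component code. The Cyber Controller API calls that would apply the resulting additions and removals are not described on this page and are not shown; the sample data is constructed.

```python
import ipaddress

# Radware DefensePro accepts at most 255 entries per Network Class (limit stated on the page)
MAX_NETWORK_CLASS_ENTRIES = 255


def normalize_iocs(raw_iocs):
    """Validate and deduplicate indicator strings, keeping only IP addresses or CIDR ranges.

    Returns canonical CIDR strings in first-seen order; domains, blanks and malformed values
    are skipped because a Network Class can only hold IP ranges.
    """
    ordered = {}
    for value in raw_iocs:
        try:
            net = ipaddress.ip_network(value.strip(), strict=False)
        except ValueError:
            continue
        ordered.setdefault(str(net), None)
    return list(ordered)


def plan_network_class_update(current_entries, lumu_iocs, limit=MAX_NETWORK_CLASS_ENTRIES):
    """Work out the additions and removals that make the class mirror the active Lumu
    indicators without exceeding the per-class limit.

    Returns (to_add, to_remove, dropped); 'dropped' holds the indicators beyond the limit,
    which are disregarded just as the page describes.
    """
    desired = normalize_iocs(lumu_iocs)
    kept, dropped = desired[:limit], desired[limit:]
    current = set(normalize_iocs(current_entries))
    target = set(kept)
    to_add = sorted(target - current)
    to_remove = sorted(current - target)
    return to_add, to_remove, dropped


if __name__ == "__main__":
    # Constructed sample data: entries already in the class and a fresh Lumu indicator list
    existing = ["203.0.113.10", "198.51.100.0/24"]
    indicators = ["203.0.113.10", "203.0.113.10/32", "192.0.2.7", "evil.example", ""]
    add, remove, over = plan_network_class_update(existing, indicators)
    print("add:", add, "remove:", remove, "dropped:", over)
```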

Further steps: Adding the Network Class to your Blocklist

The newly created Network Table for this integration is versatile. Based on your network topology, you can configure it as either the source or destination for both existing and new blocklists.

After updating the blocklist, remember to apply the changes by clicking Update Policies.

Troubleshooting

You can use the management script for general troubleshooting. Below you will find additional commands for further diagnostics if they are needed.

  • Stopping the integration
    Run the following command if you need to stop the integration.
    docker stop lumu-radware-defensepro-response
    docker stop lumu-radware-defensepro-response-ioc

  • Starting the integration
    Run the following command to start the integration.
    docker start lumu-radware-defensepro-response
    docker start lumu-radware-defensepro-response-ioc

Known issues

In this section, we collect the potential issues you may encounter after running the troubleshooting commands from the section above.

Docker permission execution

If you get an error while building the integration such as docker: permission denied while trying to connect to the Docker daemon socket, follow the official Docker post-installation documentation to fix this issue.

Network Connection Problems

Logs indicating a connection problem will often contain keywords such as timeout or connection error. These terms are suggestive of an underlying network issue, which should prompt a check of the network and internet status.
