Before going through this article, check our
Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.
Because WatchGuard Firebox Firewalls (without Firebox Cloud) offer no API for this purpose, this example emulates the access and configuration steps a regular admin user would carry out to feed URLs into the Blocked Sites option.
This integration script is offered as-is. No further support will be provided. Any change in the authentication flow within the WatchGuard Firebox Firewall web console will affect the operation of this script.
This article shows how to leverage the Lumu Defender API and the WatchGuard Firebox Blocked Sites feature to mitigate security risks in the organization’s network.
IoC injection from Lumu Defender into WatchGuard Firebox Blocked Sites
Requirements
- Fireware OS v12.7 or above.
- Fireware Admin user.
- It is recommended to create an admin user exclusively for this integration. This allows having traceability of all actions run by the script in the Firewall logs.
- Lumu Defender API key.
- Scripting host with Python v3.6+.
- The host must be able to reach both the Firebox admin console and Lumu Defender REST API endpoints.
- Script package.
- Contact the Lumu support team [add link] to request the package we created to deploy the required files.
Deploy the script
Script location
Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <firebox_lumu_root>.
Install requirements
The file requirements.txt contains the list of prerequisites for this data collector. After deploying the package locally, run the following command from the deployment folder:
[sudo] pip install -r ./requirements.txt
Script details
To run the script, you must change into the path selected for deployment (<firebox_lumu_root>). Use the following command to show all options available for the package:
python lumu-firebox.py --help
Usage:
lumu-firebox.py [options]
| Option | Description |
| --- | --- |
| -h, --help | show this help message and exit |
| (run --help for the flag) | Load options from config file |
| --company-key COMPANY_KEY, --company_key COMPANY_KEY | Lumu Company Key (Defender API). |
| --proxy-host PROXY_HOST, --proxy_host PROXY_HOST | Proxy host (if required) |
| --proxy-port PROXY_PORT, --proxy_port PROXY_PORT | Proxy port (if required) |
| --proxy-user PROXY_USER, --proxy_user PROXY_USER | Proxy user (if required) |
| --proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD | Proxy password (if required) |
| --logging | Logging option (default screen). |
| (run --help for the flag) | Firebox administration port (default 8080). |
| --user USERNAME, --username USERNAME | Firebox administration user (must have 'readwrite' privileges). |
| (run --help for the flag) | Firebox authentication server. |
| --adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}, --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing} | Lumu adversary types to be filtered. |
| --delete-existent, --delete_existent | Delete existent blocked sites from configuration. |
Usage examples
Task: Retrieve all Lumu detected adversaries from the last 30 days and push them into Firebox Blocked Sites
Use the following command to fetch and push all adversaries detected by Lumu in the last 30 days to Firebox Blocked Sites.
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key>
In this mode, the script will append new adversaries to the existing blocked sites list.
Task: replace existing blocked sites in Firebox configuration
Use the following command to replace existing Firebox blocked sites with all adversaries detected by Lumu in the last 30 days.
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key> --delete-existent
If you have recorded blocked sites from sources other than Lumu, these will be deleted as well.
Task: fetch Lumu detected adversaries filtering by type
To specify the types of adversaries you want to filter in your queries, use the option --adversary-types ADVERSARY-TYPE. If you need to set more types of adversaries, repeat the option as follows:
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key> --adversary-types C2C --adversary-types Mining
In this example, the script will fetch Lumu detected adversaries of types C&C and Mining.
Task: save log output to file
Use the argument --logging file to store a record of all tasks that have been run since the script was executed for the first time. With this option, the entire script output is redirected to a file named lumu.log in the script's root path (<firebox_lumu_root>).
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key> --logging file
Other tasks
The above samples can be combined according to your needs.
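The tasks above combine into a single resulting Blocked Sites list, and the following added Python example (written for this article; it is not Lumu's lumu-firebox.py and talks to neither the Lumu Defender API nor a Firebox) models that combination. It parses the same flags with argparse (a repeatable --adversary-types restricted to the listed values, the --delete-existent switch, the alternative spellings) and computes the list that append mode and replace mode would produce from constructed sample adversaries and a constructed pre-existing Blocked Sites list. The sample hosts, the screen/file values for --logging, and the `run`/`plan_blocked_sites` helper names are assumptions of this example.

```python
"""Added illustration, not Lumu's script: how the usage-example options combine."""
import argparse
from typing import Iterable, List, Optional, Set

ADVERSARY_TYPES = ("C2C", "Malware", "DGA", "Mining", "Spam", "Phishing")

# Constructed sample: adversary records reduced to the two fields this example
# needs. In the real script these come from the Lumu Defender API.
SAMPLE_ADVERSARIES = [
    {"host": "c2.example.net", "type": "C2C"},
    {"host": "miner.example.org", "type": "Mining"},
    {"host": "phish.example.com", "type": "Phishing"},
    {"host": "c2.example.net", "type": "Malware"},  # same host, second type
]

# Constructed sample: entries an admin added to Blocked Sites by hand earlier.
SAMPLE_EXISTING_BLOCKED_SITES = ["legacy-bad.example.com", "c2.example.net"]


def build_parser() -> argparse.ArgumentParser:
    """Subset of the script's options, parsed as the usage examples imply."""
    p = argparse.ArgumentParser(prog="lumu-firebox.py")
    p.add_argument("--host", required=True)
    p.add_argument("--username", "--user", dest="username", required=True)
    p.add_argument("--password", required=True)
    p.add_argument("--company-key", "--company_key", dest="company_key", required=True)
    # action="append" is what lets "--adversary-types C2C --adversary-types Mining"
    # accumulate; choices rejects anything outside the documented set.
    p.add_argument("--adversary-types", "--adversary_types", dest="adversary_types",
                   action="append", choices=ADVERSARY_TYPES)
    p.add_argument("--delete-existent", "--delete_existent", dest="delete_existent",
                   action="store_true")
    # Assumed value set: the article only shows "file" and a "screen" default.
    p.add_argument("--logging", choices=("screen", "file"), default="screen")
    return p


def select_hosts(adversaries: Iterable[dict], types: Optional[List[str]]) -> Set[str]:
    """Hosts of adversaries whose type is in `types`; every host when no filter is set."""
    wanted = set(types) if types else set(ADVERSARY_TYPES)
    return {a["host"] for a in adversaries if a["type"] in wanted}


def plan_blocked_sites(existing: Iterable[str], lumu_hosts: Set[str],
                       delete_existent: bool) -> List[str]:
    """Resulting Blocked Sites list.

    Append mode keeps what is already configured (without duplicates);
    --delete-existent replaces the whole list, so entries that did not come
    from Lumu disappear. Sorted so the result is deterministic.
    """
    if delete_existent:
        return sorted(lumu_hosts)
    return sorted(set(existing) | lumu_hosts)


def run(argv: List[str], adversaries=SAMPLE_ADVERSARIES,
        existing=SAMPLE_EXISTING_BLOCKED_SITES):
    """Parse argv and return (parsed args, planned Blocked Sites list)."""
    args = build_parser().parse_args(argv)
    hosts = select_hosts(adversaries, args.adversary_types)
    return args, plan_blocked_sites(existing, hosts, args.delete_existent)


if __name__ == "__main__":
    base = ["--host", "firebox.example", "--username", "lumu-int",
            "--password", "secret", "--company-key", "KEY"]
    for extra in ([], ["--delete-existent"],
                  ["--adversary-types", "C2C", "--adversary-types", "Mining"]):
        _, planned = run(base + extra)
        print(extra or "(append, all types)", "->", planned)
```

Running the module prints the planned list for the three documented modes; note that the replace run drops legacy-bad.example.com, which is exactly the side effect the warning under the replace task describes.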
Expected results
After running the script, all queried adversaries will be pushed into the Firebox Blocked Sites module. Access attempts to those sites will be blocked and, depending on the module's configuration, logged, alerted, or ignored.
Further considerations
To run the script on a regular basis, consider implementing a scheduled job in Windows or a cron task in Unix-based systems.
Troubleshooting
To identify failures in the script execution, run it with the -v flag, which enables verbose output.