WatchGuard Firebox Firewall Custom Response Integration

Before going through this article, check our Out-of-the-box App Integrations category. This is the recommended way to integrate the components of your cybersecurity stack with Lumu. If the product you are looking to integrate is there, it is advised to use that integration instead.
Because WatchGuard Firebox Firewalls (without Firebox Cloud) do not offer API support, this example emulates the access and configuration steps a regular admin user would carry out to feed URLs into the Blocked Sites option. This integration script is offered as-is. No further support will be provided. Any change in the authentication flow within the WatchGuard Firebox Firewall web console will affect the operation of this script.
This article shows how to leverage the Lumu Defender API and the WatchGuard Firebox Blocked Sites feature to mitigate security risks in the organization’s network.
[Figure] IoC injection from Lumu Defender into WatchGuard Firebox Blocked Sites

Requirements

  1. Fireware OS v12.7 or above. 
  2. Fireware Admin user.
    1. It is recommended to create an admin user exclusively for this integration. This allows having traceability of all actions run by the script in the Firewall logs.
  3. Lumu Defender API key.
  4. Scripting host with Python v3.6+.
    1. The host must be able to reach both the Firebox admin console and Lumu Defender REST API endpoints.
  5. Script package.
    1. Contact the Lumu support team [add link] to request the package we created to deploy the required files.

Deploy the script

First, contact the Lumu Support Team to request the implementation package.

Script location

Unpack the deployment package provided by Lumu in your preferred path/folder. Keep in mind this location, as it will be required for further configurations. From now on, we will refer to this folder as <firebox_lumu_root>.

Install requirements

The file requirements.txt contains the list of prerequisites for this data collector. After deploying the package locally, run the following command from the deployment folder:
[sudo] pip install -r ./requirements.txt

Script details

To run the script, you must locate yourself on the path selected for deployment (<firebox_lumu_root>). Use the following command to show all options available for the package:

python lumu-firebox.py --help

Usage: lumu-firebox.py [options]

Options and their description:

  -h, --help
      Show this help message and exit.
  --config CONFIG
      Load options from config file.
  --company-key COMPANY_KEY, --company_key COMPANY_KEY
      Lumu Company Key (Defender API).
  --proxy-host PROXY_HOST, --proxy_host PROXY_HOST
      Proxy host (if required).
  --proxy-port PROXY_PORT, --proxy_port PROXY_PORT
      Proxy port (if required).
  --proxy-user PROXY_USER, --proxy_user PROXY_USER
      Proxy user (if required).
  --proxy-password PROXY_PASSWORD, --proxy_password PROXY_PASSWORD
      Proxy password (if required).
  --logging {screen,file}
      Logging option (default screen).
  --verbose, -v
      Verbosity level.
  --host HOST
      Firebox hostname or IP.
  --port PORT
      Firebox administration port (default 8080).
  --user USERNAME, --username USERNAME
      Firebox administration user (must have 'readwrite' privileges).
  --password PASSWORD
      Firebox password.
  --domain DOMAIN
      Firebox authentication server.
  --adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing}, --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}
      Lumu adversary types to be filtered.
  --delete-existent, --delete_existent
      Delete existent blocked sites from configuration.

Usage examples

Task: Retrieve all Lumu detected adversaries from the last 30 days and push them into Firebox Blocked Sites
Use the following command to fetch and push all adversaries detected by Lumu in the last 30 days to Firebox Blocked Sites.
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key>
In this mode, the script will append new adversaries to the existing blocked sites list.
Task: replace existing blocked sites in Firebox configuration
Use the following command to replace existing Firebox blocked sites with all adversaries detected by Lumu in the last 30 days.
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key> --delete-existent
If you have blocked sites recorded from sources other than Lumu, these will be deleted as well.
Task: fetch Lumu detected adversaries filtering by type
To specify the types of adversaries you want to filter in your queries, you can use the option --adversary-types ADVERSARY-TYPE. If you need to set more types of adversaries, you can repeat the option as follows:
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key> --adversary-types C2C --adversary-types Mining
In this example, the script will fetch Lumu detected adversaries of types C&C and Mining.
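The two push modes above (append by default, replace with --delete-existent) and the --adversary-types filter determine exactly which Blocked Sites entries end up on the Firebox. The following Python is an added example, not code from the Lumu package or from WatchGuard: it models those semantics so an operator can preview what a run would add and, in replace mode, which manually recorded sites would be lost. The sample adversary records and the existing blocked-sites list are constructed, and the "host"/"type" field names are assumptions for illustration, not the Lumu Defender API's actual response format.

```python
"""Preview what lumu-firebox.py's append / --delete-existent modes would change.

Added example only: it does not talk to Lumu or to the Firebox. The record
layout ("host", "type") is a hypothetical simplification of the Defender API.
"""
import ipaddress
from typing import Dict, Iterable, List

# Adversary types accepted by the script's --adversary-types option (from its help text).
ADVERSARY_TYPES = {"C2C", "Malware", "DGA", "Mining", "Spam", "Phishing"}

# Constructed sample data: entries already present in the Firebox Blocked Sites
# list (one added by hand, one CIDR) and a batch of Lumu detections.
EXISTING_BLOCKED_SITES = ["198.51.100.7", "Corp-Blocklist.Example.", "203.0.113.0/24"]
LUMU_ADVERSARIES = [
    {"host": "c2.bad.example", "type": "C2C"},
    {"host": "miner.bad.example.", "type": "Mining"},
    {"host": "198.51.100.7", "type": "Malware"},
    {"host": "login.phish.example", "type": "Phishing"},
]


def validate_adversary_types(types: Iterable[str]) -> List[str]:
    """Reject unknown types early (the script's argparse choices do the same) and de-duplicate."""
    unique: List[str] = []
    for t in types:
        if t not in ADVERSARY_TYPES:
            raise ValueError(f"unknown adversary type {t!r}; expected one of {sorted(ADVERSARY_TYPES)}")
        if t not in unique:
            unique.append(t)
    return unique


def normalize_site(value: str) -> str:
    """Canonical form so 'Evil.Example.' and 'evil.example' compare equal.

    IP addresses and CIDR blocks are canonicalised through the ipaddress module;
    hostnames are lower-cased with any trailing dot removed.
    """
    v = value.strip()
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        pass
    try:
        return str(ipaddress.ip_network(v, strict=False))
    except ValueError:
        return v.lower().rstrip(".")


def filter_adversaries(adversaries: Iterable[Dict[str, str]], types: Iterable[str]) -> List[Dict[str, str]]:
    """Apply --adversary-types; an empty selection means 'all types', as when the option is omitted."""
    wanted = set(validate_adversary_types(types))
    return [a for a in adversaries if not wanted or a["type"] in wanted]


def plan_push(existing: Iterable[str], adversaries: Iterable[Dict[str, str]],
              types: Iterable[str] = (), delete_existent: bool = False) -> Dict[str, List[str]]:
    """Return the sites a run would add, the sites it would remove, and the resulting list.

    Append mode keeps everything already on the Firebox; --delete-existent
    replaces the whole list, so every entry not in the Lumu batch is removed.
    """
    current = {normalize_site(s) for s in existing}
    incoming = {normalize_site(a["host"]) for a in filter_adversaries(adversaries, types)}
    added = incoming - current
    removed = (current - incoming) if delete_existent else set()
    final = incoming if delete_existent else (current | incoming)
    return {"added": sorted(added), "removed": sorted(removed), "final": sorted(final)}


if __name__ == "__main__":
    for label, kwargs in [("append, all types", {}),
                          ("replace, C2C + Mining", {"types": ["C2C", "Mining"], "delete_existent": True})]:
        plan = plan_push(EXISTING_BLOCKED_SITES, LUMU_ADVERSARIES, **kwargs)
        print(f"{label}: +{plan['added']} -{plan['removed']}")
```

Run it before a real --delete-existent invocation: the "removed" list is exactly the set of non-Lumu entries the page warns will be deleted, and an empty "removed" list confirms that append mode is safe for a list that also carries manually curated sites.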

Task: save log output to file
Use the argument --logging file to store a record of all tasks that have been run since the script was executed for the first time. With this option, the entire script output is redirected to a file named lumu.log in the script's root path (<firebox_lumu_root>).
python lumu-firebox.py --host <firebox-host> --username <firebox-username> --password <firebox-password> --company-key <lumu-defender-api-key> --logging file

Other tasks
The above samples can be combined according to your needs.

Expected results

After running the script, all queried adversaries will be pushed into the Firebox Blocked Sites module. All the access attempts will be blocked and, based on the module's configuration, they will be logged, alerted, or ignored.

Further considerations

To run the script on a timely basis, consider implementing a Scheduled job in Windows or a cron task in Unix-based systems.

Troubleshooting

To identify failures in the script execution, run it with the -v flag so that the output includes the detailed error information.