Watchguard Firebox Out-of-the-Box Response Integration

This article describes the required procedure to integrate Watchguard Firebox with Lumu for automated response procedures. This is one of our featured Out-of-the-Box Response Integrations.

Requirements

  • A Watchguard Firebox Firewall operating on Fireware OS v12.7.1 or above
  • An active Lumu Defender Subscription or a Lumu MSP Account.
  • A Docker-enabled host with Internet visibility over Lumu and the Watchguard Firebox Firewall

Preliminary Setup - Watchguard Firebox

In order to set up the integration, you will need to prepare Watchguard Firebox to communicate with the Lumu integration. To do this, you will need to have the following items:
  • Encryption Keys
    • Public Encryption Key
    • Private Encryption Key.
    • Both are generated in the same step of this guide.
  • OpenSSL
  • API Key
In the following steps, you will find how to obtain all four of these requirements.

Encryption Keys

The Watchguard Firebox Out-of-the-Box response integration uses asymmetric encryption keys to secure integration configuration data. The Lumu Portal will ask you for a public key as part of the configuration process.
To generate the keys you will need to have OpenSSL installed. Follow the steps in the next section to install the required tools if needed, and then generate the required keys.
Notes
You can use an existing public key to configure the integration. Make sure you have access to the matching private key. Both are required to successfully complete the configuration process.

Install OpenSSL

Notes
Most Unix-based systems already have openssl installed. If this is your case, you can jump forward to the Generate the encryption keys section.
Follow the instructions given for your operating system below.

Windows systems

Notes
If you already have OpenSSL installed in your Windows system, you can skip forward to the Generate the encryption keys section.
If you don’t have OpenSSL installed on your Windows system, you can use the WinGet command line tool to install it. Follow these instructions to install OpenSSL on Windows:
1. Open a Command Prompt with Administrator privileges. To do so, open your Start menu and search for “cmd”. The “Command Prompt” app will appear. Choose “Run as administrator” from the panel on the right.

2. Once in the Command Prompt, run the following command and follow the on-screen instructions:
winget install -e --id ShiningLight.OpenSSL.Light

3. Open your system settings by opening your Start menu and searching for System Settings. The View Advanced System Settings app will appear. Click on it.

4. A window with five tabs will appear. The Advanced tab should be currently active. If not, click on it. Then, once you’re on the Advanced tab, click on the Environment Variables button in the lower right corner.

5. A window will appear with two fields. What you need for the following step is found in the field located on the lower half, System Variables. This field has two columns, Variable and Value. Using the Variable column, locate the Path variable and double click on it. The Edit environment variable window will appear.

6. In the Edit Environment Variable window that just opened, click on the New button to add a new variable record. In the text field that requests your input, copy and paste the following value:
%PROGRAMFILES%\OpenSSL-Win64\bin

Finish by clicking the OK buttons until you reach the Settings window again.

7. To test the installation, open a new Command Prompt window and run the openssl command. You must get the following:

Unix-based systems

Most Unix-based distributions have OpenSSL installed. If your system doesn’t have it, you can install it using the package manager of your operating system by installing the openssl package.
To check whether your Unix-based distribution has OpenSSL installed, use your distribution’s package manager. To check this in Ubuntu, input the following command:

sudo apt list openssl

If you see the word installed between brackets at the end of the line, OpenSSL is already installed.

If your distribution doesn’t already have OpenSSL, use your package manager to install it. In Ubuntu, run the following commands:

sudo apt update
sudo apt install openssl -y

Generate the encryption keys

To configure the integration you will need to generate a new encryption key pair, public and private. These keys will be stored in a .pem file that will be created in the same folder your command prompt is in when you run the command. In the following example, the .pem file would be created in the Util folder under the H drive.

You will need to input these commands in a Command Prompt on Windows systems or a Terminal in Unix-based systems.
1. First, generate the private key; it is needed to derive the public key. Run the following command:
openssl genrsa -out PRIVATE_KEY.pem [KEY_LENGTH]

Replace the placeholders as follows:

PRIVATE_KEY is the name of the .pem file where the private key will be stored.
KEY_LENGTH is the length of the generated key in bits. The recommended minimum is 2048.

2. Now, generate the public key using the private key. To do so, run the following command:
openssl rsa -in PRIVATE_KEY.pem -pubout -out PUBLIC_KEY.pem

Replace the placeholders as follows:

PRIVATE_KEY is the name of the .pem file where the private key was stored. It is the same name as in the previous step.
PUBLIC_KEY is the name of the .pem file where the public key will be stored.
Notes
Store the keys in a safe place. Both keys are required to configure the integration and for its proper operation.
Notes
The .pem files can be opened in a text editor to access the key stored within.
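The two openssl commands above, wrapped in a small POSIX shell script that also checks what the notes require: that the public key is the counterpart of the private key, that the key meets the 2048-bit minimum, and that the private key file is readable only by its owner. This is an added example, not part of the Lumu article; the file names are constructed, and the script assumes openssl, sed and ls are available on a Unix-based system.

```shell
#!/bin/sh
# Added example, not part of the Lumu article. Runs the two commands from the
# "Generate the encryption keys" section and verifies the resulting pair.
# File names below are constructed for this example.
set -eu

# Steps 1 and 2 of the article. The umask keeps the private key readable
# only by the account that generated it (mode 0600).
generate_keypair() {            # $1 private key file, $2 public key file, $3 bits
  ( umask 077 && openssl genrsa -out "$1" "$3" 2>/dev/null )
  openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# RSA modulus as hex. A public key belongs to a private key exactly when
# both carry the same modulus.
private_modulus() { openssl rsa -in "$1" -noout -modulus | sed 's/^Modulus=//'; }
public_modulus()  { openssl rsa -pubin -in "$1" -noout -modulus | sed 's/^Modulus=//'; }

# Returns 0 when $2 (public) is the counterpart of $1 (private), 1 otherwise.
keys_match() { [ "$(private_modulus "$1")" = "$(public_modulus "$2")" ]; }

# Key length in bits: four bits per hex digit, and genrsa sets the top bit,
# so the hex length reflects the requested size exactly.
key_bits() { m=$(private_modulus "$1"); echo $(( ${#m} * 4 )); }

# Returns 0 when the private key file is mode 0600 (no group/world access).
private_key_is_private() { [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]; }

PRIVATE_KEY=lumu_watchguard_private.pem   # constructed name
PUBLIC_KEY=lumu_watchguard_public.pem     # constructed name
generate_keypair "$PRIVATE_KEY" "$PUBLIC_KEY" 2048

if keys_match "$PRIVATE_KEY" "$PUBLIC_KEY" \
   && [ "$(key_bits "$PRIVATE_KEY")" -ge 2048 ] \
   && private_key_is_private "$PRIVATE_KEY"; then
  echo "OK: $PUBLIC_KEY is the counterpart of $PRIVATE_KEY ($(key_bits "$PRIVATE_KEY") bits)"
else
  echo "Key pair check failed; do not upload $PUBLIC_KEY to the Lumu Portal" >&2
  exit 1
fi
```

Run the same keys_match check against an existing pair before reusing it in the portal, since the configuration cannot complete if the uploaded public key does not belong to the private key you hold.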

Configure Watchguard Firebox

The integration requires a Watchguard Firebox Firewall user with the Device Administrator role to push IOCs into the Firewall.
We strongly recommend creating a dedicated user, separate from the box admin user, so that the integration’s actions can be audited on their own. For further reference on how to create this user, follow the Manage Users and Roles on Your Firebox documentation.

Integration Setup - Lumu Portal

This section of the article describes the steps that must be completed on the Lumu Portal to properly set up the Watchguard Firebox Integration. To start, log into your Lumu account through the Lumu Portal.
Notes
Integrations are also available for Lumu MSP accounts. To access them, log into the Lumu MSP Portal.
1. In the Lumu Portal, head to the panel on the left and open the Integrations drop-down menu. Then, click on Apps. Click on the Response tab on the right to filter the available integrations accordingly.

2. Locate the Watchguard Firebox integration. The list is organized in alphabetical order from A to Z. Click on the Add button.


3. Familiarize yourself with the integration details in the app description and click the Activate button to activate the integration.


4. Provide a meaningful Name. Under Threat Types, choose the specific threat mappings you want to push to Watchguard Firebox. Select the option Include IP Indicators to include IP addresses in the information sent to your feed list. When done, click on the orange Next button.
Notes
If you leave the Include IP Indicators option unselected, you won’t be able to change it later. You will need to remove the integration and repeat all the steps again.
Notes
Please note that the information on this screen cannot be modified after the integration is created. Exercise caution when selecting Threat Types, as changes cannot be made later.

5. In the next window you will need to enter the Public Key generated in Step 2 of the Generate the encryption keys section. You can do so in two different ways:
a. You can open the .pem file you generated in a text editor and copy and paste its contents into the text field.
b. You can upload it directly. To do so, click on the Upload from your device button under the text field. Head to the location where you stored the .pem file to do so.
This will be used by Lumu to safely store the secrets related to the integration. Click the orange Next button to continue.

Notes
This public key must be the counterpart of the private key you will use in later steps of the configuration process.
6. The next window will ask you to fill in the following information in order to connect to your Watchguard Firebox Firewall:
a. User Name: The user the integration will use to manage the IOCs in your Firewall. This is the user defined in the Configure Watchguard Firebox section of this guide.
b. Passphrase: The password of the user above.
c. Authentication Server: The authentication server the integration will use to log into the Firewall. You have three options here:
  • For the default method, use Firebox-DB.
  • For LDAP authentication, use LDAP.
  • For Active Directory type the name of your domain following the format 'PREFIX.SUFFIX'
d. Firewall URL: The Web Administration access URL.

7. The integration is now created and active. The Lumu Portal will display the details of the created integration:

Deploy and configure the integration component

Now, it is time to deploy and configure the Watchguard Integration component. You can find detailed instructions on how to deploy it in our Dockerhub repository.

Final Steps - Validate the Integration on the Watchguard Firewall

You can validate that the integration is functioning properly in the Watchguard Firewall. Detailed instructions for both management methods are provided. Choose the one that best suits your needs.

Validate the Integration using the Fireware Web UI

When the integration is working correctly, the Firewall > Blocked Sites list in your Watchguard Firebox Firewall will be updated with confirmed compromises detected since the integration was activated and the integration component was deployed and became operative. You can obtain this information by following these steps:
1. In your Watchguard Fireware Web UI, under the FIREWALL section, click on Blocked Sites.

2. The Blocked Sites list will be updated with confirmed compromises detected since the integration was activated and the integration component was deployed and became operative.

Validate the Integration using the Watchguard System Manager

1. Click on the Blocked Sites tab in your Watchguard System Manager window.

2. The Blocked Sites list will be updated with confirmed compromises detected since the integration was activated and the integration component was deployed and became operative.
