Watchguard Firebox Out-of-the-Box Response Integration

Watchguard Firebox Out-of-the-Box Response Integration

Requirements

  • A Watchguard Firebox Firewall operating on Fireware OS v12.7.1 or above
  • An active Lumu Defender Subscription
  • A Docker-enabled host with Internet visibility over Lumu and the Watchguard Firebox Firewall

Create encryption keys

The Watchguard Firebox Out-of-the-Box response integration operates with asymmetric encryption keys to secure integration configuration data. The Lumu Portal will ask you for a public key as part of the configuration process. Follow these steps to install the required tools and generate the required keys.

You can use an existing public key to configure the integration. Make sure you have access to the matching private key. This key will be used later in the configuration process.

Install OpenSSL

Most Unix-based systems already have openssl installed. If this is your case, you can proceed with the Create encryption keys section.

Follow the instructions given for your operating system below.

Windows systems

If you don’t have OpenSSL installed on your Windows system, you can use the WinGet command line tool to install it. Follow these instructions to install OpenSSL on Windows:

1. Open a Command prompt. Run the following command and follow the on-screen instructions

winget install -e --id ShiningLight.OpenSSL.Light

2. Open your system settings. Navigate to System > About > Advanced System Settings. Click on the Environment Variables button in the System Properties window.

3. Double-click on the System variables > Path section in the Environment Variables window. The Edit environment variable window will appear

4. Click on the New button to add a new variable record. Copy and paste the value %PROGRAMFILES%\OpenSSL-Win64\bin. Finish by clicking the OK buttons until you reach the Settings window again.

To test the installation, open a new Command prompt window and run the openssl command. You must get the following:

Unix-based systems

Most Unix-based distributions have OpenSSL installed. If your system doesn’t have it, you can install it using the package manager of your operating system. Just install the openssl package.

Create encryption keys

To generate a new encryption key pair, public and private, follow these instructions on a Command prompt on Windows systems or a Terminal in Unix-based systems.

1. Generate the private key. Run the following command:

openssl genrsa -out PRIVATE_KEY.pem [KEY_LENGTH]

Where:

PRIVATE_KEY is the name of the private key file
KEY_LENGTH is the length of the generated key. The recommended value is minimum 2048

2. Generate the public key using the private key. Run the following command:

openssl rsa -in PRIVATE_KEY.pem -pubout -out PUBLIC_KEY.pem

Where:
PRIVATE_KEY is the name of the private key file
PUBLIC_KEY is the name of the public key

Store both keys in a safe place. Both keys are required to configure the integration and for its proper operation.

Configure Watchguard Firebox

The integration requires a Watchguard Firebox Firewall user with the Device Administrator role to push IOCs into the Firewall. We strongly recommend you create a new user besides the box admin user. You can use this for auditing purposes. For further reference on how to create this user, follow the Manage Users and Roles on Your Firebox documentation.

Add Integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the available apps screen.

2. Locate the Watchguard Firebox integration in the available apps area and click on the Add button

3. Familiarize yourself with the integration details in the app description and click the Activate button to activate the integration.

4. In the integration window, provide a meaningful Name and select the Threat Types. Choose the option Include IP indicators to include IP addresses in your feed list (If you leave this option unselected, you won't be able to change it later, even in editing). Go ahead and click the Next button.

Please note that you cannot modify the information on this screen. Exercise caution when selecting Threat Types, as changes cannot be made later.

5. Paste or upload the public key generated in the previous steps. This will be used by Lumu to safely store the secrets related to the integration. Click the Next button to continue.

This public key must match the private key you will use in later steps of the configuration process.

6. Finally, fill in the information to connect to your Watchguard Firebox Firewall as follows:


User Name: the user the integration will use to manage the IOCs in your Firewall.
Passphrase: the password of the user above.
Authentication Server: The authentication server the integration will use to log into the Firewall. For the default method, use Firebox-DB. For LDAP authentication, use LDAP. For Active Directory type the name of your domain following the format 'PREFIX.SUFFIX'

7. The integration is now created and active. Now, the Lumu Portal will display the details of the created integration:

The Firewall > Blocked Sites list in your Watchguard Firebox Firewall will be updated with confirmed compromises detected since the integration is activated and the integration component is deployed and operative.

Deploy and configure the integration component

Now, it is time to deploy and configure the Watchguard Integration component. You can find detailed instructions on how to deploy it in our Dockerhub repository.


        • Related Articles

        • WatchGuard Firebox Firewall Custom Response Integration

          Due to the lack of API support of WatchGuard Firebox Firewalls (without Firebox Cloud), this example emulates the access and configuration steps a regular admin user would run to feed URLs into the Blocked Sites option. This integration script is ...
        • Cisco Firepower Out-of-the-box Response Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. In this article, you will find out how to configure Cisco Firepower to receive and block adversaries detected by Lumu and improve the detection & ...
        • Trend Vision One Out-of-the-Box Response Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. Requirements Trend Vision One Make sure you read the Suspicious Object Management article on the Trend Micro documentation thoroughly to ensure a smooth ...
        • Harmony Endpoint Out-of-the-Box Response Integration

          Requirements An active Harmony Endpoint Basic or above subscription An account with administrative privileges that allows you to access the Infinity Portal and manage API keys for the Endpoint service. An active Lumu Defender subscription Create API ...
        • Juniper SRX Firewall Out-of-the-box Response Integration

          To learn more about Out-of-the-box Integrations and their benefits, please refer to this article. In this article, you will find out how to configure Juniper SRX Firewall to receive and block adversaries detected by Lumu and improve the detection & ...