Introduction
This document explains how to integrate Logsign with Barracuda CloudGen Firewall responses. Once the procedures outlined here are completed, Logsign, a security event and incident management system, will be able to communicate with Barracuda CloudGen Firewall. The steps cover configuring settings, establishing the connection, and creating rules or triggers in Logsign so that block or unblock operations can be performed on Barracuda CloudGen Firewall.
Qualification
The Barracuda CloudGen Firewall product offers API support, allowing integration processes to be facilitated through APIs.
As depicted in the above diagram, when a malicious event occurs, you can initiate blocking of the IP addresses deemed harmful either through alarm automation or from the incident management area. The steps to enable blocking are outlined below.
Requirements
- Barracuda CloudGen Firewall v8.0 / v8.2 / v8.3 / v9.0
- Logsign 6.4.7+
Integration
When Logsign is integrated with Barracuda, it can block or unblock an IP address. To block, Logsign adds the IP address to one of the Custom External Object lists in Barracuda. These lists are then referenced by firewall rules in Barracuda, which is what automates the blocking.
Use Cases Of The Integration
- Blocking any IP address (Method 1)
- Removing a blocked IP with Logsign (Method 2)
Compatibility
The integration does not support versions below 8.0 and has not been tested on versions 9 and above.
Compatibility Versions (table not reproduced)
Barracuda CloudGen Firewall Configuration
In Barracuda, blocking works by posting IP addresses into a Custom External Network Object, which adds them to that object's list. Automation is achieved by referencing this custom external network object in a firewall rule, so that every address on the list is blocked by that rule.
The Barracuda Firewall Admin agent facilitates the following operations:
Operations performed through the API require an authentication token. Tokens are generated on a per-user basis.
Configuration -> Configuration Tree -> Box (Expand) -> Administrators
So that our changes are not affected by other operations, we click the Lock button.
We define the marked values and fill in the remaining fields according to the organization's security policy. Afterward, we apply the changes by clicking the OK, Send Changes, and Active buttons.
We open the Configuration -> Configuration Tree -> Box (Expand) -> Infrastructure Services -> REST API Service section.
We lock this section as well.
If the API service and "Bind to Management IPs" are not enabled, we enable them.
We proceed to the Access Tokens section to generate the token.
We note the token value, close the window with OK, and apply the changes using the Send Changes and Active buttons.
Token : iE8Na3fB5FJ47oMm7K0T93rbeqEdy06v
This completes the configuration required on the Barracuda CloudGen Firewall side.
To check the IP addresses that Logsign has added, on the firewall:
The IP addresses and networks in custom external network objects are not displayed on the CONFIGURATION > Configuration Tree > Box > Assigned Services > Firewall > Firewall Rules page. Go to FIREWALL > Forwarding Rules directly on the firewall to see the content of the dynamic network objects.
Limitation
Custom External Network Objects
- IP addresses must be written in CIDR notation.
- Each IP address must be entered in a separate line.
- Limited to 10,000 IP addresses per file.
- The file used for importing IP addresses must be encoded in ASCII or at least UTF-8. Importing files encoded in UTF-8-BOM will not work.
Custom External Object Number
For Block and Unblock operations, the object that receives the IP address is one of four by default: CustomExternalObject1, CustomExternalObject2, CustomExternalObject3, and CustomExternalObject4. One of these object numbers must be chosen. This is requested as an input because each external object is limited to 10,000 entries; once that limit is reached, the target object can be switched to another number.
In addition to these, you can define different rules for these objects within the firewall. For example, you can use object 2 for blocking DDoS IPs and object 1 for malicious IPs.
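The list-format limitations above and the per-object 10,000-entry limit are the two things a response integration must check before pushing addresses. The following Python is an added example, not Logsign's or Barracuda's own code: it normalises a batch of addresses into CIDR notation, one per line, deduplicates them, refuses a batch that would push the chosen CustomExternalObject over 10,000 entries, emits plain UTF-8 with no BOM, and can also audit a file prepared elsewhere. The function names, the sample addresses (RFC 5737/3849 documentation ranges) and the `existing_count` parameter are assumptions made for this example; how the bytes are then sent to the firewall is outside its scope.

```python
import ipaddress

# Limits quoted from the Barracuda CloudGen Firewall documentation above.
MAX_ENTRIES_PER_OBJECT = 10_000
VALID_OBJECT_NUMBERS = (1, 2, 3, 4)   # CustomExternalObject1 .. CustomExternalObject4
UTF8_BOM = b"\xef\xbb\xbf"


def normalize_to_cidr(entry: str) -> str:
    """Return one host or network in CIDR notation, or raise ValueError.

    A bare host ('203.0.113.5') becomes a /32 (or /128 for IPv6);
    strict=False turns a host-with-prefix such as 10.0.0.5/24 into
    its network 10.0.0.0/24 instead of rejecting it.
    """
    return str(ipaddress.ip_network(entry.strip(), strict=False))


def build_object_file(entries, existing_count=0, object_number=1):
    """Validate and serialise entries for one CustomExternalObject<N> list.

    existing_count is the number of entries already in that object
    (an assumption of this example; obtain it from the firewall).
    Returns (object_name, file_bytes, accepted_entries) or raises ValueError
    when the object number is invalid or the 10,000-entry limit would be hit.
    """
    if object_number not in VALID_OBJECT_NUMBERS:
        raise ValueError(f"object number must be one of {VALID_OBJECT_NUMBERS}")
    accepted, seen = [], set()
    for raw in entries:
        cidr = normalize_to_cidr(raw)   # raises on garbage such as 'not-an-ip'
        if cidr not in seen:            # an IP that is already listed is not re-added
            seen.add(cidr)
            accepted.append(cidr)
    total = existing_count + len(accepted)
    if total > MAX_ENTRIES_PER_OBJECT:
        raise ValueError(
            f"CustomExternalObject{object_number} would hold {total} entries; "
            f"limit is {MAX_ENTRIES_PER_OBJECT}, choose another object number")
    # One entry per line, plain UTF-8 (pure ASCII for IP literals), no BOM.
    data = ("\n".join(accepted) + "\n").encode("utf-8")
    return f"CustomExternalObject{object_number}", data, accepted


def check_import_file(data: bytes) -> list:
    """Audit an import file before pushing it; returns a list of problems (empty = OK)."""
    problems = []
    if data.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 BOM; Barracuda will not import it")
        data = data[len(UTF8_BOM):]
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return problems + ["file is not valid UTF-8"]
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_ENTRIES_PER_OBJECT:
        problems.append(f"{len(lines)} entries exceed the limit of {MAX_ENTRIES_PER_OBJECT}")
    for n, ln in enumerate(lines, 1):
        if "/" not in ln:
            problems.append(f"line {n}: '{ln}' is not in CIDR notation")
            continue
        try:
            ipaddress.ip_network(ln, strict=False)
        except ValueError:
            problems.append(f"line {n}: '{ln}' is not a valid network")
    return problems


if __name__ == "__main__":
    # Constructed sample: what an alarm might hand to the block response.
    sample = ["203.0.113.5", "198.51.100.0/24", "203.0.113.5", "2001:db8::1"]
    name, payload, accepted = build_object_file(sample, existing_count=0, object_number=2)
    print(name, accepted)
    print(payload.decode(), end="")
    print(check_import_file(UTF8_BOM + b"10.0.0.1\n"))
```

Because the object number is an input to the response, the same function can be pointed at object 1 for malicious IPs and object 2 for DDoS sources, as the text suggests; the capacity check is what tells you when it is time to switch numbers.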
Including the List in the Rule on Barracuda CloudGen Firewall
If you are implementing this step to automate blocking, proceed with caution: we advise against automated block operations on alarms with a high false positive rate.
Configuration -> Configuration Tree -> Box (Expand) -> Assigned Services -> NGFW -> Forwarding Rules
Ensure that you have locked it.
Once you've defined the firewall rule according to your company policy, you can complete the automation process by selecting "Send Changes -> Active".
Logsign Responses Configuration
1- A user with admin authority logs in to Logsign.
Settings -> Responses -> Configure
After filling in the information, click the Test button. Once you receive a Success confirmation, finalize the process by clicking the Create button.