This program automates configuration of a SonicWall firewall via the SonicOS TI API. Currently it only inserts IPs from our Azure Sentinel TI pool. The program is triggered by listening to a topic on a message provider (currently only Azure Service Bus).

The app is bundled with the runtime environment and does not need any installation. However, if you want to install it as a service/daemon, follow the instructions in the next sections.
## Windows

- Grab the latest Windows release and place it in a folder together with the `appsettings.json`.
- Configure the appsettings to your liking.
- Run `FirewallBlocker.exe`.

### Windows service

- Use `sc.exe` (Windows Service Control Manager) to create a Windows service (note that `sc.exe` requires the space after `binpath=`):

```
sc.exe create "Firewall Blocker" binpath= "C:\Path\To\FirewallBlocker.exe --contentRoot C:\Path\To\appsettings.json"
```

- More info can be found here.
## Linux

- Grab the latest release and place it in a folder together with the `appsettings.json`.
- Configure the appsettings to your liking.
- Make the `FirewallBlocker` file executable with `chmod +x FirewallBlocker`.
- Run the executable.

### systemd service

- After downloading the file, create a user to run the service.
- Finally, create the `fw_blocker.service` file inside `/etc/systemd/system/`.
- Use the following template as input for your `fw_blocker.service` file.
```ini
[Unit]
Description=ingest_threat_intel
After=network.target

[Service]
User=USER_ID
Group=GROUP_ID
ExecStart=/Location/Of/Executable/FirewallBlocker
Type=notify
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```
## Configuration

Template for the `appsettings.json`:

```jsonc
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    },
    // Only needed if running on Windows
    "EventLog": {
      "SourceName": "Firewall Blocker",
      "LogName": "Application",
      "LogLevel": {
        "Default": "Information",
        "Microsoft": "Information",
        "Microsoft.Hosting.Lifetime": "Information"
      }
    }
  },
  "FirewallConfig": {
    "SonicWalls": [
      {
        "FireWallEndpoint": "https://firewall:8443",
        "Username": "USERNAME",
        "Password": "PASSWORD",
        "ValidateSSL": true
      }
    ]
  },
  // SourceConfig is used to specify where your TI comes from.
  "SourceConfig": {
    // CSVConfig is used to ingest a CSV file
    "CSVConfig": {
      "URI": "",
      "AuthValue": "",
      "AuthSchema": "Bearer",
      "ValidateSSL": true,
      "MaxCount": 100,
      "SortBy": [
        "SCORE",
        "TIME"
      ],
      // The schema of the CSV.
      // WARNING: It is currently not supported to use a CSV file with no headers!
      "Schema": [
        {
          "Name": "IP",
          "CSVType": "IP"
        },
        {
          "Name": "Score",
          "CSVType": "SCORE"
        },
        {
          "Name": "Time",
          "CSVType": "TIME"
        }
      ]
    },
    "ThreatIntelApiConfig": {
      "ClientId": "",
      "TenantId": "",
      "ClientSecret": "",
      "WorkspaceId": "",
      "MinConfidence": 25,
      "ExclusionListAlias": "",
      "IPv4CollumName": ""
    }
  },
  "AppConfig": {
    "SiteName": "TestSite"
  },
  "ServiceBusConfig": {
    "ConnectionString": "CONNECTION_STRING"
  },
  "AllowedHosts": "*",
  "Kestrel": {
    "Endpoints": {
      "Http": {
        "Url": "http://0.0.0.0:80"
      },
      "HttpsDefaultCert": {
        "Url": "https://0.0.0.0:443"
      }
    },
    "Certificates": {
      "Default": {
        "Path": "cert.pem",
        "KeyPath": "key.pem"
      }
    }
  }
}
```
To see the configuration for the SonicWall you can look at this link: SonicOS TI API.

Kestrel is the HTTP server used by ASP.NET. The template above binds to all interfaces (`0.0.0.0`); you can change the given configuration to limit it to a specific interface or add custom certificates. Full configuration documentation can be found here. The list of IP addresses is served on the interface and port specified in the `Url` configuration.
## A few things you should know

- At the moment collecting the TI from the Graph API does not work.
- It is not recommended to set `MinConfidence` to 0 (a lot of IPs will be given).
- The CSV source must have headers, and they need to be defined in the `Schema` section.
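Added here as an example (not part of the FirewallBlocker project): a small Python check that applies the caveats above to an `appsettings.json` before it is deployed. It assumes the key names shown in the template and runs against a constructed sample configuration.

```python
"""Added example (not FirewallBlocker code): lint an appsettings.json against the README caveats."""
import json
import re

# Constructed sample mirroring the README template, with several weak settings.
SAMPLE_APPSETTINGS = """{
  "FirewallConfig": {
    "SonicWalls": [
      {"FireWallEndpoint": "http://firewall:8443", "Username": "admin",
       "Password": "PASSWORD", "ValidateSSL": false}
    ]
  },
  "SourceConfig": {
    "CSVConfig": {"URI": "https://ti.example/feed.csv", "ValidateSSL": true,
                  "MaxCount": 100, "SortBy": ["SCORE", "TIME"],
                  "Schema": [{"Name": "Score", "CSVType": "SCORE"}]},
    "ThreatIntelApiConfig": {"MinConfidence": 0, "ClientSecret": ""}
  }
}"""


def lint_appsettings(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    # appsettings.json may carry // comments (as the README template does);
    # strip whole-line comments so the standard json module can parse it.
    cfg = json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))
    findings = []
    for i, fw in enumerate(cfg.get("FirewallConfig", {}).get("SonicWalls", [])):
        if not fw.get("FireWallEndpoint", "").lower().startswith("https://"):
            findings.append(f"SonicWalls[{i}]: endpoint is not https")
        if fw.get("ValidateSSL") is not True:
            findings.append(f"SonicWalls[{i}]: ValidateSSL is disabled")
        if fw.get("Password") in ("", "PASSWORD"):
            findings.append(f"SonicWalls[{i}]: placeholder or empty password")
    src = cfg.get("SourceConfig", {})
    csv = src.get("CSVConfig", {})
    if csv.get("URI"):  # CSV source is in use, so its Schema must be complete
        types = {col.get("CSVType") for col in csv.get("Schema", [])}
        if "IP" not in types:
            findings.append("CSVConfig: Schema has no column with CSVType IP")
        for key in csv.get("SortBy", []):  # each sort key needs a backing column
            if key not in types:
                findings.append(f"CSVConfig: SortBy '{key}' has no Schema column")
    ti = src.get("ThreatIntelApiConfig", {})
    if ti.get("MinConfidence", 25) <= 0:
        findings.append("ThreatIntelApiConfig: MinConfidence is 0 (a lot of IPs will be given)")
    return findings
```

Run it against your real file with `lint_appsettings(open("appsettings.json").read())` and fix every finding before starting the service.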
## To do

- RabbitMQ
- Other TI sources
- Docker image
- Install script
- Fix Graph API
- Support other firewalls