Integrate Barracuda CloudGen
You must have the Firewall integrations license pack to use this feature.
You can integrate Barracuda CloudGen with Sophos Central so that it sends alerts to Sophos.
This integration uses a log collector hosted on a virtual machine (VM). Together they're called an integration appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.
This page describes integration using an appliance on ESXi or Hyper-V. If you want to integrate using an appliance on AWS, see Integrations on AWS.
Key steps
The key steps in an integration are as follows:
- Add an integration for this product. In this step, you create an image of the appliance.
- Download and deploy the image on a VM. This becomes your appliance.
- Configure Barracuda CloudGen to send data to the appliance.
Requirements
Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.
Add an integration
To add the integration, do as follows:
- In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
- Click Barracuda CloudGen.
  The Barracuda CloudGen page opens. You can add integrations here and see a list of any you've already added.
- In Data Ingest (Security Alerts), click Add Configuration.
  Note
  If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.
  Integration setup steps appears.
Configure the appliance
In Integration setup steps, you can configure a new appliance or use an existing one.
We assume here that you configure a new appliance. To do this, create an image as follows:
- Enter an integration name and description.
- Click Create new appliance.
- Enter a name and description for the appliance.
- Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.
- Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the appliance.
  - Select DHCP to assign the IP address automatically.
    Note
    If you select DHCP, you must reserve the IP address.
  - Select Manual to specify network settings.
- Select the Syslog IP version and enter the Syslog IP address.
  You'll need this syslog IP address later, when you configure Barracuda CloudGen to send data to your appliance.
- In Protocol, TCP is pre-selected. You can't change it.
  When you configure Barracuda CloudGen to send data to your appliance, you must make sure it uses the same protocol.
- Click Save.
We create the integration and it appears in your list.
In the integration details, you can see the port number for the appliance. You'll need this later when you configure Barracuda CloudGen to send data to it.
It might take a few minutes for the appliance image to be ready.
Deploy the appliance
Restriction
If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.
Use the image to deploy the appliance, as follows:
- In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
- When the image download finishes, deploy it on your VM. See Deploy an appliance.
Configure Barracuda CloudGen
Now configure Barracuda CloudGen to send alerts to us, using syslog forwarding.
Note
You can configure multiple instances of Barracuda CloudGen to send data to Sophos via the same appliance. After you finish integration, repeat the steps in this section for your other instances of Barracuda CloudGen. You don't need to repeat the steps in Sophos Central.
Enable syslog streaming
Enable syslog streaming on the Barracuda CloudGen Firewall as follows:
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
- Click Lock.
- Set Enable Syslog Streaming to yes.
- Click Send Changes and Activate.
Enable detailed firewall reporting
- Go to Configuration Tree > Infrastructure Services > General Firewall Configuration.
- Click Lock.
- In the left menu, select Audit and Reporting.
- Under Log Policy, set the Activity Log Mode to Log-Pipe-Separated-Key-Value-List.
- Click Send Changes and Activate.
Example output with Log-Pipe-Separated-Key-Value-List:
2024 05 07 10:02:51 +00:00 Info Allow: type=LOUT|proto=TCP|srcIF=dhcp|srcIP=10.0.0.4|srcPort=47542|srcMAC=00:0d:3a:46:14:a3|dstIP=168.63.129.16|dstPort=32526|dstService=|dstIF=|rule=PASSALL|info=0|srcNAT=10.0.0.4|dstNAT=168.63.129.16|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=
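To confirm that the firewall is emitting the pipe-separated key-value format before you rely on the stream, you can parse a captured line. This is an added example, not Sophos or Barracuda code; the header layout and the list of integer fields are assumptions inferred from the single sample line above.

```python
import re
from datetime import datetime

# Sample line copied from the example output on this page.
SAMPLE = (
    "2024 05 07 10:02:51 +00:00 Info Allow: type=LOUT|proto=TCP|srcIF=dhcp|"
    "srcIP=10.0.0.4|srcPort=47542|srcMAC=00:0d:3a:46:14:a3|dstIP=168.63.129.16|"
    "dstPort=32526|dstService=|dstIF=|rule=PASSALL|info=0|srcNAT=10.0.0.4|"
    "dstNAT=168.63.129.16|duration=0|count=1|receivedBytes=0|sentBytes=0|"
    "receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|"
    "content=|urlcat="
)
# Constructed line (not from the page): same header, body without key=value pairs.
NOT_KEY_VALUE = "2024 05 07 10:02:51 +00:00 Info Allow: LOUT TCP 10.0.0.4"

# Assumption: header is "YYYY MM DD HH:MM:SS +HH:MM <severity> <action>: <body>".
HEADER = re.compile(
    r"^(?P<ts>\d{4} \d{2} \d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"(?P<severity>\S+) (?P<action>[^:|=]+): (?P<body>.*)$"
)
# Keys that carry counters or ports in the sample; cast them to int.
INT_KEYS = {"srcPort", "dstPort", "duration", "count", "receivedBytes",
            "sentBytes", "receivedPackets", "sentPackets"}


def parse_activity_line(line):
    """Parse one line; raise ValueError if it is not pipe-separated key=value."""
    match = HEADER.match(line.strip())
    if match is None:
        raise ValueError("unexpected header layout")
    fields = {}
    for pair in match["body"].split("|"):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value pair: {pair!r}")
        if value == "":
            fields[key] = None          # empty values such as "user=" become None
        elif key in INT_KEYS:
            fields[key] = int(value)    # ValueError here also flags a bad line
        else:
            fields[key] = value
    return {
        "timestamp": datetime.strptime(match["ts"], "%Y %m %d %H:%M:%S %z"),
        "severity": match["severity"],
        "action": match["action"],
        "fields": fields,
    }


if __name__ == "__main__":
    event = parse_activity_line(SAMPLE)
    print(event["timestamp"].isoformat(), event["action"], event["fields"]["rule"])
```

A ValueError on lines captured from your own firewall suggests the Activity Log Mode is not set to Log-Pipe-Separated-Key-Value-List.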
Configure logdata filters
Specify the log file types to stream.
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
- In the left menu, select Logdata Filters.
- Click Lock.
- In the Filters table, click "+" to add a new filter.
  The Filters window opens.
- Enter a Name, for example "Sophos MDR integration".
- Click OK.
- In the Data Selection table, add the Top Level Logdata log files to be streamed. You can select:
  - Fatal_log
  - Panic Log
  - Firewall_Audit_Log
  For Firewall_Audit_Log, the firewall audit log must be enabled and configured, and Audit Delivery must be set to Syslog Proxy. See How to Enable the Firewall Audit Log Service.
Configure Sophos as the logstream destination
Configure the firewall to send the syslog stream to Sophos Central.
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
- In the left menu, select Logstream Destinations.
- Click Lock.
- In the Destinations table, click "+" to add a new filter.
  The Destinations page opens.
- Enter a Name and click OK.
- In Logstream Destination, select the name you entered when you configured the logdata filters ("Sophos MDR integration" in our example).
- In Destination IP Address and Destination Port enter the IP address and port you configured in Sophos Central earlier.
- Click Send Changes and Activate.
Configure the logdata stream
Combine the logdata filters and logstream destination to set up a logdata stream.
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
- In the left menu, select Logdata Streams.
- Click Lock.
- In the Streams table, click "+" to add a new syslog stream.
  The Streams window opens.
- Enter a Name. Use the same name used in previous sections ("Sophos MDR integration" in our example).
- Click OK.
- Set Active Stream to yes.
- In the Log Destinations table, click "+" and select the logstream destination you configured earlier.
- In the Log Filters table, click "+" and select the logdata filter you configured earlier.
- Click OK.
- Click Send Changes and Activate.
All logs covered by the logdata filter are now streamed to Sophos.