Skip to content
Find out how we support MDR.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=barracuda-cloudgen-overview

Barracuda CloudGen integration

Log collector Firewall

You can integrate Barracuda CloudGen with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Barracuda CloudGen overview

Barracuda CloudGen Firewall offers comprehensive security solutions for cloud and hybrid networks. The firewall improves site-to-site connectivity and enables uninterrupted access to applications hosted in the cloud. With multi-layered defenses, including advanced threat protection and global intelligence networks, Barracuda ensures real-time protection against diverse cyber threats such as ransomware and zero-day attacks. Deployable across physical and cloud environments, it provides integrated SD-WAN capabilities for seamless connectivity and centralised management tools for simplified deployment and comprehensive network visibility.

Sophos documents

Integrate Barracuda CloudGen

What we ingest

Sample alerts seen by Sophos:

  • Login from IP_ADDRESS: Denied: Firewall Rule RULE
  • rolled out network relevant configuration files
  • Load Config from FILE
  • Plug and Play ACPI device, ID (active)
  • starting vpn client
  • FW UDP Connection Limit Exceeded
  • FW Rule Warning
  • FW Flood Ping Protection Activated

Alerts ingested in full

We advise you to configure the Detailed Firewall Reporting syslog output from Barracuda CloudGen firewall, but this is subject to significant filtering so that it only only processes useful security alerts.

Most alerts are standardised with regex.

Filtering

We currently filter the noisiest alerts. Filters include the following:

  • UDP-NEW\\(Normal Operation,0\\)
  • Session Idle Timeout
  • \\[Request\\] Allow
  • \\[Request\\] Remove
  • \\[Sync\\] Changed: Transport
  • Session PHS: Authentication request from user
  • Tunnel has now one working transport
  • Session -------- Tunnel
  • Abort TCP transport
  • Info CHHUNFWHQ-01 Session
  • : Accounting LOGIN
  • State: REM\\(Unreachable Timeout,20\\)
  • read failed\\(IOStreamSock: Receive\\(\\) end of file\\) closing connection
  • DH attributes found in request, generating new key
  • \\[Sync\\] Changed: Checking Transports
  • State: UDP-FAIL\\(Port Unreachable,3\\)
  • DH key agreement successful
  • Request Timeout \\(HandshakeRequest ReqState=Init RepState=Init\\) -> terminate session
  • \\[Sync\\] Local: Update Transport
  • send fast reply
  • \\[Sync\\] Session Command
  • \\[HASYNC\\] update
  • Transport .* State changed to
  • Accounting LOGOUT
  • TCP.*close on command
  • Rule: Authentication Login
  • Rule: Authentication Logout
  • Error.*Request Timeout
  • Info.*Delete Transport
  • Info.*\\[HASYNC\\]
  • Notice.*\\[HASYNC\\]
  • Warning.*Tunnel Heartbeat failed
  • Info.*Worker Process.*timeout
  • Error.*Operation: Poll.*Timeout
  • Info.*\\(New Request
  • Info.*\\(Normal Operation

Sample threat mappings

We use fields.message for threat mappings where it's present, or look up a code from the info field of standard event types. See Security Events.

"alertType": "=> searchRegexList(fields.message, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) ? searchRegexList(fields.message, [_.referenceValues.code_translation.regex_alert_type, _.globalReferenceValues.code_translation.regex_alert_type]) : fields.message"

Samples:

{"alertType": "Number of child processes automatically set to N based on number of CPU cores and size of RAM", "threatId": "T1057", "threatName": "Process Discovery"}
{"alertType": "found no explicit phase1 aggressive configuration in IP_ADDRESS for client", "threatId": "T1573", "threatName": "Encrypted Channel"}

Vendor documentation