Integrating Stormshield Network Security (SNS)
In order to set up the Stormshield Network Security Collector, follow the procedures below:
To enable Stormshield Network Security (SNS)
To configure Stormshield
To open the ports on the XDR Collector Host
To test the setup
To enable Stormshield Network Security (SNS)
In Barracuda XDR Dashboard, navigate to Administration > Integrations.
On the Stormshield Network Security (SNS) card, click Setup.
Select the Enabled check box.
If the default UDP port set in the integration can’t be forwarded because it is already in use, type a different UDP port number.
Click Save.
To install the XDR Collector
Before integrating Stormshield Network Security (SNS), ensure your XDR Collector is set up and working properly:
https://documentation.campus.barracuda.com/wiki/spaces/SKOUT/pages/6947639
https://documentation.campus.barracuda.com/wiki/spaces/SKOUT/pages/6947951
To configure Stormshield
To configure Stormshield, do the following in Stormshield's web administration interface:
Add a syslog server
Select log types to export
Configure the detail level of logs
Apply syslog to log profiles
Allow traffic to the syslog server
Apply and save the configuration
For security monitoring, in Step 4 below, export the following log types at minimum:
Traffic
Alarm (IPS)
System
Log in to Stormshield's web administration interface.
In the left navigation menu, click Configuration > Notifications > Logs-Syslog-ipfix.
To add a syslog server, click Add or New syslog server, then enter the following:
In Name, XDR_Syslog_Server.
In IP Address, the IP address of your collector.
In Port, 9275.
In Format, Default (RFC3164 or RFC5424 if supported).
NOTE Barracuda recommends RFC5424 for modern logging.
To select the log types to export, under Syslog settings, select the logs you want to send:
Traffic logs (connections, firewall rules)
Alarm logs (IPS, attacks)
VPN logs
System logs
Authentication logs
Filter Policy
To configure the log detail level, navigate to Configuration > Logs > Log settings and do the following:
Set the verbosity to either Normal or Detailed.
NOTE Barracuda recommends Normal. Detailed provides a higher volume of logs.
Enable the following:
Log all connections
Log dropped packets
To apply syslog to log profiles, navigate to Configuration > Security Policy > Filter - NAT, then do the following:
NOTE Stormshield uses log policies tied to rules.
Identify the security rules you want to collect logs for.
Double-click a rule to open its properties.
Click the Action menu or the General tab.
Set the Log level to Standard (connection log).
Click OK and then click Apply at the top of the interface to deploy the policy change.
To allow traffic to the syslog server, add a firewall rule with the following elements:
Source: Firewall
Destination: XDR Syslog server
Service: 9275
To apply and save the configuration, click Apply and save the configuration to persistent storage.
To open the ports on the XDR Collector Host
To ensure traffic is allowed, whitelist the following: tcp://fleet36.ingest.skout-build.com:5046
If you have a firewall protecting your collector, ensure that it allows incoming traffic on the TCP port. Do this for all ports of the feeds configured for Stormshield Network Security (firewall, alerts, etc.).
Ensure you open the UDP port used in step 4 of To enable Stormshield Network Security (SNS) above.
Here are some examples for commonly used firewalls:
Linux ufw
sudo ufw allow <XXXX>/tcp, where <XXXX> is the port number.
Linux iptables
sudo iptables -A INPUT -p tcp --dport <XXXX> -j ACCEPT, where <XXXX> is the port number.
Linux firewalld
sudo firewall-cmd --permanent --add-port=<XXXX>/tcp, where <XXXX> is the port number.
Windows
netsh advfirewall firewall add rule name="Zscaler Firewall" dir=in action=allow protocol=TCP localport=<XXXX>, where <XXXX> is the port number.
To test the setup
You can test the setup by generating traffic or events, such as the following:
Block a connection
Trigger IPS rule
Login attempt
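While you generate the test events above, the following added example (not part of the Barracuda or Stormshield documentation) listens on the syslog UDP port and reports whether each datagram is framed as RFC3164 or RFC5424, along with its decoded priority. It assumes it runs on a host where UDP port 9275 is free, for example a test host temporarily set as the syslog server, because it cannot share the port with a running collector; the function names and sample messages are constructed for illustration.

```python
import re
import socket

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME ...   RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def classify(datagram: bytes) -> dict:
    """Identify the syslog framing of one datagram and decode its PRI field."""
    text = datagram.decode("utf-8", errors="replace")
    for name, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = pattern.match(text)
        if m and int(m.group(1)) <= 191:  # PRI = facility * 8 + severity, max 23*8+7
            pri = int(m.group(1))
            return {"format": name, "facility": pri // 8,
                    "severity": SEVERITIES[pri % 8], "timestamp": m.group(2),
                    "host": m.group(3)}
    return {"format": "unknown", "facility": None, "severity": None,
            "timestamp": None, "host": None}


def listen(port: int = 9275, count: int = 5, timeout: float = 30.0) -> list:
    """Receive up to `count` datagrams on UDP `port` and classify each one."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", port))
        try:
            for _ in range(count):
                data, (src, _src_port) = sock.recvfrom(65535)
                results.append((src, classify(data)))
        except socket.timeout:
            pass  # no more traffic within the window; report what arrived
    return results


# Constructed sample datagrams (not captured Stormshield output).
SAMPLE_5424 = b"<134>1 2024-05-01T10:15:00Z fw01 app - - - constructed test message"
SAMPLE_3164 = b"<129>May  1 10:15:00 fw01 app: constructed test message"

if __name__ == "__main__":
    for src, info in listen():
        print(src, info)
```

A result of "unknown" for traffic from the firewall's address means the datagram matched neither header layout, which is worth checking against the Format setting chosen when the syslog server was added.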