The documentation below outlines the requirements for the Barracuda XDR Security Orchestration, Automation, and Response (SOAR) for SonicWall Firewall. When you've set this up, all required data is uploaded to the Customer Security Dashboard in the SOAR Settings > Firewalls section.
To set up SOAR for SonicWall Firewall, do the following
- To select an authentication method for SonicOS API
- To create an Admin user for the API
- To obtain the HTTPS port number for API calls
- To ensure the HTTPS User Login option is enabled
- To create an address group
- To add the IP address to the Trusted Users group
- To configure the Barracuda XDR Dashboard
To select an authentication method for SonicOS API
The SonicOS API is enabled by default in SonicOS 7.0 and SonicOSX.
- Navigate to Device > Settings > Administration > Audit/SonicOS API.
Toggle the switch to RFC-2617 HTTP Basic Access authentication.
- Click Accept.
To create an Admin user for the API
- Log in to SonicWall Firewall.
- Click Device.
- Navigate to Users > Local Users & Groups.
- Click Local Users
- Click Add User.
- In Name, type the username
BarracudaXDRAdmin. - In Password, type a password for the user.
- Click on Groups.
- Click the group you want to give the user Administrator.
Select the SonicWall Administrators group to allow the user to make configuration changes.
- Click Save.
- Send the Username and Password to the Barracuda XDR team.
To obtain the HTTPS port number for API calls
You can find the the port can be found in the URL along with the external IP address. For example, in https://<IP Address>:<port>, where <IP Address> is the external IP address and <port> is the port number.
Another way to verify the port number would be to do the following:
- Navigate to Home > API.
- Click on the link https://sonicos-api.sonicwall.com. Swagger will prepopulate your SonicWalls’s IP, MGMT Port, Firmware. The port number should be visible in the URL when you navigate to the website.
- Provide the port number to the Barracuda XDR team.
To ensure the HTTPS User Login option is enabled
- Log in to SonicWall Firewall.
- Navigate to Network > System > Interfaces.
- Click the Edit button of the interface.
- In Management & User Login, select HTTPS.
Click Save.
- Navigate to Policy > Access Rules.
- Modify the WAN -> WAN default rule to lock down the Source Address to 44.209.49.222.
To create an address group
In SonicWall Firewall, navigate to Object > Match Objects > Addresses > Address Groups.
- Click Add to add the new address group called Barracuda_XDR_Blocked_IPs.
Barracuda XDR uses the Address Group when automatically blocking IPs on the firewall. If you do not have a preexisting policy in place, create one and add the address group. For more information, see https://www.sonicwall.com/support/knowledge-base/using-firewall-access-rules-to-block-incoming-and-outgoing-traffic/170503532387172/#Resolution1. - Add the Barracuda_XDR_Blocked_IPs group to any preexisting firewall policies that were created to block traffic to/from anomalous IP addresses.
- Send the Address Group Name to the Barracuda XDR team.
To add the IP address to the Trusted Users group
44.209.49.222 is the static address of Barracuda XDR's SOAR platform Barracuda XDR authenticates from this IP to remediate threats.
- Follow this procedure to add the IP address 44.209.49.222 to the Trusted Users Group: How to add IPs to Connection Management and Trusted Networks.
To configure the Barracuda XDR Dashboard
- In Barracuda XDR Dashboard, click SOAR Settings > Firewalls.
- Click Config.
- In the Edit Config dialog box, enter the following:
- External IP
- API Access Port
- Username
- Credential
- Group Name
- Click Save.