The Barracuda CloudGen Firewall allows administrators to stream relevant security events to the Barracuda XDR platform to detect malicious events and provide incident response. A 24x7 SOC team streamlines the response to incidents, which reduces the damage of an attack. For more information on the Barracuda XDR solution, please refer to: https://barracudamsp.com/product-details/extended-detection-and-response-xdr/
For Barracuda CloudGen Firewall firmware 8.3.2 or lower, streaming events to Barracuda XDR requires a Firewall Insights subscription assigned to the box. The license is provided by the Barracuda XDR team.
Enable Streaming to Barracuda XDR Platform for Standalone Firewalls
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
- In the left menu, click Firewall Insights. On Barracuda CloudGen Firewall firmware 8.3.3 and above, click Reporting.
- Expand the Configuration Mode menu and select Switch to Advanced.
- Click Lock.
- Enable the service and select Use Generic Logstash.
- Enable Verify Server Certificate.
- In the Hostname field, enter the endpoint FQDN:
cloudgenfw.ingest.skoutsecure.com:5044
- Click Send Changes and Activate.
Enable Streaming to Barracuda XDR Platform for Managed Firewalls
- Go to CONFIGURATION > Configuration Tree > Range > Cluster > Boxes > Box > Infrastructure Services > Syslog Streaming.
- In the left menu, click Firewall Insights.
- Expand the Configuration Mode menu and select Switch to Advanced.
- Click Lock.
- Enable the service and select Use Generic Logstash.
- Enable Verify Server Certificate.
- In the Hostname field, enter the endpoint FQDN:
cloudgenfw.ingest.skoutsecure.com:5044
- Set Use Remote Management Tunnel to No.
- Click Send Changes and Activate.
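A pre-flight check for both procedures above, as an added example that is not Barracuda's own code: it confirms that the endpoint entered in the Hostname field resolves, accepts a TCP connection on port 5044, and presents a certificate that passes chain and hostname validation. It assumes the endpoint speaks TLS directly on that port (inferred from the Verify Server Certificate setting) and that it is run from a host on the same egress path as the firewall; the function names are hypothetical.

```python
import socket
import ssl

# Endpoint string exactly as entered in the Hostname field on this page.
XDR_ENDPOINT = "cloudgenfw.ingest.skoutsecure.com:5044"


def parse_endpoint(endpoint):
    """Split 'fqdn:port' into (host, port) and reject malformed values."""
    host, sep, port = endpoint.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected fqdn:port, got {endpoint!r}")
    port_num = int(port)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return host.lower(), port_num


def verifying_context():
    """TLS context that validates the certificate chain and the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(endpoint, timeout=5.0):
    """Return (ok, detail), classifying a failure as DNS, certificate, TLS or TCP."""
    host, port = parse_endpoint(endpoint)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with verifying_context().wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"{tls.version()} ok, valid until {cert.get('notAfter')}"
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        return False, f"TLS handshake failed: {exc}"
    except OSError as exc:  # timeout, refused, unreachable: usually an egress rule
        return False, f"TCP connection failed: {exc}"


if __name__ == "__main__":
    ok, detail = check_endpoint(XDR_ENDPOINT)
    print(("PASS " if ok else "FAIL ") + XDR_ENDPOINT + ": " + detail)
```

A certificate verification failure here usually points to TLS inspection or an incomplete trust store on the path, and is a reason to fix the path rather than to disable Verify Server Certificate.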
(Optional) Link the Syslog Streaming node to a Repository
- Make sure repositories are enabled. For more information, see Repositories.
- Within the Configuration Tree, right-click the Syslog Streaming node that has been configured, and select Copy to Repository.
- Select the repository and enter an appropriate object name.
- Right-click the created repository object and select Multiple Object Action.
- Select all firewalls in your Control Center you want to activate the integration for.
- Select Link to Repository as the Action on selected Nodes, and click Go.
- Click OK.
- On the top-right of the window, click Activate.