Firewalla Gold & Wazuh
Hello,
I have upgraded my RAM to 8GB; current load is at 40%.
I have a question.
I have a Wazuh server and a MISP server running inside the Firewalla.
No, MISP and Wazuh are not running on the Firewalla Gold. Until Firewalla implements a Platinum device with processor upgrade, M2 installation (fitted not used) and RAM upgrade this is not possible.
1. M2 installation would increase storage for docker containers significantly.
2. RAM - 8GB recommended - see this forum - more means more containers.
I am running docker containers within Firewalla that include at the moment Unifi and an NGINX reverse proxy, iaw the current guides within this forum. Happy with this; load on Firewalla is well - great.
I wish to implement a Wazuh Agent and have already done so but it does not persist after a Firewalla Gold restart. I need to maintain this agent after restart.
Why have I chosen this rather than syslog forwarding, also to Wazuh? The Wazuh agent informs me of various other facets going on within the Firewalla Gold box. I have installed Audited but have left it unconfigured; I don't want to break the box. Firewalla Gold is, after all, a rather unique device.
I need to know a number of things.
1. Maintaining persistence. On Firewalla Gold restart Wazuh agent is lost along with SSH.
2. Correct logs - I can configure Wazuh to import the logs from Firewalla Gold.
I am only interested in the logs that are reported to the MSP portal.
No documentation I have found is helpful on this. What logs do what, and for what?
3. MISP integration - currently Firewalla Gold has an intel feed of about 1m. MISP should increase this significantly, whether the MISP server belongs to Firewalla or is in-house. How do we implement this?
4. Docker Configuration - ugly. A universal docker compose file via the application (the MSP interface is seriously lacking along with the API). Anybody who is IT savvy knows about this and a cleaner solution would be beneficial.
5. Greater API functionality - it's all there within the mobile application, but it's all manual. What I would like: the ability for Firewalla Gold to be enhanced beyond the default by amalgamation within a SIEM (open source or other). Current mobile application solutions have API key solutions. The possibility to enter an API key may be beneficial, but I understand that the free solution works, although it totally relies on the Firewalla Inc intel feed.
However, my top priority is permanent Wazuh integration. After all, this device is a gateway. We rely on it to protect our internal systems. I have already subscribed to Firewalla MSP (although on trial); I would like to see better functionality.
Sincerely,
Leon Scott.