Configure pfSense Plus Denylist for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform network-based response actions in your network using pfSense Plus.

pfSense Plus supports these response actions:

Add a malicious IP address to a denylist

For more information, see Response action descriptions.

These resources are required:

Administrator access to the pfSense Plus appliance interface, including access to packages, aliases, and firewall rules.

These actions are required:

Complete Configure Generic Firewall Denylist for Arctic Wolf Active Response.

Contact your CST to validate the Active Response integration. Have an IP address ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Create an alias to store IP addresses

Sign in to the pfSense Plus appliance interface.
Your pfSense Plus appliance interface URL is the IP address of your appliance, similar to https://192.168.1.1/.
In the navigation menu, click Firewall > Aliases.
Click the URLs tab, and then click + Add.
Enter a name for the alias.
For example, FirewallAlias.
In the Type list, select URL Table (IPs).
For the URL, enter:
CODE
<cloudformation_output_url>/<file_name>
```
<cloudformation_output_url>/<file_name>
```
Where:
- cloudformation_output_url is the value of the DenyListUrl output from Confirm stack deployment and gather credentials.
- file_name is either denyList.csv or denyList.txt, depending on the file type that you submitted in Optional: Upload your existing denylist or was created for you in Provide Generic Firewall Denylist Active Response credentials to Arctic Wolf.
Click Save.
Click Apply Changes to update the firewall.

Create a firewall rule

In the navigation menu, click Firewall > Rules.
Add a new rule to the top of the list by clicking Add.
In the Action list, select Block.
In the Interface list, select WAN or LAN based on the type of traffic you want to block.

Do one of these actions:

Option	Description
Block IP addresses from communicating with your firewall	For Source, change any to Address or alias. In the Source Address field, enter the name of the alias created in Create an alias to store IP addresses. Keep the Destination as any.
Block your firewall from communicating with IP addresses	Keep the Source as any. For Destination, change any to Address or alias. In the Destination Address field, enter the name of the alias created in Create an alias to store IP addresses.

For the Description, enter a name for the firewall rule.
For example, AWFirewallRule.
Click Save.
Click Apply Changes to update the firewall.

Configure a cron schedule

By default, pfSense Plus polls external lists every 24 hours. For faster policy enforcement, configure a cron schedule to reduce the polling interval to one hour.

If cron is not already installed, install cron:
1. In the navigation menu, click System > Package Manager.
2. Click the Available Packages tab.
3. Search for Cron and click + Install.
4. Click Confirm.
The cron package is installed and Success is displayed in the command line output.
In the navigation menu, click Services > Cron.
Click + Add to add a new cron schedule.
In the Minute field, enter 0.
In the Hour, Day of the Month, Month of the Year, and Day of the Week fields, enter *.
In the User field, enter root.
In the Command field, enter:
CODE
to /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate <alias_name>
```
to /usr/bin/nice -n20 /etc/rc.update_urltables now forceupdate <alias_name>
```
Where:
- alias_name is the name of the alias created in Create an alias to store IP addresses.
Click Save.

Active Response, Log Forwarding, and Security Monitoring

Active Response, Log Forwarding, and Security Monitoring

Configure pfSense Plus Denylist for Arctic Wolf Active Response

Create an alias to store IP addresses

Create a firewall rule

Configure a cron schedule

On this Page