Configure Generic Firewall Denylist for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform network-based response actions in your network using various firewall applications.

Generic Firewall Denylist supports these response actions:

  • Add a malicious IP address to a denylist

For more information, see Response action descriptions.

These resources are required:

  • Access to the AWS Management Console
  • An AWS user or AWS Identity and Access Management (IAM) role with administrator permissions or an equivalent IAM policy
  • An administrator account for the firewall product that you are integrating
  • AWS CLI, if you want to deploy the CloudFormation stack from the command line instead of the AWS console
  • Contact your CST to validate the Active Response integration. Have an IP address ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Configure an AWS S3 bucket for firewall Active Response

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Resources > Downloads.
  3. In the Active Response section, click Download CloudFormation Template.
    This CloudFormation template contains all required resources for Arctic Wolf to update the denylist.
    The deny_list_cfn zip file automatically downloads to your Downloads folder.
  4. Navigate to your Downloads folder, and then extract the contents of the deny_list_cfn zip file.
  5. Deploy the stack using one of these methods:

Deploy the CloudFormation stack using AWS CLI

  1. Open a local terminal with AWS CLI installed, or open AWS CloudShell in a browser.
  2. Optional: If you are using CloudShell, select Actions > Upload file to upload the JSON file from Configure an AWS S3 bucket for firewall Active Response.
  3. Run this command:
    aws cloudformation deploy \
      --template-file <template_filepath> \
      --stack-name <stack_name> \
      --capabilities CAPABILITY_NAMED_IAM \
      --parameter-overrides \
      FirewallIPs='<firewall_ip_addresses>'
    Where:
    • template_filepath is the filepath for the deny_list_cfn JSON template. If you are using CloudShell, the filepath is simply the name of the file. For example, deny_list_cfn.json.
    • stack_name is the name of the stack, for example firewall-deny-list.
    • firewall_ip_addresses is a comma-separated list of the IP addresses of the firewalls that need to read the denylist so they can apply it to your network traffic. For example, 0.0.0.0,8.8.8.8.
      Note: These are IP addresses that need to read the denylist, not the IP addresses included in the denylist. The IP addresses should be public WAN IP addresses, not management IP addresses.
    Expected output:
    Waiting for changeset to be created..
    Waiting for stack create/update to complete
    Successfully created/updated stack - firewall-deny-list

Deploy the CloudFormation stack using the AWS console

  1. Sign in to the AWS CloudFormation console.
  2. Click Create stack > With new resources (standard).
  3. In the Prepare template section, keep Choose an existing template selected.
  4. In the Specify template section, click Upload a template file.
  5. Click Choose file, and then select the deny_list_cfn JSON file.
  6. Click Next.
  7. Enter a stack name.
    For example, firewall-deny-list.
  8. Enter a comma-separated list of the IP addresses for the firewalls that require access to the denylist to apply it to your network traffic. For example, 0.0.0.0,8.8.8.8.
    Note: These are IP addresses that need to read the denylist, not the IP addresses included in the denylist. The IP addresses should be public WAN IP addresses, not management IP addresses.
  9. Click Next.
  10. On the Configure stack options page, keep the default options selected.
  11. Select the I acknowledge that AWS CloudFormation might create IAM resources checkbox.
    This stack creates a lambda role with access to read the bucket that contains the denylist.
  12. Click Next.
  13. Click Submit.

Confirm stack deployment and gather credentials

  1. Sign in to the AWS CloudFormation console.
  2. In the top navigation bar, click your account name.
  3. In the Account ID section, click Copy Account Id to copy your account ID, and then save it in a safe, encrypted location.
    You will provide it to Arctic Wolf later.
  4. In the top navigation bar, click the region.
  5. Locate the name of the region that you created the bucket in, and then save it in a safe, encrypted location.
    For example, us-east-2. You will provide it to Arctic Wolf later.
  6. On the Stacks page, filter for the denylist that you created in Configure an AWS S3 bucket for firewall Active Response.
    For example, search for firewall-deny-list.
  7. Click the name of the stack.
  8. If the stack status is CREATE_IN_PROGRESS, wait a few minutes and then click Refresh.
  9. When the stack status is CREATE_COMPLETE, click the Outputs tab.
  10. Confirm that there are two outputs: BucketName and DenyListUrl.
  11. Copy the value of the DenyListUrl output, and then save it in a safe, encrypted location.
    You will provide it to your third-party application later.
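The following script is an added example and is not Arctic Wolf's code. It covers two checks a practitioner would want around the AWS CLI deployment above and the stack confirmation steps: it validates the FirewallIPs parameter before the deploy (every entry must be a single public IPv4 address, so private, loopback, link-local and placeholder values such as 0.0.0.0 are rejected, which also rules out management addresses), builds the same aws cloudformation deploy command the page shows, and then reads the JSON printed by aws cloudformation describe-stacks to confirm the stack reached CREATE_COMPLETE (or UPDATE_COMPLETE) with both the BucketName and DenyListUrl outputs. The sample describe-stacks document and its bucket name and URL are constructed placeholders; the output key spelling DenyListUrl is taken from the page, and the IPv4-only rule is an assumption.

```python
"""Pre-flight checks for the deny_list_cfn stack deployment (added example)."""
import ipaddress
import json
import subprocess
import sys


def parse_firewall_ips(raw):
    """Validate a comma-separated FirewallIPs value and return the de-duplicated
    addresses. Raises ValueError naming the first entry that is not a single,
    public IPv4 address (assumption: the firewalls' WAN addresses are IPv4)."""
    addrs = []
    for item in raw.split(","):
        entry = item.strip()
        if not entry:
            raise ValueError("empty entry in FirewallIPs list")
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            raise ValueError(f"{entry!r} is not a single IP address "
                             "(CIDR ranges and hostnames are not accepted)") from None
        if ip.version != 4:
            raise ValueError(f"{entry} is not IPv4")
        # is_global is False for RFC 1918, loopback, link-local, CGNAT and 0.0.0.0/8,
        # which catches management/LAN addresses and unfilled placeholders.
        if not ip.is_global:
            raise ValueError(f"{entry} is not a public WAN address; "
                             "list the firewall's public IP, not its management IP")
        if str(ip) not in addrs:
            addrs.append(str(ip))
    if not addrs:
        raise ValueError("FirewallIPs must contain at least one address")
    return addrs


def build_deploy_command(template_file, stack_name, firewall_ips):
    """Return the argv for the page's deploy command. Passing a list to
    subprocess means the parameter value needs no shell quoting."""
    return ["aws", "cloudformation", "deploy",
            "--template-file", template_file,
            "--stack-name", stack_name,
            "--capabilities", "CAPABILITY_NAMED_IAM",
            "--parameter-overrides", f"FirewallIPs={','.join(firewall_ips)}"]


def stack_outputs(describe_json):
    """Parse the JSON from `aws cloudformation describe-stacks --stack-name <name>`
    and return {'BucketName': ..., 'DenyListUrl': ...}. Raises RuntimeError if the
    stack is not finished or an expected output is missing."""
    stack = json.loads(describe_json)["Stacks"][0]
    status = stack["StackStatus"]
    if status not in ("CREATE_COMPLETE", "UPDATE_COMPLETE"):
        raise RuntimeError(f"stack {stack['StackName']} is {status}; wait and retry")
    outputs = {o["OutputKey"]: o["OutputValue"] for o in stack.get("Outputs", [])}
    missing = [k for k in ("BucketName", "DenyListUrl") if k not in outputs]
    if missing:
        raise RuntimeError("missing stack outputs: " + ", ".join(missing))
    return outputs


# Constructed sample of a describe-stacks response; values are placeholders.
SAMPLE_DESCRIBE = json.dumps({"Stacks": [{
    "StackName": "firewall-deny-list",
    "StackStatus": "CREATE_COMPLETE",
    "Outputs": [
        {"OutputKey": "BucketName", "OutputValue": "example-denylist-bucket"},
        {"OutputKey": "DenyListUrl",
         "OutputValue": "https://example-denylist-bucket.s3.us-east-2.amazonaws.com"},
    ]}]})


if __name__ == "__main__":
    # Usage: python deploy_denylist_stack.py <template.json> <stack_name> <ip1,ip2,...>
    # Without arguments it only demonstrates the checks on the constructed sample.
    if len(sys.argv) == 4:
        ips = parse_firewall_ips(sys.argv[3])
        subprocess.run(build_deploy_command(sys.argv[1], sys.argv[2], ips), check=True)
        described = subprocess.run(["aws", "cloudformation", "describe-stacks",
                                    "--stack-name", sys.argv[2]],
                                   check=True, capture_output=True, text=True).stdout
        print(stack_outputs(described))
    else:
        print(build_deploy_command("deny_list_cfn.json", "firewall-deny-list",
                                   parse_firewall_ips("8.8.8.8, 1.1.1.1")))
        print(stack_outputs(SAMPLE_DESCRIBE))
```

Run it with the template path, stack name and firewall list to deploy and then confirm the outputs in one step; the bucket name and DenyListUrl it prints are the values the later steps ask you to save.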

Optional: Upload your existing denylist

If you have an existing denylist, you can upload it to the S3 bucket.

Note: Arctic Wolf only supports CSV and text files, and the files must meet these requirements:
  • Text file — Each IP address needs to be on a new line.
  • CSV file — Each IP address needs to be in its own column.

  1. Rename the file to denyList.
  2. Sign in to the Amazon S3 console.
  3. In the navigation menu, click General purpose buckets.
  4. Filter for the denylist that you created in Configure an AWS S3 bucket for firewall Active Response.
    For example, search for firewall-deny-list.
  5. Click the name of the bucket.
  6. Click Upload.
  7. Upload your denylist.
  8. Click Upload.

Provide Generic Firewall Denylist Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Generic Firewall Denylist.
  5. On the New Active Response Integration page, configure these settings:
  6. In the List Separator Type field, do one of these actions:
    • If you uploaded your own CSV file denylist, choose Comma Separated (CSV File).
    • If you uploaded your own text file denylist, choose New Line (Text File).
    • If you did not upload your own denylist, choose the option that aligns with the requirements of your firewall application.
  7. Click Save Integration.
    If you did not upload your own denylist, a denylist is automatically created in the S3 bucket.
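The following script is an added example and is not Arctic Wolf's code. It ties together the file requirements in Optional: Upload your existing denylist and the List Separator Type choice above: it detects whether an existing list is text (one address per line) or CSV (addresses in columns), rejects any entry that is not a single IP address, removes duplicates and blank entries, writes the result as a file named denyList in the format you choose, and reports which List Separator Type option that format corresponds to in the portal. The sample lists are constructed; treating CIDR ranges and hostnames as errors is an assumption, since the page only mentions IP addresses.

```python
"""Normalise an existing denylist into the text or CSV layout described on the page
(added example)."""
import csv
import io
import ipaddress
import sys

# Portal option names as given on the page, keyed by file format.
SEPARATOR_TYPE = {
    "text": "New Line (Text File)",
    "csv": "Comma Separated (CSV File)",
}


def detect_format(content):
    """Guess the layout of an existing list: any comma on a non-empty line means
    the addresses are in CSV columns, otherwise one address per line."""
    for line in content.splitlines():
        if line.strip() and "," in line:
            return "csv"
    return "text"


def parse_denylist(content, fmt=None):
    """Return the validated, de-duplicated addresses in `content`. Raises
    ValueError for the first entry that is not a single IPv4/IPv6 address
    (CIDR ranges and hostnames are rejected; an assumption, see lead-in)."""
    fmt = fmt or detect_format(content)
    if fmt == "csv":
        cells = [cell for row in csv.reader(io.StringIO(content)) for cell in row]
    else:
        cells = content.splitlines()
    addrs = []
    for cell in cells:
        entry = cell.strip()
        if not entry:
            continue  # blank line or empty column
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            raise ValueError(f"{entry!r} is not a single IP address") from None
        if str(ip) not in addrs:
            addrs.append(str(ip))
    if not addrs:
        raise ValueError("denylist contains no addresses")
    return addrs


def render_denylist(addrs, fmt):
    """Serialise addresses in the target layout: one per line for a text file,
    or a single row with one address per column for a CSV file."""
    if fmt == "text":
        return "\n".join(addrs) + "\n"
    if fmt == "csv":
        return ",".join(addrs) + "\n"  # addresses never contain commas or quotes
    raise ValueError(f"unknown format {fmt!r}")


def convert(content, target_fmt):
    """Parse a list in either layout and return (file body, portal option name)."""
    addrs = parse_denylist(content)
    return render_denylist(addrs, target_fmt), SEPARATOR_TYPE[target_fmt]


# Constructed sample lists: one text-style with a duplicate and a blank line,
# one CSV-style with a quoted column.
SAMPLE_TEXT = "8.8.8.8\n\n1.1.1.1\n8.8.8.8\n"
SAMPLE_CSV = '8.8.8.8,"1.1.1.1",2001:db8::1\n'


if __name__ == "__main__":
    # Usage: python normalise_denylist.py <existing_list> <text|csv>
    # Writes ./denyList (the file name the upload step requires) and prints the
    # List Separator Type to select. Without arguments it runs on the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            body, option = convert(fh.read(), sys.argv[2])
        with open("denyList", "w", encoding="utf-8", newline="") as out:
            out.write(body)
        print(f"wrote denyList; set List Separator Type to: {option}")
    else:
        for sample in (SAMPLE_TEXT, SAMPLE_CSV):
            body, option = convert(sample, "text")
            print(f"{detect_format(sample)} input -> {option}\n{body}")
```

Pick the target format to match what your firewall can fetch, then choose the matching List Separator Type in the portal; if an entry is rejected, fix the source list rather than uploading it, since the firewall will read whatever ends up in the bucket.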

Configure the denylist in the third-party application

  1. Follow the instructions from the application that you are integrating with to connect the firewall to the URL of the denylist.
    For example:
  2. For the URL, enter
    <cloudformation_output_url>/<file_name>
    Where: