Achieve security excellence without breaking the budget!

Download guide

Integrating CrowdSec with Firewall appliances

The majority of modern IT infrastructures already includes some form of the security appliance. Our users requested some way to integrate CrowdSec at the appliance level, within their pre-existing ecosystem. In this article, we’ll show you how to make it happen, using the new crowdsec-blocklist-mirror component.  

Overview

Leveraging the firewall’s ability to pull IP blocklists from external HTTP URLs, we’ll deploy a crowdsec-blocklist-mirror in the network and configure the appliance to pull IP lists from it.

For this example we are going to use FortiGate, but the steps are similar for other vendors.

Deploying Blocklist Mirror

For this, you’ll need a machine that is accessible from the appliance. You can deploy the blocklist mirror in multiple ways, either by installing from a Linux package manager or deploying with docker. This machine should also be able to access the CrowdSec Local API. The Local API can either be installed on the same machine or can be deployed elsewhere.

For this tutorial we’ll assume that CrowdSec Local API is already installed and listening at port 8080. The OS being used here is ubuntu.

Install Blocklist Mirror

Make sure you have set up the CrowdSec repository. See this to learn how. Then run: 

sudo apt install crowdsec-blocklist-mirror

Or if you’re using a RPM-based Linux distribution, run 

‍sudo yum install crowdsec-blocklist-mirror

Configure Blocklist Mirror

After this, we will check and eventually modify the config file located at /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml

Make sure that the lapi_url parameter is correct. If your Local API is deployed on some other machine, please change the lapi_url to the appropriate address and set the lapi_key to a key generated by running the command sudo cscli bouncers add blocklistMirror on the LAPI machine.

By default the blocklist mirror server listens at 127.0.0.1:41412, let’s change this to 0.0.0.0:80 to make this simpler. We can do this by setting listen_uri parameter to 0.0.0.0:80

To load a new configuration use this command:

sudo systemctl restart crowdsec-blocklist-mirror

You can now see the blocklist being served at http://127.0.0.1/security/blocklist.

You can do things like setting authentication, multiple endpoints, TLS etc by tweaking the configuration. Learn more here.

Configure firewall appliance to pull blocklist

This tutorial assumes you are using a FortiGate firewall. Please note that for other vendors steps may vary.

Configuring external blocklist

Open the FortiGate dashboard and navigate to Security Fabric -> External Connectors  and click on Create New button.

Scroll down and select Threat Feed -> IP Address and create a connector

Make sure that the appliance can access the URL. This URL should be the one where the blocklist we deployed earlier is serving the IP-list. Finally, click OK.

After a while you can see that this threat feed will be filled. These are from blocklist mirror. 

Create a firewall policy referencing the blocklist

You can now create a firewall policy/policy which will deny access to your infrastructure if the incoming IP is present in blocklist. To do this you can navigate to Policy & Objects and click on the Create New button. 

Specify the fields as required, and you need to reference the blocklist by selecting it in the Source dropdown

All you have to do next is save the policy and enable it by clicking OK.

Great job!

To sum up

In this way we leveraged CrowdSec in a firewall appliance by using blocklist mirror bouncer. You can further configure the blocklist mirror with authentication, TLS and other security goodies. If you have a question or a suggestion feel free to reach out to us on Discord.

You may also like

Protect Your Applications with AWS WAF and CrowdSec: Part I
Tutorial

Protect Your Applications with AWS WAF and CrowdSec: Part I

Learn how to configure the AWS WAF Remediation Component to protect applications running behind an ALB that can block both IPs and countries.

Protect Your Serverless Applications with AWS WAF and CrowdSec: Part II
Tutorial

Protect Your Serverless Applications with AWS WAF and CrowdSec: Part II

Learn how to protect your serverless applications hosted behind CloudFront or Application Load Balancer with CrowdSec and the AWS WAF.

Securing A Multi-Server CrowdSec Security Engine Installation With HTTPS
Tutorial

Securing A Multi-Server CrowdSec Security Engine Installation With HTTPS

In part II of this series, you learn about the three different ways to achieve secure TLS communications between your CrowdSec Security Engines in a multi-server setup.