Integrate Flowmon ADS with Hillstone iNGFW for Ultimate Protection

22/06/18

Network Behavior Analysis and firewall solutions complement each other nicely. Let's look at how to integrate Flowmon ADS with Hillstone iNGFW for comprehensive network security.

Signatureless detection based on Network Behavior Analysis, as provided by Flowmon ADS, allows security teams to detect insider threats and breaches that traditional security solutions cannot detect. Combining this technology with perimeter protection (firewalls) makes it possible to proactively block attempts at malicious communication flowing from and into the network infrastructure, and to get maximum value from both technologies. The integration is done with a simple integration script.

The following steps show how to configure Hillstone iNGFW and Flowmon ADS using the script. The script extracts the source IP address from the event information, connects to the NGFW via SSH and instructs the NGFW to block that IP address for a given time. The integration script is available on request.

1. Create a user on Hillstone iNGFW

The first step is to create a user and set its permissions using the following CLI commands on the Hillstone iNGFW. The password shown is only an example; set your own.
SG-6000# configure
SG-6000(config)# admin user flowmon
SG-6000(config-admin)# password flowmon
SG-6000(config-admin)# role operator
SG-6000(config-admin)# access ssh
SG-6000(config-admin)# end

2. Upload integration script to ADS and set reporting

The second step is to insert the integration script in Flowmon ADS under Settings - Custom scripts.

Edit custom script form

The script has six parameters to configure:
Required parameters:
--fw-ip : IP address of the Hillstone NGFW
--user : Hillstone NGFW user
--passwd : Hillstone NGFW password
Optional parameters:
--fw-port : SSH service port to connect to on the Hillstone NGFW
--ssh-timeout : Maximum time allowed for SSH connection [1-5 seconds]
--block-timeout : Timeout for IP blocking [60-3600 seconds]
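
An added example (not the vendor's script, which is available only on request) of the input checks such a script should make before it sends anything to the firewall: it enforces the parameter ranges listed above and accepts only a bare IP literal as a block target. The default values, the NEVER_BLOCK list and the function names are assumptions, and how ADS hands the event to the script is not covered here.

```python
import argparse
import ipaddress

# Assumption: constructed list of addresses automation must never block
# (e.g. gateways, DNS, the ADS collector itself). Replace with your own.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.1/32", "192.0.2.0/28")]


def bounded_int(lo, hi):
    """argparse type: integer restricted to the inclusive range [lo, hi]."""
    def parse(text):
        value = int(text)
        if not lo <= value <= hi:
            raise argparse.ArgumentTypeError(f"{value} is outside [{lo}, {hi}]")
        return value
    return parse


def build_parser():
    """The six parameters from the list above; default values are assumptions."""
    p = argparse.ArgumentParser(description="Block an event source IP on the NGFW")
    p.add_argument("--fw-ip", required=True, type=ipaddress.ip_address)
    p.add_argument("--user", required=True)
    p.add_argument("--passwd", required=True)
    p.add_argument("--fw-port", type=bounded_int(1, 65535), default=22)
    p.add_argument("--ssh-timeout", type=bounded_int(1, 5), default=5)
    p.add_argument("--block-timeout", type=bounded_int(60, 3600), default=600)
    return p


def safe_block_target(raw, fw_ip, never_block=NEVER_BLOCK):
    """Return the canonical IP to block, or None if it must not reach the CLI."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None  # not a bare IP literal, so it could smuggle extra CLI text
    if ip == fw_ip or ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return None  # never block the firewall itself or non-host addresses
    if any(ip in net for net in never_block):
        return None
    return str(ip)


if __name__ == "__main__":
    # Constructed sample arguments and event source values.
    args = build_parser().parse_args(
        ["--fw-ip", "198.51.100.1", "--user", "flowmon", "--passwd", "example"])
    for src in ("203.0.113.7", "203.0.113.7; show version", "192.0.2.5"):
        print(repr(src), "->", safe_block_target(src, args.fw_ip))
```

Only the string returned by safe_block_target should ever be placed into the command sent over SSH; a None result means the event is skipped and logged instead.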

The next step is to set up event reporting in Flowmon ADS under Processing - Event reporting - Custom scripts. Click the "plus" icon and choose the integration script in the pop-up form. You can change the prefilled parameters. The selected perspective and minimal priority determine which detected events will be used for reporting IP addresses to the Hillstone iNGFW.

Edit custom script action form

 

3. Check the integration on NGFW

After an event is detected, you can check whether the script works as expected by running "show block-ip" on the Hillstone NGFW. IPs in the list will be blocked for the block timeout period defined in Flowmon ADS.

Blocked IP list in Hillstone iNGFW
 

With this simple integration, Hillstone Networks iNGFW and Flowmon ADS form a network security protection solution that effectively intercepts threats from the Internet and from internal networks. Check out the Hillstone Networks products page and Flowmon ADS for more information about the components, or the Flowmon & Hillstone whitepaper to learn more about the joint solution.