There are two core components of the OneFirewall platform, each offering extensive configuration capabilities. These components are designed to be highly adaptable, ensuring they align with the specific needs and use cases of every alliance member based on how they interact with the platform.

To support a developer-friendly approach without compromising the user experience, we’ve adopted a JSON-based configuration model for managing changes. This page explains how to work with these configurations and what each key controls.

The two configurable components are:

Organization Level

If you are an Admin on the platform, you can navigate to the Organizations section, where all registered organizations are listed. By clicking Edit on any organization, you’ll open a configuration panel that displays key settings such as allowed token usage, trust level, and more.

One of the core elements in this panel is the Configuration Settings section, presented as an editable JSON block.

Example

{
  "live": {
    "index_name": "poc_traffic",
    "score_name": "score",
    "elastic_url": "default",
    "action_name": "action",
    "date_time_name": "@timestamp",
    "allow_value": [
      "Allow",
      "pass"
    ],
    "deny_value": [
      "Deny",
      "decline"
    ],
    "low_score": [
      1,
      60
    ],
    "medium_score": [
      60,
      120
    ],
    "high_score": [
      120,
      150
    ],
    "critical_score": [
      150,
      1000
    ],
    "device_name": [
      "firewall"
    ],
    "direction_name": [
      "direction"
    ],
    "service_name": [
      "service"
    ]
  },
  "reserved_ips": [
    "1.1.1.1",
    "62.49.0.0/16",
    "125.209.84.250",
    "1.4.6.7",
    "6.7.8.9"
  ],
  "blocking_roule": {
    "score": 20,
    "tags": [
      "tor_exit_nodeXXX"
    ]
  }
}

Explanation of the keys

Key | Description
live | A JSON object holding all configurable settings for how the LIVE page should parse the data for the final report
live.index_name | The ELK index where the data is saved. Default: poc_traffic
live.score_name | The field name under which the OFA Crime Score is saved during parsing. Default: score
live.elastic_url | The Elasticsearch URL to use when the data is not stored on the default instance. Default: default
live.action_name | The field name read to decide whether the traffic was allowed or denied. Default: action
live.date_time_name | The name of the timestamp field used when saving the data. Default: @timestamp
live.allow_value | An array of strings whose values mark traffic as accepted/allowed by the customer's firewalls. Default: ["Allow"]
live.deny_value | An array of strings whose values mark traffic as not accepted/blocked by the customer's firewalls. Default: ["Deny"]
live.low_score | An array of 2 elements, the minimum and maximum value for a LOW score. Default: [1, 60]
live.medium_score | An array of 2 elements, the minimum and maximum value for a MEDIUM score. Default: [60, 120]
live.high_score | An array of 2 elements, the minimum and maximum value for a HIGH score. Default: [120, 150]
live.critical_score | An array of 2 elements, the minimum and maximum value for a CRITICAL score. Default: [150, 1000]
live.device_name | An array with all strings that may represent the Device in the parsed data. Default: ["firewall"]
live.direction_name | An array with all strings that may represent the Direction in the parsed data. Default: ["direction"]
live.service_name | An array with all strings that may represent the Service in the parsed data. Default: ["service"]
reserved_ips | An array with all IPs (single addresses or CIDR ranges) used by the organization. These IPs will never be reported as malicious or involved in cyber attacks; the list can be viewed as a whitelist affecting only the given organization. Read more in the Release notes
blocking_roule | An object with additional rules, if needed, to block based on specific tags and score. Read more in the Release notes
blocking_roule.score | Minimum score for blocking. Works in AND with the tags
blocking_roule.tags | An array of tags (in OR) that the IP must have associated before it is blocked (works in AND with blocking_roule.score)
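The following is an added example, not OneFirewall's own code: it applies the organization-level keys described above (score bands, allow/deny values, reserved_ips and blocking_roule) to sample data. The sample configuration is constructed from the page's example; how a shared band boundary is assigned is an assumption stated in the code.

```python
"""Added example (not OneFirewall's own code): apply the organization-level keys described above."""
import ipaddress
import json

# Constructed sample that mirrors the page's example (defaults kept).
ORG_CONFIG = json.loads("""
{
  "live": {
    "low_score": [1, 60], "medium_score": [60, 120],
    "high_score": [120, 150], "critical_score": [150, 1000],
    "allow_value": ["Allow", "pass"], "deny_value": ["Deny", "decline"]
  },
  "reserved_ips": ["1.1.1.1", "62.49.0.0/16"],
  "blocking_roule": {"score": 20, "tags": ["tor_exit_nodeXXX"]}
}
""")

BANDS = ("low", "medium", "high", "critical")

def score_band(live, score):
    """Map a crime score to LOW/MEDIUM/HIGH/CRITICAL via the [min, max] ranges.
    Neighbouring ranges share a boundary (60, 120, 150) and the page does not say
    which band owns it; assumption: min <= score < max, last band includes its max."""
    for band in BANDS:
        lo, hi = live[f"{band}_score"]
        if lo <= score < hi or (band == BANDS[-1] and score == hi):
            return band.upper()
    return None  # outside every configured range

def classify_action(live, value):
    """Translate a firewall's action string via allow_value / deny_value."""
    if value in live["allow_value"]:
        return "allowed"
    return "blocked" if value in live["deny_value"] else "unknown"

def is_reserved(config, ip):
    """True if ip lies inside any reserved_ips entry (single IP or CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in config["reserved_ips"])

def blocking_rule_matches(config, score, tags):
    """blocking_roule: score >= minimum AND at least one listed tag present."""
    rule = config["blocking_roule"]
    return score >= rule["score"] and bool(set(tags) & set(rule["tags"]))

def should_block(config, ip, score, tags):
    """Reserved IPs are never reported as malicious, so they override the rule."""
    return not is_reserved(config, ip) and blocking_rule_matches(config, score, tags)
```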

WCF Agent Level

Each installed WCF Agent comes with a set of configurable settings that can be centrally managed by the server. To view or modify these settings, navigate to the Agent Status section. For any listed agent, click the Edit button to access a JSON configuration panel that defines the rules and behaviors the WCF Agent should follow.

Example

{
  "gaid": "OFA-AGENT-ID-D6NmSW62hUZW",
  "score_threshold": 150,
  "version": "v4.60.4",
  "proxy": "CLOUD",
  "sync_time": 1,
  "maximum_rules": 99999998,
  "ids": {
    "iptables": {
      "active": false
    },
    "ebtables": {
      "active": false
    },
    "pflist": {
      "active": false
    },
    "modsec": {
      "active": false,
      "modsec_logs": "/var/log/apache2/modsec_audit.log"
    },
    "cloudflare": {
      "active": false,
      "cloudflare_x_auth_email": "",
      "cloudflare_x_auth_key": ""
    },
    "luna": {
      "active": false,
      "json": []
    },
    "sshlog": {
      "active": false,
      "ssh_log_location": "/var/log/auth.log"
    }
  },
  "ips": {
    "httpd": {
      "active": true,
      "command": "cp blacklist_onefirewall.txt httpd/blacklist.txt"
    },
    "iptables": {
      "active": true,
      "acl": "/opt/onefirewall/acl/ipset.txt",
      "reload_command": "sudo ipset flush blacklist && sudo ipset restore < /opt/onefirewall/acl/ipset.txt "
    },
    "checkpoint": {
      "active": false,
      "username": "admin",
      "password": "",
      "address": "https://10.47.2.48",
      "group": "OneFirewall_IPS",
      "policy": "standard",
      "domain": "Test_domain_Server",
      "gateways": "Test_gw"
    },
    "checkpoint_securexl": {
      "active": false,
      "connections": "[email protected]",
      "password": "************",
      "command": "bash artifacts/checkpoint/install-securexl.sh",
      "vsids": "1,2"
    },
    "fortigate": {
      "active": false,
      "connections": "[email protected]",
      "password": "************",
      "command": "bash artifacts/fortigate/install-fortigate-url-feed.sh",
      "feeds": "/api/v1/feeds",
      "updates": "5"
    },
    "csp": {
      "active": false,
      "connections": "[email protected]",
      "password": "************",
      "command": "bash artifacts/csp.sh",
      "feeds": "onefirewall.txt",
      "updates": "5"
    },
    "ebtables": {
      "active": false
    },
    "pflist": {
      "active": false,
      "ofa_ips_txt": "/opt/apps/onefirewall-cloud-client/ofa-ips.txt",
      "pflist_reload_command": "sudo pfctl -f /etc/pf.conf;"
    },
    "modsec": {
      "active": false,
      "ruleset": "/usr/share/modsecurity-crs/rules/onefirewall_rules.conf",
      "modsec_reload_command": "sudo apachectl -k graceful;"
    },
    "cloudflare": {
      "active": false,
      "cloudflare_x_auth_email": "",
      "cloudflare_x_auth_key": ""
    },
    "cisco": {
      "active": false,
      "cisco_host": "",
      "cisco_user": "",
      "cisco_password": ""
    },
    "haproxy": {
      "active": false,
      "haproxy_logs": "/opt/onefirewall/acl/haproxy.txt",
      "haproxy_reload_command": "sudo service haproxy reload"
    },
    "csv": {
      "active": false,
      "csv_logs": "/opt/onefirewall/feeds.csv",
      "csv_reload_command": "wc /opt/onefirewall/feeds.csv"
    },
    "aws": {
      "active": false,
      "accessKeyId": "",
      "secretAccessKey": "",
      "region": ""
    },
    "sophos": {
      "active": false,
      "user": "",
      "password": "",
      "address": "",
      "command": "bash artifacts/sophos/update_blacklist_sophos.sh"
    },
    "trellix": {
      "active": false,
      "username": "",
      "password": "",
      "api": "",
      "fileslist_file": "",
      "broker_ca_bundle": "",
      "cert_file": "",
      "private_key": ""
    },
    "infoblox": {
      "active": false,
      "username": "",
      "password": "",
      "api": "",
      "group": "",
      "policy": "",
      "action": "",
      "view": "",
      "domains_file": "",
      "domains_file_whitelist": "",
      "api_whitelist_url": ""
    },
    "forcepoint": {
      "active": false,
      "username": "",
      "password": "",
      "api": "",
      "group": "",
      "policy": "",
      "action": "",
      "parent": null,
      "urls_file": ""
    }
  },
  "running": "yes"
}

Explanation of the keys

Key | Description
gaid | Unique ID for the agent, generated during the Agent Install procedure
score_threshold | Minimum score for the Agent to instruct the IPS (firewall) to block the traffic
version | The version of the Agent installed, kept for troubleshooting purposes
sync_time | How often the Agent should communicate with the server to be considered alive (numeric value, in minutes)
maximum_rules | The maximum number of rules to block; used when the firewall in question cannot handle more than X rules
running | Whether the Agent is considered active or not (possible values are yes or no). Default behavior is yes
ids | List of Intrusion Detection Systems in place, from which the Agent reads the data
ids.active | true or false, whether that specific integration is in use
ids.[*] | Dynamic configuration keys specific to each integration. Consult the Install Agent page for the details
ips | List of Intrusion Prevention Systems in place (firewalls), where the Agent should inject rules to prevent traffic
ips.active | true or false, whether that specific integration is in use
ips.[*] | Dynamic configuration keys specific to each integration. Consult the Install Agent page for the details
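The following is an added example, not the WCF Agent's own code: it applies score_threshold, maximum_rules, sync_time, running and the ips.*.active flags as described above, and adds two edit-time checks a practitioner would want (active integrations with empty credentials, and the host-executed command fields of active integrations). The sample configuration is constructed from the page's example; the (ip, score) list shape is an assumption, not the server's real format.

```python
"""Added example (not the WCF Agent's own code): apply the agent-level keys described above."""
import json

# Constructed sample trimmed from the page's example; checkpoint is switched on here
# (with its empty password) only to exercise the credential check.
AGENT_CONFIG = json.loads("""
{
  "gaid": "OFA-AGENT-ID-D6NmSW62hUZW",
  "score_threshold": 150,
  "sync_time": 1,
  "maximum_rules": 3,
  "running": "yes",
  "ips": {
    "iptables": {"active": true, "acl": "/opt/onefirewall/acl/ipset.txt",
                 "reload_command": "sudo ipset restore < /opt/onefirewall/acl/ipset.txt"},
    "checkpoint": {"active": true, "username": "admin", "password": "",
                   "address": "https://10.47.2.48"},
    "cisco": {"active": false, "cisco_host": "", "cisco_user": "", "cisco_password": ""}
  }
}
""")

CREDENTIAL_KEYS = ("password", "cisco_password", "secretAccessKey",
                   "cloudflare_x_auth_key", "private_key")

def select_rules(config, indicators):
    """Keep IPs scoring >= score_threshold, highest first, capped at maximum_rules
    so a firewall is never handed more rules than it can hold. indicators is a
    list of (ip, score) pairs; that shape is an assumption, not the server's format."""
    if config.get("running", "yes") != "yes":
        return []
    eligible = [(ip, s) for ip, s in indicators if s >= config["score_threshold"]]
    eligible.sort(key=lambda pair: pair[1], reverse=True)
    return [ip for ip, _ in eligible[: config["maximum_rules"]]]

def is_alive(config, minutes_since_last_sync):
    """The agent counts as alive if it checked in within sync_time minutes."""
    return minutes_since_last_sync <= config["sync_time"]

def active_ips_without_credentials(config):
    """Active integrations whose credential fields are still empty strings;
    they will fail at push time, so flag them when the JSON is edited."""
    return [name for name, ips in config["ips"].items()
            if ips.get("active") and any(ips.get(k) == "" for k in CREDENTIAL_KEYS)]

def host_commands(config):
    """Shell commands the agent host runs for active integrations. Whoever can
    edit this panel can change them, so review edits like shell access."""
    return {f"{name}.{k}": ips[k] for name, ips in config["ips"].items()
            if ips.get("active") for k in ("command", "reload_command") if k in ips}
```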