- Ingest security events from SIEMs (via syslog)
- Serve threat feeds to firewalls (FortiGate, pfSense, etc.)
- Serve threat-feed indicators for IPv4 addresses, domains, URLs and files/hashes as plain-text file lists (txt).
- Automate blocking of malicious activity

1. Prerequisites
1.1 Virtual Machine Specifications
- RAM: 8 GB (minimum 4 GB)
- vCPU: 4 cores (minimum 2 cores)
- Disk: 50 GB (minimum 20 GB)
1.2 Network Requirements
Direction | Protocol / Port | Purpose |
---|---|---|
Inbound | UDP 514 | Receive syslog events from your SIEM |
Inbound | TCP 443 (HTTPS) | Serve threat feeds to firewalls |
Inbound | TCP 8080 (HTTP) | Serve threat feeds to firewalls without SSL |
Outbound | TCP 443 → OneFirewall | Sync config & retrieve instructions |
Outbound | TCP 443 → Firewalls | Push automated-blocking commands (optional) |
2. Install Docker & Docker Compose
3. Prepare Your Deployment Directory
- Download the docker-compose.yml file for the ONE-F3D-Agent from https://app.onefirewall.com/install-agent.html, or from your on-premises installation (e.g., https://LOCAL_IP/install-agent.html).
- The docker-compose.yml file includes environment variables required for the ONE-F3D-Agent to interact with its components. Make sure the FIREWALL_PARSER variable (e.g., FIREWALL_PARSER: "fortigate_parser") matches the firewall log type sent by your SIEM.
- Save the docker-compose.yml file to the ~/one-f3d-agent directory.
4. Example docker-compose.yml
Contact the OneFirewall support team for access to download the binary images required by the ONE-F3D-Agent.
4.1 Example docker-compose.yml with SSL enabled
Prepare your TLS certs or use your own SSL certificate.
Example with Self-Signed Cert
Go to the one-f3d-agent folder (i.e. ~/one-f3d-agent)
5. Launch the Agent
- `docker compose up -d` runs containers in the background.
- `docker compose logs -f` streams the agent's output for troubleshooting.
6. Verify Operation
- Visit https://app.onefirewall.com/agent-status.html to see that the Agent is working and blocking malicious connections.
- Visit https://app.onefirewall.com/live.html to see the traffic captured in real time.
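
A local check of the inbound listeners from section 1.2, as an added example that is not part of the OneFirewall documentation or the agent's own tooling: the function reads `ss -H -lntu` output and prints every required protocol/port that has no listening socket. The function names and the sample socket table are constructed for illustration, and the check assumes the agent's published ports appear in the host's socket table.

```shell
#!/bin/sh
# Added example, not shipped with the ONE-F3D-Agent.
# missing_listeners PROTO/PORT... reads `ss -H -lntu` output on stdin and
# prints each required proto/port (e.g. udp/514) that has no listener.
missing_listeners() {
    awk -v required="$*" '
        {
            # Field 1 is the Netid (tcp/udp), field 5 is Local Address:Port.
            # The port is whatever follows the last colon, which also
            # handles IPv6 forms such as [::]:8080.
            n = split($5, a, ":")
            seen[$1 "/" a[n]] = 1
        }
        END {
            m = split(required, r, " ")
            for (i = 1; i <= m; i++)
                if (!(r[i] in seen)) print r[i]
        }'
}

# Constructed sample of `ss -H -lntu` output: syslog and HTTPS are up,
# the plain-HTTP feed port is not.
sample_ss() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:514        0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF
}

# On the agent VM, replace sample_ss with the live socket table:
#   ss -H -lntu | missing_listeners udp/514 tcp/443 tcp/8080
sample_ss | missing_listeners udp/514 tcp/443 tcp/8080
```

Pass only the ports your deployment is meant to expose; if feeds are served over HTTPS only, leave `tcp/8080` out of the list and treat a listener on it as unexpected.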