1.1 Virtual Machine Specifications

1.2 Network Requirements

1. Prerequisites

2. Install Docker & Docker Compose

3. Prepare Your Deployment Directory

4. Create docker-compose.yml

5. Launch the Agent

6. Verify Operation

How to install and run World Crime Feeds (WCF) by OneFirewall

WCF Installation

OneFirewall Documentation

Welcome to the documentation portal of OneFirewall Alliance

OneFirewall Alliance Documentation

OneFirewall Coins

Proof of Value

Virtual Private Server

Threat Intelligence

Integrations

OneFirewall Mobile

Active, reliable sources of blocklists are essential for threat intelligence, offering real-time data on malicious IPs, domains, URLs, and files. Updating and verifying these sources ensures proactive threat mitigation and enhances organizational resilience against evolving threats

Reliable Sources in Threat Intelligence

Enterprise-Grade Reliability

Release: v2025-01-10

Sizing Requirements

A High-Level Design (HLD) architecture of a OneFirewall (White-label)

High Level Design

OneFirewall: Cloud-Native Solution with Automated Deployment via GitLab and Canary Strategy

Automated Deployment

How we stopped 35.000 attacks daily - The Tactical Advantage of Threat Intelligence: A Case Study with OneFirewall

35.000 attacks daily

Integrating HAProxy Logs with OneFirewall Using Fluent Bit

HAProxy with Fluent Bit

Checkpoint Secure XL

ClosedVPN

Research and Development projects within OneFirewall

R&D Projects

Guide to integrate and utilize OneFirewall's NetFlow Security Analysis API

NetFlow Security

Introduction

Authorization

OpenAPI 3.0

You can call the API `/api/v1/ips` in order to receive an array of the latest IPv4 feeds collected at the OneFirewall Data lake.

Latest IPv4

This API is similar with the `IP addresses [FLAT]` however have some advantages and disadvantages in respect:

##### Advantages

1. Real time calculation of the OneFirewall Crime Score
2. Equipped with the new (v3.2) Scoring algorithm
3. Can be integrated into directly Fortigate, Checkpoint, etc..

##### Disadvantages

1. Use pagination (therefore you have to call multiple times the IP if the list is bigger than 10000)
2. Is relatively 6x slower than `IP addresses [FLAT]`

Live IPv4

You can call the API `/api/v1/ips/<IPv4>` in order to receive information for the IPv4 feeds in request if is presented at the OneFirewall Data lake. This API is useful when you want to verify if OneFirewall have an information for the actor in request.

One IPv4

If you need a simple list (example CSV) to retrieve all the IPv4 feeds based on their score, you can use the below API

Pre-compiled IPv4

Post information about threat intelligence in relation to a IPv4

Report IPv4

Domains by Score

Retrieve the latest malicious domains recorded

Domains by TS

This API is used to change / overwrite the decision based on score, in other words setting manually a IoC in whitelist or blacklist.

Overwrite Decision

Enable users to report domains suspected of serving malware, viruses, or trojans.

Report Domain

Retrieve metadata for over a million known malicious domains.

Scan Domain

URLs by Score

Retrieve the latest malicious url recorded

URLs by TS

Enable users to report url suspected of serving malware, viruses, or trojans.

Report URL

Retrieve metadata for over a million known malicious feeds.

Scan URL

Files by Score

Files by TS

Report Digest

Files

STIX2 (Structured Threat Information eXpression version 2) is a standardized language for representing cyber threat intelligence (CTI) that enables the sharing of threat intelligence across organizations and security tools. It is important to Threat Intel because it allows security professionals to more easily and effectively analyze and respond to cyber threats, improving their overall threat intelligence capabilities.
At OneFirewall, our mission is to deliver a trustworthy and effective cybersecurity platform that safeguards against cyber attacks. To accomplish this goal, we leverage STIX2 structured information to proactively identify and block malicious actors. We also empower our users with access to this critical threat intelligence data, enabling them to enhance their own cybersecurity defenses.

STIX2.0

Use this method to get an array of active VPN for your organization

Get all

Create

Get Information and Installation instruction of a given VPN License ID

Get VPN ID

Delete VPN ID

The end point is used to retreive a list of WCF Agent installed, along with configuration presented and how each WCF Agent is performing

Get WCF Installation

Delete Agent from the DB (this does not make the agent to stop working, you must disable the running before deleting)

Delete an Agent

End-point to submit changes to the WCF Agent, the configuration set it here, will be saved into the DB and will be retreived from the WCF Installed agent, next time is synced

Handle WCF Configuration

OneFirewall revertive each file flagged as malware and associates it with a specific file type (when possible), or more precisely, a MIME type. Currently, OneFirewall only accepts file types from a predetermined list provided by this API.

File types

The \`/version\` API endpoint is primarily used to verify the operational status of the API service. When accessed, it responds with basic information indicating the current version of the API, along with a confirmation that the service is active and available. This endpoint typically does not require authentication and serves as a straightforward health check to ensure that the API is up and running correctly.

Health Check

You can call the API `/api/v1/info/<IPv4>` in order to receive GeoIP information for the IPv4. This API is useful when you want to verify public data in regards to the GeoIP of any IPv4

IP Metadata

To retrieve a list of well-known Content Delivery Network (CDN) providers along with their respective edge IP addresses, you can utilize the `/api/v1/info/cdn/list` endpoint. The data provided by this API is generally static, yet the R&D team at OneFirewall periodically updates it. It’s worth noting that CDN providers frequently acquire new IP addresses, making it impossible to guarantee that the following list is exhaustive at any given moment.

List of CDNs

You can call the API `/api/v1/info/domain/<domani_name>` in order to receive an array IPs resolved for the Domain name.

Direction	Protocol / Port	Purpose
Inbound	UDP 514	Receive syslog events from your SIEM
Inbound	TCP 443 (HTTPS)	Serve threat feeds to firewalls
Outbound	TCP 443 → OneFirewall	Sync config & retrieve instructions
Outbound	TCP 443 → Firewalls	Push automated-blocking commands (optional)

Get Started

Essentials

Releases

Case Studies

WCF Agent

Products

WCF Installation

1. Prerequisites

1.1 Virtual Machine Specifications

1.2 Network Requirements

2. Install Docker & Docker Compose

3. Prepare Your Deployment Directory

4. Create docker-compose.yml

5. Launch the Agent

6. Verify Operation

Get Started

Essentials

Releases

Case Studies

WCF Agent

Products

​1. Prerequisites

​1.1 Virtual Machine Specifications

​1.2 Network Requirements

​2. Install Docker & Docker Compose

​3. Prepare Your Deployment Directory

​4. Create docker-compose.yml

​5. Launch the Agent

​6. Verify Operation

1. Prerequisites

1.1 Virtual Machine Specifications

1.2 Network Requirements

2. Install Docker & Docker Compose

3. Prepare Your Deployment Directory

4. Create docker-compose.yml

5. Launch the Agent

6. Verify Operation