# Forcepoint NGFW Logic Apps Custom Connectors and playbook templates

## Table of Contents
- Overview
- Deploy 2 Custom Connectors + 6 Playbook templates
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
- References
- Limitations
## Overview
Forcepoint Next Generation Firewall (NGFW) connects and protects people and the data they use throughout the enterprise network – all with the greatest efficiency, availability and security.
## Deploy 2 Custom Connectors + 6 Playbook templates
This package includes:
- Two Custom connectors for ForcepointNGFW.
- Six playbook templates that leverage the ForcepointNGFW custom connectors.
You can choose to deploy the whole package (two connectors + all six playbook templates), or deploy each one separately from its specific folder.
ForcepointNGFW documentation
## Authentication
No Authentication
## Prerequisites for using and deploying 2 Custom Connectors + 6 playbooks
- Forcepoint SMC API Key should be known. Refer here
- Forcepoint SMC Version number should be known. Refer here
- Forcepoint SMC service endpoint should be known (e.g. https://{forcepointdomain:PortNumber}/).
- Forcepoint FUID service endpoint should be known (e.g. https://{forcepointdomain:PortNumber}/).
- IP address list name for blocking IP address present in SMC should be known.
- URL list name for blocking URLs present in SMC should be known.
- Users must have access to Microsoft Teams and they should be a part of a Teams channel and also Power Automate app should be installed in the Microsoft Teams channel.
## Deployment instructions
- Deploy the Custom Connectors and playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying custom connector and playbooks
| Parameter | Description |
|---|---|
| **For Playbooks** | |
| Block IP Response On Teams PlaybookName | Enter the Block IP Response On Teams Playbook Name here without spaces. |
| Block IP By Username PlaybookName | Enter the Block IP By Username Playbook Name here without spaces. |
| Block IP PlaybookName | Enter the Block IP Playbook Name here without spaces. |
| Block URL PlaybookName | Enter the Block URL Playbook Name here without spaces. |
| Enrichment IP PlaybookName | Enter the Enrichment IP Playbook Name here without spaces. |
| Enrichment URL PlaybookName | Enter the Enrichment URL Playbook Name here without spaces. |
| Forcepoint SMC Api Key | Enter the SMC API Key. |
| SMC Version Number | Enter the version number of SMC. |
| IP List Name | Enter IP List Name. |
| URL List Name | Enter URL List Name. |
| **For Custom Connectors** | |
| Service EndPoint FUID Connector | Enter the Forcepoint FUID Service End Point. |
| SMC Connector name | Enter the name of your Forcepoint SMC Connector without spaces. |
| Service EndPoint SMC Connector | Enter the Forcepoint SMC Service End Point. |
## Post-Deployment Instructions
### a. Authorize API connections
- Once deployment is complete, go under deployment details and authorize the Teams connection.
- Click the Teams connection resource
- Click Edit API connection
- Click Authorize
- Sign in
- Click Save
- In Logic App designer, go to the "Post an adaptive card to teams channel" action and select your Teams name and Channel name from the dropdown.
- In Logic App designer again, go to the "Post adaptive card in a chat or channel" action and select your Teams name, Channel name, and "Flow bot" for the "Post as" parameter from the dropdown.
### b. Configurations in Sentinel
- In Azure Sentinel, analytics rules should be configured to trigger an incident with the risky IP address or URL.
- Configure the automation rules to trigger the playbooks.
## Reference to the playbook templates and the connectors
Connector
Playbooks
- ResponseOnTeamsBlockIP-ForcepointNGFW
- BlockIPbyUsername-ForcepointNGFW
- BlockIP-ForcepointNGFW
- BlockURL-ForcepointNGFW
- Enrichment-IP-ForcepointNGFW
- Enrichment-URL-ForcepointNGFW
## Known Issues and Limitations
- The Teams connection must be authorized manually after deploying the playbooks.