
Barracuda CloudGen Firewall

Overview

Barracuda CloudGen Firewall offers a comprehensive set of next-generation firewall technologies to ensure real-time network protection against a broad range of network threats, vulnerabilities, and exploits, including SQL injections, cross-site scripting, denial of service attacks, trojans, viruses, worms, spyware, and many more.

Barracuda CloudGen Firewall is available for use in:

  • D3 SOAR: V15.1.34.0+

  • Category: Network Security

  • Deployment Options: Option I, Option III

Connection

To connect to Barracuda CloudGen Firewall from D3 SOAR, collect the following information:

| Parameter | Description | Example |
|---|---|---|
| Server URL | The server URL of your Barracuda CloudGen Firewall instance. | https://19*.*******.145 |
| API Token | The API token to authenticate the connection. | GArt************************wYYv |
| API Version | The API version to use for the connection. | v1 |

Permission Requirements

Each endpoint in the Barracuda Firewall API requires a certain permission scope. All commands in this integration require the "Root" permission or the "Manager" role to run in D3 SOAR.

As Barracuda Firewall uses role-based access control (RBAC), the API access token is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the Barracuda Firewall console for each command in this integration.

Reader Note

Barracuda Firewall’s default user profiles (sorted from the most permissions to the least) are as follows:

  • Root

  • Manager

  • Operator

  • Mail

  • Security

  • Audit

  • Cleanup

For authentication against the REST API, a user with the respective permissions must be present either on the Control Center for centrally managed firewalls or on the firewall itself for stand-alone firewalls. In both cases, the user must have the Manager role assigned.

Please refer to Administrative Role Permission and restrictions and Create an Administrator Profile for details on configuring user profiles.

Configuring Barracuda CloudGen Firewall to Work with D3 SOAR

  1. Log in to the Barracuda Firewall Admin console with your credentials.

  2. Navigate to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > REST API Service. Enable the HTTPS Interface.

  3. Select the Access Tokens tab from the left side menu. Click + under Access Tokens.

  4. Enter a name for the token and click OK. The Access Tokens window will open. Click Generate new token.

  5. Enter the admin name for the user used for authentication. In the Time to live field, enter the number of days the token should be valid for, then click OK.

  6. Copy the access token. It will be required to build the integration connection in D3 SOAR.

Reader Note

For more information on Barracuda CloudGen Firewall's API, including how to enable it for HTTP, enable it for HTTPS, and authentication, see REST API | Barracuda Campus.

Configuring D3 SOAR to Work with Barracuda CloudGen Firewall

  1. Log in to D3 SOAR.

  2. Find the Barracuda CloudGen Firewall integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Barracuda CloudGen Firewall in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Barracuda CloudGen Firewall.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Input your domain level Server URL.
      2. Input your API Token.
      3. Input your API Version. The default value is v1.

    9. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Barracuda CloudGen Firewall includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Barracuda CloudGen Firewall API, please refer to the Barracuda CloudGen Firewall API reference.

Reader Note

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Barracuda CloudGen Firewall to Work with D3 SOAR for details.

Add IPs To Blocklist

Adds IP addresses to the IP blacklist. Note: To block the entered IPs, a network object (block list) must be created, and an access control policy must be added to prevent access from the IPs in the block list. The Create IP Block Rule command can be used to create an IP block list and the corresponding access rule. Once the block list and access rule have been created, adding or removing IPs to or from the block list can be done as needed without the need to recreate the list or rule again.

Reader Note

The parameter Blocklist Name is required to run this command.

  • Run the List Forwarding Firewall Rules command to obtain Blocklist Names. Blocklist Names can be found from the returned raw data at the path $.name.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Blocklist Name | Required | The name of the blocklist to add IPs to. Blocklist names can be obtained using the List Forwarding Firewall Rules command. | BlockList1 |
| IPs | Required | The IP addresses to add to the blocklist. You can enter any valid IPv4 or IPv6 addresses, or CIDR address ranges. | [ "1.1.1.1", "2.2.2.2" ] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "included": [
        {
            "entry": {
                "ip": "1.1.1.1"
            }
        },
        {
            "entry": {
                "ip": "2.2.2.2"
            }
        }
    ],
    "excluded": [],
    "name": "BlockList1",
    "type": "generic",
    "shared": false,
    "dynamic": false
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "BlocklistName": "\"BlockList1\"",
    "IPs": "\"[ \\\"1.1.1.1\\\", \\\"2.2.2.2\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
ENTRY
{'ip': '1.1.1.1'}
{'ip': '2.2.2.2'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add IPs To Blocklist failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Network object not found. |

Error Sample Data

Add IPs To Blocklist failed.

Status Code: 404.

Message: Network object not found.

Block URLs

Creates an access rule to block URLs.

Reader Note

When URL domains are entered to be blocked, a new forward-firewall rule is generated with the same name as the URL.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| URLs | Required | The URL domains to block (e.g. phishing.sample.com). | ["phishing.sample.com"] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "source": {
            "references": "Any"
        },
        "destination": {
            "references": "xmr.pool.minergate.com"
        },
        "service": {
            "references": "Any"
        },
        "policies": {
            "application": {
                "applicationControl": false,
                "sslInspection": false,
                "urlFilter": false,
                "virusScan": false,
                "atp": false,
                "fileContentScan": false,
                "archiveContentScan": false,
                "mailDnsblCheck": false,
                "linkProtection": false,
                "safeSearch": false,
                "googleAccounts": false
            },
            "sslInspectionPolicy": {
                "type": "default"
            },
            "schedule": {
                "type": "always"
            },
            "ips": "Default"
        },
        "action": {
            "type": "block"
        },
        "name": "xmr-pool-minergate-com",
        "deactivated": false,
        "dynamic": false,
        "ipVersion": "IPv4"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AccessRuleNames": "\"[\\\"phishing-sample-com\\\"]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| SOURCE | DESTINATION | SERVICE | POLICIES | ACTION | NAME | DEACTIVATED | DYNAMIC | IPVERSION |
|---|---|---|---|---|---|---|---|---|
| {'references': 'Any'} | {'references': 'xmr.pool.minergate.com'} | {'references': 'Any'} | {'application': {'applicationControl': False, 'sslInspection': False, 'urlFilter': False, 'virusScan': False, 'atp': False, 'fileContentScan': False, 'archiveContentScan': False, 'mailDnsblCheck': False, 'linkProtection': False, 'safeSearch': False, 'googleAccounts': False}, 'sslInspectionPolicy': {'type': 'default'}, 'schedule': {'type': 'always'}, 'ips': 'Default'} | {'type': 'block'} | xmr-pool-minergate-com | False | False | IPv4 |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Block URLs failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 409. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Rule with this name already exists. |

Error Sample Data

Block URLs failed.

Status Code: 409.

Message: Rule with this name already exists.
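
A pre-flight check for the URLs input, as an added example (not part of the D3 or Barracuda documentation): it predicts the rule name for each domain so that a 409 "Rule with this name already exists" can be caught before Block URLs runs. The dot-to-hyphen naming is inferred from the samples on this page, the existing rule names are assumed to come from List Forwarding Firewall Rules, and the inputs below are constructed.

```python
from urllib.parse import urlsplit

# Constructed inputs: what an analyst or upstream task might hand to Block URLs.
SAMPLE_VALUES = [
    "phishing.sample.com",
    "https://Phishing.Sample.com/login",   # same domain, pasted as a full URL
    "xmr.pool.minergate.com",              # rule already present (see EXISTING_RULES)
    "a-b.example.com",
    "a.b.example.com",                     # different domain, same predicted rule name
    "intranet",                            # not a domain
]
# Constructed: rule names as they would appear at $.name in the rule listing.
EXISTING_RULES = ["xmr-pool-minergate-com"]


def to_domain(value):
    """Reduce a URL or host string to the bare lower-case domain."""
    text = value.strip()
    host = urlsplit(text if "//" in text else "//" + text).hostname
    if not host or "." not in host:
        raise ValueError(f"no domain found in {value!r}")
    return host.rstrip(".").lower()


def rule_name_for(domain):
    """Predicted rule name. Assumption inferred from this page's samples,
    where phishing.sample.com yields the rule phishing-sample-com."""
    return domain.replace(".", "-")


def plan_block_urls(values, existing_rule_names):
    """Return (domains safe to submit, {input: reason it was held back})."""
    existing = set(existing_rule_names)
    planned = {}                # predicted rule name -> domain that owns it
    to_submit, skipped = [], {}
    for value in values:
        try:
            domain = to_domain(value)
        except ValueError as exc:
            skipped[value] = str(exc)
            continue
        name = rule_name_for(domain)
        if name in existing:
            skipped[value] = f"rule {name} already exists (would return 409)"
        elif name in planned:
            # An exact repeat of a planned domain is dropped silently; a
            # different domain mapping to the same name needs a human decision.
            if planned[name] != domain:
                skipped[value] = f"rule name {name} collides with {planned[name]}"
        else:
            planned[name] = domain
            to_submit.append(domain)
    return to_submit, skipped


if __name__ == "__main__":
    submit, skipped = plan_block_urls(SAMPLE_VALUES, EXISTING_RULES)
    print("submit :", submit)
    for value, reason in skipped.items():
        print("skipped:", value, "->", reason)
```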

Create Access Rule For Blocklist

Creates an access rule to block IPs in the blocklists, and positions the rule at the top.

Reader Note

The parameter Blocklist Name is required to run this command.

  • Run the List Forwarding Firewall Rules command to obtain Blocklist Names. Blocklist Names can be found from the returned raw data at the path $.name.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Blocklist Name | Required | The name of the IP blocklist to apply to the access rule. Blocklist names can be obtained using the List Forwarding Firewall Rules command. | BlockList2 |
| Block Direction | Required | The block direction of the access rule. The available options are Inbound, Outbound and bi-direction. The default value is bi-direction (i.e., inbound and outbound). | Inbound |
| IP Version | Required | The version of the IP access rule. | IPv4 |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "source": {
            "references": "BlockList2"
        },
        "destination": {
            "references": "Any"
        },
        "service": {
            "references": "Any"
        },
        "policies": {
            "application": {
                "applicationControl": false,
                "sslInspection": false,
                "urlFilter": false,
                "virusScan": false,
                "atp": false,
                "fileContentScan": false,
                "archiveContentScan": false,
                "mailDnsblCheck": false,
                "linkProtection": false,
                "safeSearch": false,
                "googleAccounts": false
            },
            "sslInspectionPolicy": {
                "type": "default"
            },
            "schedule": {
                "type": "always"
            },
            "ips": "Default"
        },
        "action": {
            "type": "block"
        },
        "name": "BlockList",
        "deactivated": false,
        "dynamic": false,
        "ipVersion": "IPv4"
    },
    {
        "source": {
            "references": "Any"
        },
        "destination": {
            "references": "BlockList2"
        },
        "service": {
            "references": "Any"
        },
        "policies": {
            "application": {
                "applicationControl": false,
                "sslInspection": false,
                "urlFilter": false,
                "virusScan": false,
                "atp": false,
                "fileContentScan": false,
                "archiveContentScan": false,
                "mailDnsblCheck": false,
                "linkProtection": false,
                "safeSearch": false,
                "googleAccounts": false
            },
            "sslInspectionPolicy": {
                "type": "default"
            },
            "schedule": {
                "type": "always"
            },
            "ips": "Default"
        },
        "action": {
            "type": "block"
        },
        "name": "BlockList",
        "deactivated": false,
        "dynamic": false,
        "ipVersion": "IPv4"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AccessRuleNames": "\"BlockList\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| SOURCE | DESTINATION | SERVICE | POLICIES | ACTION | NAME | DEACTIVATED | DYNAMIC | IPVERSION |
|---|---|---|---|---|---|---|---|---|
| {'references': 'BlockList2'} | {'references': 'Any'} | {'references': 'Any'} | {'application': {'applicationControl': False, 'sslInspection': False, 'urlFilter': False, 'virusScan': False, 'atp': False, 'fileContentScan': False, 'archiveContentScan': False, 'mailDnsblCheck': False, 'linkProtection': False, 'safeSearch': False, 'googleAccounts': False}, 'sslInspectionPolicy': {'type': 'default'}, 'schedule': {'type': 'always'}, 'ips': 'Default'} | {'type': 'block'} | BlockList | False | False | IPv4 |
| {'references': 'Any'} | {'references': 'BlockList2'} | {'references': 'Any'} | {'application': {'applicationControl': False, 'sslInspection': False, 'urlFilter': False, 'virusScan': False, 'atp': False, 'fileContentScan': False, 'archiveContentScan': False, 'mailDnsblCheck': False, 'linkProtection': False, 'safeSearch': False, 'googleAccounts': False}, 'sslInspectionPolicy': {'type': 'default'}, 'schedule': {'type': 'always'}, 'ips': 'Default'} | {'type': 'block'} | BlockList | False | False | IPv4 |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Access Rule For Blocklist failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Rule name contains invalid characters. |

Error Sample Data

Create Access Rule For Blocklist failed.

Status Code: 400.

Message: Rule name contains invalid characters.

Create Blocklist

Creates a blocklist object containing the IP blacklist. You only need to create a blocklist.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Blocklist Name | Required | The name of the IP block list. | BlockList2 |
| IPs | Required | The IP addresses to add to the blocklist. You can enter any valid IPv4 or IPv6 addresses, or CIDR address ranges. You must enter at least one IP address to create the block list. | [ "1.1.1.1" ] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "included": [
        {
            "entry": {
                "ip": "1.1.1.1"
            }
        }
    ],
    "excluded": [],
    "name": "BlockList2",
    "type": "generic",
    "shared": false,
    "dynamic": false
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "BlocklistName": "\"BlockList2\"",
    "IPs": "\"[ \\\"1.1.1.1\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
ENTRY
{'ip': '1.1.1.1'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Blocklist failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid IPV6 address. |

Error Sample Data

Create Blocklist failed.

Status Code: 400.

Message: Invalid IPV6 address.

Create IP Block Rule

Creates a blocklist object containing the IP blacklist and creates an access rule to block traffic from those IPs.

Reader Note

The parameter Blocklist Name is required to run this command.

  • Run the List Forwarding Firewall Rules command to obtain Blocklist Names. Blocklist Names can be found from the returned raw data at the path $.name.

This command only allows you to create a new blocklist and specify the IP addresses to be blocked. It is not possible to add IP addresses to an existing blocklist using this command. To do this, you may use the Add IPs To Blocklist command instead.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Blocklist Name | Required | The name of the IP blocklist to use for the block rule. Blocklist names can be obtained using the List Forwarding Firewall Rules command. | BlockList2 |
| IPs | Required | The IP addresses to add to the blocklist. You can enter any valid IPv4 or IPv6 addresses, or CIDR address ranges. You must enter at least one IP address to create the block list. | [ "1.1.1.1" ] |
| Block Direction | Required | The block direction of the access rule. The available options are Inbound, Outbound and bi-direction. The default value is bi-direction (i.e., inbound and outbound). | Inbound |
| IP Version | Required | The version of the IP access rule (i.e., IPv4 or IPv6). The default value is IPv4. | IPv4 |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "source": {
            "references": "BlockList2"
        },
        "destination": {
            "references": "Any"
        },
        "service": {
            "references": "Any"
        },
        "policies": {
            "application": {
                "applicationControl": false,
                "sslInspection": false,
                "urlFilter": false,
                "virusScan": false,
                "atp": false,
                "fileContentScan": false,
                "archiveContentScan": false,
                "mailDnsblCheck": false,
                "linkProtection": false,
                "safeSearch": false,
                "googleAccounts": false
            },
            "sslInspectionPolicy": {
                "type": "default"
            },
            "schedule": {
                "type": "always"
            },
            "ips": "Default"
        },
        "action": {
            "type": "block"
        },
        "name": "BlockList",
        "deactivated": false,
        "dynamic": false,
        "ipVersion": "IPv4"
    },
    {
        "source": {
            "references": "Any"
        },
        "destination": {
            "references": "BlockList2"
        },
        "service": {
            "references": "Any"
        },
        "policies": {
            "application": {
                "applicationControl": false,
                "sslInspection": false,
                "urlFilter": false,
                "virusScan": false,
                "atp": false,
                "fileContentScan": false,
                "archiveContentScan": false,
                "mailDnsblCheck": false,
                "linkProtection": false,
                "safeSearch": false,
                "googleAccounts": false
            },
            "sslInspectionPolicy": {
                "type": "default"
            },
            "schedule": {
                "type": "always"
            },
            "ips": "Default"
        },
        "action": {
            "type": "block"
        },
        "name": "BlockList",
        "deactivated": false,
        "dynamic": false,
        "ipVersion": "IPv4"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AccessRuleNames": "\"BlockList2\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| SOURCE | DESTINATION | SERVICE | POLICIES | ACTION | NAME | DEACTIVATED | DYNAMIC | IPVERSION |
|---|---|---|---|---|---|---|---|---|
| {'references': 'BlockList2'} | {'references': 'Any'} | {'references': 'Any'} | {'application': {'applicationControl': False, 'sslInspection': False, 'urlFilter': False, 'virusScan': False, 'atp': False, 'fileContentScan': False, 'archiveContentScan': False, 'mailDnsblCheck': False, 'linkProtection': False, 'safeSearch': False, 'googleAccounts': False}, 'sslInspectionPolicy': {'type': 'default'}, 'schedule': {'type': 'always'}, 'ips': 'Default'} | {'type': 'block'} | BlockList | False | False | IPv4 |
| {'references': 'Any'} | {'references': 'BlockList2'} | {'references': 'Any'} | {'application': {'applicationControl': False, 'sslInspection': False, 'urlFilter': False, 'virusScan': False, 'atp': False, 'fileContentScan': False, 'archiveContentScan': False, 'mailDnsblCheck': False, 'linkProtection': False, 'safeSearch': False, 'googleAccounts': False}, 'sslInspectionPolicy': {'type': 'default'}, 'schedule': {'type': 'always'}, 'ips': 'Default'} | {'type': 'block'} | BlockList | False | False | IPv4 |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create IP Block Rule failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Network object not found. |

Error Sample Data

Create IP Block Rule failed.

Status Code: 404.

Message: Network object not found.

Get Blocklist IPs

Retrieves blocked IPs from the blocklist.

Reader Note

The parameter Blocklist Name is required to run this command.

  • Run the List Forwarding Firewall Rules command to obtain Blocklist Names. Blocklist Names can be found from the returned raw data at the path $.name.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Blocklist Name | Required | The name of the IP blocklist to retrieve IPs from. Blocklist names can be obtained using the List Forwarding Firewall Rules command. | BlockList1 |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "included": [
        {
            "entry": {
                "ip": "1.1.1.1"
            }
        },
        {
            "entry": {
                "ip": "2:2:2:2b::1"
            }
        },
        {
            "entry": {
                "ip": "3.3.3.0/3"
            }
        }
    ],
    "excluded": [],
    "name": "BlockList1",
    "type": "generic",
    "shared": false,
    "dynamic": false
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "BlocklistName": "\"BlockList1\"",
    "IPs": "\"[ \\\"1.1.1.1\\\",\\\"2:2:2:2b::1\\\", \\\"3.3.3.0/3\\\"  ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
ENTRY
{'ip': '1.1.1.1'}
{'ip': '2:2:2:2b::1'}
{'ip': '3.3.3.0/3'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Blocklist IPs failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Network object not found. |

Error Sample Data

Get Blocklist IPs failed.

Status Code: 404.

Message: Network object not found.

List Forwarding Firewall Rules

Retrieves all forwarding firewall rules.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "rules": [
        {
            "source": {
                "references": "Any"
            },
            "destination": {
                "references": "BlockList2"
            },
            "service": {
                "references": "Any"
            },
            "policies": {
                "application": {
                    "applicationControl": false,
                    "sslInspection": false,
                    "urlFilter": false,
                    "virusScan": false,
                    "atp": false,
                    "fileContentScan": false,
                    "archiveContentScan": false,
                    "mailDnsblCheck": false,
                    "linkProtection": false,
                    "safeSearch": false,
                    "googleAccounts": false
                },
                "sslInspectionPolicy": {
                    "type": "default"
                },
                "schedule": {
                    "type": "always"
                },
                "ips": "Default"
            },
            "action": {
                "type": "block"
            },
            "name": "BlockList",
            "deactivated": false,
            "dynamic": false,
            "ipVersion": "IPv4"
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RuleNames": "\"BlockList\"",
    "Actions": "\"[ \\\"block\\\"  ]\"",
    "Deactivated": "\"[ false  ]\""
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| SOURCE | DESTINATION | SERVICE | POLICIES | ACTION | NAME | DEACTIVATED | DYNAMIC | IPVERSION |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| {'references': 'Any'} | {'references': 'BlockList2'} | {'references': 'Any'} | {'application': {'applicationControl': False, 'sslInspection': False, 'urlFilter': False, 'virusScan': False, 'atp': False, 'fileContentScan': False, 'archiveContentScan': False, 'mailDnsblCheck': False, 'linkProtection': False, 'safeSearch': False, 'googleAccounts': False}, 'sslInspectionPolicy': {'type': 'default'}, 'schedule': {'type': 'always'}, 'ips': 'Default'} | {'type': 'block'} | BlockList | False | False | IPv4 |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Forwarding Firewall Rules failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection timeout. |

Error Sample Data

List Forwarding Firewall Rules failed.

Status Code: 403.

Message: Connection timeout.

Remove IPs From Blocklist

Removes IP addresses from the IP blacklist. Note: To unblock the entered IPs, a network object (block list) must be created, and an access control policy must be added to prevent access from the IPs in the block list. You can use the Create Block List command to create an IP block list, and the Create Access Rule For Block List command to create the access rule. Once the block list and access rule have been created, adding or removing IPs to or from the block list can be done as needed without the need to recreate the list or rule again.

Reader Note

The parameters Blocklist Name and IPs are required to run this command.

  • Run the List Forwarding Firewall Rules command to obtain Blocklist Names. Blocklist Names can be found from the returned raw data at the path $.name.

  • Run the Get Blocklist IPs command to obtain IPs. IPs can be found from the returned raw data at the path $.included[*].entry.ip.

  • The input IPs must be on the specified blocklist. It is recommended to use the List Forwarding Firewall Rules to obtain the desired blocklist, and use the blocklist name to run the Get Blocklist IPs command. Finally, use the resulting pairs to run this command.
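The pre-check recommended in the Reader Note above, as an added example that is not D3's or Barracuda's own code: it unwraps the doubly encoded Key Fields from Get Blocklist IPs and sorts a requested removal list into entries that are on the blocklist, entries that are not, and entries that are not valid addresses or CIDR ranges. The function names are hypothetical, the sample data is constructed from the samples on this page, and matching on the normalised address rather than the literal string is an assumption.

```python
import ipaddress
import json

# Constructed sample: Key Fields and Raw Data in the shape shown on this page
# for Get Blocklist IPs. Key Fields values are JSON strings that wrap JSON.
KEY_FIELDS_JSON = r'''{
    "BlocklistName": "\"BlockList1\"",
    "IPs": "\"[ \\\"1.1.1.1\\\",\\\"2:2:2:2b::1\\\", \\\"3.3.3.0/3\\\"  ]\""
}'''
RAW_DATA = {
    "included": [{"entry": {"ip": "1.1.1.1"}},
                 {"entry": {"ip": "2:2:2:2b::1"}},
                 {"entry": {"ip": "3.3.3.0/3"}}],
    "excluded": [], "name": "BlockList1",
}


def decode_key_field(value):
    """Unwrap a Key Fields value: keep JSON-decoding while it is still a string."""
    while isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            break  # plain text left over, e.g. BlockList1
    return value


def canonical(text):
    """Normalise an address or CIDR entry; raises ValueError if it is neither."""
    return ipaddress.ip_interface(text.strip())


def plan_removal(raw_data, requested):
    """Sort requested entries into remove / not_on_list / invalid (hypothetical helper)."""
    stored = {}
    for item in raw_data.get("included", []):
        ip = item["entry"]["ip"]
        try:
            stored[canonical(ip)] = ip  # keep the spelling the firewall returned
        except ValueError:
            continue  # skip list entries that do not parse as an address
    plan = {"remove": [], "not_on_list": [], "invalid": []}
    for entry in requested:
        try:
            key = canonical(entry)
        except ValueError:
            plan["invalid"].append(entry)
            continue
        if key in stored:
            plan["remove"].append(stored[key])
        else:
            plan["not_on_list"].append(entry)
    return plan


if __name__ == "__main__":
    fields = json.loads(KEY_FIELDS_JSON)
    print(decode_key_field(fields["BlocklistName"]), decode_key_field(fields["IPs"]))
    print(plan_removal(RAW_DATA, ["1.1.1.1/32", "2:2:2:2B::1", "2.2.2.2", "not-an-ip"]))
```

Passing only the `remove` list to the command avoids the Partially Successful state caused by entries that are not on the blocklist.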

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Blocklist Name | Required | The name of the IP blocklist to remove IPs from. Blocklist names can be obtained using the List Forwarding Firewall Rules command. | BlockList1 |
| IPs | Required | The IP addresses to remove from the blocklist. You can enter any valid IPv4 or IPv6 addresses, or CIDR address ranges. You can obtain a list of currently blocked IPs using the Get Blocklist IPs command. | [ "1.1.1.1", "2.2.2.2" ] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "included": [
        {
            "entry": {
                "ip": "1.1.1.1"
            }
        },
        {
            "entry": {
                "ip": "2:2:2:2b::1"
            }
        },
        {
            "entry": {
                "ip": "3.3.3.0/3"
            }
        }
    ],
    "excluded": [],
    "name": "BlockList1",
    "type": "generic",
    "shared": false,
    "dynamic": false
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "BlocklistName": "\"BlockList1\"",
    "IPs": "\"[ \\\"1.1.1.1\\\", \\\"2:2:2:2b::1\\\", \\\"3.3.3.0/3\\\" ]\""
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
ENTRY
{'ip': '1.1.1.1'}
{'ip': '2:2:2:2b::1'}
{'ip': '3.3.3.0/3'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove IPs From Blocklist failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Network object not found. |

Error Sample Data

Remove IPs From Blocklist failed.

Status Code: 404.

Message: Network object not found.

Unblock URLs

Unblocks URL(s) from access rules.

Reader Note

The input parameter URLs is required to run this command.

  • Run the List Forwarding Firewall Rules command to obtain blocked URLs.

  • Ensure your input URLs are currently blocked by Barracuda CloudGen Firewall, otherwise an error message will be returned.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| URLs | Required | The URL domains to unblock (e.g. phishing.sample.com). Blocked URLs can be obtained using the List Forwarding Firewall Rules command. | ["phishing.sample.com"] |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "url": "xmr.pool.minergate.com",
        "Message": "Unblock URL successfully."
    }
]

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| URL | MESSAGE |
| --- | --- |
| xmr.pool.minergate.com | Unblock URL successfully. |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unblock URLs failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: URLs not found. |

Error Sample Data

Unblock URLs failed.

Status Code: 404.

Message: URLs not found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Barracuda CloudGen Firewall portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Token not found. |

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 404.

Message: Token not found.
