FireEye Integration With BlueCoat Proxy

This tutorial will assist you with integrating FireEye and BlueCoat a bit, by using a URL list populated by FireEye to use in the BlueCoat as another web filter. This filter can then be used in BlueCoat policy just like the BCWF, McAfee Smartfilter, etc…

FireEye Configurations:

Step 1 – Enable all FireEye WebMPS devices to populate their individual URL list.
The standalone WebMPS appliances will forward what they populate in their URL list to the CMS – and that is where we will configure BlueCoat to pull the list from.

FireEye Command Line Interface
 FireEye-WebMPS-1 > ena
 FireEye-WebMPS-1 # conf t
 FireEye-WebMPS-1(config) # swg scan enable
 FireEye-WebMPS-1(config) # swg scan period callback-url past 168 hours
 FireEye-WebMPS-1(config) # swg scan period malicious-url past 24 hours
 FireEye-WebMPS-1(config) # wr mem
 Saving configuration file ... Done!
 FireEye-WebMPS-1(config) #

If you have a CMS:
Having a CMS allows you to utilize the “cmc execute” command to push the same configuration to all CMS-managed devices. This is much faster than you logging into all of the devices separately. But if repetitive work is your thing, please feel free to jump back up to the CLI window above 😉

FireEye Command Line Interface
 FireEye-CMS-1 > ena
 FireEye-CMS-1 # conf t
 FireEye-CMS-1(config) # cmc execute group all command "swg scan enable"
 FireEye-CMS-1(config) # cmc execute group all command "swg scan period callback-url past 168 hours"
 FireEye-CMS-1(config) # cmc execute group all command "swg scan period malicious-url past 24 hours"
 FireEye-CMS-1(config) # cmc execute group all command "wr mem"
 Saving configuration file ... Done!
 FireEye-CMS-1(config) #

NOTE:
The max past timeframe for callback-url is 168 hours (1 week)
The max past timeframe for malicious-url is 24 hours (1 day)

Step 2 – Enable the CMS to populate the URL lists from all standalone FireEye appliances

FireEye Command Line Interface
 FireEye-CMS-1 > ena
 FireEye-CMS-1 # conf t
 FireEye-CMS-1(config) # swg scan enable
 FireEye-CMS-1(config) #

Step 3 – Check the URL list to see if it is populating (it should be otherwise you are doing something wrong)

Open a web browser to http://FireEye-IP-Address/urllist.txt
You should be presented with something similar to the below output

FireEye URL List – Populated in a syntax that BlueCoat can ingest

FireEye URL List on FireEye-CMS-1
 ;FireEye version: 2014-01-22 23:00:00.266830
 ;Creates regexs for any URLs with "=" in them
 ;Callbacks and malicious URLs are blocked, and are aged separately through variables in the configuration file
 ;Tested on Bluecoat SG210 series model 210-25 SGOS 6.1.2.1
 ;Tested on FireEye version 6.2
 ;FireEye condition definitions

define condition FireEye_Callbacks
 url.regex="http\://fenhelua\.com/cmd\?version=.*$"
 url=http://fedeploycheck.fireeye.com/appliance-test/alert.html
 url=http://fedeploycheck.fireeye.com/appliance-test/block.html
 End

define condition FireEye_MaliciousURL

End

;This policy layer matches the defined FireEye conditions and returns a content_filter_denied exception page

condition=FireEye_Callbacks exception(content_filter_denied)
 condition=FireEye_MaliciousURL exception(content_filter_denied)

;This section rewrites the access log entry to a FireEye category name.

condition=FireEye_Callbacks log.rewrite."cs-categories"[main]("FireEye Callback") log.suppress."cs-categories"[main](no)
 condition=FireEye_MaliciousURL log.rewrite."cs-categories"[main]("FireEye Malicious URL") log.suppress."cs-categories"[main](no)

NOTE: URL’s in the list will vary based on your FireEye detection of outbound web traffic that it can see.
In the screen above, you can see that the URL’s listed are actually the FireEye deployment check URL’s:

url=http://fedeploycheck.fireeye.com/appliance-test/alert.html
url=http://fedeploycheck.fireeye.com/appliance-test/block.html

BlueCoat Configurations:

Now that we have the FireEye side set up, we need to configure BlueCoat to use the FireEye output as input for the “Central Policy” file.

Step 1 is to tell BlueCoat where to get the FireEye urllist.
Proxy - Local DB Config

Step 2 is to tell BlueCoat how often to poll FireEye for updates to the list. We will be choosing a very proactive blocking approach and polling FireEye every 5 minutes.

BlueCoat Command Line Interface
 BlueCoat-SG1>ena
 Enable Password:
 BlueCoat-SG1#
 BlueCoat-SG1# configure terminal
 BlueCoat-SG1#(config) policy poll-interval 5
   ok
 BlueCoat-SG1#(config)

NOTE:
The ProxySG does not have a command similar to Cisco’s write memory command. When changes are made via the command line interface (CLI), the changes are automatically saved to the appliance, and are immediately active.

At this point if you were pointing through the BlueCoat-SG1 proxy, and attempt to access a URL that is on the FireEye-WebMPS-1 urllist.txt file, the access would be blocked by BlueCoat-SG1.

Huzzah, success!

Now most people would stop here, as they have now enabled the proxy to use FireEye as a URL source. However, there may be a case (albeit a very very miniscule case) where you may need to override a URL that FireEye has provided to BlueCoat for blocking. In this case, there are 2 ways you can go about building the override function:

Option 1: Use a CPL layer at the end of the VPM policy
VPM-FireEyeOverride

Option 2: Use the Local Policy file
NOTE: Using the Local Policy file option will require it to be evaluated after the Central Policy file, and depending on your setup, maybe after the VMP Policy file as well. To modify policy order GoTo:
Config –> Policy –> Policy Options -> Policy Evaluation Order

VPM-FireEyeOverride

==========================================================================================================
Here is the test I used in the above examples, if you are feeling lazy 😉

;BlueCoat-SG1 Local Policy File
 ;===================================
 ;FIREEYE BLOCK LIST OVERRIDE FUNCTION
 ;===================================
 ;
 ;If you feel FireEye has blocked something that should not be blocked please enter 
 ;the addresses below, but remove the ';' in front of the address to make it active
 ;
 ;SAMPLE SYNTAX
 ;url.domain=http://false-positive-URL.com/abc/123 allow
 ;url.domain=http://11.22.33.44 allow
 ;
 ;===================================
 ;===ADD ADDRESSES BELOW THIS LINE===
 ;===================================

Enjoy, and thanks for stopping by. Don’t forget to jump over to my post about creating a better Splash Page that can be used for FireEye. As always, feel free to ask questions if needed, and I will do my best to respond in 24hrs or less