Please enable JavaScript in your browser!
Responding through Ideco NGFW
Expand all | Collapse all
Ideco NGFW is a solution that acts as a filter for the internet traffic in corporate and private networks. It allows you to block IP addresses and URLs detected by Kaspersky Next XDR Expert, if you previously configured integration between Kaspersky Next XDR Expert and the script launch service .
Ideco NGFW version 16.0 or later is supported.
The login and password to access Ideco NGFW are stored in the script for integration with Ideco NGFW. You can download the script by clicking the following link:
Download script
To use the script:
Install the script in one of the following ways:Via pip, for example:pip install -r requirements.txt
From the WHL file, for example:pip install ./dist/kaspersky_xdr_ideco_integration-<version>-py3-none-any.whl
Offline installation.If you do not have internet access, you must install the script offline. In this case, do the following:
Download the dependencies on a computer that has internet access, by running the following command:pip download -r requirements.txt
Move the downloaded dependencies to the device on which you will run the script. Install the dependencies by using the command:pip install --no-index --find-links <folder_path_to_downloaded_dependencies> -r requirements.txt
Configure the script in one of the following ways:Via the ENV file, for example:cp .env.sample .env
nano .env
In the body of the script (ideco.py), edit the parameters in the following strings:BASE_URL: str = getenv("BASE_URL", "https://your-ip:your-port")
LOGIN: str = getenv("LOGIN", "your-login")
PASSWORD: str = getenv("PASSWORD", "your-password")
IP_DENY_LIMIT: int = int(getenv("IP_DENY_LIMIT", 1000))
Add deny rules for the IP addresses detected by Kaspersky Next XDR Expert and for malicious URLs. To add a firewall rule that will block IP addresses:
Run the script by using the add_firewall_rule command .The command has the following logic:
Check if the IP addresses exist in the Ideco NGFW object list.If they exist, the current IP address is not added.
If they do not exist, the current IP address is added.
Check if the list of IP addresses named XDR exists. If the list exists, it is reused, and IP addresses are added to it.
If it does not exist, a new list is created, and IP addresses are added to it.
Check if the firewall rule named XDR exists. If the firewall rule exists, it is reused, and the list of IP addresses from step 2 is added to it.
If it does not exist, a new firewall rule is created, and the list of IP addresses from step 2 is added to it.
Specify the IP addresses that you want to block. By default, the maximum number of IP addresses is 1000. You can edit this value, as described at step 2 Configure the script .
You must add valid IPv4 addresses, separated with commas and without spaces, for example:
python ideco.py add_firewall_rule --ip_address "12.12.12.12, 13.13.13.13"
The deny rule for the selected IPv4 addresses is added, for example:
To add a filtering rule that will block malicious URLs:
Run the script by using the add_content_filter_file command .The command has the following logic:
Check if a category named XDR exists.If it exists, the URLs are added to this category.
If it does not exist, a new category is created, and then the URLs are added to it.
Check if the content filtering rule named XDR exists. If the content filtering rule exists, the category from step 1 is added to it.
If it does not exist, a new content filtering rule is created, and then the category from step 1 is added to it.
Specify the URLs that you want to block.The URLs must be separated with commas, and have http:// or https:// prefixes, for example:
python ideco.py add_content_filter_rule --url "https://url_1.com, http://url_2.com.uk, http://qwerty.nl, http://zxc.xc"
The deny rule for the specified URLs is added, for example:
Page top