Responding through Ideco NGFW

May 15, 2024

ID 269790


Ideco NGFW is a solution that filters internet traffic in corporate and private networks. It allows you to block IP addresses and URLs detected by Kaspersky Next XDR Expert, provided that you have previously configured integration between Kaspersky Next XDR Expert and the script launch service.

Ideco NGFW version 16.0 or later is supported.

The login and password to access Ideco NGFW are stored in the script for integration with Ideco NGFW. You can download the script by clicking the following link:

Download script

To use the script:

  1. Install the script in one of the following ways:
    • Via pip, for example:

      pip install -r requirements.txt

    • From the WHL file, for example:

      pip install ./dist/kaspersky_xdr_ideco_integration-<version>-py3-none-any.whl

    • Offline installation.

      If you do not have internet access, you must install the script offline. In this case, do the following:

      1. Download the dependencies on a computer that has internet access, by running the following command:

        pip download -r requirements.txt

      2. Move the downloaded dependencies to the device on which you will run the script.
      3. Install the dependencies by using the command:

        pip install --no-index --find-links <folder_path_to_downloaded_dependencies> -r requirements.txt

  2. Configure the script in one of the following ways:
    • Via the ENV file, for example:

      cp .env.sample .env

      nano .env

    • In the body of the script (ideco.py), edit the parameters in the following strings:

      BASE_URL: str = getenv("BASE_URL", "https://your-ip:your-port")

      LOGIN: str = getenv("LOGIN", "your-login")

      PASSWORD: str = getenv("PASSWORD", "your-password")

      IP_DENY_LIMIT: int = int(getenv("IP_DENY_LIMIT", 1000))

  3. Add deny rules for the IP addresses detected by Kaspersky Next XDR Expert and for malicious URLs.

To add a firewall rule that will block IP addresses:

  1. Run the script by using the add_firewall_rule command.
  2. Specify the IP addresses that you want to block.

    By default, the maximum number of IP addresses is 1000. You can edit this value (IP_DENY_LIMIT), as described in step 2, "Configure the script".

    You must add valid IPv4 addresses, separated with commas and without spaces, for example:

    python ideco.py add_firewall_rule --ip_address "12.12.12.12,13.13.13.13"

The deny rule for the selected addresses is added, for example:

![Adding firewall rule](./assets/screencasts/ideco_add_firewall_rule.gif)

To add a filtering rule that will block malicious URLs:

  1. Run the script by using the add_content_filter_rule command.
  2. Specify the URLs that you want to block.

    The URLs must be separated with commas, and have http:// or https:// prefixes, for example:

    python ideco.py add_content_filter_rule --url "https://url_1.com, http://url_2.com.uk, http://qwerty.nl, http://zxc.xc"

The deny rule for the specified URLs is added, for example:

![Adding content filtering rule](./assets/screencasts/ideco_add_content_filtering_rule.gif)
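
The input rules above (valid IPv4 addresses separated by commas without spaces, the IP_DENY_LIMIT cap, and the http:// or https:// prefix for URLs) can be checked before the script is called. The following is an added example, not part of the Kaspersky script; the function names validate_ip_argument, validate_url_argument and firewall_argv are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

IP_DENY_LIMIT = 1000  # default limit stated on this page


def validate_ip_argument(value: str, limit: int = IP_DENY_LIMIT) -> list[str]:
    """Return the de-duplicated IPv4 addresses in a --ip_address value."""
    if any(ch.isspace() for ch in value):
        raise ValueError("separate addresses with commas and no spaces")
    checked = []
    for item in value.split(","):
        try:
            checked.append(str(ipaddress.IPv4Address(item)))
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"not a valid IPv4 address: {item!r}") from exc
    unique = list(dict.fromkeys(checked))  # keep order, drop repeats
    if len(unique) > limit:
        raise ValueError(f"{len(unique)} addresses exceed the limit of {limit}")
    return unique


def validate_url_argument(value: str) -> list[str]:
    """Return the URLs in a --url value; each needs http:// or https://."""
    checked = []
    # Assumption: whitespace around an item is ignored, as in the page's example.
    for item in (part.strip() for part in value.split(",")):
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"expected http:// or https:// and a host: {item!r}")
        checked.append(item)
    return checked


def firewall_argv(addresses: list[str]) -> list[str]:
    """Build an argument list for subprocess.run(); no shell parses the values."""
    return ["python", "ideco.py", "add_firewall_rule",
            "--ip_address", ",".join(addresses)]


if __name__ == "__main__":
    # Constructed sample input, taken from the examples on this page.
    print(firewall_argv(validate_ip_argument("12.12.12.12,13.13.13.13")))
    print(validate_url_argument("https://url_1.com, http://qwerty.nl"))
```

Rejecting a malformed list before the call keeps a partly valid set of indicators from reaching the firewall, and passing the result as an argument list avoids shell quoting of detection-supplied values.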
