How to Configure Suspicious Objects on EdgeOne – Nozomi Guardians
  • 27 Mar 2023
  • 3 Minutes to read

Summary


EdgeOne provides a Suspicious Object (SO) policy that integrates with third-party products. With this feature, users pull suspicious objects from the EdgeOne global Suspicious Object Pool to the Edge devices and configure which of them are approved. Users can then insert rules, or wait until these rules are reviewed and confirmed.

Applicable Version


All versions of EdgeOne

Details


1. Configuring EdgeOne

Creating API Keys

  1. Access the EdgeOne.
  2. Go to [Administration] > [API Key Management].
  3. Click the [Add] button to create a new API key.
    a. Input the name of the API client.
    b. Provide a description of the API client if necessary.
    c. Optionally specify a trusted IP address for the API key. If one is configured, the system rejects API requests from client IP addresses that do not match the given trusted IP address.
  4. A new API key and API secret will be generated and displayed on the screen. Click the copy buttons to copy the API key and API secret, and paste them into the API client.
Starting from v1.3, a set of RESTful APIs is available for external systems to block the Node or Link type of suspicious objects (SO) on the Edge devices. The products and services supporting the SO integration are listed below:
  • Trend Micro Deep Discovery Inspector v5.8
  • Nozomi Guardian 21.20

To configure settings of the third-party product, please refer to the section below, Integrating the Third-Party Products.

2. Configuring Suspicious Object Pool

Suspicious Objects (SO) are suspicious IP addresses (Nodes) or network connections (Links) to be monitored/blocked on the Edge series devices. They are imported to EdgeOne from the external SO sources, such as third-party products, via the Suspicious Object API keys.
The Suspicious Object Pool allows administrators to review the imported suspicious objects and to configure how the system imports objects or ages them out of the pool.

Reviewing Imported Suspicious Objects

  1. Access the EdgeOne.
  2. Go to [Application] > [Suspicious Object Pool].
  3. Click the [Suspicious Object List] tab.
  4. Click the checkboxes to select/deselect suspicious objects and choose a desired action, "Approve", "Reject" or "Delete", for the selected objects.
  5. Click the [Save] button to save the settings.

3. Configuring Suspicious Objects

The Suspicious Object screen allows you to define the filter rules to pull suspicious objects from the global Suspicious Object Pool into a device group.

  • Enabling Suspicious Object Feature
  1. Access the EdgeOne.
  2. Go to [Visibility] > [Asset View].
  3. Click the device group you want to manage.
  4. Click the [Edit Settings] button and an [Edit Settings] pop-up window will appear.
  5. Ensure that [Suspicious Object] is enabled, and then click the Continue button.
  6. Click the [Save] button to save the settings.


  • Viewing the Suspicious Objects of Device Group

The system will pull the suspicious objects from the global Suspicious Object Pool to this device group according to the given filter and display them in the table below the configuration panes. EdgeOne will synchronize the suspicious object list to all devices in the group automatically.
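The trusted-IP check on API keys (section 1), the pool's review and age-out behaviour (section 2), and the per-group filter that pulls approved objects into a device group (this section) can be read together as one small data flow. The following is an added, hypothetical model of that flow written for this article; it is not EdgeOne's implementation or API, and every class, field name, the 7-day age-out default, the filter shape (object kinds plus subnets) and the sample addresses and credentials are constructed assumptions for illustration only.

```python
"""Toy model of a Suspicious Object (SO) pool: import over an API key with a
trusted-IP check, administrator review, age-out, and a per-group pull filter.
Hypothetical illustration only; not EdgeOne's own code or API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import hmac
from typing import Optional


@dataclass(frozen=True)
class ApiKey:
    """One API client credential; trusted_ip is optional (assumed semantics)."""
    key: str
    secret: str
    trusted_ip: Optional[str] = None


@dataclass
class SuspiciousObject:
    kind: str                  # "node" (an IP address) or "link" (src -> dst connection)
    src: str
    dst: Optional[str] = None  # only meaningful for links
    source: str = ""           # label of the external product that imported it
    imported_at: datetime = field(default_factory=datetime.now)
    status: str = "pending"    # "pending" | "approved" | "rejected"


class SuspiciousObjectPool:
    """Global pool that receives objects from external sources via API keys."""

    def __init__(self, keys, max_age=timedelta(days=7)):
        self.keys = {k.key: k for k in keys}
        self.max_age = max_age          # assumed age-out window; objects older than this are dropped
        self.objects = []

    def authenticate(self, key, secret, client_ip):
        k = self.keys.get(key)
        if k is None or not hmac.compare_digest(k.secret, secret):
            return False
        # Trusted-IP check: reject a client whose address does not match the key's trusted IP.
        if k.trusted_ip is not None and ip_address(client_ip) != ip_address(k.trusted_ip):
            return False
        return True

    def import_object(self, key, secret, client_ip, obj):
        if not self.authenticate(key, secret, client_ip):
            raise PermissionError("API request rejected: bad credentials or untrusted client IP")
        if obj.kind not in ("node", "link"):
            raise ValueError("kind must be 'node' or 'link'")
        ip_address(obj.src)                      # validate address syntax before pooling
        if obj.kind == "link":
            ip_address(obj.dst)
        self.objects.append(obj)
        return obj

    def review(self, obj, action):
        """Administrator review: approve, reject or delete a pooled object."""
        if action == "delete":
            self.objects.remove(obj)
            return
        outcome = {"approve": "approved", "reject": "rejected"}
        if action not in outcome:
            raise ValueError(f"unknown action {action!r}")
        obj.status = outcome[action]

    def age_out(self, now):
        """Drop objects older than max_age; returns how many were removed."""
        keep = [o for o in self.objects if now - o.imported_at <= self.max_age]
        removed = len(self.objects) - len(keep)
        self.objects = keep
        return removed

    def pull_for_group(self, kinds, subnets):
        """Filter rule for one device group: approved objects of the given kinds
        whose source address falls inside one of the group's subnets."""
        nets = [ip_network(s) for s in subnets]
        return [o for o in self.objects
                if o.status == "approved" and o.kind in kinds
                and any(ip_address(o.src) in n for n in nets)]


def demo():
    """Constructed walk-through: import two objects, approve, pull, then age out."""
    t0 = datetime(2023, 3, 27, 12, 0, 0)
    key = ApiKey("nozomi-client", "example-secret", trusted_ip="192.0.2.10")  # constructed
    pool = SuspiciousObjectPool([key])
    node = SuspiciousObject("node", "198.51.100.7", source="nozomi", imported_at=t0)
    link = SuspiciousObject("link", "10.0.5.20", "203.0.113.9", source="nozomi", imported_at=t0)
    pool.import_object(key.key, key.secret, "192.0.2.10", node)
    pool.import_object(key.key, key.secret, "192.0.2.10", link)
    pool.review(node, "approve")
    pool.review(link, "approve")
    pulled = pool.pull_for_group(kinds={"node", "link"}, subnets=["10.0.0.0/8", "198.51.100.0/24"])
    aged = pool.age_out(t0 + timedelta(days=8))
    return {"pulled": len(pulled), "aged_out": aged, "remaining": len(pool.objects)}
```

The model keeps the three decisions separate on purpose: authentication (key, secret and trusted IP) happens at import time, status is only changed by an administrator's review, and a device group never sees anything that is not both approved and matched by its own filter, which mirrors the order of sections 1 to 3 above.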


  • Enabling Suspicious Object Operation Mode of Device Group
  1. Access the EdgeOne.
  2. Go to [Visibility] > [Asset View].
  3. Click the device group you want to manage.
  4. Click [Suspicious Objects] > [Settings].
  5. Ensure that [Suspicious Object] is enabled, and click the [Save] button to save the settings.

4. Integrating the Third-Party Products

  1. Access the Nozomi Guardian console.
  2. Go to [Administration] > [Firewall integration].
  3. Click the “+” add button to create a new firewall.
  4. Choose the firewall "TXOne Edge IPS".
  5. Configure the settings below.
    a. Complete the fields [Host] (input TXOne EdgeOne IP address), [API Key] and [API Secret].
    b. Enable nodes and links blocking.
    c. Click the [Save] button.
  6. The message "Connected to TXOne EdgeOne !https://< IP >" will be shown on the top of the screen.
  7. Go back to the [Firewall integration] page and the linkage profile will be ready.



For support assistance, please Contact Us at support@txone.com or your Support Provider.