yasirhamza/wazuh-firewalla

Firewalla-Wazuh SIEM Integration

Integrate your Firewalla network security device with Wazuh SIEM for centralized security monitoring, threat intelligence correlation, and custom alerting.

Features

  • MSP API Integration - Polls the Firewalla MSP API for alarms, flows, and device inventory
  • Threat Intelligence - Automatic correlation of Firewalla flow IPs against the abuse.ch Feodo Tracker and ThreatFox C2 feeds
  • Custom Detection Rules - 40+ Wazuh rules for Firewalla events, each with MITRE ATT&CK mappings
  • Security Dashboard - Pre-built OpenSearch dashboard for network visibility
  • Store-and-Forward - Survives container downtime: events missed while the poller was down are backfilled from the MSP API, which retains 30 days of data
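How the threat-intelligence correlation above works, shown as an added example (this is not the project's threat-intel sidecar code): a Feodo Tracker style CSV is parsed into an indicator set, Firewalla flow records are checked against it in both directions, and each match is emitted as one JSON line that a Wazuh rule can decode. The feed rows, the flow records, and the Firewalla field names (srcIP, dstIP, dstPort, deviceName, blocked) are constructed or assumed for the example; the real poller's output shape may differ.

```python
"""Correlate Firewalla-style flow records against a Feodo Tracker style C2 IP list.

Added example, not the wazuh-firewalla project's own sidecar. The feed and flow
samples are constructed inline so the script runs offline; the Firewalla field
names used below are assumptions, not a documented schema.
"""
import csv
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample in the column layout of Feodo Tracker's ipblocklist.csv:
# comment lines start with '#', data rows are
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware.
# Addresses are from the TEST-NET documentation ranges, not real C2s.
FEODO_SAMPLE = """\
################################################################
# abuse.ch Feodo Tracker Botnet C2 IP Blocklist (constructed) #
################################################################
# first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2024-01-10 09:12:44,203.0.113.10,443,online,2024-01-12,Dridex
2024-01-11 18:03:01,198.51.100.77,8080,offline,2024-01-11,QakBot
2024-01-11 18:03:01,not-an-ip,8080,online,2024-01-11,Garbage
"""

# Constructed Firewalla-style flow records (field names assumed).
FLOW_SAMPLE = [
    {"ts": 1705050000, "srcIP": "192.168.1.23", "dstIP": "203.0.113.10",
     "dstPort": 443, "protocol": "tcp", "deviceName": "laptop-01", "blocked": False},
    {"ts": 1705050005, "srcIP": "192.168.1.40", "dstIP": "93.184.216.34",
     "dstPort": 443, "protocol": "tcp", "deviceName": "phone-02", "blocked": False},
    {"ts": 1705050010, "srcIP": "198.51.100.77", "dstIP": "192.168.1.10",
     "dstPort": 22, "protocol": "tcp", "deviceName": "nas-01", "blocked": True},
]


def parse_feodo_csv(text):
    """Return {ip: {port, status, malware, source}} from Feodo-style CSV text.

    Comment lines ('#') and an optional header row are skipped. Rows whose
    dst_ip does not parse as an IP address are dropped: feed content is
    untrusted input and must not reach the rule engine unvalidated.
    """
    fields = ["first_seen_utc", "dst_ip", "dst_port", "c2_status", "last_online", "malware"]
    rows = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    if rows and rows[0].startswith(fields[0]):
        rows = rows[1:]
    indicators = {}
    for row in csv.DictReader(rows, fieldnames=fields):
        try:
            ip = str(ipaddress.ip_address(row["dst_ip"].strip()))
        except ValueError:
            continue
        indicators[ip] = {
            "port": int(row["dst_port"]),
            "status": row["c2_status"].strip(),
            "malware": row["malware"].strip(),
            "source": "feodotracker",
        }
    return indicators


def correlate(flows, indicators):
    """Return one Wazuh-ingestible event (dict) per flow touching a listed IP.

    Both directions are checked: an outbound flow whose destination is a C2,
    and an inbound flow whose source is one.
    """
    events = []
    for flow in flows:
        for direction, key in (("outbound", "dstIP"), ("inbound", "srcIP")):
            ioc = indicators.get(flow.get(key))
            if ioc is None:
                continue
            events.append({
                "integration": "firewalla",
                "event_type": "threat_intel_match",
                "timestamp": datetime.fromtimestamp(flow["ts"], tz=timezone.utc).isoformat(),
                "direction": direction,
                "device": flow.get("deviceName"),
                "src_ip": flow["srcIP"],
                "dst_ip": flow["dstIP"],
                "dst_port": flow["dstPort"],
                "blocked": flow.get("blocked", False),
                "threat_intel": {"indicator": flow[key], **ioc},
            })
    return events


if __name__ == "__main__":
    hits = correlate(FLOW_SAMPLE, parse_feodo_csv(FEODO_SAMPLE))
    for event in hits:
        # One JSON object per line is what a Wazuh logcollector json input expects.
        print(json.dumps(event))
```

Writing each event as a single JSON line to a file that the Wazuh agent or manager reads with log_format json lets a rule in the Threat Intel range match on fields such as threat_intel.indicator without a custom decoder.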

Quick Start

# Clone the repository
git clone https://github.com/yasirhamza/wazuh-firewalla.git
cd wazuh-firewalla

# Configure credentials
cp .env.example .env
nano .env  # Set your passwords and MSP token; .env holds secrets, keep it out of version control

# Generate SSL certificates
docker compose -f generate-certs.yml run --rm generator

# Start the stack
docker compose up -d

# Wait ~2 minutes, then access the dashboard
# https://localhost:443  (the locally generated certificate is self-signed, so expect a browser warning)
# Username: admin
# Password: (your INDEXER_PASSWORD from .env)

Architecture

┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│  Firewalla MSP  │────▶│   msp-poller     │────▶│  Wazuh Manager  │
│      API        │     │   (sidecar)      │     │   + Filebeat    │
└─────────────────┘     └──────────────────┘     └────────┬────────┘
                                                          │
┌─────────────────┐     ┌──────────────────┐     ┌────────▼────────┐
│  Threat Feeds   │────▶│  threat-intel    │────▶│  Wazuh Indexer  │
│(Feodo/ThreatFox)│     │   (sidecar)      │     │  (OpenSearch)   │
└─────────────────┘     └──────────────────┘     └────────┬────────┘
                                                          │
                                                 ┌────────▼────────┐
                                                 │ Wazuh Dashboard │
                                                 │   (port 443)    │
                                                 └─────────────────┘

Detection Rules

Rule ID Range   Category      Description
100200-100299   Alarms        Firewalla security alerts (new device, port scan, spoofing)
100300-100399   Devices       Device inventory changes
100400-100449   Flows         Network flow analysis (blocked, high bandwidth)
100450-100499   Threat Intel  C2 IP correlation matches
100500-100504   Sidecar       Poller health monitoring
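What a rule in the Threat Intel range looks like, as an added example written for this page (it is not one of the project's 40+ rules): a base rule that fires on any JSON event tagged as a threat-intel match, and a child rule that escalates when the C2 was still online in the feed and the flow was not blocked. Rule IDs 100450 and 100451 are taken from the documented range; the field names (integration, event_type, threat_intel.indicator, threat_intel.status, blocked, device) are assumptions about the poller's JSON output, and T1071 (Application Layer Protocol) is the ATT&CK technique chosen for C2 traffic.

```xml
<!-- Added example rules, not the project's own. Assumes the poller writes one
     JSON object per line and that Wazuh reads it with log_format json, so the
     built-in JSON decoder exposes nested keys as threat_intel.indicator etc. -->
<group name="firewalla,threat_intel,">

  <!-- Base rule: any poller event tagged as a C2 IP correlation match. -->
  <rule id="100450" level="10">
    <decoded_as>json</decoded_as>
    <field name="integration">^firewalla$</field>
    <field name="event_type">^threat_intel_match$</field>
    <description>Firewalla: flow to/from known C2 IP $(threat_intel.indicator) ($(threat_intel.malware))</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

  <!-- Escalate: the C2 was marked online in the feed and Firewalla did not block the flow. -->
  <rule id="100451" level="13">
    <if_sid>100450</if_sid>
    <field name="threat_intel.status">^online$</field>
    <field name="blocked">^false$</field>
    <description>Firewalla: unblocked traffic to active C2 $(threat_intel.indicator) from $(device)</description>
    <mitre>
      <id>T1071</id>
    </mitre>
  </rule>

</group>
```

Test a rule file before deploying it with /var/ossec/bin/wazuh-logtest, pasting a sample JSON line; the child rule only matches when its parent (100450) has matched, so a typo in the base rule silently disables both.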

Requirements

  • Docker Engine 20.10+
  • Docker Compose v2
  • 4GB RAM minimum
  • Firewalla MSP account (for API access)

License

MIT License - see LICENSE for details.

Acknowledgments

  • Wazuh - Open source security platform
  • Firewalla - Network security appliance
  • abuse.ch - Threat intelligence feeds

About

Wazuh SIEM integration for Firewalla with threat intelligence and Windows SRP monitoring
