In this article, you will learn about the External Firewall component of the Threat-hunting & Action Center (TAC)
1. Description
2. How does External Firewall work?
3. Overview
4. Action Center
5. External Firewall settings
DESCRIPTION
External Firewall is a TAC component that enables real-time ingestion, normalization, and actionability of external firewall telemetry, starting with Meraki Firewall alerts, alongside device and user security signals in the same consolidated security console. Traditionally, firewall alerts live in vendor-specific consoles and can generate noisy, isolated data. With External Firewall, these alerts are brought directly into TAC, where they become meaningful MXDR signals, alerting users without overwhelming them and enabling consistent investigation and response workflows.
HOW DOES EXTERNAL FIREWALL WORK?
External Firewall telemetry works by importing supported firewall alert data through API integration and mapping it into Heimdal’s TAC pipeline. After configuration, firewall alerts flow into TAC alongside device and user security events.
TAC normalizes alert data, calculates risk scores, and presents findings in geo-visualizations, notifications, and Action Center views.
OVERVIEW
A. Reseller level
A reseller can visualize all of its Enterprise/Corp customers grouped geographically with a pin on the globe, together with their highest risk score. Pins are displayed on the map ONLY if there is data registered within the selected timeframe. On the left side of the page, an overview shows the total number of customers of that reseller that have External Firewall configured, along with the corresponding customer list sorted in descending order by External Firewall average risk score.
When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of customers that have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the External Firewall average risk score.
Clicking on a customer name from the panel will impersonate that specific customer.
B. Customer level
In External Firewall (using the designated toggle), a customer can view all of their end users, grouped geographically with a pin on the globe, and their corresponding risk score. Pins are displayed on the map ONLY if there is data registered within the selected timeframe.
On the left side of the page, we display the total number of end users under the impersonated customer and the list of users, sorted in descending order by the Risk Score.
When clicking a pin (node) on the globe, a panel opens in the top-right corner of the page, displaying a list of users who have their location data positioned in the same geographical region as the selected pin (node), sorted in descending order based on the user’s risk score.
Action Center widget
In all the visualizations (Threat Telemetry, XTP/MITRE ATT&CK - Globe/Map) and in both Reseller and Corporate Customer scenarios, the bottom-center section of the pages includes a collapsed widget (which can be expanded by clicking the blue arrow). The widget provides a relevant summary of the protection stats, average/endpoint risk score (used as a strategic score), number of notifications (considered as a tactical counter), and risk evolution during the last 30 days.
ACTION CENTER
The External Firewall Action Center (expanded by pressing the blue arrow at the bottom of the page) displays details about the end users’ risk score and notifications (count + quick access to the M365 Action Center), in a very similar way to the TAC bottom widget.
The External Firewall Action Center consists of two tabs: Notifications and Aggregated Notifications.
A. The Aggregated Notifications tab (identical External Firewall notifications are grouped under one notification with multiple hits):
Groups identical firewall alerts by device (or by source IP + alert type if no hostname exists).
Displays the number of hits (occurrences) and enables actions (Exclude, Investigate, Resolve).
After selecting the desired action, the user is prompted with a confirmation modal in which they can choose to Confirm or Cancel the action.
After selecting Exclude and applying the action, a pop‑up window appears allowing the user to choose the exclusion criteria (Source IP, Destination IP, Notification, or Device Name), specify the exclusion duration (7, 30, 90 days, or permanent), and then either Confirm or Cancel the action.
Offers search, filters (Severity + Resolution), and sorting options.
B. The Notifications tab (displays a grid with all External Firewall notifications, including an Alert Body column that reveals the full JSON payload for detailed analysis).
EXTERNAL FIREWALL SETTINGS
Meraki Firewall integration becomes available in a dedicated Firewall Integrations → Meraki Firewall tab under Guide → Customer Settings.
Configuration is available at both reseller and corporate customer levels (when Meraki is enabled at both reseller and corporate customer level, the reseller settings are applied).
IMPORTANT: To ensure correct operation, customers must allowlist the source IP address 20.160.60.23 in their firewall environment for Meraki notifications to be retrieved via API.
External Firewall Exclusions is a dedicated tab under Network Settings. It lets users manage firewall exclusion rules created either from the TAC portal (External Firewall Action Center, Aggregated Notifications or Notifications views) or directly within this view.
IMPORTANT: This functionality is available exclusively at corporate customer level.
Users can create a new exclusion by clicking Add new exclusion, which opens a configuration view where all rule details can be defined. Existing rules can be edited or deleted.
Additionally, users can search by primary or secondary criteria value and export all exclusions to a CSV file.
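The aggregation behaviour described under the Aggregated Notifications tab (grouping by device, or by source IP + alert type when no hostname exists, with a hit count per group) and the exclusion rules described in the Exclude dialog and in the External Firewall Exclusions tab (criteria Source IP, Destination IP, Notification or Device Name; duration 7, 30, 90 days or permanent) can be modelled in a few lines. The following Python is an added example written for this article, not Heimdal or TAC code: the alert field names (hostname, src_ip, dst_ip, alert_type, severity, ts), the severity ranking and the sample alerts are all constructed here and are assumptions, not the real payload format.

```python
"""Added example (not Heimdal/TAC code): aggregate external firewall alerts
and apply time-bound exclusion rules the way the article describes them.

Assumed/constructed: alert field names, severity ranking, sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample alerts mimicking normalized firewall telemetry.
SAMPLE_ALERTS = [
    {"hostname": "branch-fw-01", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",
     "alert_type": "ids_alert", "severity": "high", "ts": NOW - timedelta(minutes=5)},
    {"hostname": "branch-fw-01", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9",
     "alert_type": "ids_alert", "severity": "high", "ts": NOW - timedelta(minutes=3)},
    {"hostname": None, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.20",
     "alert_type": "port_scan", "severity": "medium", "ts": NOW - timedelta(minutes=2)},
    {"hostname": None, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.21",
     "alert_type": "port_scan", "severity": "medium", "ts": NOW - timedelta(minutes=1)},
    {"hostname": "hq-fw-02", "src_ip": "10.1.0.9", "dst_ip": "192.0.2.4",
     "alert_type": "malware_blocked", "severity": "critical", "ts": NOW},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed ordering

# Maps the four exclusion criteria from the article onto the assumed alert fields.
FIELD_FOR_CRITERION = {
    "source_ip": "src_ip",
    "destination_ip": "dst_ip",
    "notification": "alert_type",
    "device_name": "hostname",
}


@dataclass
class Exclusion:
    criterion: str         # one of FIELD_FOR_CRITERION's keys
    value: str
    created: datetime
    days: Optional[int]    # 7, 30, 90, or None for a permanent exclusion

    def active(self, at: datetime) -> bool:
        """An exclusion stops matching once its duration has elapsed."""
        return self.days is None or at < self.created + timedelta(days=self.days)


def is_excluded(alert: dict, exclusions, at: datetime) -> bool:
    return any(e.active(at) and alert.get(FIELD_FOR_CRITERION[e.criterion]) == e.value
               for e in exclusions)


def group_key(alert: dict) -> tuple:
    """Group by device; fall back to source IP + alert type when no hostname exists.
    Treating 'identical' as same alert type on the same device is our assumption."""
    if alert.get("hostname"):
        return ("device", alert["hostname"], alert["alert_type"])
    return ("source", alert["src_ip"], alert["alert_type"])


def aggregate(alerts, exclusions=(), at: datetime = NOW) -> list:
    """Return aggregated notifications, highest severity and most hits first."""
    groups: dict = {}
    for a in alerts:
        if is_excluded(a, exclusions, at):
            continue
        key = group_key(a)
        g = groups.setdefault(key, {"key": key, "hits": 0, "severity": "low",
                                    "first_seen": a["ts"], "last_seen": a["ts"]})
        g["hits"] += 1
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = a["severity"]
        g["first_seen"] = min(g["first_seen"], a["ts"])
        g["last_seen"] = max(g["last_seen"], a["ts"])
    return sorted(groups.values(),
                  key=lambda g: (SEVERITY_RANK[g["severity"]], g["hits"]), reverse=True)


def demo() -> dict:
    """Run the baseline plus the three exclusion cases the dialog allows."""
    active_7d = Exclusion("source_ip", "198.51.100.7", NOW - timedelta(days=1), 7)
    expired_7d = Exclusion("source_ip", "198.51.100.7", NOW - timedelta(days=10), 7)
    permanent = Exclusion("device_name", "branch-fw-01", NOW - timedelta(days=400), None)
    return {
        "baseline": aggregate(SAMPLE_ALERTS),
        "active_7d": aggregate(SAMPLE_ALERTS, [active_7d]),
        "expired_7d": aggregate(SAMPLE_ALERTS, [expired_7d]),
        "permanent": aggregate(SAMPLE_ALERTS, [permanent]),
    }


if __name__ == "__main__":
    for name, groups in demo().items():
        print(name, [(g["key"], g["hits"], g["severity"]) for g in groups])
```

The point worth noticing is the expired case: an exclusion created ten days ago with a 7-day duration no longer suppresses anything, so the port scan reappears as an aggregated notification, whereas the permanent device-name exclusion keeps suppressing indefinitely. Any real implementation of the Exclusions tab needs exactly this expiry check, otherwise a temporary exclusion silently becomes permanent.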
The External Firewall Exclusions tab is regulated by ACLs and:
The tab is visible for a Heimdal user who has View permissions for the externalFirewallExclusions claim.
Heimdal users who have the Edit rights can add, modify, or delete any exclusion rules.