IQ Server and Firewall for Artifactory


The Nexus Firewall for Artifactory plugin uses audit and quarantine features to help protect your development environment from risky or undesirable components. These features use IQ Server policy management to identify and, if desired, prevent proxy repositories from serving unwanted components.


Requirements to use Nexus Firewall for Artifactory:


  1. Download the latest version of the plugin from here
  2. Extract the contents of the plugin zip file into ${ARTIFACTORY_HOME}/etc/plugins. The zip file includes an example configuration file for the plugin, and all necessary files for the operation of the plugin. The final folder structure should resemble:


  3. Rename to to use as a base for your configuration.
  4. Configure which repositories you would like to enable in the file.


To upgrade to the latest version of the plugin, simply repeat the installation steps above and overwrite the nexusFirewallForArtifactoryPlugin.groovy file and the lib/nexus-iq-artifactory-plugin.jar file. The sample configuration file can be extracted as well, but is not required. Your actual configuration file will be named so there is no danger of overwriting your configuration.


All plugin configuration is done through the When changes are made to this file they can be applied by restarting Artifactory.

# These properties are to configure the connection to the IQ server.
# The values below are example values and should be updated with your own.

# Define repositories with a 'firewall.repo.' prefix. Possible options are 'quarantine' and 'audit'.
# firewall.repo.<example-repository-name>=quarantine
# firewall.repo.<other-example-repository-name>=audit

The username defined here must exist in IQ and have the "Component Evaluator" role. See Role Management for further information.

The plugin only supports the 'remote' repository type, usually configured as a remote proxy of Maven Central at The 'virtual' repository type is indirectly supported in that if your virtual repository includes a remote repository that has Firewall enabled, then components can be quarantined or audited.

Removing the will have the effect of disabling the plugin. Any repositories that were previously enabled with quarantine or audit will no longer perform quarantine or audit actions on artifacts in those repositories.
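A pre-restart check for the `firewall.repo.` entries described above, as an added example that is not part of the plugin or its documentation. It assumes plain `key=value` lines and strict lowercase mode names; how the plugin itself treats a misspelled mode is not stated here, and the sample repository names are constructed.

```python
PREFIX = "firewall.repo."
VALID_MODES = {"quarantine", "audit"}  # the two options listed in the sample config


def lint_firewall_config(text):
    """Return (repos, problems) for the firewall.repo.* lines in a config text.

    repos maps repository name -> mode; problems is a list of (line, message).
    """
    repos, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not key.startswith(PREFIX):       # connection settings are not checked
            continue
        name = key[len(PREFIX):]
        if not sep or not name:
            problems.append((lineno, "missing repository name or '='"))
        elif value not in VALID_MODES:       # assumption: modes are case-sensitive
            problems.append((lineno, f"{name}: unknown mode {value!r}"))
        elif name in repos and repos[name] != value:
            problems.append((lineno, f"{name}: conflicts with earlier {repos[name]!r}"))
        else:
            repos[name] = value
    return repos, problems


def audit_only(repos):
    """Repositories that are evaluated but not blocked (audit, not quarantine)."""
    return sorted(name for name, mode in repos.items() if mode == "audit")


# Constructed sample input; repository names are made up for illustration.
SAMPLE = """\
# constructed sample
firewall.repo.maven-central=quarantine
firewall.repo.npm-remote=audit
firewall.repo.pypi-remote=Quarantine
firewall.repo.maven-central=audit
firewall.repo.=audit
"""

if __name__ == "__main__":
    repos, problems = lint_firewall_config(SAMPLE)
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
    print("audit-only (not blocking):", audit_only(repos))
```

Reviewing the audit-only list before a restart makes it explicit which proxies will report policy violations without preventing the component from being served.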


When the plugin is configured and Artifactory is restarted, the following events will take place:

  1. When Artifactory is started, the configuration file will be read and any configured repositories will be enabled in IQ. The enabled repositories can be viewed in IQ in the 'Repositories' view under 'Organization and Policies'.
  2. The Firewall quarantine feature only applies to new components that are added after quarantine is enabled. When a new component violates policy, Firewall prevents it from being served from the remote repository.
  3. When repositories are enabled in audit mode, new components added to remote repositories are evaluated against IQ policy. This information is then included in the repository results.

Reviewing Results

Every repository that has Firewall enabled will receive its own Application Composition report URL. To obtain this URL, make the following call to the Artifactory server:

curl -u yourusername:yourpassword ""

In the above example you will need to substitute your appropriate username, password, Artifactory URL, and virtual repository name. Note: An administrator account is required to access this endpoint.

The result is a JSON response with details on the repository:


The reportUrl can be appended to your IQ Server URL to get to the report. For example, if your IQ Server is at https://myiqserver:8070, then the final URL would be https://myiqserver:8070/ui/links/repository/0396e6d401d143399d53493e57c106e8/result. You will be forwarded to the static policy report URL, which can be bookmarked for future access.

About Timestamps

The plugin will only process components which are new to the repository since Firewall was enabled on it. Components that have been served by Artifactory prior to this will always be allowed regardless of their policy status. This is to prevent any existing builds from breaking.


The Nexus Firewall for Artifactory plugin ships with some basic informative logging by default, and additional logs are available for debugging if necessary. Specifically, per-component blocking is not logged by default, as this can result in an excessive number of log entries.

Artifactory uses the Logback library for logging. To understand Artifactory logging and how to change what is logged, see the JFrog documentation here: Artifactory Log Files - Configuring Log Verbosity

In order to increase logging for the Firewall plugin, add this section to the logback.xml file:

<logger name="">
    <level value="debug"/>
</logger>

Release notes



Initial release

Known Limitations

  • The plugin is currently untested on highly available (HA) environments
  • The plugin currently does not support http proxy connections to the IQ Server