Cisco FirePower Threat Defense (FTD)

Cisco Firepower Threat Defense (FTD) combines the power of Cisco’s ASA firewall with its own IDS, previously called SourceFire IDS.

For versions v6.3 and higher, you forward syslog from your Cisco FTD device in order for events to appear in InsightIDR.

Configure Syslog Forwarding from Cisco FTD

To configure syslog forwarding, you must complete these steps:

Enable Logging

Logging must be enabled to configure syslog forwarding from Cisco FTD.

To enable logging, follow Cisco’s documentation at: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#toc-hId-1970026004

Configure Logging Level

You must configure logging levels to define the number of messages to be sent to InsightIDR.

To configure logging levels, follow Cisco's documentation at: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#toc-hId--41694258

Configure Syslog Settings

You must configure syslog settings to configure the facility values included in the syslog messages.

To configure syslog settings, follow Cisco's documentation at: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#toc-hId--614483066

Configure Syslog Alerting for Intrusion Events

You must configure syslog alerting for intrusion events.

To do so, follow Cisco's documentation at: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html#ID-2212-000001bf

This configuration shows the event ids 430001, 430002, and 430003 in your syslog settings, and sends them to InsightIDR for parsing.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Cisco FTD in the event sources search bar.
    • In the Product Type filter, select Firewall.
  3. Select the Cisco FTD event source tile.
  4. Choose your collector.
  5. In the Select Event Source Type field, choose the option that corresponds to your Cisco Security Solution as outlined in the following table:
Cisco Security SolutionInsightIDR Event Source Type
ASACisco ASA event-source
NGIPSCisco ASA event-source
NGFWCisco ASA event-source
Any other firepower serviceCisco ASA event-source
Cisco ASA with FirePower servicesCisco ASA event-source
Cisco FirePower Threat Defense (FTD)Cisco FTD event-source
Sourcefire 3DCisco FirePower (Sourcefire 3D) event-source

You can also name your event source if you want.

  1. Choose the timezone that matches the location of your event source logs.
  2. Optionally choose to send unparsed logs.
  3. Select an attribution source.
  4. Configure your default domain and any advanced settings.
  5. Select syslog and specify a port and a protocol.
  • Optionally choose to encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  1. Click the Save button.

Verify the Configuration

To see Cisco FTD logs in InsightIDR: From the left menu, click Log Search to view your logs to ensure events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cisco FTD” if you did not name the event source. Cisco FTD logs flow into these Log Sets:

  • Unified Asset Authentication
  • Ingress Authentication
  • Firewall
  • VPN Session
  • Web Proxy
  • Intrusion Detection System (IDS)

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example Input Log

The following logs are examples of parsed syslog events from Cisco FTD.

To learn about what these codes mean, see the Cisco documentation here: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html

Event ID

Description

Log Example(s)

FTD-6-430003

Identifies a connection event logged at the end of the connection.

Mar 22 2019 16:51:29 firepower %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.101.11.21, DstIP: 10.178.219.10, SrcPort: 46915, DstPort: 391, Protocol: udp, IngressZone: Inside, EgressZone: R7_Outside, ACPolicy: Access_Control, AccessControlRuleName: Allow_All_Outbound, Prefilter Policy: Prefilter, User: Unknown, Client: CLDAP client, ApplicationProtocol: CLDAP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 131, ResponderBytes: 0, NAPPolicy: Unknown

<118>2020-02-04T11:00:54Z %FTD-6-430003: DeviceUUID: 90e14378-2081-11e8-a7fa-d34972ba379f, AccessControlRuleAction: Allow, SrcIP: 75.150.94.75, DstIP: 172.30.0.2, SrcPort: 59698, DstPort: 8027, Protocol: tcp, IngressInterface: Outside2, EgressInterface: DMZ, IngressZone: Outside, EgressZone: DMZ, ACPolicy: Rapid7 5525X, AccessControlRuleName: Allow MDM - Out to DMZ, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, ConnectionDuration: 600, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 31, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

FTD-6-430002

Identifies a connection event logged at the beginning of the connection.

Apr 14 2019 12:52:31 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 10.10.5.76, DstIP: 53.119.122.22, SrcPort: 49905, DstPort: 443, Protocol: tcp, IngressInterface: 0005_Inside, EgressInterface: 0005_Outside, IngressZone: Inside, EgressZone: Outside, ACPolicy: IZ1235WH02_Access_Control, AccessControlRuleName: Blocked Countries Outbound, Prefilter Policy: IZ1235WH02_Prefilter, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Office 365, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 459, ResponderBytes: 78, NAPPolicy: Unknown, URL: https://nexus.randomapps.live.com

Mar 22 2019 16:50:24 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 192.178.3.87, DstIP: 179.210.1.120, SrcPort: 60450, DstPort: 443, Protocol: tcp, IngressZone: Guest_Internet_DMZ, EgressZone: RandomCorp_Outside, ACPolicy: IZ1235WH02_Access_Control, AccessControlRuleName: Block High Risk Apps, Prefilter Policy: IZ1235WH02_Prefilter, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Doubleclick, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 408, ResponderBytes: 78, NAPPolicy: Unknown, URL: https://sanitised.words.fakeclick.net

NGIPS-1-430003

Identifies a connection event logged at end of connection

<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, DeviceUUID: e8566508-eaa9-11e5-860f-de3e305d8269, InstanceID: 3, FirstPacketSecond: 2020-02-04T08:45:34Z, ConnectionID: 34774, AccessControlRuleAction: <br/>Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, SrcPort: 13723, DstPort: 80, Protocol: tcp, IngressInterface: outside, EgressInterface: seversDMZ, ACPolicy: Basic IPS/IDS and GeoIP block foreign contries, AccessControlRuleName: GeoBlock other Countries, Prefilter Policy: Unknown, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

Cisco FTD can also produce logs in the same format as some Sourcefire 3D log entries. These log entries do not contain an Event ID. Here is an example of these logs:

<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-b768-a8d573eb9cc3)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Parked Domains, URL Reputation: Well known, URL: https://rapid7.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 4, Responder Packets: 4, Initiator Bytes: 608, Responder Bytes: 4368, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 10.7.30.21:53431 -> 66.55.15.70:443