Cisco Firepower Threat Defense

Cisco Firepower Threat Defense (FTD) combines the power of Cisco’s ASA firewall with its own IDS, previously called SourceFire IDS.

For versions 6.3 and higher, forward syslog from your Cisco FTD device so that events appear in InsightIDR.

Configure Syslog Forwarding from Cisco FTD

To configure syslog forwarding, complete three separate steps:

  1. Enable Logging
  2. Configure Logging Level
  3. Configure Syslog Settings

Enable Logging

  1. Sign in to your Cisco FTD appliance.
  2. Click the Devices tab and select the Platform Settings page on the right.
  3. Find your existing Cisco FTD appliance and click the edit or pencil icon.
  4. Select the Logging Setup tab.
  5. Check the Enable Logging box in order to enable syslog logging.
  6. Optionally, check the Send debug messages as syslog box.
  7. Click the Save button to save the information on the Logging Setup tab.

Configure Logging Level

  1. Select the Rate Limiting tab and choose the Logging Level tab.
  2. Click the +Add button to add a new logging level.
  3. Set the Logging Level field to 6 - Informational Messages.
  4. Click the OK button to save the logging configuration.
  5. Click the Save button to save the configuration in that tab.

Configure Syslog Settings

  1. Select the Syslog Settings tab.
  2. Check the Enable Timestamp on each Syslog Message box.
  3. Click the Save button to save this part of the configuration.
  4. Select the Syslog Servers tab.
  5. Click the +Add button.
  6. In the IP address field, click the + icon to add the IP address of your InsightIDR Collector.
  7. Select the protocol radio button that you want to use.
  8. Enter the unique port on your Collector that you want to send syslog data to.
  9. Click the OK button to save the new Syslog Server settings.
  10. Click the Save button on the Syslog Servers tab to complete the Cisco FTD syslog configuration.

For additional information on Cisco FTD configuration, read their documentation here: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#anc10

Configure Cisco FTD in InsightIDR

Now that you’ve configured syslog forwarding from Cisco FTD, you can configure this event source in InsightIDR.

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Firewall icon. The Add Event Source panel appears.
  4. Choose your collector.
  5. Choose Cisco FTD for your event source. You can also name your event source if you want.
  6. Choose the timezone that matches the location of your event source logs.
  7. Optionally choose to send unfiltered logs.
  8. Configure your default domain and any advanced settings.
  9. Select syslog and specify a port and a protocol.
    • Optionally, if you chose TCP, encrypt the event source by downloading the Rapid7 Certificate.
  10. Click the Save button.

Verify the Configuration

To see Cisco FTD logs in InsightIDR, click Log Search on the left menu and confirm that events are being forwarded to the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name, or “Cisco FTD” if you did not name the event source. Cisco FTD logs flow into these Log Sets:

  • Unified Asset Authentication
  • Ingress Authentication
  • Firewall
  • VPN Session
  • Web Proxy
  • Intrusion Detection System (IDS)

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example Input Log

The following logs are examples of parsed syslog events from Cisco FTD.

To learn what these event IDs mean, see the Cisco documentation here: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html

Event ID: FTD-6-430003
Description: Identifies a connection event logged at the end of the connection.
Log Example(s):

Mar 22 2019 16:51:29 firepower %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.101.11.21, DstIP: 10.178.219.10, SrcPort: 46915, DstPort: 391, Protocol: udp, IngressZone: Inside, EgressZone: R7_Outside, ACPolicy: Access_Control, AccessControlRuleName: Allow_All_Outbound, Prefilter Policy: Prefilter, User: Unknown, Client: CLDAP client, ApplicationProtocol: CLDAP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 131, ResponderBytes: 0, NAPPolicy: Unknown

<118>2020-02-04T11:00:54Z %FTD-6-430003: DeviceUUID: 90e14378-2081-11e8-a7fa-d34972ba379f, AccessControlRuleAction: Allow, SrcIP: 75.150.94.75, DstIP: 172.30.0.2, SrcPort: 59698, DstPort: 8027, Protocol: tcp, IngressInterface: Outside2, EgressInterface: DMZ, IngressZone: Outside, EgressZone: DMZ, ACPolicy: Rapid7 5525X, AccessControlRuleName: Allow MDM - Out to DMZ, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, ConnectionDuration: 600, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 31, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

Event ID: FTD-6-430002
Description: Identifies a connection event logged at the beginning of the connection.
Log Example(s):

Apr 14 2019 12:52:31 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 10.10.5.76, DstIP: 53.119.122.22, SrcPort: 49905, DstPort: 443, Protocol: tcp, IngressInterface: 0005_Inside, EgressInterface: 0005_Outside, IngressZone: Inside, EgressZone: Outside, ACPolicy: IZ1235WH02_Access_Control, AccessControlRuleName: Blocked Countries Outbound, Prefilter Policy: IZ1235WH02_Prefilter, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Office 365, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 459, ResponderBytes: 78, NAPPolicy: Unknown, URL: https://nexus.randomapps.live.com

Mar 22 2019 16:50:24 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 192.178.3.87, DstIP: 179.210.1.120, SrcPort: 60450, DstPort: 443, Protocol: tcp, IngressZone: Guest_Internet_DMZ, EgressZone: RandomCorp_Outside, ACPolicy: IZ1235WH02_Access_Control, AccessControlRuleName: Block High Risk Apps, Prefilter Policy: IZ1235WH02_Prefilter, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Doubleclick, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 408, ResponderBytes: 78, NAPPolicy: Unknown, URL: https://sanitised.words.fakeclick.net

Event ID: NGIPS-1-430003
Description: Identifies a connection event logged at the end of the connection.
Log Example(s):

<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, DeviceUUID: e8566508-eaa9-11e5-860f-de3e305d8269, InstanceID: 3, FirstPacketSecond: 2020-02-04T08:45:34Z, ConnectionID: 34774, AccessControlRuleAction: Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, SrcPort: 13723, DstPort: 80, Protocol: tcp, IngressInterface: outside, EgressInterface: seversDMZ, ACPolicy: Basic IPS/IDS and GeoIP block foreign contries, AccessControlRuleName: GeoBlock other Countries, Prefilter Policy: Unknown, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

Cisco FTD can also produce logs in the same format as some Sourcefire 3D log lines. These log lines do not contain an Event ID. Here is an example of these logs:

<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-b768-a8d573eb9cc3)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Parked Domains, URL Reputation: Well known, URL: https://rapid7.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 4, Responder Packets: 4, Initiator Bytes: 608, Responder Bytes: 4368, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 10.7.30.21:53431 -> 66.55.15.70:443
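As an added example (not Rapid7's, Cisco's or InsightIDR's own parsing code), the Python below parses the line shapes shown on this page into one structure: the optional syslog <PRI> prefix, the %FTD/%NGIPS mnemonic with its severity and message ID, the "Key: Value" body, and the Sourcefire 3D variant that has no event ID but ends in a {TCP} src -> dst tuple, normalised to the FTD field names. It then rolls up blocked connections per source IP, the kind of summary a detection rule would build from the Firewall log set. The sample lines are constructed in the shape of the examples above, with RFC 5737 addresses, zeroed UUIDs and shortened field lists; the FtdEvent class and the function names are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# Optional syslog priority prefix, e.g. "<118>" = facility * 8 + severity.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# FTD/NGIPS mnemonic, e.g. "%FTD-6-430003:" = product-severity-message ID.
MNEMONIC_RE = re.compile(r"%(?P<product>[A-Z]+)-(?P<severity>\d)-(?P<msgid>\d+):\s*")
# Sourcefire 3D style: bracketed engine/instance prefix, then "Key: Value" pairs.
SF3D_RE = re.compile(r"^.*?(?:\[[^\]]*\])+\s*(?P<body>[A-Za-z].*)$")
# Trailing 5-tuple on Sourcefire 3D lines: "{TCP} 10.0.0.1:1234 -> 10.0.0.2:443".
FLOW_RE = re.compile(r",?\s*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                     r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$")


@dataclass
class FtdEvent:
    facility: Optional[int]   # from the <PRI> prefix, if present
    severity: Optional[int]   # from <PRI>, else from the mnemonic
    product: Optional[str]    # "FTD" or "NGIPS"; None for Sourcefire 3D lines
    msgid: Optional[str]      # e.g. "430003"; None for Sourcefire 3D lines
    fields: Dict[str, str] = field(default_factory=dict)

    def flow(self) -> Optional[Tuple[str, str, int, str, int]]:
        """(proto, src, sport, dst, dport) for either format, or None if incomplete."""
        f = self.fields
        try:
            return (f["Protocol"].lower(), f["SrcIP"], int(f["SrcPort"]),
                    f["DstIP"], int(f["DstPort"]))
        except (KeyError, ValueError):
            return None


def _parse_kv(body: str) -> Dict[str, str]:
    """Split "Key: Value, Key2: Value2" into a dict. Spaces are dropped from keys so
    Sourcefire 3D names (Access Control Rule Action) line up with the FTD names
    (AccessControlRuleAction). Fragments without a ": " separator are ignored."""
    out: Dict[str, str] = {}
    for part in body.split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            out[key.strip().replace(" ", "")] = value.strip()
    return out


def parse_ftd_syslog(line: str) -> FtdEvent:
    """Parse one FTD, NGIPS or Sourcefire 3D connection-event syslog line."""
    line = line.strip()
    facility = severity = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        facility, severity = pri // 8, pri % 8
        line = line[m.end():]

    m = MNEMONIC_RE.search(line)
    if m:  # %FTD-x-nnnnnn / %NGIPS-x-nnnnnn: the rest is "Key: Value" pairs
        sev = severity if severity is not None else int(m.group("severity"))
        return FtdEvent(facility, sev, m.group("product"), m.group("msgid"),
                        _parse_kv(line[m.end():]))

    m = SF3D_RE.match(line)
    if not m:
        raise ValueError("unrecognised Firepower syslog line: %r" % line[:60])
    body = m.group("body")
    ev = FtdEvent(facility, severity, None, None)
    fm = FLOW_RE.search(body)
    if fm:  # lift the trailing 5-tuple into the FTD field names so flow() works
        body = body[:fm.start()]
        ev.fields.update(Protocol=fm.group("proto"), SrcIP=fm.group("src"),
                         SrcPort=fm.group("sport"), DstIP=fm.group("dst"),
                         DstPort=fm.group("dport"))
    ev.fields.update(_parse_kv(body))
    return ev


def blocked_sources(events: Iterable[FtdEvent]) -> Counter:
    """Count blocked connections per source IP, the roll-up a detection rule or
    dashboard would build from the Firewall log set."""
    counts: Counter = Counter()
    for ev in events:
        if ev.fields.get("AccessControlRuleAction", "").lower().startswith("block"):
            counts[ev.fields.get("SrcIP", "?")] += 1
    return counts


# Constructed sample lines in the shape of the page's examples (RFC 5737 addresses,
# zeroed UUIDs, shortened field lists); they are not real captures.
SAMPLE_LINES = [
    "<118>2020-02-04T11:00:54Z %FTD-6-430003: DeviceUUID: 00000000-0000-0000-0000-000000000000, AccessControlRuleAction: Allow, SrcIP: 198.51.100.7, DstIP: 172.30.0.2, SrcPort: 59698, DstPort: 8027, Protocol: tcp, IngressZone: Outside, EgressZone: DMZ, ACPolicy: Example 5525X, AccessControlRuleName: Allow MDM - Out to DMZ, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, ConnectionDuration: 600, InitiatorBytes: 31, ResponderBytes: 0",
    "Apr 14 2019 12:52:31 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 10.10.5.76, DstIP: 203.0.113.22, SrcPort: 49905, DstPort: 443, Protocol: tcp, IngressZone: Inside, EgressZone: Outside, ACPolicy: Example_Access_Control, AccessControlRuleName: Blocked Countries Outbound, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Office 365, URL: https://example.com",
    "<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, ConnectionID: 34774, AccessControlRuleAction: Block with reset, SrcIP: 203.0.113.93, DstIP: 10.1.9.9, SrcPort: 13723, DstPort: 80, Protocol: tcp, AccessControlRuleName: GeoBlock other Countries, NAPPolicy: Balanced Security and Connectivity",
    "<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (00000000-0000-0000-0000-000000000000)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, URL: https://example.com, Initiator Bytes: 608, Responder Bytes: 4368, {TCP} 10.7.30.21:53431 -> 192.0.2.70:443",
]

if __name__ == "__main__":
    for ev in map(parse_ftd_syslog, SAMPLE_LINES):
        print(ev.product, ev.msgid, ev.severity, ev.fields.get("AccessControlRuleAction"), ev.flow())
    print(blocked_sources(map(parse_ftd_syslog, SAMPLE_LINES)))
```

Running the file prints one line per event followed by the blocked-source counts. Dropping the spaces from key names is the detail that matters: it lets a single condition on AccessControlRuleAction apply to both the FTD lines and the Sourcefire 3D lines, and the flow() helper hides whether the 5-tuple came from SrcIP/SrcPort fields or from the trailing {TCP} tuple.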