Cisco FirePower Threat Defense (FTD)

Cisco Firepower Threat Defense (FTD) combines the power of Cisco’s ASA firewall with its own IDS, previously called SourceFire IDS.

For versions 6.3 and higher, forward syslog from your Cisco FTD device so that events appear in InsightIDR.

Configure Syslog Forwarding from Cisco FTD

To configure syslog forwarding, you must complete four separate steps:

  1. Enable Logging
  2. Configure Logging Level
  3. Configure Syslog Settings
  4. Configure Syslog Alerting for Intrusion Events

Enable Logging

Logging must be enabled to configure syslog forwarding from Cisco FTD.

To enable logging, follow Cisco’s documentation at: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#anc7

Configure Logging Level

You must configure logging levels to define which severity levels of messages are sent to InsightIDR.

To configure logging levels, follow Cisco's documentation at: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#anc9

Configure Syslog Settings

You must configure syslog settings to set the facility value included in the syslog messages.

To configure syslog settings, follow Cisco's documentation at: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html#anc10

Configure Syslog Alerting for Intrusion Events

You must configure syslog alerting for intrusion events.

To do so, follow Cisco's documentation at: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Configuring_External_Alerting_for_Intrusion_Rules.html#ID-2212-000001bf

With this configuration, event IDs 430001, 430002, and 430003 appear in your syslog output and are sent to InsightIDR for parsing.

Configure Cisco FTD in InsightIDR

Now that you’ve configured syslog forwarding from Cisco FTD, you can configure this event source in InsightIDR.

  1. From the left menu, select Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the Firewall icon. The Add Event Source panel appears.
  4. Choose your collector.
  5. In the Select Event Source Type field, choose the option that corresponds to your Cisco Security Solution as outlined in the following table:
Cisco Security Solution               | InsightIDR Event Source Type
--------------------------------------|----------------------------------------------
ASA                                   | Cisco ASA event-source
NGIPS                                 | Cisco ASA event-source
NGFW                                  | Cisco ASA event-source
Any other Firepower service           | Cisco ASA event-source
Cisco ASA with FirePower services     | Cisco ASA event-source
Cisco FirePower Threat Defense (FTD)  | Cisco FTD event-source
Sourcefire 3D                         | Cisco FirePower (Sourcefire 3D) event-source

Optionally, give the event source a name.

  6. Choose the timezone that matches the location of your event source logs.
  7. Optionally choose to send unfiltered logs.
  8. Select an attribution source.
  9. Configure your default domain and any advanced settings.
  10. Select Syslog and specify a port and a protocol.
  • Optionally, if you chose TCP, encrypt the event source by downloading the Rapid7 Certificate.
  11. Click the Save button.

Attribution source options

Cisco FTD product logs can contain information about hosts and accounts. When setting up Cisco FTD as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  3. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  4. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.
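The four options above differ only in which source is tried first and whether the other is used as a fallback. The following added example (not Rapid7's attribution engine, just an illustration written for this page) models that ordering and runs it against two constructed records shaped like the FTD samples further down. The lookup table standing in for the IDR engine is constructed, and the example assumes that FTD's `User: Unknown` and `User: No Authentication Required` values count as "no account in the log line".

```python
"""Added example (not Rapid7's code): the four InsightIDR attribution-source
options applied to Cisco FTD connection events. The 'engine' is a constructed
lookup table standing in for the real InsightIDR attribution engine."""
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for what the IDR engine knows: source address -> asset/account.
ENGINE_TABLE: Dict[str, Dict[str, Optional[str]]] = {
    "10.101.11.21": {"asset": "ws-finance-07", "account": "jdoe"},  # constructed
}

# Values FTD writes into 'User:' when it has no identity (seen in this page's samples).
# Assumption: these mean "no account present in the log line".
NO_USER = {None, "", "Unknown", "No Authentication Required"}

Attribution = Optional[Dict[str, Optional[str]]]
Resolver = Callable[[Dict[str, str]], Attribution]


def idr_engine(fields: Dict[str, str]) -> Attribution:
    """'Use IDR engine': resolve the line's source address; None if unknown."""
    return ENGINE_TABLE.get(fields.get("SrcIP", ""))


def event_log(fields: Dict[str, str]) -> Attribution:
    """'Use event log': take the account named in the line itself; None if the
    line carries no usable identity (FTD lines on this page carry no asset name)."""
    user = fields.get("User")
    if user in NO_USER:
        return None
    return {"asset": None, "account": user}


# The four options from this page, as first-choice / fallback order.
MODES: Dict[str, Tuple[Resolver, ...]] = {
    "idr_engine_then_event_log": (idr_engine, event_log),
    "event_log_then_idr_engine": (event_log, idr_engine),
    "idr_engine_only": (idr_engine,),
    "event_log_only": (event_log,),
}


def attribute(fields: Dict[str, str], mode: str) -> Attribution:
    """Try the mode's resolvers in order; the first non-None result wins."""
    for resolver in MODES[mode]:
        result = resolver(fields)
        if result is not None:
            return result
    return None


# Constructed records modelled on the FTD samples later on this page.
KNOWN_HOST_NO_USER = {"SrcIP": "10.101.11.21", "User": "Unknown"}
UNKNOWN_HOST_WITH_USER = {"SrcIP": "192.0.2.44", "User": "alice"}

if __name__ == "__main__":
    for name in MODES:
        print(f"{name:27s} known host/no user -> {attribute(KNOWN_HOST_NO_USER, name)}")
        print(f"{name:27s} unknown host/user  -> {attribute(UNKNOWN_HOST_WITH_USER, name)}")
```

The practical point the run makes: FTD connection events frequently carry `User: Unknown`, so "Use event log only" leaves such events unattributed, while the engine-first modes still attach an asset and account via the source address.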

Verify the Configuration

To see Cisco FTD logs in InsightIDR, click Log Search in the left menu and confirm that events are reaching the Collector. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name, or "Cisco FTD" if you did not name the event source. Cisco FTD logs flow into these Log Sets:

  • Unified Asset Authentication
  • Ingress Authentication
  • Firewall
  • VPN Session
  • Web Proxy
  • Intrusion Detection System (IDS)

Logs take at least 7 minutes to appear in Log Search after you set up the event source.

Example Input Log

The following logs are examples of parsed syslog events from Cisco FTD.

To learn about what these codes mean, see the Cisco documentation here: https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html

Event ID: FTD-6-430003
Description: Identifies a connection event logged at the end of the connection.
Log example(s):

Mar 22 2019 16:51:29 firepower %FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.101.11.21, DstIP: 10.178.219.10, SrcPort: 46915, DstPort: 391, Protocol: udp, IngressZone: Inside, EgressZone: R7_Outside, ACPolicy: Access_Control, AccessControlRuleName: Allow_All_Outbound, Prefilter Policy: Prefilter, User: Unknown, Client: CLDAP client, ApplicationProtocol: CLDAP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 131, ResponderBytes: 0, NAPPolicy: Unknown

<118>2020-02-04T11:00:54Z %FTD-6-430003: DeviceUUID: 90e14378-2081-11e8-a7fa-d34972ba379f, AccessControlRuleAction: Allow, SrcIP: 75.150.94.75, DstIP: 172.30.0.2, SrcPort: 59698, DstPort: 8027, Protocol: tcp, IngressInterface: Outside2, EgressInterface: DMZ, IngressZone: Outside, EgressZone: DMZ, ACPolicy: Rapid7 5525X, AccessControlRuleName: Allow MDM - Out to DMZ, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, ConnectionDuration: 600, InitiatorPackets: 0, ResponderPackets: 0, InitiatorBytes: 31, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

Event ID: FTD-6-430002
Description: Identifies a connection event logged at the beginning of the connection.
Log example(s):

Apr 14 2019 12:52:31 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 10.10.5.76, DstIP: 53.119.122.22, SrcPort: 49905, DstPort: 443, Protocol: tcp, IngressInterface: 0005_Inside, EgressInterface: 0005_Outside, IngressZone: Inside, EgressZone: Outside, ACPolicy: IZ1235WH02_Access_Control, AccessControlRuleName: Blocked Countries Outbound, Prefilter Policy: IZ1235WH02_Prefilter, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Office 365, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 459, ResponderBytes: 78, NAPPolicy: Unknown, URL: https://nexus.randomapps.live.com

Mar 22 2019 16:50:24 firepower %FTD-6-430002: AccessControlRuleAction: Block with reset, SrcIP: 192.178.3.87, DstIP: 179.210.1.120, SrcPort: 60450, DstPort: 443, Protocol: tcp, IngressZone: Guest_Internet_DMZ, EgressZone: RandomCorp_Outside, ACPolicy: IZ1235WH02_Access_Control, AccessControlRuleName: Block High Risk Apps, Prefilter Policy: IZ1235WH02_Prefilter, User: Unknown, Client: SSL client, ApplicationProtocol: HTTPS, WebApplication: Doubleclick, InitiatorPackets: 3, ResponderPackets: 1, InitiatorBytes: 408, ResponderBytes: 78, NAPPolicy: Unknown, URL: https://sanitised.words.fakeclick.net

Event ID: NGIPS-1-430003
Description: Identifies a connection event logged at the end of the connection.
Log example(s):

<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, DeviceUUID: e8566508-eaa9-11e5-860f-de3e305d8269, InstanceID: 3, FirstPacketSecond: 2020-02-04T08:45:34Z, ConnectionID: 34774, AccessControlRuleAction: Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, SrcPort: 13723, DstPort: 80, Protocol: tcp, IngressInterface: outside, EgressInterface: seversDMZ, ACPolicy: Basic IPS/IDS and GeoIP block foreign contries, AccessControlRuleName: GeoBlock other Countries, Prefilter Policy: Unknown, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 54, ResponderBytes: 0, NAPPolicy: Balanced Security and Connectivity

Cisco FTD can also produce logs in the same format as some Sourcefire 3D log lines. These log lines do not contain an Event ID. Here is an example of these logs:

<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine (11727814-7b90-11e2-b768-a8d573eb9cc3)][MHPSA] Connection Type: Start, User: Unknown, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: CatchAll-Scan_for_Malware, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Parked Domains, URL Reputation: Well known, URL: https://rapid7.com, Interface Ingress: s1p1, Interface Egress: s1p2, Security Zone Ingress: Internal, Security Zone Egress: External, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 4, Responder Packets: 4, Initiator Bytes: 608, Responder Bytes: 4368, Context: Unknown, SSL Rule Name: N/A, SSL Flow Status: N/A, SSL Cipher Suite: N/A, SSL Certificate: 0000000000000000000000000000000000000000, SSL Subject CN: N/A, SSL Subject Country: N/A, SSL Subject OU: N/A, SSL Subject Org: N/A, SSL Issuer CN: N/A, SSL Issuer Country: N/A, SSL Issuer OU: N/A, SSL Issuer Org: N/A, SSL Valid Start Date: N/A, SSL Valid End Date: N/A, SSL Version: N/A, SSL Server Certificate Status: N/A, SSL Actual Action: N/A, SSL Expected Action: N/A, SSL Server Name: (null), SSL URL Category: N/A, SSL Session ID: 0000000000000000000000000000000000000000000000000000000000000000, SSL Ticket Id: 0000000000000000000000000000000000000000, {TCP} 10.7.30.21:53431 -> 66.55.15.70:443
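The two layouts shown in this section differ in more than the missing event ID: the FTD/NGIPS lines carry a `%FACILITY-SEVERITY-EVENTID:` header and compact key names such as `SrcIP`, while the Sourcefire-3D-style lines use spaced key names (`Access Control Rule Action`) and put the endpoints in a trailing `{TCP} src:port -> dst:port` tuple. The following added parser (written for this page; it is not Rapid7's or Cisco's code) handles both and maps them onto one set of field names so a single detection rule can match either. Two of the embedded samples are taken from this page (the NGIPS and Sourcefire lines abridged to their leading fields); the third is constructed to show the one parsing trap in this format, a rule name that itself contains commas.

```python
"""Added example (not Rapid7's or Cisco's code): parse the two syslog layouts
shown above, FTD/NGIPS '%FTD-6-430003: Key: value, ...' and the Sourcefire-3D
style with no event ID and a trailing {TCP} flow tuple, into one record shape."""
import re
from typing import Dict, Optional, Tuple

# %FTD-6-430003: -> facility FTD, severity 6, event id 430003
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"            # optional syslog <PRI>
    r"(?P<prefix>.*?)"                 # timestamp and host/tag tokens, kept verbatim
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<event_id>\d+):\s*"
    r"(?P<body>.*)$"
)
# Sourcefire-3D style: '... [Primary Detection Engine (<uuid>)][<tag>] Key: value, ...'
SF3D_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<prefix>.*?)\[Primary Detection Engine \((?P<engine>[^)]*)\)\]"
    r"(?:\[[^\]]*\])*\s*(?P<body>.*)$"
)
# Trailing 5-tuple on Sourcefire-3D-style lines: {TCP} 10.7.30.21:53431 -> 66.55.15.70:443
FLOW_RE = re.compile(
    r"^\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
Flow = Tuple[str, str, int, str, int]


def parse_kv(body: str) -> Tuple[Dict[str, str], Optional[Flow]]:
    """Split 'Key: value, Key: value, ...'. A segment with no ': ' is a comma
    inside the previous value (rule names can contain commas), so it is
    re-joined to that value instead of becoming a bogus key."""
    fields: Dict[str, str] = {}
    flow: Optional[Flow] = None
    last_key: Optional[str] = None
    for seg in body.split(", "):
        m = FLOW_RE.match(seg)
        if m:
            flow = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            continue
        key, sep, value = seg.partition(": ")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] += ", " + seg
    return fields, flow


def parse_line(line: str) -> Optional[dict]:
    """Return a record for either layout, or None for an unrecognised line."""
    m = HEADER_RE.match(line)
    if m:
        fields, flow = parse_kv(m["body"])
        return {"facility": m["facility"], "severity": int(m["severity"]),
                "event_id": m["event_id"], "fields": fields, "flow": flow}
    m = SF3D_RE.match(line)
    if m:
        fields, flow = parse_kv(m["body"])
        return {"facility": "Sourcefire3D", "severity": None, "event_id": None,
                "fields": fields, "flow": flow}
    return None


def normalize(rec: dict) -> dict:
    """Map both layouts onto one key set so a single rule can match either."""
    f = rec["fields"]
    if rec["event_id"] is not None:          # FTD / NGIPS key names
        return {"action": f.get("AccessControlRuleAction"), "src_ip": f.get("SrcIP"),
                "dst_ip": f.get("DstIP"),
                "dst_port": int(f["DstPort"]) if f.get("DstPort", "").isdigit() else None,
                "protocol": f.get("Protocol"), "rule": f.get("AccessControlRuleName")}
    proto, src, _sport, dst, dport = rec["flow"] or (None, None, None, None, None)
    return {"action": f.get("Access Control Rule Action"), "src_ip": src, "dst_ip": dst,
            "dst_port": dport, "protocol": proto.lower() if proto else None,
            "rule": f.get("Access Control Rule Name")}


# Samples: SAMPLE_FTD is from this page; SAMPLE_NGIPS and SAMPLE_SF3D are this page's
# lines abridged to their leading fields; SAMPLE_COMMA is constructed (comma in rule name).
SAMPLE_FTD = ("Mar 22 2019 16:51:29 firepower %FTD-6-430003: AccessControlRuleAction: Allow, "
              "SrcIP: 10.101.11.21, DstIP: 10.178.219.10, SrcPort: 46915, DstPort: 391, "
              "Protocol: udp, IngressZone: Inside, EgressZone: R7_Outside, ACPolicy: Access_Control, "
              "AccessControlRuleName: Allow_All_Outbound, Prefilter Policy: Prefilter, User: Unknown, "
              "Client: CLDAP client, ApplicationProtocol: CLDAP, ConnectionDuration: 0, "
              "InitiatorPackets: 1, ResponderPackets: 0, InitiatorBytes: 131, ResponderBytes: 0, NAPPolicy: Unknown")
SAMPLE_NGIPS = ("<113>2020-02-04T08:45:34Z r7Firepower FP1 %NGIPS-1-430003: EventPriority: Low, "
                "AccessControlRuleAction: Block with reset, SrcIP: 93.157.158.93, DstIP: 10.1.9.9, "
                "SrcPort: 13723, DstPort: 80, Protocol: tcp, ACPolicy: Basic IPS/IDS and GeoIP block foreign contries, "
                "AccessControlRuleName: GeoBlock other Countries, Prefilter Policy: Unknown")
SAMPLE_COMMA = ("Mar 22 2019 16:52:00 firepower %FTD-6-430002: AccessControlRuleAction: Block, "
                "SrcIP: 10.0.0.5, DstIP: 10.0.0.9, SrcPort: 40000, DstPort: 445, Protocol: tcp, "
                "AccessControlRuleName: Deny SMB 139, 445, Prefilter Policy: Default Prefilter Policy")
SAMPLE_SF3D = ("<113>Mar 18 11:38:39 Sourcefire3D sfdc1500avc: [Primary Detection Engine "
               "(11727814-7b90-11e2-b768-a8d573eb9cc3)][MHPSA] Connection Type: Start, User: Unknown, "
               "Client: SSL client, Application Protocol: HTTPS, Access Control Rule Name: CatchAll-Scan_for_Malware, "
               "Access Control Rule Action: Allow, URL: https://rapid7.com, Client Version: (null), "
               "{TCP} 10.7.30.21:53431 -> 66.55.15.70:443")

if __name__ == "__main__":
    for line in (SAMPLE_FTD, SAMPLE_NGIPS, SAMPLE_COMMA, SAMPLE_SF3D):
        print(normalize(parse_line(line)))
```

The continuation rule in `parse_kv` is what keeps free-text values such as access control rule names from corrupting neighbouring fields; a naive split on `, ` followed by a split on `:` would also mangle the `URL:` values, which contain a colon of their own, and the `{TCP}` flow tuple, which has no key at all.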