About the Device

Cisco Firepower Threat Defense (FTD) is a unified software image that combines the Cisco ASA feature set with FirePOWER Services, so ASA firewall functions and FirePOWER next-generation features are delivered on one platform, in both hardware and software terms. The device is managed from the Firepower Management Center (FMC), and all of the configuration steps below are performed in the FMC user interface.

Device Information

Entity            Particulars
Vendor Name       Cisco
Product Name      FTD
Type of Device    Hosted

Collection Method

Log Type                Ingestion label             Preferred Logging Protocol    Log Collection Method
Cisco Firepower NGFW    CISCO_FIREPOWER_FIREWALL    Syslog                        CyberHub

Port Requirements

Source                  Destination    Port
Cisco Firepower NGFW    CyberHub       514 (UDP)

Device Configuration

To send events to an external syslog server, edit each access control rule, default action, or policy that has connection logging enabled and select a syslog server object in its log settings. Logging is configured per rule, so a rule without a syslog destination produces no events on the CyberHub even when the global syslog settings below are correct.

image-20240401-085435.png

To send Audit Log Messages to the Syslog

  1. Choose Devices > Platform Settings.

  2. Click Audit Log.

  3. Choose Enabled from the Send Audit Log to Syslog drop-down list.

  4. Designate the destination host for the audit information by entering the IP address or the fully qualified domain name of the syslog server in the Host field.

  5. From the Facility list, choose a facility from the Syslog Alert Facilities table below.

  6. From the Severity list, choose a severity from the Severity Levels table below.

  7. Optionally, in the Tag field, enter the tag that you want to appear with the syslog message. For example, if you want all audit log records sent to the syslog to be preceded with FROMMC, enter FROMMC in the field.

  8. Click Save.

image-20240108-115324.png

To Configure Syslog Alerts

  1. Choose Policies > Actions > Alerts and create a new syslog alert object for MSS.

  2. In Name, specify a name for the syslog server object.

  3. In Host, enter the CyberHub IP address.

  4. In Port, enter 514.

  5. From the Facility list, choose a facility.

  6. From the Severity list, choose a severity.

  7. Optionally, in the Tag field, enter the tag that you want to appear with the syslog message. For example, if you want every alert sent through this object to be preceded with FROMMC, enter FROMMC in the field.

  8. Click Save.

  9. Select the created object wherever a syslog alert response is chosen in the remaining policy tabs (access control, intrusion and file policies).

Syslog settings for the FTD device

Step 1

  • Choose Devices > Platform Settings > FTD Device > Syslog

 Step 2

In Logging Setup, select the following:

  • Enable logging

  • Enable logging on the failover standby unit

  • Send debug messages as syslog

  • Set the memory size of the internal buffer

image-20240108-115355.png

Adaptive MxDR does not support the Names feature (which substitutes object names for IP addresses in messages) or Cisco EMBLEM format logging. Both features must remain disabled, otherwise the messages will not parse correctly on the CyberHub.

Step 3

In Logging Destinations, add the syslog server destination and select the event classes listed below.

Event Class    Description
IP             IP Stack
auth           User Authentication
bridge         Transparent Firewall
ca             PKI Certification Authority
config         Command Interface
ha             Failover
ids            Intrusion Detection System
np             Network Processor
rip            RIP Routing
rm             Resource Manager
session        User Session
snmp           SNMP
sys            System
vpdn           PPTP and L2TP Sessions
vpn            IKE and IPsec
vpnc           VPN Client
webvpn         WebVPN and AnyConnect Client
vpnfo          VPN Failover

image-20240108-115431.png

image-20240108-115504.png

Step 4

  • In Rate Limit, specify the Logging Level and the Number of messages permitted per interval. Set the limit high enough that connection events are not dropped during traffic peaks; messages above the limit are discarded on the device and never reach the CyberHub.

image-20240108-115527.png

Step 5

  • In Syslog Settings, set Facility to LOCAL4.

  • Select Enable timestamp on syslog messages.

  • Select the timestamp format RFC 5424 (yyyy-MM-ddTHH:mm:ssZ).

  • Select Enable Syslog Device ID and choose Host Name, so that every message carries the device hostname.

  • Enable or disable individual syslog message IDs as needed; the defaults are sufficient for the event classes selected in Step 3.

image-20240108-115555.png

Step 6

  • In Syslog Server, add a server and specify the CyberHub IP address.

  • Select the protocol: UDP is the preferred protocol (see Port Requirements); TCP is also supported.

  • Specify the port number: 514 for UDP, or 601 if TCP is used.

  • Under Reachable By, select Device Management Interface (or the security zone or named interface from which the CyberHub is reachable).

  • Click OK.

image-20240108-115619.png
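Once Steps 5 and 6 are applied, the quickest way to confirm the device is emitting what the CyberHub expects is to capture a few lines at the syslog destination and check them offline. The script below is an added example written for this page, not Cisco or CyberHub code. It assumes the non-EMBLEM layout `<PRI>timestamp device-id %FTD-<severity>-<message-id>: text`, an RFC 5424 timestamp as selected in Step 5, and, for connection events 430002/430003, a body made of `Key: Value` pairs separated by commas. Every sample line is constructed for the demonstration; the message IDs used (430003, 106023, 302013, 302014) are standard FTD IDs but the field values are invented.

```python
"""Offline sanity checks for FTD syslog output as configured in Steps 5 and 6.

Added example for this page; not Cisco or CyberHub code.  Assumptions:
  * non-EMBLEM layout  <PRI>RFC5424-timestamp device-id %FTD-<sev>-<msgid>: <text>
  * connection events (430002 / 430003) carry "Key: Value" pairs separated by ", "
All SAMPLE_LINES are constructed, not captured from a real device.
"""
from __future__ import annotations

import re
from datetime import datetime

EXPECTED_FACILITY = 20  # LOCAL4, the facility chosen in Step 5
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console solaris-cron local0 local1 local2 local3 "
              "local4 local5 local6 local7").split()
SEVERITIES = ("emergencies alert critical error warning notification "
              "informational debugging").split()
CONNECTION_EVENT_IDS = {"430002", "430003"}  # connection start / connection end

# The header regex requires an RFC 5424 timestamp, so legacy "Jan 08 2024 11:55:16"
# output (timestamp format not set in Step 5) is rejected as an unexpected layout.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"(?P<host>\S+)\s+(?::\s+)?"
    r"%FTD-(?P<msg_sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")

SAMPLE_LINES = [  # constructed sample input
    "<166>2024-01-08T11:55:12Z ftd01 %FTD-6-430003: DeviceUUID: 1a2b3c4d-0000-4000-8000-000000000001, "
    "AccessControlRuleAction: Allow, SrcIP: 10.10.1.25, DstIP: 198.51.100.7, SrcPort: 51514, "
    "DstPort: 443, Protocol: tcp, InitiatorPackets: 12, ResponderPackets: 10, ConnectionDuration: 2",
    "<164>2024-01-08T11:55:13Z ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.9/4433 "
    "dst inside:10.10.1.25/22 by access-group \"outside_in\"",
    # facility in PRI is "user" (1), i.e. Step 5 was not applied
    "<14>2024-01-08T11:55:14Z ftd01 %FTD-6-302013: Built inbound TCP connection 4711",
    # PRI says informational but the message level is warning
    "<166>2024-01-08T11:55:15Z ftd01 %FTD-4-106023: Deny udp src outside:203.0.113.9/53 "
    "dst inside:10.10.1.25/53 by access-group \"outside_in\"",
    # legacy timestamp, not RFC 5424
    "<166>Jan 08 2024 11:55:16 ftd01 %FTD-6-302014: Teardown TCP connection 4711",
]


def decode_pri(pri: int) -> tuple[int, int]:
    """Split the syslog PRI value into (facility, severity) per RFC 3164/5424."""
    return pri // 8, pri % 8


def parse_line(line: str) -> dict:
    """Parse one FTD syslog line; raise ValueError if the layout is not as expected."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unexpected layout (EMBLEM or legacy timestamp?): {line[:48]!r}")
    facility, severity = decode_pri(int(m["pri"]))
    rec = {
        "facility": facility,
        "severity": severity,
        "msg_severity": int(m["msg_sev"]),
        "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "host": m["host"],
        "msgid": m["msgid"],
        "body": m["body"],
    }
    if rec["msgid"] in CONNECTION_EVENT_IDS:
        rec["fields"] = dict(KV_RE.findall(m["body"]))  # e.g. {"SrcIP": "10.10.1.25", ...}
    return rec


def check_line(line: str) -> list[str]:
    """Return findings for one line; an empty list means the line looks right."""
    try:
        rec = parse_line(line)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if rec["facility"] != EXPECTED_FACILITY:
        findings.append(f"facility {FACILITIES[rec['facility']]} != local4 (Step 5)")
    if rec["severity"] != rec["msg_severity"]:
        findings.append(f"PRI severity {SEVERITIES[rec['severity']]} does not match "
                        f"%FTD-{rec['msg_severity']} level")
    return findings


def audit(lines) -> dict[int, list[str]]:
    """Map 1-based line numbers to their findings, omitting clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := check_line(line))}


if __name__ == "__main__":
    for n, findings in audit(SAMPLE_LINES).items():
        print(f"line {n}: " + "; ".join(findings))
```

Feed it the lines captured on the CyberHub (for example the output of `tcpdump -A udp port 514` or the collector's raw log) in place of SAMPLE_LINES. A line rejected for its layout usually means EMBLEM format or the legacy timestamp is still on; a wrong facility means the Step 5 setting was not deployed to the device.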

To Configure Syslog Alerting for Access Control

  1. After creating the access control policy, edit each rule and enable logging so that connection events are sent to the syslog server or the SNMP trap.

  2. The following options are available:

  • Log at Beginning of Connection

  • Log at End of Connection

  • File Events: Log Files

  • Send Connection Events to: Event Viewer, Syslog Server and SNMP Trap

image-20240108-115644.png

To Configure File Events

  1. Create a file policy from Policies > Malware & File.

image-20240108-115709.png

Select Log Files if you want to log prohibited-file or malware events. You must select a file policy in the rule to configure this option; it is enabled by default once a file policy is selected for the rule.

  2. To select a file policy, click Inspection in the rule and choose the file policy created previously.

image-20240108-115737.png

  3. After the file policy is selected, Log Files is highlighted and selected automatically. It can be enabled or disabled as needed.

image-20240108-115816.png

To Configure Syslog Alerting for Intrusion Events

  1. In the intrusion policy editor's navigation pane, click Advanced Settings.

  2. Make sure Syslog Alerting is Enabled, then click Edit.

  3. A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.

image-20240108-115839.png

  4. Enter the IP addresses of the Logging Hosts to which you want to send syslog alerts.

  5. If you leave the Logging Hosts field blank, the logging host details are taken from the Logging tab of the associated access control policy.

image-20240108-115916.png

  6. Choose the Facility and Severity levels from the tables below.

Syslog Alert Facilities

Facility         Description
AUTH             A message associated with security and authorization.
AUTHPRIV         A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file.
CRON             A message generated by the clock daemon.
DAEMON           A message generated by a system daemon.
FTP              A message generated by the FTP daemon.
KERN             A message generated by the kernel. On many systems, these messages are printed to the console when they appear.
LOCAL0-LOCAL7    A message generated by an internal process.
LPR              A message generated by the printing subsystem.
MAIL             A message generated by a mail system.
NEWS             A message generated by the network news subsystem.
SYSLOG           A message generated by the syslog daemon.
USER             A message generated by a user-level process.
UUCP             A message generated by the UUCP subsystem.


Severity Levels Available

Level Number    Severity Level    Description
0               emergencies       System is unusable.
1               alert             Immediate action is needed.
2               critical          Critical conditions.
3               error             Error conditions.
4               warning           Warning conditions.
5               notification      Normal but significant conditions.
6               informational     Informational messages only.
7               debugging         Debugging messages only.

  7. To save the changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy without committing, the changes made since the last commit are discarded when you edit a different policy.

Integration Parameters

Parameters required from the customer for integration.

Property      Default Value                     Description
IP Address    Cisco FTD interface IP address    Hostname or IP address of the device that forwards logs to the CyberHub
