Cisco FTD
About the Device
Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering the function of ASA and FirePOWER in one platform, both in terms of hardware and software features.
Device Information
Entity | Particulars |
---|---|
Vendor Name | Cisco |
Product Name | FTD |
Type of Device | Hosted |
Collection Method
Log Type | Ingestion label | Preferred Logging Protocol - Format | Log Collection Method |
---|---|---|---|
Cisco Firepower NGFW | CISCO_FIREPOWER_FIREWALL | Syslog | CyberHub |
Port Requirements
Source | Destination | Port |
---|---|---|
Cisco FTD | CyberHub | 601 (TCP) |
To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.
While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.
In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.
Device Configuration
To send events to an external syslog server, edit each rule, default action, or policy that enables connection logging and select a syslog server object in the log settings.
To send Audit Log Messages to the Syslog
Choose Devices > Platform Settings
Click Audit Log.
Choose Enabled from the Send Audit Log to Syslog list.
Designate the destination host for the audit information by using the IP address or the fully qualified name of the syslog server in the Host field.
From the Facility list, choose a facility from the Syslog Alert Facilities table below.
From the Severity list, choose a severity from the Severity Levels table below.
Optionally, in the Tag field, enter the tag name that you want to appear with the syslog message. For example, if you want all audit log records sent to the syslog to be preceded with FROMMC, enter FROMMC in the field. Click Save.
To Configure Syslog Alerts
Choose Policies > Actions > Alerts and create a new syslog object for MSS.
In Name, specify a name for the syslog server object.
In Host, enter the CyberHub IP address.
In Port, enter 514.
From the Facility list, choose a facility.
From the Severity list, choose a severity.
Optionally, in the Tag field, enter the tag name that you want to appear with the syslog message. For example, if you want all audit log records sent to the syslog to be preceded with FROMMC, enter FROMMC in the field. Click Save.
Apply the created object to the rest of the tabs.
Syslog settings for the FTD device
Step 1
Choose Devices > Platform Settings > FTD Device > Syslog
Step 2
In Logging Setup, select the following:
Enable logging
Enable logging on the failover standby unit
Send debug messages as syslog
Set the memory size of the internal buffer
Adaptive MxDR does not support the Names feature or Cisco EMBLEM format logging. Both features must remain disabled.
Step 3
In Logging Destinations, select the event classes listed below.
Event List | Description |
---|---|
IP | IP Stack |
auth | User Authentication |
bridge | Transparent Firewall |
ca | PKI Certification Authority |
config | Command Interface |
ha | Failover |
ids | Intrusion Detection System |
np | Network Processor |
rip | RIP Routing |
rm | Resource Manager |
session | User Session |
snmp | SNMP |
sys | System |
vpdn | PPTP and L2TP Sessions |
vpn | IKE and IPsec |
vpnc | VPN Client |
webvpn | WebVPN and AnyConnect Client |
vpnfo | VPN Failover |
Step 4
In Rate Limit, specify the Logging Level and Number of messages.
Step 5
In Syslog Settings, set Facility as LOCAL4
Select Enable timestamp for syslog messages.
Select timestamp format as RFC 5424 ( yyyy-MM-ddTHH:mm:ssZ )
Select Enable syslog ID as Host name.
Enable the syslog IDs as needed.
Step 6
In Syslog Server, specify the CyberHub IP address.
Select the protocol (TCP or UDP).
Specify the port number (514 or 601).
Select Device management Interface.
Click OK
To Configure Syslog Alerting for Access Control
1. After creating the access policy, enable logging to send the access policy log to the syslog server or the SNMP trap.
2. The following options are available:
Log at Beginning of Connection
Log at End of Connection
File Events: Log Files
Send Connection Events to: Event Viewer, Syslog Server and SNMP Trap
To Configure File Events:
1. Create a file policy from Policies > Malware & File.
2. Select Log Files if you want to enable logging of prohibited files or malware events. You must select a file policy in the rule to configure this option. The option is enabled by default if you select a file policy for the rule. To select a file policy, click Inspection and select a file policy created previously.
3. After selecting Log Files, it is automatically highlighted and selected. It can be enabled or disabled based on your needs.
To Configure Syslog Alerting for Intrusion Events
In the intrusion policy editor's navigation pane, click Advanced Settings.
Make sure Syslog Alerting is Enabled, then click Edit.
A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.
Enter the IP addresses of the Logging Hosts where you want to send syslog alerts.
If you leave the Logging Hosts field blank, the logging hosts details are taken from the Logging tab in the associated Access Control Policy.
Choose the Facility and Severity levels as described in the tables below.
Syslog Alert Facilities
Facility | Description |
---|---|
AUTH | A message associated with security and authorization. |
AUTHPRIV | A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file. |
CRON | A message generated by the clock daemon. |
DAEMON | A message generated by a system daemon. |
FTP | A message generated by the FTP daemon. |
KERN | A message generated by the kernel. On many systems, these messages are printed to the console when they appear. |
LOCAL0-LOCAL7 | A message generated by an internal process. |
LPR | A message generated by the printing subsystem. |
MAIL | A message generated by a mail system. |
NEWS | A message generated by the network news subsystem. |
SYSLOG | A message generated by the syslog daemon. |
USER | A message generated by a user-level process. |
UUCP | A message generated by the UUCP subsystem. |
Severity Levels Available
Level Number | Severity Level | Description |
---|---|---|
0 | emergencies | System is unusable. |
1 | alert | Immediate action is needed. |
2 | critical | Critical conditions. |
3 | error | Error conditions. |
4 | warning | Warning conditions. |
5 | notification | Normal but significant conditions. |
6 | informational | Informational messages only. |
7 | debugging | Debugging messages only. |
To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.
If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.
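The facility and severity tables above are exactly what a collector needs to decode the syslog PRI value each FTD message carries (PRI = facility number × 8 + severity level). The script below is an added example, not part of this guide or of Cisco's own tooling: it decodes the PRI, names the facility and severity using the tables, and flags messages that do not match the settings chosen in Step 5 of the syslog settings (facility LOCAL4, RFC 5424 yyyy-MM-ddTHH:mm:ssZ timestamps, hostname enabled). The on-wire layout `<PRI>TIMESTAMP HOSTNAME %FTD-<severity>-<message id>: text` is an assumption about how FTD emits messages with those settings, and the sample lines (hostname, addresses, connection numbers) are constructed, not captured from a device.

```python
"""Collector-side sanity check for Cisco FTD syslog output.

Added example: decodes each message's PRI into the facility and severity names
used in this guide's tables and reports deviations from the recommended settings
(facility LOCAL4, RFC 5424 timestamp with trailing Z, no EMBLEM format).
"""
import re
from datetime import datetime

# Standard syslog facility numbers for the facilities listed in the guide's table.
FACILITIES = {
    0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH", 5: "SYSLOG",
    6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON", 10: "AUTHPRIV", 11: "FTP",
    16: "LOCAL0", 17: "LOCAL1", 18: "LOCAL2", 19: "LOCAL3",
    20: "LOCAL4", 21: "LOCAL5", 22: "LOCAL6", 23: "LOCAL7",
}

# Severity names as the guide's table lists them, indexed by level number 0-7.
SEVERITIES = ["emergencies", "alert", "critical", "error",
              "warning", "notification", "informational", "debugging"]

EXPECTED_FACILITY = "LOCAL4"        # Step 5: Facility set to LOCAL4
RFC5424_TS = "%Y-%m-%dT%H:%M:%SZ"   # Step 5: yyyy-MM-ddTHH:mm:ssZ

# Assumed layout once hostname and RFC 5424 timestamp are enabled:
#   <PRI>TIMESTAMP HOSTNAME %FTD-<severity>-<message id>: text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)$"
)


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    fac_num, sev_num = divmod(pri, 8)
    return FACILITIES.get(fac_num, f"UNKNOWN({fac_num})"), SEVERITIES[sev_num]


def parse_line(line):
    """Parse one FTD syslog line; return None if it does not have the expected layout
    (an EMBLEM-format line, for example, carries no hostname and a different timestamp)."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    issues = []
    if facility != EXPECTED_FACILITY:
        issues.append(f"facility is {facility}, guide expects {EXPECTED_FACILITY}")
    if SEVERITIES.index(severity) != int(m.group("sev")):
        issues.append("severity in PRI disagrees with %FTD-<sev> header")
    try:
        datetime.strptime(m.group("ts"), RFC5424_TS)
    except ValueError:
        issues.append("timestamp is not in the yyyy-MM-ddTHH:mm:ssZ format")
    return {
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "facility": facility,
        "severity": severity,
        "msgid": m.group("msgid"),
        "message": m.group("msg"),
        "issues": issues,
    }


def audit(lines):
    """Summarise a batch: parsed records, lines that did not parse, and every issue found."""
    parsed, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            parsed.append(rec)
    issues = [(r["msgid"], i) for r in parsed for i in r["issues"]]
    return {"parsed": parsed, "unparsed": unparsed, "issues": issues}


# Constructed sample lines (hostname, addresses and connection ids are made up).
SAMPLE_LINES = [
    # PRI 166 = LOCAL4 (20) * 8 + informational (6): matches the guide's settings
    "<166>2024-05-01T10:15:30Z ftd-edge-01 %FTD-6-302013: Built outbound TCP connection 4711 "
    "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.20/51234 (192.0.2.20/51234)",
    # PRI 164 = LOCAL4 * 8 + warning (4)
    "<164>2024-05-01T10:15:31Z ftd-edge-01 %FTD-4-106023: Deny tcp src outside:198.51.100.5/4444 "
    "dst inside:192.0.2.20/22 by access-group \"outside_in\"",
    # PRI 132 = LOCAL0 (16) * 8 + warning: facility left at a default other than LOCAL4
    "<132>2024-05-01T10:15:32Z ftd-edge-01 %FTD-4-106023: Deny tcp src outside:198.51.100.5/4445 "
    "dst inside:192.0.2.20/22 by access-group \"outside_in\"",
    # Numeric UTC offset instead of the trailing Z the guide asks for
    "<166>2024-05-01T10:15:33+02:00 ftd-edge-01 %FTD-6-302014: Teardown TCP connection 4711 "
    "for outside:203.0.113.10/443 to inside:192.0.2.20/51234 duration 0:00:03 bytes 1234 TCP FINs",
    # EMBLEM-style layout (no hostname, different timestamp): does not match the expected layout
    "<166>May 01 2024 10:15:34: %FTD-6-302014: Teardown TCP connection 4712 for outside:203.0.113.10/443 "
    "to inside:192.0.2.21/51235 duration 0:00:01 bytes 98 TCP FINs",
]

if __name__ == "__main__":
    result = audit(SAMPLE_LINES)
    for r in result["parsed"]:
        print(r["facility"], r["severity"], r["msgid"], r["issues"])
    print("unparsed lines:", len(result["unparsed"]))
```

Run against a short capture from the collector: any parsed record with a non-empty `issues` list, or any line in `unparsed`, points at a Step 5 or EMBLEM setting that was not applied as this guide describes.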
Integration Parameters
Parameters required from the customer for integration.
Property | Default Value | Description |
---|---|---|
IP Address | Cisco FTD interface IP address | Hostname or IP address of the device which forwards logs to the CyberHub |
About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.
About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.