Accenture MDR Quick Start Guide for Cisco Firepower Threat Defense (FTD) using Syslog configuration

Owned by KS
Last updated: Apr 03, 2024 by Aparna Rr
5 min read

This quick start guide will help Accenture MDR customers configure Cisco Firepower Threat Defense (FTD) to send logs to the Log collection Platform (LCP).

This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source

Destination

Port

Description

Cisco FTD 

LCP

514 (UDP) or

601 (TCP)

Default port

Configuring Cisco FTD

You have to configure the below settings to send the FTD events

To configure Audit Log Messages 

  1. Log in to the Cisco Firepower management center console.

  2. Navigate to Devices > Platform Settings

  3. ​Click Audit Log.

  4. Select Enabled from the Send Audit Log to Syslog drop-down menu.

  5. Enter the Syslog IP Address or fully qualified host name of the syslog server in the Host field.

  6. Select Syslog from the Facility drop-down menu. 

  7. Select INFO from the Severity drop-down menu

  8. Click Save.   

 To Configure Syslog Alerts:

  1. Navigate to Policies > Actions > Alerts,.

  2. Create a new syslog object for MDR.

  3. Enter the Name for syslog server object.

  4. Enter the LCP IP Address in the Host field.

  5. Enter the Port 514 in the Port field.

  6. Select Local 4 from the Facility drop-down menu. 

  7. Select INFO from the Severity drop-down menu. 

  8. Click Save.

  9. Apply the created object to the rest of the tabs.

Syslog settings for the FTD device:

  1. Navigate to Devices > Platform Settings > FTD Device > Syslog

  2. Under Logging Setup, check the following:

  • Check the Enable Logging and Enable logging on the failover standby unit

  • Check the send syslog in EMBLEM format

  • Check the Send debug messages as syslogs

  • Set the memory size of the internal buffer.                                                                  

    NOTE: MxDR doesn't support Names feature. This feature needs to be kept disabled. 

  • To send syslog messages in Emblem format - enable checkbox for "Send syslog in EMBLEM format" to start receiving logs in emblem format.

  • Cisco Emblem log forwarding will only be supported by UDP. It does not support TCP as per vendor.

  • Current handling of emblem format is based on versions : versions 7.0.5 and later, and 7.2.x and later. Emblem format for previous versions might change and may not be supported by collector.

image2024-3-28_11-9-52.png

 

3. Under logging destinations, create a new syslog destination by clicking Add or edit the required logging destination from the list.                                                                

  •  Choose the syslog servers as logging destination from the Logging Destination drop-down.

  • Choose Filter on Severity from the Event class drop-down and choose debugging as the logging level.

  • To add the below event classes to this Logging filter, click Add under the Event list tab.

S.NO

Event Class

Description

1

IP

IP Stack

2

auth

User Authentication

3

bridge

Transparent Firewall

4

ca

PKI Certification Authority

5

config

Command Interface

6

ha

Failover

7

ids

Intrusion Detection System

8

np

Network Processor

9

rip

RIP Routing

10

rm

Resource Manager

11

session

User Session

12

snmp

SNMP

13

sys

System

14

vpdn

PPTP and L2TP Sessions

15

vpn

IKE and IPsec

16

vpnc

VPN Client

17

webvpn

WebVPN and Any Connect Client

18

vpnfo

VPN Failover

 

  • Choose the Event Class from above list in the Event Class drop-down list.

  •  Choose the Syslog severity from the Syslog Severity drop-down list. 

4. Under Rate Limit tab, select the logging level and enter the Number of messages.

5. Under Syslog Settings tab,

  • Select the Facility as LOCAL 4 from drop-down menu.

  • Check Enable timestamp for syslog messages box

  • Select the Timestamp Format as RFC 5424 (yyyy-MM-ddTHH:mm:ssZ) from drop-down menu.

  • Check the Enable syslog ID as Host name.

  • Enable the Syslog ID's as need.

6. Under syslog server tab,

  • Select the LCP IP address from the drop-down menu.

  • Choose the protocol as TCP or UDP

  • Enter the port number as 514/601

  • Check Device management Interface.

  • Click OK.                                                                        

 Configuring Syslog Alerting for Access Control

  1. Navigate to Access Control.

  2. Enable the Access policy to send logs to Syslog

  3. Check the box Log at End of Connection

  4. Select Log files as File events . 

  5. Send the connection events to Syslog server                                                                           

Configuring File Events

  1. Navigate to Policies >> Malware & File and create a file policy.                                                                 

Note: Select Log Files in order to enable logging of prohibited files or malware events. File policy must be selected in the rule to configure this option. The option is enabled by default if a file policy is selected for the rule. Cisco recommends to leave this option enabled

  2. Select the Inspection tab and choose already created file policy under MDR drop down menu

3. The log file is automatically highlighted and checked. Log file selection is optional.                                   

Configuring Syslog Alerting for Intrusion Events

  1. Under the intrusion policy editor's navigation pane, click Advanced Settings. 

  2. Make sure Syslog Alerting is enabled and click Edit

Note: A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.                                                       

3. Enter the IP Address of the Logging Hosts where you want to send syslog alerts

Note: If the Logging Hosts field is left blank, the logging hosts details are taken from the Logging tab in the associated Access Control Policy.

4. Choose Facility and Severity levels as described in below.

5. To save the changes, choose Policy Information, then click Commit Changes.

LCP Configuration Parameter

Table 1-2 : The Cisco FTD syslog event collector (Syslog -5003) properties to be configured by MDR are shown in the table

Property

Default Value

Description 

Protocol

UDP

The default protocol for syslog. The collector can also accept logs in TCP.

Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP.

To balance TCP for reliability over UDP for speed/simplicity, contact the Accenture MDR onboarding team.

IP Address

Cisco FTD Interface IP Address

Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).

Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team.

Signatures

%FTD

MDR recommended signatures processed by the Cisco FTD event collector.

Port Number

514

The default port for UDP. For TCP, the default port is 601.

Note: The LCP can be configured to listen on a non-standard port, please advise the Accenture MDR onboarding team if this is a requirement.

 

 

 

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.