Accenture MDR Quick Start Guide for Cisco Firepower® (Sourcefire eStreamer® IPv6) Logging Configuration

This quick start guide will help Accenture MDR customers configure Cisco Firepower® to allow log collection from the Log Collection Platform (LCP). 

The guide details the GUI configuration process of Cisco Firepower® Management Center (FMC). Please refer to the vendor documentation for more information on CLI and 3D Sensor configuration.


This document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for eStreamer communication.

Source    Destination      Port          Description
LCP       Sourcefire DC    8302 (TCP)    Communication between the LCP and server

Configuring Cisco Firepower®

To configure Cisco Firepower® Device Versions 5.3 and 5.4:

Sourcefire Event Streamer (also known as eStreamer) allows you to stream event data from the FMC or 3D Sensor to the LCP. All communication with eStreamer is initiated by the LCP, occurs over a TCP SSL connection on port 8302, and requires a password-protected client certificate bundle (.pkcs12).

To configure Cisco Firepower®, follow the steps below.

  1. Log in to the FMC web interface as Administrator.

  2. Based on the DC version, do one of the following:

  • For DC versions 4.9 and 4.10, from the main screen, click Operations > Configuration > eStreamer.

  • For DC versions 5.x, from the main screen, click System > Local > Registration > eStreamer.

  3. On the eStreamer Event Configuration page, check the specified check boxes to send events to the LCP.

  4. Click Save.

  5. At the top-right corner, click Create Client to create a new eStreamer client for the LCP.

  6. In the Hostname text box, enter the IP address or DNS-resolvable hostname of the LCP.

  7. In the Password text box, enter your preferred password and click Save.

  8. After successful client creation, the Success message appears and the newly added client appears under the eStreamer tab.

  9. Click the Download icon corresponding to the newly created client, save the certificate file on your local computer, and then send the file to Accenture MDR.
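Before sending the bundle to Accenture MDR, it is worth confirming that the downloaded .pkcs12 opens with the password chosen in step 7 and that TCP 8302 on the FMC is reachable from the LCP's network segment, since a wrong password or a blocked port are the usual reasons an onboarding request stalls. The following is an added example using the openssl CLI and is not part of the Accenture guide; it assumes openssl is installed, and the file name, password and FMC hostname are placeholders.

```shell
#!/bin/sh
# Added pre-flight checks for the eStreamer client bundle (example code, not part of
# the Accenture guide). Assumes the openssl CLI is available; file names, the password
# and the FMC hostname are placeholders.

# Print the subject and expiry of the client certificate inside the .pkcs12 that the
# FMC generated. -nokeys leaves the private key inside the bundle; only the
# certificate is emitted. Usage: estreamer_cert_info client.pkcs12 'password'
estreamer_cert_info() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

# Exit 0 if the password opens the bundle (MAC verifies), non-zero otherwise. Run this
# with the exact password you intend to put in the New Request before submitting it.
# Note: on OpenSSL 3.x a bundle using legacy RC2 encryption needs the extra -legacy flag.
estreamer_cert_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Confirm that TCP 8302 on the FMC is reachable and a TLS handshake completes
# (eStreamer sessions are always initiated by the LCP). This only proves the path is
# open; it does not authenticate as the eStreamer client.
# Usage: estreamer_port_check fmc.example.com
estreamer_port_check() {
    openssl s_client -connect "$1:8302" </dev/null >/dev/null 2>&1
}
```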

To configure Sourcefire eStreamer IPv6 Device Version 6.1 and above:

  1. Log on to the Defense Center web interface as a user with administrator privileges.

  2. Go to System > Integration > eStreamer and select Registration.

  3. On the eStreamer Event Configuration page, select the types of events for eStreamer to send. Make sure that all types of events are selected.

  Note: IPv6 source and IPv6 destination addresses for intrusion events are stored in a new Intrusion Event Extra Data record. For the collector to retrieve this information, you must select Intrusion Event Extra Data on the Sourcefire eStreamer Event Configuration page.

  4. Click Save.

  5. Click Create Client to create an eStreamer client for the collector computer.

  6. In the Hostname text box, enter the IP address or DNS-resolvable hostname of the LCP.

  7. In the Password text box, enter your preferred password and click Save.


To log blacklisted connections:

  1. Log in to the Sourcefire DC web interface as Administrator.

  2. Select Policies > Access Control; the Access Control Policy window appears.

  3. At the right corner, click the Pencil icon to edit the first policy.

  4. Go to the Security Intelligence tab and, at the right corner of the Blacklist Networks section, click Logging.

  5. Check the Log Connections check box. This will generate a log at the beginning of each connection event when the traffic meets Security Intelligence conditions.

  6. In the Send Connection Events to section, check the Event Viewer check box. This will display the blacklisted logs as connection events on Sourcefire DC.

  7. Click OK.

  8. Follow the above steps for all the configured policies.

  9. Once logging is enabled for all the configured policies, click Save.

Note: Accenture MDR recommends additional logging configuration for this device. Please follow the Accenture MDR Recommended Logging Configuration for Sourcefire eStreamer guide for details.

Creating New Request for Monitoring

Once the device is configured as outlined in the steps above and all network prerequisites have been met, you are ready to onboard it for MDR monitoring. To complete this process, submit a New Request via the MDR Portal. This new request should contain the following information:

  1. Reporting LCP Hostname/IP Address:

  2. Defense Center IP: 

  3. Individual Sensor IP: 

  4. Attach eStreamer Client Certificate

  5. eStreamer Client Certificate Password: 

  6. Product Version (include minor version): 


Note: If you have any questions about this process, please contact the Accenture MDR onboarding team.

LCP Configuration Parameters

Table 1-2: The Sourcefire eStreamer IPv6 event collector (API – 3622) sensor properties to be configured by MDR are shown in the table.

Property: Server Address
Default Value: DC or 3D Sensor IP address
Description: Specify the Sourcefire DC or 3D Sensor server IP address mentioned in the Pre-Installation Questionnaire (PIQ).
Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team.

Property: eStreamer Client Certificate Path
Default Value: Custom Value
Description: Copy the eStreamer certificate and specify the path and filename where the eStreamer certificate is stored on the LCP.

Property: eStreamer Client Certificate Password
Default Value: Custom Value
Description: Password for the eStreamer certificate mentioned in the PIQ.

Property: Product Version
Default Value: Custom Value
Description: Sourcefire DC software version mentioned in the PIQ. Specify the version of Sourcefire Defense Center.

Supported product version strings are as follows:

  • 4.9 - Applicable for Sourcefire Defense Center 4.9.x

  • 4.10 - Applicable for Sourcefire Defense Center 4.10.x

  • 5.0 - Applicable for Sourcefire Defense Center 5.0.x

  • 5.1 - Applicable for Sourcefire Defense Center 5.1.x 

  • 5.2 - Applicable for Sourcefire Defense Center 5.2.x

  • 5.3 - Applicable for Sourcefire Defense Center 5.3.x

  • 5.4 - Applicable for Sourcefire Defense Center 5.4.x

  • 6.0 - Applicable for Sourcefire Defense Center 6.0.x

  • 6.1 - Applicable for Sourcefire Defense Center 6.1.x

  • 6.2 - Applicable for Sourcefire Defense Center 6.2.x

  • 6.3 - Applicable for Sourcefire Defense Center 6.3.x

  • 6.4 - Applicable for Sourcefire Defense Center 6.4.x

  • 7.0 - Applicable for Sourcefire Defense Center 7.x.x


Note: For versions greater than or equal to 7.0, provide the version as 7.0.

For versions lower than 7.0, refer to the rules below.

For versions greater than 6.6 and lower than 7.0, provide the version as 6.6.

For versions greater than 5.3 and lower than 6.0, provide the version as 5.4.

Otherwise, find the nearest supported version string and use it as the product version for the new onboarding.


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.