Cisco Secure Firewall Threat Defense Integration Guide
The following is a guide for configuring Cisco Secure Firewall Threat Defense (FTD) to send logs via syslog to the Taegis™ XDR Collector using Cisco Secure Firewall Device Manager (FDM) or Cisco Secure Firewall Management Center (FMC). Instructions for creating an eStreamer certificate to retrieve all security event logs from the device are also included.
Connectivity Requirements
| Source | Destination | Port/Protocol | Reason |
|---|---|---|---|
| XDR Collector (mgmt IP) | FMC Management Interface | TCP/8302 | Intrusion, Flow and File event data via eStreamer |
| FMC Management Interface, FTD Logical Device Management interface, FXOS Chassis | XDR Collector (mgmt IP) | UDP/514 | Audit and Firewall logs via Syslog |
Data Provided from Integration
| Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections | |
|---|---|---|---|
| Cisco FTD Firewall (Syslog only, see eStreamer via eNCore for NIDS) | DHCP, Managementevent | Auth, DNS, HTTP, Netflow | NIDS |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Configuring Syslog from the FMC or FDM
Configure FTD to send data to your XDR Collector.
Note
These steps presume that there is no existing syslog configuration in the platform settings policy for the FTD logical device(s). If there is, then some of this may already be configured or enabled, and you may only need to add the remote syslog server.
The steps you follow depend on the version of FMC or FDM and the Cisco management method you are using.
For firewalls running Firepower Threat Defense (FTD) versions 6.4 and later, follow the procedure for the management method you are using, either FMC or FDM.
Follow the procedure in the Cisco documentation to configure syslog from the FMC, using the following values:
- IP Address: Enter the IP address of the XDR Collector
- Protocol: Select UDP
- Port: Enter 514
Follow the procedure in the Cisco documentation to configure syslog from the FDM, using the following values:
- IP Address: Enter the IP address of the XDR Collector
- Protocol: Select UDP
- Port: Enter 514
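The syslog settings above are the same for FMC and FDM: the collector's IP, UDP, port 514. The following is an added example (not Cisco's or Secureworks' code) that checks a remote-syslog entry against those values, then exercises the transport end to end on the loopback interface: it binds a UDP listener standing in for the collector, sends a constructed message in the shape of an FTD syslog line (the DeviceUUID and addresses are made up, and `%FTD-6-430003` is the message ID FTD uses for connection events), and parses the RFC 3164 PRI header the way a collector would to recover facility and severity. The listener binds an ephemeral port so it runs unprivileged; the real collector listens on 514.

```python
import ipaddress
import re
import socket

# Constructed sample in the shape of an FTD syslog message (PRI <166> = local4.info);
# it is not a capture from a real device.
SAMPLE_FTD_MESSAGE = (
    "<166>%FTD-6-430003: EventPriority: Low, "
    "DeviceUUID: 00000000-0000-0000-0000-000000000000, InstanceID: 1, "
    "FirstPacketSecond: 2024-01-01T00:00:00Z, ConnectionID: 1, "
    "AccessControlRuleAction: Allow, SrcIP: 192.0.2.10, DstIP: 198.51.100.20, "
    "SrcPort: 51000, DstPort: 443, Protocol: tcp"
)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def validate_syslog_target(ip, protocol, port):
    """Return a list of problems with a remote syslog server entry; an empty list
    means it matches what the guide asks for (a valid collector IP, UDP, port 514)."""
    problems = []
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        problems.append(f"not a valid IP address: {ip!r}")
    if protocol.upper() != "UDP":
        problems.append(f"protocol should be UDP, got {protocol!r}")
    if int(port) != 514:
        problems.append(f"port should be 514, got {port!r}")
    return problems


def parse_pri(message):
    """Split the RFC 3164 <PRI> header into facility and severity and return the body.
    PRI = facility * 8 + severity, so divmod recovers both."""
    match = PRI_RE.match(message)
    if match is None:
        raise ValueError("no <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "body": match.group(2),
    }


def loopback_syslog_roundtrip(message, host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP listener that stands in for the collector, send `message` to it as
    a single datagram the way FTD would, and return what arrived. port=0 asks the OS
    for an ephemeral port so the check needs no root; the collector itself uses 514.
    UDP gives the sender no acknowledgement, so receipt can only be confirmed on the
    receiving side, which is what this listener demonstrates."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        sender.sendto(message.encode("utf-8"), (host, bound_port))
        data, _peer = listener.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print(validate_syslog_target("192.0.2.50", "UDP", 514))  # []
    received = loopback_syslog_roundtrip(SAMPLE_FTD_MESSAGE)
    print(parse_pri(received))
```

On a real deployment the same confirmation step is done on the collector host rather than on loopback, for instance by watching port 514 for datagrams from the FTD management address after saving the platform settings; because UDP is unacknowledged, a missing firewall rule on the path shows up only as silence on the receiving side.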
Configure eStreamer (optional)
Follow these instructions to create an eStreamer certificate to retrieve all security event logs from the device.
Create eStreamer Certificate for XDR Collector (Security Events)
eStreamer is the API that is used to retrieve all security events and logs from the FMC to the XDR Collector. It requires a certificate that is installed on the XDR Collector to secure the connection. For further information, see Add the eStreamer App.
Note
If the device is part of an HA pair, you must provision a second XDR Collector, repeat these steps in both FMCs, and then use the secondary eStreamer certificate to add a discrete eStreamer app instance to the second XDR Collector.
- Follow the procedure in the Cisco documentation to configure eStreamer, using the following values:
  - Hostname: Enter the IP address of the XDR Collector that this eStreamer certificate will be imported into.
  - eStreamer Event Configuration: Select all necessary event types from the list.
Note
Discovery Events and Connection Events generate a high volume of events; select them only if you need them.
- Use the eStreamer certificate to add the eStreamer app to the XDR Collector. For further information, see Add the eStreamer App.