Cisco Secure Firewall (Firepower Threat Defense)

Samurai [Local] Collector	Samurai [Cloud] Collector

This guide describes the steps required to configure Cisco Secure Firewall Threat Defense (FTD) (previously entitled Firepower Threat Defense) to send syslog to a Samurai Local Collector.

Cisco Secure Firewall Management Center (FMC) is required.

1) Ensure Connectivity Requirements are in place

Connectivity Requirements

2) From Cisco Secure Firewall Management Center console:

3) From the Samurai MDR portal

Complete the Cisco Firepower Threat Defense Integration

Connectivity Requirements

You must ensure the following connectivity requirements are available:

Source	Destination	Ports	Description
FTD	Samurai Local Collector	UCP/514 (syslog)	For log transmission
Samurai Local Collector	FMC	TCP/1500 & TCP/2000	Database access

Send Security Event Syslog Messages from FTD Devices

Follow the steps outlined within the Cisco documentation:

Send Security Event Syslog Messages from FTD Devices

Default settings should be used unless otherwise specified in the listed parameters.

Cisco Documentation Step 1:

Use the following parameters:

You can also refer to Configure a Syslog Server if you have queries based on options available.

Cisco Documentation Step	Field Name	Parameter
1d	IP Address	Samurai Local Collector IP address (verify or add the address)
1d	Protocol	UDP
1d	Port	514
1d	Security Zones or Named Interface	Select the interface/zone on which the Samurai Local Collector is reachable
1e	Time Stamp Format	RFC 5424 (yy-MM-ddTHH:mm:ssZ)
1e	Enable Syslog Device ID	Enabled (Host Name)
1f	Send syslogs in EMBLEM format	Unchecked

Cisco Documentation Step 2:

Use the following parameters:

Field Name	Field Name	Parameter
2f	IPS Settings	Send Syslog Messages for IPS Events (Selected)
2f	File and Malware Settings	Send Syslog messages for File and Malware events (Selected)

Cisco Documentation Step 3:

Complete the steps outlined.

Cisco Documentation Step 4:

Use the following parameters:

Field Name	Field Name	Parameter
4d	Logging	Log at End of Connection (Selected)

Cisco Documentation Step 5:

Complete the steps outlined.

This step if only applicable if using Snort 2

Enabling External Access to the Database

Follow the steps outlined within the Cisco documentation:

Enabling External Access to the Database

Use the following parameters when completing the steps:

Field Name	Parameter
Allow External Database Access	Enabled
Server Hostname	If this is blank, enter the IP address of the Cisco Firepower Management Center that is being configured.
Add Hosts > IP Address	IP address of your Samurai Local Collector

Database User Creation

Follow the steps outlined within the Cisco documentation:

Add an Internal User

Use the following parameters when completing the steps:

Field Name	Parameter
User Name	Whatever you want
Authentication > Use External Authentication Method	Unchecked
Password	Whatever you want, but need to comply with Password Policy
Options	Only check Check Password Strength. Other than that, unchecked.
Default User Roles	Only check External Database User. Other than that, unchecked.

Complete the Cisco Secure Firewall (Firepower Threat Defense) Integration

Login to the Samurai MDR portal
Click Telemetry and select Integrations from the main menu
Click Create
Find and select Cisco Secure Firewall (Firepower Threat Defense)
Select the relevant Local Collector and click Next
You will be presented with the Local Collector IP Address
Click Next
Complete the fields required including the Database Username and Password you created in Database user creation
Click on Finish

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.