Cisco Secure Firewall (Firepower Threat Defense)

Samurai [Local] CollectorSamurai [Cloud] CollectorSamurai [Cloud Native] Collector
Picture1.svg

This guide describes the steps required to configure Cisco Secure Firewall Threat Defense (FTD) (previously entitled Firepower Threat Defense) to send syslog to a Samurai Local Collector. 

mceclip0.png Cisco Secure Firewall Management Center (FMC) is required.

1) Ensure Connectivity Requirements are in place

2) From Cisco Secure Firewall Management Center console:

3) From the Samurai MDR portal

Connectivity Requirements

You must ensure the following connectivity requirements are available:

SourceDestinationPortsDescription
FTDSamurai Local CollectorUCP/514 (syslog)For log transmission
Samurai Local CollectorFMCTCP/1500 & TCP/2000Database access

Table 1: Connectivity requirements

Send Security Event Syslog Messages from FTD Devices

Follow the steps outlined within the Cisco documentation:

mceclip0.png Default settings should be used unless otherwise specified in the listed parameters

Cisco Documentation Step 1:

Use the following parameters:

mceclip0.png You can also refer to Configure a Syslog Server if you have queries based on options available

Cisco Documentation StepField NameParameter
1dIP AddressSamurai Local Collector IP address (verify or add the address)
1dProtocolUDP
1dPort514
1dSecurity Zones or Named InterfaceSelect the interface/zone on which the Samurai Local Collector is reachable
1eTime Stamp FormatRFC 5424 (yy-MM-ddTHH:mm:ssZ)
1eEnable Syslog Device IDEnabled (Host Name)
1fSend syslogs in EMBLEM formatUnchecked

Table 2: Syslog settings

Cisco Documentation Step 2:

Use the following parameters:

Field NameField NameParameter
2fIPS SettingsSend Syslog Messages for IPS Events (Selected)
2fFile and Malware SettingsSend Syslog messages for File and Malware events (Selected)

Table 3: General logging settings

Cisco Documentation Step 3:

Complete the steps outlined.

Cisco Documentation Step 4:

Use the following parameters:

Field NameField NameParameter
4dLoggingLog at End of Connection (Selected)

Cisco Documentation Step 5:

Complete the steps outlined.

mceclip0.png This step if only applicable if using Snort 2

Enabling External Access to the Database

Follow the steps outlined within the Cisco documentation:

Use the following parameters when completing the steps:

Field NameParameter
Allow External Database AccessEnabled
Server HostnameIf this is blank, enter the IP address of the Cisco Firepower Management Center that is being configured.
Add Hosts > IP AddressIP address of your Samurai Local Collector

Table 6: Enable external access to database

Database User Creation

Follow the steps outlined within the Cisco documentation:

Use the following parameters when completing the steps:

Field NameParameter
User NameWhatever you want
Authentication > Use External Authentication MethodUnchecked
PasswordWhatever you want, but need to comply with Password Policy
OptionsOnly check Check Password Strength. Other than that, unchecked.
Default User RolesOnly check External Database User. Other than that, unchecked.

Table 7: User for Database Access

Complete the Cisco Secure Firewall (Firepower Threat Defense) Integration

  1. Login to the Samurai MDR portal
  2. Click Telemetry and select Integrations from the main menu
  3. Click Create
  4. Find and select Cisco Secure Firewall (Firepower Threat Defense)
  5. Select the relevant Local Collector and click Next
  6. You will be presented with the Local Collector IP Address 
  7. Click Next
  8. Complete the fields required including the Database Username and Password you created in Database user creation
  9. Click on Finish

mceclip0.png For general information on Integrations refer to the Integrations article.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.