Cisco Secure Firewall (Firepower Threat Defense)
This guide describes the steps required to configure Cisco Secure Firewall Threat Defense (FTD) (previously named Firepower Threat Defense) to send syslog to a Samurai Local Collector.
Cisco Secure Firewall Management Center (FMC) is required.
1) Ensure Connectivity Requirements are in place
2) From Cisco Secure Firewall Management Center console:
- Send Security Event Syslog Messages from FTD Devices
- Enabling External Access to the Database
- Database User Creation
3) From the Samurai MDR portal
Connectivity Requirements
You must ensure the following connectivity requirements are available:
Source | Destination | Ports | Description |
---|---|---|---|
FTD | Samurai Local Collector | UDP/514 (syslog) | For log transmission |
Samurai Local Collector | FMC | TCP/1500 & TCP/2000 | Database access |
Table 1: Connectivity requirements
Send Security Event Syslog Messages from FTD Devices
Follow the steps outlined within the Cisco documentation:
Default settings should be used unless otherwise specified in the listed parameters.
Cisco Documentation Step 1:
Use the following parameters:
You can also refer to Configure a Syslog Server if you have questions about the available options.
Cisco Documentation Step | Field Name | Parameter |
---|---|---|
1d | IP Address | Samurai Local Collector IP address (verify or add the address) |
1d | Protocol | UDP |
1d | Port | 514 |
1d | Security Zones or Named Interface | Select the interface/zone on which the Samurai Local Collector is reachable |
1e | Time Stamp Format | RFC 5424 (yy-MM-ddTHH:mm:ssZ) |
1e | Enable Syslog Device ID | Enabled (Host Name) |
1f | Send syslogs in EMBLEM format | Unchecked |
Table 2: Syslog settings
Cisco Documentation Step 2:
Use the following parameters:
Cisco Documentation Step | Field Name | Parameter |
---|---|---|
2f | IPS Settings | Send Syslog Messages for IPS Events (Selected) |
2f | File and Malware Settings | Send Syslog messages for File and Malware events (Selected) |
Table 3: General logging settings
Cisco Documentation Step 3:
Complete the steps outlined.
Cisco Documentation Step 4:
Use the following parameters:
Cisco Documentation Step | Field Name | Parameter |
---|---|---|
4d | Logging | Log at End of Connection (Selected) |
Cisco Documentation Step 5:
Complete the steps outlined.
This step is only applicable when using Snort 2.
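To confirm that the Local Collector is receiving messages in the shape these settings produce, the following check is an added example (not part of this guide or of Cisco's tooling): it parses received syslog lines and, for each non-conforming line, names the Table 2 setting to revisit. It assumes the message layout given in the code comment, and the sample lines are constructed, not captured from a device.

```python
import re

# Constructed sample lines (not captured from a real device). Assumed layout for an FTD
# message with RFC 5424 timestamp and hostname device ID (Table 2, step 1e):
#   <PRI>YYYY-MM-DDTHH:MM:SSZ <hostname> : %FTD-<severity>-<message-id>: <text>
SAMPLE_LINES = [
    "<166>2024-03-01T10:15:30Z ftd-edge-01 : %FTD-6-430003: EventPriority: Low, Protocol: tcp",
    "<166>Mar 01 2024 10:15:30 ftd-edge-01 : %FTD-6-430003: EventPriority: Low, Protocol: tcp",
    "<164>2024-03-01T10:15:31Z %FTD-4-430001: EventPriority: High, InlineResult: Blocked",
    "<166>2024-03-01T10:15:32Z ftd-edge-01 : %FTD-4-430004: FileName: invoice.exe",
]

RFC5424_TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+(.*)$")
FTD_BODY = re.compile(r"^([^\s:]+)\s*:\s*%FTD-([0-7])-(\d{6}):\s*(.*)$")


def check_line(line):
    """Return (ok, reason, fields) for one syslog line received from the FTD."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line)
    if not m:
        return False, "missing <PRI> header", {}
    pri, rest = int(m.group(1)), m.group(2)
    if pri > 191:
        return False, "PRI out of range", {}
    m = RFC5424_TS.match(rest)
    if not m:
        return False, "timestamp is not RFC 5424 (Table 2, step 1e: Time Stamp Format)", {}
    ts, rest = m.group(1), m.group(2)
    if rest.startswith("%FTD-"):
        return False, "no device ID before message (Table 2, step 1e: Enable Syslog Device ID)", {}
    m = FTD_BODY.match(rest)
    if not m:
        return False, "body does not follow '<hostname> : %FTD-<severity>-<id>:' layout", {}
    host, sev, msgid, text = m.groups()
    # PRI = facility * 8 + severity; the severity should agree with the %FTD-<severity> field
    facility, severity = divmod(pri, 8)
    if severity != int(sev):
        return False, f"PRI severity {severity} disagrees with %FTD-{sev}", {}
    fields = {"timestamp": ts, "host": host, "facility": facility,
              "severity": severity, "msgid": msgid, "text": text}
    return True, "ok", fields


def summarise(lines):
    """Count conforming lines and collect the reasons for the rest."""
    ok, problems = 0, []
    for line in lines:
        good, reason, _ = check_line(line)
        if good:
            ok += 1
        else:
            problems.append(reason)
    return ok, problems
```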
Enabling External Access to the Database
Follow the steps outlined within the Cisco documentation:
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
Allow External Database Access | Enabled |
Server Hostname | If this is blank, enter the IP address of the Cisco Firepower Management Center that is being configured. |
Add Hosts > IP Address | IP address of your Samurai Local Collector |
Table 6: Enable external access to database
Database User Creation
Follow the steps outlined within the Cisco documentation:
Use the following parameters when completing the steps:
Field Name | Parameter |
---|---|
User Name | Any username of your choice |
Authentication > Use External Authentication Method | Unchecked |
Password | Any password of your choice; it must comply with the FMC password policy |
Options | Check only Check Password Strength; leave all other options unchecked |
Default User Roles | Select only External Database User; leave all other roles unchecked |
Table 7: User for Database Access
Complete the Cisco Secure Firewall (Firepower Threat Defense) Integration
- Log in to the Samurai MDR portal
- Click Telemetry and select Integrations from the main menu
- Click Create
- Find and select Cisco Secure Firewall (Firepower Threat Defense)
- Select the relevant Local Collector and click Next
- You will be presented with the Local Collector IP Address
- Click Next
- Complete the required fields, including the Database Username and Password you created in Database User Creation
- Click on Finish
For general information on Integrations refer to the Integrations article.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.