Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.
| Product | Samurai [Local] Collector | Samurai [Cloud] Collector |
|---|---|---|
| Cisco Secure Firewall (Firepower Threat Defense) |  |
This guide describes the steps required to configure Cisco Secure Firewall Threat Defense (FTD) (previously entitled Firepower Threat Defense) to send syslog to a Samurai Local Collector.
Cisco Secure Firewall Management Center (FMC) is required.
1) Ensure Connectivity Requirements are in place
2) From Cisco Secure Firewall Management Center console:
- Send Security Event Syslog Messages from FTD Devices
- Enabling External Access to the Database
- Database User Creation
3) From the Samurai application
Connectivity Requirements
You must ensure the following connectivity requirements are available:
| Source | Destination | Ports | Description |
|---|---|---|---|
| FTD | Samurai Local Collector | UCP/514 (syslog) | For log transmission |
| Samurai Local Collector | FMC | TCP/1500 & TCP/2000 | Database access |
Table 1: Connectivity requirements
Send Security Event Syslog Messages from FTD Devices
Follow the steps outlined within the Cisco documentation:
Default settings should be used unless otherwise specified in the listed parameters
Cisco Documentation Step 1:
Use the following parameters:
You can also refer to Configure a Syslog Server if you have queries based on options available
| Cisco Documentation Step | Field Name | Parameter |
|---|---|---|
| 1d | IP Address | Samurai Local Collector IP address (verify or add the address) |
| 1d | Protocol | UDP |
| 1d | Port | 514 |
| 1d | Security Zones or Named Interface | Select the interface/zone on which the Samurai Local Collector is reachable |
| 1e | Time Stamp Format | RFC 5424 (yy-MM-ddTHH:mm:ssZ) |
| 1e | Enable Syslog Device ID | Enabled (Host Name) |
| 1f | Send syslogs in EMBLEM format | Unchecked |
Table 2: Syslog settings
Cisco Documentation Step 2:
Use the following parameters:
| Field Name | Field Name | Parameter |
|---|---|---|
| 2f | IPS Settings | Send Syslog Messages for IPS Events (Selected) |
| 2f | File and Malware Settings | Send Syslog messages for File and Malware events (Selected) |
Table 3: General logging settings
Cisco Documentation Step 3:
Complete the steps outlined.
Cisco Documentation Step 4:
Use the following parameters:
| Field Name | Field Name | Parameter |
|---|---|---|
| 4d | Logging | Log at End of Connection (Selected) |
Cisco Documentation Step 5:
Complete the steps outlined.
This step if only applicable if using Snort 2
Enabling External Access to the Database
Follow the steps outlined within the Cisco documentation:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| Allow External Database Access | Enabled |
| Server Hostname | If this is blank, enter the IP address of the Cisco Firepower Management Center that is being configured. |
| Add Hosts > IP Address | IP address of your Samurai Local Collector |
Table 6: Enable external access to database
Database User Creation
Follow the steps outlined within the Cisco documentation:
Use the following parameters when completing the steps:
| Field Name | Parameter |
|---|---|
| User Name | Whatever you want |
| Authentication > Use External Authentication Method | Unchecked |
| Password | Whatever you want, but need to comply with Password Policy |
| Options | Only check Check Password Strength. Other than that, unchecked. |
| Default User Roles | Only check External Database User. Other than that, unchecked. |
Table 7: User for Database Access
Complete the Cisco Secure Firewall (Firepower Threat Defense) Integration
- Login to the Samurai MDR application
- Click Integrations from the main menu
- Click Create
- Find and select Cisco Secure Firewall (Firepower Threat Defense)
- Select the relevant Local Collector and click Next
- You will be presented with the Local Collector IP Address
- Click Next
- Complete the fields required including the Database Username and Password you created in Database user creation
- Click on Finish
For general information on Integrations refer to the Integrations article.