Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

External Systems Configuration Guide

Cisco Firepower Threat Defense (FTD)

Event Types

In ADMIN > Device Support > Event Types, search for "cisco-ftd" to see the event types associated with this device. 

Rules

There are no specific rules available for Cisco Firepower Threat Defense. Matches device agnostic firewall rules.

Reports

There are no specific reports available for Cisco Firepower Threat Defense. Matches device agnostic firewall rules.

Configuration

Before configuring, you may want to see a comparison of Syslog and eStreamer for Security Eventing first.

FirePower Threat Defense SNMP Configuration through Firepower Management Center

Cisco Firepower Threat Defense (FTD) supports SNMPv1, v2c, and SNMPv3. Take the following steps to configure:

  1. Login to the Firepower Management Center (FMC) GUI, and navigate to Devices > Platform Settings > (Policy) > SNMP.

  2. Check the Enable SNMP Servers checkbox, and configure the SNMPv2 settings.

  3. Click on the Hosts tab.

  4. Click on Add, and specify your SNMP server settings in the Add SNMP Management Hosts window.

  5. Deploy the policy.

For the latest configuration instructions and information, see Configuring SNMP for FTD at https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/white-paper-c11-741739.html.

FirePower Threat Defense Syslog Configuration through Firepower Management Center

To configure Syslog, take the following steps:

  1. Login to the Firepower Management Center (FMC) GUI, and navigate to Device > Platform Setting > Threat Defense Policy > Syslog > Logging Destinations.

  2. Click Add to add a Logging Filter for a specific logging destination.

  3. From the Logging Destination drop-down list, choose the logging destination.

For the latest configuration instructions and information, see https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html.

 

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>
Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value
Name Telnet-generic
Device Type generic
Access Protocol Telnet
Port 23
User Name A user who has permission to access the device over Telnet
Password The password associated with the user
SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value
Name ssh-generic
Device Type Generic
Access Protocol SSH
Port 22
User Name A user who has access credentials for your device over SSH
Password The password for the user

 

Comparison of Syslog and eStreamer for Security Eventing

The following content is taken from https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/analyze_events_using_external_tools.html#id_102110.

Generally, organizations that do not currently have significant existing investment in eStreamer should use syslog rather than eStreamer to manage security event data externally.

Syslog eStreamer
No customization required Significant customization and ongoing maintenance required to accommodate changes in each release
Standard Propriety
Sends directly from devices Sends from FMC, adding processing overhead
Support for file and malware events, connection events (including security intelligence events) and intrusion events. Support for all event types listed in eStreamer Server Streaming.
Some event data can be sent only from FMC. See Data Sent Only via eStreamer, Not via Syslolog. Includes data that cannot be sent via syslog directly from devices. See Data Send Only via eStreamer, Not via Syslog.

 

Cisco Firepower Threat Defense (FTD)

Event Types

In ADMIN > Device Support > Event Types, search for "cisco-ftd" to see the event types associated with this device. 

Rules

There are no specific rules available for Cisco Firepower Threat Defense. Matches device agnostic firewall rules.

Reports

There are no specific reports available for Cisco Firepower Threat Defense. Matches device agnostic firewall rules.

Configuration

Before configuring, you may want to see a comparison of Syslog and eStreamer for Security Eventing first.

FirePower Threat Defense SNMP Configuration through Firepower Management Center

Cisco Firepower Threat Defense (FTD) supports SNMPv1, v2c, and SNMPv3. Take the following steps to configure:

  1. Login to the Firepower Management Center (FMC) GUI, and navigate to Devices > Platform Settings > (Policy) > SNMP.

  2. Check the Enable SNMP Servers checkbox, and configure the SNMPv2 settings.

  3. Click on the Hosts tab.

  4. Click on Add, and specify your SNMP server settings in the Add SNMP Management Hosts window.

  5. Deploy the policy.

For the latest configuration instructions and information, see Configuring SNMP for FTD at https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw/white-paper-c11-741739.html.

FirePower Threat Defense Syslog Configuration through Firepower Management Center

To configure Syslog, take the following steps:

  1. Login to the Firepower Management Center (FMC) GUI, and navigate to Device > Platform Setting > Threat Defense Policy > Syslog > Logging Destinations.

  2. Click Add to add a Logging Filter for a specific logging destination.

  3. From the Logging Destination drop-down list, choose the logging destination.

For the latest configuration instructions and information, see https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html.

 

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting Value
Name <set name>
Device Type Generic
Access Protocol SNMP
Community String <your own>
Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting Value
Name Telnet-generic
Device Type generic
Access Protocol Telnet
Port 23
User Name A user who has permission to access the device over Telnet
Password The password associated with the user
SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting Value
Name ssh-generic
Device Type Generic
Access Protocol SSH
Port 22
User Name A user who has access credentials for your device over SSH
Password The password for the user

 

Comparison of Syslog and eStreamer for Security Eventing

The following content is taken from https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/analyze_events_using_external_tools.html#id_102110.

Generally, organizations that do not currently have significant existing investment in eStreamer should use syslog rather than eStreamer to manage security event data externally.

Syslog eStreamer
No customization required Significant customization and ongoing maintenance required to accommodate changes in each release
Standard Propriety
Sends directly from devices Sends from FMC, adding processing overhead
Support for file and malware events, connection events (including security intelligence events) and intrusion events. Support for all event types listed in eStreamer Server Streaming.
Some event data can be sent only from FMC. See Data Sent Only via eStreamer, Not via Syslolog. Includes data that cannot be sent via syslog directly from devices. See Data Send Only via eStreamer, Not via Syslog.