Cisco FTD FirePower Threat Defense

Cloud SIEM for Cisco FTD Firepower Threat Defense Firewall

Click here for the most updated version of this documentation.

Blumira’s modern cloud SIEM platform integrates with Cisco FTD Firewall to detect cybersecurity threats and provide an automated response to remediate when a threat is detected.

When configured, the Blumira integration with Cisco FTD Firewall will stream security event logs to the Blumira service for threat detection and automated threat response.

When Blumira’s Dynamic Blocklist capabilities are configured with the Cisco FTD Firewall, Blumira can provide automated blocking of known threats, automatically add new block rules when threats are detected and provide blocking based on Blumira’s community of customers that have detected new threats. All through automation without requiring any human interaction.

Learn more about Cisco FTD integration with Blumira >

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.

Cisco FTD Firewall Log Collection

Collecting logs from the Cisco Firepower Threat Defense appliance is slightly different from the ASA with Firepower mechanism. In this document, we’ll identify the initial setup steps to collect logs from the Firepower Threat Defense appliance on FMC. Over time, Blumira will recommend modifications to these configurations depending on output.

For vendor documentation, please click here.

Before you begin

Determine the Blumira sensor you will use as a syslog server to collect log data. On the Blumira sensor detail screen, under Host Details, copy the IP address of your Blumira sensor to use when configuring Firepower Threat Defense.

Configuring Syslog and an Output Destination

Select Devices > Platform Settings and create or edit a Firepower Threat Defense policy.
Select Syslog > Syslog Server.
Check the Allow user traffic to pass when TCP syslog server is down check box to allow traffic if any syslog server that is using the TCP protocol is down to ensure delivery.
In the Message queue size (messages) field, enter a size of the queue for storing syslog messages on the security appliance when syslog server is busy.
Tip: Type 0 to allow an unlimited number of messages to be queued; however, the queue is limited by the availability of block memory. If your Firepower Appliance is heavily used, leave the default value 512 for the initial configuration.
In the IP Address list, select a network host object that contains the IP address of the Blumira Sensor.
Choose UDP as the protocol, and keep the default port number 514.
Important: Do not select Log messages in Cisco EMBLEM format.
Add the zones that contain the interfaces used to communicate with the syslog server.
Note: For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interface list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.
Click Add.
Note: If the syslog server is on the network attached to the physical Management interface, you must type the name of that interface into the Interface Name field below the Selected Security Zones list and click Add. You must also configure this name (if not already configured), and an IP address, for the Diagnostic interface (edit the device from the Device Management page and select the Interfaces tab).
Click OK.
Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them. At this point the Blumira sensor will start receiving syslog communication from your Cisco Firepower appliance.