
Cisco FTD FirePower Threat Defense

Blumira’s modern cloud SIEM platform integrates with Cisco FTD Firewall to detect cybersecurity threats and provide an automated response to remediate when a threat is detected.

When configured, the Blumira integration with Cisco FTD Firewall will stream security event logs to the Blumira service for threat detection and automated threat response.

When Blumira’s Dynamic Blocklist capabilities are configured with the Cisco FTD Firewall, Blumira can provide automated blocking of known threats, automatically add new block rules when threats are detected, and provide blocking based on threats detected across Blumira’s community of customers. All of this happens through automation, without requiring any human interaction.


Cisco FTD Firewall Log Collection

Collecting logs from the Cisco Firepower Threat Defense appliance is slightly different from the ASA with Firepower mechanism. In this document, we’ll identify the initial setup steps to collect logs from the Firepower Threat Defense appliance via FMC. Over time, Blumira will recommend modifications to these configurations depending on the output observed.

For further detail, refer to Cisco’s vendor documentation for Firepower Threat Defense platform settings.

Configuring Syslog and an Output Destination

  1. Select Devices – Platform Settings and create or edit a Firepower Threat Defense policy.
  2. Select Syslog – Syslog Server.
  3. Check the Allow user traffic to pass when TCP syslog server is down check box. This lets user traffic continue to flow if a syslog server configured with the TCP protocol becomes unreachable (a fail-open choice: availability is preserved, but events are lost while the server is down). It has no effect on the UDP server configured in step 5.
  4. In the Message queue size (messages) field, enter the number of syslog messages the security appliance should queue while the syslog server is busy. The default is 512. Entering 0 allows an unlimited number of queued messages, subject to available block memory. If your Firepower appliance is heavily used, leave this at 512 for the initial configuration.
  5. Click Add to add a new syslog server.
    • In the IP Address drop-down list, select a network host object that contains the IP address of the Blumira Sensor.
    • Choose UDP as the protocol and enter 514 as the port number for communications between the Firepower Threat Defense device and the Blumira Sensor.
      • The default ports for syslog are 514 for UDP and TCP, this should not require any changes.
    • Do not check the Log messages in Cisco EMBLEM format check box.
    • Add the zones that contain the interfaces used to communicate with the syslog server. For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interface list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.

    Note:  If the syslog server is on the network attached to the physical Management interface, you must type the name of that interface into the Interface Name field below the Selected Security Zones list and click Add. You must also configure this name (if not already configured), and an IP address, for the Diagnostic interface (edit the device from the Device Management page and select the Interfaces tab).

    • Click OK.
  6. Click Save.

You can now click Deploy to push the policy to the assigned devices. The changes are not active until you deploy them. Once deployed, the Blumira sensor will start receiving syslog communication from your Cisco Firepower appliance.
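After deploying, a quick way to confirm that the collector is actually receiving FTD syslog on UDP 514, and that each datagram carries a parseable PRI header and a Cisco message ID, is a small listener run on the sensor host. This is an added example, not Blumira or Cisco code; it assumes the host can bind the chosen UDP port, and the sample lines and message IDs below are constructed for illustration.

```python
"""Minimal UDP syslog receiver for verifying FTD log delivery to a collector.
Added example (not Blumira or Cisco code). Sample lines are constructed;
they follow Cisco's %FTD-<severity>-<id>: pattern but are illustrative only."""
import re
import socket
from collections import Counter
from typing import Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164 <PRI> header; Cisco inserts "%FTD-<sev>-<id>:" somewhere after it.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
CISCO_RE = re.compile(r"%(?P<prod>FTD|ASA)-(?P<sev>\d)-(?P<msgid>\d{6}):")

def parse_syslog(line: str) -> Optional[dict]:
    """Decode facility/severity and the Cisco message id from one datagram.
    Returns None when the PRI header is missing or out of range, which
    usually indicates a mis-set output format on the sending device."""
    m = PRI_RE.match(line.strip())
    if not m or int(m.group("pri")) > 191:  # max PRI is 23*8+7
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    cm = CISCO_RE.search(m.group("rest"))
    return {"facility": facility, "severity": SEVERITY[severity],
            "product": cm.group("prod") if cm else None,
            "msgid": cm.group("msgid") if cm else None}

def summarize(lines):
    """Count arrivals per Cisco message id plus unparseable datagrams."""
    ids, bad = Counter(), 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            bad += 1
        else:
            ids[rec["msgid"] or "no-cisco-id"] += 1
    return ids, bad

def receive(port=514, count=20, timeout=30.0):
    """Bind the UDP port and collect up to `count` datagrams (port 514 needs
    privileges; use a test port if the real collector already owns 514)."""
    out = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        while len(out) < count:
            try:
                out.append(s.recvfrom(8192)[0].decode("utf-8", "replace"))
            except socket.timeout:
                break
    return out

SAMPLE = [  # constructed; 166 = local4 (20) / info (6), 163 = local4 / err
    "<166>Mar 12 2024 10:15:01 ftd-edge : %FTD-6-430003: connection event ...",
    "<163>Mar 12 2024 10:15:02 ftd-edge : %FTD-3-710003: access denied ...",
    "not a syslog line",
]
if __name__ == "__main__":
    ids, bad = summarize(receive())
    print("per message id:", dict(ids), "unparseable:", bad)
```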