This document describes the steps required to integrate, verify, and troubleshoot SecureX with Firepower Threat Defense (FTD).
Cisco recommends that you have knowledge of these topics:
Firepower Management Center (FMC)
Firepower Threat Defense (FTD)
Virtualization of images (optional)
Firepower Threat Defense (FTD) - 6.5
Firepower Management Center (FMC) - 6.5
Security Services Exchange (SSE)
Smart License Portal
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Virtual Account Roles:
Only the Virtual Account Admin or the Smart Account Admin has the privilege to link the smart account with the SSE account.
Step 1. In order to validate the smart account role, navigate to software.cisco.com and under the Administration Menu, select Manage Smart Account.
Step 2. In order to validate the user role, navigate to Users, and validate that under Roles the accounts are set to have Virtual Account Administrator, as shown in the image.
Step 3. Ensure that the Virtual Account you select to link on SSE contains the licenses for the security devices. If an account that does not contain the security licenses is linked on SSE, neither the security devices nor their events appear on the SSE portal.
Step 4. To validate that the FMC is registered to the correct Virtual Account, navigate to System > Licenses > Smart License.
Link your accounts to SSE and register the devices.
Step 1. When you log on to your SSE account, you have to link your smart account to your SSE account. To do so, click the tools icon and select Link Accounts.
Once the account is linked you see the Smart Account with all the Virtual Accounts on it.
Register the devices to SSE
Step 1. Ensure these URLs are allowed on your environment:
Step 2. Log in to the SSE portal at https://admin.sse.itd.cisco.com, navigate to Cloud Services, and enable both options, Eventing and Cisco SecureX threat response, as shown in the next image:
Step 3. Log in to the Firepower Management Center, navigate to System > Integration > Cloud Services, enable Cisco Cloud Event Configuration, and select the events you want to send to the cloud:
Step 4. You can go back to the SSE portal and validate that now you can see the devices enrolled on SSE:
The events are sent by the FTD devices. Navigate to Events on the SSE portal to verify the events sent by the devices to SSE, as shown in the image:
Configure Custom Dashboards On SecureX
Step 1. To create your dashboard, click the + New Dashboard icon, then select a name and the tiles that you want to use for the dashboard, as shown in the image:
Step 2. After this you can see the dashboard populated with information from SSE. If you select any of the detected threats, the SSE portal launches with the corresponding Event Type filter applied:
Validate that the FTDs generate events (malware or intrusion). For malware events navigate to Analysis > Files > Malware Events; for intrusion events navigate to Analysis > Intrusion > Events.
Validate that the events are registered on the SSE portal, as described in Step 4 of the Register the devices to SSE section.
Validate that the information is displayed on the SecureX dashboard, or check the API logs to see the reason for a possible API failure.
Detect Connectivity Problems
You can detect generic connectivity problems from the action_queue.log file. In case of failure, log lines such as this one appear in the file:
ActionQueueScrape.pl: [SF::SSE::Enrollment] canConnect: System (/usr/bin/curl -s --connect-timeout 10 -m 20 -L --max-redirs 5 --max-filesize 104857600 --capath /ngfw/etc/sf/keys/fireamp/thawte_roots -f https://api.eu.sse.itd.cisco.com/providers/sse/api/v1/regions) Failed, curl returned 28 at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/System.pm line 10477.
In this case the curl exit code 28 means that the operation timed out, so Internet connectivity from the device should be checked. You may also see exit code 6, which means a problem with DNS resolution.
Connectivity Problems due to DNS Resolution
Step 1. Check that the connectivity works properly.
The above output shows that the device is unable to resolve the URL https://api-sse.cisco.com. In this case, validate that the proper DNS server is configured; this can be checked with nslookup from the expert CLI:
root@ftd01:~# nslookup api-sse.cisco.com
;; connection timed out; no servers could be reached
The above output shows that the configured DNS server cannot be reached. To confirm the DNS settings, use the show network command:
> show network
===============[ System Information ]===============
Hostname                  : ftd01
DNS Servers               : x.x.x.10
Management port           : 8305
IPv4 Default route
  Gateway                 : x.x.x.1

======================[ eth0 ]======================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : x:x:x:x:9D:A5
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : x.x.x.27
Netmask                   : 255.255.255.0
Broadcast                 : x.x.x.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled
In this example the wrong DNS server was configured. You can change the DNS settings with this command:
> configure network dns x.x.x.11
After this, test connectivity again; this time the connection succeeds.
In order to send events from the FTD device to SSE, an HTTPS (TCP 443) connection needs to be established to https://eventing-ingest.sse.itd.cisco.com. This is an example of a connection that is not established between the FTD and the SSE portal:
Note: The IP addresses displayed, x.x.x.246 and 1x.x.x.246, belong to https://eventing-ingest.sse.itd.cisco.com and might change. This is why the recommendation is to allow traffic to the SSE portal based on URL rather than on IP addresses.
If this connection is not established, the events are not sent to the SSE portal. This is an example of an established connection between the FTD and the SSE portal:
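The checks in this troubleshooting section (interpreting the curl exit code from action_queue.log, testing DNS resolution with nslookup, repeating the canConnect probe, and confirming an established TCP 443 session to the eventing host) can be run together from the expert-mode shell. The script below is an added example written for this page, not Cisco's code. The host names and curl options are the ones quoted above; the action_queue.log path, the availability of netstat in expert mode, the BIND-style nslookup output it parses, and the sample netstat lines used in the comments are assumptions.

```shell
#!/bin/sh
# Added example for this page (not Cisco's code): SSE connectivity checks for
# the FTD expert-mode shell. Assumptions: the action_queue.log path below,
# that nslookup, curl and netstat exist in expert mode, and that the SSE
# endpoints are the host names quoted in the article. The CA path is the one
# that appears in the article's action_queue.log line.

SSE_HOSTS="api-sse.cisco.com api.eu.sse.itd.cisco.com eventing-ingest.sse.itd.cisco.com"
EVENTING_HOST="eventing-ingest.sse.itd.cisco.com"
ACTION_QUEUE_LOG="/ngfw/var/log/action_queue.log"    # assumed location
CAPATH="/ngfw/etc/sf/keys/fireamp/thawte_roots"      # from the log line in the article

# Map a curl exit code (see EXIT CODES in curl(1)) to the check to perform.
curl_exit_meaning() {
  case "$1" in
    0)     echo "OK" ;;
    6)     echo "could not resolve host: check DNS servers with show network" ;;
    7)     echo "failed to connect: check routing, firewall rules and proxy settings" ;;
    28)    echo "operation timed out: check Internet connectivity from the management interface" ;;
    35|60) echo "TLS failure: check for SSL inspection in the path or a wrong CA bundle" ;;
    *)     echo "curl exit code $1: see EXIT CODES in curl(1)" ;;
  esac
}

# Print the exit code of every failed canConnect probe found on stdin, one per
# line, so that "sort | uniq -c" summarises what has been failing.
exit_codes_from_log() {
  sed -n 's/.*canConnect.*curl returned \([0-9][0-9]*\).*/\1/p'
}

# Filter "netstat -an" output on stdin down to ESTABLISHED sessions to <ip>:443.
# Constructed sample line: "tcp 0 0 10.0.0.27:49152 203.0.113.246:443 ESTABLISHED"
# (fields: proto recv-q send-q local foreign state). Resolve the eventing host
# first; its address changes, which is why the article says to allow SSE by URL.
established_to() {
  awk -v ip="$1" '$NF == "ESTABLISHED" && $5 == (ip ":443")'
}

# nslookup fails with "no servers could be reached" when, as in the article,
# the configured DNS server is wrong.
check_dns() {
  for h in $SSE_HOSTS; do
    if nslookup "$h" >/dev/null 2>&1; then
      echo "DNS   $h: resolves"
    else
      echo "DNS   $h: FAILED (compare show network; fix with configure network dns <ip>)"
    fi
  done
}

# Repeat the probe seen in action_queue.log with the same curl options.
probe_https() {
  for h in $SSE_HOSTS; do
    rc=0
    /usr/bin/curl -s --connect-timeout 10 -m 20 -L --max-redirs 5 \
      --max-filesize 104857600 --capath "$CAPATH" -o /dev/null -f "https://$h/" || rc=$?
    echo "HTTPS $h: exit $rc ($(curl_exit_meaning "$rc"))"
  done
}

main() {
  if [ -r "$ACTION_QUEUE_LOG" ]; then
    echo "canConnect failures in $ACTION_QUEUE_LOG (count x exit code):"
    exit_codes_from_log < "$ACTION_QUEUE_LOG" | sort | uniq -c |
      while read -r n code; do echo "  $n x $code: $(curl_exit_meaning "$code")"; done
  fi
  check_dns
  probe_https
  # First "Address:" line that is not the DNS server (the one carrying "#53")
  # is the resolved IP; assumes BIND-style nslookup output as in the article.
  ip=$(nslookup "$EVENTING_HOST" 2>/dev/null | awk '/^Address/ && $2 !~ /#/ {print $2; exit}')
  if [ -n "$ip" ]; then
    echo "TCP   established sessions to $EVENTING_HOST ($ip):443"
    netstat -an | established_to "$ip"
  fi
}

# Run the checks only when invoked as "sh sse_check.sh run"; otherwise the file
# only defines the functions, so they can be sourced and used one at a time.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it from expert mode as sudo sh sse_check.sh run. Without the run argument it only defines the functions, so for instance exit_codes_from_log < /ngfw/var/log/action_queue.log | sort | uniq -c gives the distribution of curl exit codes on its own, and netstat -an | established_to <ip> answers the last check above once the eventing host has been resolved.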