Security Analytics and Logging (SaaS) for Cloud-Delivered Firewall Management Center-Managed Devices

Requirements, Guideline, and Limitations for the SAL (SaaS) Integration

Type

Description

Cisco Secure Firewall Threat Defense

  • Security Cloud Control-managed standalone Firewall Threat Defense devices, Version 7.2 and later.

  • To send events using syslog, you must have Firewall Threat Defense device version 6.4 or later.

  • To send events directly, you must have Firewall Threat Defense device version 7.2 or later.

  • To optionally exclude Firewall Threat Defense devices from sending events directly, you must have Firewall Threat Defense device version 7.4.1 or later.

  • Your firewall system must be deployed and successfully generating events.

Regional cloud

  • Determine the regional cloud that you want to send events to.

  • Events cannot be viewed from or moved between different regional clouds.

  • If you use a direct connection to send events to the Cisco Security Cloud for integration with Cisco SecureX, Cisco SecureX threat response, or Cisco XDR, you must use the same cloud region for this integration.

  • If you send events directly, the regional cloud you specify in Security Cloud Control must match the region of your Security Cloud Control tenant.

Data plan

  • You must buy a data plan that reflects the number of events the Cisco cloud receives from your threat defense devices daily. This is called your daily ingest rate.

  • Use the Logging Volume Estimator Tool to estimate your data storage requirements.

Accounts

When you purchase a license for this integration, you are provided with a Security Cloud Control tenant account to support the integration.

Connectivity

The Firewall Threat Defense devices must be able to connect outbound on port 443 to the Cisco Security Cloud at the following addresses:

  • US region:

    • api-sse.cisco.com

    • mx*.sse.itd.cisco.com

    • dex.sse.itd.cisco.com

    • eventing-ingest.sse.itd.cisco.com

    • registration.us.sse.itd.cisco.com

    • us.manage.security.cisco.com

    • edge.us.cdo.cisco.com

  • EU region:

    • api.eu.sse.itd.cisco.com

    • mx*.eu.sse.itd.cisco.com

    • dex.eu.sse.itd.cisco.com

    • eventing-ingest.eu.sse.itd.cisco.com

    • registration.eu.sse.itd.cisco.com

    • eu.manage.security.cisco.com

    • edge.eu.cdo.cisco.com

  • Asia (APJ) region:

    • api.apj.sse.itd.cisco.com

    • mx*.apj.sse.itd.cisco.com

    • dex.apj.sse.itd.cisco.com

    • eventing-ingest.apj.sse.itd.cisco.com

    • registration.apj.sse.itd.cisco.com

    • apj.cdo.cisco.com

    • edge.apj.cdo.cisco.com

  • Australia region:

    • api.aus.sse.itd.cisco.com

    • mx*.aus.sse.itd.cisco.com

    • dex.au.sse.itd.cisco.com

    • eventing-ingest.aus.sse.itd.cisco.com

    • registration.au.sse.itd.cisco.com

    • aus.cdo.cisco.com

  • India region:

    • api.in.sse.itd.cisco.com

    • mx*.in.sse.itd.cisco.com

    • dex.in.sse.itd.cisco.com

    • eventing-ingest.in.sse.itd.cisco.com

    • registration.in.sse.itd.cisco.com

    • in.cdo.cisco.com
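An added pre-flight check (example code, not Cisco's) for the connectivity requirement above: it probes every listed hostname of one region on TCP 443 and completes a certificate-verified TLS handshake, so a blocked port, a DNS failure, or a TLS-inspecting proxy that breaks certificate validation shows up before events silently go missing. The hostnames are the ones listed above; wildcard entries (mx*) are reported as skipped rather than guessed, and the one assumption is that you run it from a host that shares the threat defense devices' egress path.

```python
import socket
import ssl
import sys

# Endpoint lists transcribed from the Connectivity section of this page, keyed by region.
# Entries containing "*" are wildcard hostnames and cannot be probed directly.
SAL_ENDPOINTS = {
    "us": ["api-sse.cisco.com", "mx*.sse.itd.cisco.com", "dex.sse.itd.cisco.com",
           "eventing-ingest.sse.itd.cisco.com", "registration.us.sse.itd.cisco.com",
           "us.manage.security.cisco.com", "edge.us.cdo.cisco.com"],
    "eu": ["api.eu.sse.itd.cisco.com", "mx*.eu.sse.itd.cisco.com", "dex.eu.sse.itd.cisco.com",
           "eventing-ingest.eu.sse.itd.cisco.com", "registration.eu.sse.itd.cisco.com",
           "eu.manage.security.cisco.com", "edge.eu.cdo.cisco.com"],
    "apj": ["api.apj.sse.itd.cisco.com", "mx*.apj.sse.itd.cisco.com", "dex.apj.sse.itd.cisco.com",
            "eventing-ingest.apj.sse.itd.cisco.com", "registration.apj.sse.itd.cisco.com",
            "apj.cdo.cisco.com", "edge.apj.cdo.cisco.com"],
    "aus": ["api.aus.sse.itd.cisco.com", "mx*.aus.sse.itd.cisco.com", "dex.au.sse.itd.cisco.com",
            "eventing-ingest.aus.sse.itd.cisco.com", "registration.au.sse.itd.cisco.com",
            "aus.cdo.cisco.com"],
    "in": ["api.in.sse.itd.cisco.com", "mx*.in.sse.itd.cisco.com", "dex.in.sse.itd.cisco.com",
           "eventing-ingest.in.sse.itd.cisco.com", "registration.in.sse.itd.cisco.com",
           "in.cdo.cisco.com"],
}
PORT = 443  # the page requires outbound TCP 443 to every endpoint

def probeable_hosts(region):
    """Hostnames for a region that can actually be tested; wildcard entries are dropped."""
    return [h for h in SAL_ENDPOINTS[region] if "*" not in h]

def check_endpoint(host, port=PORT, timeout=5.0):
    """Classify one endpoint as 'ok', 'tcp_failed' or 'tls_failed'. TCP succeeding while
    certificate validation fails usually means a TLS-inspecting proxy or missing CA in the path."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_failed"  # blocked, unroutable, unresolvable or timed out
    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname against system CAs
        with ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except OSError:  # ssl.SSLError (incl. CertificateVerifyError) is an OSError subclass
        return "tls_failed"
    finally:
        sock.close()

if __name__ == "__main__":
    region = sys.argv[1].lower() if len(sys.argv) > 1 else "us"
    for host in SAL_ENDPOINTS[region]:
        status = "skipped_wildcard" if "*" in host else check_endpoint(host)
        print(f"{host:45} {status}")
```

Run it as `python3 sal_check.py eu` (or another region key) from a host on the devices' egress path; a tls_failed result where TCP 443 is open points at certificate interception on the way out, which the devices' own connections will hit too.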

Send Cloud-Delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog

This procedure provides information about the configuration for sending syslog messages for security events (connection, security intelligence, intrusion, file, and malware events) from devices managed by Security Cloud Control.

Before you begin

  • Configure policies to generate security events, and verify that the events you expect to see are displayed in the applicable tables under the Analytics > Events & Logs menu.

  • Gather information relating to the syslog server IP address, port, and protocol (UDP or TCP).

  • Ensure that your devices can reach the syslog server.

Procedure


Step 1

In the left pane, click Administration > Firewall Management Center to open the Services page.

Step 2

Click and select Cloud-Delivered FMC and then click Configuration.

Step 3

Configure the syslog settings for your threat defense device:

  1. Click Devices > Platform Settings and edit the platform settings policy that is associated with your threat defense device.

  2. In the left-side navigation pane, click Syslog and configure the syslog settings as follows:

    • Logging Setup: Enable logging, and specify FTP server settings and Flash usage.

    • Logging Destination: Enable logging to specific destinations, and specify filtering by message severity level, event class, or a custom event list.

    • E-mail Setup: Specify the email address that is used as the source address for syslog messages that are sent as emails.

    • Events Lists: Define a custom event list that includes an event class, a severity level, and an event ID.

    • Rate Limit: Specify the volume of messages sent to all the configured destinations, and define the message severity level to which the rate limits apply.

    • Syslog Settings: Specify the logging facility, enable the inclusion of a time stamp, and enable other settings to set up a server as a syslog destination.

    • Syslog Servers: Specify the IP address, protocol, format, and security zone for the syslog server that is designated as a logging destination.

  3. Click Save.

Step 4

Configure the general logging settings for the access control policy (including file and malware logging):

  1. Click Policies > Access Control and then edit the access control policy that is associated with your threat defense device.

  2. Click More and then choose Logging. Configure the general logging settings for the access control policy (including file and malware logging) as follows:

    • Send using specific syslog alert: Select a syslog alert from the list of existing predefined alerts, or add one by specifying the name, logging host, port, facility, and severity.

    • Use the syslog settings configured in the FTD Platform Settings policy deployed on the device: Unify the syslog configuration by configuring it in Platform Settings and reusing those settings in the access control policy. The selected severity is applied to all connection and intrusion events. The default severity is ALERT.

    • Send Syslog messages for IPS events: Send intrusion events as syslog messages. The default syslog settings are used unless you override them.

    • Send Syslog messages for File and Malware events: Send file and malware events as syslog messages. The default syslog settings are used unless you override them.

  3. Click Save.

Step 5

Enable logging for security intelligence events for the access control policy:

  1. In the same access control policy, click the Security Intelligence tab.

  2. Click the logging icon and enable security intelligence logging using the following criteria:

    • By Domain Name—Click the logging icon next to the DNS Policy drop-down list.

    • By IP address—Click the logging icon next to Networks.

    • By URL—Click the logging icon next to URLs.

  3. Click Save.

Step 6

Enable syslog logging for each rule in the access control policy:

  1. In the same access control policy, click the Access Control tab.

  2. Click a rule to edit.

  3. Click the Logging tab in the rule.

  4. Check the Log at beginning of connection and Log at end of connection check boxes.

  5. If you want to log file events, check the Log Files check box.

  6. Check the Syslog Server check box.

  7. Verify that the rule is Using default syslog configuration in Access Control Logging.

  8. Click Confirm.

  9. Click Apply to save the rule.

  10. Repeat the preceding substeps for each rule in the policy, and then click Save to save the policy.


What to do next

If you have made all the required changes, deploy your changes to the managed devices.

Send Cloud-Delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection

Configure the cloud-delivered Firewall Management Center to send events directly to SAL (SaaS). Follow this procedure to enable the Cisco cloud event global setting in the cloud-delivered Firewall Management Center. When needed, you can exclude individual FTD devices from sending event logs to SAL (SaaS). For more information, see Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection.

Before you begin

  • Onboard devices to the cloud-delivered Firewall Management Center, assign licenses to these devices, and configure these devices to send events directly to SAL (SaaS).

  • Enable connection logging on a per-rule basis by editing a rule and choosing the Log at Beginning of Connection and Log at End of Connection options.

Procedure


Step 1

Log in to Security Cloud Control.

Step 2

In the left pane, click Administration > Firewall Management Center.

Step 3

Click Cloud-Delivered FMC, and in the System pane on the right side, click Cisco Cloud Events.

Step 4

In the Configure Cisco Cloud Events widget, do the following:

  1. Click the Send Events to the Cisco Cloud toggle button to enable the overall configuration.

  2. Check the Send Intrusion Events to the cloud check box to send the intrusion events to the cloud.

  3. Check the Send File and Malware Events to the cloud check box to send the file and malware events to the cloud.

  4. Choose an option to send the connection events to the cloud:

    • Click the None radio button to not send connection events to the cloud.

    • Click the Security Events radio button to send only security intelligence events to the cloud.

    • Click the All radio button to send all the connection events to the cloud.

  5. Click Save.


Enable or Disable Threat Defense Devices to Send Event logs to SAL (SaaS) Using a Direct Connection

Enable or disable sending events directly to SAL (SaaS) for the FTD devices managed by the Cloud-Delivered Firewall Management Center. This device-level control lets you exclude specific FTD devices from sending event logs to the Cisco cloud, either to reduce traffic or to keep a combination of SAL and on-premises event log storage.


Note:
  • To enable or disable sending events to the Cisco cloud from the FTD devices, enable the Cisco cloud event global setting in the Cloud-Delivered Firewall Management Center. For more information on enabling the Cisco cloud event global setting, see Send Cloud-Delivered Firewall Management Center-Managed Event Logs to SAL (SaaS) Using a Direct Connection.

    Sending events to the Cisco cloud is enabled by default for all FTD devices when the Cisco cloud event global setting is enabled in the Cloud-Delivered Firewall Management Center.

  • The option to enable or disable FTD devices to send event logs to the cloud is supported on FTD Version 7.4.1 or later.


Before you begin

  • Onboard devices to the Cloud-Delivered Firewall Management Center, assign licenses to these devices, and configure these devices to send events directly to SAL (SaaS).

  • Enable connection logging on a per-rule basis by editing a rule and choosing the Log at Beginning of Connection and Log at End of Connection options.

Procedure


Step 1

Log in to Security Cloud Control.

Step 2

From the left pane, click Inventory > Security Devices.

Step 3

Click the Devices tab to view the device.

Step 4

Click the FTD tab to view FTD devices.

Step 5

From the Security Devices list, choose the FTD devices whose configuration you want to edit.

Step 6

In the Device Management pane, click Cloud Events.

Step 7

Click the Send Events to the Cisco Cloud toggle button to enable or disable the configuration.

Step 8

Click Save.