The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Starting from threat defense release 6.4, you can configure your threat defense devices to send supported firewall events directly to the Cisco Security Cloud. The devices send events to the Security Services Exchange, from where the events can be promoted to various cloud services, including Cisco XDR, to improve your event analysis and investigations.
|
Requirement Type |
Requirement |
|---|---|
|
Secure Firewall Version |
|
|
Licensing |
|
|
Connectivity |
The management center and the managed devices must be able to connect outbound on port 443 to the Cisco Security Cloud at the following addresses:
|
|
General |
Your firewall deployment is generating events as expected. |
The following describes the guidelines for integrating firewall high availability deployment with Cisco Security Cloud.
To integrate threat defense high availability or cluster deployment with Cisco Security Cloud, you must integrate all peers with Security Services Exchange.
Security Services Exchange integration requires all threat defense devices in the high availability deployment to have connectivity to the internet.
When integrating a management center high availability deployment with Cisco Security Cloud, you must enable Cisco Security Cloud integration in the active peer.
If you promote the standby management center peer to the active role, the Cisco Security Cloud integration gets transferred between the active and standby peers.
If you break management center high availability deployment, both the peers remain integrated with Cisco Security Cloud.
For more information about configuring and managing a high availability deployment, see the High Availability section in Cisco Secure Firewall Management Center Administration Guide.
|
Do This |
More Information |
|||
|---|---|---|---|---|
| Step 1 |
Decide the following:
|
See About Secure Firewall Threat Defense and Cisco XDR Integration. | ||
|
Step 2 |
Meet the requirements for direct integration. |
|||
|
Step 3 |
Access Security Services Exchange, the cloud portal that you will use for managing devices and filtering events for the Cisco XDR integration. |
|||
|
Step 4 |
In Security Services Exchange, enable the eventing service. |
Click Cloud Services and enable the following options:
|
||
|
Step 5 |
If you are using Security Cloud Control to manage configurations on your threat defense device or to register your devices with Cisco Security Cloud, merge your Security Cloud Control account with the Security Services Exchange account you use for this integration. |
See Link Your Security Cloud Control and Security Services Exchange Accounts. |
||
|
Step 6 |
If you are using Smart Licensing account to register your devices with Cisco Security Cloud, link your Smart Licensing account with the Security Services Exchange account you use for this integration. |
See Link Smart Licensing Accounts with Security Services Exchange. |
||
|
Step 7 |
In your firewall manager, enable integration with the Cisco Security Cloud. |
|
||
|
Step 8 |
In Security Services Exchange, configure the system to automatically promote significant events. |
For more information, see About Promoting Events to Incidents in the Security Services Exchange Online Help |
||
|
Step 9 |
(Optional) In Security Services Exchange, configure automatic deletion of certain non-significant events. |
For more information, see Events in the Security Services Exchange Online Help |
||
|
Step 10 |
Verify that your integration is set up correctly. If necessary, troubleshoot issues. |
See: |
||
|
Step 11 |
In Cisco XDR, verify that promoted events appear as expected in the Incident Manager. |
For instructions, see Cisco XDR Help Center. |
If your register your threat defense device with Cisco Security Cloud using Security Cloud Control account and you want to send events to Security Services Exchange, you must link your Security Cloud Control account with the Security Services Exchange account.
Note that only one Security Cloud Control account can be linked with one Security Services Exchange account. If you have tenant accounts on more than one regional cloud, you must link tenant accounts separately for each regional cloud.
 Note |
This operation is not reversible. |
You must be able to sign in to Security Cloud Control and to the applicable regional cloud with your Security Cloud Sign On account.
Your Security Cloud Control account must have Admin or Super Admin privileges.
Your Security Services Exchange account must have Admin privileges.
|
Step 1 |
Sign in to the Security Cloud Control account that contains the tenant you wish to link with Security Services Exchange. |
|
Step 2 |
Choose the tenant to link with Security Services Exchange. |
|
Step 3 |
Generate a new API token for your account:
For more information about API tokens, see API Tokens. |
|
Step 4 |
In Security Services Exchange, click the Tools ( |
|
Step 5 |
Paste the token that you copied from Security Cloud Control. |
|
Step 6 |
Verify that you are linking the tenant that you intended to link. |
|
Step 7 |
Click Link CDO Account. |
|
Step 8 |
Sign out of your Security Cloud Control account, and then sign back in. |
Events generated by devices before linking tenants will have a different device ID than events generated by the same device after linking tenants.
If you do not need to map events to the devices that generated them, you can delete the "Unregistered" device entries for devices that are now associated with the linked tenant.
To integrate products registered under different Smart Licensing accounts into a single view in the cloud, you must link those Smart Licensing accounts to the Security Services Exchange tenant.
To link Smart Licensing accounts, you must have administrator-level privileges for all of the Smart Licensing accounts and the Security Services Exchange tenant that you are using for this integration.
|
Step 1 |
In the top right corner of any page in Security Services Exchange, click the Tools button ( |
|
Step 2 |
Click Link more accounts. |
|
Step 3 |
Select the accounts to integrate with this cloud account. |
|
Step 4 |
Click Link Smart/Virtual Accounts. |
|
Step 5 |
Click OK. |
Note |
Available options depend on your device manager version. Skip any step that is not applicable to your version. For example, the ability to select region and event types are version-dependent. |
Register the device with cloud services before you continue with this procedure. For more information, see Configuring Cloud Services section in Cisco Secure Firewall Device Manager Configuration Guide.
If you are using Security Cloud Control register your device with cloud services, link your Security Cloud Control account with the Security Services Exchange tenant. For more information, see Link Your Security Cloud Control and Security Services Exchange Accounts.
If you are using Smart License to register your device with cloud services, link your Smart Licensing account with the Security Services Exchange tenant. For more information, see Link Smart Licensing Accounts with Security Services Exchange
In the device manager:
Make sure that your device has a unique name. If not, click and assign a name.
Verify that the threat defense device is successfully generating events.
Make sure you have your Cisco Security Cloud Sign On credentials and can sign in to the regional cloud on which your account was created.
|
Step 1 |
In the device manager: Click Device, then click the link. |
|
Step 2 |
Click Enable for the Send Events to the Cisco Cloud option. |
|
Step 3 |
Select the types of events to send to the cloud and click OK. Later, you can change the event selection by clicking Edit next to the list of selected events. If you choose to send connection events, only security-related connection events are used in this integration. |
|
Step 4 |
Verify that your device has registered successfully in Security Services Exchange: |
Sending firewall events to the cloud allows you to use external tools to investigate the firewall incidents. The devices send firewall events to the Security Services Exchange, from where they can be forwarded to various cloud services to unify visibility and enhance your threat investigations.
To allow your devices to send firewall events to Cisco Security Cloud, you must either register the management center with the smart license (System (
)) or integrate with Cisco Security Cloud. Integrating with Cisco Security Cloud associates the management center with your Security Cloud Control account and brings your secure firewall deployment onboard to the Cisco cloud tenancy, allowing it to connect to Cisco's
integrated security cloud services.
Note |
Your management center must be between version 7.0.2 and 7.0.x, or version 7.2 and later to integrate management center with Cisco Security Cloud. For more information about integrating management center with Cisco Security Cloud, see Integrate Management Center With Cisco Security Cloud. |
This procedure describes how to integrate the management center with Cisco Security Cloud. By enabling Cisco Security Cloud integration, your management center gets registered to the Cisco cloud tenancy. This allows you to send firewall events to the Cisco cloud and use the various cloud services, such as Cisco XDR, to view and analyze the events.
Security Cloud Control uses Security Cloud Sign On as its identity provider and Duo for multifactor authentication. Ensure that you have your Security Cloud Sign On credentials and can sign in to the Cisco regional cloud where your account was created. For the regional cloud URLs, refer to Regional Clouds.
You need a Security Cloud Control tenant to integrate the management center with Cisco Security Cloud. If you do not already have a Security Cloud Control tenant, request one. For more information, refer to Request a Security Cloud Control Tenant.
Link your Security Cloud Control tenant, the one you want to use for onboarding the management center, to your Security Services Exchange account. For more information, refer to Link Your Security Cloud Control and SecureX or Cisco XDR Tenant Accounts.
Ensure that you are modifying the configuration from the global domain.
Ensure that Cisco SecureX threat response or Cisco XDR and Eventing services are enabled in Security Services Exchange. Verify this setting under Cloud Services.
Your management center must be between version 7.0.2 and 7.0.x, or version 7.2 and later to perform this procedure.
|
Step 1 |
Depending on the version of your management center:
|
||
|
Step 2 |
(Optional) Choose a Cisco regional cloud from the Current Region drop-down list.
|
||
|
Step 3 |
Depending on the version of your management center:
A separate browser tab opens to log you in to your Security Cloud Control account. Make sure this page is not blocked by a pop-up blocker. |
||
|
Step 4 |
Click Continue to Cisco SSO. 
|
||
|
Step 5 |
Log in to your Security Cloud Control account. 
If you do not have a Security Cloud Sign On account to log in to Security Cloud Control and you want to create one, click Sign up now in the Security Cloud Sign On page. Refer to Create a New Cisco Security Cloud Sign On Account. |
||
|
Step 6 |
Choose a Security Cloud Control tenant that you want to use for this integration. The management center and the managed devices get onboarded to the Security Cloud Control tenant that you choose here. 
If you do not already have a Security Cloud Control tenant or if you want to use a new tenant for this integration, create a new tenant. See Request a Security Cloud Control Tenant for more information. |
||
|
Step 7 |
Verify that the code displayed in the Security Cloud Control login page matches the code provided by the management center. 
|
||
|
Step 8 |
Click Authorize FMC. |
||
|
Step 9 |
In the management center UI, click Save to save the configuration. You can view the task progress under . The registration task can take up to 90 second to complete. If you must use management center while the registration task is in progress, open the management center in a new window. |
Configure your management center to have the managed devices send events directly to Cisco Security Cloud. The cloud region and event types that you configure in this page can be used for multiple integrations when applicable and enabled.
In the management center:
Go to the System > Configuration page and give your management center a unique name to clearly identify it in the Devices list in the cloud.
Add your threat defense devices to the management center, assign licenses to them, and ensure that the system is working correctly. Ensure that you have created necessary policies and the generated events are displayed as expected in the management center UI under the Analysis menu.
Register the management center with the Smart License or enable Cisco Security Cloud integration.
Determine the Cisco regional cloud you want to use for sending firewall events. For more information, see Guidelines and Limitations for Choosing a Regional Cloud.
If you are using Cisco Security Cloud integration to register your devices with cloud services, you must link your Security Cloud Control account with the Security Services Exchange tenant. For more information, see Link Your Security Cloud Control and Security Services Exchange Accounts.
Important |
If you were already sending events to Cisco Security Cloud using a SecureX subscription, you can continue to send events to Cisco XDR. However, if you now register your management center to the cloud tenancy using your Security Cloud Control account, your Security Cloud Control account must have a Security Analytics and Logging license to forward events to Cisco XDR. |
If you are using Smart License to register your devices with cloud services, you must link your Smart Licensing account with the Security Services Exchange tenant. For more information, see Link Smart Licensing Accounts with Security Services Exchange.
Ensure that you can sign-in to the regional cloud using your Security Cloud Sign On credentials.
Link your smart account or the Security Cloud Control tenant to your Security Services Exchange account.
Disable sending events to the cloud using syslog to avoid duplication.
|
Step 1 |
Depending on the version of your management center:
|
|||||||||||||||
|
Step 2 |
(Optional) Choose a regional cloud from the Current Region drop-down list. |
|||||||||||||||
|
Step 3 |
Check the Send events to the cloud check box. |
|||||||||||||||
|
Step 4 |
Choose the event types that you want to send to the cloud.
|
|||||||||||||||
|
Step 5 |
Click Save. |
Enable this setting to allow the automated workflows created by Cisco XDR users to interact with your management center resources.
Cisco XDR automation provides a no-to-low code approach for building automated workflows and they can be set to run in response to different schedules and events. Cisco XDR automation helps you to automate data collection and incident generation. You can rectify threats using automation and guided response recommendations across all relevant control points.
For more information about the Cisco XDR automation capabilities, see the Cisco XDR documentation.
|
Step 1 |
Click . |
|
Step 2 |
Check the Enable Cisco XDR Automation check box. |
|
Step 3 |
Choose the management center user role that you want to assign to the Cisco XDR automation workflows. The Access Admin role is set as the default, allowing access to access control policy and associated functionality in the Policies menu. |
|
Step 4 |
Click Save. |
In your browser, disable pop-up blocking.
|
Step 1 |
In a browser window, go to the Security Services Exchange admin portal using the URL: https://admin.sse.itd.cisco.com. |
|
Step 2 |
Sign in using the credentials for your Cisco security cloud sign on, Secure Endpoint , Secure Malware Analytics, or Cisco Security account. Note that your account credentials are specific to the regional cloud. |
Verify that the events you expect appear in device as expected.
|
Step 1 |
Login to your Security Services Exchange account. For more information, see Access Security Services Exchange. |
|
Step 2 |
In Security Services Exchange, click Events. |
|
Step 3 |
Look for events from your device. If you do not see expected events, see Troubleshoot a Direct Integration. |
If you activate your cloud account immediately before attempting to configure this integration and you encounter problems implementing this integration, wait for an hour or two and then log in to your cloud account.
Make sure you are accessing the correct URL for the regional cloud associated with your account.
(Releases earlier than 6.4.0.4) Manually give the device a unique name: Click the Edit icon for each row in the Devices list. Suggestion: Copy the IP address from the Description.
This change is valid only for this Devices list; it does not appear anywhere in your deployment.
(Releases from 6.4.0.4 to 6.6) Device name is sent from the management center to Security Services Exchange only at initial registration to Security Services Exchange and is not updated on Security Services Exchange if the device name changes in the management center.
Make sure you are looking at the correct regional cloud and account.
Make sure that your devices can reach the cloud and that you have allowed traffic through your firewall to all required addresses.
Click the Refresh button on the Events page to refresh the list and verify that the expected events appear.
Check your configurations for automatic deletion (filtering out events) in the Eventing settings on the Cloud Services page in Security Services Exchange.
For more troubleshooting tips, see the online help in Security Services Exchange.
If you send all connection events to the cloud, Cisco XDR uses only security connection events.
If you are using custom Security Intelligence objects in the management center including global block or allow lists and threat intelligence director, you must configure Security Services Exchange to auto-promote events that are processed using those objects. For more information, see the Security Services Exchange online help.
If the management center page fails to save the Cisco Security Cloud configuration,
Verify that the management center has connectivity to the cloud.
Ensure that you modify Cisco Security Cloud configuration from the global domain.
After starting the configuration, management center page waits 15 minutes to receive the authorization before it times out. Ensure that you complete the authorization within 15 minutes. Click EnableCisco Security Cloud to start a new authorization request after a timeout.
When management center fails to register managed devices to Security Services Exchange using the Security Cloud Control account, a message appears under . The management center restores the original configuration. When device registration fails, verify the following:
Your Security Cloud Control account has administrator privileges.
Management Center has connectivity to Security Services Exchange.
Disable and enable the Cisco Security Cloud configuration to register firewall devices to Security Services Exchange again.
) icon on the top-right and click 
Feedback