External Alerting with Alert Responses

The following topics describe how to send external event alerts from the Secure Firewall Management Center using alert responses:

External alerts configuration with alert responses

An alert response is a configuration that defines a connection to external servers or services, such as email servers, Simple Network Management Protocol (SNMP) servers, syslog servers, or webhook endpoints. Alert response in Firewall Management Center enables you to send notifications about security events from Firewall Management Center to external monitoring servers or designated recipients. These configurations are called “responses” because they send alerts in response to events detected by the Firewall Threat Defense device.

To send external alerts from Firewall Management Center:

  1. Create alert responses for supported protocols (SNMP, syslog, email, webhooks). Specify required parameters like server addresses, ports, credentials, and message formats.

  2. Assign alert responses to specific alert types or event categories to send alerts based on event characteristics.

You can configure multiple alert responses to send different types of alerts to different monitoring servers or personnel (recipients).

External alert configurations supporting alert responses

After you create an alert response, you can use it to send the following external alerts from the Firewall Management Center.

Table 1. External alert configurations supporting alert responses

Event and alert type | For more information, refer to
---------------------|-------------------------------
Intrusion events, by impact flag | Configure impact flag alerts
Discovery events, by type | Configure discovery event alerts
Malware and retrospective malware events detected by Malware Defense ("network-based") | Configure Malware defense alerts
Correlation events, by correlation policy violation | Adding Responses to Rules and Allow Lists
Connection events, by the logging rule or default action (email alerts not supported) | Other Connections You Can Log
Health events, by health module and severity level | Creating Health Monitor Alerts

Prerequisites for external alerting with alert responses

Model support: Any

Supported domains: Any

User roles: Admin

Guidelines for external alerting with alert responses

  • Firewall Management Center sends alerts using alert responses. It also sends intrusion email alerts, which do not use alert responses. By contrast, SNMP and syslog alerts triggered by individual intrusion rules are sent directly by the managed devices. For more information, see External Alerting for Intrusion Events.

  • Depending on your Firewall Threat Defense version and device model, alert responses may not be the best way to send syslog messages. For more information, see About Syslog in Cisco Secure Firewall Management Center Device Configuration Guide and Best Practices for Configuring Security Event Syslog Messaging.

  • When you create a new alert response, it gets enabled automatically. If you want to temporarily stop alert generation, disable the alert response instead of deleting it.

  • When you modify an alert response, your changes take effect immediately. However, if you are using an alert response to send connection logs to an SNMP trap or syslog server, you must also deploy the configuration for your changes to be applied.

Alert responses

Create alert responses for supported protocols (SNMP, syslog, email, webhooks) with required parameters like server addresses, ports, credentials, and message formats.

Create an SNMP alert response

Configure an SNMP alert response in Firewall Management Center using SNMPv1, SNMPv2, or SNMPv3 to monitor network events.


Note

When you select an SNMP version for the SNMP protocol, note that:

  • The recommended version for SNMP alert response is SNMPv3 as it supports advanced encryption.

  • SNMPv2 supports only read-only communities. SNMPv3 supports only read-only users and provides encryption with AES128.

  • To monitor 64-bit values with SNMP, you must use either SNMPv2 or SNMPv3. SNMPv1 does not support 64-bit monitoring.


Before you begin

If your network management system requires the Firewall Management Center’s management information base (MIB) file, obtain it at /etc/sf/DCEALERT.MIB.

Procedure


Step 1

Choose Administration > Alerts.

Step 2

From the Create Alert drop-down menu, choose Create SNMP Alert.

Step 3

Edit the SNMP Alert Configuration fields:

  1. Name―Enter a name to identify the SNMP response.

  2. Trap Server―Enter the hostname or IP address of the SNMP trap server.

    Attention

    Firewall Management Center does not warn you if you enter an invalid IPv4 address (such as 192.169.1.456) in this field. Instead, Firewall Management Center treats the invalid address as a hostname.

  3. Version―Choose the SNMP version you want to use from the drop-down list. SNMPv3 is the default.

    These protocols are available:

    • SNMPv1 or SNMPv2: Enter a read-only SNMP community name in the Community String field, and then skip to the final step of this task.

      Note

      Allowed characters for this field include alphanumeric characters, underscore (_), hyphen (-), asterisk (*), and dollar sign ($). The maximum length allowed is 128 characters.

    • For SNMPv3: Enter the name of the user that you want to authenticate with the SNMP server in the User Name field and continue to the next step.

  4. Authentication Protocol―Choose the protocol you want to use to encrypt authentication from the drop-down list.

    Choose from:

    • MD5—Message Digest 5 (MD5) hash function.

    • SHA—Secure Hash Algorithm (SHA) hash function.

  5. Authentication Password―Enter the password to enable authentication.

  6. Privacy Protocol―Choose the protocol you want to use to encrypt a private password from the drop-down list.

    Choose from:

    • DES—Data Encryption Standard (DES) using 56-bit keys in a symmetric secret-key block algorithm.

    • AES—Advanced Encryption Standard (AES) using 56-bit keys in a symmetric cipher algorithm.

    • AES128—AES using 128-bit keys in a symmetric cipher algorithm. A longer key provides higher security but a reduction in performance.

  7. Privacy Password―Enter the privacy password required by the SNMP server. Specifying a private password enables privacy and requires you to also specify an authentication password.

  8. Engine ID―Enter an identifier for the SNMP engine, in hexadecimal notation, using an even number of digits.

    When you use SNMPv3, the system uses an Engine ID value to encode the message. Your SNMP server requires this value to decode the message.

    Cisco recommends using the hexadecimal version of the Firewall Management Center’s IP address. For example, if the Firewall Management Center has an IP address of 10.1.1.77, use 0a01014D0.
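A pre-save check of the SNMP Alert Configuration fields described in this step, added here as an example and not Cisco code. It encodes only the rules the step states (the silent hostname fallback for an invalid Trap Server address, the Community String character set and length, the privacy/authentication password dependency, and the even-digit hex Engine ID derived from the Management Center's IPv4 address); the dictionary key names are assumptions.

```python
"""Pre-flight validation of SNMP alert response fields (added example, not Cisco code)."""
import ipaddress
import re

# Community String: alphanumerics, underscore, hyphen, asterisk, dollar; 1-128 chars.
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_\-*$]{1,128}$")
# Engine ID: hexadecimal with an even number of digits (whole bytes).
ENGINE_ID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def classify_trap_server(value: str) -> str:
    """Return 'ipv4', 'ipv6' or 'hostname' for the Trap Server field value."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "hostname"  # the Management Center would treat it as a hostname
    return "ipv4" if addr.version == 4 else "ipv6"


def looks_like_mistyped_ipv4(value: str) -> bool:
    """Four dotted numeric groups (e.g. 192.169.1.456) that are not a valid IPv4 address."""
    dotted = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value) is not None
    return dotted and classify_trap_server(value) != "ipv4"


def valid_community(value: str) -> bool:
    return COMMUNITY_RE.match(value) is not None


def engine_id_from_ipv4(ip: str) -> str:
    """Hexadecimal form of the address, one byte per octet: 10.1.1.77 -> 0a01014d."""
    return "".join(f"{octet:02x}" for octet in ipaddress.IPv4Address(ip).packed)


def valid_engine_id(value: str) -> bool:
    return ENGINE_ID_RE.match(value) is not None


def check_snmp_alert(fields: dict) -> list:
    """Return findings for a dict of field values (keys are assumed names, not the UI's)."""
    findings = []
    server = fields.get("trap_server", "")
    if looks_like_mistyped_ipv4(server):
        findings.append(f"Trap Server {server!r} is not a valid IPv4 address; "
                        "it would be looked up as a hostname")
    version = fields.get("version", "SNMPv3")  # SNMPv3 is the default
    if version in ("SNMPv1", "SNMPv2"):
        if not valid_community(fields.get("community", "")):
            findings.append("Community String must be 1-128 characters of [A-Za-z0-9_-*$]")
    else:
        if not fields.get("user_name"):
            findings.append("SNMPv3 requires a User Name")
        if fields.get("privacy_password") and not fields.get("auth_password"):
            findings.append("A Privacy Password also requires an Authentication Password")
        if not valid_engine_id(fields.get("engine_id", "")):
            findings.append("Engine ID must be hexadecimal with an even number of digits")
    return findings
```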

Step 4

Click Save.


What to do next

If you are using SNMP alert responses to send connection logs to an SNMP trap server, you must deploy configuration changes after you modify the SNMP alert response.

Syslog alert responses

A syslog alert response is a connection to an external syslog server. It enables you to send alerts triggered by various events detected by Firewall Management Center.

Syslog messages are transmitted over either UDP or TCP, depending on the configuration of the syslog server.


Tip

For more information about syslog and configuration steps, see the documentation for your system. If you use UNIX, review the man pages for syslog and syslog.conf for conceptual and configuration information.


Facility and severity

When configuring a syslog alert response, you can specify the facility and severity associated with the syslog messages to ensure that they are processed properly by the syslog server.

  • Facility specifies the subsystem that creates the syslog message. Severity indicates how urgent the syslog message is.

  • The actual syslog message does not display facility and severity. The system that receives the syslog message uses these values to categorize the message.

  • You can choose any type of facility when creating a syslog alert response. However, you should choose one compatible with your syslog server, since not all syslog servers support all facilities. For UNIX syslog servers, the syslog.conf file should indicate which facilities are saved to which log files on the server.

The facility and severity values in the syslog messages are not used to filter event types.

Syslog alert facilities

This table lists the syslog facilities you can select.

Table 2. Syslog facilities

Facility | Description
---------|------------
AUTH | A message associated with security and authorization.
AUTHPRIV | A restricted access message associated with security and authorization. On many systems, these messages are forwarded to a secure file.
CONSOLE | An alert message.
CRON | A message generated by the clock daemon. Syslog servers that run a Linux operating system use the CRON facility.
DAEMON | A message generated by a system daemon.
FTP | A message generated by the File Transfer Protocol (FTP) daemon.
KERN | A message generated by the kernel. On many systems, these messages are printed to the console when they appear.
LOCAL0-LOCAL7 | A message generated by an internal process.
LPR | A message generated by the printing subsystem.
MAIL | A message generated by a mail system.
NEWS | A message generated by the network news subsystem.
NTP | A message generated by the Network Time Protocol (NTP) daemon.
SECURITY | A message generated by the audit subsystem.
SYSLOG | A message generated by the syslog daemon.
SOLARIS-CRON | A message generated by the clock daemon. Syslog servers that run a Windows operating system use the CLOCK facility.
USER | A message generated by a user-level process.
UUCP | A message generated by the Unix-to-Unix Copy Program (UUCP) subsystem.

Syslog severity levels

This table lists the standard syslog severity levels you can select.

Table 3. Syslog severity levels

Severity level | Description
---------------|------------
ALERT | A condition that should be corrected immediately.
CRIT | A critical condition.
DEBUG | Messages that contain debugging information.
EMERG | A panic condition broadcast to all users.
ERR | An error condition.
INFO | Informational messages.
NOTICE | Conditions that are not error conditions, but require attention.
WARNING | Warning messages.
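The facility and severity chosen in a syslog alert response travel only inside the PRI field of each message, which is why the receiving server, not the message text, decides how to file it. The following added example (not Cisco code) encodes and decodes that PRI value for the facility and severity names in the two tables above and mimics a syslog.conf selector; the numeric facility codes are those of RFC 3164, and mapping the alert response's names onto them, the sample message, and the Tag value FromMC are assumptions for illustration.

```python
"""Syslog PRI encoding for alert response facility/severity (added example, not Cisco code)."""
import re

# RFC 3164 facility codes keyed by the names offered in the alert response (assumed mapping).
FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    "NTP": 12, "SECURITY": 13, "CONSOLE": 14, "SOLARIS-CRON": 15,
}
FACILITIES.update({f"LOCAL{i}": 16 + i for i in range(8)})

# RFC 3164 severity codes; lower is more urgent.
SEVERITIES = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}
FACILITY_BY_CODE = {code: name for name, code in FACILITIES.items()}
SEVERITY_BY_CODE = {code: name for name, code in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, as defined in RFC 3164 section 4.1.1."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]


def build_message(facility: str, severity: str, host: str, tag: str, text: str) -> str:
    """Constructed RFC 3164-style line as a collector would receive it.
    The facility and severity appear only encoded in the PRI; the Tag field
    value (e.g. FromMC) is the TAG token before the colon."""
    pri = encode_pri(facility, severity)
    return f"<{pri}>Oct 16 17:57:38 {host} {tag}: {text}"


def decode_pri(line: str):
    """Recover (facility, severity, remainder) from a received line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no PRI field")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return FACILITY_BY_CODE[pri // 8], SEVERITY_BY_CODE[pri % 8], m.group(2)


def route(line: str, selectors: dict) -> list:
    """Apply syslog.conf-style selectors ('facility.minseverity' -> destination).
    A selector matches when the facility matches ('*' for any) and the message
    is at least as urgent as the selector's severity ('*' for any)."""
    facility, severity, _ = decode_pri(line)
    destinations = []
    for selector, dest in selectors.items():
        sel_fac, sel_sev = selector.upper().split(".")
        if sel_fac not in ("*", facility):
            continue
        if sel_sev != "*" and SEVERITIES[severity] > SEVERITIES[sel_sev]:
            continue
        destinations.append(dest)
    return destinations
```

A message filed under LOCAL4/NOTICE is dropped by a local4.warning selector even though it was sent, which is the usual reason an alert "disappears" on the collector side.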

Create a syslog alert response

Create a syslog alert response to connect to an external syslog server. This enables you to send event alerts to an external syslog server with customizable severity and facility settings.

Procedure

Step 1

Choose Administration > Alerts.

Step 2

From the Create Alert drop-down menu, choose Create Syslog Alert.

Step 3

Enter a Name that you want to use for the alert.

Step 4

In the Host field, enter the hostname or IP address of your syslog server.

Note

If you enter an invalid IPv4 address (such as 192.168.1.456), Firewall Management Center treats it as a hostname and does not display a warning.

Step 5

In the Port field, enter the port the server uses for syslog messages. By default, this value is 514.

Step 6

From the Facility list, choose a facility. For more information, see Syslog alert facilities.

Step 7

From the Severity list, choose a severity. For more information, see Syslog severity levels.

Step 8

In the Tag field, enter the tag name that you want to appear with the syslog message.

For example, if you wanted all messages sent to the syslog to be preceded with FromMC, enter FromMC in the field.

Step 9

Click Save.


What to do next

  • If you are using syslog alert responses to send connection logs to a syslog server, you must deploy configuration changes after you modify the syslog alert responses.

  • To use this alert response for security events, you must specify the alert response in a policy. For more information, see Configuration Locations for Security Event Syslogs.

Create an email alert response

Email alert response configuration enables you to send email alerts about critical system events through configured mail relay hosts.

Before you begin

  • Configure your mail relay host as described in Configuring a Mail Relay Host and Notification Address.


    Note

    You cannot use email alerting to log connections.


  • Ensure that the Firewall Management Center can reverse-resolve its own IP address. Some email servers use reverse DNS lookups to confirm the sender's identity and prevent spam and unauthorized access.

Procedure


Step 1

Choose Administration > Alerts.

Step 2

From the Create Alert drop-down menu, choose Create Email Alert.

Step 3

Enter a Name for the alert response.

Step 4

In the To field, enter the email addresses where you want to send alerts, separated by commas.

Step 5

In the From field, enter the email address that you want to appear as the sender of the alert.

Step 6

Next to Relay Host, verify the listed mail server is the one that you want to use to send the alert.

Tip

To change the email server, click Edit (edit icon).

Step 7

Click Save.


Create a webhook alert response

The webhook alert response configuration allows you to send Firewall Management Center alerts to external monitoring systems or custom applications that can receive and process webhook payloads.

Before you begin

  • Ensure that your Firewall Management Center has network connectivity to the webhook endpoint.

  • If you want to use TLS authentication, ensure you have the required CA certificate, client certificate, and client key files available for upload.

Procedure


Step 1

Choose Administration > Alerts.

Step 2

From the Create Alert drop-down menu, choose Create Webhook Alert.

Step 3

In the Name field, enter a descriptive name for the webhook alert response.

Step 4

In the URL field, enter the URL of your webhook endpoint.

If you enter a relative URL, Firewall Management Center automatically adds the prefix http:// or https:// based on your TLS type selection in the next step.

Step 5

From the TLS type drop-down list, choose the TLS authentication type. You have these options:

  • CLIENT: Choose this option to configure one-way TLS authentication. Upload the CA certificate for the client to validate the authenticity of the server.
  • MUTUAL: Choose this option to configure two-way TLS authentication. Upload the CA certificate, client certificate, and the client certificate key for both the client and the server to authenticate mutually.
  • None: Choose this option to not configure TLS authentication.

Step 6

If you use TLS authentication, enter the credentials required for authentication with the webhook endpoint.

Step 7

(Optional) Click Test Connection to verify that your webhook endpoint is reachable and authentication is successful. This test verifies connectivity and authentication only. It does not test the ability to send alerts to the webhook endpoint.

Step 8

Click Save.


External alerts

Firewall Management Center supports sending external alerts to various systems using its alert response functionality. Assign alert responses to specific alert types or event categories, such as intrusion impact flags, discovery events, or malware detections. This assignment ensures that relevant alerts are sent to the appropriate external systems based on event characteristics.

Configure impact flag alerts

Configuring impact flag alerting allows you to receive notifications when intrusion events with specific impact flags are detected in your network. Impact flags help you assess the impact an intrusion has on your network by correlating intrusion data, network discovery data, and vulnerability information. Firewall Management Center provides options to select alert responses for different impact types, and you can customize which impact flags will trigger alerts.

For more information about impact flags, see Intrusion Event Impact Levels.

Before you begin

You must have the IPS Smart License to configure impact flag alerts.

Procedure


Step 1

Choose Administration > Alerts.

Step 2

Click Impact Flag Alerts.

Step 3

In the Alerts section, choose the alert response that you want to use for impact flag alerting.

Tip

To create a new alert response, choose New from the drop-down list.

Step 4

In the Impact Flag Configuration section, check the appropriate check boxes to specify the alerts you want to receive for each impact flag.

Tip

Check the check box next to the name of the notification to select all the impact flags.

Step 5

Click Save.


Configure discovery event alerts

Configuring discovery event alerting allows you to receive notifications whenever a specific type of discovery event occurs in your network. Firewall Management Center provides options to select alert responses for different discovery event types, and you can customize which discovery event will trigger alerts.

Before you begin

Configure your network discovery policy to log the discovery event types for which you want to receive alerts. For more information, see the Network Discovery Policies chapter in the Cisco Secure Firewall Management Center Device Configuration Guide.

Procedure


Step 1

Choose Administration > Alerts.

Step 2

Click Discovery Event Alerts.

Step 3

In the Alerts section, choose the alert response that you want to use for discovery event alerting.

Tip

To create a new alert response, choose New from the drop-down list.

Step 4

In the Events Configuration section, check the check boxes that correspond to the discovery event type for which you want to receive alerts.

Tip

Check the check box next to the name of the notification to select all discovery event types.

Step 5

Click Save.


Configure Malware defense alerts

Configuring Malware defense alerting allows you to receive notifications whenever any malware event, including a retrospective event, is generated by Malware defense (network-based malware event). You cannot receive alerts for malware events generated by Secure Endpoint (endpoint-based malware events).

Before you begin

  • You must have the Malware Defense license to configure Malware defense alerts.

  • Configure a file policy to perform malware cloud lookups and associate that policy with an access control rule.

Procedure


Step 1

Choose Administration > Alerts.

Step 2

Click Advanced Malware Protections Alerts.

Step 3

In the Alerts section, choose the alert response you want to use for each alert type.

Tip

To create a new alert response, choose New from the drop-down list.

Step 4

In the Event Configuration section, check the check boxes that correspond to the alerts you want to receive for each malware event type.

Keep in mind that All network-based malware events includes Retrospective Events.

Network-based malware events do not include events generated by Secure Endpoint.

Step 5

Click Save.


Troubleshoot external alerts and alert response configuration

Alerts are not being sent from the Firewall Management Center

  1. Verify that alert responses are enabled on the Alerts page (Administration > Alerts) and correctly linked to the relevant policies or event types.

  2. Check that SNMP trap servers, syslog servers, email addresses, or webhook URLs are accurate.

  3. Ensure that you deploy the configuration after making changes.

Connection logs are not sent to the syslog server

  1. Ensure that connection log forwarding to the remote syslog server is enabled by configuring the access control policy to include logging options and selecting the appropriate syslog server. For more information, see Logging Connections with Access Control Rules.

  2. Connection logs may fail to send if you have not deployed configuration changes after editing alert responses and the access control rules. Save and deploy all changes to apply the updated settings.

Email alerts are not delivered or are rejected by the mail server

Email alerts can be rejected due to mail server policies or reverse DNS lookup failures.

  1. Verify the mail relay host configuration. For more information, see Configuring a Mail Relay Host and Notification Address.

    You can also check the error messages for mail relay host configuration from the Firewall Management Center CLI. Navigate to expert and enter the command cat /var/log/messages | grep -i "email\|smtp" to view mail relay host configuration error messages.

    > expert
    admin@firepower:~$ cat /var/log/messages | grep -i "email\|smtp"
    Oct 16 17:57:38 firepower msmtp: host=example.host.com tls=on auth=off from=alertfmc760@****.com recipients=example@org.com mailsize=286 smtpstatus=250 smtpmsg='250 2.0.0 Ok: queued as ****' exitcode=EX_OK

  2. Verify that your DNS servers are reachable, and they can resolve the email relay hostname.

    admin@firepower:~$ ping example.host.com
    ping: example.host.com: Name or service not known

  3. Verify that the Firewall Management Center can reverse-resolve its own IP address.
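The grep in step 1 returns one msmtp line per delivery attempt, and a successful entry and a rejection look alike until you read the smtpstatus and exitcode fields. The following added example (not Cisco code) parses such lines and separates accepted from failed deliveries. The sample lines are constructed: the first mirrors the successful entry shown above with the redacted values replaced, the second is an invented relay rejection in the same format; the errormsg key is an assumption about how msmtp logs connection failures.

```python
"""Triage msmtp delivery lines from /var/log/messages (added example, not Cisco code)."""
import re
from typing import Dict, List, Optional

# key=value pairs; a value may be single-quoted and contain spaces.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")
# "Mon dd hh:mm:ss host msmtp: <fields>"
HEADER_RE = re.compile(r"^(\w{3} +\d{1,2} [\d:]{8}) (\S+) msmtp: (.*)$")

# Constructed sample lines in the format shown in the troubleshooting step.
SAMPLE_LINES = [
    "Oct 16 17:57:38 firepower msmtp: host=example.host.com tls=on auth=off "
    "from=alertfmc760@example.com recipients=example@org.com mailsize=286 "
    "smtpstatus=250 smtpmsg='250 2.0.0 Ok: queued as ABC123' exitcode=EX_OK",
    # constructed failure: the relay rejects the sender after a reverse DNS check
    "Oct 16 18:02:11 firepower msmtp: host=example.host.com tls=on auth=off "
    "from=alertfmc760@example.com recipients=example@org.com mailsize=290 "
    "smtpstatus=550 smtpmsg='550 5.7.1 Sender address rejected: reverse DNS "
    "lookup failed' exitcode=EX_UNAVAILABLE",
]


def parse_msmtp_line(line: str) -> Optional[Dict[str, str]]:
    """Split a syslog-wrapped msmtp line into its key=value fields, or None if not msmtp."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # grep -i "email\|smtp" also matches unrelated lines
    fields = {"timestamp": m.group(1), "fmc_host": m.group(2)}
    for key, quoted, bare in KV_RE.findall(m.group(3)):
        fields[key] = bare if bare else quoted
    return fields


def delivery_status(f: Dict[str, str]) -> Dict[str, str]:
    """Accepted only when msmtp exited EX_OK and the relay answered 2xx."""
    status = f.get("smtpstatus", "")
    if f.get("exitcode") == "EX_OK" and status.startswith("2"):
        return {"status": "ok", "reason": f.get("smtpmsg", "")}
    # smtpmsg carries the relay's rejection; errormsg (assumed) a connection error
    reason = f.get("smtpmsg") or f.get("errormsg") or "no reply recorded"
    return {"status": "failed",
            "reason": f"{f.get('exitcode', '?')} ({status or 'no status'}): {reason}"}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every msmtp line; non-msmtp lines are skipped."""
    results = []
    for line in lines:
        fields = parse_msmtp_line(line)
        if fields is None:
            continue
        verdict = delivery_status(fields)
        verdict.update(relay=fields.get("host", "?"), tls=fields.get("tls", "?"),
                       at=fields["timestamp"])
        results.append(verdict)
    return results
```

A failed line with tls=off or auth=off is also worth noting on its own, since it shows the relay path the alerts actually take rather than the one configured.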

Webhook alert response connection test failed

  1. Verify network connectivity from the Firewall Management Center to the webhook endpoint.

  2. Confirm TLS authentication settings and certificates (CA, client certificate, client key) are correctly uploaded and valid.

  3. Use the Test Connection feature to validate connectivity and authentication.

History for external alerting with alert responses

Table 4. History table

Feature: Create a webhook alert response
Minimum Firewall Management Center: 7.7.0
Minimum Firewall Threat Defense: Any
Details: The Firewall Management Center supports webhook alert configuration, allowing you to integrate Firewall Management Center alerts with external systems or custom applications that can receive and process webhook payloads.
New/modified screens: Choose Administration > Alerts and then from the Create Alert drop-down menu, choose Create Webhook Alert.

Feature: Send alerts about security events from Firewall Management Center to external monitoring servers.
Minimum Firewall Management Center: 6.4.0
Minimum Firewall Threat Defense: Any
Details: This release introduces the alert response configuration and external alerting feature, enabling the Firewall Management Center to send alerts to external monitoring systems. Alert responses can be configured to notify via email, syslog, or SNMP when specific events occur. These alerting options allow integration with monitoring and management tools for timely external notifications.
New/modified screens: Choose Administration > Alerts.