Overview
Blumira’s modern cloud SIEM platform integrates with Cisco Firepower Threat Defense Firewall to stream security event logs to the Blumira service for threat detection and automated threat response.
Additionally, enabling Blumira’s dynamic blocklist capabilities on your integrated next-generation firewall allows us to provide automated blocking of known threats.
Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.
Learn more about Cisco FTD integration with Blumira in Automating Detection and Response With Cisco Firewalls & VPN. Also see Cisco's instructions for configuring Security Intelligence Feeds with FTD.
Cisco FTD Firewall log collection
Collecting logs from a Cisco FTD appliance is slightly different from the mechanism used for ASA with Firepower services. This document covers the initial setup steps for collecting logs from an FTD appliance that is managed through Firepower Management Center (FMC).
For vendor documentation, see Cisco's Platform Settings for Firepower Threat Defense.
Before you begin
This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.
On the Blumira sensor detail screen, under Host Details, copy the IP address of your Blumira sensor to use when configuring Firepower Threat Defense.
Configuring Syslog and an Output Destination
- Select Devices > Platform Settings and create or edit a Firepower Threat Defense policy.
- Select Syslog > Syslog Server.
- Check the Allow user traffic to pass when TCP syslog server is down check box so that user traffic is still permitted if a syslog server that uses the TCP protocol becomes unreachable.
- In the Message queue size (messages) field, enter the size of the queue used to store syslog messages on the security appliance while the syslog server is busy.
Tip: Type 0 to allow an unlimited number of messages to be queued; however, the queue is limited by the availability of block memory. If your Firepower Appliance is heavily used, leave the default value 512 for the initial configuration.
- In the IP Address list, select a network host object that contains the IP address of the Blumira Sensor.
- Choose UDP as the protocol, and keep the default port number 514.
- Important: Do not select Log messages in Cisco EMBLEM format.
- Add the zones that contain the interfaces used to communicate with the syslog server.
Note: For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interface list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.
- Click Add.
Note: If the syslog server is on the network attached to the physical Management interface, you must type the name of that interface into the Interface Name field below the Selected Security Zones list and click Add. You must also configure this name (if not already configured), and an IP address, for the Diagnostic interface (edit the device from the Device Management page and select the Interfaces tab).
- Click OK.
- Click Save.
You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them. At this point the Blumira sensor will start receiving syslog communication from your Cisco Firepower appliance.
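After deployment, the quickest way to confirm the policy took effect is to look at what actually arrives on the sensor host. The script below is an added example, not code from Blumira or Cisco: it listens on the UDP port configured above, parses the RFC 3164 priority header and the plain (non-EMBLEM) `%FTD-<severity>-<message id>:` body, and flags anything that does not match so that a wrong format option or a stray sender is visible. The sample datagrams, their message ids and the bind address/port are constructed assumptions; binding to port 514 requires root, so use an unprivileged port for a quick test.

```python
import re
import socket
from dataclasses import dataclass
from typing import List, Optional

# Plain (non-EMBLEM) Cisco FTD syslog body: "%FTD-<severity>-<message id>: <text>".
FTD_BODY = re.compile(r"^%FTD-(?P<sev>[0-7])-(?P<msgid>\d+):\s*(?P<text>.*)$", re.DOTALL)
# RFC 3164 priority header "<PRI>", where PRI = facility * 8 + severity (0..191).
PRI_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$", re.DOTALL)


@dataclass
class FtdEvent:
    facility: int   # decoded from <PRI>
    severity: int   # decoded from <PRI>
    msgid: int      # numeric FTD message id from the body
    text: str       # message text after the id


def parse_ftd_syslog(line: str) -> Optional[FtdEvent]:
    """Return an FtdEvent for a plain-format FTD line, or None when the line
    is not recognised (so the caller can flag it for review)."""
    m = PRI_HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    body = m.group("body").lstrip()
    b = FTD_BODY.match(body)
    if not b:
        return None
    return FtdEvent(facility=pri // 8, severity=pri % 8,
                    msgid=int(b.group("msgid")), text=b.group("text"))


def triage(lines: List[str]) -> dict:
    """Split received lines into parsed FTD events and unrecognised lines.
    A non-empty 'unrecognised' list after deployment usually means the wrong
    format option (for example EMBLEM) or another host sending to this port."""
    parsed, unrecognised = [], []
    for line in lines:
        ev = parse_ftd_syslog(line)
        if ev is None:
            unrecognised.append(line)
        else:
            parsed.append(ev)
    return {"parsed": parsed, "unrecognised": unrecognised}


def receive_datagrams(bind_ip: str = "0.0.0.0", port: int = 514,
                      count: int = 5, timeout: float = 30.0) -> List[str]:
    """Listen on UDP/<port> and return up to `count` datagrams as text.
    Port 514 needs root; pick an unprivileged port for an ad-hoc check."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((bind_ip, port))
    out: List[str] = []
    try:
        while len(out) < count:
            data, _ = sock.recvfrom(8192)
            out.append(data.decode("utf-8", errors="replace"))
    except socket.timeout:
        pass  # return whatever arrived before the timeout
    finally:
        sock.close()
    return out


# Constructed sample datagrams (not captured from a real device; ids illustrative).
SAMPLE_LINES = [
    "<166>%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.2.3, DstIP: 192.0.2.10, DstPort: 443",
    "<163>%FTD-3-710003: TCP access denied by ACL from 198.51.100.7/51000 to outside:192.0.2.10/22",
    "<13>otherhost app[123]: not a Firepower message",
]

if __name__ == "__main__":
    # Swap SAMPLE_LINES for receive_datagrams(port=5514) on the sensor host.
    result = triage(SAMPLE_LINES)
    for ev in result["parsed"]:
        print(f"facility={ev.facility} severity={ev.severity} msgid={ev.msgid}: {ev.text[:60]}")
    for line in result["unrecognised"]:
        print("UNRECOGNISED:", line)
```

Facility 20 (local4) with severity 6 decodes from `<166>` as 20 * 8 + 6; if the decoded facility differs from what you expect, the logging facility on the FTD platform settings has been changed from its default.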