Configure Cisco FTD firewall log forwarding using Cisco FMC version 6.3 and newer

You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: Changing the severity level of a log message after initial setup causes unexpected alerts. Contact your Concierge Security® Team (CST) before changing a severity level.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the Cisco Firepower Management Console (FMC) web UI with administrator permissions

Create a new policy

  1. Sign in to the FMC web UI.
  2. In the menu bar, click Devices > Platform Settings.
  3. Create a new policy:
    Note: You can edit an existing policy instead.
    1. Click New Policy > Threat Defense Settings.
    2. In the New Policy dialog, configure these settings:
      • Name — Enter a name for the new policy.
      • Available Devices — Select a Cisco FTD device.
    3. Click Add to Policy.

      The device appears in the Selected Devices list.

    4. Click Save.

Configure syslog servers using Cisco FMC version 6.3 and newer

  1. Find the policy you want to configure, and then click Edit.
  2. In the navigation pane, click Syslog.
  3. On the Logging Setup tab, in the Basic Logging Settings section, select the Enable Logging checkbox.
  4. Optional: If the device is in a high-availability (HA) pair, select the Enable Logging on the failover standby unit checkbox.
  5. On the Logging Destinations tab, click Add.
  6. In the Add Logging Filter dialog, configure these settings:
    • Logging Destination — Select Syslog Servers.
    • Event Class — Select Filter on Severity.
    • Severity — Select Informational.
  7. Click OK.
  8. On the Syslog Settings tab, configure these settings:
    • Enable timestamp on each syslog message — Select the checkbox.
    • Timestamp Format — Select one of these timestamp formats:
      • Legacy — Matches your system time.
      • RFC5424 — Uses UTC time.
    • (Optional) Enable Syslog Device ID — If you want to add a device identifier prefix to syslog messages, select the checkbox, and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.
  9. On the Syslog Servers tab, click Add to add a syslog server.
  10. In the Add Syslog Server dialog, configure these settings:
    • IP Address — Enter the IP address of the Arctic Wolf Sensor.
    • Protocol — Select UDP.
    • Port — Enter 514.
    • Reachable By — Select Device Management Interface.
  11. Click OK.
  12. Click Save.
  13. Click Deploy > Deployment.
  14. Select your device, and then click Deploy.

    The Deployment Confirmation dialog box opens.

  15. In the Deployment Confirmation dialog, click Deploy.
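    The settings above (the Informational severity filter, a timestamp on every message, the optional host-name device ID, and UDP/514) determine what the Sensor receives. The following Python script is an added example, not part of this guide or of Arctic Wolf's tooling: it parses constructed FTD syslog lines and flags the conditions a CST would otherwise only discover after deployment, such as a missing timestamp or debug-level messages that the filter should have dropped. The message layout, the host name ftd-edge-01, the local4 facility in the PRI values and all sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FTD message body: %FTD-<severity>-<message id>: <text>; severity 0 (emergencies) .. 6 (informational) .. 7 (debugging)
FTD_MSG = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
RFC5424_TS = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})")  # UTC, e.g. 2024-05-01T12:34:56Z
LEGACY_TS = re.compile(r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}")  # system time, e.g. "May 01 2024 12:34:56"
INFORMATIONAL = 6  # the severity chosen in the Logging Destinations filter

@dataclass
class FtdEvent:
    priority: Optional[int]   # syslog PRI = facility * 8 + severity
    timestamp: Optional[str]
    severity: int
    msgid: str
    text: str

def parse_ftd_syslog(line: str) -> Optional[FtdEvent]:
    """Parse one line as received on UDP/514; return None if it is not an FTD message."""
    pri = re.match(r"<(\d{1,3})>", line)
    body = FTD_MSG.search(line)
    if not body:
        return None
    ts = RFC5424_TS.search(line) or LEGACY_TS.search(line)
    return FtdEvent(int(pri.group(1)) if pri else None, ts.group(0) if ts else None,
                    int(body["sev"]), body["msgid"], body["text"])

def check_forwarding(lines: List[str]) -> List[Tuple[int, str]]:
    # Returns (1-based line number, problem) for lines that show a mis-applied platform setting.
    issues = []
    for n, line in enumerate(lines, 1):
        ev = parse_ftd_syslog(line)
        if ev is None:
            issues.append((n, "not an FTD syslog message"))
            continue
        if ev.timestamp is None:
            issues.append((n, "no timestamp: enable timestamp on each syslog message"))
        if ev.severity > INFORMATIONAL:
            issues.append((n, f"severity {ev.severity} exceeds informational filter"))
        if ev.priority is not None and ev.priority % 8 != ev.severity:
            issues.append((n, "PRI severity does not match message severity"))
    return issues

SAMPLE = [  # constructed sample lines (assumed format; local4 facility, host name as device ID)
    "<166>May 01 2024 12:34:56 ftd-edge-01 : %FTD-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.25/51514 (192.0.2.25/51514)",
    "<167>May 01 2024 12:34:57 ftd-edge-01 : %FTD-7-609001: Built local-host outside:203.0.113.10",
    "<163>%FTD-3-106014: Deny inbound icmp src outside:203.0.113.5 dst inside:192.0.2.25 (type 8, code 0)",
    "<165>2024-05-01T12:34:58Z ftd-edge-01 : %FTD-5-111010: User 'admin', running 'CLI' from IP 192.0.2.100, executed 'show running-config'",
]
```

    Run check_forwarding over a capture taken on the Sensor after deployment; an empty result means the timestamp and severity settings took effect.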

Update access control policy

  1. In the menu bar, click Policies > Access Control.
  2. Click Edit next to the access control policy targeting your Cisco FTD device.
  3. Click More > Logging.
  4. Configure these settings:
    1. Select the Use the syslog settings configured in the FTD Platform Settings policy deployed on the device checkbox.
    2. In the Syslog Severity list, select INFO.
    3. Select the Send Syslog messages for IPS events checkbox.
    4. Select the Send Syslog messages for File and Malware events checkbox.
  5. Click Save.
  6. Click the Access Control tab.
  7. Select the Select all rules from this page checkbox.
  8. In the Select Bulk Action list, select Edit.
  9. Select the Log at end of connection checkbox, and then select Yes from the list.
  10. Click Apply.
  11. Deploy your changes to your Cisco FTD devices.

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.