Configure Cisco FTD firewall syslog forwarding using standalone FDM version 6.4 and newer

You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: Changing the severity level of a log message after initial setup causes unexpected alerts. Contact your Concierge Security® Team (CST) before changing a severity level.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the Cisco Firepower Management Console (FMC) interface with administrator permissions

Add a syslog server

  1. Sign in to the FDM interface.
  2. In the menu bar, select Device: <device_name>, where device_name is the name of the device.
  3. In the Systems Settings section, click Logging Settings.
  4. On the Logging Settings page, in the Remote Servers section, click the Data Logging toggle to the on position.
  5. In the Syslog Servers section, click +.
  6. In the dialog, select Add Syslog Server.
  7. In the Add Syslog Server dialog, configure these settings:
    • IP Address — Enter the management IP address of the Arctic Wolf Sensor.
    • Protocol Type — Select UDP.
    • Port Number — Enter 514.
    • Interface for Device Logs — Select either Data Interface or Management Interface, and then select the appropriate value from the interface list.
      Tip: This interface is usually named Inside or similar.
  8. Click OK.
  9. On the toolbar, click Device: <device_name>, where device_name is the name of the device.
  10. On the Logging Settings page, in the Remote Servers section, select your syslog server.
  11. Configure these settings:
    • Severity Level for FXOS chassis logs — Select Information.
    • Message Filtering for Firepower Threat Defense section — Select Security level for filtering all events, and then select Information.
    • File/Malware Logging — Click the toggle to the on position, and then select your syslog server.
    • Log at Severity Level — Select Information.
  12. Click Save.

Configure access rules using standalone FDM version 6.4 and newer

  1. Sign in to the FDM interface.
  2. In the menu bar, click Policies.
  3. For each rule that you want Arctic Wolf to log, complete these steps:
    1. Click Edit.
    2. On the Logging tab, in the Select Log Action section, select one of these values:
      • At Beginning and End of Connection
      • At End of Connection
    3. In the Edit logging settings dialog, in the Send connection events field, enter the IP address of the Arctic Wolf Sensor.
    4. Click OK.
  4. For each policy that you want Arctic Wolf to log, complete these steps:
    1. Click Edit.
    2. In the Edit logging settings dialog, in the Send connection events field, enter the IP address of the Arctic Wolf Sensor.
    3. Click OK.
  5. On the toolbar, click Deployment to review the pending changes.
  6. Select Deploy to deploy the changes.
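After the syslog server (step 11 above) and the access-rule logging are deployed, a practitioner usually wants to confirm what the collector side actually receives. The script below is an added example, not code from Cisco or Arctic Wolf: it decodes the syslog PRI header and the %FTD-<severity>-<id> tag of constructed sample datagrams, flags any message above the Information level the guide configures, and warns when no connection events arrive at all. The message-ID-to-event-class mapping and the sample lines are assumptions.

```python
import re
from collections import Counter

# Cisco FTD syslog messages carry an RFC 3164 PRI header (<facility*8+severity>)
# followed by a "%FTD-<severity>-<message_id>:" tag. Severity 6 = Informational,
# the level this guide configures; 7 = Debugging, which it does not.
INFORMATIONAL = 6

# Assumed mapping of FTD event message IDs to the event classes the guide enables
# (per-rule connection logging, File/Malware Logging). Check it against the
# syslog message reference for your FTD release.
EVENT_IDS = {"430002": "connection-start", "430003": "connection-end",
             "430004": "file", "430005": "malware"}

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>.*?%FTD-(?P<sev>\d)-(?P<msgid>\d+):")

def parse_ftd_line(line):
    """Decode the PRI and tag fields of one datagram; None if not FTD format."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "tag_severity": int(m.group("sev")), "msgid": m.group("msgid"),
            "event": EVENT_IDS.get(m.group("msgid"), "other")}

def check_forwarding(lines):
    """Count events per class and list anything the CST would want corrected."""
    counts, problems = Counter(), []
    for line in lines:
        rec = parse_ftd_line(line)
        if rec is None:
            problems.append("non-FTD or truncated datagram: " + line[:32])
            continue
        counts[rec["event"]] += 1
        if rec["severity"] > INFORMATIONAL:
            problems.append(f"{rec['msgid']} arrived at severity {rec['severity']}: "
                            "logging level is above Information")
        if rec["severity"] != rec["tag_severity"]:
            problems.append(f"{rec['msgid']}: PRI severity {rec['severity']} disagrees "
                            f"with tag severity {rec['tag_severity']}")
    if counts["connection-start"] + counts["connection-end"] == 0:
        problems.append("no connection events: check access-rule Log Action")
    return counts, problems

# Constructed sample datagrams (not captured from a real device).
SAMPLE_LINES = [
    "<134>Mar 03 10:15:01 ftd-01 : %FTD-6-430002: AccessControlRuleAction: Allow, ...",
    "<134>Mar 03 10:15:09 ftd-01 : %FTD-6-430003: AccessControlRuleAction: Allow, ...",
    "<134>Mar 03 10:16:00 ftd-01 : %FTD-6-430004: FileAction: Detected, ...",
    "<135>Mar 03 10:16:02 ftd-01 : %FTD-7-111009: User 'admin' executed cmd: show version",
    "<14>Mar 03 10:16:03 ftd-01 : sshd[1234]: Accepted publickey for admin",
]

if __name__ == "__main__":
    counts, problems = check_forwarding(SAMPLE_LINES)
    print(dict(counts))
    for p in problems:
        print("PROBLEM:", p)
```

Feed it the lines captured by a UDP/514 listener on a test host to confirm the level and event classes before opening the ticket with your CST.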

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.