Configure Cisco FTD firewall log forwarding using Cisco FMC version 6.2 and older

You can configure Cisco Firepower Threat Defense (FTD)® to send the necessary logs to Arctic Wolf® for security monitoring.

Note: Changing the severity level of a log message after initial setup can cause unexpected alerts. Contact your Concierge Security® Team (CST) before changing a severity level.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to the Cisco Firepower Management Center (FMC) web UI with administrator permissions

Create a new policy

  1. Sign in to the FMC web UI.
  2. In the menu bar, click Devices > Platform Settings.
  3. Create a new policy:
    Note: You can edit an existing policy instead.
    1. Click New Policy > Threat Defense Settings.
    2. In the New Policy dialog, configure these settings:
      • Name — Enter a name for the new policy.
      • Available Devices — Select a Cisco FTD device.
    3. Click Add to Policy.

      The device appears in the Selected Devices list.

    4. Click Save.

Configure syslog servers using Cisco FMC version 6.2 and older

  1. In the policy editor, click Syslog in the left pane, and then on the Syslog Settings tab, configure these settings:
    • Enable timestamp on each syslog message — Select the checkbox.
    • Timestamp Format — Select one of these timestamp formats:
      • Legacy — Matches your system time.
      • RFC5424 — Uses UTC time.
    • (Optional) Enable Syslog Device ID — If you want to add a device identifier prefix to syslog messages, select the checkbox, and then select the type of ID. For example, select Host Name to apply the host name of the device as a prefix to the syslog message.
    Note: Messages are only sent if logging is turned on. On the Logging Setup tab, confirm that the Enable Logging checkbox is selected.
  2. On the Syslog Servers tab, click Add.
  3. In the dialog, configure these settings:
    • IP Address — Enter the IP address of the Arctic Wolf Sensor.
    • Protocol — Select UDP.
    • Port — Enter 514.
    Note: Syslog over UDP port 514 is sent in cleartext, without authentication or delivery confirmation, so the firewall and the sensor should be on a trusted internal network path.
  4. If the firewall is in:
    • Routed mode — In the Selected Zones/Interfaces section, add the zone through which the sensor is reachable.
    • Transparent mode — In the Selected Zones/Interfaces section, enter the logical name of the Cisco FTD diagnostic interface. The default name is diagnostic.
  5. Save and close the dialog.
  6. Click Save.
  7. Click Deploy.

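After you deploy, the practical check is that messages reach the collector in the form you configured. The script below is an added example, not part of the original guide and not Arctic Wolf's or Cisco's code. It parses FTD syslog lines in both the Legacy and RFC5424 timestamp layouts, pulls the severity and message ID out of the %FTD-<severity>-<id> token (the severity that the note at the top of this page refers to), and flags lines whose PRI severity, device ID or timestamp format disagree with the settings chosen above. The sample lines, the host name ftd01 and the facility value are constructed assumptions, not captured device output.

```python
import collections
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not captured from a device) approximating what an FTD sends with the
# settings in this guide: default facility LOCAL4 (20), Legacy and RFC5424 timestamps, Host Name
# device ID. The fifth line omits the device ID and the last line is deliberately built with a PRI
# that disagrees with the severity in the message token, so the checks below have something to flag.
SAMPLE_LINES = [
    '<166>Jun 10 2024 12:34:56 ftd01 : %FTD-6-302013: Built outbound TCP connection 1234 '
    'for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)',
    '<166>1 2024-06-10T12:34:56Z ftd01 - - - - %FTD-6-302013: Built outbound TCP connection 1235 '
    'for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.6/51235 (10.0.0.6/51235)',
    '<164>Jun 10 2024 12:35:01 ftd01 : %FTD-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    "<165>1 2024-06-10T12:35:05Z ftd01 - - - - %FTD-5-111008: User 'admin' executed the "
    "'configure terminal' command.",
    '<166>Jun 10 2024 12:35:09: %FTD-6-302014: Teardown TCP connection 1234 for '
    'outside:203.0.113.5/443 to inside:10.0.0.5/51234 duration 0:00:13 bytes 5120 TCP FINs',
    '<166>1 2024-06-10T12:35:10Z ftd01 - - - - %FTD-7-710005: UDP request discarded from '
    '10.0.0.9/137 to inside:10.0.0.255/137',
]

SEVERITY_NAMES = ('emergency', 'alert', 'critical', 'error',
                  'warning', 'notice', 'informational', 'debug')

# One regex for both headers. PRI = facility * 8 + severity (RFC 5424, section 6.2.1).
# RFC5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA.
# Legacy header:  'Mon DD YYYY HH:MM:SS', the optional device ID, then a colon.
LINE_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?:1 (?P<ts5424>\S+) (?P<host5424>\S+) \S+ \S+ \S+ \S+ '
    r'|(?P<tslegacy>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})(?: (?P<hostlegacy>\S+))? ?: )'
    r'%(?P<mnemonic>[A-Z]+)-(?P<sev>\d)-(?P<id>\d+): (?P<msg>.*)$'
)


@dataclass
class FtdRecord:
    facility: int
    pri_severity: int      # severity encoded in the <PRI> field
    timestamp: str
    host: Optional[str]    # device ID prefix, None if the firewall did not send one
    mnemonic: str          # e.g. FTD
    severity: int          # severity from the %FTD-<sev>-<id> token
    msg_id: str
    message: str
    rfc5424: bool


def parse_line(line: str) -> FtdRecord:
    """Parse one FTD syslog line in either timestamp layout; raise on anything else."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f'not an FTD syslog line: {line[:60]!r}')
    pri = int(m['pri'])
    rfc5424 = m['ts5424'] is not None
    return FtdRecord(
        facility=pri // 8, pri_severity=pri % 8,
        timestamp=m['ts5424'] if rfc5424 else m['tslegacy'],
        host=m['host5424'] if rfc5424 else m['hostlegacy'],
        mnemonic=m['mnemonic'], severity=int(m['sev']), msg_id=m['id'],
        message=m['msg'], rfc5424=rfc5424,
    )


def check_feed(lines, expected_host: Optional[str] = 'ftd01'):
    """Parse a batch of lines and return (records, findings, severity_counts).

    expected_host is the device ID enabled under Syslog Settings; pass None to skip that check.
    """
    records = [parse_line(line) for line in lines]
    findings = []
    for r in records:
        if r.pri_severity != r.severity:
            findings.append(f'{r.msg_id}: PRI severity {r.pri_severity} != message severity {r.severity}')
        if expected_host is not None and r.host != expected_host:
            findings.append(f'{r.msg_id}: device ID {r.host!r}, expected {expected_host!r}')
    formats = {'RFC5424' if r.rfc5424 else 'Legacy' for r in records}
    if len(formats) > 1:
        findings.append(f'mixed timestamp formats from one device: {sorted(formats)}')
    return records, findings, collections.Counter(r.severity for r in records)


if __name__ == '__main__':
    records, findings, counts = check_feed(SAMPLE_LINES)
    for sev in sorted(counts):
        print(f'severity {sev} ({SEVERITY_NAMES[sev]}): {counts[sev]} message(s)')
    for finding in findings:
        print('FINDING:', finding)
```

Run it against a short capture from the sensor side (for example a few lines saved from a packet capture on UDP 514) instead of SAMPLE_LINES. The severity counts show which levels the firewall is actually sending, which is what your CST tunes against, and the findings call out a missing device ID or a timestamp format that does not match what you selected on the Syslog Settings tab.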
Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on if you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.