
Cisco Firepower

Log collector

Adds alerts from Cisco Firepower firewalls to the Sophos Data Lake.

You can integrate Firepower with Sophos Central so that it sends its security event data (connection, intrusion, file and malware events, via syslog) to Sophos for analysis.

This integration uses a log collector on a virtual machine (VM). The log collector receives third-party data and sends it to the Sophos Data Lake.

Note

A VM can host integrations for multiple products, but can't host more than one integration of the same product.

The key steps are as follows:

  • Add an integration for this product. This configures an Open Virtual Appliance (OVA) file.
  • Deploy the OVA file on your ESXi server. This becomes your log collector.
  • Configure Firepower to send data out. The steps you follow depend on the device you have.
  • Connect Firepower to your VM.

Add an integration

To integrate Firepower with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center and click Integrations.
  2. Click Cisco Firepower.

    If you've already set up connections to Firepower, you see them here.

  3. Click Add integration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration steps you configure your VM to receive data from Firepower. You can use an existing VM, or create a new one.

You might have to go to Firepower to get some of the information you need to fill in the form.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the VM.
  3. Select the virtual platform. Currently only VMware is supported.
  4. Specify the internet-facing network ports.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address on your DHCP server so that it never changes. Firepower sends to the address you enter later, and a changed address silently stops the feed.

    • Select Manual to specify network settings.

    You'll need the VM's address later, when you configure Firepower to send data to it.

  5. Select a Protocol.

  6. Select a Syslog format.
  7. Complete any remaining fields.
  8. Click Save.

    We create the integration and it appears in your list. It may take a few minutes for the OVA file to be ready for download.

Deploy the VM

Restriction

The OVA file is verified with Sophos Central, so it can only be used once. After it's been deployed, it can't be used again.

If you have to deploy a new VM, you must do all these steps again to link this integration to Sophos Central.

Use the OVA file to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click Download OVA.
  2. When the OVA file download finishes, deploy it on your ESXi server. An assistant guides you through the steps. See Deploy a VM for integrations.

When you've deployed the VM, the integration shows as Connected.

Configure Firepower

Now configure Firepower to send data to your log collector.

The steps you follow depend on the type of device you're configuring. The two procedures below cover Firepower Threat Defense version 6.3 or later, and Firepower classic devices. Follow the one that matches your device.

To connect Firepower Threat Defense version 6.3 or later to your Sophos log collector, do as follows:

Note

Avoid special characters, including commas, in object names such as policy and rule names. The log collector on the VM may treat the characters as separators.

Configure syslog settings

  1. Click Devices > Platform Settings.
  2. In the left menu, click Syslog.
  3. Click Syslog Servers and click Add.
  4. Enter the server, protocol, interface, and related information for your Sophos log collector.

    For more details, see Configure a Syslog Server.

  5. Click Syslog Settings and configure the settings as follows:

    1. Turn on Timestamp on Syslog Messages.
    2. Enter Timestamp Format.
    3. Turn on Syslog Device ID.

    See FTD Platform Settings That Apply to Security Event Syslog Messages.

  6. Click Logging Setup.

  7. Select whether or not to send syslogs in EMBLEM format.
  8. Click Save.

Configure logging settings for access control

You must configure logging settings for the access control policy, including file and malware logging.

  1. Click Policies > Access Control.
  2. Edit the applicable access control policy.
  3. Click Logging.
  4. Select FTD 6.3 and later: Use the syslog settings configured in the FTD Platform Settings policy deployed on the device. This reuses the syslog server you set up in Platform Settings.
  5. (Optional) Select Syslog Severity.
  6. If you want to send file and malware events, select Send Syslog messages for File and Malware events.
  7. Click Save.

Enable logging for Security Intelligence events

  1. In the same access control policy, click the Security Intelligence tab.
  2. In each of the following locations, click Logging, then enable Syslog Server and logging at both the start and end of connections:

    1. Beside DNS Policy.
    2. In the Block List box, for Networks and for URLs.
  3. Click Save.

Enable syslog logging for each access control rule

  1. In the same access control policy, click the Rules tab.
  2. Click a rule to edit.
  3. Click the Logging tab in the rule.
  4. Choose whether to log the start or end of connections, or both.

    Connection logging generates a lot of data. Logging both start and end generates roughly twice as much. Not every connection can be logged both at start and end.

  5. If you want to log file events, select Log Files.

  6. Enable Syslog Server.
  7. Verify that the rule is Using default syslog configuration in Access Control Logging.
  8. Click Add.
  9. Repeat for each rule in the policy.

Enable logging for intrusion events

  1. Go to the intrusion policy associated with your access control policy.
  2. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.
  3. If necessary, click Edit.
  4. Enter options as follows:

    • Logging Host

      Unless you want to send intrusion event syslog messages to a different syslog server than the one where you send other syslog messages, leave this blank. The settings you've configured above will be used.

    • Facility

      This setting is applicable only if you specify a logging host on this page.

      For descriptions, see Syslog Alert Facilities.

    • Severity

      This setting is applicable only if you specify a logging host on this page.

      For descriptions, see Syslog Severity Levels.

  5. Click Back.

  6. Click Policy Information in the left menu.
  7. Click Commit Changes.

For more details on this process refer to the Cisco documentation. See Creating a Syslog Alert Response.
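Before you rely on the feed, it's worth checking on the collector side that the lines arriving look the way the steps above should make them: timestamp and device ID present, one of the expected event message IDs, and a body that splits cleanly into "Key: Value" fields. The following is an added example (not Sophos or Cisco code) that does that and also shows why the note at the start of this section matters: a comma inside a rule name produces a keyless field when the body is split. The sample lines are constructed to approximate the FTD 6.3 format; the 43000x message IDs, field names such as AccessControlRuleName and ACPolicy, and the header layout are assumptions to confirm against your own device's output. The same comma caveat applies to the classic-device procedure that follows.

```python
"""Collector-side sanity check for FTD 6.3+ security-event syslog lines.
Added example, not Sophos or Cisco code. The SAMPLE_LINES are constructed to
approximate the FTD "Key: Value, Key: Value" body format; the 43000x message
IDs, the field names and the header layout are assumptions to confirm against
your own device's output."""
import re
from typing import Dict, List

# Security-event message IDs emitted by FTD 6.3+ (assumed numbering).
EVENT_TYPES = {
    "430001": "intrusion",
    "430002": "connection-start",
    "430003": "connection-end",
    "430004": "file",
    "430005": "malware",
}
# <PRI>[timestamp] [device-id] [:] %FTD-<severity>-<msgid>: <body>
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<prefix>.*?)%FTD-(?P<sev>\d)-(?P<msgid>\d+):\s*(?P<body>.*)$"
)
TIME_RE = re.compile(r"\d{2}:\d{2}:\d{2}")
# Characters a policy or rule name can contain without confusing the
# collector's field splitting (assumption: letters, digits, space, _ . -).
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 _.-]+$")
NAME_FIELDS = ("ACPolicy", "AccessControlRuleName")  # assumed field names

SAMPLE_LINES = [  # constructed, not captured from a real device
    "<161>Jan 12 2024 11:12:13 ftd-edge-01 %FTD-1-430003: AccessControlRuleAction: Allow, "
    "SrcIP: 10.10.8.21, DstIP: 93.184.216.34, SrcPort: 51234, DstPort: 443, Protocol: tcp, "
    "ACPolicy: Branch-ACP, AccessControlRuleName: Allow-Web, InitiatorPackets: 12",
    # rule name "Deny Telnet, legacy" contains a comma: the collector sees a keyless field
    "<161>Jan 12 2024 11:12:14 ftd-edge-01 %FTD-1-430002: AccessControlRuleAction: Block, "
    "SrcIP: 10.10.8.22, DstIP: 198.51.100.7, DstPort: 23, Protocol: tcp, "
    "ACPolicy: Branch-ACP, AccessControlRuleName: Deny Telnet, legacy, AccessControlRuleReason: Default Action",
    # no timestamp and no device ID: the Syslog Settings step was skipped
    "<161>%FTD-1-430001: Protocol: tcp, SrcIP: 203.0.113.9, DstIP: 10.10.8.30, DstPort: 22, "
    "Classification: Attempted Administrator Privilege Gain, Priority: 1, GID: 1, SID: 2025701",
]


def parse_line(line: str) -> Dict:
    """Split one line into header metadata and its Key: Value fields."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an FTD syslog line: {line!r}")
    pri = int(m["pri"])
    tokens = m["prefix"].split()
    # Device ID heuristic (assumption): the first header token after the
    # timestamp, or the first token at all when there is no timestamp,
    # ignoring a bare ":" separator.
    ts_idx = next((i for i, t in enumerate(tokens) if TIME_RE.search(t)), -1)
    rest = [t for t in tokens[ts_idx + 1:] if t != ":"]
    fields, orphans = {}, []
    for piece in m["body"].split(", "):
        key, sep, value = piece.partition(": ")
        if sep:
            fields[key] = value
        else:
            orphans.append(piece)  # no "Key: " -> a comma inside a value
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "has_timestamp": ts_idx >= 0,
        "device_id": rest[0] if rest else None,
        "event_type": EVENT_TYPES.get(m["msgid"], "unknown-" + m["msgid"]),
        "fields": fields,
        "orphans": orphans,
    }


def check_line(line: str) -> List[str]:
    """Return the problems a collector-side parser would hit on this line."""
    ev = parse_line(line)
    problems = []
    if not ev["has_timestamp"]:
        problems.append("no timestamp: turn on 'Timestamp on Syslog Messages'")
    if ev["device_id"] is None:
        problems.append("no device ID: turn on 'Syslog Device ID'")
    if ev["event_type"].startswith("unknown-"):
        problems.append("unexpected message ID " + ev["event_type"][8:])
    for piece in ev["orphans"]:
        problems.append(f"keyless field {piece!r}: a value contains a comma")
    for name in NAME_FIELDS:
        value = ev["fields"].get(name)
        if value is not None and not SAFE_NAME_RE.match(value):
            problems.append(f"{name} {value!r} contains special characters")
    return problems


def audit(lines) -> Dict[int, List[str]]:
    """Map line index -> problems; an empty dict means every line is clean."""
    return {i: p for i, line in enumerate(lines) if (p := check_line(line))}


if __name__ == "__main__":
    for i, problems in audit(SAMPLE_LINES).items():
        print(f"line {i}:")
        for p in problems:
            print("  -", p)
```

Feed it real lines captured on the collector VM (for example with tcpdump on the port you chose) in place of SAMPLE_LINES. A keyless field is the signature of a comma in an object name; rename the policy or rule rather than trying to repair the parse, because the field that follows the comma has already been shifted.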

Note

Avoid special characters, including commas, in object names such as policy and rule names. The log collector on the VM may treat the characters as separators.

To connect Firepower classic devices to your Sophos log collector, do as follows:

Configure syslog settings

  1. Sign in to your Firepower Management Center (FMC).
  2. Click Policies > Actions > Alerts.
  3. In Create Alert, select Create Syslog Alert.
  4. Enter a Name for the alert, for example SophosIntegration
  5. Enter the IP address of your Sophos log collector in Host.
  6. Enter the port configured on your Sophos log collector in Port.
  7. Select the Facility.

    The Sophos log collector accepts any facility data. You can find the list of data options in the Cisco documentation. See Table 1. Available Syslog Facilities.

  8. Select the Severity level.

    The Sophos log collector accepts any severity level you choose. You can find the list of options in the Cisco documentation. See Table 2. Syslog Severity Levels.

  9. Click Save.

If you also turn on Send Audit Log to Syslog and enter a Host there, the FMC sends its own audit log to that host as well as the syslog alert messages. If you don't want both arriving at the same collector, see Filter Syslogs from Audit Logs in the Cisco documentation.
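Before you deploy the alert, it helps to confirm that the collector VM accepts traffic on the port and protocol you chose in Integration steps, using the same facility and severity you just selected. The following is an added example (not Sophos or Cisco code) that builds a syslog message from those values and sends it over UDP or TCP. COLLECTOR_HOST, COLLECTOR_PORT and the fmc-test hostname are placeholders to replace with your own values, and the facility and severity numbers follow the standard syslog table rather than any Cisco-specific list.

```python
"""Send a test syslog message to the Sophos log collector with the facility,
severity and transport you're about to configure in the FMC alert.
Added example, not Sophos or Cisco code. COLLECTOR_HOST and COLLECTOR_PORT
are placeholders for the VM address and port from Integration steps; the
facility and severity numbers follow the standard syslog (RFC 5424) table."""
import socket
import sys
from datetime import datetime, timezone

FACILITIES = {
    "KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
    "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11,
    **{f"LOCAL{n}": 16 + n for n in range(8)},
}
SEVERITIES = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}
COLLECTOR_HOST = "192.0.2.10"   # placeholder: your log collector VM address
COLLECTOR_PORT = 514            # placeholder: the port you chose in Integration steps
EXAMPLE_TIME = datetime(2024, 1, 5, 11, 12, 13, tzinfo=timezone.utc)


def priority(facility: str, severity: str) -> int:
    """Syslog PRI = facility * 8 + severity; LOCAL4/ALERT -> 161."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]


def build_message(facility, severity, hostname, tag, body, when=None) -> bytes:
    """RFC 3164-style line: <PRI>Mmm dd HH:MM:SS hostname tag: body."""
    when = when or datetime.now(timezone.utc)
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{priority(facility, severity)}>{ts} {hostname} {tag}: {body}".encode()


def frame(msg: bytes, protocol: str, octet_counting: bool = False) -> bytes:
    """UDP carries one message per datagram. Over TCP the receiver needs a
    boundary: a newline (RFC 6587 non-transparent framing, the common default)
    or an octet-count prefix if the collector expects that instead."""
    proto = protocol.upper()
    if proto == "UDP":
        return msg
    if proto == "TCP":
        return f"{len(msg)} ".encode() + msg if octet_counting else msg + b"\n"
    raise ValueError(f"unsupported protocol {protocol!r}")


def send_test(host, port, protocol, facility, severity,
              hostname="fmc-test", timeout=3.0) -> bytes:
    """Send one message and return the exact bytes put on the wire."""
    body = f"Sophos collector reachability test from {hostname}"
    data = frame(build_message(facility, severity, hostname,
                               "SophosIntegration", body), protocol)
    if protocol.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))   # UDP gives no delivery confirmation
    else:
        # A refused or timed-out connect means a firewall or the VM's
        # network settings are blocking the path.
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
    return data


if __name__ == "__main__":
    proto = sys.argv[1] if len(sys.argv) > 1 else "UDP"
    sent = send_test(COLLECTOR_HOST, COLLECTOR_PORT, proto, "LOCAL4", "ALERT")
    print("sent", len(sent), "bytes over", proto.upper(), ":", sent.decode().strip())
```

Run it from a host on the same management network as the FMC (python3 syslog_test.py TCP, or UDP), then confirm on the collector VM, for example with tcpdump on the chosen port, that the message arrived. A UDP send that raises no error proves nothing about delivery; a TCP connection that is refused or times out is the useful signal, because it shows the alert you're about to create would fail for the same reason.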

Configure syslog settings for access control

  1. Sign in to your device.
  2. Click Policies > Access Control.
  3. Edit the applicable access control policy.
  4. Click Logging.
  5. Select Send using specific syslog alert.
  6. Select the syslog alert you created above.
  7. Click Save.

Turn on logging for file and malware events

  1. In the same Logging tab of the access control policy, select Send Syslog messages for File and Malware events.
  2. Click Save.

Turn on logging for intrusion events

  1. Go to the intrusion policy associated with your access control policy.
  2. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.
  3. If necessary, click Edit.
  4. Enter the following options:

    • Logging Host

      Unless you want to send intrusion event syslog messages to a different syslog server than the one where you send other syslog messages, leave this blank. The settings you have configured above will be used.

    • Facility

      This setting is applicable only if you specify a logging host on this page.

      See Syslog Alert Facilities.

    • Severity

      This setting is applicable only if you specify a logging host on this page.

      See Syslog Severity Levels.

  5. Click Back.

  6. Click Policy Information in the left menu.
  7. Click Commit Changes.