Cisco Firepower

Log collector

You must have the Firewall integrations license pack to use this feature.

You can integrate Firepower with Sophos Central so that it sends audit data to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.

You can add log collectors to an existing VM running the Sophos NDR VA and other log collectors. You can also create a new VM for this integration.

Note

You can add multiple Cisco Firepower firewalls to the same Sophos appliance.

To do this, set up your Cisco Firepower integration in Sophos Central, then configure one firewall to send logs to it. Then configure your other Cisco Firepower firewalls to send logs to the same Sophos appliance.

You don't have to repeat the Sophos Central part of the setup.

The key steps are as follows:

  • Configure an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure Firepower to send data out. The steps you follow depend on the device you have.
  • Connect Firepower to your VM.

Requirements

Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Configure an integration

To integrate Firepower with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Cisco Firepower.

    The Cisco Firepower page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.

    Note

    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration setup steps appears.

Configure the VM

In Integration setup steps you configure your VM as an appliance to receive data from Firepower. You can use an existing VM, or create a new one.

You might have to go to Firepower to get some of the information you need to fill in the form.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the appliance.

    If you've already set up a Sophos appliance, you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.

      Note

      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure Firepower to send data to your appliance.

  6. Select a Protocol.

    You must use the same protocol when you configure Firepower to send data to your appliance.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure Firepower to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM

Restriction

If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure Firepower

Now configure Firepower to send data to your appliance. The appliance acts as a syslog server, so you use the syslog server feature of your firewall to send data to it.

The steps you follow depend on the version of firmware on your device, and the Cisco management method you're using.

For firewalls running Firepower Threat Defense (FTD) versions 6.3 or later, click the tab for the management method you're using. You can use Firepower Management Console (FMC) or Firepower Defence Manager (FDM).

For firewalls running Firepower Threat Defense (FTD) versions earlier than 6.3, click the tab for Classic devices.

Note

Avoid special characters, including commas, in object names such as policy and rule names. The appliance on the VM may treat these characters as separators.

To use Firepower Management Console to connect a firewall running Firepower Threat Defense (FTD) version 6.3 or later to your Sophos appliance, do as follows.

Configure syslog settings

  1. In FMC, click Devices > Platform Settings.
  2. Select the platform you want to connect to the appliance and click the edit icon.
  3. Click Syslog.
  4. Click Syslog Servers > Add.
  5. Enter the following connection details for your Sophos appliance.

    1. IP address. This is the syslog IP address you set in Sophos Central.
    2. Protocol type. If you selected UDP, you must not turn on EMBLEM format.
    3. Port number.

    You must enter the same settings you entered in Sophos Central when you added the integration.

  6. Don't select Enable secure syslog.

  7. In Reachable By enter the network details that allow your firewall to reach the Sophos appliance.

  8. Click OK.

    For more information about syslog server settings for Cisco Firepower firewalls, see Configure a Syslog Server.

  9. Click Syslog Settings and configure the settings as follows:

    1. Turn on Enable timestamp on Syslog Messages.
    2. In Timestamp Format select RFC 5424.
    3. Turn on Enable Syslog Device ID and select Host Name.
    4. Don't turn on Netflow Equivalent Settings.
  10. Click Save.

  11. Click Logging Setup.
  12. Select Enable Logging.
  13. You must not select the following:

    1. Enable logging on the failover standby unit
    2. Send syslogs in EMBLEM format
    3. Send debug messages as syslogs
  14. If you want to forward VPN events to the Sophos appliance, do as follows:

    1. In the VPN Logging Settings section, select Enable Logging to Firewall Management Center.
    2. Choose Debug as the Logging Level.
  15. You don't need to enter information for Specify FTP Server Information or Specify Flash Size.

  16. Click Save.
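The syslog settings above (RFC 5424 timestamp, host name as device ID) and the note about commas in object names both change what the firewall emits. The following is an added example, not part of this page or of any Sophos or Cisco tool, that parses constructed FTD-style syslog lines, checks the header for the expected timestamp and device ID, and flags object names whose commas would be read as field separators. The header layout and the "Key: Value" body format are assumptions about the FTD message shape, and the sample lines are constructed. The same check applies to the FDM procedure later on this page.

```python
import re

# Assumed header layout for FTD syslog after the settings above (RFC 5424 timestamp,
# device ID = host name): optional <PRI>, ISO 8601 timestamp, hostname, %FTD-<sev>-<id>:
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))"
    r"\s+(?P<host>\S+)\s+(?::\s+)?%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<body>.*)$"
)

# Constructed sample lines, not captured from a real device.
SAMPLE_LINES = [
    "2024-03-01T10:15:30Z ftd-edge-1 %FTD-6-430003: EventPriority: Low, "
    "AccessControlRuleAction: Allow, AccessControlRuleName: Allow-Web, "
    "SrcIP: 10.0.0.5, DstIP: 203.0.113.10, DstPort: 443",
    # Rule name with a comma: a comma-splitting consumer sees a stray field.
    "2024-03-01T10:15:31Z ftd-edge-1 %FTD-6-430003: EventPriority: Low, "
    "AccessControlRuleAction: Block, AccessControlRuleName: Block P2P, Torrents, "
    "SrcIP: 10.0.0.7, DstIP: 198.51.100.4, DstPort: 6881",
    # Legacy timestamp and no device ID: the platform settings were not applied.
    "Mar  1 10:15:32 %FTD-6-430003: EventPriority: Low, AccessControlRuleName: Allow-DNS",
]

def parse_ftd_syslog(line):
    """Return (header, fields, findings); findings is empty when the line is clean."""
    findings, fields, last_key = [], {}, None
    m = HEADER.match(line)
    if not m:
        findings.append("header lacks RFC 5424 timestamp or hostname device ID: "
                        "check Syslog Settings under Platform Settings")
        return None, fields, findings
    for fragment in m.group("body").split(", "):
        key, sep, value = fragment.partition(": ")
        if sep:
            fields[key] = value
            last_key = key
        elif last_key is None:
            findings.append(f"body does not start with a Key: Value pair: {fragment!r}")
        else:
            # Not "Key: Value", so it is the tail of the previous value: an object
            # name containing a comma, which the appliance may split (see the note above).
            fields[last_key] = f"{fields[last_key]}, {fragment}"
            findings.append(f"comma inside value of {last_key!r}: rename that object")
    return m.groupdict(), fields, findings

def check_lines(lines):
    """Map each line's index to its findings, so a clean batch is all empty lists."""
    return {i: parse_ftd_syslog(line)[2] for i, line in enumerate(lines)}
```

Run it against a short capture taken on the appliance side before enabling the remaining policies; any non-empty finding points at a setting in the steps above.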

Configure logging settings for access control

You must also configure logging settings for the access control policy, including file and malware logging.

To do this, do as follows.

  1. Click Policies > Access Control.
  2. Click the edit icon for the access control policy you want to configure.
  3. Click Logging.
  4. Select Use the syslog settings configured in the FTD Platform Settings policy deployed on the device.
  5. In Syslog Severity, select ALERT.
  6. Turn on Send Syslog messages for IPS events.
  7. Turn on Send Syslog messages for File and Malware events.
  8. Click Save.

Turn on logging for Security Intelligence events

  1. In the same access control policy, click Security Intelligence.
  2. Click the DNS Policy options icon.
  3. In DNS Blacklist Logging Options, turn on the following:

    • Log Connections
    • Firewall Management Center
    • Syslog Server
  4. Click OK.

  5. In Blacklist, click the Network options icon.

  6. In Network Blacklist Logging Options turn on the following:

    • Log Connections
    • Firewall Management Center
    • Syslog Server
  7. Click OK.

  8. Scroll down in Blacklist to find the URL options icon.

  9. In URL Blacklist Logging Options turn on the following:

    • Log Connections
    • Firewall Management Center
    • Syslog Server
  10. Click OK.

  11. Click Save.

Turn on syslog logging for each access control rule

You must make sure that every rule in the access control policy has syslog logging turned on.

To do this, for every rule in the policy, do as follows.

  1. In the same access control policy, click the Rules tab.
  2. Click a rule to edit it.
  3. In Editing Rule click Logging.
  4. Choose whether to log the start or end of connections, or both.

    Connection logging generates a lot of data. Logging both start and end generates roughly twice as much. Not all connections can be logged both at start and end. For more details, log in to your Cisco account and go to the Connection Logging section of the Firepower Management Center Configuration Guide, Version 6.2. See Connection Logging.

  5. If you want to log file events, select Log Files.

  6. Turn on Syslog Server.
  7. Click Save.

Turn on logging for intrusion events

You must also turn on event logging in the intrusion policy that's associated with your access control policy.

  1. Click Policies > Intrusion.
  2. Find the intrusion policy associated with your access control policy and click Snort 2 Version.
  3. In Policy Information click Advanced Settings.
  4. In Advanced Settings go to Syslog Alerting.
  5. Click Enabled.
  6. Click Back.
  7. In Policy Information click Commit Changes.
  8. Enter a description of the changes and click OK.

Note

Avoid special characters, including commas, in object names such as policy and rule names. The appliance on the VM may treat these characters as separators.

To connect a Firepower device to your Sophos appliance using FDM, do as follows.

Turn on logging for file and malware events

To turn on logging for file and malware events and add the connection details of your Sophos appliance to the firewall, do as follows.

  1. Sign in to FDM on the device you want to configure and go to the Device:<name> tab.
  2. In System Settings click Logging Settings.
  3. Turn on FILE/MALWARE LOGGING.
  4. Click Syslog Server to see the available servers.
  5. If you've already added your Sophos appliance to this device, select it. If not, click Create new Syslog Server.
  6. Enter the following connection details for your Sophos appliance.

    1. IP address. This is the Syslog IP address you set in Sophos Central.
    2. Protocol type.
    3. Port number.

    You must enter the same settings you entered in Sophos Central when you added the integration.

  7. If necessary, select a Data Interface or Management Interface to suit your network environment.

  8. Click OK.
  9. Your new server appears in Syslog Servers. Click it to select it.
  10. In Log at Severity Level select Debug.
  11. Click SAVE.

Configure policies

In each policy, you must turn on logging for the activities you want to send to your Sophos appliance. You can turn on access control and intrusion events.

To do this, do as follows.

  1. Click Policies > Access Control.
  2. Find the policy you want to configure and click the edit icon.
  3. Click Logging.
  4. In SELECT LOG ACTION choose whether you want to log at the beginning or end of connections, or neither.
  5. In FILE EVENTS turn on Log Files.
  6. If you want to log intrusion events, in Intrusion Policy turn on INTRUSION POLICY.
  7. Select the Intrusion Policy you want to apply.
  8. If you want to log file events, in File Policy select the file policy you want to apply. Choose from:

    • Block Malware All
    • Malware Cloud Lookup - No Block
  9. In SEND CONNECTION EVENTS TO: select your Sophos appliance.

  10. Click OK.
  11. Click Intrusion.
  12. Find the policy you want to configure and click the settings icon.
  13. In Edit Logging Settings click the plus icon and select your Sophos appliance.
  14. Click OK.

Repeat these steps for each policy that should send data to your Sophos appliance.

Save your changes

Your changes aren't active on the device until you deploy them. To do this, do as follows.

  1. Click the Deployment icon.

    The dot on the icon appears when you have undeployed changes.

  2. In Pending Changes review the changes.

  3. Click DEPLOY NOW.

For more details on this process, refer to the Cisco documentation. See Creating a Syslog Alert Response.

Note

Avoid special characters, including commas, in object names such as policy and rule names. The appliance on the VM may treat these characters as separators.

To connect Firepower classic devices to your Sophos appliance, do as follows.

Configure syslog settings

  1. Sign in to your Firepower Management Center (FMC).
  2. Click Policies > Actions > Alerts.
  3. In Create Alert, select Create Syslog Alert.
  4. Enter a Name for the alert, for example SophosIntegration.
  5. Enter the IP address of your Sophos appliance in Host.
  6. Enter the port configured on your Sophos appliance in Port.
  7. Select the Facility.

    The Sophos appliance accepts any facility data. You can find the list of data options in the Cisco documentation. See Table 1. Available Syslog Facilities.

  8. Select the Severity level.

    The Sophos appliance accepts any severity level you choose. You can find the list of options in the Cisco documentation. See Table 2. Syslog Severity Levels.

  9. Click Save.

When you turn on Send Audit Log to Syslog and provide Host information, syslog messages are sent to the host as well as audit logs. If you want to change this, you can find out how in the Cisco documentation. See Filter Syslogs from Audit Logs.

Configure syslog settings for access control

  1. Sign in to your device.
  2. Click Policies > Access Control.
  3. Edit the applicable access control policy.
  4. Click Logging.
  5. Select Send using specific syslog alert.
  6. Select the syslog alert you created above.
  7. Click Save.

Turn on logging for file and malware events

  1. Select Send Syslog messages for File and Malware events.
  2. Click Save.

Turn on logging for intrusion events

  1. Go to the intrusion policy associated with your access control policy.
  2. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled.
  3. Click Back.
  4. In Policy Information click Commit Changes.
  5. Enter a description of the changes and click OK.

Your Cisco Firepower alerts should appear in the Sophos Data Lake after validation.