topic Re: Cisco FMC IPS syslog configuration. in Network Security

Cisco FMC IPS syslog configuration.

vivarock12 — Mon, 27 Nov 2023 21:36:37 GMT

Hello,

FMC 7.0.4, FTD 7.0.4.

Can anyone tell me how to syslog the IPS, i havent been able to do it.

the information i have found is:
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/external_alerting_for_intrusion_events.html#ID-2212-000001bf

in the link the section

Configuring Syslog Alerting for Intrusion Events

the instruction on the link said this:

The intrusion policy editor's navigation pane, click Advanced Settings.

but i cant find that option can anybody show me how to do this and thanks for the help by the way.

note:

my user has the following privileges:

do i need the intrusion admin to?

saludos,

Gerardo Andree Mejia Garcia

Re: Cisco FMC IPS syslog configuration.

MHM Cisco World — Mon, 27 Nov 2023 21:53:04 GMT

Intrusion policy-> advance setting->external response

Do this in fmc and check log in syslog server

Re: Cisco FMC IPS syslog configuration.

vivarock12 — Mon, 27 Nov 2023 22:14:02 GMT

Thanks for the help first finaly found the option,
but one question is it only posible to do it on SNORTv2 and not with V3, because i only saw the option on the V2.

Saludos,

Gerardo Andree Mejia Garcia

Re: Cisco FMC IPS syslog configuration.

MHM Cisco World — Mon, 27 Nov 2023 22:19:33 GMT

I will check this point.

Re: Cisco FMC IPS syslog configuration.

MHM Cisco World — Tue, 28 Nov 2023 00:05:06 GMT

https://community.cisco.com/t5/network-security/syslog-on-snort-3-intrusion-policy/td-p/4809383

Re: Cisco FMC IPS syslog configuration.

vivarock12 — Tue, 28 Nov 2023 14:32:16 GMT

thanks for the help going to double check that and ill tell you if its works.

Re: Cisco FMC IPS syslog configuration.

vivarock12 — Thu, 14 Dec 2023 17:50:53 GMT

Besides the configuration we did previously in a case with cisco TAC we did the snort2 configuration to:

we enter to the snortv2 configuration and enable the Syslog and the ip of the syslog server.

heres all that is configured at the moment:

Policies>Intrusion>you click on SNORT 2 version (for the rule you want to change):

The configuration on the ACP policy to (i think this migth be redundant but i didnt care all show you all the config):

Policies>Access control>(the rule you want to change)>logging>IPS Settings (this migth be redundant)

and on the platform setting for this FTD we change the severity(not sure but aparently this one is the one that made the IPS logs work)

Device>plaform settings

and on the platform setting we change the severity to informational,

IMPORTANT:
remember that the logs from IPS should be the ones with the code:

430001: Intrusion event

This ID was introduced in release 6.3.

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/security-event-syslog-messages.html

this is the guide were i took that from.

and this is how the LOG LOOKS LIKE:

this id the format the log has:

<114>2023-12-12T16:55:49Z (this is a tag you can add on the syslog-object) IPS %FTD-2-430001: DeviceUUID: asedfasdfasdfasdfasdfasdfasdfasdfasdasdf, InstanceID: 4, FirstPacketSecond: 2023-12-12T16:55:49Z, ConnectionID: 1290, SrcIP: 8.8.8.8, DstIP: 172.26.214.182, ICMPType: Echo Reply, ICMPCode: No Code, Protocol: icmp, IngressInterface: outside, EgressInterface: inside, IngressZone: FTD-OUTSIDE, EgressZone: FTD-INSIDE, Priority: 3, GID: 1, SID: 408, Revision: 8, Message: PROTOCOL-ICMP Echo Reply, Classification: Misc Activity, Client: ICMP client, ApplicationProtocol: ICMP, IntrusionPolicy: YOUR_IPS_POLICY, ACPolicy: YOUR_AControl_POLICY, AccessControlRuleName: ICMP_IPS_TEST, NAPPolicy: Balanced Security and Connectivity, InlineResult: Dropped, IngressVRF: Global, EgressVRF: Global

and for some reaseon the format is diferent from the other logs that come from the firewall:

Dec 12 2023 16:53:19 %FTD-1-430003: EventPriority: Low, DeviceUUID: asedfasdfasdfasdfasdfasdfasdfasdfasdasdf, InstanceID: 4, FirstPacketSecond: 2023-12-12T16:53:19Z, ConnectionID: 57192, AccessControlRuleAction: Allow, SrcIP: 172.26.214.182, DstIP: 8.8.8.8, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: outside, IngressZone: FTD-INSIDE, EgressZone: FTD-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: YOUR_AControl_POLICY, AccessControlRuleName: ICMP_IPS_TEST, Prefilter Policy: Default Prefilter Policy, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 74, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity

but thats for the Syslog tool in case your have to do something else.

thanks for the help @MHM Cisco World.