cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

187
Views
0
Helpful
3
Replies
Participant

How reliable is the Firepower-CTR integration?

Greetings

I've recently rolled out a FTD 6.4.0.4 and FMC 6.5 setup of two FMCs and eight pairs of FTDs running 2110s and 5516-Xs. Today I started looking into the CTR integration since it's supposed to be included with the Firepower licenses witch are all malware/URL/IPS by the way. I've been looking into this for most part of a day and so far nothing is shown in the cloud event viewers which is odd since the guides are pretty straight forward.

I set up the Cisco Security account earlier today, in the EU at first since that's where we operate and linked it to our Cisco account where the smart licenses are. All good and the FMCs showed up in the SSE as well ass the CTR, but no events.

I then realized the limitations of the EU cloud was all 6.5 which we don't have on the FTDs yet. I set up a Cisco security account for the US as well and linked it to the same Cisco account as the EU account. Somehow the US SSE ingested all our devices having a smart license, not only the FMC as the EU cloud but a complete list of all FTDs connected to the FMC and some older Firepower modules as well. That's nice but still no events in the SSE and even stranger is the US CTR dashboard show no managed devices while the EU CTR does.

 

Is this normal behavior? Is there a longer wait period that the 2+ hours I've been waiting for events?

Regards

Fredrik

1 ACCEPTED SOLUTION

Accepted Solutions
Participant

Re: How reliable is the Firepower-CTR integration?

Hi

Thank you for the answer. I raised the question with TAC and it seems the problem is me having 6.5 on the FMC and 6.4.X on the FTDs which isn't supported, apparently it has to be either 6.4 or 6.5 all over the board.

 

/Fredrik

View solution in original post

3 REPLIES 3
Cisco Employee

Re: How reliable is the Firepower-CTR integration?

Hi Fredrik,

Thank you for trying out Threat Response, and for your question.

 

The Firepower-CTR integration is entirely reliable, for what it was designed to do. Where and how are you expecting to see those events? At no point is CTR going to show you an unfiltered list of all events; that's not the goal and you can already see that in the FMC. What it will do, is show you in the Threat Response Incident Manager a selection of more urgent events from the total alert set available in FMC, and also allow you to see matches from your FirePower device alerts when you are conducting other investigations. 

 

Most SOCs are inundated with alerts, many of which get ignored or missed. The Incident Manager is here to help alleviate that problem by performing some simple first-level triage. There are three ways an event from your Firepower devices can be promoted from SSE to the Incident Manager:

  • The external IP has a negative TALOS reputation
  • The IP is in a range specified by the user to be always promoted
  • The user logs into SSE and promotes the event manually

If you want to test the event flow:

  1. Log into SSE and see that you have events showing. If not, there is something misconfigured in the Firepower device or in FMC. Refer to the Quick Start Guide.
  2. If you have events in SSE, select one and promote it to an Incident. Wait a few minutes, and you should see it in Threat Response's Incident Manager.
  3. Pick an event in SSE that did not get promoted, and select an external IP from that event. Investigate that IP in CTR, and you should see results from your Firepower module. (Did you configure a Firepower module?)

If all three of these steps work, then everything is working as intended. If you want to see more events than the ones that are getting promoted due to external IP reputation, select a few high value subnets in your organization and add them to auto-promotion rules in SSE. 

 

For more information about what the Firepower and Threat Response integration brings, see this article, here in the CTR Community:
https://community.cisco.com/t5/security-documents/firepower-ngfw-ngips-what-capabilities-does-it-provide-and-how/ta-p/3928694


Participant

Re: How reliable is the Firepower-CTR integration?

Hi

Thank you for the answer. I raised the question with TAC and it seems the problem is me having 6.5 on the FMC and 6.4.X on the FTDs which isn't supported, apparently it has to be either 6.4 or 6.5 all over the board.

 

/Fredrik

View solution in original post

Highlighted
Cisco Employee

Re: How reliable is the Firepower-CTR integration?

Ah yes I missed that in your description; my apologies. Glad you got it sorted out.