4251 Views · 0 Helpful · 3 Replies

How reliable is the Firepower-CTR integration?

hoffa2000
Level 3

Greetings

I've recently rolled out an FTD 6.4.0.4 and FMC 6.5 setup of two FMCs and eight pairs of FTDs running on 2110s and 5516-Xs. Today I started looking into the CTR integration, since it's supposed to be included with the Firepower licenses, which are all malware/URL/IPS by the way. I've been looking into this for the most part of a day and so far nothing is shown in the cloud event viewers, which is odd since the guides are pretty straightforward.

I set up the Cisco Security account earlier today, in the EU at first since that's where we operate, and linked it to our Cisco account where the smart licenses are. All good, and the FMCs showed up in the SSE as well as the CTR, but no events.

I then realized the limitation of the EU cloud was that it requires 6.5 everywhere, which we don't have on the FTDs yet. I set up a Cisco Security account for the US as well and linked it to the same Cisco account as the EU account. Somehow the US SSE ingested all our devices having a smart license: not only the FMCs, as the EU cloud did, but a complete list of all FTDs connected to the FMC and some older Firepower modules as well. That's nice, but still no events in the SSE, and even stranger is that the US CTR dashboard shows no managed devices while the EU CTR does.

Is this normal behavior? Is there a longer wait period than the 2+ hours I've been waiting for events?

Regards

Fredrik

1 Accepted Solution

Hi

Thank you for the answer. I raised the question with TAC and it seems the problem is me having 6.5 on the FMC and 6.4.X on the FTDs, which isn't supported; apparently it has to be either 6.4 or 6.5 across the board.

/Fredrik

3 Replies

ben.greenbaum
Cisco Employee

Hi Fredrik,

Thank you for trying out Threat Response, and for your question.

The Firepower-CTR integration is entirely reliable for what it was designed to do. Where and how are you expecting to see those events? At no point is CTR going to show you an unfiltered list of all events; that's not the goal, and you can already see that in the FMC. What it will do is show you, in the Threat Response Incident Manager, a selection of more urgent events from the total alert set available in FMC, and also allow you to see matches from your Firepower device alerts when you are conducting other investigations.


Most SOCs are inundated with alerts, many of which get ignored or missed. The Incident Manager is here to help alleviate that problem by performing some simple first-level triage. There are three ways an event from your Firepower devices can be promoted from SSE to the Incident Manager:

  • The external IP has a negative TALOS reputation
  • The IP is in a range specified by the user to be always promoted
  • The user logs into SSE and promotes the event manually

If you want to test the event flow:

  1. Log into SSE and see that you have events showing. If not, there is something misconfigured in the Firepower device or in FMC. Refer to the Quick Start Guide.
  2. If you have events in SSE, select one and promote it to an Incident. Wait a few minutes, and you should see it in Threat Response's Incident Manager.
  3. Pick an event in SSE that did not get promoted, and select an external IP from that event. Investigate that IP in CTR, and you should see results from your Firepower module. (Did you configure a Firepower module?)

If all three of these steps work, then everything is working as intended. If you want to see more events than the ones that are getting promoted due to external IP reputation, select a few high-value subnets in your organization and add them to auto-promotion rules in SSE.

For more information about what the Firepower and Threat Response integration brings, see this article, here in the CTR Community:
https://community.cisco.com/t5/security-documents/firepower-ngfw-ngips-what-capabilities-does-it-provide-and-how/ta-p/3928694
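The three promotion rules above, modelled as an added example (this is not Cisco's code or the SSE implementation): a small Python triage pass over constructed Firepower-style events, with a static stand-in for the Talos reputation lookup, a hypothetical operator-defined auto-promote subnet, and RFC 1918 ranges assumed to be "internal".

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the Talos reputation check: the real check is a cloud
# lookup, so a static set of "known bad" external addresses is an assumption here.
NEGATIVE_REPUTATION = {"203.0.113.7"}

# Hypothetical operator-defined subnet configured in SSE as "always promote".
AUTO_PROMOTE_RANGES = [ipaddress.ip_network("10.10.50.0/24")]

# Assumed definition of "internal": anything in the RFC 1918 ranges.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Event:
    event_id: str
    src_ip: str
    dst_ip: str
    manually_promoted: bool = False  # operator promoted it in the SSE UI

def external_ip(event: Event) -> Optional[str]:
    """Return the endpoint that is not in an internal range, if there is one."""
    for ip in (event.src_ip, event.dst_ip):
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_RANGES):
            return ip
    return None

def promote_reason(event: Event) -> Optional[str]:
    """Apply the three promotion rules in order; None means the event stays in SSE."""
    ext = external_ip(event)
    if ext is not None and ext in NEGATIVE_REPUTATION:
        return "negative_reputation"
    for ip in (event.src_ip, event.dst_ip):
        if any(ipaddress.ip_address(ip) in net for net in AUTO_PROMOTE_RANGES):
            return "auto_promote_range"
    if event.manually_promoted:
        return "manual"
    return None

def triage(events: List[Event]) -> Dict[str, str]:
    """Map event_id -> reason for every event that reaches the Incident Manager."""
    return {ev.event_id: r for ev in events if (r := promote_reason(ev))}

# Constructed sample events (documentation addresses, not real indicators).
SAMPLE_EVENTS = [
    Event("e1", "10.10.20.5", "203.0.113.7"),                     # bad reputation
    Event("e2", "10.10.50.12", "198.51.100.9"),                    # auto-promote subnet
    Event("e3", "10.10.20.7", "198.51.100.20", manually_promoted=True),
    Event("e4", "10.10.20.8", "198.51.100.21"),                    # stays in SSE
]
```

Events that fall through all three rules (like `e4`) remain visible only in SSE and FMC, which is the behaviour described in the reply.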


Ah yes I missed that in your description; my apologies. Glad you got it sorted out.