11-27-2023 01:35 PM - edited 11-27-2023 01:36 PM
Hello,
FMC 7.0.4, FTD 7.0.4.
Can anyone tell me how to syslog the IPS? I haven't been able to do it.
The information I have found is:
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/external_alerting_for_intrusion_events.html#ID-2212-000001bf
In the linked section, the instructions say this:
"In the intrusion policy editor's navigation pane, click Advanced Settings."
But I can't find that option. Can anybody show me how to do this? And thanks for the help, by the way.
Note:
My user has the following privileges:
Do I need the Intrusion Admin role too?
Regards,
Gerardo Andree Mejia Garcia
11-27-2023 01:53 PM
Intrusion Policy -> Advanced Settings -> External Responses
Do this in FMC and check the log on the syslog server.
11-27-2023 02:14 PM
Thanks for the help, I finally found the option,
but one question: is it only possible to do it on Snort 2 and not with Snort 3? Because I only saw the option on Snort 2.
Regards,
Gerardo Andree Mejia Garcia
11-27-2023 02:19 PM
I will check this point.
11-27-2023 04:05 PM
11-28-2023 06:32 AM
Thanks for the help, I'm going to double-check that and I'll tell you if it works.
12-14-2023 09:50 AM
Besides the configuration we did previously, in a case with Cisco TAC we did the Snort 2 configuration too:
We went into the Snort 2 configuration and enabled syslog and the IP of the syslog server.
Here's everything that is configured at the moment:
Policies > Intrusion > click on the Snort 2 Version (for the rule you want to change):
The configuration on the ACP policy too (I think this might be redundant, but I didn't care, I'll show you all the config):
Policies > Access Control > (the rule you want to change) > Logging > IPS Settings (this might be redundant)
And in the platform settings for this FTD we changed the severity (not sure, but apparently this is the one that made the IPS logs work):
Devices > Platform Settings
In the platform settings we changed the severity to Informational.
IMPORTANT:
Remember that the logs from the IPS should be the ones with the code:
430001: Intrusion event
This ID was introduced in release 6.3.
This is the guide where I took that from.
And this is what the log looks like:
<114>2023-12-12T16:55:49Z (this is a tag you can add on the syslog-object) IPS %FTD-2-430001: DeviceUUID: asedfasdfasdfasdfasdfasdfasdfasdfasdasdf, InstanceID: 4, FirstPacketSecond: 2023-12-12T16:55:49Z, ConnectionID: 1290, SrcIP: 8.8.8.8, DstIP: 172.26.214.182, ICMPType: Echo Reply, ICMPCode: No Code, Protocol: icmp, IngressInterface: outside, EgressInterface: inside, IngressZone: FTD-OUTSIDE, EgressZone: FTD-INSIDE, Priority: 3, GID: 1, SID: 408, Revision: 8, Message: PROTOCOL-ICMP Echo Reply, Classification: Misc Activity, Client: ICMP client, ApplicationProtocol: ICMP, IntrusionPolicy: YOUR_IPS_POLICY, ACPolicy: YOUR_AControl_POLICY, AccessControlRuleName: ICMP_IPS_TEST, NAPPolicy: Balanced Security and Connectivity, InlineResult: Dropped, IngressVRF: Global, EgressVRF: Global
And for some reason the format is different from the other logs that come from the firewall:
Dec 12 2023 16:53:19 %FTD-1-430003: EventPriority: Low, DeviceUUID: asedfasdfasdfasdfasdfasdfasdfasdfasdasdf, InstanceID: 4, FirstPacketSecond: 2023-12-12T16:53:19Z, ConnectionID: 57192, AccessControlRuleAction: Allow, SrcIP: 172.26.214.182, DstIP: 8.8.8.8, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: outside, IngressZone: FTD-INSIDE, EgressZone: FTD-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: YOUR_AControl_POLICY, AccessControlRuleName: ICMP_IPS_TEST, Prefilter Policy: Default Prefilter Policy, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 74, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity
But that's for the syslog tool, in case you have to do something else.
Thanks for the help @MHM Cisco World.
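An added example, not from the thread or from Cisco: a small Python parser for the two FTD syslog shapes quoted above. The 430001 intrusion line carries a `<PRI>` prefix, an ISO-8601 timestamp and the free-text tag from the syslog object ("IPS" here), while the 430003 connection line uses the legacy "Dec 12 2023 16:53:19" timestamp with no tag, which is the format difference the post points out. The header regex accepts both, the body is split into `Key: Value` pairs (keys may contain spaces, e.g. "Prefilter Policy"), and `dropped_intrusions()` pulls out only 430001 events with `InlineResult: Dropped`. The sample lines are constructed from the two lines in the post with the DeviceUUID replaced by a placeholder; the parser assumes no field value itself contains ", " (a rule name with a comma would split incorrectly).

```python
"""Parse Cisco FTD syslog lines and pull out Snort intrusion events (%FTD-x-430001).

Added example for the thread above; SAMPLE_LINES are constructed from the two
log lines quoted in the post, with the DeviceUUID replaced by a placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTRUSION_EVENT_ID = "430001"   # FTD message ID documented for intrusion events
CONNECTION_EVENT_ID = "430003"  # connection event, shown in the post for comparison

# Header: optional <PRI>, a timestamp in either ISO-8601 form (as on the 430001
# line) or legacy "Dec 12 2023 16:53:19" form (as on the 430003 line), an
# optional free-text tag from the syslog object, then %FTD-<severity>-<id>:.
HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
    r"|[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<tag>[^%\s]+)\s+)?"
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s*"
    r"(?P<body>.+)$"
)


@dataclass
class FtdEvent:
    msgid: str
    severity: int
    timestamp: str
    tag: Optional[str]
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def is_intrusion(self) -> bool:
        return self.msgid == INTRUSION_EVENT_ID

    def rule_id(self) -> Optional[str]:
        """Snort rule identity as GID:SID:REV; only intrusion events carry it."""
        if not self.is_intrusion:
            return None
        return f"{self.fields['GID']}:{self.fields['SID']}:{self.fields['Revision']}"


def parse_ftd_line(line: str) -> Optional[FtdEvent]:
    """Parse one syslog line; returns None for lines that are not FTD messages."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    # Body is "Key: Value, Key: Value, ..."; keys may contain spaces
    # ("Prefilter Policy"), so split on ", " and then on the first ": ".
    # Assumption: values never contain ", " themselves.
    for chunk in m.group("body").split(", "):
        key, sep, value = chunk.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return FtdEvent(
        msgid=m.group("msgid"),
        severity=int(m.group("sev")),
        timestamp=m.group("ts"),
        tag=m.group("tag"),
        fields=fields,
    )


def dropped_intrusions(lines: List[str]) -> List[dict]:
    """One summary dict per 430001 event whose InlineResult is Dropped."""
    out = []
    for line in lines:
        ev = parse_ftd_line(line)
        if ev is None or not ev.is_intrusion:
            continue
        if ev.fields.get("InlineResult") != "Dropped":
            continue
        out.append({
            "time": ev.timestamp,
            "rule": ev.rule_id(),
            "msg": ev.fields.get("Message"),
            "src": ev.fields.get("SrcIP"),
            "dst": ev.fields.get("DstIP"),
            "policy": ev.fields.get("IntrusionPolicy"),
        })
    return out


# Constructed sample: the two lines quoted in the thread, UUID replaced.
SAMPLE_LINES = [
    "<114>2023-12-12T16:55:49Z IPS %FTD-2-430001: DeviceUUID: 00000000-0000-0000-0000-000000000000, "
    "InstanceID: 4, FirstPacketSecond: 2023-12-12T16:55:49Z, ConnectionID: 1290, SrcIP: 8.8.8.8, "
    "DstIP: 172.26.214.182, ICMPType: Echo Reply, ICMPCode: No Code, Protocol: icmp, "
    "IngressInterface: outside, EgressInterface: inside, IngressZone: FTD-OUTSIDE, "
    "EgressZone: FTD-INSIDE, Priority: 3, GID: 1, SID: 408, Revision: 8, "
    "Message: PROTOCOL-ICMP Echo Reply, Classification: Misc Activity, Client: ICMP client, "
    "ApplicationProtocol: ICMP, IntrusionPolicy: YOUR_IPS_POLICY, ACPolicy: YOUR_AControl_POLICY, "
    "AccessControlRuleName: ICMP_IPS_TEST, NAPPolicy: Balanced Security and Connectivity, "
    "InlineResult: Dropped, IngressVRF: Global, EgressVRF: Global",
    "Dec 12 2023 16:53:19 %FTD-1-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, "
    "InstanceID: 4, FirstPacketSecond: 2023-12-12T16:53:19Z, ConnectionID: 57192, "
    "AccessControlRuleAction: Allow, SrcIP: 172.26.214.182, DstIP: 8.8.8.8, ICMPType: Echo Request, "
    "ICMPCode: No Code, Protocol: icmp, Prefilter Policy: Default Prefilter Policy, "
    "NAPPolicy: Balanced Security and Connectivity",
]

if __name__ == "__main__":
    for hit in dropped_intrusions(SAMPLE_LINES):
        print(hit)
```

Feed it the raw lines from your syslog collector; because the 430001 line keeps its `<PRI>` while the legacy-format line does not, anything that keys on the PRI alone will miss one of the two shapes, which is why the header regex treats both the PRI and the tag as optional.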