Cisco FMC IPS syslog configuration.

vivarock12
Level 1

Hello,

FMC 7.0.4, FTD 7.0.4.

Can anyone tell me how to syslog the IPS? I haven't been able to do it.

The information I have found is:
https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/external_alerting_for_intrusion_events.html#ID-2212-000001bf

In the link, the section

Configuring Syslog Alerting for Intrusion Events

The instruction in the link says this:

In the intrusion policy editor's navigation pane, click Advanced Settings.

But I can't find that option. Can anybody show me how to do this? And thanks for the help, by the way.

Note:

My user has the following privileges:

vivarock12_0-1701120622412.png

Do I need Intrusion Admin too?

Regards,

Gerardo Andree Mejia Garcia

6 Replies

Intrusion policy -> Advanced Settings -> External Responses

Do this in FMC and check the log on the syslog server.

Thanks for the help, finally found the option,
but one question: is it only possible to do it on Snort 2 and not with v3? Because I only saw the option on v2.

vivarock12_0-1701123059587.png

vivarock12_1-1701123181414.png

Regards,

Gerardo Andree Mejia Garcia

 

I will check this point.

Thanks for the help, going to double check that and I'll tell you if it works.

Besides the configuration we did previously, in a case with Cisco TAC we did the Snort 2 configuration too:

We entered the Snort 2 configuration and enabled the syslog and the IP of the syslog server.

Here is all that is configured at the moment:

Policies > Intrusion > click on the SNORT 2 version (for the rule you want to change):

vivarock12_5-1702575719694.png

vivarock12_0-1702575244642.png

vivarock12_1-1702575274904.png

The configuration on the ACP policy too (I think this might be redundant, but I didn't care, I'll show you all the config):

Policies > Access control > (the rule you want to change) > Logging > IPS Settings (this might be redundant)

vivarock12_3-1702575413411.png

And on the platform settings for this FTD we changed the severity (not sure, but apparently this one is the one that made the IPS logs work):

Device > Platform settings

vivarock12_4-1702575505611.png

And on the platform settings we changed the severity to Informational.

IMPORTANT:
Remember that the logs from IPS should be the ones with the code:

  • 430001: Intrusion event

    This ID was introduced in release 6.3.

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/security-event-syslog-messages.html

vivarock12_6-1702575907142.png

This is the guide where I took that from.

And this is what the LOG LOOKS LIKE:

This is the format the log has:

<114>2023-12-12T16:55:49Z (this is a tag you can add on the syslog-object) IPS   %FTD-2-430001: DeviceUUID: asedfasdfasdfasdfasdfasdfasdfasdfasdasdf, InstanceID: 4, FirstPacketSecond: 2023-12-12T16:55:49Z, ConnectionID: 1290, SrcIP: 8.8.8.8, DstIP: 172.26.214.182, ICMPType: Echo Reply, ICMPCode: No Code, Protocol: icmp, IngressInterface: outside, EgressInterface: inside, IngressZone: FTD-OUTSIDE, EgressZone: FTD-INSIDE, Priority: 3, GID: 1, SID: 408, Revision: 8, Message: PROTOCOL-ICMP Echo Reply, Classification: Misc Activity, Client: ICMP client, ApplicationProtocol: ICMP, IntrusionPolicy: YOUR_IPS_POLICY, ACPolicy: YOUR_AControl_POLICY, AccessControlRuleName: ICMP_IPS_TEST, NAPPolicy: Balanced Security and Connectivity, InlineResult: Dropped, IngressVRF: Global, EgressVRF: Global

And for some reason the format is different from the other logs that come from the firewall:

 Dec 12 2023 16:53:19   %FTD-1-430003: EventPriority: Low, DeviceUUID: asedfasdfasdfasdfasdfasdfasdfasdfasdasdf, InstanceID: 4, FirstPacketSecond: 2023-12-12T16:53:19Z, ConnectionID: 57192, AccessControlRuleAction: Allow, SrcIP: 172.26.214.182, DstIP: 8.8.8.8, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: outside, IngressZone: FTD-INSIDE, EgressZone: FTD-OUTSIDE, IngressVRF: Global, EgressVRF: Global, ACPolicy: YOUR_AControl_POLICY, AccessControlRuleName: ICMP_IPS_TEST, Prefilter Policy: Default Prefilter Policy, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 74, ResponderBytes: 74, NAPPolicy: Balanced Security and Connectivity

But that's for the syslog tool, in case you have to do something else.

Thanks for the help @MHM Cisco World.
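A small parser for the two message formats quoted in this post (the 430001 intrusion event with its `<PRI>` and custom "IPS" tag, and the plainer 430003 connection event), added here as an example and not code from the thread or from Cisco. It pulls out the Snort rule GID:SID, the message and the InlineResult verdict so a syslog consumer can triage IPS hits separately from connection logs; the sample lines are constructed from the post's two messages with fields trimmed and a placeholder UUID, and the message-ID names cover only the two IDs quoted above.

```python
import re
from typing import Optional

# Header: optional <PRI>, anything up to the "%FTD-<severity>-<message id>:" marker, then the body.
# The text between the timestamp and %FTD is where the custom tag from the syslog object ("IPS") lands.
_HEADER = re.compile(
    r"^\s*(?:<(?P<pri>\d{1,3})>)?(?P<prefix>.*?)%FTD-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
MSG_NAMES = {"430001": "Intrusion event", "430003": "Connection end"}  # IDs quoted in the thread

# Constructed sample input modelled on the two lines in the post (fields trimmed, UUID is a placeholder).
SAMPLE_LINES = [
    "<114>2023-12-12T16:55:49Z IPS   %FTD-2-430001: DeviceUUID: PLACEHOLDER-UUID, InstanceID: 4, "
    "FirstPacketSecond: 2023-12-12T16:55:49Z, ConnectionID: 1290, SrcIP: 8.8.8.8, DstIP: 172.26.214.182, "
    "Protocol: icmp, Priority: 3, GID: 1, SID: 408, Revision: 8, Message: PROTOCOL-ICMP Echo Reply, "
    "IntrusionPolicy: YOUR_IPS_POLICY, AccessControlRuleName: ICMP_IPS_TEST, InlineResult: Dropped",
    " Dec 12 2023 16:53:19   %FTD-1-430003: EventPriority: Low, DeviceUUID: PLACEHOLDER-UUID, "
    "ConnectionID: 57192, AccessControlRuleAction: Allow, SrcIP: 172.26.214.182, DstIP: 8.8.8.8, "
    "Prefilter Policy: Default Prefilter Policy, InitiatorBytes: 74, ResponderBytes: 74",
    "Dec 12 2023 16:53:20 host sshd[123]: not an FTD security event",
]

def parse_ftd_syslog(line: str) -> Optional[dict]:
    """Parse one FTD security-event syslog line into a dict; None if it is not one."""
    m = _HEADER.match(line)
    if not m:
        return None
    event = {"msgid": m.group("msgid"), "severity": int(m.group("sev")),
             "type": MSG_NAMES.get(m.group("msgid"), "Other"), "prefix": m.group("prefix").strip()}
    if m.group("pri") is not None:  # RFC 3164 PRI = facility * 8 + severity
        pri = int(m.group("pri"))
        event["facility"], event["pri_severity"] = pri >> 3, pri & 7
    # The body is "Key: Value, Key: Value, ..."; split on ", " then on the first ": " so that
    # keys with spaces (Prefilter Policy) and values with colons (timestamps) survive intact.
    for part in m.group("body").split(", "):
        key, sep, value = part.partition(": ")
        if sep:
            event[key.strip()] = value.strip()
    return event

def intrusion_summary(event: dict) -> Optional[str]:
    """Triage line for a 430001 event: Snort rule GID:SID:rev, message, flow and verdict."""
    if event.get("msgid") != "430001":
        return None
    return (f"{event['GID']}:{event['SID']}:{event['Revision']} {event['Message']} "
            f"{event['SrcIP']}->{event['DstIP']} {event['InlineResult']}")

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_ftd_syslog(line)
        print("skipped" if ev is None else f"{ev['msgid']} {ev['type']}: {intrusion_summary(ev) or ev['SrcIP']}")
```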
