Syslog originating on FTD - send through site to site?

Mike_997
Level 1

I have a network with several remote sites that have a single FTD 1120 all with site to site VPNs connecting back to a central location. The FTD's are all managed via their public IP by the FMC at the central location. The site to site VPNs connect from the main site, to each spoke for the few things that are managed remotely that sit behind the FTD's. On the protected side of the central site there is a log server. 

I now need to be able to send syslog messages from the FTD's to the syslog server that is back at the central site, basically I need traffic that originates on the FTD to get into the IPSEC tunnel that the FTD is establishing. I could send the syslog out the public side of the spoke FTD's point the syslog destination to the public interface of the central site and NAT to the syslog server but I really do not want the syslog going across the Internet in the clear. 

All FTD's and the FMC are running 7.2.5.2, I see loopbacks became available in 7.3. Could a loopback be used in this case? Any other suggestions? Thanks!

10 Replies

balaji.bandi
Hall of Fame

This should be working if you select the Inside interface as the source and inside traffic goes via the tunnel interface.

You can configure the syslog server with the Inside zone selected; that should work.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

Example:

logging trap informational 

logging host Inside 192.168.100.100 format emblem

As I have seen, there is some issue on 7.2.3.X: a bug with the VTI interface (I don't remember the bug offhand).

BB

Mike_997
Level 1

Here is a basic diagram to help. If on the spoke site FTD I point to the inside to get to the logging server it has nowhere to go. The logging server is on the "inside" of the main site. I need traffic that originates from the FTD, to get inside of the tunnel. Maybe a loopback available in 7.3 is the answer, or a VTI. I am not using VTI's with my site to site tunnels.

[Image: FTD Logging - Remote Site.JPG]

Do you use the OUT interface as the source? If yes,
then add a new IPsec ACL entry: permit host <outside IP> host <server IP>

Try this and check.

MHM

No, the syslogs need to traverse the IPsec VPN; I do not want to send syslog across the Internet in the clear.

The traffic will pass through the tunnel and be encrypted.

I see this method as a workaround in the Cisco bug detail.

Try it and check.

MHM

Any reason why you are not using the management interface? If it is because you are not able to reach the management interface after enabling management via a data interface, then you need to add a static route for the relevant IP or subnet via the CLI.

configure network static-routes ipv4 add management0 1.2.3.0 255.255.255.0 10.1.1.1

where 1.2.3.0 255.255.255.0 are the subnet and network mask of the remote network and 10.1.1.1 is the default gateway for the management interface. Then, depending on whether you are using policy-based or route-based VPN, be sure that the subnet is in the crypto ACL or advertised so it is reachable, and have access rules in place to allow the traffic.

These sites do not have anything connected to the mgmt interface; all of the management is done via the public interface from the FMC.

Did you try what I suggested?

MHM

AigarsK
Level 1

Hi All,

I know this is an old post, but I wanted to add instructions for anyone else who might encounter a need to send syslog from an FTD that is a spoke, aka a remote office, to HQ.

Please note that I believe these instructions work with an FMC or cdFMC deployment:
• Under Device Management, select the firewall in question and then proceed to the Interfaces tab.
• Create a Loopback interface and assign a /32 IP address; please make sure that the IP address is part of your "interesting traffic" and has the necessary NAT exemption in place.
• Under Object - Object Management - Interface, create an Interface Group (I called it FW-MGMT) and add the Loopback interface that you created earlier. (I am not particularly sure that this step is needed, as you technically can later manually enter the interface name where the syslog will originate, but doing it this way there is at least an object in the list, along with your security zones, that you can select without any need for manual entry.)
• Then proceed with editing or creating a Platform Settings policy under Device Management and make sure that it is assigned to your FTD firewall.
• In the Platform Settings policy, configure the Syslog section, select the Syslog Servers tab, press Add, and then specify the IP address of the syslog server; for "Reachable By" select "Security Zones or named Interfaces", specify the Interface Group you created earlier (FW-MGMT in my case), and press OK.
• Now it is necessary to ensure that you have an Access Control Policy (ACP) rule in place that allows the traffic to the syslog server. I recall that I created a wide-open rule for my S2S VPN traffic without specifying a Source Security Zone or Source Network, but did specify that traffic is allowed as long as it is going to the syslog server on the syslog port. If you need to be more specific, then you might need to do some debugging to see what the actual Source Security Zone is for this traffic.

With the above config, you should be getting syslog messages that relate to the firewall itself, not the ACP rule hits; to get ACP rule hits logged, there are extra steps to be done:

• Edit your ACP and, under More where you see Advanced Settings, HTTP Response, and Inheritance Settings, select Logging and then place a tick against "Use the syslog settings configured in the FTD Platform Settings policy deployed on the device".
• Go about configuring any ACP rule that requires that logs are sent over to the syslog server.

Now along with the firewall logs, you should get the ACP rule hits as well.

Loopback as a source does require that you are running version 7.3 or later.

Hope this helps others, as I spent a month with TAC, who were trying to configure a cdFMC-managed FTD to send syslog using the Management Interface, which resulted in the FTD connection being lost to the cdFMC, pushing out numerous FlexConfigs, and in the end got closed down as they did not get what we were after: having the FTD's sftunnel established over the Outside data interface and still having a means to receive syslog at HQ.
This same Loopback interface can be used for SSH access as long as you configure the Platform Settings for it.
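Two prerequisites come up repeatedly in this thread: MHM's crypto ACL entry for the syslog source address, and the requirement in the steps above that the loopback /32 be part of the "interesting traffic" and have a NAT exemption. Both can be checked offline before deploying. The following Python script is an added example, not code from Cisco or from any poster in this thread; it parses ASA/FTD-style crypto ACL `permit` lines and a constructed list of NAT-exempt (original source, original destination) pairs, then reports whether a given syslog source address, such as a loopback /32 or the outside IP, would be matched into the tunnel. All addresses, the ACL name, and the simplified NAT-exempt representation are constructed assumptions.

```python
import ipaddress

# Constructed sample data (hypothetical addresses, not from the thread):
# a spoke loopback used as the syslog source, the HQ syslog server, and the
# spoke's crypto ACL before and after adding the loopback-to-server entry.
SPOKE_LOOPBACK = "10.255.1.1"      # /32 created in FMC under Interfaces
HQ_SYSLOG_SERVER = "10.10.5.20"    # log server on the protected side of HQ

CRYPTO_ACL_BEFORE = [
    "access-list VPN-HQ extended permit ip 10.20.1.0 255.255.255.0 10.10.0.0 255.255.0.0",
]
CRYPTO_ACL_AFTER = CRYPTO_ACL_BEFORE + [
    "access-list VPN-HQ extended permit ip host 10.255.1.1 host 10.10.5.20",
]
# NAT exemption (identity NAT) rules, modelled here as (original source,
# original destination) CIDR pairs rather than full FTD NAT rule syntax.
NAT_EXEMPT_BEFORE = [("10.20.1.0/24", "10.10.0.0/16")]
NAT_EXEMPT_AFTER = NAT_EXEMPT_BEFORE + [("10.255.1.1/32", "10.10.5.20/32")]


def _parse_addr(tokens, i):
    """Parse one ACL address operand at tokens[i]: 'any', 'host A' or 'A MASK'.
    Returns (IPv4Network, index of the next unparsed token)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted-decimal mask form, e.g. '10.20.1.0 255.255.255.0'
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(lines):
    """Turn 'access-list NAME extended permit ip SRC DST' lines into
    (src_network, dst_network) pairs. Lines without 'permit' are ignored."""
    entries = []
    for line in lines:
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit") + 1
        if tokens[i] == "ip":          # protocol keyword, skip it
            i += 1
        src, i = _parse_addr(tokens, i)
        dst, _ = _parse_addr(tokens, i)
        entries.append((src, dst))
    return entries


def _matches(entries, src_ip, dst_ip):
    """True if any (src_net, dst_net) pair covers the src/dst address pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


def check_syslog_path(source_ip, server_ip, crypto_acl_lines, nat_exempt_pairs):
    """Return a list of problem codes for syslog sourced from source_ip to
    server_ip. An empty list means both tunnel prerequisites are satisfied."""
    problems = []
    if not _matches(parse_crypto_acl(crypto_acl_lines), source_ip, server_ip):
        # Not interesting traffic: the packet follows the plain default route
        # out the public interface instead of entering the IPsec SA.
        problems.append("not-in-crypto-acl")
    nat_entries = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
                   for s, d in nat_exempt_pairs]
    if not _matches(nat_entries, source_ip, server_ip):
        # Without identity NAT the source may be translated before encryption
        # and then no longer match the crypto ACL at all.
        problems.append("no-nat-exemption")
    return problems


if __name__ == "__main__":
    for label, acl, nat in (("before", CRYPTO_ACL_BEFORE, NAT_EXEMPT_BEFORE),
                            ("after", CRYPTO_ACL_AFTER, NAT_EXEMPT_AFTER)):
        problems = check_syslog_path(SPOKE_LOOPBACK, HQ_SYSLOG_SERVER, acl, nat)
        print(f"{label}: {problems or 'syslog source will be carried in the tunnel'}")
```

Run it as-is to see the "before" state flag both problems and the "after" state pass; to check your own deployment, paste the spoke's crypto ACL lines from `show run access-list` into `CRYPTO_ACL_BEFORE` and describe the NAT-exempt rules as source/destination pairs. The same check applies to MHM's variant of using the outside IP as the source: pass that address as `source_ip` instead of the loopback.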
