Cisco Firepower Threat Defense

Version: Cisco Firepower Threat Defense (FTD) | Release 6.3 and later

Note – “File Malware and File events” are available from Cisco Firepower release 6.4 and above

Cisco Firepower Threat Defense is a unified software image that combines Cisco ASA and Firepower features into a single hardware and software system.

The Cisco Firepower NGIPS is a next generation intrusion prevention system. It shares a management console with the Cisco firewall offerings, called the Firepower Management Center.

Netsurion, when integrated with Cisco Firepower NGIPS, collects logs from Cisco FTD and creates detailed reports, alerts, dashboards and saved searches. These Netsurion features let users view critical and important information on a single platform.

Reports contain details of activities such as IDS events (which identify the targeted host and the source of the attack), SSLVPN/VPN/WebVPN access, user command execution, and system activities.

IPS events include blocked connections, a file and malware detection summary, an allowed URLs summary, and many more. Each event includes information such as the date, time, type of exploit, and contextual information about the source of the attack and its target.

Alerts are raised as soon as Cisco FTD reports a critical event. Alerts give users real-time notification of events such as a possible attack in progress, and SSLVPN/VPN/WebVPN login success, failure and logout events.

For IPS events, such as a connection blocked because the NGIPS engine discovered a malicious entity, alerts are sent directly to the users' email.

Visual/graphical representations on the Netsurion dashboard show events such as blocked/allowed connections, security event summary counts, and geo-location information.

The dashboard also displays IDS-related events, such as the time of possible attacks from unknown or suspicious sources, information about suspicious URLs and files, SSL flow status, threat name, SHA disposition, source IP address, and the protocol/service used to establish the connection with FTD.

Once Cisco FTD is configured to deliver events to Netsurion Manager, alerts, dashboards, and reports can be configured in Netsurion.

Alerts

| Type | Name | Description |
| --- | --- | --- |
| Security | Cisco FTD - NGIPS has blocked a suspicious connection | This alert is triggered when the Cisco Firepower NGIPS detects a suspicious connection event. |
| Security | Cisco FTD - NGIPS has detected a Malware | This alert is triggered when the Cisco Firepower NGIPS detects a File Malware event. |
| Security | Cisco FTD - NGIPS has blocked an intrusion event | This alert is triggered when the Cisco Firepower NGIPS detects an intrusion event and blocks it. |
| Security | Cisco FTD - Authorization fail detected for admin user | This alert is triggered when a Cisco FTD login fails for the admin user. |
| Security | Cisco FTD - Authorization fail detected for network user | This alert is triggered when Cisco FTD detects a login failure for a network user. |
| Security | Cisco FTD - Device console 'enable' password incorrect | This alert is triggered when Cisco FTD receives an incorrect 'enable' password on the device console. |
| Security | Cisco FTD - Device console login failed | This alert is triggered when there is an incorrect or failed login attempt to the FTD console. |
| Security | Cisco FTD - Intrusion detection event has been detected | This alert is triggered when the IDS engine discovers a potential attack or scan on the network. |
| Security | Cisco FTD - SSL-VPN invalid client tried to login | This alert is triggered when an invalid or unknown SSL VPN/AnyConnect client tries to log in. |
| Security | Cisco FTD - SSL-VPN login fail detected | This alert is triggered when the SSL handshake with a remote device fails. |
| Security | Cisco FTD - User session request with IP options has been discarded | This alert is triggered when an IP packet is seen with IP options set. Because IP options are considered a security risk, the incoming packet is discarded. |
| Security | Cisco FTD - User session with possible ARP poisoning in progress | This alert is triggered when the FTD device receives an ARP packet whose MAC address differs from the ARP cache entry. |
| Security | Cisco FTD - User session with possible footprint/port scanning in progress | This alert is triggered when a real IP packet is denied by an ACL. When this event recurs, it becomes suspicious as a port scanning or footprinting attempt. |
| Security | Cisco FTD - User session with possible IP address spoof detected | This alert is triggered when an attack is in progress in which an adversary attempts to spoof an IP address on an inbound connection. |
| Security | Cisco FTD - user session with possible spoofing attack in progress | This alert is triggered when the FTD device receives either a packet with the same IP address but a different MAC address from one of its uauth entries, or a packet with an exempt MAC address but a different IP address from the corresponding uauth entry. |
| Security | Cisco FTD - User session with teardrop signature detected | This alert is triggered when the FTD device discards a packet with a teardrop signature, that is, a packet containing either a small offset or overlapping fragments. |
| Security | Cisco FTD - VPN session failed | This alert is triggered when VPN client authentication fails. |
| Security | Cisco FTD - WebVPN/AnyConnect session login failed | This alert is triggered when a WebVPN/AnyConnect authentication is rejected. |
| Operations | Cisco FTD - High memory utilization detected on FTD device | This alert is triggered when the FTD system reports high memory utilization. |
| Operations | Cisco FTD - Device configuration erased | This alert is triggered when the device configuration is erased by any user. |
| Operations | Cisco FTD - SSL-VPN unsupported client has been rejected | This alert is triggered when an unsupported AnyConnect client connection is rejected. |
| Compliance | Cisco FTD - WebVPN/AnyConnect session file access denied | This alert is triggered when file access via a WebVPN/AnyConnect session is denied for any user. |

Reports

| Type | Name | Description |
| --- | --- | --- |
| Security | Cisco FTD - NGIPS (Intrusion Events) | This report generates a summary of intrusion events detected by the Cisco Firepower NGIPS. It includes the date, time, type of exploit, and contextual information about the source of the attack and its target. |
| Security | Cisco FTD - IDS scanning report | This report contains a summary of IDS events in which a host is being targeted or attacked. It includes the destination subnet or endpoint IP address, with the action being performed on the target system. |
| Security | Cisco FTD - SSLVPN failed connections | This report has a summary of failed SSLVPN handshakes. It includes the source IP/source port, destination IP/destination port, and the peer type, i.e. 'client' or 'server'. |
| Security | Cisco FTD - VPN client failed connections | This report consists of a summary of failed VPN client connections. It includes the source IP address and username. |
| Security | Cisco FTD - WebVPN failed connections | This report is generated when there is a failed login attempt from a WebVPN/AnyConnect client. It includes the user group name, username, and session type, e.g. 'WebVPN' or 'admin'. |
| Operations | Cisco FTD - NGIPS (Network connection) | This report outlines a summary of network connections at the beginning and at the end of a session. It includes the SSL flow status, access control rule action, URL accessed, etc. |
| Operations | Cisco FTD - User command execution | This report provides a detailed summary of commands executed by the user, such as show config or run diagnostics. |
| Operations | Cisco FTD - System login success | This report generates a detailed summary of successful user logins to the FTD device. It includes the username, source IP/source port, destination IP/destination port, and event timestamp. |
| Operations | Cisco FTD - Allowed traffic activities | This report generates a detailed summary of allowed traffic connections, such as TCP, UDP, or ICMP. It includes the protocol type, source IP/source port, destination IP/destination port, and event timestamp. |
| Compliance | Cisco FTD - SSLVPN successful connections | This report generates a detailed summary of successful SSLVPN handshakes with clients. It includes the protocol version used to establish the connection, along with the peer type, source IP/source port, and destination IP/destination port. |
| Compliance | Cisco FTD - VPN client successful connections | This report is generated for successful VPN client connections. It includes the username and source IP address. |
| Compliance | Cisco FTD - WebVPN successful connections | This report includes a summary of successful WebVPN/AnyConnect client connections/sessions. It includes the username, user group name, and source IP address. |
| Compliance | Cisco FTD - Device configuration changes | This report is generated for configuration changes made on the FTD device by any user. It includes the username, time of command execution, and the actual command that was executed to change the device configuration. |
| Compliance | Cisco FTD - User privilege changed | This report is generated when a user's privilege level changes. It includes the username, old privilege level, new privilege level and event timestamp. |
| Compliance | Cisco FTD - User management | This report generates a detailed summary of user management events, including new user creation in the FTD database and user deletion from the FTD database. It includes the username and the privilege level assigned to that user. |
| Compliance | Cisco FTD - System login failed | This report generates a detailed summary of failed login attempts on the Cisco FTD device. It includes the username, source IP/source port, destination IP/destination port, and event timestamp. |
| Compliance | Cisco FTD - Traffic activity (TCP denied) | This report generates a detailed summary of denied TCP connections. It includes the source IP/source port, destination IP/destination port, and event timestamp. |
| Compliance | Cisco FTD - Traffic activity (UDP denied) | This report generates a detailed summary of denied UDP connections. It includes the source IP/source port, destination IP/destination port, and event timestamp. |

Documentation:

The configuration details are consistent with Netsurion version 9.x and later, and Cisco FTD release 6.3 and above.

Download the Integration Guide and How-to Guide for more information and configuration instructions.