Cisco FireSIGHT and FirePower Threat Defense | External Systems Configuration Guide (2024)

Cisco Firepower Management Center (FMC) - Formerly FireSIGHT and FirePower Threat Defense

Cisco Firepower Management Center (FMC) provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection. It can easily go from managing a firewall to controlling applications to investigating and remediating malware outbreaks.

This section describes how FortiSIEM collects logs from the Cisco FireSIGHT console and FirePower Threat Defense via the eStreamer API integration. FortiSIEM provides two integration options: the FortiSIEM built-in eStreamer integration, or the Cisco FirePower eStreamer eNcore client.

The Cisco eNcore client collects system intrusion, discovery, and connection data from the Firepower Management Center or a managed device (also referred to as the eStreamer server) and forwards it to external client applications, in this case via syslog to FortiSIEM.

  • What is Discovered and Monitored
  • Event Types
  • Rules
  • Reports
  • Configuration
  • Using Cisco eStreamer Client

What is Discovered and Monitored

Protocol        Information Discovered   Logs Collected                                                                                              Used For
eStreamer API                            Intrusion Events, Malware Events, File Events, Discovery Events, User Activity Events, Impact Flag Events   Security Monitoring

Event Types

FortiSIEM obtains events from Cisco FireSIGHT via the eStreamer protocol. The event types, each with a sample event, are listed below.

  • Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

    [PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eventType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGeneratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAddr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destIpPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImpact]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[webAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPolicyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[destIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e34052a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260-63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=
  • Malware events: PH_DEV_MON_FIREAMP_MALWARE

    [PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIpAddr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[fileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[hashAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentFileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDisposition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applicationId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecIntelId]=0,[phLogDetail]=
  • File events: PH_DEV_MON_FIREAMP_FILE

    [PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAddr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[fileName]=Locksky.exe ,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fireAmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageStatus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFileAction]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[infoURL]=http://wrl/wrl/Locksky.exe ,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCounter]=103,[connEventTime]=1430497343,[phLogDetail]=
  • Discovery events:
    • PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

      [PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDevIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetail]=
    • PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

      [PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=737,[reptDevIpAddr]=10.1.23.177,[fingerprintId]=01f772b2-fceb-4777-8a50-1e1f27426ad0,[osType]=Windows 7,[hostVendor]=Microsoft,[osVersion]=NULL,[phLogDetail]=
    • PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP

      [PH_DEV_MON_FIREAMP_DISCOVERY_CLIENT_APP]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=775,[reptDevIpAddr]=10.1.23.177,[clientAppId]=638,[appName]=Firefox,[phLogDetail]=
    • PH_DEV_MON_FIREAMP_DISCOVERY_SERVER

      [PH_DEV_MON_FIREAMP_DISCOVERY_SERVER]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=853,[reptDevIpAddr]=10.1.23.177,[applicationId]=676,[appTransportProto]=HTTP,[phLogDetail]=
  • User activity events: PH_DEV_MON_FIREAMP_USER_LOGIN

    [PH_DEV_MON_FIREAMP_USER_LOGIN]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=672,[reptDevIpAddr]=10.1.23.177,[deviceTime]=1430490441,[user]="User1 ,[userId]=0,[ipProto]=710,[emailId]=,[loginType]=0,[destIpAddr]=198.18.133.1 ,[phLogDetail]=
  • Impact Flag events: PH_DEV_MON_FIREAMP_IMPACT_FLAG

    [PH_DEV_MON_FIREAMP_IMPACT_FLAG]:[eventSeverity]=PHL_CRITICAL,[fileName]=phFireAMPAgent.cpp,[lineNumber]=591,[reptDevIpAddr]=10.1.23.177,[envSensorId]=6,[snortEventId]=34,[deviceTime]=1430491431,[eventType]=Snort-648,[compEventType]=PH_DEV_MON_FIREAMP_IMPACT_FLAG,[ipsGeneratorId]=1,[ipsSignatureId]=14,[ipsClassificationId]=29,[srcIpAddr]=10.131.12.240,[destIpAddr]=10.131.11.46,[srcIpPort]=80,[destIpPort]=8964,[ipProto]=6,[fireAmpImpactFlag]=7,[phLogDetail]=
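The sample events above share one layout: an event type in brackets, a colon, then comma-separated [key]=value pairs. The parser below is an added example (not FortiSIEM or Cisco code) that reads that layout; it works only from the format visible in the samples and uses constructed, shortened event lines. It handles the three quirks the samples expose: a key that repeats (fileName is first the agent source file, then the file seen on the wire), trailing blanks inside values, and a missing leading bracket. The "Windows 7, Service Pack 1" value is constructed to show a comma inside a value.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample events, shortened from the formats shown in this guide. The
# discovery line deliberately lacks the leading "[" (as in the guide's own sample)
# and the malware line carries fileName twice: the agent source file first, then
# the file seen on the wire, with a trailing blank in the value.
SAMPLE_EVENTS = [
    "[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=phFireAMPAgent.cpp,"
    "[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[srcIpAddr]=10.110.10.73,"
    "[destIpAddr]=10.0.112.132,[fileName]=CplLnk.exe ,[filePath]=,[hashAlgo]=SHA,"
    "[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc823209c7f4def24acc38d7fd1 ,"
    "[fireAmpDisposition]=3,[phLogDetail]=",
    "PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT]:[eventSeverity]=PHL_INFO,"
    "[reptDevIpAddr]=10.1.23.177,[osType]=Windows 7, Service Pack 1,[hostVendor]=Microsoft,"
    "[osVersion]=NULL,[phLogDetail]=",
]

# One [key]=value pair. The value runs lazily up to the next ",[key]=" or the end of
# the line, so a value that itself contains a comma is not split in two.
_PAIR = re.compile(r"\[([^\]]+)\]=(.*?)(?=,\[[^\]]+\]=|$)", re.S)
_HEADER = re.compile(r"^\[?([A-Z0-9_]+)\]:(.*)$", re.S)   # leading "[" is optional


def parse_event(line: str) -> Dict[str, object]:
    """Return {'type': EVENT_TYPE, 'attrs': {key: [values in order]}} for one line."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not a FortiSIEM [EVENT_TYPE]:[key]=value line")
    attrs: Dict[str, List[str]] = defaultdict(list)
    for key, value in _PAIR.findall(m.group(2)):
        attrs[key].append(value.strip())      # drop the stray trailing blanks
    return {"type": m.group(1), "attrs": dict(attrs)}


def attr(event: Dict[str, object], key: str, which: int = -1) -> Optional[str]:
    """Pick one value of a possibly repeated key; the default is the last occurrence."""
    values = event["attrs"].get(key)
    return values[which] if values else None


def file_hashes(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Collect file name, hash and disposition from malware and file events for SIEM pivots."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev["type"] in ("PH_DEV_MON_FIREAMP_MALWARE", "PH_DEV_MON_FIREAMP_FILE") and attr(ev, "hashCode"):
            out.append({"type": ev["type"], "file": attr(ev, "fileName"),
                        "algo": attr(ev, "hashAlgo"), "hash": attr(ev, "hashCode"),
                        "disposition": attr(ev, "fireAmpDisposition")})
    return out
```

Calling file_hashes(SAMPLE_EVENTS) yields one record for CplLnk.exe with its SHA hash and disposition 3; the discovery event is parsed but skipped because it carries no hash.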

Rules

There are no predefined rules for this device.

Reports

The following reports are provided:

  • Top Cisco FireAMP Malware Events
  • Top Cisco FireAMP File Analysis Events
  • Top Cisco FireAMP Vulnerable Intrusion Events
  • Top Cisco FireAMP Discovered Login Events
  • Top Cisco FireAMP Discovered Network Protocol
  • Top Cisco FireAMP Discovered Client App
  • Top Cisco FireAMP Discovered OS

Configuration

  • Cisco FireSIGHT Configuration

  • FortiSIEM Configuration

Cisco FireSIGHT Configuration
  1. Log in to the Cisco FireSIGHT console.
  2. Go to System > Local > Registration > eStreamer.
  3. Click Create Client.
    1. Enter the IP address and password for FortiSIEM. The password can only contain alpha (a-z, A-Z) and numeric (0-9) characters. Special characters are not allowed.
    2. Click Save.
  4. Select the types of events that should be forwarded to FortiSIEM.
  5. Click Download Certificate and save the certificate to a local file.

FortiSIEM Configuration

Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

  • Define Cisco FireSIGHT console and FirePower Threat Defense Credential in FortiSIEM

  • Create IP Range to Credential Association and Test Connectivity

Define Cisco FireSIGHT console and FirePower Threat Defense Credential in FortiSIEM
  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials, click New to create a new credential.
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

       Settings           Description
       Name               Enter a name for the credential.
       Device Type        Cisco FireAMP
       Access Protocol    eStreamer SDK
       Password           Enter the password entered in Step 3a of Cisco FireSIGHT Configuration.
       Certificate File   Click Upload and enter/select the certificate downloaded in Step 5 of Cisco FireSIGHT Configuration.
       Organization       The organization the device belongs to.
       Description        Description of the device.
Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps (in ADMIN > Setup > Credentials).

  1. In Step 2: Enter IP Range to Credential Associations, click New to create a mapping.
    1. Enter the IP address of the FireSIGHT console in the IP/Host Name field.
    2. Select the name of the credential created in Define Cisco FireSIGHT console and FirePower Threat Defense Credential in FortiSIEM from the Credentials drop-down list.
    3. Click Save.
  2. Select the entry just created, click the Test drop-down list and select Test Connectivity. FortiSIEM will start collecting events from the FireSIGHT console.

Using Cisco eStreamer Client

Cisco has published a free eStreamer client to pull events from the FireAMP server. This client is more up-to-date than FortiSIEM's own eStreamer client.

If you decide to use Cisco's eStreamer client instead of FortiSIEM's eStreamer client, follow these steps.

  • Step 1: Install a New Version of Python with a New User 'estreamer'

  • Step 2: Download and Configure eStreamer Client

  • Step 3: Start eStreamer Client

Step 1: Install a New Version of Python with a New User 'estreamer'

This is required because the Python version used by FortiSIEM is compiled with PyUnicodeUCS2, while the eStreamer client requires the standard version of Python built with PyUnicodeUCS4.

  1. Log in to the FortiSIEM Collector or the node where the eStreamer client is going to be installed.
  2. Install openssl-devel and openssl-devel.i686 by running the following command.
    yum install openssl-devel openssl-devel.i686
  3. Create the estreamer user using the following command.
    useradd estreamer
  4. Download the Python source archive using the following commands.
    1. su estreamer
    2. mkdir ~/python
    3. cd ~/python
    4. wget https://www.python.org/ftp/python/2.7.18/Python-2.7.18.tgz
  5. Build and install Python using the following commands.
    1. tar zxfv Python-2.7.18.tgz
    2. find ~/python -type d | xargs chmod 0755
    3. cd Python-2.7.18
    4. ./configure --prefix=$HOME/python --enable-unicode=ucs4
    5. make && make install
    6. Add the following two lines to ~/.bashrc.
      export PATH=$HOME/python/Python-2.7.18/:$PATH
      export PYTHONPATH=$HOME/python/Python-2.7.18
    7. source ~/.bashrc
Step 2: Download and Configure eStreamer Client

  1. SSH to the FortiSIEM Collector or the node where the eStreamer client is going to be installed, as the estreamer user.
  2. Clone the repository: git clone git://github.com/CiscoSecurity/fp-05-firepower-cef-connector-arcsight.git
  3. Change directory using the following command.
    cd fp-05-firepower-cef-connector-arcsight
  4. Log in to the eStreamer server and take the following steps.
    1. Go to System > Integration > eStreamer.
    2. Create a new client and enter the IP address of the Supervisor/Collector as the host.
    3. Download the pkcs12 file and save it to the fp-05-firepower-cef-connector-arcsight directory.
  5. Go back to the fp-05-firepower-cef-connector-arcsight directory.
  6. Run sh encore.sh, and type 2 to select CEF output when prompted. An estreamer.conf file is generated.
  7. Edit estreamer.conf with the following settings (in JSON format).
    • handler.outputters.stream.uri : "udp://VA_IP:514"
    • servers.host : eStreamer_Server_IP
    • servers.pkcs12Filepath : /path/to/pkcs12
  8. Run the following two commands to extract the private key and the client certificate from the PKCS#12 file.
    • openssl pkcs12 -in "client.pkcs12" -nocerts -nodes -out "/path/to/fp-05-firepower-cef-connector-arcsight/{eStreamer_Server_IP}-{port}_pkcs.key"
    • openssl pkcs12 -in "client.pkcs12" -clcerts -nokeys -out "/path/to/fp-05-firepower-cef-connector-arcsight/{eStreamer_Server_IP}-{port}_pkcs.cert"
  9. Notes:
    1. 8302 is the default port.
    2. The public IP of the device must be used to create client.pkcs12, as described in the Cisco FireSIGHT Configuration documentation. The command curl ifconfig.co can be used to get the public IP of the device.
    3. The -nodes option writes the private key to disk unencrypted, so keep the resulting .key file readable only by the estreamer user.
Step 3: Start eStreamer Client

SSH to the FortiSIEM Collector or the node where the eStreamer client is installed, as the estreamer user. Start the eStreamer client by entering:
  sh encore.sh start

The eStreamer client is now ready for use. FortiSIEM 5.2.5 contains an updated parser for the events generated by the Cisco eStreamer client. Trigger a few events on the eStreamer server and query from FortiSIEM to verify that everything is working.
