SOCFortress Integrations — Cisco Firepower Management Center (FMC)

SOCFortress
4 min read · Oct 15, 2024


Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

SOCFortress integration and visualisation tools let security analysts visualise and triage Cisco Firepower Management Center (FMC) events and alerts from a single pane of glass.

About Cisco FMC

Cisco Firepower Management Center (FMC) is the centralised management platform for Cisco’s Firepower Threat Defense (FTD) security products, which are part of Cisco’s next-generation firewall (NGFW) solutions.

FMC provides visibility, control, and automation for security policies across Cisco’s network security appliances, such as firewalls, intrusion prevention systems (IPS), and advanced malware protection (AMP).

FMC serves as a powerful and comprehensive management solution for security operations, providing a unified platform to manage, monitor, and respond to threats across complex networks. It is particularly valuable for organisations seeking to streamline their security operations while gaining real-time visibility and control over their network environment.

FMC features

  • Centralized Management:
    — Device Management: FMC allows you to manage multiple Cisco FTD devices from a single interface. You can deploy, configure, and monitor firewalls and security policies across distributed networks.
    — Security Policy Management: You can create and enforce security policies for access control, intrusion detection/prevention (IDS/IPS), and content filtering.
  • Advanced Threat Protection:
    — Intrusion Detection and Prevention (IDP): FMC integrates with Cisco’s Snort-based IPS to detect and prevent intrusions and security threats in real time.
    — Advanced Malware Protection (AMP): FMC provides deep visibility into malware activity and helps to block malware across networks by integrating with Cisco AMP.
    — URL Filtering: It offers URL filtering to restrict access to malicious or inappropriate websites.
  • Comprehensive Visibility:
    — Network and Application Visibility: FMC gives administrators deep visibility into network traffic, applications, users, and devices. This includes network behavior analysis and detection of anomalies.
    — Security Event Correlation: It correlates network events to identify potential threats and anomalies.
    — Real-time Monitoring and Reporting: FMC provides detailed dashboards, alerts, and reports about security events, vulnerabilities, and network activities.
  • Automated Threat Intelligence:
    — Cisco Talos Integration: FMC is integrated with Cisco’s Talos Security Intelligence and Research Group, which provides threat intelligence feeds and updates in real-time to defend against new and emerging threats.
    — Dynamic Threat Control: With real-time threat intelligence, FMC can automatically update signatures, policies, and threat detection parameters to improve defenses.
  • Policy and Rule Automation:
    — FMC provides policy automation features that allow administrators to dynamically adjust security rules based on detected threats, network changes, or predefined triggers.
  • High Availability and Scalability:
    — FMC supports high availability configurations for redundancy and failover to ensure business continuity.
    — It is also scalable, capable of managing a large number of security devices across geographically dispersed networks.
  • VPN Management:
    — It supports VPN management, allowing you to configure and manage site-to-site and remote access VPNs to secure communications over untrusted networks.
  • Integrations with Other Cisco Products:
    — FMC integrates with other Cisco security solutions like Cisco Identity Services Engine (ISE) for identity-based policies and network access control, Cisco Umbrella for DNS-layer security, and Cisco SecureX for extended detection and response (XDR) across the entire security ecosystem.

Ingesting Cisco FMC Security Logs and Events

Cisco FMC supports remote syslog configuration to send logs, events, and alerts to an external log collector or SIEM (Security Information and Event Management) system.

Syslog Configuration in FMC

  • Enabling Syslog:
    — You can configure FMC to send different types of logs (such as intrusion events, connection events, malware events, and other security alerts) to an external syslog server.
  • Customising Syslog Messages:
    — FMC allows you to customise the format of the syslog messages (e.g., CEF format for ArcSight, LEEF format for QRadar).
  • Event Types Sent via Syslog:
    — Security Events: Intrusion detection/prevention events, malware detection, URL filtering events, etc.
    — Connection Events: Logs related to network traffic, including source/destination IP, ports, protocols, and actions taken.
    — Audit Events: Administrative activities and configuration changes made in FMC.
    — Alerts: Security-related alerts and notifications for policy violations or detected threats.
  • Syslog Destination:
    — You can specify one or more external syslog destinations (IP address and port of the syslog server) to receive the logs.
    — Logs can be sent over UDP or TCP, with the option to enable TLS for secure log transmission.
  • Rate Limiting and Filtering:
    — FMC allows you to apply rate limits and filters to avoid overloading the syslog server with too many events, sending only the most critical or relevant logs.
  • Redundancy:
    — You can configure multiple syslog servers for redundancy, ensuring logs are sent to backup destinations if the primary log collector becomes unavailable.

Once set up, logs and events will be forwarded in real-time from FMC to an external log collector, allowing for continuous monitoring, correlation, and analysis in the external SIEM or log management system.
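Once the CEF-formatted syslog feed described above reaches the collector, each line still has to be parsed before it can be counted by policy, application or action as in the visualisations below. The following is an added example, not SOCFortress or Cisco code: a small CEF parser that handles the escaped pipes and equals signs the format allows, plus the "logs by client app and firewall action" aggregation. The sample lines are constructed, and the vendor/product strings, signature ids and extension keys are assumptions about what an FMC export might carry.

```python
import re
from collections import Counter

# Constructed sample syslog lines in CEF format, not captured from a real FMC.
# The vendor/product strings, signature ids and extension keys are assumptions.
SAMPLE_LINES = [
    "<134>Oct 15 10:01:02 fmc CEF:0|Cisco|Firepower|7.2|430003|CONNECTION|3|"
    "src=10.0.0.5 dst=198.51.100.10 spt=51514 dpt=443 proto=tcp act=Allow "
    "app=HTTPS cs1Label=Policy cs1=Corp Egress",
    "<134>Oct 15 10:01:03 fmc CEF:0|Cisco|Firepower|7.2|430003|CONNECTION|3|"
    "src=10.0.0.7 dst=203.0.113.9 spt=40222 dpt=53 proto=udp act=Block "
    "app=DNS cs1Label=Policy cs1=Corp Egress",
    # Escaped pipe in the header and escaped '=' inside an extension value.
    "<134>Oct 15 10:01:04 fmc CEF:0|Cisco|Firepower|7.2|430001|INTRUSION\\|TEST|7|"
    "src=10.0.0.9 dst=198.51.100.10 spt=1111 dpt=443 proto=tcp act=Block "
    "app=HTTPS msg=rule id\\=1000 hit cs1Label=Policy cs1=Corp Egress",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# A key is a run of word characters followed by '='; its value runs until the
# next ' key=' or the end of the string. Escaped pairs such as '\=' are kept
# together so they are never mistaken for a key boundary.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF payload into a flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _UNESCAPED_PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event = {k: v.replace(r"\|", "|").replace(r"\\", "\\")
             for k, v in zip(HEADER_FIELDS, parts[:7])}
    for key, value in _EXT_RE.findall(parts[7]):
        event[key] = value.replace(r"\=", "=").replace(r"\\", "\\")
    return event


def count_by_app_and_action(lines) -> Counter:
    """Build the 'logs by client app and firewall action' breakdown."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        counts[(ev.get("app", "unknown"), ev.get("act", "unknown"))] += 1
    return counts
```

Running `count_by_app_and_action(SAMPLE_LINES)` on the constructed lines yields one HTTPS/Allow, one HTTPS/Block and one DNS/Block entry; a malformed header raises rather than silently producing a half-parsed event.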

Visualisations

SOCFortress landing page

Total traffic logs, by policy and application protocol:

Logs by client app and firewall action:



Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
