Collect Firewall Metadata with Lumu VA and Cisco Firepower

The Lumu Virtual Appliance (VA) offers the option to create Collectors, a seamless way to integrate the network metadata of your entire enterprise into the Lumu cloud with the lowest impact on network operation.

In cases where attacks avoid domain resolution, the traces of adversarial contact can lie in the access logs of firewalls. This option is also available for networks where DNS configuration is not possible. In this scenario, the firewall forwards its logs to Lumu's VA, which processes the traffic metadata. If the firewall has URL filtering enabled and the URLs can be included in the logs, all the IT assets using the firewall are monitored. This approach ensures compromise visibility without having to make major changes to the network.

In this guide, we provide you with instructions and resources on how to configure a Cisco Firepower firewall to forward all firewall logs to Lumu through a Virtual Appliance.


Requirements

  • Admin access to configure a Syslog server on Cisco Firepower firewall.
  • The most recent version of the Lumu Virtual Appliance installed.

These are the general steps you should follow to configure a Syslog server on a Cisco Firepower firewall to send all metadata to Lumu:

Deploy and Set Up Lumu VA

All the detailed steps and guidance to create, download, and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:

Set Up a Lumu VA Firewall Log Collector

Go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, stop it before setting up collectors.

Select the option that refers to Cisco Firepower and the log format that suits you best, then provide the following data:

  • Protocol type: select TCP or UDP according to your infrastructure and your Cisco Firepower's settings.
  • Port number: provide a number between 1024 and 65535, inclusive.
  • Timezone: the timezone for setting up the VA. Use the canonical ID (e.g. America/Chicago). You can use this external article [Add link] for reference.


Configure Cisco Firepower to Send Metadata to Lumu VA

Once you have installed and configured a Lumu Virtual Appliance with the respective firewall collector, the next step is to set up Cisco Firepower to forward firewall metadata to Lumu. Below you will find the overall steps to configure forwarding of the required events. The detailed guide can be found in Cisco's official documentation:

Events of interest

Cisco Firepower classifies its events using a specific ID and a severity level. In the next table, you can find the events of interest for Lumu:

Event ID   Severity level
106100     6 (informational)
302013     6 (informational)
302014     6 (informational)
302015     6 (informational)
302016     6 (informational)
430002     5 (notification)
430003     1 (alert)

Add event list filter

It is recommended to create a custom event list filter so that events Lumu does not need are not sent to your Lumu VA. This saves resources on your firewall as well as bandwidth. To create an event list filter, follow these steps:

  1. On your Firepower console (FTD), go to Objects > Event List Filters.
  2. Click the Create Event List Filter button. On the Add Event List Filter window, fill in the required information:
    1. Fill in the Name and Description fields with an easily identifiable name.
    2. Add three Syslog ranges: 106100, 302013-302016, and 430002-430003.
    3. Click the OK button.
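A useful sanity check before deploying is to confirm, from the firewall's own syslog output, which messages the event list filter above will let through and what metadata (connection endpoints, URLs) each carries. The following Python script is an added example written for this guide; it is not Lumu or Cisco code. It applies the three syslog ranges from the filter (106100, 302013-302016, 430002-430003) to syslog lines and extracts the endpoints and any URL field. The message header format `%FTD-<severity>-<message id>:` is Cisco's; the message bodies in SAMPLE_LOG are constructed for illustration and only loosely follow the documented formats, and the "SrcIP/DstIP/URL" key-value layout assumed for the 430xxx events is an assumption, not taken from this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Syslog ranges from this guide's event list filter.
LUMU_EVENT_RANGES = [(106100, 106100), (302013, 302016), (430002, 430003)]

# Cisco syslog severity numbers, as used in the table of events of interest.
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Cisco ASA/FTD message header: %<platform>-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%(?P<platform>ASA|FTD|PIX)-(?P<sev>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)$")
# IPv4 endpoints written as ip/port (302xxx messages) or ip(port) (106100 messages)
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})[/(](\d{1,5})")
# "Key: value" pairs as used by the comma-separated 430xxx connection events (assumed layout)
KV_RE = re.compile(r"(\w+): ([^,]+)")


@dataclass
class FirewallEvent:
    severity: int
    msg_id: int
    endpoints: list = field(default_factory=list)   # [(ip, port), ...] in order of appearance
    url: Optional[str] = None
    text: str = ""

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES.get(self.severity, "unknown")


def in_event_list(msg_id: int) -> bool:
    """True if msg_id falls inside one of the filter's syslog ranges."""
    return any(lo <= msg_id <= hi for lo, hi in LUMU_EVENT_RANGES)


def parse_event(line: str) -> Optional[FirewallEvent]:
    """Parse one syslog line; return None if it carries no Cisco message header."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    text = m["text"]
    kv = dict(KV_RE.findall(text))
    if "SrcIP" in kv and "DstIP" in kv:
        # 430xxx style: explicit source/destination fields
        endpoints = [(kv["SrcIP"], int(kv.get("SrcPort", 0))),
                     (kv["DstIP"], int(kv.get("DstPort", 0)))]
    else:
        # 106100 / 302xxx style: endpoints embedded in free text; dict.fromkeys drops the
        # repeated mapped (NAT) address that 302013 prints in parentheses
        endpoints = list(dict.fromkeys((ip, int(port)) for ip, port in ENDPOINT_RE.findall(text)))
    return FirewallEvent(severity=int(m["sev"]), msg_id=int(m["msg_id"]),
                         endpoints=endpoints, url=kv.get("URL"), text=text)


def filter_for_lumu(raw_log: str) -> list:
    """Keep only the events the guide's event list filter would forward to the VA."""
    kept = []
    for line in raw_log.splitlines():
        ev = parse_event(line)
        if ev is not None and in_event_list(ev.msg_id):
            kept.append(ev)
    return kept


# Constructed sample messages (not captured from a real device); addresses are documentation ranges.
SAMPLE_LOG = """\
<166>Jan 10 2024 12:00:01 ftd-edge %FTD-6-302013: Built outbound TCP connection 88123 for outside:203.0.113.45/443 (203.0.113.45/443) to inside:10.10.5.21/51822 (10.10.5.21/51822)
<166>Jan 10 2024 12:00:02 ftd-edge %FTD-6-302014: Teardown TCP connection 88123 for outside:203.0.113.45/443 to inside:10.10.5.21/51822 duration 0:00:01 bytes 5120 TCP FINs
<166>Jan 10 2024 12:00:03 ftd-edge %FTD-6-106100: access-list inside_access permitted tcp inside/10.10.5.21(51823) -> outside/198.51.100.7(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
<161>Jan 10 2024 12:00:04 ftd-edge %FTD-1-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000000, ConnectionID: 88124, AccessControlRuleAction: Allow, SrcIP: 10.10.5.21, DstIP: 198.51.100.7, SrcPort: 51823, DstPort: 80, Protocol: tcp, URL: http://198.51.100.7/update.bin
<165>Jan 10 2024 12:00:05 ftd-edge %FTD-5-111008: User 'admin' executed the 'show running-config' command.
<166>Jan 10 2024 12:00:06 ftd-edge %FTD-6-305011: Built dynamic TCP translation from inside:10.10.5.21/51824 to outside:192.0.2.1/51824
"""

if __name__ == "__main__":
    for ev in filter_for_lumu(SAMPLE_LOG):
        print(f"{ev.msg_id} sev={ev.severity} ({ev.severity_name}) endpoints={ev.endpoints} url={ev.url}")
```

Running the script on the constructed sample keeps four of the six lines (the two connection events, the access-list hit and the URL-bearing 430003 event) and drops the command-audit and NAT-translation messages, which is exactly the reduction the custom event list filter is meant to achieve on the firewall side. Pointing `filter_for_lumu` at a short capture of your own firewall's syslog output shows whether URLs are actually present in the forwarded events, which is the precondition the introduction gives for monitoring every asset behind the firewall.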

Add Lumu VA as a Syslog server

You need to add your Lumu VA as a Syslog server object inside Cisco Firepower Firewall. Follow these steps to add a new Syslog server object:

  1. On your Firepower console (FTD), go to Objects > Event List Filters.
  2. Click on the + (plus) icon on the Syslog Servers screen. Fill in the required data according to how you configured the VA collector in the previous steps. According to your network topology, select the data interface you want to use to send Syslog messages to your VA. Click the OK button.
  3. Go to the System Settings > Logging Settings menu. This menu is under the Device screen.
  4. Under the Logging Settings window, toggle Data logging under the Remote Servers section. Add the Syslog Server you have created and select the Custom Logging Filter object. Click on the Save button.

Remember to deploy your changes.




