Firepower 1120 Remote SYSLOG Servers

dasadmin
Level 1

Hello

I have a pair of Firepower 1120 running FTD configured as an HA pair and managed locally with FDM. Should I need to manage the units directly, each has a MGT IP and they share the main and standby address on the INSIDE interface:

UNIT 1: Management: x.x.101.241/24
UNIT 2: Management: x.x.101.242/24
GATEWAY: Use the Data Interfaces as the Gateway

INSIDE: x.x.101.250/24 (standby x.x.101.249/24)

I'm coming from using ASA and I have a few issues with remote SYSLOG servers. With ASA, I set the two remote SYSLOG servers and set the log level as, say, WARNING and that was it. All the SYSLOGS were forwarded to both SYSLOG servers.

With Firepower 1120, I can still define two SYSLOG servers under System Settings / Logging Settings.  However, I have these issues:

1. For a given policy, on the Logging tab, I can Select Log Action - At Beginning and End of Connection and Send Connection Events to: (SYSLOG server) - however I can only select a single SYSLOG server in the drop-down - how can I send messages to both?

2. The SYSLOG output is missing the HOSTNAME and IP Address of the device - how can I add this to the SYSLOG output?

3. Under Objects / Syslog Servers, if I edit the remote SYSLOG server, I choose Interface: INSIDE - however, there is a note that says: For connection, intrusion, file and malware messages, the source IP address will either be for the management interface, or for the gateway interface if you route through data interfaces. My Management and Inside interfaces are on the same subnet and I am getting SYSLOG messages from both Management IP addresses and the INSIDE IP Address - how can I change this so I only get SYSLOG messages from the INSIDE IP address?

Thanks in advance

4 Replies

tvotna
Spotlight

In my understanding you should not override your device syslog settings in ACP. You configure multiple syslog servers under Devices > Platform Settings. There you can also enable a syslog-id, such as a hostname, an IP address or an arbitrary string, to include in syslog messages:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-platform.html#id_84926

When configuring you can choose "Device Management Interface or Security Zones or Named Interfaces to communicate with the syslog server". If it sends from both, it's a bug.

In ACP use "Use the syslog settings configured in the Threat Defense Platform Settings policy deployed on the device" option and choose severity:

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/access-policies.html#AC_Policy_Syslog_Settings

In this case connection/intrusion syslogs should be sent to all syslog servers configured under Platform Settings.

Unfortunately, all syslog messages generated by NGFW code will have the same severity level and the same syslog id, which is quite stupid, but this is simply because of the Sourcefire product architecture, where sftunnel logging to FMC has always been the primary logging mechanism. Syslog ids:

- 430001: Intrusion event
- 430002: Connection event logged at beginning of connection
- 430003: Connection event logged at end of connection
- 430004: File event
- 430005: File malware event

Another drawback is that ASA/Lina and FMC generate syslogs independently from NGFW code and follow their own rules. E.g. FTD/Lina still sends the same messages as ASA, although a few syslog-ids are suppressed by default (look at "show run").

HTH
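
A collector-side check for the syslog-id table above and for the duplicate-source symptom described in the question, added here as an example (not code from the post or from Cisco): it classifies received FTD messages by the 4300xx IDs and reports which sender IPs emitted each event, flagging connection events that arrived from more than one source. The "%FTD-<sev>-<id>:" prefix follows the ASA style the reply mentions; the body field names (ConnectionID, SrcIP, ...), the sample IPs and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Syslog IDs for NGFW events, as listed in the reply above.
FTD_EVENT_IDS = {"430001": "intrusion", "430002": "connection-start",
                 "430003": "connection-end", "430004": "file", "430005": "file-malware"}

# ASA-style prefix "%FTD-<severity>-<message id>:" followed by the message body.
_PREFIX = re.compile(r"%FTD-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<body>.*)$")

def parse_ftd(line):
    """Return (severity, message id, event type, body), or None for non-FTD lines."""
    m = _PREFIX.search(line)
    if not m:
        return None
    mid = m.group("id")
    return int(m.group("sev")), mid, FTD_EVENT_IDS.get(mid, "lina/other"), m.group("body")

def connection_key(body):
    """Dedup key from the fields that identify one connection event (field names assumed)."""
    fields = dict(kv.split(": ", 1) for kv in body.split(", ") if ": " in kv)
    return tuple(fields.get(k) for k in ("ConnectionID", "SrcIP", "DstIP", "DstPort"))

def audit_sources(records):
    """records: (sender_ip, raw_line) pairs as received by the collector.
    Returns ({event type: {sender_ip: count}}, [connection events seen from >1 sender])."""
    per_type = defaultdict(lambda: defaultdict(int))
    senders_by_event = defaultdict(set)
    for sender, line in records:
        parsed = parse_ftd(line)
        if parsed is None:
            continue  # not an FTD message; ignore
        _sev, mid, etype, body = parsed
        per_type[etype][sender] += 1
        if mid in ("430002", "430003"):
            senders_by_event[(mid,) + connection_key(body)].add(sender)
    duplicates = sorted(k for k, s in senders_by_event.items() if len(s) > 1)
    return {t: dict(s) for t, s in per_type.items()}, duplicates

# Constructed sample: one end-of-connection event arriving from both management
# IPs and the inside IP (the symptom in the question), plus a Lina message from inside only.
SAMPLE = [
    ("192.0.2.241", "%FTD-6-430003: ConnectionID: 1001, SrcIP: 10.0.0.5, DstIP: 203.0.113.9, DstPort: 443"),
    ("192.0.2.242", "%FTD-6-430003: ConnectionID: 1001, SrcIP: 10.0.0.5, DstIP: 203.0.113.9, DstPort: 443"),
    ("192.0.2.250", "%FTD-6-430003: ConnectionID: 1001, SrcIP: 10.0.0.5, DstIP: 203.0.113.9, DstPort: 443"),
    ("192.0.2.250", "%FTD-4-106023: Deny tcp src outside:198.51.100.7/4455 dst inside:10.0.0.5/22"),
]

if __name__ == "__main__":
    print(audit_sources(SAMPLE))
```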

I think the source of the syslog is the IP of the interface through which the FTD can reach the Syslog server,

and from FTD 6.3 you can select the mgmt interface to be the source of syslog.
This needs FMC.

Screenshot (147).png

MHM

dasadmin
Level 1

Hello

Thanks for the replies.

I'm not using FMC, instead using the local Firewall Device Manager UI, so I'm not sure I have the settings you are referring to?

Here is the UI for adding the Syslog server (x.x.101.5 - same subnet) - I am explicitly selecting the inside interface:

syslog-entry.png

And here is the UI for selecting the Logging Settings:

syslog-settings.png

As you can see, I don't appear to be able to add the hostname or IP address?

I am getting syslog messages from three sources: the management IP addresses and the inside IP address.

Is this a bug, when I have specified the inside interface?

Thanks


Sorry, I misread your message and didn't notice that you use FDM. I don't have FDM, but it appears that FDM logging config is indeed completely different, and I'd say that the feature design is completely broken. From documentation it appears that system logging settings are for Lina logging and NGFW file/malware logging only. Connection event logging is configured in ACP and Intrusion event logging is configured in Intrusion Policy. This is not in line with what we have in FMC.

https://www.cisco.com/c/en/us/td/docs/security/firepower/740/fdm/fptd-fdm-config-guide-740/fptd-fdm-system.html#id_88125

So, I'm afraid you cannot achieve what you need with FDM. Open a TAC case if you can and complain. They must provide enhancement id(s) for all of the issues and a bug id for duplicate messages. If no such enh/bugs were opened yet, insist on opening new ones. Post all ids here.
