Integrate Cisco Threat Response andFirepower Contents

IntroductionPrerequisitesRequirementsComponents UsedBackground informationFeature DescriptionDeployment ArchitectureConfigureFTD managed by FMC - Direct CTR IntegrationVerifyFTD managed by FMC - Direct CTR IntegrationTroubleshootConnectivity Problems due to DNS ResolutionProblems with registrationFTD  - Direct CTR Integration log filesa. Event Handler:b. SSE Connector:

Introduction

This document describes the steps required to integrate, verify and troubleshoot Cisco ThreatResponse (CTR) with Firepower.

Contributed by Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Firepower Management Center (FMC)●

Optional Virtualization of images ●

Components Used

Firepower Threat Defense (FTD) - 6.3 and later●

Firepower Management Center (FMC) - 6.3 and later●

Security Services exchange (SSE)●

Cisco Threat Response Account (CTR)●

The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, ensure that you understand the potential impact of any command.

Background informationThe below table defines the events that are supported to be sent to the Cisco Cloud by the Firepower Management Center (FMC) and Firepower ThreatDefense (FTD).

Feature Devices Managed by FMC FTD Devices managed by fdm

Intrusion (IPS) events6.3 and later (via Syslog)

6.4 and later (via direct connection)

6.3 and later (via Syslog)

6.4 and later (via direct connection)

Firepower devices that run release6.5 support the following event typesConnection events (all) Not supported 6.5

Connection events (high priority only):

Security Intelligence connection events

Connection events related to file and malware events

Connection events related to intrusion events

6.5 Not Supported

File and malware events 6.5 6.5

Feature Description

Cisco Threat Response (CTR) is a cloud-based aggregator of threat intelligence collected orgenerated by Cisco security products as well as other third-party products selected. CTR allowsyou to pull together critical threat intelligence to visualize this intelligence in a single dashboardand add context from your organization to know which systems and devices are impacted by athreat. CTR is accessible through integrations with the next Cisco security products: AMP forEndpoints, Threat Grid, Umbrella, Security Management Appliance with Email Security, and CloudEmail Security.

CTR includes access to an optional feature (called the “Eventing Service”) that can be enabled, itcollects event data from registered Cisco security products, for example, Cisco’s Next GenerationFirewall devices. If the Eventing Service feature is enabled, event data is transferred from theapplicable products to the Eventing Service where some of the events are filtered (e.g. promoted)to incident status. Incidents are then transferred to the applicable customer’s private incidentmanager repository on CTR. You also have the option to enable automatic sharing of raw(unfiltered) event data with Cisco Talos for global threat intelligence research purposes.

The CSSP is an On-premise software that can be installed to forward alerts it receives fromdevices to the cloud-hosted Cisco Security Services Exchange (SSE). From there, these eventscan be selected to forward to other Cisco Security Services, such as Cisco Defense Orchestrator(CDO) or Cisco Threat Response (CTR).

While some Cisco products include the ability to upload to SSE natively, CSSP can be used as abridge for some of those products that cannot. From FTD 6.4 and higher version, the events canbe directly sent to the Cisco Cloud without the need of the CSSP. However, for earlier FTDversions, the CSSP is required to send events to the cloud.

Deployment Architecture

With Firepower release 6.4 or later, you can configure your Firepower system to send supportedevents directly to the Cisco cloud from the FTD devices.

Note: Only FTDs are supported, not NGIPS.

Specifically, your Firepower devices send events to Security Services Exchange (SSE), using thebuilt-in SSE connector, from where they can be automatically or manually promoted to incidentsthat appear in Cisco Threat Response (CTR).

Configure

In order to complete the configuration take into consideration these sections:

In order to useCisco Threat Responseand associated tools, you must have one of the nextaccounts on the regional cloud:

Cisco Security Account●

AMP for Endpoints account●

Cisco Threat Grid account●

FTD managed by FMC - Direct CTR Integration

Requirement Type Requirement

Firepower deviceFirepower Threat Defensedevices

Managed byFirepower Management Center●

Managed by Firepower Device Manager●

Firepower version6.4 or laterSupport for regional clouds was introduced in Firepower version 6.5.

Cisco ThreatResponsecloud

North America cloudThe European cloud,https://visibility.eu.amp.cisco.com, is supported in Firepowerversion 6.5 and later.

Licensing

Smart Licensing is operational on all devices.●

This feature is not supported under an evaluation license.●

Your environment cannot use a Cisco Smart Software Satellite server or bedeployed in an air-gapped environment.

●

Account

ConnectivityFMC and managed devices must be able to connect outbound to the Cisco cloud:North America cloud: api-sse.cisco.com, port 443EU cloud: api.eu.sse.itd.cisco.com, port 443

General Your Firepower system generates events as expected.

Step 1. Navigate to System > License > Smart licensing and register FMC, as shown in theimage.

Step 2. Navigate to Integration > Cloud Services, enable Cisco Cloud Event Configurationand select the events you want to send to the cloud:

High priority connection events (6.5+):  Security intelligence connection eventsConnectionsevents related to file and malware eventsConnections events related to intrusion events

●

File & Malware events (6.5+)●

Intrusion events (6.3+) 6.3 via Syslog6.4 via direct connection●

In order to be redirected to the SSE web page, you need to select Click here to view your CiscoCloud configuration.

When you logon to your SSE account, you have to link your smart account to your SSE account,for that you need to click tools icon and select Link Accounts.

Only the Virtual Account Admin or the Smart Account Admin has the privilege to link the smartaccount with the SSE account, in order to validate the smart account role, navigate tosoftware.cisco.com and under the Administration Menu, select Manage Smart Account.

In order to validate the user role, navigate to Users and validate that under Roles the accounts areset to have Virtual Account Administrator, as shown in the image.

Make sure the Virtual Account that is selected to link on SSE contains the license for the securitydevices if an account that does not contain the security license is linked on SSE, the securitydevices and event does not appear on the SSE portal.

Once the smart account is linked to your SSE, under devices you should see your FMC and FTDwith a registered status, as shown in the image.

Make sure that both, Cisco Threat Response and Eventing are enabled.

Now, navigate to your CTR account, from the FMC select Click here to view your events inCisco Treat Response.

In order to complete integration with Firepower check under Modules that the Firepower module isinstalled.

If the Firepower module is not installed proceed to install it.

On Devices tab your FMC and FTDs appear registered, as shown in the image.

Verify

Use this section to confirm that your configuration works properly.

FTD managed by FMC - Direct CTR Integration

Check for malware events on your FMC.

Check for intrusion events on your FMC.

Check on your SSE that you received events.

You can select one event for more details.

Check on your CTR that the events from your SSE are received.

You can select one event to get on the details, as shown in the image.

Troubleshoot

Connectivity Problems due to DNS Resolution

Step 1. Check that the connectivity works properly.

root@ftd01:~# curl -v -k https://api-sse.cisco.com

* Rebuilt URL to: https://api-sse.cisco.com/

* getaddrinfo(3) failed for api-sse.cisco.com:443

* Couldn't resolve host 'api-sse.cisco.com'

* Closing connection 0

curl: (6) Couldn't resolve host 'api-sse.cisco.com'

The above output shows that the device is unable to resolve the URL https://api-sse.cisco.com, inthis case, we need to validate that the proper DNS server is configured, it can be validated with anslookup from the expert CLI:

root@ftd01:~# nslookup https://api-sse.cisco.com

;; connection timed out; no servers could be reached

The above output shows that the DNS configured is not reached, in order to confirm the DNSsettings, use the show network command:

> show network

===============[ System Information ]===============

Hostname : ftd01

DNS Servers : 10.10.10.10

Management port : 8305

IPv4 Default route

Gateway : 10.10.10.1

======================[ eth0 ]======================

State : Enabled

Link : Up

Channels : Management & Events

Mode : Non-Autonegotiation

MDI/MDIX : Auto/MDIX

MTU : 1500

MAC Address : 00:50:56:94:9D:A5

----------------------[ IPv4 ]----------------------

Configuration : Manual

Address : 10.10.10.27

Netmask : 255.255.255.0

Broadcast : 10.10.10.255

----------------------[ IPv6 ]----------------------

Configuration : Disabled

===============[ Proxy Information ]================

State : Disabled

Authentication : Disabled

In this example the wrong DNS server was used, you can change the DNS settings by running thiscommand:

> configure network dns 10.10.10.11

After this connectivity can be tested again and this time, the connection is successful.

root@ftd01:~# curl -v -k https://api-sse.cisco.com

* Rebuilt URL to: https://api-sse.cisco.com/

* Trying 52.4.85.66...

* Connected to api-sse.cisco.com (52.4.85.66) port 443 (#0)

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

* CAfile: none

CApath: /etc/ssl/certs

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Request CERT (13):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Certificate (11):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server accepted to use http/1.1

* Server certificate:

* subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=api -sse.cisco.com

* start date: 2019-12-03 20:57:56 GMT

* expire date: 2021-12-03 21:07:00 GMT

* issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID S SL ICA G2

* SSL certificate verify result: self signed certificate in certificate c hain (19), continuing

anyway.

>GET / HTTP/1.1

>Host: api-sse.cisco.com

>User-Agent: curl/7.44.0

>Accept: */*

>

<HTTP/1.1 403 Forbidden

<Date: Wed, 08 Apr 2020 01:27:55 GMT

<Content-Type: text/plain; charset=utf-8

<Content-Length: 9

<Connection: keep-alive

<Keep-Alive: timeout=5

<ETag: "5e17b3f8-9"

<Cache-Control: no-store

<Pragma: no-cache

<Content-Security-Policy: default-src 'self'

<X-Content-Type-Options: nosniff

<X-XSS-Protection: 1; mode=block

<Strict-Transport-Security: max-age=31536000; includeSubdomains;

Note: The 403 Forbidden message as the parameters sent form the test is not what SSEexpects but this proves enough to validate connectivity.

Problems with registration

Step 1. Check configuration.

In order to check how SSE connector on FMC is configured on the backend, open following file:

admin@firepower:~$ cat /etc/sf/connector.properties:

registration_interval=180

connector_port=8989

region_discovery_endpoint=https://api-sse.cisco.com/providers/sse/api/v1/regions

connector_fqdn=api-sse.cisco.com

Step 2. Check if a connection can be established to SSE servers.

Connectivity to SSE can be checked with the following CURL on the FMC or FTD respectively tothe cloud used in the settings:

admin@firepower:~$ curl -s https://api-sse.cisco.com/providers/sse/api/v1/regions -x

proxy.prod.wudip.com:8080 | python -m json.tool [ { "description": "US Region", "domain": "api-

sse.cisco.com", "region": "us-east-1" }, { "description": "EU Region", "domain":

"api.eu.sse.itd.cisco.com", "region": "eu-central-1" } ]

Step 3. Verify if DeviceID matches. 

DeviceID must be the same as the one on the SSE portal.

admin@firepower:~$ curl -s http://localhost:8989/v1/contexts/default | grep deviceId

Example output.

"deviceId": "c2e228d6-d17d-432e-9c71-e3107875cc3b",

Step 4. Check logs if something is off.

Problems with registration can be found in the connector's FMC with the following command:

admin@firepower:~$ zgrep -i "registration:"  /var/log/connector/connector.log*

On FTD the path is slightly different.

admin@firepower:~$ zgrep -i "registration:"  /ngfw/var/log/connector/connector.log*

Example output. 

/var/log/connector/connector.log:time="2019-11-06T14:58:10.511829319Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][sm.go:294 registration:NewDevice] New device created."

/var/log/connector/connector.log:time="2019-11-06T14:58:10.511926615Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][methods.go:71 registration:(*device).register] Registration request

received for Device"

/var/log/connector/connector.log:time="2019-11-06T14:58:10.511977085Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][sm.go:482 registration:(*device).updateStatus] Changing device

status: INIT to REGISTERING"

/var/log/connector/connector.log:time="2019-11-06T14:58:11.200785143Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][reg.go:124 registration:(*device).sendRegRequest] Registration

request completed with status code: 201; FlowID: 9d219408-b527-4c91-aa78-c967f8f86e70"

/var/log/connector/connector.log:time="2019-11-06T14:58:11.201142252Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][methods.go:84 registration:(*device).register] Registration success.

Device UUID: c2e228d6-d17d-432e-9c71-e3107875cc3b"

/var/log/connector/connector.log:time="2019-11-06T14:58:11.201184566Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][sm.go:482 registration:(*device).updateStatus] Changing device

status: REGISTERING to REGISTERED"

/var/log/connector/connector.log:time="2019-11-06T14:58:12.969957209Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][methods.go:115 registration:(*device).register] JWT Enrollment

complete for Device with UUID: c2e228d6-d17d-432e-9c71-e3107875cc3b"

/var/log/connector/connector.log:time="2019-11-06T14:58:12.970006791Z" level=info msg="[ips-

mgmt-ch1-01.wuintranet.net][sm.go:482 registration:(*device).updateStatus] Changing device

status: REGISTERED to ENROLLED"

Step 5. If all steps will be deficient check the data which FMC stores.

More information about SSE connector can be found with the command below:

admin@firepower:~$ curl -s http://localhost:8989/v1/contexts/default

{

"clientInfo": {

"version": "6.4.0.6",

"description": "10.46.194.70 ips-mgmt-ch1-01.wuintranet.net",

"name": "ips-mgmt-ch1-01.wuintranet.net",

"guid": "0f0fdba0-dc00-11e6-8431-d83b778ca293",

"type": "Cisco Firepower Management Center 3500",

"ip": "10.46.194.70"

},(...)

FTD  - Direct CTR Integration log files

a. Event Handler:

Statistics file:●

/ngfw/var/log/EventHandlerStats.<date>

   (One stats file per week, starting on Sunday)

Log file: ●

/ngfw/var/log/messages

Look for EventHandler: entries    E.g.: “ EventHandler:E  ventHandler [INFO] Consumer SSEConnector initializationcomplete”

System configuration files:●

/ngfw/var/sf/detection_engines/<UUID>/ids_alert.conf

/ngfw/var/sf/detection_engines/<UUID>/threshold.con

b. SSE Connector:

Log file:●

/ngfw/var/log/connector/connector.log

Check if the connector has established a connection with SSE cloud●

root@firepower:~# lsof -i | grep conn

connector  3701   www    9u  IPv4    20899      0t0  TCP localhost:8989 (LISTEN) connector  3701

  www   10u  IPv4    24751      0t0  TCP firepower:59707->ec2-100-25-93-234.compute-

1.amazonaws.com:https (ESTABLISHED)

Use tcpdump for the port highlighted above to verify if the SSE connector sends events to thecloud

●

Check event service●

root@firepower:~# curl http://localhost:8989/v1/contexts/default

{

"clientInfo": {

"version": "6.5.0",

"description": "10.5.0.50 firepower (FMC managed)",

"name": "firepower",

"guid": "e6e8d1cc-e633-11e9-9851-d7d99b327fc4",

"type": "Cisco Firepower Threat Defense for AWS",

"ip": "10.5.0.50"

},

{

"type": "Events",

"status": "Success",

"name": "",

"description": "Events service module started"

}