Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
Integrate Cisco Threat Response andFirepower Contents
IntroductionPrerequisitesRequirementsComponents UsedBackground informationFeature DescriptionDeployment ArchitectureConfigureFTD managed by FMC - Direct CTR IntegrationVerifyFTD managed by FMC - Direct CTR IntegrationTroubleshootConnectivity Problems due to DNS ResolutionProblems with registrationFTD - Direct CTR Integration log filesa. Event Handler:b. SSE Connector:
Introduction
This document describes the steps required to integrate, verify and troubleshoot Cisco ThreatResponse (CTR) with Firepower.
Contributed by Cisco TAC Engineers.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Firepower Management Center (FMC)●
Optional Virtualization of images ●
Components Used
Firepower Threat Defense (FTD) - 6.3 and later●
Firepower Management Center (FMC) - 6.3 and later●
Security Services exchange (SSE)●
Cisco Threat Response Account (CTR)●
The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, ensure that you understand the potential impact of any command.
Background informationThe below table defines the events that are supported to be sent to the Cisco Cloud by the Firepower Management Center (FMC) and Firepower ThreatDefense (FTD).
Feature Devices Managed by FMC FTD Devices managed by fdm
Intrusion (IPS) events6.3 and later (via Syslog)
6.4 and later (via direct connection)
6.3 and later (via Syslog)
6.4 and later (via direct connection)
Firepower devices that run release6.5 support the following event typesConnection events (all) Not supported 6.5
Connection events (high priority only):
Security Intelligence connection events
Connection events related to file and malware events
Connection events related to intrusion events
6.5 Not Supported
File and malware events 6.5 6.5
Feature Description
Cisco Threat Response (CTR) is a cloud-based aggregator of threat intelligence collected orgenerated by Cisco security products as well as other third-party products selected. CTR allowsyou to pull together critical threat intelligence to visualize this intelligence in a single dashboardand add context from your organization to know which systems and devices are impacted by athreat. CTR is accessible through integrations with the next Cisco security products: AMP forEndpoints, Threat Grid, Umbrella, Security Management Appliance with Email Security, and CloudEmail Security.
CTR includes access to an optional feature (called the “Eventing Service”) that can be enabled, itcollects event data from registered Cisco security products, for example, Cisco’s Next GenerationFirewall devices. If the Eventing Service feature is enabled, event data is transferred from theapplicable products to the Eventing Service where some of the events are filtered (e.g. promoted)to incident status. Incidents are then transferred to the applicable customer’s private incidentmanager repository on CTR. You also have the option to enable automatic sharing of raw(unfiltered) event data with Cisco Talos for global threat intelligence research purposes.
The CSSP is an On-premise software that can be installed to forward alerts it receives fromdevices to the cloud-hosted Cisco Security Services Exchange (SSE). From there, these eventscan be selected to forward to other Cisco Security Services, such as Cisco Defense Orchestrator(CDO) or Cisco Threat Response (CTR).
While some Cisco products include the ability to upload to SSE natively, CSSP can be used as abridge for some of those products that cannot. From FTD 6.4 and higher version, the events canbe directly sent to the Cisco Cloud without the need of the CSSP. However, for earlier FTDversions, the CSSP is required to send events to the cloud.
Deployment Architecture
With Firepower release 6.4 or later, you can configure your Firepower system to send supportedevents directly to the Cisco cloud from the FTD devices.
Note: Only FTDs are supported, not NGIPS.
Specifically, your Firepower devices send events to Security Services Exchange (SSE), using thebuilt-in SSE connector, from where they can be automatically or manually promoted to incidentsthat appear in Cisco Threat Response (CTR).
Configure
In order to complete the configuration take into consideration these sections:
In order to useCisco Threat Responseand associated tools, you must have one of the nextaccounts on the regional cloud:
Cisco Security Account●
AMP for Endpoints account●
Cisco Threat Grid account●
FTD managed by FMC - Direct CTR Integration
Requirement Type Requirement
Firepower deviceFirepower Threat Defensedevices
Managed byFirepower Management Center●
Managed by Firepower Device Manager●
Firepower version6.4 or laterSupport for regional clouds was introduced in Firepower version 6.5.
Cisco ThreatResponsecloud
North America cloudThe European cloud,https://visibility.eu.amp.cisco.com, is supported in Firepowerversion 6.5 and later.
Licensing
Smart Licensing is operational on all devices.●
This feature is not supported under an evaluation license.●
Your environment cannot use a Cisco Smart Software Satellite server or bedeployed in an air-gapped environment.
●
Account
ConnectivityFMC and managed devices must be able to connect outbound to the Cisco cloud:North America cloud: api-sse.cisco.com, port 443EU cloud: api.eu.sse.itd.cisco.com, port 443
General Your Firepower system generates events as expected.
Step 1. Navigate to System > License > Smart licensing and register FMC, as shown in theimage.
Step 2. Navigate to Integration > Cloud Services, enable Cisco Cloud Event Configurationand select the events you want to send to the cloud:
High priority connection events (6.5+): Security intelligence connection eventsConnectionsevents related to file and malware eventsConnections events related to intrusion events
●
File & Malware events (6.5+)●
Intrusion events (6.3+) 6.3 via Syslog6.4 via direct connection●
In order to be redirected to the SSE web page, you need to select Click here to view your CiscoCloud configuration.
When you logon to your SSE account, you have to link your smart account to your SSE account,for that you need to click tools icon and select Link Accounts.
Only the Virtual Account Admin or the Smart Account Admin has the privilege to link the smartaccount with the SSE account, in order to validate the smart account role, navigate tosoftware.cisco.com and under the Administration Menu, select Manage Smart Account.
In order to validate the user role, navigate to Users and validate that under Roles the accounts areset to have Virtual Account Administrator, as shown in the image.
Make sure the Virtual Account that is selected to link on SSE contains the license for the securitydevices if an account that does not contain the security license is linked on SSE, the securitydevices and event does not appear on the SSE portal.
Once the smart account is linked to your SSE, under devices you should see your FMC and FTDwith a registered status, as shown in the image.
Make sure that both, Cisco Threat Response and Eventing are enabled.
Now, navigate to your CTR account, from the FMC select Click here to view your events inCisco Treat Response.
In order to complete integration with Firepower check under Modules that the Firepower module isinstalled.
If the Firepower module is not installed proceed to install it.
On Devices tab your FMC and FTDs appear registered, as shown in the image.
Verify
Use this section to confirm that your configuration works properly.
FTD managed by FMC - Direct CTR Integration
Check for malware events on your FMC.
Check for intrusion events on your FMC.
Check on your SSE that you received events.
You can select one event for more details.
Check on your CTR that the events from your SSE are received.
You can select one event to get on the details, as shown in the image.
Troubleshoot
Connectivity Problems due to DNS Resolution
Step 1. Check that the connectivity works properly.
root@ftd01:~# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* getaddrinfo(3) failed for api-sse.cisco.com:443
* Couldn't resolve host 'api-sse.cisco.com'
* Closing connection 0
curl: (6) Couldn't resolve host 'api-sse.cisco.com'
The above output shows that the device is unable to resolve the URL https://api-sse.cisco.com, inthis case, we need to validate that the proper DNS server is configured, it can be validated with anslookup from the expert CLI:
root@ftd01:~# nslookup https://api-sse.cisco.com
;; connection timed out; no servers could be reached
The above output shows that the DNS configured is not reached, in order to confirm the DNSsettings, use the show network command:
> show network
===============[ System Information ]===============
Hostname : ftd01
DNS Servers : 10.10.10.10
Management port : 8305
IPv4 Default route
Gateway : 10.10.10.1
======================[ eth0 ]======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:50:56:94:9D:A5
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 10.10.10.27
Netmask : 255.255.255.0
Broadcast : 10.10.10.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
In this example the wrong DNS server was used, you can change the DNS settings by running thiscommand:
> configure network dns 10.10.10.11
After this connectivity can be tested again and this time, the connection is successful.
root@ftd01:~# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* Trying 52.4.85.66...
* Connected to api-sse.cisco.com (52.4.85.66) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=Cisco Systems, Inc.; CN=api -sse.cisco.com
* start date: 2019-12-03 20:57:56 GMT
* expire date: 2021-12-03 21:07:00 GMT
* issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID S SL ICA G2
* SSL certificate verify result: self signed certificate in certificate c hain (19), continuing
anyway.
>GET / HTTP/1.1
>Host: api-sse.cisco.com
>User-Agent: curl/7.44.0
>Accept: */*
>
<HTTP/1.1 403 Forbidden
<Date: Wed, 08 Apr 2020 01:27:55 GMT
<Content-Type: text/plain; charset=utf-8
<Content-Length: 9
<Connection: keep-alive
<Keep-Alive: timeout=5
<ETag: "5e17b3f8-9"
<Cache-Control: no-store
<Pragma: no-cache
<Content-Security-Policy: default-src 'self'
<X-Content-Type-Options: nosniff
<X-XSS-Protection: 1; mode=block
<Strict-Transport-Security: max-age=31536000; includeSubdomains;
Note: The 403 Forbidden message as the parameters sent form the test is not what SSEexpects but this proves enough to validate connectivity.
Problems with registration
Step 1. Check configuration.
In order to check how SSE connector on FMC is configured on the backend, open following file:
admin@firepower:~$ cat /etc/sf/connector.properties:
registration_interval=180
connector_port=8989
region_discovery_endpoint=https://api-sse.cisco.com/providers/sse/api/v1/regions
connector_fqdn=api-sse.cisco.com
Step 2. Check if a connection can be established to SSE servers.
Connectivity to SSE can be checked with the following CURL on the FMC or FTD respectively tothe cloud used in the settings:
admin@firepower:~$ curl -s https://api-sse.cisco.com/providers/sse/api/v1/regions -x
proxy.prod.wudip.com:8080 | python -m json.tool [ { "description": "US Region", "domain": "api-
sse.cisco.com", "region": "us-east-1" }, { "description": "EU Region", "domain":
"api.eu.sse.itd.cisco.com", "region": "eu-central-1" } ]
Step 3. Verify if DeviceID matches.
DeviceID must be the same as the one on the SSE portal.
admin@firepower:~$ curl -s http://localhost:8989/v1/contexts/default | grep deviceId
Example output.
"deviceId": "c2e228d6-d17d-432e-9c71-e3107875cc3b",
Step 4. Check logs if something is off.
Problems with registration can be found in the connector's FMC with the following command:
admin@firepower:~$ zgrep -i "registration:" /var/log/connector/connector.log*
On FTD the path is slightly different.
admin@firepower:~$ zgrep -i "registration:" /ngfw/var/log/connector/connector.log*
Example output.
/var/log/connector/connector.log:time="2019-11-06T14:58:10.511829319Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][sm.go:294 registration:NewDevice] New device created."
/var/log/connector/connector.log:time="2019-11-06T14:58:10.511926615Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][methods.go:71 registration:(*device).register] Registration request
received for Device"
/var/log/connector/connector.log:time="2019-11-06T14:58:10.511977085Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][sm.go:482 registration:(*device).updateStatus] Changing device
status: INIT to REGISTERING"
/var/log/connector/connector.log:time="2019-11-06T14:58:11.200785143Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][reg.go:124 registration:(*device).sendRegRequest] Registration
request completed with status code: 201; FlowID: 9d219408-b527-4c91-aa78-c967f8f86e70"
/var/log/connector/connector.log:time="2019-11-06T14:58:11.201142252Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][methods.go:84 registration:(*device).register] Registration success.
Device UUID: c2e228d6-d17d-432e-9c71-e3107875cc3b"
/var/log/connector/connector.log:time="2019-11-06T14:58:11.201184566Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][sm.go:482 registration:(*device).updateStatus] Changing device
status: REGISTERING to REGISTERED"
/var/log/connector/connector.log:time="2019-11-06T14:58:12.969957209Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][methods.go:115 registration:(*device).register] JWT Enrollment
complete for Device with UUID: c2e228d6-d17d-432e-9c71-e3107875cc3b"
/var/log/connector/connector.log:time="2019-11-06T14:58:12.970006791Z" level=info msg="[ips-
mgmt-ch1-01.wuintranet.net][sm.go:482 registration:(*device).updateStatus] Changing device
status: REGISTERED to ENROLLED"
Step 5. If all steps will be deficient check the data which FMC stores.
More information about SSE connector can be found with the command below:
admin@firepower:~$ curl -s http://localhost:8989/v1/contexts/default
{
"clientInfo": {
"version": "6.4.0.6",
"description": "10.46.194.70 ips-mgmt-ch1-01.wuintranet.net",
"name": "ips-mgmt-ch1-01.wuintranet.net",
"guid": "0f0fdba0-dc00-11e6-8431-d83b778ca293",
"type": "Cisco Firepower Management Center 3500",
"ip": "10.46.194.70"
},(...)
FTD - Direct CTR Integration log files
a. Event Handler:
Statistics file:●
/ngfw/var/log/EventHandlerStats.<date>
(One stats file per week, starting on Sunday)
Log file: ●
/ngfw/var/log/messages
Look for EventHandler: entries E.g.: “ EventHandler:E ventHandler [INFO] Consumer SSEConnector initializationcomplete”
System configuration files:●
/ngfw/var/sf/detection_engines/<UUID>/ids_alert.conf
/ngfw/var/sf/detection_engines/<UUID>/threshold.con
b. SSE Connector:
Log file:●
/ngfw/var/log/connector/connector.log
Check if the connector has established a connection with SSE cloud●
root@firepower:~# lsof -i | grep conn
connector 3701 www 9u IPv4 20899 0t0 TCP localhost:8989 (LISTEN) connector 3701
www 10u IPv4 24751 0t0 TCP firepower:59707->ec2-100-25-93-234.compute-
1.amazonaws.com:https (ESTABLISHED)
Use tcpdump for the port highlighted above to verify if the SSE connector sends events to thecloud
●
Check event service●
root@firepower:~# curl http://localhost:8989/v1/contexts/default
{
"clientInfo": {
"version": "6.5.0",
"description": "10.5.0.50 firepower (FMC managed)",
"name": "firepower",
"guid": "e6e8d1cc-e633-11e9-9851-d7d99b327fc4",
"type": "Cisco Firepower Threat Defense for AWS",
"ip": "10.5.0.50"
},
{
"type": "Events",
"status": "Success",
"name": "",
"description": "Events service module started"
}