Cisco-FTD Integration Guide

Overview

Cisco Firepower Threat Defense (FTD) is a next-generation firewall that provides advanced threat protection, intrusion prevention, and network visibility. This guide will walk you through integrating Cisco FTD with NxtFireGuard using a Threat Feed Aggregator.

Prerequisites

  • Running Cisco FTD instance(s)
  • Access to Cisco FMC (Firepower Management Center) if managing multiple FTD devices
  • Network connectivity from FTD/FMC to your Threat Feed Aggregator

Integration Architecture

Cisco FTD logs security events via syslog. To integrate with NxtFireGuard, you'll use a Threat Feed Aggregator with Syslog to:

  1. Receive syslog events from Cisco FTD (or FMC)
  2. Parse and transform the data into NxtFireGuard's format
  3. Forward threat events to NxtFireGuard's ingestion endpoint

Syslog Configuration: The aggregator listens on UDP port 514 for incoming syslog messages.

Multi-Device Setup

If you're aggregating multiple Cisco FTD firewalls through Cisco FMC (flow: FTD → FMC → Threat Feed Aggregator → NxtFireGuard):

  • Create a separate Threat Sensor for each FTD device you want to integrate
  • No Threat Sensor is needed for the FMC itself, as it doesn't act as a log source
  • Each FTD's hostname must match its corresponding Threat Sensor hostname

Setup Instructions

Step 1: Create or Configure a Threat Feed Aggregator

You have two options depending on your current setup:

Option A: Create a New Threat Feed Aggregator

If you don't have an existing aggregator, navigate to the Feed Aggregators section in your NxtFireGuard dashboard and create a new one:

  1. Click "Create Aggregator"
  2. Give it a descriptive name (e.g., "Cisco FTD Aggregator")
  3. Proceed through the setup wizard
  4. On Step 2, enable "Run Syslog Container"
  5. Complete the creation process

After creating your Feed Aggregator:

  1. Locate your newly created aggregator
  2. Click "Edit"
  3. Click "View Instructions"
  4. Follow the provided installation guide

Option B: Use an Existing Threat Feed Aggregator

If you already have a Threat Feed Aggregator (for example, if you're also using T-Pot), you can reuse it:

  1. Navigate to the Feed Aggregators section
  2. Locate your existing aggregator
  3. Click "Edit"
  4. Enable "Run Syslog Container" if not already enabled
  5. Save the changes
  6. Click "Logs" to verify the Syslog container started successfully

Note: A single Threat Feed Aggregator can run both Logstash and Syslog containers simultaneously, allowing you to aggregate data from multiple sources (e.g., T-Pot via Logstash and Cisco FTD via Syslog) using the same aggregator.

Step 2: Configure Cisco FTD/FMC Syslog

Configure your Cisco FTD or FMC to forward syslog events to your Threat Feed Aggregator.

Step 3: Create Threat Sensors

For each Cisco FTD device you're integrating:

  1. Navigate to Threat Sensors in NxtFireGuard
  2. Click "Add Sensor"
  3. Enter a name and set the hostname to match your FTD device hostname exactly
  4. Complete the sensor creation

Critical: The hostname must match what appears in the syslog messages from your FTD device.
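As an added example (not code from this guide or from NxtFireGuard), the parse-and-transform step from the Integration Architecture section combined with the hostname check above, in Python: it parses constructed FTD-style syslog lines, maps them onto an assumed record layout, and forwards only events whose hostname has a matching Threat Sensor. The "<PRI>timestamp hostname" header layout, the sensor names, the sample addresses and the output field names are assumptions.

```python
import re

REGISTERED_SENSORS = {"ftd-edge-01", "ftd-edge-02"}  # Step 3 Threat Sensor hostnames (hypothetical)

# Constructed samples in the "%FTD-<severity>-<id>: key: value, ..." style FTD emits; the
# "<PRI>timestamp hostname" header layout, hostnames and addresses are invented for this example.
SAMPLE_SYSLOG = [
    "<166>2024-05-01T10:15:02Z ftd-edge-01 %FTD-6-430003: EventPriority: Low, "
    "AccessControlRuleAction: Block, SrcIP: 203.0.113.7, DstIP: 192.0.2.10, DstPort: 22, Protocol: tcp",
    "<166>2024-05-01T10:15:03Z ftd-edge-02 %FTD-6-430003: EventPriority: Low, "
    "AccessControlRuleAction: Allow, SrcIP: 198.51.100.5, DstIP: 192.0.2.20, DstPort: 443, Protocol: tcp",
    "<165>2024-05-01T10:15:04Z ftd-edge-03.example.net %FTD-5-430001: EventPriority: High, "
    "SrcIP: 203.0.113.9, DstIP: 192.0.2.10, Classification: Attempted Administrator Privilege Gain",
    "not a syslog message at all",
]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+%FTD-\d-(?P<msgid>\d+):\s*(?P<body>.*)$")

def parse_ftd_syslog(line):
    """Split one FTD syslog line into header fields and its 'key: value' body; None if it does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])  # PRI encodes facility * 8 + severity
    fields = {}
    for item in m["body"].split(", "):
        key, sep, value = item.partition(": ")  # split on the first ': ' only; values may contain ':'
        if sep:
            fields[key.strip()] = value.strip()
    return {"hostname": m["host"], "timestamp": m["ts"], "facility": pri >> 3,
            "severity": pri & 7, "msgid": m["msgid"], "fields": fields}

def to_threat_event(parsed):
    """Map a parsed message onto an assumed NxtFireGuard-style record (field names are assumptions)."""
    f = parsed["fields"]
    return {"sensor": parsed["hostname"], "observed_at": parsed["timestamp"], "severity": parsed["severity"],
            "event_id": "FTD-" + parsed["msgid"], "src_ip": f.get("SrcIP"), "dst_ip": f.get("DstIP"),
            "dst_port": f.get("DstPort"), "action": f.get("AccessControlRuleAction")}

def route_events(lines, sensors):
    """Return (events to forward, rejected (line, reason)); only registered sensor hostnames pass."""
    forward, rejected = [], []
    for line in lines:
        parsed = parse_ftd_syslog(line)
        if parsed is None:
            rejected.append((line, "unparsable"))
        elif parsed["hostname"] not in sensors:  # the Step 3 hostname match; FQDN vs short name fails here
            rejected.append((line, "no Threat Sensor named " + parsed["hostname"]))
        else:
            forward.append(to_threat_event(parsed))
    return forward, rejected
```

The third sample arrives with a fully qualified hostname while no sensor carries that name, so it is rejected rather than forwarded; that is the mismatch the note above warns about, and the rejected list is where to look when Step 4 shows no events.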

Step 4: Verify Data Flow

After completing the setup:

  1. Wait 5-10 minutes for the pipeline to establish
  2. Navigate to Threat Events in NxtFireGuard
  3. Check for incoming events from your Cisco FTD device(s)

Additional Resources

Support

For issues specific to:

  • Cisco FTD/FMC Configuration: Refer to Cisco documentation and support
  • NxtFireGuard Integration: Contact NxtFireGuard support or check the documentation