Elastic Stack 8 - Filebeat to monitor Cisco Firepower Firewalls

Last updated: Apr 16, 2022

Cisco Firepower are the worst firewalls in the entire universe, but this is not the object here… I'm only going to talk about monitoring this crap in a Elastic Stack environment.

To do this, we're going to work with the Filebeat module.

One good thing is that Filebeat comes with a Cisco module that can handle Firepower logs sent via syslog. The bad thing is that there is no preset dashboard so we will have to create one manually.

Kibana | Firepower Dashboard — Cisco Firepower Dashboard.

Filebeat Architecture

SIEM | Filebeat schema with elasticsearch and kibana — Filebeat Architecture.

Configuring Cisco Firepower

The first thing we need to do is to configure our Cisco Firepower to send syslog informations to our Filebeat agent. To do this, we need to declare the syslog server and enable syslog to the rules we want to monitor.

Add syslog server object

Go to Objects > Syslog servers and click Add button :

Enter Syslog server informations (which is our elastic server) then click OK :

Configure logging

From main Firewall configuration page go to Logging Settings :

Go to Logging Settings menu and configure Logging :

FirePower | System settings, Logging Settings menu

Enable syslog to rules

Edit Firewall rule(s) you want to monitor :

Enable Logging :

Installing Filebeat

Note : I'll install filebeat on the same machine than the Elasticsearch engine.

If you have not yet imported Elasticsearch PGP key and add repository definition, see part I.

Install Filebeat :

root@host:~# apt install filebeat

Edit /etc/filebeat/modules.d/cisco.yml to enable ftd/firepower module :

  ftd:
    enabled: true

    var.syslog_host: 0.0.0.0
    var.syslog_port: 514

Edit /etc/filebeat/filebeat.yml to set filebeat :

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "elastic_password;)"
  ssl.verification_mode: none


# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  ssl.verification_mode: none