
Monitoring Cisco Firepower Firewalls with Filebeat on Elastic Stack 8


Cisco Firepower is the worst firewall in the entire universe, but that is not the subject here… I'm only going to talk about monitoring this crap in an Elastic Stack environment.

To do this, we're going to work with Filebeat and its Cisco module.

One good thing is that Filebeat ships a Cisco module whose ftd fileset understands the Firepower Threat Defense messages the device sends over syslog, parses them and maps them to ECS fields. The bad thing is that there is no prebuilt Firepower dashboard, so we will have to build one by hand.

Elastic Stack Dashboard visualizing Cisco Firepower traffic, ports, and ACL policies using Filebeat
Cisco Firepower Dashboard.

Filebeat Architecture

Architecture diagram showing Cisco Firepower logs sent via syslog to Filebeat, then processed by Elasticsearch and visualized in Kibana
Filebeat Architecture.

Configuring Cisco Firepower

The first step is to configure the Cisco Firepower device to send its syslog messages to the host running Filebeat. Two things are needed on the Firepower side: a syslog server object pointing at that host, and logging enabled on the access control rules we want to see (a rule that does not log produces no events, whatever Filebeat does). The screenshots below show Firepower Device Manager (FDM); on an FMC-managed device the same settings live in the Platform Settings policy (syslog servers) and in each rule's Logging tab of the access control policy.

Add syslog server object

  • Go to Objects > Syslog servers and click the Add (+) button:
Cisco Firepower interface showing the plus button to add a new Syslog server
  • Enter the syslog server details: the IP address of the host running Filebeat (our Elastic server), protocol UDP and port 514 to match the Filebeat module configuration below, and the interface the Firepower will send from. Then click OK:
Cisco Firepower dialog to configure a Syslog server with IP, protocol and interface selection

Configure logging

  • From the main firewall configuration page go to System Settings > Logging Settings:
Cisco Firepower System Settings menu with Logging Settings option highlighted
  • In Logging Settings, enable the syslog server defined above, choose the severity levels to send and, if wanted, file and malware event logging:
Cisco Firepower logging configuration showing syslog server, severity levels, and file/malware logging options

Enable syslog to rules

  • Edit the access control rule(s) you want to monitor:
Cisco Firepower interface highlighting the edit icon for a firewall rule under Access Control policies
  • Enable logging for the rule (at the end of the connection, or at both beginning and end) and select the syslog server as destination:
Cisco Firepower logging settings for an access rule showing connection log actions and syslog destination IP

Installing Filebeat

Note: I'll install Filebeat on the same machine as Elasticsearch.

If you have not yet imported the Elasticsearch PGP key and added the repository definition, see part I.

  • Install Filebeat:
root@host:~# apt install filebeat
  • Enable the Cisco module (the definition ships as /etc/filebeat/modules.d/cisco.yml.disabled; filebeat modules enable cisco renames it), then edit /etc/filebeat/modules.d/cisco.yml so that the ftd fileset (Firepower Threat Defense) is enabled and listens for syslog. Leave the other filesets of the module disabled:
- module: cisco
  ftd:
    enabled: true

    # Listen for syslog from the Firepower on all interfaces, UDP port 514
    # (the module's syslog input is UDP by default). These two values must
    # match the syslog server object created on the Firepower. Port 514 is
    # privileged, so Filebeat has to run as root (the package's systemd unit
    # does) or the port must be raised above 1024 on both sides. Anything
    # that can reach this port can inject events, so restrict it with a
    # host firewall to the Firepower's address.
    var.syslog_host: 0.0.0.0
    var.syslog_port: 514
  • Edit /etc/filebeat/filebeat.yml to configure the Elasticsearch output and the Kibana endpoint. Two settings in the stock example are worth fixing before this goes anywhere near production: the password was stored in clear text (put it in the Filebeat keystore instead), and ssl.verification_mode: none switches certificate checking off, so Filebeat would happily ship events, and the credentials, to anything answering on port 9200:
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`. Elasticsearch 8 enables TLS by default.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  # A dedicated user or API key with only the privileges Filebeat needs is
  # preferable to the elastic superuser used here.
  #api_key: "id:api_key"
  username: "elastic"
  # Read from the Filebeat keystore instead of clear text in this file:
  #   filebeat keystore create
  #   filebeat keystore add ES_PWD
  password: "${ES_PWD}"
  # Verify the server certificate against the CA that signed it. This is the
  # path Elasticsearch 8 writes its auto-generated HTTP CA to on the same
  # host; adjust it if your CA lives elsewhere.
  ssl.certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
  # ssl.verification_mode: none   # throwaway lab only: disables verification entirely


# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration (only used by `filebeat setup`).
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://X.X.X.X:5601"
  # Same remark as for the output: point ssl.certificate_authorities at the CA
  # of Kibana's certificate rather than disabling verification. It is left
  # disabled here only because the setup call runs once, from this host.
  ssl.verification_mode: none
  • Check the connection with filebeat test output, run filebeat setup once (it uses the Kibana endpoint above to load the index template and create the filebeat-* data view), then restart Filebeat:
root@host:~# systemctl restart filebeat

Kibana

Check logs

Wait a few minutes and open Kibana.

  • Go to Analytics > Discover:
Kibana menu with Analytics section expanded and Discover option highlighted
  • Select the filebeat-* data view and verify that events are arriving (if the data view is missing, filebeat setup has not been run; you can also create it by hand under Stack Management > Data Views):
Kibana Discover view displaying filebeat-* index and incoming log data from Cisco Firepower
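If nothing shows up in Discover, it helps to separate the Firepower side from the Filebeat side. The script below is an added example (not part of the original post, and not Cisco or Elastic code) that frames one constructed Firepower-style connection event as a syslog datagram and sends it to the Filebeat listener over UDP; if that event appears in Discover, the listener, the module pipeline and the Elasticsearch output are fine and the problem is on the firewall. It assumes the classic BSD syslog framing ("<PRI>Mmm dd hh:mm:ss host msg"), facility local4 for the PRI value, and the %FTD-6-430003 key: value layout of an FTD connection event; the hostname, addresses, ports and rule name are constructed test data.

```python
#!/usr/bin/env python3
"""Send one constructed Firepower-style syslog datagram to the Filebeat listener.

Added example, not part of the original post and not Cisco or Elastic code.
Assumptions (not on the page): BSD syslog framing "<PRI>Mmm dd hh:mm:ss host msg",
facility local4 for the PRI value, and the %FTD-6-430003 key: value layout of an
FTD connection event. Every field value below is constructed test data.
"""
import socket
import sys
from datetime import datetime

FACILITY_LOCAL4 = 20   # assumption; PRI = facility * 8 + severity (RFC 3164)
SEVERITY_INFO = 6      # the "6" in %FTD-6-430003

# Constructed connection event: a blocked RDP attempt from an inside host.
SAMPLE_EVENT = {
    "AccessControlRuleAction": "Block",
    "SrcIP": "192.0.2.10",
    "DstIP": "198.51.100.25",
    "SrcPort": 51514,
    "DstPort": 3389,
    "Protocol": "tcp",
    "IngressZone": "inside",
    "EgressZone": "outside",
    "ACPolicy": "lab-policy",
    "AccessControlRuleName": "Block RDP to Internet",
}


def syslog_pri(facility, severity):
    """RFC 3164 priority value carried in the <PRI> prefix."""
    return facility * 8 + severity


def rfc3164_timestamp(when):
    """'Mmm dd hh:mm:ss' with the day space-padded, as classic syslog expects."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_ftd_connection_event(hostname, fields, timestamp=None):
    """Frame a %FTD-6-430003 message as one syslog datagram (bytes)."""
    timestamp = timestamp or rfc3164_timestamp(datetime.now())
    body = ", ".join(f"{k}: {v}" for k, v in fields.items())
    pri = syslog_pri(FACILITY_LOCAL4, SEVERITY_INFO)
    return f"<{pri}>{timestamp} {hostname} %FTD-6-430003: {body}".encode()


def send_udp(datagram, host, port=514):
    """Fire-and-forget: UDP gives no delivery confirmation, so check Discover."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    datagram = build_ftd_connection_event("ftd-lab", SAMPLE_EVENT)
    print(datagram.decode())
    print(f"{send_udp(datagram, target)} bytes sent to {target}:514")
```

Run it as python3 send_ftd_event.py <filebeat-host> from any machine that can reach the listener, then search Discover for the constructed source address. Notice what the script also proves: the listener bound to 0.0.0.0:514 accepts an unauthenticated datagram from anyone, so a host on the same network can forge "blocked" or "allowed" firewall events into the dashboards. Restrict UDP 514 on the Filebeat host to the Firepower's sending interface address.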

Dashboard

There is no predefined dashboard for Firepower devices, so we need to create one.

  • Open the main menu and go to Analytics > Dashboard:
Kibana menu navigation from main menu to Dashboard section
  • Click Create dashboard:
Kibana interface showing the button to create a new dashboard

Maps

Goal
Geographic traffic map in Kibana showing data distribution by region using choropleth visualization
Procedure
  • Click Create visualization and choose Maps:
Kibana interface with Create Visualization and Maps option highlighted for new geospatial dashboard
  • Click Add layer > Choropleth:
Kibana Maps layer selection showing Choropleth option to visualize data by region
  • Set the Boundaries source (for example the World Countries layer from the Elastic Maps Service) and the Statistics source (the filebeat-* data view, joined on the country code field that the module's GeoIP enrichment adds, for example source.geo.country_iso_code), then click Save and return. Private addresses get no GeoIP data, so the map only shows the Internet-side peers:
Kibana map configuration showing how to set boundaries and statistics source for a choropleth layer

Gauge

Goal
Gauge chart in Kibana showing the number of denied events with color-coded thresholds
Procedure
  • Click Select type > Aggregation based > Gauge and search for filebeat:
Kibana gauge visualization setup with filebeat index pattern selected for data source
  • Add a filter for denied events, choose the Count aggregation, then click Save and return:
Gauge visualization in Kibana configured to display count of blocked events using filter and aggregation options

Tag cloud

Goal
Kibana tag cloud visualization displaying the most frequent blocked source IP addresses from Cisco Firepower logs
Procedure
  • Click Select type > Aggregation based > Tag cloud and search for filebeat:
Kibana visualization menu with Tag Cloud option selected and filebeat index chosen as data source
  • Add the same denied-events filter, set the Tags bucket to a Terms aggregation on the source IP field, then click Save and return:
Kibana tag cloud visualization filtered to show blocked source IP addresses from Cisco Firepower logs

Pie

Goal
Kibana donut charts showing distribution of source and destination ports by protocol type (UDP/TCP)
Procedure
  • Click Select type > Aggregation based > Pie and search for filebeat:
Kibana interface showing selection of Pie chart visualization and filebeat index pattern as data source
Source Port and Transport
  • Set Metrics to Count and split slices by transport (TCP/UDP) and then by source port, then click Save and return:
Kibana pie chart settings showing configuration for visualizing source ports and protocols from firewall data
Destination Port and Transport
  • Set Metrics to Count and split slices by transport (TCP/UDP) and then by destination port, then click Save and return:
Kibana pie chart configuration for visualizing destination ports and transport types with count metrics

Data table

Goal
Table in Kibana displaying ACL rule names and count of blocked events
Procedure
  • Click Select type > Aggregation based > Data table and search for filebeat:
Kibana interface showing creation of a data table visualization filtered on blocked ACL rules
  • Add the denied-events filter, set Metrics to Count and a Buckets row split on the rule name field, then click Save and return:
Kibana data table settings showing filter on blocked rules and configuration to display ACL rule names
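Each panel above is a filter plus an aggregation over fields the cisco module extracts from the Firepower messages. The script below is an added example (not code from the original post or from Elastic's module) that does the same thing offline: it parses FTD connection events (the key: value messages 430002 and 430003), maps them to ECS-style field names and computes the numbers the Gauge, Tag cloud, Pie and Data table panels show, which is a quick way to check a panel's filter against a known sample or to notice a value Filebeat dropped. It assumes the FTD key: value layout of the constructed sample lines, a mapping of the Block action to event.outcome deny, and field names that mirror the module's ECS output but should be checked against a real document in Discover. The Maps panel is not reproduced because it needs the GeoIP enrichment the ingest pipeline performs.

```python
#!/usr/bin/env python3
"""Reproduce the dashboard panels' numbers from raw Firepower syslog lines.

Added example, not code from the original post or from Elastic's cisco module.
Assumptions (not stated on the page): the FTD key: value layout of the sample
lines, Block -> event.outcome "deny", and ECS-style field names that mirror the
module's output but must be checked in Discover. All sample lines are constructed.
"""
import re
from collections import Counter

# Constructed sample lines (RFC 3164 framing, %FTD-<severity>-<msgid> tag).
SAMPLE_LOGS = [
    "<166>Mar  5 09:07:03 ftd-lab %FTD-6-430003: AccessControlRuleAction: Block, "
    "SrcIP: 192.0.2.10, DstIP: 198.51.100.25, SrcPort: 51514, DstPort: 3389, "
    "Protocol: tcp, ACPolicy: lab-policy, AccessControlRuleName: Block RDP to Internet",
    "<166>Mar  5 09:07:04 ftd-lab %FTD-6-430003: AccessControlRuleAction: Allow, "
    "SrcIP: 192.0.2.11, DstIP: 198.51.100.53, SrcPort: 50000, DstPort: 53, "
    "Protocol: udp, ACPolicy: lab-policy, AccessControlRuleName: Allow DNS",
    "<166>Mar  5 09:07:05 ftd-lab %FTD-6-430003: AccessControlRuleAction: Block, "
    "SrcIP: 192.0.2.10, DstIP: 198.51.100.25, SrcPort: 51515, DstPort: 3389, "
    "Protocol: tcp, ACPolicy: lab-policy, AccessControlRuleName: Block RDP to Internet",
    "<166>Mar  5 09:07:06 ftd-lab %FTD-6-430002: AccessControlRuleAction: Block, "
    "SrcIP: 192.0.2.12, DstIP: 203.0.113.9, SrcPort: 40000, DstPort: 161, "
    "Protocol: udp, ACPolicy: lab-policy, AccessControlRuleName: Block SNMP",
    "<166>Mar  5 09:07:07 ftd-lab %FTD-6-430003: AccessControlRuleAction: Allow, "
    "SrcIP: 192.0.2.11, DstIP: 198.51.100.80, SrcPort: 50001, DstPort: 443, "
    "Protocol: tcp, ACPolicy: lab-policy, AccessControlRuleName: Allow Web",
    # Not a connection event: the parser must skip it rather than crash.
    "<166>Mar  5 09:07:08 ftd-lab %FTD-6-302013: Built outbound TCP connection 42 "
    "for outside:198.51.100.80/443 to inside:192.0.2.11/50001",
]

HEADER_RE = re.compile(
    r"^<\d+>\w{3} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Keys may contain spaces ("Prefilter Policy"); a value runs until the next ", Key: ".
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): (.*?)(?=, [A-Za-z][A-Za-z ]*?: |$)")
CONNECTION_EVENTS = {"430002", "430003"}   # connection start / connection end


def parse_ftd_line(line):
    """Return an ECS-style dict for a connection event, or None for anything else."""
    m = HEADER_RE.match(line)
    if not m or m["msgid"] not in CONNECTION_EVENTS:
        return None
    kv = dict(KV_RE.findall(m["body"]))
    action = kv.get("AccessControlRuleAction", "")
    return {
        "observer.hostname": m["host"],
        "event.code": m["msgid"],
        # assumption: Block maps to deny, everything else (Allow, Trust) to allow
        "event.outcome": "deny" if action.lower() == "block" else "allow",
        "source.ip": kv.get("SrcIP"),
        "source.port": int(kv["SrcPort"]) if kv.get("SrcPort", "").isdigit() else None,
        "destination.ip": kv.get("DstIP"),
        "destination.port": int(kv["DstPort"]) if kv.get("DstPort", "").isdigit() else None,
        "network.transport": kv.get("Protocol", "").lower() or None,
        "cisco.ftd.rule_name": kv.get("AccessControlRuleName"),
        "cisco.ftd.security.ac_policy": kv.get("ACPolicy"),
    }


def parse_all(lines):
    return [d for d in (parse_ftd_line(line) for line in lines) if d is not None]


def denied_count(docs):
    """Gauge panel: count of documents matching the filter event.outcome: deny."""
    return sum(1 for d in docs if d["event.outcome"] == "deny")


def top_blocked_sources(docs, n=5):
    """Tag cloud panel: terms aggregation on source.ip under the same filter."""
    c = Counter(d["source.ip"] for d in docs if d["event.outcome"] == "deny" and d["source.ip"])
    return c.most_common(n)


def port_transport_breakdown(docs, side="destination"):
    """Pie panel: slices split by transport, then by source or destination port."""
    key = f"{side}.port"
    return Counter((d["network.transport"], d[key]) for d in docs if d[key] is not None)


def blocked_by_rule(docs):
    """Data table panel: denied events per access control rule name."""
    c = Counter(d["cisco.ftd.rule_name"] for d in docs if d["event.outcome"] == "deny")
    return sorted(c.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    docs = parse_all(SAMPLE_LOGS)
    print("denied events:", denied_count(docs))
    print("top blocked sources:", top_blocked_sources(docs))
    print("destination port/transport:", dict(port_transport_breakdown(docs)))
    print("blocked per rule:", blocked_by_rule(docs))
```

The value-splitting regex stops a value at the next ", Key: " pair rather than at every comma, which is what keeps rule names and policy names containing commas or spaces intact; the same fragility exists in any grok or dissect pattern written for these messages, so compare a few real lines against the module's output before trusting a panel built on cisco.ftd.rule_name.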
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
