Cisco Firepower Threat Defense
The JSA DSM for Cisco Firepower Threat Defense (FTD) collects syslog events from a Cisco Firepower Threat Defense appliance. The syslog events that are collected by the Cisco Firepower Threat Defense DSM were previously collected by the Cisco Firepower Management Center DSM.
JSA collects the following event types from Cisco Firepower Threat Defense appliances:
- Device health and network-related logs from FTD devices
- Connection, security intelligence, and intrusion logs from FTD devices
- Logs for file and malware events
To integrate Cisco Firepower Threat Defense with JSA, complete the following steps:
- If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA Console:
  - DSM Common RPM
  - Cisco Firepower Threat Defense DSM RPM
  - Cisco Firewall Devices DSM RPM
- Configure your Cisco Firepower Threat Defense device to send syslog events to JSA. For more information, see Configuring Cisco Firepower Threat Defense to Communicate with JSA.
- If JSA does not automatically detect the log source, add a Cisco Firepower Threat Defense log source on the JSA Console.
Cisco Firepower Threat Defense DSM Specifications
When you configure Cisco Firepower Threat Defense, understanding the specifications for the Cisco Firepower Threat Defense DSM can help ensure a successful integration. For example, knowing which versions of Cisco Firepower Threat Defense are supported before you begin can help reduce frustration during the configuration process.
The following table describes the specifications for the Cisco Firepower Threat Defense DSM.
Table 1: Cisco Firepower Threat Defense DSM Specifications

| Specification | Value |
|---|---|
| DSM name | Cisco Firepower Threat Defense |
| RPM file name | |
| Event format | Comma-separated values (CSV), name-value pair (NVP) |
| Recorded event types | |
| Includes custom properties? | |
Configuring Cisco Firepower Threat Defense to Communicate with JSA
To send intrusion or connection events to JSA by using the syslog protocol, you need to enable external logging and configure basic settings on your Cisco Firepower appliance.
- Log in to your Cisco Firewall appliance.
- Enable external logging.
- Enable Logging Destinations.
- Deploy changes.
Sample Event Messages
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage returns or line feed characters.
Cisco Firepower Threat Defense sample message when you use the Syslog protocol
The following sample shows an intrusion event that has a Generator ID (GID) and a Snort ID (SID).

```text
Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18, Message: \"INDICATOR-SHELLCODE x86 NOOP\", Classification: Executable Code was Detected, User: No Authentication Required, ACPolicy: test, NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked
```
Table 2: Highlighted fields

The table lists each JSA field name together with the highlighted payload field name it is taken from. Notes on the mapping:
- As an intrusion event, a concatenation of the GID and SID is used.
- As an intrusion event, the category is set to Snort.
- If not provided in the DSM, the timestamp Aug 14 08:59:30 is taken from the syslog header.
- The Priority value is converted and mapped to an appropriate JSA severity value.
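To check that the sample above normalises the way Table 2 describes (GID and SID joined into one event ID, category fixed to Snort, the timestamp read from the syslog header, Priority converted to a severity), here is an added Python example. It is not JSA or Cisco code: the `unwrap` step does what the page advises (strip the carriage returns and line feeds from a wrapped sample), the separator used to join GID and SID and the `PRIORITY_TO_SEVERITY` table are assumptions made for this example, and both sample strings are constructed copies of the page's event.

```python
"""Added example (not JSA or Cisco code): normalise a Cisco FTD intrusion
syslog event (message ID 430001) into the fields JSA highlights for it.
The GID:SID separator and the priority-to-severity table are assumptions."""
import re
from typing import Dict

# Constructed sample: the page's event, already on a single line.
SAMPLE = (
    'Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, '
    'SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort: 2049, DstPort: 746, '
    'Priority: 1, GID: 1, SID: 648, Revision: 18, '
    'Message: "INDICATOR-SHELLCODE x86 NOOP", Classification: Executable '
    'Code was Detected, User: No Authentication Required, ACPolicy: test, '
    'NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked'
)

# Constructed sample: the same event wrapped across lines with escaped
# quotes, as it appears when copied out of documentation.
WRAPPED = (
    'Aug 14 08:59:30 192.168.0.7 SFIMS : %FTD-5-430001: Protocol: tcp, '
    'SrcIP: 10.1.1.57, DstIP: 10.5.12.209, SrcPort:\n'
    '2049, DstPort: 746, Priority: 1, GID: 1, SID: 648, Revision: 18,\n'
    'Message: \\"INDICATOR-SHELLCODE x86 NOOP\\", Classification: Executable\r\n'
    'Code was Detected, User: No Authentication Required, ACPolicy: test,\n'
    'NAPPolicy: Balanced Security and Connectivity, InlineResult: Blocked'
)

HEADER_RE = re.compile(
    r'^(?P<time>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '  # syslog timestamp
    r'(?P<host>\S+) (?P<tag>\S+) ?: '                            # reporting host, "SFIMS :"
    r'%FTD-(?P<level>\d)-(?P<msgid>\d{6}): (?P<body>.*)$'         # Cisco message header
)

# Assumed mapping of Snort priority (1 = most severe) onto JSA's 1..10 scale.
PRIORITY_TO_SEVERITY = {1: 9, 2: 6, 3: 3, 4: 1}


def unwrap(text: str) -> str:
    """Join a message that was wrapped across lines, as the page advises."""
    return re.sub(r'\s*[\r\n]+\s*', ' ', text).strip()


def parse_body(body: str) -> Dict[str, str]:
    """Split 'Key: value, Key: value' into a dict. Splitting only before a
    'Key: ' token keeps commas inside free-text values intact."""
    fields = {}
    for chunk in re.split(r', (?=[A-Za-z]+: )', body):
        key, _, value = chunk.partition(': ')
        fields[key] = value.strip().strip('\\"')  # drop plain or escaped quotes
    return fields


def normalize(raw: str) -> Dict[str, object]:
    """Return the JSA-facing fields for a 430001 intrusion event."""
    m = HEADER_RE.match(unwrap(raw))
    if not m:
        raise ValueError('not a Cisco FTD syslog line')
    if m['msgid'] != '430001':
        raise ValueError(f"message ID {m['msgid']} is not an intrusion event")
    f = parse_body(m['body'])
    return {
        'event_id': f"{f['GID']}:{f['SID']}",  # GID and SID concatenated (assumed separator)
        'category': 'Snort',                   # fixed for intrusion events
        'device_time': m['time'],              # taken from the syslog header
        'severity': PRIORITY_TO_SEVERITY.get(int(f['Priority']), 5),
        'src': (f['SrcIP'], int(f['SrcPort'])),
        'dst': (f['DstIP'], int(f['DstPort'])),
        'signature': f['Message'],
        'action': f['InlineResult'],
    }


if __name__ == '__main__':
    for key, value in normalize(WRAPPED).items():
        print(f'{key:12} {value}')
```

Running the script prints the normalised fields for the wrapped copy; the wrapped and single-line samples produce identical output, which is the check to make before pasting a sample into JSA.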