Cisco Secure Firewall Management Center and Security Analytics and Logging (SaaS) Integration Guide

Comparison of Cisco Security Analytics and Logging Remote Event Storage Options

Different options are available for storing event data externally to your Firewall Management Center:


On Premises	SaaS
Purchase, obtain the license for, and set up the storage system behind your firewall.	Purchase licenses and a data storage plan and send your data to the Cisco Security Cloud.
Supported event types: Connection Security-related connection Intrusion File and Malware AI Defense LINA	Supported event types: Connection Security-related connection Intrusion File and Malware AI Defense
Supports both syslog and direct integration.	Supports both syslog and direct integration. See Comparison of Methods for Sending Events to the Cloud.
View all events on the Secure Network Analytics Manager. Cross-launch from Firewall Management Center event viewer to view events on the Secure Network Analytics Manager. View remotely stored connection and Security-related connection events in Firewall Management Center	View events in Security Cloud Control or Secure Network Analytics, depending on your license. Cross-launch from Firewall Management Center event viewer.
For more information, refer to the Data Purge and Storage chapter in the Cisco Secure Firewall Management Center Administration Guide.

Comparison of Methods for Sending Events to the Cloud


Sending via Syslog	Sending Directly
Requires Secure Event Connector (SEC). The SEC is beneficial for high log emission rates from firewall devices. It can support up to 100,000 events per second. SEC can be set up for Security Cloud Control or non-Security Cloud Control-managed devices. Reduces the event processing strain on the firewall, thereby freeing its resources for the firewall function. Centralization may not be possible or desirable in geographically distributed environments. Requires a separate installation.	Ideal for branch offices as it supports geographically distributed environments. Requires Smart Licensing. Not supported if you are using a Cisco Smart Software Manager On-Prem server or air-gapped deployment. No separate installation or service is needed. The strain on the firewall resources is relatively higher.

Requirements and Prerequisites for SAL (SaaS) Integration

The following requirements apply to both methods of sending events to SAL (SaaS).


Requirement or Prerequisite Type	Requirement
Devices and manager	Firewall Management Center managing Firewall Threat Defense devices To send via syslog: version 6.4 or later To send directly: version 7.0 The required version applies to the Firewall Management Center and all managed Firewall Threat Defense devices. Your system must be deployed and successfully generating events.
Regional cloud	Determine the Cisco regional cloud that you want to use for sending firewall events. You cannot merge or aggregate data in different regional clouds. To aggregate data from multiple regions, devices in all the regions must send data to the same regional cloud. Events cannot be viewed from or moved between different regional clouds. If you use a direct connection to send events to the Security Cloud Control for integration with Cisco XDR, you must use the same regional cloud for this integration as well.
Data plan	Determine the amount of cloud storage that your system requires. For more information, see See Calculate Storage Requirements and Purchase a Data Plan.
Licensing	Cisco Security Analytics and Logging licenses: Any For licensing options and descriptions, see SAL (SaaS) Licenses. Security Cloud Control licenses: No additional Security Cloud Control licensing is required. Secure Cloud Analytics licenses: No additional licensing is required. Firewall Management Center Licenses: No additional licensing is required.
Accounts	When you purchase license for this integration, you will be provided with a Security Cloud Control tenant account to support this functionality.
Supported event types	Intrusion, connection, Security-related connection, AI Defense, file, and malware events.
User roles	In Firewall Management Center: Admin Access Admin Network Admin Security Approver
Additional requirements when sending events directly	See Prerequisites for Direct Integration.

SAL (SaaS) Licenses

Security Analytics and Logging (SaaS) subscription overview

You can combine Security Analytics and Logging (SaaS) with your Security Cloud Control subscription. When managing your firewalls with Security Cloud Control, you can obtain Security Analytics and Logging entitlement in these ways:

Device management with unlimited logging: This option provides a per-device license. It includes device management capabilities for your Firewall Threat Defense device and unlimited log storage for a rolling period of 90 days.
Device management only with optional cloud logging: This option involves purchasing a per-device license for management only. You can then add Security Analytics and Logging as a separate cloud logging subscription. This allows you to customize logging data storage and log retention based on your specific operational and compliance needs.

90-day free trial

You can request a 90-day trial to accurately estimate your daily ingest rate by logging in to Security Cloud Control and navigating to Events & Logs > Events > Event Logging tab. You can purchase the desired subscription plan to continue the service by following the instructions in the Security Cloud Control Firewall Management Ordering Guide.

Security Analytics and Logging paid subscription tiers

If you don’t want to use the device management with unlimited logging option, you can purchase logging capacity separately. This standalone Security Analytics and Logging subscription offering provides greater flexibility, longer default retention, and increased storage entitlements. The default minimum retention period for these subscription tiers is 1 year.

Choose these flexible Security Analytics and Logging subscription tiers if:

You have already purchased your Firewall Threat Defense devices as part of a different order.
You have specific logging estimates and want to buy a tier based on a fixed amount of ingest, storage, and logging retention.
You want a log retention period that is more than 90 days.

Security Analytics and Logging subscription is categorized into three tiers—Essentials, Advantage, and Premier. This table describes the storage capacities and log retention periods available for each tier.


Description	Retention Period	Storage Limit	Subscription Term
Cisco SAL Essentials Subscriptions	1, 2, or 3 year	2 TB	0-5 years
Cisco SAL Advantage Subscriptions	1, 2, or 3 year	4 TB	0-5 years
Cisco SAL Premier Subscriptions	1, 2, or 3 year	10 TB	0-5 years

For more information, refer to Security Cloud Control Firewall Management Ordering Guide.

Estimate your daily ingest rate

You need to purchase a subscription plan that reflects the number of events the Cisco cloud receives from your on-boarded Firewall Threat Defense devices on a daily basis. This is called your daily ingest rate. You can use the Logging Volume Estimator tool to estimate your daily ingest rate and as that rate changes you can update your subscription plan

Calculate Storage Requirements and Purchase a Data Plan

You need to buy a data plan that reflects the number of events the Cisco cloud receives from your Firewall Threat Defenses on a daily basis. This is called your "daily ingest rate."

To estimate your data storage requirements:

(Recommended) Participate in a free trial of Cisco Security Analytics and Logging (SaaS) before you buy it. See SAL (SaaS) Licenses.
Use the Logging Volume Estimator Tool at https://ngfwpe.cisco.com/ftd-logging-estimator.

Data plans are available in various daily volumes, and in various yearly terms. For more information, refer to Security Cloud Control Firewall Management Ordering Guide.

Note

If you have a SAL (SaaS) license and data plan, then obtain a different license at a later date, that alone does not require you to obtain a different data plan. If your network traffic throughput changes and you obtain a different data plan, that alone does not require you to obtain a different SAL (SaaS) license.

How to Send Events from Firewall Management Center to SAL SaaS

To successfully deploy this integration, follow all of the steps in one of these topics:

How to Set Up Event Data Storage in SAL (SaaS) Using a Direct Connection
How to Set Up Event Data Storage in SAL (SaaS) Using Syslog

How to Set Up Event Data Storage in SAL (SaaS) Using Syslog


	Do This	More Information
Step	Review requirements and prerequisites	See Requirements and Prerequisites for SAL (SaaS) Integration.
Step	Obtain required licenses, accounts, and a data storage plan	Contact your authorized Cisco sales representative.
Step	Set up Security Cloud Control access using multi-factor authentication	For more information, refer to the Sign in to Security Cloud Control section in Security Cloud Control's online help.
Step	Set up an on-premises Secure Device Connector (SDC) on a VMWare virtual machine	This component is required solely to enable installation of the SEC, which is the component to which your devices will send events. Use one of the following, as described in the Security Cloud Control online help: You can install one SEC on the same virtual machine as a Secure Device Connector, if you have one; or you can install the SEC on it's own Security Cloud Control Connector virtual machine that you maintain in your network. For more information, refer to the Secure Event Connector section in Security Cloud Control's online help.
Step	Install the Secure Event Connector (SEC) on the SDC virtual machine you just created.	This is the component to which your devices will send events. For more information, refer to the Secure Event Connector section in Security Cloud Control's online help.
Step	Configure your Firewall Management Center to have managed devices send syslog events to the SEC.	Send Security Event Syslog Messages from Firewall Threat Defense Devices
Step	Verify that your events are being sent successfully	See View and Work with Events.
Step	(Optional) If you are sending connection events to the cloud and you don't want to store them on the Firewall Management Center, disable that storage on the Firewall Management Center.	In the Firewall Management Center online help, see information about connection events in the Database Event Limits topics.
Step	(Optional) Configure cross-launches from Firewall Management Center to Security Cloud Control so you can easily pivot from events displayed in Firewall Management Center to related events in the cloud.	See the online help in Firewall Management Center.
Step	(Optional) Create Security Cloud Control user accounts for colleagues to view and work with your events.	For more information, refer to the Manage Tenants and Users section in Security Cloud Control's online help.

Overview of Sending Events to SAL (SaaS) Using Syslog


	The Firewall Management Center-managed devices generate events.
	The Firewall Threat Defense devices send supported events as syslog messages to a Secure Event Connector (SEC) installed on a virtual machine on your network.
	The SEC forwards the events to Security Services Exchange (SSE), a secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.
	The SSE forwards the events to the Cisco Security Analytics and Logging (SAL) Cloud Data Store.
	The Security Cloud Control Event Viewer queries SAL Cloud Data Store for events and provides the SOC analyst with additional context.
	(Only with Analytics License) Cisco Secure Cloud Analytics (formerly SWC) receives the events from the SAL Cloud Data Store and provides the SOC analyst access to the analytics features of the product.

Note

Most features in the Security Cloud Control portal are not applicable to this integration. For example, Security Cloud Control does not manage your devices, so your devices are not onboarded to Security Cloud Control.

Send Security Event Syslog Messages from Firewall Threat Defense Devices

This procedure documents the best practice configuration for sending syslog messages for security events (connection, Security-related connection, intrusion, file, and malware events) from Firewall Threat Defense devices managed by Firewall Management Center.

Note

Many Firewall Threat Defense syslog settings are not applicable to security events. Configure only the options described in this procedure.

Before you begin

In Firewall Management Center, configure policies to generate security events and verify that the events you expect to see appear in the applicable tables under the Analysis menu.
Gather the syslog server IP address, port, and protocol (UDP or TCP):

Sign in to Security Cloud Control. Then, from the user menu at the top right side of the Security Cloud Control browser window, select Secure Connectors. Click Secure Event Connector and you will see the required information at the right side.
Ensure that your devices can reach the syslog server(s).
See additional information in the "Connection Logging" chapter in the Firewall Management Center online help.

Procedure

Step 1	Sign in to your Firewall Management Center web interface.
Step 2	Configure syslog settings for your Firewall Threat Defense device: Click Devices > Platform Settings. Edit the platform settings policy associated with your Firewall Threat Defense device. In the left navigation pane, click Syslog. Click Syslog Servers and click Add to enter server, protocol, interface, and related information. Use the IP address, port, and protocol that you gathered from Security Cloud Control above. EMBLEM format and secure syslog are not supported for this integration. If you have questions about options on this page, see the "Configure a Syslog Server" topic in the Firewall Management Center online help. Click Syslog Settings and configure the following settings: Enable Timestamp on Syslog Messages Timestamp Format Enable Syslog Device ID Click Logging Setup. Make sure Send syslogs in EMBLEM format is NOT selected. Save your settings.
Step 3	Configure general logging settings for the access control policy (including file and malware logging): Click Policies > Access Control. Edit the applicable access control policy. Click Logging. Select FTD 6.3 and later: Use the syslog settings configured in the FTD Platform Settings policy deployed on the device. (Optional) Select a Syslog Severity. If you will send file and malware events, select Send Syslog messages for File and Malware events. Click Save.
Step 4	Enable logging for Security-related connection events for the access control policy: In the same access control policy, click the Security Intelligence tab. In each of the following locations, click Logging () and enable beginning and end of connections and Syslog Server: Beside DNS Policy. In the Block List box, for Networks and for URLs. Click Save.
Step 5	Enable syslog logging for each rule in the access control policy: In the same access control policy, click the Rules tab. Click a rule to edit. Click the Logging tab in the rule. Enable both beginning and end of connections. If you will log file events, select Log Files. Enable Syslog Server. Verify that the rule is "Using default syslog configuration in Access Control Logging." Do NOT configure overrides. Click Add. Repeat for each rule in the policy.
Step 6	If you will send intrusion events: Navigate to the intrusion policy associated with your access control policy. In your intrusion policy, click Advanced Settings > Syslog Alerting > Enabled. Verify that the policy is using the default settings configured for access control logging. Click Back. Click Policy Information in the left navigation pane. Click Commit Changes.

What to do next

If you are done making changes, deploy your changes to managed devices.

How to Set Up Event Data Storage in SAL (SaaS) Using a Direct Connection

This section describes how to set up event data storage in SAL (SaaS) using a direct connection.

How Does It Work

The following diagram shows how the direct integration works.


	The Firewall Management Center-managed devices generate events.
	The Firewall Threat Defense devices send supported events to Security Services Exchange (SSE), a secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.
	The SSE forwards the events to the Cisco Security Analytics and Logging (SAL) Cloud Data Store.
	The Security Cloud Control queries SAL cloud data store for events and provides the SOC analyst with additional context in the Event Logging page.
	(Only with Analytics License) Cisco Secure Cloud Analytics (formerly SWC) receives the events from the SAL Cloud Data Store and provides the SOC analyst access to the analytics features of the product.

Key Components of This Integration


Component	Description
Firewall Threat Defense	A next generation firewall with capabilities such as protection from malware and application-layer attacks, integrated intrusion prevention, and cloud-delivered threat intelligence.
Firewall Management Center	An administrative nerve center for select Cisco security products running on multiple platforms. It provides unified management of Firewall Threat Defense software for port and protocol control, application control, IPS, URL filtering, and malware protection functions.
Security Services Exchange	A secure intermediary cloud service that handles cloud-to-cloud and premises-to-cloud identification, authentication, and data storage for use in Cisco cloud security products.
Security Cloud Control	A cloud-based multidevice manager you can use to manage security policy changes across various security products. This platform enables the efficient management of policies in branch offices and other highly distributed environments to achieve a consistent security implementation. In direct integration, both the Firewall Management Center and its managed devices get onboarded to the Security Cloud Control tenant. This integration connects the Firewall Management Center to a suite of Cisco cloud services. When the Firewall Management Center is onboarded to Security Cloud Control, you can view its managed devices, view managing network objects, and cross-launch to Firewall Management Center UI to manage associated devices and objects.
Cisco Secure Cloud Analytics (formerly Secure Network Analytics Cloud)	A cloud platform that applies dynamic entity modeling to Firewall Threat Defense events, generating detections based on this information. This provides a deeper analysis of telemetry gathered from your network, allowing you to identify trends and examine anomalous behavior in your network traffic.

Prerequisites for Direct Integration


Prerequisite Type	Requirement
General requirements for sending events to SAL (SaaS)	In addition to the requirements in this table, you must satisfy the items in Requirements and Prerequisites for SAL (SaaS) Integration and subtopics.
Licensing	Register your Firewall Management Center with the Cisco Smart Software Manager. In the Firewall Management Center web interface, click System () > Smart Licenses, and verify that: The Usage Authorization status is Authorized. The Product Registration status is Registered. Keep in mind that: This integration is not supported under a evaluation license. Your environment cannot be using a Cisco Smart Software Manager On-Prem server (formerly known as Smart Software Satellite Server) or be deployed in an air-gapped environment.
Account	You must have administrator privileges for the Cisco Smart Account from which your products are licensed. To determine your Smart Account user role: Go to https://software.cisco.com. Click Manage Smart Account. Select a Smart Account in the top-right area (above the Help link) of the page. Click the Users tab. Search for your User ID. Your Firewall Management Center account must have one of the following user roles: Admin Access Admin Network Admin Security Approver To determine your user role, click System () > Users in the Firewall Management Center web interface. Your Security Cloud Control account must have one of the following user roles: Admin Super Admin
Connectivity	The Firewall Management Center and managed devices must be able to connect outbound on port 443 to the Cisco cloud at the following addresses: North America cloud: api-sse.cisco.com mx.sse.itd.cisco.com eventing-ingest.sse.itd.cisco.com defenseorchestrator.com edge.us.cdo.cisco.com EU cloud: api.eu.sse.itd.cisco.com mx.eu.sse.itd.cisco.com eventing-ingest.eu.sse.itd.cisco.com defenseorchestrator.eu edge.eu.cdo.cisco.com Asia (APJC) cloud: api.apj.sse.itd.cisco.com mx.apj.sse.itd.cisco.com eventing-ingest.apj.sse.itd.cisco.com apj.cdo.cisco.com edge.apj.cdo.cisco.com Australia api.aus.sse.itd.cisco.com mx.aus.sse.itd.cisco.com eventing-ingest.aus.sse.itd.cisco.com aus.cdo.cisco.com India api.in.sse.itd.cisco.com mx*.in.sse.itd.cisco.com eventing-ingest.in.sse.itd.cisco.com in.cdo.cisco.com

Set Up Event Data Storage in SAL (SaaS) Using a Direct Connection

Perform the following tasks to set up event data storage in SAL (SaaS) using a direct integration.


		Workspace
	Firewall Management Center	Configure the Firewall Management Center (version 7.1 and earlier) to Send Events to Security Services Exchange. Configure the Firewall Management Center (version 7.2 and later) to Send Events to Security Services Exchange.
	Security Services Exchange	Launch Security Services Exchange
	Security Services Exchange	Link Smart or Virtual Accounts on Security Services Exchange
	Security Services Exchange	Link Security Cloud Control Accounts on Security Services Exchange
	Security Services Exchange	Configure Cloud Services on Security Services Exchange
	Security Cloud Control	View and Work with Events
	Security Cloud Control	View and Work with Events in Cisco Secure Cloud Analytics: Cross-launch into Secure Cloud Analytics
	Cisco Secure Cloud Analytics	View and Work with Events in Cisco Secure Cloud Analytics

Configure the Firewall Management Center (version 7.1 and earlier) to Send Events to Security Services Exchange

If your Firewall Management Center version is 7.1 or earlier (except version 7.0.2 to 7.0.X), follow this procedure to configure your Firewall Management Center to have the managed Firewall Threat Defense devices send events directly to SSE. If your Firewall Management Center version is 7.0.2 to 7.0.X, follow the steps in Configure the Management Center (version 7.2 and later) to Send Events to Security Services Exchange.