Supported Target Versions
Firepower Device Manager(FDM) 6.7
Firepower Management Center(FMC) 6.1

Application Version and Upgrade Details

Application VersionBug fixes / Enhancements
2.1.0
  • Feasibility to give Api Timeouts from UI.
  • Metric Labels support.
2.0.0API statistics and Full discovery support.
1.0.2Alert custom Macros support to the Metric and Component level.
Click here to view the earlier version updates
Application VersionBug fixes / Enhancements
1.0.1Alerting on gateway in initial Case of Discovery Failure.

Introduction

Cisco Firepower Threat Defense is an integrative software image combining Cisco ASA and Firepower features into one hardware and software inclusive system.

The Cisco Firepower NGIPS is a next generation intrusion prevention system that shares a management console with the Cisco firewall offerings, called the Firepower Management Center.

Cisco ASA Firepower Services provides the following key capabilities:

  1. Access control: This policy based capability allows a network security administrator to define, inspect, and log the traffic that traverses a firewall. Access control policies determine how traffic is permitted or denied in a network. For instance, you can configure a default action to inspect all traffic or block or trust all traffic without further inspection. You can achieve a more complete access control policy with enrichment data based on security threat intelligence. Whether you configure simple or complex rules, you can control traffic based on security zones, network or geographical locations, ports, applications, requested URLs, and per user.

  2. Intrusion detection and prevention: Intrusion detection and prevention help you detect attempts from an attacker to gain unauthorized access to a network or host, create performance degradation, or steal information. You define intrusion detection and prevention policies based on your access control policies. Create and tune custom policies at a very granular level to specify how traffic is inspected in a network.

  3. AMP and file control: You can detect, track, capture, analyze, and optionally block the transmission of files, including malware files and nested files inside archive files in network traffic. File control enables you to detect and block users from sending or receiving files of different specific types over a multitude of application protocols. You can configure file control as part of the overall access control policies and application inspection.

  4. Application programming interfaces (APIs): Cisco ASA Firepower Services supports several ways to interact with the system using APIs.

Prerequisites

  • OpsRamp Classic Gateway 14.0.0 and above.
  • OpsRamp NextGen Gateway 14.0.0 and above.
    Note: OpsRamp recommends using the latest Gateway version for full coverage of recent bug fixes, enhancements, etc.

Supported Metrics

Click here to view the supported metrics
Native TypeMetric NameUnitApplication VersionDescription
Cisco FMCcisco_ftd_event_Statistics2.0.0Cisco FTD Event Statistics
Cisco FTD Devicecisco_ftd_health_status1.0.0Health status of Ftd device
cisco_ftd_mem_freeBytes1.0.0The total free memory.
cisco_ftd_mem_usedBytes1.0.0The total memory available.
cisco_ftd_mem_used_percentage_lina%1.0.0The percent of memory used by the data plane.
cisco_ftd_mem_used_percentage_snort%1.0.0The percent of memory used by the Snort process
cisco_ftd_mem_used_percentage_system_and_swap%1.0.0The percent of memory used by the system and swap combined.
cisco_ftd_cpu_lina_cp_avg%1.0.0The average CPU utilization for the control plane
cisco_ftd_cpu_lina_dp_avg%1.0.0The average CPU utilization for the data plane.
cisco_ftd_cpu_snort_avg%1.0.0The average CPU utilization for the Snort process.
cisco_ftd_cpu_system_avg%1.0.0The average CPU utilization for the system processes.
cisco_ftd_cpu_lina_avg%1.0.0The average CPU utilization for all the cores.
cisco_ftd_packets_bypassed_snort_busycount1.0.0The number of packets that bypassed inspection when Snort was too busy to handle the packets.
cisco_ftd_packets_bypassed_snort_downcount1.0.0The number of packets that bypassed inspection when Snort was down.
cisco_ftd_packets_drops_rxq_fullcount1.0.0The number of packets bypassed due to a receive queue full.
cisco_ftd_disk_total_usedBytes1.0.0The total space used on the device disk.
cisco_ftd_disk_used_percentage%1.0.0The percent of disk space used by different partitions.
cisco_ftd_critical_process_restart_countcount1.0.0Restart count of each critical processes.
cisco_ftd_critical_process_cpu_util%1.0.0Cpu utilization of each critical process.
cisco_ftd_critical_process_status1.0.0The status of critical processes
cisco_ftd_critical_process_used_memBytes1.0.0The memory used for each critical process
cisco_ftd_critical_process_uptimes1.0.0The uptime of each critical process.
cisco_ftd_connection_in_usecount1.0.0Shows the number of connections in use
cisco_ftd_connection_most_usedcount1.0.0Shows the maximum number of simultaneous connections.
cisco_ftd_cps_udpcount1.0.0The connections-per-second for UDP connection types.
cisco_ftd_cps_tcpcount1.0.0The connections-per-second for TCP connection types.
Cisco FTD Interfacescisco_ftd_interface_drop_packetscount1.0.0The number of packets dropped.
cisco_ftd_interface_input_bytesBytes1.0.0The total incoming bytes.
cisco_ftd_interface_input_packetscount1.0.0The total incoming packets.
cisco_ftd_interface_output_bytesBytes1.0.0The total outgoing bytes.
cisco_ftd_interface_output_packetscount1.0.0The total outgoing packets.

Default monitoring configurations

Cisco Firepower Threat Defense has default Global Device Management Policies, Global Templates, Global Monitors and Global metrics in OpsRamp. You can customize these default monitoring configurations as per your business use case by cloning respective Global Templates and Global Device Management Policies. OpsRamp recommends doing this activity before installing the app to avoid noise alerts and data.

  1. Default Global Device Management Policies

    OpsRamp has a Global Device Management Policy for each Native Type of Cisco FTD. You can find these Device Management Policies at Setup > Resources > Device Management Policies, search with suggested names in global scope. Each Device Management Policy follows below naming convention:

    {appName nativeType - version}

    Ex: cisco-firepower-threat-defense Cisco FTD Interfaces - 1 (i.e, appName =cisco-firepower-threat-defense, nativeType = Cisco FTD Interfaces, version = 1)

  2. Default Global Templates

    OpsRamp has a Global Template for each Native Type of Cisco FirePower Threat Defense. You can find these templates at Setup > Monitoring > Templates, search with suggested names in global scope. Each template follows below naming convention:

    {appName nativeType 'Template' - version}

    Ex: cisco-firepower-threat-defense Cisco FTD Interfaces Template - 1 (i.e, appName = cisco-firepower-threat-defense, nativeType = Cisco FTD Interfaces Template, version = 1)

  3. Default Global Monitors

    OpsRamp has a Global Monitors for each Native Type which has monitoring support. You can find those monitors at Setup > Monitoring > Monitors, search with suggested names in global scope. Each Monitors follows below naming convention:

    {monitorKey appName nativeType - version}

    Ex: Cisco FTD Interface Monitor cisco-firepower-threat-defense Cisco FTD Interfaces 1(i.e, monitorKey =Cisco FTD Interface Monitor, appName = cisco-firepower-threat-defense, nativeType = Cisco FTD Interfaces, version = 1)

Configure and Install the Cisco Firepower Threat Defense Integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page, where all the installed applications are displayed.
    Note: If there are no installed applications, it will navigate to the ADD APP page.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
    Note: You can even search for the application using the search option available. Also you can use the All Categories option to search.
Cisco FirePower
  1. Click ADD in the Cisco Firepower Threat Defense application.
  2. In the Configurations page, click + ADD. The Add Configuration page appears.
  3. Enter the below mentioned BASIC INFORMATION:
FunctionalityDescription
NameEnter the name for the configuration.
IP Address/Host NameIP address/host name of the target.
PortPort

Note: By default 443 is added.
Managed BySelect Managed By from the drop-down list.

Note: As of now the application only supports discovery and monitoring for FTDs managed by:
- Firepower management Center (FMC)
- Firepower device manager (FDM)
CredentialsSelect the credentials from the drop-down list.

Note: Click + Add to create a credential.

Notes:

  • By default the Is Secure checkbox is selected.
  • Ip Address/Host Name and Port should be accessible from Gateway.
  • Select the following:
    • App Failure Notifications: if turned on, you will be notified in case of an application failure that is, Connectivity Exception, Authentication Exception.
    • Alert Configuration: map alert configuration for third party alerts into OpsRamp.
  • Below are the default values set for:
    • Alert Severity: possible values of Alert Severity filter configuration property are “RED”,“YELLOW”.
    • Alert Severity Mapping: possible values of Alert Severity Mapping filter configuration property are “RED”:“Critical”,“YELLOW”:“Warning”.
  1. Select the below mentioned Custom Attribute:
FunctionalityDescription
Custom AttributeSelect the custom attribute from the drop down list box.
ValueSelect the value from the drop down list box.

Note: The custom attribute that you add here will be assigned to all the resources that are created by the integration. You can add a maximum of five custom attributes (key and value pair).

  1. In the RESOURCE TYPE section, select:
    • ALL: All the existing and future resources will be discovered.
    • SELECT: You can select one or multiple resources to be discovered.
  2. In the DISCOVERY SCHEDULE section, select recurrence pattern to add one of the following patterns:
    • Minutes
    • Hourly
    • Daily
    • Weekly
    • Monthly
  3. Click ADD.
Aruba Airwave Integrations

Now the configuration is saved and displayed on the configurations page after you save it.
Note: From the same page, you may Edit and Remove the created configuration.

  1. Under the ADVANCED SETTINGS, Select the Bypass Resource Reconciliation option, if you wish to bypass resource reconciliation when encountering the same resources discovered by multiple applications.

    Note: If two different applications provide identical discovery attributes, two separate resources will be generated with those respective attributes from the individual discoveries.

  2. Click NEXT.

  3. (Optional) Click +ADD to create a new collector by providing a name or use the pre-populated name.

Veeam
  1. Select an existing registered profile.
Veeam
  1. Click FINISH.

The application is installed and displayed on the INSTALLED INTEGRATION page. Use the search field to find the installed integration.

Modify the Configuration

View the Cisco Firepower Threat Defense Device Details

The Cisco Firepower Threat Defense application integration is displayed in the below navigation:

  • FMC: Infrastructure > Resources > Server.
Cisco FirePower
Cisco FirePower
  • FTD: Infrastructure > Resources > Network Device > Firewall.
Cisco FirePower
Cisco FirePower

Supported Alert Custom Macros

Customize the alert subject and description with below macros then it will generate alert based on customisation.
Supported macros keys:

Click here to view the alert subject and description with macros

                                ${resource.name}

                                ${resource.ip}

                                ${resource.mac}

                                ${resource.aliasname}

                                ${resource.os}

                                ${resource.type}

                                ${resource.dnsname}

                                ${resource.alternateip}

                                ${resource.make}

                                ${resource.model}

                                ${resource.serialnumber}

                                ${resource.systemId}

                                ${Custome Attributes in the resource}

                                ${parent.resource.name}

Risks, Limitations & Assumptions

  • As of now the application only supports discovery and monitoring for FTDs managed by FMC or FDM.
  • Application can handle Critical/Recovery failure notifications for below two cases when user enables App Failure Notifications in configuration:
    • Connectivity Exception (ConnectTimeoutException, HttpHostConnectException, UnknownHostException)
    • Authentication Exception (UnauthorizedException)
  • Application will not send any duplicate/repeat failure alert notification until the already existed critical alert is recovered.
  • Application cannot control monitoring pause/resume actions based on above alerts.
  • Metrics can be used to monitor FTD resources and can generate alerts based on the threshold values.
  • Event/Alert polling will start only if the user enables Event/Alert Polling in configuration.
  • Possible values of Event/Alert Severity filter configuration property are kWarning, kCritical, kInfo.
  • OpsRamp has given sample mappings to map FTD Severity with OpsRamp Severities as part of the Event/Alert Severity Mapping configuration file. You can modify them as per their use case at any point of time from the SDK application configuration page. Possible OpsRamp Severities are Critical, Warning, Ok, Info.
  • Support for Macro replacement for threshold breach alerts (i.e, customisation for threshold breach alert’s subject, description).
  • No support of showing activity log and applied time.
  • Support for the option to get Latest snapshot metric.
  • Application is not compatible with Cluster Gateway.
  • Interfaces under FTD are represented as Network devices in Opsramp.
  • This application supports both Classic Gateway and NextGen Gateway