Integrate Cisco Firepower Threat Defense with the Security Data Lake
    • 20 Aug 2025
    • 2 Minutes to read
    • PDF


    Article summary

    Cisco Firepower Threat Defense (FTD) is a popular firewall solution that combines a firewall, intrusion prevention system, and malware protection into a single platform. Logs from this integration can be used for Managed Detection and Response (MDR) and can be stored in the Security Data Lake.

    How does it work?

    This ingest method works by creating a Red Canary-managed syslog server that you can use to receive logs from your Cisco Firepower. You will be provided the fully qualified hostname and port of the syslog server to which you will point your Cisco Firepower appliance. Authentication is handled via TLS.

    By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate Cisco Firepower with Red Canary through syslog, follow the procedure below from beginning to end.

    Prerequisites

    Before you start the syslog integration, please make sure the following requirements are met:

    1. You have an active Red Canary Security Data Lake license.

    2. You have appropriate admin permissions to make configuration changes in Cisco Firepower.

    1 | Red Canary | Add a new data lake integration

    1. From your Red Canary homepage, navigate to Integrations and click Add Integration.

    2. In the modal that appears, search for “Cisco Firepower”. When the tile appears, click Configure.

    3. Enter a name for your integration.

    4. Choose how Red Canary will receive this data:

      1. Under Ingest Format / Method, select Cisco Firepower via Syslog.

      2. Click the Next button.

    5. Configure Red Canary to retrieve data from this integration:

      1. Click the Provision button.

      2. This will save and activate your integration. If successful, you should get a “Collector provisioned successfully” notification.

      3. Under Send data to Red Canary, there will be a URL and Port that you can use to set up log forwarding in your external data source. Copy and save these values. You will use them in a later step.

      4. Check I’ve configured this integration to send data to Red Canary.

      5. Under Configure transport encryption, leave the default selection for now.

      6. Click the Next button.

    6. Customize how data from this integration is handled:

      1. For the Security Data Lake, this section is not applicable.

    7. Customize how this data is retained:

      1. Check Store in the Security Data Lake.

      2. Specify the desired data retention period in days and click Save.

    2 | Cisco Firepower | Configure log forwarding

    1. From Cisco Firepower, set up log forwarding using the URL and Port values noted in the previous section.

    2. For detailed instructions on how to set up syslog forwarding for FTD devices, refer to the Cisco documentation.

      1. When configuring syslog message settings:

        1. Make sure that Enable timestamp on each syslog message is checked.

        2. Make sure the selected Timestamp Format is “RFC 5424 (yyyy-MM-ddTHH:mm:ssZ)”.

        3. Make sure Enable Syslog Device ID is checked and “Host Name” is selected under the type of ID.

      2. When configuring the syslog server settings:

        1. Make sure that Allow user traffic to pass when TCP syslog server is down (Recommended) is checked.

        2. Make sure the protocol for the syslog server is “TCP”.

        3. Make sure Enable Secure Syslog is checked.

        4. Make sure the appropriate Certificate Authority (CA) root certificate is uploaded under the Devices > Certificates page. If you did not configure a custom TLS certificate earlier, you will need to install the ISRG Root X1 certificate. You can download the ISRG Root X1 .pem certificate and upload it to your Cisco Firepower appliance manually.
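    Before pointing the appliance at the collector, it is worth confirming that a sample of forwarded messages actually carries the settings above (RFC 5424 timestamp, Host Name as the device ID). The checker below is an added example, not Red Canary or Cisco code; it assumes each forwarded line has the layout "<PRI>TIMESTAMP DEVICE_ID MESSAGE", and the sample lines are constructed for the example rather than captured from a real appliance.

```python
import re
from datetime import datetime

# Constructed sample lines (not captured from an appliance). Assumed layout:
# "<PRI>TIMESTAMP DEVICE_ID MESSAGE". Facility local4 + severity 6 gives PRI 166.
SAMPLE_LINES = [
    # compliant: RFC 5424 timestamp with Z suffix, hostname as device ID
    "<166>2025-08-20T14:03:11Z ftd-edge-01 %FTD-6-302013: Built inbound TCP connection 1187",
    # legacy timestamp format instead of RFC 5424
    "<166>Aug 20 2025 14:03:12 ftd-edge-01 %FTD-6-302014: Teardown TCP connection 1187",
    # device ID set to an interface IP instead of Host Name
    "<166>2025-08-20T14:03:13Z 192.0.2.1 %FTD-6-302013: Built outbound TCP connection 1188",
    # not a syslog message at all (no <PRI> header)
    "ftd-edge-01 %FTD-6-302013: Built inbound TCP connection 1189",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
RFC5424_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def check_ftd_syslog_line(line: str) -> list:
    """Return a list of problems; an empty list means the line matches the guide's settings."""
    problems = []
    m = PRI_RE.match(line)
    if not m:
        return ["no <PRI> header: line is not a syslog message"]
    if int(m.group(1)) > 191:  # 23 facilities * 8 severities - 1
        problems.append("PRI value out of range (max 191)")
    fields = m.group(2).split(" ", 2)
    if len(fields) < 3:
        return problems + ["expected TIMESTAMP DEVICE_ID MESSAGE after <PRI>"]
    ts, device_id, _msg = fields
    if not RFC5424_TS_RE.match(ts):
        problems.append(f"timestamp {ts!r} is not yyyy-MM-ddTHH:mm:ssZ (enable timestamps, choose RFC 5424)")
    else:
        try:
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")  # rejects e.g. month 13 or day 30 in February
        except ValueError:
            problems.append(f"timestamp {ts!r} has an invalid date or time")
    if IPV4_RE.match(device_id):
        problems.append(f"device ID {device_id!r} is an IP address; select Host Name as the ID type")
    elif not HOSTNAME_RE.match(device_id):
        problems.append(f"device ID {device_id!r} is not a valid hostname")
    return problems


def check_lines(lines):
    """Map each line to its list of problems, so a captured sample can be reviewed in one pass."""
    return {line: check_ftd_syslog_line(line) for line in lines}
```

    Run it against a few lines captured at the appliance (or at a local TCP listener) before enabling the forwarding to Red Canary; only the first sample line comes back with an empty problem list.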

    How can I access my Cisco Firepower data in the Security Data Lake?

    Data from this integration is currently not queryable from the Search page of the Security Data Lake, but is still accessible from the Export page.
