Introduction
Intrusion events will be generated if the access rule has the property eventLogAction=LOG_BOTH. The user may also configure a single syslog server to receive all intrusion events. For intrusion events, the syslog server must be reachable by the management interface, or the gateway interface if you route through data interfaces.
To Configure a Syslog Server for Intrusion Events
Step 1
Send a syslog server POST request to create a new syslog server that is reachable via the management (or gateway) interface. Specify the parameters for your remote syslog server, and set the useManagementInterface property to true.
# Create the syslog server object described in json.txt (curl sends a POST when --data is given)
curl --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer <ACCESS_TOKEN_GOES_HERE>" \
     --data @json.txt \
     "https://ftd.example/api/fdm/latest/object/syslogalerts"
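def post_syslog_server(host, port, access_token, syslog_server, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Send syslog server POST request.
    :param host: ftd host address
    :param port: ftd port
    :param access_token: OAUTH token for device access
    :param syslog_server: dict describing the syslog server (host, port, protocol,
        useManagementInterface, type); it is serialized with json.dumps
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample), True, or the path to a CA bundle. Use True or a CA bundle
        for anything other than a lab device.
    :return: the syslog server object returned by the device on 200, the input object
        on 204, or None on any other status code
    """
    headers = {
        "Accept": "application/json",
        # The body is a JSON string; tell the device so (matches the curl example).
        "Content-Type": "application/json",
        "Authorization": "Bearer {}".format(access_token)
    }
    syslog_server_url = 'api/fdm/latest/object/syslogalerts'
    response = requests.post(
        'https://{host}:{port}/{url}'.format(host=host, port=port, url=syslog_server_url),
        data=json.dumps(syslog_server), verify=verify, headers=headers)
    if response.status_code == 200:
        syslog_server = response.json()
        print(syslog_server)
    elif response.status_code != 204:
        # response.text rather than response.json(): an error body is not guaranteed to be JSON,
        # and raising inside the error path would hide the real status code.
        print("Failed POST syslog server response {} {}".format(response.status_code, response.text))
        syslog_server = None
    return syslog_server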
{
"host":"192.168.1.1",
"useManagementInterface":true,
"port":"514",
"protocol":"UDP",
"type":"syslogserver"
}
Response
{
"version" : "dwpxt7wz56tdd",
"name" : "192.168.1.1:514",
"deviceInterface" : null,
"useManagementInterface" : true,
"protocol" : "UDP",
"id" : "7f99673c-e086-11e9-8be7-2f04a9025802",
"host" : "192.168.1.1",
"port" : "514",
"type" : "syslogserver",
"links" : {
"self" : "https://ftd.example/api/fdm/latest/object/syslogalerts/7f99673c-e086-11e9-8be7-2f04a9025802"
}
}
Step 2
Send an intrusion settings GET request to obtain the device intrusion settings.
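# Read the intrusion settings. A GET carries no body, so there is no --data option here:
# with -d @json.txt curl would silently switch the method to POST.
curl --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer <ACCESS_TOKEN_GOES_HERE>" \
     "https://ftd.example/api/fdm/latest/object/intrusionsettings"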
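def get_intrusion_settings(host, port, access_token, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Send an intrusion settings GET request.
    :param host: ftd host address
    :param port: ftd port
    :param access_token: OAUTH token for device access
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample), True, or the path to a CA bundle. Use True or a CA bundle
        for anything other than a lab device.
    :return: the first intrusion settings object from the device, or None when the
        request fails or the response contains no items
    """
    headers = {
        "Accept": "application/json",
        "Authorization": "Bearer {}".format(access_token)
    }
    intrusion_settings = None
    intrusion_settings_url = 'api/fdm/latest/object/intrusionsettings'
    response = requests.get(
        'https://{host}:{port}/{url}'.format(host=host, port=port, url=intrusion_settings_url),
        verify=verify, headers=headers)
    if response.status_code != 200:
        # response.text rather than response.json(): an error body is not guaranteed to be JSON.
        print("Failed GET intrusion settings response {} {}".format(response.status_code, response.text))
    else:
        # The endpoint answers with a paged list ("items"); the sample response holds a
        # single entry. Guard the lookup so a missing or empty list reports a failure
        # instead of raising TypeError/IndexError.
        items = response.json().get('items') or []
        if items:
            intrusion_settings = items[0]
            print('Intrusion settings found: {}'.format(str(intrusion_settings)))
        else:
            print("Failed GET intrusion settings response {}: no items returned".format(response.status_code))
    return intrusion_settings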
{
"items" : [ {
"version" : "dlcr6u5ijbab7",
"name" : null,
"syslogServer" : null,
"id" : "8d9ac658-c427-11e9-afa9-d3032878a4c7",
"type" : "intrusionsettings",
"links" : {
"self" : "https://ftd.example/api/fdm/latest/object/intrusionsettings/8d9ac658-c427-11e9-afa9-d3032878a4c7"
}
} ],
"paging" : {
"prev" : [ ],
"next" : [ ],
"limit" : 10,
"offset" : 0,
"count" : 1,
"pages" : 0
}
}
Step 3
Send an intrusion settings PUT request to update the device intrusion settings with the syslog server. Append the id from the Step 2 response to the request URL. The JSON text should include the id and type property values from the response to Step 1, and the version, id, and type property values from the response to Step 2.
# Replace the intrusion settings object (id appended to the URL) with the body in json.txt
curl --request PUT \
     --header "Accept: application/json" \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer <ACCESS_TOKEN_GOES_HERE>" \
     --data @json.txt \
     "https://ftd.example/api/fdm/latest/object/intrusionsettings/8d9ac658-c427-11e9-afa9-d3032878a4c7"
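def update_intrusion_settings(host, port, access_token, intrusion_settings, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Send an intrusion settings PUT request.
    :param host: ftd host address
    :param port: ftd port
    :param access_token: OAUTH token for device access
    :param intrusion_settings: intrusion settings object; its 'id' selects the URL and
        the whole dict is serialized with json.dumps as the request body
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample), True, or the path to a CA bundle. Use True or a CA bundle
        for anything other than a lab device.
    :return: the updated intrusion settings object returned by the device on 200, the
        input object on 204, or None on any other status code
    """
    headers = {
        "Accept": "application/json",
        # The body is a JSON string; tell the device so (matches the curl example).
        "Content-Type": "application/json",
        "Authorization": "Bearer {}".format(access_token)
    }
    intrusion_settings_url = 'api/fdm/latest/object/intrusionsettings/{}'.format(intrusion_settings['id'])
    response = requests.put(
        'https://{host}:{port}/{url}'.format(host=host, port=port, url=intrusion_settings_url),
        data=json.dumps(intrusion_settings), verify=verify, headers=headers)
    if response.status_code == 200:
        intrusion_settings = response.json()
        print(intrusion_settings)
    elif response.status_code != 204:
        # response.text rather than response.json(): an error body is not guaranteed to be JSON.
        print("Failed PUT intrusion settings response {} {}".format(response.status_code, response.text))
        intrusion_settings = None
    return intrusion_settings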
{
"version" : "dlcr6u5ijbab7",
"syslogServer" : {
"id" : "7f99673c-e086-11e9-8be7-2f04a9025802",
"type" : "syslogserver"
},
"id" : "8d9ac658-c427-11e9-afa9-d3032878a4c7",
"type" : "intrusionsettings"
}
{
"version" : "nqjwtn2sjclq2",
"name" : null,
"syslogServer" : {
"version" : "dwpxt7wz56tdd",
"name" : "192.168.1.1:514",
"id" : "7f99673c-e086-11e9-8be7-2f04a9025802",
"type" : "syslogserver"
},
"id" : "8d9ac658-c427-11e9-afa9-d3032878a4c7",
"type" : "intrusionsettings",
"links" : {
"self" : "https://ftd.example/api/fdm/latest/object/intrusionsettings/8d9ac658-c427-11e9-afa9-d3032878a4c7"
}
}
Step 4
Perform a deployment to commit the changes.
Complete Intrusionsetting With Syslog Server Script
Combining all of the Python functions from the previous steps
'''
Copyright (c) 2019 Cisco and/or its affiliates.
This software is licensed to you under the terms of the Cisco Sample
Code License, Version 1.1 (the "License"). A copy of the License
can be found in the LICENSE.TXT file of this software or at
https://developer.cisco.com/site/license/cisco-sample-code-license/
All use of the material herein must be in accordance with the terms of
the License. All rights not expressly granted by the License are
reserved. Unless required by applicable law or agreed to separately in
writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
express or implied.
'''
import json
import os

import requests
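def get_access_token(host, port, user, passwd, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Login to FTD device and obtain an access token. The access token is required so that the user can
    connect to the device to send REST API requests.
    :param host: ftd host address
    :param port: ftd port
    :param user: login user name
    :param passwd: login password
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample; also silences urllib3's InsecureRequestWarning), True, or
        the path to a CA bundle. Use True or a CA bundle for anything other than a lab device.
    :return: OAUTH access token, or None when the login fails or the request raises
    """
    access_token = None
    if not verify:
        # Only suppress the InsecureRequestWarning when verification really is off.
        requests.packages.urllib3.disable_warnings()
    # Build the body with json.dumps so quotes and backslashes in the credentials are
    # escaped; formatting them into a JSON template produced an invalid body for such values.
    payload = json.dumps({"grant_type": "password", "username": user, "password": passwd})
    auth_headers = {"Content-Type": "application/json", "Accept": "application/json"}
    try:
        response = requests.post("https://{}:{}/api/fdm/latest/fdm/token".format(host, port),
                                 data=payload, verify=verify, headers=auth_headers)
        if response.status_code == 200:
            access_token = response.json().get('access_token')
            # The token is a bearer credential; do not echo it to stdout/logs.
            print("Login successful, access_token obtained")
        else:
            # response.text rather than response.json(): an error body is not guaranteed to be JSON.
            print("Login failed {} {}".format(response.status_code, response.text))
    except Exception as e:
        # Best-effort boundary for a sample script: report and return None instead of raising.
        print("Exception in POST access token request: {}".format(str(e)))
    return access_token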
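def post_syslog_server(host, port, access_token, syslog_server, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Send syslog server POST request.
    :param host: ftd host address
    :param port: ftd port
    :param access_token: OAUTH token for device access
    :param syslog_server: dict describing the syslog server (host, port, protocol,
        useManagementInterface, type); it is serialized with json.dumps
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample), True, or the path to a CA bundle. Use True or a CA bundle
        for anything other than a lab device.
    :return: the syslog server object returned by the device on 200, the input object
        on 204, or None on any other status code
    """
    headers = {
        "Accept": "application/json",
        # The body is a JSON string; tell the device so (matches the curl example).
        "Content-Type": "application/json",
        "Authorization": "Bearer {}".format(access_token)
    }
    syslog_server_url = 'api/fdm/latest/object/syslogalerts'
    response = requests.post(
        'https://{host}:{port}/{url}'.format(host=host, port=port, url=syslog_server_url),
        data=json.dumps(syslog_server), verify=verify, headers=headers)
    if response.status_code == 200:
        syslog_server = response.json()
        print(syslog_server)
    elif response.status_code != 204:
        # response.text rather than response.json(): an error body is not guaranteed to be JSON,
        # and raising inside the error path would hide the real status code.
        print("Failed POST syslog server response {} {}".format(response.status_code, response.text))
        syslog_server = None
    return syslog_server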
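def get_intrusion_settings(host, port, access_token, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Send an intrusion settings GET request.
    :param host: ftd host address
    :param port: ftd port
    :param access_token: OAUTH token for device access
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample), True, or the path to a CA bundle. Use True or a CA bundle
        for anything other than a lab device.
    :return: the first intrusion settings object from the device, or None when the
        request fails or the response contains no items
    """
    headers = {
        "Accept": "application/json",
        "Authorization": "Bearer {}".format(access_token)
    }
    intrusion_settings = None
    intrusion_settings_url = 'api/fdm/latest/object/intrusionsettings'
    response = requests.get(
        'https://{host}:{port}/{url}'.format(host=host, port=port, url=intrusion_settings_url),
        verify=verify, headers=headers)
    if response.status_code != 200:
        # response.text rather than response.json(): an error body is not guaranteed to be JSON.
        print("Failed GET intrusion settings response {} {}".format(response.status_code, response.text))
    else:
        # The endpoint answers with a paged list ("items"); the sample response holds a
        # single entry. Guard the lookup so a missing or empty list reports a failure
        # instead of raising TypeError/IndexError.
        items = response.json().get('items') or []
        if items:
            intrusion_settings = items[0]
            print('Intrusion settings found: {}'.format(str(intrusion_settings)))
        else:
            print("Failed GET intrusion settings response {}: no items returned".format(response.status_code))
    return intrusion_settings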
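def update_intrusion_settings(host, port, access_token, intrusion_settings, *, verify=False):
    """
    Requires Python v3.0 or greater and requests lib.
    Send an intrusion settings PUT request.
    :param host: ftd host address
    :param port: ftd port
    :param access_token: OAUTH token for device access
    :param intrusion_settings: intrusion settings object; its 'id' selects the URL and
        the whole dict is serialized with json.dumps as the request body
    :param verify: TLS verification setting handed to requests: False (default, as in
        the original sample), True, or the path to a CA bundle. Use True or a CA bundle
        for anything other than a lab device.
    :return: the updated intrusion settings object returned by the device on 200, the
        input object on 204, or None on any other status code
    """
    headers = {
        "Accept": "application/json",
        # The body is a JSON string; tell the device so (matches the curl example).
        "Content-Type": "application/json",
        "Authorization": "Bearer {}".format(access_token)
    }
    intrusion_settings_url = 'api/fdm/latest/object/intrusionsettings/{}'.format(intrusion_settings['id'])
    response = requests.put(
        'https://{host}:{port}/{url}'.format(host=host, port=port, url=intrusion_settings_url),
        data=json.dumps(intrusion_settings), verify=verify, headers=headers)
    if response.status_code == 200:
        intrusion_settings = response.json()
        print(intrusion_settings)
    elif response.status_code != 204:
        # response.text rather than response.json(): an error body is not guaranteed to be JSON.
        print("Failed PUT intrusion settings response {} {}".format(response.status_code, response.text))
        intrusion_settings = None
    return intrusion_settings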
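def main():
    """
    End to end example of code that assigns an intrusion rule syslog server.
    Requires Python v3.0 or greater and the requests library.
    Connection details are taken from the environment variables FTD_HOST, FTD_PORT,
    FTD_USER and FTD_PASSWORD (names chosen by this script); when a variable is unset
    the placeholder value below is used. Set the variables, or update the placeholders,
    to connect to your device.
    """
    # Prefer the environment so the device password does not have to be kept in the source.
    host = os.environ.get('FTD_HOST', 'ftd.example')
    port = os.environ.get('FTD_PORT', '443')
    user = os.environ.get('FTD_USER', 'admin')
    passwd = os.environ.get('FTD_PASSWORD', 'Admin123')
    access_token = get_access_token(host, port, user, passwd)
    if not access_token:
        print("Unable to obtain an access token. Did you remember to set host, port, user, and password?")
        return
    syslog_server = {
        "host": "192.168.100.1",
        "useManagementInterface": True,
        "port": "514",
        "protocol": "UDP",
        "type": "syslogserver"
    }
    syslog_server = post_syslog_server(host, port, access_token, syslog_server)
    if not syslog_server:
        print('Unable to post syslog server')
        return
    intrusion_settings = get_intrusion_settings(host, port, access_token)
    # get_intrusion_settings returns None on failure; without this guard the next line
    # would raise TypeError instead of reporting the failed step.
    if not intrusion_settings:
        print('Unable to get intrusion settings')
        return
    # Attach the created syslog server object; the device stores the reference (id/type)
    # and echoes it back in the PUT response.
    intrusion_settings["syslogServer"] = syslog_server
    intrusion_settings = update_intrusion_settings(host, port, access_token, intrusion_settings)
    if not intrusion_settings:
        print('Unable to update intrusion settings')
        return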
# Script entry point; main() prints a message and returns early on any failed step.
if __name__ == '__main__':
    main()
Login successful, access_token obtained eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1NzA4MTk3MTUsInN1YiI6ImFkbWluIiwianRpIjoiYmFlYjY2ZmQtZWM1Ny0xMWU5LWEwYzItNmQ0NmM1ODBkNDJmIiwibmJmIjoxNTcwODE5NzE1LCJleHAiOjE1NzA4MjE1MTUsInJlZnJlc2hUb2tlbkV4cGlyZXNBdCI6MTU3MDgyMjExNTM4MSwidG9rZW5UeXBlIjoiSldUX0FjY2VzcyIsInVzZXJVdWlkIjoiMjcxYmNkOTEtYWNjYy0xMWU5LWIxOTUtNDlmNzk4YTg1NTk2IiwidXNlclJvbGUiOiJST0xFX0FETUlOIiwib3JpZ2luIjoicGFzc3dvcmQiLCJ1c2VybmFtZSI6ImFkbWluIn0.y-43ENDS6_HyEZSncBN7IX1SfA2xyx8G2cf8M1GNiiI {'port': '514', 'links': {'self': 'https://ftd.example/api/fdm/latest/object/syslogalerts/bb36048f-ec57-11e9-a0c2-bb1f1129779b'}, 'name': '192.168.100.1:514', 'id': 'bb36048f-ec57-11e9-a0c2-bb1f1129779b', 'deviceInterface': None, 'version': 'essqcyadbhq7x', 'type': 'syslogserver', 'host': '192.168.100.1', 'protocol': 'UDP', 'useManagementInterface': True} Intrusion settings found: {'links': {'self': 'https://ftd.example/api/fdm/latest/object/intrusionsettings/5e31c866-accb-11e9-9a9e-9bfd9eef7b33'}, 'name': 'Intrusion-Settings', 'type': 'intrusionsettings', 'version': 'idrtzp3nc5cmf', 'syslogServer': None, 'id': '5e31c866-accb-11e9-9a9e-9bfd9eef7b33'} {'links': {'self': 'https://ftd.example/api/fdm/latest/object/intrusionsettings/5e31c866-accb-11e9-9a9e-9bfd9eef7b33'}, 'name': 'Intrusion-Settings', 'type': 'intrusionsettings', 'version': 'fhltm3vk4poqw', 'syslogServer': {'name': '192.168.100.1:514', 'version': 'essqcyadbhq7x', 'type': 'syslogserver', 'id': 'bb36048f-ec57-11e9-a0c2-bb1f1129779b'}, 'id': '5e31c866-accb-11e9-9a9e-9bfd9eef7b33'} ````