Skip to content

Cisco Firepower

Cisco FirePOWER is a set of management services for Cisco routers. It provides application control, intrusion protection, anti-malware, and URL filtering. There is a management software application called FirePOWER Management Center. FirePOWER log messages can originate both from individual FirePOWER devices and from the FirePOWER Management Center software.

Rule Function

This app has three rules.

The purpose of the first rule is to read Cisco log messages and extract the data elements in the message as certain user tags. This rule recognizes a large number of Cisco log messages.

The purpose of the second rule is to parse certain key-value pairs in the FMC application log message and convert them into corresponding user tags. It also it identifies Cisco log message event types. Last, it detects torrent connections and sets an appropriate user tag.

The purpose of the third rule is to extract the User and Group information from the FirePOWER firewalls, according to the log message format relating to the particular Cisco mnemonic.

Note that the rule behavior is governed in part by the Cisco message code mnemonic. There is overlap between the FTD- and ASA- mnemonics, and for the purposes of this app, those mnemonics are considered identical.

Vendor Documentation

Log Source Details

Item Value
Vendor Cisco
Device Type Firepower
Collection Method Syslog
Configurable Log Output? yes
Log Source Type key-value
Exceptions N/A

Currently Supported Log Types

The two rules deal with two different log message formats. The log message format for the first rule is a list of comma-separated key-value pairs; the key and value in each pair are separated by a colon (:). This type of log message is sent by the FMC application

The log message for the second rule is a common Cisco format consisting of the Cisco mnemonic code followed by variable message text corresponding to the log event type. For purposes of this rule the log event types parsed all contain information about User and Group, as indicated below. This type of log message is sent by Cisco Firepower firewalls.

Parsed Metadata Fields

The first rule, which recognizes the largest set of Cisco log messages, parses the following user tags:

Field Tag Name Example
Source IP SrcIP
Source Port SrcPort dynamic
Destination IP DstIP
Destination Port DstPort dynamic
Source Interface SrcInterface n/a
Destination Interface DstInterface n/a
Mapped Source IP SrcIP Mapped
Mapped Source Port SrcPort Mapped dynamic
Mapped Destination IP DstIP Mapped
Mapped Destination Port DstPort Mapped dynamic
User User n/a

The second rule is restricted to a certain set of key-values to convert to user tags. Those log message keys and the corresponding user tags are:

Key Tag Name Example
Protocol Protocol TCP
SrcPort SrcPort dynamic
EgressInterface Egress Interface outside
EgressZone Egress Zone Outside-ASA
IngressInterface Ingress Interface inside
IngressZone Ingress Zone Inside-ASA
AccessControlRuleAction Access Control Rule Action Allow
AccessControlRuleName Access Control Rule Name IPS_and_AMP_Catch_all
DstPort DstPort http
HTTPReferer HTTP Referer
NAPPolicy NAP Policy Balanced Security and Connectivity
(based on mnemonic) Security Alert Intrusion
(based on connection details) Torrent ->

The third rule deals with a different set of mostly-homogeneous log messages and a smaller set of user tags:

Key Tag Name Example
User User TCP
Group Group TCP
TunnelGroup TunnelGroup TCP
GroupPolicy GroupPolicy TCP

High-Cardinality (HC) Tags

  • SrcIP
  • DstIP
  • SrcIP Mapped
  • DstIP Mapped

Log Examples

Log Examples Rule 1 (FMC application)

Intrusion Detected

Protocol: UDP, SrcIP:, OriginalClientIP: ::, DstIP:,
SrcPort: 42542, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside,
EgressInterface: outside, IngressZone: Inside-ASA, EgressZone:
Outside-ASA, DE: Primary Detection Engine (99ea7fcc-d26a-11e6-ab37-b0df04229f05),
Policy: Corp-FirePower-Policy, ConnectType: End, AccessControlRuleName: Unknown,
AccessControlRuleAction: Allow, Prefilter Policy: Unknown,
UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 3,
InitiatorBytes: 1226, ResponderBytes: 1247, NAPPolicy: Balanced Security and Connectivity,
DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown,
URLReputation: Risk unknown"```

Connection End

EventPriority: Low, DeviceUUID: cefd21fe-afd3-11e8-ac26-a1f3a00f1023,
InstanceID: 2, FirstPacketSecond: 2021-07-20T13:30:45Z, ConnectionID: 60241,
AccessControlRuleAction: Allow, SrcIP:, DstIP:,
SrcPort: 57395, DstPort: 9080, Protocol: tcp, IngressInterface: vlan-91,
EgressInterface: vlan-21, IngressZone: inside, EgressZone: inside,
IngressVRF: Global, EgressVRF: Global, ACPolicy: 91-Cyber-ACP,
AccessControlRuleName: Permit Any, Prefilter Policy: Default Prefilter Policy,
InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128,
ResponderBytes: 70, NAPPolicy: Balanced Security and Connectivity

Log Examples Rule 2 (Firepower firewall)

New TCP Connection

%FTD-svc-5-722034: Group <GP_corpUSA_SplitTunnel> User <jdoe> IP
<> New TCP SVC connection, no existing connection.

No IP Address Available

%FTD-4-722041: TunnelGroup <corpUSA> GroupPolicy <GP_corpUSA_SplitTunnel>
User <jdoe> IP <> No IPv6 address available for SVC connection