
Cisco Firepower Management Center (FMC)

The Cisco Firepower Management Center (FMC) is a virtual application for managing critical Cisco network security solutions. It provides complete and unified management over firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.

Rule Function

This app has two rules.

The purpose of the first rule is to parse certain key-value pairs in the FMC application log message and convert them into corresponding user tags. Secondarily, it detects torrent connections and sets an appropriate user tag.

The purpose of the second rule is to extract the User and Group information from the Firepower firewalls, according to the log message format relating to the particular Cisco mnemonic.

Vendor Documentation

Log Source Details

| Item | Value |
|---|---|
| Vendor | Cisco |
| Device Type | Firepower |
| Collection Method | Syslog |
| Configurable Log Output? | yes |
| Log Source Type | key-value |
| Exceptions | N/A |

Currently Supported Log Types

The two rules deal with two different log message formats. The log message format for the first rule is a list of comma-separated key-value pairs; the key and value in each pair are separated by a colon (:). This type of log message is sent by the FMC application.

The log message for the second rule is a common Cisco format consisting of the Cisco mnemonic code followed by variable message text corresponding to the log event type. For the purposes of this rule, all of the parsed log event types carry User and Group information, as shown below. This type of log message is sent by Cisco Firepower firewalls.

Parsed Metadata Fields

The first rule is restricted to a certain set of key-values to convert to user tags. Those log message keys and the corresponding user tags are:

| Key | Tag Name | Example |
|---|---|---|
| Protocol | Protocol | TCP |
| SrcPort | SrcPort | dynamic |
| EgressInterface | Egress Interface | outside |
| EgressZone | Egress Zone | Outside-ASA |
| IngressInterface | Ingress Interface | inside |
| IngressZone | Ingress Zone | Inside-ASA |
| AccessControlRuleAction | Access Control Rule Action | Allow |
| AccessControlRuleName | Access Control Rule Name | IPS_and_AMP_Catch_all |
| DstPort | DstPort | http |
| HTTPReferer | HTTP Referer | |
| NAPPolicy | NAP Policy | Balanced Security and Connectivity |
| ReferencedHost | Referenced Host | |
| URLCategory | URL Category | Unknown |
| URLReputation | URL Reputation | Risk unknown |
| (based on mnemonic) | Security Alert | Intrusion |
| (based on connection details) | Torrent | -> |

The second rule deals with a different set of mostly-homogeneous log messages and a smaller set of user tags:

| Key | Tag Name | Example |
|---|---|---|
| User | User | TCP |
| Group | Group | TCP |
| TunnelGroup | TunnelGroup | TCP |
| GroupPolicy | GroupPolicy | TCP |

High-Cardinality (HC) Tags

  • SrcIP

Log Examples

Log Examples Rule 1 (FMC application)

Intrusion Detected

```
Protocol: UDP, SrcIP:, OriginalClientIP: ::, DstIP:,
SrcPort: 42542, DstPort: 443, TCPFlags: 0x0, IngressInterface: inside,
EgressInterface: outside, IngressZone: Inside-ASA, EgressZone:
Outside-ASA, DE: Primary Detection Engine (99ea7fcc-d26a-11e6-ab37-b0df04229f05),
Policy: Corp-FirePower-Policy, ConnectType: End, AccessControlRuleName: Unknown,
AccessControlRuleAction: Allow, Prefilter Policy: Unknown,
UserName: No Authentication Required, InitiatorPackets: 3, ResponderPackets: 3,
InitiatorBytes: 1226, ResponderBytes: 1247, NAPPolicy: Balanced Security and Connectivity,
DNSResponseType: No Error, Sinkhole: Unknown, URLCategory: Unknown,
URLReputation: Risk unknown
```

Connection End

```
EventPriority: Low, DeviceUUID: cefd21fe-afd3-11e8-ac26-a1f3a00f1023,
InstanceID: 2, FirstPacketSecond: 2021-07-20T13:30:45Z, ConnectionID: 60241,
AccessControlRuleAction: Allow, SrcIP:, DstIP:,
SrcPort: 57395, DstPort: 9080, Protocol: tcp, IngressInterface: vlan-91,
EgressInterface: vlan-21, IngressZone: inside, EgressZone: inside,
IngressVRF: Global, EgressVRF: Global, ACPolicy: 91-Cyber-ACP,
AccessControlRuleName: Permit Any, Prefilter Policy: Default Prefilter Policy,
InitiatorPackets: 2, ResponderPackets: 1, InitiatorBytes: 128,
ResponderBytes: 70, NAPPolicy: Balanced Security and Connectivity
```

Log Examples Rule 2 (Firepower firewall)

New TCP Connection

```
%FTD-svc-5-722034: Group <GP_corpUSA_SplitTunnel> User <jdoe> IP
<> New TCP SVC connection, no existing connection.
```

No IP Address Available

```
%FTD-4-722041: TunnelGroup <corpUSA> GroupPolicy <GP_corpUSA_SplitTunnel>
User <jdoe> IP <> No IPv6 address available for SVC connection
```
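The two parsing rules described above, written out as a small added Python example (not the app's own rule code): Rule 1 splits the FMC comma-separated `Key: value` list and keeps only the keys in the first tag table, and Rule 2 pulls the mnemonic and the `Key <value>` fields from a Firepower firewall message. The sample messages are the Connection End and No IP Address Available examples from this page, joined onto single lines; the function and constant names are this example's own.

```python
import re

# Rule 1: the FMC keys that become user tags, mapped to the tag names from the table above.
RULE1_TAGS = {
    "Protocol": "Protocol", "SrcPort": "SrcPort", "DstPort": "DstPort",
    "EgressInterface": "Egress Interface", "EgressZone": "Egress Zone",
    "IngressInterface": "Ingress Interface", "IngressZone": "Ingress Zone",
    "AccessControlRuleAction": "Access Control Rule Action",
    "AccessControlRuleName": "Access Control Rule Name",
    "HTTPReferer": "HTTP Referer", "NAPPolicy": "NAP Policy",
    "ReferencedHost": "Referenced Host", "URLCategory": "URL Category",
    "URLReputation": "URL Reputation",
}

# Rule 2: keys that appear as 'Key <value>' in Firepower firewall messages.
RULE2_KEYS = ("User", "Group", "TunnelGroup", "GroupPolicy")
RULE2_RE = re.compile(r"\b(%s) <([^>]*)>" % "|".join(RULE2_KEYS))
MNEMONIC_RE = re.compile(r"^%([^:\s]+):")  # '%FTD-4-722041:' -> 'FTD-4-722041'

def parse_fmc_kv(message):
    """Rule 1: split 'Key: value, ...' and keep only the tagged keys; untagged keys such as DeviceUUID are dropped."""
    tags = {}
    for pair in message.split(","):
        key, sep, value = pair.partition(":")  # first colon only: timestamps contain more colons
        if sep and key.strip() in RULE1_TAGS:  # empty values like 'SrcIP:,' are simply not tagged keys
            tags[RULE1_TAGS[key.strip()]] = value.strip()
    return tags

def parse_ftd_user(message):
    """Rule 2: return the mnemonic plus any User/Group/TunnelGroup/GroupPolicy values found."""
    result = {}
    m = MNEMONIC_RE.match(message)
    if m:
        result["mnemonic"] = m.group(1)
    for key, value in RULE2_RE.findall(message):
        if value:  # an empty '<>' (as in 'IP <>') must not produce a blank tag
            result[key] = value
    return result

# Sample messages taken from this page's log examples, joined onto one line each.
FMC_CONNECTION_END = (
    "EventPriority: Low, DeviceUUID: cefd21fe-afd3-11e8-ac26-a1f3a00f1023, "
    "InstanceID: 2, FirstPacketSecond: 2021-07-20T13:30:45Z, ConnectionID: 60241, "
    "AccessControlRuleAction: Allow, SrcIP:, DstIP:, SrcPort: 57395, DstPort: 9080, "
    "Protocol: tcp, IngressInterface: vlan-91, EgressInterface: vlan-21, "
    "AccessControlRuleName: Permit Any, NAPPolicy: Balanced Security and Connectivity"
)
FTD_NO_IP = ("%FTD-4-722041: TunnelGroup <corpUSA> GroupPolicy <GP_corpUSA_SplitTunnel> "
             "User <jdoe> IP <> No IPv6 address available for SVC connection")
```

Calling `parse_fmc_kv(FMC_CONNECTION_END)` yields eight tags (the untagged DeviceUUID, InstanceID and empty SrcIP/DstIP fields are skipped), and `parse_ftd_user(FTD_NO_IP)` yields the mnemonic with TunnelGroup, GroupPolicy and User but no IP entry.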