Send Cloud-delivered Firewall Management Center-Managed Events to SAL (SaaS) Using Syslog

This procedure provides information about the configuration for sending syslog messages for security events (connection, security intelligence, intrusion, file, and malware events) from devices managed by CDO.

Before you begin

  • Configure policies to generate security events, and verify that the events you expect to see are displayed in the applicable tables under the Analysis menu.

  • Gather information relating to the syslog server IP address, port, and protocol (UDP or TCP).

  • Ensure that your devices can reach the syslog server.

Procedure


Step 1

Log in to CDO.

Step 2

From the CDO menu, click Tools & Services > Firewall Management Center to open the Services page.

Step 3

Click and select Cloud-Delivered FMC and then click Configuration.

Step 4

Configure the syslog settings for your threat defense device:

  1. Click Devices > Platform Settings and edit the platform settings policy that is associated with your threat defense device.

  2. In the left-side navigation pane, click Syslog and configure the syslog settings as follows:

    Click this UI Element... | To Do the Following:
    Logging Setup | Enable logging, specify FTP server settings, and set the Flash usage.
    Logging Destination | Enable logging to specific destinations and specify filtering by message severity level, event class, or a custom event list.
    E-mail Setup | Specify the email address that is used as the source address for syslog messages that are sent as emails.
    Events Lists | Define a custom event list that includes an event class, a severity level, and an event ID.
    Rate Limit | Specify the volume of messages being sent to all the configured destinations and define the message severity level to which you want to assign the rate limits.
    Syslog Settings | Specify the logging facility, enable the inclusion of a time stamp, and enable other settings to set up a server as a syslog destination.
    Syslog Servers | Specify the IP address, protocol that is used, format, and security zone for the syslog server that is designated as a logging destination.

  3. Click Save.

Step 5

Configure the general logging settings for the access control policy (including file and malware logging):

  1. Click Policies > Access Control and then edit the access control policy that is associated with your threat defense device.

  2. Click More and then choose Logging. Configure the general logging settings for the access control policy (including file and malware logging) as follows:

    Click this UI Element... | To Do the Following:
    Send using specific syslog alert | Select a syslog alert from the list of existing predefined alerts or add one by specifying the name, logging host, port, facility, and severity.
    Use the syslog settings configured in the FTD Platform Settings policy deployed on the device | Unify the syslog configuration by configuring it in Platform Settings and reuse the settings in the access control policy. The selected severity is applied to all the connection and intrusion events. The default severity is ALERT.
    Send Syslog messages for IPS events | Send events as syslog messages. The default syslog settings are used unless you override them.
    Send Syslog messages for File and Malware events | Send file and malware events as syslog messages. The default syslog settings are used unless you override them.

  3. Click Save.

Step 6

Enable logging for security intelligence events for the access control policy:

  1. In the same access control policy, click the Security Intelligence tab.

  2. Click Logging and enable security intelligence logging using the following criteria:

    • By Domain Name—Click logging next to the DNS Policy drop-down list.

    • By IP address—Click logging next to Networks.

    • By URL—Click logging next to URLs.

  3. Click Save.

Step 7

Enable syslog logging for each rule in the access control policy:

  1. In the same access control policy, click the Rules tab.

  2. Click a rule to edit.

  3. Click the Logging tab in the rule.

  4. Check the Log at beginning of connection and Log at end of connection check boxes.

  5. If you want to log file events, check the Log Files check box.

  6. Check the Syslog Server check box.

  7. Verify that the rule is Using default syslog configuration in Access Control Logging.

  8. Click Save.

  9. Repeat steps 1 through 8 for each rule in the policy.


What to do next

If you have made all the required changes, deploy your changes to the managed devices.
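After deployment, a practical way to confirm that every event type you enabled above (connection, intrusion, file, malware) is actually reaching the syslog destination is to parse the messages the device emits and count them by type. The following Python script is an added example, not part of this procedure or any Cisco tooling; it assumes the Secure Firewall security-event message IDs 430001 (intrusion), 430002/430003 (connection start/end), 430004 (file) and 430005 (malware) and the "Key: Value, Key: Value" body format, and the sample lines are constructed rather than captured from a device.

```python
import re
from collections import Counter

# Assumed mapping of Secure Firewall security-event message IDs to the event
# types this procedure enables; check your release's syslog message reference.
EVENT_TYPES = {
    "430001": "intrusion",
    "430002": "connection-start",
    "430003": "connection-end",
    "430004": "file",
    "430005": "malware",
}

# %FTD-<severity>-<msgid>: <body>; severity 1 is ALERT, the default on this page.
HEADER_RE = re.compile(r"%FTD-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<body>.*)$")
# Body is "Key: Value, Key: Value, ..."; values may themselves contain colons.
FIELD_RE = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")

# Constructed sample messages (not captured from a real device).
SAMPLE_LINES = [
    "<161>Jan 20 10:00:00 ftd01 %FTD-1-430003: EventPriority: Low, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, FirstPacketSecond: 2024-01-20T10:00:00Z, ConnectionID: 4711, AccessControlRuleAction: Allow, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, SrcPort: 51234, DstPort: 443, Protocol: tcp, IngressZone: inside, EgressZone: outside, ACPolicy: corp-acp, AccessControlRuleName: web-out, ApplicationProtocol: HTTPS",
    "<161>Jan 20 10:00:05 ftd01 %FTD-1-430001: EventPriority: High, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, FirstPacketSecond: 2024-01-20T10:00:04Z, ConnectionID: 4712, SrcIP: 198.51.100.7, DstIP: 10.0.0.8, SrcPort: 40000, DstPort: 80, Protocol: tcp, IntrusionPolicy: balanced, GID: 1, SID: 2100498, Revision: 8, Message: Constructed test signature, Classification: Attempted Admin, Impact: 2",
    "<161>Jan 20 10:00:09 ftd01 %FTD-1-430005: EventPriority: High, DeviceUUID: 00000000-0000-0000-0000-000000000001, InstanceID: 1, FirstPacketSecond: 2024-01-20T10:00:08Z, ConnectionID: 4713, SrcIP: 10.0.0.5, DstIP: 192.0.2.10, SHA_Disposition: Malware, FileName: invoice.pdf, FileType: PDF, FileSize: 2048",
    "<13>Jan 20 10:00:10 ftd01 sshd[1]: Accepted publickey for admin",  # not a security event
]

def parse_event(line):
    """Return the fields of one security-event syslog line, or None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    fields["EventType"] = EVENT_TYPES.get(m.group("msg_id"), "unknown")
    fields["Severity"] = int(m.group("severity"))
    return fields

def summarize(lines):
    """Count parsed events per type, so a type that never arrived shows as absent."""
    counts = Counter()
    for line in lines:
        event = parse_event(line)
        if event is not None:
            counts[event["EventType"]] += 1
    return counts

def missing_types(lines, expected=("connection-end", "intrusion", "file", "malware")):
    """Event types that were enabled in the policy but never arrived at the collector."""
    seen = summarize(lines)
    return [t for t in expected if seen[t] == 0]
```

Feed `summarize` and `missing_types` the lines collected at the syslog server for the deployment window; any type listed as missing points at a logging option in Steps 5 through 7 that was not enabled or not deployed.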