This document describes how to integrate ThreatSTOP’s Policy and Reporting services with a Cisco Firepower device:
- Automated retrieval and updates of IP Defense policies from ThreatSTOP’s systems to the Firepower.
- Automated collection and upload of log files from the Firepower sensors to ThreatSTOP’s systems.
The integration is performed by a Linux-based virtual machine provided by ThreatSTOP, named ThreatSTOP Centralized Manager (TSCM). After its initial installation, the TSCM will retrieve the list of subnets matching the policy configured via the ThreatSTOP Admin portal and make them available as a new Security Intelligence feed for Firepower. Optionally, the Firepower sensors can be configured to send the connection log events to the TSCM via syslog and the TSCM will package and upload log files to ThreatSTOP’s Portal, for analysis and reporting.
Fig 1: Network traffic between ThreatSTOP services, the TSCM, and the Firepower Console and Sensors.
Web Automation features
This document provides the steps when using the Web Automation features of ThreatSTOP. For the command line-based installation, please read this document instead. The Web Automation features are:
- Client configuration settings are managed on the ThreatSTOP portal, instead of using the TSCM command line.
- Changes to the policy selection are automatically propagated from the portal to the TSCM
- The TSCM reports problems applying policies or uploading logs to the ThreatSTOP Portal, providing more visibility into potential system or network problems.
The current version of TSCM is compatible with all Firepower devices running Firepower version 6.x.
This includes Firepower series 2100, 4100, 9300, NGFWv as well as Cisco ASA with Firepower (ASA 5500-FTD-X)
The Maximum Policy Size is the maximum number of ACLs that your device can support. It depends on the hardware and memory available on the device. The performance specifications for Firepower devices are listed here
Current version of TSCM
The current version of the TSCM virtual machine is 1.38. If your TSCM image is older, please download the latest version from the device configuration page in the Admin Portal. You can find out the TSCM version by running
$ tsadmin version
The current version of the Firepower module is 1.00 (included with TSCM 1.38 images)
Installation parameters for experienced users
If you have already created a device entry in the portal, and are familiar with the installation procedure, you can access the TSCM parameters below if you access this document from the Portal Device page.
|Device ID||Retrieved from the device settings page|
|Device Key||Retrieved from the device settings page|
$ tsadmin add --type auto --device_id=[Device ID] --auto_key=[Device Key]
The TSCM is delivered as an OVA or VHD image, built using Ubuntu 16.04 as the base Operating System. It is preconfigured with:
- 2 CPUs
- 2 GB of RAM
- 20 GB of disk space
You will need a Hypervisor such as vSphere, ESXi, Virtualbox or Hyper-V to deploy the image.
To retrieve its configuration and policy, and to upload log data, the TSCM needs the following connectivity:
- DNS over TCP - Policy service
  - Hostname: dns.threatstop.com
  - IP Range: 22.214.171.124/24
  - Outbound TCP port 53 or 5353
- DNS over TLS - Configuration service
  - Hostname: ts-ctp.threatstop.com
  - IP Range: 126.96.36.199/24
  - Outbound TCP port 5353
- HTTPS - Log service
  - Hostname: logs.threatstop.com
  - IP range: 188.8.131.52/28
  - Outbound TCP port 443
  - Direct Connection or via Proxy
- NTP
  - Hostname: ntp.ubuntu.com
  - Outbound UDP port 123
It must also be able to communicate with the Cisco devices:
- TCP Port 8001
  - From the FMC (Console) to the TSCM
- TCP Port 514
  - From each NGFW/ASA (Sensor) to the TSCM
Cisco Firepower credentials
To perform this installation, you need an admin account on the FMC.
Integrating ThreatSTOP with a Cisco Firepower device using Web Automation is performed in 4 steps:
- Configuring the device settings on the Admin Portal
- Downloading and loading the VM image
- Linking the TSCM to the Portal device configuration
- Add and enable a new Security Intelligence Feed using the Firepower FMC
Step 1: Portal
During this step, you will create a device entry on the Admin Portal. You will select a device type (Cisco Firepower) and enter the configuration settings. A minimum configuration only requires a handful of settings but optional, advanced options are also available.
To create a Cisco Firepower device entry:
- Log into the Admin Portal with your ThreatSTOP account
- Browse to the Device page and click Add Device
- Select the Firepower model:
  - Type: IP Defense
  - Manufacturer: Cisco
  - Model: Firepower
  - Integration Type: TSCM with Web Automation
The Admin Portal will display a form to enter the device settings described below and the links to retrieve the TSCM image.
Nickname: this is a mnemonic name used to identify the device. It can be set to any string (A-Z, 0-9, - and _). If you create multiple device entries, each entry must have a unique nickname. The Nickname will be used to identify the device on the TSCM and in the Reporting user interface.
Policy: select a pre-defined policy or a customized policy. It must be an IP Defense Policy.
IP Type: Access to the ThreatSTOP services is controlled in part using an ACL allowing the device IP to connect. If your device has a static public IP address (the most common case), select static. If your device has a dynamic public IP address, the ThreatSTOP services can lookup the IP address using a DNS fully-qualified name (FQDN).
Public IP address: In static mode, this is the public IP address of the TSCM. It is possible to configure multiple device entries with the same public IP address.
Domain name: In Dynamic mode, this is a DNS FQDN which must be kept up-to-date as an A record pointing to the TSCM’s dynamic IP.
Internal IP address: This is the internal address of the FMC console.
Note: An optional field to store a note of your choice about the device - location, identifiers, model…
Enable Log Upload: If enabled, the TSCM will send logs received from the device to the ThreatSTOP reporting system. This is the recommended setting. When disabled, logs for this device will not be available for reporting in the Portal.
Syslog IP address: While the Firepower retrieves the ThreatSTOP feed using the FMC, log events generated by the policy are sent using syslog (TCP/514) directly by each sensor. If your configuration enables log upload, you need to add the IP address of each sensor to allow the TSCM to receive syslog messages.
Maximum Policy Size: Optional limit on the number of entries in the policy. If the policy becomes larger than this setting, the TSCM will truncate it down to the Maximum Policy Size.
Upon saving the form, a device entry will be created in ThreatSTOP’s cloud.
The TSCM supports the following advanced settings, which cover uncommon Firepower configurations or network environments.
DNS Port: The TSCM uses TCP Port 53 (outbound connections) to retrieve policy data. If this port is blocked or filtered (for example, networks using a DNS Application Layer Gateway), use this setting to switch to TCP Port 5353.
Log file size: the TSCM will upload logs after 15 minutes and when the log file size is reached. For systems under very heavy network traffic with many blocked connections, lowering this value will cause logs to be uploaded more often.
Enable policy updates: this setting can be used to temporarily disable policy updates by the TSCM. This is not recommended but can be used if device configuration changes need to be suspended.
Log Upload Proxy: If your environment requires using a proxy to reach HTTPS URLs, you can specify the address of a proxy. The proxy must support HTTPS using the CONNECT protocol. The proxy address must be http://address:port, where address is either an IP address or a fully-qualified domain name. HTTPS proxies are not supported. If you provide a proxy URL, the TSCM configuration will also prompt you for an optional user and password during the TSCM installation. Provide them if the proxy requires authentication.
Step 2: Download and boot image
After creating the device entry, the next step is the download using FTP and installation of the TSCM image.
You can choose between the OVA format (ESXi/vSphere, VirtualBox, Xen…) and the VHD format (Microsoft Hyper-V).
The download link is listed in the Step 2 section, as shown in this image.
- Click on the Copy Download Link to copy the link to your clipboard.
- Use an ftp client of your choice, or a tool such as curl
- For your security: after downloading the file, we encourage you to validate its SHA 256 checksum. Compute it as shown below and compare it to the checksum in the Portal.
$ shasum -a 256 <filename>
- Import the OVA or VHD file in your Hypervisor to create the virtual machine and start it.
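The checksum comparison from the step above can be scripted so that a mismatch stops the import. This is an added example, not ThreatSTOP code; the function name verify_image is hypothetical, and the expected value is whatever the Portal displays for the image you downloaded.

```sh
#!/bin/sh
# Added example, not ThreatSTOP code.
# verify_image FILE EXPECTED_SHA256
# Returns 0 only when FILE hashes to the checksum copied from the Portal,
# 1 on a mismatch, 2 when the arguments cannot be checked at all.
verify_image() {
    file=$1
    # Normalise the pasted value: strip whitespace, lower-case the hex digits.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    # Anything that is not exactly 64 hex digits can never match; fail early.
    case $expected in
        *[!0-9a-f]*) echo "expected checksum is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected checksum must be 64 hex digits" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Hash via stdin so unusual file names cannot change the tool's output format.
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum < "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 < "$file" | awk '{print $1}')
    fi

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the expected checksum"
    else
        echo "MISMATCH: do not import $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# Constructed demo: a 3-byte file whose SHA-256 is the well-known digest of "abc",
# pasted in upper case to show the normalisation.
demo=$(mktemp)
printf 'abc' > "$demo"
verify_image "$demo" 'BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD' || true
rm -f "$demo"
```

Run it as verify_image <filename> <checksum from the Portal> and import the image only when it returns 0.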
Log into the TSCM
The TSCM virtual machine will use DHCP to obtain its IP address. If your Hypervisor doesn’t show the IP address assigned to the virtual machine, you can retrieve it from the console of the TSCM: it is displayed as part of the login prompt.
The virtual machine will be reachable using ssh:
- The default username is: threatstop
- The default password is: threatstop
Step 3: Link the TSCM to the Device entry
After booting the TSCM and logging in via ssh, the third setup step will link the virtual machine to the device entry created in Step 1.
The TSCM has a configuration utility named tsadmin. A reference for the utility is provided here but we will cover the full installation steps below.
Log in with the threatstop account using ssh
Obtain the Device ID and Device Key from the device configuration page. You can copy them to your clipboard by clicking the icon. The Device ID is the string tdid_ followed by 8 alpha-numerical characters.
- Run the following command:
$ tsadmin add --type auto --device_id=[Device ID] --auto_key=[Device Key]
The tsadmin command will first retrieve the device settings from the ThreatSTOP Portal. If the command fails, check the Troubleshooting section.
Once the command completes, the TSCM has successfully linked itself to the device entry in the portal.
$ tsadmin add --type auto --device_id=tdid_abcd1234 --auto_key=BTFDWvEepY2z3LcSjmp3lgW+jUiVjAIF6lYvd2cnCikKO855YiUKfhmEcWvK1Ztouw==
Web Automation - Retrieving configuration from ThreatSTOP Portal
Successfully added tstest
You can view the list of devices linked on the TSCM image:
$ tsadmin list
| Device name | Type | Device ID | Management IP | Log upload ID | Log | Log uploads |
| tstest | firepower | tdid_abcd1234 | 172.16.50.3 | tdid_abcd1234 | 100k | enabled |
- From this point on, the TSCM will retrieve policy data (IP subnets) and make them available over HTTP every hour.
- To force the initial update and proceed with testing, run the following command
$ tsadmin update <device name>
- The block lists and whitelists are made available over HTTP on port 8001. The URLs are:
http://<TSCM IP address>:8001/<device id>/threatstop-block.txt
http://<TSCM IP address>:8001/<device id>/threatstop-allow.txt
They can be retrieved by running tsadmin show <device name>:
threatstop@tsclient:~$ tsadmin show tstest
[...]
Block List URL http://172.16.70.138:8001/tdid_abcd1234/threatstop-block.txt
Allow List URL http://172.16.70.138:8001/tdid_abcd1234/threatstop-allow.txt
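The FMC fetches these files over plain HTTP and the procedure below leaves the MD5 URL empty, so it is worth checking that what the TSCM serves is well-formed and within your Maximum Policy Size before adding the feed. This is an added example, not ThreatSTOP code; check_feed is a hypothetical helper, and it assumes the feed is plain text with one IPv4 address or CIDR block per line.

```sh
#!/bin/sh
# Added example, not ThreatSTOP code. Assumption: the feed is plain text with
# one IPv4 address or CIDR block per line; blank lines and '#' comments are skipped.
#
# check_feed FILE [MAX_ENTRIES]
# Prints "entries=N invalid=M" and returns
#   0  every line parses and the count is within MAX_ENTRIES (0 = no limit)
#   1  at least one malformed line (line numbers go to stderr)
#   2  well-formed, but more entries than MAX_ENTRIES
check_feed() {
    awk -v max="${2:-0}" '
    function valid(s,    parts, n, oct, i) {
        n = split(s, parts, "/")
        if (n > 2) return 0
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
        if (split(parts[1], oct, "[.]") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3 || oct[i] + 0 > 255)
                return 0
        return 1
    }
    {
        sub(/\r$/, "")                    # tolerate CRLF line endings
        gsub(/^[ \t]+|[ \t]+$/, "")       # trim surrounding whitespace
    }
    /^$/ || /^#/ { next }
    {
        if (valid($0)) entries++
        else { invalid++; printf "line %d: not an IPv4 address or CIDR\n", NR > "/dev/stderr" }
    }
    END {
        printf "entries=%d invalid=%d\n", entries, invalid
        if (invalid > 0) exit 1
        if (max + 0 > 0 && entries > max + 0) exit 2
    }' "$1"
}

# Typical use from a host that can reach the TSCM (placeholders as in the text):
#   curl -fsS "http://<TSCM IP address>:8001/<device id>/threatstop-block.txt" -o block.txt
#   check_feed block.txt <Maximum Policy Size>

# Constructed sample feed (documentation address ranges) with one bad prefix length.
sample=$(mktemp)
printf '%s\n' '192.0.2.0/24' '198.51.100.7' '203.0.113.0/33' > "$sample"
check_feed "$sample" 50000 || echo "feed rejected (status $?)"
rm -f "$sample"
```

A status of 1 usually means something other than the feed was returned (for example an error page); a status of 2 means the policy is larger than the limit you passed.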
Step 4: Firepower configuration
The following steps assume that you have access to the Firepower Management Console (FMC) and a configuration that includes at least one policy and one device.
Configuring the Security Intelligence feeds
- Log into the FMC using its Web interface (https://<FMC IP address>)
- Click on the Objects menu
- In the menu, click on the Network Lists and Feeds link located under Security Intelligence
- Click the Add Networks Lists and Feeds button
- Name: select a name of your choice, such as threatstop-block.
- Type: Feed
- Feed URL: Enter the URL of the ThreatSTOP block list (accessed by running tsadmin show <device name> on the TSCM)
- MD5 URL: Leave empty
- Update Frequency: 30 minutes
You can trigger the feed update (Update feeds) to validate the FMC’s ability to connect to the TSCM to retrieve the feed.
- Repeat this step to add a second feed entry pointing to the ThreatSTOP allow list
Enabling the ThreatSTOP feed
- In the FMC, browse to the Policies (Policies > Access Control)
- Select the policy that will be configured with the ThreatSTOP policy (this step can be repeated for any number of Firepower policies)
- Click on the Security Intelligence tab
- Select the ThreatSTOP Block feed created above
- Select the zones that the policy will apply to - typically, the zones identifying your external and internal networks. The ThreatSTOP policy will block both inbound traffic from and outbound traffic to the malicious IPs in your policy
- Click Add to BlockList
- Repeat these steps and add the ThreatSTOP allow feed as a whitelist using the Add to Whitelist button.
- To enable logging of the events generated by the ThreatSTOP policy, click on the blue scroll icon next to Networks, under Blacklist
- In the Network Blacklist Logging options popup:
- Enable Log Connections
- Optionally, enable the Event Viewer option
- Enable the Syslog option
- Click the green plus icon to create a new Syslog Alert
- Name: select a name of choice, e.g. threatstop-syslog
- Host: enter the IP address of the TSCM
- Leave other settings as default (Port 514, Facility: Alert, Severity: Alert)
- Note: Firepower doesn’t log events generated by whitelist feeds.
Deploy the configuration
- Deploy the updated policy using the Deploy button. Select the devices to update.
- It can take a couple of minutes for the policy to be propagated and take effect.
Logging and Reporting
If log upload is enabled, the TSCM will now upload logs every 15 minutes, as long as there were connections blocked by the policy since the last upload. The logs can be analyzed in the IP Defense Reports 15 minutes after they’ve been uploaded.
To check that the log upload feature is able to reach the server:
- After deploying the policy, generate log entries by trying to reach our test address through the device. The command should fail to connect.
- Run the following command on the TSCM to rotate and upload the log file
$ tsadmin logs
If the command doesn’t find a log file, it will exit immediately:
threatstop@tsclient:~$ tsadmin logs
[INFO ] : Starting log upload client
[INFO ] : Log upload client exited
Log files are stored in /var/log/threatstop/devices/<device name>/syslog.
- If no log file is present, check that events are being logged using the Connection Event page (Analysis > Connection > Events) if the policy is configured to log to the event viewer.
- Also check that the IP address of the sensor is included in the syslog IP setting of the TSCM (account for NAT if applicable) and that the sensor can reach the TSCM over TCP/514.
threatstop@tsclient:~$ tsadmin logs
[INFO ] : Starting log upload client
[INFO ] : [Uploader] Loading device configuration
[INFO ] : Processing logs for device [devicename]
[INFO ] : Starting ThreatSTOP logupload operation v2.00 at 24/05/2018 19:34:05
[INFO ] : Verifying log file [/var/log/threatstop/devices/firepower136/syslog.1] stats
[INFO ] : Processing [/var/log/threatstop/devices/devicename/syslog.1] log file
[INFO ] : Start sending data
[INFO ] : Preparing connection data
[INFO ] : Connecting to https://logs.threatstop.com:443/logupload.pl
[INFO ] : Upload was successful [200 OK]
[INFO ] : Completed processing for device [firepower136]
[INFO ] : Finish ThreatSTOP logupload operation at 24/05/2018 19:34:10 after 00:00:05
[INFO ] : Log upload client exited
If the command attempts to upload a log but fails, check the connectivity of the TSCM to ThreatSTOP’s log service, described in the connectivity section of this document.
Support for multiple Firepower devices
A single TSCM image and a single device entry can be configured to publish a policy to multiple Firepower sensors. In this configuration, the same policy will be made available to each sensor, and logs for every sensor will appear under the same, unique device entry in the ThreatSTOP Reports.
It is also possible to create multiple device entries in the portal, and link one TSCM (or different TSCMs) to these entries. In this configuration, multiple feeds can be added to the FMC, and associated with different sensors. This also allows reporting on each sensor independently.
To view the current settings on the TSCM, run
$ tsadmin show <device name>
- After the initial configuration is completed, settings can be edited on the Admin Portal and will be reflected on the device within 5 minutes, including Policy configuration changes.
The TSCM update process will report failures such as:
- failure to download the policy
- failure to connect to the log upload service
Failures are reported on the Device List page of the portal.
To update the TIP and retrieve new versions of the ThreatSTOP software, log in as threatstop and run the following command:
$ sudo apt-get update && sudo apt-get -y dist-upgrade
- To disable the integration, the first step is the removal of the feed from the policy using the FMC
- Once the feed has been removed from the policy and the configuration has been deployed, the Firepower sensors will stop enforcing the policy
- To remove the configuration entirely, remove the ThreatSTOP feeds from the Objects > Security Intelligence feeds and remove the syslog configuration (Policies > Actions > Alerts)
- Next, delete the device on the TSCM. This will stop policy retrieval and log forwarding.
$ tsadmin remove <devicename>
- The last step is to delete the device entry on the Portal, using the Device List page. This step will cause the log data from the device to be unavailable in the Reporting interface of the Portal. If needed, you can recreate a new device entry for the same device, with the same or different settings. Note that the new entry will have a different Device ID for linking the TSCM.
- Failure to link the device: tsadmin add fails with this error: “Failed to connect to Web Automation services”. The common cause is a network connectivity problem using DNS over TLS (Outbound TCP connection to ts-ctp.threatstop.com on port 5353).
- Failure to link the device: tsadmin add fails with this error: “Failed to retrieve settings using Web Automation”. There are three common causes:
  - The Device ID or Device Key is not correct.
  - The system time is not correct. The virtual machine runs an NTP client which must be up-to-date. Check its status with the timedatectl command.
  - The new device entry has not been activated yet. Wait 2-3 minutes and retry.
- Failure to retrieve policy: tsadmin add fails with this error: “block or allow list [name] could not be fetched from ThreatSTOP DNS servers.” There are two common causes:
- A network connectivity problem using DNS over TCP (Outbound connection to ts-dns.threatstop.com on Port 53).
- The policy is not available yet. It typically takes less than 15 minutes for new devices and new policies to be activated in the Policy Service.
- If the network connectivity is ok, and 15 minutes have elapsed since the device entry was created, please contact ThreatSTOP Support at firstname.lastname@example.org.
|1.38||2018-10-09||Support for proxy-based log uploads|
|1.37||2018-10-04||Added network configuration tool|
|1.36||2018-08-08||Remove unnecessary duplicate IP warning; support for Firepower|
|1.35||2018-05-08||Support for advanced settings|
|1.31||2018-03-26||Fix for log upload script|
|1.30||2018-02-06||Support for Web Automation|
- Cisco Firepower Module