https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/258342#M43602 <P>Ended up creating a custom syslog parser. Here are the settings:</P><P>Parser Name : "Cisco FTD (7.6)"<BR />Message Subject : "&lt;148&gt;"<BR />Event Type : "Login"<BR />Delimiter : "&gt;"<BR />Username Prefix : " User &lt;"<BR />Username : "([^&gt;]*)"<BR />Address Prefix : " IPv4 Address &lt;"<BR />Address : "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1adfas.png" style="width: 487px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31549i378B07065FE18BCD/image-size/large?v=v2&amp;px=999" role="button" title="Picture1adfas.png" alt="Picture1adfas.png" /></span></P> Fri, 26 Sep 2025 20:23:48 GMT Heath 2025-09-26T20:23:48Z https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257656#M43443 <P>We currently have Cisco ASA's as VPN Concentrators and have syslogging to a CP IDA Collector to populate the identities for access rules on our CP firewalls.</P><P>We are migrating from the Cisco ASA's to Cisco FTD's and are having issues. We've verified the IPs and verified the traffic is getting allowed to the IDA Collector but it doesn't look like the CP IDA Collector is parsing out any identities from the Cisco FTD's syslogs. When migrating to the Cisco FTD's we are using the same syslog events as was configured and working on the ASA's as well.</P><P>In CP IDA there is only the option for Cisco ASA 9.1 on the syslog options and not anything for the FTD but I'd be surprised if there are differences in the format as you can still get to the ASA CLI under the hood of the FTD code.</P><P>I'm only assuming that we aren't the only ones to do this as the FTD's have been out there for a good bit.</P><P>Has anyone else got experience with this setup?</P> Thu, 18 Sep 2025 18:04:25 GMT https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257656#M43443 Heath 2025-09-18T18:04:25Z https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257672#M43447 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2025-09-18 165601.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31495i4249501B3B0AC293/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2025-09-18 165601.png" alt="Screenshot 2025-09-18 165601.png" /></span></P> Thu, 18 Sep 2025 21:56:39 GMT https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257672#M43447 Heath 2025-09-18T21:56:39Z https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257937#M43495 <P>No one using IDA Collectors with Cisco FTDs?</P> Mon, 22 Sep 2025 17:42:57 GMT https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257937#M43495 Heath 2025-09-22T17:42:57Z https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257949#M43498 <P>Have you tried creating a new Syslog Parser for the FTD?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CPIDC_SysLog.png" style="width: 412px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31510i6C7E6A03AC4B8C83/image-size/large?v=v2&amp;px=999" role="button" title="CPIDC_SysLog.png" alt="CPIDC_SysLog.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CPIDC_SysLog2.png" style="width: 555px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31511iC1CC4C019C9F33DF/image-size/large?v=v2&amp;px=999" role="button" title="CPIDC_SysLog2.png" alt="CPIDC_SysLog2.png" /></span></P> Mon, 22 Sep 2025 20:09:20 GMT https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257949#M43498 CaseyB 2025-09-22T20:09:20Z https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257950#M43499 <P>That would certainly be my last resort. No, we have not gone down that road yet. We were hoping this was something someone had already overcame and we just had a setting wrong or something. I can't see anything wrong except for, like you were saying, maybe we need a custom parser for this.</P> Mon, 22 Sep 2025 20:11:47 GMT https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/257950#M43499 Heath 2025-09-22T20:11:47Z https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/258342#M43602 <P>Ended up creating a custom syslog parser. Here are the settings:</P><P>Parser Name : "Cisco FTD (7.6)"<BR />Message Subject : "&lt;148&gt;"<BR />Event Type : "Login"<BR />Delimiter : "&gt;"<BR />Username Prefix : " User &lt;"<BR />Username : "([^&gt;]*)"<BR />Address Prefix : " IPv4 Address &lt;"<BR />Address : "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1adfas.png" style="width: 487px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/31549i378B07065FE18BCD/image-size/large?v=v2&amp;px=999" role="button" title="Picture1adfas.png" alt="Picture1adfas.png" /></span></P> Fri, 26 Sep 2025 20:23:48 GMT https://community.checkpoint.com/t5/General-Topics/Using-Identity-Awareness-Collector-with-Cisco-FTD-Syslogging/m-p/258342#M43602 Heath 2025-09-26T20:23:48Z