This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Heath
Collaborator
‎2025-09-18 11:04 AM
Jump to solution

Using Identity Awareness Collector with Cisco FTD Syslogging

We currently have Cisco ASA's as VPN Concentrators and have syslogging to a CP IDA Collector to populate the identities for access rules on our CP firewalls.

We are migrating from the Cisco ASA's to Cisco FTD's and are having issues. We've verified the IPs and verified the traffic is getting allowed to the IDA Collector but it doesn't look like the CP IDA Collector is parsing out any identities from the Cisco FTD's syslogs. When migrating to the Cisco FTD's we are using the same syslog events as was configured and working on the ASA's as well.

In CP IDA there is only the option for Cisco ASA 9.1 on the syslog options and not anything for the FTD but I'd be surprised if there are differences in the format as you can still get to the ASA CLI under the hood of the FTD code.

I'm only assuming that we aren't the only ones to do this as the FTD's have been out there for a good bit.

Has anyone else got experience with this setup?

0 Kudos
1 Solution

Accepted Solutions
Heath
Collaborator
‎2025-09-26 01:23 PM
In response to CaseyB
Jump to solution

Ended up creating a custom syslog parser. Here are the settings:

Parser Name : "Cisco FTD (7.6)"
Message Subject : "<148>"
Event Type : "Login"
Delimiter : ">"
Username Prefix : " User <"
Username : "([^>]*)"
Address Prefix : " IPv4 Address <"
Address : "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

Picture1adfas.png

View solution in original post

5 Replies
Heath
Collaborator
‎2025-09-18 02:56 PM
Jump to solution

Screenshot 2025-09-18 165601.png

0 Kudos
Heath
Collaborator
‎2025-09-22 10:42 AM
Jump to solution

No one using IDA Collectors with Cisco FTDs?

0 Kudos
CaseyB
Advisor
‎2025-09-22 01:09 PM
Jump to solution

Have you tried creating a new Syslog Parser for the FTD?

CPIDC_SysLog.png

CPIDC_SysLog2.png

Heath
Collaborator
‎2025-09-22 01:11 PM
In response to CaseyB
Jump to solution

That would certainly be my last resort. No, we have not gone down that road yet. We were hoping this was something someone had already overcame and we just had a setting wrong or something. I can't see anything wrong except for, like you were saying, maybe we need a custom parser for this.

0 Kudos
Heath
Collaborator
‎2025-09-26 01:23 PM
In response to CaseyB
Jump to solution

Ended up creating a custom syslog parser. Here are the settings:

Parser Name : "Cisco FTD (7.6)"
Message Subject : "<148>"
Event Type : "Login"
Delimiter : ">"
Username Prefix : " User <"
Username : "([^>]*)"
Address Prefix : " IPv4 Address <"
Address : "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

Picture1adfas.png

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events