Cisco Secure Firewall, FTD, and XDR: How Firewall Telemetry Powers Better Detection
Cisco Firepower Threat Defense (FTD) running on Cisco Secure Firewall is one of the richest telemetry sources in your stack. Here is how that firewall data feeds Cisco XDR to turn raw events into correlated, prioritized incidents.

Most teams buy a firewall to block traffic and a detection platform to find threats, then treat the two as separate worlds. That separation is exactly where attackers thrive. Cisco Firepower Threat Defense (FTD), the unified software image that runs on Cisco Secure Firewall appliances, generates connection events, intrusion events, file and malware verdicts, and security intelligence hits that describe network behavior in detail no endpoint agent can match. The question is whether that data sits in a syslog archive nobody reads, or whether it actively drives detection.
This post is about the second path. We will walk through how FTD and the Cisco Secure Firewall Management Center feed telemetry into Cisco XDR, why firewall data is one of the six native sources XDR treats as critical, and what that integration changes for a Security Operations Center (SOC) trying to catch multi-stage attacks. If you are evaluating Cisco firewalls and a detection platform together, understanding this pairing is the difference between two tools and one outcome.
What Cisco Firepower Threat Defense (FTD) actually is
Cisco Firepower Threat Defense is the converged software image that combines classic ASA firewalling with next-generation capabilities: application visibility and control, the Snort intrusion prevention engine, URL filtering, and Advanced Malware Protection. FTD runs on Cisco Secure Firewall hardware (the 1000, 3100, and 4200 Series, plus virtual form factors) and is managed centrally through the Cisco Secure Firewall Management Center (FMC), formerly Firepower Management Center. If you are sizing or sourcing those appliances, our team scopes them as part of a broader Cisco security architecture rather than as a standalone box.
The important point for detection is what FTD sees. As an inline enforcement point, it inspects every flow crossing a security boundary. It records who talked to whom, on what application and port, for how long, how much data moved, and whether the connection tripped an intrusion signature, hit a known-bad reputation list, or carried a malicious file. That is a behavioral record of the network, and behavior is where lateral movement, command-and-control beaconing, and data exfiltration leave fingerprints that endpoint-only tools miss.
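One way to show what that behavioral record buys a defender, as an added example that is not Cisco code or the page's own: constructed FTD-style connection-end syslog lines (message ID 430003, key: value pairs; the field names are assumed) are parsed and grouped by source, destination and port, and any pair talking at near-constant intervals is flagged as beacon-like, with the outbound byte total alongside for exfiltration sizing.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Syslog header plus the key: value body FTD writes for connection events.
# Field names (SrcIP, DstIP, DstPort, InitiatorBytes, ...) are an assumption.
HDR_RE = re.compile(r"^<\d+>(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %FTD-\d-(\d+): (.*)$")
FIELD_RE = re.compile(r"(\w+): ([^,]+)")

def parse_event(line):
    """Return the key: value fields of one line plus 'ts' in seconds."""
    m = HDR_RE.match(line)
    dt = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # year-less syslog stamp
    fields = dict(FIELD_RE.findall(m.group(3)))
    fields["ts"] = (dt - datetime(1900, 1, 1)).total_seconds()
    return fields

def beacon_candidates(events, min_flows=4, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose inter-arrival jitter is tiny."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["SrcIP"], e["DstIP"], e["DstPort"])].append(e)
    flagged = {}
    for key, flows in groups.items():
        if len(flows) < min_flows:          # too few flows to judge timing
            continue
        ts = sorted(f["ts"] for f in flows)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # relative jitter
        if cv <= max_cv:
            flagged[key] = {"flows": len(flows), "interval_s": round(mean, 1),
                            "bytes_out": sum(int(f["InitiatorBytes"]) for f in flows)}
    return flagged

def _ev(hms, src, dst, dport, out_bytes):   # builds one constructed sample line
    return (f"<134>Jun 13 {hms} ftd01 %FTD-6-430003: SrcIP: {src}, DstIP: {dst}, "
            f"DstPort: {dport}, Protocol: tcp, InitiatorBytes: {out_bytes}, "
            f"ResponderBytes: 140, AccessControlRuleAction: Allow")

SAMPLE_LINES = [  # constructed: one host beaconing every 60 s, plus ordinary browsing
    _ev("10:00:00", "10.1.5.23", "203.0.113.9", 443, 812),
    _ev("10:01:00", "10.1.5.23", "203.0.113.9", 443, 816),
    _ev("10:02:01", "10.1.5.23", "203.0.113.9", 443, 812),
    _ev("10:03:00", "10.1.5.23", "203.0.113.9", 443, 818),
    _ev("10:04:00", "10.1.5.23", "203.0.113.9", 443, 812),
    _ev("10:00:05", "10.1.5.23", "198.51.100.4", 443, 2210),
    _ev("10:00:09", "10.1.5.23", "198.51.100.4", 443, 1501),
    _ev("10:02:40", "10.1.5.23", "198.51.100.4", 443, 3320),
    _ev("10:03:02", "10.1.5.23", "198.51.100.4", 443, 980),
]

def run(lines=SAMPLE_LINES):
    return beacon_candidates([parse_event(l) for l in lines])

if __name__ == "__main__":
    for (src, dst, port), info in run().items():
        print(f"beacon-like: {src} -> {dst}:{port} {info}")
```

The browsing flows to 198.51.100.4 pass the flow-count gate but fail the jitter test, which is the point: count alone is noise, timing regularity is the fingerprint.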
FTD and FMC versus the older Firepower naming
Cisco has rationalized the branding over time. Firepower Threat Defense is now positioned under the Cisco Secure Firewall umbrella, and Firepower Management Center became Secure Firewall Management Center. Functionally, FTD is still the threat-defense image and FMC is still the on-premises management and analytics console. When you read older documentation referring to Firepower, assume it maps to today's Secure Firewall and FTD. The telemetry model and the way that data can be exported to a detection platform have only gotten richer.
Why firewall telemetry is one of XDR's six critical sources
Cisco XDR is a cloud-native, SaaS-delivered extended detection and response platform that natively analyzes the six telemetry sources SOC operators consider critical: endpoint, network, firewall, email, identity, and DNS. Firewall is a first-class source, not an afterthought. That matters because the firewall sits at the chokepoints attackers must cross. An endpoint agent can be evaded, disabled, or simply absent on an unmanaged or IoT device. The firewall still logs the connection.
When FTD telemetry flows into XDR, the platform's built-in analytics engine correlates those firewall events with endpoint, identity, email, and DNS signals over time, then plots them on a timeline and an attack graph. A blocked connection to a suspicious domain stops being an isolated log line. It becomes one node in a story that might include a phishing email, a credential anomaly from Cisco Identity Services Engine, and a malware verdict from Cisco Secure Endpoint. You can read the full platform overview on our Cisco XDR page, but the short version is that firewall data supplies the network-layer evidence that ties the other sources together.
How FTD and FMC telemetry reaches Cisco XDR
There are several supported paths to get Cisco Secure Firewall data into XDR, and the right one depends on your deployment. Cisco Secure Firewall and the Adaptive Security Appliance are listed among the native Cisco integrations for XDR, so the connection is a built-in capability rather than a custom build.
- Direct integration of Cisco Secure Firewall / FTD as a source, so connection events, intrusion events, and security intelligence data enrich XDR incidents and become available to response actions.
- The XDR Connector (formerly Secure Cloud Analytics Sensor / ONA) or Cisco Telemetry Broker to collect NetFlow / IPFIX, SPAN, and NGFW logs from on-premises and cloud environments and forward them to the cloud platform.
- Flow-based telemetry from the broader network, including endpoint flow logs via the Network Visibility Module in cloud-managed Cisco Secure Client, and agentless flow logs from AWS, Azure, and Google Cloud, which contextualize what the firewall sees at the perimeter with what is happening east-west and in the cloud.
Once connected, FTD events are ingested, normalized, and correlated alongside the other five sources. By default XDR retains data for 90 days, with 180- and 365-day options, and default ingestion is 2 GB per user per month with add-on capacity available. Firewall logging can be voluminous, so ingestion sizing and retention tier are real planning decisions, not afterthoughts. Getting them right is part of scoping the deployment correctly the first time.
What FMC keeps doing after the integration
Feeding XDR does not retire the Secure Firewall Management Center. FMC remains your policy authority for the firewalls: access control rules, intrusion policies, Snort tuning, and the granular packet-level forensics an analyst needs when investigating a specific FTD event. XDR is the correlation and response layer that sits above the firewall and the rest of the stack. Think of FMC as where you manage the firewall and XDR as where you understand what the firewall is telling you in the context of everything else. The two complement each other rather than overlap.
What the integration changes for SOC workflows
The practical payoff shows up in how analysts spend their time. Without correlation, a firewall generates thousands of intrusion and connection events a day, most of them noise, and someone has to triage them. With XDR, those events are folded into a smaller number of correlated incidents, each carrying a priority score from 1 to 1000. That score combines a Detection Risk score (built from MITRE ATT&CK technique financial-risk scoring, the number of techniques observed, and source severity) with an Asset Value you assign to the systems behind the firewall. Analysts work the most materially impactful incidents first instead of chasing the loudest alert.
Cisco XDR also maps native detections to MITRE ATT&CK tactics and techniques and models detection coverage across your integrated tools. That lets you see, concretely, which adversary techniques your firewall plus endpoint plus identity stack actually covers and where the gaps are. For a firewall-heavy environment, this is a useful reality check: a strong perimeter does not equal full coverage, and the coverage view makes that visible.
Investigation and response in minutes, not hours
When an FTD-sourced incident surfaces, XDR's Attack Storyboard uses agentic AI to autonomously verify whether the alert reflects a real attack and assembles the sequence of events, a process that is included across all license tiers, including Essentials. From there, analysts can pivot into the Investigate feature to query every integration for prior sightings and render an artifact relations graph. Response is built in too: guided playbooks follow the SANS PICERL model, and XDR Automation workflows can trigger actions, including instructing the firewall and other tools to contain a threat, via a drag-and-drop editor and one-click content from the Automation Exchange.
License tiers and where firewall telemetry fits
Cisco XDR comes in three tiers, and firewall correlation value starts at the entry point. XDR Essentials delivers the full feature set with built-in integrations across the Cisco Security portfolio, which includes Secure Firewall, plus analytics and correlation, Cisco Talos threat intelligence, the 1-to-1000 prioritization, asset and user context, custom automation, and the Attack Storyboard. XDR Advantage adds commercially supported, Cisco-curated integrations with select third-party tools (third-party EDR, email defense, NGFW, NDR, and SIEM) and XDR Forensics, which collects more than 350 endpoint artifacts plus remote interactive response. XDR Premier delivers the Advantage capabilities as a Cisco-managed detection and response (MXDR) service with around-the-clock monitoring and select Talos Incident Response retainer services.
Cisco does not publish a flat list price for XDR, and you should be wary of any source that quotes one. The cost drivers are the tier you choose, the number of users or endpoints, your data retention period, the ingestion volume (firewall logging can push this up), and the subscription term, alongside any firewall hardware refresh. The way to get a real number is to scope those variables against your environment, which is what a quote does.
Public sector and compliance considerations
For federal, DoD, SLED, and healthcare buyers, the FTD-plus-XDR pairing maps cleanly onto zero-trust priorities. XDR's native MITRE ATT&CK mapping supports threat-informed defense, and its correlation across identity, endpoint, network, and DNS aligns with the pillars of the CISA Zero Trust Maturity Model, including the cross-cutting visibility and analytics and automation and orchestration capabilities. Firewall telemetry is a core part of the network-pillar evidence. XDR also supports US Government Community Cloud (GCC) integrations, including Microsoft Defender for Office 365 GCC and Defender for Endpoint GCC, which matters for agencies on government clouds.
A few procurement realities to keep straight. Cisco XDR is a cloud service, so buyers should verify FedRAMP authorization status per component on the FedRAMP Marketplace at time of purchase rather than assuming a particular impact level. XDR relies on Cisco Security Cloud Control for identity data, and several adjacent Cisco cloud services have achieved or are pursuing FedRAMP authorization. On the hardware side, Cisco Secure Firewall appliances need to be sourced through Trade Agreements Act (TAA) compliant channels, and FIPS-validated cryptography on integrated Cisco hardware supports regulated environments. Government Purchase Card (GPC) eligibility and contract-vehicle scoping are things an authorized partner confirms before you buy. As an authorized Cisco partner, Uniqcli can scope the compliant SKU, retention tier, and ingestion sizing so the firewall and the detection platform land on the right contract path together.
Bringing the firewall and the SOC together
Cisco Secure Firewall with FTD is more than a perimeter control. It is one of the six telemetry sources Cisco XDR treats as critical, and when its connection, intrusion, and file events flow into XDR, the network-layer evidence is correlated with endpoint, identity, email, and DNS signals into prioritized incidents your team can actually action. The firewall keeps doing its job while XDR turns its output into faster, more confident detection and response. To plan the integration, size ingestion and retention, and confirm TAA and GPC compliance for the hardware, start with our Cisco XDR overview and request a tailored quote, or browse current Cisco firewall and security pricing in the shop.
Frequently asked questions
What is the difference between Cisco Firepower Threat Defense (FTD) and Cisco Secure Firewall?
Cisco Secure Firewall is the current product family name for the firewall appliances and software. Firepower Threat Defense (FTD) is the unified software image that runs on those appliances, combining ASA firewalling with next-generation features like the Snort intrusion engine, application control, URL filtering, and malware protection. In short, FTD is the threat-defense software and Secure Firewall is the platform it runs on.
Does Cisco FTD integrate with Cisco XDR?
Yes. Cisco Secure Firewall and the Adaptive Security Appliance are native integrations for Cisco XDR, so FTD connection events, intrusion events, and security intelligence data can feed XDR's correlation engine. You can connect the firewall directly or forward NetFlow, IPFIX, SPAN, and NGFW logs through the XDR Connector or Cisco Telemetry Broker. Once connected, that telemetry is correlated with endpoint, identity, email, and DNS signals into prioritized incidents.
Do I still need the Secure Firewall Management Center (FMC) if I have Cisco XDR?
Yes. The Secure Firewall Management Center remains your policy and analytics console for the firewalls themselves, where you manage access control rules, tune intrusion policies, and run packet-level forensics. Cisco XDR sits above the firewall as the cross-source correlation and response layer. They complement each other: FMC manages the firewall, while XDR interprets what it sees in the context of the rest of the stack.
How much does Cisco XDR cost when adding firewall telemetry?
Cisco does not publish a flat list price for XDR. Cost is driven by the license tier (Essentials, Advantage, or Premier), the number of users or endpoints, your data retention period, ingestion volume, and term length. Firewall logging can increase ingestion needs, so sizing matters. As an authorized Cisco partner, Uniqcli scopes those variables and provides a validated quote.
Why is firewall telemetry important for threat detection?
The firewall sits at the chokepoints attackers must cross and logs every flow, including traffic from unmanaged or IoT devices that have no endpoint agent. That makes firewall data essential for catching lateral movement, command-and-control beaconing, and exfiltration that endpoint-only tools miss. Cisco XDR treats firewall as one of its six critical telemetry sources for exactly this reason.
Uniqcli Team
The Uniqcli Team is an authorized Cisco partner specializing in Catalyst wireless, switching, datacenter fabric, licensing, and managed services for U.S. federal, state, local, and education customers. We scope Cisco bills of materials, validate procurement paths (TAA, FIPS, contract vehicles), and deliver design, deployment, and managed operations.
