Cisco ASA Firewall

Version: Cisco ASA Firewall 5500 Series and later.

Cisco Adaptive Security Appliance (ASA) Software is the core operating system for the Cisco ASA Family.It delivers enterprise-class firewall capabilities for ASA devices in an array of form factors - standalone appliances, blades, and virtual appliances - for any distributed network environment.

Netsurion's Open XDR platform acts as the Syslog Server for Cisco ASA, where Cisco ASA sends Syslog messages via UDP to Appliance's Syslog Listener. The configuration procedures within this document set up Cisco ASA appliances to send Syslog messages to the Cisco Adaptive Security Device Manager (ASDM). Syslog messages are then forwarded to the Netsurion's Open XDR platform from ASDM.

Netsurion Data Source Integration for Cisco Adaptive Security (ASA) allows you to monitor following:-

  • Operations - Syslog messages for different services, account operations (addition, deletion and modification of user and group) and shutdown/restarting of system.
  • Security - Suspicious network activities, if there is any changes in privileges on user logon/authentication activities. (logon, logoff)
  • Compliance - Changes in policy configuration. (addition and deletion)

Once logs are received in to Netsurion, Flex reports and Alerts can be configured into Netsurion.

The following Data Source Integrations are available in Netsurion v7.x and later to support Cisco ASA Firewall monitoring:

Alerts

Type Name Description
Security Cisco ASA - Authentication failed This alert is generated when authentication failed event occurs.
Security Cisco ASA - Failover messages This alert is generated when failover event occurs. Reports:-
Operations Cisco ASA - Access denied This alert is generated when access denied event occurs.
Compliance Cisco ASA - IDS intrusion detection This alert is generated when IDS intrusion detection event occurs.
Compliance Cisco ASA - Security incidents detected This alert is generated when security incidents detected event occurs.

Reports

Type Name Description
Security Cisco ASA - User authentication failed This flex report provides information related to user authentication failed. It gives the information about authentication failed for Username, Source IP, Source port no. and Target IP, Target port no.
Security Cisco ASA - User authentication success This flex report provides information related to user authentication success. It gives the information about authentication success for Username, Source IP, Source port no. and Target IP, Target port no.
Security Cisco ASA - User login failed This flex report provides information related to user login failed. It gives information which User, from Source IP and port no. login failed and what was the logon type.
Security Cisco ASA - User password changed This flex report provides information related to user password changed. It gives information about for which user password has been changed.
Security Cisco ASA - Connection denied This flex report provides information related to traffic denied by firewall. it gives information about Traffic direction, Source and Destination address and port, Protocol details.
Operations Cisco ASA - User account locked out This flex report provides information related to user account locked out. It gives the User account name and Reason why is it locked out.
Operations Cisco ASA - User account unlocked This flex report provides information related to user account unlocked. It gives the User account name and who has unlocked the user account.
Compliance Cisco ASA - Privilege level changed This flex report provides information related to user privilege level changed. It shows from which level to which level user privlilege changed by whom.
Compliance Cisco ASA - Attack detection This flex report provides information related to failure attacks that has occurred from which source address to which targeted address.
Compliance Cisco ASA - Security incident This flex report provides information related to security incident detection.
Compliance Cisco ASA - Traffic details This flex report provides information related to access and denied traffic. it gives information about Traffic direction, Source and Destination address and port, Bytes transfer, Duration for connection and its status.

Documentation

The configuration details are consistent with Netsurion version 7.X and later, Cisco ASA Firewall 5500 Series and later.

Download Integration Guide and How-to Guide for more information and to configuration instructions.

This site uses cookies to store information on your computer. Some are essential to make our site work; others help us improve the user experience. By using the site, you consent to the placement of these cookies. Read our Privacy Statement to learn more.

I Accept