🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Cisco ASA Integration Guide

integrations network cisco firewall


Secureworks® Taegis™ XDR can be configured to accept data from the Cisco ASA Firewall using the Taegis™ XDR Collector. Please follow the instructions below to configure the ASA logging, keeping in mind that syslog_IP may be the IP address of the Taegis™ XDR Collector. Furthermore, the following steps provide monitoring by Secureworks.

Data Provided from Integration

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Cisco ASA Firewall   D Y D       D Y D V    

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Add Cisco ASA Integration

To set up the integration directly in Secureworks® Taegis™ XDR, do the following:

  1. Follow the instructions to configure an On-Premises Data Collector found at On-Premises Data Collector. You can use the On-Premises Data Collector in your environment to collect and forward data from your Cisco ASA Firewall to Secureworks® Taegis™ XDR. If you have a Taegis™ XDR Collector already set up, you can use it for Cisco integrations, or you can set up another one.

  2. Once you have the Taegis™ XDR Collector set up, you must configure your Cisco ASA Firewall to forward its logs to Secureworks® Taegis™ XDR. For more information, see Log Forwarding below.

Log Forwarding

This section provides the necessary actions and steps to configure log forwarding on Cisco firewalls.

Connectivity Requirements

Source Destination Port/Protocol
Firewall_*interface Taegis™ XDR Collector UDP/514

*The source interface of the log messages is the adjacent interface to the Taegis™ XDR Collector. This may be your DMZ interface if the Taegis™ XDR Collector is in your DMZ.

Disable Names Feature

The names feature of Cisco ASA should be disabled if you are forwarding syslog data to Secureworks® Taegis™ XDR. The names feature allows IP addresses to be assigned a common name (alias) on the ASA. When this feature is used, the alias is displayed in log messages in lieu of the IP address. This feature negatively impacts Secureworks® Taegis™ XDR’s ability to effectively monitor the firewall and should be disabled. In the following example, the names feature is disabled:

ciscoasa(config)# show names
no names
ciscoasa(config)#

If this feature is currently enabled for your Cisco ASA Firewall, it can be disabled by issuing the no names command.

Log the Hostname of the Firewall

Because the syslog message does not contain the hostname or IP address of the originating firewall, you must run the logging device-id hostname command so you can distinguish which ASA log belongs to which firewall.

Configure Logging for Standalone or Active/Standby

The following template demonstrates the commands to enable logging on a standalone or active/standby pair of firewalls. If your Cisco ASA is running multiple contexts, please see Configure Logging with Multiple Contexts.

Configuration Notes

ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
logging device-id hostname
ciscoasa(config)#

If these log messages were manually disabled, they must be re-enabled by issuing the logging message 302015 and logging message 302013 commands. For example:

ciscoasa(config)# logging message 302015
ciscoasa(config)# logging message 302013

Configure Logging with Multiple Contexts

The following template demonstrates the commands to enable logging on a multiple context implementation:

ciscoasa(config)# logging enable
ciscoasa(config)# no logging console
ciscoasa(config)# no logging hide username
ciscoasa(config)# logging host <interface> <Taegis&#8482; XDR Collector IP>
ciscoasa(config)# logging buffered informational
ciscoasa(config)# logging trap informational
ciscoasa(config)# logging standby

Configuration Notes

ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
ciscoasa(config)#
ciscoasa(config)# logging device-id <context-name>

More Information

For more on Cisco ASA software and hardware compatibility, see Cisco ASA Compatability Matrices.

 

On this page: