Cisco ASA Integration Guide
Secureworks® Taegis™ XDR can be configured to accept data from the Cisco ASA Firewall using the Taegis™ XDR Collector. Follow the instructions below to configure ASA logging, keeping in mind that syslog_IP may be the IP address of the XDR Collector. Completing the following steps provides monitoring by Secureworks.
Data Provided from Integration ⫘
Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty |
---|---|---|---|---|---|---|---|---|---|---|---|
Cisco ASA Firewall | D | Y | D | D | Y | D | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note: XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Add Cisco ASA Integration ⫘
To set up the integration directly in XDR, do the following:
- Follow the instructions to configure an On-Premises Data Collector found at On-Premises Data Collector. You can use the On-Premises Data Collector in your environment to collect and forward data from your Cisco ASA Firewall to XDR. If you have an XDR Collector already set up, you can use it for Cisco integrations, or you can set up another one.
- Once you have the XDR Collector set up, you must configure your Cisco ASA Firewall to forward its logs to XDR. For more information, see Log Forwarding below.
Log Forwarding ⫘
This section provides the necessary actions and steps to configure log forwarding on Cisco firewalls.
Connectivity Requirements ⫘
Source | Destination | Port/Protocol |
---|---|---|
Firewall interface* | XDR Collector | UDP/514 |
*The source interface of the log messages is the adjacent interface to the XDR Collector. This may be your DMZ interface if the XDR Collector is in your DMZ.
Disable Names Feature ⫘
The names feature of Cisco ASA should be disabled if you are forwarding syslog data to XDR. The names feature allows IP addresses to be assigned a common name (alias) on the ASA. When this feature is used, the alias is displayed in log messages in lieu of the IP address. This feature negatively impacts XDR’s ability to effectively monitor the firewall and should be disabled. In the following example, the names feature is disabled:
ciscoasa(config)# show names
no names
ciscoasa(config)#
If this feature is currently enabled for your Cisco ASA Firewall, it can be disabled by issuing the no names command.
Log the Hostname of the Firewall ⫘
Because the syslog message does not contain the hostname or IP address of the originating firewall, you must run the logging device-id hostname command so you can distinguish which ASA log belongs to which firewall.
Configure Logging for Standalone or Active/Standby ⫘
The following template demonstrates the commands to enable logging on a standalone or active/standby pair of firewalls. If your Cisco ASA is running multiple contexts, please see Configure Logging with Multiple Contexts.
Configuration Notes ⫘
- The no logging hide username command is a new feature for ASA Version 9.3(3) and up, but is not available in 9.4(1).
- The logging standby command is an optional setting and is only applicable if this is an Active/Standby HA pair. This feature provides logs for invalid login attempts on the standby device and lessens the chance of losing logs in the event of a failover. Note that this results in nearly twice the number of logs received from the firewall pair, as logs are duplicated from the primary to the standby.
- Log message IDs 302015 and 302013 must not be disabled; disabling them impairs XDR’s ability to properly generate netflow data. In the following example, these log message IDs were manually disabled:
ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
logging device-id hostname
ciscoasa(config)#
If these log messages were manually disabled, they must be re-enabled by issuing the logging message 302015 and logging message 302013 commands. For example:
ciscoasa(config)# logging message 302015
ciscoasa(config)# logging message 302013
Configure Logging with Multiple Contexts ⫘
The following template demonstrates the commands to enable logging on a multiple context implementation:
ciscoasa(config)# logging enable
ciscoasa(config)# no logging console
ciscoasa(config)# no logging hide username
ciscoasa(config)# logging host <interface> <XDR Collector IP>
ciscoasa(config)# logging buffered informational
ciscoasa(config)# logging trap informational
ciscoasa(config)# logging standby
Configuration Notes ⫘
- Each security context includes its own logging configuration and generates its own messages. Make sure to enable logging on each context that you wish to monitor.
- Syslog messages generated in the system execution space, including failover messages, are viewed in the admin context along with messages generated in the admin context. You cannot configure logging or view any logging information in the system execution space.
- The no logging hide username command is a new feature for ASA Version 9.3(3) and up, but is not available in 9.4(1).
- The logging standby command is an optional setting and is only applicable if this is an Active/Standby HA pair. This feature provides logs for invalid login attempts on the standby device and lessens the chance of losing logs in the event of a failover. Note that this results in nearly twice the number of logs received from the firewall pair, as logs are duplicated from the primary to the standby.
- Log message IDs 302015 and 302013 must not be disabled; disabling them impairs XDR’s ability to properly generate netflow data. In the following example, these log message IDs were manually disabled:
ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
ciscoasa(config)#
- You can configure the ASA to include the context name with each message, which helps you differentiate context messages that are sent to a single syslog server. This feature also helps you to determine which messages are from the admin context and which are from the system; messages that originate in the system execution space use a device ID of system, and messages that originate in the admin context use the name of the admin context as the device ID.
ciscoasa(config)# logging device-id <context-name>
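As an added example (not part of this guide or of Cisco's or Secureworks' tooling), the following Python check reads captured show run logging / show names output and flags the deviations described in the Configuration Notes of both the standalone and multiple-context sections: disabled 302015/302013 messages, a missing logging host or logging device-id line, the names feature still on, and (for an Active/Standby pair) a missing logging standby. The ciscoasa(config)# prompt format and the sample captures are constructed from the examples above; accepting either hostname or context-name as the device-id keyword is an assumption.

```python
import re

# Message IDs the guide says must stay enabled (XDR needs them to build netflow).
REQUIRED_MESSAGE_IDS = ("302015", "302013")
# Lines from the guide's logging template that must appear verbatim.
REQUIRED_LINES = ("logging enable", "no logging console",
                  "logging buffered informational", "logging trap informational")

def audit_asa_logging(config_text, require_standby=False):
    """Return findings for captured `show run logging` / `show names` output.

    An empty list means every setting the guide calls for is present.
    Prompt lines such as `ciscoasa(config)#` are ignored.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("ciscoasa(")]
    findings = [f"missing: {req}" for req in REQUIRED_LINES if req not in lines]
    # logging host <interface> <collector IP>; the interface name is site-specific.
    if not any(re.fullmatch(r"logging host \S+ \S+", ln) for ln in lines):
        findings.append("missing: logging host <interface> <XDR Collector IP>")
    # Either keyword tags each message so XDR can tell firewalls or contexts apart (assumed).
    if not any(re.fullmatch(r"logging device-id (hostname|context-name)", ln) for ln in lines):
        findings.append("missing: logging device-id hostname")
    for msg_id in REQUIRED_MESSAGE_IDS:
        if f"no logging message {msg_id}" in lines:
            findings.append(f"disabled: logging message {msg_id}")
    # A bare `names` line (or `name <ip> <alias>` entries) means aliases replace IPs in syslog.
    if "names" in lines or any(ln.startswith("name ") for ln in lines):
        findings.append("names feature enabled: issue 'no names'")
    if require_standby and "logging standby" not in lines:
        findings.append("missing: logging standby")
    return findings

# Constructed sample: the guide's example in which both message IDs were disabled.
SAMPLE_DISABLED = """\
ciscoasa(config)# sh run log
logging enable
no logging hide username
no logging console
logging buffered informational
logging trap informational
logging host inside 192.168.1.55
no logging message 302015
no logging message 302013
logging device-id hostname
"""
# Constructed sample: the same firewall after re-enabling both IDs and running `no names`.
SAMPLE_FIXED = SAMPLE_DISABLED.replace(
    "no logging message 302015\nno logging message 302013\n", "no names\n")
```

Run audit_asa_logging() over each context's capture separately on a multiple-context ASA, since each context carries its own logging configuration.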
More Information ⫘
For more on Cisco ASA software and hardware compatibility, see Cisco ASA Compatibility Matrices.