Cisco ASA

 

You can integrate a Cisco Adaptive Security Appliance (ASA) with JSA.

A Cisco ASA DSM accepts events through syslog or NetFlow by using NetFlow Security Event Logging (NSEL). JSA records all relevant events. Before you configure JSA, you must configure your Cisco ASA device to forward syslog or NetFlow NSEL events.

Choose one of the following options:

Integrate Cisco ASA Using Syslog

Integrating Cisco ASA by using syslog involves the configuration of a log source, and syslog forwarding.

Complete the following tasks to integrate Cisco ASA by using syslog:

Configuring Syslog Forwarding

To configure Cisco ASA to forward syslog events, some manual configuration is required.

  1. Log in to the Cisco ASA device.
  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Enable logging:

    logging enable

  5. Configure the logging details:

    logging console warning

    logging trap warning

    logging asdm warning

    Note

    The Cisco ASA device can also be configured with logging trap informational to send additional events. However, this may increase the event rate (Events Per Second) of your device.

  6. Type the following command to configure logging to JSA:

    logging host <interface> <IP address>

    Where:

    • <interface> is the name of the Cisco Adaptive Security Appliance interface.

    • <IP address> is the IP address of JSA.

    Note

    The show interfaces command displays all available interfaces for your Cisco device.

  7. Disable the output object name option:

    no names

    Disable the output object name option to ensure that the logs use IP addresses and not the object names.

  8. Exit the configuration:

    exit

  9. Save the changes:

    write mem

The configuration is complete. The log source is added to JSA as Cisco ASA syslog events are automatically discovered. Events that are forwarded to JSA by Cisco ASA are displayed on the Log Activity tab of JSA.
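The following is an added example, not part of the original page. It shows why the `logging trap` level in Step 5 drives event rate: the severity is embedded in each ASA message tag, and only messages at or below the configured level are forwarded. The sample messages are constructed and use documentation addresses.

```python
import re

# Cisco ASA syslog severity keywords and their numeric levels (0 = most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# The severity is embedded in every message tag: %ASA-<level>-<message id>:
ASA_TAG = re.compile(r"%ASA-([0-7])-(\d{6}):")

# Constructed sample messages (documentation addresses), not captured from a device.
SAMPLE = [
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/40112 dst inside:192.0.2.20/22",
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40113",
    "%ASA-6-302014: Teardown TCP connection 1001 duration 0:00:05 bytes 4210 TCP FINs",
    "%ASA-3-710003: TCP access denied by ACL from 198.51.100.9/51000 to outside:192.0.2.1/22",
    "%ASA-5-111008: User 'admin' executed the 'write mem' command.",
]

def trap_level(keyword):
    """Resolve a 'logging trap' keyword; 'warning' is accepted as short for 'warnings'."""
    matches = [lvl for name, lvl in SEVERITY.items() if name.startswith(keyword.lower())]
    if len(matches) != 1:
        raise ValueError(f"unknown or ambiguous severity keyword: {keyword!r}")
    return matches[0]

def forwarded(lines, keyword):
    """Return the message IDs that would be sent to the syslog host at this trap level."""
    limit = trap_level(keyword)
    sent = []
    for line in lines:
        m = ASA_TAG.search(line)
        # A message is forwarded when its severity number is <= the trap level.
        if m and int(m.group(1)) <= limit:
            sent.append(m.group(2))
    return sent

if __name__ == "__main__":
    for level in ("warning", "informational"):
        ids = forwarded(SAMPLE, level)
        print(f"logging trap {level}: {len(ids)} of {len(SAMPLE)} forwarded -> {ids}")
```

At `warning`, the connection build and teardown messages (level 6) never reach JSA, so connection-level visibility requires `informational` and the higher event rate that comes with it.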

Configuring a Log Source

JSA automatically discovers and creates a log source for syslog events from Cisco ASA. The following configuration steps are optional.

To manually configure a log source for Cisco ASA syslog events:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Cisco Adaptive Security Appliance (ASA).
  9. From the Protocol Configuration list, select Syslog.

    The syslog protocol configuration is displayed.

  10. Configure the following values:

    Table 1: Syslog Parameters

    | Parameter | Description |
    |---|---|
    | Log Source Identifier | Type the IP address or host name for the log source as an identifier for events from your OSSEC installations. |

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The configuration is complete.

Integrate Cisco ASA for NetFlow by Using NSEL

Integrating Cisco ASA for NetFlow by using NSEL involves two steps.

This section includes the following topics:

Configuring NetFlow Using NSEL

You can configure Cisco ASA to forward NetFlow events by using NSEL.

  1. Log in to the Cisco ASA device command-line interface (CLI).
  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Disable the output object name option:

    no names

  5. Type the following command to enable NetFlow export:

    flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>

    Where:

    • <interface-name> is the name of the Cisco Adaptive Security Appliance interface for the NetFlow collector.

    • <ipv4-address or hostname> is the IP address or host name of the Cisco ASA device with the NetFlow collector application.

    • <udp-port> is the UDP port number to which NetFlow packets are sent.

    Note

    JSA typically uses port 2055 for NetFlow event data on JSA Flow Processors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow by using NSEL.

  6. Type the following command to configure the NSEL class-map:

    class-map flow_export_class

  7. Choose one of the following traffic options:

    To configure a NetFlow access list to match specific traffic, type the command:

    match access-list flow_export_acl

  8. To configure NetFlow to match any traffic, type the command:

    match any

    Note

    The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in Step 7.

  9. Type the following command to configure the NSEL policy-map:

    policy-map flow_export_policy

  10. Type the following command to define a class for the flow-export action:

    class flow_export_class

  11. Type the following command to configure the flow-export action:

    flow-export event-type all destination <IP address>

    Where <IP address> is the IP address of JSA.

    Note

    If you are using a Cisco ASA version before v8.3, you can skip Step 10 because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.

  12. Type the following command to add the service policy globally:

    service-policy flow_export_policy global

  13. Exit the configuration:

    exit

  14. Save the changes:

    write mem

    You must verify that your collector applications use the Event Time field to correlate events.
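The following is an added example, not part of the original page or of Cisco or Juniper tooling. It audits a saved running-config for the NSEL chain built in the steps above: `no names`, an export port other than 2055, a class-map with a match statement, and a globally applied policy-map with a flow-export action. The sample configuration, its addresses and port 9995 are constructed assumptions.

```python
import re

JSA_FLOW_PORT = 2055  # port the page says JSA Flow Processors typically use
# Constructed running-config excerpt (documentation addresses, assumed port 9995).
SAMPLE = """\
no names
flow-export destination inside 192.0.2.10 9995
class-map flow_export_class
 match any
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 192.0.2.10
service-policy flow_export_policy global
"""

def sections(config):
    """Group a config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for raw in config.splitlines():
        if raw[:1].isspace() and current is not None:
            out[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            out[current] = []
    return out

def audit_nsel(config):
    """Return a list of findings; an empty list means the export chain is complete."""
    cfg, findings, exporting = sections(config), [], False
    if "names" in cfg:
        findings.append("object names are enabled (expected 'no names')")
    hits = (re.fullmatch(r"flow-export destination \S+ (\S+) (\d+)", l) for l in cfg)
    dests = {m.group(1): int(m.group(2)) for m in hits if m}
    for host in (h for h, p in dests.items() if p == JSA_FLOW_PORT):
        findings.append(f"{host}: UDP {JSA_FLOW_PORT} collides with the JSA flow port")
    for top in cfg:
        m = re.fullmatch(r"service-policy (\S+) global", top)
        cls = None
        # Walk only policy-maps that are applied globally.
        for child in cfg.get(f"policy-map {m.group(1)}", []) if m else []:
            if child.startswith("class "):
                cls = child.split()[1]
            act = re.fullmatch(r"flow-export event-type all destination (\S+)", child)
            if act and cls:
                exporting = True
                if not any(c.startswith("match ") for c in cfg.get(f"class-map {cls}", [])):
                    findings.append(f"class-map {cls} has no match statement")
    if not exporting:
        findings.append("no globally applied policy-map carries a flow-export action")
    return findings
```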

Configuring a Log Source

To integrate Cisco ASA that uses NetFlow with JSA, you must manually create a log source to receive NetFlow events.

JSA does not automatically discover or create log sources for syslog events from Cisco ASA devices that use NetFlow and NSEL.

Note

Your system must be running the current version of the NSEL protocol to integrate with a Cisco ASA device that uses NetFlow and NSEL. The NSEL protocol is available on https://support.juniper.net/support/downloads/, or through auto updates in JSA.

To configure a log source:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Cisco Adaptive Security Appliance (ASA).
  9. Using the Protocol Configuration list, select Cisco NSEL.

    The syslog protocol configuration is displayed.

  10. Configure the following values:

    Table 2: Syslog Parameters

    | Parameter | Description |
    |---|---|
    | Log Source Identifier | Type the IP address or host name for the log source. |
    | Collector Port | Type the UDP port number that is used by Cisco ASA to forward NSEL events. The valid range of the Collector Port parameter is 1-65535. JSA typically uses port 2055 for NetFlow event data on the JSA flow processor. You must define a different UDP port on your Cisco Adaptive Security Appliance for NetFlow that uses NSEL. |

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The log source is added to JSA. Events that are forwarded to JSA by Cisco ASA are displayed on the Log Activity tab. For more information on configuring NetFlow with your Cisco ASA device, see your vendor documentation.