Cisco ASA
You can integrate a Cisco Adaptive Security Appliance (ASA) with JSA.
A Cisco ASA DSM accepts events through syslog or NetFlow by using NetFlow Security Event Logging (NSEL). JSA records all relevant events. Before you configure JSA, you must configure your Cisco ASA device to forward syslog or NetFlow NSEL events.
Choose one of the following options:
- Forward events to JSA by using syslog. See Integrate Cisco ASA Using Syslog. Integrating Cisco ASA by using syslog involves the configuration of a log source and syslog forwarding.
- Forward events to JSA by using NetFlow (NSEL). See Integrate Cisco ASA for NetFlow by Using NSEL. Integrating Cisco ASA for NetFlow by using NSEL involves two steps.
Integrate Cisco ASA Using Syslog
Integrating Cisco ASA by using syslog involves the configuration of a log source, and syslog forwarding.
Use the following information to help you integrate Cisco ASA by using the syslog protocol:
Configuring Syslog Forwarding
To configure Cisco ASA to forward syslog events, some manual configuration is required.
- Log in to the Cisco ASA device.
- Type the following command to access privileged EXEC mode:
enable
- Type the following command to access global configuration mode:
conf t
- Enable logging:
logging enable
- Configure the logging details:
logging console warning
logging trap warning
logging asdm warning
Note The Cisco ASA device can also be configured with logging trap informational to send additional events. However, this might increase the event rate (events per second) of your device.
- Type the following command to configure logging to JSA:
logging host <interface> <IP address>
Where:
<interface> is the name of the Cisco Adaptive Security Appliance interface.
<IP address> is the IP address of JSA.
Note Using the command show interfaces displays all available interfaces for your Cisco device.
- Disable the output object name option:
no names
Disable the output object name option to ensure that the logs use IP addresses and not the object names.
- Exit the configuration:
exit
- Save the changes:
write mem
The configuration is complete. The log source is added to JSA as Cisco ASA syslog events are automatically discovered. Events that are forwarded to JSA by Cisco ASA are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for Cisco ASA
If JSA does not automatically detect the log source, add a Cisco ASA log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Cisco ASA:
Table 1: Syslog Log Source Parameters for the Cisco ASA DSM
Parameter | Description |
---|---|
Log Source type | Cisco Adaptive Security Appliance (ASA) |
Protocol Configuration | Syslog |
Log Source Identifier | Type the IP address or host name for the log source. The identifier helps you determine which events came from your Cisco ASA appliance. |
Integrate Cisco ASA for NetFlow by Using NSEL
Integrating Cisco ASA for Netflow by using NSEL involves two steps.
Use the following information to help you integrate Cisco ASA for Netflow by using the NSEL protocol:
Configuring NetFlow Using NSEL
You can configure Cisco ASA to forward NetFlow events by using NSEL.
- Log in to the Cisco ASA device command-line interface (CLI).
- Type the following command to access privileged EXEC mode:
enable
- Type the following command to access global configuration mode:
conf t
- Disable the output object name option:
no names
- Type the following command to enable NetFlow export:
flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>
Where:
<interface-name> is the name of the Cisco Adaptive Security Appliance interface for the NetFlow collector.
<ipv4-address or hostname> is the IP address or host name of the Cisco ASA device with the NetFlow collector application.
<udp-port> is the UDP port number to which NetFlow packets are sent.
Note JSA typically uses port 2055 for NetFlow event data on JSA Flow Processors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow by using NSEL.
- Type the following command to configure the NSEL class-map:
class-map flow_export_class
- Choose one of the following traffic options:
To configure a NetFlow access list to match specific traffic, type the command:
match access-list flow_export_acl
To configure NetFlow to match any traffic, type the command:
match any
Note The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in Step 7.
- Type the following command to configure the NSEL policy-map:
policy-map flow_export_policy
- Type the following command to define a class for the flow-export action:
class flow_export_class
- Type the following command to configure the flow-export action:
flow-export event-type all destination <IP address>
Where <IP address> is the IP address of JSA.
Note If you are using a Cisco ASA version before v8.3, you can skip Step 10 because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.
- Type the following command to add the service policy globally:
service-policy flow_export_policy global
- Exit the configuration:
exit
- Save the changes:
write mem
You must verify that your collector applications use the Event Time field to correlate events.
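After both procedures (syslog forwarding above, and the NSEL configuration just completed) have been applied with write mem, a practitioner usually wants a quick way to confirm that the running configuration actually carries every required line before waiting for events to appear in JSA. The following script is an added example and is not part of the JSA documentation or any Cisco tooling: it checks the text of a show running-config output for the settings listed in the two procedures. The embedded sample configuration is constructed for the example; the interface name inside, the JSA address 192.0.2.10, the NSEL port 2056 (chosen because JSA typically reserves 2055 for its own NetFlow collection) and the ACL body permit ip any any are all assumed placeholder values. The checker does plain line matching and does not scope match lines to the class-map they sit under, which is enough for a first sanity check but not a full config parser.

```python
"""Check a Cisco ASA running configuration for the JSA syslog and NSEL
forwarding settings.  Added example, not from the JSA documentation or
Cisco; interface names, addresses, ports and the ACL body are assumed."""
import re

# Constructed sample of the relevant lines of `show running-config` after
# both procedures were applied (assumed values: interface "inside", JSA at
# 192.0.2.10, NSEL on UDP 2056, ACL flow_export_acl permitting any IP).
SAMPLE_CONFIG = """\
no names
logging enable
logging console warning
logging trap warning
logging asdm warning
logging host inside 192.0.2.10
access-list flow_export_acl extended permit ip any any
flow-export destination inside 192.0.2.10 2056
class-map flow_export_class
 match access-list flow_export_acl
policy-map flow_export_policy
 class flow_export_class
  flow-export event-type all destination 192.0.2.10
service-policy flow_export_policy global
"""

JSA_FLOW_PORT = 2055  # port JSA typically uses for its own NetFlow collection


def _lines(config):
    """Split the config text into stripped, non-empty lines."""
    return [l.strip() for l in config.splitlines() if l.strip()]


def check_syslog_forwarding(config, jsa_ip):
    """Return a dict of boolean findings for the syslog procedure."""
    lines = _lines(config)
    return {
        "logging_enabled": "logging enable" in lines,
        "trap_level_set": any(l.startswith("logging trap ") for l in lines),
        # `logging host <interface> <JSA IP>` must point at the JSA address
        "logging_host": any(
            re.fullmatch(rf"logging host \S+ {re.escape(jsa_ip)}(\s.*)?", l)
            for l in lines),
        # "no names" must be present and "names" must not re-enable objects
        "names_disabled": "no names" in lines and "names" not in lines,
    }


def check_nsel_forwarding(config, jsa_ip):
    """Return a dict of boolean findings for the NetFlow/NSEL procedure."""
    lines = _lines(config)
    findings = {}
    dest = None
    for l in lines:
        m = re.fullmatch(r"flow-export destination (\S+) (\S+) (\d+)", l)
        if m and m.group(2) == jsa_ip:
            dest = (m.group(1), int(m.group(3)))
    findings["flow_export_destination"] = dest is not None
    # the ASA must not send NSEL to the port JSA reserves for flow data
    findings["port_not_jsa_flow_port"] = dest is not None and dest[1] != JSA_FLOW_PORT
    findings["class_map"] = "class-map flow_export_class" in lines
    # the class must match either an ACL that is actually defined, or "any"
    acl_matches = [l for l in lines if l.startswith("match access-list ")]
    if acl_matches:
        wanted = {l.split()[2] for l in acl_matches}
        defined = {l.split()[1] for l in lines if l.startswith("access-list ")}
        findings["acl_exists"] = wanted <= defined
    else:
        findings["acl_exists"] = "match any" in lines
    findings["policy_map"] = "policy-map flow_export_policy" in lines
    findings["flow_export_action"] = any(
        l.startswith("flow-export event-type all destination") for l in lines)
    findings["service_policy_global"] = (
        "service-policy flow_export_policy global" in lines)
    return findings


def config_is_complete(config, jsa_ip):
    """True only when every syslog and NSEL check passes."""
    return (all(check_syslog_forwarding(config, jsa_ip).values())
            and all(check_nsel_forwarding(config, jsa_ip).values()))


if __name__ == "__main__":
    results = {**check_syslog_forwarding(SAMPLE_CONFIG, "192.0.2.10"),
               **check_nsel_forwarding(SAMPLE_CONFIG, "192.0.2.10")}
    for name, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Run it against a saved copy of show running-config by replacing SAMPLE_CONFIG with the file contents; a FAIL on port_not_jsa_flow_port or names_disabled is the most common reason events either never arrive or arrive with object names instead of IP addresses.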
Cisco NSEL Log Source Parameters for Cisco ASA
If JSA does not automatically detect the log source, add a Cisco ASA log source on the JSA Console by using the Cisco NSEL protocol.
Your system must be running the current version of the NSEL protocol to integrate with a Cisco ASA device that uses NetFlow and NSEL. The NSEL protocol is available on https://support.juniper.net/support/downloads/ or through auto updates in JSA.
The following table describes the parameters that require specific values to collect Cisco NSEL events from Cisco ASA:
Table 2: Cisco NSEL Log Source Parameters for the Cisco ASA DSM
Parameter | Description |
---|---|
Log Source type | Cisco Adaptive Security Appliance (ASA) |
Protocol Configuration | Cisco NSEL |
Log Source Identifier | Type the IP address or host name for the log source. The identifier helps you determine which events came from your Cisco ASA appliance. |
Collector Port | Type the UDP port number that is used by Cisco ASA to forward NSEL events. The valid range of the Collector Port parameter is 1-65535. JSA typically uses port 2055 for NetFlow event data on the JSA Flow Processor. You must define a different UDP port on your Cisco Adaptive Security Appliance for NetFlow that uses NSEL. |