Cisco ASA
You can integrate a Cisco Adaptive Security Appliance (ASA) with JSA.
A Cisco ASA DSM accepts events through syslog or NetFlow by using NetFlow Security Event Logging (NSEL). JSA records all relevant events. Before you configure JSA, you must configure your Cisco ASA device to forward syslog or NetFlow NSEL events.
Choose one of the following options:
Forward events to JSA by using syslog. See Integrate Cisco ASA Using Syslog
Forward events to JSA by using NetFlow (NSEL). See Integrate Cisco ASA for NetFlow by Using NSEL
Integrate Cisco ASA Using Syslog
Integrating Cisco ASA by using syslog involves configuring syslog forwarding on the device and a log source in JSA.
Use the following information to help you integrate Cisco ASA by using the syslog protocol:
Configuring Syslog Forwarding
To configure Cisco ASA to forward syslog events, some manual configuration is required.
1. Log in to the Cisco ASA device.
2. Type the following command to access privileged EXEC mode:
enable
3. Type the following command to access global configuration mode:
conf t
4. Enable logging:
logging enable
5. Configure the logging details:
logging console warning
logging trap warning
logging asdm warning
Note: The Cisco ASA device can also be configured with logging trap informational to send additional events. However, this may increase the event rate (Events Per Second) of your device.
6. Type the following command to configure logging to JSA:
logging host <interface> <IP address>
Where:
<interface> is the name of the Cisco Adaptive Security Appliance interface.
<IP address> is the IP address of JSA.
Note: Using the command show interfaces displays all available interfaces for your Cisco device.
7. Disable the output object name option:
no names
Disable the output object name option to ensure that the logs use IP addresses and not the object names.
8. Exit the configuration:
exit
9. Save the changes:
write mem
The configuration is complete. The log source is added to JSA as Cisco ASA syslog events are automatically discovered. Events that are forwarded to JSA by Cisco ASA are displayed on the Log Activity tab of JSA.
Syslog Log Source Parameters for Cisco ASA
If JSA does not automatically detect the log source, add a Cisco ASA log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Cisco ASA:
Parameter | Description
---|---
Log Source type | Cisco Adaptive Security Appliance (ASA)
Protocol Configuration | Syslog
Log Source Identifier | Type the IP address or host name for the log source. The identifier helps you determine which events came from your Cisco ASA appliance.
Integrate Cisco ASA for NetFlow by Using NSEL
Integrating Cisco ASA for NetFlow by using NSEL involves two steps.
Use the following information to help you integrate Cisco ASA for NetFlow by using the NSEL protocol:
Configuring NetFlow Using NSEL
You can configure Cisco ASA to forward NetFlow events by using NSEL.
1. Log in to the Cisco ASA device command-line interface (CLI).
2. Type the following command to access privileged EXEC mode:
enable
3. Type the following command to access global configuration mode:
conf t
4. Disable the output object name option:
no names
5. Type the following command to enable NetFlow export:
flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>
Where:
<interface-name> is the name of the Cisco Adaptive Security Appliance interface for the NetFlow collector.
<ipv4-address or hostname> is the IP address or host name of the Cisco ASA device with the NetFlow collector application.
<udp-port> is the UDP port number to which NetFlow packets are sent.
Note: JSA typically uses port 2055 for NetFlow event data on JSA Flow Processors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow by using NSEL.
6. Type the following command to configure the NSEL class-map:
class-map flow_export_class
7. Choose one of the following traffic options:
- To configure a NetFlow access list to match specific traffic, type the command:
match access-list flow_export_acl
- To configure NetFlow to match any traffic, type the command:
match any
Note: The Access Control List (ACL) must exist on the Cisco ASA device before you define the traffic match option in Step 7.
8. Type the following command to configure the NSEL policy-map:
policy-map flow_export_policy
9. Type the following command to define a class for the flow-export action:
class flow_export_class
10. Type the following command to configure the flow-export action:
flow-export event-type all destination <IP address>
Where <IP address> is the IP address of JSA.
Note: If you are using a Cisco ASA version before v8.3, you can skip Step 10 because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.
11. Type the following command to add the service policy globally:
service-policy flow_export_policy global
12. Exit the configuration:
exit
13. Save the changes:
write mem
You must verify that your collector applications use the Event Time field to correlate events.
Cisco NSEL Log Source Parameters for Cisco ASA
If JSA does not automatically detect the log source, add a Cisco ASA log source on the JSA Console by using the Cisco NSEL protocol.
Your system must be running the current version of the NSEL protocol to integrate with a Cisco ASA device that uses NetFlow and NSEL. The NSEL protocol is available on https://support.juniper.net/support/downloads/ or through auto updates in JSA.
The following table describes the parameters that require specific values to collect Cisco NSEL events from Cisco ASA:
Parameter | Description
---|---
Log Source type | Cisco Adaptive Security Appliance (ASA)
Protocol Configuration | Cisco NSEL
Log Source Identifier | Type the IP address or host name for the log source. The identifier helps you determine which events came from your Cisco ASA appliance.
Collector Port | Type the UDP port number that is used by Cisco ASA to forward NSEL events. The valid range of the Collector Port parameter is 1-65535. JSA typically uses port 2055 for NetFlow event data on the JSA Flow Processor. You must define a different UDP port on your Cisco Adaptive Security Appliance for NetFlow that uses NSEL.
Removing leading domain names from usernames when Cisco ASA events are processed
If you want to change the way that JSA processes Cisco Adaptive Security Appliance (ASA) events, use the DSM Editor to remove leading domain names from usernames.
By default, Cisco ASA events include leading domain names in usernames.
- On the Admin tab, in the Data Sources section, click DSM Editor.
- From the Select Log Source Type window, select Cisco Adaptive Security Appliance (ASA) from the list, and then click Select.
- Click the Configuration tab, and then set Display DSM Parameters Configuration to on.
- From the Event Collector list, select the event collector for the log source.
- Set Remove leading domain name from username to on.
- Click Save and then close the DSM Editor.
Collecting IP addresses for Cisco ASA Teardown TCP connection events
If you want JSA to collect IP addresses for Teardown TCP connection events from Cisco Adaptive Security Appliance (ASA), use the DSM Editor.
- On the Admin tab, in the Data Sources section, click DSM Editor.
- From the Select Log Source Type window, select Cisco Adaptive Security Appliance (ASA) from the list, and then click Select.
- Click the Configuration tab, and then set Display DSM Parameters Configuration to on.
- Set Teardown IP Connection to on.
- Click Save and then close the DSM Editor.
Cisco ASA Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Cisco ASA Sample Message When You Use the Syslog Protocol
The following sample event message shows that the Internet Key Exchange (IKE) protocol obtained an address for the client private IP address from DHCP, or from the address pool. The sample event message also shows that the IP address is assigned to the client.
Aug 11 08:10:34 cisco.asa.test %ASA-6-713228: Group = groupx, Username = userx, IP = 192.0.2.10, Assigned private IP address 192.0.2.11 to remote user
JSA field name | Highlighted values in the event payload
---|---
Event ID | 713228
Source IP | 192.0.2.10
Username | userx
Post NAT Source IP | 192.0.2.11
Identity IP | 192.0.2.11
Identity Group Name | groupx
Identity Username | userx
Device Time | Aug 11 08:10:34
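As an added example (not part of the JSA documentation or the DSM itself), the following Python script parses the sample 713228 message above into the JSA field names from the table, and additionally checks that the IP fields are literal addresses, which is what the no names step on the device is meant to guarantee. The sample line is constructed to match the page's message with the layout spacing removed.

```python
import re
from ipaddress import ip_address

# Constructed sample: the page's %ASA-6-713228 message with the stray
# spaces from the page layout removed.
SAMPLE = ("Aug 11 08:10:34 cisco.asa.test %ASA-6-713228: Group = groupx, "
          "Username = userx, IP = 192.0.2.10, "
          "Assigned private IP address 192.0.2.11 to remote user")

# Cisco ASA syslog header: <timestamp> <host> %ASA-<severity>-<6-digit id>: <body>
HEADER_RE = re.compile(
    r"^(?P<device_time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\S+ %ASA-\d-(?P<event_id>\d{6}): (?P<body>.*)$")
PAIR_RE = re.compile(r"(?P<key>Group|Username|IP) = (?P<val>[^,]+)")
ASSIGNED_RE = re.compile(r"Assigned private IP address (?P<addr>\S+) to remote user")


def is_ip(value):
    """True when the value is a literal IP address rather than an ASA object name."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def parse_asa_713228(line):
    """Map a 713228 message onto the JSA field names from the table above.
    Returns None for non-ASA lines or for other event IDs."""
    m = HEADER_RE.match(line.strip())
    if not m or m["event_id"] != "713228":
        return None
    pairs = {k: v.strip() for k, v in PAIR_RE.findall(m["body"])}
    assigned = ASSIGNED_RE.search(m["body"])
    if not assigned or not {"Group", "Username", "IP"} <= set(pairs):
        return None
    return {
        "Event ID": m["event_id"],
        "Source IP": pairs["IP"],
        "Username": pairs["Username"],
        "Post NAT Source IP": assigned["addr"],
        "Identity IP": assigned["addr"],
        "Identity Group Name": pairs["Group"],
        "Identity Username": pairs["Username"],
        "Device Time": m["device_time"],
        # False means the device is still emitting object names in place of
        # IP addresses, i.e. the 'no names' step was skipped.
        "Literal IPs": is_ip(pairs["IP"]) and is_ip(assigned["addr"]),
    }
```

Run it against a line captured from your own ASA to confirm that every field the table lists is populated and that Literal IPs is True before relying on the events in JSA.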