Cisco ASA

You can integrate a Cisco Adaptive Security Appliance (ASA) with JSA.

A Cisco ASA DSM accepts events through syslog or NetFlow by using NetFlow Security Event Logging (NSEL). JSA records all relevant events. Before you configure JSA, you must configure your Cisco ASA device to forward syslog or NetFlow NSEL events.

Choose one of the following options:

Integrate Cisco ASA Using Syslog

Integrating Cisco ASA by using syslog involves the configuration of a log source, and syslog forwarding.

Use the following information to help you integrate Cisco ASA by using the syslog protocol:

Configuring Syslog Forwarding

To configure Cisco ASA to forward syslog events, some manual configuration is required.

  1. Log in to the Cisco ASA device.

  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Enable logging:

    logging enable

  5. Configure the logging details:

    logging console warning

    logging trap warning

    logging asdm warning

    Note:

    The Cisco ASA device can also be configured with logging trap informational to send additional events. However, this may increase the event rate (Events Per Second) of your device.

  6. Type the following command to configure logging to JSA:

    logging host <interface> <IP address>

    Where:

    • <interface> is the name of the Cisco Adaptive Security Appliance interface.

    • <IP address> is the IP address of JSA.

    Note:

    The interface name is the nameif value that is assigned to the interface (for example, inside). Use the command show nameif to list the interface names on your Cisco ASA device.

  7. Disable the output object name option:

    no names

    Disable the output object name option to ensure that the logs use IP addresses and not the object names.

  8. Exit the configuration:

    exit

  9. Save the changes:

    write mem

The configuration is complete. JSA automatically discovers Cisco ASA syslog events and adds the log source. Events that are forwarded to JSA by Cisco ASA are displayed on the Log Activity tab of JSA.

Syslog Log Source Parameters for Cisco ASA

If JSA does not automatically detect the log source, add a Cisco ASA log source on the JSA Console by using the syslog protocol.

When using the syslog protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect syslog events from Cisco ASA:

Table 1: Syslog Log Source Parameters for the Cisco ASA DSM

Parameter               Description
----------------------  ------------------------------------------------------------------
Log Source type         Cisco Adaptive Security Appliance (ASA)
Protocol Configuration  Syslog
Log Source Identifier   Type the IP address or host name for the log source. The identifier
                        helps you determine which events came from your Cisco ASA appliance.

Integrate Cisco ASA for NetFlow by Using NSEL

Integrating Cisco ASA for NetFlow by using NSEL involves two steps: configuring NetFlow export with NSEL on the Cisco ASA device, and configuring the Cisco NSEL log source in JSA.

Use the following information to help you integrate Cisco ASA for NetFlow by using the NSEL protocol:

Configuring NetFlow Using NSEL

You can configure Cisco ASA to forward NetFlow events by using NSEL.

  1. Log in to the Cisco ASA device command-line interface (CLI).

  2. Type the following command to access privileged EXEC mode:

    enable

  3. Type the following command to access global configuration mode:

    conf t

  4. Disable the output object name option:

    no names

  5. Type the following command to enable NetFlow export:

    flow-export destination <interface-name> <ipv4-address or hostname> <udp-port>

    Where:

    • <interface-name> is the name of the Cisco Adaptive Security Appliance interface through which the NetFlow collector is reached.

    • <ipv4-address or hostname> is the IP address or host name of the NetFlow collector, that is, of JSA.

    • <udp-port> is the UDP port on which the collector listens for NetFlow packets.

    Note:

    JSA typically uses port 2055 for NetFlow event data on JSA Flow Processors. You must configure a different UDP port on your Cisco Adaptive Security Appliance for NetFlow by using NSEL.

  6. Type the following command to configure the NSEL class-map:

    class-map flow_export_class

  7. Choose one of the following traffic options:

    To configure a NetFlow access list to match specific traffic, type the command:

    match access-list flow_export_acl

    To configure NetFlow to match any traffic, type the command:

    match any

    Note:

    The Access Control List (ACL) flow_export_acl must already exist on the Cisco ASA device before you use the match access-list option.

  8. Type the following command to configure the NSEL policy-map:

    policy-map flow_export_policy

  9. Type the following command to define a class for the flow-export action:

    class flow_export_class

  10. Type the following command to configure the flow-export action:

    flow-export event-type all destination <IP address>

    Where <IP address> is the IP address of JSA.

    Note:

    If you are using a Cisco ASA version before v8.3, you can skip Step 10 because the device defaults to the flow-export destination. For more information, see your Cisco ASA documentation.

  11. Type the following command to add the service policy globally:

    service-policy flow_export_policy global

  12. Exit the configuration:

    exit

  13. Save the changes:

    write mem

    You must verify that your collector applications use the Event Time field to correlate events.
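As an added example that is not part of this documentation or of JSA's Cisco NSEL protocol, the following Python script builds a NetFlow v9 packet in the shape an ASA exports after the configuration above and decodes it the way a collector listening on the chosen UDP port would. It shows the template/data flowset dependency (a data flowset cannot be decoded until its template has arrived, so a collector must cache templates across packets), and that the per-record timestamp is the NSEL Event Time field (323) rather than the export time in the packet header, which is the point of the Event Time note above. The field numbers are Cisco's documented NSEL values; template ID 263, the addresses and the timestamps are constructed for the example.

```python
"""Decode a NetFlow v9 packet carrying Cisco ASA NSEL records (added example, not part of the
JSA documentation or of JSA's Cisco NSEL protocol). The packet is constructed here, not captured,
from the standard NetFlow v9 layout and the NSEL field numbers Cisco documents for the ASA:
233 (NF_F_FW_EVENT) and 323 (NF_F_EVENT_TIME_MSEC), plus common IPv4 address/port/protocol fields."""
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

NETFLOW_V9 = 9
# field type -> (name, length in bytes)
FIELD_TYPES = {4: ("protocol", 1), 7: ("src_port", 2), 8: ("src_ip", 4),
               11: ("dst_port", 2), 12: ("dst_ip", 4), 233: ("fw_event", 1), 323: ("event_time_msec", 8)}
FW_EVENTS = {0: "ignore", 1: "flow created", 2: "flow deleted", 3: "flow denied", 5: "flow updated"}
TEMPLATE_FIELDS = [4, 7, 8, 11, 12, 233, 323]


def _encode(ftype: int, value) -> bytes:
    if ftype in (8, 12):
        return IPv4Address(value).packed
    return int(value).to_bytes(FIELD_TYPES[ftype][1], "big")


def build_packet(records: List[Dict], export_secs: int, template_id: int = 263) -> bytes:
    """Header, one template flowset, one data flowset, as an ASA would export them."""
    tmpl = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    tmpl += b"".join(struct.pack("!HH", t, FIELD_TYPES[t][1]) for t in TEMPLATE_FIELDS)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl           # flowset ID 0 = templates
    data = b"".join(_encode(t, r[FIELD_TYPES[t][0]]) for r in records for t in TEMPLATE_FIELDS)
    data += b"\x00" * (-(4 + len(data)) % 4)                          # pad flowset to 4 bytes
    data_set = struct.pack("!HH", template_id, 4 + len(data)) + data
    # count = templates + data records; sysUptime, sequence and source ID are arbitrary here
    header = struct.pack("!HHIIII", NETFLOW_V9, 1 + len(records), 123456, export_secs, 1, 0)
    return header + tmpl_set + data_set


def _decode(ftype: int, raw: bytes):
    name = FIELD_TYPES.get(ftype, (f"field_{ftype}", len(raw)))[0]
    if ftype in (8, 12):
        return name, str(IPv4Address(raw))
    value = int.from_bytes(raw, "big")
    if ftype == 233:
        return name, FW_EVENTS.get(value, f"unknown({value})")
    if ftype == 323:   # NSEL event time: the timestamp collectors should correlate on
        return "event_time", datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return name, value


def parse_packet(packet: bytes, templates: Optional[Dict[int, List[Tuple[int, int]]]] = None):
    """Return (header, records). Pass the same templates dict across calls: like a real
    collector, a data flowset can only be decoded once its template has been seen."""
    templates = {} if templates is None else templates
    version, count, _uptime, export_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != NETFLOW_V9:
        raise ValueError(f"not NetFlow v9 (version {version}); NSEL is exported as v9")
    header = {"count": count, "sequence": seq, "source_id": source_id,
              "export_time": datetime.fromtimestamp(export_secs, tz=timezone.utc)}
    records, off = [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("malformed flowset length")
        body = packet[off + 4:off + set_len]
        off += set_len
        if set_id == 0:                                   # template flowset (may hold several)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif set_id >= 256 and set_id in templates:       # data flowset with a known template
            fields = templates[set_id]
            rec_len = sum(flen for _, flen in fields)
            p = 0
            while rec_len and p + rec_len <= len(body):   # trailing padding is ignored
                rec = {}
                for ftype, flen in fields:
                    name, value = _decode(ftype, body[p:p + flen])
                    rec[name] = value
                    p += flen
                records.append(rec)
    return header, records


# Constructed sample: two flows, exported 5 s after the events they describe.
EVENT_MSEC = 1691741434000                      # 2023-08-11 08:10:34 UTC
SAMPLE_RECORDS = [
    {"protocol": 6, "src_port": 51514, "src_ip": "192.0.2.10", "dst_port": 443,
     "dst_ip": "198.51.100.7", "fw_event": 1, "event_time_msec": EVENT_MSEC},
    {"protocol": 17, "src_port": 40000, "src_ip": "192.0.2.10", "dst_port": 53,
     "dst_ip": "198.51.100.53", "fw_event": 3, "event_time_msec": EVENT_MSEC + 250},
]
SAMPLE_PACKET = build_packet(SAMPLE_RECORDS, export_secs=EVENT_MSEC // 1000 + 5)

if __name__ == "__main__":
    for rec in parse_packet(SAMPLE_PACKET)[1]:
        print(rec["event_time"].isoformat(), rec["fw_event"], rec["src_ip"], "->", rec["dst_ip"], rec["dst_port"])
```

To use it on real traffic, read each UDP payload received on the port you configured with flow-export destination into parse_packet and pass the same templates dictionary for every packet from that ASA. Templates are only re-sent at the interval set by flow-export template timeout-rate, so records that arrive before the first template are expected to be undecodable until then.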

Cisco NSEL Log Source Parameters for Cisco ASA

If JSA does not automatically detect the log source, add a Cisco ASA log source on the JSA Console by using the Cisco NSEL protocol.

Note:

Your system must be running the current version of the NSEL protocol to integrate with a Cisco ASA device that uses NetFlow and NSEL. The NSEL protocol is available on https://support.juniper.net/support/downloads/ or through auto updates in JSA.

The following table describes the parameters that require specific values to collect Cisco NSEL events from Cisco ASA:

Table 2: Cisco NSEL Log Source Parameters for the Cisco ASA DSM

Parameter               Description
----------------------  ------------------------------------------------------------------
Log Source type         Cisco Adaptive Security Appliance (ASA)
Protocol Configuration  Cisco NSEL
Log Source Identifier   Type the IP address or host name for the log source. The identifier
                        helps you determine which events came from your Cisco ASA appliance.
Collector Port          Type the UDP port number that Cisco ASA uses to forward NSEL events.
                        The valid range is 1-65535. JSA typically uses port 2055 for NetFlow
                        event data on the JSA Flow Processor, so you must define a different
                        UDP port on your Cisco Adaptive Security Appliance for NetFlow that
                        uses NSEL.

Removing leading domain names from usernames when Cisco ASA events are processed

If you want to change the way that JSA processes Cisco Adaptive Security Appliance (ASA) events, use the DSM Editor to remove leading domain names from usernames.

By default, Cisco ASA events include leading domain names in usernames.

  1. On the Admin tab, in the Data Sources section, click DSM Editor.

  2. From the Select Log Source Type window, select Cisco Adaptive Security Appliance (ASA) from the list, and then click Select.

  3. Click the Configuration tab, and then set Display DSM Parameters Configuration to on.

  4. From the Event Collector list, select the event collector for the log source.

  5. Set Remove leading domain name from username to on.

  6. Click Save and then close the DSM Editor.

Collecting IP addresses for Cisco ASA Teardown TCP connection events

If you want JSA to collect IP addresses for Teardown TCP connection events from Cisco Adaptive Security Appliance (ASA), use the DSM Editor.

  1. On the Admin tab, in the Data Sources section, click DSM Editor.

  2. From the Select Log Source Type window, select Cisco Adaptive Security Appliance (ASA) from the list, and then click Select.

  3. Click the Configuration tab, and then set Display DSM Parameters Configuration to on.

  4. Set Teardown IP Connection to on.

  5. Click Save and then close the DSM Editor.

Cisco ASA Sample Event Message

Use this sample event message to verify a successful integration with JSA.

Note:

Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Cisco ASA Sample Message When you Use the Syslog protocol

The following sample event message shows that the Internet Key Exchange (IKE) protocol obtained an address for the client private IP address from DHCP, or from the address pool. The sample event message also shows that the IP address is assigned to the client.

Table 3: JSA Field Names and Highlighted Values in the Event Payload

JSA field name          Highlighted values in the event payload
----------------------  ---------------------------------------
Event ID                713228
Source IP               192.0.2.10
Username                userx
Post NAT Source IP      192.0.2.11
Identity IP             192.0.2.11
Identity Group Name     groupx
Identity Username       userx
Device Time             Aug 11 08:10:34
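The following Python script is an added example, not part of this documentation or of the JSA DSM. It parses Cisco ASA syslog lines the way a collector sees them, extracts the Table 3 fields from a 713228 message, strips a leading domain from the username (what the DSM Editor option above does), and flags address fields that contain object names instead of IP addresses, which is what the no names step in the syslog forwarding procedure is meant to prevent. The sample lines are constructed for this example from Cisco's documented 713228 message format and the values in Table 3; they are not a device capture.

```python
"""Parse Cisco ASA syslog lines as a collector would, and check them.

Added example, not part of the JSA documentation or of the JSA DSM. The
sample lines below are constructed for this example (not captured from a
device) following Cisco's documented %ASA-5-713228 message format and the
values listed in Table 3.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Every ASA syslog message carries "%ASA-<severity>-<6-digit message id>:".
HEADER_RE = re.compile(r"%ASA-(?P<severity>[0-7])-(?P<event_id>\d{6}):\s*(?P<body>.*)$")
# Device timestamp prefix when "logging timestamp" is enabled, e.g. "Aug 11 08:10:34".
DEVICE_TIME_RE = re.compile(r"^(?P<device_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
# 713228: Group = <group>, Username = <user>, IP = <peer>
#         Assigned private IP address <assigned> to remote user
MSG_713228_RE = re.compile(
    r"Group = (?P<group>[^,]+), Username = (?P<username>[^,]+), IP = (?P<source_ip>\S+) "
    r"Assigned private IP address (?P<assigned_ip>\S+) to remote user")
# Fields that must hold addresses; "no names" on the ASA is what guarantees it.
IP_FIELDS = ("source_ip", "assigned_ip")


def strip_domain(username: str) -> str:
    """Drop a leading DOMAIN\\ prefix, as the DSM Editor option does for usernames."""
    return username.rsplit("\\", 1)[-1]


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_asa_syslog(line: str) -> Optional[Dict[str, str]]:
    """Return header fields plus the 713228 body fields, or None if not an ASA message."""
    header = HEADER_RE.search(line)
    if not header:
        return None
    event: Dict[str, str] = {"event_id": header.group("event_id"),
                             "severity": header.group("severity")}
    ts = DEVICE_TIME_RE.match(line)
    if ts:
        event["device_time"] = ts.group("device_time")
    if event["event_id"] == "713228":
        body = MSG_713228_RE.match(header.group("body"))
        if body:
            event.update(body.groupdict())
            event["username"] = strip_domain(event["username"])
    return event


def object_name_fields(event: Dict[str, str]) -> List[str]:
    """Address fields holding something other than an IP: a sign "names" is still enabled."""
    return [f for f in IP_FIELDS if f in event and not is_ip(event[f])]


def jsa_fields(event: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map parsed fields onto the JSA field names used in Table 3 (the example's own
    reading of the table, not JSA code)."""
    out: Dict[str, Optional[str]] = {"Event ID": event.get("event_id"),
                                     "Device Time": event.get("device_time")}
    if "assigned_ip" in event:
        out.update({"Source IP": event["source_ip"], "Username": event["username"],
                    "Post NAT Source IP": event["assigned_ip"], "Identity IP": event["assigned_ip"],
                    "Identity Group Name": event["group"], "Identity Username": event["username"]})
    return out


# Constructed sample lines (not captured from a device).
SAMPLE_OK = ("Aug 11 08:10:34 asa01 %ASA-5-713228: Group = groupx, Username = CORP\\userx, "
             "IP = 192.0.2.10 Assigned private IP address 192.0.2.11 to remote user")
SAMPLE_WITH_NAMES = ("Aug 11 08:10:35 asa01 %ASA-5-713228: Group = groupx, Username = userx, "
                     "IP = vpn-peer-1 Assigned private IP address 192.0.2.12 to remote user")

if __name__ == "__main__":
    for line in (SAMPLE_OK, SAMPLE_WITH_NAMES):
        event = parse_asa_syslog(line)
        print(jsa_fields(event))
        bad = object_name_fields(event)
        if bad:
            print("object names instead of IPs in", bad, "- run 'no names' on the ASA")
```

Feed the script a few minutes of forwarded events before adding the log source: any line that object_name_fields flags means the device is still substituting object names for addresses, and JSA will not be able to populate the IP fields in Table 3 until no names is applied and saved.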