External Systems Configuration Guide

Cisco Adaptive Security Appliance (ASA)

What is Discovered and Monitored

Protocol: SNMP (V1, V2c, V3)
Information discovered: Host name, hardware model, network interfaces, hardware component details (serial number, model, manufacturer, software and firmware versions of components such as fans, power supplies and network cards), operating system version, SSM modules such as IPS
Metrics collected: Uptime, CPU and memory utilization, free processor and I/O memory, network interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), firewall connection count
Used for: Availability and Performance Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: Hardware health: temperature, fan and power supply status

Protocol: SNMP (V1, V2c, V3)
Information discovered: OSPF connectivity, neighbors, state, OSPF area
Metrics collected: OSPF state change
Used for: Routing Topology, Availability Monitoring

Protocol: SNMP (V1, V2c, V3)
Metrics collected: IPSec VPN Phase 1 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent Invalid Exchanges, Invalid Received Pkt Dropped, Received Exchanges Rejected, Received Exchanges Invalid. IPSec VPN Phase 2 tunnel metrics: local and remote VPN IP addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent Dropped Packets, Received/Sent Auth Failed, Sent Encrypt Failed, Received Decrypt Failed, Received Replay Failed
Used for: Performance Monitoring

Protocol: Telnet/SSH
Information discovered: Running and startup configuration, interface security levels, routing tables, image file name, flash memory size
Metrics collected: Startup configuration change, delta between running and startup configuration
Used for: Performance Monitoring, Security and Compliance

Protocol: Telnet/SSH
Information discovered: Virtual contexts for multi-context firewalls; ASA interface security levels, needed to set the source and destination IP addresses of syslog events by comparing interface security levels; ASA name mappings from IP addresses to locally unique names, needed to convert names in syslog events back to IP addresses

Protocol: NetFlow (V9)
Information discovered: Open server ports
Metrics collected: Traffic logs (for ASA 8.x and above)
Used for: Security and Compliance

Protocol: Syslog
Information discovered: Device type
Metrics collected: All traffic and system logs
Used for: Security and Compliance

Event Types

In ADMIN > Device Support > Event Types, search for "asa-" to see the event types associated with this device. 

Rules

In RESOURCES > Rules, search for "asa" in the main content panel Search... field to see the rules associated with this device. 

Reports

In RESOURCES > Reports, search for "asa" in the main content panel Search... field to see the reports associated with this device. 

Configuration

  • Don't configure SNMP Trap.
  • Don't configure ASA to send logs via SNMP trap, as FortiSIEM doesn't parse them.

Check Security Levels

Make sure interface security levels are appropriately set in FortiSIEM. In your FortiSIEM Supervisor, go to CMDB > Devices > Network Device > Firewall and select your firewall. Click the Interface tab, and make sure that the inside security level is 100, outside is 0, and other interfaces are in between. This information can either be discovered via SSH or entered manually after SNMP discovery. Without correct security level information, ASA traffic built and teardown logs cannot be parsed correctly (they may not have correct source and destination addresses and ports).

Configuration topics are listed here.

SNMP
  1. Log in to your ASA with administrative privileges.
  2. Configure SNMP with this command.

    snmp-server host <ASA Interface name> <FortiSIEM IP> poll community <community string>
Syslog
  1. Log in to your ASA with administrative privileges.
  2. Enter configuration mode (config terminal).
  3. Enter the following commands:
    • no names
    • logging enable
    • logging timestamp
    • logging monitor errors
    • logging buffered errors
    • logging trap debugging
    • logging debug-trace
    • logging history errors
    • logging asdm errors
    • logging mail emergencies
    • logging facility 16
    • logging host <ASA interface name> <FortiSIEM IP>

Example: Cisco ASA with AnyConnect VPN Logging and SNMPv3

Notes regarding the example:

  • Replace the placeholders in angle brackets (<...>) with your actual values.
  • Replace "inside" with the egress firewall zone (ASA interface) from which logging traffic is sent to FortiSIEM.
  • Avoid whitespace in your passwords, group name, and username.

logging enable
logging timestamp
no logging hide username
logging host inside <IP_address_of_your_FortiSIEM_collector>
logging class auth trap informational
logging class config trap informational
logging class vpn trap informational
logging class vpnc trap debugging
logging class webvpn trap informational
logging class svc trap informational

snmp-server enable
snmp-server group <SNMP_group_name> v3 priv
snmp-server user <Your_chosen_SNMPv3_username> <SNMP_group_name> v3 auth sha <Your_SHA_password> priv aes 128 <Your_AES_Password>
snmp-server host inside <IP_address_of_your_FortiSIEM_collector> poll version 3 <Your_chosen_SNMPv3_username>

Sample Cisco ASA Syslog

<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 for outside:207.68.178.45/80 (207.68.178.45/80) to inside:192.168.20.31/3530 (99.129.50.157/5967)
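The Check Security Levels section explains why FortiSIEM needs the interface security levels, and the sample line above is the kind of message they apply to. As an added illustration (not FortiSIEM's own parser), the following Python example decodes that sample: it splits the syslog PRI (<134> is facility 16, the value set by logging facility 16, with severity 6), then uses an assumed security-level map (inside 100, outside 0) together with the inbound/outbound keyword to decide which side is the source and which the destination, and rejects the message when a level is missing or the two levels are equal. The interface names, the level values and the key names of the returned dictionary are assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed copy of the guide's sample %ASA-6-302013 line, joined onto one line.
SAMPLE_LOG = (
    "<134>Nov 28 2007 17:20:48: %ASA-6-302013: Built outbound TCP connection 76118 "
    "for outside:207.68.178.45/80 (207.68.178.45/80) "
    "to inside:192.168.20.31/3530 (99.129.50.157/5967)"
)

# Assumed interface security levels, as entered on the FortiSIEM CMDB Interface tab
# (inside 100, outside 0; any other interfaces in between).
SECURITY_LEVELS: Dict[str, int] = {"inside": 100, "outside": 0}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# 302013 (TCP) and 302015 (UDP) Built messages share this layout: each side is
# interface:real-address/port followed by the NAT-mapped address/port in parentheses.
BUILT_RE = re.compile(
    r"%ASA-\d-30201[35]: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection (?P<conn>\d+) "
    r"for (?P<if1>[^:\s]+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \((?P<mip1>[\d.]+)/\d+\) "
    r"to (?P<if2>[^:\s]+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \((?P<mip2>[\d.]+)/\d+\)"
)


def parse_priority(line: str) -> Tuple[int, int]:
    """Split the syslog PRI into (facility, severity): <134> -> (16, 6),
    i.e. the 'logging facility 16' (local0) setting and severity informational."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def parse_built(line: str, levels: Dict[str, int]) -> Dict[str, object]:
    """Return src/dst fields, deciding direction from the interface security levels."""
    m = BUILT_RE.search(line)
    if not m:
        raise ValueError("not an ASA Built connection message")
    sides = [(m["if1"], m["ip1"], int(m["port1"]), m["mip1"]),
             (m["if2"], m["ip2"], int(m["port2"]), m["mip2"])]
    missing = [s[0] for s in sides if s[0] not in levels]
    if missing:  # the failure mode the guide warns about: levels not set in the CMDB
        raise ValueError(f"no security level for interface(s) {missing}")
    lvl0, lvl1 = levels[sides[0][0]], levels[sides[1][0]]
    if lvl0 == lvl1:
        raise ValueError("equal security levels: direction cannot be inferred")
    higher = 0 if lvl0 > lvl1 else 1
    # Outbound connections are initiated from the higher-security interface,
    # inbound connections from the lower-security one.
    src_idx = higher if m["dir"] == "outbound" else 1 - higher
    src, dst = sides[src_idx], sides[1 - src_idx]
    return {"conn_id": int(m["conn"]), "proto": m["proto"], "src_ip": src[1], "src_port": src[2],
            "nat_src_ip": src[3], "dst_ip": dst[1], "dst_port": dst[2], "nat_dst_ip": dst[3]}
```

For the sample line the source resolves to the inside host 192.168.20.31/3530 (NAT address 99.129.50.157) and the destination to 207.68.178.45/80, which is what the port numbers suggest; with the level map removed, the same line raises ValueError.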
SSH
  1. Log in to your ASA with administrative privileges.
  2. Configure SSH with this command.
    ssh <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name>
Telnet
  1. Log in to your ASA with administrative privileges.
  2. Configure telnet with this command.
    telnet <FortiSIEM IP> <FortiSIEM IP netmask> <ASA interface name>
Commands Used During Telnet/SSH Communication

The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in FortiSIEM have permission to execute these commands.

Critical Commands

It is critical that the "no names" and "logging timestamp" commands are present in the configuration; otherwise logs will not be parsed correctly.

  1. show startup-config
  2. show running-config
  3. show version
  4. show flash
  5. show context
  6. show ip route
  7. enable
  8. terminal pager 0
  9. terminal length 0

NetFlow

NetFlow is an optimized protocol for collecting high-volume traffic logs. Configure NetFlow with ASDM, the ASA device manager.

Set Up FortiSIEM as a NetFlow Receiver
  1. Log in to ASDM.
  2. Go to Configuration > Device Management > Logging > Netflow.
  3. Under Collectors, click Add.
  4. For Interface, select the ASA interface over which NetFlow will be sent to FortiSIEM.
  5. For IP Address or Host Name, enter the IP address or host name of the FortiSIEM virtual appliance that will receive the NetFlow logs.
  6. For UDP Port, enter 2055.
  7. Click OK.
  8. Select Disable redundant syslog messages.
    This prevents the NetFlow-equivalent events from also being sent via syslog.
  9. Click Apply.
Create a NetFlow Service Policy
  1. Go to Configuration > Firewall > Service Policy Rules.
  2. Click Add.
    The Service Policy Wizard will launch.
  3. Select Global - apply to all interfaces, and then click Next.
  4. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
  5. For Source and Destination, select Any, and then click Next.
  6. For Flow Event Type, select All.
  7. For Collectors, select the FortiSIEM virtual appliance IP address.
  8. Click OK.
Configure the Template Refresh Rate

This is an optional step. The template refresh rate is the number of minutes between sending a template record to FortiSIEM. The default is 30 minutes, and in most cases this is sufficient. Since flow templates are dynamic, FortiSIEM cannot process a flow until it knows the details of the corresponding template. This command is not always needed, but if flows are not showing up in FortiSIEM even though tcpdump shows them arriving, it is worth trying.

flow-export template timeout-rate 1

You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials

SNMP Access Credentials for All Devices

Use these Access Method Definition settings to allow FortiSIEM to access your device over SNMP. Set the Name and Community String.

Setting           Value
Name              <set name>
Device Type       Generic
Access Protocol   SNMP
Community String  <your own>

Telnet Access Credentials for All Devices

These are the generic settings for providing Telnet access to your device from FortiSIEM.

Setting           Value
Name              Telnet-generic
Device Type       Generic
Access Protocol   Telnet
Port              23
User Name         A user who has permission to access the device over Telnet
Password          The password associated with the user

SSH Access Credentials for All Devices

These are the generic settings for providing SSH access to your device from FortiSIEM.

Setting           Value
Name              ssh-generic
Device Type       Generic
Access Protocol   SSH
Port              22
User Name         A user who has access credentials for your device over SSH
Password          The password for the user
