- ASA FirePOWER Module User Guide
- Introduction to the Cisco ASA FirePOWER Module
- Managing Reusable Objects
- Managing Device Configuration
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Controlling Traffic Based on Users
- Controlling Traffic Using Intrusion and File Policies
- Understanding Network Analysis and Intrusion Policies
- Using Layers in a Network Analysis or Intrusion Policy
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Policies Using Rules
- Detecting Specific Threats
- Globally Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Viewing Events
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Using the ASA FirePOWER Dashboard
- Using ASA FirePOWER Reporting
- Scheduling Tasks
- Managing System Policies
- Configuring ASA FirePOWER Module Settings
- Licensing the FireSIGHT System ASA FirePOWER Module
- Updating ASA FirePOWER Module Software
- Monitoring the System
- Using Backup and Restore
- Generating Troubleshooting Files
- Importing and Exporting Configurations
- Viewing the Status of Long-Running Tasks
- Security, Internet Access, and Communication Ports
Configuring External Alerting
While the ASA FirePOWER module provides various views of events within the module interface, you may want to configure external event notification to facilitate constant monitoring of critical systems. You can configure the module to generate alerts that notify you via email, SNMP trap, or syslog when one of the following is generated:
- a network-based malware event or retrospective malware event
- a connection event, triggered by a specific access control rule
To have the ASA FirePOWER module send these alerts, you must first create an alert response, which is a set of configurations that allows the module to interact with the external system where you plan to send the alert. Those configurations may specify, for example, SNMP alerting parameters or syslog facilities and priorities.
After you create the alert response, you associate it with the event that you want to use to trigger the alert. Note that the process for associating alert responses with events is different depending on the type of event:
- You associate alert responses with malware events using their own configuration pages.
- You associate SNMP and syslog alert responses with logged connections using access control rules and policies.
There is another type of alerting you can perform in the ASA FirePOWER module, which is to configure SNMP and syslog intrusion event notifications for individual intrusion events. You configure these notifications in intrusion policies; see Configuring External Alerting for Intrusion Rules and Adding SNMP Alerts. The following table explains the licenses you must have to generate alerts.
|
|
---|---|
Working with Alert Responses
The first step in configuring external alerting is to create an alert response, which is a set of configurations that allows the ASA FirePOWER module to interact with the external system where you plan to send the alert. You can create alert responses to send alerts via email, a simple network management protocol (SNMP) trap, or a system log (syslog).
The information you receive in an alert depends on the type of event that triggered the alert.
When you create an alert response, it is automatically enabled. Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations.
You manage alert responses on the Alerts page ( ASA FirePOWER Configuration > Policies > Actions Alerts). The slider next to each alert response indicates whether it is active; only enabled alert responses can generate alerts. The page also indicates whether the alert response is being used in a configuration, for example, to log connections in an access control rule. You can sort alert responses by name, type, in use status, and enabled/disabled status by clicking the appropriate column header; click the column header again to reverse the sort.
- Creating an SNMP Alert Response
- Creating a Syslog Alert Response
- Modifying an Alert Response
- Deleting an Alert Response
- Enabling and Disabling Alert Responses
Creating an SNMP Alert Response
You can create SNMP alert responses using SNMPv1, SNMPv2, or SNMPv3.
Note If you want to monitor 64-bit values with SNMP, you must use SNMPv2 or SNMPv3. SNMPv1 does not support 64-bit monitoring.
To create an SNMP alert response:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Actions Alerts.
Step 2 From the Create Alert drop-down menu, select Create SNMP Alert.
The Create SNMP Alert Configuration pop-up window appears.
Step 3 In the Name field, type the name that you want to use to identify the SNMP response.
Step 4 In the Trap Server field, type the hostname or IP address of the SNMP trap server, using alphanumeric characters.
Note that the system does not warn you if you enter an invalid IPv4 address (such as 192.169.1.456) in this field. Instead, the invalid address is treated as a hostname.
Step 5 From the Version drop-down list, select the SNMP version you want to use.
SNMP v3 is the default. If you select SNMP v1 or SNMP v2, different options appear.
Step 6 Which version of SNMP did you select?
- For SNMP v1 or SNMP v2, type the SNMP community name, using alphanumeric characters or the special characters
*
or$,
in the Community String field and skip to step 12. - For SNMP v3, type the name of the user that you want to authenticate with the SNMP server in the User Name field and continue with the next step.
Step 7 From the Authentication Protocol drop-down list, select the protocol you want to use for authentication.
Step 8 In the Authentication Password field, type the password required for authentication with the SNMP server.
Step 9 From the Privacy Protocol list, select None to use no privacy protocol or DES to use Data Encryption Standard as the privacy protocol.
Step 10 In the Privacy Password field, type the privacy password required by the SNMP server.
Step 11 In the Engine ID field, type an identifier for the SNMP engine, in hexadecimal notation, using an even number of digits.
When you use SNMPv3, the system uses an Engine ID value to encode the message. Your SNMP server requires this value to decode the message.
Cisco recommends that you use the hexadecimal version of the ASA FirePOWER module’s IP address. For example, if the ASA FirePOWER module has an IP address of 10.1.1.77
, use 0a01014D0
.
Step 12 Click Store ASA FirePOWER Changes.
The alert response is saved and is automatically enabled.
Creating a Syslog Alert Response
When configuring a syslog alert response, you can specify the severity and facility associated with the syslog messages to ensure that they are processed properly by the syslog server. The facility indicates the subsystem that creates the message and the severity defines the severity of the message. Facilities and severities are not displayed in the actual message that appears in the syslog, but are instead used to tell the system that receives the syslog message how to categorize it.
Tip For more detailed information about how syslog works and how to configure it, refer to the documentation for your system. On UNIX systems, the man
pages for syslog
and syslog.conf
provide conceptual information and configuration instructions.
Although you can select any type of facility when creating a syslog alert response, you should select one that makes sense based on your syslog server; not all syslog servers support all facilities. For UNIX syslog servers, the syslog.conf
file should indicate which facilities are saved to which log files on the server.
The following table lists the syslog facilities you can select.
The following table lists the standard syslog severity levels you can select.
|
|
---|---|
Conditions that are not error conditions, but require attention. |
|
Before you start sending syslog alerts, make sure that the syslog server can accept remote messages.
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Actions Alerts.
The Alerts page appears.From the Create Alert drop-down menu, select Create Syslog Alert.
The Create Syslog Alert Configuration pop-up window appears.
Step 2 In the Name field, type the name you want to use to identify the saved response.
Step 3 In the Host field, type the hostname or IP address of your syslog server.
Note that the system does not warn you if you enter an invalid IPv4 address (such as 192.168.1.456) in this field. Instead, the invalid address is treated as a hostname.
Step 4 In the Port field, type the port the server uses for syslog messages.
By default, this value is 514.
Step 5 From the Facility list, select a facility.
See the Available Syslog Facilities table for a list of the available facilities.
Step 6 From the Severity list, select a severity.
See the Syslog Severity Levels table for a list of the available severities.
Step 7 In the Tag field, type the tag name that you want to appear with the syslog message.
Use only alphanumeric characters in tag names. You cannot use spaces or underscores.
As an example, if you wanted all messages sent to the syslog to be preceded with From
DC, type From
DC in the field.
Step 8 Click Store ASA FirePOWER Changes.
The alert response is saved and is automatically enabled.
Modifying an Alert Response
For most types of alerting, if an alert response is enabled and in use, changes to the alert response take effect immediately. However, for alert responses used in access control rules to log connection events, changes do not take effect until you reapply the access control policy.
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Actions Alerts.
Step 2 Next to the alert response you want to edit, click the edit icon ().
A configuration pop-up window for that alert response appears.
Step 3 Make changes as needed.
Step 4 Click Store ASA FirePOWER Changes.
Deleting an Alert Response
You can delete any alert response that is not in use.
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Actions Alerts.
Step 2 Next to the alert response you want to delete, click the delete icon ().
Step 3 Confirm that you want to delete the alert response.
The alert response is deleted.
Enabling and Disabling Alert Responses
Only enabled alert responses can generate alerts. To stop alerts from being generated, you can temporarily disable alert responses rather than deleting your configurations. Note that if an alert is in use when you disable it, it is still considered in use even though it is disabled.
To enable or disable an alert response:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Actions Alerts.
Step 2 Next to the alert response you want to enable or disable, click the enable/disable slider.
If the alert response was enabled, it is disabled. If it was disabled, it is enabled.