Integrating with Cisco ASA Firewall

Overview

Blumira’s cloud SIEM platform integrates with the Cisco Adaptive Security Appliance (ASA) firewall by ingesting its syslog output through a Blumira sensor. Blumira uses those logs to detect threats and to provide an automated or actionable response when a threat is detected.

Additionally, enabling Blumira’s dynamic blocklist capability on your integrated next-generation firewall lets Blumira block known-malicious sources automatically.

Learn more about enabling Blumira’s blocklists to block malicious source IP addresses and domains for automated threat response.

Before you begin

This integration requires a Blumira sensor to be installed before you can complete the steps below. Ensure that you complete the steps in Building a Blumira sensor with Ubuntu before you continue.

Note: This integration requires the Logger Module, which is included by default in all Blumira sensors upon installation.

Gather the IP address of your Blumira sensor; you will use it as the syslog destination when configuring the firewall.

To find and copy the IP address of the sensor, do the following:

  1. In Blumira, navigate to Settings > Sensors.
  2. Click the sensor row to open the details page.
  3. In the Overview section, next to Host Details, copy the IP address.

Enabling logging from the firewall

To configure the ASA firewall, do the following:

  1. Log in to the Cisco ASA firewall using the command-line interface, enter configuration mode, and run the following commands:
    logging enable
    logging host <interface_name> <sensor_ip> udp/514
    logging permit-hostdown
    logging timestamp
    logging device-id hostname
    no logging emblem

    Note: The interface_name argument is the name of the ASA interface (for example, inside) through which the Blumira sensor is reachable. The sensor_ip argument is the IP address of the Blumira sensor that you copied earlier. The sensor listens for syslog on UDP port 514.

  2. Add the log keyword to every access control entry (ACE) whose matches you want to see in Blumira. Without it, the ASA does not generate a per-ACE match message (106100); by default only denied packets are logged, as message 106023, and permitted traffic leaves no ACE-level record. See Cisco's Configuring Logs for Access Lists.

  3. If you manage the firewall through the Adaptive Security Device Manager (ASDM) graphical user interface instead of the CLI, complete the equivalent steps in Logging to a Syslog Server, which describes how to add a syslog server on the firewall from ASDM. The CLI commands above and the ASDM procedure configure the same settings; you do not need to do both.
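The following configuration puts the commands from the steps above together in one place, as an added example rather than configuration taken from the page or from a Blumira or Cisco document. The interface name inside, the hostname fw-edge-01, the sensor address 10.0.0.50 and the access list outside_in are assumed values; substitute your own. It adds one setting the numbered steps leave implicit, logging trap informational, because logging trap is the severity filter the ASA applies to syslog servers, and the ACE-match message 106100 and the connection build/teardown messages 302013 and 302014 are all level 6 (informational). Lines beginning with ! are comments and are ignored when pasted into configuration mode.

```text
hostname fw-edge-01
!
! Core logging settings from the procedure above.
logging enable
logging timestamp
logging device-id hostname
no logging emblem
!
! Severity sent to syslog servers. Anything stricter than informational
! (for example warnings) silently drops 106100 and 302013/302014.
logging trap informational
!
! Send to the Blumira sensor over UDP/514 via the interface that reaches it.
logging host inside 10.0.0.50 udp/514
logging permit-hostdown
!
! Only ACEs carrying the log keyword produce per-match 106100 messages.
! The final deny with log replaces the implicit deny's 106023 messages.
access-list outside_in extended permit tcp any host 10.0.0.5 eq 443 log
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

logging permit-hostdown only changes behaviour for TCP syslog servers (it stops the ASA from blocking new connections when the server is unreachable); with the UDP transport used here it is harmless but also has no effect, so it is safe to keep for consistency with the procedure.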

Troubleshooting logging issues

If logging is enabled and you do not see any traffic, check the severity level applied to syslog servers. On the CLI this is the logging trap setting, and it needs to be at least "logging trap informational", because the access-list match messages (106100) and connection messages (302013 and 302014) are informational (level 6) and are dropped by any stricter level. The logging buffered setting controls only the internal buffer shown by "show logging" on the firewall, so raising it to "logging buffered informational" does not change what is sent to the sensor; it is useful only to confirm that the firewall is generating the messages at all. "show logging" also lists the configured trap level and each syslog host, which is a quick way to confirm the sensor address and port are correct.

If you are still not receiving logs from the Cisco ASA and you configured it through ASDM, ensure that Logging Filters for Syslog Servers are set to send “Severity: Informational” and that EMBLEM formatting is disabled on the syslog server entry. On the sensor itself, a packet capture on UDP port 514 (for example with tcpdump) shows whether any syslog is arriving from the firewall's interface address, which separates a firewall-side filter problem from a network path problem.