Cisco Secure Firewall (ASA Appliances)

Modified on Wed, 06 Sep 2023 at 09:50 PM

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we'll get it updated.

 


This guide describes the steps required to configure Cisco Secure Firewall (ASA Appliances) to send logs to Samurai XDR.


To complete this Integration you will need to:



1) Configure the Samurai XDR application

  • Complete the Cisco Secure Firewall Integration from the Samurai XDR application


2) Configure your Cisco Secure Firewall (ASA Appliances)

  • Configure syslog


Configure the Samurai XDR Application

To complete the configuration to receive logs:

  1. Log in to your Samurai XDR application tenant
  2. Click Telemetry > Integrations from the main menu
  3. Click Create
  4. In the Create Integration screen, find and select Cisco Secure Firewall (ASA Appliances)
  5. The screen will show the Telemetry Collection and parameters.
  6. Make note of the IP Address and Port on the screen. They will be used in the device configuration below.
  7. Click on Finish


Configure Cisco Secure Firewall (ASA Appliances)


Configure syslog destination

  1. Launch Cisco ASDM.
  2. Navigate to Configuration > Device Management > Logging > Syslog Servers
  3. Add a Syslog Server. 
  4. IP Address: (provided in the previous step, adding the Integration in Samurai XDR)
  5. Protocol: TCP
  6. Port: (provided in the previous step, adding the Integration in Samurai XDR)
  7. "Enable secure syslog using SSL/TLS", checked
  8. Reference Identity: none
  9. Timestamp, checked
  10. Timestamp, checked, radio button "RFC5424"
  11. "Enable Analytics on syslog messages", unchecked
  12. Click on "OK"


Configure CA Certificate

For the Cisco ASA to trust the remote (server) syslog TLS connection, a certificate must be installed on the firewall.

For the Samurai XDR configuration we will use an intermediate CA certificate.

 

  1. Launch Cisco ASDM
  2. Navigate to Configuration > Device Management > Certificate Management > CA Certificates
  3. Install a new Certificate
  4. Trustpoint Name: (something descriptive, default is ASDM_Trustpoint0)
  5. Select radio button: "Paste certificate in PEM format:"
  6. Open the Secure syslog digital certificate in Notepad. Copy the contents from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" and paste them into the screen.
  7. Click "Install Certificate"
  8. An information popup will present on the screen showing the Fingerprint and acceptance of the certificate.
  9. You will now see the newly added certificate.
  10. Open the newly added certificate from ASDM, "Edit Options for CA Certificate"
  11. Navigate to the tab "Advanced"
  12. Under "Validation Usage, Specify the type of connections that can be validated by this CA."
  13. Check the box "SSL Server". Leave "IPsec Client", "SSL Client" unchecked.
  14. Ensure "Accept certificates issued by this CA" under "Other options" is checked
  15. Click "OK"
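
The copy and paste in step 6 fails easily: markers with too few dashes, a bundle holding several certificates, or a body cut short. The following added example (not part of the original guide or of any Cisco or Samurai tooling) checks the text before it is pasted and returns SHA-1 and SHA-256 fingerprints of the DER bytes, which can be compared with the popup in step 8 if ASDM displays one of those digest types (an assumption; the guide does not say which it shows). It checks structure only, not that the certificate is a CA certificate, and `SAMPLE_DER` is a constructed blob, not a real certificate.

```python
import base64
import hashlib
import re

# One PEM block of any type; the label is captured so a non-certificate
# block (for example a private key) can be rejected by name.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def der_declared_length(der):
    """Total size implied by the outer ASN.1 SEQUENCE header, or -1."""
    if len(der) < 2 or der[0] != 0x30:
        return -1
    if der[1] < 0x80:                      # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pasted_pem(text):
    """Return {"sha1": ..., "sha256": ...} fingerprints or raise ValueError."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly 1 PEM block, found {len(blocks)}")
    label, body = blocks[0]
    if label != "CERTIFICATE":
        raise ValueError(f"block type is {label!r}, not CERTIFICATE")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:              # binascii.Error subclasses ValueError
        raise ValueError(f"damaged base64 body: {exc}") from None
    if der_declared_length(der) != len(der):
        raise ValueError("DER length mismatch: paste is truncated or padded")
    return {alg: hashlib.new(alg, der).hexdigest().upper()
            for alg in ("sha1", "sha256")}


def wrap_pem(der, label="CERTIFICATE"):
    """Build PEM text from DER bytes (used for the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])


# Constructed sample: a 260-byte DER-shaped blob, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    print(check_pasted_pem(wrap_pem(SAMPLE_DER)))
```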


 

For further information from Cisco on CLI configuration you can refer to Cisco ASA Series General Operations CLI Configuration Guide.

 

Once you have completed the configuration of your firewall to send logs to Samurai XDR, your integration will automatically be discovered once Samurai XDR starts receiving logs from your firewall.