Cisco ASA Firewall Insight Pack

Posted: December 24, 2015 Modified: December 24, 2015


Overview

The Cisco ASA Firewall Insight Pack gives operational administrators and users the ability to use IBM Operations Analytics – Log Analysis to analyze traffic on their installed Cisco ASA devices. This includes using dynamic dashboards to view the rate of critical messages with the ability to drill down into messages needing attention.

The following Dashboard charts depict Cisco ASA devices error log messages based on Severity, Source and MsgType fields of the ingested log records. The default time to capture the dashboard data is set to 1 day and can be configured as needed.

Cisco ASA Dashboards Showing Source / Destination vs Action
Cisco ASA Dashboards Showing Source / Destination vs Action

The charts reflect the following:

  • Blocked/Rejected messages distribution based on the Source and Destination.
  • Different protocols that have been blocked by the Cisco ASA.
  • Reflecting denied, blocked and rejected messages over a time period.
Cisco ASA Insight Pack Actions vs Protocols and Denials
Cisco ASA Insight Pack Actions vs Protocols and Denials

Quick Searches

With the included Quick Search feature, users can create saved searches for a keyword or a series of keywords. The searches are added to the saved searches pane for running at a later time. All the Quick Searches in the ASA Firewall Insight pack are based on the Cisco ASA log message severity and action. The quick searches are provided for the top 3 severity like alerts, critical, error and for actions like denied/blocked.

The following quick searches are provided with the default Insight Pack:

  • Alerts Last Day: This search query displays log records where the Cisco ASA log level is alert (1-Alert).
  • Critical Last Day: This search query displays log records where the Cisco ASA log level is critical (2-Critical).
  • Errors Last Day: This search query displays log records where the Cisco ASA log level is Error (3-Error).
  • Denials Last Day: This search displays all the log records which are being denied, blocked or rejected during the traffic flow through ASA.

Reference the Insight Pack User’s Guide for adjusting the dynamic dashboards and quick searches to reflect additional data elements.

Additional information

The log file is used to capture messages and events generated by the ASA devices during Network operations. Administrators use this log to troubleshoot issues raised by the ASA devices. Cisco ASA Log files are retrieved as syslog messages to a syslog server, the log file naming convention can be configurable.

Note that the messages syslog should be a syslog standalone message file for the Cisco ASA messages. It should not be combined with syslog messages from other sources. If other messages are found in the log file, the Insight Pack processing will ignored the none Cisco ASA messages. For more information on setting up the Cisco ASA log file please refer to the Data Loading Best Practices section of the users guide.

Training Information

Review the following video for information on using and setting up the Insight Pack.


Training and overview presentation used in the training video.

View US Price & Buy

IBM Operations Analytics-Log Analysis Insight Packs for Networks- Standard Install License

Released: 17 December 2015
Version: 1.1.0.0
Cost: License Fee
Support: Supported

Resources

Product Information
Product Documentation
Documentation
Forum

Requirements

  • IBM Operations Analytics – Log Analysis version 1.3.0 or above
  • Cisco ASA 5500 Series, V 8.2x or later.
  • Syslog Server to receive the syslogs transferred from Cisco ASA devices and capture them in a local accessible file.
  • Cisco ASA must be configured to send the log messages to a Linux syslog server.
  • Purchased “IBM Operations Analytics-Log Analysis Insight Packs for Networks- Standard Install License” for each installed Insight Pack.

Support

This package is subject to the License terms included with the Insight Pack, along with those displayed upon download.

To report a problem with deploying this entry, entitled customers may contact the country specific IBM support channel, reference the IBM Worldwide Directory. Also use the “Support” link to access the support site for IBM Operations Analytics – Log Analysis information.