topic Firewall Email Alert config in Network Security https://community.cisco.com/t5/network-security/firewall-email-alert-config/m-p/2835575#M165957 <P>We have one outside interface connection to ISP. The ISP wanted to do some maintaince work and informed us the link will do down for half and hour. therefore I configured the email alert on our production network where is configured the IPSLA with syslog, SMTP and with email address could verify this will work. as i can not test this as we do not have a spare ASA in our workshop.</P> <P></P> <P>please find the below config.</P> <P></P> <P>logging enable<BR />logging timestamp<BR />logging list SLA-LIST message 622001<BR />logging buffer-size 9055<BR />logging buffered debugging<BR />logging trap SLA-LIST<BR />logging history SLA-LIST<BR />logging asdm debugging<BR />logging mail SLA-LIST<BR />logging from-address asa@netrevuca.co.uk<BR />logging recipient-address sherazrose@netrevuca.co.uk level debugging<BR />logging recipient-address itservicesdesk@netrevuca.co.uk level critical<BR />logging device-id ipaddress inside<BR />logging host inside 10.178.5.117<BR />no logging message 106015<BR />no logging message 313001<BR />no logging message 313008<BR />no logging message 106023<BR />no logging message 710003<BR />no logging message 106100<BR />no logging message 302015<BR />no logging message 302014<BR />no logging message 302013<BR />no logging message 302018<BR />no logging message 302017<BR />no logging message 302016<BR />no logging message 302021<BR />no logging message 302020<BR /><BR />snmp-server host inside 10.178.5.49 community ***** version 2c udp-port 161<BR />snmp-server host inside 10.178.5.117 community ***** version 2c<BR />snmp-server location GH<BR />snmp-server contact IT<BR />snmp-server community *****<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<BR />snmp-server enable traps syslog<BR />snmp-server enable traps ipsec start stop<BR />snmp-server enable traps entity config-change fru-insert fru-remove<BR />snmp-server enable traps memory-threshold<BR />snmp-server enable traps interface-threshold<BR />snmp-server enable traps remote-access session-threshold-exceeded<BR />snmp-server enable traps connection-limit-reached<BR />snmp-server enable traps cpu threshold rising<BR />sysopt connection tcpmss 1350<BR />sla monitor 1<BR />&nbsp;type echo protocol ipIcmpEcho 8.8.8.8 interface outside<BR />&nbsp;num-packets 2<BR />&nbsp;timeout 2000<BR />&nbsp;threshold 2000<BR />&nbsp;frequency 5<BR />sla monitor schedule 1 life forever start-time now<BR /><BR /><BR /><BR />class-map global-class<BR />&nbsp;description NetFlow_LCT_Export<BR />&nbsp;match any<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;description NetFlow_LCT_Export<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect rsh<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect skinny<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect sip<BR />&nbsp; inspect netbios<BR />&nbsp; inspect tftp<BR />&nbsp; inspect ip-options<BR />&nbsp;class global-class<BR />&nbsp; flow-export event-type all destination 10.178.5.117<BR />&nbsp;class class-default<BR />&nbsp; user-statistics accounting<BR />!<BR />service-policy global_policy global<BR />smtp-server 10.178.1.113<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />hpm topN enable<BR />Cryptochecksum:029395f06d6cc864531760c0e5210db9<BR />: end</P> Tue, 12 Mar 2019 06:53:34 GMT Sheraz.Salim 2019-03-12T06:53:34Z Firewall Email Alert config https://community.cisco.com/t5/network-security/firewall-email-alert-config/m-p/2835575#M165957 <P>We have one outside interface connection to ISP. The ISP wanted to do some maintaince work and informed us the link will do down for half and hour. therefore I configured the email alert on our production network where is configured the IPSLA with syslog, SMTP and with email address could verify this will work. as i can not test this as we do not have a spare ASA in our workshop.</P> <P></P> <P>please find the below config.</P> <P></P> <P>logging enable<BR />logging timestamp<BR />logging list SLA-LIST message 622001<BR />logging buffer-size 9055<BR />logging buffered debugging<BR />logging trap SLA-LIST<BR />logging history SLA-LIST<BR />logging asdm debugging<BR />logging mail SLA-LIST<BR />logging from-address asa@netrevuca.co.uk<BR />logging recipient-address sherazrose@netrevuca.co.uk level debugging<BR />logging recipient-address itservicesdesk@netrevuca.co.uk level critical<BR />logging device-id ipaddress inside<BR />logging host inside 10.178.5.117<BR />no logging message 106015<BR />no logging message 313001<BR />no logging message 313008<BR />no logging message 106023<BR />no logging message 710003<BR />no logging message 106100<BR />no logging message 302015<BR />no logging message 302014<BR />no logging message 302013<BR />no logging message 302018<BR />no logging message 302017<BR />no logging message 302016<BR />no logging message 302021<BR />no logging message 302020<BR /><BR />snmp-server host inside 10.178.5.49 community ***** version 2c udp-port 161<BR />snmp-server host inside 10.178.5.117 community ***** version 2c<BR />snmp-server location GH<BR />snmp-server contact IT<BR />snmp-server community *****<BR />snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<BR />snmp-server enable traps syslog<BR />snmp-server enable traps ipsec start stop<BR />snmp-server enable traps entity config-change fru-insert fru-remove<BR />snmp-server enable traps memory-threshold<BR />snmp-server enable traps interface-threshold<BR />snmp-server enable traps remote-access session-threshold-exceeded<BR />snmp-server enable traps connection-limit-reached<BR />snmp-server enable traps cpu threshold rising<BR />sysopt connection tcpmss 1350<BR />sla monitor 1<BR />&nbsp;type echo protocol ipIcmpEcho 8.8.8.8 interface outside<BR />&nbsp;num-packets 2<BR />&nbsp;timeout 2000<BR />&nbsp;threshold 2000<BR />&nbsp;frequency 5<BR />sla monitor schedule 1 life forever start-time now<BR /><BR /><BR /><BR />class-map global-class<BR />&nbsp;description NetFlow_LCT_Export<BR />&nbsp;match any<BR />class-map inspection_default<BR />&nbsp;match default-inspection-traffic<BR />!<BR />!<BR />policy-map type inspect dns preset_dns_map<BR />&nbsp;parameters<BR />&nbsp; message-length maximum client auto<BR />&nbsp; message-length maximum 512<BR />policy-map global_policy<BR />&nbsp;description NetFlow_LCT_Export<BR />&nbsp;class inspection_default<BR />&nbsp; inspect dns preset_dns_map<BR />&nbsp; inspect ftp<BR />&nbsp; inspect h323 h225<BR />&nbsp; inspect h323 ras<BR />&nbsp; inspect rsh<BR />&nbsp; inspect esmtp<BR />&nbsp; inspect sqlnet<BR />&nbsp; inspect skinny<BR />&nbsp; inspect sunrpc<BR />&nbsp; inspect xdmcp<BR />&nbsp; inspect sip<BR />&nbsp; inspect netbios<BR />&nbsp; inspect tftp<BR />&nbsp; inspect ip-options<BR />&nbsp;class global-class<BR />&nbsp; flow-export event-type all destination 10.178.5.117<BR />&nbsp;class class-default<BR />&nbsp; user-statistics accounting<BR />!<BR />service-policy global_policy global<BR />smtp-server 10.178.1.113<BR />prompt hostname context<BR />no call-home reporting anonymous<BR />hpm topN enable<BR />Cryptochecksum:029395f06d6cc864531760c0e5210db9<BR />: end</P> Tue, 12 Mar 2019 06:53:34 GMT https://community.cisco.com/t5/network-security/firewall-email-alert-config/m-p/2835575#M165957 Sheraz.Salim 2019-03-12T06:53:34Z Hi, https://community.cisco.com/t5/network-security/firewall-email-alert-config/m-p/2835576#M165958 <P>Hi,</P> <P>From configuration if looks fine. It should work. Make sure reachability to SMTP server is there.</P> <P><B>Note </B><IMG src="http://www.cisco.com/c/dam/en/us/td/i/templates/blank.gif" alt="" width="1" height="2" border="0" /><SPAN>We do not recommend using a severity level greater than 3 with the </SPAN><B class="cCN_CmdName">logging recipient-address</B><SPAN> command. Higher severity levels are likely to cause dropped syslog messages because of buffer overflow.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/l2.html#wp1774041</SPAN></P> <P><SPAN></SPAN></P> <P>Also from the configuration, i could see that :</P> <P><SPAN>logging mail SLA-LIST</SPAN><BR /><SPAN>logging from-address asa@netrevuca.co.uk</SPAN><BR /><SPAN>logging recipient-address sherazrose@netrevuca.co.uk level debugging</SPAN><BR /><SPAN>logging recipient-address itservicesdesk@netrevuca.co.uk level critical</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>You have configured Logging list with specific message and simultaneously you have configured severity level in receipient-address. Recipient address's level always overrdes the one configured in logging mail. Therefore first recipient would get messages till debugging, and 2nd with critical. However as mentioned earlier, debugging level is too high. So you could thing of changing it to low level.</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Hope it helps.</SPAN></P> <P><SPAN>Regards,</SPAN></P> <P><SPAN>Akshay Rastogi</SPAN></P> Mon, 16 Nov 2015 16:08:57 GMT https://community.cisco.com/t5/network-security/firewall-email-alert-config/m-p/2835576#M165958 Akshay Rastogi 2015-11-16T16:08:57Z