ASA log analyzer

Michal Valach
Level 1

Hello, on the ASA interface there is a "permit any any" rule, and I need to create an ACL based on that log. Is anybody aware of any tool which can do it?

Many thanks for advice

Accepted Solution

Marvin Rhoads
Hall of Fame

Can you please explain some more?

Do you want to see all connections and flows transiting the firewall?

If so, you can just turn your system logging up to level 6 (informational). All TCP connections, UDP and ICMP flows will then create a syslog message that you can see either in the logging buffer, ASDM log screen or on any third party syslog server destination you have defined.

The log messages are just plain text records, so you can parse and analyze them on your external syslog server using anything from simple text sorting, to *nix tools like grep and sed, to the capabilities of a commercial syslog analyzer like Kiwi Syslog analyzer. You can also use the capability built into a full-featured network management tool like Cisco Prime Infrastructure or SolarWinds NPM.

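One way to do the grep-and-sort step described above in a script, as an added Python example that is not from this thread or from any Cisco or vendor tool: it parses level-6 ACL hit messages (ASA message 106100, which an ACE with the `log` keyword emits) into per-flow hit counts and prints one explicit ACE per observed flow, busiest first. The syslog lines and the ACL name `outside_in_tight` are constructed for the example; 302013 connection-built messages are skipped, and ICMP is left out because its 106100 fields differ.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic), in the shape of
# ASA message 106100 plus one 302013 line that the parser ignores.
SAMPLE_LOG = """\
%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51234) -> inside/10.1.1.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51240) -> inside/10.1.1.10(443) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted udp outside/203.0.113.7(40000) -> inside/10.1.1.53(53) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.9(2222) -> inside/10.1.1.20(22) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302013: Built inbound TCP connection 9001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.1.1.10/443 (10.1.1.10/443)
"""

# Fields of a 106100 "permitted" message for TCP/UDP; source port is
# captured but not used, since an ACE should match on destination port.
ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) permitted (?P<proto>tcp|udp) "
    r"(?P<sif>\S+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\S+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def summarize_flows(log_text):
    """Return a Counter keyed by (proto, src, dst, dport), summing hit-cnt.
    Lines that are not 106100 'permitted' tcp/udp messages are skipped."""
    flows = Counter()
    for line in log_text.splitlines():
        m = ACL_HIT.search(line)
        if m:
            flows[(m["proto"], m["src"], m["dst"], int(m["dport"]))] += int(m["hits"])
    return flows


def build_acl(flows, acl_name):
    """Emit a remark plus one host-to-host ACE per observed flow, most hits first.
    Review the output before applying it: a flow seen in the log is not
    automatically a flow that should be allowed."""
    lines = []
    for (proto, src, dst, dport), hits in sorted(flows.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"access-list {acl_name} remark {hits} hits observed in permit any any log")
        lines.append(f"access-list {acl_name} extended permit {proto} host {src} host {dst} eq {dport}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl(summarize_flows(SAMPLE_LOG), "outside_in_tight")))
```

Feed it a real export with `summarize_flows(open("asa.log").read())`; hosts that share a subnet can then be collapsed into network objects by hand.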

3 Replies


Hello Marvin,

We have 4 interfaces, where the last ACL rule is "permit any any (level 6)", and those logs are sent to a syslog server. So yes, what I did was use grep/pipe and Excel to create the flows from the logs.

I was asking if there is any tool, but I believe there is not. AlgoSec/Tufin can do it, as Ji-Won mentioned, but they analyse flows online. I have a txt file and have to extract it from that.

Thank you

Ji-Won Park
Level 1

Hi,

There are a few tools available for your need; none of them is free though, as this is one critical piece that lots of security admins want to address.

The one I've used is called AFA (AlgoSec Firewall Analyzer), with a feature called Intelligent Policy Tuning (there are FireMon and Tufin as well). You have to connect this appliance to the FW and send specific logs to the appliance, so that the appliance will give you tighter rules and objects instead of any any.

Hope this helps.

Thanks
