ASA rest-api install

zietgiestt
Level 1

Hello,

ASA 5516x, v 9.16(4)82 HA pair

I'm unfamiliar with rest-api so I'm a little nervous about the unknown... I need to install rest-api to start monitoring and collecting logs (for now) for a new SIEM we are going to start using.

Can't find anywhere that says what impact this has on a production firewall.

Is installing this something that should be done during scheduled maintenance?

Will it require a reboot?

 

Also, a little confused on Cisco's documentation example config:

Step 2

Using the CLI, ensure the HTTP server is enabled on the ASA, and that API clients can connect to the management interface. For example:

http server enable
http 0.0.0.0 0.0.0.0 <management interface nameif>

This would be my syslog server ip?


Step 4

Using the CLI, create a static route on the ASA for API traffic. For example:

route <management interface nameif> 0.0.0.0 0.0.0.0 <gwip> 1

Is this supposed to route all traffic to my syslog server as the DG?

 

Thanks,


D

http 0.0.0.0 0.0.0.0 <management interface nameif> <<- this command is used to allow any IP to access your mgmt interface

route <management interface nameif> 0.0.0.0 0.0.0.0 <gwip> 1 <<- this is not needed if the server IP and mgmt IP are in the same subnet

MHM
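An added example, not part of the thread or of Cisco's documentation: a small audit of an ASA running-config that checks the two points in the reply above, whether an `http` line admits any source address on the management interface, and whether a given API client sits on the management subnet. The config text, the `mgmt` nameif, the addresses (documentation ranges) and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample of an ASA running-config; addresses are documentation ranges.
SAMPLE_CONFIG = """\
interface Management1/1
 nameif mgmt
 ip address 192.0.2.10 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 mgmt
http 198.51.100.0 255.255.255.0 mgmt
"""

def parse(config):
    """Return ({nameif: interface network}, [(allowed source network, nameif)])."""
    ifaces, rules, nameif = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new interface block starts
        elif tok[0] == "nameif" and len(tok) == 2:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            ifaces[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
        elif tok[0] == "http" and len(tok) == 4:
            try:                               # "http <ip> <mask> <nameif>"
                net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
            except ValueError:
                continue                       # not an address-based http line
            rules.append((net, tok[3]))
    return ifaces, rules

def audit(config, client_ip, nameif):
    """Check one API client (e.g. the SIEM collector) against one interface."""
    ifaces, rules = parse(config)
    client = ipaddress.ip_address(client_ip)
    nets = [n for n, i in rules if i == nameif]
    return {
        # True when a 0.0.0.0 0.0.0.0 entry lets any source reach the HTTP server
        "any_source_allowed": any(n.prefixlen == 0 for n in nets),
        # True when a narrower entry already covers the client
        "client_allowed_by_specific_rule": any(n.prefixlen > 0 and client in n for n in nets),
        # False means the client is off-subnet, so the ASA needs a route back to it
        "client_on_mgmt_subnet": client in ifaces[nameif],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "198.51.100.25", "mgmt"))
```

If `any_source_allowed` is true while `client_allowed_by_specific_rule` is also true, the any-source line is redundant for that client and can be reviewed for removal.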

I did this some years back on 5585-X SSP-60 which were in HA also. No reboot. Once you have copied it over, just enable the feature. 

Just note in the HA pair, install the REST API on both the active and standby units and installation is done on each device individually, one after the other. It won't cause a failover as the process doesn't disrupt the state of the firewall or the traffic it's processing.

It is highly recommended to install on the standby unit first, then the active unit, to ensure a smooth process!

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

Good to know. So I installed and enabled rest-api on my active first and then did the standby. Now, entering config mode, my standby is telling me:

**** WARNING ****
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.

 

Not really sure if this is normal considering this is the standby unit and the running config syncs from active>standby. 

I'm not seeing any sync errors.

I'm not in the standby firewall very often so can't remember if I've ever seen this message before.

Sorry, what I mean is, upload to the standby, then the active one - once both have the image, add the CLI command on the active, this will push over to the standby. The message is normal when you enter configuration mode on the standby. It's an informational message to remind you that any changes you make on the standby will not be replicated back to the active one, and doing so will cause the two firewalls to have a mismatched configuration (not ideal!)
