04-21-2023 01:33 AM
Hi All,
We had a cyber attack due to which my vASA and the backup config of the ASA were lost. For the immediate requirement the vASA was configured again, however with no rules in it, and all traffic is allowed.
What will be the best way to configure the vASA on the basis of logging? I have installed a syslog server and am getting the logs; however, there are a lot of logs. What levels (1-7) will be required if I put some filter in to get the specific information required to apply the rules?
04-21-2023 01:51 AM
@Bhardwajp it's not practical to log everything.
You probably want to create a list of syslog message IDs that you do wish to be sent to the syslog server. Review this guide for logging for ACLs - https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_logging.pdf
And this guide to configure a list of message IDs to send to syslog server - https://integratingit.wordpress.com/2023/02/09/asa-logging/
04-21-2023 02:58 AM - edited 04-21-2023 03:01 AM
access-list MHM log level
There is a level option with the access-list `log` keyword you can use; this level makes the permit/deny log message appear at any level you want.
So you don't need to set the logging level to 7; you can set the logging level to 4 and set the ACL log level to 4, which makes any ACL log appear at level 4.
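To show how the two replies above fit together (the message-ID list from the first, the ACL `log` level from the second), here is an added example that is not part of any post in this thread. It assumes the ASA side is already set up as those replies describe: the temporary permit-all ACE carries `log warnings interval 300` (or a `logging list ACL_ONLY message 106100` fed to `logging trap ACL_ONLY`), so the syslog server receives `%ASA-4-106100` ACL-hit messages without raising the global trap level to 7. The script parses those messages, sums hit counts per flow, and renders candidate `access-list` lines for review. The log lines, ACL names (`OUTSIDE_IN`, `OUTSIDE_IN_NEW`) and addresses are constructed for the example.

```python
"""Summarise Cisco ASA 106100 ACL-hit syslog messages into candidate access-list entries."""
import re
from collections import defaultdict

# %ASA-<sev>-106100 is the message emitted for an ACE configured with "log";
# field layout follows the ASA syslog message guide. Other message IDs are skipped.
ACL_LOG = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<in_if>[^/ ]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<out_if>[^/ ]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Constructed sample syslog lines (not real traffic); the 302013 line is there
# to show that non-ACL messages are ignored.
SAMPLE_LOGS = [
    "Apr 21 2023 08:00:01 fw01 %ASA-4-106100: access-list OUTSIDE_IN permitted tcp "
    "outside/203.0.113.10(51514) -> inside/192.0.2.20(443) hit-cnt 1 first hit [0x2e3b8dbc, 0x0]",
    "Apr 21 2023 08:00:05 fw01 %ASA-4-106100: access-list OUTSIDE_IN permitted tcp "
    "outside/203.0.113.10(51520) -> inside/192.0.2.20(443) hit-cnt 3 300-second interval [0x2e3b8dbc, 0x0]",
    "Apr 21 2023 08:00:07 fw01 %ASA-4-106100: access-list OUTSIDE_IN permitted udp "
    "outside/203.0.113.44(40000) -> inside/192.0.2.53(53) hit-cnt 2 first hit [0x1a2b3c4d, 0x0]",
    "Apr 21 2023 08:00:09 fw01 %ASA-4-106100: access-list OUTSIDE_IN permitted tcp "
    "outside/198.51.100.7(6000) -> inside/192.0.2.20(22) hit-cnt 1 first hit [0x0badf00d, 0x0]",
    "Apr 21 2023 08:00:10 fw01 %ASA-6-302013: Built inbound TCP connection 1234 for "
    "outside:203.0.113.10/51514 (203.0.113.10/51514) to inside:192.0.2.20/443 (192.0.2.20/443)",
    "Apr 21 2023 08:00:12 fw01 %ASA-4-106100: access-list OUTSIDE_IN denied tcp "
    "outside/198.51.100.7(6001) -> inside/192.0.2.20(3389) hit-cnt 1 first hit [0x0c0ffee0, 0x0]",
]


def parse_acl_log(line):
    """Return the fields of a 106100 message as a dict, or None for any other line."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sev", "sport", "dport", "hits"):
        rec[k] = int(rec[k])
    return rec


def summarize(lines, action="permitted"):
    """Total hit counts per (acl, proto, src, dst, dport); the ephemeral source port is ignored."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == action:
            key = (rec["acl"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
            totals[key] += rec["hits"]
    return dict(totals)


def candidate_acl(totals, new_acl, min_hits=1, log_level="warnings"):
    """Render ASA access-list lines for flows seen at least min_hits times, busiest first.

    The result is a review list for the administrator, not something to apply blindly:
    every flow that was permitted by the temporary permit-all ACE shows up here,
    including ones that should stay blocked.
    """
    out = []
    for (acl, proto, src, dst, dport), hits in sorted(totals.items(), key=lambda kv: -kv[1]):
        if hits < min_hits:
            continue
        port = "" if proto == "icmp" else f" eq {dport}"  # 106100 carries type/code for ICMP, not a port
        out.append(f"access-list {new_acl} extended permit {proto} host {src} host {dst}{port} log {log_level}")
    # Keep logging on the final explicit deny so remaining traffic still shows up in syslog.
    out.append(f"access-list {new_acl} extended deny ip any any log {log_level}")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for key, hits in summary.items():
        print(f"{hits:>5}  {key}")
    print()
    print("\n".join(candidate_acl(summary, "OUTSIDE_IN_NEW", min_hits=2)))
```

With `min_hits=2` the 22/tcp flow seen once drops out and only the 443/tcp and 53/udp flows become permit candidates; raising the threshold and the ACE `interval` is the practical way to keep the volume manageable while the permit-all rule is still in place. Because each flow key includes the ACL name, the same summary can be run against a log feed that covers several interfaces.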
04-21-2023 03:40 AM
In addition to that, you might want to set some email notifications for some specific logs that might require urgent interaction.
04-21-2023 05:42 AM
A tool you could use is AlgoSec. Set up AlgoSec and then send logging to AlgoSec. It is a subscription-based license though, but it will give you a GUI interface where it gives you suggestions on how to improve and/or tighten up your ACL entries. It is a good tool which we use on all our clients.