
ASA with any any rule

Bhardwajp
Level 1

Hi All,

We had a cyber attack, due to which my vASA and the backup config of the ASA were lost. For the immediate requirement the vASA is configured again, however with no rules in it, and all traffic is allowed.

What will be the best way to configure the vASA on the basis of logging? I have installed a syslog server and am getting the logs, however there are a lot of logs. What levels (1-7) will be required if I put some filter to get the specific information required to apply the rules?

 


@Bhardwajp it's not practical to log everything.

You probably want to create a list of syslog message IDs that you do wish to be sent to the syslog server. Review this guide for logging for ACLs - https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/acl_logging.pdf

And this guide to configure a list of message IDs to send to syslog server - https://integratingit.wordpress.com/2023/02/09/asa-logging/

 

access-list MHM log level 

There is a level with the access list that you can use; this level makes the permit/deny log message appear at any level you want.
So you don't need to set the logging level to 7; you can set the logging level to 4 and set the level of the ACL log to 4, which makes any ACL log appear at level 4.

In addition to that, you might want to set some email notifications for some specific logs that might require urgent interaction.

A tool you could use is AlgoSec. Set up AlgoSec and then send logging to AlgoSec. It is a subscription-based license though. But it will give you a GUI where it will give you suggestions on how to improve and/or tighten up your ACL entries. It is a good tool which we use on all our clients.

--
Please remember to select a correct answer and rate helpful posts
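
An added example, not part of any reply above and not Cisco or AlgoSec code: a small Python script that reduces ACL-hit syslog lines (message ID 106100, sent at level 4 as suggested in the thread) to unique flows with hit counts, and renders each as a draft ACE for human review. It assumes the temporary permit rule carries the `log` option; the sample lines are constructed, and the function names `summarize` and `candidate_ace` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the thread); MHM is the ACL name used above.
SAMPLE = """\
Mar 01 10:00:01 vasa %ASA-4-106100: access-list MHM permitted tcp inside/10.1.1.5(51000) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Mar 01 10:00:09 vasa %ASA-4-106100: access-list MHM permitted udp inside/10.1.1.8(53211) -> outside/198.51.100.53(53) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Mar 01 10:00:12 vasa %ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51000 (10.1.1.5/51000)
Mar 01 10:05:01 vasa %ASA-4-106100: access-list MHM permitted tcp inside/10.1.1.5(51044) -> outside/203.0.113.10(443) hit-cnt 7 300-second interval [0x1a2b3c4d, 0x0]
"""

# Matches only the ACL-hit message; every other message ID is ignored.
ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^/\s]+)/(?P<sip>[\d.]+)\(\d+\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def summarize(lines):
    """Sum hit counts per flow, ignoring the ephemeral source port."""
    flows = Counter()
    for line in lines:
        m = ACL_HIT.search(line)
        if m:
            key = (m["acl"], m["action"], m["proto"], m["sif"],
                   m["sip"], m["dip"], int(m["dport"]))
            flows[key] += int(m["hits"])
    return flows

def candidate_ace(acl, proto, sip, dip, dport):
    """Render a flow as a draft ACE for review; only tcp/udp carry a port."""
    port = f" eq {dport}" if proto in ("tcp", "udp") else ""
    return f"access-list {acl} extended permit {proto} host {sip} host {dip}{port}"

if __name__ == "__main__":
    for key, hits in summarize(SAMPLE.splitlines()).most_common():
        acl, action, proto, sif, sip, dip, dport = key
        if action == "permitted":  # draft rules only for traffic the ASA passed
            print(f"{hits:>6} hits from {sif}: {candidate_ace(acl, proto, sip, dip, dport)}")
```

Each draft line is a starting point to check against what the host is supposed to be doing before it goes into the ACL, since traffic observed under an allow-all rule includes whatever should not be there.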