cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

How to configure Cisco Security Monitoring Analysis and Response System (CS-MARS) rules to match WebVPN session creation on Adaptive Security Appliance(ASA)

1629
Views
0
Helpful
0
Comments

Resolution

To configure the rules ,perform these steps:

  1. Make sure that the ASA is configured at informational level logging.

  2. The keyword field can be used when making a new rule that looks for
    text within an event. For example, to make a rule that looks for the start of a WebVPN session, click on the keyword cell in the new rule, and enter the %ASA-6-716001 string.

  3. To save the change, click the Activate button on the top right of the MARS Graphical User Interface (GUI).

These are the syslog messages to identify when a Secured Sockets Layer (SSL) VPN connection is established or terminated on the MARS device:

  • %ASA-6-716001: Group group User user WebVPN session started

  • %ASA-6-716002: Group group User user WebVPN session terminated:


For a full list of ASA version 7.0 syslog messages, refer to Messages Listed by Severity Level.