HafizJasmi
New Member
October 13, 2020
Question

CISCO ASA RULES OR USE CASE


Hi Guys,

I am new to FortiSIEM and I have a question: currently our FortiSIEM monitors a Cisco ASA firewall, but so far it has not flagged any rules in FortiSIEM.

Do I have to manually create rules for every security incident for Cisco ASA? Could anyone share rules for ASA, or any use cases that you guys use?

    FSM_FTNT
    Staff
    October 13, 2020
    Hi Muhammad,

    There are some specific rules where we mention ASA events by name.

    • Successful VPN Logon From Outside My Country
    • Startup Config Change: with login
    • Running Config Change: with login info
    • Heavy TCP Port Scan: Single Destination
    • Permitted Blacklisted Source
    • Denied Blacklisted Source
    • Permitted Blacklisted Destination
    • Denied Blacklisted Destination

    FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types), and you will find Rules referencing Event Type Groups rather than individual events. For example, the "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic", and that group contains Cisco ASA events (about 20).

    Thanks

    Dan

    ------------------------------
    Daniel
    FortiSIEM Product Manager
    ------------------------------
    -------------------------------------------
    Original Message:
    Sent: Oct 12, 2020 10:11 PM
    From: Muhammad Hafiz Safwan Bin Jasmi
    Subject: CISCO ASA RULES OR USE CASE

    HafizJasmi
    New Member
    October 15, 2020

    Hi Daniel,

    Thanks for the suggestion. After going through it, I found out I need to activate some of the rules; maybe someone before me deactivated them.

    -------------------------------------------
    Original Message:
    Sent: Oct 13, 2020 04:03 AM
    From: Daniel Hanman
    Subject: CISCO ASA RULES OR USE CASE

    KarnGriffen
    Explorer II
    October 15, 2020
    Muhammad,

    You can create a Rule that notifies you when people change Rules. Helpful for finding when things have been modified:
    IF System Event Category = 2 AND Event Type IN PH_AUDIT_OBJECT_CREATED, PH_AUDIT_OBJECT_DELETED, PH_AUDIT_OBJECT_UPDATED AND OS Object Type = Rule
    WHERE COUNT(Matched Events) >= 1
    GROUPBY User,Object Name,Organization Name
    -------------------------------------------
    Original Message:
    Sent: Oct 14, 2020 11:12 PM
    From: Muhammad Hafiz Safwan Bin Jasmi
    Subject: CISCO ASA RULES OR USE CASE
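An added example, not code from the thread or from FortiSIEM itself: a small Python re-implementation of the rule-change rule posted above, run over constructed FortiSIEM-style audit events so the IF filter and the GROUP BY are visible. The dict field names (systemEventCategory, osObjectType, objectName, organization) are assumptions, not FortiSIEM's exact attribute names.

```python
from collections import defaultdict

# Event types and values are those in the rule posted above; the dict field
# names are assumptions for this example, not FortiSIEM's exact attribute names.
AUDIT_EVENT_TYPES = {"PH_AUDIT_OBJECT_CREATED", "PH_AUDIT_OBJECT_DELETED",
                     "PH_AUDIT_OBJECT_UPDATED"}
SYSTEM_EVENT_CATEGORY = 2     # "System Event Category = 2"
WATCHED_OBJECT_TYPE = "Rule"  # "OS Object Type = Rule"


def matches(event):
    """The IF clause: category 2, an audit object event, and the object is a Rule."""
    return (event.get("systemEventCategory") == SYSTEM_EVENT_CATEGORY
            and event.get("eventType") in AUDIT_EVENT_TYPES
            and event.get("osObjectType") == WATCHED_OBJECT_TYPE)


def evaluate_rule(events, threshold=1):
    """GROUP BY (User, Object Name, Organization Name); fire where COUNT >= threshold.
    Returns {group_key: matched_event_count} for each group that fired."""
    counts = defaultdict(int)
    for event in events:
        if matches(event):
            key = (event["user"], event["objectName"], event["organization"])
            counts[key] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def audit_event(event_type, obj_type, user, name, org="Super", category=2):
    """Helper that builds one constructed FortiSIEM-style audit event."""
    return {"systemEventCategory": category, "eventType": event_type,
            "osObjectType": obj_type, "user": user, "objectName": name,
            "organization": org}


# Constructed sample events. Disabling a rule is assumed to arrive as
# PH_AUDIT_OBJECT_UPDATED, which is what would have exposed the deactivated
# rules the thread starter found.
SAMPLE_EVENTS = [
    audit_event("PH_AUDIT_OBJECT_UPDATED", "Rule", "admin", "Permitted Blacklisted Source"),
    audit_event("PH_AUDIT_OBJECT_UPDATED", "Rule", "admin", "Permitted Blacklisted Source"),
    audit_event("PH_AUDIT_OBJECT_CREATED", "Rule", "ops", "ASA Config Change Watch"),
    audit_event("PH_AUDIT_OBJECT_UPDATED", "Report", "auditor", "Weekly Report"),  # not a Rule
    audit_event("PH_AUDIT_OBJECT_DELETED", "Rule", "ops", "Old Rule", category=1),  # wrong category
]

if __name__ == "__main__":
    for (user, name, org), n in evaluate_rule(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} changed rule '{name}' in {org} ({n} event(s))")
```

Raising the threshold narrows the alert to users who touched the same rule repeatedly, which is the knob to turn if a single edit per day is expected noise.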