FortiSIEM Discussions
HafizJasmi
New Contributor

CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to fortisiem, i have question, currently our Fortisiem monitor Cisco ASA firewall, but as for now it did not flag any rules from Fortisiem.

It is i have to manually create rules for any security incident for Cisco ASA? If anyone could share rules for  ASA or any use case that you guys used.

3 REPLIES 3
DanielHanman
Staff
Staff

Hi Muhammad,

There are some specific rules where we mention ASA events by name.

  • Successful VPN Logon From Outside My Country
  • Startup Config Change: with login
  • Running Config Change: with login info
  • Heavy TCP Port Scan: Single Destination
  • Permitted Blacklisted Source
  • Denied Blacklisted Source
  • Permitted Blacklisted Destination
  • Denied Blacklisted Destination

FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types) and you will find Rules referencing Event Type Groups rather than individual events. For example "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic" and that group contains Cisco ASA events (about 20).

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
-------------------------------------------
Original Message:
Sent: Oct 12, 2020 10:11 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to fortisiem, i have question, currently our Fortisiem monitor Cisco ASA firewall, but as for now it did not flag any rules from Fortisiem.

It is i have to manually create rules for any security incident for Cisco ASA? If anyone could share rules for  ASA or any use case that you guys used.

HafizJasmi

Hi Daniel,

Thanks suggestion given, after going through i found out i need to activate some of the rules, maybe someone before me deactivated it.

-------------------------------------------
Original Message:
Sent: Oct 13, 2020 04:03 AM
From: Daniel Hanman
Subject: CISCO ASA RULES OR USE CASE

Hi Muhammad,

There are some specific rules where we mention ASA events by name.

  • Successful VPN Logon From Outside My Country
  • Startup Config Change: with login
  • Running Config Change: with login info
  • Heavy TCP Port Scan: Single Destination
  • Permitted Blacklisted Source
  • Denied Blacklisted Source
  • Permitted Blacklisted Destination
  • Denied Blacklisted Destination

FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types) and you will find Rules referencing Event Type Groups rather than individual events. For example "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic" and that group contains Cisco ASA events (about 20).

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------

Original Message:
Sent: Oct 12, 2020 10:11 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to fortisiem, i have question, currently our Fortisiem monitor Cisco ASA firewall, but as for now it did not flag any rules from Fortisiem.

It is i have to manually create rules for any security incident for Cisco ASA? If anyone could share rules for  ASA or any use case that you guys used.

KarnGriffen

Muhammad,  

You can create a Rule that notifies you when people change Rules.  Helpful for finding when things have been modified:
IF System Event Category = 2 AND Event Type IN PH_AUDIT_OBJECT_CREATED, PH_AUDIT_OBJECT_DELETED, PH_AUDIT_OBJECT_UPDATED AND OS Object Type = Rule
WHERE COUNT(Matched Events) >= 1
GROUPBY User,Object Name,Organization Name
-------------------------------------------
Original Message:
Sent: Oct 14, 2020 11:12 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: CISCO ASA RULES OR USE CASE

Hi Daniel,

Thanks suggestion given, after going through i found out i need to activate some of the rules, maybe someone before me deactivated it.


Original Message:
Sent: Oct 13, 2020 04:03 AM
From: Daniel Hanman
Subject: CISCO ASA RULES OR USE CASE

Hi Muhammad,

There are some specific rules where we mention ASA events by name.

  • Successful VPN Logon From Outside My Country
  • Startup Config Change: with login
  • Running Config Change: with login info
  • Heavy TCP Port Scan: Single Destination
  • Permitted Blacklisted Source
  • Denied Blacklisted Source
  • Permitted Blacklisted Destination
  • Denied Blacklisted Destination

FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types) and you will find Rules referencing Event Type Groups rather than individual events. For example "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic" and that group contains Cisco ASA events (about 20).

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager

Original Message:
Sent: Oct 12, 2020 10:11 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to fortisiem, i have question, currently our Fortisiem monitor Cisco ASA firewall, but as for now it did not flag any rules from Fortisiem.

It is i have to manually create rules for any security incident for Cisco ASA? If anyone could share rules for  ASA or any use case that you guys used.

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"