FortiSIEM Discussions
HafizJasmi
New Contributor

CISCO ASA RULES OR USE CASE

Hi Guys,

I am new to FortiSIEM and I have a question: currently our FortiSIEM monitors a Cisco ASA firewall, but so far it has not flagged any rules.

Do I have to manually create rules for any security incident for Cisco ASA? Could anyone share rules for ASA or any use cases that you have used?

3 REPLIES
DanielHanman
Staff

Hi Muhammad,

There are some specific rules where we mention ASA events by name.

  • Successful VPN Logon From Outside My Country
  • Startup Config Change: with login
  • Running Config Change: with login info
  • Heavy TCP Port Scan: Single Destination
  • Permitted Blacklisted Source
  • Denied Blacklisted Source
  • Permitted Blacklisted Destination
  • Denied Blacklisted Destination

FortiSIEM also categorises Events under different Groups (you can see this under Resources / Event Types), and you will find Rules referencing Event Type Groups rather than individual events. For example, the "Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP port" rule references the Event Type Group "Permitted Traffic", and that group contains Cisco ASA events (about 20).

Thanks

Dan

------------------------------
Daniel
FortiSIEM Product Manager
------------------------------
-------------------------------------------
Original Message:
Sent: Oct 12, 2020 10:11 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: CISCO ASA RULES OR USE CASE

HafizJasmi

Hi Daniel,

Thanks for the suggestion given; after going through them I found out I need to activate some of the rules. Maybe someone before me deactivated them.

-------------------------------------------
Original Message:
Sent: Oct 13, 2020 04:03 AM
From: Daniel Hanman
Subject: CISCO ASA RULES OR USE CASE

KarnGriffen

Muhammad,

You can create a Rule that notifies you when people change Rules. It is helpful for finding when things have been modified:
IF System Event Category = 2 AND Event Type IN PH_AUDIT_OBJECT_CREATED, PH_AUDIT_OBJECT_DELETED, PH_AUDIT_OBJECT_UPDATED AND OS Object Type = Rule
WHERE COUNT(Matched Events) >= 1
GROUPBY User,Object Name,Organization Name
-------------------------------------------
Original Message:
Sent: Oct 14, 2020 11:12 PM
From: Muhammad Hafiz Safwan Bin Jasmi
Subject: CISCO ASA RULES OR USE CASE
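As an added illustration (not code from the thread or from FortiSIEM itself), the rule condition above evaluated in Python over constructed audit events. The dictionary keys reuse the attribute display names from the rule text; the category value, user names and organization name are assumed sample values, not real FortiSIEM data.

```python
from collections import defaultdict

# Event types the rule matches (taken from the condition in the thread).
RULE_CHANGE_EVENT_TYPES = {
    "PH_AUDIT_OBJECT_CREATED",
    "PH_AUDIT_OBJECT_DELETED",
    "PH_AUDIT_OBJECT_UPDATED",
}

# Constructed sample events. Keys are the rule's attribute display names;
# "System Event Category" = 2 follows the condition text, category 1 is an
# assumed non-matching value used only to show the filter excluding it.
SAMPLE_EVENTS = [
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED",
     "OS Object Type": "Rule", "User": "admin",
     "Object Name": "Heavy TCP Port Scan: Single Destination", "Organization Name": "Super"},
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED",
     "OS Object Type": "Rule", "User": "admin",
     "Object Name": "Heavy TCP Port Scan: Single Destination", "Organization Name": "Super"},
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_DELETED",
     "OS Object Type": "Rule", "User": "analyst",
     "Object Name": "Denied Blacklisted Source", "Organization Name": "Super"},
    # Not a Rule object: must not match.
    {"System Event Category": 2, "Event Type": "PH_AUDIT_OBJECT_UPDATED",
     "OS Object Type": "Report", "User": "admin",
     "Object Name": "Weekly ASA Denies", "Organization Name": "Super"},
    # Wrong category (assumed value 1): must not match.
    {"System Event Category": 1, "Event Type": "PH_AUDIT_OBJECT_CREATED",
     "OS Object Type": "Rule", "User": "analyst",
     "Object Name": "Permitted Blacklisted Source", "Organization Name": "Super"},
]


def matches_rule_change(event):
    """The IF clause: system audit event that creates/deletes/updates a Rule."""
    return (event.get("System Event Category") == 2
            and event.get("Event Type") in RULE_CHANGE_EVENT_TYPES
            and event.get("OS Object Type") == "Rule")


def rule_change_incidents(events, threshold=1):
    """GROUPBY User, Object Name, Organization Name; keep groups with COUNT >= threshold."""
    counts = defaultdict(int)
    for ev in events:
        if matches_rule_change(ev):
            counts[(ev["User"], ev["Object Name"], ev["Organization Name"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, obj, org), n in rule_change_incidents(SAMPLE_EVENTS).items():
        print(f"{org}: {user} changed rule '{obj}' {n} time(s)")
```

With the threshold of 1 from the thread, any single rule change by a user produces an incident; raising the threshold would turn the same grouping into a "many changes in one window" alert.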