Cisco ASA/FWSM Context

Details:

  • Support: Levels 1-5 / Automation

  • A Cisco ASA device is configured with a device pack that supports the following automation:

    • NETWORK_INLINE_MEMBER

    • SERVICE_INLINE_MEMBER

    • RULE_SINGLE_VALUE_PER_COLUMN

  • The device pack also has the layout templateOptions configured with:

    • supportsInlineObjects

    • singleValuePerColumn

This setup, using the Cisco Context Device adapter, is required only if you want to limit Security Manager's connection to the Cisco security devices to one administrator or physical device IP address. Adding virtual devices as context devices removes the need to allow SIP direct SSH access to every Context VIP address located within each ASA/FWSM device. Each context acts as an independent device with its own assigned resources, policies, users, login, and syslog instance.

To add a Cisco ASA/FWSM Context device, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (in the UI location of fields, not in the information needed), consult your device's user guide.

  1. Create an Admin Context by entering the following command: hostname(config)# admin-context name
  2. Additional contexts can be added by entering the following command: hostname(config)# context name

The context name is case sensitive and can include up to 32 characters with a combination of letters, numbers, and hyphens.

  3. The following account credentials are required:

    • An account on the Cisco device with privilege level 15 permissions, so that the data collector can retrieve data from the devices.

    • The credentials for the Enable user, or an account on the Cisco device with privilege level 15 rights (super user/read-only).

To create a privilege level 15 account, complete the following steps:

  1. Log into your Cisco device and access privileged EXEC mode with the command enable, then enter the enable password at the prompt.
  2. Run the following commands:

aaa authorization command LOCAL
username <name> password <password> privilege <level>
wr

The final command, wr (write memory), saves the change to the startup configuration. Specific exec commands, such as running-config, can be allowed for any privilege level account, and the same is true of configure privileges for modifying specific sections of a configuration. The example above, which creates a level 15 user, assumes the vendor default privilege levels have not been modified. It also does not call out TACACS+ or RADIUS for the level 15 user; if your environment uses either authentication method for these accounts, modify the first two lines of the example accordingly.

If you will be using Policy Automation (only supported for ASA 9.6 and above), you will need to create a secondary level 15 account with HTTPS access.

  4. Enable logging.
  5. Syslog packets are forwarded directly from each individual context, so run the following commands in each context:
    1. hostname/contextname(config)# logging enable
    2. hostname/contextname(config)# logging trap informational
    3. hostname/contextname(config)# logging host <interface_name> <IP of data collector>
    4. hostname/contextname(config)# logging device-id context-name
  6. Create a Central Syslog Server. This server's IP address is the one that logs will be sent to.
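Why the per-context device-id matters, shown as an added example that is not part of the FireMon documentation: several contexts on one ASA can send syslog from the same source address, so the device-id is what lets a collector attribute a message to the right context device through its Syslog Match Names (entered in Step 2). The Python below parses such lines and routes them; the sample lines, device names and match names are constructed, and the "device-id : %ASA-" line layout is assumed from ASA's syslog output.

```python
import re
from collections import defaultdict

# ASA syslog line as emitted with "logging device-id context-name" (layout
# assumed from ASA syslog output): <PRI>timestamp device-id : %ASA-sev-msgid: text
# The "device-id : " part is absent when no device-id is configured.
ASA_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<device_id>\S+) : )?"
    r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<text>.*)$"
)

def parse_asa_syslog(line):
    """Return the fields of one ASA syslog line as a dict, or None if it does not match."""
    m = ASA_SYSLOG.match(line.strip())
    return m.groupdict() if m else None

def route_by_context(lines, match_names):
    """Attribute syslog lines to onboarded context devices: {device: [msg_id, ...]}.

    match_names maps a device name (as entered in SIP) to its comma-separated
    Syslog Match Names. Lines whose device-id matches none of them, or that carry
    no device-id at all, are collected under "unmatched".
    """
    lookup = {}
    for device, names in match_names.items():
        for name in names.split(","):
            lookup[name.strip()] = device
    routed = defaultdict(list)
    for line in lines:
        fields = parse_asa_syslog(line)
        if fields is None:
            continue  # not an ASA syslog line; a real collector would log this
        device = lookup.get(fields["device_id"] or "", "unmatched")
        routed[device].append(fields["msg_id"])
    return dict(routed)

# Constructed sample input: one physical ASA, two contexts (hypothetical names).
# The last line comes from a context without "logging device-id context-name"
# and cannot be attributed, even though it arrived from the same source IP.
SAMPLE_LINES = [
    "<166>Mar 04 2024 10:15:01 ctx-prod : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to dmz:192.0.2.10/443 (192.0.2.10/443)",
    "<166>Mar 04 2024 10:15:02 ctx-lab : %ASA-6-302014: Teardown TCP connection 777 for outside:203.0.113.7/40000 to inside:192.0.2.20/22 duration 0:00:05 bytes 4200 TCP FINs",
    "<165>Mar 04 2024 10:15:03 ctx-prod : %ASA-5-111008: User 'fmcollector' executed the 'logging trap informational' command.",
    "<166>Mar 04 2024 10:15:04 %ASA-6-302013: Built outbound TCP connection 99 for inside:192.0.2.30/55000 (192.0.2.30/55000) to outside:198.51.100.9/80 (198.51.100.9/80)",
]
# Syslog Match Names as they would be typed in SIP (comma-separated per device).
SAMPLE_MATCH_NAMES = {"asa1-prod": "ctx-prod, ASA1/ctx-prod", "asa1-lab": "ctx-lab"}
```

Calling route_by_context(SAMPLE_LINES, SAMPLE_MATCH_NAMES) attributes two messages to asa1-prod and one to asa1-lab, and leaves the line without a device-id under "unmatched".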

Step 2: Onboard the Device in the Administration Module

  1. On the toolbar, click Device > Devices.
  2. Click Create, and then click Cisco > ASA/FWSM Context.
  1. General Properties section.

To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.

  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.
  4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
  5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

  6. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
  7. By default, the Automatically Retrieve Configuration check box is selected.
  8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  9. Collection Configuration is enabled on the management station or by duplicating and then editing the default configuration (DeviceCollection Configuration). Default is the configuration set in the installed device pack.
  1. Device Settings section.
  • Managed By will display the Cisco management station for this device.
  • In the Context Name box, type the context name.

Credentials

  1. In the User Name box, type the user name for a device with level 15 permissions.
  2. In the Password box, type the password for the level 15 account listed above.

Note on the Enable account fields below: in the Enable User Name and Password fields, you can enter the Enable user name (blank by default) and password, or you can enter the credentials for an account with privilege level 15 rights (super user/read-only).

  1. In the Enable User Name box, type the user name that is used to log into “enable” mode, which restricts administrative access to this device.

Cisco's default Enable User Name is blank. If you have not updated the Enable User Name, simply leave this field blank to represent the default system user name. However, you must enter a password in the Enable Password field.

  1. In the Enable Password box, type the password that is used to log into “enable” mode, which restricts administrative access to this device.

Retrieval

  • By default, the Protocol is SSH and the Port is 22. HTTPS is available and uses ASDM API over port 443.

Normalization

  • If your device retrieval method will be set to "FromServer" then the Use Unified CSM Normalization check box (Monitoring section) must be selected for Hit Counter tracking to work properly.

  1. Policy Automation section.

    A valid Policy Automation license is required to complete this section, and you must have created a secondary level 15 account with HTTPS access in the Cisco UI.

The Policy Automation Credentials User Name and Password fields are associated with a level 15 account with HTTPS access. ASA Policy Automation is only supported for ASA 9.6 and above.

Credentials

  1. In the User Name box, type the user name used for the secondary administrator account.
  2. In the Password box, type the password used for the secondary administrator account.
  3. In the Re-enter Password box, retype the password entered above.

Advanced Automation Options

  • Select the Generate CLI Automation Commands check box if you want automation to generate CLI commands rather than attempt API calls.
  1. Monitoring section.

    Log Monitoring

If your device retrieval method is set to "FromServer" then the Use Unified CSM Normalization check box (Device Settings > Normalization) must be selected for Hit Counter tracking to work correctly.

By default, the Enable Log Monitoring check box is selected. To disable this automatic function, clear the check box.

  • By default, Track Usage Via is set to Hit Counters.
  • By default, the Count Retrieval Interval is set to 10 minutes.

    Change Monitoring

  1. By default, the Enable Change Monitoring check box is selected.

    • Enter an optional Alternate Syslog Source IP.

  2. Select the Perform Change Verification check box to allow the Data Collector to verify that there are actual changes before posting a revision to Security Manager. This makes more efficient use of disk space by not posting revisions that did not change from the last normalized revision.
  1. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time daily regardless of change.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
  • Set an optional time in the Check for Change Start Time box. To schedule the first retrieval for a specific time, select the Starting at check box and select a time. The first retrieval will run at the time you enter. All subsequent retrievals will occur at the interval you entered above, based on the time that the first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval will occur immediately after you save the settings. Subsequent retrievals will occur at the interval you entered.

Check for Change Retrieval

Select the Enable Check for Change check box to enable checking for configuration changes after the specified interval, and perform a retrieval if changes are detected.

  1. Advanced section.
    • Change Plan Options:
      • Select the Single Value Per Rule Column check box to prevent a user from adding more than one value per column in Policy Planner. Enabling will prevent multiple items from being added to any rule field, which prevents the creation of wrapper groups on the device.
      • Select the Recommend Inline Addresses and Services on Rules check box to have inline addresses and services recommended in Policy Planner. Enabling will prevent the creation of object changes for new addresses and services used on rules.
    • File Retrieval Options
      • Select the Disable Route File Retrieval check box if you want to disable this automatic function. Disabling tells the Data Collector to not retrieve route files from this specific device to prevent a timeout or reduce normalization time.
      • Select the Use Batch Config Retrieval check box only if you are manually sending configurations for this device using your data collector's batchconfig directory. When enabled, online retrievals will be disabled. If enabled, the Management IP Address must be populated.
      • Select the Retrieve Additional Status Commands check box to enable the additional status commands for the ASA during retrieval.
      • The Retrieval Timeout in Seconds is set to 120 seconds (2 minutes) and is the time to wait for a response during a retrieval.
      • Retrieve Policies Without Interfaces is enabled by default. Clear the check box to disable it. Disabling will skip retrieving and normalizing any policies that are not connected to an inbound or outbound interface.
        • If this setting is disabled, Process Policies Without Interfaces (Normalization Options) must also be disabled. You cannot normalize policies that are not retrieved.
      • Select the Enable Deprecated Ciphers and Algorithms check box to extend the OpenSSH options with deprecated ciphers and algorithms (weak SSH keys) for devices that cannot update the OS to a supported OpenSSH version; this weakens the SSH connection to that device.
    • SSH Key Options: Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.
    • Authentication Options: Select an Enable Level if your device requires a specific authentication enable level. If left at "Default", no enable level will be specified.
    • Normalization Options:
      • Select the Skip Route Normalization check box if you want to prevent normalization of routes.
      • Process Policies Without Interfaces is enabled by default; clear the check box to disable it. Disabling will skip normalizing any policies that are not connected to an inbound or outbound interface.
      • Select the Ignore Implicit Accept/Deny Rules check box to skip normalizing implicit Accept/Deny rules on this device.

    Ignore Implicit Accept/Deny Rules should not be enabled when Process Policies Without Interfaces is also enabled.

  1. Enforcement section.

Select one of the available enforcement options:

  • Allow All: All automation is allowed (enforcement, change, manual).

  • Manual Only: When selected, all changes must be manually pushed for this device.

  • Prevent All: No automation is allowed.

  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, the window will be listed here. If there is no assignment, changes must be manually pushed for this device.

  1. Supplemental Routes section.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.

If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.

  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Switch the Drop toggle on to enable it (disabled = Accept).
  • Click Add.
  1. Click Save.

Step 3: Verify Communication

Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.

To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.

It may take up to 15 minutes to see the status result of the retrieval.