Best way to ID traffic from Cisco ASA

deca2499
Engager

Hello all,

Serious newbie to Splunk here. I have been tasked with trying to identify traffic and create rules to either allow or block traffic coming and going from our company IT lab. I installed a Cisco ASA 5525 in transparent mode and now they want me to start locking it down. Thus I need to ID the traffic. I could really use the help on how to go about this with Splunk. I thought maybe trying to use netflow to do this but do not seem to be having much luck with getting it running on our Splunk install. I do not even know if I am doing that correctly at this point... LOL.

One thing of note, as this is a lab, I have been told there is a budget of $0 for this. 😞

Thank you in advance for all of your help!


richgalloway
SplunkTrust

Don't make block/allow decisions in Splunk.  That's not what Splunk is for, plus the latency will be too high.

Have the ASA make those decisions (that's what it's for) and log them to Splunk.  You can then use Splunk to report on what traffic was blocked or allowed.

---
If this reply helps you, Karma would be appreciated.

deca2499
Engager

Hi richgalloway,

I apologize for making it sound as if we were going to use Splunk to make the real-time decisions. We will be using the ASA to make those decisions in real time, but at the moment the ASA is just passing everything between production and lab. We want to see what traffic is going on at the moment so we can come up with the proper rules to put on the ASA. Currently we just have the ACLs as 'permit any any' both ways. I just need help in using Splunk to see what traffic is going on so that I can start to come up with a 'valid traffic' list. I hope that helps in clearing things up. Sorry for not being clear in the first post.

Thanks!


richgalloway
SplunkTrust

Set up the ASA to send its logs to Splunk.  They'll probably be in syslog format so you'll want to stand up a syslog server for that (consider using the Splunk Connect for Syslog app), although in a lab environment you can get away with sending syslog directly to your indexer.

Once you have the data indexed, run simple searches to see what you have.  Start with something like this to find the ASA events.

index=foo "ASA"

Look at the events and modify the search to exclude events you don't care about or to show only the events you do care about (like "allow" and "block"). Repeat the process until you've found what you want.

Have a look in splunkbase (apps.splunk.com) to see if any of the apps there can help you shorten this process.

---
If this reply helps you, Karma would be appreciated.
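As an added illustration of the "look at the events and narrow down" step above (not part of the thread, and not Splunk's own tooling), the script below parses a few constructed ASA syslog lines of the common "Built ... connection" (302013/302015) and "Deny" (106023) message shapes and tallies the flows per interface pair, destination and port. The same tally in Splunk would be a `stats count by` search over the extracted fields; the interface names, addresses and the assumption that the lab ASA emits these message IDs are mine.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread). Their shape follows
# the well-known 302013/302015 (built connection) and 106023 (deny) formats.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 1001 for prod:10.10.1.5/52100 (10.10.1.5/52100) to lab:10.20.0.8/443 (10.20.0.8/443)
%ASA-6-302013: Built outbound TCP connection 1002 for prod:10.10.1.6/52101 (10.10.1.6/52101) to lab:10.20.0.8/443 (10.20.0.8/443)
%ASA-6-302015: Built inbound UDP connection 1003 for lab:10.20.0.9/50000 (10.20.0.9/50000) to prod:10.10.1.2/53 (10.10.1.2/53)
%ASA-6-302013: Built inbound TCP connection 1004 for lab:10.20.0.9/50001 (10.20.0.9/50001) to prod:10.10.1.3/22 (10.10.1.3/22)
%ASA-4-106023: Deny tcp src lab:10.20.0.9/50002 dst prod:10.10.1.3/23 by access-group "lab_access_in" [0x0, 0x0]
"""

BUILT_RE = re.compile(
    r"%ASA-6-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ \([^)]*\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def parse_asa_line(line):
    """Return (action, proto, src_if, src, dst_if, dst, dport) or None for other events."""
    m = BUILT_RE.search(line)
    if m:
        return ("allow", m["proto"].lower(), m["src_if"], m["src"], m["dst_if"], m["dst"], int(m["dport"]))
    m = DENY_RE.search(line)
    if m:
        return ("deny", m["proto"].lower(), m["src_if"], m["src"], m["dst_if"], m["dst"], int(m["dport"]))
    return None

def summarize_flows(log_text):
    """Count flows per (action, proto, src_if, dst_if, dst, dport).
    The source address is left out of the key so each row reads like a
    candidate ACL entry: which service, in which direction, is actually used."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_asa_line(line)
        if rec:
            action, proto, src_if, _src, dst_if, dst, dport = rec
            counts[(action, proto, src_if, dst_if, dst, dport)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize_flows(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        action, proto, src_if, dst_if, dst, dport = key
        print(f"{n:4d}  {action:5s} {proto} {src_if} -> {dst_if} {dst}:{dport}")
```

Rows with "allow" are the observed traffic to turn into explicit permits; anything that keeps showing up only as "deny" after the ACLs are tightened is what the lab is probably missing.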