How to generate a report showing Cisco ASA Firewall Rules being used by users?

Engager

Hi,

We have a Cisco ASA which logs directly to Splunk. We want to generate a report that shows which Firewall Rules are being hit the most on the ASA by users. Does anyone know how I could generate a report of that nature?

Thanks

1 Solution

Motivator

How about this?

sourcetype="cisco:asa" | stats count BY rule

If you are using Identity Based Firewall and have the users identified by the ASA try this search:

sourcetype="cisco:asa" | chart count OVER rule BY user

These searches will work if you have the Cisco ASA Add-on installed.

See http://docs.splunk.com/Documentation/Splunk/6.2.2/Report/Createandeditreports for a primer on creating reports.


Path Finder

I ended up with a very large result with the basic count search, so I added a couple of things to ignore, so instead of:

sourcetype="cisco:asa" | chart count OVER rule BY user

I went with:

sourcetype="cisco:asa" description!="Warning conditions" description!="Normal but significant conditions" | chart count OVER rule BY user

This returns error and Immediate action needed results only. I don't ignore the others, I just don't run the count with those included as often. Basically I run the immediate action needed and error type daily and the full count weekly.

Engager

Hi there,

Thank you for the reply, but my Splunk only has sourcetype=syslog. I don't get any results for the 2 queries you have given. Do I need to install the Cisco Add-on to get any meaningful information like that?

We have Juniper firewalls as well and for them no new add-on was required. Maybe Cisco logs differently.

Thank you nevertheless. If you have any other ideas let me know and I will try the add-on as well.

Motivator

Yes, that add-on will provide the necessary field extractions for ASA. There are add-ons for other technologies too. They offer similar functionality.

Using the add-ons saves you time creating regular expressions.

I don't have any experience with Juniper, but do a search for the app and you're likely to find something that works.

Link to the ASA Add-on: https://splunkbase.splunk.com/app/1620/

Other apps you might be interested in:
- Cisco Networks App for IOS and WLC: https://splunkbase.splunk.com/app/1352/
- Cisco Networks Add-on for IOS and WLC: https://splunkbase.splunk.com/app/1467
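To show what the add-on's field extraction is doing behind `stats count BY rule` and `chart count OVER rule BY user`, here is an added example (not code from this thread, from Splunk, or from the add-on) that parses ASA 106100 access-list syslog lines in Python and tallies hits by rule and by identity-firewall user. The message layout is assumed from the ASA 106100 syslog format, and the log lines are constructed samples.

```python
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

# Regex for the ASA 106100 message body (layout assumed from the ASA syslog
# message reference; the Splunk add-on performs equivalent extractions):
#   %ASA-6-106100: access-list <acl> <action> <proto> <if>/<src>(<port>)(<user>)
#       -> <if>/<dst>(<port>)(<user>) hit-cnt <n> ...
ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<rule>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^()\s]+)\((?P<src_port>\d+)\)"
    r"(?:\((?P<user>[^)]*)\))? -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^()\s]+)\((?P<dst_port>\d+)\)"
    r"(?:\((?P<dst_user>[^)]*)\))? hit-cnt (?P<hits>\d+)"
)

# Constructed sample lines, not output from a real firewall.
SAMPLE_LOG = """\
Jun 10 12:00:01 fw01 %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(51234)(LOCAL\\alice) -> outside/93.184.216.34(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jun 10 12:00:02 fw01 %ASA-6-106100: access-list inside_in denied udp inside/10.1.1.9(5353)(LOCAL\\bob) -> outside/224.0.0.251(5353) hit-cnt 3 300-second interval [0x5e6f7a8b, 0x0]
Jun 10 12:00:03 fw01 %ASA-6-106100: access-list outside_in denied tcp outside/198.51.100.7(40001) -> inside/10.1.1.20(22) hit-cnt 12 300-second interval [0x9c0d1e2f, 0x0]
Jun 10 12:00:04 fw01 %ASA-6-302013: Built outbound TCP connection 1001 for outside:93.184.216.34/443 to inside:10.1.1.5/51235
Jun 10 12:00:05 fw01 %ASA-6-106100: access-list inside_in permitted tcp inside/10.1.1.5(51236)(LOCAL\\alice) -> outside/93.184.216.34(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
"""


def parse_acl_events(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one field dict per 106100 line; other ASA messages are skipped."""
    for line in log_text.splitlines():
        m = ACL_RE.search(line)
        if m:
            yield m.groupdict()


def count_by_rule(log_text: str) -> Counter:
    """Event count per ACL name, like `stats count BY rule`."""
    return Counter(ev["rule"] for ev in parse_acl_events(log_text))


def count_by_rule_and_user(log_text: str) -> Counter:
    """Event count per (rule, user), like `chart count OVER rule BY user`;
    lines without an identity-firewall user are bucketed under '-'."""
    return Counter((ev["rule"], ev["user"] or "-") for ev in parse_acl_events(log_text))


if __name__ == "__main__":
    for rule, n in count_by_rule(SAMPLE_LOG).most_common():
        print(f"{rule:<12} {n}")
    for (rule, user), n in sorted(count_by_rule_and_user(SAMPLE_LOG).items()):
        print(f"{rule:<12} {user:<14} {n}")
```

Each 106100 line also carries the ASA's own `hit-cnt` aggregate, so summing that field instead of counting events gives a different (and often larger) number; the Splunk searches in this thread count events.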

Engager

Thanks a lot. I will certainly be trying the Add-on. Will come back here if I run into issues :).
