By: Stephanie Hamrick
This document describes our basic standard for syslog configuration on ASA firewalls.
First, never trust another device's clock. When you set up a syslog server, always stamp received messages with the server's own local time. That said, the first thing to do when configuring a device to send syslog is to make sure its time is correct and NTP is set up. This is not for the syslog server's benefit (it should be using its own receive time for every message); it is what makes the logs usable when you read them on the device itself while troubleshooting, and what lets the device's timestamps be compared against the server's.
ASA(config)# ntp server 128.138.140.44
Right after the server is added the clock is still unsynchronized (stratum 16, no reference clock) and the reported offset is enormous:
ASA(config)# show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is dd108a3a.a67f3cc0 (11:44:58.650 GMT Wed Jul 12 2017)
clock offset is 28960349.9706 msec, root delay is 35.39 msec
root dispersion is 28976241.07 msec, peer dispersion is 16000.00 msec
Give it a few minutes and check again; do not move on until it reports synchronized with a sane offset:
ASA(config)# show ntp status
Clock is synchronized, stratum 2, reference is 128.138.140.44
nominal freq is 99.9984 Hz, actual freq is 99.9984 Hz, precision is 2**6
reference time is dd10fb9a.ffde64f0 (19:48:42.999 GMT Wed Jul 12 2017)
clock offset is 11.0599 msec, root delay is 35.11 msec
root dispersion is 15902.16 msec, peer dispersion is 15890.63 msec
Set the time zone the ASA should stamp its logs in (MST is UTC-7; add clock summer-time MDT recurring as well if the site observes daylight saving time), then turn on timestamps and give the local buffer enough room to be useful. All of this assumes logging enable is already in the configuration; without it the ASA logs nothing anywhere.
ASA(config)# clock timezone MST -7
ASA(config)# logging timestamp
ASA(config)# logging buffered debugging
ASA(config)# logging buffer-size 409600
ASA(config)# show log
Jul 12 2017 14:14:19: %ASA-7-609002: Teardown local-host outside:xxxxx duration 0:12:34
Jul 12 2017 14:14:19: %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:xxxxx dst inside:xxxx (type 3, code 3) on outside interface. Original IP payload: udp src xxxx/53 dst xxxx/xxxx.
Jul 12 2017 14:14:19: %ASA-4-106023: Deny icmp src outside:xxxx dst inside:xxxx (type 3, code 1) by access-group "outside_access_in" [0x0, 0x0]
Jul 12 2017 14:14:20: %ASA-6-106015: Deny TCP (no connection) from xxxx/xxxx to xxxxx/xxxx flags FIN ACK on interface inside
Jul 12 2017 14:14:20: %ASA-4-313005: No matching connection for ICMP error message: icmp src inside:xxxxx dst outside:xxxxx (type 3, code 10) on inside interface. Original IP payload: tcp src xxxxx/xxxx dst xxxxx/xxxxx.
By default the ASA logs every connection build and teardown and every NAT translation, which is where most of the noise in the buffer comes from. Now it is time to whittle that down. These are the messages we exclude, identified from Cisco's syslog message reference:
ASA(config)# no logging message 305012
ASA(config)# no logging message 305011
ASA(config)# no logging message 302015
ASA(config)# no logging message 302014
ASA(config)# no logging message 302013
ASA(config)# no logging message 302016
ASA(config)# no logging message 302021
ASA(config)# no logging message 302020
That is 305011/305012 (translation built/teardown), 302013/302014 (TCP connection built/teardown), 302015/302016 (UDP) and 302020/302021 (ICMP). Suppressing them is a trade-off, not free: the teardown messages carry connection duration and byte counts that incident responders lean on to scope an intrusion, and no logging message removes them from every destination, not just the local buffer. If the collector can absorb the volume, leave them enabled and filter on the server side instead.
Next we want every configuration change logged. Cisco's AAA and command-logging messages come as a group, but the only one we really care about is 111010, which records the user, where they connected from, and the command they executed. Put it on a logging list:
ASA(config)# logging list CONFIG_CHANGES message 111010
ASA(config)# logging list CONFIG_CHANGES level informational
Two things to be aware of. A logging list is only a definition: it changes nothing until a destination refers to it, for example logging trap CONFIG_CHANGES for the syslog server. And the level informational entry makes the list match every message at severity 6 or more severe, which already includes 111010 (severity 5, notifications), so if the list is meant to carry only configuration changes, keep just the message 111010 entry. The local buffer is at debugging, so the message shows up there either way:
ASA(config)# sh log | i 111010
Jul 12 2017 14:55:20: %ASA-5-111010: User 'peiadmin', running 'CLI' from IP x,x,x,x, executed 'write memory'
If the syslog server goes down and the ASA is sending syslog over TCP, the default behaviour is fail-closed: the ASA stops allowing new connections through it until the server answers again, which from a user's point of view is a bricked firewall until somebody gets on the console. To keep traffic flowing when the collector is unavailable, run:
ASA(config)# logging permit-hostdown
Be clear about what this trades away: with permit-hostdown a gap in the log stream no longer stops traffic, so nothing on the ASA will force anyone to notice that the collector is down. The ASA does log a message when a TCP syslog server stops responding, and the server side should alarm on an ASA that has gone quiet.
Pretty simple: point at the server's IP and the interface to send the traffic out of. Never stream syslog across the Internet; assume you will always log to the inside interface (or a dedicated management interface).
ASA(config)# logging host inside 10.222.2.202
As written this sends plain UDP/514, which is neither authenticated nor encrypted, and it is not the TCP case the permit-hostdown discussion above covers; append tcp/1470 for TCP delivery, or tcp/6514 secure to wrap it in TLS on ASA releases that support secure syslog. Two more lines finish the job: logging trap informational (or the name of a logging list) selects what is actually sent to the host, and logging device-id hostname lets the collector tell one ASA from another.
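The receiver side of this setup, as an added example that is not part of the original post: a small Python routine that does what the post asks of a syslog server. It stamps each line with the receiver's own clock and treats the ASA's timestamp only as evidence, flagging lines whose claimed time drifts more than a minute from the receive time (an ASA with no NTP or the wrong clock timezone offset shows up this way); it drops the connection-tracking IDs suppressed above if they still arrive; and it pulls the user, source IP and command out of 111010 so configuration changes can be alerted on. The sample lines, the addresses in them, the UTC-7 (MST) offset and the 60-second skew tolerance are all constructed for the example.

```python
"""Receiver-side triage for ASA syslog (added example, not from the post).

Each (line, received_at) pair is what a syslog server sees: the datagram text
and its own clock at arrival. received_at is authoritative; the ASA's own
timestamp is kept only as evidence and checked for skew.
"""
import re
from datetime import datetime, timedelta, timezone

# IDs the post suppresses on the ASA with `no logging message`; a receiver
# drops any that still arrive (e.g. from an ASA not yet reconfigured).
SUPPRESSED_IDS = {302013, 302014, 302015, 302016, 302020, 302021, 305011, 305012}
CONFIG_CHANGE_ID = 111010
MAX_SKEW = timedelta(seconds=60)  # assumption: tolerated device/receiver drift

# `logging timestamp` format: "Jul 12 2017 14:55:20: %ASA-5-111010: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$"
)
# Body of 111010: User 'u', running 'app' from IP a.b.c.d, executed 'cmd'
CHANGE_RE = re.compile(
    r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP (?P<ip>\S+), "
    r"executed '(?P<cmd>[^']*)'"
)


def parse_asa_line(line, asa_utc_offset_hours):
    """Parse one ASA line; return None if it is not ASA syslog.

    The ASA stamps messages in its configured zone (`clock timezone`), so the
    caller supplies that offset to turn the stamp into a comparable UTC time.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    naive = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %Y %H:%M:%S")
    zone = timezone(timedelta(hours=asa_utc_offset_hours))
    return {
        "device_time": naive.replace(tzinfo=zone).astimezone(timezone.utc),
        "severity": int(m["sev"]),
        "id": int(m["id"]),
        "text": m["text"],
    }


def triage(received, asa_utc_offset_hours=-7):
    """Return events tagged config_change / clock_skew / unparsed / event.

    Suppressed connection-tracking IDs are dropped; every kept event carries
    the receiver timestamp and the skew between it and the ASA's claim.
    """
    events = []
    for line, received_at in received:
        rec = parse_asa_line(line, asa_utc_offset_hours)
        if rec is None:
            events.append({"received": received_at, "tags": ["unparsed"], "raw": line})
            continue
        if rec["id"] in SUPPRESSED_IDS:
            continue
        skew = received_at - rec["device_time"]
        tags = []
        if abs(skew) > MAX_SKEW:
            tags.append("clock_skew")
        if rec["id"] == CONFIG_CHANGE_ID:
            tags.append("config_change")
            change = CHANGE_RE.search(rec["text"])
            if change:
                rec.update(change.groupdict())
        rec.update(received=received_at, skew_seconds=skew.total_seconds(),
                   tags=tags or ["event"])
        events.append(rec)
    return events


# Constructed sample: receiver clock T0 (UTC), ASA configured as MST (UTC-7).
T0 = datetime(2017, 7, 12, 21, 14, 19, tzinfo=timezone.utc)
SAMPLE_RECEIVED = [
    ("Jul 12 2017 14:14:19: %ASA-6-302013: Built outbound TCP connection 12345 "
     "for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 "
     "(198.51.100.2/51234)", T0),
    ("Jul 12 2017 14:14:19: %ASA-4-106023: Deny icmp src outside:203.0.113.10 "
     "dst inside:10.0.0.5 (type 3, code 1) by access-group \"outside_access_in\" "
     "[0x0, 0x0]", T0 + timedelta(seconds=1)),
    ("Jul 12 2017 14:14:20: %ASA-6-302014: Teardown TCP connection 12345 for "
     "outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:01 "
     "bytes 4096 TCP FINs", T0 + timedelta(seconds=2)),
    ("Jul 12 2017 14:14:22: %ASA-5-111010: User 'peiadmin', running 'CLI' from "
     "IP 10.0.0.9, executed 'write memory'", T0 + timedelta(seconds=3)),
    # Same ASA before NTP synced: its stamp is 41 minutes behind the receiver.
    ("Jul 12 2017 13:33:20: %ASA-4-106023: Deny icmp src outside:203.0.113.10 "
     "dst inside:10.0.0.5 (type 3, code 1) by access-group \"outside_access_in\" "
     "[0x0, 0x0]", T0 + timedelta(seconds=4)),
    ("not an ASA syslog line at all", T0 + timedelta(seconds=5)),
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_RECEIVED):
        print(ev["received"].isoformat(), ev["tags"], ev.get("id"), ev.get("cmd", ""))
```

Run against the constructed sample, the two 302013/302014 lines are dropped, the first 106023 is a plain event with one second of skew, the 111010 line is tagged config_change with user, ip and cmd filled in, the stale-clock 106023 is tagged clock_skew, and the non-ASA line is kept as unparsed rather than silently lost. Feed it real lines by replacing SAMPLE_RECEIVED with whatever your receiver hands you, paired with its own arrival time.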
Max Fuller, PEI