Reporting

How to generate a report showing Cisco ASA Firewall Rules being used by users?

kgangulw
Engager

Hi,

We have a Cisco ASA which logs directly to Splunk. We want to generate a report that shows which Firewall Rules are being hit the most on the ASA by users. Does anyone know how I could generate a report of that nature?

Thanks

0 Karma
1 Solution

mikaelbje
Motivator

How about this?

sourcetype="cisco:asa" | stats count BY rule

If you are using Identity Based Firewall and have the users identified by the ASA try this search:

sourcetype="cisco:asa" | chart count OVER rule BY user  

These searches will work if you have the Cisco ASA Add-on installed.

See http://docs.splunk.com/Documentation/Splunk/6.2.2/Report/Createandeditreports for a primer on creating reports.


0 Karma

dhaertel
Path Finder

I ended up with a very large result with the basic count search, so I added a couple of things to ignore, so instead of:

sourcetype="cisco:asa" | chart count OVER rule BY user      

I went with:

sourcetype="cisco:asa" description!="Warning conditions" description!="Normal but significant conditions" | chart count OVER rule BY user

This returns error and Immediate action needed results only. I don't ignore the others, I just don't run the count with those included as often. Basically I run the immediate action needed and error type daily and the full count weekly.

0 Karma

kgangulw
Engager

Hi there,

Thank you for the reply, but my Splunk only has sourcetype=syslog. I don't get any results for the two queries you have given. Do I need to install the Cisco Add-on to get any meaningful information like that?

We have Juniper firewalls as well, and for them no new add-on was required. Maybe Cisco logs differently.

Thank you nevertheless. If you have any other ideas, let me know, and I will try the add-on as well.

0 Karma

mikaelbje
Motivator

Yes, that add-on will provide the necessary field extractions for ASA. There's Add-ons for other technologies too. They offer similar functionality.

Using the add-ons saves you time creating regular expressions.

I don't have any experience with Juniper, but do a search for the app and you're likely to find something that works.

Link to the ASA Add-on: https://splunkbase.splunk.com/app/1620/

Other apps you might be interested in:
- Cisco Networks App for IOS and WLC: https://splunkbase.splunk.com/app/1352/
- Cisco Networks Add-on for IOS and WLC: https://splunkbase.splunk.com/app/1467
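
Added example, not code posted in this thread and not part of the Cisco ASA Add-on: an SPL search that does by hand the field extraction the add-on provides, so that the `stats count BY rule` and `chart count OVER rule BY user` reports from the accepted solution can be produced from plain sourcetype=syslog events. It assumes the documented formats of two ASA messages, 106023 (packet denied by an access-group) and 106100 (access-list hit for ACEs configured with the log keyword), and that an Identity Firewall user name appears in parentheses after the source address. The four log lines are constructed and generated with makeresults so the search runs on any Splunk instance without indexed data; the field names severity, message_id, acl_from_group and acl_from_list are my own choices.

```spl
| makeresults
| eval sample1="%ASA-4-106023: Deny tcp src outside:198.51.100.7/52110 dst inside:10.0.0.5/22 by access-group \"outside_in\" [0x0, 0x0]"
| eval sample2="%ASA-4-106023: Deny tcp src outside:198.51.100.7/52111 dst inside:10.0.0.5/22 by access-group \"outside_in\" [0x0, 0x0]"
| eval sample3="%ASA-6-106100: access-list inside_out permitted tcp inside/10.0.0.21(49200) (alice) -> outside/203.0.113.9(443) hit-cnt 1 first hit [0x0, 0x0]"
| eval sample4="%ASA-6-106100: access-list inside_out denied udp inside/10.0.0.22(5353) (bob) -> outside/203.0.113.53(53) hit-cnt 3 300-second interval [0x0, 0x0]"
| eval _raw=mvappend(sample1, sample2, sample3, sample4)
| mvexpand _raw
| fields - sample1 sample2 sample3 sample4
| rex field=_raw "%ASA-(?<severity>\d)-(?<message_id>\d{6}):"
| rex field=_raw "by access-group \"(?<acl_from_group>[^\"]+)\""
| rex field=_raw "access-list (?<acl_from_list>\S+) (?<action>permitted|denied|est-allowed) "
| rex field=_raw "\((?<user>[A-Za-z][^,) ]*)\)"
| eval rule=coalesce(acl_from_group, acl_from_list)
| eval action=if(message_id="106023", "denied", action)
| fillnull value="unknown" user
| where isnotnull(rule)
| stats count AS hits BY rule action user
| sort - hits
```

To run this against real data, replace everything up to and including the `fields -` line with `sourcetype=syslog "%ASA-"` and set a time range; the rex lines then extract rule, action and user from the indexed events, and the final stats can be swapped for `chart count OVER rule BY user` and saved with Save As > Report. Two caveats for the resulting numbers: 106100 is only emitted for access-list entries that have the log keyword, and 106023 covers denies only, so a "most hit rules" report built from syslog counts logged rule hits rather than every packet the ACL evaluated (the firewall's own hit counters in `show access-list` remain the authoritative total). With the add-on installed, the rex lines are unnecessary because it already provides the rule and user fields.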

kgangulw
Engager

Thanks a lot. I will certainly be trying the Add-on. Will come back here if I run into issues :).

0 Karma