Home Networking Setup Critical Email Alerts on Cisco ASA Firewall

Setup Critical Email Alerts on Cisco ASA Firewall

by Lakindu Jayasena
4.9k views 10 mins read
Cisco ASA Firewall Email Alerts

The Cisco ASA firewall produces thousands of Syslog messages for many different events every day. Auditing and alerting Syslog helps you to monitor network activities in real time and get notified about suspicious events. In this article, I will show you how to set up email notifications on your Cisco ASA device for firewall configuration changes, account login activities, and major hardware-related alerts.

Before configuring the Cisco ASA device SMTP settings, I set up a local SMTP relay server since the Cisco ASA device not supported SMTP with authentication. Therefore let’s see how to set up an SMTP relay server.

Setup Local SMTP Relay Server

Using Postfix (free and open-source mail transfer agent (MTA) that routes and delivers emails) to send email notifications to any email provider causes relay issues like spamming, delay in email delivery, etc. So I had to figure out delivering email notifications quickly to avoid any delay in response to the alerts generated by the Cisco ASA firewall.

AWS has a highly reliable email service called SES (Simple Email Service) which can be used to deliver such emails. In this section, I will be configuring Postfix to relay the email alerts from the ASA firewall to use the AWS SES for delivering emails to recipients. If you already have a secured verified SMTP server, you can use it for this.

If you are like to use Amazon SES, you can refer to Amazon SES Documentations to simply configure and implement the SES solution.

Create SMTP Credentials on Amazon SES

For the authentication between Postfix and Amazon SES, we need to create SMTP Credentials.

Log in to the AWS SES console and navigate to the SMTP settings on the left menu. Then click on the button Create My SMTP Credentials.

Amazon SES SMTP Settings

Enter the IAM User Name and click on the button Create.

SES Create My SMTP Credintials

Once created, copy and save the SMTP Username and SMTP Password for later usage.

Install & Configure the SMTP Relay Host

Install the Postfix SMTP server.

apt update
apt install postfix

During the installation, it will ask for Postfix Configuration, for that select the Internet Site.

Postfix Configuration

Then give the mail name as FQDN of the server.

Postfix Mail name

Now open the Postfix configuration file /etc/postfix/main.cf . Then remove the empty relayhost line and add the following lines at the end of the file:

#The relayhost needs to be replaced depending on the AWS region you are using.
relayhost = [email-smtp.eu-west-2.amazonaws.com]:587

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
Note: Change the followings according to your requirements.
mynetworks = 192.168.1.1/32 127.0.0.0/8 (Restrict specifically for network device IP/Subnet)
inet_interfaces = 192.168.1.50 (IP address of SMTP host)

Create the authentication file /etc/postfix/sasl_passwd and add the SMTP Credentials in the following format:

[SMTP_HOST]:587 SMTP_USERNAME:SMTP_PASSWORD

Hash the authentication file and set the required owner and file permissions as follows:

#Hash the authentication file
sudo postmap hash:/etc/postfix/sasl_passwd

#Change permissions
sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chown -R root:root /etc/postfix/
sudo chmod -R 655 /etc/postfix/

Finally restart the Postfix service to apply changes:

sudo systemctl restart postfix

Configure SMTP & Logging on to Cisco ASA

Before configuring the SMTP server to the ASA firewall, check the SMTP server IP is reachable by the firewall using CLI. The following steps will show you configure using Cisco ASDM.

Configure SMTP Server

Navigate through Configuration -> Device management – > Logging -> SMTP. Then add the IP address of the SMTP server which you created in the previous step.

ASA Configure SMTP Server

Create Event List

In this step, you can define from which Syslog events you need to get email alerts. There are two ways to configure Syslog events Event Class/Severity and Message ID. In this example, I’m going to configure all Alerts severity levels and the following Syslog message IDs.

You can see more details about Syslog message IDs from Cisco’s official website: Messages Listed by Severity Level

%ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights.
%ASA-3-772002: PASSWORD: console login warning, user username, cause: password expired
%ASA-3-772004: PASSWORD: session login failed, user username, IP ip, cause: password expired
%ASA-6-605004: Login denied from source-address/source-port to interface:destination/service for user “username”
%ASA-6-605005: Login permitted from source-address/source-port to interface:destination/service for user “username”
%ASA-6-606001: ASDM session number number from IP_address started
%ASA-6-606002: ASDM session number number from IP_address ended
%ASA-6-611101: User authentication succeeded: IP, IP address: Uname: user
%ASA-6-611102: User authentication failed: IP = IP address, Uname: user
%ASA-5-111008: User user executed the command string
%ASA-5-111010: User username, running application-name from IP ip addr, executed cmd
%ASA-6-308001: console enable password incorrect for number tries (from IP_address)
%ASA-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reason

Navigate through Configuration -> Device management – > Logging -> Event List. Click Add to add a new event list and add Event Class/Severity and Message IDs accordingly. I have named the event list “email-alerts“.

ASA Create Logging Event List

Modify the Email Logging Filter

In the Logging, section selects the Logging Filters from the left pane and edit the E-Mail filter by selecting created event list for the Use event list” field.

ASA Configure Logging Filters

Add the Recipient Emails

Now it is time to add recipients’ emails who needs to get the email alerts. Go to the E-Mail Setup section and add the Source E-Mail Address and the E-Mail Recipients. When you are adding the E-Mail Recipients, make sure to set the Syslog Severity level to Informational.

ASA Add Recipient Email Addresses

Enable Logging

Finally, you need to enable logging.

Enable Logging on Cisco ASA

Once all the above steps are done, Apply and Save the changes to take effect.

Here I’ll also describe how to do all the above steps using the command line.

#Enter to the Global Configuration Mode
conf t

#Enable Logging
logging enable
logging timestamp

#Create Custom Event List
logging list email-alerts level alerts
logging list email-alerts message 611101-611102
logging list email-alerts message 606001-606002
logging list email-alerts message 605004-605005
logging list email-alerts message 772004
logging list email-alerts message 111008
logging list email-alerts message 315011
logging list email-alerts message 772006
logging list email-alerts message 111010
logging list email-alerts message 113021
logging list email-alerts message 308001
logging list email-alerts message 772002

#Setup SMTP Settings
smtp-server 192.168.1.50
logging mail email-alerts
logging from-address [email protected]
logging recipient-address [email protected] level informational

Test Email Notifications from Cisco ASA

Once all the above steps are completed, you can test it by login into the ASA firewall via SSH or HTTPS and running some commands on it. Then you will get email alerts as follows.

Cisco ASA Sample Email Alerts

That should be it. Have fun! 🙂

Related Articles

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.