The Cisco ASA firewall produces thousands of Syslog messages for many different events every day. Auditing and alerting Syslog helps you to monitor network activities in real time and get notified about suspicious events. In this article, I will show you how to set up email notifications on your Cisco ASA device for firewall configuration changes, account login activities, and major hardware-related alerts.
Before configuring the Cisco ASA device SMTP settings, I set up a local SMTP relay server since the Cisco ASA device not supported SMTP with authentication. Therefore let’s see how to set up an SMTP relay server.
Setup Local SMTP Relay Server
Using Postfix (free and open-source mail transfer agent (MTA) that routes and delivers emails) to send email notifications to any email provider causes relay issues like spamming, delay in email delivery, etc. So I had to figure out delivering email notifications quickly to avoid any delay in response to the alerts generated by the Cisco ASA firewall.
AWS has a highly reliable email service called SES (Simple Email Service) which can be used to deliver such emails. In this section, I will be configuring Postfix to relay the email alerts from the ASA firewall to use the AWS SES for delivering emails to recipients. If you already have a secured verified SMTP server, you can use it for this.
If you are like to use Amazon SES, you can refer to Amazon SES Documentations to simply configure and implement the SES solution.
Create SMTP Credentials on Amazon SES
For the authentication between Postfix and Amazon SES, we need to create SMTP Credentials.
Log in to the AWS SES console and navigate to the SMTP settings on the left menu. Then click on the button Create My SMTP Credentials.
Enter the IAM User Name and click on the button Create.
Once created, copy and save the SMTP Username and SMTP Password for later usage.
Install & Configure the SMTP Relay Host
Install the Postfix SMTP server.
apt update apt install postfix
During the installation, it will ask for Postfix Configuration, for that select the Internet Site.
Then give the mail name as FQDN of the server.
Now open the Postfix configuration file
/etc/postfix/main.cf . Then remove the empty relayhost line and add the following lines at the end of the file:
#The relayhost needs to be replaced depending on the AWS region you are using. relayhost = [email-smtp.eu-west-2.amazonaws.com]:587 smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_use_tls = yes smtp_tls_security_level = encrypt smtp_tls_note_starttls_offer = yes
Create the authentication file
/etc/postfix/sasl_passwd and add the SMTP Credentials in the following format:
Hash the authentication file and set the required owner and file permissions as follows:
#Hash the authentication file sudo postmap hash:/etc/postfix/sasl_passwd #Change permissions sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db sudo chown -R root:root /etc/postfix/ sudo chmod -R 655 /etc/postfix/
Finally restart the Postfix service to apply changes:
sudo systemctl restart postfix
Configure SMTP & Logging on to Cisco ASA
Before configuring the SMTP server to the ASA firewall, check the SMTP server IP is reachable by the firewall using CLI. The following steps will show you configure using Cisco ASDM.
Configure SMTP Server
Navigate through Configuration -> Device management – > Logging -> SMTP. Then add the IP address of the SMTP server which you created in the previous step.
Create Event List
In this step, you can define from which Syslog events you need to get email alerts. There are two ways to configure Syslog events Event Class/Severity and Message ID. In this example, I’m going to configure all Alerts severity levels and the following Syslog message IDs.
You can see more details about Syslog message IDs from Cisco’s official website: Messages Listed by Severity Level
%ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights. %ASA-3-772002: PASSWORD: console login warning, user username, cause: password expired %ASA-3-772004: PASSWORD: session login failed, user username, IP ip, cause: password expired %ASA-6-605004: Login denied from source-address/source-port to interface:destination/service for user “username” %ASA-6-605005: Login permitted from source-address/source-port to interface:destination/service for user “username” %ASA-6-606001: ASDM session number number from IP_address started %ASA-6-606002: ASDM session number number from IP_address ended %ASA-6-611101: User authentication succeeded: IP, IP address: Uname: user %ASA-6-611102: User authentication failed: IP = IP address, Uname: user %ASA-5-111008: User user executed the command string %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd %ASA-6-308001: console enable password incorrect for number tries (from IP_address) %ASA-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reason
Navigate through Configuration -> Device management – > Logging -> Event List. Click Add to add a new event list and add Event Class/Severity and Message IDs accordingly. I have named the event list “email-alerts“.
Modify the Email Logging Filter
In the Logging, section selects the Logging Filters from the left pane and edit the E-Mail filter by selecting created event list for the “Use event list” field.
Add the Recipient Emails
Now it is time to add recipients’ emails who needs to get the email alerts. Go to the E-Mail Setup section and add the Source E-Mail Address and the E-Mail Recipients. When you are adding the E-Mail Recipients, make sure to set the Syslog Severity level to Informational.
Finally, you need to enable logging.
Once all the above steps are done, Apply and Save the changes to take effect.
Here I’ll also describe how to do all the above steps using the command line.
#Enter to the Global Configuration Mode conf t #Enable Logging logging enable logging timestamp #Create Custom Event List logging list email-alerts level alerts logging list email-alerts message 611101-611102 logging list email-alerts message 606001-606002 logging list email-alerts message 605004-605005 logging list email-alerts message 772004 logging list email-alerts message 111008 logging list email-alerts message 315011 logging list email-alerts message 772006 logging list email-alerts message 111010 logging list email-alerts message 113021 logging list email-alerts message 308001 logging list email-alerts message 772002 #Setup SMTP Settings smtp-server 192.168.1.50 logging mail email-alerts logging from-address [email protected] logging recipient-address [email protected] level informational
Test Email Notifications from Cisco ASA
Once all the above steps are completed, you can test it by login into the ASA firewall via SSH or HTTPS and running some commands on it. Then you will get email alerts as follows.
That should be it. Have fun! 🙂