
Setup Critical Email Alerts on Cisco ASA Firewall

by Lakindu Jayasena
Cisco ASA Firewall Email Alerts

The Cisco ASA firewall produces thousands of syslog messages for many different events every day. Auditing and alerting on syslog helps you monitor network activity in real time and get notified about suspicious events. In this article, I will show you how to set up email notifications on your Cisco ASA device for firewall configuration changes, account login activity, and major hardware-related alerts.

Before configuring the SMTP settings on the Cisco ASA, I set up a local SMTP relay server, since the Cisco ASA does not support SMTP with authentication. So let’s first see how to set up the SMTP relay server.

Setup Local SMTP Relay Server

Using Postfix (a free and open-source mail transfer agent (MTA) that routes and delivers email) to send notifications directly to an arbitrary email provider causes relay issues such as messages being classified as spam, delayed delivery, and so on. So I had to find a way to deliver the email notifications quickly, to avoid any delay in responding to the alerts generated by the Cisco ASA firewall.

AWS has a highly reliable email service called SES (Simple Email Service) which can be used to deliver such emails. In this section, I will configure Postfix to relay the email alerts from the ASA firewall through AWS SES, which delivers them to the recipients. If you already have a secured, verified SMTP server, you can use it instead.

If you would like to use Amazon SES, refer to the Amazon SES documentation to configure and implement the SES solution.

Create SMTP Credentials on Amazon SES

For authentication between Postfix and Amazon SES, we need to create SMTP credentials.

Log in to the AWS SES console and navigate to SMTP Settings in the left menu. Then click the Create My SMTP Credentials button.

Amazon SES SMTP Settings

Enter the IAM User Name and click the Create button.

SES Create My SMTP Credintials

Once created, copy and save the SMTP Username and SMTP Password for later use.

Install & Configure the SMTP Relay Host

Install the Postfix SMTP server.

    apt update
    apt install postfix

During the installation, it will ask for the Postfix configuration type; select Internet Site.

Postfix Configuration

Then give the mail name as the FQDN of the server.

Postfix Mail name

Now open the Postfix configuration file /etc/postfix/main.cf. Remove the empty relayhost line and add the following lines at the end of the file:

    # The relayhost needs to be replaced depending on the AWS region you are using.
    relayhost = [email-smtp.eu-west-2.amazonaws.com]:587
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_use_tls = yes
    smtp_tls_security_level = encrypt
    smtp_tls_note_starttls_offer = yes

Note: Change the following according to your requirements.

    mynetworks = 192.168.1.1/32 127.0.0.0/8    (restrict to the network device IP/subnet)
    inet_interfaces = 192.168.1.50             (IP address of the SMTP host)

Create the authentication file /etc/postfix/sasl_passwd and add the SMTP credentials in the following format:

 [SMTP_HOST]:587 SMTP_USERNAME:SMTP_PASSWORD 

Hash the authentication file and set the required owner and file permissions as follows:

    # Hash the authentication file
    sudo postmap hash:/etc/postfix/sasl_passwd
    # Set the ownership and baseline permissions of the Postfix directory first ...
    sudo chown -R root:root /etc/postfix/
    sudo chmod -R 655 /etc/postfix/
    # ... then tighten the credential file and its hash map last, so the
    # recursive chmod above does not leave them world-readable
    sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
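As an added check (not from the original article), the following Python script verifies the state those commands are meant to leave behind: the credential file and its postmap database owned by the expected user, mode 0600, and the .db not older than the text file it was built from. The fixture directory, the expected uid and the sample credential line are assumptions used to build a constructed example.

```python
import os
import stat
import tempfile
from pathlib import Path

def check_sasl_passwd(path, expected_uid=0):
    """Return a list of findings for a Postfix SASL credential file and its
    postmap output; an empty list means the hardening steps above hold."""
    src = Path(path)
    db = Path(f"{path}.db")
    if not src.exists():
        return [f"{src}: missing"]
    findings = []
    st = src.stat()
    if stat.S_IMODE(st.st_mode) != 0o600:
        findings.append(f"{src}: mode {stat.S_IMODE(st.st_mode):04o}, expected 0600")
    if st.st_uid != expected_uid:
        findings.append(f"{src}: owner uid {st.st_uid}, expected {expected_uid}")
    if not db.exists():
        findings.append(f"{db}: missing, run 'postmap hash:{src}'")
        return findings
    dst = db.stat()
    if stat.S_IMODE(dst.st_mode) != 0o600:
        findings.append(f"{db}: mode {stat.S_IMODE(dst.st_mode):04o}, expected 0600")
    if dst.st_mtime < st.st_mtime:
        # Postfix reads the .db, not the text file: edits without postmap are silently ignored
        findings.append(f"{db}: older than {src}, re-run postmap")
    return findings

def demo():
    """Constructed fixture (not a real /etc/postfix): reproduce the state left by a
    recursive chmod 655 that runs after chmod 0600, then the corrected state."""
    d = Path(tempfile.mkdtemp())
    src, db = d / "sasl_passwd", d / "sasl_passwd.db"
    src.write_text("[email-smtp.eu-west-2.amazonaws.com]:587 USER:PASS\n")
    db.write_bytes(b"")          # stand-in for the postmap output
    uid = os.getuid()            # the fixture is owned by us, not root
    for p in (src, db):
        os.chmod(p, 0o655)       # the value the recursive chmod applies
    before = check_sasl_passwd(src, expected_uid=uid)
    for p in (src, db):
        os.chmod(p, 0o600)       # tighten again, as the corrected order does
    after = check_sasl_passwd(src, expected_uid=uid)
    return before, after
```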

Finally restart the Postfix service to apply changes:

 sudo systemctl restart postfix 

Configure SMTP & Logging on Cisco ASA

Before configuring the SMTP server on the ASA firewall, check from the CLI that the SMTP server IP is reachable from the firewall. The following steps show how to configure it using Cisco ASDM.

Configure SMTP Server

Navigate to Configuration -> Device Management -> Logging -> SMTP. Then add the IP address of the SMTP server you created in the previous step.

ASA Configure SMTP Server

Create Event List

In this step you define which syslog events should trigger email alerts. There are two ways to select syslog events: by Event Class/Severity and by Message ID. In this example I am going to configure all messages of the Alerts severity level plus the following syslog message IDs.

You can find more details about syslog message IDs on Cisco’s official website: Messages Listed by Severity Level.

    %ASA-3-113021: Attempted console login failed. User username did NOT have appropriate Admin Rights.
    %ASA-3-772002: PASSWORD: console login warning, user username, cause: password expired
    %ASA-3-772004: PASSWORD: session login failed, user username, IP ip, cause: password expired
    %ASA-6-605004: Login denied from source-address/source-port to interface:destination/service for user "username"
    %ASA-6-605005: Login permitted from source-address/source-port to interface:destination/service for user "username"
    %ASA-6-606001: ASDM session number number from IP_address started
    %ASA-6-606002: ASDM session number number from IP_address ended
    %ASA-6-611101: User authentication succeeded: IP, IP address: Uname: user
    %ASA-6-611102: User authentication failed: IP = IP address, Uname: user
    %ASA-5-111008: User user executed the command string
    %ASA-5-111010: User username, running application-name from IP ip addr, executed cmd
    %ASA-6-308001: console enable password incorrect for number tries (from IP_address)
    %ASA-6-315011: SSH session from IP_address on interface interface_name for user user disconnected by SSH server, reason: reason

Navigate to Configuration -> Device Management -> Logging -> Event List. Click Add to add a new event list and add the Event Class/Severity and Message IDs accordingly. I have named the event list “email-alerts”.

ASA Create Logging Event List

Modify the Email Logging Filter

In the Logging section, select Logging Filters from the left pane and edit the E-Mail filter, selecting the event list you created in the “Use event list” field.

ASA Configure Logging Filters

Add the Recipient Emails

Now it is time to add the recipient emails that should receive the alerts. Go to the E-Mail Setup section and add the Source E-Mail Address and the E-Mail Recipients. When adding the E-Mail Recipients, make sure to set the Syslog Severity level to Informational.

ASA Add Recipient Email Addresses

Enable Logging

Finally, you need to enable logging.

Enable Logging on Cisco ASA

Once all the above steps are done, Apply and Save the changes for them to take effect.

Here is how to do all the above steps from the command line as well.

    ! Enter the Global Configuration Mode
    conf t
    ! Enable Logging
    logging enable
    logging timestamp
    ! Create Custom Event List
    logging list email-alerts level alerts
    logging list email-alerts message 611101-611102
    logging list email-alerts message 606001-606002
    logging list email-alerts message 605004-605005
    logging list email-alerts message 772004
    logging list email-alerts message 111008
    logging list email-alerts message 315011
    logging list email-alerts message 772006
    logging list email-alerts message 111010
    logging list email-alerts message 113021
    logging list email-alerts message 308001
    logging list email-alerts message 772002
    ! Setup SMTP Settings
    smtp-server 192.168.1.50
    logging mail email-alerts
    logging from-address [email protected]
    logging recipient-address [email protected] level informational
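As an added example (not part of the original article or of Cisco’s tooling), this Python snippet builds the email-alerts filter from a constructed copy of the "logging list" statements above and applies it to syslog lines, so you can predict which messages will reach your inbox before touching the firewall. The sample log lines and the select_alerts helper are constructed for the example.

```python
import re

# Constructed copy of the page's event list in ASA CLI form, so the filter is
# built from the same statements the firewall uses.
EVENT_LIST_CLI = """
logging list email-alerts level alerts
logging list email-alerts message 611101-611102
logging list email-alerts message 606001-606002
logging list email-alerts message 605004-605005
logging list email-alerts message 772004
logging list email-alerts message 111008
logging list email-alerts message 315011
logging list email-alerts message 772006
logging list email-alerts message 111010
logging list email-alerts message 113021
logging list email-alerts message 308001
logging list email-alerts message 772002
"""

# ASA severity keywords and their numeric levels (0 = most severe).
SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

ASA_RE = re.compile(r"%ASA-(\d)-(\d{6}):")   # %ASA-<severity>-<message id>:

def parse_event_list(cli_text, name):
    """Return (max severity or None, set of message ids) for one 'logging list' name."""
    max_sev, ids = None, set()
    for line in cli_text.splitlines():
        parts = line.split()
        if parts[:3] != ["logging", "list", name]:
            continue
        if parts[3] == "level":
            max_sev = SEVERITIES[parts[4]]         # 'level X' selects X and anything more severe
        elif parts[3] == "message":
            lo, _, hi = parts[4].partition("-")    # single id or lo-hi range
            ids.update(range(int(lo), int(hi or lo) + 1))
    return max_sev, ids

def matches(line, max_sev, ids):
    """True if the syslog line would be selected by the event list."""
    m = ASA_RE.search(line)
    if not m:
        return False
    sev, msg_id = int(m.group(1)), int(m.group(2))
    return (max_sev is not None and sev <= max_sev) or msg_id in ids

def select_alerts(lines, name="email-alerts"):
    """Keep only the lines the named event list would mail out."""
    max_sev, ids = parse_event_list(EVENT_LIST_CLI, name)
    return [l for l in lines if matches(l, max_sev, ids)]
```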

Test Email Notifications from Cisco ASA

Once all the above steps are completed, you can test it by logging in to the ASA firewall via SSH or HTTPS and running some commands. You will then get email alerts like the following.

Cisco ASA Sample Email Alerts

That should be it. Have fun! 🙂
