USM Anywhere™

Configuring the AlienApp for Cisco Secure Firewall ASA

Role Availability Read-Only Analyst Manager

To use the AlienApp for Cisco Secure Firewall Adaptive Security Appliance (ASA) in USM Anywhere, you need to perform the following steps in you Cisco Secure Firewall ASA environment:

  • Download and install the Cisco Secure Firewall ASA Representational State Transfer (REST) API agent.
  • Enable the REST API agent.
  • Create a Cisco Secure Firewall ASA user profile with a privilege level of 15 to be able to communicate with USM Anywhere.

To install and configure the Cisco Secure Firewall ASA REST API agent

  1. Follow the steps listed in Install and Configure the Secure Firewall ASA REST API Agent and Client from the Cisco Secure Firewall ASA REST API Quick Start Guide.
  2. Open the command-line interface (CLI), and enter the following:

    username <USER_NAME> password <PASSWORD> privilege 15

    This creates the user account with a privilege level 15.

To enable AlienApp for Cisco Secure Firewall ASA in USM Anywhere

  1. In USM Anywhere, go to Data Sources > AlienApps.
  2. Click the Available Apps tab.
  3. Search for the AlienApp, and then click the tile.
  4. Click Configure API.
  5. If you have more than one deployed USM Anywhere Sensor, select the sensor that you want to use for the enabled AlienApp.

    AlienApps operate through a deployed sensor and use APIs to integrate with the connected third-party technology. Select the sensor that can access the integration endpoint. The HTTPS connections to the API will originate from this sensor, so it is important to make sure the sensor has network access to the AlienApp API endpoints.

  6. Enter the Cisco Secure Firewall ASA Management IP Address or Host Name, Port, Username, and Password.
  7. (Optional.) Select Require CA certificate and Validate HTTPS host name if you want to use this option, and then enter the certificate authority (CA) certificate.
  8. Click Save.
  9. Verify the connection.

    After USM Anywhere completes a successful connection to the Cisco Secure Firewall ASA REST APIs, a icon displays in the Health column.

    If the icon displays, there is a problem with the connection. The Message column provides information about the issue. Repeat the steps to fix the configuration or troubleshoot your Cisco Secure Firewall ASA connection.

Forward Cisco Secure Firewall ASA Syslog Messages to USM Anywhere

To fully integrate USM Anywhere with the AlienApp for Cisco Secure Firewall ASA, you need to configure syslog forwarding in the Cisco Secure Firewall ASA device to send the logs to your sensor. You can use the Cisco Adaptive Security Device Manager (ASDM) to enable logging and send all the syslog messages to the USM Anywhere Sensor IP address. See ASA 8.2: Configure Syslog using ASDM for detailed instructions from the vendor.

Assign Your Assets

Because the AlienApp for Cisco ASA is not auto-discoveredA secure long-term log retention mechanism. By default, AT&T Cybersecurity stores all data associated with a customer’s subdomain in cold storage for the life of the active USM Anywhere subscription at no additional charge., you must manually assign the AlienApp to the asset representing the Cisco ASA device or management server’s IP address in USM Anywhere. If the AlienApp isn't assigned to any assets, the Cisco ASA events will be handled by the AlienVault Generic Data Source, which will result in some of the data from the log not being properly parsed or associated with the AlienApp.

See Assign Assets to AlienApps for instructions on how to assign your assets to AlienApp for Cisco ASA.