# Cisco ASA (syslog)

In this guide, you'll configure Cisco ASA to send alerts and events to Radiant Security. Cisco ASA is an enterprise-grade firewall that uses access control lists (ACLs) to manage network traffic and includes features like IPS and VPN, which generate valuable security data for detection and analysis.

### Prerequisites

* [ ] The ASDM and CLI user should have Admin privileges (privilege 15)

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select the **Radiant Agent** option and then click **Data Feeds**.
4. Under **Select your data feeds**, select **Cisco ASA** and click **Credentials**.
5. Under **Credential Name**, give the Radiant Agent integration an identifiable name (e.g. `Radiant Agent integration`). If you will reuse a Radiant Agent, select it from the drop-down menu.
6. In the **Connector tag** field, enter a random value. This value will act as the salt to randomize the **Token** you’ll download in the next step.
7. Click **Add Connector**.
8. Copy and save the **Token** value using the clipboard option or downloading the **Token** file. Download the **SSL certificate**, as you will need it when configuring the syslog source (Cisco ASA) in the next section.
9. Click **Done** to save your changes.

### Licenses

No additional license is required to forward syslog events, but an additional license is required to activate the IPS module.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FCOetPKI2j0cyulBYJgDP%2FCisco_ASA_05.png?alt=media&#x26;token=14a0d15e-57e0-48c3-ae23-692a26fb38e5" alt=""><figcaption></figcaption></figure></div>

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F4jq1GyAzWnUXJ6FhuigI%2FCisco_ASA_06.png?alt=media&#x26;token=0cdda421-d9c3-4caa-9a82-ba2ed3675775" alt=""><figcaption></figcaption></figure>

### Import a digital certificate via Cisco ASDM

In this step, you will upload the Radiant Security certificate via Cisco Adaptive Security Device Manager (ASDM).

1. Log into the Cisco ASDM.
2. Navigate to **Configuration** > **Device Management** > **Certificate Management** > **CA Certificates**.
3. Click **Add**.
4. On the **Install Certificate** pane, fill in the following details:
   1. **Trustpoint Name**: `Radiant-Security-Syslog`
   2. Select either **Install from a file** to import the .PEM file, or select **Paste certificate in PEM format** to paste the encoded certificate into the text box.
5. Click **Install Certificate**.
6. Click **OK**.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FyyihzoaAbdVRXWp2UTpR%2FCisco_ASA_07.png?alt=media&#x26;token=91935234-f21e-4b86-9bee-b0ec59bd335b" alt=""><figcaption></figcaption></figure>

### Import a digital certificate via CLI

Optionally, you can choose to import the Radiant Security certificate via CLI on the Cisco ASA.

1. Log into the Cisco ASA CLI.
2. Enter `enable` to access privileged mode.
3. Enter `conf t` to access the configuration mode.
4. Create a new Trustpoint by entering: `crypto ca trustpoint radiant-security-syslog`
5. Enter `exit` to exit the Trustpoint configuration.
6. Copy the base64 encoded certificate provided by Radiant Security.
7. Import the CA Certificate by entering: `crypto ca authenticate radiant-security-syslog`
8. Paste the encoded digital certificate into the terminal.
9. On the last line of the certificate's text, hit **Enter** to skip a line and then type `quit`.
10. Enter `yes` to accept the certificate.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FGsCU0kvIG0lbtVAn2UB4%2FCisco_ASA_08.png?alt=media&#x26;token=abe5b406-09ae-4d09-85ab-8ed034256fd8" alt=""><figcaption></figcaption></figure></div>

11. Enter `exit` to exit the configuration mode.
12. Enter `write mem` to save the configuration.

### Forward syslog events

Before you begin, it's important to have security features enabled and properly configured to generate detections and block malicious behavior on the network. Here's a list of the security features and how to check their status:

* Threat Detection
  * [Cisco ASA Configuration Guide](https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/firewall/asdm-712-firewall-config/conns-threat.html)
  * [Cisco CLI Configuration Guide](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-threat.html)
* IPS
  * [Cisco ASA Quick Start Guide](https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html)
  * [Cisco CLI IPS configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/modules_ips.html#42923)

1. Log into the Cisco ASA device CLI.
2. Enter `enable` to access privileged mode.
3. Enter `conf t` to access the configuration mode.
4. Enter `logging enable` to enable logging.
5. Enable the timestamp field by entering: `logging timestamp rfc5424`
6. Set the firewall to include the Token provided by Radiant during the connector setup (replace `<TOKEN>` with the token generated for you at connector creation): `logging device-id string <TOKEN>`
7. Enable the username field by entering: `no logging hide username`
8. Allow the device to keep accepting connections if the syslog connection is down: `logging permit-hostdown`
9. Set the firewall to use IP addresses instead of object names with: `no names`
10. Set the logging level to informational: `logging trap informational`
11. Set up syslog forwarding by entering the following command, replacing `{external_interface}` with the name of your external interface: \
    `logging host {external_interface} cluster.syslog.radiantsecurity.ai TCP/6514 secure`
12. Enter `exit` to exit the configuration mode.
13. Enter `write mem` to save the configuration and write it to memory.
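
To confirm the result of the steps above, the following added example (not part of Radiant Security's or Cisco's documentation) audits the logging lines of a saved configuration dump against the settings this guide applies. The sample configurations and token are constructed, the function name `audit` is hypothetical, and it is an assumption that a saved configuration may render TCP as protocol number `6`.

```python
import re

RADIANT_HOST = "cluster.syslog.radiantsecurity.ai"

# One anchored pattern per setting applied in the steps above.
REQUIRED = {
    "logging enable": r"logging enable",
    "logging timestamp rfc5424": r"logging timestamp rfc5424",
    "logging device-id string": r"logging device-id string \S+",
    "no logging hide username": r"no logging hide username",
    "logging permit-hostdown": r"logging permit-hostdown",
    "no names": r"no names",
    "logging trap informational": r"logging trap informational",
}

def audit(config_text):
    """Return findings for a saved config dump; an empty list means it matches."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = [f"missing: {name}" for name, pat in REQUIRED.items()
                if not any(re.fullmatch(pat, l, re.IGNORECASE) for l in lines)]
    if any("<token>" in l.lower() for l in lines):
        findings.append("device-id still holds the <TOKEN> placeholder")
    hosts = [l.lower().split() for l in lines
             if l.lower().startswith("logging host ") and RADIANT_HOST in l.lower()]
    if not hosts:
        findings.append("missing: logging host " + RADIANT_HOST)
    for tok in hosts:
        opts = tok[4:]  # everything after: logging host <interface> <server>
        # Assumption: a saved config may show TCP as IP protocol number 6.
        if not {"tcp/6514", "6/6514"} & set(opts):
            findings.append("logging host: transport is not TCP/6514")
        if "secure" not in opts:
            findings.append("logging host: 'secure' keyword missing, logs not sent over TLS")
    return findings

# Constructed sample dumps (not real device output).
GOOD = """logging enable
logging timestamp rfc5424
logging device-id string EXAMPLE-TOKEN-0000
no logging hide username
logging permit-hostdown
no names
logging trap informational
logging host outside cluster.syslog.radiantsecurity.ai 6/6514 secure"""
BAD = GOOD.replace("EXAMPLE-TOKEN-0000", "<TOKEN>").replace(" 6/6514 secure", " tcp/6514") \
          .replace("no logging hide username\n", "").replace("informational", "warnings")

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg) or "OK")
```

The findings never echo the device-id value, so the output can be shared without exposing the token.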


