Cisco ASA

Connect Cisco ASA to Radiant Security to forward firewall and IPS syslog alerts for AI triage.

Cisco ASA (Adaptive Security Appliance) is a stateful firewall and IPS platform that inspects perimeter and internal traffic to block threats such as exploit attempts, malicious connections, and protocol abuse. Connecting Cisco ASA forwards firewall and IPS syslog alerts to Radiant Security through the Radiant Agent. Radiant triages the syslog alerts and uses the surrounding connection data to determine whether observed traffic reflects a real compromise or benign network activity.

Prerequisites

Add the data connector in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, click Settings > Data Connectors, then click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select Cisco ASA, then click Credentials.

  5. Under Credential Name, enter an identifiable name for the Radiant Agent integration (e.g., Radiant Agent integration). To reuse an existing Radiant Agent, select it from the drop-down menu.

  6. In the Connector tag field, enter a random value. This value acts as the salt to randomize the Token you download in the next step.

  7. Click Add Connector.

  8. Copy the Token value or download the Token file, then download the SSL certificate. You will need both when configuring Cisco ASA.

  9. Click Done to save your changes.

Install the Radiant SSL certificate on Cisco ASA

Use either the ASDM GUI or the ASA CLI to import the certificate you downloaded from Radiant.

  1. Log in to Cisco ASDM.

  2. Navigate to Configuration > Device Management > Certificate Management > CA Certificates.

  3. Click Add.

  4. On the Install Certificate pane:

    • In Trustpoint Name, enter Radiant-Security-Syslog.

    • Select Install from a file to import the .pem file, or select Paste certificate in PEM format to paste the encoded certificate into the text box.

  5. Click Install Certificate.

  6. Click OK.

Forward syslog from Cisco ASA

Before forwarding syslog, confirm that the relevant Cisco ASA security features are enabled and configured so the firewall produces useful security data. See the Cisco documentation for Threat Detection (ASDM), Threat Detection (CLI), IPS quick start, and IPS CLI configuration.

  1. Log in to the Cisco ASA CLI.

  2. Enter enable to access privileged mode.

  3. Enter conf t to access configuration mode.

  4. Enable logging: logging enable

  5. Enable the timestamp field: logging timestamp rfc5424

  6. Configure the firewall to include the Token from Radiant. Substitute <TOKEN> with the token you generated when adding the data feed: logging device-id string <TOKEN>

  7. Enable the username field: no logging hide username

  8. Allow the ASA to keep passing new connections if the TCP syslog connection drops: logging permit-hostdown

  9. Use IP addresses instead of object names: no names

  10. Set the logging level to informational: logging trap informational

  11. Set up syslog forwarding: logging host {external_interface} cluster.syslog.radiantsecurity.ai TCP/6514 secure

  12. Enter exit to leave configuration mode.

  13. Enter write mem to save the configuration.
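To check a saved command list or configuration text against the settings in the steps above before relying on the feed, the following audit script can help. It is an added example, not Radiant or Cisco code; the interface name "outside", the sample token and the function name audit are assumptions, and the input is expected in the form the steps give the commands.

```python
import re

# Settings from the page's forwarding steps: (label, regex for one whole line).
REQUIRED = [
    ("logging enabled", r"logging enable"),
    ("RFC 5424 timestamps", r"logging timestamp rfc5424"),
    ("token as device-id", r"logging device-id string \S+"),
    ("usernames not hidden", r"no logging hide username"),
    ("permit-hostdown", r"logging permit-hostdown"),
    ("object names disabled", r"no names"),
    ("trap level informational", r"logging trap informational"),
    # Assumption: also accept "6/6514", in case saved config shows TCP as protocol 6.
    ("TLS syslog host on TCP/6514",
     r"logging host \S+ cluster\.syslog\.radiantsecurity\.ai (tcp|6)/6514 secure"),
]

def audit(config_text):
    """Return a list of problems; an empty list means every setting is present."""
    lines = [re.sub(r"\s+", " ", ln.strip()) for ln in config_text.splitlines()]
    problems = []
    for label, pattern in REQUIRED:
        if not any(re.fullmatch(pattern, ln, re.IGNORECASE) for ln in lines):
            problems.append("missing: " + label)
    for ln in lines:
        if "<TOKEN>" in ln:
            problems.append("placeholder <TOKEN> was not replaced")
        low = ln.lower()
        if low.startswith("logging host ") and "radiantsecurity.ai" in low \
                and not low.endswith(" secure"):
            problems.append("syslog host line lacks 'secure' (no TLS)")
    return problems

# Constructed samples; "outside" and the token value are made up.
GOOD = """
logging enable
logging timestamp rfc5424
logging device-id string EXAMPLE-TOKEN-0000
no logging hide username
logging permit-hostdown
no names
logging trap informational
logging host outside cluster.syslog.radiantsecurity.ai TCP/6514 secure
"""
# Same text with three mistakes: no TLS, placeholder token, names still enabled.
BAD = (GOOD.replace(" secure", "").replace("EXAMPLE-TOKEN-0000", "<TOKEN>")
       .replace("no names\n", ""))

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "ok")
```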

Verify ingestion

After Cisco ASA begins forwarding, confirm alerts and events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"cisco_asa".

  3. Confirm recent alerts and events appear.

Allow several minutes for alerts and events to be parsed, indexed, and available for search.
