# Cisco ASA

Cisco ASA (Adaptive Security Appliance) is a stateful firewall and IPS platform that inspects perimeter and internal traffic to block threats such as exploit attempts, malicious connections, and protocol abuse. Connecting Cisco ASA forwards firewall and IPS syslog alerts to Radiant Security through the Radiant Agent. Radiant triages the syslog alerts and uses the surrounding connection data to determine whether observed traffic reflects a real compromise or benign network activity.

### Prerequisites

* [ ] An ASDM and CLI user with Admin privileges (privilege 15)
* [ ] A deployed [Radiant Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md) reachable from the Cisco ASA
* [ ] An [additional Cisco license](https://community.cisco.com/t5/security-knowledge-base/asa-versions-image-names-and-licensing/ta-p/3126264#toc-hId--1214164938) if you intend to activate the IPS module. No additional license is required to forward syslog alerts
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Cisco ASA**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent integration`). To reuse an existing Radiant Agent, select it from the drop-down menu.
6. In the **Connector tag** field, enter a random value. This value acts as the salt to randomize the **Token** you download in the next step.
7. Click **Add Connector**.
8. Copy the **Token** value or download the **Token** file, then download the **SSL certificate**. You will need both when configuring Cisco ASA.
9. Click **Done** to save your changes.

### Install the Radiant SSL certificate on Cisco ASA

Use either the ASDM GUI or the ASA CLI to import the certificate you downloaded from Radiant.

{% tabs %}
{% tab title="ASDM" %}

1. Log in to Cisco ASDM.
2. Navigate to **Configuration** > **Device Management** > **Certificate Management** > **CA Certificates**.
3. Click **Add**.
4. On the **Install Certificate** pane:
   * In **Trustpoint Name**, enter `Radiant-Security-Syslog`.
   * Select **Install from a file** to import the `.pem` file, or select **Paste certificate in PEM format** to paste the encoded certificate into the text box.
5. Click **Install Certificate**.
6. Click **OK**.

<figure><img src="/files/NVwH6Q1QixWPbxuGVdJF" alt=""><figcaption></figcaption></figure>
{% endtab %}

{% tab title="CLI" %}

1. Log in to the Cisco ASA CLI.
2. Enter `enable` to access privileged mode.
3. Enter `conf t` to access configuration mode.
4. Create a new trustpoint: `crypto ca trustpoint radiant-security-syslog`
5. Enter `exit` to leave trustpoint configuration.
6. Copy the base64-encoded certificate provided by Radiant Security.
7. Import the CA certificate: `crypto ca authenticate radiant-security-syslog`
8. Paste the encoded certificate into the terminal.
9. On the line after the certificate text, press **Enter**, then type `quit`.
10. Enter `yes` to accept the certificate.

<div align="left"><figure><img src="/files/8SSlhv2OhnoPBIJ6B017" alt=""><figcaption></figcaption></figure></div>

11. Enter `exit` to leave configuration mode.
12. Enter `write mem` to save the configuration.
{% endtab %}
{% endtabs %}

### Forward syslog from Cisco ASA

{% hint style="info" %}
Before forwarding syslog, confirm that the relevant Cisco ASA security features are enabled and configured so the firewall produces useful security data. See the Cisco documentation for [Threat Detection (ASDM)](https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/asdm712/firewall/asdm-712-firewall-config/conns-threat.html), [Threat Detection (CLI)](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/conns-threat.html), [IPS quick start](https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/ips/ips_qsg.html), and [IPS CLI configuration](https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/modules_ips.html#42923).
{% endhint %}

1. Log in to the Cisco ASA CLI.
2. Enter `enable` to access privileged mode.
3. Enter `conf t` to access configuration mode.
4. Enable logging: `logging enable`
5. Enable the timestamp field: `logging timestamp rfc5424`
6. Configure the firewall to include the Token from Radiant. Substitute `<TOKEN>` with the token you generated when adding the data feed: `logging device-id string <TOKEN>`
7. Enable the username field: `no logging hide username`
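8. Keep the ASA accepting new connections if the syslog connection drops (without this setting, an ASA that logs over TCP blocks new connections while the syslog server is unreachable): `logging permit-hostdown`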
9. Use IP addresses instead of object names: `no names`
10. Set the logging level to informational: `logging trap informational`
11. Set up syslog forwarding: `logging host {external_interface} cluster.syslog.radiantsecurity.ai TCP/6514 secure`
12. Enter `exit` to leave configuration mode.
13. Enter `write mem` to save the configuration.
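
As an added example (not part of the Radiant or Cisco documentation), this Python check audits a planned command list against the steps above before it is pasted into the ASA. The `audit` function name, the sample token, and the `outside` interface name are assumptions for illustration; the check matches commands as typed on this page, not `show running-config` output.

```python
import re

# Commands from the "Forward syslog from Cisco ASA" steps, as typed in config mode.
REQUIRED = ["logging enable", "logging timestamp rfc5424", "no logging hide username",
            "logging permit-hostdown", "no names", "logging trap informational"]
RADIANT_HOST = "cluster.syslog.radiantsecurity.ai"

def audit(commands):
    """Return findings for a planned ASA command list; an empty list means it matches the page."""
    lines = [" ".join(l.split()).lower() for l in commands.splitlines() if l.strip()]
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    # Step 6: the device-id must carry the real token, not the documentation placeholder.
    ids = [l for l in lines if l.startswith("logging device-id string ")]
    if not ids:
        findings.append("missing: logging device-id string <TOKEN>")
    elif any(re.search(r"[<>{}]", l) for l in ids):
        findings.append("placeholder left in device-id")
    # Step 11: the Radiant destination must use TCP/6514 with the 'secure' (TLS) keyword.
    hosts = [l.split() for l in lines if l.startswith("logging host ") and RADIANT_HOST in l]
    if not hosts:
        findings.append(f"missing: logging host for {RADIANT_HOST}")
    for h in hosts:
        if re.search(r"[<>{}]", h[2]):
            findings.append("placeholder left in interface name")
        if "tcp/6514" not in h:
            findings.append("logging host is not tcp/6514")
        if h[-1] != "secure":
            findings.append("logging host lacks 'secure' (syslog would not be TLS-protected)")
    return findings

# Constructed sample inputs (token and interface name are made up).
GOOD = """\
logging enable
logging timestamp rfc5424
logging device-id string EXAMPLE-TOKEN-0000
no logging hide username
logging permit-hostdown
no names
logging trap informational
logging host outside cluster.syslog.radiantsecurity.ai TCP/6514 secure
"""
BAD = """\
logging enable
logging device-id string <TOKEN>
logging trap informational
logging host outside cluster.syslog.radiantsecurity.ai TCP/6514
"""
for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
    print(name, audit(cfg) or "ok")
```
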


