Cisco ASA Activity
The Cisco ASA Activity dashboard provides an overview of common activity from a Cisco ASA firewall. The page covers many aspects of firewall network usage, including traffic flows over time, data allowed and blocked, IDS activity (in this case Snort alerting), firewall change activity and admin access, source and destination IPs, ports and protocols, and a drill-through to see the raw data for the selected time. The drill-through at the bottom of the screen shows the details behind a dashboard element when the user clicks on either the status block or the dashboard element. Some parts of the dashboard only show data for the last 4 hours, as firewalls can generate massive numbers of events. If longer search times are desired, it is best to use the event search feature to search for logs over a longer time period.
Key indicators are:
Firewall All activity - spikes in usage can indicate abnormal activity, which could be the result of a denial of service, data downloads or data being exfiltrated from the network. What is normal for one company may not be normal for another, so threshold settings should be adjusted to suit the reporting needs of your company.
All Logs by Firewall - when there are multiple firewalls in the network, this helps to see which firewalls are generating more logs than others.
Cisco Drop Logs - this shows logs that have been dropped by the firewall based on its policy. Unusual rates on this can indicate the firewall is being scanned or probed to find weak points to gain access.
Firewall accepted activity - this is activity allowed through the firewall. Anything allowed in or out may be normal or unauthorized activity, depending on whether data is leaking out using approved protocols. Many variations of malware, and attackers generally, rely on DNS, HTTP, HTTPS and SMTP, as these protocols are allowed in most cases because staff need to access the internet. So spikes in activity on these protocols can be an indicator of compromise.
Source and Destination Port Activity and Address Activity - these charts allow analysis of high-usage systems, ports and protocols. Low-usage ones that are trying to stay hidden can also be highlighted by filtering out the busy systems. These charts allow the analyst to review and understand what is normal activity, and to spot traffic that may be unauthorized, such as information leakage or high volumes of data being exfiltrated out of the company.
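As an added illustration (not part of this documentation or the product), the following Python parses a few constructed Cisco ASA syslog lines and reproduces two of the indicators above: event volume per firewall, and sources whose drop logs hit several distinct destination ports, which is the kind of unusual rate the Cisco Drop Logs panel is meant to surface. The log lines, firewall names and thresholds are constructed or assumed; the message IDs 106023 (ACL deny) and 302013 (connection built) are standard ASA message types.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Cisco ASA syslog format (not taken from the page).
# 106023 = connection denied by access list, 302013 = TCP connection built.
SAMPLE_LOGS = """\
Jan 10 12:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
Jan 10 12:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.5/23 by access-group "outside_in" [0x0, 0x0]
Jan 10 12:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]
Jan 10 12:00:03 fw1 %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40000 (198.51.100.7/40000) to inside:10.0.0.8/443 (10.0.0.8/443)
Jan 10 12:00:04 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.7/40001 dst inside:10.0.0.9/161 by access-group "outside_in" [0x0, 0x0]
Jan 10 12:00:05 fw2 %ASA-6-302013: Built outbound TCP connection 1002 for inside:10.0.0.20/51000 (10.0.0.20/51000) to outside:93.184.216.34/443 (93.184.216.34/443)
"""

HEADER = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<fw>\S+) %ASA-\d-(?P<msgid>\d+): "
DENY_RE = re.compile(HEADER + r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
                     r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
BUILT_RE = re.compile(HEADER + r"Built (?P<dir>in|out)bound (?P<proto>\w+) connection \d+ "
                      r"for \w+:(?P<src>[\d.]+)/\d+ \S+ to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_events(text):
    """Return one dict per recognised ASA line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line) or BUILT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["action"] = "deny" if ev["msgid"] == "106023" else "accept"
            events.append(ev)
    return events

def logs_by_firewall(events):
    """'All Logs by Firewall': event count per reporting firewall."""
    return dict(Counter(ev["fw"] for ev in events))

def flag_probing_sources(events, min_denies=3, min_ports=3):
    """Sources whose denies reach min_denies and touch >= min_ports distinct
    destination ports. Thresholds are tunable: normal differs per environment."""
    denies, ports = Counter(), defaultdict(set)
    for ev in events:
        if ev["action"] == "deny":
            denies[ev["src"]] += 1
            ports[ev["src"]].add(ev["dport"])
    return sorted(s for s, n in denies.items()
                  if n >= min_denies and len(ports[s]) >= min_ports)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    print(logs_by_firewall(evs), flag_probing_sources(evs))
```

In a real deployment the same per-source deny and distinct-port counts would be computed over the dashboard's time window rather than over a static string.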