Forum Discussion
Integrate ATA with Cisco ASA firewall logs
Hi,
ATA does not integrate with FW logs from any vendor. Today it only collects windows event logs from the DCs which can be captured using a supported SIEM or Windows Event Fowarding.
This is now possible. ATA can receive VPN accounting logs from Cisco ASA. It is using RADIUS accounting events forwarded to ATA.
See this article:
https://docs.microsoft.com/en-us/advanced-threat-analytics/vpn-integration-install-step
- Hi Artom,
the article is for the windows side configuration, do you have a reference for the ASA end configuration?Hongtao,
Please see my post above with link to Cisco ASA config document.
Thanks,
Art.
Hi Artom, to setup the integration between Cisco ASA and ATA as per the documentation, it stated the port 1813 on ATA Gateways and Ligthweight Gateways, what about the authentication port? Reason I ask because Cisco ASA not allow the authentication port left empty.
On the other note, ATA Ligthweight Gateways do not have the "1812" advertising/listening, hence would this cause the integration not working?
Jeffrey,
I'm not exactly familiar with Cisco ASA side of configuration, but ATA Gateway doesn't do the authentication, only reads the "accounting" info.
Here is the Cisco ASA guide on this. Read page 17:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/aaa_radius.pdf
Seems that you have to configure an AAA Sever Group.
Perhaps there a way to add both, the Radius Server and ATA Gateway to the AAA Server Group, and then configure appropriate Authentication port for the Radius server and set Accounting port to 1813 so that ATA Gateway will see that accounting info.
Cheers,
Art.
