Deciding Which Connections To Log
License: Any
Using various settings in access control and SSL policies, you can log any connection that your ASA FirePOWER module monitors. In most cases, you can log a connection at its beginning and its end. However, because blocked traffic is immediately denied without further inspection, the system can log only beginning-of-connection events for blocked traffic; there is no unique end of connection to log.
When you log a connection event, you can view it in the event viewer. You can also send connection data to an external syslog or SNMP trap server.
Tip |
To perform detailed analysis of connection data using the ASA FirePOWER module, Cisco recommends you log the ends of critical connections. |
Logging Critical Connections
License: Any
You should log connections according to the security and compliance needs of your organization. If your goal is to limit the number of events you generate and improve performance, only enable logging for the connections critical to your analysis. However, if you want a broad view of your network traffic for profiling purposes, you can enable logging for additional connections. Various settings in access control and SSL policies give you granular control over which connections you log, when you log them, and where you store the data.
Caution |
Logging blocked TCP connections during a Denial of Service (DoS) attack can overwhelm the system with multiple similar events. Before you enable logging for an Block rule, consider whether the rule monitors traffic on an Internet-facing interface or other interface vulnerable to DoS attack. |
In addition to the logging that you configure, the system automatically logs most connections where the system detects a prohibited file, malware, or intrusion attempt. The system saves these end-of-connection events for further analysis. All connection events reflect why they were automatically logged using the Action and Reason fields.
Security Intelligence Blocking Decisions (Optional)
You can log a connection whenever it is blocked by the reputation-based Security Intelligence feature. Optionally, and recommended in passive deployments, you can use a monitor-only setting for Security Intelligence filtering. This allows the system to further analyze connections that would have been blocked, but still log the match.
When you enable Security Intelligence logging, traffic that matches the blacklist generates a Security Intelligence event as well as a connection event. A Security Intelligence event is a special kind of connection event that you can view and analyze separately, and that is also stored and pruned separately. For more information, see Logging Security Intelligence Decisions.
Access Control Handling (Optional)
You can log a connection when it is handled by an access control rule or the access control default action. You configure this logging on a per-access control rule basis so that you only log critical connections. For more information, see Logging Connections Based on Access Control Handling.
Connections Associated with Intrusions (Automatic)
When an intrusion policy invoked by an access control rule (see Tuning Traffic Flow Using Access Control Rules) detects an intrusion and generates an intrusion event, the system automatically logs the end of the connection where the intrusion occurred, regardless of the logging configuration of the rule.
However, when an intrusion policy associated with the access control default action (see Setting Default Handling and Inspection for Network Traffic) generates an intrusion event, the system does not automatically log the end of the associated connection. Instead, you must explicitly enable default action connection logging. This is useful for intrusion prevention-only deployments where you do not want to log any connection data.
For connections where an intrusion was blocked, the action for the connection in the connection log is Block , with a reason of Intrusion Block , even though to perform intrusion inspection you must use an Allow rule.
Connections Associated with File and Malware Events (Automatic)
When a file policy invoked by an access control rule detects a prohibited file (including malware) and generates a file or malware event, the system automatically logs the end of the connection where the file was detected, regardless of the logging configuration of the access control rule. You cannot disable this logging.
Note |
File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection events because the client and server establish a persistent connection. The system generates connection events after the client or server ends the session. |
For connections where a file was blocked, the action for the connection in the connection log is Block even though to perform file and malware inspection you must use an Allow rule. The connection’s reason is either File Monitor (a file type or malware was detected), or Malware Block or File Block (a file was blocked).
Logging the Beginning and End of Connections
License: Any
When the system detects a connection, in most cases you can log it at its beginning and its end.
However, because blocked traffic is immediately denied without further inspection, in most cases you can log only beginning-of-connection events for blocked traffic; there is no unique end of connection to log.
Note |
For a single non-blocked connection, the end-of-connection event contains all of the information in the beginning-of-connection event, as well as information gathered over the duration of the session. |
Note that monitoring a connection for any reason forces end-of-connection logging; see Understanding Logging for Monitored Connections.
The following table details the differences between beginning and end-of-connection events, including the advantages to logging each.
Context |
Beginning-of-Connection Events |
End-of-Connection Events |
---|---|---|
Can be generated... |
when the system detects the beginning of a connection (or, after the first few packets if event generation depends on application or URL identification) |
when the system:
|
Can be logged for... |
all connections evaluated by Security Intelligence or access control rules |
all connections are configurable, though the system cannot log the end of blocked connections |
Contain... |
only information that can be determined in the first packet (or the first few packets, if event generation depends on application or URL identification) |
all information in the beginning-of-connection event, plus information determined by examining traffic over the duration of the session, for example, the total amount of data transmitted or the timestamp of the last packet in the connection |
Are useful... |
if you want to log:
|
if you want to:
|
Logging Connections to the ASA FirePOWER Module or External Server
License: Any
You can log connection events to the ASA FirePOWER module, as well as to an external syslog or SNMP trap server. Before you can log connection data to an external server, you must configure a connection to that server called an alert response ; see Working with Alert Responses.
Understanding How Access Control and SSL Rule Actions Affect Logging
License: feature dependent
Every access control and SSL rule has an action that determines not only how the system inspects and handles the traffic that matches the rule, but also when and how you can log details about matching traffic.
Understanding Logging for Monitored Connections
License: feature dependent
The system always logs the ends of the following connections to the ASA FirePOWER module, regardless of the logging configuration of the rule or default action that later handles the connection:
-
connections matching a Security Intelligence blacklist set to monitor
-
connections matching an access control Monitor rule
In other words, if a packet matches a Monitor rule or Security Intelligence monitored blacklist, the connection is always logged, even if the packet matches no other rules and you do not enable logging on the default action. Whenever the system logs a connection event as the result of Security Intelligence filtering, it also logs a matching Security Intelligence event, which is a special kind of connection event that you can view and analyze separately; see Logging Security Intelligence Decisions.
Because monitored traffic is always later handled by another rule or by the default action, the action associated with a connection logged due to a monitor rule is never Monitor . Rather, it reflects the action of the rule or default action that later handles the connection.
The system does not generate a separate event each time a single connection matches an SSL or access control Monitor rule. Because a single connection can match multiple Monitor rules, each connection event logged to the ASA FirePOWER module can include and display information on the first eight Monitor access control rules that the connection matches, as well as the first matching Monitor SSL rule.
Similarly, if you send connection events to an external syslog or SNMP trap server, the system does not send a separate alert each time a single connection matches a Monitor rule. Rather, the alert that the system sends at the end of the connection contains information on the Monitor rules the connection matched.
Understanding Logging for Trusted Connections
License: feature dependent
A trusted connection is one that is handled by a Trust access control rule or the default action in an access control policy. You can log the beginnings and ends of these connections; however, keep in mind that trusted connections, regardless of whether they are encrypted, are not inspected for intrusions, or prohibited files and malware. Therefore, connection events for trusted connections contain limited information.
Understanding Logging for Blocked and Interactively Blocked Connections
License: feature dependent
For access control rules and access control policy default actions that block traffic (including interactive blocking rules), the system logs beginning-of-connection events. Matching traffic is denied without further inspection.
Connection events for sessions blocked by an access control or SSL rule have an action of Block or Block with reset . Blocked encrypted connections have a reason of SSL Block .
Interactive blocking access control rules, which cause the system to display a warning page when a user browses to a prohibited website, log ends of connections. This is because if the user clicks through the warning page, the connection is considered a new, allowed connection which the system can monitor and log; see Understanding Logging for Allowed Connections.
Therefore, for packets that match an Interactive Block or Interactive Block with reset rule, the system can generate the following connection events:
-
a beginning-of-connection event when a user’s request is initially blocked and the warning page is displayed; this event has an associated action of Interactive Block or Interactive Block with reset
-
multiple beginning- or end-of-connection events if the user clicks through the warning page and loads the originally requested page; these events have an associated action of Allow and a reason of User Bypass
Note that only devices deployed inline can block traffic. Because blocked connections are not actually blocked in passive deployments, the system may report multiple beginning-of-connection events for each blocked connection.
Caution |
Logging blocked TCP connections during a Denial of Service (DoS) attack can overwhelm the system with multiple similar events. Before you enable logging for an Block rule, consider whether the rule monitors traffic on an Internet-facing interface or other interface vulnerable to DoS attack. |
Understanding Logging for Allowed Connections
License: feature dependent
Decrypt SSL rules, Do not decrypt SSL rules, and Allow access control rules permit matching traffic to pass to the next phase of inspection and traffic handling.
When you allow traffic with an access control rule, you can use an associated intrusion or file policy (or both) to further inspect traffic and block intrusions, prohibited files, and malware before the traffic can reach its final destination.
Connections for traffic matching an Allow access control rule are logged as follows:
-
When an intrusion policy invoked by an access control rule detects an intrusion and generates an intrusion event, the system automatically logs the end of the connection where the intrusion occurred to the ASA FirePOWER module, regardless of the logging configuration of the rule.
-
When a file policy invoked by an access control rule detects a prohibited file (including malware) and generates a file or malware event, the system automatically logs the end of the connection where the file was detected to the ASA FirePOWER module, regardless of the logging configuration of the access control rule.
-
Optionally, you can enable beginning- and end-of-connection logging for any allowed traffic, including traffic that the system deems safe or that you do not inspect with an intrusion or file policy.
For all of the resulting connection events, the Action and Reason fields reflect why the events were logged. Note that:
-
An action of Allow represents explicitly allowed and user-bypassed interactively blocked connections that reached their final destination.
-
An action of Block represents a connection that was at first allowed by an access control rule, but where an intrusion, prohibited file, or malware was detected.
Disabling File and Malware Event Logging for Allowed Connections
License: Protection or Malware
When you allow unencrypted or decrypted traffic with an access control rule, you can use an associated file policy to inspect transmitted files, and block prohibited files and malware before it can reach its destination; see Tuning Intrusion Prevention Performance.
When the system detects a prohibited file, it automatically logs one of the following types of event to the ASA FirePOWER module:
-
file events , which represent detected or blocked files, including malware files
-
malware events , which represent detected or blocked malware files only
-
retrospective malware events , which are generated when the malware disposition for a previously detected file changes
If you do not want to log file or malware events, you can disable this logging on a per-access-control-rule basis by clearing the Log Files check box on the Logging tab of the access control rule editor.
Note |
Cisco recommends you leave file and malware event logging enabled. |
Regardless of whether you save file and malware events, when network traffic violates a file policy, the system automatically logs the end of the associated connection to the ASA FirePOWER module, regardless of the logging configuration of the invoking access control rule; see Connections Associated with File and Malware Events (Automatic).
License Requirements for Connection Logging
License: feature dependent
Because you configure connection logging in access control and SSL policies, you can log any connection that those policies can successfully handle.
Although you can create access control and SSL policies regardless of the licenses on your ASA FirePOWER module, certain aspects of access control require that you enable specific licensed capabilities before you can apply the policy.
The following table explains the licenses you must have to successfully configure access control, and therefore to log connections handled by an access control policy.
To log connections... |
License |
---|---|
for traffic handled using, network, port, or literal URL criteria |
Any |
for traffic handled using geolocation data |
Any |
associated with:
|
Protection |
associated with malware detected in unencrypted or decrypted traffic |
Malware |
for traffic handled by user control or application control |
Control |
for traffic that the system filters using URL category and reputation data, and to display URL category and URL reputation information for URLs requested by monitored hosts |
URL Filtering |