ASA
ASA Training - Presentation
Below is the presentation for Cisco ASA, which covers the following main areas:
- Cisco NGFW/NGIPS
- Cisco Firewalls, IPS & Virtual Firewalls
- Cisco Firewall Typical Use Cases
- Cisco Market Penetration, Strengths and Weaknesses
ASA Metrics Phase 1 - Q3 2019
- Cisco ASA is the first device at Indeni that is interrogated via SNMP
- Both SNMP and SSH credentials are needed for a full analysis of the ASA and for the execution of all the ind scripts mentioned below
The following information is collected for analysis and monitoring by Indeni Release 7.0 (ASA phase 1):
Metric Name | Description | Collection Method | Polling Time | Indeni Release Support |
--- | --- | --- | --- | --- |
cpu-usage | CPU utilization | SNMP | 1min | 7.0 – ASA phase1 |
memory-usage | Memory utilization | SNMP | 1min | 7.0 – ASA phase1 |
ssh-version-1-enabled | SSH version (whether SSH version 1 is enabled) | SSH | 59min | 7.0 – ASA phase1 |
ntp-servers | Configured NTP servers | SSH | 59min | 7.0 – ASA phase1 |
dns-servers | Configured DNS servers | SSH | 30min | 7.0 – ASA phase1 |
certificate-expiration | Certificate expiration status | SSH | 59min | 7.0 – ASA phase1 |
license-expiration | License expiration status | SSH | 59min | 7.0 – ASA phase1 |
vpn-ike-state | ISAKMP/IKE state for IPsec | SSH | 5min | 7.0 – ASA phase1 |
network-interface-admin-state | Interface admin status | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-speed | Interface speed | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-tx-packets | Interface transmitted packets | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-tx-bytes | Interface transmitted bytes | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-rx-packets | Interface received packets | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-rx-bytes | Interface received bytes | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-rx-dropped | Interface received dropped packets | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-tx-dropped | Interface transmitted dropped packets | SNMP | 5min | 7.0 – ASA phase1 |
network-interface-state | Interface status | SNMP | 5min | 7.0 – ASA phase1 |
vpn-ipsec-pkt-encrypted | Packets encrypted over IPsec | SSH | 5min | 7.0 – ASA phase1 |
vpn-ipsec-pkt-decrypted | Packets decrypted over IPsec | SSH | 5min | 7.0 – ASA phase1 |
Tested ASA Hardware/Software
The ASA hardware and software versions whose command outputs were used when testing the scripts are listed in this table.
Hardware | Software Version | Note |
--- | --- | --- |
ASA 5510 Adaptive Security Appliance | Cisco Adaptive Security Appliance Software Version 9.1(7)32 | |
ASA 5512-X with SW, 6 GE Data, 1 GE Mgmt, AC | Cisco Adaptive Security Appliance Software Version 9.9(2)52 | |
ASA 5516-X with FirePOWER services, 8GE, AC, DES | Cisco Adaptive Security Appliance Software Version 9.12(2)1 | |
ASAv Adaptive Security Virtual Appliance | Cisco Adaptive Security Appliance Software Version 9.9(1) | Installed at the Indeni lab for live testing |
ASA 5510 Adaptive Security Appliance | Cisco Adaptive Security Appliance Software Version 9.1(7)23 | |
In brief, the command runner tests cover the ASA 5500, ASAv and ASA 5500-X series (with Firepower) and several ASA releases, from 9.1.7.32 to 9.12.2.1.
Tested ASA Software CVE
- CVE-2018-0101 – Cisco ASA Remote Code Execution and Denial of Service Vulnerability, published in early 2018
- The risk and severity level is the highest: 10/10.
- All ASA releases supported by Indeni are expected to be 9.1.7.23 or later
- More information about this vulnerability can be found in the Indeni Community: https://community.indeni.com/t/cisco-asa-critical-vulnerability-cvss-score-10-10-published-today-by-cisco-alert/324
- A relevant Indeni alert is on the roadmap
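As an added example (not part of this page or of Indeni's ind scripts), a small Python check that parses the `Software Version 9.x(y)z` string in the form shown in the hardware table above and flags devices whose release is below the 9.1.7.23 floor stated in the list. The device names and `show version` lines are constructed; Cisco publishes fixed releases per software train, so a single floor is a simplification of the real advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: first line of `show version` for hypothetical devices, in the
# form the hardware table uses. The 9.1(6)11 entry is deliberately below the floor.
SAMPLE_SHOW_VERSION = {
    "asa5510-a": "Cisco Adaptive Security Appliance Software Version 9.1(7)32",
    "asa5512x":  "Cisco Adaptive Security Appliance Software Version 9.9(2)52",
    "asav-lab":  "Cisco Adaptive Security Appliance Software Version 9.9(1)",
    "asa5510-b": "Cisco Adaptive Security Appliance Software Version 9.1(6)11",
    "unknown":   "Cisco Adaptive Security Appliance Software Version unparsable",
}

# Minimum release this page says Indeni expects (9.1.7.23 == 9.1(7)23).
MINIMUM_RELEASE = "9.1(7)23"

# major.minor(maintenance)interim; the interim number may be absent, e.g. 9.9(1).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")


def parse_asa_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, maintenance, interim), or None if no 9.x(y)z form is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else 0)


def meets_minimum(text: str, minimum: str = MINIMUM_RELEASE) -> Optional[bool]:
    """True if the version in `text` is at or above `minimum`, False if below,
    None if it could not be parsed (an unparsable version never silently passes)."""
    found = parse_asa_version(text)
    floor = parse_asa_version(minimum)
    if found is None or floor is None:
        return None
    return found >= floor  # tuple comparison is lexicographic, left to right


def audit(show_version_lines: Dict[str, str]) -> Dict[str, str]:
    """Classify each device as 'ok', 'below-minimum' or 'unknown'."""
    verdicts = {}
    for device, line in show_version_lines.items():
        result = meets_minimum(line)
        verdicts[device] = "unknown" if result is None else ("ok" if result else "below-minimum")
    return verdicts


if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_SHOW_VERSION).items():
        print(f"{device}: {verdict}")
```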
The affected and recommended ASA releases can be found below.