sharfuddin2

"access specified URL" parsing issue with Cisco FW Collector

Cisco Firewall Collector ver 2011.1r4.

"access specified URL" events from the ASA Firewall do not get parsed properly by the Cisco Firewall Collector ver 2011.1r4. It only shows the source info, while the target info is missing in the web UI.

I just opened an SR # 101072001791 for this too.
Knowledge Partner

Re: "access specified URL" parsing issue with Cisco FW Collector

To help much with this we probably need more information. For example,
which version of the Cisco ASA device are you using, and which version of
Sentinel (including patch level) is also in use?

Ideally it would help if you could provide a connector dump (in CODE tags,
i.e. the little '#' button at the bottom of the web UI's forum input
field) so that we could try this out and use the debugger to see how
parsing actually takes place, or at least to ensure that the data you
think should be there are actually sent to Sentinel in the first place.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
sharfuddin2

Re: "access specified URL" parsing issue with Cisco FW Collector

Sentinel ver 8.0.1
For Cisco ASA firewall I have to check with customer. Support already logged bug # 1040365 for this issue.
The dump is pasted below:

\/62106.","s_Pid":null,"i_Minute":"18","s_AppId":"ASA","i_Year":"2017","s_MessageOriginatorHost":"10.200.20.1","s_chainId":"1495525287578","s_sha256Hash":"a679caa7a506f89509095d3e5c0be79a0b4c83a441d4c1bbf757a8b6853a3d82","i_Month":"4","i_syslog_severity":"4","s_chainSequence":"13141","s_MessageOriginatorPort":"514","i_RXBufferLength":"263","i_Type":"0"}
{"i_Second":"13","s_Date":"May 23 13:18:13","i_milliseconds":"1495527493307","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_raw_message2":"<172>%ASA-4-313005: No matching connection for ICMP error message: icmp src HO-WAN-S10:10.201.101.169 dst HO-Servers-S100:10.200.4.51 (type 3, code 3) on HO-WAN-S10 interface. Original IP payload: udp src 10.200.4.51\/53 dst 10.201.101.169\/53036.","i_syslog_facility":"21","s_RV24":"9CD2D2C4-1B84-1035-9ED9-00505684FD3E","s_RV25":"5761A1D9-21BB-1035-9129-00505684FD3E","s_RV22":"9CD2D2C4-1B84-1035-9ED7-00505684FD3E","s_RV23":"9CD2D2C4-1B84-1035-9ED8-00505684FD3E","s_Process":null,"s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","CONNECTION_MODE":"map","s_SyslogRelayIp":"10.200.20.1","i_Hour":"13","sf":"","i_syslog_priority":"172","CONNECTION_METHOD":"SYSLOG","s_Version":"2011.1r5-201509220556-release","s_Body":"%ASA-4-313005: No matching connection for ICMP error message: icmp src HO-WAN-S10:10.201.101.169 dst HO-Servers-S100:10.200.4.51 (type 3, code 3) on HO-WAN-S10 interface. Original IP payload: udp src 10.200.4.51\/53 dst 10.201.101.169\/53036.","s_RXBufferString":"May 23 13:18:13 10.200.20.1 %ASA-4-313005: No matching connection for ICMP error message: icmp src HO-WAN-S10:10.201.101.169 dst HO-Servers-S100:10.200.4.51 (type 3, code 3) on HO-WAN-S10 interface. Original IP payload: udp src 10.200.4.51\/53 dst 10.201.101.169\/53036.","s_Pid":null,"i_Minute":"18","s_AppId":"ASA","i_Year":"2017","s_MessageOriginatorHost":"10.200.20.1","s_chainId":"1495525287578","s_sha256Hash":"66cf5b311b0c86821364312e8f5dd5ccbe59f5741e24a08756f444520abbaf79","i_Month":"4","i_syslog_severity":"4","s_chainSequence":"13142","s_MessageOriginatorPort":"514","i_RXBufferLength":"269","i_Type":"0"}
{"i_Second":"14","s_Date":"May 23 13:18:14","i_milliseconds":"1495527494430","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_raw_message2":"<173>%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.208:\/getData.json","i_syslog_facility":"21","s_RV24":"9CD2D2C4-1B84-1035-9ED9-00505684FD3E","s_RV25":"5C61A1D9-21BB-1035-9129-00505684FD3E","s_RV22":"9CD2D2C4-1B84-1035-9ED7-00505684FD3E","s_RV23":"9CD2D2C4-1B84-1035-9ED8-00505684FD3E","s_Process":null,"s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","CONNECTION_MODE":"map","s_SyslogRelayIp":"10.200.20.1","i_Hour":"13","sf":"","i_syslog_priority":"173","CONNECTION_METHOD":"SYSLOG","s_Version":"2011.1r5-201509220556-release","s_Body":"%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.208:\/getData.json","s_RXBufferString":"May 23 13:18:14 10.200.20.1 %ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.208:\/getData.json","s_Pid":null,"i_Minute":"18","s_AppId":"ASA","i_Year":"2017","s_MessageOriginatorHost":"10.200.20.1","s_chainId":"1495525287578","s_sha256Hash":"93db32f103b1bb99e903866523c75b0997f7594aad0a74b1304d9bd406d35867","i_Month":"4","i_syslog_severity":"5","s_chainSequence":"13143","s_MessageOriginatorPort":"514","i_RXBufferLength":"97","i_Type":"0"}
{"i_Second":"14","s_Date":"May 23 13:18:14","i_milliseconds":"1495527494430","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_raw_message2":"<173>%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.202:\/getData.json","i_syslog_facility":"21","s_RV24":"9CD2D2C4-1B84-1035-9ED9-00505684FD3E","s_RV25":"5E61A1D9-21BB-1035-9129-00505684FD3E","s_RV22":"9CD2D2C4-1B84-1035-9ED7-00505684FD3E","s_RV23":"9CD2D2C4-1B84-1035-9ED8-00505684FD3E","s_Process":null,"s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","CONNECTION_MODE":"map","s_SyslogRelayIp":"10.200.20.1","i_Hour":"13","sf":"","i_syslog_priority":"173","CONNECTION_METHOD":"SYSLOG","s_Version":"2011.1r5-201509220556-release","s_Body":"%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.202:\/getData.json","s_RXBufferString":"May 23 13:18:14 10.200.20.1 %ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.202:\/getData.json","s_Pid":null,"i_Minute":"18","s_AppId":"ASA","i_Year":"2017","s_MessageOriginatorHost":"10.200.20.1","s_chainId":"1495525287578","s_sha256Hash":"ba82a97dac6c9d88e84483c5140ed8e775cec5673b199ab2aae5f43d1cc58700","i_Month":"4","i_syslog_severity":"5","s_chainSequence":"13144","s_MessageOriginatorPort":"514","i_RXBufferLength":"97","i_Type":"0"}
{"i_Second":"14","s_Date":"May 23 13:18:14","i_milliseconds":"1495527494430","i_TrustDeviceTime":"","i_DayOfMonth":"23","s_raw_message2":"<173>%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.205:\/getData.json","i_syslog_facility":"21","s_RV24":"9CD2D2C4-1B84-1035-9ED9-00505684FD3E","s_RV25":"6061A1D9-21BB-1035-9129-00505684FD3E","s_RV22":"9CD2D2C4-1B84-1035-9ED7-00505684FD3E","s_RV23":"9CD2D2C4-1B84-1035-9ED8-00505684FD3E","s_Process":null,"s_RV21":"C76D2820-C395-1029-BB86-001321B5C0B3","CONNECTION_MODE":"map","s_SyslogRelayIp":"10.200.20.1","i_Hour":"13","sf":"","i_syslog_priority":"173","CONNECTION_METHOD":"SYSLOG","s_Version":"2011.1r5-201509220556-release","s_Body":"%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.205:\/getData.json","s_RXBufferString":"May 23 13:18:14 10.200.20.1 %ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.205:\/getData.json","s_Pid":null,"i_Minute":"18","s_AppId":"ASA","i_Year":"2017","s_MessageOriginatorHost":"10.200.20.1","s_chainId":"1495525287578","s_sha256Hash":"d37dac0197ddb66c34b079aa5e184da853b52f7b764a1845499be903d8235bfb","i_Month":"4","i_syslog_severity":"5","s_chainSequence":"13145","s_MessageOriginatorPort":"514","i_RXBufferLength":"97","i_Type":"0"}

Thanks and Regards,
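In the dump above, the "Accessed URL" records carry the target only inside the s_Body text, so a parser has to pull it out of the message itself. As an added example (not the collector's own code), here is a small Python parser that reads one-record-per-line connector output, extracts source and target from %ASA-5-304001 and %ASA-4-313005 bodies, skips the cut-off first line that a copied dump usually starts with, and lists any 304001 events whose target came back empty, which is the symptom reported in this thread. The field names s_Body and s_SyslogRelayIp are taken from the dump; the sample records are constructed to match its format.

```python
"""Parse ASA syslog bodies out of a Sentinel connector dump and flag
'Accessed URL' (%ASA-5-304001) events whose target could not be extracted.
Added example: field names mirror the dump in the thread, sample records
are constructed."""
import json
import re

# %ASA-<severity>-<message id>: <text>
ASA_HEADER = re.compile(r'^%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)$')
# 304001: "<source ip> Accessed URL <host>:<url>"  (form seen in the dump)
URL_ACCESS = re.compile(
    r'^(?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) Accessed URL '
    r'(?P<target_host>[^:\s]+):(?P<url>\S*)$'
)
# 313005: "... icmp src <interface>:<ip> dst <interface>:<ip> ..."
ICMP_ERROR = re.compile(
    r'icmp src (?P<source_if>[^:\s]+):(?P<source_ip>\S+) '
    r'dst (?P<target_if>[^:\s]+):(?P<target_ip>\S+)'
)

# Constructed records modelled on the dump above; the first line imitates a
# record that was cut in the middle when the dump was copied.
SAMPLE_DUMP = [
    r'\/62106.","s_Pid":null,"i_Minute":"18","s_AppId":"ASA"}',
    r'{"s_SyslogRelayIp":"10.200.20.1","s_Body":"%ASA-4-313005: No matching connection '
    r'for ICMP error message: icmp src HO-WAN-S10:10.201.101.169 dst HO-Servers-S100:10.200.4.51 '
    r'(type 3, code 3) on HO-WAN-S10 interface."}',
    r'{"s_SyslogRelayIp":"10.200.20.1","s_Body":"%ASA-5-304001: 10.200.8.224 Accessed URL 10.200.103.208:\/getData.json"}',
    # constructed: a 304001 body with no target at all, to exercise the check
    r'{"s_SyslogRelayIp":"10.200.20.1","s_Body":"%ASA-5-304001: 10.200.8.224 Accessed URL"}',
]


def parse_asa_body(body):
    """Return a normalised event dict, or None if the body is not an ASA message."""
    m = ASA_HEADER.match(body)
    if m is None:
        return None
    event = {
        "msg_id": m.group("msg_id"),
        "severity": int(m.group("severity")),
        "source_ip": None,
        "target_ip": None,
        "target_host": None,
        "url": None,
    }
    text = m.group("text")
    if event["msg_id"] == "304001":
        u = URL_ACCESS.match(text)
        if u:
            event["source_ip"] = u.group("source_ip")
            event["target_host"] = u.group("target_host")
            event["url"] = u.group("url")
    elif event["msg_id"] == "313005":
        i = ICMP_ERROR.search(text)
        if i:
            event["source_ip"] = i.group("source_ip")
            event["target_ip"] = i.group("target_ip")
    return event


def parse_collector_dump(lines):
    """Parse one-JSON-object-per-line connector output, skipping fragments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue  # truncated first line of a pasted dump
        try:
            rec = json.loads(line)  # json.loads also unescapes the "\/" in URLs
        except json.JSONDecodeError:
            continue
        ev = parse_asa_body(rec.get("s_Body", ""))
        if ev is not None:
            ev["relay_ip"] = rec.get("s_SyslogRelayIp")
            events.append(ev)
    return events


def url_events_missing_target(events):
    """The symptom from the thread: 304001 events whose target never got filled."""
    return [e for e in events if e["msg_id"] == "304001" and not e["target_host"]]


if __name__ == "__main__":
    parsed = parse_collector_dump(SAMPLE_DUMP)
    for e in parsed:
        print(e)
    print("304001 events without a target:", len(url_events_missing_target(parsed)))
```

Running the block on the constructed dump yields one 313005 event with source and target IPs, one fully parsed 304001 event (source 10.200.8.224, target host 10.200.103.208, URL /getData.json), and one 304001 event flagged by the missing-target check.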
Knowledge Partner

Re: "access specified URL" parsing issue with Cisco FW Collector

Sounds good; thank-you for posting the information as I suspect it will
help others doing the same thing in the future.

--
Good luck.

sharfuddin2

Re: "access specified URL" parsing issue with Cisco FW Collector

Opened the SR on 23rd May; and Support logged the bug # 1040365 for this issue the same day.

Yesterday, i.e. on the 25th, they provided the patch Cisco_Firewall_2011.1r5, which is doing the job perfectly, i.e. now Targets are properly appearing in the web UI (Sentinel Main).