Setting up ATR for Cisco Adaptive Security Appliance

What ATR does

ATR determines whether an alert is malicious.

If the alert is identified as malicious, the IP Address is automatically added to the firewall or network security solution block list, depending on how malicious ATR determines it to be.

For more information about Automated Threat Response (ATR), see Setting up ATR.

Setting up ATR

To set up ATR for Cisco ASA, do the following:

  • Enable the API configuration on the firewall

  • Add an Administrator User

  • Allow API access

  • Create a Network Object Group for BARRACUDA_XDR_BLOCK

  • Enable ATR in XDR Dashboard

To enable the API configuration on the firewall

The Cisco ASA REST API is not installed by default. You must install and enable it, then allow access to specific IP addresses.

  1. In Cisco ASA, navigate to the Command Line Interface (CLI).

  2. Run the following command to check whether the API Server is enabled:

    • show api-server

  3. The following IP addresses for ATR must be allowed, as well as any other local IPs/networks required to use the API configuration.

    • 44.239.173.232

    • 35.155.74.247

  4. Allow access for the specific IPs:

    • Example Command: api-server manage <Interface> 44.239.173.232 255.255.255.255

  5. Enable HTTPS for the IPs:

    • Example Command: http 44.239.173.232 255.255.255.255 <Interface>

Create a dedicated API user account

Create an admin user account to allow the API access to create and modify network groups and network objects. You must use the following account username: asa_api. Create the account using the Cisco ASDM-IDM Launcher or the following CLI command:

  • username asa_api password <STRONG_PASSWORD> privilege 15

Create a Network Object Group for BARRACUDA_XDR_BLOCK

Barracuda XDR uses this object group to track the IPs and domains that are automatically blocked on the firewall. Add this group to any pre-existing security rules/policies that block traffic to/from anomalous IP addresses. Otherwise, follow the procedure To create a Firewall Rule to ensure the traffic is blocked, below.

The following steps use the Cisco ASDM-IDM Launcher; the equivalent CLI commands can also be used and are provided in the reference.

To create a Network Object Group for BARRACUDA_XDR_BLOCK to block traffic

  1. In Cisco ASDM, navigate to Configuration > Firewall > Objects > Network Objects/Groups.

  2. Click Add Network Object Group.

  3. In Group Name, type BARRACUDA_XDR_BLOCK.

The group must be named BARRACUDA_XDR_BLOCK.

We recommend using a non-routable placeholder to avoid accidentally blocking traffic.

  4. Add at least one Network Object to the Network Object Group by doing the following:

    • In Cisco ASDM, in Existing Network Objects/Groups, click a Network Object.

    • Select a Network Object.

    • Click Add.

    • Click OK.

      Screenshot: Network Group Creation

  5. Repeat step 4 until all the Network Objects you want to add have been added.

  6. Click Save.

  7. Do one of the following:

    • Add the BARRACUDA_XDR_BLOCK Network Object group to your existing traffic blocking security rules/policies. This is the most common method.

    • Create a Firewall rule to block traffic by following the procedure below. This method is far less common.

(If required) Create a Firewall rule to block traffic

If you add the BARRACUDA_XDR_BLOCK Network Object group to your existing traffic blocking security rules/policies, you don’t need to create a firewall rule to block traffic and this procedure is not required.

To create a Firewall Rule to ensure the traffic is blocked

  1. In Cisco ASDM, navigate to Configuration > Firewall > Access Rules.

  2. Click Add > Add Access Rule.

  3. Select the traffic handling interface.

  4. Set the following fields:

    • Action: Deny

    • Source or Destination: BARRACUDA_XDR_BLOCK

    • Service: IP

  5. Move the rule above any Allow rules.

  6. Click Apply.

FQDN objects only work with destination matching, because the ASA must resolve the domain to an IP address before it can match it.
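The firewall-side steps above (enable and restrict the API, create the asa_api account, seed the BARRACUDA_XDR_BLOCK group, and add the deny rules) as one consolidated ASA CLI configuration. This is an added example, not configuration from Barracuda or Cisco documentation. Assumptions: the ATR addresses reach the API on the interface named outside (ATR connects from the internet, which is why the dashboard asks for the external IP), the placeholder object uses 192.0.2.1 from the RFC 5737 documentation range so it is non-routable, the access list is named outside_access_in, and the REST API image filename is a placeholder you replace with the file you downloaded. The api-server and http lines reproduce the command forms given on this page.

```cisco
! --- Install and enable the REST API agent (image filename is a placeholder) ---
rest-api image disk0:/<asa-restapi-image>.SPA
rest-api agent
http server enable

! --- Allow API access only from the two ATR addresses listed on this page.
!     "outside" is the assumed interface on which the external IP is reachable.
api-server manage outside 44.239.173.232 255.255.255.255
api-server manage outside 35.155.74.247 255.255.255.255
http 44.239.173.232 255.255.255.255 outside
http 35.155.74.247 255.255.255.255 outside

! --- Dedicated API account; the username must be asa_api ---
username asa_api password <STRONG_PASSWORD> privilege 15

! --- Object group seeded with a non-routable placeholder so it is never empty
!     and the deny rules match no real traffic until ATR adds entries.
object network BARRACUDA_XDR_PLACEHOLDER
 host 192.0.2.1
object-group network BARRACUDA_XDR_BLOCK
 network-object object BARRACUDA_XDR_PLACEHOLDER

! --- Deny rules inserted at lines 1 and 2 so they sit above any permit entries
!     (access-list name is an assumption). Skip this part if you instead add the
!     group to an existing blocking rule, as the page's "Do one of the following" allows.
access-list outside_access_in line 1 extended deny ip object-group BARRACUDA_XDR_BLOCK any
access-list outside_access_in line 2 extended deny ip any object-group BARRACUDA_XDR_BLOCK
access-group outside_access_in in interface outside

! --- Verification: confirm the API is up, only the ATR IPs are permitted,
!     the account exists, the group is non-empty, and the deny lines come first.
show api-server
show running-config http
show running-config username
show running-config object-group id BARRACUDA_XDR_BLOCK
show access-list outside_access_in
```

Save with write memory once the show commands confirm the result. The http lines are the real access restriction: anything not listed there cannot reach the API listener at all, so keep the list to the two ATR addresses plus whichever local management networks you genuinely need. When checking show access-list, the BARRACUDA_XDR_BLOCK deny entries should appear with lower line numbers than every permit entry on the same interface; a deny that sits below a broad permit never takes effect.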

Enable ATR in XDR Dashboard

  1. In Barracuda Managed XDR Dashboard, navigate to ATR Settings > Firewalls.

  2. In the Firewall table, click the Cisco ASA row.

  3. Click Edit Config.

  4. Enter the following details:

    • External IP (Where the API can be reached)

    • Admin Username

    • Admin Password

  5. Click Save.