1. Overview
Cacti is a web application that monitors many types of network devices, such as switches, routers, and firewalls, as well as Linux and Windows servers, from various vendors. It graphs data collected over the SNMP protocol, using a fast poller that can support up to hundreds of devices.
This guide shows how to monitor a Cisco ASA Firewall with the Cacti web application over the SNMP protocol.
2. Prerequisites
This article assumes that:
a. You have already done the initial server setup. Please refer to Minimal RHEL/CentOS 7 Initial Server Setup.
b. You have already installed the Cacti server. Please refer to Installing Cacti Web-based Network Monitoring on RHEL/CentOS 7.
3. Configure SNMP on Device
First of all, we need to log in to the Cisco ASA Firewall that we want to monitor with Cacti and configure the SNMP server as follows. We will configure a read-only SNMP community string, “T@S9aMon”, along with an ACL named “ACL-SNMP” so that only the Cacti server, with IP address 10.0.0.1, is allowed to query this device.
# ip access-list standard ACL-SNMP permit 10.0.0.1
# snmp-server community T@S9aMon RO ACL-SNMP
# snmp-server location DC
# snmp-server contact netadmin@techspacekh.com
# ip domain-name techspacekh.com
To test whether the SNMP server on the Cisco ASA Firewall is configured properly and working, we need to log in to the Cacti server and execute the following snmpwalk command. The command assumes that the IP address of the Cisco ASA Firewall is 10.0.0.12.
# snmpwalk -v2c -c T@S9aMon 10.0.0.12
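The restriction this section sets up (a read-only community bound to an ACL that permits only the Cacti server) can be checked against a saved configuration. The following Python script is an added example, not part of the original article; the function name audit_snmp and the sample configuration are constructed, and it assumes the command syntax shown above.

```python
import re

DEFAULTS = {"public", "private"}  # well-known default community strings

def audit_snmp(config, poller_ip):
    """Return findings for each 'snmp-server community' line in the config."""
    acls, communities, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list standard (\S+)(?:\s+permit\s+(.+))?$", line)
        if m:  # ACL header, optionally with the permit entry on the same line
            current = m.group(1)
            acls.setdefault(current, [])
            if m.group(2):
                acls[current].append(m.group(2))
            continue
        m = re.match(r"permit\s+(.+)$", line)
        if m and current:  # permit entry inside the ACL opened above
            acls[current].append(m.group(1))
            continue
        current = None
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", line)
        if m:  # the mode is treated as read-only when omitted
            communities.append((m.group(1), m.group(2) or "RO", m.group(3)))

    findings = []
    for name, mode, acl in communities:
        if name.lower() in DEFAULTS:
            findings.append(f"{name}: default community string")
        if mode == "RW":
            findings.append(f"{name}: read-write access")
        if acl is None:
            findings.append(f"{name}: no ACL, any source may query")
        elif acl not in acls:
            findings.append(f"{name}: ACL {acl} is not defined")
        else:
            extra = [s for s in acls[acl] if s not in (poller_ip, f"host {poller_ip}")]
            if extra:
                findings.append(f"{name}: ACL {acl} also permits {', '.join(extra)}")
    return findings

# Constructed sample: the article's community plus two weak ones for contrast.
SAMPLE = """\
ip access-list standard ACL-SNMP
 permit 10.0.0.1
snmp-server community T@S9aMon RO ACL-SNMP
snmp-server community public RO
snmp-server community netops RW ACL-OPEN
ip access-list standard ACL-OPEN
 permit any
"""

if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE, "10.0.0.1"):
        print(finding)
```

An empty result means every community is read-only, non-default, and reachable only from the poller address passed in.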
4. Import Device Template
Cacti can monitor a Cisco ASA Firewall based on the SNMP protocol. With SNMP, to monitor something on a device we need to know its OIDs or MIBs. Luckily, we don’t have to worry about that, since many people have already developed Cacti templates. We just need to import the right template into the Cacti application. We will use a host template named “cacti_host_template_cisco_asa_-_security_appliance” to monitor the Cisco ASA Firewall. You can download it from the Cacti website or here: cacti_host_template_cisco_asa_-_security_appliance.xml.
To import a Cacti template, go to “Console” and then click on “Import Templates”. Click “Browse”, navigate to the location where you downloaded the template, and then click “Import”.
5. Add Device in Cacti
After successfully importing the Cisco ASA Firewall host template, we need to add a device that uses that host template. Go to “Console”, then “Devices”, and click “Add”.
Enter the device description and the IP address of the device, and under “Device Template” select the template named “Cisco ASA – Security Appliance”.
In the “SNMP Options” section, select SNMP version 2 and enter the SNMP community that we configured on the Cisco ASA Firewall.
Select “SNMP Uptime” from the “Downed Device Detection” box and then click “Create”.
6. Create Graphs for the Device
After the device is added, we need to create the graphs for that particular device. At the top of the added device's window, click “Create Graphs for this Device”.
The following window will appear. Select the graphs that we want to create and then click “Create” at the bottom of the window.
7. Place Device in the Graph Tree
After the graphs are created, we need to place the device under the graph tree so that we can see its graphs in the “graphs” tab of the Cacti window. To place a device under a graph tree, go to the Console tab and then click “Devices”. Check the device, select “Place on Tree (Default Tree)” from the drop-down list, and then click “Go”.
To see the graphs that we have created for the Cisco ASA Firewall, click on the “graphs” tab in the Cacti window and then select the device whose graphs you want to see.
8. Conclusion
That’s all about using the Cacti web application to monitor a Cisco ASA Firewall from Tech Space KH. Hopefully, you find this guide informative. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.