User Guide for Cisco Security Manager 4.3
Health and Performance Monitoring

Health and Performance Monitoring

Table Of Contents

Health and Performance Monitoring

Health and Performance Monitor Overview

Trend Information

Monitoring Multiple Contexts

HPM Access Control

Preparing for Health and Performance Monitoring

Launching the Health and Performance Monitor

Managing Monitored Devices

HPM Window

Working with Table Columns

Showing and Hiding Table Columns

Column-based Filtering

Using The List Filter Fields

Monitoring Devices

Managing Device Views

Views: Opening and Closing

Views: Tiling Horizontally or Vertically

Views: Floating and Docking

Views: Custom

HPM Window: Monitoring Display

Monitoring Views: Devices Summary

Monitoring Views: Device Status List

Monitoring Views: Device Details

Monitoring Views: VPN, RA and S2S

Alerts and Notifications

HPM Window: Alerts Display

Alerts: Configuring

Alerts Configuration: IPS

Alerts Configuration: Firewall

Alerts: Viewing

Alerts: Acknowledging and Clearing

Alerts: History


Health and Performance Monitoring


The Health and Performance Monitor (HPM) application lets you monitor key health and performance data for ASA devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information.

A variety of views are provided—All Devices, Firewall Devices, IPS Devices, VPN Summary, and so on—and you can create your own customized views. A configurable listing of device alerts is also available.

This ability to monitor key network and device metrics lets you quickly detect and resolve device malfunctions and bottlenecks in the network.

This chapter contains the following topics:

Health and Performance Monitor Overview

HPM Access Control

Preparing for Health and Performance Monitoring

Launching the Health and Performance Monitor

Managing Monitored Devices

HPM Window

Monitoring Devices

Alerts and Notifications

Health and Performance Monitor Overview

The Health and Performance Monitor is a stand-alone application that you can launch from the other stand-alone Security Manager applications (Configuration Manager, Event Viewer, Report Manager, and Image Manager); from the Windows Start menu; or from its icon on your desktop.

The HPM application complements the Event Viewer and Report Manager applications, as follows:

Event Viewer - Monitors your network for syslog (system log) events from ASA and FWSM devices and their security contexts, and for SDEE (Secure Device Event Exchange) events from IPS devices and virtual sensors. These events include firewall traffic information, NAT events, failover events, IPS alerts, and so on. Event Viewer collects and displays this information, organized into a variety of views. See Chapter 65 "Viewing Events" for more information.

Report Manager - Collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods. See Chapter 66 "Managing Reports" for more information.

Health and Performance Monitor (HPM) - Monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.

You can add notes to displayed alerts, you can "acknowledge" them, and you can clear them. When an alert is cleared, it is removed from the Alerts display; however, the alert information is retained in a database for 30 days. See Alerts: Acknowledging and Clearing for more information about adding notes, and acknowledging and clearing alerts.


Note You can use the Alerts History window to access and view previously cleared alerts, as described in Alerts: History.


This section contains the following topics:

Trend Information

Monitoring Multiple Contexts

Trend Information

The Health and Performance Monitor periodically polls monitored devices for status and performance data. This information is used for alert generation, and to display real-time views and historical trends based on aggregated data.

Trends are displayed graphically for a specific set of metrics. Each trend for the currently selected device is represented as a graph generated for a chosen time interval. Comparing current values with the weekly averages for CPU and memory usage, for example, can provide an operational context for the selected device. Available trend intervals for monitored devices are one hour, 24 hours, and one week.

Metrics used for generating trends include:

CPU usage

Memory usage (only for single-context devices)

Connections per second (firewall devices)

Translations per second (firewall devices)

Inspection load (IPS devices)

Missed packets as a percentage (IPS devices)

Number of VPN tunnels

Number of RA VPN sessions

Total VPN throughput

Firewall throughput

Total dropped packets (firewall interfaces)

For additional graphical information about the health and performance of a specific device, you can launch the related device manager by right-clicking the device entry and choosing Device Manager from the pop-up menu. See Starting Device Managers for more information about the device managers.

Monitoring Multiple Contexts

The Health and Performance Monitor can monitor single- and multiple-context ASA devices. For multiple-context devices, each context is monitored and displayed as if it was a separate device.

Each context will be polled separately for all applicable metrics, with HPM polling a maximum of five contexts at a time from any given device. For devices with more than five contexts, data will be acquired from each successive batch of five contexts, with each batch being polled progressively during successive polling cycles. This means that all contexts may not be updated at the same time.

For multiple-context devices, basic device health—memory usage, device status, and so on—is monitored only on the physical device (that is, from the system context), while traffic data—number of connections, number of translations, dropped packets and so on—are monitored at context level.

For virtual contexts, CPU usage data are used only for pattern analysis, not for alert generation. Only interface-status alerts will be generated for virtual contexts.
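The following Python models the polling behaviour described in this section so that the refresh lag on a device with many contexts is explicit. It is an added illustration, not code from Cisco Security Manager; the poll interval, the CPU threshold and the sample context names are constructed for the example.

```python
"""Model of how HPM polls the contexts of a multiple-context ASA, as described
above: at most five contexts per device per polling cycle, successive batches on
successive cycles, device health from the system context and traffic metrics per
context, and only interface-status alerts for virtual contexts.
Added illustration, not code from Cisco Security Manager; the poll interval,
threshold and sample values are constructed for the example."""
from math import ceil

BATCH_SIZE = 5  # maximum contexts polled from one device in one cycle (from the text)


def batches(contexts, batch_size=BATCH_SIZE):
    """Split the device's contexts into successive batches of at most batch_size."""
    return [contexts[i:i + batch_size] for i in range(0, len(contexts), batch_size)]


def contexts_polled_in_cycle(contexts, cycle, batch_size=BATCH_SIZE):
    """Contexts whose traffic data is refreshed in 0-based polling cycle `cycle`.
    HPM rotates through the batches, so with more than batch_size contexts a
    single cycle never updates all of them."""
    groups = batches(contexts, batch_size)
    if not groups:
        return []
    return groups[cycle % len(groups)]


def cycles_to_refresh_all(contexts, batch_size=BATCH_SIZE):
    """Polling cycles needed before every context has been polled once."""
    return ceil(len(contexts) / batch_size)


def max_data_age_seconds(contexts, poll_interval_s, batch_size=BATCH_SIZE):
    """Worst-case age of one context's displayed traffic data: each context is
    polled once per full rotation, so its values can be that many intervals old.
    poll_interval_s is an assumed value, not a documented HPM setting."""
    return cycles_to_refresh_all(contexts, batch_size) * poll_interval_s


def alerts_for_sample(sample, is_virtual_context, cpu_critical_pct=90):
    """Alerts that one polled sample may raise.
    For a virtual context the text says CPU usage feeds pattern analysis only
    and only interface-status alerts are generated; the system context (the
    physical device) is also checked against the assumed CPU threshold."""
    alerts = []
    for ifname, state in sorted(sample.get("interfaces", {}).items()):
        if state != "up":
            alerts.append(f"interface {ifname} {state}")
    if not is_virtual_context and sample.get("cpu_pct", 0) >= cpu_critical_pct:
        alerts.append(f"cpu {sample['cpu_pct']}% critical")
    return alerts


if __name__ == "__main__":
    # Constructed example: one ASA with twelve security contexts, polled every 5 minutes.
    ctxs = [f"ctx{n:02d}" for n in range(1, 13)]
    for cycle in range(4):
        print(f"cycle {cycle}: {contexts_polled_in_cycle(ctxs, cycle)}")
    print("full rotation:", cycles_to_refresh_all(ctxs), "cycles;",
          "data may be up to", max_data_age_seconds(ctxs, 300), "s old")
    sample = {"cpu_pct": 95, "interfaces": {"inside": "up", "dmz": "down"}}
    print("virtual context alerts:", alerts_for_sample(sample, True))
    print("system context alerts:", alerts_for_sample(sample, False))
```

With twelve contexts and a five-minute poll interval the model shows three cycles per full rotation, so a context's traffic counters can be up to fifteen minutes old when a view is read.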

HPM Access Control

The privileges assigned to your user name control what you can do in Health and Performance Monitor. If you use local users, or other types of non-ACS access control, then all users have access to HPM. However, the following access limits are imposed:

You must have system administrator privileges to enable or disable Health and Performance Monitoring in Security Manager, as described in Health and Performance Monitoring Page.

You must have system administrator, network administrator, or approver privileges to select or deselect devices for monitoring, as described in Managing Monitored Devices.

You also must have system administrator, network administrator, or approver privileges to configure alerts and notifications, as described in Alerts: Configuring.

If you use ACS to control access to Security Manager, you can also control the following:

You can control access to the Health and Performance Monitor application using the View > Health and Performance Monitor privilege (part of Role Management in ACS). Using this privilege, you could prevent certain users from accessing HPM, or create roles that allow access to HPM without allowing access to Event Viewer or Report Manager. All default ACS roles are permitted to use the Health and Performance Monitor application.

Use the Modify > Policies > HPM Monitoring privilege to control which users can select and deselect the devices that are monitored (see Managing Monitored Devices), configure alerts and notifications (see Alerts: Configuring), and annotate and acknowledge alerts (see Alerts: Acknowledging and Clearing). All default ACS roles except Help Desk and Super Admin have this permission.

Users can view health and performance information for a device only if they have at least View privileges for the device.

You can control access to the Health and Performance Monitoring administrative settings page (in Security Manager's Configuration Manager) where HPM is enabled or disabled, as described in Health and Performance Monitoring Page. The user must have the Modify > Policies > HPM Admin privilege to access this page (or any other administrative settings page). All default ACS roles except Help Desk can view the page, but only System Administrators can change the setting.

For information on integrating Security Manager with Cisco Secure ACS, see the Installation Guide for Cisco Security Manager.

Preparing for Health and Performance Monitoring

In order to use the Health and Performance Monitor (HPM), you must configure Security Manager, enable the HPM application, and configure device monitoring, as follows:

Basic Threat Detection must be enabled on ASA 8.0+ devices in order to monitor metrics such as ACL Dropped Packets, Scanning Threat Dropped Packets, Inspection Dropped Packets, and Syn Attack Dropped Packets. (Basic Threat Detection is enabled by default on these ASA devices.)

To receive alert notifications via email, you must have configured the SMTP server and administrator email ID on the System Preferences page of the Security Manager server. See the Installation Guide for Cisco Security Manager for more information. (Specifying email addresses for alert notifications from the Health and Performance Monitor application is described in Alerts: Configuring.)

Health and Performance Monitoring must be enabled in Security Manager, as described in Health and Performance Monitoring Page.

In HPM, specify the devices to be monitored, in both Normal and Priority modes, as described in Managing Monitored Devices.

Enable and configure the device threshold values and state-change rules that define when alerts and email notifications are triggered. This process is described in Alerts: Configuring.


Note We also recommend configuring monitored devices to use a Network Time Protocol (NTP) server for synchronized timing. See NTP Page for more information.


After you have completed these steps, HPM begins polling the specified devices and displays health information and alerts.

Launching the Health and Performance Monitor

Use the Health and Performance Monitor (HPM) to view status information and alerts collected from monitored firewall and IPS devices across your network. For more information about selecting devices for monitoring, see Managing Monitored Devices.

To launch HPM, do any one of the following:

Choose All Programs > Cisco Security Manager Client > Health and Performance Monitor from the Windows Start menu (your command path may differ slightly).

Double-click the Health and Performance Monitor icon on your system desktop.

Choose Launch > Health and Performance Monitor from the Configuration Manager, Event Viewer, Image Manager, or Report Manager applications.

Click the Health and Performance Monitor button on the quick-launch toolbar in the Configuration Manager or Image Manager window.

If you are currently not logged into a Security Manager application, you are prompted to log in. (For more information about starting and logging into a Security Manager client application, see Logging In to and Exiting the Security Manager Client). Otherwise, the HPM Window is opened using the same user account you used to log into the other application.


Note As described above, you can "cross-launch" HPM from any of the other Security Manager client applications. You can similarly cross-launch any of the other client applications from Health and Performance Monitor by choosing the desired application from the Launch menu, or clicking the appropriate quick-launch button.


Managing Monitored Devices

The HPM device selector is used to add and remove devices from both the "normal" and "priority" monitoring lists. You can also use the device selector to transfer devices between the two lists.

To use the HPM device selector:


Step 1 Choose Device Selector from the Tools menu to open the device selector window; the device-management screen is displayed.

The All Devices section on the left lists all ASA and IPS devices in the Security Manager inventory that can be monitored. (For example, HPM supports monitoring of version 7.0.1 and later IPS sensors only. Earlier IPS versions are not displayed in the device selector.)

All devices currently assigned to the Normal monitoring list and the Priority monitoring list are displayed in the two sections on the right side of the window.

Step 2 To add a device to the Normal list, select the device in the All Devices list and then click the > button between the All Devices list and the Normal Monitored Devices list.

The procedure for moving a device to the Priority Monitored Devices list is the same: use the > button between the All Devices list and that list.

Step 3 To remove a device from either Monitored list, returning it to the All Devices list, select the device and then click the appropriate < button.

Step 4 To transfer a device from one Monitored list to the other, highlight that entry and click the Up or Down button to move it to the upper or lower list respectively.

Step 5 Click Next at the bottom of the window to display the VPN-selector screen.

All monitored devices are listed; each entry includes a checkbox for remote-access (RA) and one for site-to-site (S2S) VPN selection. You can use the List Filter field on this page to filter the list, as described in Using The List Filter Fields.

Step 6 Select the types of VPN to be monitored on specific devices by checking the appropriate boxes.

Step 7 Click Save to save and apply your changes, and close the device selector.


HPM Window

The Health and Performance Monitor (HPM) application window is where you view status information and alerts collected from monitored firewall and IPS devices, as well as remote-access (RA) and site-to-site (S2S) VPN information, across your network.


Note See Managing Monitored Devices for information about specifying the devices to be monitored.


The following illustration presents the primary features of the HPM window.

Figure 67-1 Health and Performance Monitor Window

Callouts: 1 - Monitoring button; 2 - Alerts button; 3 - Quick-launch buttons; 4 - Monitoring/Alerts display area.


The HPM window consists of three main elements:

Monitoring button (1) - Click this button to view device and VPN health and performance data. See HPM Window: Monitoring Display for more information.

Alerts button (2) - Click this button to view a table of alerts in the window's display area. See HPM Window: Alerts Display for more information.

Quick-launch buttons (3) - Click any button to cross-launch the related Security Manager client application.

Monitoring/Alerts display area (4) - This section of the window displays either Monitoring information for devices and VPNs, or a table of alerts generated by monitored devices. The Monitoring and Alerts buttons are used to switch back and forth between these two displays.

Working with Table Columns

You can customize the different tables of information presented in HPM as follows:

Sort a table such that the entries in a particular column are in ascending or descending order.

Click a column heading—anywhere but on a drop-down menu button—to sort the table such that the column entries are in ascending order (indicated by a small grey up-arrow).

Click the heading again to sort the entries in descending order (indicated by a small grey down-arrow).

Click the heading again to return the table to its original order of display (the direction icon is removed).

Hide and show various columns; the columns available for display depend on the particular table.

Apply a column filter, meaning the table displays only entries that fit the specified criteria.

This section contains the following topics:

Showing and Hiding Table Columns

Column-based Filtering

Showing and Hiding Table Columns

You can customize the different tables presented in HPM by hiding and showing various columns of information; the columns available for display depend on the particular table.


Note The column headings are menus that you can use to further filter the table by hiding or showing entries according to chosen parameters, as described in Column-based Filtering.


To show or hide specific columns displayed for a table:

1. Click the Columns button on the right side of the column headings to open the Choose Columns to Display dialog box.

All columns available for the current view are listed.

2. Select and deselect the columns to be shown and hidden.

3. Click OK to close the dialog box.

Only the selected columns are displayed for this table.

The following topics describe the individual columns available for various tables:

Table Columns: Device-related Views

Table Columns: VPN-related Views

Alert Table Columns

Table Columns: Device-related Views

You can customize the tables presented in the Monitoring pane for the device-related views by hiding and showing various columns of information; the columns available for display depend on the particular view.

The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect ordering of the columns as displayed.) See Showing and Hiding Table Columns for information about opening the Choose Columns to Display dialog box.

The following table presents all available data columns for the device-related Monitoring views: Priority Devices, IPS Devices, Firewall Devices, All Devices, and all custom views based on these system views. Some of the listed columns are not available for specific views, as indicated.

Table 67-1 Available Table Columns for Device-related Views

| Column Name | Available in View * | Description |
|---|---|---|
| Priority (always selected) | IPS, Firewall | Priority monitoring is indicated by a star; this field is blank for a normally monitored device. |
| Alerts | IPS, Firewall | Device alerts—a red dot indicates one or more critical alerts (and possibly warnings), while a yellow dot indicates one or more warnings only. The field is blank for a device with no alerts. You can "hover" the mouse pointer over the dot to view a pop-up displaying the number of critical alerts and the number of warnings on the device. |
| Receive Time | IPS, Firewall | Poll date and time for this entry (format is: day-of-week MMM DD HH:MM:SS your-time-zone YYYY). |
| Device Name | IPS, Firewall | Name of this device, as provided in the Security Manager inventory. |
| IP Address | IPS, Firewall | IP address of this device. |
| Health Status | IPS, Firewall | Current overall health of the device: Critical, Warning, or Normal. Note: Overall health is defined by the most critical of any of the health metrics. For instance, if all the selected metrics on the device are normal except for one that is critical, overall device health becomes critical. |
| Connection Status | IPS, Firewall | Status of the device's connection to the network: Connected, Not Connected, or Authentication Error. Any information displayed for a Not Connected device is from the indicated Receive Time, prior to connection failure. |
| Memory (%) | IPS, Firewall | Memory usage as a percentage of the total available. |
| CPU (%) | IPS, Firewall | CPU usage as a percentage of the total available. |
| Model | IPS, Firewall | Device type and model number. For example, ASA 5510, or IPS 4270. |
| Version | IPS, Firewall | Software version running on this device. |
| Inspection Load (%) | IPS | Inspection load on the device when polled, as a percentage. |
| Missed Packet (%) | IPS | Dropped packets as a percentage of total packets inspected. |
| SensorApp Status | IPS | Current SensorApp (Analysis Engine) status: Up or Down. |
| MainApp Status | IPS | Current MainApp status: Up or Down. |
| CollaborationApp Status | IPS | Current CollaborationApp status: Up or Down. |
| License Expiration Status | IPS | Status of the sensor's license, based on red and yellow threshold values set on the sensor: Normal, Warning, or Critical. |
| Bypass Mode | IPS | Whether bypass mode is enabled on the sensor: Yes or No. |
| Event Retrieval Status | IPS | Status of the IPS event retrieval: Normal, Warning, or Critical. |
| Global Correlation Status | IPS | For a sensor participating in global correlation, its update status: Normal (last update was successful), Warning (no successful update within the past day [86,400 seconds]), or Critical (no successful update within the last three days [259,200 seconds]). |
| Signature Level | IPS | The number of the most recent signature update applied to this sensor; for example, S574. |
| Analysis Engine Memory (%) | IPS | Percentage of memory assigned to the Analysis Engine currently in use. |
| Firewall Mode | Firewall | Operating mode of this device: Routed or Transparent. |
| Context Mode | Firewall | Context mode of this device: Single or Multiple. |
| Connections | Firewall | Number of active connections when device was polled. |
| Xlates | Firewall | Address translation counter. |
| Connection Rate | Firewall | Number of connections established per second. |
| Translation Rate | Firewall | Number of translations per second. |
| Failover Status | Firewall | If this device is part of a failover pair, its current state: Active or Standby. |
| Host Role | Firewall | If this device is part of a failover pair, its current role: Primary or Secondary. |
| Peer Role | Firewall | If this device is part of a failover pair, current role of its peer device: Primary or Secondary. |
| Peer Status | Firewall | If this device is part of a failover pair, current status of its peer: Active or Standby Ready. |
| Used Memory (MB) | Firewall | Amount of memory (in megabytes) in use when device was polled. |
| Free Memory (MB) | Firewall | Amount of memory available (in megabytes) when device was polled. |
| Max. Connections | Firewall | Peak number of connections. |
| Max. Xlates | Firewall | Peak number of address translations. |
| Throughput (Kbps) | Firewall | Average device throughput in kilobits per second. |
| ACL Dropped Packets | Firewall | The number of packets dropped because they failed an access control list rule. |
| Scanning Threat Dropped Packets | Firewall | If scanning threat detection is enabled, the number of packets dropped because they failed scanning threat inspection. If not enabled, "NA" is displayed. |
| Inspection Dropped Packets | Firewall | If application inspection is enabled, the number of packets dropped because they failed application inspection. If not enabled, "NA" is displayed. |
| Syn Attack Dropped Packets | Firewall | Number of packets dropped because of SYN flooding. |
| Total Interface Dropped Packets | Firewall | Total number of dropped packets on all interfaces. Note: You can view the number of per-interface dropped packets on the tabbed Interface panel presented in the detail section for the selected device. |

* All of these columns are available in the All Devices and Priority Devices views.


Table Columns: VPN-related Views

You can customize the tables presented in the Monitoring pane for the VPN-related views by hiding and showing various columns of information; the columns available for display depend on the particular view.

The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect ordering of the columns as displayed.) See Showing and Hiding Table Columns for information about opening the Choose Columns to Display dialog box.

The following table presents all available data columns for the VPN-related Monitoring views: Remote Access Users (RA), Site-to-Site Tunnels (S2S), VPN Summary, and all custom views based on these system views. Some of the listed columns are not available for specific views, as indicated.

Table 67-2 Available Table Columns for VPN-related Views

| Column Name | Available in View | Description |
|---|---|---|
| Receive Time (always selected) | RA, S2S, Summary | Poll date and time for this entry (format is: day-of-week MMM DD HH:MM:SS your-time-zone YYYY). |
| User Name | RA | User log-in name used to establish this session. |
| User Group Policy | RA | The name of the ASA VPN user group to which this user belongs. |
| Gateway | RA | IP address of the VPN gateway to which the user is connected. |
| Assigned IP | RA | Private IP address assigned to the remote client for this session; also known as the "inner" or "virtual" IP address. |
| Public IP | RA | Publicly routable IP address assigned to the client. |
| Connection Initiation Time | RA | Time and date (HH:MM:SS day-of-week MMM DD YYYY) when connection was initiated. Time is displayed in 24-hour Coordinated Universal Time (UTC) notation. |
| Duration | RA | Elapsed time (HH:MM:SS) between the session initiation and the most-recent device poll. |
| Client Version | RA | VPN client software, and version, running on the remote peer; for example, AnyConnect Windows 3.0, or Mozilla 4.0. |
| EndPoint OS | RA | Operating system in use on remote peer; for example, Windows or Windows NT. |
| Authentication Method | RA | User password, certificate, or preshared key. |
| Encryption | RA, S2S | Data encryption algorithm this session is using. |
| Tunnel Type | RA, Summary (as "Type") | Connection protocol: DTLS, TLS, or IPsec. |
| Throughput | RA, S2S | Bytes received plus bytes transmitted. |
| Session ID | RA | Identifier assigned to this session. |
| Device ID | RA | Identifier assigned to the device, if available. |
| Inactive Time | RA | Amount of time this session has been inactive. |
| Firewall Name | S2S, Summary | Name of this device, as provided in the Security Manager inventory. |
| IP Address | S2S, Summary | IP address of this device. |
| Local Endpoint | S2S | IP address of local tunnel interface. |
| Remote Endpoint | S2S | IP address of remote tunnel interface. |
| Local Subnet | S2S | Address of local protected subnet. |
| Remote Subnet | S2S | Address of remote protected subnet. |
| Uptime | S2S | Current duration of this tunnel. |
| Connection Time | S2S | Time and date (HH:MM:SS day-of-week MMM DD YYYY) when connection was initiated. Time is displayed in 24-hour Coordinated Universal Time (UTC) notation. |
| Status | S2S | Tunnel connection status; this will always be Up. (HPM cannot present information about tunnels that have gone down.) |
| Active | Summary | Current active sessions (S2S, IPSec RA, client-based SSL RA, and clientless SSL RA). |
| Peak | Summary | Peak numbers of concurrent sessions (S2S, IPSec RA, client-based SSL RA, and clientless SSL RA). |
| Users | Summary | Current remote user total (S2S, IPSec RA, client-based SSL RA, and clientless SSL RA). |
| Inactive Sessions | Summary | Number of inactive sessions. |
| Total VPN Throughput | Summary | Sum of all VPN traffic; that is, sum of RA and S2S throughput values. |


Alert Table Columns

You can customize the Alerts table by hiding and showing various columns of information.

The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect ordering of the columns as displayed.) See Showing and Hiding Table Columns for information about opening the Choose Columns to Display dialog box.

Table 67-3 Available Data Columns for the Alerts Table

| Column Name | Description |
|---|---|
| Device Name (always selected) | Name of the device on which this alert was triggered, as provided in the Security Manager inventory. |
| Device Type | Type of device: ASA or IPS. |
| Severity | Alert severity: Critical, Warning, or Normal. |
| Status | Current status of this alert: Active or Acknowledged. |
| Description | Description of the alert. For example, "Device Health Critical" or "Device Polling: Authentication Error." |
| First Seen | Date and time when this alert was first logged (day-of-week MMM DD, YYYY HH:MM:SS AM/PM). Time is based in your time zone. |
| Last Seen | Date and time when this alert was most recently logged (day-of-week MMM DD, YYYY HH:MM:SS AM/PM). Time is based in your time zone. |
| Notes | You can annotate an alert when you acknowledge it. Any annotations are displayed in this field. See Alerts: Acknowledging and Clearing for more information. |


Column-based Filtering

You can filter the various tables in HPM based on the contents of specific columns. When you apply a column filter, the table is filtered to include only those entries with the specified criteria in that column.


Note See Working with Table Columns for other methods of altering table displays.


Tips

Column filters are cumulative: for an entry to appear in the filtered table, it must meet all column filter criteria. You cannot create a set of ORed column filters.

You can filter on the contents of most but not all columns. If a column does not have a down arrow, you cannot filter on it. For example, you cannot filter on Receive Time in All Devices view.

The filter icon (a funnel) appears in the heading of a filtered column.

For a description of the available columns, see Showing and Hiding Table Columns.

To filter a table according to a particular column parameter:


Step 1 Click the down-arrow in the heading of a column and choose one of the following from the drop-down menu:

All - Choose All to remove or "undo" a filter from this column. The table is updated to show all entries for this parameter. For example, if you filtered the Severity column of the Alerts table to display only Critical alerts, choosing this option will re-display all Critical and Warning alerts.

Custom - Choose Custom to open the Custom Filter dialog box where you can create a custom filter based on the information in that column. See Custom Filtering for more information.

A specific entry - The drop-down menu includes all values relevant to the column; choose one to display only that group of entries. For example, choosing Critical from the Severity column of the Alerts table filters the table to display only Critical alerts.


Custom Filtering

The following procedure explains how to create a custom column-based filter, one in which you are not simply selecting a value from the column's drop-down list. Refer to Column-based Filtering for information about other column-based filtering options.


Step 1 Click the down-arrow in the heading of a column and choose (Custom) from the drop-down menu.

The Custom Filter dialog box for that column opens.

Step 2 In the Custom Filter dialog box, select the desired values. The following illustration shows a typical example of this dialog box.

These are the controls you might find in the Custom Filter dialog box (not all controls appear for every instance):

Condition - Choose the condition applied to the selected Values.

Typically this is "is in", meaning each of the Values you select must be "in" a column in order for that entry to be displayed in the filtered table.

Not - Check this box to create a negative Condition.

With "is in" as the chosen Condition, this would mean the selected Values cannot be in the column. In other words, the table is filtered such that entries with these Values in the column are not displayed.

Values list - A few instances of the dialog box present one list of Values from which to select: simply check the desired options.

Available and selected Values lists - In most cases, the dialog box presents two Values lists, as shown in the previous illustration. To select a value for the custom filter, highlight it in the left list, which contains available values for the column, and click the right arrow to add it to the list of selected values on the right. You can select multiple values.

The items in the available Values list are determined by the values currently present in the selected column of the source table.

If there are a lot of available values, you can search for a specific value by typing in the List Filter field above the list. For more information, see Using The List Filter Fields.

You can also select, or deselect, values using the following techniques:

Type a Value name into the text field above the selected Values list and click the + button; the Value is added to the selected Values. This technique is useful if there is a large number of available Values, or if you want to filter on a value that is not present in the available Values list.

Double-click an item in either list to move it to the other list.

Click one of the double-arrow buttons to move all items from one list to the other, regardless of any selected values.

Step 3 Click OK to close the dialog box.

The table is updated to show only those entries that satisfy all currently applied filters.


Using The List Filter Fields

A List Filter field is provided above the devices and VPNs lists in the Monitoring display, above the alerts table in the Alerts display, above the device list on the VPN page of the Device Selector, and in the View Cleared Alerts window. In each case, you can use the List Filter field to quickly locate any entries in the related table that contain a specified text string.


Note The found text can be part of any data field associated with an entry. For example, as you type "license" into the Alerts List Filter field, the Alerts table is filtered to show only those alerts related to imminent license expiration. (Any matched entries are listed even if the relevant data column—in this example, Detail—is not displayed, which could cause confusion. See Showing and Hiding Table Columns for more information about hiding table columns.)


Figure 67-2 Health and Performance Monitor: List Filter Field

(1) Filter-parameters button. (2) Clear button.


To search for a specific text string in the devices list, the VPNs list, the Alerts table, or the View Cleared Alerts window:

Click in the List Filter field to place the text cursor, and then begin typing.

These are "live filter" fields. That is, as you type each character, entries that do not include your current text string are removed from the list or table. For example, suppose in an extensive list of alerts there is one with a Status of "Device Health Critical," and that none of the other alerts include any text strings containing the letters hea. You want to use the List Filter field to quickly locate that one alert, so you begin to enter the word "health." That alert is the only one displayed after you have typed the first three letters.

To clear a List Filter field:

Click the clear button at the right side of the field.

This button appears when you begin typing in the field. (You also can highlight the characters and press the Delete or Backspace key on your keyboard.)

When you clear the List Filter field, all entries in the list are again displayed.

You can tune the filter results by specifying the information (columns) searched, by selecting case sensitivity or insensitivity, by allowing wildcards or regular expressions, and by specifying where in a returned string your characters must be located.

To change the List Filter criteria:

1. Click the filter-parameters button (magnifying glass) at the left side of the List Filter field to open the parameters menu.

2. Choose an option.

The menu consists of four sections:

A list of all available information types—these entries correspond to the columns that can be displayed for that particular list or table. You can choose All, or alternatively you can choose individual entries.

Case sensitive and Case insensitive - Choose one or the other. If you choose Case sensitive, found text must match not only the characters you enter, but also their as-typed case.

Use wildcards and Use regular expression - Choose one or the other. The following wildcards are recognized:

* (asterisk) - Match zero or more characters at that location in the string.

? (question mark) - Match one character at that location in the string.

Match from start, Match exactly, and Match anywhere - Choose one. Match from start means that the string you enter must be found at the beginning of an entry, although it can be part of a larger set of characters. Match exactly requires that the string you enter exactly match the entire column entry. Match anywhere means the string can be found anywhere within an entry, and it can be part of a larger set of characters.

3. Repeat Steps 1 and 2 to change another parameter.
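The Custom Filter condition described under Custom Filtering ("is in" with the optional Not) and the List Filter parameters described just above (searched columns, case sensitivity, wildcards or regular expressions, and the three match modes) can be modelled in a few lines. The following is an added example written for this page; it is not code from the guide or from the HPM product, and the alert rows, column names and device names in it are constructed for illustration:

```python
import re

# Constructed sample Alerts table (hypothetical devices and alerts, not data
# from the guide or from a real HPM installation).
ALERTS = [
    {"Device": "asa-edge-1", "Severity": "Critical", "Status": "Device Health Critical",
     "Detail": "Memory usage above threshold"},
    {"Device": "ips-dc-2", "Severity": "Warning", "Status": "Active",
     "Detail": "License expiration imminent"},
    {"Device": "asa-edge-2", "Severity": "Normal", "Status": "Active",
     "Detail": "Interface GigabitEthernet0/1 up"},
    {"Device": "ips-dc-3", "Severity": "Critical", "Status": "Active",
     "Detail": "Bypass mode triggered"},
]


def custom_filter(rows, column, values, negate=False):
    """Custom Filter dialog with Condition "is in": keep the entries whose
    value in <column> is one of the selected <values>. With the Not box
    checked (negate=True) the entries with those values are hidden instead."""
    selected = set(values)
    return [row for row in rows if (row.get(column) in selected) != negate]


def _wildcard_to_regex(pattern):
    """Translate the two documented wildcards to a regular expression:
    * matches zero or more characters, ? matches exactly one character.
    Everything else is escaped so it is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def list_filter(rows, text, columns=None, case_sensitive=False,
                regex=False, mode="anywhere"):
    """List Filter field. Keep the entries in which <text> is found in any of
    the searched <columns> (None means All, including hidden columns).
    mode selects Match from start ("start"), Match exactly ("exact") or
    Match anywhere ("anywhere"); regex=True treats <text> as a regular
    expression instead of a wildcard pattern."""
    if text == "":
        return list(rows)          # a cleared field shows every entry again
    body = text if regex else _wildcard_to_regex(text)
    if mode == "start":
        body = "^(?:" + body + ")"
    elif mode == "exact":
        body = "^(?:" + body + ")$"
    elif mode != "anywhere":
        raise ValueError("mode must be 'start', 'exact' or 'anywhere'")
    pattern = re.compile(body, 0 if case_sensitive else re.IGNORECASE)

    def matches(row):
        searched = columns if columns else row.keys()
        return any(pattern.search(str(row[c])) for c in searched if c in row)

    return [row for row in rows if matches(row)]


def devices_of(rows):
    """Helper for reading results: the Device column of each entry, in order."""
    return [row["Device"] for row in rows]


if __name__ == "__main__":
    # The guide's own example: typing "hea" leaves only the
    # "Device Health Critical" alert in the table.
    print(devices_of(list_filter(ALERTS, "hea")))
```

Note that with the default All columns a match in a hidden column (Detail here) still keeps the entry, which is the behaviour the Note about "license" warns can be confusing; restricting `columns` reproduces the effect of choosing individual information types from the parameters menu.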

Monitoring Devices

The HPM Monitoring display presents View controls, view panels, and detailed information about the currently selected device, as described in HPM Window: Monitoring Display.

To switch to the Monitoring screen:

Click the Monitoring button below the HPM menu bar.

(Click the Alerts button to return to the Alerts screen.)


Note See Managing Monitored Devices for information about specifying the devices to be monitored.


This section contains the following topics:

Managing Device Views

HPM Window: Monitoring Display

Managing Device Views

"Views" provide the means to filter and organize the information displayed in the Monitoring pane of the HPM application. Various system views are provided—for example, All Devices, Firewall Devices, Remote Access Users Details, and so on—and you can create custom views that organize the information in other ways, such as geographic device location.

The left pane of the HPM main window displays a list of available views as shown in the following illustration.

Figure 67-3 Health and Performance Monitor: Views Pane

The Views pane includes the following controls:

(1) Push Pin button - Click the Push Pin button to control display of the Views list. When the list is displayed as a pane of the HPM window (the pin is vertical), click the button to collapse the pane into the left edge of the window, leaving a labeled tab; the Monitoring pane is expanded to fill the HPM window.

You can "hover" your mouse pointer over the tab to "pop out" the Views list; it remains visible as long as the pointer is over the tab or in the list area (the pin is horizontal). You also can click anywhere in the title bar—except on the pin itself—to keep the list "popped out."

Click the pin once again to re-establish the Views list as an open pane; the Monitoring pane contracts to make room for it.

(2) List of views - The list is organized into folders: System Views and My Views. Click an entry in either folder to open that view in the Monitoring pane, as described in Views: Opening and Closing. See Views: Custom for information about creating new views in the My Views folder.

Right-click shortcut menu - You can right-click any entry in the View list to access a pop-up menu of view-related commands:

Edit - Edit the name and description of the existing custom view. See Views: Custom.

Save As - Save the view as a new custom view. See Views: Custom.

Delete - Delete that custom view.

Set as default view - Use this command to designate the view that is always displayed whenever you launch the HPM application.

This section contains the following topics:

Views: Opening and Closing

Views: Tiling Horizontally or Vertically

Views: Floating and Docking

Views: Custom

Views: Opening and Closing

All available views are listed in the Views pane, on the left side of the HPM window. The Monitoring pane displays open views, with each open view presented as a separate tabbed panel. (See HPM Window: Monitoring Display for more information about this window.)


Note You can detach views so they "float" in separate windows. For more information, see Views: Floating and Docking.


To display a new view in the Monitoring pane:

Click the desired entry in the Views list.

The view appears as a tabbed panel in the Monitoring pane; it is automatically selected and displayed.

To switch to another open view:

Click the desired tab in the Monitoring pane; that view is displayed.

Right-click any tab and choose Next or Previous to display the view to the right or left of that tabbed view.

Click the Scroll Back and Scroll Forward buttons to the right of the tabs to display the view to the left or right of the current view.

To close a view:

Click the close button in that tab.

Right-click the tab and choose Close.

Right-click the tab and choose Close Others to close all open views except the one you right-clicked.

Right-click any tab and choose Close All to close all open views.

Views: Tiling Horizontally or Vertically

Rather than displaying a single view such that it fills the Monitoring pane, you can tile two or more of the views, either horizontally or vertically, for easy comparison.

For example, if you tile two views horizontally, one view fills the upper half of the Monitoring pane, while the other fills the lower half. Similarly, tiling two views vertically fills the left-hand half of the pane with one view, with the other view filling the right half. Further, you can tile more than two views—the pane is subdivided equally for each view.

To create two horizontal or vertical tiles:

Right-click one of the tabs and choose New Horizontal Group or New Vertical Group.

The selected view and the other view(s) are distributed to share the Monitoring pane equally, either horizontally or vertically depending on your choice.

Note that if there are more than two views open when you choose one of these commands, the selected view is tiled, with the remaining group of tabbed views displayed as the other tile. You can then repeat this process with the remaining tabbed views, increasing the number of visible tiles, as desired.

You can also move an existing tile to another tile:

Right-click the tab and choose Move to Next Tab Group or Move to Previous Tab Group.

The selected view is added to the next tile (below or to the right, depending on tile orientation), or to the previous tile (above or to the left). These commands are available only if the tiled views are arranged in a manner where such movement is possible.

To change the orientation of the views, switching from horizontal to vertical tiling, or vice versa:

Right-click any tab and choose Change Tab Groups Orientation.

This command is available only when two or more tiled views are displayed.

Views: Floating and Docking

You can detach tabbed views so they "float" as separate windows, and you can "dock" floating views, returning them to the Monitoring pane as tabbed views.

To detach a view as a floating window:

Right-click that tab and choose Floating.

A standard window opens, displaying the selected view.

To move another tabbed view from the Monitoring pane to an already-open floating-view window:

Right-click the tab and choose the window from the Floating to submenu.

The right-clicked view is added to the existing window as another tabbed panel.

To return a floating view to the Monitoring pane as a tabbed panel:

Right-click the view's tab in the window and choose Docking.

That view is returned to the Monitoring pane.


Note A floating view is a standard window: you can minimize, maximize and close it as you would any other window.


Views: Custom

The Health and Performance Monitor provides seven System Views. In addition, you can create any number of custom views, each of which is based on an existing view. You also can edit and delete custom views.

The various views are presented in the Views pane of the Monitoring display, organized into two folders: System Views and My Views (the latter folder contains your custom views). The Monitoring display is described in HPM Window: Monitoring Display.

Follow these steps to create a new custom view:

1. In the Views list, select the view on which the new view is to be based.

This can be a System View or an existing custom view.

2. Choose Save As from the File menu to open the Save View As dialog box.

You also can right-click the selected view and choose Save As from the pop-up menu to open the dialog box.

3. Provide a Name for the new view, and optionally a Description.

4. Specify the devices to be monitored for this view: check and clear entries in the device-selector area of the dialog box.

5. Click Save to close the dialog box and add the new view to the My Views folder.

Follow these steps to edit an existing custom view:

1. Under My Views, select the view.

2. Choose Edit from the File menu to open the Save View As dialog box.

You also can right-click the selected view and choose Edit from the pop-up menu.

3. Edit the Name and Description, as necessary.

4. Check and clear entries in the device selector to change the devices monitored for this view.

5. Click Save to close the dialog box.

Follow these steps to delete an existing custom view:

1. Under My Views, select the view.

2. Choose Delete from the File menu.

You also can right-click the selected view and choose Delete from the pop-up menu.

3. Confirm that you want the view deleted.

That view is removed from the Views list.

HPM Window: Monitoring Display

The HPM window provides two different information displays: Monitoring and Alerts. Click the Monitoring button to access the Monitoring display.

The Monitoring display consists of two primary panes: Views and Monitoring. The Views pane presents a list of available views. Click an entry in this list to open that View as a tabbed panel in the Monitoring pane.

The Monitoring pane can present multiple tabbed views, most of which display several sections. Click a tab to bring that view to the front.


Note The Remote Access Users and the Site-to-Site Tunnels views each display only a single table of information, as described in Monitoring Views: VPN, RA and S2S. The following descriptions focus mainly on the other available system views.


The following illustration presents the primary features of the Monitoring display and the panel sections.

Figure 67-4 Health and Performance Monitor: the Monitoring Display

(1) Views list. (2) Monitoring view controls. (3) Summary of all devices. (4) Status of devices and VPNs. (5) Selected device details.


The Monitoring display consists of five main elements:

Views list (1) - This pane lists all views available—click an entry in this list to open that view in the Monitoring pane. The views are organized into System Views, provided as part of the program, and My Views, which are custom views you have created. See Managing Device Views for information about the Views pane, and Views: Custom for information about managing custom views.

Monitoring view controls (2) - A labeled tab appears here for each view you open; click any tab to bring that view to the front. You also can use the Scroll Backward and Scroll Forward buttons to step backward or forward through the tabbed views. Alternately, open the Show List drop-down menu on the right and choose a label to make that the active view.

Summary of all devices (3) - Provides aggregate information for all devices represented by this view. Expand or collapse this section by clicking the button on the right side. The device-summary section is described in greater detail in Monitoring Views: Devices Summary.

Device-status list (4) - All devices or VPNs included in this view are listed here; see Monitoring Views: Device Status List for more information about this list. Use the List Filter field in this section to filter the list, as described in Using The List Filter Fields.

Selected device details (5) - This section provides detailed information about the device or VPN currently highlighted in the device list. The device-details section is described in greater detail in Monitoring Views: Device Details.

This section contains the following topics:

Monitoring Views: Devices Summary

Monitoring Views: Device Status List

Monitoring Views: Device Details

Monitoring Views: VPN, RA and S2S

Monitoring Views: Devices Summary

The HPM Monitoring display presents tabbed views, each of which provides detailed information about the device or VPN currently selected, as described in HPM Window: Monitoring Display. All device-related views (that is, all but the Remote-Access Users and Site-to-Site Tunnels views) include a Summary section, as described here.

This Devices Summary, which you can show and hide by clicking the button on the right side of its title bar, displays a snapshot of the aggregate Health Status and Alert Status for all the devices or VPNs relevant to the current view. For example, if you are viewing the Firewall Devices panel, the status summaries cover only the monitored firewall devices.

Monitoring Views: Device Status List

The HPM Monitoring display presents detailed information about the device or VPN currently selected, as described in HPM Window: Monitoring Display. All device-related Views (that is, all but the Remote-Access Users and Site-to-Site Tunnels views) include a table of monitored devices or VPNs relevant to the current view.

This table displays "at-a-glance" status information for every monitored device or VPN—each is represented by an entry in this table. (Again, the list includes only those elements relevant to the current view. For example, the list in the Firewall Devices view does not include entries for IPS devices.)

You can resize the table columns, you can show and hide columns, and the column headings are menus you can use to filter the table by hiding or showing devices according to chosen parameters. See Showing and Hiding Table Columns for more information about these options.

When you select an entry in this list, detailed information for that device is displayed in the device-details area below the table, as described in Monitoring Views: Device Details.


Tip With the All Devices, Firewall Devices, IPS Devices, and Priority Devices views (and any custom device-related views), you can right-click the highlighted entry and choose Device Manager from the pop-up menu to open the appropriate external device manager for that device—that is, ASDM for an ASA, and IDM for an IPS sensor—where you can "drill down" into the health and performance data for that device. See Starting Device Managers for more information about the device managers.


Monitoring Views: Device Details

The HPM Monitoring display presents views and detailed information about the device or VPN currently selected, as described in HPM Window: Monitoring Display. All device-related Views (that is, all but the Remote-Access Users and Site-to-Site Tunnels views) provide three or four tabbed panels of detailed information for the individual device or VPN currently selected in the device-status table above them.

For the All Devices, Firewall Devices, IPS Devices, and Priority Devices views, the tabbed panels are:

Health - A "snapshot" of device status, including graphic displays for certain metrics. With firewall and IPS devices, the top section of this panel includes:

The Health field indicates general overall status, and can be Normal, Warning, or Critical, based on the number and type of alerts triggered on the device. Click the i button for a pop-up view of current device metrics.

The Alerts field indicates the current alert level, which also can be Normal, Warning, or Critical. The numbers of triggered Critical and Warning alerts are indicated, followed by a View hyperlink. Click the link to switch to the Alerts display with only the alerts for this device listed.


Note For IPS devices, certain health-metric thresholds must be configured separately on the individual devices—that is, outside of HPM. Therefore, it is possible for the health of an IPS device to be critical, for example, without any indication in HPM. See Alerts Configuration: IPS for additional information.


Device Information - A read-only listing of device-specific information such as device name, IP address, device type and model number, and so on.

Traffic - Device-specific traffic information, some of which is also presented in graphical form. For example, average number of connections and number of translations for firewall devices (over the most-recent polling period), and average inspection load and percentage of missed packets for IPS sensors (over the most-recent polling period).

Interfaces - A listing of all interfaces defined on the device, with current status information.

For the VPN Summary view, the tabbed panels are:

VPN Usage - Several graphs presenting information such as active site-to-site tunnels, active remote-access sessions, and total throughput. This includes historical trending information for active Site-to-Site tunnels, active IPSec remote-access users, active SSL VPN clientless users, and active SSL VPN with client users.

License Information - A read-only listing of IPSec and SSL license and load information.

Other Details - Certificate and trustpoint details.

See Managing Monitored Devices for information about selecting devices for VPN monitoring.

Monitoring Views: VPN, RA and S2S

The HPM Monitoring display presents a variety of device- and VPN-related data views, as described in HPM Window: Monitoring Display. These include the Remote Access Users and Site-to-Site Tunnels views, which, unlike the other views, are simply tables of current users and tunnels.

See Managing Monitored Devices for information about selecting devices for VPN monitoring.


Note HPM supports VPN monitoring on ASA 7.2.x and 8.0+ devices only.


In both of these views, you can resize the table columns, you can show and hide columns, and the column headings are menus you can use to filter the table by hiding or showing entries according to chosen parameters. See Showing and Hiding Table Columns for more information about these options.

The Remote Access Users view lists the remote-access users currently logged into network resources via the devices being monitored by HPM. Note that remote-access user information is updated every 20 minutes (for normal monitoring; for Priority monitoring the interval is 15 minutes), rather than the five minutes that is standard for the other views. Also, no historical or trending data is available for remote-access users.

Further, you may notice a mismatch between RA user count in the VPN Summary view and the Remote Access Users view. This is because the VPN Summary is updated at ten-minute/five-minute (normal/Priority) intervals.


Tip In the Remote Access Users view, you can right-click a user entry and choose Log Off User from the pop-up menu to terminate that remote-access connection.


The Site-to-Site Tunnels view provides current VPN tunnel information through all monitored devices.


Note VPN polling occurs on a fixed time interval, so it is not possible to log status changes within that time interval. For example, if a site-to-site tunnel goes down immediately after polling and comes back up just before the next poll, that status change cannot be detected.


Alerts and Notifications

The Health and Performance Monitor (HPM) provides trend information, alerts, and notifications regarding the performance and health of monitored devices. You can monitor the overall health of your network—including network user and device resource utilization—by quickly scanning the status of individual devices and groups of devices.

Specific device-level trend information is available for hourly, daily and weekly intervals. Alerts are displayed prominently, with easy navigation to the relevant HPM data. You also can acknowledge and annotate individual alerts.

These alerts are based on threshold values and state-change rules that you have configured: you specify thresholds that define Critical, Warning, and Normal levels for various metrics, and you can configure rules for certain state changes such as interface failure.

Further, there are two levels of device monitoring. Initially all devices are unmonitored. However, you can designate devices to be monitored at a "normal" level, or at a "Priority" level—you define a separate set of alert definitions for each level. Priority devices are polled and reported on more frequently, and failure parameters are more stringent.

You also can enable email alert notifications. If configured, an email is sent to the specified address(es) whenever an alert is generated. You can provide multiple addresses for each category of alerts (Firewall and IPS).


Note An email notification is sent the first time an alert is logged, and when the severity of an alert changes from warning to critical (but not vice-versa). No notification is issued if a device returns to the Normal state.


This section contains the following topics:

HPM Window: Alerts Display

Alerts: Configuring

Alerts: Viewing

Alerts: History

HPM Window: Alerts Display

The HPM window provides two different information displays: Monitoring and Alerts. Click the Alerts button to access the Alerts display.

The following illustration presents the primary features of the Alerts display.

Figure 67-5 Health and Performance Monitor: Alerts Display

(1) Alerts button. (2) List Filter field. (3) Alerts table. (4) Refresh button. (5) Clear button. (6) Acknowledge button. (7) View Cleared Alerts button.

The Alerts display consists of seven main elements:

Alerts button (1) - The HPM window displays either Monitoring information for devices and VPNs, or a table of alerts generated by monitored devices. Click the Alerts button to view the alerts table.

List Filter field (2) - You can use this field to filter the alerts displayed in the table; only those alerts containing the specified text are listed. Refer to Using The List Filter Fields for more information.

Alerts table (3) - This table lists all alerts for all currently monitored devices. The alerts displayed can be filtered using the List Filter field. You also can show and hide various columns of information for each alert. See Alerts and Notifications for more information.

Refresh button (4) - Click this button to update all alerts ahead of the normal polling cycles.

Clear button (5) - When one or more alerts are selected, you can click this button to open the Clear dialog box. Click the Clear button in the dialog box to close it and clear the highlighted alerts from the table.


Note See Alerts: Acknowledging and Clearing for additional information about clearing and acknowledging alerts.


Acknowledge button (6) - When one or more alerts are selected, you can click this button to open the Acknowledge dialog box. If desired, you can enter a note that will be applied to the selected alerts. Click the Acknowledge button to close the dialog box and mark all highlighted alerts as acknowledged.


Tip You can add a note to any previously acknowledged alert. Click the Note field for that alert to open the Enter Notes dialog box. This is the only method of accessing the Enter Notes dialog box.


View Cleared Alerts button (7) - Click this button to open the View Cleared Alerts window where you can access and view previously cleared alerts; you specify a set of devices and a time range. See Alerts: History for more information about using this window.

Alerts: Configuring

The alerts and email notifications provided by HPM are based on threshold values and state-change rules that you configure in the Alerts Configuration dialog box.

The Alerts Configuration dialog box consists of two tabbed panels: IPS for IPS sensor-related alerts, and FW for firewall-related alerts. Each panel presents groups of options in sections—use the expand/collapse button to show or hide a particular section.


Note You can enable and disable a particular alert without expanding that section; simply check or clear the box preceding the section heading—the current settings are used and retained.


There are two levels of device monitoring: normal or "standard" priority and "active" priority. Active priority devices are polled and reported on more frequently, and failure parameters are more stringent. You can designate up to 10% of all monitored devices for Priority monitoring. See Managing Monitored Devices for more information about device selection.

Follow these steps to configure alert reporting and notifications for both Standard and Priority devices:


Step 1 Choose Alert Configuration from the Tools menu to open the Alerts Configuration dialog box.

Step 2 On the IPS panel, configure IPS-related alerts—if necessary, click the IPS tab to display the panel.

1. To enable email Notifications when IPS alerts are generated, enter one or more valid addresses in the Email Addresses field; separate multiple addresses with commas.

2. Use the checkboxes in the section headings to enable and disable specific alerts. Expand a section to update those alert definitions. The IPS parameters are described in Alerts Configuration: IPS.


Note An email notification is sent the first time an alert is logged, and when the severity of an alert changes from warning to critical (but not vice-versa). No notification is issued if a device returns to the Normal state.


Step 3 On the FW panel, configure firewall-related alerts—click the FW tab to display the panel.

1. To enable email Notifications when firewall alerts are generated, enter one or more valid addresses in the Email Addresses field; separate multiple addresses with commas.

2. Use the checkboxes in the section headings to enable and disable specific alerts. Expand a section to update those alert definitions. The FW parameters are described in Alerts Configuration: Firewall.

Step 4 Click Save to save your changes and close the dialog box.


Alerts Configuration: IPS

The alerts and status information collected from monitored IPS devices are configured on the IPS panel of the Alerts Configuration dialog box. Refer to Alerts: Configuring for information about opening the dialog box, accessing the IPS panel, and providing email addresses for IPS-related Notifications.

The IPS-alert configuration parameters are grouped into sections that can be expanded and collapsed. Each section includes a checkbox next to its heading; use this checkbox to enable or disable that alert. When expanded, each section provides access to the settings used to define the alert.

The IPS alert and status configuration parameters are described in the following table. Each parameter can be configured separately for Priority Devices and Standard Devices. (Specifying devices for priority and standard monitoring is described in Managing Monitored Devices.)


Note Some of the following alert settings require specific related parameters to be configured on the monitored IPS sensors themselves. For example, if license-expiration-policy (health-monitor command) is not enabled on a particular sensor, license-expiration messages are not generated by that sensor and therefore no occurrences are tallied for it by HPM.


Table 67-4 IPS Alerts Configuration

Setting - Description

CollaborationApp Status - Errors generated by the CollaborationApp application are tallied. Alerts and Notifications are generated when the number of errors tallied reaches the specified Occurrences value.

SensorApp Status - Errors generated by the SensorApp application are tallied. Alerts and Notifications are generated when the number of events reaches the specified Occurrences value.

Bypass Mode - Any time bypass mode is triggered, one Occurrence is tallied for this setting. Alerts and Notifications are generated when the number of Occurrences reaches the value specified.

Interface Status - The status of each enabled interface is polled periodically. Each "down" result for any given interface is tallied as one Occurrence for that interface. Alerts and Notifications are generated when the number of Occurrences reaches the value specified.

License Expiration - A license-expiration threshold can be configured on each IPS sensor, and whenever this threshold is crossed, a status message is issued.

Memory Usage - A memory-usage threshold can be configured on each IPS sensor, and whenever this threshold is exceeded, a status message is issued. An Occurrence is tallied for each memory-usage message. Alerts and Notifications are generated when the number of Occurrences reaches the value specified here.

Missed Packets - A missed-packets threshold can be configured on each IPS sensor, and whenever this threshold is exceeded, a status message is issued. An Occurrence is tallied for each missed-packets message. Alerts and Notifications are generated when the number of Occurrences reaches the value specified here.

Inspection Load - A traffic inspection-load threshold can be configured on each IPS sensor, and whenever this threshold is exceeded, a status message is issued. An Occurrence is tallied for each load-exceeded message. Alerts and Notifications are generated when the number of Occurrences reaches the value specified.


Alerts Configuration: Firewall

The alerts and status information collected from monitored firewall devices are configured on the FW panel of the Alerts Configuration dialog box. Refer to Alerts: Configuring for information about opening the dialog box, accessing the FW panel, expanding and collapsing sections, and providing email addresses for FW-related Notifications.

The firewall-alert configuration parameters are grouped into sections that can be expanded and collapsed. Each section includes a checkbox next to its heading; use this checkbox to enable or disable that alert. When expanded, each section provides access to the settings used to define the alert.

Some section headings also include a Consider for Device Health checkbox. Checking one of these boxes means that the corresponding information is included when the overall health of each device is determined.

The FW alert and status configuration parameters are described in the following table.

Table 67-5 Firewall Alerts Configuration 

Setting

Description

Peer Status

The status of the link to the device's failover peer is polled periodically. Each failed contact attempt is tallied as one Occurrence. Alerts and notifications are generated when the number of occurrences reaches the values specified here.

For Priority devices and for Standard devices: choose Critical or Warning to specify the type of alert generated, and then specify the number of occurrences necessary to trigger the alert.

Interface Status

The status of each enabled device interface is polled periodically. Each "down" result for any given interface is tallied as one Occurrence for that interface. Alerts and notifications are generated when the number of occurrences reaches the values specified here.

For Priority devices and for Standard devices: choose Critical or Warning to specify the type of alert generated, and then specify the number of occurrences necessary to trigger the alert.

Note Check Consider for Device Health in the header to include these data in device-health calculations.

CPU Usage

An Occurrence is tallied each time CPU usage exceeds the specified Threshold percentage. Alerts and notifications are generated when the number of occurrences reaches the values specified here.

Note Check Consider for Device Health in the header to include these data in device-health calculations.

For Priority devices and for Standard devices, you can enable either or both Critical and Warning CPU Usage alerts:

1. Check the appropriate box to enable the Threshold and Occurrence fields.

2. Specify a Threshold percentage by clicking the up or down arrows, or by highlighting the existing value and typing a number.

3. In the Occurrence field, specify the number of times the specified Threshold must be exceeded before the critical or warning alert is issued.

Memory Usage

An Occurrence is tallied each time memory usage exceeds the specified Threshold percentage. Alerts and notifications are generated when the number of occurrences reaches the values specified here.

Note Check Consider for Device Health in the header to include these data in device-health calculations.

For Priority devices and for Standard devices, you can enable either or both Critical and Warning Memory Usage alerts:

1. Check the appropriate box to enable the Threshold and Occurrence fields.

2. Specify a Threshold percentage by clicking the up or down arrows, or by highlighting the existing value and typing a number.

3. In the Occurrence field, specify the number of times the specified Threshold must be exceeded before the critical or warning alert is issued.
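The CPU Usage and Memory Usage rules above share one pattern: a poll result that exceeds the Threshold is tallied as an Occurrence, and the Critical or Warning alert is issued when the tally reaches the configured Occurrence count, with separate values for Priority and Standard devices. The following model of that pattern is an added illustration, not Cisco Security Manager code. The device names, rule values and CPU readings are constructed, and two points the page does not state are assumptions made here: a reading above the Critical threshold also counts toward the Warning tally, and a tally restarts after its alert is issued. The reconfigure step models the automatic clearing of alerts when a threshold is changed, as described under Alerts: Acknowledging and Clearing.

```python
"""Model of HPM-style Threshold/Occurrence alerting (added illustration, not CSM code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UsageRule:
    severity: str      # "Critical" or "Warning"
    threshold: int     # percent; an Occurrence is tallied when usage exceeds this
    occurrences: int   # Occurrences needed before the alert is issued


@dataclass
class DeviceMonitor:
    device: str
    rules: Tuple[UsageRule, ...]
    tallies: Dict[str, int] = field(default_factory=dict)
    # open alerts as (device, severity, reading that triggered the alert)
    open_alerts: List[Tuple[str, str, int]] = field(default_factory=list)
    # cleared alerts keep a note, as the View Cleared Alerts history does
    cleared_alerts: List[Tuple[str, str, int, str]] = field(default_factory=list)

    def poll(self, usage_pct: int) -> List[str]:
        """Record one poll result; return the severities of any alerts issued."""
        issued = []
        for rule in self.rules:
            if usage_pct <= rule.threshold:
                continue                      # not an Occurrence for this rule
            count = self.tallies.get(rule.severity, 0) + 1
            if count >= rule.occurrences:
                self.open_alerts.append((self.device, rule.severity, usage_pct))
                issued.append(rule.severity)
                count = 0                     # assumption: tally restarts after an alert
            self.tallies[rule.severity] = count
        return issued

    def reconfigure(self, new_rules: Tuple[UsageRule, ...]) -> int:
        """Replace the rules; alerts whose rule changed are auto-cleared with a note.
        Returns the number of alerts that were auto-cleared."""
        old = {r.severity: r for r in self.rules}
        new = {r.severity: r for r in new_rules}
        changed = {sev for sev in old if new.get(sev) != old[sev]}
        kept, cleared = [], 0
        for alert in self.open_alerts:
            if alert[1] in changed:
                self.cleared_alerts.append(alert + ("auto-cleared: threshold changed",))
                cleared += 1
            else:
                kept.append(alert)
        self.open_alerts = kept
        for sev in changed:
            self.tallies.pop(sev, None)       # tally for a changed rule starts over
        self.rules = new_rules
        return cleared


# Constructed rule sets: Priority devices get tighter thresholds and fewer Occurrences.
PRIORITY_RULES = (UsageRule("Critical", 90, 2), UsageRule("Warning", 75, 3))
STANDARD_RULES = (UsageRule("Critical", 95, 3), UsageRule("Warning", 80, 5))

# Constructed sample: the same sequence of CPU readings polled on both device classes.
SAMPLE_CPU = [60, 78, 92, 94, 79, 96, 97, 70]


def run_cpu_example() -> Tuple[DeviceMonitor, DeviceMonitor]:
    """Feed SAMPLE_CPU to one Priority and one Standard device (hypothetical names)."""
    pri = DeviceMonitor("asa-edge-01", PRIORITY_RULES)
    std = DeviceMonitor("asa-branch-07", STANDARD_RULES)
    for reading in SAMPLE_CPU:
        pri.poll(reading)
        std.poll(reading)
    return pri, std


def run_reconfigure_example() -> Tuple[int, int, int]:
    """Lower the Priority Critical threshold; its open Critical alerts are auto-cleared."""
    pri, _ = run_cpu_example()
    cleared = pri.reconfigure((UsageRule("Critical", 85, 2), UsageRule("Warning", 75, 3)))
    return cleared, len(pri.open_alerts), len(pri.cleared_alerts)


if __name__ == "__main__":
    pri, std = run_cpu_example()
    for alert in pri.open_alerts:
        print("Priority:", alert)
    print("Standard open alerts:", std.open_alerts, "tallies:", std.tallies)
    print("After reconfigure (cleared, open, history):", run_reconfigure_example())
```

With these values the Priority device raises a Critical and a Warning alert on the 94% reading and again on the 97% reading, while the Standard device, with its higher thresholds and Occurrence counts, raises nothing over the same readings and finishes with tallies still pending. Lowering the Priority Critical threshold afterwards moves the two Critical alerts into the cleared history and leaves the Warning alerts open.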


Alerts: Viewing

All alerts generated for monitored devices are displayed as a table in an alternate screen of the HPM window. The Alerts table is updated automatically as devices are polled for status information. You can also click the Refresh button, above the table on the right side, to update the table.

These alerts are based on the threshold values and state-change rules you have configured. See Alerts: Configuring for more information.


Note See Managing Monitored Devices for information about specifying the devices to be monitored.


To switch to the Alerts screen:

Click the Alerts button below the HPM menu bar.

(Click the Monitoring button to return to the Monitoring screen.)

The Alerts listing is a basic table, consisting of rows and columns, with each row representing one alert from a given device. Each column provides specific information about that alert: device name, alert severity, time recorded, and so on. (See HPM Window: Alerts Display for more about the Alerts screen.)


Note The column headings are menus that you can use to filter the table by hiding or showing alerts according to chosen parameters. For example, you might choose to display alerts for only a particular device, and then choose only critical alerts for that device. See Working with Table Columns for more information.


In addition to scrolling the Alerts table, you can view sets of specific alerts:

Use the List Filter field above this table to filter the list. See Using The List Filter Fields for more information.

Use the View Cleared Alerts window to view previously cleared alerts for a selected set of devices over a specified time range. See Alerts: History for more information.

You also can acknowledge alerts, clear alerts, and edit alert notes:

You can acknowledge an alert, or clear it, as described in Alerts: Acknowledging and Clearing.

To add to an existing alert note, click the Notes field for that entry in the table to open the Enter Notes dialog box, which is used to view and add notes to an alert. This is available only when a single alert with an existing note is selected in the table.

Alerts: Acknowledging and Clearing

All alerts generated for monitored devices are displayed in the Alerts table, as described in Alerts: Viewing. You can add notes to individual alerts, and you can acknowledge or clear alerts individually or in groups.

To select an alert, click that entry in the Alerts table. You can Shift-click another alert to select the group between the two, and you can Ctrl-click various rows to select multiple non-contiguous alerts.

When an alert is selected in the table, you can:

Click the Acknowledge button to open the Acknowledge Alert dialog box, used to add an optional note to the selected alert(s) and then mark them as acknowledged. You can acknowledge multiple alerts at one time.

Enter text in the Notes field in this dialog box (this is optional), and then click OK. The dialog box closes and the alerts are marked as acknowledged, with a timestamp displayed in the Notes column.

Click the Clear button to open the Clear Alert dialog box, used to add an optional note to the selected alert(s) and then remove them from the Alerts table.

Enter text in the Notes field in this dialog box (this is optional), and then click OK. The dialog box closes and the selected alerts are removed from the Alerts table.


Note Alerts can be cleared automatically by HPM if you change the relevant threshold(s). Like alerts you have cleared, these alerts can be viewed in the View Cleared Alerts window (see Alerts: History).


Notes and other information for cleared alerts are saved in an Alerts database for 30 days.

Alerts: History

All alerts generated for monitored devices are displayed as a table in the HPM window. You can filter the table by any visible column parameter, as described in Alerts: Viewing.

You also can use the View Cleared Alerts window to access and view previously cleared alerts; you specify a set of devices and a time range. (Clearing alerts is described in Alerts: Acknowledging and Clearing.)


Note Notes and other information for cleared alerts are maintained in an Alerts database for 30 days; you cannot access alerts more than 30 days old.


Follow these steps to open and use the View Cleared Alerts window:

1. In the Alerts screen, click the View Cleared Alerts button next to the List Filter field to open the View Cleared Alerts window. (See Alerts: Viewing for more information about accessing the Alerts screen of the HPM window.)

2. Specify the alert View Settings; these define the set of alerts you wish to view:

Specify the devices of interest; All devices are selected by default. To select a particular set of devices:

a. Click the Select button to open the Select Devices dialog box.

b. Select the desired device(s); deselect any devices you wish to exclude.

c. Click OK to close the Select Devices dialog box.

Specify the types of Alerts to display: select or deselect Critical, Warning and Normal.

Define the desired Time Range by choosing a From date and time, and a To date and time. All alerts with a First Seen time within this range will be displayed.

From and To each present a standard drop-down calendar used to select a month and day.

Use the time field below each calendar to specify the precise start or end time, respectively. Highlight a digit and click the up or down arrow, or simply type the desired number. You can also click the Now button to specify the present moment.

3. Click the Search button to display the defined set of alerts.

Note that the View Cleared Alerts window provides a List Filter field that you can use to filter the cleared-alerts display. Using this field is described in Using The List Filter Fields.

Refer to Working with Table Columns for other methods of filtering this table.