-
User Guide for Cisco Security Manager 3.2
-
Preface
-
Getting Started with Security Manager
-
Managing User Accounts
-
Working with the Security Manager User Interface
-
Using Map View
-
Preparing Devices for Management
-
Managing the Device Inventory
-
Managing Policies
-
Managing Activities
-
Managing Objects
-
Managing Site-to-Site VPNs
-
Managing Remote Access VPNs
-
Managing SSL VPNs
-
Managing Firewall Services
-
Managing IPS Services
-
Managing Routers
-
Managing Firewall Devices
-
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
-
Managing IPS Devices
-
Managing Deployment
-
Managing FlexConfigs
-
Managing the Security Manager Server
-
Using Monitoring, Troubleshooting, and Diagnostic Tools
-
Administrative Settings User Interface Reference
-
Map View User Interface Reference
-
Device Inventory User Interface Reference
-
Policy User Interface Reference
-
Activities User Interface Reference
-
Policy Object Manager User Interface Reference
-
Site-to-Site VPN User Interface Reference
-
Remote Access VPN User Interface Reference
-
SSL VPN User Interface Reference
-
Firewall Services User Interface Reference
-
Router Platform User Interface Reference
-
PIX/ASA/FWSM Platform User Interface Reference
-
Catalyst Platform User Interface Reference
-
IPS User Interface Reference
-
Deployment User Interface Reference
-
FlexConfig User Interface Reference
-
Index
-
Table Of Contents
Using Monitoring, Troubleshooting, and Diagnostic Tools
Device OS Version Interoperability with Device Managers
Performance Monitor (Status Provider)
Understanding Performance Monitor as a Status Provider
Configuring Performance Monitor as a Status Provider
Understanding the Events to be Monitored
Supported Services and Platforms for Monitoring and Reports
Supported Event Types for Each Service Type
Guidelines for Working with IEV from Security Manager
Navigating to IPS Signature Policy in Security Manager from IEV
IPS Signature Policy Lookup from the Realtime Dashboard
IPS Signature Policy Lookup from the Views Tab
Security Manager Access Rule Lookup from Device Manager Syslog
Navigating to ACL in Security Manager from ASDM Syslog
Navigating to ACL from the Log Buffer Viewer
Navigating to ACL from the Real-time Log Viewer
Navigating to ACL in Security Manager from SDM Syslog
Security Manager Policy Table Lookup from a MARS Event
Taskflow for Policy Table Query from MARS Events
Understanding Security Manager Device Lookup
Understanding Access Rule Table Lookup
Security Appliance and Router System Log Messages Supported for Policy Lookup
Understanding Signature Table Lookup
Guidelines for Working with Policy Table Lookup from MARS
Checklist for Policy Table Lookup from MARS
Devices and OS Versions Supported by Both Security Manager and MARS
Bootstrapping Security Manager Server to Communicate with MARS
Adding a Security Manager Server to MARS
Navigating to Access Rule Policy in Security Manager from MARS
Navigating to IPS Signature Policy in Security Manager from MARS
Read-Only Security Manager Policy Lookup Page for Access Rules
Read-Only Security Manager Policy Lookup Page for an IPS Signature
MARS Events Lookup from a Security Manager Policy
Taskflow for MARS Events Query from Policy Table
Understanding MARS Events Lookup
About Historical Events for a Policy
About Realtime Events for a Policy
Obtaining Events for an Access Rule Policy
Obtaining Events for a Signature Policy
Guidelines for Working with MARS Events Lookup from Security Manager
Checklist for Events Lookup from Security Manager
Adding a MARS Appliance to Security Manager
About Authentication for Events Lookup from Security Manager
Navigating to MARS Events from an Access Rule Policy
Navigating to MARS Events from an IPS Signature Policy
Login to CS-MARS ip_address Dialog Box
Using Monitoring, Troubleshooting, and Diagnostic Tools
High network availability is a requirement for large enterprise and service provider networks. Network managers face increasing challenges to providing high availability, including unscheduled down time, lack of expertise, insufficient tools, complex technologies, business consolidation, and competing markets. Monitoring involves the study of network activities and device status to identify anomalous activities or behavior. Diagnosing and correcting network and system faults (outages and degradations) increases service availability and tools to isolate, analyze, and correct faults are highly imperative. The following topics describe the tools that are available in Security Manager 3.1 and later to provide integrated network monitoring services and diagnostic capabilities for troubleshooting significant events in your network and resolution:
•
Performance Monitor (Status Provider)
•
•
•
Device Managers
In Security Manager 3.0.1 and earlier, you cannot start device managers for devices that are managed by Security Manager, with the exception of Catalyst 6500/7600 Device Manager (DM 6500/7600). With Security Manager 3.1 and later, you can start device managers for all supported devices, such as PIX security appliances, Firewall Services Module (FWSM), IPS sensors, IOS routers, and Adaptive Security Appliance (ASA) devices. Device managers provide several monitoring and diagnostic features that enable you to get information regarding the services running on the device and a snapshot of the overall health of the system. By starting device managers from Security Manager, you eliminate the need to open an HTTPS connection between your client system and the device you want to monitor.
The Security Manager server is shipped with device manager images for the supported devices. When the Security Manager server receives a request to start a device manager, the corresponding device manager image is downloaded to the Security Manager client. The default location for the device manager images is C:\Program Files\Cisco Systems\Cisco Security Manager Client\cache. The device manager images are uninstalled when you uninstall the Security Manager client on your client system.
Note
Although you can modify device configurations using the device manager running on the device, we recommend that you do not make changes to a device configuration outside of Security Manager (an out-of-band change) if you are adding the device to the inventory to be managed by Security Manager.The following topics describe the device managers that you can start from Security Manager:
•
•
•
•
IDM
The Cisco Intrusion Prevention System (IPS) Sensor software is an inline, network-based solution, that identifies, classifies, and stops malicious traffic, including worms, spyware/adware, network viruses, and application abuse, before they affect business continuity. IPS sensors analyze network packets and flows to determine whether their contents appear to indicate a network intrusion. Additionally, the IPS solution, in combination with IPS Sensor software, works with other network security resources to provide proactive protection of your network.
Intrusion Prevention System Device Manager (IDM) is an application that enables you to configure and manage your IPS sensors. The web server for IDM resides on the sensor. Security Manager provides the ability to start IDM without the need for IDM to be installed on your IPS sensor. IDM started from Security Manager does not depend on the type of browser. Using IDM, you can monitor whether sensors that are initialized and configured to be managed by IDM can be reached and are functioning properly. When an IPS sensor detects an unauthorized network activity, the alarm generated can be viewed from IDM.
Note
From an IDM started from Security Manager client, you can click the Monitoring button and navigate to the menus in the left-hand pane to configure monitoring. You can use the Monitoring menus to edit the settings that enable you to monitor sensor health.
When you access the online help for IDM 5.1, the Enter Network Password dialog box pops up after you click Yes in the Security Alert dialog box. Enter your username and password and click OK. This behavior is different from the method of accessing online help for other versions of IDMs in which only the security certificate alert appears and you are not prompted to enter credentials to display online help.See IDM product documentation for more information.
Related Topics
PDM
PIX Device Manager (PDM) software provides secure administration of FWSM and PIX Firewalls. Security Manager provides the ability to start PDM without the need for PDM to be installed on your PIX Firewall or FWSM. PDM started from Security Manager does not depend on the type of browser and uses the Java plug-in shipped with Security Manager. PDM manages FWSM Releases 1.1, 2.3 and 2.2 when it runs in single or multiple context modes, and PIX OS versions 6.0 through 6.3.
PDM provides you with a graphical user interface to the firewall and FWSM to administer it. PDM is also compatible with the firewall and FWSM CLI and includes a tool for using standard CLI commands within PDM. With PDM, you can graph many aspects of the firewall and FWSM, including system activity such as CPU and memory utilization, and performance statistics for xlates, connections, AAA, fixups, URL filtering and TCP Intercept. You can also print or export the graphs. Additionally, using PDM, you can monitor DHCP client lease information, interface statistics, Telnet and SSH sessions, current PDM sessions to the firewall, syslog messages based on their level of severity, and VPN tunnels.
The PDM home page lets you view at a glance important information about your firewall such as the status of your interfaces, the version you are running, licensing information, and performance. Many of the details available on the PDM home page are available elsewhere in PDM, but this is a useful and quick way to see how your firewall is running. All information on the home page is updated every ten seconds, except for the Device Information.
See PDM product documentation for more information.
Related Topics
ASDM
Cisco Adaptive Security Device Manager ( ASDM) provides security management and monitoring through a web-based management interface. Bundled with ASA 5500 Series Adaptive Security Appliances, PIX Security Appliances, and FWSM, ASDM integrates an array of robust security services to prevent unauthorized administrative access to a device. Security Manager provides the ability to start ASDM without the need for ASDM to be installed on your device. ASDM started from Security Manager does not depend on a type of browser and uses the same Java plug-in that is shipped with Security Manager.
ASDM offers in-depth monitoring and reporting services in addition to the at-a-glance monitoring capabilities on the home page. You can view detailed device status information, including blocks used and free, current memory utilization, and CPU utilization. ASDM also tracks real-time session and performance monitoring data for connections, address translations, and AAA transactions on a per-second basis. Connection graphs enable you to stay fully informed of your network connections and activities. ASDM provides 16 different graphs to display potentially malicious activity, real-time monitoring of bandwidth usage for each interface on the security appliance, and VPN statistics and connection graphs. By running separate instances of ASDM, you can connect to multiple security appliances from a single workstation.
The ASDM home page includes a dynamic dashboard that provides a complete system overview and device health statistics at a glance. You can view important information about your security appliance, such as the status of your interfaces, CPU and memory usage details, number of connected IKE and IPsec tunnels, the version you are running, device information, UDP and TCP connections per second, real-time syslog viewer and traffic throughput. Many of the details available on the ASDM home page are available elsewhere in ASDM, but this is a useful and quick way to see how your security appliance is running. Status information on the Home page is updated every ten seconds.
See ASDM product documentation for more information.
Related Topics
SDM
Cisco Router and Security Device Manager (SDM) is a tool that can be used to proactively manage Cisco IOS software-based router resources and security before they affect mission-critical applications on the network. Security Manager provides the ability to start SDM without the need for SDM to be installed on your router. SDM started from Security Manager does not depend on the type of browser. SDM requires no previous experience with Cisco devices or the Cisco command-line interface (CLI). Cisco SDM supports a wide range of Cisco IOS Software releases.
The SDM home page displays system and configuration overview information about your router hardware and software, such as the running configuration, interface-specific firewall policies, and number of static and dynamic routes. The home page provides for faster and easier monitoring of security configurations.
The home page also provides a quick snapshot of detailed VPN status, such as the number of active VPN connections, the name of an interface with a configured VPN connection, the type of VPN connection configured on the interface, and the name of the IPsec policy associated with the VPN connection.
See SDM product documentation for more information.
Related Topics
Understanding Communication
Security Manager client intercepts all HTTPS requests made by device managers and sends them to the Security Manager server. The server processes the requests redirected by the client by obtaining information from the device or sending data such as the device manager image to the client. This communication between the client and server is transparent to the device manager, and appears as though there is a direct connection between the device manager and the device. Because the Security Manager client intercepts all requests from the device manager, you do not need to enable SSL on all Security Manager clients for secure access between the client and the server and between the device manager and Security Manager.
When a device manager is started from Security Manager, the Security Manager client starts the correct device manager image for the selected device. If the device manager image is not available in the client cache directory, the image is obtained from the Security Manager server. The Security Manager client starts only one instance of device manager per device and closes the device manager window when you exit the Security Manager client or the idle session timeout period is exceeded.
Related Topics
•
Starting Device Managers
You can start device managers for all devices (both static and dynamic IP addresses) that are supported by Security Manager. Device managers can be started on all versions of Windows that are supported by Security Manager. The device manager opens in a separate window and you can switch between the Security Manager client and device manager windows at any time. If the device manager window for a device is not active or has been minimized, an error message is displayed when you attempt to start the device manager for the same device. You can either choose to close the previous instance of device manager and start a new window, or cancel the operation to start a fresh device manager instance and activate the device manager window that was started before. The credentials that you supplied while adding the device to Security Manager inventory are reused to start the device manager. If you did not enter the device credentials while adding the device, an error message is displayed when you start the device manager stating that the device credential information for logging in to the device must be entered.
Keep in mind the following guidelines when working with device managers started from Security Manager:
•
•
•
•
•
•
•
The maximum number of persistent HTTPS connections that can be established with the security appliance is limited by the system limit for your device model. An error message is displayed if you attempt to exceed this limit. The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with one host and one dynamic translation for every four connections.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
This procedure describes how to start a device manager for a device added to the Security Manager inventory.
Before You Begin
•
•
•
•
•
•
Note
Related Topics
•
Step 1
Step 2
•
•
A warning message states that the device manager started from Security Manager does not allow you to perform configuration changes on the device and asks if you want to continue.
Tip
Step 3
Note
If you have configured the CSA policies to prevent the execution of the xdm-launcher.exe process, the icon in the system tray (the red flag) will wave to indicate that CSA has a message for you when you start device manager. To read the message, double-click the CSA icon (the red flag in the Windows system tray) to open the CSA utility. The Messages tab displays by default. CSA considers xdm.launcher.exe as an untrusted application and places this information in the Untrusted Applications edit box. To remove the program executable from the list of untrusted applications, from the Untrusted Applications window of the CSA utility, select the <installation_location>\Cisco Security Manager Client\cache\xdm.launcher.exe entry in the edit box, where <installation_location> is the drive and directory in which you installed Security Manager client and press the Delete key. The restriction on the device manager application is removed and the device manager allowed to be started from Security Manager.A progress bar indicates the progress of the device manager start and displays what percentage of the launch has been completed. The device manager home page is displayed when the start operation is complete.
Device OS Version Interoperability with Device Managers
Each version of the device manager image is compatible with specific versions of software running on the device. The most recent version of device manager supported for the software version running on the device is started from Security Manager, regardless of the device manager version installed on the device. For example, if SDM 2.2 is installed on a router running Cisco IOS 12.3 release, when you start the device manager for this router from Security Manager, SDM 2.4.1, which is the most recent version of SDM that supports the current and earlier Cisco IOS releases, is started. The version of device manager installed on the device is not taken into consideration. Only the most recent version of device manager is started for all devices.
Note
Table 22-1 lists the device manager version supported for the software version running on the device when you start the device manager from Security Manager.
Table 22-1 Supported Device Manager Versions and Device OS Versions
ASDM
6.0(3)
ASA 8.0(2)1 , PIX 8.0(2)
5.2(2)F
FWSM 3.1, 3.2(1)1
5.2(3)
PIX 7.2, ASA 7.21
5.1(2)
ASA 7.11, PIX 7.1
5.0(7)
ASA 7.0(1) through ASA 7.0(7)1, PIX 7.0(1) through PIX 7.0(6)
PDM
4.1(5)
FWSM 2.2, 2.31
3.0(4)
PIX 6.3
2.1(1)
PIX 6.2, FWSM 1.11
1.1(2)
PIX 6.0, 6.1
IDM
5.1
IPS 5.0(x), IPS 5.1(x)
6.0
IPS 6.0(x)
SDM
2.4.1
Most recent and previous releases of Cisco IOS software running on your Cisco router.
1 Device managers can be started for FWSM blades and ASA devices running in transparent mode (Layer 2 firewall) or routed mode (Layer 3 firewall) and supporting single security context or multiple security context.
Related Topics
•
Device Connectivity Test
In Cisco Security Manager 3.0.1 and earlier, you cannot validate whether a device that is added to the Security Manager inventory can be reached. Although Security Manager validates the data you entered, it does not validate whether the data you entered will allow you to contact the device. In release 3.1, you can verify whether Security Manager can contact the device when you are adding the device. For more information on device connectivity test, see Testing Device Connectivity, page 6-21.
Related Topics
•
Performance Monitor (Status Provider)
Effective network management requires the fastest possible identification and resolution of events that occur on mission-critical systems. As a result, the need to monitor and troubleshoot the health and performance of enterprise network security services has become very essential. Security Manager 3.0.1 and earlier enabled you to centrally administer security policies and device settings for either small or large scale networks. However, any errors generated by deploying configurations containing these polices to devices or while discovering polices from devices were not easy to rectify. In some cases, a deployment or discovery error could have been caused by device connectivity or network problems rather than an incorrect policy configuration.
Security Manager 3.1 and later enables you to configure status providers that collect information about the status of various events from external sources or status providers, such as Performance Monitor, and from internal sources, such as deployment. As a status provider, Performance Monitor collects the status of events, such as VPN tunnel up/down status, device reachability, and CPU usage threshold, and reports them to Security Manager. You can use the Inventory Status window in the Security Manager GUI to view the events reported by status providers. Performance Monitor is a browser-based tool that monitors and troubleshoots the health and performance of services that contribute to network security. It helps you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability.
Performance Monitor, which is an external status provider, must be registered with Security Manager and needs to be authenticated by Security Manager to send status on events it is monitoring. Security Manager authenticates Performance Monitor by comparing the username and password with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which you established at installation as your AAA provider. After the authentication of your credentials, Security Manager begins to receive the status of events. Security Manager uses SSL to establish a secure communication with Performance Monitor. You must add a device to both the Security Manager inventory and Performance Monitor for its status to be collected and displayed by the Security Manager client. If the device is deleted from Performance Monitor but is still available in Security Manager, or if you excluded the device from being polled by Performance Monitor, the health and performance of the device is not displayed by Security Manager.
Related Topics
•
•
•
Understanding Performance Monitor as a Status Provider
Security Manager polls data from external status providers, such as Performance Monitor, at an interval of five minutes by default. When a new external status provider is added, Security Manager begins polling and displays events from that provider. When a status provider is deleted from Security Manager, events from that provider are not displayed and polling of that provider is stopped. When the Security Manager server is restarted, the last event statuses that were obtained from deployment and Performance Monitor are displayed until the next polling cycle.
Security Manager overwrites the older events with the most recent events reported by status providers. Most recent events refer to events that were reported most recently by the providers for each event type. In other words, Security Manager does not accumulate the events reported by status providers at different points in time. As an example of two most recent events that will be persisted for Device1, assume that Performance Monitor logs a "DEVICE" event type with "critical" severity level, an "INTERFACE" event type with "warning" severity level at 12:00 noon, and no events of the same type have occurred since then until the time you view the event statuses in the Inventory Status window. In this case, both events would be displayed. As an example of one most recent event that will be persisted for Device1, assume that Performance Monitor logs a "DEVICE" event type with "warning" severity level at 1:00 p.m. and another "DEVICE" event type with "critical" severity level at 2:00 p.m. When you view the Inventory Status window at say, 2:00 p.m., the event that occurred at 2:00 p.m. would only be retained and displayed.
Note
•
•
•
•
Whenever Cisco Security Manager Daemon Manager is started or restarted, or the connection is restored with Performance Monitor after a network outage, Security Manager sends a list of devices, whose status needs to be monitored, to Performance Monitor. Security Manager also notifies Performance Monitor when a new device is added to the inventory or an existing device is deleted from the inventory. Security Manager also polls Performance Monitor for incremental changes in status at other times.
Related Topics
•
•
•
•
•
•
Configuring Performance Monitor as a Status Provider
The Status Provider page enables you to select the status providers that you want to send information to the Security Manager server. Depending on the status providers you choose, Security Manager polls the appropriate sources and modifies the display of events in the Inventory Status window.
You can add more than one Performance Monitor as a status provider and view status messages from all of them at the same time. Additionally, you can configure the same status provider to send event details to multiple Security Manager servers. You can also view information from the same Performance Monitor on multiple Security Manager clients.
For more information on how to configure Performance Monitor as a status provider to send event details to Security Manager, see Configuring Status Providers, page 1-24.
Related Topics
•
•
•
•
•
•
Understanding the Events to be Monitored
From the Inventory Status window, select a device in the upper pane and click the Status tab in the lower pane to view the list of Performance Monitors configured as status providers. You can click the arrow to expand or collapse the events reported by each status provider. Similarly, you can expand and collapse the event details by clicking the arrow next to the event name. The status of each event (whether it is normal or an abnormal condition has occurred) is displayed next to the event name. Table 22-2 describes the fields displayed for each event.
Performance Monitor collects the status of events, such as VPN tunnel up/down status, device reachability, and CPU usage threshold, and reports them to Security Manager. An event is a notification that a managed device or component has an abnormal condition. Multiple events can occur simultaneously on a single monitored device or service module. Using Performance Monitor, you can configure a threshold for an event or use the default threshold. For more information on how to configure and enable thresholds to generate performance or failure events of any priority, see Working with Event Thresholds. The events in which a monitored component or service exceeded acceptable thresholds are displayed. Supported service types are remote-access VPN, site-to-site VPN, firewall, web server load-balancing, and proxied SSL. For more information on the service types supported for different device platforms, see Supported Services and Platforms for Monitoring and Reports. The following sections describe the events whose statuses are reported by Performance Monitor to Security Manager:
Device Reachability
You must add a device to both the Security Manager inventory and Performance Monitor for its status to be recorded in the Inventory Status window. Security Manager does not display events from devices that are added only to Performance Monitor. The device that you want to monitor must be a device type supported by both Security Manager 3.1 and later, and Performance Monitor 3.1 and later. Using Performance Monitor, you cannot add, import, or validate any unsupported device type, any device when the MCP process has stopped, any device that uses a dynamic IP address or lacks configured SNMP values, and a VPN 3000 Series concentrator, unless you specify the correct SNMP and XML credentials, HTTPS is enabled, and the VPN 3000 Concentrator Series Manager is running.
You must set up devices by configuring the bootstrapping devices so Performance Monitor can validate, poll, and monitor them. Performance Monitor enables you to import or manually enter the IP addresses, hostnames, and read-only community strings for supported devices in your network. You can import device attributes from a comma-separated value (CSV) file or from the Device Credentials Repository (DCR) on a Common Services-based server, or you can add device attributes manually. You can also create device groups to interact with multiple devices in a single operation. A device group is a named entity that can contain devices, other groups, or a combination of devices and groups.
After adding a device to Performance Monitor, you can validate a device of any kind to confirm that it exists and is reachable, has the required features and interfaces enabled, has the correct credentials, uses a static (non-dynamic) IP address, and has configured SNMP values. During device validation, Performance Monitor sets all validated devices to a managed state by default meaning that polling is enabled. If you choose to move a device to an unmanaged state, you must move it back to the managed state manually before you can monitor its health or performance. By default, device validation occurs once every day, at midnight. It also occurs at other times and intervals that you specify. You can perform an immediate, one-time validation at any time. For more information on how to add, validate, and manage devices, see User Guide for Cisco Performance Monitor 3.2.
In Performance Monitor, a device is either a physical node in the network or it is a virtual node that is defined by a physical node. In either case, a device must have an IP address. For example, you can use multicontext mode to partition a single firewall into multiple virtual devices, known as security contexts. You can add and manage contexts in the system configuration. The system configuration identifies basic firewall settings, but does not include any network interfaces or network settings for itself, rather, it uses a context that is designated as the admin context.
The admin context is just like any other security context, except that a user who logs in to the admin context has administrative rights over the system and all of the other contexts. In Performance Monitor, you import only the admin context from a device when you want to monitor every configured context on a physical device. Similarly, when you delete an admin context in Performance Monitor, you simultaneously delete the record that Performance Monitor maintains for every context on the relevant physical device.
Performance Monitor reports information about only those validated devices for which monitoring is enabled. Performance Monitor enables monitoring after a successful device validation; thus, it polls the device in following polling cycles. If you decide to exclude a device from polling, you can disable monitoring for it. Later, at your discretion, you can reenable monitoring manually.
Table 22-3 describes the different management protocols that Performance Monitor uses to test device connectivity, depending on the device platform.
After you update the list of devices to be monitored, Performance Monitor polls reachable devices for their current status to compare device status information to performance and failure thresholds, generate performance and failure events, send event notifications, when appropriate, and update the values in tables and graphs. Security Manager obtains and displays a snapshot of the most recent device reachability status in the Inventory Status window during the next polling cycle. For a categorization of the device reachability, VPN tunnel status, and CPU usage event types by service type, see Table 22-6. For a description of the elements on the Global Notification page and Service Notifications page, see Working with Event Thresholds.
Related Topics
•
•
•
•
VPN Tunnel Status
Performance Monitor enables you to determine whether a VPN Tunnel is up or down. Whenever a VPN Tunnel is not functioning, an event is logged in the Event Browser window in the Performance Monitor GUI. A tunnel is considered as down when an IPsec security association (SA) is not present. Performance Monitor tracks the IPsec SAs and displays the event status. Internet Key Exchange (IKE) is the facilitator and manager of IPsec-based communications. It is a hybrid protocol used to authenticate IPsec peers, negotiate and distribute encryption keys, and automatically establish IPsec security associations (SAs). IKE protocol lets two hosts agree on how to build an IPsec SA. Each IKE negotiation is divided into a Phase 1 and Phase 2. Phase 1 creates the first tunnel, which protects IKE negotiation messages. Phase 2 creates the tunnel that protects data. With IKE keepalive, tunnel peers exchange messages that demonstrate they are available to send and receive data in the tunnel. Keepalive messages transmit at set intervals, and any disruption in that interval results in the creation of a new tunnel, using a backup device. Devices that rely on IKE keepalive for resiliency transmit their keepalive messages regardless of whether they are exchanging other information. These keepalive messages can therefore create a small but additional demand on your network.
Both IPsec SAs and IKE SAs can have timeout values. The absence of these SAs does not necessarily indicate a problem with IPsec tunnel. But in majority of site-to-site VPNs, both IPsec SAs and IKE SAs need to be present for all the interesting traffic.
You must define parameters for each of the available authentication methods so that IKE and IPsec can use your IKE policies successfully. For preshared key, you can either enter a key manually, or have Security Manager automatically generate a key for each hub-spoke communication session. When using preshared keys for authentication, you can use main mode or aggressive mode for negotiating key information and setting up IKE SAs. Security Manager mirrors the spoke's preshared key and configures it on its assigned hub, so that the key on the spoke and hub are the same.
With IPsec, crypto ACLs define what traffic should be protected between two IPsec peers. Traffic might be selected based on source and destination address. The crypto ACLs used for IPsec are used only to determine which traffic should be protected by IPsec, not which traffic should be blocked or permitted through the interface. ACLs are applied to interfaces by way of crypto map sets. Each tunnel policy you create with Security Manager is translated into a crypto map entry that includes an ACL. A crypto map set can contain multiple entries, each with a different ACL. The crypto map entries are searched in order and the router tries to match the packet to the ACL specified in each entry.
When some packets to be encrypted are encountered by the VPN device, it uses the symmetrical keys derived in the IKE SA establishment for encryption of data. The interesting traffic is specified by a crypto ACL as in GRE and standard IPsec VPNs. In DMVPNs, the crypto ACL is derived automatically. The pair of SAs called as IPsec SAs are created for data encryption.
Based on the threshold you configure for the site-to-site VPN tunnel status event type, Security Manager polls Performance Monitor at the preconfigured interval and displays the status in the Inventory Status window. For a categorization of the device reachability, VPN tunnel status, and CPU usage event types by service type, see Table 22-6.
Related Topics
•
•
•
•
CPU Usage Threshold
Performance Monitor enables you to track and analyze system CPU utilization. Commonly, high CPU utilization is caused by a security issue, such as a worm or virus operating in your network. This is especially likely to be the cause if there have not been recent changes to the network. Usually, a configuration change, such as adding additional lines to your access lists, can mitigate the effects of this problem. Although debugging can also be of great help in troubleshooting high CPU utilization in processes, it should be carried out with extreme caution because it may raise the CPU utilization even more. Cisco software-based routers use software in order to process and route packets. CPU utilization on a Cisco router tends to increase as the router performs more packet processing and routing. Catalyst 6500/6000 switches do not use the CPU in the same way. These switches make forwarding decisions in hardware, not in software. Therefore, when the switches make the forwarding or switching decision for most frames that pass through the switch, the process does not involve the supervisor engine CPU.
Throttles are a good indication of an overloaded router. They show the number of times the receiver on the port has been disabled, possibly due to buffer or processor overload. Together with high CPU utilization on an interrupt level, throttles indicate that the router is overloaded with traffic. Unusual activity related to a process could also load the CPU and result in an error message in the log. Therefore, the output of the show logging exec command should be checked first for any errors related to the process which consumes lots of CPU cycles. When the TCP timer process uses a lot of CPU resources, there are too many TCP connection endpoints. This can happen in data-link switching (DLSw) environments with many peers, or in other environments where many TCP sessions are simultaneously opened on the router. High CPU utilization in the Address Resolution Protocol (ARP) Input process occurs if the router has to originate an excessive number of ARP requests.
High CPU utilization also can result from the merging of two or more VLANs due to improper cabling. Also, if STP is disabled on those ports where the VLAN merger happens, high CPU utilization can occur. The Exec process in Cisco IOS Software is responsible for communication on the TTY lines (console, auxiliary, asynchronous) of the router. The Virtual Exec process is responsible for the VTY lines (Telnet sessions). The Exec and Virtual Exec processes are medium priority processes, so if there are other processes that have a higher priority (High or Critical), the higher priority processes get the CPU resources. If there is a lot of data transferred through these sessions, the CPU utilization for the Exec process increases. High CPU utilization on an interrupt level is primarily caused by packets handled on interrupt level. Interrupts are generated any time a character is output from the console or auxiliary ports of a router. Universal Asynchronous Receiver/Transmitters (UARTs) are slow compared to the processing speed of the router, so it is unlikely, though possible, that console or auxiliary interrupts can cause a high CPU utilization on the router (unless the router has a large number of tty lines in use).
Based on the threshold you configure for the CPU usage event type associated with a particular service, Security Manager polls Performance Monitor at the preconfigured interval and displays the status in the Inventory Status window. For a categorization of the device reachability, VPN tunnel status, and CPU usage event types by service type, see Table 22-6.
Related Topics
•
•
•
•
Supported Services and Platforms for Monitoring and Reports
See Table 22-4 to understand which services this Performance Monitor release can monitor, and can issue reports for, on each supported Cisco platform.
1 Cisco no longer sells VPNSM for Catalyst 6500 Series switches. We encourage you to migrate to VPN SPA, which supports DES and 3DES, as well as 128-, 192-, and 256-bit AES keys. See: http://www.cisco.com/en/US/products/ps6267/products_data_sheet0900aecd8027cbb2.html.
2 Supported services that vary for specific software or device versions:
· PIX OS 7.0 and later support Easy VPN services, but not RAS clustering for Easy VPNs.
· PIX OS 7.0 and later support Easy VPN, RAS VPN, site-to-site VPN, and virtual (multicontext) firewall services.
· PIX OS 7.0 and later support RAS VPN and site-to-site VPN services in routed single context mode only.
· FWSM versions 2.2 and later support virtual (multicontext) firewall services.
· FWSM versions 3.1 and later support RAS VPN and site-to-site VPN services in routed single context mode only.
· Cisco ASA Software Version 7.0 and later support Easy VPN, RAS VPN, site-to-site VPN, and virtual (multicontext) firewall services.3 Performance Monitor neither monitors nor offers reports for the load balancing of Cisco VPN 3000 concentrators or supported ASA appliances that you organize in virtual clusters. The Load Balancing column in this table refers exclusively to the web server load balancing services associated with supported content switching services modules in Catalyst 6500 series switches.
4 In this table:
· NA describes a service that the specified platform does not provide.
· The em-dash character ( — ) describes a service that Performance Monitor does not monitor on the specified platform.
Related Topics
•
•
•
•
Supported Event Types for Each Service Type
To configure the threshold for device reachability, VPN tunnel status, or CPU usage event types, depending on the platform type, you need to enable the event type supported by a particular service. Configuring an event type under one of the services enables the threshold for that event type under all applicable services. Table 22-5 describes only the events that affect the relevant service.
Table 22-5 Event Types Supported for Service Types
Firewall
CPU Usage
Device Accessible via Https
Device Accessible via Snmp
Remote Access VPN
CPU Usage
Device Accessible via Snmp
SSL
CPU Usage
Device Accessible via Https
Site-to-Site VPN
CPU Usage
Device Accessible via Https
Device Accessible via Snmp
Tunnel Status
Related Topics
•
•
•
Working with Event Thresholds
While Tunnel Status is a failure metric, CPU Usage and Device Accessible via Https or Device Accessible via Snmp are performance metrics. When you create a threshold, you:
•
•
•
Although the thresholds that you define use different services, metrics, and states, every threshold definition follows the same basic workflow.
Tip
This procedure describes how to configure thresholds for the event types.
Related Topics
•
•
•
•
Step 1
Step 2
Step 3
Step 4
Tip
A Threshold Configuration page appears. Table 22-6 describes the elements in this page.
•
•
Step 5
You must select the Enable check box, or you cannot define values in a Threshold Configuration page.
Step 6
•
–
–
•
Note
Step 7
•
•
•
Table 22-6 Threshold Configuration Page Elements
Enable check box
Enables you to enable or disable the modification and implementation of threshold values.
State Name column
Displays two opposite states for a failure metric and a range of states for a performance metric.
Repetitions Before State Change column
Enables you to specify the number of consecutive polling cycles during which the relevant state must recur before Performance Monitor registers that the state has changed.
Event Priority column
Enables you to associate the relevant state with a priority level between P1 (the most severe) and P5 (the least severe).
Cancel button
Enables you to discard your changes and return to the Events page.
Apply button
Enables you to save and implement your threshold definitions for the current metric.
Default button
Enables you to reset all values to their default settings and remain in the Threshold Configuration page.
Lower Threshold column
Enables you to select the percentage that defines the lower boundary of a state. For example, you could select 10% as the lower threshold boundary for the intermediate state. (Your selection would, in such a case, be applied automatically as the upper threshold percentage for the benign state.)
Upper Threshold column
Displays a value that is equal to your definition of the lower threshold for the adjacent state, or displays 100% as the upper threshold for the problematic state.
IPS Event Viewer
The Cisco IPS Event Viewer ( IEV) offers a free monitoring solution for small-scale IPS deployments. Monitoring individual IPS devices, IEV is easy to set up and use, and provides the following capabilities:
•
•
•
•
IEV is a Java-based application that lets you view and manage alerts for up to five sensors. With IEV, you can connect to and view alerts in real time or in imported log files. You can configure filters and views to help you manage the alerts and import and export event data for further analysis. IEV reports the top alerts, attackers, and victims over a specified number of hours or days. IEV also provides access to MySDN for signature descriptions. See Cisco IPS Event Viewer Version 5.2 documentation for more information.
You can start IEV from Security Manager as a client-server application. IEV server is installed when you install the Security Manager server. When you start IEV on a Security Manager client, the IEV client files are obtained from the Security Manager server and copied to the folder where the Security Manager client was installed on your client system. The IEV client files are uninstalled when you uninstall the Security Manager client on your client system. The requirements and dependencies for installing IEV server and client are the same as those for Security Manager server and client software.
Note
When you start IEV client from the Security Manager client system, IEV client automatically opens TCP port 5001 to establish communication with the IEV server.
Note
Note
Caution
Related Topics
•
To verify IEV server installation, follow these steps:
Step 1
Cisco IPS Event Viewer service successfully started.Step 2
•
This service lets IEV retrieve alerts from remote device(s), store alerts in the MySQL database, archive database files, and check for available disk space.
•
This service controls the persistent storing and serving of data.
Note
Caution
IEV server is uninstalled when you uninstall Security Manager server.
Understanding Communication
Security Manager client intercepts all SSL requests made by IEV client and sends them to the IEV server running on Security Manager server. IEV server processes the requests redirected by the IEV client by obtaining information from the sensor or sending data such as the IEV image to the client. This communication between the IEV client and IEV server is transparent to the IPS sensor, and appears as though there is a direct connection between IEV client and the sensor.
The Cisco IPS Event Viewer and MySQL services must be running on the IEV server to enable IEV monitor sensors. IEV server retrieves the events from IPS sensors and stores them in the MySQL database. When you start the IEV client from Security Manager client, a secure connection is established between IEV client and IEV server, the Java application on the IEV client reads the event details from the MySQL database, and event data is displayed on the IEV client in various views, tables, and graphs.
If the IEV client files are not available in the client cache directory, the image is obtained from the Security Manager server. The Security Manager client starts only one instance of IEV client and closes the IEV client window when you exit the Security Manager client or when the idle session timeout period is exceeded.
Related Topics
•
•
Guidelines for Working with IEV from Security Manager
Keep in mind the following guidelines when working with IEV started from Security Manager:
•
•
•
•
Note
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Related Topics
Starting IEV Client
This procedure describes how to start an IEV client from the Security Manager client.
Before You Begin
•
•
Related Topics
•
•
Step 1
A dialog box asks you to confirm that you want to start IEV client from the Security Manager client.
Step 2
The IEV client window is displayed when the start operation is complete.
Navigating to IPS Signature Policy in Security Manager from IEV
Sensors use signatures to determine whether the contents of network packets meet the criteria of an attack. A signature is a pattern of traffic, often thought of as a set of rules, that your sensor uses to detect typical intrusive activity, such as denial of service (DoS) attacks. The Signatures policy page in Security Manager enables you to configure signatures for Cisco IPS sensors. When the packets match a given signature rule, the sensor generates an alarm. You can configure IEV to manage alarms from sensors by adding the sensors to the IEV Devices folder.
After you add the device to IEV, IEV sends a subscription request to the sensor. IEV will receive alerts and events from the sensor, beginning with the first event the sensor receives after connecting with IEV. An event is an IPS message that contains an alert, a block request, a status message, or an error message.
Using IEV, you can select an event generated by an IPS signature from the log of events within the Realtime Dashboard or the View folders, and navigate to the signature policy in Security Manager for that specific event. You can then edit the signature properties to modify the action the sensor must take to handle network attacks. The following sections describe how to look up the Signatures policy page in Security Manager from IEV:
•
•
IPS Signature Policy Lookup from the Realtime Dashboard
You can use the Realtime Dashboard to view a continuous stream of real-time events from the sensor. By default, the Realtime Dashboard displays the most recent events received from every device configured in IEV. You can configure the Realtime Dashboard to display only events from a particular device or only events of a particular severity level. You can also configure how often the Realtime Dashboard retrieves events from the sensor(s) and the maximum number of events to display.
This procedure describes how to look up an IPS signature in the Signatures policy page of Security Manager from the Realtime Dashboard of IEV:
Related Topics
•
•
Step 1
Step 2
IEV opens a subscription request with the sensor. If the connection is successful, the Realtime Dashboard appears and displays the most recent events received by the sensor since the request was opened.
Step 3
For each event entry in IEV, Security Manager searches all the signatures within the context of your current activity when Workflow mode is enabled (including policies defined in your private view and saved locally on the client, and policies committed to the Security Manager database), or current login session when non-Workflow mode is enabled. If the event entry had been triggered by a signature not referenced in the current activity, an error message appears.
You can edit the signature that triggered the event by right-clicking its row in the table and selecting Edit Row from the Row Context Menu.
IPS Signature Policy Lookup from the Views Tab
The Views tab lets you analyze filtered event data from a specified source. IEV ships with five default views; however, you can use the View Wizard to create and store user-defined views in the Views folder. Based on the data that is populated in a specific view, you can navigate to the events. For example, you can select the view configured to group events by signature name to organize the table of events by signature name. You can expand an event to view the details, such as signature name and severity level, associated with that event, and navigate to the Signatures policy in Security Manager.
IEV lets you access various tables and graphs that provide specialized views into the event data you are analyzing. Before you create a view and begin working with the individual tables and graphs, review the following descriptions.
The following tables organize the events for a view. The events shown in these tables and graph differ depending on the data source you choose for the view. The data source can be the event_realtime_table, archived tables, or imported log files.
•
•
•
•
See Cisco IPS Event Viewer Version 5.2 documentation for more information.
This procedure describes how to look up an IPS signature in the Signatures policy page of Security Manager from the Views folder of IEV:
Related Topics
•
•
Step 1
Step 2
Step 3
Step 4
a.
The Expanded Details Dialog appears with the Whole Address tab displayed.
b.
c.
The Alarm Information Dialog appears.
Tip
Note
A second table appears in the Drill Down Dialog and displays the contents of the cell. Double-clicking a cell containing an arrow (—>) in this second table displays the Alarm Information Dialog.Step 5
For each event entry in IEV, Security Manager searches all the signatures within the context of your current activity when Workflow mode is enabled (including policies defined in your private view and saved locally on the client, and policies committed to the Security Manager database), or current login session when non-Workflow mode is enabled. If the event entry had been triggered by a signature not referenced in the current activity, an error message appears.
You can edit the signature that triggered the event by right-clicking its row in the table and selecting Edit Row from the Row Context Menu.
Security Manager Access Rule Lookup from Device Manager Syslog
Each interface on the device or appliance is associated with a list of ACEs that are associated with an ACL. When the firewall device finds a matching ACE, the device performs the associated action either permitting the packet into the firewall device for further processing, or denying entry to the packet. If no ACE matches the packet, the packet is denied. Activity on your firewall or router is monitored through the creation of syslog entries. If logging is enabled on the device, whenever an access rule that is configured to generate syslog entries is invoked—for example, if a connection were attempted from a denied IP address—a log entry is generated.
Security Manager 3.1 and later introduces a new Syslog to Access Rule Correlation tool that enhances day-to-day security management and troubleshooting activities. With this tool, you can quickly resolve common configuration issues, along with most user and network connectivity problems. Because the configuration process is simple, operational efficiency and response times for business-critical functions are improved. For ASDM and SDM started from within Security Manager, you can identify the ACL on a router or firewall that generated a syslog message received by ASDM and SDM. The access rule that triggered the syslog entry is highlighted on a first-match basis, even if there are multiple access rules that cause the same syslog message to be generated. The feature to perform the Security Manager policy table lookup, when the device generates a syslog message, is available in SDM 2.4.1, which supports all versions of Cisco IOS software running on a router, ASDM 6.0(3), which manages ASA 8.0(3) and PIX 8.0(3), and ASDM 5.2(2)F, which runs with FWSM 3.1 and 3.2.
Using ASDM 5.2(2)F and 6.0(3), you can select a syslog message generated by an ACL within the Real-time Log Viewer window or Log Buffer Viewer window, and navigate to the access control rule in Security Manager for that specific syslog. The Syslog to Access Rule Correlation tool also offers an intuitive view into syslog messages invoked by user-configured access rules. You can closely observe enterprise traffic patterns and monitor resource access behavior. For more information, see Navigating to ACL in Security Manager from ASDM Syslog.
Using SDM 2.4.1, you can select a syslog message generated by an ACL from the log of events categorized by security level and displayed under the Syslog tab of the Logging window. For each selected syslog message, you can look up the Security Manager to highlight the access control entry that matches the traffic that generated the message. You can then disable the rule to permit or deny the traffic. For more information, see Navigating to ACL in Security Manager from SDM Syslog.
System log messages with the following ID numbers are generated by FWSM blades and ASA devices if you configured logging for an access rule that matches the network traffic:
•
•
On Cisco IOS devices, system log messages are generated for access lists configured with the log or log-input keyword. The log keyword causes an informational logging message about the packet that matches the entry to be sent to the console. The log-input keyword causes the input interface, source MAC address, or virtual circuit to be included in the logging output. The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Related Topics
•
•
Navigating to ACL in Security Manager from ASDM Syslog
Using ASDM 5.2(2)F and 6.0(3), you can select a syslog message generated by an ACL within the Real-time Log Viewer window or Log Buffer Viewer window, and navigate to the access control rule in Security Manager for that specific syslog.
Navigating to ACL from the Log Buffer Viewer
The Log viewing feature of ASDM lets you view real-time system log messages that appear in the log buffer. When you start ASDM from Security Manager, the most recent ASDM system log messages appear at the bottom of the ASDM home page. The Log Buffer panel enables you to view log messages saved in the buffer in a separate window. Depending on the level of logging messages to view, ranging from Emergency to Debugging, and click View to open a separate window in which log messages appear. The Log Buffer window displays the identification number of the log message, date and time that the system log messages was generated, the logging level of a syslog message, and the addresses of the network or host from which the packet is being sent and received. You can select a syslog message and identify the ACL in Security Manager that created the log message.
This procedure describes how to look up the access rule in the policy table of Security Manager from the Log Buffer panel of ASDM.
Step 1
Step 2
Step 3
Step 4
Note
For each syslog entry, Security Manager searches all the access rules within the context of your current activity when Workflow mode is enabled (including policies defined in your private view and saved locally on the client, and policies committed to the Security Manager database), or current login session when non-Workflow mode is enabled. If the syslog entry had been triggered by an access rule not referenced in the current activity, an error message appears.
You can edit the access rule that triggered the syslog message in their entirety by double-clicking a rule number in the table, or edit individual table cells by double-clicking a cell.
If you did not close any modal dialog box in Security Manager, navigation to the access rule in the policy table fails from ASDM. Close the modal dialog box and try to invoke the access rule in Security Manager again.
Note
Navigating to ACL from the Real-time Log Viewer
The Real-time Log Viewer panel enables you to view real-time system log messages in a separate window. Depending on the level and maximum number of logging messages to view, click View to display a separate window in which log messages appear. The Real-time Log Viewer window enables you to view incoming messages in real time and look up the ACL that generated the syslog message.
This procedure describes how to look up the access rule in the policy table of Security Manager from the Real-time Log Viewer panel of ASDM.
Related Topics
•
•
Step 1
Step 2
Step 3
Step 4
Note
For each syslog entry, Security Manager searches all the access rules within the context of your current activity when Workflow mode is enabled (including policies defined in your private view and saved locally on the client, and policies committed to the Security Manager database), or current login session when non-Workflow mode is enabled. If the syslog entry had been triggered by an access rule not referenced in the current activity, an error message appears.
You can edit the access rule that triggered the syslog message in their entirety by double-clicking a rule number in the table, or edit individual table cells by double-clicking a cell.
Navigating to ACL in Security Manager from SDM Syslog
SDM 2.4.1 offers the following logs:
•
•
•
•
This procedure describes how to look up the access rule in the policy table of Security Manager from the Logging panel of SDM 2.4.1.
Related Topics
•
•
Step 1
Step 2
Step 3
Note
For each syslog entry, Security Manager searches all the access rules within the context of your current activity when Workflow mode is enabled (including policies defined in your private view and saved locally on the client, and policies committed to the Security Manager database), or current login session when non-Workflow mode is enabled. If the syslog entry had been triggered by an access rule not referenced in the current activity, an error message appears.
You can edit the access rule that triggered the syslog message in their entirety by double-clicking a rule number in the table, or edit individual table cells by double-clicking a cell.
Security Manager Policy Table Lookup from a MARS Event
While Security Manager enables you to centrally manage security policies and device settings in large scale networks, Cisco Security MARS identifies, isolates, and recommends precise removal of compromised network elements. Cisco Security MARS does this task by transforming raw security data into an easily-readable format to subvert valid security incidents and maintain compliance. MARS integrates with Security Manager to map traffic-related syslog messages to the firewall and to signature policies defined in Security Manager that triggered the event. Policy lookup enables rapid, round-trip analysis for troubleshooting firewall configuration-related network issues and policy configuration errors, and for fine-tuning defined policies. Following suggestions from MARS on access rule and signature changes to block the traffic, you can use Security Manager to manually mitigate using the access rule and signature recommendations provided by MARS, thereby, ensuring that the configuration management solution stays abreast of the mitigation responses. Security Manager can also publish the same change to all like devices that it manages, providing a more robust containment.
In Security Manager 3.1.1 through 3.0.1 and Cisco Security MARS 5.3.3 through 5.2.x and 4.3.3 through 4.2.1, although you can look up the Security Manager policy table that generated a MARS event or incident from within the MARS UI in read-only mode, you cannot alter the access rule that generated the event without logging in to Security Manager in a separate session. With Security Manager 3.2 and MARS 4.3.4 and 5.3.4, you can modify access rules generating the MARS event seamlessly from the read-only policy table popup window, which displays all rules associated with an event, by clicking the highlighted access rule number without starting Security Manager separately. Similarly, you can navigate to the signature summary table in Security Manager from MARS events associated with IPS sensors and IOS IPS devices and alter the signature properties. This feature enables you to map a syslog message to the policy that triggered that message and modify it simultaneously, thereby reducing time spent configuring and troubleshooting access rules in large or complex networks.
For example, consider the following case where a user cannot connect to destination X from source Y. To troubleshoot this issue, an administrator can do the following:
1.
2.
3.
The following sections describe how to configure Security Manager and MARS to ensure seamless integration for access rule and signature policies lookup in Security Manager from MARS syslogs:
•
•
•
•
•
•
•
•
•
•
•
Taskflow for Policy Table Query from MARS Events
The Security Manager Policy Table Lookup icon appears in the Reporting Device column of the MARS session display when MARS receives a syslog triggered by the following:
•
•
•
Clicking the icon queries Security Manager, the result of which is to identify the access rule in the policy table of the device that created the traffic incident or event. The following steps depict the policy query process between MARS and Security Manager:
1.
2.
3.
4.
5.
–
–
–
For more information on how Security Manager analyzes the syslogs from MARS and retrieves matching policies from the Access Rules page, see Understanding Access Rule Table Lookup. For more information on how the signature associated with an IPS event is retrieved from the signature policy table, see Understanding Signature Table Lookup.
6.
–
–
–
7.
8.
The Security Manager client is started from MARS in one of the following three ways:
–
–
–
Related Topics
•
•
•
•
•
Understanding Security Manager Device Lookup
MARS requests the access rule and signature policy table of a device that Security Manager administers by supplying the following criteria to Security Manager:
•
Note
When you add FWSM and ASA devices with multiple security contexts to Security Manager, the context name is set as the hostname in the Device Properties page and policy lookup from MARS events for these contexts works properly. If the hostname is not the same as the context name, policy lookup from events fails. In such cases, make sure that the hostname defined for that context in the Device Name field of the MARS GUI matches with the hostname configured in the Device Properties page of Security Manager for policy lookup to work correctly.•
•
The Device Lookup query takes the following actions between MARS and Security Manager:
1.
2.
3.
4.
Related Topics
•
•
•
•
Understanding Access Rule Table Lookup
The device lookup information is combined with the event information to perform the Security Manager access rule table lookup.
In the policy table lookup that was implemented in Security Manager 3.1.1 through 3.0.1 and MARS 5.3.1 through 4.2.1, the Security Manager policy query icon was displayed for all MARS events that had the 5-tuple data available. This method of lookup resulted in incorrect and inaccurate access rule matches from MARS events. For example, in earlier releases of Security Manager and MARS, the policy query icon was displayed for events generated by the connection establishment and teardown of management traffic from a firewall even though this traffic flow was not subjected to access rule check. Also, the incomplete parsing of connection-related syslogs was compounded by the absence of connection direction and post-NAT addresses in the teardown syslogs.
Security Manager 3.2 integration with MARS 4.3.4 and 5.3.4 for access rule table lookup supports more accurate mapping of MARS syslogs (events) to Security Manager access rules and reduces the number of irrelevant matches, thereby enabling faster and improved troubleshooting of access rules. This improved behavior is accomplished because MARS sends Security Manager the raw syslog message and not just the parsed event information, such as the event 5-tuple, action, ACL name, interface, and direction of flow. Using the raw event sent by MARS, Security Manager extracts critical data about the direction of traffic flow and other details, such as pre-NAT and post-NAT addresses. After the most accurately matching policy is found, Security Manager passes the information to MARS, which is translated in a readable format.
TCP and UDP connection setup/teardown syslogs represent the traffic flow through the firewall. A connection setup syslog is generated when a session is established through the device, when traffic flows to the device, or when traffic flows from the device. Each connection setup syslog has an associated teardown syslog, which is generated when the session is terminated. Although both the setup and teardown syslogs share a common connection ID, the teardown syslog does not contain the pre-NATed address and direction information. For teardown syslogs, MARS also transmits the corresponding setup syslog for that connection because it contains the necessary information for an accurate match. For sessionized events, MARS also sends the session object, which contains NATed details, to Security Manager for lookup. Security Manager parses the details from the syslog in raw format and performs two queries, instead of one, on the policy database to find a matching permit ACE in the inbound and outbound interfaces in the "in" and "out" directions, respectively. As a result, each policy query for a connection setup/teardown syslog yields zero, one, or two matches, depending on the configuration of a permit ACE on that interface in the specified direction. A maximum of two matching rules is displayed in the read-only access rule table popup window after the lookup.
ICMP connection setup and teardown syslogs do not contain the ICMP code, type, interface names, direction keyword, and a connection ID. Therefore, lookup of access rules for ICMP setup/teardown syslogs is not as accurate as their TCP and UDP counterparts owing to the absence of necessary details to locate an exact match. However, the ICMP setup/teardown syslogs associated with management traffic to and from a device are handled slightly differently. For management traffic triggered by TCP and UDP connection-related messages, Security Manager checks for the presence of the "NP Identity Ifc" keyword as the second interface in the syslog format for these protocols to obtain the most accurate matches for the lookup query. Although the Security Manager icon is displayed for events generated by ICMP connection teardown syslogs, an error message is displayed when you perform policy lookup from these events. The error message states that the corresponding connection setup syslog for the teardown syslog could not be found and asks you to try this operation after a few seconds. However, the same error is displayed even if you perform lookup at a later time.
Each syslog generated by an access rule or connection setup/teardown is associated with a unique ID. You can navigate to the policy rules that trigger syslogs in MARS from the Incident Details page by clicking the Security Manager icon. You can query policies only from those syslog IDs that are supported by MARS and Security Manager. For details on the syslog IDs supported by MARS and Security Manager for policy lookup from events, see Security Appliance and Router System Log Messages Supported for Policy Lookup.
MARS displays the policy table in a popup window. The matching access rule is displayed in highlight. If MARS was unable to provide the interface, direction, and action information, multiple matched access rules may be highlighted.
Sample TCP Connection Setup/Teardown Syslog Messages for an ASA Device
Mar 19 2007 21:05:59 2.168.154.2 : %ASA-2-302013: Built outbound TCP connection 42210Mar 19 2007 21:06:27 2.168.154.2 : %ASA-2-302014: Teardown TCP connection 42210Sample ICMP Connection Setup/Teardown Syslog Messages for an ASA Device
Mar 19 2007 21:03:44 2.168.154.2 : %ASA-2-302021: Teardown ICMP connectionMar 19 2007 21:03:44 2.168.154.2 : %ASA-2-302020: Built ICMP connectionSample UDP Connection Setup/Teardown Syslog Messages for an ASA Device
Mar 19 2007 21:08:53 2.168.154.2 : %ASA-2-302015: Built outbound UDP connection 42214Mar 19 2007 21:10:55 2.168.154.2 : %ASA-2-302016: Teardown UDP connection 42214Sample Cisco PIX Firewall Syslog Messages with Access Group Name Information
10.33.10.2 <142>%PIX-4-106023: Deny tcp src inside:10.1.5.234/3010 dst outside:5.6.7.8/21Sample Cisco IOS 12.2 Syslog Messages with ACL Name Information
100.1.20.2 Mon Jun 9 14:46:31 2003 <46>485232: Jun 9 14:46:29 PDT: %SEC-6-IPACCESSLOGP: list10.34.1.1 <46>146570: Dec 19 21:01:57 PST: %SEC-6-IPACCESSLOGP: listRelated Topics
•
•
•
Security Appliance and Router System Log Messages Supported for Policy Lookup
You can configure logging options on security appliances when a deny ACE matches a packet for network access (an access list applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, the default logging occurs, using system log message 106023. In devices with multiple contexts, each security context includes its own logging configuration and generates its own messages.
System log messages begin with a percent sign (%) and are structured as follows:
%{ASA | PIX | FWSM}-Level-Message_number: Message_textA unique 6-digit number identifies each message. The following syslog message IDs are supported for looking up policies in Security Manager from incidents generated in MARS. If you change the logging level of the firewall, ensure that the following messages IDs are generated at the new level so the MARS Appliance receives them.
106100, 106023, 302013, 302014, 302015, 302016, 302020, 302021
The default level for many of the events that are studied by MARS is the debug level, which can generate a high volume of additional events that are not used by MARS. If you are experiencing an influx of these other events, you can use the logging message command to either turn off events or change the severity level of the event to a level that generates required messages but not as many as debug. For details on the message, explanation, and recommended action for each of these message IDs, see the System Message Guide of the relevant product documentation.
On Cisco IOS routers, system log messages are generated for access lists configured with the log or log-input keywords. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or virtual circuit in the logging output. The first packet that triggers the access list causes an immediate logging message, and subsequent packets are collected over 5-minute intervals before they are displayed or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval. You can look up access rules that generate these log messages by clicking the Security Manager policy query icon in the Incident Details page or the Query Results page of MARS.
For IOS routers, system log messages with the following identifiers support policy lookup and the Security Manager icon is displayed beside them in the MARS GUI:
%SEC-6-IPACCESSLOGDP, %SEC-6-IPACCESSLOGNP, %SEC-6-IPACCESSLOGS, %SEC-6-IPACCESSLOGP
For IOS system log messages with IDs other than the ones listed above and that are not generated by access rules, the Security Manager icon is not displayed in the MARS GUI.
Related Topics
•
•
•
•
Understanding Signature Table Lookup
Security Manager 3.2 and MARS 4.3.4 and 5.3.4 support signature summary table lookup for events generated by IPS devices (Cisco IPS sensors and Cisco IOS IPS devices) and IDS sensors. Sensors that use a signature-based technology can detect network intrusions. A signature is a set of rules that your sensor uses to detect typical intrusive activity, such as DoS attacks. As sensors scan network packets, they use signatures to detect known attacks and respond with actions that you define. The sensor compares the list of signatures with network activity. When a match is found, the sensor takes an action, such as logging the event or sending an alert. Signature-based intrusion detection can produce false positives that you can minimize by tuning your signatures. Some signatures have subsignatures, that is, the signature is divided into subcategories. When you configure a subsignature, changes made to the parameters of one subsignature apply only to that subsignature.
Security Manager looks for the following criteria from the raw event message that MARS sends for IPS events:
•
•
Note
Packet Data events that identify the data that was being transmitted on the network the instant an alarm was detected on IPS and IDS sensors can cause the size of the raw message associated with this event to become very huge. Also, these events are not triggered by signature rules on sensors. As a result, the Security Manager icon is not displayed for Packet Data events in the MARS GUI for policy lookup.
Events triggered by custom signature configured on a sensor are categorized as "Unknown Device Event Type" in the MARS GUI and the Security Manager icon is displayed for these events to enable policy lookup.After a match is found, Security Manager transmits the signature details to MARS and the matching signature parameters are displayed in a read-only popup window in MARS. You can click Edit Signature to navigate to the signature summary table of Security Manager with the matching signature selected. You can also click Event Action Filter from the read-only popup window to configure a filter on the basis of signature categories to remove one or more actions from the signature event. The filter is applied in the order specified in the summary table. The authentication mechanism that you entered while adding Security Manager to MARS is used to open the signature summary table and a new instance of Security Manager is started if one is not running or the existing session times out.
Related Topics
•
•
•
•
Guidelines for Working with Policy Table Lookup from MARS
Remember the following points when you query the Security Manager policy table from MARS syslog messages:
•
Support for read-only policy table lookup from a MARS appliance running 4.3.4 or 5.3.4 is solely to provide backward compatibility with a Security Manager server running 3.0.1, 3.0.2, or 3.1.x.
•
•
•
•
•
•
•
•
•
•
•
•
•
The username and password pair in the User Configuration page comprise the credentials that MARS uses to authenticate with Security Manager to look up the policy table, when you select the option to use Security Manager credentials for policy lookup. The Security Manager username and password fields in the User Configuration page are populated with the values you enter in the policy query login dialog box if you chose to allow saving of Security Manager login credentials during policy lookup.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
–
–
–
Note
•
This behavior is expected. When MARS receives events, they are parsed, sessionized, written to an event shared buffer, and then written to the database. Because sessionization takes time, sometimes keeping an event in cache for 2 minutes, the low-latency event query displays events right after parsing, but before sessionization. Displaying the event at this point allows the low-latency query to achieve a close to realtime effect. For some events, parsing cannot determine some part of the 5-tuple data, such as a destination address. Later, sessionization later fills in such missing data using configuration data. As a result, the 5-tuple data displayed by the low-latency event query can be different from values stored in the database, which are used to populate the standard queries.
•
•
•
•
•
•
•
<190>2312080: *May 9 23:50:02.199: %SEC-6-IPACCESSLOGDP: list permit-all permitted icmp 10.2.3.8 ->10.4.21.2 (0/0), 1 packetAn error occurred while querying policies from Cisco Security Manager. Reason: Failed to retrieve policyinformation from CSM. Reason: Cisco Security Manager Internal error: Failed to get interfaces in the device!Before you perform policy queries, verify that all discovered devices have been submitted in Security Manager.
•
•
•
•
•
•
•
•
•
•
•
•
Related Topics
•
•
•
•
•
•
Checklist for Policy Table Lookup from MARS
You can use the following checklist to track the tasks required to integrate MARS with a Security Manager server and the reporting and mitigation devices managed by that Security Manager server. Each step might contain several substeps; the steps and substeps should be performed in order. The checklist contains references to the specific procedures used to perform each task.
Step 1
Identify devices that need to be managed by both Security Manager and MARS.
The first step in integrating MARS and Security Manager involves identifying those devices for which Security Manager is used to define policy rules. You must ensure that devices are running a software version supported by both MARS and Security Manager. For a list of devices supported by both Security Manager and MARS, see Devices and OS Versions Supported by Both Security Manager and MARS.
Step 2
Identify and enable all required traffic flows between the devices and MARS.
After you identify the devices to be managed by the Security Manager server and monitored by MARS, you must verify that the network services they use for management, reporting, and notification are permitted along the required traffic flows. Ensure that the management, logging, and notification traffic between the MARS Appliance and each monitored device is allowed by intermediate gateways. For more information, see User Guide for Cisco Security MARS local Controller 4.3.x and 5.3.x.
TipStep 3
Prepare the devices to be managed by Security Manager.
Before you can manage devices using Security Manager, you must set up the devices with a minimum configuration that provides basic connectivity. To enable communication between Security Manager and devices, you must configure transport settings on the devices, before you add them to the inventory. Bootstrapping involves getting the device up and running on the network, assigning it an IP address, and connecting it to the physical media. See the Chapter 5, "Preparing Devices for Management" chapter for details about preparing or bootstrapping the devices.
Step 4
Add the devices to Security Manager.
For more information, see the Managing the Device Inventory chapter.
Step 5
Bootstrap the devices managed by MARS.
After you identify the devices managed by the Security Manager server and to be monitored by MARS, you must prepare, or bootstrap, that device to ensure that the MARS Appliance can receive or pull any necessary logs from those devices. After you identify and bootstrap the devices and enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. For more information on adding and activating devices, see User Guide for Cisco Security MARS Local Controller 4.3.x and 5.3.x.
Step 6
Add the devices to MARS.
For more information, see User Guide for Cisco Security MARS Local Controller 4.3.x and 5.3.x.
Step 7
Bootstrap each Security Manager server and add it to the correct MARS Local Controller.
For more information, see Bootstrapping Security Manager Server to Communicate with MARS.
Step 8
Perform policy lookups as required.
Once an event generated by one of the Security Manager-managed devices is received by MARS, you can perform a policy lookup operation and modify the possible policies that could have affected the generation of that event from the Security Manager server. For more information on how to perform policy table lookup for events generated by access rules and signatures, see the following sections:
•
•
Related Topics
•
•
•
•
•
Devices and OS Versions Supported by Both Security Manager and MARS
You must ensure that devices that need to be monitored by MARS and managed by Security Manager are running a software versions supported by both MARS and Security Manager to perform the policy table lookup from MARS syslogs and events lookup from Security Manager policies.
Table 22-7 lists the software versions for each device platform supported by both Security Manager and MARS.
Table 22-7 Supported Devices and OS Versions for Security Manager and MARS Integration
Cisco IOS Routers
12.x and later
PIX Security Appliances
6.0, 6.1, 6.2, 6.3, 7.0, 7.2, 7.2.1
Adaptive Security Appliances (ASA)
7.0.1, 7.2, 7.2.1
Cisco Intrusion Prevention System (IPS), IDSM-2 module
5.1, 6.0, 6.0.1, 6.0.2, 6.0.3
Cisco IOS Intrusion Prevention System (IOS IPS) sensors
Cisco IOS 12.4(11)T2 (the earliest supported Cisco IOS Software release)
Cisco Catalyst 6500 Series Switches
Cisco IOS 12.2 and later
Firewall Services Module (FWSM)
1.1, 1.2, 2.3, 3.1, 3.1.3, 3.1.51
1 FWSM support is supported only in Security Manager Enterprise Edition (Professional-50) and higher. The professional version includes support for the management of Cisco Catalyst 6500 Series switches and associated service modules; the Standard versions do not include this support.
Note
Related Topics
•
•
•
•
•
Bootstrapping Security Manager Server to Communicate with MARS
To prepare the Security Manager server to be queried by MARS, you must configure the following settings:
•
•
–
–
–
–
Note
When you add a Security Manager server to MARS, if you choose to use the option to prompt users for Security Manager credentials for the policy table lookup, you might not need to create a separate MARS user account in the Common Services 3.1 UI for authentication purposes.For more information on adding users and associating roles with them from the Common Services 3.1 UI, see User Guide for CiscoWorks Common Services 3.1.
Related Topics
•
•
Adding a Security Manager Server to MARS
The Security Manager server is represented in MARS by defining a host with a software application residing on that host. The Security Manager server that you add to the Local Controller can be used to perform policy lookup only for those devices that it manages and that publish their events to MARS.
Each Local Controller can query one Security Manager server only; you cannot define more than one Security Manager server per Local Controller. You can define the same Security Manager server on multiple Local Controllers. When planning the zones for Global Controller/multi-Local Controller deployments, ensure that each Local Controller maps to the Security Manager server that manages the reporting devices monitored by that Local Controller.
If a Security Manager server is not added to MARS, the username and password fields in the Cisco Security Manager section of the User Configuration page are disabled. A message appears in the User Configuration page that the Security Manager credentials for policy table cross-launch cannot be saved in the MARS database because a Security Manager server is not yet added to MARS.
This procedure describes how to identify a Security Manager server to use for policy lookups from within the web interface of MARS.
Before You Begin
•
Adding a Security Manager server running 3.0.1, 3.0.2, or 3.1.x to a MARS appliance provides the same behavior that existed in versions of MARS earlier than 4.3.4 and 5.3.4 to perform policy lookup.
•
Related Topics
•
•
•
•
Step 1
Step 2
•
•
Figure 22-1 Device Discovery-Add SW security apps on new host
You can select the Add SW Security apps on an existing host option if you have already defined the host within MARS, perhaps as part of the Management > IP Management settings or if you are running another application on the host, such as Microsoft Internet Information Services.
Step 3
•
•
•
•
Step 4
Step 5
Step 6
Step 7
Figure 22-2 Device Discovery-Cisco Security Manager ANY Page
Step 8
•
•
•
•
Step 9
•
•
When you click this radio button, the Allow Users to Save Credentials check box, beneath it, is enabled. Select this check box if you want the Save Credentials check box in the Security Manager login dialog box to be enabled when you cross-launch the policy lookup table. Selecting the Save Credentials check box causes the Security Manager credentials to be saved in the MARS database and you are not prompted for access details during subsequent lookups.
If you deselect the Allow Users to Save Credentials check box, the Save Credentials check box is disabled in the login dialog box, prompting you to enter the login details each time you start the Security Manager policy table from MARS in a new session or after the timeout period. When the Allow Users to Save Credentials check box is deselected, the Security Manager credentials saved in the MARS database are deleted.
Note
If the Allow Users to Save Credentials check box is deselected, the username and password fields in the Cisco Security Manager section of the User Configuration page are disabled. A message appears in the User Configuration page that the Security Manager credentials to perform policy lookup cannot be saved in the MARS database because the Allow Users to Save Credentials check box is deselected. The message appears in the User Configuration page even when you choose to use MARS credentials for policy table lookup.Step 10
If the username and password are correct and the MARS Appliance is configured as an administrative host for the device, a popup window appears with a "Connectivity successful." message when the discovery operation is successfully completed. Otherwise, an error message appears asking you to click the View Error link for more information about the probable cause and its possible solution.
Step 11
The submit operation records the changes in the database tables. However, it does not load the changes into working memory of the MARS Appliance. The activate operation loads submitted changes into working memory.
Step 12
After the MARS Appliance is activated, it can query the Security Manager server to perform policy lookups.
Navigating to Access Rule Policy in Security Manager from MARS
Access rules filter network traffic by controlling whether routed packets are forwarded or blocked at the firewall's interfaces. Rules are processed by a device from first to last, or first-match basis, against each received packet. After you configure and deploy access rules from Security Manager to a device and enable logging on the device monitored by MARS, a log entry is created when an access rule matches the network traffic that the device is processing and the action defined in the rule is used to decide if traffic needs to be permitted. An incident is generated in MARS after the log associated with an access rule is received from the device.
In MARS, an incident is a chain of events that are correlated by a rule to signal an attack upon your network. MARS simplifies and expedites the detection, mitigation, reporting, and analysis of the incident. The Network Summary dashboard, the Query Results pages, and the Incident pages help to detect recent incidents and show the rules and the events that compose them.
Using MARS, you can also navigate from messages that are generated during the establishment or tearing down of a TCP, UDP, or ICMP connection to the permit ACE in Security Manager for that specific syslog. You can then edit the access rule generating the MARS event or incident to update the action the device must take in response to a receiving packet.
This procedure describes how to look up and modify the access rule in the policy table of Security Manager from an incident in MARS.
Before You Begin
•
•
•
–
–
–
–
Related Topics
•
•
•
•
•
Step 1
If you selected the authentication option to use MARS credentials for policy lookup, log in as an Administrator or Security Analyst to be able to modify the matched access rules. If you selected the option to use Security Manager credentials for policy lookup, the MARS login user role does not matter.
Step 2
•
•
–
–
–
–
Step 3
If you selected the option to be prompted for credentials to log in to Security Manager for policy table lookup, a login dialog box is displayed. Otherwise, one of three popup windows is displayed.
Step 4
You are prompted for credentials the first time you start a new MARS session. These credentials are cached until the session expires or you open a fresh session.
Note
If you access the MARS GUI using Internet Explorer, it is possible that the password is automatically entered in the login dialog box after you enter the username. This behavior occurs if you configured your browser to remember passwords. See the "Interoperation of MARS and Security Manager" chapter in the FAQ and Troubleshooting Guide for Cisco Security Manager 3.2 for information on how cached passwords can be cleared or the caching feature can be disabled.One of the following three popup windows may appear:
•
•
•
Figure 22-3 MARS Multiple Events Pop-up Window
Figure 22-4 MARS Multiple Devices Pop-up Window
Figure 22-5 Read-Only Access Rule Table Pop-up Window
Step 5
•
•
Step 6
The access rules that match the MARS query criteria are highlighted. The access rules displayed in the read-only policy table window depend on whether an instance of the Security Manager client is running and whether Workflow or non-Workflow mode is enabled. For more information, see Task 6 in the Taskflow for Policy Table Query from MARS Events.
If there are more rules in the access rule table than can displayed in a single page, they are displayed across several pages and you can navigate back and forth. Pagination allows you to display a maximum number of items per page. Additional items carry over to the next page. You choose the number of items to display per page from the Rows per page drop-down list. Select a value from the Go to page drop-down list to navigate to the page number you desire, and click Prev or Next to navigate between pages.
To switch between matched rules, click Prev or Next, as required, beside the Go to matched policy drop-down list for each highlighted access rule. Select the first or last rule number from the Go to matched policy list to navigate to the first or last highlighted access rule. If multiple access rules match the query criteria, the first matching rule is highlighted, regardless of whether the page in which the match is found is the first page of the access rule table or not.
If an access rule contains network/host, interface, or service objects, you can click the object in the read-only policy lookup table to view the definitions of these objects in a popup window.
Step 7
Note
Note
The Security Manager client window is activated and the Access Rules page appears with the access rule that generated the event highlighted in the policy table. You can modify the access rule to control the flow of network packets and deploy the updated policy to the device to refine network protection.
If the highlighted access rule contains network/host, service, or interface objects, right-click the appropriate table cell of the rule in the Access Rules page and select Show <object> Contents from the shortcut menu to view the list of flattened values of the object.
Step 8
Step 9
Navigating to IPS Signature Policy in Security Manager from MARS
Sensors scan network packets using signatures to detect attacks or other misuses of network resources. When the sensor finds a match for an incoming packet with the signature, it takes some action, such as logging the event. If the signatures are configured on the sensor using Security Manager and the sensor is monitored by MARS, the sensor publishes the logs to MARS. From the Query page, you can define the query parameters and run a query to return events or incidents generated by signatures configured on the sensor. You can click the Security Manager icon from the returned events or raw messages associated with events. Alternatively, you can select a particular incident ID from the returned query results and view the details associated with the incident. From the Incident Details page, you can click the Security Manager icon in the Reporting Device column for the event that you want to examine.
Note
•
•
•
•
A collection of events generated by sensors are also displayed in the Incidents page from which you can select an incident ID and navigate to the signature policy in Security Manager. You can then edit their parameters (tune them) to achieve optimal performance on your network, and particularly to minimize false positives and false negatives.
This procedure describes how to look up and modify an IPS signature in the signature summary table of Security Manager from an incident in MARS.
Before You Begin
•
•
Related Topics
•
•
•
•
•
Step 1
If you selected the authentication option to use MARS credentials for policy lookup, log in as an Administrator or Security Analyst to be able to modify the matched access rules. If you selected the option to use Security Manager credentials for policy lookup, the MARS login user role does not matter.
Step 2
•
•
–
–
–
–
Figure 22-6 Query Results Page with Matching Events
Figure 22-7 Incident Details Page
Figure 22-8 Recent Incidents on MARS Summary Page
Figure 22-9 MARS Incidents Page
Step 3
Otherwise, the Cisco Security Manager Policy Query popup window is displayed with the signature parameters in read-only mode. See Figure 22-11Go to Step 5. For a description of the elements in the Policy Query window, see Read-Only Security Manager Policy Lookup Page for an IPS Signature.
Note
Figure 22-10 Read-Only Signature Policy Pop-up Window with Login Section
Figure 22-11 Read-Only Signature Policy Pop-up Window with Matching Signature Parameters
Step 4
You are prompted for credentials the first time you start a new MARS session. These credentials are cached until the session expires or you open a fresh session.
Note
If you access the MARS GUI using Internet Explorer, it is possible that the password is automatically entered in the login dialog box after you enter the username. This behavior occurs if you configured your browser to remember passwords. See the "Interoperation of MARS and Security Manager" chapter in the FAQ and Troubleshooting Guide for Cisco Security Manager 3.2 for information on how cached passwords can be cleared or the caching feature can be disabled.Step 5
•
Note
•
•
Note
Read-Only Security Manager Policy Lookup Page for Access Rules
Use the Cisco Security Manager Policy Query page in the MARS GUI to view the access rule that triggered the incident that you want to examine. This page takes one of the following forms, depending on the number of events and devices that match the incident you are investigating.
•
•
•
•
Navigation Path
To access the read-only policy lookup page for access rules, do one of the following:
1.
2.
–
–
–
–
Click the Security Manager icon in the Reporting Device field of the Incident Details page for incidents generated by access rules.
Related Topics
•
•
•
Note
Note
Field Reference
Table 22-8 Read-Only Access Rule Policy Lookup Page
Available only if you selected the option to prompt the user for Security Manager login credentials for access rule lookup and the Security Manager credentials are neither cached nor saved in the MARS database.
User Name
The username for logging in to Security Manager.
Note
Password
The password for logging in to Security Manager.
Submit
Sends the entered credentials to Security Manager and displays the read-only access table in the same page, if authentication is successful.
Save Credentials
Available only if the Allow Users to Save Credentials check box is selected in the Reporting Applications tab of MARS.
When selected, Security Manager credentials are saved in the MARS database and reused during policy lookup. You are not prompted for credentials during subsequent policy lookup operations if you select this check box.
If the Security Manager Login section is displayed, this table appears after MARS is successfully authenticated with Security Manager. Also, if a unique device and a single event cannot be identified for an incident, this table is displayed after you select the required device and event from the list of multiple devices and multiple events.
Go to matched policy
Select the rule number to which you want to navigate in the table.
Prev
Click to move to the matching access rule previous to the one currently highlighted in the table.
Next
Click to move to the matching access rule next to the one currently highlighted in the table.
No.
Identifies the ordered rule number in the table. Click the hyperlink in the rule number to start the Security Manager client with the current row highlighted the access rule table and modify its settings. Hold your cursor over the rule number to view a tooltip.
Note
Source
Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10.
Clickable only if it represents a network object. Clicking the object displays the contents of the object in a popup window. The source IP address or hostname contained in the object is highlighted in the popup window if it matches with the source IP address in the syslog that generated this rule.
Destination
Identifies the destination network/host object names or addresses of hosts or networks.
Clickable only if it represents a network object. Clicking the object displays the contents of the object in a popup window. The destination IP address or hostname contained in the object is highlighted in the popup window if it matches with the destination IP address in the syslog that generated this rule.
Service
Identifies service objects that specify protocol and port information.
Clickable only if it represents a service object. Clicking the object displays the contents of the object in a popup window. The protocol and port contained in the interface object are highlighted in the popup window if they match with the protocol in the syslog that generated this rule. However, this feature of highlighted entries is supported only for TCP-based and UDP-based rules.
Interface
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned.
Clickable only if it represents an interface object. Clicking the object displays the contents of the object in a popup window. Unlike network/host and service objects, the flattened-out interface objects that match with the interface value in the syslog that generated this rule are not highlighted in the popup window.
Go to page
Select the page number to which you want to navigate. Click Prev and Next on either side of the drop-down list to navigate between pages.
Rows per page
Select the number of rows that you want to be displayed in each page of the access rule table.
Transcript Details
Click to open a dialog box displaying information about the raw syslog for the event that you selected in MARS and the parsed format of the syslog after it is processed by Security Manager to find access rules that generated the syslog. These details enable you to understand the taskflow of the access rule lookup query and are informational messages, which can be used to troubleshoot errors.
CS Manager Details
Click open a dialog box displaying the server name, username used to log in to Security Manager, whether Workflow mode is enabled, and the activity from which the signature details are retrieved.
Read-Only Security Manager Policy Lookup Page for an IPS Signature
Use the Cisco Security Manager Policy Query page in the MARS GUI to view the signature that triggered the incident that you want to examine. From this page, you can open the Security Manager client to edit the signature parameters or define an event action filter to remove specific actions from an event.
Navigation Path
To access the read-only policy lookup page for IPS signatures, do one of the following:
1.
2.
–
–
–
–
Click the Security Manager icon in the Reporting Device field of the Incident Details page for incidents generated by signatures.
Related Topics
•
•
•
Note
Even though the Security Manager icon in the event displayed at the top of the page can be clicked, it only refreshes the page with the same contents. You need to click Edit Signature to navigate to the Signatures page in the Security Manager client; clicking this icon does not start the Security Manager client.Field Reference
Table 22-9 Read-Only Signature Policy Lookup Page
Available only if you selected the option to prompt the user for Security Manager login credentials for signature rule lookup in the Reporting Applications tab and the Security Manager credentials are neither cached nor saved in the MARS database.
User Name
The username for logging in to Security Manager.
Note
Password
The password for logging in to Security Manager.
Submit
Sends the entered credentials to Security Manager and displays the read-only signature parameters in the same page, if authentication is successful.
Save Credentials
Available only if the Allow Users to Save Credentials check box is selected in the Reporting Applications tab of MARS.
When selected, Security Manager credentials are saved in the MARS database and reused during policy lookup. You are not prompted for credentials during subsequent policy lookup operations if you select this check box.
If the Cisco Security Manager Login section is displayed, this section appears after MARS is successfully authenticated with Security Manager. Otherwise, these details are displayed immediately after the policy query lookup page is opened.
Edit Signature
Click to open the Signatures page in Security Manager. The IPS signature that generated the event is highlighted in the policy table.
If an instance of the Security Manager client is already open, the same instance is activated. If the Security Manager client is not installed on the system, you are prompted to install the Security Manager client and the page to download the client software is opened.
Add Filter
Opens the Add Event Action Filter dialog box in Security Manager with the Actions to Subtract, % to Deny, Attacker Address, and Attacker Port fields populated with values derived from the MARS event. The remaining fields are displayed with default values.
Signature ID
Identifies the unique numerical value assigned to this signature. The signature ID contains hyperlinks to the Cisco Network Security Database (NSDB). Clicking on the link in the ID column will trigger the opening of an external browser window that opens to the entry in Security Center (MySDN) for that signature.
Signature Parameters
Displays the built-in micro-engine parameters for a particular signature. These parameters determine how the signature is configured and applied to an incoming packet.
Click the + icon beside the Parameters option to expand the tree and display the available signature parameters. If a + icon appears beside any of the items in the expanded list, it indicates that more options are available for this parameter.
CS Manager Details
Click open a dialog box displaying the server name, username used to log in to Security Manager, whether Workflow mode is enabled, and the activity from which the signature details are retrieved.
MARS Events Lookup from a Security Manager Policy
Security Manager 3.2 integrates with MARS 4.3.4 and 5.3.4 to quickly examine events generated in MARS by firewall and signature policies configured on network devices and optimize them to eliminate attacks and maintain compliance. As security policies become increasingly complex, enforcing them and managing changes becomes an arduous day-to-day task. At the same time, troubleshooting and monitoring updates requires expertise that comes with a higher cost of maintenance. To enable rapid troubleshooting for security appliance deployments of any nature, including those with complex security policies and numerous access rules, Security Manager 3.2 provides a facility to navigate to the events associated with an access rule or signature in MARS. MARS aggregates and presents massive amounts of network and security data in an easy-to-use format. Based on the information derived from the event log, you can edit the necessary policies and counter security threats.
Navigation from a Security Manager policy to a MARS event eliminates the need to run a detailed query in MARS by retrieving and populating the query criteria from the policy settings. If objects are referenced in policies, the complexity of the query criteria is increased because the components of the objects might need to be entered in the strings to be queried. However, when you select a Security Manager policy to navigate to the event generated in the MARS GUI by that policy, the contents of the objects are also expanded and prepopulated in the query fields.
The following sections describe how to configure Security Manager and MARS to ensure seamless integration for events lookup in MARS from the Security Manager policy table:
•
•
•
•
•
•
•
•
•
Taskflow for MARS Events Query from Policy Table
From the Access Rules and Signatures pages in Security Manager, you can navigate to the Query Criteria: Result page of MARS to run a query using the query criteria populated by the policy settings and investigate an incident. The results of the query enable you to examine the event generated by the access rule or signature and modify the rules to suit your needs. You can right-click a signature or an access rule, depending on the type of the device, to set up a low-latency, realtime event query or a standard, sessionized query in MARS. You can then run the query or save the query criteria to reuse as a report. The result of a query and of a report is exactly the same, but you can save reports to avoid having to enter the values every time you want that specific output. The following steps depict the process of querying events in MARS from the policy table in Security Manager:
1.
2.
3.
4.
If you query for historical events matching an access rule or signature, the Query Criteria: Result page is displayed in the MARS GUI. You can either run an on-demand query or save the criteria as a report to run at a later time. For historical events, the Result Format drop-down list is populated with the All Matching Events option and the Filter By Time value is set to the last 10 minutes by default in the Query Criteria: Result page. If you query for realtime events, the query is run based on the values obtained from the selected policy rule in Security Manager and the results of the query are displayed in the Query Results page of MARS.
Note
Related Topics
•
•
•
•
•
•
•
•
Understanding MARS Events Lookup
Security Manager requests the events matching an access rule by supplying the device details and other information associated with the access rule, such as service, source/destination addresses, action, and direction, to MARS. MARS displays the Query page with the following attributes prepopulated using the values passed by Security Manager:
•
•
•
•
•
•
Note
Because Security Manager and MARS do not share a common device repository, the XML query created by Security Manager and sent to MARS includes all the device information (management IP address, hostname, domain name, and display name) available in its database. MARS tries to match this information against the devices added to the MARS database. Events lookup from the policy table succeeds only if the relevant devices are added to both Security Manager and MARS and can be reached by MARS from Security Manager using a common IP address or hostname. For a complete list of devices and OS versions supported by Security Manager and MARS separately, see the Supported Devices and Software Versions document of the respective applications..
For events associated with IPS and IOS IPS devices, Security Manager uses the device details, signature ID, and subsignature ID to populate the query criteria fields in the Query page opened in MARS. If a virtual sensor is configured on your IPS device, the Keyword field displays the virtual sensor name in addition to the signature and subsignature IDs. You can also select multiple signatures from the Signatures policy table of Security Manager and query for realtime or historical events.
Sensors and other network devices can continually forward events to MARS. These events are stored in the MARS database. Querying for historical events from Security Manager policies allows you to view the events stored in the MARS database. You can also navigate from policies in Security Manager to view realtime events as they are forwarded to MARS. The following sections describe the differences in the syslogs displayed for realtime and historical events from access rule and signature policies in Security Manager:
•
•
Related Topics
•
•
•
•
•
•
•
•
About Historical Events for a Policy
Using Security Manager, you can select from an access rule or signature ID and view historical event data in MARS. Historical events are forensic analysis tools that enable you to identify trends over longer periods of time than the real-time monitoring features of MARS. For an historical event query, MARS sessionizes the event data after it is received from the device and parsed. Sessionizing takes two forms: reconstructing a session-oriented protocol, such as TCP, where the initial handshake and the session tear down and reconstructing a sessionless protocol, such as UDP, where the initial start and session end times are defined more based on first and last packets tracked within a restricted time period. In other words, packets that fall outside of the time period are considered part of different sessions. When you perform an historical event query from a firewall access rule policy in Security Manager, syslogs triggered by connection establishment and teardown are also displayed in addition to the ones generated by access rules in the Query page of MARS.
Related Topics
•
•
•
•
•
•
•
•
•
About Realtime Events for a Policy
The realtime event viewer in MARS is a query option that permits you to monitor traffic in near real-time events as follows:
•
•
When you query an access rule or a signature ID from Security Manager for realtime events in MARS, sessionized messages are displayed in the realtime event viewer, by default. The realtime events display as a continuously scrolling screen. You can configure query criteria to filter what is displayed. When viewing raw events, sessionization is not impeded, all the parsed raw events are sessionized per normal MARS operation. To view the most recent realtime events, you can submit the query at any time, adjust the scrolling rate, or pause and restart to reinitialize the realtime event viewer. The most recent events are always at the bottom of the output queue, and their freshness when you view them is limited by the number of events in the queue and the scroll speed of the display.
When MARS receives events, they are parsed, sessionized, written to an event shared buffer, and then written to the database. Because sessionization takes time, sometimes keeping an event in cache for 2 minutes, the realtime event query can be used to display events right after parsing and provides access to the most current data received.
When NAT or PAT is configured on the firewall, the source and destination addresses are mapped to the pre-NAT and post-NAT addresses accordingly. Regardless of whether NAT or PAT is configured on the device, the pre-NAT and post-NAT addresses are specified in the XML event query parameters for the source and destination address fields when Security Manager sends a query to MARS to look up events from policies. For inbound access rules, the destination address is considered as the pre-NAT address and for outbound access rules, the source address is considered as the post-NAT address.
Related Topics
•
•
•
•
•
•
•
•
•
Obtaining Events for an Access Rule Policy
An ACE is a single entry in an access list that specifies a permit or deny rule, and is applied to a protocol, a source and destination IP address or network, and optionally the source and destination ports. From a firewall access rule table in Security Manager, you can right-click an access rule and navigate to events or syslogs triggered by the access rule in MARS. You can view realtime and historical syslogs matching a rule or a traffic flow. For events matching a rule, only syslogs generated by access rules are displayed. However, for events matching a flow, as all the necessary details from an access rule, such as pre-NAT and post-NAT addresses, are available in the query parameters sent by Security Manager, syslogs generated by connection setup/teardown are also displayed in addition to those generated by firewall access rules in the Query page of MARS.
When you select the option to display events matching a rule, the support of ACE hashcodes by the version of software running on a device determines the accuracy of syslog matches. Although Security Manager is able to gather the device information, the appropriate event types in MARS, 5-tuple data from the ACEs, and the ACL, these details can result in inaccurate or excessive syslog matches. To produce most accurate syslog matches for an ACE, PIX and ASA 7.0 and later support ACE hashcodes. Each ACE contains an MD5 hashcode, which is included in the syslogs generated by that ACE. For PIX and ASA devices running 7.0 or later, Security Manager includes the hashcodes of the ACEs generated by the selected rule in the query sent to MARS. ACE hashcodes are not supported on security appliances running a version of PIX or ASA software earlier than 7.0.
When Security Manager server contacts MARS to query the events associated with an ACE, two-way authentication between MARS and Security Manager takes place. On successful handshake, MARS requests the query parameters to populate the search criteria in the Query page of the MARS GUI. The following are the fields that Security Manager provides to MARS to display as query criteria for events that match an access rule:
•
•
•
•
•
•
When you define the query criteria in the MARS GUI, the Query Criteria: Keywords page enables you to specify only up to 10 keywords to search within the raw message. Each keyword is associated with a distinct color to enable easy identification of its occurrence in the query results. When you perform events lookup from access rules in Security Manager, hashcode of the ACE, if available, is sent to MARS to be displayed in the query criteria as a keyword. Because Security Manager uses the hashcodes of the ACEs on devices that support them to uniquely query for syslogs generated by the ACE in MARS, large access rules might contain thousands of such hashcodes contained in them. When the number of hashcodes or keywords exceeds ten, the Keyword field in the MARS Query Criteria page is dimmed and coloring is available only for the first ten occurrences of keywords in the raw syslog message. If the number of keywords or the sum of the number of sources, destinations, and protocols for an ACE or a signature exceeds the permissible limit of 150, an error message is displayed in the MARS GUI. The error message displays the possible cause and recommended action.
For the device to generate log entries, you must configure individual access rules to generate log messages when they are invoked. If logging is not enabled on the device for an access rule, messages about packets permitted or denied by the access rule are not sent to the configured facility, such as a console. Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. The implicit deny at the end of the access list does not generate a syslog message. If you want all denied traffic to generate messages, you must add the implicit access rule manually to the end of the access list. To view syslogs associated with access rules for which logging is not enabled and connection-related syslogs, you can view syslogs matching a traffic flow. A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. When you perform a query from a firewall access rule policy in Security Manager matching a traffic flow, syslogs triggered by connection establishment and teardown are also displayed in addition to the ones generated by access rules in the Query page of MARS. The following are the fields that Security Manager provides to MARS to display events that match a traffic flow:
•
•
•
•
•
Related Topics
•
•
•
•
•
•
•
Obtaining Events for a Signature Policy
For signatures configured on IPS and IOS IPS devices managed by Security Manager, you can navigate to the network intrusion events detected and reported by the devices in MARS. You can select one or more signature IDs at a time from the Signatures page in Security Manager and navigate to the Query page of MARS for running a query on historical and realtime events. Events of type Packet Data are not displayed in the Query page of MARS when you perform a lookup from a signature rule because these event types are not triggered by signature rules. The following are the fields populated in the query criteria of MARS, based on the information Security Manager provides from the signature settings:
•
•
Related Topics
•
•
•
•
•
•
•
Guidelines for Working with MARS Events Lookup from Security Manager
Keep the following points in mind while querying for realtime or historical events in MARS from the Security Manager policy table:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The username and password pair in the Login to CS-MARS ip_address dialog box comprise the credentials that Security Manager uses to authenticate with MARS to look up events matching a policy rule, when you select the option to use MARS credentials during the addition of MARS to Security Manager. The MARS username and password values you enter in the events lookup login dialog box are saved in the Security Manager database until the client session times out, if you chose to allow saving of MARS login credentials during events lookup
•
•
•
•
•
The actual setting you configure to allow reuse of browser instances varies depending on which browser you use. See your browser documentation or help system for more information on this configuration.
Related Topics
•
•
•
•
•
•
•
•
Checklist for Events Lookup from Security Manager
You can use the following checklist to track the tasks required to integrate MARS with a Security Manager server before you query for MARS events from the policy table. The checklist contains references to the specific procedures used to perform each task.
Step 1
Identify devices that need to be managed by both Security Manager and MARS.
The first step in integrating MARS and Security Manager involves identifying those devices that are monitored by MARS and for which Security Manager is used to define policy rules. You must ensure that these devices are running a software version supported by both MARS and Security Manager. For a list of devices supported by both Security Manager and MARS, see Devices and OS Versions Supported by Both Security Manager and MARS.
Step 2
Prepare the devices to be managed by Security Manager.
Before you can manage devices using Security Manager, you must set up the devices with a minimum configuration that provides basic connectivity. To enable communication between Security Manager and devices, you must configure transport settings on the devices, before you add them to the inventory. Bootstrapping involves getting the device up and running on the network, assigning it an IP address, and connecting it to the physical media. See the Chapter 5, "Preparing Devices for Management" topic for details about preparing or bootstrapping the devices.
Step 3
Add the devices to Security Manager.
After you identify and bootstrap the devices, you must represent those devices in the Security Manager inventory, which uses this information to communicate with the devices. When you add a device to Security Manager, you bring in a range of identifying information for the device, such as its DNS name and IP address. This information is added during device discovery. You can also bring existing network configurations associated with a device by initiating policy discovery. For more information, see the Chapter 6, "Managing the Device Inventory" topic.
Step 4
Discover the MARS appliance monitoring a device from the Security Manager UI.
You can discover the MARS appliance monitoring a device from the Device Properties page. If do not perform discovery before querying for MARS events from the policy table of that device and only one MARS appliance monitors the device, the Monitored By field in the Device Properties page is automatically populated with the IP address of the MARS appliance after the events lookup for the first time.
Note
For more information, see Discovering or Changing the CS-MARS Server for a Device, page 6-27.
Step 5
Add one or more MARS Local Controllers to the Security Manager server.
For more information, see Configuring CS-MARS Servers, page 1-25.
Step 6
Bootstrap the devices monitored by MARS and add them to the MARS database.
For more information, see User Guide for Cisco Security MARS Local Controller 4.3.x and 5.3.x.
Step 7
Bootstrap the Security Manager server and add it to the correct MARS Local Controller.
For more information, see Bootstrapping Security Manager Server to Communicate with MARS.
Step 8
Perform event lookups as required.
From the access rule or signature policy table in your Security Manager client, you can right-click a rule or signature and perform a lookup operation for historical and realtime events in MARS. Based on the event details for the selected device, you can modify the policy in Security Manager and deploy to the device to fine-tune the response to network traffic. For more information on how to perform events table lookup for syslogs triggered by access rules and signatures, see the following sections:
•
Related Topics
•
•
•
•
•
•
•
•
Adding a MARS Appliance to Security Manager
MARS must be registered with Security Manager and needs to be authenticated by Security Manager to perform a lookup for events it is monitoring. You can add only MARS Local Controllers to Security Manager and not Global Controllers. Also, you can add more than one MARS device to Security Manager and associate them with the devices they monitor. In addition, you can define the same Local Controller on multiple Security Manager servers.
The CS-MARS page enables you to configure MARS devices from which you can query events from the policy table in Security Manager. For more information on adding MARS to Security Manager, see Configuring CS-MARS Servers, page 1-25.
In the CS-MARS page, you can also configure the authentication mechanism to be used when Security Manager contacts MARS to query events. For more information, see About Authentication for Events Lookup from Security Manager.
Security Manager uses HTTPS to establish a secure communication with MARS. You must add a device to both the Security Manager inventory and MARS to perform events lookup. If the device is deleted from MARS but is still available in Security Manager, or if you did not activate the device to process the event data by MARS, the query for events cannot be run for that selected device.
Related Topics
•
•
•
•
•
•
•
About Authentication for Events Lookup from Security Manager
You can enable Security Manager to either contact MARS using the credentials that you entered while logging in to Security Manager or use MARS credentials for Security Manager to authenticate with MARS. If you select the option to be prompted for MARS credentials when the event query lookup is performed, you can also choose to save the MARS credentials in the login dialog box to avoid being prompted everytime you look up MARS events in a new Security Manager client session or if the client session times out.
If you selected the option to use MARS login credentials for Security Manager to authenticate with MARS and did not choose to allow the login credentials to be saved in the login dialog box, these credentials are cached until you exit Security Manager or the idle session timeout period is exceeded. You are not prompted for login details until the Security Manager session is active. If the MARS session times out after Security Manager has successfully authenticated with MARS and did not select the option to save credentials, the login dialog box is displayed when you perform an events lookup from the policy table.
Related Topics
•
•
•
•
Navigating to MARS Events from an Access Rule Policy
Access rules are recognized in the form of an ordered list, which is represented in Security Manager as a table. When a device decides whether to forward or drop a packet, the device tests the packet against each access rule in the order in which the entries are listed and performs the action based on the condition set in the access rule. When you configure a rule in the Access Rules table, you can enable logging for each access rule. MARS records the events generated by access rules on the devices that it monitors. For devices monitored by MARS and managed by Security Manager, you can query events in MARS from the policy table in Security Manager.
From the Access Rules page, you can select an ACE and navigate to the syslog or event generated by the ACE in MARS. You can also look up events associated with the connection establishment and teardown for an ACE. You can view events matching either a rule or a traffic flow for an ACE. Presence of MD5 hashcodes in an ACE determine the accuracy of lookup for events matching a rule. If logging is not enabled for an ACE on the device, such as denied traffic, you can view syslogs matching a traffic flow. When you perform a query for events matching a traffic flow, events triggered by access rules and connection setup/teardown are displayed. However, when you perform a query for events matching a rule, only events triggered by access rules and not connection setup/teardown are displayed. For more information, see Obtaining Events for an Access Rule Policy.
You can also look up historical and realtime events matching a source or destination address by right-clicking the Source or Destination table cell, then clicking one of the Show Events options from the shortcut menu.
When you lookup realtime events for an ACE, the query is automatically run based on the values passed by Security Manager to MARS and the results of the query are displayed in the realtime event viewer of MARS. You can modify the query parameters and resubmit the query as required. However, when you lookup historical events for an ACE, the values sent by Security Manager to MARS are used to only populate the query criteria and the Query Criteria: Result page is displayed in the MARS GUI. You need to either modify the query fields or retain the prepopulated values and run the query to view historical events matching the selected ACE.
This procedure describes how to look up realtime and historical events in MARS from an access rule in the policy table of Security Manager.
Before You Begin
•
•
Related Topics
•
•
•
•
•
•
•
Step 1
Step 2
Step 3
Step 4
•
Note
The fields in the Query Event Data section of the realtime query results page are prepopulated for events matching this ACE. You can modify the parameters of the Query Event Data filter as you require and submit. Real-time results begin to scroll up from the bottom of the page within 5 seconds.
Note
•
•
•
Step 5
•
•
Step 6
•
•
Step 7
•
If more than MARS device monitoring the device can be reached by Security Manager, the Select CS-MARS dialog box is displayed, prompting you to select the MARS device to be used for events lookup.
If you selected the option to prompt for MARS credentials during events lookup and these credentials are either not cached in the current Security Manager client session or saved in the MARS database, the Login to CS-MARS ip_address dialog box is displayed. Go to Step 8. Otherwise, the MARS Query Criteria: Result Page is displayed with the query fields prepopulated for historical events and the Query Results page is displayed with the results of the query for realtime events.
•
–
–
Go to Step 8.
•
Note
•
The MARS Query Criteria: Result or the Query Results page is displayed, depending on whether you are querying for historical or realtime events, with the query fields prepopulated using the ACE and device details. You can run or edit the query and save it as a report if you want to run it at regular intervals.
Step 8
Note
Note
Note
On devices running ASA and PIX 7.0 and later that support hashcodes, the Keyword field in the Query Criteria: Result page is dimmed if there are more than ten keywords in the query parameters returned from Security Manager. Also, color-coding is available only for the first ten occurrences of the keywords in the raw message returned after you run the query; the remaining keyword occurrences are not colored.
Navigating to MARS Events from an IPS Signature Policy
From the Signatures policy page in Security Manager, you can select one or more signature IDs to run a historical or realtime event query in MARS. When an IPS or IOS IPS device detects and reports a network intrusion by comparing the configured signature against incoming traffic, a syslog is generated on the device and transmitted to MARS. An incident is generated in MARS after the log associated with the signature is obtained from the device. Looking up the events associated with a signature ID enables you to quickly identify attacks and tune your device configuration to minimize or prevent intrusions.
For virtual sensors, the name of the sensor is also prepopulated in the Keyword column of the query criteria page in MARS along with other parameters derived from the signature and device information. If you query events for a signature for which no events were generated in MARS, an empty page is displayed when you run the query.
When you lookup realtime events for a signature, the query is automatically run based on the values passed by Security Manager to MARS and the results of the query are displayed in the realtime event viewer of MARS. However, when you lookup historical events for a signature, the values sent by Security Manager to MARS are used to only populate the query criteria. You need to either modify the query fields or retain the prepopulated values and run the query to view historical events matching the selected signature.
This procedure describes how to look up realtime and historical events in MARS from a signature rule in the policy table of Security Manager.
Before You Begin
•
•
Related Topics
•
•
•
•
•
•
•
•
Step 1
Step 2
The Signatures page is displayed.
Step 3
Note
Step 4
•
The fields in the Query Event Data section of the realtime query results page are prepopulated for events matching this signature. You can modify the parameters of the Query Event Data filter as you require and submit. Real-time results begin to scroll up from the bottom of the page within 5 seconds.
•
Note
Step 5
•
