User Guide for Cisco Security MARS Local Controller, Release 5.3.x
Index


Numerics

4.3.2

MARS version

read-only policy lookup 18-8

4.3.4

MARS version

policy lookup, read-write 18-8

5.3.4

MARS version

policy lookup, read-write 18-8

5-tuple data

access rule lookup from MARS and 18-3

low-latency event query 18-11

parsing during access rule lookup 18-5

policy table lookup from MARS and 18-3

802.1x, logging in Cisco Secure ACS 15-5

A

AAA authentication

and Cisco Secure ACS

for policy lookup 18-15

AAA devices 15-1

AAA server

add 3-8

delete 3-15

servers supported 3-1

access rule events

in MARS

looking up policy table 18-3

access rule lookup

authentication failure

during connection from MARS 18-2

communication

between MARS and Security Manager 18-14

deployed changes

synchronization with 18-11

device lookup query

sequence of actions 18-4

with a unique hostname 18-4

without any domain and hostname 18-4

device lookup results and 18-4

device software versions

supported for 18-15

devices with multiple contexts

prerequisites for 18-4

error message 18-12

expanding

network/host objects 18-12

service objects 18-12

for syslog messages

on IOS routers 18-7

for the selected MARS event

with multiple device matches 18-3

with no device match 18-3

from MARS

in read-only mode 18-1

in read-write mode 18-1

overview 18-4

sample case 18-1

taskflow 18-2

without Security Manager client running 18-3

from MARS events

in Security Manager 3.1.1 through 3.0.1 18-5

in Security Manager 3.2 18-5

guidelines for working 18-8

in MARS 4.3.4 and 5.3.4 18-5

parsing raw syslogs 18-5

in read-only mode

supported MARS versions 18-4

supported Security Manager versions 18-5

in read-write mode

improved rule matching accuracy 18-5

supported MARS versions 18-4

supported Security Manager versions 18-5

looking up device in MARS 18-4

MARS session object 18-5

multiple matches

for syslogs with insufficient details for parsing 18-6

starting a new client session 18-10

supported syslog IDs

for firewall devices 18-6

syslog messages supported

by IOS routers 18-6

by security appliances 18-6

syslogs supported for

by firewall devices 18-6

with multiple hostname matches 18-4

with Security Manager client active

in non-Workflow mode 18-3

in Workflow mode 18-3

with Security Manager client timed out 18-10

access rules

empty

policy lookup from MARS 18-12

hyperlink in rule number

read-only policy table 18-32

looking up

from MARS events (prerequisites) 18-20

from MARS events (procedure) 18-19

modified

after read-only policy display 18-13

not synchronized with device 18-13

on higher security interface, inbound

policy lookup 18-13

on lower security interface, inbound

policy lookup 18-13

policy query icon 18-12

on lower security interface, outbound

policy lookup 18-13

unavailable on the device

for MARS syslogs 18-13

Access Rules page

expanding objects

lookup from MARS events 18-23

highlighted row

after policy lookup from MARS 18-23

looking up

from MARS events 18-23

with Security Manager not installed 18-23

with Security Manager running 18-23

with Security Manager timed out 18-23

Accounts

expired

unlocking 3-4

ACS

configuring user names 3-8

Action 21-3

Activate button 23-18, 23-19, 23-21, 23-23, 25-1

activating reporting devices 2-28

explanation 19-7

what it does 2-28

when multiple users are logged in 19-8

when to use 2-28

Activation Settings page 19-9

activities

in an editable state

and policy table lookup from MARS 18-3

policy table lookup

with Security Manager client active 18-10

Add Event Action Filter dialog box

fields with

default values 18-29

values from MARS events 18-29

read-only signature policy page

in the MARS GUI 18-29

adding

cell phone number 24-11, 25-11

CSV file 2-21

devices 2-18

manually 2-18

seed file 2-21

drop rules 23-22

event groups 25-3

inspection rules 23-19

pager number 24-11, 25-11

seed file 2-21

service 25-8

user 24-10, 25-9

user group 25-12

adding IP groups 25-4

adding service provider 24-11, 25-11

Admin role

adding Security Manager

to MARS 18-16

admin roles, see user management 25-9

Adobe SVG 19-15

alert

action 23-15

Distributed Threat Management 23-15

Email 23-15

NONE 23-15

Page 23-15

SMS 23-15

SNMP 23-15

Syslog 23-15

hard drive 26-21

alerts 24-1

all matching event raw messages 22-7

all matching events 22-7

all matching sessions 22-7

anomaly detection, see NetFlow 2-32

approvers

associating with user account

for policy lookup from MARS 18-15

archive server

retrieving raw messages 26-3

ASA devices

supported software versions

for policy and events lookup 18-15

with multiple contexts

and policy lookup from MARS 18-4

prerequisite for policy table lookup 18-4

attack diagram 19-15

attack paths

L2 21-5

L3 21-5

audit trail 26-3

authentication

of MARS for policy lookup

Security Manager deleted from MARS 18-10

authentication settings

for MARS to access

Security Manager 18-15

policy table lookup

allow saving of credentials 18-19

using MARS credentials 18-18

using Security Manager credentials 18-18

B

backward compatibility

of policy table lookup

with Security Manager 3.0.x, 3.1.x 18-8

beep code 26-32

bootstrap

devices 1-5

bootstrapping

devices

for policy lookup 18-14

Security Manager server

for communication with MARS 18-15

bootstrapping devices

managed by MARS 18-14

browser settings

File Download dialog box 18-23

bytes transmitted 22-8

C

caching

MARS events

sessionization 18-11

policy rules

in read-only policy window 18-11

reusing query results 18-11

Security Manager credentials

until MARS session is active 18-9

Catalyst 6500 Series switches

supported software versions

for policy and events lookup 18-15

cell phone paging 24-11, 25-11

certificate

monitor status 26-11

upgrading from expired or fingerprint 26-11

certificate comparison

by MARS

conflict detection 18-9

storing a fresh copy after prompting 18-9

storing a fresh copy automatically 18-9

certificates

presented by Security Manager

compared by MARS during policy lookup 18-9

changing

drop rule status 23-21

inspection rule status 23-17

Cisco Adaptive Security Appliance, see Cisco ASA 5-1

Cisco ASA

add to MARS 5-14

bootstrapping 5-2

security context

add discovered 5-18

define reporting options for 5-19

make MARS aware of 5-17

Cisco Firewall Services Modules, see Cisco FWSM 5-1

Cisco FWSM

add to MARS 5-14

bootstrapping 5-2

security context

add discovered 5-18

define reporting options for 5-19

make MARS aware of 5-17

Cisco IOS routers

access lists with

log-input keyword 18-7

log keyword 18-7

access rule lookup

from MARS 18-2

supported software versions

for policy and events lookup 18-15

supported syslog IDs

for policy lookup 18-7

Cisco Network Security Database

See NSDB

Cisco Secure ACS

access settings for

MARS appliance 18-15

configuring user names 3-8

roles for

policy table lookup 18-16

Cisco Secure ACS, 802.1x feature support 15-5

Cisco Secure ACS, 802.1x support 15-1

Cisco Secure ACS, audit logs required by MARS 15-3

Cisco Secure ACS, bootstrap 15-3

Cisco Secure ACS, event logs studied by MARS 15-1

Cisco Secure ACS, MARS agent 15-7

Cisco Secure ACS, NAC support 15-1

Cisco Secure ACS, representing in MARS 15-12

Cisco Secure ACS, server support 15-2

Cisco Secure ACS, solution engine support 15-2

Cisco Secure ACS, supported versions 15-1

Cisco Secure ACS, TACACS+ command authorization 15-7

Cisco Security Manager Policy Query page

See read-only policy table

Cisco Security MARS

See MARS

Collapse All 21-5

columns

seed file 2-23

Common Services

AAA authentication for

MARS appliance 18-15

MARS user account, creating 18-16

MARS user not defined in

policy lookup 18-10

user account not defined in

logging in to MARS 18-10

Common Services roles

policy table lookup from MARS

Help Desk role 18-8

Common Vulnerabilities and Exposures 25-2

community strings 2-38

configuration

NetFlow 2-31

connection establishment messages

looking up access rules from MARS 18-2

connection protocol

between MARS and Security Manager

for policy table lookup 18-2

with MARS 18-18

connection-related messages

access rule lookup from MARS 18-3

generated by

outbound traffic, policy lookup 18-13

ICMP

access rule lookup from MARS events 18-5

management traffic

NP Identity Ifc keyword 18-5

number of matches

for access rule lookup 18-5

TCP

access rule lookup from MARS events 18-5

UDP

access rule lookup from MARS events 18-5

connection setup message

and session termination 18-5

common ID with teardown message 18-5

defining 18-5

connection teardown messages

2-minute gap with

connection setup 18-12

and corresponding setup syslog 18-5

direction details 18-5

in a different session from setup 18-12

looking up access rules from MARS 18-2

pre-NATed address 18-5

realtime event viewer 18-12

connectivity failure

from MARS to Security Manager

error message 18-9

connectivity test

between MARS and Security Manager

configuring administrative host 18-19

correct credentials 18-19

error message 18-19

failure due to incorrect credentials 18-9

success 18-19

Context Data events

on IPS and IDS sensors

policy query icon and 18-7

creating

report 22-25

cross-launch authentication settings

for policy lookup

allow saving of credentials 18-18

prompting user for credentials 18-18

using MARS credentials 18-18

modifying

to disable saving of Security Manager credentials 18-10

saving in MARS

for Security Manager not added 18-16

cross-launching

Security Manager client

from MARS events 18-1

without secure connection 18-9

CsmContentProvider file

downloading

during policy lookup 18-23

File Download dialog box

preventing from appearing 18-23

CSV files 2-21

custom log parser

selecting traffic type 17-14

custom signatures

policy lookup for 18-8

unknown device event type 18-27

CVE 25-2

D

Daemon Manager

not running on Security Manager

policy table lookup 18-9

data reduction 19-14

default certificate response

change 26-10

default fingerprint response

change 26-10

default password

change 26-8

deleting service 25-8

deployment

of access rule changes

synchronization with device 18-11

destination IP address ranking 22-6

destination network group ranking 22-6

destination network ranking 22-6

destination ranking 22-6

device, re-add 2-20

device lookup

for policy query from MARS

discovered devices 18-4

multiple matching hostnames 18-4

parameters passed 18-4

renaming device name 18-4

reporting IP address 18-4

single matching hostname 18-4

without domain name 18-4

devices

access rule lookup

from MARS 18-2

added to MARS only

policy lookup 18-12

adding to MARS 18-14

bootstrap overview 1-5

bootstrapping

for policy lookup 18-14

managed by MARS 18-14

define

overview 1-6

deleting 2-20

deleting all displayed 2-20

discovered but not submitted

policy lookup, error 18-12

edit 2-19

in MARS

multiple matches during policy lookup 18-3

no match during policy lookup 18-3

time synchronization, recommendation 18-14

managed by MARS and Security Manager

running compatible software version 18-13

managed by Security Manager

preparing for policy lookup 18-14

management traffic

between MARS and 18-14

mitigation

monitored by MARS 18-13

notification traffic

between MARS and 18-14

reporting

monitored by MARS 18-13

software versions

supported by MARS and Security Manager 18-15

synchronization with

changed policies 18-11

versions supported for policy lookup

by MARS and Security Manager 18-11

with matching hostname

policy lookup from MARS 18-4

with matching IP address

policy lookup from MARS 18-4

with multiple contexts

Device Properties page 18-4

differing host and context names 18-4

logging configuration 18-6

policy query icon 18-8

reporting IP address in MARS 18-8

setting hostname for policy lookup from MARS 18-4

without a unique match

policy lookup from MARS 18-4

without matching host and domain names

policy lookup from MARS 18-4

diagnostics

beep codes 26-32

diagrams

attack 19-15

discovering networks

automatic 2-40

discovery

in MARS

devices that do not allow 18-4

devices that support 18-4

scheduling 2-40

updating 2-40

display format

query 22-5

drop rule

activate and inactivate 23-21

drop rules

adding 23-22

editing 23-22

drop rule status

changing 23-21

dynamic information 21-10

dynamic vulnerability scanning 2-30

E

editing

drop rules 23-22

host information 25-6

inspection rules 23-18

IP groups 25-4

service 25-8

user 25-12

error message

testing connectivity

between MARS and Security Manager 18-19

error messages

policy table lookup from MARS

access rules not on device 18-12

addition of multiple Security Managers to Local Controller 18-8

changed Security Manager credentials not updated in MARS 18-9

connection setup syslog unavailable 18-12

connection teardown events in realtime viewer 18-12

connectivity to Security Manager 18-9

Daemon Manager not running on Security Manager 18-9

device added to MARS only 18-12

discovered but unsubmitted devices 18-12

empty access rules 18-12

HTTPS not enabled on Security Manager 18-9

implicit permit statement in access rules 18-13

incorrect Security Manager login credentials 18-9

management traffic events 18-12

modal dialog box open 18-10

modified signature on device 18-13

RPC connection failure 18-11

unsynchronized changes 18-11

event action filter

configuring

during policy table lookup from MARS 18-3

saving as a local policy 18-29

event groups 25-3

event log

changing pulling time interval for Windows 11-11

event management 25-1

editing 25-2

events

in MARS

caching, sessionization 18-11

in MARS, generated by

access rules 18-3

connection setup/teardown 18-3

IPS signatures 18-3

management traffic 18-12

in MARS, identifying

for access rule lookup 18-20

events lookup

device software versions

supported for 18-15

Event Type 21-3

event type group ranking 22-6

event type ranking 22-5

Expand All 21-5

expired

accounts 3-4

expired certificate 26-11

F

false positive

system determined 21-8

unconfirmed 21-8

user confirmed

false positive 21-8

positive 21-8

false positives

minimizing

signature tuning 18-7

tuning 21-5

tuning signatures 18-7

File Download dialog box

policy table lookup

from MARS events 18-23

preventing from appearing 18-23

filter

modem 26-31

fingerprint validation 26-9

FWSM

access rule lookup

from MARS 18-2

supported software versions

for policy and events lookup 18-15

with multiple contexts

and policy lookup from MARS 18-4

prerequisite for policy table lookup 18-4

G

gateways

intermediate

allowing flows between MARS and devices 18-14

Global Controller

policy query icon for events 18-8

policy table lookup and 18-8

viewing Security Manager server from 18-8

zone planning for

Security Manager mapping 18-16

H

hard drive

failure alert 26-21

hotswap procedure for MARS 55, 110R, 110, 210, GC2R, and GC2 26-26

raidstatus command 26-20

replacing in carrier 26-29

slot number diagram, MARS 55, 110R, 110, 210, GC2R, and GC2 26-25

hardware maintenance

MARS 55, 110, 110R, 210, GC2R, GC2 26-18

Help Desk role

modifying policy

from read-only policy table 18-16

historical events

policy lookup

error message 18-11

historical events lookup

device versions

supported for 18-15

hosts

adding 25-5

adding Security Manager on

a new one 18-17

an existing one 18-17

editing 25-6

Hot Spot Graph 19-15

hotswap

hard drives 26-20

power supply 26-30

procedure for MARS 55, 110R, 110, 210, GC2R, and GC2 26-26

I

ICMP connection-related messages

absence of necessary parameters 18-5

access rule lookup from MARS 18-5

accuracy of matching policies 18-5

example

for an ASA device 18-6

management traffic

access rule lookup 18-5

identifying 18-13

idle session timeout

of Security Manager

authentication of MARS 18-9

login credentials prompt during policy lookup 18-9

policy table lookup 18-9

idle timeout

exceeded for MARS session

without Security Manager client open before lookup 18-9

with Security Manager login credentials for lookup 18-9

IDSM-2 modules

supported software versions

for policy and events lookup 18-15

IDS sensors

Context Data events

and signature policy lookup 18-7

Packet Data events

and signature policy lookup 18-7

signature policy lookup

from MARS events 18-7

IIS

adding Security Manager

on an existing host 18-17

implicit permit

configured in access rules

lookup from MARS events 18-13

incident count 22-8

Incident Details page 21-4

accessing from

a search 18-20

Dashboard 18-20

Incidents page 18-20

Query/Reports tab 18-20

navigating to

read-only policy page 18-20

read-only signature policy page 18-24

policy query icon

for access rule lookup 18-20

for signature lookup 18-24

Incident ID 21-3

incident ID

Dashboard 18-20

Incidents page 18-20

locating using a search 18-20

Query Results page 18-20

Incident Path 21-3

incidents 19-13

action 21-3

correlation to events 18-19

description 18-19

event type 21-3

incident ID 21-3

incident path 21-3

incident vector 21-3

in MARS

policy table lookup and 18-2

instances 21-6

looking up access rule

and editing 18-20

matched rule 21-3

ranked by bytes transmitted 18-20

ranked by sessions 18-20

severity 21-3

time 21-3

time ranges 21-4

Incidents page

detecting incidents 18-19

viewing rules, events 18-19

incident table 21-5

Incident Vector 21-3

inspection rule

activate and inactivate 23-17

inspection rules

adding 23-19

editing 23-18

inspection rule status

changing 23-17

instances

incidents 21-6

interface objects

read-only access rule table

displayed in MARS 18-33

viewing contents

from read-only policy table 18-23

Internet Explorer

accessing MARS GUI using

for access rule lookup 18-21

for signature policy lookup 18-29

cached passwords

policy table lookup 18-21

File Download dialog box 18-23

remembered passwords

policy table lookup 18-21

Internet Information Services

See IIS

interoperation

of MARS and Security Manager

for policy lookup 18-1

IOS IPS devices

signature policy lookup

from MARS 18-2

IOS IPS sensors

supported software versions

for policy and events lookup 18-15

IP groups

adding 25-4

editing 25-4

IP management 25-3

adding

hosts 25-5

IP range 25-4

network 25-4

variable 25-4

IPS events

error message

invalid details 18-13

in MARS

fired by a signature 18-7

signature policy lookup 18-3

IPS sensors

Context Data events

and signature policy lookup 18-7

Packet Data events

and signature policy lookup 18-7

signature policy lookup

from MARS 18-2

supported software versions

for policy and events lookup 18-15

IPS signature policy lookup

authentication failure

during connection from MARS 18-2

communication

between MARS and Security Manager 18-14

device lookup query

sequence of actions 18-4

device software versions

supported for 18-15

error message, invalid events 18-13

error message, modified signature 18-13

event action filter, configuring 18-3

fields parsed from raw syslogs

for IPS events in MARS 18-7

for MARS events of type

Context Data 18-7

Packet Data 18-7

from MARS

for virtual sensors, error message 18-3

sample case 18-1

taskflow 18-2

without Security Manager client running 18-3

guidelines for working 18-8

looking up devices in MARS 18-4

overview 18-7

signature ID, using 18-7

starting a new client session 18-10

subsignature ID, using 18-7

with Security Manager client active

in non-Workflow mode 18-3

in Workflow mode 18-3

with Security Manager client timed out 18-10

IPS virtual sensors

signature policy lookup

from MARS events 18-7

L

L2 attack path 21-5

L3 attack path 21-5

Linux host, bootstrap 11-2

loading

MARS

seed file 2-25

Local Controller

adding

multiple Security Manager servers to 18-8

one Security Manager server to 18-8

adding Security Manager to

prerequisites 18-16

procedure 18-16

supported versions 18-16

using Admin role 18-16

defining for Security Manager

access IP address 18-17

credentials for discovery 18-18

hostname 18-17

interface details 18-17

operating system 18-17

reporting IP address 18-17

mapping to Security Manager 18-16

policy lookup

for managed devices 18-16

querying one Security Manager 18-16

same Security Manager on multiple

defining 18-16

Security Manager not added to

user credential fields 18-16

zone planning for multiple

mapping to Security Manager 18-16

Local User Setup page

defining

MARS user account 18-18

log files 26-2

logging in to

MARS

using an account not in Common Services 18-10

using read/write privileges 18-10

Security Manager

after error during policy lookup 18-11

using a different account from the one in MARS 18-10

logging level

changing for firewalls

and syslogs in MARS 18-6

default

large number of events 18-7

logging message command 18-7

logging traffic

between MARS and monitored devices

enabling 18-14

login credentials

of Security Manager

saved in MARS during policy lookup 18-9

login credentials, Security Manager

authenticating MARS

Security Manager deleted from MARS 18-10

deleting

from User Configuration page 18-10

editing

from User Configuration page in MARS 18-10

read-only signature policy table 18-34

saving during policy lookup 18-18

using a different account from the one in MARS

for policy lookup 18-10

login dialog box

read-only policy page

disabling saving of credentials 18-19

enabling saving of credentials 18-19

Login Failure

procedure to unlock 3-15

log-input keyword

access lists on IOS routers 18-7

output details 18-7

login username, Security Manager

read-only access rule table 18-31

read-only signature policy table 18-34

log keyword

access lists on IOS routers 18-7

output details 18-7

looking up

access rules

from MARS, overview 18-4

from MARS, procedure 18-19

from MARS events (prerequisites) 18-20

from Multiple Devices window 18-21

from Multiple Events window 18-21

from Policy Table window 18-21

devices in MARS

for policy table query 18-4

signature policies

from MARS events (overview) 18-24

from MARS events (procedure) 18-24

low-latency query

for MARS events

display of policy query icon 18-11

parsing 18-11

M

MAC address report 22-7

management

events 25-1

IP 25-3

service 25-7

user 25-8

management traffic

between MARS and monitored devices

enabling 18-14

connection-related messages

access rule lookup from MARS 18-5

policy lookup

error message 18-12

mapping

Local Controller

to Security Manager 18-16

MARS

access rule lookup

overview 18-4

adding devices to 18-14

adding Security Manager to

users with admin privileges 18-9

audit trail 26-3

bootstrapping managed devices 18-14

checklist for

policy table lookup 18-13

committed view

of Security Manager policy 18-11

deployed view

of Security Manager policy 18-11

device lookup for policy query 18-4

devices

identifying for policy lookup 18-13

running supported software for lookup 18-13

device software versions

supported for policy lookup 18-11

downloading Security Manager 18-10

easily-readable event data 18-1

integration with Security Manager

for access rule lookup 18-1

for signature lookup 18-1

Local Controller

mapping to Security Manager 18-16

log files 26-2

mitigation of security threats

and policy changes 18-1

navigating to Incident Details page

from Incidents page 18-2

from Query page 18-2

from Summary page 18-2

policy table lookup

more accurate mapping of events in 4.3.4 and 5.3.4 18-5

read-only rule table, matched rules 18-3

reusing an existing Security Manager instance 18-3

time taken for 18-10

with Security Manager client not installed 18-3

with Security Manager client not running 18-3

with Security Manager in non-Workflow mode 18-3

with Security Manager in Workflow mode 18-3

with Security Manager session timed out 18-3

reusing Security Manager instance 18-10

sessionized events

access rule lookup 18-5

starting a new instance of Security Manager

with client session active 18-10

starting Security Manager client

for modifying policies 18-1

starting Security Manager for policy lookup

using Security Manager credentials 18-10

taskflow

for policy table query 18-2

User Configuration page

Security Manager credentials 18-10

versions 4.2.1 through 5.3.1

access rule lookup 18-5

versions 4.3.4 and 5.3.4

access rule lookup 18-5

versions supported

for read-only policy lookup 18-1

for read-write policy lookup 18-1

viewing security incidents 18-1

MARS appliance

activating 18-19

adding Security Manager to

with admin user privileges 18-9

without admin user privileges 18-9

adding Security Manager to (procedure) 18-16

comparing certificate from Security Manager

during policy lookup 18-9

configuring access to

Security Manager 18-15

solving conflict with stored certificate

during policy lookup 18-9

testing connectivity

with Security Manager 18-19

time synchronization

recommendation 18-14

MARS authentication

with Security Manager for policy lookup

credentials, caching of 18-9

deleting Security Manager from MARS 18-10

editing Security Manager credentials in MARS 18-10

MARS database

deleting

Security Manager credentials 18-10

Security Manager server from 18-10

saving Security Manager credentials

during policy lookup 18-18

submitting to

Security Manager addition 18-19

MARS events

for connection teardown

in realtime event viewer 18-12

generated by

management traffic 18-12

generated by custom signatures

and policy lookup 18-8

improved mapping of

to Security Manager policies 18-5

IPS

invalid details, policy lookup 18-13

looking up access rule

and editing 18-20

navigating from

to access rule policy 18-19

to IPS signature policy 18-24

of type

Context Data 18-7

NetFlow 18-8

Packet Data 18-7

parsing raw syslogs

for access rule lookup 18-5

policy lookup from

checklist for 18-13

sessionized

access rule lookup 18-5

policy query icon 18-11

with 5-tuple data

policy query icon and 18-5

MARS Global Controller

See Global Controller

MARS GUI

accessing using

Internet Explorer, note 18-21

MARS incidents

See incidents

MARS Local Controller

See Local Controller

MARS session

idle timeout, exceeding

and Security Manager client session 18-9

MARS session timeout

caching Security Manager credentials 18-9

MARS user account

defining in Common Services

associating with roles 18-15

for policy lookup 18-16

not defined in Common Services

prompting for credentials 18-10

MARS user credentials

cross-launch authentication

benefits of 18-18

defining 18-18

MARS user roles

Admin

editing Security Manager credentials 18-10

for modifying Security Manager credentials 18-9

Notifications Only

disabling saving of Security Manager credentials 18-10

Operator

disabling saving of Security Manager credentials 18-10

Security Analyst

editing Security Manager credentials 18-10

MARS web interface

policy table lookup

with Security Manager not installed 18-10

matched incident ranking 22-7

Matched Rule 21-3

matched rule ranking 22-7

matching access rules

retrieved during

policy lookup 18-3

matching rules

accurate mapping of syslogs 18-5

in read-only policy table

policy lookup from MARS 18-3

not found

during policy lookup 18-13

number of

for connection-related messages 18-5

permit ACE 18-5

matching signatures

in read-only policy table 18-8

policy lookup from MARS 18-8

MIB

MARS format 2-58

Microsoft Windows host, bootstrap 11-4

mitigate 21-5

mitigation

of security threats

using policy lookup from MARS 18-1

mitigation policy

suggested content 1-1

modal dialog box

looking up policy table

from MARS 18-10

Modems

line impedance matching filter 26-31

monitoring

network attacks

using MARS events 18-1

policy table lookup and 18-1

monitoring policy

suggested content 1-1

Multiple Devices window

description 18-21

Multiple Events window

description 18-21

MySDN

accessing from

read-only signature policy table in MARS 18-35

N

NAC, AAA server support 15-1

NAT connection report 22-7

navigating

from MARS events

to policies 18-1

to Security Manager 3.0.x or 3.1.x 18-8

to Security Manager 3.2 18-8

to access rule policy

from MARS events 18-19

to IPS signature policy

from MARS events 18-24

to other MARS pages

from read-only access rule table 18-30

from read-only signature policy table 18-34

to permit ACE

from ICMP connection-related messages 18-20

from TCP connection-related messages 18-20

from UDP connection-related messages 18-20

navigating from MARS

for configuring event action filters 18-8

NetFlow, enable processing 2-35

NetFlow 2-31

configuration 2-31

Global NetFlow UDP Port 2-36

NetFlow, bootstrap reporting devices 2-33

NetFlow, enable processing 2-36

NetFlow, examined networks 2-36

NetFlow, guidelines 2-33

NetFlow, how it is used 2-32

NetFlow, performance tuning 2-36

NetFlow, supported versions 2-32

NetFlow events

policy query icon for 18-8

NetScreen

IDP 2.x 7-47

IDP 3.x 7-47

IDP 4.0 7-47

IDP-Management Server 7-47

Security Manager 7-47

network/host objects

destination

read-only access rule table 18-32

expanding contents

read-only policy table 18-12

source

read-only access rule table 18-32

network administrators

associating with user account

for policy lookup from MARS 18-16

network group ranking 22-6

network operators

associating with user account

for policy lookup from MARS 18-16

network ranking 22-6

Network Status tab

Incidents 19-17

Top Destinations 19-18

Top Event Types 19-18

Top Sources 19-18

Network Summary dashboard

detecting incidents 18-19

viewing rules, events 18-19

non-Workflow mode

access rule matches

with Security Manager running 18-23

policy table lookup

from MARS events 18-3

with Security Manager client active 18-10

with Security Manager not running 18-10

notification traffic

between MARS and monitored devices

enabling 18-14

NP Identity Ifc keyword

TCP, UDP connection-related syslogs

access rule lookup and 18-5

NSDB

accessing from

read-only signature policy table in MARS 18-35

O

Order/Rank By 22-7

order by 22-7

bytes transmitted 22-8

incident count 22-8

session count 22-7

time 22-8

P

Packet Data events

huge syslog messages 18-7

on IPS and IDS sensors

policy query icon and 18-7

pager 24-11, 25-11

parsing

invalid syslog messages 18-13

MARS session object

for access rule lookup 18-5

missing 5-tuple data

events in MARS 18-11

raw IPS event messages

for signature policy lookup 18-7

raw syslogs

for access rule lookup from MARS 18-5

password

change default 26-8

password, Security Manager

read-only access rule table 18-31

read-only signature policy table 18-34

performance

of MARS

number of rules 18-11

of Security Manager

number of rules 18-11

PIX

add to MARS 5-14

bootstrapping 5-2

security context

add discovered 5-18

define reporting options for 5-19

make MARS aware of 5-17

PIX firewalls

supported software versions

for policy and events lookup 18-15

PIX Security Appliance, see PIX 5-1

PN Log agent 15-7

PN Log Agent, error messages 15-10

PN MARS

seed file columns 2-23

policy lookup 18-12

policy lookup from MARS 18-11

policy query icon

displayed for

access rule matches 18-2

connection-related messages 18-2

signatures fired 18-2

displayed in

read-only lookup 18-5

read-write lookup 18-5

for access rules

not found on the device 18-12

for connection-related messages

generated by management traffic 18-5

for Context Data events 18-7

for devices with multiple contexts

without reporting IP address 18-8

for events in Global Controller 18-8

for NetFlow events 18-8

for Packet Data events 18-7

for Unknown Device Event Type

triggered by custom signatures 18-8

for unsupported syslog IDs

generated by IOS routers 18-7

Incident Details page 18-2

inconsistent display

query types and 18-11

in Reporting Device column 18-20

no matching rules, error 18-12

virtual sensors, error 18-12

policy query login dialog box

saving Security Manager credentials 18-9

Policy Query popup window

See read-only policy table

policy table lookup

associating user roles and permissions 18-8

authentication failure

during connection from MARS 18-2

authentication options

using MARS credentials 18-2

using Security Manager credentials 18-2

backward compatibility from MARS 4.3.4, 5.3.4

with Security Manager 3.0.x, 3.1.x 18-8

checklist for 18-13

cross-launch authentication settings 18-18

deleting

Security Manager credentials 18-10

device lookup query

sequence of actions 18-4

devices with multiple contexts

prerequisites for 18-4

error message 18-9, 18-10, 18-12

event action filter, configuring 18-3

for access rules

in MARS 4.2.1 through 5.3.1 18-5

parsing syslogs 18-5

for connection-related syslogs

number of matches 18-5

for the selected MARS event

with multiple device matches 18-3

with no device match 18-3

from MARS

for access rules in Security Manager 18-1

for signatures in Security Manager 18-1

sample case 18-1

signature, modifying 18-8

taskflow 18-2

guidelines for working 18-8

HTTPS connection with MARS 18-2

in read-only mode

absence of connection direction in syslogs 18-5

absence of post-NAT addresses in syslogs 18-5

supported Security Manager and MARS versions 18-1

in read-write mode

supported Security Manager and MARS versions 18-1

MARS user roles 18-9

modal dialog box 18-10

overview of

access rule lookup 18-4

prompting for credentials

MARS user not in Common Services 18-10

reusing an existing Security Manager instance 18-3

signature policies, overview 18-7

time taken for 18-10

with Security Manager client active

in non-Workflow mode 18-3

in Workflow mode 18-3

with Security Manager client not installed 18-3

with Security Manager client not running 18-3

with Security Manager session timed out 18-3

policy table lookup and

Cisco Secure ACS roles

policy table lookup from MARS 18-8

Policy Table window

See read-only policy table

description 18-21

post NAT destination addresses 22-11

post NAT source addresses 22-10

pre NAT destination addresses 22-11

pre NAT source addresses 22-10

protocol ranking 22-6

public networks 2-39

Q

queries

action

ANY 22-12

actions 22-12

criteria, matching

access rule lookup 18-23

destination IP 22-11

ANY 22-11

devices 22-11

IP addresses 22-11

IP ranges 22-11

networks 22-11

post NAT destination addresses 22-11

pre NAT destination addresses 22-11

devices 22-11

display format

all matching event raw messages 22-7

all matching events 22-7

all matching sessions 22-7

destination IP address ranking 22-6

destination ranking 22-6

event type group ranking 22-6

MAC address report 22-7

matched incident ranking 22-7

matched rule ranking 22-7

NAT connection report 22-7

protocol ranking 22-6

reporting device ranking 22-7

reporting device type ranking 22-7

source IP address ranking 22-6

source port ranking 22-6

unknown event report 22-7

use only firing events 22-8

event type grouping 22-11

event types 22-11

ANY 22-11

in MARS

low-latency 18-11

realtime event 18-11

operation

AND 22-12, 23-13

FOLLOWED-BY 22-12, 23-13

none 22-12, 23-13

OR 22-12, 23-13

parameters for

signature events 18-24

result format

destination network group ranking 22-6

destination network ranking 22-6

event type ranking 22-5

network group ranking 22-6

network ranking 22-6

reported user ranking 22-7

source network group ranking 22-6

source network ranking 22-6

results

returning incidents 18-20

rule 22-12

ANY 22-12

save as

reports 22-13

rules 22-13

service

ANY 22-11

defined services 22-11

service variables 22-11

severity

ANY 22-12

green 22-12

red 22-12

yellow 22-12

source IP

ANY 22-10

devices 22-10

IP addresses 22-10

IP ranges 22-10

networks 22-10

post NAT source addresses 22-10

pre NAT source addresses 22-10

variables 22-10

time range

last 22-8

start and end times 22-8

zone 22-12

query

display format 22-5

reporting device ranking 2-28

Query/Reports tab

identifying event

for access rule lookup 18-20

for signature policy lookup 18-25

identifying incident

for access rule lookup 18-20

for signature policy lookup 18-25

querying

for MARS events from devices

without reporting IP address 18-8

for Unknown Reporting Devices in MARS 18-8

Security Manager policies

from MARS events 18-1

Query page 22-1

defining query parameters

for access rule events 18-20

for signature events 18-24

R

rank by 22-7

bytes transmitted 22-8

incident count 22-8

session count 22-7

time 22-8

raw messages

archive folder location 26-4

file name format 26-4

maximum size stored 26-4

retrieve from local controller database 26-6

retrieving from archive server 26-3

read-only access rule table

first match highlighted 18-23

hyperlink in rule number 18-32

in MARS

viewing matched rules 18-3

interface objects 18-33

in the MARS GUI

field descriptions 18-30

login username, Security Manager 18-31

multiple matches 18-23

navigating

to Access Rules page 18-31

to a page number 18-23

navigating across pages 18-23

navigating to other MARS pages 18-30

network/host objects

destination 18-32

source 18-32

pagination 18-23

Security Manager icon

refreshing the page 18-31

Security Manager login credentials 18-31

Security Manager login password 18-31

selecting number of items 18-23

switching between matched rules 18-23

read-only mode

policy lookup from MARS and 18-1

read-only policy table

after display of

access rules, modifying 18-13

caching of query results 18-11

editing signature from 18-8

error message

corrective action 18-12

device added to MARS only 18-12

event action filter, configuring 18-8

expanding

network/host objects 18-12

service objects 18-12

matching access rules

for connection-related syslogs 18-5

matching rules 18-3

modifying policy

using Help Desk role 18-16

saving Security Manager credentials 18-18

starting Security Manager client from

for access rule syslogs 18-1

for signature syslogs 18-1

read-only signature policy page

accessing from

Dashboard 18-34

Incidents page 18-34

Query Reports tab 18-34

search for incident ID 18-34

adding

event action filter 18-29

editing signature 18-29

navigating

to other MARS pages 18-34

to Signatures page 18-34

Security Manager icon

refreshing the page 18-34

starting Security Manager client 18-29

viewing

Security Manager details 18-29

signature parameters 18-36

read-only signature policy table

opening

MySDN 18-35

NSDB 18-35

password, Security Manager 18-34

Security Manager login credentials 18-34

Security Manager login username 18-34

read-write mode

policy lookup from MARS and 18-1

realtime events

policy lookup

error message 18-11

realtime events lookup

device versions

supported for 18-15

realtime event viewer

access rule lookup

for connection teardown events 18-12

remediation policy

suggested content 1-1

removing

user 25-12

report

adding 22-25

delete 22-26

edit 22-26

new 22-25

reported user ranking 22-7

Reporting Applications tab

deleting

Security Manager credentials 18-10

dimming out

Security Manager credentials 18-10

MARS user roles

Notifications Only 18-10

Operator 18-10

Security Manager user credentials

for initial communication 18-9

using MARS credentials

not defined in Common Services 18-10

reporting device ranking 22-7

reporting device type ranking 22-7

reporting IP address

for devices with multiple contexts

policy table lookup 18-8

reports

viewing 22-19, 22-25

reports, view type, CSV 22-24

reports, view type, recent 22-24

reports, view type, total 22-24

reports, view types 22-23

report views, CSV 22-24

report views, peak 22-24

reports, view type, peak 22-24

report views, recent 22-24

report views, total 22-24

rules

destination IP

ANY 23-8

devices 23-8

DISTINCT 23-8

IP addresses 23-8

IP ranges 23-8

Network Groups 23-8

networks 23-8

SAME 23-8

variables 23-8

device 23-11

ANY 23-11

Unknown Reporting Device 23-11

variables 23-11

event type grouping 23-10

event types 23-10

ANY 23-10

variables 23-10

reported user

ANY 23-11

Invalid User Name 23-11

NONE 23-11

variables 23-11

service

ANY 23-9

defined groups 23-10

defined services 23-10

service variables 23-9

severity

ANY 23-12

green 23-12

red 23-12

yellow 23-12

source IP

devices 23-7

IP addresses 23-7

IP ranges 23-7

Network Groups 23-7

networks 23-7

variables 23-7

runtime logging 26-1

S

scheduling

discovery 2-40

security contexts

add discovered 5-18

define reporting options 5-19

make MARS aware of 5-17

Security Manager policy query icon

See policy query icon

Security Manager Policy Query page

See read-only policy table

security policies

objectives of 1-1

security policy

suggested content 1-1

see CVE 25-2

seed file

CSV file 2-21

loading 2-25

sensor ID

in IPS syslog messages in MARS

for virtual sensors 18-7

service

adding 25-8

deleting 25-8

editing 25-8

editing groups 25-7

service group

adding 25-7

service management 25-7

service objects

expanding contents

read-only policy table 18-12

read-only access rule table

displayed in MARS 18-32

service provider

adding 24-11, 25-11

services

adding group 25-7

session count 22-7

sessionized events

MARS

policy query icon 18-11

setting

runtime logging levels 26-1

Severity icons 21-3

Short Message Service

See SMS. 23-15

signature ID

parsed from IPS event messages

for signature policy lookup from MARS 18-7

signature policy lookup

See IPS signature policy lookup

signatures

description 18-7

hyperlinked ID

opening MySDN 18-35

opening NSDB 18-35

looking up from events

minimizing false negatives 18-24

minimizing false positives 18-24

tuning 18-24

modifying

during policy lookup from MARS 18-8

modifying on device

policy lookup, error 18-13

parameters, viewing

from read-only policy page in MARS 18-36

Signatures page

navigating from MARS events

with Security Manager not installed 18-29

with Security Manager running 18-29

with Security Manager timed out 18-29

signature summary table

for editing signatures 18-8

navigating from MARS 18-8

Simple Network Management Protocol

See SNMP. 23-15

SNMP RO, unsupported characters 2-9, 2-23, 2-30

Snort

syslog format expectation 7-43

Solaris host, bootstrap 11-2

source IP address ranking 22-6

source network group ranking 22-6

source network ranking 22-6

source port ranking 22-6

SSH

fingerprint validation 26-9

SSL

certificate validation 26-9

stacked charts 19-18

standard query

for MARS events

display of policy query icon 18-11

static information 21-10

subsignature ID

parsed from IPS event messages

for signature policy lookup from MARS 18-7

syslog

alert forwarding 2-55

disable relay 2-57

enable relay 2-56

forwarding

status reports 2-57

message forwarding 2-55

troubleshoot relay 2-57

syslog message IDs

for firewall devices

supported for policy lookup from MARS 18-6

for IOS routers

supported for policy lookup from MARS 18-7

supported for policy lookup from MARS

by firewall devices 18-6

unsupported

for policy lookup 18-13

policy query icon 18-13

syslog messages

for IPS events

absence of sensor ID 18-7

parsing 18-7

for Packet Data events 18-7

generated by access rules

supported for policy lookup from MARS 18-5

generated by connection setup/teardown

supported for policy lookup from MARS 18-5

generated by IOS 12.2 routers

example, with ACL name 18-6

generated by PIX firewalls

example, with access group name 18-6

parsing for access rule lookup from MARS 18-5

system administrators

associating with user account

for policy lookup from MARS 18-16

system determined false positive type 21-8

system log messages

changing the severity level 18-7

connection teardown

policy lookup, error 18-12

deployed rules

synchronization with device 18-11

for access rule lookup

with log keyword 18-6

without log keyword 18-6

for access rules on IOS routers

with log-input keyword 18-7

with log keyword 18-7

for IOS routers

contents 18-7

format

for ASA devices 18-6

for FWSM 18-6

for PIX devices 18-6

generated by access rules

unavailable on device 18-13

in MARS, generated by

access rules 18-3

connection setup/teardown 18-3

IPS signatures 18-3

invalid format

policy lookup 18-13

logging level

for access rule lookup 18-6

with default level and interval 18-6

T

table

incidents 21-5

taskflow

for policy table lookup

from MARS events 18-2

TCP connection-related message

access rule lookup 18-5

example

for an ASA device 18-6

testing

connectivity

between MARS and Security Manager 18-19

Time 21-3

time consumption

for policy table lookup

number of rules 18-11

with Security Manager client open 18-10

Timeout Interval, setting for GUI and CLI 19-5

time ranges

incidents 21-4

Topology

toggle device display 19-17

traffic flows

between MARS and devices

enabling 18-14

identify and enable 1-4

troubleshoot, cannot add device 2-20

troubleshoot, cannot re-add device 2-20

troubleshooting

access rules quickly

using policy lookup 18-1

firewall and signature configurations

using policy lookup 18-1

network events

using policy lookup from MARS 18-1

tuning

false positives 21-5, 21-9

U

UDP connection-related message

access rule lookup 18-5

example

for an ASA device 18-6

unconfirmed false positive type 21-8

Unknown Device Event Type

custom signatures and 18-8

unknown event report 22-7

Unknown Reporting Devices

querying for

in MARS 18-8

unlock

after login failure 3-15

CLI command

after login failure 3-4

use only firing events 22-8

user

adding 24-10, 25-9

editing 25-12

removing 25-12

user account

associating roles for

policy lookup 18-15

creating a separate one

for policy lookup 18-16

for MARS

defining in Security Manager 18-15

for Security Manager discovery

defining in MARS 18-18

separate one for audit trail 18-15

with admin privileges

for adding Security Manager to MARS 18-9

User Configuration page

disabling

saving of credentials 18-19

in MARS

deleting Security Manager credentials 18-10

editing Security Manager credentials 18-10

Security Manager credentials disabled 18-10

message, displaying

while using MARS credentials 18-19

user confirmed false positive type 21-8

user confirmed positive type 21-8

user credentials

for Security Manager discovery

defining in MARS 18-18

of Security Manager added to MARS

in Reporting Applications tab 18-9

in the User Configuration page 18-9

Reporting Applications tab of MARS

different from those in User Configuration page 18-9

User Configuration page of MARS

authenticating Security Manager 18-9

populated from policy query login dialog box 18-9

user group

adding 25-12

user management 25-8

roles defined 25-9

user roles

for policy lookup from MARS 18-15

for policy table lookup from MARS 18-8

in MARS

editing Security Manager credentials 18-10

modifying Security Manager credentials 18-9

Notifications Only 18-10

Operator 18-10

V

validation

fingerprint 26-9

valid networks 2-39

variables 22-10, 22-11, 23-7, 23-8

views

committed 18-11

deployed

policy lookup from MARS 18-11

virtual sensors

signature policy lookup

from MARS events 18-7

W

Workflow mode

access rule matches

with Security Manager running 18-23

policy table lookup

editable activities 18-10

from MARS events 18-3

with Security Manager client active 18-10

with Security Manager not running 18-10

Z

zone planning

for Global Controller 18-16

for multiple Local Controllers 18-16