Logging on Cisco IOS Routers
Security Manager provides the following policies for configuring logging on a Cisco IOS router:
- Syslog Logging Setup—Enable the syslog-logging feature, and define basic logging parameters. For more information, see Defining Syslog Logging Setup Parameters.
- Syslog Servers—Define the remote servers to which syslog messages are sent. For more information, see Defining Syslog Servers.
- NetFlow—Enable NetFlow logging by providing parameters and interfaces. See Defining NetFlow Parameters for more information.
Note We strongly recommend configuring a Network Time Protocol (NTP) policy on all routers on which logging is enabled. NTP synchronization provides accurate timestamps for syslog messages, which is essential for comparing logs on multiple devices.
Defining Syslog Logging Setup Parameters
This procedure describes enabling syslog logging on the router, and defining which messages are sent to a syslog server. In addition, you can optionally define:
- The source interface for all syslog messages sent from this device.
- The messages that are saved to a local buffer.
- An origin identifier added to each message.
- A rate limit on the number of messages that can be sent.
Note To send syslog messages from the router to a syslog server, you must also define the IP address of the syslog server. For more information, see Defining Syslog Servers.
Step 1 Do one of the following to access the router’s Syslog Logging Setup page:
- (Device view) Select Platform > Logging > Syslog Logging Setup from the Policy selector.
- (Policy view) Select Router Platform > Logging > Syslog Logging Setup from the Policy Type selector. Select an existing policy or create a new one.
The Syslog Logging Setup page is displayed. See Table 62-2 for a description of the fields on this page.
Step 2 Select Enable Logging to turn on the syslog logging feature. If this option is not selected, no log messages are created.
Tip To use the device’s default logging settings, or to restore the default settings, simply select Enable Logging, ensure all other fields are blank, then click Save. The default settings vary by device. See your router documentation for more details.
Step 3 (Optional) In the Source Interface field, enter the name of the interface or interface role whose address should be used as the source interface for all log messages sent to a syslog server; or click Select to select an interface role from a list or to create a new one. The source interface must have an IP address.
This option is useful when the syslog server cannot reach the address from which the connection originated (for example, due to a firewall). If you do not enter a value in this field, the address of the outgoing interface is used.
Step 4 (Optional) To send log messages to a syslog server:
a. Select Enable Trap. This option is selected by default.
b. Select a value from the Trap Level list. All messages of this severity or greater (that is, having the same or a lower severity-level number) are sent to the syslog server; messages of a lesser severity are ignored. For more information about severity levels, see Table 62-1.
Step 5 (Optional) To save log messages locally to a buffer on the router:
a. Select Enable Buffer. This option is selected by default.
b. Enter the Buffer Size in bytes.
c. Select the lowest severity level for messages to be saved to the buffer. All messages of that severity level or greater are saved to the buffer.
d. Select Use XML Format to save messages in XML format. (You can configure both the regular buffer and the XML buffer in the same policy.) If you select this option, enter the size of the XML buffer in bytes.
Note Make sure not to make buffers so large that the router runs out of memory for other tasks. If this happens, deployment may fail.
Step 6 (Optional) Define a rate limit to prevent a flood of output messages:
a. Select Enable Rate Limit. This option is selected by default.
b. Enter the maximum number of messages that can be sent per second.
c. Select the severity levels to exclude from the rate limit. For example, if you select 2 (critical), all syslog messages of severity levels 0-2 are sent to the syslog server regardless of the defined rate limit.
d. Select All Messages to apply the rate limit to all syslog messages except console messages (and excepting those severity levels specifically excluded above).
e. Select Console Messages to apply the rate limit to console messages only.
Note If you enable rate limiting without specifying any options, the default settings (10 messages per second, applied to console messages only) are applied.
Step 7 (Optional) To add an origin identifier to the beginning of each syslog message:
a. Select the type of origin ID to send—the IP address of the router, its host name, or a text string that you provide.
b. If you select String, enter the desired text in the field provided. Spaces are permitted.
The origin identifier is useful for identifying the source of syslog messages in cases where you send output from multiple devices to a single syslog server.
Note The origin identifier is not added to messages sent to local destinations, such as the buffer, the console, and the monitor.
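The trap-level and rate-limit behaviour configured in Steps 4 and 6, modelled in Python as an added example (not Security Manager or IOS code) so you can see which messages a syslog server would actually receive. It assumes the standard IOS message tag %FACILITY-SEVERITY-MNEMONIC and the standard IOS level names; the sample messages and the origin-id string rtr-edge1 are constructed.

```python
import re
from collections import deque
from typing import List, Optional

# Cisco IOS syslog severity levels: the lower the number, the greater the severity.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# IOS messages carry their severity in the %FACILITY-SEVERITY-MNEMONIC tag.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")

# Constructed sample messages, prefixed with a string origin-id ("rtr-edge1").
SAMPLE_LINES = [
    "rtr-edge1: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "rtr-edge1: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(4444) -> 10.0.1.2(22), 1 packet",
    "rtr-edge1: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "rtr-edge1: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed",
    "rtr-edge1: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug text",
]

def parse_severity(line: str) -> Optional[int]:
    """Return the numeric severity of an IOS syslog line, or None if it has no tag."""
    m = MSG_RE.search(line)
    return int(m.group("severity")) if m else None

def passes_trap_level(severity: int, trap_level: int) -> bool:
    """Trap Level semantics (Step 4): messages of the same or greater severity,
    i.e. the same or a lower number, are sent; lesser severities are ignored."""
    return severity <= trap_level

class RateLimiter:
    """Step 6 semantics: at most `per_second` messages in any one-second window,
    with severities 0..except_level exempt (except_level=2 exempts levels 0-2)."""
    def __init__(self, per_second: int, except_level: Optional[int] = None) -> None:
        self.per_second = per_second
        self.exempt = set(range(except_level + 1)) if except_level is not None else set()
        self.sent = deque()  # send times inside the current one-second window

    def allow(self, severity: int, now: float) -> bool:
        if severity in self.exempt:
            return True
        while self.sent and now - self.sent[0] >= 1.0:
            self.sent.popleft()
        if len(self.sent) >= self.per_second:
            return False  # dropped by the rate limit
        self.sent.append(now)
        return True

def delivered_to_server(lines: List[str], times: List[float], trap_level: int,
                        limiter: RateLimiter) -> List[str]:
    """Return the lines a syslog server would receive from the router."""
    out = []
    for line, t in zip(lines, times):
        sev = parse_severity(line)
        if sev is not None and passes_trap_level(sev, trap_level) and limiter.allow(sev, t):
            out.append(line)
    return out

def demo() -> List[str]:
    """Trap Level 6 (informational), 2 messages per second, levels 0-2 exempt,
    all five constructed samples arriving within the same second."""
    limiter = RateLimiter(per_second=2, except_level=2)
    return delivered_to_server(SAMPLE_LINES, [0.0] * len(SAMPLE_LINES), 6, limiter)

if __name__ == "__main__":
    for line in demo():
        sev = parse_severity(line)
        print(f"[{sev} {SEVERITY_NAMES[sev]}] {line}")
```

In the demo the %LINK-3-UPDOWN message is dropped by the rate limit while the exempted %SYS-2 message still arrives, which is why the severity levels you must never lose should be excluded from the limit when you enable it.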
Defining Syslog Servers
This procedure describes how to define the servers to which the router should send syslog messages. When you define a syslog server, you can choose whether the logging messages it receives should be forwarded as plain text or in XML format.
If you define multiple syslog servers, logging messages are sent to all of them.
Before you begin, enable syslog logging and define basic logging parameters on the Syslog Logging Setup page. For more information, see Defining Syslog Logging Setup Parameters.
Step 1 Do one of the following to access the router’s Syslog Servers page:
- (Device view) Select Platform > Logging > Syslog Servers from the Policy selector.
- (Policy view) Select Router Platform > Logging > Syslog Servers from the Policy Type selector. Select an existing policy or create a new one.
The Syslog Servers page is displayed. See Table 62-3 for a description of the fields on this page.
Step 2 To define a server to receive syslog messages from this router, click the Add button below the table to open the Syslog Server dialog box. See Table 62-4 for more about this dialog box.
Step 3 In the IP Address field, enter the address of the desired syslog server, or click Select to select a network/host object from a list or to create a new one. For more information, see Specifying IP Addresses During Policy Definition.
Step 4 (Optional) Select Forward Messages in XML Format to forward received syslog messages in XML format instead of plain text.
Step 5 Click OK to save your definition and close the dialog box. The syslog server you defined is displayed in the table.
Note To edit a syslog server, select it from the table, then click Edit. To remove a syslog server, select it, then click Delete.
Understanding Log Message Severity Levels
Syslog messages on Cisco IOS routers are classified into eight severity levels. Each severity level is identified by a number and a corresponding name. The lower the number, the greater the severity, as shown in the following table.
NetFlow on Cisco IOS Routers
The ability to characterize IP traffic and understand how and where it flows is critical for network availability, performance and troubleshooting. Monitoring IP traffic flows facilitates accurate capacity planning, and ensures that network resources are used appropriately in support of organizational goals.
NetFlow is a logging feature available on IOS devices for recording, caching and transmitting IP traffic-flow information on a per-interface basis. The basic output of NetFlow is a flow record, where a “flow” is defined as a unidirectional stream of packets between a given source and destination—both defined by a network-layer IP address and transport-layer source and destination port numbers.
On the IOS device, NetFlow consists of two key components—a NetFlow cache which stores IP flow data, and the NetFlow export mechanism that transmits the NetFlow records to a collection server for data reporting. Thus, when enabled, NetFlow records and caches statistics for incoming and outgoing traffic flows, periodically transmitting these records from the device to a NetFlow collector, in the form of User Datagram Protocol (UDP) datagrams.
Several different formats for the export packet, or flow record, have evolved as NetFlow has matured, and these formats are commonly referred to as the NetFlow version. These versions are well documented, and include versions 1, 5, 7, and 9. The most commonly used format is NetFlow version 5, but version 9 is the latest format and has some advantages for extensibility, security, traffic analysis and multicasting.
Security Manager currently supports Traditional NetFlow on IOS devices. Traditional NetFlow provides a fixed flow record, even for version 9, meaning the device will use certain flags and predefined record combinations in generating the flow. The device configuration settings define export destinations, export interface, and certain version-specific transmission options.
More About Traffic Flows and NetFlow
Each packet that passes into or out of a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or “fingerprint,” and they define whether the packet is unique, or related to other packets.
All packets with the same source/destination IP address, source/destination ports, protocol, interface, and class of service are grouped into a flow, and the packets and bytes are tallied. This method of flow determination (or “fingerprinting”) is scalable because a large amount of network information can be condensed into a database of NetFlow information called the NetFlow cache.
In general, the NetFlow cache is constantly filling with flows, and software in the router or switch is searching the cache for flows that have terminated or expired, and these flows are exported to the NetFlow collector. (Unlike SNMP polling, NetFlow export periodically transmits information to the NetFlow collector.) The NetFlow collector has the job of assembling and organizing the exported flows to produce the real-time or historical reports used for traffic and security analysis.
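A collector-side parser for the NetFlow version 5 export datagram described above, as an added example (not Security Manager code). The header and record layout is the published v5 format; the flows packed into the sample datagram, the AS numbers and the sequence numbers are constructed. It also checks the flow sequence number, which is what lets a collector notice that UDP export datagrams were lost.

```python
import socket
import struct
from typing import Any, Dict, List, Optional, Tuple

# NetFlow v5 export datagram: 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot",
                 "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_v5(datagram: bytes) -> Dict[str, Any]:
    """Decode one v5 datagram as a collector would; reject anything malformed."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_sequence,
     _engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    if count > 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return {"version": version, "count": count, "sys_uptime": sys_uptime,
            "unix_secs": unix_secs, "flow_sequence": flow_sequence, "engine_id": engine_id,
            "sampling_interval": sampling & 0x3FFF,  # low 14 bits; top 2 bits are the mode
            "records": records}

def missing_flows(prev: Optional[Dict[str, Any]], cur: Dict[str, Any]) -> int:
    """flow_sequence counts every flow the exporter has sent, so the next datagram
    should start at prev.flow_sequence + prev.count. Export is UDP with no
    retransmission, so a positive result means flow records were lost in transit."""
    if prev is None:
        return 0
    expected = (prev["flow_sequence"] + prev["count"]) & 0xFFFFFFFF
    return (cur["flow_sequence"] - expected) & 0xFFFFFFFF

# Constructed flows: (src, dst, sport, dport, proto, packets, octets, src_as, dst_as)
Flow = Tuple[str, str, int, int, int, int, int, int, int]
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.1.10", "192.0.2.80", 51000, 443, 6, 12, 9000, 64512, 65000),
    ("10.1.1.11", "192.0.2.53", 40000, 53, 17, 1, 78, 64512, 65001),
]

def build_v5_datagram(flows: List[Flow], flow_sequence: int) -> bytes:
    """Pack constructed flows the way a router's export mechanism would (test input)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 360000, 1700000000, 0,
                         flow_sequence, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                    socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 100000, 120000,
                    sport, dport, 0, 0x02, proto, 0, sas, das, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets, sas, das in flows)
    return header + body

if __name__ == "__main__":
    first = parse_v5(build_v5_datagram(SAMPLE_FLOWS, 1000))
    second = parse_v5(build_v5_datagram(SAMPLE_FLOWS[:1], 1010))  # 8 flows never arrived
    for rec in first["records"]:
        print(f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
              f"proto {rec['prot']} AS {rec['src_as']}->{rec['dst_as']} {rec['dOctets']} B")
    print("flows missing between datagrams:", missing_flows(first, second))
```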
Defining NetFlow Parameters
This procedure describes enabling NetFlow logging on the router.
Step 1 To access the router’s NetFlow page, do one of the following:
- (Device view) Select Platform > Logging > NetFlow from the Policy selector.
- (Policy view) Select Router Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy or create a new one.
The router’s NetFlow page is displayed. See NetFlow Policy Page for complete descriptions of the fields on this page.
Step 2 On the Setup tab of the NetFlow page, specify global NetFlow parameters for the router:
- Primary Destination – Choose IP Address or Hostname from this list to enable NetFlow collection and to specify how the primary NetFlow collector will be defined. You can choose the blank entry to disable this option.
– IP Address – Enter the IP address of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
– Hostname – Enter the fully qualified domain name of the device hosting the primary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
- Redundant Destination – Choose IP Address or Hostname from this list to specify how the back-up NetFlow collector will be defined. You can choose the blank entry to disable this option.
– IP Address – Enter the IP address of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
– Hostname – Enter the fully qualified domain name of the device hosting the secondary NetFlow Collection Engine, and then enter the number of the UDP Port monitored by that flow collector (port numbers can range from 1 to 65535).
Note If you define a Primary and a Redundant Destination, flow data is transmitted to both.
- Source Interface – Specify the router interface through which flow data will be transmitted to the collector destination(s).
- Version – Define the record format to be used for flow data by choosing the appropriate NetFlow version number from this drop-down list. You can choose the blank entry to disable this option.
– 1 – The original record format. No additional parameters are required.
– 5 – The most widely adopted format; includes Border Gateway Protocol (BGP) autonomous system (AS) information and flow sequence numbers.
If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list. You can choose the blank entry to disable this option.
Check Enable BGP Nexthop to include BGP next hop information in the flow caches. (Note that with version 5, this information is visible in the caches, but it is not exported.)
– 9 – The most-recent, template-based version; not yet fully supported.
If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list. You can choose the blank entry to disable this option.
Check Enable BGP Nexthop to include BGP next hop information in the flow records.
Note AS information collection is resource intensive, especially for origin-as. If you are not interested in monitoring peering arrangements, disabling AS collection may improve performance.
Step 3 On the Interfaces tab, define the interfaces for which traffic flows are to be reported.
- To add an interface, click the Add Row button to open the Add NetFlow Interface Settings dialog box. This dialog box is described in Adding and Editing NetFlow Interface Settings.
- To edit an existing interface, select the appropriate entry in the Interfaces table and then click the Edit Row button to open the Edit NetFlow Interface Settings dialog box (described in Adding and Editing NetFlow Interface Settings).
- To delete an existing interface, select that entry in the Interfaces table and then click the Delete Row button, and then confirm the deletion.
Note You can disable NetFlow data collection on an interface without deleting it. Refer to Adding and Editing NetFlow Interface Settings for more information.
Syslog Logging Setup Policy Page
Use the Syslog Logging Setup page to enable syslog logging and define basic logging parameters on the selected Cisco IOS router.
For more information, see Defining Syslog Logging Setup Parameters.
Note We strongly recommend that you define an NTP policy on all routers on which logging is enabled in order to create accurate timestamps for each log message. For more information, see NTP Policy Page.
Note If you unassign a logging setup policy, the default logging configuration is restored on the device upon deployment.
- (Device view) Select Platform > Logging > Syslog Logging Setup from the Policy selector.
- (Policy view) Select Router Platform > Logging > Syslog Logging Setup from the Policy Type selector. Right-click Syslog Logging Setup to create a policy, or select an existing policy from the Shared Policy selector.
| Element | Description |
| --- | --- |
| Enable Logging | When selected, syslog logging is enabled on the device. When deselected, logging is disabled on the device. This is the default. |
| Source Interface | The source address for all outgoing log messages sent to a syslog server. This setting may be necessary when the syslog server cannot respond to the address from which the log message originated (for example, due to a firewall). If you do not define a value in this field, the address of the outgoing interface is used. Enter the name of an interface or interface role, or click Select to select an object from a list or to create a new one. |
| Trap | Defines which log messages are forwarded to a syslog server: select Enable Trap, then choose the Trap Level. All messages of that severity or greater are sent to the syslog server. |
| Buffer | Defines whether log messages are saved locally to a buffer on the device: select Enable Buffer, enter the Buffer Size in bytes, and choose the lowest severity level to save. Optionally, select Use XML Format and enter the size of the XML buffer. Note: The maximum buffer size might be smaller on some devices. |
| Rate Limit | Limits the rate of log messages sent to the syslog server. |
| Origin ID | The origin identifier that is added to the beginning of all syslog messages sent from this device to the remote syslog server. The origin identifier is useful in cases where you send output from multiple devices to a single syslog server. – IP Address—The IP address of the source device. – Hostname—The hostname of the source device. – String—A text string that you provide. Note: The origin identifier is not added to messages sent to local destinations, such as the buffer, the console, and the monitor. |
Syslog Servers Policy Page
Use the Syslog Servers page to create, edit, and delete servers that collect log messages from the router.
For more information, see Defining Syslog Servers.
Note To enable logging to the syslog servers defined on this page, you must enable logging and define basic parameters on the Syslog Logging Setup Policy Page.
- (Device view) Select Platform > Logging > Syslog Servers from the Policy selector.
- (Policy view) Select Router Platform > Logging > Syslog Servers from the Policy Type selector. Right-click Syslog Servers to create a policy, or select an existing policy from the Shared Policy selector.
| Element | Description |
| --- | --- |
| IP Address | The name of the syslog server, as represented by a network/host object, or its IP address. |
| XML Format | Indicates whether the syslog server receives log messages in XML format. |
| Add button | Opens the Syslog Server Dialog Box. From here you can define a syslog server. |
| Edit button | Opens the Syslog Server Dialog Box. From here you can edit the selected syslog server. |
Syslog Server Dialog Box
Use the Syslog Server dialog box to define the server that collects syslog messages from the router. You can also define whether the log messages it receives are in XML format or plain text.
Note To enable logging to the syslog servers defined on this page, you must enable logging and define basic parameters on the Syslog Logging Setup Policy Page.
Go to the Syslog Servers Policy Page, then click the Add or Edit button beneath the table.
NetFlow Policy Page
Use the NetFlow page to enable NetFlow recording and define its parameters on the selected Cisco IOS router.
The NetFlow page consists of two tabbed panels: Setup and Interfaces. The Setup tab provides global configuration parameters for NetFlow collection on the router. The Interfaces tab lists router interfaces for which NetFlow data collection is configured, and allows enabling and disabling ingress and egress accounting on a per-interface basis.
Note We strongly recommend that you define an NTP policy on all routers on which logging is enabled in order to create accurate timestamps for each log message. For more information, see NTP Policy Page.
- (Device view) Select Platform > Logging > NetFlow from the Policy selector.
- (Policy view) Select Router Platform > Logging > NetFlow from the Policy Type selector. Select an existing policy from the Shared Policy selector, or right-click NetFlow to create a new policy.
| Element | Description |
| --- | --- |
| Primary Destination, Redundant Destination | The primary and secondary NetFlow collector. You must select a primary collector to enable NetFlow data collection on this device. To disable transmission of NetFlow data to either of these collectors, choose the blank entry from the drop-down list. Select whether to identify the NetFlow collector using its IP address or host name, then configure the required fields for each option: for IP Address, enter the IP address of the device hosting the NetFlow Collection Engine; for Hostname, enter its fully qualified domain name. In the UDP Port field, enter the port number monitored by the flow collector (port numbers can range from 1 to 65535). You can enter a number or the name of a port list object, or click Select to select an object from a list or to create a new one. |
| Source Interface | The router interface through which flow data will be transmitted to the collector destinations. Enter an interface or interface role name, or click Select to select an object from a list or to create a new one. |
| Version | The NetFlow version number, which defines the record format to be used for flow data. You can choose the blank entry to disable this option. Version 1: No additional parameters are required. Version 5: If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list, or the blank entry to disable this option. Check Enable BGP Nexthop to include BGP next hop information in the flow caches (with version 5, this information is visible in the caches, but it is not exported). Version 9: If BGP is configured on your network, you can include either origin or peer AS information in the NetFlow records. Choose origin-as or peer-as from the AS Type drop-down list, or the blank entry to disable this option. Check Enable BGP Nexthop to include BGP next hop information in the flow records. Note: AS information collection is resource intensive, especially for origin-as. If you are not interested in monitoring peering arrangements, disabling AS collection might improve performance. |
| Interface | The names of the interfaces on which NetFlow collection is configured. |
| Ingress | “Enabled” indicates flow recording is enabled on this interface for incoming traffic; “Disabled” indicates incoming traffic is not recorded for this interface. |
| Egress | “Enabled” indicates flow recording is enabled on this interface for outgoing traffic; “Disabled” indicates outgoing traffic is not recorded for this interface. |
| Add Row button | Click this button to open the Add NetFlow Interface Settings dialog box. Adding a NetFlow interface is described in Adding and Editing NetFlow Interface Settings. |
| Edit Row button | Click this button to open the Edit NetFlow Interface Settings dialog box for the selected interface. Editing NetFlow interfaces is described in Adding and Editing NetFlow Interface Settings. |
| Delete Row button | Click this button to delete the selected interface. You will be asked to confirm the deletion. |
Adding and Editing NetFlow Interface Settings
Use the Add NetFlow Interface Settings and Edit NetFlow Interface Settings dialog boxes to enable and disable NetFlow ingress and egress reporting for specific router interfaces.
Note Except for their titles, these two dialog boxes are identical. The following information applies to both.
Go to the NetFlow Policy Page, then click the Add Row or Edit Row button beneath the table.