Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
This procedure assumes that you have first determined that access to the server is not being denied by
policy and that the firewall should allow access to the server.
Step 1 Ask the user for the IP address of the workstation and server.
Step 2 Open Event Viewer, for example, by selecting Launch > Event Viewer in Configuration Manager.
Step 3 Double-click the Firewall Traffic Events view to open it. Optionally, you can use the All Device Events
view if you also want to see if there are any IPS events related to the workstation.
Tip You can also select the Firewall Denied Events view to see just denial events. However, you
might want to see other events related to the user’s workstation.
Step 4 Ask the user to retry the server access.
Step 5 Click the Start button, or select View > Start, to refresh the event table with the latest events.
Step 6 Type the user’s IP address into the Search within Results box. The list of events is filtered as you type,
and presents events in which the search string appears in any column. In the following illustration, the
event list shows all events in the past 10 minutes for the IP address 10.52.150.50.
Figure 66-5 Restricting the Events List to One IP Address
Tip You can also select the IP address from the Source column’s drop-down list, and the server’s IP
address from the Destination column’s drop-down list (or the reverse), to show only events with
both the source and destination that interest you. Use the column filters if the search string does
not sufficiently reduce the event list for easy analysis.
Step 7 Look for an event that indicates that traffic from the user’s workstation to the server, or from the server
to the workstation, was denied. Syslog 106xxx messages indicate denial actions.
Select the event in the table and open the Event Details pane at the bottom of the window. The tabs in
this pane show the complete message information and include plain-language explanations and
recommended actions.
Step 8 If the event is message 106023 or 106100, you can quickly locate the access rule that is denying the
connection and fix it. To tell whether policy lookup is available for an event, look at the
Event Name cell in the table. If there is a binoculars icon before the event name, policy lookup is
available. Also, if the Go To Policy command is greyed out, you cannot look up policies for that type of
event.
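The same triage as Steps 6 through 8, applied to raw syslog text outside Event Viewer, as an added example that is not part of the Cisco guide. It assumes ASA-style message text for 106023 and 106100; the server address 10.52.200.10, the access-list names and the sample lines are constructed.

```python
import re

# Per the guide: 106xxx messages indicate denials, and the denying access
# rule can be looked up only for messages 106023 and 106100.
POLICY_LOOKUP_IDS = {"106023", "106100"}

HEADER = re.compile(r"%ASA-\d-(?P<id>106\d{3}): (?P<body>.*)")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
RULE_106023 = re.compile(r'by access-group "(?P<acl>[^"]+)"')
RULE_106100 = re.compile(r"^access-list (?P<acl>\S+) (?P<action>\S+) ")


def denials_between(lines, workstation, server):
    """Return 106xxx denial events that involve both hosts, either direction."""
    events = []
    for line in lines:
        head = HEADER.search(line)
        if not head:
            continue  # not a 106xxx message
        msg_id, body = head["id"], head["body"]
        ips = IPV4.findall(body)  # whole addresses, so 10.52.150.5 != 10.52.150.50
        if workstation not in ips or server not in ips:
            continue
        acl = None
        if msg_id == "106100":
            rule = RULE_106100.match(body)
            if rule is None or rule["action"] != "denied":
                continue  # 106100 is also logged for permitted flows
            acl = rule["acl"]
        elif msg_id == "106023":
            rule = RULE_106023.search(body)
            acl = rule["acl"] if rule else None
        # Assumption: the first address in the message text is the source.
        events.append({"id": msg_id, "src": ips[0], "dst": ips[1], "acl": acl,
                       "policy_lookup": msg_id in POLICY_LOOKUP_IDS})
    return events


SAMPLE = [  # constructed syslog lines, not captured from a real device
    '%ASA-4-106023: Deny tcp src inside:10.52.150.50/51234 dst dmz:10.52.200.10/443 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-6-106100: access-list dmz_access_in permitted tcp dmz/10.52.200.10(443) -> inside/10.52.150.50(51300) hit-cnt 1 first hit [0x0, 0x0]',
    '%ASA-6-106100: access-list dmz_access_in denied tcp dmz/10.52.200.10(8443) -> inside/10.52.150.50(51301) hit-cnt 1 first hit [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src inside:10.52.150.5/5353 dst dmz:10.52.200.10/53 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 77 for dmz:10.52.200.10/80 (10.52.200.10/80) to inside:10.52.150.50/51400 (10.52.150.50/51400)',
]

if __name__ == "__main__":
    for event in denials_between(SAMPLE, "10.52.150.50", "10.52.200.10"):
        print(event)
```

The `acl` field names the access list to review in the policy; it stays `None` for other 106xxx messages, which match the guide's note that policy lookup is not available for them.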