Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
Step 2 Click General in the table of contents to open the General properties page (see Device Properties:
General Page, page 3-40).
Step 3 In the CS-MARS Monitoring group, click Discover CS-MARS. Security Manager determines which
registered controller is monitoring the device, if any. If there is more than one, you are prompted to
select which CS-MARS controller to use.
Troubleshooting Tips for CS-MARS Querying
Use the following troubleshooting tips to help you identify and resolve problems you might encounter
when using CS-MARS and Security Manager together:
• HTTPS is required for communication between the Security Manager server and CS-MARS.
• Interface names are not case-sensitive in Security Manager, but they are in CS-MARS. For example,
  “outside” and “Outside” are considered exclusive by a CS-MARS appliance, while they are
  equivalent in Security Manager. Further, syslog messages use lower case for all interface names. As
  a result, when you perform a query for a Security Manager policy from an event generated in
  CS-MARS, the interface name logged in the syslog event might not match the interface name in that
  policy in Security Manager. To avoid this problem, use lower case for all interface names, and in the
  definition of interface roles, in CS-MARS.
• To query for CS-MARS events from Security Manager policies, the Security Manager client must
  be on the same side of a network address translation (NAT) boundary as the CS-MARS appliance
  and the Security Manager server.
• Similarly, when the CS-MARS client is not on the same side of a NAT boundary as the CS-MARS
  appliance and the Security Manager server, you can look up Security Manager policies, but in
  read-only mode. However, you cannot start the Security Manager client from the read-only policy
  look-up table. The Security Manager client must be on the same side of the NAT boundary as the
  CS-MARS appliance and the Security Manager server if you want to start the client from CS-MARS
  to modify a matching policy.
• For FWSM, PIX and ASA devices on which multiple independent security contexts exist, to query
  for CS-MARS events, you must define a unique management IP address in Security Manager for
  each security context. Also, the host name and reporting IP address for each virtual context must be
  configured before adding it to CS-MARS. Otherwise, event look-up from policies on these contexts
  fails.
• For all IPS device and service policies, a default signature policy is assigned to the device when you
  do not discover IPS policies, or when you remove the configured policies from the device. If you try
  to perform event look-up from the default signature, a “Policy not found” error message is displayed.
  However, if you edit the default signature and save it, you can then navigate to events in CS-MARS.
• If object grouping or rule optimization is enabled for an access rule defined in Security Manager and
  the associated access-list commands on the device do not match the optimized rules, no events are
  displayed in CS-MARS.
• If logging is not enabled for an access rule, a warning message is displayed, and you can only look
  up traffic-flow events for those rules.
• When supported by the device, Security Manager uses access-control entry (ACE) hashcodes as
  additional keywords when querying CS-MARS for syslog messages generated by an ACE, and large
  access-control lists (ACLs) might contain thousands of such hashcodes. If the number of keywords,
  or the sum of the number of sources, destinations, and protocols for an ACE or a signature exceeds
  the query limit of 150, an error message is displayed. The error message indicates the probable cause
  and recommended action.
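
Several of the tips above can be checked before anyone runs a query. The following is an added example, not code from Cisco or from this guide: a pre-flight check over an exported rule list that flags interface-name case problems, rules without logging, and rules over the query limit of 150. The Rule fields and the preflight function are hypothetical and do not correspond to any Security Manager or CS-MARS export format or API.

```python
from dataclasses import dataclass, field

QUERY_LIMIT = 150  # query limit stated in the troubleshooting tips


@dataclass
class Rule:
    """Hypothetical export of one access rule; not a Security Manager format."""
    name: str
    interface: str
    sources: list
    destinations: list
    protocols: list
    logging: bool = True
    keywords: list = field(default_factory=list)  # query keywords, ACE hashcodes included


def preflight(rules):
    """Return {rule name: [findings]} for rules likely to fail event look-up."""
    variants_by_name = {}
    for r in rules:
        variants_by_name.setdefault(r.interface.lower(), set()).add(r.interface)
    findings = {}
    for r in rules:
        notes = []
        if r.interface != r.interface.lower():
            notes.append("interface name is not lower case; syslog uses lower case")
        variants = variants_by_name[r.interface.lower()]
        if len(variants) > 1:  # CS-MARS treats these as different interfaces
            notes.append("case variants in use: " + ", ".join(sorted(variants)))
        if not r.logging:
            notes.append("logging disabled; only traffic-flow events can be looked up")
        if len(r.keywords) > QUERY_LIMIT:
            notes.append(f"{len(r.keywords)} keywords exceed limit {QUERY_LIMIT}")
        terms = len(r.sources) + len(r.destinations) + len(r.protocols)
        if terms > QUERY_LIMIT:
            notes.append(f"{terms} sources+destinations+protocols exceed limit {QUERY_LIMIT}")
        if notes:
            findings[r.name] = notes
    return findings


# Constructed sample rules (documentation and private addresses), not real device data.
SAMPLE = [
    Rule("r1", "outside", ["192.0.2.1"], ["198.51.100.1"], ["tcp"]),
    Rule("r2", "Outside", ["192.0.2.2"], ["198.51.100.2"], ["tcp"], logging=False),
    Rule("r3", "dmz", [f"10.0.0.{i}" for i in range(100)],
         [f"10.0.1.{i}" for i in range(60)], ["tcp", "udp"]),
]

if __name__ == "__main__":
    for name, notes in preflight(SAMPLE).items():
        print(name, notes)
```
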