69-27
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
Problems with the synchronization between rules and reported events can occur in the following situations:
• The device has been added to Security Manager, but the configuration or changes to it have not been saved to the database. This is especially true for access rules that have been changed but not deployed since the device was added to CS-MARS.
• Access rules exist on the device for which there are no corresponding rules in Security Manager, and vice versa. Be sure all devices are added to Security Manager, and that access rules are configured on them using Security Manager.
• Traffic in the “wrong” direction triggering events for which there is no defined rule. For example, outbound traffic on a higher-security-level interface on which only inbound-traffic rules have been defined.
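The second situation above (and, indirectly, the first, since rules changed on the device but never saved or deployed from Security Manager also show up as device-only) can be checked before a policy lookup is attempted. The following is an added example written for this page, not Security Manager or CS-MARS code. It assumes the device side is the output of the ASA command `show access-list` (real ASA syntax; the sample below is constructed) and the Security Manager side is the `access-list` lines of the configuration Security Manager holds for the device; the `SERVICE_PORTS` map, the `normalize` and `compare` functions and the sample data are all assumptions made here.

```python
"""Find access rules present on an ASA but not in Security Manager, and vice versa.

Added example, not Security Manager/CS-MARS code. Line numbers, hit counts and
per-line hashes from `show access-list` are stripped, case and whitespace are
normalised, and a few well-known service names are mapped to port numbers so
that `eq https` and `eq 443` compare equal.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Constructed name->port map; extend it for the services your rules use.
SERVICE_PORTS = {"https": "443", "www": "80", "ssh": "22", "domain": "53"}

_LINE_NO = re.compile(r"\bline \d+ ")
_TRAILER = re.compile(r"\s*\(hitcnt=\d+\)(\s+0x[0-9a-f]+)?$")


def normalize(raw: str) -> Optional[str]:
    """Canonical form of one access-list line, or None if it is not a rule."""
    if raw[:1].isspace():
        return None  # ASA indents the object-group elements it expands; skip them
    line = raw.strip().lower()
    line = _TRAILER.sub("", _LINE_NO.sub("", line))
    toks = line.split()
    if len(toks) < 4 or toks[0] != "access-list" or toks[2] not in ("extended", "standard"):
        return None  # summary header ("...; N elements; ..."), remark, or unrelated line
    out = []
    for i, t in enumerate(toks):
        if i and toks[i - 1] in ("eq", "neq", "lt", "gt"):
            t = SERVICE_PORTS.get(t, t)  # service name -> port number
        out.append(t)
    return " ".join(out)


def compare(device_lines: Iterable[str], manager_lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (rules only on the device, rules only in Security Manager)."""
    dev = {r for r in map(normalize, device_lines) if r}
    mgr = {r for r in map(normalize, manager_lines) if r}
    return sorted(dev - mgr), sorted(mgr - dev)


# Constructed sample: what the device reports versus what Security Manager holds.
DEVICE_SHOW_ACCESS_LIST = """\
access-list outside_in; 4 elements; name hash: 0x8f2a1e4c
access-list outside_in line 1 remark Internet-facing rules (managed by CSM)
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq https (hitcnt=1042) 0x1a2b3c4d
access-list outside_in line 3 extended permit tcp any object-group DMZ_WEB eq https (hitcnt=88) 0x2b3c4d5e
  access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq https (hitcnt=88) 0x3c4d5e6f
access-list outside_in line 4 extended permit tcp any host 192.0.2.10 eq ssh (hitcnt=7) 0x4d5e6f70
access-list outside_in line 5 extended deny ip any any (hitcnt=3311) 0x5e6f7081
""".splitlines()

MANAGER_CONFIG = """\
access-list outside_in remark Internet-facing rules (managed by CSM)
access-list outside_in extended permit tcp any host 192.0.2.10 eq 443
access-list outside_in extended permit tcp any object-group DMZ_WEB eq 443
access-list outside_in extended permit udp any host 192.0.2.53 eq domain
access-list outside_in extended deny ip any any
""".splitlines()


if __name__ == "__main__":
    only_dev, only_mgr = compare(DEVICE_SHOW_ACCESS_LIST, MANAGER_CONFIG)
    print("On device but not in Security Manager:", *only_dev, sep="\n  ")
    print("In Security Manager but not on device:", *only_mgr, sep="\n  ")
```

With the sample data the SSH rule shows up as device-only (added on the device, never brought into Security Manager) and the DNS rule as manager-only (defined but not yet deployed). This comparison cannot detect the third situation in the list, because whether a rule covers traffic in a given direction depends on the interface and direction the access list is bound to, not on the access-list lines themselves.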
If you perform a policy lookup from CS-MARS and the Security Manager client is active, the query
is performed on all policies within the open activity or configuration session plus what is saved in
the database (the committed configurations). If the Security Manager client is not active, only
committed policies are considered.
Related Topics
Checklist for Integrating CS-MARS with Security Manager, page 69-23
Looking Up CS-MARS Events for a Security Manager Policy, page 69-27
Registering CS-MARS Servers in Security Manager, page 69-24
Looking Up CS-MARS Events for a Security Manager Policy
After you integrate CS-MARS and Security Manager, you can look up events in CS-MARS that relate
to specific firewall access rules or IPS signatures.
When CS-MARS receives events, they are parsed, “sessionized,” written to an event buffer, and then
written to the database. Sessionizing takes two forms: with a session-oriented protocol, such as TCP, the
session encompasses the initial handshake to the connection tear-down; with a sessionless protocol, such
as UDP, the session start and end times are based more on first and last packets tracked within a restricted
time period—packets that fall outside of the time period are considered parts of other sessions.
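To make the two session models concrete, here is a toy sessionizer added for this page; it is not CS-MARS code and does not reproduce how CS-MARS sessionizes internally. It assumes a simple packet record (`Packet`), a direction-independent flow key, a 30-second UDP inactivity window (`UDP_WINDOW`) and a short drain period after a TCP tear-down (`TCP_DRAIN`) so the final ACK of the close joins its session; these constants and the sample capture are constructed here.

```python
"""Toy sessionizer for the TCP (handshake to tear-down) and UDP (time window) models.

Added example, not CS-MARS code. Record format and timing constants are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UDP_WINDOW = 30.0  # seconds of silence after which a UDP session is over (assumption)
TCP_DRAIN = 2.0    # seconds after tear-down during which a stray ACK still joins (assumption)

Key = Tuple[str, int, str, int]


@dataclass
class Packet:
    ts: float        # seconds since capture start
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: S, A, F, R (unused for UDP)


@dataclass
class Session:
    proto: str
    key: Key
    start: float
    end: float
    packets: int = 1
    handshake: bool = True  # False for a TCP session first seen mid-stream (no SYN)
    fins: int = 0


def flow_key(p: Packet) -> Key:
    """Direction-independent 4-tuple so both halves of a flow share one key."""
    a = (p.src, p.sport, p.dst, p.dport)
    b = (p.dst, p.dport, p.src, p.sport)
    return a if a <= b else b


def sessionize(packets: List[Packet]) -> List[Session]:
    """Group packets into sessions, returned sorted by start time.

    TCP: a session opens on a bare SYN and closes after FIN from both sides or
    on RST. A packet with no open session and no SYN opens one with handshake=False.
    UDP: a packet joins its key's open session if it arrives within UDP_WINDOW of
    that session's last packet; otherwise it starts a new session.
    """
    done: List[Session] = []
    open_: Dict[Tuple[str, Key], Session] = {}
    recent: Dict[Tuple[str, Key], Session] = {}  # torn-down TCP sessions, for the drain
    for p in sorted(packets, key=lambda x: x.ts):
        k = (p.proto, flow_key(p))
        cur = open_.get(k)
        if p.proto == "tcp":
            is_syn = "S" in p.flags and "A" not in p.flags
            if cur is not None and not is_syn:
                cur.end, cur.packets = p.ts, cur.packets + 1
            else:
                closed = recent.get(k)
                if cur is None and closed and not is_syn and p.ts - closed.end <= TCP_DRAIN:
                    closed.end, closed.packets = p.ts, closed.packets + 1
                    continue  # final ACK of the tear-down: no new session
                if cur is not None:  # new SYN on a still-open key: retire the stale one
                    done.append(open_.pop(k))
                cur = Session("tcp", k[1], p.ts, p.ts, handshake=is_syn)
                open_[k] = cur
            if "F" in p.flags:
                cur.fins += 1
            if "R" in p.flags or cur.fins >= 2:
                done.append(open_.pop(k))
                recent[k] = cur
        elif p.proto == "udp":
            if cur is not None and p.ts - cur.end <= UDP_WINDOW:
                cur.end, cur.packets = p.ts, cur.packets + 1
            else:
                if cur is not None:
                    done.append(cur)  # gap exceeded the window: earlier session is over
                open_[k] = Session("udp", k[1], p.ts, p.ts)
    done.extend(open_.values())  # sessions still open at end of input
    return sorted(done, key=lambda s: (s.start, s.proto))


# Constructed sample capture: one HTTPS connection with a full tear-down, one
# connection reset by the server, and DNS whose last query falls outside the window.
SAMPLE = [
    Packet(0.00, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "S"),
    Packet(0.01, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, "SA"),
    Packet(0.02, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "A"),
    Packet(0.50, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "A"),
    Packet(1.00, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "FA"),
    Packet(1.01, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, "FA"),
    Packet(1.02, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "A"),
    Packet(0.00, "udp", "10.0.0.5", 40000, "192.0.2.53", 53),
    Packet(0.02, "udp", "192.0.2.53", 53, "10.0.0.5", 40000),
    Packet(0.50, "udp", "10.0.0.5", 40000, "192.0.2.53", 53),
    Packet(10.0, "tcp", "10.0.0.5", 51001, "192.0.2.10", 443, "S"),
    Packet(10.1, "tcp", "192.0.2.10", 443, "10.0.0.5", 51001, "RA"),
    Packet(100.0, "udp", "10.0.0.5", 40000, "192.0.2.53", 53),
]

if __name__ == "__main__":
    for s in sessionize(SAMPLE):
        print(f"{s.proto} {s.key} {s.start:.2f}-{s.end:.2f} packets={s.packets}")
```

The sample yields four sessions: the HTTPS connection (seven packets, handshake through the final ACK), the reset connection (two packets), the first DNS exchange (three packets within the window) and the query at 100 s, which the window rule places in a session of its own. The delay the text describes follows from the same logic: a TCP session is not complete until the tear-down arrives, and a UDP session is not known to be over until the window has elapsed.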
Because there is a difference between newly received and fully processed data, you can look up either real-time or historical events:
• Real-time—Because sessionization takes time, keeping an event in cache for up to two minutes, you can use the real-time event query to view events right after parsing, providing access to the most current data received.
When you query for real-time events, the query is run automatically, based on the policy values obtained from Security Manager, and the results are displayed in the CS-MARS Query Results window. This real-time event viewer lets you monitor CS-MARS traffic in near real time, as raw events streaming to CS-MARS, before they are sessionized, with a maximum delay of five seconds. You also can elect to view the sessionized event stream by clicking Edit in the Query Results window and then choosing “Sessionized events” from the Realtime drop-down menu. Note that more delay is possible when there are many events in a session.
• Historical—Historical event reports help you identify trends over longer periods of time than is possible with real-time monitoring. When you query for historical events, the CS-MARS Query Criteria: Result window opens. You can either run the query immediately, or save the criteria as a “report” to run at a later time. For historical events, the Result Format is the All Matching Events option, and the Filter By Time value is set to the previous 10 minutes.