69-29
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
To view events for a source or destination address, right-click the address in the Source or Destination cell and choose one of the following commands (the specific command differs depending on the cell you select):
• Show Events > Realtime > Matching this Source/Destination—Shows real-time query results in CS-MARS for events with a matching source or destination address. You can change the query criteria in the CS-MARS window at any time, applying new parameters to alter the real-time results.
• Show Events > Historical > Matching this Source/Destination—Opens the historical query criteria page in CS-MARS with fields populated based on the access rule's source or destination address. Edit the rule parameters and query criteria as desired, and click Apply to continue. Next, in the Query window, you can submit the query, or save it for later submission and re-use.
Security Manager provides the following information to CS-MARS as criteria for traffic-flow or access-rule event queries:
• Device details—General information about the device, such as host name, domain name, management IP address, and display name.
• Source addresses—Source addresses of hosts, with network/host objects expanded to the networks or collections of IP addresses they contain.
• Destination addresses—Destination addresses of hosts, with network/host objects expanded to the networks or collections of IP addresses they contain.
• Service—Protocol and port information.
• Event Type—"Built/teardown/permitted IP connection" for permit rules and "Deny packet due to security policy" for deny rules.
• Keyword (rule events only, not provided for traffic-flow queries)—ACL name and ACE hashcode, if available, connected by the logical operator OR.
On Version 7.0 or later PIX and ASA devices, each access rule is assigned an MD5 hashcode, which is included in the syslogs generated by that rule. Large ACLs can include thousands of access rules. Used as query keywords, these hashcodes can help produce more accurate event matches. If a device does not support hashcodes, a warning is displayed that query results might be inaccurate because of keyword ambiguity; you can proceed with the query, and then edit the query keyword list and resubmit.
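The following is an added illustration, not Security Manager's own code or the CS-MARS API: a small model of how the criteria listed above (expanded addresses, event type, and the "ACL name OR hashcode" keyword with its ambiguity warning) can be assembled from an access rule. The AccessRule fields, the network-object table and the sample hashcode are constructed for the example.

```python
# Added example: modelling the query criteria Security Manager hands to CS-MARS.
# Illustrative only; the AccessRule fields and NETWORK_OBJECTS are constructed.
import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed network/host objects, expanded the way the criteria list describes.
NETWORK_OBJECTS = {
    "DMZ-Web": ["192.0.2.0/24"],
    "Corp-LAN": ["10.1.0.0/16", "10.2.0.0/16"],
}

@dataclass
class AccessRule:
    device: str
    platform: str        # "PIX" or "ASA"
    os_version: str      # e.g. "7.2(4)"
    action: str          # "permit" or "deny"
    source: str          # host/network literal or network-object name
    destination: str
    service: str         # "protocol/port", e.g. "tcp/443"
    acl_name: str
    ace_hashcode: Optional[str] = None   # MD5 hashcode the device assigned to the ACE

def supports_hashcodes(platform: str, os_version: str) -> bool:
    """PIX/ASA 7.0 and later include a per-ACE hashcode in rule syslogs."""
    m = re.match(r"(\d+)\.(\d+)", os_version)
    return (platform in ("PIX", "ASA") and m is not None
            and (int(m.group(1)), int(m.group(2))) >= (7, 0))

def expand_address(value: str) -> list:
    """Expand an object name to its networks; a literal host becomes a /32."""
    return [str(ip_network(n)) for n in NETWORK_OBJECTS.get(value, [value])]

def build_query_criteria(rule: AccessRule) -> dict:
    """Return the criteria dictionary for an access-rule event query."""
    event_type = ("Built/teardown/permitted IP connection" if rule.action == "permit"
                  else "Deny packet due to security policy")
    criteria = {
        "device": rule.device,
        "source": expand_address(rule.source),
        "destination": expand_address(rule.destination),
        "service": rule.service,
        "event_type": event_type,
        "keyword": rule.acl_name,   # ACL name alone when no hashcode is available
        "warning": None,
    }
    if supports_hashcodes(rule.platform, rule.os_version) and rule.ace_hashcode:
        criteria["keyword"] = f"{rule.acl_name} OR {rule.ace_hashcode}"
    else:
        criteria["warning"] = ("Keyword ambiguity: device supplies no ACE hashcode; "
                               "results may be inaccurate, edit keywords and resubmit")
    return criteria
```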
Tips:
• You can query on only one access rule at a time.
• When NAT or PAT is configured on a security device, the source and destination addresses are mapped to pre-translation and post-translation addresses, respectively, and the translated addresses are used when Security Manager sends a query to CS-MARS. For inbound access rules, the destination address is considered the pre-translation address, and for outbound access rules, the source address is considered the post-translation address.
• If the device is monitored by multiple CS-MARS controllers, you are prompted to select the CS-MARS instance to be used.
• Depending on how credentials verification is set up on your system, you might be prompted to log into CS-MARS. For more information, see Registering CS-MARS Servers in Security Manager, page 69-24.
Related Topics
Access Rules Page, page 16-9
Looking Up CS-MARS Events for a Security Manager Policy, page 69-27