Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 131

Chapter 4 Configuring Firewall Devices
Cisco Firewall Devices (PIX, ASA, and FWSM)

To bootstrap the Cisco firewall device, you must identify the MARS Appliance as an administrative host. Enabling administrative access allows MARS to discover the Cisco firewall device configuration settings. To enable administrative access, you must make sure that the MARS Appliance is granted Telnet or SSH administrative access to the firewall device. If you use the FTP access type, make sure that you have added the device's configuration file to an FTP server that MARS is allowed to access.

In addition to configuring specific event types and administrative access, syslog messages should be sent to the MARS Appliance. To prepare the Cisco firewall device to send these messages to the MARS Appliance, you must configure the logging settings associated with each firewall device on your network. To prepare a firewall device to generate the syslog messages and direct them to a specific MARS Appliance, you must:

1. Enable logging on the firewall device.
   Before a firewall device can generate syslog messages, you must enable logging for one or more interfaces. In addition, if you configured your firewall device in a failover pair, you can specify the standby firewall device to generate syslog messages as well. You can enable this to ensure that the standby unit's syslog messages stay synchronized if failover occurs. However, this option results in twice as much traffic on the MARS Appliance.

2. Select the log facility and queue size.
   To generate meaningful reports about the network activity of a firewall device and to monitor the security events associated with that device, you must select the appropriate logging level. The logging level generates the syslog details required to track session-specific data. After you select a logging level, you can define a syslog rule that directs traffic to the MARS Appliance.

3. Do one of the following:
   - Select the log level to debug, or
   - Change the severity level of required events to a level other than debug and select that log level.
   The debug log level generates syslog messages that assist you in debugging. It also generates logs that identify the commands issued during FTP sessions and the URLs requested during HTTP sessions. It includes all emergency, alert, critical, error, warning, notification, and information messages. Alternatively, you can change the severity level of the required messages using the logging message command described in Device-Side Tuning for Cisco Firewall Device Syslogs, page 4-6.

   Note: Full URLs, such as www.cisco.com/foo.html, are included in HTTP session logs, and FTP command data is logged, only if web filtering (N2H2/SecureComputing or WebSense) is enabled on the reporting device. If web filtering is not enabled, then the HTTP session log does not include the hostname (although the destination host's IP and the Request-URI are included, such as 192.168.1.1:/foo.htm) and FTP command data is not logged at all. Caveats exist with HTTP session logging; for example, if the HTTP session request is broken across packets, then the hostname data might not be included in the log data.

4. Identify the target MARS Appliance and the protocol and port pair that it listens on.
   By directing syslog messages generated by a firewall device to MARS, you can process and study the messages.

User Guide for Cisco Security MARS Local Controller
78-17020-01
4-3
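The four steps above correspond directly to the firewall's logging commands. What follows is an added example, not taken from the MARS guide or from Cisco, showing a device-side bootstrap of a Cisco ASA (PIX 7.x command syntax) for a MARS Appliance. The MARS address 10.1.1.50, the interface name inside, the facility number 20 and the queue size 512 are assumptions chosen for the example, and MESSAGE_ID is a placeholder for whatever message you would need to raise above its default severity if you choose the non-debug alternative in step 3.

```cisco
! Added example (not from the Cisco MARS guide). Assumed values:
!   MARS Appliance = 10.1.1.50, reachable via the "inside" interface.
!
! Administrative access: allow the MARS Appliance to open SSH sessions to the
! firewall so it can discover the running configuration. Limit it to the one
! host; "telnet 10.1.1.50 255.255.255.255 inside" is the Telnet equivalent.
ssh 10.1.1.50 255.255.255.255 inside

! Step 1: enable logging. "logging standby" makes the standby unit of a
! failover pair send syslog too, which doubles the traffic MARS receives.
logging enable
logging standby

! Step 2: log facility (local4 = 20) and the size of the message queue.
logging facility 20
logging queue 512

! Step 3 (option a): send every message up to debugging level to syslog hosts.
logging trap debugging
! Step 3 (option b), instead of the line above: keep a lower trap level and
! raise only the messages you need. MESSAGE_ID is a placeholder.
! logging trap informational
! logging message MESSAGE_ID level informational

! Step 4: the MARS Appliance is the syslog target, listening on UDP 514.
logging timestamp
logging host inside 10.1.1.50 udp/514
```

Verify from the firewall with `show logging`, which reports whether logging is enabled, the trap level, and the configured host; the queue counters in the same output are the first place to look if MARS shows gaps in firewall events, since an undersized queue drops messages under load.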