Chapter 16: Policy Table Lookup on Cisco Security Manager (Cisco Security MARS 20 User Manual, CS-MARS-20-K9)

Policy Table Lookup on Cisco Security Manager
MARS and Cisco Security Manager (Security Manager) can be configured to provide round-trip policy
audit features and improve traffic flow analysis and debugging. Using this feature, you can identify the
ACL on a router or firewall that generated a syslog message received by MARS. It is important to
understand that the integration between MARS and Security Manager is unique; MARS can provide
users of Security Manager with better analytical tools.
When using MARS as your STM solution, you must understand that MARS suggests and makes changes
to devices without notifying Security Manager of the suggested changes. Specifically, you can use the
"Big Red" button to shut down a port on supported Layer 2 devices. For a Layer 3 device, MARS suggests
ACL changes to block the traffic. In such cases, you can use Security Manager to apply the mitigation
manually using the ACL recommendations provided by MARS, thereby ensuring that the configuration
management solution stays abreast of the mitigation responses. Security Manager can also publish the
same change to all like devices that it manages, providing more robust containment.
For example, consider the following case where a user cannot connect to destination X from source Y.
To troubleshoot this issue, an administrator can do the following:
1. Log into the MARS web interface, and using an on-demand query, determine whether an event has
been received that shows that traffic from source Y to destination X has been blocked.
2. If such events are found, the administrator can continue by determining which ACL is actually
blocking the traffic. To do so, the administrator would click the policy query icon in the row of one
of the selected events. MARS then queries Security Manager to retrieve the list of ACLs that match
that traffic flow, and assuming Security Manager was used to configure the routers and firewalls
between source Y and destination X, a list of matching ACLs is returned.
3. Next, the administrator can log into the Security Manager user interface and modify the identified
policy, or ACL, to allow traffic between source Y and destination X.
This chapter describes how to configure Security Manager and MARS to ensure optimal functionality
and seamless integration.

Overview of Cisco Security Manager Policy Table Lookup

When MARS receives a syslog from a Cisco PIX firewall, Cisco Adaptive Security Appliance (Cisco
ASA), Cisco Firewall Services Module (Cisco FWSM), or Cisco IOS, and can derive the five-tuple
information required to establish an event (source IP, destination IP, source port, destination port, and
protocol), the Security Manager Policy Table Lookup icon appears in the Reporting Device column
of the MARS session display. Clicking the icon invokes a query to the Security Manager, the result of
which is to identify the access rule in the policy table of the device that created the traffic incident or
event.
Figure 16-1 depicts the policy query process between MARS and Security Manager.
User Guide for Cisco Security MARS Local Controller, 78-17020-01, page 16-1
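As an added example (not code from the guide or from MARS or Security Manager), the following Python shows the two operations the lookup rests on: deriving the five tuple from a deny syslog, and walking an ordered policy table to find the first access rule that matches that flow. The syslog line, the rule names and the policy table are constructed samples using documentation address ranges.

```python
import ipaddress
import re
from typing import NamedTuple, Optional
# Body of a PIX/ASA/FWSM-style deny message (the sample line further down is constructed).
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                     r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

class FiveTuple(NamedTuple):  # the five fields MARS needs to establish an event
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class AccessRule(NamedTuple):  # one row of a hypothetical, ordered policy table
    name: str
    action: str     # "permit" or "deny"
    proto: str      # "tcp", "udp", "icmp" or "ip" (matches any protocol)
    src_net: str    # CIDR
    dst_net: str    # CIDR
    dports: tuple   # inclusive (low, high); (0, 65535) means any port

def parse_deny_syslog(line: str) -> Optional[FiveTuple]:
    # Derive the five tuple from a deny syslog; None if the line is not a deny event.
    m = DENY_RE.search(line)
    if m is None:
        return None
    return FiveTuple(m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def lookup_rule(flow: FiveTuple, table: list) -> Optional[AccessRule]:
    # First-match walk of the ordered table, the way a device evaluates an ACL.
    for rule in table:
        if rule.proto not in ("ip", flow.proto):
            continue
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src_net):
            continue
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst_net):
            continue
        if rule.dports[0] <= flow.dport <= rule.dports[1]:
            return rule
    return None  # no explicit match: the implicit deny at the end of the ACL applies

POLICY_TABLE = [  # constructed sample table, ordered as the device would evaluate it
    AccessRule("allow-web", "permit", "tcp", "0.0.0.0/0", "10.10.0.0/16", (80, 80)),
    AccessRule("block-partner-net", "deny", "ip", "192.0.2.0/24", "10.20.0.0/16", (0, 65535)),
    AccessRule("allow-ssh-admin", "permit", "tcp", "203.0.113.0/24", "10.20.0.0/16", (22, 22)),
]
SAMPLE_LOG = '%ASA-4-106023: Deny tcp src outside:192.0.2.44/51514 dst inside:10.20.5.9/22 by access-group "outside_in"'

def which_rule_blocked(line: str, table=POLICY_TABLE) -> Optional[AccessRule]:
    # What the policy query icon answers: which access rule matched this denied flow.
    flow = parse_deny_syslog(line)
    return None if flow is None else lookup_rule(flow, table)
```

Because the walk stops at the first match, the same flow can be blocked by a broad rule that sits above a more specific permit, which is exactly what the returned rule name reveals.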
