More About Cisco Security Manager Policy Table Lookup; Prerequisites For Policy Table Lookup - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Overview of Cisco Security Manager Policy Table Lookup

More About Cisco Security Manager Policy Table Lookup

The device lookup information is combined with the event information to perform the Security Manager policy table lookup.

The following MARS event information derived from the reporting device raw message is passed to Security Manager:

• Event Five Tuple—Source IP Address, Destination IP address, Source Port, Destination Port, and Protocol defining the session. The event five tuple must match the five tuple of the target access rule. For ICMP logs, ICMP type and code, when available, are passed instead of the source and destination ports.
• Action—If available, permit or deny. If not available, access rules with both permit and deny are highlighted.
• ACL name—If available, the name of the ACL or Access Group that triggers the syslog. With the ACL name, Security Manager can reduce the number of matching access rules.
• Interface—If available, the interface names are parsed from the event's raw message.
• Direction—If available, keywords such as "inbound" and "outbound" identify the direction.

The device, five tuple, action, ACL name, interface, and direction information comprise the policy query criteria submitted to the Security Manager. MARS displays the policy table in a pop-up window. The matching access rule is displayed in highlight. If MARS was unable to provide the interface, direction, and action information, multiple matched access rules may be highlighted.

Sample Cisco PIX Firewall Syslog Messages with Direction and Protocol Information

10.33.10.2 <142>%PIX-6-302013: Built outbound TCP connection 2021 for inside:10.1.1.10/4000 (10.1.1.10/4000) to dmz:192.168.1.10/80 (192.168.1.10/80)

10.33.10.2 <142>%PIX-6-302013: Built inbound TCP connection 2000 for outside:1.234.58.149/12000 (1.234.58.149/12000) to inside:192.168.1.10/25 (100.1.4.10/25)

Sample Cisco PIX Firewall Syslog Messages with Access Group Name Information

10.33.10.2 <142>%PIX-4-106023: Deny tcp src inside:10.1.5.234/3010 dst outside:5.6.7.8/21 by access-group "Cisco Security Manager-acl-inside"

Sample Cisco IOS 12.2 Syslog Messages with ACL Name Information

100.1.20.2 Mon Jun 9 14:46:31 2003 <46>485232: Jun 9 14:46:29 PDT: %SEC-6-IPACCESSLOGP: list Cisco Security Manager-acl-FastEthernet0/0 permitted tcp 1.234.51.255(12000) -> 100.1.4.10(25), 1540 packet

10.34.1.1 <46>146570: Dec 19 21:01:57 PST: %SEC-6-IPACCESSLOGP: list Cisco Security Manager-acl-FastEthernet1/0 denied tcp 10.10.1.20(59399) -> 10.1.5.11(23), 1 packet

Prerequisites for Policy Table Lookup

• MARS Local Controller running software version 4.2.1 or more recent version.
• Cisco Security Manager version 3.0.1 or more recent.
• MARS configured for operation with Cisco Security Manager as explained in the section Checklist for Security Manager-to-MARS Integration, page 16-6.

User Guide for Cisco Security MARS Local Controller, Chapter 16, Policy Table Lookup on Cisco Security Manager, page 16-4 (78-17020-01)
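The following Python is an added illustration; it is not part of the Cisco guide and not MARS or Security Manager code. It reassembles the three sample message formats shown above, extracts the query criteria the guide lists (five tuple, action, ACL name, interface, direction), and matches them against a constructed access-rule table, so that the effect of a missing action or ACL name on the number of highlighted rules can be seen. The regular expressions, the AccessRule fields, the POLICY_TABLE contents, and the treatment of a PIX 302013 "Built ... connection" message as carrying no permit/deny keyword are all assumptions of the example.

```python
# Added example (not from the Cisco guide); the regexes, rule fields and table are assumptions.
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import Optional

# Sample messages from the guide, reassembled into single lines.
PIX_BUILT = ('10.33.10.2 <142>%PIX-6-302013: Built outbound TCP connection 2021 for '
             'inside:10.1.1.10/4000 (10.1.1.10/4000) to dmz:192.168.1.10/80 (192.168.1.10/80)')
PIX_DENY = ('10.33.10.2 <142>%PIX-4-106023: Deny tcp src inside:10.1.5.234/3010 '
            'dst outside:5.6.7.8/21 by access-group "Cisco Security Manager-acl-inside"')
IOS_ACL = ('10.34.1.1 <46>146570: Dec 19 21:01:57 PST: %SEC-6-IPACCESSLOGP: list '
           'Cisco Security Manager-acl-FastEthernet1/0 denied tcp 10.10.1.20(59399) -> '
           '10.1.5.11(23), 1 packet')

@dataclass
class Criteria:  # query criteria from one raw message; None means MARS could not supply the field
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    action: Optional[str] = None      # "permit" / "deny"
    acl_name: Optional[str] = None
    src_if: Optional[str] = None      # interface the packet entered on
    direction: Optional[str] = None   # "inbound" / "outbound"

_PIX_302013 = re.compile(
    r'%PIX-6-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection \d+ '
    r'for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) '
    r'to [\w-]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)')
_PIX_106023 = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst [\w-]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl_name>[^"]+)"')
_IOS_LOGP = re.compile(
    r'%SEC-6-IPACCESSLOGP: list (?P<acl_name>.+?) (?P<action>permitted|denied) (?P<proto>\w+) '
    r'(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> (?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)')

def _five_tuple(g):
    return (g['proto'].lower(), g['src_ip'], int(g['src_port']), g['dst_ip'], int(g['dst_port']))

def parse(raw: str) -> Optional[Criteria]:
    """Return the criteria a message carries, or None if the format is not recognised."""
    if m := _PIX_302013.search(raw):
        g = m.groupdict()
        # Assumption: a "Built ... connection" log has no permit/deny keyword, so action stays None.
        return Criteria(*_five_tuple(g), src_if=g['src_if'], direction=g['direction'])
    if m := _PIX_106023.search(raw):
        g = m.groupdict()  # action, ACL name and interface present; no direction keyword
        return Criteria(*_five_tuple(g), action='deny', acl_name=g['acl_name'], src_if=g['src_if'])
    if m := _IOS_LOGP.search(raw):
        g = m.groupdict()  # action and ACL name present; no interface or direction
        action = 'permit' if g['action'] == 'permitted' else 'deny'
        return Criteria(*_five_tuple(g), action=action, acl_name=g['acl_name'])
    return None

def without_acl_name(c: Criteria) -> Criteria:
    """Same criteria with the ACL name dropped, to show how much the name narrows the match."""
    return replace(c, acl_name=None)

@dataclass
class AccessRule:
    """One row of a constructed Security Manager policy table."""
    name: str
    acl_name: str
    interface: str
    direction: str
    action: str
    proto: str
    src_net: str
    dst_net: str
    dst_port: Optional[int] = None    # None = any port

def rule_matches(rule: AccessRule, c: Criteria) -> bool:
    """Five tuple must match; each optional criterion filters only when MARS supplied it."""
    if c.proto != rule.proto or (rule.dst_port is not None and c.dst_port != rule.dst_port):
        return False
    if ipaddress.ip_address(c.src_ip) not in ipaddress.ip_network(rule.src_net):
        return False
    if ipaddress.ip_address(c.dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    for want, have in ((c.action, rule.action), (c.acl_name, rule.acl_name),
                       (c.src_if, rule.interface), (c.direction, rule.direction)):
        if want is not None and want != have:
            return False
    return True

def highlighted_rules(table, c: Criteria) -> list:
    """Names of the rows MARS would highlight for these criteria."""
    return [r.name for r in table if rule_matches(r, c)]

# Constructed policy table; rule names and networks are invented for the example.
POLICY_TABLE = [
    AccessRule('R1', 'Cisco Security Manager-acl-inside', 'inside', 'outbound', 'permit', 'tcp', '10.1.1.0/24', '192.168.1.10/32', 80),
    AccessRule('R2', 'Cisco Security Manager-acl-inside', 'inside', 'outbound', 'deny', 'tcp', '10.1.0.0/16', '192.168.1.0/24'),
    AccessRule('R3', 'Cisco Security Manager-acl-inside', 'inside', 'outbound', 'deny', 'tcp', '10.1.0.0/16', '5.6.7.8/32', 21),
    AccessRule('R4', 'Cisco Security Manager-acl-FastEthernet1/0', 'FastEthernet1/0', 'inbound', 'deny', 'tcp', '10.10.0.0/16', '10.1.5.0/24', 23),
    AccessRule('R5', 'Cisco Security Manager-acl-FastEthernet0/0', 'FastEthernet0/0', 'inbound', 'deny', 'tcp', '10.10.0.0/16', '10.1.5.0/24', 23),
]
```

With this table, highlighted_rules(POLICY_TABLE, parse(PIX_BUILT)) returns both R1 (permit) and R2 (deny), because the 302013 message supplies no action; parse(PIX_DENY) narrows to R3 through the action and access-group name even though no direction keyword is present; parse(IOS_ACL) selects R4 only, and without_acl_name(parse(IOS_ACL)) widens the highlight to R4 and R5, which is the narrowing effect of the ACL name the guide describes.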
