Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 332

Checklist for Security Manager-to-MARS Integration
Task 4: Define the devices in MARS.
After you identify and bootstrap the reporting devices and mitigation devices and enable the required traffic
flows, you must represent those devices in MARS, which uses this information to communicate with the devices.
You can do this by adding individual devices in the web interface or by importing a comma-separated values
(CSV) file, which can define the required settings for basic device types and give you a head start on defining the
more complicated devices. After you add the devices, you must activate them by clicking Activate on any page
in the web interface.
To display all devices that are either added incorrectly or not activated in MARS, you can define one of two
queries:
Select "Unknown Reporting Device" in the Devices field. This query returns events only from devices whose
source address does not match any of the reporting IPs defined in MARS. When MARS receives events, it first
determines whether the IP from which the events are received matches one of the reporting IPs identified in the
Reporting and Monitor Devices page. Only if MARS finds a match does it attempt to parse the events. Therefore,
if the reporting IP is defined incorrectly for a reporting device, the events from that device are never parsed.
This query essentially identifies events that are not parsed.
Select "Unknown Device Event Type" in the Events field. This query returns events from known devices that
MARS could not parse for some reason (for example, because the MARS signature list is not current with the
device's event list), and it also returns events reported by unknown devices.
For both queries, if you are looking for a specific reporting IP address, enter that address in the Keyword field to
filter the results down to those that include that IP address.
Result: All reporting devices and mitigation devices are defined and activated in MARS. When the devices are
bootstrapped and defined in MARS, MARS begins to inspect the logs received from the devices. Until the devices
are added in MARS, MARS picks up and stores the events it receives without inspecting them.
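The ordering the manual describes (reporting-IP match first, parsing second) is what makes the two queries useful for triage: an event from an undefined or mistyped reporting IP is dropped before the parser ever sees it, while an event from a known device with a stale signature list reaches the parser and fails there. The following is an added example, not Cisco code, that models that decision and the two queries over a few constructed events; the reporting-IP set, the signature list, the message-ID regex and the substring semantics of the Keyword filter are all stand-in assumptions, not the MARS implementation.

```python
"""Model of the two MARS triage queries on this page.

Added example (not Cisco code). The reporting-IP set, signature list,
message-ID pattern and sample events below are constructed assumptions.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    source_ip: str   # address the event was received from
    raw: str         # raw message text as received


# Constructed stand-ins: reporting IPs defined and activated in MARS, and the
# message IDs that the parser's signature list recognises.
REPORTING_IPS = {"10.1.1.1", "10.1.1.2"}
SIGNATURE_LIST = {"%ASA-6-302013", "%ASA-4-106023", "%SEC-6-IPACCESSLOGP"}

# Assumed message-ID shape, e.g. %ASA-6-302013 (hypothetical simplification).
MSG_ID = re.compile(r"%[A-Z]+-\d-[A-Z0-9]+")


def message_id(raw):
    """Return the message ID in a raw event, or None if none is found."""
    m = MSG_ID.search(raw)
    return m.group(0) if m else None


def classify(ev, reporting_ips=REPORTING_IPS, signatures=SIGNATURE_LIST):
    """Mirror the order the manual describes: IP match first, parse second."""
    if ev.source_ip not in reporting_ips:
        return "unknown_reporting_device"      # never handed to the parser
    mid = message_id(ev.raw)
    if mid is None or mid not in signatures:
        return "unknown_device_event_type"     # known device, no signature match
    return "parsed"


def _matches_keyword(ev, keyword):
    # Assumption: the Keyword field behaves as a substring match on the event.
    return keyword is None or keyword in ev.source_ip or keyword in ev.raw


def unknown_reporting_device_query(events, keyword=None, **kw):
    """Events from sources that match no defined reporting IP."""
    return [ev for ev in events
            if classify(ev, **kw) == "unknown_reporting_device"
            and _matches_keyword(ev, keyword)]


def unknown_device_event_type_query(events, keyword=None, **kw):
    """Unparsed events from known devices plus events from unknown devices."""
    return [ev for ev in events
            if classify(ev, **kw) != "parsed"
            and _matches_keyword(ev, keyword)]


# Constructed sample events (not captured from any real device).
SAMPLE_EVENTS = [
    Event("10.1.1.1", "%ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443"),
    Event("10.1.1.1", "%ASA-6-999999: message newer than the MARS signature list"),
    Event("10.1.1.9", "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.1.2.3/22"),
    Event("10.1.1.2", "%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(1234) -> 10.1.2.3(23), 1 packet"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.source_ip:10} {classify(ev):28} {ev.raw[:40]}")
    print("unknown reporting device:",
          [e.source_ip for e in unknown_reporting_device_query(SAMPLE_EVENTS)])
    print("unknown device event type:",
          [e.source_ip for e in unknown_device_event_type_query(SAMPLE_EVENTS)])
```

Running the block shows the distinction the manual draws: the event from 10.1.1.9 (a device whose reporting IP was never defined, or was mistyped) appears in both queries, while the unrecognised message from 10.1.1.1 appears only in the "Unknown Device Event Type" result, pointing at a signature-list rather than a device-definition problem. Passing the suspect address as the keyword narrows either result the same way the Keyword field does.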
For more information, see:
Device Inventory Worksheet, page 1-18
Selecting the Access Type, page 2-10
Add Reporting and Mitigation Devices Individually, page 2-17
Add Multiple Reporting and Mitigation Devices Using a Seed File, page 2-20
Adding Reporting and Mitigation Devices Using Automatic Topology Discovery, page 2-25
Cisco Firewall Devices (PIX, ASA, and FWSM), page 4-1
Cisco Router Devices, page 3-1
Cisco Switch Devices, page 3-9
Supported Reporting and Mitigation Devices (CSV Keyword column) in the document "Supported Devices and Software Versions for Cisco Security MARS Local Controller 4.2.x and 5.2.x"
Verify Connectivity with the Reporting and Mitigation Devices, page 2-26
Activate the Reporting and Mitigation Devices, page 2-27
User Guide for Cisco Security MARS Local Controller, Chapter 16: Policy Table Lookup on Cisco Security Manager, page 16-10 (78-17020-01)