Event Manager for Cisco Firewalls

Release Notes

Date Published: November 2010


Event Manager for Cisco Firewalls allows you to monitor Cisco PIX, ASA, and FWSM firewalls. This module provides embedded knowledge so you can proactively manage Cisco firewalls and identify issues before they become critical. By detecting, alerting on, and automatically responding to critical events in real-time, Event Manager for Cisco Firewalls helps indicate, correct, and prevent possible external intrusions, attacks, and configuration problems. This module increases the security, availability, and performance of Cisco firewalls.

Event Manager for Cisco Firewalls monitors syslog messages generated by Cisco firewalls. It also highlights events that may indicate configuration changes or external attacks, so you can quickly take corrective or preventive action. For example, Event Manager for Cisco Firewalls enables you to perform the following tasks:

  • Detect misconfigurations in your firewall environment
  • Back up your configuration settings using the Secure Shell (SSH) protocol
  • Identify external attacks, such as IP and connection spoofing and IP fragments, and then respond with an alert
  • Monitor performance data using the SSH protocol
  • Notify the Security Specialists notification group of serious issues
  • Monitor your environment from a single console

This module for the Security Manager product includes usability improvements and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the Security Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and the Security Manager user group.

This document outlines why you should install this module, lists any installation requirements, and identifies any known issues.

Supported Products

This release supports the following products:

  • Cisco PIX Firewall 6.3 and later
  • Cisco FWSM 2.3 and later
  • Cisco ASA 6.3 and later

Why Install This Module?

Event Manager for Cisco Firewalls provides support for received data that contains Internet Protocol version 6 (IPv6) addresses. For more information about how Security Manager supports IPv6, see the Security Manager 6.5 documentation.

After you install this release, Event Manager for Cisco Firewalls enables you to create real-time processing rules on any events collected from your Cisco firewall devices, in addition to storing those events in the log archive. If you want to generate additional real-time alerts on Cisco firewall events, create new rules based on those events.

System Requirements

The following table lists additional requirements for a Windows agent acting as the agent for Cisco firewalls. For more information about agent requirements, see the Installation Guide for NetIQ Security Manager.

Processor: 1.5 GHz Intel Pentium III or equivalent.

Memory: 40 MB minimum. The amount of memory used varies with the environment, including the event rate and other factors. Memory usage for a Windows agent monitoring Cisco firewalls can reach 256 MB or higher.

Operating System: All supported Windows agent platforms.

Software:
  • Ensure you have Security Manager 6.5 or later installed.
  • Ensure you have the latest version of Security Manager Self-monitoring installed.
  • A Windows agent can monitor one or more Cisco firewalls. For more information about the number of instances one agent can support, see the NetIQ Security Manager Knowledge Base article NETIQKB51404 at www.netiq.com/support/sm/.
  • If the Cisco firewall device and the agent are separated by a firewall, ensure that firewall allows the syslog data through.
  • Install the Windows agent that monitors your Cisco firewall device on a separate computer from the database server or central computer.

Installing This Module

Complete the following steps to install this module in a new Security Manager 6.5 installation.

To install this module:

  1. Open the Module Installer. Under Event Manager for Firewalls, the Module Installer lists both a Legacy and a non-Legacy version of the Cisco Firewalls module.

    Note
    The Legacy version of this module works with Security Manager 6.0 or 6.5. The non-Legacy version requires Security Manager 6.5 because the module takes advantage of the improved Syslog2 event handling in Security Manager 6.5.

  2. Select only the non-Legacy version of the module and click Install.
  3. Configure the new module using the Configuration Wizard. For more information about accessing the Configuration Wizard, see the User Guide for NetIQ Security Manager. For more information about how to enter information, click the question mark in the bottom left of the Configuration Wizard to expand a Help window on the right.
  4. Configure the Windows agent. For more information, see the Installation Guide for NetIQ Security Manager.
  5. Configure the Cisco firewall device to communicate with the Windows agent. For more information, see Configuring Cisco Firewall Devices.

Upgrading This Module

If you have an existing Security Manager 6.5 installation and have already replaced the Legacy version of the Cisco Firewalls module, upgrade the module as usual using the Module Installer. If your existing Security Manager installation has not yet been upgraded to Security Manager 6.5, first upgrade it to Security Manager 6.5, and then complete either procedure 1 or procedure 2 below to move from the Legacy version of the module to the new version. Procedure 1 requires access to reconfigure the firewalls and a spare computer for a new agent; procedure 2 reuses the existing agents.

To upgrade this module from the Legacy version:

  1. If you have access to reconfigure the Cisco firewall devices and have an extra computer on which to install a new Security Manager 6.5 Windows agent, complete the following steps:
    1. Install and configure a new Security Manager 6.5 Windows agent to receive syslog messages. For more information, see the Installation Guide for NetIQ Security Manager.
    2. Open the Module Installer. Under Event Manager for Firewalls, the Module Installer lists both a Legacy and a non-Legacy version of the Cisco Firewalls module.
    3. Select both the Legacy and non-Legacy versions of this module and click Install. If you do not install the Legacy version of Cisco Firewalls, two instances of Configure the module for Cisco Firewalls appear in the Support for Firewalls section of the Configuration Wizard, and you have to open each instance to see which one is Legacy. When you install both versions, Security Manager renames Configuration Wizard links, existing rule groups, and documentation so you can easily distinguish legacy items from new items.
    4. When the modules are installed, open the Configuration Wizard.
    5. In the left pane, click Support for Firewalls.
    6. Click Configure the module for Cisco Firewalls.
    7. In the left pane, click Agents that Monitor Cisco Firewalls.
    8. Add the new Security Manager 6.5 Windows agent you just installed.
    9. In the left pane, click Cisco Firewall Devices.
    10. Add the Cisco firewall devices from which you want the new Windows agent to receive data.
    11. Click Finish.
    12. Access the Cisco firewall devices and reconfigure them to send data to the new Windows agent. For more information, see Configuring Cisco Firewall Devices.
    13. Verify the new Cisco Firewalls computer groups are populated with data.
    14. Open the Configuration Wizard.
    15. In the left pane, click Support for Firewalls.
    16. Click Configure the module for Cisco Firewalls (Legacy).

      Warning
      Before you disable the Legacy version of the module, ensure you have already reconfigured the Cisco firewall devices to forward their syslog events to the new agent. Otherwise, you will lose data.

    17. Remove all agents and devices, disabling the Legacy version of the module.
    18. Click Finish.
    19. In the Schedule Configuration Changes window, select both checkboxes and click OK.
  2. If you do not have easy access to reconfigure Cisco firewall devices, or you do not have an extra computer on which to install a new Security Manager 6.5 Windows agent, complete the following steps:

    Note
    If you do not complete the following steps in a timely manner, some of the data collected in the meantime may be stored as unrecognized syslog events in the log archive.

    1. Open the Module Installer. Under Event Manager for Firewalls, the Module Installer lists both a Legacy and a non-Legacy version of the Cisco Firewalls module.
    2. Select both the Legacy and non-Legacy versions of this module and click Install. If you do not install the Legacy version of Cisco Firewalls, two instances of Configure the module for Cisco Firewalls appear in the Support for Firewalls section of the Configuration Wizard, and you have to open each instance to see which one is Legacy. When you install both versions, Security Manager renames Configuration Wizard links, existing rule groups, and documentation so you can easily distinguish legacy items from new items.
    3. When the modules are installed, open the Configuration Wizard.
    4. In the left pane, click Support for Firewalls.
    5. Click Configure the module for Cisco Firewalls (Legacy).
    6. Take note of all settings:
      • Agent domains and names
      • Device names
      • Monitoring settings
    7. Clear all entries, disabling the module.
    8. Click Finish.
    9. In the Schedule Configuration Changes window, ensure both checkboxes are cleared.

      Warning
      Selecting these checkboxes results in data loss, because the agents you have removed stop receiving data from your Cisco firewall devices.

    10. Click OK.
    11. Click Configure the module for Cisco Firewalls.
    12. Configure the non-Legacy version of Cisco Firewalls with the settings you recorded earlier from the Legacy version.
    13. Click Finish.
    14. In the Schedule Configuration Changes window, select both checkboxes and click OK. Selecting both checkboxes forces the Legacy module to empty all of its computer groups, so the version 6.5 module fills its computer groups with all of the newly released agents and devices.
    15. If you want to configure additional Cisco firewall devices in your installation, configure the Windows agent and then configure the Cisco firewall device. For more information, see Configuring the Agent and Configuring Cisco Firewall Devices.

Configuring the Agent

To configure the Windows agent, add the name and IP address of the Cisco firewall device to the Hosts file on the Windows agent computer. For more information about the Hosts file, see the Windows documentation.

Configuring Cisco Firewall Devices

You can configure one or more Cisco firewall devices to send syslog messages to the Windows agent computer and to accept SSH connections from it.

To configure a Cisco firewall device:

  1. If you configured time stamps on your firewall, ensure the time stamp uses the format Mmm DD YYYY hh:mm:ss, where Mmm is the three-letter month name, DD is the day of the month, YYYY is the year, hh is the hour in 24-hour format, mm is minutes, and ss is seconds.

    Note
    If your Cisco syslog messages do not have a recognizable time stamp, Security Manager uses the local time of the agent as the log message time. Security Manager does not support the EMBLEM format.

  2. Specify an SSH connection for the Windows agent. For more information, see the Cisco firewall documentation.
  3. If your Cisco syslog messages include a device ID, ensure the device ID is not exactly three characters long; device IDs of fewer than three or more than three characters work. For more information, see Device ID Cannot Have Three Characters under Known Issues.
  4. Disable paging, monitor logging, and console logging on the firewall device so that the configuration scripts the agent runs over SSH complete without interactive prompts.
  5. Configure the Cisco firewall to report only the messages with the severity levels you want to monitor. Sending lower-severity (more verbose) levels raises the event rate and, with it, the agent's memory use.
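As an added example, not code from the release notes or from NetIQ: the following Python script checks constructed syslog lines against the constraints in steps 1 and 3 (a recognizable Mmm DD YYYY hh:mm:ss time stamp and a device ID that is not exactly three characters) and filters by severity as in step 5. The line layout it parses, the sample messages, and the severity threshold parameter are assumptions of this example; the release notes specify only the time stamp format and the device ID limitation. Running it over a few lines captured from your own device before you point the device at the agent shows which messages would fall back to agent local time or trip the device ID limitation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample lines, not captured from a real device. The layout assumed
# here, "<Mmm DD YYYY hh:mm:ss> [<device-id> :] %<product>-<sev>-<id>: <text>",
# is what a PIX/ASA/FWSM emits with time stamps and a device ID enabled; the
# release notes specify only the time stamp format and the device ID limitation.
SAMPLE_LINES = [
    # time stamp present, 6-character device ID: accepted as-is
    "Nov 15 2010 09:12:44 fwedge : %ASA-6-302013: Built outbound TCP connection 4711 "
    "for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.0.2.10/51000 (203.0.113.4/51000)",
    # device ID of exactly three characters: hits the documented parser limitation
    "Nov 15 2010 09:12:45 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.9/5555 "
    "dst inside:192.0.2.10/22 by access-group \"outside_in\"",
    # no time stamp at all: the agent substitutes its own local time
    "%PIX-5-111008: User 'admin' executed the 'configure terminal' command.",
    # time stamp in the wrong order (DD Mmm YYYY): not recognized, agent local time again
    "15 Nov 2010 09:12:46 fwedge : %FWSM-4-405001: Received ARP request collision from 192.0.2.77",
]

NO_TIMESTAMP = "no recognizable time stamp (expected Mmm DD YYYY hh:mm:ss); agent local time will be used"
THREE_CHAR_ID = "device ID is exactly three characters; use fewer than three or more than three"
NOT_FIREWALL = "not a PIX/ASA/FWSM syslog message"

TIMESTAMP = r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}"
HEADER_RE = re.compile(r"%(?P<product>ASA|PIX|FWSM)-(?P<sev>\d)-(?P<msgid>\d{6}): ")
# Everything before the %PRODUCT header: an optional time stamp, then an optional "device-id :".
PREFIX_RE = re.compile(rf"^(?P<ts>{TIMESTAMP})?\s*(?:(?P<devid>\S+) : )?$")


@dataclass
class Finding:
    line: str
    msgid: Optional[str] = None        # e.g. "ASA-4-106023"
    severity: Optional[int] = None     # Cisco level: 0 emergencies ... 7 debugging
    timestamp: Optional[str] = None
    device_id: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def check_line(line: str) -> Finding:
    """Parse one syslog line and report anything the module would mishandle."""
    f = Finding(line=line)
    hdr = HEADER_RE.search(line)
    if hdr is None:
        f.problems.append(NOT_FIREWALL)
        return f
    f.msgid = f"{hdr['product']}-{hdr['sev']}-{hdr['msgid']}"
    f.severity = int(hdr["sev"])
    prefix = PREFIX_RE.match(line[: hdr.start()])
    if prefix is not None:               # an unparseable prefix leaves both fields None
        f.timestamp = prefix["ts"]
        f.device_id = prefix["devid"]
    if f.timestamp is None:
        f.problems.append(NO_TIMESTAMP)
    if f.device_id is not None and len(f.device_id) == 3:
        f.problems.append(THREE_CHAR_ID)
    return f


def audit(lines, max_severity: int = 7) -> List[Finding]:
    """Check every line at or below max_severity (the level you would set with
    the firewall's trap level) and return only the findings that have problems."""
    findings = []
    for f in (check_line(l) for l in lines):
        if f.severity is not None and f.severity > max_severity:
            continue
        if f.problems:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f.msgid, "|", "; ".join(f.problems))
```

The interface-name limitation (names containing a colon or space, see Known Issues) is not checked here: once an interface name contains the separator the parser keys on, the message cannot be split reliably, so the only fix is to rename the interface on the firewall.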

Creating Custom Processing Rules

NetIQ recommends you create your own custom processing rule group outside of the processing rule group installed with the module and then create custom processing rules for your environment. You can copy the predefined rules included in the module processing rule group to your custom processing rule group or create new rules within your custom processing rule group.

If you create or modify processing rules within the module processing rule group, the next time you install an updated version of the module, Security Manager may remove your customized rules. If you use your custom processing rule group to create or modify rules, Security Manager does not remove your customized rules when you install a new version of the module.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Device ID Cannot Have Three Characters

Due to limitations in regular expression parsing in this release, the device ID can have fewer than three characters or more than three characters, but not exactly three characters.

Incorrect Address or Interface Name

If an interface name on the firewall includes a colon or space, events will not be properly interpreted.

Excluded Account Names May Break Processing Rules

A known issue exists where adding certain account names or regular expressions on the Cisco Firewall Excluded Accounts page in the Configuration Wizard breaks the associated module processing rules, so Security Manager does not generate alerts for matching events. If you enter an account name or regular expression containing the character sequences or, and, or not, the module parser treats those sequences as Boolean operators rather than as part of the account name. For example, entering Administrator or Anderson in the excluded accounts list breaks the "Successful Login" and "User accessed configuration mode" rules in this module. If you add any account names or regular expressions containing or, and, or not to the excluded accounts list in the Configuration Wizard, you must also edit those names in the Development Console so the associated rules function.

To ensure excluded account names do not break associated processing rules:

  1. After you install the module, open the Configuration Wizard and follow the instructions to configure support for Cisco firewalls. Add the appropriate Cisco firewall account names or regular expressions on the Cisco Firewall Excluded Accounts page and complete the remaining configuration steps in the wizard. For more information, see the help for the Configuration Wizard.
  2. Open the Development Console and expand Processing Rule Groups > Event Manager for Firewalls > Event Manager for Cisco Firewalls.
  3. Select Event Processing Rules and locate the rule named "Successful Login" in the content pane. Open the rule to view its properties.
  4. On the Criteria tab, click Advanced.
  5. Under Process only data that matches all these criteria, select User Name and click Remove.
  6. Under Define more criteria, the Value field displays each of the account names and regular expressions you entered in the Configuration Wizard. Review each account name or regular expression and modify any that contain or, and, or not by adding square brackets around one character of that sequence. For example, if the User Name list includes an entry named Anderson, change the entry to [A]nderson. The bracketed character must belong to the offending sequence: [A]dministrator still contains or, whereas Administrat[o]r does not. Do not change or remove any other characters in the User Name list.
  7. When you are finished modifying the appropriate User Name entries, click Add to List.
  8. Click Close and then click Apply.
  9. In the Event Processing Rules list, locate the rule named "User accessed configuration mode," open the rule properties, and repeat steps 4 through 8 for that rule.

(DOC277433)

Configuration Wizard Allows Unsupported Characters

The Configuration Wizard allows entry of duplicate user account names and account names that conflict with the naming guidelines for Cisco and Microsoft Windows. Rules may not function correctly if you enter user account names:

  • Longer than 256 characters
  • Containing the following unsupported characters: / \ [ ] : ; | = , + * ? < > @ "

(ENG273406)
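As an added example that is not part of the release notes or of NetIQ's tooling, the following Python code takes the entries you plan to put on the Cisco Firewall Excluded Accounts page and reports, for each, the form to type in the Development Console (the bracket workaround under Excluded Account Names May Break Processing Rules) together with the duplicate, length, and unsupported-character problems listed under Configuration Wizard Allows Unsupported Characters. Its assumptions: the parser's or/and/not match is case-insensitive (the notes' own examples, Administrator and Anderson, only break under that reading), the bracket goes around the first letter of the offending sequence so the entry stays equivalent as a regular expression, and the unsupported-character list applies to plain account names rather than to regular expressions that legitimately use those metacharacters. The sample entries are constructed.

```python
import re
from typing import Dict, Iterable, List

# Sequences the module parser reads as Boolean operators (DOC277433). Matching
# them case-insensitively is an assumption of this example.
OPERATORS = ("or", "and", "not")
# Characters the wizard accepts but rules cannot handle (ENG273406).
UNSUPPORTED = set('/\\[]:;|=,+*?<>@"')
MAX_LEN = 256


def _first_operator(text: str):
    """Index of the earliest or/and/not occurrence in text, or None."""
    lower = text.lower()
    hits = [lower.find(op) for op in OPERATORS if op in lower]
    return min(hits) if hits else None


def development_console_form(entry: str) -> str:
    """Return the entry as it must be typed in the Development Console.

    One letter of each offending sequence is wrapped in square brackets
    (Anderson -> [A]nderson), which removes the bare operator word while a
    bracketed single letter still matches itself as a regular expression.
    Repeats until nothing is left, since one name can hold several
    sequences (notorious -> [n]ot[o]rious)."""
    out = entry
    while (i := _first_operator(out)) is not None:
        out = f"{out[:i]}[{out[i]}]{out[i + 1:]}"
    return out


def needs_console_edit(entry: str) -> bool:
    return _first_operator(entry) is not None


def account_name_problems(name: str, is_pattern: bool = False) -> List[str]:
    """Problems the wizard does not catch (ENG273406). Regular expressions are
    only length-checked, because they legitimately use listed metacharacters."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not is_pattern:
        bad = sorted(set(name) & UNSUPPORTED)
        if bad:
            problems.append("unsupported characters: " + " ".join(bad))
    return problems


def plan_excluded_accounts(names: Iterable[str], patterns: Iterable[str] = ()) -> List[Dict]:
    """One row per wizard entry: the entry, its Development Console form,
    whether that form differs from the entry, and any problems found
    (the wizard also accepts duplicates, so those are reported here)."""
    rows, seen = [], set()
    for entry, is_pattern in [(n, False) for n in names] + [(p, True) for p in patterns]:
        problems = ["duplicate entry"] if entry in seen else []
        seen.add(entry)
        problems += account_name_problems(entry, is_pattern)
        rows.append({
            "wizard": entry,
            "console": development_console_form(entry),
            "needs_console_edit": needs_console_edit(entry),
            "problems": problems,
        })
    return rows


def still_matches(console_form: str, name: str) -> bool:
    """Sanity check: the edited form must still match the original name."""
    return re.fullmatch(console_form, name) is not None


if __name__ == "__main__":
    # Constructed sample entries, not taken from any real environment.
    for row in plan_excluded_accounts(
        ["Administrator", "Anderson", "bob", "Administrator", "svc@corp"],
        patterns=["svc.*notify"],
    ):
        print(row)
```

Run it against your planned exclusion list before you open the wizard; every row with needs_console_edit set is one you will have to revisit in the Development Console for both the "Successful Login" and "User accessed configuration mode" rules, and every row with problems is one the wizard will accept silently.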

Contact Information

Please contact us with your questions and comments. We look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and user groups.
