I have a MARS and IDSM setup running and has been monitoring two internal VLANS with the IDSM. I get some notices in the IDSM and MARS for attempts flowing through our open firewall rules, nothing serious and I can get a path and mitigation suggestion for every attempt.
A few days ago I added our external unprotected VLAN to the IDSM and not surprisingly get alot more incidents in the IDSM and MARS. The problem is that none of these events can be graphed in MARS, it doesn't matter what type of events I get or if the events are aimed at valid NATed IPs or available IPs.
The only addition I've done to the MARS after adding the external VLAN to the IDSM is to add our external subnet to the list of networks monitored by the IDSM.
Do I have to change something else? My impression was that MARS should download NATsetups from our firewalls and use that to plot the network paths.