Management and monitoring options for ASA

Nov 13th, 2008

Hi all,

Looking for some feedback on options for the management and monitoring of 25 ASA appliances.

Rather than configuring every ASA individually through ASDM, we are looking at the Cisco Security Manager. When it comes to alerting and monitoring for the IPS module in the ASAs, would people here recommend anything but MARS? There are 25 ASAs involved. I think that decentralized monitoring with ASDM would lead to too much overhead. Does MARS offer functionality that a syslog server couldn't match?

Thoughts, suggestions?

grant.maynard Mon, 12/01/2008 - 16:25

"Does MARS offer functionality that a syslog server couldn't match?" Does the Pope wear big hats?

MARS is not cheap but it is a great tool. Do some tuning on the ASA SSMs. Add them and the L3 devices in between, maybe NetFlow, to MARS. It'll map your topology (using SNMP), then draw you attack charts, generate alarms, cases and reports, suggest mitigation and even tie in with CSM. Have a look at the datasheet and, if possible, view a demo.

If you have to choose between CSM and MARS, go for MARS. CSM is best if your firewalls have a lot of config in common.

clausonna Wed, 12/10/2008 - 09:36

Check out a tool called 'Splunk'. It's like having your own Google server for your internal data. It can parse/index any type of data that you throw at it, including syslogs, without having to create a custom parser.

It's free for under 500Gb of data per day, and licensed based on volume of data/day.

It can also tie into other data repositories, for example you could also parse your Proxy server logs, and correlate firewall DENYs with proxy logs and something like the DShield or Emerging Threat "Bad" IP address list.

Don't get me wrong, I have 15 ASAs and IPS-SSMs logging into MARS (and managed by CSM), and over time (with countless hours of tweaking/tuning) I'm now quite happy with CSM/MARS. However Splunk is incredibly flexible, fast, and "open" in the sense of inputs/outputs, scripting, reporting, etc. I'm probably going to Splunk my proxy logs, and create rules that fire syslogs off to MARS for specific incidents.

Also, FWIW, even though the CSM/MARS combo is great for IPS, I'm still using IME (IPS Manager Express) to watch my 5 most important sensors. Sometimes IPS alerts get buried/lost in MARS, and it's good to watch the actual source(s) for what's being triggered.
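The correlation the reply above describes (firewall DENYs matched against a DShield/Emerging Threats style bad-IP list) is something a syslog collector plus a short script can do without MARS or Splunk. The following is an added example, not code from the thread or from Cisco/Splunk: it parses the standard ASA `%ASA-4-106023` ACL-deny syslog message, checks each source address against a CIDR blocklist, and groups the hits by attacker, destination port and reporting firewall so one offender probing several ASAs shows up as one event. The syslog lines, firewall hostnames and blocklist feed are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample ASA syslog lines (not from the thread). %ASA-4-106023 is
# the ACL-deny message; the %ASA-6-302013 line is included to show that
# non-deny messages are ignored by the parser.
SAMPLE_SYSLOG = """\
<164>Dec 10 2008 09:36:01 asa-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.45/51234 dst inside:10.1.1.20/445 by access-group "outside_in" [0x0, 0x0]
<164>Dec 10 2008 09:36:02 asa-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.45/51235 dst inside:10.1.1.21/445 by access-group "outside_in" [0x0, 0x0]
<164>Dec 10 2008 09:36:03 asa-edge-02 %ASA-4-106023: Deny udp src outside:198.51.100.7/40000 dst inside:10.1.2.5/53 by access-group "outside_in" [0x0, 0x0]
<164>Dec 10 2008 09:36:04 asa-edge-01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/3421 (192.0.2.10/3421) to inside:10.1.1.30/80 (10.1.1.30/80)
<164>Dec 10 2008 09:36:05 asa-edge-03 %ASA-4-106023: Deny tcp src outside:192.0.2.99/2222 dst inside:10.1.3.9/22 by access-group "outside_in" [0x0, 0x0]
"""

# Constructed blocklist in the "one IP or CIDR per line, # is a comment"
# style that public bad-IP feeds use. Not a real feed.
SAMPLE_BLOCKLIST = """\
# constructed feed for the example
203.0.113.0/24
192.0.2.99
"""

# Fields of the 106023 message: reporting host, protocol, src/dst interface,
# address and port, and the ACL name that caused the deny.
DENY_RE = re.compile(
    r"(?P<host>\S+) %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def load_blocklist(text):
    """Parse a feed into ip_network objects; bare IPs become /32 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_denies(text):
    """Return one dict per %ASA-4-106023 line; other message IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def match_blocklist(ip, nets):
    """Return the first blocklist network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def correlate(events, nets):
    """Group denies whose source is on the blocklist, keyed by source IP.

    Each value records the matching feed entry, the deny count, the set of
    firewalls that reported it and the destination ports it was denied on.
    """
    hits = {}
    for e in events:
        net = match_blocklist(e["src"], nets)
        if net is None:
            continue
        h = hits.setdefault(e["src"], {"network": str(net), "count": 0,
                                       "hosts": set(), "dports": set()})
        h["count"] += 1
        h["hosts"].add(e["host"])
        h["dports"].add(e["dport"])
    for h in hits.values():  # sorted lists give stable, reportable output
        h["hosts"] = sorted(h["hosts"])
        h["dports"] = sorted(h["dports"])
    return hits


def run(syslog_text=SAMPLE_SYSLOG, blocklist_text=SAMPLE_BLOCKLIST):
    return correlate(parse_denies(syslog_text), load_blocklist(blocklist_text))


if __name__ == "__main__":
    for src, h in sorted(run().items()):
        print(f"{src:16} on {h['network']:18} denies={h['count']} "
              f"from {','.join(h['hosts'])} dports={h['dports']}")
```

In production the syslog text would be read from the collector's spool and the blocklist fetched on a schedule; the correlation step is the same, and its output is what you would forward to MARS (or raise a case on) rather than the raw deny volume.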
