Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
480
Views
0
Helpful
2
Replies

Management and monitoring options for ASA

MIWConsulting
Level 1
Level 1

‎11-13-2008 09:19 AM - edited ‎02-21-2020 03:06 AM

Hi all,

Looking for some feedback on options for the management and monitoring of 25 ASA appliances.

Rather than configuring every ASA individually through ADSM, we are looking at the Cisco Security Manager. When it comes to alerting and monitoring for the IPS module in the ASA's, would people here recommend anything but MARS? There's 25 ASA's involved...I think that decentrailzed monitoring with ADSM would lead to too much overhead...Does MARS offer functionality that a syslog server couldn't match?

Thoughts, suggestions?

0 Helpful
2 Replies 2

grant.maynard
Level 4
Level 4

‎12-01-2008 04:25 PM

"Does MARS offer functionality that a syslog server couldn't match?" Does the Pope wear big hats?

MARS is not cheap but it is a great tool. Do some tuning on the ASA SSMs. Add them and L3 devices inbetween, maybe netflow, to MARS. It'll map your topo (using SNMP), then draw you attack charts, generate alarms, cases and reports, suggest mitigation and even tie in with CSM. Have a look at the datasheet and, if possible, view a demo.

If you have to choose between CSM and MARS, go for MARS. CSM is best if your firewalls have alot of config in common.

0 Helpful

clausonna
Level 3
Level 3
In response to grant.maynard

‎12-10-2008 09:36 AM

Check out a tool called 'Splunk'. Its like having your own Google server for your internal data. It can parse/index any type of data that you throw at it, including syslogs, without having to create a custom parser.

Its free for under 500Gb of data per day, and licensed based on volume of data/day.

It can also tie into other data repositories, for example you could also parse your Proxy server logs, and correlate firewall DENYs with proxy logs and something like the DShield or Emerging Threat "Bad" IP address list.

Don't get me wrong, I have 15 ASA's and IPS-SSM's logging into MARS (and managed by CSM), and over time (with countless hours of tweaking/tuning) I'm now quite happy with CSM/MARS. However Splunk is incredibly flexible, fast, and "open" in the sense of inputs/outputs, scripting, reporting, etc. I'm probably going to Splunk my proxy logs, and create rules that fire Syslogs off to MARS for specific incidents.

Also, FWIW, even though the CSM/MARS combo is great for IPS, I'm still using IME (IPS Manager Express) to watch my 5 most important sensors. Sometimes IPS alerts get buried/lost in MARS, and its good to watch the actual source(s) for whats being triggered

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card