Tuning out a specific IP or user ID in MARS 50 v4.3

Unanswered Question
Nov 23rd, 2009

I have a vendor that monitors some firewalls remotely, and with that, the MARS is always firing the alert "System Rule: Modify Network Config" because of the "Firewall user entered a command other than show" rule. I'd like to tune either their IP or their user ID within MARS to have it not send an alert when they perform their duties.

Does anyone know how to do this just for their ID or IP? Thanks, Tony

Farrukh Haroon Tue, 11/24/2009 - 00:08

The problem with this MARS rule is that it will hardly ever report the source/destination IP fields or username fields. The username field is also always blank (especially with firewalls).

So your only option is to disable this rule for the WHOLE device itself i.e. by editing the "System Rule: Modify Network Config" in MARS. Then click on DEVICE (ANY) and select != (Not Equal To) after entering the Firewall's Reporting IP/Hostname. But of course after doing this CS-MARS won't notify you about 'any' future management activity on the device.

Or if this vendor has their own dedicated virtual context on the firewall, you can disable syslog id# 111007 for them as follows:

no logging message 111007

Regards

Farrukh

ttrevino1 Tue, 11/24/2009 - 06:54

Thanks for the help. I figured as much, as I haven't found the MARS appliance to be very easy to use or user friendly. I can't tune out the entire firewall, as I need to have MARS notify me when others are making firewall changes. And the vendor doesn't have a separate context, so I guess that option is out too.

Thanks for the quick and detailed response and options, I'll just have to live with the multiple alerts. Have a great Thanksgiving.
