
ASK THE EXPERTS : Cisco Security Manager

May 6th, 2011


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how Cisco Security Manager enables deployment of security-related configuration to Cisco devices with Cisco experts Stefano De Crescenzo and Nevena Krsmanovic. Stefano De Crescenzo is working in Cisco’s Product Security Incident Response Team (PSIRT) as an incident manager. Prior to this, he was working in Cisco’s Technical Assistance Center in EMEA as a customer support engineer within the Security and Content team, where he specialized in solving highly complex firewall and VPN issues with a particular focus on Cisco Security Manager. Nevena Krsmanovic is a customer support engineer in the Firewall and Intrusion Detection System team for the Cisco Technical Assistance Center in Brussels. She specializes in resolving high-severity issues with Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, Content Security and Content Module, and the Cisco IOS firewall feature set. Prior to this she supported security (firewall and VPN) and content (Cisco Load Balancers) technologies.

Remember to use the rating system to let Stefano and Nevena know if you have received an adequate response.
Stefano and Nevena might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through May 20, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Mohamed Sobair Fri, 05/06/2011 - 23:52


I have some questions on the Security Manager, and I would like to know the following:

1- Does it monitor and Log Network attacks?

2- Does it provide logging, customized reporting?

3- Does it provide graphs on the VPN utilization, number of VPN users and IPsec tunnel throughput, and performance measurement of VPN?

What other features does the Security Manager product provide?



nkrsmano Sat, 05/07/2011 - 03:26

Hi Mohamed,

Thank you for participating in Ask the Expert sessions.

The functionality you are looking for, when it comes to logging is the CSM Event Viewer that was introduced in CSM 4.0. There is an interesting video posted on CCO that goes over the functionality of this new feature:

As you may see from there, Event Viewer provides logging capability, and you are able to create different types of views that limit the logs to a specific device, log message, etc. - the customized logging you were looking for. However, this feature doesn't provide any correlation of logging events (as, for example, CS-MARS does), so that it can indicate an attack.

Here is a link on how to configure Event Viewer logging:

Additionally CSM 4.1 provides reporting functionality that allows you to generate reports on, for example, top source/destination/service that built/denied firewall events, top VPN bandwidth users, top VPN duration users, etc. The important thing to remember is that all these statistics are obtained from the logs that were received by CSM Event Viewer.

You can find out more on how to configure reporting within CSM 4.1 configuration guide:

As for the monitoring of VPNs, this functionality is provided by a different application called Performance Monitor (MCP). You will find more details on VPN monitoring within MCP configuration guide:

As you may see from there, you can have a report on the number of VPN sessions, throughput, CPU utilization of devices included in the VPN, etc., and based on this data, you can also have a graph on throughput and dropped packets. The difference between this reporting and the one that you have within the CSM 4.1 reporting functionality is that this one has been obtained via SNMP, while the other one was made by consolidating data received from the logs within Event Viewer.

Let me know if this answers your question.



Mohamed Sobair Sat, 05/07/2011 - 04:00


Yes Nevena, this answers my question.

Thanks for the useful links,



ROBERTO GIANA Tue, 05/10/2011 - 23:40

Are there plans to improve the reporting capabilities in the next versions? Today they are very basic and only about top-talker kind of stuff.

snimmaga Thu, 05/19/2011 - 13:04

Future plans cannot be shared in open forums like these. Please reach out to your Cisco account manager and get the question answered by the product management team. BTW, what kind of report-related enhancements are you looking for?

7network123 Sun, 05/08/2011 - 21:33

Hi Experts,

When I do ipconfig /all to pull up its MAC address, I see it starts with 8C:60:XX:XX:XX:XX. When I try to add it to the 4th entry of my Client List on the AP4410N, it rejects it with a dialog box:

"MAC 4 must be 12 Hex chars (0~9 and A~F) with optional delimiters (: or -), and the second bit is not a odd number."

I checked over and over that the Wireless Card MAC address is correct. Any ideas what can I do?


nkrsmano Sun, 05/08/2011 - 23:24

Hi Erik,

Unfortunately this question is related to the Wireless AP, which is not my area of expertise. This particular session is opened for Cisco Security Manager, and I would be able to answer your queries within this domain. However, looking around the forum I saw that you posted the same question within the "Getting Started with Wireless" section a few days back, and that it was not answered so far. I've synced up with my colleague from the Wireless team, and he will be able to address your query shortly.



sding2006 Mon, 05/09/2011 - 06:04

Will CSM support ASR or Nexus management? Especially ACL, ZBF.




sdecresc Mon, 05/09/2011 - 06:17

Hi Shiling,

thanks for participating in this "Ask the expert" session

Regarding your question, we do support ASR configuration provisioning. You can refer to the following link for CSM 4.1 where you can find which ASR hw and sw are supported.

Regarding Nexus, at the moment there is no official plan to have it in CSM. You might want to reach your account team to get it in the roadmap if possible.

Hope this answers your questions.


ROBERTO GIANA Tue, 05/10/2011 - 23:38


Why do the system requirements for the server platform require 550 GB for Windows and CSCOPx, meanwhile after installation only about 47 GB are occupied for both?

Kind regards


nkrsmano Wed, 05/11/2011 - 01:22

Hi Roberto,

Thank you for participating in "Ask the Experts" session.

The required space should also take into account the space required for events and reporting data. Right after the installation the size would be minimal, with the space occupied just for the basic data. However, as the DB grows over time and lots of historical data like the config archives build up, and the events are being collected and stored in addition, the space would go up, so we had to address it within the limitation mentioned in the documentation.

Especially, the space requirement for Eventing data could be higher compared to CSM's own data.

Let me know if this answers your question.

Best Regards,


ROBERTO GIANA Wed, 05/11/2011 - 02:37

Hi Nevena

I agree with that. But the system requirements demand an additional 1'500 GB of disk space just for the logging of the events. :-)

Did anybody ever talk to their data center operator about how much you have to pay for each GB of storage you ask for? Keep in mind that the price takes into account not only the price for the disks themselves, but also costs of shelves, licenses, SAN switches and especially backup tapes.

nkrsmano Wed, 05/11/2011 - 08:48

Hi Roberto,

I understand your concern. I am not sure whether the development team had any discussions with DC operators when putting on the specific requirements on disk space size. However, what I can do from my side is to raise this concern with the DE team and see whether this could be changed in future.



vsimpson Wed, 05/11/2011 - 06:00

Hi, can you tell me how I can update the signature engine from version 1 to version 4 on my IDSM2 blade please?

sdecresc Wed, 05/11/2011 - 08:06


thanks for joining Ask the Expert

To update your sensors you can follow the guideline in the config guide:

You have different options to download the new sensor and signature package, either via Cisco website or manually.

Please also read the IPS release notes of the package you want to upgrade to in order to double check that you are following the right upgrade path.

Please let me know if this answers your questions.



vsimpson Wed, 05/11/2011 - 08:20

Hi Stefano

Many thanks for the reply. The document you point me to refers to IPS, however I will be using IDM and I have downloaded the latest signature via the Cisco download site. The error I get when trying to load the signature is that it is for an engine version 4 and I have version 1. I presume I can upgrade to the version 4 engine?

thanks & regards


sdecresc Wed, 05/11/2011 - 09:08

Hi Vince,

eheh, I need to ask a few questions

1- are you using IDM or CSM to manage your IDSM?

2- indeed it is possible that you need to upgrade the engine before updating the signature. At the end of the signature name you will find the engine required to run that signature package. E.g. IPS-CS-MGR-sig-S566-req-E4 means that it requires the E4 engine on your IPS

3- yes you can upgrade to E4 engine. Which version are you using at the moment? Can you please send me a show version from the IDSM?



vsimpson Wed, 05/11/2011 - 09:25

Thanks Stefano

copy of IDSM version attached, I'm using IDM

Sig engine update is IDS-K9-sp-4.1-5-S189.rpm

signature update is IDS-sig-4.1-5-S252.rpm

Application Partition:

Cisco Intrusion Prevention System, Version 6.1(1)E1

    Realm Keys          key1.0
Signature Definition:
    Signature Update    S329.0                   2008-04-16
    Virus Update        V1.2                     2005-11-24
OS Version:             2.4.30-IDS-smp-bigphys
Platform:               WS-SVC-IDSM-2
Serial Number:          SAD133101NT
No license present
Sensor up-time is 51 days.
Using 1407328256 out of 1983504384 bytes of available memory (70% usage)
system is using 17.7M out of 29.0M bytes of available disk space (61% usage)
application-data is using 35.2M out of 166.8M bytes of available disk space (22% usage)
boot is using 40.5M out of 68.6M bytes of available disk space (62% usage)
application-log is using 529.2M out of 2.8G bytes of available disk space (20% usage)

MainApp          M-2008_APR_24_19_16   (Release)   2008-04-24T19:49:05-0500   Running
AnalysisEngine   M-2008_APR_24_19_16   (Release)   2008-04-24T19:49:05-0500   Running
CLI              M-2008_APR_24_19_16   (Release)   2008-04-24T19:49:05-0500

Upgrade History:

  IPS-K9-6.1-1-E1   19:16:00 UTC Thu Apr 24 2008

Maintenance Partition Version 2.1(3)

Recovery Partition Version 1.1 - 6.1(1)E1

Host Certificate Valid from: 14-Feb-2011 to 14-Feb-2013

sdecresc Thu, 05/12/2011 - 00:57

Hi Vince,

I see you are on 6.1.1E1. In order to upgrade the sensor, you might want to read the following release note:

this is for 7.0.4E4 one of the latest.

To do the upgrade via IDM, you can refer to:

Hope this helps.

PS, this Ask the expert session is meant for Cisco Security Manager (CSM) only

Not sure if you are aware about this product, I invite you to consult the CSM webpage and get familiar with it. It offers much more comprehensive security product management than IDM
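Added example, not part of the original thread and not Cisco's tooling: a small Python script that pulls the required engine level out of a signature package name (the "-req-E4" suffix Stefano explains above) and compares it with the engine and signature level reported by the sensor's show version. The show version excerpt is constructed in the same format as the one Vince posted; the package names and helper names are assumptions.

```python
import re
from typing import Optional

# Constructed "show version" excerpt in the format the sensor prints (not a real
# device's output); only the fields this script parses are reproduced.
SAMPLE_SHOW_VERSION = """\
Application Partition:

Cisco Intrusion Prevention System, Version 6.1(1)E1

Signature Definition:
    Signature Update    S329.0                   2008-04-16
    Virus Update        V1.2                     2005-11-24
Platform:               WS-SVC-IDSM-2
"""

# Signature packages name the required engine at the end, e.g. IPS-CS-MGR-sig-S566-req-E4.
PACKAGE_RE = re.compile(r"-sig-S(?P<sig>\d+)-req-E(?P<engine>\d+)", re.IGNORECASE)
# "Version 6.1(1)E1" -> software version 6.1(1), engine level 1
VERSION_RE = re.compile(r"Version\s+(?P<version>[\d.()]+)E(?P<engine>\d+)")
SIG_RE = re.compile(r"Signature Update\s+S(?P<sig>\d+)")


def parse_package_name(name: str) -> Optional[dict]:
    """Return the signature level and required engine encoded in a package name."""
    m = PACKAGE_RE.search(name)
    if not m:
        return None
    return {"sig": int(m.group("sig")), "required_engine": int(m.group("engine"))}


def parse_show_version(text: str) -> Optional[dict]:
    """Extract software version, engine level and current signature level."""
    v = VERSION_RE.search(text)
    s = SIG_RE.search(text)
    if not v or not s:
        return None
    return {"version": v.group("version"), "engine": int(v.group("engine")),
            "sig": int(s.group("sig"))}


def plan_signature_update(package_name: str, show_version_text: str) -> dict:
    """Decide whether the package applies directly, is already on the sensor,
    or needs an engine upgrade first."""
    pkg = parse_package_name(package_name)
    sensor = parse_show_version(show_version_text)
    if pkg is None or sensor is None:
        return {"action": "unparseable"}
    if sensor["engine"] < pkg["required_engine"]:
        return {"action": "upgrade-engine-first",
                "have_engine": sensor["engine"], "need_engine": pkg["required_engine"]}
    if sensor["sig"] >= pkg["sig"]:
        return {"action": "already-current",
                "sensor_sig": sensor["sig"], "package_sig": pkg["sig"]}
    return {"action": "apply-signature-update", "from_sig": sensor["sig"], "to_sig": pkg["sig"]}


if __name__ == "__main__":
    for name in ("IPS-CS-MGR-sig-S566-req-E4",
                 "IPS-CS-MGR-sig-S400-req-E1",
                 "IPS-CS-MGR-sig-S300-req-E1"):
        print(name, "->", plan_signature_update(name, SAMPLE_SHOW_VERSION))
```

Run against the constructed excerpt, the S566 package is refused with "upgrade-engine-first" because the sensor is at E1, which is exactly the error Vince saw; an E1 package newer than S329 is reported as applicable.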


vsimpson Thu, 05/12/2011 - 04:00

Hi Stefano

Thanks for the reply, very helpful,

Apologies for using wrong forum, I hadn't realised.

best regards


Jordan0113 Wed, 05/11/2011 - 09:44


Please bear with me as I am new to managing the CSM platform.  I'm currently working on upgrading a current production CSM 3.2.1 to CSM 4.0.1.

It is my understanding that in order for me to reach 4.0.1 I must complete the following "stair-step" upgrade path as follows: 3.2.2, then 4.0, and finally 4.0.1.  During this process there would be multiple OS upgrades as well on the physical box due to software requirements.

What I'm currently having a hard time understanding is why I would want to complete this "stair-step" upgrade path as opposed to just deploying a fresh install of CSM 4.0.1?  A fresh install would allow me to only have to upgrade the OS once with the added bonus of a shorter project timeline which is dependent upon Maintenance Window constraints.

On one hand -

I have the argument of "I need to retain the integrity of the original CSM 3.2.1 database".

On the other hand -

What relevant information is retained within the original database?

Is it possible for me to deploy a fresh install of 4.0.1, add the devices to CSM, and then import each devices' configuration/policies - thus creating a like-for-like 4.0.1 database as to the original 3.2.1?

NOTE:  Keep in mind that currently CSM is only utilized to manage a small number(<200) of ASAs.

Thanks in advance for your assistance!


sdecresc Thu, 05/12/2011 - 01:07

Hi Jordan,

thanks for contributing to this Ask the Experts session

To start with, yes that is the correct upgrade path and no, you cannot install a fresh 4.0.1 and restore a 3.2.1 DB. The reason is that in some new releases we have changed the database schema (for example adding a new field) in order to implement new features.

Since 3.2.1 has a different DB schema than 4.0.1, a direct restore will not work, hence the stepped upgrade.

Let me make an example of what is happening.

When you upgrade from 3.2.1 to 3.2.2, the 3.2.2 installer has knowledge of the 3.2.1 schema and will translate this into a compatible 3.2.2 schema. After the upgrade is completed, the DB will have a full 3.2.2 schema. This is valid for all the next steps (e.g. the 4.0 installer will transform the 3.2.2 DB into a 4.0-compatible one)...

Regarding the other questions, well, potentially you can install a fresh 4.0.1 and rediscover one by one all your devices. If you have a limited number of devices I guess it can be done, but when the number of devices grows it becomes impractical.

On top of this, bear in mind that by rediscovering the devices you will lose all your shared policies (if you have any configured), logs, config archive, settings and so on...

However this will not lead to any modification to the real up to you

Hope this answers your questions
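Added illustration of the stair-step reasoning above; this is not CSM's code and the schema fields are hypothetical. Each migration step knows only the schema of the release immediately before it, so a backup is accepted only by the release whose schema it carries, and getting from 3.2.1 to 4.0.1 means running every intermediate translation in order.

```python
import copy
from typing import Callable, Dict, List, Tuple

# Supported releases in upgrade order (the path stated in the thread).
UPGRADE_PATH: List[str] = ["3.2.1", "3.2.2", "4.0", "4.0.1"]


class SchemaMismatch(Exception):
    """Raised when a DB is handed to software that does not know its schema."""


# Each step only understands the schema of the immediately preceding release.
# The field names are hypothetical illustrations, not CSM's real schema.
def _321_to_322(db: dict) -> dict:
    db = dict(db, schema="3.2.2")
    for dev in db["devices"]:
        dev.setdefault("config_archive", [])       # hypothetical new per-device field
    return db


def _322_to_40(db: dict) -> dict:
    db = dict(db, schema="4.0")
    db["event_views"] = []                          # hypothetical new table
    return db


def _40_to_401(db: dict) -> dict:
    db = dict(db, schema="4.0.1")
    for dev in db["devices"]:
        dev.setdefault("os_version", "unknown")    # hypothetical new per-device field
    return db


MIGRATIONS: Dict[Tuple[str, str], Callable[[dict], dict]] = {
    ("3.2.1", "3.2.2"): _321_to_322,
    ("3.2.2", "4.0"): _322_to_40,
    ("4.0", "4.0.1"): _40_to_401,
}


def upgrade_steps(current: str, target: str) -> List[str]:
    """Releases that must be installed, in order, to get from current to target."""
    i, j = UPGRADE_PATH.index(current), UPGRADE_PATH.index(target)
    if j < i:
        raise ValueError("downgrades are not supported")
    return UPGRADE_PATH[i + 1:j + 1]


def can_restore(db: dict, installed_version: str) -> bool:
    """A direct backup restore only works when the DB schema matches the installed release."""
    return db["schema"] == installed_version


def restore(db: dict, installed_version: str) -> dict:
    if not can_restore(db, installed_version):
        raise SchemaMismatch(f"DB schema {db['schema']} cannot be restored into {installed_version}")
    return db


def upgrade(db: dict, target: str) -> dict:
    """Walk the stair-step path, letting each installer translate the previous schema."""
    db = copy.deepcopy(db)
    for nxt in upgrade_steps(db["schema"], target):
        db = MIGRATIONS[(db["schema"], nxt)](db)
        assert db["schema"] == nxt
    return db


# Constructed sample database (not real CSM data).
SAMPLE_DB = {"schema": "3.2.1", "devices": [{"name": "asa-1"}, {"name": "asa-2"}]}

if __name__ == "__main__":
    print("steps:", upgrade_steps("3.2.1", "4.0.1"))
    print("restore 3.2.1 backup into 4.0.1:", can_restore(SAMPLE_DB, "4.0.1"))
    print("after upgrade:", upgrade(SAMPLE_DB, "4.0.1"))
```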


ROBERTO GIANA Thu, 05/12/2011 - 01:44

How will RBAC in the future work within the CSM, as ACS 4.x has been put to End Of Sales? As far as I know ACS 5.x doesn't support RBAC anymore.

nkrsmano Thu, 05/12/2011 - 02:23

Hi Roberto,

Indeed, for the moment we don't support ACS 5.x, and additionally ACS 5.x doesn't support RBAC. However, there is a lot of internal discussion around this and the CSM product team is working on alternative solutions when it comes to support for RBAC.



Mohammed Khair ... Mon, 05/16/2011 - 10:31

Hi All,

Will CSM give me the ability to make configuration script and paste them into multiple devices without having to go through 1 device at a time?

My colleague told me that Cisco guys use CSM rather than SecureCRT for this functionality. Can you please give me a hint about it?

Best Regards

nkrsmano Tue, 05/17/2011 - 00:43


Actually, it's a bit different than doing a configuration script that would paste relevant config to the device, although the end result is kind of the same. When using CSM, you create different policies on CSM that result in a certain configuration that would be pushed to the real device. Having said that, if you have a policy that needs to be applied on different devices of the same type, what you can do is to apply this specific policy, or even all the policies from one device to the other, which would result in these two devices having the same configuration after CSM deployment.

For example, if you need to have the same access-list applied on all the outside interfaces of your firewalls, what you can do is to create an access-list policy, and apply it to all firewalls. This way, after the deployment, CSM will push the same kind of access-list to all outside interfaces.

Let me know if this answers your question.



Mohammed Khair ... Tue, 05/17/2011 - 01:31

Thank you Nevana, I will try to work on this in my lab.


cpaquet Mon, 05/16/2011 - 20:07

Good evening,

An organization has 2,200 Cisco routers configured to perform authentication and authorization with tacacs+ local.

Every 12 weeks the primary credentials and enable password need to be changed.

How can we change on all 2,200 routers, besides a manual process, the credentials found at CSM > Device Properties > Credentials?



ROBERTO GIANA Mon, 05/16/2011 - 23:56

Hi Catherine

If you deploy the new credentials as a shared policy under "Platform/Device Admin/Credentials" the CSM updates itself the access credentials during the deployment phase.

See also the online manual:

The Username, Password, and Enable Password on this page are linked to the Credentials settings in the Device Properties window. When you update these parameters and then deploy the changes to the device, Security Manager uses the existing credentials defined in the Device Properties to log into the device and deploy changes. After successful deployment, the Device Properties credentials are updated to match these settings. For more information about Credentials in Device Properties, see Device Credentials Page.

nkrsmano Tue, 05/17/2011 - 03:17

Thanks for the post Roberto!

Looking forward to your future posts on Cisco Support Community!

nkrsmano Tue, 05/17/2011 - 03:14

Hi Catherine,

It looks like Roberto was faster

Indeed, the best way to make change to the credentials on large amount of devices is via the shared policy as he mentioned. So, you would need to:

1. create shared policy

2. fill in credential info

3. assign the policy to a device

4. deploy changes

More info on changing device credentials (including this shared policy) can be found here:

Let me know if this answers your question.

Best Regards,


ROBERTO GIANA Tue, 05/17/2011 - 00:04


How can we enter credentials with already encrypted passwords under "Platform/Device Admin/User Accounts"? If I enter there a new username with a clear text password, the CSM deploys it; after deployment it checks that the device config has been changed (by the device of course, as it encrypts all passwords) and then the CSM goes on redeploying the username, as it has a configuration for the clear text password and sees that the config has been changed. And so on, so on, so on, so on, ... :-)

BTW: When rediscovering the configuration with an encrypted password, the CSM has no problem with it. As long as no one changes the password...

Kind regards


nkrsmano Tue, 05/17/2011 - 14:57

Hi Roberto,

There are several things you can do from the Account and Credentials view for a given device:

1. You can configure password (un-encrypted)

2. You can configure a secret - displayed as an MD5 hashed password (which is actually the most secure algorithm of all, as noted here:

3. You can use the password encryption service, which is the equivalent of configuring the "service password-encryption" command on the CLI. This basically encrypts all passwords within the configuration with the type 7 encryption (as noted in the previous link). This type of encryption is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file; however, it doesn't provide a high level of network security compared to MD5.

Within IOS CLI you can configure a "type 7" encrypted password as noted below:

router(config)#username nevena password 7 ?
  WORD  The HIDDEN user password string

However, this is not meant to be used in this way, but only when we copy-paste an already encrypted password from one device to the other, because you normally don't know how a certain string would look when "type 7" encrypted.

For this reason you don't have this possibility in CSM. Nevertheless, if you wish to have your passwords encrypted, to make sure that whoever views the config cannot pick it up, I suggest using the password-encryption feature.

Let me know if this answers your question.

Best Regards,
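Added Python example, not from the thread and not a Cisco tool: a config audit that finds the three credential forms Nevena lists in an IOS-style configuration (clear-text password, type 7 "service password-encryption" password, and secret) and rates them the way her answer does, so an operator can see which entries are only masked rather than hashed before pushing or archiving a config. The config excerpt is constructed; the type 7 string and the hashes in it are placeholders, not real encodings.

```python
import re
from typing import List

# Constructed sample running-config excerpt (not from a real device); the
# type 7 string and the secret hashes are placeholders, not real encodings.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable password cisco123
username admin password 0 plaintextpw
username nevena password 7 0102030405060708
username ops secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxx
username audit secret 9 $9$PLACEHOLDERSCRYPTzzzzzzzzz
"""

# Matches "enable password|secret [type] value" and
# "username NAME password|secret [type] value".
CRED_RE = re.compile(
    r"^(?P<scope>enable|username\s+(?P<user>\S+))\s+"
    r"(?P<kind>password|secret)\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)\s*$"
)

ADVICE = {
    "cleartext": "stored in clear; replace with 'secret' (service password-encryption only masks it)",
    "type7-reversible": "type 7 is reversible masking, not a hash; replace with 'secret'",
    "one-way-hash": "stored as a one-way hash; acceptable",
    "unknown": "unrecognised password type; review manually",
}


def classify(kind: str, ptype):
    """Map credential kind and type number to (storage form, severity)."""
    if kind == "secret":
        # 'secret' is kept as a one-way hash (type 5 MD5 on older IOS, 8/9 on newer).
        return "one-way-hash", "ok"
    if ptype in (None, "0"):
        return "cleartext", "high"
    if ptype == "7":
        return "type7-reversible", "medium"
    return "unknown", "medium"


def audit_config(config: str) -> List[dict]:
    """Return one finding per credential line in the config."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        storage, severity = classify(m.group("kind"), m.group("ptype"))
        findings.append({"line": n, "scope": m.group("scope"), "storage": storage,
                         "severity": severity, "advice": ADVICE[storage]})
    return findings


def summarize(config: str) -> dict:
    """Counts by severity plus whether the config masks passwords at all."""
    findings = audit_config(config)
    counts = {"high": 0, "medium": 0, "ok": 0}
    for f in findings:
        counts[f["severity"]] += 1
    masked = re.search(r"^service password-encryption\s*$", config, re.M) is not None
    return {"counts": counts, "service_password_encryption": masked, "findings": findings}


if __name__ == "__main__":
    report = summarize(SAMPLE_CONFIG)
    print("service password-encryption:", report["service_password_encryption"])
    for f in report["findings"]:
        print(f"line {f['line']:>2} {f['severity']:<6} {f['scope']:<16} {f['advice']}")
```

The severities mirror the answer above: clear-text entries are the ones "service password-encryption" would merely mask, type 7 entries are masked but not hashed, and only the secret entries survive an attacker reading the archived config.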


kenneth.attard Tue, 05/17/2011 - 00:28

Good morning

I would like to ask you 3 questions: one is related to firewall design and the other 2 are related to features and future products.


Is it possible to increase the firewall throughput by load balancing firewalls using ACE? If yes, do you have any guidelines on how to do this?


If you implement contexts on the ASA you lose a number of functionalities such as VPN and dynamic routing. Are there any plans in the roadmap to overcome these limitations?


At the end of March, a new ASA blade for the Cat 6500 was introduced.  Are there any plans to have the equivalent for the Nexus family?



sdecresc Wed, 05/18/2011 - 06:12

Hi Kenneth,

thanks for reaching out through this Ask the Expert session. Unfortunately this session is dedicated to Cisco Security Manager so I might not be the best person to answer your questions

Anyway I will try to give you some pointers:

1- please try to post this question in the ACE forums. I know there is a pretty active community there and I am sure they will answer your question pretty fast

2- as far as I know there is no plan, but please reach out to your account team to ask for more information

3- I believe there might be plan for something like that, however again please check with your account team for more information.



cpaquet Tue, 05/17/2011 - 06:59

Thanks for the quick reply regarding my Credential deployment question.

The same large enterprise wishes to use AUX ports with modems for OOB management in extreme cases. Any other way than using FlexConfig to push an AUX policy to all 2,200 routers?



sdecresc Wed, 05/18/2011 - 07:14

Hello Catherine,

at this point AUX configuration is not supported, so the only way you have is to do it via FlexConfig.


cpaquet Tue, 05/17/2011 - 11:19

As mentioned in the User Guide "Deployment - Step 1: Security Manager obtains the current configuration for the device and compares it to the latest saved policies for the device in Security Manager." Is it possible to turn this process off, since it has undesirable latency in rare emergency situations? During Conficker, one ACE was pushed to all 2,200 devices using a script, taking approx 5 secs per router to update.

sdecresc Wed, 05/18/2011 - 07:20

Hi Catherine,

If I understood correctly your question you are referring to the OOB check that is done just before the deployment.

Indeed, before the deployment CSM retrieves the current config from the device and does a diff between the running config and what CSM has in its DB.

If any OOB change is detected, CSM will stop the deployment or report an error depending on the setting.

There is a way to skip the OOB checking, you can go to: Tools->Security Manager Administration->Deployment and set

When Out Of Band Detected to "Do not check for changes"

This will skip the oob checking.

You can find more information at:


Hope this answers your question.


cpaquet Wed, 05/18/2011 - 09:26

Hi Stefano,

Thanks for the reply. I knew about the Do Not Check for OOBD, however, correct me if I'm wrong, but even when the Deployment does not check for OOBD, CSM will still get a copy of the device running-config. Is there a way, on an exception basis, to not have CSM retrieve the running-config on the live device before deploying?

Currently, they are using a script that pushes this extra ACL to all 2,200 across the WAN - it takes about 5 secs per device. Since time is a real issue in case of emergency, they could push the additional ACE with their script, and when time permits, add it to CSM and Deploy to File, right?

By the same token, how many simultaneous Deployment sessions can CSM 4.1 handle? This very large retailer customer wishes to push a policy to 2,200 Cisco IOS routers.



sdecresc Thu, 05/19/2011 - 04:47

Hi Cath,

let me give you a bit of background on how CSM performs the deployment operations:

1- if the OOB check is activated then we will retrieve the config and do the diff with the one present in the CSM DB. If OOB changes are present we will perform the action in the settings

2- we will do a show version and some other commands depending on the platform and then deploy the change

3- we will retrieve the configuration again to make sure the config archive and DB are in sync with the current config on the device after the change

Now, while step 1 can be skipped, step 3 will always be there for CSM to function properly, so there will be at least one time which requires the configuration to be retrieved

For your questions:

1- yes, although not recommended you can add in CSM at later time and deploy to a file

2- there is not an upper bound on how many simultaneous deployments you can do. On the other hand it really depends on the HW and OS you use plus the actual delta you are deploying.
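Added simulation of the three-step deployment flow Stefano describes (not CSM's code): an optional out-of-band check implemented as a diff between the CSM archive and the device's running config, the push, and the unconditional re-read that keeps archive and DB in sync. "Do not check for changes" is the setting named in the thread; the other two setting names and the device, config lines and policy lines are constructed for the example.

```python
from enum import Enum
from typing import Dict, List, Tuple


class OobSetting(Enum):
    """Values for 'When Out Of Band Detected'. DO_NOT_CHECK is the one named in the
    thread; the other two are assumed labels for the stop / report behaviours."""
    DO_NOT_CHECK = "Do not check for changes"
    WARN = "Warn and continue"
    STOP = "Stop deployment"


class Device:
    """Toy managed device holding its running config as a list of lines."""

    def __init__(self, running: List[str]):
        self.running = list(running)
        self.retrievals = 0          # how many times the config was pulled

    def get_running_config(self) -> List[str]:
        self.retrievals += 1
        return list(self.running)

    def apply(self, lines: List[str]) -> None:
        for line in lines:
            if line not in self.running:
                self.running.append(line)

    def cli_change(self, line: str) -> None:
        """Simulate an operator editing the device directly (an out-of-band change)."""
        self.apply([line])


def diff_config(stored: List[str], running: List[str]) -> Tuple[List[str], List[str]]:
    """Lines on the device but not in the archive, and lines in the archive but not on the device."""
    s, r = set(stored), set(running)
    return sorted(r - s), sorted(s - r)


def deploy(device: Device, archive: List[str], policy_lines: List[str],
           setting: OobSetting) -> Dict:
    result = {"status": "deployed", "warnings": [], "oob": ([], []), "archive": list(archive)}
    # Step 1: optional OOB check (diff of device config against the CSM archive).
    if setting is not OobSetting.DO_NOT_CHECK:
        added, removed = diff_config(archive, device.get_running_config())
        result["oob"] = (added, removed)
        if added or removed:
            if setting is OobSetting.STOP:
                result["status"] = "stopped"
                return result
            result["warnings"].append(f"out-of-band changes: +{len(added)} -{len(removed)}")
    # Step 2: push the policy delta.
    device.apply(policy_lines)
    # Step 3: always re-read the config so archive and DB match the device.
    result["archive"] = device.get_running_config()
    return result


# Constructed archive and policy (documentation addresses, not a real network).
BASE_ARCHIVE = ["hostname lab-rtr", "ip access-list extended EDGE_IN", " permit ip any any"]
POLICY = ["logging host 192.0.2.10"]
OOB_LINE = "ntp server 192.0.2.20"

if __name__ == "__main__":
    for setting in OobSetting:
        dev = Device(BASE_ARCHIVE)
        dev.cli_change(OOB_LINE)
        res = deploy(dev, BASE_ARCHIVE, POLICY, setting)
        print(setting.value, "->", res["status"], "retrievals:", dev.retrievals, res["warnings"])
```

With the OOB check off the config is still pulled once (step 3), which is the point Stefano makes: skipping the check removes the pre-deployment retrieval, not the post-deployment one.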


cpaquet Thu, 05/19/2011 - 05:34


Thank you for the excellent explanation. May I suggest that part of your explanation "the configuration again to make sure the config archive and DB are in sync with the current config on the device after the change" be added to the CSM 4.1 User Guide, in Table 8-1 Overview of Deployment Process, as I had read the documentation but failed to realize that a config is synced once more at the end of deployment.

Thank you again for the excellent support and prompt replies.  It is greatly appreciated.


sdecresc Fri, 05/20/2011 - 05:19

Hi Cath,

I will make sure it is listed in the doc.

Thanks once again for participating in this session


jbuenomocisco Fri, 05/20/2011 - 07:17

How can I configure the wireless not to be shown to users, but used by them? On a Cisco 1242AG

I mean when someone does a wireless discovery they don't see my wireless name, but by typing the name they are able to connect to it.

jsoudah Fri, 05/20/2011 - 17:55

Hi there,

A couple of basic questions regarding CSM 4.1. I recently upgraded a test environment SSM-10 to IPS version 7.0(5)E4, and ever since then Event Viewer shows a loginAction from the CSM box every 5 seconds. Is that normal? Also, in Device Properties, CSM shows the SSM as running OS version 7.0(4)E4. Do I need to refresh or rediscover it or something?


nkrsmano Sat, 05/21/2011 - 01:49


The loginAction from CSM you are seeing every 5 sec is actually done by the Event Viewer that is updating the logs for IPS. CSM Event Viewer will use SDEE, which connects to the device via SSL and requires authentication, to periodically pull events from the sensor.

Regarding your question on the upgrade, in order to update the running OS version, you would need to re-discover the inventory. To perform inventory discovery, right click on the device in the Device View and select "Discover Policies on Device". Make sure that the "Inventory" policy is selected for discovery.

Let me know if this answers your question.



jsoudah Mon, 05/23/2011 - 13:23

Hi Nevena,

The "Discover Policies" option took care of it, thanks for that. I was expecting that it would pick up the change when you click on "Device Properties", but I guess it's not really reading the device at that time.

I understand what the loginAction is, I was just wondering why it started appearing after I upgraded the IPS OS. Other devices running 7.0(4)E4 do not report that event. It's not a big deal really, just curious.

Thanks for your help.

nkrsmano Mon, 05/23/2011 - 15:08

Hi again,

Indeed, "Discover Policies" updates the running version of the device; however, it also updates all the policies on that device. In case you have shared policies, this is usually not a good option, as it would cause all your policies to become local, i.e. your device won't have shared policies associated any more. In such cases discovering the inventory is a better option.

As for the loginAction, I presume that there is a different setting for IPS logging. It may be that the logging configuration on IPS was changed, or that the new OS contains additional logging for the specific function.




Posted May 6, 2011 at 3:01 PM
Replies:52 Avg. Rating:5
Views:9368 Votes:0
