Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSA MC: learn mode vs. application behavior investigation

Hi net pros,

We use CSA to protect a few call manager clusters. On the old call manager clusters we had the standalone CSAgents running.

With an update to a new call manager version we will setup CSA MC 5.2.

In the lab we use the predefined policies for CCM, CRS etc. and it is working as expected.

With the managed CSA version the goal is of course to protect other server/applications as well - for these applications course no predefined policies exist.

So at the moment I am trying to get an idea how to get to these policies?!

As I understand with learn mode no policies are generated - only all queries will be answered with "yes". But then I don't really know what my server is doing?!

With application behavior investigation you are able to investigate the server which seems very time consuming - and - as far as I understand - you need an extra license if you want to get policies out of that investigation.

I created a few small policies for VNC, McAfee ePO Agent etc. but no "big" policies for complex applications.

Maybe someone here with experience in creating CSA policies can give me some hints - best practice etc.

Should I use learn mode? Buy the rule module creation license?

Any help very appreciated.

Best regards

Juergen Bauer


Re: CSA MC: learn mode vs. application behavior investigation

Learn mode is good for when someone is there to allow the action but it only applies to that host and only for as long as the agent is not reset.

I think it's better to create and tune policies for your server apps and it would be enforced on all your servers.

You'd need a license to use the application behavior investigation but you can do the same thing by using test mode and making exceptions.

Yes it's time consuming but once it's done you can pretty much forget about it unless something changes on the host.


New Member

Re: CSA MC: learn mode vs. application behavior investigation

so in learn mode no events are sent to the MC? (thats what im seeing with one server which has a learn mode policy - but I thought the csa installation on that server is broken, because i see no events)

and if after a csa reset everything is gone, what is this mode good for? production environment? not really?!

so the best thing is to talk to the vendor of that server, ask whats running (ie. webserver, db server, application server etc.), use the predefined policies, run in test mode and make a lot of exceptions?

uuuurrrrrgggghhhh ;-)


Re: CSA MC: learn mode vs. application behavior investigation

Learn mode events are sent to the MC until the user chooses "allow and don't ask me again".

I agree that learn mode is not for production. It is to allow user machines to 'learn' for a period of time so administrators don't get a bazillion calls and the user doesn't get overwhelmed.

We deploy now in test mode just for this reason and then move hosts to protect mode when we are confident they can function.

I'll enjoy using learn mode so I don't have to make a million little exceptions....

The best way (IMHO) is to run the server(s) in test mode till you figure out how to allow what's needed and lock out the rest.

Servers should be way easier than laptops or desktops.

I depends a lot on what groups you have them in too.