I want to track such connections: for example, in the case when a customer needs access to some resource from inside to DMZ or... whatever. I can query on demand or just create a rule which will "make" incidents. Also, I have CSM plugged in with MARS. But MARS tracks such events (syslog entries) as unresolved. Here is what I mean: the SourceIP and DestinationIP are shown as 0.0.0.0. The Policy Table Lookup process becomes impossible - the CSM icon "Policy Query" (looks like a crazy planet :) ) is not shown.
Is it possible to resolve this issue in the next releases? During device discovery (analyzing the config file) MARS can resolve such objects into real IP addresses (or at least resolvable domain names) and track them correctly.
Your post is a little cryptic, but I am assuming you are talking about the 'name' command in PIX/ASA/FWSM?
We faced the same issues on our network: MARS was unable to understand the name command referenced in our ACLs, and it would show 0.0.0.0 instead of properly resolving the name to an IP (from the firewall configuration). It also has similar issues with Netscreen Addresses (when defined as names).
>Your post is a little cryptic, but I am assuming you are talking about the 'name' command in PIX/ASA/FWSM?
Yep :) ...exactly - you've got the msg. Hope this will be resolved in the next update))) Wouldn't it?
The reason why it should be fixed - because using CSM/ASDM/SDM you can easily manage (reuse) your named objects (like CheckPoint does). I also hate any GUI tools... but in an enterprise environment it brings some benefits.
I'm digging up an older post here, but this thread helped me resolve a problem I was having in MARS. I was starting to see the same messages with the 0.0.0.0 src and 0.0.0.0 dst events when they all used to read the correct IP addresses. Turned out that another admin had just 'named' all of the devices we had. I don't have the Topology/Monitored Device Update Scheduler configured to automatically update and was therefore not getting the current configuration of the ASA into MARS. Once I 'discovered' the ASAs again, the resolution worked properly and I had my IP addresses again. So, this can be remedied by 'discovering' the ASA again when a change is made to the names. It will also be applied during a scheduled Topology/Managed Device update.
There are many other events that cause the 'zero' thing. For example, summary events generated from IPS signatures also have no IPs. Similarly, some PIX/ASA syslogs have the port as 0. On this particular MARS, it was the name command (this can easily be verified by looking at the 'raw event' which is present in each incident).
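Added example, not part of any post in this thread and not MARS's own logic: a Python sketch of the check discussed above, which builds the name table from the firewall's `name` lines and resolves named endpoints in a raw event, reporting any name missing from the table (the stale-configuration case that rediscovery fixed). The configuration excerpt, the event lines and the function names are constructed for illustration.

```python
import re

# Constructed ASA configuration excerpt (not from the thread).
CONFIG = """\
names
name 192.0.2.10 dmz-web description public web server
name 10.1.1.25 hr-client
"""

# Constructed raw events in the style of ASA syslog output with names enabled.
RAW_EVENTS = [
    '%ASA-4-106023: Deny tcp src inside:hr-client/51234 dst dmz:dmz-web/443 '
    'by access-group "inside_in"',
    '%ASA-4-106023: Deny tcp src inside:10.1.1.30/40000 dst dmz:new-db/1433 '
    'by access-group "inside_in"',
]

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)", re.MULTILINE)
ENDPOINT_RE = re.compile(r"\b(src|dst)\s+([\w-]+):([^/\s]+)/(\d+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def load_names(config):
    """Map each object name to its address from 'name <ip> <name>' lines."""
    return {name: ip for ip, name in NAME_RE.findall(config)}


def resolve_event(raw, names):
    """Return ({role: (ip, port)}, [names missing from the table])."""
    endpoints, unresolved = {}, []
    for role, _ifc, host, port in ENDPOINT_RE.findall(raw):
        if IPV4_RE.match(host):
            ip = host                  # already a literal address
        else:
            ip = names.get(host)       # None when the table is stale
            if ip is None:
                unresolved.append(host)
        endpoints[role] = (ip, int(port))
    return endpoints, unresolved


if __name__ == "__main__":
    table = load_names(CONFIG)
    for raw in RAW_EVENTS:
        endpoints, missing = resolve_event(raw, table)
        status = f"unknown names {missing}: refresh the config" if missing else "ok"
        print(endpoints, status)
```
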
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...