We are monitoring a MARS which is running V 6.0. Recently the MARS is getting many events from Unknown reporting IPs. I tried to get the IPs of the Unknown reporting devices in many ways, but no luck. The only way I got those IPs was from the Raw logs of the events, but those are quite huge. I am getting events comprising 150 pages for just a 10 minute time frame. Is there any possibility that I can get only the list of IPs of the unknown reporting devices? Thanks in advance for your help.
Unfortunately, there is not a method for listing just the IP address of the unknown reporting devices.
You should be able to run a query with a result format of "Unknown Event Report...". Limit the device to "Unknown Reporting Device".
The resulting data will include the raw messages, which as you noted include the unknown reporting IP, as well as a button to add this device. Clicking the "Add Device" button will open a new window with the panel for adding a new security and monitoring device. You can then define the correct device specifics and add the device so it is correctly parsed and monitored by CS-MARS. This will be a long process based on the amount of data you indicated, but adding one or two devices a day will lower the unknown reporting device events and slowly bring it under control.