Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get more information on CSM, MARS, ASDM, IME, CCP, and IronPort SMA with Cisco experts Raghu Kasavaraju and Ziad Sarieddine. Raghu, Product Manager for Cisco Security Manager, has 15 years of extensive experience in IT and he has spent the last 10 years in Information Security Operations, Consulting & Engineering roles. Currently, Raghu is the PM Lead for Cisco Security Manager 4.0 release. Ziad (CCIE Security # 23379) is a security management technologist with expertise in security solutions covering Firewall, IPS, and VPN. Prior to joining Cisco in 2006, Ziad spent 10+ years as a Lead Analyst / Senior Network Engineer designing and installing large networks at different companies.
Remember to use the rating system to let Ziad know if you have received an adequate response.
Ziad might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Raghu & Ziad,
First off, I really like CSM. I have been a Cisco consultant for many years and have seen a few different management systems from Cisco, and this one is by far the best one.
I have been installing and using CSM for some time now, and one thing that always comes up when doing more than just the basic VPN solution or firewall solution is lack of feature support, mostly on IOS routers. Can you explain what the timeline is for putting in support for new features as well as old features that are not there yet, and if that is even the plan to do so?
One example is that the "tag" option on a static route is not supported yet, and I wonder if it ever will be (I can't find it at least)?
Nice to hear that you like our product... Specific to your question on IOS router support, is there any specific set of features/router platforms that you are looking at?... IOS routers are definitely one of the critical platforms we support, and we would like to know a little more detail on it.
No specific feature set or platform, although most of the stuff I do on IOS is with the Advanced IP Services feature set and on the 2800/3800/7200 series.
Stuff like IP SLA, routing protocol features like distribute lists, prefix lists, hierarchical QoS, NetFlow, WCCP. It seems like the main focus is on security features, which is good, but a solution that is managed by CSM should, in my mind, support the whole feature set, or a lot of value is gone, since we then have to manage all that via FlexConfigs, which gives us little to no flexibility.
Yes... you are right... CSM's main focus is on managing security features rather than platform features. I will take your feedback on supporting the whole feature set and see how we can incorporate those in future releases.
I am assuming here that you have used the CSM + Cisco Configuration Engine (CE) solution for security + non-security config management needs and you are looking for a single console to handle both aspects.
Hi Raghu and Ziad,
I have some basic questions for you on CSM:
1. Which is the current version of CSM available in the market?
2. What are some of the key features coming in the next release of CSM?
3. How do I get a demo or eval version of CSM for lab testing purposes?
Good questions, Saurabh... find responses below.
1. The current version of CSM available in the market is 3.3.
2. On next releases of CSM, there are a couple of releases committed for the next 8-9 months.
3. CSM 3.3.1, a minor release, is primarily targeted to provide security management support for ISR G2 platforms. In addition to ISR G2 platform support, this release will enable easier IPS User Credentials management until IPS devices support AAA. CSM 3.3.1 is expected to be released in Nov '09.
4. CSM 4.0, a major release, is a committed program targeted to deliver an 'integrated experience' for Policy Management & Event Management. In addition to Event Management, this release will provide
- Seamless co-existence of CSM with other 3rd party management tools in 'hetero-operational' IT environments
- Tighter coupling between ASA<-->CSM via Simplified NAT Management, Interface independent policies, managing rule explosion
- Support for Botnet Traffic Filter & IPS Global Correlation enhancements
- Windows 2008 and 64-bit OS support
5. A demo/eval version of CSM 3.3 for lab testing purposes is available at www.cisco.com/go/csmanager, and this CSM image comes with a built-in 90-day eval license.
Hope this addresses your queries.
1. Will CSM 4.0 have the same GUI (look and feel) as the ASDM/IME?
2. Will CSM 4.0 provide the same function as the CheckPoint SmartCenter in the future (like HA design/mgmt in geographically distributed mode rather than central managed mode with only one single Active CSM in a single location)?
Please find responses below.
1. CSM 4.0 will have minor changes in UI from a look and feel standpoint, but it won't be the same as ASDM/IME.
2. A distributed deployment scenario is something we are considering for our future releases.
Can you please help me understand if you are looking at this distributed deployment architecture due to any scalability challenges?
No. Not scalability challenges. It's more about performance and redundancy. The current CSM is in Active/Passive HA mode, meaning all Cisco network security components have to talk to this central mgmt server. This architecture is not optimized for the mgmt traffic flow. For example, for a global security deployment in different geographical locations, security admins/engineers in different regions have to connect to the central CSM (assuming it's located in the US) to push the policy across WAN/continents. In my opinion, all Cisco MGMT software (CSM/NAC/CSA/MARS) should go with the distributed HA mode/direction: each region has its own regional/local MGMT in HA or non-HA mode, but all regional MGMT servers will sync up with a central DB. So if any single regional CSM fails, the security policy can still be managed from the other regional CSM.
Got it... today in CSM, we support manual export/import of policy objects, by which you can share objects among multiple instances of CSM, so that your devices can be segregated and managed based on geography.
We are working towards a more elegant solution to address redundancy aspects you mention above.
Help me understand... do you see this requirement coming from large enterprises?
We are using Cisco ASA VPN for SSL & IPSec. The ASA can keep only 1 week of history of the sessions. I would like to monitor the VPN sessions for a longer period. Are there any tools I can use, or any configuration to be configured? Please advise.
Please look into the extraxi 3rd-party application. They provide a tool to handle historical reports, which should also cover SSL VPN reports for the ASA.
Here is the link for extraxi.
Also I will take your feedback on the need to natively support this feature in the future.
I have the "CSMPR50-3.2-K9" license for Cisco Security Manager. This is for one installation on one server. Do we require another license for a backup or HA server?
Since the backup server, or the server that will be used in an HA scenario, will be considered a standby server, there is no requirement for another license. So you only need a license for the primary Active server.
Hi. I've been using MARS for almost a year now and I find it's a very interesting tool, with so many features that I'm still discovering them.
But, on the other side, it takes forever to configure MARS using the web portal, even for simple tasks. Now I'm parsing non-native devices, and it takes a really long time to create the first position of a pattern, wait for the page to refresh, then create the second position, wait to refresh, and so on... and this only for parsing one log!!! Also I wish I could copy the patterns in order to reuse them in other logs (because now we have to parse every log from scratch).
In future versions, do you plan to change the MARS web management portal into an ASDM-like tool? ASDM is by far the best management tool that Cisco has.
Another drawback is the "pink" screen of death. I've seen the "pink screen" saying to contact Cisco TAC about four times, and I wasn't configuring anything, only looking at the configuration!!! Most of the time the problem seems to go away, but I still have doubts about the stability of the solution.
We are always striving to improve our user interface. Please feel free to contact me with specific changes to the UI.
Regarding the pink screen, please report the problem to TAC. They should be able to resolve the matter.
I sold some CS-MARS in the past 1-2 years and deployed 5 of them in production (GC+LC). Every single one of my customers hopes the Cisco MARS/CSM BU can make the GUI of MARS and CSM the SAME LOOK AND FEEL as the ASDM/IME. This will absolutely increase a lot more sales on both of the security mgmt products. And customers love to use the SAME GUI (Local/Central) to manage/monitor the security components in a consistent manner.
Hello. About specific changes:
1) The interface should be like ASDM/IDM
2) In "Query Reports/Query" menu, it could be very useful if we could construct the query using SQL language.
3) In "Query Reports/Query" menu, in order to build a query we have to open many different web pages (to select time, events, etc.) and it takes a lot of time and effort. It would be easier if all options could be editable from within the same web page instead of opening a lot of pages.
4) In "Query Reports/Reports" menu, there should be a way to select multiple reports to delete them. Right now we can only delete reports one at a time.
5) In "Management menu" there should be a "Patterns management" submenu, so we could create "template" patterns and reuse them in different network devices.
6) To create a new "event type group" we first have to create an "event type" for that "event type group". But to create/edit an "event type" we first have to create an "event type group". So the result is that we have to create new "event type groups" and assign them bogus events. Only then can we create/edit actual "event types" and assign them the recently created "event type groups".
7) The ability to "mass" create "event type groups"
And I have many more. I'd be happy if you're interested in hearing more ideas for Cisco MARS.
Does CSM 3.3 support the ACL optimization feature found in FWSM 4.0, so that only the delta change is pushed to the FWSM? I ask because when CSM currently checks against the running config, it would be different from what CSM pushed to the FWSM. This could be supported in CSM if CSM runs the same algorithm as the FWSM before the push and checks with the FWSM.
When you turn on optimization on the FWSM, the FWSM will then be able to display the ACL in two ways.
1- Sh access-list (Original ACL)
2- show access-list [
CSM uses the original ACL on the FWSM, and not the optimized one, when computing the diff to be deployed. So turning on ACL optimization on the FWSM should not be an issue for CSM, and hence it is supported today. In other words, there is no need to run a similar optimization algorithm on the CSM side.
Running the optimization algorithm in CSM and displaying the optimized table in CSM is not supported today. Is this what you had in mind? Please let me know.
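To illustrate why the expert's answer matters (the manager diffing its policy against the original ACL rather than the optimized view), here is an added example that is not code from CSM, the FWSM, or this thread. It models a management server that holds a desired ACL, a device that exposes both its original ACL and an optimized view, and a delta computation. The optimizer is a constructed toy (it drops entries fully shadowed by an earlier entry with the same action), not the FWSM algorithm, and the simplified ACE syntax, the networks and all policy lines are constructed sample data. The point it shows: diffing against the optimized view reports spurious changes on a device that has not drifted, while diffing against the original view reports only real changes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry in a simplified, constructed syntax."""
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp" or "udp"
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form
    port: str    # "any" or a port clause such as "eq 443"


def parse_ace(line: str) -> Ace:
    """Parse 'permit tcp 10.1.0.0/16 192.0.2.10/32 eq 443' (constructed syntax)."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    port = " ".join(parts[4:]) or "any"
    return Ace(action, proto, src, dst, port)


def covers(broad: Ace, narrow: Ace) -> bool:
    """True if `broad`, evaluated first, already matches every packet `narrow` matches."""
    if broad.action != narrow.action:
        return False
    if broad.proto not in ("ip", narrow.proto):
        return False
    if broad.port not in ("any", narrow.port):
        return False
    return (ipaddress.ip_network(narrow.src).subnet_of(ipaddress.ip_network(broad.src))
            and ipaddress.ip_network(narrow.dst).subnet_of(ipaddress.ip_network(broad.dst)))


def optimize(aces: List[Ace]) -> List[Ace]:
    """Toy optimizer (an assumption for this example, not the FWSM algorithm):
    drop any ACE that is fully shadowed by an earlier ACE with the same action.
    First-match semantics make this safe: shadowed entries are never reached."""
    kept: List[Ace] = []
    for ace in aces:
        if not any(covers(k, ace) for k in kept):
            kept.append(ace)
    return kept


def delta(desired: List[Ace], device_view: List[Ace]) -> Tuple[List[Ace], List[Ace]]:
    """Entries the manager would add to / remove from the device so that the
    device matches `desired`. Order-insensitive for brevity; a real deployment
    engine also has to preserve ACE ordering."""
    to_add = [a for a in desired if a not in device_view]
    to_remove = [a for a in device_view if a not in desired]
    return to_add, to_remove


# Constructed policy as the manager holds it. Entries 2 and 4 are deliberately
# shadowed by entries 1 and 3 so the optimizer has something to remove.
POLICY = [parse_ace(l) for l in [
    "permit ip 10.1.0.0/16 192.0.2.0/24",
    "permit tcp 10.1.5.0/24 192.0.2.10/32 eq 443",
    "deny ip 10.2.0.0/16 192.0.2.0/24",
    "deny tcp 10.2.9.0/24 192.0.2.20/32 eq 22",
    "permit tcp 10.3.0.0/16 198.51.100.5/32 eq 80",
]]

# The device has exactly what the manager last pushed: no drift.
DEVICE_ORIGINAL = list(POLICY)
DEVICE_OPTIMIZED = optimize(DEVICE_ORIGINAL)


def change_counts_no_drift() -> Tuple[int, int]:
    """(changes seen against the original view, changes seen against the optimized view)."""
    add_o, rem_o = delta(POLICY, DEVICE_ORIGINAL)
    add_x, rem_x = delta(POLICY, DEVICE_OPTIMIZED)
    return len(add_o) + len(rem_o), len(add_x) + len(rem_x)


def change_counts_real_edit() -> Tuple[int, int]:
    """Same comparison after an operator adds one new ACE to the policy."""
    new_policy = POLICY + [parse_ace("permit udp 10.4.0.0/16 203.0.113.53/32 eq 53")]
    add_o, rem_o = delta(new_policy, DEVICE_ORIGINAL)
    add_x, rem_x = delta(new_policy, DEVICE_OPTIMIZED)
    return len(add_o) + len(rem_o), len(add_x) + len(rem_x)


if __name__ == "__main__":
    print("no drift   (original, optimized):", change_counts_no_drift())
    print("one edit   (original, optimized):", change_counts_real_edit())
```

Against the original view, a device with no drift shows zero changes and a one-line policy edit shows exactly one; against the optimized view, the two shadowed entries the optimizer dropped show up as changes every time, which is the re-push loop the question worried about.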
Does the ASA 5520 support bandwidth management and a proxy server (not only for voice; I mean a complete proxy server) like Cyberoam and Blue Coat? I want to manage the use of the internet connection per user, limit their bandwidth and their downloads, like the services in Blue Coat and Cyberoam. If these services are not found in the ASA, which Cisco software (like LSM) can do these services? If these services can be applied by QoS, can you explain?
Help me understand your question better... are you asking if the ASA can act as a proxy server?... If yes, what kind of statistics would it provide for per-user bandwidth management?
Thanks for your response.
Regarding the proxy server: yes, I want the ASA to operate as a proxy server. Can you give me a link to any document that describes this?
Regarding per-user management: I want to manage my local users (2000 users), their bandwidth (e.g. I want to give some of them 10KB BW) and their downloads (e.g. limit the download for each user to 100 MB). Also I want to monitor my users' internet use (e.g. I want to know their chatting details).
In summary, I want the functions of Websense, Cyberoam and Blue Coat to be implemented on the ASA 5520. Please give me a link to any document that describes these for the ASA or any other Cisco products.
Also I have another question. Can I implement ASA 5520 functions, in addition to the above services, on the core switch (6509 and 4510R-E)?
The ASA is not a web proxy or a web security appliance. Please look into our other product offerings, such as the Cisco IronPort Security Appliance, which is positioned to handle offerings similar to those of Websense and Blue Coat.
Thanks for your help.
Can I configure this on the ASA 5520? Can I configure the bandwidth (e.g. 20KB) and the download (e.g. 100MB) for a specific local user in my network?
However, this service is only for CLI and not for web interface?