I have tried adding some simple and advanced filtering for a sensor from CSPM so events from one specific IP to my external network, and from my external network to this one IP, are not logged in Event Viewer. When I Save --> Update, everything seems to go fine. But if I close out of CSPM and reopen it, and then go to the Filtering tab, the filtering I entered is gone. And I can tell it's not being applied because in Event Viewer the packets I filtered out are being logged. (nr.postofficed, nr.fileXferd, nr.loggerd, nr.managed, nr.sapd, and nr.packetd are all running.) Where should I start to troubleshoot?
The first thing to check is whether or not the filters are being sent to the sensor in its configuration files.
Check the /usr/nr/etc/packetd.conf file on the sensor; you should see lines beginning with either RecordOfExcludedNetAddress (used by the Simple Filter tab) or RecordOfExcludedPattern (used by the Advanced Filter tab).
If the filters are not making it to the sensor then check to see if they are saved in the CSPM GUI.
It looks like you have already checked the GUI and they are not being saved, so you may want to alert the TAC to this problem so they can talk with the CSPM development team and get a DDTS issue created (DDTS is used for bug tracking).
If the filters are making it to the sensor but are not working, then it is possible that the signature you are trying to filter does not use the zero ("0") subsignature ID. There is a bug in CSPM that ONLY the "0" subsignature can be filtered. You can use the workaround below for this issue: instead of "0" for the subsignature, use "*" to wildcard all subsignatures for the RecordOfExcludedPattern.
As for a workaround:
Create RecordOfExcludedPattern configuration lines manually. The instructions for the RecordOfExcludedPattern lines are in the 2.5 documentation:
The updates are not even making it to the sensor; the date/time stamp on the packetd.conf file doesn't even change. Also, I have tried a couple of things: the Filtering tab does not update, the Monitoring tab does not update, the Logging tab does not update (I was afraid to change the Internal Network tab, Identification tab or Blocking tab because they are OK and I didn't want to stop that). The Command Generation says:
Max FileXfer Retries: 1
# End of Sensor Configuration
The Distribution Command says:
Getting files from Sensor.
Getting etc\auths from Sensor
Getting etc\configd.conf from Sensor
Getting etc\daemons from Sensor
Getting etc\destinations from Sensor
Getting etc\hosts from Sensor
Getting etc\loggerd.conf from Sensor
Getting etc\managed.conf from Sensor
Getting etc\organizations from Sensor
Getting etc\packetd.conf from Sensor
Getting etc\postofficed.conf from Sensor
Getting etc\routes from Sensor
Getting etc\sapd.conf from Sensor
Skipping etc\auths (no changes)
Skipping etc\configd.conf (no changes)
Skipping etc\daemons (no changes)
Skipping etc\destinations (no changes)
Skipping etc\hosts (no changes)
Skipping etc\loggerd.conf (no changes)
Skipping etc\managed.conf (no changes)
Skipping etc\organizations (no changes)
Skipping etc\packetd.conf (no changes)
Skipping etc\postofficed.conf (no changes)
Skipping etc\routes (no changes)
Skipping etc\sapd.conf (no changes)
It shows no changes. This seems to be the case for changes made to the sensor under Network Topology in CSPM. I tried modifying a signature in CSPM and it worked (I had sig 1000 IP Bad Options enabled, so I disabled it and did a Save --> Update, then went to the sensor and it did update packetd.conf). This is really concerning to me....
At this point you may need to go ahead and contact the TAC. It sounds like you have come across a bug that I have not seen in my testing. The TAC should be able to walk you through some steps to help diagnose, and create a DDTS entry for bug tracking if necessary. Then he may be able to get some help from a developer.
Personally I work on the sensor development team, and not the CSPM development team. I will also check around and see if anyone from here can help you out.
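A scripted version of the check described in this thread (do RecordOfExcludedNetAddress / RecordOfExcludedPattern lines reach /usr/nr/etc/packetd.conf on the sensor, and does the file's timestamp move after a Save --> Update), added here as an example and not part of the original thread. The marker-file approach and the sample record lines are constructed for the demo; the real record syntax is whatever the 2.5 documentation specifies.

```shell
#!/bin/sh
# Verify that a CSPM Save --> Update actually reached the sensor's packetd.conf.
# Workflow (assumed, not from the thread):
#   1. before Save --> Update on the CSPM host:   touch /tmp/cspm_update_marker
#   2. after the update, on the sensor:
#        check_packetd_filters /usr/nr/etc/packetd.conf /tmp/cspm_update_marker

# Count lines in a packetd.conf that begin with one record keyword.
# $1 = path to packetd.conf, $2 = keyword (e.g. RecordOfExcludedPattern)
# Prints 0 when the file is missing or has no such records.
count_records() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "^$2" "$1" || true   # grep -c prints 0 and exits 1 on no match
}

# Print "updated" if file $1 is newer than marker file $2, else "unchanged".
# A missing marker counts as "unchanged" so the caller notices the gap.
changed_since() {
    if [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]; then
        echo updated
    else
        echo unchanged
    fi
}

# Full report: one line per filter record type plus the timestamp verdict.
check_packetd_filters() {
    conf=$1
    marker=$2
    simple=$(count_records "$conf" RecordOfExcludedNetAddress)
    advanced=$(count_records "$conf" RecordOfExcludedPattern)
    echo "Simple filter records   (RecordOfExcludedNetAddress): $simple"
    echo "Advanced filter records (RecordOfExcludedPattern):    $advanced"
    echo "packetd.conf since last Save --> Update: $(changed_since "$conf" "$marker")"
}

# Run the report when invoked directly with a conf path and a marker path.
if [ "$#" -eq 2 ]; then
    check_packetd_filters "$1" "$2"
fi
```

If the report shows 0 records of both types and "unchanged", the problem is on the CSPM side (nothing was pushed), which matches what the Distribution Command output in this thread shows.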