User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
If your organization is using ACS to control access, you must have View Device privileges to the
device, and also View privileges to the firewall or IPS policy, to perform policy lookup. If you do
not have all permissions, you will get an “Unable to Find Matching Rule” error if you try to look up
a matching rule.
Step 1 Right-click the event in Event Viewer and select Go To Policy.
Tip: You can identify whether you can look up policies from the event by looking at the Event Name
cell in the table. If there is a binoculars icon before the event name, policy lookup is available.
Also, if the Go To Policy command is greyed out, you cannot look up policies for that type of
event.
Step 2 Security Manager finds the related access rule or IPS signature for the device and highlights it in the
policy table. From here, you can edit the policy to view or change it; for detailed instructions, see
Configuring Access Rules, page 16-7 and Configuring Signatures, page 38-4.
Your changes do not take effect until you submit and deploy the updated configurations.
Examples of Event Analysis
There are many different techniques you can use to analyze and respond to events generated by your
network devices. The examples in this section can help you understand some of the things you can do
with the Security Manager Event Viewer.
This section contains the following topics:
Help Desk: User Access To a Server Is Blocked By the Firewall, page 66-50
Monitoring and Mitigating Botnet Activity, page 66-52
Removing False Positive IPS Events from the Event Table, page 66-58

Help Desk: User Access To a Server Is Blocked By the Firewall

In this example, the help desk gets a call from a user who cannot access a server.
There are many reasons that a user might not be able to access a server, such as:
Problems at the server's end of the network, including the server being down, the server having no
network connection, or the server's own firewall actively blocking access by policy.
Problems in the network cloud between the user and the server, such as routing problems.
Problems in the user’s network, which could include workstation problems, physical problems with
a network connection (for example, broken wires), problems with the switch port or wireless access
point, DNS lookup failures, and so forth.
The Security Manager Event Viewer cannot identify or resolve these problems. However, it can identify
whether a firewall that you control is blocking access to the server. This can help you either to rule out
the firewall as being the source of the problem, or if it is blocking access, to fix the problem or to inform
the user that the server is blocked by policy.