66-52
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Examples of Event Analysis
Tip If the traffic is denied because of the implicit deny any rule at the end of the access list, the Go
To Policy command cannot take you to the rule. For tips about rule lookup, see Looking Up a
Security Manager Policy from Event Viewer, page 66-48.
a. Right-click the event and select Go To Policy. You are taken to Device view with the rule selected.
You are notified if a matching rule cannot be found.
b. Modify the rule so that it allows the desired access. This might be as simple as deleting the rule, or
you might have to add a new rule that specifically allows traffic to or from the destination server
(place the permit rule above the deny rule). Your organization’s security policy determines the
allowable changes. For more information about configuring the access rules policy, see Configuring
Access Rules, page 16-7.
c. Submit and deploy the updated configuration to the device. For more information on the deployment
process, see Deploying Configurations in Non-Workflow Mode, page 8-29 or Deploying
Configurations in Workflow Mode, page 8-35.
Wait for deployment to complete successfully.
Step 9 Ask the user to try to access the server again. If access is again denied, click Start in Event Viewer to
refresh the events list and find the latest denial event.
Tip There might be more than one access rule that can deny communications with the server. The
access rule policy is processed in order, top to bottom, so deleting a rule that prevents access can
result in a rule that previously was not being hit suddenly becoming active. If you have a very
long access rule policy, you could have several rules that you will have to remove one after the
other. Alternatively, you could use the Rule Combiner tool to consolidate and simplify your
access rules policy; for more information, see Combining Rules, page 12-22.
Step 10 Continue to resolve access denial events until the firewall is no longer blocking access.
Tip You can also use the Packet Tracer tool to simulate traffic going through the ASA device from
the workstation to the server. In Device view, right-click the device that is denying access and
select Packet Tracer. For more information, see Analyzing an ASA or PIX Configuration Using
Packet Tracer, page 69-12.
After resolving all events, if the user still cannot reach the server, you know that the firewall is no longer
one of the network elements that is blocking access. Consider other intervening network devices;
perhaps a router includes an access rule that blocks the traffic.
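The ordering behavior behind step b, Step 9 and the Tip above (first-match evaluation, the implicit deny any at the end of the list, and a lower rule becoming active once a rule above it is deleted) can be seen in a small simulation. The following is an added example written for this guide, not Security Manager or ASA code; the rule format, the network addresses and the policy contents are constructed for illustration.

```python
"""First-match access-rule evaluation, illustrating why deleting one denying rule
can expose another and why placing a specific permit above the deny is the safer fix.
Constructed example; not Cisco Security Manager or ASA code."""
import ipaddress
from typing import List, Optional, Tuple

# A rule is (action, source network, destination network, destination port or None for any).
Rule = Tuple[str, str, str, Optional[int]]


def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if the flow (src -> dst:port) falls within the rule's source, destination and port."""
    _action, src_net, dst_net, rule_port = rule
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(src_net, strict=False)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net, strict=False)
        and (rule_port is None or rule_port == port)
    )


def evaluate(rules: List[Rule], src: str, dst: str, port: int):
    """Walk the policy top to bottom and return (action, index of the matching rule).
    Index None means no rule matched and the implicit 'deny any' at the end of the list applied;
    Go To Policy cannot point at that rule because it does not exist in the policy."""
    for index, rule in enumerate(rules):
        if _matches(rule, src, dst, port):
            return rule[0], index
    return "deny", None


def remove_denials(rules: List[Rule], src: str, dst: str, port: int):
    """Simulate resolving Step 9/10 purely by deletion: while an explicit rule denies the flow,
    delete it and re-evaluate. Returns (rules removed, in order; final action). Every deleted
    deny can expose a rule below it that the flow never reached before."""
    working = list(rules)
    removed: List[Rule] = []
    while True:
        action, index = evaluate(working, src, dst, port)
        if action == "permit" or index is None:
            return removed, action
        removed.append(working.pop(index))


def permit_above_first_deny(rules: List[Rule], src: str, dst: str, port: int) -> List[Rule]:
    """The alternative from step b: insert a host-specific permit directly above the denying rule,
    leaving the existing denies in place for all other traffic."""
    action, index = evaluate(rules, src, dst, port)
    fixed = list(rules)
    if action == "permit":
        return fixed
    insert_at = index if index is not None else len(fixed)
    fixed.insert(insert_at, ("permit", f"{src}/32", f"{dst}/32", port))
    return fixed


# Constructed policy: the user at 10.1.1.5 cannot reach the web server 192.0.2.10 on port 80.
POLICY: List[Rule] = [
    ("permit", "10.1.1.0/24", "10.1.1.0/24", None),    # intra-subnet traffic
    ("deny",   "10.1.1.0/24", "192.0.2.0/24", 80),     # the rule Go To Policy would show first
    ("permit", "10.1.1.0/24", "192.0.2.10/32", 443),   # HTTPS only, does not match port 80
    ("deny",   "10.0.0.0/8",  "192.0.2.10/32", None),  # shadowed for this flow until rule 1 is deleted
    ("permit", "10.0.0.0/8",  "0.0.0.0/0",    None),
]

if __name__ == "__main__":
    flow = ("10.1.1.5", "192.0.2.10", 80)
    print("initial:", evaluate(POLICY, *flow))
    print("deletion path:", remove_denials(POLICY, *flow))
    print("permit-above-deny:", evaluate(permit_above_first_deny(POLICY, *flow), *flow))
    print("implicit deny:", evaluate(POLICY, "172.16.0.1", "192.0.2.10", 80))
```

Running the block shows the first denial at rule index 1, then, after deleting it, a second denial from the rule at index 3 that was never hit before, and only then a permit; inserting the specific permit above index 1 allows the flow in one change. A flow from 172.16.0.1 matches nothing and is rejected by the implicit deny, reported as index None.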
Monitoring and Mitigating Botnet Activity
After you configure Botnet Traffic Filtering as described in Chapter 19, “Managing Firewall Botnet
Traffic Filter Rules”, you want to monitor it and resolve any problems identified in your network. You
can use Security Manager and ASDM to monitor Botnet activity, and mitigate identified problems, as
explained in the following sections:
Understanding the Syslog Messages That Indicate Actionable Events, page 66-53