68-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 68 Health and Performance Monitoring
For additional graphical information about the health and performance of a specific device, you can
launch the related device manager by right-clicking the entry for a device, a cluster node, or the system
context for a multi-context device, and then choosing Device Manager from the pop-up menu. See
Starting Device Managers, page 69-4 for more information about the device managers.

Monitoring Multiple Contexts

The Health and Performance Monitor can monitor single- and multiple-context ASA devices. For
multiple-context devices, each context is monitored and displayed as if it were a separate device.

Each context is polled separately for all applicable metrics, with HPM polling a maximum of five
contexts at a time from any given device. For devices with more than five contexts, data is acquired
from each successive batch of five contexts, with each batch being polled progressively during
successive polling cycles. This means that not all contexts are necessarily updated at the same time.

For multiple-context devices, basic device health—memory usage, device status, and so on—is
monitored only on the physical device (that is, from the system context), while traffic data—number of
connections, number of translations, dropped packets and so on—are monitored at context level.

For virtual contexts, CPU usage data are used only for pattern analysis, not for alert generation. Only
interface-status alerts will be generated for virtual contexts.

HPM Access Control

The privileges assigned to your user name control what you can do in Health and Performance Monitor.
If you use local users, or other types of non-ACS access control, then all users have access to HPM.
However, the following access limits are imposed:
• You must have system administrator privileges to enable or disable Health and Performance
  Monitoring in Security Manager, as described in Health and Performance Monitoring Page,
  page 11-25.
• You must have system administrator, network administrator, or approver privileges to select or
  deselect devices for monitoring, as described in Managing Monitored Devices, page 68-5.
• You also must have system administrator, network administrator, or approver privileges to configure
  alerts and notifications, as described in Alerts: Configuring, page 68-31.

If you use ACS to control access to Security Manager, you can also control the following:
• You can control access to the Health and Performance Monitor application using the View > Health
  and Performance Monitor privilege (part of Role Management in ACS). Using this privilege, you
  could prevent certain users from accessing HPM, or create roles that allow access to HPM without
  allowing access to Event Viewer or Report Manager. All default ACS roles are permitted to use the
  Health and Performance Monitor application.
• Use the Modify > Policies > HPM Monitoring privilege to control which users can select and
  deselect the devices that are monitored (see Managing Monitored Devices, page 68-5), configure
  alerts and notifications (see Alerts: Configuring, page 68-31), and annotate and acknowledge alerts
  (see Alerts: Acknowledging and Clearing, page 68-38). All default ACS roles except Help Desk and
  Super Admin have this permission.
• Users can view health and performance information for a device only if they have at least View
  privileges for the device.