User Guide for Cisco Security Manager 4.4, OL-28826-01, page 69-7
Chapter 69: Using External Monitoring, Troubleshooting, and Diagnostic Tools
Starting Device Managers
device tests the packet against each access rule in the order listed. When a rule is matched, the device
performs the specified action, either permitting the packet into the device for further processing, or
denying entry. If the packet does not match any rule, the packet is denied.
Activity on your firewall or router can be monitored through syslog messages. If logging is enabled on
the device, whenever an access rule that is configured to generate syslog messages is matched—for
example, a connection was attempted from a denied IP address—a log entry is generated.
Note: For the device to generate log entries, logging must be enabled on the device (on the Logging Setup Page
for ASA/PIX devices and the Logging policies for IOS devices, described in Logging on Cisco IOS
Routers, page 62-1), and the individual access rules must be configured to generate log messages when
they are matched (in the Advanced and Edit Options Dialog Boxes, page 16-15).
You can monitor syslog messages in device managers launched from Security Manager. For certain
device managers, you can also look up the access rule in Security Manager that generated a particular
message from the monitoring window. The access rule that triggered the syslog entry is highlighted in
Security Manager on a first-match basis, even if there are multiple matches.
This access rule look-up is available through SDM for all managed routers running IOS, and through
ASDM for managed PIX and ASA devices (including ASA-SM) running version 8.0(3) and above, and
FWSM devices running version 3.1 and above.
The following topics describe how to look up access rules in Security Manager from a device manager:
Navigating to an Access Rule from ASDM, page 69-7
Navigating to an Access Rule from SDM, page 69-8
Navigating to an Access Rule from ASDM
In an ASDM device manager launched from Security Manager, you can monitor system log messages in
the Real-time Log Viewer window and the Log Buffer window. You can select a syslog message
displayed in either window and navigate to the access-control rule in Security Manager that triggered
the message, where you can update the rule as necessary.
The Real-time Log Viewer is a separate window that lets you view syslog messages as they are logged.
The separate Log Buffer window lets you view messages present in the syslog buffer.
You can look up access rules associated with the following syslog message IDs:
106023 – Generated when an IP packet is denied by the access rule. This message appears even when
logging is not enabled for the rule.
106100 – If logging is enabled for a matched access rule (in the Advanced and Edit Options Dialog
Boxes, page 16-15), this message provides information about the traffic flow, depending on the
parameters set. This message provides more information than message 106023, which logs only
denied packets.
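As an added illustration (not part of this guide and not Security Manager's own code), the following Python parses constructed 106023 and 106100 syslog lines and resolves each against a constructed, ordered access rule list on a first-match basis, the same way the device evaluates rules and Security Manager highlights the first matching rule even when later rules also match. The regular expressions, rule names and addresses are assumptions, not taken from the guide.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample ASA syslog lines, one of each message ID the guide names.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/51515 dst inside:192.0.2.10/23 '
    'by access-group "outside_in" [0x0, 0x0]',
    '%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.7(51516) -> '
    'inside/192.0.2.10(443) hit-cnt 1 first hit [0x0, 0x0]',
]
# 106023 is logged for every denied packet; 106100 only for rules with logging on, and carries the verdict.
RE_106023 = re.compile(
    r'%ASA-\d-106023: (?P<action>Deny) (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/(?P<sport>\d+)'
    r' dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
RE_106100 = re.compile(
    r'%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+)'
    r' \S+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \S+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)')

def parse_event(line: str) -> Optional[dict]:
    """Normalise a 106023/106100 line into one event dict, or None if it is neither."""
    for rx in (RE_106023, RE_106100):
        m = rx.match(line)
        if m:
            d = m.groupdict()
            d['action'] = 'deny' if d['action'].lower().startswith('den') else 'permit'
            d['proto'] = d['proto'].lower()
            d['dport'] = int(d['dport'])
            return d
    return None

@dataclass
class Rule:  # one access rule as listed, in order, on the device (constructed names)
    name: str; action: str; proto: str; src: str; dst: str; dport: Optional[int] = None
OUTSIDE_IN = [  # constructed rule table for ACL "outside_in", in device order
    Rule('permit-https', 'permit', 'tcp', '203.0.113.0/24', '192.0.2.10/32', 443),
    Rule('deny-telnet', 'deny', 'tcp', '0.0.0.0/0', '192.0.2.0/24', 23),
    Rule('deny-host', 'deny', 'ip', '203.0.113.7/32', '0.0.0.0/0'),  # also covers log 1
]

def first_match(rules: list, ev: dict) -> Optional[Rule]:
    """Return the first rule in listed order that covers the event (device semantics);
    later rules are ignored even if they also match. None means the implicit deny."""
    src, dst = ipaddress.ip_address(ev['src']), ipaddress.ip_address(ev['dst'])
    for r in rules:
        if r.proto not in ('ip', ev['proto']): continue
        if src not in ipaddress.ip_network(r.src) or dst not in ipaddress.ip_network(r.dst): continue
        if r.dport is not None and r.dport != ev['dport']: continue
        return r
    return None
```

Running parse_event over each line and feeding the result to first_match maps the denied telnet attempt to deny-telnet (not the broader deny-host rule listed after it) and the permitted HTTPS flow to permit-https.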
This procedure describes how to look up an access rule in Security Manager from ASDM’s Real-time
Log Viewer or Log Buffer windows.
Related Topics
Access Rule Look-up from Device Managers, page 69-6
Navigating to an Access Rule from SDM, page 69-8
Step 1 Select a PIX, ASA, ASA-SM, or FWSM in the Security Manager device inventory.