User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
• Click Clear Device Buffer to remove the current content and allow room in the buffer to capture
  more packets.
  Note: We recommend saving captures prior to clearing the device buffers. If you do not save
  captures prior to clearing the device buffers, captured data will be lost.
• Click Refresh Capture Buffers to fetch the next set of captured packets for a device in a cluster
  and update the buffer status bar.
Step 14 Click Finish to exit the wizard.
Integrating CS-MARS and Security Manager
While Cisco Security Manager lets you centrally manage security policies and device settings in your
network, the Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a separate
application that monitors devices and collects event information, including syslog messages and
NetFlow traffic records, with much more extensive network monitoring capabilities than Security
Manager. CS-MARS aggregates and presents massive amounts of network and security data in an
easy-to-use format. Based on information derived from CS-MARS reports, you can edit device policies
in Security Manager to counter security threats.
Specifically, if you use Security Manager to configure firewall access rules and IPS signatures, you can
configure CS-MARS to collect information related to those policies and make it available to Security
Manager users. By registering the CS-MARS servers with Security Manager, users can navigate directly
from a specific access rule or IPS signature to a CS-MARS report window, pre-populated with query
criteria for that rule or signature.
Similarly, CS-MARS users can view the Security Manager policies related to specific CS-MARS events.
This bi-directional mapping of specific events to the policies that triggered them, combined with the
ability to immediately modify the policies, can dramatically reduce the time spent configuring and
troubleshooting large or complex networks.
To enable this cross-communication, you must register your CS-MARS servers with Security Manager,
and register your Security Manager server with the CS-MARS servers. You must also register the
specific devices with each application. Then, when working with firewall access rules or IPS signatures
for a device, a Security Manager user can quickly view real-time and historical event information related
to that rule or signature.
The following sections explain how to enable and use CS-MARS and Security Manager
cross-communication:
• Checklist for Integrating CS-MARS with Security Manager, page 69-23
• Looking Up CS-MARS Events for a Security Manager Policy, page 69-27
• Looking Up a Security Manager Policy from a CS-MARS Event, page 69-31