User Guide for Cisco Security Manager 4.4, OL-28826-01, Chapter 13, Managing Identity-Aware Firewall Policies, page 13-27
interface access rules, deselect the Enable IPsec over Sysopt option on the ISAKMP/IPsec tab of
the RA VPN Global Settings policy. See Configuring VPN Global ISAKMP/IPsec Settings,
page 25-30.
Monitoring Identity Firewall Policies
You can use Event Viewer to monitor identity-aware firewall policies the same way you would monitor
other types of policies and events. The following are some tips to help you effectively monitor identity
policies. For general information on using Event Viewer, see Chapter 66, “Viewing Events”.
There is a group of syslog messages that relate specifically to identity firewall: 746001-746019. You
can find descriptions of these messages in the Syslog Message document for your ASA software
version at
http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html.
The following messages are of particular concern:
746004 and 746011—These syslogs indicate that you have exceeded the supported number of
references to user groups or users. Reduce the number of user and user-group references in your
policies. For more information on these restrictions, see Requirements for Identity-Aware Firewall
Policies, page 13-3.
746003—There was a failure in downloading user group or user mappings to IP address. The
message explains the reason for the failure.
746005—The AD agent could not be reached. Ensure that the agent is functioning correctly and
that there is a network path between the ASA and the agent.
746010—An update to the imported user or user group failed for the stated reason.
746016—DNS lookup for the fully-qualified domain name (FQDN) failed for the stated reason.
Several existing syslog messages now include username or FQDN information. Event Viewer has
two columns to display the information: Destination User Identity / FQDN and Source User Identity.
Updated messages include:
302005, 302006, 302013, 302014, 302016-302018, 302020, 302021.
305005, 305006, 305009-305013.
304001-304002 include identity information, but they are not parsed.
You can filter on all identity-related syslog messages by creating a filter on Event Type and selecting
the Identity Firewall Events folder.
When you use the Go to Policy command on an event, as described in Looking Up a Security
Manager Policy from Event Viewer, page 66-48, identity information is included in the lookup
criteria. Note that message 106100 does not include identity information, so a policy lookup from a
106100 event matches on addresses and ports only and cannot distinguish rules by user identity.
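As an added example (not from the Cisco guide and not Cisco code), the following Python script applies the monitoring tips above to a batch of ASA syslog lines: it classifies each message by ID into the identity firewall range (746001-746019) and the messages of particular concern, separates the connection and access-list messages the guide lists as carrying identity from those it lists as unparsed, extracts usernames from the identity-carrying messages, and reproduces the Event Viewer identity filter by keeping only identity-related events. The sample log lines are constructed; classification relies only on the standard `%ASA-<severity>-<id>:` prefix, while the `(DOMAIN\user)` rendering of identity inside the message body is an assumption about the message text, not something the page states.

```python
import re
from collections import Counter

# Identity firewall syslog range named in the guide.
IDENTITY_FW_IDS = range(746001, 746020)

# IDs the guide calls out as of particular concern, with the guide's gloss.
CONCERN = {
    746003: "download of user/group to IP mapping failed (reason in message)",
    746004: "supported number of user/user-group references exceeded; revise policies",
    746005: "AD agent unreachable; check agent health and the ASA-to-agent path",
    746010: "update of an imported user or user group failed (reason in message)",
    746011: "supported number of user/user-group references exceeded; revise policies",
    746016: "DNS lookup of an FQDN failed (reason in message)",
}

# Messages the guide says now carry username/FQDN and are parsed by Event Viewer.
IDENTITY_CARRYING = {
    302005, 302006, 302013, 302014, 302016, 302017, 302018, 302020, 302021,
    305005, 305006, 305009, 305010, 305011, 305012, 305013,
}
# Carry identity information but are not parsed by Event Viewer.
IDENTITY_UNPARSED = {304001, 304002}

# Standard ASA syslog tag: %ASA-<severity>-<six-digit id>: <body>
ASA_TAG = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")
# ASSUMPTION (not stated on the page): identity is rendered as "(DOMAIN\user)"
# in the message body, distinct from address tuples such as "(10.0.0.1/443)".
IDENTITY = re.compile(r"\(([^()\\]+\\[^()]+)\)")

# Constructed sample lines (raw string so the backslashes survive). The bodies are
# illustrative only; the message IDs are the ones the guide discusses.
SAMPLE_LOG = r"""
<163>Jan 10 2013 12:00:01 asa1 %ASA-3-746005: user-identity: AD agent 10.0.0.5 cannot be reached
<166>Jan 10 2013 12:00:02 asa1 %ASA-6-302013: Built inbound TCP connection 1006 for outside:192.0.2.10/40123 (192.0.2.10/40123)(LOCAL\alice) to inside:198.51.100.20/443 (198.51.100.20/443)
<166>Jan 10 2013 12:00:03 asa1 %ASA-6-302014: Teardown TCP connection 1006 for outside:192.0.2.10/40123 (LOCAL\alice) to inside:198.51.100.20/443 duration 0:00:01 bytes 4096 TCP FINs
<166>Jan 10 2013 12:00:04 asa1 %ASA-6-106100: access-list outside_in permitted tcp outside/192.0.2.11(51000) -> inside/198.51.100.20(80) hit-cnt 1 first hit
<163>Jan 10 2013 12:00:05 asa1 %ASA-3-746004: user-identity: policy references more user groups than supported
<166>Jan 10 2013 12:00:06 asa1 %ASA-6-746012: user-identity: informational event (constructed body)
"""


def parse_line(line):
    """Return (msg_id, severity, body) or None if the line carries no ASA tag."""
    m = ASA_TAG.search(line)
    if not m:
        return None
    return int(m.group("id")), int(m.group("sev")), m.group("body")


def classify(msg_id):
    """Bucket a message ID the way the guide groups them."""
    if msg_id in CONCERN:
        return "identity-fw-concern"
    if msg_id in IDENTITY_FW_IDS:
        return "identity-fw"
    if msg_id in IDENTITY_CARRYING:
        return "identity-carrying"
    if msg_id in IDENTITY_UNPARSED:
        return "identity-unparsed"
    return "other"  # e.g. 106100, which carries no identity information


def identity_events(lines):
    """Equivalent of the Event Viewer 'Identity Firewall Events' filter."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and classify(parsed[0]) != "other":
            kept.append(line)
    return kept


def analyze(lines):
    """Count categories, collect concern events, and tally users seen in identity-carrying messages."""
    counts, users, concerns = Counter(), Counter(), []
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            counts["not-asa"] += 1
            continue
        msg_id, sev, body = parsed
        cat = classify(msg_id)
        counts[cat] += 1
        if cat == "identity-fw-concern":
            concerns.append((msg_id, CONCERN[msg_id], body))
        elif cat == "identity-carrying":
            for user in IDENTITY.findall(body):
                users[user] += 1
    return {"counts": counts, "concerns": concerns, "users": users}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for msg_id, hint, body in result["concerns"]:
        print(f"CONCERN {msg_id}: {hint} | {body}")
    print("categories:", dict(result["counts"]))
    print("users seen:", dict(result["users"]))
```

Running the script prints the two concern events (746005 and 746004) with the guide's action hints, then the category counts and the per-user tally; the 106100 line lands in "other", which is the same reason a policy lookup from that message cannot be identity-sensitive.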