14-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Monitoring TrustSec Firewall Policies
Firewall Policies That Support Security Groups
Security group rules are allowed on ASA 9.0.1+ only. The following policies allow you to configure security groups:
• AAA Rules—Select Firewall > AAA Rules and see Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 15-4.
• Access Rules—Select Firewall > Access Rules and see Configuring Access Rules, page 16-7.
• Inspection Rules—Select Firewall > Inspection Rules and see Configuring Inspection Rules, page 17-5.
• Policies that use extended ACL policy objects—Several firewall policies use extended ACL policy objects to define traffic matching criteria instead of incorporating a rule table directly in the policy. You can configure extended ACL policy objects to include security group specifications (see Creating Extended Access Control List Objects, page 6-50). You can then use these extended ACL objects in the following policies:
  – Botnet Traffic Filter Rules—Select Firewall > Botnet Traffic Filter Rules and see Enabling Traffic Classification and Actions for the Botnet Traffic Filter, page 19-6. You can use security groups as part of the traffic classification for Enable and Drop rules.
  – IPS, QoS, and Connection Rules (service policy rules)—Select Platform > Service Policy Rules > IPS, QoS, and Connection Rules and see IPS, QoS, and Connection Rules Page, page 56-5. Traffic match criteria in this policy are based on extended ACL policy objects that are incorporated into traffic flow policy objects. You must select one of the options for specifying an ACL in the traffic flow object to incorporate security group traffic classification. For more information, see Configuring Traffic Flow Objects, page 56-16.
Monitoring TrustSec Firewall Policies
You can use Event Viewer to monitor TrustSec firewall policies the same way you would monitor other
types of policies and events. The following are some tips to help you effectively monitor identity
policies. For general information on using Event Viewer, see Chapter 66, “Viewing Events”.
• There are groups of syslog messages that relate specifically to Cisco TrustSec: 766001-766020, 766201-766205, 766251-766254, and 766301-766313. You can find descriptions of these messages in the Syslog Message document for your ASA software version at http://www.cisco.com/en/US/products/ps6120/products_system_message_guides_list.html.
• Event Viewer has the following columns to display TrustSec information: TrustSec Security Group Name, TrustSec Security Group Tag, SXP Connection Source IP, SXP Connection Failure Reason, SXP Peer IP, SXP Peer Connection Failure Reason.
• You can filter on all identity-related syslog messages by creating a filter on Event Type and selecting the All Firewall Events > Trustsec Events folder.
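The same TrustSec filter can be applied outside Event Viewer, for example when ASA syslog is also forwarded to a SIEM or archived as text. The following added example (not from the guide or from Cisco Security Manager) parses the standard %ASA-severity-id prefix and keeps only messages whose ID falls in the TrustSec ranges listed above; the sample log lines, their severities and their message text are constructed placeholders, not real ASA message text.

```python
import re
from collections import Counter

# Cisco TrustSec syslog message ID ranges listed in the guide (inclusive).
TRUSTSEC_ID_RANGES = (
    (766001, 766020),
    (766201, 766205),
    (766251, 766254),
    (766301, 766313),
)

# Standard ASA syslog prefix: %ASA-<severity>-<message id>: <text>
_ASA_PREFIX = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")


def parse_asa_syslog(line):
    """Return (severity, message_id, text), or None if the line has no ASA prefix."""
    m = _ASA_PREFIX.search(line)
    if not m:
        return None
    return int(m.group("sev")), int(m.group("id")), m.group("text")


def is_trustsec_id(message_id):
    """True if the message ID is in one of the TrustSec ranges from the guide."""
    return any(lo <= message_id <= hi for lo, hi in TRUSTSEC_ID_RANGES)


def filter_trustsec_events(lines):
    """Yield (severity, message_id, text) for TrustSec messages only."""
    for line in lines:
        parsed = parse_asa_syslog(line)
        if parsed and is_trustsec_id(parsed[1]):
            yield parsed


def trustsec_summary(lines):
    """Count TrustSec messages per ID, the text equivalent of the Event Type filter."""
    return Counter(mid for _, mid, _ in filter_trustsec_events(lines))


# Constructed sample lines: IDs come from the ranges above, but the severities
# and message text are placeholders, not real ASA syslog content.
SAMPLE_LOG = [
    "Jan 10 2013 10:00:01 fw1 : %ASA-6-766001: constructed sample TrustSec message",
    "Jan 10 2013 10:00:02 fw1 : %ASA-6-302013: constructed non-TrustSec message",
    "Jan 10 2013 10:00:03 fw1 : %ASA-3-766202: constructed sample SXP message",
    "Jan 10 2013 10:00:04 fw1 : %ASA-6-766001: constructed sample TrustSec message",
    "Jan 10 2013 10:00:05 fw1 : %ASA-4-766021: constructed ID just outside the first range",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for sev, mid, text in filter_trustsec_events(SAMPLE_LOG):
        print(sev, mid, text)
```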