Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
Installing Management Center for Cisco Security Agents 5.2
78-17916-01
Use the supplied groups and, if necessary, define additional groups for each
distinct desktop and server type in your network. Your pilot should include
hosts of every desktop and server type you run, so that every policy is tuned
and troubleshot against real hosts before deployment.
Group membership is cumulative, which can be useful in tuning and
troubleshooting. For example, at the beginning of a pilot, participating hosts
that are Windows desktops would be attached to the All Windows and
Desktops - All Types groups on the Systems -> Groups menu. Once you
have tuned the basic desktop policies, you might attach some of those hosts
to the Desktops - Remote or mobile group. Once you are satisfied with the
performance of the remote/mobile policies, you could define a new group for
a specific department’s applications, attach hosts to the new group, and pilot
those policies.
Start piloting all groups in test mode, and examine the event log (Events ->
Event Log menu) for tuning and troubleshooting needs before moving to
enforcement mode (also known as live mode). With the current release, you can
place either all policies for a group or a single rule module in test mode.
Therefore, as you tune and troubleshoot, you can move rule modules to
enforcement mode one at a time. Keep in mind that a rule module in test mode
only logs the action it would have taken; it does not block anything, so the
hosts under test have no protection from that module while the test runs.
Policy tuning and troubleshooting is an iterative process. Focus on a single
policy for improvement at a time and then verify that the tuning and
troubleshooting techniques did what you expected before deploying the
improved policy.
Prioritize the security features you want to implement with CSA policies.
You can also prioritize applications and groups. By having clear priorities
and working through a single policy improvement at a time, you can manage
the complexity of deploying large policy sets in large networks. For example,
based on priorities, you can keep a specific rule module in test mode while
the rest of the rule modules in the policy are in live mode.
Large policy sets can generate enormous numbers of log messages, so you
need to use the tools provided that help filter out extraneous information and
isolate the specific policy to be improved or behavior to be studied. For
example, you can log only the events that result in Deny actions or create an
exception rule that stops logging a specific event to reduce the overall number
of log messages. In addition, host diagnostics can be used to filter rules based
on the user state (that is, the user and group) the host is in, such as only