Chapter 2 Deployment Planning
Policy Tuning and Troubleshooting
2-10
Installing Management Center for Cisco Security Agents 5.2
78-17916-01
understand the behavior of the application, craft a policy, place it in test mode
on the pilot machines, and examine the event log. Use the techniques in the
rest of this section to tune and troubleshoot that application's policy, re-examine
the event log, and, once you are satisfied with the result, place the application's
policy in live mode on the pilot machines. Repeat these steps for each
application on your prioritized list.
Creating a completely custom set of policies. In this scenario, you have a
team of network security experts who have assembled a detailed list of
security features and studied the many supplied rule modules. The experts use
the Analysis -> Application Behavior Investigation tool to thoroughly
study the applications for which they will write rules, and then craft custom
policies by selecting the desired rule modules and rules. Because custom
policies have not been exercised the way the supplied ones have, start with a
small pilot of a few systems in a test lab and then expand to a larger and more
thorough pilot.
Using Test Mode
CSA policies can run in live mode, where they enforce rules by denying or
allowing events, or in test mode, where they only record in the event log what the
action would have been for a given event. Nothing is blocked in test mode, so a
host is not protected by a rule that is still under test. All event log entries for
rules in test mode begin with the label TESTMODE: to make it easy to scan for
events relating to rules under test. In general, you start a pilot in test mode and
gradually change over to live mode as you examine the performance of each
policy. You can use test mode in two different ways:
Place all policies for a group in test mode.
From the Systems->Groups menu, use the supplied Systems - test mode
group, which is available for Windows, Linux, and Solaris. Attach hosts
(both desktops and servers) to the appropriate test mode group. You can
make one or more agent kits available for download with the test mode
groups; include "test mode" in the name of each such agent kit so that it
cannot be confused with a live-mode kit.
When the "test mode" phase of the pilot is completed, detach the hosts
from the test mode groups to place them in live mode.
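Examining the TESTMODE: entries before moving a group to live mode is easier with a small triage script. The following is an added example, not code from this guide or from the CSA product. The only documented feature it relies on is the TESTMODE: label at the start of test-mode entries; the plain-text key=value layout after that label, the sample lines, and the host, module and process names are all constructed assumptions for the example. It groups would-be actions by rule module and process, lists the would-be denies (each is either an intended block or a false positive that needs a rule exception before the module goes live), and names the modules that produced no denies at all, which are the lowest-risk candidates to switch to live mode first.

```python
"""Triage CSA test-mode events from a plain-text export of the event log.

Added example, not part of the Cisco guide. Only the "TESTMODE:" prefix is
documented; the key=value field layout below is an assumption.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real CSA output). Entries for rules in test
# mode start with "TESTMODE:"; the one line without it is a live-mode event.
SAMPLE_LOG = """\
TESTMODE: 2007-03-12T09:14:02 host=pilot-ws01 module="Network Lockdown" action=Deny process="C:\\App\\app.exe" target="connect tcp/445 10.0.0.7"
TESTMODE: 2007-03-12T09:14:05 host=pilot-ws01 module="Network Lockdown" action=Deny process="C:\\App\\app.exe" target="connect tcp/445 10.0.0.8"
TESTMODE: 2007-03-12T09:15:10 host=pilot-ws02 module="File Protection" action=Allow process="C:\\App\\app.exe" target="write C:\\App\\data\\cache.db"
TESTMODE: 2007-03-12T09:16:41 host=pilot-ws02 module="File Protection" action=Deny process="C:\\Windows\\notepad.exe" target="write C:\\App\\data\\config.ini"
2007-03-12T09:17:00 host=pilot-srv01 module="Web Server Hardening" action=Deny process="C:\\Inetpub\\w3wp.exe" target="exec cmd.exe"
TESTMODE: 2007-03-12T09:18:22 host=pilot-ws01 module="Network Lockdown" action=Query process="C:\\App\\updater.exe" target="connect tcp/80 198.51.100.5"
TESTMODE: 2007-03-12T09:19:03 host=pilot-ws02 module="Application Control" action=Allow process="C:\\App\\app.exe" target="exec C:\\App\\helper.exe"
"""

# Assumed line layout: optional "TESTMODE:" label, timestamp, then key=value
# fields. Quoted values may contain spaces and backslashes.
EVENT_RE = re.compile(
    r'^(?P<test>TESTMODE:\s+)?(?P<ts>\S+)\s+host=(?P<host>\S+)\s+'
    r'module="(?P<module>[^"]*)"\s+action=(?P<action>\w+)\s+'
    r'process="(?P<process>[^"]*)"\s+target="(?P<target>[^"]*)"\s*$'
)


def parse_events(log_text):
    """Parse every well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["test_mode"] = ev.pop("test") is not None
        events.append(ev)
    return events


def summarize_test_mode(log_text):
    """Count would-be actions per (rule module, process) for test-mode events.

    Live-mode events are excluded on purpose: they are already enforced and
    belong to policies that have left the pilot's test phase.
    """
    summary = defaultdict(Counter)
    for ev in parse_events(log_text):
        if ev["test_mode"]:
            summary[(ev["module"], ev["process"])][ev["action"]] += 1
    return dict(summary)


def deny_report(summary):
    """Rows (module, process, deny_count) for everything test mode would have
    denied, most frequent first. Each row needs a decision: intended block
    (leave the rule alone) or false positive (add an exception) before the
    module is switched to live mode."""
    rows = [(mod, proc, c["Deny"]) for (mod, proc), c in summary.items() if c["Deny"]]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def modules_with_no_denies(summary):
    """Modules whose test-mode entries were only Allow/Query: the lowest-risk
    candidates to move to live mode first."""
    denied = {mod for mod, _, _ in deny_report(summary)}
    return sorted({mod for mod, _ in summary} - denied)


if __name__ == "__main__":
    s = summarize_test_mode(SAMPLE_LOG)
    for mod, proc, n in deny_report(s):
        print(f"{n:3d}  {mod:<22} {proc}")
    print("no would-be denies:", modules_with_no_denies(s))
```

Run it against an export of the real event log by replacing SAMPLE_LOG with the file contents and adjusting EVENT_RE to the actual field layout; the TESTMODE: filter and the grouping logic stay the same. A module that shows would-be denies only against processes you expect it to block is ready for live mode; one that would deny the pilot application itself needs tuning first.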
Place a specific rule module in test mode.