Hi Jeaves,

Basically i want to see few sample reports that the ISE can give from TrustSec "Reports" section related to TrustSec Monitoring mode. ISE version is 2.2 patch 6

For a switch/router i may need to rely on syslog or netflow.

OK, not having ISE 2.2 operational in my lab, I just tried it on ISE 2.1 and ISE 2.3P2 and I see absolutely no reports at all for Monitor Mode under the TrustSec Policy Download Report. I tried enabling and disabling monitor mode for a single SGACL and also for all SGACLs.

Nothing is displayed in the report.

Wondering if anyone else on this forum has anything to add?

Maybe contact ise-pm to see if the function is included in the code and if not perhaps add it to the DPL. Of course, it could just be a bug.

I just tested to see what is available in terms of reporting on network devices.

My test bed was setup with an ASR but other platforms should behave the same way.

We are looking at the group 18:HVAC to group 14:PCI_Servers policy in this case.

1) Not in monitor mode, deny with log:

Kernow-ASR1kx#show cts role-based perm

IPv4 Role-based permissions default:

        Permit IP-00

IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers:

        deny_log-10

IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:

        Deny IP-00

RBACL Monitor All for Dynamic Policies : FALSE

RBACL Monitor All for Configured Policies : FALSE

Syslog message generated:

Jul  5 13:02:10.196: %FMANFP-6-IPACCESSLOGSGDP:  SIP0: fman_fp_image:  ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'

Kernow-ASR1kx#show cts role counters

Role-based IPv4 counters

From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor

*       *       0          0          5378666    6291399    0          0        

18      14      0          5          0          0          0          0        

255     14      0          0          0          0          0          0        

Kernow-ASR1kx#

2) From ISE, set the SGACL in monitor mode:

Kernow-ASR1kx#show cts role perm

IPv4 Role-based permissions default:

        Permit IP-00

IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers (monitored):

        deny_log-10

IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:

        Deny IP-00

RBACL Monitor All for Dynamic Policies : FALSE

RBACL Monitor All for Configured Policies : FALSE

Syslog message generated:

Jul  5 13:03:57.632: %FMANFP-6-IPACCESSLOGSGDP:  SIP0: fman_fp_image:  ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'

Kernow-ASR1kx#show cts role counters

Role-based IPv4 counters

From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor

*       *       0          0          5378613    6291011    0          0        

18      14      0          0          0          0          0          11       

255     14      0          0          0          0          0          0        

Kernow-ASR1kx#

So, the syslog function works with the log keyword whether in monitor mode or not.

The counters indicate whether monitor mode is active or not (different columns).

When in monitor mode with a deny ACE the traffic is really permitted as per my test.

Hope this helps, Regards, Joff.