Monitoring mode report

firefox · ‎07-04-2018

Hi,

Can someone share few sample reports of the TrustSec Monitoring mode? I want to see the different kind of reports that may be available to me once Monitoring mode is enabled in TrustSec policy.

Thanks

TJ

jeaves@cisco.com · ‎07-05-2018

Hi Tiju,

are you after ISE reports? If so, which release?

Or do you mean switch/router logs?

firefox · ‎07-05-2018

Hi Jeaves,

Basically i want to see few sample reports that the ISE can give from TrustSec "Reports" section related to TrustSec Monitoring mode. ISE version is 2.2 patch 6

For a switch/router i may need to rely on syslog or netflow.

jeaves@cisco.com · ‎07-05-2018

OK, not having ISE 2.2 operational in my lab, I just tried it on ISE 2.1 and ISE 2.3P2 and I see absolutely no reports at all for Monitor Mode under the TrustSec Policy Download Report. I tried enabling and disabling monitor mode for a single SGACL and also for all SGACLs.

Nothing is displayed in the report.

Wondering if anyone else on this forum has anything to add?

Maybe contact ise-pm to see if the function is included in the code and if not perhaps add it to the DPL. Of course, it could just be a bug.

jeaves@cisco.com · ‎07-05-2018

I just tested to see what is available in terms of reporting on network devices.

My test bed was setup with an ASR but other platforms should behave the same way.

We are looking at the group 18:HVAC to group 14:PCI_Servers policy in this case.

1) Not in monitor mode, deny with log:

Kernow-ASR1kx#show cts role-based perm

IPv4 Role-based permissions default:

Permit IP-00

IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers:

deny_log-10

IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:

Deny IP-00

RBACL Monitor All for Dynamic Policies : FALSE

RBACL Monitor All for Configured Policies : FALSE

Syslog message generated:

Jul 5 13:02:10.196: %FMANFP-6-IPACCESSLOGSGDP: SIP0: fman_fp_image: ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'

Kernow-ASR1kx#show cts role counters

Role-based IPv4 counters

From To SW-Denied HW-Denied SW-Permitt HW-Permitt SW-Monitor HW-Monitor

* * 0 0 5378666 6291399 0 0

18 14 0 5 0 0 0 0

255 14 0 0 0 0 0 0

Kernow-ASR1kx#

2) From ISE, set the SGACL in monitor mode:

Kernow-ASR1kx#show cts role perm

IPv4 Role-based permissions default:

Permit IP-00

IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers (monitored):

deny_log-10

IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:

Deny IP-00

RBACL Monitor All for Dynamic Policies : FALSE

RBACL Monitor All for Configured Policies : FALSE

Syslog message generated:

Jul 5 13:03:57.632: %FMANFP-6-IPACCESSLOGSGDP: SIP0: fman_fp_image: ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'

Kernow-ASR1kx#show cts role counters

Role-based IPv4 counters

From To SW-Denied HW-Denied SW-Permitt HW-Permitt SW-Monitor HW-Monitor

* * 0 0 5378613 6291011 0 0

18 14 0 0 0 0 0 11

255 14 0 0 0 0 0 0

Kernow-ASR1kx#

So, the syslog function works with the log keyword whether in monitor mode or not.

The counters indicate whether monitor mode is active or not (different columns).

When in monitor mode with a deny ACE the traffic is really permitted as per my test.

Hope this helps, Regards, Joff.