Cisco Employee

Monitoring mode report

Hi,

Can someone share a few sample reports of the TrustSec Monitoring mode? I want to see the different kinds of reports that may be available to me once Monitoring mode is enabled in TrustSec policy.

Thanks

TJ

Cisco Employee

Hi Tiju,

Are you after ISE reports? If so, which release?

Or do you mean switch/router logs?


Hi Jeaves,

Basically I want to see a few sample reports that ISE can give from the TrustSec "Reports" section related to TrustSec Monitoring mode. ISE version is 2.2 patch 6.

For a switch/router I may need to rely on syslog or NetFlow.


OK, not having ISE 2.2 operational in my lab, I just tried it on ISE 2.1 and ISE 2.3P2 and I see absolutely no reports at all for Monitor Mode under the TrustSec Policy Download Report. I tried enabling and disabling monitor mode for a single SGACL and also for all SGACLs.

Nothing is displayed in the report.

Wondering if anyone else on this forum has anything to add?

Maybe contact ise-pm to see if the function is included in the code and if not perhaps add it to the DPL. Of course, it could just be a bug.


I just tested to see what is available in terms of reporting on network devices.

My test bed was set up with an ASR, but other platforms should behave the same way.

We are looking at the group 18:HVAC to group 14:PCI_Servers policy in this case.

1) Not in monitor mode, deny with log:

Kernow-ASR1kx#show cts role-based perm
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers:
        deny_log-10
IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

Syslog message generated:

Jul  5 13:02:10.196: %FMANFP-6-IPACCESSLOGSGDP:  SIP0: fman_fp_image:  ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'

Kernow-ASR1kx#show cts role counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          5378666    6291399    0          0
18      14      0          5          0          0          0          0
255     14      0          0          0          0          0          0
Kernow-ASR1kx#

2) From ISE, set the SGACL in monitor mode:

Kernow-ASR1kx#show cts role perm
IPv4 Role-based permissions default:
        Permit IP-00
IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers (monitored):
        deny_log-10
IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:
        Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE

Syslog message generated:

Jul  5 13:03:57.632: %FMANFP-6-IPACCESSLOGSGDP:  SIP0: fman_fp_image:  ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'

Kernow-ASR1kx#show cts role counters
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          5378613    6291011    0          0
18      14      0          0          0          0          0          11
255     14      0          0          0          0          0          0
Kernow-ASR1kx#

So, the syslog function works with the log keyword whether in monitor mode or not.

The counters indicate whether monitor mode is active or not (different columns).

When in monitor mode with a deny ACE, the traffic is really permitted, as per my test.

Hope this helps, Regards, Joff.
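The practical trap in the test above is that the syslog message says action='Deny' in both runs, and only the counters reveal that the monitored SGACL actually let the ICMP through. The following Python is an added example (mine, not code from the thread, from ISE or from Cisco): it parses the two "show cts role counters" outputs and the %FMANFP-6-IPACCESSLOGSGDP line quoted above, and decides what really happened to the logged flow by correlating the sgt/dgt of the syslog message with the SW-Monitor/HW-Monitor columns for that cell. The sample inputs are copied from the post; the column layout and the key='value' syslog format are assumed to be as shown there.

```python
import re

# Constructed sample input, copied from the ASR outputs quoted in the post above.
# Run 1: SGACL deny_log-10 enforced (HW-Denied increments).
COUNTERS_ENFORCED = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          5378666    6291399    0          0
18      14      0          5          0          0          0          0
255     14      0          0          0          0          0          0
"""

# Run 2: same SGACL, but set to monitor mode from ISE (HW-Monitor increments).
COUNTERS_MONITORED = """\
Role-based IPv4 counters
From    To      SW-Denied  HW-Denied  SW-Permitt HW-Permitt SW-Monitor HW-Monitor
*       *       0          0          5378613    6291011    0          0
18      14      0          0          0          0          0          11
255     14      0          0          0          0          0          0
"""

# The syslog line is identical in both runs: it reports 'Deny' even when monitored.
SYSLOG_LINE = (
    "Jul  5 13:03:57.632: %FMANFP-6-IPACCESSLOGSGDP:  SIP0: fman_fp_image:  "
    "ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' "
    "protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' "
    "sgt='18' dgt='14' logging_interval_hits='1'"
)

MONITOR_COLUMNS = ("SW-Monitor", "HW-Monitor")


def parse_counters(text):
    """Parse 'show cts role counters' output into {(src_sgt, dst_sgt): {column: int}}.

    The header row ('From    To   SW-Denied ...') defines the column names, so the
    parser does not hard-code the column order; rows with an unexpected field count
    (banner line, prompt) are skipped.
    """
    rows = {}
    header = None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["From", "To"]:
            header = parts[2:]
            continue
        if header is None or len(parts) != 2 + len(header):
            continue
        src, dst = parts[0], parts[1]
        rows[(src, dst)] = {col: int(val) for col, val in zip(header, parts[2:])}
    return rows


def parse_sgacl_syslog(line):
    """Extract the key='value' fields of an IPACCESSLOGSGDP message, or None."""
    if "IPACCESSLOGSGDP" not in line:
        return None
    return dict(re.findall(r"([\w-]+)='([^']*)'", line))


def monitored_pairs(counters):
    """Return the (src, dst) cells whose monitor counters are non-zero."""
    return sorted(
        pair for pair, cell in counters.items()
        if any(cell.get(col, 0) > 0 for col in MONITOR_COLUMNS)
    )


def effective_action(fields, counters):
    """Decide what really happened to a logged flow.

    A 'Deny' in the syslog message only means a drop when the matching sgt/dgt cell
    shows no monitor hits; with monitor hits present, the traffic was forwarded.
    """
    cell = counters.get((fields["sgt"], fields["dgt"]))
    if cell is None:
        return "unknown"
    monitored = any(cell.get(col, 0) > 0 for col in MONITOR_COLUMNS)
    if fields["action"] == "Deny" and monitored:
        return "permitted (monitor mode)"
    return fields["action"].lower()


if __name__ == "__main__":
    fields = parse_sgacl_syslog(SYSLOG_LINE)
    for label, text in (("enforced", COUNTERS_ENFORCED), ("monitored", COUNTERS_MONITORED)):
        counters = parse_counters(text)
        print(label, "monitored cells:", monitored_pairs(counters),
              "effective action:", effective_action(fields, counters))
```

If you ship the syslog messages to a SIEM, treat action='Deny' from a cell that is in monitor mode as a "would have been denied" event rather than a block, and poll the counters (or the "(monitored)" tag in "show cts role-based permissions") to know which cells are in that state.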
