Hi,
Can someone share a few sample reports of TrustSec Monitoring mode? I want to see the different kinds of reports that may be available to me once Monitoring mode is enabled in the TrustSec policy.
Thanks
TJ
Hi Tiju,
are you after ISE reports? If so, which release?
Or do you mean switch/router logs?
Hi Jeaves,
Basically I want to see a few sample reports that ISE can give from the TrustSec "Reports" section related to TrustSec Monitoring mode. ISE version is 2.2 patch 6.
For a switch/router I may need to rely on syslog or NetFlow.
OK, not having ISE 2.2 operational in my lab, I just tried it on ISE 2.1 and ISE 2.3P2 and I see absolutely no reports at all for Monitor Mode under the TrustSec Policy Download Report. I tried enabling and disabling monitor mode for a single SGACL and also for all SGACLs.
Nothing is displayed in the report.
Wondering if anyone else on this forum has anything to add?
Maybe contact ise-pm to see if the function is included in the code and if not perhaps add it to the DPL. Of course, it could just be a bug.
I just tested to see what is available in terms of reporting on network devices.
My test bed was set up with an ASR, but other platforms should behave the same way.
We are looking at the group 18:HVAC to group 14:PCI_Servers policy in this case.
1) Not in monitor mode, deny with log:
Kernow-ASR1kx#show cts role-based perm
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers:
deny_log-10
IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:
Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
Syslog message generated:
Jul 5 13:02:10.196: %FMANFP-6-IPACCESSLOGSGDP: SIP0: fman_fp_image: ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'
Kernow-ASR1kx#show cts role counters
Role-based IPv4 counters
From   To   SW-Denied   HW-Denied   SW-Permitt   HW-Permitt   SW-Monitor   HW-Monitor
*      *    0           0           5378666      6291399      0            0
18     14   0           5           0            0            0            0
255    14   0           0           0            0            0            0
Kernow-ASR1kx#
2) From ISE, set the SGACL in monitor mode:
Kernow-ASR1kx#show cts role perm
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers (monitored):
deny_log-10
IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:
Deny IP-00
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
Syslog message generated:
Jul 5 13:03:57.632: %FMANFP-6-IPACCESSLOGSGDP: SIP0: fman_fp_image: ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' sgt='18' dgt='14' logging_interval_hits='1'
Kernow-ASR1kx#show cts role counters
Role-based IPv4 counters
From   To   SW-Denied   HW-Denied   SW-Permitt   HW-Permitt   SW-Monitor   HW-Monitor
*      *    0           0           5378613      6291011      0            0
18     14   0           0           0            0            0            11
255    14   0           0           0            0            0            0
Kernow-ASR1kx#
So, the syslog function works with the log keyword whether in monitor mode or not.
The counters indicate whether monitor mode is active or not (different columns).
When in monitor mode with a deny ACE, the traffic is really permitted, as per my test.
Hope this helps, Regards, Joff.
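The test above shows the SOC-relevant catch: the same %FMANFP-6-IPACCESSLOGSGDP line with action='Deny' is emitted in both steps, so the syslog alone cannot tell an enforced drop from a monitor-only hit; only the "(monitored)" tag in "show cts role-based permissions" (or the HW-Monitor counter) reveals that the packet was forwarded. The following is an added example, not code from the post or from Cisco, that cross-references the two; the permissions and syslog inputs are constructed to mirror the outputs quoted above, and the function names are my own.

```python
import re

# Constructed inputs modelled on the two 'show cts role-based permissions'
# outputs and the syslog line quoted in the post above (step 1 and step 2).
PERMS_STEP1 = """\
IPv4 Role-based permissions from group 18:HVAC to group 14:PCI_Servers:
deny_log-10
IPv4 Role-based permissions from group 255:Quarantined_Systems to group 14:PCI_Servers:
Deny IP-00
"""
# Step 2: ISE pushed the 18->14 cell in monitor mode; the router tags it "(monitored)".
PERMS_STEP2 = PERMS_STEP1.replace("14:PCI_Servers:\ndeny_log",
                                  "14:PCI_Servers (monitored):\ndeny_log")

SYSLOG = ("Jul 5 13:03:57.632: %FMANFP-6-IPACCESSLOGSGDP: SIP0: fman_fp_image: "
          "ingress_interface='LISP0.4102' sgacl_name='deny_log-10' action='Deny' "
          "protocol='icmp' src-ip='10.4.1.112' dest-ip='10.1.100.4' type='8' code='0' "
          "sgt='18' dgt='14' logging_interval_hits='1'")

CELL_RE = re.compile(r"from group (\d+):\S+ to group (\d+):\S+( \(monitored\))?:")
KV_RE = re.compile(r"(\S+?)='([^']*)'")   # key='value' pairs in the syslog body


def monitored_cells(perm_output):
    """(sgt, dgt) pairs flagged '(monitored)' in the permissions output."""
    return {(int(m.group(1)), int(m.group(2)))
            for m in CELL_RE.finditer(perm_output) if m.group(3)}


def classify(line, monitored):
    """Parse an IPACCESSLOGSGDP line and say whether the logged Deny was
    actually enforced or was monitor-only (packet forwarded despite the log)."""
    if "%FMANFP-6-IPACCESSLOGSGDP" not in line:
        return None
    f = dict(KV_RE.findall(line))
    cell = (int(f["sgt"]), int(f["dgt"]))
    if f.get("action") == "Deny" and cell in monitored:
        f["effective"] = "monitor-only"   # deny logged, traffic forwarded
    else:
        f["effective"] = "enforced"
    return f


if __name__ == "__main__":
    for label, perms in (("step 1", PERMS_STEP1), ("step 2", PERMS_STEP2)):
        ev = classify(SYSLOG, monitored_cells(perms))
        print(f"{label}: {ev['src-ip']} -> {ev['dest-ip']} sgt={ev['sgt']} dgt={ev['dgt']} "
              f"{ev['sgacl_name']} action={ev['action']}: {ev['effective']}")
```

In a real pipeline the permissions output would be refreshed from the device whenever ISE pushes a policy, since a cell can move in or out of monitor mode without any change in the syslog text.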