Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get more information on CSM, MARS, ASDM, IME, CCP, and IronPort SMA with Cisco experts Raghu Kasavaraju and Ziad Sarieddine. Raghu, Product Manager for Cisco Security Manager, has 15 years of extensive experience in IT and he has spent the last 10 years in Information Security Operations, Consulting & Engineering roles. Currently, Raghu is the PM Lead for Cisco Security Manager 4.0 release. Ziad (CCIE Security # 23379) is a security management technologist with expertise in security solutions covering Firewall, IPS, and VPN. Prior to joining Cisco in 2006, Ziad spent 10+ years as a Lead Analyst / Senior Network Engineer designing and installing large networks at different companies.
Remember to use the rating system to let Ziad know if you have received an adequate response.
Ziad might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Raghu & Ziad,
First off, I really like CSM. I have been a Cisco consultant for many years and have seen a few different management systems from Cisco, and this one is by far the best one.
I have been installing and using CSM for some time now, and one thing that always comes up when doing more than just the basic VPN solution or firewall solution is lack of feature support, mostly on IOS routers. Can you explain what the timeline is for putting in support for new features as well as old features that are not there yet, and if that is even the plan to do so?
One example is the "tag" option on a static route, which is not supported yet, and I wonder if it ever will be (I can't find it at least)?
Nice to hear that you like our product. Specific to your question on IOS router support, are there any specific sets of features/router platforms that you are looking at? IOS routers are definitely one of the critical platforms we support, and we would like to know a little more detail on it.
No specific feature set or platform, although most of the stuff I do on IOS is with the Advanced IP Services feature set and on the 2800/3800/7200 series.
Stuff like IP SLA, routing protocol features like distribute lists, prefix lists, hierarchical QoS, NetFlow, WCCP. It seems like the main focus is on security features, which is good, but a solution that is managed by CSM should in my mind support the whole feature set, or a lot of value is gone, since we then have to manage all that via FlexConfigs, which gives us little to no flexibility.
Yes, you are right. CSM's main focus is on managing security features rather than platform features. I will take your feedback on supporting the whole feature set and see how we can incorporate it in future releases.
I am assuming here that you have used the CSM + Cisco Configuration Engine (CE) solution for security + non-security config management needs and you are looking for a single console to handle both aspects.
Hi Raghu and Ziad,
I have some basic questions for you on CSM:
1. Which is the current version of CSM available in the market ?
2. What are some of the key features coming in the next release of CSM ?
3. How do I get a demo or eval version of CSM for lab testing purposes ?
Good questions, Saurabh. Find responses below.
1. The current version of CSM available in the market is 3.3.
2. On next releases of CSM, there are a couple of releases committed for the next 8-9 months.
3. CSM 3.3.1, a minor release, is primarily targeted to provide security management support for ISR G2 platforms. In addition to ISR G2 platform support, this release will enable easier IPS user credentials management until IPS devices support AAA. CSM 3.3.1 is expected to be released in Nov '09.
4. CSM 4.0, a major release, is a committed program targeted to deliver an 'integrated experience' for Policy Management & Event Management. In addition to Event Management, this release will provide:
- Seamless co-existence of CSM with other 3rd party management tools in 'hetero-operational' IT environments
- Tighter coupling between ASA<-->CSM via Simplified NAT Management, Interface independent policies, managing rule explosion
- Support for Botnet Traffic Filter & IPS Global Correlation enhancements
- Windows 2008 and 64 bit OS support
5. A demo/eval version of CSM 3.3 for lab testing purposes is available at www.cisco.com/go/csmanager, and this CSM image comes with a built-in 90-day eval license.
Hope this addresses your queries.
1. Will CSM 4.0 have the same GUI (look and feel) as ASDM/IME?
2. Will CSM 4.0 provide the same functions as Check Point SmartCenter in the future (like HA design/management in a geographically distributed mode rather than a centrally managed mode with only one single active CSM in a single location)?
Please find responses below.
1. CSM 4.0 will have minor changes in the UI from a look-and-feel standpoint, but it won't be the same as ASDM/IME.
2. A distributed deployment scenario is something we are considering for our future releases.
Can you please help me understand if you are looking at this distributed deployment architecture due to any scalability challenges?
No. Not scalability challenges. It's more about performance and redundancy. The current CSM is in Active/Passive HA mode, meaning all Cisco network security components have to talk to this central management server. This architecture is not optimized for the management traffic flow. For example, for a global security deployment in different geographical locations, security admins/engineers in different regions have to connect to the central CSM (assuming it's located in the US) to push the policy across WAN/continents. In my opinion, all Cisco management software (CSM/NAC/CSA/MARS) should go with the distributed HA mode/direction: each region has its own regional/local management in HA or non-HA mode, but all regional management servers sync up with a central DB, so if any single regional CSM fails, the security policy can still be managed from the other regional CSMs.
Got it. Today in CSM, we support manual export/import of policy objects, by which you can share objects among multiple instances of CSM so that your devices can be segregated and managed based on geography.
We are working towards a more elegant solution to address redundancy aspects you mention above.
Help me understand: do you see this requirement coming from large enterprises?
We are using Cisco ASA VPN for SSL & IPsec. The ASA can keep only 1 week of session history. I would like to monitor the VPN sessions for a longer period. Are there any tools I can use, or any configuration to be configured? Please advise.
Please look into the extraxi third-party application. They provide a tool to handle historical reports, which should also cover SSL VPN reports for the ASA.
Here is the link for extraxi.
Also I will take your feedback on the need to natively support this feature in the future.
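As an added example for the VPN session history question above (this is not part of the thread, and it is neither Cisco's nor extraxi's code): the usual way to keep session history beyond what the ASA itself retains is to send the ASA's syslog to a collector and archive the VPN session-disconnect messages there. The script below parses the %ASA-4-113019 "Session disconnected" message, which reports username, group, peer IP, session type, duration and byte counts, derives the session start time, summarizes per user, and flattens the records to CSV so a daily run can append to a long-term archive. The sample syslog lines are constructed, not captured from a real device, and the exact field layout of the 113019 message is assumed from memory; check it against the syslog message guide for your ASA software version and adjust the regular expression if it differs.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not captured from a real ASA). The field
# layout of the %ASA-4-113019 "Session disconnected" message is assumed from
# memory; verify it against your ASA version. The last line is a non-VPN
# message and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Oct 28 2009 08:15:02 asa1 %ASA-4-113019: Group = SSLVPN_GRP, Username = alice, IP = 198.51.100.23, Session disconnected. Session Type: SSL, Duration: 1h:02m:11s, Bytes xmt: 120345, Bytes rcv: 98765, Reason: User Requested
Oct 28 2009 09:30:47 asa1 %ASA-4-113019: Group = IPSEC_GRP, Username = bob, IP = 203.0.113.9, Session disconnected. Session Type: IPsec, Duration: 0h:45m:00s, Bytes xmt: 5000, Bytes rcv: 7000, Reason: Idle Timeout
Oct 29 2009 22:10:05 asa1 %ASA-4-113019: Group = SSLVPN_GRP, Username = alice, IP = 198.51.100.40, Session disconnected. Session Type: SSL, Duration: 2d:03h:10m:30s, Bytes xmt: 1, Bytes rcv: 2, Reason: Lost Service
Oct 29 2009 22:11:00 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.40/5555 (198.51.100.40/5555) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Assumed layout of the 113019 message; named groups pull out each field.
DISCONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-4-113019: "
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"Session disconnected\. Session Type: (?P<stype>[^,]+), Duration: (?P<dur>[^,]+), "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.*)$"
)

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert an ASA duration such as '1h:02m:11s' or '2d:03h:10m:30s' to seconds."""
    return sum(int(tok[:-1]) * _UNIT_SECONDS[tok[-1]] for tok in text.split(":"))


def parse_sessions(text):
    """Return one record per session-disconnect message; other messages are skipped."""
    sessions = []
    for line in text.splitlines():
        m = DISCONNECT_RE.match(line.strip())
        if not m:
            continue
        end = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        secs = parse_duration(m.group("dur"))
        sessions.append({
            "user": m.group("user"),
            "group": m.group("group"),
            "ip": m.group("ip"),
            "type": m.group("stype"),
            "start": end - timedelta(seconds=secs),  # derived from end time and duration
            "end": end,
            "seconds": secs,
            "bytes": int(m.group("xmt")) + int(m.group("rcv")),
            "reason": m.group("reason"),
        })
    return sessions


def summarize(sessions):
    """Per-user totals: session count, connected seconds, bytes, last disconnect time."""
    out = defaultdict(lambda: {"sessions": 0, "seconds": 0, "bytes": 0, "last_end": None})
    for s in sessions:
        u = out[s["user"]]
        u["sessions"] += 1
        u["seconds"] += s["seconds"]
        u["bytes"] += s["bytes"]
        if u["last_end"] is None or s["end"] > u["last_end"]:
            u["last_end"] = s["end"]
    return dict(out)


def to_csv(sessions):
    """Flatten the records to CSV so daily runs can append to a long-term archive."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["user", "group", "ip", "type", "start", "end", "seconds", "bytes", "reason"])
    for s in sessions:
        w.writerow([s["user"], s["group"], s["ip"], s["type"], s["start"].isoformat(),
                    s["end"].isoformat(), s["seconds"], s["bytes"], s["reason"]])
    return buf.getvalue()


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_SYSLOG)
    for user, t in sorted(summarize(recs).items()):
        print(f"{user}: {t['sessions']} sessions, {t['seconds']} s connected, "
              f"{t['bytes']} bytes, last disconnect {t['last_end']}")
    print(to_csv(recs))
```

In practice you would point the ASA at a syslog server (logging host ...) with at least the level that emits 113019, run this over the collected file on a schedule, and keep the CSV (or load it into a database) for as long as your retention policy requires; the ASA's own session table is then only a live view.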