Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
503
Views
0
Helpful
4
Replies

CS-MARS unable to compute mitigation path for external IPs

hoffa2000
Level 3
Level 3

‎09-26-2007 10:51 PM - edited ‎03-09-2019 06:54 PM

Hi

I have a MARS and IDSM setup running and has been monitoring two internal VLANS with the IDSM. I get some notices in the IDSM and MARS for attempts flowing through our open firewall rules, nothing serious and I can get a path and mitigation suggestion for every attempt.

A few days ago I added our external unprotected VLAN to the IDSM and not surprisingly get alot more incidents in the IDSM and MARS. The problem is that none of these events can be graphed in MARS, it doesn't matter what type of events I get or if the events are aimed at valid NATed IPs or available IPs.

The only addition I've done to the MARS after adding the external VLAN to the IDSM is to add our external subnet to the list of networks monitored by the IDSM.

Do I have to change something else? My impression was that MARS should download NATsetups from our firewalls and use that to plot the network paths.

Regards

Fredrik Hofgren

Labels:
0 Helpful
4 Replies 4

michaelwoolfe
Level 1
Level 1

‎09-28-2007 06:48 AM

I believe that MARS does a topology discovery through the "Topology/Monitored Device Update Scheduler". We use to run a MARS based topology scanner before we started using Qualys. See what results you can get from a manual run??

Also, what version and model of MARS are you currently running?

0 Helpful

hoffa2000
Level 3
Level 3
In response to michaelwoolfe

‎09-29-2007 04:11 AM

I'm running 4.3.1 and have run several over night topology updates without effect. What I've done now is to remove the IDSM monitoring on our external VLAN and MARS can now graph the route of the packets again.

I'll leave it as it is for a while but if anyone have a solution I'd appreciate it

Regards

Fredrik

0 Helpful

jfgobin01
Level 1
Level 1
In response to hoffa2000

‎09-30-2007 10:54 PM

Hello,

In the IDSM configuration (is this also functionning with contexts ?), did you precise which networks are protected ? With the NAT addresses or real addresses ?

jF

0 Helpful

hoffa2000
Level 3
Level 3
In response to jfgobin01

‎10-01-2007 01:42 AM

I'm not running the IDSM in context mode. In MARS I specified our two internal subnets and our external subnet as monitored by the IDSM.

I can add that I just tried to monitor the external VLAN but not specify it in MARS but I still get the same problem when graphing external events.

//Fredrik

0 Helpful
Customers Also Viewed These Support Documents