06-25-2008 01:11 PM
When trying to tune for a False Positive I can't do this as the MARS continues to ask for a valid ip address.
The event is coming from a firewall and the event is known so I just want to stop this from appearing in the Incidents.
06-26-2008 12:25 AM
When I click the attachment it gives me this error:
"Document does not exist!"
Can you just paste the RAW event received from the firewall over here? Or re-attach that file.
Regards
Farrukh
P.S if you use the 'name' command on the firewall it will show as 0.0.0.0 in MARS.
06-26-2008 08:41 AM
So where is the edit button for the orginal message?
I have the "no names" command in the firewall
Anyhow not sure how copy/save/export of the raw data but the message is
PIX Stateful failover unable to create a translation slot (xlate)
Source IP/Port 0.0.0.0 0
Destination IP/Port 0.0.0.0 0
Reporting Device secondary.nxxpixdvc01.xxx.net
06-26-2008 08:59 AM
Have you tried the Cisco solution to the real problem? These messages are not normal, as per the docs:
"If this error repeats frequently, use the write standby command on the Active unit to synchronize system memory between the Active and Standby units."
Regards
Farrukh
06-26-2008 09:00 AM
Otherwise you can just remove this message from that particular rule. Or do false positive tuning without IPs.
Regards
Farrukh
06-26-2008 09:05 AM
Sure but when I use the method of clikcing the False Positive tuning from the incident I am taken through the steps. The normal flow let's you select any to any ip to any etc. But with a 0.0.0.0 as the IP address in this process you can't use the intergarted process for tuning from the looks of it. The MARS will contiune to ask for a valid IP address.
06-26-2008 09:02 AM
I am not concerned about the message from the firewall it's self. I am interested in the handling of the 0.0.0.0 in the Mars and why this ip is being reported in the MARS.
06-26-2008 09:05 AM
I'm not aware of handling the 0.0.0.0 in MARS itself, you have to find the root of the problem (like 'name' command etc. and then work from there). Or use any 'other' criteria to tune this false positive in MARS.
Regards
Farrukh
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide