CSM 4.0 - New / Enhanced functionality

Cisco Employee


CSM of the past

Cisco Security Manager (CSM) is a security management platform that runs on a server and is used to manage security devices. Its earliest version was CSM 3.0, released in 2007, followed by 3.1, 3.2 and 3.3. CSM 4.0 was released recently and the product is still being developed and improved with extra functions and features. The platform was initially envisioned as a general security management tool that lets an administrator manage their firewalls through a graphical interface residing on a central server. The CSM database "knows" about all the security devices and their configurations. It was designed to deploy to multiple firewalls at the same time, based on the configuration changes made on each one. It also introduced a number of useful time-saving features for sharing policies and configurations among multiple devices. The ability to manage multiple security "boxes" is what made CSM popular among security administrators.

Previous CSM versions supported fewer product features, devices, software versions and security functions than CSM 4.0 does. They sometimes suffered from bugs that were fixed with the service packs introduced for each version. As time went by, administrators also asked for functions the product did not yet offer: newly developed security features on IOS routers, new firewall features on ASA/FWSM firewalls, or new software versions. CSM 4.0 tries to integrate all of the above. There were also more drastic design changes: CSM can now collect and report on syslog messages, and it can not only deploy to multiple devices but also import them into the CSM database, among other things. None of these features were supported in the 3.x CSM versions. CSM 4.0 is the version that moved the product into a new era that goes beyond management alone. It introduces syslog message monitoring and reporting, and we can say it is on its way to becoming the complete security management and monitoring platform for Cisco security features and devices. More functionality is in the pipeline...

CSM 4.0 / 4.0.1

The Release Notes that include the requirements and the new functionality introduced in CSM 4.0 are:

- CSM 4.0

- CSM 4.0.1

New Features

CSM 4.0 and 4.0.1 introduce a number of new features that did not exist in previous versions. They are presented here:

  • Event Viewer / Syslogs

Probably the most drastic and useful change is that CSM can now collect syslogs, and the GUI gives the user the ability to query and filter these logs. This functionality requires the security device to send its logs to the CSM server. The feature is equivalent to logging and syslog filtering in ASDM for ASAs/FWSMs, but with more capabilities. The tool used in CSM to view and filter events is called the Event Viewer.

[Figure: Launching the Event Viewer]

[Figure: The Event Viewer]

  • Event to Policy correlations

CSM can now drill down into an alert (firewall or IPS) and identify the policy that triggered it.

[Figure: Identifying which policy an alert was triggered from]

  • Out of Band Change check

CSM can now detect Out of Band (OOB) changes. Out of Band changes are CLI changes made on a managed device outside of CSM, i.e. after the last discovery, deployment or rollback. Hence the Out of Band difference is always calculated between the last live-discovered or deployed/rolled-back configuration stored in CSM (in the Configuration Archive) and the current configuration on the device. Prior to CSM 4.0, Out of Band change detection only happened during deployment, before the changes were pushed to the device. If Out of Band changes were detected, the deployment proceeded or failed according to the administration setting, which allowed the options Warn, Cancel and Skip. In 4.0 the user can run the OOB tool to check for OOB changes on any device at any time.

[Figure: OOB detection screen]
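To make the OOB check concrete, here is an added Python example (not CSM code) that models it: it diffs the configuration last stored in the Configuration Archive against the configuration now running on the device and then applies the administration setting. Both configurations are constructed samples, and the mapping of Warn/Cancel/Skip to "proceed with a warning", "cancel the job" and "skip this device" is an assumed reading of the settings described above.

```python
import difflib

# Constructed sample: the configuration CSM last discovered or deployed
# (what it believes is on the device) ...
ARCHIVED_CONFIG = """\
hostname ASA-EDGE
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended deny ip any any
logging enable
logging host inside 10.0.0.50
"""

# ... and the configuration currently on the device, after someone edited
# it from the CLI: one ACL entry was added and the syslog host was removed.
DEVICE_CONFIG = """\
hostname ASA-EDGE
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 22
access-list OUTSIDE_IN extended deny ip any any
logging enable
"""


def oob_changes(archived: str, current: str) -> list:
    """Return the CLI lines that differ between the archived and the live
    configuration. A '+' prefix marks a line that exists only on the device
    (added out of band); a '-' prefix marks a line removed from the device."""
    diff = difflib.unified_diff(archived.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    # Drop the '---'/'+++' file headers and '@@' hunk markers, keep changes.
    return [line for line in diff
            if line[:1] in ("+", "-") and not line.startswith(("+++", "---"))]


def deployment_decision(changes: list, setting: str) -> str:
    """Apply the administration setting to the OOB result (assumed mapping):
    Warn -> deploy anyway, Cancel -> abort the job, Skip -> leave this device
    out of the job. With no OOB changes the deployment always proceeds."""
    if not changes:
        return "proceed"
    return {"Warn": "proceed", "Cancel": "cancel", "Skip": "skip"}[setting]


if __name__ == "__main__":
    found = oob_changes(ARCHIVED_CONFIG, DEVICE_CONFIG)
    for line in found:
        print(line)
    print("decision with setting Warn:", deployment_decision(found, "Warn"))
```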

  • Delete/Discover multiple devices

You can now choose and delete multiple devices from CSM's Device View, whereas in previous CSM versions you had to do it one at a time, which could become a cumbersome task if you needed to remove many devices at once. Likewise, you can discover multiple devices at once from Device View or from the menu bar via Policy > Discover Policies on Device.

  • Licensing

Users will need new licenses for CSM 4.0, irrespective of whether they have a valid license for any of the older CSM 3.x releases. Existing CSM 3.x licenses are no longer valid in CSM 4.0.

Enhancements

The enhancements and improvements introduced are:

  • 64-bit support

Some key CSM processes can now run as 64-bit processes on Windows 2008, which increases the memory space available to them and improves performance.

  • Selective Policy Management

In previous releases, you could select which types of policy to manage on Cisco IOS routers. You can now also select which policies to manage on ASA, PIX, and FWSM firewall devices.

[Figure: Selective Policy Management for each device under Tools > Security Manager Administration > Policy Management]

  • Packet Tracer support (ASA)

Packet Tracer is an ASA feature that shows how a packet would be processed when it hits the firewall. This feature can now be used from within CSM.

[Figure: Packet Tracer tool]

  • IPS signature tuning

If you modify a signature policy that has more than one tuning context, Security Manager can now copy the policy to the other contexts when appropriate and with your permission.

More supported devices

CSM 4.0 and 4.0.1 support a number of new devices and software versions.

4.0

  • ASA 8.3
  • FWSM 4.1(1), 4.0(7-11), 3.1(16, 17), 3.2(14-17)
  • 1002 Fixed Router model of the Cisco ASR 1000 Series Aggregation Services Routers.
  • ASR Version 2.4 software
  • Support for shared port adapters (SPAs) in Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Secure Access Control Server (ACS) 4.2

4.0.1

The changes between 4.0 and 4.0.1 are minor and mainly consist of newly supported versions and devices:

  • 8.2(3) on the ASA 5585-X platform
  • Cisco 3800 Series Integrated Services Routers: 3825 NOVPN, 3845 NOVPN
  • Cisco 3925E, 3945E
  • Cisco IOS Software release 15.1(1)T
  • Cisco ASA 5585 IPS Security Services Processor
  • Cisco IOS XE Software releases 2.5 and 2.6.
10 Comments

Can anyone let me know -

i) I can't see my firewall report in reporter, whether I can see the IPS.

Regards

Russell

Cisco Employee

Hi Russell,

Are you sending syslogs from the firewall? For example can you see firewall events from it?

CSM needs to see the logs in order to provide reports.

Rgs,

PK

Hi PK,

I can't see the event log as well in event viewer. It is showing in my map, ports, access list.

One more thing, how can I schedule a backup for the logs of the ASA & IPS?

Rgs

Russell

Hi PK,

I can't see the event log of the FW in event viewer. I can see the port, access list etc.

Regards

Russell

Cisco Employee

You need to set up the firewall to send logs for the event viewer as explained here: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.1/user/guide/evntchap.html#wp416834

If this doesn't work, please ask in the Security > Network Management community forum and they should be able to help you further.

Rgs,

PK

Beginner

Hello... I am trying to add a pix firewall into the CSM server but I am getting an error saying "The Security Manager server and device could not negotiate the security level. Please generate a new certificate on the device and retry the operation." Not sure how to resolve this issue.

Cisco Employee

Hi Eric,

It is probably because your self-signed cert on the PIX has expired. You can try to generate a new one on the PIX and see if CSM can import it.

Also, you can ask such questions in the Security > Network Management forum.

I hope it helps,

PK

Beginner

Thank you very much PK for the very prompt response.

Will try to look into this.

Enthusiast

Do you have any information about support of ASR1001?

Beginner

Hello,

Please suggest whether CSM alerts on/allows import of duplicate object groups while adding firewalls.

This scenario crops up when multiple firewalls (mutually independent) that use the same set of network/port objects need to be integrated into CSM.

Is there a way to detect duplicate objects/groups...