Cisco Security Manager (CSM)

To use a Cisco CSM management station, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (UI location of fields, not information needed), please consult your device's user guide.

  1. Add an administrator user account. Write down the user name and password. You will need this information for a later step in the Administration module.
    1. Log on to the CSM.
    2. Click Tools > Security Manager Administration > Server Security > Local User Setup.
    3. Click Add.
    4. Complete the User Login Details section.
    5. For an Authorization Type, select Enable Task Authorization, and then select Super Admin from the Roles list.
    6. Click OK.
  2. If you will use Change Monitoring, you'll need to create a secondary user account.
    1. Repeat the steps used in creating the admin account.
    2. For an Authorization Type, select Enable Task Authorization and then select Help Desk.
    3. Click OK.
  3. Verify that you have a CSMPRO and L-CSMPR-API license, which allows the API to work (this will not work with a CSM Standard license). To verify this, in the CSM, click Tools > Security Manager Administration > Licensing. In the License Information section, you should see Security Manager Professional listed as the Edition.
  4. To enable the API, click Tools > Security Manager Administration > API, and select the Enable API Service check box.

Ensure that you are not using a non-standard port for CSM. CSM API requires using the standard TCP port 443.

  5. To establish device communication, click Tools > Security Manager Administration > Device Communication, and select Connect to Device Using Security Manager Device Credentials.
  6. To set device credentials, right-click on a device name, click Device Properties > Credentials. In the HTTP Credentials section, select the Use Primary Credentials check box, and then click Save.

You will need to manually set every ASA firewall managed by CSM to use primary credentials.

  7. Click Save.

Caution! If you are running CSM 4.8 or 4.8sp1 and have context-enabled firewalls installed, you will experience an API-related error when Security Manager attempts to connect to CSM, causing a discovery/retrieval failure. When managed context-enabled firewalls exist, the API calls made during discovery result in a 404 response. This issue appears to occur only if you manage context-enabled Cisco firewalls. CSM 4.9 has been tested and does not exhibit this behavior.

To prevent API errors, ensure that the CSM does not have dummy or detached firewalls.

Step 2: Onboard the Device in the Administration Module

  1. On the toolbar, click Device > Management Stations.
  2. Click Create, and then click Cisco > Security Manager (CSM).
  3. General Properties section.
    1. In the Name box, type the name of the device as you want to see it in SIP.
    2. In the Description box, type an optional description of the device being added.
    3. In the Management IP Address box, type the IP address of the device.
    4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
    5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

    6. In the Syslog Match Names box, type the syslog match names (optional). You can enter multiple names separated by a comma.
    7. By default, the Automatically Retrieve Configuration check box is selected.
    8. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  4. For Collection Configuration, enable Update Rule Documentation on Member Devices to allow Rule Documentation fields on member devices to inherit a value from the management station. Any management station's Rule Documentation field updates will override updates on the member device. A rule marked to be removed will not be updated.
  5. Device Settings section.

Credentials

  1. In the User Name box, type the user name used for the administrator account.
  2. In the Password box, type the password used for the administrator account.
  3. In the Re-enter Password box, retype the password entered above.

Retrieval

  • By default, the Port for retrieval is 443.
  • Select the Retrieve Local Child Policies check box to enable retrieving any local child policies.
  6. Monitoring section.

Change Monitoring

    1. By default, the Enable Change Monitoring check box is selected. To disable this automatic function, clear the check box.
      • Enter an optional Alternate Syslog Source IP.
    2. Select the Perform Change Verification check box to allow the data collector to verify that there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last revision.
    3. In the Change Monitoring Username box, type the secondary user account user name.
    4. In the Change Monitoring Password box, type the secondary user account password.
    5. In the DC Host IP Address box, enter the IP address of the data collector the CSM should send syslog messages to.
  7. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time regardless of change detection. This will activate additional fields to complete.

  • Set the Scheduled Retrieval Time to fit your requirements.

  • Select the Scheduled Retrieval Time Zone from the list.

Check for Change Retrieval

Select the Enable Check for Change check box to check for configuration changes after the specified interval and perform a retrieval if changes are detected. This will activate an additional field to complete.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).

  8. Advanced section.
    • Select the Skip Route Normalization check box to prevent normalization of routes.
    • Select the Fail Retrieval on Stage Rules check box to fail child retrieval if there are staged rules that apply to them which are not committed.
  9. Click Save.
    Devices being managed will be listed in the Discovered Devices section.
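
The constraints stated in Steps 1 and 2 (Professional edition, API enabled, TCP port 443, the 4.8/4.8sp1 caution, primary credentials on every ASA, the 60-minute minimum interval, a separate Change Monitoring account, and the central syslog server rule) can be checked before onboarding. The following is an added example, not FireMon or Cisco code; the record field names and sample values are hypothetical.

```python
from ipaddress import ip_address

# Field names in `rec` are hypothetical; the rules come from this page.
AFFECTED = {"4.8", "4.8sp1"}  # versions named in the Caution
MIN_INTERVAL_MIN = 60         # minimum Check for Change interval

def lint_csm_onboarding(rec):
    """Return findings for one record; an empty list means it passes."""
    out = []
    if rec.get("edition") != "Security Manager Professional":
        out.append("license: API needs the Professional edition")
    if not rec.get("api_enabled", False):
        out.append("api: Enable API Service is not selected")
    if rec.get("port", 443) != 443:
        out.append("port: CSM API requires standard TCP port 443")
    if rec.get("version", "").lower() in AFFECTED and rec.get("context_firewalls"):
        out.append("version: context-enabled firewalls on 4.8/4.8sp1 cause 404s")
    for name in rec.get("asa_without_primary_creds", []):
        out.append(f"credentials: {name} does not use primary credentials")
    if rec.get("check_for_change") and rec.get("interval_min", 1440) < MIN_INTERVAL_MIN:
        out.append("interval: Check for Change minimum is 60 minutes")
    if rec.get("change_monitoring", True):  # enabled by default
        if not rec.get("cm_user"):
            out.append("monitoring: secondary account is missing")
        elif rec["cm_user"] == rec.get("admin_user"):
            out.append("monitoring: reuses the Super Admin account")
    try:
        mgmt = ip_address(rec["mgmt_ip"])
        src = ip_address(rec.get("syslog_source_ip") or rec["mgmt_ip"])
        if src != mgmt and not rec.get("central_syslog_server"):
            out.append("syslog: different source IP needs a central syslog server")
    except (KeyError, ValueError):
        out.append("address: management or syslog IP is missing or invalid")
    return out

# Constructed sample records (documentation address range, made-up names).
GOOD = {"edition": "Security Manager Professional", "api_enabled": True,
        "version": "4.9", "mgmt_ip": "192.0.2.10", "admin_user": "fm-admin",
        "cm_user": "fm-monitor", "check_for_change": True, "interval_min": 1440}
BAD = {"edition": "Security Manager Standard", "api_enabled": False, "port": 8443,
       "version": "4.8SP1", "context_firewalls": True, "interval_min": 30,
       "asa_without_primary_creds": ["asa-edge-1"], "mgmt_ip": "192.0.2.10",
       "syslog_source_ip": "192.0.2.20", "admin_user": "fm-admin",
       "cm_user": "fm-admin", "check_for_change": True}

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("bad", BAD)):
        print(label, lint_csm_onboarding(rec) or "OK")
```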