Policy Monitor Settings

This chapter discusses the initial configuration of server settings for the Policy Monitor Point. In this chapter you will find the following topics:

The Policy Monitor Point
Task List for the Policy Monitor Panel

The Policy Monitor Point

From the Policy Monitor panel, you control the basic Policy Monitor Point functions: the connection settings, how long audit events of each type are retained, and how large the Policy Database can grow before the oldest audit records are either deleted permanently or archived to an external database and then deleted from the Policy Database. You can specify that audit records be removed on the basis of their type and age, or on the basis of the maximum size of the database. You can also specify the account information and data source name of the ODBC-compliant database that receives the audit records purged from the Policy Database, and you can configure the Policy Monitor Point to duplicate the syslog data streams that it receives and redirect them to a non-standard UDP port on the same primary or secondary server, for example for a syslog server that runs alongside it.

Learn More About Policy Monitor Point

Within Cisco Secure Policy Manager, the Policy Monitor Point plays an important role. It collects the audit event streams from one or more Policy Enforcement Points and combines them into audit records that can be further refined into more meaningful data. The Policy Monitor Point provides this data to the Policy Report Point for administrative reports about network activity. It also combines audit events generated by Cisco Secure Policy Manager components running on primary and secondary servers, which provide status about the security system itself.

When the Policy Monitor Point monitors the data streams generated by a Policy Enforcement Point, such as a PIX Firewall or an IOS router, it treats session data and warning events differently. It categorizes both, but it combines only the session data into higher-level audit records: it analyzes the session data streams and maps them into new composite records, continuing to track each session and to record statistics about it. Cisco Secure Policy Manager does not retain the actual syslog messages for sessions; it keeps only the composite views derived from them. For warning records, it retains the actual syslog message but does not analyze the data stream further. To present a summary of the warning data streams to an administrator, the Policy Report Point analyzes the detailed warning audit event data and generates an event summary report from that analysis. This distinction matters if you need the original session messages for an investigation: they cannot be recovered from the Policy Database, so feed a separate syslog server with the redirect feature described later in this chapter if you need them.
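The following Python model shows the processing described above: warning events are kept verbatim, session events are folded into composite records with statistics and their raw text discarded, and, when a redirect port is set, every received datagram is duplicated before any parsing. This is an added example, not Cisco Secure Policy Manager code. The sample datagrams are constructed to resemble PIX-style syslog; the message IDs treated as session events and the field layout are assumptions made for illustration, not a reference for the real PIX message catalog.

```python
"""Model of how a Policy Monitor Point handles the syslog streams it receives.

Added example, not Cisco Secure Policy Manager code. The datagrams in
SAMPLE_DATAGRAMS are CONSTRUCTED to resemble PIX-style syslog; the message IDs
treated as session events and the field layout are assumptions for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed wire format: "<PRI>%PIX-<severity>-<msgid>: <text>".
SYSLOG_RE = re.compile(r"^<\d+>%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
SESSION_MSGIDS = {"302001", "302002"}   # assumed: TCP connection built / torn down
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) for faddr "
    r"(?P<faddr>[\d.]+)/\d+ .* laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) .* duration [\d:]+ bytes (?P<bytes>\d+)")


@dataclass
class SessionSummary:
    """Composite record derived from session events. The raw syslog text is not kept."""
    conn_id: str
    direction: str
    faddr: str
    laddr: str
    lport: int
    bytes: int = 0
    closed: bool = False


@dataclass
class WarningEvent:
    """Warning audit record. The original syslog message is retained verbatim."""
    severity: int
    msgid: str
    raw: str


class PolicyMonitorPoint:
    def __init__(self, redirect_port=0):
        self.redirect_port = redirect_port   # 0 = do not publish duplicates
        self.redirected = []                 # (port, datagram) copies that would be sent
        self.sessions = {}                   # conn_id -> SessionSummary
        self.warnings = []
        self.unparsed = 0

    def receive(self, datagram: bytes) -> None:
        # Duplication happens before parsing, so a local syslog server sees every datagram.
        if self.redirect_port:
            self.redirected.append((self.redirect_port, datagram))
        m = SYSLOG_RE.match(datagram.decode("ascii", errors="replace"))
        if not m:
            self.unparsed += 1
            return
        if m["msgid"] in SESSION_MSGIDS:
            self._session_event(m["text"])
        else:
            self.warnings.append(WarningEvent(int(m["sev"]), m["msgid"], m.group(0)))

    def _session_event(self, text: str) -> None:
        built = BUILT_RE.search(text)
        if built:
            self.sessions[built["conn"]] = SessionSummary(
                built["conn"], built["dir"], built["faddr"], built["laddr"], int(built["lport"]))
            return
        down = TEARDOWN_RE.search(text)
        if down and down["conn"] in self.sessions:
            self.sessions[down["conn"]].bytes = int(down["bytes"])
            self.sessions[down["conn"]].closed = True
        else:
            self.unparsed += 1   # teardown for a session that was never seen being built

    def service_totals(self) -> Counter:
        """Statistics per protected service: sessions seen per (laddr, lport)."""
        return Counter((s.laddr, s.lport) for s in self.sessions.values())


# Constructed sample stream (not real device output).
SAMPLE_DATAGRAMS = [
    b"<166>%PIX-6-302001: Built inbound TCP connection 4711 for faddr 203.0.113.5/40321 "
    b"gaddr 198.51.100.2/80 laddr 10.0.0.20/80",
    b"<166>%PIX-6-302001: Built inbound TCP connection 4712 for faddr 203.0.113.5/40322 "
    b"gaddr 198.51.100.2/80 laddr 10.0.0.20/80",
    b"<166>%PIX-6-302002: Teardown TCP connection 4711 faddr 203.0.113.5/40321 "
    b"gaddr 198.51.100.2/80 laddr 10.0.0.20/80 duration 0:00:03 bytes 1532",
    b"<164>%PIX-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:10.0.0.20/23 "
    b"by access-group \"acl_out\"",
    b"<163>%PIX-3-201008: The PIX is disallowing new connections.",
    b"garbage that is not a syslog message",
]


def run_sample(redirect_port=5140) -> PolicyMonitorPoint:
    """Feed the constructed stream through a PMP with an (assumed) redirect port."""
    pmp = PolicyMonitorPoint(redirect_port)
    for d in SAMPLE_DATAGRAMS:
        pmp.receive(d)
    return pmp
```

After `run_sample()` the two Built messages become two `SessionSummary` records (one closed with 1532 bytes, one still open), the Deny and "disallowing new connections" lines are kept verbatim as warnings, the non-syslog line is counted as unparsed, and all six datagrams, parsable or not, are duplicated to the redirect port.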

The Policy Monitor panel organizes the configuration settings for the Policy Monitor Point. Each primary or secondary server in the Cisco Secure Policy Manager system has a Policy Monitor Point and either a Primary or Secondary Policy Database. The update agent, which is a component of all secondary servers, replicates summary audit event data from Secondary Policy Database servers to the Primary Policy Database server. In addition, the update agent on a secondary server retrieves configuration data from the Primary Policy Database server. Because the secondary servers record the audit events generated by a Policy Enforcement Point and summary data is pushed up to the Primary Policy Database server, both the primary and secondary servers are subject to the mass storage constraints of the computers on which they are running.

Depending on which custom network services you use on your network, you may need to modify the UDP port that Policy Enforcement Points use to deliver data streams to the Policy Monitor Point. When you define this network service or modify the provided service definition, you must verify that you have selected that network service as the Associated Network Service in the Policy Monitor panel. By default, this network service is Cisco Policy Monitor, and it is defined as UDP port 514, the standard syslog port.

Understanding When Deployment Affects How You Apply Network Policy

When you install your Policy Monitor Point, two possible scenarios exist that affect how you must apply network policy:

Clarification: If Policy Enforcement Point A is positioned between the Primary Policy Database and a Policy Monitor Point (on a secondary server) that monitors the audit streams of Policy Enforcement Point B, you must define a network policy that permits the update agent traffic from that secondary server to pass across Policy Enforcement Point A to reach the primary server. You do not have to permit the syslog traffic to traverse Policy Enforcement Point A, because the syslog stream from Policy Enforcement Point B terminates at the Policy Monitor Point on the secondary server; only the update agent traffic crosses Policy Enforcement Point A. The update agent uses the Cisco Policy Database network service for its communications, so the policy applied to Policy Enforcement Point A must permit that service between the secondary server and the primary server.

Task List for the Policy Monitor Panel

This chapter describes the following tasks related to the Policy Monitor panel. For step-by-step procedures on performing a specific task, refer to the corresponding task topic:

Archiving or Deleting Audit Records
Modifying the IP Address Setting
Modifying the UDP Port Used by the Policy Monitor Point
Selecting the Associated Network Service
Defining an ODBC Driver and Data Source Name
Configuring to Archive to an ODBC Data Source
Redirecting Policy Monitor Point to Publish Syslog Messages

Archiving or Deleting Audit Records

You can specify how large the Policy Database can grow before the oldest audit records are either automatically deleted permanently or archived to an ODBC-compliant database and deleted. You can specify the rules that determine when these actions will take place on the basis of a period of time or the maximum size of the Policy Database. You can also identify the ODBC-compliant database and account information used to store the audit records that are archived.

To define event archival and deletion settings for the Policy Database, perform the following task:


Step 1 To find the primary or secondary server that is running the Policy Monitor Point for which you want to modify the values for purging audit records, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 3 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.


Step 4 To specify the number of days that you want to maintain warning audit event records before they are purged from the Policy Database, type that number in the Warning Events box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 5 To specify the number of days that you want to maintain composite audit records that summarize warning event activities before they are purged from the Policy Database, type that number in the Warning Summaries box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 6 To specify the number of days that you want to maintain detailed session audit event records before they are purged from the Policy Database, type that number in the Session Events box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 7 To specify the number of days that you want to maintain composite audit records that summarize network session activity before they are purged from the Policy Database, type that number in the Session Summaries box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 8 To specify the maximum size that you want to allow for the Policy Database before the oldest audit records are automatically purged, type that value in the Limit database size to box under Event Database.

The value that you enter represents the maximum number of megabytes (MB) of disk space that can be consumed by the Policy Database before audit records are purged.

Step 9 To specify how often the Policy Database should be examined for old audit records, type the number of minutes that should pass before the Policy Database is examined in the Examine database age/size every box under Event Database.

The Policy Database is examined to determine whether it contains audit records that are older than the values specified in Steps 4 through 7 or it has exceeded the maximum size value specified in Step 8. The optimal value for this field is dependent on the number of audit records being generated and the amount of disk space that can temporarily be used by the Policy Database.

Step 10 To accept your changes and close the Policy Monitor panel, click OK.

Step 11 To save any changes that you have made, click Save on the File menu.


 

Modifying the IP Address Setting

You can specify the IP address that clients, such as Policy Enforcement Points submitting audit event streams, use to contact the Policy Monitor Point. This feature is useful if you are interested in separating the Cisco Secure Policy Manager services onto different IP addresses so that you can monitor network sessions across Policy Enforcement Points to these services. By assigning separate IP addresses, you can study network sessions to the Policy Monitor Point that occur across a Policy Enforcement Point and develop custom reports that summarize this activity. This feature is also useful if you have multiple IP addresses assigned to the host, but you only have a DNS entry defined for one of the IP addresses.

To modify the IP address used to connect to the Policy Monitor Point, perform the following task:


Step 1 To find the primary or secondary server for which you want to modify the IP address that clients use to connect to the Policy Monitor Point that resides on that server, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 3 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.


Step 4 To change the IP address that clients will use to contact the Policy Monitor Point running on this computer, click the new IP address in the IP Address list under General Settings.

The IP addresses available are those defined for this Primary or Secondary Server node. They are defined in the IP Addresses box in the General panel of the selected Primary or Secondary Server node. By default, the Policy Monitor Point uses the first IP address in the IP Addresses box. If you move the Policy Monitor Point to a different address, verify that the policies applied to intervening Policy Enforcement Points permit the Policy Monitor Point traffic to that address.

Step 5 To accept your changes and close the Policy Monitor panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.


 

Modifying the UDP Port Used by the Policy Monitor Point

You can specify a custom UDP port on which the Policy Monitor Point listens for audit streams from the Policy Enforcement Points. This feature is useful if you already have a network service that listens on the default UDP port used by the Policy Monitor Point, which is UDP port 514. To modify the UDP port for the Policy Monitor Point, you must modify the provided network service definition (the Cisco Policy Monitor definition under the Network Services branch of the Tools and Services tree) or define a custom network service. To make the Policy Monitor Point consistent with your new port settings, you must then select that network service in the Policy Monitor panel. This modification ensures that any security policies that you have applied that permit Policy Monitor Point network traffic will continue to operate correctly after you have modified the port value.


Note By changing the Cisco Policy Monitor definition rather than defining a new network service, you can ensure that any applied security policies that permit Policy Monitor Point communications across a Policy Enforcement Point will be updated automatically.

To modify the UDP port used to connect to the Policy Monitor Point, perform the following task:


Step 1 To find the network service for which you want to change the UDP port value, expand the Tools and Services tree, the Network Services branch, and the Cisco Policy Monitor network service.

Step 2 To configure the UDP transport layer of the network service definition, right-click the Cisco Policy Monitor icon in the Navigator pane, and click Properties on the shortcut menu.

Result: The UDP panel appears in the View pane. You can make any changes directly in this panel.

Step 3 To change the UDP port value used by the Cisco Policy Monitor network service, type that new port number in the Port box under Instance Settings.

If you change this port setting from the default value of 514, the Policy Monitor Point automatically detects the change; you will not need to reboot the server for the change to take effect.

Step 4 To accept your changes and close the UDP panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.


 

Selecting the Associated Network Service

From the Policy Monitor panel, you can specify the network service that is associated with the Policy Monitor Point. This network service identifies the UDP port on which the Policy Monitor Point listens for audit streams from remote Policy Enforcement Points. When you specify a network service that uses a different UDP port value than the network service that is currently associated with the Policy Monitor Point, the Policy Monitor Point stops listening to the old port number and starts listening on the new port.


Note Changing the UDP port can result in the loss of data and state. Therefore, any Cisco Secure Policy Manager components that are requesting services at the time you change the port number must reissue their requests once the process starts listening on the new port. Such changes cancel the existing sessions.

To select the network service definition used to connect to the Policy Monitor Point, perform the following task:


Step 1 To find the primary or secondary server for which you want to select the associated network service, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 3 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.


Step 4 To select the network service definition used by the Policy Monitor Point running on this host, click that network service in the Associated Network Service box under General Settings.

This network service must be defined under the Network Services branch of the Tools and Services tree. By default, the Policy Monitor Point uses the Cisco Policy Monitor network service, which specifies UDP port 514, to conduct communications. If you change this port setting from the default value of 514, the Policy Monitor Point automatically detects the change; you will not need to reboot the server for the change to take effect.


Caution If you change the network service name from Cisco Policy Monitor, any security policies that you have applied that permit this service to pass through Policy Enforcement Points will need to be updated manually.

Step 5 To accept your changes and close the Policy Monitor panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.
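The Note and Caution above come down to one property: Policy Enforcement Point rules refer to a network service by name and are resolved to a protocol and port when policy is applied, while the Policy Monitor Point listens on the port of whichever service is its Associated Network Service. The following Python model, an added example and not Cisco Secure Policy Manager code, walks both paths for a change from UDP 514 to UDP 5514 and includes a check that reports the permit rules that no longer match the listening port. The data model (a service table keyed by name, rules that name a service, a default-deny enforcement point), the host names and the rule name are assumptions made for illustration.

```python
"""Service-by-name resolution in Policy Enforcement Point rules versus the port the
Policy Monitor Point listens on.

Added example, not Cisco Secure Policy Manager code. The data model, host names
and rule names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class NetworkService:
    name: str
    proto: str
    port: int


@dataclass
class Rule:
    name: str
    src: str        # host name or "any"
    dst: str
    service: str    # referenced by NAME, not by port
    action: str     # "permit" or "deny"


class PolicyMonitorPoint:
    def __init__(self, services: dict, associated="Cisco Policy Monitor"):
        self.services = services
        self.associated = associated   # the Associated Network Service setting

    @property
    def listen(self) -> tuple:
        """(proto, port) the PMP actually binds, read from the associated service."""
        svc = self.services[self.associated]
        return svc.proto, svc.port


def compile_rules(services: dict, rules: list) -> list:
    """Resolve service names to (proto, port) at the moment policy is applied."""
    return [(r.name, r.src, r.dst, services[r.service].proto, services[r.service].port, r.action)
            for r in rules]


def check_flow(compiled: list, src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; a PEP with no matching rule denies (assumption)."""
    for _, rsrc, rdst, rproto, rport, action in compiled:
        if rsrc in ("any", src) and rdst in ("any", dst) and (rproto, rport) == (proto, port):
            return action
    return "deny"


def coverage_gaps(services: dict, rules: list, pmp_host: str, pmp: PolicyMonitorPoint) -> list:
    """Names of permit rules aimed at the PMP host whose resolved port no longer matches
    the port the PMP listens on: exactly the rules that need manual updating."""
    return [name for name, _, dst, proto, port, action in compile_rules(services, rules)
            if action == "permit" and dst == pmp_host and (proto, port) != pmp.listen]


def build_sample():
    """Assumed topology: PIX 'pix-1' sends syslog to the PMP on 'secondary-1'."""
    services = {"Cisco Policy Monitor": NetworkService("Cisco Policy Monitor", "udp", 514)}
    rules = [Rule("permit-syslog-to-pmp", "pix-1", "secondary-1", "Cisco Policy Monitor", "permit")]
    return services, rules, PolicyMonitorPoint(services)


def scenario_edit_definition() -> dict:
    """Recommended path (the Note): change the port inside the existing definition."""
    services, rules, pmp = build_sample()
    services["Cisco Policy Monitor"].port = 5514
    c = compile_rules(services, rules)
    return {"listen": pmp.listen,
            "syslog_5514": check_flow(c, "pix-1", "secondary-1", "udp", 5514),
            "gaps": coverage_gaps(services, rules, "secondary-1", pmp)}


def scenario_new_service() -> dict:
    """Alternative path (the Caution): define a new service and associate the PMP with it."""
    services, rules, pmp = build_sample()
    services["Custom Policy Monitor"] = NetworkService("Custom Policy Monitor", "udp", 5514)
    pmp.associated = "Custom Policy Monitor"
    c = compile_rules(services, rules)
    return {"listen": pmp.listen,
            "syslog_5514": check_flow(c, "pix-1", "secondary-1", "udp", 5514),
            "syslog_514": check_flow(c, "pix-1", "secondary-1", "udp", 514),
            "gaps": coverage_gaps(services, rules, "secondary-1", pmp)}
```

In the first scenario the rule follows the definition, so syslog to UDP 5514 is permitted and `coverage_gaps` is empty. In the second, the Policy Monitor Point listens on 5514 but the applied rule still resolves to 514: the audit stream is dropped at the enforcement point, and the old permit for 514 is now a hole that serves nothing. Run `coverage_gaps` (or the equivalent review of your applied policies) after any port or service change.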


 

Defining an ODBC Driver and Data Source Name

The Policy Monitor Point can archive session data from the Policy Database to an ODBC-compliant database through the Microsoft ODBC API. To configure the Policy Monitor Point to archive session data, you must install an ODBC driver and configure the Policy Database to write data to that driver. For instructions on configuring the Policy Database to write to an ODBC driver, refer to Configuring to Archive to an ODBC Data Source.

To install an ODBC driver and specify the data source path, perform the following task:


Step 1 Click Start on the Microsoft Windows task bar, point to Settings, and then click Control Panel.

Result: Control Panel appears.

Step 2 In Control Panel, double-click the ODBC icon.

Result: The ODBC Data Source Administrator dialog box appears.

Step 3 To add a new data source, click Add on either the User DSN or the System DSN tab.

Result: The Create New Data Source dialog box appears.

A User DSN is visible only to the Windows user who created it on the local host. A System DSN is visible to all users on the local host and to NT services. If the Policy Monitor Point runs as a service rather than under the interactive account that defined the DSN, it cannot see a User DSN, so define a System DSN in that case.

Step 4 Under Name, select the database type that you want to use to create the data source that the Policy Monitor Point will use to archive session records.

Step 5 To create the new data source, click Finish.

Result: The ODBC Setup dialog box appears for the database type you selected.

Step 6 To name this data source, type the name that you want to use to identify this data source in the Data Source Name box, and press Tab.

Step 7 To provide a description of this data source (if desired), type a description in the Description box, and press Tab.

Step 8 Depending on the type of driver that you selected, complete the remaining fields in this dialog box, including the location of the database.

Step 9 To close the ODBC Setup dialog box, click OK when you complete all the fields.

Result: The ODBC Setup dialog box closes.

Step 10 To close the ODBC Data Source Administrator dialog box, click OK.

Result: The ODBC Data Source Administrator dialog box closes.

Once you define the driver and data source name, you must configure the Policy Database to write its session data to that new data source. To configure the Policy Monitor Point to write to an ODBC data source, refer to Configuring to Archive to an ODBC Data Source.

Step 11 To close Control Panel, click Close on the File menu.

Result: Control Panel closes.


 

Configuring to Archive to an ODBC Data Source

The Policy Monitor Point can archive session data from the Policy Database to an ODBC-compliant database through the Microsoft ODBC API. To configure the Policy Monitor Point to archive session data, you must install an ODBC driver and configure the Policy Database to write data to that driver. For instructions on defining an ODBC data source, refer to Defining an ODBC Driver and Data Source Name.

To configure the Policy Monitor Point to use a data source name for ODBC archival, perform the following task:


Step 1 To find the primary or secondary server for which you want to specify the ODBC archival settings, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 3 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.


Step 4 To archive data to an ODBC-compliant database, click Archive purged data under Event Archival (Requires ODBC).

Step 5 To identify the data source that will archive the Policy Database audit records, type the name of the data source previously defined in the Data Source Name box.

This information is available in ODBC Data Source Administrator in Control Panel. For instructions on defining a Data Source Name, refer to "Defining an ODBC Driver and Data Source Name."

Step 6 To specify the username of the account used to connect to the data source in which you want to archive audit records, type that username in the Username box.

Step 7 To authenticate the username, type the password that the data source uses to authenticate the specified username in the Password box.

Use an account that has only the privileges needed to insert archive records into the data source, not a database administrator account: the Policy Monitor Point uses these credentials unattended every time it purges records.

Step 8 To accept your changes and close the Policy Monitor panel, click OK.

Step 9 To save any changes that you have made, click Save on the File menu.
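The following Python model ties together the purge settings from "Archiving or Deleting Audit Records" and the archive setting configured above: one "Examine database age/size" cycle applies the per-type age rules (0 = retain indefinitely), then the size limit (oldest records first), and archives the selected records before deleting them so that a failed archive leaves the Policy Database untouched. This is an added example, not Cisco Secure Policy Manager code. sqlite3 stands in both for the Policy Database and for the ODBC data source (the product uses an ODBC driver and DSN, which is why this is an assumption), and the table layout, record sizes and the rule that the size limit purges the oldest records regardless of type are assumptions made for illustration.

```python
"""One "Examine database age/size" cycle of a Policy Monitor Point, modelled on sqlite3.

Added example, not Cisco Secure Policy Manager code. sqlite3 stands in for the Policy
Database and for the ODBC archive data source (assumption). Table layout, record sizes
and "size limit purges oldest first regardless of type" are assumptions.
"""
import sqlite3
from dataclasses import dataclass

EVENT_TYPES = ("warning_event", "warning_summary", "session_event", "session_summary")
SCHEMA = "(id INTEGER PRIMARY KEY, etype TEXT, age_days INTEGER, size_bytes INTEGER)"


@dataclass
class PurgeSettings:
    # Days to keep each record type; 0 means retain indefinitely, as in the panel.
    warning_event: int = 30
    warning_summary: int = 0
    session_event: int = 7
    session_summary: int = 90
    limit_mb: int = 1         # "Limit database size to" (MB); 0 = no size limit (assumption)
    archive: bool = True      # "Archive purged data (Requires ODBC)"


def open_policy_db(records) -> sqlite3.Connection:
    """In-memory stand-in for the Policy Database. age_days is stored directly to keep
    the example deterministic; a real store would keep timestamps."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit" + SCHEMA)
    db.executemany("INSERT INTO audit VALUES (?,?,?,?)", records)
    db.commit()
    return db


def open_archive_db(create_table=True) -> sqlite3.Connection:
    """Stand-in for the ODBC DSN. With create_table=False the archive target is broken."""
    db = sqlite3.connect(":memory:")
    if create_table:
        db.execute("CREATE TABLE audit_archive" + SCHEMA)
        db.commit()
    return db


def select_victims(policy, s: PurgeSettings) -> list:
    """Age rules per type first, then the size rule (oldest first, any type)."""
    victims = []
    for etype in EVENT_TYPES:
        days = getattr(s, etype)
        if days:   # 0 = never purge on age
            victims += [r[0] for r in policy.execute(
                "SELECT id FROM audit WHERE etype=? AND age_days>?", (etype, days))]
    if s.limit_mb:
        remaining = policy.execute("SELECT COALESCE(SUM(size_bytes),0) FROM audit").fetchone()[0]
        if victims:
            marks = ",".join("?" * len(victims))
            remaining -= policy.execute(
                "SELECT SUM(size_bytes) FROM audit WHERE id IN (" + marks + ")", victims).fetchone()[0]
        limit = s.limit_mb * 1024 * 1024
        for rid, size in policy.execute("SELECT id, size_bytes FROM audit ORDER BY age_days DESC, id"):
            if remaining <= limit:
                break
            if rid not in victims:
                victims.append(rid)
                remaining -= size
    return victims


def examine(policy, archive, s: PurgeSettings) -> tuple:
    """Archive the victims atomically, then delete them. Returns (archived, deleted).
    If the archive insert fails, the exception propagates and nothing is deleted."""
    victims = select_victims(policy, s)
    if not victims:
        return 0, 0
    marks = ",".join("?" * len(victims))
    rows = policy.execute("SELECT id, etype, age_days, size_bytes FROM audit WHERE id IN ("
                          + marks + ")", victims).fetchall()
    archived = 0
    if s.archive:
        if archive is None:
            raise RuntimeError("Archive purged data is set but no data source is configured")
        with archive:   # one transaction: all rows land in the archive or none do
            archive.executemany("INSERT INTO audit_archive VALUES (?,?,?,?)", rows)
        archived = len(rows)
    with policy:
        policy.execute("DELETE FROM audit WHERE id IN (" + marks + ")", victims)
    return archived, len(rows)


# Constructed sample records: (id, type, age in days, size in bytes).
SAMPLE_RECORDS = [
    (1, "warning_event",    45, 100_000),   # older than 30 days: age purge
    (2, "warning_event",    10, 100_000),
    (3, "warning_summary", 400, 100_000),   # kept by age (0), but oldest for the size rule
    (4, "session_event",     8, 300_000),   # older than 7 days: age purge
    (5, "session_event",     3, 300_000),
    (6, "session_summary", 200, 200_000),   # older than 90 days: age purge
    (7, "session_summary",  20, 200_000),
    (8, "session_event",     1, 500_000),
]


def run_sample(fail_archive=False) -> dict:
    policy = open_policy_db(SAMPLE_RECORDS)
    archive = open_archive_db(create_table=not fail_archive)
    result = {"archived": 0, "deleted": 0, "error": None}
    try:
        result["archived"], result["deleted"] = examine(policy, archive, PurgeSettings())
    except sqlite3.Error as e:
        result["error"] = str(e)
    result["remaining_ids"] = [r[0] for r in policy.execute("SELECT id FROM audit ORDER BY id")]
    result["remaining_bytes"] = policy.execute("SELECT COALESCE(SUM(size_bytes),0) FROM audit").fetchone()[0]
    result["archive_ids"] = [] if fail_archive else [
        r[0] for r in archive.execute("SELECT id FROM audit_archive ORDER BY id")]
    return result
```

With the default settings the age rules select records 1, 4 and 6, which still leaves 1,200,000 bytes against a 1 MB limit, so the size rule also takes the two oldest remaining records (3 and 7) even though record 3 is a warning summary set to retain indefinitely. Two practical consequences follow: a size limit overrides a 0 (retain) setting, so size the Policy Database for the retention you actually want; and with `fail_archive=True` the insert into the archive fails and every record stays in the Policy Database, which is the ordering you want from any archive-then-purge process.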


 

Redirecting Policy Monitor Point to Publish Syslog Messages

You can specify that you want the Policy Monitor Point to duplicate the syslog data packets that it receives from the Policy Enforcement Points that it monitors. This feature enables both the Policy Monitor Point and a third-party syslog server to study the syslog data streams even though both the Policy Monitor Point and the syslog server reside on the same primary or secondary server. This feature is useful if you use a centralized syslog system to track application and network activity.

To specify that you want the Policy Monitor Point to duplicate and direct syslog messages, perform the following task:


Step 1 To find the primary or secondary server that is running the Policy Monitor Point for which you want to duplicate and redirect syslog messages, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 2 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 3 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.


Step 4 To specify that you want the syslog messages duplicated and redirected to a specific UDP port on the selected server, type the number of that UDP port in the Redirect Port box under Other.

To specify that you do not want to generate and publish syslog messages, type 0 (zero) in this box. Otherwise, specify the UDP port that the syslog server running on this primary or secondary server listens to for syslog data streams. You must configure a syslog server separately to monitor this event stream. For more information on defining a syslog server, refer to the Cisco Secure Policy Manager Administrator's Guide: Network Topology Definition.

Step 5 To accept your changes and close the Policy Monitor panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.


 


Posted: Tue May 30 08:29:26 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.