Configuring Device Lists
You can add devices to IME in the Device List pane and view important information about each device. This chapter describes the Device List pane and how to add devices. It contains the following sections:
•Device List Pane
•Device List Pane Field Definitions
•Add and Edit Device List Dialog Boxes Field Definitions
•Adding, Editing, and Deleting Devices
•Starting, Stopping, and Displaying Device, Event, Health, and Global Correlation Connection Status
•Using Tools for Devices
Device List Pane
IME manages up to ten Cisco IPS devices. The upper half of the Device List pane displays pertinent information about each device.
You can customize which columns you want to view and which you want to hide by clicking the column button in the far-right corner of the pane to bring up the Choose Columns to Display dialog box.
From this pane, you can add, edit, or delete a sensor in the device list. You can start and stop the health and events connections for a sensor and you can view the status of a sensor. You can also obtain information about the sensor by using tools such as ping, trace route, whois, and DNS lookup.
You can use the Add, Edit, Delete, Start, Stop, Status, and Tools buttons in the Device List table, or you can select the sensor in the table and use the right-click menu.
In the lower half of the Device List pane, the IME health monitoring center displays the details about the sensor you have selected in the upper half of the pane. The data displayed here match the information in the customizable dashboard gadgets.
The Device Details pane contains the following details about the selected sensor:
•Sensor Health—Sensor health and network security health information shown in graph form.
You can click Details next to the Sensor Health and Network Security graphs to obtain the specifics about the sensor health and network security health.
If you want to change the sensor health metrics, choose Details > Configure Sensor Health Metrics, and you are taken to Configuration > sensor_name > Sensor Management > Sensor Health, where you can reconfigure the health metrics.
If you want to change the threat thresholds, choose Details > Configure thresholds, and you are taken to Configuration > sensor_name > Policies > IPS Policies, where you can configure the threat thresholds.
If you want to reset the network security health, choose Details > Reset Health Status, and you are taken to Configuration > sensor_name > Sensor Monitoring > Properties > Reset Network Security Health, where you can reset the status and calculation of network security health.
•Sensor Information—Displays the host name, IPS version, whether the sensor is using inline bypass, the total sensing interfaces, the sensor IP address, the device type, the total memory, the total data storage, and the status of Analysis Engine.
•CPU, Memory, & Load—Displays the CPU, memory, and sensor load usage in graph form.
Click Details next to the Inspection Load graph to see a detailed description of how the inspection load is determined.
•Licensing—Displays all pertinent license, signature version, and signature engine version information.
•Interface Status—Displays the interface name, link status, whether it is enabled, the speed, the mode, and the received and transmitted packets.
•Global Correlation Health—Displays the configuration status of global correlation and network participation.
For More Information
•For the procedure for configuring sensor and network security health, see Configuring Sensor Health.
•For the procedure for changing threat thresholds, see Configuring Risk Category.
•For the procedure for resetting network security health, see Resetting Network Security Health.
•For more information about global correlation, see Chapter 13 "Configuring Global Correlation."
Device List Pane Field Definitions
The following fields are found in the Device List pane:
•Time—If there is a problem with the synchronization between your local system and a sensor that you have added, an icon appears in the time field. If the local system and the sensor are synchronized, the field is empty.
Note If the time is not synchronized between the sensor and the local system, you do not receive accurate monitoring and reporting.
•Device Name—Displays the name that you gave the sensor.
•IP Address—IP address of the sensor.
•Device Type—Displays the IPS model name.
•Event Status—Informs you that IME is connecting to the sensor to receive events.
•Sensor Health—Informs you whether the sensor health is normal or needs attention.
•Global Correlation Status—Informs you of the global correlation status of the sensor.
•Version—Displays the installed Cisco IPS software version.
•License Expiration—Informs you about how many days until the sensor license expires.
•Load—Displays the load percentage.
•Memory—Displays the memory percentage.
•CPU—Displays the percentage the CPU is using.
•Signature Version—Displays the current signature version.
For More Information
•For information about time and the sensor, see Configuring Time.
•For more information about sensor health metrics, see Configuring Sensor Health.
•For more information about global correlation, see Chapter 13 "Configuring Global Correlation."
•For more information about licensing the sensor, see Configuring Licensing.
•For the procedure for obtaining the latest IPS software, see Obtaining Cisco IPS Software.
Add and Edit Device List Dialog Boxes Field Definitions
•Sensor Name—Name of the sensor you are adding.
•Sensor IP Address—IP address of the sensor you are adding.
•Web Server Port—TCP port used by the Web Server.
The default is 443 for HTTP or HTTPS. You receive an error message if you enter a value out of the range of 1 to 65535.
•Communication Protocol—Enables TLS and SSL in the Web Server.
The default is Use encrypted connection (HTTPS). We strongly recommend that you use an encrypted connection.
•Authentication—Lets you specify separate credentials for configuration and event subscription.
–Configuration User Name—Name of user account allowed to configure this sensor.
–Configuration Password—Password of the user account allowed to configure this sensor.
–Use the Same Account for Configuration and Event Subscription (This is not recommended)—Lets you have the same account apply to users who can configure and monitor the sensor.
Caution
Using the same credentials for both configuration and event retrieval is not as secure as maintaining separate user accounts. We recommend that you maintain separate accounts and that the configuration username have an administrator user role and the event subscription username have a viewer user role.
–Event Subscription User Name—Name of user account allowed to view events on this sensor.
–Event Subscription Password—Password of the user account allowed to view events on this sensor.
•Event Start Time (UTC)—Lets you choose to have the most recent alerts retrieved or you can select the start date and time of alerts to retrieve.
•Exclude alerts of the following severity level(s)—Lets you choose to exclude security levels from retrieval. The default is for all security levels to be displayed.
For More Information
•For the procedure for recovering the IME password, see Creating and Changing the IME Password.
•For the procedure for adding users to IME, see Configuring Authentication and Users.
Adding, Editing, and Deleting Devices
To add, edit, and delete devices, follow these steps:
Step 1 Choose Home > Devices > Device List, and then click Add.
Step 2 Fill in the required fields in the Add Device dialog box:
a. Enter the sensor name and sensor IP address of the sensor you are adding.
b. To change the default web server port, enter a new port number.
c. Choose the communication protocol.
Note We strongly recommend that you use an encrypted connection.
d. Enter the username and password of the account that will configure this sensor.
e. Enter the username and password of the person who will monitor the event subscription for this sensor.
Caution
Using the same credentials for both configuration and event retrieval is not as secure as maintaining separate user accounts. We recommend that you maintain separate accounts and that the configuration username have an administrator user role and the event subscription username have a viewer user role.
f. Choose the event start time by either checking the Latest Alerts check box or entering a start date and time in the Start Date and Start Time fields.
g. Under Exclude alerts of the following severity level(s), check the check boxes of any levels you want to exclude.
The default is to have all the levels configured.
h. Click OK to add the sensor to the IME system.
Step 3 Click Yes to accept the certificate and continue the HTTPS connection with the sensor.
Note If you click No you reject the certificate and IME cannot connect to the sensor.
IME compares its own system time with the sensor time. If the two are more than five minutes apart, you receive a warning message. Make sure you synchronize the sensor with your system.
Caution
Having the correct time is important so that reports, historical events, and the top gadgets are accurate. If the time is not within the range of five minutes, an icon appears next to the device in the Device List pane.
Step 4 To edit a device, select it in the list, click Edit, make any changes needed, and then click OK.
Note You cannot change the Sensor Name because it is a key for the IME database.
Step 5 To delete a device, select it in the list, and then click Delete.
The device no longer appears in the Device List pane.
For More Information
For information on correcting time on the sensor, see Correcting Time on the Sensor.
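The constraints this procedure relies on (the ten-device limit, the 1 to 65535 port range, an encrypted connection, separate configuration and event subscription accounts with a viewer role for the latter, and the five-minute time window) can be checked against a planned device list before it is entered in IME. The following Python is an added example, not Cisco code and not an IME file format; the dictionary keys, finding codes, and sample sensors are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_DEVICES = 10                 # IME manages up to ten Cisco IPS devices
MAX_SKEW = timedelta(minutes=5)  # IME warns when clocks differ by more than this

def audit_device_list(devices, ime_time):
    """Return (sensor_name, finding_code) pairs for a planned device list."""
    findings, seen = [], set()
    if len(devices) > MAX_DEVICES:
        findings.append(("*", "TOO_MANY_DEVICES"))
    for d in devices:
        name = d["name"]
        if name in seen:  # the sensor name is the key in the IME database
            findings.append((name, "DUPLICATE_NAME"))
        seen.add(name)
        if not 1 <= d["port"] <= 65535:
            findings.append((name, "PORT_OUT_OF_RANGE"))
        if d["protocol"].lower() != "https":
            findings.append((name, "UNENCRYPTED"))
        if d["config_user"] == d["event_user"]:
            findings.append((name, "SHARED_ACCOUNT"))
        elif d["event_role"] != "viewer":
            findings.append((name, "EVENT_ROLE_NOT_VIEWER"))
        if abs(d["sensor_time"] - ime_time) > MAX_SKEW:
            findings.append((name, "CLOCK_SKEW"))
    return findings

# Constructed sample input: documentation-range addresses and invented names.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "edge-ips", "ip": "192.0.2.10", "port": 443, "protocol": "https",
     "config_user": "ime-admin", "event_user": "ime-viewer",
     "event_role": "viewer", "sensor_time": NOW + timedelta(seconds=40)},
    {"name": "lab-ips", "ip": "192.0.2.11", "port": 80, "protocol": "http",
     "config_user": "cisco", "event_user": "cisco",
     "event_role": "administrator", "sensor_time": NOW - timedelta(minutes=9)},
]

if __name__ == "__main__":
    for name, code in audit_device_list(SAMPLE, NOW):
        print(f"{name}: {code}")
```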
Starting, Stopping, and Displaying Device, Event, Health, and Global Correlation Connection Status
IME queries the sensor every 10 seconds to obtain health status information as long as you choose Start > Health Connection. IME pulls alerts from the sensor as long as you choose Start > Events Connection. IME sends and receives global correlation data as long as you choose Start > Global Correlation Connection.
There are some situations in which you might want to stop the sensor from polling events. For example, you can stop polling events from a specific sensor if you do not want its real-time events interfering when you are analyzing the events of another sensor. Then you can resume after the polling is done. Or you can stop polling health and security if you want to look at a snapshot of the status without the 10-second update.
To start, stop, and display event, health, and global correlation connection status, follow these steps:
Step 1 Select the sensor in the device list for which you want to start or stop event, health, or global correlation connection status.
Step 2 Choose Start or Stop > Health Connection or Events Connection or Global Correlation Connection.
The column now reads Connected or Not Connected.
Step 3 To display the connection status of IME to the sensor, the sensor version, and statistics information, select the sensor in the list, and then click Status.
The following IPS component statistics are displayed in the Device Status dialog box:
•Analysis Engine
•Anomaly Detection
•Event Store
•External Product Interface
•Global Correlation
•Host
•Interface
•Network Access
•Notification
•OS Identification
•SDEE Server
•Transaction Server
•Virtual Sensor
•Web Server
Step 4 To update the contents of the Device Status dialog box, click Refresh.
Step 5 To display details about a sensor, select it in the list, and then view the information displayed in the Device Details section of the pane.
To change the health metrics that you see in the Device Details pane, go to Configuration > sensor_name > Sensor Management > Sensor Health. To change the global correlation metrics that you see in the Device Details pane, go to Configuration > sensor_name > Policies > Global Correlation.
For More Information
•For more information about sensor health metrics, see Configuring Sensor Health.
•For more information about global correlation, see Chapter 13 "Configuring Global Correlation."
Using Tools for Devices
You can use ping to diagnose basic network connectivity. Ping is a simple way to check if a sensor can communicate back. You can use traceroute to display the route an IP packet takes to a destination. You can use whois to determine the owner of a domain name or an IP address. You can use DNS lookup to translate host names to IP addresses, rather like a phone book.
To use tools for devices, follow these steps:
Step 1 Choose Home > Devices.
Step 2 To obtain ping statistics for a sensor, select it in the device list table, and then click Tools > Ping.
The Executing command - ping dialog box displays the ping statistics for that sensor.
Step 3 To find the route of the IP packet, select the sensor in the list, and then click Tools > Traceroute.
The Executing command - traceroute dialog box displays the trace route statistics for that sensor.
Step 4 To find the whois information, select the sensor in the list, and then click Tools > WhoIs.
The Executing command - whois dialog box displays the WHOIS statistics for that sensor.
Step 5 To find the DNS information, select the sensor in the list, and then click Tools > DNS.
The Executing command - nslookup dialog box displays the DNS lookup statistics for that sensor.