Health and Performance Monitor Overview
The Health and Performance Monitor is a stand-alone application that you can launch from the other stand-alone Security Manager applications (Configuration Manager, Event Viewer, Report Manager, and Image Manager); from the Windows Start menu; or from its icon on your desktop.
The HPM application complements the Event Viewer and Report Manager applications, as follows:
- Event Viewer – Monitors your network for syslog (system log) events from ASA and FWSM devices and their security contexts, and for SDEE (Secure Device Event Exchange) events from IPS devices and virtual sensors. These events include firewall traffic information, NAT events, failover events, IPS alerts, and so on. Event Viewer collects and displays this information, organized into a variety of views. See Chapter 66, “Viewing Events” for more information.
- Report Manager – Collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, and victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods. See Chapter 67, “Managing Reports” for more information.
- Health and Performance Monitor (HPM) – Monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.
You can add notes to displayed alerts, you can “acknowledge” them, and you can clear them. When an alert is cleared, it is removed from the Alerts display; however, the alert information is retained in a database for 30 days. See Alerts: Acknowledging and Clearing for more information about adding notes, and acknowledging and clearing alerts.
Note You can use the Alerts History window to access and view previously cleared alerts, as described in Alerts: History.
Trend Information
The Health and Performance Monitor periodically polls monitored devices for status and performance data. This information is used for alert generation, and to display real-time views and historical trends based on aggregated data.
Trends are displayed graphically for a specific set of metrics. Each trend for the currently selected device is represented as a graph generated for a chosen time interval. Comparing current values with the weekly averages for CPU and memory usage, for example, can provide an operational context for the selected device. Available trend intervals for monitored devices are one hour, 24 hours, and one week.
Metrics used for generating trends include:
- CPU usage
- Memory usage (only for single-context devices)
- Connections per second (firewall devices)
- Translations per second (firewall devices)
- Inspection load (IPS devices)
- Missed packets as a percentage (IPS devices)
- Number of VPN tunnels
- Number of RA VPN sessions
- Total VPN throughput
- Firewall throughput
- Total dropped packets (firewall interfaces)
For additional graphical information about the health and performance of a specific device, you can launch the related device manager by right-clicking the entry for a device, a cluster node, or the system context for a multi-context device, and then choosing Device Manager from the pop-up menu. See Starting Device Managers for more information about the device managers.
Monitoring Multiple Contexts
The Health and Performance Monitor can monitor single- and multiple-context ASA devices. For multiple-context devices, each context is monitored and displayed as if it was a separate device.
Each context will be polled separately for all applicable metrics, with HPM polling a maximum of five contexts at a time from any given device. For devices with more than five contexts, data will be acquired from each successive batch of five contexts, with each batch being polled progressively during successive polling cycles. This means that all contexts may not be updated at the same time.
For multiple-context devices, basic device health—memory usage, device status, and so on—is monitored only on the physical device (that is, from the system context), while traffic data—number of connections, number of translations, dropped packets and so on—are monitored at context level.
For virtual contexts, CPU usage data are used only for pattern analysis, not for alert generation. Only interface-status alerts will be generated for virtual contexts.
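The batching rule above has an operational consequence that is easy to miss: on a device with more than five contexts, the Receive Time shown for a context can lag behind the device's latest cycle by several cycles. The following is an added illustration of that schedule, not Security Manager code. The page states only that at most five contexts are polled per cycle and that successive batches are taken in successive cycles; the fixed context order, the round-robin wrap-around, the 300-second cycle length, and all names (`poll_batch`, `stale_contexts`) are assumptions made here.

```python
"""Added illustration of HPM's batched context polling; this is not Security Manager code.

Assumptions (not stated on the page): batches are taken in a fixed context order,
wrap around after the last batch, and one polling cycle is 300 s. All names are
hypothetical.
"""
from __future__ import annotations

from math import ceil

BATCH_SIZE = 5  # maximum number of contexts polled from one device in a single cycle


def cycles_to_refresh_all(n_contexts: int) -> int:
    """Polling cycles that must elapse before every context has been polled once."""
    return max(1, ceil(n_contexts / BATCH_SIZE))


def poll_batch(contexts: list[str], cycle: int) -> list[str]:
    """Contexts polled in a given cycle (cycle numbers start at 0; batches wrap around)."""
    if not contexts:
        return []
    n_batches = cycles_to_refresh_all(len(contexts))
    start = (cycle % n_batches) * BATCH_SIZE
    return contexts[start:start + BATCH_SIZE]


def receive_times(contexts: list[str], cycles: int, period_s: int = 300) -> dict[str, int | None]:
    """Simulate `cycles` polling cycles; return each context's last poll time in seconds.

    A context that has not been polled yet is reported as None (HPM has no data for it).
    """
    last: dict[str, int | None] = {c: None for c in contexts}
    for cycle in range(cycles):
        for c in poll_batch(contexts, cycle):
            last[c] = cycle * period_s
    return last


def stale_contexts(contexts: list[str], cycles: int, period_s: int = 300) -> list[str]:
    """Contexts whose displayed data predate the most recent cycle.

    On a device with more than BATCH_SIZE contexts this list is never empty, so the
    Receive Time column must be read per context, not per device.
    """
    last = receive_times(contexts, cycles, period_s)
    newest = (cycles - 1) * period_s
    return [c for c, t in last.items() if t is None or t < newest]


if __name__ == "__main__":
    ctxs = [f"ctx{i}" for i in range(12)]  # constructed 12-context device
    for cycle in range(4):
        print(cycle, poll_batch(ctxs, cycle))
    print("stale after 3 cycles:", stale_contexts(ctxs, 3))
```

With twelve contexts, three cycles are needed before every context has been polled once, and even then only the last batch carries data from the newest cycle.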
Managing Monitored Devices
The HPM device selector is used to add and remove devices from both the “normal” and “priority” monitoring lists. You can also use the device selector to transfer devices between the two lists.
To use the HPM device selector:
Step 1 Choose Device Selector from the Tools menu to open the device selector window; the device-management screen is displayed.
The All Devices section on the left lists all ASA and IPS devices in the Security Manager inventory that can be monitored. (For example, HPM supports monitoring of IPS sensors running version 7.0.1 and later only; earlier IPS versions are not displayed in the device selector.)
All devices currently assigned to the Normal monitoring list and the Priority monitoring list are displayed in the two sections on the right side of the window.
Step 2 To add a device to the Normal list, select the device in the All Devices list and then click the > button between the All Devices list and the Normal Monitored Devices list.
The procedure for moving a device to the Priority Monitored Devices list is the same: use the > button between the All Devices list and that list.
Step 3 To remove a device from either Monitored list, returning it to the All Devices list, select the device and then click the appropriate < button.
Step 4 To transfer a device from one Monitored list to the other, highlight that entry and click the Up or Down button to move it to the upper or lower list respectively.
Step 5 Click Next at the bottom of the window to display the VPN-selector screen.
All monitored devices and their individual contexts, if any, are listed; each entry includes a checkbox for remote-access (RA) and one for site-to-site (S2S) VPN selection. (Remote-access VPNs are not supported in multiple-context mode, so that checkbox is disabled for context entries.)
You can use the List Filter field on this page to filter the list, as described in Using The List Filter Fields.
Step 6 Select the types of VPN to be monitored on specific devices by checking the appropriate boxes.
Step 7 Click Save to save and apply your changes, and close the device selector.
HPM Window
The Health and Performance Monitor (HPM) application window is where you view status information and alerts collected from monitored firewall and IPS devices, as well as remote-access (RA) and site-to-site (S2S) VPN information, across your network.
Note See Managing Monitored Devices for information about specifying the devices to be monitored.
The following illustration presents the primary features of the HPM window.
Figure 68-1 Health and Performance Monitor Window
Callouts in Figure 68-1:
- Monitoring button
- Quick-launch buttons
- Alerts button
- Monitoring/Alerts display area
The HPM window consists of four main elements:
- Monitoring button (1) – Click this button to view device and VPN health and performance data. See HPM Window: Monitoring Display for more information.
- Alerts button (2) – Click this button to view a table of alerts in the window’s display area. See HPM Window: Alerts Display for more information.
- Quick-launch buttons (3) – Click any button to cross-launch the related Security Manager client application.
- Monitoring/Alerts display area (4) – This section of the window displays either Monitoring information for devices and VPNs, or a table of alerts generated by monitored devices. The Monitoring and Alerts buttons are used to switch back and forth between these two displays.
Working with Table Columns
You can customize the different tables of information presented in HPM as follows:
- Sort a table so that the entries in a particular column are in ascending or descending order.
– Click a column heading (anywhere but on a drop-down menu button) to sort the table so that the column entries are in ascending order, indicated by a small grey up-arrow.
– Click the heading again to sort the entries in descending order, indicated by a small grey down-arrow.
– Click the heading again to return the table to its original display order (the direction icon is removed).
- Hide and show various columns; the columns available for display depend on the particular table.
- Apply a column filter, so that the table displays only entries that fit the specified criteria.
Showing and Hiding Table Columns
You can customize the different tables presented in HPM by hiding and showing various columns of information; the columns available for display depend on the particular table.
Note The column headings are menus that you can use to further filter the table by hiding or showing entries according to chosen parameters, as described in Column-based Filtering.
To show or hide specific columns displayed for a table:
1. Click the Columns button on the right side of the column headings to open the Choose Columns to Display dialog box.
All columns available for the current view are listed.
2. Select and deselect the columns to be shown and hidden.
3. Click OK to close the dialog box.
Only the selected columns are displayed for this table.
The following topics describe the individual columns available for various tables:
Table Columns: Device-related Views
You can customize the tables presented in the Monitoring pane for the device-related views by hiding and showing various columns of information; the columns available for display depend on the particular view.
The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect ordering of the columns as displayed.) See Showing and Hiding Table Columns for information about opening the Choose Columns to Display dialog box.
The following table presents all available data columns for the device-related Monitoring views: Priority Devices, IPS Devices, Firewall Devices, All Devices, and all custom views based on these system views. Some of the listed columns are not available for specific views, as indicated.
Table 68-1 Available Table Columns for Device-related Views

| Column | Views (*) | Description |
|---|---|---|
| Device Name | IPS, Firewall | Name assigned to the device; that is, the Host Name as defined on the Device Properties: General Page of the Device Properties window. Column-based Filtering is available. The name is preceded by an icon indicating device type. This icon in turn may be preceded by a device-alerts indicator: a red dot indicates one or more critical alerts (and possibly warnings), while a yellow dot indicates one or more warnings only. The area is blank for a device with no alerts. Hover the mouse pointer over the dot to view a pop-up displaying the number of critical alerts and the number of warnings on the device. A gold star is added to the device icon itself to indicate Priority monitoring. |
| Receive Time | IPS, Firewall | Poll date and time for this entry (format: day-of-week MMM DD HH:MM:SS your-time-zone YYYY). |
| IP Address | IPS, Firewall | IP address of this device. Column-based Filtering is available. |
| Health Status | IPS, Firewall | Current overall health of the device: Critical, Warning, or Normal. Column-based Filtering is available. Note: overall health is defined by the most critical of the health metrics. For instance, if all the selected metrics on the device are normal except for one that is critical, overall device health becomes Critical. |
| Connection Status | IPS, Firewall | Indicates HPM’s ability to connect to and poll the device: Connected, Authentication Error, Certificate Mismatch Error, Connection Error, Timeout during Read operation, or Service unavailable. Column-based Filtering is available. Note: if the device is not selected as a Normal or Priority Monitored Device in HPM (Tools > Device Selector), this status does not apply; changes to Monitored Device selection may take several minutes to become effective and be reflected on screen. Any information displayed for a device that is not Connected is from the indicated Receive Time, prior to the connection failure. |
| Memory (%) | IPS, Firewall | Memory usage as a percentage of the total available. |
| CPU (%) | IPS, Firewall | CPU usage as a percentage of the total available. |
| Model | IPS, Firewall | Device type and model number; for example, ASA 5510 or IPS 4270. |
| Version | IPS, Firewall | Software version running on this device. Column-based Filtering is available. |
| Inspection Load (%) | IPS | Inspection load on the device when polled, as a percentage. |
| Missed Packet (%) | IPS | Dropped packets as a percentage of total packets inspected. |
| SensorApp Status | IPS | Current SensorApp (Analysis Engine) status: Up or Down. Column-based Filtering is available. |
| MainApp Status | IPS | Current MainApp status: Up or Down. Column-based Filtering is available. |
| CollaborationApp Status | IPS | Current CollaborationApp status: Up or Down. |
| License Expiration Status | IPS | Status of the sensor’s license, based on red and yellow threshold values set on the sensor: Normal, Warning, or Critical. Column-based Filtering is available. |
| In Bypass Mode | IPS | Whether bypass mode is enabled on the sensor: Yes or No. Column-based Filtering is available. |
| Event Retrieval Status | IPS | Status of IPS event retrieval: Normal, Warning, or Critical. Column-based Filtering is available. |
| Global Correlation Status | IPS | For a sensor participating in global correlation, its update status: Normal (last update was successful), Warning (no successful update within the past day, 86,400 seconds), or Critical (no successful update within the last three days, 259,200 seconds). Column-based Filtering is available. |
| Signature Update | IPS | The number of the most recent signature update applied to this sensor; for example, S574. Column-based Filtering is available. |
| Firewall Mode | Firewall | Operating mode of this device: Routed, Transparent, or Mixed. Column-based Filtering is available. |
| Context Mode | Firewall | Context mode of this device: Single or Multiple. Column-based Filtering is available. |
| Connections | Firewall | Number of active connections when the device was polled. |
| Xlates | Firewall | Address translation counter when the device was polled. |
| Connections/second | Firewall | Number of connections established per second. |
| Translations/second | Firewall | Number of translations per second. |
| Failover Status | Firewall | If this device is part of a failover pair, its current state: Active or Standby. Column-based Filtering is available. |
| Failover Host Role | Firewall | If this device is part of a failover pair, its current role: Primary or Secondary. Column-based Filtering is available. |
| Failover Peer Role | Firewall | If this device is part of a failover pair, the current role of its peer device: Primary or Secondary. Column-based Filtering is available. |
| Failover Peer Status | Firewall | If this device is part of a failover pair, the current status of its peer: Active or Standby Ready. Column-based Filtering is available. |
| Used Memory (MB) | Firewall | Amount of memory (in megabytes) in use when the device was polled. Column-based Filtering is available. |
| Free Memory (MB) | Firewall | Amount of memory available (in megabytes) when the device was polled. Column-based Filtering is available. |
| Max. Connections | Firewall | Peak number of connections. Not available for ASA clusters. |
| Max. Xlates | Firewall | Peak number of address translations. Not available for ASA clusters. |
| Throughput (Kbps) | Firewall | Average device throughput in kilobits per second. For an ASA 9.0+ cluster, this is the total throughput for all interfaces in the cluster. |
| ACL Dropped Packets | Firewall | The number of packets dropped because they failed an access control list rule. Available only at cluster level for ASA clusters; not available for individual nodes. |
| Scanning Threat Dropped Packets | Firewall | If scanning threat detection is enabled, the number of packets dropped because they failed scanning threat inspection. If not enabled, “NA” is displayed. Available only at cluster level for ASA clusters; not available for individual nodes. |
| Inspection Dropped Packets | Firewall | If application inspection is enabled, the number of packets dropped because they failed application inspection. If not enabled, “NA” is displayed. Available only at cluster level for ASA clusters; not available for individual nodes. |
| Syn Attack Dropped Packets | Firewall | Number of packets dropped because of SYN flooding. Available only at cluster level for ASA clusters; not available for individual nodes. |
| Total Interface Dropped Packets | Firewall | Total number of dropped packets on all interfaces. Available only at cluster level for ASA clusters; not available for individual nodes. Note: per-interface dropped-packet counts are shown on the tabbed Interface panel in the detail section for the selected device. |
| Analysis Engine Memory (%) | IPS | Percentage of the memory assigned to the Analysis Engine that is currently in use. |
| Role in Cluster | Firewall | The role of this member of an ASA load-balancing cluster: Cluster, Master, or Slave. A cluster is managed by Security Manager as a single device with multiple nodes, so each cluster is displayed in HPM as a single entry that you can expand to view its nodes. |

(*) All of these columns are available in the All Devices and Priority Devices views.
Table Columns: VPN-related Views
You can customize the tables presented in the Monitoring pane for the VPN-related views by hiding and showing various columns of information; the columns available for display depend on the particular view.
The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect ordering of the columns as displayed.) See Showing and Hiding Table Columns for information about opening the Choose Columns to Display dialog box.
The following table presents all available data columns for the VPN-related Monitoring views: Remote Access Users (RA), Site-to-Site Tunnels (S2S), VPN Summary, and all custom views based on these system views. Some of the listed columns are not available for specific views, as indicated.
Table 68-2 Available Table Columns for VPN-related Views

| Column | Views | Description |
|---|---|---|
| Receive Time | RA, S2S, VPN Summary | Poll date and time for this entry (format: day-of-week MMM DD HH:MM:SS your-time-zone YYYY). |
| Firewall Name | RA, S2S, VPN Summary | Name of this device, as provided in the Security Manager inventory. Column-based Filtering is available. |
| User Name | RA | User log-in name used to establish this session. Column-based Filtering is available. |
| User Group Policy | RA | The name of the ASA VPN user group to which this user belongs. Column-based Filtering is available. |
| Gateway | RA | IP address of the VPN gateway to which the user is connected. Column-based Filtering is available. |
| Assigned IP | RA | Private IP address assigned to the remote client for this session; also known as the “inner” or “virtual” IP address. |
| Public IP | RA | Publicly routable IP address of the client. Column-based Filtering is available. |
| Connection Initiation Time | RA | Time and date (HH:MM:SS day-of-week MMM DD YYYY) when the connection was initiated. Time is displayed in 24-hour Coordinated Universal Time (UTC) notation. |
| Duration | RA | Elapsed time (HH:MM:SS) between session initiation and the most recent device poll. |
| Client Version | RA | VPN client software and version running on the remote peer; for example, AnyConnect Windows 3.0 or Mozilla 4.0. Column-based Filtering is available. |
| EndPoint OS | RA | Operating system in use on the remote peer; for example, Windows or Windows NT. Column-based Filtering is available. |
| Authentication Method | RA | Method used to authenticate this session: user password, certificate, or preshared key. Column-based Filtering is available. |
| Encryption | RA, S2S | Data encryption algorithm this session is using. Column-based Filtering is available. |
| Tunnel Type | RA, VPN Summary (as “Type” only) | Type of tunnel or connection: Clientless, IPsec, or AnyConnect. Column-based Filtering is available. |
| Throughput (Kbps) | RA, S2S | Traffic received plus traffic transmitted, expressed in kilobits per second. |
| Session ID | RA | Identifier assigned to this session. |
| Inactive Time | RA | Amount of time this session has been inactive. |
| IP Address | S2S, VPN Summary | IP address of this device. Column-based Filtering is available. |
| Local Endpoint | S2S | IP address of the local tunnel interface. |
| Remote Endpoint | S2S | IP address of the remote tunnel interface. |
| Local Subnet | S2S | Address of the local protected subnet. |
| Remote Subnet | S2S | Address of the remote protected subnet. |
| Uptime | S2S | Current duration of this tunnel. |
| Connection Time | S2S | Time and date (HH:MM:SS day-of-week MMM DD YYYY) when the tunnel was established. Time is displayed in 24-hour Coordinated Universal Time (UTC) notation. |
| Status | S2S | Tunnel connection status: Up or Down. An alert is issued when a tunnel goes down a specified number of times; see Alerts: Configuring for more information. |
| Health Status | VPN Summary | Current overall health of the underlying device: Critical, Warning, or Normal. Column-based Filtering is available. Note: overall health is defined by the most critical of the health metrics. For instance, if all the selected metrics on the device are normal except for one that is critical, overall device health becomes Critical. |
| Connection Status | VPN Summary | Remote connection status; this is always Connected, because HPM cannot present information about previous connections. Column-based Filtering is available. |
| Monitoring Type | VPN Summary | Types of VPN connections being monitored. Column-based Filtering is available. |
| Active Sessions | VPN Summary | Current active sessions (S2S, IPsec RA, client-based SSL RA, and clientless SSL RA). |
| Peak Sessions | VPN Summary | Peak number of concurrent sessions (S2S, IPsec RA, client-based SSL RA, and clientless SSL RA). |
| Total Users | VPN Summary | Current remote user total (S2S, IPsec RA, client-based SSL RA, and clientless SSL RA). |
| Inactive Sessions | VPN Summary | Number of inactive sessions. |
| Total VPN Throughput (Kbps) | VPN Summary | Sum of all VPN traffic; that is, the sum of the RA and S2S throughput values, in kilobits per second. Column-based Filtering is available. |
Alert Table Columns
You can customize the Alerts table by hiding and showing various columns of information.
The order of the entries in the Choose Columns to Display dialog box reflects the ordering of the columns when displayed. (However, the ordering of the rows in the following table does not necessarily reflect ordering of the columns as displayed.) See Showing and Hiding Table Columns for information about opening the Choose Columns to Display dialog box.
Table 68-3 Available Data Columns for the Alerts Table

| Column | Description |
|---|---|
| Device Name (always selected) | Name of the device on which this alert was triggered, as provided in the Security Manager inventory. Column-based Filtering is available. |
| Node | Node name, if this alert was generated by a member of an ASA load-balancing cluster. Column-based Filtering is available. |
| Device Type | Type of device: ASA or IPS. Column-based Filtering is available. |
| Severity | Alert severity: Critical, Warning, or Normal. Column-based Filtering is available. |
| Status | Current alert status: Active or Acknowledged. Column-based Filtering is available. |
| Description | Description of the alert; for example, “Device Health Critical” or “Device Polling: Authentication Error.” |
| First Seen | Date and time when this alert was first logged (day-of-week MMM DD, YYYY HH:MM:SS AM/PM). Time is in your time zone. Column-based Filtering is available. |
| Last Seen | Date and time when this alert was most recently logged (day-of-week MMM DD, YYYY HH:MM:SS AM/PM). Time is in your time zone. Column-based Filtering is available. |
| Notes | Annotations you entered when acknowledging the alert. See Alerts: Acknowledging and Clearing for more information. |
Column-based Filtering
You can filter the various tables in HPM based on the contents of specific columns. When you apply a column filter, the table is filtered to include only those entries with the specified criteria in that column.
Note See Working with Table Columns for other methods of altering table displays.
Tips
- Column filters are cumulative: for an entry to appear in the filtered table, it must meet all column filter criteria. You cannot create a set of ORed column filters.
- You can filter on the contents of most but not all columns. If a column heading has no down arrow, you cannot filter on it; for example, you cannot filter on Receive Time in the All Devices view.
- The filter icon (a funnel) appears in the heading of a filtered column.
- For a description of the available columns, see Showing and Hiding Table Columns.
To filter a table according to a particular column parameter:
Step 1 Click the down-arrow in the heading of a column and choose one of the following from the drop-down menu:
- All – Choose All to remove (undo) a filter from this column. The table is updated to show all entries for this parameter. For example, if you filtered the Severity column of the Alerts table to display only Critical alerts, choosing this option re-displays all Critical and Warning alerts.
- Custom – Choose Custom to open the Custom Filter dialog box, where you can create a custom filter based on the information in that column. See Custom Filtering for more information.
- A specific entry – The drop-down menu includes all values relevant to the column; choose one to display only that group of entries. For example, choosing Critical from the Severity column of the Alerts table filters the table to display only Critical alerts.
Custom Filtering
The following procedure explains how to create a custom column-based filter, one in which you are not simply selecting a value from the column’s drop-down list. Refer to Column-based Filtering for information about other column-based filtering options.
Step 1 Click the down-arrow in the heading of a column and choose (Custom) from the drop-down menu.
The Custom Filter dialog box for that column opens.
Step 2 In the Custom Filter dialog box, select the desired values. The following illustration shows a typical example of this dialog box.
These are the controls you might find in the Custom Filter dialog box (not all controls appear for every instance):
- Condition – Choose the condition applied to the selected Values. Typically this is “is in”, meaning each of the Values you select must be “in” the column for an entry to be displayed in the filtered table.
- Not – Check this box to create a negative Condition. With “is in” as the chosen Condition, this means the selected Values must not be in the column; in other words, the table is filtered such that entries with these Values in the column are not displayed.
- Values list – A few instances of the dialog box present one list of Values from which to select: simply check the desired options.
- Available and selected Values lists – In most cases, the dialog box presents two Values lists, as shown in the previous illustration. To select a value for the custom filter, highlight it in the left list, which contains the available values for the column, and click the right arrow to add it to the list of selected values on the right. You can select multiple values.
The items in the available Values list are determined by the values currently present in the selected column of the source table.
If there are many available values, you can search for a specific value by typing in the List Filter field above the list. For more information, see Using The List Filter Fields.
You can also select or deselect values using the following techniques:
– Type a Value name into the text field above the selected Values list and click the + button; the Value is added to the selected Values. This technique is useful when there is a large number of available Values, or when you want to filter on a value that is not present in the available Values list.
– Double-click an item in either list to move it to the other list.
– Click one of the double-arrow buttons to move all items from one list to the other, regardless of any selected values.
Step 3 Click OK to close the dialog box.
The table is updated to show only those entries that satisfy all currently applied filters.
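The semantics described under Column-based Filtering and Custom Filtering (a per-column “is in” condition, optional negation with Not, and cumulative AND across all filters with no OR) are small enough to make precise in code. The following is an added example written for this page, not Security Manager code; the rows are a constructed sample of the Alerts table using the Table 68-3 columns, and the class and function names are hypothetical.

```python
"""Added example of HPM-style column-filter semantics; not Security Manager code.

ALERTS is a constructed sample. Apart from "Device Health Critical" and
"Device Polling: Authentication Error", which the page gives as examples, the
description strings are made up. ColumnFilter/apply_filters are hypothetical names.
"""
from __future__ import annotations

from dataclasses import dataclass

ALERTS = [
    {"Device Name": "asa-edge-1", "Device Type": "ASA", "Severity": "Critical",
     "Status": "Active", "Description": "Device Health Critical"},
    {"Device Name": "asa-edge-1", "Device Type": "ASA", "Severity": "Warning",
     "Status": "Acknowledged", "Description": "Memory usage above warning threshold"},
    {"Device Name": "ips-dc-2", "Device Type": "IPS", "Severity": "Critical",
     "Status": "Active", "Description": "Device Polling: Authentication Error"},
    {"Device Name": "ips-dc-2", "Device Type": "IPS", "Severity": "Warning",
     "Status": "Active", "Description": "License expiration imminent"},
]


@dataclass(frozen=True)
class ColumnFilter:
    """One column filter: Condition 'is in' over the selected Values, optionally negated.

    Picking a single entry from the column's drop-down is the one-value special case;
    the Custom Filter dialog allows several values plus the Not checkbox.
    """
    column: str
    values: frozenset[str]
    negate: bool = False  # the Not checkbox

    def matches(self, row: dict[str, str]) -> bool:
        hit = row.get(self.column) in self.values
        return not hit if self.negate else hit


def available_values(rows: list[dict[str, str]], column: str) -> list[str]:
    """Values offered in the drop-down and in the left-hand Values list: the column's
    current contents. A value typed in with the + button need not be among them."""
    return sorted({r[column] for r in rows if column in r})


def apply_filters(rows: list[dict[str, str]], filters: list[ColumnFilter]) -> list[dict[str, str]]:
    """Column filters are cumulative: a row is shown only if it satisfies every filter (AND).

    Choosing All on a column corresponds to removing that column's ColumnFilter.
    There is no OR: two filters with disjoint value sets on one column yield an empty table.
    """
    return [r for r in rows if all(f.matches(r) for f in filters)]


if __name__ == "__main__":
    critical_ips = [ColumnFilter("Severity", frozenset({"Critical"})),
                    ColumnFilter("Device Type", frozenset({"IPS"}))]
    for row in apply_filters(ALERTS, critical_ips):
        print(row["Device Name"], "-", row["Description"])
```

The `negate` flag is the only way to express “everything except”; a filter on a value that is not present in the column (typed in with the + button) is valid and simply matches nothing until such an alert appears.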
Using The List Filter Fields
A List Filter field is provided above the devices and VPNs lists in the Monitoring display, above the alerts table in the Alerts display, above the device list on the VPN page of the Device Selector, and in the View Cleared Alerts window. In each case, you can use the List Filter field to quickly locate any entries in the related table that contain a specified text string.
Note The found text can be part of any data field associated with an entry. For example, as you type “license” into the Alerts List Filter field, the Alerts table is filtered to show only those alerts related to imminent license expiration. Matched entries are listed even if the relevant data column (in this example, Description) is not displayed, which can be confusing. See Showing and Hiding Table Columns for more information about hiding table columns.
Figure 68-2 Health and Performance Monitor: List Filter Field
Callouts in Figure 68-2:
- Filter-parameters button (magnifying glass, at the left side of the field)
- Clear button (at the right side of the field)
To search for a specific text string in the devices list, the VPNs list, the Alerts table, or the View Cleared Alerts window:
- Click in the List Filter field to place the text cursor, and then begin typing.
These are “live filter” fields: as you type each character, entries that do not include the current text string are removed from the list or table. For example, suppose an extensive list of alerts includes one with a Description of “Device Health Critical,” and none of the other alerts contain a text string with the letters “hea”. To locate that one alert quickly, begin entering the word “health”; after you have typed the first three letters, that alert is the only one displayed.
To clear a List Filter field:
- Click the clear button at the right side of the field. This button appears when you begin typing in the field. (You can also highlight the characters and press the Delete or Backspace key on your keyboard.)
When you clear the List Filter field, all entries in the list are again displayed.
You can tune the filter results by specifying the information (columns) searched, by selecting case sensitivity or insensitivity, by allowing wildcards or regular expressions, and by specifying where in a returned string your characters must be located.
To change the List Filter criteria:
1. Click the filter-parameters button (magnifying glass) at the left side of the List Filter field to open the parameters menu.
2. Choose an option.
The menu consists of four sections:
– A list of all available information types; these entries correspond to the columns that can be displayed for that particular list or table. You can choose All, or you can choose individual entries.
– Case sensitive and Case insensitive – Choose one or the other. If you choose Case sensitive, found text must match not only the characters you enter, but also their as-typed case.
– Use wildcards and Use regular expression – Choose one or the other. The following wildcards are recognized:
– * (asterisk) – Match zero or more characters at that location in the string.
– ? (question mark) – Match one character at that location in the string.
– Match from start, Match exactly, and Match anywhere – Choose one. Match from start means that the string you enter must be found at the beginning of an entry, although it can be part of a larger set of characters. Match exactly requires that the string you enter exactly match the entire column entry. Match anywhere means the string can be found anywhere within an entry, and it can be part of a larger set of characters.
3. Repeat Steps 1 and 2 to change another parameter.
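The matching rules of the parameters menu described above, modelled as an added example (this is not code from the original page or from HPM): searched columns, case sensitivity, wildcards versus a regular expression, and the three match modes, applied as a live filter over a constructed set of Alerts-table rows. The column names and sample values are assumptions.

```python
"""Reference model of the HPM List Filter matching rules.

Added example; it is not code from the original page or from the HPM product. It
reproduces the filter-parameters menu described above: the searched columns (All or
chosen ones), case sensitivity, wildcards (* and ?) versus a regular expression, and
Match from start / Match exactly / Match anywhere, applied as a live filter over a
small constructed set of Alerts-table rows.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample rows; the column names follow the Alerts table columns named on the page.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"Device": "asa-edge-1", "Status": "Device Health Critical", "Detail": "CPU usage 93%"},
    {"Device": "ips-core-2", "Status": "Warning", "Detail": "License expiration in 7 days"},
    {"Device": "asa-branch-3", "Status": "Normal", "Detail": "Interface outside up"},
    {"Device": "asa-hq-9", "Status": "Warning", "Detail": "Heartbeat lost to failover peer"},
]


@dataclass(frozen=True)
class FilterParams:
    """State of the filter-parameters (magnifying glass) menu."""
    columns: Optional[Tuple[str, ...]] = None   # None == All columns, hidden ones included
    case_sensitive: bool = False
    use_regex: bool = False                      # False: "Use wildcards" (* and ?)
    mode: str = "anywhere"                       # "start" | "exact" | "anywhere"


def wildcard_to_regex(pattern: str) -> str:
    """Translate the two recognised wildcards; every other character is matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # zero or more characters at this position
        elif ch == "?":
            parts.append(".")       # exactly one character at this position
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def compile_filter(text: str, params: FilterParams) -> "re.Pattern":
    body = text if params.use_regex else wildcard_to_regex(text)
    if params.mode == "start":
        body = "^(?:" + body + ")"            # must begin the entry, may be part of a longer one
    elif params.mode == "exact":
        body = "^(?:" + body + ")$"           # must equal the whole column entry
    # "anywhere": unanchored, re.search finds it at any position
    flags = 0 if params.case_sensitive else re.IGNORECASE
    return re.compile(body, flags)


def apply_filter(rows: Iterable[Dict[str, str]], text: str,
                 params: Optional[FilterParams] = None) -> List[Dict[str, str]]:
    """Return the rows kept by the filter; an empty field shows every entry again."""
    params = params or FilterParams()
    rows = list(rows)
    if text == "":
        return rows
    try:
        pattern = compile_filter(text, params)
    except re.error:
        return []   # an unfinished regex such as "(" matches nothing while the user is typing
    kept = []
    for row in rows:
        searched = params.columns if params.columns is not None else tuple(row)
        if any(pattern.search(row[col]) for col in searched if col in row):
            kept.append(row)
    return kept


def live_filter_counts(rows: Iterable[Dict[str, str]], typed: str,
                       params: Optional[FilterParams] = None) -> List[int]:
    """Number of rows still listed after each keystroke of `typed` (the live-filter behaviour)."""
    rows = list(rows)
    return [len(apply_filter(rows, typed[:i], params)) for i in range(1, len(typed) + 1)]
```

Typing “health” against these rows narrows the list to 3, 2, 2, 1, 1, 1 entries keystroke by keystroke, and restricting the searched columns hides a match that lives only in the Detail column, which is the behaviour the Note above warns about.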
Monitoring Devices
The HPM Monitoring display presents View controls, view panels, and detailed information about the currently selected device, as described in HPM Window: Monitoring Display.
To switch to the Monitoring screen:
- Click the Monitoring button below the HPM menu bar.
(Click the Alerts button to return to the Alerts screen.)
Note See Managing Monitored Devices for information about specifying the devices to be monitored.
Managing Device Views
“Views” provide the means to filter and organize the information displayed in the Monitoring pane of the HPM application. Various system views are provided—for example, All Devices, Firewall Devices, Remote Access Users Details, and so on—and you can create custom views that organize the information in other ways, such as geographic device location.
The left pane of the HPM main window displays a list of available views as shown in the following illustration.
Figure 68-3 Health and Performance Monitor: Views Pane
The Views pane includes the following controls:
- (1) Push Pin button – Click the Push Pin button to control display of the Views list. When the list is displayed as a pane of the HPM window (the pin is vertical), click the button to collapse the pane into the left edge of the window, leaving a labeled tab; the Monitoring pane is expanded to fill the HPM window.
You can “hover” your mouse pointer over the tab to “pop out” the Views list; it remains visible as long as the pointer is over the tab or in the list area (the pin is horizontal). You also can click anywhere in the title bar—except on the pin itself—to keep the list “popped out.”
Click the pin once again to re-establish the Views list as an open pane; the Monitoring pane contracts to make room for it.
- (2) List of views – The list is organized into folders: System Views and My Views. Click an entry in either folder to open that view in the Monitoring pane, as described in Views: Opening and Closing. See Views: Custom for information about creating new views in the My Views folder.
- Right-click shortcut menu – You can right-click any entry in the View list to access a pop-up menu of view-related commands:
– Edit – Edit the name and description of the existing custom view. See Views: Custom.
– Save As – Save the view as a new custom view. See Views: Custom.
– Delete – Delete that custom view.
– Set as default view – Use this command to designate the view that is always displayed whenever you launch the HPM application.
Views: Opening and Closing
All available views are listed in the Views pane, on the left side of the HPM window. The Monitoring pane displays open views, with each open view presented as a separate tabbed panel. (See HPM Window: Monitoring Display for more information about this window.)
Note You can detach views so they “float” in separate windows. For more information, see Views: Floating and Docking.
To display a new view in the Monitoring pane:
- Click the desired entry in the Views list.
The view appears as a tabbed panel in the Monitoring pane; it is automatically selected and displayed.
To switch to another open view:
- Click the desired tab in the Monitoring pane; that view is displayed.
- Right-click any tab and choose Next or Previous to display the view to the right or left of that tabbed view.
- Click the Scroll Back and Scroll Forward buttons to the right of the tabs to display the view to the left or right of the current view.
To close a view:
- Click the close button in that tab.
- Right-click the tab and choose Close.
- Right-click the tab and choose Close Others to close all open views except the one you right-clicked.
- Right-click any tab and choose Close All to close all open views.
Views: Tiling Horizontally or Vertically
Rather than displaying a single view such that it fills the Monitoring pane, you can tile two or more of the views, either horizontally or vertically, for easy comparison.
For example, if you tile two views horizontally, one view fills the upper half of the Monitoring pane, while the other fills the lower half. Similarly, tiling two views vertically fills the left-hand half of the pane with one view, with the other view filling the right half. Further, you can tile more than two views—the pane is subdivided equally for each view.
To create two horizontal or vertical tiles:
- Right-click one of the tabs and choose New Horizontal Group or New Vertical Group.
The selected view and the other view(s) are distributed to share the Monitoring pane equally, either horizontally or vertically depending on your choice.
Note that if there are more than two views open when you choose one of these commands, the selected view is tiled, with the remaining group of tabbed views displayed as the other tile. You can then repeat this process with the remaining tabbed views, increasing the number of visible tiles, as desired.
You can also move an existing tile to another tile:
- Right-click the tab and choose Move to Next Tab Group or Move to Previous Tab Group.
The selected view is added to the next tile (below or to the right, depending on tile orientation), or to the previous tile (above or to the left). These commands are available only if the tiled views are arranged in a manner where such movement is possible.
To change the orientation of the views, switching from horizontal to vertical tiling, or vice versa:
- Right-click any tab and choose Change Tab Groups Orientation.
This command is available only when two or more tiled views are displayed.
Views: Floating and Docking
You can detach tabbed views so they “float” as separate windows, and you can “dock” floating views, returning them to the Monitoring pane as tabbed views.
To detach a view as a floating window:
- Right-click that tab and choose Floating.
A standard window opens, displaying the selected view.
To move another tabbed view from the Monitoring pane to an already-open floating-view window:
- Right-click the tab and choose the window from the Floating to submenu.
The right-clicked view is added to the existing window as another tabbed panel.
To return a floating view to the Monitoring pane as a tabbed panel:
- Right-click the view’s tab in the window and choose Docking.
That view is returned to the Monitoring pane.
Note A floating view is a standard window: you can minimize, maximize and close it as you would any other window.
Views: Custom
The Health and Performance Monitor provides seven System Views. In addition, you can create any number of custom views, each of which is based on an existing view. You also can edit and delete custom views.
The various views are presented in the Views pane of the Monitoring display, organized into two folders: System Views and My Views (the latter folder contains your custom views). The Monitoring display is described in HPM Window: Monitoring Display.
Follow these steps to create a new custom view:
1. In the Views list, select the view on which the new view is to be based.
This can be a System View or an existing custom view.
2. Choose Save As from the File menu to open the Save View As dialog box.
You also can right-click the selected view and choose Save As from the pop-up menu to open the dialog box.
3. Provide a Name for the new view, and optionally a Description.
4. Specify the devices to be monitored for this view: check and clear entries in the device-selector area of the dialog box.
5. Click Save to close the dialog box and add the new view to the My Views folder.
Follow these steps to edit an existing custom view:
1. Under My Views, select the view.
2. Choose Edit from the File menu to open the Save View As dialog box.
You also can right-click the selected view and choose Edit from the pop-up menu.
3. Edit the Name and Description, as necessary.
4. Check and clear entries in the device selector to change the devices monitored for this view.
5. Click Save to close the dialog box.
Follow these steps to delete an existing custom view:
1. Under My Views, select the view.
2. Choose Delete from the File menu.
You also can right-click the selected view and choose Delete from the pop-up menu.
3. Confirm that you want the view deleted.
That view is removed from the Views list.
HPM Window: Monitoring Display
The HPM window provides two different information displays: Monitoring and Alerts. Click the Monitoring button to access the Monitoring display.
The Monitoring display consists of two primary panes: Views and Monitoring. The Views pane presents a list of available views. Click an entry in this list to open that View as a tabbed panel in the Monitoring pane.
The Monitoring pane can present multiple tabbed views, most of which display several sections. Click a tab to bring that view to the front.
Note The Remote Access Users and the Site-to-Site Tunnels views each display only a single table of information, as described in Monitoring Views: VPN, RA and S2S. The following descriptions focus mainly on the other available system views.
The following illustration presents the primary features of the Monitoring display and the panel sections.
Figure 68-4 Health and Performance Monitor: the Monitoring Display
Callouts: (1) Views list; (2) Monitoring view controls; (3) Summary of all devices; (4) Status of devices or VPNs; (5) Selected device details.
The Monitoring display consists of five main elements:
- Views list (1) – This pane lists all views available—click an entry in this list to open that view in the Monitoring pane. The views are organized into System Views, provided as part of the Health and Performance Monitor, and My Views, which are custom views you have created. See Managing Device Views for information about the Views pane, and Views: Custom for information about managing custom views.
- Monitoring view controls (2) – A labeled tab appears here for each view you open; click any tab to bring that view to the front. You also can use the Scroll Backward and Scroll Forward buttons to step backward or forward through the tabbed views. Alternately, open the Show List drop-down menu on the right and choose a label to make that the active view.
- Summary of all devices or VPNs (3) – Provides aggregate information for all devices or VPNs represented by this view. Expand or collapse this section by clicking the button on the right side. The device-summary section is described in greater detail in Monitoring Views: Devices or VPNs Summary.
- Device-status list (4) – All devices or VPNs included in this view are listed here; see Monitoring Views: Device or VPN Status List for more information about this list. Use the List Filter field in this section to filter the list, as described in Using The List Filter Fields.
- Selected device or VPN details (5) – This section provides detailed information about the device or VPN currently highlighted in the device list. The details section is described in greater detail in Monitoring Views: Device or VPN Details.
Monitoring Views: Devices or VPNs Summary
The HPM Monitoring display presents tabbed views, each of which provides detailed information about the device or VPN currently selected, as described in HPM Window: Monitoring Display. All device-related views (that is, all but the Remote-Access Users and Site-to-Site Tunnels views) include a Summary section, as described here.
This Devices Summary (or VPN Summary) section, which you can show and hide by clicking the button on the right side of its title bar, displays a snapshot of the aggregate Health Status and Alert Status for all the devices or VPNs relevant to the current view. For example, if you are viewing the Firewall Devices panel, the status summaries are for all monitored firewall devices only.
Monitoring Views: Device or VPN Status List
The HPM Window: Monitoring Display presents detailed information about the device or VPN currently selected (in a specific device view, or the VPN Summary view, respectively). All device-related views and the VPN Summary view include a table of monitored devices or VPNs relevant to the current view.
This table displays “at-a-glance” status information for every monitored device or VPN—each is represented by an entry in this table. Note that ASA clusters are presented as expandable entries: click the + icon in front of the cluster entry to expand it and view indented entries for each cluster node.
Again, the list includes only those elements relevant to the current view. For example, the list in the Firewall Devices view does not include entries for IPS devices. The Remote-Access Users and Site-to-Site Tunnels views do not include this status display.
You can resize the table columns, you can show and hide columns, and the column headings are menus you can use to filter the table by hiding or showing devices according to chosen parameters. See Showing and Hiding Table Columns for more information about these options.
When you select an entry in this list, detailed information for that device is displayed in the device-details area below the table, as described in Monitoring Views: Device or VPN Details.
Tip With the All Devices, Firewall Devices, IPS Devices, and Priority Devices views (and any custom device-related views), you can right-click the highlighted entry and choose Device Manager from the pop-up menu to open the appropriate external device manager for that device—that is, ASDM for an ASA, and IDM for an IPS sensor—where you can “drill down” into the health and performance data for that device. See Starting Device Managers for more information about the device managers.
Monitoring Views: Device or VPN Details
The HPM Window: Monitoring Display presents views and detailed information about the currently selected device or VPN. All device-related views and the VPN Summary view provide three or four tabbed panels of detailed information for the individual device or VPN currently selected in the device-status table above it. (The Remote-Access Users and Site-to-Site Tunnels views do not provide this details panel.)
The information presented for each type of view follows.
- For the All Devices, Firewall Devices, IPS Devices, Priority Devices, and custom device-related views, the tabbed panels are:
– Health – A “snapshot” of device status, including graphic displays for certain metrics such as CPU and memory usage. With firewall and IPS devices, the top section of this panel includes:
– The Health entry indicates general overall status, and can be Normal, Warning, or Critical, based on the number and type of alerts triggered on the device. Click the i button for a pop-up view of current device metrics.
– The Alerts entry indicates the current alert level; it also can be Normal, Warning, or Critical. The numbers of triggered Critical and Warning alerts are indicated, followed by a View hyperlink. Click the link to switch to the Alerts display with only the alerts for this device listed.
Note For IPS devices, certain health-metric thresholds must be configured separately on the individual devices—that is, outside of HPM. Therefore, it is possible for the health of an IPS device to be critical, for example, without any indication in HPM. See Alerts Configuration: IPS for additional information.
– Used Memory and Free Memory indicate, respectively, the amount of device RAM in use and the amount available; both values are in megabytes.
– Total cluster nodes is the total number of devices assigned to the selected ASA cluster, along with the number of those nodes currently Up, Down and Undiscovered.
– Device Information – This panel provides a read-only listing of device-specific information such as device name, IP address, device type and model number, and so on. A read-only listing of Failover information is also presented. If an ASA cluster is selected, the Failover listing is replaced with a listing of cluster-related information.
– Traffic – This panel presents device-specific traffic information, some of which is also presented in graphical form. For example, it shows the average number of connections and the number of translations for firewall devices, and the average inspection load and percentage of missed packets for IPS sensors, all over the most recent polling period.
– Interfaces – A listing of all interfaces defined on the device, with current status information.
- For the VPN Summary view, the tabbed panels are:
– VPN Usage – Several graphs presenting information such as active site-to-site tunnels, active remote-access sessions, and total throughput. This includes historical trending information for active Site-to-Site tunnels, active IPSec remote-access users, active SSL VPN clientless users, and active SSL VPN with client users.
– License Information – A read-only listing of license information by VPN type, or IPSec and SSL license and load information, depending on your selection in the table above. For the System context of a multiple-mode device, VPN Licensing and allocation are shown; for individual contexts, VPN allocation Limits and VPN licensing usage are shown.
– Other Details – A listing of certificate and TrustPoint details.
See Managing Monitored Devices for information about selecting devices for VPN monitoring.
Monitoring Views: VPN, RA and S2S
The HPM Monitoring display presents a variety of device- and VPN-related data views, as described in HPM Window: Monitoring Display. These include the Remote Access Users and Site-to-Site Tunnels views, which, unlike the other views, are simply tables of current users and tunnels.
See Managing Monitored Devices for information about selecting devices for VPN monitoring.
In both of these views, you can resize the table columns, you can show and hide columns, and the column headings are menus you can use to filter the table by hiding or showing entries according to chosen parameters. See Showing and Hiding Table Columns for more information about these options.
The Remote Access Users view lists the remote-access users currently logged into network resources via the devices being monitored by HPM. Note that remote-access user information is updated every 20 minutes (for normal monitoring; for Priority monitoring the interval is 15 minutes), rather than the five minutes that is standard for the other views. Also, no historical or trending data is available for remote-access users.
Further, you may notice a mismatch between RA user count in the VPN Summary view and the Remote Access Users view. This is because the VPN Summary is updated at ten-minute/five-minute (normal/Priority) intervals.
Tip In the Remote Access Users view, you can right-click a user entry and choose Log Off User from the pop-up menu to terminate that remote-access connection.
The Site-to-Site Tunnels view provides current VPN tunnel information through all monitored devices. Note that to enable tunnel Up/Down alerts for a device or context, you must configure SNMPv3 on the device, as described in SNMP Credentials Dialog Box.
For clusters of ASA 9.0+ devices, information is shown for the master device only, since VPN processing is not load-balanced across the nodes and is thus limited to centralized support in the cluster.
Note VPN polling occurs on a fixed time interval, so it is not possible to log status changes within that time interval. For example, if a site-to-site tunnel goes down immediately after polling and comes back up just before the next poll, that status change cannot be detected.
Exporting HPM Data
You can save a “snapshot” of the device-status information in the current View as a PDF, HTML, or CSV (comma-separated values) file. The following steps describe exporting the current View data in either a PDF, HTML, or CSV file.
Step 1 Click the appropriate tab to display the View you want to export (that is, Priority Devices, VPN Summary, All Devices, or another).
Tip To export the data for a subset of all entries in a particular view, create a custom view that includes only the desired devices. See Views: Custom for information.
Step 2 Click the down-arrow beside the Export button next to the List Filter field (above the device- or VPN-status list) and choose As PDF, As HTML, or As CSV from the drop-down menu.
The Export dialog box opens.
Step 3 Select the specific information to be exported by checking the appropriate columns in the dialog box.
Step 4 If you chose As PDF from the Export drop-down list, at the bottom of the Export dialog box you can choose the desired Page Size for the PDF file: A1, A2, A4, Letter, or Legal.
The pages of the PDF file will be the selected size, with the presented information formatted accordingly.
Step 5 Click Export to close the Export dialog box.
The Save file dialog box opens.
Step 6 Provide a name for the file, and specify where it is to be saved.
The default file name is the current system time (as a long integer); you can change this to something informative. On Windows systems, the default location is My Documents; you can specify any location.
Step 7 Click Save to close the Save dialog box and export the selected data.
Alerts and Notifications
The Health and Performance Monitor (HPM) provides trend information, alerts, and notifications regarding the performance and health of monitored devices. You can monitor the overall health of your network—including network user and device resource utilization—by quickly scanning the status of individual devices and groups of devices.
Specific device-level trend information is available for hourly, daily and weekly intervals. Alerts are displayed prominently, with easy navigation to the relevant HPM data. You also can acknowledge and annotate individual alerts.
These alerts are based on threshold values and state-change rules that you have configured: you specify thresholds that define Critical, Warning, and Normal levels for various metrics, and you can configure rules for certain state changes such as interface failure.
Further, there are two levels of device monitoring. Initially all devices are unmonitored. However, you can designate devices to be monitored at a “normal” level, or at a “Priority” level—you define a separate set of alert definitions for each level. Priority devices are polled and reported on more frequently (five-minute intervals versus ten for “normal” devices), and failure parameters are more stringent.
You also can enable email alert notifications. If configured, an email is sent to the specified address(es) whenever an alert is generated. You can provide multiple addresses for each category of alerts (Firewall and IPS).
Note An email notification is sent the first time an alert is logged, and when the severity of an alert changes from warning to critical (but not vice-versa). No notification is issued if a device returns to the Normal state.
HPM Window: Alerts Display
The HPM window provides two different information displays: Monitoring and Alerts. Click the Alerts button to access the Alerts display.
The following illustration presents the primary features of the Alerts display.
Figure 68-5 Health and Performance Monitor: Alerts Display
Callouts: (1) Alerts button; (2) List Filter field; (3) Alerts table; (4) Refresh button; (5) Clear button; (6) Acknowledge button; (7) View Cleared Alerts button.
The Alerts display consists of seven main elements:
- Alerts button (1) – The HPM window displays either Monitoring information for devices and VPNs, or a table of alerts generated by monitored devices. Click the Alerts button to view the alerts table.
- List Filter field (2) – You can use this field to filter the alerts displayed in the table; only those alerts containing the specified text are listed. Refer to Using The List Filter Fields for more information.
- Alerts table (3) – This table lists all alerts for all currently monitored devices. The alerts displayed can be filtered using the List Filter field. You also can show and hide various columns of information for each alert. See Alerts and Notifications for more information.
- Refresh button (4) – Click this button to update all alerts ahead of the normal polling cycles.
- Clear button (5) – When one or more alerts are selected, you can click this button to open the Clear dialog box. Click the Clear button in the dialog box to close it and clear the highlighted alerts from the table.
Note See Alerts: Acknowledging and Clearing for additional information about clearing and acknowledging alerts.
- Acknowledge button (6) – When one or more alerts are selected, you can click this button to open the Acknowledge dialog box. If desired, you can enter a note that will be applied to the selected alerts. Click the Acknowledge button to close the dialog box and mark all highlighted alerts as acknowledged.
Tip You can add a note to any previously acknowledged alert. Click the Note field for that alert to open the Enter Notes dialog box. This is the only method of accessing the Enter Notes dialog box.
- View Cleared Alerts button (7) – Click this button to open the View Cleared Alerts window where you can access and view previously cleared alerts; you specify a set of devices and a time range. See Alerts: History for more information about using this window.
Alerts: Configuring
The alerts and email notifications provided by HPM are based on threshold values and state-change rules that you configure in the Alerts Configuration dialog box.
The Alerts Configuration dialog box consists of three tabbed panels: IPS for IPS sensor-related alerts, FW for firewall-related alerts, and VPN for tunnel-status alerts. Each panel presents groups of options in sections—use the expand/collapse button to show or hide a particular section.
Note You can enable and disable a particular alert without expanding that section; simply check or clear the box preceding the section heading—the current settings are used and retained.
There are two levels of device monitoring: normal or “standard” priority and “active” priority. Active priority devices are polled and reported on more frequently, and failure parameters are more stringent. You can designate up to 10% of all monitored devices for Priority monitoring. See Managing Monitored Devices for more information about device selection.
Follow these steps to configure alert reporting and notifications for both Standard and Priority devices:
Step 1 Choose Alert Configuration from the Tools menu to open the Alerts Configuration dialog box.
Step 2 On the IPS panel, configure IPS-related alerts—if necessary, click the IPS tab to display the panel.
1. To enable email Notifications when IPS alerts are generated, enter one or more valid addresses in the Email Addresses field; separate multiple addresses with commas.
2. Use the checkboxes in the section headings to enable and disable specific alerts. Expand a section to update those alert definitions. The IPS parameters are described in Alerts Configuration: IPS.
Note An email notification is sent the first time an alert is logged, and when the severity of an alert changes from warning to critical (but not vice-versa). No notification is issued if a device returns to the Normal state.
Step 3 On the FW panel, configure firewall-related alerts—click the FW tab to display the panel.
1. To enable email Notifications when firewall alerts are generated, enter one or more valid addresses in the Email Addresses field; separate multiple addresses with commas.
2. Use the checkboxes in the section headings to enable and disable specific alerts. Expand a section to update those alert definitions. The FW parameters are described in Alerts Configuration: Firewall.
Step 4 On the VPN panel, configure tunnel-status alerts—click the VPN tab to display the panel.
1. To enable email Notifications when tunnel-down alerts are generated, enter one or more valid addresses in the Email Addresses field; separate multiple addresses with commas.
2. Use the checkbox in the section heading to enable and disable tunnel-status alerts. Expand the section to update those alert definitions. The VPN parameters are described in Alerts Configuration: VPN.
Note To enable these tunnel-status alerts for a device or context, you must first configure SNMP on the device, as described in Configuring SNMP for S2S Polling.
Step 5 Click Save to save your changes and close the dialog box.
Alerts Configuration: IPS
The alerts and status information collected from monitored IPS devices are configured on the IPS panel of the Alerts Configuration dialog box. Refer to Alerts: Configuring for information about opening the dialog box, accessing the IPS panel, and providing email addresses for IPS-related Notifications.
The IPS-alert configuration parameters are grouped into sections that can be expanded and collapsed. Each section includes a checkbox next to its heading; use this checkbox to enable or disable that alert. When expanded, each section provides access to the settings used to define the alert.
The IPS alert and status configuration parameters are described in the following table. Each parameter can be configured separately for Priority Devices and Standard Devices. (Specifying devices for priority and standard monitoring is described in Managing Monitored Devices.)
Note Some of the following alert settings require specific related parameters to be configured on the monitored IPS sensors themselves. For example, if license-expiration-policy (health-monitor command) is not enabled on a particular sensor, license-expiration messages are not generated by that sensor and therefore no occurrences are tallied for it by HPM.
Table 68-4 IPS Alerts Configuration
Setting | Description
CollaborationApp Status | Errors generated by the CollaborationApp application are tallied. Alerts and Notifications are generated when the number of errors tallied reaches the specified Occurrences value.
SensorApp Status | Errors generated by the SensorApp application are tallied. Alerts and Notifications are generated when the number of events reaches the specified Occurrences value.
Bypass Mode | Any time bypass mode is triggered, one Occurrence is tallied for this setting. Alerts and Notifications are generated when the number of Occurrences reaches the value specified.
Interface Status | The status of each enabled interface is polled periodically. Each “down” result for any given interface is tallied as one Occurrence for that interface. Alerts and Notifications are generated when the number of Occurrences reaches the value specified.
License Expiration | A license-expiration threshold can be configured on each IPS sensor, and whenever this threshold is crossed, a status message is issued.
Memory Usage | A memory-usage threshold can be configured on each IPS sensor, and whenever this threshold is exceeded, a status message is issued. An Occurrence is tallied for each memory-usage message. Alerts and Notifications are generated when the number of Occurrences reaches the value specified here.
Missed Packets | A missed-packets threshold can be configured on each IPS sensor, and whenever this threshold is exceeded, a status message is issued. An Occurrence is tallied for each missed-packets message. Alerts and Notifications are generated when the number of Occurrences reaches the value specified here.
Inspection Load | A traffic inspection-load threshold can be configured on each IPS sensor, and whenever this threshold is exceeded, a status message is issued. An Occurrence is tallied for each load-exceeded message. Alerts and Notifications are generated when the number of Occurrences reaches the value specified.
Alerts Configuration: Firewall
The alerts and status information collected from monitored firewall devices are configured on the FW panel of the Alerts Configuration dialog box. Refer to Alerts: Configuring for information about opening the dialog box, accessing the FW panel, expanding and collapsing sections, and providing email addresses for FW-related Notifications.
The firewall-alert configuration parameters are grouped into sections that can be expanded and collapsed. Each section includes a checkbox next to its heading; use this checkbox to enable or disable that alert. When expanded, each section provides access to the settings used to define the alert.
Some section headings also include Consider for Device Health checkboxes. Checking one of these boxes means that particular information is considered when determining the overall health of each device.
The FW alert and status configuration parameters are described in the following table.
Table 68-5 Firewall Alerts Configuration
Failover Peer Status – The status of the link to the device’s failover peer is polled periodically. Each failed contact attempt is tallied as one Occurrence. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
For Priority devices and for Standard devices: choose Critical or Warning to specify the type of alert generated, and then specify the number of occurrences necessary to trigger the alert.
Interface Status – The status of each enabled interface is polled periodically. Each “down” result for any given interface is tallied as one Occurrence for that interface. This monitoring is per stand-alone device, and per node of an ASA cluster. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
For Priority devices and for Standard devices: choose Critical or Warning to specify the type of alert generated, and then specify the number of occurrences necessary to trigger the alert.
Note Check Consider for Device Health in the header to include these data in device-health calculations.
Master Changed – An Occurrence is tallied each time the device designated as master node of an ASA cluster changes. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
For Priority devices and for Standard devices: choose Critical or Warning to specify the type of alert generated, and then specify the number of occurrences necessary to trigger the alert.
Cluster Node Status – An Occurrence is tallied each time the Connection Status of an ASA cluster node changes (comes up or goes down). Alerts and notifications are generated when the number of occurrences reaches the values specified here.
For Priority devices and for Standard devices: choose Critical or Warning to specify the type of alert generated, and then specify the number of occurrences necessary to trigger the alert.
CPU Usage – An Occurrence is tallied each time CPU usage exceeds the specified Threshold percentage. This is per stand-alone device; per node of a single-context cluster; and per node for the system context only in a multi-context cluster. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
Note Check Consider for Device Health in the header to include these data in device-health calculations.
For Priority devices and for Standard devices, you can enable either or both Critical and Warning CPU Usage alerts:
1. Check the appropriate box to enable the Threshold and Occurrence fields.
2. Specify a Threshold percentage by clicking the up or down arrows, or by highlighting the existing value and typing a number.
3. In the Occurrence field, specify the number of times the specified Threshold must be exceeded before the critical or warning alert is issued.
Memory Usage – An Occurrence is tallied each time memory usage exceeds the specified Threshold percentage. This is per stand-alone device; per node of a single-context cluster; and per node for the system context only in a multi-context cluster. Alerts and notifications are generated when the number of occurrences reaches the values specified here.
Note Check Consider for Device Health in the header to include these data in device-health calculations.
For Priority devices and for Standard devices, you can enable either or both Critical and Warning Memory Usage alerts:
1. Check the appropriate box to enable the Threshold and Occurrence fields.
2. Specify a Threshold percentage by clicking the up or down arrows, or by highlighting the existing value and typing a number.
3. In the Occurrence field, specify the number of times the specified Threshold must be exceeded before the critical or warning alert is issued.
Alerts Configuration: VPN
The generation of alerts for site-to-site (S2S) tunnels on monitored devices and contexts is enabled and configured on the VPN panel of the Alerts Configuration dialog box. Refer to Alerts: Configuring for information about opening the dialog box, accessing the VPN panel, and providing email addresses for VPN-related Notifications.
Tip When VPN alerts are enabled, HPM polls the monitored devices and contexts at normal and Priority intervals (ten and five minutes, respectively), according to your normal/Priority designations. You also can enable SNMP monitoring which updates HPM tunnel status immediately upon processing the traps. See Configuring SNMP for S2S Polling for more about enabling SNMP processing for HPM.
The tunnel-status configuration parameters are grouped into a section that can be expanded and collapsed. When expanded, you have access to the alert settings. The checkbox next to the heading is used to enable or disable the alert.
The VPN alert parameters are described in the following table.
Table 68-6 VPN Alerts Configuration
Tunnel Status – The status of each monitored S2S tunnel is updated whenever it comes up or goes down, based on periodic polling or SNMP trap processing. Each “down” result for any given tunnel is tallied as one Occurrence. An alert is generated when the number of occurrences reaches the values specified here.
For Priority Devices and for Standard Devices, you can separately configure both Critical and Warning tunnel-down alerts: choose Critical or Warning to specify the type of alert generated, and then in the Occurrence field, specify the number of times a tunnel is down when polled before the critical or warning alert is issued.
Configuring SNMP for S2S Polling
The Health and Performance Monitor (HPM) application uses SNMP to poll site-to-site (S2S) VPN tunnels for up/down status updates. The generation of alerts for site-to-site (S2S) tunnels on monitored devices and contexts is configured on the VPN panel of the HPM Alerts Configuration dialog box. Refer to Alerts: Configuring for information about opening the dialog box, accessing the VPN panel, and providing email addresses for VPN-related Notifications.
Configuring SNMP in Security Manager to provide S2S polling is outlined here. The basic steps are:
1. Enable and configure SNMP on the SNMP Page for the device or individual context; specifically: check Enable SNMP Servers and provide and confirm the Read Community String.
2. In the SNMP Trap Configuration Dialog Box, check IPSEC Start and IPSEC Stop on the Other panel.
3. In the Add SNMP Host Access Entry Dialog Box, provide Interface Name, IP Address, Community String (and Confirm it), and choose the SNMP Version (1 or 2c).
Versions 1, 2c and 3 are supported for S2S polling, but version 3 must be configured separately, as described in the next section.
4. Configure SNMP credentials for the device or individual context in the SNMP Credentials Dialog Box.
For versions 1 and 2c, provide and confirm the RO Community String.
For version 3, Security Manager supports three modes; which to use is determined from your input:
– noauthnopriv (no authentication, no privacy) – User name is mandatory, others are optional.
– authnopriv (authentication, no privacy) – User name, Password, Auth Algorithm, and Engine ID are required.
– authpriv (authentication and privacy) – User name, Password, Auth Algorithm, Privacy Password, Privacy Algorithm, and Engine ID are required.
Again, configuration of SNMP v3 is performed separately, as described in the next section.
Configuring SNMP v3 for Security Manager Device
You cannot configure SNMP v3 directly in Security Manager; you must use CLI commands or set up a FlexConfig. The steps are:
1. Configure an SNMP server group.
snmp-server group group-name v3 [auth | noauth | priv]
The auth keyword enables packet authentication. The noauth keyword indicates no packet authentication or encryption is being used. The priv keyword enables packet encryption and authentication. There are no default values for the auth or priv keywords.
2. Define a new SNMP user.
snmp-server user username group-name {v3 [encrypted] [auth {md5 | sha}] auth-password [priv [des | 3des | aes] [128 | 192 | 256] priv-password]}
The v3 keyword specifies that the SNMP Version 3 security model is used, and enables the use of the encrypted, priv, and auth keywords. The encrypted keyword indicates the password is in encrypted format. Encrypted passwords must be in hexadecimal format.
The auth keyword specifies which authentication level (md5 or sha) is used.
The priv keyword specifies the encryption level. There are no default values for the auth or priv keywords.
For the encryption algorithm, you can specify either des, 3des, or aes. You can also specify which version of the AES encryption algorithm to use: 128, 192, or 256. The auth-password specifies the authentication user password. The priv-password specifies the encryption user password.
3. Specify the recipient of SNMP notifications.
snmp-server host interface {hostname | ip_address} [version 3 username]
Indicates the interface from which traps are sent. Identifies the name and IP address of the NMS or SNMP manager that can connect to the device.
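The three commands above assembled into one complete authpriv configuration, as an added example that is not taken from the Cisco documentation or from Security Manager itself. The group name, user name, interface name, server address and both passwords are placeholders to replace with your own values, and the final snmp-server enable traps ipsec line is the ASA CLI counterpart of the IPSEC Start and IPSEC Stop checkboxes described in the previous section (assumed from ASA syntax; it is not shown on this page).

```text
! Added example (not from the Cisco documentation). ASA CLI, SNMPv3 in
! authpriv mode, i.e. the third of the three modes listed for the
! Security Manager SNMP Credentials dialog. All names, the address and
! both passwords are placeholders.

! Step 1: the group requires authentication AND encryption (priv) for
! every user that belongs to it; noauth would let the status polls and
! tunnel traps travel in clear text, and auth alone leaves them readable.
snmp-server group HPM-V3-GROUP v3 priv

! Step 2: the polling user. SHA for authentication and AES-256 for
! privacy; md5 and des are accepted by the command but are the weakest
! choices it offers.
snmp-server user hpm-poller HPM-V3-GROUP v3 auth sha AUTH-PASSWORD-PLACEHOLDER priv aes 256 PRIV-PASSWORD-PLACEHOLDER

! Step 3: the Security Manager / HPM server as the SNMP manager, reached
! through the "management" interface, bound to the v3 user above
! (192.0.2.10 is a documentation address, substitute the HPM server's).
snmp-server host management 192.0.2.10 version 3 hpm-poller

! The IPsec tunnel start/stop traps that HPM processes for immediate
! S2S tunnel status (assumed CLI form of the IPSEC Start / IPSEC Stop
! trap checkboxes; verify against your ASA release).
snmp-server enable traps ipsec start stop
```

The entries you then make in the SNMP Credentials Dialog Box mirror this configuration: User name hpm-poller, Password and Auth Algorithm matching the auth sha password, Privacy Password and Privacy Algorithm matching the priv aes 256 password, and the Engine ID of the ASA itself, which the device reports with show snmp-server engineID. The security level of the user must satisfy what the group declares: a user defined without priv cannot be used in a group configured for priv, so a mismatch between the two commands shows up as failed polls rather than as a configuration error.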
Alerts: Viewing
All alerts generated for monitored devices are displayed as a table in an alternate screen of the HPM window. The Alerts table is updated automatically as devices are polled for status information. You can also click the Refresh button, above the table on the right side, to update the table.
These alerts are based on the threshold values and state-change rules you have configured. See Alerts: Configuring for more information.
Note See Managing Monitored Devices for information about specifying the devices to be monitored.
To switch to the Alerts screen:
- Click the Alerts button below the HPM menu bar. (Click the Monitoring button to return to the Monitoring screen.)
The Alerts listing is a basic table, consisting of rows and columns, with each row representing one alert from a given device. Each column provides specific information about that alert: device name, alert severity, time recorded, and so on. (See HPM Window: Alerts Display for more about the Alerts screen.)
Note The column headings are menus that you can use to filter the table by hiding or showing alerts according to chosen parameters. For example, you might choose to display alerts for only a particular device, and then choose only critical alerts for that device. See Working with Table Columns for more information.
In addition to scrolling the Alerts table, you can view sets of specific alerts:
- Use the List Filter field above this table to filter the list. See Using The List Filter Fields for more information.
- Use the View Cleared Alerts window to view previously cleared alerts for a selected set of devices over a specified time range. See Alerts: History for more information.
You also can acknowledge alerts, clear alerts, and edit alert notes:
- You can acknowledge an alert, or clear it, as described in Alerts: Acknowledging and Clearing.
- To add to an existing alert note, click the Notes field for that entry in the table to open the Enter Notes dialog box, which is used to view and add notes to an alert. This is available only when a single alert with an existing note is selected in the table.
Alerts: Acknowledging and Clearing
All alerts generated for monitored devices are displayed in the Alerts table, as described in Alerts: Viewing. You can add notes to individual alerts, and you can acknowledge or clear alerts individually or in groups.
To select an alert, click that entry in the Alerts table. You can Shift-click another alert to select the group between the two, and you can Ctrl-click various rows to select multiple non-contiguous alerts.
When an alert is selected in the table, you can:
- Click the Acknowledge button to open the Acknowledge Alert dialog box, used to add a note to, and then mark the selected alert(s) as acknowledged. You can acknowledge multiple alerts at one time.
Enter text in the Notes field in this dialog box (this is optional), and then click OK. The dialog box closes and the alerts are marked as acknowledged with a timestamp displayed in the Notes column.
- Click the Clear button to open the Clear Alert dialog box, used to add a note to, and then remove the selected entries from the Alerts table.
Enter text in the Notes field in this dialog box (this is optional), and then click OK. The dialog box closes and the selected alerts are removed from the Alerts table.
Note Alerts can be cleared automatically by HPM if you change the relevant threshold(s). Like alerts you have cleared, these alerts can be viewed in the View Cleared Alerts window (see Alerts: History).
Notes and other information for cleared alerts are saved in an Alerts database for 30 days.
Alerts: History
All alerts generated for monitored devices are displayed as a table in the HPM window. You can filter the table by any visible column parameter, as described in Alerts: Viewing.
You also can use the View Cleared Alerts window to access and view previously cleared alerts; you specify a set of devices and a time range. (Clearing alerts is described in Alerts: Acknowledging and Clearing.)
Note Notes and other information for cleared alerts is maintained in an Alerts database for 30 days—you cannot access alerts more than 30 days old.
Follow these steps to open and use the View Cleared Alerts window:
1. In the Alerts screen, click the View Cleared Alerts button next to the List Filter field to open the View Cleared Alerts window. (See Alerts: Viewing for more information about accessing the Alerts screen of the HPM window.)
2. Specify the alert View Settings; these define the set of alerts you wish to view:
– Specify the devices of interest; All devices are selected by default. To select a particular set of devices:
a. Click the Select button to open the Select Devices dialog box.
b. Select the desired device(s); deselect any devices you wish to exclude.
c. Click OK to close the Select Devices dialog box.
– Specify the types of Alerts to display: select or deselect Critical, Warning and Normal.
– Define the desired Time Range by choosing a From date and time, and a To date and time. All alerts with a First Seen time within this range will be displayed.
From and To each present a standard drop-down calendar used to select a month and day.
Use the time field below each calendar to specify the precise start or end time, respectively. Highlight a digit and click the up or down arrow, or simply type the desired number. You can also click the Now button to specify the present moment.
3. Click the Search button to display the defined set of alerts.
Note that the View Cleared Alerts window provides a List Filter field that you can use to filter the cleared-alerts display. Using this field is described in Using The List Filter Fields.
Refer to Working with Table Columns for other methods of filtering this table.