FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 191734

Description

Summary of Topic

Accelops support for Cisco IPS has two major functions: Cisco IPS device performance monitoring and Cisco IPS event pulling. This document focuses on how to debug why Accelops could not get events from a Cisco IPS.

Accelops pulls Cisco IPS events through the Cisco IPS SDEE (Security Device Event Exchange) interface.

 

Steps

Problem 1: Cisco IPS SDEE Discovery Failure

There are three common causes of an SDEE discovery failure: an incorrect username/password, the Accelops VA/Collector IP not being in the IPS “Allowed Hosts/Networks” list, and no free subscription ID on the IPS.

Incorrect user/password: this can be identified by running “Test Connectivity” in the Accelops GUI.

Accelops VA/Collector IP not in the IPS “Allowed Hosts/Networks” list: the IPS only accepts SDEE connections from the listed hosts/networks, so the VA/Collector address (or its network) must be added there.

(Screenshot: Cisco IPS “Allowed Hosts/Networks” configuration)

Not enough subscription IDs: the following steps confirm this issue.

A subscription ID is how Cisco IPS tracks a connection from a remote SDEE client, such as a web browser or Cisco IME; it is similar to a cookie. By default, Cisco IPS allows at most 5 concurrent subscription IDs.

1)  In the Accelops GUI, “Test Connectivity” or “Discover” returns an error message indicating a subscription error.

2)  SSH to the Cisco IPS and run “show statistics sdee-server”. It shows Max Available Subscriptions, Open Subscriptions and the list of subscription IDs. If “Open Subscriptions” equals “Max Available Subscriptions”, every slot is taken; go to the next step.

(Screenshot: output of “show statistics sdee-server”)

3)  Check the current web sessions with “show statistics web-server” and look at the IP addresses whose URI is cgi-bin/sdee-server. If the Accelops IP is not in that list, every subscription ID is held by another client and Cisco IPS has no free subscription ID to give to Accelops.

(Screenshot: output of “show statistics web-server”)

4)  Solution: free a subscription ID for Accelops.

Replace IPofIPS with the IP of your Cisco IPS, and replace subscriptionID with the subscription ID to be deleted, for example “sub-17-21379f11” from step 2.

Note that some SDEE clients, such as Cisco IME, reconnect to the Cisco IPS automatically: if you remove the subscription ID that IME is using, IME will immediately obtain a new one, and the slot is taken again before Accelops can use it. Stop IME first, then remove its ID.
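The checks in steps 2 and 3 are easy to get wrong by eye when a sensor has several clients. The script below is an added example, not part of the original article or of Accelops/FortiSIEM itself: it parses the two CLI outputs and tells you whether the sensor is out of subscription slots and whether the collector already holds one. The two sample outputs are constructed to resemble “show statistics sdee-server” and “show statistics web-server”; the exact field names and layout on a real sensor may differ by software version, so the regular expressions are assumptions to adjust against your own output. The collector IP 10.1.1.50 and the other addresses are also made up.

```python
import re

# Constructed sample of "show statistics sdee-server" on a sensor whose
# five subscription slots are all in use. Field names are an assumption.
SDEE_STATS = """\
General
   Open Subscriptions = 5
   Blocked Subscriptions = 0
   Maximum Available Subscriptions = 5
   Maximum Events Per Retrieval = 500
Subscriptions
   sub-17-21379f11
      State = Read Pending
   sub-18-0a9c4d22
      State = Read Pending
   sub-19-5e1f0b33
      State = Read Pending
   sub-20-77aa2c44
      State = Read Pending
   sub-21-c3d5e655
      State = Read Pending
"""

# Constructed sample of the session part of "show statistics web-server".
# Two SDEE clients (e.g. IME consoles) and one IDM browser session.
WEB_STATS = """\
listener-443
   session 1: remote host = 10.1.1.20 uri = cgi-bin/sdee-server
   session 2: remote host = 10.1.1.21 uri = cgi-bin/sdee-server
   session 3: remote host = 10.1.1.5 uri = cgi-bin/idm
"""

COLLECTOR_IP = "10.1.1.50"  # assumed Accelops VA/Collector address


def parse_sdee_stats(text):
    """Return (open_subscriptions, max_subscriptions, [subscription ids])."""
    open_subs = int(re.search(r"Open Subscriptions\s*=\s*(\d+)", text).group(1))
    max_subs = int(re.search(r"Maximum Available Subscriptions\s*=\s*(\d+)", text).group(1))
    # Subscription IDs sit alone on an indented line, e.g. "   sub-17-21379f11".
    ids = re.findall(r"^\s+(sub-\d+-[0-9a-f]+)\s*$", text, re.MULTILINE)
    return open_subs, max_subs, ids


def sdee_clients(text):
    """Return the set of remote IPs that hold a cgi-bin/sdee-server session."""
    return set(re.findall(r"remote host = (\S+) uri = cgi-bin/sdee-server", text))


def diagnose(sdee_text, web_text, collector_ip):
    """Apply the article's step 2 and step 3 logic to the two outputs.

    Returns a dict with 'exhausted' (True when no slot is available for the
    collector) plus supporting detail. When exhausted, 'candidate_ids' lists
    every open subscription; the CLI output does not map IDs to client IPs,
    so the operator still has to pick which one to release (and stop an
    auto-reconnecting client such as IME first).
    """
    open_subs, max_subs, ids = parse_sdee_stats(sdee_text)
    clients = sdee_clients(web_text)
    result = {"open": open_subs, "max": max_subs, "sdee_clients": sorted(clients)}
    if open_subs < max_subs:
        # Step 2: a free slot exists, so the problem is elsewhere.
        result.update(exhausted=False, reason="free subscription slot available")
    elif collector_ip in clients:
        # Step 3: slots are full but one of them is already the collector's.
        result.update(exhausted=False, reason="collector already holds a subscription")
    else:
        result.update(exhausted=True, reason="all subscriptions held by other clients",
                      candidate_ids=ids)
    return result


if __name__ == "__main__":
    verdict = diagnose(SDEE_STATS, WEB_STATS, COLLECTOR_IP)
    print(f"open={verdict['open']} max={verdict['max']} clients={verdict['sdee_clients']}")
    print(f"exhausted={verdict['exhausted']}: {verdict['reason']}")
    for sub_id in verdict.get("candidate_ids", []):
        print("  candidate to release:", sub_id)
```

Paste the real output of the two commands into SDEE_STATS and WEB_STATS (or read them from files) and set COLLECTOR_IP to the address of the VA or Collector that performs the discovery; an "exhausted=True" verdict is the condition that step 4 resolves.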

 

Problem 2: Cisco IPS SDEE Event Pulling Failure

Scenario: the IPS has been discovered in Accelops and is listed and enabled on the Admin > Setup Wizard > Pull Events page, but Accelops pulls no events even though you are sure the Cisco IPS has events (you can verify this with Cisco IME or another SDEE client).

Possible cause: no free subscription ID. To confirm:

(1) SSH to the Accelops VA/Collector and run cd /opt/phoenix/log
(2) Run tail -f phoenix.log | grep IPofIPS (replace IPofIPS with the IP of the IPS device). Within about a minute you will see a line containing “Subscription error”.

Solution: free a subscription ID for Accelops, as in Problem 1, step 4.

 

Version Application

All
