FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
Andy_G
Staff
Article Id 196886

Description

Summary of Topic


In order to get the correct SRC IP and DST IP from Cisco PIX or ASA SYSLOG, AO has to know the security level of each interface. A log message from a Cisco PIX or ASA does not carry that information. It is pulled from the CMDB, where each interface's security level is stored. The interface with the higher security level is treated as the inside interface; the interface with the lower security level is treated as the outside interface of the device.

NOTE: This information is pulled from SSH/Telnet Discovery. If you cannot use SSH/Telnet, you can manually configure the security level of each interface in the CMDB.

If the interface security levels are configured correctly and the interface information has been retrieved, the parser sets the inbound/outbound interfaces according to the security level of each interface at that point.

So, during the event parsing phase, the source and destination interfaces are detected from the SYSLOG event. After this information has been parsed from the event, the security levels of those interfaces are compared using the CMDB, and source and destination are swapped according to their security levels.


For example:
The inside interface should have a security level of 100.
The outside interface should have a security level below 100 (by default, 0).
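As an added example (not FortiSIEM's or AccelOps' own parser code), the Python below applies the rule described above to constructed %ASA-6-302013 connection messages: it extracts the two interface:ip/port endpoints, looks their interfaces up in a constructed CMDB table of security levels, and treats the endpoint on the lower-security interface as the source. The source/destination convention, the CMDB table and the messages are assumptions for illustration; when an interface has no discovered or manually set level, the logged order is kept and flagged so the gap is visible.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed CMDB data: interface name -> security level (0-100), as
# SSH/Telnet discovery or manual CMDB configuration would populate it.
CMDB_SECURITY_LEVELS: Dict[str, int] = {"inside": 100, "dmz": 50, "outside": 0}

# Endpoint pairs in PIX/ASA connection messages such as %ASA-6-302013:
# "... for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)".
ENDPOINT_RE = re.compile(
    r"for (?P<if1>[\w-]+):(?P<ip1>[\d.]+)/(?P<port1>\d+)(?: \([^)]*\))?"
    r" to (?P<if2>[\w-]+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)


@dataclass
class Normalized:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    swapped: bool       # True when CMDB levels reversed the logged order
    levels_known: bool  # False when an interface has no level in the CMDB


def normalize(msg: str, cmdb: Dict[str, int] = CMDB_SECURITY_LEVELS) -> Optional[Normalized]:
    m = ENDPOINT_RE.search(msg)
    if not m:
        return None  # not a connection message with two endpoints
    a = (m["ip1"], int(m["port1"]))
    b = (m["ip2"], int(m["port2"]))
    lvl_a, lvl_b = cmdb.get(m["if1"]), cmdb.get(m["if2"])
    if lvl_a is None or lvl_b is None:
        # Not discovered and not set manually: keep the logged order and flag it.
        return Normalized(*a, *b, swapped=False, levels_known=False)
    # Convention assumed for this example: the endpoint on the lower-security
    # (outside) interface is the source; the higher-security (inside) one is the destination.
    if lvl_a > lvl_b:
        return Normalized(*b, *a, swapped=True, levels_known=True)
    return Normalized(*a, *b, swapped=False, levels_known=True)


if __name__ == "__main__":
    # Constructed sample messages, not captured from a real device.
    for line in (
        "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 "
        "(203.0.113.5/51234) to inside:10.0.0.10/443 (10.0.0.10/443)",
        "%ASA-6-302013: Built inbound TCP connection 1003 for mgmt:192.0.2.3/5000 "
        "(192.0.2.3/5000) to inside:10.0.0.30/22 (10.0.0.30/22)",
    ):
        print(normalize(line))
```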

Additional Information

For information on how to configure the security levels manually, refer to the related KB article "How to set interface security levels for Cisco PIX / ASA on AO's CMDB?".


Related Articles

Technical Note: [Accelops KB] How to set interface security levels for Cisco PIX / ASA on AO's CMDB
