Configuring Global Settings
This chapter explains how to configure a variety of global settings. It contains the following sections:
• Setting a Verify Connection Schedule
• Managing Administrator Accounts
Configuring Notifications
Certain incidents, errors, or events on the network, such as OPACL matching or license expiration, require immediate action. To monitor the incidents and events related to your outbreak protection strategy, configure Cisco ICS notifications. Send messages to the Cisco ICS administrator via email, write entries in the Windows Event log, or do both when certain incidents, errors, or events occur.
This section describes notifications and how to configure them. It contains the following topics:
• Incident and Event Types for Notifications
• Selecting Notifications and Modifying Messages
• Notification Message Example
Incident and Event Types for Notifications
Check any of the following check boxes to enable notifications for these incidents, errors, and events:
•Incidents:
–OPSig Matches—An IPS device detects a virus.
–OPACL Matches—A switch, router, or IPS device detects network traffic that matches the configuration settings in its OPACL.
•Errors:
–Event Log Errors—An error-severity event, such as a device communication or authentication error, the Cisco ICS service stopping for an unknown reason, or an unsuccessful database backup attempt. For more information about the different types of errors, see About Incidents, Events, and Severity Levels, page 10-2. For more information about resolving errors, see Device Configuration Troubleshooting Tips, page D-8.
•Events:
–OPSig Downloaded
–Outbreak Management Task Downloaded
–Outbreak Management Task Started
–Outbreak Management Task Stopped
–Report Generated
–License Expired—Cisco ICS sends a notification message on the following number of days after expiration: 30, 15, 7, and 1.
Selecting Notifications and Modifying Messages
By default, no notifications are selected. Select the notifications to send and either use the default messages or modify them. For information on displaying details in messages, such as the names of viruses, see Using Token Variables.
Note Cisco ICS saves notifications even if you do not enable them.
To choose notifications and to modify messages, follow these steps:
Step 1 Choose Global Settings > Notifications.
The Events tab appears by default.
Step 2 Check the check boxes next to the incidents or events for which Cisco ICS should send notices.
If you checked OPSig matches or OPACL matches, specify the following parameters:
•The number of incidents
•The number of minutes during which the incidents occur
If you checked Event logs, specify how many minutes Cisco ICS waits after receiving the first error event before it sends a notice. Cisco ICS does not keep sending a notice at every interval you specified unless it continues to receive error events from devices.
For example, if you enter 10 minutes, and Cisco ICS receives error events at 1:00 p.m., 1:02 p.m., 1:12 p.m., and 1:30 p.m., Cisco ICS sends a notification at the following times:
•1:10 p.m.—10 minutes after the first error event, consolidating two errors.
•1:22 p.m.—10 minutes after the next event that occurs after the last notification.
•1:40 p.m.—10 minutes after the next event that occurs after the last notification.
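The consolidation rule above (one notice per window, the window opened by the first error that follows the previous notice) can be reproduced in code. The following Python is an added example and not part of the Cisco ICS product or this guide; the event timestamps are the ones from the guide's example placed on an arbitrary date, and the treatment of an error that arrives exactly when a notice is due is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample: the four error-event times from the guide's example,
# placed on an arbitrary date.
SAMPLE_EVENTS = [
    datetime(2006, 4, 7, 13, 0),
    datetime(2006, 4, 7, 13, 2),
    datetime(2006, 4, 7, 13, 12),
    datetime(2006, 4, 7, 13, 30),
]


def consolidate_notifications(events, interval_minutes):
    """Return a list of (notice_time, [errors folded into that notice]).

    The first error after a notice (or after start-up) opens a window of
    interval_minutes.  Every error inside that window is folded into one
    notice that is sent when the window closes.  An error that arrives at or
    after the close of the window starts a fresh window (assumption: an error
    landing exactly on the notice time goes into the next notice).  With no
    errors, no notices are produced.
    """
    window = timedelta(minutes=interval_minutes)
    notices = []
    pending = []   # errors waiting for the current window to close
    due = None     # time at which the current window closes
    for event in sorted(events):
        if due is not None and event >= due:
            # The window closed before this error arrived: flush it.
            notices.append((due, pending))
            pending, due = [], None
        if due is None:
            due = event + window
        pending.append(event)
    if pending:
        notices.append((due, pending))
    return notices


def notification_times(events, interval_minutes):
    """Human-readable summary: (HH:MM notice time, number of errors consolidated)."""
    return [
        (when.strftime("%H:%M"), len(errors))
        for when, errors in consolidate_notifications(events, interval_minutes)
    ]


if __name__ == "__main__":
    for when, count in notification_times(SAMPLE_EVENTS, 10):
        print(f"{when}: notice consolidating {count} error(s)")
```

Running it with the guide's four events and a 10-minute interval yields notices at 13:10 (two errors), 13:22 and 13:40, the same schedule the guide lists.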
Step 3 Click the name of the incident or event to configure the following notification items:
•Mail Notification:
–Send email notifications to the following recipients—Check the check box to enable the notification.
–To, Subject, Message—Enter the destination email address. If necessary, modify the default subject line and message.
•Windows Event log:
–Write to Windows Event Log—Check the check box to write to the Windows Event log.
Note View Windows Event Log notifications in the Windows Event Viewer. To access the viewer, choose Control Panel > Administrative Tools > Event Viewer > Application Log. See your Windows documentation for details on the Event Viewer.
Step 4 Click Save.
Using Token Variables
Notifications for OPACL and OPSig matches can include the following token variables to display important details:
•OPSig matches
–%VC: number of OPSig matches.
–%VS: number of computers that Cisco ICS detects as the source of a network virus outbreak when OPSig matching occurs. If an IPS device detects a host as the source of a specific network virus outbreak more than once, Cisco ICS counts the host only once.
–%VD: number of OPSig matches. If network traffic from a specific virus matches the OPSig more than once, Cisco ICS counts the match only once.
–%VI: number of device interfaces detecting the OPSig matches. If an interface detects OPSig matches from a specific virus more than once, Cisco ICS counts the match only once.
•OPACL matches
–%OC: number of OPACL matches.
–%OS: number of computers whose source traffic matched OPACL rules. If a computer generates traffic that matches an OPACL more than once, Cisco ICS counts the OPACL match only once.
–%OD: number of OPACL matches. If a device detects OPACL matches from a specific virus more than once, Cisco ICS counts the match only once.
–%DC: number of devices detecting traffic that matched OPACL rules. If a device detects OPACL matches from a specific virus more than once, Cisco ICS counts the match only once.
•Event log errors
–%EC: number of event errors
•Other variables
–\n: line break
–\\: a single backslash
Notification Message Example
The following is the default notification message for OPSig matches:
OPSig matched.\n%VC viruses were found in %VI interfaces.\nThere were %VS sources of infection and %VD infections.
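The token variables and the \n and \\ escapes listed above form a small template language. The following Python renderer is an added example, not code from Cisco ICS or this guide: it expands the documented tokens in one left-to-right pass so that the two-character sequence \\ is resolved exactly once (so "\\n" becomes a backslash followed by the letter n, not a line break), leaves unknown tokens untouched so that a typo in a template stays visible in the delivered notice, and derives the %VS, %VD and %VI values from a constructed list of match records using the "count only once" rule the guide gives for each token. The record layout (source, virus, interface keys) is an assumption.

```python
import re

# The guide's default OPSig message as it would be typed into the Message field.
DEFAULT_OPSIG_MESSAGE = (
    "OPSig matched.\\n%VC viruses were found in %VI interfaces."
    "\\nThere were %VS sources of infection and %VD infections."
)

# Tokens documented by the guide; any other %XX sequence is left as-is.
KNOWN_TOKENS = {"VC", "VS", "VD", "VI", "OC", "OS", "OD", "DC", "EC"}

# One pattern covering both escapes and tokens.  Alternation is tried in
# order at each position, so a literal "\\" is consumed before "\n" can match.
_TEMPLATE_RE = re.compile(r"\\\\|\\n|%([A-Z]{2})")


def render_message(template, values):
    """Expand %XX tokens and the \\n / \\\\ escapes of a notification template."""
    def replace(match):
        text = match.group(0)
        if text == "\\\\":      # escaped backslash -> single backslash
            return "\\"
        if text == "\\n":       # escaped n -> real line break
            return "\n"
        token = match.group(1)
        if token in KNOWN_TOKENS and token in values:
            return str(values[token])
        return text             # unknown token or missing value: keep visible
    return _TEMPLATE_RE.sub(replace, template)


def opsig_token_values(matches):
    """Token values for an OPSig incident from a list of match records.

    Each record is a dict with 'source', 'virus' and 'interface' keys
    (constructed shape; the guide does not document the record format).
    %VC counts every match; %VS, %VD and %VI count each distinct source host,
    virus and interface once, which is the deduplication rule the guide states.
    """
    return {
        "VC": len(matches),
        "VS": len({m["source"] for m in matches}),
        "VD": len({m["virus"] for m in matches}),
        "VI": len({m["interface"] for m in matches}),
    }


# Constructed sample: the same host hit twice by the same virus on one
# interface, plus a second host on another interface.
SAMPLE_MATCHES = [
    {"source": "10.1.1.5", "virus": "WORM_A", "interface": "Gi0/1"},
    {"source": "10.1.1.5", "virus": "WORM_A", "interface": "Gi0/1"},
    {"source": "10.1.1.9", "virus": "WORM_A", "interface": "Gi0/2"},
]


def render_sample():
    """Render the default OPSig message for the constructed sample."""
    return render_message(DEFAULT_OPSIG_MESSAGE, opsig_token_values(SAMPLE_MATCHES))


if __name__ == "__main__":
    print(render_sample())
```

For the constructed sample the tokens resolve to VC=3, VS=2, VD=1 and VI=2, so the rendered notice reads "3 viruses were found in 2 interfaces" on its second line; the odd plural comes from the guide's own default wording, which counts matches, not distinct viruses, in %VC.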
Configuring SMTP Settings
You can configure SMTP server settings to enable Cisco ICS to send email notices.
To configure SMTP settings, follow these steps:
Step 1 Choose Global Settings > Notifications.
The Events tab displays by default.
Step 2 Click the SMTP Server tab.
Step 3 Enter the SMTP server domain name and the port it uses.
The default is port 25.
Step 4 Click Save.
Managing Syslog Servers
The Cisco ICS server can send its logs to any Syslog servers on the network. A maximum of eight Syslog servers is allowed.
Note If a Syslog server is installed on the same computer as Cisco ICS, it can have the same IP address as the Cisco ICS server, but it must have a different port number than 514, the default.
To add a Syslog server, follow these steps:
Step 1 Choose Global Settings > Syslog Servers.
Step 2 Click Add.
The Add Syslog Server window appears.
Step 3 Enter the Syslog server IP address and UDP port number.
The default is port 514.
Step 4 Click Save.
A confirmation message appears.
Step 5 Click Back to return to the Syslog Server window.
Step 6 Make sure the Syslog Server Service is active to start receiving log information.
Setting a Verify Connection Schedule
You can set a verification schedule to automate the task of verifying that the Cisco ICS server can communicate with the devices registered to it.
Note You should verify the connection daily, which is the default selection.
To set a verify connection schedule, follow these steps:
Step 1 Choose Global Settings > Verify Connection Settings.
Step 2 Check the Enable verify connection schedule check box.
Step 3 Under Verify Connection Schedule, choose one of the following frequency settings:
•Once—Verifies connection only after you click Save. This is the same as verifying the connection from the Device List window. Select a start time.
•Every Minute—Verifies the connection every { } minutes. Select the interval.
•Hourly—Selects a start time in minutes after the hour. For example, if the current time is 5:53 and you select 54, the verify connection begins in 1 minute. If the current time is 5:53 and you select 52, the verify connection begins at 6:52.
•Daily—Selects a start time.
•Weekly, every { }—Selects a day and start time from the lists.
Step 4 Click Save.
Managing Administrator Accounts
This section describes how to create and manage Administrator accounts. It contains the following topics:
• About Administrator Accounts
About Administrator Accounts
You can create administrator accounts to log in to the Cisco ICS web console. Two types of accounts are available:
•Root account—Cisco ICS allows a single root account to manage all other accounts. The root account is created during Cisco ICS installation. You cannot modify or delete the username; however, you can change the password.
•User accounts—Cisco ICS allows a maximum of seven user accounts. Users who log in with a user account can modify the credentials for that account only.
Note The only difference between the root account and the user accounts is the ability to add, delete, or modify user accounts. Owners of user accounts can modify only their own credentials. Both account types allow full access to Cisco ICS features.
The Administrator Account window displays the following information:
•Username—The name of the root or user account.
•Last Logon Date/Time—The last time this account was used to log in to the web console.
Creating a User Account
To create a user account, follow these steps:
Step 1 Start the Cisco ICS web console and log in to it with the root account.
Step 2 Choose Global Settings > Administrator Accounts.
Step 3 Click Add.
The Add Account window appears.
Step 4 Enter the new username and password.
The username must be 1 to 32 alphanumeric characters long, and passwords must be 4 to 32 alphanumeric characters long. The username is not case sensitive. The following characters are not allowed: / \ [ ] " : ; | < > + = , ? ' * !
Step 5 Click Save.
A confirmation message appears.
Step 6 Click Back to return to the Administrator Accounts window.
Managing Certificates
Digital certificates add security to your network environment. By using device-generated certificates, the Cisco ICS server validates whether it is communicating with the correct network devices to stop the spread of threats. Without certificates, Cisco ICS could not guarantee it is deploying threat-protection components to the correct devices, which increases the chances that your network is exposed to risks.
This section describes how to use and manage certificates. It contains the following topics:
• Importing Untrusted Device Certificates
• Adding Multiple Devices and Certificates
Importing Certificates
By default, all network devices that Cisco ICS supports generate a digital certificate. Cisco ICS obtains certificate information from the devices when you add them to the device list, but you must import the certificates through the web console. If you do not import a device's certificate, the device appears offline in the device list and you cannot manage it. You can import a certificate at the time you are adding the device, or later from the Device Certificates window.
Importing Untrusted Device Certificates
Untrusted certificates are device certificates that you did not import when you added a device. You cannot manage devices with untrusted certificates. The Untrusted Certificates window allows you to import or delete untrusted certificates and view untrusted certificate details. The following information appears on this screen:
•Fingerprint—The hash value of the encoded certificate.
•Device IP Address—The IP address of the device to which the certificate belongs.
•Device Port—The port on the device to which the certificate belongs.
If you did not import a device's certificate when you added it, Cisco ICS considers the certificate untrusted and the device appears offline in the device list tree. You can import the untrusted certificate at any time to bring the device online.
To import untrusted device certificates, follow these steps:
Step 1 Choose Global Settings > Device Certificates.
Step 2 Check the check box next to the certificates you want to import.
Step 3 Click Import.
Adding Multiple Devices and Certificates
If you are using the tool for adding multiple devices, follow these steps:
Step 1 Run the tool so that Cisco ICS can receive the certificate information.
Step 2 Import the certificates from the Device Certificates window.
Step 3 Run the tool again to finally add the devices to the device list.
For the procedure, see Adding Multiple Devices, page 4-5.
Viewing Certificate Details
You can view the details of each certificate on the Cisco ICS server and verify that they match the certificate details on the devices. When you add a device through the web console, a window displays the device's certificate details. You can establish a telnet, console, or aux connection to the device and use the appropriate command to verify that the certificate on the device is the same as the certificate you are importing.
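The comparison described above (the fingerprint shown in the Untrusted Certificates window against the one the device itself reports over a console connection) is what turns an untrusted certificate into a trusted one. The following Python is an added example and not part of Cisco ICS or this guide: it extracts the DER bytes from a PEM certificate, computes the colon-separated fingerprint, normalises case and separators so values copied from different tools compare, and selects only those Untrusted Certificates rows whose fingerprint matches what was read off the device. The certificate bytes are constructed, and the hash algorithm is a parameter because the guide does not say which one the window displays.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a device certificate (not valid ASN.1; a real
# certificate would be the DER obtained from the device, and the hashing is
# identical).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def der_from_pem(pem_text):
    """Return the DER bytes held inside a PEM CERTIFICATE block."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(der, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the encoded certificate."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Strip separators and case so fingerprints from different tools compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(der, expected_fp, algorithm="sha1"):
    """True only if the certificate's digest equals the expected fingerprint.

    compare_digest keeps the comparison constant-time; the decision to import
    should rest on this check rather than on the IP address and port alone.
    """
    return hmac.compare_digest(normalize(fingerprint(der, algorithm)),
                               normalize(expected_fp))


def certificates_to_import(untrusted_rows, console_fingerprints):
    """Rows of the Untrusted Certificates window that pass verification.

    untrusted_rows: dicts with 'fingerprint', 'ip' and 'port' (the window's
    three columns).  console_fingerprints: {(ip, port): fingerprint} read from
    each device console.  Rows with no console value or a mismatch are left
    untrusted.
    """
    verified = []
    for row in untrusted_rows:
        expected = console_fingerprints.get((row["ip"], row["port"]))
        if expected is not None and hmac.compare_digest(
            normalize(row["fingerprint"]), normalize(expected)
        ):
            verified.append(row)
    return verified


if __name__ == "__main__":
    print("fingerprint:", fingerprint(der_from_pem(SAMPLE_PEM)))
```

Only the rows returned by certificates_to_import would be checked in Step 2 of the import procedure; a row whose fingerprint cannot be confirmed against the device stays offline rather than being imported on the strength of its IP address.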
Updating Certificates
You must update the device certificates on the Cisco ICS server if the certificates on the device change, if you reimage the device's operating system, or if you generate a new certificate on the device. See the documentation for your Cisco devices for more information on certificates.
Managing Licenses
You can view existing licensing information and import a new license through the web console.
This section describes licenses and how to manage them. It contains the following topics:
• About Cisco ICS Server Trial and Full Versions
• Registering for a License File
About Cisco ICS Server Trial and Full Versions
The trial version of Cisco ICS allows full product functionality for a limited amount of time. You can upgrade to a full version by obtaining a full version Product Activation Key from Cisco and importing it through the web console. Contact your sales representative for details. Note the following:
•When the trial version expires, Cisco ICS can no longer download components, including OPACLs and OPSigs.
•You cannot upgrade from one trial license to another trial license.
•Full versions never expire.
Note Do not confuse device licenses with the Cisco ICS license. The full version of the Cisco ICS license, which you import during installation, never expires. However, device licenses expire. For more information, see About Device Licenses.
If you installed Cisco ICS with a trial version license and want to upgrade to the full version, you must import the full version license before importing the device licenses.
About Device Licenses
The following types of device licenses are available:
•ACL license—Allows router and switch management, including the ability to create, download, and deploy outbreak management tasks and their associated OPACLs.
•IPS Low-end License—Allows router, switch, and low-end IPS device management, including the ability to create, download, and deploy outbreak management tasks, their associated OPACLs, and OPSigs.
•IPS High-end License—Allows router, switch, and high-end IPS device management, including the ability to create, download, and deploy outbreak management tasks, their associated OPACLs, and OPSigs.
The license file you imported during Cisco ICS server installation gives you the right to manage a certain number of network devices. You cannot add more devices to the device list tree than you have licenses for.
Table 9-1 contains important information about each type of device and its required license.
Device License Expiration
When a device license expires, you cannot manage the devices that previously used the license. Cisco ICS moves existing devices on the device list to the Expired Device folder and disables the OPACL on those devices. The devices can no longer receive OPACLs or OPSigs.
Note Do not confuse device licenses with the Cisco ICS license. The full version of the Cisco ICS license, which you import during installation, never expires.
Device License Renewal
Contact your Cisco sales representative for information about how to renew device licenses. After renewal, move the devices from the Expired Device folder to other locations in the device directory.
Registering for a License File
When you obtain a new license file from Cisco, save it on the computer on which Cisco ICS is installed and then import it from the Licenses window. If you did not register with Cisco to obtain a license file, you can do so now.
To register for a license file, follow these steps:
Step 1 Choose Global Settings > Licenses.
Step 2 Click Import License File.
Step 3 Click Registered Users to register with Cisco if you already have a Cisco.com account, or click Non-registered Users if you do not have a Cisco.com account.
Another window opens directing you to the Cisco website.
Step 4 Follow the instructions on the Cisco website to obtain the license file.
Importing a License File
To import a license file, follow these steps:
Step 1 Choose Global Settings > Licenses.
Step 2 Click Import License File.
Step 3 Click Browse.
Step 4 Select the license file.
Step 5 Click Import.
Viewing License Information
The Licenses window displays summary information for all Cisco ICS licenses, including expired licenses.
To view license information, follow these steps:
Step 1 Choose Global Settings > Licenses.
The License Summary table displays aggregate information for all active licenses:
•Available ACL Licenses—The number of routers and switches allowed to register with Cisco ICS.
•Available IPS Low-end Licenses—The number of routers, switches, and low-end IPS devices allowed to register with Cisco ICS.
•Available IPS High-end Licenses—The number of routers, switches, and high-end IPS devices allowed to register with Cisco ICS.
•Host ID—The MAC address of the Cisco ICS server.
Note You will receive an email when your license enters its grace period. You can enable Cisco ICS to send a notification message the following number of days after expiration: 30, 15, 7, and 1. For more information, see Configuring Notifications.
Step 2 Choose one of the following from the Display list:
•All licenses
•Active licenses
•Expired licenses
The following information appears in the table:
•License Type—Cisco Incident Control Server, ACL Outbreak Management License, and IPS Outbreak Management License
•Mitigation Devices—The number of device licenses available for each license type
•Expiration Date
•Version Type—Trial or full version
Backing Up the Database
The Cisco ICS database contains configuration information about managed devices and contains all logs. If the database becomes corrupt, you can restore configuration settings from a backup. For more information, see Restoring Program Settings, page D-1.
You can back up the database manually at any time or configure a schedule for automatic backup. When backing up the database, Cisco ICS helps defragment the database and repairs index file corruption, if any. Cisco ICS preserves seven backups and deletes additional backups starting with the oldest.
Caution Do not back up the database with any other tool or software.
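The retention rule stated above (seven backups preserved, any extra removed starting with the oldest) is simple to state but easy to get wrong when other files share the backup folder. The following Python is an added example, not Cisco ICS code: it prunes a backup directory by the timestamp embedded in each backup's name rather than by file modification time, so that copying or restoring a backup does not change which ones are deleted, and it never touches entries that do not follow the naming scheme. The naming scheme itself is an assumption, since the guide does not document how Cisco ICS names backup files.

```python
import re
import shutil
import tempfile
from pathlib import Path

KEEP = 7  # the guide: seven backups are preserved, the oldest removed first

# Assumed naming scheme: backup-YYYYMMDD-HHMMSS (file or folder).
BACKUP_NAME = re.compile(r"^backup-(\d{8}-\d{6})$")


def prune_backups(backup_dir, keep=KEEP):
    """Delete the oldest backups beyond `keep`; return the names removed.

    Ordering comes from the timestamp in the name, so touching or copying
    the files cannot promote an old backup past a newer one.  Anything that
    does not match BACKUP_NAME is ignored entirely.
    """
    backups = [p for p in Path(backup_dir).iterdir() if BACKUP_NAME.match(p.name)]
    backups.sort(key=lambda p: BACKUP_NAME.match(p.name).group(1))
    excess = max(0, len(backups) - keep)
    removed = []
    for path in backups[:excess]:
        if path.is_dir():
            shutil.rmtree(path)
        else:
            path.unlink()
        removed.append(path.name)
    return removed


def demo():
    """Prune a throw-away directory holding ten constructed backups.

    Returns (names removed, names remaining) so the behaviour can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for day in range(1, 11):
            (base / f"backup-200604{day:02d}-020000").write_text("constructed")
        (base / "backup-20060411-020000").mkdir()          # a folder-style backup
        (base / "notes.txt").write_text("not a backup")     # must survive
        removed = prune_backups(base)
        remaining = sorted(p.name for p in base.iterdir())
    return removed, remaining


if __name__ == "__main__":
    gone, left = demo()
    print("removed:", gone)
    print("remaining:", left)
```

With eleven constructed backups the four oldest are removed, seven remain, and the unrelated notes.txt is untouched; a directory holding seven or fewer backups is left exactly as it was.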
This section describes the database and how to back it up. It contains the following topics:
• Specifying a Backup Location
Viewing the Last Backup
Choose Global Settings > Database Backup. The Database Backup window shows the following details on the Database tab:
•Start Time—The time the last backup began.
•Finish Time—The time the last backup was completed.
•Path—The location of the backup.
•Result—Whether the backup was successful.
Specifying a Backup Location
You must first decide the location in which to save the backup.
To specify a backup location, follow these steps:
Step 1 Choose Global Settings > Database Backup.
Step 2 Click the Settings tab.
Step 3 Next to Backup Path, modify the default backup path (Program Files\Cisco Systems\CICS\backup) by entering the new path in one of the following formats:
•Windows full path—C:\Cisco_ICS_backup
•Universal Naming Convention (UNC)—\\servername\sharedname\
Step 4 If the backup location is on a remote computer, enter an appropriate account name and corresponding password for write access.
Step 5 Check the Create the folder if not already present check box to have Cisco ICS automatically create the folder.
Step 6 Click Save.
A confirmation message appears.
Step 7 Click Back to return to the Database Backup window.
Setting a Backup Schedule
Tip Configure a schedule for automatic backup. Schedule the backup for nonpeak hours when demand on the server is low.
To set a backup schedule, follow these steps:
Step 1 Choose Global Settings > Database Backup.
Step 2 Click the Settings tab.
Step 3 Check the Enable scheduled database backup check box.
Step 4 Click one of the following:
•Daily—Back up daily.
•Weekly, every { }—Back up weekly. Select a day from the list.
•Monthly, on day { }—Back up monthly. Select a day of the month from the list.
Step 5 Regardless of the frequency, select a start time from the lists.
Step 6 Click Save.
A confirmation message appears.
Step 7 Click Back to return to the Database Backup window.
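The frequency options of this backup schedule and of the verify connection schedule earlier in the chapter (Once, Every Minute, Hourly, Daily, Weekly, Monthly) all reduce to one question: given the current time, when is the next run? The following Python is an added example and not Cisco ICS code: it computes that next run time for each option, including the guide's Hourly case (at 5:53, selecting 54 runs in one minute, selecting 52 runs at 6:52) and a Monthly day that the current month does not have. The option names, the Monday-based weekday numbering and the choice to clamp day 31 to the last day of a shorter month are assumptions.

```python
import calendar
from datetime import datetime, timedelta


def _clamp_day(dt, day):
    """Same month as dt, on `day`, or the month's last day if it is shorter."""
    last = calendar.monthrange(dt.year, dt.month)[1]
    return dt.replace(day=min(day, last))


def _first_of_next_month(dt):
    if dt.month == 12:
        return dt.replace(year=dt.year + 1, month=1, day=1)
    return dt.replace(month=dt.month + 1, day=1)


def next_run(now, frequency, minute=0, hour=0, weekday=0, day=1, every=1):
    """First run time strictly after `now` for a schedule.

    frequency (assumed names for the guide's options):
      "once"         run immediately (the guide: once, when you click Save)
      "every_minute" every `every` minutes from now
      "hourly"       at `minute` past each hour
      "daily"        at hour:minute each day
      "weekly"       on `weekday` (0 = Monday) at hour:minute
      "monthly"      on day-of-month `day` at hour:minute
    """
    if frequency == "once":
        return now
    if frequency == "every_minute":
        return now + timedelta(minutes=every)
    if frequency == "hourly":
        candidate = now.replace(minute=minute, second=0, microsecond=0)
        if candidate <= now:            # 5:53 with 52 selected -> 6:52
            candidate += timedelta(hours=1)
        return candidate
    candidate = now.replace(hour=hour, minute=minute, second=0, microsecond=0)
    if frequency == "daily":
        if candidate <= now:
            candidate += timedelta(days=1)
        return candidate
    if frequency == "weekly":
        candidate += timedelta(days=(weekday - candidate.weekday()) % 7)
        if candidate <= now:
            candidate += timedelta(days=7)
        return candidate
    if frequency == "monthly":
        candidate = _clamp_day(candidate, day)
        while candidate <= now:         # roll forward one month at a time
            candidate = _clamp_day(_first_of_next_month(candidate), day)
        return candidate
    raise ValueError(f"unknown frequency: {frequency}")


if __name__ == "__main__":
    now = datetime(2006, 4, 7, 5, 53)   # a Friday, the guide's Hourly example
    print("hourly at 54:", next_run(now, "hourly", minute=54))
    print("hourly at 52:", next_run(now, "hourly", minute=52))
    print("weekly Fri 02:00:", next_run(now, "weekly", weekday=4, hour=2))
    print("monthly day 31:", next_run(now, "monthly", day=31))
```

For a backup schedule the practical reading is the Tip above: pick an hour:minute in a low-demand period and confirm with this calculation that the first run does not land in the current busy period by accident.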
Backing Up Manually
To back up the database manually, follow these steps:
Step 1 Choose Global Settings > Database Backup.
Step 2 Click the Settings tab.
Step 3 Make sure the location in the Backup path is correct.
Step 4 If you made changes, click Save.
Step 5 Click Back.
Step 6 Click Back Up.
Posted: Fri Apr 7 09:34:24 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.