Install and Setup Guide for Cisco Security MARS
Release 5.3.x
March 2008
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number:
Text Part Number: OL-14672-01


Summary of Contents for Cisco MARS

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.;...
  • Page 3: Table Of Contents

    MARS Web Interface Reporting and Mitigation Devices Network Cable Requirements Hardware Descriptions—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2 Technical Specifications for MARS 25R, 25, and 55 Technical Specifications for MARS 110R, 110, 210, GC2, and GC2R Part Numbers, License Key, and Serial Numbers...
  • Page 4 Contents AC Power Source Requirements 1-17 MARS 110R, 110, 210, GC2R, and GC2 Front and Back Panels 1-17 Front Panel Features—MARS 110R, 110, 210, GC2R, and GC2 1-17 Control Panel Description—MARS 110R, 110, 210, GC2R, and GC2 1-18 Control Panel LED Descriptions—MARS 110R, 110, 210, GC2R, and GC2 1-20 Back Panel Features—MARS 110R, 110, 210, GC2R, and GC2...
  • Page 5 Installing the Appliance C H A P T E R Installation Quick Reference Installing the MARS Appliance in a Rack Rack-Mounting MARS Appliances 110R, 110, 210, GC2R, and GC2 Installing the Chassis Handles Basic Rail Rack-Mount Installation Basic Rail Rack-Mount Removal...
  • Page 6 Upgrade Local Controller from the Global Controller User Interface 6-18 Configuring and Performing Appliance Data Backups 6-19 Typical Uses of the Archived Data 6-21 Format of the Archive Share Files 6-21 Archive Intervals By Data Type 6-23 Install and Setup Guide for Cisco Security MARS OL-14672-01...
  • Page 7 Configure the NFS Server on Linux 6-27 Configure the NetApp NFS Server 6-28 Configure Lookup Information for the NFS Server 6-29 Configure the Data Archive Setting for the MARS Appliance 6-30 Access the Data Within an Archived File 6-32 Recovery Management 6-32...
  • Page 8 (5.x) A-52 reboot A-57 route A-58 script A-60 show healthinfo A-61 show inventory A-63 shutdown A-65 snmpwalk A-66 A-67 sslcert A-69 ssllist A-70 syslogrelay setcollector A-71 syslogrelay src A-72...
  • Page 9 Access the GUI when the Network Is Down Troubleshooting Global Controller-to-Local Controller Communications Communications Overview Communication States Required Open Ports General Issues and Solutions List of Backend Services and Processes B-11 Error Messages B-14 INDEX...
  • Page 11: Preface

    Cisco IOS software. Specifically, this manual is for system administrators who will install and configure a new MARS Appliance. It is also for administrators who have existing MARS Appliances that they want to upgrade to the most recent version available under their support contract.
  • Page 12: Conventions

    Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication. Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
  • Page 13: Warning Definition

    Note SAVE THESE INSTRUCTIONS Note This document is intended for use together with the installation guide that came with the product. See the installation guide, the configuration guide and the other documents supplied with the product for more information.
  • Page 14 Note This manual is intended for use together with the installation guide for your device, which is enclosed with the device. Please refer to the manual (installation guide, configuration guide or similar) for your specific device for all further information.
  • Page 15 Note This documentation is intended for use together with the installation manual included with the specific product. See the installation manual, the configuration manual or the other additional documentation included for more information.
  • Page 16 NOTE! SAVE THESE INSTRUCTIONS NOTE! This documentation is to be used together with the specific product installation guide that accompanied the product. See the installation guide, the configuration guide or the other enclosed additional documentation for further details.
  • Page 17: Related Documentation

    For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 19: Chapter 1 Appliance Overview And Specifications

    The MARS system operates at distinct and separate levels based on how much information is provided about your networks’ reporting devices. At its most basic level, MARS functions as a syslog server. As you add information about reporting devices, MARS begins to sessionize the raw data, and after you...
  • Page 20: Local Controller

    Local Controller The Local Controller models are as follows—MARS 25R, 25, 55, 110R, 110, and 210. Each model differs in its ability to process and store events from reporting devices, enabling you to accurately address your needs based on the size of your network and the traffic volume.
  • Page 21: Global Controller

    Local Controllers and that Local Controllers monitor one or more reporting devices. Reporting devices provide MARS with data about the network, from traffic flows, as in the case of a router, to the configuration of possible attack targets, such as from a vulnerability assessment system.
  • Page 22: Network Cable Requirements

    MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2 The Cisco Security MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2 appliances are built with the second generation of CS-MARS hardware, and operate with only CS-MARS software versions 5.X.
  • Page 23: Technical Specifications For Mars 25R, 25, And 55

    Chapter 1 Appliance Overview and Specifications Hardware Descriptions—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2 • MARS 110R, 110, 210, GC2R, and GC2 Front and Back Panels, page 1-17 Technical Specifications for MARS 25R, 25, and 55 Table 1-1 summarizes chassis and component descriptions;...
  • Page 24 Table 1-2 Environmental Parameters—MARS 25, 25R, and 55 (columns: Environmental Parameter, MARS 25R and MARS 25, MARS 55) Temperature range: Operating: +10°C to +35°C derated; Operating: +10°C to +35°C derated...
  • Page 25: Technical Specifications For Mars 110R, 110, 210, Gc2, And Gc2R

    Technical Specifications for MARS 110R, 110, 210, GC2, and GC2R Table 1-3 summarizes chassis and component descriptions; Table 1-4 summarizes environmental and electrical descriptions.
  • Page 26: Part Numbers, License Key, And Serial Numbers

    Part Numbers, License Key, and Serial Numbers The part numbers of Cisco Security MARS Appliances and the Field Replaceable Units (FRUs) that operate with software releases 5.X are as follows: Local Controller Appliances CS-MARS-25R-K9 •...
  • Page 27: Serial Numbers

    Removing and Replacing the Front Bezel For the MARS 55, 110R, 110, 210, GC2R, and GC2, you must remove the front bezel to access the DVD ROM, hard drives, and control panel buttons. The bezels do not lock. The MARS 25R and 25 front panel features are accessible without removing the bezel.
  • Page 28 1-3. To replace the bezel, line up the center notch on the bezel with the center guide on the rack handles, then push the bezel onto the front of the MARS Appliance until it clicks into place. Figure 1-3 Removing the Front Bezel from a MARS 110R, 110, 210, GC2, and GC2R...
  • Page 29: Mars 25R And 25 Front And Back Panels

    The front panel elements are shown in Figure 1-4 and described in the following subsections: • Control Panel Description—MARS 25R and 25, page 1-11 • Control Panel LED Descriptions—MARS 25R and 25, page 1-12 Figure 1-4 Front Panel—MARS 25R and 25 Cisco Security MARS 25 Series...
  • Page 30: Control Panel Led Descriptions-Mars 25R And 25

    NIC 2 LED Blinking Green—NIC Activity Back Panel Features—MARS 25R and 25 Figure 1-6 depicts the back panel of the MARS 25R, 25, and 55 appliances. Figure 1-6 Back Panel—MARS 25R, 25, and 55 AC Power Connector PS2 Mouse Port...
  • Page 31: Mars 55 Front And Back Panels

    Empty Hard Drive Bay with Spare Carrier Control Panel Note To maintain the proper air pressure within the system, all hard drive bays must be populated with either a hard drive or a drive blank.
  • Page 32: Control Panel Description-Mars 55

    Chapter 1 Appliance Overview and Specifications MARS 55 Front and Back Panels Control Panel Description—MARS 55 The MARS 55 control panel has a power button and status LEDs. Figure 1-9 shows the layout and functions of the control panel. Figure 1-9 Control Panel Elements—MARS 55...
  • Page 33 Back Panel Features—MARS 55 Figure 1-10 depicts the back panel of the MARS 55 appliance. Figure 1-10 Back Panel—MARS 25R, 25, and 55 AC Power Connector PS2 Mouse Port...
  • Page 34 1. The stated storage capacity is the sum of the rated capacity of all the hard drives and does reflect bytes reserved for the RAID overhead on each drive. Power Supply Description—MARS 25R, 25, and 55 The MARS 25R, 25, and 55 have a 350 watt ATX power supply (PS) with the following features: • Over-temperature protection (OTP) •...
  • Page 35: Ac Power Source Requirements

    • Control Panel Description—MARS 110R, 110, 210, GC2R, and GC2, page 1-18 • Control Panel LED Descriptions—MARS 110R, 110, 210, GC2R, and GC2, page 1-20 Figure 1-12 Front Panel of MARS 110R, 110, 210, GC2R, and GC2—with Bezel Removed...
  • Page 36 Chapter 1 Appliance Overview and Specifications MARS 110R, 110, 210, GC2R, and GC2 Front and Back Panels Note The USB ports on the front and back panels are not supported. Note To maintain the proper air pressure within the system, all hard drive bays must be populated with either a hard drive or a drive blank.
  • Page 37 System identification button: System Identification LED—Toggles the front and rear panel System ID LEDs on/off, enabling you to more easily locate the appliance from behind a rack.
  • Page 38 Control Panel LED Descriptions—MARS 110R, 110, 210, GC2R, and GC2 Table 1-8 describes the function of control panel LEDs. Table 1-8 Control Panel LEDs—MARS 110R, 110, 210, GC2R, and GC2...
  • Page 39 Table 1-8 Control Panel LEDs—MARS 110R, 110, 210, GC2R, and GC2 (columns: Control Panel LED, Figure 1-13 Reference Number, State, Description) System Status LED...
  • Page 40: Back Panel Features-Mars 110R, 110, 210, Gc2R, And Gc2

    Off—No disk activity Back Panel Features—MARS 110R, 110, 210, GC2R, and GC2 Figure 1-14 depicts the back panel of the MARS 110R, 110, 210, GC2R, and GC2 appliances. Figure 1-14 Back Panel—MARS 110R, 110, 210, GC2R, and GC2 (Not supported).
  • Page 41: Connector Descriptions

    MARS 110R, 110, 210, GC2R, and GC2 Front and Back Panels Connector Descriptions Table 1-9 describes the type and function of the back panel communication ports of the MARS 110R, 110, 210, GC2R, and GC2. Table 1-9 Communication Port Descriptions—MARS 110R, 110, 210, GC2R, and GC2...
  • Page 42 Table 1-9 Communication Port Descriptions—MARS 110R, 110, 210, GC2R, and GC2 (columns: Connector, Description) Ethernet Add-in NIC connectors: Not supported. Integrated Ethernet NIC connectors: 10/100/1000–megabit-per-second (Mbps)
  • Page 43 Table 1-11 RJ-45 Serial Port Pin-outs (columns: Signal Name, Description) SPB_RTS: RTS (Request to Send) SPB_DTR: DTR (Data Terminal Ready) SPB_OUT_N: TXD (Transmit Data)
  • Page 44: Hard Drive Layout

    2. Although there is a total of 4.5 TB storage, RAID 10 has a maximum size configuration of 2 TB Redundant, or 4 TB Redundant Power Supply Descriptions The MARS 110R, 110, 210, GC2R, and GC2 ship with two hot-swappable 750 watt redundant (1 + 1) ATX power supplies (PS) which have the following integrated management features: Status LED on each power module •...
  • Page 45 Caution On a 20-ampere AC outlet, no more than a total of four (4) systems should be connected to a single outlet at any time.
  • Page 46: Ac Power Source Requirements

    AC Power Source Requirements Each power supply has a socket to accommodate an AC power cord. Each power supply operates within the parameters listed in Table 1-14.
  • Page 47: Checking Power Supply Operational Status

    Checking Power Supply Operational Status Example 1-1 displays the power supply status information in an excerpt of a show healthinfo CLI command output. The power supply unit should be evaluated for hot-swapping if the status is down. An email alert is sent to the administrator when a power supply changes status from “ok.”...
  • Page 49: Chapter 2 Deployment Planning Guidelines

    Required Traffic Flows, page 2-2 MARS Components When planning a deployment, you must consider the ability of a MARS Appliance to process the traffic expected from reporting devices on your network. Which models you purchase and where you place them on your network depends on the anticipated, sustained events per second (EPS) and NetFlow flows per second (FPS) predicted for that network or segment.
  • Page 50: Required Traffic Flows

    GUI to manage the appliance. Required Traffic Flows Required traffic flows identify traffic that must be allowed by gateways if they separate the MARS Appliance from a reporting device, mitigation device, or a supporting device (as listed in Supporting Devices).
  • Page 51 Global Controller and Local Controller: Proprietary (port 8444). This port must remain open on the outside and inside interfaces to ensure data synchronization and accurate data correlation operations of the Global Controller.
  • Page 52 OPSEC application. SSLCA (TCP port 18184) OPSEC-CPMI (TCP port 18190) Oracle Database Listener (TCP port 1521): Used by Oracle only. MS SQL (TCP port 1433): Used by FoundStone and eEye.
  • Page 53: Safety

    You should observe the following safety guidelines when working with any equipment that connects to electrical power or telephone wiring. They can help you avoid injuring yourself or damaging the MARS Appliance. The English warnings in this document are followed by a statement number. To see the translations of a...
  • Page 54: Safety

    This equipment must be grounded. Never defeat the ground conductor or operate the equipment in the absence of a suitably installed ground conductor. Contact the appropriate electrical inspection authority or an electrician if you are uncertain that suitable grounding is available. Statement 1024
  • Page 55: General Precautions

    • Do not spill food or liquids on your system components, and never operate the product in a wet environment. If the computer gets wet, see the appropriate chapter in your troubleshooting guide or contact the Cisco Technical Assistance Center. For instructions on contacting the Technical Assistance Center, see Obtaining Documentation, Obtaining Support, and Security Guidelines, page xvii, in the Preface.
  • Page 56: Maintaining Safety With Electricity

    Cisco Technical Assistance Center or a local power company. • Use only approved power cable(s). You have been provided with a power cable for your MARS Appliance that is intended for your system (approved for use in your country, based on the shipping location).
  • Page 57: Preventing Emi

    If you are experiencing shutdowns or unusually high errors with your existing equipment, these precautions will help you isolate the cause of failures and prevent future problems. Use the following precautions when planning the operating environment for your MARS Appliance: •...
  • Page 58: Choosing A Site For Installation

    • Choose a site with sufficient room in the front to open the hot-swappable hard drives (about ten inches). • Choose a site with sufficient room in the rear to attach the power cords and Ethernet cables (about four inches). • Avoid areas that receive direct sunlight.
  • Page 59: Grounding The System

    Install only in accordance with national and local wiring regulations. Statement 1045 Cabling Use the cables in the accessory kit to connect the MARS Appliance console port to a console or computer that is running a console program. In addition to using the console cable, use the provided standard Ethernet cable to connect the MARS Appliance to your network.
  • Page 60: Precautions For Rack-Mounting

    • Do not use a telephone line to report a gas leak while you are in the vicinity of the leak. • Install the line-impedance filter to the modem.
  • Page 61: Required Tools And Equipment

    While unpacking the MARS Appliance, place the box so that the direction arrows on the box are facing up. Open the top of the box, and lift the appliance clear. Place the MARS Appliance on a clean flat surface. Re-inspect the appliance for damage.
  • Page 62: Selecting The Appropriate Rail Kit

    Web Browser Client Requirements Before running the user interface provided by MARS, you must prepare Microsoft® Internet Explorer 6.0 SP1 or later to connect to the MARS Appliance. This section describes the properly configured and patched web browser. Configuring Internet Explorer Settings, page 3-10 •...
  • Page 63 Step 5 Click OK to close the Settings dialog box and to save your changes. Step 6 On the Security tab under Select a Web content zone to specify its security settings, select Trusted Sites.
  • Page 64 The default security level setting for Trusted Sites is Low. If this value is not Low or Medium, use the Custom Level settings to ensure that ActiveX controls and scripting are allowed. Step 7 With Trusted sites selected, click Sites.
  • Page 65 Figure 3-3 Internet Explorer Trusted Sites Step 8 Enter the URL used to connect to the MARS Appliance in the Add this Web site to the zone box and click Add. Specify the full URL, preceded by https://; you can use either the DNS name or the IP address, such as , in the URL.
  • Page 66: Configuring Pop-Up Blockers

    Step 12 Configuring Pop-Up Blockers This procedure describes how to allow access to the MARS Appliance for users running Windows XP SP2, which includes a pop-up blocker. For information on configuring a different popup blocker to allow access to the MARS Appliance, refer to the documentation provided with the pop-up blocker product.
  • Page 67: Correcting Issues Caused By The 832894 (Ms04-004) Security Update Or The 821814 Hotfix

    In the Allow list box, enter the host ID of the MARS prefixed by https://. For example, https://171.69.180.5/ Note For later versions of the MSN Toolbar, you can access the Allow Lists tab by clicking the Popup Guard Settings button on the Toolbar Buttons tab.
  • Page 68: Web Browser Client Usage Guidelines And Notes

    • Do not open multiple instances of the browser under the same login session. In other words, do not perform any of the following actions when viewing a page in the MARS web interface: Click File > New > Window on the menu bar of the browser.
  • Page 69: Installation Quick Reference

    Following installation and initial configuration, see the following publications for information on how to use a browser and the HTML interface to fully configure your MARS Appliance to provide the security threat mitigation (STM) services you want from this installation: User Guide for Cisco Security MARS Local Controller •...
  • Page 70: Installing The Mars Appliance In A Rack

    • Do not perform any action that creates a potential hazard to people or makes the equipment unsafe. • Do not install the MARS Appliance in a rack that has not been securely anchored in place. Damage to the system and personal injury may result.
  • Page 71 If the rack is provided with stabilizing devices, install the stabilizers before mounting or servicing the unit in the rack. Statement 1006 A rack is measured in rack units (RUs). An RU is equal to 44 mm or 1.75 inches. MARS Appliances require the following rack space: Table 4-2...
  • Page 72: Rack-Mounting Mars Appliances 110R, 110, 210, Gc2R, And Gc2

    Rack-Mounting MARS Appliances 110R, 110, 210, GC2R, and GC2 Your Cisco Security MARS 110R, 110, 210, GC2R or GC2 appliances can be mounted on a 19-inch rack. There are three methods for mounting the appliance on a rack. Instructions for installing your chassis on a rack are included in the rail kit, part number CS-MARS-X10-RAIL=.
  • Page 73: Basic Rail Rack-Mount Installation

    Step 1 Fully extend a rail assembly; the finger tab for the extension lock is revealed. Step 2 Press the finger tab and slide the inside rail from the middle rail until it completely separates.
  • Page 74 Step 25 Depress and hold down the finger tabs on both extension locks while sliding the chassis toward the rear. Step 26 Slide the chassis all the way into the rack until the chassis handles are against the front posts.
  • Page 75: Fixed Bracket Rack Mount Removal

    Statement 1024 Connect the AC power receptacle to the AC power source with the provided power cable. Some units have two power cables, one for each AC power receptacle in the appliance.
  • Page 76: Connecting Cables

    Connecting Cables Use unshielded twisted pair (UTP) copper wire Ethernet cable, with standard RJ-45 compatible plugs, to connect the MARS Appliance to the network. Your MARS Appliance comes with one or two standard computer power cords, a Cat 5 crossover cable,...
  • Page 77 GC2” for further information on determining the operational status. When the appliance is operational, start the software configuration. See Chapter 5, “Initial MARS Appliance Configuration,” for more information on its default configuration settings.
  • Page 79: Checklist For Initial Configuration

    HTML interface and is detailed in the User Guide for Cisco Security MARS Local Controller and the User Guide for Cisco Security MARS Global Controller.
  • Page 80 • interface. Each MARS Appliance has two Ethernet interfaces: eth0 and eth1. The eth0 interface is the dedicated interface used for collecting event data and logs from your network. The eth1 interface is intended for use in an out-of-band management (OOBM) network or for a console connection. Therefore, your default gateway and IP address/mask values should focus on the network connections to be used to monitor the data streams of reporting devices, and these settings should be applied to eth0.
  • Page 81 For more information, see: • Specify the Time Settings, page 5-10 • Set Up Additional Routes, page 5-9 • Completing the Cable Connections, page 5-11
  • Page 82: Establishing A Console Connection

    The software version determines the currency of signatures, system inspection rules, features, and bug fixes. An important part of your security solution is ensuring that you maintain the most up-to-date software on the MARS Appliance. This process involves preparing an upgrade strategy and selecting a method, determining your current version, identifying the most recent version, and downloading and applying all intermediate versions of the software.
  • Page 83 – Terminal = vt100 – To establish a console connection to the MARS Appliance, follow these steps: Step 1 Select from among the direct, serial, or Ethernet console connection options and configure according to the information provided under that description.
  • Page 84: Configuring Basic Network Settings At The Command Line

    Chapter 5 Initial MARS Appliance Configuration Configuring Basic Network Settings at the Command Line Step 2 Power on the MARS Appliance and the console, and if required by the option, open your terminal emulation communication software on the console. The login prompt appears.
  • Page 85: Specify The Ip Address And Default Gateway For The Eth0 Interface

    Step 1 Console Connection, page 5-4. Note If the MARS Appliance is not configured (that is, it is new or has been re-imaged), the system displays the system information, including the software version. Log in using the system administrative account and password (pnadmin/pnadmin).
  • Page 86: Specify The Ip Address And Default Gateway For The Eth1 Interface

    Before you specify the interface settings, verify that eth1 is not connected to the network. To specify the IP address and default gateway address, follow these steps: Establish a console connection to the MARS Appliance; for options and details, see Establishing a...
  • Page 87: Specify The Appliance Hostname

    Note Set Up Additional Routes If MARS cannot access certain devices or resources (such as the Internet) through the default gateway, you must add a static route to reach such resources. You can define static routes to subnets or hosts.
  • Page 88: Add A Static Route

    Before you can edit the routing table, you must establish a console connection to the MARS Appliance; for options and details, see Establishing a Console Connection, page 5-4.
  • Page 89: Completing The Cable Connections

    License the 5.x Software Adding the license file is only performed using the web interface; there is no CLI support. In the 5.x releases, you are able to upgrade a MARS 110R to a MARS 110 by purchasing and applying an additional license.
  • Page 90 Step 3 Once you have stored the file on your local computer, verify that the file has a .lic extension. If not, rename the file to have that extension. MARS prevents you from uploading a file with a different extension. Step 4 Open your web browser and enter one of the following URL syntaxes in the address bar: https://<machine_name>/...
  • Page 91 Note The first time you log in, expect performance to be a little slow due to first-time caching and compilation. If the MARS license key is not configured, the License Key dialog prompts you to enter this key. Figure 5-2...
  • Page 92: Verifying And Updating Network Settings

    Identifies the hostname for this appliance. This value serves not only as the hostname of the appliance, but the web interface uses this name in topologies, incidents, rules, queries, and reports. Note The MARS cannot have spaces in its hostname. The name can contain up to 15 letters and numbers. • Interface Name The two network interfaces for the MARS are eth0 and eth1.
  • Page 93: Specifying The Dns Settings

    The local TCP/IP stack that resides on the appliance uses DNS services just as any host on the network does. In addition, MARS uses DNS to resolve the IP addresses into hostnames for events that it studies. This mapping enables you to study events by hostname or by IP address.
  • Page 94: Configure E-Mail Settings For The System Administrative Account

    Note If the DNS configuration is changed from the web interface, you must perform a pnstop and then a pnstart operation for the new DNS information to be used by the MARS Appliance. For information on performing these two operations, see...
  • Page 95: Configure Tacacs/Aaa Login Prompts

    Step 5 Configure TACACS/AAA Login Prompts By default, MARS knows what the default device login prompt looks like. When attempting to connect to a reporting device or mitigation device, MARS validates the prompt to avoid login failures. However, if you use a TACACS-based AAA server to manage the administrative access to your reporting devices and mitigation devices, you must describe the login prompts for username and password so that MARS can recognize them.
  • Page 96: Updating The Appliance To The Most Recent Software

    Step 4 Click Submit to save your changes. The specified settings are used globally by MARS to recognize prompts by the TACACS/AAA server. In the event that neither the TACACS/AAA server prompt nor the default device prompt is recognized, MARS does not attempt to connect to the device and an error message is generated.
  • Page 97 Performing Command Line Administration Tasks This section details basic administrative tasks that you perform using a console connection to the MARS Appliance. This section contains the following procedures: Log In to the Appliance via the Console, page 6-2 •...
  • Page 98: Performing Command Line Administration Tasks

    Performing Command Line Administration Tasks Log In to the Appliance via the Console After the MARS Appliance boots, the console service starts and prompts the user to log in. Successful login launches a command line application (shell) that operates the CLI.
  • Page 99: Shut Down The Appliance Via The Console

    For more information on powering up the appliance, see Powering on the Appliance and Verifying Hardware Operation, page 4-8. Caution: Powering off the MARS Appliance by using only the power switch may cause the loss or corruption of data. Use this procedure to shut down the MARS Appliance.
  • Page 100: Reboot The Appliance Via The Console

    Determine the Status of Appliance Services via the Console You can use the console connection to obtain system and service status information. To determine the status of the MARS Appliance’s services, follow these steps: Step 1 Log in to the MARS Appliance. For more information, see...
  • Page 101: Stop Appliance Services Via The Console

    Stop Appliance Services via the Console You can stop all MARS Appliance services from the console. To list the services and their status, you can use the pnstatus command. For more information, see...
  • Page 102: View System Logs Via The Console

    Caution: Never try to upgrade the hardware components of the MARS Appliance. Doing so could result in bodily injury and void support contracts. Contact Cisco for your hardware upgrade needs.
  • Page 103 Determine whether you should upgrade or reimage the MARS Appliance. Two scenarios exist for bringing your MARS Appliance in line with the current software release: upgrade versus reimage. The method required to get to the current release can differ greatly between these two scenarios.
  • Page 104 CD-ROM. Before you can upgrade, you must download the software and burn an image to a CD-ROM. You can insert this CD-ROM in the DVD drive of the MARS Appliance to perform the upgrade. If you select the CD-ROM medium, you must upgrade each appliance individually and you must use the CLI.
  • Page 105 Download all required upgrade packages from the Cisco.com website. After you have identified the upgrade packages to download, log in to Cisco.com using your Cisco.com account and download the various packages. To download upgrade packages, you must have a valid SMARTnet support contract for the MARS Appliance.
  • Page 106: Burn An Upgrade Cd-Rom

    The Internal Upgrade Server requirements vary based on the upgrade option you selected and the version running on your appliance. Note: MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server whether it is accessed via HTTP, HTTPS, or FTP.
  • Page 107: Important Upgrade Notes

    General Notes The MARS Appliance performs a file system consistency check (fsck) on all disks when either of the following conditions is met: If the system has not been rebooted during the past 180 days.
  • Page 108: Upgrade To 5.2.8

    Upgrade images and supporting software are found on the Cisco.com software download pages dedicated to MARS. You can access these pages at the following URLs, assuming you have a valid Cisco.com account and that you have registered your SMARTnet contract number for your MARS Appliance.
  • Page 109: Specify The Proxy Settings For The Global Controller Or Local Controller

    For information on upgrading a Local Controller from within the Global Controller user interface, see Upgrading a Local Controller from the Global Controller, page 6-17. Install and Setup Guide for Cisco Security MARS 6-13 OL-14672-01...
  • Page 110: Upgrade Global Controller Or Local Controller From Its User Interface

    Step 4 In the Proxy User field, specify the username that the appliance must use to authenticate to the proxy server. Note: This username and password pair is neither the Cisco.com nor the Internal Upgrade Server login and password. MARS requires that proxy servers enforce inline user authentication. Therefore, you must specify a username and password pair to authenticate to the proxy server.
  • Page 111: Upgrade From The Cli

    Step 4 In the User Name and Password fields, enter your Internal Upgrade Server login information. Note: MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server.
  • Page 112 Step 4 Do one of the following: Note: MARS requires that the Internal Upgrade Server enforces user authentication. Therefore, you must specify a username and password pair to authenticate to the server whether it is accessed via HTTP, HTTPS, or FTP.
  • Page 113: Upgrading A Local Controller From The Global Controller

    If you notice that the Local Controller appears offline, verify that at least 10 minutes have passed since the appliances rebooted. Alternatively, you can jump start the communication by navigating to Admin > Local Controller Management in the Global Controller user interface.
  • Page 114: Specify The Proxy Settings In The Global Controller

    Step 5 In the Proxy User field, specify the username that the appliance must use to authenticate to the proxy server. This username and password pair is not the Internal Upgrade Server Login and Password. Note: MARS requires that proxy servers enforce inline user authentication. Therefore, you must specify a username and password pair to authenticate to the proxy server.
  • Page 115: Configuring And Performing Appliance Data Backups

    During the upgrade, the user interface is also restarted. Configuring and Performing Appliance Data Backups You can archive data from a MARS Appliance and use that data to restore the operating system (OS), system configuration settings, dynamic data (event data), or the complete system. The appliance archives...
  • Page 116 You can use the same NFS server to archive the data for more than one MARS Appliance; however, you must specify a unique directory in the NFS path for each appliance that you want to archive. If you use the same base directory, the appliances overwrite each others’...
  • Page 117: Typical Uses Of The Archived Data

    6-40. Format of the Archive Share Files The MARS archive process runs daily at 2:00 a.m., and it creates a dated directory for its data. You cannot specify a different time to archive the data. directory is where the operating system backup is stored.
  • Page 118 The following is an example of the data found in the configuration data directory. Directory of D:\MARSBackups\2005-07-08\CF 07/08/2005 04:49p <DIR> 07/08/2005 04:49p <DIR> 07/08/2005 02:02a 2,575,471 cf_2005-07-08-02-02-02.pna 1 File(s) 2,575,471 bytes
  • Page 119: Archive Intervals By Data Type

    Archive Intervals By Data Type MARS archives data either daily or in near real time based on the type of data. Therefore, all the data in the MARS internal storage (local database) should be in the NFS storage as well, give or take a day’s worth of specific types of data.
  • Page 120: Configure The Nfs Server On Windows 6-24

    Performance Tuning Guidelines for Microsoft Services for Network File System http://www.microsoft.com/technet/interopmigration/unix/sfu/perfnfs.mspx To install and configure the WSU 3.5 to operate with a MARS Appliance, perform the following tasks: • Install Windows Services for UNIX 3.5, page 6-24 Configure a Share using Windows Services for UNIX 3.5, page 6-26 •...
  • Page 121 Step 11 Verify that the Change the default behavior to case sensitive check box is not selected, and then click Next. As the MARS Appliance does not use a special account for NFS authentication, you do not need to change the default settings. Step 12 The User Name Mapping panel appears.
  • Page 122 Enter the IP address of the MARS Appliance, and click OK. Step 10 Select the IP address of the MARS Appliance, then select Read-Write from the Type of Access list. Ensure that ANSI is selected from the Encoding list. Click OK to save your changes and close the NFS Share Permissions dialog box.
  • Page 123: Enable Logging Of Nfs Events

    This section presents an example configuration as guidance for configuring your NFS to archive the data for a MARS Appliance. For each MARS Appliance that you want to archive for a given NFS server, you must set up a directory on the NFS server to which the appliance can read and write. The following procedure identifies the steps required to accomplish this task.
  • Page 124: Configure The Netapp Nfs Server

    For information on configuring such a host, refer to the documentation for your Network Appliance server. To prepare the NetApp NFS server so that the MARS Appliance can archive to it, follow these steps: Step 1 If you have not exported a directory on the NetApp NFS appliance, perform the following task from the NetApp's web GUI.
  • Page 125: Configure Lookup Information For The Nfs Server

    The NFS Export Wizard - Read-Write Access page appears. Click Add, and enter the IP address of the MARS Appliance in the Host to Add field, and click OK. Click Add, and enter the IP address of the NetApp administrative host in the Host to Add field, click OK, and then click Next.
  • Page 126: Configure The Data Archive Setting For The Mars Appliance

    Configure the Data Archive Setting for the MARS Appliance You can archive the data and the system software that is running on a MARS Appliance to a remote server. This data archival includes operating system (OS) and upgrade/patch data, system configuration settings, and dynamic data, such as system logs, incidents, generated reports, and the audit events received by the appliance.
  • Page 127 If you need to change any values on this page, enter the value and click Change. Step 7 To stop archiving data, return to the Data Archiving page and click Stop.
  • Page 128: Access The Data Within An Archived File

    You can use any text editor or run scripts against the data in these files. However, you should not change the contents of these zipped files or leave extracted data or additional files in the archive folders. MARS cannot process new or extracted files when performing a restore operation.
  • Page 129: Recovering A Lost Administrative Password

    Downloading and Burning a Recovery DVD If you do not have the MARS Appliance Recovery DVD-ROM that shipped with your MARS Appliance or you want to use a new image to expedite the post recovery upgrade process, you can download the current recovery image from the Cisco.com software download pages dedicated to MARS.
  • Page 130: Recovery The Mars Operating System

    For MARS 110, 210, GC2, and their variant models, the MARS operating system (OS) is stored separately from the MARS application and event data. It is stored on a flash disk-on-module (DOM) drive in the appliance. Because the OS and application are separated, if the MARS application hangs due to a RAID failure, you can log in from a remote host and still retrieve log and trace data to assist in identifying the root cause of the failure.
  • Page 131: Re-Imaging A Local Controller

    Step 1 Connect your monitor to the MARS Appliance VGA port and your keyboard to the PS/2 keyboard port. (To view a diagram of the MARS Appliance VGA and serial ports, refer to the appropriate model in Hardware Descriptions—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2, page 1-4.)
  • Page 132: Re-Imaging A Global Controller

    2. Distributed Mars - Global Controller 3. Mars Operating System Recovery 4. Quit Step 5 Using the arrow keys, select 1. Distributed MARS — Local Controller at the Recover menu and press Enter. If you are re-imaging a MARS 110R or 110, the following message appears on the console.
  • Page 133 Begin, page 6-37, connect your monitor to the MARS Appliance VGA port and your keyboard to the PS/2 keyboard port. (To view a diagram of the MARS Appliance VGA and serial ports, refer to the appropriate model in Hardware Descriptions—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2, page 1-4.)
  • Page 134: Restoring Archived Data After Re-Imaging A Mars Appliance

    Restoring Archived Data after Re-Imaging a MARS Appliance When you restore a MARS Appliance using archived data, you are restoring the system to match the data and configuration settings found in the archive. The configuration data includes the operating system, MARS software, license key, user accounts, passwords, and device list in effect at the time the archive was performed.
  • Page 135: Upsizing A Mars Appliance

    To restore to a different replacement appliance, you must restore to an appliance of the same model or higher. For example, you can restore an image from a MARS 20 to a MARS 20, MARS 50, MARS 100, or MARS 100e; however, you cannot restore a MARS 50 to a MARS 20. Restoring to a replacement appliance differs from restoring to the actual appliance that performed the archive.
  • Page 136: Configuring A Standby Or Secondary Mars Appliance

    To restore to a secondary appliance, you must restore to an appliance of the same model or higher. For example, you can restore an image from a MARS 20 to a MARS 20, MARS 50, MARS 100, or MARS 100e; however, you cannot restore a MARS 50 to a MARS 20. Restoring to a secondary appliance differs from restoring to the actual appliance that performed the archive.
  • Page 137 If the data contained in the selected restore range of the archive exceeds the capacity of the local database on the target MARS Appliance, the MARS Appliance automatically purges the data in the oldest partition of the local database and then resumes the restore operation. As such, you should select a reasonable range of dates when performing the restore.
  • Page 138 Chapter 6 Administering the MARS Appliance Guidelines for Restoring
  • Page 139: Appendix

    • Command Privileges and Modes To access the CLI on the MARS Appliance, you must have a console connection to the appliance and use the system administrative account, pnadmin. No other administrative account defined in the web interface has privileges to access the console connection. For more information about establishing a...
  • Page 140: Checking Command Syntax

    Enter, for example, arp -h. The help contains command usage information and syntax. Command Summary Table A-1 summarizes all commands available on the MARS Appliance. Refer to the full description of commands that you are not familiar with before using them. Table A-1 Command Summary...
  • Page 141 pnexp — Export configuration and event data from a 4.3.x appliance for import into a MARS Appliance running 5.3.1 or later (pnexp, page A-32). pnimp — Import configuration and event data previously exported from a MARS Appliance running 4.3.x into a one...
  • Page 142 A-69 certificate. ssllist — List existing ssl certificates (ssllist, page A-70). syslogrelay setcollector — Displays the IP address of the device to which syslogs are forwarded (syslogrelay setcollector, page A-71).
  • Page 143: Command Syntax Conventions

    A-84 on the MARS Appliance. 1. This command applies only to the MARS 100/100e, MARS 200, and the Global Controller appliance models. Command Syntax Conventions Command descriptions in this document and in the CLI help system use the following conventions: •...
  • Page 144 The ? command lists available commands and provides a brief description of each command. Syntax Description This command has no arguments or keywords. Examples To see the full list of commands that are available, enter:
  • Page 145: Arp

    Each complete entry in the ARP cache is marked with the C flag. Permanent entries are marked with M and published entries have the P flag. Note: You cannot add arp entries from a file, as you do not have access to the file system on the MARS Appliance.
  • Page 146 To permanently add an arp cache entry for a management host (marsgui) reachable from eth1, enter: arp -v -H ether -i eth1 -s marsgui 00:05:9A:3C:78:00 pub To remove the entry defined above, enter: arp -v -i eth1 -d marsgui nopub
  • Page 147: Date

    Examples To display the current date, enter: date To change the date to March 12, 2004, enter either of the following commands: date 03/12/2004 date 03/12/04
  • Page 148: Diskusage

    Examples To display the disk usage for all partitions in the MARS Appliance, enter the following command: diskusage The following is sample output for a MARS 100, as noted by the size of the /u02 partition: Filesystem Size Used Avail Use% Mounted on /dev/sda3 5.7G...
  • Page 149: Dns

    Appendix A Command Reference To display or specify the IP addresses of the Domain Name Services (DNS) servers that the MARS Appliance should use to resolve IP addresses into hostnames, use the dns command. dns [primary] [secondary] [tertiary] Note If the DNS configuration is changed from the web interface, you must perform a pnstop and then a pnstart operation for the new DNS information to be used by the MARS Appliance.
  • Page 150: Dnssuffix

    dnssuffix To display, add, or remove the DNS search paths associated with the adapters in the MARS Appliance, use the dnssuffix command. dnssuffix [add | del] searchpath Syntax Description none: The default behavior of this command displays the current domain search paths defined for the appliance.
  • Page 151: Domainname

    domainname To set or show the DNS domain of the MARS Appliance, use the domainname command. domainname [domain] Syntax Description none: The default behavior of this command displays the current domain value, if defined. Otherwise, it displays no value.
  • Page 152: Exit

    To log out of the system, use the exit command. exit Syntax Description This command has no arguments or keywords. Examples The following command logs you out of the system: exit
  • Page 153: Expert

    The expert command, undocumented before release 4.1.3, is for exclusive use by Cisco to aid in debugging customer issues that require direct access to the internal data store of the MARS Appliance. You may further restrict access to the expert command by setting the customer portion of the expert mode password via the passwd expert command.
  • Page 154: Gateway

    gateway To show or set the default gateway to be used by the MARS Appliance, use the gateway command. gateway [address] Syntax Description none: The default behavior of this command displays the current gateway setting, if defined. Otherwise, it displays no value.
  • Page 155: Help

    Examples To display the complete list of available commands, enter: help To display a brief description about the netstat command, enter: help netstat
  • Page 156: Hostname

    hostname To set or show the hostname of the MARS Appliance, use the hostname command. hostname [hostname] Note: Changing the hostname requires that the appliance reboot. This reboot will occur automatically after you change the hostname. However, you are prompted to verify the hostname change. To cancel the...
  • Page 157: Hotswap

    To hotswap a hard drive is to replace the hard drive without powering down or rebooting the appliance. For MARS Appliances 110, 110R, 210, GC2R, and GC2, the valid disk arguments range from 0 to 5. For the MARS Appliance 55 the valid disk arguments are 0 and 1.
  • Page 158 hotswap Examples In the following example, a hard drive is hotswapped in slot 5 of a MARS 210. The hard drive status is verified with the raidstatus command: [pnadmin]$ version 5.3.2 (2702) [pnadmin]$ hotswap list all...
  • Page 159 Rebuild Progress on Device at Enclosure 14, Slot 5 Completed 17% in 32 Minutes. Related Commands Command Description raidstatus (5.x) Displays the status of the RAID array and of the individual HDDs.
  • Page 160: Ifconfig

    Hardware Descriptions—MARS 25R, 25, 55, 110R, 110, 210, GC2R, and GC2, page 1-4. For MARS Appliances 110, 110R, 210, GC2R, and GC2, eth0 is integrated NIC 1, eth1 is integrated NIC 2; eth2 and eth4 are unsupported. Examples...
  • Page 161: Model

    model Use the model command to display the model and mode of the MARS Appliance. model Syntax Description none: The default behavior of this command lists model and mode of the MARS Appliance. -h: Displays the detailed usage guidelines on this command.
  • Page 162: Netstat

    Internet connections and UNIX domain sockets. -h: Displays the detailed usage guidelines on this command. -r: Displays information about the routing table on the MARS Appliance. -v: Displays verbose information. Useful for obtaining information about unconfigured address families.
  • Page 163: Nslookup

    Before using this tool, you should be familiar with how DNS works. Syntax Description nslookup puts you into interactive command mode. To quit the command mode and return to the command prompt, enter exit.
  • Page 164: Ntp

    Identifies the server, by IP address, that runs the NTP server from which you want this MARS Appliance to retrieve system time information. This time value sets the clock used to date and correlate events that are received by the appliance.
  • Page 165: Passwd

    Examples To change the system administrative account password to Ou812o, enter: [pnadmin]$ passwd New password: <Ou812o> Retype new password: <Ou812o> [pnadmin]$
  • Page 166: Passwd Expert

    [new_pword] While you can use the passwd expert command to restrict access to the expert command, only authorized Cisco support personnel are able to access the expert debugging mode of an appliance. See also expert, page A-15.
  • Page 167: Ping

    -r: Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. This option can be used to ping a local host through an interface that has no route through it.
  • Page 168 -U: Print true user-to-user latency (the old behavior). -v: Displays verbose output. -V: Displays the version of this command. -w deadline: Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received.
  • Page 169: Pndbusage

    <number> events, received between <purge start date> and <purge end date> will be purged. In this case, the third line indicates the data that will be purged on the <estimated switching date>. Indents are displayed as shown above.
  • Page 170: Pnexp

    Estimates how much time and storage is required to export the event data [MM/DD/YY:HH] that was received by MARS after a specified start time—only the events received after that time are migrated. If the last argument is not specified, then the estimate is based on all event data in the database.
  • Page 171 Use the pnexp command to prepare and export configuration and event data from a MARS Appliance running 4.x as separate data so you can import either or both on a MARS Appliance running 5.x software. When the export operation begins, that MARS Appliance stops receiving events until the exporting process completes.
  • Page 172 4 11:25:21.395 2007@LM_INFO@Thread 1024:Trying to mount /mnt/pnarchive 4 11:25:22.677 2007@LM_INFO@Thread 1024:EXPORTING REPORT RESULTS ... Related Commands Command Description pnimp Import configuration and event data into a MARS Appliance running version 5.3.1 or later.
  • Page 173: Pnimp

    Use the pnimp command to import configuration and event data generated from a MARS Appliance running 4.x into a MARS Appliance running 5.x software. The import operation does not affect event processing; in other words, the received events are processed upon arrival. However, it does affect the web interface and the query and report features may experience long delays and missing event or session data.
  • Page 174 WARNING: this operation will overwrite current MARS box's configurations (both system and DB) and reboot the machine. After reboot, current MARS box will take over the IP address, hostname and MARS username/password of the MARS box from which the config archive was exported, please make sure there will be no IP address conflict.
  • Page 175 pnimp The following example specifies that the MARS Appliance should import the event data corresponding to the configuration data in the previous example: [pnadmin]$ pnimp Enter 'help' for a list of valid commands, 'exit' or 'quit' to exit.
  • Page 176: Pnlog

    Cisco recommends that you use the default value. The trace and debug options should be used only on the advice of Cisco TAC. Setting a level of critical shows only the critical events, while setting a level of warning shows all warning or higher events (in other words, it shows warning, error, and critical events).
  • Page 177 pnlog setlevel cpdebug 9
  • Page 178: Pnreset

    Recovery DVD. The pnreset command does not re-image the MARS Appliance. You should reimage the appliance when receiving a new appliance not running the most current version of the software or when you need to restore the administrator password to the factory default.
  • Page 179 Resets the tnsnames.ora file to factory defaults. The tnsnames.ora file is required for the Oracle client to connect to the Oracle server. If MARS does not pull logs from the Oracle client, this option should never be used. If the tnsnames.ora file contains invalid data, MARS may be unable to connect to its internal Oracle database.
  • Page 180 Note: You must also delete the Local Controller entry on the Global Controller. Related Commands Command Description pnstatus Displays the status of each module running as part of the MARS application. pnupgrade Upgrades the software running on the MARS Appliance.
  • Page 181: Pnrestore

    The version of MARS software running on the appliance to be restored must match the version recorded in the archive. For example, if the data archive is for version 4.1.4, you must re-image the MARS Appliance to version 4.1.4, not older or newer, before using the pnrestore command to recover the system configuration and events.
  • Page 182 NFS server, these modes prevent MARS from overwriting the OS installed in the appliance to read the specified time slice’s data.
  • Page 183 When restoring Local Controller data, problems can arise if you attempt to restore dynamic data from a bigger appliance to a smaller appliance. In such cases, use mode 1. Create a staging area that contains a range of data and determine the correct version of MARS to use •...
  • Page 184 2006 at midnight, with the archive at 10.1.1.1 and the corresponding directory under the stageAreaPath directory at 10.1.10.15. pnrestore -m 4 -r 1 -t 10/01/06:00 -e 11/01/06:00 -p 10.1.1.1:/archive -s 10.1.10.15:/stagingArea
  • Page 185: Pnstart

    pnstart To manually start the MARS application running on the appliance from the serial console, use the pnstart command. pnstart Syntax Description This command has no arguments or keywords. Examples The following command starts the MARS application running on the appliance:...
  • Page 186: Pnstatus

    pnstatus To show the status of each module running as part of the MARS application from the serial console, use the pnstatus command. pnstatus Note: For a description of the processes and services, see List of Backend Services and Processes, page B-11.
  • Page 187: Pnstop

    pnstop To stop the MARS application running on the appliance from the serial console, use the pnstop command. pnstop Syntax Description This command has no arguments or keywords. Examples The following command stops the MARS application running on the appliance:...
  • Page 188: Pnupgrade

    pnupgrade To upgrade the software running on the MARS Appliance, use the pnupgrade command. This command supports upgrade from an Internal Upgrade Server and from a CD-ROM. See Checklist for Upgrading the Appliance Software, page 6-6, for details on obtaining upgrade images and preparing the Internal Upgrade Server.
  • Page 189 2.1 Patch OS end 2 Upgrade OS end 4 Upgrade MARS applications start 4.1 Untar MARS executable binary start 4.2 Untar MARS executable binary end 4.3 Modify janus.conf start 4.3 Modify janus.conf end
  • Page 190: Raidstatus (5.X

    476772 MB HDS725050KLA360 KRVN0AZBH5R8RJ Enabled In the following example, the MARS 210 RAID array is fully operational and redundant, that is, adapter a0 Raid-10 status is optimal, and all of the hard drives are online. [pnadmin]$ raidstatus Adapter Information: -------------------------------------------------------...
  • Page 191 715404MB [0x575466f0 Sectors] ST3750640AS C3QD02BZ7 In the following example, the MARS 210 RAID array is shown degraded because hard drive 3 (p3) has failed. The RAID array is functional, but not fully redundant because the p2+p3 RAID 1 pair is compromised.
  • Page 192 Table A-3 describes the output fields of the raidstatus command. Table A-3 raidstatus CLI command for MARS 55, 110R, 110, 210, GC2R, and GC2 Output Field Description RAID Controller Information Fields Product Name RAID controller manufacturer and serial number Firmware Version : 1.02.00-0119...
  • Page 193 Table A-3 raidstatus CLI command for MARS 55, 110R, 110, 210, GC2R, and GC2 (continued) Output Field Description Status The current state of the physical HDD. Online—The HDD is functioning normally within the RAID 10 array.
  • Page 194 Table A-3 raidstatus CLI command for MARS 55, 110R, 110, 210, GC2R, and GC2 (continued) Output Field Description Rebuild Progress on Device at Enclosure 0, Slot 1 Completed 8% (MARS 55): Indicates the slot number and percentage complete of the physical drive being rebuilt.
  • Page 195: Reboot

    reboot To reboot the MARS Appliance from the serial console, use the reboot command. reboot Caution: The reboot is immediate and you are not prompted to confirm. Syntax Description This command has no arguments or keywords.
  • Page 196: Route

    route The route command manipulates the MARS Appliance’s IP routing tables. Its primary use is to set up static routes to specific hosts or networks via an interface after it has been configured with the ifconfig command.
  • Page 197 -v: Display verbose information. -n: Display numeric values for addresses; don’t resolve hostnames. -e: Display extended information. -F: Display Forwarding Information Base (FIB), which is the default. -C: Display routing cache instead of FIB.
  • Page 198: Script

    Gather high level statistics about the configuration and topology for the MARS Appliance. Examples The following example gathers high level statistics about the MARS Appliance’s configuration and topology. [pnadmin]$ script get_mars_summary_info.sh Collecting MARS summary info from the DB in HTML format...
  • Page 199: Show Healthinfo

    For more information on RAID BBU and power supply procedures, see the chapter “System Maintenance” in the User Guide for Cisco Security MARS Local Controller at the following URL: http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008084f072.html Examples The following example displays the health monitoring information on a MARS 110.
  • Page 200 GNU/Linux Related Commands Command Description ifconfig Displays or modifies the IP address and network mask of the network interfaces. show inventory Displays identifying details of essential components in the appliance.
  • Page 201: Show Inventory

    Appendix A Command Reference show inventory show inventory To display an inventory and serial numbers of essential components in the MARS Appliance, use the show inventory command. show inventory Syntax Description There are no arguments or keywords for this command.
  • Page 202 Appendix A Command Reference show inventory Related Commands Command Description show healthinfo Displays operational status of appliance components.
  • Page 203: Shutdown

    For more information, see Powering on the Appliance and Verifying Hardware Operation, page 4-8. Syntax Description This command has no arguments or keywords. Examples The following command shuts down the appliance: shutdown
  • Page 204: Snmpwalk

    DNS name of the device against which the snmpwalk command will be run. Typically, this device is a router or switch. This device must have SNMP management access enabled and the MARS Appliance must be a valid management host. community Identifies the community string for SNMP transactions.
  • Page 205: Ssh

    -D port Enable dynamic application-level port forwarding. -C Enable compression. -N Do not execute a shell or command. -g Allow remote hosts to connect to forwarded ports. -1 Force protocol version 1. -2 Force protocol version 2.
  • Page 206 -4 Use IPv4 only. -6 Use IPv6 only. -o 'option' Process the option as if it was read from a configuration file. -s Invoke command (mandatory) as SSH2 subsystem. -b addr Local IP address.
  • Page 207: Sslcert

    • The two-letter country code for the unit (C). To generate a new self-signed certificate for use with this MARS Appliance, use the sslcert command: sslcert Syntax Description none The default behavior of this command launches an interactive program that collects the information required to generate a certificate.
  • Page 208: Ssllist

    [pnadmin]$ ssllist Keystore type: jks Keystore provider: SUN Your keystore contains 2 entries global, Dec 29, 2006, trustedCertEntry, Certificate fingerprint (MD5): 85:2A:05:46:4E:6B:AB:15:B4:EE:77:FE:3C:4A:EE:65 server, Dec 28, 2006, trustedCertEntry, Certificate fingerprint (MD5): 6A:C8:50:8C:FA:65:BB:E2:08:F1:75:80:A4:69:47:90
  • Page 209: Syslogrelay Setcollector

    Local Controller forwards syslog messages to the collector. syslogrelay list Displays the list of IP addresses used by the syslogrelay. This list includes the collector, as well as reporting devices in the include and/or exclude lists.
  • Page 210: Syslogrelay Src

    The syslogrelay src include ANY command indicates that all syslog messages received by MARS are relayed to the configured collector, excepting those that originate from the addresses configured as exclusions.
  • Page 211 Command Reference syslogrelay src The syslogrelay src exclude ANY command indicates that all syslog messages received by MARS should not be forwarded to the configured collector, excepting those that originate from addresses configured as inclusions. If inclusions are configured, the following prompt appears: One or more device ip addresses are currently included.
  • Page 212: Syslogrelay List

    If the collector address is not set, the syslogrelay feature is disabled. Examples The following example displays the syslog relay configuration. [pnadmin]$ syslogrelay list all [Collector] 192.168.1.1 [Inclusions] [Exclusions] 192.168.2.1 182.168.3.1 Related Commands
  • Page 213 Local Controller forwards syslog messages. If the address is cleared, this feature is turned off. syslogrelay src Add to, exclude from, or clear the list of IP addresses for which the Local Controller forwards syslog messages to the collector.
  • Page 214: Sysstatus

    -d Specifies the delay between screen updates. You can change this delay using the -s interactive command. -p Monitors only those processes with the given process id. This flag can be given up to twenty times. This option is not available interactively.
  • Page 215 It runs until it reaches the number of iterations specified by the n option or until killed. Output is plain text suitable for display on a dumb terminal.
  • Page 216: Tcpdump

    CPU activities. -h Displays the detailed command’s usage guidelines. -i interface Identifies the interface to sniff. -c count Exit after receiving count number of packets. Ctrl+c Exit the tcpdump screen.
  • Page 217: Telnet

    Internet address of a remote host. port Indicates a port number (address of an application) used to connect on the remote host. If a number is not specified, the default telnet port is used.
  • Page 218: Time

    01-24, mm is 00-59 and ss is 00-59. Examples To display the current time, enter: timezone To set the time to 11:15 p.m., enter: time 23:15:00
  • Page 219: Timezone

    POSIX TZ format. Examples To display the current timezone setting, enter: timezone To set the timezone to CST, enter: timezone set
  • Page 220: Traceroute

    To display the network route that packets take to reach a specified host, enter: traceroute [hostname | ip_address] Traces the route that IP packets take from the MARS appliance to another host on a network by listing the intermediate gateways that the packet traverses to reach the host.
  • Page 221: Unlock

    Appendix A Command Reference unlock unlock Use the unlock command to restore access to the MARS Appliance GUI for all or specified user accounts after login failures. unlock {-a} | {{-l | -g | -b } login_name} Command History Release Modification 4.3.1/5.3.1...
  • Page 222: Version

    Command Reference version version To display the version of MARS software that is running on the appliance, use the version command. The version number appears in the following format: major.minor.patch (build no.) Syntax Description This command has no arguments or keywords.
  • Page 223: Appendix

    Beginning with the 4.3.1 and 5.3.1 releases, the dynamic IPS signature update is an aspect of the version of software running on a MARS Appliance. Therefore, in addition to running the same MARS software versions on the Global Controller and Local Controller, the IPS signature versions must match or the communications fail.
  • Page 224: Cannot Locate License Key

    Delete a Device, page 2-19. Cannot Re-Add a Device to MARS If you cannot re-add a device to MARS, the device is likely already defined in one capacity or another. Delete a Device, page 2-19. Cannot Add a Device to MARS If you cannot add a device to MARS, the device has likely been defined during a topology discovery operation.
  • Page 225: Submitting Feedback And Reporting Errors

    Appendix B Troubleshooting Collect Support Information • Collect Summary Status from the MARS Database. As of the 4.3.1 and 5.3.1 releases, you can use the get_mars_summary_info.sh script to gather high-level statistics about a MARS Appliance’s configuration and topology. [pnadmin]$ script get_mars_summary_info.sh...
  • Page 226 TAC case number to which the error log is attached. If you do not already have a valid case number, you are redirected to the Cisco TAC web site so you can create a new TAC case and obtain a valid case number.
  • Page 227: Access The Gui When The Network Is Down

    Step 3 Configure the computer’s local TCP/IP settings to be on the same network as one of the Ethernet interfaces in the MARS Appliance. Pick an IP address other than the one used by the appliance on that interface. It is possible that you specified the interface address for eth1 when you configured the interfaces using...
  • Page 228: Troubleshooting Global Controller-To-Local Controller Communications

    10 minutes and sent to the Global Controller, regardless of whether a report is scheduled within that interval. • Incident/firing event data. This data is sent from the Local Controller to the Global Controller every two minutes.
  • Page 229: Communication States

    (possibly days). You should only delete a Local Controller if you want to permanently remove that Local Controller from the Global Controller.
  • Page 230 The symptoms appear if the Local Controller receives a lot of data because, in such cases, the backlog can be large. A high usage MARS Appliance may not have adequate bandwidth between Local Controller/ Global Controller to ensure that the system stays synchronized.
  • Page 231 Global Controller is restored (to purge this information, use the -s option). For more information, see pnreset, page A-40. Note: Use this option only when a Global Controller recovery is required.
  • Page 232 Global Controller but more recent topology data has been transferred from the same Local Controller.
  • Page 233: List Of Backend Services And Processes

    SNMP MIBs such as per-interface bandwidth, per-interface errors, and firewall connections. This service detects statistically significant anomalies in the data. In case of a detected anomaly, the ANOMALY service inserts a MARS generated “anomaly detected” event into the system. autoupdate The backend process that pulls and processes the IPS signature updates.
  • Page 234 GUI service The GUI service provides the code used to display web pages that serve as the web interface for MARS. The service uses a JBOSS/Tomcat application server framework. REPORTGEN service The REPORTGEN service generates and sends the reports for the users.
  • Page 235 It monitors resource usage of the various services and various consistency conditions and restarts the appropriate services whenever necessary. The superV service also provides an event bus for the MARS processes to send messages to each other. device_monitor The PNMONITOR service acts as a software watchdog for JBOSS and SUPERV.
  • Page 236 Issue: Problem with archiving to NFS server. The directories for the archiving are properly created on the server but those directories remain empty. Workaround: An interoperability issue exists between MARS and CygWin NFS server running on Windows 2003 server. To work around such interoperability issues, replace the NFS server with Microsoft Windows Services for Unix.
  • Page 237: Error Messages

    Workaround: If you have the MSN Search Toolbar enabled in your browser, you must disable it before logging into MARS. To disable it, right-click on the toolbar and deselect MSN Search Toolbar. Alternatively, you can simply delete the j_security_check at the end of the URL string and press Enter.
  • Page 238 Appendix B Troubleshooting Error Messages
  • Page 239: Index