NPM 12.2 and NCM 7.7 feature: Network Insight for Cisco ASA firewalls

Created by Magdalena.Markova, last modified by Melanie Boyd on Oct 20, 2017

Last Updated: September 13, 2017 

Network Insight for Cisco ASA automates the monitoring and management of your ASA infrastructure to provide visibility and help ensure service availability.

  • Ensure health and performance of the ASA. If the ASA goes down, critical business services will not be available.
  • Get visibility into VPN tunnel connectivity. Prevent loss of connectivity to remote locations.
  • Analyze ACL configs. Identify shadowed and redundant rules.

 

Want to learn more about PerfStack and Network Insight for ASA? Check out New Feature Training: Improved Troubleshooting Tools with NPM 12.2 and PerfStack, available at SolarWinds Academy.

Ensure that services dependent on your firewall are available

These features require NPM 12.2.

  • Monitor the status of VPN tunnels to help ensure connectivity between sites.
  • Monitor firewall high availability health and readiness.
  • Monitor interfaces with firewall metrics such as security level.
  • Monitor failover situations.
  • Monitor the count of connections in use and of failed connections.

Get complete visibility into the health and performance of your firewall infrastructure

These features require NCM 7.7.

  • Filter, search, and view ACLs including object groups.
  • Translate interfaces from a physical name to a logical name for enhanced visibility.
  • Automate the identification of ACL config changes.

Automate firewall activities to improve operational efficiency

These features require NCM 7.7.

  • Optimize ACLs through the elimination of redundant and shadowed rules. Single click to view ACL.
  • Snapshot and version ACL configs.
  • Compare differences in ACL config versions.

 

See the Network Insight for Cisco ASA Firewalls Getting Started Guide for more information.

Add Cisco ASA firewalls for monitoring

Data for monitoring Cisco® ASA firewalls is polled by a combination of SNMP and CLI polling. To get accurate ASA-specific information, add the firewall device to NPM as a node, and provide CLI credentials.

Enable CLI polling on monitored ASA devices

To poll firewall-specific data on ASA devices already monitored in SolarWinds NPM, enable CLI polling for ASAs.

Access Network Insight for Cisco ASAs

Go to the Node details view for the ASA node and see the relevant information.

  1. Review the node details, such as firmware version or IP address.
  2. See the load summary on the device: average percent memory used, average CPU load, and connections in use.
  3. Click Performance Analyzer to open the Performance Analysis dashboard for the ASA node, featuring predefined metrics.
  4. Review the hardware health and high availability status. Click See details to go to the Platform overview, and see more information about High Availability.
  5. See the top 3 site-to-site VPN tunnels. How do I add tunnels to this resource?
  6. Review the In and Out bandwidth of favorite interfaces. How do I add interfaces here?
  7. See the basic overview of monitored site-to-site tunnels.

Review the Platform health

On the ASA node details summary, click the Platform Overview. 

Review the High Availability details, RAM and CPU load, the number of connections on the ASA, and the rate of failed connections.

Select important interfaces and site-to-site VPNs to see the info on the summary page

To see important interfaces and site-to-site VPNs on the ASA summary page, specify up to three favorites.

  1. Click Interfaces or Site-to-site VPN tunnels on the subview menu on the left.
  2. Click the star for interfaces or site-to-site tunnels you want to see on the summary page.

 

Review site-to-site tunnels

Review remote sessions

View and compare ACL rules for Cisco ASA devices 

You can use NCM 7.7 to examine the rules that make up an access control list (ACL) for a Cisco ASA device. After displaying a set of rules, you can:

  • Apply filters to display only rules that meet the specified criteria. Filter by rule type, source, destination, protocol, object, or object type.
  • Order the rules by line number or by hit count.
  • Show or hide remarks.
  • View information about objects or object groups included in a rule. If the object or object group has been modified, you can compare the current version to a previous version.

You can also compare two different ACLs, or two versions of the same ACL. The rules from each ACL are displayed beside each other, and lines with differences are highlighted.

Support for multiple contexts

The Cisco ASA (Adaptive Security Appliance) provides multiple security contexts on a single device. You can use NCM to back up and restore configurations for all contexts.

Redundant and shadowed rule detection 

Shadowed and redundant rules are ACL rules that will never be executed because the affected traffic has already been processed by a previous rule. NCM detects and reports these rules. Eliminating shadowed and redundant rules reduces the size of the rule set, making it easier to manage, and helps you ensure that the rules achieve the intended results.

NCM detects four types of rules:

  • Fully Shadowed
  • Partially Shadowed
  • Fully Redundant
  • Partially Redundant

For more information about each type of rule, see Overlapping ACL rules.
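The four categories can be illustrated with a small first-match ACL model. This is an added example, not NCM's detection logic or code from SolarWinds. It assumes the common definitions (an earlier rule with a different action shadows a later one, an earlier rule with the same action makes it redundant, "fully" when all of the later rule's traffic is covered and "partially" when only some is), and the `Rule` model, function names and sample ACL are hypothetical. It compares rules pairwise only, so a rule covered by the union of several earlier rules is not reported as fully covered.

```python
from ipaddress import ip_network
from typing import NamedTuple

class Rule(NamedTuple):            # simplified rule model, not ASA CLI syntax
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: str                       # source network (CIDR)
    dst: str                       # destination network (CIDR)
    ports: tuple = (0, 65535)      # inclusive destination port range

def _rel(contains, overlaps):      # one dimension: full / partial / disjoint
    return "full" if contains else ("partial" if overlaps else None)

def coverage(e, r):
    """How much of later rule r's traffic the earlier rule e already matches."""
    es, rs, ed, rd = (ip_network(n) for n in (e.src, r.src, e.dst, r.dst))
    (elo, ehi), (rlo, rhi) = e.ports, r.ports
    rels = [
        _rel(e.proto in ("ip", r.proto), r.proto == "ip"),
        _rel(rs.subnet_of(es), es.overlaps(rs)),
        _rel(rd.subnet_of(ed), ed.overlaps(rd)),
        _rel(elo <= rlo and rhi <= ehi, elo <= rhi and rlo <= ehi),
    ]
    if None in rels:               # disjoint in some dimension: no overlap
        return None
    return "full" if set(rels) == {"full"} else "partial"

def classify(acl):
    """Map 1-based line number to a finding (pairwise check, first match wins)."""
    findings = {}
    for i, rule in enumerate(acl):
        for prev in acl[:i]:
            cov = coverage(prev, rule)
            kind = "Redundant" if prev.action == rule.action else "Shadowed"
            if cov == "full":      # fully covered: the rule never fires
                findings[i + 1] = f"Fully {kind}"
                break
            elif cov:
                findings.setdefault(i + 1, f"Partially {kind}")
    return findings

SAMPLE_ACL = [                     # constructed sample, not from a real device
    Rule("permit", "tcp", "10.0.0.0/8", "192.168.1.0/24", (443, 443)),
    Rule("deny", "tcp", "10.1.0.0/16", "192.168.1.0/24", (443, 443)),
    Rule("permit", "tcp", "10.2.0.0/16", "192.168.1.10/32", (443, 443)),
    Rule("permit", "tcp", "10.0.0.0/8", "192.168.1.0/24", (400, 500)),
    Rule("deny", "ip", "10.0.0.0/8", "192.168.0.0/16"),
    Rule("permit", "udp", "172.16.0.0/12", "192.168.1.0/24", (53, 53)),
]
```

Calling `classify(SAMPLE_ACL)` flags lines 2 through 5, one per category, and leaves lines 1 and 6 unflagged. A fully shadowed deny, such as line 2, deserves the closest review, because the traffic it was written to block is being permitted by line 1.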

Alerts and Reports

Network Insight for ASAs includes the following alerts:

  • Failover on ASA node
  • High Availability on ASA Node is not up
  • VPN Site-to-Site tunnel down
  • Connections in use exceeding threshold on ASA node
     

Network Insight for ASAs includes the following reports:

  • VPN Site-to-Site Tunnel History - Last 30 Days
  • VPN Remote Access Tunnel History - Last 30 Days
