Skip navigation

Product Blog

1 Post authored by: tyler.peterson Employee

SolarWinds NCM 7.7 became available for download in the Customer Portal on September 13th. As always, the release notes contain plenty of great information on the new features.  I’d like to dive deeper into our Network Insight for Cisco ASA, building on the great post by Chris O'Brien.

 

Network Insight for Cisco ASA

As Chris pointed out, this is our second installment in the Network Insight series, and the first that I’ve had the pleasure of being involved in. The initial Network Insight release brought together NPM and NCM to deeply manage and monitor F5 BIG-IP devices. NCM 7.5 delivered valuable capabilities including binary configuration support, F5 LTM and GTM configuration support, and new inventory support.

 

For this release, we focused on delivering a set of capabilities around monitoring and management of Cisco’s Adaptive Security Appliance, or Cisco ASA. For SolarWinds NPM, this includes specific features around:

  • Site to Site VPN
  • Remote Access VPN
  • Interfaces

 

For SolarWinds NCM, we focused on the following three areas:

  • Firmware Upgrade
  • Multi-contexts
  • And the most exciting, Access Control List Management

 

Firmware Upgrade Support

With SolarWinds NCM 7.7, we’ve continued to improve the Firmware Upgrade feature, adding support for upgrading the firmware for Cisco ASAs, both in single- and multi-context mode.

  • Multi-context – must be used if the device is in multi-context mode, even if there is only one context. Must be run from the admin context
  • Single-context – must be used if the device is in single-context mode, or if the device doesn’t support contexts at all.

firmware upgrade for Cisco ASA

 

Multi-Context

In NCM 7.7, we can discover security contexts for Cisco ASA’s and easily bring them under management. To take advantage of this, first discover the ASA admin context. NCM will automatically discover additional contexts and list them in the Contexts resource. To manage each context, simply click on the “+” icon. Each additional context counts as a node; its configuration will be stored and managed separately.

Cisco ASA multi-context discovery and management

 

Access Control Lists (ACLs) Management

Saving the best for last, NCM 7.7 automatically discovers ACLs, which zones they are assigned to, and what interfaces are assigned to those zones. Using NCM, you can now ensure that your ACLs are doing what you expect them to do. Gone are the days of laboriously poring over each rule in an ACL in turn, hunting down object and object group definitions, wondering if a particular rule is being hit (and if not, why not?), and if something changed recently, and if so, what changed?

 

To see the list of ACLs for a particular ASA, mouse over the subviews panel and select “Access Lists.”

List of ACLs for a particular Cisco ASA

 

 

NCM tracks the history of ACLs on a particular ASA, including showing the date for the most recent version. And, if there are prior versions, they can be viewed via the expand carat.

 

History of a particular ACL on a Cisco ASA

 

And you can easily compare ACLs to prior versions, other ACLs on the same ASA, or even across ASAs.

Change which ACLs are compared for a Cisco ASA

 

Navigating into a particular ACL, you can see the rules of the ACL, with syntax highlighting.  You can filter rules by type, source, and destination. Each rule shows a count of hits, that is, how many times the firewall has seen traffic that matches a particular rule.

You can also drill into object groups, to see their definition including history.

ACL Detail view, including syntax highlighting, filtering, object group hierarchy traversal for Cisco ASA

 

Finally, with NCM 7.7, we’ve added Overlapping Rule Detection. Overlapping rules are classified in two ways, in terms of completeness of overlap and type of overlap.

With regards to completeness, we can have either partial or complete overlap, which should be self-explanatory. And with regards to type, we have the following:

  • Redundant: a rule earlier in the list overlaps this rule, and does the same action to the matched traffic.
  • Shadowed: a rule earlier in the list overlaps this rule, and does the opposite action.

 

Mousing over the Overlap indicator in the the Access List view, you can see a summary of the issues with a particular ACL.

Cisco ASA ACL rule overlap, summary

Drilling into a specific ACL, you can see which rules are overlapping, and clicking on the "Show the details" link will provide even more detail.

Cisco ASA ACL rule overlap, detailed view

 

 

Conclusion

Why are you still reading this? Go get the latest version from the Customer Portal and install it today! And, while you’re waiting for the new installer to work its magic, feel free to click through the new functionality in our online demo. We’d love to hear your feedback, post away below!

Filter Blog

By date: By tag: