Ticket management
By default Cisco Security Manager enables ticket, however I have disabled the ticket management.
The purpose of ticket is before any changes is made with CSM you need to create a ticket, then proceed to do the changes, after changes is made and saved, you need to submit the ticket. If workflow is disabled, submitted ticket will be automatically approved. Only when the ticket is approved, user can then deploy the changes.
To disable or enable ticket management click on Tools > Security Manager Administration.
To disable uncheck Enable Ticketing.
Configuring logging
Under the Policies box, follow this path Logging > Syslog > Logging Filters.
Step 1: Add row by clicking on the “+” button at the bottom right.
Step 2: From the Logging Destination drop down box, select Syslog Servers.
Step 3: Select informational from the drop down box, you can choose the severity level you like then click OK button. Choosing this is the same as this command logging trap informational.
Step 4: Click save.
Step 5: Adding the syslog server.
Add the row and configure the syslog source interface and syslog server address.
Save this configuration.
This configuration is the same as this command logging host management 172.16.0.30
Note that the policy object created in CSM is not the same as the object command in Cisco ASA.
Deployment
Saving the configuration will not change the Cisco ASA configuration. If you have regretted the changes you can choose to discard the changes.
Before you submit and deploy the new configuration to the Cisco ASA, you can check what commands will be deployed to the Cisco ASA.
To see the command changes, from the menu click on Tools > Preview Configuration.
ASA (Delta) presents commands that will be inserted/removed, since the commands are in green, it means these two lines of commands will be pushed to the ASA once deployed.
You can also compare the new proposed configuration with the previous configuration, in this example I want to compare the proposed configuration with the existing running-config.
From the menu click on File > Deploy to deploy the configuration to the Cisco ASA.
Alternatively you can choose File > Submit and Deploy to submit the changes and deployment at the same time.
Do not blindly click on Deploy button, always have a habit to check which device will be deployed first, previously I have made some changes to another device but have not deployed the changes yet. I chose ASALAB because I want ASALAB to have the logging configuration now.
Check and verify
I ssh into the Cisco ASA to check the command changes to make sure…
asalab# sh run logging logging enable logging timestamp logging buffer-size 8092 logging buffered informational logging trap informational logging asdm informational logging host management 172.16.0.30
Revert changes/Rollback
I can revert the changes back to the previous configuration. Click on Manage > Configuration Archive…
So far this is the second configuration in the archive since its first discovery. I can choose the first configuration discovered during the device discovery process to rollback to this configuration. Click on Rollback button to revert the changes of the Cisco ASA.
The two commands inserted had been removed.
If you decided to go ahead with the configuration you have made just now, you can rollback to the configuration again.
Keeping track of the changes, rollback, provision in the configuration archive will become more tedious as the number of entries increase, note that if you decided to rollback again another rollback entry will be added. Always maintain a good practice to preview the commands first before deployment.
cyruslab 