Cisco OL-28826-01 User Manual

User Guide for Cisco Security Manager 4.4
February 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
Fax: 408 527-0883
Text Part Number: OL-28826-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
User Guide for Cisco Security Manager 4.4
© 2002-2013 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface lvii
Conventions lvii
Obtaining Documentation, Obtaining Support, and Security Guidelines lviii
CHAPTER 1 Getting Started with Security Manager 1-1
Product Overview 1-1
Primary Benefits of Cisco Security Manager 1-2
Security Manager Policy Feature Sets 1-4
Security Manager Applications Overview 1-6
Device Monitoring Overview 1-6
IPv6 Support in Security Manager 1-7
Policy Object Changes in Security Manager 4.4 1-9
Logging In to and Exiting Security Manager 1-9
Understanding User Permissions 1-10
Logging In to the Cisco Security Management Suite Server 1-10
Logging In to and Exiting the Security Manager Client 1-11
Using Configuration Manager - Overview 1-12
Configuration Manager Overview 1-12
Device View Overview 1-13
Policy View Overview 1-14
Map View Overview 1-16
Task Flow for Configuring Security Policies 1-17
Policy and Policy Object Overview 1-18
Workflow and Activities Overview 1-18
Working in Workflow Mode 1-19
Working in Non-Workflow Mode 1-20
Comparing Workflow Modes 1-20
Using the JumpStart to Learn About Security Manager 1-22
Completing the Initial Security Manager Configuration 1-23
Configuring an SMTP Server and Default Addresses for E-Mail Notifications 1-25
Changing Workflow Modes 1-26
Understanding Basic Security Manager Interface Features 1-27
Menu Bar Reference for Configuration Manager 1-27
File Menu (Configuration Manager) 1-28
Edit Menu (Configuration Manager) 1-29
View Menu (Configuration Manager) 1-30
Policy Menu (Configuration Manager) 1-30
Map Menu (Configuration Manager) 1-31
Manage Menu (Configuration Manager) 1-32
Tools Menu (Configuration Manager) 1-33
Activities Menu (Configuration Manager) 1-34
Tickets Menu (Configuration Manager) 1-34
Launch Menu (Configuration Manager) 1-35
Help Menu (Configuration Manager) 1-36
Toolbar Reference (Configuration Manager) 1-36
Using Global Search 1-39
Using Selectors 1-42
Filtering Items in Selectors 1-42
Create Filter Dialog Box 1-43
Using Wizards 1-44
Using Tables 1-45
Filtering Tables 1-45
Table Columns and Column Heading Features 1-46
Using Text Fields 1-46
Understanding ASCII Limitations for Text 1-46
Finding Text in Text Boxes 1-47
Navigating Within Text Boxes 1-47
Selecting or Specifying a File or Directory in Security Manager 1-47
Troubleshooting User Interface Problems 1-48
Accessing Online Help 1-49
CHAPTER 2 Preparing Devices for Management 2-1
Understanding Device Communication Requirements 2-1
Setting Up SSL (HTTPS) 2-3
Setting Up SSL (HTTPS) on PIX Firewall, ASA and FWSM Devices 2-3
Setting Up SSL on Cisco IOS Routers 2-4
Setting Up SSH 2-5
Critical Line-Ending Conventions for SSH 2-5
Testing Authentication 2-5
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices 2-6
Preventing Non-SSH Connections (Optional) 2-7
Setting Up AUS or Configuration Engine 2-7
Setting Up AUS on PIX Firewall and ASA Devices 2-8
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode 2-9
Setting Up CNS on Cisco IOS Routers in Call-Home Mode 2-10
Configuring Licenses on Cisco ASA Devices 2-11
Configuring Licenses on Cisco IOS Devices 2-12
Initializing IPS Devices 2-12
CHAPTER 3 Managing the Device Inventory 3-1
Understanding the Device Inventory 3-1
Understanding the Device View 3-1
Understanding Device Names and What Is Considered a Device 3-3
Understanding Device Credentials 3-4
Understanding Device Properties 3-6
Adding Devices to the Device Inventory 3-6
Working with Generically Supported Devices 3-8
Working with Device Clusters 3-9
Adding Devices from the Network 3-11
Device Information Page—Add Device from Network 3-13
Service Module Credentials Dialog Box 3-18
IPS Module Discovery Dialog Box 3-19
Adding Devices from Configuration Files 3-20
Device Information Page—Configuration File 3-22
Adding Devices by Manual Definition 3-25
Device Information Page—New Device 3-26
Adding Devices from an Inventory File 3-29
Device Information Page—Add Device from File 3-31
Working with the Device Inventory 3-34
Adding, Editing, or Deleting Auto Update Servers or Configuration Engines 3-35
Server Properties Dialog Box 3-36
Available Servers Dialog Box 3-38
Adding or Changing Interface Modules 3-39
Viewing or Changing Device Properties 3-39
Device Properties: General Page 3-40
Device Credentials Page 3-44
Device Groups Page 3-48
Cluster Information Page 3-48
Policy Object Override Pages 3-49
Changing Critical Device Properties 3-50
Image Version Changes That Do Not Change the Feature Set in Security Manager 3-50
Changes That Change the Feature Set in Security Manager 3-51
Showing Device Containment 3-53
Cloning a Device 3-54
Deleting Devices from the Security Manager Inventory 3-55
Device Delete Validation Dialog Box 3-56
Working with Device Groups 3-57
Understanding Device Grouping 3-57
Edit Device Groups Dialog Box 3-58
Creating Device Group Types 3-59
Creating Device Groups 3-60
Deleting Device Groups or Group Types 3-60
Adding Devices to or Removing Them From Device Groups 3-60
Working with Device Status View 3-61
CHAPTER 4 Managing Activities 4-1
Understanding Activities 4-1
Benefits of Activities 4-2
Activity Approval 4-3
Activities and Locking 4-3
Activities and Multiple Users 4-4
Understanding Activity/Ticket States 4-4
Working with Activities/Tickets 4-7
Accessing Activity Functions in Workflow Mode 4-8
Accessing Ticket Functions in Non-Workflow Mode 4-9
Activity/Ticket Manager Window 4-10
Creating an Activity/Ticket 4-14
Responding to the Activity/Ticket Required Dialog Box 4-14
Opening an Activity/Ticket 4-15
Closing an Activity/Ticket 4-16
Viewing Change Reports 4-16
Selecting a Change Report in Non-Workflow Mode with Ticket Management Disabled 4-18
Validating an Activity/Ticket 4-18
Submitting an Activity for Approval (Workflow Mode with Activity Approver) 4-20
Approving or Rejecting an Activity (Workflow Mode) 4-21
Discarding an Activity/Ticket 4-22
Viewing Activity/Ticket Status and History 4-23
CHAPTER 5 Managing Policies 5-1
Understanding Policies 5-1
Settings-Based Policies vs. Rule-Based Policies 5-2
Service Policies vs. Platform-Specific Policies 5-2
Local Policies vs. Shared Policies 5-3
Understanding Rule Inheritance 5-4
Inheritance vs. Assignment 5-6
Policy Management and Objects 5-7
Understanding Policy Locking 5-7
Understanding Locking and Policies 5-9
Understanding Locking and VPN Topologies 5-9
Understanding Locking and Objects 5-10
Customizing Policy Management for Routers and Firewall Devices 5-10
Discovering Policies 5-12
Discovering Policies on Devices Already in Security Manager 5-15
Create Discovery Task and Bulk Rediscovery Dialog Boxes 5-18
Viewing Policy Discovery Task Status 5-21
Discovery Status Dialog Box 5-21
Policy Discovery Status Page 5-23
Frequently Asked Questions about Policy Discovery 5-25
Managing Policies in Device View and the Site-to-Site VPN Manager 5-28
Policy Status Icons 5-28
Performing Basic Policy Management 5-29
Configuring Local Policies in Device View 5-29
Copying Policies Between Devices 5-31
Unassigning a Policy 5-33
Working with Shared Policies in Device View or the Site-to-Site VPN Manager 5-34
Using the Policy Banner 5-35
Policy Shortcut Menu Commands in Device View and the Site-to-Site VPN Manager 5-37
Sharing a Local Policy 5-38
Sharing Multiple Policies of a Selected Device 5-39
Unsharing a Policy 5-40
Assigning a Shared Policy to a Device or VPN Topology 5-41
Adding Local Rules to a Shared Policy 5-42
Inheriting or Uninheriting Rules 5-43
Cloning (Copying) a Shared Policy 5-44
Renaming a Shared Policy 5-45
Modifying Shared Policy Definitions in Device View or the Site-to-Site VPN Manager 5-45
Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager 5-46
Managing Shared Policies in Policy View 5-47
Policy View Selectors 5-49
Policy View—Shared Policy Selector Options 5-50
Creating a New Shared Policy 5-51
Modifying Policy Assignments in Policy View 5-51
Deleting a Shared Policy 5-53
Managing Policy Bundles 5-53
Creating a New Policy Bundle 5-54
Cloning a Policy Bundle 5-55
Renaming a Policy Bundle 5-55
Assigning Policy Bundles to Devices 5-56
CHAPTER 6 Managing Policy Objects 6-1
Selecting Objects for Policies 6-2
Policy Object Manager 6-4
Policy Object Manager: Undocking and Docking 6-8
Policy Object Manager Shortcut Menu 6-8
Working with Policy Objects—Basic Procedures 6-9
Creating Policy Objects 6-9
Editing Objects 6-12
Using Category Objects 6-12
Cloning (Duplicating) Objects 6-13
Viewing Object Details 6-14
Generating Object Usage Reports 6-14
Deleting Objects 6-16
Managing Object Overrides 6-17
Understanding Policy Object Overrides for Individual Devices 6-17
Allowing a Policy Object to Be Overridden 6-18
Creating or Editing Object Overrides for a Single Device 6-18
Creating or Editing Object Overrides for Multiple Devices At A Time 6-19
Deleting Device-Level Object Overrides 6-21
Importing and Exporting Policy Objects 6-21
Understanding AAA Server and Server Group Objects 6-24
Supported AAA Server Types 6-25
Additional AAA Support on ASA, PIX, and FWSM Devices 6-26
Predefined AAA Authentication Server Groups 6-28
Default AAA Server Groups and IOS Devices 6-28
Creating AAA Server Objects 6-29
Add or Edit AAA Server Dialog Box 6-30
AAA Server Dialog Box—RADIUS Settings 6-32
AAA Server Dialog Box—TACACS+ Settings 6-35
AAA Server Dialog Box—Kerberos Settings 6-36
AAA Server Dialog Box—LDAP Settings 6-37
AAA Server Dialog Box—NT Settings 6-40
AAA Server Dialog Box—SDI Settings 6-40
AAA Server Dialog Box—HTTP-FORM Settings 6-41
Add and Edit LDAP Attribute Map Dialog Boxes 6-43
Add and Edit LDAP Attribute Map Value Dialog Boxes 6-44
Add and Edit Map Value Dialog Boxes 6-44
Creating AAA Server Group Objects 6-45
AAA Server Group Dialog Box 6-46
Creating Access Control List Objects 6-49
Creating Extended Access Control List Objects 6-50
Creating Standard Access Control List Objects 6-51
Creating Web Access Control List Objects 6-52
Creating Unified Access Control List Objects 6-54
Add or Edit Access List Dialog Boxes 6-55
Add and Edit Extended Access Control Entry Dialog Boxes 6-56
Add and Edit Standard Access Control Entry Dialog Boxes 6-59
Add and Edit Web Access Control Entry Dialog Boxes 6-60
Add and Edit Unified Access Control Entry Dialog Boxes 6-62
Configuring Time Range Objects 6-66
Recurring Ranges Dialog Box 6-67
Understanding Interface Role Objects 6-67
Creating Interface Role Objects 6-68
Interface Role Dialog Box 6-69
Specifying Interfaces During Policy Definition 6-70
Using Interface Roles When a Single Interface Specification is Allowed 6-71
Handling Name Conflicts between Interfaces and Interface Roles 6-72
Understanding Map Objects 6-72
Understanding Networks/Hosts Objects 6-74
Contiguous and Discontiguous Network Masks for IPv4 Addresses 6-75
Creating Networks/Hosts Objects 6-76
Add or Edit Network/Host Dialog Box 6-77
Using Unspecified Networks/Hosts Objects 6-80
Specifying IP Addresses During Policy Definition 6-81
Understanding Pool Objects 6-83
Add or Edit IPv4 Pool Dialog Box 6-83
Add or Edit IPv6 Pool Dialog Box 6-84
Add or Edit MAC Address Pool Dialog Box 6-85
Understanding and Specifying Services and Service and Port List Objects 6-86
Configuring Port List Objects 6-87
Configuring Service Objects 6-89
How Policy Objects are Provisioned as Object Groups 6-91
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups 6-92
How Service Objects are Provisioned as Object Groups 6-92
CHAPTER 7 Managing FlexConfigs 7-1
Understanding FlexConfig Policies and Policy Objects 7-2
Using CLI Commands in FlexConfig Policy Objects 7-2
Using Scripting Language Instructions 7-3
Scripting Language Example 1: Looping 7-3
Scripting Language Example 2: Looping with Two-Dimensional Arrays 7-3
Example 3: Looping with If/Else Statements 7-4
Understanding FlexConfig Object Variables 7-5
Example of FlexConfig Policy Object Variables 7-6
FlexConfig System Variables 7-7
Predefined FlexConfig Policy Objects 7-19
Configuring FlexConfig Policies and Policy Objects 7-24
A FlexConfig Creation Scenario 7-24
Creating FlexConfig Policy Objects 7-27
Add or Edit FlexConfig Dialog Box 7-29
Create Text Object Dialog Box 7-31
Add or Edit Text Object Dialog Box 7-31
FlexConfig Undefined Variables Dialog Box 7-32
Property Selector Dialog Box 7-33
Editing FlexConfig Policies 7-34
FlexConfig Policy Page 7-35
Values Assignment Dialog Box 7-36
FlexConfig Preview Dialog Box 7-37
Troubleshooting FlexConfigs 7-37
CHAPTER 8 Managing Deployment 8-1
Understanding Deployment 8-1
Overview of the Deployment Process 8-1
Deployment in Non-Workflow Mode 8-3
Deployment Task Flow in Non-Workflow Mode 8-3
Job States in Non-Workflow Mode 8-4
Deployment in Workflow Mode 8-5
Deployment Task Flow in Workflow Mode 8-5
Job States in Workflow Mode 8-6
Deployment Job Approval 8-7
Deployment Jobs and Multiple Users 8-8
Including Devices in Deployment Jobs or Schedules 8-8
Understanding Deployment Methods 8-8
Deploying Directly to a Device 8-9
Deploying to a Device through an Intermediate Server 8-10
Deploying to a File 8-11
Understanding How Out-of-Band Changes are Handled 8-12
Handling Device OS Version Mismatches 8-13
Overview of the Deployment Manager and Configuration Archive 8-16
Understanding What You Can Do with the Deployment Manager 8-16
Deployment Manager Window 8-17
Deployment Workflow Commentary Dialog Box 8-21
Deployment Schedules Tab, Deployment Manager 8-22
Configuration Archive Window 8-24
Working with Deployment and the Configuration Archive 8-26
Viewing Deployment Status and History for Jobs and Schedules 8-27
Tips for Successful Deployment Jobs 8-28
Deploying Configurations in Non-Workflow Mode 8-29
Edit Deploy Method Dialog Box 8-31
Warning - Partial VPN Deployment Dialog Box 8-32
Deployment Status Details Dialog Box 8-33
Deploying Configurations in Workflow Mode 8-35
Creating and Editing Deployment Jobs 8-36
Submitting Deployment Jobs 8-39
Approving and Rejecting Deployment Jobs 8-39
Deploying a Deployment Job in Workflow Mode 8-40
Discarding Deployment Jobs 8-41
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine 8-42
Deploying Configurations to a Token Management Server 8-43
Previewing Configurations 8-45
Detecting and Analyzing Out of Band Changes 8-46
OOB (Out of Band) Changes Dialog Box 8-48
Redeploying Configurations to Devices 8-49
Aborting Deployment Jobs 8-51
Creating or Editing Deployment Schedules 8-52
Schedule Dialog Box 8-53
Add Other Devices Dialog Box 8-54
Suspending or Resuming Deployment Schedules 8-55
Adding Configuration Versions from a Device to the Configuration Archive 8-55
Viewing and Comparing Archived Configuration Versions 8-56
Configuration Version Viewer 8-56
Viewing Deployment Transcripts 8-58
Rolling Back Configurations 8-59
Understanding Configuration Rollback 8-59
Understanding Rollback for Devices in Multiple Context Mode 8-61
Understanding Rollback for Failover Devices 8-61
Understanding Rollback for Catalyst 6500/7600 Devices 8-61
Understanding Rollback for IPS and IOS IPS 8-62
Commands that Can Cause Conflicts after Rollback 8-64
Commands to Recover from Failover Misconfiguration after Rollback 8-65
Rolling Back Configurations to Devices Using the Deployment Manager 8-65
Using Rollback to Deploy Archived Configurations 8-66
Performing Rollback When Deploying to a File 8-67
CHAPTER 9 Troubleshooting Device Communication and Deployment 9-1
Testing Device Connectivity 9-1
Device Connectivity Test Dialog Box 9-3
Managing Device Communication Settings and Certificates 9-4
Manually Adding SSL Certificates for Devices that Use HTTPS Communications 9-4
Security Certificate Rejected When Discovering Device 9-6
Invalid Certificate Error During Device Discovery 9-6
Troubleshooting SSH Connection Problems 9-7
Troubleshooting Device Communication Failures 9-7
Resolving Red X Marks in the Device Selector 9-8
Troubleshooting Deployment 9-9
Changing How Security Manager Responds to Device Messages 9-10
Memory Violation Deployment Errors for ASA 8.3+ Devices 9-11
Security Manager Unable to Communicate With Device After Deployment 9-12
Updating VPNs That Include Routing Processes 9-13
Mixing Deployment Methods with Router and VPN Policies 9-13
Deployment Failures for Routers 9-14
Deployment Failures for Catalyst Switches and Service Modules 9-15
Changing How Security Manager Deploys Configurations to Multiple-Context FWSM 9-16
Deployment Failures to Devices Managed by AUS 9-17
Troubleshooting the Setup of Configuration Engine-Managed Devices 9-18
CHAPTER 10 Managing the Security Manager Server 10-1
Overview of Security Manager Server Management and Administration 10-1
Managing a Cluster of Security Manager Servers 10-2
Overview of Security Manager Server Cluster Management 10-2
Splitting a Security Manager Server 10-3
Synchronizing Shared Policies Among Security Manager Servers 10-4
Exporting the Device Inventory 10-5
Exporting the Device Inventory from the Security Manager Client 10-6
Supported CSV Formats for Inventory Import/Export 10-9
Exporting the Device Inventory from the Command Line 10-10
Exporting Shared Policies 10-11
Importing Policies or Devices 10-13
Installing Security Manager License Files 10-16
Certificate Trust Management 10-17
Working with Audit Reports 10-19
Understanding Audit Reports 10-19
Generating the Audit Report 10-20
Using the Audit Report Window 10-20
Purging Audit Log Entries 10-22
Taking Over Another User’s Work 10-23
Changing Passwords for the Admin or Other Users 10-23
Backing up and Restoring the Security Manager Database 10-24
Backing Up the Server Database 10-24
Restoring the Server Database 10-26
Generating Data for the Cisco Technical Assistance Center 10-27
Creating a Diagnostics File for the Cisco Technical Assistance Center 10-27
Generating Deployment or Discovery Status Reports 10-28
Generating a Partial Database Backup for the Cisco Technical Assistance Center 10-29
CHAPTER 11 Configuring Security Manager Administrative Settings 11-1
API Settings Page 11-2
AutoLink Settings Page 11-2
Configuration Archive Page 11-3
CS-MARS Page 11-4
New or Edit CS-MARS Device Dialog Box 11-5
Customize Desktop Page 11-6
Debug Options Page 11-8
Deployment Page 11-9
Device Communication Page 11-16
Add Certificate Dialog Box 11-19
Device Groups Page 11-20
Discovery Page 11-21
Event Management Page 11-22
Health and Performance Monitoring Page 11-25
Identity Settings Page 11-26
Image Manager Page 11-28
IPS Updates Page 11-30
Edit Update Server Settings Dialog Box 11-34
Edit Auto Update Settings Dialog Box 11-37
Edit Signature Download Filter Settings Dialog Box 11-38
ISE Settings Page 11-39
Licensing Page 11-40
CSM Tab, Licensing Page 11-40
IPS Tab, Licensing Page 11-41
Verifying IPS Devices for License Update or Redeployment 11-43
Selecting IPS License Files 11-43
License Update Status Details Dialog Box 11-43
Logs Page 11-44
Policy Management Page 11-45
Policy Objects Page 11-47
Rule Expiration Page 11-48
Server Security Page 11-49
Take Over User Session Page 11-50
Ticket Management Page 11-51
Token Management Page 11-52
VPN Policy Defaults Page 11-53
Workflow Page 11-54
Wall Settings Page 11-56
CHAPTER 12 Introduction to Firewall Services 12-1
Overview of Firewall Services 12-1
Understanding the Processing Order of Firewall Rules 12-2
Understanding How NAT Affects Firewall Rules 12-3
ACL Names Preserved by Security Manager 12-4
ACL Naming Conventions 12-5
Resolving ACL Name Conflicts Between Policies 12-6
Managing Your Rules Tables 12-7
Using Rules Tables 12-7
Adding and Removing Rules 12-9
Editing Rules 12-9
Adding or Editing Address Cells in Rules Tables 12-11
Adding or Editing User Cells in Rules Tables 12-12
Adding or Editing Services Cells in Rules Tables 12-12
Adding or Editing Interfaces or Zones Cells in Rules Tables 12-13
Editing Category Cells in Rules Tables 12-14
Editing Description Cells in Rules Tables 12-14
Showing the Contents of Cells in Rules Tables 12-14
Finding and Replacing Items in Rules Tables 12-16
Find and Replace Dialog Box 12-17
Moving Rules and the Importance of Rule Order 12-19
Enabling and Disabling Rules 12-20
Using Sections to Organize Rules Tables 12-20
Add and Edit Rule Section Dialog Boxes 12-22
Combining Rules 12-22
Combine Rules Selection Summary Dialog Box 12-24
Interpreting Rule Combiner Results 12-25
Example Rule Combiner Results 12-27
Converting IPv4 Rules to Unified Rules 12-28
Generating Policy Query Reports 12-28
Querying Device or Policy Dialog Box 12-29
Interpreting Policy Query Results 12-32
Example Policy Query Result 12-34
Optimizing Network Object Groups When Deploying Firewall Rules 12-35
Expanding Object Groups During Discovery 12-35
CHAPTER 13 Managing Identity-Aware Firewall Policies 13-1
Overview of Identity-Aware Firewall Policies 13-1
User Identity Acquisition 13-2
Requirements for Identity-Aware Firewall Policies 13-3
Configuring the Firewall to Provide Identity-Aware Services 13-7
Configuring Identity-Aware Firewall Policies 13-7
Enabling Identity-Aware Firewall Services 13-8
Identifying Active Directory Servers and Agents 13-8
Configuring Identity Options 13-15
Creating Identity User Group Objects 13-19
Selecting Identity Users in Policies 13-21
Configuring Identity-Based Firewall Rules 13-21
Configuring Cut-Through Proxy 13-23
Collecting User Statistics 13-25
Filtering VPN Traffic with Identity-Based Rules 13-26
Monitoring Identity Firewall Policies 13-27
CHAPTER 14 Managing TrustSec Firewall Policies 14-1
Overview of TrustSec Firewall Policies 14-1
Understanding SGT and SXP Support in Cisco TrustSec 14-2
Roles in the Cisco TrustSec Solution 14-2
Security Group Policy Enforcement 14-3
About Speaker and Listener Roles 14-6
Prerequisites for Integrating an ASA with Cisco TrustSec 14-6
Configuring TrustSec Firewall Policies 14-7
Configuring Cisco TrustSec Services 14-8
Configuring Security Exchange Protocol (SXP) Settings 14-8
Defining SXP Connection Peers 14-9
Creating Security Group Objects 14-12
Selecting Security Groups in Policies 14-13
Configuring TrustSec-Based Firewall Rules 14-13
Monitoring TrustSec Firewall Policies 14-14
CHAPTER 15 Managing Firewall AAA Rules 15-1
Understanding AAA Rules 15-1
Understanding How Users Authenticate 15-2
Configuring AAA Rules for ASA, PIX, and FWSM Devices 15-4
Configuring AAA Rules for IOS Devices 15-7
AAA Rules Page 15-10
Add and Edit AAA Rule Dialog Boxes 15-13
Edit AAA Option Dialog Box 15-18
AuthProxy Dialog Box 15-18
Edit Server Group Dialog Box 15-18
AAA Firewall Settings Policies 15-19
AAA Firewall Settings Page, Advanced Setting Tab 15-19
Interactive Authentication Configuration Dialog Box 15-21
Clear Connection Configuration Dialog Box 15-22
AAA Firewall Page, MAC-Exempt List Tab 15-23
Firewall AAA MAC Exempt Setting Dialog Box 15-24
AAA Page 15-25
Firewall AAA IOS Timeout Value Setting 15-27
CHAPTER 16 Managing Firewall Access Rules 16-1
Understanding Access Rules 16-1
Understanding Global Access Rules 16-3
Understanding Device Specific Access Rule Behavior 16-4
Understanding Access Rule Address Requirements and How Rules Are Deployed 16-5
Configuring Access Rules 16-7
Access Rules Page 16-9
Add and Edit Access Rule Dialog Boxes 16-13
Advanced and Edit Options Dialog Boxes 16-15
Hit Count Selection Summary Dialog Box 16-18
Configuring Expiration Dates for Access Rules 16-19
Configuring Settings for Access Control 16-20
Access Control Settings Page 16-21
Firewall ACL Setting Dialog Box 16-23
Using Automatic Conflict Detection 16-25
Understanding Automatic Conflict Detection 16-25
Understanding the Automatic Conflict Detection User Interface 16-27
Resolving Conflicts 16-31
Viewing Hit Count Details 16-33
Sample Hit Count Details Window 16-35
Importing Rules 16-37
Import Rules Wizard—Enter Parameters Page 16-38
Import Rules Wizard—Status Page 16-39
Import Rules Wizard—Preview Page 16-40
Examples of Imported Rules 16-41
Optimizing Access Rules Automatically During Deployment 16-43
CHAPTER 17 Managing Firewall Inspection Rules 17-1
Understanding Inspection Rules 17-1
Choosing the Interfaces for Inspection Rules 17-2
Selecting Which Protocols To Inspect 17-3
Understanding Access Rule Requirements for Inspection Rules 17-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices 17-4
Configuring Inspection Rules 17-5
Inspection Rules Page 17-7
Add or Edit Inspect/Application FW Rule Wizard 17-10
Add or Edit Inspect/Application FW Rule Wizard, Step 2 17-12
Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page 17-16
Configure DNS Dialog Box 17-18
Configure SMTP Dialog Box 17-18
Configure ESMTP Dialog Box 17-18
Configure Fragments Dialog Box 17-19
Configure IMAP or POP3 Dialog Boxes 17-19
Configure RPC Dialog Box 17-20
Custom Protocol Dialog Box 17-20
Configure Dialog Box 17-20
Configuring Protocols and Maps for Inspection 17-21
Configuring Class Maps for Inspection Policies 17-26
Configuring DCE/RPC Maps 17-27
Configuring DNS Maps 17-28
DNS Map Protocol Conformance Tab 17-30
DNS Map Filtering Tab 17-30
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes 17-31
Configuring ESMTP Maps 17-34
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes 17-35
Configuring FTP Maps 17-37
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes 17-38
Configuring GTP Maps 17-40
Add and Edit Country Network Codes Dialog Boxes 17-42
Add and Edit Permit Response Dialog Boxes 17-42
GTP Map Timeouts Dialog Box 17-43
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes 17-43
Configuring H.323 Maps 17-45
Add or Edit HSI Group Dialog Boxes 17-47
Add or Edit HSI Endpoint IP Address Dialog Boxes 17-48
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes 17-48
Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices 17-50
HTTP Map General Tab 17-51
HTTP Map Entity Length Tab 17-52
HTTP Map RFC Request Method Tab 17-54
HTTP Map Extension Request Method Tab 17-55
HTTP Map Port Misuse Tab 17-56
HTTP Map Transfer Encoding Tab 17-57
Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices 17-58
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes 17-59
Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices 17-64
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes 17-65
Configuring IM Maps for IOS Devices 17-67
Configuring IP Options Maps 17-68
Configuring IPv6 Maps 17-70
IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes 17-71
Configuring IPsec Pass Through Maps 17-74
Configuring NetBIOS Maps 17-75
Configuring ScanSafe Maps 17-76
Configuring SIP Maps 17-77
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes 17-79
Configuring Skinny Maps 17-81
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes 17-83
Configuring SNMP Maps 17-84
Configuring Regular Expression Groups 17-85
Configuring Regular Expressions for Inspection Maps 17-86
Metacharacters Used to Build Regular Expressions 17-87
Configuring Settings for Inspection Rules for IOS Devices 17-88
CHAPTER 18 Managing Firewall Web Filter Rules 18-1
Understanding Web Filter Rules 18-1
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices 18-2
Web Filter Rules Page (ASA/PIX/FWSM) 18-3
Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes 18-5
Edit Web Filter Type Dialog Box 18-8
Edit Web Filter Options Dialog Box 18-9
Configuring Web Filter Rules for IOS Devices 18-10
Web Filter Rules Page (IOS) 18-11
IOS Web Filter Rule and Applet Scanner Dialog Box 18-13
IOS Web Filter Exclusive Domain Name Dialog Box 18-14
Configuring Settings for Web Filter Servers 18-15
Web Filter Settings Page 18-16
Web Filter Server Configuration Dialog Box 18-19
CHAPTER 19 Managing Firewall Botnet Traffic Filter Rules 19-1
Understanding Botnet Traffic Filtering 19-1
Task Flow for Configuring the Botnet Traffic Filter 19-2
Configuring the Dynamic Database 19-4
Adding Entries to the Static Database 19-5
Enabling DNS Snooping 19-6
Enabling Traffic Classification and Actions for the Botnet Traffic Filter 19-6
Botnet Traffic Filter Rules Page 19-9
Dynamic Blacklist Configuration Tab 19-10
Traffic Classification Tab 19-11
BTF Enable Rules Editor 19-12
BTF Drop Rules Editor 19-13
Whitelist/Blacklist Tab 19-14
Device Whitelist or Device Blacklist Dialog Box 19-15
CHAPTER 20 Working with ScanSafe Web Security 20-1
Configuring ScanSafe Web Security 20-2
ScanSafe Web Security Page 20-4
Add and Edit Default User Groups Dialog Box 20-6
ScanSafe Web Security Settings Page 20-6
CHAPTER 21 Managing Zone-based Firewall Rules 21-1
Understanding the Zone-based Firewall Rules 21-3
The Self Zone 21-5
Using VPNs with Zone-based Firewall Policies 21-5
Zones and VRF-aware Firewalls 21-6
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules 21-7
Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules 21-10
General Recommendations for Zone-based Firewall Rules 21-11
Developing and Applying Zone-based Firewall Rules 21-12
Adding Zone-Based Firewall Rules 21-12
Configuring Inspection Maps for Zone-based Firewall Policies 21-15
Configuring Class Maps for Zone-Based Firewall Policies 21-17
Zone-based Firewall IM Application Class Maps: Add or Edit Match Condition Dialog Boxes 21-20
Zone-based Firewall P2P Application Class Maps: Add or Edit Match Condition Dialog Boxes 21-20
H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes 21-21
HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes 21-21
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes 21-23
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes 21-24
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes 21-25
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes 21-28
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes 21-28
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes 21-29
Configuring Inspect Parameter Maps 21-29
Configuring Protocol Info Parameter Maps 21-32
Add or Edit DNS Server for Protocol Info Parameters Dialog Box 21-33
Configuring Policy Maps for Zone-Based Firewall Policies 21-33
Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web Filter Policies 21-34
Configuring Content Filtering Maps for Zone-based Firewall Policies 21-35
Configuring Local Web Filter Parameter Maps 21-37
Configuring N2H2 or WebSense Parameter Maps 21-38
Add or Edit External Filter Dialog Box 21-40
Configuring Trend Parameter Maps 21-41
Configuring URL Filter Parameter Maps 21-42
Add or Edit URL Domain Name Dialog Box for URL Filter Parameters 21-44
Configuring URLF Glob Parameter Maps 21-44
Configuring Web Filter Maps 21-46
Changing the Default Drop Behavior 21-47
Configuring Settings for Zone-based Firewall Rules 21-48
Zone Based Firewall Page 21-49
Zone Based Firewall Page - Content Filter Tab 21-51
Zone Dialog Box 21-52
Troubleshooting Zone-based Rules and Configurations 21-53
Zone-based Firewall Rules Page 21-57
Adding and Editing Zone-based Firewall Rules 21-59
Zone-based Firewall Rule: Advanced Options Dialog Box 21-63
Protocol Selector Dialog Box 21-64
Configure Protocol Dialog Box 21-65
CHAPTER 22 Managing Transparent Firewall Rules 22-1
Configuring Transparent Firewall Rules 22-1
Transparent Rules Page 22-3
Add and Edit Transparent Firewall Rule Dialog Boxes 22-5
Edit Transparent EtherType Dialog Box 22-7
Edit Transparent Mask Dialog Box 22-7
CHAPTER 23 Configuring Network Address Translation 23-1
Understanding Network Address Translation 23-2
Types of Address Translation 23-3
About “Simplified” NAT on ASA 8.3+ Devices 23-3
NAT Policies on Cisco IOS Routers 23-5
NAT Page: Interface Specification 23-6
NAT Page: Static Rules 23-6
NAT Static Rule Dialog Boxes 23-7
NAT Page: Dynamic Rules 23-10
NAT Dynamic Rule Dialog Box 23-11
NAT Page: Timeouts 23-13
NAT Policies on Security Devices 23-15
NAT in Transparent Mode 23-15
Translation Options Page 23-15
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices 23-17
Address Pools 23-17
Translation Rules: PIX, FWSM, and pre-8.3 ASA 23-18
Translation Exemptions (NAT 0 ACL) 23-19
Dynamic Rules Tab 23-21
Policy Dynamic Rules Tab 23-23
Static Rules Tab 23-25
General Tab 23-30
Configuring NAT on ASA 8.3+ Devices 23-32
Translation Rules: ASA 8.3+ 23-32
Per-Session NAT Rules: ASA 9.0(1)+ 23-45
CHAPTER 24 Managing Site-to-Site VPNs: The Basics 24-1
Understanding VPN Topologies 24-2
Hub-and-Spoke VPN Topologies 24-2
Point-to-Point VPN Topologies 24-3
Full Mesh VPN Topologies 24-4
Implicitly Supported Topologies 24-5
Understanding IPsec Technologies and Policies 24-5
Understanding Mandatory and Optional Policies for Site-to-Site VPNs 24-6
Overview of Site-to-Site VPN Policies 24-8
Understanding Devices Supported by Each IPsec Technology 24-9
Including Unmanaged or Non-Cisco Devices in a VPN 24-11
Understanding and Configuring VPN Default Policies 24-12
Using Device Overrides to Customize VPN Policies 24-13
Understanding VRF-Aware IPsec 24-14
VRF-Aware IPsec One-Box Solution 24-14
VRF-Aware IPsec Two-Box Solution 24-15
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices 24-17
Accessing Site-to-Site VPN Topologies and Policies 24-17
Site-to-Site VPN Manager Window 24-18
Configuring VPN Topologies in Device View 24-19
Site-To-Site VPN Discovery 24-19
Supported and Unsupported Technologies and Topologies for VPN Discovery 24-20
Prerequisites for VPN Discovery 24-21
VPN Discovery Rules 24-21
Discovering Site-to-Site VPNs 24-24
Defining or Repairing Discovered VPNs with Multiple Spoke Definitions 24-25
Rediscovering Site-to-Site VPNs 24-26
Creating or Editing VPN Topologies 24-28
Defining the Name and IPsec Technology of a VPN Topology 24-30
Selecting Devices for Your VPN Topology 24-32
Defining the Endpoints and Protected Networks 24-33
Configuring VPN Interface Endpoint Settings 24-35
Configuring Dial Backup 24-39
Dial Backup Settings Dialog Box 24-40
Configuring VPNSM or VPN SPA/VSPA Endpoint Settings 24-41
Identifying the Protected Networks for Endpoints 24-45
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPNSPA/VSPA 24-45
Configuring VRF Aware IPsec Settings 24-46
Configuring High Availability in Your VPN Topology 24-49
Defining GET VPN Group Encryption 24-51
Add Certificate Filter Dialog Box 24-54
Add New or Edit Security Association Dialog Box 24-55
Defining GET VPN Peers 24-57
Assigning Initial Policies (Defaults) to a New VPN Topology 24-58
Viewing a Summary of a VPN Topology’s Configuration 24-59
Creating or Editing Extranet VPNs 24-63
Deleting a VPN Topology 24-67
CHAPTER 25 Configuring IKE and IPsec Policies 25-1
Overview of IKE and IPsec Configurations 25-2
Comparing IKE Version 1 and 2 25-4
Understanding IKE 25-5
Deciding Which Encryption Algorithm to Use 25-6
Deciding Which Hash Algorithm to Use 25-6
Deciding Which Diffie-Hellman Modulus Group to Use 25-7
Deciding Which Authentication Method to Use 25-8
Configuring an IKE Proposal 25-9
Configuring IKEv1 Proposal Policy Objects 25-10
Configuring IKEv2 Proposal Policy Objects 25-13
Understanding IPsec Proposals 25-17
Understanding IPsec Proposals for Site-to-Site VPNs 25-18
Understanding Crypto Maps 25-18
Understanding Transform Sets 25-19
Understanding Reverse Route Injection 25-20
Configuring IPsec Proposals in Site-to-Site VPNs 25-21
Selecting the IKE Version for Devices in Site-to-Site VPNs 25-25
Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects 25-25
Configuring VPN Global Settings 25-29
Configuring VPN Global ISAKMP/IPsec Settings 25-30
Configuring VPN Global IKEv2 Settings 25-34
Understanding NAT in VPNs 25-37
Configuring VPN Global NAT Settings 25-38
Configuring VPN Global General Settings 25-40
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs 25-43
Configuring IKEv1 Preshared Key Policies 25-44
Understanding Public Key Infrastructure Policies 25-47
Requirements for Successful PKI Enrollment 25-48
Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs 25-50
Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs 25-51
Configuring Public Key Infrastructure Policies for Remote Access VPNs 25-52
PKI Enrollment Dialog Box 25-54
PKI Enrollment Dialog Box—CA Information Tab 25-55
PKI Enrollment Dialog Box—Enrollment Parameters Tab 25-59
PKI Enrollment Dialog Box—Certificate Subject Name Tab 25-61
PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab 25-62
Configuring IKEv2 Authentication in Site-to-Site VPNs 25-62
IKEv2 Authentication Policy 25-64
IKEv2 Authentication (Override) Dialog Box 25-66
CHAPTER 26 GRE and DM VPNs 26-1
Understanding the GRE Modes Page 26-1
GRE and Dynamic GRE VPNs 26-2
Understanding GRE 26-2
Advantages of IPsec Tunneling with GRE 26-3
How Does Security Manager Implement GRE? 26-3
Prerequisites for Successful Configuration of GRE 26-3
Understanding GRE Configuration for Dynamically Addressed Spokes 26-5
Configuring IPsec GRE VPNs 26-5
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs 26-6
Dynamic Multipoint VPNs (DMVPN) 26-9
Understanding DMVPN 26-10
Enabling Spoke-to-Spoke Connections in DMVPN Topologies 26-10
Advantages of DMVPN with GRE 26-11
Configuring DMVPN 26-12
Configuring GRE Modes for DMVPN 26-12
Configuring Large Scale DMVPNs 26-16
Configuring Server Load Balancing in Large Scale DMVPN 26-17
Edit Load Balancing Parameters Dialog Box 26-17
CHAPTER 27 Easy VPN 27-1
Understanding Easy VPN 27-1
Easy VPN with Dial Backup 27-2
Easy VPN with High Availability 27-2
Easy VPN with Dynamic Virtual Tunnel Interfaces 27-2
Easy VPN Configuration Modes 27-3
Easy VPN and IKE Extended Authentication (Xauth) 27-4
Overview of Configuring Easy VPN 27-5
Important Notes About Easy VPN Configuration 27-6
Configuring Client Connection Characteristics for Easy VPN 27-7
Configuring Credentials Policy Objects 27-9
Configuring an IPsec Proposal for Easy VPN 27-10
Configuring Dynamic VTI for Easy VPN 27-12
Configuring a Connection Profile Policy for Easy VPN 27-13
Configuring a User Group Policy for Easy VPN 27-14
CHAPTER 28 Group Encrypted Transport (GET) VPNs 28-1
Understanding Group Encrypted Transport (GET) VPNs 28-2
Understanding the GET VPN Registration Process 28-4
Choosing the Rekey Transport Mechanism 28-6
Configuring Redundancy Using Cooperative Key Servers 28-7
Configuring Fail-Close to Protect Registration Failures 28-8
Understanding the GET VPN Security Policy and Security Associations 28-10
Understanding Time-Based Anti-Replay 28-11
Configuring GET VPN 28-12
Generating and Synchronizing RSA Keys 28-13
Configuring the IKE Proposal for GET VPN 28-15
Configuring Global Settings for GET VPN 28-16
Configuring GET VPN Key Servers 28-18
Add Key Server, Group Member Dialog Box 28-19
Edit Key Server Dialog Box 28-19
Configuring GET VPN Group Members 28-20
Edit Group Member Dialog Box 28-21
Using Passive Mode to Migrate to GET VPN 28-23
Troubleshooting GET VPN Configurations 28-25
CHAPTER 29 Managing Remote Access VPNs: The Basics 29-1
Understanding Remote Access VPNs 29-1
Understanding Remote Access IPSec VPNs 29-2
Understanding Remote Access SSL VPNs 29-2
Remote Access SSL VPN Example 29-3
SSL VPN Access Modes 29-4
Understanding and Managing SSL VPN Support Files 29-5
Prerequisites for Configuring SSL VPNs 29-7
SSL VPN Limitations 29-7
Understanding Devices Supported by Each Remote Access VPN Technology 29-8
Overview of Remote Access VPN Policies 29-9
Discovering Remote Access VPN Policies 29-12
Using the Remote Access VPN Configuration Wizard 29-13
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices) 29-14
SSL VPN Configuration Wizard—Access Page (ASA) 29-15
SSL VPN Configuration Wizard—Connection Profile Page (ASA) 29-16
Creating User Groups with the Create Group Policy Wizard 29-19
Create Group Policy Wizard—Full Tunnel Page 29-20
Create Group Policy Wizard—Clientless and Thin Client Access Modes Page 29-22
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA and PIX 7.0+ Devices) 29-24
Remote Access VPN Configuration Wizard—IPSec VPN Connection Profile Page (ASA) 29-27
Remote Access VPN Configuration Wizard—IPSec Settings Page (ASA) 29-28
Remote Access VPN Configuration Wizard—Defaults Page 29-30
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices) 29-31
SSL VPN Configuration Wizard—Gateway and Context Page (IOS) 29-32
SSL VPN Configuration Wizard—Portal Page Customization Page (IOS) 29-34
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS and PIX 6.3 Devices) 29-35
CHAPTER 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices 30-1
Overview of Remote Access VPN Policies for ASA and PIX 7.0+ Devices 30-2
Understanding Cluster Load Balancing (ASA) 30-4
Configuring Cluster Load Balance Policies (ASA) 30-5
Configuring Connection Profiles (ASA, PIX 7.0+) 30-6
Connection Profiles Page 30-8
General Tab (Connection Profiles) 30-9
AAA Tab (Connection Profiles) 30-11
Secondary AAA Tab (Connection Profiles) 30-14
IPSec Tab (Connection Profiles) 30-16
SSL Tab (Connection Profiles) 30-18
Configuring Group Policies for Remote Access VPNs 30-21
Understanding Group Policies (ASA) 30-22
Creating Group Policies (ASA, PIX 7.0+) 30-23
Understanding SSL VPN Server Verification (ASA) 30-25
Configuring Trusted Pool Settings (ASA) 30-26
Using the Trustpool Manager 30-27
Working with IPSec VPN Policies 30-28
Configuring Certificate to Connection Profile Map Policies (ASA) 30-29
Configuring Certificate to Connection Profile Map Rules (ASA) 30-29
Map Rule Dialog Box (Upper Table) 30-31
Map Rule Dialog Box (Lower Table) 30-32
Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices) 30-33
IPsec Proposal Editor (ASA, PIX 7.0+ Devices) 30-33
Working with SSL and IKEv2 IPSec VPN Policies 30-36
Understanding SSL VPN Access Policies (ASA) 30-36
SSL VPN Access Policy Page 30-37
Configuring an Access Policy 30-40
Configuring Other SSL VPN Settings (ASA) 30-41
Configuring SSL VPN Performance Settings (ASA) 30-42
Configuring SSL VPN Content Rewrite Rules (ASA) 30-43
Configuring SSL VPN Encoding Rules (ASA) 30-45
Configuring SSL VPN Proxies and Proxy Bypass (ASA) 30-47
Configuring SSL VPN Browser Plug-ins (ASA) 30-50
Understanding SSL VPN AnyConnect Client Settings 30-52
Configuring SSL VPN AnyConnect Client Settings (ASA) 30-53
Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA) 30-56
Configuring Kerberos Constrained Delegation (KCD) for SSL VPN (ASA) 30-58
Configuring AnyConnect Custom Attributes (ASA) 30-59
Configuring SSL VPN Advanced Settings (ASA) 30-61
Configuring SSL VPN Server Verification (ASA) 30-61
Configuring SSL VPN Shared Licenses (ASA 8.2+) 30-62
Configuring an ASA Device as a Shared License Client 30-64
Configuring an ASA Device as a Shared License Server 30-65
Customizing Clientless SSL VPN Portals 30-65
Configuring ASA Portal Appearance Using SSL VPN Customization Objects 30-66
Localizing SSL VPN Web Pages for ASA Devices 30-68
Creating Your Own SSL VPN Logon Page for ASA Devices 30-70
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices 30-70
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks 30-72
Configuring SSL VPN Smart Tunnels for ASA Devices 30-73
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs 30-76
CHAPTER 31 Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices) 31-1
Understanding Dynamic Access Policies 31-1
Configuring Dynamic Access Policies 31-2
Understanding DAP Attributes 31-3
Configuring DAP Attributes 31-7
Configuring Cisco Secure Desktop Policies on ASA Devices 31-8
Dynamic Access Page (ASA) 31-10
Add/Edit Dynamic Access Policy Dialog Box 31-12
Main Tab 31-13
Logical Operations Tab 31-36
Advanced Expressions Tab 31-39
Cisco Secure Desktop Manager Policy Editor Dialog Box 31-40
CHAPTER 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices 32-1
Overview of Remote Access VPN Policies for IOS and PIX 6.3 Devices 32-2
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices) 32-3
IPsec Proposal Editor (IOS, PIX 6.3 Devices) 32-4
VPNSM/VPN SPA/VSPA Settings Dialog Box 32-6
Configuring Dynamic VTI/VRF Aware IPsec in Remote Access VPNs (IOS Devices) 32-7
Configuring High Availability in Remote Access VPNs (IOS) 32-11
Configuring User Group Policies 32-13
Configuring an SSL VPN Policy (IOS) 32-14
SSL VPN Context Editor Dialog Box (IOS) 32-15
General Tab 32-16
Creating Cisco Secure Desktop Configuration Objects 32-18
CHAPTER 33 Configuring Policy Objects for Remote Access VPNs 33-1
ASA Group Policies Dialog Box 33-1
ASA Group Policies Client Configuration Settings 33-4
ASA Group Policies Client Firewall Attributes 33-5
ASA Group Policies Hardware Client Attributes 33-7
ASA Group Policies IPSec Settings 33-8
Add or Edit Client Access Rules Dialog Box 33-10
ASA Group Policies SSL VPN Clientless Settings 33-10
Add or Edit VDI Server Dialog Box 33-12
ASA Group Policies SSL VPN Full Client Settings 33-13
ASA Group Policies SSL VPN Settings 33-17
Add or Edit Auto Signon Rules Dialog Box 33-19
ASA Group Policies DNS/WINS Settings 33-20
ASA Group Policies Split Tunneling Settings 33-21
ASA Group Policies Connection Settings 33-22
Add or Edit Secure Desktop Configuration Dialog Box 33-23
Add and Edit File Object Dialog Boxes 33-25
File Object — Choose a file Dialog Box 33-27
Add or Edit Port Forwarding List Dialog Boxes 33-28
Add or Edit A Port Forwarding Entry Dialog Box 33-30
Add or Edit Single Sign On Server Dialog Boxes 33-30
Add or Edit Bookmarks Dialog Boxes 33-32
Add and Edit Bookmark Entry Dialog Boxes 33-33
Add and Edit Post Parameter Dialog Boxes 33-36
Add and Edit SSL VPN Customization Dialog Boxes 33-37
SSL VPN Customization Dialog Box—Title Panel 33-39
SSL VPN Customization Dialog Box—Language 33-40
Add and Edit Language Dialog Boxes 33-42
SSL VPN Customization Dialog Box—Logon Form 33-42
SSL VPN Customization Dialog Box—Informational Panel 33-43
SSL VPN Customization Dialog Box—Copyright Panel 33-44
SSL VPN Customization Dialog Box—Full Customization 33-45
SSL VPN Customization Dialog Box—Toolbar 33-45
SSL VPN Customization Dialog Box—Applications 33-46
SSL VPN Customization Dialog Box—Custom Panes 33-46
Add and Edit Column Dialog Boxes 33-47
Add or Edit Custom Pane Dialog Boxes 33-47
SSL VPN Customization Dialog Box—Home Page 33-48
SSL VPN Customization Dialog Box—Logout Page 33-49
Add or Edit SSL VPN Gateway Dialog Box 33-50
Add and Edit Smart Tunnel List Dialog Boxes 33-52
Add and Edit A Smart Tunnel Entry Dialog Boxes 33-53
Add and Edit Smart Tunnel Auto Signon List Dialog Boxes 33-55
Add and Edit Smart Tunnel Auto Signon Entry Dialog Boxes 33-56
Add or Edit User Group Dialog Box 33-58
User Group Dialog Box—General Settings 33-60
User Group Dialog Box—DNS/WINS Settings 33-61
User Group Dialog Box—Split Tunneling 33-62
User Group Dialog Box—IOS Client Settings 33-63
User Group Dialog Box—IOS Xauth Options 33-64
User Group Dialog Box—IOS Client VPN Software Update 33-65
Add/Edit Client Update Dialog Box 33-65
User Group Dialog Box—Advanced PIX Options 33-66
User Group Dialog Box—Clientless Settings 33-67
User Group Dialog Box—Thin Client Settings 33-68
User Group Dialog Box—SSL VPN Full Tunnel Settings 33-69
User Group Dialog Box—SSL VPN Split Tunneling 33-70
User Group Dialog Box—Browser Proxy Settings 33-72
User Group Dialog Box—SSL VPN Connection Settings 33-73
Add or Edit WINS Server List Dialog Box 33-74
Add or Edit WINS Server Dialog Box 33-74
CHAPTER 34 Using Map View 34-1
Understanding Maps and Map View 34-1
Understanding the Map View Main Page 34-2
Map Toolbar 34-4
Using the Navigation Window 34-4
Maps Context Menus 34-5
Managed Device Node Context Menu 34-5
Multiple Selected Nodes Context Menu 34-6
VPN Connection Context Menu 34-6
Layer 3 Link Context Menu 34-7
Map Object Context Menu 34-7
Map Background Context Menu 34-7
Access Permissions for Maps 34-8
Working With Maps 34-8
Creating New or Default Maps 34-9
Opening Maps 34-10
Saving Maps 34-10
Deleting Maps 34-10
Exporting Maps 34-11
Arranging Map Elements 34-11
Panning, Centering, and Zooming Maps 34-11
Selecting Map Elements 34-12
Searching for Map Nodes 34-12
Using Linked Maps 34-13
Setting the Map Background Properties 34-13
Displaying Your Network on the Map 34-14
Understanding Map Elements 34-14
Displaying Managed Devices on the Map 34-16
Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security Appliances 34-16
Using Map Objects To Represent Network Topology 34-17
Add Map Object and Node Properties Dialog Boxes 34-18
Select Policy Object Dialog Box 34-18
Interface Properties Dialog Box 34-19
Creating and Managing Layer 3 Links on the Map 34-19
Select Interfaces and Link Properties Dialog Boxes 34-20
Add Link Dialog Box 34-20
Managing VPNs in Map View 34-20
Displaying Existing VPNs on the Map 34-21
Creating VPN Topologies in Map View 34-21
Editing VPN Policies or Peers From the Map 34-22
Managing Device Policies in Map View 34-22
Performing Basic Policy Management in Map View 34-22
Managing Firewall Policies in Map View 34-23
Managing Firewall Settings in Map View 34-23
CHAPTER 35 Getting Started with IPS Configuration 35-1
Understanding IPS Network Sensing 35-1
Capturing Network Traffic 35-2
Correctly Deploying the Sensor 35-4
Tuning the IPS 35-4
Overview of IPS Configuration 35-5
Identifying Allowed Hosts 35-7
Configuring SNMP 35-8
General SNMP Configuration Options 35-10
SNMP Trap Configuration Tab 35-11
SNMP Trap Communication Dialog Box 35-12
Managing User Accounts and Password Requirements 35-13
Understanding IPS User Roles 35-13
Understanding Managed and Unmanaged IPS Passwords 35-14
Understanding How IPS Passwords are Discovered and Deployed 35-15
Configuring IPS User Accounts 35-16
Add User and Edit User Credentials Dialog Boxes 35-17
Configuring User Password Requirements 35-18
Configuring AAA Access Control for IPS Devices 35-19
Identifying an NTP Server 35-21
Identifying DNS Servers 35-22
Identifying an HTTP Proxy Server 35-23
Configuring the External Product Interface 35-23
External Product Interface Dialog Box 35-24
Posture ACL Dialog Box 35-26
Configuring IPS Logging Policies 35-26
IPS Health Monitor 35-27
Configuring IPS Security Settings 35-29
CHAPTER 36 Managing IPS Device Interfaces 36-1
Understanding Interfaces 36-1
Understanding Interface Modes 36-2
Promiscuous Mode 36-2
Inline Interface Mode 36-3
Inline VLAN Pair Mode 36-3
VLAN Group Mode 36-4
Deploying VLAN Groups 36-5
Configuring Interfaces 36-6
Understanding the IPS Interfaces Policy 36-6
Viewing a Summary of IPS Interface Configuration 36-8
Configuring Physical Interfaces 36-10
Modify Physical Interface Map Dialog Box 36-11
Configuring Bypass Mode 36-12
Configuring CDP Mode 36-13
Configuring Inline Interface Pairs 36-13
Configuring Inline VLAN Pairs 36-14
Configuring VLAN Groups 36-15
CHAPTER 37 Configuring Virtual Sensors 37-1
Understanding the Virtual Sensor 37-1
Advantages and Restrictions of Virtualization 37-3
Inline TCP Session Tracking Mode 37-3
Understanding Normalizer Mode 37-4
Assigning Interfaces to Virtual Sensors 37-4
Identifying the Virtual Sensors for a Device 37-5
Defining A Virtual Sensor 37-5
Virtual Sensor Dialog Box 37-7
Editing Policies for a Virtual Sensor 37-9
Deleting A Virtual Sensor 37-10
CHAPTER 38 Defining IPS Signatures 38-1
Understanding Signatures 38-1
Obtaining Detailed Information About a Signature 38-2
Understanding Signature Inheritance 38-3
IPS Signature Purge 38-3
Configuring Signatures 38-4
Signatures Page 38-4
Signature Shortcut Menu 38-7
Edit, Add, Replace Action Dialog Boxes 38-8
Edit Fidelity Dialog Box 38-9
Viewing Signature Update Levels 38-9
Enabling and Disabling Signatures 38-10
Editing Signatures 38-11
Edit Signature or Add Custom Signature Dialog Boxes 38-12
Adding Custom Signatures 38-16
Engine Options 38-17
Cloning Signatures 38-18
Editing Signature Parameters (Tuning Signatures) 38-19
Edit Signature Parameters Dialog Box 38-21
Editing the Component List for Meta Engine Signatures 38-25
Obsoletes Dialog Box 38-26
Configuring Signature Settings 38-27
CHAPTER 39 Configuring Event Action Rules 39-1
Understanding the IPS Event Action Process 39-1
Understanding IPS Event Actions 39-2
Configuring Event Action Filters 39-4
Tips for Managing Event Action Filter Rules 39-6
Event Action Filters Page 39-7
Filter Item Dialog Box 39-9
Configuring Event Action Overrides 39-13
Event Action Override Dialog Box 39-14
Configuring IPS Event Action Network Information 39-14
Configuring Target Value Ratings 39-15
Target Value Rating Dialog Box 39-16
Understanding Passive OS Fingerprinting 39-17
Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only) 39-18
OS Map Dialog Box 39-20
Configuring Settings for Event Actions 39-21
CHAPTER 40 Managing IPS Anomaly Detection 40-1
Understanding Anomaly Detection 40-1
Worm Viruses 40-2
Anomaly Detection Modes 40-2
Anomaly Detection Zones 40-3
Knowing When to Turn Off Anomaly Detection 40-4
Configuring Anomaly Detection Signatures 40-4
Configuring Anomaly Detection 40-6
Configuring Anomaly Detection Learning Accept Mode 40-8
Understanding Anomaly Detection Thresholds and Histograms 40-9
Configuring Anomaly Detection Thresholds and Histograms 40-11
Dest Port or Protocol Map Dialog Box 40-12
Histogram Dialog Box 40-13
CHAPTER 41 Configuring Global Correlation 41-1
Understanding Global Correlation 41-1
Understanding Reputation 41-2
Understanding Network Participation 41-3
Global Correlation Requirements and Limitations 41-4
Configuring Global Correlation Inspection and Reputation 41-5
Configuring Network Participation 41-7
CHAPTER 42 Configuring Attack Response Controller for Blocking and Rate Limiting 42-1
Understanding IPS Blocking 42-1
Strategies for Applying Blocks 42-3
Understanding Rate Limiting 42-4
Understanding Router and Switch Blocking Devices 42-4
Understanding the Master Blocking Sensor 42-6
Configuring IPS Blocking and Rate Limiting 42-7
Blocking Page 42-8
General Tab, IPS Blocking Policy 42-10
User Profile Dialog Box 42-12
Master Blocking Sensor Dialog Box 42-13
Router, Firewall, Cat6K Device Dialog Box 42-14
Router Block Interface Dialog Box 42-15
Cat6k Block VLAN Dialog Box 42-16
Never Block Host or Network Dialog Boxes 42-17
CHAPTER 43 Managing IPS Sensors 43-1
Managing IPS Licenses 43-1
Updating IPS License Files 43-1
Redeploying IPS License Files 43-2
Automating IPS License File Updates 43-3
Managing IPS Updates 43-4
Configuring the IPS Update Server 43-4
Checking for IPS Updates and Downloading Them 43-5
Automating IPS Updates 43-6
Manually Applying IPS Updates 43-7
Managing IPS Certificates 43-10
Rebooting IPS Sensors 43-11
CHAPTER 44 Configuring IOS IPS Routers 44-1
Understanding Cisco IOS IPS 44-1
Understanding IPS Subsystems and Support of IOS IPS Revisions 44-2
Cisco IOS IPS Signature Scanning with Lightweight Signatures 44-2
Router Configuration Files and Signature Event Action Processor (SEAP) 44-3
Cisco IOS IPS Limitations and Restrictions 44-3
Overview of Cisco IOS IPS Configuration 44-3
Initial Preparation of a Cisco IOS IPS Router 44-5
Selecting a Signature Category for Cisco IOS IPS 44-6
Configuring General Settings for Cisco IOS IPS 44-7
Configuring IOS IPS Interface Rules 44-8
IPS Rule Dialog Box 44-9
Pair Dialog Box 44-10
CHAPTER 45 Managing Firewall Devices 45-1
Firewall Device Types 45-1
Default Firewall Configurations 45-2
Configuring Firewall Device Interfaces 45-2
Understanding Device Interfaces 45-3
Interfaces in Routed and Transparent Modes 45-4
Interfaces in Single and Multiple Contexts 45-5
About Asymmetric Routing Groups 45-5
Understanding ASA 5505 Ports and Interfaces 45-6
Configuring Subinterfaces (PIX/ASA) 45-7
Configuring Redundant Interfaces 45-7
Configuring EtherChannels 45-8
Managing Device Interfaces, Hardware Ports, and Bridge Groups 45-14
Add/Edit Interface Dialog Box (PIX 6.3) 45-15
Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM) 45-19
Configuring Hardware Ports on an ASA 5505 45-39
Add/Edit Bridge Group Dialog Box 45-41
Advanced Interface Settings (PIX/ASA/FWSM) 45-42
Enabling Traffic between Interfaces with the Same Security Level 45-43
Managing the PPPoE Users List 45-44
Managing VPDN Groups 45-45
CHAPTER 46 Configuring Bridging Policies on Firewall Devices 46-1
About Bridging on Firewall Devices 46-1
Bridging Support for FWSM 3.1 46-3
ARP Table Page 46-3
Add/Edit ARP Configuration Dialog Box 46-4
ARP Inspection Page 46-5
Add/Edit ARP Inspection Dialog Box 46-6
Managing the IPv6 Neighbor Cache 46-6
MAC Address Table Page 46-7
Add/Edit MAC Table Entry Dialog Box 46-8
MAC Learning Page 46-8
Add/Edit MAC Learning Dialog Box 46-9
Management IP Page 46-10
Management IPv6 Page (ASA 5505) 46-10
CHAPTER 47 Configuring Device Administration Policies on Firewall Devices 47-1
About AAA on Security Devices 47-1
Preparing for AAA 47-2
Local Database 47-3
AAA for Device Administration 47-4
AAA for Network Access 47-4
AAA for VPN Access 47-4
Configuring AAA - Authentication Tab 47-5
Authorization Tab 47-6
Accounting Tab 47-7
Configuring Banners 47-8
Configuring Boot Image/Configuration Settings 47-9
Images Dialog Box 47-10
Setting the Device Clock 47-11
Configuring Device Credentials 47-13
CHAPTER 48 Configuring Device Access Settings on Firewall Devices 48-1
Configuring Console Timeout 48-1
HTTP Page 48-2
HTTP Configuration Dialog Box 48-2
Configuring ICMP 48-3
Add and Edit ICMP Dialog Boxes 48-4
Configuring Management Access 48-5
Configuring Secure Shell Access 48-5
Add and Edit SSH Host Dialog Boxes 48-6
Configuring SNMP 48-7
SNMP Terminology 48-8
SNMP Page 48-8
SNMP Trap Configuration Dialog Box 48-9
Add SNMP Host Access Entry Dialog Box 48-12
Telnet Page 48-13
Telnet Configuration Dialog Box 48-14
CHAPTER 49 Configuring Failover 49-1
Understanding Failover 49-1
Active/Active Failover 49-3
Stateful Failover 49-4
Basic Failover Configuration 49-5
Adding a Security Context to Failover Group 2 49-7
Additional Steps for an Active/Standby Failover Configuration 49-9
Exporting the Certificate to a File or PKCS12 data 49-9
Importing the Certificate onto the Standby Device 49-9
Failover Policies 49-10
Failover Page (PIX 6.3) 49-10
Edit Failover Interface Configuration Dialog Box (PIX 6.3) 49-11
Failover Page (FWSM) 49-12
Advanced Settings Dialog Box 49-15
Failover Page (ASA/PIX 7.0+) 49-17
Settings Dialog Box 49-20
Failover Page (Security Context) 49-25
Bootstrap Configuration for LAN Failover Dialog Box 49-26
CHAPTER 50 Configuring Hostname, Resources, User Accounts, and SLAs 50-1
Hostname Page 50-1
Resource Management on Multi-context FWSMs 50-2
Resources Page 50-3
Add and Edit Resource Dialog Boxes 50-3
Configuring User Accounts 50-6
Add/Edit User Account Dialog Boxes 50-7
Monitoring Service Level Agreements (SLAs) To Maintain Connectivity 50-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Page 39
Creating Service Level Agreements 50-8
Configuring SLA Monitor Objects 50-9
Contents
CHAPTER
51 Configuring Server Access Settings on Firewall Devices 51-1
AUS Page 51-1
Add and Edit Auto Update Server Dialog Boxes 51-3
DHCP Relay Page 51-5
Add and Edit DHCP Relay Agent Configuration Dialog Boxes 51-5 Add and Edit DHCP Relay Server Configuration Dialog Boxes 51-6
DHCP Relay IPv6 Page 51-7
Add and Edit DHCP Relay IPv6 Agent Configuration Dialog Boxes 51-8 Add and Edit DHCP Relay IPv6 Server Configuration Dialog Boxes 51-9
Configuring DHCP Servers 51-9
DHCP Server Page 51-10
Add and Edit DHCP Server Interface Configuration Dialog Boxes 51-11 Add/Edit DHCP Server Advanced Configuration Dialog Box 51-12
DNS Page 51-13
Add DNS Server Group Dialog Box 51-15
Add DNS Server Dialog Box 51-16
Configuring DDNS 51-17
Add/Edit DDNS Interface Rule Dialog Box 51-18
DDNS Update Methods Dialog Box 51-18
CHAPTER
OL-28826-01
NTP Page 51-19
NTP Server Configuration Dialog Box 51-20
SMTP Server Page 51-21
TFTP Server Page 51-22
CHAPTER 52 Configuring Logging Policies on Firewall Devices 52-1
NetFlow Page 52-1
Add and Edit Collector Dialog Boxes (NetFlow) 52-2
E-Mail Setup Page 52-3
Add/Edit Email Recipient Dialog Box 52-3
Event Lists Page 52-4
Message Classes and Associated Message ID Numbers 52-4
Add/Edit Event List Dialog Box 52-5
Add/Edit Syslog Class Dialog Box 52-6
Add/Edit Syslog Message ID Filter Dialog Box 52-6
Logging Filters Page 52-7
Edit Logging Filters Dialog Box 52-8
Configuring Logging Setup 52-9
Logging Setup Page 52-10
Configuring Rate Limit Levels 52-12
Rate Limit Page 52-13
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box 52-13
Add/Edit Rate Limited Syslog Message Dialog Box 52-14
Configuring Syslog Server Setup 52-15
Server Setup Page 52-16
Logging Levels 52-18
Add/Edit Syslog Message Dialog Box 52-19
Defining Syslog Servers 52-20
Syslog Servers Page 52-21
Add/Edit Syslog Server Dialog Box 52-22
CHAPTER 53 Configuring Multicast Policies on Firewall Devices 53-1
Enabling PIM and IGMP 53-1
Configuring IGMP 53-2
IGMP Page - Protocol Tab 53-3
Configure IGMP Parameters Dialog Box 53-4
IGMP Page - Access Group Tab 53-5
Configure IGMP Access Group Parameters Dialog Box 53-5
IGMP Page - Static Group Tab 53-6
Configure IGMP Static Group Parameters Dialog Box 53-6
IGMP Page - Join Group Tab 53-7
Configure IGMP Join Group Parameters Dialog Box 53-7
Configuring Multicast Routes 53-8
Add/Edit MRoute Configuration Dialog Box 53-8
Configuring Multicast Boundary Filters 53-9
Add/Edit MBoundary Configuration Dialog Box 53-9
Add/Edit MBoundary Interface Configuration Dialog Box 53-10
Configuring PIM 53-11
PIM Page - Protocol Tab 53-11
Add/Edit PIM Protocol Dialog Box 53-12
PIM Page - Neighbor Filter Tab 53-12
Add/Edit PIM Neighbor Filter Dialog Box 53-13
PIM Page - Bidirectional Neighbor Filter Tab 53-13
Add/Edit PIM Bidirectional Neighbor Filter Dialog Box 53-14
PIM Page - Rendezvous Points Tab 53-15
Add/Edit Rendezvous Point Dialog Box 53-16
PIM Page - Route Tree Tab 53-17
PIM Page - Request Filter Tab 53-18
Add/Edit Multicast Group Rules Dialog Box 53-19
CHAPTER 54 Configuring Routing Policies on Firewall Devices 54-1
Configuring No Proxy ARP 54-1
Configuring OSPF 54-2
About OSPF 54-2
General Tab 54-3
OSPF Advanced Dialog Box 54-4
Area Tab 54-6
Add/Edit Area/Area Networks Dialog Box 54-7
Range Tab 54-8
Add/Edit Area Range Network Dialog Box 54-9
Neighbors Tab 54-10
Add/Edit Static Neighbor Dialog Box 54-10
Redistribution Tab 54-11
Redistribution Dialog Box 54-11
Virtual Link Tab 54-13
Add/Edit OSPF Virtual Link Configuration Dialog Box 54-13
Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box 54-15
Filtering Tab 54-15
Add/Edit Filtering Dialog Box 54-16
Summary Address Tab 54-17
Add/Edit Summary Address Dialog Box 54-18
Interface Tab 54-18
Add/Edit Interface Dialog Box 54-20
Configuring OSPFv3 54-22
About OSPFv3 54-22
Process Tab 54-24
OSPFv3 Advanced Properties Dialog Box 54-25
Area Tab (OSPFv3) 54-28
Add/Edit Redistribution Dialog Box (OSPFv3) 54-32
Add/Edit Summary Prefix Dialog Box (OSPFv3) 54-34
OSPFv3 Interface Tab 54-34
Add/Edit Interface Dialog Box (OSPFv3) 54-35
Add/Edit Neighbor Dialog Box (OSPFv3) 54-38
Configuring RIP 54-40
RIP Page for PIX/ASA 6.3–7.1 and FWSM 54-41
Add/Edit RIP Configuration (PIX/ASA 6.3–7.1 and FWSM) Dialog Boxes 54-41
RIP Page for PIX/ASA 7.2 and Later 54-42
RIP - Setup Tab 54-43
RIP - Redistribution Tab 54-45
RIP - Filtering Tab 54-46
RIP - Interface Tab 54-47
Configuring Static Routes 54-48
Add/Edit Static Route Dialog Box 54-49
Add/Edit IPv6 Static Route Dialog Box 54-50
CHAPTER 55 Configuring Security Policies on Firewall Devices 55-1
General Page 55-1
Configuring Floodguard, Anti-Spoofing and Fragment Settings 55-2
Add/Edit General Security Configuration Dialog Box 55-3
Configuring Timeouts 55-4
CHAPTER 56 Configuring Service Policy Rules on Firewall Devices 56-1
About Service Policy Rules 56-1
About TCP State Bypass 56-3
Priority Queues Page 56-4
Priority Queue Configuration Dialog Box 56-4
IPS, QoS, and Connection Rules Page 56-5
Insert/Edit Service Policy (MPC) Rule Wizard 56-6
Step 1. Configure a Service Policy 56-6
Step 2. Configure the traffic class 56-7
Step 3. Configure the MPC actions 56-8
About IPS Modules on ASA Devices 56-14
About the ASA CX 56-15
ASA CX Auth Proxy Configuration 56-16
Configuring Traffic Flow Objects 56-16
Default Inspection Traffic 56-18
Configuring TCP Maps 56-20
Add and Edit TCP Option Range Dialog Boxes 56-22
CHAPTER 57 Configuring Security Contexts on Firewall Devices 57-1
Enabling and Disabling Multiple-Context Mode 57-1
Checklist for Configuring Multiple Security Contexts 57-2
Managing Security Contexts 57-4
Add/Edit Security Context Dialog Box (FWSM) 57-5
Add/Edit Security Context Dialog Box (PIX/ASA) 57-7
Allocate Interfaces Dialog Box (PIX/ASA only) 57-8
CHAPTER 58 Managing Routers 58-1
Configuring Routers Running IOS Software Releases 12.1 and 12.2 58-2
Discovering Router Policies 58-3
CHAPTER 59 Configuring Router Interfaces 59-1
Basic Interface Settings on Cisco IOS Routers 59-1
Available Interface Types 59-2
Defining Basic Router Interface Settings 59-3
Deleting a Cisco IOS Router Interface 59-6
Router Interfaces Page 59-7
Create Router Interface Dialog Box 59-8
Interface Auto Name Generator Dialog Box 59-12
Advanced Interface Settings on Cisco IOS Routers 59-13
Understanding Helper Addresses 59-14
Advanced Interface Settings Page 59-15
Advanced Interface Settings Dialog Box 59-16
IPS Module Interface Settings on Cisco IOS Routers 59-22
IPS Module Interface Settings Page 59-22
IPS Monitoring Information Dialog Box 59-23
CEF Interface Settings on Cisco IOS Routers 59-24
CEF Interface Settings Page 59-25
CEF Interface Settings Dialog Box 59-26
Dialer Interfaces on Cisco IOS Routers 59-27
Defining Dialer Profiles 59-27
Defining BRI Interface Properties 59-29
Dialer Policy Page 59-30
Dialer Profile Dialog Box 59-31
Dialer Physical Interface Dialog Box 59-32
ADSL on Cisco IOS Routers 59-33
Supported ADSL Operating Modes 59-34
Defining ADSL Settings 59-35
ADSL Policy Page 59-36
ADSL Settings Dialog Box 59-37
SHDSL on Cisco IOS Routers 59-40
Defining SHDSL Controllers 59-40
SHDSL Policy Page 59-41
SHDSL Controller Dialog Box 59-42
Controller Auto Name Generator Dialog Box 59-45
PVCs on Cisco IOS Routers 59-46
Understanding Virtual Paths and Virtual Channels 59-46
Understanding ATM Service Classes 59-47
Understanding ATM Management Protocols 59-48
Understanding ILMI 59-49
Understanding OAM 59-50
Defining ATM PVCs 59-50
Defining OAM Management on ATM PVCs 59-53
PVC Policy Page 59-54
PVC Dialog Box 59-55
PVC Dialog Box—Settings Tab 59-57
PVC Dialog Box—QoS Tab 59-60
PVC Dialog Box—Protocol Tab 59-63
Define Mapping Dialog Box 59-64
PVC Advanced Settings Dialog Box 59-65
PVC Advanced Settings Dialog Box—OAM Tab 59-66
PVC Advanced Settings Dialog Box—OAM-PVC Tab 59-68
PPP on Cisco IOS Routers 59-70
Understanding Multilink PPP (MLP) 59-70
Defining PPP Connections 59-71
Defining Multilink PPP Bundles 59-74
PPP/MLP Policy Page 59-75
PPP Dialog Box 59-76
PPP Dialog Box—PPP Tab 59-77
PPP Dialog Box—MLP Tab 59-79
CHAPTER 60 Router Device Administration 60-1
AAA on Cisco IOS Routers 60-2
Supported Authorization Types 60-2
Supported Accounting Types 60-3
Understanding Method Lists 60-3
Defining AAA Services 60-4
AAA Policy Page 60-6
AAA Page—Authentication Tab 60-6
AAA Page—Authorization Tab 60-7
Command Authorization Dialog Box 60-9
AAA Page—Accounting Tab 60-10
Command Accounting Dialog Box 60-12
User Accounts and Device Credentials on Cisco IOS Routers 60-13
Defining Accounts and Credential Policies 60-14
Accounts and Credentials Policy Page 60-15
User Account Dialog Box 60-17
Bridging on Cisco IOS Routers 60-18
Bridge-Group Virtual Interfaces 60-18
Defining Bridge Groups 60-19
Bridging Policy Page 60-20
Bridge Group Dialog Box 60-21
Time Zone Settings on Cisco IOS Routers 60-22
Defining Time Zone and DST Settings 60-22
Clock Policy Page 60-23
CPU Utilization Settings on Cisco IOS Routers 60-25
Defining CPU Utilization Settings 60-25
CPU Policy Page 60-26
HTTP and HTTPS on Cisco IOS Routers 60-28
Defining HTTP Policies 60-29
HTTP Policy Page 60-31
HTTP Page—Setup Tab 60-31
HTTP Page—AAA Tab 60-32
Command Authorization Override Dialog Box 60-34
Line Access on Cisco IOS Routers 60-35
Defining Console Port Setup Parameters 60-35
Defining Console Port AAA Settings 60-37
Defining VTY Line Setup Parameters 60-38
Defining VTY Line AAA Settings 60-40
Console Policy Page 60-42
Console Page—Setup Tab 60-42
Console Page—Authentication Tab 60-44
Console Page—Authorization Tab 60-45
Console Page—Accounting Tab 60-47
VTY Policy Page 60-50
VTY Line Dialog Box 60-51
VTY Line Dialog Box—Setup Tab 60-52
VTY Line Dialog Box—Authentication Tab 60-55
VTY Line Dialog Box—Authorization Tab 60-56
VTY Line Dialog Box—Accounting Tab 60-57
Command Authorization Dialog Box—Line Access 60-60
Command Accounting Dialog Box—Line Access 60-61
Optional SSH Settings on Cisco IOS Routers 60-63
Defining Optional SSH Settings 60-63
Secure Shell Policy Page 60-64
SNMP on Cisco IOS Routers 60-66
Defining SNMP Agent Properties 60-67
Enabling SNMP Traps 60-68
SNMP Policy Page 60-69
Permission Dialog Box 60-70
Trap Receiver Dialog Box 60-71
SNMP Traps Dialog Box 60-72
DNS on Cisco IOS Routers 60-74
Defining DNS Policies 60-75
DNS Policy Page 60-76
IP Host Dialog Box 60-76
Hostnames and Domain Names on Cisco IOS Routers 60-77
Defining Hostname Policies 60-77
Hostname Policy Page 60-78
Memory Settings on Cisco IOS Routers 60-78
Defining Router Memory Settings 60-78
Memory Policy Page 60-79
Secure Device Provisioning on Cisco IOS Routers 60-81
Contents of Bootstrap Configuration 60-82
Secure Device Provisioning Workflow 60-82
Defining Secure Device Provisioning Policies 60-83
Configuring a AAA Server Group for Administrative Introducers 60-84
Secure Device Provisioning Policy Page 60-85
DHCP on Cisco IOS Routers 60-87
Understanding DHCP Database Agents 60-88
Understanding DHCP Relay Agents 60-88
Understanding DHCP Option 82 60-89
Understanding Secured ARP 60-89
Defining DHCP Policies 60-90
Defining DHCP Address Pools 60-91
DHCP Policy Page 60-92
DHCP Database Dialog Box 60-94
IP Pool Dialog Box 60-94
NTP on Cisco IOS Routers 60-96
Defining NTP Servers 60-97
NTP Policy Page 60-98
NTP Server Dialog Box 60-99
CHAPTER 61 Configuring Identity Policies 61-1
802.1x on Cisco IOS Routers 61-1
Understanding 802.1x Device Roles 61-2
802.1x Interface Authorization States 61-2
Topologies Supported by 802.1x 61-3
Defining 802.1x Policies 61-4
802.1x Policy Page 61-5
Network Admission Control on Cisco IOS Routers 61-8
Router Platforms Supporting NAC 61-8
Understanding NAC Components 61-9
Understanding NAC System Flow 61-9
Defining NAC Setup Parameters 61-10
Defining NAC Interface Parameters 61-11
Defining NAC Identity Parameters 61-13
Network Admission Control Policy Page 61-14
Network Admission Control Page—Setup Tab 61-14
Network Admission Control Page—Interfaces Tab 61-16
NAC Interface Configuration Dialog Box 61-17
Network Admission Control Page—Identities Tab 61-18
NAC Identity Profile Dialog Box 61-19
NAC Identity Action Dialog Box 61-19
CHAPTER 62 Configuring Logging Policies 62-1
Logging on Cisco IOS Routers 62-1
Defining Syslog Logging Setup Parameters 62-1
Defining Syslog Servers 62-3
Understanding Log Message Severity Levels 62-4
NetFlow on Cisco IOS Routers 62-5
Defining NetFlow Parameters 62-6
Syslog Logging Setup Policy Page 62-7
Syslog Servers Policy Page 62-10
Syslog Server Dialog Box 62-11
NetFlow Policy Page 62-12
Adding and Editing NetFlow Interface Settings 62-15
CHAPTER 63 Configuring Quality of Service 63-1
Quality of Service on Cisco IOS Routers 63-1
Quality of Service and CEF 63-2
Understanding Matching Parameters 63-2
Understanding Marking Parameters 63-3
Understanding Queuing Parameters 63-4
Tail Drop vs. WRED 63-4
Low-Latency Queuing 63-5
Default Class Queuing 63-6
Understanding Policing and Shaping Parameters 63-6
Understanding the Token-Bucket Mechanism 63-7
Understanding Control Plane Policing 63-9
Defining QoS Policies 63-10
Defining QoS on Interfaces 63-10
Defining QoS on the Control Plane 63-12
Defining QoS Class Matching Parameters 63-13
Defining QoS Class Marking Parameters 63-15
Defining QoS Class Queuing Parameters 63-16
Defining QoS Class Policing Parameters 63-17
Defining QoS Class Shaping Parameters 63-18
Quality of Service Policy Page 63-19
QoS Policy Dialog Box 63-21
QoS Class Dialog Box 63-23
QoS Class Dialog Box—Matching Tab 63-24
Edit ACLs Dialog Box—QoS Classes 63-25
QoS Class Dialog Box—Marking Tab 63-26
QoS Class Dialog Box—Queuing and Congestion Avoidance Tab 63-27
QoS Class Dialog Box—Policing Tab 63-29
QoS Class Dialog Box—Shaping Tab 63-31
CHAPTER 64 Configuring Routing Policies 64-1
BGP Routing on Cisco IOS Routers 64-1
Defining BGP Routes 64-2
Redistributing Routes into BGP 64-3
BGP Routing Policy Page 64-4
BGP Page—Setup Tab 64-4
Neighbors Dialog Box 64-6
BGP Page—Redistribution Tab 64-6
BGP Redistribution Mapping Dialog Box 64-7
EIGRP Routing on Cisco IOS Routers 64-8
Defining EIGRP Routes 64-9
Defining EIGRP Interface Properties 64-10
Redistributing Routes into EIGRP 64-12
EIGRP Routing Policy Page 64-13
EIGRP Page—Setup Tab 64-13
EIGRP Setup Dialog Box 64-14
EIGRP Page—Interfaces Tab 64-15
EIGRP Interface Dialog Box 64-16
EIGRP Page—Redistribution Tab 64-17
EIGRP Redistribution Mapping Dialog Box 64-18
OSPF Routing on Cisco IOS Routers 64-19
Defining OSPF Process Settings 64-20
Defining OSPF Area Settings 64-21
Redistributing Routes into OSPF 64-22
Defining OSPF Redistribution Mappings 64-22
Defining OSPF Maximum Prefix Values 64-23
Defining OSPF Interface Settings 64-25
Understanding Interface Cost 64-26
Understanding Interface Priority 64-26
Disabling MTU Mismatch Detection 64-27
Blocking LSA Flooding 64-27
Understanding OSPF Timer Settings 64-28
Understanding the OSPF Network Type 64-29
Understanding OSPF Interface Authentication 64-29
OSPF Interface Policy Page 64-30
OSPF Interface Dialog Box 64-31
OSPF Process Policy Page 64-34
OSPF Process Page—Setup Tab 64-35
OSPF Setup Dialog Box 64-35
Edit Interfaces Dialog Box—OSPF Passive Interfaces 64-36
OSPF Process Page—Area Tab 64-36
OSPF Area Dialog Box 64-37
OSPF Process Page—Redistribution Tab 64-38
OSPF Redistribution Mapping Dialog Box 64-39
OSPF Max Prefix Mapping Dialog Box 64-41
RIP Routing on Cisco IOS Routers 64-42
Defining RIP Setup Parameters 64-42
Defining RIP Interface Authentication Settings 64-43
Redistributing Routes into RIP 64-44
RIP Routing Policy Page 64-45
RIP Page—Setup Tab 64-45
RIP Page—Authentication Tab 64-46
RIP Authentication Dialog Box 64-47
RIP Page—Redistribution Tab 64-48
RIP Redistribution Mapping Dialog Box 64-49
Static Routing on Cisco IOS Routers 64-50
Defining Static Routes 64-50
Static Routing Policy Page 64-51
Static Routing Dialog Box 64-52
CHAPTER 65 Managing Cisco Catalyst Switches and Cisco 7600 Series Routers 65-1
Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers 65-1
Viewing Catalyst Summary Information 65-2
Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups 65-3
Interfaces 65-5
Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers 65-5
Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers 65-7
Interfaces/VLANs Page—Interfaces Tab 65-7
Create and Edit Interface Dialog Boxes—Access Port Mode 65-9
Create and Edit Interface Dialog Boxes—Routed Port Mode 65-12
Create and Edit Interface Dialog Boxes—Trunk Port Mode 65-14
Create and Edit Interface Dialog Boxes—Dynamic Mode 65-18
Create and Edit Interface Dialog Boxes—Subinterfaces 65-22
Create and Edit Interface Dialog Boxes—Unsupported Mode 65-24
VLANs 65-25
Creating or Editing VLANs 65-26
Deleting VLANs 65-27
Interfaces/VLANs Page—VLANs Tab 65-27
Create and Edit VLAN Dialog Boxes 65-28
Access Port Selector Dialog Box 65-30
Trunk Port Selector Dialog Box 65-31
VLAN Groups 65-31
Creating or Editing VLAN Groups 65-32
Deleting VLAN Groups 65-33
Interfaces/VLANs Page—VLAN Groups Tab 65-33
Create and Edit VLAN Group Dialog Boxes 65-34
Service Module Slot Selector Dialog Box 65-35
VLAN Selector Dialog Box 65-36
VLAN ACLs (VACLs) 65-36
Creating or Editing VACLs 65-37
Deleting VACLs 65-39
VLAN Access Lists Page 65-39
Create and Edit VLAN ACL Dialog Boxes 65-41
Create and Edit VLAN ACL Content Dialog Boxes 65-42
IDSM Settings 65-44
Creating or Editing EtherChannel VLAN Definitions 65-45
Deleting EtherChannel VLAN Definitions 65-46
Creating or Editing Data Port VLAN Definitions 65-46
Deleting Data Port VLAN Definitions 65-48
IDSM Settings Page 65-48
Create and Edit IDSM EtherChannel VLANs Dialog Boxes 65-49
Create and Edit IDSM Data Port VLANs Dialog Boxes 65-50
CHAPTER 66 Viewing Events 66-1
Introduction to Event Viewer Capabilities 66-1
Historical View 66-2
Real-Time View 66-2
Views and Filters 66-3
Policy Navigation 66-3
Understanding Event Viewer Access Control 66-3
Scope and Limits of Event Viewer 66-4
Deeply Parsed Syslogs 66-6
Overview of Event Viewer 66-7
Event Viewer File Menu 66-8
Event Viewer View Menu 66-9
View List 66-11
Event Monitoring Window 66-12
Event Table Toolbar 66-14
Columns in Event Table 66-16
Time Slider 66-23
Event Details Pane 66-24
Preparing for Event Management 66-24
Ensuring Time Synchronization 66-25
Configuring ASA and FWSM Devices for Event Management 66-25
Configuring IPS Devices for Event Management 66-26
Managing the Event Manager Service 66-27
Starting, Stopping, and Configuring the Event Manager Service 66-27
Monitoring the Event Manager Service 66-28
Selecting Devices to Monitor 66-31
Monitoring Event Data Store Disk Space Usage 66-31
Archiving or Backing Up and Restoring the Event Data Store 66-32
Using Event Viewer 66-33
Using Event Views 66-33
Opening Views 66-34
Floating and Arranging Views 66-34
Customizing the Event Table Appearance 66-35
Switching Between Source/Destination IP Addresses and Host Object Names 66-36
Configuring Color Rules for a View 66-36
Creating Custom Views 66-37
Editing a Custom View Name or Description 66-38
Switching Between Real-Time and Historical Views 66-38
Saving Views 66-38
Deleting Custom Views 66-39
Filtering and Querying Events 66-39
Selecting the Time Range for Events 66-39
Using the Time Slider with Filtering 66-40
Refreshing the Event Table 66-40
Creating Column-Based Filters 66-41
Filtering Based on a Specific Event’s Values 66-43
Filtering on a Text String 66-44
Clearing Filters 66-44
Performing Operations on Specific Events 66-45
Event Context (Right-Click) Menu 66-45
Examining Details of a Single Event 66-47
Copying Event Records 66-48
Saving Events to a File 66-48
Looking Up a Security Manager Policy from Event Viewer 66-48
Examples of Event Analysis 66-50
Help Desk: User Access To a Server Is Blocked By the Firewall 66-50
Monitoring and Mitigating Botnet Activity 66-52
Understanding the Syslog Messages That Indicate Actionable Events 66-53
Monitoring Botnet Using the Security Manager Event Viewer 66-53
Monitoring Botnet Using the Security Manager Report Manager 66-55
Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM) 66-56
Mitigating Botnet Traffic 66-56
Removing False Positive IPS Events from the Event Table 66-58
CHAPTER 67 Managing Reports 67-1
Understanding Report Management 67-1
Understanding the Types of Reports Available in Security Manager 67-2
Preparing Devices for Report Manager Reporting 67-3
Understanding Report Manager Data Aggregation 67-4
Understanding Report Manager Access Control 67-5
Overview of Report Manager 67-6
Report Manager Menus 67-8
Understanding the Report List in Report Manager 67-9
Understanding the Report Settings Pane 67-10
Understanding the Generated Report Pane and Toolbar 67-11
Understanding the Predefined System Reports in Report Manager 67-13
Understanding Firewall Traffic Reports 67-13
Understanding Firewall Summary Botnet Reports 67-14
Understanding VPN Top Reports 67-15
Understanding General VPN Reports 67-16
Understanding IPS Top Reports 67-16
Understanding General IPS Reports 67-17
Working with Reports in Report Manager 67-18
Opening and Generating Reports 67-18
Creating Custom Reports 67-20
Editing Report Settings 67-21
Printing Reports 67-23
Exporting Reports 67-23
Configuring Default Settings for Reports 67-24
Arranging Report Windows 67-25
Saving Reports 67-25
Renaming Reports 67-26
Closing Report Windows 67-26
Deleting Reports 67-27
Managing Custom Reports 67-27
Scheduling Reports 67-27
Viewing Report Schedules 67-28
Configuring Report Schedules 67-28
Viewing Scheduled Report Results 67-30
Enabling and Disabling Report Schedules 67-30
Deleting Report Schedules 67-31
Troubleshooting Report Manager 67-31
CHAPTER 68 Health and Performance Monitoring 68-1
Health and Performance Monitor Overview 68-1
Trend Information 68-2
Monitoring Multiple Contexts 68-3
HPM Access Control 68-3
Preparing for Health and Performance Monitoring 68-4
Launching the Health and Performance Monitor 68-4
Managing Monitored Devices 68-5
HPM Window 68-6
Working with Table Columns 68-8
Showing and Hiding Table Columns 68-8
Column-based Filtering 68-15
Using The List Filter Fields 68-17
Monitoring Devices 68-19
Managing Device Views 68-19
Views: Opening and Closing 68-21
Views: Tiling Horizontally or Vertically 68-21
Views: Floating and Docking 68-22
Views: Custom 68-22
HPM Window: Monitoring Display 68-23
Monitoring Views: Devices or VPNs Summary 68-25
Monitoring Views: Device or VPN Status List 68-25
Monitoring Views: Device or VPN Details 68-26
Monitoring Views: VPN, RA and S2S 68-27
Exporting HPM Data 68-27
Alerts and Notifications 68-28
HPM Window: Alerts Display 68-29
Alerts: Configuring 68-31
Alerts Configuration: IPS 68-32
Alerts Configuration: Firewall 68-33
Alerts Configuration: VPN 68-35
Alerts: Viewing 68-37
Alerts: Acknowledging and Clearing 68-38
Alerts: History 68-39
CHAPTER 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools 69-1
Viewing Inventory Status 69-1
Inventory Status Window 69-2
Starting Device Managers 69-4
Troubleshooting Device Managers 69-5
Access Rule Look-up from Device Managers 69-6
Navigating to an Access Rule from ASDM 69-7
Navigating to an Access Rule from SDM 69-8
Launching Cisco Prime Security Manager 69-9
Detecting ASA CX Modules 69-10
Sharing Device Inventory and Policy Objects with PRSM 69-11
Analyzing an ASA or PIX Configuration Using Packet Tracer 69-12
Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools 69-14
Analyzing Configuration Using Ping 69-15
Analyzing Configuration Using TraceRoute 69-17
Analyzing Configuration Using NS Lookup 69-18
Using the Packet Capture Wizard 69-18
Integrating CS-MARS and Security Manager 69-22
Checklist for Integrating CS-MARS with Security Manager 69-23
Configuring the Security Manager Server to Respond to CS-MARS Policy Queries 69-24
Registering CS-MARS Servers in Security Manager 69-24
Discovering or Changing the CS-MARS Controllers for a Device 69-25
Troubleshooting Tips for CS-MARS Querying 69-26
Looking Up CS-MARS Events for a Security Manager Policy 69-27
Viewing CS-MARS Events for an Access Rule 69-28
Viewing CS-MARS Events for an IPS Signature 69-30
Looking Up a Security Manager Policy from a CS-MARS Event 69-31
System Log Messages Supported for Policy Look-up 69-32
NetFlow Event Reporting in CS-MARS 69-33
CHAPTER 70 Using Image Manager 70-1
Getting Started with Image Manager 70-1
Image Manager Supported Platforms and Versions 70-2
Device Configurations supported by Image Manager 70-2
Image Manager Supported Image Types 70-3
Administrative Settings for Image Manager 70-4
Bootstrapping Devices for Image Manager 70-6
Working with Images 70-8
View All Images 70-8
Download Images to the Repository 70-10
Working with Bundles 70-11
Creating Bundles 70-12
View Images by Bundle 70-13
Renaming Bundles 70-13
Deleting Bundles 70-13
Deleting Images from Bundles 70-14
Working with Devices 70-14
Viewing Device Inventory 70-14
Manage Images on a Device 70-15
View Device Memory 70-17
Configuring the Image Install Location 70-17
About Image Updates on Devices Using Image Manager 70-18
Validating a Proposed Image Update on a Device 70-20
Using the Image Installation Wizard to Install Images on Devices 70-23
Install Bundled Images on Devices 70-27
Install Compatible Images on Devices 70-28
Install Images on Selected Devices 70-29
Working with Jobs 70-30
Viewing Image Installation Job Summary 70-30
Viewing Install Jobs 70-31
Aborting an Image Installation Job 70-32
Retry a Failed Image Install Job 70-32
Roll Back a Deployed Job 70-33
Image Installation Job Approval Workflow 70-33
Troubleshooting Image Management 70-34
INDEX

Preface

Conventions
This document uses the following conventions:
Item: Convention
Commands, keywords, special terminology, and options that should be selected during procedures: boldface font
Variables for which you supply values and new or important terminology: italic font
Displayed session and system information, paths and file names: screen font
Information you enter: boldface screen font
Variables you enter: italic screen font
Menu items and button names: boldface font
Menu items to select, in the order you select them: Option > Network Preferences
Tip Identifies information to help you get the most benefit from your product.
Note Means reader take note. Notes identify important information that you should reflect upon before continuing, contain helpful suggestions, or provide references to materials not contained in the document.
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage, loss of data, or a potential breach in your network security.
Warning Identifies information that you must heed to prevent damaging yourself, the state of software, or equipment. Warnings identify definite security breaches that will result if the information presented is not followed carefully.
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
PART 1

The Basics of Using Security Manager


CHAPTER 1 Getting Started with Security Manager

The following topics describe Cisco Security Manager, how to get started with the application, and how to complete its configuration.
Product Overview, page 1-1
Logging In to and Exiting Security Manager, page 1-9
Using Configuration Manager - Overview, page 1-12
Using the JumpStart to Learn About Security Manager, page 1-22
Completing the Initial Security Manager Configuration, page 1-23
Understanding Basic Security Manager Interface Features, page 1-27
Accessing Online Help, page 1-49

Product Overview

Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, IPS, and VPN (site-to-site, remote access, and SSL) services across:
ASA and PIX security appliances.
IPS appliances and various service modules for routers and ASA devices.
IOS routers.
Catalyst switches.
Catalyst services modules related to firewall, VPN, and IPS.
Note For a complete list of devices and OS versions supported by Security Manager, please refer to Supported Devices and Software Versions for Cisco Security Manager on Cisco.com.
Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
The following topics provide an overview of Security Manager:
Primary Benefits of Cisco Security Manager, page 1-2
Security Manager Policy Feature Sets, page 1-4
Security Manager Applications Overview, page 1-6
Device Monitoring Overview, page 1-6
IPv6 Support in Security Manager, page 1-7
Primary Benefits of Cisco Security Manager
These are the primary benefits of working with Security Manager:
Scalable network management—Centrally administer security policies and device settings for either small networks or large scale networks consisting of thousands of devices. Define policies and settings once and then optionally assign them to individual devices, groups of devices or all the devices in the enterprise.
Provisioning of multiple security technologies across different platforms—Manage VPN, firewall, and IPS technologies on routers, security appliances, Catalyst devices and service modules, and IPS devices.
Chapter 1 Getting Started with Security Manager
Provisioning of platform-specific settings and policies—Manage platform-specific settings on
specific device types. For example: routing, 802.1x, EzSDD, and Network Admission Control on routers, and device access security, DHCP, AAA, and multicast on firewall devices.
VPN wizards—Quickly and easily configure point-to-point, hub-and-spoke, full-mesh, and
Extranet site-to-site VPNs across different VPN device types. Quickly and easily configure remote access IPsec and SSL VPNs on ASA, IOS, and PIX devices.
Multiple management views—Device, policy, and map views enable you to manage your security
in the environment that best suits your needs.
Reusable policy objects—Create reusable objects to represent network addresses, device settings,
VPN parameters, and so on, then use them instead of manually entering values.
Device grouping capabilities—Create device groups to represent your organizational structure.
Manage all devices in the groups concurrently.
Policy inheritance—Centrally specify which policies are mandatory and enforced lower in the
organization.
Role-based administration—Enable appropriate access controls for different operators.
Workflow—Optionally allow division of responsibility and workload between network operators
and security operators and provide a change management approval and tracking mechanism.
Ticket Management—Associate a ticket ID with policy changes, easily add and update comments
pertaining to those changes, and quickly navigate to an external change management system from Security Manager.
Single, consistent user interface for managing common firewall features—Single rule table for
all platforms (router, PIX, ASA, and FWSM).
Image management—Complete image management for ASA devices. Facilitates at every stage of
image upgrade of devices by: downloading and maintaining image repository, evaluating images, analyzing impact of upgrades, preparing and planning reliable and stable device upgrades, and ensuring sufficient fallback and recovery mechanisms.
Intelligent analysis of firewall policies—The conflict detection feature analyzes and reports rules that overlap or conflict with other rules. The ACL hit count feature checks in real-time whether specific rules are being hit or triggered by packets.
Sophisticated rule table editing—In-line editing, ability to cut, copy, and paste rules and to change their order in the rule table.
Discover firewall policies from device—Policies that exist on the device can be imported into Security Manager for future management.
Flexible deployment options—Support for deployment of configurations directly to a device or to a configuration file. You can also use Auto-Update Server (AUS), Configuration Engine, or Token Management Server (TMS) for deployment.
Rollback—Ability to roll back to a previous configuration if necessary.
FlexConfig (template manager)—Intelligent CLI configlet editor to manage features available on a device but not natively supported by Security Manager.
Integrated device monitoring and reporting—Features for monitoring events on IPS, ASA, and FWSM devices and correlating them to the related configuration policies, and for creating security and usage reports. These features include the following stand-alone Security Manager applications:
Event Viewer—Event Viewer monitors your network for system log (syslog) events from ASA and FWSM devices, as well as security contexts and SDEE events from IPS devices and virtual sensors. Event Viewer collects these events and provides an interface by which you can view them, group them, and examine their details in near real time.
Report Manager—Report Manager lets you collect, display and export a wide variety of network usage and security information for ASA and IPS devices, and for ASA-hosted remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is available for hourly, daily, and monthly periods. (Report Manager aggregates information collected from devices monitored by the Event Manager service. Thus, to view reports about a device, you must be monitoring that device in Event Viewer.)
Note Report Manager does not report FWSM events even though Event Viewer works with FWSM.
Health and Performance Monitor—Health and Performance Monitor (HPM) periodically polls monitored ASA devices, IPS devices, and ASA-hosted VPN services for key health and performance data, including critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. This information is used for alert generation and email notification, and to display trends based on aggregated data, which is available for hourly, daily, and weekly periods.
Note Health and Performance Monitor does not monitor FWSM devices.
Additional features let you monitor devices from Security Manager using other closely related applications, including Cisco Security Monitoring, Analysis and Response System (CS-MARS), Cisco Performance Monitor, and device managers such as ASDM (read-only versions of which are included with Security Manager).
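The kind of check that the "Intelligent analysis of firewall policies" feature above performs (finding rules that overlap or conflict with other rules) is easiest to understand on a small first-match rule table. The following is an added example written for this page, not Security Manager's own implementation: the five-field rule model, the finding names (shadowed, redundant, partial-conflict) and the sample rule table are all constructed for illustration. Under first-match semantics a later rule is unreachable when an earlier rule matches every packet it would match, and it is partially overridden when an earlier rule with the opposite action matches some of its traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import List, Tuple, Union

Net = Union[IPv4Network, IPv6Network]
PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One access-control entry in a first-match rule table (hypothetical model)."""
    name: str
    action: str        # "permit" or "deny"
    proto: str         # "ip" (any protocol), "tcp", "udp", "icmp"
    src: Net
    dst: Net
    ports: PortRange   # destination port range; ANY_PORT when ports do not apply


def rule(name: str, action: str, proto: str, src: str, dst: str,
         ports: PortRange = ANY_PORT) -> Rule:
    return Rule(name, action, proto, ip_network(src), ip_network(dst), ports)


def _net_covers(outer: Net, inner: Net) -> bool:
    # subnet_of() raises on mixed address families, so compare versions first
    return outer.version == inner.version and inner.subnet_of(outer)


def _net_overlaps(a: Net, b: Net) -> bool:
    return a.version == b.version and a.overlaps(b)


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet the later rule would match is already matched by the earlier one."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and _net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and earlier.ports[0] <= later.ports[0]
            and later.ports[1] <= earlier.ports[1])


def overlaps(a: Rule, b: Rule) -> bool:
    """True when at least one packet is matched by both rules."""
    return ((a.proto == b.proto or "ip" in (a.proto, b.proto))
            and _net_overlaps(a.src, b.src)
            and _net_overlaps(a.dst, b.dst)
            and a.ports[0] <= b.ports[1]
            and b.ports[0] <= a.ports[1])


def analyze(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (finding, earlier_rule, later_rule) triples for a first-match rule table.

    shadowed:          an earlier rule with the opposite action matches everything the
                       later rule would match, so the later rule can never be hit
    redundant:         as above but with the same action (a dead rule, no policy change)
    partial-conflict:  the rules overlap with opposite actions, so part of the traffic the
                       later rule names is decided by the earlier rule instead
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((kind, earlier.name, later.name))
                break  # the later rule is unreachable; nothing further can change that
            if earlier.action != later.action and overlaps(earlier, later):
                findings.append(("partial-conflict", earlier.name, later.name))
    return findings


# Constructed sample rule table (RFC 1918 sources, RFC 5737 documentation destinations).
SAMPLE_RULES = [
    rule("R1", "permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", (443, 443)),
    rule("R2", "deny",   "tcp", "10.1.5.0/24", "192.0.2.10/32", (443, 443)),  # never hit
    rule("R3", "permit", "ip",  "10.2.0.0/16", "198.51.100.0/24"),
    rule("R4", "permit", "tcp", "10.2.3.0/24", "198.51.100.0/24", (22, 22)),  # dead rule
    rule("R5", "deny",   "udp", "10.0.0.0/8",  "203.0.113.0/24", (53, 53)),
    rule("R6", "permit", "udp", "10.3.0.0/16", "203.0.113.0/24"),             # DNS still denied
]

if __name__ == "__main__":
    for kind, earlier, later in analyze(SAMPLE_RULES):
        print(f"{later} is {kind} by {earlier}")
```

A shadowed rule is the finding worth acting on first: the operator believes R2 denies something, but R1 permits it before R2 is ever consulted, which is exactly the situation a hit-count check would show as a rule with zero hits.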
Security Manager Policy Feature Sets
Security Manager provides the following primary feature sets for configuration policies:
Firewall Services
Configuration and management of firewall policies across multiple platforms, including IOS routers, ASA/PIX devices, and Catalyst Firewall Service Modules (FWSMs). Features include:
Access control rules—Permit or deny traffic on interfaces through the use of access control lists for both IPv4 and IPv6 traffic.
Botnet Traffic Filter rules—(ASA only.) Filter traffic based on known malware sites and optionally drop traffic based on threat level.
Inspection rules—Filter TCP and UDP packets based on application-layer protocol session information.
AAA/Authentication Proxy rules—Filter traffic based on authentication and authorization for users who log into the network or access the Internet through HTTP, HTTPS, FTP, or Telnet sessions.
Web filtering rules—Use URL filtering software, such as Websense, to deny access to specific web sites.
ScanSafe Web Security—(Routers only.) Redirect HTTP/HTTPS traffic to the ScanSafe web security center for content scanning and malware protection services.
Transparent firewall rules—Filter layer-2 traffic on transparent or bridged interfaces.
Zone-based firewall rules—Configure access, inspection, and web filtering rules based on zones rather than on individual interfaces.
For more information, see Chapter 12, “Introduction to Firewall Services”.
Site-to-Site VPN
Setup and configuration of IPsec site-to-site VPNs. Multiple device types can participate in a single VPN, including IOS routers, PIX/ASA devices, and Catalyst VPN Service Modules. Supported VPN topologies are:
Point to point
Hub and spoke
Full mesh
Extranet (a point-to-point connection to an unmanaged device)
Supported IPsec technologies are:
Regular IPsec
GRE
GRE Dynamic IP
DMVPN
Easy VPN
GET VPN
For more information, see Chapter 24, “Managing Site-to-Site VPNs: The Basics”.
Remote Access VPN
Setup and configuration of IPsec and SSL VPNs between servers and mobile remote workstations running Cisco VPN client or AnyConnect client software. For more information, see Chapter 29, “Managing Remote Access VPNs: The Basics”.
Intrusion Prevention System (IPS) Management
Management and configuration of Cisco IPS sensors (appliances and service modules) and IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers).
For more information, see Overview of IPS Configuration, page 35-5 and Overview of Cisco IOS IPS Configuration, page 44-3.
Features Specific to Firewall Devices (PIX/ASA/FWSM)
Configuration of advanced platform-specific features and settings on PIX/ASA devices and Catalyst FWSMs. These features provide added value when managing security profiles and include:
Interface configuration
Identity-aware firewall settings
Device administration settings
Security
Routing
Multicast
Logging
NAT
Bridging
Failover
Security contexts
For more information, see Chapter 45, “Managing Firewall Devices”.
Features Specific to IOS Routers
Configuration of advanced platform-specific features and settings on IOS routers. These features provide added value when managing security profiles and include:
Interface configuration
Routing
NAT
802.1x
NAC
QoS
Dialer interfaces
Secure device provisioning
For more information, see Chapter 58, “Managing Routers”.
Features Specific to Catalyst 6500/7600 Devices and Catalyst Switches
Configuration of VLAN, network connectivity, and service module features and settings on Catalyst 6500/7600 devices and on other Catalyst switches.
For more information, see Chapter 65, “Managing Cisco Catalyst Switches and Cisco 7600 Series Routers”.
FlexConfigs
Flexconfig policies and policy objects enable you to provision features that are available on the device but not natively supported by Security Manager. They enable you to manually specify a set of CLI commands and to deploy them to devices using Security Manager’s provisioning mechanisms. These commands can be either prepended or appended to the commands generated by Security Manager to provision security policies.
For more information, see Chapter 7, “Managing FlexConfigs”.
Security Manager Applications Overview
The Security Manager client includes five main applications:
Configuration Manager—This is the primary application. You use Configuration Manager to manage the device inventory, create and edit local and shared policies, manage VPN configurations, and deploy policies to devices. Configuration Manager is the largest of the applications and most of the documentation addresses this application. If a procedure does not specifically mention an application, the procedure is using Configuration Manager. For an introduction to Configuration Manager, see Using Configuration Manager - Overview, page 1-12.
Event Viewer—This is an event monitoring application, where you can view and analyze events generated from IPS, ASA, and FWSM devices that you have configured to send events to Security Manager. For information about using Event Viewer, see Chapter 66, “Viewing Events”.
Report Manager—This is a reporting application, where you can view and create reports of aggregated information on device and VPN statistics. Much of the information is derived from events available through Event Viewer, but some of the VPN statistics are obtained by communicating directly with the device. For information about using Report Manager, see Chapter 67, “Managing Reports”.
Health & Performance Monitor—The HPM application lets you monitor key health and performance data for ASA (including ASA-SM) devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information. This ability to monitor key network and device metrics lets you quickly detect and resolve device malfunctions and bottlenecks in the network. See Chapter 68, “Health and Performance Monitor Overview” for more information about this application.
Image Manager—The Image Manager application provides complete image management of ASA devices. It facilitates downloading, evaluating, analyzing, preparing, and planning image updates. It assesses image availability, compatibility, and impact on devices and provides scheduling, grouping, and change management of device updates. In addition, Image Manager includes capabilities for maintaining an image repository as well as for ensuring stable fallback and recovery mechanisms for image updates on ASA devices. For information about using Image Manager, see Chapter 70, “Using Image Manager”.
You can open any of these applications directly from the Windows Start menu or a desktop icon, or you can open them from within any of these applications through the application’s Launch menu. For information on opening applications, see Logging In to and Exiting the Security Manager Client, page 1-11.
Device Monitoring Overview
Security Manager includes several facilities for monitoring devices:
Event Viewer—This integrated tool allows you to view events on ASA, FWSM, and IPS devices and correlate them to the related configuration policies. This helps you identify problems, troubleshoot configurations, and then fix the configurations and redeploy them. For more information, see Chapter 66, “Viewing Events”.
Report Manager—This is a reporting application, where you can view and create reports of aggregated information on device and VPN statistics. Much of the information is derived from events available through Event Viewer, but some of the VPN statistics are obtained by communicating directly with the device. For information about using Report Manager, see Chapter 67, “Managing Reports”.
For information on all of the types of reports available in Security Manager, see Understanding the Types of Reports Available in Security Manager, page 67-2.
Health & Performance Monitor—The HPM application lets you monitor key health and performance data for ASA (including ASA-SM) devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information. See Chapter 68, “Health and Performance Monitoring” for more information about this application.
Packet Tracer—You can use this tool to test whether certain types of packets will be allowed to go through an ASA device. For more information, see Analyzing an ASA or PIX Configuration Using Packet Tracer, page 69-12.
Ping, Trace route, and NS Lookup—You can use ping and traceroute on a managed device to check whether there is a route between the device and a specific destination. You can use NS lookup to resolve addresses to DNS names. For more information, see Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools, page 69-14.
Cisco Prime Security Manager (PRSM) Integration—You can “cross launch” PRSM from the Configuration Manager application. The PRSM application is used to configure and manage ASA CX devices. For more information, see Launching Cisco Prime Security Manager, page 69-9.
Device Manager Integration—Security Manager includes read-only copies of the various device managers, such as Adaptive Security Device Manager (ASDM). You can use these tools to view device status, but not to change the device configuration. For more information, see Starting Device Managers, page 69-4.
Cisco Security Monitoring, Analysis and Response System (CS-MARS) Integration—If you use the CS-MARS application, you can integrate it with Security Manager and view events in CS-MARS from Security Manager, and conversely, Security Manager policies related to events from CS-MARS. For more information, see Integrating CS-MARS and Security Manager, page 69-22.
IPv6 Support in Security Manager
Security Manager provides increasing support for IPv6 configuration, monitoring, and reporting.
Note To manage a device that supports IPv6 addressing with Security Manager, you must configure the device’s management address as an IPv4 address. All communications between the device and Security Manager, such as policy discovery and deployment, use IPv4 transport. Also, if the IPv6 policies are not appearing for a supported device, rediscover the device policies; if necessary, delete the device from the inventory and add it again.
In general, you can configure IPv6 policies on the following types of device. In addition, you can monitor IPv6 alerts generated by IPS, ASA, and FWSM devices. For other types of devices, use FlexConfig policies to configure IPv6 settings. For more specific information on IPv6 device support, see the Supported Devices and Software Versions for Cisco Security Manager document on Cisco.com.
ASA—Release 7.0+ when running in router mode; release 8.2+ when running in transparent mode. Both single and multiple security context devices are supported.
FWSM—Release 3.1+ when running in router mode. Not supported in transparent mode. Both single and multiple security context devices are supported.
IPS—Release 6.1+.
Following is a summary of the Security Manager features that support IPv6 addressing:
Policy Objects—The following policy objects support IPv6 addresses:
Networks/Hosts. See Understanding Networks/Hosts Objects, page 6-74.
Services. This object includes predefined services for ICMP6 and DHCPv6, which you can use only with IPv6 policies. The other services apply to both IPv4 and IPv6. For more information on service objects, see Understanding and Specifying Services and Service and Port List Objects, page 6-86.
Firewall Services Policies—The following Firewall Services policies and tools support IPv6 configurations:
AAA Rules. See Chapter 15, “Managing Firewall AAA Rules”.
Access Rules. See Configuring Access Rules, page 16-7.
Inspection Rules. See Chapter 17, “Managing Firewall Inspection Rules”.
Settings > Access Control. See Configuring Settings for Access Control, page 16-20.
Tools:
Hit Count. See Viewing Hit Count Details, page 16-33.
Find and Replace. See Finding and Replacing Items in Rules Tables, page 12-16.
ASA and FWSM Policies—The following ASA and FWSM policies support IPv6 configurations:
(ASA 7.0+ routed mode; ASA 8.2+ transparent mode; FWSM 3.1+ routed mode.) Interfaces: IPv6 tab of the Add Interface and Edit Interface dialog boxes. See Configuring IPv6 Interfaces (ASA/FWSM), page 45-29.
(ASA only.) Platform > Bridging > IPv6 Neighbor Cache. See Managing the IPv6 Neighbor Cache, page 46-6.
(ASA 5505 8.2/8.3 only.) Platform > Bridging > Management IPv6. See Management IPv6 Page (ASA 5505), page 46-10.
(ASA 8.4.2+ only.) Platform > Device Admin > Server Access > DNS. See DNS Page, page 51-13.
FlexConfig Policies—There are two Firewall system variables that you can use to identify IPv6 ACLs on a device. For more information, see FlexConfig System Variables, page 7-7.
There is also a predefined FlexConfig policy object that uses these variables, ASA_add_IPv6_ACEs.
Event Viewer—Events that include IPv6 addresses are supported, and the addresses are displayed in the same columns as IPv4 addresses: Source, Destination, and IPLog Address (for IPS alerts). However, you must configure the device to use IPv4 for sending events to the Security Manager server. All event communications use IPv4 transport. For more information on Event Viewer, see Chapter 66, “Viewing Events”.
Report Manager—Reports include statistics for IPv6 events collected by Event Management. For more information on Report Manager, see Chapter 67, “Managing Reports”.
Policy Object Changes in Security Manager 4.4
Certain changes were made to a few policies and policy objects in Security Manager 4.4, in order to unify previously separate IPv4 and IPv6 elements. The most important of these changes are to the Networks/Hosts object (which itself represents a unification of the Networks/Hosts and the Networks/Hosts-IPv6 objects):
The new Networks/Hosts object “All-IPv4-Addresses” replaces the IPv4 “any” network policy object. If you upgrade to Security Manager 4.4 from a previous version, all references to the IPv4 “any” network policy object will be changed to “All-IPv4-Addresses.”
The new Networks/Hosts object “All-IPv6-Addresses” replaces the IPv6 “any” network policy object. If you upgrade to Security Manager 4.4 from a previous version, all references to the IPv6 “any” network policy object will be changed to “All-IPv6-Addresses.”
The new Networks/Hosts object “All-Addresses” does not have a corresponding policy object in earlier versions of Security Manager. It is a new global “any” policy object, and it encompasses all IPv4 and IPv6 address ranges.
Other related changes include unification of IPv4 and IPv6 versions of device-specific policies such as Access Rules, Inspection Rules, and so on.
Further, when editing policies and objects, IPv4, IPv6, or mixed-mode (both IPv4 and IPv6) entries are automatically filtered in elements, such as dialog boxes, in which one or more of those entries is not appropriate to that element.
Related Topics
Policy Object Manager, page 6-4
Understanding Networks/Hosts Objects, page 6-74
Logging In to and Exiting Security Manager
Security Manager has two main interfaces:
Cisco Security Management Suite home page—Use this interface to install the Security Manager client and to manage the server. You can also access other CiscoWorks applications you installed, such as Resource Manager Essentials (RME).
Security Manager clients—Use these interfaces to perform most Security Manager tasks. You can log directly into any of five client applications: Configuration Manager, Event Viewer, Report Manager, Health & Performance Monitor, and Image Manager.
These topics describe how to log in to and exit these interfaces:
Understanding User Permissions, page 1-10
Logging In to the Cisco Security Management Suite Server, page 1-10
Logging In to and Exiting the Security Manager Client, page 1-11
Understanding User Permissions
Cisco Security Manager authenticates your username and password before you can log in. After you are authenticated, Security Manager establishes your role within the application. This role defines your permissions (also called privileges), which are the set of tasks or operations that you are authorized to perform. If you are not authorized for certain tasks or devices, the related menu items, items in tables of contents, and buttons are hidden or disabled. In addition, a message tells you that you do not have permission to view the selected information or perform the selected operation.
Authentication and authorization for Security Manager is managed either by the CiscoWorks server or the Cisco Secure Access Control Server (ACS). By default, CiscoWorks manages authentication and authorization, but you can configure Security Manager to use your Cisco Secure ACS setup.
When using ACS, if all of the ACS servers become unavailable, you cannot perform tasks in Security Manager. If you are logged in, you might be abruptly logged out of the system (without an opportunity to save changes) if you try to perform a task that requires ACS authorization. If this happens, you get a message stating this is the reason you are getting logged off.
For more information about user permissions and AAA configuration, see the Installation Guide for Cisco Security Manager.
For more information about authorization control in the Event Viewer and Report Manager applications, see the following topics:
Understanding Event Viewer Access Control, page 66-3
Understanding Report Manager Access Control, page 67-5
Logging In to the Cisco Security Management Suite Server
Use the Cisco Security Management Suite home page, and CiscoWorks Common Services, to install the Security Manager client and to manage the server. You can also access other CiscoWorks applications you installed, such as RME.
Step 1 In your web browser, open one of these URLs, where SecManServer is the name of the computer where Security Manager is installed. Click Yes on any Security Alert windows.
If you are not using SSL, open http://SecManServer:1741
If you are using SSL, open https://SecManServer:443
The Cisco Security Management Suite login screen is displayed. Verify on the page that JavaScript and cookies are enabled and that you are running a supported version of the web browser. For information on configuring the browser to run Security Manager, see Installation Guide for Cisco Security Manager.
Step 2 Log in to the Cisco Security Management Suite server with your username and password. When you initially install the server, you can log in using the username admin and the password defined during product installation.
Step 3 On the Cisco Security Management Suite home page, you can access at least the following features. Other features might be available depending on how you installed the product.
Cisco Security Manager Client Installer—Click this item to install the Security Manager client. The client is the main interface for using the product.
Server Administration—Click this item to open the CiscoWorks Common Services Server page. CiscoWorks Common Services is the foundation software that manages the server. Use it to configure and manage back-end server features such as server maintenance and troubleshooting, local user definition, and so on.
CiscoWorks link (in the upper right of the page)—Click this link to open the CiscoWorks Common Services home page.
Step 4 To exit the application, click Logout in the upper right corner of the screen. If you have both the home page and the Security Manager client open at the same time, exiting the browser connection does not exit the Security Manager client.
Logging In to and Exiting the Security Manager Client
Use the Security Manager client to perform most Security Manager tasks.
Tip You must log into the workstation using a Windows user account that has Administrator privileges to fully use the Security Manager client applications. If you try to operate the applications with lesser privileges, you might find that some features do not work correctly.
Before You Begin
Install the client on your computer. To install the client, log into the Security Manager server as described in Logging In to the Cisco Security Management Suite Server, page 1-10, and then click Cisco Security Manager Client Installer and follow the instructions in the installation wizard.
Step 1 Select one of the following applications from the Start > All Programs > Cisco Security Manager Client menu:
Configuration Manager
Event Viewer
Report Manager
Health & Performance Monitor
Image Manager
Tip If the client was installed on the workstation, but it does not appear in your Start menu, it probably was installed by another user. To make Security Manager Client visible in the Start menu for every user of the client station, copy the Cisco Security Manager Client folder from Documents and Settings\<user>\Start Menu\Programs\Cisco Security Manager to Documents and Settings\All Users\Start Menu\Programs\Cisco Security Manager.
Step 2 In the application’s login window, select the server to which you want to log in, and enter your Security Manager username and password. Click Login.
The client logs in to the server and opens the application you selected based on the following conditions. Note that these conditions are per application, for example, if you have Configuration Manager open on one workstation, opening Event Viewer from a different workstation has no implications for your Configuration Manager session unless or until you start Configuration Manager from Event Viewer.
In both Workflow and non-Workflow mode, you cannot log into the same server from a single workstation and have more than one active session using the same user account. You are reminded that you are already logged in and asked to reuse the existing open application.
In both workflow modes, you can log into different servers using the same (or different) user name from the same workstation.
In non-Workflow mode, for a given server, if the user name is logged in on a different workstation, the client on the other workstation is automatically logged out, and any unsaved changes are lost. Thus, do not share user accounts, and if you must log in from different workstations to the same server, be sure to save your changes before leaving an active client.
In Workflow mode, you can log in using the same user account multiple times but only from different workstations. However, you cannot open the same activity in Configuration Manager at the same time in more than one client; you must open different activities. Activities do not apply when using Event Viewer or Report Manager.
Tip The client automatically closes if it is idle for 120 minutes. To change the idle timeout, in Configuration Manager, select Tools > Security Manager Administration, select Customize Desktop from the table of contents, and enter the desired timeout period. You can also disable the feature so that the client does not close automatically. All applications use the same timeout setting, and working in one application resets the timer for all other applications.
Step 3 To exit the application, select File > Exit.
Using Configuration Manager - Overview
These topics provide an overview of the different views in which you can work in Configuration Manager, the basic task flow for defining and deploying policies to devices, and some basic concepts:
Configuration Manager Overview, page 1-12
Task Flow for Configuring Security Policies, page 1-17
Policy and Policy Object Overview, page 1-18
Workflow and Activities Overview, page 1-18
Configuration Manager Overview
The Configuration Manager application provides three views in which you can manage devices and policies: Device view, Policy view, and Map view. You can switch between these views according to your needs using toolbar buttons or the View menu.
Device view—Provides a device-centric view, where you configure policies on specific devices. For more information, see Device View Overview, page 1-13.
Policy view—Provides a policy-centric view, where you can create device-independent shared policies that you can assign to one or more devices. For more information, see Policy View Overview, page 1-14.
Map view—Provides a visual representation of your network, which is primarily useful for visualizing and configuring site-to-site VPNs. For more information, see Map View Overview, page 1-16.
Each view presents a different way to access Configuration Manager functionality. What you can do, and how you do it, are determined by the view you select. In the Device and Policy views you see two selectors on the left and a work area on the right. In each of these, your selection in the upper selector determines what you can select in the lower selector. Your selection in the lower selector determines what you view in the work area. This design enables you to quickly and easily drill down to the network details that you want to view or edit.
Besides the main views, there are several additional tools used for configuring other items such as site-to-site VPNs and policy objects, or for monitoring devices. These tools are typically available from the Manage menu, although some are available on the Policy, Activities, Tools, or Launch menus. Some tools have related buttons in the toolbar. These tools open in a separate window so that you do not lose your place in the main view that you are currently using.
The following topics provide reference information about the basic features of the user interface:
Menu Bar Reference for Configuration Manager, page 1-27
Toolbar Reference (Configuration Manager), page 1-36
Using Selectors, page 1-42
Using Wizards, page 1-44
Using Rules Tables, page 12-7
Using Text Fields, page 1-46
Accessing Online Help, page 1-49
Device View Overview
Device view in Configuration Manager enables you to add devices to the Security Manager inventory and to centrally manage device policies, properties, interfaces, and so on. The following figure identifies the functional areas of the Device view.
This is a device-centric view in which you can see all devices that you are managing and you can select specific devices to view their properties and define their settings and policies.
Note Security Manager also provides the ability to see the status of the devices in the Security Manager inventory. To access the Device Status View, select View > Device Status View or select one of the folder nodes in the Device selector. For more information, see Working with Device Status View, page 3-61.
In Device View, you can define security policies locally on specific devices. You can then share these policies to make them globally available to be assigned to other devices.
For more information, see Understanding the Device View, page 3-1.
Figure 1-1 Device View Overview (callouts: Title bar; Menu bar, see Menu Bar Reference for Configuration Manager, page 1-27; Toolbar, see Toolbar Reference (Configuration Manager), page 1-36; Device selector, see Using Selectors, page 1-42; Policy selector; Work area)
The title bar displays the following information about Security Manager:
Your login name.
The name of the Security Manager server to which you are connected.
If Workflow mode is enabled, the name of the open activity.
Policy View Overview
Policy view in Configuration Manager enables you to create and manage reusable policies that can be shared among multiple devices. The following figure identifies the functional areas of the Policy view.
This is a policy-centric view in which you can see all the shareable policy types supported by Security Manager. You can select a specific policy type and create, view, or modify shared policies of that type. You can also see the devices to which each shared policy is assigned and change the assignments as required.
For more information, see Managing Shared Policies in Policy View, page 5-47.
Figure 1-2 Policy View Overview (callouts: Title bar; Menu bar, see Menu Bar Reference for Configuration Manager, page 1-27; Toolbar, see Toolbar Reference (Configuration Manager), page 1-36; Policy type selector, see Using Selectors, page 1-42; Policy filter; Shared policy selector; Work area)
Map View Overview
Map view in Configuration Manager enables you to create customized, visual topology maps of your network, within which you can view connections between your devices and easily configure VPNs and access control settings. The following figure identifies the functional areas of the Map view.
For more information, see Chapter 34, “Using Map View”.
Figure 1-3 Map View Overview (callouts: Title bar; Menu bar, see Map Menu (Configuration Manager), page 1-31; Toolbar, see Toolbar Reference (Configuration Manager), page 1-36; Map toolbar, see Map Toolbar, page 34-4; Navigation window; Map)
Task Flow for Configuring Security Policies
The basic user task flow for configuring security policies on devices involves adding devices to the Security Manager inventory, defining the policies, and then deploying them to the devices. You perform these tasks in Configuration Manager. The following briefly describes the steps in a typical user task flow:
Step 1 Prepare devices for management.
Before you can add a device to the Security Manager device inventory and manage it, you must configure some minimal settings on the device to enable Security Manager to contact it. For more information, see Chapter 2, “Preparing Devices for Management”.
Step 2 Add devices to the Security Manager device inventory.
To manage a device with Security Manager, you must first add it to the Security Manager inventory. Security Manager provides multiple methods to add devices: from the network (live devices), from an inventory file exported from another Security Manager server or CiscoWorks Common Services Device Credential Repository (DCR), or in Cisco Security Monitoring, Analysis and Response System (CS-MARS) format, or from a device configuration file. You can also add a device that does not yet exist in the network but which will be deployed in the future, by creating it in Security Manager.
When you add a device, you can also discover its interfaces and certain policies that were already configured on the device. Discovery brings the information into the Security Manager database for continued management with Security Manager in the future.
For more information, see Chapter 3, “Managing the Device Inventory”.
Step 3 Define security policies.
After you have added your devices, you can define the security policies you require. You can use Device view to define policies on specific devices. You can use Policy view to create and manage reusable policies that can be shared by any number of devices. When you make a change to a shared policy, the change is applied to all devices to which that policy is assigned.
To simplify and speed up policy definition, you can use policy objects, which are named, reusable representations of specific values. You can define an object once and then reference it in multiple policies instead of having to define the values individually in each policy.
Note If you are using Workflow mode, you must create an activity before you start defining policies. For more information, see Workflow and Activities Overview, page 1-18.
For more information, see these topics:
Chapter 5, “Managing Policies”
Chapter 6, “Managing Policy Objects”
Step 4 Submit and deploy your policy definitions.
Policy definition is done within your private view. Your definitions are not committed to the database and cannot be seen by other Security Manager users until you submit them. When you submit your policy definitions, the system validates their integrity. Errors or warnings are displayed to inform you of any problems that need to be addressed before the policies can be deployed to the devices.
Security Manager generates CLI commands according to your policy definitions and enables you to quickly and easily deploy them to your devices. You can deploy directly to live devices in the network (including dynamically addressed devices) through a secure connection, or to files that can be transferred to your devices at any time.
In non-Workflow mode, submitting and deploying your changes can be done in a single action. In Workflow mode, you first submit your activity and then you create a deployment job to deploy your changes.
For more information, see Chapter 8, “Managing Deployment”.
Policy and Policy Object Overview
A policy is a set of rules or parameters that define a particular aspect of network configuration. In Configuration Manager, you define policies that specify the security functionality you want on your devices. Security Manager translates your policies into CLI commands that can be deployed to the relevant devices.
Security Manager enables you to configure local policies and shared policies.
Local policies are confined to the device on which they are configured; they are automatically assigned (applied) to the device when you configure them. Unconfigured policies (those whose default settings you do not change) are not considered to be assigned or configured. To remove a policy, you unassign it.
Shared policies are named, reusable policies that can be assigned to multiple devices at once. Any changes you make to a shared policy are reflected on all devices to which that policy is assigned, so you do not have to make the change on each device.
When you add a device to the inventory, you can discover the existing policies configured on the device. Security Manager translates your device configuration into Security Manager policies, populates the relevant local policies, and assigns them to the device. Policy discovery ensures that you do not need to recreate your existing configurations in Security Manager terms. You can also rediscover policies on devices after you add them to the inventory if you change their configuration through the CLI.
When you create policies, you often have the option to use policy objects, which are reusable definitions of related sets of values. (Sometimes, you are required to use policy objects.) For example, you can define a network object called MyNetwork that contains a set of IP addresses in your network. Whenever you configure a policy requiring these addresses, you can simply refer to the MyNetwork network object rather than manually entering the addresses each time. Furthermore, you can make changes to policy objects in a central location and these changes will be reflected in all the policies that reference those objects.
For more detailed information, see Understanding Policies, page 5-1 and Chapter 6, “Managing Policy Objects”.
Workflow and Activities Overview
To provide flexible, secure policy management while allowing your organization to implement change control processes, Security Manager provides three closely-related features in Configuration Manager:
Workflow/Non-Workflow modes—Configuration Manager provides two modes of operation that scale to different organizational working environments: Workflow mode and non-Workflow mode (the default).
Workflow Mode—Workflow mode is for organizations that have division of responsibility between users who define security policies and those who administer security policies. It imposes a formal change-tracking and management system by requiring all policy configuration to be done within the context of an explicitly-created activity. A user can create multiple activities so that a single activity contains only logically-related policy changes. You can configure Workflow mode to require a separate approver, so that configuration changes cannot be made without oversight. After approval, the user defines a separate deployment job to push the policy changes to the devices. For more information, see Working in Workflow Mode, page 1-19.
Non-Workflow Mode—In non-Workflow mode, you do not explicitly create activities. When you log in, Configuration Manager creates an activity for you or opens the one you were previously using if it was not submitted. You can define and save your policies, and then submit and deploy them in one step. For more information, see Working in Non-Workflow Mode, page 1-20.
For information on selecting a mode, see Changing Workflow Modes, page 1-26.
Activities or Configuration Sessions—An activity (in non-Workflow mode, a configuration session) is essentially a private view of the Security Manager database. In Configuration Manager, you use activities to control changes made to policies and policy assignments. Adding devices to the inventory does not involve an activity, however, unless you discover policies that define security contexts (on multi-context firewall devices) or virtual sensors (on IPS devices). Isolating policy changes in activities helps prevent “work in progress” from accidentally making it into active device configurations. For more information about activities and configuration sessions, see Understanding Activities, page 4-1 and Working with Activities/Tickets, page 4-7.
Ticket Management—Ticket management allows you to associate a Ticket ID with policy configuration changes made in Security Manager. Ticket management works in coordination with activities or configuration sessions depending on whether you have workflow mode enabled or not. If workflow mode is enabled, you can also enable ticket management so that a Ticket ID can optionally be associated with a specific activity. If workflow mode is not enabled, using ticket management makes it so that all changes must be done as part of a ticket and the ticket must be submitted before those changes can be deployed. In this respect, ticket management with workflow disabled is very similar to how activities function when workflow is enabled; however, no approval of submitted tickets is required.
For a comparison of the various modes of operation, see Comparing Workflow Modes, page 1-20.
Working in Workflow Mode
Workflow mode is an advanced mode of operation that imposes a formal change-tracking and change-management system. Workflow mode is suitable for organizations in which there is division of responsibility among security and network operators for defining policies and deploying those policies to devices. For example, a security operator might be responsible for defining security policies on devices, another security operator might be responsible for approving the policy definitions, and a network operator might be responsible for deploying the resulting configurations to a device. This separation of responsibility helps maintain the integrity of deployed device configurations.
You can use Workflow mode with or without an approver. When using Workflow mode with an approver, device management and policy configuration changes performed by one user are reviewed and approved by another user before being deployed to the relevant devices. When using Workflow mode without an approver, device and policy configuration changes can be created and approved by a single user, thus simplifying the change process.
Note Workflow mode works in the same manner whether Ticket Management is enabled or not. Enabling Ticket Management in Workflow mode simply enables the Ticket field for use with Activities. Entering a ticket ID is not required, but if one is used, the Ticket field can be configured to link to an external change management system. For more information, see Ticket Management.
For information about enabling or disabling Workflow mode or enabling or disabling Ticket Management, see Changing Workflow Modes, page 1-26.
In Workflow mode:
A user must create an activity before defining or changing policy configurations in Configuration Manager. The activity is essentially a proposal to make configuration changes. The changes made within the activity are applied only after the activity is approved by a user with the appropriate permissions. An activity can either be submitted to another user for review and approval (Workflow mode with an activity approver), or it can be approved by the current user (Workflow mode without an activity approver). For detailed information about the process of creating, submitting, and approving activities, see Chapter 4, “Managing Activities”.
After the activity is approved, the configuration changes need to be deployed to the relevant devices. To do this, a user must create a deployment job. A deployment job defines the devices to which configurations will be deployed, and the deployment method to be used. A deployment job can either be submitted to another user for review and approval (Workflow mode with a deployment job approver), or it can be approved by the current user (Workflow mode without a job approver). Deployment preferences can be configured with or without job approval. For more information, see Chapter 8, “Managing Deployment”.
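The approval cycle described in this section, as an added example model in Python (not Security Manager code and not part of this guide): when an activity or job approver is configured, the user who submitted the item cannot approve it, and a deployment job can only be created from an approved activity. The class, state, and user names are this example's own assumptions.

```python
"""Toy model of the Workflow mode change-control cycle (added example,
not Cisco Security Manager code). Names and states are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    EDIT = "edit"            # open, still being changed by its owner
    SUBMITTED = "submitted"  # waiting for approval
    APPROVED = "approved"    # approved; activity changes are committed
    DEPLOYED = "deployed"    # job only: configuration pushed to devices


class WorkflowError(Exception):
    """Raised when an action violates the modelled workflow rules."""


@dataclass
class Item:
    """An activity or a deployment job; both follow the same cycle."""
    kind: str                 # "activity" or "job"
    owner: str                # user who created and submits it
    state: State = State.EDIT
    approver: Optional[str] = None


@dataclass
class Workflow:
    """Workflow mode with or without an activity approver and a job approver."""
    activity_approver_required: bool
    job_approver_required: bool
    activities: List[Item] = field(default_factory=list)
    jobs: List[Item] = field(default_factory=list)

    def create_activity(self, user: str) -> Item:
        act = Item("activity", user)
        self.activities.append(act)
        return act

    def submit(self, item: Item, user: str) -> None:
        if item.owner != user:
            raise WorkflowError(f"only the owner may submit this {item.kind}")
        if item.state is not State.EDIT:
            raise WorkflowError(f"{item.kind} is not open for editing")
        item.state = State.SUBMITTED

    def approve(self, item: Item, user: str) -> None:
        """With an approver configured, approval must come from another user."""
        required = (self.activity_approver_required if item.kind == "activity"
                    else self.job_approver_required)
        if item.state is not State.SUBMITTED:
            raise WorkflowError(f"{item.kind} has not been submitted")
        if required and user == item.owner:
            raise WorkflowError(f"separation of duties: {user} cannot approve "
                                f"the {item.kind} they submitted")
        item.approver = user
        item.state = State.APPROVED

    def create_job(self, activity: Item, user: str) -> Item:
        """Deployment needs an approved activity first."""
        if activity.state is not State.APPROVED:
            raise WorkflowError("deployment job requires an approved activity")
        job = Item("job", user)
        self.jobs.append(job)
        return job

    def deploy(self, job: Item, user: str) -> None:
        if job.state is not State.APPROVED:
            raise WorkflowError("deployment job has not been approved")
        job.state = State.DEPLOYED


def run_with_approvers() -> List[str]:
    """Full cycle with both approvers required; returns a short audit trail."""
    wf = Workflow(activity_approver_required=True, job_approver_required=True)
    trail: List[str] = []
    act = wf.create_activity("secops1")
    wf.submit(act, "secops1")
    try:
        wf.approve(act, "secops1")   # self-approval must be refused
    except WorkflowError as err:
        trail.append(str(err))
    wf.approve(act, "secops2")       # a different security operator approves
    job = wf.create_job(act, "netops1")
    wf.submit(job, "netops1")
    wf.approve(job, "netops2")       # a different network operator approves
    wf.deploy(job, "netops1")
    trail.append(f"activity={act.state.value} job={job.state.value}")
    return trail


if __name__ == "__main__":
    for line in run_with_approvers():
        print(line)
```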
Working in Non-Workflow Mode
Some organizations have no division of responsibility between users when defining and administering their VPN and firewall policies. These organizations can work in non-Workflow mode. When using non-Workflow mode, you do not explicitly create activities. When you log in, Configuration Manager creates an activity for you, also called a configuration session, or opens the activity you were using when previously logged in (the configuration session is automatically closed when you log out of Security Manager). This activity is transparent to the user and does not need to be managed in any way. When you submit your configuration changes to the database, this is equivalent to submitting and approving the activity in Workflow mode. In addition, when you submit and deploy configuration changes, Security Manager creates a deployment job for you as well. Like activities, deployment jobs are transparent and do not need to be managed.
When using non-Workflow mode, multiple users with the same username and password cannot be logged into Security Manager at the same time. If another user logs in with the same username and password while you are working, your session will be terminated and you will have to log in again.
Ticket Management in Non-Workflow Mode
If your organization uses a change management system, Security Manager can associate the changes made to configurations with a ticket ID. Before making any configuration changes, you must open a ticket and the ticket must be submitted before the changes associated with that ticket are available to be deployed. Tickets can be opened and closed as needed, and you can discard a ticket if the changes associated with that ticket are no longer desired. Entering a ticket ID is not required, but if one is used, the Ticket field can be configured to link to an external change management system. For more information, see Ticket Management.
Non-Workflow mode with Ticket Management enabled is the default mode for Security Manager. For information about enabling or disabling Workflow mode or enabling or disabling Ticket Management, see Changing Workflow Modes, page 1-26.
Comparing Workflow Modes
The following table highlights the differences between the workflow modes.
Table 1-1 Comparison Between Workflow Mode and Non-Workflow Mode in Configuration Manager
Question: What is the default mode for Security Manager?
Non-Workflow Mode with Ticket Management Enabled: Default.
Non-Workflow Mode with Ticket Management Disabled: Not default.
Workflow Mode: Not default.
Question: How do I know which mode is currently selected?
All modes: Select Tools > Security Manager Administration > Workflow. If the Enable Workflow check box is selected, you are in Workflow mode. Select Tools > Security Manager Administration > Ticket Management. If the Enable Ticketing check box is selected, ticket management is enabled.
Question: Must I explicitly create activities to make configuration changes?
Non-Workflow Mode with Ticket Management Enabled: You must explicitly create a Ticket before you can make configuration changes. Configuration Manager automatically creates an activity that is associated with that ticket.
Non-Workflow Mode with Ticket Management Disabled: No. Configuration Manager automatically creates an activity when you log in, or opens the previous session if you did not submit it before logging out.
Workflow Mode: Yes.
Question: Must I explicitly create deployment jobs to deploy configurations to devices?
Non-Workflow Mode with Ticket Management Enabled: No. Configuration Manager creates a deployment job for you when you deploy configuration changes.
Non-Workflow Mode with Ticket Management Disabled: No. Configuration Manager creates a deployment job for you when you deploy configuration changes.
Workflow Mode: Yes.
Question: How do I deploy my configuration changes to the devices?
Non-Workflow Mode with Ticket Management Enabled: Do one of the following: Select File > Deploy. Select Manage > Deployments and click Deploy on the Deployment Jobs tab.
Non-Workflow Mode with Ticket Management Disabled: Do one of the following: Click the Submit and Deploy Changes button in the Main toolbar. Select File > Submit and Deploy. Select Manage > Deployments and click Deploy on the Deployment Jobs tab.
Workflow Mode: Select Manage > Deployments and create a deployment job.
Question: At what stage are the CLI commands for my configuration changes generated?
Non-Workflow Mode with Ticket Management Enabled: When initiating deployment.
Non-Workflow Mode with Ticket Management Disabled: When initiating deployment.
Workflow Mode: When creating a deployment job.
Question: How do I delete my current changes?
Non-Workflow Mode with Ticket Management Enabled: Select Tickets > Discard Ticket to discard the currently-open ticket, or select the ticket in the Ticket Manager and click Discard. If you have already started deploying devices, abort the deployment by selecting the job in the Deployment Manager and clicking Abort.
Non-Workflow Mode with Ticket Management Disabled: Select File > Discard. If you have already started deploying devices, abort the deployment by selecting the job in the Deployment Manager and clicking Abort.
Workflow Mode: Select Activities > Discard Activity to discard the currently-open activity, or select the activity in the Activity Manager and click Discard. If you already created a deployment job, select the job in the Deployment Manager and click Discard. If the job has already been deployed, you can abort the job by selecting Abort.
Question: Can multiple users log into Security Manager at the same time?
Non-Workflow Mode with Ticket Management Enabled: Yes. Each user can open a different ticket and make configuration changes. A single user can log in multiple times, but the user must open separate tickets.
Non-Workflow Mode with Ticket Management Disabled: Yes, but only if each one has a different username. If a user with the same username logs into Security Manager, the first user is automatically logged out.
Workflow Mode: Yes. Each user can open a different activity and make configuration changes. A single user can log in multiple times, but the user must open separate activities.
Question: What if another user is configuring the devices I want to configure?
All modes: You will receive a message indicating that the devices are locked. See Activities and Locking, page 4-3.
Using the JumpStart to Learn About Security Manager
The JumpStart is an introduction to Security Manager. It describes and illustrates the major concepts of using the product. Use the JumpStart to explore Security Manager features and capabilities.
The JumpStart opens automatically when you first launch Security Manager. To get to the JumpStart while you are working with Security Manager, select Help > JumpStart from the main menu in Configuration Manager.
The JumpStart contains the following navigation features:
A table of contents, which is always visible in the upper right corner. Click an entry to open its page.
Links in the page enable you to drill down to more detailed information in the JumpStart or to relevant information in the online help.
Completing the Initial Security Manager Configuration
After you install Security Manager, there are several configuration steps you might want to perform to complete the installation. Although most of the features you initially configure have default settings, you should familiarize yourself with the features and decide if the default settings are the best settings for your organization.
The following list explains the features you might want to initially configure, with pointers to topics that provide more detailed information where appropriate. You can configure these features in any order, or delay configuring those that you do not yet need to use.
Configure an SMTP server and default e-mail addresses. Security Manager can send e-mail notifications for several actions that occur in the system. For example, you can get an e-mail when your deployment job finishes reconfiguring network devices. For e-mail notifications to work, you must configure an SMTP server.
For information on configuring an SMTP server and setting the default e-mail addresses, see Configuring an SMTP Server and Default Addresses for E-Mail Notifications, page 1-25.
Create user accounts. Users must log into Security Manager to use the product. However, if a user logs in with an account another user is already using, the first user is automatically disconnected. Thus, each user should have a unique account. You can create accounts local to the Security Manager server, or you can use your ACS system to manage user authentication. For more information, see the Installation Guide for Cisco Security Manager.
Configure default deployment settings. When users deploy configurations to devices, they can select how the configurations should be deployed and how Security Manager should handle anomalies. However, you can select system-default settings that make it easier for users to follow your organization’s recommendations. To set deployment defaults, in Configuration Manager, select Tools > Security Manager Administration, and then select Deployment from the table of contents to open the Deployment settings page (see Deployment Page, page 11-9).
The following deployment settings are of particular interest:
Default Deployment Method—Whether configuration deployments should be written directly to the device or to a transport server, or if configuration files should be written to a specified directory on the Security Manager server. The default is to deploy configurations directly to the device or transport server, if one is configured for the device. However, if you have your own methods for deploying configuration files, you might want to select File as the default deployment method. For more information on deployment methods, see Understanding Deployment Methods, page 8-8.
When Out-of-Band Changes Detected—How to respond when Security Manager detects that configuration changes were made on the device through the CLI rather than through Security Manager. The default is to issue a warning and proceed with the deployment, overwriting the changes that were made through the CLI. However, you can change this behavior to simply skip the check for changes (which means Security Manager overwrites the changes but does not warn you), or to cancel the deployment, thus leaving the device in its current state. For more information about handling out-of-band changes, see Understanding How Out-of-Band Changes are Handled, page 8-12.
Allow Download on Error—Whether to allow deployment to continue if minor configuration errors are found. The default is to not allow deployment when minor errors are found.
Select a workflow mode. The default mode is non-Workflow mode with Ticket Management enabled. In non-Workflow mode, users have more freedom to create and deploy configurations. However, if your organization requires a more transaction-oriented approach to network management, where separate individuals perform policy creation, approval, and deployment, you can enable Workflow mode to enforce your procedures. If you are using Workflow mode, ensure that you configure user permissions appropriately when you define user accounts to enforce your required division of labor. For information on the types of workflow you can use, see Workflow and Activities Overview, page 1-18. For information on how to change workflow modes, see Changing Workflow Modes, page 1-26.
Tip You can disable Ticket Management in non-Workflow mode to make most activity management tasks automatic.
Configure default device communication settings. Security Manager uses the most commonly used methods for accessing devices based on the type of device. For example, Security Manager uses SSH by default when contacting Catalyst switches. If the default protocols work for the majority of your devices, you do not need to change them. For devices that should use a non-default protocol, you can change the protocol in the device properties for the specific devices. However, if you typically use a protocol that is not the Security Manager default (for example, if you use a token management server (TMS) for your routers), you should change the default setting. To change the default communication settings, in Configuration Manager, select Tools > Security Manager Administration, and select Device Communication from the table of contents. In the Device Connection Settings group, select the most appropriate protocols for each type of device. You can also change the default connection time out and retry settings. For more information about device communication settings, see Device Communication Page, page 11-16.
Select the types of router and firewall policies you will manage with Security Manager. When you manage IPS devices in Security Manager, you automatically manage the entire configuration. However, with routers and firewall devices (ASA, PIX, and FWSM), you can select which types of policies are managed by Security Manager. You can manage other parts of the device configuration using other tools (including the device’s CLI). By default, all security-related policies are managed. To change which policies are managed, in Configuration Manager, select Tools > Security Manager Administration > Policy Management. For detailed information about changing these settings and what you should do before and after making the change, see Customizing Policy Management for Routers and Firewall Devices, page 5-10.
Decide whether you want to use the Event Viewer to manage firewall and IPS events. You can configure the disk and location for collecting syslog events from devices, and the port number to use for syslog communication. If you do not want to use Security Manager for event management, you can turn off the feature, which is enabled by default. For more information on the configuration options, see Event Management Page, page 11-22.
Configure Security Manager for communication with Cisco Security Monitoring, Analysis and Response System (CS-MARS). If you use CS-MARS for monitoring your network, you can identify the servers to Security Manager and then access CS-MARS event information from within Security Manager. For information on configuring this cross-communication, see Checklist for Integrating CS-MARS with Security Manager, page 69-23.
Configuring an SMTP Server and Default Addresses for E-Mail Notifications
Security Manager can send e-mail notifications for several types of events such as deployment job completion, activity approval, or ACL rule expiration. To enable e-mail notifications, you must configure an SMTP server that Security Manager can use for sending the e-mails. Then, you can configure e-mail addresses and notification settings on these settings pages (in Configuration Manager, select Tools > Security Manager Administration and select the page from the table of contents):
Workflow page—For default e-mail addresses and notification settings for deployment jobs and activities. Users can override the defaults when managing deployment jobs and activities.
Rules Expiration page—For default e-mail addresses and notification settings for ACL rule expiration. Rules expire only if you configure them with expiration dates.
IPS Updates page—For the e-mail address that should be notified of IPS update availability.
Server Security page—When you configure local user accounts (click Local User Setup), specify the user’s e-mail address. This address is used as the default target for some notifications such as deployment job completion.
Event Management page—When you configure an extended data storage location, you must specify at least one e-mail address. The e-mail addresses receive notifications if problems arise with the use of the extended storage location.
Tip If you are using ACS for user authorization, you might have already configured an SMTP server and system administrator e-mail address in the ACS integration procedure as described in the Installation Guide for Cisco Security Manager. Security Manager sends a notification to this address if all ACS servers become unavailable.
Step 1 Access CiscoWorks Common Services on the Security Manager server:
If you are currently using the Security Manager client, the easiest way to do this is to select Tools > Security Manager Administration, select Server Security from the table of contents, and click any button on that page (for example, Local User Setup).
You can use your web browser to log into the home page on the Security Manager server (https://servername/CSCOnm/servlet/login/login.jsp) and click Server Administration.
Step 2 Click Server > Admin and select System Preferences from the table of contents.
Step 3 On the System Preferences page, enter the host name or IP address of an SMTP server that Security Manager can use. The SMTP server cannot require user authentication for sending e-mail messages.
Also, enter an e-mail address that CiscoWorks can use for sending e-mails. This does not have to be the same e-mail address that you configure for Security Manager to use when sending notifications. If you are using ACS for authorization, Security Manager sends an e-mail message to this address if all ACS servers become unavailable. This can alert you to a problem that needs immediate attention. The administrator might also receive e-mail messages from Common Services for non-ACS-related events.
Step 4 Click Apply to save your changes.
Changing Workflow Modes
You can change the workflow mode that Security Manager enforces if you have the appropriate administrator permissions. Changing the workflow mode has significant effects on users. Before making a change, be sure to understand the following:
When you change the workflow mode, the change will take effect for all Security Manager users working from the same server.
Before you can change from Workflow mode to non-Workflow mode, all activities in editable states (Edit, Edit Open, Submit, or Submit Open) must be approved or discarded, and all generated jobs must be deployed, rejected, discarded, or aborted so that the locks on the devices can be released. You do not have to do anything to jobs that are in the failed state.
Before you can disable Ticket Management in non-Workflow mode, all tickets in editable states (Edit or Edit Open) must be submitted or discarded.
If you change from Workflow mode to non-Workflow mode and then restore an earlier version of the database, Security Manager automatically changes to Workflow mode if the restored database has any activities in an editable state (Edit, Edit Open, Submit, or Submit Open). Approve or delete the editable activities, and then turn Workflow mode off again.
When changing from non-Workflow mode to Workflow mode or enabling Ticket Management in non-Workflow mode, current configuration sessions are listed as activities/tickets in the Edit_Open state, and these activities/tickets must now be explicitly managed.
When Ticket Management is enabled or disabled, any other users logged into Security Manager are logged out.
For an explanation of workflow modes, see Workflow and Activities Overview, page 1-18.
Step 1 In Configuration Manager, select Tools > Security Manager Administration and select Workflow from the table of contents to open the Workflow page (see Workflow Page, page 11-54).
Step 2 Configure the workflow mode settings in the Workflow Control group. If you select Enable Workflow (to use Workflow mode), you can also select these options:
Require Activity Approval—To enforce explicit approval of activities before policy changes are committed to the database.
Require Deployment Approval—To enforce explicit approval of deployment jobs before they can be run.
Step 3 Configure the e-mail notification settings. These are the default e-mail addresses for the e-mail sender (that is, Security Manager), the approvers, and another person or e-mail alias who should be notified when deployment jobs are complete.
You also have the options to include the job deployer when sending notifications of job status, and to require that e-mail notifications are sent for deployment job status changes.
Step 4 Click Save to save and apply changes.
Step 5 Select Workflow from the table of contents to open the Ticket Management page (see Ticket Management Page, page 11-51).
Step 6 Configure the Ticket Management settings. If you select Enable Ticketing, you can also select these options:
Ticket System URL—To provide linking between a Ticket ID and an external ticket management system.
Ticket History—Specify how long to keep information related to tickets.
Note See Ticket Management Page, page 11-51 for detailed information on these fields.
Step 7 Click Save to save and apply changes.
Understanding Basic Security Manager Interface Features
The following topics provide information about some basic interface features such as descriptions of the menu commands, toolbar buttons, and how to use common user interface elements. Many of the features described are used only in Configuration Manager.
Menu Bar Reference for Configuration Manager, page 1-27
Toolbar Reference (Configuration Manager), page 1-36
Using Selectors, page 1-42
Using Wizards, page 1-44
Using Tables, page 1-45
Using Text Fields, page 1-46
Selecting or Specifying a File or Directory in Security Manager, page 1-47
Troubleshooting User Interface Problems, page 1-48
Menu Bar Reference for Configuration Manager
The menu bar in Configuration Manager contains menus with commands for using Security Manager. Commands may become unavailable depending on the task you are performing.
The menus in the menu bar are described in the following topics:
File Menu (Configuration Manager), page 1-28
Edit Menu (Configuration Manager), page 1-29
View Menu (Configuration Manager), page 1-30
Policy Menu (Configuration Manager), page 1-30
Map Menu (Configuration Manager), page 1-31
Manage Menu (Configuration Manager), page 1-32
Tools Menu (Configuration Manager), page 1-33
Launch Menu (Configuration Manager), page 1-35
Activities Menu (Configuration Manager), page 1-34
Tickets Menu (Configuration Manager), page 1-34
Help Menu (Configuration Manager), page 1-36
File Menu (Configuration Manager)
The following table describes the commands on the File menu in Configuration Manager. The menu items differ depending on the workflow mode.
Table 1-2 File Menu (Configuration Manager)
Command Description
New Device Initiates the wizard to add a new device. See Adding Devices to the Device Inventory, page 3-6.
Clone Device Creates a device by duplicating an existing device. See Cloning a Device, page 3-54.
Delete Device Deletes a device. See Deleting Devices from the Security Manager Inventory, page 3-55.
Save Saves any changes made on the active page, but does not submit them to the Security Manager database.
Import Imports policies and devices exported from another Security Manager server. See Importing Policies or Devices, page 10-13.
Export Exports policies or devices so that they can be imported into another Security Manager server. A device export can include policy information, or it can be a simple CSV file that you can import into CiscoWorks Common Services Device Credential Repository (DCR) or Cisco Security Monitoring, Analysis and Response System (CS-MARS). See Exporting the Device Inventory from the Security Manager Client, page 10-6 and Exporting Shared Policies, page 10-11.
View Changes (non-Workflow mode only) Opens the Activity Change Report (in PDF format) for the current configuration session. To see changes for the current activity in Workflow mode, select Activities > View Changes.
Validate (non-Workflow mode only) Validates the changes you have saved. See Validating an Activity/Ticket, page 4-18. To validate the current activity in Workflow mode, select Activities > Validate Activity.
Submit (non-Workflow mode only) Submits all changes made since the last submission to the Security Manager database. To submit the current activity in Workflow mode, select Activities > Submit Activity.
Submit and Deploy (non-Workflow mode only) Submits all changes made since the last submission to the Security Manager database and deploys all changes made since the last deployment. See Understanding Deployment, page 8-1. In Workflow mode, you must have your activity approved and then create a deployment job to deploy changes to devices.
Deploy (non-Workflow mode only) Deploys all changes made since the last deployment. See Understanding Deployment, page 8-1. In Workflow mode, you must have your activity approved and then create a deployment job to deploy changes to devices.
Discard (non-Workflow mode only) Discards all configuration changes since the last submission. To discard the current activity in Workflow mode, select Activities > Discard Activity.
Edit Device Groups Edits device groups. See Working with Device Groups, page 3-57.
New Device Group Adds a device group. See Creating Device Groups, page 3-60.
Add Devices to Group Adds a device to a group. See Adding Devices to or Removing Them From Device Groups, page 3-60.
Print Prints the active page. Not all pages can be printed. If the Print command is not available, you cannot print the active page.
Exit Exits Security Manager.
Edit Menu (Configuration Manager)
The following table describes the commands on the Edit menu in Configuration Manager. You can typically use these commands only when you are working with a table in a policy, and some work only for rules tables (see Using Rules Tables, page 12-7).
Table 1-3 Edit Menu (Configuration Manager)
Command Description
Cut Cuts the selected row in a rules table and saves it on the clipboard.
Copy Copies the selected row in a rules table and saves it on the clipboard.
Paste Pastes the rules table row from the clipboard into the rules table after the selected row.
Add Row Adds a row into the active table.
Edit Row Edits the selected table row.
Delete Row Deletes the selected table row.
Move Row Up / Move Row Down Moves the selected row up or down in the rules table. For more information, see Moving Rules and the Importance of Rule Order, page 12-19.
Global Search Opens the Global Search window. For more information, see Using Global Search, page 1-39.
View Menu (Configuration Manager)
The View menu in Configuration Manager contains commands to navigate within the user interface or to alter the toolbar.
Table 1-4 View Menu
Menu Command Description
Device View Opens Device view. See Device View Overview, page 1-13.
Device Status View Opens the Device Status View window. See Working with Device Status View, page 3-61.
Map View Opens Map view. See Map View Overview, page 1-16.
Policy View Opens Policy view. See Policy View Overview, page 1-14.
Policy Bundle View Opens Policy Bundle view. See Managing Policy Bundles, page 5-53.
Customized Toolbar Allows you to add or remove some optional buttons on the toolbar. For information on all the buttons that can appear on the toolbar, see Toolbar Reference (Configuration Manager), page 1-36.
Policy Menu (Configuration Manager)
The Policy menu in Configuration Manager contains commands for managing policies.
Table 1-5 Policy Menu (Configuration Manager)
Menu Command Description
Share Policy Saves the active local policy as a shared policy. See Sharing a Local Policy, page 5-38.
Unshare Policy Saves the active shared policy as a local policy. See Unsharing a Policy, page 5-40.
Assign Shared Policy Assigns shared policies to devices. See Assigning a Shared Policy to a Device or VPN Topology, page 5-41.
Unassign Policy Unassigns the current policy from the selected device. See Unassigning a Policy, page 5-33.
Copy Policies Between Devices Copies policies between devices. See Copying Policies Between Devices, page 5-31.
Share Device Policies Enables you to share local device policies. See Sharing a Local Policy, page 5-38.
Edit Policy Assignments Edits assignment of shared policies to devices. See Modifying Policy Assignments in Policy View, page 5-51.
Clone Policy Creates a copy of a policy with a new name. See Cloning (Copying) a Shared Policy, page 5-44.
Rename Policy Renames a policy. See Renaming a Shared Policy, page 5-45.
Add Local Rules Adds local rules to a shared policy on a device. You must select a rule-based shared policy to use this command.
Inherit Rules Edits policy inheritance. See Inheriting or Uninheriting Rules, page 5-43.
Discover Policies on Device Discovers policies on a device. See Discovering Policies, page 5-12.
Discover VPN Policies Opens the Discover VPN Policies wizard. See Site-To-Site VPN Discovery, page 24-19.
Map Menu (Configuration Manager)
The Map menu in Configuration Manager contains commands for using the Map view. The commands in this menu are available only when the Map view is open. For more information, see Chapter 34, “Using Map View”.
Table 1-6 Map Menu (Configuration Manager)
Menu Command Description
New Map Creates a map. See Creating New or Default Maps, page 34-9.
Open Map Opens a saved map or the default map. See Opening Maps, page 34-10.
Show Devices On Map Selects the managed devices to show on the active map. See Displaying Managed Devices on the Map, page 34-16.
Show VPNs On Map Selects the VPNs to show on the active map. See Displaying Existing VPNs on the Map, page 34-21.
Add Map Object Creates a map object on the open map. See Using Map Objects To Represent Network Topology, page 34-17.
Add Link Creates a Layer 3 link on the open map. See Creating and Managing Layer 3 Links on the Map, page 34-19.
Find Map Node Finds nodes on the open map. See Searching for Map Nodes, page 34-12.
Save Map Saves the open map. See Saving Maps, page 34-10.
Save Map As Saves the open map with a new name. See Saving Maps, page 34-10.
Zoom In Zooms in on the map. See Panning, Centering, and Zooming Maps, page 34-11.
Zoom Out Zooms out from the map. See Panning, Centering, and Zooming Maps, page 34-11.
Fit to Window Zooms the open map to display the entire map. See Panning, Centering, and Zooming Maps, page 34-11.
Display Actual Size Zooms the open map to display at actual size. See Panning, Centering, and Zooming Maps, page 34-11.
Refresh Map Refreshes the open map with updated network data. See Creating New or Default Maps, page 34-9.
Export Map Exports the open map to a file. See Exporting Maps, page 34-11.
Delete Map Deletes the map you select from a list. See Deleting Maps, page 34-10.
Map Properties Displays or edits properties for the open map. See Setting the Map Background Properties, page 34-13.
Show/Hide Navigation Window Displays or hides the navigation window on the open map. See Using the Navigation Window, page 34-4.
Undock/Dock Map View Undocks the maps window, allowing you to use other features while keeping the map open. If the window is already undocked, the Dock Map View command reattaches the window to the primary Security Manager window. See Understanding the Map View Main Page, page 34-2.
Manage Menu (Configuration Manager)
The Manage menu in Configuration Manager contains commands that start tools that run in a window separate from the Security Manager main interface. This enables you to access features without closing the page from which you are currently working.
Table 1-7 Manage Menu (Configuration Manager)
Menu Command Description
Policy Objects Opens the Policy Object Manager, where you can view all available objects grouped according to object type; create, copy, edit, and delete objects; and generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies. For information, see Policy Object Manager, page 6-4.
Site-to-Site VPNs Opens the Site-to-Site VPN Manager, where you can configure site-to-site VPNs. See Chapter 24, “Managing Site-to-Site VPNs: The Basics”.
Activities (Workflow mode only) Opens the Activity Manager, where you can create and manage activities. See Activity/Ticket Manager Window, page 4-10.
Deployments Opens the Deployment Manager, where you can deploy configurations and manage deployment jobs. See Chapter 8, “Managing Deployment”.
Configuration Archive Stores archived device configuration versions and allows you to view, compare, and roll back from one configuration to another. See Configuration Archive Window, page 8-24.
Policy Discovery Status Opens the Policy Discovery Status window, where you can see the status of policy discovery and device import. See Viewing Policy Discovery Task Status, page 5-21.
IPS Manages IPS device certificates, which are required for device communications.
Audit Report Generates an audit report according to parameters set in the audit report page. See Using the Audit Report Window, page 10-20.
Change Reports (non-Workflow mode only) Allows you to generate a report of changes to devices, shared policies, and policy objects for a previous configuration session. See Viewing Change Reports, page 4-16. To view changes for the current configuration session, select File > View Changes.
Tools Menu (Configuration Manager)
The Tools menu in Configuration Manager contains commands that start tools that run in a window separate from the Security Manager main interface. This enables you to access features without closing the page from which you are currently working.
Table 1-8 Tools Menu (Configuration Manager)
Menu Command Description
Device Properties Opens the Device Properties window, which provides general information about the device, including credentials, the group the device is assigned to, and policy object overrides. For more information, see Understanding Device Properties, page 3-6.
Detect Out of Band Changes Analyzes devices to determine if their configurations have changed since the last time Security Manager deployed configurations. You can use this information to ensure that you do not lose important configuration changes. See Detecting and Analyzing Out of Band Changes, page 8-46.
Packet Capture Wizard Opens the Packet Capture wizard, where you can set up a packet capture on an ASA device.
Ping, TraceRoute and NSLookup Opens the Ping, TraceRoute, and NSLookup tool, where you can use these troubleshooting commands. Ping and traceroute run on managed devices, whereas NSLookup runs on your client workstation. See Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools, page 69-14.
Wall... Opens the Wall window, where you can send messages to all users who are logged in on the same Security Manager server. First, however, it must be enabled on the Wall Settings page. See Wall Settings Page, page 11-56.
Show Containment Shows security contexts or service modules for a device. See Showing Device Containment, page 3-53.
Inventory Status Shows device summary information for all devices. See Viewing Inventory Status, page 69-1.
Catalyst Summary Info Shows high-level system information, including any service modules, ports, and VLANs that Security Manager has discovered on the selected Catalyst switch. See Viewing Catalyst Summary Information, page 65-2.
Apply IPS Update Manually applies IPS image and signature updates. See Manually Applying IPS Updates, page 43-7.
Preview Configuration Displays the proposed changes, last deployed configuration, or current running configuration for specific devices. See Previewing Configurations, page 8-45.
Backup Backs up the Security Manager database using CiscoWorks Common Services. See Backing up and Restoring the Security Manager Database, page 10-24.
Security Manager Diagnostics Gathers troubleshooting information to send to the Technical Assistance Center (TAC) if they request it. See Creating a Diagnostics File for the Cisco Technical Assistance Center, page 10-27.
Security Manager Administration Configures system-wide settings that control the functioning of Security Manager. For information, see Chapter 11, “Configuring Security Manager Administrative Settings”.
Activities Menu (Configuration Manager)
The Activities menu in Configuration Manager contains commands for managing activities. It appears only when Workflow mode is enabled. For more detailed information about these commands, see Accessing Activity Functions in Workflow Mode, page 4-8.
Table 1-9 Activities Menu (Configuration Manager)
Menu Command Description
New Activity Creates a new activity. See Creating an Activity/Ticket, page 4-14.
Open Activity Opens an activity. See Opening an Activity/Ticket, page 4-15.
Close Activity Closes the open activity. See Closing an Activity/Ticket, page 4-16.
View Changes Opens the Activity Change Report (in PDF format). See Viewing Change Reports, page 4-16.
Validate Activity Validates the open activity. See Validating an Activity/Ticket, page 4-18.
Submit Activity Submits the open activity. See Submitting an Activity for Approval (Workflow Mode with Activity Approver), page 4-20.
Approve Activity Approves the open activity. See Approving or Rejecting an Activity (Workflow Mode), page 4-21.
Reject Activity Rejects the open activity. See Approving or Rejecting an Activity (Workflow Mode), page 4-21.
Discard Activity Discards the open activity. See Discarding an Activity/Ticket, page 4-22.
Tickets Menu (Configuration Manager)
The Tickets menu in Configuration Manager contains commands for managing tickets. It appears only when Ticket Management is enabled in non-Workflow mode. For more detailed information about these commands, see Accessing Ticket Functions in Non-Workflow Mode, page 4-9.
Table 1-10 Tickets Menu (Configuration Manager)
Menu Command Description
New Ticket Creates a new ticket. See Creating an Activity/Ticket, page 4-14.
Open Ticket Opens a ticket. See Opening an Activity/Ticket, page 4-15.
Close Ticket Closes the open ticket. See Closing an Activity/Ticket, page 4-16.
View Changes Opens the Ticket Change Report (in PDF format). See Viewing Change Reports, page 4-16.
Validate Ticket Validates the open ticket. See Validating an Activity/Ticket, page 4-18.
Submit Ticket Submits the open ticket. See Understanding Activity/Ticket States, page 4-4.
Discard Ticket Discards the open ticket. See Discarding an Activity/Ticket, page 4-22.
Launch Menu (Configuration Manager)
The Launch menu contains commands that start other applications.
Table 1-11 Launch Menu (Configuration Manager)
Menu Command Description
Device Manager Starts device managers for all supported devices, such as PIX security appliances, Firewall Services Modules (FWSM), IPS sensors, IOS routers, and Adaptive Security Appliance (ASA) devices. Device managers provide several monitoring and diagnostic features that enable you to get information regarding the services running on the device and a snapshot of the overall health of the system. See Starting Device Managers, page 69-4.
Prime Security Manager Launches the Cisco Prime Security Manager (PRSM) application, used to manage ASA CX devices. See Launching Cisco Prime Security Manager, page 69-9 for more information.
Event Viewer Opens the Event Viewer, where you can view and analyze device events. See Chapter 66, “Viewing Events” for more information.
If you have already logged into another Security Manager application, Event Viewer is opened using the same user account; you are not prompted to log in. To open Event Viewer using a different user account, open the application from the Windows Start menu or desktop icon.
Report Manager Opens the Report Manager, where you can generate and analyze security and usage reports. See Chapter 67, “Managing Reports” for more information.
If you have already logged into another Security Manager application, Report Manager is opened using the same user account; you are not prompted to log in. To open Report Manager using a different user account, open the application from the Windows Start menu or desktop icon.
Image Manager Opens the Image Manager, where you can manage the images on ASA devices. See Chapter 70, “Using Image Manager” for more information.
If you have already logged into another Security Manager application, Image Manager is opened using the same user account; you are not prompted to log in. To open Image Manager using a different user account, open the application from the Windows Start menu or desktop icon.
Health & Performance Monitor Opens the Health & Performance Monitor (HPM), where you can view device status and traffic information across your network, and view and acknowledge device-specific alerts. See Chapter 68, “Health and Performance Monitoring” for more information.
If you have already logged into another Security Manager application, HPM is opened using the same user account; you are not prompted to log in. To open HPM using a different user account, open the application from the Windows Start menu or desktop icon.
Help Menu (Configuration Manager)
The Help menu in Configuration Manager contains commands for accessing product documentation and training. For more information, see Accessing Online Help, page 1-49.
Table 1-12 Help Menu (Configuration Manager)
Menu Command Description
Help Topics Opens the online help system.
Help About This Page Opens online help for the active page.
JumpStart Opens the JumpStart.
Security Manager Online Opens the Security Manager web page on Cisco.com.
About Configuration Manager Displays information about Configuration Manager.
Toolbar Reference (Configuration Manager)
The main toolbar (see Figure 1-1) contains buttons that perform actions in Configuration Manager.
The buttons that appear on the main toolbar vary depending on whether Workflow/Ticket Management mode is enabled and how you have customized the toolbar. By selecting View > Customized Toolbar, you can select some of the buttons included in the toolbar. Many buttons are on the toolbar permanently; you cannot remove them.
The following table presents all buttons.
Table 1-13 Configuration Manager Toolbar
Button Description
Opens the Device view.
1-36
For more information, see Understanding the Device View, page 3-1.
Opens the Map view.
For more information, see Chapter 34, “Using Map View”.
User Guide for Cisco Security Manager 4.4
OL-28826-01
Page 97
Chapter 1 Getting Started with Security Manager
Table 1-13 Configuration Manager Toolbar (Continued)
Button Description
Understanding Basic Security Manager Interface Features
Opens the Policy view.
For more information, see Managing Shared Policies in Policy View, page 5-47.
Opens the Policy Bundle view.
For more information, see Managing Policy Bundles, page 5-53.
Opens the Policy Object Manager.
For more information, see Chapter 6, “Managing Policy Objects”.
Opens the Site-to-Site VPN Manager.
For more information, see Chapter 24, “Managing Site-to-Site VPNs: The
Basics”.
Opens the Deployment Manager.
For more information, see Chapter 8, “Managing Deployment”.
Opens the Audit Report.
For more information, see Understanding Audit Reports, page 10-19.
(Non-Workflow mode with Ticket Management disabled only.) Submits and deploys changes.
For more information, see Chapter 8, “Managing Deployment”.
Discovers configuration policies defined on the currently selected device.
For more information, see Discovering Policies, page 5-12.
Detects out-of-band changes, those made to the device outside of Security Manager, for the currently selected devices.
For more information, see Detecting and Analyzing Out of Band Changes,
page 8-46.
Opens the Wall window, where you can send messages to all users who are logged in on the same Security Manager server. First, however, it must be enabled on the Wall Settings page.
For more information, see Workflow Page, page 11-54.
Shows high-level system information, including any service modules, ports, and VLANs that Security Manager has discovered on the selected Catalyst switch.
For more information, see Viewing Catalyst Summary Information, page 65-2.
Previews the configuration for the currently selected device.
For more information, see Previewing Configurations, page 8-45.
Opens the device manager for the currently selected device.
For more information, see Starting Device Managers, page 69-4.
Opens the Event Viewer application.
For more information, see Chapter 66, “Viewing Events”.
Opens the Report Manager application.
OL-28826-01
For more information, see Chapter 67, “Managing Reports”.
User Guide for Cisco Security Manager 4.4
1-37
Page 98
Understanding Basic Security Manager Interface Features
Table 1-13 Configuration Manager Toolbar (Continued)
Button Description
Opens the Image Manager application.
For more information, see Chapter 70, “Using Image Manager”.
Opens the Health & Performance Monitor application.
For more information, see Chapter 68, “Health and Performance Monitoring”.
Opens online help for the current page.
For more information, see Accessing Online Help, page 1-49.
Note The following buttons are not available in non-Workflow mode when Ticket Management is disabled.
Opens the Activity Manager window in Workflow mode or the Ticket Manager window when Ticket Management is enabled in non-Workflow mode. You can use these windows to create and manage activities/tickets. For more information, see Activity/Ticket Manager Window, page 4-10.
For more information on the activity buttons, and the conditions under which they are enabled, see Accessing Activity Functions in Workflow Mode, page 4-8.
For more information on the ticket buttons, and the conditions under which they are enabled, see Accessing Ticket Functions in Non-Workflow Mode, page 4-9.
Creates a new activity/ticket.
Opens an activity/ticket.
Saves all changes made while the activity/ticket was open and closes it.
Evaluates all changes made in the activity/ticket and produces a Change Report in PDF format in a separate window. For more information, see Viewing Change Reports, page 4-16.
Validates the integrity of changed policies within the current activity/ticket.
(Workflow mode with an approver only.) Submits the activity for approval when using Workflow mode with an activity approver.
Submits the ticket. Submitting the ticket saves the proposed changes to the database. Devices associated with the ticket are unlocked, meaning they can be included in policy definitions and changes in other tickets. You can submit a ticket when it is in the Edit or the Edit Open state.
(Workflow mode only.) Approves the changes proposed in an activity.
(Workflow mode only.) Rejects the changes proposed in an activity.
Discards the selected activity/ticket.
Using Global Search
Security Manager provides a global search feature that makes it easier to find and work with the information you are interested in. Global Search lets you search for devices, policy objects, policies, and tickets that contain a particular search string. You can limit the scope of the search to just devices, policy objects, policies, or tickets.
Note Search is only performed using data that has been committed. Changes that have not yet been submitted to the database will not be included in search results.
Wildcard Matching
The search string supports the use of the following wildcard characters:
Asterisk (*)—matches zero or more characters
Question Mark (?)—matches a single character
Semantic Searching
If the search string is an IP address, Security Manager performs a semantic search. For example, entering "192.168.0.0/16" as the search string returns items matching that subnet, as well as any specific hosts or other subnets that belong to that subnet and any subnets that contain it.
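As an added illustration (not part of this guide or of the Security Manager software), the following Python models the two matching rules described above: asterisk and question-mark wildcard substring matching for text queries, and subnet-aware matching for an address or CIDR query. The inventory is constructed, and case-insensitive text matching and treating a bare host address as a /32 are assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample inventory standing in for searchable items as
# (category, value) pairs; every name and address here is made up.
SAMPLE_ITEMS: List[Tuple[str, str]] = [
    ("Networks/Hosts", "10.0.0.0/8"),
    ("Networks/Hosts", "192.168.0.0/16"),
    ("Networks/Hosts", "192.168.10.0/24"),
    ("Networks/Hosts", "192.168.10.42"),
    ("Networks/Hosts", "172.16.5.0/24"),
    ("Policy Object", "Branch-Office-ACL"),
    ("Policy Object", "Branch-DMZ-ACL"),
    ("Device", "branch-asa-01"),
]

def parse_network(text: str):
    """Parse an address or CIDR (bare host -> /32 or /128); None if not one."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def semantic_match(query_net, candidate: str) -> bool:
    """Guide's rule: match the same subnet, hosts/subnets inside it, and
    subnets that contain it. Text values never match an address query."""
    cand = parse_network(candidate)
    if cand is None or cand.version != query_net.version:
        return False
    return query_net.supernet_of(cand) or cand.supernet_of(query_net)

def wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Only * (zero or more chars) and ? (one char) are wildcards; all other
    characters are literal. Case-insensitive matching is an assumption."""
    pieces = [".*" if c == "*" else "." if c == "?" else re.escape(c)
              for c in pattern]
    return re.compile("".join(pieces), re.IGNORECASE)

def global_search(query: str, scope: str = "All",
                  items=SAMPLE_ITEMS) -> List[str]:
    """Semantic search for an address/CIDR query, wildcard search otherwise."""
    query_net = parse_network(query)
    rx = None if query_net is not None else wildcard_regex(query)
    return [value for category, value in items
            if scope in ("All", category)
            and (semantic_match(query_net, value) if query_net is not None
                 else rx.search(value) is not None)]
```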
Global Search Scope
Global search is supported only for a subset of policies and policy objects, not all of them. The supported policies and policy objects are those most frequently used in customer deployments. They are:
Devices: All Devices
Policy Objects:
AAA Server Groups
AAA Servers
Access Control Lists
ASA Group Policies
Categories
Cisco Secure Desktop (Router)
Credentials
File Objects
FlexConfigs
Identity User Group
IKE Proposals
Interface Roles
IPSec Transform Sets
LDAP Attribute Maps
Networks/Hosts (IPv4 and IPv6)
PKI Enrollments
Port Forwarding List
Services
Single Sign On Servers
SLA Monitors
SSL VPN Bookmarks
SSL VPN Customizations
SSL VPN Gateways
SSL VPN Smart Tunnel Auto Signon Lists
SSL VPN Smart Tunnels
Text Objects
Time Ranges
Traffic Flows
User Groups
WINS Server Lists
Policies:
AAA Rules
Access Rules
IPv6 Access Rules
Inspection Rules
Translation Rules
Web Filter Rules
Zone Based Firewall Rules
Tickets
Configuration Manager
Image Manager
Performing a Global Search
To perform a global search, do one of the following:
Select Edit > Global Search or press Ctrl+F to open the Global Search window. Select the scope for the search in the drop-down list to the left of the search field, enter your search string in the search field, and then click Search.
Note If you are currently viewing a rule table, pressing Ctrl+F will open the Find and Replace dialog box instead of the Global Search window. Use one of the other methods to access the Global Search feature instead of the Find and Replace feature.
Using the search field in the upper-right corner of the Configuration Manager window, select the scope for the search by clicking the Search icon, enter your search string in the search field, and then press Enter.
The Global Search window displays the results matching your search criteria. Select the desired data type from the Category selector tree to see results for that category.