Numerics
12.1 and 12.2
managing routers 13-3
3DES encryption algorithm
cluster load balancing
using FQDNs 10-16
in IKE proposals 9-45
802.1x
802.1x Policy page J-128
defining policies 13-85
interface authorization states 13-83
on Cisco IOS routers 13-82
supported topologies 13-84
understanding device roles 13-83
A
AAA
accounting 10-2
authorization 10-2
Cisco IOS routers
AAA Policy page J-64
Accounting tab J-68
Authentication tab J-64
Authorization tab J-65
Command Accounting dialog box J-70
Command Authorization dialog box J-67
defining services 13-46
overview 13-44
supported accounting types 13-45
supported authorization types 13-44
understanding method lists 13-45
configuring on firewall devices 14-28
configuring settings 11-42
credentials for device access 5-5
defining policies 14-32
device administration 14-31
local fallback 14-30
network access 14-31
PIX/ASA/FWSM K-56
Accounting tab K-58
Authentication tab K-57
Authorization tab K-58
support 14-29
understanding 14-28
user authentication 10-2
VPN access 14-31
AAA authentication groups
predefined 8-19
using SDI
as the protocol 9-78
AAA firewall
advanced settings I-73
MAC exempt lists I-76
AAA rules
AAA Rules page I-1
Add AAA Rules dialog box I-4
adding 11-40
AuthProxy dialog box I-8
combining rules
interpreting results 11-11
procedure 11-9
configuring in Map view 3-17
configuring settings
for IOS 11-44
for IOS devices in Map view 3-18
for PIX/ASA/FWSM 11-43
for PIX/ASA/FWSM in Map view 3-17
deleting 11-4
disabling 11-8
Edit AAA Option dialog box I-7
Edit AAA Rules dialog box I-4
Edit AAA Server Group dialog box I-8
editing 11-5
enabling 11-8
moving 11-7
understanding 11-40
AAA Rules page I-1
AAA server group objects
attributes F-6
creating 8-22
default server groups on IOS devices 8-19
predefined authentication groups 8-19
understanding 8-15
AAA server objects
creating 8-20
HTTP-FORM settings F-17
Kerberos settings F-13
LDAP settings F-14
NT settings F-16
RADIUS settings F-10
SDI settings F-16
supported additional types for ASA/PIX/FWSM 8-17
supported types 8-16
TACACS+ settings F-12
understanding 8-15
AAA servers
external servers 10-2
supported types on ASA, PIX, FWSM devices 8-17
Abort the Job dialog box N-22
About Security Manager command 2-12
ABR
definition 14-73
access control list objects
creating 8-23
extended objects 8-23
standard objects 8-25
web objects 8-26
access control lists
in GET VPNs 9-86
policy discovery 6-14
access controls
configuring ACL names 11-23
configuring settings 11-23
configuring settings in Map view 3-17
Access Control Settings page I-67
Access Group tab
Access Group tab (IGMP) K-136
Access Interface Configuration dialog box (ASA) H-96
Access page (ASA) H-2
access permissions
maps 3-2
access policies
configuring 10-44
access ports
Create and Edit Interface dialog boxes-Access Port mode L-12
understanding 15-2
access rule
CS-MARS query 20-24
look up
from device managers 20-5
access rules
access control settings I-67, I-69
Access Rules page I-9
address requirements 11-19
Advanced dialog box I-13
combining rules
interpreting results 11-11
procedure 11-9
configuring 11-21
configuring access control settings 11-23
configuring in Map view 3-17
deleting 11-4
disabling 11-8
Edit Firewall Rule Expiration dialog box I-15
editing 11-5
enabling 11-8
expiration dates 11-22
generating analysis reports 11-24
hit counts
generating 11-26
viewing results I-101
how deployed 11-19
import examples 11-29
importing 11-28
moving 11-7
optimizing during deployment 11-31
rule attributes I-11
understanding 11-17
understanding device-specific behavior 11-19
viewing related CS-MARS events 20-25
working with 11-17
Access Rules page I-9
accounts and credentials
Cisco IOS routers
overview 13-48
PIX/ASA/FWSM
user accounts K-115
user accounts, add/edit K-115
accounts and credentials policies
Accounts and Credentials Policy page J-71
User Accounts dialog box J-73
ACLs
configuring names 11-23
Actions Shortcut menu M-7
Active/Active failover
command replication 14-47
configuration synchronization 14-47
Active/Standby failover 14-46
activities
accessing functions 7-7
Activity Manager window E-1
Activity Required dialog box E-7
Approve Activity dialog box E-6
Approved state 7-4
benefits of 7-2
closing 7-9
Create Activity dialog box E-4
creating 7-8
Discard Activity dialog box E-7
discarding 7-14
Edit state 7-4
locking 7-2
managing 7-1
multiple users 7-3
Openable Activities dialog box E-8
opening 7-9
Reject Activity dialog box E-6
Rejected state 7-4
rejecting 7-13
states 7-4
Submit Activity dialog box E-5
Submitted state 7-4
submitting for approval 7-12
understanding 7-1
user interface reference E-1
validating 7-11
viewing change reports 7-9
viewing status and history 7-14
working with 7-6
Activities menu 2-11
Activity Manager command 2-10
Activity Manager window E-1
Activity Required dialog box E-7
activity states E-3
Add/Edit AnyConnect Client Image dialog box (ASA) H-111
Add/Edit AnyConnect Client Profile dialog box (ASA) H-112
Add/Edit Collector dialog box
description 14-62, K-98, K-118
Add/Edit Connection Profile dialog box
SSL tab
Add/Edit Connection Alias dialog box H-35
Add/Edit Connection URL dialog box H-36
Add/Edit Content Rewrite dialog box (ASA) H-100
Add/Edit DAP Entry Dialog Box > Device H-53
Add/Edit File Encoding dialog box (ASA) H-103
Add/Edit IGMP Join Group dialog box
description 14-70
Add/Edit IGMP Static Group dialog box
description 14-70
Add/Edit Multicast Route dialog box
description K-140, K-141, K-142
Add/Edit PIM Bidirectional Neighbor Filter dialog box
description K-146
Add/Edit PIM Neighbor Filter dialog box
description K-145
Add/Edit Plug-in Entry dialog box (ASA) H-109
Add/Edit Proxy Bypass dialog box (ASA) H-107
Add AAA Rules dialog box I-4
Add AAA Server dialog box F-8
Add AAA Server Group dialog box F-6
Add Access List dialog box M-81
Add an Entry dialog box M-48
Add AOL Class Map dialog box F-61
Add A Port Forwarding Entry dialog box F-152
Add ASA Group Policies dialog box
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
overview F-25
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
Technology settings F-25
Add A Smart Tunnel Entry dialog box F-179
Add Auto Signon Rules dialog box F-39
Add Cat6k Block Vlan dialog box M-99
Add Certificate dialog box A-14
Add Certificate Filter dialog box G-51
Add Cisco Secure Desktop Configuration dialog box F-44
Add Client Access Rules dialog box F-33
Add Client Update dialog box F-195
Add Column dialog box F-173
Add Custom Pane dialog box F-173
Add Custom Signature dialog box M-5
Add DCE/RPC Map dialog box F-86
Add Destinations dialog box I-64
Add Device from Network wizard
Device Credentials page C-18
Add Devices to Group command 2-7
Add Devices to Group dialog box C-36
Add DNS Class Map dialog box F-61
Add DNS Map dialog box
Filtering tab F-89
overview F-87
Protocol Conformance tab F-88
Add eDonkey Class Map dialog box F-61
Add ESMTP Map dialog box F-92
Add Extended Access Control Entry dialog box F-20
Add Extended Access List dialog box F-19
Add External Filter dialog box F-80
Add FastTrack Class Map dialog box F-61
Add File Object dialog box F-47
Add Firewall Rule dialog box I-11
Add FlexConfig dialog box F-48
Add FTP Class Map dialog box F-61
Add FTP Map dialog box F-95
Add Gnutella Class Map dialog box F-61
Add Group dialog box C-37
Add GTP Map dialog box F-99
Add H.323 Class Map dialog box F-61
Add H.323 Map dialog box F-103, F-134
Add HSI Endpoint IP Address dialog box F-105
Add HSI Group dialog box F-104
Add HTTP Class Map dialog box F-61
Add HTTP Map dialog box F-134
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab F-109
Extension Request Method tab F-112
General tab F-108
overview F-107
Port Misuse tab F-113
RFC Request Method tab F-111
Transfer Encoding tab F-114
ASA 7.2+ and PIX 7.2+ devices F-115
Add ICQ Class Map dialog box F-61
Add IKE Proposal dialog box F-53
Add IMAP Class Map dialog box F-61
Add IMAP Map dialog box F-134
Add IM Class Map dialog box F-61
Add IM Map dialog box F-134
ASA and PIX device F-121
IOS device F-124
Add Inspect Parameter Map dialog box F-74
Add Interfaces dialog box I-65
Add IPsec Pass Through Map dialog box F-125
Add IPSec Transform Set dialog box F-57
Add Kazaa2 Class Map dialog box F-61
Add Language dialog box F-167
Add LDAP Attribute Map dialog box F-59
Add LDAP Attribute Map Value dialog box F-60
Add Link command 2-9
Add Link dialog box B-13
Add Local Rules command 2-8
Add Local Web Filter Class Map dialog box F-61
Add Local Web Filter Parameter Map dialog box F-77
Add Map Object and Node Properties dialog boxes B-14
Add Map Object command 2-9
Add Map Value dialog box F-61
Add Match Condition and Action dialog box
DNS policy maps F-90
ESMTP policy maps F-94
FTP policy maps F-97
GTP policy maps F-101
H.323 (IOS) policy maps F-135
H.323 policy maps F-106
HTTP (Zone Based IOS) policy maps F-135
HTTP policy maps F-117
IM (Zone Based IOS) policy maps F-135
IMAP policy maps F-135
IM policy maps F-122
P2P policy maps F-135
POP3 policy maps F-135
SIP (IOS) policy maps F-135
SIP policy maps F-129
Skinny policy maps F-133
SMTP policy maps F-135
Sun RPC policy maps F-135
Web Filter policy maps F-135
Add Match Criterion dialog box
AOL class maps F-64
DNS class maps F-90
eDonkey class maps F-64
FastTrack class maps F-64
FTP class maps F-97
Gnutella class maps F-64
H.323 (IOS) class maps F-65
H.323 class maps F-106
HTTP (IOS) class maps F-65
HTTP class maps F-117
ICQ class maps F-64
IMAP class maps F-67
IM class maps F-122
Kazaa2 class maps F-64
Local Web Filter class maps F-72
MSN Messenger class maps F-64
N2H2 class maps F-73
POP3 class maps F-67
SIP (IOS) class maps F-68
SIP class maps F-129
SMTP class maps F-69
Sun RPC class maps F-72
Websense class maps F-73
Windows Messenger class maps F-64
Yahoo Messenger class maps F-64
Add MSN Messenger Class Map dialog box F-61
Add N2H2 Parameter Map dialog box F-78
Add N2H2 Web Filter Class Map dialog box F-61
Add NetBIOS Map dialog box F-126
Add Network/Host dialog box F-141
Add New Device wizard
Device Credentials page C-18
Add or Edit Status Providers dialog box A-38
Add Other Devices dialog box N-15
Add P2P Map dialog box F-134
Add Permit Response dialog box F-100
Add PKI Enrollment dialog box
CA Information tab F-144
Certificate Subject Name tab F-150
Enrollment Parameters tab F-148
overview F-142
Trusted CA Hierarchy tab F-151
Add POP3 Class Map dialog box F-61
Add Port Forwarding List dialog box F-151
Add Port List dialog box F-153
Add Protocol Info Parameter Map dialog box F-76
Add Regular Expression dialog box F-138
Add Regular Expression Group dialog box F-138
Address Pools
PIX/ASA/FWSM K-4
add/edit K-5
address pools
defining 14-19
Address Resolution Protocol
Add Row command 2-7
Add Rule Section dialog box I-90
Add Server dialog box
Protocol Info Parameter maps F-77
Add Service dialog box F-154
Add Services dialog box I-65
Add Signature Parameter--List Entry Dialog Box M-48
Add Single Sign On Server dialog boxes F-156
Add SIP Class Map dialog box F-61
Add SIP Map dialog box F-127, F-134
Add Skinny Map dialog box F-131
Add SLA Monitor dialog box F-158
Add Smart Tunnel Lists dialog box F-177
Add SMTP Class Map dialog box F-61
Add SMTP Map dialog box F-134
Add SNMP Map dialog box F-133
Add Sources dialog box I-64
Add SSL VPN Customization dialog box F-163
Applications F-172
Copyright Panel F-170
Custom Panes F-172
Full Customization F-170
Home Page F-174
Informational Panel F-169
Language F-166
Logon Form F-168
Logout Page F-175
Title Panel F-165
Toolbar F-171
Add SSL VPN Gateway dialog box F-176
Add Standard Access Control Entry dialog box F-22
Add Standard Access List dialog box F-19
Add Sun RPC Class Map dialog box F-61
Add Sun RPC Map dialog box F-134
Add TCP Map dialog box F-139
Add TCP Option Range Dialog Box F-141
Add Text Object dialog box F-181
Add Time Range dialog box F-182
Add Traffic Flow dialog box F-184
Add Transparent Firewall Rule dialog box I-42
Add Trend Content Filter Class Map dialog box F-61
Add Trend Parameter Map dialog box F-81
Add URL Domain Name dialog box F-84
Add URLF Glob Parameter Map dialog box F-84
Add URL Filter Parameter Map dialog box F-82
Add User Group dialog box
Advanced PIX 6.3 settings F-196
Browser Proxy settings F-201
Client (IOS) settings F-192
Clientless settings F-197
Client VPN Software Update (IOS) settings F-195
DNS/WINS settings F-190
General settings F-189
IOS Xauth Options settings F-194
overview F-187
Split Tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN Connection settings F-202
SSL VPN Full Tunnel settings F-198
SSL VPN Split Tunneling settings F-200
Technology settings F-187
Thin Client settings F-198
Add User Profile dialog box M-93
Add Virtual Sensor dialog box M-103
Add Web Access Control Entry dialog box F-23
Add Web Filter Map dialog box F-136
Add WebSense Parameter Map dialog box F-78
Add Websense Web Filter Class Map dialog box F-61
Add Web Type Access List dialog box F-19
Add Windows Messenger Class Map dialog box F-61
Add WINS Server dialog box F-204
Add WINS Server List dialog box F-203
Add Yahoo Messenger Class Map dialog box F-61
Add Zones dialog box I-65
admin context
in Performance Monitor 20-10
overview 14-82
administration
selecting router policies to manage 6-10
administrative settings, configuring 19-2
administrative settings pages A-1
admin password, changing 19-13
ADSL
ADSL Policy page J-32
ADSL Settings dialog box J-33
defining settings 13-27
supported operating modes 13-26
Advanced dialog box
access rules I-13
Advanced Interface Settings
PIX/ASA K-37
Advanced NAT Options
PIX/ASA/FWSM
add/edit K-21
advanced SSL VPN settings
configuring 10-61
Advanced tab (ASA) H-113
Advanced tab (IOS) H-120
AES encryption algorithm
in IKE proposals 9-46
in VPN SPA 9-31
AIM-IPS interfaces
IPS Module Interface Settings page J-24
Alarm Indication Signal (AIS) cells 13-34
allocate interfaces
PIX/ASA
security contexts K-202
Allowed host
use of 16-4
Allowed Hosts page M-81
Analysis Engine global variables
configuring 16-8
Analysis Engine tab M-90
analysis reports
generating 11-24
anomaly detection
definition of 12-13
limiting false positives M-55
worm attacks M-55
Anomaly Detection page M-49
anti-spoofing 14-76
AOL class map objects
match criteria F-64
Apply IPS Update command 2-10
Apply IPS Update wizard A-23
Approve Activity command 2-11
Approve Activity dialog box E-6
Approved activity state 7-4
Approve Deployment Job dialog box N-19
Area Border Router
See ABR 14-73
ARP
Layer 2 signatures M-19
PIX/ASA/FWSM
configuration K-51
inspection K-52
inspection, enable/disable K-52
table K-50
protocol M-19
ARP spoof tools
dsniff M-19
ettercap M-19
ARP table
ASA
ASDM 20-2
Failover
Add Failover Group K-88
interface configuration K-89
settings K-85
failover K-83
policy discovery 6-12
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rollback restrictions for failover devices 17-34
rollback restrictions for multiple context mode 17-34
security contexts
allocate interfaces K-202
configuration K-200
viewing allocated interfaces K-203
setting up AUS or CNS 4-8
setting up SSL (HTTPS) 4-3
ASA 5505
ports and interfaces 14-5
ASA Cluster Load Balance page H-20
ASA devices
5505
interfaces, add/edit K-30
interfaces and ports K-45
port configuration K-48
AAA support 8-17
adding SSL thumbprints manually 5-22
defining
DNS server IP address 10-14
enabling
DNS lookups 10-14
FlexConfig object samples 18-18
interfaces K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
VPND Groups K-38
models supported
VPN cluster load balancing 10-16
monitoring service level agreements 8-77
outside IP addresses
associated with DNS entry 10-14
PIX/ASA/FWSM Platform policies K-1
remote access IPSec VPNs
access policies 10-44
remote access IPsec VPNs
creating using wizard 10-10, 10-12
other settings 10-45
shared license client 10-57
shared license server 10-58
remote access SSL VPNs
content rewrite rules 10-47
encoding rules 10-49
encoding settings 10-48
performance settings 10-46
proxy bypass rules 10-50
proxy bypass settings 10-49
remote access VPNs
access policies (ASA) H-94, H-96
advanced settings (ASA) H-113
AnyConnect client image settings (ASA) H-111
AnyConnect client profile settings (ASA) H-112
browser plug-ins (ASA) H-108, H-109
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
client settings (ASA) H-110
cluster load balancing 10-14, 10-15, H-20
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
connection profiles 10-16, H-22
content rewrite settings (ASA) H-99, H-100
customizing 8-79
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
encoding settings (ASA) H-101, H-103
fragmentation settings H-70
Global Settings page H-66
group policies 10-30, H-72, H-73
IKE proposals H-81
ISAKMP/IPsec settings H-67
NAT settings H-69
other settings (ASA) H-97
performance settings (ASA) H-98
post URL method and macro substitutions in bookmarks 8-86
proxy bypass settings (ASA) H-107
proxy settings (ASA) H-103
Public Key Infrastructure (PKI) H-74
secure desktop manager policies 10-24, 10-26
shared license H-114
smart tunnels 8-87
SSL certificate configuration A-12
supported OS versions
redirection using FQDNs 10-15
VPN cluster load balancing
3DES/AES license 10-16
overview 10-14
ASA group policies objects
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
technology settings F-25
ASA user group objects
creating 8-28
ASBR
definition 14-73
ASCII limitations for text 2-18
ASDM
access rule look-up 20-6
device manager 20-2
ASR
zone-based firewall
global parameters I-87
restrictions 11-63
assignment overview 1-7
Assignments tab D-17
Assign Shared Policy command 2-8
Assign Shared Policy dialog box D-2
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 13-25
Asynchronous Transfer Mode (ATM) 13-30
ATM 13-30
virtual channel connections (VCCs) 13-31
virtual channel identifier (VCI) 13-31
virtual path connections (VPCs) 13-31
virtual path identifier (VPI) 13-31
Atomic ARP engine
described M-19
parameters (table) M-19
Atomic IP engine
parameters (table) M-14
audit logs
configuring default settings A-32
purging entries 19-12
understanding 19-11
working with 19-11
Audit Message Detail dialog box E-9
Audit Report command 2-11
audit reports
generating and viewing 19-12
understanding 19-11
working with 19-11
Audit Report window E-9
AUS
deploying configurations 17-25
deployment method 17-11
setting up 4-7
setting up on PIX Firewall and ASA devices 4-8
Authentication-Authorization-Accounting
see AAA 14-28
Authentication Header (AH) encryption algorithm F-59
authentication methods
in IKE proposals 9-47
preshared keys 9-47
RSA signatures 9-47
authentication testing
SSH 4-5
AuthProxy
configuring settings in Map view 3-18
AuthProxy dialog box
AAA rules I-8
AuthProxy General tab (IOS) I-79, I-81
AuthProxy page I-79
autolink
omitting reserved networks from maps A-2
auto signon rules
ASA group policy objects F-39
Auto Update Server (AUS)
adding 5-14
licensing 19-4
PIX/ASA/FWSM K-96
add/edit server K-98
Auto Update Server Properties dialog box C-12
Auto Update Servers (AUS)
configuring AUS settings on firewall devices 14-52
Available Bit Rate (ABR) 13-32
Available Servers dialog box C-14
B
background, map
setting 3-8
background image, map
deleting 3-9
importing 3-8
scale and position 3-9
setting 3-8
backup.pl command 19-14
Backup command 2-11
backups, Security Manager database 19-14
Banner
PIX/ASA/FWSM K-60
banners
configuring on firewall devices 14-33
benefits of product 1-2
BGP routing
BGP Routing Policy page J-161
defining routes 13-118
Neighbors dialog box J-162
on Cisco IOS routers 13-118
redistributing routes 13-120
Redistribution Mapping dialog box J-164
Redistribution tab J-163
Setup tab J-161
Bidirectional Neighbor Filter
add/edit K-146
Bidirectional Neighbor Filter tab
PIM K-145
blocking
definition of 16-9
Blocking page M-90
Boot image/configuration
PIX/ASA/FWSM K-61
add K-62
boot image and configuration settings
configuring on firewall devices 14-34
bootstrap configuration
Failover K-91
bootstrapping devices
in Performance Monitor 20-8, 20-10
botnet traffic filter rules 11-47
adding static entries 11-50
configuring DNS snooping I-29
configuring in Map view 3-17
configuring the dynamic database 11-49
databases 11-47
Device Blacklist dialog box I-39
Device Whitelist dialog box I-39
Dynamic Blacklist Configuration tab I-35
enabling DNS snooping 11-51
field definitions I-34
illustrations 11-47
task flow 11-48
traffic classification 11-52
Traffic Classification dialog box I-37
Traffic Classification tab I-36
understanding 11-47
Whitelist/Blacklist tab I-38
Bridge Groups
FWSM
add/edit K-44
bridge groups
defining 13-51
FWSM 3.1 14-27
Bridging
PIX/ASA/FWSM K-50
ARP configuration K-51
ARP Inspection K-52
ARP Inspection, enable/disable K-52
ARP Table K-50
MAC Address, add/edit K-54
MAC Address Table K-53
MAC Learning K-54
MAC Learning, enable/disable K-55
Management IP address K-56
bridging
Cisco IOS routers
Bridge Group dialog box J-75
Bridging Policy page J-74
BVI interfaces 13-50
overview 13-50
PIX/ASA/FWSM
configuring on 14-26
broadcasts
enabling directed on routers J-22
browser plug-ins
defining 10-53
understanding 10-52
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 9-58
Cat6k Device dialog box M-99
Catalyst 6500/7600 devices
configuring FWSM on 9-33
configuring SSH 4-6
default transport protocol A-12
deployment 17-17
FlexConfig object samples 18-20
policy discovery for FWSM 6-12
rollback restrictions 17-35
Catalyst 6500/7600 switches
including in deployment jobs N-10, N-11
Catalyst 6K tab M-98
Catalyst devices
policy discovery 6-12
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings H-89
high availability H-79
IPsec proposals H-85
user group policies H-93
VPNSM/VPN SPA settings H-87
Catalyst platform policies
general reference L-1
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes L-32
Create and Edit IDSM EtherChannel VLANs dialog boxes L-31
IDSM Settings page L-30
IDSM Slot-Port Selector dialog box L-33
interfaces/VLANs policy
Access Port Selector dialog box L-6
Create and Edit Interface dialog boxes-Access Port mode L-12
Create and Edit Interface dialog boxes-Dynamic Port mode L-21
Create and Edit Interface dialog boxes-Other mode L-27
Create and Edit Interface dialog boxes-Routed Port mode L-15
Create and Edit Interface dialog boxes-subinterfaces L-25
Create and Edit Interface dialog boxes-Trunk Port mode L-17
Create and Edit VLAN dialog boxes L-4
Create and Edit VLAN Group dialog boxes L-8
Interfaces/VLANs page L-2
Interfaces tab L-10
Service Module Slot Selector dialog box L-9
Summary tab L-29
Trunk Port Selector dialog box L-7
VLAN Groups tab L-7
VLAN Selector dialog box L-10
VLANs tab L-3
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes L-37
Create and Edit VLAN ACL dialog boxes L-35
VLAN Access Lists page L-34
Catalyst Summary Info command 2-10
Catalyst switches
configuring SSH 4-6
default transport protocol A-12
showing modules, security contexts, and virtual sensors 5-24
Catalyst switches and 7600 Series routers
access ports 15-2
Catalyst Summary Info page L-1
defining IDSM Data Port VLANs 15-14
defining IDSM EtherChannel VLANs 15-13
defining ports 15-3
defining VACLs 15-10
defining VLAN groups 15-7
defining VLANs 15-5
deleting IDSM Data Port VLANs 15-16
deleting IDSM EtherChannel VLANs 15-14
deleting ports 15-4
deleting VACLs 15-11
deleting VLAN groups 15-8
deleting VLANs 15-6
discovering policies 15-2
generating interface names 15-4
IDSM settings 15-12
IDSM Settings page L-30
interfaces 15-2
Interfaces/VLANs page L-2
managing 15-1
routed ports 15-2
trunk ports 15-2
viewing configuration summary 15-16
VLAN Access Lists page L-34
VLAN ACLs (VACLs) 15-9
VLAN groups 15-7
VLANs 15-5
Catalyst VPN Services Module (VPNSM)
configuring 9-31
configuring in remote access VPNs 10-39
defining settings (site-to-site VPN) G-14
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring a VPN SPA 9-31
configuring in remote access VPNs 10-39
defining settings (site-to-site VPN) G-14
categories
using 8-6
Category Editor dialog box F-43
cautions
significance of i-liv
CDP
definition of 12-4
CEF Interface Settings dialog box J-27
CEF interface settings policies 13-22
certificates, SSL
adding thumbprints manually 5-22
configuring default settings for how handled A-12
certificate to connection profile map policies
configuring 10-34
understanding 10-33
certificate to connection profile map rules
configuring 10-35
understanding 10-35
Change Report dialog box E-8
change reports, viewing 7-9
Change Reports command 2-11
Cisco 7600 Series routers
managing 15-1
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces J-20
Cisco Express Forwarding (CEF)
CEF Interface Settings policy J-26
CEF router interface settings policies 13-22
importance for QoS 13-100
Cisco IOS routers
802.1x 13-82
AAA 13-44
accounts and credentials 13-48
ADSL 13-25
advanced interface settings 13-18
available interface types 13-13
basic interface settings 13-13
BGP routing 13-118
CNS call-home mode 4-10
CNS event-bus mode 4-9
configuring SSH 4-6
CPU settings 13-54
default AAA server groups 8-19
deploying configurations using TMS 17-26
dialer interfaces 13-22
discovering policies 13-3
Domain Name System (DNS) 13-68
Dynamic Host Configuration Protocol (DHCP) 13-76
EIGRP routing 13-121
host and domain names 13-70
HTTP 13-54
IOS 12.1 and 12.2 13-3
line access 13-57
managing 13-1
memory settings 13-70
NAT 13-4
Network Admission Control (NAC) 13-86
Network Time Protocol (NTP) 13-80
optional SSH settings 13-64
OSPF routing 13-125
permanent virtual connections (PVCs) 13-30
platform policies 13-1
Point-to-Point Protocol (PPP) 13-39
policy discovery 6-12
quality of service (QoS) 13-99
RIP routing 13-136
Secure Device Provisioning (SDP) 13-71
setting up SSL (HTTPS) 4-4
SHDSL 13-28
SNMP 13-66
static routing 13-140
syslog logging 13-92
time zone settings 13-52
transparent bridging 13-50
Cisco IOS Software
FlexConfig object samples 18-20
selecting policy types to manage 6-10
Cisco NSDB M-9
Cisco Secure Desktop configuration objects
creating 8-73
Cisco Security Management Suite server
logging into or exiting 1-8
Cisco Technical Assistance Center
creating diagnostic file 19-16
Cisco Trust Agent (CTA) 13-87
CiscoWorks Common Services
backing up and restoring Security Manager 19-14
logging into or exiting 1-8
Class-Based Policing 13-104
class maps
understanding 8-38
Clear Connection Configuration dialog box I-75
clear xlate
PIX/ASA/FWSM platform K-198
CLI commands
FlexConfig objects 18-2
client connection characteristics
Client Connection Characteristics page G-30
configuring policies for Easy VPN 9-79
clientless access mode 10-4
client settings
configuring 10-55
understanding 10-54
Clock
PIX/ASA/FWSM K-62
clock
Cisco IOS routers
overview 13-52
configuring on firewall devices 14-35
clock settings
Cisco IOS routers
Clock Policy page J-76
Clone Device command 2-6
cloning devices
in VPN topologies 9-17
Close Activity command 2-11
cluster load balancing
configuring 10-15
redirection using FQDNs
3DES/AES 10-16
ASA outside IP addresses 10-14
instead of IP addresses 10-15
OS versions supported 10-15
overview 10-14
reverse DNS lookup 10-14
understanding 10-14
CNS
call-home mode 4-10
deploying configurations 17-25
deployment method 17-11
event-bus mode 4-9
setting up on PIX Firewall and ASA devices 4-8
collectors (NetFlow) 14-62
Combine Rules Selection Summary dialog box I-103
commands
Activities menu 2-11
Edit menu 2-7
File menu 2-6
Help menu 2-12
Map menu 2-9
Policy menu 2-8
Tools menu 2-9
View menu 2-7
Common Services
licensing 19-4
configuration
initial Security Manager 1-10
understanding rollback 17-33
Configuration Archive
adding configurations from devices 17-31
rolling back to archived configuration files 17-40
settings A-2
version viewer N-28
viewing and comparing configuration versions 17-32
window N-26
Configuration Archive command 2-11
Configuration Archive page A-2
Configuration Engine
adding 5-14
CNS call-home mode 4-10
CNS event-bus mode 4-9
setting up 4-7
Configuration Engine Properties dialog box C-12
configuration files
deploying in non-Workflow mode 17-17
deploying in Workflow mode 17-19, 17-23
deploying to 17-12
deploying to an AUS or CNS 17-25
deploying to a TMS 17-26
deployment process overview 17-2
factory-default configurations 14-1
previewing 17-27
redeploying to devices 17-28
rolling back to archived configurations 17-40
selecting 2-19
web VPN policy discovery restrictions 5-8
configurations
adding to the Configuration Archive 17-31
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rolling back 17-33
rolling back Catalyst 6500/7600 17-35
rolling back failover devices 17-34
rolling back IPS and IOS IPS 17-35
rolling back multiple context mode 17-34
rolling back to devices 17-38
understanding out-of-band changes 17-13
viewing and comparing 17-32
configuration views 1-5
Configure DNS dialog box
inspection rules I-29
Configure ESMTP dialog box
inspection rules I-30
Configure Fragments dialog box
inspection rules I-31
Configure Hardware Ports
ASA 5505 K-48
Configure IMAP dialog box
inspection rules I-32
Configure POP3 dialog box
inspection rules I-33
Configure RPC dialog box
inspection rules I-33
Configure SMTP dialog box
inspection rules I-29
Configuring Protocol Platform dialog box I-34
Config Version Viewer (Preview Configuration) dialog box N-17
connection
PIX/ASA/FWSM
rules K-192
rules wizard K-193
tab K-194
Connection Profile page (ASA) H-3
connection profiles
configuring 10-16
understanding 10-16
Connection Profiles page
Add/Edit Connection Profile dialog box
AAA tab H-25
Add/Edit Interface Specific Authentication Server Groups dialog box H-27, H-30
General tab (ASA) H-23
IPSec tab H-32
Secondary AAA tab H-28
SSL tab H-32
Connection Profiles page (ASA) H-22
Connection Profiles Policy page
Add/Edit Connection Profile dialog box
IPSec tab H-31
connection timeout
device communication settings A-12
connectivity, testing device 5-16
console
Cisco IOS routers
AAA tab J-87
Accounting tab J-90
Authentication tab J-87
Authorization tab J-88
Console Policy page J-85
Setup tab J-85
console port
Cisco IOS routers
defining AAA settings 13-59
defining setup parameters 13-57
Console timeout
PIX/ASA/FWSM K-65
console timeout settings
configuring on firewall devices 14-37
Constant Bit Rate (CBR) 13-32
contact credentials
configuring on firewall devices 14-36
contained modules
showing 5-24
content rewrite rules
defining 10-47
understanding 10-47
Content Rewrite tab (ASA) H-99
Context Editor dialog box (IOS) H-116
contexts
continuity check (CC) cells 13-34
control plane (CP)
defining QoS on 13-110
policing on 13-107
Control Plane Policing 13-107
conventions i-liii
Copy Policies Between Devices command 2-8
Copy Policies wizard
Copy Policies from this Device page D-4
Copy Policies to these Devices page D-6
Select Policies to Copy page D-4
understanding D-3
CPU settings
defining utilization settings 13-54
overview 13-54
CPU Threshold
PIX/ASA/FWSM K-64
CPU utilization
CPU Policy page J-78
Create/Edit Group Policies Dialog Box H-73
Create a Clone of Device dialog box C-27
Create Activity dialog box E-4
Create a Policy dialog box D-18
Create Filter dialog box C-1
Create Overrides for Device dialog box F-208
Create Text Object dialog box F-51
Create VPN Topology wizard G-2
credential objects
attributes F-46
creating 8-30
Credentials
PIX/ASA/FWSM K-64
credentials
device manager validation 20-4
IPS module C-25
service module C-23
testing 5-16
understanding device 5-5
Credentials page
HTTPS port number
overriding with HTTP policy C-33
Credentials page (Devices) C-31
crypto connect alternate feature 9-31
crypto engine slot command 9-32
crypto engine slot slot/subslot {inside | outside} command
VRF-Aware IPsec 9-32
crypto maps
dynamic 9-49
in IPsec proposals 9-49
static 9-49
CSDM Policy Editor dialog box H-64
CS-MARS
access to Security Manager 20-21
configuring servers A-3
discovering or changing server used by device 5-23
event
queries 20-21
events
historical 20-22
real-time 20-22
integration with Security Manager 20-16, 20-20
NetFlow 20-17
query
considerations 20-19
registering in Security Manager 20-23
CS-MARS page A-3
CSMDiagnostics.zip
setting debug options A-6
CSM tab, Licensing page A-29
Customize Desktop Settings page A-5
Custom Protocol dialog box
inspection rules I-30
D
database
backing up and restoring 19-14
Days of Week dialog box M-52
DCE/RPC policy map objects
creating 8-42
properties F-86
DCS properties file, SSH settings 5-23
DDNS
configuring on firewall devices 14-57
PIX/ASA/FWSM K-109
add interface rules K-110
update methods K-111
update methods, add/edit K-111
DDoS
protocols M-47
Stacheldraht M-47
TFN M-47
dead-peer detection (DPD) 9-52
debugging
configuring debug levels A-6
Debug Options page A-6
defaults, configuring 19-2
Defaults page (ASA) H-15
Defaults page (IOS) H-18
default virtual sensor
vs0 16-11
Delete Device command 2-6
Delete Map command 2-9
Delete Map dialog box B-10
Delete Row command 2-7
Denial of Service (DoS)
preventing in SMTP using zone based firewall F-69
denial of service (DoS)
preventing using unicast reverse path forwarding (RPF) J-22
Denial of Service (DoS) attacks
configuring inspection settings to mitigate 11-39
Deploy command 2-6
Deploy Job dialog box N-19
deployment
Abort the Job dialog box N-22
Add Other Devices dialog box N-15
Auto Update Server 17-25
Catalyst 6500/7600 devices 17-17
Cisco Networking Services configuration engine 17-25
clearing XLATE on 14-81
configuration files, to 17-12
configurations 17-17
configuring status providers 20-11
creating or editing schedules 17-30
Deploy Job dialog box N-19
Deployment—Create or Edit a Job dialog box N-11
device communication settings 5-21
devices, directly to 17-10
devices, through intermediate server 17-11
dialog box references N-9
Edit Deploy Method dialog box N-13
Edit Selected Deployment Method dialog box N-13
errors
OS version mismatches 17-14
handling OS version mismatches 17-14
IPsec on VPNs
using RADIUS 9-78
managing 17-1
methods 17-10
non-Workflow mode 17-4
Deploy Saved Changes dialog box N-9
optimizing access rules 11-31
out-of-band changes 17-13
process overview 17-2
Redeploy a Job dialog box N-22
Rollback a Job dialog box N-23
rolling back configurations 17-33
rolling back configurations, Catalyst 6500/7600 17-35
rolling back configurations, command conflicts 17-37
rolling back configurations, commands to recover from failover misconfiguration 17-38
rolling back configurations, failover devices 17-34
rolling back configurations, IPS and IOS IPS devices 17-35
rolling back configurations, multiple context mode 17-34
setting debug options A-6
Submit Deployment Job dialog box N-18
suspending or resuming schedules 17-31
system settings A-7
task flow
non-Workflow mode 17-5
Workflow mode 17-6
TMS server 17-26
troubleshooting SSL certificate errors 5-22
understanding 17-1
understanding configuration rollback 17-33
using a Cisco Networking Services (CNS) server 17-25
viewing device details 17-16
viewing job summary 17-16
viewing status and history for jobs and schedules 17-16
Warning - Partial VPN Deployment dialog box N-16
Workflow mode 17-6, 17-19, 17-23
Deployment—Create or Edit a Job dialog box N-11
Deployment Manager window N-3
working with 17-15
deployment jobs
aborting 17-29
approval 17-9
approving 17-22
creating and editing 17-20
Deployment Manager 17-2
discarding 17-24
including devices in 17-9
multiple users 17-9
redeploying 17-28
rejecting 17-22
states
non-Workflow mode 17-5
Workflow mode 17-7
submitting 17-22
viewing history 17-16
Deployment Manager
overview 17-2
Deployment Manager command 2-10
Deployment Manager window
Deployment Schedules tab N-6
Deployment Manager window in non-Workflow mode N-1
Deployment Manager window in Workflow mode N-3
Deployment page
PIX/ASA/FWSM Platform
clear xlate K-198
Deployment Schedules tab N-6
Deployment Settings page A-7
Deployment Status Details dialog box N-20
Deployment Workflow Commentary dialog boxes N-19
Deploy Saved Changes dialog box N-9
DES encryption algorithm
in IKE proposals 9-45
Destination Contents dialog box I-66
Dest Port Map dialog box M-54
device
AAA administration 14-31
export inventory 5-26
viewing inventory status 5-25
Device Access
FWSM
Resources K-92
Resources, add/edit K-93
PIX/ASA/FWSM K-65
console timeout K-65
host name K-91
HTTP configuration K-67
HTTP page K-66
ICMP rules K-67
ICMP rules, add/edit K-68
Management Access interface K-69
Secure Shell (SSH) K-69
Secure Shell, add/edit host K-70
Server Access K-96
SNMP host access K-73
SNMP page K-71
SNMP Trap configuration K-72
Telnet configuration K-75
Telnet page K-74
user accounts K-115
user accounts, add/edit K-115
device access
configuring on firewall devices 14-37
device access policies
defining 13-48
device administration policies
configuring on firewall devices 14-28
device authentication
adding SSL thumbprints manually 5-22
SSL certificate default configuration A-12
Device Blacklist dialog box I-39
Device Communication page A-11
device communication settings
connection timeout A-12
managing 5-21
retry count A-12
socket read timeout A-12
Device Connectivity Test dialog box C-22
device credentials
understanding 5-5
Device Credentials page C-18
Device Delete Validation page C-26
Device Grouping page C-26
adding or removing devices 5-32
creating group types 5-31
deleting groups or types 5-32
understanding 5-30
Device Information page - Add Device from File C-15
Device Information page - Configuration File C-8
Device Information page - Network C-4
Device Information page - New Device C-10
device inventory
exporting
DCR, CS-MARS, Security Manager formats 5-26
overview 5-26
using command line utility 5-28
managing 5-1
testing device connectivity 5-16
understanding 5-1
understanding contents 5-3
user interface reference C-1
working with 5-7
device manager
access rule look up 20-5
ASDM 20-2
access rule look-up 20-6
command 20-5
credentials 20-4
IDM 20-2
PDM 20-2
preparing devices 20-3
prerequisites 20-3
SDM 20-2
access rule look-up 20-7
starting 20-4
starting from Security Manager 20-1
xdm-launcher.exe 20-5
Device Manager command 2-10
Device OS Management command 2-11
Device Properties
Credentials page C-31
Device Groups page C-33
General page C-28
Policy Object Override pages
general reference C-34
device properties
changes with policy effects 5-19
changing critical 5-18
image version changes with no policy effects 5-18
understanding 5-6
viewing or changing 5-17
Device Properties command 2-10
Device Properties page
creating object overrides 8-11
deleting overrides 8-12
overview C-28
devices
adding 5-7
adding configurations to the Configuration Archive 17-31
adding from configuration files 5-10
adding from inventory file 5-12
adding from network 5-8
adding local rules to shared policies 6-30
adding manually 5-11
adding to Performance Monitor 20-10
assigning shared policies 6-29
changing critical properties 5-18
cloning or duplicating 5-24
communication requirements 4-1
communication settings and certificates 5-21
configuring local policies 6-20
copying policies between 6-22
copying shared policies 6-32
creating policy object overrides 8-11
deleting from inventory 5-25
deleting policy object overrides 8-12
deployment through intermediate server 17-11
deployment to 17-10
discovering or changing CS-MARS server 5-23
discovering policies 6-11
discovering policies on existing devices 6-14
dynamic IP addresses 5-14
image version changes with no policy effects 5-18
including in deployment jobs N-10, N-11
including in deployment jobs or schedules 17-9
inheriting policy rules 6-32
managing operating system 5-29
maps
adding existing managed 3-10
adding new managed 3-10
displaying devices from Device View 3-11
displaying managed 3-10
showing containment for Catalyst switches, ASA, PIX, IPS devices 3-11
modifying policy assignment 6-34
modifying shared policies 6-34
naming conventions 5-3
policy status icons 6-19
preparing for management 4-1
property changes with policy effects 5-19
redeploying configuration files to 17-28
redeploying configurations to replaced hardware 17-28
renaming policies 6-33
replacing policies 6-29
rolling back configurations 17-38
sharing multiple policies 6-28
showing contained modules 5-24
system variables 18-7
testing connectivity 5-16
unassigning policies 6-23
understanding out-of-band changes 17-13
unsharing policies 6-29
what counts as a device 5-3
device selector
filtering 2-14
Device Server Assignment dialog box C-38
Device view
adding local rules to shared policies 6-30
assigning shared policies 6-29
configuring local policies 6-20
copying policies between devices 6-22
copying shared policies 6-32
editing site-to-site VPN policies in 9-43
inheriting policies 6-32
managing policies 6-19
managing VPN devices in 9-42
modifying policy assignments 6-34
modifying shared policies 6-34
policy banner 6-25
policy status icons 6-19
remote access VPNs
managing 10-7
renaming policies 6-33
sharing local policies 6-27
sharing multiple policies 6-28
Site-to-Site VPN Topologies page G-76
unassigning policies 6-23
understanding basic policy management 6-20
understanding shared policies 6-25
unsharing policies 6-29
device view
understanding 5-1
Device View command 2-8
Device Whitelist dialog box I-39
DHCP
Cisco IOS routers
defining address pools 13-79
defining policies 13-78
DHCP Database dialog box J-121
DHCP Policy page J-119
IP Pool dialog box J-122
overview 13-76
understanding database agents 13-76
understanding option 82 13-77
understanding relay agents 13-77
understanding secured ARP 13-78
PIX/ASA/FWSM
add/edit servers K-104
advanced configuration K-104
configuring DHCP relay 14-53
configuring DHCP servers 14-54
server options K-105
servers page K-102
DHCP relay
PIX/ASA/FWSM K-99
add/edit agent K-100
add/edit server K-101
diagnostics
setting debug options A-6
diagnostics file, creating 19-16
dial backup
configuring 9-29
configuring in Easy VPN 9-72
Dial Backup Settings dialog box G-22
understanding 9-29
dialer interfaces
defining BRI properties 13-24
defining profiles 13-23
Dialer Physical Interface dialog box J-30
Dialer Policy page J-28
Dialer Profile dialog box J-29
on Cisco IOS routers 13-22
Diffie-Hellman groups
in IKE proposals 9-46
Digital Subscriber Line (DSL) 13-25
digital subscriber line-access multiplexer (DSLAM) 13-25
directed broadcasts
enabling J-22
Discard Activity command 2-12
Discard Activity dialog box E-7
Discard command 2-6
Discard Deployment Job dialog box N-19
discovering
remote access VPNs 10-6
site-to-site VPNs 9-12
discovering site-to-site VPNs
wizard G-77
Discover Policies on Device command 2-8
Discover Policies On Device dialog box D-10
Discover VPN Policies command 2-8
Discover VPN Policies wizard G-77
Name and Technology page G-78
Discover VPN Policies wizard > Device Selection page G-79
discovery
default behavior settings A-16
overview 1-7
setting debug options A-6
Discovery Settings page A-16
Discovery Status dialog box D-12
discovery task
frequently asked questions 6-17
starting 6-14
viewing status 6-16
Display Actual Size command 2-9
Distributed Denial of Service
Distributed Traffic Shaping (DTS) 13-104
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 9-67
configuring policies 9-68
large scale DMVPNs
configuring 9-70
understanding 9-70
understanding 9-67
using with GRE 9-67
DMVPN policies G-46
DNS
configuring for inspection rules I-29
configuring on firewall devices 14-56
definition of 16-7
PIX/ASA/FWSM
add server K-108
add server group K-107
look-up K-108
servers page K-106
DNS class map objects
creating 8-41
match criteria F-90
DNS policy map objects
creating 8-43
match conditions and actions F-90
properties F-87
DNS requirement for IPS 16-7
DNS server identification for IPS M-88
DNS snooping 11-51
Dock Map View command 2-9
documentation
conventions i-liii
Domain Name System (DNS)
Cisco IOS routers
defining policies 13-69
DNS Policy page J-113
IP Host dialog box J-114
overview 13-68
do not ask warnings, resetting A-5
DSLAM 13-25
duplex
interface K-49
dynamic access policies
configuring 10-18
understanding 10-17
dynamic access policies (DAP) H-53
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box H-45
Add/Edit DAP Entry dialog box > AAA Attributes Cisco H-47
Add/Edit DAP Entry dialog box > AAA Attributes LDAP H-48
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS H-49
Add/Edit DAP Entry dialog box > Anti-Spyware H-50
Add/Edit DAP Entry dialog box > Anti-Virus H-51
Add/Edit DAP Entry dialog box > Application H-52
Add/Edit DAP Entry dialog box > File H-54
Add/Edit DAP Entry dialog box > NAC H-55
Add/Edit DAP Entry dialog box > Operating System H-55
Add/Edit DAP Entry dialog box > Personal Firewall H-56
Add/Edit DAP Entry dialog box > Policy H-57
Add/Edit DAP Entry dialog box > Process H-58
Add/Edit DAP Entry dialog box > Registry H-59
Advanced Expressions tab H-63
Logical Operators tab H-60
Main tab H-39
Dynamic Access Policy page (ASA) H-36
Cisco Secure Desktop Manager Policy Editor dialog box H-64
Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box H-38
Dynamic Blacklist Configuration tab I-35
dynamic crypto maps 9-49
dynamic filter snooping (DNS)
enabling I-29
dynamic IP devices
and GRE
understanding 9-64
Dynamic Multipoint VPN (DMVPN) 9-5
dynamic NAT
creating rules on Cisco IOS routers 13-10
Dynamic Translation Rule
PIX/ASA/FWSM K-9
add/edit K-11
dynamic VTI
configuring in Easy VPN 9-72
in remote access VPNs 10-37
Dynamic VTI/VRF Aware IPsec settings tab H-89
Dynamic VTI tab (site-to-site VPN) G-41
E
Easy VPN 9-5
Advanced tab G-37
client connection characteristics 9-79
Client VPN Software Update tab G-38
configuring dial backup in 9-72
configuring dynamic VTI in 9-72
configuring high availability in 9-72
Dynamic VTI tab G-41
General tab G-33
IPsec Proposal page G-38
IPsec Proposal tab G-39
IPsec tab G-35
tunnel group policies 9-78
Tunnel Group Policy page G-33
understanding 9-71
user group policies 9-77
User Group Policy page G-64
with dial backup 9-71
with Dynamic Virtual Tunnel Interfaces (DVTI) 9-71
with high availability 9-71
Edit AAA Option dialog box I-7
Edit AAA Rules dialog box I-4
Edit AAA Server dialog box F-8
Edit AAA Server Group dialog box F-6, I-8
Edit Actions dialog box M-8
Edit AOL Class Map dialog box F-61
Edit A Port Forwarding Entry dialog box F-152
Edit ASA Group Policies dialog box
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
overview F-25
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
technology settings F-25
Edit A Smart Tunnel Entry dialog box F-179
Edit Auto Signon Rules dialog box F-39
Edit Auto Update Settings dialog box A-23
Edit Category dialog box I-66
Edit Cisco Secure Desktop Configuration dialog box F-44
Edit Client Access Rules dialog box F-33
Edit Client Update dialog box F-195
Edit Column dialog box F-173
Edit Custom Pane dialog box F-173
Edit DCE/RPC Map dialog box F-86
Edit Deploy Method dialog box N-13
Edit Description dialog box I-66
Edit Destinations dialog box I-64
Edit Device Groups command 2-6
Edit Device Groups dialog box C-36
Edit DNS Class Map dialog box F-61
Edit DNS Map dialog box
Filtering tab F-89
overview F-87
Protocol Conformance tab F-88
Edit eDonkey Class Map dialog box F-61
Edit Endpoints dialog box G-10
Protected Networks tab G-17
VPN Interface tab G-10
Edit ESMTP Map dialog box F-92
Edit Extended Access Control Entry dialog box F-20
Edit Extended Access List dialog box F-19
Edit External Filter dialog box F-80
Edit FastTrack Class Map dialog box F-61
Edit Fidelity dialog box M-9
Edit File Object dialog box F-47
Edit Firewall Rule dialog box I-11
Edit Firewall Rule Expiration dialog box I-15
Edit FlexConfig dialog box F-48
Edit FTP Class Map dialog box F-61
Edit FTP Map dialog box F-95
Edit Gnutella Class Map dialog box F-61
Edit GTP Map dialog box F-99
Edit H.323 Class Map dialog box F-61
Edit H.323 Map dialog box F-103, F-134
Edit HSI Endpoint IP Address dialog box F-105
Edit HSI Group dialog box F-104
Edit HTTP Class Map dialog box F-61
Edit HTTP Map dialog box F-134
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab F-109
Extension Request Method tab F-112
General tab F-108
overview F-107
Port Misuse tab F-113
RFC Request Method tab F-111
Transfer Encoding tab F-114
ASA 7.2+ and PIX 7.2+ devices F-115
Edit ICQ Class Map dialog box F-61
Edit IKE Proposal dialog box F-53
Edit IMAP Class Map dialog box F-61
Edit IMAP Map dialog box F-134
Edit IM Class Map dialog box F-61
Edit IM Map dialog box F-134
ASA and PIX device F-121
IOS device F-124
Edit Inspected Protocol dialog box I-21
Edit Inspect Parameter Map dialog box F-74
Edit Interfaces dialog box I-65
Edit IPsec Pass Through Map dialog box F-125
Edit IPSec Transform Set dialog box F-57
Edit Kazaa2 Class Map dialog box F-61
Edit Language dialog box F-167
Edit LDAP Attribute Map dialog box F-59
Edit LDAP Attribute Map Value dialog box F-60
Edit Local Web Filter Class Map dialog box F-61
Edit Local Web Filter Parameter Map dialog box F-77
Edit Map Value dialog box F-61
Edit Match Condition and Action dialog box
DNS policy maps F-90
ESMTP policy maps F-94
FTP policy maps F-97
GTP policy maps F-101
H.323 (IOS) policy maps F-135
H.323 policy maps F-106
HTTP (Zone Based IOS) policy maps F-135
HTTP policy maps F-117
IM (Zone Based IOS) policy maps F-135
IMAP policy maps F-135
IM policy maps F-122
P2P policy maps F-135
POP3 policy maps F-135
SIP (IOS) policy maps F-135
SIP policy maps F-129
Skinny policy maps F-133
SMTP policy maps F-135
Sun RPC policy maps F-135
Web Filter policy maps F-135
Edit Match Criterion dialog box
AOL class maps F-64
DNS class maps F-90
eDonkey class maps F-64
FastTrack class maps F-64
FTP class maps F-97
Gnutella class maps F-64
H.323 (IOS) class maps F-65
H.323 class maps F-106
HTTP (IOS) class maps F-65
HTTP class maps F-117
ICQ class maps F-64
IMAP class maps F-67
IM class maps F-122
Kazaa2 class maps F-64
Local Web Filter class maps F-72
MSN Messenger class maps F-64
N2H2 class maps F-73
POP3 class maps F-67
SIP (IOS) class maps F-68
SIP class maps F-129
SMTP class maps F-69
Sun RPC class maps F-72
Websense class maps F-73
Windows Messenger class maps F-64
Yahoo Messenger class maps F-64
Edit menu 2-7
Edit MSN Messenger Class Map dialog box F-61
Edit N2H2 Parameter Map dialog box F-78
Edit N2H2 Web Filter Class Map dialog box F-61
Edit NetBIOS Map dialog box F-126
Edit Network/Host dialog box F-141
Edit Options dialog box I-13
Edit P2P Map dialog box F-134
Edit Permit Response dialog box F-100
Edit PKI Enrollment dialog box
CA Information tab F-144
Certificate Subject Name tab F-150
Enrollment Parameters tab F-148
overview F-142
Trusted CA Hierarchy tab F-151
Edit Policy Assignments command 2-8
Edit POP3 Class Map dialog box F-61
Edit Port Forwarding List dialog box F-151
Edit Port List dialog box F-153
Edit Protocol Info Parameter Map dialog box F-76
Edit Regular Expression dialog box F-138
Edit Regular Expression Group dialog box F-138
Edit Row command 2-7
Edit Rule Section dialog box I-90
Edit Selected Deployment Method dialog box N-13
Edit Server dialog box
Protocol Info Parameter maps F-77
Edit Service dialog box F-154
Edit Services dialog box I-65
Edit Signature dialog box M-3
Edit Signature Parameter—Component List dialog box M-47
Edit Signature Parameter—List Entry Dialog Box M-48
Edit Signature Parameters dialog box M-10
Edit Signatures page, Apply IPS Update wizard A-27
Edit Single Sign On Server dialog boxes F-156
Edit SIP Class Map dialog box F-61
Edit SIP Map dialog box F-127, F-134
Edit Skinny Map dialog boxes F-131
Edit SLA Monitor dialog box F-158
Edit Smart Tunnel Lists dialog box F-177
Edit SMTP Class Map dialog box F-61
Edit SMTP Map dialog box F-134
Edit SNMP Map dialog box F-133
Edit Sources dialog box I-64
Edit SSL VPN Customization dialog box F-163
Applications F-172
Copyright Panel F-170
Custom Panes F-172
Full Customization F-170
Home Page F-174
Informational Panel F-169
Language F-166
Logon Form F-168
Logout Page F-175
Title Panel F-165
Toolbar F-171
Edit SSL VPN Gateway dialog box F-176
Edit Standard Access Control Entry dialog box F-22
Edit Standard Access List dialog box F-19
Edit state 7-4
Edit Sun RPC Class Map dialog box F-61
Edit Sun RPC Map dialog box F-134
Edit TCP Map dialog box F-139
Edit TCP Option Range Dialog Box F-141
Edit Text Object dialog box F-181
Edit Time Range dialog box F-182
Edit Traffic Flow dialog box F-184
Edit Transparent EtherType dialog box I-44
Edit Transparent Firewall Rule dialog box I-42
Edit Transparent Mask dialog box
transparent rules I-45
Edit Trend Content Filter Class Map dialog box F-61
Edit Trend Parameter Map dialog box F-81
Edit Update Server Settings dialog box A-21
Edit URL Domain Name dialog box F-84
Edit URLF Glob Parameter Map dialog box F-84
Edit URL Filter Parameter Map dialog box F-82
Edit User Group dialog box
Advanced PIX 6.3 settings F-196
Browser Proxy settings F-201
Client (IOS) settings F-192
Clientless settings F-197
Client VPN Software Update (IOS) settings F-195
DNS/WINS settings F-190
General settings F-189
IOS Xauth Options settings F-194
overview F-187
Split Tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN Connection settings F-202
SSL VPN Full Tunnel settings F-198
SSL VPN Split Tunneling settings F-200
Technology settings F-187
Thin Client settings F-198
Edit Virtual Sensor dialog box M-103
Edit Web Access Control Entry dialog box F-23
Edit Web Filter Map dialog box F-136
Edit Web Filter Options dialog box I-50
Edit Web Filter Type dialog box I-49
Edit Websense Parameter Map dialog box F-78
Edit Websense Web Filter Class Map dialog box F-61
Edit Web Type Access List dialog box F-19
Edit Windows Messenger Class Map dialog box F-61
Edit WINS Server dialog box F-204
Edit WINS Server List dialog box F-203
Edit Yahoo Messenger Class Map dialog box F-61
Edit Zones dialog box I-65
eDonkey class map objects
match criteria F-64
EIGRP routing
defining interface properties 13-122
defining routes 13-121
EIGRP Routing Policy page J-165
Interface dialog box J-168
Interfaces tab J-167
on Cisco IOS routers 13-121
redistributing routes 13-124
Redistribution Mapping dialog box J-170
Redistribution tab J-169
Setup dialog box J-166
Setup tab J-166
blocking spam using zone-based firewall rules F-69
preventing DoS attacks F-69
e-mail notifications
configuring SMTP server 1-12
PIX/ASA/FWSM
recipient set-up K-119
syslog messages K-118
Enable PIM and IGMP
PIX/ASA/FWSM K-134
Encapsulating Security Protocol (ESP) encryption algorithm F-59
encoding rules
defining 10-49
encoding settings
understanding 10-48
Encoding tab (ASA) H-101
encryption algorithms
3DES (Triple DES) 9-45
AES (Advanced Encryption Standard) 9-46
DES (Data Encryption Standard) 9-45
in IKE proposals 9-45
endpoints and protected networks
defining in VPN topologies 9-20, 9-23
understanding 9-19
VPN Interface tab G-10
ESMTP policy map objects
creating 8-44
match conditions and actions F-94
properties F-92
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes L-31
defining IDSM VLANs 15-13
deleting IDSM VLANs 15-14
Ethereal 20-14
evaluation license
upgrading to permanent license 19-3
event
historical 20-22
lists K-119
add/edit K-121
queries 20-21
access rule 20-24
IPS signatures 20-28
real-time 20-22
syslog class
add/edit K-122
syslog message ID
add/edit K-122
Event Action Filters page M-61
Event Action Filters tab
described M-70
Event Action Override dialog box M-65
Event Action Overrides page M-64
Event Action policies M-60
event reporting
Inventory Status 20-12
severity levels 20-12
exclusive domains
configuring for IOS devices 11-56
Exit command 2-7
exiting
Cisco Security Management Suite server 1-8
CiscoWorks Common Services 1-8
expiration dates
configuring for access rules 11-22
export
device inventory 5-26
Export Inventory command 2-10
Export Inventory dialog box C-35
Export Map command 2-9
External Product Interface dialog box M-86
External Product Interface page M-85
F
factory-default configurations 14-1
Failover
FWSM K-78
advanced settings K-81
interface configuration K-82
PIX/ASA K-83
Add Failover Group K-88
interface configuration K-89
settings K-85
PIX/ASA/FWSM K-75
bootstrap configuration K-91
interface MAC address K-90
PIX 6.3 K-76
interface configuration K-77
failover
link 14-45
PIX/ASA/FWSM
active/standby 14-46
configuring 14-45
configuring on 14-49
stateless 14-46
types of 14-46
understanding 14-45
false positives
definition of 12-11
FastTrack class map objects
match criteria F-64
feature sets 1-3
File menu 2-6
file objects
attributes F-47
creating 8-31
files
deploying to 17-12
selecting or specifying 2-19
Filter Item dialog box M-62
filters
defined using signature categories 12-18
filtering selectors 2-14
filtering tables 2-16
Find and Replace dialog box I-91
find and replace in rules policies 11-6
Find Map Node command 2-9
Find Node dialog box B-10
firewall
access rule
CS-MARS query 20-24
Firewall AAA IOS Timeout Value Setting dialog box I-82
Firewall AAA MAC Exempt Setting dialog box I-78
Firewall ACL Setting dialog box I-69
Firewall Device dialog box M-97
firewall devices
policy discovery 6-12
firewalls
system variables 18-9
firewall service module (FWSM)
including in deployment jobs N-10, N-12
firewall services
AAA rules
adding 11-40
understanding 11-40
access rules
address requirements 11-19
configuring 11-21
configuring expiration dates 11-22
how deployed 11-19
import examples 11-29
importing 11-28
optimizing during deployment 11-31
understanding 11-17
understanding device-specific behavior 11-19
working with 11-17
adding rules 11-4
analysis reports 11-24
combining rules
interpreting results 11-11
procedure 11-9
common edit and show dialog boxes I-64
configuring policies in Map view 3-16
configuring settings policies in Map view 3-17
deleting rules 11-4
disabling rules 11-8
editing rules 11-5
enabling rules 11-8
finding and replacing items in rules policies 11-6
firewall settings
configuring settings 11-23, 11-42, 11-57
for IOS 11-44
for PIX/ASA/FWSM 11-43
per user downloadable ACLs I-70
hit count reports 11-26
inspection rules
custom destination ports 11-36
default inspection traffic 11-36
destination address and port (IOS) inspection rules 11-37
source and destination address and port 11-38
supported features 11-33
inspection settings
configuring for IOS devices 11-39
managing 11-1
managing rules tables 11-2
moving rules 11-7
object groups
expanding during discovery 11-16
optimizing network object groups during deployment 11-15
policy query
generating reports 11-12
report results 11-14
rule table sections 11-8
understanding rule order 11-7
user interface reference I-1
using rules tables 11-3
web filter rules
configuring for IOS devices 11-56
zone-based firewall
advanced options I-60
configuring PAM I-62
configuring settings 11-70
designing network zones 11-66
protocol selection I-61
rules table I-54
tabs 11-70
zone-based firewalls
about 11-61
IPSec VPN 11-65
overview 11-60
restrictions 11-63
Self zone 11-63
understanding 11-62
VRF 11-65
Firewall Services Module
security contexts
configuration K-199
Firewall Services Module (FWSM) 9-33
Bridge Groups
add/edit K-44
Failover K-78
advanced settings K-81
interface configuration K-82
FWSM tab (site-to-site VPN) G-18
interfaces K-40
add/edit K-42
PIX/ASA/FWSM Platform policies K-1
understanding configuration 9-33
Firewall Services Module (FWSM)
Device Access
Resources K-92
Resources, add/edit K-93
firewall settings
AAA firewall I-73
advanced setting I-73
MAC exempt lists I-76
Access Control page I-67
access controls
per user downloadable ACLs I-70
AuthProxy General tab (IOS) I-79
AuthProxy page I-79
AuthProxy Timeout tab (IOS) I-81
botnet traffic filter rules I-34
Firewall AAA IOS Timeout Value Setting dialog box I-82
Firewall ACL Setting dialog box I-69
Inspection page I-70
MAC exempt lists, AAA firewall I-76
reference information I-67
Web Filter page I-83
zone-based firewall
add/edit zones I-90
Content Filter tab I-89
Global Parameters tab I-87
page I-87
VPN tab I-87
WAAS tab I-87
Zones tab I-87
zone-based firewalls
logging 11-61
Firewall tab M-97
Fit to Window command 2-9
FlexConfig objects
adding to policies 18-28
ASA samples 18-18
Catalyst 6500/7600 samples 18-20
changing order in policies 18-28
changing variable values 18-28
Cisco IOS Software samples 18-20
CLI commands 18-2
configuring 18-23
configuring AAA for administrative introducers 13-75
creating 18-26
deleting variables 18-26
PIX firewall samples 18-21
previewing CLI 18-28
removing from policies 18-28
router samples 18-22
samples 18-17
scripting language
example of looping 18-3
example of looping with if/else statements 18-4
example of two-dimensional looping 18-3
understanding 18-3
system variables
device 18-7
firewalls 18-9
remote access VPN 18-17
router 18-12
understanding 18-7
VPN 18-13
understanding 18-1
variables 18-5
variables, example 18-6
FlexConfig policies
adding objects 18-28
changing object order 18-28
changing variable values 18-28
configuring 18-23
configuring AAA for administrative introducers 13-75
editing 18-28
previewing CLI 18-28
removing objects 18-28
understanding 18-1
FlexConfig Policy page 18-29
FlexConfig Preview dialog box 18-31
FlexConfigs
creating (scenario) 18-23
managing 18-1
FlexConfig Undefined Variables dialog box F-51
Flood engine
described M-21
floodguard 14-76
Flood Host engine
parameters (table) M-21
Flood Net engine
parameters (table) M-22
FQDN
redirection using
cluster load balancing and 10-14
fragmentation
in remote access VPNs 10-27
in site-to-site VPNs
General Settings tab G-69
understanding 9-54
maximum transmission unit (MTU) 9-54
fragments settings 14-76
frequently asked questions
policy discovery 6-17
FTP class map objects
creating 8-41
match criteria F-97
FTP policy map objects
creating 8-45
match conditions and actions F-97
properties F-95
full mesh topologies
description 9-4
diagram 9-4
full tunnel client access mode 10-4
FWSM
bridge groups 14-27
credentials C-23
PDM 20-2
policy discovery 6-12
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rollback restrictions for failover devices 17-34
rollback restrictions for multiple context mode 17-34
setting up SSL (HTTPS) 4-3
FWSM devices
AAA support 8-17
adding SSL thumbprints manually 5-22
SSL certificate configuration A-12
G
Gateway and Context page H-10
General
PIX/ASA/FWSM
security policies K-186
General Configuration tab M-82
General page, device properties C-28
General Settings tab H-70
General sub-tab M-53
General tab M-91
General tab (SSL VPNs and IOS devices) H-116
General tab (Translation Rules)
PIX/ASA/FWSM K-19
GET VPN 9-5
communication flow 9-84
defining group encryption in 9-22
features 9-85
group members
access control lists 9-86
adding G-26
editing G-27
IKE proposal G-54
key servers
adding G-26
editing G-27
receive-only SAs 9-87
SAs
receive-only mode 9-87
understanding 9-82, 9-83, 9-84, 9-85, 9-86, 9-87
GET VPN Peers page G-25
GET VPNs
group encryption policies
certificate authorization G-51
global settings
remote access VPN
configuring 10-27
understanding 10-27
Global Settings page H-66
Gnutella class map objects
match criteria F-64
GRE (generic routing encapsulation)
advantages of IPsec tunneling with GRE 9-62
configuring policies 9-65
for devices with dynamic IP 9-64
GRE Modes page G-42
implementation 9-62
prerequisites for successful configuration 9-63
understanding in site-to-site VPNs 9-62
using DMVPN with 9-67
GRE Dynamic IP 9-5
configuring policies 9-65
for dynamically addressed spokes 9-64
GRE Dynamic IP policy G-43
GRE mode G-43
DMVPN policy G-46
GRE Modes Page > DMVPN Policy G-46
GRE Modes Page > GRE or GRE Dynamic IP Policy G-43
group encryption
defining in GET VPN topologies 9-22
group encryption (GET VPN)
group encryption (policies)
Group Encryption Policy page (site-to-site VPN) G-50, G-52
Group Encryption Policy page (GET VPN) G-6
group members
adding G-26
communication flow 9-84
editing G-27
GET VPN
access control lists 9-86
group members (GET VPN)
Group Members page (GET VPN) G-53
group policies
understanding 10-29
VPNs
ASA devices 10-30
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
customizing 8-79
post URL method and macro substitutions in bookmarks 8-86
smart tunnels 8-87
Group Policies page H-72
groups
adding or removing devices 5-32
creating 5-32
deleting 5-32
understanding 5-30
working with 5-29
group types
creating 5-31
deleting 5-32
GTP map objects
Add Country Network Codes dialog box F-100
Edit Country Network Codes dialog box F-100
GTP Map Timeouts dialog box F-101
GTP policy map objects
creating 8-46
match conditions and actions F-101
properties F-99
H
H.323 (ASA, PIX) class map objects
creating 8-41
H.323 (ASA/PIX/FWSM) policy map objects
creating 8-47
properties F-103
H.323 (IOS) class map objects
match criteria F-65
H.323 (IOS) policy map objects
creating 8-57
match conditions and actions F-135
H.323 class map objects
match criteria F-106
H.323 policy map objects
match conditions and actions F-106
hash algorithms
in IKE proposals 9-46
MD5 9-46
SHA 9-46
help
accessing 2-20
Help About This Page command 2-12
helper addresses 13-19
Help menu 2-12
Help Topics command 2-12
Hide Navigation Window command 2-9
high availability (HA groups)
configuring in Easy VPN 9-72
configuring in site-to-site VPN 9-41
High Availability page (site-to-site VPN) G-23
in remote access VPNs 10-40, 10-41
prerequisites 9-40
stateful failover 9-39
stateless failover 9-39
understanding in site-to-site VPN 9-39
High Availability page H-79
high availability policies
configuring 10-41
understanding 10-40
Histogram dialog box M-54
historical events
CS-MARS 20-22
hit count
generating reports 11-26
Hit Count Query Results page I-101
Hit Count Selection Summary Dialog Box I-101
Hostname
PIX/ASA/FWSM K-91
hostnames
Cisco IOS routers
defining 13-70
Hostname Policy page J-115
overview 13-70
hostname settings
configuring on firewall devices 14-51
Host posture ACLs in IPS M-87
HSRP 14-27
HTTP
Cisco IOS routers
AAA tab J-82
Command Authorization Override dialog box J-84
defining policies 13-55
HTTP Policy page J-80
overview 13-54
Setup tab J-81
PIX/ASA/FWSM K-66
configuration K-67
HTTP (ASA, PIX) class map objects
creating 8-41
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 8-49
properties F-107
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 8-50
properties F-115
HTTP (IOS) class map objects
creating for zone-based firewall content filtering 8-59
match criteria F-65
HTTP (Zone Based IOS) policy map objects
match conditions and actions F-135
HTTP class map objects
match criteria F-117
HTTP-FORM
settings in AAA server objects F-17
HTTP policy
overriding HTTPS port number C-33
sharing
HTTPS port number C-33
HTTP policy map objects
match conditions and actions F-117
understanding 8-49
HTTPS
setting up 4-3
troubleshooting certificate errors 5-22
HTTP settings
configuring on firewall devices 14-38
hub-and-spoke topology
description 9-2
diagram 9-2
I
ICMP rules
PIX/ASA/FWSM K-67
add/edit K-68
ICMP settings
configuring on firewall devices 14-38
configuring on IOS routers J-20
icons
map elements B-2
toolbar reference 2-12
ICQ class map objects
match criteria F-64
idle timeout, Security Manager client A-5
IDM
device manager 20-2
IDSM
Create and Edit IDSM Data Port VLANs dialog boxes L-32
Create and Edit IDSM EtherChannel VLANs dialog boxes L-31
credentials C-23
defining Data Port VLANs 15-14
defining EtherChannel VLANs 15-13
deleting Data Port VLANs 15-16
deleting EtherChannel VLANs 15-14
IDSM Settings page L-30
IDSM Slot-Port Selector dialog box L-33
understanding settings on Catalyst devices 15-12
IEV
IPS Event Viewer 20-13
IGMP
configuring on firewall devices 14-70
PIX/ASA/FWSM
Access Group parameters K-137
Access Group tab K-136
enable K-134
Join Group parameters K-139
Join Group tab K-138
page K-134
parameters K-135
Protocol tab K-134
Static Group parameters K-138
Static Group tab K-137
IKE (Internet Key Exchange)
aggressive mode negotiation 9-45
main mode negotiation 9-45
proposals 9-45
understanding 9-45
IKE keepalive
understanding 9-52
IKE proposal objects
creating 8-32
properties F-53
IKE Proposal page H-81
IKE proposals (policies)
configuring 9-47
IKE Proposal page (site-to-site VPN) G-53
in GET VPNs G-54
IKE protocol
using RADIUS
as the authentication method 9-78
IM (ASA7.2+/PIX7.2+) policy map objects
creating 8-51
properties F-121
IM (IOS) policy map objects
creating 8-52
properties F-124
IM (Zone Based IOS) policy map objects
creating 8-57
match conditions and actions F-135
IM (Zone based IOS) policy map objects
creating 8-57
IMAP class map objects
match criteria F-67
IM applications
match conditions for zone-based firewalls F-64
protocol information for IM application inspection F-76
IMAP policy map objects
creating 8-57
match conditions and actions F-135
IM class map objects
creating 8-41
match criteria F-122
IM policy map objects
match conditions and actions F-122
Import Background Image dialog box B-11
Import Rules wizard
Enter Parameters page I-94
Preview page I-96
Status page I-95
inheritance
for signatures 12-8
inheriting rules 6-32
Inherit Rules dialog box D-10
understanding 6-4
versus assignment 6-6
Inherit Rules command 2-8
Inherit Rules dialog box D-10
Inline Pairs tab M-74
Inspected Protocol page
inspection rules I-21
Inspection/Reputation
definition of 12-15
inspection map objects
class maps
creating 8-41
understanding 8-38
inspection rules
adding 11-34
Add Inspection Rule dialog box I-18
Configure DNS dialog box I-29
Configure ESMTP dialog box I-30
Configure Fragments dialog box I-31
Configure IMAP dialog box I-32
Configure POP3 dialog box I-33
Configure RPC dialog box I-33
Configure SMTP dialog box I-29
configuring custom destination ports 11-36
configuring default inspection traffic 11-36
configuring in Map view 3-17
configuring settings I-70
configuring settings for IOS devices 11-39
configuring settings in Map view 3-18
configuring source and destination address and port (asa/fwsm3.x) 11-38
Custom Protocol dialog box I-30
deleting 11-4
disabling 11-8
editing 11-5
Edit Inspection Rule dialog box I-18
enabling 11-8
Inspected Protocol page I-21
Inspection Rules page I-16
Limit Inspection Between Source and Destination IP Addresses (ASA) page I-23
Match Traffic by Custom Destination Ports page I-25
Match Traffic by Destination Address and Port (IOS) page I-25
Match Traffic by Source and Destination Address and Port (ASA) page I-27
moving 11-7
protocols allowing configuration I-22
supported features 11-33
Inspection Rules page I-16
Inspection settings page I-70
inspect maps
policy maps
Add Country Network Codes dialog box F-100
Edit Country Network Codes dialog box F-100
Inspect parameter map objects
properties F-74
Inspect Parameters map objects
installing
Security Manager client 1-9
Integrated Local Management Interface (ILMI) 13-33
Interactive Authentication Configuration dialog box I-74
interface
add and edit 14-6
duplex K-49
IP type
ASA and PIX 7+ 14-10
PIX 6.3 14-11
MAC address 14-12
management 14-5
media type 14-13
Interface Name Conflict dialog box F-57
Interface Notifications tab M-89
Interface Pair dialog box M-74
interface pairs
described M-74
Interface Pairs dialog box
described M-74
Interface Properties dialog box B-14
Interface Role Contents dialog box I-66
interface role objects
creating 8-34
defining subinterfaces 8-35
distinguishing from interfaces 8-35
exceptional cases 8-35
Interface Name Conflict dialog box F-57
Interface Role dialog box F-56
specifying during policy definition 8-35
understanding 8-33
interfaces
ASA 5505 K-45
add/edit K-30
ASA devices K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
VPND Groups K-38
Catalyst switches and 7600 Series routers
Access Port Selector dialog box L-6
Create and Edit Interface dialog boxes-Access Port mode L-12
Create and Edit Interface dialog boxes-Dynamic Port mode L-21
Create and Edit Interface dialog boxes-Other mode L-27
Create and Edit Interface dialog boxes-Routed Port mode L-15
Create and Edit Interface dialog boxes-subinterfaces L-25
Create and Edit Interface dialog boxes-Trunk Port mode L-17
Create and Edit VLAN dialog boxes L-4
Create and Edit VLAN Group dialog boxes L-8
defining ports 15-3
deleting ports 15-4
generating names 15-4
Interfaces/VLANs page L-2
Interfaces/VLANs page-Interfaces tab L-10
Interfaces/VLANs page-Summary tab L-29
Interfaces/VLANs page-VLAN Groups tab L-7
Interfaces/VLANs page-VLANs tab L-3
Service Module Slot Selector dialog box L-9
Trunk Port Selector dialog box L-7
understanding 15-2
VLAN Selector dialog box L-10
checklist for configuring multiple contexts 14-83
Cisco IOS routers
Advanced Interface Settings dialog box J-18
Advanced Interface Settings page J-17
available types 13-13
Create Router Interface dialog box J-12
defining advanced settings 13-18
defining basic settings 13-15
defining CEF interface settings 13-22
defining IPS module settings 13-21
deleting from 13-17
generating names 13-16
Interface Auto Name Generator dialog box J-17
overview 13-13
Router Interfaces page J-11
understanding helper addresses 13-19
contexts 14-5
distinguishing from interface roles 8-35
failover
FWSM K-82
MAC address K-90
PIX/ASA K-89
PIX 6.3 K-77
FWSM K-40
add/edit K-42
PIX/ASA K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
VPND Groups K-38
PIX/ASA/FWSM
configuring 14-2
DDNS update rules K-110
DNS look-up K-108
enabling traffic between same security levels 14-14, 14-15
management access K-69
managing the PPPoE users list 14-15
managing VPDN groups 14-16
troubleshooting 14-17
understanding 14-2
PIX 6.3
add/edit K-34
PIX Firewall K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
VPND Groups K-38
redundant 14-4
routed and transparent 14-4
specifying during policy definition 8-35
specifying subinterfaces 8-35
throughput delay J-20
Interface Selector dialog box (VLAN ACL Content) L-38
Interfaces page M-71
Interfaces pane
described M-71
Internal Zone tab M-52
inventory
deleting devices from 5-25
export devices
DCR, CS-MARS, Security Manager formats 5-26
overview 5-26
using command line utility 5-28
inventory, device
adding devices 5-7
adding devices from configuration files 5-10
adding devices from inventory file 5-12
adding devices from network 5-8
adding devices manually 5-11
managing 5-1
testing device connectivity 5-16
understanding 5-1
understanding contents 5-3
user interface reference C-1
viewing inventory status 5-25
working with 5-7
inventory report
status window C-39
Inventory Status
event monitoring 20-12
Inventory Status command 2-10
Inventory Status window C-39
and Performance Monitor 20-7
Inverse ARP J-46
inverse multiplexing over ATM (IMA) J-35
IOS devices
remote access IPSec VPNs
user group policies 10-42
remote access IPsec VPNs
creating using wizard 10-10
user group policies 10-41
remote access SSL VPNs
advanced settings 10-61
configuring 10-58
configuring bookmarks 8-84
configuring WINS servers for file system access 8-89
Context Editor dialog box (IOS) H-120
creating using wizard 10-8
portal page 10-60
secure desktop manager policies 10-26
secure desktop software 10-61
remote access VPNs
Context Editor dialog box (IOS) H-116, H-118, H-119
Dynamic VTI/VRF Aware IPsec settings H-89
general settings 10-59
high availability H-79
IPsec proposals H-85
SSL VPN policies H-115
user group policies H-93
SDM 20-2
IOS IPS
description of 12-20
preparation of router 12-21
support of minor revisions 12-20
IOS IPS configuration 12-1
IOS IPS general settings 12-21
IOS IPS interface rules 12-22
IOS IPS limitations and restrictions 12-20
IOS IPS management 12-1
IOS IPS policies 12-19
IOS IPS signature policies 12-21
IOS IPS signature sets 12-21
IOS Software Release 12.1 and 12.2
managing routers 13-3
IOS Web Filter Exclusive Domain Name dialog box I-53
IOS Web Filter Rule and Applet Scanner dialog box I-52
IP address
supporting dynamic 5-14
IP addresses
network masks 8-65
specifying in policies 8-68
IPS
IPS Module router interface settings policies 13-21
PIX/ASA/FWSM
rules K-192
rules wizard K-193
tab K-194
updates, automatically applying 19-8
updates, checking for and downloading 19-7
updates, configuring server 19-6
updates, managing 19-6
updates, manually applying 19-9
IPS alert frequency options M-29
IPS allowed host identification 16-1
IPS anomaly detection modes 12-14
IPS anomaly detection zones
list of 12-15
IPS attack detection 12-7
IPS blocking M-90
IPS bypass mode configuration 12-3
IPS CDP mode configuration 12-4
IPS configuration 12-1
IPS custom signatures 12-11
IPS device access policies M-80
IPS device management 16-1
IPS device password settings 16-4
IPS devices
adding SSL thumbprints manually 5-22
credentials, IPS router modules C-25
initializing 4-11
license, exporting A-30
license, redeploying 19-5
license, updating 19-4
license, updating automatically 19-6
policy discovery 6-13
rollback restrictions 17-35
showing containment 5-24
SSL certificate configuration A-12
IPsec
proposals 10-37
remote access VPNs
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
cluster load balancing 10-14, 10-15, H-20
connection profiles 10-16
connection profiles (ASA) H-22
creating using wizard 10-10, 10-12
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
Dynamic VTI/VRF Aware IPsec settings H-89
fragmentation settings H-70
global settings 10-27
Global Settings page H-66
high availability H-79
high availability policies 10-40, 10-41
IKE proposals H-81
ISAKMP/IPsec settings H-67
NAT settings H-69
Public Key Infrastructure (PKI) H-74
public key infrastructure (PKI) policies 10-32
public key infrastructure (PKI) proposals 10-36
secure desktop manager policies 10-24, 10-26
understanding 10-2
user group policies 10-41, 10-42, H-93
VPNSM/VPN SPA settings H-87
IPsec Pass Through policy map objects
creating 8-53
properties F-125
IPsec Proposal Editor dialog box (for IOS Routers and Catalyst 6500/7600 Devices) H-85
IPsec Proposal Editor dialog box (for PIX and ASA Devices) H-84
IPsec Proposal page H-82
IPsec proposals
configuring 10-38
remote access VPNs H-82, H-84, H-85
configuring 10-38
understanding 10-37
IPsec proposals (policies)
configuring for Easy VPN 9-75, 9-88
configuring in site-to-site VPNs 9-51
IPsec Proposal page (in Easy VPN)
IPsec Proposal tab G-39
usage G-38
IPsec Proposal page (site-to-site VPN) G-55
using crypto maps in 9-49
using reverse route injection in 9-50
using transform sets in 9-49
IPsec Settings page (ASA) H-14
IPsec technologies
defining 9-16
policies 9-5
supported platforms 9-5
understanding 9-5
IPSec transform set objects
attributes F-57
creating 8-36
supported modes F-58
supported protocols F-59
IPsec tunnels
understanding policies 9-48
IPSec VPN
zone-based firewalls 11-65
IPsec VPN
Remote Access Configuration wizard
Defaults page (ASA) H-15
Defaults page (IOS) H-18
IPsec Settings page (ASA) H-14
IPsec VPN Connection Profile page (ASA) H-13
User Group Policy page (IOS) H-17
IPsec VPN Connection Profile page (ASA) H-13
IPS engine options M-13
IPS event
definition of 12-17
IPS event action filters
exporting M-61
IPS event action overrides
elements to configure 12-18
exporting M-65
IPS event action settings 12-19
IPS Event Viewer 20-13
accessing signatures in Security Manager 20-15, 20-16
Ethereal 20-14
starting 20-14
using with Security Manager 20-13
IPS Event Viewer command 2-10
IPS Global Correlation configuration 12-16
IPS Global Correlation policies M-58
IPS inline pair configuration 12-4
IPS Inspection/Reputation M-58
IPS interface configuration 12-3
IPS interface modes
list of 12-2
IPS interface roles
list of 12-2
IPS interface rules M-106
IPS interfaces
(not appl. to IOS IPS) 12-2
IPS Monitoring Information dialog box J-25
IPS interface summary 12-6
IPS management 12-1
IPS module
credentials C-25
IPS Module Discovery dialog box C-25
IPS Module interface settings policies 13-21
IPS Network Participation M-59
IPS Network Participation configuration 12-17
IPS normalizer mode description 16-13
IPS OS Identification configuration 12-18
IPS patches M-101
IPS protection against worm viruses 12-13
IPS rules M-107
IPS sensor
IDM 20-2
IPS sensors
default transport protocol A-12
IPS server access policies M-80
IPS service packs M-101
IPS signature
CS-MARS query 20-28
IPS signature cloning 12-10
IPS signature configuration 12-7
IPS signature enabling and disabling 12-10
IPS signature policies M-1
IPS signatures
accessing from IEV 20-15
Realtime Dashboard 20-15
Views display 20-16
properties that can be edited 12-8
properties that cannot be edited 12-9
viewing related CS-MARS events 20-28
IPS signature summary
exporting M-3
IPS signature updates M-101
IPS SMB Advanced Engine Options M-33
IPS tab, Licensing page A-29
IPS Target Value Ratings
description of 12-18
elements to configure 12-19
IPS Target Value Ratings configuration 12-18
IPS traffic flow identification M-108
IPS Updates page A-17
IPS User Interface Reference M-1
IPS VLAN group configuration 12-6
IPS VLAN pair configuration 12-5
ISAKMP/IPsec settings
IKE keepalive 9-52
in remote access VPNs 10-27
in site-to-site VPNs 9-52
ISAKMP/IPsec Settings tab (site-to-site VPN) G-66
ISAKMP/IPsec Settings tab H-67
ISR
zone-based firewall
restrictions 11-63
J
job deployment methods
understanding 17-10
jobs
aborting 17-29
approving 17-22
creating and editing 17-20
Deployment Manager 17-2
discarding 17-24
including devices in 17-9
rejecting 17-22
states
Workflow mode 17-7
submitting 17-22
joined hub-and-spoke topology 9-5
Join Group tab
description 14-70
Join Group tab (IGMP) K-138
JumpStart 1-9
Jumpstart command 2-12
K
Kazaa2 class map objects
match criteria F-64
Kerberos
description 8-17
settings in AAA server objects F-13
key servers
adding G-26
communication flow 9-84
editing G-27
key servers (GET VPN)
Key Servers page (GET VPN) G-58
knowledge base
histogram M-54
tree structure M-54
knowledge base scanner threshold M-54
L
L4TM
See botnet traffic filter rules
large scale Dynamic Multipoint VPN (DMVPN) 9-5
Layer 2 firewall
LDAP
settings in AAA server objects F-14
LDAP Attribute Map objects
attributes F-59
creating 8-37
Learning Accept Mode tab M-50
licenses
exporting IPS A-30
managing 19-3
redeploying IPS 19-5
Security Manager 19-3
updating IPS 19-4
updating IPS, automating 19-6
License Update Status Details dialog box A-32
licensing
Settings page A-28
Lightweight Directory Access Protocol (LDAP)
description 8-17
Limit Inspection Between Source and Destination IP Addresses (ASA) page I-23
line access
Cisco IOS routers
Console Policy page J-85
overview 13-57
VTY Policy page J-93
Link Properties dialog box B-12
load balancing
and IOS IPS settings M-105
load-balancing devices
in a VPN cluster
redirection using FQDN 10-14
Local Policy Will Be Replaced dialog box D-2
Local Web Filter class map objects
match criteria F-72
Local web filter class map objects
Local Web Filter parameter map objects
properties F-77
Local web filter parameter map objects
creating 8-59
locking
activities 7-2
committed configuration 7-2
devices and policies 6-8
objects 6-10
understanding 6-7
VPN topologies 6-9
Log Buffer window 20-6
logging
Cisco IOS routers
defining NetFlow interfaces J-146
defining NetFlow parameters 13-97
defining syslog servers 13-95
Logging Setup Policy page J-138
NetFlow policy page J-143
overview 13-92
Syslog Server dialog box J-142
Syslog Servers Policy page J-141
syslog setup parameters 13-93
syslog severity levels 13-96
NetFlow 14-61
PIX/ASA/FWSM K-116
configuring on 14-61
email notifications K-118
email recipients K-119
e-mail setup 14-62
event lists, add/edit K-121
filters K-123
filters, editing K-124
levels K-130
logging filters 14-64
logging setup 14-65
message classes and IDs K-120
message editing K-130
message limits K-126
message limits, add/edit K-127
NetFlow K-117
NetFlow, add/edit collector K-118
rate limit levels 14-66
rate limits, add/edit K-128
server K-128
server setup 14-67
set-up K-125
syslog class K-122
syslog message ID K-122
syslog servers, add/edit K-132
logging in to
Cisco Security Management Suite server 1-8
CiscoWorks Common Services 1-8
logging into
Logging page M-89
logs
configuring audit log default settings A-32
configuring debug levels A-6
Logs page A-32
LOKI
described M-47
protocol M-47
loopback cells 13-34
low-latency queuing (LLQ) 13-103
M
MAC address
PIX/ASA/FWSM
add/edit K-54
interface K-90
learning K-54
learning, enable/disable K-55
table K-53
MAC exempt lists
rule attributes I-78
Maintenance Operation Protocol (MOP), enabling J-21
Management Access
PIX/ASA/FWSM
interface K-69
management access settings
configuring on firewall devices 14-40
Management Center for Cisco Security Agents 16-4
Management Center for Cisco Security Agents tab M-85
Management IP address
PIX/ASA/FWSM K-56
managing the PPPoE users list 14-15
managing VPDN groups 14-16
Map menu 2-9
map objects
class maps
creating 8-41
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
parameter maps
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
Inspect properties F-74
Local Web Filter properties F-77
N2H2 properties F-78
Protocol Info properties F-76
Trend properties F-81
URLF Glob properties F-84
URL Filter properties F-82
Websense properties F-78
policy maps
creating 8-44
creating DCE/RPC 8-42
creating DNS 8-43
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
creating FTP 8-45
creating GTP 8-46
creating H.323 (ASA/PIX/FWSM) 8-47
creating HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) 8-49
creating HTTP (ASA 7.2+/PIX 7.2+) 8-50
creating IM for ASA7.2+/PIX7.2+ 8-51
creating IM for IOS devices 8-52
creating IPSec Pass Through 8-53
creating NetBIOS 8-54
creating SIP (ASA/PIX/FWSM) 8-55
creating Skinny 8-56
creating SNMP 8-57
DCE/RPC properties F-86
DNS properties F-87
ESMTP properties F-92
FTP properties F-95
GTP properties F-99
H.323 (ASA/PIX/FWSM) properties F-103
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties F-107
HTTP (ASA7.2+/PIX7.2+) properties F-115
IM (ASA7.2+/PIX7.2+) properties F-121
IM (IOS) properties F-124
IPsec Pass Through properties F-125
NetBIOS properties F-126
regular expression group properties F-138
regular expression properties F-138
SIP (ASA/PIX/FWSM) properties F-127
Skinny properties F-131
SNMP properties F-133
TCP Map properties F-139
understanding HTTP 8-49
Web Filter properties F-136
regular expression group objects
creating 8-61
regular expression objects
creating 8-62
metacharacters 8-63
TCP maps
creating 8-64
understanding 8-38
Map Properties command 2-9
Map Rule dialog box (lower pane) H-78
Map Rule dialog box (upper pane) H-77
maps
access permissions 3-2
adding existing managed devices 3-10
adding new managed devices 3-10
background color 3-9
background images
deleting 3-9
importing 3-8
scale and position 3-9
setting 3-8
centering elements 3-6
changing the zoom level 3-5
class maps
Class Map dialog box F-61
creating 3-2
default map 3-8
deleting 3-3
displaying devices from Device View 3-11
displaying managed devices 3-10
displaying your network 3-9
elements, understanding 3-9
excluding private and reserved networks A-2
exporting 3-4
icons B-2
Layer 3 automatic connectivity display 3-14
Layer 3 link
creating 3-13
deleting 3-13
displaying 3-13
layouts, using 3-6
navigating 3-4
navigation window 3-5
objects
adding 3-12
deleting 3-12
user created overview 3-12
opening 3-3
overview 3-1
panning 3-5
refreshing 3-7
saving 3-3
searching for elements 3-7
selecting elements 3-6
setting background 3-8
showing containment for Catalyst, ASA, PIX, IPS devices 3-11
understanding 3-1
undocking window 3-6
unlinked, using 3-7
working with 3-1
Map Settings dialog box B-10
Map View
cloning devices 3-16
configuring firewall policies 3-16
configuring firewall settings policies 3-17
context menu
Layer 3 link B-7
managed device node B-6
map background B-8
map objects B-8
selected nodes B-7
VPN connection B-7
device policies, managing 3-16
dialog box reference B-9
discovering device configurations 3-16
icons for elements B-2
main page B-1
menus B-5
navigation window B-5
performing basic policy management 3-16
previewing device configurations 3-16
sharing device policies 3-16
toolbar reference B-4
user interface reference B-1
VPNs
creating 3-15
displaying existing 3-14
editing peers 3-15
editing policies 3-15
managing 3-14
showing peers 3-15
Map view
Autolink Settings page A-2
copying between devices 3-16
Map View command 2-8
master blocking sensor
definition of 16-9
Master Blocking Sensor dialog box M-94
Master Blocking Sensors tab M-93
Master engine
general parameters (table) M-23
universal parameters M-23
Match Traffic by Custom Destination Ports page
inspection rules I-25
Match Traffic by Destination Address and Port (IOS) page
inspection rules I-25
Match Traffic by Source and Destination Address and Port (ASA) page
inspection rules I-27
maximum receive reconstructed unit (MRRU) J-63
maximum segment size (MSS) J-19
maximum transmission unit (MTU) 9-54
MBoundary
PIX/ASA/FWSM
configuration K-141
interface configuration K-142
MD5 hash algorithm 9-46
memory-allocation lite J-117
memory settings
Cisco IOS routers
defining 13-71
overview 13-70
Memory Policy page J-116
menu reference
Activities 2-11
Edit 2-7
File 2-6
Help 2-12
Map 2-9
overview 2-5
Policy 2-8
Tools 2-9
View 2-7
message
editing
PIX/ASA/FWSM K-130
PIX/ASA/FWSM
limits K-126
limits, add/edit K-127
rate limits, add/edit K-128
message classes and IDs
PIX/ASA/FWSM K-120
metacharacters
URLF Glob parameter maps F-85
Meta engine
parameters (table) M-15
Modify Physical Interface Map dialog box M-73
monitoring
and device managers 20-1
CS-MARS events 20-16
device status 20-1
IPS sensors 20-13
network activities 20-1
with status providers 20-7
Move Row Down command 2-7
Move Row Up command 2-7
MRoute
PIX/ASA/FWSM
configuration K-140
MRoute page
description 14-70
MSN Messenger class map objects
match criteria F-64
multicast
PIX/ASA/FWSM
Enable PIM and IGMP K-134
IGMP Access Group parameters K-137
IGMP Access Group tab K-136
IGMP Join Group parameters K-139
IGMP Join Group tab K-138
IGMP page K-134
IGMP parameters K-135
IGMP Protocol tab K-134
IGMP Static Group parameters K-138
IGMP Static Group tab K-137
MBoundary configuration K-141
MBoundary interface configuration K-142
MRoute configuration K-140
Multicast Boundary Filter page K-140
Multicast Group, add/edit K-150, K-151
Multicast Group rule, add/edit K-148
Multicast Routes page K-139
PIM Bidirectional Neighbor Filter, add/edit K-146
PIM Bidirectional Neighbor Filter tab K-145
PIM Neighbor Filter, add/edit K-145
PIM Neighbor Filter tab K-144
PIM page K-142
PIM Protocol, add/edit K-143
PIM Protocol tab K-143
PIM Rendezvous Point, add/edit K-147
PIM Rendezvous Points tab K-147
PIM Request Filter tab K-150
PIM Route Tree tab K-149
policies K-133
Multicast Boundary Filter page
description 14-71
multicast routing
PIX/ASA/FWSM
configuring on 14-69
enabling 14-69
IGMP 14-70
multicast boundary filters 14-71
multicast routes 14-70
PIM 14-72
multicast traffic 14-27
Multiclass Multilink PPP (MCMP) 13-43
multilink PPP (MLP) 13-39
defining bundles 13-43
multiple users
activities 7-3
Multi String engine
described M-17
parameters (table) M-17
Regex M-17
MySDN 12-8
N
N2H2 (Smartfilter)
configuring for web filter rules policies 11-57, I-86
configuring for zone based firewall rules policies 8-59, F-78, F-80
N2H2 class map objects
match criteria F-73
N2H2 parameter map objects
creating 8-59
properties F-78
NAT Settings tab H-69
NAT traversal 9-53
NBAR
enabling protocol discovery J-21
Neighbor Filter
add/edit K-145
Neighbor Filter tab
PIM K-144
NetBIOS policy map objects
creating 8-54
properties F-126
NetFlow
Cisco IOS routers 13-92, 13-96
interface settings J-146
configuring 14-61
on Cisco IOS routers 13-97
CS-MARS query 20-17
IOS routers J-143
managing 14-62
PIX/ASA/FWSM K-117
add/edit collector K-118
network/host objects
attributes F-141
creating 8-66
naming when provisioned as object groups 8-97
network masks 8-65
optimizing when deploying firewall rules 11-15
understanding 8-65
unspecified value objects 8-67
network access device (NAD) 13-87
Network Address Translation (NAT)
Cisco IOS routers
creating dynamic rules 13-10
creating static rules 13-5
designating interfaces 13-4
Dynamic Rule dialog box J-8
Dynamic Rules tab J-7
Interface Specification tab J-3
NAT Policy page J-2
overview 13-4
specifying timeouts 13-12
Static Rule dialog box J-4
Static Rules tab J-3
Timeouts tab J-10
configuring in remote access VPNs 10-27
configuring in site-to-site VPNs 9-53
configuring NAT traversal 9-53
NAT Settings tab (site-to-site VPN) G-68
PIX/ASA/FWSM
Address Pool dialog box K-5
Address Pools page K-4
Advanced NAT Options dialog box K-21
clearing XLATE on deployment 14-81
configuring on 14-17
configuring translation options 14-20
configuring translation rules 14-21
defining address pools 14-19
defining dynamic translation rules 14-23
defining policy-based dynamic translation rules 14-24
defining static translation rules 14-25
defining translation exemptions (NAT 0 ACL) 14-22
Dynamic Rules dialog box K-11
Dynamic Rules tab K-9
general summary of translation rules 14-26
General tab K-19
policies on K-4
Policy Dynamic Rules dialog box K-14
Policy Dynamic Rules tab K-13
Select Address Pool K-12
Static Rules dialog box K-17
Static Rules tab K-15
Translation Exemptions (NAT 0 ACL) dialog box K-8
Translation Exemptions (NAT 0 ACL) tab K-7
Translation Options page K-6
Translation Rules page K-6
translation types 14-18
understanding 14-17
Network Admission Control (NAC)
Cisco Trust Agent 13-87
components 13-87
defining identity parameters 13-91
defining interface parameters 13-90
defining setup parameters 13-89
Identities tab J-135
Identity Action dialog box J-137
Identity Profile dialog box J-136
Interface Configuration dialog box J-134
Interfaces tab J-133
NAC Policy page J-131
network access device (NAD) 13-87
on Cisco IOS routers 13-86
Setup tab J-131
supported platforms 13-87
understanding system flow 13-88
Network Information page M-66
network masks
discontiguous 8-66
discovering 8-66
displaying 8-66
understanding 8-65
Network Participation
definition of 12-15
list of data collected 12-16
Network Time Protocol
Network Time Protocol (NTP)
Cisco IOS routers
creating NTP servers 13-80
NTP Policy page J-125
NTP Server dialog box J-126
overview 13-80
Never Block Host dialog box M-100
Never Block Hosts and Networks tab M-100
Never Block Network dialog box M-101
New Activity command 2-11
New Device command 2-6
New Device Groups command 2-7
New Device wizard
Choose Method page C-3
Device Grouping page C-26
Device Information page - Add Device from File C-15
Device Information page - Configuration File C-8
Device Information page - Network C-4
Device Information page - New Device C-10
overview C-2
New Map command 2-9
New or Edit CS-MARS Device dialog box A-4
Node Properties dialog box B-13
Non-Workflow mode
viewing
device details 17-16
non-Workflow mode
changing modes 1-15
comparing with Workflow mode 1-14
configuration files
deploying in 17-17
previewing 17-27
configurations
rolling back 17-38
deployment 17-4
deployment jobs
aborting 17-29
Deployment Manager window N-1
Deployment Status Details dialog box N-20
Deploy Saved Changes dialog box N-9
selecting 1-12
taking over another user session 19-13
understanding 1-13
No Proxy ARP
page K-152
Normalizer engine
parameters (table) M-18
notifications, e-mail
configuring SMTP server 1-12
NSDB Release Version 12-8
NT
settings in AAA server objects F-16
NTP
configuring on firewall devices 14-58
definition of 16-6
PIX/ASA/FWSM K-112
server configuration K-113
NTP page M-87
NTP server identification 16-7
O
object groups
policy discovery 6-13
objects
AAA server
HTTP-FORM settings F-17
Kerberos settings F-13
LDAP settings F-14
NT settings F-16
RADIUS settings F-10
SDI settings F-16
TACACS+ settings F-12
AAA server groups
attributes F-6
creating 8-22
default server groups on IOS devices 8-19
predefined authentication groups 8-19
understanding 8-15
AAA servers
creating 8-20
supported additional types for ASA/PIX/FWSM 8-17
supported types 8-16
understanding 8-15
access control lists
creating 8-23
extended objects 8-23
standard objects 8-25
web objects 8-26
ASA group policies
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
technology settings F-25
ASA user groups
creating 8-28
basic procedures 8-3
categories, using 8-6
Cisco Secure Desktop configuration
creating 8-73
class map
creating 8-41
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
creating 8-4
credentials
attributes F-46
creating 8-30
DCE/RPC policy map
creating 8-42
properties F-86
deleting 8-8
DNS policy map
creating 8-43
properties F-87
duplicating 8-7
editing 8-6
ESMTP policy map
creating 8-44
properties F-92
exporting 8-13
file objects
attributes F-47
creating 8-31
FlexConfigs
adding to policies 18-28
changing order in policies 18-28
changing variable values 18-28
configuring 18-23
configuring AAA for administrative introducers 13-75
creating 18-26
previewing CLI 18-28
removing from policies 18-28
system variables 18-7
understanding 18-1
FTP policy map
creating 8-45
properties F-95
generating usage reports 8-8
GTP policy map
creating 8-46
properties F-99
H.323 (ASA/PIX/FWSM) policy map
creating 8-47
properties F-103
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties F-107
HTTP (ASA7.2+/PIX7.2+) policy map
properties F-115
HTTP policy map
creating for ASA7.1.x/PIX7.1.x/FWSM3.x/IOS 8-49
creating for ASA 7.2+/PIX 7.2+ 8-50
understanding 8-49
IKE proposals
creating 8-32
properties F-53
IM (ASA7.2+/PIX7.2+) policy map
creating 8-51
properties F-121
IM (IOS) policy map
creating 8-52
properties F-124
importing 8-13
Inspect parameter map
properties F-74
interface roles
creating 8-34
IPsec Pass Through policy map
creating 8-53
properties F-125
IPSec transform sets
attributes F-57
creating 8-36
LDAP attribute map objects
attributes F-59
LDAP map objects
creating 8-37
Local Web Filter parameter map
properties F-77
locking
effects on activities 7-2
managing 8-1
maps
understanding 8-38
N2H2 parameter map
properties F-78
NetBIOS policy map
creating 8-54
properties F-126
network/host
optimizing when deploying firewall rules 11-15
understanding 8-65
network/host objects
naming when provisioned as object groups 8-97
networks/hosts
creating 8-66
unspecified value objects 8-67
object selectors F-205
overrides
allowing 8-10
creating for multiple devices 8-11
creating for single device 8-11
deleting 8-12
managing 8-9
understanding 8-9
overview 1-7
parameter map
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
PKI enrollments
creating 8-69
policy map
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
port forwarding lists
creating 8-71
port list objects
naming when provisioned as object groups 8-97
port lists
attributes F-153
Protocol Info parameter map
properties F-76
provisioning as object groups 8-96
regular expression group objects
creating 8-61
regular expression group policy map
properties F-138
regular expression objects
creating 8-62
metacharacters 8-63
regular expression policy map
properties F-138
selecting for policies 8-2
service objects
naming when provisioned as object groups 8-97
provisioning as object groups 8-98
services
creating 8-75
single sign-on server
attributes F-156
configuring 8-77
SIP (ASA/PIX/FWSM) policy map
creating 8-55
properties F-127
Skinny policy map
creating 8-56
properties F-131
SLA monitors
attributes F-158
configuring 8-77
SNMP policy map
creating 8-57
properties F-133
SSL VPN Bookmark
configuring 8-84
post URL method and macro substitutions 8-86
SSL VPN Customization
configuring 8-79
creating custom Logon page 8-83
localizing 8-82
SSL VPN gateway
attributes F-176
creating 8-90
SSL VPN smart tunnel list
attributes F-177
configuring 8-87
TCP map objects
creating 8-64
TCP Map policy map
properties F-139
text
creating 8-91
time ranges
attributes F-182
creating 8-92
traffic flow objects
creating 8-93
Trend parameter map
properties F-81
URLF Glob parameter map
properties F-84
URLF Glob parameter maps
metacharacters F-85
URL Filter parameter map
properties F-82
user groups
advanced PIX 6.3 settings F-196
browser proxy settings F-201
clientless settings F-197
client VPN software update (IOS) settings F-195
creating 8-94
DNS/WINS settings F-190
general settings F-189
IOS client settings F-192
IOS Xauth settings F-194
split tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN connection settings F-202
SSL VPN full tunnel settings F-198
SSL VPN split tunneling settings F-200
technology settings F-187
thin client settings F-198
viewing details 8-8
Web Filter policy map
properties F-136
Websense parameter map
properties F-78
WINS server lists
attributes F-204
creating 8-89
Object Usage dialog box F-206
Obsoletes dialog box M-48
Openable Activities dialog box E-8
Open Activity command 2-11
Open Map command 2-9
Open Map dialog box B-9
Operation Settings tab M-50
OS identification
using IPS 12-19
OS Identifications tab
described M-67
OS identification tab M-67
OS Management
settings page A-15
OS management
software image management, understanding 5-29
OS Map dialog box M-68
OSPF
authentication support 14-73
configuring on firewall devices 14-73
interaction with NAT 14-73
LSAs 14-73
OSPF interfaces
blocking LSA flooding 13-134
defining on Cisco IOS routers 13-131
disabling MTU mismatch detection 13-133
Interface dialog box J-173
OSPF Interface Policy page J-172
understanding
authentication 13-136
cost 13-132
network types 13-135
priority 13-133
timer settings 13-134
OSPF parameters
dead interval K-175
hello interval K-174
retransmit interval K-175
transmit delay K-175
OSPF redistribution
defining mappings 13-129
defining maximum prefix values 13-130
understanding 13-128
OSPF routing
Cisco IOS routers
Area dialog box J-179
Area tab J-178
defining area settings 13-127
defining interface settings 13-131
defining setup parameters 13-126
Edit Interfaces dialog box J-178
Max Prefix Mapping dialog box J-183
OSPF Process Policy page J-176
overview 13-125
redistributing routes 13-128
Redistribution Mapping dialog box J-181
Redistribution tab J-180
Setup dialog box J-178
Setup tab J-177
PIX/ASA/FWSM
advanced settings K-154
Area/Area networks K-157
Area Range K-160
Area tab K-156
Filtering configuration K-168
Filtering tab K-167
General tab K-153
Interface configuration K-173
Interface tab K-171
Neighbors tab K-160
policy K-153
Range tab K-159
Redistribution rule K-163
Redistribution tab K-162
static neighbor K-161
Summary Address configuration K-170
Summary Address tab K-169
Virtual Link configuration K-165
Virtual Link MD5 configuration K-167
Virtual Link tab K-164
OS version mismatches
handling 17-14
Other Protocols sub-tab M-56
other settings
configuring 10-45
out-of-band changes, understanding 17-13
overrides
allowing overrides 8-10
Create Overrides for Device dialog box F-208
creating for multiple devices 8-11
creating for single device 8-11
deleting 8-12
managing 8-9
Policy Object Overrides window F-207
understanding 8-9
overview
policies 1-7
workflow 1-7
P
P2P applications
match conditions for zone-based firewalls F-64
P2P policy map objects
creating 8-57
match conditions and actions F-135
PAM
zone-based firewall
configuring I-62
parameter maps
understanding 8-38
partial mesh topologies 9-5
Password Requirements page M-84
passwords
admin, changing 19-13
PDM
device manager 20-2
peers (GET VPN)
Peers page G-59
Performance Monitor
admin contexts 20-10
as a status provider 20-7
configuring devices 20-8, 20-10
configuring in Security Manager 20-11
enabling or disabling A-37
in Inventory Status window 20-7
Inventory Status 20-12
performance settings
defining 10-46
performance settings (remote access SSL VPNs)
understanding 10-46
Performance tab (ASA) H-98
permanent virtual connections (PVC)
Define Mapping dialog box J-50
PVC Advanced Settings dialog box J-51
PVC dialog box J-41
PVC Policy page J-40
permanent virtual connections (PVCs)
defining ATM PVCs 13-35
defining OAM management 13-37
on Cisco IOS routers 13-30
understanding
ATM management protocols 13-33
ATM service classes 13-32
ILMI 13-33
Operation, Administration, and Maintenance (OAM) 13-34
virtual paths and channels 13-31
Physical Interfaces tab M-71
PIM
configuring on firewall devices 14-72
PIX/ASA/FWSM
Bidirectional Neighbor Filter, add/edit K-146
Bidirectional Neighbor Filter tab K-145
enable K-134
Multicast Group, add/edit K-150, K-151
Multicast Group rule, add/edit K-148
Neighbor Filter, add/edit K-145
Neighbor Filter tab K-144
page K-142
Protocol, add/edit K-143
Protocol tab K-143
Rendezvous Point, add/edit K-147
Rendezvous Points tab K-147
Request Filter tab K-150
Route Tree tab K-149
PIM and IGMP
PIX/ASA/FWSM
enabling 14-69
PIX
PDM 20-2
PIX/ASA
security contexts
allocate interfaces K-202
configuration K-200
viewing allocated interfaces K-203
PIX/ASA/FWSM
Device Access
Server Access K-96
Failover
bootstrap configuration K-91
interface MAC address K-90
Server Access
AUS, add/edit server K-98
AUS page K-96
DDNS interface rule K-110
DDNS page K-109
DDNS update methods K-111
DDNS update methods, add/edit K-111
DHCP Relay, add/edit agent K-100
DHCP Relay, add/edit server K-101
DHCP Relay page K-99
DHCP Server, add/edit K-104
DHCP Server, advanced configuration K-104
DHCP Server, options K-105
DHCP Server page K-102
DNS look-up K-108
DNS page K-106
DNS server, add K-108
DNS server group K-107
NTP page K-112
NTP server configuration K-113
SMTP page K-114
TFTP server page K-114
PIX/ASA/FWSM Platform
AAA K-56
Accounting tab K-58
Authentication tab K-57
Authorization tab K-58
ARP configuration K-51
ARP Inspection K-52
enable/disable K-52
ARP Table K-50
banners K-60
boot image/configuration K-61
add K-62
bridging K-50
clock K-62
configuring AAA 14-28
CPU threshold K-64
credentials K-64
Device Access K-65
console timeout K-65
host name K-91
HTTP configuration K-67
HTTP page K-66
ICMP rules K-67
ICMP rules, add/edit K-68
Management Access interface K-69
Secure Shell (SSH) K-69
Secure Shell, add/edit host K-70
SNMP host access K-73
SNMP page K-71
SNMP Trap configuration K-72
Telnet configuration K-75
Telnet page K-74
user accounts K-115
user accounts, add/edit K-115
Failover K-75
IPS, QoS, and Connection Rules K-192
logging K-116
email notifications K-118
email recipients K-119
event lists K-119
event lists, add/edit K-121
filters K-123
filters, editing K-124
levels K-130
message classes and IDs K-120
message editing K-130
message limits K-126
message limits, add/edit K-127
NetFlow K-117
NetFlow, add/edit collector K-118
rate limits, add/edit K-128
server K-128
set-up K-125
syslog class K-122
syslog message ID K-122
syslog servers K-131
syslog servers, add/edit K-132
MAC Address
add/edit K-54
MAC Address Table K-53
MAC learning K-54
enable/disable K-55
Management IP address K-56
multicast
Enable PIM and IGMP K-134
group rule, add/edit K-148
IGMP Access Group parameters K-137
IGMP Access Group tab K-136
IGMP Join Group parameters K-139
IGMP Join Group tab K-138
IGMP page K-134
IGMP parameters K-135
IGMP Protocol tab K-134
IGMP Static Group parameters K-138
IGMP Static Group tab K-137
MBoundary configuration K-141
MBoundary interface configuration K-142
MRoute configuration K-140
Multicast Boundary Filter page K-140
Multicast Routes page K-139
PIM Bidirectional Neighbor Filter, add/edit K-146
PIM Bidirectional Neighbor Filter tab K-145
PIM Neighbor Filter, add/edit K-145
PIM Neighbor Filter tab K-144
PIM page K-142
PIM Protocol, add/edit K-143
PIM Protocol tab K-143
PIM Rendezvous Point, add/edit K-147
PIM Rendezvous Points tab K-147
PIM Request Filter tab K-150
PIM Route Tree tab K-149
policies K-133
NAT policies K-4
Address Pools dialog box K-5
Address Pools page K-4
Advanced NAT Options dialog box K-21
Dynamic Rules dialog box K-11
Dynamic Rules tab K-9
General tab K-19
Policy Dynamic Rules dialog box K-14
Policy Dynamic Rules tab K-13
Select Address Pool K-12
Static Rules dialog box K-17
Static Rules tab K-15
Translation Exemptions (NAT 0 ACL) dialog box K-8
Translation Exemptions (NAT 0 ACL) tab K-7
Translation Options page K-6
Translation Rules page K-6
policy configuration 14-1
priority queues K-190
priority queues configuration K-191
routing
No Proxy ARP page K-152
OSPF - advanced settings K-154
OSPF - Area/Area networks K-157
OSPF - Area Range K-160
OSPF - Area tab K-156
OSPF - Filtering configuration K-168
OSPF - Filtering tab K-167
OSPF - General tab K-153
OSPF - Interface configuration K-173
OSPF - Interface tab K-171
OSPF - Neighbors tab K-160
OSPF page K-153
OSPF - Range tab K-159
OSPF - Redistribution rule K-163
OSPF - Redistribution tab K-162
OSPF - static neighbor K-161
OSPF - Summary Address configuration K-170
OSPF - Summary Address tab K-169
OSPF - Virtual Link configuration K-165
OSPF - Virtual Link MD5 configuration K-167
OSPF - Virtual Link tab K-164
policies page K-152
RIP (PIX/ASA 6.3-7.1, FWSM) K-176
RIP (PIX/ASA 6.3-7.1, FWSM) configuration K-177
RIP (PIX/ASA 7.2+) K-178
RIP (PIX/ASA 7.2+) Filtering configuration K-182
RIP (PIX/ASA 7.2+) Filtering tab K-182
RIP (PIX/ASA 7.2+) Interface configuration K-183
RIP (PIX/ASA 7.2+) Interface tab K-183
RIP (PIX/ASA 7.2+) Redistribution configuration K-181
RIP (PIX/ASA 7.2+) Redistribution tab K-180
RIP (PIX/ASA 7.2+) Setup tab K-179
RIP page K-175
Static Route configuration K-185
Static Route page K-184
security contexts
page K-198
security policies K-186
General configuration K-187
General page K-186
timeouts K-188
service policy
wizard K-193
service rules K-190
traffic class K-194
user preferences
Deployment page K-198
PIX/ASA/FWSM Platform policies
about contexts 14-5
bridging 14-26
configuring AUS settings 14-52
configuring banners 14-33
configuring boot image and configuration settings 14-34
configuring clock 14-35
configuring console timeout settings 14-37
configuring contact credentials 14-36
configuring DDNS 14-57
configuring device access 14-37
configuring device administration policies 14-28
configuring DHCP relay 14-53
configuring DHCP servers 14-54
configuring DNS 14-56
configuring failover 14-45, 14-49
configuring fragment settings 14-76
configuring hostname settings 14-51
configuring HTTP settings 14-38
configuring ICMP settings 14-38
configuring interfaces 14-2
configuring logging 14-61
configuring management access settings 14-40
configuring multicast routing 14-69
configuring NAT 14-17
configuring NTP 14-58
configuring resources on FWSMs 14-51
configuring routing 14-72
configuring Secure Shell (SSH) 14-40
configuring security contexts 14-82
configuring security policies 14-76
configuring server access settings 14-52
configuring service policy rules 14-79
configuring SMTP servers 14-59
configuring SNMP 14-41
configuring SSH 14-40
configuring Telnet 14-44
configuring TFTP servers 14-59
configuring timeouts 14-78
configuring user accounts 14-60
configuring user preferences 14-81
enabling anti-spoofing 14-76
enabling floodguard 14-76
enabling Unicast Reverse Path Forwarding 14-76
operating modes 14-4
PIX/FWSM/ASA Rules dialog box I-47
PIX 6.3
Failover K-76
interface configuration K-77
interfaces
add/edit K-34
PIX 7.x
Failover
Add Failover Group K-88
interface configuration K-89
settings K-85
failover K-83
PIX devices
AAA support 8-17
monitoring service level agreements 8-77
remote access VPNs
IPsec proposals H-84
user group policies H-93
PIX Firewall
interfaces K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
VPND Groups K-38
PIX/ASA/FWSM Platform policies K-1
setting up AUS or CNS 4-8
setting up SSL (HTTPS) 4-3
PIX Firewalls
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rollback restrictions for failover devices 17-34
rollback restrictions for multiple context mode 17-34
PIX firewalls
access controls
access list compilation I-70
object group search I-70
adding SSL thumbprints manually 5-22
FlexConfig object samples 18-21
SSL certificate configuration A-12
PKI (Public Key Infrastructure) policies
CA server authentication methods 9-58
configuring 9-61
enrollment prerequisites 9-59
Public Key Infrastructure page (site-to-site VPN) G-62
understanding 9-57
using TFTP 9-60
PKI enrollment
prerequisites 9-59
prerequisites using TFTP 9-60
PKI Enrollment dialog box
Trusted CA Hierarchy tab F-151
PKI enrollment objects
creating 8-69
defining CA server properties F-144
defining certificate attributes F-150
defining enrollment parameters F-148
defining trusted CA hierarchy F-151
Platform policies M-80
Plug-in tab (ASA) H-108
Point-to-Point Protocol (PPP)
defining connections 13-40
defining multilink PPP bundles 13-43
on Cisco IOS routers 13-39
understanding multilink PPP (MLP) 13-39
Point-to-Point protocol (PPP)
PPP/MLP Policy page J-56
PPP dialog box J-57
point-to-point topologies
description 9-3
diagram 9-3
policies
adding local rules to shared policies 6-30
assigning shared policies 6-29
basic concepts
inheritance vs. assignment 6-6
local vs. shared 6-3
managing 6-20
overview 6-1
rule inheritance 6-4
service vs. platform-specific 6-2
settings-based vs. rule-based 6-2
shared policies in Device view 6-25
status icons 6-19
configuring DMVPN policies 9-68
copying between devices 6-22
copying shared policies 6-32
creating shared 6-39
deleting shared 6-40
Device view
configuring local policies 6-20
managing 6-19
modifying assignments 6-34
modifying shared policies 6-34
discovering 6-11
discovering on existing devices 6-14
FlexConfigs
adding objects 18-28
changing object order 18-28
changing variable values 18-28
configuring 18-23
configuring AAA for administrative introducers 13-75
editing 18-28
FlexConfig Policy page 18-29
previewing CLI 18-28
removing objects 18-28
understanding 18-1
group
understanding 10-29
inheriting rules 6-32
locking 6-7
managing 6-1
object selectors F-205
overview 1-7
performing basic policy management in Map view 3-16
PKI (Public Key Infrastructure) 9-57
policy banner 6-25
policy discovery FAQ 6-17
policy management and objects 6-7
Policy view
managing 6-35
modifying assignments 6-39
preshared keys 9-56
renaming 6-33
router platform policies 13-1
selecting router policies to manage 6-10
sharing local 6-27
sharing multiple local policies 6-28
site-to-site VPN
mandatory policies 9-5
optional policies 9-5
specifying interfaces 8-35
specifying IP addresses 8-68
unassigning 6-23
unsharing 6-29
viewing discovery task status 6-16
VPN defaults A-41
policy assignments
Assignments tab in Policy view D-17
modifying in Device view 6-34
modifying in Policy view 6-39
overview 1-7
policy discovery
AAA commands not displayed in AAA policy 6-19
ACLs 6-14
Catalyst devices 6-12
Catalyst switches and 7600 Series routers 15-2
frequently asked questions 6-17
IPS devices 6-13
network masks 8-66
object groups 6-13
on existing devices 6-14
overview 1-7
policy objects 6-13
security contexts 6-12
understanding 6-11
viewing task status 6-16
VPNs 6-12
web VPN restrictions 5-8
Policy Discovery Status command 2-10
Policy Discovery Status page D-14
Policy Dynamic Translation Rule
PIX/ASA/FWSM K-13
add/edit K-14
policy management
Settings page A-33
Policy Management page A-33
policy maps
understanding 8-38
Policy menu
command reference 2-8
general reference D-1
Policy Object Manager command 2-10
Policy Object Manager window
Add or Edit dialog boxes F-4
creating overrides 8-11
deleting overrides 8-12
field reference F-1
Policy Object Overrides window F-207
shortcut menu F-3
Policy Object Overrides window F-207
policy objects
AAA server
HTTP-FORM settings F-17
Kerberos settings F-13
LDAP settings F-14
NT settings F-16
RADIUS settings F-10
SDI settings F-16
TACACS+ settings F-12
AAA server groups
attributes F-6
creating 8-22
default server groups on IOS devices 8-19
predefined authentication groups 8-19
understanding 8-15
AAA servers
creating 8-20
supported additional types for ASA/PIX/FWSM 8-17
supported types 8-16
understanding 8-15
access control lists
creating 8-23
extended objects 8-23
standard objects 8-25
web objects 8-26
ASA group policies
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
technology settings F-25
ASA user groups
creating 8-28
basic procedures 8-3
categories, using 8-6
Cisco Secure Desktop configuration
creating 8-73
class map
creating 8-41
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
connection with policy management 6-7
creating 8-4
credentials
attributes F-46
creating 8-30
DCE/RPC policy map
creating 8-42
properties F-86
deleting 8-8
DNS policy map
creating 8-43
properties F-87
duplicating 8-7
editing 8-6
ESMTP policy map
creating 8-44
properties F-92
exporting 8-13
file objects
attributes F-47
creating 8-31
FlexConfigs
adding to policies 18-28
changing order in policies 18-28
changing variable values 18-28
configuring 18-23
configuring AAA for administrative introducers 13-75
creating 18-26
previewing CLI 18-28
removing from policies 18-28
system variables 18-7
understanding 18-1
FTP policy map
creating 8-45
properties F-95
generating usage reports 8-8
GTP policy map
creating 8-46
properties F-99
H.323 (ASA/PIX/FWSM) policy map
creating 8-47
properties F-103
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties F-107
HTTP (ASA7.2+/PIX7.2+) policy map
properties F-115
HTTP policy map
creating for ASA7.1.x/PIX7.1.x/FWSM3.x/IOS 8-49
creating for ASA 7.2+/PIX 7.2+ 8-50
understanding 8-49
IKE proposals
creating 8-32
properties F-53
IM (ASA7.2+/PIX7.2+) policy map
creating 8-51
properties F-121
IM (IOS) policy map
creating 8-52
properties F-124
importing 8-13
Inspect parameter map
properties F-74
interface roles
creating 8-34
understanding 8-33
IPsec Pass Through policy map
creating 8-53
properties F-125
IPSec transform sets
attributes F-57
creating 8-36
LDAP attribute map objects
attributes F-59
LDAP map objects
creating 8-37
Local Web Filter parameter map
properties F-77
managing 8-1
maps
understanding 8-38
N2H2 parameter map
properties F-78
NetBIOS policy map
creating 8-54
properties F-126
network/host
optimizing when deploying firewall rules 11-15
understanding 8-65
network/host objects
naming when provisioned as object groups 8-97
networks/hosts
creating 8-66
unspecified value objects 8-67
object selectors F-205
overrides C-34
allowing 8-10
creating for multiple devices 8-11
creating for single device 8-11
deleting 8-12
managing 8-9
understanding 8-9
overview 1-7
parameter map
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
PKI enrollments
creating 8-69
policy discovery 6-13
policy map
creating for zone-based firewall content filtering 8-59
creating for zone-based firewall inspection 8-57
port forwarding lists
creating 8-71
port list objects
naming when provisioned as object groups 8-97
port lists
attributes F-153
Protocol Info parameter map
properties F-76
provisioning as object groups 8-96
regular expression group objects
creating 8-61
regular expression group policy map
properties F-138
regular expression objects
creating 8-62
metacharacters 8-63
regular expression policy map
properties F-138
selecting for policies 8-2
service objects
naming when provisioned as object groups 8-97
provisioning as object groups 8-98
services
creating 8-75
Settings page A-35
single sign-on server
attributes F-156
configuring 8-77
SIP (ASA/PIX/FWSM) policy map
creating 8-55
properties F-127
Skinny policy map
creating 8-56
properties F-131
SLA monitors
attributes F-158
configuring 8-77
SNMP policy map
creating 8-57
properties F-133
SSL VPN bookmark
configuring 8-84
post URL method and macro substitutions 8-86
SSL VPN Customization
configuring 8-79
creating custom Logon page 8-83
localizing 8-82
SSL VPN smart tunnel lists
attributes F-177
configuring 8-87
TCP map objects
creating 8-64
TCP Map policy map
properties F-139
text
creating 8-91
time ranges
attributes F-182
creating 8-92
traffic flow objects
creating 8-93
Trend parameter map
properties F-81
URLF Glob parameter map
properties F-84
URLF Glob parameter maps
metacharacters F-85
URL Filter parameter map
properties F-82
user groups
advanced PIX 6.3 settings F-196
browser proxy settings F-201
clientless settings F-197
client VPN software update (IOS) settings F-195
creating 8-94
DNS/WINS settings F-190
general settings F-189
IOS client settings F-192
IOS Xauth settings F-194
split tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN connection settings F-202
SSL VPN full tunnel settings F-198
SSL VPN split tunneling settings F-200
technology settings F-187
thin client settings F-198
user interface reference F-1
viewing details 8-8
Web Filter policy map
properties F-136
Websense parameter map
properties F-78
WINS server lists
attributes F-204
creating 8-89
policy objects interface
Interface Role dialog box F-56
SSL VPN Bookmark Entry dialog box F-161
SSL VPN bookmarks
Add or Edit Bookmarks dialog boxes F-159
Post Parameters dialog box F-162
SSL VPN gateway
attributes F-176
creating 8-90
Policy Objects page A-35
policy query
generating reports 11-12
Policy Query Results dialog box I-99
Querying Device or Policy dialog box I-97
report results 11-14
Policy Query Results dialog box I-99
Policy view
Assignments tab D-17
Create a Policy dialog box D-18
creating shared policies 6-39
deleting shared policies 6-40
editing remote access VPN policies in 10-62
editing site-to-site VPN policies in 9-43
filtering shared policy selector 2-14
general reference D-16
managing remote access VPN policies in 10-62
managing site-to-site VPN policies in 9-44
modifying assignments 6-39
selectors 6-37
Shared Policy selector options D-16
understanding 6-35
work area 6-38
Policy View command 2-8
POP3 class map objects
match criteria F-67
POP3 policy map objects
creating 8-57
match conditions and actions F-135
Port Address Translation (PAT) 9-53
portal page
configuring 10-60
Portal Page Customization page H-12
Portal Page tab (IOS) H-118
port application mapping
see PAM I-62
port forwarding list objects
creating 8-71
port list objects
attributes F-153
naming when provisioned as object groups 8-97
ports
ASA 5505 K-45
configure K-48
PPP dialog box
MLP tab J-61
PPP tab J-58
preferences, user
PIX/ASA/FWSM
Deployment page K-198
pre-provisioning devices 5-11
preshared key authentication methods 9-47
preshared key negotiation methods
aggressive mode 9-56
FQDN (fully qualified domain name) 9-56
main mode address 9-56
preshared keys
aggressive mode negotiation 9-56
configuring policies 9-57
FQDN (fully qualified domain name) negotiation 9-56
main mode address negotiation 9-56
Preshared Key page G-59
understanding 9-56
Preview Configuration command 2-10
Print command 2-7
priority queues
PIX/ASA/FWSM
configuration K-191
page K-190
Product Authorization Key (PAK) 19-3
productivity categories for Trend class maps F-63
properties
changes with policy effects 5-19
changing critical device 5-18
image version changes with no policy effects 5-18
understanding device 5-6
viewing or changing device 5-17
Property Selector dialog box F-52
protected networks
defining in VPN topologies 9-20, 9-23
Protected Networks tab G-17
Protocol Independent Multicast
Protocol Info parameter map objects
properties F-76
Protocol Info Parameters map object
creating 8-57
Protocol Map dialog box M-57
protocols
ARP M-19
DDoS M-47
LOKI M-47
MSSQL M-16
Protocol tab
IGMP K-134
PIM K-143
Protocol tab (IGMP)
description 14-70
Protocol tab (PIM)
description 14-72
proxies
defining 10-50
understanding 10-49
proxy ARP
disabling on firewall devices 14-73
enabling on IOS routers J-21
proxy bypass rules
defining 10-50
proxy bypass settings
understanding 10-49
proxy server identification for IPS M-89
Proxy tab (ASA) H-103
Public Key Infrastructure (PKI) page H-74
public key infrastructure (PKI) policies
configuring 10-32
public key infrastructure (PKI) proposals
configuring 10-36
understanding 10-36
PVC Advanced Settings dialog box
OAM-PVC tab J-54
OAM tab J-52
PVC dialog box
Protocol tab J-49
QoS tab J-46
Settings tab J-43
Q
QoS
PIX/ASA/FWSM
rules K-192
rules wizard K-193
tab K-194
QoS Class dialog box J-151
Edit ACLs dialog box J-154
Marking tab J-154
Matching tab J-152
Policing tab J-157
Queuing and Congestion Avoidance tab J-155
Shaping tab J-159
QoS queuing
default class 13-104
defining for classes 13-114
tail drop vs. WRED 13-102
understanding 13-102
understanding LLQ 13-103
quality of service (QoS)
CEF requirements 13-100
defining on control plane 13-110
defining on interfaces 13-108
defining policies 13-108
on Cisco IOS routers 13-99
QoS Class dialog box J-151
QoS Policy dialog box J-149
Quality of Service Policy page J-147
understanding
Control Plane Policing 13-107
default class queuing 13-104
low-latency queuing 13-103
marking parameters 13-101
matching parameters 13-100
policing parameters 13-104
queuing parameters 13-102
shaping parameters 13-104
tail drop and WRED 13-102
token-bucket mechanism 13-105
quality of service (QoS) classes
defining marking parameters 13-113
defining matching parameters 13-111
defining policing parameters 13-115
defining queuing parameters 13-114
defining shaping parameters 13-117
query
access rule 20-24
IPS signature 20-28
Querying Device or Policy dialog box I-97
R
RADIUS
description 8-16
settings in AAA server objects F-10
RADIUS SDI authentication
enabling
for tunnel group policies 9-78
native SDI authentication and 9-78
overview 9-78
Realtime Dashboard 20-15
real-time events
CS-MARS 20-22
Real-time Log Viewer 20-6
Recurring Ranges dialog box F-183
Redeploy a Job dialog box N-22
Redeploying Licenses dialog box A-31
rediscovering
remote access VPNs 10-6
rediscovering site-to-site VPNs 9-13
Rediscover VPN Policies wizard G-80
Name and Technology page G-81
Rediscover VPN Policies wizard > Device Selection page G-81
redundant interfaces 14-4
Refresh Map command 2-9
regular expression group objects
creating 8-61
properties F-138
regular expression objects
creating 8-62
metacharacters 8-63
properties F-138
regular IPsec 9-5
Reject Activity command 2-12
Reject Activity dialog box E-6
Reject Deployment Job dialog box N-19
Rejected activity state 7-4
Remote Access Configuration wizard H-1
IPsec VPN
Defaults page (ASA) H-15
Defaults page (IOS) H-18
IPsec Settings page (ASA) H-14
IPsec VPN Connection Profile page (ASA) H-13
User Group Policy page (IOS) H-17
SSL VPN
Access page (ASA) H-2
Connection Profile page (ASA) H-3
Gateway and Context page H-10
Portal Page Customization page H-12
remote access SSL VPNs
cluster load balancing 10-14
Context Editor dialog box (IOS) H-120
remote access VPN
system variables 18-17
Remote Access VPN Configuration Wizard
IPsec VPNs
creating 10-10
Remote Access VPN Configuration wizard
IPsec VPNs
creating 10-12
SSL VPNs
using 10-8
remote access VPN policies
managing in Policy view 10-62
redirection using an FQDN
cluster load balancing and 10-14
remote access VPNs
ASA devices
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
customizing 8-79
group policies 10-30
post URL method and macro substitutions in bookmarks 8-86
smart tunnels 8-87
configuring
using wizard 10-8
Device view 10-7
discovering 10-6
IOS devices
configuring bookmarks 8-84
configuring WINS servers for file system access 8-89
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
cluster load balancing 10-14, 10-15, H-20
connection profiles 10-16
connection profiles (ASA) 10-16, H-22
creating using wizard 10-10, 10-12
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
Dynamic VTI/VRF Aware IPsec settings H-89
fragmentation settings H-70
global settings 10-27
Global Settings page H-66
high availability H-79
high availability policies 10-40, 10-41
IKE proposals H-81
ISAKMP/IPsec settings H-67
NAT settings H-69
Public Key Infrastructure (PKI) H-74
public key infrastructure (PKI) policies 10-32
public key infrastructure (PKI) proposals 10-36
secure desktop manager policies 10-24, 10-26
understanding 10-2
user group policies 10-41, 10-42, H-93
VPNSM/VPN SPA settings H-87
IPsec proposals 10-37, H-82, H-84, H-85
configuring 10-38
managing 10-1
Device view 10-7
rediscovering 10-6
access modes 10-4
access policies (ASA) 10-44, H-94, H-96
advanced settings (ASA) H-113
advanced settings (IOS) 10-61
AnyConnect client image settings (ASA) H-111
AnyConnect client profile settings (ASA) H-112
browser plug-ins 10-53
browser plug-ins (ASA) 10-52, H-108, H-109
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
client settings 10-55
client settings (ASA) 10-54, H-110
cluster load balancing 10-15, H-20
connection profiles 10-16
connection profiles (ASA) H-22
content rewrite rules 10-47
content rewrite settings (ASA) H-99, H-100
Context Editor dialog box (IOS) H-116, H-118, H-119
creating using wizard 10-8, 10-10
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
encoding rules 10-49
encoding settings 10-48
encoding settings (ASA) H-101, H-103
example 10-3
fragmentation settings H-70
general settings 10-59
global settings 10-27
Global Settings page H-66
ISAKMP/IPsec settings H-67
managing support files 10-5
NAT settings H-69
other settings (ASA) 10-45, H-97
performance settings 10-46
performance settings (ASA) 10-46, H-98
policies (IOS) H-115
portal page 10-60
prerequisites 10-6
proxy bypass rules 10-50
proxy bypass settings (ASA) 10-49, H-107
proxy settings (ASA) H-103
Public Key Infrastructure (PKI) H-74
public key infrastructure (PKI) policies 10-32
secure desktop manager policies 10-24, 10-26
secure desktop software 10-61
shared license (ASA) H-114
shared license clients 10-57
shared license server 10-58
understanding 10-2
understanding 10-2
user interface reference H-1
VPN client in 10-2
VPN gateway in 10-2
remote access VPN servers
configuring devices as 10-8
configuring policies on 10-8
Remote Access Configuration wizard 10-8
Remote Detection Indication (RDI) cells 13-34
Rename Policy command 2-8
Rename Policy dialog box D-9
Rendezvous Point
add/edit K-147
Rendezvous Points tab
description 14-72
PIM K-147
reports
generating policy query 11-12
reading policy query 11-14
Reputation
definition of 12-15
Request Filter tab
description 14-72
Request Filter tab
PIM K-150
Resources
FWSM K-92
add/edit K-93
resources
configuring on FWSMs 14-51
Resume Deployment Schedule dialog box N-19
retry count
device communication A-12
reverse route injection 9-50
RIP
configuring on firewall devices 14-74
RIP routing
Cisco IOS routers
Authentication dialog box J-186
Authentication tab J-185
defining interface authentication 13-138
defining setup parameters 13-137
overview 13-136
redistributing routes 13-139
Redistribution Mapping dialog box J-188
Redistribution tab J-187
RIP Routing Policy page J-184
Setup tab J-184
PIX/ASA/FWSM
(PIX/ASA 6.3-7.1, FWSM) K-176
(PIX/ASA 6.3-7.1, FWSM) configuration K-177
(PIX/ASA 7.2+) K-178
(PIX/ASA 7.2+) Filtering configuration K-182
(PIX/ASA 7.2+) Filtering tab K-182
(PIX/ASA 7.2+) Interface configuration K-183
(PIX/ASA 7.2+) Interface tab K-183
(PIX/ASA 7.2+) Redistribution configuration K-181
(PIX/ASA 7.2+) Redistribution tab K-180
(PIX/ASA 7.2+) Setup tab K-179
page K-175
Rollback a Job dialog box N-23
rollback to archived configuration files 17-40
routed ports
Create and Edit Interface dialog boxes-Routed Port mode L-15
understanding 15-2
Router Block Interface dialog box M-96
Router Device dialog box M-95
router platform interface
802.1x Policy page J-128
AAA policy
AAA Policy page J-64
Accounting tab J-68
Authentication tab J-64
Authorization tab J-65
Command Accounting dialog box J-70
Command Authorization dialog box J-67
accounts and credentials policy
Accounts and Credentials Policy page J-71
User Accounts dialog box J-73
ADSL policy
ADSL Policy page J-32
ADSL Settings dialog box J-33
advanced interface settings policy
Advanced Interface Settings dialog box J-18
Advanced Interface Settings page J-17
BGP policy
BGP Neighbors dialog box J-162
BGP Redistribution tab J-163
BGP Routing Policy page J-161
BGP Setup tab J-161
Redistribution Mapping dialog box J-164
bridging policy
Bridge Group dialog box J-75
Bridging Policy page J-74
CEF interface policy J-26
CEF Interface Settings dialog box J-27
Clock Policy page J-76
console policy
AAA tab J-87
Accounting tab J-90
Authentication tab J-87
Authorization tab J-88
Command Accounting dialog box J-105
Command Authorization dialog box J-104
Console Policy page J-85
Setup tab J-85
CPU Policy page J-78
DHCP policy
DHCP Database dialog box J-121
DHCP Policy page J-119
IP Pool dialog box J-122
dialer interface policy
Dialer Physical Interface dialog box J-30
Dialer Policy page J-28
Dialer Profile dialog box J-29
DNS policy
IP Host dialog box J-114
DNS Policy page J-113
EIGRP policy
EIGRP Routing Policy page J-165
Interface dialog box J-168
Interfaces tab J-167
Redistribution Mapping dialog box J-170
Redistribution tab J-169
Setup dialog box J-166
Setup tab J-166
Hostname Policy page J-115
HTTP policy
AAA tab J-82
Command Authorization Override dialog box J-84
HTTP Policy page J-80
Setup tab J-81
interfaces policy
Create Router Interface dialog box J-12
Interface Auto Name Generator dialog box J-17
Router Interfaces page J-11
IPS interface policy
IPS Monitoring Information dialog box J-25
IPS Module interface policy
IPS Module Interface Policy Page J-24
logging policy
Syslog Server dialog box J-142
logging setup policy
Logging Setup Policy page J-138
Memory Policy page J-116
NAC policy
Identities tab J-135
Identity Action dialog box J-137
Identity Profile dialog box J-136
Interface Configuration dialog box J-134
Interfaces tab J-133
NAC Policy page J-131
Setup tab J-131
NAT policy
Dynamic Rule dialog box J-8
Dynamic Rules tab J-7
Interface Specification tab J-3
NAT Policy page J-2
Static Rule dialog box J-4
Static Rules tab J-3
Timeouts tab J-10
NTP policy
NTP Policy page J-125
NTP Server dialog box J-126
OSPF policy
Area dialog box J-179
Area tab J-178
Interface dialog box J-173
Max Prefix Mapping dialog box J-183
OSPF Interface Policy page J-172
OSPF Process Policy page J-176
Redistribution Mapping dialog box J-181
Redistribution tab J-180
Setup dialog box J-178
Setup tab J-177
PPP/MLP policy
PPP/MLP Policy page J-56
PPP dialog box J-57
PVC policy
Define Mapping dialog box J-50
PVC Advanced Settings dialog box J-51
PVC dialog box J-41
PVC Policy page J-40
QoS policy
QoS Class dialog box J-151
QoS Policy dialog box J-149
Quality of Service Policy page J-147
RIP policy
Authentication dialog box J-186
Authentication tab J-185
Redistribution Mapping dialog box J-188
Redistribution tab J-187
RIP Routing Policy page J-184
Setup tab J-184
Secure Device Provisioning Policy page J-117
Secure Shell Policy page J-106
SHDSL policy
Controller Auto Name Generator dialog box J-39
SHDSL Controller dialog box J-37
SHDSL Policy page J-36
SNMP policy
Permission dialog box J-110
SNMP Policy page J-108
SNMP Traps dialog box J-112
Trap Receiver dialog box J-110
static routing policy
Static Routing dialog box J-190
Static Routing Policy page J-189
syslog servers policy
Syslog Servers Policy page J-141
VTY policy
Command Accounting dialog box J-105
Command Authorization dialog box J-104
VTY Line dialog box J-94
VTY Policy page J-93
router platform policies
Device Admin policies
AAA 13-44
accounts and credentials 13-48
CPU settings 13-54
DHCP 13-76
DNS 13-68
host and domain names 13-70
HTTP 13-54
line access 13-57
memory settings 13-70
optional SSH settings 13-64
Secure Device Provisioning (SDP) 13-71
SNMP 13-66
time zone settings 13-52
transparent bridging 13-50
general reference J-1
Identity policies
802.1x 13-82
Network Admission Control (NAC) 13-86
Interface policies
ADSL 13-25
advanced settings 13-18
basic settings 13-13
dialer interfaces 13-22
PPP 13-39
PVC 13-30
SHDSL 13-28
Logging policies 13-92
NAT 13-4
NetFlow policies 13-92
Network Time Protocol (NTP) 13-80
quality of service (QoS) 13-99
Routing policies
BGP routing 13-118
EIGRP routing 13-121
OSPF routing 13-125
RIP routing 13-136
static routing 13-140
routers
adding SSL thumbprints manually 5-22
CEF interface settings policies 13-22
Cisco Discovery Protocol (CDP) settings J-20
CNS call-home mode 4-10
CNS event-bus mode 4-9
communication requirements 4-1
configuring SSH 4-6
default transport protocol for 12.1 and 12.2 A-12
default transport protocol for 12.3 and above A-12
deploying configurations using TMS 17-26
enabling directed broadcasts J-22
enabling Maintenance Operation Protocol (MOP) J-21
enabling NBAR protocol discovery J-21
enabling proxy ARP J-21
enabling unicast reverse path forwarding (RPF) J-22
enabling virtual fragment reassembly (VFR) J-21
FlexConfig object samples 18-22
generating interface names 13-16
ICMP message settings J-20
IPS Module interface settings policies 13-21
selecting policy types to manage 6-10
setting up SSL (HTTPS) 4-4
SSL certificate configuration A-12
system variables 18-12
Router tab M-95
Route Tree tab
description 14-72
PIM K-149
routing
PIX/ASA/FWSM
configuring on 14-72
configuring OSPF 14-73
configuring RIP 14-74
configuring static routes 14-75
disabling proxy ARP 14-73
No Proxy ARP page K-152
OSPF - advanced settings K-154
OSPF - Area/Area networks K-157
OSPF - Area Range K-160
OSPF - Area tab K-156
OSPF - Filtering configuration K-168
OSPF - Filtering tab K-167
OSPF - General tab K-153
OSPF - Interface configuration K-173
OSPF - Interface tab K-171
OSPF - Neighbors tab K-160
OSPF page K-153
OSPF - Range tab K-159
OSPF - Redistribution rule K-163
OSPF - Redistribution tab K-162
OSPF - static neighbor K-161
OSPF - Summary Address configuration K-170
OSPF - Summary Address tab K-169
OSPF - Virtual Link configuration K-165
OSPF - Virtual Link MD5 configuration K-167
OSPF - Virtual Link tab K-164
policies page K-152
RIP (PIX/ASA 6.3-7.1, FWSM) K-176
RIP (PIX/ASA 6.3-7.1, FWSM) configuration K-177
RIP (PIX/ASA 7.2+) K-178
RIP (PIX/ASA 7.2+) Filtering configuration K-182
RIP (PIX/ASA 7.2+) Filtering tab K-182
RIP (PIX/ASA 7.2+) Interface configuration K-183
RIP (PIX/ASA 7.2+) Interface tab K-183
RIP (PIX/ASA 7.2+) Redistribution configuration K-181
RIP (PIX/ASA 7.2+) Redistribution tab K-180
RIP (PIX/ASA 7.2+) Setup tab K-179
RIP page K-175
Static Route configuration K-185
Static Route page K-184
routing redistribution
BGP Redistribution Mapping dialog box J-164
BGP Redistribution tab J-163
EIGRP Redistribution Mapping dialog box J-170
EIGRP Redistribution tab J-169
into BGP 13-120
into EIGRP 13-124
into OSPF 13-128
into RIP 13-139
OSPF Max Prefix Mapping dialog box J-183
OSPF Process Redistribution tab J-180
OSPF Redistribution Mapping dialog box J-181
RIP Redistribution Mapping dialog box J-188
RIP Redistribution tab J-187
Row Shortcut menu M-5
RSA signature authentication method 9-47
Rule Analysis Results page I-93
Rule Combiner Results dialog box I-104
rule expiration
configuring for access rules 11-22
Rule Expiration page A-36
rules
default 6-4
mandatory 6-4
service policy 14-79
rules tables
adding rules 11-4
columns and headings 2-18
commands, Edit menu 2-7
cut, copy, and paste rules 11-4
disabling rules 11-8
enabling rules 11-8
filtering 2-16
finding and replacing items 11-6
removing rules 11-4
sections 11-8
using 11-3
rule tables
moving rules 11-7
RX-Boot Mode Credentials dialog box C-21
S
Save command 2-6
Save Map As command 2-9
Save Map As dialog box B-9
Save Map command 2-9
Save Policy As command 2-8
Save Policy As dialog box D-9
scenarios
creating FlexConfigs 18-23
SCEP (Simple Certificate Enrollment Protocol)
CA server authentication 9-58
Schedule dialog box N-25
schedules, deployment
creating or editing 17-30
including devices 17-9
suspending or resuming 17-31
viewing status and history 17-16
scripting language
examples
looping 18-3
looping with if/else statements 18-4
looping with two-dimensional arrays 18-3
FlexConfig objects 18-3
SDEE
subscriptions M-105
SDI
authentication
using a RADIUS SDI proxy 9-78
easier authentication
for VPN client users 9-78
protocol for
authentication server group 9-78
server
communication with a proxy 9-78
settings in AAA server objects F-16
SDM
access rule look-up 20-7
device manager 20-2
secure desktop manager policies
configuring 10-26
understanding 10-24
secure desktop software
configuring 10-61
Secure Desktop tab (IOS) H-119
Secure Device Provisioning (SDP)
configuring AAA for administrative introducers 13-75
contents of bootstrap 13-72
defining policies 13-73
Secure Device Provisioning page J-117
understanding
introducers 13-72
petitioners 13-72
registrars 13-72
TTI 13-72
workflow 13-73
SecureID servers (SDI)
description 8-17
Secure Shell
PIX/ASA/FWSM
add/edit SSH host K-70
Secure Shell (SSH)
Cisco IOS routers
defining optional settings 13-64
optional settings overview 13-64
Secure Shell Policy page J-106
configuring on firewall devices 14-40
PIX/ASA/FWSM K-69
security contexts
admin context
overview 14-82
configuring on firewall devices 14-82
discovering policies 6-12
FWSM 14-87
configuration K-199
Resources K-92
managing 14-85
multiple 14-83
PIX/ASA 14-86
allocate interfaces K-202
configuration K-200
viewing allocated interfaces K-203
PIX/ASA/FWSM
enabling multi-context mode 14-82
page K-198
restoring single-context mode 14-82
Trusted Flow Acceleration 14-80
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rollback restrictions 17-34
rollback restrictions for failover devices 17-34
showing containment 5-24
Security Manager
access by CS-MARS 20-21
administrative settings A-1
configuring administrative settings 19-2
getting started 1-1
initial configuration 1-10
installing client 1-9
integration with CS-MARS 20-20
interface overview 2-1
logging into and exiting 1-9
managing the server 19-1
overview 1-1
server management and administration 19-1
understanding views 2-2
using 1-5
Security Manager Administration command 2-11
Security Manager Diagnostics command 2-11
Security Manager Online command 2-12
security policies
configuring on firewall devices 14-76
PIX/ASA/FWSM K-186
General configuration K-187
General page K-186
timeouts K-188
security ratings for Trend class maps F-63
Select Address Pool
PIX/ASA/FWSM Platform K-12
Select Interfaces dialog box B-12
selectors
filtering items 2-14
using 2-13
selector trees
managing items 2-14
selecting items 2-14
Select Policies Update Will Be Applied To page, Apply IPS Update wizard A-26
Select Policy Object dialog box B-15
Select Update to Apply page, Apply IPS Update wizard A-24
Select VPN to Configure dialog box B-16
self near-end crosstalk (SNEXT) J-39
Self zone 11-63
sensors
definition 12-2
sensors, IPS
updates, automatically applying 19-8
updates, checking for and downloading 19-7
updates, configuring server 19-6
updates, managing 19-6
updates, manually applying 19-9
server
managing Security Manager 19-1
syslog
server, IPS update 19-6
server, Security Manager
configuring administrative settings 19-2
managing or administrating 19-1
Server Access
PIX/ASA/FWSM K-96
AUS, add/edit server K-98
AUS page K-96
DDNS interface rule K-110
DDNS page K-109
DDNS update methods K-111
DDNS update methods, add/edit K-111
DHCP Relay, add/edit agent K-100
DHCP Relay, add/edit server K-101
DHCP Relay page K-99
DHCP Server, add/edit K-104
DHCP Server, advanced configuration K-104
DHCP Server, options K-105
DHCP Server page K-102
DNS look-up K-108
DNS page K-106
DNS server, add K-108
DNS server group K-107
NTP page K-112
NTP server configuration K-113
SMTP page K-114
TFTP server page K-114
Server Access policies M-85
server access settings
configuring on firewall devices 14-52
server as allowed host M-81
Server Load Balance page G-63
Edit Load Balancing Parameters dialog box G-64
server load balancing
configuring a policy 9-70
Server Properties dialog box C-12
Server Security Settings page A-36
Service
PIX/ASA/FWSM
IPS, QoS, and Connection Rules K-192
IPS, QoS, and Connection Rules wizard K-193, K-194
policy wizard K-193
priority queues K-190
priority queues configuration K-191
rules K-190
traffic class K-194
service agreement contracts 19-3
Service Contents dialog box I-66
Service Device Provisioning (SDP)
on Cisco IOS routers 13-71
Service DNS engine
described M-20
parameters (table) M-20
Service FTP engine
described M-22
parameters (table) M-22
PASV port spoof M-22
Service Generic engine
described M-24
parameters (table) M-25
Service H225 engine
parameters (table) M-26
Service HTTP engine
parameters (table) M-27
Service Module Credentials dialog box C-23
Service MSRPC engine
parameters (table) M-16
Service MSSQL engine
described M-16
MSSQL protocol M-16
parameters (table) M-16
Service NTP engine
described M-30
parameters (table) M-30
service objects
creating 8-75
naming when provisioned as object groups 8-97
provisioning as object groups 8-98
Services dialog box F-154
understanding 8-75
service policy rules 14-79
configuring on firewall devices 14-79
Service RPC engine
parameters (table) M-31
services
specifying 8-75
Service SMB engine
described M-35
parameters (table) M-35
Service SNMP engine
described M-37
parameters (table) M-37
Service SSH engine
described M-38
parameters (table) M-38
Service TNS engine
parameters (table) M-46
sessionize 20-22
Set Linked Map dialog box B-11
settings
device communications 5-21
OS Management A-15
Settings pages
Autolink A-2
Configuration Archive A-2
CS-MARS A-3
Customize Desktop A-5
Debug Options A-6
Deployment A-7
Device Communication A-11
Device Groups A-14
Discovery A-16
Licensing A-28
Logs A-32
Policy Management A-33
Policy Objects A-35
reference A-1
Rule Expiration A-36
Server Security A-36
Status A-37
Take Over User Session A-40
Token Management A-40
VPN Policy Defaults A-41
Workflow A-42
SHA hash algorithm 9-46
Share Device Policies command 2-8
shared license clients
configuring 10-57
shared policies
copying 6-32
Device view
adding local rules to selected device 6-30
assigning to selected device 6-29
modifying 6-34
modifying assignments 6-34
policy banner 6-25
sharing local 6-27
sharing multiple local policies 6-28
unsharing 6-29
working with 6-25
inheriting policies 6-32
Inherit Rules dialog box D-10
Policy view
Assignments tab D-17
Create a Policy dialog box D-18
creating 6-39
deleting 6-40
managing 6-35
modifying assignments 6-39
renaming 6-33
Shared Policy Assignments dialog box D-8
Share Policies wizard
Select Policies to Share page D-7
Share Policies from this Device page D-7
understanding D-6
Share Policy command 2-8
Share Policy dialog box D-1
SHDSL
Controller Auto Name Generator dialog box J-39
defining controllers 13-29
on Cisco IOS routers 13-28
SHDSL Controller dialog box J-37
SHDSL Policy page J-36
Show Containment command 2-10
Show Devices On Map command 2-9
Show Devices on Map dialog box B-15
Show Navigation Window command 2-9
Show VPN Peers dialog box B-16
Show VPNs On Map command 2-9
Show VPNs on Map dialog box B-16
signature engines
Atomic ARP M-19
Flood M-21
Flood Host M-21
Flood Net M-22
Multi String M-17
Service DNS M-20
Service FTP M-22
Service Generic M-24
Service MSSQL M-16
Service NTP engine M-30
Service SMB M-35
Service SNMP M-37
Service SSH engine M-38
Sweep M-44
Sweep Other TCP M-43
Traffic ICMP M-47
signatures
look up from IEV
Realtime Dashboard 20-15
Views display 20-16
updates, automatically applying 19-8
updates, checking for and downloading 19-7
updates, configuring server 19-6
updates, managing 19-6
updates, manually applying 19-9
viewing related CS-MARS events 20-28
signature settings policies
list of features 12-12
Signatures page M-1
Simple Network Management Protocol
single sign on server (SSO) objects
attributes F-156
single sign-on server objects
configuring 8-77
SIP (ASA, PIX) class map objects
creating 8-41
SIP (ASA/PIX/FWSM) policy map objects
creating 8-55
properties F-127
SIP (IOS) class map objects
match criteria F-68
SIP (IOS) policy map objects
creating 8-57
match conditions and actions F-135
SIP class map objects
match criteria F-129
SIP policy map objects
match conditions and actions F-129
Site-to-Site VPN
user interface reference G-1
Site-to-Site VPN Manager
policy banner 6-25
Site-to-Site VPN Manager command 2-10
Site-to-Site VPN Manager window G-1
site-to-site VPNs
configuring fragmentation settings 9-55
configuring ISAKMP/IPsec settings 9-55
configuring NAT settings 9-55
discovering 9-12
ISAKMP/IPsec settings 9-52
managing 9-1
managing policies in the Policy view 9-44
NAT settings 9-53
rediscovering 9-13
understanding discovery 9-8
using Create VPN Wizard 9-14
VPN global settings 9-52
working with 9-43
working with policies
in the Device view 9-43
in the Policy view 9-43
Skinny policy map objects
creating 8-56
match conditions and actions F-133
properties F-131
SLA monitor objects
attributes F-158
configuring 8-77
Smartfilter (N2H2)
configuring for web filter rules policies 11-57, I-86
configuring for zone based firewall rules policies 8-59, F-78, F-80
smart tunnels
configuring for ASA SSL VPNs 8-87
SMTP
preventing DoS attacks using zone based firewall F-69
preventing spam using zone based firewall F-69
SMTP class map objects
match criteria F-69
SMTP policy map objects
creating 8-57
match conditions and actions F-135
SMTP server
configuring 1-12
PIX/ASA/FWSM K-114
SMTP servers
configuring on firewall devices 14-59
SNEXT J-39
SNMP
Cisco IOS routers
defining agent properties 13-66
enabling traps 13-67
overview 13-66
Permission dialog box J-110
SNMP Policy page J-108
SNMP Traps dialog box J-112
Trap Receiver dialog box J-110
configuring on firewall devices 14-41
definition of 16-2
PIX/ASA/FWSM K-71
CPU utilization 14-42
host access K-73
MIBs 14-42
OIDs 14-42
terminology 14-41
Trap configuration K-72
SNMP Credentials dialog box C-21
SNMP page M-82
SNMP policy map objects
creating 8-57
properties F-133
SNMP Trap Communication tab M-83
SNMP traps in IPS M-83
socket read timeout
device communication A-12
Software Application Support contracts 19-3
Source Contents dialog box I-66
spam
blocking spam using zone-based firewall rules F-69
spoke-to-spoke connectivity with DMVPN 9-67
spoofing, preventing 14-76, K-186
SSH
configuring on firewall devices 14-40
configuring on IOS routers, Catalyst switches, Catalyst 6500/7600 devices 4-6
line ending conventions 4-5
preventing non-SSH connections 4-7
setting up 4-5
testing authentication 4-5
troubleshooting connections 5-23
SSL
remote access VPNs 10-43
access modes 10-4
access policies 10-44
access policies (ASA) H-94, H-96
advanced settings 10-61
advanced settings (ASA) H-113
AnyConnect client image settings (ASA) H-111
AnyConnect client profile settings (ASA) H-112
browser plug-ins (ASA) H-108, H-109
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
client settings (ASA) H-110
cluster load balancing 10-14, 10-15, H-20
connection profiles 10-16
connection profiles (ASA) H-22
content rewrite rules 10-47
content rewrite settings (ASA) H-99, H-100
Context Editor dialog box (IOS) H-116, H-118, H-119, H-120
creating using wizard 10-8, 10-10
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
encoding rules 10-49
encoding settings 10-48
encoding settings (ASA) H-101, H-103
example 10-3
fragmentation settings H-70
global settings 10-27
Global Settings page H-66
ISAKMP/IPsec settings H-67
managing support files 10-5
NAT settings H-69
other settings 10-45
other settings (ASA) H-97
performance settings 10-46
performance settings (ASA) H-98
policies (IOS) H-115
portal page 10-60
prerequisites 10-6
proxies 10-50
proxy bypass rules 10-50
proxy bypass settings 10-49
proxy bypass settings (ASA) H-107
proxy settings (ASA) H-103
Public Key Infrastructure (PKI) H-74
public key infrastructure (PKI) policies 10-32
secure desktop manager policies 10-24, 10-26, 10-27
secure desktop software 10-61
shared license (ASA) H-114
shared license clients 10-57
shared license server 10-58
understanding 10-2
setting up 4-3
troubleshooting certificate errors 5-22
SSL authentication certificates
adding thumbprints manually 5-22
configuring default settings for how handled A-12
SSL VPN
Create User Group wizard
Full Client Access Mode page H-7
Name and Access Method page H-6
policy discovery restriction 5-8
Remote Access Configuration wizard
Access page H-2
Connection Profile page (ASA) H-3
Gateway and Context page H-10
Portal Page Customization page H-12
secure access diagram 10-3
User Groups Selector page H-5
SSL VPN bookmark objects
configuring 8-84
post URL method and macro substitutions 8-86
SSL VPN Bookmarks objects
SSL VPN Bookmarks dialog box F-161
SSL VPN Client (SVC) 10-4
SSL VPN Client Settings tab (ASA) H-110
SSL VPN Connection Profiles Policy page
Add/Edit SSL VPN Connection Profile dialog box
Add/Edit Interface Specific Client Address Pools dialog box H-24
SSL VPN Customization objects
configuring 8-79
creating custom Logon page 8-83
localizing 8-82
SSL VPN gateway objects
attributes F-176
creating 8-90
SSL VPN Other Settings page (ASA) H-97
SSL VPN policies
configuring on an ASA device
defining advanced settings 10-56
SSL VPN Policy page (ASA) H-94
SSL VPN Policy page (IOS) H-115
SSL VPNs
ASA devices
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
customizing 8-79
group policies 10-30
post URL method and macro substitutions in bookmarks 8-86
smart tunnels 8-87
clientless access mode 10-4
configuring on an ASA device
access policies 10-44
shared license client 10-57
shared license server 10-58
configuring on an IOS device
advanced settings 10-61
portal page 10-60
secure desktop software 10-61
configuring on IOS devices
general settings 10-59
Create User Group wizard
Clientless and Thin Client Access Modes page H-9
full tunnel client access mode 10-4
IOS devices
configuring 10-58
configuring bookmarks 8-84
configuring WINS servers for file system access 8-89
remote access
general settings 10-59
thin client access mode 10-4
SSL VPN Shared License page (ASA) H-114
SSL VPN smart tunnel list objects
attributes F-177
configuring 8-87
State engine
parameters (table) M-39
stateful failover 14-46, 14-48
stateless failover 14-46
states
activities E-3
activity 7-4
static crypto maps 9-49
Static Group tab
description 14-70
Static Group tab (IGMP) K-137
static NAT
creating rules for hosts 13-5
creating rules for ports 13-8
creating rules for subnets 13-7
creating rules on Cisco IOS routers 13-5
disabling automatic aliasing 13-9
disabling payload option 13-10
static routes
configuring on firewall devices 14-75
static routing
Cisco IOS routers
defining on 13-140
overview 13-140
Static Routing dialog box J-190
Static Routing Policy page J-189
PIX/ASA/FWSM
configuration K-185
policy K-184
Static Rule
PIX/ASA/FWSM K-15
add/edit K-17
status
activity E-3
Status page A-37
status provider
overview 20-7
Performance Monitor 20-7
status providers
configuring 20-11
stealth firewall
String ICMP engine
parameters (table) M-41
String TCP engine
parameters (table) M-42
String UDP engine
parameters (table) M-43
subinterfaces
specifying during policy definition 8-35
Submit Activity command 2-11
Submit Activity dialog box E-5
Submit and Deploy command 2-6
Submit command 2-6
Submit Deployment Job dialog box N-18
Submitted activity state 7-4
Summary tab M-79
Sun RPC class map objects
match criteria F-72
Sun RPC policy map objects
creating 8-57
match conditions and actions F-135
Suspend Deployment Schedule dialog box N-19
Sweep engine
described M-44
parameters (table) M-43
Sweep Other TCP engine
described M-43
switches
communication requirements 4-1
syslog
access rule look-up 20-5
syslogs
Cisco IOS routers 13-92
system configuration
overview 14-82
system variables
devices 18-7
firewall 18-9
FlexConfigs 18-7
remote access VPN 18-17
routers 18-12
VPN 18-13
T
tables
using 2-15
tables, rules
adding rules 11-4
columns and headings 2-18
commands, Edit menu 2-7
cut, copy, and paste rules 11-4
disabling rules 11-8
enabling rules 11-8
filtering 2-16
finding and replacing items 11-6
removing rules 11-4
sections 11-8
using 11-3
TACACS+
description 8-16
settings in AAA server objects F-12
Take Over User Session page A-40
Target Value Rating dialog box M-67
Target Value Ratings tab M-66
task flow
deployment
non-Workflow mode 17-5
Workflow mode 17-6
taskflow 1-5
TCP Map objects
properties F-139
TCP map objects
creating 8-64
TCP Protocol sub-tab M-53
Telnet
configuring on firewall devices 14-44
PIX/ASA/FWSM K-74
configuration K-75
text fields
ASCII limitations 2-18
finding text in multiple-line 2-19
navigating 2-19
using 2-18
text objects
creating 8-91
TFN2K
described M-47
TFTP servers
configuring on firewall devices 14-59
PIX/ASA/FWSM K-114
thin client access mode 10-4
tiered hub-and-spoke topologies 9-5
timeouts
configuring on firewall devices 14-78
PIX/ASA/FWSM
security policies K-188
time range objects
attributes F-182
attributes for recurring ranges F-183
creating 8-92
defining recurring ranges 8-93
Times of Day dialog box M-52
time synchronization
on IOS routers 13-80
time zone settings
Cisco IOS routers
Clock Policy page J-76
defining time zone and DST 13-53
overview 13-52
TMS
deploying configurations 17-26
deployment method 17-11
Token Management page A-40
Token Management System (TMS)
settings A-40
toolbar
activities 7-7
toolbar reference 2-12
Tools menu 2-9
traffic class
PIX/ASA/FWSM
rules wizard K-194
Traffic Classification dialog box I-37
Traffic Classification tab I-36
traffic flow notifications
configuring 16-8
traffic flow objects
creating 8-93
match value
default inspection traffic F-186
Traffic ICMP engine
DDoS M-47
described M-47
LOKI M-47
parameters (table) M-47
TFN2K M-47
traffic match criteria 14-79
transcripts
viewing 17-32
Transcript Viewer window N-30
transform sets
in IPsec tunnel policies 9-49
transport mode operation 9-49
tunnel mode operation 9-49
Translation Exemption (NAT-0 ACL) Rule
PIX/ASA/FWSM K-7
add/edit K-8
Translation Options
PIX/ASA/FWSM K-6
Translation Rules
PIX/ASA/FWSM K-6
translation table
clearing on deployment 14-81
transparent bridging
Cisco IOS routers
BVI interfaces 13-50
overview 13-50
defining bridge groups 13-51
transparent firewall
multicast traffic 14-27
VRRP 14-27
transparent rules
adding 11-59
Add Transparent Firewall Rule dialog box I-42
configuring in Map view 3-17
deleting 11-4
disabling 11-8
editing 11-5
Edit Transparent EtherType dialog box I-44
Edit Transparent Firewall Rule dialog box I-42
Edit Transparent Mask dialog box I-45
enabling 11-8
moving 11-7
Transparent Rules page I-39
understanding 11-58
Transparent Rules page I-39
transport protocols
device defaults A-12
overview of device requirements 4-1
transport settings
AUS 4-7
Configuration Engine 4-7
SSH 4-5
SSL (HTTPS) 4-3
trees
managing items 2-14
selecting items 2-14
Trend class map objects
Trend parameter map objects
creating 8-59
properties F-81
Tribe Flood Network 2000
Trojans
LOKI M-47
troubleshooting
creating diagnostics file 19-16
IPS sensors 20-13
online help, problems accessing 2-20
using device managers 20-1
with status providers 20-7
troubleshooting interfaces 14-17
trunk ports
Create and Edit Interface dialog boxes-Trunk Port mode L-17
understanding 15-2
Trusted Flow Acceleration
FWSM 14-80
Trusted Transitive Introduction (TTI)
use in SDP policies 13-72
tunnel group policies
Advanced tab G-37
Client VPN Software Update tab G-38
configuring for Easy VPN 9-78
General tab G-33
IPsec tab G-35
RADIUS SDI authentication 9-78
Tunnel Group Policy page G-33
TVRs
described M-66
U
UDP Protocol sub-tab M-56
Unassign Policy command 2-8
Undock Map View command 2-9
Unicast Reverse Path Forwarding 14-76, K-186
unicast reverse path forwarding
enabling on routers J-22
unmanaged devices
adding to VPN topologies 9-17
Unshare Policy command 2-8
Unspecified Bit Rate (UBR) 13-32
Unspecified Bit Rate Plus (UBR+) 13-32
Update Level dialog box (in IPS) M-6
Updating Licenses from File dialog box A-32
Updating Licenses via CCO dialog box A-31
URLF Glob parameter map objects
metacharacters F-85
properties F-84
URL Filter parameter map objects
creating 8-59
properties F-82
usage reports
generating 8-8
user accounts
configuring on firewall devices 14-60
PIX/ASA/FWSM K-115
add/edit K-115
user group objects
advanced PIX 6.3 settings F-196
browser proxy settings F-201
clientless settings F-197
client VPN software update (IOS) settings F-195
creating 8-94
DNS/WINS settings F-190
general settings F-189
IOS client settings F-192
IOS Xauth settings F-194
split tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN connection settings F-202
SSL VPN full tunnel settings F-198
SSL VPN split tunneling settings F-200
technology settings F-187
thin client settings F-198
user group policies
configuring 10-42
configuring for Easy VPN 9-77
understanding 10-41
User Group Policy page (Easy VPN) G-64
User Group Policy page H-93
User Group Policy page (IOS) H-17
user groups
creating using wizard H-6
User Groups Selector page H-5
user interface
managing items in a tree 2-14
maps toolbar reference B-4
map view 3-1
Map view reference B-1
menu reference 2-5
overview 2-1
rules tables 11-3
selecting items in a tree 2-14
selecting or specifying files 2-19
selectors 2-13
table
columns and headings 2-18
sections 11-8
tables 2-15
text fields
ASCII limitations 2-18
finding text in multiple-line 2-19
navigating 2-19
using 2-18
toolbar reference 2-12
wizards 2-15
working with Security Manager 2-1
user interface reference, activities E-1
user interface reference, deployment N-1
user interface reference, general policy management D-1
user login credentials for device access 5-5
user passwords
changing 19-13
user preferences
configuring on firewall devices 14-81
PIX/ASA/FWSM
Deployment page K-198
User Profiles tab M-92
users
taking over configuration session 19-13
user taskflow 1-5
V
Validate Activity command 2-11
Validate command 2-6
Validation dialog box 7-11
validation error messages 7-11
Values Assignment dialog box 18-30
Variable Bit Rate-Non-Real Time (VBR-nrt) 13-32
Variable Bit Rate-Real Time (VBR-rt) 13-32
variables
deleting FlexConfig 18-26
changing variable values 18-28
Velocity Template Engine
scripting language 18-3
View Changes command 2-6, 2-11
View menu 2-7
views
Device 2-2
Device view 1-5
Map 2-4
Map view 1-5
Policy 2-4
Policy view 1-5
virtual channel identifier (VCI) 13-31
virtual firewalls
virtual fragment reassembly (VFR) J-21
virtualization
definition of 16-9
virtual path identifier (VPI) 13-31
Virtual Routing Forwarding (VRF)
virtual sensor advantages 16-10
virtual sensor definition 16-12
virtual sensor deletion 16-13
virtual sensor editing 16-13
virtual sensor interface types 16-11
virtual sensors
default virtual sensor 16-11
definition of 16-9
discovering policies 6-13
showing containment 5-24
Virtual Sensors page M-101
virtual sensor summary table 16-12
virtual terminal (VTY)
Cisco IOS routers
defining AAA settings 13-62
defining line groups 13-60
defining line setup parameters 13-60
virtual terminal (VTY) lines
Cisco IOS routers
VTY Line dialog box J-94
VTY Policy page J-93
VLAN ACLs (VACLs)
defining 15-10
deleting 15-11
understanding 15-9
VLAN access maps 15-9
VLAN group
defined for IPS interfaces 12-5
Vlan Group Map dialog box M-78
VLAN Groups pane
described M-77
VLAN Groups tab M-77
VLAN Pair dialog box M-76
VLAN Pairs pane
overview M-75
VLAN Pairs tab M-75
VLANs
Catalyst switches and 7600 Series routers
Create and Edit VLAN ACL Content dialog boxes L-37
Create and Edit VLAN ACL dialog boxes L-35
Create and Edit VLAN dialog boxes L-4
defining 15-5
defining Data Port for IDSM 15-14
defining EtherChannel for IDSM 15-13
defining groups 15-7
defining VACLs 15-10
deleting 15-6
deleting Data Port for IDSM 15-16
deleting EtherChannel for IDSM 15-14
deleting groups 15-8
deleting VACLs 15-11
Interfaces/VLANs page-VLANs tab L-3
understanding 15-5
understanding VACLs 15-9
understanding VLAN groups 15-7
VLAN Access Lists page L-34
IDs M-77
VPN
configuring policy defaults A-41
policy discovery restriction for web VPNs 5-8
system variables 18-13
zone-based firewall 11-65
VPN client
in remote access VPNs 10-2
Mode configuration 10-2
VPN cluster master
redirecting to other devices
using an FQDN 10-14
VPN default policies
assigning to VPN topology 9-24
factory defaults 9-8
optional 9-8
understanding 9-8
VPN Defaults page (site-to-site VPN) G-28
VPND Groups
add K-38
VPN discovery 9-12
prerequisites 9-10
rules 9-10
supported technologies and topologies 9-9
understanding 9-8
VPN gateway
initiating a connection with 10-2
in remote access VPNs 10-2
VPN global settings
GET VPN
VPN Global Settings for GET page G-72
in remote access VPNs
fragmentation settings 10-27
General Settings tab H-70
ISAKMP/IPsec settings 10-27
ISAKMP/IPsec Settings tab H-67
NAT settings 10-27
NAT Settings tab H-69
in site-to-site VPNs
fragmentation settings 9-54
General Settings tab G-69
ISAKMP/IPsec settings 9-52
ISAKMP/IPsec Settings tab G-66
NAT settings 9-53
NAT Settings tab G-68
understanding 9-52
VPN Global Settings page G-65
VPN Peers dialog box B-16
VPN Policy Defaults page A-41
VPN rediscovery
site-to-site 9-13
VPNs
AAA services 14-31
ASA devices
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
customizing 8-79
group policies 10-30
post URL method and macro substitutions in bookmarks 8-86
smart tunnels 8-87
creating in Map view 3-15
DMVPN policies G-46
IOS devices
configuring bookmarks 8-84
configuring WINS servers for file system access 8-89
IPsec
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
cluster load balancing 10-14, 10-15, H-20
connection profiles 10-16
connection profiles (ASA) 10-16, H-22
creating using wizard 10-10, 10-12
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
Dynamic VTI/VRF Aware IPsec settings H-89
fragmentation settings H-70
global settings 10-27
Global Settings page H-66
high availability H-79
high availability policies 10-40, 10-41
IKE proposals H-81
ISAKMP/IPsec settings H-67
NAT settings H-69
Public Key Infrastructure (PKI) H-74
public key infrastructure (PKI) policies 10-32
public key infrastructure (PKI) proposals 10-36
secure desktop manager policies 10-24, 10-26
user group policies 10-41, 10-42, H-93
VPNSM/VPN SPA settings H-87
IPsec proposals H-82, H-84, H-85
configuring 10-38
Map view 3-14
policy discovery 6-12
remote access
access modes 10-4
configuring using wizard 10-8
discovering 10-6
managing 10-1
SSL 10-43
remote access IPSec
understanding 10-2
remote access SSL
example 10-3
managing support files 10-5
prerequisites 10-6
understanding 10-2
shared policies 6-4
site-to-site
policies G-29
working with 9-43
SSL
access policies (ASA) 10-44, H-94, H-96
advanced settings (ASA) H-113
advanced settings (IOS) 10-61
AnyConnect client image settings (ASA) H-111
AnyConnect client profile settings (ASA) H-112
browser plug-ins 10-53
browser plug-ins (ASA) 10-52, H-108, H-109
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
client settings 10-55
client settings (ASA) H-110
client settings (ASA) 10-54
cluster load balancing 10-14, 10-15, H-20
connection profiles 10-16
connection profiles (ASA) H-22
content rewrite rules 10-47
content rewrite settings (ASA) H-99, H-100
Context Editor dialog box (IOS) H-116, H-118, H-119, H-120
creating using wizard 10-8, 10-10
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
encoding rules 10-49
encoding settings (ASA) 10-48, H-101, H-103
fragmentation settings H-70
general settings 10-59
global settings 10-27
Global Settings page H-66
ISAKMP/IPsec settings H-67
NAT settings H-69
other settings 10-45
other settings (ASA) H-97
performance settings 10-46
performance settings (ASA) 10-46, H-98
policies (IOS) H-115
portal page 10-60
proxies 10-50
proxy bypass rules 10-50
proxy bypass settings 10-49
proxy bypass settings (ASA) H-107
proxy settings (ASA) H-103
Public Key Infrastructure (PKI) H-74
public key infrastructure (PKI) policies 10-32
secure desktop manager policies 10-24, 10-26
secure desktop software 10-61
shared license (ASA) H-114
shared license clients 10-57
shared license server 10-58
understanding 10-2
VPNSM/VPN SPA Settings dialog box H-87
VPN Summary page G-73
VPN topologies
about editing 9-25
adding unmanaged devices 9-17
cloning devices 9-17
Create VPN Topology wizard
Device Selection page G-4
Edit Endpoints dialog box G-10
Endpoints page G-7
Name and Technology page G-3
VPN Defaults page G-28
creating 9-14
defining endpoints and protected networks 9-20, 9-23
deleting 9-28
discovering 9-8
editing 9-27
full mesh 9-4
hub-and-spoke 9-2
joined hub-and-spoke 9-5
managing devices in the device view 9-42
naming 9-16
partial mesh 9-5
point-to-point 9-3
rediscovering 9-13
removing devices from 9-26
selecting devices 9-18
tiered hub-and-spoke 9-5
understanding 9-2
understanding device selection 9-17
VPN Topologies Device View page G-76
working with 9-14
VRF-Aware IPsec
configuring 9-38
one-box solution 9-35
two-box solution 9-36
understanding 9-34
VRF-Aware IPsec tab (site-to-site VPN) G-19
VRRP 14-27
VTY Line dialog box J-94
Accounting tab J-101
Authentication tab J-98
Authorization tab J-99
Setup tab J-95
W
WAN interface card (WIC) 13-27
Warning - Partial VPN Deployment dialog box N-16
warnings
significance of i-liv
Web Filter policy map objects
creating 8-59
match conditions and actions F-135
properties F-136
web filter rules
adding (ASA/FWSM/PIX) 11-54
ASA/FWSM/PIX
deleting 11-4
editing 11-5
moving 11-7
attributes (IOS) I-52
configuring exclusive domains for IOS devices 11-56
configuring for IOS devices 11-56
configuring in Map view 3-17
disabling 11-8
Edit Web Filter Options dialog box I-50
Edit Web Filter Type dialog box I-49
enabling 11-8
exclusive domain names (IOS) I-53
PIX/FWSM/ASA Rules dialog box I-47
understanding 11-54
Web Filter Rules page (ASA/FWSM/PIX) I-45
Web Filter Rules page (IOS) I-51
web filter server properties I-86
working with 11-53
Web Filter Rules page (ASA/FWSM/PIX) I-45
Web Filter Rules page (IOS) I-51
Web Filter Server Configuration dialog box I-86
web filter servers
attributes I-86
configuring settings 11-57
configuring settings in Map view 3-18
configuring zone-based firewall settings in Map view 3-18
Web Filter settings page I-83
Websense
configuring for web filter rules policies 11-57, I-86
configuring for zone based firewall rules policies 8-59, F-78, F-80
Websense class map objects
match criteria F-73
Websense parameter map objects
creating 8-59
properties F-78
web VPN
policy discovery restriction 5-8
Weighted Random Early Detection (WRED) 13-102
Whitelist/Blacklist tab I-38
windows
undocking maps 3-6
Windows Messenger class map objects
match criteria F-64
Windows NT servers
use by ASA, PIX, and FWSM devices 8-17
WINS Server Lists objects
attributes F-204
creating 8-89
wizards
configuring remote access SSL VPNs on ASA devices 10-10
configuring remote access VPNs 10-8, H-1
Copy Policies D-3
Create VPN Topology G-2
creating remote access IPsec VPNs on ASA devices 10-12
creating remote access IPsec VPNs on IOS devices 10-10
creating remote access SSL VPNs on IOS devices 10-8
creating user groups H-6
Discovering VPN Policies G-77
New Device C-2
rediscovering site-to-site VPNs 9-13
rediscovering VPN policies G-80
Share Policies D-6
wizards, using 2-15
workflow
overview 1-7
Workflow mode
changing modes 1-15
comparing with non-Workflow mode 1-14
configuration files
previewing 17-27
configurations
rolling back 17-38
creating activities 7-8
deployment
viewing device details 17-16
viewing job history 17-16
Deployment Manager window N-3
jobs
aborting 17-29
approving 17-22
discarding 17-24
rejecting 17-22
states 17-7
submitting 17-22
opening activities 7-9
selecting 1-12
understanding 1-13
workflow modes
changing 1-15
comparing 1-14
selecting 1-12
Workflow Settings page A-42
working with 5-29
worm attacks
histograms M-55
worm viruses
definition of 12-13
X
Xauth
deploying
IPsec on VPNs 9-78
IKE challenge
from RADIUS servers 9-78
IKE Extended Authentication 10-2
xdm-launcher.exe
device manager 20-5
XLATE table
clearing on deployment 14-81
Y
Yahoo Messenger class map objects
match criteria F-64
Z
zone based firewall
configuring settings in Map view 3-18
zone-based firewall
about 11-61
add/edit zones I-90
advanced options I-60
configuring PAM I-62
configuring settings 11-70
Content Filter tab I-89
designing network zones 11-66
Global Parameters tab I-87
IPSec VPN 11-65
logging 11-61
overview 11-60
page I-87
protocol selection I-61
restrictions 11-63
rules table I-54
Self zone 11-63
tabs 11-70
understanding 11-62
VPN tab I-87
VRF 11-65
WAAS tab I-87
Zones tab I-87
zone based firewall rules
deleting 11-4
disabling 11-8
editing 11-5
enabling 11-8
moving 11-7
zone-based firewall rules
configuring in Map view 3-17
zone-based firewall rules policies
blocking spam using zone-based firewall rules F-69
configuring map objects for content filtering rules 8-59
configuring map objects for inspection rules 8-57
creating zones 8-34
inspection parameters F-74
match conditions for IM applications F-64
match conditions for P2P applications F-64
preventing SMTP DoS attacks F-69
protocol information for IM application inspection F-76
understanding interface role objects 8-33
Zone Contents dialog box I-66
zones
creating 8-34
understanding interface role objects 8-33
Zoom In command 2-9
Zoom Out command 2-9