User Guide for Cisco Security Manager 4.0.1
Index

Numerics

12.1 and 12.2

managing routers 51-2

3DES encryption algorithm

cluster load balancing

using FQDNs 26-18

in IKE proposals 22-2

802.1x

802.1x Policy page 54-5

defining policies 54-4

interface authorization states 54-2

on Cisco IOS routers 54-1

supported topologies 54-3

understanding device roles 54-2

A

AAA

accounting 26-2

authorization 26-2

Cisco IOS routers

AAA Policy page 53-6

Accounting tab 53-10

Authentication tab 53-6

Authorization tab 53-7

Command Accounting dialog box 53-12

Command Authorization dialog box 53-9

defining services 53-4

overview 53-2

supported accounting types 53-3

supported authorization types 53-2

understanding method lists 53-3

configuring access control for IPS 30-19

configuring on firewall devices 39-19

credentials for device access 3-4

defining policies 39-22

device administration 39-22

local fallback 39-21

network access 39-22

PIX/ASA/FWSM 50-36

Accounting tab 50-38

Authentication tab 50-37

Authorization tab 50-38

support 39-20

understanding 39-19

user authentication 26-2

VPN access 39-22

AAA authentication groups

predefined 6-23

AAA firewall

MAC exempt lists 13-20

AAA Firewall page

Advanced Setting tab 13-16

AAA firewall policy

advanced settings 13-16

configuring 13-5

AAA rules

AAA Rules page 13-9

ACL naming conventions 12-5

combining rules

example 12-23

interpreting results 12-21

procedure 12-19

configuring AAA firewall settings (PIX/ASA/FWSM) 13-5

configuring AuthProxy settings (IOS) 13-8

configuring for ASA/PIX/FWSM devices 13-4

configuring for IOS devices 13-7

configuring in Map view 29-22

configuring settings

for IOS devices in Map view 29-23

for PIX/ASA/FWSM in Map view 29-23

deleting 12-8

disabling 12-17

editing 12-9

enabling 12-17

managing 13-1

moving 12-16

preserving ACL names 12-4

properties 13-11

understanding 13-1

understanding how users authenticate 13-2

understanding NAT effects 12-3

understanding processing order 12-2

AAA Rules page 13-9

AAA server group objects

attributes 6-38

creating 6-37

default server groups on IOS devices 6-24

predefined authentication groups 6-23

understanding 6-20

AAA server objects

creating 6-25

HTTP-FORM settings 6-35

Kerberos settings 6-31

LDAP settings 6-32

NT settings 6-34

RADIUS settings 6-28

SDI settings 6-34

supported additional types for ASA/PIX/FWSM 6-21

supported types 6-21

TACACS+ settings 6-30

understanding 6-20

AAA servers

external servers 26-2

supported types on ASA, PIX, FWSM devices 6-21

Abort the Job dialog box 8-48

About Security Manager command 1-28

ABR

definition 46-2

access control list objects

creating 6-40

extended objects 6-41

standard objects 6-43

web objects 6-44

access control lists

GET VPN security policies 25-10

policy discovery 5-15

access control lists (ACLs)

names preserved during discovery 12-4

naming conventions 12-5

resolving naming conflicts 12-6

access controls

configuring ACL names 14-16

configuring settings 14-16

configuring settings in Map view 29-23

Access Control Settings page 14-17

Access Group tab (IGMP) 45-5

Access Interface Configuration dialog box (ASA) 27-87

Access page (ASA) 27-2

access permissions

maps 29-8

access policies

configuring 26-45

access ports

Create and Edit Interface dialog boxes-Access Port mode 58-9

understanding 58-5

access rule

look up

from device managers 60-6

access rules

access control settings 14-17, 14-19

Access Rules page 14-8

ACL naming conventions 12-5

address requirements 14-5

Advanced dialog box 14-13

combining rules

example 12-23

interpreting results 12-21

procedure 12-19

configuring 14-7

configuring access control settings 14-16

configuring in Map view 29-22

controlling non-IP layer-2 traffic 19-1

deleting 12-8

disabling 12-17

Edit Firewall Rule Expiration dialog box 14-15

editing 12-9

enabling 12-17

examples of event analysis

user access to server blocked 59-45

expiration dates 14-16

finding from CS-MARS events 60-23

finding from Event Viewer events 59-43

generating analysis reports 14-21

hit counts

analyzing results 14-26

generating 14-23

how deployed 14-5

import examples 14-32

importing 14-28

IPS blocking, effect of 37-4

managing 14-1

moving 12-16

optimizing during deployment 14-34

packet tracer, analyzing with 60-1

preserving ACL names 12-4

rule attributes 14-11

sharing ACLs among interfaces 11-10

syslog messages supported for look-up 60-24

understanding 14-1

understanding device-specific behavior 14-4

understanding global 14-3

understanding NAT effects 12-3

understanding processing order 12-2

understanding requirements when using inspection 15-4

viewing related CS-MARS events 60-20

Access Rules page 14-8

accounts and credentials

Cisco IOS routers

overview 53-13

PIX/ASA/FWSM

user accounts 42-6

user accounts, add/edit 42-7

accounts and credentials policies

Accounts and Credentials Policy page 53-15

User Accounts dialog box 53-17

ACLs

configuring names 14-16

ACS user authorization

configuring notifications when unavailable 1-19

how permissions affect what you can do 1-9

Active/Active failover

about 41-2

command replication 41-3

configuration synchronization 41-3

Active/Standby failover 41-2

activities

accessing functions 4-7

Activity Manager window 4-8

Approved state 4-4

approving 4-2, 4-16

benefits of 4-2

closing 4-12

creating 4-10

discarding 4-17

Edit state 4-4

locking 4-3

managing 4-1

multiple users 4-4

opening 4-11

overview 1-11

rejecting 4-16

responding to the Activity Required dialog box 4-11

states 4-4

Submitted state 4-4

submitting for approval 4-15

understanding 4-1

validating 4-14

viewing change reports 4-12

viewing status and history 4-18

working with 4-6

Activities menu 1-27

Activity Manager command 1-26

Activity Manager window 4-8

Activity Required dialog box 4-11

Add/Edit AnyConnect Client Image dialog box (ASA) 27-101

Add/Edit AnyConnect Client Profile dialog box (ASA) 27-101

Add/Edit Collector dialog box 44-2

Add/Edit Connection Profile dialog box

SSL tab

Add/Edit Connection Alias dialog box 27-32

Add/Edit Connection URL dialog box 27-32

Add/Edit Content Rewrite dialog box (ASA) 27-91

Add/Edit DAP Entry Dialog Box > Device 27-48

Add/Edit File Encoding dialog box (ASA) 27-93

Add/Edit Multicast Route dialog box 45-8, 45-10

description 45-9

Add/Edit PIM Neighbor Filter dialog box 45-13

Add/Edit Plug-in Entry dialog box (ASA) 27-99

Add/Edit Proxy Bypass dialog box (ASA) 27-97

Add AAA Rule dialog box 13-11

Add AAA Server dialog box 6-26

Add AAA Server Group dialog box 6-38

Add Access List dialog box (Allowed Hosts policy) 30-7

Add an Entry dialog box 33-26

Add AOL Class Map dialog box 15-22, 18-17

Add A Port Forwarding Entry dialog box 28-43

Add ASA Group Policies dialog box

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

overview 28-1

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

Technology settings 28-1

Add A Smart Tunnel Entry dialog box 28-66

Add Auto Signon Rules dialog box 28-17

Add Cat6k Block Vlan dialog box 37-17

Add Certificate dialog box 11-15

Add Certificate Filter dialog box 21-52

Add Cisco Secure Desktop Configuration dialog box 28-21

Add Client Access Rules dialog box 28-10

Add Client Update dialog box 28-76

Add Column dialog box 28-60

Add Custom Pane dialog box 28-60

Add Custom Signature dialog box 33-12

Add DCE/RPC Map dialog box 15-23

Add Destinations dialog box 12-10

Add Device from Network wizard

Device Credentials page 3-38

Add Devices to Group command 1-22

Add Devices to Group dialog box 3-56

Add DNS Class Map dialog box 15-22

Add DNS Map dialog box

Filtering tab 15-26

overview 15-24

Protocol Conformance tab 15-26

Add eDonkey Class Map dialog box 15-22, 18-17

Add ESMTP Map dialog box 15-30

Add Extended Access Control Entry dialog box 6-47

Add Extended Access List dialog box 6-45

Add External Filter dialog box 18-39

Add FastTrack Class Map dialog box 15-22, 18-17

Add File Object dialog box 28-24

Add Firewall Rule dialog box 14-11

Add FlexConfig dialog box 7-27

Add FTP Class Map dialog box 15-22

Add FTP Map dialog box 15-33

Add Gnutella Class Map dialog box 15-22, 18-17

Add Group dialog box 3-55

Add Group Member dialog box 25-19

Add GTP Map dialog box 15-36

Add H.323 Class Map dialog box 15-22, 18-17

Add H.323 Map dialog box 15-41, 18-32

Add HSI Endpoint IP Address dialog box 15-43

Add HSI Group dialog box 15-43

Add HTTP Class Map dialog box 15-22, 18-17

Add HTTP Map dialog box 18-32

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab 15-48

Extension Request Method tab 15-50

General tab 15-47

overview 15-45

Port Misuse tab 15-51

RFC Request Method tab 15-49

Transfer Encoding tab 15-52

ASA 7.2+ and PIX 7.2+ devices 15-53

Add ICQ Class Map dialog box 15-22, 18-17

Add IKE Proposal dialog box 28-26

Add IMAP Class Map dialog box 15-22, 18-17

Add IMAP Map dialog box 18-32

Add IM Class Map dialog box 15-22

Add IM Map dialog box 18-32

ASA and PIX device 15-59

IOS device 15-62

Add Inspect/Application FW Rule wizard

Address and Port page 15-11

Inspected Protocol page 15-14

Match Traffic page 15-10

Add Inspect Parameter Map dialog box 18-28

Add Interfaces dialog box 12-11

Add Interface Specific Authentication Server Groups dialog box 27-24

Add Interface Specific Client Address Pools dialog box 27-21

Add IP Options Map dialog box 15-64

Add IPsec Pass Through Map dialog box 15-65

Add IPSec Transform Set dialog box 28-28

Add Kazaa2 Class Map dialog box 15-22, 18-17

Add Key Server dialog box 25-19

Add Language dialog box 28-54

Add LDAP Attribute Map dialog box 28-31

Add LDAP Attribute Map Value dialog box 28-32

Add Link command 1-25

Add Link dialog box 29-20

Add Local Rules command 1-24

Add Local Web Filter Class Map dialog box 15-22, 18-17

Add Local Web Filter Parameter Map dialog box 18-36

Add Map Object command 1-25

Add Map Object dialog box 29-17

Add Map Value dialog box 28-33

Add Match Condition and Action dialog box

DNS policy maps 15-27

ESMTP policy maps 15-31

FTP policy maps 15-34

GTP policy maps 15-39

H.323 (IOS) policy maps 18-33

H.323 policy maps 15-44

HTTP (Zone Based IOS) policy maps 18-33

HTTP policy maps 15-55

IM (Zone Based IOS) policy maps 18-33

IMAP policy maps 18-33

IM policy maps 15-60

P2P policy maps 18-33

POP3 policy maps 18-33

SIP (IOS) policy maps 18-33

SIP policy maps 15-69

Skinny policy maps 15-74

SMTP policy maps 18-33

Sun RPC policy maps 18-33

Web Filter policy maps 18-33

Add Match Criterion dialog box

AOL class maps 18-19

DNS class maps 15-27

eDonkey class maps 18-19

FastTrack class maps 18-19

FTP class maps 15-34

Gnutella class maps 18-19

H.323 (IOS) class maps 18-20

H.323 class maps 15-44

HTTP (IOS) class maps 18-20

HTTP class maps 15-55

ICQ class maps 18-19

IMAP class maps 18-22

IM class maps 15-60

Kazaa2 class maps 18-19

Local Web Filter class maps 18-27

MSN Messenger class maps 18-19

N2H2 class maps 18-28

POP3 class maps 18-22

SIP (IOS) class maps 18-23

SIP class maps 15-69

SMTP class maps 18-24

Sun RPC class maps 18-27

Websense class maps 18-28

Windows Messenger class maps 18-19

Yahoo Messenger class maps 18-19

Add MSN Messenger Class Map dialog box 15-22, 18-17

Add N2H2 Parameter Map dialog box 18-37

Add N2H2 Web Filter Class Map dialog box 15-22, 18-17

Add NAT Rule dialog box

ASA 8.3+ 20-35

Add NetBIOS Map dialog box 15-66

Add Network/Host dialog box

General tab 6-65

NAT tab 20-38

Add New Device wizard

Device Credentials page 3-38

Add New Security Association dialog box 21-52

Add or Edit Status Providers dialog box 11-36

Add Other Devices dialog box 8-51

Add P2P Map dialog box 18-32

Add Permit Response dialog box 15-38

Add PIX/ASA/FWSM Web Filter Rule dialog box 16-5

Add PKI Enrollment dialog box

CA Information tab 28-35

Certificate Subject Name tab 28-40

Enrollment Parameters tab 28-39

overview 28-33

Trusted CA Hierarchy tab 28-42

Add POP3 Class Map dialog box 15-22, 18-17

Add Port Forwarding List dialog box 28-42

Add Port List dialog box 6-71

Add Protocol Info Parameter Map dialog box 18-31

Add Regular Expression dialog box 15-77

Add Regular Expression Group dialog box 15-76

Address Pools

PIX/ASA/FWSM 20-17

add/edit 20-18

address pools

overriding in connection profiles 26-7

Add Row command 1-23

Add Rule Section dialog box 12-18

Add Secondary Interface Specific Authentication Server Groups dialog box 27-24

Add Server dialog box

Protocol Info Parameter maps 18-32

Add Service dialog box 6-72

Add Services dialog box 12-11

Add Single Sign On Server dialog boxes 28-44

Add SIP Class Map dialog box 15-22, 18-17

Add SIP Map dialog box 15-67, 18-32

Add Skinny Map dialog box 15-73

Add SLA Monitor dialog box 42-9

Add Smart Tunnel Lists dialog box 28-65

Add SMTP Class Map dialog box 15-22, 18-17

Add SMTP Map dialog box 18-32

Add SNMP Map dialog box 15-75

Add Sources dialog box 12-10

Add SSL VPN Customization dialog box 28-49

Applications 28-58

Copyright Panel 28-56

Custom Panes 28-59

Full Customization 28-57

Home Page 28-61

Informational Panel 28-56

Language 28-53

Logon Form 28-55

Logout Page 28-62

Title Panel 28-52

Toolbar 28-58

Add SSL VPN Gateway dialog box 28-63

Add Standard Access Control Entry dialog box 6-49

Add Standard Access List dialog box 6-45

Add Sun RPC Class Map dialog box 15-22, 18-17

Add Sun RPC Map dialog box 18-32

Add TCP Map dialog box 48-17

Add TCP Option Range Dialog Box 48-19

Add Text Object dialog box 7-29

Add Time Range dialog box 6-53

Add Traffic Flow dialog box 48-13

Add Transparent Firewall Rule dialog box 19-5

Add Trend Content Filter Class Map dialog box 15-22, 18-17

Add Trend Parameter Map dialog box 18-40

Add URL Domain Name dialog box 18-43

Add URLF Glob Parameter Map dialog box 18-43

Add URL Filter Parameter Map dialog box 18-41

Add User dialog box 30-17

Add User Group dialog box

Advanced PIX 6.3 settings 28-77

Browser Proxy settings 28-83

Client (IOS) settings 28-73

Clientless settings 28-78

Client VPN Software Update (IOS) settings 28-76

DNS/WINS settings 28-72

General settings 28-70

IOS Xauth Options settings 28-75

overview 28-68

Split Tunneling settings (Easy VPN/remote access IPSec VPN) 28-72

SSL VPN Connection settings 28-84

SSL VPN Full Tunnel settings 28-79

SSL VPN Split Tunneling settings 28-81

Technology settings 28-68

Thin Client settings 28-79

Add User Profile dialog box 37-12

Add Virtual Sensor dialog box 32-7, 32-8

Add Web Access Control Entry dialog box 6-51

Add Web Filter Map dialog box 18-45

Add WebSense Parameter Map dialog box 18-37

Add Websense Web Filter Class Map dialog box 15-22, 18-17

Add Web Type Access List dialog box 6-45

Add Windows Messenger Class Map dialog box 15-22, 18-17

Add WINS Server dialog box 28-85

Add WINS Server List dialog box 28-84

Add Yahoo Messenger Class Map dialog box 15-22, 18-17

Add Zones dialog box 12-11

admin context 49-1

administration

selecting policies to manage 5-10

administrative settings, configuring 11-1

admin password, changing 10-15

ADSL

ADSL Policy page 52-37

ADSL Settings dialog box 52-38

defining settings 52-35

supported operating modes 52-34

ADSL policies

unable to deploy 9-14

Advanced dialog box

access rules 14-13

Advanced Interface Settings

PIX/ASA 50-17

Advanced NAT Options

PIX/ASA/FWSM

add/edit 20-28

Advanced tab (ASA) 27-102

AES encryption algorithm

in IKE proposals 22-2

AIM-IPS interfaces

IPS Module Interface Settings page 52-23

AIP-SSM/SSC

ASA 48-12

Alarm Indication Signal (AIS) cells 52-50

allowed hosts, configuring for IPS 30-7

Allowed Hosts policy 30-7

Analysis Engine global variables

configuring 30-26

analysis reports

generating 14-21

anomaly detection

configuring 35-6

configuring histograms 35-10

configuring learning accept mode 35-8

configuring signatures 35-4

configuring thresholds 35-10

managing 35-1

modes 35-2

understanding 35-1

understanding histograms 35-9

understanding thresholds 35-9

understanding worms 35-2

when to turn off 35-4

zones

overview 35-3

anti-spoofing 47-2

AOL class map objects

creating 18-15

match criteria 18-19

Apply IPS Update command 1-26

Apply IPS Update wizard 10-9

Approve Activity command 1-28

Approve Activity dialog box 4-16

Approved activity state 4-4

Approve Deployment Job dialog box 8-19, 8-37

Area Border Router

See ABR 46-2

ARP

PIX/ASA/FWSM

configuration 50-31

inspection 50-31

inspection, enable/disable 50-32

table 50-30

ARP table

static entry 50-30, 50-31

ASA

ASDM 60-5

Failover

Add Failover Group 41-20

interface configuration 41-22

settings 41-18

failover 41-16

IPS modules 48-12

policy discovery 5-13

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rollback restrictions for failover devices 8-58

rollback restrictions for multiple context mode 8-58

security contexts

allocate interfaces 49-8

configuration 49-7

viewing allocated interfaces 49-9

setting up AUS or CNS 2-8

setting up SSL (HTTPS) 2-3

TCP State Bypass 48-3

ASA 5505

ports and interfaces 39-5

ASA 8.3+

NAT policies

Add/Edit NAT rules dialog boxes 20-35

Translation Rules page 20-32

ASA Cluster Load Balance page 27-17

ASA devices

5505

interfaces, add/edit 50-10

interfaces and ports 50-25

port configuration 50-28

AAA support 6-21

adding or changing modules 3-33

adding SSL thumbprints manually 9-4

configuring for event management 59-26

configuring transparent firewall rules 19-1

defining

DNS server IP address 26-16

Easy VPNs

connection profiles 24-11

enabling

DNS lookups 26-16

FlexConfig object samples 7-18

global access rules 14-3

interfaces 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

licenses 2-11

models supported

VPN cluster load balancing 26-18

monitoring service level agreements 42-7

object group search 14-19

outside IP addresses

associated with DNS entry 26-16

packet tracer, using 60-1

PIX/ASA/FWSM Platform policies 50-1

remote access IPSec VPNs

access policies 26-45

remote access IPsec VPNs

creating using wizard 26-12, 26-14

other settings 26-46

shared license client 26-59

shared license server 26-59

remote access SSL VPNs

access settings 26-44, 26-58

browser plug-ins 26-53, 26-55

client settings 26-56, 26-57

content rewrite rules 26-48

encoding rules 26-50

encoding settings 26-49

performance settings 26-47

proxies 26-51

proxy bypass rules 26-51

proxy bypass settings 26-51

remote access VPNs

access policies (ASA) 27-85, 27-87

advanced settings (ASA) 27-102

AnyConnect client image settings (ASA) 27-101

AnyConnect client profile settings (ASA) 27-101

browser plug-ins (ASA) 27-98, 27-99

certificate to connection profile map policies 26-34, 26-35

certificate to connection profile map rules 26-35, 26-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) 27-70

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) 27-69

Certificate to Connection Profile Maps > Policies page 27-67

Certificate to Connection Profile Maps > Rules page 27-68

client settings (ASA) 27-99

cluster load balancing 26-16, 26-17, 27-17

configuring bookmarks 26-68

configuring portal appearance 26-63

configuring WINS servers for file system access 26-73

connection profiles 26-18, 27-18

content rewrite settings (ASA) 27-90, 27-91

customizing 26-63

dynamic access policies 26-19, 26-20

dynamic access policy (DAP) attributes 26-22, 26-25

Dynamic Access policy page (ASA) 27-33

encoding settings (ASA) 27-91, 27-93

fragmentation settings 27-64

Global Settings page 27-60

group policies 26-31, 27-66

IKE proposals 27-73

IPsec proposals 27-74, 27-75

ISAKMP/IPsec settings 27-60

NAT settings 27-63

other settings (ASA) 27-88

performance settings (ASA) 27-88

post URL method and macro substitutions in bookmarks 26-70

proxy bypass settings (ASA) 27-97

proxy settings (ASA) 27-94

Public Key Infrastructure (PKI) 27-66

secure desktop manager policies 26-26

shared license 27-103

smart tunnels 26-71

selecting for Event Viewer 59-23

selecting policy types to manage 5-10

SSL certificate configuration 11-14

supported OS versions

redirection using FQDNs 26-17

VPN cluster load balancing

3DES/AES license 26-18

overview 26-16

ASA group policies objects

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

technology settings 28-1

ASBR

definition 46-2

ASCII limitations for text 1-34

ASDM

access rule look-up 60-7

device manager 60-5

ASR

zone-based firewall

global parameters 18-48

restrictions 18-3

assignment overview 1-11

Assignments tab, Policy view 5-50

Assign Shared Policy command 1-24

Assign Shared Policy dialog box 5-40

Asymmetric Digital Subscriber Line (ADSL)

on Cisco IOS routers 52-34

Asynchronous Transfer Mode (ATM) 52-46

ATM 52-46

virtual channel connections (VCCs) 52-47

virtual channel identifier (VCI) 52-47

virtual path connections (VPCs) 52-47

virtual path identifier (VPI) 52-47

Attack Response Controller 37-1

attacks

broadcast 15-4

Denial of Service (DoS) 15-5

spoofing 15-4

SYN flooding 15-5

audit logs

configuring default settings 11-31

purging entries 10-14

understanding 10-11

working with 10-11

Audit Message Detail dialog box 10-12

Audit Report command 1-27

audit reports

generating and viewing 10-12

understanding 10-11

working with 10-11

Audit Report window 10-12

AUS

deploying configurations 8-39

deployment method 8-10

setting up 2-7

setting up on PIX Firewall and ASA devices 2-8

authentication

routing protocols 46-2

Authentication-Authorization-Accounting

See AAA 39-19

Authentication Header (AH) protocol 28-31

authentication methods

in IKE proposals 22-3

preshared keys 22-3

RSA signatures 22-3

authentication testing

SSH 2-5

authorization proxy (AuthProxy)

configuring AAA rules 13-7

AuthProxy

configuring settings in Map view 29-23

AuthProxy dialog box 13-15

AuthProxy page 13-22

AuthProxy settings policy

configuring 13-8

autolink

omitting reserved networks from maps 11-2

auto signon rules

ASA group policy objects 28-17

Auto Update Server (AUS)

adding 3-29

licensing 10-3

PIX/ASA/FWSM 43-1

add/edit server 43-3

troubleshooting deployment 9-17

Auto Update Server Properties dialog box 3-31

Available Bit Rate (ABR) 52-47

Available Servers dialog box 3-32

B

background image, map

deleting 29-13

importing 29-13

scale and position 29-13

setting 29-13

backup

event data store 59-24

backup.pl command 10-16

Backup command 1-27

backups, Security Manager database 10-16

Banner

PIX/ASA/FWSM 50-40

banners

configuring on firewall devices 39-24

benefits of product 1-2

BGP routing

BGP Routing Policy page 57-4

defining routes 57-2

Neighbors dialog box 57-6

on Cisco IOS routers 57-1

redistributing routes 57-3

Redistribution Mapping dialog box 57-7

Redistribution tab 57-6

Setup tab 57-4

Bidirectional Neighbor Filter 45-14

Bidirectional Neighbor Filter tab

PIM 45-14

blocking, IPS

configuring 37-7

configuring ARC 37-1

configuring blocking devices 37-14

configuring master blocking sensors 37-13

configuring never block hosts and networks 37-18

configuring router blocking interfaces 37-16

configuring user profiles 37-12

configuring VLAN blocking interfaces 37-17

general options 37-11

master blocking sensor 37-6

policy 37-8

rate limiting 37-4

router and switch blocking devices 37-4

strategies 37-3

understanding 37-1

Blocking page 37-8

Boot image/configuration

PIX/ASA/FWSM 50-41

add 50-42

boot image and configuration settings

configuring on firewall devices 39-24

bootstrap configuration

Failover 41-23

Botnet Traffic Filter Drop Rules Editor 17-13

botnet traffic filter rules

adding static entries 17-5

blocking blacklisted traffic 17-7

configuring DNS snooping 15-16

configuring in Map view 29-23

configuring the dynamic database 17-4

configuring with IPS global correlation 36-1

databases 17-1

Device Blacklist dialog box 17-15

Device Whitelist dialog box 17-15

Drop Rules Editor 17-13

Dynamic Blacklist Configuration tab 17-10

enabling DNS snooping 17-6

field definitions 17-9

illustrations 17-1

mitigating botnet activity 59-50

monitoring

activity using ASDM 59-50

activity using Event Viewer 59-48

overview 59-47

understanding botnet syslog events 59-47

overview 17-1

preserving ACL names 12-4

task flow 17-3

traffic classification 17-7

Traffic Classification dialog box 17-12

Traffic Classification tab 17-11

understanding 17-1

understanding NAT effects 12-3

understanding processing order 12-2

Whitelist/Blacklist tab 17-15

Bridge Groups

FWSM

add/edit 50-24

bridge groups

defining 53-19

FWSM 3.1 39-19

Bridging

PIX/ASA/FWSM 50-29

ARP configuration 50-31

ARP Inspection 50-31

ARP Inspection, enable/disable 50-32

ARP Table 50-30

MAC Address, add/edit 50-34

MAC Address Table 50-33

MAC Learning 50-34

MAC Learning, enable/disable 50-35

Management IP address 50-36

bridging

Cisco IOS routers

Bridge Group dialog box 53-21

Bridging Policy page 53-20

BVI interfaces 53-18

overview 53-18

configuring transparent firewall rules 19-1

PIX/ASA/FWSM

configuring on 39-17

broadcast attacks, preventing 15-4

broadcasts

enabling directed on routers 52-20

browser plug-ins

defining 26-55

understanding 26-53

bypass mode

configuring for IPS 31-12

C

CA server authentication methods

SCEP (Simple Certificate Enrollment Protocol) 22-27

Cat6k Device dialog box 37-14

Catalyst 6500/7600 devices

configuring FWSM in site-to-site VPNs 21-43

configuring SSH 2-6

default transport protocol 11-13

deployment 8-26

FlexConfig object samples 7-20

IPS blocking devices 37-4

policy discovery for FWSM 5-13

rollback restrictions 8-59

Catalyst 6500/7600 switches

including in deployment jobs 8-26

Catalyst devices

policy discovery 5-13

remote access VPNs

Dynamic VTI/VRF Aware IPsec settings 27-81

high availability 27-71

IPsec proposals 27-77

user group policies 27-84

VPNSM/VPN SPA settings 27-80

Catalyst platform policies

IDSM settings policy

Create and Edit IDSM Data Port VLANs dialog boxes 58-50

Create and Edit IDSM EtherChannel VLANs dialog boxes 58-49

IDSM Settings page 58-48

IDSM Slot-Port Selector dialog box 58-51

interfaces/VLANs policy

Access Port Selector dialog box 58-30

Create and Edit Interface dialog boxes-Access Port mode 58-9

Create and Edit Interface dialog boxes-Dynamic Port mode 58-18

Create and Edit Interface dialog boxes-Other mode 58-24

Create and Edit Interface dialog boxes-Routed Port mode 58-12

Create and Edit Interface dialog boxes-subinterfaces 58-22

Create and Edit Interface dialog boxes-Trunk Port mode 58-14

Create and Edit VLAN dialog boxes 58-29

Create and Edit VLAN Group dialog boxes 58-34

Interfaces tab 58-7

Service Module Slot Selector dialog box 58-35

Summary tab 58-3

Trunk Port Selector dialog box 58-31

VLAN Groups tab 58-33

VLAN Selector dialog box 58-36

VLANs tab 58-28

VLAN access lists policy

Create and Edit VLAN ACL Content dialog boxes 58-42

Create and Edit VLAN ACL dialog boxes 58-41

VLAN Access Lists page 58-39

Catalyst Summary Info command 1-26

Catalyst switches

configuring SSH 2-6

default transport protocol 11-13

showing modules, security contexts, and virtual sensors 3-46

Catalyst switches/7600 routers

troubleshooting deployment 9-15

Catalyst switches and 7600 devices

IDSM mode support 58-44

interface deployment failure 9-15

internal VLAN deployment failure 9-16

supported VTP modes 58-1

Catalyst switches and 7600 Series routers

access ports 58-5

Catalyst Summary Info page 58-2

defining IDSM Data Port VLANs 58-46

defining IDSM EtherChannel VLANs 58-45

defining ports 58-5

defining VACLs 58-37

defining VLAN groups 58-32

defining VLANs 58-26

deleting IDSM Data Port VLANs 58-48

deleting IDSM EtherChannel VLANs 58-46

deleting ports 58-7

deleting VACLs 58-39

deleting VLAN groups 58-33

deleting VLANs 58-27

discovering policies 58-1

generating interface names 58-6

IDSM settings 58-44

IDSM Settings page 58-48

interfaces 58-5

managing 58-1

routed ports 58-5

trunk ports 58-5

viewing interface and VLAN summary 58-3

VLAN Access Lists page 58-39

VLAN ACLs (VACLs) 58-36

VLAN groups 58-32

VLANs 58-25

Catalyst VPN Service Port Adapters (VSPAs)

configuring 21-38

Catalyst VPN Services Module (VPNSM)

configuring 21-38

configuring in remote access VPNs 26-40

Catalyst VPN Shared Port Adapter (VPN SPA)

configuring 21-38

configuring in remote access VPNs 26-40

categories

using 6-9

cautions

significance of i-liii

CDP

configuring mode for IPS 31-13

CEF Interface Settings dialog box 52-26

CEF interface settings policies 52-24

certificates, SSL

adding thumbprints manually 9-4

configuring default settings for how handled 11-14

certificate to connection profile map policies

configuring 26-35

understanding 26-34

certificate to connection profile map rules

configuring 26-36

understanding 26-35

Change Report dialog box 4-14

change reports

selecting session in non-Workflow mode 4-14

viewing 4-12

Change Reports command 1-27

Checkpoint migration

configuring object group search on ASA 8.3+ devices 14-19

Cisco 7600 Series routers

managing 58-1

Cisco Configuration Engine

troubleshooting device setup and deployment 9-18

Cisco Discovery Protocol (CDP)

enabling CDP on router interfaces 52-18

Cisco Express Forwarding (CEF)

CEF Interface Settings policy 52-25

CEF router interface settings policies 52-24

importance for QoS 56-2

Cisco IOS IPS

effect of load balancing 38-7

configuration files 38-3

configuration overview 38-3

configuring 38-1

configuring general settings 38-7

configuring interface rules 38-8

getting started 30-1

initial preparation of router 38-5

lightweight signature engines 38-2

limitations and restrictions 38-3

selecting signature category 38-6

understanding 38-1

understanding subsystems and revisions 38-2

Cisco IOS Routers

configuring IOS IPS 38-1

IPS blocking devices 37-4

Cisco IOS routers

802.1x 54-1

AAA 53-2

accounts and credentials 53-13

ADSL 52-34

advanced interface settings 52-13

available interface types 52-2

basic interface settings 52-1

BGP routing 57-1

CNS call-home mode 2-10

CNS event-bus mode 2-9

configuring SSH 2-6

CPU settings 53-25

default AAA server groups 6-24

deploying configurations using TMS 8-41

dialer interfaces 52-27

discovering policies 51-3

Domain Name System (DNS) 53-75

Dynamic Host Configuration Protocol (DHCP) 53-88

EIGRP routing 57-8

host and domain names 53-78

HTTP 53-28

interface deployment failure 9-14

IOS 12.1 and 12.2 51-2

licenses 2-12

line access 53-35

managing 51-1

memory settings 53-79

NAT 20-5

designating interfaces 20-6

dynamic rules 20-10

static rules 20-6

timeouts 20-13

NetFlow 55-1, 55-5, 55-12

Network Admission Control (NAC) 54-8

Network Time Protocol (NTP) 53-97

optional SSH settings 53-63

OSPF routing 57-19

permanent virtual connections (PVCs) 52-46

platform policies 51-1

Point-to-Point Protocol (PPP) 52-70

policy discovery 5-13

quality of service (QoS) 56-1

RIP routing 57-42

Secure Device Provisioning (SDP) 53-82

setting up SSL (HTTPS) 2-4

SHDSL 52-40

SNMP 53-67

static routing 57-50

syslog logging 55-1

time zone settings 53-22

transparent bridging 53-18

Cisco IOS Software

FlexConfig object samples 7-20

selecting policy types to manage 5-10

Cisco Secure Desktop configuration objects

creating 26-61

Cisco Security Management Suite server

logging into or exiting 1-15

Cisco Technical Assistance Center

creating diagnostic file 10-19

Cisco Trust Agent (CTA) 54-9

CiscoWorks Common Services

backing up and restoring Security Manager 10-16

logging into or exiting 1-15

CiscoWorks user authorization, effect on what you can do 1-9

Class-Based Policing 56-6

class maps

understanding 6-60

Clear Connection Configuration dialog box 13-19

CLI commands

FlexConfig objects 7-2

client connection characteristics

Client Connection Characteristics page 24-15

configuring policies for Easy VPN 24-12

clientless access mode 26-4

client settings

configuring 26-57

understanding 26-56

Clock

PIX/ASA/FWSM 50-42

clock

Cisco IOS routers

overview 53-22

configuring on firewall devices 39-25

clock settings

Cisco IOS routers

Clock Policy page 53-23

Clone Device command 1-22

Close Activity command 1-27

cluster load balancing

configuring 26-17

redirection using FQDNs

3DES/AES 26-18

ASA outside IP addresses 26-16

instead of IP addresses 26-17

OS versions supported 26-17

overview 26-16

reverse DNS lookup 26-16

understanding 26-16

CNS

call-home mode 2-10

deploying configurations 8-39

deployment method 8-10

event-bus mode 2-9

setting up on PIX Firewall and ASA devices 2-8

Combine Rules Selection Summary dialog box 12-21

commands

Activities menu 1-27

Edit menu 1-23

File menu 1-22

Help menu 1-28

Map menu 1-24

Policy menu 1-24

Tools menu 1-25

View menu 1-23

Common Services

licensing 10-3

communication, device

troubleshooting 9-7

configuration

initial Security Manager 1-17

understanding rollback 8-57

Configuration Archive

adding configurations from devices 8-52

overview 8-14

rolling back to archived configuration files 8-64

rolling back when deploying to file 8-65

settings 11-3

version viewer 8-54

viewing and comparing configuration versions 8-53

viewing transcripts 8-55

window 8-22

Configuration Archive command 1-27

Configuration Archive page 11-3

Configuration Engine

adding 3-29

CNS call-home mode 2-10

CNS event-bus mode 2-9

setting up 2-7

Configuration Engine Properties dialog box 3-31

configuration files

deploying in non-Workflow mode 8-27

deploying in Workflow mode 8-32, 8-37

deploying to 8-11

deploying to an AUS or CNS 8-39

deploying to a TMS 8-41

deployment process overview 8-1

factory-default configurations 39-1

previewing 8-42

redeploying to devices 8-46

rolling back after deploying to file 8-65

rolling back to archived configurations 8-64

rolling back to devices 8-62

selecting 1-35

web VPN policy discovery restrictions 3-7

configuration location, configuring for IOS IPS 38-7

configurations

adding to the Configuration Archive 8-52

avoiding out-of-band changes 8-45

detecting out-of-band changes 8-43

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rolling back 8-56

rolling back Catalyst 6500/7600 8-59

rolling back failover devices 8-58

rolling back IPS and IOS IPS 8-59

rolling back multiple context mode 8-58

understanding out-of-band changes 8-12

viewing and comparing 8-53

configuration session

selecting session for change reports 4-14

viewing change reports 4-12

configuration sessions

discarding 4-17

configuration views 1-5

Configure dialog box 15-18

Configure DNS dialog box 15-16

Configure ESMTP dialog box 15-16

Configure Fragments dialog box 15-17

Configure Hardware Ports

ASA 5505 50-28

Configure IMAP dialog box 15-17

Configure POP3 dialog box 15-17

Configure RPC dialog box 15-18

Configure SMTP dialog box 15-16

Config Version Viewer (Preview Configuration) dialog box 8-42

connection

PIX/ASA/FWSM

rules 48-5

rules wizard 48-6

tab 48-8

Connection Profile dialog box

AAA tab 27-21

General tab 27-19

IPSec tab 27-27

Secondary AAA tab 27-25

SSL tab 27-29

Connection Profile page (ASA) 27-3

connection profiles

configuring 26-18

configuring for Easy VPN 24-11

properties

AAA 27-21

general 27-19

IPSec 27-27

policy overview 27-18

secondary AAA 27-25

SSL 27-29

sharing among multiple ASAs 26-7

understanding 26-18

Connection Profiles page 27-18

Add/Edit Connection Profile dialog box

IPSec tab 27-29

SSL tab 27-29

Connection Profiles Policy page

Add/Edit Connection Profile dialog box

IPSec tab 27-27

connection timeout

device communication settings 11-13

connectivity, testing device 9-1

console

Cisco IOS routers

AAA tab 53-44

Accounting tab 53-47

Authentication tab 53-44

Authorization tab 53-45

Console Policy page 53-42

Setup tab 53-42

console port

Cisco IOS routers

defining AAA settings 53-37

defining setup parameters 53-35

Console timeout

PIX/ASA/FWSM 40-1

Constant Bit Rate (CBR) 52-48

contact credentials

configuring on firewall devices 39-26

contained modules

showing 3-46

content rewrite rules

defining 26-48

understanding 26-48

Content Rewrite tab (ASA) 27-90

Context-Based Access Control

choosing interfaces 15-3

configuring 15-5

preventing DoS attacks on IOS devices 15-5

selecting protocols 15-3

understanding 15-2

understanding access rule requirements 15-4

Context Editor dialog box (IOS) 27-105

contexts

see "security contexts" 49-1

continuity check (CC) cells 52-50

control plane (CP)

defining QoS on 56-13

policing on 56-9

Control Plane Policing 56-9

conventions i-liii

Copy command 1-23, 12-8

Copy Policies Between Devices command 1-24

Copy Policies wizard 5-30

CPU settings

defining utilization settings 53-25

overview 53-25

CPU Threshold

PIX/ASA/FWSM 50-44

CPU utilization

CPU Policy page 53-26

Create a Clone of Device dialog box 3-46

Create Activity dialog box 4-10

Create a Policy dialog box 5-50

Create Discovery Task dialog box 5-18

Create Filter dialog box 1-31

Create Overrides for Device dialog box 6-16

Create Text Object dialog box 7-29

Create VPN Topology wizard

Device Selection page 21-29

Edit Endpoints dialog box 21-31

Endpoints page 21-31

GET VPN Group Encryption page 21-49

GET VPN Peers page 21-54

High Availability page 21-46

Name and Technology page 21-28

overview 21-26

VPN Defaults page 21-55

credential objects

attributes 28-23

Credentials

PIX/ASA/FWSM 50-44

credentials

device manager validation 60-3

IPS module 3-15

service module 3-14

testing 9-1

understanding device 3-4

Credentials page

HTTPS port number

overriding with HTTP policy 3-39

Credentials page, device properties 3-38

crypto maps

dynamic 22-6

in IPsec proposals 22-6

static 22-6

CSDM Policy Editor dialog box 27-59

CS-MARS

access to Security Manager 60-16

comparing to other event managers 59-6

configuring servers 11-4

discovering or changing controller used by device 60-17

events

historical and real-time lookup 60-19

looking up 60-19

integrating with Security Manager 60-13

integration with Security Manager 60-14

looking up Security Manager policies based on events 60-23

NetFlow 60-26

query

troubleshooting 60-18

registering in Security Manager 60-16

supported log messages 60-24

viewing access rule events 60-20

viewing IPS signature events 60-22

CS-MARS page 11-4

CSMDiagnostics.zip

setting debug options 11-6

CSMDiagnostics.zip file, creating 10-19

CSM tab, Licensing page 11-27

Customize Desktop Settings page 11-5

Custom Protocol dialog box 15-18

Cut command 1-23, 12-8

D

database

backing up 10-16

backing up and restoring 10-16

restoring 10-18

DCE/RPC policy map objects

creating 15-19

properties 15-23

DCS.properties file

DCS.doSerialAccessForFWSMVCs property 9-16

DCS.FWSM.checkThreshold property 9-16

SSH settings 9-6

warning message expression properties 9-9

DDNS

PIX/ASA/FWSM 43-14

add interface rules 43-14

update methods 43-15

update methods, add/edit 43-16

dead-peer detection (DPD) 22-13

debugging

configuring debug levels 11-6

Debug Options page 11-6

defaults, configuring 11-1

Defaults page 27-16

Delete Device command 1-22

Delete Map command 1-25

Delete Map dialog box 29-10

Delete Row command 1-23

Denial of Service (DoS)

preventing in SMTP using zone based firewall 18-24

denial of service (DoS)

preventing using unicast reverse path forwarding (uRPF) 52-20

Denial of Service (DoS) attacks

configuring inspection settings to mitigate 15-80

preventing on IOS devices using inspection 15-5

Deploy command 1-22

Deploy Job dialog box 8-37

deployment

Add Other Devices dialog box 8-51

Auto Update Server 8-39

Catalyst 6500/7600 devices 8-26

changes not deployed when using schedules 8-49

changing device message severity level to ignore errors 9-9

changing FWSM multiple-context deployment to serial 9-16

Cisco Networking Services configuration engine 8-39

configuration files, to 8-11

configurations 8-27

configuring as a status provider 60-9

creating jobs in Workflow mode 8-33

creating or editing schedules 8-49

Deployment Manager window 8-15

device communication settings 9-4

devices, directly to 8-9

devices, through intermediate server 8-10

Edit Deploy Method dialog box 8-29

Edit Selected Deployment Method dialog box 8-29

errors

OS version mismatches 8-13

handling OS version mismatches 8-13

managing 8-1

methods 8-8

minimum memory errors for ASA 8.3+ 9-11

non-Workflow mode 8-3

optimizing access rules 14-34

out-of-band changes

avoiding 8-45

detecting and analyzing 8-43

understanding 8-12

process overview 8-1

rolling back archived configurations 8-64

rolling back configurations 8-56

rolling back configurations, Catalyst 6500/7600 8-59

rolling back configurations, command conflicts 8-61

rolling back configurations, commands to recover from failover misconfiguration 8-62

rolling back configurations, failover devices 8-58

rolling back configurations, IPS and IOS IPS devices 8-59

rolling back configurations, multiple context mode 8-58

rolling back configuration when deploying to file 8-65

rolling back to last deployed configuration 8-62

setting debug options 11-6

SSL handshake failure 2-2

suspending or resuming schedules 8-52

system settings 11-7

task flow

non-Workflow mode 8-4

Workflow mode 8-5

tips for successful jobs 8-26

TMS server 8-41

troubleshooting 9-1, 9-9

ADSL or PVC deployment failures 9-14

AUS problems 9-17

Catalyst interface settings 9-15

Catalyst internal VLANs 9-16

Catalyst switch and modules 9-15

Configuration Engine problems 9-18

Error Writing to Server messages 9-15

HTTP Response Code 500 messages 9-15

layer 2 interfaces 9-14

mixing deployment methods with routers and VPNs 9-13

router interface settings 9-14

routers 9-14

Security Manager cannot contact device 9-11

VPNs with routing processes 9-12

troubleshooting device communication 9-7

troubleshooting router connection failures 2-2

troubleshooting SSL certificate errors 9-4

troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 21-16

understanding 8-1

understanding configuration rollback 8-57

using a Cisco Networking Services (CNS) server 8-39

viewing device details 8-25

viewing job summary 8-25

viewing status and history for jobs and schedules 8-24

viewing transcripts 8-55

Warning - Partial VPN Deployment dialog box 8-30

Workflow mode 8-5, 8-32, 8-37

working with 8-24

Deployment—Create or Edit a Job dialog box 8-33

deployment jobs

aborting 8-48

approval 8-7

approving 8-37

creating and editing in non-Workflow mode 8-27

creating and editing in Workflow mode 8-33

Deployment Manager 8-15

discarding 8-39

including devices in 8-8

multiple users 8-8

redeploying 8-46

rejecting 8-37

states

non-Workflow mode 8-4

Workflow mode 8-6

submitting 8-36

viewing history 8-25

Deployment Manager

overview 8-14, 8-15

Deployment Manager command 1-26

Deployment Manager window 8-15

Deployment Schedules tab 8-19

Deployment Settings page 11-7

Deployment Status Details dialog box 8-30

Deployment Workflow Commentary dialog boxes 8-19

Deploy Saved Changes dialog box 8-27

DES encryption algorithm

in IKE proposals 22-2

Designated Router

PIX/ASA/FWSM 45-12

Destination Contents dialog box 12-12

Dest Port Map dialog box 35-12

device

AAA administration 39-22

export inventory 3-49

viewing inventory status 60-9

Device Access

FWSM

Resources, add/edit 42-3

PIX/ASA/FWSM 40-1

console timeout 40-1

host name 42-1

HTTP configuration 40-2

HTTP page 40-2

ICMP rules 40-3

ICMP rules, add/edit 40-4

Management Access interface 40-5

Secure Shell (SSH) 40-5

Secure Shell, add/edit host 40-6

Server Access 43-1

SNMP host access 40-11

SNMP page 40-8

SNMP Trap configuration 40-9

Telnet configuration 40-12

Telnet page 40-11

user accounts 42-6

user accounts, add/edit 42-7

device access policies

defining 53-14

Device Admin

FWSM

Resources 42-3

device administration policies

configuring on firewall devices 39-19

device authentication

adding SSL thumbprints manually 9-4

SSL certificate default configuration 11-14

Device Blacklist dialog box 17-15

device communication

changing device message severity level 9-9

managing settings 9-4

routers without K8/K9 crypto image 9-7

Security Manager cannot contact device after deployment 9-11

troubleshooting failures 9-7

Device Communication page 11-12

device communications

troubleshooting 9-1

device communication settings

connection timeout 11-13

retry count 11-13

socket read timeout 11-13

Device Connectivity Test dialog box 9-3

device credentials

understanding 3-4

Device Credentials page 3-38

Device Delete Validation dialog box 3-48

device groups 3-52, 3-55

adding or removing devices 3-56

creating group types 3-55

deleting groups or types 3-56

understanding 3-52

Device Groups page 3-41, 11-16

Device Information page - Add Device from File 3-26

Device Information page - Configuration File 3-18

Device Information page - Network 3-9

Device Information page - New Device 3-21

device inventory

exporting

DCR, CS-MARS, Security Manager formats 3-49

overview 3-49

using command line utility 3-50

managing 3-1

testing device connectivity 9-1

understanding 3-1

understanding contents 3-3

working with 3-29

device manager

access rule look up 60-6

ASDM 60-5

access rule look-up 60-7

credentials 60-3

IDM 60-4

PDM 60-4

prerequisites 60-5

SDM 60-5

access rule look-up 60-8

starting from Security Manager 60-3

troubleshooting 60-5

xdm-launcher.exe 60-5

Device Manager command 1-26

Device OS Management command 1-27

Device Properties

Credentials page 3-38

Device Groups page 3-41

General page 3-34

Policy Object Override pages

general reference 3-42

device properties

changes with policy effects 3-44

changing critical 3-42

image version changes with no policy effects 3-43

understanding 3-5

viewing or changing 3-34

Device Properties command 1-25

Device Properties page

creating object overrides 6-14

deleting overrides 6-17

overview 3-34

device response

to appear as an error message 9-9

devices

adding 3-6

adding configurations to the Configuration Archive 8-52

adding from configuration files 3-16

adding from inventory file 3-24

adding from network 3-8

adding local rules to shared policies 5-41

adding manually 3-20

adding or changing modules 3-33

assigning shared policies 5-40

avoiding out-of-band changes 8-45

changing critical properties 3-42

cloning or duplicating 3-46

communication requirements 2-1

communication settings and certificates 9-4

configuring ASA licenses 2-11

configuring IOS licenses 2-12

configuring local policies 5-29

copying policies between 5-30

copying shared policies 5-43

creating policy object overrides 6-14

deleting from inventory 3-47

deleting policy object overrides 6-17

deployment through intermediate server 8-10

deployment to 8-9

detecting out-of-band changes 8-43

discovering or changing CS-MARS controller 60-17

discovering policies 5-12

discovering policies on existing devices 5-15

dynamic IP addresses 3-29

image version changes with no policy effects 3-43

including in deployment jobs or schedules 8-8

including unmanaged or non-Cisco in a VPN 21-10

inheriting policy rules 5-42

managing operating system 3-52

maps

adding existing managed 29-15

adding new managed 29-15

displaying devices from Device View 29-16

displaying managed 29-15

removing managed 29-16

showing containment for Catalyst switches, ASA, PIX, IPS devices 29-16

modifying policy assignment 5-45

modifying shared policies 5-44

naming conventions 3-3

overview of monitoring 1-14

policy status icons 5-28

preparing for management 2-1

property changes with policy effects 3-44

redeploying configuration files to 8-46

redeploying configurations to replaced hardware 8-47

renaming policies 5-44

replacing policies 5-40

rolling back configurations 8-62, 8-64, 8-65

selecting in site-to-site VPNs 21-29

selecting multiple 1-29

sharing multiple policies 5-38

showing contained modules 3-46

system variables 7-7

testing connectivity 9-1

troubleshooting communication 9-7

troubleshooting communication and deployment 9-1

troubleshooting device discovery failures 3-7

unassigning policies 5-32

understanding out-of-band changes 8-12

unsharing policies 5-39

what counts as a device 3-3

device selector

filtering 1-30

Device Selector dialog box 1-29

Device Server Assignment dialog box 9-8

Device view

adding local rules to shared policies 5-41

assigning shared policies 5-40

configuring local policies 5-29

configuring VPN topologies 21-18

copying policies between devices 5-30

copying shared policies 5-43

inheriting policies 5-42

managing policies 5-27

modifying policy assignments 5-45

modifying shared policies 5-44

overview 1-6

policy banner 5-35

policy shortcut menu 5-36

policy status icons 5-28

renaming policies 5-44

sharing local policies 5-37

sharing multiple policies 5-38

unassigning policies 5-32

understanding basic policy management 5-28

understanding shared policies 5-34

unsharing policies 5-39

device view

understanding 3-1

Device View command 1-23

Device Whitelist dialog box 17-15

DHCP

Cisco IOS routers

defining address pools 53-92

defining policies 53-91

DHCP Database dialog box 53-95

DHCP Policy page 53-93

IP Pool dialog box 53-95

overview 53-88

understanding database agents 53-89

understanding option 82 53-90

understanding relay agents 53-89

understanding secured ARP 53-90

configuring passthrough for IOS devices 19-3

PIX/ASA/FWSM 43-8

add/edit servers 43-9

advanced configuration 43-10

configuring DHCP servers 43-7

server options 43-11

traffic blocked 9-14

DHCP relay

PIX/ASA/FWSM 43-5

add/edit agent 43-6

add/edit server 43-6

diagnostics

setting debug options 11-6

diagnostics file, creating 10-19

dial backup

configuring in Easy VPN 24-2

configuring in VPN 21-36

configuring VPN advanced settings 21-37

Dial Backup Settings dialog box 21-37

dialer interfaces

defining BRI properties 52-29

defining profiles 52-27

Dialer Physical Interface dialog box 52-32

Dialer Policy page 52-30

Dialer Profile dialog box 52-31

on Cisco IOS routers 52-27

Diffie-Hellman groups

in IKE proposals 22-3

Digital Subscriber Line (DSL) 52-34

digital subscriber line-access multiplexer (DSLAM) 52-34

directed broadcasts

enabling 52-20

Disable/enable NAT rules 20-32

Discard Activity command 1-28

Discard Activity dialog box 4-17

Discard command 1-22

Discard Deployment Job dialog box 8-19

discovering

remote access VPNs 26-8

site-to-site VPNs 21-22

Discover Policies on Device command 1-24

Discover VPN Policies command 1-24

Discover VPN Policies wizard 21-22

discovery

default behavior settings 11-17

invalid certificate error 9-6

overview 1-11

security certificate error 9-4, 9-5

setting debug options 11-6

Discovery Settings page 11-17

Discovery Status dialog box 5-21

discovery task

frequently asked questions 5-25

starting 5-15

viewing status 5-20

disk space, monitoring event data store 59-24

Display Actual Size command 1-25

Distributed Traffic Shaping (DTS) 56-6

DMVPN (Dynamic Multipoint VPN)

advantages of using with GRE 23-11

configuring 23-11

configuring GRE modes 23-12

large scale DMVPNs

configuring 23-16

configuring server load balancing 23-17

overview 23-1, 23-9

spoke-to-spoke connections 23-10

supported platforms 21-8

understanding 23-9

DNS

configuring for inspection rules 15-16

PIX/ASA/FWSM

add/edit server group 43-12

add server 43-13

servers page 43-11

DNS class map objects

creating 15-19

match criteria 15-27

DNS policy map objects

creating 15-19

match conditions and actions 15-27

properties 15-24

DNS servers

configuring for IPS global correlation 30-22

DNS snooping 17-6

Dock Map View command 1-25

documentation

conventions i-liii

ordering i-liv

Domain Name System (DNS)

Cisco IOS routers

defining policies 53-76

DNS Policy page 53-77

IP Host dialog box 53-77

overview 53-75

do not ask warnings, resetting 11-5

DSLAM 52-34

duplex

interface 50-29

dynamic access policies

attributes 26-22, 26-25

configuring 26-20

understanding 26-19

dynamic access policies (DAP) 27-48

Dynamic Access Policy page

Add/Edit Dynamic Access Policy dialog box

Add/Edit DAP Entry dialog box 27-40

Add/Edit DAP Entry dialog box > AAA Attributes Cisco 27-42

Add/Edit DAP Entry dialog box > AAA Attributes LDAP 27-43

Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 27-44

Add/Edit DAP Entry dialog box > Anti-Spyware 27-45

Add/Edit DAP Entry dialog box > Anti-Virus 27-46

Add/Edit DAP Entry dialog box > Application 27-47

Add/Edit DAP Entry dialog box > File 27-49

Add/Edit DAP Entry dialog box > NAC 27-50

Add/Edit DAP Entry dialog box > Operating System 27-51

Add/Edit DAP Entry dialog box > Personal Firewall 27-51

Add/Edit DAP Entry dialog box > Policy 27-52

Add/Edit DAP Entry dialog box > Process 27-53

Add/Edit DAP Entry dialog box > Registry 27-54

Advanced Expressions tab 27-58

Logical Operators tab 27-55

Main tab 27-36

Dynamic Access Policy page (ASA) 27-33

Cisco Secure Desktop Manager Policy Editor dialog box 27-59

Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 27-35

Dynamic Blacklist Configuration tab 17-10

dynamic crypto maps 22-6

dynamic filter snooping (DNS)

enabling 15-16

Dynamic Multipoint VPN (DMVPN)

mandatory and optional policies 21-6

dynamic NAT

Cisco IOS routers 20-10

Dynamic Translation Rule

PIX/ASA/FWSM 20-21

add/edit 20-22

dynamic VTI

configuring in Easy VPN 24-2

in remote access VPNs 26-38

Dynamic VTI/VRF Aware IPsec settings tab 27-81

Dynamic VTI tab (site-to-site VPN) 24-9

E

Easy VPN

client connection characteristics 24-12

configuration overview 24-3

configuring dial backup 24-2

configuring dynamic VTI 24-2

configuring high availability 24-2

connection profile policies 24-11

connection profiles (ASA, PIX 7+) 27-18

Dynamic VTI tab 24-9

important configuration notes 24-4

IPsec Proposal page 24-6

IPsec Proposal tab 24-7

IPsec proposals 24-5

mandatory and optional policies 21-6

overview 24-1

supported platforms 21-8

understanding 24-1

user group policies 24-10

User Group Policy page 24-11

Edit AAA Option dialog box 13-15

Edit AAA Rule dialog box 13-11

Edit AAA Server dialog box 6-26

Edit AAA Server Group dialog box 6-38

Edit Actions dialog box 33-8

Edit activity state 4-4

Edit AOL Class Map dialog box 15-22, 18-17

Edit A Port Forwarding Entry dialog box 28-43

Edit ASA Group Policies dialog box

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

overview 28-1

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

technology settings 28-1

Edit A Smart Tunnel Entry dialog box 28-66

Edit Auto Signon Rules dialog box 28-17

Edit Auto Update Settings dialog box 11-26

Edit Category dialog box 12-12

Edit Cisco Secure Desktop Configuration dialog box 28-21

Edit Client Access Rules dialog box 28-10

Edit Client Update dialog box 28-76

Edit Column dialog box 28-60

Edit Custom Pane dialog box 28-60

Edit DCE/RPC Map dialog box 15-23

Edit Deploy Method dialog box 8-29

Edit Description dialog box 12-12

Edit Destinations dialog box 12-10

Edit Device Groups command 1-22

Edit Device Groups dialog box 3-54

Edit DNS Class Map dialog box 15-22

Edit DNS Map dialog box

Filtering tab 15-26

overview 15-24

Protocol Conformance tab 15-26

Edit eDonkey Class Map dialog box 15-22, 18-17

Edit Endpoints dialog box

FWSM tab 21-43

overview 21-31

Protected Networks tab 21-42

VPN Interface tab 21-32

VPNSM/VPN SPA/VSPA settings, VPN Interface tab 21-38

VRF Aware IPsec tab 21-44

Edit ESMTP Map dialog box 15-30

Edit Extended Access Control Entry dialog box 6-47

Edit Extended Access List dialog box 6-45

Edit External Filter dialog box 18-39

Edit FastTrack Class Map dialog box 15-22, 18-17

Edit Fidelity dialog box 33-9

Edit File Object dialog box 28-24

Edit Firewall Rule dialog box 14-11

Edit Firewall Rule Expiration dialog box 14-15

Edit FlexConfig dialog box 7-27

Edit FTP Class Map dialog box 15-22

Edit FTP Map dialog box 15-33

Edit Gnutella Class Map dialog box 15-22, 18-17

Edit Group Member dialog box 25-21

Edit GTP Map dialog box 15-36

Edit H.323 Class Map dialog box 15-22, 18-17

Edit H.323 Map dialog box 15-41, 18-32

Edit HSI Endpoint IP Address dialog box 15-43

Edit HSI Group dialog box 15-43

Edit HTTP Class Map dialog box 15-22, 18-17

Edit HTTP Map dialog box 18-32

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab 15-48

Extension Request Method tab 15-50

General tab 15-47

overview 15-45

Port Misuse tab 15-51

RFC Request Method tab 15-49

Transfer Encoding tab 15-52

ASA 7.2+ and PIX 7.2+ devices 15-53

Edit ICQ Class Map dialog box 15-22, 18-17

Edit IKE Proposal dialog box 28-26

Edit IMAP Class Map dialog box 15-22, 18-17

Edit IMAP Map dialog box 18-32

Edit IM Class Map dialog box 15-22

Edit IM Map dialog box 18-32

ASA and PIX device 15-59

IOS device 15-62

Edit Inspect/Application FW Rule wizard

Address and Port page 15-11

Inspected Protocol page 15-14

Match Traffic page 15-10

Edit Inspect Parameter Map dialog box 18-28

Edit Interfaces dialog box 12-11

Edit Interface Specific Authentication Server Groups dialog box 27-24

Edit Interface Specific Client Address Pools dialog box 27-21

Edit IP Options Map dialog box 15-64

Edit IPsec Pass Through Map dialog box 15-65

Edit IPSec Transform Set dialog box 28-28

Edit Kazaa2 Class Map dialog box 15-22, 18-17

Edit Key Server dialog box 25-19

Edit Language dialog box 28-54

Edit LDAP Attribute Map dialog box 28-31

Edit LDAP Attribute Map Value dialog box 28-32

Edit Load Balancing Parameters dialog box 23-17

Edit Local Web Filter Class Map dialog box 15-22, 18-17

Edit Local Web Filter Parameter Map dialog box 18-36

Edit Map Value dialog box 28-33

Edit Match Condition and Action dialog box

DNS policy maps 15-27

ESMTP policy maps 15-31

FTP policy maps 15-34

GTP policy maps 15-39

H.323 (IOS) policy maps 18-33

H.323 policy maps 15-44

HTTP (Zone Based IOS) policy maps 18-33

HTTP policy maps 15-55

IM (Zone Based IOS) policy maps 18-33

IMAP policy maps 18-33

IM policy maps 15-60

P2P policy maps 18-33

POP3 policy maps 18-33

SIP (IOS) policy maps 18-33

SIP policy maps 15-69

Skinny policy maps 15-74

SMTP policy maps 18-33

Sun RPC policy maps 18-33

Web Filter policy maps 18-33

Edit Match Criterion dialog box

AOL class maps 18-19

DNS class maps 15-27

eDonkey class maps 18-19

FastTrack class maps 18-19

FTP class maps 15-34

Gnutella class maps 18-19

H.323 (IOS) class maps 18-20

H.323 class maps 15-44

HTTP (IOS) class maps 18-20

HTTP class maps 15-55

ICQ class maps 18-19

IMAP class maps 18-22

IM class maps 15-60

Kazaa2 class maps 18-19

Local Web Filter class maps 18-27

MSN Messenger class maps 18-19

N2H2 class maps 18-28

POP3 class maps 18-22

SIP (IOS) class maps 18-23

SIP class maps 15-69

SMTP class maps 18-24

Sun RPC class maps 18-27

Websense class maps 18-28

Windows Messenger class maps 18-19

Yahoo Messenger class maps 18-19

Edit menu 1-23

Edit MSN Messenger Class Map dialog box 15-22, 18-17

Edit N2H2 Parameter Map dialog box 18-37

Edit N2H2 Web Filter Class Map dialog box 15-22, 18-17

Edit NAT Rule dialog box

ASA 8.3+ 20-35

Edit NetBIOS Map dialog box 15-66

Edit Network/Host dialog box

General tab 6-65

NAT tab 20-38

Edit Options dialog box 14-13

Edit P2P Map dialog box 18-32

Edit Permit Response dialog box 15-38

Edit PIX/ASA/FWSM Web Filter Rule dialog box 16-5

Edit PKI Enrollment dialog box

CA Information tab 28-35

Certificate Subject Name tab 28-40

Enrollment Parameters tab 28-39

overview 28-33

Trusted CA Hierarchy tab 28-42

Edit Policy Assignments command 1-24

Edit POP3 Class Map dialog box 15-22, 18-17

Edit Port Forwarding List dialog box 28-42

Edit Port List dialog box 6-71

Edit Protocol Info Parameter Map dialog box 18-31

Edit Regular Expression dialog box 15-77

Edit Regular Expression Group dialog box 15-76

Edit Row command 1-23

Edit Rule Section dialog box 12-18

Edit Secondary Interface Specific Authentication Server Groups dialog box 27-24

Edit Security Association dialog box 21-52

Edit Selected Deployment Method dialog box 8-29

Edit Server dialog box

Protocol Info Parameter maps 18-32

Edit Server Group dialog box 13-16

Edit Service dialog box 6-72

Edit Services dialog box 12-11

Edit Signature dialog box 33-12

Edit Signature Parameter—Component List dialog box 33-25

Edit Signature Parameters dialog box 33-20

Edit Single Sign On Server dialog boxes 28-44

Edit SIP Class Map dialog box 15-22, 18-17

Edit SIP Map dialog box 15-67, 18-32

Edit Skinny Map dialog boxes 15-73

Edit SLA Monitor dialog box 42-9

Edit Smart Tunnel Lists dialog box 28-65

Edit SMTP Class Map dialog box 15-22, 18-17

Edit SMTP Map dialog box 18-32

Edit SNMP Map dialog box 15-75

Edit Sources dialog box 12-10

Edit SSL VPN Customization dialog box 28-49

Applications 28-58

Copyright Panel 28-56

Custom Panes 28-59

Full Customization 28-57

Home Page 28-61

Informational Panel 28-56

Language 28-53

Logon Form 28-55

Logout Page 28-62

Title Panel 28-52

Toolbar 28-58

Edit SSL VPN Gateway dialog box 28-63

Edit Standard Access Control Entry dialog box 6-49

Edit Standard Access List dialog box 6-45

Edit Sun RPC Class Map dialog box 15-22, 18-17

Edit Sun RPC Map dialog box 18-32

Edit TCP Map dialog box 48-17

Edit TCP Option Range dialog box 48-19

Edit Text Object dialog box 7-29

Edit Time Range dialog box 6-53

Edit Traffic Flow dialog box 48-13

Edit Translated Address dialog box 20-28

Edit Transparent EtherType dialog box 19-6

Edit Transparent Firewall Rule dialog box 19-5

Edit Transparent Mask dialog box 19-7

Edit Trend Content Filter Class Map dialog box 15-22, 18-17

Edit Trend Parameter Map dialog box 18-40

Edit Update Server Settings dialog box 11-24

Edit URL Domain Name dialog box 18-43

Edit URLF Glob Parameter Map dialog box 18-43

Edit URL Filter Parameter Map dialog box 18-41

Edit User Credentials dialog box 30-17

Edit User Group dialog box

Advanced PIX 6.3 settings 28-77

Browser Proxy settings 28-83

Client (IOS) settings 28-73

Clientless settings 28-78

Client VPN Software Update (IOS) settings 28-76

DNS/WINS settings 28-72

General settings 28-70

IOS Xauth Options settings 28-75

overview 28-68

Split Tunneling settings (Easy VPN/remote access IPSec VPN) 28-72

SSL VPN Connection settings 28-84

SSL VPN Full Tunnel settings 28-79

SSL VPN Split Tunneling settings 28-81

Technology settings 28-68

Thin Client settings 28-79

Edit Virtual Sensor dialog box 32-7, 32-8

Edit VPN dialog box

Device Selection tab 21-29

Edit Endpoints dialog box 21-31

Endpoints tab 21-31

High Availability tab 21-46

Name and Technology tab 21-28

overview 21-26

Edit Web Access Control Entry dialog box 6-51

Edit Web Filter Map dialog box 18-45

Edit Web Filter Options dialog box 16-8

Edit Web Filter Type dialog box 16-8

Edit Websense Parameter Map dialog box 18-37

Edit Websense Web Filter Class Map dialog box 15-22, 18-17

Edit Web Type Access List dialog box 6-45

Edit Windows Messenger Class Map dialog box 15-22, 18-17

Edit WINS Server dialog box 28-85

Edit WINS Server List dialog box 28-84

Edit Yahoo Messenger Class Map dialog box 15-22, 18-17

Edit Zones dialog box 12-11

eDonkey class map objects

creating 18-15

match criteria 18-19

EIGRP routing

defining interface properties 57-10

defining routes 57-9

EIGRP Routing Policy page 57-13

Interface dialog box 57-16

Interfaces tab 57-15

on Cisco IOS routers 57-8

redistributing routes 57-12

Redistribution Mapping dialog box 57-18

Redistribution tab 57-17

Setup dialog box 57-14

Setup tab 57-13

e-mail

blocking spam using zone-based firewall rules 18-24

preventing DoS attacks 18-24

e-mail notifications

configuring SMTP server 1-19

PIX/ASA/FWSM

recipient set-up 44-3

syslog messages 44-3

Enable/disable NAT rules 20-32

Enable PIM and IGMP

PIX/ASA/FWSM 45-1

Encapsulating Security Protocol (ESP) encryption algorithm 28-30

encoding rules

defining 26-50

encoding settings

understanding 26-49

Encoding tab (ASA) 27-91

encryption algorithms

3DES (Triple DES) 22-2

AES (Advanced Encryption Standard) 22-2

DES (Data Encryption Standard) 22-2

in IKE proposals 22-2

endpoints and protected networks

configuring dial backup 21-36

defining in GET VPN topologies 21-54

defining in VPN topologies 21-31

VPN Interface tab 21-32

Error Writing to Server deployment errors 9-15

ESMTP

configuring for inspection rules 15-16

ESMTP policy map objects

creating 15-19

match conditions and actions 15-31

properties 15-30

EtherChannel

Create and Edit IDSM EtherChannel VLANs dialog boxes 58-49

defining IDSM VLANs 58-45

deleting IDSM VLANs 58-46

evaluation license

upgrading to permanent license 10-2

event

lists 44-4

add/edit 44-5

syslog class

add/edit 44-6

syslog message ID

add/edit 44-6

Event Action Filters page 34-7

Event Action Override dialog box 34-13

Event Action Overrides page 34-12

event actions, IPS

configuring filter rules 34-4

configuring network information 34-14

configuring OS maps 34-17

configuring overrides 34-12

configuring settings 34-20

configuring target value ratings 34-14

example filter rule 59-52

filter rule attributes 34-9

filter rules policy 34-7

filter rules tips 34-6

overview 34-1

possible actions 34-2

process overview 34-1

Event Management page 11-19

Event Manager service

configuring 59-23

managing 59-22

monitoring event store disk space 59-24

selecting devices to monitor 59-23

starting and stopping 59-23

events

archiving (backing up) the event data store 59-24

configuring ASA devices 59-26

configuring IPS devices 59-27

CS-MARS 60-24

looking up 60-19

looking up policies based on related events 60-23

Netflow support for policy lookup 60-26

viewing access rule events 60-20

viewing IPS signature events 60-22

definition 60-9

Event Viewer

looking up policies based on related events 59-43

examples of analysis

mitigating botnet activity 59-50

monitoring and mitigating botnet activity 59-47

monitoring botnet activity using ASDM 59-50

monitoring botnet activity using Event Viewer 59-48

overview 59-45

removing false positive IPS events 59-52

understanding botnet syslog events 59-47

user access to server blocked 59-45

Performance Monitor

troubleshooting status collection 60-10

viewing 60-9

recovering the event data store 59-24

Event Viewer

archiving (backing up) the event data store 59-24

ASA devices, configuring to provide events 59-26

columns 59-16

comparing to other event managers 59-6

configuration 59-26

configuring Event Manager service 59-23

copying events from 59-37

customizing appearance of 59-30

custom view 59-33

examples of analysis

mitigating botnet activity 59-50

monitoring and mitigating botnet activity 59-47

monitoring botnet activity 59-48

overview 59-45

removing false positive IPS events 59-52

understanding botnet syslog events 59-47

user access to server blocked 59-45

filters 59-2

advantages of using network/host objects 59-53

submission requirements for policy objects 59-54

filters and queries 59-37

interface 59-13

IPS devices, configuring to provide events 59-27

limits of 59-4

looking up Security Manager policies based on events 59-43

managing service 59-22

monitoring event store disk space 59-24

quick filter 59-40

recovering the event data store 59-24

right-click filters 59-36

Saving Events to a File 59-37

selecting devices to monitor 59-23

settings 11-19

starting or stopping the Event Manager service 59-23

syslogs 59-5

time slider 59-32

toolbar 59-14

troubleshooting

Event Viewer Unavailable message 11-19, 59-23

policy objects not available for filtering 59-54

using 59-25

using views in 59-28

view selector 59-11

Event Viewer command 1-26

exclusive domains

configuring for IOS devices 16-9

Exit command 1-23

exiting

Cisco Security Management Suite server 1-15

CiscoWorks Common Services 1-15

Security Manager 1-15, 1-16

expiration dates

configuring for access rules 14-16

export

device inventory 3-49

inventory in DCR, CS-MARS, Security Manager formats 3-49

IPS event action overrides 34-12

IPS event filter rules 34-4, 34-7

policy objects 6-17

Export Inventory command 1-26

Export Inventory dialog box 3-49

Export Map command 1-25

External Product Interface dialog box 30-24

External Product Interface policy 30-23

F

factory-default configurations 39-1

Failover

FWSM 41-11

advanced settings 41-13

interface configuration 41-15

PIX/ASA 41-16

Add Failover Group 41-20

interface configuration 41-22

settings 41-18

PIX/ASA/FWSM 41-8

bootstrap configuration 41-23

interface MAC address 41-23

PIX 6.3 41-9

interface configuration 41-10

failover

configuring in site-to-site VPN 21-46

PIX/ASA/FWSM

active/active 41-2, 41-3

active/standby 41-2

configuration basics 41-5

configuring 41-1

stateful 41-3, 41-4

stateless 41-2

types of 41-2

understanding 41-1

stateful in site-to-site VPN 21-48

false negatives

definition of 33-18

false positives

definition of 33-18

FastTrack class map objects

creating 18-15

match criteria 18-19

feature sets 1-3

File menu 1-22

file objects

attributes 28-24

files

deploying to 8-11

selecting or specifying 1-35

Filter Item dialog box 34-9

filter rules, event action (IPS)

attributes 34-9

configuring 34-4

example rule 59-52

exporting 34-4

policy 34-7

tips 34-6

filters

filtering selectors 1-30

filtering tables 1-33

filters (Event Viewer)

advantages of using network/host objects 59-53

submission requirements for policy objects 59-54

Find and Replace dialog box 12-14

find and replace in rules policies 12-13

Find Map Node command 1-25

Find Node dialog box 29-12

firewall

access rule

event analysis example, user access blocked 59-45

finding from CS-MARS events 60-23

finding from Event Viewer events 59-43

viewing related CS-MARS events 60-20

Firewall AAA IOS Timeout Value Setting dialog box 13-24

Firewall AAA MAC Exempt Setting dialog box 13-21

Firewall ACL Setting dialog box 14-19

Firewall Device dialog box 37-14

firewall devices

policy discovery 5-13

firewalls

system variables 7-9

firewall service module (FWSM)

including in deployment jobs 8-26

firewall services

AAA firewall policy

advanced settings 13-16

configuring 13-5

AAA rules

configuring AAA firewall settings 13-5

configuring AuthProxy settings 13-8

configuring for ASA/PIX/FWSM devices 13-4

configuring for IOS devices 13-7

managing 13-1

properties 13-11

understanding 13-1

understanding how users authenticate 13-2

access rules

address requirements 14-5

configuring 14-7

configuring expiration dates 14-16

how deployed 14-5

import examples 14-32

importing 14-28

IPS blocking, effect of 37-4

managing 14-1

optimizing during deployment 14-34

sharing ACLs among interfaces 11-10

understanding 14-1

understanding device-specific behavior 14-4

understanding global 14-3

understanding requirements when using inspection 15-4

ACL naming conventions 12-5

adding rules 12-8

analysis reports 14-21

AuthProxy settings policy

configuring 13-8

combining rules

example 12-23

interpreting results 12-21

procedure 12-19

configuring policies in Map view 29-22

configuring settings policies in Map view 29-23

deleting rules 12-8

disabling rules 12-17

editing rules 12-9

enabling rules 12-17

finding and replacing items in rules policies 12-13

firewall settings

configuring settings 14-16, 16-14

per user downloadable ACLs 14-20

hit count reports 14-23

inspection rules

add/edit rule wizard 15-10, 15-11, 15-14

choosing interfaces 15-3

configuring 15-5

managing 15-1

preventing DoS attacks on IOS devices 15-5

selecting protocols 15-3, 15-14

understanding 15-2

understanding access rule requirements 15-4

inspection settings

configuring for IOS devices 15-80

introduction 12-1

managing rules tables 12-6

moving rules 12-16

object groups

expanding during discovery 12-31

optimizing network object groups during deployment 12-30

overview 12-1

policy query

example report 12-29

generating reports 12-24

interpreting results 12-28

preserving ACL names 12-4

resolving ACL naming conflicts 12-6

rule table sections 12-17

transparent rules

adding or editing a rule 19-5

configuring 19-1

configuring passthrough for IOS devices 19-3

editing the EtherType 19-6

editing the mask 19-7

managing 19-1

Transparent Rules page 19-3

understanding NAT effects 12-3

understanding rule order 12-16

understanding rule processing order 12-2

using rules tables 12-7

web filter rules

configuring for ASA, PIX, FWSM devices 16-2

configuring for IOS devices 16-9

managing 16-1

understanding 16-1

zone-based firewall

advanced options 18-61

configuring PAM 18-63

configuring rules 18-12, 18-58

configuring settings 18-47

designing network zones 18-1

development overview 18-12

protocol selection 18-62

rules table 18-56

tabs 18-47

zone-based firewalls

changing the default drop rule 18-46

general recommendations 18-11

IPSec VPN 18-6

overview 18-1

restrictions 18-3

Self zone 18-5

troubleshooting 18-52

understanding 18-3

understanding permit/deny and action 18-7

understanding services and protocols 18-10

VRF 18-6

Firewall Services Module

security contexts

configuration 49-5

Firewall Services Module (FWSM)

Bridge Groups

add/edit 50-24

configuring FWSM endpoints in site-to-site VPNs 21-43

Device Access

managing Resources 42-2

Resources 42-3

Resources, add/edit 42-3

Failover 41-11

advanced settings 41-13

interface configuration 41-15

interfaces 50-20

add/edit 50-22

PIX/ASA/FWSM Platform policies 50-1

firewall settings

AAA firewall

advanced settings 13-16

configuring 13-5

MAC exempt lists 13-20

Access Control page 14-17

access controls

per user downloadable ACLs 14-20

AuthProxy

configuring 13-8

AuthProxy page 13-22

botnet traffic filter rules 17-9

Firewall AAA IOS Timeout Value Setting dialog box 13-24

Firewall ACL Setting dialog box 14-19

Inspection page 15-80

MAC exempt lists, AAA firewall 13-20

reference information for AAA rules 13-16

Web Filter page 16-15

zone-based firewall

add/edit zones 18-51

Content Filter tab 18-50

Global Parameters tab 18-48

page 18-48

VPN tab 18-48

WAAS tab 18-48

Zones tab 18-48

zone-based firewalls

logging 18-1

Fit to Window command 1-25

FlexConfig objects

adding to policies 7-32

ASA samples 7-18

Catalyst 6500/7600 samples 7-20

changing order in policies 7-32

changing variable values 7-32

Cisco IOS Software samples 7-20

CLI commands 7-2

configuring 7-22

configuring AAA for administrative introducers 53-85

creating 7-25

creating text objects 7-29

deleting variables 7-25

PIX firewall samples 7-21

previewing CLI 7-32

properties 7-27

property selector 7-31

removing from policies 7-32

router samples 7-21

samples 7-17

scripting language

example of looping 7-3

example of looping with if/else statements 7-4

example of two-dimensional looping 7-3

understanding 7-3

system variables

device 7-7

firewalls 7-9

remote access VPN 7-17

router 7-12

understanding 7-7

VPN 7-13

undefined variables 7-30

understanding 7-1

variables 7-4

variables, example 7-6

FlexConfig policies

adding objects 7-32

changing object order 7-32

changing variable values 7-32

configuring 7-22

configuring AAA for administrative introducers 53-85

editing 7-32

previewing CLI 7-32

removing objects 7-32

understanding 7-1

FlexConfig Policy page 7-33

FlexConfig Preview dialog box 7-35

FlexConfigs

creating (scenario) 7-22

managing 7-1

FlexConfig Undefined Variables dialog box 7-30

floodguard 47-2

FQDN

redirection using

cluster load balancing and 26-16

fragmentation

in remote access VPNs 26-28

in site-to-site VPNs

General Settings tab 22-20

understanding 22-15

maximum transmission unit (MTU) 22-15

fragments settings 47-2

frequently asked questions

policy discovery 5-25

FTP class map objects

creating 15-19

match criteria 15-34

FTP policy map objects

creating 15-19

match conditions and actions 15-34

properties 15-33

full mesh topologies

description 21-4

partial mesh 21-5

full tunnel client access mode 26-5

FWSM

adding when using multiple-context mode 3-7

adding when using non-default HTTPS (SSL) port 3-7

bridge groups 39-19

changing deployment method to serial for multiple-context mode 9-16

credentials 3-14

deleting security contexts 49-4

deployment failures after changing interface policies 9-15

deployment failures in multiple-context mode 9-15

deployment failures with large ACLs 9-16

discovering failover modules 3-6

PDM 60-4

policy discovery 5-13

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rollback restrictions for failover devices 8-58

rollback restrictions for multiple context mode 8-58

setting up SSL (HTTPS) 2-3

TCP State Bypass 48-3

troubleshooting deployment 9-15

FWSM devices

AAA support 6-21

adding SSL thumbprints manually 9-4

configuring transparent firewall rules 19-1

selecting policy types to manage 5-10

SSL certificate configuration 11-14

G

Gateway and Context page 27-10

General

PIX/ASA/FWSM

security policies 47-1

General Configuration tab, SNMP policy for IPS 30-10

General page, device properties 3-34

General Settings tab 27-64

General tab (Translation Rules)

PIX/ASA/FWSM 20-30

General tab, IPS blocking policy 37-11

GET VPN

anti-replay, time based 25-12

configuring 25-12

configuring global ISAKMP and IPsec settings 25-16

configuring group members 25-20

cooperative key servers 25-7

defining group encryption 21-49

generating, synchronizing RSA keys 25-13

group members

adding 25-19

editing 25-21

IKE proposal 25-15

key servers

adding 25-19

editing 25-19

mandatory and optional policies 21-6

migrating to 25-23

overview 25-1

receive-only SAs 25-23

registration

choosing the rekey transport mechanism 25-6

configuring fail-close mode 25-8

registration process 25-4

SAs

passive SA mode 25-23

receive-only mode 25-23

security policy 25-10

supported platforms 21-8

troubleshooting 25-25

understanding 25-2

GET VPNs

group encryption policies

certificate authorization 21-52

security associations 21-52

global correlation

configuring 36-1

configuring DNS servers 30-22

configuring HTTP proxy server 30-22

configuring inspection and reputation 36-5

configuring network participation 36-6

configuring with Botnet Traffic Filtering 36-1

data collected 36-3

requirements and limitations 36-4

understanding 36-1

understanding network participation 36-3

understanding reputation 36-2

global settings

remote access VPN

configuring 26-28

understanding 26-28

Global Settings page 27-60

Gnutella class map objects

creating 18-15

match criteria 18-19

GRE (generic routing encapsulation) VPN

advantages of IPsec tunneling with GRE 23-3

configuring 23-5

configuring GRE modes 23-6

dynamically addressed spokes 23-5

implementation 23-3

overview 23-1, 23-2

prerequisites for successful configuration 23-3

supported platforms 21-8

understanding 23-2

GRE Dynamic IP

mandatory and optional policies 21-6

GRE Modes Page

DMVPN properties 23-12

GRE or GRE Dynamic IP properties 23-6

overview 23-1

Group Domain of Interpretation (GDOI) protocol 25-3

group encryption

defining in GET VPN topologies 21-49

Group Encryption Policy page (GET VPN) 21-49

group members

adding 25-19

communication flow 25-2

configuring fail-close mode 25-8

editing 25-21

GET VPN

registration process 25-4

security policy ACLs 25-10

group members (GET VPN)

configuring 25-20

Group Members page (GET VPN) 25-20

group policies

understanding 26-30

VPNs

ASA devices 26-31

configuring bookmarks 26-68

configuring portal appearance 26-63

configuring WINS servers for file system access 26-73

customizing 26-63

post URL method and macro substitutions in bookmarks 26-70

smart tunnels 26-71

Group Policies page 27-66

groups

adding or removing devices 3-56

creating 3-55

deleting 3-56

understanding 3-52

working with 3-52

group types

creating 3-55

deleting 3-56

GTP map objects

Add Country Network Codes dialog box 15-38

Edit Country Network Codes dialog box 15-38

GTP Map Timeouts dialog box 15-39

GTP policy map objects

creating 15-19

match conditions and actions 15-39

properties 15-36

H

H.323 (ASA, PIX) class map objects

creating 15-19

H.323 (ASA/PIX/FWSM) policy map objects

creating 15-19

properties 15-41

H.323 (IOS) class map objects

creating 18-15

match criteria 18-20

H.323 (IOS) policy map objects

creating 18-15

match conditions and actions 18-33

H.323 class map objects

match criteria 15-44

H.323 policy map objects

match conditions and actions 15-44

hash algorithms

in IKE proposals 22-2

MD5 22-2

SHA 22-2

help

accessing 1-36

Help About This Page command 1-28

helper addresses 52-14

Help menu 1-28

Help Topics command 1-28

Hide Navigation Window command 1-25

high availability (HA groups)

configuring in Easy VPN 24-2

configuring in site-to-site VPN 21-46

in remote access VPNs 26-41

stateful/stateless failover 21-48

High Availability page 27-71

high availability policies

configuring 26-41

understanding 26-41

Histogram dialog box 35-13

histograms

configuring anomaly detection 35-10

understanding anomaly detection 35-9

hit count

generating reports 14-23

Hit Count Query Results page 14-26

Hit Count Selection Summary Dialog Box 14-25

Hostname

PIX/ASA/FWSM 42-1

hostnames

Cisco IOS routers

defining 53-78

Hostname Policy page 53-79

overview 53-78

HTTP

Cisco IOS routers

AAA tab 53-32

Command Authorization Override dialog box 53-34

defining policies 53-29

HTTP Policy page 53-31

overview 53-28

Setup tab 53-31

PIX/ASA/FWSM 40-2

configuration 40-2

HTTP (ASA, PIX) class map objects

creating 15-19

HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects

creating 15-19

properties 15-45

HTTP (ASA7.2+/PIX7.2+) policy map objects

creating 15-19

properties 15-53

HTTP (IOS) class map objects

creating 18-15

creating for zone-based firewall content filtering 18-34

match criteria 18-20

HTTP (Zone Based IOS) policy map objects

creating 18-15, 18-34

match conditions and actions 18-33

HTTP class map objects

match criteria 15-55

HTTP-FORM

settings in AAA server objects 6-35

HTTP policy

overriding HTTPS port number 3-39

sharing

HTTPS port number 3-39

HTTP policy map objects

match conditions and actions 15-55

HTTP proxy server

configuring for IPS global correlation 30-22

HTTP Response Code 500 deployment errors 9-15

HTTPS

setting up 2-3

troubleshooting certificate errors 9-4

hub-and-spoke topology

description 21-2

joined hub-and-spoke topology 21-5

tiered hub-and-spoke topologies 21-5

I

ICMP rules

PIX/ASA/FWSM 40-3

add/edit 40-4

ICMP settings

configuring on IOS routers 52-18

icons

map elements 29-14

toolbar reference 1-28

ICQ class map objects

creating 18-15

match criteria 18-19

idle timeout, Security Manager client 11-5

IDM

device manager 60-4

IDSM

adding when using non-default HTTPS (SSL) port 3-7

Create and Edit IDSM Data Port VLANs dialog boxes 58-50

Create and Edit IDSM EtherChannel VLANs dialog boxes 58-49

credentials 3-14

defining Data Port VLANs 58-46

defining EtherChannel VLANs 58-45

deleting Data Port VLANs 58-48

deleting EtherChannel VLANs 58-46

deployment failures when changing data port VLAN running mode 9-16

IDSM Settings page 58-48

IDSM Slot-Port Selector dialog box 58-51

mode support limitations 58-44

troubleshooting deployment 9-15

understanding settings on Catalyst devices 58-44

IGMP

PIX/ASA/FWSM

Access Group parameters 45-5

Access Group tab 45-5

enable 45-1

Join Group parameters 45-7

Join Group tab 45-7

page 45-2

parameters 45-4

Protocol tab 45-3

Static Group parameters 45-6

Static Group tab 45-6

ignore error message, configure Security Manager to 9-9

IKE (Internet Key Exchange)

aggressive mode negotiation 22-1

main mode negotiation 22-1

proposals 22-1

understanding 22-1

IKE keepalive

understanding 22-13

IKE proposal objects

properties 28-26

IKE Proposal page 27-73

IKE proposals (policies)

configuring 22-4

IKE Proposal page (site-to-site VPN) 22-4

in GET VPNs 25-15

IM (ASA7.2+/PIX7.2+) policy map objects

creating 15-19

properties 15-59

IM (IOS) policy map objects

creating 15-19

properties 15-62

IM (Zone Based IOS) policy map objects

creating 18-15

match conditions and actions 18-33

IM (Zone based IOS) policy map objects

creating 18-15

IMAP

configuring for inspection rules 15-17

IMAP class map objects

creating 18-15

match criteria 18-22

IM applications

match conditions for zone-based firewalls 18-19

protocol information for IM application inspection 18-31

IMAP policy map objects

creating 18-15

match conditions and actions 18-33

IM class map objects

creating 15-19

match criteria 15-60

IM policy map objects

match conditions and actions 15-60

import

device inventory 3-24

policy objects 6-17

Import Background Image dialog box 29-13

Import Rules wizard

Enter Parameters page 14-29

Preview page 14-31

Status page 14-30

inheritance

inheriting rules 5-42

understanding 5-4

understanding signature policies 33-3

versus assignment 5-6

Inherit Rules command 1-24

Inherit Rules dialog box 5-42

Inspect/Application FW Rule wizard

Address and Port page 15-11

Inspected Protocol page 15-14

Match Traffic page 15-10

inspection

global correlation (IPS)

configuring 36-5

inspection map objects

understanding 6-60

inspection rules

ACL naming conventions 12-5

add/edit rule wizard 15-10, 15-11, 15-14

choosing interfaces 15-3

configuring 15-5

configuring custom protocol name 15-18

configuring DNS settings 15-16

configuring ESMTP settings 15-16

configuring fragment inspection 15-17

configuring in Map view 29-23

configuring RPC settings 15-18

configuring settings for IOS devices 15-80

configuring settings in Map view 29-23

configuring SMTP settings 15-16

deep inspection options

IMAP 15-17

POP3 15-17

deleting 12-8

disabling 12-17

editing 12-9

enabling 12-17

Inspection Rules page 15-7

managing 15-1

moving 12-16

preserving ACL names 12-4

preventing DoS attacks on IOS devices 15-5

selecting protocols 15-3, 15-14

understanding 15-2

understanding access rule requirements 15-4

understanding NAT effects 12-3

understanding processing order 12-2

Inspection Rules page 15-7

Inspection settings page 15-80

inspect maps

policy maps

Add Country Network Codes dialog box 15-38

Edit Country Network Codes dialog box 15-38

Inspect parameter map objects

properties 18-28

Inspect Parameters map objects

creating 18-15, 18-34

installing

Security Manager client 1-16

Integrated Local Management Interface (ILMI) 52-49

Interactive Authentication Configuration dialog box 13-18

interface

add and edit 39-7

duplex 50-29

IP type

ASA and PIX 7+ 39-10

PIX 6.3 39-11

MAC address 39-13

management 39-6

media type 39-13

Interface Name Conflict dialog box 6-60

Interface Properties dialog box 29-18

Interface Role Contents dialog box 12-12

interface role objects

creating 6-56

defining subinterfaces 6-58

distinguishing from interfaces 6-58

handling conflicts between role and interface names 6-60

Interface Role dialog box 6-57

specifying during policy definition 6-58

understanding 6-55

use when a single interface name is allowed 6-59

interfaces

adding or changing modules 3-33

ASA 5505 50-25

add/edit 50-10

ASA devices 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

Catalyst switches and 7600 Series routers

Access Port Selector dialog box 58-30

Create and Edit Interface dialog boxes-Access Port mode 58-9

Create and Edit Interface dialog boxes-Dynamic Port mode 58-18

Create and Edit Interface dialog boxes-Other mode 58-24

Create and Edit Interface dialog boxes-Routed Port mode 58-12

Create and Edit Interface dialog boxes-subinterfaces 58-22

Create and Edit Interface dialog boxes-Trunk Port mode 58-14

Create and Edit VLAN dialog boxes 58-29

Create and Edit VLAN Group dialog boxes 58-34

defining ports 58-5

deleting ports 58-7

generating names 58-6

Interfaces/VLANs page-Interfaces tab 58-7

Interfaces/VLANs page-Summary tab 58-3

Interfaces/VLANs page-VLAN Groups tab 58-33

Interfaces/VLANs page-VLANs tab 58-28

Service Module Slot Selector dialog box 58-35

Trunk Port Selector dialog box 58-31

understanding 58-5

VLAN Selector dialog box 58-36

checklist for configuring multiple contexts 49-2

Cisco IOS routers

Advanced Interface Settings dialog box 52-16

Advanced Interface Settings page 52-15

available types 52-2

Create Router Interface dialog box 52-8

defining advanced settings 52-13

defining basic settings 52-3

defining CEF interface settings 52-24

defining IPS module settings 52-22

deleting from 52-6

generating names 52-4

Interface Auto Name Generator dialog box 52-12

overview 52-1

Router Interfaces page 52-7

understanding helper addresses 52-14

configuring IOS IPS rules 38-8

contexts 39-5

distinguishing from interface roles 6-58

failover

FWSM 41-15

MAC address 41-23

PIX/ASA 41-22

PIX 6.3 41-10

FWSM 50-20

add/edit 50-22

IPS

configuring 31-6

configuring bypass mode 31-12

configuring CDP mode 31-13

configuring inline interface pairs 31-13

configuring inline VLAN pairs 31-14

configuring physical 31-10

configuring VLAN groups 31-15

deploying VLAN groups 31-5

inline interface mode 31-3

inline VLAN pair mode 31-3

interfaces policy 31-6

managing interface configurations 31-1

physical interface properties 31-11

promiscuous mode 31-2

roles 31-1

sensing modes overview 31-2

understanding 31-1

viewing summary 31-8

VLAN group mode 31-4

PIX/ASA 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

allocation in security contexts 49-8

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

PIX/ASA/FWSM

configuring 39-2

DDNS update rules 43-14

enabling traffic between same security levels 39-14, 39-15

management access 40-5

managing the PPPoE users list 39-15

managing VPDN groups 39-16

troubleshooting 39-17

understanding 39-2

PIX 6.3

add/edit 50-14

PIX Firewall 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

redundant 39-4

routed and transparent 39-4

specifying during policy definition 6-58

specifying subinterfaces 6-58

throughput delay 52-18

Interface Selector dialog box (VLAN ACL Content) 58-43

Interfaces page (IPS) 31-6

inventory

deleting devices from 3-47

export devices

DCR, CS-MARS, Security Manager formats 3-49

overview 3-49

using command line utility 3-50

inventory, device

adding devices 3-6

adding devices from configuration files 3-16

adding devices from inventory file 3-24

adding devices from network 3-8

adding devices manually 3-20

managing 3-1

testing device connectivity 9-1

troubleshooting device discovery failures 3-7

troubleshooting Performance Monitor status collection 60-10

understanding 3-1

understanding contents 3-3

viewing inventory status 60-9

working with 3-29

Inventory Status command 1-26

Inventory Status window 60-11

Inverse ARP 52-60

inverse multiplexing over ATM (IMA) 52-39

IOS devices

configuring transparent firewall rules 19-1

remote access IPSec VPNs

user group policies 26-43

remote access IPsec VPNs

creating using wizard 26-11

user group policies 26-42

remote access SSL VPNs

configuring bookmarks 26-68

configuring for IOS devices 26-60

configuring WINS servers for file system access 26-73

creating using wizard 26-10

remote access VPNs

Context Editor dialog box (IOS) 27-105, 27-107

Dynamic VTI/VRF Aware IPsec settings 27-81

high availability 27-71

IPsec proposals 27-77

SSL VPN policies 27-105

user group policies 27-84

SDM 60-5

IOS IPS

effect of load balancing 38-7

comparing to IPS appliances and service modules 30-1

configuration files 38-3

configuration overview 38-3

configuring 38-1

configuring general settings 38-7

configuring interface rules 38-8

configuring target value ratings 34-14

event actions

filter rule attributes 34-9

filter rules 34-4, 34-7

filter rules tips 34-6

network information 34-14

overrides 34-12

overview 34-1

possible actions 34-2

process overview 34-1

settings 34-20

getting started 30-1

initial preparation of router 38-5

lightweight signature engines 38-2

limitations and restrictions 38-3

selecting signature category 38-6

signatures

adding custom 33-15

cloning 33-18

configuring 33-3

defining 33-1

detailed information 33-2

editing 33-11

editing Meta engine component list 33-25

editing or tuning parameters 33-18

enabling or disabling 33-10

engines 33-16

exporting 33-6

inheritance 33-3

parameters list 33-20

policy 33-4

shortcut menu 33-7

understanding 33-1

viewing update level 33-9

understanding 38-1

understanding subsystems and revisions 38-2

IOS Software Release 12.1 and 12.2

managing routers 51-2

IOS Web Filter Exclusive Domain Name dialog box 16-13

IOS Web Filter Rule and Applet Scanner dialog box 16-12

IP address

supporting dynamic 3-29

IP addresses

network masks 6-63

specifying in policies 6-68

IP Options policy map objects

creating 15-19

properties 15-64

IPS

IPS Module router interface settings policies 52-22

PIX/ASA/FWSM

rules 48-5

rules wizard 48-6

tab 48-8

updates, automatically applying 10-7

updates, checking for and downloading 10-6

updates, configuring server 10-5

updates, managing 10-5

updates, manually applying 10-9

IPS Devices

selecting for Event Viewer 59-23

IPS devices

adding SSL thumbprints manually 9-4

allowed hosts 30-7

anomaly detection

configuring 35-6

configuring histograms 35-10

configuring learning accept mode 35-8

configuring signatures 35-4

configuring thresholds 35-10

detection zones 35-3

managing 35-1

modes 35-2

understanding 35-1

understanding histograms 35-9

understanding thresholds 35-9

understanding worms 35-2

when to turn off 35-4

blocking

configuring 37-7

configuring ARC 37-1

configuring blocking devices 37-14

configuring master blocking sensors 37-13

configuring never block hosts and networks 37-18

configuring router blocking interfaces 37-16

configuring user profiles 37-12

configuring VLAN blocking interfaces 37-17

general options 37-11

master blocking sensor 37-6

policy 37-8

rate limiting 37-4

router and switch blocking devices 37-4

strategies 37-3

understanding 37-1

capturing network traffic 30-2

configuration overview 30-5

configuration overview for IOS IPS 38-3

configuring AAA 30-19

configuring Analysis Engine global variables 30-26

configuring DNS servers 30-22

configuring for event management 59-27

configuring HTTP proxy server 30-22

configuring NTP 30-21

configuring OS maps 34-17

configuring SNMP 30-8

configuring target value ratings 34-14

configuring the external product interface 30-23

configuring user accounts 30-16

credentials, IPS router modules 3-15

deployment of passwords 30-15

deployment topology 30-4

discovery of passwords 30-15

event actions

example filter rule 59-52

filter rule attributes 34-9

filter rules 34-4, 34-7

filter rules tips 34-6

network information 34-14

overrides 34-12

overview 34-1

possible actions 34-2

process overview 34-1

settings 34-20

getting started 30-1

global correlation

configuring 36-1

configuring inspection and reputation 36-5

configuring network participation 36-6

data collected 36-3

requirements and limitations 36-4

understanding 36-1

understanding network participation 36-3

understanding reputation 36-2

initializing 2-12

interfaces

configuring 31-6

configuring bypass mode 31-12

configuring CDP mode 31-13

configuring inline interface pairs 31-13

configuring inline VLAN pairs 31-14

configuring physical 31-10

configuring VLAN groups 31-15

deploying VLAN groups 31-5

inline interface mode 31-3

inline VLAN pair mode 31-3

interfaces policy 31-6

managing interface configurations 31-1

physical interface properties 31-11

promiscuous mode 31-2

roles 31-1

sensing modes overview 31-2

understanding 31-1

viewing summary 31-8

VLAN group mode 31-4

IPS modules for ASA 48-12

license, exporting 11-28

license, redeploying 10-4

license, updating 10-3

license, updating automatically 10-4

looking up signature policies for CS-MARS events 60-23

looking up signature policies for Event Viewer events 59-43

managing user accounts and passwords 30-13

monitoring

removing false positive IPS events 59-52

passive OS fingerprinting 34-16

password requirements 30-18

policy discovery 5-13

rollback restrictions 8-59

showing containment 3-46

signatures

adding custom 33-15

cloning 33-18

configuring 33-3

configuring settings 33-27

defining 33-1

detailed information 33-2

editing 33-11

editing Meta engine component list 33-25

editing or tuning parameters 33-18

enabling or disabling 33-10

engines 33-16

exporting 33-6

inheritance 33-3

parameters list 33-20

policy 33-4

shortcut menu 33-7

understanding 33-1

viewing update level 33-9

SSL certificate configuration 11-14

traffic flow notifications 30-26

tuning recommendations 30-4

understanding managed and unmanaged passwords 30-14

understanding network sensing 30-1

understanding user roles 30-13

user account attributes 30-17

viewing signature events in CS-MARS 60-22

virtual sensors

advantages 32-2

assigning interfaces 32-4

attributes 32-7

configuring 32-1, 32-5

deleting 32-10

editing policies 32-9

identifying 32-5

inline TCP session tracking mode 32-3

Normalizer mode 32-4

renaming 32-8

restrictions 32-2

understanding 32-1

IPsec

proposals 26-38

remote access VPNs

certificate to connection profile map policies 26-34, 26-35

certificate to connection profile map rules 26-35, 26-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) 27-70

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) 27-69

Certificate to Connection Profile Maps > Policies page 27-67

Certificate to Connection Profile Maps > Rules page 27-68

cluster load balancing 26-16, 26-17, 27-17

connection profiles 26-18

connection profiles (ASA, PIX 7+) 27-18

creating using wizard 26-11, 26-14

dynamic access policies 26-19, 26-20

dynamic access policy (DAP) attributes 26-22, 26-25

Dynamic Access policy page (ASA) 27-33

Dynamic VTI/VRF Aware IPsec settings 27-81

fragmentation settings 27-64

global settings 26-28

Global Settings page 27-60

group policies 27-66

high availability 27-71

high availability policies 26-41

IKE proposals 27-73

ISAKMP/IPsec settings 27-60

NAT settings 27-63

Public Key Infrastructure (PKI) 27-66

public key infrastructure (PKI) policies 26-33

public key infrastructure (PKI) proposals 26-37

secure desktop manager policies 26-26

understanding 26-2

user group policies 26-42, 26-43, 27-84

VPNSM/VPN SPA settings 27-80

IPsec/GRE VPN

advantages of IPsec tunneling with GRE 23-3

configuring 23-5

configuring GRE modes 23-6

dynamically addressed spokes 23-5

implementation 23-3