User Guide for Cisco Security Manager 4.3
Index

Numerics

12.1 and 12.2

managing routers 57-2

3DES encryption algorithm

in IKE proposals 24-6

802.1x

802.1x Policy page 60-5

defining policies 60-4

interface authorization states 60-2

on Cisco IOS routers 60-1

supported topologies 60-3

understanding device roles 60-2

A

AAA

about 46-1

Cisco IOS routers

AAA Policy page 59-6

Accounting tab 59-10

Authentication tab 59-6

Authorization tab 59-7

Command Accounting dialog box 59-12

Command Authorization dialog box 59-9

defining services 59-4

overview 59-2

supported accounting types 59-3

supported authorization types 59-2

understanding method lists 59-3

configuring access control for IPS 34-19

configuring on firewall devices 46-1

credentials for device access 3-4

device administration 46-4

local fallback 46-3

network access 46-4

PIX/ASA/FWSM 46-5

Accounting tab 46-7

Authentication tab 46-5

Authorization tab 46-6

support 46-2

VPN access 46-4

AAA authentication groups

predefined 6-26

AAA firewall

MAC exempt lists 14-22

AAA Firewall page

Advanced Setting tab 14-18

AAA firewall policy

advanced settings 14-18

configuring 14-6

AAA page 14-24

AAA rules

ACL naming conventions 12-5

combining rules

example 12-26

interpreting results 12-24

procedure 12-21

configuring AAA firewall settings (PIX/ASA/FWSM) 14-6

configuring AuthProxy settings (IOS) 14-8

configuring cut-through proxy (ASA) 13-23

configuring for ASA/PIX/FWSM devices 14-4

configuring for IOS devices 14-7

configuring identity aware 13-21

configuring in Map view 33-22

configuring settings

for IOS devices in Map view 33-23

for PIX/ASA/FWSM in Map view 33-23

deleting 12-9

disabling 12-19

editing 12-9

enabling 12-19

managing 14-1

moving 12-18

preserving ACL names 12-4

properties 14-12

understanding 14-1

understanding how users authenticate 14-2

understanding NAT effects 12-3

understanding processing order 12-2

AAA Rules page 14-9

AAA server group objects

attributes 6-45

creating 6-43

default server groups on IOS devices 6-27

predefined authentication groups 6-26

understanding 6-23

AAA server objects

creating 6-28

HTTP-FORM settings 6-40

Kerberos settings 6-34

LDAP settings 6-35

NT settings 6-38

RADIUS settings 6-31

SDI settings 6-39

supported additional types for ASA/PIX/FWSM 6-24

supported types 6-24

TACACS+ settings 6-33

understanding 6-23

AAA servers

supported types on ASA, PIX, FWSM devices 6-24

Abort the Job dialog box 8-51

About Configuration Manager command 1-35

ABR

definition 53-2

access control list objects

creating 6-48

extended objects 6-48

standard objects 6-50

web objects 6-51

access control lists

GET VPN security policies 27-10

policy discovery 5-14

access control lists (ACLs)

names preserved during discovery 12-4

naming conventions 12-5

resolving naming conflicts 12-6

access controls

configuring ACL names (IPv4 or IPv6) 15-19

configuring settings 15-19

configuring settings in Map view 33-23

Access Control Settings page 15-20

Access Group tab (IGMP) 52-5

Access Interface Configuration dialog box (ASA) 29-36

access permissions

Event Viewer 65-3

Health and Performance Monitor 67-3

maps 33-7

Report Manager 66-5

access policies

configuring 29-36

reference 29-33

understanding 29-32

access ports

Create and Edit Interface dialog boxes-Access Port mode 64-9

understanding 64-5

access rule

look up

from device managers 68-13

access rules

access control settings 15-20, 15-22

Access Rules page 15-9

ACL naming conventions 12-5

address requirements 15-5

Advanced dialog box 15-16

combining rules

example 12-26

interpreting results 12-24

procedure 12-21

configuring 15-7

configuring access control settings 15-19

configuring identity aware 13-21

configuring in Map view 33-22

controlling non-IP layer-2 traffic 21-1

deleting 12-9

detecting conflicts 15-24

disabling 12-19

Edit Firewall Rule Expiration dialog box 15-18

editing 12-9

enabling 12-19

examples of event analysis

user access to server blocked 65-50

expiration dates 15-19

finding from CS-MARS events 68-27

finding from Event Viewer events 65-48

generating analysis reports 15-30

hit counts

analyzing results 15-36

generating 15-32

how deployed 15-5

identity-aware rules

requirements 13-3

import examples 15-42

importing 15-37

IPS blocking, effect of 41-4

managing 15-1

moving 12-18

optimizing during deployment 15-44

packet tracer, analyzing with 68-1

preserving ACL names 12-4

Report Manager reports

firewall traffic reports 66-13

resolving conflicts 15-30

rule attributes 15-12

sharing ACLs among interfaces 11-12

syslog messages supported for look-up 68-28

understanding 15-1

understanding device-specific behavior 15-4

understanding global 15-3

understanding NAT effects 12-3

understanding processing order 12-2

understanding requirements when using inspection 16-4

understanding the automatic conflict detection user interface 15-26

viewing related CS-MARS events 68-24

Access Rules page 15-9

Accounting

Cisco IOS routers

settings 59-10

accounts and credentials

Cisco IOS routers

overview 59-13

PIX/ASA/FWSM

user accounts 49-6

user accounts, add/edit 49-7

accounts and credentials policies

Accounts and Credentials Policy page 59-15

User Accounts dialog box 59-17

ACLs

configuring names (IPv4 or IPv6) 15-19

ACS user authorization

configuring notifications when unavailable 1-23

Event Viewer 65-3

Health and Performance Monitor 67-3

how permissions affect what you can do 1-9

Report Manager 66-5

Active/Active failover

about 48-2

command replication 48-4

configuration synchronization 48-3

Active/Standby failover 48-2

Active Directory (AD)

collecting user statistics 13-25

configuring agent communication options 13-15

enabling for identity-aware firewall 13-8

identifying AD servers and agents 11-25, 13-8

requirements for identity-aware firewall 13-3

activities

accessing functions 4-8, 4-9

Activity Manager window 4-10

Approved state 4-5

approving 4-3, 4-20

benefits of 4-2

closing 4-15

creating 4-13

discarding 4-21

Edit state 4-4

locking 4-3

managing 4-1

multiple users 4-4

opening 4-14

overview 1-17

rejecting 4-20

responding to the Activity Required dialog box 4-14

states 4-4

Submitted state 4-5

submitting for approval 4-19

understanding 4-1

validating 4-18

viewing change reports 4-16

viewing status and history 4-22

working with 4-7

Activities command 1-31

Activities menu 1-32

Activity Manager window 4-10

Activity Required dialog box 4-14

Add/Edit AnyConnect Client Image dialog box (ASA) 29-50

Add/Edit Collector dialog box 51-2

Add/Edit Content Rewrite dialog box (ASA) 29-40

Add/Edit DAP Entry Dialog Box > Device 30-27

Add/Edit File Encoding dialog box 29-41

Add/Edit Multicast Route dialog box 52-8, 52-10

description 52-9

Add/Edit PIM Neighbor Filter dialog box 52-13

Add/Edit Proxy Bypass dialog box 29-45

Add AAA Rule dialog box 14-12

Add AAA Server dialog box 6-29

Add AAA Server Group dialog box 6-45

Add Access List dialog box (Allowed Hosts policy) 34-7

Add Access Rule dialog box 15-12

Add an Entry dialog box 37-26

Add AOL Class Map dialog box 16-23, 20-17

Add A Port Forwarding Entry dialog box 32-26

Add ASA Group Policies dialog box

client configuration settings 32-4

client firewall attributes 32-5

connection settings 32-19

DNS/WINS settings 32-17

hardware client attributes 32-7

IPSec settings 32-8

overview 32-1

split tunneling settings 32-18

SSL VPN clientless settings 32-10

SSL VPN full client settings 32-12

SSL VPN settings 32-14

Technology settings 32-1

Add A Smart Tunnel Entry dialog box 32-49

Add Auto Signon Rules dialog box 32-16

Add Cat6k Block Vlan dialog box 41-16

Add Certificate dialog box 11-18

Add Certificate Filter dialog box 23-54

Add Cisco Secure Desktop Configuration dialog box 32-20

Add Client Access Rules dialog box 32-10

Add Client Update dialog box 32-61

Add Column dialog box 32-43

Add Custom Pane dialog box 32-43

Add Custom Signature dialog box 37-12

Add DCE/RPC Map dialog box 16-24

Add Destinations dialog box 12-11

Add Device from Network wizard

Device Credentials page 3-41

Add Devices to Group command 1-28

Add Devices to Group dialog box 3-57

Add DNS Class Map dialog box 16-23

Add DNS Map dialog box

Filtering tab 16-28

overview 16-26

Protocol Conformance tab 16-27

Add eDonkey Class Map dialog box 16-23, 20-17

Add ESMTP Map dialog box 16-32

Add Extended Access Control Entry dialog box 6-54

Add Extended Access List dialog box 6-53

Add External Filter dialog box 20-39

Add FastTrack Class Map dialog box 16-23, 20-17

Add File Object dialog box 32-22

Add FlexConfig dialog box 7-33

Add FTP Class Map dialog box 16-23

Add FTP Map dialog box 16-35

Add Gnutella Class Map dialog box 16-23, 20-17

Add Group dialog box 3-56

Add Group Member dialog box 27-19

Add GTP Map dialog box 16-38

Add H.323 Class Map dialog box 16-23, 20-17

Add H.323 Map dialog box 16-43, 20-32

Add HSI Endpoint IP Address dialog box 16-46

Add HSI Group dialog box 16-45

Add HTTP Class Map dialog box 16-23, 20-17

Add HTTP Map dialog box 20-32

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab 16-50

Extension Request Method tab 16-53

General tab 16-49

overview 16-48

Port Misuse tab 16-54

RFC Request Method tab 16-52

Transfer Encoding tab 16-55

ASA 7.2+ and PIX 7.2+ devices 16-56

Add ICQ Class Map dialog box 16-23, 20-17

Add IKEv1 Proposal dialog box 24-10

Add IKEv2 Proposal dialog box 24-13

Add IMAP Class Map dialog box 16-23, 20-17

Add IMAP Map dialog box 20-32

Add IM Class Map dialog box 16-23

Add IM Map dialog box 20-32

ASA and PIX device 16-62

IOS device 16-65

Add Inspect/Application FW Rule wizard

Address and Port page 16-12

Inspected Protocol page 16-15

Match Traffic page 16-10

Add Inspect Parameter Map dialog box 20-29

Add Interfaces dialog box 12-13

Add IP Options Map dialog box 16-66

Add IPsec Pass Through Map dialog box 16-71

Add IPSec Transform Set dialog box 24-23

Add IPv6 Map dialog box 16-68

Add IPv6 Network/Host dialog box 6-73

Add Kazaa2 Class Map dialog box 16-23, 20-17

Add Key Server dialog box 27-19

Add Language dialog box 32-38

Add LDAP Attribute Map dialog box 6-41

Add LDAP Attribute Map Value dialog box 6-42

Add Link command 1-30

Add Link dialog box 33-20

Add Local Rules command 1-29

Add Local Web Filter Class Map dialog box 16-23, 20-17

Add Local Web Filter Parameter Map dialog box 20-36

Add Map Object command 1-30

Add Map Object dialog box 33-17

Add Map Value dialog box 6-43

Add Match Condition and Action dialog box

DNS policy maps 16-29

ESMTP policy maps 16-33

FTP policy maps 16-36

GTP policy maps 16-41

H.323 (IOS) policy maps 20-33

H.323 policy maps 16-46

HTTP (Zone Based IOS) policy maps 20-33

HTTP policy maps 16-57

IM (Zone Based IOS) policy maps 20-33

IMAP policy maps 20-33

IM policy maps 16-63

IPv6 policy maps 16-69

P2P policy maps 20-33

POP3 policy maps 20-33

SIP (IOS) policy maps 20-33

SIP policy maps 16-75

Skinny policy maps 16-79

SMTP policy maps 20-33

Sun RPC policy maps 20-33

Web Filter policy maps 20-33

Add Match Criterion dialog box

AOL class maps 20-19

DNS class maps 16-29

eDonkey class maps 20-19

FastTrack class maps 20-19

FTP class maps 16-36

Gnutella class maps 20-19

H.323 (IOS) class maps 20-20

H.323 class maps 16-46

HTTP (IOS) class maps 20-20

HTTP class maps 16-57

ICQ class maps 20-19

IMAP class maps 20-22

IM class maps 16-63

Kazaa2 class maps 20-19

Local Web Filter class maps 20-27

MSN Messenger class maps 20-19

N2H2 class maps 20-28

POP3 class maps 20-22

SIP (IOS) class maps 20-23

SIP class maps 16-75

SMTP class maps 20-24

Sun RPC class maps 20-27

Websense class maps 20-28

Windows Messenger class maps 20-19

Yahoo Messenger class maps 20-19

Add MSN Messenger Class Map dialog box 16-23, 20-17

Add N2H2 Parameter Map dialog box 20-37

Add N2H2 Web Filter Class Map dialog box 16-23, 20-17

Add NAT Rule dialog box

ASA 8.3+ 22-35

Add NetBIOS Map dialog box 16-72

Add Network/Host dialog box

General tab 6-73

NAT tab 22-42

Add New Device wizard

Device Credentials page 3-41

Add New Security Association dialog box 23-55

Add or Edit Plug-in Entry dialog box (ASA) 29-46

Add Other Devices dialog box 8-54

Add P2P Map dialog box 20-32

Add Permit Response dialog box 16-40

Add PIX/ASA/FWSM Web Filter Rule dialog box 17-5

Add PKI Enrollment dialog box

CA Information tab 24-51

Certificate Subject Name tab 24-57

Enrollment Parameters tab 24-55

overview 24-50

Trusted CA Hierarchy tab 24-58

Add POP3 Class Map dialog box 16-23, 20-17

Add Port Forwarding List dialog box 32-25

Add Port List dialog box 6-80

Add Protocol Info Parameter Map dialog box 20-31

Add Regular Expression dialog box 16-82

Add Regular Expression Group dialog box 16-81

Address Pools

PIX/ASA/FWSM 22-17

add/edit 22-17

address pools

overriding in connection profiles 28-8

Add Row command 1-28

Add Rule Section dialog box 12-21

Add Server dialog box

Protocol Info Parameter maps 20-32

Add Service dialog box 6-82

Add Services dialog box 12-12

Add Single Sign On Server dialog boxes 32-27

Add SIP Class Map dialog box 16-23, 20-17

Add SIP Map dialog box 16-73, 20-32

Add Skinny Map dialog box 16-77

Add SLA Monitor dialog box 49-9

Add Smart Tunnel Auto Signon Entry dialog box 32-52

Add Smart Tunnel Auto Signon Lists dialog box 32-51

Add Smart Tunnel Lists dialog box 32-48

Add SMTP Class Map dialog box 16-23, 20-17

Add SMTP Map dialog box 20-32

Add SNMP Map dialog box 16-80

Add Sources dialog box 12-11

Add SSL VPN Customization dialog box 32-32

Applications 32-42

Copyright Panel 32-40

Custom Panes 32-42

Full Customization 32-41

Home Page 32-44

Informational Panel 32-39

Language 32-36

Logon Form 32-38

Logout Page 32-45

Title Panel 32-35

Toolbar 32-41

Add SSL VPN Gateway dialog box 32-46

Add Standard Access Control Entry dialog box 6-57

Add Standard Access List dialog box 6-53

Add Sun RPC Class Map dialog box 16-23, 20-17

Add Sun RPC Map dialog box 20-32

Add TCP Map dialog box 55-20

Add TCP Option Range Dialog Box 55-22

Add Text Object dialog box 7-35

Add Time Range dialog box 6-60

Add Traffic Flow dialog box 55-16

Add Transparent Firewall Rule dialog box 21-5

Add Trend Content Filter Class Map dialog box 16-23, 20-17

Add Trend Parameter Map dialog box 20-40

Add URL Domain Name dialog box 20-43

Add URLF Glob Parameter Map dialog box 20-43

Add URL Filter Parameter Map dialog box 20-41

Add User dialog box 12-12, 34-17

Add User Group dialog box

Advanced PIX 6.3 settings 32-62

Browser Proxy settings 32-68

Client (IOS) settings 32-59

Clientless settings 32-63

Client VPN Software Update (IOS) settings 32-61

DNS/WINS settings 32-57

General settings 32-56

IOS Xauth Options settings 32-60

overview 32-54

Split Tunneling settings (Easy VPN/remote access IPSec VPN) 32-58

SSL VPN Connection settings 32-69

SSL VPN Full Tunnel settings 32-65

SSL VPN Split Tunneling settings 32-66

Technology settings 32-54

Thin Client settings 32-64

Add User Profile dialog box 41-12

Add Virtual Sensor dialog box 36-7, 36-8

Add Web Access Control Entry dialog box 6-58

Add Web Filter Map dialog box 20-45

Add WebSense Parameter Map dialog box 20-37

Add Websense Web Filter Class Map dialog box 16-23, 20-17

Add Web Type Access List dialog box 6-53

Add Windows Messenger Class Map dialog box 16-23, 20-17

Add WINS Server dialog box 32-70

Add WINS Server List dialog box 32-70

Add Yahoo Messenger Class Map dialog box 16-23, 20-17

Add Zones dialog box 12-13

admin context 56-1

administration

selecting policies to manage 5-10

administrative settings, configuring 11-1

admin password, changing 10-22

ADSL

ADSL Policy page 58-36

ADSL Settings dialog box 58-37

defining settings 58-35

supported operating modes 58-34

ADSL policies

unable to deploy 9-14

Advanced dialog box

access rules (IPv4 and IPv6) 15-16

Advanced NAT Options

PIX/ASA/FWSM

add/edit 22-28

Advanced settings

interface configuration

PIX/ASA/FWSM 44-42

AES encryption algorithm

in IKE proposals 24-6

AIM-IPS interfaces

IPS Module Interface Settings page 58-22

AIP-SSM/SSC

ASA 55-13

Alarm Indication Signal (AIS) cells 58-50

allowed hosts, configuring for IPS 34-7

Allowed Hosts policy 34-7

Analysis Engine global variables

configuring 34-26

analysis reports

generating 15-30

anomaly detection

configuring 39-6

configuring histograms 39-11

configuring learning accept mode 39-8

configuring signatures 39-4

configuring thresholds 39-11

managing 39-1

modes 39-2

understanding 39-1

understanding histograms 39-9

understanding thresholds 39-9

understanding worms 39-2

when to turn off 39-4

zones

overview 39-3

anti-spoofing 54-2

AnyConnect

client images 29-48, 29-49

profiles 29-48, 29-49

AnyConnect Client Image dialog box (ASA) 29-49

AOL class map objects

creating 20-15

match criteria 20-19

Apply IPS Update command 1-32

Apply IPS Update wizard 42-7

Approve Activity command 1-33

Approve Activity dialog box 4-20

Approved activity state 4-5

Approve Deployment Job dialog box 8-21, 8-39

Area Border Router

See ABR 53-2

ARP

PIX/ASA/FWSM

configuration 45-4

inspection 45-5

inspection, enable/disable 45-6

table 45-3

ARP table

static entry 45-3, 45-4

ASA

ASDM 68-11

CXSC 55-15

Failover

Add Failover Group 48-23

edit bridge group 48-15

IPS, QoS, and Connection Rules

CXSC Auth Proxy Configuration 55-16

IPS modules 55-13

policy discovery 5-13

rollback, commands to recover from failover misconfiguration 8-65

rollback command conflicts 8-64

rollback restrictions for failover devices 8-61

rollback restrictions for multiple context mode 8-61

security contexts

allocate interfaces 56-11

configuration 56-9

viewing allocated interfaces 56-11

setting up AUS or CNS 2-8

setting up SSL (HTTPS) 2-3

TCP State Bypass 55-3

ASA 5505

Management IPv6 45-10

ports and interfaces 44-6

ASA 8.3+

NAT policies

Add/Edit NAT rules dialog boxes 22-35

Translation Rules page 22-32

ASA Cluster Load Balance page 29-5

ASA devices

5505

hardware port configuration 44-39

AAA support 6-24

about 44-1

adding or changing modules 3-37

adding SSL thumbprints manually 9-4

Bridge Groups

add/edit 44-41

Catalyst Service Module 44-1

changing those selected for reports 66-21

configuring for event management 65-25

configuring for report management 66-3

configuring IKE and IPsec policies 24-1

configuring IKEv2 authentication 24-58

configuring transparent firewall rules 21-1

Easy VPNs

connection profiles 26-13

Event Viewer support 65-4

FlexConfig object samples 7-23

global access rules 15-3

identity-aware services

configuring to provide 13-7

interfaces 44-14

add/edit 44-19

Advanced tab 44-27

configuring 44-2

edit EtherChannel-assigned interface 44-11

EtherChannels 44-8, 44-12

General tab 44-20

IP Type 44-36

IPv6 44-29

IPv6, add/edit 44-33

IPv6, add/edit prefixes 44-34

LACP 44-11

MAC address 44-38

PPPoE Users 44-44

VPDN groups 44-45

licenses 2-11

monitoring service level agreements 49-7

object group search 15-22

packet capture, using 68-8

packet tracer, using 68-1

remote access SSL VPNs

advanced settings 29-54

AnyConnect client settings 29-48, 29-49

browser plug-ins 29-46

configuring HTTP/HTTPS proxies and proxy bypass 29-43

content rewrite rules 29-39

encoding rules 29-41

Kerberos Constrained Delegation (KCD) 29-51, 29-53

other settings 29-37

performance settings 29-38

shared license 29-55

shared license clients (ASA) 29-57

shared license servers (ASA) 29-58

remote access VPNs

access policies (ASA), configuring 29-36

access policies (ASA), reference 29-33

access policies (ASA), understanding 29-32

AnyConnect client image settings (ASA) 29-50

certificate to connection profile map policy (IKEv1) 29-25

certificate to connection profile map rules (IKEv1 IPSec) 29-26

cluster load balancing 29-4, 29-5

configuring bookmarks 29-63

configuring portal appearance 29-59

configuring WINS servers for file system access 29-69

connection profiles 29-6, 29-8

creating IPSec 28-24

creating SSL 28-14

customizing 29-58

device support 28-8

dynamic access policies 30-1, 30-2

dynamic access policy (DAP) attributes 30-3, 30-8

Dynamic Access policy page (ASA) 30-11

fragmentation settings 24-36

group policies, configuring 29-21

group policies, creating 29-23

group policies, understanding 29-22

IKE proposals 24-9

IKEv2 settings 24-30

IPsec proposals 29-30

ISAKMP/IPsec settings 24-26

managing 29-1

NAT settings 24-34

policy overview 29-2

post URL method and macro substitutions in bookmarks 29-65

proxy bypass rules (ASA) 29-45

Public Key Infrastructure (PKI) 24-48

secure desktop manager policies 30-9

smart tunnels 29-66

understanding IKE 24-5

understanding NAT settings 24-33

wizard 28-13

Report Manager reports

firewall summary botnet reports 66-14

firewall traffic reports 66-13

general VPN reports 66-16

VPN top reports 66-15

selecting for Event Viewer 65-30

selecting policy types to manage 5-10

SSL certificate configuration 11-16

ASA group policies objects

client configuration settings 32-4

client firewall attributes 32-5

connection settings 32-19

DNS/WINS settings 32-17

hardware client attributes 32-7

IPSec settings 32-8

split tunneling settings 32-18

SSL VPN clientless settings 32-10

SSL VPN full client settings 32-12

SSL VPN settings 32-14

technology settings 32-1

ASA Image Management 69-12, 69-25

ASBR

definition 53-2

ASCII limitations for text 1-45

ASDM

access rule look-up 68-14

device manager 68-11

ASR

zone-based firewall

global parameters 20-48

restrictions 20-3

assignment overview 1-16

Assignments tab, Policy view 5-51

Assign Shared Policy command 1-29

Assign Shared Policy dialog box 5-41

Asymmetric Digital Subscriber Line (ADSL)

on Cisco IOS routers 58-33

Asymmetric Routing Groups 44-5

Asynchronous Transfer Mode (ATM) 58-46

ATM 58-46

virtual channel connections (VCCs) 58-46

virtual channel identifier (VCI) 58-46

virtual path connections (VPCs) 58-46

virtual path identifier (VPI) 58-46

Attack Response Controller 41-1

attacks

broadcast 16-4

Denial of Service (DoS) 16-4

spoofing 16-4

SYN flooding 16-4

audit logs

configuring default settings 11-40

purging entries 10-21

understanding 10-18

working with 10-18

Audit Message Detail dialog box 10-20

Audit Report command 1-31

audit reports

generating and viewing 10-19

understanding 10-18

working with 10-18

Audit Report window 10-20

AUS

deploying configurations 8-42

deployment method 8-10

setting up 2-7

setting up on PIX Firewall and ASA devices 2-8

Authentication

Cisco IOS routers

settings 59-6

authentication

routing protocols 53-2

Authentication-Authorization-Accounting

See AAA 46-1

Authentication Header (AH) encryption algorithm 24-25

authentication methods

certificates (RSA signatures) 24-7

in IKE proposals 24-7

preshared keys 24-7

authentication testing

SSH 2-5

Authorization

Cisco IOS routers

settings 59-7

authorization proxy (AuthProxy)

configuring AAA rules 14-7

AuthProxy

configuring settings in Map view 33-23

AuthProxy dialog box 14-17

AuthProxy settings policy

configuring 14-8

autolink

omitting reserved networks from maps 11-2

automatic conflict detection

resolving conflicts 15-30

understanding 15-25

understanding the user interface 15-26

using 15-24

auto signon rules

ASA group policy objects 32-16

Auto Update Server (AUS)

adding 3-33

licensing 10-18

PIX/ASA/FWSM 50-1

add/edit server 50-3

troubleshooting deployment 9-17

Auto Update Server Properties dialog box 3-34

Available Bit Rate (ABR) 58-47

Available Servers dialog box 3-36

B

background image, map

deleting 33-13

importing 33-13

scale and position 33-13

setting 33-12

backup

event data store 65-32

backup.pl command 10-23

Backup command 1-32

backups, Security Manager database 10-23

bandwidth

VPN user reports 66-15, 66-16

banners

configuring on firewall devices 46-8

benefits of product 1-2

BGP routing

BGP Routing Policy page 63-4

defining routes 63-2

Neighbors dialog box 63-6

on Cisco IOS routers 63-1

redistributing routes 63-3

Redistribution Mapping dialog box 63-7

Redistribution tab 63-6

Setup tab 63-4

Bidirectional Neighbor Filter 52-14

Bidirectional Neighbor Filter tab

PIM 52-13

blocking, IPS

configuring 41-7

configuring ARC 41-1

configuring blocking devices 41-14

configuring master blocking sensors 41-13

configuring never block hosts and networks 41-17

configuring router blocking interfaces 41-15

configuring user profiles 41-12

configuring VLAN blocking interfaces 41-16

general options 41-10

master blocking sensor 41-6

policy 41-8

rate limiting 41-4

router and switch blocking devices 41-4

strategies 41-3

understanding 41-1

Blocking page 41-8

Boot image/configuration

PIX/ASA 46-9

add/edit 46-10

bootstrap configuration

Failover 48-25

Botnet Traffic Filter Drop Rules Editor 18-13

botnet traffic filter rules

adding static entries 18-5

blocking blacklisted traffic 18-6

configuring DNS snooping 16-16

configuring in Map view 33-23

configuring the dynamic database 18-4

configuring with IPS global correlation 40-1

databases 18-1

Device Blacklist dialog box 18-15

Device Whitelist dialog box 18-15

Drop Rules Editor 18-13

Dynamic Blacklist Configuration tab 18-10

enabling DNS snooping 18-6

field definitions 18-9

illustrations 18-1

mitigating botnet activity 65-56

monitoring

activity using ASDM 65-55

activity using Event Viewer 65-53, 65-55

overview 65-52

understanding botnet syslog events 65-52

overview 18-1

preserving ACL names 12-4

Report Manager reports

firewall summary botnet reports 66-14

task flow 18-2

traffic classification 18-6

Traffic Classification dialog box 18-12

Traffic Classification tab 18-11

understanding 18-1

understanding NAT effects 12-3

understanding processing order 12-2

Whitelist/Blacklist tab 18-14

bridge group

failover

editing 48-15

Bridge Groups

ASA/FWSM

add/edit 44-41

bridge groups

defining 59-19

FWSM 3.1 45-3

Bridging

ASA 5505

Management IPv6 45-10

PIX/ASA/FWSM

ARP configuration 45-4

ARP Inspection 45-5

ARP Inspection, enable/disable 45-6

ARP Table 45-3

MAC Address, add/edit 45-8

MAC Address Table 45-7

MAC Learning 45-8

MAC Learning, enable/disable 45-9

Management IP address 45-10

bridging

Cisco IOS routers

Bridge Group dialog box 59-21

Bridging Policy page 59-20

BVI interfaces 59-18

overview 59-18

configuring transparent firewall rules 21-1

PIX/ASA/FWSM

about 45-1

configuring on 45-1

broadcast attacks, preventing 16-4

broadcasts

enabling directed on routers 58-20

browser plug-ins

configuring 29-46

bundles 69-9

bypass mode

configuring for IPS 35-12

C

CA server authentication methods

SCEP (Simple Certificate Enrollment Protocol) 24-43

Cat6k Device dialog box 41-14

Catalyst 6500/7600 devices

configuring FWSM in site-to-site VPNs 23-45

configuring SSH 2-6

default transport protocol 11-16

deployment 8-29

FlexConfig object samples 7-25

IPS blocking devices 41-4

policy discovery for FWSM 5-13

rollback restrictions 8-61

Service Modules 44-1

Catalyst 6500/7600 switches

including in deployment jobs 8-28

Catalyst devices

policy discovery 5-13

remote access VPNs

Dynamic VTI/VRF Aware IPsec settings 31-7

high availability 31-11

IPsec proposals 31-4

user group policies 31-13

VPNSM/VPN SPA/VSPA settings 31-6

Catalyst platform policies

IDSM settings policy

Create and Edit IDSM Data Port VLANs dialog boxes 64-49

Create and Edit IDSM EtherChannel VLANs dialog boxes 64-49

IDSM Settings page 64-47

IDSM Slot-Port Selector dialog box 64-50

interfaces/VLANs policy

Access Port Selector dialog box 64-30

Create and Edit Interface dialog boxes-Access Port mode 64-9

Create and Edit Interface dialog boxes-Dynamic Port mode 64-18

Create and Edit Interface dialog boxes-Other mode 64-24

Create and Edit Interface dialog boxes-Routed Port mode 64-12

Create and Edit Interface dialog boxes-subinterfaces 64-22

Create and Edit Interface dialog boxes-Trunk Port mode 64-14

Create and Edit VLAN dialog boxes 64-28

Create and Edit VLAN Group dialog boxes 64-34

Interfaces tab 64-7

Service Module Slot Selector dialog box 64-35

Summary tab 64-3

Trunk Port Selector dialog box 64-31

VLAN Groups tab 64-33

VLAN Selector dialog box 64-35

VLANs tab 64-27

VLAN access lists policy

Create and Edit VLAN ACL Content dialog boxes 64-41

Create and Edit VLAN ACL dialog boxes 64-41

VLAN Access Lists page 64-39

Catalyst Summary Info command 1-32

Catalyst switches

configuring SSH 2-6

default transport protocol 11-16

showing modules, security contexts, and virtual sensors 3-50

Catalyst switches/7600 routers

troubleshooting deployment 9-15

Catalyst switches and 7600 devices

IDSM mode support 64-43

interface deployment failure 9-15

internal VLAN deployment failure 9-15

supported VTP modes 64-1

Catalyst switches and 7600 Series routers

access ports 64-5

Catalyst Summary Info page 64-2

defining IDSM Data Port VLANs 64-46

defining IDSM EtherChannel VLANs 64-44

defining ports 64-5

defining VACLs 64-37

defining VLAN groups 64-32

defining VLANs 64-26

deleting IDSM Data Port VLANs 64-47

deleting IDSM EtherChannel VLANs 64-45

deleting ports 64-7

deleting VACLs 64-38

deleting VLAN groups 64-33

deleting VLANs 64-27

discovering policies 64-1

generating interface names 64-6

IDSM settings 64-43

IDSM Settings page 64-47

interfaces 64-5

managing 64-1

routed ports 64-5

trunk ports 64-5

viewing interface and VLAN summary 64-3

VLAN Access Lists page 64-39

VLAN ACLs (VACLs) 64-36

VLAN groups 64-31

VLANs 64-25

Catalyst VPN Service Port Adapters (VSPAs)

configuring 23-41

Catalyst VPN Services Module (VPNSM)

configuring 23-41

configuring in remote access VPNs 31-6

Catalyst VPN Shared Port Adapter (VPN SPA)

configuring 23-41

configuring in remote access VPNs 31-6

categories

using 6-11

cautions

significance of i-lviii

CDP

configuring mode for IPS 35-13

CEF Interface Settings dialog box 58-26

CEF interface settings policies 58-24

certificates, SSL

adding thumbprints manually 9-4

configuring default settings for how handled 11-16

managing IPS 42-9

certificate to connection profile map policies

configuring policy 29-25

configuring rules 29-26

Change Report dialog box 4-17

change reports

selecting session in non-Workflow mode 4-17

viewing 4-16

Change Reports command 1-31

Checkpoint migration

configuring object group search on ASA 8.3+ devices 15-22

Choose a file dialog box 32-24

Cisco 7600 Series routers

managing 64-1

Cisco Configuration Engine

troubleshooting device setup and deployment 9-17

Cisco Discovery Protocol (CDP)

enabling CDP on router interfaces 58-18

Cisco Express Forwarding (CEF)

CEF Interface Settings policy 58-25

CEF router interface settings policies 58-24

importance for QoS 62-2

Cisco IOS IPS

effect of load balancing 43-7

configuration files 43-3

configuration overview 43-3

configuring 43-1

configuring general settings 43-7

configuring interface rules 43-8

getting started 34-1

initial preparation of router 43-5

lightweight signature engines 43-2

limitations and restrictions 43-3

selecting signature category 43-6

understanding 43-1

understanding subsystems and revisions 43-2

Cisco IOS Routers

configuring IOS IPS 43-1

IPS blocking devices 41-4

Cisco IOS routers

802.1x 60-1

AAA 59-2

accounts and credentials 59-13

ADSL 58-33

advanced interface settings 58-13

available interface types 58-2

basic interface settings 58-1

BGP routing 63-1

CNS call-home mode 2-10

CNS event-bus mode 2-9

configuring SSH 2-6

CPU settings 59-25

default AAA server groups 6-27

deploying configurations using TMS 8-43

dialer interfaces 58-27

discovering policies 57-3

Domain Name System (DNS) 59-74

Dynamic Host Configuration Protocol (DHCP) 59-87

EIGRP routing 63-8

host and domain names 59-77

HTTP 59-28

interface deployment failure 9-13

IOS 12.1 and 12.2 57-2

licenses 2-12

line access 59-35

managing 57-1

memory settings 59-78

NAT 22-5

designating interfaces 22-5

dynamic rules 22-10

static rules 22-6

timeouts 22-13

NetFlow 61-1, 61-5, 61-12

Network Admission Control (NAC) 60-8

Network Time Protocol (NTP) 59-96

optional SSH settings 59-63

OSPF routing 63-19

permanent virtual connections (PVCs) 58-46

platform policies 57-1

Point-to-Point Protocol (PPP) 58-70

policy discovery 5-13

quality of service (QoS) 62-1

RIP routing 63-42

Secure Device Provisioning (SDP) 59-81

setting up SSL (HTTPS) 2-4

SHDSL 58-40

SNMP 59-66

static routing 63-50

syslog logging 61-1

time zone settings 59-22

transparent bridging 59-18

Cisco IOS Software

FlexConfig object samples 7-25

selecting policy types to manage 5-10

Cisco Secure Desktop configuration objects

creating 31-18

Cisco Security Management Suite server

logging into or exiting 1-9

Cisco Technical Assistance Center

creating diagnostic file 10-27

generating data 10-26

generating deployment or discovery status reports 10-28

generating partial database backup 10-28

Cisco Trust Agent (CTA) 60-9

CiscoWorks Common Services

backing up and restoring Security Manager 10-23

logging into or exiting 1-9

CiscoWorks user authorization, effect on what you can do 1-9

Class-Based Policing 62-6

class maps

understanding 6-67

Clear Connection Configuration dialog box 14-21

CLI commands

FlexConfig objects 7-2

client connection characteristics

configuration modes 26-3

configuring policies for Easy VPN 26-7

extended authentication (xauth) 26-4

clientless access mode 28-4

client settings

configuring AnyConnect 29-49

understanding AnyConnect 29-48

client-side file browsing 1-46

enabling or disabling 11-6

Clock

PIX/ASA/FWSM 46-11

clock

Cisco IOS routers

overview 59-22

clock settings

Cisco IOS routers

Clock Policy page 59-23

Clone Device command 1-27

Clone Policy Bundle dialog box 5-55

Clone Policy command 1-29

Clone Policy dialog box 5-44

Close Activity command 1-33

Close All Reports command (Report Manager) 66-8

Close Report command (Report Manager) 66-8

Close Ticket command 1-33

cluster, server

managing 10-2

overview 10-2

splitting server 10-3

synchronizing shared policies 10-4

cluster load balancing

configuring 29-5

understanding 29-4

understanding FQDN redirection 29-5

CNS

call-home mode 2-10

deploying configurations 8-42

deployment method 8-10

event-bus mode 2-9

setting up on PIX Firewall and ASA devices 2-8

color rules, configuring in Event Viewer 65-36

Combine Rules Selection Summary dialog box 12-23

commands

Activities menu 1-32

Edit menu (Configuration Manager) 1-28

Event Viewer File menu 65-8

Event Viewer View menu 65-9

File menu (Configuration Manager) 1-26

Help menu (Configuration Manager) 1-34

Launch menu 1-33

Manage menu 1-30

Map menu 1-29

Policy menu (Configuration Manager) 1-29

Report Manager menus 66-8

Tickets menu 1-33

Tools menu (Configuration Manager) 1-31

View menu (Configuration Manager) 1-28

Common Services

licensing 10-18

communication, device

troubleshooting 9-7

configuration

initial Security Manager 1-22

understanding rollback 8-59

Configuration Archive

adding configurations from devices 8-55

overview 8-16

rolling back to archived configuration files 8-66

rolling back when deploying to file 8-67

settings 11-3

version viewer 8-56

viewing and comparing configuration versions 8-56

viewing transcripts 8-58

window 8-24

Configuration Archive command 1-31

Configuration Archive page 11-3

Configuration Engine

adding 3-33

CNS call-home mode 2-10

CNS event-bus mode 2-9

setting up 2-7

Configuration Engine Properties dialog box 3-34

configuration files

deploying in non-Workflow mode 8-29

deploying in Workflow mode 8-35, 8-40

deploying to 8-11

deploying to an AUS or CNS 8-42

deploying to a TMS 8-43

deployment process overview 8-1

factory-default configurations 44-2

previewing 8-45

redeploying to devices 8-49

rolling back after deploying to file 8-67

rolling back to archived configurations 8-66

rolling back to devices 8-65

selecting 1-46

web VPN policy discovery restrictions 3-8

configuration location, configuring for IOS IPS 43-7

Configuration Manager

overview 1-12

using 1-11

configurations

adding to the Configuration Archive 8-55

avoiding out-of-band changes 8-47

detecting out-of-band changes 8-46

rollback, commands to recover from failover misconfiguration 8-65

rollback command conflicts 8-64

rolling back 8-59

rolling back Catalyst 6500/7600 8-61

rolling back failover devices 8-61

rolling back IPS and IOS IPS 8-62

rolling back multiple context mode 8-61

understanding out-of-band changes 8-12

viewing and comparing 8-56

configuration session

selecting session for change reports 4-17

viewing change reports 4-16

configuration sessions

discarding 4-21

configuration views 1-12

Configure dialog box 16-19

Configure DNS dialog box 16-16

Configure ESMTP dialog box 16-17

Configure Fragments dialog box 16-18

Configure Hardware Ports

ASA 5505 44-39

Configure IMAP dialog box 16-18

Configure POP3 dialog box 16-18

Configure RPC dialog box 16-19

Configure SMTP dialog box 16-17

Config Version Viewer (Preview Configuration) dialog box 8-45

conflict analysis reports

generating 15-30

conflict detection

resolving conflicts 15-30

understanding 15-25

understanding the user interface 15-26

using 15-24

connection

PIX/ASA/FWSM

identity-aware rules 13-21

rules 55-5

Connection Alias dialog box 29-20

Connection Profile dialog box

AAA tab 29-11

General tab 29-9

IPSec tab 29-16

Secondary AAA tab 29-14

SSL tab 29-18

connection profiles

configuring 29-6

configuring for Easy VPN 26-13

properties

AAA 29-11

general 29-9

IPSec 29-16

policy overview 29-8

secondary AAA 29-14

SSL 29-18

sharing among multiple ASAs 28-8

Connection Profiles page 29-8

Connection Settings

MPC rule wizard

tab 55-8

connection timeout

device communication settings 11-16

Connection URL dialog box 29-21

connectivity, testing device 9-1

console

Cisco IOS routers

AAA tab 59-44

Accounting tab 59-47

Authentication tab 59-44

Authorization tab 59-45

Console Policy page 59-42

Setup tab 59-42

console port

Cisco IOS routers

defining AAA settings 59-37

defining setup parameters 59-35

Console timeout

PIX/ASA/FWSM 47-1

Constant Bit Rate (CBR) 58-47

contained modules

showing 3-50

content rewrite rules

defining for SSL VPN on ASA 29-39

Context-Based Access Control

choosing interfaces 16-2

configuring 16-5

configuring identity aware 13-21

preventing DoS attacks on IOS devices 16-4

selecting protocols 16-3

understanding 16-1

understanding access rule requirements 16-4

Context Editor dialog box (IOS) 31-15

contexts

see "security contexts" 56-1

continuity check (CC) cells 58-50

control plane (CP)

defining QoS on 62-12

policing on 62-9

Control Plane Policing 62-9

conventions i-lvii

cookie challenges 24-30

Copy command 1-28, 12-9

Copy Policies Between Devices command 1-29

Copy Policies wizard 5-31

CPU settings

defining utilization settings 59-25

overview 59-25

CPU utilization

CPU Policy page 59-26

Create a Clone of Device dialog box 3-50

Create Activity dialog box 4-13

Create a Policy dialog box 5-51

Create Discovery Task dialog box 5-18

Create Extranet VPN Topology wizard

overview 23-63

Create Filter dialog box 1-41

Create Group Policy wizard

Clientless and Thin Client Access Modes page 28-22

Full Tunnel page 28-20

Group Policy page 28-19

using 28-19

Create Overrides for Device dialog box 6-18

Create Policy Bundle dialog box 5-54

Create Text Object dialog box 7-35

Create Ticket dialog box 4-13

Create VPN Topology wizard

Device Selection page 23-32

Edit Endpoints dialog box 23-33

Endpoints page 23-33

GET VPN Group Encryption page 23-51

GET VPN Peers page 23-57

High Availability page 23-49

Name and Technology page 23-30

overview 23-28

VPN Defaults page 23-58

credential objects

attributes 26-9

credentials

configuring on firewall devices 46-13

device manager validation 68-10

IPS module 3-17

service module 3-16

testing 9-1

understanding device 3-4

Credentials page

HTTPS port number

overriding with HTTP policy 3-43

Credentials page, device properties 3-41

crypto maps

understanding 24-17

CSC

MPC rule wizard

tab 55-8

CSDM Policy Editor dialog box 30-39

CS-MARS

access to Security Manager 68-19

configuring servers 11-4

discovering or changing controller used by device 68-21

events

historical and real-time lookup 68-23

looking up 68-23

integrating with Security Manager 68-18

integration with Security Manager 68-18

looking up Security Manager policies based on events 68-27

NetFlow 68-29

query

troubleshooting 68-22

registering in Security Manager 68-20

supported log messages 68-28

viewing access rule events 68-24

viewing IPS signature events 68-26

CS-MARS page 11-4

CSMDiagnostics.zip

setting debug options 11-8

CSMDiagnostics.zip file, creating 10-27

CSM tab, Licensing page 11-36

CSV (comma-separated values) files

supported formats for device inventory 10-8

Customize Desktop Settings page 11-6

Customized Toolbar command 1-28

Custom Protocol dialog box 16-19

Custom Report List command (Report Manager) 66-9

Cut command 1-28, 12-9

cut-through proxy, configuring 13-23

CXSC

about 55-15

MPC rule wizard

tab 55-8

CXSC Auth Proxy Configuration

ASA 55-16

D

database

backing up 10-23

backing up and restoring 10-23

generating partial backups for TAC 10-28

restoring 10-25

DCE/RPC policy map objects

creating 16-20

properties 16-24

DCS.properties file

DCS.doSerialAccessForFWSMVCs property 9-16

DCS.FWSM.checkThreshold property 9-16

SSH settings 9-7

warning message expression properties 9-9

DDNS

PIX/ASA/FWSM 50-15

add interface rules 50-16

update methods 50-16

update methods, add/edit 50-17

dead-peer detection (DPD) 24-27

debugging

configuring debug levels 11-8

Debug Options page 11-8

Default Report Settings command (Report Manager) 66-9

defaults, configuring 11-1

Delete Device command 1-27

Delete Map command 1-30

Delete Map dialog box 33-10

Delete Row command 1-28

Denial of Service (DoS)

preventing in SMTP using zone based firewall 20-24

denial of service (DoS)

preventing using unicast reverse path forwarding (RPF) 58-20

Denial of Service (DoS) attacks

configuring inspection settings to mitigate 16-85

preventing on IOS devices using inspection 16-4

denial of service (DoS) attacks

preventing using IKEv2 cookie challenge 24-30

Deploy command 1-27

Deploy Job dialog box 8-40

deployment

Add Other Devices dialog box 8-54

Auto Update Server 8-42

Catalyst 6500/7600 devices 8-29

changes not deployed when using schedules 8-52

changing device message severity level to ignore errors 9-9

changing FWSM multiple-context deployment to serial 9-16

Cisco Networking Services configuration engine 8-42

configuration files, to 8-11

configurations 8-29

creating jobs in Workflow mode 8-36

creating or editing schedules 8-52

Deployment Manager window 8-17

device communication settings 9-4

devices, directly to 8-9

devices, through intermediate server 8-10

Edit Deploy Method dialog box 8-31

Edit Selected Deployment Method dialog box 8-31

errors

OS version mismatches 8-13

generating status report 10-28

handling OS version mismatches 8-13

managing 8-1

methods 8-8

minimum memory errors for ASA 8.3+ 9-11

non-Workflow mode 8-3

optimizing access rules 15-44

out-of-band changes

avoiding 8-47

detecting and analyzing 8-46

understanding 8-12

process overview 8-1

rolling back archived configurations 8-66

rolling back configurations 8-59

rolling back configurations, Catalyst 6500/7600 8-61

rolling back configurations, command conflicts 8-64

rolling back configurations, commands to recover from failover misconfiguration 8-65

rolling back configurations, failover devices 8-61

rolling back configurations, IPS and IOS IPS devices 8-62

rolling back configurations, multiple context mode 8-61

rolling back configuration when deploying to file 8-67

rolling back to last deployed configuration 8-65

setting debug options 11-8

SSL handshake failure 2-2

suspending or resuming schedules 8-55

system settings 11-9

task flow

non-Workflow mode 8-3

Workflow mode 8-5

tips for successful jobs 8-28

TMS server 8-43

troubleshooting 9-1, 9-9

ADSL or PVC deployment failures 9-14

AUS problems 9-17

Catalyst interface settings 9-15

Catalyst internal VLANs 9-15

Catalyst switch and modules 9-15

Configuration Engine problems 9-17

Error Writing to Server messages 9-14

HTTP Response Code 500 messages 9-14

layer 2 interfaces 9-14

mixing deployment methods with routers and VPNs 9-13

router interface settings 9-13

routers 9-13

Security Manager cannot contact device 9-11

VPNs with routing processes 9-12

troubleshooting device communication 9-7

troubleshooting router connection failures 2-2

troubleshooting SSL certificate errors 9-4

troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 23-17

understanding 8-1

understanding configuration rollback 8-59

using a Cisco Networking Services (CNS) server 8-42

viewing device details 8-27

viewing job summary 8-27

viewing status and history for jobs and schedules 8-27

viewing transcripts 8-58

Warning - Partial VPN Deployment dialog box 8-32

Workflow mode 8-5, 8-35, 8-40

working with 8-26

Deployment—Create or Edit a Job dialog box 8-36

deployment jobs

aborting 8-51

approval 8-7

approving 8-39

creating and editing in non-Workflow mode 8-29

creating and editing in Workflow mode 8-36

Deployment Manager 8-16

discarding 8-41

including devices in 8-8

multiple users 8-8

redeploying 8-49

rejecting 8-39

states

non-Workflow mode 8-4

Workflow mode 8-6

submitting 8-39

viewing history 8-27

Deployment Manager

overview 8-16

Deployment Manager window 8-17

Deployment Schedules tab 8-22

Deployments command 1-31

Deployment Settings page 11-9

Deployment Status Details dialog box 8-33

Deployment Workflow Commentary dialog boxes 8-21

Deploy Saved Changes dialog box 8-29

DES encryption algorithm

in IKE proposals 24-6

Designated Router

PIX/ASA/FWSM 52-12

Destination Contents dialog box 12-14

Dest Port Map dialog box 39-12

Detect Out of Band Changes command 1-32

device

AAA administration 46-4

firewall types 44-1

viewing inventory status 68-16

Device Access

FWSM

Resources, add/edit 49-3

PIX/ASA/FWSM 47-1

console timeout 47-1

host name 49-1

HTTP configuration 47-2

HTTP page 47-2

ICMP rules 47-3

ICMP rules, add/edit 47-4

Management Access interface 47-5

Secure Shell (SSH) 47-5

Secure Shell, add/edit host 47-6

Server Access 50-1

SNMP host access 47-12

SNMP page 47-8

SNMP Trap configuration 47-9

Telnet configuration 47-14

Telnet page 47-13

user accounts 49-6

user accounts, add/edit 49-7

device access policies

defining 59-14

Device Admin

FWSM

Resources 49-3

device administration policies

configuring on firewall devices 46-1

device authentication

adding SSL thumbprints manually 9-4

SSL certificate default configuration 11-16

Device Blacklist dialog box 18-15

device communication

changing device message severity level 9-9

managing settings 9-4

routers without K8/K9 crypto image 9-7

Security Manager cannot contact device after deployment 9-11

troubleshooting failures 9-7

Device Communication page 11-15

device communications

troubleshooting 9-1

device communication settings

connection timeout 11-16

retry count 11-16

socket read timeout 11-16

Device Connectivity Test dialog box 9-3

device credentials

understanding 3-4

Device Credentials page 3-41

Device Delete Validation dialog box 3-52

device groups 3-53, 3-56

adding or removing devices 3-57

creating group types 3-55

deleting groups or types 3-56

understanding 3-53

Device Groups page 3-45, 11-18

Device Information page - Add Device from File 3-29

Device Information page - Configuration File 3-20

Device Information page - Network 3-11

Device Information page - New Device 3-24

device inventory

exporting

DCR, CS-MARS, Security Manager formats 10-6

device with policies 10-6

overview 10-5

supported CSV formats 10-8

using command line utility 10-9

importing

device with policies 10-14

importing with policies 10-14

managing 3-1

testing device connectivity 9-1

understanding 3-1

understanding contents 3-3

understanding generic devices 3-8

working with 3-32

device manager

access rule look up 68-13

ASDM 68-11

access rule look-up 68-14

credentials 68-10

IDM 68-11

PDM 68-11

prerequisites 68-12

SDM 68-12

access rule look-up 68-15

starting from HPM 67-3, 67-23

starting from Security Manager 68-10

troubleshooting 68-12

xdm-launcher.exe 68-12

Device Manager command 1-34

Device Properties

Credentials page 3-41

Device Groups page 3-45

General page 3-38

Policy Object Override pages

general reference 3-46

device properties

changes with policy effects 3-48

changing critical 3-47

image version changes with no policy effects 3-47

understanding 3-6

viewing or changing 3-37

Device Properties command 1-31

Device Properties page

creating object overrides 6-17

deleting overrides 6-19

overview 3-37

device response

to appear as an error message 9-9

devices

adding 3-6

adding configurations to the Configuration Archive 8-55

adding from configuration files 3-18

adding from inventory file 3-27

adding from network 3-9

adding local rules to shared policies 5-42

adding manually 3-23

adding or changing modules 3-37

assigning shared policies 5-41

avoiding out-of-band changes 8-47

changing critical properties 3-47

changing those selected for reports 66-21

cloning or duplicating 3-50

cloning shared policies 5-44

communication requirements 2-1

communication settings and certificates 9-4

configuring ASA licenses 2-11

configuring IOS licenses 2-12

configuring local policies 5-29

copying policies between 5-31

creating policy object overrides 6-17

deleting from inventory 3-51

deleting policy object overrides 6-19

deployment through intermediate server 8-10

deployment to 8-9

detecting out-of-band changes 8-46

discovering or changing CS-MARS controller 68-21

discovering policies 5-12

discovering policies on existing devices 5-15

dynamic IP addresses 3-33

image version changes with no policy effects 3-47

including in deployment jobs or schedules 8-8

including unmanaged or non-Cisco in a VPN 23-11

inheriting policy rules 5-43

maps

adding existing managed 33-15

adding new managed 33-15

displaying devices from Device View 33-15

displaying managed 33-15

removing managed 33-15

showing containment for Catalyst switches, ASA, PIX, IPS devices 33-16

modifying policy assignment 5-46

modifying shared policies 5-45

naming conventions 3-3

overview of monitoring 1-6

policy status icons 5-28

preparing for management 2-1

property changes with policy effects 3-48

redeploying configuration files to 8-49

redeploying configurations to replaced hardware 8-49

renaming policies 5-45

replacing policies 5-41

rolling back configurations 8-65, 8-66, 8-67

selecting in site-to-site VPNs 23-32

selecting multiple 1-40

sharing multiple policies 5-39

showing contained modules 3-50

system variables 7-7

testing connectivity 9-1

troubleshooting communication 9-7

troubleshooting communication and deployment 9-1

troubleshooting device discovery failures 3-7

unassigning policies 5-33

understanding out-of-band changes 8-12

unsharing policies 5-40

using global search to find specific devices 1-37

what counts as a device 3-3

device selector

filtering 1-40

Device Selector dialog box 1-40

Device Server Assignment dialog box 9-8

Device view

adding local rules to shared policies 5-42

assigning shared policies 5-41

cloning shared policies 5-44

configuring local policies 5-29

configuring VPN topologies 23-19

copying policies between devices 5-31

inheriting policies 5-43

managing policies 5-28

modifying policy assignments 5-46

modifying shared policies 5-45

overview 1-12

policy banner 5-35

policy shortcut menu 5-37

policy status icons 5-28

renaming policies 5-45

sharing local policies 5-38

sharing multiple policies 5-39

unassigning policies 5-33

understanding basic policy management 5-29

understanding shared policies 5-34

unsharing policies 5-40

device view

understanding 3-1

Device View command 1-28

Device Whitelist dialog box 18-15

DHCP

Cisco IOS routers

defining address pools 59-91

defining policies 59-90

DHCP Database dialog box 59-94

DHCP Policy page 59-92

IP Pool dialog box 59-94

overview 59-87

understanding database agents 59-88

understanding option 82 59-89

understanding relay agents 59-88

understanding secured ARP 59-89

configuring passthrough for IOS devices 21-3

PIX/ASA/FWSM 50-7

add/edit servers 50-9

advanced configuration 50-10

configuring DHCP servers 50-7

server options 50-10

traffic blocked 9-14

DHCP relay

PIX/ASA/FWSM 50-5

add/edit agent 50-5

add/edit server 50-6

diagnostics

setting debug options 11-8

diagnostics file, creating 10-27

dial backup

configuring in Easy VPN 26-2

configuring in VPN 23-39

configuring VPN advanced settings 23-40

Dial Backup Settings dialog box 23-40

dialer interfaces

defining BRI properties 58-29

defining profiles 58-27

Dialer Physical Interface dialog box 58-32

Dialer Policy page 58-30

Dialer Profile dialog box 58-31

on Cisco IOS routers 58-27

Diffie-Hellman groups

in IKE proposals 24-7

Digital Subscriber Line (DSL) 58-33

digital subscriber line-access multiplexer (DSLAM) 58-34

directed broadcasts

enabling 58-20

Disable/enable NAT rules 22-32

Discard Activity command 1-33

Discard Activity dialog box 4-21

Discard command 1-27

Discard Deployment Job dialog box 8-21

Discard Ticket command 1-33

Discard Ticket dialog box 4-21

discovering

remote access VPNs 28-12

site-to-site VPNs 23-24

Discover Policies on Device command 1-29

Discover VPN Policies command 1-29

Discover VPN Policies wizard 23-24

discovery

default behavior settings 11-19

generating status report 10-28

invalid certificate error 9-6

overview 1-16

security certificate error 9-4, 9-5

setting debug options 11-8

Discovery Settings page 11-19

Discovery Status dialog box 5-21

discovery task

frequently asked questions 5-25

starting 5-15

viewing status 5-20

disk space, monitoring event data store 65-31

Display Actual Size command 1-30

Distributed Traffic Shaping (DTS) 62-7

DMVPN (Dynamic Multipoint VPN)

advantages of using with GRE 25-11

configuring 25-12

configuring GRE modes 25-12

large scale DMVPNs

configuring 25-16

configuring server load balancing 25-17

overview 25-1, 25-9

spoke-to-spoke connections 25-10

supported platforms 23-9

understanding 25-10

DNS

configuring for inspection rules 16-16

PIX/ASA/FWSM

add/edit server group 50-13

add server 50-14

servers page 50-11

DNS class map objects

creating 16-20

match criteria 16-29

DNS policy map objects

creating 16-20

match conditions and actions 16-29

properties 16-26

DNS servers

configuring for IPS global correlation 34-22

DNS snooping 18-6

dock

report windows 66-25

view windows 65-34

Dock Map View command 1-30

documentation

conventions i-lvii

ordering i-lviii

Domain AD Server dialog box 13-10

Domain Name System (DNS)

Cisco IOS routers

defining policies 59-75

DNS Policy page 59-76

IP Host dialog box 59-76

overview 59-74

do not ask warnings, resetting 11-6

DSLAM 58-34

duration

VPN user reports 66-15, 66-16

dynamic access policies

attributes 30-3, 30-8

configuring 30-2

managing 30-1

understanding 30-1

dynamic access policies (DAP) 30-27

Dynamic Access Policy page

Add/Edit Dynamic Access Policy dialog box

Add/Edit DAP Entry dialog box 30-19

Add/Edit DAP Entry dialog box > AAA Attributes Cisco 30-20

Add/Edit DAP Entry dialog box > AAA Attributes LDAP 30-22

Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 30-23

Add/Edit DAP Entry dialog box > Anti-Spyware 30-23

Add/Edit DAP Entry dialog box > Anti-Virus 30-24

Add/Edit DAP Entry dialog box > AnyConnect Identity 30-25

Add/Edit DAP Entry dialog box > Application 30-26

Add/Edit DAP Entry dialog box > File 30-28

Add/Edit DAP Entry dialog box > NAC 30-29

Add/Edit DAP Entry dialog box > Operating System 30-30

Add/Edit DAP Entry dialog box > Personal Firewall 30-31

Add/Edit DAP Entry dialog box > Policy 30-32

Add/Edit DAP Entry dialog box > Process 30-33

Add/Edit DAP Entry dialog box > Registry 30-34

Advanced Expressions tab 30-38

Logical Operations tab 30-35

Main tab 30-14

Dynamic Access Policy page (ASA) 30-11

Cisco Secure Desktop Manager Policy Editor dialog box 30-39

Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 30-13

Dynamic Blacklist Configuration tab 18-10

dynamic crypto maps 24-17

dynamic filter snooping (DNS)

enabling 16-16

Dynamic Multipoint VPN (DMVPN)

mandatory and optional policies 23-6

dynamic NAT

Cisco IOS routers 22-10

Dynamic Translation Rule

PIX/ASA/FWSM 22-21

add/edit 22-21

dynamic VTI

configuring in Easy VPN 26-12

in remote access VPNs 31-7

understanding use in Easy VPN 26-2

E

Easy VPN

configuration modes 26-3

configuration overview 26-5

configuring client connection characteristics 26-7

configuring dial backup 26-2

configuring dynamic VTI 26-12

configuring high availability 26-2

connection profile policies 26-13

connection profiles (ASA, PIX 7+) 29-8

extended authentication (xauth) 26-4

important configuration notes 26-6

IPsec proposals 26-10

mandatory and optional policies 23-6

overview 26-1

supported platforms 23-9

understanding 26-1

understanding dynamic VTI 26-2

user group policies 26-14

Edit AAA Option dialog box 14-17

Edit AAA Rule dialog box 14-12

Edit AAA Server dialog box 6-29

Edit AAA Server Group dialog box 6-45

Edit Access Rule dialog box 15-12

Edit Actions dialog box 37-8

Edit activity state 4-4

Edit AOL Class Map dialog box 16-23, 20-17

Edit A Port Forwarding Entry dialog box 32-26

Edit ASA Group Policies dialog box

client configuration settings 32-4

client firewall attributes 32-5

connection settings 32-19

DNS/WINS settings 32-17

hardware client attributes 32-7

IPSec settings 32-8

overview 32-1

split tunneling settings 32-18

SSL VPN clientless settings 32-10

SSL VPN full client settings 32-12

SSL VPN settings 32-14

technology settings 32-1

Edit A Smart Tunnel Entry dialog box 32-49

Edit Auto Signon Rules dialog box 32-16

Edit Auto Update Settings dialog box 11-34

Edit Category dialog box 12-14

Edit Cisco Secure Desktop Configuration dialog box 32-20

Edit Client Access Rules dialog box 32-10

Edit Client Update dialog box 32-61

Edit Column dialog box 32-43

Edit Custom Pane dialog box 32-43

Edit DCE/RPC Map dialog box 16-24

Edit Deploy Method dialog box 8-31

Edit Description dialog box 12-14

Edit Destinations dialog box 12-11

Edit Device Groups command 1-27

Edit Device Groups dialog box 3-55

Edit DNS Class Map dialog box 16-23

Edit DNS Map dialog box

Filtering tab 16-28

overview 16-26

Protocol Conformance tab 16-27

Edit eDonkey Class Map dialog box 16-23, 20-17

Edit Endpoints dialog box

FWSM tab 23-45

overview 23-33

Protected Networks tab 23-45

VPN Interface tab 23-35

VPNSM/VPN SPA/VSPA settings, VPN Interface tab 23-41

VRF Aware IPsec tab 23-46

Edit ESMTP Map dialog box 16-32

Edit Extended Access Control Entry dialog box 6-54

Edit Extended Access List dialog box 6-53

Edit External Filter dialog box 20-39

Edit Extranet VPN dialog box

overview 23-63

Edit FastTrack Class Map dialog box 16-23, 20-17

Edit Fidelity dialog box 37-9

Edit File Object dialog box 32-22

Edit Firewall Rule Expiration dialog box 15-18

Edit FlexConfig dialog box 7-33

Edit FTP Class Map dialog box 16-23

Edit FTP Map dialog box 16-35

Edit Gnutella Class Map dialog box 16-23, 20-17

Edit Group Member dialog box 27-21

Edit GTP Map dialog box 16-38

Edit H.323 Class Map dialog box 16-23, 20-17

Edit H.323 Map dialog box 16-43, 20-32

Edit HSI Endpoint IP Address dialog box 16-46

Edit HSI Group dialog box 16-45

Edit HTTP Class Map dialog box 16-23, 20-17

Edit HTTP Map dialog box 20-32

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab 16-50

Extension Request Method tab 16-53

General tab 16-49

overview 16-48

Port Misuse tab 16-54

RFC Request Method tab 16-52

Transfer Encoding tab 16-55

ASA 7.2+ and PIX 7.2+ devices 16-56

Edit ICQ Class Map dialog box 16-23, 20-17

Edit IKEv1 Proposal dialog box 24-10

Edit IKEv2 Proposal dialog box 24-13

Edit IMAP Class Map dialog box 16-23, 20-17

Edit IMAP Map dialog box 20-32

Edit IM Class Map dialog box 16-23

Edit IM Map dialog box 20-32

ASA and PIX device 16-62

IOS device 16-65

Edit Inspect/Application FW Rule wizard

Address and Port page 16-12

Inspected Protocol page 16-15

Match Traffic page 16-10

Edit Inspect Parameter Map dialog box 20-29

Edit Interfaces dialog box 12-13

Edit IP Options Map dialog box 16-66

Edit IPsec Pass Through Map dialog box 16-71

Edit IPSec Transform Set dialog box 24-23

Edit IPv6 Map dialog box 16-68

Edit IPv6 Network/Host dialog box 6-73

Edit Kazaa2 Class Map dialog box 16-23, 20-17

Edit Key Server dialog box 27-19

Edit Language dialog box 32-38

Edit LDAP Attribute Map dialog box 6-41

Edit LDAP Attribute Map Value dialog box 6-42

Edit Load Balancing Parameters dialog box 25-17

Edit Local Web Filter Class Map dialog box 16-23, 20-17

Edit Local Web Filter Parameter Map dialog box 20-36

Edit Map Value dialog box 6-43

Edit Match Condition and Action dialog box

DNS policy maps 16-29

ESMTP policy maps 16-33

FTP policy maps 16-36

GTP policy maps 16-41

H.323 (IOS) policy maps 20-33

H.323 policy maps 16-46

HTTP (Zone Based IOS) policy maps 20-33

HTTP policy maps 16-57

IM (Zone Based IOS) policy maps 20-33

IMAP policy maps 20-33

IM policy maps 16-63

IPv6 policy maps 16-69

P2P policy maps 20-33

POP3 policy maps 20-33

SIP (IOS) policy maps 20-33

SIP policy maps 16-75

Skinny policy maps 16-79

SMTP policy maps 20-33

Sun RPC policy maps 20-33

Web Filter policy maps 20-33

Edit Match Criterion dialog box

AOL class maps 20-19

DNS class maps 16-29

eDonkey class maps 20-19

FastTrack class maps 20-19

FTP class maps 16-36

Gnutella class maps 20-19

H.323 (IOS) class maps 20-20

H.323 class maps 16-46

HTTP (IOS) class maps 20-20

HTTP class maps 16-57

ICQ class maps 20-19

IMAP class maps 20-22

IM class maps 16-63

Kazaa2 class maps 20-19

Local Web Filter class maps 20-27

MSN Messenger class maps 20-19

N2H2 class maps 20-28

POP3 class maps 20-22

SIP (IOS) class maps 20-23

SIP class maps 16-75

SMTP class maps 20-24

Sun RPC class maps 20-27

Websense class maps 20-28

Windows Messenger class maps 20-19

Yahoo Messenger class maps 20-19

Edit menu

Configuration Manager 1-28

Edit MSN Messenger Class Map dialog box 16-23, 20-17

Edit N2H2 Parameter Map dialog box 20-37

Edit N2H2 Web Filter Class Map dialog box 16-23, 20-17

Edit NAT Rule dialog box

ASA 8.3+ 22-35

Edit NetBIOS Map dialog box 16-72

Edit Network/Host dialog box

General tab 6-73

NAT tab 22-42

Edit Options dialog box 15-16

Edit P2P Map dialog box 20-32

Edit Permit Response dialog box 16-40

Edit PIX/ASA/FWSM Web Filter Rule dialog box 17-5

Edit PKI Enrollment dialog box

CA Information tab 24-51

Certificate Subject Name tab 24-57

Enrollment Parameters tab 24-55

overview 24-50

Trusted CA Hierarchy tab 24-58

Edit Policy Assignments command 1-29

Edit POP3 Class Map dialog box 16-23, 20-17

Edit Port Forwarding List dialog box 32-25

Edit Port List dialog box 6-80

Edit Protocol Info Parameter Map dialog box 20-31

Edit Regular Expression dialog box 16-82

Edit Regular Expression Group dialog box 16-81

Edit Row command 1-28

Edit Rule Section dialog box 12-21

Edit Security Association Dialog Box 23-55

Edit Selected Deployment Method dialog box 8-31

Edit Server dialog box

Protocol Info Parameter maps 20-32

Edit Server Group dialog box 14-17

Edit Service dialog box 6-82

Edit Services dialog box 12-12

Edit Signature dialog box 37-12

Edit Signature Parameter—Component List dialog box 37-25

Edit Signature Parameters dialog box 37-20

Edit Single Sign On Server dialog boxes 32-27

Edit SIP Class Map dialog box 16-23, 20-17

Edit SIP Map dialog box 16-73, 20-32

Edit Skinny Map dialog boxes 16-77

Edit SLA Monitor dialog box 49-9

Edit Smart Tunnel Auto Signon Entry dialog box 32-52

Edit Smart Tunnel Auto Signon Lists dialog box 32-51

Edit Smart Tunnel Lists dialog box 32-48

Edit SMTP Class Map dialog box 16-23, 20-17

Edit SMTP Map dialog box 20-32

Edit SNMP Map dialog box 16-80

Edit Sources dialog box 12-11

Edit SSL VPN Customization dialog box 32-32

Applications 32-42

Copyright Panel 32-40

Custom Panes 32-42

Full Customization 32-41

Home Page 32-44

Informational Panel 32-39

Language 32-36

Logon Form 32-38

Logout Page 32-45

Title Panel 32-35

Toolbar 32-41

Edit SSL VPN Gateway dialog box 32-46

Edit Standard Access Control Entry dialog box 6-57

Edit Standard Access List dialog box 6-53

Edit Sun RPC Class Map dialog box 16-23, 20-17

Edit Sun RPC Map dialog box 20-32

Edit TCP Map dialog box 55-20

Edit TCP Option Range Dialog Box 55-22

Edit Text Object dialog box 7-35

Edit Time Range dialog box 6-60

Edit Traffic Flow dialog box 55-16

Edit Translated Address dialog box 22-27

Edit Transparent EtherType dialog box 21-6

Edit Transparent Firewall Rule dialog box 21-5

Edit Transparent Mask dialog box 21-7

Edit Trend Content Filter Class Map dialog box 16-23, 20-17

Edit Trend Parameter Map dialog box 20-40

Edit Update Server Settings dialog box 11-32

Edit URL Domain Name dialog box 20-43

Edit URLF Glob Parameter Map dialog box 20-43

Edit URL Filter Parameter Map dialog box 20-41

Edit User Credentials dialog box 34-17

Edit User dialog box 12-12

Edit User Group dialog box

Advanced PIX 6.3 settings 32-62

Browser Proxy settings 32-68

Client (IOS) settings 32-59

Clientless settings 32-63

Client VPN Software Update (IOS) settings 32-61

DNS/WINS settings 32-57

General settings 32-56

IOS Xauth Options settings 32-60

overview 32-54

Split Tunneling settings (Easy VPN/remote access IPSec VPN) 32-58

SSL VPN Connection settings 32-69

SSL VPN Full Tunnel settings 32-65

SSL VPN Split Tunneling settings 32-66

Technology settings 32-54

Thin Client settings 32-64

Edit Virtual Sensor dialog box 36-7, 36-8

Edit VPN dialog box

Device Selection tab 23-32

Edit Endpoints dialog box 23-33

Endpoints tab 23-33

High Availability tab 23-49

Name and Technology tab 23-30

overview 23-28

Edit Web Access Control Entry dialog box 6-58

Edit Web Filter Map dialog box 20-45

Edit Web Filter Options dialog box 17-9

Edit Web Filter Type dialog box 17-8

Edit Websense Parameter Map dialog box 20-37

Edit Websense Web Filter Class Map dialog box 16-23, 20-17

Edit Web Type Access List dialog box 6-53

Edit Windows Messenger Class Map dialog box 16-23, 20-17

Edit WINS Server dialog box 32-70

Edit WINS Server List dialog box 32-70

Edit Yahoo Messenger Class Map dialog box 16-23, 20-17

Edit Zones dialog box 12-13

eDonkey class map objects

creating 20-15

match criteria 20-19

EIGRP routing

defining interface properties 63-10

defining routes 63-9

EIGRP Routing Policy page 63-13

Interface dialog box 63-16

Interfaces tab 63-15

on Cisco IOS routers 63-8

redistributing routes 63-12

Redistribution Mapping dialog box 63-18

Redistribution tab 63-17

Setup dialog box 63-14

Setup tab 63-13

e-mail

blocking spam using zone-based firewall rules 20-24

preventing DoS attacks 20-24

e-mail notifications

configuring SMTP server 1-23

PIX/ASA/FWSM

recipient set-up 51-3

syslog messages 51-2

Enable/disable NAT rules 22-32

Enable PIM and IGMP

PIX/ASA/FWSM 52-1

Encapsulating Security Protocol (ESP) encryption algorithm 24-25

encoding rules

defining for SSL VPN (ASA) 29-41

encryption algorithms

3DES (Triple DES) 24-6

AES (Advanced Encryption Standard) 24-6

DES (Data Encryption Standard) 24-6

in IKE proposals 24-6

endpoints and protected networks

configuring dial backup 23-39

defining in GET VPN topologies 23-57

defining in VPN topologies 23-33

VPN Interface tab 23-35

Error Writing to Server deployment errors 9-14

ESMTP

configuring for inspection rules 16-17

ESMTP policy map objects

creating 16-20

match conditions and actions 16-33

properties 16-32

EtherChannel

Create and Edit IDSM EtherChannel VLANs dialog boxes 64-49

defining IDSM VLANs 64-44

deleting IDSM VLANs 64-45

EtherChannels

ASA 44-8

edit assigned interface 44-11

LACP 44-11

load balancing 44-12

evaluation license

upgrading to permanent license 10-16

event

lists 51-4

add/edit 51-5

syslog class

add/edit 51-6

syslog message ID

add/edit 51-6

Event Action Filters page 38-7

Event Action Override dialog box 38-14

Event Action Overrides page 38-13

event actions, IPS

configuring filter rules 38-4

configuring network information 38-14

configuring OS maps 38-18

configuring overrides 38-13

configuring settings 38-21

configuring target value ratings 38-15

example filter rule 65-58

filter rule attributes 38-9

filter rules policy 38-7

filter rules tips 38-6

overview 38-1

possible actions 38-2

process overview 38-1

Event Management page 11-21

Event Manager service

configuring 65-27

managing 65-27

monitoring event store disk space 65-31

monitoring status 65-28

selecting devices to monitor 65-30

starting and stopping 65-27

status icon colors 65-28

events

archiving (backing up) the event data store 65-32

configuring firewall devices (ASA, FWSM) 65-25

configuring IPS devices 65-26

copying 65-47

CS-MARS 68-28

looking up 68-23

looking up policies based on related events 68-27

NetFlow support for policy lookup 68-29

viewing access rule events 68-24

viewing IPS signature events 68-26

ensuring time synchronization 65-24

Event Viewer

clearing filters 65-44

context menu 65-45

filtering by column 65-41

filtering by events 65-43

filtering overview 65-39

looking up policies based on related events 65-48

refreshing event table 65-40

selecting time range 65-39

text searches (quick filter) 65-43

using time slider with filtering 65-40

examining details 65-47

examples of analysis

mitigating botnet activity 65-56

monitoring and mitigating botnet activity 65-52

monitoring botnet activity using ASDM 65-55

monitoring botnet activity using Event Viewer 65-53

monitoring botnet activity using Report Manager 65-55

monitoring identity-aware firewall policies 13-27

overview 65-50

removing false positive IPS events 65-57

understanding botnet syslog events 65-52

user access to server blocked 65-50

performing operations on 65-45

properties 65-16

recovering the event data store 65-32

saving to a file 65-48

understanding Event Viewer access control 65-3

viewing 65-1

Event Viewer

archiving (backing up) the event data store 65-32

arranging views 65-34

ASA devices, configuring to provide events 65-25

columns 65-16

configuring color rules 65-36

configuring Event Manager service 65-27

copying events 65-47

creating custom views 65-37

deleting custom views 65-39

editing view name and description 65-37

ensuring time synchronization 65-24

Event Monitoring window 65-12

events

context menu 65-45

event table

customizing appearance 65-35

event details pane 65-24

refreshing 65-40

time slider 65-23

toolbar 65-14

examining event details 65-47

examples of analysis

mitigating botnet activity 65-56

monitoring and mitigating botnet activity 65-52

monitoring botnet activity 65-53

monitoring identity-aware firewall policies 13-27

overview 65-50

removing false positive IPS events 65-57

understanding botnet syslog events 65-52

user access to server blocked 65-50

features

historical views 65-2

overview 65-1

policy navigation 65-3

real-time views 65-2

views and filters 65-3

File menu reference 65-8

filters

advantages of using network/host objects 65-58

clearing 65-44

column based 65-41

event based 65-43

overview 65-39

submission requirements for policy objects 65-59

text searches (quick filter) 65-43

time range 65-39

time slider 65-40

floating views 65-34

FWSM devices, configuring to provide events 65-25

IPS devices, configuring to provide events 65-26

limits of 65-4

looking up Security Manager policies based on events 65-48

managing service 65-27

monitoring event store disk space 65-31

monitoring status 65-28

opening views 65-34

overview 65-7

performing operations on 65-45

preparation for use 65-24

recovering the event data store 65-32

saving events 65-48

saving views 65-38

selecting devices to monitor 65-30

settings 11-21

starting or stopping the Event Manager service 65-27

status icon colors 65-28

switching between IP addresses and host object names 65-35

switching between real-time and historical views 65-38

syslogs 65-6

troubleshooting

Event Viewer Unavailable message 11-21, 11-24, 65-27

policy objects not available for filtering 65-59

understanding access control 65-3

using 65-33

using views 65-33

view list 65-11

View menu reference 65-9

Event Viewer command 1-34

exclusive domains

configuring for IOS devices 17-10

Exit command 1-28

Exit command (Report Manager) 66-8

exiting

Cisco Security Management Suite server 1-9

CiscoWorks Common Services 1-9

Security Manager 1-8, 1-10

expiration dates

configuring for access rules 15-19

export

device inventory

DCR, CS-MARS, Security Manager formats 10-6

device with policies 10-6

overview 10-5

supported CSV formats 10-8

IPS event action overrides 38-13

IPS event filter rules 38-4, 38-7

policy objects 6-20

reports 66-23

shared policies 10-12

Export Devices or Policies commands 1-27

Export Inventory dialog box 10-6

Export Map command 1-30

External Product Interface dialog box 34-24

External Product Interface policy 34-23

F

factory-default configurations 44-2

failover

Active/Active

command replication 48-4

configuration synchronization 48-3

configuring in site-to-site VPN 23-49

edit bridge group 48-15

FWSM 48-11

advanced settings 48-14

PIX/ASA 48-16

Add Failover Group 48-23

settings 48-19

PIX/ASA/FWSM 48-8

active/active 48-2, 48-3

active/standby 48-2

bootstrap configuration 48-25

configuration basics 48-5

configuring 48-1

interface configuration 48-22

interface MAC address 48-21

security context 48-24

stateful 48-3, 48-4

stateless 48-3

types of 48-2

understanding 48-1

PIX 6.3 48-9

interface configuration 48-10

stateful in site-to-site VPN 23-51

false negatives

definition of 37-18

false positives

definition of 37-18

FastTrack class map objects

creating 20-15

match criteria 20-19

feature sets 1-4

File menu

Configuration Manager 1-26

Event Viewer 65-8

Report Manager 66-8

file objects

attributes 32-22

selecting 32-24

files

deploying to 8-11

selecting or specifying 1-46

Filter Item dialog box 38-9

filter rules, event action (IPS)

attributes 38-9

configuring 38-4

example rule 65-58

exporting 38-4

policy 38-7

tips 38-6

filters

Event Viewer

clearing 65-44

column based 65-41

context menu 65-45

event based 65-43

overview 65-39

refreshing event list 65-40

selecting time range 65-39

text searches (quick filter) 65-43

using time slider 65-40

filtering selectors 1-40

filtering tables 1-43

HPM

column based 67-13

custom 67-13

filters (Event Viewer)

advantages of using network/host objects 65-58

overview 65-3

submission requirements for policy objects 65-59

Find and Replace dialog box 12-16

find and replace in rules policies 12-15

Find Map Node command 1-30

Find Node dialog box 33-12

Firewall

AAA IOS Timeout Values 14-26

firewall

AAA firewall

advanced settings 14-18

configuring 14-6

MAC exempt lists 14-22

AAA firewall policy

advanced settings 14-18

configuring 14-6

AAA page 14-24

AAA rules

configuring AAA firewall settings 14-6

configuring AuthProxy settings 14-8

configuring cut-through proxy (ASA) 13-23

configuring for ASA/PIX/FWSM devices 14-4

configuring for IOS devices 14-7

configuring identity aware 13-21

managing 14-1

properties 14-12

understanding 14-1

understanding how users authenticate 14-2

Access Control page (IPv4 and IPv6) 15-20

access controls

per user downloadable ACLs 15-24

access control settings

configuring settings 15-19

access rule

event analysis example, user access blocked 65-50

finding from CS-MARS events 68-27

finding from Event Viewer events 65-48

viewing related CS-MARS events 68-24

access rules

address requirements 15-5

configuring 15-7

configuring expiration dates 15-19

configuring identity aware 13-21

how deployed 15-5

import examples 15-42

importing 15-37

IPS blocking, effect of 41-4

managing 15-1

optimizing during deployment 15-44

sharing ACLs among interfaces 11-12

understanding 15-1

understanding device-specific behavior 15-4

understanding global 15-3

understanding requirements when using inspection 16-4

ACL naming conventions 12-5

adding rules 12-9

analysis reports 15-30

AuthProxy

configuring 14-8

AuthProxy settings policy

configuring 14-8

botnet traffic filter rules 18-9

combining rules

example 12-26

interpreting results 12-24

procedure 12-21

configuring policies in Map view 33-22

configuring settings 17-15

configuring settings policies in Map view 33-23

conflict detection 15-24

deleting rules 12-9

device types 44-1

disabling rules 12-19

editing rules 12-9

enabling rules 12-19

finding and replacing items in rules policies 12-15

Firewall ACL Setting dialog box (IPv4 or IPv6) 15-22

hit count reports 15-32

identity-aware policies

collecting user statistics 13-25

configuring 13-7

configuring cut-through proxy 13-23

configuring identity options 13-15

configuring rules 13-21

configuring the ASA 13-7

enabling 13-8

filtering VPN traffic 13-26

identifying AD servers and agents 11-25, 13-8

managing 13-1

monitoring 13-27

overview 13-1

requirements 13-3

user identity acquisition 13-2

Inspection page 16-85

inspection rules

add/edit rule wizard 16-10, 16-12, 16-15

choosing interfaces 16-2

configuring 16-5

configuring identity aware 13-21

managing 16-1

preventing DoS attacks on IOS devices 16-4

selecting protocols 16-3, 16-15

understanding 16-1

understanding access rule requirements 16-4

inspection settings

configuring for IOS devices 16-85

introduction 12-1

IPv6 access control settings

configuring settings 15-19

IPv6 access rules

configuring 15-7

configuring expiration dates 15-19

configuring identity aware 13-21

sharing ACLs among interfaces 11-12

understanding 15-1

understanding global 15-3

MAC exempt lists, AAA firewall 14-22

managing rules tables 12-7

moving rules 12-18

object groups

expanding during discovery 12-34

optimizing network object groups during deployment 12-33

overview 12-1

per user downloadable ACLs 15-24

policy discovery 5-13

policy query

example report 12-32

generating reports 12-27

interpreting results 12-31

preserving ACL names 12-4

reference information for AAA rules 14-18

resolving access rule conflicts 15-30

resolving ACL naming conflicts 12-6

rule table sections 12-19

system variables 7-10

transparent rules

adding or editing a rule 21-5

configuring 21-1

configuring passthrough for IOS devices 21-3

editing the EtherType 21-6

editing the mask 21-7

managing 21-1

Transparent Rules page 21-3

understanding NAT effects 12-3

understanding rule order 12-18

understanding rule processing order 12-2

using rules tables 12-7

Web Filter page 17-16

web filter rules

configuring for ASA, PIX, FWSM devices 17-2

configuring for IOS devices 17-10

managing 17-1

understanding 17-1

zone-based firewall

add/edit zones 20-51

advanced options 20-62

configuring PAM 20-64

configuring rules 20-12, 20-58

configuring settings 20-47

Content Filter tab 20-50

designing network zones 20-1

development overview 20-11

Global Parameters tab 20-48

page 20-48

protocol selection 20-63

rules table 20-56

tabs 20-47

VPN tab 20-48

WAAS tab 20-48

Zones tab 20-48

zone-based firewalls

changing the default drop rule 20-46

general recommendations 20-11

IPSec VPN 20-5

logging 20-1

overview 20-1

restrictions 20-3

Self zone 20-5

troubleshooting 20-52

understanding 20-3

understanding permit/deny and action 20-7

understanding services and protocols 20-10

VRF 20-6

Firewall AAA IOS Timeout Value Setting dialog box 14-26

Firewall AAA MAC Exempt Setting dialog box 14-23

Firewall ACL Setting dialog box 15-22

Firewall Device dialog box 41-14

Firewall Services Module

see FWSM 45-1

Fit to Window command 1-30

FlexConfig objects

adding to policies 7-38

ASA samples 7-23

Catalyst 6500/7600 samples 7-25

changing order in policies 7-38

changing variable values 7-38

Cisco IOS Software samples 7-25

CLI commands 7-2

configuring 7-28

configuring AAA for administrative introducers 59-84

creating 7-31

creating text objects 7-35

deleting variables 7-31

PIX firewall samples 7-26

previewing CLI 7-38

properties 7-33

property selector 7-37

removing from policies 7-38

router samples 7-26

samples 7-22

scripting language

example of looping 7-3

example of looping with if/else statements 7-4

example of two-dimensional looping 7-3

understanding 7-3

system variables

device 7-7

firewalls 7-10

remote access VPN 7-22

router 7-15

understanding 7-7

VPN 7-16

undefined variables 7-36

understanding 7-2

variables 7-5

variables, example 7-6

FlexConfig policies

adding objects 7-38

changing object order 7-38

changing variable values 7-38

configuring 7-28

configuring AAA for administrative introducers 59-84

editing 7-38

previewing CLI 7-38

removing objects 7-38

understanding 7-2

FlexConfig Policy page 7-39

FlexConfig Preview dialog box 7-41

FlexConfigs

creating (scenario) 7-28

managing 7-1

troubleshooting 7-41

FlexConfig Undefined Variables dialog box 7-36

float

report windows 66-25

view windows 65-34

floodguard 54-2

FQDN objects

creating 6-71

understanding 6-69

fragmentation

configuring settings in VPNs 24-36

fragments settings 54-2

frequently asked questions

policy discovery 5-25

FTP class map objects

creating 16-20

match criteria 16-36

FTP policy map objects

creating 16-20

match conditions and actions 16-36

properties 16-35

full mesh topologies

description 23-4

partial mesh 23-5

full tunnel client access mode 28-5

FWSM

AAA support 6-24

about 44-1

adding SSL thumbprints manually 9-4

adding when using multiple-context mode 3-7

adding when using non-default HTTPS (SSL) port 3-7

Asymmetric Routing Groups 44-5

Bridge Groups

add/edit 44-41

bridge groups 45-3

changing deployment method to serial for multiple-context mode 9-16

configuring for event management 65-25

configuring FWSM endpoints in site-to-site VPNs 23-45

configuring transparent firewall rules 21-1

credentials 3-16

deleting security contexts 56-7

deployment failures after changing interface policies 9-15

deployment failures in multiple-context mode 9-15

deployment failures with large ACLs 9-16

Device Access

managing Resources 49-2

Resources 49-3

Resources, add/edit 49-3

discovering failover modules 3-7

Event Viewer support 65-4

Failover 48-11

advanced settings 48-14

edit bridge group 48-15

including in deployment jobs 8-28

interfaces

add/edit 44-19

configuring 44-2

General tab 44-20

IPv6 44-29

IPv6, add/edit 44-33

IPv6, add/edit prefixes 44-34

managing 44-14

packet capture, using 68-8

PDM 68-11

policy discovery 5-13

rollback, commands to recover from failover misconfiguration 8-65

rollback command conflicts 8-64

rollback restrictions for failover devices 8-61

rollback restrictions for multiple context mode 8-61

security contexts

configuration 56-8

selecting policy types to manage 5-10

setting up SSL (HTTPS) 2-3

SSL certificate configuration 11-16

TCP State Bypass 55-3

troubleshooting deployment 9-15

G

General

PIX/ASA/FWSM

security policies 54-1

General Configuration tab, SNMP policy for IPS 34-10

General page, device properties 3-38

General tab (Translation Rules)

PIX/ASA/FWSM 22-30

General tab, IPS blocking policy 41-10

generic routers 3-8

GET VPN

anti-replay, time based 27-11

configuring 27-12

configuring global ISAKMP and IPsec settings 27-16

configuring group members 27-20

cooperative key servers 27-7

defining group encryption 23-51

generating, synchronizing RSA keys 27-13

group members

adding 27-19

editing 27-21

IKE proposal 27-15

key servers

adding 27-19

editing 27-19

mandatory and optional policies 23-6

migrating to 27-23

overview 27-1

receive-only SAs 27-23

registration

choosing the rekey transport mechanism 27-6

configuring fail-close mode 27-8

registration process 27-4

SAs

passive SA mode 27-23

receive-only mode 27-23

security policy 27-10

supported platforms 23-9

troubleshooting 27-25

understanding 27-2

GET VPNs

group encryption policies

certificate authorization 23-54

security associations 23-55

global correlation

configuring 40-1

configuring DNS servers 34-22

configuring HTTP proxy server 34-23

configuring inspection and reputation 40-5

configuring network participation 40-7

configuring with Botnet Traffic Filtering 40-1

data collected 40-3

requirements and limitations 40-4

understanding 40-1

understanding network participation 40-3

understanding reputation 40-2

Global Search

using 1-37

global settings

remote access VPN

configuring 24-26

Gnutella class map objects

creating 20-15

match criteria 20-19

GRE (generic routing encapsulation) VPN

advantages of IPsec tunneling with GRE 25-3

configuring 25-5

configuring GRE modes 25-6

dynamically addressed spokes 25-5

implementation 25-3

overview 25-1, 25-2

prerequisites for successful configuration 25-3

supported platforms 23-9

understanding 25-2

GRE Dynamic IP

mandatory and optional policies 23-6

GRE Modes Page

DMVPN properties 25-12

GRE or GRE Dynamic IP properties 25-6

overview 25-1

Group Domain of Interpretation (GDOI) protocol 27-3

group encryption

defining in GET VPN topologies 23-51

Group Encryption Policy page (GET VPN) 23-51

group members

adding 27-19

communication flow 27-2

configuring fail-close mode 27-8

editing 27-21

GET VPN

registration process 27-4

security policy ACLs 27-10

group members (GET VPN)

configuring 27-20

Group Members page (GET VPN) 27-20

group policies

configuring 29-21

creating 29-23

understanding 29-22

VPNs

configuring bookmarks 29-63

configuring portal appearance 29-59

configuring WINS servers for file system access 29-69

customizing 29-58

post URL method and macro substitutions in bookmarks 29-65

smart tunnels 29-66

Group Policies page 29-21

groups

adding or removing devices 3-57

creating 3-56

deleting 3-56

understanding 3-53

working with 3-53

group types

creating 3-55

deleting 3-56

GTP map objects

Add Country Network Codes dialog box 16-40

Edit Country Network Codes dialog box 16-40

GTP Map Timeouts dialog box 16-41

GTP policy map objects

creating 16-20

match conditions and actions 16-41

properties 16-38

H

H.323 class map objects

IOS

creating 20-15

match criteria 20-20

match criteria 16-46

H.323 policy map objects

ASA/PIX/FWSM

creating 16-20

properties 16-43

IOS

creating 20-15

match conditions and actions 20-33

match conditions and actions 16-46

hash algorithms

in IKE proposals 24-6

MD5 24-7

SHA 24-6

Health & Performance Monitor command 1-34

Health and Performance Monitor

see HPM 67-1

help

accessing 1-47

Help About This Page command 1-35

helper addresses 58-14

Help menu

Configuration Manager 1-34

Help Topics command 1-35

Hide Navigation Window command 1-30

high availability (HA groups)

configuring in Easy VPN 26-2

configuring in site-to-site VPN 23-49

stateful/stateless failover 23-51

high availability policies

configuring in remote access VPNs 31-11

Histogram dialog box 39-13

histograms

configuring anomaly detection 39-11

understanding anomaly detection 39-9

hit count

generating reports 15-32

Hit Count Query Results page 15-36

Hit Count Selection Summary Dialog Box 15-35

Hostname

PIX/ASA/FWSM 49-1

hostnames

Cisco IOS routers

defining 59-77

Hostname Policy page 59-78

overview 59-77

HPM

access control 67-3

Alerts

firewall 67-29

IPS 67-28

alerts 67-24

acknowledging 67-31

clearing 67-31

configuring 67-27

history 67-32

viewing 67-31

application window 67-6

Alerts display 67-25

Monitoring display 67-21

columns

Alert table 67-12

Device-related 67-8

showing/hiding 67-7

sorting 67-7

VPN-related 67-10

configuring for 67-4

custom views 67-20

device

monitoring 67-16

monitoring multiple contexts 67-3

priority monitoring 67-24

views 67-17

Device Manager

launching 67-3, 67-23

device manager

cross-launch 67-24

devices

managing 67-5

email notifications

configuring 67-27

filters

column based 67-13

introduction 67-1

launching 67-4

List Filter 67-15

monitoring

device details 67-23

device status list 67-22

RA and S2S views 67-24

Summary 67-22

overview 67-1

Remote Access

log-off user 67-24

settings page 11-24

tables

showing/hiding columns 67-7

sorting columns 67-7

trending 67-2

views

closing 67-18

custom 67-20

docking 67-19

floating 67-19

list 67-17

opening 67-18

tiling 67-19

HTTP

Cisco IOS routers

AAA tab 59-32

Command Authorization Override dialog box 59-34

defining policies 59-29

HTTP Policy page 59-31

overview 59-28

Setup tab 59-31

PIX/ASA/FWSM 47-2

configuration 47-2

HTTP (ASA, PIX) class map objects

creating 16-20

HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects

creating 16-20

properties 16-48

HTTP (ASA7.2+/PIX7.2+) policy map objects

creating 16-20

properties 16-56

HTTP (IOS) class map objects

creating 20-15

creating for zone-based firewall content filtering 20-34

match criteria 20-20

HTTP (Zone Based IOS) policy map objects

creating 20-15, 20-34

match conditions and actions 20-33

HTTP class map objects

match criteria 16-57

HTTP-FORM

settings in AAA server objects 6-40

HTTP policy

overriding HTTPS port number 3-43

sharing

HTTPS port number 3-43

HTTP policy map objects

match conditions and actions 16-57

HTTP proxy server

configuring for IPS global correlation 34-23

HTTP Response Code 500 deployment errors 9-14

HTTPS

setting up 2-3

troubleshooting certificate errors 9-4

hub-and-spoke topology

description 23-2

joined hub-and-spoke topology 23-5

tiered hub-and-spoke topologies 23-5

I

ICMP rules

PIX/ASA/FWSM 47-3

add/edit 47-4

ICMP settings

configuring on IOS routers 58-18

icons

Configuration Manager toolbar reference 1-35

event table toolbar reference 65-14

Event Viewer status color code 65-28

map elements 33-13

ICQ class map objects

creating 20-15

match criteria 20-19

identity-aware firewall policies

collecting user statistics 13-25

configuring 13-7

configuring cut-through proxy 13-23

configuring identity options 13-15

configuring rules 13-21

configuring the ASA 13-7

enabling 13-8

filtering VPN traffic 13-26

identifying AD servers and agents 11-25, 13-8

managing 13-1

monitoring 13-27

overview 13-1

requirements 13-3

user identity acquisition 13-2

Identity Configuration wizard

Active Directory Agent Settings 13-13

Active Directory Settings 13-11

Preview 13-15

Identity Settings page 11-25

identity user group objects

creating 13-19

selecting 13-21

user identity acquisition 13-2

idle timeout, Security Manager client 11-6

IDM

device manager 68-11

IDSM

adding when using non-default HTTPS (SSL) port 3-7

Create and Edit IDSM Data Port VLANs dialog boxes 64-49

Create and Edit IDSM EtherChannel VLANs dialog boxes 64-49

credentials 3-16

defining Data Port VLANs 64-46

defining EtherChannel VLANs 64-44

deleting Data Port VLANs 64-47

deleting EtherChannel VLANs 64-45

deployment failures when changing data port VLAN running mode 9-16

IDSM Settings page 64-47

IDSM Slot-Port Selector dialog box 64-50

mode support limitations 64-43

troubleshooting deployment 9-15

understanding settings on Catalyst devices 64-43

IGMP

PIX/ASA/FWSM

Access Group parameters 52-5

Access Group tab 52-5

enable 52-1

Join Group parameters 52-7

Join Group tab 52-7

page 52-2

parameters 52-4

Protocol tab 52-3

Static Group parameters 52-6

Static Group tab 52-6

ignore error message, configure Security Manager to 9-9

IKE (Internet Key Exchange)

comparing version 1 and 2 24-4

configuring IKE and IPsec policies 24-1

configuring IKEv2 authentication 24-58

configuring proposal 24-9

Diffie-Hellman modulus groups 24-7

encryption algorithms 24-6

hash algorithms 24-6

IKEv2 Authentication policy 24-60, 24-62

overview 24-2

selecting the IKE version for devices in site to site VPNs 24-22

understanding 24-5

IKE keepalive

understanding 24-27

IKE proposal objects

v1 properties 24-10

v2 properties 24-13

IKE proposals (policies)

in GET VPNs 27-15

IKEv2 Authentication dialog box 24-62

IKEv2 Authentication page 24-60

IKEv2 settings

configuring 24-30

configuring cookie challenges 24-30

IM (ASA7.2+/PIX7.2+) policy map objects

creating 16-20

properties 16-62

IM (IOS) policy map objects

creating 16-20

properties 16-65

IM (Zone Based IOS) policy map objects

creating 20-15

match conditions and actions 20-33

IM (Zone based IOS) policy map objects

creating 20-15

Image Management 69-1

supported versions 69-2

image management

abort installation job 69-28

Image Manager 69-7, 69-12, 69-25

Getting Started 69-1

settings 11-27

supported image types 69-2

supported platforms 69-2

image manager 69-11

Add Image 69-8

bundle 69-9

bundled images 69-23

compatible images 69-13

configuring install location 69-14

create bundle 69-10

delete bundle 69-12

deleting images from a bundle 69-12

device information 69-12

device memory 69-14

Installation Job Summary 69-26

installation wizard 69-19

installing compatible images on devices 69-24

installing images on selected devices 69-25

job approval workflow 69-29

RAM 69-13

renaming a bundle 69-11

retry on installation failure 69-28

roll back 69-29

update validation 69-17

updating images on devices 69-15

view installation job details 69-27

Image Manager command 1-34

images

view 69-7

image updates 69-15

IMAP

configuring for inspection rules 16-18

IMAP class map objects

creating 20-15

match criteria 20-22

IM applications

match conditions for zone-based firewalls 20-19

protocol information for IM application inspection 20-31

IMAP policy map objects

creating 20-15

match conditions and actions 20-33

IM class map objects

creating 16-20

match criteria 16-63

IM policy map objects

match conditions and actions 16-63

import

device inventory 3-27

device with policies 10-14

policy objects 6-20

Import Background Image dialog box 33-12

Import Rules wizard

Enter Parameters page 15-39

Preview page 15-41

Status page 15-40

inheritance

inheriting rules 5-43

understanding 5-4

understanding signature policies 37-2

versus assignment 5-6

Inherit Rules command 1-29

Inherit Rules dialog box 5-43

Inspect/Application FW Rule wizard

Address and Port page 16-12

Inspected Protocol page 16-15

Match Traffic page 16-10

inspection

global correlation (IPS)

configuring 40-5

inspection map objects

understanding 6-67

inspection rules

ACL naming conventions 12-5

add/edit rule wizard 16-10, 16-12, 16-15

choosing interfaces 16-2

configuring 16-5

configuring custom protocol name 16-19

configuring DNS settings 16-16

configuring ESMTP settings 16-17

configuring fragment inspection 16-18

configuring identity aware 13-21

configuring in Map view 33-22

configuring RPC settings 16-19

configuring settings for IOS devices 16-85

configuring settings in Map view 33-23

configuring SMTP settings 16-17

deep inspection options

IMAP 16-18

POP3 16-18

deleting 12-9

disabling 12-19

editing 12-9

enabling 12-19

Inspection Rules page 16-7

managing 16-1

moving 12-18

preserving ACL names 12-4

preventing DoS attacks on IOS devices 16-4

selecting protocols 16-3, 16-15

understanding 16-1

understanding access rule requirements 16-4

understanding NAT effects 12-3

understanding processing order 12-2

Inspection Rules page 16-7

Inspection settings page 16-85

inspect maps

policy maps

Add Country Network Codes dialog box 16-40

Edit Country Network Codes dialog box 16-40

Inspect parameter map objects

properties 20-29

Inspect Parameters map objects

creating 20-15, 20-34

installing

Security Manager client 1-10

Integrated Local Management Interface (ILMI) 58-49

Interactive Authentication Configuration dialog box 14-20

Interface Name Conflict dialog box 6-66

Interface Properties dialog box 33-18

Interface Role Contents dialog box 12-14

interface role objects

creating 6-63

defining subinterfaces 6-65

distinguishing from interfaces 6-65

handling conflicts between role and interface names 6-66

Interface Role dialog box 6-64

specifying during policy definition 6-65

understanding 6-62

use when a single interface name is allowed 6-66

interfaces

adding or changing modules 3-37

ASA

edit EtherChannel-assigned interface 44-11

EtherChannels 44-8, 44-12

LACP 44-11

ASA/FWSM

IPv6 44-29

IPv6, add/edit 44-33

IPv6, add/edit prefixes 44-34

ASA 5505 44-6

ASA devices

Advanced tab 44-27

IP Type 44-36

Catalyst switches and 7600 Series routers

Access Port Selector dialog box 64-30

Create and Edit Interface dialog boxes-Access Port mode 64-9

Create and Edit Interface dialog boxes-Dynamic Port mode 64-18

Create and Edit Interface dialog boxes-Other mode 64-24

Create and Edit Interface dialog boxes-Routed Port mode 64-12

Create and Edit Interface dialog boxes-subinterfaces 64-22

Create and Edit Interface dialog boxes-Trunk Port mode 64-14

Create and Edit VLAN dialog boxes 64-28

Create and Edit VLAN Group dialog boxes 64-34

defining ports 64-5

deleting ports 64-7

generating names 64-6

Interfaces/VLANs page-Interfaces tab 64-7

Interfaces/VLANs page-Summary tab 64-3

Interfaces/VLANs page-VLAN Groups tab 64-33

Interfaces/VLANs page-VLANs tab 64-27

Service Module Slot Selector dialog box 64-35

Trunk Port Selector dialog box 64-31

understanding 64-5

VLAN Selector dialog box 64-35

Cisco IOS routers

Advanced Interface Settings dialog box 58-16

Advanced Interface Settings page 58-15

available types 58-2

Create Router Interface dialog box 58-8

defining advanced settings 58-13

defining basic settings 58-3

defining CEF interface settings 58-24

defining IPS module settings 58-22

deleting from 58-6

generating names 58-4

Interface Auto Name Generator dialog box 58-12

overview 58-1

Router Interfaces page 58-7

understanding helper addresses 58-14

configuring IOS IPS rules 43-8

configuring multiple contexts 56-2

distinguishing from interface roles 6-65

failover

MAC address 48-21

PIX/ASA/FWSM 48-22

PIX 6.3 48-10

IPS

configuring 35-6

configuring bypass mode 35-12

configuring CDP mode 35-13

configuring inline interface pairs 35-13

configuring inline VLAN pairs 35-14

configuring physical 35-10

configuring VLAN groups 35-15

deploying VLAN groups 35-5

inline interface mode 35-3

inline VLAN pair mode 35-3

interfaces policy 35-6

managing interface configurations 35-1

physical interface properties 35-11

promiscuous mode 35-2

roles 35-1

sensing modes overview 35-2

understanding 35-1

viewing summary 35-8

VLAN group mode 35-4

IP Type

PIX 6.3 44-18

PIX/ASA

allocation in security contexts 56-11

IP Type 44-36

PPPoE Users 44-44

redundant 44-7

subinterfaces 44-7

VPDN groups 44-45

PIX/ASA/FWSM

add/edit 44-19

Advanced settings 44-42

configuring