Index
Numerics
12.1 and 12.2
managing routers 58-2
3DES encryption algorithm
in IKE proposals 25-6
802.1x
802.1x Policy page 61-5
defining policies 61-4
interface authorization states 61-2
on Cisco IOS routers 61-1
supported topologies 61-3
understanding device roles 61-2
A
AAA
about 47-1
Cisco IOS routers
AAA Policy page 60-6
Accounting tab 60-10
Authentication tab 60-6
Authorization tab 60-7
Command Accounting dialog box 60-12
Command Authorization dialog box 60-9
defining services 60-4
overview 60-2
supported accounting types 60-3
supported authorization types 60-2
understanding method lists 60-3
configuring access control for IPS 35-19
configuring on firewall devices 47-1
credentials for device access 3-4
device administration 47-4
local fallback 47-3
network access 47-4
PIX/ASA/FWSM 47-5
Accounting tab 47-7
Authentication tab 47-5
Authorization tab 47-6
support 47-2
VPN access 47-4
AAA authentication groups
predefined 6-28
AAA firewall
MAC exempt lists 15-23
AAA Firewall page
Advanced Setting tab 15-19
AAA firewall policy
advanced settings 15-19
configuring 15-6
AAA page 15-25
AAA rules
ACL naming conventions 12-5
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring AAA firewall settings (PIX/ASA/FWSM) 15-6
configuring AuthProxy settings (IOS) 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring in Map view 34-23
configuring security group aware 14-13
configuring settings
for IOS devices in Map view 34-24
for PIX/ASA/FWSM in Map view 34-24
converting IPv4 12-28
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
managing 15-1
moving 12-19
preserving ACL names 12-4
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
understanding NAT effects 12-3
understanding processing order 12-2
AAA Rules page 15-10
AAA server group objects
attributes 6-46
creating 6-45
default server groups on IOS devices 6-28
predefined authentication groups 6-28
understanding 6-24
AAA server objects
creating 6-29
HTTP-FORM settings 6-41
Kerberos settings 6-36
LDAP settings 6-37
NT settings 6-40
RADIUS settings 6-32
SDI settings 6-40
supported additional types for ASA/PIX/FWSM 6-26
supported types 6-25
TACACS+ settings 6-35
understanding 6-24
AAA servers
supported types on ASA, PIX, FWSM devices 6-26
Abort the Job dialog box 8-51
About Configuration Manager command 1-36
ABR
definition 54-2
access control list objects
creating 6-49
extended objects 6-50
standard objects 6-51
unified objects 6-54
web objects 6-52
access control lists
GET VPN security policies 28-10
policy discovery 5-14
access control lists (ACLs)
names preserved during discovery 12-4
naming conventions 12-5
resolving naming conflicts 12-6
access controls
configuring ACL names 16-20
configuring settings 16-20
configuring settings in Map view 34-24
Access Control Settings page 16-21
Access Group tab (IGMP) 53-5
Access Interface Configuration dialog box (ASA) 30-40
access permissions
Event Viewer 66-3
Health and Performance Monitor 68-3
maps 34-8
Report Manager 67-5
access policies
configuring 30-40
reference 30-37
understanding 30-36
access ports
Create and Edit Interface dialog boxes-Access Port mode 65-9
understanding 65-5
access rule
look up
from device managers 69-6
access rules
access control settings 16-21, 16-23
Access Rules page 16-9
ACL naming conventions 12-5
address requirements 16-5
Advanced dialog box 16-15
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring 16-7
configuring access control settings 16-20
configuring identity aware 13-21
configuring in Map view 34-23
configuring security group aware 14-13
controlling non-IP layer-2 traffic 22-1
deleting 12-9
detecting conflicts 16-25
disabling 12-20
editing 12-9
enabling 12-20
examples of event analysis
user access to server blocked 66-50
expiration dates 16-19
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
generating analysis reports 16-31
hit counts
details 16-33
how deployed 16-5
identity-aware rules
requirements 13-3
import examples 16-41
importing 16-37
IPS blocking, effect of 42-4
managing 16-1
moving 12-19
optimizing during deployment 16-43
packet tracer, analyzing with 69-12
preserving ACL names 12-4
Report Manager reports
firewall traffic reports 67-13
resolving conflicts 16-31
rule attributes 16-13
sharing ACLs among interfaces 11-14
syslog messages supported for look-up 69-32
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding NAT effects 12-3
understanding processing order 12-2
understanding requirements when using inspection 17-4
understanding the automatic conflict detection user interface 16-27
viewing related CS-MARS events 69-28
Accounting
Cisco IOS routers
settings 60-10
accounts and credentials
Cisco IOS routers
overview 60-13
PIX/ASA/FWSM
user accounts 50-6
user accounts, add/edit 50-7
accounts and credentials policies
Accounts and Credentials Policy page 60-15
User Accounts dialog box 60-17
ACLs
configuring names 16-20
ACS user authorization
configuring notifications when unavailable 1-25
Event Viewer 66-3
Health and Performance Monitor 68-3
how permissions affect what you can do 1-10
Report Manager 67-5
Active/Active failover
about 49-2
command replication 49-4
configuration synchronization 49-3
Active/Standby failover 49-2
Active Directory (AD)
collecting user statistics 13-25
configuring agent communication options 13-15, 14-8, 14-10
enabling for identity-aware firewall 13-8
identifying AD servers and agents 11-27, 13-8
requirements for identity-aware firewall 13-3
activities
accessing functions 4-8, 4-9
Activity Manager window 4-10
Approved state 4-5
approving 4-3, 4-21
benefits of 4-2
closing 4-16
creating 4-14
discarding 4-22
Edit state 4-4
locking 4-3
managing 4-1
multiple users 4-4
opening 4-15
overview 1-18
rejecting 4-21
responding to the Activity Required dialog box 4-14
states 4-4
Submitted state 4-5
submitting for approval 4-20
understanding 4-1
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Activities command 1-32
Activities menu 1-34
Activity Manager window 4-10
Activity Required dialog box 4-14
Add/Edit AnyConnect Client Image dialog box (ASA) 30-55
Add/Edit AnyConnect Custom Attributes dialog box (ASA) 30-59, 30-60
Add/Edit Collector dialog box 52-2
Add/Edit Content Rewrite dialog box (ASA) 30-44
Add/Edit DAP Entry dialog box > Device 31-28
Add/Edit File Encoding dialog box 30-45
Add/Edit Multicast Route dialog box 53-8, 53-10
description 53-9
Add/Edit PIM Neighbor Filter dialog box 53-13
Add/Edit Proxy Bypass dialog box 30-49
Add AAA Rule dialog box 15-13
Add AAA Server dialog box 6-30
Add AAA Server Group dialog box 6-46
Add Access List dialog box (Allowed Hosts policy) 35-7
Add Access Rule dialog box 16-13
Add an Entry dialog box 38-26
Add AOL Class Map dialog box 17-26, 21-17
Add A Port Forwarding Entry dialog box 33-30
Add ASA Group Policies dialog box
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
overview 33-1
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
Technology settings 33-1
Add A Smart Tunnel Entry dialog box 33-53
Add Auto Signon Rules dialog box 33-19
Add Cat6k Block Vlan dialog box 42-16
Add Certificate dialog box 11-20
Add Certificate Filter dialog box 24-53
Add Cisco Secure Desktop Configuration dialog box 33-23
Add Client Access Rules dialog box 33-10
Add Client Update dialog box 33-65
Add Column dialog box 33-47
Add Custom Pane dialog box 33-47
Add Custom Signature dialog box 38-12
Add DCE/RPC Map dialog box 17-27
Add Destinations dialog box 12-11
Add Device from Network wizard
Device Credentials page 3-44
Add Devices to Group command 1-29
Add Devices to Group dialog box 3-60
Add DNS Class Map dialog box 17-26
Add DNS Map dialog box
Filtering tab 17-30
overview 17-28
Protocol Conformance tab 17-30
Add eDonkey Class Map dialog box 17-26, 21-17
Add ESMTP Map dialog box 17-34
Add Extended Access Control Entry dialog box 6-56
Add Extended Access List dialog box 6-55
Add External Filter dialog box 21-40
Add FastTrack Class Map dialog box 17-26, 21-17
Add File Object dialog box 33-25
Add FlexConfig dialog box 7-29
Add FTP Class Map dialog box 17-26
Add FTP Map dialog box 17-37
Add Gnutella Class Map dialog box 17-26, 21-17
Add Group dialog box 3-60
Add Group Member dialog box 28-19
Add GTP Map dialog box 17-40
Add H.323 Class Map dialog box 17-26, 21-17
Add H.323 Map dialog box 17-45, 21-33
Add HSI Endpoint IP Address dialog box 17-48
Add HSI Group dialog box 17-47
Add HTTP Class Map dialog box 17-26, 21-17
Add HTTP Map dialog box 21-33
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-52
Extension Request Method tab 17-55
General tab 17-51
overview 17-50
Port Misuse tab 17-56
RFC Request Method tab 17-54
Transfer Encoding tab 17-57
ASA 7.2+ and PIX 7.2+ devices 17-58
Add ICQ Class Map dialog box 17-26, 21-17
Add IKEv1 Proposal dialog box 25-10
Add IKEv2 Proposal dialog box 25-13
Add IMAP Class Map dialog box 17-26, 21-17
Add IMAP Map dialog box 21-33
Add IM Class Map dialog box 17-26
Add IM Map dialog box 21-33
ASA and PIX device 17-64
IOS device 17-67
Add Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
Add Inspect Parameter Map dialog box 21-29
Add Interfaces dialog box 12-13
Add IP Options Map dialog box 17-68
Add IPsec Pass Through Map dialog box 17-74
Add IPSec Transform Set dialog box 25-25
Add IPv4 Pool Object dialog box 6-83
Add IPv6 Map dialog box 17-70
Add IPv6 Pool Object dialog box 6-84
Add Kazaa2 Class Map dialog box 17-26, 21-17
Add Key Server dialog box 28-19
Add Language dialog box 33-42
Add LDAP Attribute Map dialog box 6-43
Add LDAP Attribute Map Value dialog box 6-44
Add Link command 1-31
Add Link dialog box 34-20
Add Local Rules command 1-30
Add Local Web Filter Class Map dialog box 17-26, 21-17
Add Local Web Filter Parameter Map dialog box 21-37
Add MAC Address Pool Object dialog box 6-85
Add Map Object command 1-31
Add Map Object dialog box 34-18
Add Map Value dialog box 6-44
Add Match Condition and Action dialog box
DNS policy maps 17-31
ESMTP policy maps 17-35
FTP policy maps 17-38
GTP policy maps 17-43
H.323 (IOS) policy maps 21-34
H.323 policy maps 17-48
HTTP (Zone Based IOS) policy maps 21-34
HTTP policy maps 17-59
IM (Zone Based IOS) policy maps 21-34
IMAP policy maps 21-34
IM policy maps 17-65
IPv6 policy maps 17-71
P2P policy maps 21-34
POP3 policy maps 21-34
SIP (IOS) policy maps 21-34
SIP policy maps 17-79
Skinny policy maps 17-83
SMTP policy maps 21-34
Sun RPC policy maps 21-34
Web Filter policy maps 21-34
Add Match Criterion dialog box
AOL class maps 21-20
DNS class maps 17-31
eDonkey class maps 21-20
FastTrack class maps 21-20
FTP class maps 17-38
Gnutella class maps 21-20
H.323 (IOS) class maps 21-21
H.323 class maps 17-48
HTTP (IOS) class maps 21-21
HTTP class maps 17-59
ICQ class maps 21-20
IMAP class maps 21-23
IM class maps 17-65
Kazaa2 class maps 21-20
Local Web Filter class maps 21-28
MSN Messenger class maps 21-20
N2H2 class maps 21-29
POP3 class maps 21-23
SIP (IOS) class maps 21-24
SIP class maps 17-79
SMTP class maps 21-25
Sun RPC class maps 21-28
Websense class maps 21-29
Windows Messenger class maps 21-20
Yahoo Messenger class maps 21-20
Add MSN Messenger Class Map dialog box 17-26, 21-17
Add N2H2 Parameter Map dialog box 21-38
Add N2H2 Web Filter Class Map dialog box 17-26, 21-17
Add NAT Rule dialog box
ASA 8.3+ 23-35
Add NetBIOS Map dialog box 17-75
Add Network/Host dialog box
General tab 6-77
NAT tab 23-41
Add New Device wizard
Device Credentials page 3-44
Add New Security Association dialog box 24-54
Add or Edit Plug-in Entry dialog box (ASA) 30-50
Add Other Devices dialog box 8-54
Add P2P Map dialog box 21-33
Add Permit Response dialog box 17-42
Add Per-Session NAT Rule dialog box 23-46
Add PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Add PKI Enrollment dialog box
CA Information tab 25-55
Certificate Subject Name tab 25-61
Enrollment Parameters tab 25-59
overview 25-54
Trusted CA Hierarchy tab 25-62
Add POP3 Class Map dialog box 17-26, 21-17
Add Port Forwarding List dialog box 33-28
Add Port List dialog box 6-87
Add Protocol Info Parameter Map dialog box 21-32
Add Regular Expression dialog box 17-86
Add Regular Expression Group dialog box 17-85
Address Pools
PIX/ASA/FWSM 23-17
add/edit 23-17
address pools
overriding in connection profiles 29-8
Add Row command 1-29
Add Rule Section dialog box 12-22
Add Server dialog box
Protocol Info Parameter maps 21-33
Add Service dialog box 6-89
Add Services dialog box 12-12
Add Single Sign On Server dialog boxes 33-30
Add SIP Class Map dialog box 17-26, 21-17
Add SIP Map dialog box 17-77, 21-33
Add Skinny Map dialog box 17-81
Add SLA Monitor dialog box 50-9
Add Smart Tunnel Auto Signon Entry dialog box 33-56
Add Smart Tunnel Auto Signon Lists dialog box 33-55
Add Smart Tunnel Lists dialog box 33-52
Add SMTP Class Map dialog box 17-26, 21-17
Add SMTP Map dialog box 21-33
Add SNMP Map dialog box 17-84
Add Sources dialog box 12-11
Add SSL VPN Customization dialog box 33-36
Applications 33-46
Copyright Panel 33-44
Custom Panes 33-46
Full Customization 33-45
Home Page 33-48
Informational Panel 33-43
Language 33-40
Logon Form 33-42
Logout Page 33-49
Title Panel 33-39
Toolbar 33-45
Add SSL VPN Gateway dialog box 33-50
Add Standard Access Control Entry dialog box 6-59
Add Standard Access List dialog box 6-55
Add Sun RPC Class Map dialog box 17-26, 21-17
Add Sun RPC Map dialog box 21-33
Add TCP Map dialog box 56-20
Add TCP Option Range dialog box 56-22
Add Text Object dialog box 7-31
Add Time Range dialog box 6-66
Add Traffic Flow dialog box 56-16
Add Transparent Firewall Rule dialog box 22-5
Add Trend Content Filter Class Map dialog box 17-26, 21-17
Add Trend Parameter Map dialog box 21-41
Add Unified Access Control Entry dialog box 6-62
Add URL Domain Name dialog box 21-44
Add URLF Glob Parameter Map dialog box 21-44
Add URL Filter Parameter Map dialog box 21-42
Add User dialog box 12-12, 35-17
Add User Group dialog box
Advanced PIX 6.3 settings 33-66
Browser Proxy settings 33-72
Client (IOS) settings 33-63
Clientless settings 33-67
Client VPN Software Update (IOS) settings 33-65
DNS/WINS settings 33-61
General settings 33-60
IOS Xauth Options settings 33-64
overview 33-58
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN Connection settings 33-73
SSL VPN Full Tunnel settings 33-69
SSL VPN Split Tunneling settings 33-70
Technology settings 33-58
Thin Client settings 33-68
Add User Profile dialog box 42-12
Add VDI Server dialog box 33-12
Add Virtual Sensor dialog box 37-7, 37-8
Add Web Access Control Entry dialog box 6-60
Add Web Filter Map dialog box 21-46
Add WebSense Parameter Map dialog box 21-38
Add Websense Web Filter Class Map dialog box 17-26, 21-17
Add Web Type Access List dialog box 6-55
Add Windows Messenger Class Map dialog box 17-26, 21-17
Add WINS Server dialog box 33-74
Add WINS Server List dialog box 33-74
Add Yahoo Messenger Class Map dialog box 17-26, 21-17
Add Zones dialog box 12-13
admin context 57-1
administration
selecting policies to manage 5-10
administrative settings, configuring 11-1
admin password, changing 10-23
ADSL
ADSL Policy page 59-36
ADSL Settings dialog box 59-37
defining settings 59-35
supported operating modes 59-34
ADSL policies
unable to deploy 9-15
Advanced dialog box
access rules 16-15
Advanced NAT Options
PIX/ASA/FWSM
add/edit 23-28
Advanced settings
interface configuration
PIX/ASA/FWSM 45-42
AES encryption algorithm
in IKE proposals 25-6
AIM-IPS interfaces
IPS Module Interface Settings page 59-22
AIP-SSM/SSC
ASA 56-14
Alarm Indication Signal (AIS) cells 59-50
allowed hosts, configuring for IPS 35-7
Allowed Hosts policy 35-7
Analysis Engine global variables
configuring 35-26
analysis reports
generating 16-31
anomaly detection
configuring 40-6
configuring histograms 40-11
configuring learning accept mode 40-8
configuring signatures 40-4
configuring thresholds 40-11
managing 40-1
modes 40-2
understanding 40-1
understanding histograms 40-9
understanding thresholds 40-9
understanding worms 40-2
when to turn off 40-4
zones
overview 40-3
anti-spoofing 55-2
AnyConnect
client images 30-52, 30-53
profiles 30-52, 30-53
editing 30-53
AnyConnect Client Image dialog box (ASA) 30-53
AnyConnect custom attributes 30-59, 30-60
AnyConnect Profile Editor 30-53
AOL class map objects
creating 21-15
match criteria 21-20
Apply IPS Update command 1-33
Apply IPS Update wizard 43-7
Approve Activity command 1-34
Approve Activity dialog box 4-21
Approved activity state 4-5
Approve Deployment Job dialog box 8-21, 8-39
Area Border Router
See ABR 54-2
ARP
PIX/ASA/FWSM
configuration 46-4
inspection 46-5
inspection, enable/disable 46-6
table 46-3
ARP table
static entry 46-3, 46-4
ASA
ASDM 69-5
CX 56-15
Auth Proxy Configuration 56-16
CX module
detecting 69-10
Failover
Add Failover Group 49-24
edit bridge group 49-16
IPS, QoS, and Connection Rules
ASA CX Auth Proxy Configuration 56-16
IPS modules 56-14
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
security contexts
allocate interfaces 57-8
configuration 57-7
viewing allocated interfaces 57-9
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
TCP State Bypass 56-3
ASA 5505
Management IPv6 46-10
ports and interfaces 45-6
ASA 8.3+
NAT policies
Add/Edit NAT rules dialog boxes 23-35
Translation Rules page 23-32
ASA Cluster Load Balance page 30-5
ASA CX
CX
about 56-15
ASA devices
5505
hardware port configuration 45-39
AAA support 6-26
about 45-1
adding or changing modules 3-39
adding SSL thumbprints manually 9-4
Bridge Groups
add/edit 45-41
Catalyst Service Module 45-1
changing those selected for reports 67-21
configuring for event management 66-25
configuring for report management 67-3
configuring IKE and IPsec policies 25-1
configuring IKEv2 authentication 25-62
configuring transparent firewall rules 22-1
Easy VPNs
connection profiles 27-13
Event Viewer support 66-4
FlexConfig object samples 7-19
global access rules 16-3
identity-aware services
configuring to provide 13-7, 14-8
interfaces 45-14
add/edit 45-19
Advanced tab 45-27
configuring 45-2
edit EtherChannel-assigned interface 45-11
EtherChannels 45-8, 45-12
General tab 45-20
IP Type 45-36
IPv6 45-29
IPv6, add/edit 45-33
IPv6, add/edit prefixes 45-34
LACP 45-11
MAC address 45-38
PPPoE Users 45-44
VPDN groups 45-45
licenses 2-11
monitoring service level agreements 50-7
object group search 16-22
packet capture, using 69-18
packet tracer, using 69-12
remote access SSL VPNs
advanced settings 30-61
AnyConnect client settings 30-52, 30-53
browser plug-ins 30-50
configuring HTTP/HTTPS proxies and proxy bypass 30-47
content rewrite rules 30-43
encoding rules 30-45
Kerberos Constrained Delegation (KCD) 30-56, 30-58
other settings 30-41
performance settings 30-42
server certificate verification settings 30-25, 30-26, 30-27, 30-61
shared license 30-62
shared license clients (ASA) 30-64
shared license servers (ASA) 30-65
remote access VPNs
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
AnyConnect client image settings (ASA) 30-55
AnyConnect custom attributes (ASA) 30-59, 30-60
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1 IPSec) 30-29
cluster load balancing 30-4, 30-5
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
connection profiles 30-6, 30-8
creating IPSec 29-24
creating SSL 29-14
customizing 30-65
device support 29-8
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
fragmentation settings 25-40
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKE proposals 25-9
IKEv2 settings 25-34
IPsec proposals 30-33
ISAKMP/IPsec settings 25-30
managing 30-1
NAT settings 25-38
policy overview 30-2
post URL method and macro substitutions in bookmarks 30-72
proxy bypass rules (ASA) 30-49
Public Key Infrastructure (PKI) 25-52
secure desktop manager policies 31-8
smart tunnels 30-73
understanding IKE 25-5
understanding NAT settings 25-37
wizard 29-13
Report Manager reports
firewall summary botnet reports 67-14
firewall traffic reports 67-13
general VPN reports 67-16
VPN top reports 67-15
selecting for Event Viewer 66-31
selecting policy types to manage 5-10
SSL certificate configuration 11-18
ASA group policies objects
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
ASA Image Management 70-14, 70-30
ASBR
definition 54-2
ASCII limitations for text 1-46
ASDM
access rule look-up 69-7
device manager 69-5
ASR
zone-based firewall
global parameters 21-49
restrictions 21-3
assignment overview 1-18
Assignments tab, Policy view 5-51
Assign Shared Policy command 1-30
Assign Shared Policy dialog box 5-41
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 59-33
Asymmetric Routing Groups 45-5
Asynchronous Transfer Mode (ATM) 59-46
ATM 59-46
virtual channel connections (VCCs) 59-46
virtual channel identifier (VCI) 59-46
virtual path connections (VPCs) 59-46
virtual path identifier (VPI) 59-46
Attack Response Controller 42-1
attacks
broadcast 17-4
Denial of Service (DoS) 17-4
spoofing 17-4
SYN flooding 17-4
audit logs
configuring default settings 11-45
purging entries 10-22
understanding 10-19
working with 10-19
Audit Message Detail dialog box 10-20
Audit Report command 1-32
audit reports
generating and viewing 10-20
understanding 10-19
working with 10-19
Audit Report window 10-20
AUS
deploying configurations 8-42
deployment method 8-10
setting up 2-7
setting up on PIX Firewall and ASA devices 2-8
Authentication
Cisco IOS routers
settings 60-6
authentication
routing protocols 54-2
Authentication-Authorization-Accounting
see AAA 47-1
Authentication Header (AH) encryption algorithm 25-29
authentication methods
certificates (RSA signatures) 25-8
in IKE proposals 25-8
preshared keys 25-8
authentication testing
SSH 2-5
Authorization
Cisco IOS routers
settings 60-7
authorization proxy (AuthProxy)
configuring AAA rules 15-7
AuthProxy
configuring settings in Map view 34-24
Auth Proxy Configuration
ASA CX 56-16
AuthProxy dialog box 15-18
AuthProxy settings policy
configuring 15-9
autolink
omitting reserved networks from maps 11-2
automatic conflict detection
resolving conflicts 16-31
understanding 16-25
understanding the user interface 16-27
using 16-25
auto signon rules
ASA group policy objects 33-19
Auto Update Server (AUS)
adding 3-35
licensing 10-17
PIX/ASA/FWSM 51-1
add/edit server 51-3
troubleshooting deployment 9-18
Auto Update Server Properties dialog box 3-36
Available Bit Rate (ABR) 59-47
Available Servers dialog box 3-38
B
background image, map
deleting 34-13
importing 34-13
scale and position 34-13
setting 34-13
backup
event data store 66-32
backup.pl command 10-24
Backup command 1-33
backups, Security Manager database 10-24
bandwidth
VPN user reports 67-15, 67-16
banners
configuring on firewall devices 47-8
benefits of product 1-2
BGP routing
BGP Routing Policy page 64-4
defining routes 64-2
Neighbors dialog box 64-6
on Cisco IOS routers 64-1
redistributing routes 64-3
Redistribution Mapping dialog box 64-7
Redistribution tab 64-6
Setup tab 64-4
Bidirectional Neighbor Filter 53-14
Bidirectional Neighbor Filter tab
PIM 53-13
blocking, IPS
configuring 42-7
configuring ARC 42-1
configuring blocking devices 42-14
configuring master blocking sensors 42-13
configuring never block hosts and networks 42-17
configuring router blocking interfaces 42-15
configuring user profiles 42-12
configuring VLAN blocking interfaces 42-16
general options 42-10
master blocking sensor 42-6
policy 42-8
rate limiting 42-4
router and switch blocking devices 42-4
strategies 42-3
understanding 42-1
Blocking page 42-8
Boot image/configuration
PIX/ASA 47-9
add/edit 47-10
bootstrap configuration
Failover 49-26
Botnet Traffic Filter Drop Rules Editor 19-13
botnet traffic filter rules
adding static entries 19-5
blocking blacklisted traffic 19-6
configuring DNS snooping 17-18
configuring in Map view 34-23
configuring the dynamic database 19-4
configuring with IPS global correlation 41-1
databases 19-1
Device Blacklist dialog box 19-15
Device Whitelist dialog box 19-15
Drop Rules Editor 19-13
Dynamic Blacklist Configuration tab 19-10
enabling DNS snooping 19-6
field definitions 19-9
illustrations 19-1
mitigating botnet activity 66-56
monitoring
activity using ASDM 66-56
activity using Event Viewer 66-53, 66-55
overview 66-52
understanding botnet syslog events 66-53
overview 19-1
preserving ACL names 12-4
Report Manager reports
firewall summary botnet reports 67-14
task flow 19-2
traffic classification 19-6
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
understanding 19-1
understanding NAT effects 12-3
understanding processing order 12-2
Whitelist/Blacklist tab 19-14
bridge group
failover
editing 49-16
Bridge Groups
ASA/FWSM
add/edit 45-41
bridge groups
defining 60-19
FWSM 3.1 46-3
Bridging
ASA 5505
Management IPv6 46-10
PIX/ASA/FWSM
ARP configuration 46-4
ARP Inspection 46-5
ARP Inspection, enable/disable 46-6
ARP Table 46-3
MAC Address, add/edit 46-8
MAC Address Table 46-7
MAC Learning 46-8
MAC Learning, enable/disable 46-9
Management IP address 46-10
bridging
Cisco IOS routers
Bridge Group dialog box 60-21
Bridging Policy page 60-20
BVI interfaces 60-18
overview 60-18
configuring transparent firewall rules 22-1
PIX/ASA/FWSM
about 46-1
configuring on 46-1
broadcast attacks, preventing 17-4
broadcasts
enabling directed on routers 59-20
browser plug-ins
configuring 30-50
Bundles 70-11
bypass mode
configuring for IPS 36-12
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 25-47
Cat6k Device dialog box 42-14
Catalyst 6500/7600 devices
configuring FWSM in site-to-site VPNs 24-44
configuring SSH 2-6
default transport protocol 11-18
deployment 8-29
FlexConfig object samples 7-21
IPS blocking devices 42-4
policy discovery for FWSM 5-13
rollback restrictions 8-61
Service Modules 45-1
Catalyst 6500/7600 switches
including in deployment jobs 8-28
Catalyst devices
policy discovery 5-13
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings 32-7
high availability 32-11
IPsec proposals 32-4
user group policies 32-13
VPNSM/VPN SPA/VSPA settings 32-6
Catalyst platform policies
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes 65-50
Create and Edit IDSM EtherChannel VLANs dialog boxes 65-49
IDSM Settings page 65-48
IDSM Slot-Port Selector dialog box 65-51
interfaces/VLANs policy
Access Port Selector dialog box 65-30
Create and Edit Interface dialog boxes-Access Port mode 65-9
Create and Edit Interface dialog boxes-Dynamic Port mode 65-18
Create and Edit Interface dialog boxes-Other mode 65-24
Create and Edit Interface dialog boxes-Routed Port mode 65-12
Create and Edit Interface dialog boxes-subinterfaces 65-22
Create and Edit Interface dialog boxes-Trunk Port mode 65-14
Create and Edit VLAN dialog boxes 65-28
Create and Edit VLAN Group dialog boxes 65-34
Interfaces tab 65-7
Service Module Slot Selector dialog box 65-35
Summary tab 65-3
Trunk Port Selector dialog box 65-31
VLAN Groups tab 65-33
VLAN Selector dialog box 65-36
VLANs tab 65-27
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes 65-42
Create and Edit VLAN ACL dialog boxes 65-41
VLAN Access Lists page 65-39
Catalyst Summary Info command 1-33
Catalyst switches
configuring SSH 2-6
default transport protocol 11-18
showing modules, security contexts, and virtual sensors 3-53
Catalyst switches/7600 routers
troubleshooting deployment 9-15
Catalyst switches and 7600 devices
IDSM mode support 65-44
interface deployment failure 9-16
internal VLAN deployment failure 9-16
supported VTP modes 65-1
Catalyst switches and 7600 Series routers
access ports 65-5
Catalyst Summary Info page 65-2
defining IDSM Data Port VLANs 65-46
defining IDSM EtherChannel VLANs 65-45
defining ports 65-5
defining VACLs 65-37
defining VLAN groups 65-32
defining VLANs 65-26
deleting IDSM Data Port VLANs 65-48
deleting IDSM EtherChannel VLANs 65-46
deleting ports 65-7
deleting VACLs 65-39
deleting VLAN groups 65-33
deleting VLANs 65-27
discovering policies 65-1
generating interface names 65-6
IDSM settings 65-44
IDSM Settings page 65-48
interfaces 65-5
managing 65-1
routed ports 65-5
trunk ports 65-5
viewing interface and VLAN summary 65-3
VLAN Access Lists page 65-39
VLAN ACLs (VACLs) 65-36
VLAN groups 65-31
VLANs 65-25
Catalyst VPN Service Port Adapters (VSPAs)
configuring 24-40
Catalyst VPN Services Module (VPNSM)
configuring 24-40
configuring in remote access VPNs 32-6
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring 24-40
configuring in remote access VPNs 32-6
categories
using 6-12
cautions
significance of 1-1
CDP
configuring mode for IPS 36-12
CEF Interface Settings dialog box 59-26
CEF interface settings policies 59-24
certificates
accepting 11-29, 11-36
retrieving 11-29, 11-36
viewing 11-29, 11-36
certificates, SSL
adding thumbprints manually 9-4
configuring default settings for how handled 11-18
managing IPS 43-10
certificates for ASA image downloads 11-29
certificates for IPS package downloads 11-36
certificate to connection profile map policies
configuring policy 30-29
configuring rules 30-29
certificate trust management 11-29, 11-36
Change Report dialog box 4-18
change reports
selecting session in non-Workflow mode 4-18
viewing 4-16
Change Reports command 1-32
Checkpoint migration
configuring object group search on ASA 8.3+ devices 16-22
Choose a file dialog box 33-27
Cisco 7600 Series routers
managing 65-1
Cisco AnyConnect Profile Editor 30-53
Cisco Configuration Engine
troubleshooting device setup and deployment 9-18
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces 59-18
Cisco Express Forwarding (CEF)
CEF Interface Settings policy 59-25
CEF router interface settings policies 59-24
importance for QoS 63-2
Cisco IOS IPS
effect of load balancing 44-7
configuration files 44-3
configuration overview 44-3
configuring 44-1
configuring general settings 44-7
configuring interface rules 44-8
getting started 35-1
initial preparation of router 44-5
lightweight signature engines 44-2
limitations and restrictions 44-3
selecting signature category 44-6
understanding 44-1
understanding subsystems and revisions 44-2
Cisco IOS Routers
configuring IOS IPS 44-1
IPS blocking devices 42-4
Cisco IOS routers
802.1x 61-1
AAA 60-2
accounts and credentials 60-13
ADSL 59-33
advanced interface settings 59-13
available interface types 59-2
basic interface settings 59-1
BGP routing 64-1
CNS call-home mode 2-9
CNS event-bus mode 2-8
configuring SSH 2-6
CPU settings 60-25
default AAA server groups 6-28
deploying configurations using TMS 8-43
dialer interfaces 59-27
discovering policies 58-3
Domain Name System (DNS) 60-74
Dynamic Host Configuration Protocol (DHCP) 60-87
EIGRP routing 64-8
host and domain names 60-77
HTTP 60-28
interface deployment failure 9-14
IOS 12.1 and 12.2 58-2
licenses 2-12
line access 60-35
managing 58-1
memory settings 60-78
NAT 23-5
designating interfaces 23-6
dynamic rules 23-10
static rules 23-6
timeouts 23-13
NetFlow 62-1, 62-5, 62-12
Network Admission Control (NAC) 61-8
Network Time Protocol (NTP) 60-96
optional SSH settings 60-63
OSPF routing 64-19
permanent virtual connections (PVCs) 59-46
platform policies 58-1
Point-to-Point Protocol (PPP) 59-70
policy discovery 5-13
quality of service (QoS) 63-1
RIP routing 64-42
Secure Device Provisioning (SDP) 60-81
setting up SSL (HTTPS) 2-4
SHDSL 59-40
SNMP 60-66
static routing 64-50
syslog logging 62-1
time zone settings 60-22
transparent bridging 60-18
Cisco IOS Software
FlexConfig object samples 7-21
selecting policy types to manage 5-10
Cisco Prime Security Manager
see PRSM 69-9, 69-10
Cisco Secure Desktop configuration objects
creating 32-18
Cisco Security Management Suite server
logging into or exiting 1-10
Cisco Technical Assistance Center
creating diagnostic file 10-27
generating data 10-27
generating deployment or discovery status reports 10-28
generating partial database backup 10-29
Cisco Trust Agent (CTA) 61-9
CiscoWorks Common Services
backing up and restoring Security Manager 10-24
logging into or exiting 1-10
CiscoWorks user authorization, effect on what you can do 1-10
Class-Based Policing 63-6
class maps
understanding 6-72
Clear Connection Configuration dialog box 15-22
CLI commands
FlexConfig objects 7-2
client connection characteristics
configuration modes 27-3
configuring policies for Easy VPN 27-7
extended authentication (xauth) 27-4
clientless access mode 29-4
client settings
configuring AnyConnect 30-53
understanding AnyConnect 30-52
client-side file browsing 1-47
enabling or disabling 11-6
Clock
PIX/ASA/FWSM 47-11
clock
Cisco IOS routers
overview 60-22
clock settings
Cisco IOS routers
Clock Policy page 60-23
Clone Device command 1-28
Clone Policy Bundle dialog box 5-55
Clone Policy command 1-30
Clone Policy dialog box 5-44
Close Activity command 1-34
Close All Reports command (Report Manager) 67-8
Close Report command (Report Manager) 67-8
Close Ticket command 1-34
cluster, server
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
Cluster Information page, device properties 3-48
clustering 3-9
cluster load balancing
configuring 30-5
understanding 30-4
understanding FQDN redirection 30-5
CNS
call-home mode 2-9
deploying configurations 8-42
deployment method 8-10
event-bus mode 2-8
setting up on PIX Firewall and ASA devices 2-8
color rules, configuring in Event Viewer 66-36
Combine Rules Selection Summary dialog box 12-24
commands
Activities menu 1-34
Edit menu (Configuration Manager) 1-29
Event Viewer File menu 66-8
Event Viewer View menu 66-9
File menu (Configuration Manager) 1-28
Help menu (Configuration Manager) 1-36
Launch menu 1-35
Manage menu 1-32
Map menu 1-31
Policy menu (Configuration Manager) 1-30
Report Manager menus 67-8
Tickets menu 1-34
Tools menu (Configuration Manager) 1-33
View menu (Configuration Manager) 1-30
Common Services
licensing 10-17
communication, device
troubleshooting 9-7
configuration
initial Security Manager 1-23
understanding rollback 8-59
Configuration Archive
adding configurations from devices 8-55
overview 8-16
rolling back to archived configuration files 8-66
rolling back when deploying to file 8-67
settings 11-3
version viewer 8-56
viewing and comparing configuration versions 8-56
viewing transcripts 8-58
window 8-24
Configuration Archive command 1-32
Configuration Archive page 11-3
Configuration Engine
adding 3-35
CNS call-home mode 2-9
CNS event-bus mode 2-8
setting up 2-7
Configuration Engine Properties dialog box 3-36
configuration files
deploying in non-Workflow mode 8-29
deploying in Workflow mode 8-35, 8-40
deploying to 8-11
deploying to an AUS or CNS 8-42
deploying to a TMS 8-43
deployment process overview 8-1
factory-default configurations 45-2
previewing 8-45
redeploying to devices 8-49
rolling back after deploying to file 8-67
rolling back to archived configurations 8-66
rolling back to devices 8-65
selecting 1-47
web VPN policy discovery restrictions 3-8
configuration location, configuring for IOS IPS 44-7
Configuration Manager
overview 1-12
using 1-12
configurations
adding to the Configuration Archive 8-55
avoiding out-of-band changes 8-47
detecting out-of-band changes 8-46
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rolling back 8-59
rolling back Catalyst 6500/7600 8-61
rolling back failover devices 8-61
rolling back IPS and IOS IPS 8-62
rolling back multiple context mode 8-61
understanding out-of-band changes 8-12
viewing and comparing 8-56
configuration session
selecting session for change reports 4-18
viewing change reports 4-16
configuration sessions
discarding 4-22
configuration views 1-12
Configure dialog box 17-20
Configure DNS dialog box 17-18
Configure ESMTP dialog box 17-18
Configure Fragments dialog box 17-19
Configure Hardware Ports
ASA 5505 45-39
Configure IMAP dialog box 17-19
Configure POP3 dialog box 17-19
Configure RPC dialog box 17-20
Configure SMTP dialog box 17-18
Config Version Viewer (Preview Configuration) dialog box 8-45
conflict analysis reports
generating 16-31
conflict detection
resolving conflicts 16-31
understanding 16-25
understanding the user interface 16-27
using 16-25
connection
PIX/ASA/FWSM
identity-aware rules 13-21
rules 56-5
Connection Alias dialog box 30-20
Connection Profile dialog box
AAA tab 30-11
General tab 30-9
IPSec tab 30-16
Secondary AAA tab 30-14
SSL tab 30-18
connection profiles
configuring 30-6
configuring for Easy VPN 27-13
properties
AAA 30-11
general 30-9
IPSec 30-16
policy overview 30-8
secondary AAA 30-14
SSL 30-18
sharing among multiple ASAs 29-8
Connection Profiles page 30-8
Connection Settings
MPC rule wizard
tab 56-8
connection timeout
device communication settings 11-17
Connection URL dialog box 30-21
connectivity, testing device 9-1
console
Cisco IOS routers
AAA tab 60-44
Accounting tab 60-47
Authentication tab 60-44
Authorization tab 60-45
Console Policy page 60-42
Setup tab 60-42
console port
Cisco IOS routers
defining AAA settings 60-37
defining setup parameters 60-35
Console timeout
PIX/ASA/FWSM 48-1
Constant Bit Rate (CBR) 59-47
contained modules
showing 3-53
content rewrite rules
defining for SSL VPN on ASA 30-43
Context-Based Access Control
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3
understanding 17-1
understanding access rule requirements 17-4
Context Editor dialog box (IOS) 32-15
contexts
see “security contexts” 57-1
continuity check (CC) cells 59-50
control plane (CP)
defining QoS on 63-12
policing on 63-9
Control Plane Policing 63-9
conventions 1-1
cookie challenges 25-34
Copy command 1-29, 12-9
Copy Policies Between Devices command 1-30
Copy Policies wizard 5-31
CPU settings
defining utilization settings 60-25
overview 60-25
CPU utilization
CPU Policy page 60-26
Create a Clone of Device dialog box 3-54
Create Activity dialog box 4-14
Create a Policy dialog box 5-51
Create Discovery Task dialog box 5-18
Create Extranet VPN Topology wizard
overview 24-62
Create Filter dialog box 1-43
Create Group Policy wizard
Clientless and Thin Client Access Modes page 29-22
Full Tunnel page 29-20
Group Policy page 29-19
using 29-19
Create Overrides for Device dialog box 6-20
Create Policy Bundle dialog box 5-54
Create Text Object dialog box 7-31
Create Ticket dialog box 4-14
Create VPN Topology wizard
Device Selection page 24-32
Edit Endpoints dialog box 24-33
Endpoints page 24-33
GET VPN Group Encryption page 24-50
GET VPN Peers page 24-56
High Availability page 24-48
Name and Technology page 24-30
overview 24-28
VPN Defaults page 24-57
credential objects
attributes 27-9
credentials
configuring on firewall devices 47-13
device manager validation 69-4
IPS module 3-19
service module 3-18
testing 9-1
understanding device 3-4
Credentials page
HTTPS port number
overriding with HTTP policy 3-46
Credentials page, device properties 3-44
crypto maps
understanding 25-18
CSC
MPC rule wizard
tab 56-8
CSDM Policy Editor dialog box 31-40
CS-MARS
access to Security Manager 69-23
configuring servers 11-4
discovering or changing controller used by device 69-25
events
historical and real-time lookup 69-27
looking up 69-27
integrating with Security Manager 69-21
integration with Security Manager 69-22
looking up Security Manager policies based on events 69-31
NetFlow 69-33
query
troubleshooting 69-26
registering in Security Manager 69-24
supported log messages 69-32
viewing access rule events 69-28
viewing IPS signature events 69-30
CS-MARS page 11-4
CSMDiagnostics.zip
setting debug options 11-8
CSMDiagnostics.zip file, creating 10-27
CSM tab, Licensing page 11-41
CSV (comma-separated values) files
supported formats for device inventory 10-9
CSV file
export HPM data as 68-26
Customize Desktop Settings page 11-6
Customized Toolbar command 1-30
Custom Protocol dialog box 17-20
Custom Report List command (Report Manager) 67-9
Cut command 1-29, 12-9
cut-through proxy, configuring 13-23
CX
ASA module
detecting 69-10
CXSC
MPC rule wizard
tab 56-8
D
database
backing up 10-24
backing up and restoring 10-24
generating partial backups for TAC 10-29
restoring 10-26
DCE/RPC policy map objects
creating 17-21
properties 17-27
DCS.properties file
DCS.doSerialAccessForFWSMVCs property 9-17
DCS.FWSM.checkThreshold property 9-16
SSH settings 9-7
warning message expression properties 9-10
DDNS
PIX/ASA/FWSM 51-17
add interface rules 51-18
update methods 51-18
update methods, add/edit 51-19
dead-peer detection (DPD) 25-30
debugging
configuring debug levels 11-8
Debug Options page 11-8
Default Report Settings command (Report Manager) 67-9
defaults, configuring 11-1
Delete Device command 1-28
Delete Map command 1-31
Delete Map dialog box 34-10
Delete Row command 1-29
Denial of Service (DoS)
preventing in SMTP using zone based firewall 21-25
denial of service (DoS)
preventing using unicast reverse path forwarding (RPF) 59-20
Denial of Service (DoS) attacks
configuring inspection settings to mitigate 17-88
preventing on IOS devices using inspection 17-4
denial of service (DoS) attacks
preventing using IKEv2 cookie challenge 25-34
deny
inspection
rules 17-5
Deploy command 1-28
Deploy Job dialog box 8-40
deployment
Add Other Devices dialog box 8-54
Auto Update Server 8-42
Catalyst 6500/7600 devices 8-29
changes not deployed when using schedules 8-52
changing device message severity level to ignore errors 9-10
changing FWSM multiple-context deployment to serial 9-17
Cisco Networking Services configuration engine 8-42
configuration files, to 8-11
configurations 8-29
creating jobs in Workflow mode 8-36
creating or editing schedules 8-52
Deployment Manager window 8-17
device communication settings 9-4
devices, directly to 8-9
devices, through intermediate server 8-10
Edit Deploy Method dialog box 8-31
Edit Selected Deployment Method dialog box 8-31
errors
OS version mismatches 8-13
generating status report 10-28
handling OS version mismatches 8-13
managing 8-1
methods 8-8
minimum memory errors for ASA 8.3+ 9-11
non-Workflow mode 8-3
optimizing access rules 16-43
out-of-band changes
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
process overview 8-1
rolling back archived configurations 8-66
rolling back configurations 8-59
rolling back configurations, Catalyst 6500/7600 8-61
rolling back configurations, command conflicts 8-64
rolling back configurations, commands to recover from failover misconfiguration 8-65
rolling back configurations, failover devices 8-61
rolling back configurations, IPS and IOS IPS devices 8-62
rolling back configurations, multiple context mode 8-61
rolling back configuration when deploying to file 8-67
rolling back to last deployed configuration 8-65
setting debug options 11-8
SSL handshake failure 2-2
suspending or resuming schedules 8-55
system settings 11-9
task flow
non-Workflow mode 8-3
Workflow mode 8-5
tips for successful jobs 8-28
TMS server 8-43
troubleshooting 9-1, 9-9
ADSL or PVC deployment failures 9-15
AUS problems 9-18
Catalyst interface settings 9-16
Catalyst internal VLANs 9-16
Catalyst switch and modules 9-15
Configuration Engine problems 9-18
Error Writing to Server messages 9-15
HTTP Response Code 500 messages 9-15
layer 2 interfaces 9-14
mixing deployment methods with routers and VPNs 9-13
router interface settings 9-14
routers 9-14
Security Manager cannot contact device 9-12
VPNs with routing processes 9-13
troubleshooting device communication 9-7
troubleshooting router connection failures 2-2
troubleshooting SSL certificate errors 9-4
troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 24-17
understanding 8-1
understanding configuration rollback 8-59
using a Cisco Networking Services (CNS) server 8-42
viewing device details 8-27
viewing job summary 8-27
viewing status and history for jobs and schedules 8-27
viewing transcripts 8-58
Warning - Partial VPN Deployment dialog box 8-32
Workflow mode 8-5, 8-35, 8-40
working with 8-26
Deployment—Create or Edit a Job dialog box 8-36
deployment jobs
aborting 8-51
approval 8-7
approving 8-39
creating and editing in non-Workflow mode 8-29
creating and editing in Workflow mode 8-36
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
multiple users 8-8
redeploying 8-49
rejecting 8-39
states
non-Workflow mode 8-4
Workflow mode 8-6
submitting 8-39
viewing history 8-27
Deployment Manager
overview 8-16
Deployment Manager window 8-17
Deployment Schedules tab 8-22
Deployments command 1-32
Deployment Settings page 11-9
Deployment Status Details dialog box 8-33
Deployment Workflow Commentary dialog boxes 8-21
Deploy Saved Changes dialog box 8-29
DES encryption algorithm
in IKE proposals 25-6
Designated Router
PIX/ASA/FWSM 53-12
Destination Contents dialog box 12-14
Dest Port Map dialog box 40-12
Detect Out of Band Changes command 1-33
device
AAA administration 47-4
firewall types 45-1
viewing inventory status 69-1
Device Access
FWSM
Resources, add/edit 50-3
PIX/ASA/FWSM 48-1
console timeout 48-1
host name 50-1
HTTP configuration 48-2
HTTP page 48-2
ICMP rules 48-3
ICMP rules, add/edit 48-4
Management Access interface 48-5
Secure Shell, add/edit host 48-6
Secure Shell (SSH) 48-5
Server Access 51-1
SNMP host access 48-12
SNMP page 48-8
SNMP Trap configuration 48-9
Telnet configuration 48-14
Telnet page 48-13
user accounts 50-6
user accounts, add/edit 50-7
device access policies
defining 60-14
Device Admin
FWSM
Resources 50-3
device administration policies
configuring on firewall devices 47-1
device authentication
adding SSL thumbprints manually 9-4
SSL certificate default configuration 11-18
Device Blacklist dialog box 19-15
device clusters 3-9
device communication
changing device message severity level 9-10
managing settings 9-4
routers without K8/K9 crypto image 9-7
Security Manager cannot contact device after deployment 9-12
troubleshooting failures 9-7
Device Communication page 11-17
device communications
troubleshooting 9-1
device communication settings
connection timeout 11-17
retry count 11-17
socket read timeout 11-18
Device Connectivity Test dialog box 9-3
device credentials
understanding 3-4
Device Credentials page 3-44
Device Delete Validation dialog box 3-56
device groups 3-57, 3-60
adding or removing devices 3-60
creating group types 3-59
deleting groups or types 3-60
understanding 3-57
Device Groups page 3-48, 11-20
Device Information page - Add Device from File 3-31
Device Information page - Configuration File 3-22
Device Information page - Network 3-13
Device Information page - New Device 3-26
device inventory
exporting
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-9
using command line utility 10-10
importing
device with policies 10-13
importing with policies 10-13
managing 3-1
sharing with PRSM 69-11
testing device connectivity 9-1
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
working with 3-34
device manager
access rule look-up 69-6
ASDM 69-5
access rule look-up 69-7
credentials 69-4
IDM 69-5
PDM 69-5
prerequisites 69-5
SDM 69-5
access rule look-up 69-8
starting from HPM 68-2, 68-24
starting from Security Manager 69-4
troubleshooting 69-5
xdm-launcher.exe 69-6
Device Manager command 1-35
Device Properties
Cluster Information page 3-48
Credentials page 3-44
Device Groups page 3-48
General page 3-40
Policy Object Override pages
general reference 3-49
device properties
changes with policy effects 3-51
changing critical 3-50
image version changes with no policy effects 3-50
understanding 3-6
viewing or changing 3-39
Device Properties command 1-33
Device Properties page
creating object overrides 6-18
deleting overrides 6-21
overview 3-39
device response
to appear as an error message 9-10
devices
adding 3-6
adding configurations to the Configuration Archive 8-55
adding from configuration files 3-20
adding from inventory file 3-29
adding from network 3-11
adding local rules to shared policies 5-42
adding manually 3-25
adding or changing modules 3-39
assigning shared policies 5-41
avoiding out-of-band changes 8-47
changing critical properties 3-50
changing those selected for reports 67-21
cloning or duplicating 3-54
cloning shared policies 5-44
communication requirements 2-1
communication settings and certificates 9-4
configuring ASA licenses 2-11
configuring IOS licenses 2-12
configuring local policies 5-29
copying policies between 5-31
creating policy object overrides 6-18
deleting from inventory 3-55
deleting policy object overrides 6-21
deployment through intermediate server 8-10
deployment to 8-9
detecting out-of-band changes 8-46
discovering or changing CS-MARS controller 69-25
discovering policies 5-12
discovering policies on existing devices 5-15
dynamic IP addresses 3-35
image version changes with no policy effects 3-50
including in deployment jobs or schedules 8-8
including unmanaged or non-Cisco in a VPN 24-11
inheriting policy rules 5-43
maps
adding existing managed 34-16
adding new managed 34-16
displaying devices from Device View 34-16
displaying managed 34-16
removing managed 34-16
showing containment for Catalyst switches, ASA, PIX, IPS devices 34-16
modifying policy assignment 5-46
modifying shared policies 5-45
naming conventions 3-3
overview of monitoring 1-6
policy status icons 5-28
preparing for management 2-1
property changes with policy effects 3-51
redeploying configuration files to 8-49
redeploying configurations to replaced hardware 8-49
renaming policies 5-45
replacing policies 5-41
rolling back configurations 8-65, 8-66, 8-67
selecting in site-to-site VPNs 24-32
selecting multiple 1-42
sharing multiple policies 5-39
sharing with PRSM 69-11
showing contained modules 3-53
system variables 7-7
testing connectivity 9-1
troubleshooting communication 9-7
troubleshooting communication and deployment 9-1
troubleshooting device discovery failures 3-7
unassigning policies 5-33
understanding out-of-band changes 8-12
unsharing policies 5-40
using global search to find specific devices 1-39
what counts as a device 3-3
device selector
filtering 1-42
Device Selector dialog box 1-42
Device Server Assignment dialog box 9-8
device status view
working with 3-61
Device Status View command 1-30
Device view
adding local rules to shared policies 5-42
assigning shared policies 5-41
cloning shared policies 5-44
configuring local policies 5-29
configuring VPN topologies 24-19
copying policies between devices 5-31
inheriting policies 5-43
managing policies 5-28
modifying policy assignments 5-46
modifying shared policies 5-45
overview 1-13
policy banner 5-35
policy shortcut menu 5-37
policy status icons 5-28
renaming policies 5-45
sharing local policies 5-38
sharing multiple policies 5-39
unassigning policies 5-33
understanding basic policy management 5-29
understanding shared policies 5-34
unsharing policies 5-40
device view
understanding 3-1
Device View command 1-30
Device Whitelist dialog box 19-15
DHCP
Cisco IOS routers
defining address pools 60-91
defining policies 60-90
DHCP Database dialog box 60-94
DHCP Policy page 60-92
IP Pool dialog box 60-94
overview 60-87
understanding database agents 60-88
understanding option 82 60-89
understanding relay agents 60-88
understanding secured ARP 60-89
configuring passthrough for IOS devices 22-3
PIX/ASA/FWSM 51-10
add/edit servers 51-11
advanced configuration 51-12
configuring DHCP servers 51-9
server options 51-13
traffic blocked 9-15
DHCP relay
PIX/ASA/FWSM 51-5, 51-7
add/edit agent 51-5
add/edit server 51-6
DHCPv6 relay
PIX/ASA/FWSM
add/edit agent 51-8
add/edit server 51-9
diagnostics
setting debug options 11-8
diagnostics file, creating 10-27
dial backup
configuring in Easy VPN 27-2
configuring in VPN 24-38
configuring VPN advanced settings 24-39
Dial Backup Settings dialog box 24-39
dialer interfaces
defining BRI properties 59-29
defining profiles 59-27
Dialer Physical Interface dialog box 59-32
Dialer Policy page 59-30
Dialer Profile dialog box 59-31
on Cisco IOS routers 59-27
Diffie-Hellman groups
in IKE proposals 25-7
Digital Subscriber Line (DSL) 59-33
digital subscriber line-access multiplexer (DSLAM) 59-34
directed broadcasts
enabling 59-20
Disable/enable NAT rules 23-32, 23-45
Discard Activity command 1-34
Discard Activity dialog box 4-22
Discard command 1-29
Discard Deployment Job dialog box 8-21
Discard Ticket command 1-35
Discard Ticket dialog box 4-22
discovering
remote access VPNs 29-12
site-to-site VPNs 24-24
Discover Policies on Device command 1-31
Discover VPN Policies command 1-31
Discover VPN Policies wizard 24-24
discovery
default behavior settings 11-21
generating status report 10-28
invalid certificate error 9-6
overview 1-18
security certificate error 9-4, 9-6
setting debug options 11-8
Discovery Settings page 11-21
Discovery Status dialog box 5-21
discovery task
frequently asked questions 5-25
starting 5-15
viewing status 5-21
disk space, monitoring event data store 66-31
Display Actual Size command 1-31
Distributed Traffic Shaping (DTS) 63-6
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 26-11
configuring 26-12
configuring GRE modes 26-12
large scale DMVPNs
configuring 26-16
configuring server load balancing 26-17
overview 26-1, 26-9
spoke-to-spoke connections 26-10
supported platforms 24-9
understanding 26-10
DNS
configuring for inspection rules 17-18
PIX/ASA/FWSM
add/edit server group 51-15
add server 51-16
servers page 51-13
DNS class map objects
creating 17-21
match criteria 17-31
DNS policy map objects
creating 17-21
match conditions and actions 17-31
properties 17-28
DNS servers
configuring for IPS global correlation 35-22
DNS snooping 19-6
dock
report windows 67-25
view windows 66-34
Dock Map View command 1-32
documentation
conventions 1-1
ordering 1-2
Domain AD Server dialog box 13-10
Domain Name System (DNS)
Cisco IOS routers
defining policies 60-75
DNS Policy page 60-76
IP Host dialog box 60-76
overview 60-74
do not ask warnings, resetting 11-6
DSLAM 59-34
duration
VPN user reports 67-15, 67-16
dynamic access policies
attributes 31-3, 31-7
configuring 31-2
managing 31-1
understanding 31-1
dynamic access policies (DAP) 31-28
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box 31-19
Add/Edit DAP Entry dialog box > AAA Attributes Cisco 31-20
Add/Edit DAP Entry dialog box > AAA Attributes LDAP 31-22
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 31-23
Add/Edit DAP Entry dialog box > Anti-Spyware 31-24
Add/Edit DAP Entry dialog box > Anti-Virus 31-25
Add/Edit DAP Entry dialog box > AnyConnect Identity 31-26
Add/Edit DAP Entry dialog box > Application 31-27
Add/Edit DAP Entry dialog box > File 31-29
Add/Edit DAP Entry dialog box > NAC 31-30
Add/Edit DAP Entry dialog box > Operating System 31-31
Add/Edit DAP Entry dialog box > Personal Firewall 31-32
Add/Edit DAP Entry dialog box > Policy 31-33
Add/Edit DAP Entry dialog box > Process 31-34
Add/Edit DAP Entry dialog box > Registry 31-35
Advanced Expressions tab 31-39
Logical Operations tab 31-36
Main tab 31-13
Dynamic Access Policy page (ASA) 31-10
Cisco Secure Desktop Manager Policy Editor dialog box 31-40
Dynamic Access Policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 31-12
Dynamic Blacklist Configuration tab 19-10
dynamic crypto maps 25-18
dynamic filter snooping (DNS)
enabling 17-18
Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 24-6
dynamic NAT
Cisco IOS routers 23-10
Dynamic Translation Rule
PIX/ASA/FWSM 23-21
add/edit 23-21
dynamic VTI
configuring in Easy VPN 27-12
in remote access VPNs 32-7
understanding use in Easy VPN 27-2
E
Easy VPN
configuration modes 27-3
configuration overview 27-5
configuring client connection characteristics 27-7
configuring dial backup 27-2
configuring dynamic VTI 27-12
configuring high availability 27-2
connection profile policies 27-13
connection profiles (ASA, PIX 7+) 30-8
extended authentication (xauth) 27-4
important configuration notes 27-6
IPsec proposals 27-10
mandatory and optional policies 24-6
overview 27-1
supported platforms 24-9
understanding 27-1
understanding dynamic VTI 27-2
user group policies 27-14
Edit AAA Option dialog box 15-18
Edit AAA Rule dialog box 15-13
Edit AAA Server dialog box 6-30
Edit AAA Server Group dialog box 6-46
Edit Access Rule dialog box 16-13
Edit Actions dialog box 38-8
Edit activity state 4-4
Edit AOL Class Map dialog box 17-26, 21-17
Edit A Port Forwarding Entry dialog box 33-30
Edit ASA Group Policies dialog box
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
overview 33-1
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
Edit A Smart Tunnel Entry dialog box 33-53
Edit Auto Signon Rules dialog box 33-19
Edit Auto Update Settings dialog box 11-38
Edit Category dialog box 12-14
Edit Cisco Secure Desktop Configuration dialog box 33-23
Edit Client Access Rules dialog box 33-10
Edit Client Update dialog box 33-65
Edit Column dialog box 33-47
Edit Custom Pane dialog box 33-47
Edit DCE/RPC Map dialog box 17-27
Edit Deploy Method dialog box 8-31
Edit Description dialog box 12-14
Edit Destinations dialog box 12-11
Edit Device Groups command 1-29
Edit Device Groups dialog box 3-58
Edit DNS Class Map dialog box 17-26
Edit DNS Map dialog box
Filtering tab 17-30
overview 17-28
Protocol Conformance tab 17-30
Edit eDonkey Class Map dialog box 17-26, 21-17
Edit Endpoints dialog box
FWSM tab 24-44
overview 24-33
Protected Networks tab 24-44
VPN Interface tab 24-35
VPNSM/VPN SPA/VSPA settings, VPN Interface tab 24-40
VRF Aware IPsec tab 24-45
Edit ESMTP Map dialog box 17-34
Edit Extended Access Control Entry dialog box 6-56
Edit Extended Access List dialog box 6-55
Edit External Filter dialog box 21-40
Edit Extranet VPN dialog box
overview 24-62
Edit FastTrack Class Map dialog box 17-26, 21-17
Edit Fidelity dialog box 38-9
Edit File Object dialog box 33-25
Edit FlexConfig dialog box 7-29
Edit FTP Class Map dialog box 17-26
Edit FTP Map dialog box 17-37
Edit Gnutella Class Map dialog box 17-26, 21-17
Edit Group Member dialog box 28-21
Edit GTP Map dialog box 17-40
Edit H.323 Class Map dialog box 17-26, 21-17
Edit H.323 Map dialog box 17-45, 21-33
Edit HSI Endpoint IP Address dialog box 17-48
Edit HSI Group dialog box 17-47
Edit HTTP Class Map dialog box 17-26, 21-17
Edit HTTP Map dialog box 21-33
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-52
Extension Request Method tab 17-55
General tab 17-51
overview 17-50
Port Misuse tab 17-56
RFC Request Method tab 17-54
Transfer Encoding tab 17-57
ASA 7.2+ and PIX 7.2+ devices 17-58
Edit ICQ Class Map dialog box 17-26, 21-17
Edit IKEv1 Proposal dialog box 25-10
Edit IKEv2 Proposal dialog box 25-13
Edit IMAP Class Map dialog box 17-26, 21-17
Edit IMAP Map dialog box 21-33
Edit IM Class Map dialog box 17-26
Edit IM Map dialog box 21-33
ASA and PIX device 17-64
IOS device 17-67
Edit Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
Edit Inspect Parameter Map dialog box 21-29
Edit Interfaces dialog box 12-13
Edit IP Options Map dialog box 17-68
Edit IPsec Pass Through Map dialog box 17-74
Edit IPSec Transform Set dialog box 25-25
Edit IPv4 Pool Object dialog box 6-83
Edit IPv6 Map dialog box 17-70
Edit IPv6 Pool Object dialog box 6-84
Edit Kazaa2 Class Map dialog box 17-26, 21-17
Edit Key Server dialog box 28-19
Edit Language dialog box 33-42
Edit LDAP Attribute Map dialog box 6-43
Edit LDAP Attribute Map Value dialog box 6-44
Edit Load Balancing Parameters dialog box 26-17
Edit Local Web Filter Class Map dialog box 17-26, 21-17
Edit Local Web Filter Parameter Map dialog box 21-37
Edit MAC Address Pool Object dialog box 6-85
Edit Map Value dialog box 6-44
Edit Match Condition and Action dialog box
DNS policy maps 17-31
ESMTP policy maps 17-35
FTP policy maps 17-38
GTP policy maps 17-43
H.323 (IOS) policy maps 21-34
H.323 policy maps 17-48
HTTP (Zone Based IOS) policy maps 21-34
HTTP policy maps 17-59
IM (Zone Based IOS) policy maps 21-34
IMAP policy maps 21-34
IM policy maps 17-65
IPv6 policy maps 17-71
P2P policy maps 21-34
POP3 policy maps 21-34
SIP (IOS) policy maps 21-34
SIP policy maps 17-79
Skinny policy maps 17-83
SMTP policy maps 21-34
Sun RPC policy maps 21-34
Web Filter policy maps 21-34
Edit Match Criterion dialog box
AOL class maps 21-20
DNS class maps 17-31
eDonkey class maps 21-20
FastTrack class maps 21-20
FTP class maps 17-38
Gnutella class maps 21-20
H.323 (IOS) class maps 21-21
H.323 class maps 17-48
HTTP (IOS) class maps 21-21
HTTP class maps 17-59
ICQ class maps 21-20
IMAP class maps 21-23
IM class maps 17-65
Kazaa2 class maps 21-20
Local Web Filter class maps 21-28
MSN Messenger class maps 21-20
N2H2 class maps 21-29
POP3 class maps 21-23
SIP (IOS) class maps 21-24
SIP class maps 17-79
SMTP class maps 21-25
Sun RPC class maps 21-28
Websense class maps 21-29
Windows Messenger class maps 21-20
Yahoo Messenger class maps 21-20
Edit menu
Configuration Manager 1-29
Edit MSN Messenger Class Map dialog box 17-26, 21-17
Edit N2H2 Parameter Map dialog box 21-38
Edit N2H2 Web Filter Class Map dialog box 17-26, 21-17
Edit NAT Rule dialog box
ASA 8.3+ 23-35
Edit NetBIOS Map dialog box 17-75
Edit Network/Host dialog box
General tab 6-77
NAT tab 23-41
Edit Options dialog box 16-15
Edit P2P Map dialog box 21-33
Edit Permit Response dialog box 17-42
Edit Per-Session NAT Rule dialog box 23-46
Edit PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Edit PKI Enrollment dialog box
CA Information tab 25-55
Certificate Subject Name tab 25-61
Enrollment Parameters tab 25-59
overview 25-54
Trusted CA Hierarchy tab 25-62
Edit Policy Assignments command 1-30
Edit POP3 Class Map dialog box 17-26, 21-17
Edit Port Forwarding List dialog box 33-28
Edit Port List dialog box 6-87
Edit Protocol Info Parameter Map dialog box 21-32
Edit Regular Expression dialog box 17-86
Edit Regular Expression Group dialog box 17-85
Edit Row command 1-29
Edit Rule Section dialog box 12-22
Edit Security Association dialog box 24-54
Edit Selected Deployment Method dialog box 8-31
Edit Server dialog box
Protocol Info Parameter maps 21-33
Edit Server Group dialog box 15-18
Edit Service dialog box 6-89
Edit Services dialog box 12-12
Edit Signature dialog box 38-12
Edit Signature Parameter—Component List dialog box 38-25
Edit Signature Parameters dialog box 38-21
Edit Single Sign On Server dialog boxes 33-30
Edit SIP Class Map dialog box 17-26, 21-17
Edit SIP Map dialog box 17-77, 21-33
Edit Skinny Map dialog boxes 17-81
Edit SLA Monitor dialog box 50-9
Edit Smart Tunnel Auto Signon Entry dialog box 33-56
Edit Smart Tunnel Auto Signon Lists dialog box 33-55
Edit Smart Tunnel Lists dialog box 33-52
Edit SMTP Class Map dialog box 17-26, 21-17
Edit SMTP Map dialog box 21-33
Edit SNMP Map dialog box 17-84
Edit Sources dialog box 12-11
Edit SSL VPN Customization dialog box 33-36
Applications 33-46
Copyright Panel 33-44
Custom Panes 33-46
Full Customization 33-45
Home Page 33-48
Informational Panel 33-43
Language 33-40
Logon Form 33-42
Logout Page 33-49
Title Panel 33-39
Toolbar 33-45
Edit SSL VPN Gateway dialog box 33-50
Edit Standard Access Control Entry dialog box 6-59
Edit Standard Access List dialog box 6-55
Edit Sun RPC Class Map dialog box 17-26, 21-17
Edit Sun RPC Map dialog box 21-33
Edit TCP Map dialog box 56-20
Edit TCP Option Range Dialog Box 56-22
Edit Text Object dialog box 7-31
Edit Time Range dialog box 6-66
Edit Traffic Flow dialog box 56-16
Edit Translated Address dialog box 23-27
Edit Transparent EtherType dialog box 22-6
Edit Transparent Firewall Rule dialog box 22-5
Edit Transparent Mask dialog box 22-7
Edit Trend Content Filter Class Map dialog box 17-26, 21-17
Edit Trend Parameter Map dialog box 21-41
Edit Unified Access Control Entry dialog box 6-62
Edit Update Server Settings dialog box 11-36
Edit URL Domain Name dialog box 21-44
Edit URLF Glob Parameter Map dialog box 21-44
Edit URL Filter Parameter Map dialog box 21-42
Edit User Credentials dialog box 35-17
Edit User dialog box 12-12
Edit User Group dialog box
Advanced PIX 6.3 settings 33-66
Browser Proxy settings 33-72
Client (IOS) settings 33-63
Clientless settings 33-67
Client VPN Software Update (IOS) settings 33-65
DNS/WINS settings 33-61
General settings 33-60
IOS Xauth Options settings 33-64
overview 33-58
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN Connection settings 33-73
SSL VPN Full Tunnel settings 33-69
SSL VPN Split Tunneling settings 33-70
Technology settings 33-58
Thin Client settings 33-68
Edit VDI Server dialog box 33-12
Edit Virtual Sensor dialog box 37-7, 37-8
Edit VPN dialog box
Device Selection tab 24-32
Edit Endpoints dialog box 24-33
Endpoints tab 24-33
High Availability tab 24-48
Name and Technology tab 24-30
overview 24-28
Edit Web Access Control Entry dialog box 6-60
Edit Web Filter Map dialog box 21-46
Edit Web Filter Options dialog box 18-9
Edit Web Filter Type dialog box 18-8
Edit Websense Parameter Map dialog box 21-38
Edit Websense Web Filter Class Map dialog box 17-26, 21-17
Edit Web Type Access List dialog box 6-55
Edit Windows Messenger Class Map dialog box 17-26, 21-17
Edit WINS Server dialog box 33-74
Edit WINS Server List dialog box 33-74
Edit Yahoo Messenger Class Map dialog box 17-26, 21-17
Edit Zones dialog box 12-13
eDonkey class map objects
creating 21-15
match criteria 21-20
EIGRP routing
defining interface properties 64-10
defining routes 64-9
EIGRP Routing Policy page 64-13
Interface dialog box 64-16
Interfaces tab 64-15
on Cisco IOS routers 64-8
redistributing routes 64-12
Redistribution Mapping dialog box 64-18
Redistribution tab 64-17
Setup dialog box 64-14
Setup tab 64-13
e-mail
blocking spam using zone-based firewall rules 21-25
preventing DoS attacks 21-25
e-mail notifications
configuring SMTP server 1-25
PIX/ASA/FWSM
recipient set-up 52-3
syslog messages 52-3
Enable/disable NAT rules 23-32, 23-45
Enable PIM and IGMP
PIX/ASA/FWSM 53-1
Encapsulating Security Protocol (ESP) encryption algorithm 25-28
encoding rules
defining for SSL VPN (ASA) 30-45
encryption algorithms
3DES (Triple DES) 25-6
AES (Advanced Encryption Standard) 25-6
DES (Data Encryption Standard) 25-6
in IKE proposals 25-6
endpoints and protected networks
configuring dial backup 24-38
defining in GET VPN topologies 24-56
defining in VPN topologies 24-33
VPN Interface tab 24-35
Error Writing to Server deployment errors 9-15
ESMTP
configuring for inspection rules 17-18
ESMTP policy map objects
creating 17-21
match conditions and actions 17-35
properties 17-34
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes 65-49
defining IDSM VLANs 65-45
deleting IDSM VLANs 65-46
EtherChannels
ASA 45-8
edit assigned interface 45-11
LACP 45-11
load balancing 45-12
evaluation license
upgrading to permanent license 10-16
event
lists 52-4
add/edit 52-5
syslog class
add/edit 52-6
syslog message ID
add/edit 52-6
Event Action Filters page 39-7
Event Action Override dialog box 39-14
Event Action Overrides page 39-13
event actions, IPS
configuring filter rules 39-4
configuring network information 39-14
configuring OS maps 39-18
configuring overrides 39-13
configuring settings 39-21
configuring target value ratings 39-15
example filter rule 66-58
filter rule attributes 39-9
filter rules policy 39-7
filter rules tips 39-6
overview 39-1
possible actions 39-2
process overview 39-1
Event Management page 11-23
Event Manager service
configuring 66-27
managing 66-27
monitoring event store disk space 66-31
monitoring status 66-28
selecting devices to monitor 66-31
starting and stopping 66-27
status icon colors 66-28
events
archiving (backing up) the event data store 66-32
configuring firewall devices (ASA, FWSM) 66-25
configuring IPS devices 66-26
copying 66-48
CS-MARS 69-32
looking up 69-27
looking up policies based on related events 69-31
Netflow support for policy lookup 69-33
viewing access rule events 69-28
viewing IPS signature events 69-30
ensuring time synchronization 66-25
Event Viewer
clearing filters 66-44
context menu 66-45
filtering by column 66-41
filtering by events 66-43
filtering overview 66-39
looking up policies based on related events 66-48
refreshing event table 66-40
selecting time range 66-39
text searches (quick filter) 66-44
using time slider with filtering 66-40
examining details 66-47
examples of analysis
mitigating botnet activity 66-56
monitoring and mitigating botnet activity 66-52
monitoring botnet activity using ASDM 66-56
monitoring botnet activity using Event Viewer 66-53
monitoring botnet activity using Report Manager 66-55
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-14
overview 66-50
removing false positive IPS events 66-58
understanding botnet syslog events 66-53
user access to server blocked 66-50
performing operations on 66-45
properties 66-16
recovering the event data store 66-32
saving to a file 66-48
understanding Event Viewer access control 66-3
viewing 66-1
Event Viewer
archiving (backing up) the event data store 66-32
arranging views 66-34
ASA devices, configuring to provide events 66-25
columns 66-16
configuring color rules 66-36
configuring Event Manager service 66-27
copying events 66-48
creating custom views 66-37
deleting custom views 66-39
editing view name and description 66-38
ensuring time synchronization 66-25
Event Monitoring window 66-12
events
context menu 66-45
event table
customizing appearance 66-35
event details pane 66-24
refreshing 66-40
time slider 66-23
toolbar 66-14
examining event details 66-47
examples of analysis
mitigating botnet activity 66-56
monitoring and mitigating botnet activity 66-52
monitoring botnet activity 66-53
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-14
overview 66-50
removing false positive IPS events 66-58
understanding botnet syslog events 66-53
user access to server blocked 66-50
features
historical views 66-2
overview 66-1
policy navigation 66-3
real-time views 66-2
views and filters 66-3
File menu reference 66-8
filters
advantages of using network/host objects 66-59
clearing 66-44
column based 66-41
event based 66-43
overview 66-39
submission requirements for policy objects 66-59
text searches (quick filter) 66-44
time range 66-39
time slider 66-40
floating views 66-34
FWSM devices, configuring to provide events 66-25
IPS devices, configuring to provide events 66-26
limits of 66-4
looking up Security Manager policies based on events 66-48
managing service 66-27
monitoring event store disk space 66-31
monitoring status 66-28
opening views 66-34
overview 66-7
performing operations on 66-45
preparation for use 66-24
recovering the event data store 66-32
saving events 66-48
saving views 66-38
selecting devices to monitor 66-31
settings 11-23
starting or stopping the Event Manager service 66-27
status icon colors 66-28
switching between IP addresses and host object names 66-36
switching between real-time and historical views 66-38
syslogs 66-6
troubleshooting
Event Viewer Unavailable message 11-23, 11-26, 66-27
policy objects not available for filtering 66-59
understanding access control 66-3
using 66-33
using views 66-33
view list 66-11
View menu reference 66-9
Event Viewer command 1-35
exclusive domains
configuring for IOS devices 18-10
Exit command 1-29
Exit command (Report Manager) 67-8
exiting
Cisco Security Management Suite server 1-10
CiscoWorks Common Services 1-10
Security Manager 1-9, 1-11
expiration dates
configuring for access rules 16-19
export
device inventory
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-9
HPM data 68-26
IPS event action overrides 39-13
IPS event filter rules 39-4, 39-7
policy objects 6-21
reports 67-23
shared policies 10-11
Export Devices or Policies commands 1-28
Export Inventory dialog box 10-6
Export Map command 1-31
External Product Interface dialog box 35-24
External Product Interface policy 35-23
F
factory-default configurations 45-2
failover
Active/Active
command replication 49-4
configuration synchronization 49-3
add new context to group 2 49-7
configuring in site-to-site VPN 24-48
edit bridge group 49-16
FWSM 49-12
advanced settings 49-15
PIX/ASA 49-17
Add Failover Group 49-24
settings 49-20
PIX/ASA/FWSM 49-10
active/active 49-2, 49-3
active/standby 49-2
bootstrap configuration 49-26
configuration basics 49-5
configuring 49-1
interface configuration 49-23
interface MAC address 49-22
security context 49-25
stateful 49-3, 49-4
stateless 49-3
types of 49-2
understanding 49-1
PIX 6.3 49-10
interface configuration 49-11
stateful in site-to-site VPN 24-50
false negatives
definition of 38-19
false positives
definition of 38-19
FastTrack class map objects
creating 21-15
match criteria 21-20
feature sets 1-4
File menu
Configuration Manager 1-28
Event Viewer 66-8
Report Manager 67-8
file objects
attributes 33-25
selecting 33-27
files
deploying to 8-11
selecting or specifying 1-47
Filter Item dialog box 39-9
filter rules, event action (IPS)
attributes 39-9
configuring 39-4
example rule 66-58
exporting 39-4
policy 39-7
tips 39-6
filters
Event Viewer
clearing 66-44
column based 66-41
context menu 66-45
event based 66-43
overview 66-39
refreshing event list 66-40
selecting time range 66-39
text searches (quick filter) 66-44
using time slider 66-40
filtering selectors 1-42
filtering tables 1-45
HPM
column based 68-15
custom 68-15
filters (Event Viewer)
advantages of using network/host objects 66-59
overview 66-3
submission requirements for policy objects 66-59
Find and Replace dialog box 12-17
find and replace in rules policies 12-16
Find Map Node command 1-31
Find Node dialog box 34-12
Firewall
AAA IOS Timeout Values 15-27
firewall
AAA firewall
advanced settings 15-19
configuring 15-6
MAC exempt lists 15-23
AAA firewall policy
advanced settings 15-19
configuring 15-6
AAA page 15-25
AAA rules
configuring AAA firewall settings 15-6
configuring AuthProxy settings 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring security group aware 14-13
managing 15-1
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
Access Control page 16-21
access controls
per user downloadable ACLs 16-24
access control settings
configuring settings 16-20
access rule
event analysis example, user access blocked 66-50
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
viewing related CS-MARS events 69-28
access rules
address requirements 16-5
configuring 16-7
configuring expiration dates 16-19
configuring identity aware 13-21
configuring security group aware 14-13
how deployed 16-5
import examples 16-41
importing 16-37
IPS blocking, effect of 42-4
managing 16-1
optimizing during deployment 16-43
sharing ACLs among interfaces 11-14
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding requirements when using inspection 17-4
ACL naming conventions 12-5
adding rules 12-9
analysis reports 16-31
AuthProxy
configuring 15-9
AuthProxy settings policy
configuring 15-9
botnet traffic filter rules 19-9
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring policies in Map view 34-23
configuring settings 18-15
configuring settings policies in Map view 34-23
conflict detection 16-25
converting IPv4 rules 12-28
deleting rules 12-9
device types 45-1
disabling rules 12-20
editing rules 12-9
enabling rules 12-20
finding and replacing items in rules policies 12-16
Firewall ACL Setting dialog box 16-23
identity-aware policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15, 14-8, 14-10
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-27, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Inspection page 17-88
inspection rules
add/edit rule wizard 17-10, 17-12, 17-16
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
configuring security group aware 14-13
managing 17-1
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3, 17-16
understanding 17-1
understanding access rule requirements 17-4
inspection settings
configuring for IOS devices 17-88
introduction 12-1
IPv6 access rules
configuring expiration dates 16-19
sharing ACLs among interfaces 11-14
understanding global 16-3
MAC exempt lists, AAA firewall 15-23
managing rules tables 12-7
moving rules 12-19
object groups
expanding during discovery 12-35
optimizing network object groups during deployment 12-35
overview 12-1
per user downloadable ACLs 16-24
policy discovery 5-13
policy query
example report 12-34
generating reports 12-28
interpreting results 12-32
preserving ACL names 12-4
reference information for AAA rules 15-19
resolving access rule conflicts 16-31
resolving ACL naming conflicts 12-6
rule table sections 12-20
security group aware policies
configuring ISE settings 11-40
configuring rules 14-13
security group-aware policies
configuring 14-7
managing 14-1
system variables 7-9
transparent rules
adding or editing a rule 22-5
configuring 22-1
configuring passthrough for IOS devices 22-3
editing the EtherType 22-6
editing the mask 22-7
managing 22-1
Transparent Rules page 22-3
TrustSec firewall policies
configuring 14-7
managing 14-1
overview 14-1
TrustSec policies
monitoring 14-14
understanding NAT effects 12-3
understanding rule order 12-19
understanding rule processing order 12-2
using rules tables 12-7
Web Filter page 18-16
web filter rules
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
managing 18-1
understanding 18-1
zone-based firewall
add/edit zones 21-52
advanced options 21-63
configuring PAM 21-65
configuring rules 21-12, 21-59
configuring settings 21-48
Content Filter tab 21-51
designing network zones 21-1
development overview 21-12
Global Parameters tab 21-49
page 21-49
protocol selection 21-64
rules table 21-57
tabs 21-48
VPN tab 21-49
WAAS tab 21-49
Zones tab 21-49
zone-based firewalls
changing the default drop rule 21-47
general recommendations 21-11
IPSec VPN 21-5
logging 21-1
overview 21-1
restrictions 21-3
Self zone 21-5
troubleshooting 21-53
understanding 21-3
understanding permit/deny and action 21-7
understanding services and protocols 21-10
VRF 21-6
Firewall AAA IOS Timeout Value Setting dialog box 15-27
Firewall AAA MAC Exempt Setting dialog box 15-24
Firewall ACL Setting dialog box 16-23
Firewall Device dialog box 42-14
Firewall Services Module
see FWSM 46-1
Fit to Window command 1-31
FlexConfig objects
adding to policies 7-34
ASA samples 7-19
Catalyst 6500/7600 samples 7-21
changing order in policies 7-34
changing variable values 7-34
Cisco IOS Software samples 7-21
CLI commands 7-2
configuring 7-24
configuring AAA for administrative introducers 60-84
creating 7-27
creating text objects 7-31
deleting variables 7-27
PIX firewall samples 7-23
previewing CLI 7-34
properties 7-29
property selector 7-33
removing from policies 7-34
router samples 7-23
samples 7-19
scripting language
example of looping 7-3
example of looping with if/else statements 7-4
example of two-dimensional looping 7-3
understanding 7-3
system variables
device 7-7
firewalls 7-9
remote access VPN 7-18
router 7-13
understanding 7-7
VPN 7-14
undefined variables 7-32
understanding 7-2
variables 7-5
variables, example 7-6
FlexConfig policies
adding objects 7-34
changing object order 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
editing 7-34
previewing CLI 7-34
removing objects 7-34
understanding 7-2
FlexConfig Policy page 7-35
FlexConfig Preview dialog box 7-37
FlexConfigs
creating (scenario) 7-24
managing 7-1
troubleshooting 7-37
FlexConfig Undefined Variables dialog box 7-32
float
report windows 67-25
view windows 66-34
floodguard 55-2
FQDN objects
creating 6-76
understanding 6-74
fragmentation
configuring settings in VPNs 25-40
fragments settings 55-2
frequently asked questions
policy discovery 5-25
FTP class map objects
creating 17-21
match criteria 17-38
FTP policy map objects
creating 17-21
match conditions and actions 17-38
properties 17-37
full mesh topologies
description 24-4
partial mesh 24-5
full tunnel client access mode 29-5
FWSM
AAA support 6-26
about 45-1
adding SSL thumbprints manually 9-4
adding when using multiple-context mode 3-7
adding when using non-default HTTPS (SSL) port 3-7
Asymmetric Routing Groups 45-5
Bridge Groups
add/edit 45-41
bridge groups 46-3
changing deployment method to serial for multiple-context mode 9-17
configuring for event management 66-25
configuring FWSM endpoints in site-to-site VPNs 24-44
configuring transparent firewall rules 22-1
credentials 3-18
deleting security contexts 57-4
deployment failures after changing interface policies 9-16
deployment failures in multiple-context mode 9-16
deployment failures with large ACLs 9-16
Device Access
managing Resources 50-2
Resources 50-3
Resources, add/edit 50-3
discovering failover modules 3-7
Event Viewer support 66-4
Failover 49-12
advanced settings 49-15
edit bridge group 49-16
including in deployment jobs 8-28
interfaces
add/edit 45-19
configuring 45-2
General tab 45-20
IPv6 45-29
IPv6, add/edit 45-33
IPv6, add/edit prefixes 45-34
managing 45-14
packet capture, using 69-18
PDM 69-5
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
security contexts
configuration 57-5
selecting policy types to manage 5-10
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-18
TCP State Bypass 56-3
troubleshooting deployment 9-15
G
General
PIX/ASA/FWSM
security policies 55-1
General Configuration tab, SNMP policy for IPS 35-10
General page, device properties 3-40
General tab, IPS blocking policy 42-10
General tab (Translation Rules)
PIX/ASA/FWSM 23-30
generic routers 3-8
GET VPN
anti-replay, time based 28-11
configuring 28-12
configuring global ISAKMP and IPsec settings 28-16
configuring group members 28-20
cooperative key servers 28-7
defining group encryption 24-50
generating, synchronizing RSA keys 28-13
group members
adding 28-19
editing 28-21
IKE proposal 28-15
key servers
adding 28-19
editing 28-19
mandatory and optional policies 24-6
migrating to 28-23
overview 28-1
receive-only SAs 28-23
registration
choosing the rekey transport mechanism 28-6
configuring fail-close mode 28-8
registration process 28-4
SAs
passive SA mode 28-23
receive-only mode 28-23
security policy 28-10
supported platforms 24-9
troubleshooting 28-25
understanding 28-2
GET VPNs
group encryption policies
certificate authorization 24-53
security associations 24-54
global correlation
configuring 41-1
configuring DNS servers 35-22
configuring HTTP proxy server 35-23
configuring inspection and reputation 41-5
configuring network participation 41-7
configuring with Botnet Traffic Filtering 41-1
data collected 41-3
requirements and limitations 41-4
understanding 41-1
understanding network participation 41-3
understanding reputation 41-2
Global Search
using 1-39
Global Search command 1-29
global settings
remote access VPN
configuring 25-29
Gnutella class map objects
creating 21-15
match criteria 21-20
GRE (generic routing encapsulation) VPN
advantages of IPsec tunneling with GRE 26-3
configuring 26-5
configuring GRE modes 26-6
dynamically addressed spokes 26-5
implementation 26-3
overview 26-1, 26-2
prerequisites for successful configuration 26-3
supported platforms 24-9
understanding 26-2
GRE Dynamic IP
mandatory and optional policies 24-6
GRE Modes Page
DMVPN properties 26-12
GRE or GRE Dynamic IP properties 26-6
overview 26-1
Group Domain of Interpretation (GDOI) protocol 28-3
group encryption
defining in GET VPN topologies 24-50
Group Encryption Policy page (GET VPN) 24-50
group members
adding 28-19
communication flow 28-2
configuring fail-close mode 28-8
editing 28-21
GET VPN
registration process 28-4
security policy ACLs 28-10
group members (GET VPN)
configuring 28-20
Group Members page (GET VPN) 28-20
group policies
configuring 30-21
creating 30-23
understanding 30-22
VPNs
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
Group Policies page 30-21
groups
adding or removing devices 3-60
creating 3-60
deleting 3-60
understanding 3-57
working with 3-57
group types
creating 3-59
deleting 3-60
GTP map objects
Add Country Network Codes dialog box 17-42
Edit Country Network Codes dialog box 17-42
GTP Map Timeouts dialog box 17-43
GTP policy map objects
creating 17-21
match conditions and actions 17-43
properties 17-40
H
H.323 class map objects
IOS
creating 21-15
match criteria 21-21
match criteria 17-48
H.323 policy map objects
ASA/PIX/FWSM
creating 17-21
properties 17-45
IOS
creating 21-15
match conditions and actions 21-34
match conditions and actions 17-48
hash algorithms
in IKE proposals 25-6
MD5 25-7
SHA 25-6
Health & Performance Monitor command 1-36
Health and Performance Monitor
see HPM 68-1
help
accessing 1-49
Help About This Page command 1-36
helper addresses 59-14
Help menu
Configuration Manager 1-36
Help Topics command 1-36
Hide Navigation Window command 1-32
high availability (HA groups)
configuring in Easy VPN 27-2
configuring in site-to-site VPN 24-48
stateful/stateless failover 24-50
high availability policies
configuring in remote access VPNs 32-11
Histogram dialog box 40-13
histograms
configuring anomaly detection 40-11
understanding anomaly detection 40-9
Hit Count Details
example 16-35
Hit Count Details page 16-33
Hit Count Selection Summary Dialog Box 16-18
Hostname
PIX/ASA/FWSM 50-1
hostnames
Cisco IOS routers
defining 60-77
Hostname Policy page 60-78
overview 60-77
HPM
access control 68-3
Alerts
firewall 68-32
IPS 68-31
VPN 68-34
VPN, SNMP configuration 68-35
alerts 68-27
acknowledging 68-37
clearing 68-37
configuring 68-30
history 68-38
viewing 68-36
application window 68-6
Alerts display 68-28
Monitoring display 68-22
columns
Alert table 68-14
Device-related 68-8
showing/hiding 68-7
sorting 68-7
VPN-related 68-11
configuring for 68-4
custom views 68-21
device
monitoring 68-18
monitoring multiple contexts 68-3
priority monitoring 68-27
views 68-18
Device Manager
launching 68-2, 68-24
device manager
cross-launch 68-27
devices
managing 68-5
email notifications
configuring 68-30
export data 68-26
filters
column based 68-15
introduction 68-1
launching 68-4
List Filter 68-17
monitoring
device details 68-25
device status list 68-24
RA and S2S views 68-26
Summary 68-24
VPN details 68-25
VPN Summary list 68-24
overview 68-1
read time-out 2-3, 68-4
Remote Access
log-off user 68-26
settings page 11-26
tables
showing/hiding columns 68-7
sorting columns 68-7
trending 68-2
views
closing 68-20
custom 68-21
docking 68-21
floating 68-21
list 68-18
opening 68-20
tiling 68-20
HTML file
export HPM data as 68-26
HTTP
Cisco IOS routers
AAA tab 60-32
Command Authorization Override dialog box 60-34
defining policies 60-29
HTTP Policy page 60-31
overview 60-28
Setup tab 60-31
PIX/ASA/FWSM 48-2
configuration 48-2
HTTP (ASA, PIX) class map objects
creating 17-21
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 17-21
properties 17-50
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 17-21
properties 17-58
HTTP (IOS) class map objects
creating 21-15
creating for zone-based firewall content filtering 21-35
match criteria 21-21
HTTP (Zone Based IOS) policy map objects
creating 21-15, 21-35
match conditions and actions 21-34
HTTP class map objects
match criteria 17-59
HTTP-FORM
settings in AAA server objects 6-41
HTTP policy
overriding HTTPS port number 3-46
sharing
HTTPS port number 3-46
HTTP policy map objects
match conditions and actions 17-59
HTTP proxy server
configuring for IPS global correlation 35-23
HTTP Response Code 500 deployment errors 9-15
HTTPS
setting up 2-3
troubleshooting certificate errors 9-4
hub-and-spoke topology
description 24-2
joined hub-and-spoke topology 24-5
tiered hub-and-spoke topologies 24-5
I
ICMP rules
PIX/ASA/FWSM 48-3
add/edit 48-4
ICMP settings
configuring on IOS routers 59-18
icons
Configuration Manager toolbar reference 1-36
event table toolbar reference 66-14
Event Viewer status color code 66-28
map elements 34-14
ICQ class map objects
creating 21-15
match criteria 21-20
identity-aware firewall policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15, 14-8, 14-10
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-27, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Identity Configuration wizard
Active Directory Agent Settings 13-13
Active Directory Settings 13-11
Preview 13-15
Identity Settings page 11-27
identity user group objects
creating 13-19
selecting 13-21
user identity acquisition 13-2
idle timeout, Security Manager client 11-6
IDM
device manager 69-5
IDSM
adding when using non-default HTTPS (SSL) port 3-7
Create and Edit IDSM Data Port VLANs dialog boxes 65-50
Create and Edit IDSM EtherChannel VLANs dialog boxes 65-49
credentials 3-18
defining Data Port VLANs 65-46
defining EtherChannel VLANs 65-45
deleting Data Port VLANs 65-48
deleting EtherChannel VLANs 65-46
deployment failures when changing data port VLAN running mode 9-16
IDSM Settings page 65-48
IDSM Slot-Port Selector dialog box 65-51
mode support limitations 65-44
troubleshooting deployment 9-15
understanding settings on Catalyst devices 65-44
IGMP
PIX/ASA/FWSM
Access Group parameters 53-5
Access Group tab 53-5
enable 53-1
Join Group parameters 53-7
Join Group tab 53-7
page 53-2
parameters 53-4
Protocol tab 53-3
Static Group parameters 53-6
Static Group tab 53-6
ignore error message, configure Security Manager to 9-10
IKE (Internet Key Exchange)
comparing version 1 and 2 25-4
configuring IKE and IPsec policies 25-1
configuring IKEv2 authentication 25-62
configuring proposal 25-9
Diffie-Hellman modulus groups 25-7
encryption algorithms 25-6
hash algorithms 25-6
IKEv2 Authentication policy 25-64, 25-66
overview 25-2
selecting the IKE version for devices in site to site VPNs 25-25
understanding 25-5
IKE keepalive
understanding 25-30
IKE proposal objects
v1 properties 25-10
v2 properties 25-13
IKE proposals (policies)
in GET VPNs 28-15
IKEv2 Authentication dialog box 25-66
IKEv2 Authentication page 25-64
IKEv2 settings
configuring 25-34
configuring cookie challenges 25-34
IM (ASA7.2+/PIX7.2+) policy map objects
creating 17-21
properties 17-64
IM (IOS) policy map objects
creating 17-21
properties 17-67
IM (Zone Based IOS) policy map objects
creating 21-15
match conditions and actions 21-34
IM (Zone based IOS) policy map objects
creating 21-15
Image Management 70-1
supported versions 70-2
Image Manager 70-7, 70-14
abort installation job 70-32
Add Image 70-9
Bootstrapping Devices 70-6
bundled images 70-28
bundles 70-11
create 70-11
delete 70-13
rename 70-13
view images 70-12
compatible images 70-15
configuring install location 70-17
device memory 70-16
devices 70-14
Getting Started 70-1
Installation Job Summary 70-31
installation wizard 70-24
installing compatible images on devices 70-28
installing images on selected devices 70-29
job approval workflow 70-34
jobs 70-30
RAM 70-15
Repository 70-7
retry on installation failure 70-33
roll back 70-33
settings 11-29
supported image types 70-3
supported platforms 70-2
Troubleshooting 70-35
update validation 70-21
updating images on devices 70-18
Using 70-1
Admin Settings 70-4
View All Images 70-8
view device information 70-14
view installation job details 70-31
Image Manager command 1-35
images
view 70-8
image updates 70-18
IMAP
configuring for inspection rules 17-19
IMAP class map objects
creating 21-15
match criteria 21-23
IM applications
match conditions for zone-based firewalls 21-20
protocol information for IM application inspection 21-32
IMAP policy map objects
creating 21-15
match conditions and actions 21-34
IM class map objects
creating 17-21
match criteria 17-65
IM policy map objects
match conditions and actions 17-65
import
device inventory 3-29
device with policies 10-13
policy objects 6-21
Import Background Image dialog box 34-13
Import Rules wizard
Enter Parameters page 16-38
Preview page 16-40
Status page 16-39
inheritance
inheriting rules 5-43
understanding 5-4
understanding signature policies 38-3
versus assignment 5-6
Inherit Rules command 1-30
Inherit Rules dialog box 5-43
Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
inspection
deny rules 17-5
global correlation (IPS)
configuring 41-5
inspection map objects
understanding 6-72
inspection rules
ACL naming conventions 12-5
add/edit rule wizard 17-10, 17-12, 17-16
choosing interfaces 17-2
configuring 17-5
configuring custom protocol name 17-20
configuring DNS settings 17-18
configuring ESMTP settings 17-18
configuring fragment inspection 17-19
configuring identity aware 13-21
configuring in Map view 34-23
configuring RPC settings 17-20
configuring security group aware 14-13
configuring settings for IOS devices 17-88
configuring settings in Map view 34-24
configuring SMTP settings 17-18
deep inspection options
IMAP 17-19
POP3 17-19
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
Inspection Rules page 17-7
managing 17-1
moving 12-19
preserving ACL names 12-4
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3, 17-16
understanding 17-1
understanding access rule requirements 17-4
understanding NAT effects 12-3
understanding processing order 12-2
Inspection Rules page 17-7
Inspection settings page 17-88
inspect maps
policy maps
Add Country Network Codes dialog box 17-42
Edit Country Network Codes dialog box 17-42
Inspect parameter map objects
properties 21-29
Inspect Parameters map objects
creating 21-15, 21-35
installing
Security Manager client 1-11
Integrated Local Management Interface (ILMI) 59-49
Interactive Authentication Configuration dialog box 15-21
Interface Name Conflict dialog box 6-72
Interface Properties dialog box 34-19
Interface Role Contents dialog box 12-14
interface role objects
creating 6-68
defining subinterfaces 6-70
distinguishing from interfaces 6-70
handling conflicts between role and interface names 6-72
Interface Role dialog box 6-69
specifying during policy definition 6-70
understanding 6-67
use when a single interface name is allowed 6-71
interfaces
adding or changing modules 3-39
ASA
edit EtherChannel-assigned interface 45-11
EtherChannels 45-8, 45-12
LACP 45-11
ASA/FWSM
IPv6 45-29
IPv6, add/edit 45-33
IPv6, add/edit prefixes 45-34
ASA 5505 45-6
ASA devices
Advanced tab 45-27
IP Type 45-36
Catalyst switches and 7600 Series routers
Access Port Selector dialog box 65-30
Create and Edit Interface dialog boxes-Access Port mode 65-9
Create and Edit Interface dialog boxes-Dynamic Port mode 65-18
Create and Edit Interface dialog boxes-Other mode 65-24
Create and Edit Interface dialog boxes-Routed Port mode 65-12
Create and Edit Interface dialog boxes-subinterfaces 65-22
Create and Edit Interface dialog boxes-Trunk Port mode 65-14
Create and Edit VLAN dialog boxes 65-28
Create and Edit VLAN Group dialog boxes 65-34
defining ports 65-5
deleting ports 65-7
generating names 65-6
Interfaces/VLANs page-Interfaces tab 65-7
Interfaces/VLANs page-Summary tab 65-3
Interfaces/VLANs page-VLAN Groups tab 65-33
Interfaces/VLANs page-VLANs tab 65-27
Service Module Slot Selector dialog box 65-35
Trunk Port Selector dialog box 65-31
understanding 65-5
VLAN Selector dialog box 65-36
Cisco IOS routers
Advanced Interface Settings dialog box 59-16
Advanced Interface Settings page 59-15
available types 59-2
Create Router Interface dialog box 59-8
defining advanced settings 59-13
defining basic settings 59-3
defining CEF interface settings 59-24
defining IPS module settings 59-22
deleting from 59-6
generating names 59-4
Interface Auto Name Generator dialog box 59-12
overview 59-1
Router Interfaces page 59-7
understanding helper addresses 59-14
configuring IOS IPS rules 44-8
configuring multiple contexts 57-2
distinguishing from interface roles 6-70
failover
MAC address 49-22
PIX/ASA/FWSM 49-23
PIX 6.3 49-11
IPS
configuring 36-6
configuring bypass mode 36-12
configuring CDP mode 36-12
configuring inline interface pairs 36-13
configuring inline VLAN pairs 36-14
configuring physical 36-9
configuring VLAN groups 36-15
deploying VLAN groups 36-5
inline interface mode 36-3
inline VLAN pair mode 36-3
interfaces policy 36-6
managing interface configurations 36-1
physical interface properties 36-10
promiscuous mode 36-2
roles 36-1
sensing modes overview 36-2
understanding 36-1
viewing summary 36-8
VLAN group mode 36-4
IP Type
PIX 6.3 45-18
PIX/ASA
allocation in security contexts 57-8
IP Type 45-36
PPPoE Users 45-44
redundant 45-7
subinterfaces 45-7
VPDN groups 45-45
PIX/ASA/FWSM
add/edit 45-19
Advanced settings 45-42
configuring 45-2
contexts 45-5
DDNS update rules 51-18
enabling traffic between same security levels 45-43
General tab 45-20
manage 45-14
management access 48-5
understanding 45-3
PIX/ASA 7+ devices
MAC address 45-38
PIX 6.3
add/edit 45-15
routed and transparent 45-4
specifying during policy definition 6-70
specifying subinterfaces 6-70
throughput delay 59-18
Interface Selector dialog box (VLAN ACL Content) 65-43
Interfaces page (IPS) 36-6
Interface Specific Authentication Server Groups dialog box 30-13
Interface Specific Client Address Pools dialog box 30-10
inventory
deleting devices from 3-55
export devices
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-9
using command line utility 10-10
import devices
device with policies 10-13
inventory, device
adding devices 3-6
adding devices from configuration files 3-20
adding devices from inventory file 3-29
adding devices from network 3-11
adding devices manually 3-25
device status view
working with 3-61
managing 3-1
testing device connectivity 9-1
troubleshooting device discovery failures 3-7
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
viewing inventory status 69-1
working with 3-34
Inventory Status command 1-33
Inventory Status window 69-2
Inverse ARP 59-60
inverse multiplexing over ATM (IMA) 59-39
IOS devices
configuring transparent firewall rules 22-1
remote access IPsec VPNs
creating using wizard 29-35
user group policies 32-13
remote access SSL VPNs
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
creating using wizard 29-31
remote access VPNs
configuring SSL VPN policies 32-14
Context Editor dialog box (IOS) 32-15, 32-16
Dynamic VTI/VRF Aware IPsec settings 32-7
high availability 32-11
IPsec proposals 32-4
SDM 69-5
IOS IPS
effect of load balancing 44-7
comparing to IPS appliances and service modules 35-1
configuration files 44-3
configuration overview 44-3
configuring 44-1
configuring general settings 44-7
configuring interface rules 44-8
configuring target value ratings 39-15
event actions
filter rule attributes 39-9
filter rules 39-4, 39-7
filter rules tips 39-6
network information 39-14
overrides 39-13
overview 39-1
possible actions 39-2
process overview 39-1
settings 39-21
getting started 35-1
initial preparation of router 44-5
lightweight signature engines 44-2
limitations and restrictions 44-3
selecting signature category 44-6
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
inheritance 38-3
parameters list 38-21
policy 38-4
shortcut menu 38-7
understanding 38-1
viewing update level 38-9
understanding 44-1
understanding subsystems and revisions 44-2
IOS Software Release 12.1 and 12.2
managing routers 58-2
IOS Web Filter Exclusive Domain Name dialog box 18-14
IOS Web Filter Rule and Applet Scanner dialog box 18-13
IP address
supporting dynamic 3-35
IP addresses
network masks 6-75
specifying in policies 6-81
IP Options policy map objects
creating 17-21
properties 17-68
IPS
IPS Module router interface settings policies 59-22
MPC rule wizard
tab 56-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 56-5
IPS alerts
properties 66-16
IPS Certificates dialog box 43-10
IPS command 1-32
IPS Devices
selecting for Event Viewer 66-31
IPS devices
adding SSL thumbprints manually 9-4
allowed hosts 35-7
anomaly detection
configuring 40-6
configuring histograms 40-11
configuring learning accept mode 40-8
configuring signatures 40-4
configuring thresholds 40-11
detection zones 40-3
managing 40-1
modes 40-2
understanding 40-1
understanding histograms 40-9
understanding thresholds 40-9
understanding worms 40-2
when to turn off 40-4
blocking
configuring 42-7
configuring ARC 42-1
configuring blocking devices 42-14
configuring master blocking sensors 42-13
configuring never block hosts and networks 42-17
configuring router blocking interfaces 42-15
configuring user profiles 42-12
configuring VLAN blocking interfaces 42-16
general options 42-10
master blocking sensor 42-6
policy 42-8
rate limiting 42-4
router and switch blocking devices 42-4
strategies 42-3
understanding 42-1
capturing network traffic 35-2
certificates 43-10
changing those selected for reports 67-21
configuration overview 35-5
configuration overview for IOS IPS 44-3
configuring AAA 35-19
configuring Analysis Engine global variables 35-26
configuring DNS servers 35-22
configuring for event management 66-26
configuring for report management 67-3
configuring HTTP proxy server 35-23
configuring NTP 35-21
configuring OS maps 39-18
configuring SNMP 35-8
configuring target value ratings 39-15
configuring the external product interface 35-23
configuring user accounts 35-16
credentials, IPS router modules 3-19
deployment of passwords 35-15
deployment topology 35-4
discovery of passwords 35-15
event actions
example filter rule 66-58
filter rule attributes 39-9
filter rules 39-4, 39-7
filter rules tips 39-6
network information 39-14
overrides 39-13
overview 39-1
possible actions 39-2
process overview 39-1
settings 39-21
Event Viewer support 66-4
getting started 35-1
global correlation
configuring 41-1
configuring inspection and reputation 41-5
configuring network participation 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-1
understanding network participation 41-3
understanding reputation 41-2
initializing 2-12
interfaces
configuring 36-6
configuring bypass mode 36-12
configuring CDP mode 36-12
configuring inline interface pairs 36-13
configuring inline VLAN pairs 36-14
configuring physical 36-9
configuring VLAN groups 36-15
deploying VLAN groups 36-5
inline interface mode 36-3
inline VLAN pair mode 36-3
interfaces policy 36-6
managing interface configurations 36-1
physical interface properties 36-10
promiscuous mode 36-2
roles 36-1
sensing modes overview 36-2
understanding 36-1
viewing summary 36-8
VLAN group mode 36-4
IPS modules for ASA 56-14
license, exporting 11-43
licenses
automating 43-3
managing 43-1
redeploying 43-2
updating 43-1
looking up signature policies for CS-MARS events 69-31
looking up signature policies for Event Viewer events 66-48
managing 43-1
managing user accounts and passwords 35-13
monitoring
removing false positive IPS events 66-58
passive OS fingerprinting 39-17
password requirements 35-18
policy discovery 5-13
rebooting 43-11
Report Manager reports
general VPN reports 67-17
IPS top reports 67-16
rollback restrictions 8-62
showing containment 3-53
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
configuring settings 38-27
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
inheritance 38-3
parameters list 38-21
policy 38-4
shortcut menu 38-7
understanding 38-1
viewing update level 38-9
SSL certificate configuration 11-18
traffic flow notifications 35-26
tuning recommendations 35-4
understanding managed and unmanaged passwords 35-14
understanding network sensing 35-1
understanding user roles 35-13
updates
automatically applying 43-6
checking for and downloading 43-5
configuring server 43-4
managing 43-4
manually applying 43-7
user account attributes 35-17
viewing signature events in CS-MARS 69-30
virtual sensors
advantages 37-3
assigning interfaces 37-4
attributes 37-7
configuring 37-1, 37-5
deleting 37-10
editing policies 37-9
identifying 37-5
inline TCP session tracking mode 37-3
Normalizer mode 37-4
renaming 37-8
restrictions 37-3
understanding 37-1
IPsec
remote access VPNs
access policies for IKEv2 (ASA), configuring 30-40
access policies for IKEv2 (ASA), reference 30-37
access policies for IKEv2 (ASA), understanding 30-36
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1) 30-29
cluster load balancing 30-4, 30-5
configuring IKE and IPsec policies 25-1
connection profiles 30-6
connection profiles (ASA, PIX 7+) 30-8
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
Dynamic VTI/VRF Aware IPsec settings 32-7
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
high availability policies 32-11
IKE proposals 25-9
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
NAT settings 25-38
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
understanding 29-2
understanding IKE 25-5
understanding NAT settings 25-37
user group policies 32-13
VPNSM, VPN SPA, VSPA settings 32-6
wizard 29-13
IPsec/GRE VPN
advantages of IPsec tunneling with GRE 26-3
configuring 26-5
configuring GRE modes 26-6
dynamically addressed spokes 26-5
implementation 26-3
overview 26-1, 26-2
prerequisites for successful configuration 26-3
supported platforms 24-9
understanding 26-2
IPSec Client Software Update dialog box 30-18
IPsec Pass Through policy map objects
creating 17-21
properties 17-74
IPsec Proposal Editor dialog box
ASA and PIX 7.0+ devices 30-33
IOS and PIX 6.3 devices 32-4
IPsec proposals
configuring for Easy VPN 27-10
configuring for remote access VPNs
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring in site-to-site VPNs 25-21
overview 25-2
remote access VPNs
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring for ASA and PIX 7.0+ devices 30-33
configuring for IOS and PIX 6.3 devices 32-3
selecting the IKE version for devices 25-25
understanding 25-17
understanding crypto maps 25-18
understanding site-to-site 25-18
understanding transform sets 25-19
using reverse route injection 25-20
IPsec technologies
defining 24-30
mandatory and optional policies 24-6
policies 24-5
supported platforms 24-9
supported platforms for remote access VPNs 29-8
understanding 24-5
IPSec transform set objects
attributes 25-25
understanding 25-19
IPSec VPN
zone-based firewalls 21-5
IPS event
definition of 39-1
IPS interfaces
IPS Monitoring Information dialog box 59-23
IPS module
credentials 3-19
IPS Module Discovery dialog box 3-19
IPS Module interface settings policies 59-22
IPS Rules dialog box 44-9
IPS sensor
IDM 69-5
IPS sensors
default transport protocol 11-18
IPS signatures
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
tuning 66-58
viewing related CS-MARS events 69-30
IPS tab, Licensing page 11-42
IPS Updates page 11-31
IP Type
interface configuration
ASA and PIX 7+ 45-36
PIX 6.3 45-18
IPv4 pool objects
attributes 6-83
IPv6
interfaces
add/edit 45-33
add/edit prefixes 45-34
ASA/FWSM 45-29
management IPv4 address requirements 1-7
Neighbor cache 46-6
specifying addresses in policies 6-81
support in Security Manager 1-7
IPv6 access rules
ACL naming conventions 12-5
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
expiration dates 16-19
identity-aware rules
requirements 13-3
moving 12-19
preserving ACL names 12-4
sharing ACLs among interfaces 11-14
understanding global 16-3
understanding processing order 12-2
IPv6 policy map objects
match conditions and actions 17-71
properties 17-70
IPv6 pool objects
attributes 6-84
IPv6 static routes
PIX/ASA/FWSM
configuration 54-50
ISAKMP/IPsec settings
configuring 25-30
ISE Settings page 11-40
ISR
zone-based firewall
restrictions 21-3
J
job deployment methods
understanding 8-8
jobs
aborting 8-51
approving 8-39
creating and editing deployment in non-Workflow mode 8-29
creating and editing deployment in Workflow mode 8-36
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
rejecting 8-39
states
Workflow mode 8-6
submitting 8-39
joined hub-and-spoke topology 24-5
Join Group tab (IGMP) 53-7
JumpStart 1-22
Jumpstart command 1-36
K
Kazaa2 class map objects
creating 21-15
match criteria 21-20
Kerberos
configuring constrained delegation (KCD) 30-58
description 6-26
settings in AAA server objects 6-36
understanding constrained delegation (KCD) 30-56
key encryption key (KEK), GET VPN 28-4
key servers
adding 28-19
choosing the rekey transport mechanism 28-6
communication flow 28-2
cooperative, for redundancy 28-7
editing 28-19
generating, synchronizing RSA keys 28-13
registration failures 28-8
registration process 28-4
security policy ACLs 28-10
key servers (GET VPN)
configuring 28-18
Key Servers page (GET VPN) 28-18
Key Servers Selection dialog box 28-21
knowledge base structure (IPS) 40-8
L
LACP
interface assigned to an EtherChannel 45-11
large scale Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 24-6
Launch menu 1-35
Report Manager 67-8
LDAP
settings in AAA server objects 6-37
LDAP Attribute Map objects
attributes 6-43
learning accept mode (IPS), configuring 40-8
licenses
configuring for ASA devices 2-11
configuring for IOS devices 2-12
exporting IPS 11-43
IPS
automating 43-3
managing 43-1
redeploying 43-2
updating 43-1
Security Manager 10-16
License Update Status Details dialog box 11-44
licensing
Settings page 11-41
Lightweight Directory Access Protocol (LDAP)
description 6-26
lightweight signature engines 44-2
line access
Cisco IOS routers
Console Policy page 60-42
overview 60-35
VTY Policy page 60-50
Link Aggregation Control Protocol 45-11
Link Properties dialog box 34-20
load balancing
configuring in large scale DMVPN 26-16, 26-17
configuring IOS IPS deny actions 44-7
server attributes in large scale DMVPN 26-17
Local Policy Will Be Replaced dialog box 5-41
Local Web Filter class map objects
creating 21-35
match criteria 21-28
Local Web Filter parameter map objects
creating 21-35
properties 21-37
locking
activities 4-3
devices and policies 5-9
objects 5-10
understanding 5-7
VPN topologies 5-9
Log Buffer window 69-7
logging
Cisco IOS routers
defining NetFlow interfaces 62-15
defining NetFlow parameters 62-6
defining syslog servers 62-3
Logging Setup Policy page 62-7
NetFlow policy page 62-12
overview 62-1
Syslog Server dialog box 62-11
Syslog Servers Policy page 62-10
syslog setup parameters 62-1
syslog severity levels 62-4
PIX/ASA/FWSM 52-1
email notifications 52-3
email recipients 52-3
event lists 52-4
event lists, add/edit 52-5
filters 52-7
filters, editing 52-8
levels 52-18
logging setup 52-9
message classes and IDs 52-4
message editing 52-19
message limits 52-13
message limits, add/edit 52-13
NetFlow 52-1
NetFlow, add/edit collector 52-2
rate limit levels 52-12
rate limits, add/edit 52-14
server 52-16
server setup 52-15
set-up 52-10
syslog class 52-6
syslog message ID 52-6
syslog servers 52-20, 52-21
syslog servers, add/edit 52-22
syslog messages supported for CS-MARS queries 69-32
logging in to
Cisco Security Management Suite server 1-10
CiscoWorks Common Services 1-10
Security Manager 1-9, 1-11
Logging page, IPS platform 35-26
logs
configuring audit log default settings 11-45
configuring debug levels 11-8
Logs page 11-45
loopback cells 59-50
low-latency queuing (LLQ) 63-5
M
MAC address
interface configuration
ASA and PIX 7+ 45-38
PIX/ASA/FWSM
add/edit 46-8
interface 49-22
learning 46-8
learning, enable/disable 46-9
table 46-7
MAC address pool objects
attributes 6-85
MAC exempt lists
configuring 15-7, 15-23
rule attributes 15-24
Maintenance Operation Protocol (MOP), enabling 59-19
Management Access
PIX/ASA/FWSM
interface 48-5
management address
requirements for IPv6 devices 1-7
Management Center for Cisco Security Agents
configuring connection to IPS devices 35-23
connection attributes 35-24
posture ACLs 35-26
Management IP address
PIX/ASA/FWSM 46-10
Management IPv6
ASA 5505 46-10
Manage menu 1-32
Map menu 1-31
map objects
class maps
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
parameter maps
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
Inspect properties 21-29
Local Web Filter properties 21-37
N2H2 properties 21-38
Protocol Info properties 21-32
Trend properties 21-41
URLF Glob properties 21-44
URL Filter properties 21-42
Websense properties 21-38
policy maps
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
DCE/RPC properties 17-27
DNS properties 17-28
ESMTP properties 17-34
FTP properties 17-37
GTP properties 17-40
H.323 (ASA/PIX/FWSM) properties 17-45
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties 17-50
HTTP (ASA7.2+/PIX7.2+) properties 17-58
IM (ASA7.2+/PIX7.2+) properties 17-64
IM (IOS) properties 17-67
IP Options properties 17-68
IPsec Pass Through properties 17-74
IPv6 properties 17-70
NetBIOS properties 17-75
regular expression group properties 17-85
regular expression properties 17-86
SIP (ASA/PIX/FWSM) properties 17-77
Skinny properties 17-81
SNMP properties 17-84
TCP Map properties 56-20
Web Filter properties 21-46
regular expression objects
metacharacters 17-87
understanding 6-72
Map Properties command 1-31
Map Rule dialog box
connection profile map matching rules 30-32
connection profile maps 30-31
maps
access permissions 34-8
adding existing managed devices 34-16
adding new managed devices 34-16
arranging elements 34-11
background color 34-13
background images
deleting 34-13
importing 34-13
scale and position 34-13
setting 34-13
centering elements 34-11
changing the zoom level 34-11
class maps
Class Map dialog box 17-26, 21-17
creating 34-9
default map 34-9
deleting 34-10
displaying devices from Device View 34-16
displaying managed devices 34-16
displaying your network 34-14
elements, understanding 34-14
excluding private and reserved networks 11-2
exporting 34-11
icons 34-14
layer 3 links
autolink settings 11-2
creating 34-19
deleting 34-19
layouts, using 34-11
linking maps 34-13
navigation window 34-4
objects
adding 34-17
deleting 34-17
opening 34-10
overview 34-1
panning 34-11
refreshing 34-1
removing managed devices 34-16
renaming 34-10
saving 34-10
searching for nodes 34-12
selecting elements 34-12
setting background 34-13
showing containment for Catalyst, ASA, PIX, IPS devices 34-16
understanding 34-1
undocking window 34-2
working with 34-8
Map Settings dialog box 34-13
Map View
cloning devices 34-22
configuring firewall policies 34-23
configuring firewall settings policies 34-23
context menu
Layer 3 link 34-7
managed device node 34-5
map background 34-7
map objects 34-7
selected nodes 34-6
VPN connection 34-6
device policies, managing 34-22
discovering device configurations 34-22
icons for elements 34-14
main page 34-2
menus, context 34-5
navigation window 34-4
performing basic policy management 34-22
previewing device configurations 34-22
sharing device policies 34-22
toolbar reference 34-4
VPNs
creating 34-21
displaying existing 34-21
editing or showing peers 34-22
editing policies 34-22
managing 34-20
Map view
Autolink Settings page 11-2
copying between devices 34-22
overview 1-16, 34-1
Map View command 1-30
master blocking sensor 42-6
Master Blocking Sensor dialog box 42-13
maximum receive reconstructed unit (MRRU) 59-81
maximum segment size (MSS) 59-17
MBoundary
PIX/ASA/FWSM
configuration 53-9
interface configuration 53-10
MD5 hash algorithm 25-7
memory-allocation lite 60-80
memory settings
Cisco IOS routers
defining 60-78
overview 60-78
Memory Policy page 60-79
menu reference
Activities 1-34
Configuration Manager overview 1-27
Edit (Configuration Manager) 1-29
File (Configuration Manager) 1-28
File (Event Viewer) 66-8
File (Report Manager) 67-8
Help (Configuration Manager) 1-36
Launch 1-35
Launch (Report Manager) 67-8
Manage 1-32
Map 1-31
Policy (Configuration Manager) 1-30
Tickets 1-34
Tools (Configuration Manager) 1-33
Tools (Report Manager) 67-8
View (Configuration Manager) 1-30
View (Event Viewer) 66-9
message
editing
PIX/ASA/FWSM 52-19
PIX/ASA/FWSM
limits 52-13
limits, add/edit 52-13
rate limits, add/edit 52-14
message classes and IDs
PIX/ASA/FWSM 52-4
metacharacters
URLF Glob parameter maps 21-45
Modify Access List dialog box (Allowed Hosts policy) 35-7
Modify Physical Interface Map dialog box 36-10
monitoring
CS-MARS
integrating with Security Manager 69-21
device managers, using 69-4
device status 69-1
network activities 69-1
PRSM, launching 69-9
Move Row Down command 1-29
Move Row Up command 1-29
MPC
a.k.a. Modular Policy Framework 56-6
MRoute
PIX/ASA/FWSM
configuration 53-8
MRoute page
description 53-8
MSN Messenger class map objects
creating 21-15
match criteria 21-20
multicast
PIX/ASA/FWSM
Enable PIM and IGMP 53-1
IGMP Access Group parameters 53-5
IGMP Access Group tab 53-5
IGMP Join Group parameters 53-7
IGMP Join Group tab 53-7
IGMP parameters 53-4
IGMP Protocol tab 53-3
IGMP Static Group parameters 53-6
IGMP Static Group tab 53-6
MBoundary configuration 53-9
MBoundary interface configuration 53-10
MRoute configuration 53-8
Multicast Boundary Filter page 53-9
Multicast Group, add/edit 53-19
Multicast Group rule 53-17
PIM Bidirectional Neighbor Filter 53-14
PIM Bidirectional Neighbor Filter tab 53-13
PIM Neighbor Filter 53-13
PIM Neighbor Filter tab 53-12
PIM page 53-11
PIM Protocol dialog box 53-12
PIM Protocol tab 53-11
PIM Rendezvous Point, add/edit 53-16
PIM Rendezvous Points tab 53-15
PIM Request Filter tab 53-18
PIM Route Tree tab 53-17
Multicast Boundary Filter page
description 53-9
multicast rekey in GET VPN 28-6
multicast routing
PIX/ASA/FWSM
configuring on 53-1
IGMP 53-2
multicast boundary filters 53-9
multicast routes 53-8
PIM 53-11
Multiclass Multilink PPP (MCMP) 59-74
multilink PPP (MLP) 59-70
defining bundles 59-74
multiple users
activities 4-4
tickets 4-4
N
N2H2 (Smartfilter)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-35, 21-38, 21-40
N2H2 class map objects
creating 21-35
match criteria 21-29
N2H2 parameter map objects
creating 21-35
properties 21-38
NAC
posture validation not occurring 9-15
NAT
VPN traffic sent unencrypted 9-14
NAT policies
Add/Edit Per-Session NAT rules dialog boxes 23-46
NBAR
enabling protocol discovery 59-19
Neighbor cache 46-6
Neighbor Filter
PIM
PIX/ASA/FWSM 53-13
Neighbor Filter tab
PIM 53-12
NetBIOS logout probe
configuring 13-15, 14-8, 14-10
requirements 13-5
NetBIOS policy map objects
creating 17-21
properties 17-75
NetFlow
Cisco IOS routers 62-1, 62-5
interface settings 62-15
configuring
on Cisco IOS routers 62-6
CS-MARS query 69-33
IOS routers 62-12
PIX/ASA/FWSM 52-1
add/edit collector 52-2
network/host objects
attributes 6-77
attributes, NAT 23-41
creating 6-76
naming when provisioned as object groups 6-92
network masks 6-75
optimizing when deploying firewall rules 12-35
understanding 6-74
unspecified value objects 6-80
using in Event Viewer filters 66-59
network access device (NAD) 61-9
Network Address Translation (NAT)
Add/Edit Per-Session NAT rules dialog boxes 23-46
ASA 8.3+
Add/Edit NAT rules dialog boxes 23-35
Translation Rules page 23-32
understanding 23-3
ASA 8.3 devices 23-32
Cisco IOS routers 23-5
Dynamic Rule dialog box 23-11
dynamic rules 23-10
Interface Specification 23-6
Static Rule dialog box 23-7
static rules 23-6
Static Rules tab 23-6
timeouts 23-13
configuring global options for VPNs 25-38
non-ASA 8.3 devices 23-17
No Proxy ARP 23-38, 23-44
PAT pool 23-40
Per-session NAT rules 23-45
PIX/ASA/FWSM
Address Pool dialog box 23-17
Address Pools page 23-17
Advanced NAT Options dialog box 23-28
configuring on 23-15
configuring translation rules 23-18
Dynamic Rules dialog box 23-21
Dynamic Rules tab 23-21
General tab 23-30
non ASA 8.3 23-17
Policy Dynamic Rules dialog box 23-24
Policy Dynamic Rules tab 23-23
Select Address Pool 23-22
Static Rules dialog box 23-26
Static Rules tab 23-25
Translation Exemptions (NAT 0 ACL) dialog box 23-20
Translation Exemptions (NAT 0 ACL) tab 23-19
Translation Options page 23-15
Translation Rules page 23-18
translation types 23-3
transparent mode 23-15
understanding 23-2
round robin allocation 23-40
understanding NAT effects on firewall rules 12-3
understanding NAT settings for VPNs 25-37
understanding NAT traversal 25-38
Network Admission Control (NAC)
Cisco Trust Agent 61-9
components 61-9
defining identity parameters 61-13
defining interface parameters 61-11
defining setup parameters 61-10
Identities tab 61-18
Identity Action dialog box 61-19
Identity Profile dialog box 61-19
Interface Configuration dialog box 61-17
Interfaces tab 61-16
NAC Policy page 61-14
network access device (NAD) 61-9
on Cisco IOS routers 61-8
Setup tab 61-14
supported platforms 61-8
understanding system flow 61-9
Network Information page (IPS) 39-14
network masks
discontiguous 6-75
discovering 6-76
displaying 6-76
understanding 6-75
network participation, IPS
configuring 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-3
understanding global correlation 41-1
understanding reputation 41-2
network sensing
capturing network traffic 35-2
deployment topology 35-4
overview 35-1
tuning recommendations 35-4
Network Time Protocol (NTP)
Cisco IOS routers
creating NTP servers 60-97
NTP Policy page 60-98
NTP Server dialog box 60-99
overview 60-96
Never Block Host dialog box 42-17
Never Block Network dialog box 42-17
New Activity command 1-34
New Device command 1-28
New Device Groups command 1-29
New Device wizard
Choose Method page 3-6
Device Grouping page 3-48
Device Information page - Add Device from File 3-31
Device Information page - Configuration File 3-22
Device Information page - Network 3-13
Device Information page - New Device 3-26
New Map command 1-31
New or Edit CS-MARS Device dialog box 11-5
New Ticket command 1-34
NHRP
DMVPN spoke-to-spoke connections 26-11
Node Properties dialog box 34-18
non-Workflow mode
changing modes 1-26
comparing with Workflow mode 1-20
configuration files
deploying 8-29
previewing 8-45
configurations
rolling back 8-65
creating tickets 4-14
deployment 8-3
deployment jobs
aborting 8-51
Deployment Status Details dialog box 8-33
opening tickets 4-15
taking over another user session 10-23
understanding 1-20
viewing
device details 8-27
No Proxy ARP
NAT rule 23-38, 23-44
PIX/ASA/FWSM Platform 54-1
notifications, e-mail
configuring SMTP server 1-25
NS Lookup 69-14, 69-17
NT
settings in AAA server objects 6-40
NTP
PIX/ASA/FWSM 51-19
server configuration 51-20
NTP policy, IPS platform 35-21
NTP server
configuring for IPS devices 35-21
O
object groups
policy discovery 5-14
object group search
ASA 8.3+ devices 16-22
PIX 6.3 devices 16-24
objects
AAA server
HTTP-FORM settings 6-41
Kerberos settings 6-36
LDAP settings 6-37
NT settings 6-40
RADIUS settings 6-32
SDI settings 6-40
TACACS+ settings 6-35
AAA server groups
attributes 6-46
creating 6-45
default server groups on IOS devices 6-28
predefined authentication groups 6-28
understanding 6-24
AAA servers
creating 6-29
supported additional types for ASA/PIX/FWSM 6-26
supported types 6-25
understanding 6-24
access control lists
creating 6-49
extended objects 6-50
standard objects 6-51
unified objects 6-54
web objects 6-52
ASA group policies
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
basic procedures 6-9
categories, using 6-12
changes in Security Manager 4.4 1-9
Cisco Secure Desktop configuration
creating 32-18
class map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
cloning (duplicating) 6-13
configuring for remote access VPN 33-1
creating 6-9
credentials
attributes 27-9
DCE/RPC policy map
properties 17-27
deleting 6-16
DNS policy map
properties 17-28
editing 6-12
ESMTP policy map
properties 17-34
exporting 6-21
file objects
attributes 33-25
selecting 33-27
FlexConfig
creating text objects 7-31
properties 7-29
property selector 7-33
undefined variables 7-32
FlexConfigs
adding to policies 7-34
changing order in policies 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
creating 7-27
previewing CLI 7-34
removing from policies 7-34
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-37
generating usage reports 6-14
GTP policy map
properties 17-40
H.323 (ASA/PIX/FWSM) policy map
properties 17-45
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-50
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-58
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 25-10
v2 properties 25-13
IM (ASA7.2+/PIX7.2+) policy map
properties 17-64
IM (IOS) policy map
properties 17-67
importing 6-21
Inspect parameter map
properties 21-29
interface roles
creating 6-68
IP Options policy map
properties 17-68
IPsec Pass Through policy map
properties 17-74
IPSec transform sets
attributes 25-25
understanding 25-19
IPv6 policy map
properties 17-70
LDAP attribute map objects
attributes 6-43
Local Web Filter parameter map
properties 21-37
locking
effects on activities 4-3
managing 6-1
maps
understanding 6-72
N2H2 parameter map
properties 21-38
NetBIOS policy map
properties 17-75
network/host
optimizing when deploying firewall rules 12-35
understanding 6-74
using in Event Viewer filters 66-59
network/host objects
naming when provisioned as object groups 6-92
networks/hosts
creating 6-76
unspecified value objects 6-80
object selectors 6-2
overrides
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-18
deleting 6-21
managing 6-17
understanding 6-17
overview 1-18
parameter map
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
PKI enrollments
defining CA server properties 25-55
defining certificate attributes 25-61
defining enrollment parameters 25-59
defining trusted CA hierarchy 25-62
properties 25-54
policy map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
port forwarding lists
properties 33-28
port list objects
naming when provisioned as object groups 6-92
port lists
creating 6-86
properties 6-87
Protocol Info parameter map
properties 21-32
provisioning as object groups 6-91
regular expression group policy map
properties 17-85
regular expression objects
metacharacters 17-87
regular expression policy map
properties 17-86
security group
creating 14-12
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-92
provisioning as object groups 6-92
services
creating 6-86
single sign-on server
properties 33-30
SIP (ASA/PIX/FWSM) policy map
properties 17-77
Skinny policy map
properties 17-81
SLA monitors
attributes 50-9
configuring 50-8
understanding 50-7
SNMP policy map
properties 17-84
SSL VPN Bookmark
configuring 30-70
post URL method and macro substitutions 30-72
SSL VPN Customization
configuring 30-66
creating custom Logon page 30-70
localizing 30-68
SSL VPN gateway
properties 33-50
SSL VPN smart tunnel auto sign-on list
attributes 33-55
SSL VPN smart tunnel list
attributes 33-52
configuring 30-73
TCP Map policy map
properties 56-20
text
creating 7-31
time ranges
attributes for recurring ranges 6-67
configuring 6-66
traffic flow
default inspection traffic 56-18
properties 56-16
Trend parameter map
properties 21-41
TrustSec security group
selecting 14-13
URLF Glob parameter map
properties 21-44
URLF Glob parameter maps
metacharacters 21-45
URL Filter parameter map
properties 21-42
user groups
advanced PIX 6.3 settings 33-66
browser proxy settings 33-72
clientless settings 33-67
client VPN software update (IOS) settings 33-65
DNS/WINS settings 33-61
general settings 33-60
IOS client settings 33-63
IOS Xauth settings 33-64
split tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN connection settings 33-73
SSL VPN full tunnel settings 33-69
SSL VPN split tunneling settings 33-70
technology settings 33-58
thin client settings 33-68
using global search to find specific objects 1-39
viewing details 6-14
Web Filter policy map
properties 21-46
Websense parameter map
properties 21-38
WINS server lists
attributes 33-74
creating 30-76
object selectors 6-2
Object Usage dialog box 6-14
Obsoletes dialog box 38-26
OOB (Out of Band) Changes dialog box 8-48
OOB (out of band changes)
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
Openable Activities dialog box 4-15
Openable Tickets dialog box 4-15
Open Activity command 1-34
Open command (Report Manager) 67-8
Open Map command 1-31
Open Map dialog box 34-10
Open Ticket command 1-34
OS Identifications tab, IPS Network Information policy 39-18
OS Map dialog box 39-20
OSPF
interaction with NAT 54-2
LSAs 54-2
OSPF interfaces
blocking LSA flooding 64-27
defining on Cisco IOS routers 64-25
disabling MTU mismatch detection 64-27
Interface dialog box 64-31
OSPF Interface Policy page 64-30
understanding
authentication 64-29
cost 64-26
network types 64-29
priority 64-26
timer settings 64-28
OSPF parameters
dead interval 54-21, 54-36
hello interval 54-21
retransmit interval 54-21, 54-36
transmit delay 54-21, 54-37
OSPF redistribution
defining mappings 64-22
defining maximum prefix values 64-23
understanding 64-22
OSPF routing
Cisco IOS routers
Area dialog box 64-37
Area tab 64-36
defining area settings 64-21
defining interface settings 64-25
defining setup parameters 64-20
Edit Interfaces dialog box 64-36
Max Prefix Mapping dialog box 64-41
OSPF Process Policy page 64-34
overview 64-19
redistributing routes 64-22
Redistribution Mapping dialog box 64-39
Redistribution tab 64-38
Setup dialog box 64-35
Setup tab 64-35
PIX/ASA/FWSM
advanced settings 54-4
Area/Area networks 54-7
Area Range 54-9
Area tab 54-6
Filtering configuration 54-16
Filtering tab 54-15
General tab 54-3
Interface configuration 54-20
Interface tab 54-18
Neighbors tab 54-10
policy 54-2
Range tab 54-8
Redistribution rule 54-11
Redistribution tab 54-11
static neighbor 54-10
Summary Address configuration 54-18
Summary Address tab 54-17
Virtual Link configuration 54-13
Virtual Link MD5 configuration 54-15
Virtual Link tab 54-13
OSPFv3
LSAs 54-22
OSPFv3 routing
PIX/ASA/FWSM
advanced settings 54-25
Area/Area networks 54-29
Area Range 54-30
Area tab 54-28
Interface configuration 54-35
Interface tab 54-34
policy 54-22
Process tab 54-24
Redistribution rule 54-32
static neighbor 54-38
Summary Prefix configuration 54-34
Virtual Link configuration 54-31
OS version mismatches
handling 8-13
other settings
configuring for SSL VPN (ASA) 30-41
out-of-band changes
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
overrides
allowing overrides 6-18
creating for multiple devices 6-19
creating for single device 6-18
deleting 6-21
managing 6-17
understanding 6-17
overview
activities 1-18
device monitoring 1-6
IPv6 support 1-7
policies 1-18
ticketing 1-18
user permissions 1-10
workflow 1-18
P
P2P applications
match conditions for zone-based firewalls 21-20
P2P policy map objects
creating 21-15
match conditions and actions 21-34
packageMonitorInterval 43-6
packet capture 69-18
Packet Capture Wizard command 1-33
packet tracer 69-12
Pair dialog box 44-10
PAM
zone-based firewall
configuring 21-65
parameter maps
understanding 6-72
partial_backup.pl command 10-29
partial mesh topologies 24-5
participation, network
configuring 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-3
understanding global correlation 41-1
understanding reputation 41-2
passive OS fingerprinting on IPS sensors
configuring 39-18
understanding 39-17
Password Requirements policy, IPS platform 35-18
passwords
admin, changing 10-23
configuring IPS requirements 35-18
configuring IPS user account 35-16
discovery and deployment of IPS 35-15
managing IPS requirements 35-13
understanding managed and unmanaged IPS passwords 35-14
Paste command 1-29, 12-9
PAT
pools 23-40
PDF file
export HPM data as 68-26
PDM
device manager 69-5
Peers page 24-33
performance settings
configuring for SSL VPN (ASA) 30-42
performance tuning 43-6
permanent virtual connections (PVC)
Define Mapping dialog box 59-64
PVC Advanced Settings dialog box 59-65
PVC dialog box 59-55
PVC Policy page 59-54
permanent virtual connections (PVCs)
defining ATM PVCs 59-50
defining OAM management 59-53
on Cisco IOS routers 59-46
understanding
ATM management protocols 59-48
ATM service classes 59-47
ILMI 59-49
Operation, Administration, and Maintenance (OAM) 59-50
virtual paths and channels 59-46
per-session NAT rules 23-45
Add/Edit Per-Session NAT rules dialog boxes 23-46
PIM
configuring on firewall devices 53-11
PIX/ASA/FWSM
Bidirectional Neighbor Filter 53-14
Bidirectional Neighbor Filter tab 53-13
enable 53-1
Multicast Group, add/edit 53-19
Multicast Group rule 53-17
Neighbor Filter 53-13
Neighbor Filter tab 53-12
page 53-11
PIM Protocol dialog box 53-12
Protocol tab 53-11
Rendezvous Point, add/edit 53-16
Rendezvous Points tab 53-15
Request Filter tab 53-18
Route Tree tab 53-17
ping 69-14, 69-15
Ping, TraceRoute and NSLookup command 1-33
PIX
PDM 69-5
PIX/ASA
boot image/configuration 47-9
add/edit 47-10
failover 49-17
settings 49-20
interfaces
Advanced tab 45-27
IP Type 45-36
MAC address 45-38
PPPoE Users 45-44
redundant 45-7
subinterfaces 45-7
VPDN groups 45-45
security contexts
allocate interfaces 57-8
configuration 57-7
viewing allocated interfaces 57-9
PIX/ASA/FWSM
AAA 47-5
Authentication tab 47-5
about AAA 47-1
bridging 46-1
clock settings 47-11
configuring banners 47-8
credentials 47-13
Device Access
Server Access 51-1
device administration policies 47-1
Failover
bootstrap configuration 49-26
interface MAC address 49-22
failover
active/active 49-3
interface configuration 49-23
security context 49-25
understanding 49-1
interfaces
add/edit 45-19
Advanced settings 45-42
configuring 45-2
contexts 45-5
General tab 45-20
managing 45-14
operating modes 45-4
understanding 45-3
security contexts
about 57-1
Server Access
AUS, add/edit server 51-3
AUS page 51-1
DDNS interface rule 51-18
DDNS page 51-17
DDNS update methods 51-18
DDNS update methods, add/edit 51-19
DHCP Relay, add/edit agent 51-5
DHCP Relay, add/edit server 51-6
DHCP Relay page 51-5
DHCP Server, add/edit 51-11
DHCP Server, advanced configuration 51-12
DHCP Server, options 51-13
DHCP Server page 51-10
DHCPv6 Relay, add/edit agent 51-8
DHCPv6 Relay, add/edit server 51-9
DHCPv6 Relay page 51-7
DNS page 51-13
DNS server, add 51-16
DNS server group 51-15
NTP page 51-19
NTP server configuration 51-20
SMTP page 51-21
TFTP server page 51-22
stateful
stateful 49-4
PIX/ASA/FWSM Platform
AAA
Accounting tab 47-7
Authorization tab 47-6
anti-spoofing 55-2
ARP configuration 46-4
ARP Inspection 46-5
enable/disable 46-6
ARP Table 46-3
configuring DHCP servers 51-9
configuring multicast routing 53-1
configuring routing 54-1
Device Access 48-1
console timeout 48-1
host name 50-1
HTTP configuration 48-2
HTTP page 48-2
ICMP rules 48-3
ICMP rules, add/edit 48-4
Management Access interface 48-5
Secure Shell, add/edit host 48-6
Secure Shell (SSH) 48-5
SNMP host access 48-12
SNMP page 48-8
SNMP Trap configuration 48-9
Telnet configuration 48-14
Telnet page 48-13
user accounts 50-6
user accounts, add/edit 50-7
failover 49-10
failover configuration 49-1
failover configuration basics 49-5
floodguard 55-2
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules 56-5
wizard 56-6, 56-8
logging 52-1
email notifications 52-3
email recipients 52-3
event lists 52-4
event lists, add/edit 52-5
filters 52-7
filters, editing 52-8
levels 52-18
message classes and IDs 52-4
message editing 52-19
message limits 52-13
message limits, add/edit 52-13
NetFlow 52-1
NetFlow, add/edit collector 52-2
rate limits, add/edit 52-14
server 52-16
set-up 52-10
syslog class 52-6
syslog message ID 52-6
syslog servers 52-21
syslog servers, add/edit 52-22
MAC Address
add/edit 46-8
MAC Address Table 46-7
MAC learning 46-8
enable/disable 46-9
Management IP address 46-10
multicast
Enable PIM and IGMP 53-1
group, add/edit 53-19
IGMP Access Group parameters 53-5
IGMP Access Group tab 53-5
IGMP Join Group parameters 53-7
IGMP Join Group tab 53-7
IGMP page 53-2
IGMP parameters 53-4
IGMP Protocol tab 53-3
IGMP Static Group parameters 53-6
IGMP Static Group tab 53-6
MBoundary configuration 53-9
MBoundary interface configuration 53-10
MRoute configuration 53-8
Multicast Boundary Filter page 53-9
Multicast Group rule 53-17
Multicast Routes page 53-8
PIM Bidirectional Neighbor Filter 53-14
PIM Bidirectional Neighbor Filter tab 53-13
PIM Neighbor Filter 53-13
PIM Neighbor Filter tab 53-12
PIM page 53-11
PIM Protocol dialog box 53-12
PIM Protocol tab 53-11
PIM Rendezvous Point, add/edit 53-16
PIM Rendezvous Points tab 53-15
PIM Request Filter tab 53-18
PIM Route Tree tab 53-17
NAT policies 23-17
Address Pools dialog box 23-17
Address Pools page 23-17
Advanced NAT Options dialog box 23-28
Dynamic Rules dialog box 23-21
Dynamic Rules tab 23-21
General tab 23-30
Policy Dynamic Rules dialog box 23-24
Policy Dynamic Rules tab 23-23
Select Address Pool 23-22
Static Rules dialog box 23-26
Static Rules tab 23-25
Translation Exemptions (NAT 0 ACL) dialog box 23-20
Translation Exemptions (NAT 0 ACL) tab 23-19
Translation Options page 23-15
Translation Rules page 23-18
policy configuration 45-1
priority queues 56-4
priority queues configuration 56-4
routing
IPv6 Static Route configuration 54-50
IPv6 Static Route page 54-50
No Proxy ARP 54-1
OSPF 54-2
OSPF - advanced settings 54-4
OSPF - Area/Area networks 54-7
OSPF - Area Range 54-9
OSPF - Area tab 54-6
OSPF - Filtering configuration 54-16
OSPF - Filtering tab 54-15
OSPF - General tab 54-3
OSPF - Interface configuration 54-20
OSPF - Interface tab 54-18
OSPF - Neighbors tab 54-10
OSPF - Range tab 54-8
OSPF - Redistribution rule 54-11
OSPF - Redistribution tab 54-11
OSPF - static neighbor 54-10
OSPF - Summary Address configuration 54-18
OSPF - Summary Address tab 54-17
OSPFv3 54-22
OSPFv3 - advanced settings 54-25
OSPFv3 - Area/Area networks 54-29
OSPFv3 - Area Range 54-30
OSPFv3 - Area tab 54-28
OSPFv3 - Interface configuration 54-35
OSPFv3 - Interface tab 54-34
OSPFv3 - Process tab 54-24
OSPFv3 - Redistribution rule 54-32
OSPFv3 - static neighbor 54-38
OSPFv3 - Summary Prefix configuration 54-34
OSPFv3 - Virtual Link configuration 54-31
OSPF - Virtual Link configuration 54-13
OSPF - Virtual Link MD5 configuration 54-15
OSPF - Virtual Link tab 54-13
RIP (PIX/ASA 6.3–7.1, FWSM) 54-41
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 54-41
RIP (PIX/ASA 7.2+) 54-42
RIP (PIX/ASA 7.2+) Filtering 54-46
RIP (PIX/ASA 7.2+) Filtering configuration 54-47
RIP (PIX/ASA 7.2+) Interface 54-47
RIP (PIX/ASA 7.2+) Interface configuration 54-48
RIP (PIX/ASA 7.2+) Redistribution 54-45
RIP (PIX/ASA 7.2+) Redistribution configuration 54-45
RIP (PIX/ASA 7.2+) Setup 54-43
RIP page 54-40
Static Route configuration 54-49
Static Route page 54-48, 54-49
security contexts
managing 57-4
security group aware IPS, QoS, and Connection Rules 14-13
security policies 55-1
General configuration 55-3
General page 55-1
timeouts 55-4
service policy
wizard 56-6
service policy rules 56-1
SNMP configuration 48-7
traffic class 56-7
Unicast Reverse Path Forwarding 55-2
PIX/ASA/FWSM Platform policies
bridging 46-1
configuring fragment settings 55-2
configuring NAT 23-15
transparent mode 23-15
PIX 6.3
Failover
interface configuration 49-11
failover 49-10
interface configuration
IP Type 45-18
interfaces
add/edit 45-15
PIX 7.x
Failover
Add Failover Group 49-24
PIX devices
AAA support 6-26
about 45-1
monitoring service level agreements 50-7
remote access VPNs
IPsec proposals 30-33
user group policies for PIX 6.3 32-13
selecting policy types to manage 5-10
PIX Firewall
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
PIX Firewalls
configuring transparent firewall rules 22-1
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
PIX firewalls
access controls
access list compilation 16-25
object group search 16-24
adding SSL thumbprints manually 9-4
FlexConfig object samples 7-23
packet capture, using 69-18
packet tracer, using 69-12
SSL certificate configuration 11-18
PKI (Public Key Infrastructure) policies
CA server authentication methods 25-47
defining multiple CA servers 25-51
enrollment requirements 25-48
understanding 25-47
using TFTP 25-49
PKI enrollment
prerequisites using TFTP 25-49
requirements 25-48
PKI enrollment objects
defining CA server properties 25-55
defining certificate attributes 25-61
defining enrollment parameters 25-59
defining trusted CA hierarchy 25-62
properties 25-54
plug-ins
configuring browser 30-50
Point-to-Point Protocol (PPP)
defining connections 59-71
defining multilink PPP bundles 59-74
on Cisco IOS routers 59-70
understanding multilink PPP (MLP) 59-70
Point-to-Point protocol (PPP)
PPP/MLP Policy page 59-75
PPP dialog box 59-76
point-to-point topologies
description 24-3
policies
adding local rules to shared policies 5-42
assigning shared policies 5-41
basic concepts
inheritance vs. assignment 5-6
local vs. shared 5-3
managing 5-29
overview 5-1
rule inheritance 5-4
service vs. platform-specific 5-2
settings-based vs. rule-based 5-2
shared policies in Device view or Site-to-Site VPN Manager 5-34
signature inheritance 38-3
status icons 5-28
cloning shared policies 5-44
configuring IKE and IPsec for VPNs 25-1
copying between devices 5-31
creating shared 5-51
deleting shared 5-53
Device view
configuring local policies 5-29
managing 5-28
modifying assignments 5-46
modifying shared policies 5-45
discovering 5-12
discovering on existing devices 5-15
exporting 10-11
exporting with device inventory 10-6
FlexConfigs
adding objects 7-34
changing object order 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
editing 7-34
FlexConfig Policy page 7-35
previewing CLI 7-34
removing objects 7-34
understanding 7-2
importing 10-13
inheriting rules 5-43
locking 5-7
managing 5-1
object selectors 6-2
overview 1-18
performing basic policy management in Map view 34-22
PKI (Public Key Infrastructure) 25-47
policy banner 5-35
policy discovery FAQ 5-25
policy management and objects 5-7
Policy view
managing 5-47
modifying assignments 5-51
preshared keys 25-43
renaming 5-45
router platform policies 58-1
selecting policies to manage 5-10
sharing local 5-38
sharing multiple local policies 5-39
sharing with PRSM 69-11
Site-to-Site VPN Manager
managing 5-28
modifying assignments 5-46
site-to-site VPNs 24-8
specifying interfaces 6-70
specifying IP addresses 6-81
synchronizing among Security Manager servers 10-4
unassigning 5-33
unsharing 5-40
using global search to find specific policies 1-39
viewing discovery task status 5-21
VPN defaults 11-54
policy assignments
modifying in Device view 5-46
modifying in Policy view 5-51
modifying in Site-to-Site VPN Manager 5-46
overview 1-18
policy bundles
cloning 5-55
creating 5-54
managing 5-53
renaming 5-55, 5-56
Policy Bundle view
cloning policy bundles 5-55
creating policy bundles 5-54
renaming policy bundles 5-55, 5-56
Policy Bundle View command 1-30
policy discovery
AAA commands not displayed in AAA policy 5-27
ACL naming conventions 12-5
ACLs 5-14
Catalyst devices 5-13
Catalyst switches and 7600 Series routers 65-1
Cisco IOS routers 5-13, 58-3
frequently asked questions 5-25
IPS devices 5-13
network masks 6-76
object groups 5-14
on existing devices 5-15
overview 1-18
policy objects 5-14
preserving ACL names 12-4
resolving ACL naming conflicts 12-6
security contexts 5-13
understanding 5-12
viewing task status 5-21
VPNs 5-12
web VPN restrictions 3-8
Policy Discovery Status command 1-32
Policy Discovery Status page 5-23
Policy Dynamic Translation Rule
PIX/ASA/FWSM 23-23
add/edit 23-24
policy management
Settings page 11-46
Policy Management page 11-46
policy maps
understanding 6-72
Policy menu
command reference 1-30
Policy Object Manager
field reference 6-4
shortcut menu 6-8
undocking and docking the window 6-8
Policy Object Manager window
creating overrides 6-19
deleting overrides 6-21
Policy Object Overrides window 6-20
policy objects
AAA server
HTTP-FORM settings 6-41
Kerberos settings 6-36
LDAP settings 6-37
NT settings 6-40
RADIUS settings 6-32
SDI settings 6-40
TACACS+ settings 6-35
AAA server groups
attributes 6-46
creating 6-45
default server groups on IOS devices 6-28
predefined authentication groups 6-28
understanding 6-24
AAA servers
creating 6-29
supported additional types for ASA/PIX/FWSM 6-26
supported types 6-25
understanding 6-24
access control lists
creating 6-49
extended objects 6-50
standard objects 6-51, 6-54
web objects 6-52
ASA group policies
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
basic procedures 6-9
categories, using 6-12
changes in Security Manager 4.4 1-9
Cisco Secure Desktop configuration
creating 32-18
class map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
cloning (duplicating) 6-13
configuring for remote access VPN 33-1
connection with policy management 5-7
creating 6-9
credentials
attributes 27-9
DCE/RPC policy map
properties 17-27
deleting 6-16
DNS policy map
properties 17-28
editing 6-12
ESMTP policy map
properties 17-34
exporting 6-21
file objects
attributes 33-25
selecting 33-27
FlexConfig
creating text objects 7-31
properties 7-29
property selector 7-33
undefined variables 7-32
FlexConfigs
adding to policies 7-34
changing order in policies 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
creating 7-27
previewing CLI 7-34
removing from policies 7-34
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-37
generating usage reports 6-14
GTP policy map
properties 17-40
H.323 (ASA/PIX/FWSM) policy map
properties 17-45
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-50
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-58
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 25-10
v2 properties 25-13
IM (ASA7.2+/PIX7.2+) policy map
properties 17-64
IM (IOS) policy map
properties 17-67
importing 6-21
Inspect parameter map
properties 21-29
interface roles
creating 6-68
understanding 6-67
IP Options policy map
properties 17-68
IPsec Pass Through policy map
properties 17-74
IPSec transform sets
attributes 25-25
understanding 25-19
IPv6 policy map
properties 17-70
LDAP attribute map objects
attributes 6-43
Local Web Filter parameter map
properties 21-37
managing 6-1
maps
understanding 6-72
N2H2 parameter map
properties 21-38
NetBIOS policy map
properties 17-75
network/host
optimizing when deploying firewall rules 12-35
understanding 6-74
using in Event Viewer filters 66-59
network/host objects
naming when provisioned as object groups 6-92
networks/hosts
creating 6-76
unspecified value objects 6-80
object selectors 6-2
overrides 3-49
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-18
deleting 6-21
managing 6-17
understanding 6-17
overview 1-18
parameter map
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
PKI enrollments
defining CA server properties 25-55
defining certificate attributes 25-61
defining enrollment parameters 25-59
defining trusted CA hierarchy 25-62
properties 25-54
policy discovery 5-14
policy map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
pools
understanding 6-83
port forwarding lists
properties 33-28
port list objects
naming when provisioned as object groups 6-92
port lists
creating 6-86
properties 6-87
Protocol Info parameter map
properties 21-32
provisioning as object groups 6-91
regular expression group policy map
properties 17-85
regular expression objects
metacharacters 17-87
regular expression policy map
properties 17-86
security group
creating 14-12
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-92
provisioning as object groups 6-92
services
creating 6-86
Settings page 11-48
sharing with PRSM 69-11
single sign-on server
properties 33-30
SIP (ASA/PIX/FWSM) policy map
properties 17-77
Skinny policy map
properties 17-81
SLA monitors
attributes 50-9
configuring 50-8
understanding 50-7
SNMP policy map
properties 17-84
SSL VPN bookmark
configuring 30-70
post URL method and macro substitutions 30-72
SSL VPN Customization
configuring 30-66
creating custom Logon page 30-70
localizing 30-68
SSL VPN gateway
properties 33-50
SSL VPN smart tunnel auto sign-on lists
attributes 33-55
SSL VPN smart tunnel lists
attributes 33-52
configuring 30-73
TCP Map policy map
properties 56-20
text
creating 7-31
time ranges
attributes for recurring ranges 6-67
configuring 6-66
traffic flow
default inspection traffic 56-18
properties 56-16
Trend parameter map
properties 21-41
TrustSec security group
selecting 14-13
URLF Glob parameter map
properties 21-44
URLF Glob parameter maps
metacharacters 21-45
URL Filter parameter map
properties 21-42
user groups
advanced PIX 6.3 settings 33-66
browser proxy settings 33-72
clientless settings 33-67
client VPN software update (IOS) settings 33-65
DNS/WINS settings 33-61
general settings 33-60
IOS client settings 33-63
IOS Xauth settings 33-64
split tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN connection settings 33-73
SSL VPN full tunnel settings 33-69
SSL VPN split tunneling settings 33-70
technology settings 33-58
thin client settings 33-68
viewing details 6-14
Web Filter policy map
properties 21-46
Websense parameter map
properties 21-38
WINS server lists
attributes 33-74
creating 30-76
Policy Objects command 1-32
policy objects interface
Interface Role dialog box 6-69
SSL VPN Bookmark Entry dialog box 33-33
SSL VPN bookmarks
Add or Edit Bookmarks dialog boxes 33-32
Post Parameters dialog box 33-36
Policy Objects page 11-48
policy query
example report 12-34
generating reports 12-28
interpreting report results 12-32
Querying Device or Policy dialog box 12-29
Policy Query Results dialog box 12-32
Policy view
Assignments tab 5-51
creating shared policies 5-51
deleting shared policies 5-53
filtering shared policy selector 1-42
modifying assignments 5-51
overview 1-14
selectors 5-49
Shared Policy selector options 5-50
understanding 5-47
Policy View command 1-30
pool objects
understanding 6-83
POP3
configuring for inspection rules 17-19
POP3 class map objects
creating 21-15
match criteria 21-23
POP3 policy map objects
creating 21-15
match conditions and actions 21-34
port application mapping
see PAM 21-65
port forwarding list objects
properties 33-28
port list objects
creating 6-86
naming when provisioned as object groups 6-92
properties 6-87
ports
ASA 5505
configure 45-39
Posture ACL dialog box 35-26
PPP dialog box
MLP tab 59-79
PPP tab 59-77
PPPoE Users 45-44
pre-provisioning devices 3-25
preshared keys
aggressive mode negotiation 25-44
compared to certificates 25-8
configuring policies for IKEv1 site-to-site VPNs 25-44
FQDN (fully qualified domain name) negotiation 25-44
main mode address negotiation 25-43
understanding 25-43
Preview Configuration command 1-33
Prime Security Manager
see PRSM 69-9
Prime Security Manager command 1-35
print
Report Manager reports 67-23
Print command 1-29
priority queues
PIX/ASA/FWSM
configuration 56-4
page 56-4
Product Authorization Key (PAK) 10-16
productivity categories for Trend class maps 21-19
properties
changes with policy effects 3-51
changing critical device 3-50
image version changes with no policy effects 3-50
understanding device 3-6
viewing or changing device 3-39
Property Selector dialog box 7-33
protected networks
defining in GET VPN topologies 24-56
defining in VPN topologies 24-33
Protected Networks tab 24-44
Protocol Independent Multicast 53-11
Protocol Info parameter map objects
properties 21-32
Protocol Info Parameters map object
creating 21-15
Protocol Map dialog box 40-12
protocols
selecting for inspection 17-3
Protocol tab
IGMP 53-3
proxies
defining HTTP/HTTPS for SSL VPN (ASA) 30-47
proxy ARP
enabling on IOS routers 59-19
proxy bypass rules
defining HTTP/HTTPS for SSL VPN (ASA) 30-47
proxy server
configuring HTTP for IPS global correlation 35-23
PRSM
sharing
devices 69-11
policy objects 69-11
starting from Security Manager 69-9
public key infrastructure (PKI) policies
compared to certificates 25-8
configuring for remote access VPNs 25-52
configuring for site-to-site VPNs 25-50
PVC Advanced Settings dialog box
OAM-PVC tab 59-68
OAM tab 59-66
PVC dialog box
Protocol tab 59-63
QoS tab 59-60
Settings tab 59-57
PVC policies
unable to deploy 9-15
Q
QoS
MPC rule wizard
tab 56-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 56-5
QoS Class dialog box 63-23
Edit ACLs dialog box 63-25
Marking tab 63-26
Matching tab 63-24
Policing tab 63-29
Queuing and Congestion Avoidance tab 63-27
Shaping tab 63-31
QoS queuing
default class 63-6
defining for classes 63-16
tail drop vs. WRED 63-4
understanding 63-4
understanding LLQ 63-5
quality of service (QoS)
CEF requirements 63-2
defining on control plane 63-12
defining on interfaces 63-10
defining policies 63-10
on Cisco IOS routers 63-1
QoS Class dialog box 63-23
QoS Policy dialog box 63-21
Quality of Service Policy page 63-19
understanding
Control Plane Policing 63-9
default class queuing 63-6
low-latency queuing 63-5
marking parameters 63-3
matching parameters 63-2
policing parameters 63-6
queuing parameters 63-4
shaping parameters 63-6
tail drop and WRED 63-4
token-bucket mechanism 63-7
quality of service (QoS) classes
defining marking parameters 63-15
defining matching parameters 63-13
defining policing parameters 63-17
defining queuing parameters 63-16
defining shaping parameters 63-18
query
CS-MARS
access rule events 69-28
IPS signature events 69-30
looking up policies based on related events 69-31
overview 69-27
troubleshooting 69-26
Event Viewer
looking up policies based on related events 66-48
Querying Device or Policy dialog box 12-29
quick filter
searching for events 66-44
R
RADIUS
description 6-25
settings in AAA server objects 6-32
RAM
Image Manager 70-15
rate limiting, IPS 42-4
Real-time Log Viewer 69-7
recovery
event data store 66-32
Recurring Ranges dialog box 6-67
Redeploy a Job dialog box 8-49
Redeploying Licenses dialog box 11-44
rediscovering
remote access VPNs 29-12
rediscovering site-to-site VPNs 24-26
Rediscover VPN Policies wizard 24-26
redundant interfaces 45-7
red X in device selector, troubleshooting 9-8
Refresh Map command 1-31
regular expression group objects
properties 17-85
regular expression objects
metacharacters 17-87
properties 17-86
regular IPsec
mandatory and optional policies 24-6
supported platforms 24-9
supported platforms for remote access VPNs 29-8
Reject Activity command 1-34
Reject Activity dialog box 4-21
Reject Deployment Job dialog box 8-21, 8-39
remote access
user
logging off 68-26
remote access VPN
system variables 7-18
Remote Access VPN Configuration wizard
IPsec VPN
Defaults page 29-29
IPsec Settings page (ASA) 29-28
IPsec VPN Connection Profile page (ASA) 29-27
User Groups page 29-35
IPsec VPNs
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
SSL VPN
Access page (ASA) 29-15
Connection Profile page (ASA) 29-16
Gateway and Context Page (IOS) 29-32
Portal Page Customization Page (IOS) 29-34
SSL VPNs
creating on ASA devices 29-14
creating on IOS devices 29-31
using 29-13
remote access VPNs
ASA devices
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
configuring using wizard 29-13
device support 29-8
discovering 29-12
IOS devices
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
IPsec 30-28
access policies for IKEv2 (ASA), configuring 30-40
access policies for IKEv2 (ASA), reference 30-37
access policies for IKEv2 (ASA), understanding 30-36
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1) 30-29
cluster load balancing 30-4, 30-5
configuring IKE and IPsec policies 25-1
connection profiles 30-6
connection profiles (ASA, PIX 7+) 30-8
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
Dynamic VTI/VRF Aware IPsec settings 32-7
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
high availability policies 32-11
IKE proposals 25-9
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
NAT settings 25-38
policy overview 29-9
policy overview (ASA, PIX 7.0+) 30-2
policy overview (IOS, PIX 6.3) 32-2
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
understanding 29-2
understanding IKE 25-5
understanding NAT settings 25-37
user group policies for IOS, PIX 6.3 32-13
VPNSM, VPN SPA, VSPA settings 32-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring for ASA and PIX 7.0+ devices 30-33
configuring for IOS and PIX 6.3 devices 32-3
managing 29-1
managing (ASA, PIX 7.0+) 30-1
managing (IOS, PIX 6.3) 32-1
rediscovering 29-12
SSL 30-36
access modes 29-4
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
advanced settings (ASA) 30-61
AnyConnect client image settings (ASA) 30-55
AnyConnect client settings (ASA) 30-52, 30-53
AnyConnect custom attributes (ASA) 30-59, 30-60
browser plug-ins (ASA) 30-50
cluster load balancing 30-4, 30-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 30-47
connection profiles 30-6
connection profiles (ASA) 30-8
content rewrite rules (ASA) 30-43
Context Editor dialog box (IOS) 32-15, 32-16
creating on ASA 29-14
creating on IOS devices 29-31
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
encoding rules (ASA) 30-45
example 29-3
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
Kerberos Constrained Delegation (KCD on ASA) 30-56, 30-58
limitations 29-7
managing support files 29-5
NAT settings 25-38
other settings (ASA) 30-41
performance settings (ASA) 30-42
policies (IOS) 32-14
policy overview 29-9
policy overview (ASA, PIX 7.0+) 30-2
policy overview (IOS, PIX 6.3) 32-2
prerequisites 29-7
proxy bypass rules (ASA) 30-49
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
server certificate verification (ASA) 30-25, 30-26, 30-27, 30-61
shared license (ASA) 30-62
shared license clients (ASA) 30-64
shared license servers (ASA) 30-65
understanding 29-2
understanding NAT settings 25-37
wizard 29-13
understanding 29-1
Remote Detection Indication (RDI) cells 59-50
Rename Policy Bundle dialog box 5-55, 5-56
Rename Policy command 1-30
Rename Policy dialog box 5-45
Rendezvous Point
PIX/ASA/FWSM
add/edit 53-16
Rendezvous Points
PIM 53-15
Report Manager
arranging window 67-25
closing 67-26
configuring default settings 67-24
configuring devices to provide reports 67-3
configuring Event Manager service 66-27
configuring schedules 67-28
creating custom reports 67-20
deleting another user’s custom reports 67-27
deleting reports 67-27
deleting schedules 67-31
disabling schedules 67-30
editing report settings 67-21
enabling schedules 67-30
examples of analysis
monitoring botnet activity 66-55
exporting reports 67-23
generated report pane and toolbar 67-11
generating reports 67-18
managing custom reports 67-27
opening reports 67-18
overview 67-1, 67-6
printing reports 67-23
renaming reports 67-26
report list 67-9
report settings 67-10
saving reports 67-25
scheduling reports 67-27
troubleshooting 67-31
understanding 67-1
understanding access control 67-5
understanding data aggregation 67-4
understanding predefined reports
firewall summary botnet reports 67-14
firewall traffic reports 67-13
general IPS reports 67-17
general VPN reports 67-16
IPS top reports 67-16
overview 67-13
VPN top reports 67-15
using 67-18
viewing schedule results 67-30
viewing schedules 67-28
Report Manager command 1-35
reports
arranging windows 67-25
closing 67-26
configuring default settings for reports 67-24
configuring devices for Report Manager reporting 67-3
configuring schedules 67-28
creating custom 67-20
deleting 67-27
deleting another user’s in Report Manager 67-27
deleting schedules 67-31
deployment status 10-28
disabling schedules 67-30
discovery status 10-28
editing settings 67-21
enabling schedules 67-30
example policy query 12-34
exporting 67-23
generating 67-18
generating access rule analysis 16-31
generating policy query 12-28
interpreting policy query 12-32
managing 67-1
managing custom 67-27
opening 67-18
overview of available types 67-2
predefined Report Manager
firewall summary botnet reports 67-14
firewall traffic reports 67-13
general IPS reports 67-17
general VPN reports 67-16
IPS top reports 67-16
overview 67-13
VPN top reports 67-15
printing 67-23
renaming 67-26
Report Manager
generated report pane and toolbar 67-11
overview 67-6
report list 67-9
report settings 67-10
saving 67-25
scheduling in Report Manager 67-27
understanding Report Manager 67-1
understanding Report Manager access control 67-5
understanding Report Manager data aggregation 67-4
using Report Manager 67-18
viewing schedule results 67-30
viewing schedules 67-28
reputation
configuring global correlation 41-5
understanding IPS global correlation 41-2
Request Filter
PIM 53-18
Resources
FWSM 50-3
add/edit 50-3
managing 50-2
restorebackup.pl command 10-26
restore database 10-26
Resume Deployment Schedule dialog box 8-21, 8-55
retry count
device communication 11-17
reverse route injection 25-20
RIP
PIX/ASA/FWSM 54-40
(PIX/ASA 6.3–7.1, FWSM) 54-41
(PIX/ASA 6.3–7.1, FWSM) configuration 54-41
(PIX/ASA 7.2+) 54-42
(PIX/ASA 7.2+) Filtering 54-46
(PIX/ASA 7.2+) Filtering configuration 54-47
(PIX/ASA 7.2+) Interface 54-47
(PIX/ASA 7.2+) Interface configuration 54-48
(PIX/ASA 7.2+) Redistribution 54-45
(PIX/ASA 7.2+) Redistribution configuration 54-45
(PIX/ASA 7.2+) Setup 54-43
RIP routing
Cisco IOS routers
Authentication dialog box 64-47
Authentication tab 64-46
defining interface authentication 64-43
defining setup parameters 64-42
overview 64-42
redistributing routes 64-44
Redistribution Mapping dialog box 64-49
Redistribution tab 64-48
RIP Routing Policy page 64-45
Setup tab 64-45
roles, IPS user 35-13
rollback
archived configuration files 8-66
last deployed configuration 8-65
when deploying to file 8-67
Rollback a Job dialog box 8-65
round robin allocation
PAT 23-40
routed ports
Create and Edit Interface dialog boxes-Routed Port mode 65-12
understanding 65-5
Router Block Interface dialog box 42-15
Router Device dialog box 42-14
router platform interface
802.1x Policy page 61-5
AAA policy
AAA Policy page 60-6
Accounting tab 60-10
Authentication tab 60-6
Authorization tab 60-7
Command Accounting dialog box 60-12
Command Authorization dialog box 60-9
accounts and credentials policy
Accounts and Credentials Policy page 60-15
User Accounts dialog box 60-17
ADSL policy
ADSL Policy page 59-36
ADSL Settings dialog box 59-37
advanced interface settings policy
Advanced Interface Settings dialog box 59-16
Advanced Interface Settings page 59-15
BGP policy
BGP Neighbors dialog box 64-6
BGP Redistribution tab 64-6
BGP Routing Policy page 64-4
BGP Setup tab 64-4
Redistribution Mapping dialog box 64-7
bridging policy
Bridge Group dialog box 60-21
Bridging Policy page 60-20
CEF interface policy 59-25
CEF Interface Settings dialog box 59-26
Clock Policy page 60-23
console policy
AAA tab 60-44
Accounting tab 60-47
Authentication tab 60-44
Authorization tab 60-45
Command Accounting dialog box 60-61
Command Authorization dialog box 60-60
Console Policy page 60-42
Setup tab 60-42
CPU Policy page 60-26
DHCP policy
DHCP Database dialog box 60-94
DHCP Policy page 60-92
IP Pool dialog box 60-94
dialer interface policy
Dialer Physical Interface dialog box 59-32
Dialer Policy page 59-30
Dialer Profile dialog box 59-31
DNS policy
IP Host dialog box 60-76
DNS Policy page 60-76
EIGRP policy
EIGRP Routing Policy page 64-13
Interface dialog box 64-16
Interfaces tab 64-15
Redistribution Mapping dialog box 64-18
Redistribution tab 64-17
Setup dialog box 64-14
Setup tab 64-13
Hostname Policy page 60-78
HTTP policy
AAA tab 60-32
Command Authorization Override dialog box 60-34
HTTP Policy page 60-31
Setup tab 60-31
interfaces policy
Create Router Interface dialog box 59-8
Interface Auto Name Generator dialog box 59-12
Router Interfaces page 59-7
IPS interface policy
IPS Monitoring Information dialog box 59-23
IPS Module interface policy
IPS Module Interface Policy Page 59-22
logging policy
Syslog Server dialog box 62-11
logging setup policy
Logging Setup Policy page 62-7
Memory Policy page 60-79
NAC policy
Identities tab 61-18
Identity Action dialog box 61-19
Identity Profile dialog box 61-19
Interface Configuration dialog box 61-17
Interfaces tab 61-16
NAC Policy page 61-14
Setup tab 61-14
NAT policy
Dynamic Rule dialog box 23-11
Interface Specification tab 23-6
Static Rule dialog box 23-7
Static Rules tab 23-6
NetFlow policy 62-5, 62-12
NTP policy
NTP Policy page 60-98
NTP Server dialog box 60-99
OSPF policy
Area dialog box 64-37
Area tab 64-36
Interface dialog box 64-31
Max Prefix Mapping dialog box 64-41
OSPF Interface Policy page 64-30
OSPF Process Policy page 64-34
Redistribution Mapping dialog box 64-39
Redistribution tab 64-38
Setup dialog box 64-35
Setup tab 64-35
PPP/MLP policy
PPP/MLP Policy page 59-75
PPP dialog box 59-76
PVC policy
Define Mapping dialog box 59-64
PVC Advanced Settings dialog box 59-65
PVC dialog box 59-55
PVC Policy page 59-54
QoS policy
QoS Class dialog box 63-23
QoS Policy dialog box 63-21
Quality of Service Policy page 63-19
RIP policy
Authentication dialog box 64-47
Authentication tab 64-46
Redistribution Mapping dialog box 64-49
Redistribution tab 64-48
RIP Routing Policy page 64-45
Setup tab 64-45
Secure Device Provisioning Policy page 60-85
Secure Shell Policy page 60-64
SHDSL policy
Controller Auto Name Generator dialog box 59-45
SHDSL Controller dialog box 59-42
SHDSL Policy page 59-41
SNMP policy
Permission dialog box 60-70
SNMP Policy page 60-69
SNMP Traps dialog box 60-72
Trap Receiver dialog box 60-71
static routing policy
Static Routing dialog box 64-52
Static Routing Policy page 64-51
syslog servers policy
Syslog Servers Policy page 62-10
VTY policy
Command Accounting dialog box 60-61
Command Authorization dialog box 60-60
VTY Line dialog box 60-51
VTY Policy page 60-50
router platform policies
Device Admin policies
AAA 60-2
accounts and credentials 60-13
CPU settings 60-25
DHCP 60-87
DNS 60-74
host and domain names 60-77
HTTP 60-28
line access 60-35
memory settings 60-78
optional SSH settings 60-63
Secure Device Provisioning (SDP) 60-81
SNMP 60-66
time zone settings 60-22
transparent bridging 60-18
Identity policies
802.1x 61-1
Network Admission Control (NAC) 61-8
Interface policies
ADSL 59-33
advanced settings 59-13
basic settings 59-1
dialer interfaces 59-27
PPP 59-70
PVC 59-46
SHDSL 59-40
Logging policies 62-1
NAT 23-5
dynamic rules 23-10
static rules 23-6
timeouts 23-13
NetFlow policies 62-1
Network Time Protocol (NTP) 60-96
quality of service (QoS) 63-1
Routing policies
BGP routing 64-1
EIGRP routing 64-8
OSPF routing 64-19
RIP routing 64-42
static routing 64-50
routers
adding SSL thumbprints manually 9-4
CEF interface settings policies 59-24
Cisco Discovery Protocol (CDP) settings 59-18
CNS call-home mode 2-9
CNS event-bus mode 2-8
communication requirements 2-1
configuring SSH 2-6
default transport protocol for 12.1 and 12.2 11-18
default transport protocol for 12.3 and above 11-18
deploying configurations using TMS 8-43
enabling directed broadcasts 59-20
enabling Maintenance Operation Protocol (MOP) 59-19
enabling NBAR protocol discovery 59-19
enabling proxy ARP 59-19
enabling unicast reverse path forwarding (RPF) 59-20
enabling virtual fragment reassembly (VFR) 59-19
FlexConfig object samples 7-23
generating interface names 59-4
ICMP message settings 59-18
IPS Module interface settings policies 59-22
licenses 2-12
mixing deployment methods 9-13
selecting policy types to manage 5-10
setting up SSL (HTTPS) 2-4
SSL certificate configuration 11-18
system variables 7-13
troubleshooting deployment 9-14
Route Tree
PIM 53-17
routing
PIX/ASA/FWSM
about OSPF 54-2
about OSPFv3 54-22
authentication 54-2
configuring on 54-1
configuring static routes 54-48
IPv6 Static Route configuration 54-50
No Proxy ARP 54-1
OSPF 54-2
OSPF - advanced settings 54-4
OSPF - Area/Area networks 54-7
OSPF - Area Range 54-9
OSPF - Area tab 54-6
OSPF - Filtering configuration 54-16
OSPF - Filtering tab 54-15
OSPF - General tab 54-3
OSPF - Interface configuration 54-20
OSPF - Interface tab 54-18
OSPF - Neighbors tab 54-10
OSPF - Range tab 54-8
OSPF - Redistribution rule 54-11
OSPF - Redistribution tab 54-11
OSPF - static neighbor 54-10
OSPF - Summary Address configuration 54-18
OSPF - Summary Address tab 54-17
OSPFv3 54-22
OSPFv3 - advanced settings 54-25
OSPFv3 - Area/Area networks 54-29
OSPFv3 - Area Range 54-30
OSPFv3 - Area tab 54-28
OSPFv3 - Interface configuration 54-35
OSPFv3 - Interface tab 54-34
OSPFv3 - Process tab 54-24
OSPFv3 - Redistribution rule 54-32
OSPFv3 - static neighbor 54-38
OSPFv3 - Summary Prefix configuration 54-34
OSPFv3 - Virtual Link configuration 54-31
OSPF - Virtual Link configuration 54-13
OSPF - Virtual Link MD5 configuration 54-15
OSPF - Virtual Link tab 54-13
RIP (PIX/ASA 6.3–7.1, FWSM) 54-41
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 54-41
RIP (PIX/ASA 7.2+) 54-42
RIP (PIX/ASA 7.2+) Filtering 54-46
RIP (PIX/ASA 7.2+) Filtering configuration 54-47
RIP (PIX/ASA 7.2+) Interface 54-47
RIP (PIX/ASA 7.2+) Interface configuration 54-48
RIP (PIX/ASA 7.2+) Redistribution 54-45
RIP (PIX/ASA 7.2+) Redistribution configuration 54-45
RIP (PIX/ASA 7.2+) Setup 54-43
RIP page 54-40
Static Route configuration 54-49
VPNs with routing processes 9-13
routing redistribution
BGP Redistribution Mapping dialog box 64-7
BGP Redistribution tab 64-6
EIGRP Redistribution Mapping dialog box 64-18
EIGRP Redistribution tab 64-17
into BGP 64-3
into EIGRP 64-12
into OSPF 64-22
into RIP 64-44
OSPF Max Prefix Mapping dialog box 64-41
OSPF Process Redistribution tab 64-38
OSPF Redistribution Mapping dialog box 64-39
RIP Redistribution Mapping dialog box 64-49
RIP Redistribution tab 64-48
RPC
configuring for inspection rules 17-20
RSA keys
generating, synchronizing for GET VPN 28-13
Rule Analysis Detail Report
generating 16-31
Rule Combiner Results dialog box 12-25
rule expiration
configuring for access rules 16-19
Rule Expiration page 11-49
rules
default 5-5
mandatory 5-5
rules tables
adding rules 12-9
columns and headings 1-46
commands, Edit menu 1-29
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-45
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-7
rule tables
moving rules 12-19
RX-Boot Mode Credentials dialog box 3-46
S
Save As command (Report Manager) 67-8
Save command 1-28
Save command (Report Manager) 67-8
Save Map As command 1-31
Save Map As dialog box 34-10
Save Map command 1-31
ScanSafe Web Security Settings 20-6
scenarios
creating FlexConfigs 7-24
SCEP (Simple Certificate Enrollment Protocol)
CA server authentication 25-47
Schedule dialog box 8-53
schedules
configuring in Report Manager 67-28
deleting in Report Manager 67-31
disabling in Report Manager 67-30
enabling in Report Manager 67-30
reports in Report Manager 67-27
viewing in Report Manager 67-28
viewing results in Report Manager 67-30
schedules, deployment
changes not deployed 8-52
creating or editing 8-52
including devices 8-8
suspending or resuming 8-55
viewing status and history 8-27
scripting language
examples
looping 7-3
looping with if/else statements 7-4
looping with two-dimensional arrays 7-3
FlexConfig objects 7-3
SDEE
subscriptions for IOS IPS 44-7
SDI
settings in AAA server objects 6-40
SDM
access rule look-up 69-8
device manager 69-5
searching for items 1-39
Secondary Interface Specific Authentication Server Groups dialog box 30-13
secure desktop manager policies
configuring 31-8
Secure Device Provisioning (SDP)
configuring AAA for administrative introducers 60-84
contents of bootstrap 60-82
defining policies 60-83
Secure Device Provisioning page 60-85
understanding
introducers 60-81
petitioners 60-81
registrars 60-81
TTI 60-81
workflow 60-82
SecureID servers (SDI)
description 6-26
Secure Shell
PIX/ASA/FWSM
add/edit SSH host 48-6
Secure Shell (SSH)
Cisco IOS routers
defining optional settings 60-63
optional settings overview 60-63
Secure Shell Policy page 60-64
PIX/ASA/FWSM 48-5
security associations
GET VPN
using passive mode during migration 28-23
security certificate
invalid during discovery 9-6
security context
Failover page 49-25
security contexts
adding to failover group 2 49-7
admin context
overview 57-1
configuring multiple 57-2
configuring on firewall devices 57-1
deleting FWSM 57-4
discovering policies 5-13
FWSM 57-5
configuration 57-5
managing Resources 50-2
Resources 50-3
PIX/ASA
allocate interfaces 57-8
configuration 57-7
viewing allocated interfaces 57-9
PIX/ASA/FWSM
enabling multi-context mode 57-1
managing 57-4
restoring single-context mode 57-1
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions 8-61
rollback restrictions for failover devices 8-61
showing containment 3-53
security group aware firewall policies
configuring ISE settings 11-40
security group-aware firewall policies
configuring 14-7
managing 14-1
overview 14-1
security group objects
creating 14-12
security guidelines
obtaining 1-2
Security Manager
access by CS-MARS 69-23
applications overview 1-6
archiving (backing up) the event data store 66-32
backing up and restoring database 10-24
Configuration Manager interface overview 1-12
configuring administrative settings 11-1
getting started 1-1
how permissions affect what you can do 1-10
initial configuration 1-23
installing client 1-11
integrating with Security Manager 69-21
integration with CS-MARS 69-22
logging into and exiting 1-11
managing the server 10-1
overview 1-1
recovering the event data store 66-32
reports overview 67-2
server cluster
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
server management and administration 10-1
using 1-12
Security Manager Administration command 1-34
Security Manager Diagnostics command 1-33
Security Manager Online command 1-36
security policies
PIX/ASA/FWSM 55-1
General configuration 55-3
General page 55-1
timeouts 55-4
security ratings for Trend class maps 21-19
see LACP 45-11
Select Address Pool
PIX/ASA/FWSM Platform 23-22
Select Interfaces dialog box 34-20
selectors
filtering items 1-42
using 1-42
selector trees
selecting items 1-42
Select Policy Object dialog box 34-18
Select VPN to Configure dialog box 34-22
self near-end crosstalk (SNEXT) 59-45
Self zone 21-5
sensors, IPS
allowed hosts 35-7
anomaly detection
configuring 40-6
configuring histograms 40-11
configuring learning accept mode 40-8
configuring signatures 40-4
configuring thresholds 40-11
detection zones 40-3
managing 40-1
modes 40-2
understanding 40-1
understanding histograms 40-9
understanding thresholds 40-9
understanding worms 40-2
when to turn off 40-4
blocking
configuring 42-7
configuring ARC 42-1
configuring blocking devices 42-14
configuring master blocking sensors 42-13
configuring never block hosts and networks 42-17
configuring router blocking interfaces 42-15
configuring user profiles 42-12
configuring VLAN blocking interfaces 42-16
general options 42-10
master blocking sensor 42-6
policy 42-8
rate limiting 42-4
router and switch blocking devices 42-4
strategies 42-3
understanding 42-1
capturing network traffic 35-2
certificates 43-10
configuration overview 35-5
configuration overview for IOS IPS 44-3
configuring AAA 35-19
configuring Analysis Engine global variables 35-26
configuring DNS servers 35-22
configuring HTTP proxy server 35-23
configuring NTP 35-21
configuring OS maps 39-18
configuring SNMP 35-8
configuring target value ratings 39-15
configuring the external product interface 35-23
configuring user accounts 35-16
deployment of passwords 35-15
deployment topology 35-4
discovery of passwords 35-15
event actions
example filter rule 66-58
filter rule attributes 39-9
filter rules 39-4, 39-7
filter rules tips 39-6
network information 39-14
overrides 39-13
overview 39-1
possible actions 39-2
process overview 39-1
settings 39-21
getting started 35-1
global correlation
configuring 41-1
configuring inspection and reputation 41-5
configuring network participation 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-1
understanding network participation 41-3
understanding reputation 41-2
interfaces
configuring 36-6
configuring bypass mode 36-12
configuring CDP mode 36-12
configuring inline interface pairs 36-13
configuring inline VLAN pairs 36-14
configuring physical 36-9
configuring VLAN groups 36-15
deploying VLAN groups 36-5
inline interface mode 36-3
inline VLAN pair mode 36-3
interfaces policy 36-6
managing interface configurations 36-1
physical interface properties 36-10
promiscuous mode 36-2
roles 36-1
sensing modes overview 36-2
understanding 36-1
viewing summary 36-8
VLAN group mode 36-4
IPS modules for ASA 56-14
licenses
automating 43-3
managing 43-1
redeploying 43-2
updating 43-1
managing 43-1
managing user accounts and passwords 35-13
monitoring
removing false positive IPS events 66-58
passive OS fingerprinting 39-17
password requirements 35-18
rebooting 43-11
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
configuring settings 38-27
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
inheritance 38-3
parameters list 38-21
policy 38-4
shortcut menu 38-7
understanding 38-1
viewing update level 38-9
traffic flow notifications 35-26
tuning recommendations 35-4
understanding managed and unmanaged passwords 35-14
understanding network sensing 35-1
understanding user roles 35-13
updates
automatically applying 43-6
checking for and downloading 43-5
configuring server 43-4
managing 43-4
manually applying 43-7
user account attributes 35-17
virtual sensors
advantages 37-3
assigning interfaces 37-4
attributes 37-7
configuring 37-1, 37-5
deleting 37-10
editing policies 37-9
identifying 37-5
inline TCP session tracking mode 37-3
Normalizer mode 37-4
renaming 37-8
restrictions 37-3
understanding 37-1
sensorupdate.properties 43-6
server
managing Security Manager 10-1
syslog
PIX/ASA/FWSM 52-16, 52-21
server, IPS update 43-4
server, Security Manager
configuring administrative settings 11-1
managing or administrating 10-1
Server Access
PIX/ASA/FWSM 51-1
AUS, add/edit server 51-3
AUS page 51-1
DDNS interface rule 51-18
DDNS page 51-17
DDNS update methods 51-18
DDNS update methods, add/edit 51-19
DHCP Relay, add/edit agent 51-5
DHCP Relay, add/edit server 51-6
DHCP Relay page 51-5
DHCP Server, add/edit 51-11
DHCP Server, advanced configuration 51-12
DHCP Server, options 51-13
DHCP Server page 51-10
DHCPv6 Relay, add/edit agent 51-8
DHCPv6 Relay, add/edit server 51-9
DHCPv6 Relay page 51-7
DNS page 51-13
DNS server, add 51-16
DNS server group 51-15
NTP page 51-19
NTP server configuration 51-20
SMTP page 51-21
TFTP server page 51-22
server cluster, Security Manager
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
Server Load Balance page 26-17
server load balancing
configuring for large scale DMVPN 26-16, 26-17
server attributes in large scale DMVPN 26-17
Server Properties dialog box 3-36
Server Security Settings page 11-50
Service
ASA CX
Auth Proxy Configuration 56-16
PIX/ASA/FWSM
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules 56-5
IPS, QoS, and Connection Rules wizard 56-6, 56-8
policy wizard 56-6
priority queues 56-4
priority queues configuration 56-4
security group aware IPS, QoS, and Connection Rules 14-13
traffic class 56-7
service, Event Manager
configuring 66-27
managing 66-27
monitoring event store disk space 66-31
monitoring status 66-28
selecting devices to monitor 66-31
starting or stopping 66-27
status icon colors 66-28
service agreement contracts 10-16
Service Contents dialog box 12-14
Service Device Provisioning (SDP)
on Cisco IOS routers 60-81
Service Module Credentials dialog box 3-18
Service Modules
Catalyst
firewalls 45-1
service objects
creating 6-86
naming when provisioned as object groups 6-92
provisioning as object groups 6-92
Services dialog box 6-89
understanding 6-86
service policy
configuring identity-aware rules 13-21
configuring security group aware rules 14-13
Service Policy (MPC) Rule Wizard 56-6
Connection Settings tab 56-8
CSC tab 56-8
CXSC tab 56-8
IPS tab 56-8
QoS tab 56-8
User Statistics tab 56-8
service policy rules
configuring on firewall devices 56-1
services
specifying 6-86
Set Linked Map dialog box 34-13
Settings
ScanSafe 20-6
settings
device communications 9-4
Settings, Event Actions policy 39-21
settings, report
editing 67-21
Settings pages
Autolink 11-2
Configuration Archive 11-3
CS-MARS 11-4
Customize Desktop 11-6
Debug Options 11-8
Deployment 11-9
Device Communication 11-17
Device Groups 11-20
Discovery 11-21
Event Management 11-23
Health and Performance Monitor 11-26
Identity 11-27
Image Manager 11-29
ISE 11-40
Licensing 11-41
Logs 11-45
Policy Management 11-46
Policy Objects 11-48
Rule Expiration 11-49
Server Security 11-50
Take Over User Session 11-51
Ticket Management 11-52
Token Management 11-53
VPN Policy Defaults 11-54
Workflow 11-55
SHA hash algorithm 25-6
Share Device Policies command 1-30
shared license clients
configuring 30-64
shared license servers
configuring 30-65
shared policies
cloning (copying) 5-44
Device view
adding local rules to selected device 5-42
assigning to selected device 5-41
modifying 5-45
modifying assignments 5-46
policy banner 5-35
sharing local 5-38
sharing multiple local policies 5-39
unsharing 5-40
working with 5-34
exporting 10-11
exporting with device inventory 10-6
importing 10-13
inheriting policies 5-43
Policy Bundle view
cloning 5-55
creating 5-54
renaming 5-55, 5-56
Policy view
creating 5-51
deleting 5-53
managing 5-47
modifying assignments 5-51
renaming 5-45
Site-to-Site VPN Manager
assigning to selected device 5-41
modifying assignments 5-46
sharing local 5-38
unsharing 5-40
working with 5-34
synchronizing among Security Manager servers 10-4
Shared Policy Assignments dialog box 5-46
Share Policies wizard 5-39
Share Policy command 1-30
Share Policy dialog box 5-38
SHDSL
Controller Auto Name Generator dialog box 59-45
defining controllers 59-40
on Cisco IOS routers 59-40
SHDSL Controller dialog box 59-42
SHDSL Policy page 59-41
shortcut menu commands
policies in Device view and Site-to-Site VPN Manager 5-37
Show Containment command 1-33
Show Devices On Map command 1-31
Show Devices on Map dialog box 34-16
Show Navigation Window command 1-32
Show VPN Peers dialog box 34-22
Show VPNs On Map command 1-31
Show VPNs on Map dialog box 34-21
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
configuring settings 38-27
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
inheritance 38-3
parameters list 38-21
policy 38-4
selecting category for Cisco IOS IPS 44-6
shortcut menu 38-7
tuning 66-58
tuning recommendations 35-4
understanding 38-1
updates
automatically applying 43-6
checking for and downloading 43-5
configuring server 43-4
managing 43-4
manually applying 43-7
viewing related CS-MARS events 69-30
viewing update level 38-9
Signature Settings page 38-27
Signatures page
overview 38-4
shortcut menu 38-7
Simple Network Management Protocol
see SNMP 48-7
single sign on server (SSO) objects
properties 33-30
SIP (ASA, PIX) class map objects
creating 17-21
SIP (ASA/PIX/FWSM) policy map objects
creating 17-21
properties 17-77
SIP (IOS) class map objects
creating 21-15
match criteria 21-24
SIP (IOS) policy map objects
creating 21-15
match conditions and actions 21-34
SIP class map objects
match criteria 17-79
SIP policy map objects
match conditions and actions 17-79
Site-to-Site VPN Manager
assigning shared policies 5-41
copying shared policies 5-44
managing policies 5-28
modifying policy assignments 5-46
policy banner 5-35
policy shortcut menu 5-37
renaming policies 5-45
sharing local policies 5-38
unassigning policies 5-33
understanding shared policies 5-34
unsharing policies 5-40
Site-to-Site VPN Manager window 24-18
Site-to-Site VPN policy page (Device view) 24-19
site-to-site VPNs
accessing topologies and policies 24-17
configuring global settings
configuring fragmentation settings 25-40
configuring IKEv2 settings 25-34
configuring ISAKMP/IPsec settings 25-30
configuring NAT settings 25-38
overview 25-29
understanding NAT settings 25-37
configuring IKE and IPsec policies 25-1
creating or editing Extranet VPN topologies 24-62
creating or editing VPN topologies 24-28
discovering 24-24
managing 24-1
rediscovering 24-26
repairing discovered VPNs with multiple spoke definitions 24-25
understanding discovery 24-19
understanding topologies 24-2
using device overrides to customize VPN policies 24-13
viewing summary of VPN configuration 24-58
Site-to-Site VPNs command 1-32
Skinny policy map objects
creating 17-21
match conditions and actions 17-83
properties 17-81
SLA monitor objects
attributes 50-9
configuring 50-8
understanding 50-7
Smartfilter (N2H2)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-35, 21-38, 21-40
Smart Tunnel Auto Signon Entry dialog box 33-56
Smart Tunnel Auto Signon Lists dialog box 33-55
smart tunnels
configuring for ASA SSL VPNs 30-73
SMTP
configuring for inspection rules 17-18
preventing DoS attacks using zone based firewall 21-25
preventing spam using zone based firewall 21-25
SMTP class map objects
creating 21-15
match criteria 21-25
SMTP policy map objects
creating 21-15
match conditions and actions 21-34
SMTP server
configuring 1-25
PIX/ASA/FWSM 51-21
SNEXT 59-45
SNMP
Cisco IOS routers
defining agent properties 60-67
enabling traps 60-68
overview 60-66
Permission dialog box 60-70
SNMP Policy page 60-69
SNMP Traps dialog box 60-72
Trap Receiver dialog box 60-71
configuring for HPM S2S polling 68-35
configuring for IPS sensors 35-8
configuring on firewall devices 48-7
IPS general options 35-10
IPS trap options 35-11
PIX/ASA/FWSM 48-8
host access 48-12
MIBs 48-7
OIDs 48-7
Trap configuration 48-9
terminology 48-8
SNMP Credentials dialog box 3-47
SNMP policy map objects
creating 17-21
properties 17-84
SNMP Trap Communication dialog box 35-12
SNMP Trap Communication tab, SNMP policy for IPS 35-11
socket read timeout
device communication 11-18
Software Application Support contracts 10-16
Source Contents dialog box 12-14
spam
blocking spam using zone-based firewall rules 21-25
spoke-to-spoke connections, DMVPN 26-10
spoofing, preventing 55-1, 55-3
spoofing attacks, preventing 17-4
SSH
configuring on IOS routers, Catalyst switches, Catalyst 6500/7600 devices 2-6
line ending conventions 2-5
preventing non-SSH connections 2-7
setting up 2-5
testing authentication 2-5
troubleshooting connections 9-7
SSL
handshake failure during deployment 2-2
remote access SSL VPNs
advanced settings (ASA) 30-61
AnyConnect client settings (ASA) 30-52, 30-53
browser plug-ins 30-50
content rewrite rules (ASA) 30-43
encoding rules (ASA) 30-45
Kerberos Constrained Delegation (KCD on ASA) 30-56, 30-58
proxy bypass rules (ASA) 30-49
remote access VPNs 30-36
access modes 29-4
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
AnyConnect client image settings (ASA) 30-55
AnyConnect custom attributes (ASA) 30-59, 30-60
cluster load balancing 30-4, 30-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 30-47
connection profiles 30-6
connection profiles (ASA) 30-8
Context Editor dialog box (IOS) 32-15, 32-16
creating on ASA 29-14
creating on IOS devices 29-31
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
example 29-3
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
limitations 29-7
managing support files 29-5
NAT settings 25-38
other settings (ASA) 30-41
performance settings (ASA) 30-42
policies (IOS) 32-14
prerequisites 29-7
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
server certificate verification (ASA) 30-25, 30-26, 30-27, 30-61
shared license clients (ASA) 30-64
shared licenses (ASA) 30-62
shared license servers (ASA) 30-65
understanding 29-2
understanding NAT settings 25-37
wizard 29-13
setting up 2-3
troubleshooting certificate errors 9-4
VPN
sharing connection profiles on ASAs 29-8
SSL authentication certificates
adding thumbprints manually 9-4
configuring default settings for how handled 11-18
SSL VPN
policy discovery restriction 3-8
SSL VPN Access page (ASA) 30-37
SSL VPN bookmark objects
configuring 30-70
post URL method and macro substitutions 30-72
SSL VPN Bookmarks objects
SSL VPN Bookmarks dialog box 33-33
SSL VPN Configuration wizard
Access page (ASA) 29-15
Connection Profile page (ASA) 29-16
Gateway and Context Page (IOS) 29-32
Portal Page Customization Page (IOS) 29-34
SSL VPN Customization objects
configuring 30-66
creating custom Logon page 30-70
localizing 30-68
SSL VPN gateway objects
properties 33-50
SSL VPN Other Settings page (ASA)
Advanced tab 30-61
Client Settings tab 30-53
Content Rewrite tab 30-43
Encoding tab 30-45
Microsoft KCD Server tab 30-56, 30-58
overview 30-41
Performance tab 30-42
Proxy tab 30-47
SSL Server Verification tab 30-25, 30-26, 30-27, 30-61
SSL VPN Policy page (IOS) 32-14
SSL VPNs
ASA devices
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
IOS devices
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
SSL VPN Shared License page (ASA) 30-62
SSL VPN smart tunnel auto sign-on list objects
attributes 33-55
SSL VPN smart tunnel list objects
attributes 33-52
configuring 30-73
stateful failover 49-3, 49-4
site-to-site VPN 24-50
stateless failover 49-3
states
activity 4-4
ticket 4-4
static crypto maps 25-18
Static Group tab (IGMP) 53-6
static NAT
Cisco IOS routers
disable automatic aliasing 23-7
disable payload 23-9
on Cisco IOS routers 23-6
static routes
configuring on firewall devices 54-48
PIX/ASA/FWSM
configuration 54-49
static routing
Cisco IOS routers
defining on 64-50
overview 64-50
Static Routing dialog box 64-52
Static Routing Policy page 64-51
Static Rule
PIX/ASA/FWSM 23-25
add/edit 23-26
status
activity 4-4
ticket 4-4
subinterfaces 45-7
specifying during policy definition 6-70
Submit Activity command 1-34
Submit Activity dialog box 4-20
Submit and Deploy command 1-28
Submit command 1-28
Submit Deployment Job dialog box 8-39
Submitted activity state 4-5
Submit Ticket command 1-35
Sun RPC class map objects
creating 21-15
match criteria 21-28
Sun RPC policy map objects
creating 21-15
match conditions and actions 21-34
support
obtaining 1-2
support, technical
creating diagnostic file 10-27
generating data 10-27
generating deployment or discovery status reports 10-28
generating partial database backup 10-29
Suspend Deployment Schedule dialog box 8-21, 8-55
switches
communication requirements 2-1
SYN flooding attacks, preventing 17-4
syslog
access rule look-up 69-6
deeply parsed for Event Viewer 66-6
logging
PIX/ASA/FWSM 52-1
message properties 66-16
syslog messages supported for policy lookup 69-32
syslogs
Cisco IOS routers 62-1
system variables
devices 7-7
firewall 7-9
FlexConfigs 7-7
remote access VPN 7-18
routers 7-13
VPN 7-14
T
tables
using 1-45
tables, rules
adding rules 12-9
columns and headings 1-46
commands, Edit menu 1-29
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-45
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-7
TACACS+
description 6-26
settings in AAA server objects 6-35
Take Over User Session page 11-51
Target Value Rating dialog box 39-16
Target Value Ratings, IPS Network Information policy 39-15
target value ratings (IPS) 39-15
task flow
deployment
non-Workflow mode 8-3
Workflow mode 8-5
taskflow 1-17
TCP Map objects
properties 56-20
TCP State Bypass
ASA/FWSM 56-3
Telnet
PIX/ASA/FWSM 48-13
configuration 48-14
text fields
ASCII limitations 1-46
finding text in multiple-line 1-47
navigating 1-47
using 1-46
text objects
creating 7-31
TFTP servers
PIX/ASA/FWSM 51-22
thin client access mode 29-4
thresholds
configuring anomaly detection 40-11
understanding anomaly detection 40-9
throughput
VPN user reports 67-15, 67-16
ticketing
overview 1-18
Ticket Management
settings 11-52
ticket management
comparing workflow modes 1-20
Ticket Manager window 4-10
tickets
closing 4-16
creating 4-14
discarding 4-22
multiple users 4-4
opening 4-15
states 4-4
Ticket Manager window 4-10
understanding 4-1
using global search to find specific tickets 1-39
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Tickets menu 1-34
tiered hub-and-spoke topologies 24-5
time
changing range for reports 67-21
timeouts
on firewall devices 55-4
timeouts (NAT)
Cisco IOS routers 23-13
Timeout Value
Firewall AAA 15-27
time range objects
attributes for recurring ranges 6-67
configuring 6-66
time slider (Event Viewer)
filtering with 66-40
using 66-23
time synchronization
on IOS routers 60-96
time zone settings
certificate errors 9-6
Cisco IOS routers
Clock Policy page 60-23
defining time zone and DST 60-22
overview 60-22
TMS
deploying configurations 8-43
deployment method 8-10
Token Management page 11-53
Token Management System (TMS)
settings 11-53
toolbar
activities 4-8, 4-9
toolbar reference
Configuration Manager 1-36
event table in Event Viewer 66-14
toolbars
Report Manager generated report 67-11
Report Manager report settings 67-10
Tools menu
Configuration Manager 1-33
Report Manager 67-8
Trace Route 69-14
TraceRoute 69-16
traffic class
PIX/ASA/FWSM
rules wizard 56-7
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
traffic encryption key (KEK), GET VPN 28-4
traffic flow notifications
configuring for IPS 35-26
traffic flow objects
default inspection traffic 56-18
properties 56-16
traffic match criteria 56-2
transcripts
viewing 8-56
Transcript Viewer window 8-58
transform sets
attributes 25-25
understanding 25-19
Translation Exemption (NAT-0 ACL) Rule
PIX/ASA/FWSM 23-19
add/edit 23-20
Translation Options
PIX/ASA/FWSM 23-15
Translation Rules
Add/Edit Per-Session NAT rules dialog boxes 23-46
ASA 8.3+ 23-32
Add/Edit NAT rules dialog boxes 23-35
per-session NAT rules 23-45
PIX/ASA/FWSM 23-18
transparent bridging
Cisco IOS routers
BVI interfaces 60-18
overview 60-18
defining bridge groups 60-19
transparent firewall
configuring on PIX/ASA/FWSM 46-1
NAT 23-15
transparent rules
adding or editing a rule 22-5
configuring 22-1
configuring DHCP passthrough for IOS devices 22-3
configuring in Map view 34-23
deleting 12-9
disabling 12-20
editing 12-9
editing the EtherType 22-6
editing the mask 22-7
enabling 12-20
managing 22-1
moving 12-19
Transparent Rules page 22-3
understanding processing order 12-2
Transparent Rules page 22-3
transport protocols
device defaults 11-18
overview of device requirements 2-1
transport settings
AUS 2-7
Configuration Engine 2-7
SSH 2-5
SSL (HTTPS) 2-3
traps, SNMP
configuring for IPS sensors 35-8
IPS options 35-11
trees
selecting items 1-42
Trend class map objects
creating 21-35
Trend parameter map objects
creating 21-35
properties 21-41
troubleshooting
AUS deployment 9-18
Catalyst switch and module deployment 9-15
Configuration Engine deployment 9-18
creating diagnostics file 10-27
CS-MARS queries 69-26
deleted FWSM contexts do not remove configuration files 57-4
deployment 9-9
device communication and deployment 9-1
device discovery failures 3-7
device managers 69-5
device managers, using 69-4
devices marked with red X in device selector 9-8
Event Manager service status 66-28
Event Viewer Unavailable message 11-23, 11-26, 66-27
FlexConfigs 7-37
FWSM multiple-context deployment failures 9-17
generating data for TAC 10-27
generating deployment or discovery status reports 10-28
GET VPN registration failure 28-9
global correlation (IPS) configuration 41-4
ignoring device errors during deployment 9-10
invalid certificate error 9-6
minimum memory errors for ASA 8.3+ 9-11
mixing deployment methods 9-13
Not able to connect to server message, Report Manager 67-31
online help, problems accessing 1-49
packet capture, using 69-18
packet tracer, using 69-12
policy objects not available in Event Viewer 66-59
preshared key policies in VPN not discovered 24-23
Report Manager 67-31
router connection failures 2-2
router deployment 9-14
Security Manager cannot contact device after deployment 9-12
SSL certificate errors 9-4, 9-6
user interface problems 1-48
VPN crypto traffic unexpectedly dropped on GET VPN interfaces 28-9
VPNs with routing processes 9-13
VRF-aware IPsec deployment failures on Catalyst 6500/7600 devices 24-17
trunk ports
Create and Edit Interface dialog boxes-Trunk Port mode 65-14
understanding 65-5
Trusted Transitive Introduction (TTI)
use in SDP policies 60-81
TrustSec
configuring ISE settings 11-40
security group objects
creating 14-12
TrustSec firewall policies
configuring 14-7
configuring rules 14-13
managing 14-1
TrustSec policies
monitoring 14-14
TrustSec security group objects
selecting 14-13
U
Unassign Policy command 1-30
Undock Map View command 1-32
unicast rekey in GET VPN 28-6
Unicast Reverse Path Forwarding 55-1, 55-3
unicast reverse path forwarding
enabling on routers 59-20
Unshare Policy command 1-30
Unspecified Bit Rate (UBR) 59-48
Unspecified Bit Rate Plus (UBR+) 59-48
Update Level dialog box 38-9
updating images on devices 70-18
Updating Licenses from File dialog box 11-44
Updating Licenses via CCO dialog box 11-44
URLF Glob parameter map objects
metacharacters 21-45
properties 21-44
URL Filter parameter map objects
creating 21-35
properties 21-42
usage reports
generating 6-14
user accounts
configuring IPS 35-16
configuring IPS password requirements 35-18
discovery and deployment of IPS 35-15
IPS account attributes 35-17
managing IPS device 35-13
PIX/ASA/FWSM 50-6
add/edit 50-7
rolling back configurations 8-60
understanding IPS user roles 35-13
understanding managed and unmanaged passwords 35-14
User Accounts policy, IPS devices 35-16
user group objects
advanced PIX 6.3 settings 33-66
browser proxy settings 33-72
clientless settings 33-67
client VPN software update (IOS) settings 33-65
DNS/WINS settings 33-61
general settings 33-60
IOS client settings 33-63
IOS Xauth settings 33-64
split tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN connection settings 33-73
SSL VPN full tunnel settings 33-69
SSL VPN split tunneling settings 33-70
technology settings 33-58
thin client settings 33-68
user group policies
configuring for Easy VPN 27-14
configuring for remote access IPsec VPNs on IOS/PIX 6.3 32-13
User Group Policy page 32-13
user identity acquisition 13-2
user interface
applications overview 1-6
basic features 1-27
dialog box too big for screen 1-49
freezing 1-48
how permissions affect what you can do 1-10
Java errors 1-48
maps toolbar reference 34-4
map view 34-1
menu reference for Configuration Manager 1-27
missing text 1-48
overview of Configuration Manager 1-12
rules tables 12-7
searching for items 1-39
selecting items in a tree 1-42
selecting or specifying files 1-47
table
columns and headings 1-46
sections 12-20
tables 1-45
text fields
ASCII limitations 1-46
finding text in multiple-line 1-47
navigating 1-47
using 1-46
toolbars
Configuration Manager 1-36
event table in Event Viewer 66-14
troubleshooting 1-48
wizards 1-44
user login credentials for device access 3-4
user passwords
changing 10-23
user roles, IPS 35-13
users
how permissions affect what you can do 1-10
taking over configuration session 10-23
User Statistics
MPC rule wizard
tab 56-8
user statistics, collecting 13-25
user taskflow 1-17
V
Validate Activity command 1-34
Validate command 1-28
Validate Ticket command 1-35
Validation dialog box 4-18
validation error messages 4-18
Values Assignment dialog box 7-36
Variable Bit Rate-Non-Real Time (VBR-nrt) 59-48
Variable Bit Rate-Real Time (VBR-rt) 59-48
variables
deleting FlexConfig 7-27
FlexConfig objects 7-5, 7-6
changing variable values 7-34
VDI servers 33-12
Velocity Engine error message 7-37
Velocity Template Engine
scripting language 7-3
View Changes command 1-28, 1-34
viewing interface allocations 57-9
View menu
Configuration Manager 1-30
Event Viewer 66-9
views
Device 1-13
Event Viewer
clearing filters 66-44
column based filters 66-41
event based filters 66-43
filtering overview 66-39
refreshing event table 66-40
selecting time range 66-39
switching between real-time and historical 66-38
text searches (quick filter) 66-44
using time slider with filtering 66-40
HPM 68-18
column-based filters 68-15
Map 1-16
overview 1-12
Policy 1-14
views (Event Viewer)
arranging 66-34
configuring color rules 66-36
creating custom 66-37
customizing event table appearance 66-35
deleting custom 66-39
editing description 66-38
editing name 66-38
Event Monitoring window overview 66-12
Event Viewer overview 66-7
floating 66-34
list 66-11
opening 66-34
overview 66-3
saving 66-38
using 66-33
virtual channel identifier (VCI) 59-46
virtual firewalls
See security contexts
virtual fragment reassembly (VFR) 59-19
virtual path identifier (VPI) 59-46
Virtual Routing Forwarding (VRF)
VRF-Aware IPsec 24-14
virtual sensors
advantages 37-3
assigning interfaces 37-4
attributes 37-7
configuring 37-1, 37-5
deleting 37-10
discovering policies 5-13
editing policies 37-9
identifying 37-5
inline TCP session tracking mode 37-3
Normalizer mode 37-4
renaming 37-8
restrictions 37-3
showing containment 3-53
understanding 37-1
Virtual Sensors page 37-5
virtual terminal (VTY)
Cisco IOS routers
defining AAA settings 60-40
defining line groups 60-38
defining line setup parameters 60-38
virtual terminal (VTY) lines
Cisco IOS routers
VTY Line dialog box 60-51
VTY Policy page 60-50
VLAN
configuring IPS groups 36-15
configuring IPS inline pairs 36-14
VLAN ACLs (VACLs)
defining 65-37
deleting 65-39
understanding 65-36
VLAN access maps 65-37
VLANs
Catalyst switches and 7600 Series routers
Create and Edit VLAN ACL Content dialog boxes 65-42
Create and Edit VLAN ACL dialog boxes 65-41
Create and Edit VLAN dialog boxes 65-28
defining 65-26
defining Data Port for IDSM 65-46
defining EtherChannel for IDSM 65-45
defining groups 65-32
defining VACLs 65-37
deleting 65-27
deleting Data Port for IDSM 65-48
deleting EtherChannel for IDSM 65-46
deleting groups 65-33
deleting VACLs 65-39
Interfaces/VLANs page-VLANs tab 65-27
understanding 65-25
understanding VACLs 65-36
understanding VLAN groups 65-31
VLAN Access Lists page 65-39
VPDN groups 45-45
VPN
configuring policy defaults 11-54, 24-12
mixing deployment methods 9-13
policy discovery restriction for web VPNs 3-8
Report Manager reports
general VPN reports 67-16
VPN top reports 67-15
system variables 7-14
traffic sent unencrypted 9-14
updating routing processes 9-13
using device overrides to customize VPN policies 24-13
zone-based firewall 21-5
VPN default policies
configuring 24-12
factory defaults 24-12
understanding 24-12
VPN discovery
prerequisites 24-21
procedure 24-24
rules 24-21
supported and unsupported technologies and topologies 24-20
understanding 24-19
VPN global settings
GET VPN
VPN Global Settings for GET page 28-16
VPN Global Settings policy
General Settings tab 25-40
IKEv2 tab 25-34
ISAKMP/IPsec tab 25-30
NAT Settings tab 25-38
VPN Peers dialog box 34-22
VPN Policy Defaults page 11-54
VPN rediscovery 24-26
VPNs
AAA services 47-4
ASA devices
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
configuring remote access using wizard 29-13
creating in Map view 34-21
Easy VPN
connection profiles 27-13
connection profiles (ASA, PIX 7+) 30-8
IOS devices
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
IPsec
access policies for IKEv2 (ASA), configuring 30-40
access policies for IKEv2 (ASA), reference 30-37
access policies for IKEv2 (ASA), understanding 30-36
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1) 30-29
cluster load balancing 30-4, 30-5
configuring IKE and IPsec policies 25-1
connection profiles 30-6
connection profiles (ASA, PIX 7+) 30-8
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
Dynamic VTI/VRF Aware IPsec settings 32-7
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
high availability policies 32-11
IKE proposals 25-9
IKEv2 authentication 25-62, 25-64, 25-66
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
NAT settings 25-38
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
understanding IKE 25-5
understanding NAT settings 25-37
user group policies for IOS, PIX 6.3 32-13
VPNSM, VPN SPA, VSPA settings 32-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring for ASA and PIX 7.0+ devices 30-33
configuring for IOS and PIX 6.3 devices 32-3
Map view 34-20
policy discovery 5-12
remote access
access modes 29-4
device support 29-8
discovering 29-12
managing 29-1
managing (ASA, PIX 7.0+) 30-1
managing (IOS, PIX 6.3) 32-1
SSL 30-36
remote access IPSec
understanding 29-2
remote access SSL
example 29-3
limitations 29-7
managing support files 29-5
prerequisites 29-7
understanding 29-2
shared policies 5-4
site-to-site
configuring IKE and IPsec policies 25-1
policies overview 24-8
site-to-site VPNs 24-1
SSL
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
advanced settings (ASA) 30-61
AnyConnect client image settings (ASA) 30-55
AnyConnect client settings (ASA) 30-52, 30-53
AnyConnect custom attributes (ASA) 30-59, 30-60
browser plug-ins (ASA) 30-50
cluster load balancing 30-4, 30-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 30-47
connection profiles 30-6
connection profiles (ASA) 30-8
content rewrite rules (ASA) 30-43
Context Editor dialog box (IOS) 32-15, 32-16
creating on ASA 29-14
creating on IOS devices 29-31
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
encoding rules (ASA) 30-45
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
Kerberos Constrained Delegation (KCD on ASA) 30-56, 30-58
NAT settings 25-38
other settings (ASA) 30-41
performance settings (ASA) 30-42
policies (IOS) 32-14
proxy bypass rules (ASA) 30-49
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
server certificate verification (ASA) 30-25, 30-26, 30-27, 30-61
shared license (ASA) 30-62
shared license clients (ASA) 30-64
shared license servers (ASA) 30-65
understanding NAT settings 25-37
wizard 29-13
understanding 29-1
VPN Service Port Adapters (VSPAs)
configuring 24-40
VPN Services Module (VPNSM)
configuring 24-40
VPN Shared Port Adapter (VPN SPA)
configuring 24-40
VPNSM/VPN SPA/VSPA Settings dialog box 32-6
VPN Summary page 24-58
VPN topologies
accessing 24-17
assigning initial policies to new 24-57
assigning shared policies 5-41
cloning device VPN assignments 3-54
cloning shared policies 5-44
configuring dial backup 24-38
configuring GET VPN peers 24-56
configuring in Device view 24-19
creating or editing 24-28
creating or editing Extranet 24-62
defining endpoints and protected networks 24-33
defining GET VPN group encryption 24-50
deleting 24-66
discovering 24-19, 24-24
full mesh 24-4
hub-and-spoke 24-2
including unmanaged or non-Cisco devices 24-11
joined hub-and-spoke 24-5
locking 5-9
naming 24-30
partial mesh 24-5
point-to-point 24-3
rediscovering 24-26
removing devices 24-32
renaming policies 5-45
repairing discovered VPNs with multiple spoke definitions 24-25
selecting devices 24-32
tiered hub-and-spoke 24-5
unassigning policies 5-33
understanding 24-2
unsharing policies 5-40
using device overrides to customize VPN policies 24-13
viewing summary of VPN configuration 24-58
VRF-Aware IPsec
changing on Catalyst switches and 7600 routers 24-17
configuring 24-45
one-box solution 24-14
two-box solution 24-15
understanding 24-14
VRF-Aware IPsec tab (site-to-site VPN) 24-45
VTP modes, for Catalyst switches 65-1
VTY Line dialog box 60-51
Accounting tab 60-57
Authentication tab 60-55
Authorization tab 60-56
Setup tab 60-52
W
WAN interface card (WIC) 59-35
Warning - Partial VPN Deployment dialog box 8-32
warnings
significance of 1-1
Web Filter policy map objects
creating 21-35
match conditions and actions 21-34
properties 21-46
web filter rules
ACL naming conventions 12-5
ASA/FWSM/PIX
converting IPv4 12-28
deleting 12-9
editing 12-9
moving 12-19
attributes (IOS) 18-13
configuring exclusive domains for IOS devices 18-10
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
configuring in Map view 34-23
disabling 12-20
enabling 12-20
exclusive domain names (IOS) 18-14
managing 18-1
preserving ACL names 12-4
understanding 18-1
understanding NAT effects 12-3
understanding processing order 12-2
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-11
web filter server properties 18-19
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-11
Web Filter Server Configuration dialog box 18-19
web filter servers
attributes 18-19
configuring settings 18-15
configuring settings in Map view 34-24
configuring zone-based firewall settings in Map view 34-24
Web Filter settings page 18-16
Websense
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-35, 21-38, 21-40
Websense class map objects
creating 21-35
match criteria 21-29
Websense parameter map objects
creating 21-35
properties 21-38
web VPN
policy discovery restriction 3-8
Weighted Random Early Detection (WRED) 63-4
Whitelist/Blacklist tab 19-14
windows
arranging report 67-25
arranging views 66-34
closing report 67-26
undocking maps 34-2
Windows Messenger class map objects
creating 21-15
match criteria 21-20
Windows NT servers
use by ASA, PIX, and FWSM devices 6-26
WINS Server Lists objects
attributes 33-74
creating 30-76
wizard
installation manager 70-24
wizards
configuring remote access SSL VPNs on ASA devices 29-14
configuring remote access SSL VPNs on IOS devices 29-31
configuring remote access VPNs 29-13
Copy Policies 5-31
Create Extranet VPN Topology 24-62
Create VPN Topology 24-28
creating remote access IPsec VPNs on ASA/PIX 7.0+ devices 29-24
creating remote access IPsec VPNs on IOS/PIX 6.3 devices 29-35
creating user group policies 29-19
Discover VPN policies 24-24
New Device 3-6
Rediscover VPN policies 24-26
Share Policies 5-39
wizards, using 1-44
workflow
overview 1-18
Workflow mode
changing modes 1-26
comparing with non-Workflow mode 1-20
configuration files
deploying 8-35, 8-40
previewing 8-45
configurations
rolling back 8-65
creating activities 4-14
deployment
viewing device details 8-27
viewing job history 8-27
jobs
aborting 8-51
approving 8-39
discarding 8-41
rejecting 8-39
states 8-6
submitting 8-39
opening activities 4-15
understanding 1-19
workflow modes
changing 1-26
comparing 1-20
Workflow Settings page 11-55
working with 3-57
worms
configuring IPS anomaly detection signatures 40-4
understanding 40-2
understanding IPS anomaly detection 40-1
understanding when to turn off anomaly detection 40-4
X
xdm-launcher.exe
device manager 69-6
Y
Yahoo Messenger class map objects
creating 21-15
match criteria 21-20
Z
zone-based firewall
add/edit zones 21-52
advanced options 21-63
changing the default drop rule 21-47
configuring PAM 21-65
configuring rules 21-12, 21-59
configuring settings 21-48
configuring settings in Map view 34-24
Content Filter tab 21-51
designing network zones 21-1
development overview 21-12
general recommendations 21-11
Global Parameters tab 21-49
IPSec VPN 21-5
logging 21-1
overview 21-1
page 21-49
preserving ACL names 12-4
protocol selection 21-64
restrictions 21-3
rules table 21-57
Self zone 21-5
tabs 21-48
troubleshooting 21-53
understanding 21-3
understanding NAT effects 12-3
understanding permit/deny and action 21-7
understanding processing order 12-2
understanding services and protocols 21-10
VPN tab 21-49
VRF 21-6
WAAS tab 21-49
Zones tab 21-49
zone-based firewall rules
configuring in Map view 34-23
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
moving 12-19
zone-based firewall rules policies
blocking spam using zone-based firewall rules 21-25
configuring map objects for content filtering rules 21-35
configuring map objects for inspection rules 21-15
creating zones 6-68
inspection parameters 21-29
match conditions for IM applications 21-20
match conditions for P2P applications 21-20
preventing SMTP DoS attacks 21-25
protocol information for IM application inspection 21-32
understanding interface role objects 6-67
Zone Contents dialog box 12-14
zones
creating 6-68
understanding interface role objects 6-67
zones, anomaly detection 40-3
Zoom In command 1-31
Zoom Out command 1-31
Add ESMTP Map dialog box 17-34
Add Extended Access Control Entry dialog box 6-56
Add Extended Access List dialog box 6-55
Add External Filter dialog box 21-40
Add FastTrack Class Map dialog box 17-26, 21-17
Add File Object dialog box 33-25
Add FlexConfig dialog box 7-29
Add FTP Class Map dialog box 17-26
Add FTP Map dialog box 17-37
Add Gnutella Class Map dialog box 17-26, 21-17
Add Group dialog box 3-60
Add Group Member dialog box 28-19
Add GTP Map dialog box 17-40
Add H.323 Class Map dialog box 17-26, 21-17
Add H.323 Map dialog box 17-45, 21-33
Add HSI Endpoint IP Address dialog box 17-48
Add HSI Group dialog box 17-47
Add HTTP Class Map dialog box 17-26, 21-17
Add HTTP Map dialog box 21-33
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-52
Extension Request Method tab 17-55
General tab 17-51
overview 17-50
Port Misuse tab 17-56
RFC Request Method tab 17-54
Transfer Encoding tab 17-57
ASA 7.2+ and PIX 7.2+ devices 17-58
Add ICQ Class Map dialog box 17-26, 21-17
Add IKEv1 Proposal dialog box 25-10
Add IKEv2 Proposal dialog box 25-13
Add IMAP Class Map dialog box 17-26, 21-17
Add IMAP Map dialog box 21-33
Add IM Class Map dialog box 17-26
Add IM Map dialog box 21-33
ASA and PIX device 17-64
IOS device 17-67
Add Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
Add Inspect Parameter Map dialog box 21-29
Add Interfaces dialog box 12-13
Add IP Options Map dialog box 17-68
Add IPsec Pass Through Map dialog box 17-74
Add IPSec Transform Set dialog box 25-25
Add IPv4 Pool Object dialog box 6-83
Add IPv6 Map dialog box 17-70
Add IPv6 Pool Object dialog box 6-84
Add Kazaa2 Class Map dialog box 17-26, 21-17
Add Key Server dialog box 28-19
Add Language dialog box 33-42
Add LDAP Attribute Map dialog box 6-43
Add LDAP Attribute Map Value dialog box 6-44
Add Link command 1-31
Add Link dialog box 34-20
Add Local Rules command 1-30
Add Local Web Filter Class Map dialog box 17-26, 21-17
Add Local Web Filter Parameter Map dialog box 21-37
Add MAC Address Pool Object dialog box 6-85
Add Map Object command 1-31
Add Map Object dialog box 34-18
Add Map Value dialog box 6-44
Add Match Condition and Action dialog box
DNS policy maps 17-31
ESMTP policy maps 17-35
FTP policy maps 17-38
GTP policy maps 17-43
H.323 (IOS) policy maps 21-34
H.323 policy maps 17-48
HTTP (Zone Based IOS) policy maps 21-34
HTTP policy maps 17-59
IM (Zone Based IOS) policy maps 21-34
IMAP policy maps 21-34
IM policy maps 17-65
IPv6 policy maps 17-71
P2P policy maps 21-34
POP3 policy maps 21-34
SIP (IOS) policy maps 21-34
SIP policy maps 17-79
Skinny policy maps 17-83
SMTP policy maps 21-34
Sun RPC policy maps 21-34
Web Filter policy maps 21-34
Add Match Criterion dialog box
AOL class maps 21-20
DNS class maps 17-31
eDonkey class maps 21-20
FastTrack class maps 21-20
FTP class maps 17-38
Gnutella class maps 21-20
H.323 (IOS) class maps 21-21
H.323 class maps 17-48
HTTP (IOS) class maps 21-21
HTTP class maps 17-59
ICQ class maps 21-20
IMAP class maps 21-23
IM class maps 17-65
Kazaa2 class maps 21-20
Local Web Filter class maps 21-28
MSN Messenger class maps 21-20
N2H2 class maps 21-29
POP3 class maps 21-23
SIP (IOS) class maps 21-24
SIP class maps 17-79
SMTP class maps 21-25
Sun RPC class maps 21-28
Websense class maps 21-29
Windows Messenger class maps 21-20
Yahoo Messenger class maps 21-20
Add MSN Messenger Class Map dialog box 17-26, 21-17
Add N2H2 Parameter Map dialog box 21-38
Add N2H2 Web Filter Class Map dialog box 17-26, 21-17
Add NAT Rule dialog box
ASA 8.3+ 23-35
Add NetBIOS Map dialog box 17-75
Add Network/Host dialog box
General tab 6-77
NAT tab 23-41
Add New Device wizard
Device Credentials page 3-44
Add New Security Association dialog box 24-54
Add or Edit Plug-in Entry dialog box (ASA) 30-50
Add Other Devices dialog box 8-54
Add P2P Map dialog box 21-33
Add Permit Response dialog box 17-42
Add Per-Session NAT Rule dialog box 23-46
Add PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Add PKI Enrollment dialog box
CA Information tab 25-55
Certificate Subject Name tab 25-61
Enrollment Parameters tab 25-59
overview 25-54
Trusted CA Hierarchy tab 25-62
Add POP3 Class Map dialog box 17-26, 21-17
Add Port Forwarding List dialog box 33-28
Add Port List dialog box 6-87
Add Protocol Info Parameter Map dialog box 21-32
Add Regular Expression dialog box 17-86
Add Regular Expression Group dialog box 17-85
Address Pools
PIX/ASA/FWSM 23-17
add/edit 23-17
address pools
overriding in connection profiles 29-8
Add Row command 1-29
Add Rule Section dialog box 12-22
Add Server dialog box
Protocol Info Parameter maps 21-33
Add Service dialog box 6-89
Add Services dialog box 12-12
Add Single Sign On Server dialog boxes 33-30
Add SIP Class Map dialog box 17-26, 21-17
Add SIP Map dialog box 17-77, 21-33
Add Skinny Map dialog box 17-81
Add SLA Monitor dialog box 50-9
Add Smart Tunnel Auto Signon Entry dialog box 33-56
Add Smart Tunnel Auto Signon Lists dialog box 33-55
Add Smart Tunnel Lists dialog box 33-52
Add SMTP Class Map dialog box 17-26, 21-17
Add SMTP Map dialog box 21-33
Add SNMP Map dialog box 17-84
Add Sources dialog box 12-11
Add SSL VPN Customization dialog box 33-36
Applications 33-46
Copyright Panel 33-44
Custom Panes 33-46
Full Customization 33-45
Home Page 33-48
Informational Panel 33-43
Language 33-40
Logon Form 33-42
Logout Page 33-49
Title Panel 33-39
Toolbar 33-45
Add SSL VPN Gateway dialog box 33-50
Add Standard Access Control Entry dialog box 6-59
Add Standard Access List dialog box 6-55
Add Sun RPC Class Map dialog box 17-26, 21-17
Add Sun RPC Map dialog box 21-33
Add TCP Map dialog box 56-20
Add TCP Option Range Dialog Box 56-22
Add Text Object dialog box 7-31
Add Time Range dialog box 6-66
Add Traffic Flow dialog box 56-16
Add Transparent Firewall Rule dialog box 22-5
Add Trend Content Filter Class Map dialog box 17-26, 21-17
Add Trend Parameter Map dialog box 21-41
Add Unified Access Control Entry dialog box 6-62
Add URL Domain Name dialog box 21-44
Add URLF Glob Parameter Map dialog box 21-44
Add URL Filter Parameter Map dialog box 21-42
Add User dialog box 12-12, 35-17
Add User Group dialog box
Advanced PIX 6.3 settings 33-66
Browser Proxy settings 33-72
Client (IOS) settings 33-63
Clientless settings 33-67
Client VPN Software Update (IOS) settings 33-65
DNS/WINS settings 33-61
General settings 33-60
IOS Xauth Options settings 33-64
overview 33-58
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN Connection settings 33-73
SSL VPN Full Tunnel settings 33-69
SSL VPN Split Tunneling settings 33-70
Technology settings 33-58
Thin Client settings 33-68
Add User Profile dialog box 42-12
Add VDI Server dialog box 33-12
Add Virtual Sensor dialog box 37-7, 37-8
Add Web Access Control Entry dialog box 6-60
Add Web Filter Map dialog box 21-46
Add WebSense Parameter Map dialog box 21-38
Add Websense Web Filter Class Map dialog box 17-26, 21-17
Add Web Type Access List dialog box 6-55
Add Windows Messenger Class Map dialog box 17-26, 21-17
Add WINS Server dialog box 33-74
Add WINS Server List dialog box 33-74
Add Yahoo Messenger Class Map dialog box 17-26, 21-17
Add Zones dialog box 12-13
admin context 57-1
administration
selecting policies to manage 5-10
administrative settings, configuring 11-1
admin password, changing 10-23
ADSL
ADSL Policy page 59-36
ADSL Settings dialog box 59-37
defining settings 59-35
supported operating modes 59-34
ADSL policies
unable to deploy 9-15
Advanced dialog box
access rules 16-15
Advanced NAT Options
PIX/ASA/FWSM
add/edit 23-28
Advanced settings
interface configuration
PIX/ASA/FWSM 45-42
AES encryption algorithm
in IKE proposals 25-6
AIM-IPS interfaces
IPS Module Interface Settings page 59-22
AIP-SSM/SSC
ASA 56-14
Alarm Indication Signal (AIS) cells 59-50
allowed hosts, configuring for IPS 35-7
Allowed Hosts policy 35-7
Analysis Engine global variables
configuring 35-26
analysis reports
generating 16-31
anomaly detection
configuring 40-6
configuring histograms 40-11
configuring learning accept mode 40-8
configuring signatures 40-4
configuring thresholds 40-11
managing 40-1
modes 40-2
understanding 40-1
understanding histograms 40-9
understanding thresholds 40-9
understanding worms 40-2
when to turn off 40-4
zones
overview 40-3
anti-spoofing 55-2
AnyConnect
client images 30-52, 30-53
profiles 30-52, 30-53
editing 30-53
AnyConnect Client Image dialog box (ASA) 30-53
AnyConnect custom attributes 30-59, 30-60
AnyConnect Profile Editor 30-53
AOL class map objects
creating 21-15
match criteria 21-20
Apply IPS Update command 1-33
Apply IPS Update wizard 43-7
Approve Activity command 1-34
Approve Activity dialog box 4-21
Approved activity state 4-5
Approve Deployment Job dialog box 8-21, 8-39
Area Border Router
See ABR 54-2
ARP
PIX/ASA/FWSM
configuration 46-4
inspection 46-5
inspection, enable/disable 46-6
table 46-3
ARP table
static entry 46-3, 46-4
ASA
ASDM 69-5
CX 56-15
Auth Proxy Configuration 56-16
CX module
detecting 69-10
Failover
Add Failover Group 49-24
edit bridge group 49-16
IPS, QoS, and Connection Rules
ASA CX Auth Proxy Configuration 56-16
IPS modules 56-14
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
security contexts
allocate interfaces 57-8
configuration 57-7
viewing allocated interfaces 57-9
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
TCP State Bypass 56-3
ASA 5505
Management IPv6 46-10
ports and interfaces 45-6
ASA 8.3+
NAT policies
Add/Edit NAT rules dialog boxes 23-35
Translation Rules page 23-32
ASA Cluster Load Balance page 30-5
ASA CX
CX
about 56-15
ASA devices
5505
hardware port configuration 45-39
AAA support 6-26
about 45-1
adding or changing modules 3-39
adding SSL thumbprints manually 9-4
Bridge Groups
add/edit 45-41
Catalyst Service Module 45-1
changing those selected for reports 67-21
configuring for event management 66-25
configuring for report management 67-3
configuring IKE and IPsec policies 25-1
configuring IKEv2 authentication 25-62
configuring transparent firewall rules 22-1
Easy VPNs
connection profiles 27-13
Event Viewer support 66-4
FlexConfig object samples 7-19
global access rules 16-3
identity-aware services
configuring to provide 13-7, 14-8
interfaces 45-14
add/edit 45-19
Advanced tab 45-27
configuring 45-2
edit EtherChannel-assigned interface 45-11
EtherChannels 45-8, 45-12
General tab 45-20
IP Type 45-36
IPv6 45-29
IPv6, add/edit 45-33
IPv6, add/edit prefixes 45-34
LACP 45-11
MAC address 45-38
PPPoE Users 45-44
VPDN groups 45-45
licenses 2-11
monitoring service level agreements 50-7
object group search 16-22
packet capture, using 69-18
packet tracer, using 69-12
remote access SSL VPNs
advanced settings 30-61
AnyConnect client settings 30-52, 30-53
browser plug-ins 30-50
configuring HTTP/HTTPS proxies and proxy bypass 30-47
content rewrite rules 30-43
encoding rules 30-45
Kerberos Constrained Delegation (KCD) 30-56, 30-58
other settings 30-41
performance settings 30-42
server certificate verification settings 30-25, 30-26, 30-27, 30-61
shared license 30-62
shared license clients (ASA) 30-64
shared license servers (ASA) 30-65
remote access VPNs
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
AnyConnect client image settings (ASA) 30-55
AnyConnect custom attributes (ASA) 30-59, 30-60
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1 IPSec) 30-29
cluster load balancing 30-4, 30-5
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
connection profiles 30-6, 30-8
creating IPSec 29-24
creating SSL 29-14
customizing 30-65
device support 29-8
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
fragmentation settings 25-40
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKE proposals 25-9
IKEv2 settings 25-34
IPsec proposals 30-33
ISAKMP/IPsec settings 25-30
managing 30-1
NAT settings 25-38
policy overview 30-2
post URL method and macro substitutions in bookmarks 30-72
proxy bypass rules (ASA) 30-49
Public Key Infrastructure (PKI) 25-52
secure desktop manager policies 31-8
smart tunnels 30-73
understanding IKE 25-5
understanding NAT settings 25-37
wizard 29-13
Report Manager reports
firewall summary botnet reports 67-14
firewall traffic reports 67-13
general VPN reports 67-16
VPN top reports 67-15
selecting for Event Viewer 66-31
selecting policy types to manage 5-10
SSL certificate configuration 11-18
ASA group policies objects
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
ASA Image Management 70-14, 70-30
ASBR
definition 54-2
ASCII limitations for text 1-46
ASDM
access rule look-up 69-7
device manager 69-5
ASR
zone-based firewall
global parameters 21-49
restrictions 21-3
assignment overview 1-18
Assignments tab, Policy view 5-51
Assign Shared Policy command 1-30
Assign Shared Policy dialog box 5-41
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 59-33
Asymmetric Routing Groups 45-5
Asynchronous Transfer Mode (ATM) 59-46
ATM 59-46
virtual channel connections (VCCs) 59-46
virtual channel identifier (VCI) 59-46
virtual path connections (VPCs) 59-46
virtual path identifier (VPI) 59-46
Attack Response Controller 42-1
attacks
broadcast 17-4
Denial of Service (DoS) 17-4
spoofing 17-4
SYN flooding 17-4
audit logs
configuring default settings 11-45
purging entries 10-22
understanding 10-19
working with 10-19
Audit Message Detail dialog box 10-20
Audit Report command 1-32
audit reports
generating and viewing 10-20
understanding 10-19
working with 10-19
Audit Report window 10-20
AUS
deploying configurations 8-42
deployment method 8-10
setting up 2-7
setting up on PIX Firewall and ASA devices 2-8
Authentication
Cisco IOS routers
settings 60-6
authentication
routing protocols 54-2
Authentication-Authorization-Accounting
see AAA 47-1
Authentication Header (AH) encryption algorithm 25-29
authentication methods
certificates (RSA signatures) 25-8
in IKE proposals 25-8
preshared keys 25-8
authentication testing
SSH 2-5
Authorization
Cisco IOS routers
settings 60-7
authorization proxy (AuthProxy)
configuring AAA rules 15-7
AuthProxy
configuring settings in Map view 34-24
Auth Proxy Configuration
ASA CX 56-16
AuthProxy dialog box 15-18
AuthProxy settings policy
configuring 15-9
autolink
omitting reserved networks from maps 11-2
automatic conflict detection
resolving conflicts 16-31
understanding 16-25
understanding the user interface 16-27
using 16-25
auto signon rules
ASA group policy objects 33-19
Auto Update Server (AUS)
adding 3-35
licensing 10-17
PIX/ASA/FWSM 51-1
add/edit server 51-3
troubleshooting deployment 9-18
Auto Update Server Properties dialog box 3-36
Available Bit Rate (ABR) 59-47
Available Servers dialog box 3-38
B
background image, map
deleting 34-13
importing 34-13
scale and position 34-13
setting 34-13
backup
event data store 66-32
backup.pl command 10-24
Backup command 1-33
backups, Security Manager database 10-24
bandwidth
VPN user reports 67-15, 67-16
banners
configuring on firewall devices 47-8
benefits of product 1-2
BGP routing
BGP Routing Policy page 64-4
defining routes 64-2
Neighbors dialog box 64-6
on Cisco IOS routers 64-1
redistributing routes 64-3
Redistribution Mapping dialog box 64-7
Redistribution tab 64-6
Setup tab 64-4
Bidirectional Neighbor Filter 53-14
Bidirectional Neighbor Filter tab
PIM 53-13
blocking, IPS
configuring 42-7
configuring ARC 42-1
configuring blocking devices 42-14
configuring master blocking sensors 42-13
configuring never block hosts and networks 42-17
configuring router blocking interfaces 42-15
configuring user profiles 42-12
configuring VLAN blocking interfaces 42-16
general options 42-10
master blocking sensor 42-6
policy 42-8
rate limiting 42-4
router and switch blocking devices 42-4
strategies 42-3
understanding 42-1
Blocking page 42-8
Boot image/configuration
PIX/ASA 47-9
add/edit 47-10
bootstrap configuration
Failover 49-26
Botnet Traffic Filter Drop Rules Editor 19-13
botnet traffic filter rules
adding static entries 19-5
blocking blacklisted traffic 19-6
configuring DNS snooping 17-18
configuring in Map view 34-23
configuring the dynamic database 19-4
configuring with IPS global correlation 41-1
databases 19-1
Device Blacklist dialog box 19-15
Device Whitelist dialog box 19-15
Drop Rules Editor 19-13
Dynamic Blacklist Configuration tab 19-10
enabling DNS snooping 19-6
field definitions 19-9
illustrations 19-1
mitigating botnet activity 66-56
monitoring
activity using ASDM 66-56
activity using Event Viewer 66-53, 66-55
overview 66-52
understanding botnet syslog events 66-53
overview 19-1
preserving ACL names 12-4
Report Manager reports
firewall summary botnet reports 67-14
task flow 19-2
traffic classification 19-6
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
understanding 19-1
understanding NAT effects 12-3
understanding processing order 12-2
Whitelist/Blacklist tab 19-14
bridge group
failover
editing 49-16
Bridge Groups
ASA/FWSM
add/edit 45-41
bridge groups
defining 60-19
FWSM 3.1 46-3
Bridging
ASA 5505
Management IPv6 46-10
PIX/ASA/FWSM
ARP configuration 46-4
ARP Inspection 46-5
ARP Inspection, enable/disable 46-6
ARP Table 46-3
MAC Address, add/edit 46-8
MAC Address Table 46-7
MAC Learning 46-8
MAC Learning, enable/disable 46-9
Management IP address 46-10
bridging
Cisco IOS routers
Bridge Group dialog box 60-21
Bridging Policy page 60-20
BVI interfaces 60-18
overview 60-18
configuring transparent firewall rules 22-1
PIX/ASA/FWSM
about 46-1
configuring on 46-1
broadcast attacks, preventing 17-4
broadcasts
enabling directed on routers 59-20
browser plug-ins
configuring 30-50
Bundles 70-11
bypass mode
configuring for IPS 36-12
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 25-47
Cat6k Device dialog box 42-14
Catalyst 6500/7600 devices
configuring FWSM in site-to-site VPNs 24-44
configuring SSH 2-6
default transport protocol 11-18
deployment 8-29
FlexConfig object samples 7-21
IPS blocking devices 42-4
policy discovery for FWSM 5-13
rollback restrictions 8-61
Service Modules 45-1
Catalyst 6500/7600 switches
including in deployment jobs 8-28
Catalyst devices
policy discovery 5-13
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings 32-7
high availability 32-11
IPsec proposals 32-4
user group policies 32-13
VPNSM/VPN SPA/VSPA settings 32-6
Catalyst platform policies
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes 65-50
Create and Edit IDSM EtherChannel VLANs dialog boxes 65-49
IDSM Settings page 65-48
IDSM Slot-Port Selector dialog box 65-51
interfaces/VLANs policy
Access Port Selector dialog box 65-30
Create and Edit Interface dialog boxes-Access Port mode 65-9
Create and Edit Interface dialog boxes-Dynamic Port mode 65-18
Create and Edit Interface dialog boxes-Other mode 65-24
Create and Edit Interface dialog boxes-Routed Port mode 65-12
Create and Edit Interface dialog boxes-subinterfaces 65-22
Create and Edit Interface dialog boxes-Trunk Port mode 65-14
Create and Edit VLAN dialog boxes 65-28
Create and Edit VLAN Group dialog boxes 65-34
Interfaces tab 65-7
Service Module Slot Selector dialog box 65-35
Summary tab 65-3
Trunk Port Selector dialog box 65-31
VLAN Groups tab 65-33
VLAN Selector dialog box 65-36
VLANs tab 65-27
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes 65-42
Create and Edit VLAN ACL dialog boxes 65-41
VLAN Access Lists page 65-39
Catalyst Summary Info command 1-33
Catalyst switches
configuring SSH 2-6
default transport protocol 11-18
showing modules, security contexts, and virtual sensors 3-53
Catalyst switches/7600 routers
troubleshooting deployment 9-15
Catalyst switches and 7600 devices
IDSM mode support 65-44
interface deployment failure 9-16
internal VLAN deployment failure 9-16
supported VTP modes 65-1
Catalyst switches and 7600 Series routers
access ports 65-5
Catalyst Summary Info page 65-2
defining IDSM Data Port VLANs 65-46
defining IDSM EtherChannel VLANs 65-45
defining ports 65-5
defining VACLs 65-37
defining VLAN groups 65-32
defining VLANs 65-26
deleting IDSM Data Port VLANs 65-48
deleting IDSM EtherChannel VLANs 65-46
deleting ports 65-7
deleting VACLs 65-39
deleting VLAN groups 65-33
deleting VLANs 65-27
discovering policies 65-1
generating interface names 65-6
IDSM settings 65-44
IDSM Settings page 65-48
interfaces 65-5
managing 65-1
routed ports 65-5
trunk ports 65-5
viewing interface and VLAN summary 65-3
VLAN Access Lists page 65-39
VLAN ACLs (VACLs) 65-36
VLAN groups 65-31
VLANs 65-25
Catalyst VPN Service Port Adapters (VSPAs)
configuring 24-40
Catalyst VPN Services Module (VPNSM)
configuring 24-40
configuring in remote access VPNs 32-6
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring 24-40
configuring in remote access VPNs 32-6
categories
using 6-12
cautions
significance of 1-1
CDP
configuring mode for IPS 36-12
CEF Interface Settings dialog box 59-26
CEF interface settings policies 59-24
certificates
accepting 11-29, 11-36
retrieving 11-29, 11-36
viewing 11-29, 11-36
certificates, SSL
adding thumbprints manually 9-4
configuring default settings for how handled 11-18
managing IPS 43-10
certificates for ASA image downloads 11-29
certificates for IPS package downloads 11-36
certificate to connection profile map policies
configuring policy 30-29
configuring rules 30-29
certificate trust management 11-29, 11-36
Change Report dialog box 4-18
change reports
selecting session in non-Workflow mode 4-18
viewing 4-16
Change Reports command 1-32
Checkpoint migration
configuring object group search on ASA 8.3+ devices 16-22
Choose a file dialog box 33-27
Cisco 7600 Series routers
managing 65-1
Cisco AnyConnect Profile Editor 30-53
Cisco Configuration Engine
troubleshooting device setup and deployment 9-18
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces 59-18
Cisco Express Forwarding (CEF)
CEF Interface Settings policy 59-25
CEF router interface settings policies 59-24
importance for QoS 63-2
Cisco IOS IPS
effect of load balancing 44-7
configuration files 44-3
configuration overview 44-3
configuring 44-1
configuring general settings 44-7
configuring interface rules 44-8
getting started 35-1
initial preparation of router 44-5
lightweight signature engines 44-2
limitations and restrictions 44-3
selecting signature category 44-6
understanding 44-1
understanding subsystems and revisions 44-2
Cisco IOS Routers
configuring IOS IPS 44-1
IPS blocking devices 42-4
Cisco IOS routers
802.1x 61-1
AAA 60-2
accounts and credentials 60-13
ADSL 59-33
advanced interface settings 59-13
available interface types 59-2
basic interface settings 59-1
BGP routing 64-1
CNS call-home mode 2-9
CNS event-bus mode 2-8
configuring SSH 2-6
CPU settings 60-25
default AAA server groups 6-28
deploying configurations using TMS 8-43
dialer interfaces 59-27
discovering policies 58-3
Domain Name System (DNS) 60-74
Dynamic Host Configuration Protocol (DHCP) 60-87
EIGRP routing 64-8
host and domain names 60-77
HTTP 60-28
interface deployment failure 9-14
IOS 12.1 and 12.2 58-2
licenses 2-12
line access 60-35
managing 58-1
memory settings 60-78
NAT 23-5
designating interfaces 23-6
dynamic rules 23-10
static rules 23-6
timeouts 23-13
NetFlow 62-1, 62-5, 62-12
Network Admission Control (NAC) 61-8
Network Time Protocol (NTP) 60-96
optional SSH settings 60-63
OSPF routing 64-19
permanent virtual connections (PVCs) 59-46
platform policies 58-1
Point-to-Point Protocol (PPP) 59-70
policy discovery 5-13
quality of service (QoS) 63-1
RIP routing 64-42
Secure Device Provisioning (SDP) 60-81
setting up SSL (HTTPS) 2-4
SHDSL 59-40
SNMP 60-66
static routing 64-50
syslog logging 62-1
time zone settings 60-22
transparent bridging 60-18
Cisco IOS Software
FlexConfig object samples 7-21
selecting policy types to manage 5-10
Cisco Prime Security Manager
see PRSM 69-9, 69-10
Cisco Secure Desktop configuration objects
creating 32-18
Cisco Security Management Suite server
logging into or exiting 1-10
Cisco Technical Assistance Center
creating diagnostic file 10-27
generating data 10-27
generating deployment or discovery status reports 10-28
generating partial database backup 10-29
Cisco Trust Agent (CTA) 61-9
CiscoWorks Common Services
backing up and restoring Security Manager 10-24
logging into or exiting 1-10
CiscoWorks user authorization, effect on what you can do 1-10
Class-Based Policing 63-6
class maps
understanding 6-72
Clear Connection Configuration dialog box 15-22
CLI commands
FlexConfig objects 7-2
client connection characteristics
configuration modes 27-3
configuring policies for Easy VPN 27-7
extended authentication (xauth) 27-4
clientless access mode 29-4
client settings
configuring AnyConnect 30-53
understanding AnyConnect 30-52
client-side file browsing 1-47
enabling or disabling 11-6
Clock
PIX/ASA/FWSM 47-11
clock
Cisco IOS routers
overview 60-22
clock settings
Cisco IOS routers
Clock Policy page 60-23
Clone Device command 1-28
Clone Policy Bundle dialog box 5-55
Clone Policy command 1-30
Clone Policy dialog box 5-44
Close Activity command 1-34
Close All Reports command (Report Manager) 67-8
Close Report command (Report Manager) 67-8
Close Ticket command 1-34
cluster, server
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
Cluster Information page, device properties 3-48
clustering 3-9
cluster load balancing
configuring 30-5
understanding 30-4
understanding FQDN redirection 30-5
CNS
call-home mode 2-9
deploying configurations 8-42
deployment method 8-10
event-bus mode 2-8
setting up on PIX Firewall and ASA devices 2-8
color rules, configuring in Event Viewer 66-36
Combine Rules Selection Summary dialog box 12-24
commands
Activities menu 1-34
Edit menu (Configuration Manager) 1-29
Event Viewer File menu 66-8
Event Viewer View menu 66-9
File menu (Configuration Manager) 1-28
Help menu (Configuration Manager) 1-36
Launch menu 1-35
Manage menu 1-32
Map menu 1-31
Policy menu (Configuration Manager) 1-30
Report Manager menus 67-8
Tickets menu 1-34
Tools menu (Configuration Manager) 1-33
View menu (Configuration Manager) 1-30
Common Services
licensing 10-17
communication, device
troubleshooting 9-7
configuration
initial Security Manager 1-23
understanding rollback 8-59
Configuration Archive
adding configurations from devices 8-55
overview 8-16
rolling back to archived configuration files 8-66
rolling back when deploying to file 8-67
settings 11-3
version viewer 8-56
viewing and comparing configuration versions 8-56
viewing transcripts 8-58
window 8-24
Configuration Archive command 1-32
Configuration Archive page 11-3
Configuration Engine
adding 3-35
CNS call-home mode 2-9
CNS event-bus mode 2-8
setting up 2-7
Configuration Engine Properties dialog box 3-36
configuration files
deploying in non-Workflow mode 8-29
deploying in Workflow mode 8-35, 8-40
deploying to 8-11
deploying to an AUS or CNS 8-42
deploying to a TMS 8-43
deployment process overview 8-1
factory-default configurations 45-2
previewing 8-45
redeploying to devices 8-49
rolling back after deploying to file 8-67
rolling back to archived configurations 8-66
rolling back to devices 8-65
selecting 1-47
web VPN policy discovery restrictions 3-8
configuration location, configuring for IOS IPS 44-7
Configuration Manager
overview 1-12
using 1-12
configurations
adding to the Configuration Archive 8-55
avoiding out-of-band changes 8-47
detecting out-of-band changes 8-46
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rolling back 8-59
rolling back Catalyst 6500/7600 8-61
rolling back failover devices 8-61
rolling back IPS and IOS IPS 8-62
rolling back multiple context mode 8-61
understanding out-of-band changes 8-12
viewing and comparing 8-56
configuration session
selecting session for change reports 4-18
viewing change reports 4-16
configuration sessions
discarding 4-22
configuration views 1-12
Configure dialog box 17-20
Configure DNS dialog box 17-18
Configure ESMTP dialog box 17-18
Configure Fragments dialog box 17-19
Configure Hardware Ports
ASA 5505 45-39
Configure IMAP dialog box 17-19
Configure POP3 dialog box 17-19
Configure RPC dialog box 17-20
Configure SMTP dialog box 17-18
Config Version Viewer (Preview Configuration) dialog box 8-45
conflict analysis reports
generating 16-31
conflict detection
resolving conflicts 16-31
understanding 16-25
understanding the user interface 16-27
using 16-25
connection
PIX/ASA/FWSM
identity-aware rules 13-21
rules 56-5
Connection Alias dialog box 30-20
Connection Profile dialog box
AAA tab 30-11
General tab 30-9
IPSec tab 30-16
Secondary AAA tab 30-14
SSL tab 30-18
connection profiles
configuring 30-6
configuring for Easy VPN 27-13
properties
AAA 30-11
general 30-9
IPSec 30-16
policy overview 30-8
secondary AAA 30-14
SSL 30-18
sharing among multiple ASAs 29-8
Connection Profiles page 30-8
Connection Settings
MPC rule wizard
tab 56-8
connection timeout
device communication settings 11-17
Connection URL dialog box 30-21
connectivity, testing device 9-1
console
Cisco IOS routers
AAA tab 60-44
Accounting tab 60-47
Authentication tab 60-44
Authorization tab 60-45
Console Policy page 60-42
Setup tab 60-42
console port
Cisco IOS routers
defining AAA settings 60-37
defining setup parameters 60-35
Console timeout
PIX/ASA/FWSM 48-1
Constant Bit Rate (CBR) 59-47
contained modules
showing 3-53
content rewrite rules
defining for SSL VPN on ASA 30-43
Context-Based Access Control
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3
understanding 17-1
understanding access rule requirements 17-4
Context Editor dialog box (IOS) 32-15
contexts
see “security contexts” 57-1
continuity check (CC) cells 59-50
control plane (CP)
defining QoS on 63-12
policing on 63-9
Control Plane Policing 63-9
conventions 1-1
cookie challenges 25-34
Copy command 1-29, 12-9
Copy Policies Between Devices command 1-30
Copy Policies wizard 5-31
CPU settings
defining utilization settings 60-25
overview 60-25
CPU utilization
CPU Policy page 60-26
Create a Clone of Device dialog box 3-54
Create Activity dialog box 4-14
Create a Policy dialog box 5-51
Create Discovery Task dialog box 5-18
Create Extranet VPN Topology wizard
overview 24-62
Create Filter dialog box 1-43
Create Group Policy wizard
Clientless and Thin Client Access Modes page 29-22
Full Tunnel page 29-20
Group Policy page 29-19
using 29-19
Create Overrides for Device dialog box 6-20
Create Policy Bundle dialog box 5-54
Create Text Object dialog box 7-31
Create Ticket dialog box 4-14
Create VPN Topology wizard
Device Selection page 24-32
Edit Endpoints dialog box 24-33
Endpoints page 24-33
GET VPN Group Encryption page 24-50
GET VPN Peers page 24-56
High Availability page 24-48
Name and Technology page 24-30
overview 24-28
VPN Defaults page 24-57
credential objects
attributes 27-9
credentials
configuring on firewall devices 47-13
device manager validation 69-4
IPS module 3-19
service module 3-18
testing 9-1
understanding device 3-4
Credentials page
HTTPS port number
overriding with HTTP policy 3-46
Credentials page, device properties 3-44
crypto maps
understanding 25-18
CSC
MPC rule wizard
tab 56-8
CSDM Policy Editor dialog box 31-40
CS-MARS
access to Security Manager 69-23
configuring servers 11-4
discovering or changing controller used by device 69-25
events
historical and real-time lookup 69-27
looking up 69-27
integrating with Security Manager 69-21
integration with Security Manager 69-22
looking up Security Manager policies based on events 69-31
NetFlow 69-33
query
troubleshooting 69-26
registering in Security Manager 69-24
supported log messages 69-32
viewing access rule events 69-28
viewing IPS signature events 69-30
CS-MARS page 11-4
CSMDiagnostics.zip
setting debug options 11-8
CSMDiagnostics.zip file, creating 10-27
CSM tab, Licensing page 11-41
CSV (comma-separated values) files
supported formats for device inventory 10-9
CSV file
export HPM data as 68-26
Customize Desktop Settings page 11-6
Customized Toolbar command 1-30
Custom Protocol dialog box 17-20
Custom Report List command (Report Manager) 67-9
Cut command 1-29, 12-9
cut-through proxy, configuring 13-23
CX
ASA module
detecting 69-10
CXSC
MPC rule wizard
tab 56-8
D
database
backing up 10-24
backing up and restoring 10-24
generating partial backups for TAC 10-29
restoring 10-26
DCE/RPC policy map objects
creating 17-21
properties 17-27
DCS.properties file
DCS.doSerialAccessForFWSMVCs property 9-17
DCS.FWSM.checkThreshold property 9-16
SSH settings 9-7
warning message expression properties 9-10
DDNS
PIX/ASA/FWSM 51-17
add interface rules 51-18
update methods 51-18
update methods, add/edit 51-19
dead-peer detection (DPD) 25-30
debugging
configuring debug levels 11-8
Debug Options page 11-8
Default Report Settings command (Report Manager) 67-9
defaults, configuring 11-1
Delete Device command 1-28
Delete Map command 1-31
Delete Map dialog box 34-10
Delete Row command 1-29
Denial of Service (DoS)
preventing in SMTP using zone based firewall 21-25
denial of service (DoS)
preventing using unicast reverse path forwarding (RPF) 59-20
Denial of Service (DoS) attacks
configuring inspection settings to mitigate 17-88
preventing on IOS devices using inspection 17-4
denial of service (DoS) attacks
preventing using IKEv2 cookie challenge 25-34
deny
inspection
rules 17-5
Deploy command 1-28
Deploy Job dialog box 8-40
deployment
Add Other Devices dialog box 8-54
Auto Update Server 8-42
Catalyst 6500/7600 devices 8-29
changes not deployed when using schedules 8-52
changing device message severity level to ignore errors 9-10
changing FWSM multiple-context deployment to serial 9-17
Cisco Networking Services configuration engine 8-42
configuration files, to 8-11
configurations 8-29
creating jobs in Workflow mode 8-36
creating or editing schedules 8-52
Deployment Manager window 8-17
device communication settings 9-4
devices, directly to 8-9
devices, through intermediate server 8-10
Edit Deploy Method dialog box 8-31
Edit Selected Deployment Method dialog box 8-31
errors
OS version mismatches 8-13
generating status report 10-28
handling OS version mismatches 8-13
managing 8-1
methods 8-8
minimum memory errors for ASA 8.3+ 9-11
non-Workflow mode 8-3
optimizing access rules 16-43
out-of-band changes
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
process overview 8-1
rolling back archived configurations 8-66
rolling back configurations 8-59
rolling back configurations, Catalyst 6500/7600 8-61
rolling back configurations, command conflicts 8-64
rolling back configurations, commands to recover from failover misconfiguration 8-65
rolling back configurations, failover devices 8-61
rolling back configurations, IPS and IOS IPS devices 8-62
rolling back configurations, multiple context mode 8-61
rolling back configuration when deploying to file 8-67
rolling back to last deployed configuration 8-65
setting debug options 11-8
SSL handshake failure 2-2
suspending or resuming schedules 8-55
system settings 11-9
task flow
non-Workflow mode 8-3
Workflow mode 8-5
tips for successful jobs 8-28
TMS server 8-43
troubleshooting 9-1, 9-9
ADSL or PVC deployment failures 9-15
AUS problems 9-18
Catalyst interface settings 9-16
Catalyst internal VLANs 9-16
Catalyst switch and modules 9-15
Configuration Engine problems 9-18
Error Writing to Server messages 9-15
HTTP Response Code 500 messages 9-15
layer 2 interfaces 9-14
mixing deployment methods with routers and VPNs 9-13
router interface settings 9-14
routers 9-14
Security Manager cannot contact device 9-12
VPNs with routing processes 9-13
troubleshooting device communication 9-7
troubleshooting router connection failures 2-2
troubleshooting SSL certificate errors 9-4
troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 24-17
understanding 8-1
understanding configuration rollback 8-59
using a Cisco Networking Services (CNS) server 8-42
viewing device details 8-27
viewing job summary 8-27
viewing status and history for jobs and schedules 8-27
viewing transcripts 8-58
Warning - Partial VPN Deployment dialog box 8-32
Workflow mode 8-5, 8-35, 8-40
working with 8-26
Deployment—Create or Edit a Job dialog box 8-36
deployment jobs
aborting 8-51
approval 8-7
approving 8-39
creating and editing in non-Workflow mode 8-29
creating and editing in Workflow mode 8-36
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
multiple users 8-8
redeploying 8-49
rejecting 8-39
states
non-Workflow mode 8-4
Workflow mode 8-6
submitting 8-39
viewing history 8-27
Deployment Manager
overview 8-16
Deployment Manager window 8-17
Deployment Schedules tab 8-22
Deployments command 1-32
Deployment Settings page 11-9
Deployment Status Details dialog box 8-33
Deployment Workflow Commentary dialog boxes 8-21
Deploy Saved Changes dialog box 8-29
DES encryption algorithm
in IKE proposals 25-6
Designated Router
PIX/ASA/FWSM 53-12
Destination Contents dialog box 12-14
Dest Port Map dialog box 40-12
Detect Out of Band Changes command 1-33
device
AAA administration 47-4
firewall types 45-1
viewing inventory status 69-1
Device Access
FWSM
Resources, add/edit 50-3
PIX/ASA/FWSM 48-1
console timeout 48-1
host name 50-1
HTTP configuration 48-2
HTTP page 48-2
ICMP rules 48-3
ICMP rules, add/edit 48-4
Management Access interface 48-5
Secure Shell, add/edit host 48-6
Secure Shell (SSH) 48-5
Server Access 51-1
SNMP host access 48-12
SNMP page 48-8
SNMP Trap configuration 48-9
Telnet configuration 48-14
Telnet page 48-13
user accounts 50-6
user accounts, add/edit 50-7
device access policies
defining 60-14
Device Admin
FWSM
Resources 50-3
device administration policies
configuring on firewall devices 47-1
device authentication
adding SSL thumbprints manually 9-4
SSL certificate default configuration 11-18
Device Blacklist dialog box 19-15
device clusters 3-9
device communication
changing device message severity level 9-10
managing settings 9-4
routers without K8/K9 crypto image 9-7
Security Manager cannot contact device after deployment 9-12
troubleshooting failures 9-7
Device Communication page 11-17
device communications
troubleshooting 9-1
device communication settings
connection timeout 11-17
retry count 11-17
socket read timeout 11-18
Device Connectivity Test dialog box 9-3
device credentials
understanding 3-4
Device Credentials page 3-44
Device Delete Validation dialog box 3-56
device groups 3-57, 3-60
adding or removing devices 3-60
creating group types 3-59
deleting groups or types 3-60
understanding 3-57
Device Groups page 3-48, 11-20
Device Information page - Add Device from File 3-31
Device Information page - Configuration File 3-22
Device Information page - Network 3-13
Device Information page - New Device 3-26
device inventory
exporting
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-9
using command line utility 10-10
importing
device with policies 10-13
importing with policies 10-13
managing 3-1
sharing with PRSM 69-11
testing device connectivity 9-1
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
working with 3-34
device manager
access rule look-up 69-6
ASDM 69-5
access rule look-up 69-7
credentials 69-4
IDM 69-5
PDM 69-5
prerequisites 69-5
SDM 69-5
access rule look-up 69-8
starting from HPM 68-2, 68-24
starting from Security Manager 69-4
troubleshooting 69-5
xdm-launcher.exe 69-6
Device Manager command 1-35
Device Properties
Cluster Information page 3-48
Credentials page 3-44
Device Groups page 3-48
General page 3-40
Policy Object Override pages
general reference 3-49
device properties
changes with policy effects 3-51
changing critical 3-50
image version changes with no policy effects 3-50
understanding 3-6
viewing or changing 3-39
Device Properties command 1-33
Device Properties page
creating object overrides 6-18
deleting overrides 6-21
overview 3-39
device response
to appear as an error message 9-10
devices
adding 3-6
adding configurations to the Configuration Archive 8-55
adding from configuration files 3-20
adding from inventory file 3-29
adding from network 3-11
adding local rules to shared policies 5-42
adding manually 3-25
adding or changing modules 3-39
assigning shared policies 5-41
avoiding out-of-band changes 8-47
changing critical properties 3-50
changing those selected for reports 67-21
cloning or duplicating 3-54
cloning shared policies 5-44
communication requirements 2-1
communication settings and certificates 9-4
configuring ASA licenses 2-11
configuring IOS licenses 2-12
configuring local policies 5-29
copying policies between 5-31
creating policy object overrides 6-18
deleting from inventory 3-55
deleting policy object overrides 6-21
deployment through intermediate server 8-10
deployment to 8-9
detecting out-of-band changes 8-46
discovering or changing CS-MARS controller 69-25
discovering policies 5-12
discovering policies on existing devices 5-15
dynamic IP addresses 3-35
image version changes with no policy effects 3-50
including in deployment jobs or schedules 8-8
including unmanaged or non-Cisco in a VPN 24-11
inheriting policy rules 5-43
maps
adding existing managed 34-16
adding new managed 34-16
displaying devices from Device View 34-16
displaying managed 34-16
removing managed 34-16
showing containment for Catalyst switches, ASA, PIX, IPS devices 34-16
modifying policy assignment 5-46
modifying shared policies 5-45
naming conventions 3-3
overview of monitoring 1-6
policy status icons 5-28
preparing for management 2-1
property changes with policy effects 3-51
redeploying configuration files to 8-49
redeploying configurations to replaced hardware 8-49
renaming policies 5-45
replacing policies 5-41
rolling back configurations 8-65, 8-66, 8-67
selecting in site-to-site VPNs 24-32
selecting multiple 1-42
sharing multiple policies 5-39
sharing with PRSM 69-11
showing contained modules 3-53
system variables 7-7
testing connectivity 9-1
troubleshooting communication 9-7
troubleshooting communication and deployment 9-1
troubleshooting device discovery failures 3-7
unassigning policies 5-33
understanding out-of-band changes 8-12
unsharing policies 5-40
using global search to find specific devices 1-39
what counts as a device 3-3
device selector
filtering 1-42
Device Selector dialog box 1-42
Device Server Assignment dialog box 9-8
device status view
working with 3-61
Device Status View command 1-30
Device view
adding local rules to shared policies 5-42
assigning shared policies 5-41
cloning shared policies 5-44
configuring local policies 5-29
configuring VPN topologies 24-19
copying policies between devices 5-31
inheriting policies 5-43
managing policies 5-28
modifying policy assignments 5-46
modifying shared policies 5-45
overview 1-13
policy banner 5-35
policy shortcut menu 5-37
policy status icons 5-28
renaming policies 5-45
sharing local policies 5-38
sharing multiple policies 5-39
unassigning policies 5-33
understanding basic policy management 5-29
understanding shared policies 5-34
unsharing policies 5-40
device view
understanding 3-1
Device View command 1-30
Device Whitelist dialog box 19-15
DHCP
Cisco IOS routers
defining address pools 60-91
defining policies 60-90
DHCP Database dialog box 60-94
DHCP Policy page 60-92
IP Pool dialog box 60-94
overview 60-87
understanding database agents 60-88
understanding option 82 60-89
understanding relay agents 60-88
understanding secured ARP 60-89
configuring passthrough for IOS devices 22-3
PIX/ASA/FWSM 51-10
add/edit servers 51-11
advanced configuration 51-12
configuring DHCP servers 51-9
server options 51-13
traffic blocked 9-15
DHCP relay
PIX/ASA/FWSM 51-5, 51-7
add/edit agent 51-5
add/edit server 51-6
DHCPv6 relay
PIX/ASA/FWSM
add/edit agent 51-8
add/edit server 51-9
diagnostics
setting debug options 11-8
diagnostics file, creating 10-27
dial backup
configuring in Easy VPN 27-2
configuring in VPN 24-38
configuring VPN advanced settings 24-39
Dial Backup Settings dialog box 24-39
dialer interfaces
defining BRI properties 59-29
defining profiles 59-27
Dialer Physical Interface dialog box 59-32
Dialer Policy page 59-30
Dialer Profile dialog box 59-31
on Cisco IOS routers 59-27
Diffie-Hellman groups
in IKE proposals 25-7
Digital Subscriber Line (DSL) 59-33
digital subscriber line-access multiplexer (DSLAM) 59-34
directed broadcasts
enabling 59-20
Disable/enable NAT rules 23-32, 23-45
Discard Activity command 1-34
Discard Activity dialog box 4-22
Discard command 1-29
Discard Deployment Job dialog box 8-21
Discard Ticket command 1-35
Discard Ticket dialog box 4-22
discovering
remote access VPNs 29-12
site-to-site VPNs 24-24
Discover Policies on Device command 1-31
Discover VPN Policies command 1-31
Discover VPN Policies wizard 24-24
discovery
default behavior settings 11-21
generating status report 10-28
invalid certificate error 9-6
overview 1-18
security certificate error 9-4, 9-6
setting debug options 11-8
Discovery Settings page 11-21
Discovery Status dialog box 5-21
discovery task
frequently asked questions 5-25
starting 5-15
viewing status 5-21
disk space, monitoring event data store 66-31
Display Actual Size command 1-31
Distributed Traffic Shaping (DTS) 63-6
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 26-11
configuring 26-12
configuring GRE modes 26-12
large scale DMVPNs
configuring 26-16
configuring server load balancing 26-17
overview 26-1, 26-9
spoke-to-spoke connections 26-10
supported platforms 24-9
understanding 26-10
DNS
configuring for inspection rules 17-18
PIX/ASA/FWSM
add/edit server group 51-15
add server 51-16
servers page 51-13
DNS class map objects
creating 17-21
match criteria 17-31
DNS policy map objects
creating 17-21
match conditions and actions 17-31
properties 17-28
DNS servers
configuring for IPS global correlation 35-22
DNS snooping 19-6
dock
report windows 67-25
view windows 66-34
Dock Map View command 1-32
documentation
conventions 1-1
ordering 1-2
Domain AD Server dialog box 13-10
Domain Name System (DNS)
Cisco IOS routers
defining policies 60-75
DNS Policy page 60-76
IP Host dialog box 60-76
overview 60-74
do not ask warnings, resetting 11-6
DSLAM 59-34
duration
VPN user reports 67-15, 67-16
dynamic access policies
attributes 31-3, 31-7
configuring 31-2
managing 31-1
understanding 31-1
dynamic access policies (DAP) 31-28
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box 31-19
Add/Edit DAP Entry dialog box > AAA Attributes Cisco 31-20
Add/Edit DAP Entry dialog box > AAA Attributes LDAP 31-22
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 31-23
Add/Edit DAP Entry dialog box > Anti-Spyware 31-24
Add/Edit DAP Entry dialog box > Anti-Virus 31-25
Add/Edit DAP Entry dialog box > AnyConnect Identity 31-26
Add/Edit DAP Entry dialog box > Application 31-27
Add/Edit DAP Entry dialog box > File 31-29
Add/Edit DAP Entry dialog box > NAC 31-30
Add/Edit DAP Entry dialog box > Operating System 31-31
Add/Edit DAP Entry dialog box > Personal Firewall 31-32
Add/Edit DAP Entry dialog box > Policy 31-33
Add/Edit DAP Entry dialog box > Process 31-34
Add/Edit DAP Entry dialog box > Registry 31-35
Advanced Expressions tab 31-39
Logical Operations tab 31-36
Main tab 31-13
Dynamic Access Policy page (ASA) 31-10
Cisco Secure Desktop Manager Policy Editor dialog box 31-40
Dynamic Access Policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 31-12
Dynamic Blacklist Configuration tab 19-10
dynamic crypto maps 25-18
dynamic filter snooping (DNS)
enabling 17-18
Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 24-6
dynamic NAT
Cisco IOS routers 23-10
Dynamic Translation Rule
PIX/ASA/FWSM 23-21
add/edit 23-21
dynamic VTI
configuring in Easy VPN 27-12
in remote access VPNs 32-7
understanding use in Easy VPN 27-2
E
Easy VPN
configuration modes 27-3
configuration overview 27-5
configuring client connection characteristics 27-7
configuring dial backup 27-2
configuring dynamic VTI 27-12
configuring high availability 27-2
connection profile policies 27-13
connection profiles (ASA, PIX 7+) 30-8
extended authentication (xauth) 27-4
important configuration notes 27-6
IPsec proposals 27-10
mandatory and optional policies 24-6
overview 27-1
supported platforms 24-9
understanding 27-1
understanding dynamic VTI 27-2
user group policies 27-14
Edit AAA Option dialog box 15-18
Edit AAA Rule dialog box 15-13
Edit AAA Server dialog box 6-30
Edit AAA Server Group dialog box 6-46
Edit Access Rule dialog box 16-13
Edit Actions dialog box 38-8
Edit activity state 4-4
Edit AOL Class Map dialog box 17-26, 21-17
Edit A Port Forwarding Entry dialog box 33-30
Edit ASA Group Policies dialog box
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
overview 33-1
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
Edit A Smart Tunnel Entry dialog box 33-53
Edit Auto Signon Rules dialog box 33-19
Edit Auto Update Settings dialog box 11-38
Edit Category dialog box 12-14
Edit Cisco Secure Desktop Configuration dialog box 33-23
Edit Client Access Rules dialog box 33-10
Edit Client Update dialog box 33-65
Edit Column dialog box 33-47
Edit Custom Pane dialog box 33-47
Edit DCE/RPC Map dialog box 17-27
Edit Deploy Method dialog box 8-31
Edit Description dialog box 12-14
Edit Destinations dialog box 12-11
Edit Device Groups command 1-29
Edit Device Groups dialog box 3-58
Edit DNS Class Map dialog box 17-26
Edit DNS Map dialog box
Filtering tab 17-30
overview 17-28
Protocol Conformance tab 17-30
Edit eDonkey Class Map dialog box 17-26, 21-17
Edit Endpoints dialog box
FWSM tab 24-44
overview 24-33
Protected Networks tab 24-44
VPN Interface tab 24-35
VPNSM/VPN SPA/VSPA settings, VPN Interface tab 24-40
VRF Aware IPsec tab 24-45
Edit ESMTP Map dialog box 17-34
Edit Extended Access Control Entry dialog box 6-56
Edit Extended Access List dialog box 6-55
Edit External Filter dialog box 21-40
Edit Extranet VPN dialog box
overview 24-62
Edit FastTrack Class Map dialog box 17-26, 21-17
Edit Fidelity dialog box 38-9
Edit File Object dialog box 33-25
Edit FlexConfig dialog box 7-29
Edit FTP Class Map dialog box 17-26
Edit FTP Map dialog box 17-37
Edit Gnutella Class Map dialog box 17-26, 21-17
Edit Group Member dialog box 28-21
Edit GTP Map dialog box 17-40
Edit H.323 Class Map dialog box 17-26, 21-17
Edit H.323 Map dialog box 17-45, 21-33
Edit HSI Endpoint IP Address dialog box 17-48
Edit HSI Group dialog box 17-47
Edit HTTP Class Map dialog box 17-26, 21-17
Edit HTTP Map dialog box 21-33
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-52
Extension Request Method tab 17-55
General tab 17-51
overview 17-50
Port Misuse tab 17-56
RFC Request Method tab 17-54
Transfer Encoding tab 17-57
ASA 7.2+ and PIX 7.2+ devices 17-58
Edit ICQ Class Map dialog box 17-26, 21-17
Edit IKEv1 Proposal dialog box 25-10
Edit IKEv2 Proposal dialog box 25-13
Edit IMAP Class Map dialog box 17-26, 21-17
Edit IMAP Map dialog box 21-33
Edit IM Class Map dialog box 17-26
Edit IM Map dialog box 21-33
ASA and PIX device 17-64
IOS device 17-67
Edit Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
Edit Inspect Parameter Map dialog box 21-29
Edit Interfaces dialog box 12-13
Edit IP Options Map dialog box 17-68
Edit IPsec Pass Through Map dialog box 17-74
Edit IPSec Transform Set dialog box 25-25
Edit IPv4 Pool Object dialog box 6-83
Edit IPv6 Map dialog box 17-70
Edit IPv6 Pool Object dialog box 6-84
Edit Kazaa2 Class Map dialog box 17-26, 21-17
Edit Key Server dialog box 28-19
Edit Language dialog box 33-42
Edit LDAP Attribute Map dialog box 6-43
Edit LDAP Attribute Map Value dialog box 6-44
Edit Load Balancing Parameters dialog box 26-17
Edit Local Web Filter Class Map dialog box 17-26, 21-17
Edit Local Web Filter Parameter Map dialog box 21-37
Edit MAC Address Pool Object dialog box 6-85
Edit Map Value dialog box 6-44
Edit Match Condition and Action dialog box
DNS policy maps 17-31
ESMTP policy maps 17-35
FTP policy maps 17-38
GTP policy maps 17-43
H.323 (IOS) policy maps 21-34
H.323 policy maps 17-48
HTTP (Zone Based IOS) policy maps 21-34
HTTP policy maps 17-59
IM (Zone Based IOS) policy maps 21-34
IMAP policy maps 21-34
IM policy maps 17-65
IPv6 policy maps 17-71
P2P policy maps 21-34
POP3 policy maps 21-34
SIP (IOS) policy maps 21-34
SIP policy maps 17-79
Skinny policy maps 17-83
SMTP policy maps 21-34
Sun RPC policy maps 21-34
Web Filter policy maps 21-34
Edit Match Criterion dialog box
AOL class maps 21-20
DNS class maps 17-31
eDonkey class maps 21-20
FastTrack class maps 21-20
FTP class maps 17-38
Gnutella class maps 21-20
H.323 (IOS) class maps 21-21
H.323 class maps 17-48
HTTP (IOS) class maps 21-21
HTTP class maps 17-59
ICQ class maps 21-20
IMAP class maps 21-23
IM class maps 17-65
Kazaa2 class maps 21-20
Local Web Filter class maps 21-28
MSN Messenger class maps 21-20
N2H2 class maps 21-29
POP3 class maps 21-23
SIP (IOS) class maps 21-24
SIP class maps 17-79
SMTP class maps 21-25
Sun RPC class maps 21-28
Websense class maps 21-29
Windows Messenger class maps 21-20
Yahoo Messenger class maps 21-20
Edit menu
Configuration Manager 1-29
Edit MSN Messenger Class Map dialog box 17-26, 21-17
Edit N2H2 Parameter Map dialog box 21-38
Edit N2H2 Web Filter Class Map dialog box 17-26, 21-17
Edit NAT Rule dialog box
ASA 8.3+ 23-35
Edit NetBIOS Map dialog box 17-75
Edit Network/Host dialog box
General tab 6-77
NAT tab 23-41
Edit Options dialog box 16-15
Edit P2P Map dialog box 21-33
Edit Permit Response dialog box 17-42
Edit Per-Session NAT Rule dialog box 23-46
Edit PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Edit PKI Enrollment dialog box
CA Information tab 25-55
Certificate Subject Name tab 25-61
Enrollment Parameters tab 25-59
overview 25-54
Trusted CA Hierarchy tab 25-62
Edit Policy Assignments command 1-30
Edit POP3 Class Map dialog box 17-26, 21-17
Edit Port Forwarding List dialog box 33-28
Edit Port List dialog box 6-87
Edit Protocol Info Parameter Map dialog box 21-32
Edit Regular Expression dialog box 17-86
Edit Regular Expression Group dialog box 17-85
Edit Row command 1-29
Edit Rule Section dialog box 12-22
Edit Security Association dialog box 24-54
Edit Selected Deployment Method dialog box 8-31
Edit Server dialog box
Protocol Info Parameter maps 21-33
Edit Server Group dialog box 15-18
Edit Service dialog box 6-89
Edit Services dialog box 12-12
Edit Signature dialog box 38-12
Edit Signature Parameter—Component List dialog box 38-25
Edit Signature Parameters dialog box 38-21
Edit Single Sign On Server dialog boxes 33-30
Edit SIP Class Map dialog box 17-26, 21-17
Edit SIP Map dialog box 17-77, 21-33
Edit Skinny Map dialog boxes 17-81
Edit SLA Monitor dialog box 50-9
Edit Smart Tunnel Auto Signon Entry dialog box 33-56
Edit Smart Tunnel Auto Signon Lists dialog box 33-55
Edit Smart Tunnel Lists dialog box 33-52
Edit SMTP Class Map dialog box 17-26, 21-17
Edit SMTP Map dialog box 21-33
Edit SNMP Map dialog box 17-84
Edit Sources dialog box 12-11
Edit SSL VPN Customization dialog box 33-36
Applications 33-46
Copyright Panel 33-44
Custom Panes 33-46
Full Customization 33-45
Home Page 33-48
Informational Panel 33-43
Language 33-40
Logon Form 33-42
Logout Page 33-49
Title Panel 33-39
Toolbar 33-45
Edit SSL VPN Gateway dialog box 33-50
Edit Standard Access Control Entry dialog box 6-59
Edit Standard Access List dialog box 6-55
Edit Sun RPC Class Map dialog box 17-26, 21-17
Edit Sun RPC Map dialog box 21-33
Edit TCP Map dialog box 56-20
Edit TCP Option Range dialog box 56-22
Edit Text Object dialog box 7-31
Edit Time Range dialog box 6-66
Edit Traffic Flow dialog box 56-16
Edit Translated Address dialog box 23-27
Edit Transparent EtherType dialog box 22-6
Edit Transparent Firewall Rule dialog box 22-5
Edit Transparent Mask dialog box 22-7
Edit Trend Content Filter Class Map dialog box 17-26, 21-17
Edit Trend Parameter Map dialog box 21-41
Edit Unified Access Control Entry dialog box 6-62
Edit Update Server Settings dialog box 11-36
Edit URL Domain Name dialog box 21-44
Edit URLF Glob Parameter Map dialog box 21-44
Edit URL Filter Parameter Map dialog box 21-42
Edit User Credentials dialog box 35-17
Edit User dialog box 12-12
Edit User Group dialog box
Advanced PIX 6.3 settings 33-66
Browser Proxy settings 33-72
Client (IOS) settings 33-63
Clientless settings 33-67
Client VPN Software Update (IOS) settings 33-65
DNS/WINS settings 33-61
General settings 33-60
IOS Xauth Options settings 33-64
overview 33-58
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN Connection settings 33-73
SSL VPN Full Tunnel settings 33-69
SSL VPN Split Tunneling settings 33-70
Technology settings 33-58
Thin Client settings 33-68
Edit VDI Server dialog box 33-12
Edit Virtual Sensor dialog box 37-7, 37-8
Edit VPN dialog box
Device Selection tab 24-32
Edit Endpoints dialog box 24-33
Endpoints tab 24-33
High Availability tab 24-48
Name and Technology tab 24-30
overview 24-28
Edit Web Access Control Entry dialog box 6-60
Edit Web Filter Map dialog box 21-46
Edit Web Filter Options dialog box 18-9
Edit Web Filter Type dialog box 18-8
Edit Websense Parameter Map dialog box 21-38
Edit Websense Web Filter Class Map dialog box 17-26, 21-17
Edit Web Type Access List dialog box 6-55
Edit Windows Messenger Class Map dialog box 17-26, 21-17
Edit WINS Server dialog box 33-74
Edit WINS Server List dialog box 33-74
Edit Yahoo Messenger Class Map dialog box 17-26, 21-17
Edit Zones dialog box 12-13
eDonkey class map objects
creating 21-15
match criteria 21-20
EIGRP routing
defining interface properties 64-10
defining routes 64-9
EIGRP Routing Policy page 64-13
Interface dialog box 64-16
Interfaces tab 64-15
on Cisco IOS routers 64-8
redistributing routes 64-12
Redistribution Mapping dialog box 64-18
Redistribution tab 64-17
Setup dialog box 64-14
Setup tab 64-13
e-mail
blocking spam using zone-based firewall rules 21-25
preventing DoS attacks 21-25
e-mail notifications
configuring SMTP server 1-25
PIX/ASA/FWSM
recipient set-up 52-3
syslog messages 52-3
Enable/disable NAT rules 23-32, 23-45
Enable PIM and IGMP
PIX/ASA/FWSM 53-1
Encapsulating Security Protocol (ESP) encryption algorithm 25-28
encoding rules
defining for SSL VPN (ASA) 30-45
encryption algorithms
3DES (Triple DES) 25-6
AES (Advanced Encryption Standard) 25-6
DES (Data Encryption Standard) 25-6
in IKE proposals 25-6
endpoints and protected networks
configuring dial backup 24-38
defining in GET VPN topologies 24-56
defining in VPN topologies 24-33
VPN Interface tab 24-35
Error Writing to Server deployment errors 9-15
ESMTP
configuring for inspection rules 17-18
ESMTP policy map objects
creating 17-21
match conditions and actions 17-35
properties 17-34
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes 65-49
defining IDSM VLANs 65-45
deleting IDSM VLANs 65-46
EtherChannels
ASA 45-8
edit assigned interface 45-11
LACP 45-11
load balancing 45-12
evaluation license
upgrading to permanent license 10-16
event
lists 52-4
add/edit 52-5
syslog class
add/edit 52-6
syslog message ID
add/edit 52-6
Event Action Filters page 39-7
Event Action Override dialog box 39-14
Event Action Overrides page 39-13
event actions, IPS
configuring filter rules 39-4
configuring network information 39-14
configuring OS maps 39-18
configuring overrides 39-13
configuring settings 39-21
configuring target value ratings 39-15
example filter rule 66-58
filter rule attributes 39-9
filter rules policy 39-7
filter rules tips 39-6
overview 39-1
possible actions 39-2
process overview 39-1
Event Management page 11-23
Event Manager service
configuring 66-27
managing 66-27
monitoring event store disk space 66-31
monitoring status 66-28
selecting devices to monitor 66-31
starting and stopping 66-27
status icon colors 66-28
events
archiving (backing up) the event data store 66-32
configuring firewall devices (ASA, FWSM) 66-25
configuring IPS devices 66-26
copying 66-48
CS-MARS 69-32
looking up 69-27
looking up policies based on related events 69-31
NetFlow support for policy lookup 69-33
viewing access rule events 69-28
viewing IPS signature events 69-30
ensuring time synchronization 66-25
Event Viewer
clearing filters 66-44
context menu 66-45
filtering by column 66-41
filtering by events 66-43
filtering overview 66-39
looking up policies based on related events 66-48
refreshing event table 66-40
selecting time range 66-39
text searches (quick filter) 66-44
using time slider with filtering 66-40
examining details 66-47
examples of analysis
mitigating botnet activity 66-56
monitoring and mitigating botnet activity 66-52
monitoring botnet activity using ASDM 66-56
monitoring botnet activity using Event Viewer 66-53
monitoring botnet activity using Report Manager 66-55
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-14
overview 66-50
removing false positive IPS events 66-58
understanding botnet syslog events 66-53
user access to server blocked 66-50
performing operations on 66-45
properties 66-16
recovering the event data store 66-32
saving to a file 66-48
understanding Event Viewer access control 66-3
viewing 66-1
Event Viewer
archiving (backing up) the event data store 66-32
arranging views 66-34
ASA devices, configuring to provide events 66-25
columns 66-16
configuring color rules 66-36
configuring Event Manager service 66-27
copying events 66-48
creating custom views 66-37
deleting custom views 66-39
editing view name and description 66-38
ensuring time synchronization 66-25
Event Monitoring window 66-12
events
context menu 66-45
event table
customizing appearance 66-35
event details pane 66-24
refreshing 66-40
time slider 66-23
toolbar 66-14
examining event details 66-47
examples of analysis
mitigating botnet activity 66-56
monitoring and mitigating botnet activity 66-52
monitoring botnet activity 66-53
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-14
overview 66-50
removing false positive IPS events 66-58
understanding botnet syslog events 66-53
user access to server blocked 66-50
features
historical views 66-2
overview 66-1
policy navigation 66-3
real-time views 66-2
views and filters 66-3
File menu reference 66-8
filters
advantages of using network/host objects 66-59
clearing 66-44
column based 66-41
event based 66-43
overview 66-39
submission requirements for policy objects 66-59
text searches (quick filter) 66-44
time range 66-39
time slider 66-40
floating views 66-34
FWSM devices, configuring to provide events 66-25
IPS devices, configuring to provide events 66-26
limits of 66-4
looking up Security Manager policies based on events 66-48
managing service 66-27
monitoring event store disk space 66-31
monitoring status 66-28
opening views 66-34
overview 66-7
performing operations on 66-45
preparation for use 66-24
recovering the event data store 66-32
saving events 66-48
saving views 66-38
selecting devices to monitor 66-31
settings 11-23
starting or stopping the Event Manager service 66-27
status icon colors 66-28
switching between IP addresses and host object names 66-36
switching between real-time and historical views 66-38
syslogs 66-6
troubleshooting
Event Viewer Unavailable message 11-23, 11-26, 66-27
policy objects not available for filtering 66-59
understanding access control 66-3
using 66-33
using views 66-33
view list 66-11
View menu reference 66-9
Event Viewer command 1-35
exclusive domains
configuring for IOS devices 18-10
Exit command 1-29
Exit command (Report Manager) 67-8
exiting
Cisco Security Management Suite server 1-10
CiscoWorks Common Services 1-10
Security Manager 1-9, 1-11
expiration dates
configuring for access rules 16-19
export
device inventory
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-9
HPM data 68-26
IPS event action overrides 39-13
IPS event filter rules 39-4, 39-7
policy objects 6-21
reports 67-23
shared policies 10-11
Export Devices or Policies commands 1-28
Export Inventory dialog box 10-6
Export Map command 1-31
External Product Interface dialog box 35-24
External Product Interface policy 35-23
F
factory-default configurations 45-2
failover
Active/Active
command replication 49-4
configuration synchronization 49-3
add new context to group 2 49-7
configuring in site-to-site VPN 24-48
edit bridge group 49-16
FWSM 49-12
advanced settings 49-15
PIX/ASA 49-17
Add Failover Group 49-24
settings 49-20
PIX/ASA/FWSM 49-10
active/active 49-2, 49-3
active/standby 49-2
bootstrap configuration 49-26
configuration basics 49-5
configuring 49-1
interface configuration 49-23
interface MAC address 49-22
security context 49-25
stateful 49-3, 49-4
stateless 49-3
types of 49-2
understanding 49-1
PIX 6.3 49-10
interface configuration 49-11
stateful in site-to-site VPN 24-50
false negatives
definition of 38-19
false positives
definition of 38-19
FastTrack class map objects
creating 21-15
match criteria 21-20
feature sets 1-4
File menu
Configuration Manager 1-28
Event Viewer 66-8
Report Manager 67-8
file objects
attributes 33-25
selecting 33-27
files
deploying to 8-11
selecting or specifying 1-47
Filter Item dialog box 39-9
filter rules, event action (IPS)
attributes 39-9
configuring 39-4
example rule 66-58
exporting 39-4
policy 39-7
tips 39-6
filters
Event Viewer
clearing 66-44
column based 66-41
context menu 66-45
event based 66-43
overview 66-39
refreshing event list 66-40
selecting time range 66-39
text searches (quick filter) 66-44
using time slider 66-40
filtering selectors 1-42
filtering tables 1-45
HPM
column based 68-15
custom 68-15
filters (Event Viewer)
advantages of using network/host objects 66-59
overview 66-3
submission requirements for policy objects 66-59
Find and Replace dialog box 12-17
find and replace in rules policies 12-16
Find Map Node command 1-31
Find Node dialog box 34-12
firewall
AAA firewall
advanced settings 15-19
configuring 15-6
MAC exempt lists 15-23
AAA firewall policy
advanced settings 15-19
configuring 15-6
AAA IOS Timeout Values 15-27
AAA page 15-25
AAA rules
configuring AAA firewall settings 15-6
configuring AuthProxy settings 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring security group aware 14-13
managing 15-1
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
Access Control page 16-21
access controls
per user downloadable ACLs 16-24
access control settings
configuring settings 16-20
access rule
event analysis example, user access blocked 66-50
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
viewing related CS-MARS events 69-28
access rules
address requirements 16-5
configuring 16-7
configuring expiration dates 16-19
configuring identity aware 13-21
configuring security group aware 14-13
how deployed 16-5
import examples 16-41
importing 16-37
IPS blocking, effect of 42-4
managing 16-1
optimizing during deployment 16-43
sharing ACLs among interfaces 11-14
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding requirements when using inspection 17-4
ACL naming conventions 12-5
adding rules 12-9
analysis reports 16-31
AuthProxy
configuring 15-9
AuthProxy settings policy
configuring 15-9
botnet traffic filter rules 19-9
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring policies in Map view 34-23
configuring settings 18-15
configuring settings policies in Map view 34-23
conflict detection 16-25
converting IPv4 rules 12-28
deleting rules 12-9
device types 45-1
disabling rules 12-20
editing rules 12-9
enabling rules 12-20
finding and replacing items in rules policies 12-16
Firewall ACL Setting dialog box 16-23
identity-aware policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15, 14-8, 14-10
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-27, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Inspection page 17-88
inspection rules
add/edit rule wizard 17-10, 17-12, 17-16
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
configuring security group aware 14-13
managing 17-1
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3, 17-16
understanding 17-1
understanding access rule requirements 17-4
inspection settings
configuring for IOS devices 17-88
introduction 12-1
IPv6 access rules
configuring expiration dates 16-19
sharing ACLs among interfaces 11-14
understanding global 16-3
MAC exempt lists, AAA firewall 15-23
managing rules tables 12-7
moving rules 12-19
object groups
expanding during discovery 12-35
optimizing network object groups during deployment 12-35
overview 12-1
per user downloadable ACLs 16-24
policy discovery 5-13
policy query
example report 12-34
generating reports 12-28
interpreting results 12-32
preserving ACL names 12-4
reference information for AAA rules 15-19
resolving access rule conflicts 16-31
resolving ACL naming conflicts 12-6
rule table sections 12-20
security group-aware policies
configuring 14-7
configuring ISE settings 11-40
configuring rules 14-13
managing 14-1
system variables 7-9
transparent rules
adding or editing a rule 22-5
configuring 22-1
configuring passthrough for IOS devices 22-3
editing the EtherType 22-6
editing the mask 22-7
managing 22-1
Transparent Rules page 22-3
TrustSec firewall policies
configuring 14-7
managing 14-1
overview 14-1
TrustSec policies
monitoring 14-14
understanding NAT effects 12-3
understanding rule order 12-19
understanding rule processing order 12-2
using rules tables 12-7
Web Filter page 18-16
web filter rules
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
managing 18-1
understanding 18-1
zone-based firewall
add/edit zones 21-52
advanced options 21-63
configuring PAM 21-65
configuring rules 21-12, 21-59
configuring settings 21-48
Content Filter tab 21-51
designing network zones 21-1
development overview 21-12
Global Parameters tab 21-49
page 21-49
protocol selection 21-64
rules table 21-57
tabs 21-48
VPN tab 21-49
WAAS tab 21-49
Zones tab 21-49
zone-based firewalls
changing the default drop rule 21-47
general recommendations 21-11
IPsec VPN 21-5
logging 21-1
overview 21-1
restrictions 21-3
Self zone 21-5
troubleshooting 21-53
understanding 21-3
understanding permit/deny and action 21-7
understanding services and protocols 21-10
VRF 21-6
Firewall AAA IOS Timeout Value Setting dialog box 15-27
Firewall AAA MAC Exempt Setting dialog box 15-24
Firewall ACL Setting dialog box 16-23
Firewall Device dialog box 42-14
Firewall Services Module
see FWSM 46-1
Fit to Window command 1-31
FlexConfig objects
adding to policies 7-34
ASA samples 7-19
Catalyst 6500/7600 samples 7-21
changing order in policies 7-34
changing variable values 7-34
Cisco IOS Software samples 7-21
CLI commands 7-2
configuring 7-24
configuring AAA for administrative introducers 60-84
creating 7-27
creating text objects 7-31
deleting variables 7-27
PIX firewall samples 7-23
previewing CLI 7-34
properties 7-29
property selector 7-33
removing from policies 7-34
router samples 7-23
samples 7-19
scripting language
example of looping 7-3
example of looping with if/else statements 7-4
example of two-dimensional looping 7-3
understanding 7-3
system variables
device 7-7
firewalls 7-9
remote access VPN 7-18
router 7-13
understanding 7-7
VPN 7-14
undefined variables 7-32
understanding 7-2
variables 7-5
variables, example 7-6
FlexConfig policies
adding objects 7-34
changing object order 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
editing 7-34
previewing CLI 7-34
removing objects 7-34
understanding 7-2
FlexConfig Policy page 7-35
FlexConfig Preview dialog box 7-37
FlexConfigs
creating (scenario) 7-24
managing 7-1
troubleshooting 7-37
FlexConfig Undefined Variables dialog box 7-32
float
report windows 67-25
view windows 66-34
floodguard 55-2
FQDN objects
creating 6-76
understanding 6-74
fragmentation
configuring settings in VPNs 25-40
fragments settings 55-2
frequently asked questions
policy discovery 5-25
FTP class map objects
creating 17-21
match criteria 17-38
FTP policy map objects
creating 17-21
match conditions and actions 17-38
properties 17-37
full mesh topologies
description 24-4
partial mesh 24-5
full tunnel client access mode 29-5
FWSM
AAA support 6-26
about 45-1
adding SSL thumbprints manually 9-4
adding when using multiple-context mode 3-7
adding when using non-default HTTPS (SSL) port 3-7
Asymmetric Routing Groups 45-5
Bridge Groups
add/edit 45-41
bridge groups 46-3
changing deployment method to serial for multiple-context mode 9-17
configuring for event management 66-25
configuring FWSM endpoints in site-to-site VPNs 24-44
configuring transparent firewall rules 22-1
credentials 3-18
deleting security contexts 57-4
deployment failures after changing interface policies 9-16
deployment failures in multiple-context mode 9-16
deployment failures with large ACLs 9-16
Device Access
managing Resources 50-2
Resources 50-3
Resources, add/edit 50-3
discovering failover modules 3-7
Event Viewer support 66-4
Failover 49-12
advanced settings 49-15
edit bridge group 49-16
including in deployment jobs 8-28
interfaces
add/edit 45-19
configuring 45-2
General tab 45-20
IPv6 45-29
IPv6, add/edit 45-33
IPv6, add/edit prefixes 45-34
managing 45-14
packet capture, using 69-18
PDM 69-5
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
security contexts
configuration 57-5
selecting policy types to manage 5-10
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-18
TCP State Bypass 56-3
troubleshooting deployment 9-15
G
General
PIX/ASA/FWSM
security policies 55-1
General Configuration tab, SNMP policy for IPS 35-10
General page, device properties 3-40
General tab, IPS blocking policy 42-10
General tab (Translation Rules)
PIX/ASA/FWSM 23-30
generic routers 3-8
GET VPN
anti-replay, time based 28-11
configuring 28-12
configuring global ISAKMP and IPsec settings 28-16
configuring group members 28-20
cooperative key servers 28-7
defining group encryption 24-50
generating, synchronizing RSA keys 28-13
group members
adding 28-19
editing 28-21
IKE proposal 28-15
key servers
adding 28-19
editing 28-19
mandatory and optional policies 24-6
migrating to 28-23
overview 28-1
receive-only SAs 28-23
registration
choosing the rekey transport mechanism 28-6
configuring fail-close mode 28-8
registration process 28-4
SAs
passive SA mode 28-23
receive-only mode 28-23
security policy 28-10
supported platforms 24-9
troubleshooting 28-25
understanding 28-2
GET VPNs
group encryption policies
certificate authorization 24-53
security associations 24-54
global correlation
configuring 41-1
configuring DNS servers 35-22
configuring HTTP proxy server 35-23
configuring inspection and reputation 41-5
configuring network participation 41-7
configuring with Botnet Traffic Filtering 41-1
data collected 41-3
requirements and limitations 41-4
understanding 41-1
understanding network participation 41-3
understanding reputation 41-2
Global Search
using 1-39
Global Search command 1-29
global settings
remote access VPN
configuring 25-29
Gnutella class map objects
creating 21-15
match criteria 21-20
GRE (generic routing encapsulation) VPN
advantages of IPsec tunneling with GRE 26-3
configuring 26-5
configuring GRE modes 26-6
dynamically addressed spokes 26-5
implementation 26-3
overview 26-1, 26-2
prerequisites for successful configuration 26-3
supported platforms 24-9
understanding 26-2
GRE Dynamic IP
mandatory and optional policies 24-6
GRE Modes Page
DMVPN properties 26-12
GRE or GRE Dynamic IP properties 26-6
overview 26-1
Group Domain of Interpretation (GDOI) protocol 28-3
group encryption
defining in GET VPN topologies 24-50
Group Encryption Policy page (GET VPN) 24-50
group members
adding 28-19
communication flow 28-2
configuring fail-close mode 28-8
editing 28-21
GET VPN
registration process 28-4
security policy ACLs 28-10
group members (GET VPN)
configuring 28-20
Group Members page (GET VPN) 28-20
group policies
configuring 30-21
creating 30-23
understanding 30-22
VPNs
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
Group Policies page 30-21
groups
adding or removing devices 3-60
creating 3-60
deleting 3-60
understanding 3-57
working with 3-57
group types
creating 3-59
deleting 3-60
GTP map objects
Add Country Network Codes dialog box 17-42
Edit Country Network Codes dialog box 17-42
GTP Map Timeouts dialog box 17-43
GTP policy map objects
creating 17-21
match conditions and actions 17-43
properties 17-40
H
H.323 class map objects
IOS
creating 21-15
match criteria 21-21
match criteria 17-48
H.323 policy map objects
ASA/PIX/FWSM
creating 17-21
properties 17-45
IOS
creating 21-15
match conditions and actions 21-34
match conditions and actions 17-48
hash algorithms
in IKE proposals 25-6
MD5 25-7
SHA 25-6
Health & Performance Monitor command 1-36
Health and Performance Monitor
see HPM 68-1
help
accessing 1-49
Help About This Page command 1-36
helper addresses 59-14
Help menu
Configuration Manager 1-36
Help Topics command 1-36
Hide Navigation Window command 1-32
high availability (HA groups)
configuring in Easy VPN 27-2
configuring in site-to-site VPN 24-48
stateful/stateless failover 24-50
high availability policies
configuring in remote access VPNs 32-11
Histogram dialog box 40-13
histograms
configuring anomaly detection 40-11
understanding anomaly detection 40-9
Hit Count Details
example 16-35
Hit Count Details page 16-33
Hit Count Selection Summary dialog box 16-18
Hostname
PIX/ASA/FWSM 50-1
hostnames
Cisco IOS routers
defining 60-77
Hostname Policy page 60-78
overview 60-77
HPM
access control 68-3
alerts 68-27
acknowledging 68-37
clearing 68-37
configuring 68-30
firewall 68-32
history 68-38
IPS 68-31
viewing 68-36
VPN 68-34
VPN, SNMP configuration 68-35
application window 68-6
Alerts display 68-28
Monitoring display 68-22
columns
Alert table 68-14
Device-related 68-8
showing/hiding 68-7
sorting 68-7
VPN-related 68-11
configuring for 68-4
custom views 68-21
device
monitoring 68-18
monitoring multiple contexts 68-3
priority monitoring 68-27
views 68-18
device manager
cross-launch 68-27
launching 68-2, 68-24
devices
managing 68-5
email notifications
configuring 68-30
export data 68-26
filters
column based 68-15
introduction 68-1
launching 68-4
List Filter 68-17
monitoring
device details 68-25
device status list 68-24
RA and S2S views 68-26
Summary 68-24
VPN details 68-25
VPN Summary list 68-24
overview 68-1
read time-out 2-3, 68-4
Remote Access
log-off user 68-26
settings page 11-26
tables
showing/hiding columns 68-7
sorting columns 68-7
trending 68-2
views
closing 68-20
custom 68-21
docking 68-21
floating 68-21
list 68-18
opening 68-20
tiling 68-20
HTML file
export HPM data as 68-26
HTTP
Cisco IOS routers
AAA tab 60-32
Command Authorization Override dialog box 60-34
defining policies 60-29
HTTP Policy page 60-31
overview 60-28
Setup tab 60-31
PIX/ASA/FWSM 48-2
configuration 48-2
HTTP (ASA, PIX) class map objects
creating 17-21
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 17-21
properties 17-50
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 17-21
properties 17-58
HTTP (IOS) class map objects
creating 21-15
creating for zone-based firewall content filtering 21-35
match criteria 21-21
HTTP (Zone Based IOS) policy map objects
creating 21-15, 21-35
match conditions and actions 21-34
HTTP class map objects
match criteria 17-59
HTTP-FORM
settings in AAA server objects 6-41
HTTP policy
overriding HTTPS port number 3-46
sharing
HTTPS port number 3-46
HTTP policy map objects
match conditions and actions 17-59
HTTP proxy server
configuring for IPS global correlation 35-23
HTTP Response Code 500 deployment errors 9-15
HTTPS
setting up 2-3
troubleshooting certificate errors 9-4
hub-and-spoke topology
description 24-2
joined hub-and-spoke topology 24-5
tiered hub-and-spoke topologies 24-5
I
ICMP rules
PIX/ASA/FWSM 48-3
add/edit 48-4
ICMP settings
configuring on IOS routers 59-18
icons
Configuration Manager toolbar reference 1-36
event table toolbar reference 66-14
Event Viewer status color code 66-28
map elements 34-14
ICQ class map objects
creating 21-15
match criteria 21-20
identity-aware firewall policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15, 14-8, 14-10
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-27, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Identity Configuration wizard
Active Directory Agent Settings 13-13
Active Directory Settings 13-11
Preview 13-15
Identity Settings page 11-27
identity user group objects
creating 13-19
selecting 13-21
user identity acquisition 13-2
idle timeout, Security Manager client 11-6
IDM
device manager 69-5
IDSM
adding when using non-default HTTPS (SSL) port 3-7
Create and Edit IDSM Data Port VLANs dialog boxes 65-50
Create and Edit IDSM EtherChannel VLANs dialog boxes 65-49
credentials 3-18
defining Data Port VLANs 65-46
defining EtherChannel VLANs 65-45
deleting Data Port VLANs 65-48
deleting EtherChannel VLANs 65-46
deployment failures when changing data port VLAN running mode 9-16
IDSM Settings page 65-48
IDSM Slot-Port Selector dialog box 65-51
mode support limitations 65-44
troubleshooting deployment 9-15
understanding settings on Catalyst devices 65-44
IGMP
PIX/ASA/FWSM
Access Group parameters 53-5
Access Group tab 53-5
enable 53-1
Join Group parameters 53-7
Join Group tab 53-7
page 53-2
parameters 53-4
Protocol tab 53-3
Static Group parameters 53-6
Static Group tab 53-6
ignore error message, configure Security Manager to 9-10
IKE (Internet Key Exchange)
comparing version 1 and 2 25-4
configuring IKE and IPsec policies 25-1
configuring IKEv2 authentication 25-62
configuring proposal 25-9
Diffie-Hellman modulus groups 25-7
encryption algorithms 25-6
hash algorithms 25-6
IKEv2 Authentication policy 25-64, 25-66
overview 25-2
selecting the IKE version for devices in site to site VPNs 25-25
understanding 25-5
IKE keepalive
understanding 25-30
IKE proposal objects
v1 properties 25-10
v2 properties 25-13
IKE proposals (policies)
in GET VPNs 28-15
IKEv2 Authentication dialog box 25-66
IKEv2 Authentication page 25-64
IKEv2 settings
configuring 25-34
configuring cookie challenges 25-34
IM (ASA7.2+/PIX7.2+) policy map objects
creating 17-21
properties 17-64
IM (IOS) policy map objects
creating 17-21
properties 17-67
IM (Zone Based IOS) policy map objects
creating 21-15
match conditions and actions 21-34
Image Management 70-1
supported versions 70-2
Image Manager 70-7, 70-14
abort installation job 70-32
Add Image 70-9
Bootstrapping Devices 70-6
bundled images 70-28
bundles 70-11
create 70-11
delete 70-13
rename 70-13
view images 70-12
compatible images 70-15
configuring install location 70-17
device memory 70-16
devices 70-14
Getting Started 70-1
Installation Job Summary 70-31
installation wizard 70-24
installing compatible images on devices 70-28
installing images on selected devices 70-29
job approval workflow 70-34
jobs 70-30
RAM 70-15
Repository 70-7
retry on installation failure 70-33
roll back 70-33
settings 11-29
supported image types 70-3
supported platforms 70-2
Troubleshooting 70-35
update validation 70-21
updating images on devices 70-18
Using 70-1
Admin Settings 70-4
View All Images 70-8
view device information 70-14
view installation job details 70-31
Image Manager command 1-35
images
view 70-8
image updates 70-18
IMAP
configuring for inspection rules 17-19
IMAP class map objects
creating 21-15
match criteria 21-23
IM applications
match conditions for zone-based firewalls 21-20
protocol information for IM application inspection 21-32
IMAP policy map objects
creating 21-15
match conditions and actions 21-34
IM class map objects
creating 17-21
match criteria 17-65
IM policy map objects
match conditions and actions 17-65
import
device inventory 3-29
device with policies 10-13
policy objects 6-21
Import Background Image dialog box 34-13
Import Rules wizard
Enter Parameters page 16-38
Preview page 16-40
Status page 16-39
inheritance
inheriting rules 5-43
understanding 5-4
understanding signature policies 38-3
versus assignment 5-6
Inherit Rules command 1-30
Inherit Rules dialog box 5-43
Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
inspection
deny rules 17-5
global correlation (IPS)
configuring 41-5
inspection map objects
understanding 6-72
inspection rules
ACL naming conventions 12-5
add/edit rule wizard 17-10, 17-12, 17-16
choosing interfaces 17-2
configuring 17-5
configuring custom protocol name 17-20
configuring DNS settings 17-18
configuring ESMTP settings 17-18
configuring fragment inspection 17-19
configuring identity aware 13-21
configuring in Map view 34-23
configuring RPC settings 17-20
configuring security group aware 14-13
configuring settings for IOS devices 17-88
configuring settings in Map view 34-24
configuring SMTP settings 17-18
deep inspection options
IMAP 17-19
POP3 17-19
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
Inspection Rules page 17-7
managing 17-1
moving 12-19
preserving ACL names 12-4
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3, 17-16
understanding 17-1
understanding access rule requirements 17-4
understanding NAT effects 12-3
understanding processing order 12-2
Inspection Rules page 17-7
Inspection settings page 17-88
inspect maps
policy maps
Add Country Network Codes dialog box 17-42
Edit Country Network Codes dialog box 17-42
Inspect parameter map objects
properties 21-29
Inspect Parameters map objects
creating 21-15, 21-35
installing
Security Manager client 1-11
Integrated Local Management Interface (ILMI) 59-49
Interactive Authentication Configuration dialog box 15-21
Interface Name Conflict dialog box 6-72
Interface Properties dialog box 34-19
Interface Role Contents dialog box 12-14
interface role objects
creating 6-68
defining subinterfaces 6-70
distinguishing from interfaces 6-70
handling conflicts between role and interface names 6-72
Interface Role dialog box 6-69
specifying during policy definition 6-70
understanding 6-67
use when a single interface name is allowed 6-71
interfaces
adding or changing modules 3-39
ASA
edit EtherChannel-assigned interface 45-11
EtherChannels 45-8, 45-12
LACP 45-11
ASA/FWSM
IPv6 45-29
IPv6, add/edit 45-33
IPv6, add/edit prefixes 45-34
ASA 5505 45-6
ASA devices
Advanced tab 45-27
IP Type 45-36
Catalyst switches and 7600 Series routers
Access Port Selector dialog box 65-30
Create and Edit Interface dialog boxes-Access Port mode 65-9
Create and Edit Interface dialog boxes-Dynamic Port mode 65-18
Create and Edit Interface dialog boxes-Other mode 65-24
Create and Edit Interface dialog boxes-Routed Port mode 65-12
Create and Edit Interface dialog boxes-subinterfaces 65-22
Create and Edit Interface dialog boxes-Trunk Port mode 65-14
Create and Edit VLAN dialog boxes 65-28
Create and Edit VLAN Group dialog boxes 65-34
defining ports 65-5
deleting ports 65-7
generating names 65-6
Interfaces/VLANs page-Interfaces tab 65-7
Interfaces/VLANs page-Summary tab 65-3
Interfaces/VLANs page-VLAN Groups tab 65-33
Interfaces/VLANs page-VLANs tab 65-27
Service Module Slot Selector dialog box 65-35
Trunk Port Selector dialog box 65-31
understanding 65-5
VLAN Selector dialog box 65-36
Cisco IOS routers
Advanced Interface Settings dialog box 59-16
Advanced Interface Settings page 59-15
available types 59-2
Create Router Interface dialog box 59-8
defining advanced settings 59-13
defining basic settings 59-3
defining CEF interface settings 59-24
defining IPS module settings 59-22
deleting from 59-6
generating names 59-4
Interface Auto Name Generator dialog box 59-12
overview 59-1
Router Interfaces page 59-7
understanding helper addresses 59-14
configuring IOS IPS rules 44-8
configuring multiple contexts 57-2
distinguishing from interface roles 6-70
failover
MAC address 49-22
PIX/ASA/FWSM 49-23
PIX 6.3 49-11
IPS
configuring 36-6
configuring bypass mode 36-12
configuring CDP mode 36-12
configuring inline interface pairs 36-13
configuring inline VLAN pairs 36-14
configuring physical 36-9
configuring VLAN groups 36-15
deploying VLAN groups 36-5
inline interface mode 36-3
inline VLAN pair mode 36-3
interfaces policy 36-6
managing interface configurations 36-1
physical interface properties 36-10
promiscuous mode 36-2
roles 36-1
sensing modes overview 36-2
understanding 36-1
viewing summary 36-8
VLAN group mode 36-4
IP Type
PIX 6.3 45-18
PIX/ASA
allocation in security contexts 57-8
IP Type 45-36
PPPoE Users 45-44
redundant 45-7
subinterfaces 45-7
VPDN groups 45-45
PIX/ASA/FWSM
add/edit 45-19
Advanced settings 45-42
configuring 45-2
contexts 45-5
DDNS update rules 51-18
enabling traffic between same security levels 45-43
General tab 45-20
manage 45-14
management access 48-5
understanding 45-3
PIX/ASA 7+ devices
MAC address 45-38
PIX 6.3
add/edit 45-15
routed and transparent 45-4
specifying during policy definition 6-70
specifying subinterfaces 6-70
throughput delay 59-18
Interface Selector dialog box (VLAN ACL Content) 65-43
Interfaces page (IPS) 36-6
Interface Specific Authentication Server Groups dialog box 30-13
Interface Specific Client Address Pools dialog box 30-10
inventory
deleting devices from 3-55
export devices
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-9
using command line utility 10-10
import devices
device with policies 10-13
inventory, device
adding devices 3-6
adding devices from configuration files 3-20
adding devices from inventory file 3-29
adding devices from network 3-11
adding devices manually 3-25
device status view
working with 3-61
managing 3-1
testing device connectivity 9-1
troubleshooting device discovery failures 3-7
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
viewing inventory status 69-1
working with 3-34
Inventory Status command 1-33
Inventory Status window 69-2
Inverse ARP 59-60
inverse multiplexing over ATM (IMA) 59-39
IOS devices
configuring transparent firewall rules 22-1
remote access IPsec VPNs
creating using wizard 29-35
user group policies 32-13
remote access SSL VPNs
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
creating using wizard 29-31
remote access VPNs
configuring SSL VPN policies 32-14
Context Editor dialog box (IOS) 32-15, 32-16
Dynamic VTI/VRF Aware IPsec settings 32-7
high availability 32-11
IPsec proposals 32-4
SDM 69-5
IOS IPS
effect of load balancing 44-7
comparing to IPS appliances and service modules 35-1
configuration files 44-3
configuration overview 44-3
configuring 44-1
configuring general settings 44-7
configuring interface rules 44-8
configuring target value ratings 39-15
event actions
filter rule attributes 39-9
filter rules 39-4, 39-7
filter rules tips 39-6
network information 39-14
overrides 39-13
overview 39-1
possible actions 39-2
process overview 39-1
settings 39-21
getting started 35-1
initial preparation of router 44-5
lightweight signature engines 44-2
limitations and restrictions 44-3
selecting signature category 44-6
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
inheritance 38-3
parameters list 38-21
policy 38-4
shortcut menu 38-7
understanding 38-1
viewing update level 38-9
understanding 44-1
understanding subsystems and revisions 44-2
IOS Software Release 12.1 and 12.2
managing routers 58-2
IOS Web Filter Exclusive Domain Name dialog box 18-14
IOS Web Filter Rule and Applet Scanner dialog box 18-13
IP address
supporting dynamic 3-35
IP addresses
network masks 6-75
specifying in policies 6-81
IP Options policy map objects
creating 17-21
properties 17-68
IPS
IPS Module router interface settings policies 59-22
MPC rule wizard
tab 56-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 56-5
IPS alerts
properties 66-16
IPS Certificates dialog box 43-10
IPS command 1-32
IPS Devices
selecting for Event Viewer 66-31
IPS devices
adding SSL thumbprints manually 9-4
allowed hosts 35-7
anomaly detection
configuring 40-6
configuring histograms 40-11
configuring learning accept mode 40-8
configuring signatures 40-4
configuring thresholds 40-11
detection zones 40-3
managing 40-1
modes 40-2
understanding 40-1
understanding histograms 40-9
understanding thresholds 40-9
understanding worms 40-2
when to turn off 40-4
blocking
configuring 42-7
configuring ARC 42-1
configuring blocking devices 42-14
configuring master blocking sensors 42-13
configuring never block hosts and networks 42-17
configuring router blocking interfaces 42-15
configuring user profiles 42-12
configuring VLAN blocking interfaces 42-16
general options 42-10
master blocking sensor 42-6
policy 42-8
rate limiting 42-4
router and switch blocking devices 42-4
strategies 42-3
understanding 42-1
capturing network traffic 35-2
certificates 43-10
changing those selected for reports 67-21
configuration overview 35-5
configuration overview for IOS IPS 44-3
configuring AAA 35-19
configuring Analysis Engine global variables 35-26
configuring DNS servers 35-22
configuring for event management 66-26
configuring for report management 67-3
configuring HTTP proxy server 35-23
configuring NTP 35-21
configuring OS maps 39-18
configuring SNMP 35-8
configuring target value ratings 39-15
configuring the external product interface 35-23
configuring user accounts 35-16
credentials, IPS router modules 3-19
deployment of passwords 35-15
deployment topology 35-4
discovery of passwords 35-15
event actions
example filter rule 66-58
filter rule attributes 39-9
filter rules 39-4, 39-7
filter rules tips 39-6
network information 39-14
overrides 39-13
overview 39-1
possible actions 39-2
process overview 39-1
settings 39-21
Event Viewer support 66-4
getting started 35-1
global correlation
configuring 41-1
configuring inspection and reputation 41-5
configuring network participation 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-1
understanding network participation 41-3
understanding reputation 41-2
initializing 2-12
interfaces
configuring 36-6
configuring bypass mode 36-12
configuring CDP mode 36-12
configuring inline interface pairs 36-13
configuring inline VLAN pairs 36-14
configuring physical 36-9
configuring VLAN groups 36-15
deploying VLAN groups 36-5
inline interface mode 36-3
inline VLAN pair mode 36-3
interfaces policy 36-6
managing interface configurations 36-1
physical interface properties 36-10
promiscuous mode 36-2
roles 36-1
sensing modes overview 36-2
understanding 36-1
viewing summary 36-8
VLAN group mode 36-4
IPS modules for ASA 56-14
license, exporting 11-43
licenses
automating 43-3
managing 43-1
redeploying 43-2
updating 43-1
looking up signature policies for CS-MARS events 69-31
looking up signature policies for Event Viewer events 66-48
managing 43-1
managing user accounts and passwords 35-13
monitoring
removing false positive IPS events 66-58
passive OS fingerprinting 39-17
password requirements 35-18
policy discovery 5-13
rebooting 43-11
Report Manager reports
general VPN reports 67-17
IPS top reports 67-16
rollback restrictions 8-62
showing containment 3-53
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
configuring settings 38-27
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
inheritance 38-3
parameters list 38-21
policy 38-4
shortcut menu 38-7
understanding 38-1
viewing update level 38-9
SSL certificate configuration 11-18
traffic flow notifications 35-26
tuning recommendations 35-4
understanding managed and unmanaged passwords 35-14
understanding network sensing 35-1
understanding user roles 35-13
updates
automatically applying 43-6
checking for and downloading 43-5
configuring server 43-4
managing 43-4
manually applying 43-7
user account attributes 35-17
viewing signature events in CS-MARS 69-30
virtual sensors
advantages 37-3
assigning interfaces 37-4
attributes 37-7
configuring 37-1, 37-5
deleting 37-10
editing policies 37-9
identifying 37-5
inline TCP session tracking mode 37-3
Normalizer mode 37-4
renaming 37-8
restrictions 37-3
understanding 37-1
IPsec
remote access VPNs
access policies for IKEv2 (ASA), configuring 30-40
access policies for IKEv2 (ASA), reference 30-37
access policies for IKEv2 (ASA), understanding 30-36
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1) 30-29
cluster load balancing 30-4, 30-5
configuring IKE and IPsec policies 25-1
connection profiles 30-6
connection profiles (ASA, PIX 7+) 30-8
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
Dynamic VTI/VRF Aware IPsec settings 32-7
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
high availability policies 32-11
IKE proposals 25-9
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
NAT settings 25-38
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
understanding 29-2
understanding IKE 25-5
understanding NAT settings 25-37
user group policies 32-13
VPNSM, VPN SPA, VSPA settings 32-6
wizard 29-13
IPsec/GRE VPN
advantages of IPsec tunneling with GRE 26-3
configuring 26-5
configuring GRE modes 26-6
dynamically addressed spokes 26-5
implementation 26-3
overview 26-1, 26-2
prerequisites for successful configuration 26-3
supported platforms 24-9
understanding 26-2
IPSec Client Software Update dialog box 30-18
IPsec Pass Through policy map objects
creating 17-21
properties 17-74
IPsec Proposal Editor dialog box
ASA and PIX 7.0+ devices 30-33
IOS and PIX 6.3 devices 32-4
IPsec proposals
configuring for Easy VPN 27-10
configuring for remote access VPNs
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring in site-to-site VPNs 25-21
overview 25-2
remote access VPNs
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring for ASA and PIX 7.0+ devices 30-33
configuring for IOS and PIX 6.3 devices 32-3
selecting the IKE version for devices 25-25
understanding 25-17
understanding crypto maps 25-18
understanding site-to-site 25-18
understanding transform sets 25-19
using reverse route injection 25-20
IPsec technologies
defining 24-30
mandatory and optional policies 24-6
policies 24-5
supported platforms 24-9
supported platforms for remote access VPNs 29-8
understanding 24-5
IPSec transform set objects
attributes 25-25
understanding 25-19
IPSec VPN
zone-based firewalls 21-5
IPS event
definition of 39-1
IPS interfaces
IPS Monitoring Information dialog box 59-23
IPS module
credentials 3-19
IPS Module Discovery dialog box 3-19
IPS Module interface settings policies 59-22
IPS Rules dialog box 44-9
IPS sensor
IDM 69-5
IPS sensors
default transport protocol 11-18
IPS signatures
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
tuning 66-58
viewing related CS-MARS events 69-30
IPS tab, Licensing page 11-42
IPS Updates page 11-31
IP Type
interface configuration
ASA and PIX 7+ 45-36
PIX 6.3 45-18
IPv4 pool objects
attributes 6-83
IPv6
interfaces
add/edit 45-33
add/edit prefixes 45-34
ASA/FWSM 45-29
management IPv4 address requirements 1-7
Neighbor cache 46-6
specifying addresses in policies 6-81
support in Security Manager 1-7
IPv6 access rules
ACL naming conventions 12-5
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
expiration dates 16-19
identity-aware rules
requirements 13-3
moving 12-19
preserving ACL names 12-4
sharing ACLs among interfaces 11-14
understanding global 16-3
understanding processing order 12-2
IPv6 policy map objects
match conditions and actions 17-71
properties 17-70
IPv6 pool objects
attributes 6-84
IPv6 static routes
PIX/ASA/FWSM
configuration 54-50
ISAKMP/IPsec settings
configuring 25-30
ISE Settings page 11-40
ISR
zone-based firewall
restrictions 21-3
J
job deployment methods
understanding 8-8
jobs
aborting 8-51
approving 8-39
creating and editing deployment in non-Workflow mode 8-29
creating and editing deployment in Workflow mode 8-36
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
rejecting 8-39
states
Workflow mode 8-6
submitting 8-39
joined hub-and-spoke topology 24-5
Join Group tab (IGMP) 53-7
JumpStart 1-22
Jumpstart command 1-36
K
Kazaa2 class map objects
creating 21-15
match criteria 21-20
Kerberos
configuring constrained delegation (KCD) 30-58
description 6-26
settings in AAA server objects 6-36
understanding constrained delegation (KCD) 30-56
key encryption key (KEK), GET VPN 28-4
key servers
adding 28-19
choosing the rekey transport mechanism 28-6
communication flow 28-2
cooperative, for redundancy 28-7
editing 28-19
generating, synchronizing RSA keys 28-13
registration failures 28-8
registration process 28-4
security policy ACLs 28-10
key servers (GET VPN)
configuring 28-18
Key Servers page (GET VPN) 28-18
Key Servers Selection dialog box 28-21
knowledge base structure (IPS) 40-8
L
LACP
interface assigned to an EtherChannel 45-11
large scale Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 24-6
Launch menu 1-35
Report Manager 67-8
LDAP
settings in AAA server objects 6-37
LDAP Attribute Map objects
attributes 6-43
learning accept mode (IPS), configuring 40-8
licenses
configuring for ASA devices 2-11
configuring for IOS devices 2-12
exporting IPS 11-43
IPS
automating 43-3
managing 43-1
redeploying 43-2
updating 43-1
Security Manager 10-16
License Update Status Details dialog box 11-44
licensing
Settings page 11-41
Lightweight Directory Access Protocol (LDAP)
description 6-26
lightweight signature engines 44-2
line access
Cisco IOS routers
Console Policy page 60-42
overview 60-35
VTY Policy page 60-50
Link Aggregation Control Protocol 45-11
Link Properties dialog box 34-20
load balancing
configuring in large scale DMVPN 26-16, 26-17
configuring IOS IPS deny actions 44-7
server attributes in large scale DMVPN 26-17
Local Policy Will Be Replaced dialog box 5-41
Local Web Filter class map objects
match criteria 21-28
Local web filter class map objects
creating 21-35
Local Web Filter parameter map objects
properties 21-37
Local web filter parameter map objects
creating 21-35
locking
activities 4-3
devices and policies 5-9
objects 5-10
understanding 5-7
VPN topologies 5-9
Log Buffer window 69-7
logging
Cisco IOS routers
defining NetFlow interfaces 62-15
defining NetFlow parameters 62-6
defining syslog servers 62-3
Logging Setup Policy page 62-7
NetFlow policy page 62-12
overview 62-1
Syslog Server dialog box 62-11
Syslog Servers Policy page 62-10
syslog setup parameters 62-1
syslog severity levels 62-4
PIX/ASA/FWSM 52-1
email notifications 52-3
email recipients 52-3
event lists 52-4
event lists, add/edit 52-5
filters 52-7
filters, editing 52-8
levels 52-18
logging setup 52-9
message classes and IDs 52-4
message editing 52-19
message limits 52-13
message limits, add/edit 52-13
NetFlow 52-1
NetFlow, add/edit collector 52-2
rate limit levels 52-12
rate limits, add/edit 52-14
server 52-16
server setup 52-15
set-up 52-10
syslog class 52-6
syslog message ID 52-6
syslog servers 52-20, 52-21
syslog servers, add/edit 52-22
syslog messages supported for CS-MARS queries 69-32
logging in to
Cisco Security Management Suite server 1-10
CiscoWorks Common Services 1-10
logging into
Security Manager 1-9, 1-11
Logging page, IPS platform 35-26
logs
configuring audit log default settings 11-45
configuring debug levels 11-8
Logs page 11-45
loopback cells 59-50
low-latency queuing (LLQ) 63-5
M
MAC address
interface configuration
ASA and PIX 7+ 45-38
PIX/ASA/FWSM
add/edit 46-8
interface 49-22
learning 46-8
learning, enable/disable 46-9
table 46-7
MAC address pool objects
attributes 6-85
MAC exempt lists
configuring 15-7, 15-23
rule attributes 15-24
Maintenance Operation Protocol (MOP), enabling 59-19
Management Access
PIX/ASA/FWSM
interface 48-5
management address
requirements for IPv6 devices 1-7
Management Center for Cisco Security Agents
configuring connection to IPS devices 35-23
connection attributes 35-24
posture ACLs 35-26
Management IP address
PIX/ASA/FWSM 46-10
Management IPv6
ASA 5505 46-10
Manage menu 1-32
Map menu 1-31
map objects
class maps
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
parameter maps
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
Inspect properties 21-29
Local Web Filter properties 21-37
N2H2 properties 21-38
Protocol Info properties 21-32
Trend properties 21-41
URLF Glob properties 21-44
URL Filter properties 21-42
Websense properties 21-38
policy maps
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
DCE/RPC properties 17-27
DNS properties 17-28
ESMTP properties 17-34
FTP properties 17-37
GTP properties 17-40
H.323 (ASA/PIX/FWSM) properties 17-45
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties 17-50
HTTP (ASA7.2+/PIX7.2+) properties 17-58
IM (ASA7.2+/PIX7.2+) properties 17-64
IM (IOS) properties 17-67
IP Options properties 17-68
IPsec Pass Through properties 17-74
IPv6 properties 17-70
NetBIOS properties 17-75
regular expression group properties 17-85
regular expression properties 17-86
SIP (ASA/PIX/FWSM) properties 17-77
Skinny properties 17-81
SNMP properties 17-84
TCP Map properties 56-20
Web Filter properties 21-46
regular expression objects
metacharacters 17-87
understanding 6-72
Map Properties command 1-31
Map Rule dialog box
connection profile map matching rules 30-32
connection profile maps 30-31
maps
access permissions 34-8
adding existing managed devices 34-16
adding new managed devices 34-16
arranging elements 34-11
background color 34-13
background images
deleting 34-13
importing 34-13
scale and position 34-13
setting 34-13
centering elements 34-11
changing the zoom level 34-11
class maps
Class Map dialog box 17-26, 21-17
creating 34-9
default map 34-9
deleting 34-10
displaying devices from Device View 34-16
displaying managed devices 34-16
displaying your network 34-14
elements, understanding 34-14
excluding private and reserved networks 11-2
exporting 34-11
icons 34-14
layer 3 links
autolink settings 11-2
creating 34-19
deleting 34-19
layouts, using 34-11
linking maps 34-13
navigation window 34-4
objects
adding 34-17
deleting 34-17
opening 34-10
overview 34-1
panning 34-11
refreshing 34-1
removing managed devices 34-16
renaming 34-10
saving 34-10
searching for nodes 34-12
selecting elements 34-12
setting background 34-13
showing containment for Catalyst, ASA, PIX, IPS devices 34-16
understanding 34-1
undocking window 34-2
working with 34-8
Map Settings dialog box 34-13
Map View
cloning devices 34-22
configuring firewall policies 34-23
configuring firewall settings policies 34-23
context menu
Layer 3 link 34-7
managed device node 34-5
map background 34-7
map objects 34-7
selected nodes 34-6
VPN connection 34-6
device policies, managing 34-22
discovering device configurations 34-22
icons for elements 34-14
main page 34-2
menus, context 34-5
navigation window 34-4
performing basic policy management 34-22
previewing device configurations 34-22
sharing device policies 34-22
toolbar reference 34-4
VPNs
creating 34-21
displaying existing 34-21
editing or showing peers 34-22
editing policies 34-22
managing 34-20
Map view
Autolink Settings page 11-2
copying between devices 34-22
overview 1-16, 34-1
Map View command 1-30
master blocking sensor 42-6
Master Blocking Sensor dialog box 42-13
maximum receive reconstructed unit (MRRU) 59-81
maximum segment size (MSS) 59-17
MBoundary
PIX/ASA/FWSM
configuration 53-9
interface configuration 53-10
MD5 hash algorithm 25-7
memory-allocation lite 60-80
memory settings
Cisco IOS routers
defining 60-78
overview 60-78
Memory Policy page 60-79
menu reference
Activities 1-34
Configuration Manager overview 1-27
Edit (Configuration Manager) 1-29
File (Configuration Manager) 1-28
File (Event Viewer) 66-8
File (Report Manager) 67-8
Help (Configuration Manager) 1-36
Launch 1-35
Launch (Report Manager) 67-8
Manage 1-32
Map 1-31
Policy (Configuration Manager) 1-30
Tickets 1-34
Tools (Configuration Manager) 1-33
Tools (Report Manager) 67-8
View (Configuration Manager) 1-30
View (Event Viewer) 66-9
message
editing
PIX/ASA/FWSM 52-19
PIX/ASA/FWSM
limits 52-13
limits, add/edit 52-13
rate limits, add/edit 52-14
message classes and IDs
PIX/ASA/FWSM 52-4
metacharacters
URLF Glob parameter maps 21-45
Modify Access List dialog box (Allowed Hosts policy) 35-7
Modify Physical Interface Map dialog box 36-10
monitoring
CS-MARS
integrating with Security Manager 69-21
device managers, using 69-4
device status 69-1
network activities 69-1
PRSM, launching 69-9
Move Row Down command 1-29
Move Row Up command 1-29
MPC
a.k.a. Modular Policy Framework 56-6
MRoute
PIX/ASA/FWSM
configuration 53-8
MRoute page
description 53-8
MSN Messenger class map objects
creating 21-15
match criteria 21-20
multicast
PIX/ASA/FWSM
Enable PIM and IGMP 53-1
IGMP Access Group parameters 53-5
IGMP Access Group tab 53-5
IGMP Join Group parameters 53-7
IGMP Join Group tab 53-7
IGMP parameters 53-4
IGMP Protocol tab 53-3
IGMP Static Group parameters 53-6
IGMP Static Group tab 53-6
MBoundary configuration 53-9
MBoundary interface configuration 53-10
MRoute configuration 53-8
Multicast Boundary Filter page 53-9
Multicast Group, add/edit 53-19
Multicast Group rule 53-17
PIM Bidirectional Neighbor Filter 53-14
PIM Bidirectional Neighbor Filter tab 53-13
PIM Neighbor Filter 53-13
PIM Neighbor Filter tab 53-12
PIM page 53-11
PIM Protocol dialog box 53-12
PIM Protocol tab 53-11
PIM Rendezvous Point, add/edit 53-16
PIM Rendezvous Points tab 53-15
PIM Request Filter tab 53-18
PIM Route Tree tab 53-17
Multicast Boundary Filter page
description 53-9
multicast rekey in GET VPN 28-6
multicast routing
PIX/ASA/FWSM
configuring on 53-1
IGMP 53-2
multicast boundary filters 53-9
multicast routes 53-8
PIM 53-11
Multiclass Multilink PPP (MCMP) 59-74
multilink PPP (MLP) 59-70
defining bundles 59-74
multiple users
activities 4-4
tickets 4-4
N
N2H2 (Smartfilter)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-35, 21-38, 21-40
N2H2 class map objects
creating 21-35
match criteria 21-29
N2H2 parameter map objects
creating 21-35
properties 21-38
NAC
posture validation not occurring 9-15
NAT
VPN traffic sent unencrypted 9-14
NAT policies
Add/Edit Per-Session NAT rules dialog boxes 23-46
NBAR
enabling protocol discovery 59-19
Neighbor cache 46-6
Neighbor Filter
PIM
PIX/ASA/FWSM 53-13
Neighbor Filter tab
PIM 53-12
NetBIOS logout probe
configuring 13-15, 14-8, 14-10
requirements 13-5
NetBIOS policy map objects
creating 17-21
properties 17-75
NetFlow
Cisco IOS routers 62-1, 62-5
interface settings 62-15
configuring
on Cisco IOS routers 62-6
CS-MARS query 69-33
IOS routers 62-12
PIX/ASA/FWSM 52-1
add/edit collector 52-2
network/host objects
attributes 6-77
attributes, NAT 23-41
creating 6-76
naming when provisioned as object groups 6-92
network masks 6-75
optimizing when deploying firewall rules 12-35
understanding 6-74
unspecified value objects 6-80
using in Event Viewer filters 66-59
network access device (NAD) 61-9
Network Address Translation (NAT)
Add/Edit Per-Session NAT rules dialog boxes 23-46
ASA 8.3+
Add/Edit NAT rules dialog boxes 23-35
Translation Rules page 23-32
understanding 23-3
ASA 8.3 devices 23-32
Cisco IOS routers 23-5
Dynamic Rule dialog box 23-11
dynamic rules 23-10
Interface Specification 23-6
Static Rule dialog box 23-7
static rules 23-6
Static Rules tab 23-6
timeouts 23-13
configuring global options for VPNs 25-38
non-ASA 8.3 devices 23-17
No Proxy ARP 23-38, 23-44
PAT pool 23-40
Per-session NAT rules 23-45
PIX/ASA/FWSM
Address Pool dialog box 23-17
Address Pools page 23-17
Advanced NAT Options dialog box 23-28
configuring on 23-15
configuring translation rules 23-18
Dynamic Rules dialog box 23-21
Dynamic Rules tab 23-21
General tab 23-30
non-ASA 8.3 23-17
Policy Dynamic Rules dialog box 23-24
Policy Dynamic Rules tab 23-23
Select Address Pool 23-22
Static Rules dialog box 23-26
Static Rules tab 23-25
Translation Exemptions (NAT 0 ACL) dialog box 23-20
Translation Exemptions (NAT 0 ACL) tab 23-19
Translation Options page 23-15
Translation Rules page 23-18
translation types 23-3
transparent mode 23-15
understanding 23-2
round robin allocation 23-40
understanding NAT effects on firewall rules 12-3
understanding NAT settings for VPNs 25-37
understanding NAT traversal 25-38
Network Admission Control (NAC)
Cisco Trust Agent 61-9
components 61-9
defining identity parameters 61-13
defining interface parameters 61-11
defining setup parameters 61-10
Identities tab 61-18
Identity Action dialog box 61-19
Identity Profile dialog box 61-19
Interface Configuration dialog box 61-17
Interfaces tab 61-16
NAC Policy page 61-14
network access device (NAD) 61-9
on Cisco IOS routers 61-8
Setup tab 61-14
supported platforms 61-8
understanding system flow 61-9
Network Information page (IPS) 39-14
network masks
discontiguous 6-75
discovering 6-76
displaying 6-76
understanding 6-75
network participation, IPS
configuring 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-3
understanding global correlation 41-1
understanding reputation 41-2
network sensing
capturing network traffic 35-2
deployment topology 35-4
overview 35-1
tuning recommendations 35-4
Network Time Protocol (NTP)
Cisco IOS routers
creating NTP servers 60-97
NTP Policy page 60-98
NTP Server dialog box 60-99
overview 60-96
Never Block Host dialog box 42-17
Never Block Network dialog box 42-17
New Activity command 1-34
New Device command 1-28
New Device Groups command 1-29
New Device wizard
Choose Method page 3-6
Device Grouping page 3-48
Device Information page - Add Device from File 3-31
Device Information page - Configuration File 3-22
Device Information page - Network 3-13
Device Information page - New Device 3-26
New Map command 1-31
New or Edit CS-MARS Device dialog box 11-5
New Ticket command 1-34
NHRP
DMVPN spoke-to-spoke connections 26-11
Node Properties dialog box 34-18
Non-Workflow mode
viewing
device details 8-27
non-Workflow mode
changing modes 1-26
comparing with Workflow mode 1-20
configuration files
deploying 8-29
previewing 8-45
configurations
rolling back 8-65
creating tickets 4-14
deployment 8-3
deployment jobs
aborting 8-51
Deployment Status Details dialog box 8-33
opening tickets 4-15
taking over another user session 10-23
understanding 1-20
No Proxy ARP
NAT rule 23-38, 23-44
PIX/ASA/FWSM Platform 54-1
notifications, e-mail
configuring SMTP server 1-25
NS Lookup 69-14, 69-17
NT
settings in AAA server objects 6-40
NTP
PIX/ASA/FWSM 51-19
server configuration 51-20
NTP policy, IPS platform 35-21
NTP server
configuring for IPS devices 35-21
O
object groups
policy discovery 5-14
object group search
ASA 8.3+ devices 16-22
PIX 6.3 devices 16-24
objects
AAA server
HTTP-FORM settings 6-41
Kerberos settings 6-36
LDAP settings 6-37
NT settings 6-40
RADIUS settings 6-32
SDI settings 6-40
TACACS+ settings 6-35
AAA server groups
attributes 6-46
creating 6-45
default server groups on IOS devices 6-28
predefined authentication groups 6-28
understanding 6-24
AAA servers
creating 6-29
supported additional types for ASA/PIX/FWSM 6-26
supported types 6-25
understanding 6-24
access control lists
creating 6-49
extended objects 6-50
standard objects 6-51
unified objects 6-54
web objects 6-52
ASA group policies
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
basic procedures 6-9
categories, using 6-12
changes in Security Manager 4.4 1-9
Cisco Secure Desktop configuration
creating 32-18
class map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
cloning (duplicating) 6-13
configuring for remote access VPN 33-1
creating 6-9
credentials
attributes 27-9
DCE/RPC policy map
properties 17-27
deleting 6-16
DNS policy map
properties 17-28
editing 6-12
ESMTP policy map
properties 17-34
exporting 6-21
file objects
attributes 33-25
selecting 33-27
FlexConfig
creating text objects 7-31
properties 7-29
property selector 7-33
undefined variables 7-32
FlexConfigs
adding to policies 7-34
changing order in policies 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
creating 7-27
previewing CLI 7-34
removing from policies 7-34
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-37
generating usage reports 6-14
GTP policy map
properties 17-40
H.323 (ASA/PIX/FWSM) policy map
properties 17-45
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-50
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-58
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 25-10
v2 properties 25-13
IM (ASA7.2+/PIX7.2+) policy map
properties 17-64
IM (IOS) policy map
properties 17-67
importing 6-21
Inspect parameter map
properties 21-29
interface roles
creating 6-68
IP Options policy map
properties 17-68
IPsec Pass Through policy map
properties 17-74
IPSec transform sets
attributes 25-25
understanding 25-19
IPv6 policy map
properties 17-70
LDAP attribute map objects
attributes 6-43
Local Web Filter parameter map
properties 21-37
locking
effects on activities 4-3
managing 6-1
maps
understanding 6-72
N2H2 parameter map
properties 21-38
NetBIOS policy map
properties 17-75
network/host
optimizing when deploying firewall rules 12-35
understanding 6-74
using in Event Viewer filters 66-59
network/host objects
naming when provisioned as object groups 6-92
networks/hosts
creating 6-76
unspecified value objects 6-80
object selectors 6-2
overrides
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-18
deleting 6-21
managing 6-17
understanding 6-17
overview 1-18
parameter map
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
PKI enrollments
defining CA server properties 25-55
defining certificate attributes 25-61
defining enrollment parameters 25-59
defining trusted CA hierarchy 25-62
properties 25-54
policy map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
port forwarding lists
properties 33-28
port list objects
naming when provisioned as object groups 6-92
port lists
creating 6-86
properties 6-87
Protocol Info parameter map
properties 21-32
provisioning as object groups 6-91
regular expression group policy map
properties 17-85
regular expression objects
metacharacters 17-87
regular expression policy map
properties 17-86
security group
creating 14-12
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-92
provisioning as object groups 6-92
services
creating 6-86
single sign-on server
properties 33-30
SIP (ASA/PIX/FWSM) policy map
properties 17-77
Skinny policy map
properties 17-81
SLA monitors
attributes 50-9
configuring 50-8
understanding 50-7
SNMP policy map
properties 17-84
SSL VPN Bookmark
configuring 30-70
post URL method and macro substitutions 30-72
SSL VPN Customization
configuring 30-66
creating custom Logon page 30-70
localizing 30-68
SSL VPN gateway
properties 33-50
SSL VPN smart tunnel auto sign-on list
attributes 33-55
SSL VPN smart tunnel list
attributes 33-52
configuring 30-73
TCP Map policy map
properties 56-20
text
creating 7-31
time ranges
attributes for recurring ranges 6-67
configuring 6-66
traffic flow
default inspection traffic 56-18
properties 56-16
Trend parameter map
properties 21-41
TrustSec security group
selecting 14-13
URLF Glob parameter map
properties 21-44
URLF Glob parameter maps
metacharacters 21-45
URL Filter parameter map
properties 21-42
user groups
advanced PIX 6.3 settings 33-66
browser proxy settings 33-72
clientless settings 33-67
client VPN software update (IOS) settings 33-65
DNS/WINS settings 33-61
general settings 33-60
IOS client settings 33-63
IOS Xauth settings 33-64
split tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN connection settings 33-73
SSL VPN full tunnel settings 33-69
SSL VPN split tunneling settings 33-70
technology settings 33-58
thin client settings 33-68
using global search to find specific objects 1-39
viewing details 6-14
Web Filter policy map
properties 21-46
Websense parameter map
properties 21-38
WINS server lists
attributes 33-74
creating 30-76
object selectors 6-2
Object Usage dialog box 6-14
Obsoletes dialog box 38-26
OOB (Out of Band) Changes dialog box 8-48
OOB (out of band changes)
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
Openable Activities dialog box 4-15
Openable Tickets dialog box 4-15
Open Activity command 1-34
Open command (Report Manager) 67-8
Open Map command 1-31
Open Map dialog box 34-10
Open Ticket command 1-34
OS Identifications tab, IPS Network Information policy 39-18
OS Map dialog box 39-20
OSPF
interaction with NAT 54-2
LSAs 54-2
OSPF interfaces
blocking LSA flooding 64-27
defining on Cisco IOS routers 64-25
disabling MTU mismatch detection 64-27
Interface dialog box 64-31
OSPF Interface Policy page 64-30
understanding
authentication 64-29
cost 64-26
network types 64-29
priority 64-26
timer settings 64-28
OSPF parameters
dead interval 54-21, 54-36
hello interval 54-21
retransmit interval 54-21, 54-36
transmit delay 54-21, 54-37
OSPF redistribution
defining mappings 64-22
defining maximum prefix values 64-23
understanding 64-22
OSPF routing
Cisco IOS routers
Area dialog box 64-37
Area tab 64-36
defining area settings 64-21
defining interface settings 64-25
defining setup parameters 64-20
Edit Interfaces dialog box 64-36
Max Prefix Mapping dialog box 64-41
OSPF Process Policy page 64-34
overview 64-19
redistributing routes 64-22
Redistribution Mapping dialog box 64-39
Redistribution tab 64-38
Setup dialog box 64-35
Setup tab 64-35
PIX/ASA/FWSM
advanced settings 54-4
Area/Area networks 54-7
Area Range 54-9
Area tab 54-6
Filtering configuration 54-16
Filtering tab 54-15
General tab 54-3
Interface configuration 54-20
Interface tab 54-18
Neighbors tab 54-10
policy 54-2
Range tab 54-8
Redistribution rule 54-11
Redistribution tab 54-11
static neighbor 54-10
Summary Address configuration 54-18
Summary Address tab 54-17
Virtual Link configuration 54-13
Virtual Link MD5 configuration 54-15
Virtual Link tab 54-13
OSPFv3
LSAs 54-22
OSPFv3 routing
PIX/ASA/FWSM
advanced settings 54-25
Area/Area networks 54-29
Area Range 54-30
Area tab 54-28
Interface configuration 54-35
Interface tab 54-34
policy 54-22
Process tab 54-24
Redistribution rule 54-32
static neighbor 54-38
Summary Prefix configuration 54-34
Virtual Link configuration 54-31
OS version mismatches
handling 8-13
other settings
configuring for SSL VPN (ASA) 30-41
out-of-band changes
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
overrides
allowing overrides 6-18
creating for multiple devices 6-19
creating for single device 6-18
deleting 6-21
managing 6-17
understanding 6-17
overview
activities 1-18
device monitoring 1-6
IPv6 support 1-7
policies 1-18
ticketing 1-18
user permissions 1-10
workflow 1-18
P
P2P applications
match conditions for zone-based firewalls 21-20
P2P policy map objects
creating 21-15
match conditions and actions 21-34
packageMonitorInterval 43-6
packet capture 69-18
Packet Capture Wizard command 1-33
packet tracer 69-12
Pair dialog box 44-10
PAM
zone-based firewall
configuring 21-65
parameter maps
understanding 6-72
partial_backup.pl command 10-29
partial mesh topologies 24-5
participation, network
configuring 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-3
understanding global correlation 41-1
understanding reputation 41-2
passive OS fingerprinting on IPS sensors
configuring 39-18
understanding 39-17
Password Requirements policy, IPS platform 35-18
passwords
admin, changing 10-23
configuring IPS requirements 35-18
configuring IPS user account 35-16
discovery and deployment of IPS 35-15
managing IPS requirements 35-13
understanding managed and unmanaged IPS passwords 35-14
Paste command 1-29, 12-9
PAT
pools 23-40
PDF file
export HPM data as 68-26
PDM
device manager 69-5
Peers page 24-33
performance settings
configuring for SSL VPN (ASA) 30-42
performance tuning 43-6
permanent virtual connections (PVCs)
Define Mapping dialog box 59-64
defining ATM PVCs 59-50
defining OAM management 59-53
on Cisco IOS routers 59-46
PVC Advanced Settings dialog box 59-65
PVC dialog box 59-55
PVC Policy page 59-54
understanding
ATM management protocols 59-48
ATM service classes 59-47
ILMI 59-49
Operation, Administration, and Maintenance (OAM) 59-50
virtual paths and channels 59-46
per-session NAT rules 23-45
Add/Edit Per-Session NAT rules dialog boxes 23-46
PIM
configuring on firewall devices 53-11
PIX/ASA/FWSM
Bidirectional Neighbor Filter 53-14
Bidirectional Neighbor Filter tab 53-13
enable 53-1
Multicast Group, add/edit 53-19
Multicast Group rule 53-17
Neighbor Filter 53-13
Neighbor Filter tab 53-12
page 53-11
PIM Protocol dialog box 53-12
Protocol tab 53-11
Rendezvous Point, add/edit 53-16
Rendezvous Points tab 53-15
Request Filter tab 53-18
Route Tree tab 53-17
ping 69-14, 69-15
Ping, TraceRoute and NSLookup command 1-33
PIX
PDM 69-5
PIX/ASA
boot image/configuration 47-9
add/edit 47-10
failover 49-17
settings 49-20
interfaces
Advanced tab 45-27
IP Type 45-36
MAC address 45-38
PPPoE Users 45-44
redundant 45-7
subinterfaces 45-7
VPDN groups 45-45
security contexts
allocate interfaces 57-8
configuration 57-7
viewing allocated interfaces 57-9
PIX/ASA/FWSM
AAA 47-5
Authentication tab 47-5
about AAA 47-1
bridging 46-1
clock settings 47-11
configuring banners 47-8
credentials 47-13
Device Access
Server Access 51-1
device administration policies 47-1
Failover
bootstrap configuration 49-26
interface MAC address 49-22
failover
active/active 49-3
interface configuration 49-23
security context 49-25
understanding 49-1
interfaces
add/edit 45-19
Advanced settings 45-42
configuring 45-2
contexts 45-5
General tab 45-20
managing 45-14
operating modes 45-4
understanding 45-3
security contexts
about 57-1
Server Access
AUS, add/edit server 51-3
AUS page 51-1
DDNS interface rule 51-18
DDNS page 51-17
DDNS update methods 51-18
DDNS update methods, add/edit 51-19
DHCP Relay, add/edit agent 51-5
DHCP Relay, add/edit server 51-6
DHCP Relay page 51-5
DHCP Server, add/edit 51-11
DHCP Server, advanced configuration 51-12
DHCP Server, options 51-13
DHCP Server page 51-10
DHCPv6 Relay, add/edit agent 51-8
DHCPv6 Relay, add/edit server 51-9
DHCPv6 Relay page 51-7
DNS page 51-13
DNS server, add 51-16
DNS server group 51-15
NTP page 51-19
NTP server configuration 51-20
SMTP page 51-21
TFTP server page 51-22
stateful 49-4
PIX/ASA/FWSM Platform
AAA
Accounting tab 47-7
Authorization tab 47-6
anti-spoofing 55-2
ARP configuration 46-4
ARP Inspection 46-5
enable/disable 46-6
ARP Table 46-3
configuring DHCP servers 51-9
configuring multicast routing 53-1
configuring routing 54-1
Device Access 48-1
console timeout 48-1
host name 50-1
HTTP configuration 48-2
HTTP page 48-2
ICMP rules 48-3
ICMP rules, add/edit 48-4
Management Access interface 48-5
Secure Shell, add/edit host 48-6
Secure Shell (SSH) 48-5
SNMP host access 48-12
SNMP page 48-8
SNMP Trap configuration 48-9
Telnet configuration 48-14
Telnet page 48-13
user accounts 50-6
user accounts, add/edit 50-7
failover 49-10
failover configuration 49-1
failover configuration basics 49-5
floodguard 55-2
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules 56-5
wizard 56-6, 56-8
logging 52-1
email notifications 52-3
email recipients 52-3
event lists 52-4
event lists, add/edit 52-5
filters 52-7
filters, editing 52-8
levels 52-18
message classes and IDs 52-4
message editing 52-19
message limits 52-13
message limits, add/edit 52-13
NetFlow 52-1
NetFlow, add/edit collector 52-2
rate limits, add/edit 52-14
server 52-16
set-up 52-10
syslog class 52-6
syslog message ID 52-6
syslog servers 52-21
syslog servers, add/edit 52-22
MAC Address
add/edit 46-8
MAC Address Table 46-7
MAC learning 46-8
enable/disable 46-9
Management IP address 46-10
multicast
Enable PIM and IGMP 53-1
group, add/edit 53-19
IGMP Access Group parameters 53-5
IGMP Access Group tab 53-5
IGMP Join Group parameters 53-7
IGMP Join Group tab 53-7
IGMP page 53-2
IGMP parameters 53-4
IGMP Protocol tab 53-3
IGMP Static Group parameters 53-6
IGMP Static Group tab 53-6
MBoundary configuration 53-9
MBoundary interface configuration 53-10
MRoute configuration 53-8
Multicast Boundary Filter page 53-9
Multicast Group rule 53-17
Multicast Routes page 53-8
PIM Bidirectional Neighbor Filter 53-14
PIM Bidirectional Neighbor Filter tab 53-13
PIM Neighbor Filter 53-13
PIM Neighbor Filter tab 53-12
PIM page 53-11
PIM Protocol dialog box 53-12
PIM Protocol tab 53-11
PIM Rendezvous Point, add/edit 53-16
PIM Rendezvous Points tab 53-15
PIM Request Filter tab 53-18
PIM Route Tree tab 53-17
NAT policies 23-17
Address Pools dialog box 23-17
Address Pools page 23-17
Advanced NAT Options dialog box 23-28
Dynamic Rules dialog box 23-21
Dynamic Rules tab 23-21
General tab 23-30
Policy Dynamic Rules dialog box 23-24
Policy Dynamic Rules tab 23-23
Select Address Pool 23-22
Static Rules dialog box 23-26
Static Rules tab 23-25
Translation Exemptions (NAT 0 ACL) dialog box 23-20
Translation Exemptions (NAT 0 ACL) tab 23-19
Translation Options page 23-15
Translation Rules page 23-18
policy configuration 45-1
priority queues 56-4
priority queues configuration 56-4
routing
IPv6 Static Route configuration 54-50
IPv6 Static Route page 54-50
No Proxy ARP 54-1
OSPF 54-2
OSPF - advanced settings 54-4
OSPF - Area/Area networks 54-7
OSPF - Area Range 54-9
OSPF - Area tab 54-6
OSPF - Filtering configuration 54-16
OSPF - Filtering tab 54-15
OSPF - General tab 54-3
OSPF - Interface configuration 54-20
OSPF - Interface tab 54-18
OSPF - Neighbors tab 54-10
OSPF - Range tab 54-8
OSPF - Redistribution rule 54-11
OSPF - Redistribution tab 54-11
OSPF - static neighbor 54-10
OSPF - Summary Address configuration 54-18
OSPF - Summary Address tab 54-17
OSPFv3 54-22
OSPFv3 - advanced settings 54-25
OSPFv3 - Area/Area networks 54-29
OSPFv3 - Area Range 54-30
OSPFv3 - Area tab 54-28
OSPFv3 - Interface configuration 54-35
OSPFv3 - Interface tab 54-34
OSPFv3 - Process tab 54-24
OSPFv3 - Redistribution rule 54-32
OSPFv3 - static neighbor 54-38
OSPFv3 - Summary Prefix configuration 54-34
OSPFv3 - Virtual Link configuration 54-31
OSPF - Virtual Link configuration 54-13
OSPF - Virtual Link MD5 configuration 54-15
OSPF - Virtual Link tab 54-13
RIP (PIX/ASA 6.3–7.1, FWSM) 54-41
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 54-41
RIP (PIX/ASA 7.2+) 54-42
RIP (PIX/ASA 7.2+) Filtering 54-46
RIP (PIX/ASA 7.2+) Filtering configuration 54-47
RIP (PIX/ASA 7.2+) Interface 54-47
RIP (PIX/ASA 7.2+) Interface configuration 54-48
RIP (PIX/ASA 7.2+) Redistribution 54-45
RIP (PIX/ASA 7.2+) Redistribution configuration 54-45
RIP (PIX/ASA 7.2+) Setup 54-43
RIP page 54-40
Static Route configuration 54-49
Static Route page 54-48, 54-49
security contexts
managing 57-4
security group aware IPS, QoS, and Connection Rules 14-13
security policies 55-1
General configuration 55-3
General page 55-1
timeouts 55-4
service policy
wizard 56-6
service policy rules 56-1
SNMP configuration 48-7
traffic class 56-7
Unicast Reverse Path Forwarding 55-2
PIX/ASA/FWSM Platform policies
bridging 46-1
configuring fragment settings 55-2
configuring NAT 23-15
transparent mode 23-15
PIX 6.3
Failover
interface configuration 49-11
failover 49-10
interface configuration
IP Type 45-18
interfaces
add/edit 45-15
PIX 7.x
Failover
Add Failover Group 49-24
PIX devices
AAA support 6-26
about 45-1
monitoring service level agreements 50-7
remote access VPNs
IPsec proposals 30-33
user group policies for PIX 6.3 32-13
selecting policy types to manage 5-10
PIX Firewall
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
PIX Firewalls
configuring transparent firewall rules 22-1
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
PIX firewalls
access controls
access list compilation 16-25
object group search 16-24
adding SSL thumbprints manually 9-4
FlexConfig object samples 7-23
packet capture, using 69-18
packet tracer, using 69-12
SSL certificate configuration 11-18
PKI (Public Key Infrastructure) policies
CA server authentication methods 25-47
defining multiple CA servers 25-51
enrollment requirements 25-48
understanding 25-47
using TFTP 25-49
PKI enrollment
prerequisites using TFTP 25-49
requirements 25-48
PKI enrollment objects
defining CA server properties 25-55
defining certificate attributes 25-61
defining enrollment parameters 25-59
defining trusted CA hierarchy 25-62
properties 25-54
plug ins
configuring browser 30-50
Point-to-Point Protocol (PPP)
defining connections 59-71
defining multilink PPP bundles 59-74
on Cisco IOS routers 59-70
PPP/MLP Policy page 59-75
PPP dialog box 59-76
understanding multilink PPP (MLP) 59-70
point-to-point topologies
description 24-3
policies
adding local rules to shared policies 5-42
assigning shared policies 5-41
basic concepts
inheritance vs. assignment 5-6
local vs. shared 5-3
managing 5-29
overview 5-1
rule inheritance 5-4
service vs. platform-specific 5-2
settings-based vs. rule-based 5-2
shared policies in Device view or Site-to-Site VPN Manager 5-34
signature inheritance 38-3
status icons 5-28
cloning shared policies 5-44
configuring IKE and IPsec for VPNs 25-1
copying between devices 5-31
creating shared 5-51
deleting shared 5-53
Device view
configuring local policies 5-29
managing 5-28
modifying assignments 5-46
modifying shared policies 5-45
discovering 5-12
discovering on existing devices 5-15
exporting 10-11
exporting with device inventory 10-6
FlexConfigs
adding objects 7-34
changing object order 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
editing 7-34
FlexConfig Policy page 7-35
previewing CLI 7-34
removing objects 7-34
understanding 7-2
importing 10-13
inheriting rules 5-43
locking 5-7
managing 5-1
object selectors 6-2
overview 1-18
performing basic policy management in Map view 34-22
PKI (Public Key Infrastructure) 25-47
policy banner 5-35
policy discovery FAQ 5-25
policy management and objects 5-7
Policy view
managing 5-47
modifying assignments 5-51
preshared keys 25-43
renaming 5-45
router platform policies 58-1
selecting policies to manage 5-10
sharing local 5-38
sharing multiple local policies 5-39
sharing with PRSM 69-11
Site-to-Site VPN Manager
managing 5-28
modifying assignments 5-46
site-to-site VPNs 24-8
specifying interfaces 6-70
specifying IP addresses 6-81
synchronizing among Security Manager servers 10-4
unassigning 5-33
unsharing 5-40
using global search to find specific policies 1-39
viewing discovery task status 5-21
VPN defaults 11-54
policy assignments
modifying in Device view 5-46
modifying in Policy view 5-51
modifying in Site-to-Site VPN Manager 5-46
overview 1-18
policy bundles
cloning 5-55
creating 5-54
managing 5-53
renaming 5-55, 5-56
Policy Bundle view
cloning policy bundles 5-55
creating policy bundles 5-54
renaming policy bundles 5-55, 5-56
Policy Bundle View command 1-30
policy discovery
AAA commands not displayed in AAA policy 5-27
ACL naming conventions 12-5
ACLs 5-14
Catalyst devices 5-13
Catalyst switches and 7600 Series routers 65-1
Cisco IOS routers 5-13, 58-3
frequently asked questions 5-25
IPS devices 5-13
network masks 6-76
object groups 5-14
on existing devices 5-15
overview 1-18
policy objects 5-14
preserving ACL names 12-4
resolving ACL naming conflicts 12-6
security contexts 5-13
understanding 5-12
viewing task status 5-21
VPNs 5-12
web VPN restrictions 3-8
Policy Discovery Status command 1-32
Policy Discovery Status page 5-23
Policy Dynamic Translation Rule
PIX/ASA/FWSM 23-23
add/edit 23-24
policy management
Settings page 11-46
Policy Management page 11-46
policy maps
understanding 6-72
Policy menu
command reference 1-30
Policy Object Manager
field reference 6-4
shortcut menu 6-8
undocking and docking the window 6-8
Policy Object Manager window
creating overrides 6-19
deleting overrides 6-21
Policy Object Overrides window 6-20
policy objects
AAA server
HTTP-FORM settings 6-41
Kerberos settings 6-36
LDAP settings 6-37
NT settings 6-40
RADIUS settings 6-32
SDI settings 6-40
TACACS+ settings 6-35
AAA server groups
attributes 6-46
creating 6-45
default server groups on IOS devices 6-28
predefined authentication groups 6-28
understanding 6-24
AAA servers
creating 6-29
supported additional types for ASA/PIX/FWSM 6-26
supported types 6-25
understanding 6-24
access control lists
creating 6-49
extended objects 6-50
standard objects 6-51, 6-54
web objects 6-52
ASA group policies
client configuration settings 33-4
client firewall attributes 33-5
connection settings 33-22
DNS/WINS settings 33-20
hardware client attributes 33-7
IPSec settings 33-8
split tunneling settings 33-21
SSL VPN clientless settings 33-10
SSL VPN full client settings 33-13
SSL VPN settings 33-17
technology settings 33-1
basic procedures 6-9
categories, using 6-12
changes in Security Manager 4.4 1-9
Cisco Secure Desktop configuration
creating 32-18
class map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
cloning (duplicating) 6-13
configuring for remote access VPN 33-1
connection with policy management 5-7
creating 6-9
credentials
attributes 27-9
DCE/RPC policy map
properties 17-27
deleting 6-16
DNS policy map
properties 17-28
editing 6-12
ESMTP policy map
properties 17-34
exporting 6-21
file objects
attributes 33-25
selecting 33-27
FlexConfig
creating text objects 7-31
properties 7-29
property selector 7-33
undefined variables 7-32
FlexConfigs
adding to policies 7-34
changing order in policies 7-34
changing variable values 7-34
configuring 7-24
configuring AAA for administrative introducers 60-84
creating 7-27
previewing CLI 7-34
removing from policies 7-34
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-37
generating usage reports 6-14
GTP policy map
properties 17-40
H.323 (ASA/PIX/FWSM) policy map
properties 17-45
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-50
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-58
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 25-10
v2 properties 25-13
IM (ASA7.2+/PIX7.2+) policy map
properties 17-64
IM (IOS) policy map
properties 17-67
importing 6-21
Inspect parameter map
properties 21-29
interface roles
creating 6-68
understanding 6-67
IP Options policy map
properties 17-68
IPsec Pass Through policy map
properties 17-74
IPSec transform sets
attributes 25-25
understanding 25-19
IPv6 policy map
properties 17-70
LDAP attribute map objects
attributes 6-43
Local Web Filter parameter map
properties 21-37
managing 6-1
maps
understanding 6-72
N2H2 parameter map
properties 21-38
NetBIOS policy map
properties 17-75
network/host
optimizing when deploying firewall rules 12-35
understanding 6-74
using in Event Viewer filters 66-59
network/host objects
naming when provisioned as object groups 6-92
networks/hosts
creating 6-76
unspecified value objects 6-80
object selectors 6-2
overrides 3-49
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-18
deleting 6-21
managing 6-17
understanding 6-17
overview 1-18
parameter map
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
PKI enrollments
defining CA server properties 25-55
defining certificate attributes 25-61
defining enrollment parameters 25-59
defining trusted CA hierarchy 25-62
properties 25-54
policy discovery 5-14
policy map
creating for inspection rules 17-21
creating for zone-based firewall content filtering 21-35
creating for zone-based firewall inspection 21-15
pools
understanding 6-83
port forwarding lists
properties 33-28
port list objects
naming when provisioned as object groups 6-92
port lists
creating 6-86
properties 6-87
Protocol Info parameter map
properties 21-32
provisioning as object groups 6-91
regular expression group policy map
properties 17-85
regular expression objects
metacharacters 17-87
regular expression policy map
properties 17-86
security group
creating 14-12
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-92
provisioning as object groups 6-92
services
creating 6-86
Settings page 11-48
sharing with PRSM 69-11
single sign-on server
properties 33-30
SIP (ASA/PIX/FWSM) policy map
properties 17-77
Skinny policy map
properties 17-81
SLA monitors
attributes 50-9
configuring 50-8
understanding 50-7
SNMP policy map
properties 17-84
SSL VPN bookmark
configuring 30-70
post URL method and macro substitutions 30-72
SSL VPN Customization
configuring 30-66
creating custom Logon page 30-70
localizing 30-68
SSL VPN gateway
properties 33-50
SSL VPN smart tunnel auto sign-on lists
attributes 33-55
SSL VPN smart tunnel lists
attributes 33-52
configuring 30-73
TCP Map policy map
properties 56-20
text
creating 7-31
time ranges
attributes for recurring ranges 6-67
configuring 6-66
traffic flow
default inspection traffic 56-18
properties 56-16
Trend parameter map
properties 21-41
TrustSec security group
selecting 14-13
URLF Glob parameter map
properties 21-44
URLF Glob parameter maps
metacharacters 21-45
URL Filter parameter map
properties 21-42
user groups
advanced PIX 6.3 settings 33-66
browser proxy settings 33-72
clientless settings 33-67
client VPN software update (IOS) settings 33-65
DNS/WINS settings 33-61
general settings 33-60
IOS client settings 33-63
IOS Xauth settings 33-64
split tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN connection settings 33-73
SSL VPN full tunnel settings 33-69
SSL VPN split tunneling settings 33-70
technology settings 33-58
thin client settings 33-68
viewing details 6-14
Web Filter policy map
properties 21-46
Websense parameter map
properties 21-38
WINS server lists
attributes 33-74
creating 30-76
Policy Objects command 1-32
policy objects interface
Interface Role dialog box 6-69
SSL VPN Bookmark Entry dialog box 33-33
SSL VPN bookmarks
Add or Edit Bookmarks dialog boxes 33-32
Post Parameters dialog box 33-36
Policy Objects page 11-48
policy query
example report 12-34
generating reports 12-28
interpreting report results 12-32
Querying Device or Policy dialog box 12-29
Policy Query Results dialog box 12-32
Policy view
Assignments tab 5-51
creating shared policies 5-51
deleting shared policies 5-53
filtering shared policy selector 1-42
modifying assignments 5-51
overview 1-14
selectors 5-49
Shared Policy selector options 5-50
understanding 5-47
Policy View command 1-30
pool objects
understanding 6-83
POP3
configuring for inspection rules 17-19
POP3 class map objects
creating 21-15
match criteria 21-23
POP3 policy map objects
creating 21-15
match conditions and actions 21-34
port application mapping
see PAM 21-65
port forwarding list objects
properties 33-28
port list objects
creating 6-86
naming when provisioned as object groups 6-92
properties 6-87
ports
ASA 5505
configure 45-39
Posture ACL dialog box 35-26
PPP dialog box
MLP tab 59-79
PPP tab 59-77
PPPoE Users 45-44
pre-provisioning devices 3-25
preshared keys
aggressive mode negotiation 25-44
compared to certificates 25-8
configuring policies for IKEv1 site-to-site VPNs 25-44
FQDN (fully qualified domain name) negotiation 25-44
main mode address negotiation 25-43
understanding 25-43
Preview Configuration command 1-33
Prime Security Manager
see PRSM 69-9
Prime Security Manager command 1-35
print
Report Manager reports 67-23
Print command 1-29
priority queues
PIX/ASA/FWSM
configuration 56-4
page 56-4
Product Authorization Key (PAK) 10-16
productivity categories for Trend class maps 21-19
properties
changes with policy effects 3-51
changing critical device 3-50
image version changes with no policy effects 3-50
understanding device 3-6
viewing or changing device 3-39
Property Selector dialog box 7-33
protected networks
defining in GET VPN topologies 24-56
defining in VPN topologies 24-33
Protected Networks tab 24-44
Protocol Independent Multicast 53-11
Protocol Info parameter map objects
properties 21-32
Protocol Info Parameters map object
creating 21-15
Protocol Map dialog box 40-12
protocols
selecting for inspection 17-3
Protocol tab
IGMP 53-3
proxies
defining HTTP/HTTPS for SSL VPN (ASA) 30-47
proxy ARP
enabling on IOS routers 59-19
proxy bypass rules
defining HTTP/HTTPS for SSL VPN (ASA) 30-47
proxy server
configuring HTTP for IPS global correlation 35-23
PRSM
sharing
devices 69-11
policy objects 69-11
starting from Security Manager 69-9
public key infrastructure (PKI) policies
compared to certificates 25-8
configuring for remote access VPNs 25-52
configuring for site-to-site VPNs 25-50
PVC Advanced Settings dialog box
OAM-PVC tab 59-68
OAM tab 59-66
PVC dialog box
Protocol tab 59-63
QoS tab 59-60
Settings tab 59-57
PVC policies
unable to deploy 9-15
Q
QoS
MPC rule wizard
tab 56-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 56-5
QoS Class dialog box 63-23
Edit ACLs dialog box 63-25
Marking tab 63-26
Matching tab 63-24
Policing tab 63-29
Queuing and Congestion Avoidance tab 63-27
Shaping tab 63-31
QoS queuing
default class 63-6
defining for classes 63-16
tail drop vs. WRED 63-4
understanding 63-4
understanding LLQ 63-5
quality of service (QoS)
CEF requirements 63-2
defining on control plane 63-12
defining on interfaces 63-10
defining policies 63-10
on Cisco IOS routers 63-1
QoS Class dialog box 63-23
QoS Policy dialog box 63-21
Quality of Service Policy page 63-19
understanding
Control Plane Policing 63-9
default class queuing 63-6
low-latency queuing 63-5
marking parameters 63-3
matching parameters 63-2
policing parameters 63-6
queuing parameters 63-4
shaping parameters 63-6
tail drop and WRED 63-4
token-bucket mechanism 63-7
quality of service (QoS) classes
defining marking parameters 63-15
defining matching parameters 63-13
defining policing parameters 63-17
defining queuing parameters 63-16
defining shaping parameters 63-18
query
CS-MARS
access rule events 69-28
IPS signature events 69-30
looking up policies based on related events 69-31
overview 69-27
troubleshooting 69-26
Event Viewer
looking up policies based on related events 66-48
Querying Device or Policy dialog box 12-29
quick filter
searching for events 66-44
R
RADIUS
description 6-25
settings in AAA server objects 6-32
RAM
Image Manager 70-15
rate limiting, IPS 42-4
Real-time Log Viewer 69-7
recovery
event data store 66-32
Recurring Ranges dialog box 6-67
Redeploy a Job dialog box 8-49
Redeploying Licenses dialog box 11-44
rediscovering
remote access VPNs 29-12
rediscovering site-to-site VPNs 24-26
Rediscover VPN Policies wizard 24-26
redundant interfaces 45-7
red X in device selector, troubleshooting 9-8
Refresh Map command 1-31
regular expression group objects
properties 17-85
regular expression objects
metacharacters 17-87
properties 17-86
regular IPsec
mandatory and optional policies 24-6
supported platforms 24-9
supported platforms for remote access VPNs 29-8
Reject Activity command 1-34
Reject Activity dialog box 4-21
Reject Deployment Job dialog box 8-21, 8-39
remote access
user
logging off 68-26
remote access VPN
system variables 7-18
Remote Access VPN Configuration wizard
IPsec VPN
Defaults page 29-29
IPsec Settings page (ASA) 29-28
IPsec VPN Connection Profile page (ASA) 29-27
User Groups page 29-35
IPsec VPNs
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
SSL VPN
Access page (ASA) 29-15
Connection Profile page (ASA) 29-16
Gateway and Context Page (IOS) 29-32
Portal Page Customization Page (IOS) 29-34
SSL VPNs
creating on ASA devices 29-14
creating on IOS devices 29-31
using 29-13
remote access VPNs
ASA devices
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
configuring using wizard 29-13
device support 29-8
discovering 29-12
IOS devices
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
IPsec 30-28
access policies for IKEv2 (ASA), configuring 30-40
access policies for IKEv2 (ASA), reference 30-37
access policies for IKEv2 (ASA), understanding 30-36
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1) 30-29
cluster load balancing 30-4, 30-5
configuring IKE and IPsec policies 25-1
connection profiles 30-6
connection profiles (ASA, PIX 7+) 30-8
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
Dynamic VTI/VRF Aware IPsec settings 32-7
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
high availability policies 32-11
IKE proposals 25-9
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
NAT settings 25-38
policy overview 29-9
policy overview (ASA, PIX 7.0+) 30-2
policy overview (IOS, PIX 6.3) 32-2
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
understanding 29-2
understanding IKE 25-5
understanding NAT settings 25-37
user group policies for IOS, PIX 6.3 32-13
VPNSM, VPN SPA, VSPA settings 32-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring for ASA and PIX 7.0+ devices 30-33
configuring for IOS and PIX 6.3 devices 32-3
managing 29-1
managing (ASA, PIX 7.0+) 30-1
managing (IOS, PIX 6.3) 32-1
rediscovering 29-12
SSL 30-36
access modes 29-4
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
advanced settings (ASA) 30-61
AnyConnect client image settings (ASA) 30-55
AnyConnect client settings (ASA) 30-52, 30-53
AnyConnect custom attributes(ASA) 30-59, 30-60
browser plug-ins (ASA) 30-50
cluster load balancing 30-4, 30-5
configuring HTTP/HTTPS proxies and proxy bypass(ASA) 30-47
connection profiles 30-6
connection profiles (ASA) 30-8
content rewrite rules (ASA) 30-43
Context Editor dialog box (IOS) 32-15, 32-16
creating on ASA 29-14
creating on IOS devices 29-31
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
encoding rules (ASA) 30-45
example 29-3
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
Kerberos Constrained Delegation (KCD on ASA) 30-56, 30-58
limitations 29-7
managing support files 29-5
NAT settings 25-38
other settings (ASA) 30-41
performance settings (ASA) 30-42
policies (IOS) 32-14
policy overview 29-9
policy overview (ASA, PIX 7.0+) 30-2
policy overview (IOS, PIX 6.3) 32-2
prerequisites 29-7
proxy bypass rules (ASA) 30-49
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
server certificate verification (ASA) 30-25, 30-26, 30-27, 30-61
shared license (ASA) 30-62
shared license clients (ASA) 30-64
shared license servers (ASA) 30-65
understanding 29-2
understanding NAT settings 25-37
wizard 29-13
understanding 29-1
Remote Detection Indication (RDI) cells 59-50
Rename Policy Bundle dialog box 5-55, 5-56
Rename Policy command 1-30
Rename Policy dialog box 5-45
Rendezvous Point
PIX/ASA/FWSM
add/edit 53-16
Rendezvous Points
PIM 53-15
Report Manager
arranging window 67-25
closing 67-26
configuring default settings 67-24
configuring devices to provide reports 67-3
configuring Event Manager service 66-27
configuring schedules 67-28
creating custom reports 67-20
deleting another user’s custom reports 67-27
deleting reports 67-27
deleting schedules 67-31
disabling schedules 67-30
editing report settings 67-21
enabling schedules 67-30
examples of analysis
monitoring botnet activity 66-55
exporting reports 67-23
generated report pane and toolbar 67-11
generating reports 67-18
managing custom reports 67-27
opening reports 67-18
overview 67-1, 67-6
printing reports 67-23
renaming reports 67-26
report list 67-9
report settings 67-10
saving reports 67-25
scheduling reports 67-27
troubleshooting 67-31
understanding 67-1
understanding access control 67-5
understanding data aggregation 67-4
understanding predefined reports
firewall summary botnet reports 67-14
firewall traffic reports 67-13
general IPS reports 67-17
general VPN reports 67-16
IPS top reports 67-16
overview 67-13
VPN top reports 67-15
using 67-18
viewing schedule results 67-30
viewing schedules 67-28
Report Manager command 1-35
reports
arranging windows 67-25
closing 67-26
configuring default settings for reports 67-24
configuring devices for Report Manager reporting 67-3
configuring schedules 67-28
creating custom 67-20
deleting 67-27
deleting another user’s in Report Manager 67-27
deleting schedules 67-31
deployment status 10-28
disabling schedules 67-30
discovery status 10-28
editing settings 67-21
enabling schedules 67-30
example policy query 12-34
exporting 67-23
generating 67-18
generating access rule analysis 16-31
generating policy query 12-28
interpreting policy query 12-32
managing 67-1
managing custom 67-27
opening 67-18
overview of available types 67-2
predefined Report Manager
firewall summary botnet reports 67-14
firewall traffic reports 67-13
general IPS reports 67-17
general VPN reports 67-16
IPS top reports 67-16
overview 67-13
VPN top reports 67-15
printing 67-23
renaming 67-26
Report Manager
generated report pane and toolbar 67-11
overview 67-6
report list 67-9
report settings 67-10
saving 67-25
scheduling in Report Manager 67-27
understanding Report Manager 67-1
understanding Report Manager access control 67-5
understanding Report Manager data aggregation 67-4
using Report Manager 67-18
viewing schedule results 67-30
viewing schedules 67-28
reputation
configuring global correlation 41-5
understanding IPS global correlation 41-2
Request Filter
PIM 53-18
Resources
FWSM 50-3
add/edit 50-3
managing 50-2
restorebackup.pl command 10-26
restore database 10-26
Resume Deployment Schedule dialog box 8-21, 8-55
retry count
device communication 11-17
reverse route injection 25-20
RIP
PIX/ASA/FWSM 54-40
(PIX/ASA 6.3–7.1, FWSM) 54-41
(PIX/ASA 6.3–7.1, FWSM) configuration 54-41
(PIX/ASA 7.2+) 54-42
(PIX/ASA 7.2+) Filtering 54-46
(PIX/ASA 7.2+) Filtering configuration 54-47
(PIX/ASA 7.2+) Interface 54-47
(PIX/ASA 7.2+) Interface configuration 54-48
(PIX/ASA 7.2+) Redistribution 54-45
(PIX/ASA 7.2+) Redistribution configuration 54-45
(PIX/ASA 7.2+) Setup 54-43
RIP routing
Cisco IOS routers
Authentication dialog box 64-47
Authentication tab 64-46
defining interface authentication 64-43
defining setup parameters 64-42
overview 64-42
redistributing routes 64-44
Redistribution Mapping dialog box 64-49
Redistribution tab 64-48
RIP Routing Policy page 64-45
Setup tab 64-45
roles, IPS user 35-13
rollback
archived configuration files 8-66
last deployed configuration 8-65
when deploying to file 8-67
Rollback a Job dialog box 8-65
round robin allocation
PAT 23-40
routed ports
Create and Edit Interface dialog boxes-Routed Port mode 65-12
understanding 65-5
Router Block Interface dialog box 42-15
Router Device dialog box 42-14
router platform interface
802.1x Policy page 61-5
AAA policy
AAA Policy page 60-6
Accounting tab 60-10
Authentication tab 60-6
Authorization tab 60-7
Command Accounting dialog box 60-12
Command Authorization dialog box 60-9
accounts and credentials policy
Accounts and Credentials Policy page 60-15
User Accounts dialog box 60-17
ADSL policy
ADSL Policy page 59-36
ADSL Settings dialog box 59-37
advanced interface settings policy
Advanced Interface Settings dialog box 59-16
Advanced Interface Settings page 59-15
BGP policy
BGP Neighbors dialog box 64-6
BGP Redistribution tab 64-6
BGP Routing Policy page 64-4
BGP Setup tab 64-4
Redistribution Mapping dialog box 64-7
bridging policy
Bridge Group dialog box 60-21
Bridging Policy page 60-20
CEF interface policy 59-25
CEF Interface Settings dialog box 59-26
Clock Policy page 60-23
console policy
AAA tab 60-44
Accounting tab 60-47
Authentication tab 60-44
Authorization tab 60-45
Command Accounting dialog box 60-61
Command Authorization dialog box 60-60
Console Policy page 60-42
Setup tab 60-42
CPU Policy page 60-26
DHCP policy
DHCP Database dialog box 60-94
DHCP Policy page 60-92
IP Pool dialog box 60-94
dialer interface policy
Dialer Physical Interface dialog box 59-32
Dialer Policy page 59-30
Dialer Profile dialog box 59-31
DNS policy
IP Host dialog box 60-76
DNS Policy page 60-76
EIGRP policy
EIGRP Routing Policy page 64-13
Interface dialog box 64-16
Interfaces tab 64-15
Redistribution Mapping dialog box 64-18
Redistribution tab 64-17
Setup dialog box 64-14
Setup tab 64-13
Hostname Policy page 60-78
HTTP policy
AAA tab 60-32
Command Authorization Override dialog box 60-34
HTTP Policy page 60-31
Setup tab 60-31
interfaces policy
Create Router Interface dialog box 59-8
Interface Auto Name Generator dialog box 59-12
Router Interfaces page 59-7
IPS interface policy
IPS Monitoring Information dialog box 59-23
IPS Module interface policy
IPS Module Interface Policy Page 59-22
logging policy
Syslog Server dialog box 62-11
logging setup policy
Logging Setup Policy page 62-7
Memory Policy page 60-79
NAC policy
Identities tab 61-18
Identity Action dialog box 61-19
Identity Profile dialog box 61-19
Interface Configuration dialog box 61-17
Interfaces tab 61-16
NAC Policy page 61-14
Setup tab 61-14
NAT policy
Dynamic Rule dialog box 23-11
Interface Specification tab 23-6
Static Rule dialog box 23-7
Static Rules tab 23-6
NetFlow policy 62-5, 62-12
NTP policy
NTP Policy page 60-98
NTP Server dialog box 60-99
OSPF policy
Area dialog box 64-37
Area tab 64-36
Interface dialog box 64-31
Max Prefix Mapping dialog box 64-41
OSPF Interface Policy page 64-30
OSPF Process Policy page 64-34
Redistribution Mapping dialog box 64-39
Redistribution tab 64-38
Setup dialog box 64-35
Setup tab 64-35
PPP/MLP policy
PPP/MLP Policy page 59-75
PPP dialog box 59-76
PVC policy
Define Mapping dialog box 59-64
PVC Advanced Settings dialog box 59-65
PVC dialog box 59-55
PVC Policy page 59-54
QoS policy
QoS Class dialog box 63-23
QoS Policy dialog box 63-21
Quality of Service Policy page 63-19
RIP policy
Authentication dialog box 64-47
Authentication tab 64-46
Redistribution Mapping dialog box 64-49
Redistribution tab 64-48
RIP Routing Policy page 64-45
Setup tab 64-45
Secure Device Provisioning Policy page 60-85
Secure Shell Policy page 60-64
SHDSL policy
Controller Auto Name Generator dialog box 59-45
SHDSL Controller dialog box 59-42
SHDSL Policy page 59-41
SNMP policy
Permission dialog box 60-70
SNMP Policy page 60-69
SNMP Traps dialog box 60-72
Trap Receiver dialog box 60-71
static routing policy
Static Routing dialog box 64-52
Static Routing Policy page 64-51
syslog servers policy
Syslog Servers Policy page 62-10
VTY policy
Command Accounting dialog box 60-61
Command Authorization dialog box 60-60
VTY Line dialog box 60-51
VTY Policy page 60-50
router platform policies
Device Admin policies
AAA 60-2
accounts and credentials 60-13
CPU settings 60-25
DHCP 60-87
DNS 60-74
host and domain names 60-77
HTTP 60-28
line access 60-35
memory settings 60-78
optional SSH settings 60-63
Secure Device Provisioning (SDP) 60-81
SNMP 60-66
time zone settings 60-22
transparent bridging 60-18
Identity policies
802.1x 61-1
Network Admission Control (NAC) 61-8
Interface policies
ADSL 59-33
advanced settings 59-13
basic settings 59-1
dialer interfaces 59-27
PPP 59-70
PVC 59-46
SHDSL 59-40
Logging policies 62-1
NAT 23-5
dynamic rules 23-10
static rules 23-6
timeouts 23-13
NetFlow policies 62-1
Network Time Protocol (NTP) 60-96
quality of service (QoS) 63-1
Routing policies
BGP routing 64-1
EIGRP routing 64-8
OSPF routing 64-19
RIP routing 64-42
static routing 64-50
routers
adding SSL thumbprints manually 9-4
CEF interface settings policies 59-24
Cisco Discovery Protocol (CDP) settings 59-18
CNS call-home mode 2-9
CNS event-bus mode 2-8
communication requirements 2-1
configuring SSH 2-6
default transport protocol for 12.1 and 12.2 11-18
default transport protocol for 12.3 and above 11-18
deploying configurations using TMS 8-43
enabling directed broadcasts 59-20
enabling Maintenance Operation Protocol (MOP) 59-19
enabling NBAR protocol discovery 59-19
enabling proxy ARP 59-19
enabling unicast reverse path forwarding (RPF) 59-20
enabling virtual fragment reassembly (VFR) 59-19
FlexConfig object samples 7-23
generating interface names 59-4
ICMP message settings 59-18
IPS Module interface settings policies 59-22
licenses 2-12
mixing deployment methods 9-13
selecting policy types to manage 5-10
setting up SSL (HTTPS) 2-4
SSL certificate configuration 11-18
system variables 7-13
troubleshooting deployment 9-14
Route Tree
PIM 53-17
routing
PIX/ASA/FWSM
about OSPF 54-2
about OSPFv3 54-22
authentication 54-2
configuring on 54-1
configuring static routes 54-48
IPv6 Static Route configuration 54-50
No Proxy ARP 54-1
OSPF 54-2
OSPF - advanced settings 54-4
OSPF - Area/Area networks 54-7
OSPF - Area Range 54-9
OSPF - Area tab 54-6
OSPF - Filtering configuration 54-16
OSPF - Filtering tab 54-15
OSPF - General tab 54-3
OSPF - Interface configuration 54-20
OSPF - Interface tab 54-18
OSPF - Neighbors tab 54-10
OSPF - Range tab 54-8
OSPF - Redistribution rule 54-11
OSPF - Redistribution tab 54-11
OSPF - static neighbor 54-10
OSPF - Summary Address configuration 54-18
OSPF - Summary Address tab 54-17
OSPFv3 54-22
OSPFv3 - advanced settings 54-25
OSPFv3 - Area/Area networks 54-29
OSPFv3 - Area Range 54-30
OSPFv3 - Area tab 54-28
OSPFv3 - Interface configuration 54-35
OSPFv3 - Interface tab 54-34
OSPFv3 - Process tab 54-24
OSPFv3 - Redistribution rule 54-32
OSPFv3 - static neighbor 54-38
OSPFv3 - Summary Prefix configuration 54-34
OSPFv3 - Virtual Link configuration 54-31
OSPF - Virtual Link configuration 54-13
OSPF - Virtual Link MD5 configuration 54-15
OSPF - Virtual Link tab 54-13
RIP (PIX/ASA 6.3–7.1, FWSM) 54-41
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 54-41
RIP (PIX/ASA 7.2+) 54-42
RIP (PIX/ASA 7.2+) Filtering 54-46
RIP (PIX/ASA 7.2+) Filtering configuration 54-47
RIP (PIX/ASA 7.2+) Interface 54-47
RIP (PIX/ASA 7.2+) Interface configuration 54-48
RIP (PIX/ASA 7.2+) Redistribution 54-45
RIP (PIX/ASA 7.2+) Redistribution configuration 54-45
RIP (PIX/ASA 7.2+) Setup 54-43
RIP page 54-40
Static Route configuration 54-49
VPNs with routing processes 9-13
routing redistribution
BGP Redistribution Mapping dialog box 64-7
BGP Redistribution tab 64-6
EIGRP Redistribution Mapping dialog box 64-18
EIGRP Redistribution tab 64-17
into BGP 64-3
into EIGRP 64-12
into OSPF 64-22
into RIP 64-44
OSPF Max Prefix Mapping dialog box 64-41
OSPF Process Redistribution tab 64-38
OSPF Redistribution Mapping dialog box 64-39
RIP Redistribution Mapping dialog box 64-49
RIP Redistribution tab 64-48
RPC
configuring for inspection rules 17-20
RSA keys
generating, synchronizing for GET VPN 28-13
Rule Analysis Detail Report
generating 16-31
Rule Combiner Results dialog box 12-25
rule expiration
configuring for access rules 16-19
Rule Expiration page 11-49
rules
default 5-5
mandatory 5-5
rules tables
adding rules 12-9
columns and headings 1-46
commands, Edit menu 1-29
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-45
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-7
rule tables
moving rules 12-19
RX-Boot Mode Credentials dialog box 3-46
S
Save As command (Report Manager) 67-8
Save command 1-28
Save command (Report Manager) 67-8
Save Map As command 1-31
Save Map As dialog box 34-10
Save Map command 1-31
ScanSafe Web Security Settings 20-6
scenarios
creating FlexConfigs 7-24
SCEP (Simple Certificate Enrollment Protocol)
CA server authentication 25-47
Schedule dialog box 8-53
schedules
configuring in Report Manager 67-28
deleting in Report Manager 67-31
disabling in Report Manager 67-30
enabling in Report Manager 67-30
reports in Report Manager 67-27
viewing in Report Manager 67-28
viewing results in Report Manager 67-30
schedules, deployment
changes not deployed 8-52
creating or editing 8-52
including devices 8-8
suspending or resuming 8-55
viewing status and history 8-27
scripting language
examples
looping 7-3
looping with if/else statements 7-4
looping with two-dimensional arrays 7-3
FlexConfig objects 7-3
SDEE
subscriptions for IOS IPS 44-7
SDI
settings in AAA server objects 6-40
SDM
access rule look-up 69-8
device manager 69-5
searching for items 1-39
Secondary Interface Specific Authentication Server Groups dialog box 30-13
secure desktop manager policies
configuring 31-8
Secure Device Provisioning (SDP)
configuring AAA for administrative introducers 60-84
contents of bootstrap 60-82
defining policies 60-83
Secure Device Provisioning page 60-85
understanding
introducers 60-81
petitioners 60-81
registrars 60-81
TTI 60-81
workflow 60-82
SecureID servers (SDI)
description 6-26
Secure Shell
PIX/ASA/FWSM
add/edit SSH host 48-6
Secure Shell (SSH)
Cisco IOS routers
defining optional settings 60-63
optional settings overview 60-63
Secure Shell Policy page 60-64
PIX/ASA/FWSM 48-5
security associations
GET VPN
using passive mode during migration 28-23
security certificate
invalid during discovery 9-6
security context
Failover page 49-25
security contexts
adding to failover group 2 49-7
admin context
overview 57-1
configuring multiple 57-2
configuring on firewall devices 57-1
deleting FWSM 57-4
discovering policies 5-13
FWSM 57-5
configuration 57-5
managing Resources 50-2
Resources 50-3
PIX/ASA
allocate interfaces 57-8
configuration 57-7
viewing allocated interfaces 57-9
PIX/ASA/FWSM
enabling multi-context mode 57-1
managing 57-4
restoring single-context mode 57-1
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions 8-61
rollback restrictions for failover devices 8-61
showing containment 3-53
security group aware firewall policies
configuring ISE settings 11-40
security group-aware firewall policies
configuring 14-7
managing 14-1
overview 14-1
security group objects
creating 14-12
security guidelines
obtaining 1-2
Security Manager
access by CS-MARS 69-23
applications overview 1-6
archiving (backing up) the event data store 66-32
backing up and restoring database 10-24
Configuration Manager interface overview 1-12
configuring administrative settings 11-1
getting started 1-1
how permissions affect what you can do 1-10
initial configuration 1-23
installing client 1-11
integrating with Security Manager 69-21
integration with CS-MARS 69-22
logging into and exiting 1-11
managing the server 10-1
overview 1-1
recovering the event data store 66-32
reports overview 67-2
server cluster
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
server management and administration 10-1
using 1-12
Security Manager Administration command 1-34
Security Manager Diagnostics command 1-33
Security Manager Online command 1-36
security policies
PIX/ASA/FWSM 55-1
General configuration 55-3
General page 55-1
timeouts 55-4
security ratings for Trend class maps 21-19
see LACP 45-11
Select Address Pool
PIX/ASA/FWSM Platform 23-22
Select Interfaces dialog box 34-20
selectors
filtering items 1-42
using 1-42
selector trees
selecting items 1-42
Select Policy Object dialog box 34-18
Select VPN to Configure dialog box 34-22
self near-end crosstalk (SNEXT) 59-45
Self zone 21-5
sensors, IPS
allowed hosts 35-7
anomaly detection
configuring 40-6
configuring histograms 40-11
configuring learning accept mode 40-8
configuring signatures 40-4
configuring thresholds 40-11
detection zones 40-3
managing 40-1
modes 40-2
understanding 40-1
understanding histograms 40-9
understanding thresholds 40-9
understanding worms 40-2
when to turn off 40-4
blocking
configuring 42-7
configuring ARC 42-1
configuring blocking devices 42-14
configuring master blocking sensors 42-13
configuring never block hosts and networks 42-17
configuring router blocking interfaces 42-15
configuring user profiles 42-12
configuring VLAN blocking interfaces 42-16
general options 42-10
master blocking sensor 42-6
policy 42-8
rate limiting 42-4
router and switch blocking devices 42-4
strategies 42-3
understanding 42-1
capturing network traffic 35-2
certificates 43-10
configuration overview 35-5
configuration overview for IOS IPS 44-3
configuring AAA 35-19
configuring Analysis Engine global variables 35-26
configuring DNS servers 35-22
configuring HTTP proxy server 35-23
configuring NTP 35-21
configuring OS maps 39-18
configuring SNMP 35-8
configuring target value ratings 39-15
configuring the external product interface 35-23
configuring user accounts 35-16
deployment of passwords 35-15
deployment topology 35-4
discovery of passwords 35-15
event actions
example filter rule 66-58
filter rule attributes 39-9
filter rules 39-4, 39-7
filter rules tips 39-6
network information 39-14
overrides 39-13
overview 39-1
possible actions 39-2
process overview 39-1
settings 39-21
getting started 35-1
global correlation
configuring 41-1
configuring inspection and reputation 41-5
configuring network participation 41-7
data collected 41-3
requirements and limitations 41-4
understanding 41-1
understanding network participation 41-3
understanding reputation 41-2
interfaces
configuring 36-6
configuring bypass mode 36-12
configuring CDP mode 36-12
configuring inline interface pairs 36-13
configuring inline VLAN pairs 36-14
configuring physical 36-9
configuring VLAN groups 36-15
deploying VLAN groups 36-5
inline interface mode 36-3
inline VLAN pair mode 36-3
interfaces policy 36-6
managing interface configurations 36-1
physical interface properties 36-10
promiscuous mode 36-2
roles 36-1
sensing modes overview 36-2
understanding 36-1
viewing summary 36-8
VLAN group mode 36-4
IPS modules for ASA 56-14
licenses
automating 43-3
managing 43-1
redeploying 43-2
updating 43-1
managing 43-1
managing user accounts and passwords 35-13
monitoring
removing false positive IPS events 66-58
passive OS fingerprinting 39-17
password requirements 35-18
rebooting 43-11
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
configuring settings 38-27
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
inheritance 38-3
parameters list 38-21
policy 38-4
shortcut menu 38-7
understanding 38-1
viewing update level 38-9
traffic flow notifications 35-26
tuning recommendations 35-4
understanding managed and unmanaged passwords 35-14
understanding network sensing 35-1
understanding user roles 35-13
updates
automatically applying 43-6
checking for and downloading 43-5
configuring server 43-4
managing 43-4
manually applying 43-7
user account attributes 35-17
virtual sensors
advantages 37-3
assigning interfaces 37-4
attributes 37-7
configuring 37-1, 37-5
deleting 37-10
editing policies 37-9
identifying 37-5
inline TCP session tracking mode 37-3
Normalizer mode 37-4
renaming 37-8
restrictions 37-3
understanding 37-1
sensorupdate.properties 43-6
server
managing Security Manager 10-1
syslog
PIX/ASA/FWSM 52-16, 52-21
server, IPS update 43-4
server, Security Manager
configuring administrative settings 11-1
managing or administrating 10-1
Server Access
PIX/ASA/FWSM 51-1
AUS, add/edit server 51-3
AUS page 51-1
DDNS interface rule 51-18
DDNS page 51-17
DDNS update methods 51-18
DDNS update methods, add/edit 51-19
DHCP Relay, add/edit agent 51-5
DHCP Relay, add/edit server 51-6
DHCP Relay page 51-5
DHCP Server, add/edit 51-11
DHCP Server, advanced configuration 51-12
DHCP Server, options 51-13
DHCP Server page 51-10
DHCPv6 Relay, add/edit agent 51-8
DHCPv6 Relay, add/edit server 51-9
DHCPv6 Relay page 51-7
DNS page 51-13
DNS server, add 51-16
DNS server group 51-15
NTP page 51-19
NTP server configuration 51-20
SMTP page 51-21
TFTP server page 51-22
server cluster, Security Manager
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
Server Load Balance page 26-17
server load balancing
configuring for large scale DMVPN 26-16, 26-17
server attributes in large scale DMVPN 26-17
Server Properties dialog box 3-36
Server Security Settings page 11-50
Service
ASA CX
Auth Proxy Configuration 56-16
PIX/ASA/FWSM
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules 56-5
IPS, QoS, and Connection Rules wizard 56-6, 56-8
policy wizard 56-6
priority queues 56-4
priority queues configuration 56-4
security group aware IPS, QoS, and Connection Rules 14-13
traffic class 56-7
service, Event Manager
configuring 66-27
managing 66-27
monitoring event store disk space 66-31
monitoring status 66-28
selecting devices to monitor 66-31
starting or stopping 66-27
status icon colors 66-28
service agreement contracts 10-16
Service Contents dialog box 12-14
Service Device Provisioning (SDP)
on Cisco IOS routers 60-81
Service Module Credentials dialog box 3-18
Service Modules
Catalyst
firewalls 45-1
service objects
creating 6-86
naming when provisioned as object groups 6-92
provisioning as object groups 6-92
Services dialog box 6-89
understanding 6-86
service policy
configuring identity-aware rules 13-21
configuring security group aware rules 14-13
Service Policy (MPC) Rule Wizard 56-6
Connection Settings tab 56-8
CSC tab 56-8
CXSC tab 56-8
IPS tab 56-8
QoS tab 56-8
User Statistics tab 56-8
service policy rules
configuring on firewall devices 56-1
services
specifying 6-86
Set Linked Map dialog box 34-13
Settings
ScanSafe 20-6
settings
device communications 9-4
Settings, Event Actions policy 39-21
settings, report
editing 67-21
Settings pages
Autolink 11-2
Configuration Archive 11-3
CS-MARS 11-4
Customize Desktop 11-6
Debug Options 11-8
Deployment 11-9
Device Communication 11-17
Device Groups 11-20
Discovery 11-21
Event Management 11-23
Health and Performance Monitor 11-26
Identity 11-27
Image Manager 11-29
ISE 11-40
Licensing 11-41
Logs 11-45
Policy Management 11-46
Policy Objects 11-48
Rule Expiration 11-49
Server Security 11-50
Take Over User Session 11-51
Ticket Management 11-52
Token Management 11-53
VPN Policy Defaults 11-54
Workflow 11-55
SHA hash algorithm 25-6
Share Device Policies command 1-30
shared license clients
configuring 30-64
shared license servers
configuring 30-65
shared policies
cloning (copying) 5-44
Device view
adding local rules to selected device 5-42
assigning to selected device 5-41
modifying 5-45
modifying assignments 5-46
policy banner 5-35
sharing local 5-38
sharing multiple local policies 5-39
unsharing 5-40
working with 5-34
exporting 10-11
exporting with device inventory 10-6
importing 10-13
inheriting policies 5-43
Policy Bundle view
cloning 5-55
creating 5-54
renaming 5-55, 5-56
Policy view
creating 5-51
deleting 5-53
managing 5-47
modifying assignments 5-51
renaming 5-45
Site-to-Site VPN Manager
assigning to selected device 5-41
modifying assignments 5-46
sharing local 5-38
unsharing 5-40
working with 5-34
synchronizing among Security Manager servers 10-4
Shared Policy Assignments dialog box 5-46
Share Policies wizard 5-39
Share Policy command 1-30
Share Policy dialog box 5-38
SHDSL
Controller Auto Name Generator dialog box 59-45
defining controllers 59-40
on Cisco IOS routers 59-40
SHDSL Controller dialog box 59-42
SHDSL Policy page 59-41
shortcut menu commands
policies in Device view and Site-to-Site VPN Manager 5-37
Show Containment command 1-33
Show Devices On Map command 1-31
Show Devices on Map dialog box 34-16
Show Navigation Window command 1-32
Show VPN Peers dialog box 34-22
Show VPNs On Map command 1-31
Show VPNs on Map dialog box 34-21
signatures
adding custom 38-16
cloning 38-18
configuring 38-4
configuring settings 38-27
defining 38-1
detailed information 38-2
editing 38-11
editing Meta engine component list 38-25
editing or tuning parameters 38-19
enabling or disabling 38-10
engines 38-17
exporting 38-6
finding from CS-MARS events 69-31
finding from Event Viewer events 66-48
inheritance 38-3
parameters list 38-21
policy 38-4
selecting category for Cisco IOS IPS 44-6
shortcut menu 38-7
tuning 66-58
tuning recommendations 35-4
understanding 38-1
updates
automatically applying 43-6
checking for and downloading 43-5
configuring server 43-4
managing 43-4
manually applying 43-7
viewing related CS-MARS events 69-30
viewing update level 38-9
Signature Settings page 38-27
Signatures page
overview 38-4
shortcut menu 38-7
Simple Network Management Protocol
see SNMP 48-7
single sign on server (SSO) objects
properties 33-30
SIP (ASA, PIX) class map objects
creating 17-21
SIP (ASA/PIX/FWSM) policy map objects
creating 17-21
properties 17-77
SIP (IOS) class map objects
creating 21-15
match criteria 21-24
SIP (IOS) policy map objects
creating 21-15
match conditions and actions 21-34
SIP class map objects
match criteria 17-79
SIP policy map objects
match conditions and actions 17-79
Site-to-Site VPN Manager
assigning shared policies 5-41
copying shared policies 5-44
managing policies 5-28
modifying policy assignments 5-46
policy banner 5-35
policy shortcut menu 5-37
renaming policies 5-45
sharing local policies 5-38
unassigning policies 5-33
understanding shared policies 5-34
unsharing policies 5-40
Site-to-Site VPN Manager window 24-18
Site-to-Site VPN policy page (Device view) 24-19
site-to-site VPNs
accessing topologies and policies 24-17
configuring global settings
configuring fragmentation settings 25-40
configuring IKEv2 settings 25-34
configuring ISAKMP/IPsec settings 25-30
configuring NAT settings 25-38
overview 25-29
understanding NAT settings 25-37
configuring IKE and IPsec policies 25-1
creating or editing Extranet VPN topologies 24-62
creating or editing VPN topologies 24-28
discovering 24-24
managing 24-1
rediscovering 24-26
repairing discovered VPNs with multiple spoke definitions 24-25
understanding discovery 24-19
understanding topologies 24-2
using device overrides to customize VPN policies 24-13
viewing summary of VPN configuration 24-58
Site-to-Site VPNs command 1-32
Skinny policy map objects
creating 17-21
match conditions and actions 17-83
properties 17-81
SLA monitor objects
attributes 50-9
configuring 50-8
understanding 50-7
Smartfilter (N2H2)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-35, 21-38, 21-40
Smart Tunnel Auto Signon Entry dialog box 33-56
Smart Tunnel Auto Signon Lists dialog box 33-55
smart tunnels
configuring for ASA SSL VPNs 30-73
SMTP
configuring for inspection rules 17-18
preventing DoS attacks using zone based firewall 21-25
preventing spam using zone based firewall 21-25
SMTP class map objects
creating 21-15
match criteria 21-25
SMTP policy map objects
creating 21-15
match conditions and actions 21-34
SMTP server
configuring 1-25
PIX/ASA/FWSM 51-21
SNEXT 59-45
SNMP
Cisco IOS routers
defining agent properties 60-67
enabling traps 60-68
overview 60-66
Permission dialog box 60-70
SNMP Policy page 60-69
SNMP Traps dialog box 60-72
Trap Receiver dialog box 60-71
configuring for HPM S2S polling 68-35
configuring for IPS sensors 35-8
configuring on firewall devices 48-7
IPS general options 35-10
IPS trap options 35-11
PIX/ASA/FWSM 48-8
host access 48-12
MIBs 48-7
OIDs 48-7
Trap configuration 48-9
terminology 48-8
SNMP Credentials dialog box 3-47
SNMP policy map objects
creating 17-21
properties 17-84
SNMP Trap Communication dialog box 35-12
SNMP Trap Communication tab, SNMP policy for IPS 35-11
socket read timeout
device communication 11-18
Software Application Support contracts 10-16
Source Contents dialog box 12-14
spam
blocking spam using zone-based firewall rules 21-25
spoke-to-spoke connections, DMVPN 26-10
spoofing, preventing 55-1, 55-3
spoofing attacks, preventing 17-4
SSH
configuring on IOS routers, Catalyst switches, Catalyst 6500/7600 devices 2-6
line ending conventions 2-5
preventing non-SSH connections 2-7
setting up 2-5
testing authentication 2-5
troubleshooting connections 9-7
SSL
handshake failure during deployment 2-2
remote access SSL VPNs
advanced settings (ASA) 30-61
AnyConnect client settings (ASA) 30-52, 30-53
browser plug-ins 30-50
content rewrite rules (ASA) 30-43
encoding rules (ASA) 30-45
Kerberos Constrained Delegation (KCD on ASA) 30-56, 30-58
proxy bypass rules (ASA) 30-49
remote access VPNs 30-36
access modes 29-4
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
AnyConnect client image settings (ASA) 30-55
AnyConnect custom attributes (ASA) 30-59, 30-60
cluster load balancing 30-4, 30-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 30-47
connection profiles 30-6
connection profiles (ASA) 30-8
Context Editor dialog box (IOS) 32-15, 32-16
creating on ASA 29-14
creating on IOS devices 29-31
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
example 29-3
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
limitations 29-7
managing support files 29-5
NAT settings 25-38
other settings (ASA) 30-41
performance settings (ASA) 30-42
policies (IOS) 32-14
prerequisites 29-7
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
server certificate verification (ASA) 30-25, 30-26, 30-27, 30-61
shared license clients (ASA) 30-64
shared licenses (ASA) 30-62
shared license servers (ASA) 30-65
understanding 29-2
understanding NAT settings 25-37
wizard 29-13
setting up 2-3
troubleshooting certificate errors 9-4
VPN
sharing connection profiles on ASAs 29-8
SSL authentication certificates
adding thumbprints manually 9-4
configuring default settings for how handled 11-18
SSL VPN
policy discovery restriction 3-8
SSL VPN Access page (ASA) 30-37
SSL VPN bookmark objects
configuring 30-70
post URL method and macro substitutions 30-72
SSL VPN Bookmarks objects
SSL VPN Bookmarks dialog box 33-33
SSL VPN Configuration wizard
Access page (ASA) 29-15
Connection Profile page (ASA) 29-16
Gateway and Context Page (IOS) 29-32
Portal Page Customization Page (IOS) 29-34
SSL VPN Customization objects
configuring 30-66
creating custom Logon page 30-70
localizing 30-68
SSL VPN gateway objects
properties 33-50
SSL VPN Other Settings page (ASA)
Advanced tab 30-61
Client Settings tab 30-53
Content Rewrite tab 30-43
Encoding tab 30-45
Microsoft KCD Server tab 30-56, 30-58
overview 30-41
Performance tab 30-42
Proxy tab 30-47
SSL Server Verification tab 30-25, 30-26, 30-27, 30-61
SSL VPN Policy page (IOS) 32-14
SSL VPNs
ASA devices
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
IOS devices
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
SSL VPN Shared License page (ASA) 30-62
SSL VPN smart tunnel auto sign-on list objects
attributes 33-55
SSL VPN smart tunnel list objects
attributes 33-52
configuring 30-73
stateful failover 49-3, 49-4
site-to-site VPN 24-50
stateless failover 49-3
states
activity 4-4
ticket 4-4
static crypto maps 25-18
Static Group tab (IGMP) 53-6
static NAT
Cisco IOS routers
disable automatic aliasing 23-7
disable payload 23-9
on Cisco IOS routers 23-6
static routes
configuring on firewall devices 54-48
PIX/ASA/FWSM
configuration 54-49
static routing
Cisco IOS routers
defining on 64-50
overview 64-50
Static Routing dialog box 64-52
Static Routing Policy page 64-51
Static Rule
PIX/ASA/FWSM 23-25
add/edit 23-26
status
activity 4-4
ticket 4-4
subinterfaces 45-7
specifying during policy definition 6-70
Submit Activity command 1-34
Submit Activity dialog box 4-20
Submit and Deploy command 1-28
Submit command 1-28
Submit Deployment Job dialog box 8-39
Submitted activity state 4-5
Submit Ticket command 1-35
Sun RPC class map objects
creating 21-15
match criteria 21-28
Sun RPC policy map objects
creating 21-15
match conditions and actions 21-34
support
obtaining 1-2
support, technical
creating diagnostic file 10-27
generating data 10-27
generating deployment or discovery status reports 10-28
generating partial database backup 10-29
Suspend Deployment Schedule dialog box 8-21, 8-55
switches
communication requirements 2-1
SYN flooding attacks, preventing 17-4
syslog
access rule look-up 69-6
deeply parsed for Event Viewer 66-6
logging
PIX/ASA/FWSM 52-1
message properties 66-16
syslog messages supported for policy lookup 69-32
syslogs
Cisco IOS routers 62-1
system variables
devices 7-7
firewall 7-9
FlexConfigs 7-7
remote access VPN 7-18
routers 7-13
VPN 7-14
T
tables
using 1-45
tables, rules
adding rules 12-9
columns and headings 1-46
commands, Edit menu 1-29
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-45
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-7
TACACS+
description 6-26
settings in AAA server objects 6-35
Take Over User Session page 11-51
Target Value Rating dialog box 39-16
Target Value Ratings, IPS Network Information policy 39-15
target value ratings (IPS) 39-15
task flow
deployment
non-Workflow mode 8-3
Workflow mode 8-5
taskflow 1-17
TCP Map objects
properties 56-20
TCP State Bypass
ASA/FWSM 56-3
Telnet
PIX/ASA/FWSM 48-13
configuration 48-14
text fields
ASCII limitations 1-46
finding text in multiple-line 1-47
navigating 1-47
using 1-46
text objects
creating 7-31
TFTP servers
PIX/ASA/FWSM 51-22
thin client access mode 29-4
thresholds
configuring anomaly detection 40-11
understanding anomaly detection 40-9
throughput
VPN user reports 67-15, 67-16
ticketing
overview 1-18
Ticket Management
settings 11-52
ticket management
comparing workflow modes 1-20
Ticket Manager window 4-10
tickets
closing 4-16
creating 4-14
discarding 4-22
multiple users 4-4
opening 4-15
states 4-4
Ticket Manager window 4-10
understanding 4-1
using global search to find specific tickets 1-39
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Tickets menu 1-34
tiered hub-and-spoke topologies 24-5
time
changing range for reports 67-21
timeouts
on firewall devices 55-4
timeouts (NAT)
Cisco IOS routers 23-13
Timeout Value
Firewall AAA 15-27
time range objects
attributes for recurring ranges 6-67
configuring 6-66
time slider (Event Viewer)
filtering with 66-40
using 66-23
time synchronization
on IOS routers 60-96
time zone settings
certificate errors 9-6
Cisco IOS routers
Clock Policy page 60-23
defining time zone and DST 60-22
overview 60-22
TMS
deploying configurations 8-43
deployment method 8-10
Token Management page 11-53
Token Management System (TMS)
settings 11-53
toolbar
activities 4-8, 4-9
toolbar reference
Configuration Manager 1-36
event table in Event Viewer 66-14
toolbars
Report Manager generated report 67-11
Report Manager report settings 67-10
Tools menu
Configuration Manager 1-33
Report Manager 67-8
Trace Route 69-14
TraceRoute 69-16
traffic class
PIX/ASA/FWSM
rules wizard 56-7
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
traffic encryption key (KEK), GET VPN 28-4
traffic flow notifications
configuring for IPS 35-26
traffic flow objects
default inspection traffic 56-18
properties 56-16
traffic match criteria 56-2
transcripts
viewing 8-56
Transcript Viewer window 8-58
transform sets
attributes 25-25
understanding 25-19
Translation Exemption (NAT-0 ACL) Rule
PIX/ASA/FWSM 23-19
add/edit 23-20
Translation Options
PIX/ASA/FWSM 23-15
Translation Rules
Add/Edit Per-Session NAT rules dialog boxes 23-46
ASA 8.3+ 23-32
Add/Edit NAT rules dialog boxes 23-35
per-session NAT rules 23-45
PIX/ASA/FWSM 23-18
transparent bridging
Cisco IOS routers
BVI interfaces 60-18
overview 60-18
defining bridge groups 60-19
transparent firewall
configuring on PIX/ASA/FWSM 46-1
NAT 23-15
transparent rules
adding or editing a rule 22-5
configuring 22-1
configuring DHCP passthrough for IOS devices 22-3
configuring in Map view 34-23
deleting 12-9
disabling 12-20
editing 12-9
editing the EtherType 22-6
editing the mask 22-7
enabling 12-20
managing 22-1
moving 12-19
Transparent Rules page 22-3
understanding processing order 12-2
Transparent Rules page 22-3
transport protocols
device defaults 11-18
overview of device requirements 2-1
transport settings
AUS 2-7
Configuration Engine 2-7
SSH 2-5
SSL (HTTPS) 2-3
traps, SNMP
configuring for IPS sensors 35-8
IPS options 35-11
trees
selecting items 1-42
Trend class map objects
creating 21-35
Trend parameter map objects
creating 21-35
properties 21-41
troubleshooting
AUS deployment 9-18
Catalyst switch and module deployment 9-15
Configuration Engine deployment 9-18
creating diagnostics file 10-27
CS-MARS queries 69-26
deleted FWSM contexts do not remove configuration files 57-4
deployment 9-9
device communication and deployment 9-1
device discovery failures 3-7
device managers 69-5
device managers, using 69-4
devices marked with red X in device selector 9-8
Event Manager service status 66-28
Event Viewer Unavailable message 11-23, 11-26, 66-27
FlexConfigs 7-37
FWSM multiple-context deployment failures 9-17
generating data for TAC 10-27
generating deployment or discovery status reports 10-28
GET VPN registration failure 28-9
global correlation (IPS) configuration 41-4
ignoring device errors during deployment 9-10
invalid certificate error 9-6
minimum memory errors for ASA 8.3+ 9-11
mixing deployment methods 9-13
Not able to connect to server message, Report Manager 67-31
online help, problems accessing 1-49
packet capture, using 69-18
packet tracer, using 69-12
policy objects not available in Event Viewer 66-59
preshared key policies in VPN not discovered 24-23
Report Manager 67-31
router connection failures 2-2
router deployment 9-14
Security Manager cannot contact device after deployment 9-12
SSL certificate errors 9-4, 9-6
user interface problems 1-48
VPN crypto traffic unexpectedly dropped on GET VPN interfaces 28-9
VPNs with routing processes 9-13
VRF-aware IPsec deployment failures on Catalyst 6500/7600 devices 24-17
trunk ports
Create and Edit Interface dialog boxes-Trunk Port mode 65-14
understanding 65-5
Trusted Transitive Introduction (TTI)
use in SDP policies 60-81
TrustSec
configuring ISE settings 11-40
security group objects
creating 14-12
TrustSec firewall policies
configuring 14-7
configuring rules 14-13
managing 14-1
TrustSec policies
monitoring 14-14
TrustSec security group objects
selecting 14-13
U
Unassign Policy command 1-30
Undock Map View command 1-32
unicast rekey in GET VPN 28-6
Unicast Reverse Path Forwarding 55-1, 55-3
unicast reverse path forwarding
enabling on routers 59-20
Unshare Policy command 1-30
Unspecified Bit Rate (UBR) 59-48
Unspecified Bit Rate Plus (UBR+) 59-48
Update Level dialog box 38-9
updating images on devices 70-18
Updating Licenses from File dialog box 11-44
Updating Licenses via CCO dialog box 11-44
URLF Glob parameter map objects
metacharacters 21-45
properties 21-44
URL Filter parameter map objects
creating 21-35
properties 21-42
usage reports
generating 6-14
user accounts
configuring IPS 35-16
configuring IPS password requirements 35-18
discovery and deployment of IPS 35-15
IPS account attributes 35-17
managing IPS device 35-13
PIX/ASA/FWSM 50-6
add/edit 50-7
rolling back configurations 8-60
understanding IPS user roles 35-13
understanding managed and unmanaged passwords 35-14
User Accounts policy, IPS devices 35-16
user group objects
advanced PIX 6.3 settings 33-66
browser proxy settings 33-72
clientless settings 33-67
client VPN software update (IOS) settings 33-65
DNS/WINS settings 33-61
general settings 33-60
IOS client settings 33-63
IOS Xauth settings 33-64
split tunneling settings (Easy VPN/remote access IPSec VPN) 33-62
SSL VPN connection settings 33-73
SSL VPN full tunnel settings 33-69
SSL VPN split tunneling settings 33-70
technology settings 33-58
thin client settings 33-68
user group policies
configuring for Easy VPN 27-14
configuring for remote access IPsec VPNs on IOS/PIX 6.3 32-13
User Group Policy page 32-13
user identity acquisition 13-2
user interface
applications overview 1-6
basic features 1-27
dialog box too big for screen 1-49
freezing 1-48
how permissions affect what you can do 1-10
Java errors 1-48
maps toolbar reference 34-4
map view 34-1
menu reference for Configuration Manager 1-27
missing text 1-48
overview of Configuration Manager 1-12
rules tables 12-7
searching for items 1-39
selecting items in a tree 1-42
selecting or specifying files 1-47
table
columns and headings 1-46
sections 12-20
tables 1-45
text fields
ASCII limitations 1-46
finding text in multiple-line 1-47
navigating 1-47
using 1-46
toolbars
Configuration Manager 1-36
event table in Event Viewer 66-14
troubleshooting 1-48
wizards 1-44
user login credentials for device access 3-4
user passwords
changing 10-23
user roles, IPS 35-13
users
how permissions affect what you can do 1-10
taking over configuration session 10-23
User Statistics
MPC rule wizard
tab 56-8
user statistics, collecting 13-25
user taskflow 1-17
V
Validate Activity command 1-34
Validate command 1-28
Validate Ticket command 1-35
Validation dialog box 4-18
validation error messages 4-18
Values Assignment dialog box 7-36
Variable Bit Rate-Non-Real Time (VBR-nrt) 59-48
Variable Bit Rate-Real Time (VBR-rt) 59-48
variables
deleting FlexConfig 7-27
FlexConfig objects 7-5, 7-6
changing variable values 7-34
VDI servers 33-12
Velocity Engine error message 7-37
Velocity Template Engine
scripting language 7-3
View Changes command 1-28, 1-34
viewing interface allocations 57-9
View menu
Configuration Manager 1-30
Event Viewer 66-9
views
Device 1-13
Event Viewer
clearing filters 66-44
column based filters 66-41
event based filters 66-43
filtering overview 66-39
refreshing event table 66-40
selecting time range 66-39
switching between real-time and historical 66-38
text searches (quick filter) 66-44
using time slider with filtering 66-40
HPM 68-18
column-based filters 68-15
Map 1-16
overview 1-12
Policy 1-14
views (Event Viewer)
arranging 66-34
configuring color rules 66-36
creating custom 66-37
customizing event table appearance 66-35
deleting custom 66-39
editing description 66-38
editing name 66-38
Event Monitoring window overview 66-12
Event Viewer overview 66-7
floating 66-34
list 66-11
opening 66-34
overview 66-3
saving 66-38
using 66-33
virtual channel identifier (VCI) 59-46
virtual firewalls
See security contexts
virtual fragment reassembly (VFR) 59-19
virtual path identifier (VPI) 59-46
Virtual Routing Forwarding (VRF)
VRF-Aware IPsec 24-14
virtual sensors
advantages 37-3
assigning interfaces 37-4
attributes 37-7
configuring 37-1, 37-5
deleting 37-10
discovering policies 5-13
editing policies 37-9
identifying 37-5
inline TCP session tracking mode 37-3
Normalizer mode 37-4
renaming 37-8
restrictions 37-3
showing containment 3-53
understanding 37-1
Virtual Sensors page 37-5
virtual terminal (VTY)
Cisco IOS routers
defining AAA settings 60-40
defining line groups 60-38
defining line setup parameters 60-38
virtual terminal (VTY) lines
Cisco IOS routers
VTY Line dialog box 60-51
VTY Policy page 60-50
VLAN
configuring IPS groups 36-15
configuring IPS inline pairs 36-14
VLAN ACLs (VACLs)
defining 65-37
deleting 65-39
understanding 65-36
VLAN access maps 65-37
VLANs
Catalyst switches and 7600 Series routers
Create and Edit VLAN ACL Content dialog boxes 65-42
Create and Edit VLAN ACL dialog boxes 65-41
Create and Edit VLAN dialog boxes 65-28
defining 65-26
defining Data Port for IDSM 65-46
defining EtherChannel for IDSM 65-45
defining groups 65-32
defining VACLs 65-37
deleting 65-27
deleting Data Port for IDSM 65-48
deleting EtherChannel for IDSM 65-46
deleting groups 65-33
deleting VACLs 65-39
Interfaces/VLANs page-VLANs tab 65-27
understanding 65-25
understanding VACLs 65-36
understanding VLAN groups 65-31
VLAN Access Lists page 65-39
VPDN groups 45-45
VPN
configuring policy defaults 11-54, 24-12
mixing deployment methods 9-13
policy discovery restriction for web VPNs 3-8
Report Manager reports
general VPN reports 67-16
VPN top reports 67-15
system variables 7-14
traffic sent unencrypted 9-14
updating routing processes 9-13
using device overrides to customize VPN policies 24-13
zone-based firewall 21-5
VPN default policies
configuring 24-12
factory defaults 24-12
understanding 24-12
VPN discovery
prerequisites 24-21
procedure 24-24
rules 24-21
supported and unsupported technologies and topologies 24-20
understanding 24-19
VPN global settings
GET VPN
VPN Global Settings for GET page 28-16
VPN Global Settings policy
General Settings tab 25-40
IKEv2 tab 25-34
ISAKMP/IPsec tab 25-30
NAT Settings tab 25-38
VPN Peers dialog box 34-22
VPN Policy Defaults page 11-54
VPN rediscovery 24-26
VPNs
AAA services 47-4
ASA devices
configuring bookmarks 30-70
configuring portal appearance 30-66
configuring WINS servers for file system access 30-76
customizing 30-65
post URL method and macro substitutions in bookmarks 30-72
smart tunnels 30-73
configuring remote access using wizard 29-13
creating in Map view 34-21
Easy VPN
connection profiles 27-13
connection profiles (ASA, PIX 7+) 30-8
IOS devices
configuring bookmarks 30-70
configuring WINS servers for file system access 30-76
IPsec
access policies for IKEv2 (ASA), configuring 30-40
access policies for IKEv2 (ASA), reference 30-37
access policies for IKEv2 (ASA), understanding 30-36
certificate to connection profile map policy (IKEv1) 30-29
certificate to connection profile map rules (IKEv1) 30-29
cluster load balancing 30-4, 30-5
configuring IKE and IPsec policies 25-1
connection profiles 30-6
connection profiles (ASA, PIX 7+) 30-8
creating on ASA/PIX 7.0+ 29-24
creating on IOS/PIX 6.3+ 29-35
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
Dynamic VTI/VRF Aware IPsec settings 32-7
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
high availability policies 32-11
IKE proposals 25-9
IKEv2 authentication 25-62, 25-64, 25-66
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
NAT settings 25-38
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
understanding IKE 25-5
understanding NAT settings 25-37
user group policies for IOS, PIX 6.3 32-13
VPNSM, VPN SPA, VSPA settings 32-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 30-33
attributes for IOS and PIX 6.3 devices 32-4
configuring for ASA and PIX 7.0+ devices 30-33
configuring for IOS and PIX 6.3 devices 32-3
Map view 34-20
policy discovery 5-12
remote access
access modes 29-4
device support 29-8
discovering 29-12
managing 29-1
managing (ASA, PIX 7.0+) 30-1
managing (IOS, PIX 6.3) 32-1
SSL 30-36
remote access IPSec
understanding 29-2
remote access SSL
example 29-3
limitations 29-7
managing support files 29-5
prerequisites 29-7
understanding 29-2
shared policies 5-4
site-to-site
configuring IKE and IPsec policies 25-1
policies overview 24-8
site-to-site VPNs 24-1
SSL
access policies (ASA), configuring 30-40
access policies (ASA), reference 30-37
access policies (ASA), understanding 30-36
advanced settings (ASA) 30-61
AnyConnect client image settings (ASA) 30-55
AnyConnect client settings (ASA) 30-52, 30-53
AnyConnect custom attributes (ASA) 30-59, 30-60
browser plug-ins (ASA) 30-50
cluster load balancing 30-4, 30-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 30-47
connection profiles 30-6
connection profiles (ASA) 30-8
content rewrite rules (ASA) 30-43
Context Editor dialog box (IOS) 32-15, 32-16
creating on ASA 29-14
creating on IOS devices 29-31
dynamic access policies 31-1, 31-2
dynamic access policy (DAP) attributes 31-3, 31-7
Dynamic Access policy page (ASA) 31-10
encoding rules (ASA) 30-45
fragmentation settings 25-40
global settings 25-29
group policies, configuring 30-21
group policies, creating 30-23
group policies, understanding 30-22
IKEv2 settings 25-34
ISAKMP/IPsec settings 25-30
Kerberos Constrained Delegation (KCD on ASA) 30-56, 30-58
NAT settings 25-38
other settings (ASA) 30-41
performance settings (ASA) 30-42
policies (IOS) 32-14
proxy bypass rules (ASA) 30-49
public key infrastructure (PKI) policies 25-52
secure desktop manager policies 31-8
server certificate verification (ASA) 30-25, 30-26, 30-27, 30-61
shared license (ASA) 30-62
shared license clients (ASA) 30-64
shared license servers (ASA) 30-65
understanding NAT settings 25-37
wizard 29-13
understanding 29-1
VPN Service Port Adapters (VSPAs)
configuring 24-40
VPN Services Module (VPNSM)
configuring 24-40
VPN Shared Port Adapter (VPN SPA)
configuring 24-40
VPNSM/VPN SPA/VSPA Settings dialog box 32-6
VPN Summary page 24-58
VPN topologies
accessing 24-17
assigning initial policies to new 24-57
assigning shared policies 5-41
cloning device VPN assignments 3-54
cloning shared policies 5-44
configuring dial backup 24-38
configuring GET VPN peers 24-56
configuring in Device view 24-19
creating or editing 24-28
creating or editing Extranet 24-62
defining endpoints and protected networks 24-33
defining GET VPN group encryption 24-50
deleting 24-66
discovering 24-19, 24-24
full mesh 24-4
hub-and-spoke 24-2
including unmanaged or non-Cisco devices 24-11
joined hub-and-spoke 24-5
locking 5-9
naming 24-30
partial mesh 24-5
point-to-point 24-3
rediscovering 24-26
removing devices 24-32
renaming policies 5-45
repairing discovered VPNs with multiple spoke definitions 24-25
selecting devices 24-32
tiered hub-and-spoke 24-5
unassigning policies 5-33
understanding 24-2
unsharing policies 5-40
using device overrides to customize VPN policies 24-13
viewing summary of VPN configuration 24-58
VRF-Aware IPsec
changing on Catalyst switches and 7600 routers 24-17
configuring 24-45
one-box solution 24-14
two-box solution 24-15
understanding 24-14
VRF-Aware IPsec tab (site-to-site VPN) 24-45
VTP modes, for Catalyst switches 65-1
VTY Line dialog box 60-51
Accounting tab 60-57
Authentication tab 60-55
Authorization tab 60-56
Setup tab 60-52
W
WAN interface card (WIC) 59-35
Warning - Partial VPN Deployment dialog box 8-32
warnings
significance of 1-1
Web Filter policy map objects
creating 21-35
match conditions and actions 21-34
properties 21-46
web filter rules
ACL naming conventions 12-5
ASA/FWSM/PIX
converting IPv4 12-28
deleting 12-9
editing 12-9
moving 12-19
attributes (IOS) 18-13
configuring exclusive domains for IOS devices 18-10
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
configuring in Map view 34-23
disabling 12-20
enabling 12-20
exclusive domain names (IOS) 18-14
managing 18-1
preserving ACL names 12-4
understanding 18-1
understanding NAT effects 12-3
understanding processing order 12-2
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-11
web filter server properties 18-19
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-11
Web Filter Server Configuration dialog box 18-19
web filter servers
attributes 18-19
configuring settings 18-15
configuring settings in Map view 34-24
configuring zone-based firewall settings in Map view 34-24
Web Filter settings page 18-16
Websense
configuring for web filter rules policies 18-15, 18-19
configuring for zone-based firewall rules policies 21-35, 21-38, 21-40
Websense class map objects
creating 21-35
match criteria 21-29
Websense parameter map objects
creating 21-35
properties 21-38
web VPN
policy discovery restriction 3-8
Weighted Random Early Detection (WRED) 63-4
Whitelist/Blacklist tab 19-14
windows
arranging report 67-25
arranging views 66-34
closing report 67-26
undocking maps 34-2
Windows Messenger class map objects
creating 21-15
match criteria 21-20
Windows NT servers
use by ASA, PIX, and FWSM devices 6-26
WINS Server Lists objects
attributes 33-74
creating 30-76
wizard
installation manager 70-24
wizards
configuring remote access SSL VPNs on ASA devices 29-14
configuring remote access SSL VPNs on IOS devices 29-31
configuring remote access VPNs 29-13
Copy Policies 5-31
Create Extranet VPN Topology 24-62
Create VPN Topology 24-28
creating remote access IPsec VPNs on ASA/PIX 7.0+ devices 29-24
creating remote access IPsec VPNs on IOS/PIX 6.3 devices 29-35
creating user group policies 29-19
Discover VPN policies 24-24
New Device 3-6
Rediscover VPN policies 24-26
Share Policies 5-39
wizards, using 1-44
workflow
overview 1-18
Workflow mode
changing modes 1-26
comparing with non-Workflow mode 1-20
configuration files
deploying 8-35, 8-40
previewing 8-45
configurations
rolling back 8-65
creating activities 4-14
deployment
viewing device details 8-27
viewing job history 8-27
jobs
aborting 8-51
approving 8-39
discarding 8-41
rejecting 8-39
states 8-6
submitting 8-39
opening activities 4-15
understanding 1-19
workflow modes
changing 1-26
comparing 1-20
Workflow Settings page 11-55
working with 3-57
worms
configuring IPS anomaly detection signatures 40-4
understanding 40-2
understanding IPS anomaly detection 40-1
understanding when to turn off anomaly detection 40-4
X
xdm-launcher.exe
device manager 69-6
Y
Yahoo Messenger class map objects
creating 21-15
match criteria 21-20
Z
zone-based firewall
add/edit zones 21-52
advanced options 21-63
changing the default drop rule 21-47
configuring PAM 21-65
configuring rules 21-12, 21-59
configuring settings 21-48
configuring settings in Map view 34-24
Content Filter tab 21-51
designing network zones 21-1
development overview 21-12
general recommendations 21-11
Global Parameters tab 21-49
IPSec VPN 21-5
logging 21-1
overview 21-1
page 21-49
preserving ACL names 12-4
protocol selection 21-64
restrictions 21-3
rules table 21-57
Self zone 21-5
tabs 21-48
troubleshooting 21-53
understanding 21-3
understanding NAT effects 12-3
understanding permit/deny and action 21-7
understanding processing order 12-2
understanding services and protocols 21-10
VPN tab 21-49
VRF 21-6
WAAS tab 21-49
Zones tab 21-49
zone-based firewall rules
configuring in Map view 34-23
deleting 12-9
disabling 12-20
editing 12-9
enabling 12-20
moving 12-19
zone-based firewall rules policies
blocking spam using zone-based firewall rules 21-25
configuring map objects for content filtering rules 21-35
configuring map objects for inspection rules 21-15
creating zones 6-68
inspection parameters 21-29
match conditions for IM applications 21-20
match conditions for P2P applications 21-20
preventing SMTP DoS attacks 21-25
protocol information for IM application inspection 21-32
understanding interface role objects 6-67
Zone Contents dialog box 12-14
zones
creating 6-68
understanding interface role objects 6-67
zones, anomaly detection 40-3
Zoom In command 1-31
Zoom Out command 1-31