User Guide for Cisco Security Manager 3.0.1
Policy User Interface Reference

Table Of Contents

Policy User Interface Reference

Policy Menu General Reference

Share Policy Dialog Box

Assign Shared Policy Dialog Box

Copy Policies Wizard

Copy Policies Wizard—Copy Policies from this Device Page

Copy Policies Wizard—Copy Policies to these Devices Page

Copy Policies Wizard—Select Policies to Copy Page

Share Policies Wizard

Share Policies Wizard—Share Policies from this Device Page

Share Policies Wizard—Select Policies to Share Page

Shared Policy Assignments Dialog Box

Save Policy As Dialog Box

Rename Policy Dialog Box

Inherit Rules Dialog Box

Create Discovery Task Dialog Box

Discovery Status Dialog Box

Policy View General Reference

Policy View—Policy Type Selector

Policy View—Policy Type Selector Options

Policy View—Shared Policy Selector Options

Create Filter Dialog Box—Policy View

Policy View—Assignments Tab

Create a Policy Dialog Box

Policy Object Manager General Reference

Policy Object Manager Window

Object Type Selector

Policy Object Manager Window—Work Area Buttons

Policy Object Manager Window—Shortcut Menu

AAA Server Groups Page

AAA Server Group Dialog Box

AAA Servers Page

AAA Server Dialog Box

Access Control Lists Page

Extended IP ACL Tab

Standard IP ACL Tab

ASA User Groups Page

Identity Tab

General Tab

IPSec Tab

Client Configuration Tab

Client Firewall Attributes Tab

Hardware Client Attributes Tab

Categories Page

Category Editor Dialog Box

FlexConfigs Objects Page

FlexConfig Editor Dialog Box

Create Text Object Dialog Box

FlexConfig Undefined Variables Dialog Box

Property Selector Dialog Box

FTP Maps Page

Add and Edit FTP Map Dialog Boxes

GTP Maps Page

Add and Edit GTP Map Dialog Boxes

GTP Map Timeouts Dialog Box

HTTP Maps Page

General Tab

Entity Length Tab

RFC Request Method Tab

Ext Request Method Tab

Port Misuse Tab

Encoding Tab

IOS Specific Tab

IKE Proposals Page

IKE Proposal Dialog Box

Interface Roles Page

Interface Role Dialog Box

Interface Name Conflict Dialog Box

IPSec Transform Sets Page

IPSec Transform Set Dialog Box

Networks/Hosts Page

Network/Host Dialog Box

PKI Enrollments Page

PKI Enrollment Dialog Box

Port Lists Page

Port List Dialog Box

Services Page

Service Dialog Box

Service Groups Page

Service Group Dialog Box

TCP Maps Page

Add and Edit TCP Map Dialog Boxes

Text Objects Page

Text Object Editor Dialog Box

Time Ranges Page

Time Range Dialog Box

Recurring Ranges Dialog Box

Traffic Flow Page

Add and Edit Traffic Flow Dialog Boxes

User Group Objects Page

User Groups Editor Dialog Box

Object Selectors

Create Filter Dialog Box—Object Selectors

Object Usage Window

Policy Object Overrides Window

Policy Object Overrides Window—AAA Server Groups

Policy Object Overrides Window—Interface Roles

Policy Object Overrides Window—Networks/Hosts

Policy Object Overrides Window—PKI Enrollments

Policy Object Overrides Window—Port Lists

Policy Object Overrides Window—Services

Policy Object Overrides Window—Service Groups

Policy Object Overrides Window—Text Objects

Create Overrides for Device Dialog Box

FlexConfig Policies

FlexConfig Policy Page

FlexConfigs Selector Dialog Box

Values Assignment Dialog Box

FlexConfig Policy Preview Dialog Box

PIX/ASA/FWSM Platform Policies

NAT Policies

Address Pools Page

Translation Options Page

Translation Rules Page

Interfaces Page

Add/Edit Interface Dialog Box

Bridging

ARP Table Page

ARP Inspection Page

MAC Address Table Page

MAC Learning Page

Management IP Page

AAA Page

Authentication Tab

Authorization Tab

Accounting Tab

Banner Page

Boot Image/Configuration Page

Images Dialog Box

Clock Page

Contact Credentials Page

Device Access

Console Page

HTTP Page

ICMP Page

Management Access Page

Secure Shell Page

SNMP Page

Telnet Page

Failover Policies

Failover Page (PIX 6.x)

Failover Page (FWSM)

Failover Page (ASA/PIX 7.x)

Bootstrap Configuration for LAN Failover Dialog Box

Hostname Page

Resources Page

Add/Edit Resource Dialog Box

Server Access

AUS Page

DHCP Relay Page

DHCP Server Page

DNS Page

NTP Page

SMTP Server Page

TFTP Server Page

User Accounts Page

Add/Edit User Account Dialog Box

Logging Policies

E-Mail Setup Page

Event Lists Page

Logging Filters Page

Logging Setup Page

Rate Limit Page

Server Setup Page

Syslog Servers Page

Multicast Policies

Enable Multicast Routing Page

IGMP Page

Multicast Routing Page

PIM Page

Routing Policies

No Proxy ARP Page

OSPF Page

RIP Page

Static Route Page

Security Policies

General Page

Timeouts Page

Service Policy Rules

IPS, QoS, and Connection Rules Page

User Preferences

Deployment Page

Security Contexts Page

Add/Edit Security Context Dialog Box (FWSM)

Add/Edit Security Context Dialog Box (PIX/ASA)

Allocate Interfaces Dialog Box

View Interface Allocation Dialog Box

Device Status Page

Router Platform Policies

Router Interfaces Page

Create Router Interface Dialog Box

Interface Auto Name Generator Dialog Box

NAT Policy Page

NAT Interface Specification Tab

NAT Static Rules Tab

NAT Dynamic Rules Tab

NAT Timeouts Tab

Device Access Policy Page

User Account Dialog Box

Dialer Interfaces Policy Page

Dialer Profile Dialog Box

Dialer Physical Interface Dialog Box

Hostname Policy Page

Secure Device Provisioning Policy Page

DHCP Policy Page

DHCP Database Dialog Box

IP Pool Dialog Box

NTP Policy Page

NTP Server Dialog Box

SNMP Policy Page

Permission Dialog Box

Trap Receiver Dialog Box

SNMP Traps Dialog Box

802.1x Policy Page

Network Admission Control Policy Page

Network Admission Control Setup Tab

Network Admission Control Interfaces Tab

Network Admission Control Identities Tab

Logging Setup Policy Page

Syslog Servers Policy Page

Syslog Server Dialog Box

Quality of Service Policy Page

QoS Policy Dialog Box

QoS Class Dialog Box

BGP Routing Policy Page

BGP Setup Tab

BGP Redistribution Tab

EIGRP Routing Policy Page

EIGRP Setup Tab

EIGRP Interfaces Tab

EIGRP Redistribution Tab

OSPF Interface Policy Page

OSPF Interface Dialog Box

OSPF Process Policy Page

OSPF Process Setup Tab

OSPF Process Area Tab

OSPF Process Redistribution Tab

RIP Routing Policy Page

RIP Setup Tab

RIP Authentication Tab

RIP Redistribution Tab

Static Routing Policy Page

Static Routing Dialog Box

Firewall Services

Access Rules Page

Add and Edit Firewall Rule Dialog Boxes

Advanced Dialog Box

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Firewall Option Dialog Box

Edit Interfaces Dialog Box

Show Interface Contents Dialog Box

Edit Description Dialog Box

Edit Category Dialog Box

Inspection Rules Page

Add and Edit Inspection Rule Dialog Boxes

Match Traffic to Protocol Page

Limit Inspection Between Source and Destination IP Addresses (ASA, FWSM 3.x) Page

Match Traffic by Custom Destination Ports Page

Match Traffic by Destination Address and Port (IOS) Page

Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Interfaces Dialog Box

Show Interface Contents Dialog Box

Edit Inspected Protocol Dialog Box

Configure DNS Dialog Box

Configure SMTP Dialog Box

Custom Protocol Dialog Box

Configure ESMTP Dialog Box

Configure Fragments Dialog Box

Configure IMAP Dialog Box

Configure POP3 Dialog Box

Configure RPC Dialog Box

Edit Description Dialog Box

Edit Category Dialog Box

AAA Rules Page

Add and Edit AAA Rules Dialog Boxes

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Interfaces Dialog Box

Show Interface Contents Dialog Box

Edit AAA Option Dialog Box

AuthProxy Dialog Box

Edit AAA Server Group Dialog Box

Edit Description Dialog Box

Edit Category Dialog Box

Web Filter Rules Page (ASA/FWSM/PIX)

PIX/FWSM/ASA Rules Dialog Box

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Web Filter Type Dialog Box

Edit Web Filter Options Dialog Box

Edit Category Dialog Box

Edit Description Dialog Box

Web Filter Rules Page (IOS)

Web Filter Rules Tab

Exclusive Domains Tab

Exclusive Domain Name Dialog Box

Transparent Rules Page

Add and Edit Transparent Firewall Rule Dialog Boxes

Edit Transparent EtherType Dialog Box

Edit Transparent Mask Dialog Box

Edit Interfaces Dialog Box

Edit Description Dialog Box

Edit Category Dialog Box

Firewall Settings

Access Control Page

Firewall ACL Setting Dialog Box

Inspection Page

AAA Firewall Page

Firewall AAA MAC Exempt Setting Dialog Box

AuthProxy Page

AuthProxy General Tab (IOS)

AuthProxy Timeout Tab (IOS)

Transparent Page

Edit Interfaces Dialog Box

Web Filter Page

Web Filter Server Configuration Dialog Box

Analysis Reports Page

Policy Query Page

Policy Query Results Page

Hit Count Page

Remote Access VPN Policies

Remote Access VPN Server Wizard

User Group Policy Page

Tunnel Group Policy Page

Tunnel Group Editor Dialog Box

IPSec Proposal Page

IPSec Proposal Editor Dialog Box (for PIX and ASA Devices)

IPSec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)

IKE Proposal Page

Public Key Infrastructure Page

VPN Global Settings Page

ISAKMP/IPSec Settings Tab

NAT Settings Tab

General Settings Tab

ASA Cluster Load Balance Page

DN Matching Policy Page

DN Matching Rules Page

DN Rule Dialog Box (Upper Pane)

DN Rule Dialog Box (Lower Pane)


Policy User Interface Reference


These topics describe the pages that are accessed from the Policy menu and from the Policies folder of devices selected in the VPN/Security Management Solution:

Policy Menu General Reference

Policy Object Manager General Reference

FlexConfig Policies

PIX/ASA/FWSM Platform Policies

Router Platform Policies

Firewall Services

Remote Access VPN Policies

Policy Menu General Reference

Use the options in the Policy menu to manage local and shared policies in Device view. The options in the Policy menu display the dialog boxes and wizards described in the following topics:

Share Policy Dialog Box

Assign Shared Policy Dialog Box

Copy Policies Wizard

Share Policies Wizard

Shared Policy Assignments Dialog Box

Save Policy As Dialog Box

Rename Policy Dialog Box

Inherit Rules Dialog Box

Create Discovery Task Dialog Box

Share Policy Dialog Box

Use the Share Policy dialog box to convert a local policy to a shared policy that you can assign to multiple devices or VPNs. For more information, see Sharing a Local Policy, page 1-23.

Navigation Path

In Device view, select a policy from the Device Policies selector, then do one of the following:

Select Policy > Share Policy.

Right-click the policy, then select Share Policy.

Related Topics

Assign Shared Policy Dialog Box

Shared Policy Assignments Dialog Box

Inherit Rules Dialog Box

Policy Menu General Reference

Field Reference

Table A-1 Share Policy Dialog Box 

Element
Description

Policy Name

The name that identifies the shared policy. Unlike local policies, shared policies require a name so that they can be identified when you assign the policy to devices or VPN topologies. Names can contain up to 255 characters, including spaces and special characters.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Assign Shared Policy Dialog Box

Use the Assign Shared Policy dialog box to assign an existing shared policy to a selected device. For more information, see Assigning a Shared Policy to a Selected Device, page 1-28.

Navigation Path

In Device view, select a policy from the Device Policies selector, then do one of the following:

Select Policy > Assign Shared Policy.

Right-click the policy in the Device Policies selector, then select Assign Shared Policy.

Click the Shared Policy in use link in the header above the work area.

Related Topics

Save Policy As Dialog Box

Shared Policy Assignments Dialog Box

Inherit Rules Dialog Box

Policy Menu General Reference

Field Reference

Table A-2 Assign Shared Policy Dialog Box 

Element
Description

Policy selector

Lists all shared policies defined for the selected policy type. Select the shared policy to assign to the selected device.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.



Note You cannot change the policy assigned to the device if the device is locked by another user. Click Close to close the dialog box.


Copy Policies Wizard

Use the Copy Policies wizard to copy selected policies (both local and shared) to one or more devices of the same type. For example, you can use the Copy Policies wizard to copy a set of firewall service policies and routing policies from one firewall device to fifty other firewall devices with a single operation.

For more information, see Copying Policies Between Devices, page 1-19.


Note Catalyst 6500/7600 devices do not support this feature.


The pages of the Copy Policies wizard are described in the following topics:

Copy Policies Wizard—Copy Policies from this Device Page

Copy Policies Wizard—Copy Policies to these Devices Page

Copy Policies Wizard—Select Policies to Copy Page

Navigation Path

In Device view, select a device from the Device selector, then do one of the following:

Select Policy > Copy Policies Between Devices.

Right-click the device in the Device selector, then select Copy Policies Between Devices.

Related Topics

Share Policies Wizard

Policy Menu General Reference

Copy Policies Wizard—Copy Policies from this Device Page

Use the Copy Policies from this Device page of the Copy Policies wizard to select the device whose policies will be copied to other devices of the same type.


Note When you access the Copy Policies wizard by right-clicking a specific device, the device you right-clicked is automatically selected as the source device and you are brought directly to the Copy Policies Wizard—Copy Policies to these Devices Page. You can return to the Copy Policies from this Device page by clicking Back.


Navigation Path

In Device view, select a device from the Device selector, then select Policy > Copy Policies Between Devices.

Related Topics

Copy Policies Wizard

Copying Policies Between Devices, page 1-19

Field Reference

Table A-3 Copy Policies Wizard—Copy Policies from this Device Page 

Element
Description

Filter

Selects a filter to apply to the device selector, or enables you to create a new filter. By default, the active filter in Device view is applied to the filter displayed in the wizard. For more information, see Filtering Items in Selector Trees, page 1-16.

Note If you create a filter while working inside the wizard, it is added to the list of filters available in Device view. The active filter in Device view, however, does not change.

Device selector

Selects the device containing the policies to be copied.

Next button

Advances to the next wizard page.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens the context-sensitive online help for this wizard page.


Copy Policies Wizard—Copy Policies to these Devices Page

Use the Copy Policies to these Devices page of the Copy Policies wizard to select the devices to which policies from the source device will be copied.

Navigation Path

Go to the Copy Policies Wizard, then click Next on the Copy Policies from this Device page.

Related Topics

Copy Policies Wizard

Copying Policies Between Devices, page 1-19

Field Reference

Table A-4 Copy Policies Wizard—Copy Policies to these Devices Page

Element
Description

Filter

Selects a filter to apply to the device selector, or enables you to create a new filter. By default, the active filter in Device view is applied to the filter displayed in the wizard. For more information, see Filtering Items in Selector Trees, page 1-16.

Note If you create a filter while working inside the wizard, it is added to the list of filters available in Device view. The active filter in Device view, however, does not change.

Device selector

Selects the devices to which policies from the source device should be copied. Selecting the check box for a device group selects all of the devices in that group.

The device selector displays only those devices that are the same type as the source device. For example, if the source device is a Cisco IOS router, only routers are displayed, not firewall devices.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens the context-sensitive online help for this wizard page.


Copy Policies Wizard—Select Policies to Copy Page

Use the Select Policies to Copy page of the Copy Policies wizard to select which policies to copy from the source device to the target devices.

Navigation Path

Go to the Copy Policies Wizard, then click Next on the Copy Policies to these Devices page.

Related Topics

Copy Policies Wizard

Copying Policies Between Devices, page 1-19

Field Reference

Table A-5 Copy Policies Wizard—Select Policies to Copy Page 

Element
Description

Policy selector

Selects the policies to copy from the source device to the target devices. Selecting the check box for a policy group selects all of the policies in that group.

Note When copying policies between PIX/ASA/FWSM devices, copying the failover policy automatically copies the interfaces policy, and vice versa.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Saves your definitions and closes the wizard.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens the context-sensitive online help for this wizard page.


Share Policies Wizard

Use the Share Policies wizard to take the local policies configured on a particular device and make them shared policies that you can assign to other devices. For more information, see Sharing Multiple Policies of a Selected Device, page 1-25.


Note Catalyst 6500/7600 devices do not support this feature.


The pages of the Share Policies wizard are described in the following topics:

Share Policies Wizard—Share Policies from this Device Page

Share Policies Wizard—Select Policies to Share Page

Navigation Path

In Device view, select a device from the Device selector, then do one of the following:

Select Policy > Share Device Policies.

Right-click the device in the Device selector, then select Share Device Policies.

Related Topics

Copy Policies Wizard

Policy Menu General Reference

Share Policies Wizard—Share Policies from this Device Page

Use the Share Policies from this Device page of the Share Policies wizard to select the device whose local policies you want to share.


Note When you access the Share Policies wizard by right-clicking a specific device, the device you right-clicked is automatically selected as the source device and you are brought directly to the Share Policies Wizard—Select Policies to Share Page. You can return to the Share Policies from this Device page by clicking Back.


Navigation Path

In Device view, select a device from the Device selector, then select Policy > Share Device Policies.

Related Topics

Share Policies Wizard

Sharing Multiple Policies of a Selected Device, page 1-25

Field Reference

Table A-6 Share Policies Wizard—Share Policies from this Device Page

Element
Description

Filter

Selects a filter to apply to the device selector, or enables you to create a new filter. By default, the active filter in Device view is applied to the filter displayed in the wizard. For more information, see Filtering Items in Selector Trees, page 1-16.

Note If you create a filter while working inside the wizard, it is added to the list of filters available in Device view. The active filter, however, does not change.

Device selector

Selects the device containing the policies to be shared.

Next button

Advances to the next wizard page.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens the context-sensitive online help for this wizard page.


Share Policies Wizard—Select Policies to Share Page

Use the Select Policies to Share page of the Share Policies wizard to select which local policies you want to share.

Navigation Path

Go to the Share Policies Wizard, then click Next on the Share Policies from this Device page.

Related Topics

Share Policies Wizard

Sharing Multiple Policies of a Selected Device, page 1-25

Field Reference

Table A-7 Share Policies Wizard—Select Policies to Share Page 

Element
Description

Policy selector

Selects the local policies to share. Selecting the check box for a policy group selects all of the policies in that group.

Save policies as

The name to give to the policies you are sharing.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Saves your definitions and closes the wizard.

Cancel button

Closes the wizard without saving your changes.

Help button

Opens the context-sensitive online help for this wizard page.


Shared Policy Assignments Dialog Box

Use the Shared Policy Assignments dialog box to modify the list of devices or VPN topologies to which you have assigned a selected shared policy. For more information, see Modifying Shared Policy Assignments in Device View, page 1-34.

Navigation Path

In Device view, select a shared policy from the Device Policies selector, then do one of the following:

Select Policy > Edit Policy Assignments.

Right-click the policy in the Device Policies selector, then select Edit Policy Assignments.

Click the Assigned to link in the header above the work area.


Tip You can also modify policy assignments from Policy view. See Policy View—Assignments Tab.


Related Topics

Share Policy Dialog Box

Shared Policy Assignments Dialog Box

Inherit Rules Dialog Box

Policy Menu General Reference

Field Reference

Table A-8 Shared Policy Assignments Dialog Box 

Element
Description

Available Devices/VPNs

Lists all existing devices or VPN topologies. To assign the selected policy to additional devices or VPNs, select one or more items from this list, then click >> to add them to the Assigned Devices/VPNs list.

Assigned Devices/VPNs

Lists all devices or VPNs to which the selected policy has been assigned. To remove items from this list, select the item, then click <<.

If you unassign a shared, mandatory policy from a VPN (for example, IKE), a default policy is configured automatically in its place. Unassigning a VPN policy that is not mandatory removes the policy completely from the VPN.

If you unassign a shared policy from a remote access VPN, an empty policy is configured in its place, even if it is a mandatory policy, such as IKE. In such cases, you must configure a new policy in order to avoid validation errors during deployment.

If you unassign a shared policy from a device, the policy type is effectively removed from that device configuration.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Save Policy As Dialog Box

Use the Save Policy As dialog box to duplicate an existing shared policy under a new name. For more information, see Copying a Shared Policy, page 1-30.

Navigation Path

Select a shared policy in either Device view or Policy view, then do one of the following:

Select Policy > Save Policy As.

Right-click the shared policy, then select Save Policy As.

Related Topics

Assign Shared Policy Dialog Box

Shared Policy Assignments Dialog Box

Inherit Rules Dialog Box

Policy Menu General Reference

Field Reference

Table A-9 Save Policy As Dialog Box 

Element
Description

Policy Name

The name that identifies the shared policy. Unlike local policies, shared policies require a name so that they can be identified when you assign the policy to devices or VPN topologies. Names can contain up to 255 characters, including spaces and special characters.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Rename Policy Dialog Box

Use the Rename Policy dialog box to assign a different name to a selected shared policy. For more information, see Renaming a Shared Policy, page 1-32.

Navigation Path

Select a shared policy in either Device view or Policy view, then do one of the following:

Select Policy > Rename Policy.

Right-click the policy, then select Rename Policy.

Related Topics

Create a Policy Dialog Box

Policy View General Reference

Field Reference

Table A-10 Rename Policy Dialog Box 

Element
Description

Policy Name

The new name to assign to the selected shared policy. Names can contain up to 255 characters, including spaces and special characters.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Inherit Rules Dialog Box

Use the Inherit Rules dialog box to have a rule-based policy (such as access rules) inherit the rules of a shared policy of the same type. For more information, see Inheriting Rules, page 1-47.

Navigation Path

Select a shared rule-based policy in either Device view or Policy view, then do one of the following:

Select Policy > Inherit Rules.

Right-click the policy, then select Inherit Rules.

Related Topics

Save Policy As Dialog Box

Assign Shared Policy Dialog Box

Shared Policy Assignments Dialog Box

Policy Menu General Reference

Field Reference

Table A-11 Inherit Rules Dialog Box 

Element
Description

Policy selector

Selects the parent policy, that is, the policy whose rules should be inherited. Policies can inherit only from shared policies of the same type.

The name of the selected parent policy is displayed below the selector.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Create Discovery Task Dialog Box

Use the Create Discovery Task dialog box to have Security Manager discover the policies that already exist on a device. For more information, see Discovering Policies, page 1-5.

Navigation Path

In Device view, select a device from the Device selector, then do one of the following:

Select Policy > Discover Policies on Device.

Right-click the device in the Device selector, then select Discover Policies on Device.

Related Topics

Policy Menu General Reference

Field Reference

Table A-12 Create Discovery Task Dialog Box 

Element
Description

Discovery Task Name

The name assigned to the discovery task. This name can be used to identify the task in the Discovery Manager. Security Manager automatically generates a name for the task based on the current date and time, but you can modify this name as required.

Discover From

The source of information to be discovered:

Live Device—Performs discovery on a live device.

Config File—Performs discovery based on the contents of a configuration file. When you select this option, you must specify the location of the file.

Note Security Manager supports only device-generated configuration files. For more information, see Adding Devices from a Configuration File, page 1-44.

Factory Default Configuration—Performs discovery on a firewall device using a file containing the factory-default settings for that device. Security Manager automatically chooses the appropriate file for the selected device. For more information, see Understanding Factory-Default Configurations, page 1-2.

Config. File

Applies only when performing discovery on a configuration file.

The location of the configuration file on which discovery will be performed. You can manually enter the path and file name, or click Browse to display a file selector. For more information, see Selecting a File or Directory on the Server File System, page 1-24.

Discover Policies for Security Contexts

Applies only to ASA/PIX/FWSM devices.

When selected, Security Manager attempts to discover policies on each virtual firewall (security context) that is configured on a firewall device running in multiple mode.

When deselected, Security Manager treats the entire device as having a single set of policies configured in single mode.

For more information about security contexts, see Configuring Security Contexts on Firewall Devices, page 1-103.

Policies to Discover

The policy types to discover on the selected device. Select one or more of the following options:

Inventory—Includes device information such as the hostname and domain name, interfaces, and security contexts (for firewall devices running in multiple mode). For more information, see Adding Devices to the Security Manager Inventory, page 1-29.

Platform Settings—Includes all platform-specific policies that can be configured on the selected device. For example, if you are performing policy discovery on a PIX firewall device, this option includes such policies as device admin policies, multicast policies, and routing policies.

Firewall Services—Includes all firewall service policies. For more information, see Managing Firewall Services, page 1-1.

OK button

Initiates the discovery task. The Create Discovery Task dialog box closes and is replaced by the Discovery Status dialog box. For more information, see Discovery Status Dialog Box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Discovery Status Dialog Box

Use the Discovery Status dialog box to view detailed information about the current policy discovery task. The dialog box includes general information about the status of the task, as well as detailed information about any warnings or errors generated by the device being discovered.

The Discovery Status dialog box opens automatically when you initiate a discovery task on existing devices and when you add devices from a configuration file or the DCR. For more information about initiating a discovery task, see Create Discovery Task Dialog Box.

Related Topics

Policy Menu General Reference

Adding Devices from a Configuration File, page 1-44

Adding Devices from DCR, page 1-58

Field Reference

Table A-13 Discovery Status Dialog Box

Element
Description

Progress bar

Indicates what percentage of the discovery task on the current device has been completed. After discovery on all devices is complete, the bar is colored green if discovery was successful and red if one or more devices failed.

Status

The current state of the discovery task.

Devices to be discovered

The total number of devices being discovered during this task.

Note When discovering security contexts on a firewall device running in multiple mode, this value represents the parent device plus all the security contexts configured on the device. For more information, see Create Discovery Task Dialog Box.

Devices discovered successfully

The number of devices discovered without errors.

Devices discovered with errors

The number of devices that generated errors during discovery.

Discovery Details table

Device

The name of the device being discovered.

Severity

The overall severity level of the discovery task performed on each device (Info, Warning, Error). For example, if the discovery task completed successfully, an Info icon is displayed. If the task failed, an Error icon is displayed.

State

The current state of the policy discovery task for the selected device:

Device Added—The device has been added to Security Manager, but policy discovery has not yet started.

Discovery Started—Policy discovery has started.

Reading and Parsing Device Config—The policy discovery task is parsing the device configuration.

Importing Objects—The policy discovery task is importing objects from the configuration.

Importing Policies—The policy discovery task is importing policies from the configuration.

Discovery Complete—Policy discovery has been completed successfully.

Discovery Failed—Policy discovery failed due to errors.

Discovered From

The source of policy information. For example, when discovering from a configuration file, this field displays the name and path of the file.

Messages

The text of each message.

Severity

The severity level of each message related to the discovery task (Info, Warning, Error).

Description

Additional information about the warning or error.

Action

The steps you should take to resolve the problem.

Discovery Status buttons

Abort button

Aborts the discovery task.

If you abort the task when performing policy discovery on a single device, the result is partial discovery of that device. In such cases, we recommend deleting the information (for example, by discarding the activity) and starting again.

If you abort the task when performing policy discovery on multiple devices, Security Manager automatically discards the information for any partially discovered device. Devices for which discovery was completed before you aborted the operation are fully discovered.

Close button

Closes the dialog box.

Help button

Opens help for this dialog box.


Policy View General Reference

Use Policy view to globally manage all the shared policies configured with Cisco Security Manager. Unlike Device view, which you use to manage all the policies configured on a selected device, Policy view enables you to manage all shared policies of a particular type regardless of device.

Policy view enables you to:

Create new shared policies.

Edit any policy configuration.

Modify the list of devices or VPNs to which shared policies are assigned.

Delete shared policies that are not assigned to any devices or VPNs.

Navigation Path

Click the Policy View button on the toolbar or select View > Policy View.

Related Topics

Policy Menu General Reference

Field Reference

Table A-14 Policy View  

Element
Description

Policy Type selector

Lists the policy types available in Security Manager, divided by category. Clicking a policy type in the selector displays all the shared policies defined for that type in the Shared Policy selector. See Policy View—Policy Type Selector.

Shared Policy selector

Lists the shared policies that are defined for the selected type. Clicking a policy in the selector displays the definition of that policy on the Details tab of the work area. You can modify the definition as required. Changes affect all devices or VPN topologies to which the policy is assigned.

Use the Filter list to filter the list of policies displayed in the selector. For more information about creating filters, see Create Filter Dialog Box—Policy View.

The list of devices or VPN topologies to which the policy is assigned is displayed on the Assignments tab. For more information, see Policy View—Assignments Tab.

Work area

Contains two tabs:

Details—Use this tab to view and edit the definition of the selected policy. Any changes you make to a policy affect every device or VPN to which the policy is assigned. See Policy View—Policy Type Selector.

Assignments—Use this tab to view and edit the list of devices or VPNs to which a shared policy is assigned. See Policy View—Assignments Tab.

The banner at the top of the work area displays the name of the shared policy, the policy type, and the number of devices or VPNs to which the policy is assigned.


Policy View—Policy Type Selector

The Policy Type selector displayed on the upper-left side of Policy view lists each policy type available in Security Manager, divided by domain. Select a policy type to display a list of shared policies that are defined for that type in the Shared Policy selector.

For more information, see Policy View Selectors, page 1-37.

Related Topics

Policy View—Policy Type Selector Options

Policy View—Shared Policy Selector Options

Policy View General Reference

Field Reference

Table A-15 Policy View—Policy Type Selector 

Element
Description

Firewall

Lists all policy types for configuring firewall services. See Managing Firewall Services, page 1-1.

NAT (PIX)

Lists all NAT policies configured on PIX/ASA/FWSM devices. See Configuring NAT Policies on Firewall Devices, page 1-19.

NAT (Router)

Lists all NAT policies configured on Cisco IOS routers. See Configuring NAT on Cisco IOS Routers, page 1-10.

Remote Access VPN

Lists all policy types for configuring remote-access VPNs. See Managing Remote Access VPNs, page 1-1.

PIX/ASA/FWSM Platform

Lists all policy types for configuring PIX/ASA/FWSM platform-specific policies. See Managing Firewall Devices, page 1-1.

Site-to-Site VPN

Lists all policy types for configuring site-to-site VPNs. See Managing Site-to-Site VPNs, page 1-1.

Router Platform

Lists all policy types for configuring platform-specific Cisco IOS router policies. See Managing Routers, page 1-1.

FlexConfig

Lists all FlexConfig policies. See Managing FlexConfigs, page 1-1.


Policy View—Policy Type Selector Options

Right-click a policy type in the Policy Type selector (see Policy View—Policy Type Selector) to display a shortcut menu for performing functions on the selected policy type.

For more information, see Policy View Selectors, page 1-37.

Related Topics

Policy View—Shared Policy Selector Options

Policy View General Reference

Field Reference

Table A-16 Policy Type Selector Options 

Menu Command
Description

New [policy type] Policy

Opens the Create a Policy Dialog Box. Use this dialog box to create a shared policy of the selected type.


Policy View—Shared Policy Selector Options

Right-click a policy in the Shared Policy selector of Policy view to display a shortcut menu for performing functions on the selected policy.

For more information, see Policy View Selectors, page 1-37.

Related Topics

Policy View—Policy Type Selector Options

Create Filter Dialog Box—Policy View

Policy View General Reference

Field Reference

Table A-17 Shared Policy Selector Options 

Menu Command
Description

Save Policy As

Saves a new instance of the selected shared policy under a different name. Use this option to create a new policy with the same definition as the policy from which it was created. See Save Policy As Dialog Box.

Rename Policy

Renames the selected policy. See Rename Policy Dialog Box.

Inherit Rules

Applies only to rule-based policies such as access rules.

Causes a rule-based policy to inherit the rules of a different shared policy of the same type. See Inherit Rules Dialog Box.

New [policy type] Policy

Opens the Create a Policy Dialog Box. Use this dialog box to create a shared policy of the selected type.

Delete Policy

Deletes a shared policy from Security Manager.

Note You can delete only those policies that are not assigned to any devices or VPNs.


Create Filter Dialog Box—Policy View

Use the Create Filter dialog box to filter the shared policies displayed in Policy view, based on the filtering criteria you define. For more information, see Filtering the Shared Policy Selector, page 1-38.

Navigation Path

In Policy view, select Create Filter from the Filter list displayed above the Shared Policy selector.

Related Topics

Policy View—Shared Policy Selector Options

Policy View General Reference

Field Reference

Table A-18 Create Filter Dialog Box—Policy View 

Element
Description

Match Any of the Following

When you select this option an OR relationship is created among the filtering criteria you define.

For example, if you define the following criteria:

Name contains OSPF

Name contains RIP

When you click OK, the filter is defined as:

Name contains OSPF or Name contains RIP

If you select this filter from the Filter list, the Shared Policy selector displays all shared policies whose name contains either OSPF or RIP.

Match All of the Following

When you select this option an AND relationship is created among the filtering criteria you define.

For example, if you define the following criteria:

Name contains OSPF

Name contains West

When you click OK, the filter is defined as:

Name contains OSPF and Name contains West

If you select this filter from the Filter list, the Shared Policy selector displays all shared policies whose name contains both OSPF and West.

Filter type

Filters the policies by name. You specify the policy name, or a portion of the name, in the filter value field.

Filter operator

The relationship between the filter type and the filter value:

contains

doesn't contain

is

isn't

begins with

ends with

Filter value

The full or partial policy name to include in the filter. Enter a string in this field.

Filter content area

The filter type, operator, and value that you have selected for each criterion.

Add button

Adds a criterion to the filter control content area.

Remove button

Removes the selected criterion from the filter control content area.

OK button

Saves your changes and closes the dialog box. The filter is added to the Filter list.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
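As an added illustration of the filter semantics in the table above (this is not Security Manager code), the following Python models the six operators and the Match Any / Match All combination so you can see exactly which names an OR filter and an AND filter keep. The sample policy names are constructed, and case-sensitive matching is an assumption; the dialog's own case handling is not stated on this page.

```python
"""Evaluate Policy view name filters over a list of shared policy names.

Added illustration, not Security Manager code. It models the six operators of
the Create Filter dialog and the Match Any (OR) / Match All (AND) combination.
Matching is case-sensitive here; the dialog's own case handling is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

# The six operators the dialog offers, as predicates on (policy name, filter value).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda name, value: value in name,
    "doesn't contain": lambda name, value: value not in name,
    "is": lambda name, value: name == value,
    "isn't": lambda name, value: name != value,
    "begins with": lambda name, value: name.startswith(value),
    "ends with": lambda name, value: name.endswith(value),
}


@dataclass(frozen=True)
class Criterion:
    """One row of the filter content area: Name <operator> <value>."""
    operator: str
    value: str

    def __post_init__(self) -> None:
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown filter operator: {self.operator!r}")

    def matches(self, name: str) -> bool:
        return OPERATORS[self.operator](name, self.value)


@dataclass(frozen=True)
class PolicyFilter:
    """A saved filter: its criteria plus the Match Any / Match All choice."""
    criteria: Sequence[Criterion]
    match_all: bool  # True = Match All of the Following (AND); False = Match Any (OR)

    def __post_init__(self) -> None:
        if not self.criteria:
            raise ValueError("a filter needs at least one criterion")

    def describe(self) -> str:
        """The filter definition as the dialog spells it out after you click OK."""
        joiner = " and " if self.match_all else " or "
        return joiner.join(f"Name {c.operator} {c.value}" for c in self.criteria)

    def matches(self, name: str) -> bool:
        combine = all if self.match_all else any
        return combine(c.matches(name) for c in self.criteria)

    def apply(self, names: Sequence[str]) -> List[str]:
        """Return the names the Shared Policy selector would show under this filter."""
        return [n for n in names if self.matches(n)]


# Constructed sample of shared policy names; not taken from any real deployment.
SAMPLE_POLICIES = ["OSPF-West", "OSPF-East", "RIP-West", "BGP-Core", "OSPF"]


def match_any_example() -> List[str]:
    """Name contains OSPF or Name contains RIP."""
    f = PolicyFilter([Criterion("contains", "OSPF"), Criterion("contains", "RIP")], match_all=False)
    return f.apply(SAMPLE_POLICIES)


def match_all_example() -> List[str]:
    """Name contains OSPF and Name contains West."""
    f = PolicyFilter([Criterion("contains", "OSPF"), Criterion("contains", "West")], match_all=True)
    return f.apply(SAMPLE_POLICIES)


if __name__ == "__main__":
    print(match_any_example())   # ['OSPF-West', 'OSPF-East', 'RIP-West', 'OSPF']
    print(match_all_example())   # ['OSPF-West']
```

The two helper functions reproduce the two examples in the table: the OR filter keeps every name containing either string, while the AND filter keeps only OSPF-West. Combining "begins with" and "isn't" under Match All is the usual way to exclude one exact name from a family of policies.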


Policy View—Assignments Tab

Use the Assignments tab in Policy view to modify the list of devices or VPNs to which the selected shared policy is assigned. See Modifying Policy Assignments in Policy View, page 1-41.

Navigation Path

In Policy view, select a policy from the Shared Policy selector, then click the Assignments tab in the work area.

Related Topics

Shared Policy Assignments Dialog Box

Field Reference

Table A-19 Policy View—Assignments Tab 

Element
Description

Available Devices/VPNs

Lists all existing devices or VPN topologies. To assign the selected policy to additional devices or VPNs, select one or more items from this list, then click >> to add them to the Assigned Devices/VPNs list.

Assigned Devices/VPNs

Lists all devices or VPNs to which the selected policy has been assigned. To remove items from this list, select the item, then click <<.

If you unassign a shared, mandatory policy from a VPN (for example, IKE), a default policy is configured automatically in its place. Unassigning a VPN policy that is not mandatory removes the policy completely from the VPN.

If you unassign a shared policy from a remote access VPN, an empty policy (that is, a policy instance with no values) is configured in its place, even if it is a mandatory policy, such as IKE. In such cases, you must configure a new policy in order to avoid validation errors during deployment.

If you unassign a shared policy from a device, an empty policy is assigned in its place.

Save button

Saves your changes to the server but keeps them private.

Note To publish your changes, click the Submit button on the toolbar.


Create a Policy Dialog Box

When working in Policy view, use the Create a Policy dialog box to create a new shared policy of a selected type. The new policy is initially not assigned to any devices or VPN topologies. See Creating a New Shared Policy, page 1-40.


Note See Policy View—Assignments Tab for information about assigning the new policy.


Navigation Path

In Policy view, do one of the following:

Right-click a policy type in the Policy Type selector, then select New [name of policy] Policy.

Right-click a policy in the Shared Policy selector, then select New [name of policy] Policy.

Related Topics

Policy View General Reference

Policy View—Assignments Tab

Field Reference

Table A-20 Create a Policy Dialog Box 

Element
Description

Policy Name

The name to assign to the new shared policy. Names can contain up to 255 characters, including spaces and special characters.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Policy Object Manager General Reference

The Policy Object Manager general reference contains the following topics:

Policy Object Manager Window

AAA Server Groups Page

AAA Servers Page

Access Control Lists Page

ASA User Groups Page

Categories Page

FlexConfigs Objects Page

FTP Maps Page

GTP Maps Page

HTTP Maps Page

IKE Proposals Page

Interface Roles Page

IPSec Transform Sets Page

Networks/Hosts Page

PKI Enrollments Page

Port Lists Page

Services Page

Service Groups Page

TCP Maps Page

Text Objects Page

Time Ranges Page

Traffic Flow Page

User Group Objects Page

Object Selectors

Object Usage Window

Policy Object Overrides Window

Policy Object Manager Window

Use the Policy Object Manager window to:

View all the available objects grouped according to object type.

Access all object dialog boxes to create, copy, edit, and delete objects.

Generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager General Reference

Guidelines for Managing Objects, page 1-3

Object Usage Window

Policy Object Overrides Window

Selecting Objects for Policies, page 1-256

How Policy Objects are Provisioned as PIX Object Groups, page 1-264

Field Reference

Table A-21 Policy Object Manager Window 

Element
Description

Object Type selector

Lists the object types available in Security Manager. Clicking an object type in the selector displays a table in the work area containing all the objects currently defined for that type. See Object Type Selector.

Work area

Displays the objects that are defined for the type selected in the Object Type selector. For information about the buttons displayed beneath the work area, see Policy Object Manager Window—Work Area Buttons.

Right-clicking anywhere inside the table displays a shortcut menu for performing object operations. See Policy Object Manager Window—Shortcut Menu.

Use the filtering bar located above the table to filter the list of objects displayed in the work area. See Filtering Tables, page 1-19.


Object Type Selector

The Object Type selector is displayed on the left side of the Policy Object Manager window. Select an object type to display a list of objects that have been defined for that type in the work area.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager Window

Policy Object Manager Window—Work Area Buttons

Policy Object Manager Window—Shortcut Menu

Field Reference

Table A-22 Object Type Selector 

Element
Description

AAA Server Groups

Click to display a table of defined AAA server group objects. See AAA Server Groups Page.

AAA Servers

Click to display a table of defined AAA server objects. See AAA Servers Page.

Access Control Lists

Click to display a table of defined ACL objects. See Access Control Lists Page.

ASA User Groups

Click to display a table of defined ASA user group objects. See ASA User Groups Page.

Categories

Click to display a table of defined category objects. See Categories Page.

FlexConfigs

Click to display a table of defined FlexConfig objects. See FlexConfigs Objects Page.

FTP Maps

Click to display a table of defined FTP map objects. See FTP Maps Page.

GTP Maps

Click to display a table of defined GTP map objects. See GTP Maps Page.

HTTP Maps

Click to display a table of defined HTTP map objects. See HTTP Maps Page.

IKE Proposals

Click to display a table of defined IKE proposal objects. See IKE Proposals Page.

Interface Roles

Click to display a table of defined interface role objects. See Interface Roles Page.

IPSec Transform Sets

Click to display a table of defined IPSec transform set objects. See IPSec Transform Sets Page.

Networks/Hosts

Click to display a table of defined network/host objects. See Networks/Hosts Page.

PKI Enrollments

Click to display a table of defined PKI enrollment objects. See PKI Enrollments Page.

Port Lists

Click to display a table of defined port list objects. See Port Lists Page.

Services

Click to display a table of defined service objects. See Services Page.

Service Groups

Click to display a table of defined service group objects. See Service Groups Page.

TCP Maps

Click to display a table of defined TCP map objects. See TCP Maps Page.

Text Objects

Click to display a table of defined free-form text objects. See Text Objects Page.

Time Ranges

Click to display a table of defined time range objects. See Time Ranges Page.

Traffic Flows

Click to display a table of defined traffic flow objects. See Traffic Flow Page.

User Groups

Click to display a table of defined user group objects. See User Group Objects Page.


Policy Object Manager Window—Work Area Buttons

Use the buttons displayed in the work area of the Policy Object Manager window to perform actions on the objects that are displayed there.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager Window

Object Type Selector

Policy Object Manager Window—Shortcut Menu

Field Reference

Table A-23 Policy Object Manager Work Area Buttons 

Button
Description

New Object—Opens the dialog box for creating an object of the selected type.

Edit Object—Opens the dialog box for editing the selected object. Only user-defined objects may be edited.

Delete Object—Deletes the selected objects. Only user-defined objects may be deleted.

Close button

Closes the Policy Object Manager window.

Help button

Displays a context-sensitive help topic for the page displayed in the work area.


Policy Object Manager Window—Shortcut Menu

Right-click anywhere inside the work area of the Policy Object Manager window to display a shortcut menu for performing various functions on the selected object type.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager Window

Object Type Selector

Policy Object Manager Window—Work Area Buttons

Field Reference

Table A-24 Policy Object Manager Window—Shortcut Menu 

Menu Command
Description

New Object

Opens the dialog box for creating an object of the selected type.

Edit Object

Opens the dialog box for editing the selected object. Only user-defined objects may be edited.

Delete Object

Deletes the selected objects. Only user-defined objects may be deleted.

Edit Device Overrides

Opens the Policy Object Overrides Window. From here, you can create, edit, and delete device-level object overrides.

Create Duplicate

Opens the dialog box for creating a copy of the selected object.

Note You must enter a name for the new object. Other object properties can be modified as required.

Find Usage

Opens the Object Usage Window, which contains a usage report about the selected object.

View Object

Opens a read-only dialog box containing the complete definition of the selected object.


AAA Server Groups Page

Use the AAA Server Groups page to view, create, edit, copy, and delete AAA server group objects. When defining a policy that uses a AAA server for authentication, authorization, or accounting, you select the server by selecting the server group to which the server belongs.

Navigation Path

Open the Policy Object Manager Window, then select AAA Server Groups from the Object Type selector.

Related Topics

Working with AAA Server Group Objects, page 1-6

Policy Object Overrides Window—AAA Server Groups

Policy Object Manager Window

Policy Object Manager General Reference

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table A-25 AAA Server Groups Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 1-19.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified.

Name

The name of the object.

Protocol

The protocol defined for the AAA servers contained in the AAA server group.

Category

The category that is assigned to the object.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 1-251.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the AAA Server Group Dialog Box. From here you can create a AAA server group object.

Edit Object button

Opens the AAA Server Group Dialog Box. From here you can edit the selected user-defined AAA server group.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected AAA server groups from the table.

Note You cannot delete an object that is referenced by policies or other objects.


AAA Server Group Dialog Box

Use the AAA Server Group dialog box to create, copy, and edit AAA server groups.

Navigation Path

Go to the AAA Server Groups Page in the Policy Object Manager Window, then click New Object or Edit Object beneath the table.

Related Topics

Creating AAA Server Group Objects, page 1-9

Editing AAA Server Group Objects, page 1-13

Working with AAA Server Group Objects, page 1-6

AAA Server Dialog Box

Policy Object Manager Window

Field Reference

Table A-26 AAA Server Group Dialog Box  

Element
Description

Name

The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported.

For more information, see Guidelines for Managing Objects, page 1-3.

Note Cisco IOS routers do not support AAA server groups named RADIUS, TACACS, or TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such as rad or tac.

Note If you define this AAA server group as the RADIUS or TACACS+ default group, any name you define here is automatically replaced in the device configuration by the default name (RADIUS or TACACS+) upon deployment.

Description

Additional information about the object (up to 1024 characters).

Protocol

The protocol used by the AAA servers in the group:

RADIUS

Kerberos

TACACS+

LDAP

NT

SDI

AAA Servers

The AAA servers that comprise the server group. Enter the names of AAA servers (see Working with AAA Server Objects, page 1-19), or click Select to display a selector (see Object Selectors). The selector displays only those AAA servers that match the protocol you selected for the group.

Tip Click the Edit button in the selector to modify the properties of a selected AAA server.
Tip If the AAA server you want is not listed, click the Create button in the selector to display the AAA Server Dialog Box. From here you can define a AAA server object. Bear in mind, however, that the server must use the protocol you selected for the group.

Make this group the Default AAA Server Group

Applies only to RADIUS and TACACS+.

When selected, designates this AAA server group as the default group for the RADIUS or TACACS+ protocol. Select this check box if you intend to use a single global group for the selected protocol for all policies on a specific device requiring AAA.

Note If you select this check box, the name of the group is automatically changed to the default name for that protocol (RADIUS or TACACS+) upon deployment. For example, if you define a AAA server group named my_AAA_group as your default RADIUS server group, and then deploy a policy containing this object, the AAA server group appears under the default name RADIUS in the device configuration.

When deselected, creates a AAA server group that is not designated as the default group for that protocol. Leave this check box deselected if you intend to create multiple RADIUS or TACACS+ AAA server groups. Multiple groups can be used to separate different AAA functions (for example, use one group for authentication and a different group for authorization) or to separate different customers in a VRF environment.

Max Failed Attempts

Applies only to ASA devices.

The number of connection attempts that can fail before an unresponsive AAA server in the group is deactivated.

Values range from 1 to 5.

Reactivation Mode

Applies only to ASA devices.

The method to use when reactivating failed AAA servers in the group:

Depletion—Reactivate failed servers only after all of the servers in the group fail. This is the default.

Timed—Reactivate failed servers after 30 seconds of downtime.

Note You must use the Timed option when using Simultaneous as the Group Accounting Mode.

Reactivation Deadtime

Applies only to ASA devices.

Available only when Depletion is the selected reactivation mode.

The number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. Values range from 0 to 1440 minutes (24 hours).

Group Accounting Mode

Applies only to ASA devices.

The method for sending accounting messages to the AAA servers in the group:

None—Accounting messages are not sent to the servers in the group. This is the default.

Simultaneous—Accounting messages are sent to all servers in the group simultaneously.

Note If you select this option, you must select Timed as the Reactivation Mode.

Single—Accounting messages are sent to a single server in the group.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page.

Allow Value Override per Device

When selected, allows the global object definition defined here to be changed at the device level. See Allowing a Global Object to Be Overridden, page 1-251.

When deselected, does not allow the global object definition to be overridden.

Tip When editing a AAA server group object that can be overridden, click the Edit button to display the Policy Object Overrides Window. From here you can create, edit, and view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
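The Max Failed Attempts, Reactivation Mode and Reactivation Deadtime settings above interact in a way that is easy to misjudge, in particular what happens once every server in a Depletion-mode group is down. The following Python is an added model of those semantics as the page states them; it is not Security Manager or ASA code. Assumptions: the device sends to the first active server in list order, time is a float in seconds, and the Timed interval is the 30 seconds given above. The scenarios and server names are constructed.

```python
"""Model of the ASA AAA server group failover settings described above.

Added illustration, not Security Manager or ASA code. It reproduces the
Max Failed Attempts, Reactivation Mode (Depletion / Timed) and Reactivation
Deadtime semantics as the page states them. Assumptions: the device tries the
first active server in list order, time is a float in seconds, and the Timed
interval is the 30 seconds the page gives.
"""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30.0


@dataclass
class Server:
    name: str
    failures: int = 0                      # consecutive failed attempts
    active: bool = True
    reactivate_at: Optional[float] = None  # Timed mode: when this server comes back


class AAAServerGroup:
    def __init__(self, names: List[str], max_failed_attempts: int = 3,
                 mode: str = "depletion", deadtime_minutes: int = 10) -> None:
        if not 1 <= max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts must be 1-5")
        if mode not in ("depletion", "timed"):
            raise ValueError("Reactivation Mode must be 'depletion' or 'timed'")
        if not 0 <= deadtime_minutes <= 1440:
            raise ValueError("Reactivation Deadtime must be 0-1440 minutes")
        self.servers = [Server(n) for n in names]
        self.max_failed = max_failed_attempts
        self.mode = mode
        self.deadtime = deadtime_minutes * 60.0
        self.group_reactivate_at: Optional[float] = None  # Depletion mode timer

    def _reactivate_due(self, now: float) -> None:
        if self.mode == "timed":
            for s in self.servers:
                if not s.active and s.reactivate_at is not None and now >= s.reactivate_at:
                    s.active, s.failures, s.reactivate_at = True, 0, None
        elif self.group_reactivate_at is not None and now >= self.group_reactivate_at:
            # Depletion: the whole group comes back together once deadtime has elapsed.
            for s in self.servers:
                s.active, s.failures = True, 0
            self.group_reactivate_at = None

    def select(self, now: float) -> Optional[Server]:
        """Server the next request goes to, or None while the group is depleted."""
        self._reactivate_due(now)
        return next((s for s in self.servers if s.active), None)

    def report(self, server: Server, ok: bool, now: float) -> None:
        """Record the outcome of a request sent to `server`."""
        if ok:
            server.failures = 0
            return
        server.failures += 1
        if server.failures < self.max_failed:
            return
        server.active = False  # deactivated after Max Failed Attempts
        if self.mode == "timed":
            server.reactivate_at = now + TIMED_REACTIVATION_SECONDS
        elif all(not s.active for s in self.servers):
            # The last server in the group just failed: start the deadtime clock.
            self.group_reactivate_at = now + self.deadtime

    def active_names(self) -> List[str]:
        return [s.name for s in self.servers if s.active]


def run(group: AAAServerGroup, outcomes: List[bool], step: float) -> List[Optional[str]]:
    """Send one request every `step` seconds with the given outcome; return the server picked each time."""
    chosen: List[Optional[str]] = []
    for i, ok in enumerate(outcomes):
        now = i * step
        s = group.select(now)
        chosen.append(s.name if s else None)
        if s is not None:
            group.report(s, ok, now)
    return chosen


def depletion_scenario() -> List[Optional[str]]:
    """Two servers, Max Failed Attempts 2, Depletion with a 1 minute deadtime."""
    g = AAAServerGroup(["radius-1", "radius-2"], max_failed_attempts=2,
                       mode="depletion", deadtime_minutes=1)
    # Requests at t=0,10,20,30 all fail: radius-1 then radius-2 are deactivated and the
    # group is depleted at t=30. The request at t=40 falls inside the deadtime window.
    picks = run(g, [False, False, False, False, False], step=10.0)
    late = g.select(90.0)  # deadtime (60 s) has elapsed: all servers are back
    picks.append(late.name if late else None)
    return picks


def timed_scenario() -> List[Optional[str]]:
    """Same servers, Timed mode: a failed server returns after 30 seconds on its own."""
    g = AAAServerGroup(["radius-1", "radius-2"], max_failed_attempts=2, mode="timed")
    # radius-1 fails at t=0 and t=20 and is deactivated until t=50; radius-2 answers
    # at t=40; by t=60 radius-1 is active again and back at the head of the list.
    return run(g, [False, False, True, True], step=20.0)


if __name__ == "__main__":
    print(depletion_scenario())  # ['radius-1', 'radius-1', 'radius-2', 'radius-2', None, 'radius-1']
    print(timed_scenario())      # ['radius-1', 'radius-1', 'radius-2', 'radius-1']
```

The point the Depletion scenario makes is that once the last server is deactivated, the group answers no requests at all until the deadtime expires, so a long Reactivation Deadtime turns a transient outage of every server into a guaranteed window in which AAA fails. Keep that window in mind when you size the deadtime, and do not let device management access depend solely on this group without a fallback authentication method.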


AAA Servers Page

Use the AAA Servers page to view, create, edit, copy, and delete AAA server objects. These objects are collected into AAA server group objects.

Navigation Path

Open the Policy Object Manager Window, then select AAA Servers from the Object Type selector.

Related Topics

Working with AAA Server Objects, page 1-19

AAA Server Groups Page

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

Policy Object Manager General Reference

Object Usage Window

Field Reference

Table A-27 AAA Servers Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 1-19.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified.

Name

The name of the object.

Host

The IP address of the AAA server to which authentication requests will be sent.

Protocol

The protocol defined for the AAA server.

Category

The category that is assigned to the object.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the AAA Server Dialog Box. From here you can create a AAA server object.

Edit Object button

Opens the AAA Server Dialog Box. From here you can edit the selected AAA server object.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected AAA server objects from the table.

Note You cannot delete an object that is referenced by policies or other objects.


AAA Server Dialog Box

Use the AAA Server dialog box to create, copy, and edit a AAA server object.

Navigation Path

Go to the AAA Servers Page in the Policy Object Manager Window, then click New Object or Edit Object beneath the table.

Related Topics

Creating AAA Server Objects, page 1-24

Editing AAA Server Objects, page 1-27

Working with AAA Server Objects, page 1-19

Policy Object Manager Window

AAA Server Group Dialog Box

Field Reference

Table A-28 AAA Server Dialog Box 

Element
Description

Name

The object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 1-3.

Description

Additional information about the object (up to 1024 characters).

Host

IP Address—The IP address of the AAA server to which authentication requests will be sent. Enter one or more host addresses or network/host objects, or click Select to display a selector (see Object Selectors).

Interface

The interface whose IP address should be used for all outgoing RADIUS or TACACS packets. Enter the name of an interface or interface role (see Working with Interface Role Objects, page 1-120), or click Select to display a selector (see Object Selectors).

When entering the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name.

When entering the name of an interface role, make sure the role represents a single interface, not multiple interfaces.

Tip Click the Edit button in the selector to modify the properties of the selected interface role.
Tip If the interface role you want is not listed, click the Create button in the selector to display the Interface Role Dialog Box. From here you can define an interface role object.

Timeout

The amount of time to wait until the AAA server is considered unresponsive.

Valid values for Cisco IOS routers range from 1 to 1000 seconds. The default is 5 seconds.

Valid values for ASA devices and other firewall devices running PIX 7.0 range from 1 to 60 seconds. The default is 10 seconds.

Valid values for PIX devices running PIX 6.3 range from 1 to 30 seconds. The default is 5 seconds.

Protocol

The protocol used by the AAA server:

RADIUS

TACACS+

Kerberos (ASA devices only)

LDAP (ASA devices only)

NT (ASA devices only)

SDI (ASA devices only)

Note You cannot edit the protocol if the server is defined as part of a AAA server group.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page.

RADIUS Parameters

Key

The shared secret that the device and the RADIUS server use to authenticate each other's packets and to hide the user password carried in Access-Request packets. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). The key you define in this field must match the key on the RADIUS server.

Note Spaces are not permitted in the key, but other special characters are permitted.

Note If you do not define a key, the password hiding and the packet authenticators are computed from public values only, so anyone who can see the traffic between the AAA server and its AAA clients can recover user passwords and forge responses. A warning message is displayed. Even with a key, RADIUS protects only the password attribute; usernames and all other attributes are always sent in the clear.

Authentication/Authorization

The port on which AAA authentication and authorization are performed. The default is 1645, the legacy RADIUS authentication port; RFC 2865 assigns port 1812. Use the port the RADIUS server actually listens on.

Accounting

The port on which AAA accounting is performed. The default is 1646, the legacy RADIUS accounting port; RFC 2866 assigns port 1813. Use the port the RADIUS server actually listens on.

RADIUS Password (ASA)

Applies only to ASA devices.

The alphanumeric keyword that serves as the password to the RADIUS server (maximum of 128 characters).

Retry Interval

The interval between attempts to contact the AAA server. Valid values are:

ASA devices—1 to 10 seconds.

PIX devices—1 to 5 seconds.

Cisco IOS routers—1 to 100 seconds.

ACL Netmask Convert

Applies only to ASA and FWSM 3.1 devices.

The method for handling the netmask expressions that are contained in downloadable ACLs received from the RADIUS server:

Auto-Detect—The security appliance tries to determine the type of netmask expression used in the downloadable ACL. If it detects a wildcard netmask expression, it converts it to a standard netmask expression.

Standard—The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed.

Wildcard—The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions, which it converts to standard netmask expressions.

Some Cisco products, including Cisco IOS routers, require that downloadable ACLs be configured with wildcards instead of network masks. ASA devices, on the other hand, require that downloadable ACLs be configured with network masks. This feature allows the ASA device to internally convert a wildcard to a netmask. Translation of wildcard netmask expressions means that downloadable ACLs written for Cisco IOS routers can be used by ASA devices without altering the configuration of the ACLs on the RADIUS server.
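The three settings above, as an added Python example; it is not Security Manager or ASA code. It implements the detection the text describes and runs it over a constructed IOS-style downloadable ACL. How the appliance resolves the masks 0.0.0.0 and 255.255.255.255, which are valid in both notations, is an assumption noted in the code.

```python
import ipaddress
from typing import List


def _mask_int(mask: str) -> int:
    return int(ipaddress.IPv4Address(mask))


def is_standard_netmask(mask: str) -> bool:
    """Contiguous 1s from the high bit (255.255.0.0): the complement plus one is a power of two."""
    inv = (~_mask_int(mask)) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def is_wildcard_mask(mask: str) -> bool:
    """Contiguous 1s from the low bit (0.0.255.255): the mask plus one is a power of two."""
    m = _mask_int(mask)
    return (m & (m + 1)) == 0


def wildcard_to_netmask(mask: str) -> str:
    return str(ipaddress.IPv4Address((~_mask_int(mask)) & 0xFFFFFFFF))


def convert_mask(mask: str, mode: str) -> str:
    """Apply one of the three dialog settings to a single mask expression."""
    if mode == "standard":            # trust the server: no translation at all
        return mask
    if mode == "wildcard":            # every mask is a wildcard: always invert
        return wildcard_to_netmask(mask)
    if mode != "auto-detect":
        raise ValueError(f"unknown mode {mode!r}")
    std, wc = is_standard_netmask(mask), is_wildcard_mask(mask)
    if std and wc:
        # 0.0.0.0 and 255.255.255.255 are valid in both notations. Cisco documents only
        # that auto-detect may misinterpret such masks; treating them as standard
        # (an assumption) reproduces the failure a practitioner has to expect.
        return mask
    if wc:
        return wildcard_to_netmask(mask)
    if std:
        return mask
    raise ValueError(f"{mask} is not a contiguous mask in either notation")


def convert_downloadable_ace(ace: str, mode: str = "auto-detect") -> str:
    """Rewrite the source and destination masks of one ACE; 'any' and 'host' carry no mask."""
    tok = ace.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {ace!r}")
    out, i = tok[:2], 2                          # action, protocol
    for n in range(2):                           # source spec, then destination spec
        if tok[i] == "any":
            out.append(tok[i])
            i += 1
        elif tok[i] == "host":
            out.extend(tok[i:i + 2])
            i += 2
        else:
            out.extend([tok[i], convert_mask(tok[i + 1], mode)])
            i += 2
        if n == 0 and i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq", "range"):
            width = 3 if tok[i] == "range" else 2   # source-port operator between the specs
            out.extend(tok[i:i + width])
            i += width
    out.extend(tok[i:])                          # destination ports, ICMP type, log, ...
    return " ".join(out)


def convert_dacl(lines: List[str], mode: str = "auto-detect") -> List[str]:
    return [convert_downloadable_ace(line, mode) for line in lines]


# Constructed sample: a downloadable ACL written for IOS (wildcard masks), in the form a
# RADIUS server returns it. Line 3 is the trap: "192.168.20.7 0.0.0.0" is one host in
# wildcard notation but "any" in netmask notation, and auto-detect cannot tell which.
IOS_STYLE_DACL = [
    "permit tcp 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255 eq 443",
    "permit udp 10.1.0.0 0.0.255.255 host 192.168.10.53 eq 53",
    "permit icmp 10.1.0.0 0.0.255.255 192.168.20.7 0.0.0.0 echo",
    "deny ip any any",
]
```

Compare convert_dacl(IOS_STYLE_DACL, "auto-detect") with the "wildcard" result: auto-detect leaves the third line as "192.168.20.7 0.0.0.0", which the ASA reads as any address, while the Wildcard setting produces "192.168.20.7 255.255.255.255". If the RADIUS server is known to emit only IOS-style ACLs, set Wildcard rather than Auto-Detect so that host entries cannot silently widen.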

TACACS+ Parameters

Key

The shared secret that the device and the TACACS+ server use to obfuscate the body of every TACACS+ packet (the packet header is always sent in the clear). The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). The key you define in this field must match the key on the TACACS+ server.

Note Spaces are not permitted in the key, but other special characters are permitted.

Note If you do not define a key, packet bodies, including usernames and passwords, are sent in the clear between the AAA server and its AAA clients. A warning message is displayed. The obfuscation is an MD5-based keystream rather than a modern cipher, so on untrusted networks carry TACACS+ inside a VPN or another encrypted transport.

Server Port

The port used for communicating with the AAA server. The default is 49.

Kerberos Parameters (ASA devices only)

Server Port

The port used for communicating with the AAA server. The default is 88.

Kerberos Realm Name

The name of the realm containing the Kerberos authentication server and ticket granting server (maximum of 64 characters).

Retry Interval

The interval between attempts to contact the AAA server. Valid values range from 1 to 10 seconds. The default is 10 seconds.

LDAP Parameters (ASA devices only)

Enable LDAP over SSL

When selected, establishes a secure SSL connection between the ASA device and the LDAP server.

When deselected, SSL is not used for communications between the ASA device and the LDAP server.

Note You must select this option when using a Microsoft Active Directory LDAP server in order to enable password management.

Server Port

The port used for communicating with the AAA server. The default is 389.

LDAP Hierarchy Location

The base distinguished name (DN), which is the location in the LDAP hierarchy where the server begins searching when it receives an authorization request (maximum of 128 characters). For example, OU=Cisco.

The string is case-sensitive. Spaces are not permitted, but other special characters are allowed.

LDAP Scope

The scope of LDAP searches:

onelevel—Searches only one level beneath the base DN. This type of search scope is faster than a subtree search, because it is less comprehensive. This is the default.

subtree—Searches all levels beneath the base DN.

LDAP Distinguished Name

The DN and password that uniquely identify this ASA device in the LDAP schema (maximum of 128 characters). The DN is similar to a unique key in a database or a fully qualified path for a file.

Note These parameters are used only when the LDAP server requires them for authentication.

LDAP Login Directory

The name of the directory object in the LDAP hierarchy used for authenticated binding (maximum of 128 characters). Authenticated binding is required by some LDAP servers (including the Microsoft Active Directory server) before other LDAP operations can be performed.

This string is case-sensitive. Spaces are not permitted in the string, but other special characters are allowed.

LDAP Login Password

The case-sensitive, alphanumeric password for accessing the LDAP server (maximum of 64 characters). Spaces are not allowed.

SASL MD5 Authentication

Establishes a Simple Authentication and Security Layer (SASL) mechanism to authenticate an LDAP client (the ASA device) to an LDAP server.

When selected, the ASA device authenticates to the LDAP server with the SASL DIGEST-MD5 mechanism: the server sends a challenge and the ASA device responds with an MD5 digest computed from the username, the password, and the challenge, so the password itself is not sent.

When deselected, the MD5 authentication option is not used.

SASL Kerberos Authentication

Establishes an SASL mechanism to authenticate an LDAP client (the ASA device) to an LDAP server.

When selected, the ASA device sends the LDAP server the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism. This mechanism is stronger than the MD5 mechanism.

When deselected, the Kerberos authentication option is not used.

Note You can define one or both SASL authentication mechanisms. When negotiating SASL authentication, the ASA device retrieves the list of SASL mechanisms configured on the LDAP server and selects the strongest mechanism configured on both devices.

Kerberos Server Group

Applies only when SASL Kerberos authentication is enabled.

The name of the Kerberos AAA server group used for SASL authentication. The maximum length is 16 characters.

LDAP Server Type

The type of LDAP server used for AAA:

Auto-Detect—The ASA device tries to determine the server type automatically. This is the default.

Microsoft—The LDAP server is a Microsoft Active Directory server.

Sun—The LDAP server is a Sun Microsystems JAVA System Directory Server.

Note You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

NT Parameters (ASA devices only)

Server Port

The port used for communicating with the AAA server. The default is 139.

NT Authentication Host

The hostname of the domain controller that performs the authentication (maximum of 16 characters).

SDI Parameters (ASA devices only)

Server Port

The port used for communicating with the AAA server. The default is 5500.

Retry Interval

The interval between attempts to contact the AAA server. Valid values range from 1 to 10 seconds. The default is 10 seconds.

SDI Server Version

The SDI server version:

SDI-pre-5 (all SDI versions before version 5.0; this is the default)

SDI-5 (SDI version 5.0)

SDI pre-5 Slave Server

Applies only when using a version of SDI prior to version 5.0.

A secondary server to be used for authentication if the primary server fails. Enter an IP address or the name of a network/host object, or click Select to display a selector.

AAA Server Dialog Box Buttons

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.
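What the RADIUS Key field in Table A-28 actually protects, as an added Python example; this is not Security Manager code and not a Cisco RADIUS implementation. Both sides of the exchange are shown: the client hides the password and the server computes the Response Authenticator, each using the shared key, and a third function shows what an observer can do with a captured request. The key Example-Key-123 and the NAS address 10.0.0.1 are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def new_request_authenticator() -> bytes:
    """16 unpredictable bytes; the password hiding below is only as good as this value."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain feeds on ciphertext, so it mirrors the loop above.
    Trailing NULs are padding, so a password ending in NUL bytes cannot round-trip."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(prev, block))
    return plain.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Client side. Only User-Password is hidden; User-Name travels in the clear."""
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])))   # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes
    + Secret): only a server holding the same key can produce an Access-Accept the client trusts."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the response must echo our Identifier and carry an authenticator made with our key."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def password_from_capture(request: bytes, secret: bytes = b"") -> bytes:
    """What an on-path observer can do with a captured Access-Request and a guessed key.
    With no key configured (secret == b'') the password falls out directly."""
    request_auth, i = request[4:20], 20
    while i + 2 <= len(request):
        atype, alen = request[i], request[i + 1]
        if atype == USER_PASSWORD:
            return reveal_password(request[i + 2:i + alen], secret, request_auth)
        i += alen
    raise ValueError("no User-Password attribute in packet")
```

Calling password_from_capture on a request built with an empty key recovers the password with no key at all, which is the concrete meaning of the warning on the Key field; with a key in place, the same call needs the key, and build_response with a different key produces an Access-Accept that verify_response rejects. TACACS+ uses its key differently (an MD5 keystream over the whole packet body), but the empty-key outcome is the same.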


Access Control Lists Page

Use the Access Control List page to define extended and standard Access Control List objects. The following main pages are used to configure settings for access control list objects:

Extended tab—Enables you to define extended IP ACLs.

Standard tab—Enables you to define standard IP ACLs.

Navigation Path

To access Access Control List objects, select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector.

Related Topics

Extended IP ACL Tab

Standard IP ACL Tab

Working with Access Control List Objects, page 1-32

Creating Access Control List Objects, page 1-35

Understanding the Policy Object Manager Window, page 1-5

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table A-29 Access Control Lists Page 

Element
Description

Extended IP ACL tab

Enables you to configure settings for an extended ACL object. For a description of GUI elements see Extended IP ACL Tab.

Standard IP ACL tab

Enables you to configure settings for a standard ACL object. For a description of GUI elements, see Standard IP ACL Tab.

Filter

Filters the object information displayed in the table based on conditions set.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Extended IP ACL Tab

Use the Extended IP ACL tab to define an extended ACL object. After a configuration is generated for the device, the access-list extended command is used.

Navigation Path

To access the Extended IP ACL tab, select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector.


Note The Extended Access List tab opens by default the first time the ACL Object page is opened. Subsequent visits to the page display the last opened tab.


Related Topics

Filtering Tables, page 1-19

Working with Network/Host Objects, page 1-142

Working with Service Objects, page 1-181

Working with Category Objects, page 1-68

Working with Access Control List Objects, page 1-32

Field Reference

Table A-30 Extended IP ACL Tab 

Element
Description

Filter

Filters the object information displayed in the table based on conditions set.

Name

Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name.

You can click the arrow to expand or collapse the contents of the ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network/host object names or host addresses. Multiple entries are separated by commas.

Destination

Identifies the destination network/host object names or host addresses. Multiple entries are separated by commas.

Service

Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Shows a description as an icon. A tooltip displays the content. Descriptions help you identify a rule.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Add and Edit Extended Access List Pages

Use the Add and Edit Extended Access List pages to configure ACEs for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.

Navigation Path

To access the Add and Edit Extended Access List Pages, select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Right-click inside the table, then click New Object or right-click a rule, then click Edit Object.

For more information, see:

Creating Access Control List Objects, page 1-35

Editing Access Control List Objects, page 1-40


Note The Extended Access List tab opens by default the first time the page is accessed.


Related Topics

Working with Network/Host Objects, page 1-142

Working with Service Objects, page 1-181

Working with Category Objects, page 1-68

Field Reference

Table A-31 Add and Edit Extended Access List Pages 

Element1
Description

Name*

Identifies the name of the ACL object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 128 characters.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

Name

Identifies the name of the included ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Destination

Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Service

Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas.

Enter the service objects in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

The following formats are supported:

TCP or UDP / Destination port or port range (for example, TCP / 80).

TCP or UDP / Source port or port range / Destination port or port range (for example, TCP / 1024-65535/80).

ICMP  / ICMP message (for example, ICMP / echo-reply, ICMP / 200).

Freeform text that is the name of the service object.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.

1 An asterisk indicates that the field is required.


Add and Edit Extended Access Control Entry Dialog Boxes

Use the Add or Edit Extended Access Control Entry dialog box to add an ACL object or add and edit an ACE.


Note The same dialog box is used for adding and editing access control entries.


Navigation Path

To access the Add and Edit Extended Access Control Entry dialog boxes, right-click inside the Add Extended Access List table, then click Add, or right-click a rule in the Edit Extended Access List table, then click Edit.

For more information, see Creating Extended Access Control List Objects, page 1-35.

Related Topics

Filtering Tables, page 1-19

Working with Access Control List Objects, page 1-32

Creating Extended Access Control List Objects, page 1-35

Working with Category Objects, page 1-68

Working with Network/Host Objects, page 1-142

Working with Service Objects, page 1-181

Field Reference

Table A-32 Add and Edit Extended Access Control Entry Dialog Boxes 

Element1
Description

Type

Access Control Entry—Identifies the entry as an ACE.

ACL Object(s)—Identifies the entry as an ACL object.

Access Control Entry (ACE) Type

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Note Every ACL ends with an implicit deny. Once the ACL is applied to an interface, the security appliance drops any packet that no ACE explicitly permits, so an ACL with no permit entries blocks all traffic on that interface.

Source*

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Destination*

Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Service*

Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas.

Enter the service objects in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

The following formats are supported:

TCP or UDP / Destination port or port range (for example, TCP / 80).

TCP or UDP / Source port or port range / Destination port or port range (for example, TCP / 1024-65535/80).

ICMP  / ICMP message (for example, ICMP / echo-reply, ICMP / 200).

Freeform text that is the name of the service object.

Description

(Optional) Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

Access Control List (ACL) Entry Type

Available Access Control Lists

Displays the ACL objects that are defined.

Filter

Filters the object information displayed in the table based on conditions set.

Add >> button

Adds selected ACL objects to the Selected Access Control Lists column.

Remove << button

Removes selected ACL objects from the Selected Access Control Lists column.

Selected Access Control Lists

Displays the ACL objects that are selected.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

1 An asterisk indicates that the field is required.


Standard IP ACL Tab

Use the Standard IP ACL page to define standard ACL objects. After a configuration is generated for the device, the access-list standard command is shown, which is used in global configuration mode.

Navigation Path

To access the Standard IP ACL tab, select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab.

Related Topics

Filtering Tables, page 1-19

Working with Network/Host Objects, page 1-142

Working with Category Objects, page 1-68

Field Reference

Table A-33 Standard IP ACL Tab 

Element
Description

Filter

Filters the object information displayed in the table based on conditions set.

Name

Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name.

You can click the arrow to expand or collapse the contents of the ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas.

Options

Displays if logging is turned on.

Enabled = LOG

Disabled = blank

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the page.

Help button

Opens help for this page.


Add and Edit Standard Access List Pages

Use the Add and Edit Standard Access List pages to configure ACEs for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.


Note The same page is used for adding and editing standard access lists.


Navigation Path

To access the Add and Edit Standard Access List pages, select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab. Right-click and select New Object or Edit Object.

For more information, see Creating Standard Access Control List Objects, page 1-38.

Related Topics

Working with Network/Host Objects, page 1-142

Working with Category Objects, page 1-68

Field Reference

Table A-34 Add and Edit Standard Access List Pages 

Element1
Description

Name*

Identifies the name of the ACL object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 128 characters.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

Name

Identifies the name of the access control entry.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source*

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Options

Displays if logging is turned on.

Enabled = LOG

Disabled = blank

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Close button

Closes the page.

Help button

Opens help for this page.

1 An asterisk indicates that the field is required.


Add and Edit Standard Access Control Entry Dialog Boxes

Use the Add and Edit Standard Access Control Entry dialog boxes to add an ACL object or add and edit an ACE.


Note The same dialog box is used for adding and editing standard access control entries.


Navigation Path

To access the Add and Edit Standard Access Control Entry dialog boxes, right-click inside the Add Standard Access List table, then click Add, or right-click a rule in the Edit Standard Access List table, then click Edit.

For more information, see Creating Standard Access Control List Objects, page 1-38.

Related Topics

Filtering Tables, page 1-19

Creating Standard Access Control List Objects, page 1-38

Working with Access Control List Objects, page 1-32

Working with Category Objects, page 1-68

Working with Network/Host Objects, page 1-142

Field Reference

Table A-35 Add and Edit Standard Access Control Entry Dialog Boxes 

Element1
Description

Type

Access Control Entry—Identifies the entry added as an ACE.

ACL Object(s)—Identifies the entry added as an ACL object.

Access Control Entry (ACE) Type

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Note Every ACL ends with an implicit deny. Once the ACL is applied to an interface, the security appliance drops any packet that no ACE explicitly permits, so an ACL with no permit entries blocks all traffic on that interface.

Source*

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Log option

Yes

No

Note Without the log option, the security appliance generates syslog message 106023 for each packet the ACL denies; permitted packets are not logged.

Note With the log option, the ACE generates syslog message 106100 instead, for denied and permitted traffic alike: the first packet of a new flow matching the ACE is logged, and later matches are counted and reported when the log interval expires. The default severity level for message 106100 is 6 (informational). Because it fires per flow, enabling it on a busy ACE can flood the syslog server.

Access Control List (ACL) Entry Type

Available Access Control Lists

Displays the ACL objects that are defined.

Filter

Filters the object information displayed in the table based on conditions set.

Add >> button

Adds selected ACL objects to the Selected Access Control Lists column.

Remove << button

Removes selected ACL objects from the Selected Access Control Lists column.

Selected Access Control Lists

Displays the ACL objects that are selected.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

1 An asterisk indicates that the field is required.
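The Source, Destination and Service formats accepted by the extended ACE dialog boxes (Tables A-31 and A-32) and the standard ACE dialog boxes (Tables A-34 and A-35), turned into the access-list lines the device receives, as an added Python example. This is not Security Manager code. It assumes a constructed object table (DMZ-Web, Corp-Users, Web and a predefined object named any), one ACE per CIDR block when an address range is expanded, and a bare protocol name such as IP as a service; none of those details come from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample policy objects keyed by name (object names are not case-sensitive).
# "any" stands in for a predefined network/host object (assumption).
OBJECTS: Dict[str, List[str]] = {k.lower(): v for k, v in {
    "any": ["0.0.0.0/0"],
    "DMZ-Web": ["192.168.10.0/24"],
    "Corp-Users": ["10.1.0.0/16", "10.2.5.10-10.2.5.20"],
    "Web": ["TCP / 80", "TCP / 443"],
}.items()}


def parse_address(expr: str, objects: Dict[str, List[str]] = OBJECTS) -> List[ipaddress.IPv4Network]:
    """Resolve a Source/Destination field (comma-separated entries) into IPv4 networks."""
    nets: List[ipaddress.IPv4Network] = []
    for item in (p.strip() for p in expr.split(",") if p.strip()):
        if item.lower() in objects:                       # freeform network/host object name
            nets.extend(parse_address(",".join(objects[item.lower()]), objects))
        elif "-" in item:                                 # a.b.c.d-e.f.g.h range
            lo, hi = (ipaddress.IPv4Address(p) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start after end: {item}")
            # ASA ACEs take address/mask pairs, so a range becomes one ACE per CIDR block
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        elif "/" in item:                                 # a.b.c.d/e (IPv4Network rejects e > 32)
            nets.append(ipaddress.IPv4Network(item, strict=False))
        else:                                             # a.b.c.d host
            nets.append(ipaddress.IPv4Network(item + "/32"))
    return nets


@dataclass(frozen=True)
class Service:
    proto: str
    src_ports: Optional[str] = None   # "80" or "1024-65535"
    dst_ports: Optional[str] = None
    icmp_type: Optional[str] = None   # "echo-reply" or a number 0-255


def _check_ports(spec: str) -> str:
    lo, _, hi = spec.partition("-")
    lo_n, hi_n = int(lo), int(hi or lo)
    if not (1 <= lo_n <= hi_n <= 65535):
        raise ValueError(f"bad port spec: {spec}")
    return spec


def parse_service(expr: str, objects: Dict[str, List[str]] = OBJECTS) -> List[Service]:
    """Resolve a Service field: 'TCP / 80', 'TCP / 1024-65535/80', 'ICMP / echo-reply' or an object name."""
    services: List[Service] = []
    for item in (p.strip() for p in expr.split(",") if p.strip()):
        if item.lower() in objects:
            services.extend(parse_service(",".join(objects[item.lower()]), objects))
            continue
        parts = [p.strip().lower() for p in item.split("/")]
        proto, args = parts[0], parts[1:]
        if proto == "icmp" and len(args) == 1:
            if args[0].isdigit() and not 0 <= int(args[0]) <= 255:
                raise ValueError(f"bad ICMP type: {item}")
            services.append(Service("icmp", icmp_type=args[0]))
        elif proto in ("tcp", "udp") and len(args) in (1, 2):
            services.append(Service(proto, dst_ports=_check_ports(args[-1]),
                                    src_ports=_check_ports(args[0]) if len(args) == 2 else None))
        elif not args:                                    # bare protocol such as IP (assumption)
            services.append(Service(proto))
        else:
            raise ValueError(f"unsupported service expression: {item}")
    return services


def _addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def _ports(spec: str) -> str:
    lo, _, hi = spec.partition("-")
    return f"range {lo} {hi}" if hi else f"eq {lo}"


def render_extended_ace(acl: str, action: str, src: str, dst: str, svc: str,
                        objects: Dict[str, List[str]] = OBJECTS) -> List[str]:
    """Emit the 'access-list ... extended' lines for one row of the extended ACE dialog box."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action}")
    lines = []
    for s in parse_service(svc, objects):
        for src_net in parse_address(src, objects):
            for dst_net in parse_address(dst, objects):
                parts = ["access-list", acl, "extended", action, s.proto, _addr(src_net)]
                if s.src_ports:
                    parts.append(_ports(s.src_ports))
                parts.append(_addr(dst_net))
                if s.dst_ports:
                    parts.append(_ports(s.dst_ports))
                if s.icmp_type:
                    parts.append(s.icmp_type)
                lines.append(" ".join(parts))
    return lines


def render_standard_ace(acl: str, action: str, src: str,
                        objects: Dict[str, List[str]] = OBJECTS) -> List[str]:
    """Emit 'access-list ... standard' lines; a standard ACL matches on source address only."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {action}")
    return [f"access-list {acl} standard {action} {_addr(n)}" for n in parse_address(src, objects)]
```

Two things worth noticing when you run it: a single dialog row such as Corp-Users to DMZ-Web for the Web service expands to ten device lines, because the range inside Corp-Users becomes four CIDR blocks and the service object holds two ports, and every line is emitted in the order source entry, then destination entry, within each service. Reviewing the generated lines rather than the dialog row is the only way to see what the device will actually enforce.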


ASA User Groups Page

Use the ASA User Groups page to define a set of user-oriented attributes and values for IPSec connections that are stored either on the device or a RADIUS server. After a configuration is generated for the device, the group-policy command is shown, which is used in global configuration mode.

Navigation Path

To access the ASA User Groups page, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector.

Related Topics

Filtering Tables, page 1-19

Working with ASA User Groups, page 1-45

Working with Category Objects, page 1-68

Working with AAA Server Group Objects, page 1-6

Understanding the Policy Object Manager Window, page 1-5

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table A-36 ASA User Groups Page 

Element
Description

Filter

Filters the object information displayed in the table based on conditions set.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name

Specifies the name of the ASA Group object. Names can be sorted in ascending or descending order.

Type

Internal policy group

External policy group

Tunneling Protocol

Identifies the protocols used after a tunnel is established.

AAA Server Group

Identifies the AAA server group.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Shows a description as an icon. A tooltip displays the content. Descriptions help you identify an object or rule.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the page.

Help button

Opens help for this page.


Identity Tab

Use the Identity tab to identify internal and external policy groups. For external policy groups, you can identify whether to use a LOCAL database on the device or a RADIUS server.

Navigation Path

To access the Identity tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. The Identity tab opens by default.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Working with ASA User Groups, page 1-45

Working with AAA Server Objects, page 1-19

Working with Category Objects, page 1-68

Field Reference

Table A-37 Identity Tab 

Element (1)
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 64 characters.

Description

Enables you to enter a description to help you identify an object. Maximum characters allowed is 1024.

Group Policy Type

Internal—(Default) Stores attributes and values on the device (LOCAL). No password is required.

Note Selecting Internal enables you to configure other ASA Group Policy tabs.

External—Stores attributes and values on a RADIUS server.

Note Selecting External enables you to configure the RADIUS Server Group. Configuration of any other ASA Group Policy tab is disallowed.

RADIUS Server Group

Identifies whether to use a LOCAL database on the device for authentication or another AAA server group. If the latter, click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.

Password

Enables you to enter a password.

Confirm

Confirms the accuracy of the password entered.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the page without saving your changes.

Help button

Opens help for this dialog box.

(1) An asterisk indicates that the field is required.


General Tab

Use the General tab to configure server settings and connection parameters for the group policy.

Navigation Path

To access the General tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. Click the General tab.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Working with ASA User Groups, page 1-45

Working with Network/Host Objects, page 1-142

Working with Time Range Objects, page 1-217

Working with Category Objects, page 1-68

Field Reference

Table A-38 General Tab 

Element (1)
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 64 characters.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Filter ACL

Enables you to enter the ACL name or click Select, which opens the object selector dialog box from which you can make your selection.

Primary DNS Server

Enables you to enter the IP address for the primary DNS server or click Select, which opens the object selector dialog box from which you can make your selection.

Secondary DNS Server

Enables you to enter the IP address for the secondary DNS server or click Select, which opens the object selector dialog box from which you can make your selection.

Primary WINS Server

Enables you to enter the IP address for the primary WINS server or click Select, which opens the object selector dialog box from which you can make your selection.

Secondary WINS Server

Enables you to enter the IP address for the secondary WINS server or click Select, which opens the object selector dialog box from which you can make your selection.

DHCP Network Scope

Enables you to enter the DHCP network information or click Select, which opens the object selector dialog box from which you can make your selection.

Connection Settings

Access hours

Enables you to enter a time range value that allows VPN access only at specific times of the day and on specific days of the week. The time range relies on the system clock of the security appliance; therefore, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create a Time Range object by clicking the Add button in the Object Selector dialog box.

Note Time range is not supported on FWSM or PIX 6.3 devices.

Simultaneous Logins

Specifies the number of simultaneous logins allowed for any user.

Values are 0-2147483647. A zero (0) value disables login and prevents user access. A group policy can inherit this value from another group policy.

Note While there is no maximum limit to the number of simultaneous logins, allowing several could compromise security and affect performance.

Maximum Connect Time (min)

Specifies the maximum amount of time that the security appliance allows a connection to remain established. Values are 1-35791394 minutes.

Unlimited

When selected, permits an unlimited session timeout period.

Idle Timeout (min)

Specifies the period of inactivity after which the security appliance terminates a connection. Values are 1-35791394 minutes.

Unlimited

When selected, permits an unlimited idle timeout period.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the page without saving your changes.

Help button

Opens help for this dialog box.

(1) An asterisk indicates that the field is required.


IPSec Tab

Use the IPSec tab to specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. This creates security associations that govern authentication, encryption, encapsulation, and key management.

Navigation Path

To access the IPSec tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. Click the IPSec tab.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Working with ASA User Groups, page 1-45

Working with Category Objects, page 1-68

Field Reference

Table A-39 IPSec Tab 

Element (1)
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 64 characters.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Enable Re-Authentication on IKE Re-Key

When selected, requires that users reauthenticate on IKE rekey. If enabled, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.

Note Reauthentication fails if no user is at the other end of the connection.

Enable IPSec Compression

When selected, enables IPSec compression. Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.


Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Enable Perfect Forward Secrecy (PFS)

When selected, enables perfect forward secrecy (PFS). In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

Tunnel Group Lock

Specifies whether to restrict remote users to access through the tunnel group only.

Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

Enable

Disable (Default)

Client Access Rules

Priority

Identifies the priority for this rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower-priority rule contradicts it, the security appliance ignores the lower-priority rule.

Action

Specifies whether this rule permits or denies access.

Client Type

Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version

Specifies the versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the page without saving your changes.

Help button

Opens help for this dialog box.

(1) An asterisk indicates that the field is required.


Add and Edit Client Access Rules Dialog Boxes

Use the Add and Edit Client Access Rules dialog boxes to populate the Client Access Rules table.

Navigation Path

The Add and Edit Client Access Rules dialog boxes are accessed from the IPSec tab. To access the IPSec tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. Click the IPSec tab.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Working with ASA User Groups, page 1-45

Field Reference

Table A-40 Add and Edit Client Access Rules Dialog Boxes 

Element (1)
Description

Priority*

Assigns a priority value to the rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower-priority rule contradicts it, the security appliance ignores the lower-priority rule. Values are 1-65535.

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

VPN Client Type*

Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version*

Specifies the version or versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

(1) An asterisk indicates that the field is required.
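The priority semantics described above (lowest integer wins, and a later contradicting rule is ignored), as an added Python example that is not Security Manager or ASA code. The wildcard `*`, the glob-style version patterns such as `4.0.*`, the sample client type names, and the deny-when-no-rule-matches default are assumptions of this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientAccessRule:
    """One row of the Client Access Rules table (constructed model, not a product API)."""
    priority: int       # 1-65535; the lowest integer has the highest priority
    action: str         # "permit" or "deny"
    client_type: str    # VPN client type; "*" is assumed here to mean any type
    versions: str       # comma-separated versions; "*" and glob patterns are assumed

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 65535:
            raise ValueError(f"priority {self.priority} outside 1-65535")
        if self.action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {self.action!r}")


def version_entries(versions: str) -> List[str]:
    """Split the comma-separated VPN Client Version field into individual entries."""
    return [v.strip() for v in versions.split(",") if v.strip()]


def rule_matches(rule: ClientAccessRule, client_type: str, client_version: str) -> bool:
    """A rule applies when the client type and at least one version entry match."""
    type_ok = rule.client_type == "*" or rule.client_type.lower() == client_type.lower()
    version_ok = any(fnmatchcase(client_version, pat) for pat in version_entries(rule.versions))
    return type_ok and version_ok


def evaluate(rules: List[ClientAccessRule], client_type: str,
             client_version: str) -> Tuple[str, Optional[ClientAccessRule]]:
    """Return (action, winning_rule).

    Rules are walked from the lowest priority integer upward; the first match
    applies and any later contradicting rule is ignored, as the tab describes.
    When nothing matches this example denies: a conservative default chosen
    here, since the page does not state the appliance's behaviour for that case.
    """
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("duplicate priorities make the winning rule ambiguous")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, client_type, client_version):
            return rule.action, rule
    return "deny", None


# Constructed sample table; the type names are illustrative labels only.
SAMPLE_RULES = [
    ClientAccessRule(10, "permit", "Cisco VPN Client", "4.0.*, 4.1.*"),
    ClientAccessRule(20, "deny", "*", "3.*"),                    # block every 3.x client
    ClientAccessRule(30, "permit", "VPN 3002 Hardware Client", "*"),
    ClientAccessRule(40, "deny", "Cisco VPN Client", "4.0.*"),   # contradicts rule 10 but loses
]


def decide(client_type: str, client_version: str) -> Tuple[str, Optional[int]]:
    """Evaluate SAMPLE_RULES and return the action with the priority of the deciding rule."""
    action, rule = evaluate(SAMPLE_RULES, client_type, client_version)
    return action, (rule.priority if rule else None)


if __name__ == "__main__":
    for ctype, ver in [("Cisco VPN Client", "4.0.5"), ("Cisco VPN Client", "3.6.1"),
                       ("VPN 3002 Hardware Client", "4.7"), ("Cisco VPN Client", "5.0")]:
        print(f"{ctype} {ver}: {decide(ctype, ver)}")
```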


Client Configuration Tab

Use the Client Configuration tab to configure client attributes, including the banner text, default domain, split tunnel parameters, Cisco client parameters, and Microsoft client parameters.

Navigation Path

To access the Client Configuration tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. Click the Client Configuration tab.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Working with ASA User Groups, page 1-45

Working with Category Objects, page 1-68

Working with Access Control List Objects, page 1-32

Working with Network/Host Objects, page 1-142

Field Reference

Table A-41 Client Configuration Tab 

Element (1)
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 64 characters.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Banner Text

Enables you to define the banner, for example, a welcome message. The message is displayed on remote clients when they connect. Banner text can be a maximum of 500 characters.

Default Domain

Identifies the default domain name. Leave the field blank to specify no default domain.

Split Tunnel Policy

DNS Names

Specifies the default domain name. The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets.

Entries in the list of domains are separated by a single space. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

Tunnel Policy

Defines the tunnel policy type or behavior.

Tunnel All Networks—(Default) Specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks.

Tunnel Network List Below—When selected, tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.

Exclude Network List Below—Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

Access Control Lists

Creates a network list for split-tunneling. Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network. Only standard-type ACLs are allowed.

Cisco Client Parameters

Store Password on Client System

Identifies whether a user can store a password on their LOCAL system.

Yes—Allows LOCAL storage.

No (Default)—Disallows LOCAL storage.

Note We recommend that you enable password storage only on systems that you know to be in secure sites.

Enable IPSec over UDP

When selected, allows a Cisco VPN client or hardware client to connect via UDP to a security appliance that is running NAT.

Note The Cisco VPN client must also be configured to use IPSec over UDP, which is configured by default on certain devices.

IPSec over UDP Port

Specifies a port value when IPSec over UDP is used. In IPSec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. Values are 4001-49151.

IPSec Backup Server Configuration

Keep Client Configuration—(Default) Specifies that the security appliance sends no backup server information to the client. The client uses its own backup server list, if configured.

Clear Client Configuration—Specifies that the client uses no backup servers. The security appliance pushes a null server list.

Use the Backup Servers Below—Enables you to configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured. When selected, you are required to complete IPSec Backup Server Addresses.

IPSec Backup Server Addresses (*)

Enables you to enter a backup server name or click Select, which opens the Object Selector dialog box from which you can make your selection.

Note This field is required if you select "Use Backup Servers Below."

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK

Saves your settings and closes the page.

Cancel

Exits without saving your settings.

Help

Opens the context-sensitive online help for this page.

(1) An asterisk indicates that the field is required.
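The three Tunnel Policy options and the standard-ACL network list described above, as an added Python example that is not Security Manager or ASA code. The ACL line syntax it reads, the sample networks, and the first-match/implicit-deny handling of the list are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# The three Tunnel Policy options of the Client Configuration tab.
TUNNEL_ALL = "Tunnel All Networks"
TUNNEL_LIST = "Tunnel Network List Below"
EXCLUDE_LIST = "Exclude Network List Below"

AclEntry = Tuple[str, ipaddress.IPv4Network]  # (action, network)


def parse_standard_acl(lines: List[str]) -> List[AclEntry]:
    """Read constructed standard-ACL entries: 'permit|deny <net> <mask>', '... host <ip>', '... any'.

    Minimal reader for the sample below, not the product's ACL parser. Extended
    ACL syntax (a protocol keyword after the action) fails the network parse,
    which mirrors the tab's rule that only standard-type ACLs are allowed.
    """
    entries: List[AclEntry] = []
    for raw in lines:
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue  # blank or comment line
        action = parts[0].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {raw!r}")
        target = parts[1].lower()
        if target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target == "host":
            net = ipaddress.ip_network(f"{parts[2]}/32")
        else:
            # ipaddress accepts a dotted-decimal netmask after the slash
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        entries.append((action, net))
    return entries


def in_network_list(entries: List[AclEntry], dst: str) -> bool:
    """First matching entry decides; an address no entry matches is not in the list (implicit deny)."""
    addr = ipaddress.ip_address(dst)
    for action, net in entries:
        if addr in net:
            return action == "permit"
    return False


def is_tunneled(policy: str, entries: List[AclEntry], dst: str, cisco_client: bool = True) -> bool:
    """Decide whether traffic to dst crosses the tunnel under the given split tunnel policy."""
    if policy == TUNNEL_ALL:
        return True                                   # split tunneling disabled: nothing in the clear
    if policy == TUNNEL_LIST:
        return in_network_list(entries, dst)          # only listed networks are tunneled
    if policy == EXCLUDE_LIST:
        if not cisco_client:
            raise ValueError("Exclude Network List Below applies only to the Cisco VPN client")
        return not in_network_list(entries, dst)      # listed networks go in the clear
    raise ValueError(f"unknown tunnel policy {policy!r}")


def classify(policy: str, entries: List[AclEntry], dsts: List[str]) -> Dict[str, bool]:
    """Map each destination to True (tunneled) or False (sent in the clear)."""
    return {d: is_tunneled(policy, entries, d) for d in dsts}


# Constructed sample network lists using private and documentation address ranges.
CORPORATE_LIST = parse_standard_acl([
    "! corporate networks reachable only through the tunnel",
    "deny host 10.0.0.5",                 # one host deliberately left out of the list
    "permit 10.0.0.0 255.0.0.0",
    "permit 192.168.100.0 255.255.255.0",
])
LOCAL_LAN_LIST = parse_standard_acl([
    "permit 192.168.1.0 255.255.255.0",   # the remote user's home LAN (printers and similar)
])

if __name__ == "__main__":
    targets = ["10.1.2.3", "10.0.0.5", "192.168.1.50", "203.0.113.10"]
    print("tunnel all:     ", classify(TUNNEL_ALL, CORPORATE_LIST, targets))
    print("tunnel list:    ", classify(TUNNEL_LIST, CORPORATE_LIST, targets))
    print("exclude list:   ", classify(EXCLUDE_LIST, LOCAL_LAN_LIST, targets))
```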


Client Firewall Attributes Tab

Use the Client Firewall Attributes tab to configure firewall settings for VPN clients for the group policy being added or modified.

Navigation Path

To access the Client Firewall Attributes tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. Click the Client Firewall Attributes tab.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Working with Category Objects, page 1-68

Working with ASA User Groups, page 1-45

Field Reference

Table A-42 Client Firewall Attributes Page 

Element (1)
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 64 characters.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Firewall Setting

No Firewall—No firewall exists. None of the remaining fields on the page are active.

Firewall Required—A firewall exists and is required. All users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.

If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.

Firewall Optional—A firewall exists and is optional. This is beneficial if you have remote users in this group who do not yet have firewall capacity. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall Type

Lists firewalls from several vendors, including Cisco.

Cisco Integrated Client Firewall

Cisco Security Agent—Specifies the Cisco Intrusion Prevention Security Agent firewall type.

Custom Firewall—When selected, the fields in the Custom Firewall and Firewall Policy group boxes become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.

Network ICE BlackICE Defender

Sygate Personal Firewall

Sygate Personal Firewall Pro

Sygate Security Agent

Zone Labs Zone Alarm

Custom Firewall

Vendor ID

Identifies the firewall vendor. Values are 1-32.

Note In order to enter a vendor ID value, the firewall type selected must be Custom Firewall.

Product ID

Identifies the product ID. Values are 1-32 or 255. Multiple ranges are allowed, for example, 4-12, 24-32. Use 255 for all supported products.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Firewall Policy

Policy Defined by Remote Firewall (AYT)

Specifies that the client PC firewall application controls the firewall policy. The security appliance checks to make sure that the firewall is running. It asks, "Are You There?" If there is no response, the security appliance tears down the tunnel.

Policy Pushed (CPP)

Also known as Central Protection Policy. Specifies Policy Pushed as the source of the VPN client firewall policy.

Inbound Traffic Policy

Enables you to enter the policy the client uses for inbound traffic or click Select, which opens the Object Selector dialog box from which you can make your selection.

Outbound Traffic Policy

Enables you to enter the policy the client uses for outbound traffic or click Select, which opens the Object Selector dialog box from which you can make your selection.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK

Saves your settings and closes the page.

Cancel

Exits without saving your settings.

Help

Opens the context-sensitive online help for this page.

(1) An asterisk indicates that the field is required.


Hardware Client Attributes Tab

Use the Hardware Client Attributes tab to configure VPN 3002 Hardware Client settings for the group policy being added or modified.

Navigation Path

To access the Hardware Client Attributes tab, select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object. Click the Hardware Client Attributes tab.

For more information, see:

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Related Topics

Creating ASA User Groups, page 1-47

Editing ASA User Groups, page 1-62

Working with ASA User Groups, page 1-45

Working with Category Objects, page 1-68

Field Reference

Table A-43 Hardware Client Attributes Tab 

Element (1)
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 64 characters.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Require Interactive Client Authentication

When selected, enables secure unit authentication, which provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. When enabled, the hardware client does not have a saved username and password.

Require Individual User Authentication

When selected, enables user authentication. If disabled, allows inheritance of a value for user authentication from another group policy.

Enable Cisco IP Phone Bypass

When selected, allows IP phones behind hardware clients to connect without undergoing the user authentication process. When enabled, secure unit authentication remains in effect.

Enable LEAP Bypass

When selected, enables LEAP Bypass. When LEAP Bypass is enabled, LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication.

Note Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP (Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.

Allow Network Extension Mode

When selected, enables network extension mode for hardware clients. Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

User Idle Timeout (min)

Sets an idle timeout for individual users behind hardware clients. The minutes parameter specifies the number of minutes in the idle timeout period. Values are 1-35791394 minutes.

If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the client's access.

Unlimited

When selected, permits an unlimited idle timeout period.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the page.

Cancel button

Closes the page without saving your changes.

Help button

Opens help for this page.

(1) An asterisk indicates that the field is required.


Categories Page

Use the Categories page to view or edit category objects. Category objects help you categorize and readily identify rules and other objects.

Navigation Path

Open the Policy Object Manager Window, then select Categories from the Object Type selector.

Related Topics

Working with Category Objects, page 1-68

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

Policy Object Manager General Reference

Object Usage Window

Field Reference

Table A-44 Categories Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 1-19.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified.

Name

The name of the object.

Display

The category that is assigned to the object.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

Edit Object button

Opens the Category Editor Dialog Box. From here you can edit the selected category.


Category Editor Dialog Box

Use the Category Editor dialog box to edit a category object. You can edit the name of the object as well as its description.

Navigation Path

Go to the Categories Page in the Policy Object Manager Window, then click Edit Object beneath the table.

Related Topics

Editing Category Objects, page 1-69

Working with Category Objects, page 1-68

Policy Object Manager Window

Field Reference

Table A-45 Category Editor Dialog Box 

Element
Description

Label

The color associated with the category.

Name

The object name (up to 128 characters).

Description

Additional information about the object (up to 1024 characters).

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


FlexConfigs Objects Page

FlexConfig policy objects are reusable, named components that can be referenced by other policy objects and policies. You create FlexConfig policy objects by entering configuration commands, either with or without additional scripting language instructions, in the FlexConfig Editor.

Use the FlexConfig Objects page to create, edit, delete, duplicate, find usages of, and view FlexConfig objects. Sample FlexConfig objects are configured as read only; you must duplicate a sample FlexConfig object before you can edit it.

Navigation Paths

Select Tools > Policy Object Manager > FlexConfigs.

Related Topics

FlexConfig Policy Objects, page 1-2

Filtering Tables, page 1-19

Chapter 1, "Managing FlexConfigs"

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table A-46 FlexConfigs Objects Page 

Element
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 1-19.

Name

Name of the object (up to 128 characters). Object names are not case sensitive.

When you create a duplicate of a FlexConfig object, the name of the new object is copy-of- followed by the name of the original FlexConfig. For example, a duplicate of the no_router_Id FlexConfig object is named copy-of-no_router_Id. You can keep this name or enter a new one.

For more information, see Guidelines for Managing Objects, page 1-3.

Group

Group assigned to the object.

Type

Location of the commands in configuration files—either prepended (put at the beginning) or appended (put at the end).

Negate For

Name of the FlexConfig object whose commands are undone in the current FlexConfig object.

For example, FlexConfig A has the command banner login mybanner. FlexConfig B has the command no banner login mybanner. Therefore, FlexConfig B negates the configuration for FlexConfig A, and FlexConfig A is listed in the Negate for field.

Description

A word or phrase that reflects the contents of the object (up to 1024 characters).

New Object button

Opens a dialog box for creating a new FlexConfig object. See FlexConfig Editor Dialog Box.

Edit Object button

Select the row of an object from the table, then click to open the dialog box for editing the selected object. For details, see FlexConfig Editor Dialog Box.

Delete Object button

Select the rows of one or more objects, then click to delete.

You cannot delete an object that is referenced by policies or other objects.


FlexConfig Editor Dialog Box

FlexConfig policy objects are reusable, named components that can be referenced by other policy objects and policies. You create FlexConfig policy objects by entering configuration commands, either with or without additional scripting language instructions, in the FlexConfig Editor.

Use the FlexConfig Editor dialog box to create or edit FlexConfig objects. Before you can edit a sample FlexConfig object (one that came with Security Manager) you must duplicate it. The sample FlexConfig objects are read only.

Navigation Path

From the FlexConfigs Objects page, do one of the following:

To create a new FlexConfig object, click the New Object button.

To edit an existing FlexConfig object, select the desired object and click the Edit Object button.

Related Topics

FlexConfigs Objects Page

Chapter 1, "Managing FlexConfigs"

Field Reference

Table A-47 FlexConfigs Editor Dialog Box 

Element
Description

Name

Name of the object (up to 128 characters). Object names are not case sensitive. For more information, see Guidelines for Managing Objects, page 1-3.

Description

A word or phrase that reflects the contents of the object (up to 1024 characters).

Group

Displays the category that is assigned to the object. See Working with Category Objects, page 1-68.

Type

Indicates whether the commands in the object are prepended to the beginning or appended to the end of the generated configuration.

Negate For

Name of the FlexConfig object whose commands are undone in the current FlexConfig object.

For example, FlexConfig A has the command banner login mybanner. FlexConfig B has the command no banner login mybanner. Therefore, FlexConfig B negates the configuration for FlexConfig A, and FlexConfig A is listed in the Negate for field.

FlexConfig Object Body

Object Body

Commands and instructions to produce the desired configuration file output.

Right-click in the object body field to display a pop-up menu to do one of the following:

Create Text Object—Allows you to create a variable definition for the FlexConfig object you are creating. For a description of the dialog box that appears, see Create Text Object Dialog Box.

Insert Policy Object—Allows you to choose a policy object type, then select from a list of previously created policy objects.

Insert System Variable—Allows you to choose a system variable type (Firewall, Remote Access VPN, Router, VPN), then select from a list of predefined variables.

Undo button

Reverses the previous editing action.

Redo button

Reapplies the action that was most recently undone.

Cut button

Deletes highlighted text.

Copy button

Copies highlighted text.

Paste button

Pastes previously cut or copied text.

Find button

Locates the specified text string in the object body.

Validate FlexConfig button

Checks the integrity and deployability of the FlexConfig object.

FlexConfig Object Variables

Name

Name of the variable.

Default Value

Value to use when one is not provided.


Note Except for optional variables, if a default value is not provided, you must provide a value for the variable.


Object Property

Property of the object. The object property name is in the following format:

type.name.data.property

where

Type—Type of object, for example Text, Network, AAA Server, and so on.

Name—Name of object.

Data—Property of the object (Optional).

Property—Property of the data.

Dimension

Structure of the data in the variable. Valid values are as follows:

0—scalar (a single string)

1—one-dimensional array (a list of strings)

2—two-dimensional table (a table of strings)

Optional

Indicates whether the variable is required to have a value.

Description

A word or phrase that reflects the contents of the object.

OK button

Saves your changes locally on the client and closes the page.

To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


Create Text Object Dialog Box

Text objects are a type of policy object variable. They are a name and value pair, and the value can be a single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of textual data to be referenced and acted upon by any policy object.

Use the Create Text Object dialog box to create text objects.

Navigation Path

From the FlexConfig Editor dialog box, right-click in the object body field and select Create Text Object.

Related Topics

FlexConfig Editor Dialog Box

Chapter 1, "Managing FlexConfigs"

Field Reference

Table A-48 Create Text Object Dialog Box 

Element
Description

Name

Name of the object (up to 128 characters). Object names are not case sensitive. For more information, see Guidelines for Managing Objects, page 1-3.

Value

Default value of the variable, used when no value is supplied at deployment. If you do not provide a default value, the user must supply a value for this variable before the FlexConfig object can be deployed.

Dimension

Structure of the data in the variable. Valid values are as follows:

0—scalar (a single string)

1—one-dimensional array (a list of strings)

2—two-dimensional table (a table of strings)

OK button

Saves your changes locally on the client and closes the dialog box.

To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.
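
The variable rules in the FlexConfig Editor and Create Text Object tables (a dimension of 0, 1 or 2; a default value; an optional flag; the requirement that a non-optional variable with no default must be given a value) can be modelled in a few lines. The following is an added example and is not Security Manager's own code: it assumes that variables are referenced in the object body as $name (the editor's real scripting syntax is not described on this page) and that a list variable expands to one line per element and a table variable to one line per row. The body, the variable names banner_text and acl_entries, and their values are constructed for the example.

```python
"""Simplified FlexConfig-style variable resolution (added example).

Assumes $name references in the body; not Security Manager's own code.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


@dataclass
class Variable:
    name: str
    dimension: int = 0       # 0 scalar, 1 list of strings, 2 table of strings
    default: Any = None      # value used when none is supplied at deployment
    optional: bool = False   # if True, a missing value renders as nothing


def referenced_variables(body: str) -> List[str]:
    """Names referenced in the body, in first-seen order."""
    seen: List[str] = []
    for m in VAR_RE.finditer(body):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def undefined_variables(body: str, declared: Dict[str, Variable]) -> List[str]:
    """Referenced but undeclared names: what the Undefined Variables dialog
    would prompt for when the object is saved."""
    return [n for n in referenced_variables(body) if n not in declared]


def _expand(var: Variable, value: Any) -> str:
    """Render a value according to the variable's dimension."""
    if var.dimension == 0:
        return str(value)
    if var.dimension == 1:
        return "\n".join(str(v) for v in value)
    if var.dimension == 2:
        return "\n".join(" ".join(str(c) for c in row) for row in value)
    raise ValueError(f"{var.name}: dimension must be 0, 1 or 2")


def render(body: str, declared: Dict[str, Variable], supplied: Dict[str, Any]) -> str:
    """Resolve every $name in the body.

    A required variable with neither a supplied value nor a default raises,
    mirroring the note that such a variable must be given a value.
    """
    missing = undefined_variables(body, declared)
    if missing:
        raise ValueError("undefined variables: " + ", ".join(missing))

    def sub(m):
        var = declared[m.group(1)]
        if var.name in supplied:
            return _expand(var, supplied[var.name])
        if var.default is not None:
            return _expand(var, var.default)
        if var.optional:
            return ""
        raise ValueError(f"required variable {var.name} has no value and no default")

    return VAR_RE.sub(sub, body)


# Constructed sample body and variable declarations (assumed, not from the page).
SAMPLE_BODY = "banner login $banner_text\n$acl_entries\n"
SAMPLE_VARS = {
    "banner_text": Variable("banner_text", default="Authorized use only"),
    "acl_entries": Variable("acl_entries", dimension=1),
}
SAMPLE_VALUES = {
    "acl_entries": [
        "access-list inside_in permit tcp any any eq 443",
        "access-list inside_in deny ip any any",
    ],
}

if __name__ == "__main__":
    print(render(SAMPLE_BODY, SAMPLE_VARS, SAMPLE_VALUES))
```

Running undefined_variables before render is the equivalent of the Validate FlexConfig button's integrity check: an object that references a name nobody declared cannot be deployed, and catching that before deployment is cheaper than a failed push to the device.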


FlexConfig Undefined Variables Dialog Box

Use the FlexConfig Undefined Variables dialog box to define policy object variables that have not yet been defined. You can choose from a list of policy object types or add a new policy object to use.


Note A local variable need not be defined. For more information about variables, see Object Variables, page 1-6.


Navigation Path

From the FlexConfig Editor dialog box, if you enter a variable name but do not define its values and you attempt to save the FlexConfig object, Security Manager displays a warning. Click Yes to define the undefined variables.

Related Topics

Chapter 1, "Managing FlexConfigs"

Field Reference

Table A-49 FlexConfig Undefined Variables Dialog Box 

Element
Description

Variable Name

Name of the object (up to 128 characters). Object names are not case sensitive. For more information, see Guidelines for Managing Objects, page 1-3.

Object Type

Type of policy object.

Select the desired policy object from the list, and the Single Selection Objects Selector dialog box appears. Select an object and click OK. Depending on the object type that you selected, the Property Selector dialog box appears. Selections are based on the object type selected. For more information about these related dialog boxes, see the following topics:

Object Selectors

Property Selector Dialog Box

Object Property

Property of the object. The list displayed depends on the object type.

Optional

Indicates whether the variable is required to have a value.

OK button

Saves your changes locally on the client and closes the dialog box.

To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.


Property Selector Dialog Box

Use the Property Selector dialog box to choose which property of the selected policy object the variable refers to.

Navigation Path

To open the Property Selector dialog box from the FlexConfig Undefined Variables dialog box, select the desired policy object from the Object Type list. The Single Selection Objects Selector dialog box appears. Select an object and click OK. The Property Selector dialog box appears. For more information about the Single Selection Objects Selector dialog box, see Object Type Selector.

Related Topics

Chapter 1, "Managing FlexConfigs"

Field Reference

Table A-50 Property Selector Dialog Box 

Element
Description

Object Property

Property of the object. Choose an object property from the list box. The name of the object property is provided below the list box in the following format:

type.name.data.property

where

Type—Type of object, for example Text, Network, AAA Server, and so on.

Name—Name of object.

Data—Property of the object (always data).

Property—Property of the data.

Name

Name of variable.

Description

Word or phrase that reflects the contents of the object.

OK button

Saves your changes locally on the client and closes the dialog box.

To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

Cancel button

Closes the dialog box without saving your changes.


FTP Maps Page

Use the FTP Maps page to identify a specific map for defining the parameters for strict FTP inspection. When the configuration is generated for the device, the object is rendered as an ftp-map command.

Navigation Path

To access the FTP Maps page, select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector.

Related Topics

Filtering Tables, page 1-19

Working with FTP Map Objects, page 1-77

Working with Category Objects, page 1-68

Understanding the Policy Object Manager Window, page 1-5

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table A-51  FTP Maps Page 

Element
Description

Filter

Filters the object information displayed in the table based on conditions set.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name

Identifies the name of the object. Names can be sorted in ascending or descending order.

Mask System Reply

Hides the FTP server response from clients.

Denied Request Commands

Prevents the FTP client from sending specific commands to the FTP server.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Shows a description as an icon. A tooltip displays the content. Descriptions help you identify an object.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the page.

Help button

Opens help for this page.


Add and Edit FTP Map Dialog Boxes

Use the Add and Edit FTP Map dialog box to configure settings for the FTP policy object.

Navigation Path

To access the Add and Edit FTP Map dialog boxes, select Tools > Policy Object Manager, then select FTP Maps from the Object Type selector. Right-click inside the table, then click New Object or right-click a row, then click Edit Object.

For more information, see:

Creating FTP Map Objects, page 1-78

Editing FTP Map Objects, page 1-80

Related Topics

Creating FTP Map Objects, page 1-78

Editing FTP Map Objects, page 1-80

Working with FTP Map Objects, page 1-77

Working with Category Objects, page 1-68

Field Reference

Table A-52 Add and Edit FTP Map Dialog Boxes 

Element1
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 128 characters.

Description

Enables you to enter a description to help you identify an object. Maximum characters allowed is 1024.

Mask Reply to System Command

When selected, hides the FTP server response from clients.

Check boxes for denying request commands

When selected, prevents the FTP client from sending specific commands to the FTP server.

Append to a file

(APPE)—Disallows the command that appends to a file.

Change to Parent of Current Directory

(CDUP)—Disallows the command that changes to the parent directory of the current working directory.

Delete a File at Server Site

(DELE)—Disallows the command that deletes a file.

Help Information from Server

(HELP)—Disallows the command that provides help information.

Create a Directory

(MKD)—Disallows the command that creates a directory.

Retrieve a File

(RETR)—Disallows the command that gets a file.

Remove a Directory

(RMD)—Disallows the command that deletes a directory.

Rename From

(RNFR)—Disallows the command that specifies rename-from filename.

Rename To

(RNTO)—Disallows the command that specifies rename-to filename.

Specify Server Specific Command

(SITE)—Disallows the commands that are specific to the server system. Usually used for remote administration.

Store a File

(PUT; the FTP STOR command)—Disallows the command for sending a file to the server.

Store a File with Unique Name

(STOU)—Disallows the command that stores a file using a unique filename.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

1 An asterisk indicates that the field is required.
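
The two things an FTP map controls, the set of request commands the client may not send and whether the reply to SYST is masked, are easiest to understand by applying them to a control-channel exchange. The following is an added example, not ASA or Security Manager code: it maps the dialog's check box keywords to the commands seen on the wire (put stands for STOR), flags denied client commands and masks the 215 reply to SYST. The map name ftp_strict_no_write and the session lines are constructed for the example; the exact wire behaviour of the appliance on a denied command (reset versus drop) is not stated on this page and is not modelled.

```python
"""Model of a strict-FTP inspection map applied to a control session (added example)."""
from typing import Dict, List, NamedTuple, Set, Tuple

# Dialog keyword -> FTP command as sent by the client.
DIALOG_TO_WIRE: Dict[str, str] = {
    "appe": "APPE", "cdup": "CDUP", "dele": "DELE", "help": "HELP",
    "mkd": "MKD", "retr": "RETR", "rmd": "RMD", "rnfr": "RNFR",
    "rnto": "RNTO", "site": "SITE", "put": "STOR", "stou": "STOU",
}


class FtpMap(NamedTuple):
    name: str
    denied: Set[str]                 # keys of DIALOG_TO_WIRE
    mask_syst_reply: bool = False    # "Mask Reply to System Command"


class Verdict(NamedTuple):
    line: str
    action: str                      # "pass", "deny" or "mask"
    reason: str


def denied_wire_commands(fmap: FtpMap) -> Set[str]:
    """Translate the dialog's keywords to wire commands, rejecting unknown ones."""
    unknown = fmap.denied - set(DIALOG_TO_WIRE)
    if unknown:
        raise ValueError(f"{fmap.name}: unknown request commands {sorted(unknown)}")
    return {DIALOG_TO_WIRE[k] for k in fmap.denied}


def _command(text: str) -> str:
    return text.split(maxsplit=1)[0].upper() if text.strip() else ""


def inspect_client(fmap: FtpMap, line: str) -> Verdict:
    """Client -> server: the first token is the FTP command."""
    cmd = _command(line)
    if cmd in denied_wire_commands(fmap):
        return Verdict(line, "deny", f"{cmd} is in the denied request commands")
    return Verdict(line, "pass", "")


def inspect_server(fmap: FtpMap, line: str, last_client_cmd: str) -> Verdict:
    """Server -> client: mask the 215 reply to SYST when configured, so the
    server's operating system is not disclosed to the client."""
    if fmap.mask_syst_reply and last_client_cmd == "SYST" and line.startswith("215"):
        return Verdict(line, "mask", "reply to SYST masked")
    return Verdict(line, "pass", "")


def inspect_session(fmap: FtpMap, lines: List[Tuple[str, str]]) -> List[Verdict]:
    """lines: (direction, text) pairs, direction 'C' (client) or 'S' (server)."""
    verdicts: List[Verdict] = []
    last_cmd = ""
    for direction, text in lines:
        if direction == "C":
            verdicts.append(inspect_client(fmap, text))
            last_cmd = _command(text)
        else:
            verdicts.append(inspect_server(fmap, text, last_cmd))
    return verdicts


# Constructed sample map and session (not captured traffic).
SAMPLE_MAP = FtpMap(
    "ftp_strict_no_write",
    denied={"put", "stou", "appe", "dele", "site"},
    mask_syst_reply=True,
)
SAMPLE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "SYST"),
    ("S", "215 UNIX Type: L8"),
    ("C", "RETR README"),
    ("C", "STOR payload.bin"),
    ("C", "SITE CHMOD 755 payload.bin"),
]

if __name__ == "__main__":
    for v in inspect_session(SAMPLE_MAP, SAMPLE_SESSION):
        print(f"{v.action:5} {v.line:35} {v.reason}")
```

A read-only map like this one (no STOR, STOU, APPE, DELE or SITE) is the usual choice for an inbound anonymous FTP server: downloads still work, while uploads, deletions and the SITE commands that are typically used for remote administration are blocked at the firewall regardless of what the server itself permits.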


GTP Maps Page

Use the GTP Maps page to identify a specific map to use for defining the parameters for GTP.

The GPRS Tunnel Protocol (GTP) provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet. GTP uses a tunneling mechanism to provide a service for carrying user data packets.

After a configuration is generated for the device, the gtp-map command is shown.


Note GTP inspection requires a special license. If the gtp-map command is entered on a security appliance without the required license, the security appliance displays an error message.


Navigation Path

To access the GTP Maps page, select Tools > Policy Object Manager, then select GTP Maps from the Object Type selector.

Related Topics

Filtering Tables, page 1-19

Working with GTP Map Objects, page 1-85

Working with Category Objects, page 1-68

Understanding the Policy Object Manager Window, page 1-5

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table A-53 GTP Maps Page 

Element
Description

Filter

Filters the object information displayed in the table based on conditions set.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name

Identifies the name of the object. Names can be sorted in ascending or descending order.

Country and Network Codes

Displays the three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc). Multiple entries are separated by a comma.

Drop APN List

Drops GTP messages with the specified access point name.

Drop MSG List

Drops specific GTP messages, identified by their numeric message ID (1-255).

Drop Version List

Drops GTP messages with the specified version.

Message Min-Max

Specifies the minimum and maximum number of bytes allowed in the UDP payload.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Shows a description as an icon. A tooltip displays the content. Descriptions help you identify an object.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the page.

Help button

Opens help for this page.


Add and Edit GTP Map Dialog Boxes

Use the Add and Edit GTP Map dialog boxes to configure settings for the GTP policy object.

Navigation Path

To access the Add and Edit GTP Map dialog boxes, select Tools > Policy Object Manager, then select GTP Maps from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object.

For more information, see:

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Related Topics

Creating GTP Map Objects, page 1-85

Working with GTP Map Objects, page 1-85

Working with Category Objects, page 1-68

Field Reference

Table A-54 Add and Edit GTP Map Dialog Boxes 

Element1
Description

Name*

Identifies the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 128 characters.

Description

Identifies a user-defined GTP configuration map description to help you identify a configuration. Maximum characters allowed is 200.

Country-Network Codes (mcc-mnc, mcc-mnc, etc)

Specifies the three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc). Values are 000-999. One- or two-digit entries are padded with leading zeros. Multiple entries are separated by a comma.

Add button

Enables you to create an object.

Edit button

Opens the appropriate object page for the selected object, enabling you to edit object settings.

Delete button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Drop Access Point Names

Drops GTP messages with the specified access point name. Multiple entries are separated by a comma.

Drop Message IDs

Drops specific GTP messages, identified by their numeric message ID. Valid message IDs are 1-255. Multiple entries are separated by a comma.

Drop Versions

Drops GTP messages with the specified version. Multiple entries are separated by a comma.

0 = Version 0. Uses UDP port 3386.

1 = Version 1. Uses UDP port 2123.

Message Length Min Bytes

Specifies the minimum number of bytes allowed in the UDP payload. Values are 1-65536.

Message Length Max Bytes

Specifies the maximum number of bytes allowed in the UDP payload. Values are 1-65536.

Permit Errors

When selected, permits packets with errors or different GTP versions.

Permit Response

Supports load-balancing GSNs by allowing GTP responses from a GSN that is different from the one to which the request was sent.

Add button

Enables you to create an object.

Edit button

Opens the appropriate object page for the selected object, enabling you to edit object settings.

Delete button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Request Queue

Specifies the maximum requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1-9999999. Default is 200.

Tunnel Limit

Specifies the maximum number of tunnels allowed.

Edit Timeouts button

Opens the GTP Map Timeouts dialog box. For more information, see Table A-57.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

1 An asterisk indicates that the field is required.
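
The drop-version, drop-message-ID and message-length settings above all act on fields that the GTPv0 and GTPv1 headers share: the version in the top three bits of the first byte, the message type in the second byte and the payload length in the next two bytes. The following is an added example, not ASA or Security Manager code: it parses those fields, applies the three checks plus Permit Errors, and performs the MCC/MNC normalisation the dialog describes (padding one- and two-digit entries to three digits). The map name gtp_policy, the drop lists and the packets are constructed for the example; the port numbers are the standard ones (GTPv0 on UDP 3386, GTPv1 control on UDP 2123).

```python
"""Applying GTP map settings to GTP packets (added example)."""
import struct
from typing import List, NamedTuple, Optional, Set

GTP_PORTS = {0: 3386, 1: 2123}   # GTPv0 and GTPv1-C control ports


class GtpMap(NamedTuple):
    name: str
    drop_versions: Set[int] = frozenset()
    drop_message_ids: Set[int] = frozenset()   # 1-255
    min_bytes: int = 1                          # Message Length Min Bytes
    max_bytes: int = 65536                      # Message Length Max Bytes
    permit_errors: bool = False                 # Permit Errors check box


def normalize_code(code: str) -> str:
    """One MCC or MNC entry: 1-3 digits, padded with leading zeros to 000-999."""
    if not code.isdigit() or not 1 <= len(code) <= 3:
        raise ValueError(f"invalid MCC/MNC value {code!r}")
    return code.zfill(3)


def parse_mcc_mnc_list(text: str) -> List[str]:
    """'1-23, 310-410' -> ['001-023', '310-410'], as the dialog stores them."""
    out: List[str] = []
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        mcc, sep, mnc = entry.partition("-")
        if not sep:
            raise ValueError(f"expected mcc-mnc, got {entry!r}")
        out.append(f"{normalize_code(mcc)}-{normalize_code(mnc)}")
    return out


class Header(NamedTuple):
    version: int
    message_type: int
    length: int


def parse_header(payload: bytes) -> Optional[Header]:
    """Fields common to the GTPv0 and GTPv1 headers; None if too short."""
    if len(payload) < 4:
        return None
    version = payload[0] >> 5
    message_type = payload[1]
    (length,) = struct.unpack("!H", payload[2:4])
    return Header(version, message_type, length)


def inspect_gtp(gmap: GtpMap, payload: bytes) -> str:
    """Return 'permit' or 'drop: <reason>' for one UDP payload."""
    n = len(payload)
    if not gmap.min_bytes <= n <= gmap.max_bytes:
        return f"drop: UDP payload {n} bytes outside {gmap.min_bytes}-{gmap.max_bytes}"
    hdr = parse_header(payload)
    if hdr is None or hdr.version not in GTP_PORTS:
        # Permit Errors lets malformed or unsupported-version packets through.
        return "permit" if gmap.permit_errors else "drop: malformed or unsupported GTP header"
    if hdr.version in gmap.drop_versions:
        return f"drop: GTP version {hdr.version}"
    if hdr.message_type in gmap.drop_message_ids:
        return f"drop: message type {hdr.message_type}"
    return "permit"


def build_v1(message_type: int, body: bytes = b"") -> bytes:
    """Minimal GTPv1 header: version 1, PT=1, no optional fields."""
    flags = (1 << 5) | (1 << 4)
    return bytes([flags, message_type]) + struct.pack("!H", len(body)) + body


def build_v0(message_type: int, body: bytes = b"") -> bytes:
    """Minimal GTPv0 header: version 0, PT=1; the fixed 20-byte header is
    padded with zeros after the length field for this example."""
    flags = (0 << 5) | (1 << 4)
    return bytes([flags, message_type]) + struct.pack("!H", len(body)) + bytes(16) + body


# Constructed sample map: drop GTPv0 and (hypothetically) message type 26.
SAMPLE_MAP = GtpMap("gtp_policy", drop_versions={0}, drop_message_ids={26},
                    min_bytes=4, max_bytes=1500)

if __name__ == "__main__":
    for pkt in (build_v1(16), build_v0(16), build_v1(26), b"\x30"):
        print(pkt.hex(), inspect_gtp(SAMPLE_MAP, pkt))
```

Dropping version 0 is the common hardening step once all peers speak GTPv1: the older protocol is still accepted on its own port unless the map says otherwise. Leaving Permit Errors cleared means a packet the inspection engine cannot parse is dropped rather than forwarded, which is the safer default on an interface facing other operators.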


Add and Edit Country Network Codes Dialog Boxes

Use the Add and Edit Country Network Codes dialog boxes to change mcc and mnc values.

Navigation Path

You access the Add and Edit Country Network Codes dialog boxes from the Add and Edit GTP Map dialog boxes. To access the Add and Edit GTP Map dialog boxes, select Tools > Policy Object Manager, then select GTP Maps from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object.

For more information, see:

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Related Topics

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Working with GTP Map Objects, page 1-85

Field Reference

Table A-55 Add and Edit Country Network Codes Dialog Boxes 

Element
Description

MCC* (000-999)

Specifies the three-digit Mobile Country Code (mcc). Values are 000-999. One- or two-digit entries are padded with leading zeros. Multiple entries are separated by a comma.

MNC* (000-999)

Specifies the three-digit Mobile Network Code (mnc). Values are 000-999. One- or two-digit entries are padded with leading zeros. Multiple entries are separated by a comma.

Add button

Enables you to create an object.

Edit button

Opens the appropriate object page for the selected object, enabling you to edit object settings.

Delete button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit Permit Response Dialog Boxes

Use the Add and Edit Permit Response dialog boxes to permit GTP responses from a GSN that is different from the one to which the request was sent.

Navigation Path

You access the Add and Edit Permit Response dialog boxes from the Add and Edit GTP Map dialog boxes. To access the Add and Edit GTP Map dialog boxes, select Tools > Policy Object Manager, then select GTP Maps from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object.

For more information, see:

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Related Topics

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Working with GTP Map Objects, page 1-85

Field Reference

Table A-56 Add and Edit Permit Response Dialog Boxes 

Element1
Description

To Object Group*

Identifies the network/host object for the hosts that sent the GTP requests (typically the SGSNs) and that are allowed to receive responses from a GSN other than the one to which the request was sent.

Enter the object name in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note Only a named network/host object (except "any") can be entered.

From Object Group*

Identifies the network/host object for the pool of GSNs from which such responses are allowed.

Enter the object name in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note Only a named network/host object (except "any") can be entered.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.

1 An asterisk indicates that the field is required.


GTP Map Timeouts Dialog Box

Use the GTP Map Timeouts dialog box to set timeout values.

Navigation Path

You access the GTP Map Timeouts dialog box from the Add and Edit GTP Map dialog boxes by clicking Edit Timeouts. To access the Add and Edit GTP Map dialog boxes, select Tools > Policy Object Manager, then select GTP Maps from the Object Type selector. Right-click inside the table, then click New Object, or right-click a row, then click Edit Object.

For more information, see:

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Related Topics

Creating GTP Map Objects, page 1-85

Editing GTP Map Objects, page 1-88

Working with GTP Map Objects, page 1-85

Field Reference

Table A-57 GTP Map Timeouts Dialog Box 

Element
Description

GSN Timeout

Specifies the period of inactivity (hh:mm:ss) after which a GSN is removed. Default is 30 minutes.

Note A value of 0 disables the timeout; the GSN is never removed.

PDP Context Timeout

Specifies the maximum period of time allowed (hh:mm:ss) before beginning to receive the PDP context. Default is 30 minutes.

Note A value of 0 disables the timeout; the PDP context is never torn down.

Request Queue Timeout

Specifies the maximum period of time allowed (hh:mm:ss) before beginning to receive the GTP message. Default is 60 seconds.

Note A value of 0 disables the timeout; queued requests are never aged out.

Signaling Connections Timeout

Specifies the period of inactivity (hh:mm:ss) after which the GTP signaling connection is removed. Default is 30 minutes.

Note A value of 0 disables the timeout; the signaling connection is never torn down.

Tunnel Timeout

Specifies the period of inactivity (hh:mm:ss) after which the GTP tunnel is torn down when no Delete PDP Context Request is received. Default is 60 seconds.

Note A value of 0 disables the timeout; the tunnel is never torn down on inactivity.

OK button

Saves your changes to the server and closes the dialog box.

Cancel button

Closes the dialog box without saving your changes.

Help button

Opens help for this dialog box.


HTTP Maps Page

Use the HTTP Maps page to create an HTTP map for applying enhanced HTTP inspection parameters. The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.


Note When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled.


After a configuration is generated for the device, the http-map command is shown.

Navigation Path

To access the HTTP Maps page, select Tools > Policy Object Manager, then select HTTP Maps from the Object Type selector.

Related Topics

Filtering Tables, page 1-19

Working with HTTP Map Objects, page 1-94

Working with Category Objects, page 1-68

Understanding the Policy Object Manager Window, page 1-5

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference


Table A-58 HTTP Maps Page 

Element
Description

Filter

Filters the object information displayed in the table based on conditions set.

[Icon]

The icon that represents the object type. Icons marked with a star badge indicate user-defined objects that may be modified. Icons without a star badge indicate predefined objects that cannot be modified. The icon is displayed after the object is defined.

Name

Identifies the name of the object. Names can be sorted in ascending or descending order.

General

Enables you to configure general settings for HTTP inspection. For more information, see Table A-59.

Entity Length

Enables you to configure settings for inspection based on the length of the HTTP content. For more information, see Table A-60.

RFC Method

Enables you to configure which RFC 2616 request methods are permitted. For more information, see Table A-61.

Ext Method

Enables you to configure settings for RFC extension format criteria. For more information, see Table A-62.

Port Misuse

Enables you to configure settings for port misuse application inspection. For more information, see Table A-63.

Transfer Encoding

Enables you to configure settings for inspection based on the transfer encoding type. For more information, see Table A-64.

IOS Specific

Enables you to configure settings for IOS devices. For more information, see Table A-65.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

Note No commands are generated for the category attribute.

Description

Shows a description as an icon. A tooltip displays the content. Descriptions help you identify an object.

New Object button

Enables you to create an object.

Edit Object button

Enables you to edit the selected object.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur.

Note An object used in a rule or within another object cannot be deleted.

Close button

Closes the page.

Help button

Opens help for this page.
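
The HTTP Maps page describes enhanced HTTP inspection in terms of the criteria a request must satisfy (conformance to RFC 2616, use of RFC-defined or explicitly allowed extension methods, entity-length and transfer-encoding limits) and states that the default action on a failure is reset and log. The following is an added example, not ASA or Security Manager code, that applies those criteria to raw requests. The map name http_strict, the limits and the request bytes are constructed for the example; the per-tab settings in Tables A-59 through A-65 are not on this page, so the fields modelled here are an assumption drawn from the column names.

```python
"""Minimal model of enhanced (strict) HTTP inspection (added example)."""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}


class HttpMap(NamedTuple):
    name: str
    allowed_rfc_methods: Set[str] = frozenset(RFC2616_METHODS)   # RFC Method tab
    allowed_ext_methods: Set[str] = frozenset()                  # Ext Method tab
    max_entity_bytes: Optional[int] = None                       # Entity Length tab
    allowed_transfer_encodings: Set[str] = frozenset({"chunked", "identity"})
    action: str = "reset and log"                                # default the page states


class Result(NamedTuple):
    verdict: str        # "allow" or the map's action
    reasons: List[str]


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a request into (method, headers, body); raise on malformed input."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if not sep:
            raise ValueError(f"malformed header line {ln!r}")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers, body


def inspect_http(hmap: HttpMap, raw: bytes) -> Result:
    """Apply the map to one request; every failed criterion is recorded."""
    reasons: List[str] = []
    try:
        method, headers, body = parse_request(raw)
    except ValueError as err:
        return Result(hmap.action, [str(err)])

    # Method: RFC-defined methods are checked against the RFC list,
    # anything else against the extension list.
    if method in RFC2616_METHODS:
        if method not in hmap.allowed_rfc_methods:
            reasons.append(f"RFC method {method} not allowed")
    elif method not in hmap.allowed_ext_methods:
        reasons.append(f"extension method {method} not allowed")

    # Entity length: the larger of the declared and actual body size.
    if hmap.max_entity_bytes is not None:
        declared = headers.get("content-length")
        try:
            declared_len = int(declared) if declared is not None else len(body)
        except ValueError:
            declared_len = hmap.max_entity_bytes + 1   # unparsable length fails closed
            reasons.append("bad Content-Length")
        if max(declared_len, len(body)) > hmap.max_entity_bytes:
            reasons.append("entity length exceeds limit")

    # Transfer encoding: every listed coding must be on the allow-list.
    te = headers.get("transfer-encoding")
    if te:
        for enc in (t.strip().lower() for t in te.split(",")):
            if enc not in hmap.allowed_transfer_encodings:
                reasons.append(f"transfer-encoding {enc} not allowed")

    return Result("allow" if not reasons else hmap.action, reasons)


# Constructed sample map and requests (not captured traffic).
SAMPLE_MAP = HttpMap("http_strict", allowed_rfc_methods={"GET", "HEAD", "POST"},
                     max_entity_bytes=1024)
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_METHOD = b"PROPFIND / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_TE = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
          b"Transfer-Encoding: gzip, chunked\r\n\r\n")

if __name__ == "__main__":
    for req in (GOOD, BAD_METHOD, BAD_TE, b"GET /\r\n\r\n"):
        print(req.split(b"\r\n", 1)[0], inspect_http(SAMPLE_MAP, req))
```

Two details matter for the "application firewall" framing. A request that does not parse at all is treated the same as a policy violation (reset and log) rather than being passed through, which is what "you cannot disable strict inspection as long as the HTTP map remains enabled" amounts to. And the entity-length check uses the larger of the declared and observed sizes, so a client cannot slip a large body past the limit by under-declaring Content-Length.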