User Guide for Cisco Security Manager 3.0.1
Managing FlexConfigs

Table Of Contents

Managing FlexConfigs

Understanding FlexConfigs

FlexConfig Policy Objects

CLI Commands

Scripting Language Instructions

Object Variables

FlexConfig Policy Object Example

Sample FlexConfig Policy Objects

FlexConfig System Variables

FlexConfig Policies

Creating FlexConfigs—Scenario

Working with FlexConfigs

Adding FlexConfig Policy Objects

Editing FlexConfig Policy Objects

Deleting FlexConfig Policy Objects

Reordering FlexConfig Policy Objects

Previewing FlexConfig Policy Objects

Deleting FlexConfig Object Variables


Managing FlexConfigs


Security Manager provides tools to configure most parameters needed to manage your devices. For the parameters that are not supported, Security Manager provides the FlexConfig feature.

Understanding these topics will help you use the FlexConfig feature:

Understanding FlexConfigs

Creating FlexConfigs—Scenario

Working with FlexConfigs

Understanding FlexConfigs

If you are familiar with VPN/Security Management Solution (VMS), FlexConfigs are similar to beginning and ending commands that are supported in VMS. You create FlexConfig policy objects that contain CLI commands. Then you combine different FlexConfig policy objects within your FlexConfig policy to produce various assignment and deployment results. However, unlike with VMS, FlexConfigs provide the additional capability of using variables and a formal scripting language.

To use FlexConfigs, you need to understand the information in the following topics:

FlexConfig Policy Objects

FlexConfig Policies

FlexConfig Policy Objects

FlexConfig policy objects are reusable, named components that can be referenced by other policy objects and policies. You create FlexConfig policy objects by entering configuration commands, either with or without additional scripting language instructions, in the FlexConfig Editor.

Alternatively, you can create a new FlexConfig policy object by duplicating and then modifying an existing FlexConfig policy object, either one that you have created, or one of the sample FlexConfig policy objects that come with Security Manager.

The following topics help you better understand FlexConfig policy objects:

CLI Commands

Scripting Language Instructions

Object Variables

FlexConfig Policy Object Example

Sample FlexConfig Policy Objects

FlexConfig System Variables

For more information about policy objects in general, see Chapter 1, "Managing Objects."

CLI Commands

The configuration commands are actual CLI commands used to configure devices, such as PIX Firewalls and Cisco IOS Routers. You can include CLI commands that are not supported in the current release of Security Manager. You are responsible for knowing and implementing the command according to the proper syntax for the device type. See the Command Reference for the particular device type (Cisco Router, PIX Firewall, and so on) for specific information about commands and their syntax.

You can add commands and instructions to the beginning or end of the configurations:

Prepended commands—Commands placed at the beginning are called prepended commands. Prepended commands are always replaced when configuration files are deployed.

Appended commands—Commands placed after all other commands in a configuration file and before the write mem command are called appended commands.

If these commands are already configured on the device, the device generates an error when deployment attempts to add them again. Two workarounds are available:

Enter the command that removes the feature in question as an appended command, immediately followed by the command itself. For example, if the command is xyz, enter the following two lines:

no xyz
xyz

Change the setting that controls the action the device takes on such errors to "warn." This setting is under Tools > Security Administration > Deployment.

Following are additional important notes about appended commands:

The "warn" setting affects the behavior of deployment for all commands being deployed, not just those designated as appended commands.

If you are deploying to a device, most appended commands should be removed after the initial deployment. This is especially true for object groups: any unbound object group is placed in the Ending Command section during command generation and is resent each time the configuration is deployed to the device, and the firewall device then returns an error because the object group already exists.

If you are deploying to a file or AUS, the appended commands should remain.
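As an added illustration of the remove-then-add pattern for appended commands (a constructed example, not one of the sample objects shipped with Security Manager), the following appended FlexConfig body redefines an unbound network object group so that redeploying to the same device does not fail with an "already exists" error. The group name and host addresses are constructed values; the lines starting with `##` are Velocity comments and are stripped before the CLI is sent.

```velocity
## Appended FlexConfig body (constructed example, not a Security Manager sample object).
## Velocity "##" comments never reach the device.
##
## An unbound object group is resent on every deployment, so the group is removed
## before it is re-added. If the "no" line is rejected on a device where the group
## does not exist yet, setting the deployment error action to "warn" (Tools >
## Security Administration > Deployment) lets the deployment continue.
no object-group network CSM_MGMT_HOSTS
object-group network CSM_MGMT_HOSTS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
```

Use this only for groups that are still unbound: once an access rule references the group, the firewall refuses to remove it, so the "no" line fails and the group must either be managed through Security Manager's own policy objects or the appended object dropped after the first deployment, as the notes above recommend. The Preview function shows the exact CLI that will be sent before you assign the object.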

Scripting Language Instructions

The instructions are a subset of commands supported in the Velocity Template Engine, a Java-based scripting language, where control flows, such as looping and if/else statements, and variables can be used.

Security Manager supports all Velocity Template Engine commands except the include and parse commands. For information about additional functions supported, see Velocity Template Engine documentation.

The following topics provide examples of the most commonly-used functions:

Example 1: Looping

Example 2: Looping with Two-Dimensional Arrays

Example 3: Looping with If/Else Statements

Example 1: Looping

A plain old telephone service (POTS) dial peer enables incoming calls to be received by a telephony device by associating a telephone number to a voice port. The following example enables caller ID for a set of POTS dial peers.

Object Body

#foreach ($peer_id in ["2", "3", "4"])
	dial-peer voice $peer_id pots
	caller-id
#end

CLI Output

dial-peer voice 2 pots
caller-id

dial-peer voice 3 pots
caller-id

dial-peer voice 4 pots
caller-id 

Example 2: Looping with Two-Dimensional Arrays

In this example, a set of phone numbers is associated to voice ports, so incoming calls can be received at a router.

Object Body

#foreach ($phone in [ [ "2000", "15105552000", "1/0/0" ], [ "2100", 
"15105552100", "1/0/1" ], [ "2200", "15105552200", "1/0/2" ] ] ) 
	dial-peer voice $phone.get(0) pots 
	destination-pattern $phone.get(1) 
	port $phone.get(2) 
#end

CLI Output

dial-peer voice 2000 pots 
destination-pattern 15105552000 
port 1/0/0 

dial-peer voice 2100 pots 
destination-pattern 15105552100 
port 1/0/1 

dial-peer voice 2200 pots 
destination-pattern 15105552200 
port 1/0/2

Example 3: Looping with If/Else Statements

In this example, a set of phone numbers is associated to voice ports, so incoming calls can be received at a router. In addition, another set of phone numbers is associated to IP addresses to enable Voice Over IP outgoing calls from the router.

Object Body

#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "", "ipv4:150.50.55.55" ],
[ "2300", "15105552300", "", "ipv4:150.50.55.55" ] ] )
	dial-peer voice $phone.get(0) pots
		destination-pattern $phone.get(1)
	#if ( $phone.get(2) == "" )
		session target $phone.get(3)
	#else
		port $phone.get(2)
	#end

#end

CLI Output

dial-peer voice 2000 pots 
	destination-pattern 15105552000 
	port 1/0/0 

dial-peer voice 2100 pots 
	destination-pattern 15105552100 
	port 1/0/1 

dial-peer voice 2200 pots 
	destination-pattern 15105552200
	session target ipv4:150.50.55.55 

dial-peer voice 2300 pots 
	destination-pattern 15105552300 
	session target ipv4:150.50.55.55

Object Variables

There are three types of variables you can use:

Policy Object Variables—Static variables that reference a specific property. For example, Text objects are a type of policy object variable. They are a name and value pair, and the value can be a single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of textual data to be referenced and acted upon by any policy object.

System Variables—Dynamic variables that reference a value during deployment when the CLI is generated. The values are obtained from either the deploying device or the policies configured for the deploying device. System variables can be declared optional in FlexConfig objects, which means that such a variable does not need to be assigned a value for the object to be deployed to the device.

Local Variables—Variables that are local to the looping and assignment directives (foreach and set statements). Local variables get their values directly from the Velocity Template Engine. There is no need to supply values for the local variables.

You can manually enter variables (denoted with a starting $ character) in an object. For example:

interface $inside

FlexConfig Policy Object Example

Using CLI commands and variables, you can create a FlexConfig policy object to name the inside interface and crypto map on a Cisco router:

You enter these commands:

interface $inside
crypto map $xyz

You enter these variable assignments:

$inside = "serial0"
$xyz = "my_crypto"

When the configuration is generated, the following output is created from the commands and variables you entered:

interface serial0
crypto map my_crypto

Sample FlexConfig Policy Objects

Security Manager provides a set of sample FlexConfig policy objects for you to use. These policy objects have predefined commands and scripting.

These sample FlexConfig policy objects are permanently set as read only objects. To edit these sample FlexConfig policy objects you duplicate the desired object, make changes to the copy, and save it with a new name. This way, the original FlexConfig samples always remain unchanged. For lists of these sample policy objects and further information on each, see the following tables:

Sample ASA FlexConfig Policy Objects—Table 1-1

Sample Cisco IOS FlexConfig Policy Objects—Table 1-2

Sample PIX Firewall FlexConfig Policy Objects—Table 1-3

Sample Router FlexConfig Policy Objects—Table 1-4

Table 1-1 Sample ASA FlexConfig Policy Objects 

Name
Description

ASA_add_ACEs

Adds an access control entry (ACE) to all access control lists on the device.

ASA_add_EtherType_ACL_remark

Loops through a list of ethertype access-list names and adds ACEs or remarks to them. The ethertype access list is the same as Transparent Rules for Firewalls in Security Manager. The remarks set by the CLI in this FlexConfig will be shown in the description field of a transparent rule.

ASA_command_alias

Creates a command alias named "save" for the copy running-config and copy startup_config commands.

ASA_define_traffic_flow_tunnel_group

Defines site-to-site VPN tunnel groups listed in the SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME system variable. This variable is populated with tunnel group names defined in Traffic Flow objects.

ASA_established

Permits return access for outbound connections through the security appliance. This command works with an original connection that is outbound from a network and protected by the security appliance and a return connection that is inbound between the same two devices on an external host.

Uses the established command to specify the destination port that is used for connection lookups, which gives you more control over the command and supports protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.

ASA_FTP_mode_passive

Sets the FTP mode to passive.

ASA_generate_route_map

Generates a route map to be used by the pim accept-register route-map command configured under Platform > Multicast > PIM > Request Filter. Security Manager exports the route-map name used in the pim command so that you can configure it as desired.

ASA_IP_audit

Uses the ip-audit command to provide the following:

Sets the default actions (alarm, drop, reset) for packets that match an attack signature.

Sets the default actions (alarm, drop, reset) for packets that match an informational signature.

Creates a named audit policy that identifies the actions to take (alarm, drop, reset) when a packet matches a defined attack signature or an informational signature.

Disables a signature for an audit policy.

Assigns an audit policy to an interface.

ASA_MGCP

Identifies a specific map for defining the parameters for Media Gateway Control Protocol (MGCP) inspection.

ASA_no_router_Id

Removes the router ID for each OSPF process.

ASA_no_shut_Intf

Loops through and enables all interfaces on a device.

ASA_privilege

Sets the privilege levels for the configuration, show and clear commands.

ASA_route_map

Defines a route map for each OSPF process redistribution route map name.

ASA_RSA_KeyPair_generation

Resets and generates RSA key pairs for certificates.

ASA_sysopt

Uses the sysopt command to provide the following examples:

Ensures that the maximum TCP segment size does not exceed the value you set or that the minimum is not less than a specified size.

Forces each TCP connection to remain in a shortened TIME_WAIT state of at least 15 seconds after the final normal TCP close-down sequence.

Disables DNS inspection that alters the DNS A record address.

Ignores the authentication key in RADIUS accounting responses.

Enables the web browser to supply a username and password from its cache when it reauthenticates with the virtual HTTP server on the security appliance.

ASA_virtual

Configures virtual HTTP and Telnet servers.


Table 1-2 Sample Cisco IOS FlexConfig Policy Objects 

Name
Description

IOS_add_bridge_interface_desc

Loops through a list of bridge interfaces and adds the description, "this is a bridge interface."

IOS_CA_server

Configures a certificate server.

IOS_compress_config

Compresses large Cisco IOS configurations.

IOS_console_AAA_bypass

Provides examples of the following scenarios:

Enables the authentication, authorization, and accounting (AAA) access-control model.

Sets AAA at login.

Enables AAA authentication for logins.

IOS_enable_SSL

Enables SSL.

IOS_FPM

Copies traffic class definition files to a router and applies policy-maps.

IOS_set_clock

Sets the clock to the current time on the Security Manager server.

IOS_VOIP_advanced

Loops through and associates a POTS port number to a telephone number and port or IP address number.

IOS_VOIP_simple

Associates a POTS port number to a telephone number and port number.

IOS_VPN_config_gre_tunnel

Uses VPN variables to configure the GRE tunnel for each VPN in which the device participates.

IOS_VPN_set_interface_desc

Using VPN variables, updates the description of the public interface for each VPN in which the device participates.

IOS_VPN_shutdown_inside_interface

Using VPN variables, shuts down all inside interfaces for each VPN in which the device participates.

IOS_VRF_on_vFW

Configures virtual routing and forwarding (VRF) on virtual firewall interfaces.

IOS_wireless_root__radio_station

Creates and configures the root radio station for a wireless LAN on Cisco IOS 851 or 871 routers.


Table 1-3 Sample PIX Firewall FlexConfig Policy Objects 

Name
Description

PIX6.3_nat0_acl_compiled

Generates a compiled access list for NAT 0 access-control lists.

PIX6.3_policy_nat_acl_compiled

Generates a compiled access list for Policy NAT ACLs.

PIX6.3_policy_static_acl_compiled

Generates a compiled access list for Policy Static ACLs.

PIX_VPDN

Configures a virtual private dialup network (VPDN).


Table 1-4 Sample Router FlexConfig Policy Objects 

Name
Description

ROUTER_add_inspect_rules

Loops through and appends inspect rules.

ROUTER_BGP_untrusted_info

Uses the distance bgp 255 255 255 sub-command to make the border gateway protocol (BGP) routing information untrusted for each BGP autonomous system.

This FlexConfig policy object uses the list of BGP numbers from the SYS_ROUTER_BGP_AS_NUMBERS_LIST system variable.

ROUTER_EIGRP_min_cost_routes

Configures traffic to use minimum cost routes when multiple routes with different costs exist to the same destination network. This is done using multi-interface load splitting across interfaces with equal cost paths.

This FlexConfig policy object uses the list of router enhanced interior gateway routing protocol (EIGRP) numbers from the SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable.

Router_EIGRP_no_auto_summary

Disables automatic route summarization for each router enhanced interior gateway routing protocol (EIGRP) process by using the no auto-summary sub-command. This FlexConfig policy object uses the list of EIGRP numbers from the SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable.

ROUTER_interface_prevent_dos_attacks

Prevents denial-of-service (DOS) attacks on all device interfaces.

This FlexConfig policy object uses the list of interface names from the SYS_INTERFACE_NAME_LIST system variable.

ROUTER_OSPF_router_ID_reset

Removes the router OSPF ID for each OSPF process.

This FlexConfig policy uses the list of OSPF IDs from the SYS_ROUTER_OSPF_PROCESS_IDS_LIST system variable.

ROUTER_QoS_Class_Map_description

Sets QoS class map descriptions.

This FlexConfig policy object uses the list of router QoS class names from the SYS_ROUTER_QOS_CLASS_MAP_LIST system variable.

ROUTER_QoS_Policy_Map_description

Sets QoS policy descriptions.

This FlexConfig policy object uses the list of router QoS policy names from the SYS_ROUTER_QOS_POLICY_MAP_LIST system variable.


FlexConfig System Variables

System variables reference values during deployment when commands are generated. Security Manager provides a set of defined system variables for you to use in defining FlexConfig objects and policies. The values for these variables are required unless otherwise noted. For information about these variables, see the following tables:

Device system variables—Table 1-5. For more information about discovering or configuring devices to obtain values for these variables, see Chapter 1, "Managing Devices."

Firewall system variables—Table 1-6. For more information about creating Firewall system variables, see Chapter 1, "Managing Firewall Devices" and Chapter 1, "Managing Firewall Services."

Router platform system variables—Table 1-7. For more information about creating router system variables, see Chapter 1, "Managing Routers."

VPN system variables—Table 1-8. For more information about creating VPN system variables, see Chapter 1, "Managing Site-to-Site VPNs."

Remote access system variables—Table 1-9. For more information about creating remote access system variables, see Chapter 1, "Managing Remote Access VPNs."

Table 1-5 Device System Variables (see note 1)

Name
Dimension
Description

SYS_DOMAIN_NAME

0

The DNS domain name.

Discover or configure devices on Security Manager to generate values for this variable.

SYS_FW_OS_MODE

0

OS mode of the FWSM or ASA device. Valid values are ROUTER (routed mode), TRANSPARENT, or NOT_APPLICABLE.

Discover or configure device operating system information (Tools > Device Properties > General) to generate values for this variable.

This variable applies only to FWSM or ASA devices.

SYS_FW_OS_MULTI

0

Device OS context (single or multi mode). Valid values are SINGLE, MULTI, or NOT_APPLICABLE.

This variable applies only to FWSM or ASA devices.

Discover or configure device properties (Tools > Device Properties > General) to generate values for this variable.

SYS_HOSTNAME

0

The device's hostname.

Discover or configure devices on Security Manager to generate values for this variable.

SYS_IMAGE_NAME

0

The device's image name.

Discover or configure devices on Security Manager to generate values for this variable.

SYS_INTERFACE_IP_LIST

1

IP addresses and masks of the interfaces configured in the Interface policy.

The IP address and mask are in the x.x.x.x/nn format (for example, 10.20.1.2/24). If there are no interfaces defined on the device, no list will be returned.

Elements with the same index in SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST refer to the same interface. For example, if element 3 in SYS_INTERFACE_NAME_LIST is Ethernet1, then element 3 in SYS_INTERFACE_IP_LIST is the IP address of Ethernet1. If Ethernet1 has no IP address, element 3 in SYS_INTERFACE_IP_LIST is empty.

Configure interface policies on the device to generate values for this variable.

This variable is optional.

SYS_INTERFACE_NAME_LIST

1

Names of the interfaces on the device. If no interfaces are defined on the device, no list is returned.

Elements with the same index in SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST refer to the same interface. For example, if element 3 in SYS_INTERFACE_NAME_LIST is Ethernet1, then element 3 in SYS_INTERFACE_IP_LIST is the IP address of Ethernet1. If Ethernet1 has no IP address, element 3 in SYS_INTERFACE_IP_LIST is empty.

Discover or configure interfaces on the device to generate values for this variable.

This variable is optional.

SYS_MANAGEMENT_IP

0

Management IP address of the device.

Discover or configure device IP addresses (Tools > Device Properties > General) to generate values for this variable.

SYS_MDF_TYPE

0

The Cisco MDF (MetaData Framework) Type of the device. Indicates the device model.

Discover or configure devices on Security Manager to generate values for this variable.

SYS_OS_RUNNING_VERSION

0

The software version of the OS running on the device. For example, the version string could be 6.1 or 6.2 on a PIX platform, 12.1 or 12.2S on an IOS platform, 3.5 or 4.1 on an IDS platform, and so on.

Discover or configure devices on Security Manager to generate values for this variable.

SYS_OS_TARGET_VERSION

0

Indicates the OS version to be used when generating the device configuration.

Discover or configure devices on Security Manager to generate values for this variable.

SYS_OS_TYPE

0

Device OS type. Valid values are IOS, PIX, ASA, CATOS, FWSM, IDS.

Discover or configure device properties (Tools > Device Properties > General) to generate values for this variable.

SYS_SYS_OID

0

The SysObjId of the device.

Discover or configure devices on Security Manager to generate values for this variable.

Note 1: Device variables apply to all device types.
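The Object Variables topic above introduces system variables and local variables, and Table 1-5 describes how SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST share an index, with an empty element where an interface has no address. The following FlexConfig body is an added example (not a Security Manager sample object) that walks both lists in step and only touches interfaces that have an address. It assumes that both variables arrive as Java lists (which is why `.get()` works on them, as in the page's own examples), that an interface without an address has an empty string at its index, and that both variables are declared optional in the object so that a device with no interfaces still deploys; the description text is a constructed value.

```velocity
## Constructed example (not a Security Manager sample object): one FlexConfig body that
## walks the parallel SYS_INTERFACE_NAME_LIST / SYS_INTERFACE_IP_LIST system variables.
## Assumptions: both variables are Java lists indexed the same way (as Table 1-5 states),
## an interface with no address has an empty string at its index, and both variables are
## declared optional in the object so a device without interfaces still deploys.
##
## If the device has no interfaces no list is returned, so guard the whole loop.
#if ($SYS_INTERFACE_NAME_LIST)
  ## Local counter: Velocity supplies its value, no assignment is needed in the policy.
  #set ($i = 0)
  #foreach ($ifname in $SYS_INTERFACE_NAME_LIST)
    ## Reset first: a #set whose right-hand side is null leaves the variable unchanged
    ## in Velocity, so without this line a missing element would reuse the previous IP.
    #set ($ip = "")
    #set ($ip = $SYS_INTERFACE_IP_LIST.get($i))
    #if ($ip != "")
interface $ifname
 description $SYS_HOSTNAME $ip (managed by Security Manager)
    #else
## $ifname has no IP address, so it is skipped
    #end
    #set ($i = $i + 1)
  #end
#end
```

With a name list of Ethernet0 and Ethernet1 and an IP list whose second element is empty, only Ethernet0 receives a description; Ethernet1 is skipped rather than receiving a description with a blank address. Because `description` simply overwrites the previous value, the object can be deployed repeatedly without the "already configured" error discussed under CLI Commands. Use Preview to check the generated CLI against the device's discovered interfaces before assigning the object.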


Table 1-6 Firewall System Variables 

Name
Dimension
Description

SYS_FPM_INPUT_SP

1

FPM policy map names applied on the interface corresponding to the entry in the SYS_FPM_INTERFACE list in the "in" direction.

This data is not configured in Security Manager. It is obtained from a router's running configuration and is used by the FPM FlexConfig.

SYS_FPM_INTERFACE

1

Interface names.

This data is not configured in Security Manager. It is obtained from a router's running configuration and is used by the FPM FlexConfig.

SYS_FPM_OUTPUT_SP

1

FPM policy map names applied on the interface corresponding to the entry in the SYS_FPM_INTERFACE list in the "out" direction.

This data is not configured in Security Manager. It is obtained from a router's running configuration and is used by the FPM FlexConfig.

SYS_FW_ACL_IN_NAME

1

Names of ACLs applied to interfaces for traffic filtering in the inbound direction. Each element has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers, PIX Firewalls, Firewall Service Modules, and ASA devices.

Configure firewall access rules to generate values for this variable.

SYS_FW_ACL_OUT_NAME

1

Names of ACLs applied to interfaces for traffic filtering in the outbound direction. Each element of this array has a one-to-one correspondence with SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers, PIX Firewalls, Firewall Service Modules, and ASA devices.

Configure Access Rules policies to generate values for this variable.

SYS_FW_BRIDGE_INTERFACE_NAMES

1

Names of bridge interfaces.

This variable applies only to IOS transparent firewalls.

Configure Policy Firewall > Settings > Transparent to generate values for this variable.

SYS_FW_ETHERTYPERULE_ACL_NAMES

1

Names of ethertype access-lists applied to interfaces for traffic filtering coming in or going out. Each element of this array has a one-to-one correspondence with the elements in the SYS_FW_ETHERTYPERULE_INTERFACE_NAMES and SYS_FW_ETHERTYPERULE_DIRECTION_NAMES variables.

Configure Firewall transparent rules policies to generate values for this variable.

SYS_FW_ETHERTYPERULE_DIRECTION_NAMES

1

Direction that ethertype access-lists are applied. The value is either "in" or "out." Each element has a one-to-one correspondence with the elements in the SYS_FW_ETHERTYPERULE_ACL_NAMES and SYS_FW_ETHERTYPERULE_INTERFACE_NAMES variables.

Configure Firewall transparent rules policies to generate values for this variable.

SYS_FW_ETHERTYPERULE_INTERFACE_NAMES

1

Interface names to which ethertype access-lists are applied. Each element has a one-to-one correspondence with the SYS_FW_ETHERTYPERULE_ACL_NAMES and SYS_FW_ETHERTYPERULE_DIRECTION_NAMES variables.

Configure Firewall transparent rules policies to generate values for this variable.

SYS_FW_INSPECT_IN_NAME

1

Names of Inspect rules applied to Cisco IOS router interfaces in the inbound direction. Each element of this array has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers.

Configure Inspection Rules policies to generate values for this variable.

This variable is optional.

SYS_FW_INSPECT_OUT_NAME

1

Names of Inspect rules applied to Cisco IOS router interfaces in the outbound direction. Each element of this array has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers.

Configure Inspection Rules policies to generate values for this variable.

This variable is optional.

SYS_FW_INTERFACE_HARDWARE_ID_LIST

1

Hardware IDs for the device.

Configure interface policies on the device to generate values for this variable.

This variable is optional.

SYS_FW_INTERFACE_NETWORK_LIST

1

Interface networks on the device.

Configure interface policies on the device to generate values for this variable.

SYS_FW_INTERFACE_SECURITY_LEVEL_LIST

1

Interface security levels on the device.

Configure interface policies on the device to generate values for this variable.

SYS_FW_INTERFACE_STATE_LIST

1

Interface states on the device.

Configure interface policies on the device to generate values for this variable.

SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME

1

Names of tunnel groups specified in Traffic Flow objects.

Traffic Flow objects configure class-map commands on PIX firewalls, and the names of the tunnel groups listed in Traffic Flow objects populate this variable. This variable is used by the define_traffic_flow_tunnel_group FlexConfig object to create tunnel groups on PIX firewalls.

This variable is optional.

SYS_FW_MULTICAST_PIM_ACCEPT_REG_ROUTEMAP

0

Route-map name used in the pim accept-register route-map command.

Enter a name for the route-map (Platform > Multicast > PIM > Request Filter), then configure its features using FlexConfig to generate values for this variable.

This variable is optional.

SYS_FW_NAT0_ACL_NAMES

1

Names of ACLs used in the nat interface_name 0 access-list acl_name command.

This variable is optional.

SYS_FW_OSPF_PROCESS_ID_LIST

1

IDs for OSPF routing processes globally configured on PIX Firewalls, Firewall Service Modules, and ASA devices.

Configure OSPF (Platform > Routing > OSPF) to generate values for this variable.

SYS_FW_OSPF_REDISTRIBUTION_ROUTE_MAP_LIST

1

Names for the route maps to apply to the OSPF redistribute commands configured on PIX Firewalls, Firewall Service Modules, and ASA devices.

Configure the OSPF policy to generate values for this variable.

SYS_FW_POLICY_NAT_ACL_NAMES

1

Names of ACLs used in the policy nat commands (nat commands with non-0 pool id).

Configure NAT (NAT > Translation Rules > Policy NAT) to generate values for this variable. This variable applies to only PIX 6.3(3), PIX/ASA 7.0, and FWSM devices. This variable does not apply to Cisco IOS routers.

This variable is optional.

SYS_FW_POLICY_STATIC_ACL_NAMES

1

Names of ACLs used in the policy static commands that include access lists.

Configure NAT 0 (NAT > Translation Rules > Policy NAT) to generate values for this variable. The variable contains the access-list names used by the nat-0, policy nat, and policy static commands.

This variable applies to only PIX 6.3(3), PIX/ASA 7.0, and FWSM devices. This variable does not apply to Cisco IOS routers.

This variable is optional.


Table 1-7 Router Platform System Variables 

Name
Dimension
Description

SYS_ROUTER_BGP_AS_NUMBERS_LIST

1

Autonomous system (AS) number of the border gateway protocol (BGP) and exterior gateway protocol (EGP) on the device.

Configure BGP policies (Router Platform > Routing > BGP) to generate values for this variable.

This variable is optional.

SYS_ROUTER_EIGRP_AS_NUMBERS_LIST

1

Autonomous system (AS) numbers of the enhanced interior gateway routing protocol (EIGRP) and interior gateway protocol (IGP) processes on the device.

Configure EIGRP policies (Router Platform > Routing > EIGRP) to generate values for this variable.

This variable is optional.

SYS_ROUTER_OSPF_PROCESS_IDS_LIST

1

Open shortest path first (OSPF) interior gateway protocol (IGP) process numbers on the device.

Configure OSPF Process policies (Router Platform > Routing > OSPF Process) to generate values for this variable.

This variable is optional.

SYS_ROUTER_QOS_CLASS_MAP_LIST

1

Names of QoS class maps on the device.

Configure Quality of Service policies to generate values for this variable.

This variable is optional.

SYS_ROUTER_QOS_POLICY_MAP_LIST

1

Names of the QoS policy-maps on the device.

Configure Quality of Service policies to generate values for this variable.

This variable is optional.


Table 1-8 VPN System Variables 

Name
Dimension
Description
Topology—Variables related to the VPN in which a device participates. For more information, see Creating a VPN Topology, page 1-11.

SYS_VPN_TOPOLOGY

1

Virtual private network (VPN) topology type. Valid values are HUB_AND_SPOKE, POINT_TO_POINT, and FULL_MESH.

SYS_VPN_TOPOLOGY_NAME

1

Name of the VPN topology in which the device participates.

Configure VPNs to generate values for this variable.

SYS_VPN_TOPOLOGY_ROLE

1

Details about the role of the device in the VPN. Valid values are PEER, HUB, and SPOKE.

Configure VPNs to generate values for this variable.

Devices—Variables related to devices in the VPN in which a device participates. For more information, see Creating a VPN Topology, page 1-11.

SYS_VPN_HOST_NAME

1

Device host name.

Configure VPNs to generate values for this variable.

SYS_VPN_LOCAL_PREFIXES

2

Interface and network IP addresses of protected networks.

Configure VPNs to generate values for this variable.

SYS_VPN_PRIVATE_INTERFACES

2

Private interface names.

Configure VPNs to generate values for this variable.

SYS_VPN_PRIVATE_TUNNEL_ENDPT_IP

1

Interface tunnel IP address.

Configure VPNs to generate values for this variable.

SYS_VPN_PUBLIC_INTERFACES

2

Public interface names.

Configure VPNs to generate values for this variable.

SYS_VPN_TUNNEL_ENDPT_INTERFACE_IP

1

IP address of the VPN endpoint. (In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.)

Configure VPNs to generate values for this variable.

SYS_VPN_TUNNEL_ENDPT_INTERFACE_NAME

1

Name of the VPN endpoint. (In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.)

Configure VPNs to generate values for this variable.

SYS_VPN_VPNSM_PUBLIC_IFC

2

Export port names (for Catalyst 6000 series switches only).

Remote Peers—Variables related to remote peers in which a device participates. For more information, see Creating a VPN Topology, page 1-11.

SYS_VPN_REM_PEER_BAK_LOGICAL_PRIVATE_IP (Dimension 3): Interface tunnel IP addresses of remote peers of failover hubs. This value is used in DMVPN for next hop resolution protocol (NHRP). Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_BAK_PREFIX (Dimension 3): Protected networks (interface and network IP addresses) of remote peers of failover hubs. Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_BAK_PUBLIC_IP (Dimension 3): Public interface names of remote peers of failover hubs. Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_BAK_TUNNEL_SRC (Dimension 3): IP address of the VPN endpoint of remote peers. (In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.) Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_DEVICE_NAME (Dimension 2): Device host names of remote peers. Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_LOGICAL_PRIVATE_IP (Dimension 2): Interface tunnel IP addresses of remote peers. This value is used in DMVPN for next hop resolution protocol (NHRP). Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_PREFIX (Dimension 3): Protected networks (interface and network IP addresses) of remote peers. Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_PRIVATE_IP (Dimension 2): Private interface names of remote peers. Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_PUBLIC_IP (Dimension 2): Public interface names of remote peers. Configure VPNs to generate values for this variable.

SYS_VPN_REM_PEER_TUNNEL_SRC (Dimension 2): Tunnel sources (if included in the interface tunnel of remote peers). Configure VPNs to generate values for this variable.

IPSec Proposal—Variables related to policy IPSec proposals. For more information, see Configuring IPSec Proposals, page 1-67 and Configuring High Availability in Your VPN Topology, page 1-51.

SYS_VPN_CRYPTO_MAP_TYPE (Dimension 1): Crypto map type. Valid values are STATIC and DYNAMIC. Configure an IPSec proposal policy to generate values for this variable.

SYS_VPN_DYNAMIC_CRYPTO_NAME (Dimension 1): Dynamic crypto map name. Configure VPNs to generate values for this variable.

SYS_VPN_DYNAMIC_CRYPTO_NUM (Dimension 1): Dynamic crypto map number. Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NAME (Dimension 1): Static crypto map name. Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NAME_BAK (Dimension 1): Static crypto map name of failover hubs. Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NUM (Dimension 2): Static crypto map number. Configure VPNs to generate values for this variable.

SYS_VPN_STATIC_CRYPTO_NUM_BAK (Dimension 2): Static crypto map number of failover hubs. Configure VPNs to generate values for this variable.

Preshared Keys—Variables related to preshared key/IKE policies. For more information, see Configuring Preshared Key Policies, page 1-76.

SYS_VPN_IKE_AUTHENTICATION_MODE (Dimension 1): Authentication method of the IKE policy. Valid values are pre-share, rsa-sig, rsa-encr, and dsa-sig. Configure an IKE proposal policy to generate values for this variable.

SYS_VPN_IKE_PRIORITY (Dimension 1): Priority number of the IKE policy. Configure an IKE proposal policy to generate values for this variable.

SYS_VPN_NEGOTIATION_MODE (Dimension 1): Negotiation method. Valid values are MAIN_ADDRESS, MAIN_HOST, and AGGRESSIVE. Configure a Preshared Key policy to generate values for this variable.

GRE Modes—Variables related to GRE Modes policies. For more information, see Configuring GRE or GRE Dynamic IP Policies, page 1-91.

SYS_VPN_BAK_TUNNEL_IFC (Dimension 2): Interface tunnel number. (Matches the tunnel number of remote peers of failover hubs, for example, tunnel0.) Configure VPNs to generate values for this variable.

SYS_VPN_SIGP_PROCESS_NUMBER (Dimension 1): Process number of the interior gateway protocol (IGP). Configure GRE Modes policies to generate values for this variable.

SYS_VPN_SIGP_ROUTING_PROTOCOL (Dimension 1): Type of secured interior gateway protocol (IGP) used. Valid values are STATIC, OSPF, EIGRP, RIPV2, BGP, and ODR. Configure GRE Modes policies to generate values for this variable.

SYS_VPN_SPOKE_TO_SPOKE_CONN (Dimension 1): Indication of whether DMVPN is configured for spoke-to-spoke connectivity. Valid values are true and false. Configure GRE Modes policies to generate values for this variable.

SYS_VPN_TUNNEL_IFC (Dimension 2): Interface tunnel number. (Matches the tunnel number of remote peers, for example, tunnel0.) Configure VPNs to generate values for this variable.

VRF—Variables related to VRF. For more information, see Configuring VRF-Aware IPSec Settings, page 1-45.

SYS_VPN_VRF_AREA_ID (Dimension 1): Area ID numbers (if the OSPF process number was chosen). Configure VPNs to generate values for this variable.

SYS_VPN_VRF_MPLS_INTERFACE_IP (Dimension 1): Multiprotocol label switching (MPLS) interface IPs. Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_MPLS_INTERFACE_NAME (Dimension 1): Multiprotocol label switching (MPLS) interface names. Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_NAME (Dimension 1): VRF names. Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_PROCESS_NUMBER (Dimension 1): Interior gateway protocol (IGP) process numbers. Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_RD (Dimension 1): Route distinguisher (RD) values. Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_ROUTING_PROTOCOL (Dimension 1): Interior gateway protocol (IGP) values. The IGP is used for routing from the IPsec aggregator towards the Provider Edge (PE)/Multiprotocol Label Switching (MPLS) network. Valid values are STATIC, OSPF, EIGRP, RIPV2, and BGP. Configure VPN VRF settings to generate values for this variable.

SYS_VPN_VRF_SOLUTION (Dimension 1): Virtual routing and forwarding (VRF) solution. Valid values are 1BOX and 2BOX. Configure VPN VRF settings to generate values for this variable.

CA—Variables related to CA policies. For more information, see Configuring Public Key Infrastructure Policies, page 1-84.

SYS_VPN_CA_NAME (Dimension 2): Certificate authority (CA) names. Configure PKI policies to generate values for this variable.

EZVPN—Variables related to EZVPN. For more information, see Configuring Easy VPN Policies, page 1-103.

SYS_VPN_EZVPN_GROUP_NAME (Dimension 2): User group names. Configure User Group policies to generate values for this variable.

Dial Backup—Variables related to dial backup configurations. For more information, see Configuring Dial Backup, page 1-28.

SYS_VPN_RTR_WATCH (Dimension 1): Rtr/watch number. Configure dial backup to generate values for this variable.


Table 1-9 Remote Access System Variables

SYS_EZVPN_RA_DYNAMIC_CRYPTO_MAP_NAME (Dimension 1): Dynamic crypto map name.

SYS_EZVPN_RA_DYNAMIC_CRYPTO_MAP_SEQ_NUM (Dimension 1): Dynamic crypto map number.

SYS_EZVPN_RA_PUBLIC_INTERFACE_PIX (Dimension 2): External interface names (PIX Firewall and ASA devices only).

SYS_EZVPN_RA_STATIC_CRYPTO_MAP_NAME (Dimension 1): Static crypto map names.

SYS_EZVPN_RA_STATIC_CRYPTO_MAP_SEQ_NUM (Dimension 1): Static crypto map numbers.

SYS_IOS_RA_CA_NAME (Dimension 1): Certificate authority (CA) names (Cisco IOS routers only).

SYS_IOS_RA_PUBLIC_INTERFACE (Dimension 1): External interface names (Cisco IOS routers only).

SYS_IOS_RA_USER_GROUP (Dimension 1): User group names (Cisco IOS routers only).

SYS_IOS_RA_VRF_NAME (Dimension 1): Virtual routing and forwarding (VRF) names (Cisco IOS routers only).


FlexConfig Policies

As with any other policy, you assign FlexConfig policies to devices using Policy or Device view. Then, you can deploy configurations containing these policies as you would deploy any configuration generated by Security Manager. For more information about working with policies in general, see Chapter 1, "Managing Policies." For a sample scenario that takes you through the steps to set up a FlexConfig, see Creating FlexConfigs—Scenario.

Creating FlexConfigs—Scenario

This scenario takes you through the steps to set up Media Gateway Control Protocol (MGCP) for a PIX Firewall using one of the sample FlexConfig policy objects that come with Security Manager. MGCP is used by the call agent application to control media gateways (devices that convert telephone circuit audio to data packets). Security Manager does not support MGCP configuration, but a FlexConfig policy object can be used to provide a configuration. This illustrates how the FlexConfig feature enables you to customize, for your network, what is not natively supported in Security Manager.

In this scenario, you do the following:

Create a new policy object by duplicating an existing policy object

Assign a policy object to a device

Preview the configuration to verify it is correct

Share the policy object with another device

Deploy the configurations to the devices

You can use this scenario as an example to implement other features by creating copies of and modifying sample FlexConfig policy objects or by creating your own FlexConfig policy objects.

Before You Begin

Add two PIX Firewalls to Security Manager for this scenario.

Procedure


Step 1 Duplicate the FlexConfig policy object

a. Select the Policy Object Manager.

The Policy Object Manager page appears.

b. Select FlexConfigs from the Object list.

The FlexConfigs Selector window appears.

c. Right-click the ASA_MGCP FlexConfig object and select Create Duplicate.

The Add FlexConfigs dialog box appears.

d. Enter a new name for the new FlexConfig object, for this example MyASA_MGCP.

e. Enter a new Group name and a Description.


Tip The new group name and description are optional. We recommend you establish descriptions and groups for the new objects you create.


f. Click OK.

The new FlexConfig object appears on the list of FlexConfigs.

Step 2 Duplicate and edit the $callAgentList text object.

The original ASA_MGCP FlexConfig object employs Policy Object Variable $callAgentList, a text object. The text object is read-only and cannot be edited. Duplicating the text object enables you to edit the duplicate object to apply to your network settings.

a. From the Policy Object Manager, select Text Objects from the Object list.

The Text Objects window appears.

b. Right-click the callAgentList text object and select Create Duplicate.

The Add Text Object dialog box appears.

c. Edit the Name of the text object. For this example change it to mycallAgentList.

d. Double-click the first value in column A, then enter the IP address for a call agent in your network. For this example, change the value to 10.10.10.10.

e. Double-click the first value in column B, then enter the port number for a call agent in your network. For this example, change the value to 105.

f. Repeat steps d and e to change the values for another call agent. For this example, change the IP address to 20.20.20.20 and the port number to 106. Alternatively, if you had only one call agent in your network, you could remove the second row in the table by decreasing the number in the Number of Rows field. Similarly, if you have more than two call agents, you can add rows by increasing the number in this field.

This concept is similar for increasing and decreasing the number of columns by increasing or decreasing the Number of Columns field.

g. Click OK.

The new text object appears on the list of text objects.

Step 3 Edit the new FlexConfig policy object to employ the new variable.

a. From the Policy Object Manager, select FlexConfigs from the Object list.

The FlexConfigs Selector window appears.

b. Double-click the MyASA_MGCP FlexConfig object.

The Edit FlexConfig dialog box appears.

c. Edit $callAgentList to read $mycallAgentList.

d. Click OK.

A warning appears that reads: "The following variables are undefined: mycallAgentList. Define them now?"

e. Click Yes to the warning.

The FlexConfig Undefined Variables window appears with mycallAgentList listed in the Variable Name column.

f. From the Object Type list, select Text Objects.

The Text Objects window appears.

g. Select mycallAgentList from the Available Text Objects list and click OK.

h. In the FlexConfig Undefined Variables window, click OK.

The mycallAgentList variable appears in the Variables list of the Edit FlexConfig dialog box.

i. In the Edit FlexConfig dialog box, click OK.

j. Close the Policy Object Manager window.

Step 4 Assign the new FlexConfig policy to a device

a. From the Device view, select the device for which you want to set up MGCP.

b. Select FlexConfigs from the Policy selector.

The FlexConfigs Policy page appears.

c. Click the Add button.

The FlexConfigs Selector dialog box appears.

d. Select the new MyASA_MGCP FlexConfig policy object and click the >> button to add the policy object to the Selected FlexConfigs column.


Note You can select multiple policy objects at a time by holding down the Control or Shift key while clicking.


e. Click OK.

The MyASA_MGCP policy object is added to the Appended FlexConfigs table, because it is set to be appended to the configuration. That is, commands are added to the end of the configuration. You configure FlexConfig policy objects that you want added to the beginning of the configuration as Prepended policy objects.

f. Click Save.

Step 5 Preview the commands as they will be generated and sent to the device.

a. From the FlexConfigs Policy page, select the MGCP_Configuration policy object.

b. Click Preview.

The commands that are generated with this FlexConfig policy object and the values assigned to the selected device appear. Note the changed values:

class-map sj_mgcp_class
  match access-list mgcp_list
  exit

mgcp-map inbound_mgcp
  call-agent 10.10.10.10 105
  call-agent 20.20.20.20 106
  gateway 10.10.10.115 101
  gateway 10.10.10.116 102
  command-queue 150
  exit

policy-map inbound_policy
  class sj_mgcp_class
    inspect mgcp inbound_mgcp
    exit
  exit

service-policy inbound_policy interface outside

Step 6 If you have additional PIX Firewall devices that require MGCP, you can share this policy with them.

a. In the Device view, from the Policy selector, right-click FlexConfigs, then select Share Policy.

The Share Policy dialog box appears.

b. Enter a name in the Policy Name field and click OK. For this example, enter My Shared Policies.

c. In the Main toolbar, click the Policy View button.

d. From the Policy Types selector, select FlexConfigs. Note the policy type (FlexConfigs) and policy name (My Shared Policies) appear at the top of the page.

e. Click the Assignments tab.

f. From the Devices selector, navigate to the desired device. For this example, navigate to the other PIX Firewall.

g. Select the device and click the >> button.

h. Click Save.

Step 7 Deploy the configurations to the devices. For information about deploying configurations, see Working with Deployment, page 1-31.
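The scenario above renames the $callAgentList reference, gets an "undefined variables" warning, binds the new name to a two-dimensional text object, and then previews the call-agent lines that the rows of that object produce. The following Python script is an added example, not Security Manager code and not its scripting language: it reproduces those three steps on a constructed FlexConfig body and a constructed text object. The $name reference syntax comes from the page; the rule that a line referencing a two-dimensional object expands into one line per row, with the row's columns joined by spaces, is this example's own convention, and the IP/port validation is an added check that Security Manager itself does not perform.

```python
"""Undefined-variable check and text-object expansion for a FlexConfig body.

Added example; not Security Manager code. Mirrors the scenario on this page:
a renamed variable is reported as undefined, and a two-dimensional text
object (column A = IP address, column B = port) expands into one
'call-agent' command per row.
"""
import ipaddress
import re

# A FlexConfig variable reference is $ followed by an identifier.
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")

# Constructed FlexConfig body (not the page's ASA_MGCP object): $mapName is a
# scalar (dimension 1) variable, $mycallAgentList a 2-D text object.
TEMPLATE = """\
mgcp-map $mapName
  call-agent $mycallAgentList
  command-queue 150
  exit
"""

# Constructed 2-D text object with the values entered in Step 2 of the scenario.
MYCALLAGENTLIST = [["10.10.10.10", "105"], ["20.20.20.20", "106"]]


def referenced_variables(body):
    """Return the set of variable names referenced in a FlexConfig body."""
    return set(VAR_RE.findall(body))


def undefined_variables(body, defined):
    """Names the body references that are not bound to any object.

    This is the check behind the 'The following variables are undefined'
    warning in Step 3 of the scenario.
    """
    return referenced_variables(body) - set(defined)


def validate_call_agents(rows):
    """Return a list of problems with (ip, port) rows; empty means valid."""
    problems = []
    for idx, row in enumerate(rows):
        if len(row) != 2:
            problems.append(f"row {idx}: expected 2 columns, got {len(row)}")
            continue
        ip, port = row
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"row {idx}: '{ip}' is not an IP address")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"row {idx}: '{port}' is not a valid port")
    return problems


def _subst(text, name, value):
    # Word boundary keeps $map from also matching $mapName.
    return re.sub(r"\$" + re.escape(name) + r"\b", lambda m: value, text)


def render(body, variables):
    """Expand a FlexConfig body with scalar and 2-D variable bindings.

    Example's own convention: a line referencing a 2-D object is emitted once
    per row, with that row's columns joined by single spaces.
    """
    out = []
    for line in body.splitlines():
        names = VAR_RE.findall(line)
        missing = [n for n in names if n not in variables]
        if missing:
            raise KeyError("undefined variables: " + ", ".join(missing))
        tables = [n for n in names if isinstance(variables[n], list)]
        if len(tables) > 1:
            raise ValueError("at most one 2-D object per line in this example")
        if tables:
            expansions = [_subst(line, tables[0], " ".join(row))
                          for row in variables[tables[0]]]
        else:
            expansions = [line]
        for text in expansions:
            for n in names:
                if n not in tables:
                    text = _subst(text, n, str(variables[n]))
            out.append(text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(undefined_variables(TEMPLATE, {"mapName", "callAgentList"}))
    print(validate_call_agents(MYCALLAGENTLIST))
    print(render(TEMPLATE, {"mapName": "inbound_mgcp",
                            "mycallAgentList": MYCALLAGENTLIST}))
```

Run `validate_call_agents` on the text object before rendering; because Security Manager deploys whatever the body expands to, a typo in column A or B otherwise reaches the device unchecked.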


Working with FlexConfigs

Because FlexConfig policy objects and FlexConfig policies are complex and interdependent, they are described together; see Understanding FlexConfigs. For information about creating, editing, and deleting FlexConfig policy objects, see Chapter 1, "Managing Objects."

The following topics will help you work with FlexConfig policy objects:

Adding FlexConfig Policy Objects

Editing FlexConfig Policy Objects

Deleting FlexConfig Policy Objects

Reordering FlexConfig Policy Objects

Previewing FlexConfig Policy Objects

Adding FlexConfig Policy Objects

This procedure describes how to add FlexConfig policy objects and assumes that you are doing so from the Device view.

Before You Begin

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices. Therefore, ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.

If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, we do not recommend using prepended or appended (beginning and ending) commands to configure interfaces.

When creating FlexConfigs involving route-maps (for example, OSPF route-maps, multicast route-maps, and others), the corresponding access control lists (ACLs) must be defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, a deployment error results.

Procedure


Step 1 Select the desired device and click FlexConfig.

The FlexConfigs policy page appears.

Step 2 Click Add.

The FlexConfigs Selector dialog box appears. For details, see FlexConfigs Selector Dialog Box, page A-222.

Step 3 To add a new FlexConfig policy object, click Add. For details, see FlexConfig Editor Dialog Box, page A-87.

Step 4 Select one or more of the available FlexConfigs and click the >> button. For descriptions of sample FlexConfig policy objects, see Table 1-4.

The FlexConfigs appear in the Selected FlexConfigs column.

Step 5 Click OK.

The FlexConfigs policy page appears with the FlexConfigs in the prepended or appended field depending on the type defined for each FlexConfig.


Editing FlexConfig Policy Objects

You might want to edit a FlexConfig policy object that has already been added to a device. This procedure describes how to edit FlexConfig policy objects and assumes that you are doing so from the Device view.

Notes

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices. Therefore, ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.

If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, we do not recommend using prepended or appended (beginning and ending) commands to configure interfaces.

When editing FlexConfigs involving route-maps (for example, OSPF route-maps, multicast route-maps, and others), the corresponding access control lists (ACLs) must be defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, a deployment error results.

Procedure


Step 1 Select the desired device and click FlexConfig.

The FlexConfigs policy page appears.

Step 2 Click Edit.

The Edit FlexConfigs dialog box appears. For details, see FlexConfig Editor Dialog Box, page A-87.

Step 3 Make the desired changes and click OK.

The FlexConfigs policy page appears with the FlexConfigs in the prepended or appended field depending on the type defined for each FlexConfig.


Deleting FlexConfig Policy Objects

You might want to delete a FlexConfig policy object from a device if it is no longer used. This procedure describes how to delete FlexConfig policy objects and assumes that you are doing so from the Device view.

Procedure


Step 1 Select the desired device and click FlexConfig.

The FlexConfigs policy page appears.

Step 2 Select the FlexConfig policy objects you want to delete.

Step 3 Click Delete.

Step 4 Click Yes.

The FlexConfigs policy page appears with the deleted FlexConfigs policy objects removed from the prepended or appended fields.


Reordering FlexConfig Policy Objects

The order of FlexConfig policy objects within the FlexConfig policy affects the way CLI commands are deployed to devices. First prepended FlexConfig policy objects are deployed, then all other policy objects, and finally appended FlexConfig policy objects. In addition, the FlexConfig policy objects in the prepended and appended fields are deployed sequentially.

The order of CLI commands can affect the results that are deployed and implemented. Order the FlexConfig policy objects by dependency: an object whose commands the other FlexConfig policy objects rely on belongs at the top of the list.
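The page states the deployment order (prepended objects, then everything else Security Manager generates, then appended objects) and, in the Before You Begin sections above, two ordering rules that Security Manager does not check for you: an ACL must be defined before the route-map that references it, and an interface configured by more than one command set keeps only the last set. The following Python script is an added example, not Security Manager code: it assembles constructed command sets in that order and flags both conditions before deployment. The ACL and route-map line forms it recognizes (`ip access-list extended NAME`, `access-list NAME ...`, `match ip address NAME`, `interface NAME`) are standard Cisco CLI syntax; the sample command sets are constructed for the example.

```python
"""Pre-deployment ordering check for FlexConfig command sets.

Added example; not Security Manager code. Assembles prepended objects, the
generated configuration, and appended objects in deployment order, then
reports (1) route-maps that reference an ACL not yet defined and (2)
interfaces configured in more than one command set (only the last wins).
"""
import re

# Constructed sample command sets (not from the page).
PREPENDED = [
    "route-map TO_PE permit 10\n match ip address VPN_TRAFFIC\n exit",
]
GENERATED = [
    "interface GigabitEthernet0/1\n ip address 192.0.2.1 255.255.255.0\n exit",
]
APPENDED = [
    "ip access-list extended VPN_TRAFFIC\n permit ip 10.0.0.0 0.255.255.255 any\n exit",
    "interface GigabitEthernet0/1\n description second definition\n exit",
]

# Named IOS ACL, or numbered IOS / named ASA ACL.
ACL_DEF_RE = re.compile(
    r"^\s*(?:ip\s+access-list\s+(?:standard|extended)\s+(\S+)|access-list\s+(\S+))")
# Route-map ACL reference; prefix-list matches are a different object type.
MATCH_RE = re.compile(r"^\s*match\s+ip\s+address\s+(?!prefix-list)(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)")


def assemble(prepended, generated, appended):
    """Return (label, body) pairs in the order Security Manager deploys them."""
    return ([("prepended", b) for b in prepended]
            + [("generated", b) for b in generated]
            + [("appended", b) for b in appended])


def check_order(sets):
    """Scan command sets in deployment order and return a list of findings."""
    findings = []
    defined_acls = set()
    interfaces_seen = {}  # interface name -> index of the set that configured it
    for idx, (label, body) in enumerate(sets):
        for line in body.splitlines():
            m = ACL_DEF_RE.match(line)
            if m:
                defined_acls.add(m.group(1) or m.group(2))
                continue
            m = MATCH_RE.match(line)
            if m:
                for acl in m.group(1).split():
                    if acl not in defined_acls:
                        findings.append(
                            f"set {idx} ({label}): route-map references ACL "
                            f"'{acl}' before it is defined")
                continue
            m = IFACE_RE.match(line)
            if m:
                name = m.group(1)
                if name in interfaces_seen:
                    findings.append(
                        f"set {idx} ({label}): interface '{name}' already "
                        f"configured in set {interfaces_seen[name]}; only the "
                        f"last set is deployed")
                else:
                    interfaces_seen[name] = idx
    return findings


if __name__ == "__main__":
    for finding in check_order(assemble(PREPENDED, GENERATED, APPENDED)):
        print(finding)
```

Moving the ACL object ahead of the route-map object (to the top of the prepended list) clears the first finding; the duplicate interface block remains and should be removed rather than reordered, since whichever copy deploys last silently replaces the other.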

This procedure describes how to reorder FlexConfig policy objects and assumes that you are doing so from the Device view.


Note When reordering FlexConfigs involving route-maps (for example, OSPF route-maps, multicast route-maps, and others), the corresponding access control lists (ACLs) must be defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, a deployment error results.


Procedure


Step 1 Select the desired device and click FlexConfig.

The FlexConfigs policy page appears.

Step 2 Select the FlexConfig policy object you want to move.

Step 3 Click the up arrow or down arrow to move the FlexConfig policy object accordingly.

Step 4 Click Save.


Previewing FlexConfig Policy Objects

You can display the CLI commands to be generated by a FlexConfig policy. This is especially useful for checking that the CLI commands generated are what you intend to implement on the device.


Note During deployment, when the FlexConfig policy objects are compiled on the Security Manager server, the correct system variable values and settings are used to generate commands. However, because the Preview function does not have access to these values the way it normally would during deployment, it might not display some CLI commands. In addition, because the Preview function generates CLI commands on the client, some macros used in FlexConfig policy objects reflect client settings instead of server settings.


This procedure describes how to preview FlexConfig policy objects and assumes that you are doing so from the Device view.

Procedure


Step 1 Select the desired device and click FlexConfig.

The FlexConfigs policy page appears.

Step 2 Select the FlexConfig policy object you want to preview.

Step 3 Click Preview.

The CLI generated from the selected FlexConfig policy object is displayed.

Step 4 Click Close when you are done viewing the CLI command.


Deleting FlexConfig Object Variables

If you no longer need a FlexConfig object variable, you can remove it from Security Manager.

This procedure shows you how to delete a FlexConfig object variable.

Before You Begin

Determine whether the object is being used and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for FlexConfig Objects, page 1-75.

Procedure


Step 1 Delete the object variable.

a. Select Tools > Policy Object Manager.

b. Select FlexConfigs from the objects selector.

c. The Policy Object Manager dialog box appears.

d. In the work area, right-click the object that contains the variable you want to delete, then select Edit Object.

e. The FlexConfig Editor dialog box appears. For a description of the fields in this dialog box, see Table A-46 on page A-88.

f. In the object body, highlight the variable and press the Delete key.

g. Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 1-63.


Step 2 Validate the FlexConfig object.

a. From Device view, select the device and click FlexConfigs from the Policies selector.

b. Select the FlexConfig object from which you removed the variable.

c. Click Values.

The Values Assignment dialog box appears.

d. Click Validate.

e. Click OK.