User Guide for Cisco Security Manager 3.0.2
Using Tools


These topics describe pages that are accessed from the Tools menu:

Understanding the Tools Menu Options

Understanding Policy Discovery Status

Understanding Show Containment

Understanding Audit Reports

Using the Configuration Archive Tool

Backup and Restore

Using Security Manager Diagnostics

Understanding the Tools Menu Options

The Tools menu provides access to these features:

Device Properties: Provides general information about the device, credentials, the group the device is assigned to, and policy overrides. For more information, see Understanding Device Properties, page 5-75.

Policy Object Manager: Allows you to view all available objects grouped according to object type, access all object dialog boxes to create, copy, edit, and delete objects, and generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies. For information see Policy Object Manager General Reference, page C-28.

Site-To-Site VPN Manager: Enables you to configure site-to-site VPNs. For information, see Site-to-Site VPN Manager Window, page B-2.

Deployment Manager: Enables you to deploy configurations and manage deployment jobs. For information, see Deployment User Interface Reference, page H-1.

Activity Manager: Allows you to create and manage activities. For information, see Activity Manager Window, page G-1.

Policy Discovery Status: Allows you to see the status of policy discovery and device import from the Policy Discovery Status page. For information, see Understanding Policy Discovery Status.

Catalyst 6500/7600 Device Manager: Embedded in Security Manager, enables you to set up, configure, and monitor devices in the Cisco Catalyst 6500 and 7600 families. For information, see Using the Catalyst 6500/7600 Device Manager, page 14-1.

Device Status: Allows you to view important information about your security appliance, such as the status of your interfaces, the version you are running, licensing information, and performance. For information, see Device Status Page, page C-482.

Show Containment: Displays information about composite devices. For information, see Understanding Show Containment.

IPS Manager: Opens from the Tools menu. For more information, see the IPS Manager context-sensitive online help.

Preview Configuration: Displays the proposed changes, last deployed configuration, or current running configuration for specific devices. For information, see Preview Config Dialog Box, page H-8.

Audit Report: Allows you to generate audit report data according to parameters set in the audit report page. For information, see Understanding Audit Reports.

Change Reports (Activity Report): Allows you to generate a table of changes to devices, shared policies, and building blocks within a given activity (Workflow mode) or configuration session (non-Workflow mode). For information, see Understanding Activity Change Reports, page 7-17.

Configuration Archive: Stores archived device configuration versions and allows you to view, compare and roll back from one configuration to another. For information, see Using the Configuration Archive Tool.

Backup: Allows backing up of Security Manager database using Common Services. For information, see Backup and Restore.

Security Manager Administration: Details administrative settings, recommends which settings to define first, and explains user permissions and access modalities. For information, see Performing Administrative Tasks, page 2-1.

Security Manager Diagnostics: Describes how to gather troubleshooting information and contact the Technical Assistance Center (TAC). For help see Using Security Manager Diagnostics.

Understanding Policy Discovery Status

When you initiate policy discovery, a task is created. For each initiation, only one task is created regardless of the number of devices in the discovery.

You can see the status of policy discovery and device import on the Policy Discovery Status page. The Policy Discovery Status page contains three panes:

Tasks pane—Provides status information for the overall task.

Discovery Details or Import Details pane—Depending on the type of task, this pane is called either Discovery Details or Import Details. For each task you select in the Tasks pane, you will see corresponding information in the Discovery Details or Import Details pane.

The Discovery Details pane displays details about the policy discovery, such as the list of devices in the selected task, the status of the discovery (completed or failed), and the discovery method used (discovered from live device or discovered from file).

The Import Details pane displays details about the device import, such as the list of devices involved in the selected task, the task type for each device (import only or import and discover), and the status of device import (device added or device add failed).

Messages pane—Contains three elements: Message Summary, Description, and Action. Displays messages about the selected device, the severity of the problem (error or warning), detailed descriptions for each message, and the steps you can take to resolve the problem.

Related Topics

Policy Discovery Status Page, page E-2

Viewing Policy Discovery Status Information

Viewing Policy Discovery Status Information

This procedure describes how to view the status of the policy discovery.

Procedure


Step 1 Select Tools > Policy Discovery Status. The Policy Discovery Status page appears. The Tasks pane displays the status of the overall task.

Step 2 Select a task from the Tasks pane. Corresponding information about that task is displayed in the Discovery Details pane or Import Details pane, whichever applies.

Step 3 Select a device from the Discovery Details pane or Import Details pane. Corresponding information about that device is displayed in the Messages text box.

Step 4 Click a message row. Detailed information about that message is displayed in the Description text box.

Step 5 Look at the Action field for steps to resolve the problem.

For information about the elements in the Policy Discovery Status page, see Policy Discovery Status Page, page E-2.


Related Topics

Understanding Policy Discovery Status

Policy Discovery Status Page, page E-2

Understanding Show Containment

The Show Containment option displays information about composite devices. If you select this option, the containment of a device (that is, the service modules and security contexts supported on the selected device) is displayed:


Note This option is available for Catalyst 6500/7600, FWSM, PIX Firewall 7.0, and ASA devices.


For Catalyst 6500/7600 devices, displays the IDSM and FWSM service modules, and the security contexts supported by the FWSM.

For FWSMs, displays security contexts supported by the FWSM.

For PIX Firewalls, displays security contexts supported by the PIX Firewall.

For ASA devices, displays security contexts supported by the ASA device.

For information about security contexts, see Configuring Security Contexts on Firewall Devices, page 13-103.

This procedure describes how to view the containment of a device.

Procedure


Step 1 Select a Catalyst 6500/7600, PIX Firewall 7.0, FWSM, or ASA device from the Device selector.

Step 2 Select Tools > Show Containment.


Related Topics

Configuring Security Contexts on Firewall Devices, page 13-103

Understanding Audit Reports

When state changes occur in Security Manager, an audit entry is created in the audit log. You can display the aggregated results of the audit entries by defining the parameters in the Audit Report page. The state changes that generate an event and create an audit entry are:

Changes to the runtime environment:

System changes, such as login attempts (successful or failed), logout, and scheduled backups.

Authorization issues, such as failed attempts and security breaches.

Map changes, such as saving, deleting, and changing background map views.

Admin changes, such as workflow on and workflow off modes.

Changes to the state of Security Manager objects:

Activity changes, such as creating, editing, submitting, and approving an activity.

Deployment changes, such as creating, editing, and submitting a deployment job.

Changes to the state of managed devices:

Object changes, such as changes to building blocks.

Inventory changes, such as adding, deleting, and modifying devices in the inventory.

Policy changes, such as creating, restoring, modifying, and deleting policies.

VPN changes, such as creating, modifying, and deleting a VPN.

Before you generate the audit report, you can narrow your search criteria by defining the parameters for the report in the Audit Report page. The Audit Report page contains two panes. You define the parameters in the left pane and click Search to display the audit report, corresponding to the parameters you defined, in the right pane.

The following topics provide more information:

Guidelines for Defining the Audit Report Parameters

Generating the Audit Report

Viewing Audit Logs

Purging Audit Log Entries


Note You can also view reports about actions that users have taken within an activity. For more information, see Understanding Activity Change Reports, page 7-17.


Guidelines for Defining the Audit Report Parameters

The following examples provide some guidelines that will help you understand what parameters you should define to get the information you need:

To find out the deployment history of device X—From the Search by action column, select Deployment > Create. In the Search by all or part of the object name field, enter the name of the device. In this instance, enter X, then click Search.

To find out when the device X was removed from Security Manager management—From the Search by action column, select Devices > Delete. In the Search by all or part of the object name field, enter the name of the device. In this instance, enter X, then click Search.

To find out if a failed login attempt occurred in the system—From the Search by action column, select System > Authorization > Login > Failed, then click Search.

Related Topics

Understanding Audit Reports

Generating the Audit Report

Audit Report Page, page E-6

Generating the Audit Report

You narrow down your search criteria by defining the parameters for the audit report in the Audit Report page.

This procedure describes how to generate an audit report.

Procedure


Step 1 Select Tools > Audit Report. The Audit Report page appears.

Step 2 Enter the information in the required fields in the left pane. For more information, see Table E-4.

Step 3 Click Search to generate the audit report.

The audit report is displayed in the right pane. For more information, see Table E-5.

Step 4 For a detailed description, double-click a row. The Audit Message Details page appears. For elements in this page, see Audit Message Details Dialog Box, page E-8.


Related Topics

Understanding Audit Reports

Guidelines for Defining the Audit Report Parameters

Viewing Audit Logs

Viewing Audit Logs

Audit logs are stored in two locations, in the Security Manager database and in the CiscoWorks Common Services database.

To view the audit logs in the Security Manager database, see Generating the Audit Report.

To view the archived audit logs in Common Services, go to: CSCOpx/MDC/Logs/audit/ on the server machine or use the following procedure.

This procedure describes how to view audit logs in Common Services.

Procedure


Step 1 Select Common Services > Device and Credentials > Reports. The Report Generator page appears.

Step 2 Select Audit Report.

Step 3 Enter the report range in the fields provided, then click Generate Report.

The generated report contains all audit logs from both Common Services and Security Manager.


Related Topics

Understanding Audit Reports

Generating the Audit Report

Purging Audit Log Entries

To prevent database overload, the following audit log parameters have factory-set defaults:

Time—60 days.

Maximum number of entries—10,000 entries.

When the time limit or the maximum number of entries limit is reached, the audit logs that have expired are purged (deleted) from the system. To change the factory-set defaults, select Tools > Security Manager Administration > Preferences > Logs. For more information, see Logs Page, page F-16.

Related Topics

Understanding Audit Reports

Audit Report Page, page E-6

Viewing Audit Logs

Logs Page, page F-16

Using the Configuration Archive Tool

Configuration Archive stores configuration versions for each device managed by Security Manager.


Note Security Manager does not support the archiving of VLAN configurations.


You can use Configuration Archive to:

View the transcript of a configuration deployment for a selected device.

View and compare configuration versions.

View CLI differences between deployed configuration versions.

Roll back to an earlier configuration version.

Add a configuration from file.

Retrieve a current device configuration.


Note Configuration Archive differs from Preview Configuration, which displays proposed configuration changes to the CLI. For more information on the Preview Configuration functions, see Previewing Configurations, page 15-38.


Related Topics

Adding Configuration Versions to Archive

Configuration Archive Window, page E-10

Configuration Version Viewer, page E-12

Customizing the Configuration Archive Toolbar

New Config Version Dialog Box, page E-14

Defining Configuration Archive Settings, page 2-46

Using Rollback to Deploy Archived Configurations

Viewing and Comparing Configurations

Viewing Transcripts

Customizing the Configuration Archive Toolbar

In the right pane you can view and sort configuration file versions by version ID, creation date, creator, archival source, creation comment, and transcript. You can rearrange the column headings to appear in any order, and you can hide columns that you do not find useful.

This procedure will help you add or remove toolbar buttons.

Procedure


Step 1 Select Tools > Configuration Archive to go to Configuration Archive.

Step 2 In the Device selector, click any device. The Security Manager Config Archive page populates with archived configuration versions. For a description of the fields in this page, see Table E-7 on page E-11.

Step 3 Right-click the Configuration Archive toolbar and select Show Columns. A list of toolbar buttons appears. A checkmark indicates that the button appears on the toolbar. No checkmark indicates that the button does not appear.

Step 4 Select buttons to include or deselect buttons to exclude from the toolbar.


Related Topics

Adding Configuration Versions to Archive

Configuration Archive Window, page E-10

Defining Configuration Archive Settings, page 2-46

Using Rollback to Deploy Archived Configurations

Viewing and Comparing Configurations

Viewing Transcripts

Viewing Transcripts

A transcript is the log file of Security Manager server and device transactions captured during a deployment or rollback operation. It includes the commands sent and received between the server and the device from the time of the deployment or rollback request. If a rollback is unsuccessful, a partial transcript might be generated, depending on the stage at which the rollback or deployment failed.

This procedure will help you view transcripts.

Procedure


Step 1 Select Tools > Configuration Archive to go to Configuration Archive.

In the Device selector, click the device for which you want to view a transcript. The Security Manager Config Archive page populates with archived configuration versions for the device you selected. For a description of the fields in this page, see Table E-9 on page E-15.

Step 2 Double-click the Transcript icon next to the configuration version whose transcript you want to view. The transcript for that configuration version appears.


Related Topics

Adding Configuration Versions to Archive

Configuration Version Viewer, page E-12

Customizing the Configuration Archive Toolbar

Using Rollback to Deploy Archived Configurations

Viewing and Comparing Configurations

Viewing and Comparing Configurations

You can view and compare any one full configuration version to any other in the archive from the configuration version viewer. You can view a delta configuration file from this viewer as well. A delta configuration file is generated by Security Manager during deployment and represents policy changes between the existing configuration and the one currently being deployed. Delta configuration versions contain command syntax different from that for full configuration versions, and include negation commands. A delta configuration file is available only for configuration versions in the archive that have been deployed to a device by Security Manager. When available, these can be viewed from the configuration version viewer.

This procedure will help you view and compare configurations.

Procedure


Step 1 Select Tools > Configuration Archive to go to Configuration Archive.

In the Device selector, click the device for which you want to view a full or delta configuration version. The Security Manager Config Archive page populates with archived configuration versions for the device you selected. For a description of the fields in this page, see Table E-9 on page E-15.

Step 2 Select the configuration version that you want to view or compare and click View.


Tip If you are comparing configuration versions, you only need to select one of the two in the version list.


The configuration version viewer opens. The configuration version you selected is in the left pane of the configuration version viewer. For details on interpreting the color coding in the file versions, and using the change indicator buttons, see Configuration Version Viewer, page E-12.

Step 3 To compare configuration versions, select a different version from the Compare with version list. The version you selected appears in the right pane of the configuration viewer.

Step 4 To view the delta configuration for the version in the left pane, click the Delta Configuration radio button. For details on interpreting the color coding in the file versions, and using the change indicator buttons, see Configuration Version Viewer, page E-12.
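The following Python sketch is an added illustration, not Security Manager code: it derives a simplified delta, including negation commands, between two constructed full configurations and flags the delta lines that merit a security review. It assumes flat, single-line global commands that are negated with a "no" prefix; the sample configurations, function names and review keywords are hypothetical.

```python
"""Simplified model of a delta configuration between two full configuration versions.

Assumptions (this is not Security Manager's algorithm): every command is a flat,
single-line global command, and a command is removed by prefixing it with "no ".
The position of a new entry inside an access list is not modeled.
"""

# Lines that differ between otherwise identical versions and carry no policy.
VOLATILE_PREFIXES = ("!", ":", "Cryptochecksum:")

# Constructed sample configurations in PIX/ASA style (not from a real device).
ARCHIVED = """\
: Saved
hostname edge-fw-01
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip any any
logging host inside 10.0.0.50
Cryptochecksum:aaaa
: end
"""

TARGET = """\
: Saved
hostname edge-fw-01
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 3389
access-list OUTSIDE_IN extended deny ip any any
ntp server 10.0.0.123
Cryptochecksum:bbbb
: end
"""


def commands(config_text):
    """Return the ordered commands of a full configuration, skipping volatile lines."""
    cmds = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(VOLATILE_PREFIXES):
            continue
        if line[0].isspace():
            # Indented lines belong to a sub-mode (for example under "interface");
            # negating them with a bare "no" would be wrong, so refuse them.
            raise ValueError(f"sub-mode command not supported by this flat model: {line!r}")
        cmds.append(line)
    return cmds


def negate(command):
    """Return the negation command for a flat command ("no X" <-> "X")."""
    return command[3:] if command.startswith("no ") else "no " + command


def delta(existing_text, target_text):
    """Commands that take a device from the existing to the target configuration."""
    existing, target = commands(existing_text), commands(target_text)
    existing_set, target_set = set(existing), set(target)
    removals = [negate(c) for c in existing if c not in target_set]
    additions = [c for c in target if c not in existing_set]
    return removals + additions


def needs_review(delta_cmds):
    """Heuristic (hypothetical keywords): delta lines that loosen the security posture."""
    flagged = []
    for cmd in delta_cmds:
        removed = cmd.startswith("no ")
        words = (cmd[3:] if removed else cmd).split()
        if not words:
            continue
        if not removed and words[0] == "access-list" and "permit" in words:
            flagged.append(cmd)  # a new permit entry widens access
        elif removed and (words[0] in ("logging", "aaa")
                          or (words[0] == "access-list" and "deny" in words)):
            flagged.append(cmd)  # logging, AAA or a deny entry is being removed
    return flagged


if __name__ == "__main__":
    changes = delta(ARCHIVED, TARGET)
    for cmd in changes:
        marker = "REVIEW" if cmd in needs_review(changes) else "      "
        print(marker, cmd)
```
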


Related Topics

Adding Configuration Versions to Archive

Viewing Transcripts

Using Rollback to Deploy Archived Configurations

You can roll back any configuration version from Configuration Archive to the device for which it is archived. The rolled-back configuration then becomes another archived version in the list for that device.

This procedure will help you roll back to an archived configuration.

Procedure


Step 1 Select Tools > Configuration Archive to go to Configuration Archive.

In the Device selector, click the device to which you want to roll back a different configuration version. The Security Manager Config Archive page populates with archived configuration versions for the device you selected. For a description of the fields in this page, see Table E-7 on page E-11.

Step 2 Highlight the device by clicking the device name.

Step 3 Highlight the configuration version to deploy to the device.

To view the configuration version before rollback, click View. For a description of the fields in this page, see Table E-8 on page E-14.

Step 4 Click Rollback to deploy the selected configuration version to the selected device. A progress box is displayed, followed by a notification message when the configuration version is successfully deployed. An error message appears if the deployment was not successful.


Related Topics

Adding Configuration Versions to Archive

Configuration Version Viewer, page E-12

Managing Deployment, page 15-1

Viewing and Comparing Configurations

Adding Configuration Versions to Archive

Configuration Archive is updated any time a configuration version is rolled back to a device, in the form of a new line item in the archive for the device to which you rolled back. You can manually add a configuration version to an archive for a device, either by polling the device directly or by cutting and pasting from a file that contains the device configuration.

The following topics describe adding configuration versions to the Configuration Archive:

Adding Configurations from a File to Configuration Archive

Adding Configurations from a Device to Configuration Archive

Adding Configurations from a File to Configuration Archive

You can add a configuration version to the Configuration Archive for a device from a file or by composing it directly in the dialog box. The file contains the commands making up the device configuration and the device credentials.

This procedure will help you add a configuration from a file.

Procedure


Step 1 Select Tools > Configuration Archive to go to Configuration Archive.

In the Device selector, click the device for which you want to add a new configuration version. The Security Manager Config Archive page populates with archived configuration versions for the device you selected. For a description of the fields in this page, see Table E-9 on page E-15.

Step 2 Click Add to view the shortcut menu.

Step 3 Select Add New Version. The New config version dialog box, for the device you selected in the Device selector, appears.

Step 4 Paste the configuration file version into the window, or enter it live in the dialog box.

Step 5 Enter the device password and confirm the password.

Step 6 To provide a username and enable password for the device, complete the associated fields.

Step 7 Click OK. The configuration version is added to the list of configuration versions with the current time and date in the Created On field.


Note After you click OK no further changes can be made. If you decide to make a change for any reason, you must add a new configuration version.



Related Topics

Adding Configurations from a Device to Configuration Archive

Configuration Version Viewer, page E-12

Using Rollback to Deploy Archived Configurations

Viewing and Comparing Configurations

Adding Configurations from a Device to Configuration Archive

You can retrieve a configuration directly from the device to add to the Configuration Archive. This is useful when changes have been made directly to device configurations (out-of-band changes outside the scope of Security Manager).


Note Configurations cannot be fetched from those devices that are managed by AUS, and have been configured with dynamic IP addresses.


This procedure will help you fetch a configuration from a device and add it to the archive for that device.

Procedure


Step 1 Select Tools > Configuration Archive to go to Configuration Archive.

In the Device selector, click the device whose running configuration you want to retrieve. The Security Manager Config Archive page populates with archived configuration versions for the device you selected. For a description of the fields in this page, see Table E-9 on page E-15.

Step 2 Click Add to view the Add configuration version menu.

Step 3 Click Fetch New Version from Device. The configuration version is added to the list of configuration versions in Configuration Archive.

Step 4 Locate the Creation Comment next to the version you just added to verify the new version was added. Time, date, and userid appear in this column.


Note You will receive a notification message if the retrieval was successful, and an error message if it was not.



Related Topics

Adding Configurations from a File to Configuration Archive

Configuration Version Viewer, page E-12

Using Rollback to Deploy Archived Configurations

Viewing and Comparing Configurations

Backup and Restore

You can back up and restore the Security Manager database using Common Services. From the Backup page you can schedule immediate, daily, weekly, or monthly automatic backups. The Backup page is accessible from the Tools menu by selecting Tools > Backup. For more information, click Help from the Common Services Backup page. Restoration of the Security Manager database and data files is supported only by running a script on the command line.

A procedure for backup and restore is documented in the Common Services documentation. We strongly recommend you take a backup of your current system before restoring an older backup. For information and a procedure on restoring the database, please see http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.0/user/guide/admin.html.


Note While backing up and restoring data, both Common Services and Security Manager processes will be shut down and restarted.


You cannot restore a backup from an earlier version of Security Manager into Security Manager 3.0.2 if that backup contains any pending data, meaning data that has not been committed to the database. Before upgrading to a new version of Cisco Security Manager, we recommend committing or discarding all uncommitted changes and then creating a backup of your database. You can use the following instructions to help with committing or discarding pending data:

In non-Workflow mode:

To commit changes, select File > Submit.

To discard uncommitted changes, select File > Discard.


Note If there are multiple users with pending data, the changes for those users must also be committed or discarded. If you need to commit or discard changes for another user, you can take over that user's session. To take over a session, select Tools > Security Manager Administration > Take Over User Session.


In Workflow mode:

To commit changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Submit.


Note If you have enabled the activity approval requirement, you must also approve all activities after submitting. To approve an activity, select Tools > Activity Manager. From the Activity Manager window, select an activity and click Approve.


To discard uncommitted changes, select Tools > Activity Manager. From the Activity Manager window, select an activity, then click Discard. Only an activity in the Edit or Edit Open state can be discarded.

Using Security Manager Diagnostics

The following topics describe how to gather troubleshooting information and contact the Technical Assistance Center (TAC) for help:

Diagnostic Utility Executable Menu Item

Diagnostic Utility Executable Menu Item

You can use the diagnostic utility to run diagnostics on your system. A file with diagnostic information, CSMDiagnostics.zip, is generated and saved to a specified location on your server. This file is useful when working with the TAC to troubleshoot.

This procedure will help you generate a diagnostic file for troubleshooting purposes.

Procedure


Step 1 Select Tools > Security Manager Diagnostics to begin file generation. The Security Manager Diagnostics dialog box appears.

Step 2 Click OK to begin generating the diagnostics file. A Security Manager Diagnostics progress indicator shows the progress of the file generation.


Tip Click Cancel at any time to exit the utility.


When file generation is complete, a confirmation dialog box indicates that the file has been created, with a message similar to "Diagnostic file CSMDiagnostic.zip is generated in the directory C:\PROGRA~\CSCOpx\MDC\etc on the server Security Manager server name."


Tip We recommend that you rename this file so it will not get overwritten each time this utility is run.