Table Of Contents
Managing Devices
Preparing the Devices for Security Manager to Manage
Setting Up SSL
Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
Setting Up SSL on Cisco IOS Routers
Setting Up SSH
Testing Authentication
Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices
Preventing Non-SSH Connections—Optional
Setting Up AUS
Setting Up AUS on PIX Firewall and ASA Devices
Setting Up CNS Gateway on an Auto Update Server
Setting Up CNS
Setting Up CNS on PIX Firewall and ASA Devices
Setting Up CNS on Cisco IOS Routers
Setting Up TMS
Changing the Device Transport Protocol on Cisco IOS Routers
Understanding the Device View
Filtering the Device Selector
Adding Devices to the Security Manager Inventory
Choosing the Method for Adding Devices
Adding Devices from the Network
Providing Device Information—Network
Providing Device Credentials
Grouping Devices
Adding Catalyst 6500/7600 Devices from the Network
Adding VPN SPA Slot Locations
Adding Devices from a Configuration File
Providing Device Information—Config File
Grouping Devices
Adding a New Device
Providing Device Information—New Device
Providing Device Credentials
Grouping Devices
Adding Devices from DCR
Providing Device Information—DCR
Grouping Devices
Working with Devices with Dynamically Assigned IP Addresses
Understanding Auto Update Server and Configuration Engine
Adding an Auto Update Server or Configuration Engine
Adding an Auto Update Server or Configuration Engine When Adding a New Device
Adding an Auto Update Server When Adding a Device from Network
Editing the Auto Update Server or Configuration Engine Information
Editing an Auto Update Server or Configuration Engine When Adding a New Device
Editing the Auto Update Server Information when Adding Device from Network
Understanding Device Credentials
Device Contact Credentials Naming Guidelines
Device Validation Error Messages Displayed When Adding Devices
Understanding Device Properties
Defining Device Properties
Editing Device Properties
Viewing Device Properties
Working with Device Policies
Cloning a Device
Managing Devices with IPS Manager
Deleting Devices from the Security Manager Inventory
Understanding Device Grouping
Working With Groups
Creating Group Types
Creating Groups
Creating Subgroups
Deleting Group Types, Groups, or Subgroups
Modifying the Group Type or Group Name
Adding Devices to Groups
Device Inventory Exporting
Inventory Export CLI Syntax
Exporting a Device Inventory Report
Managing Devices
Before you can manage devices in Security Manager, you must prepare the devices for management, then add those devices to the Security Manager device inventory from the Devices page. After you add the devices, you can view and edit device information, delete devices from the inventory, copy and share policies, clone devices, and so on. The following topics describe how to manage devices:
• Preparing the Devices for Security Manager to Manage
• Understanding the Device View
• Adding Devices to the Security Manager Inventory
• Working with Devices with Dynamically Assigned IP Addresses
• Understanding Device Credentials
• Understanding Device Properties
• Working with Device Policies
• Cloning a Device
• Managing Devices with IPS Manager
• Deleting Devices from the Security Manager Inventory
• Understanding Device Grouping
• Device Inventory Exporting
Preparing the Devices for Security Manager to Manage
To enable communication between Security Manager and devices, you must configure transport settings on the devices before you add them to the inventory.
Security Manager uses Secure Socket Layer (SSL) as the default transport protocol for PIX Firewall, Adaptive Security Appliances (ASA), Firewall Service Modules (FWSM), and Cisco IOS routers. Therefore, you must configure SSL on these devices. For SSL configuration details, see Setting Up SSL.
Security Manager uses Secure Shell (SSH) as the default transport protocol for Catalyst 6500/7600 devices. Therefore, you must configure SSH on these devices. For configuration details, see Setting Up SSH.
You must configure both SSH and SSL transport protocols on Cisco IOS routers. Security Manager uses SSH connections to handle interactive command deployments during SSL deployments. Although SSL is the default, you can change the default to SSH. To change the default protocol from SSL to SSH, see Changing the Device Transport Protocol on Cisco IOS Routers. For SSH configuration details, see Setting Up SSH.
In addition to SSL and SSH, Security Manager supports staged delivery of configurations using AUS, CNS, and TMS transport protocols. Instead of sending configurations directly to devices, Security Manager sends them to another location, such as an Auto Update Server, Configuration Engine, or Token Management Server; then the device communicates with the appropriate server and downloads the configuration files.
If the device has a static IP address, you must configure the default transport protocols (SSL or SSH) for discovering and deploying the configurations on the device (Table 5-1).
If the device has a dynamic IP address, and it is managed by an Auto Update Server or a CNS-Configuration Engine, you can configure AUS or CNS on that device (Table 5-1).
If a Cisco IOS router has a dynamic IP address and is configured to use an Auto Update Server/CNS Gateway, Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the router. For such routers, you must configure SSL and SSH in addition to the CNS transport protocol.
Table 5-1 summarizes the types of devices and the transport settings they support.
Table 5-1 Devices and Transport Settings

Devices | Transport Settings
PIX Firewall, ASA, FWSM and Cisco IOS routers (default) | SSL
Cisco IOS routers | SSH
Catalyst 6500/7600 devices (default) | SSH
PIX and ASA devices—For devices managed by an Auto Update Server | AUS
Cisco IOS routers—For devices managed by a CNS-Configuration Engine | CNS
Cisco IOS routers—For devices managed by a Token Management Server | TMS
For details about device types and associated server fields, discovery and deployment methods, and transport protocols used for each device type, see Device Types and Associated Server Fields—Add New Device.
For information about device types, the IP types they support (static or dynamic), and discovery and deployment methods, see Device Type and Supported IP Types - Add Device from Network.
Related Topics
• Setting Up SSL
• Setting Up SSH
• Setting Up AUS
• Setting Up CNS
• Setting Up TMS
• Changing the Device Transport Protocol on Cisco IOS Routers
Setting Up SSL
Security Manager deploys the configuration to the device using a Secure Socket Layer (SSL) protocol. With this protocol, Security Manager encrypts the configuration file and sends it to the device.
The following topics describe how to set up SSL on devices:
• Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
• Setting Up SSL on Cisco IOS Routers
Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
Table 5-2 describes the tasks to complete before you use SSL as the transport protocol for device management on PIX Firewall, ASA, and FWSM devices.
Table 5-2 Setting Up SSL on PIX Firewall, ASA, and FWSM Devices

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.
Respond to the prompts appropriately. Here are some tips:
1. Enter y when the prompt asks if you want to preconfigure using interactive prompts.
2. Enter the current enable password.
3. Specify the time zone, year, month, day, and time.
4. If the device:
   – Is new — Specify the network interface IP address of the device and the network mask that applies to the inside IP address.
   – Exists — Verify that the interface IP address and mask are correct.
5. If the device:
   – Is new — Specify the hostname and the domain name.
   – Exists — Verify that the hostname and domain name are correct.
6. When prompted for the IP address of the host that runs the PIX Device Manager, specify the IP address of the Security Manager server.
7. Enter yes when the prompt asks if you want to write the above changes to Flash.

Step 2
Enter: hostname(config)# http server enable
Result: Enables the HTTP server.

Step 3
Enter: hostname(config)# http ip_address [netmask] [if_name]
Result: Specifies the host or network authorized to initiate an HTTP connection to the device.
• ip_address - IP address of the Security Manager server.
• netmask - Network mask for the http ip_address.
• if_name - Device interface name (default is inside) from which Security Manager initiates the HTTP connection.

Step 4
Enter: hostname(config)# write memory
Result: Stores the current configuration in Flash memory.
Setting Up SSL on Cisco IOS Routers
Table 5-3 describes the tasks to complete before you use SSL as the transport protocol for device management on Cisco IOS routers.
Table 5-3 Setting Up SSL on Cisco IOS Routers

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# username <username> privilege 15 password 0 <password>
Result: Configures level 15 privilege.
SSL requires that you have level 15 privileges to log in to a Cisco IOS router.

Step 5
Enter: router1(config)# no aaa authorization network <list-name>
Result: (Optional) Disables AAA authorization.
If you are using AAA for authorization but would like to use local authorization, use this command to disable the AAA authorization.
• list-name - Character string used to name the list of authorization methods.

Step 6
Enter: router1(config)# no aaa authentication login <list-name>
Result: (Optional) Disables AAA authentication at login.
If you are using AAA for authentication but would like to use local authentication, use this command to disable the AAA authentication.
• list-name - Character string used to name the list of authentication methods activated when a user logs in.

Step 7
Enter: router1(config)# ip http authentication local
Result: (Optional) Enables local authentication for SSL.
Enables Security Manager to authenticate with the local username you created in step 4.
Note If you do not enter this command, the default enable password is used for authentication.
Note You can either enable AAA authentication or local authentication. To enable AAA authentication, enter the commands in step 8 and step 9. To enable local authentication, enter the command in this step.

Step 8
Enter: router1(config)# ip http authentication aaa
Result: (Optional) Enables AAA authentication/authorization for SSL.
Note You can either enable AAA authentication or local authentication. To enable AAA authentication, enter the commands in step 8 and step 9. To enable local authentication, enter the command in step 7.

Step 9
Enter:
router1(config)# ip http authentication aaa login-authentication <list-name>
router1(config)# ip http authentication aaa exec-authorization <list-name>
Result: (Optional) If multiple AAA lists are defined, you must enter these commands.
These commands authenticate the user that is contacting the device using the HTTPS protocol. The authentication uses AAA.
• list-name - Character string used to name the list of AAA server groups.
Note You can either enable AAA authentication or local authentication. To enable AAA authentication, enter the commands in step 8 and step 9. To enable local authentication, enter the command in step 7.

Step 10
Enter: router1(config)# ip http secure-server
Result: Enables the HTTPS server.

Step 11
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 12
Enter: router1# show ip http server secure status
Result: Verifies that SSL is set up on the device. The device responds with an "enabled" status.
Setting Up SSH
Security Manager deploys the configuration to Cisco IOS routers and Catalyst 6500/7600 devices using Secure Shell (SSH). SSH provides strong authentication and secure communications over insecure channels. Security Manager supports both SSHv1.5 and SSHv2. Once connected to the device, Security Manager determines which version to use and downloads using that version.
The following topics describe the tasks required to set up SSH on Cisco IOS routers and Catalyst 6500/7600 devices:
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices
• Preventing Non-SSH Connections—Optional
Note Security Manager supports Catalyst 6500/7600 devices running the Cisco IOS software only.
Testing Authentication
Before you set up SSH, you must test authentication without SSH to make sure the device can be authenticated. You can authenticate with a local username and password or with an authentication, authorization, and accounting (AAA) server running TACACS+ or RADIUS.
To test authentication without SSH using a local or AAA server username and password, enter the commands described in Table 5-4.
Table 5-4 Testing Authentication Without SSH

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: hostname(config)# aaa new-model
Result: Uses the local username and password in the absence of aaa statements.
Note On Cisco IOS routers, you can use the login local command on vty lines instead of the aaa new-model command.

Step 3
Enter: hostname(config)# username <name> password 0 <password>
Result: Configures the user in the local database of the device. This command is optional.

Step 4
Enter: hostname(config)# exit
Result: Exits configuration mode.

Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
Related Topics
• Setting Up SSH
• Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices
• Preventing Non-SSH Connections—Optional
Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices
Table 5-5 describes the tasks required to set up SSH on Cisco IOS routers and Catalyst 6500/7600 devices.
Note You must configure SSH on Cisco IOS routers because Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Table 5-5 Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# crypto key generate rsa
Result: Generates the RSA key pair for the SSH session.
When the device prompts you to enter the size of the modulus, we recommend that you enter 1024.

Step 5
Enter: router1(config)# ip ssh timeout <time>
Result: (Optional) Sets the timeout interval in minutes.

Step 6
Enter: router1(config)# ip ssh authentication-retries <n>
Result: (Optional) Sets the number of retries.

Step 7
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 8
Enter: router1# write memory
Result: Saves the configuration changes.
Related Topics
• Setting Up SSH
• Testing Authentication
• Preventing Non-SSH Connections—Optional
Preventing Non-SSH Connections—Optional
After configuring SSH, you can configure the Cisco IOS routers and Catalyst 6500/7600 devices to use SSH connections only. To prevent non-SSH connections, enter the commands described in Table 5-6.
Table 5-6 Preventing Non-SSH Connections (Optional)

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: hostname(config)# line vty <first line number> <last line number>
Result: Sets up the router for Telnet access.
• first line number - valid values are 0-1180.
• last line number - valid values are 1-1180.

Step 3
Enter: hostname(config-line)# transport input ssh
Result: Prevents non-SSH connections, such as telnet.

Step 4
Enter: hostname(config-line)# end
Result: Exits configuration mode.

Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
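The steps in Tables 5-3, 5-5 and 5-6 leave a footprint in the router's running configuration, so a defender can verify them without logging in interactively. The following script is an added example, not part of Security Manager or Cisco IOS: it audits a saved running-config for the hostname, domain name, privilege-15 local user, HTTP authentication method and HTTPS server from Table 5-3, and for vty lines restricted to SSH as in Table 5-6. The sample configuration is constructed for the example; the RSA key generation of Table 5-5 is an EXEC-time action that does not appear in a running-config and is therefore not checked.

```python
"""Audit a Cisco IOS running-config for the Security Manager transport
prerequisites described in Tables 5-3, 5-5 and 5-6.

Added example; not part of the Security Manager product or Cisco IOS. The
checks follow only the commands listed in those tables, and the sample
configuration is constructed for the example."""
import re

# Constructed sample running-config. The second vty range still permits
# telnet, so the audit should flag it.
SAMPLE_CONFIG = """\
hostname router1
ip domain-name example.test
username csm privilege 15 password 0 REPLACE_ME
ip http authentication local
ip http secure-server
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_vty_transports(config):
    """Return {(first, last): [transport tokens]} for every 'line vty' block.

    A vty block without a 'transport input' line is recorded with an empty
    list so the audit can flag it as not restricted to SSH."""
    blocks = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)\s*$", line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            blocks[current] = []
            continue
        if current is not None and line.startswith(" "):
            m = re.match(r"^\s+transport input (.+)$", line)
            if m:
                blocks[current] = m.group(1).split()
        elif current is not None:
            current = None  # a non-indented line ends the line block
    return blocks


def audit_transport(config):
    """Return {check name: True if present, False if missing}.

    Keys mirror the table steps: hostname and domain name (Table 5-3 steps
    2-3), a privilege-15 local user (step 4), an HTTP authentication method
    (steps 7-9), the HTTPS server (step 10) and SSH-only vty lines (Table 5-6
    step 3)."""
    lines = [l.strip() for l in config.splitlines()]

    def present(pattern):
        return any(re.match(pattern, l) for l in lines)

    vty = parse_vty_transports(config)
    # Every vty range must allow ssh and nothing else; no vty block at all
    # also fails, because the restriction then has not been applied.
    ssh_only = bool(vty) and all(t == ["ssh"] for t in vty.values())

    return {
        "hostname": present(r"^hostname \S+"),
        "ip_domain_name": present(r"^ip domain-name \S+"),
        "priv15_local_user": present(r"^username \S+ privilege 15 "),
        "http_authentication": present(r"^ip http authentication (local|aaa)"),
        "https_server": present(r"^ip http secure-server$"),
        "vty_ssh_only": ssh_only,
    }


def missing_checks(config):
    """Names of the prerequisites the config does not satisfy, in table order."""
    return [name for name, ok in audit_transport(config).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit_transport(SAMPLE_CONFIG).items():
        print(f"{name:22s} {'ok' if ok else 'MISSING'}")
    print("missing:", missing_checks(SAMPLE_CONFIG))
```

Run it against the output of `show running-config` saved to a file; for the constructed sample it reports only `vty_ssh_only` as missing, because the `line vty 5 15` range still accepts telnet.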
Related Topics
• Setting Up SSH
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices
Setting Up AUS
Security Manager deploys configuration files to the Auto Update Server, where they are stored for later retrieval by the device.
The following topics provide more information:
• Setting Up AUS on PIX Firewall and ASA Devices
• Setting Up CNS Gateway on an Auto Update Server
Setting Up AUS on PIX Firewall and ASA Devices
Devices, such as PIX Firewall and ASA, use the AUS protocol to contact the Auto Update Server for configuration (and image) updates. See the Auto Update Server product documentation for more information.
Table 5-7 describes the tasks to complete before you use AUS as the transport protocol for device management on PIX Firewall and ASA devices.
Table 5-7 Setting Up AUS on PIX Firewall and ASA Devices

Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: hostname(config)# auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
Result: Connects to the AUS.
• username - The username is the one you enter when you use Security Manager.
• password - The password is the one you enter when you use Security Manager.
• The port number is typically 443.

Step 3
Enter: hostname(config)# auto-update poll-period poll_period [retry_count] [retry_period]
Result: Specifies the polling period for AUS.
• poll_period - Polling period interval between two updates. Default is 720 minutes (12 hours).
• retry_count - (Optional) Number of times to retry if the server connection attempt fails. Default is 0.
• retry_period - (Optional) Number of minutes between retries. Default is 5.

Step 4
Enter: hostname(config)# auto-update device-id hardware-serial | hostname | ipaddress [<if_name>] | mac-address [<if_name>] | string <text>
Result: Configures the device to use the specified unique device ID to identify itself.
• if_name - Device interface name (default is inside).
• text - A unique string name.

Step 5
Enter: hostname(config)# write memory
Result: Saves the configuration changes.
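Because the auto-update server URL in step 2 embeds the AUS username and password, a PIX or ASA configuration that carries it cannot be shared or archived as-is. The following script is an added example, not part of Security Manager or the PIX/ASA software: it extracts the AUS settings of Table 5-7 from a configuration, fills in the documented defaults for the poll-period values, flags a URL that is not HTTPS or has no password, and returns the server URL with the password redacted. The sample configuration and its credential values are constructed for the example.

```python
"""Summarize and redact the Auto Update Server settings of Table 5-7 from a
PIX/ASA configuration.

Added example; not part of the Security Manager product or the PIX/ASA
software. The sample configuration and credentials below are constructed."""
from urllib.parse import urlsplit, urlunsplit

SAMPLE_CONFIG = """\
hostname pix1
auto-update server https://csmadmin:S3cret@192.0.2.10:443/autoupdate/AutoUpdateServlet
auto-update poll-period 60 3
auto-update device-id hostname
"""

# Defaults stated in Table 5-7, step 3: 720 minutes, 0 retries, 5 minutes.
DEFAULT_POLL_PERIOD, DEFAULT_RETRY_COUNT, DEFAULT_RETRY_PERIOD = 720, 0, 5


def redacted_url(u):
    """Rebuild a split URL with the password replaced by '***'."""
    if u.password is None:
        return urlunsplit(u)
    netloc = "%s:***@%s" % (u.username, u.hostname)
    if u.port is not None:
        netloc += ":%d" % u.port
    return urlunsplit((u.scheme, netloc, u.path, u.query, u.fragment))


def parse_auto_update(config):
    """Return the AUS settings found in config, with defaults applied.

    'problems' lists conditions a reviewer should look at: a non-HTTPS server
    URL, a URL without a password, or no auto-update server at all."""
    settings = {
        "server": None, "username": None, "host": None, "port": None,
        "poll_period": DEFAULT_POLL_PERIOD,
        "retry_count": DEFAULT_RETRY_COUNT,
        "retry_period": DEFAULT_RETRY_PERIOD,
        "device_id": None, "problems": [],
    }
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["auto-update", "server"] and len(tokens) == 3:
            u = urlsplit(tokens[2])
            if u.scheme != "https":
                settings["problems"].append("auto-update server URL is not https")
            if u.password is None:
                settings["problems"].append("auto-update server URL has no password")
            settings["username"], settings["host"], settings["port"] = u.username, u.hostname, u.port
            settings["server"] = redacted_url(u)
        elif tokens[:2] == ["auto-update", "poll-period"]:
            # poll_period is mandatory; retry_count and retry_period optional.
            values = [int(t) for t in tokens[2:5]]
            settings.update(zip(["poll_period", "retry_count", "retry_period"], values))
        elif tokens[:2] == ["auto-update", "device-id"]:
            settings["device_id"] = " ".join(tokens[2:])
    if settings["server"] is None:
        settings["problems"].append("no auto-update server configured")
    return settings


if __name__ == "__main__":
    for key, value in parse_auto_update(SAMPLE_CONFIG).items():
        print(f"{key:13s} {value}")
```

The redacted summary is what goes into a ticket or a change record; the original line stays only in the device configuration and in whatever credential store the AUS password was issued from.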
Setting Up CNS Gateway on an Auto Update Server
An Auto Update Server can provide the CNS event-bus feature to Cisco IOS routers that have dynamic IP addresses obtained from a DHCP server. Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the device. To configure CNS on a Cisco IOS router in event-bus mode, see Table 5-8.
If you changed the CNS password on a Cisco IOS router, you must change the password in the Auto Update Server also. See Changing the Default CNS Bootstrap Password in the Auto Update Server.
Changing the Default CNS Bootstrap Password in the Auto Update Server
The default CNS bootstrap password configured in an Auto Update Server is callhome. If you changed the CNS password on the router (step 7, Table 5-8), you must change the default CNS bootstrap password in the Auto Update Server also.
This procedure describes how to change the default CNS bootstrap password in an Auto Update Server.
Procedure
Step 1
Open the Windows command prompt on the machine where you installed AUS.
Step 2
Navigate to the directory ..\CSCOpx\MDC\autoupdate\bin\eventgateway. For example, enter cd C:\Progra~1\CSCOpx\MDC\autoupdate\bin\eventgateway if C:\Progra~1\CSCOpx\ is the directory where you installed AUS.
Step 3
Enter cnspassword.pl <password>.
where <password> is the same CNS password you set on the device.
The Perl executable file must be in a directory defined in the $PATH environment variable. Otherwise, issue the command from the directory where perl was installed. For example, enter C:\Progra~1\CSCOpx\bin\perl cnspassword.pl <password>
Step 4
Restart the Daemon Manager if it is running.
Related Topics
• Setting Up CNS on Cisco IOS Routers
Setting Up CNS
Security Manager deploys the configuration file to the Cisco Configuration Engine, where it is stored for later retrieval from the device. Devices, such as Cisco IOS router, PIX Firewall, and ASA that use a Dynamic Host Configuration Protocol (DHCP) server, contact the Cisco Configuration Engine for configuration (and image) updates. See the Cisco Configuration Engine product documentation for more information.
The following topics describe how to set up CNS on devices:
• Setting Up CNS on PIX Firewall and ASA Devices
• Setting Up CNS on Cisco IOS Routers
Setting Up CNS on PIX Firewall and ASA Devices
If PIX Firewall and ASA devices are configured for CNS, they use the AUS protocol. The required steps are identical to the steps that you follow when you configure PIX Firewall and ASA for AUS. See Setting Up AUS.
Setting Up CNS on Cisco IOS Routers
The following tables describe the tasks to complete before you use CNS as the transport protocol for device management on Cisco IOS routers. You can configure CNS in the event-bus mode or the call-home mode.
• To configure CNS in event-bus mode, see Table 5-8.
• To configure CNS in call-home mode, see Table 5-9.
Table 5-8 Setting Up CNS on Cisco IOS Routers in Event-Bus Mode

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# cns trusted-server all-agents <ip_address>
Result: Specifies the trusted server for the CNS agent.
• ip_address - The IP address of the trusted server.

Step 5
Enter: router1(config)# cns event <ip_address> [port]
Result: Configures the CNS event gateway, which provides CNS event services to Cisco IOS clients.
• ip_address - IP address of the event gateway.
• port - The port is an optional parameter, and by default it is either 11011 (with no encryption) or 11012 (with encryption).

Step 6
Enter: router1(config)# cns config partial <ip_address>
Result: Starts the CNS configuration agent and accepts a partial configuration.

Step 7
Enter: router1(config)# cns password <password>
Result: Sets the CNS password.
• <password> - The password you want to set on the router.
You can set the CNS password to callhome (which is the default bootstrap password in AUS) or you can set a different password.
If you set a different password on the router, you must change the default CNS bootstrap password in the Auto Update Server. For instructions, see Changing the Default CNS Bootstrap Password in the Auto Update Server.
Note For information on how to authenticate a Cisco IOS router on a Configuration Engine, see the Cisco CNS Configuration Engine Administrator Guide.

Step 8
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.

Step 9
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 10
Enter: router1# copy running startup
Result: Saves the configuration changes to NVRAM.
Table 5-9 Setting Up CNS on Cisco IOS Routers in Call-Home Mode

Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).

Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.

Step 4
Enter: router1(config)# cns trusted-server all-agents <ip_address>
Result: Specifies the trusted server for the CNS agent.
• ip_address - IP address of the trusted server.

Step 5
Enter: router1(config)# kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
Result: Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.
• occurrence-name - Name of occurrence. Length of occurrence-name is from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.
• username - (Optional) Name of user.
• numdays: - (Optional) Number of days. Identifies that the occurrence is to run after a specified time interval. The timer starts when the occurrence is configured. If used, add a colon after the number.
• numhours: - (Optional) Number of hours. If used, add a colon after the number.
• nummin - Number of minutes.
• hours: - Hour as a number using the 24-hour clock. Identifies that the occurrence is to run at a specified calendar date and time. Add a colon after the number.
• min - Minute as a number.
• month - (Optional) Month name. If used, you must also specify day-of-month.
• day-of-month - (Optional) Day of month as a number.
• day-of-week - (Optional) Name of the day of the week.
• oneshot - Identifies that the occurrence is to run only once. After the occurrence runs, the configuration is removed.
• recurring - Identifies that the occurrence is to run on a recurring basis.

Step 6
Enter: router1(config-kron-occurrence)# policy-list <list-name>
Result: Specifies the policy list associated with a Command Scheduler occurrence.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
• list-name - Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.

Step 7
Enter: router1(config-kron-occurrence)# exit
Result: Exits kron-occurrence configuration mode and returns to configuration mode.

Step 8
Enter: router1(config)# kron policy-list <list-name>
Result: Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode.
• list-name - Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.

Step 9
Enter: router1(config-kron-policy)# cli cns config retrieve <ip_address> page /cns/JobbedDynaConfig status http://<ip_address>/cns/PostStatus
Result: Retrieves the config from the staged CNS job.
• ip_address - IP address of the CNS server.
• JobbedDynaConfig status - You must use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job; otherwise, the device retrieves the template associated with the device.

Step 10
Enter: router1(config-kron-policy)# exit
Result: Exits kron-policy configuration mode and returns to configuration mode.

Step 11
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.

Step 12
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 13
Enter: router1# copy running startup
Result: Saves the configuration changes to NVRAM.
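The kron occurrence syntax in step 5 of Table 5-9 packs two different schedule forms, an interval and a calendar time with optional month, day-of-month and day-of-week, into one command line, and a mis-typed schedule means the router silently never pulls its staged configuration. The following parser is an added example, not part of Security Manager or Cisco IOS; it reads a kron occurrence line according to the grammar given in the table, converts the interval form into a total number of minutes, and rejects anything that does not fit the grammar. The command lines it is tested with are constructed for the example.

```python
"""Parse the 'kron occurrence' command of Table 5-9 into a structured form.

Added example; not part of the Security Manager product or Cisco IOS. The
grammar implemented is exactly the one printed in the table:
  kron occurrence occurrence-name [user username]
      {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]}
      {oneshot | recurring}
Sample command lines used with it are constructed."""
import re

ONESHOT, RECURRING = "oneshot", "recurring"
MINUTES_PER_DAY, MINUTES_PER_HOUR = 1440, 60


def parse_kron_occurrence(line):
    """Return a dict describing one kron occurrence; raise ValueError if the
    line does not match the grammar above."""
    tokens = line.split()
    if tokens[:2] != ["kron", "occurrence"] or len(tokens) < 6:
        raise ValueError("not a complete kron occurrence command: %r" % line)
    name = tokens[2]
    if not 1 <= len(name) <= 31:
        raise ValueError("occurrence-name must be 1 to 31 characters")
    pos, user = 3, None
    if tokens[pos] == "user":           # optional [user username]
        user = tokens[pos + 1]
        pos += 2
    mode = tokens[-1]
    if mode not in (ONESHOT, RECURRING):
        raise ValueError("command must end with oneshot or recurring")
    body = tokens[pos:-1]               # the {in ... | at ...} part
    result = {"name": name, "user": user, "mode": mode}

    if body and body[0] == "in" and len(body) == 2:
        # Interval form: [[numdays:]numhours:]nummin, each field an integer.
        parts = body[1].split(":")
        if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
            raise ValueError("bad interval %r" % body[1])
        days, hours, mins = [0] * (3 - len(parts)) + [int(p) for p in parts]
        result.update(kind="in",
                      delay_minutes=days * MINUTES_PER_DAY + hours * MINUTES_PER_HOUR + mins)
    elif body and body[0] == "at" and 2 <= len(body) <= 5:
        # Calendar form: hours:min on the 24-hour clock, then optional parts.
        m = re.fullmatch(r"(\d{1,2}):(\d{2})", body[1])
        if not m or int(m.group(1)) > 23 or int(m.group(2)) > 59:
            raise ValueError("bad time %r" % body[1])
        rest = body[2:]
        month = day_of_month = day_of_week = None
        # [[month] day-of-month]: a month name must be followed by a day number.
        if len(rest) >= 2 and rest[0].isalpha() and rest[1].isdigit():
            month, day_of_month = rest[0], int(rest[1])
            rest = rest[2:]
        elif rest and rest[0].isdigit():
            day_of_month = int(rest[0])
            rest = rest[1:]
        if len(rest) == 1 and rest[0].isalpha():   # [day-of-week]
            day_of_week = rest[0]
            rest = []
        if rest:
            raise ValueError("unexpected tokens %r" % rest)
        result.update(kind="at", hour=int(m.group(1)), minute=int(m.group(2)),
                      month=month, day_of_month=day_of_month, day_of_week=day_of_week)
    else:
        raise ValueError("expected 'in <interval>' or 'at hours:min ...'")
    return result


if __name__ == "__main__":
    # Constructed examples of both schedule forms.
    for cmd in ("kron occurrence nightly-pull user csm in 1:2:30 recurring",
                "kron occurrence pull at 23:15 Sunday oneshot"):
        print(parse_kron_occurrence(cmd))
```

Feeding every `kron occurrence` line of a router's configuration through the parser during change review catches a schedule that parses as something other than what was intended before the router is left waiting for a configuration it will never retrieve.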
Related Topics
• Setting Up CNS Gateway on an Auto Update Server
• Changing the Default CNS Bootstrap Password in the Auto Update Server
Setting Up TMS
Security Manager uses FTP to deploy the configuration file to the Token Management Server (TMS), from which it can be downloaded and encrypted onto an eToken. The eToken can then be connected to the USB port of a router and the configuration downloaded. See TMS product documentation for more information.
To download the configuration from the eToken to the router, plug the eToken into the router, then enter the commands as described in Table 5-10.
Table 5-10 Setting Up TMS on Cisco IOS Routers

Step 1
Enter: router# crypto pki token <usb_token_id> login <PIN>
Result: Logs into the eToken.
• usb_token_id - Depending on the port in which the e-token is inserted, usb_token_id could either be usbtoken0 or usbtoken1.
• PIN - By default is 1234567890.

Step 2
Enter: router# config terminal
Result: Enters configuration mode from the terminal.

Step 3
Enter: router(config)# crypto pki token default secondary config CCCD
Result: Enables configuration provisioning with eToken.
CCCD is the private sector on the eToken where the configuration file resides. When you enter this command, the CLI on the e-token merges with the CLI on the router.

Step 4
Enter: router(config)# exit
Result: Exits configuration mode and returns to Exec mode.

Step 5
Enter: router# write memory
Result: Keeps the CLI on the router after you disconnect the eToken.
Changing the Device Transport Protocol on Cisco IOS Routers
Security Manager uses Secure Socket Layer (SSL) as the default transport protocol on Cisco IOS routers. Although SSL is the default, you can change the default to SSH.
• You can change the default protocol from SSL to SSH on all Cisco IOS routers from the Device Communication page. For the procedure, see Defining Connection and Transport Protocol Settings in the UI, page 2-53.
• You can change the default protocol from SSL to SSH on a single Cisco IOS router from the General page.
This procedure describes how to change the default protocol from SSL to SSH on a selected Cisco IOS router.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Do one of the following:
• In the Device selector, double-click the Cisco IOS router. The Device Properties page appears.
• In the Device selector, right-click the Cisco IOS router to display menu options, then select Device Properties. The Device Properties page appears.
Step 3
Click General. The General page appears.
Step 4
From the Transport Settings field, select SSH.
Step 5
Click Save.
Note If you select the Use Default option, the transport protocol set in the Device Communications page (Tools > Security Manager Administration > Device Communication) is used.
Related Topics
• General Page, page A-48
• Preparing the Devices for Security Manager to Manage
Understanding the Device View
Clicking the Device View button opens the Devices page, from which you can add and delete devices from the Security Manager inventory and manage device policies, properties, and interfaces centrally.
In this view, you can see all the devices that you are managing, and you can select specific devices to view their properties and define their settings and policies.
You can define security policies locally on specific devices. You can then share those policies to make them globally available to be assigned to other devices.
The Devices page contains two panes. The left pane contains two elements: the Device selector, located in the top left pane, and the Policies selector, located in the bottom left pane. The right pane is the main content area. Figure 5-1 shows the Devices page.
Figure 5-1 Devices Page
Device selector—Contains the following:
• Add and Delete buttons—Enables you to add and delete devices from the Security Manager inventory.
• Filter field—Enables you to display a subset of devices based on the filtering criteria you define. For details, see Filtering the Device Selector.
• Device tree—Lists the device groups and devices that you added to or created in the system. Each device type is represented by an icon. For information about the icons, see Figure 5-2.
Figure 5-2 Device Icons
1 | Adaptive Security Appliances (ASA)
2 | PIX Firewall
3 | Firewall Services Module (FWSM)
4 | Cisco IOS Router
5 | Catalyst 6500 Series Switch
6 | Catalyst 7600 Series Router
7 | VPN 3000 Concentrator
8 | Intrusion Prevention System (IPS)
• Device shortcut menu options—Provides easy access to several tasks, such as device properties, containment, cloning device, showing devices in a map, discovering policies on a device, and so on. You can access these options by selecting a device in the Device selector, then right-clicking the device. For a complete list of menu options, see Device Shortcut Menu Options, page A-65.
• Device Grouping shortcut menu options—Provides access to several grouping tasks, such as add group, edit group information, add devices to group, and add a device to Security Manager. For details, see Device Group Shortcut Menu Options, page A-69.
Policies selector—Contains the following:
• Policy groups—Lists the policy groups that are supported on the selected device type. The policy groups that are displayed depend on four factors:
– Type of device selected in the Device selector.
– Operating system supported on the device.
– Target operating system version running on the device.
– Containment of the device. For details, see Show Containment, page A-66.
For details, see Working with Device Policies.
• Device policies shortcut menu options—Provides easy access to several tasks, such as assign shared policy, share policy, unassign policy, rename policy, and so on. You can access these options by right-clicking a policy in the Policy selector. For a complete list of menu options, see Device Policies Shortcut Menu Options, page A-67.
Contents pane—The main content area. The information displayed on this page depends on the device you select from the Device selector and the option you select from the Policies selector.
Related Topics
• Devices Page, page A-2
• Adding Devices to the Security Manager Inventory
• Deleting Devices from the Security Manager Inventory
• Filtering the Device Selector
• Device Shortcut Menu Options, page A-65
• Device Policies Shortcut Menu Options, page A-67
• Device Group Shortcut Menu Options, page A-69
Filtering the Device Selector
You can view a subset of devices in the Device selector by defining the filtering criteria in the Create a Filter dialog box.
Note
• For each device tree, you can have a maximum of 10 filters for each user. After that, a newly created filter replaces the oldest one: the 11th filter replaces the first filter.
• After you create the filters, you cannot delete them.
• A filter that you created in the Devices page, window, or wizard is added to the filter list.
When you create a filter in the Devices page, it becomes the last-applied topmost active filter in the Device selector. This filter is carried forward from the Devices page to other windows and wizards as the first active filter.
However, if you apply a new filter to a window or a wizard, this filter is not carried backwards to the Devices page as the topmost active filter. The Devices page retains its original last-applied filter.
This procedure describes how to filter devices in the Device selector.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the arrow in the Filter field in the Device selector pane, then select Create Filter. The Create Filter dialog box appears.
Step 3
Select one of the following from the Filter Type field (first field):
• Name—Select this option to filter the devices by device name.
• Type—Select this option to filter the devices by device type.
Step 4
Select an option in the Filter Relation field (second field) to narrow down the filter results.
Step 5
Do one of the following:
• If you selected Name in the Filter Type field, enter a string value in the Filter Value field (third field): either the device name or part of the device name.
• If you selected Type in the Filter Type field, select the appropriate option in the Filter Value field (third field): ASA, ASA IPS, PIX Firewall, Catalyst 6500/7600, FWSM, IPSSM, Router, Cisco IDS Network Module, or Sensor.
Step 6
Click Add. Based on the filter name, filter relation, and filter value that you selected, a row of filter controls is displayed in the filter control content area.
To delete the selected row of filter controls from the filter control content area, click Remove.
Step 7
Click one of the following radio buttons:
• Match Any of the Following—Clicking this radio button creates an "or" relationship between all of the filter controls that you created in the filter control area.
• Match All of the Following—Clicking this radio button creates an "and" relationship between all of the filter controls that you created in the filter control area.
See Filter Control Relationship Example.
Step 8
Click OK. The filter is available from the filter field arrow in the Device selector pane.
Filter Control Relationship Example
To understand the "OR" and "AND" filter control relationship, see Table 5-11.
Table 5-11 Filter Control Relationship Example
Device type in Security Manager | Device name in Security Manager | Displayed for "Name contains a or Type is ASA" (OR relationship) | Displayed for "Name contains a and Type is ASA" (AND relationship)
PIX Firewall | pix_506 | - | -
PIX Firewall | pix_520 | - | -
ASA | asa_5510 | asa_5510 | asa_5510
Router | router_1601 | - | -
Router | ISDN_access_router_761 | ISDN_access_router_761 | -
Catalyst 6500/7600 | catalyst_6506 | catalyst_6506 | -
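The OR and AND relationship in Table 5-11, as an added Python example that is not part of this guide or of Security Manager itself: a small model of the filter controls run over the device types and names from the table. The `Device`, `FilterControl` and `apply_filter` names, the relation names "contains" and "is", and the behaviour with no controls are assumptions; the name match is a case-sensitive substring match, which is consistent with the table's results.

```python
# Added example, not from the Security Manager guide: a Python model of the
# Device selector filter controls and the "Match Any" / "Match All" relationship.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str


# Constructed inventory, taken from the device types and names in Table 5-11.
INVENTORY: List[Device] = [
    Device("pix_506", "PIX Firewall"),
    Device("pix_520", "PIX Firewall"),
    Device("asa_5510", "ASA"),
    Device("router_1601", "Router"),
    Device("ISDN_access_router_761", "Router"),
    Device("catalyst_6506", "Catalyst 6500/7600"),
]


@dataclass(frozen=True)
class FilterControl:
    """One row of filter controls: filter type, relation and value."""
    filter_type: str  # "Name" or "Type"
    relation: str     # "contains" or "is" (assumed relation names)
    value: str

    def matches(self, device: Device) -> bool:
        field = device.name if self.filter_type == "Name" else device.device_type
        if self.relation == "contains":
            return self.value in field          # case-sensitive substring match
        if self.relation == "is":
            return field == self.value
        raise ValueError(f"unsupported relation: {self.relation!r}")


def apply_filter(devices: Iterable[Device], controls: List[FilterControl],
                 match_any: bool) -> List[str]:
    """Return the names of the devices the filter displays.

    match_any=True  models "Match Any of the Following" (OR).
    match_any=False models "Match All of the Following" (AND).
    """
    devices = list(devices)
    if not controls:
        return [d.name for d in devices]        # assumed: no controls hides nothing
    combine = any if match_any else all
    return [d.name for d in devices
            if combine(c.matches(d) for c in controls)]


# The two controls from Table 5-11: "Name contains a" and "Type is ASA".
TABLE_5_11_CONTROLS = [
    FilterControl("Name", "contains", "a"),
    FilterControl("Type", "is", "ASA"),
]

if __name__ == "__main__":
    print("OR :", apply_filter(INVENTORY, TABLE_5_11_CONTROLS, match_any=True))
    print("AND:", apply_filter(INVENTORY, TABLE_5_11_CONTROLS, match_any=False))
```

Running the block prints the third and fourth columns of Table 5-11: the OR filter displays asa_5510, ISDN_access_router_761 and catalyst_6506, while the AND filter displays only asa_5510.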
Related Topics
• Create Filter Dialog Box, page A-3
• Understanding the Device View
Adding Devices to the Security Manager Inventory
When you add a device to Security Manager, you bring in a range of identifying information for the device, such as its DNS name and IP address. After you add the device, it appears in the Security Manager device inventory. You can manage a device in Security Manager only after you add it to the inventory.
You can add devices to the Security Manager inventory in the following ways:
• Add a device from the network.
• Add a new device that is not yet on the network.
• Add one or more devices from the Device and Credentials Repository (DCR).
• Add one or more devices from a configuration file.
To add devices to the Security Manager inventory, from the Devices page, click the Add button in the Device selector, then select the appropriate option. For more information, see Choosing the Method for Adding Devices.
Note
If you are working in ACS mode, you must first define the devices in ACS, then add them to the Security Manager inventory. See Associating NDGs and Roles with User Groups, page 2-38.
The following topics describe how to add devices to the Security Manager inventory:
• Choosing the Method for Adding Devices
• Adding Devices from the Network
• Adding Devices from a Configuration File
• Adding a New Device
• Adding Devices from DCR
• Working with Devices with Dynamically Assigned IP Addresses
Choosing the Method for Adding Devices
To add devices, click the Add button in the Device selector. The New Device - Choose Method page appears. Select one of the displayed options. Table 5-12 describes the options.
Note
You can add Catalyst 6500/7600 devices with VPN Services Module and devices with dynamic IP addresses only by direct device discovery.
Table 5-12 Choose Method
Method | Action
Add device from network | Add a connected live device from the network. If you want Security Manager to manage a device that is already running in the network, select the Add Device from Network option. When you add the device, you must specify whether the device has a static or a dynamic IP address. The IP address for a device with a dynamic IP address is retrieved from an Auto Update Server. See Adding Devices from the Network.
Add device(s) from config file | Add devices from a configuration file by either selecting a directory in which the configuration file resides or by selecting a single configuration file. If the configuration information of a device is in a file and you want to import that file into Security Manager, select the Add Device from Config File option. See Adding Devices from a Configuration File.
Add new device | Add a single device to the Security Manager inventory. You can use this option for preprovisioning: you can create the device in the system, assign policies to the device, and generate configuration files before receiving the device hardware. When you add the device, you must specify whether the device has a static or a dynamic IP address. The IP address for a device with a dynamic IP address is retrieved from an Auto Update Server or Configuration Engine. See Adding a New Device.
Add device(s) from DCR | Add devices to the Security Manager inventory from the Device and Credential Repository (DCR). The DCR resides in the CiscoWorks Server. DCR is a common repository of devices that stores device attributes and device credential information. If you previously added devices to DCR and you want Security Manager to manage them, select the Add Device from DCR option. See Adding Devices from DCR. For more information on DCR, see CiscoWorks Common Services User Guide 3.0.
Related Topics
• Understanding the Device View
• Add Device from Network Wizard, page A-7
• Add Device(s) from Config File Wizard, page A-25
• Add New Device Wizard, page A-29
• Add Device(s) from DCR Wizard, page A-40
Adding Devices from the Network
If a device is already running in the network and you want Security Manager to manage it, select the Add device from Network option. Depending on the device type, the system determines the appropriate protocol configured on the device, such as SSH, SSL, or CNS, and connects to the device.
When you add the device, you bring in a range of identifying information for the device, such as credentials, DNS name and IP address.
The following topics describe the pages in the Add Device from Network wizard:
• Providing Device Information—Network
• Providing Device Credentials
• Grouping Devices
This procedure describes how to add a device from network.
Before You Begin
• Prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage.
• If you are working in Workflow mode, and you want inventory and policies discovered, you must create an activity or open an existing one. For more information, see Chapter 7, "Managing Activities."
Note
If you are not working in Workflow mode, Security Manager automatically creates an activity. For more information, see Chapter 7, "Managing Activities."
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add Device(s) from Network, then click Next. The New Device - Device Information page appears.
Step 4
Enter the device information. For details, see Providing Device Information—Network.
Step 5
Click Next to continue. The Device Credentials page appears.
Step 6
Enter the device credentials information. See Providing Device Credentials.
Step 7
Do one of the following:
• Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Do one of the following on the Task Status page:
– Click Abort to end device import and discovery. This button is enabled during device import and discovery.
– Click Close to close this page. This button is enabled after device import and discovery are complete.
• Click Next to continue. The Device Grouping page appears.
Step 8
(Optional) Assign the device to a group. See Grouping Devices.
Note
If you add the device without specifying the information in the Device Grouping page, that device is added to the ALL folder in the Device selector. You can then manage that device directly from the ALL folder.
Step 9
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Step 10
Do one of the following on the Task Status page:
• Click Abort to end device import and discovery. This button is enabled during device import and discovery.
• Click Close to close this page. This button is enabled after device import and discovery are completed.
Step 11
If you are adding a Catalyst 6500/7600 device, you are asked if you want to proceed with FWSM inventory and policy discovery. Select Yes to display the Firewall Service Module Credentials page. For additional steps, see Adding Catalyst 6500/7600 Devices from the Network.
Note
• If you entered a display name that already exists in DCR (but not in Security Manager), a Duplicate Device Notification window appears. See Cannot Add a Display Name that Exists in DCR.
• If you entered a hostname and domain name combination that already exists in DCR (but not in Security Manager), a Duplicate DNS Hostname Domain Name window appears. See Cannot Add a DNS Hostname and Domain Name Combination that Exists in DCR.
Related Topics
• Add Device from Network Wizard, page A-7
• Understanding the Device View
• Providing Device Information—Network
• Providing Device Credentials
• Grouping Devices
• Adding Catalyst 6500/7600 Devices from the Network
Providing Device Information—Network
This procedure describes how to use the Device Information page to add device information.
Procedure
Step 1
Select one of the following from the IP type field:
• Static—Select this option if the device has a static IP address.
• Dynamic—Applies to Cisco IOS routers only. Select this option if the device has a dynamic IP address obtained from a CNS Gateway running on an Auto Update Server.
The device information fields displayed differ, depending on whether you select static or dynamic.
Step 2
If you selected Static, enter the hostname, domain name, IP address, display name, and OS type in the appropriate fields. For more information, see Device Information Page—Network, page A-8.
Step 3
If you selected Dynamic, do the following:
a. Enter the string value that uniquely identifies the device in Auto Update Server in the Device Identity field.
b. From the CNS Gateway field, click the arrow to display a list of available Auto Update Servers. Select the Auto Update Server that is running the CNS Gateway protocol.
Security Manager communicates with the Auto Update Server running the CNS Gateway protocol to retrieve the IP address of an IOS device, then performs discovery directly from the device.
If the Auto Update Server does not appear in the list, do the following:
• Click the arrow, then select + Add Auto Update Server... The Auto Update Server Properties dialog box appears.
• Enter the information in the required fields. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page A-12.
• After you click OK in the Auto Update Server Properties dialog box, the new Auto Update Server is added to the list of Available Servers.
c. Enter the display name.
For more information, see Device Information Page—Network, page A-8.
Step 4
Select the System Context check box if the device you are adding is a PIX Firewall 7.0, ASA, or FWSM device that meets the following criteria:
• The device supports system contexts.
• The device is running in multi-mode.
When this check box is selected, Security Manager discovers the device as a System Context instead of a Security Context.
Step 5
From the Discover field, select one of the discovery options:
• Policies and Inventory—When selected, discovers policies and interfaces. This is the default option. If you select this option, the following policies are displayed:
– Platform Settings—Also called platform-specific policy domains. For more information, see Service Policies vs. Platform-Specific Policies, page 6-3. If you do not want these discovered, deselect this check box.
– Firewall Policies—Also called firewall services. For details, see Firewall Services, page C-637. If you do not want these discovered, deselect this check box.
– Discover Policies for Security Context—Security contexts apply to PIX Firewall, ASA, or FWSM devices. This field is active for static IP type only.
• Inventory Only—When selected, discovers interfaces. If the device is a composite device, all the service modules in that device are discovered.
• No Discovery—When selected, Security Manager does not initiate discovery.
Step 6
Click Next to continue. The Device Credentials page appears. See Providing Device Credentials.
For information about device types, the IP types they support (static or dynamic), and discovery and deployment methods, see Device Type and Supported IP Types - Add Device from Network.
Device Type and Supported IP Types - Add Device from Network
Table 5-13 lists the device types, the IP types they support (static or dynamic), and discovery and deployment methods. It shows how what you select in the IP type field, static or dynamic, affects the discovery and deployment methods. For information about deployment, see Understanding Deployment Methods, page 15-11.
Table 5-13 Device Type and Supported IP Types - Add Device From Network
Device Type | Static or Dynamic IP Address | Discovery Method | Deployment Method
PIX Firewall, FWSM, or ASA | Static IP address is supported. | Discovers from device using the SSL transport protocol. | Deploys to a file, or to the device using the SSL transport protocol.
PIX Firewall, FWSM, or ASA | Dynamic IP address is not supported. | Not applicable. | Not applicable.
Cisco IOS routers | Static IP address is supported. | Discovers from device using the default transport protocol you selected, SSL or SSH. | Deploys to a file, or to the device using the SSL transport protocol.
Cisco IOS routers | Dynamic IP address is supported. From the CNS Gateway field, click the arrow to display a list of available Auto Update Servers, then select the Auto Update Server that is running the CNS Gateway protocol. | Discovers from device using the SSL transport protocol. Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the device, then performs discovery directly from the device. | Deploys to a file, or to the device using the SSL transport protocol: Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the device, then deploys directly to the device.
Catalyst 6500/7600 | Static IP address is supported. | Discovers from device using the SSH transport protocol. | Deploys to a file, or to the device using the SSH transport protocol.
Related Topics
• Device Information Page—Network, page A-8
• Adding Devices from the Network
• Providing Device Credentials
• Grouping Devices
• Discovering Policies, page 6-5
Providing Device Credentials
Use the Device Credentials page to add device credentials information. For information about device credentials, see Understanding Device Credentials.
Note
Primary Credentials are required for all device types. You can provide other credential information later by using the Edit Properties feature. For more information, see Editing Device Properties.
This procedure describes how to use the Device Credentials page.
Procedure
Step 1
Enter the Primary Credentials, such as the username, password, and enable password.
Step 2
(Optional) Enter the SDEE credentials, such as username and password.
SDEE credentials are displayed for devices that support Intrusion Prevention System (IPS), such as Cisco IOS routers, ASA, and IDS.
Step 3
Enter the HTTP credentials, such as HTTP port number, HTTPS port number, the certificate common name, and the mode: HTTP or HTTPS.
The HTTP credentials are displayed for devices that support IPS, such as Cisco IOS routers, ASA, and IDS. This information is required for devices that support SDEE.
Step 4
(Optional) Click the Rx-Boot Mode Credentials tab. The Rx-Boot Mode Credentials dialog box appears.
Step 5
If you clicked the Rx-Boot Mode Credentials tab, enter the Rx-Boot mode credentials, such as username and password, then click OK. For more information, see Rx-Boot Mode Credentials Dialog Box, page A-16.
Step 6
(Optional) Click the SNMP Credentials tab. The SNMP Credentials dialog box appears.
Step 7
If you clicked the SNMP Credentials tab, enter the SNMP V2C and V3 credentials, then click OK. For more information, see SNMP Credentials Dialog Box, page A-17.
Step 8
(Optional) Click the HTTP Credentials tab. The HTTP Credentials dialog box appears.
Note
The HTTP credentials tab does not appear for devices that support IPS, such as Cisco IOS routers, ASA, and IDS.
Step 9
If you clicked the HTTP Credentials tab, enter the HTTP credentials, such as HTTP port number, HTTPS port number, the certificate common name, and the mode: HTTP or HTTPS, then click OK. For more information, see HTTP Credentials Dialog Box, page A-18.
Step 10
Do one of the following:
• Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Do one of the following on the Task Status page:
– Click Abort to end device import and discovery. This button is enabled during device import and discovery.
– Click Close to close this page. This button is enabled after device import and discovery are completed.
• Click Next to continue. The Device Grouping page appears. See Grouping Devices.
Related Topics
• Device Credentials Page, page A-14
• Understanding Device Credentials
• Device Contact Credentials Naming Guidelines
• Rx-Boot Mode Credentials Dialog Box, page A-16
• SNMP Credentials Dialog Box, page A-17
• HTTP Credentials Dialog Box, page A-18
Grouping Devices
Use the Device Grouping page to assign devices to groups.
Note
• You can group devices later or change the grouping structure by using the Edit Properties feature. For more information, see Editing Device Properties.
• You cannot add a device directly to a group type. You must create a new group under a group type, then assign the device to it.
• If you add the device without specifying the information in the Device Grouping tab, that device is added to the ALL folder in the Device selector. You can then manage that device directly from the ALL folder.
This procedure describes how to use the Device Grouping page to assign devices to groups.
Procedure
Step 1
Click the arrow in a group type field, for example, Department or Location, then select an existing group or create a new group.
Step 2
To create a new group under a group type:
a. Click the arrow, then select Edit Groups. The Edit Device Groups page appears.
b. Select the group type, for example, Department or Location.
c. Click the Add (+) button.
d. Enter the group name in the field provided, then click OK. The new group is created under the group type you selected, on the Device Grouping page.
Note
To add groups and subgroups, click the Add (+) button. To add group types (in addition to Location and Department), click Add Type.
Step 3
Select the Set values as default check box to set the current group values. These values are defaults for adding and editing device groups later.
Step 4
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Step 5
Do one of the following on the Task Status page:
• Click Abort to end device import and discovery. This button is enabled during device import and discovery.
• Click Close to close this page. This button is enabled after device import and discovery are completed.
Related Topics
• Device Grouping Page, page A-24
• Understanding Device Grouping
• Understanding the Device View
• Adding Devices from the Network
• Adding Devices from a Configuration File
• Adding a New Device
• Adding Devices from DCR
Adding Catalyst 6500/7600 Devices from the Network
If you are adding a Catalyst 6500/7600 device and you have completed all the steps in the Adding Devices from the Network topic, you are asked if you want to proceed with FWSM inventory and policy discovery. Click Yes to display the Firewall Service Module Credentials and VPN SPA Slot Location page. If you click No, the VPN SPA Slots window appears, giving you the opportunity to enter manually the locations of any Catalyst VPN Shared Port Adapter (VPN SPA) service modules installed on Catalyst 6500/7600 devices.
Each device can have from 3 to 13 slots, and each of these slots divides into subslots that can hold one or two VPN SPAs. Security Manager allows you to enter the subslot location to help you manage the device. The dialog box appears when you initiate discovery for Catalyst 6500/7600 devices. For elements in the Firewall Service Module Credentials page, see FWSM Credentials and VPN SPA Slot Location Dialog Box, page A-19.
This procedure describes how to enter the information on the Firewall Service Module Credentials and VPN SPA Slot Location page.
Before You Begin
• Complete all the steps described in the Adding Devices from the Network topic. See Adding Devices from the Network.
Procedure
Step 1
(Optional) Enter the management IP address for each slot.
The slots represent FWSMs on the Catalyst 6500/7600 device. Although this step is optional, we recommend that you enter the management IP address. For details, see FWSM Credentials and VPN SPA Slot Location Dialog Box, page A-19.
Step 2
Enter the username, password, and enable password for each slot.
If the device you are adding is a multi-mode FWSM, note the following:
• Multi-mode FWSMs contain System Space and Admin Context. If you entered the management IP address in step 1, Security Manager uses the credentials you entered in this step to access the FWSM System Space (through the session command from the Catalyst 6500/7600 device) and the Admin Context (through SSL). Therefore, in the Catalyst 6500/7600 device, you must configure the same username, password, and enable password for both System Space and Admin Context and enter them in this dialog box.
• If you did not enter the management IP address in step 1, Security Manager uses the credentials you entered in this step to access the FWSM System Space (through the session command from the Catalyst 6500/7600 device) and the Admin Context (through the changeto context command from the System Space). Therefore, you must enter the System Space credentials in this dialog box.
Step 3
If you do not want to discover policies for a particular slot, deselect the Discover Policies check box for that slot. The Discover Policies check box is selected by default.
If you deselect the check box, only inventory data, such as VLAN configuration, security contexts, and interfaces, is discovered. You can discover the policy configuration later by right-clicking an FWSM and selecting Discover Policies on Device.
Step 4
Click OK. The Task Status page appears. After inventory and policy discovery for all of the security contexts is completed, the Task Completed dialog box appears.
Step 5
Select Yes to submit the activity. The Validation Result dialog box appears.
We recommend that you submit the activity, otherwise the FWSMs and the security contexts will not appear in the Device selector.
Step 6
Do one of the following:
• Click OK to submit the activity. The activity is submitted and the FWSM and its security contexts appear in the Device selector.
• Click Details... to view the results of the validation.
• Click Cancel to cancel the operation.
Related Topics
• FWSM Credentials and VPN SPA Slot Location Dialog Box, page A-19
• Adding Devices from the Network
Adding VPN SPA Slot Locations
Use the VPN SPA Slots dialog box to add the locations of any Cisco VPN Shared Port Adapters (VPN SPAs) installed on Catalyst 6500/7600 devices. Each slot on these devices can hold one or two VPN SPAs, and Security Manager allows you to enter this information to help you manage the device. FWSMs occupy a whole slot in a Catalyst 6500/7600, and each VPN SPA occupies half a slot. Each slot can therefore hold two VPN SPAs, one in each of two subslots, numbered 0 and 1. For a description of the fields on this page, see VPN SPA Slots Dialog Box, page A-21.
This procedure describes how to add VPN SPA slot locations to the Catalyst 6500/7600 device information.
Procedure
Step 1
Do one of the following:
• Enter the slot number to the left of the "/" and the subslot (numbered 0 or 1) to the right of the "/".
• Click Select to select slot and subslot locations from a list of available slots and subslots.
Step 2
Do one of the following:
• Click OK to confirm.
• Click Cancel to cancel the operation.
Adding Devices from a Configuration File
Use the Add Device(s) from Config File option to add a single device or multiple devices from a configuration file into the Security Manager device inventory by either selecting a directory in which the configuration file resides or by selecting a single configuration file.
When you add the device, you bring in a range of identifying information for the device, such as credentials, DNS name and IP address.
Note
• We recommend that you use SSL or SSH to download the configuration files.
• If you use TFTP to obtain a configuration file from a Cisco IOS router, ASA, or PIX Firewall device, you must replace all control characters in the file with corresponding printable characters before adding it to Security Manager. For example, you would replace 0x03 with ^C. We recommend that you use Notepad to edit the files.
• You cannot add a Catalyst 6500/7600 device from a configuration file.
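One way to do the control-character replacement the note describes before importing a TFTP-fetched configuration file, as an added Python example that is not from this guide or from Security Manager. The function names, the sample banner text and the rule that tab, LF and CR are file layout rather than control characters to be replaced are assumptions; every other C0 control code and DEL is mapped to the caret form the note uses for 0x03 (^C).

```python
# Added example, not from the Security Manager guide: replace control
# characters in a TFTP-fetched configuration file with printable caret
# notation (0x03 -> "^C") before the file is imported.
from pathlib import Path

# Assumption: tab, LF and CR are file layout and are kept as-is.
LAYOUT_BYTES = {0x09, 0x0A, 0x0D}


def caret_notation(byte: int) -> str:
    """Map a C0 control code (0x00-0x1F) or DEL (0x7F) to its ^X form."""
    if byte == 0x7F:
        return "^?"
    if 0x00 <= byte < 0x20:
        return "^" + chr(byte + 0x40)  # 0x03 -> "^C", 0x1B -> "^["
    raise ValueError(f"not a control character: {byte:#04x}")


def is_control(byte: int) -> bool:
    """True for C0 controls and DEL that are not layout bytes."""
    return (byte < 0x20 or byte == 0x7F) and byte not in LAYOUT_BYTES


def sanitize_config(data: bytes) -> str:
    """Return the configuration text with every control character replaced.

    Bytes >= 0x80 are passed through as Latin-1 so nothing is silently lost.
    """
    return "".join(caret_notation(b) if is_control(b) else chr(b) for b in data)


def count_control_chars(data: bytes) -> int:
    """How many bytes would be rewritten; useful to log before importing."""
    return sum(1 for b in data if is_control(b))


def sanitize_file(src: Path, dst: Path) -> int:
    """Write a sanitized copy of src to dst; returns the replacement count."""
    raw = src.read_bytes()
    dst.write_text(sanitize_config(raw), encoding="latin-1")
    return count_control_chars(raw)


# Constructed sample: a router banner whose delimiter was saved as raw 0x03.
SAMPLE_CONFIG = (
    b"hostname edge-router\r\n"
    b"!\r\n"
    b"banner motd \x03Authorized use only\x03\r\n"
    b"line vty 0 4\r\n"
    b" transport input ssh\r\n"
)

if __name__ == "__main__":
    print(f"{count_control_chars(SAMPLE_CONFIG)} control character(s) replaced")
    print(sanitize_config(SAMPLE_CONFIG))
```

Use `sanitize_file(Path("router.cfg"), Path("router.clean.cfg"))` on a real download; the returned count tells you whether the file needed any change at all, which is worth recording alongside the import.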
The following topics describe the pages in the Add Device from Config File wizard:
• Providing Device Information—Config File
• Grouping Devices
This procedure describes how to add devices from a configuration file.
Before You Begin
• If you are working in Workflow mode and you want inventory and policies discovered, you must create an activity or open an existing one. For more information, see Chapter 7, "Managing Activities."
Note
If you are not working in Workflow mode, Security Manager automatically creates an activity. For more information, see Chapter 7, "Managing Activities."
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add Device(s) from Config File, then click Next. The New Device - Device Information page appears.
Step 4
Enter the device information in the appropriate fields. For more information, see Providing Device Information—Config File.
Step 5
Do one of the following:
• Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Do one of the following on the Task Status page:
– Click Abort to end device import and discovery. This button is enabled during device import and discovery.
– Click Close to close this page. This button is enabled after device import and discovery are completed.
• Click Next to continue. The Device Grouping page appears.
Step 6
(Optional) Assign the device to a group. For more information, see Grouping Devices.
Note
If you add the device without specifying the information in the Device Grouping tab, that device is added to the ALL folder in the Device selector. You can then manage that device directly from the ALL folder.
Step 7
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Step 8
Do one of the following on the Task Status page:
•
Click Abort to end device import and discovery. This button is enabled during device import and discovery.
•
Click Close to close this page. This button is enabled after device import and discovery are completed.
Related Topics
•
Add Device(s) from Config File Wizard, page A-25
•
Understanding the Device View
•
Providing Device Information—Config File
•
Grouping Devices
Providing Device Information—Config File
This procedure describes how to use the Device Information page to add device information.
Procedure
Step 1
Select the device type for the new device:
a.
Select the top-level device type folder to display the supported device families.
b.
Select the device family folder to display the supported device types.
c.
Select the device type.
Note
If you do not know the device type, select the device family folder as described in step b. Through discovery, Security Manager automatically selects the appropriate device type for the new device.
System object IDs for that device type are displayed in the SysObjectId field.
Step 2
Enter the full path to the directory containing the device configuration files in the Configuration Files field, or click Browse to navigate to the directory and locate the configuration file.
Step 3
From the Discover field, select one of the discovery options:
•
Policies and Inventory—When selected, discovers policies and interfaces. This is the default option.
If you select this option, the following policies are displayed:
–
Platform Settings—Also called platform-specific policy domains. For more information, see Service Policies vs. Platform-Specific Policies, page 6-3.
If you do not want these discovered, deselect this check box.
–
Firewall Policies—Also called firewall services. For details, see Firewall Services, page C-637.
If you do not want these discovered, deselect this check box.
•
Inventory Only—When selected, discovers interfaces. If the device is a composite device, all the service modules in that device are discovered.
•
No Discovery—When selected, Security Manager does not initiate discovery.
Step 4
Do one of the following:
•
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Do one of the following on the Task Status page:
–
Click Abort to end device import and discovery. This button is enabled during device import and discovery.
–
Click Close to close this page. This button is enabled after device import and discovery are completed.
•
Click Next to continue. The Device Grouping page appears. For more information, see Grouping Devices.
Related Topics
•
Device Information Page—Config File, page A-25
•
Adding Devices from a Configuration File
•
Grouping Devices
•
Discovering Policies, page 6-5
Grouping Devices
For this procedure, see Grouping Devices.
Adding a New Device
Use the Add New Device option to add a single device to the Security Manager inventory. You can use this option for preprovisioning. You can create the device in the system, assign policies to the device, and generate configuration files before receiving the device hardware.
When you receive the device hardware, you must prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage.
After preparing the devices, you can deploy the configurations to them.
The following topics describe the pages in the Add New Device wizard:
•
Providing Device Information—New Device
•
Providing Device Credentials
•
Grouping Devices
This procedure describes how to add a new device.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add New Device, then click Next. The New Device - Device Information page appears.
Step 4
Enter the device information in the appropriate fields. For more information, see Providing Device Information—New Device.
Step 5
Do one of the following:
•
Click Finish. The system performs device validation tasks:
–
If the data is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it.
–
If the data is correct, the device is added to the inventory and it appears in the Device selector.
•
Click Next to continue. The Device Credentials page appears.
Step 6
(Optional) Enter the device credentials in the appropriate fields. For more information, see Providing Device Credentials.
Step 7
Do one of the following:
•
Click Finish. The system performs device validation tasks:
–
If the data is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it.
–
If the data is correct, the device is added to the inventory and it appears in the Device selector.
•
Click Next to continue. The Device Grouping page appears.
Step 8
(Optional) Assign the device to a group. For more information, see Grouping Devices.
Note
If you add the device without specifying the information in the Device Grouping tab, that device is added to the ALL folder in the Device selector. You can then manage that device directly from the ALL folder.
Step 9
Click Finish. The system performs device validation tasks:
•
If the data is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it.
•
If the data is correct, the device is added to the inventory and it appears in the Device selector.
Step 10
If you selected the Manage in IPS Manager check box to manage a Cisco IOS router or an IDS sensor in the Device Information page, start the IPS Manager application to perform configuration and deployment tasks on that device. See Managing Devices with IPS Manager.
Note
•
If you entered a display name that already exists in DCR (but not in Security Manager), a Duplicate Device Notification window appears. See Cannot Add a Display Name that Exists in DCR.
•
If you entered a hostname and domain name combination that already exists in DCR (but not in Security Manager), a Duplicate DNS Hostname Domain Name window appears. See Cannot Add a DNS Hostname and Domain Name Combination that Exists in DCR.
•
Firewall devices only—After you add a firewall device manually, we highly recommend that you discover (import) the factory-default policies for that device. Bringing these policies into Security Manager prevents you from unintentionally removing them the first time you deploy to that device. For more information about factory-default policies for firewall devices, see Understanding Factory-Default Configurations, page 13-2. For more information about importing policies, see Discovering Policies, page 6-5.
Related Topics
•
Add New Device Wizard, page A-29
•
Understanding the Device View
•
Providing Device Information—New Device
•
Providing Device Credentials
•
Grouping Devices
•
Managing Devices with IPS Manager
Providing Device Information—New Device
This procedure describes how to use the Device Information page to add device information.
Procedure
Step 1
Select the device type for the new device:
a.
Select the top-level device type folder to display the supported device families.
b.
Select the device family folder to display the supported device types.
c.
Select the device type.
Note
After you add a device, you cannot change the device type.
System object IDs for that device type are displayed in the SysObjectId field. The first system object ID is selected by default. You can select another one if needed.
Step 2
Enter the device identity information, such as the IP type (static or dynamic), hostname, domain name, IP address, and display name. For more information, see Identity, page A-30.
Step 3
Enter the device operating system information, such as OS type, image name, target OS version, contexts, and operational mode. For more information, see Operating System, page A-31.
Step 4
Depending on the device type you select, the Auto Update or CNS-Configuration Engine field appears:
•
Auto Update—Displayed for PIX Firewall and ASA devices.
•
CNS-Configuration Engine—Displayed for Cisco IOS routers.
Note
This field is not active for Catalyst 6500/7600 and FWSM devices.
For details, see Device Types and Associated Server Fields—Add New Device.
Step 5
Do the following:
•
Auto Update—Click the arrow to display a list of servers. Select the server that is managing the device. If the server does not appear in the list, do the following:
–
Click the arrow, then select + Add Server... The Server Properties dialog box appears.
–
Enter the information in the required fields. For a description of the fields on the page, see Server Properties Dialog Box, page A-35.
–
Click OK. The new server is added to the list of available servers.
•
CNS-Configuration Engine—Depending on whether you select static or dynamic IP type, different information is displayed:
Static—Click the arrow to display a list of Configuration Engines. Select the Configuration Engine that is managing the device. If the Configuration Engine does not appear in the list, do the following:
–
Click the arrow, then select + Add Configuration Engine... The Configuration Engine Properties dialog box appears.
–
Enter the information in the required fields. For a description of the fields on the page, see CNS-Configuration Engine Properties Dialog Box, page A-37.
–
Click OK. The new Configuration Engine is added to the list of available Configuration Engines.
Dynamic—Click the arrow to display a list of servers. Select the server that is managing the device. If the server does not appear in the list, do the following:
–
Click the arrow, then select + Add Server... The Server Properties dialog box appears.
–
Enter the information in the required fields. For a description of the fields on the page, see Server Properties Dialog Box, page A-35.
–
Click OK. The new server is added to the list of available servers.
For a summary of the device types and the server fields associated with them, see Device Types and Associated Server Fields—Add New Device.
Step 6
Do one of the following:
•
To manage the device in Security Manager, select the Manage in Cisco Security Manager check box. This is the default.
•
If the only function of the device you are adding is to serve as a VPN end point, deselect the Manage in Cisco Security Manager check box.
Security Manager will not manage configurations nor will it upload or download configurations on this device.
Step 7
Select the Security Context of Unmanaged Device check box to manage a security context whose parent device (PIX Firewall, ASA, or FWSM) is not managed by Security Manager.
You can partition a PIX Firewall, ASA, or FWSM into multiple virtual firewalls, also known as security contexts. Each context is an independent system, with its own configuration and policies. You can manage these standalone contexts in Security Manager even though the parent (PIX Firewall, ASA, or FWSM) is not managed by Security Manager. For more information, see Configuring Security Contexts on Firewall Devices, page 13-103.
Note
This field is active only if the device you selected in the Device selector is a firewall device, such as a PIX Firewall, ASA, or FWSM, that supports security contexts.
Step 8
Select the Manage in IPS Manager check box to manage a Cisco IOS router in IPS Manager.
This field is active only if you selected a Cisco IOS router from the Device selector.
Note
IPS Manager can manage the IPS features only on a Cisco IOS router that has IPS capabilities. For more information see the IPS documentation.
If you select the Manage in IPS Manager check box, you must select the Manage in Cisco Security Manager check box also.
If the selected device is IDS, this field is not active, but the check box is selected because IPS Manager manages IDS sensors.
If the selected device is PIX Firewall, ASA, or FWSM, this field is not active because IPS Manager does not manage these device types.
Step 9
Do one of the following:
•
Click Finish. The system performs device validation tasks:
–
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs.
–
If the data you entered is correct, the device is added to the inventory and it appears in the Device selector.
Note
If you selected the Manage in IPS Manager check box to manage a Cisco IOS router or an IDS sensor, you must start the IPS Manager application to perform configuration and deployment tasks on that device. See Managing Devices with IPS Manager.
•
Click Next to continue. The Device Credentials page appears. For more information, see Providing Device Credentials.
Device Types and Associated Server Fields—Add New Device
Table 5-14 lists the device types and the server fields associated with them when you add a new device. The table also lists the discovery and deployment methods and transport protocols used for each device type, and shows how the server you select in the Server field affects the discovery and deployment methods. For information about deployment, see Understanding Deployment Methods, page 15-11.
Table 5-14 Device Type and Associated Server Fields - Add New Device

Device Type: PIX Firewall and ASA

Server Field: Auto Update (for static IP addresses)
Depending on which server is managing the device, select Auto Update Server or Configuration Engine from the Server Properties dialog box.
Discovery Method: Discovers from one of the following:
• File
• Device using the SSL transport protocol.
Deployment Method: Deploys to one of the following:
• File
• Auto Update Server or Configuration Engine using the AUS transport protocol—Deploys the configuration file to an Auto Update Server or Configuration Engine; then the device communicates with the Auto Update Server or Configuration Engine and downloads the configuration file.

Server Field: Auto Update (for dynamic IP addresses)
Depending on which server is managing the device, select Auto Update Server or Configuration Engine from the Server Properties dialog box.
Discovery Method: Discovers from file only.
Deployment Method: Deploys to one of the following:
• File
• Auto Update Server or Configuration Engine using the AUS transport protocol—Deploys the configuration file to an Auto Update Server or Configuration Engine; then the device communicates with the Auto Update Server or Configuration Engine and downloads the configuration file.

Server Field: Empty (Auto Update Server or Configuration Engine not selected)
Discovery Method: Discovers from one of the following:
• File
• Device using the SSL transport protocol.
Deployment Method: Deploys to one of the following:
• File
• Device using the SSL transport protocol.

Device Type: Cisco IOS routers

Server Field: CNS-Configuration Engine (for static IP addresses)
Discovery Method: Discovers from one of the following:
• File
• Device using the default transport protocol you selected, SSL or SSH.
Deployment Method: Deploys to one of the following:
• File
• Configuration Engine using the CNS transport protocol—Deploys the configuration file to a Configuration Engine; then the device communicates with the Configuration Engine and downloads the configuration file.

Server Field: CNS-Configuration Engine (for dynamic IP addresses)
Discovery Method: Discovers from one of the following:
• File
• Device using CNS and the default transport protocol you selected, SSL or SSH—Communicates with the CNS Gateway running on an Auto Update Server to determine the IP address of the device, then discovers directly from the device.
• Configuration Engine using the CNS transport protocol—Discovers the configuration file from a Configuration Engine.
Deployment Method: Deploys to one of the following:
• File
• Device using the SSL and CNS transport protocols—Communicates with the CNS Gateway running on an Auto Update Server to determine the IP address of the device, then deploys directly to the device.
• Configuration Engine using the CNS transport protocol—Deploys the configuration file to a Configuration Engine; then the device communicates with the Configuration Engine and downloads the configuration file.

Server Field: Empty (Configuration Engine not selected)
Discovery Method: Discovers from one of the following:
• File
• Device using the SSL transport protocol.
Deployment Method: Deploys to one of the following:
• File
• Device using the SSL transport protocol.

Device Type: Catalyst 6500/7600

Server Field: Not active.
Discovery Method: Discovers from device using the SSH transport protocol.
Deployment Method: Deploys to device using the SSH transport protocol.

Device Type: FWSM

Server Field: Not active.
Discovery Method: Discovers from one of the following:
• File
• Device using the SSL transport protocol.
Deployment Method: Deploys to one of the following:
• File
• Device using the SSL transport protocol.
Related Topics
•
Device Information Page—New Device, page A-29
•
Adding a New Device
•
Providing Device Credentials
•
Grouping Devices
•
Managing Devices with IPS Manager
Providing Device Credentials
For this procedure, see Providing Device Credentials.
Grouping Devices
For this procedure, see Grouping Devices.
Adding Devices from DCR
Use the Add Device(s) from DCR option to add one or more devices from the CiscoWorks Device and Credential Repository (DCR) to the Security Manager inventory. DCR resides on the CiscoWorks server and is a common repository that stores device attributes and device credential information. For more information on DCR, see CiscoWorks Common Services User Guide 3.0.
Note
You can add from DCR only devices that are running in the network. When you add a device from DCR, Security Manager tries to connect to the device to get basic device information, such as its OS version. This is called base device discovery, and it occurs even if you do not select the Policies and Inventory option in the Discover field when you add the device. If Security Manager cannot connect to the device, that device is not added to the inventory.
The following topics describe the pages in the Add Device from DCR wizard:
•
Providing Device Information—DCR
•
Grouping Devices
This procedure describes how to add devices from DCR to the Security Manager inventory.
Before You Begin
•
Prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage.
•
If you are working in Workflow mode, and you want inventory and policies discovered, you must create an activity or open an existing one. For more information, see Chapter 7, "Managing Activities."
Note
If you are not working in Workflow mode, Security Manager automatically creates an activity. For more information, see Chapter 7, "Managing Activities."
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add Device(s) from DCR, then click Next. The New Device - Device Information page appears.
Step 4
Enter the device information in the appropriate fields. For more information, see Providing Device Information—DCR.
Step 5
Do one of the following:
•
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Do one of the following on the Task Status page:
–
Click Abort to end device import and discovery. This button is enabled during device import and discovery.
–
Click Close to close this page. This button is enabled after device import and discovery are completed.
•
Click Next to continue. The Device Grouping page appears.
Step 6
(Optional) Assign the device to a group. For more information, see Grouping Devices.
Note
If you add the device without specifying the information in the Device Grouping tab, that device is added to the ALL folder in the Device selector. You can then manage that device directly from the ALL folder.
Step 7
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Step 8
Do one of the following on the Task Status page:
•
Click Abort to end device import and discovery. This button is enabled during device import and discovery.
•
Click Close to close this page. This button is enabled after device import and discovery are completed.
Step 9
If you selected the Manage in IPS Manager check box to manage a Cisco IOS router or an IDS sensor, start the IPS Manager application to perform configuration and deployment tasks on that device. See Managing Devices with IPS Manager.
Note
Firewall devices only—After you add a firewall device from DCR, we highly recommend that you discover (import) the factory-default policies for that device. Bringing these policies into Security Manager prevents you from unintentionally removing them the first time you deploy to that device. For more information about factory-default policies for firewall devices, see Understanding Factory-Default Configurations, page 13-2. For more information about importing policies, see Discovering Policies, page 6-5.
Related Topics
•
Add Device(s) from DCR Wizard, page A-40
•
Understanding the Device View
•
Providing Device Information—DCR
•
Grouping Devices
•
Managing Devices with IPS Manager
Providing Device Information—DCR
This procedure describes how to use the Device Information page to add device information.
Procedure
Step 1
Expand the appropriate folder to select a device from the DCR List of Devices pane, then click >>. The selected device moves to the Selected Devices pane.
Tip
You can select multiple devices by pressing Ctrl and clicking on the desired devices.
To remove a device from the Selected Devices pane, select the device from the Selected Devices pane, then click <<. The selected device moves to the DCR List of Devices pane.
Step 2
From the Discover field, select one of the discovery options:
•
Policies and Inventory—When selected, discovers policies and interfaces. This is the default option.
If you select this option, the following policies are displayed:
–
Platform Settings—Also called platform-specific policy domains. For more information, see Service Policies vs. Platform-Specific Policies, page 6-3.
If you do not want these discovered, deselect this check box.
–
Firewall Policies—Also called firewall services. For details, see Firewall Services, page C-637.
If you do not want these discovered, deselect this check box.
•
Inventory Only—When selected, discovers interfaces. If the device is a composite device, all the service modules in that device are discovered.
•
No Discovery—When selected, Security Manager does not initiate discovery.
Step 3
Select the Manage IOS-IPS Device in IPS Manager check box to manage Cisco IOS routers and IDS sensors in IPS Manager.
If the devices you selected from the DCR List of Devices pane contain Cisco IOS routers and IDS sensors, you can select this check box to manage them in IPS-MC.
Step 4
Do one of the following:
•
Click Finish. The system performs device validation tasks.
If the data you entered is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it. Otherwise, the Task Status page appears, displaying the status of the device import and discovery.
Do one of the following on the Task Status page:
–
Click Abort to end device import and discovery. This button is enabled during device import and discovery.
–
Click Close to close this page. This button is enabled after device import and discovery are completed.
•
Click Next to continue. The Device Grouping page appears. For more information, see Grouping Devices.
Note
You can add from DCR only devices that are running in the network. When you add a device from DCR, Security Manager tries to connect to the device to get basic device information, such as its OS version. This is called base device discovery, and it occurs even if you do not select the Policies and Inventory option in the Discover field when you add the device. If Security Manager cannot connect to the device, that device is not added to the inventory.
Related Topics
•
Device Information Page—DCR, page A-40
•
Adding Devices from DCR
•
Grouping Devices
•
Discovering Policies, page 6-5
Grouping Devices
For this procedure, see Grouping Devices.
Working with Devices with Dynamically Assigned IP Addresses
You can add devices that have dynamic IP addresses. From the Add Device from Network or Add New Device wizards, select the dynamic IP type, then select Auto Update Server or Configuration Engine. Security Manager uses the device identity information to retrieve the device IP address from an Auto Update Server or Configuration Engine that can be reached.
You can add these devices one at a time. You cannot add dynamic IP devices from a file.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Adding an Auto Update Server or Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding a New Device
•
Adding Devices from the Network
Understanding Auto Update Server and Configuration Engine
Auto Update Server (AUS) is a tool for upgrading device configuration files on PIX Firewall and ASA devices that use the auto update feature.
Cisco Configuration Engine is a tool for upgrading device configuration files on Cisco IOS routers and PIX Firewalls that use the configuration engine feature.
Security Manager cannot initiate direct communication with devices that acquire their interface addresses using DHCP, because their IP addresses are not known ahead of time. Furthermore, these devices might not be running, or they might be behind firewalls and NAT boundaries, when the management system must make changes. Instead, these devices initiate the connection to an Auto Update Server or Configuration Engine and download their configuration from there, so Security Manager only needs to reach the server.
For a summary of the device types and associated servers, see Table 5-15.
Table 5-15 Device Types and Associated Servers
Device Types with Dynamic IP Addresses, and the server each uses:
• PIX Firewall and ASA (that use the auto update feature): Auto Update Server
• Cisco IOS routers and PIX Firewall (that use the configuration engine feature): Configuration Engine
• Cisco IOS routers: Auto Update Server (running the CNS Gateway protocol)
Related Topics
•
Adding an Auto Update Server or Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding a New Device
•
Adding Devices from the Network
Adding an Auto Update Server or Configuration Engine
If you want to use an Auto Update Server or Configuration Engine as the management server, you can add it to Security Manager. After you add the server, it appears in the Available AUS Managers or Available CE Managers list.
If the Auto Update Server or Configuration Engine that is managing the selected device does not appear in the Available AUS Managers or Available CE Managers list, you can add the Auto Update Server or Configuration Engine in the following ways:
•
From the Add New Device page. See Adding an Auto Update Server or Configuration Engine When Adding a New Device.
•
From the Add Device from Network page. See Adding an Auto Update Server When Adding a Device from Network.
•
From the device properties page, select the General option. See Defining Device Properties.
Adding an Auto Update Server or Configuration Engine When Adding a New Device
If the Auto Update Server or Configuration Engine that is managing the selected device does not appear in the Available AUS Managers or Available CE Managers list, you can add the Auto Update Server or Configuration Engine.
This procedure describes how to add an Auto Update Server or Configuration Engine when you add a new device.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add New Device, then click Next. The Add New Device page appears.
Step 4
From the IP Type field, select Dynamic.
Step 5
Enter the hostname, domain name, IP address, and display name. For more information, see Identity, page A-30.
Step 6
Enter the device operating system information, such as OS type, image name, target OS version, contexts, and operational mode. For more information, see Operating System, page A-31.
Step 7
Depending on the device type you select, the Auto Update or CNS-Configuration Engine field appears:
•
Auto Update—Displayed for PIX Firewall and ASA devices.
•
CNS-Configuration Engine—Displayed for Cisco IOS routers.
Note
This field is not active for Catalyst 6500/7600 and FWSM devices.
Click the arrow to display a list of servers. Select the server that is managing the device. If the server does not appear in the list, do the following:
a.
Click the arrow, then select + Add Server... The Server Properties dialog box appears.
b.
Enter the information in the required fields. For a description of the fields on the page, see Server Properties Dialog Box, page A-35.
c.
Click OK. The new server is added to the list of available servers.
For a summary of the device types and the server fields associated with them, see Device Types and Associated Server Fields—Add New Device.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding a New Device
Adding an Auto Update Server When Adding a Device from Network
If the Auto Update Server that is managing the selected device does not appear in the Available AUS Managers list, you can add the Auto Update Server.
This procedure describes how to add an Auto Update Server when you add a device from the network.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add Device from Network, then click Next. The Add Device from Network page appears.
Step 4
From the Device IP Type field, select Dynamic.
Step 5
In the Device Identity field, enter the string that uniquely identifies the device to the Auto Update Server.
Step 6
From the CNS Gateway field, click the arrow to display a list of available Auto Update Servers. Select the Auto Update Server that is running the CNS Gateway protocol.
Security Manager communicates with the Auto Update Server running the CNS Gateway protocol to retrieve the IP address of an IOS device, then performs discovery directly from the device.
Step 7
If the Auto Update Server does not appear in the list, do the following:
a.
Click the arrow, then select + Add Auto Update Server... The Auto Update Server Properties dialog box appears.
b.
Enter the information in the required fields. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page A-12.
c.
After you click OK in the Auto Update Server Properties dialog box, the new Auto Update Server is added to the list of Available Servers.
Step 8
Enter the display name.
For more information, see Device Information Page—Network, page A-8.
Note
Only Cisco IOS routers with a dynamic IP address can be associated with an Auto Update Server running the CNS Gateway protocol.
For information about device types, the IP types they support (static or dynamic), and discovery and deployment methods, see Device Type and Supported IP Types - Add Device from Network.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding Devices from the Network
Editing the Auto Update Server or Configuration Engine Information
You can edit the Auto Update Server or Configuration Engine information in three ways:
•
From the device properties page, select the General option. For the procedure, see Editing Device Properties.
•
From the Add New Device page. For the procedure, see Editing an Auto Update Server or Configuration Engine When Adding a New Device.
•
From the Add device from Network page. For the procedure, see Editing the Auto Update Server Information when Adding Device from Network.
Editing an Auto Update Server or Configuration Engine When Adding a New Device
This procedure describes how to edit the Auto Update Server or Configuration Engine information when you add a new device to Security Manager.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add New Device, then click Next. The Add New Device page appears.
Step 4
From the IP Type field, select Dynamic.
Step 5
Enter the hostname, domain name, IP address, and display name. For more information, see Identity, page A-30.
Step 6
Enter the device operating system information, such as OS type, image name, target OS version, contexts, and operational mode. For more information, see Operating System, page A-31.
Step 7
Depending on the device type you select, the Auto Update or CNS-Configuration Engine field appears:
•
Auto Update—Displayed for PIX Firewall and ASA devices.
•
CNS-Configuration Engine—Displayed for Cisco IOS routers.
Note
This field is not active for Catalyst 6500/7600 and FWSM devices.
Step 8
Click the arrow in the Auto Update or the CNS-Configuration Engine field, then select Edit Servers.
The Available Servers dialog box appears. For a description of the fields on the page, see Available Servers Dialog Box, page A-36.
Step 9
Select the server then click Edit.
The Auto Update Server Properties page or the CNS-Configuration Engine Properties page appears. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page A-12 or CNS-Configuration Engine Properties Dialog Box, page A-37.
Step 10
Select the field to edit, then enter the changed information.
Step 11
Click OK. The Available Servers dialog box appears.
Step 12
Click OK.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Adding an Auto Update Server or Configuration Engine
•
Adding a New Device
Editing the Auto Update Server Information when Adding Device from Network
This procedure describes how to edit the Auto Update Server information when you add a device that is already in the network.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the Add button in the Device selector. The New Device - Choose Method page appears with four options.
Step 3
Select Add Device from Network, then click Next. The Add Device from Network page appears.
Step 4
From the Device IP Type field, select Dynamic.
Step 5
Enter the string value that uniquely identifies the device in Auto Update Server in the Device Identity field.
Step 6
Click the arrow in the CNS Gateway field, then select Edit Auto Update Server.
The Available Auto Update Server dialog box appears. For a description of the fields on the page, see Available Auto Update Servers Dialog Box, page A-13.
Step 7
Select the Auto Update Server, then click Edit.
The Auto Update Server Properties appears. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page A-12.
Step 8
Select the field to edit, then replace it with the desired information.
Step 9
Click OK.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Adding an Auto Update Server or Configuration Engine
•
Adding Devices from the Network
Understanding Device Credentials
Security Manager requires device credentials for logging in to the device. You can provide device credentials in two ways:
•
When you add a device into Security Manager.
•
From the Device Properties page.
For information about the elements in the device credentials page, see Device Credentials Page, page A-14. You can provide the following device credentials:
•
Primary Credentials—Username and password for logging into the device. This information is required for device communication.
•
SDEE Credentials—Security Device Event Exchange (SDEE) is a standard that specifies the format of messages and protocol used to communicate events generated by security devices. SDEE uses a pull mechanism: requests come from the network management application and the Intrusion Detection System/Intrusion Prevention System (IDS/IPS) router responds. SDEE uses HTTP and XML to provide a standardized interface.
SDEE is used for event management on IPS-supported devices. IPS Manager uses SDEE to query the IPS supported devices after deployment to verify that the deployment was successful.
•
HTTP Credentials—Web browsers and Web servers use HTTP to transfer files, such as text and graphic files. HTTP credentials are required for devices that support SDEE. SDEE uses HTTP and XML to provide a standardized interface. HTTP credentials are optional for other types of devices.
•
Rx-Boot Mode—(Optional) Some Cisco routers run from flash memory and boot only from the first file in flash, so to upgrade the flash image you must run an image that is not stored in flash. That image is a reduced command-set, ROM-based image referred to as Rx-Boot.
•
SNMP Credentials—(Optional) The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the TCP/IP suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
Note
You can use a maximum of 70 characters to define device credentials. Security Manager does not restrict the characters you can use to define them. However, you may not add spaces in passwords.
Related Topics
•
Device Credentials Page, page A-14
•
Device Contact Credentials Naming Guidelines
•
Device Validation Error Messages Displayed When Adding Devices
•
Adding Devices from the Network
•
Adding a New Device
Device Contact Credentials Naming Guidelines
Security Manager imposes restrictions on the maximum length and the characters that can be used in defining display name, device IP address, hostname and domain name fields.
Table 5-16 describes the naming guidelines.
Table 5-16 Device Credentials Naming Guidelines
Elements | Should contain...
Display Name | Maximum length: 70 characters. Valid characters: 0-9, uppercase A-Z, lowercase a-z, _ - . : and space
Device IP Address | Valid characters: . and 0-9. Must be dotted quads, for example, 192.64.3.8
Hostname | Maximum length: 70 characters. Valid characters: 0-9, uppercase A-Z, lowercase a-z, -
Domain Name | Maximum length: 70 characters. Valid characters: 0-9, uppercase A-Z, lowercase a-z, . -
Password | Maximum length: 70 characters. Valid characters: 0-9, uppercase A-Z, lowercase a-z; all characters except space
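The following Python validator is an added illustration of the rules in Table 5-16 and the 70-character note above; it is not Security Manager code and does not reproduce how the product performs validation. It assumes that an empty value is rejected and that each IP octet must be in the range 0-255, neither of which the table states. Each function returns a list of problems, so an empty list means the value passes.

```python
"""Input checks mirroring the naming guidelines in Table 5-16 (added example)."""
import re

MAX_LEN = 70  # display name, hostname, domain name and password share this limit

# Character classes as listed in Table 5-16.
_DISPLAY_NAME_RE = re.compile(r"^[0-9A-Za-z_\-.: ]+$")
_HOSTNAME_RE = re.compile(r"^[0-9A-Za-z-]+$")
_DOMAIN_NAME_RE = re.compile(r"^[0-9A-Za-z.-]+$")
_IP_CHARS_RE = re.compile(r"^[0-9.]+$")


def _check_length(value, label):
    """Return a problem if the value exceeds the 70-character limit."""
    if len(value) > MAX_LEN:
        return [f"{label}: {len(value)} characters, maximum is {MAX_LEN}"]
    return []


def validate_display_name(value):
    problems = _check_length(value, "display name")
    # The '+' in the pattern also rejects an empty string (assumption).
    if not _DISPLAY_NAME_RE.match(value):
        problems.append("display name: only 0-9, A-Z, a-z, '_', '-', '.', ':' and space allowed")
    return problems


def validate_ip_address(value):
    problems = []
    if not _IP_CHARS_RE.match(value):
        problems.append("IP address: only digits and '.' are allowed")
        return problems
    octets = value.split(".")
    # Dotted quad: exactly four numeric fields. The 0-255 range is an
    # assumption beyond the table (the usual IPv4 octet range).
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        problems.append("IP address: must be a dotted quad such as 192.64.3.8")
    return problems


def validate_hostname(value):
    problems = _check_length(value, "hostname")
    if not _HOSTNAME_RE.match(value):
        problems.append("hostname: only 0-9, A-Z, a-z and '-' are allowed")
    return problems


def validate_domain_name(value):
    problems = _check_length(value, "domain name")
    if not _DOMAIN_NAME_RE.match(value):
        problems.append("domain name: only 0-9, A-Z, a-z, '.' and '-' are allowed")
    return problems


def validate_password(value):
    problems = _check_length(value, "password")
    if " " in value:
        problems.append("password: spaces are not allowed")
    return problems


_CHECKS = {
    "display_name": validate_display_name,
    "ip_address": validate_ip_address,
    "hostname": validate_hostname,
    "domain_name": validate_domain_name,
    "password": validate_password,
}


def validate_device_identity(fields):
    """Validate the fields present in `fields`; return {field: [problems]} for failing fields only."""
    result = {}
    for name, check in _CHECKS.items():
        if name in fields:
            problems = check(fields[name])
            if problems:
                result[name] = problems
    return result


if __name__ == "__main__":
    # Constructed sample input (hypothetical device, not from the guide).
    sample = {
        "display_name": "edge-fw 01",
        "ip_address": "192.64.3.8",
        "hostname": "router-x",
        "domain_name": "example.com",
        "password": "p@ss word",  # contains a space, so it is rejected
    }
    for field, problems in validate_device_identity(sample).items():
        print(field, "->", "; ".join(problems))
```

Run as a script it prints the problems for the constructed sample, which fails only on the password. The table's hostname rule does not include the underscore, so a value such as router_x is accepted as a display name but not as a hostname; keeping the two character classes separate in code makes that difference explicit.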
Device Validation Error Messages Displayed When Adding Devices
When you add a device, Security Manager validates the data you entered. If the data is incorrect, the system generates error messages and displays the page on which the error occurs with a red error icon corresponding to it.
Security Manager does not validate whether the data you entered will allow you to contact the device. It validates whether the data is formatted correctly, whether you have entered duplicate display name and hostname combinations, and whether the display name you entered exists in DCR. The following error messages could be displayed:
Cannot Add a Display Name that Exists in DCR
If you are in the Add New Device page and you enter a display name that already exists in DCR (but not in Security Manager), a Duplicate Device Notification window displays the following message:
A device with the same display name exists in DCR. Duplicate display
names are not allowed in DCR. To change the display name, click No. To
import the existing device from DCR into Cisco Security Manager, click
Yes.
If you click No, the Add New Device page appears. You can enter another display name and continue adding the device. For a description of the elements in this page, see Add New Device Wizard, page A-29.
If you click Yes, the Add Device from DCR page appears, with the device name selected in the DCR List of Devices pane. Click >>. The selected device moves to the Selected Devices pane. For a description of the elements in this page, see Add Device(s) from DCR Wizard, page A-40.
Cannot Add a DNS Hostname and Domain Name Combination that Exists in DCR
When you are in the Add New Device page and you enter a hostname and domain name combination that already exists in DCR (but not in Security Manager), a Duplicate Device Notification window displays the following message:
A device with the same DNS (hostname + domain name) exists in DCR.
Duplicate DNS is not allowed in DCR. To change the DNS, click No. To
import the existing device from DCR into Cisco Security Manager, click
Yes.
If you click No, the Add New Device page appears. You can enter another hostname and domain name combination and continue adding the device. For a description of the elements in this page, see Add New Device Wizard, page A-29.
If you click Yes, the Add Device from DCR page appears, with the device name selected in the DCR List of Devices pane. Click >>. The selected device moves to the Selected Devices pane. For a description of the elements in this page, see Add Device(s) from DCR Wizard, page A-40.
Understanding Device Properties
You define device properties when you add devices to Security Manager. Device properties are general information about the device, credentials, the group the device is assigned to, and policy overrides. You must provide some of device property information, such as device identity and primary credentials, when you add the device, but you can add other information later from the Device Properties page.
To open this page, do one of the following:
•
In the Device selector, double-click a device.
•
In the Device selector, right-click the device, then select Device Properties.
The Device Properties page has two panes. The left pane contains the General, Credentials, Device Groups, and Policy Object Overrides options.
•
General—Contains general information about the device, such as device identity, the operating system running on the device, and DCS settings.
•
Credentials—Contains device primary credentials (username, password, and enable password), SNMP credentials, Rx-Boot Mode credentials, and HTTP credentials.
•
Device Groups—Contains the groups to which the device is assigned.
•
Policy Object Overrides—Contains global settings of certain types of reusable policy objects, which you can override.
If you click a device property option, the corresponding information is displayed in the right pane. For information about the elements in this page, see Device Properties Page, page A-47.
From the Device Properties page you can:
•
View device properties.
•
Define device properties. If you did not define the device properties when you added the device to the Security Manager inventory, you can define them in this page.
•
Edit device properties.
Note
•
Security Manager does not assume that the DNS hostname that appears on the Device Properties page is the same as the hostname that you configured on the device.
•
When you add a device to Security Manager, you must enter either the management IP address or the DNS hostname. Because it is not possible to determine the management interface and, therefore, the management IP address when you discover from a configuration file, the hostname in the configuration file is used as the DNS hostname. If the hostname is missing in the CLI of the configuration file, the configuration filename is used as the DNS hostname.
•
During live device discovery, the DNS hostname in the Device Properties page is not updated with the hostname configured on the device. Therefore, if you want to specify the DNS hostname for the device, you must specify it manually when you add the device to Security Manager or on the Device Properties page.
•
If the DNS hostname or display name of the security context you are discovering exists in DCR, Security Manager appends it with a _01, _02, and so on to give it a unique name.
The following topics describe how to use the Device Properties page:
•
Defining Device Properties
•
Editing Device Properties
•
Viewing Device Properties
Defining Device Properties
You can define device properties when you add a device or you can use the Device Properties page to define them later.
This procedure describes how to define device properties in the Device Properties page.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Do one of the following:
•
In the Device selector, double-click a device. The Device Properties page appears.
•
In the Device selector, right-click the device to display menu options, then select Device Properties. The Device Properties page appears.
Step 3
Define general information about the device, such as device identity, the operating system running on the device, and DCS settings:
a.
Click General. The General page appears.
b.
Enter the information in the appropriate fields. For more information, see General Page, page A-48.
c.
Click Save.
Step 4
Define device credentials, such as username and password:
a.
Click Credentials. The Credentials page appears.
b.
Enter the information in the appropriate fields. For more information, see Credentials Page, page A-51.
c.
Click Save.
Step 5
Assign groups to a device:
a.
Click Device Groups. The Device Groups page appears.
b.
Enter the device grouping information. For more information, see Device Groups Page, page A-53.
c.
Click Save.
Step 6
Define policy object overrides:
a.
Click Policy Object Overrides. The Policy Object Overrides folder expands.
b.
Click a policy object. The corresponding page appears in the right pane.
c.
Enter the information in the appropriate fields. For more information, see Policy Object Override Pages, page A-54.
d.
Click Save.
Related Topics
•
Understanding Device Properties
•
General Page, page A-48
•
Credentials Page, page A-51
•
Policy Object Override Pages, page A-54
•
Device Groups Page, page A-53
•
Editing Device Properties
•
Viewing Device Properties
Editing Device Properties
You can change the device properties information from the Device Properties page.
This procedure describes how to edit device properties.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Do one of the following:
•
In the Device selector, double-click a device. The Device Properties page appears.
•
In the Device selector, right-click the device to display menu options, then select Device Properties. The Device Properties page appears.
Step 3
Edit general information about the device, such as device identity, the operating system running on the device, and DCS settings:
a.
Click General. The General page appears.
b.
Select the field corresponding to the information to edit, then replace it with the desired information. For more information, see General Page, page A-48.
c.
Click Save.
Step 4
Edit device credentials, such as username and password:
a.
Click Credentials. The Credentials page appears.
b.
Select the field corresponding to the information to edit, then replace it with the desired information. For more information, see Credentials Page, page A-51.
c.
Click Save.
Step 5
Change the groups the device is assigned to:
a.
Click Device Groups. The Device Groups page appears.
b.
Click the arrow, then select a new group, or click Edit Groups to create a new group. For more information, see Edit Device Groups Page, page A-70.
c.
Click Save.
Step 6
Edit policy object overrides:
a.
Click Policy Object Overrides. The Policy Object Overrides folder expands.
b.
Click an object. The appropriate page appears on the right pane.
c.
Select the field corresponding to the information to edit, then replace it with the desired information. For more information, see Policy Object Override Pages, page A-54.
d.
Click Save.
Related Topics
•
Understanding Device Properties
•
General Page, page A-48
•
Credentials Page, page A-51
•
Policy Object Override Pages, page A-54
•
Device Groups Page, page A-53
•
Defining Device Properties
•
Viewing Device Properties
Viewing Device Properties
This procedure describes how to view device property information.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Do one of the following:
•
In the Device selector, double-click a device. The Device Properties page appears.
•
In the Device selector, right-click the device to display menu options, then select Device Properties. The Device Properties page appears.
Step 3
Do one of the following:
•
To view general information about the device, such as device identity, the operating system running on the device, and DCS settings, click General. The General page appears. For more information, see General Page, page A-48.
•
To view device credentials, such as username and password, click Credentials. The Credentials page appears. For more information, see Credentials Page, page A-51.
•
To view the groups to which the device is assigned, click Device Groups. The Device Groups page appears. For more information, see Device Groups Page, page A-53.
•
To view policy object overrides, click Policy Object Overrides. The Policy Object folder expands. Click a policy object to display the appropriate page in the right pane. For more information, see Policy Object Override Pages, page A-54.
Related Topics
•
Understanding Device Properties
•
General Page, page A-48
•
Credentials Page, page A-51
•
Device Groups Page, page A-53
•
Policy Object Override Pages, page A-54
•
Defining Device Properties
•
Editing Device Properties
Working with Device Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by defining policies on devices (which includes individual devices, service modules, and security contexts) and VPN topologies (which are made up of multiple devices), and then deploying the configurations defined by these policies to these devices.
Several policy types might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure multiple policies, such as IPSec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the device.
You can use Device view to manage both local policies and shared policies.
For details, see Managing Policies in Device View, page 6-16.
Cloning a Device
A cloned (duplicate) device shares the configurations and properties of the source device. Cloning a device saves you time because you do not need to re-create configuration and properties on the new device.
The cloned device shares the device operating system version, credentials, and grouping attributes with the source device, but it has its own unique identity, such as display name, IP address, hostname, and domain name. You can clone only one device at a time.
Note
You cannot clone a Catalyst 6500/7600 device.
This procedure describes how to clone a device.
Before You Begin
•
If you are working in Workflow mode, you must create an activity or open an existing one.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Right-click the device in the Device selector to clone, then select Clone. The Create a Clone of <device name> page appears.
Step 3
Enter the information in the appropriate fields. See Create a Clone of <device name> Page, page A-46.
Step 4
Click OK. A clone of the source device with its unique display name is created in the Device selector.
Related Topics
•
Create a Clone of <device name> Page, page A-46
•
Device Contact Credentials Naming Guidelines
•
Copying Policies Between Devices, page 6-19
Managing Devices with IPS Manager
To manage a Cisco IOS router or an IDS sensor in IPS Manager after adding the device into Security Manager, you must open IPS Manager to perform configuration and deployment tasks.
To open IPS Manager, right-click the device in the Device selector, then select IPS Manager. The IPS Manager application appears. For more information about configuration and deployment tasks, see the IPS Manager user guide.
Related Topics
•
Adding a New Device
•
Adding Devices from DCR
Deleting Devices from the Security Manager Inventory
This procedure describes how to delete devices from the Security Manager inventory.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Select the device to delete from the Device selector.
Step 3
Click the Delete button.
A Warning dialog box appears asking if you want to delete the selected nodes. The Delete from DCR check box is selected by default. If you delete a device with this check box selected, the device is deleted from Security Manager and from DCR. If you do not want to delete the device from DCR, deselect this check box.
Step 4
Click OK to continue. If the validation produces no errors or warnings, the device is deleted.
If there are errors or warnings, the Device Delete Validation page appears displaying the status of the deletion. For more information, see Device Delete Validation Page, page A-43.
Step 5
Look for any warnings listed in the Severity column to determine if you want to continue. If you do, click OK to confirm the deletion. Otherwise, click Cancel.
Related Topics
•
Device Delete Validation Page, page A-43
Understanding Device Grouping
Device grouping enables you to view a subset of devices that have similar group attributes. By default, Security Manager provides two Group Types: Department and Location, and one folder called ALL. The ALL folder contains all of the devices that are added to Security Manager.
You can create groups under the default group types, Department and Location, and assign devices to them or you can create new group types. You can create a maximum of 10 group types.
You cannot assign a device directly to a group type. You must create a group under a group type, and then assign a device to that group. For example, under Department (group type), you can create a group called Finance, and assign routerx to it (Figure 5-3).
Figure 5-3 Device Groups
You can create subgroups and assign a device to it. For example, under Location, you can create a group called United States; under United States, you can create a subgroup called California; and under California, you can create a subgroup called San Jose and assign routerx to it (Figure 5-3).
You can assign a device to multiple groups. When you do so, that device shows up in multiple groups in the Device selector. If you assign a device, for example, routerx, to the San Jose location and to the Finance department (Figure 5-3), that device, routerx, appears in both of these groups.
Note
The device can be in only one group in a group type. For example, under the group type, Location, you can assign routerx to San Jose, but you cannot assign routerx to San Jose and California.
After you assign the device to groups, that device appears in the appropriate groups and in the ALL folder in the Device selector.
You can assign devices to groups in four ways:
•
From the Device Grouping page in any of the add device wizards. See Grouping Devices.
•
From the device group shortcut menu options. See Device Group Shortcut Menu Options, page A-69.
•
From the Device Properties page. For more information, see Editing Device Properties.
•
From the Tools menu options. Select Tools > Security Manager Administration > Device Groups.
Related Topics
•
Working With Groups
•
Adding Devices to Groups
•
Edit Device Groups Page, page A-70
Working With Groups
You can create group types and groups, delete groups, and modify group names. The following topics describe how to perform these tasks:
•
Creating Group Types
•
Creating Groups
•
Creating Subgroups
•
Deleting Group Types, Groups, or Subgroups
•
Modifying the Group Type or Group Name
Creating Group Types
Security Manager has two predefined group types: Location and Department. You can create groups under these group types and assign a device to them or you can create new group types.
This procedure describes how to create group types.
Procedure
Step 1
Do one of the following:
•
When you add a device, select Edit Groups... from the Device Grouping page to display the Edit Device Groups page.
•
Select Tools > Security Manager Administration > Device Groups to display the Device Groups page.
•
Select Device Groups option from the Device Properties page, then select Edit Groups... to display the Edit Device Groups page.
Step 2
Click the Add Type button in the Device Groups page. A new group type field is created, which you can edit.
Step 3
Enter a name for this group type, then press Enter.
Step 4
Click OK.
Related Topics
•
Understanding Device Grouping
•
Grouping Devices
•
Edit Device Groups Page, page A-70
Creating Groups
This procedure describes how to create groups.
Procedure
Step 1
Do one of the following:
•
Right-click a group type in the Device selector, then select Add Group... to display the Add Group dialog box. See Add Group Dialog Box, page A-72.
•
When you add a device, select Edit Groups... from the Device Grouping wizard page to display the Edit Device Groups page.
•
Select Tools > Security Manager Administration > Device Groups to display the Device Groups page.
•
Select Device Groups option from the Device Properties page, then select Edit Groups... to display the Edit Device Groups page.
Step 2
Click the group type under which you want to create the group, for example, Location.
Step 3
Click the Add (+) button. A new group field is created, which you can edit.
Step 4
Enter a name for this group, for example, United States, then press Enter.
Step 5
Click OK. The United States group is created under the Location group type (Figure 5-3).
Related Topics
•
Understanding Device Grouping
•
Add Group Dialog Box, page A-72
•
Grouping Devices
•
Edit Device Groups Page, page A-70
Creating Subgroups
This procedure describes how to create subgroups within a group.
Procedure
Step 1
Do one of the following:
•
Right-click a group in the Device selector, then select Add Group... to display the Add Group dialog box. See Add Group Dialog Box, page A-72.
•
When you add a device, select Edit Groups... from the Device Grouping wizard page to display the Edit Device Groups page.
•
Select Tools > Security Manager Administration > Device groups to display the Device Groups page.
•
Select Device Groups option from the Device Properties page, then select Edit Groups... to display the Edit Device Groups page.
Step 2
Click the group under which you want to create the subgroup, for example, United States (under the Location group type).
Step 3
Click the Add (+) button. A new subgroup is created, which you can edit.
Step 4
Enter a name for this subgroup, for example California, then press Enter.
Step 5
Click OK. The California subgroup is created under the United States group (Figure 5-3).
Related Topics
•
Understanding Device Grouping
•
Add Group Dialog Box, page A-72
•
Grouping Devices
•
Edit Device Groups Page, page A-70
Deleting Group Types, Groups, or Subgroups
This procedure describes how to delete groups, subgroups, or group types.
Procedure
Step 1
Do one of the following:
•
Right-click a group type or a group in the Device selector, then select Edit Groups... to display the Edit Device Groups page.
•
Select Edit Groups... when you add a device to display the Edit Device Groups page.
•
Select Tools > Security Manager Administration > Device Groups to display the Device Groups page.
•
Select Device Groups option from the Device Properties page, then select Edit Groups... to display the Edit Device Groups page.
Step 2
Click a group type or group to delete.
Step 3
Click the Delete button.
Step 4
Click OK.
Note
•
If you delete a group type, all groups and subgroups under it are also deleted.
•
If you delete a group or a subgroup in a group type, all devices belonging to that group or subgroup are no longer associated with that group type.
•
You can choose to delete the predefined group types, Location and Department.
Related Topics
•
Understanding Device Grouping
•
Edit Device Groups Page, page A-70
Modifying the Group Type or Group Name
This procedure describes how to modify the name of the group type or group.
Procedure
Step 1
Do one of the following:
•
Right-click a group type or a group in the Device selector, then select Edit Groups... to display the Edit Device Groups page.
•
When you add a device, select Edit Groups... from the Device Grouping wizard page to display the Edit Device Groups page.
•
Select Device Groups option from the Device Properties page, then select Edit Groups... to display the Edit Device Groups page.
•
Select Tools > Security Manager Administration > Device Groups to display the Device Groups page.
Step 2
Double-click the name to modify. You can now edit that name.
Step 3
Enter the new name.
Step 4
Click OK.
Note
•
You can modify the names of the predefined group types, Location and Department, and give them new names.
•
You cannot have two group types with the same name.
•
You cannot have two groups with the same name under one group type.
•
You cannot have two subgroups with the same name under one group.
Related Topics
•
Understanding Device Grouping
•
Grouping Devices
•
Edit Device Groups Page, page A-70
Adding Devices to Groups
You must create a group before you add devices to it. To create groups, see Creating Groups and Creating Subgroups.
This procedure describes how to add devices to a group:
Procedure
Step 1
From the Device selector, right-click the group in which you want to add devices, then select Add Devices to Group. The Add Devices to Group page appears.
Step 2
From the Device Groups pane, select a device, or devices from different groups, or select an entire group, then click >>. The individual device or devices in the selected group move to the Selected Devices pane.
Step 3
Click OK. The devices in the Selected Devices pane are added to the group you initially selected in the Device selector.
Note
The device can be in only one group in a group type. If you assign a device to two groups that belong to one group type, you will get a warning message.
Related Topics
•
Understanding Device Grouping
•
Device Group Shortcut Menu Options, page A-69
Device Inventory Exporting
Security Manager includes an export utility, run from the command line, that you can use to customize, generate, and export a device inventory report. This report, in csv format, can then be viewed in any application that handles csv files.
Although the script is run outside the Security Manager interface, it works in conjunction with Security Manager credentials, RBAC, and database access. The report you can generate is limited to those devices that you can view. That is, only a user with view permission for all devices can generate an inventory report for all devices. The script is located in the CSCOpx/bin/ directory and is named CSMgrDeviceExport.pl.
The contents of the report are customizable and are organized by device type. In the Image or Group field, a device that has no value is indicated by an empty set of quotation marks (""). If the optional Group field is included in the report and a device belongs to multiple groups, all groups are listed, separated by semicolons. Fields that you can include in a device inventory report are the following:
• Display Name
• IP Address
• Device Type (the report is ordered by device type)
• Host Name (optional field)
• Domain Name (optional field)
• OS Type
• Image Name (optional field)
• Running OS Version
• Target OS Version
• Groups (optional field)
Inventory Export CLI Syntax
The device inventory report employs the following syntax:
$ perl CSCOpx/bin/CSMgrDeviceExport.pl -u <user id> -p <password> -s [Dhdoirstg]
where:
-u is your user name
-p is your Security Manager login password
-h displays help (optional)
-s selects the output fields (optional; if not specified, all data is exported). The field letters are:
  D - device display name
  h - host name
  d - domain name
  o - OS type
  i - image name
  r - running OS version
  t - target OS version
  g - groups
For example, the following command requests Display Name, Device Type (always included), OS Type, and Group; in this inventory only the first device has a Group value:
$ perl CSCOpx/bin/CSMgrDeviceExport.pl -u <userid> -p <password> -s Dog
Output:
Display Name, Device Type, OS Type, Group
132.20.123.81, Cisco 871 Integrated Services Router, IOS, "/Department/East Coast; /New/NewGroup"
132.20.109.62, Cisco ASA-5520 Adaptive Security Appliance Security Context, ASA, ""
10.71.251.154, Cisco ASA-5540 Adaptive Security Appliance, ASA, ""
132.20.107.21, Cisco Catalyst 6506 Switch, IOS, ""
10.81.33.124, Cisco PIX 515E Firewall, PIX, ""
To send the script's output to a file, append the shell redirection operator (>) and a file name to the command. For example:
$ perl CSCOpx/bin/CSMgrDeviceExport.pl -u <userid> -p <password> -s Dog > filename.csv
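The export is plain CSV, so it can be post-processed for inventory hygiene checks (devices that belong to no group, devices whose running OS version lags the target version). The following is an added example, not part of the Security Manager product or this guide; the sample input is constructed from the -s Dog output shown above, with each record on one line, and the Running/Target OS Version column names are assumed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the page's "-s Dog" example output, one record per line.
SAMPLE_EXPORT = """Display Name, Device Type, OS Type, Group
132.20.123.81, Cisco 871 Integrated Services Router, IOS, "/Department/East Coast; /New/NewGroup"
132.20.109.62, Cisco ASA-5520 Adaptive Security Appliance Security Context, ASA, ""
10.71.251.154, Cisco ASA-5540 Adaptive Security Appliance, ASA, ""
132.20.107.21, Cisco Catalyst 6506 Switch, IOS, ""
10.81.33.124, Cisco PIX 515E Firewall, PIX, ""
"""


def parse_export(text):
    """Parse CSMgrDeviceExport.pl output into a list of dicts.

    The header row names the columns, so any -s field selection works.
    The Group column is split on ';' into a list; the empty-value marker
    ("") becomes an empty list. Spaces after commas are ignored.
    """
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    rows = []
    for row in reader:
        rec = {k.strip(): (v or "").strip() for k, v in row.items()}
        if "Group" in rec:
            rec["Group"] = [g.strip() for g in rec["Group"].split(";") if g.strip()]
        rows.append(rec)
    return rows


def ungrouped_devices(rows):
    """Display names of devices with no group assignment."""
    return [r["Display Name"] for r in rows if not r.get("Group")]


def devices_by_group(rows):
    """Map each group path to the display names assigned to it."""
    index = defaultdict(list)
    for r in rows:
        for g in r.get("Group", []):
            index[g].append(r["Display Name"])
    return dict(index)


def os_version_drift(rows):
    """Devices whose running OS version differs from the target version.

    Assumes the export includes the r and t fields under the (assumed)
    column names 'Running OS Version' and 'Target OS Version'.
    """
    return [r["Display Name"] for r in rows
            if "Running OS Version" in r and "Target OS Version" in r
            and r["Running OS Version"] != r["Target OS Version"]]
```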
Exporting a Device Inventory Report
This procedure describes how to export a device inventory report.
Procedure
Step 1
Open a command line window.
Step 2
Enter the script command, arguments, and export file in the following format:
$ perl CSCOpx/bin/CSMgrDeviceExport.pl -u <user id> -p <password> -s [Dhdoirstg] > <filename>
For more information see Inventory Export CLI Syntax.
Step 3
Examine the output and format the data in an application, such as Excel, that uses csv format.