User Guide for Cisco Security Manager 3.0.2
Managing Objects

Table Of Contents

Managing Objects

Guidelines for Managing Objects

Understanding the Policy Object Manager Window

Filtering the Objects Table

Working with AAA Server Group Objects

Predefined AAA Authentication Server Groups

Creating AAA Server Group Objects

Duplicating AAA Server Group Objects

Editing AAA Server Group Objects

Viewing AAA Server Group Object Details

Managing AAA Server Group Overrides

Generating Usage Reports for AAA Server Group Objects

Deleting AAA Server Group Objects

Working with AAA Server Objects

Supported AAA Server Types

AAA Support on ASA Devices

Creating AAA Server Objects

Duplicating AAA Server Objects

Editing AAA Server Objects

Viewing AAA Server Object Details

Generating Usage Reports for AAA Server Objects

Deleting AAA Server Objects

Working with Access Control List Objects

Understanding the GUI

Creating Access Control List Objects

Creating Extended Access Control List Objects

Creating Standard Access Control List Objects

Editing Access Control List Objects

Duplicating Access Control List Objects

Deleting Access Control List Objects

Generating Usage Reports for Access Control List Objects

Viewing Access Control List Object Details

Working with ASA User Groups

Creating ASA User Groups

Identity Tab

General Tab

IPSec Tab

Client Configuration Tab

Client Firewall Attributes Tab

Hardware Client Tab

Editing ASA User Groups

Duplicating ASA User Groups

Deleting ASA User Groups

Generating Usage Reports for ASA User Groups

Viewing ASA User Group Details

Working with Category Objects

Editing Category Objects

Working with FlexConfig Objects

Creating FlexConfig Objects

Duplicating FlexConfig Objects

Editing FlexConfig Objects

Viewing FlexConfig Objects

Generating Usage Reports for FlexConfig Objects

Deleting FlexConfig Objects

Working with FTP Map Objects

Creating FTP Map Objects

Editing FTP Map Objects

Duplicating FTP Map Objects

Deleting FTP Map Objects

Generating Usage Reports for FTP Map Objects

Viewing FTP Map Object Details

Working with GTP Map Objects

Creating GTP Map Objects

Editing GTP Map Objects

Duplicating GTP Map Objects

Deleting GTP Map Objects

Generating Usage Reports for GTP Map Objects

Viewing GTP Map Object Details

Working with HTTP Map Objects

Creating HTTP Map Objects

General Tab

Entity Length Tab

RFC Request Method Tab

Extension Request Method Tab

Port Misuse Tab

Encoding Tab

Editing HTTP Map Objects

Duplicating HTTP Map Objects

Deleting HTTP Map Objects

Generating Usage Reports for HTTP Map Objects

Viewing HTTP Map Object Details

Working with IKE Proposal Objects

Creating IKE Proposal Objects

Duplicating IKE Proposal Objects

Editing IKE Proposal Objects

Viewing IKE Proposal Object Details

Generating Usage Reports for IKE Proposal Objects

Deleting IKE Proposal Objects

Working with Interface Role Objects

Creating Interface Role Objects

Duplicating Interface Role Objects

Editing Interface Role Objects

Viewing Interface Role Object Details

Managing Interface Role Overrides

Generating Usage Reports for Interface Role Objects

Deleting Interface Role Objects

Specifying Interfaces During Policy Definition

Exceptional Cases When Using Interface Roles

Working with IPSec Transform Set Objects

IPSec Protocols

IPSec Modes

Creating IPSec Transform Set Objects

Duplicating IPSec Transform Set Objects

Editing IPSec Transform Set Objects

Viewing IPSec Transform Set Object Details

Generating Usage Reports for IPSec Transform Set Objects

Deleting IPSec Transform Set Objects

Working with Network/Host Objects

Supported IP Address Formats

Creating Network/Host Objects

Duplicating Network/Host Objects

Editing Network/Host Objects

Viewing Network/Host Object Details

Managing Network/Host Overrides

Generating Usage Reports for Network/Host Objects

Deleting Network/Host Objects

Specifying IP Addresses During Policy Definition

Working with PKI Enrollment Objects

Creating PKI Enrollment Objects

Defining CA Server Properties

Defining PKI Enrollment Parameters

Defining Additional PKI Attributes

Defining the Trusted CA Hierarchy

Duplicating PKI Enrollment Objects

Editing PKI Enrollment Objects

Viewing PKI Enrollment Object Details

Managing PKI Enrollment Overrides

Generating Usage Reports for PKI Enrollment Objects

Deleting PKI Enrollment Objects

Working with Port List Objects

Creating Port List Objects

Duplicating Port List Objects

Editing Port List Objects

Viewing Port List Object Details

Managing Port List Overrides

Generating Usage Reports for Port List Objects

Deleting Port List Objects

Working with Service Objects

Creating Service Objects

Duplicating Service Objects

Editing Service Objects

Viewing Service Object Details

Managing Service Overrides

Generating Usage Reports for Service Objects

Deleting Service Objects

Working with Service Group Objects

Creating Service Group Objects

Duplicating Service Group Objects

Editing Service Group Objects

Viewing Service Group Object Details

Managing Service Group Overrides

Generating Usage Reports for Service Group Objects

Deleting Service Group Objects

Working with TCP Map Objects

Creating TCP Map Objects

Editing TCP Map Objects

Duplicating TCP Map Objects

Deleting TCP Map Objects

Generating Usage Reports for TCP Map Objects

Viewing TCP Map Object Details

Working with Text Objects

Creating Text Objects

Duplicating Text Objects

Editing Text Objects

Viewing Text Objects

Generating Usage Reports for Text Objects

Managing Text Object Overrides

Deleting Text Objects

Working with Time Range Objects

Creating Time Range Objects

Duplicating Time Range Objects

Editing Time Range Objects

Viewing Time Range Object Details

Generating Usage Reports for Time Range Objects

Deleting Time Range Objects

Working with Traffic Flow Objects

Creating Traffic Flow Objects

Source and Destination IP Addresses

Default Inspection Traffic With Access List

TCP or UDP Destination Ports

RTP Ranges

Tunnel Groups

IP Precedence Bits

IP DiffServ CodePoints (DSCPs)

Editing Traffic Flow Objects

Duplicating Traffic Flow Objects

Deleting Traffic Flow Objects

Generating Usage Reports for Traffic Flow Objects

Viewing Traffic Flow Object Details

Working with User Group Objects

Creating User Group Objects

Configuring General User Group Settings

Configuring the DNS and WINS Servers

Configuring Split Tunneling

Configuring Advanced IOS Options

Configuring Advanced PIX Options

Duplicating User Group Objects

Editing User Group Objects

Viewing User Group Objects

Generating Usage Reports for User Group Objects

Deleting User Group Objects

Overriding Global Objects for Individual Devices

Allowing a Global Object to Be Overridden

Creating Device-Level Object Overrides

Creating Object Overrides for a Single Device

Creating Object Overrides for Multiple Devices

Deleting Device-Level Object Overrides

Deleting Overrides from the Device Properties Window

Deleting Overrides from the Policy Object Manager window

Selecting Objects for Policies

Filtering Object Selectors

Object Filtering Options

How Policy Objects are Provisioned as PIX Object Groups

How Network/Host Objects are Provisioned as PIX Object Groups

How Port List Objects are Provisioned as PIX Object Groups

How Service Objects are Provisioned as PIX Object Groups

How Service Group Objects are Provisioned as PIX Object Groups


Managing Objects


Objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. When used, an object becomes an integral component of the object or policy. This means that if you change the definition of an object, this change is reflected in all objects and policies that reference the object. Objects aid policy definition by eliminating the need to define that component each time you define a policy.

Objects facilitate network updates, because you can identify objects separately but maintain them in a central location. For example, you can identify the servers in your network as a network/host object called MyServers, and the protocols to allow for these services in a service group object. You can then create an access rule that permits the service group to access the MyServers network/host object. If a change is made to these servers, you need only update the network/host object and redeploy, instead of trying to locate and edit each rule in which the servers are used.

By default, objects are defined globally. This means that the definition of an object is the same for every object and policy that references it. However, certain object types (for example, interface roles) can be overridden at the device level. This enables you to customize an object to match the configuration of a particular device in your network. For more information, see Allowing a Global Object to Be Overridden.


Note Objects were known as building blocks in the VPN/Security Management Solution (VMS) bundle, which predated the Cisco Security Manager.


Examples of Objects

Transform sets are integral to IPSec policies. However, you can define several transform sets independently of your IPSec policy definitions. These transform sets are always available for selection when you create IPSec policies.

A firewall access rule might have a source address of 10.10.10.1. As an alternative, you can use objects to create a network/host object named fred-pc with the address 10.10.10.1. You can then create an access rule with the source address as fred-pc.

Creating Objects

Security Manager provides a set of predefined objects that you can use to create policies. Additionally, you can create your own objects, as required.

You can access the dialog box for creating objects in one of two ways:

Using the Policy Object Manager window. This option is best suited for situations where you are defining one or more objects outside of the context of defining a particular policy. See Understanding the Policy Object Manager Window.

Using object selectors. When you define a policy that uses objects, object selectors include buttons for creating and editing objects without your having to first leave the policy you are defining. See Selecting Objects for Policies.

The following topics describe the types of objects that are available in Security Manager and how to create them.

Working with AAA Server Group Objects

Working with AAA Server Objects

Working with Access Control List Objects

Working with ASA User Groups

Working with Category Objects

Working with FlexConfig Objects

Working with FTP Map Objects

Working with GTP Map Objects

Working with HTTP Map Objects

Working with IKE Proposal Objects

Working with Interface Role Objects

Working with IPSec Transform Set Objects

Working with Network/Host Objects

Working with PKI Enrollment Objects

Working with Port List Objects

Working with Service Objects

Working with Service Group Objects

Working with TCP Map Objects

Working with Text Objects

Working with Time Range Objects

Working with Traffic Flow Objects

Working with User Group Objects

Other important topics related to managing objects are:

Guidelines for Managing Objects

Filtering the Objects Table

Overriding Global Objects for Individual Devices

Selecting Objects for Policies

Guidelines for Managing Objects

You should keep in mind the following guidelines when working with objects:

Object names are not case-sensitive and are limited to 128 characters. You must begin object names with a letter. You can use a mix of letters, numbers, special characters, and spaces for the remainder of the object name. Supported special characters include hyphens (-), underscores (_), periods (.), and plus signs (+).


Note Certain object types, such as AAA server groups, ASA user groups, and traffic flows, have different naming guidelines. Refer to the procedures for creating each object type for more details.


Objects are defined on the global level and are available for use with all relevant policies and other objects. To override certain types of objects for specific devices, see Overriding Global Objects for Individual Devices.

If you change the definition of an object, this change is reflected in all policies that reference that object.

Your ability to create multiple objects with the same definition depends on a setting on the Policy page located in the Preferences section of the Cisco Security Manager Administration window. By default, Security Manager warns you when you create an object whose definition is identical to that of an existing object, but it does not prevent you from proceeding. For more information, see Defining Policy Object Settings, page 2-65.

You can rename an object that is referenced by policies or other objects. Security Manager synchronizes the references with the new object name.

You cannot delete an object that is referenced by policies or other objects.

In certain situations, you might not be allowed to delete an object, even though the usage report indicates that it is not being used by any other objects or policies. For example, if you configured a device with a local policy that uses network/host object A and later replace that local policy with a shared policy that does not use that object, you will still be prevented from deleting object A. This can also happen when Security Manager creates an internal object from the configuration of a discovered device, and the device is later deleted. If you are prevented from deleting an object and you do not find any policies or objects that use that object, we recommend that you submit or discard all pending changes, then try again.
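The guidelines above describe reference semantics: a rename propagates to every policy and object that uses the object, a delete is refused while references exist, and an identical definition under another name produces a warning by default. The following Python model is an added example, not Security Manager code; it implements those rules over a small in-memory store and walks the MyServers example from the chapter introduction in demo(). The class names, the ObjectError exception, the 10.10.10.0/24 network and the port values are this example's own constructions; the name rule follows the guideline (a leading letter, then letters, digits, spaces, hyphens, underscores, periods and plus signs, 128 characters maximum, compared case-insensitively).

```python
import re
from dataclasses import dataclass, field

# Object name rule from the guidelines: a leading letter, then letters, digits,
# spaces, hyphens, underscores, periods and plus signs; 128 characters maximum.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 _.+\-]{0,127}$")


class ObjectError(Exception):
    """Raised for a rule violation (hypothetical exception type for this example)."""


@dataclass
class PolicyObject:
    name: str
    kind: str                         # e.g. "network/host", "service group"
    definition: tuple                 # hashable body, e.g. ("10.10.10.0/24",)
    refs: set = field(default_factory=set)   # names of objects this one uses


class ObjectStore:
    """Central store: names compare case-insensitively, references are by name."""

    def __init__(self, block_duplicates: bool = False):
        self._objects: dict = {}          # lower-cased name -> PolicyObject
        self.block_duplicates = block_duplicates   # models the Policy page preference
        self.warnings: list = []

    @staticmethod
    def valid_name(name: str) -> bool:
        return _NAME_RE.match(name) is not None

    def add(self, obj: PolicyObject) -> None:
        if not self.valid_name(obj.name):
            raise ObjectError(f"invalid object name {obj.name!r}")
        if obj.name.lower() in self._objects:
            raise ObjectError(f"{obj.name!r} already exists (names are case-insensitive)")
        for ref in obj.refs:
            if ref.lower() not in self._objects:
                raise ObjectError(f"{obj.name!r} references unknown object {ref!r}")
        # Identical definition under another name: warn by default, block if configured.
        for other in self._objects.values():
            if other.kind == obj.kind and other.definition == obj.definition:
                msg = f"{obj.name!r} has the same definition as {other.name!r}"
                if self.block_duplicates:
                    raise ObjectError(msg)
                self.warnings.append(msg)
        self._objects[obj.name.lower()] = obj

    def get(self, name: str) -> PolicyObject:
        return self._objects[name.lower()]

    def usage(self, name: str) -> list:
        """Usage report: every object that references `name`."""
        key = name.lower()
        return sorted(o.name for o in self._objects.values()
                      if any(r.lower() == key for r in o.refs))

    def rename(self, old: str, new: str) -> None:
        """Rename an object and synchronise every reference to it."""
        if not self.valid_name(new):
            raise ObjectError(f"invalid object name {new!r}")
        if new.lower() != old.lower() and new.lower() in self._objects:
            raise ObjectError(f"{new!r} already exists")
        obj = self._objects.pop(old.lower())
        obj.name = new
        self._objects[new.lower()] = obj
        for o in self._objects.values():
            o.refs = {new if r.lower() == old.lower() else r for r in o.refs}

    def delete(self, name: str) -> None:
        """Deleting a referenced object is refused; run usage() first."""
        users = self.usage(name)
        if users:
            raise ObjectError(f"{name!r} is used by {users}")
        del self._objects[name.lower()]


def demo() -> dict:
    """Walk the MyServers example from the chapter introduction (constructed values)."""
    store = ObjectStore()
    store.add(PolicyObject("MyServers", "network/host", ("10.10.10.0/24",)))
    store.add(PolicyObject("web-services", "service group", ("tcp/80", "tcp/443")))
    store.add(PolicyObject("allow-web", "access rule", ("permit",),
                           refs={"web-services", "MyServers"}))
    store.rename("MyServers", "Prod-Servers")     # the rule's reference follows
    try:
        store.delete("Prod-Servers")              # still used by allow-web
        delete_blocked = False
    except ObjectError:
        delete_blocked = True
    # Same definition under a new name only warns (the default preference).
    store.add(PolicyObject("Servers-Copy", "network/host", ("10.10.10.0/24",)))
    return {"refs": sorted(store.get("allow-web").refs),
            "delete_blocked": delete_blocked,
            "warnings": store.warnings}
```

The store keys objects by lower-cased name, which is what makes "MyServers" and "MYSERVERS" collide; the usage report is computed from the references rather than stored, so it can never go stale after a rename.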

Related Topics

Understanding the Policy Object Manager Window

How Policy Objects are Provisioned as PIX Object Groups

Understanding the Policy Object Manager Window

You manage objects in Security Manager using the Policy Object Manager window. This window enables you to view, create, edit, copy, and delete objects of each type. Additionally, the Policy Object Manager window enables you to run a usage report that details how each object is being used by Security Manager.

To open the Policy Object Manager window, click the Policy Object Manager button on the toolbar, or select Tools > Policy Object Manager.

The Policy Object Manager window is divided into the following sections:

Object Type selector

Work area

The Object Type selector, which is located on the left side of the Policy Object Manager window, contains a list of each available object type. A unique icon is displayed next to the name of each object type. This icon identifies objects of that type whenever they appear, such as in rules tables.

Select an object type in the Object Type selector to display a table of existing objects of that type in the work area, which is located on the right side of the Policy Object Manager window. The icons of user-defined objects include a special badge that distinguishes them from the predefined objects that are provided with Security Manager.

The table displays key information about each object, including:

Object type icon.

Object name.

Defined category.

Object description.

Additional information in the table differs for each object type. For example, the table for service objects includes the protocol, the source and destination ports, the ICMP message type (if applicable), and whether the global settings for this object can be overridden for individual devices.

To sort the information in the work area, click a column header. Click the header again to sort the information in reverse order.

Related Topics

Filtering the Objects Table

Filtering the Objects Table

You can filter the objects table to display only those objects that match your defined criteria. Filter criteria are preconfigured, and vary according to the type of object selected from the Object Type selector.

This procedure describes how to filter the objects table.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select the object type from Object Type selector. The objects that are defined for that type appear in the work area.

Step 3 Select a filter criterion from the Column list. The options available in the Column list depend on the object type.

Step 4 Enter filter criteria in the Criteria field, then click Apply or press Enter. The table displays only those objects that match your defined criteria.

Step 5 (Optional) To further filter the list, enter additional filter criteria. Each criterion that you enter is displayed in the Filtering field, which appears below the Column list.

There is an AND relationship between each criterion, which means that an object must match all criteria to be displayed in the table.

Step 6 (Optional) To restore the complete object table, click Remove. All filter criteria are erased.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

In Security Manager, policies requiring AAA (such as Easy VPN, Remote Access VPNs, and router platform policies such as Secured Device Provisioning and 802.1x) refer to AAA server group objects. These objects contain multiple AAA servers that use the same protocol, such as RADIUS or TACACS+. In essence, AAA server groups represent collections of authentication servers focused on enforcing specific aspects of your overall network security policy. For example, you can group those servers dedicated to authenticating internal traffic, external traffic, or remote dial-in users, as well as servers that authorize the administration of your firewall devices.

AAA server group objects are typically made up of individual AAA server objects. For more information, see Working with AAA Server Objects. Security Manager policies always refer to the AAA server group, rather than to individual AAA servers.

The following topics describe how to work with AAA server group objects:

Predefined AAA Authentication Server Groups

Creating AAA Server Group Objects

Duplicating AAA Server Group Objects

Editing AAA Server Group Objects

Viewing AAA Server Group Object Details

Managing AAA Server Group Overrides

Generating Usage Reports for AAA Server Group Objects

Deleting AAA Server Group Objects

Related Topics

Managing Objects

Predefined AAA Authentication Server Groups

Security Manager contains several predefined AAA server groups that define an authentication method without specifying particular AAA servers. In policies such as IPSec proposals, you can use these predefined server groups to define the types of AAA authentication to perform and the order in which to perform them. Table 8-1 lists the predefined AAA authentication server groups.

Table 8-1 Predefined AAA Authentication Server Groups

Name      Description

Enable    Uses the enable password for authentication.

KRB5      Uses Kerberos 5 for authentication.

Line      Uses the line password for authentication.

Local     Uses the local username database for authentication.

None      Uses no authentication.

RADIUS    Uses RADIUS authentication. Not applicable for Cisco IOS routers.

          Note This AAA server group does not contain any AAA servers at the global level. To use this AAA server group when defining a policy, you must create a device-level override and define the AAA servers to associate with the group. For more information, see Creating Device-Level Object Overrides.

TACACS+   Uses TACACS+ authentication. Not applicable for Cisco IOS routers.

          Note This AAA server group does not contain any AAA servers at the global level. To use this AAA server group when defining a policy, you must create a device-level override and define the AAA servers to associate with the group. For more information, see Creating Device-Level Object Overrides.


Related Topics

Creating AAA Server Group Objects

Working with AAA Server Group Objects

Creating AAA Server Group Objects

You can create AAA server group objects for Security Manager policies requiring AAA services, such as authentication and authorization. Each AAA server group object can contain multiple AAA servers, all of which use the same protocol, such as RADIUS or TACACS+. For example, if you want to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you must create at least two AAA server group objects, one for RADIUS servers and one for TACACS+ servers.

The number of AAA server group objects that can be created and the number of AAA server objects that can be included in each group object depend on the selected platform. For example, ASA devices support up to 18 single-mode server groups (with up to 16 servers each) and 7 multi-mode server groups (with up to 4 servers each). PIX firewalls support up to 14 server groups, each containing up to 14 servers.

Objects are defined at the global level, which means that they are applied identically to every object and policy that references them. However, you can override AAA server group object definitions at the device level. For more information, see Managing AAA Server Group Overrides.

This procedure describes how to create AAA server group objects.


Note Security Manager includes a predefined AAA server group object that you can use when you perform authentication locally inside the Cisco IOS router.



Tip You can also create AAA server group objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.


Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select AAA Server Groups from the Object Type selector.

Step 3 Right-click inside the work area, then select New Object.

The AAA Server Group dialog box appears. For a description of the fields in this dialog box, see Table C-26 on page C-37.

Step 4 Enter a name for the object. The maximum name length is 16 characters if you plan to use this object with firewall devices and 128 characters for Cisco IOS routers. Spaces are not supported.


Note Cisco IOS routers do not support the following AAA server group names: RADIUS, TACACS, TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such as rad or tac.


Step 5 (Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).

Step 6 Select the protocol to be used by the servers in the group:

RADIUS

TACACS+

Kerberos (ASA devices only)

LDAP (ASA devices only)

NT (ASA devices only)

SDI (ASA devices only)

Step 7 Enter the names of the AAA servers to include in the group, or click Select to display a selector. Only those servers corresponding to the selected protocol are displayed. Select one or more items from the Available AAA Servers list, then click >> to add them to the Selected AAA Servers list. See Selecting Objects for Policies.


Tip If the required AAA server is not listed, click the Create button to open the dialog box for defining a AAA server. Additionally, you can select an object in the Selected AAA Servers list, then click the Edit button to modify its properties. See AAA Server Dialog Box, page C-42.


When you finish, click OK to return to the AAA Server Group dialog box. Your selections are displayed in the AAA Servers field.

Step 8 (Optional) Select the check box if this group is to be the default group in the network for RADIUS or TACACS+. Use this option if you intend to have a single global server group for this protocol for all policies requiring AAA.

The default group can be used in most cases, except when you need to configure multiple AAA server groups that use the same protocol. For example, you might want to define multiple RADIUS groups so that one group can be used for authentication and another group for authorization. Service providers may want to define multiple groups with the same protocol in order to provide customer separation when using VRF.


Note If you select this check box, the name of the group is automatically changed to the default name for that protocol (RADIUS or TACACS+) upon deployment. For example, if you define a AAA server group named my_AAA_group as your default RADIUS server group, and then deploy a policy containing this object, the AAA server group appears under the default name RADIUS in the device configuration.


Step 9 (ASA devices only) Configure the following settings:

a. Select the method for reactivating failed servers in the group:

Depletion—All servers in the group are permitted to fail before all the servers are reactivated (known as depletion). This is the default.

Timed—Causes failed servers to be reactivated after 30 seconds of downtime. This option is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible.


Note The Timed option must be used when simultaneous accounting has been enabled, as described in Step d below.


b. (When Depletion is selected) You can configure the deadtime, which determines how long (in minutes) the system waits after the last server in the group has become inactive before beginning reactivation. Valid deadtime values range from 0 to 1440 minutes (24 hours). The default is 10 minutes.

c. Specify the number of connection attempts that can fail before a server is considered inactive. Valid values range from 1 to 5. The default is 3.

d. Select the method to use for sending accounting messages. Options include:

None—Accounting messages are not sent.

Simultaneous—Accounting messages are sent simultaneously to all servers in the group.

Single—Accounting messages are sent to a single server in the group. This is the default.

Step 10 (Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Working with Category Objects.

Step 11 (Optional) Select the Allow Value Override per Device check box to allow the properties of this object to be redefined on individual devices. See Allowing a Global Object to Be Overridden.

Step 12 Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.
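To make the constraints in Steps 4, 6, 8 and 9 concrete, here is an added Python model (not Security Manager code) that validates a AAA server group object for a target platform and renders what a deployment to an ASA would produce. The class name, the constructed 192.0.2.x server addresses and the aaa-server CLI lines are this example's assumptions about ASA syntax, not output taken from this page; the page only states that a default group is deployed under the name RADIUS or TACACS+, that simultaneous accounting requires timed reactivation, and the numeric limits shown in the comments.

```python
from dataclasses import dataclass, field

ASA_ONLY_PROTOCOLS = {"kerberos", "ldap", "nt", "sdi"}   # Step 6
IOS_RESERVED_NAMES = {"radius", "tacacs", "tacacs+"}    # Step 4 note


@dataclass
class AAAServerGroup:
    """One AAA server group object as entered in the dialog box (hypothetical model)."""
    name: str
    protocol: str                       # lower-case: radius, tacacs+, kerberos, ldap, nt, sdi
    servers: list = field(default_factory=list)   # AAA server addresses (constructed)
    is_default: bool = False            # Step 8: the single global group for the protocol
    reactivation: str = "depletion"     # Step 9a: depletion or timed
    deadtime: int = 10                  # Step 9b: minutes, 0-1440, depletion only
    max_failed: int = 3                 # Step 9c: failed attempts before inactive, 1-5
    accounting: str = "single"          # Step 9d: none, simultaneous or single

    def validate(self, platform: str) -> list:
        """Return the rule violations for deploying this group to asa, pix or ios."""
        errors = []
        limit = 128 if platform == "ios" else 16
        if not self.name or " " in self.name or len(self.name) > limit:
            errors.append(f"name must be 1-{limit} characters with no spaces")
        if platform == "ios" and self.name.lower() in IOS_RESERVED_NAMES:
            errors.append("IOS rejects group names RADIUS, TACACS and TACACS+")
        if self.protocol in ASA_ONLY_PROTOCOLS and platform != "asa":
            errors.append(f"{self.protocol} groups are supported on ASA only")
        if self.is_default and self.protocol not in {"radius", "tacacs+"}:
            errors.append("only RADIUS and TACACS+ groups can be the default group")
        if platform == "asa":
            if self.accounting == "simultaneous" and self.reactivation != "timed":
                errors.append("simultaneous accounting requires timed reactivation")
            if not 0 <= self.deadtime <= 1440:
                errors.append("deadtime must be 0-1440 minutes")
            if not 1 <= self.max_failed <= 5:
                errors.append("max failed attempts must be 1-5")
        return errors

    def deployed_name(self) -> str:
        """A default group is deployed under its protocol's name (Step 8 note)."""
        if self.is_default:
            return "TACACS+" if self.protocol == "tacacs+" else "RADIUS"
        return self.name

    def render_asa(self, interface: str = "inside") -> list:
        """Render the group as ASA aaa-server lines (assumed syntax, not from the page)."""
        errors = self.validate("asa")
        if errors:
            raise ValueError("; ".join(errors))
        tag = self.deployed_name()
        lines = [f"aaa-server {tag} protocol {self.protocol}"]
        if self.reactivation == "timed":
            lines.append(" reactivation-mode timed")
        else:
            lines.append(f" reactivation-mode depletion deadtime {self.deadtime}")
        lines.append(f" max-failed-attempts {self.max_failed}")
        if self.accounting != "none":          # "None" means no accounting-mode line
            lines.append(f" accounting-mode {self.accounting}")
        for host in self.servers:
            lines.append(f"aaa-server {tag} ({interface}) host {host}")
        return lines


def example() -> tuple:
    """Constructed example: a default RADIUS group, and a group that breaks the Step 9 rule."""
    group = AAAServerGroup("my_AAA_group", "radius",
                           servers=["192.0.2.10", "192.0.2.11"], is_default=True)
    bad = AAAServerGroup("vpn_acct", "radius", accounting="simultaneous")
    return group.render_asa(), bad.validate("asa")
```

Note that validate() is platform-aware on purpose: the same object can be valid for a Cisco IOS router (128-character names, no Kerberos/LDAP/NT/SDI) and invalid for a PIX or ASA, or the reverse, which is exactly the situation a device-level override is meant to resolve.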



Related Topics

Predefined AAA Authentication Server Groups

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Duplicating AAA Server Group Objects

An alternative to creating a policy object from scratch is to duplicate an existing object. The new object contains all the attributes of the copied object and a default name. You can then modify the name and all attributes as required.

Duplicating is particularly useful for creating new objects that are based on predefined objects that cannot be edited.

This procedure describes how to duplicate a AAA server group object.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.

Step 2 Select AAA Server Groups from the Object Type selector.

Step 3 In the work area, right-click the object you want to duplicate, then select Create Duplicate.

The AAA Server Group dialog box appears. The Name field contains the following default name for the new object: Copy of name of copied object. The remaining fields contain the same values as the copied object. For a description of the fields in this dialog box, see Table C-26 on page C-37.

Step 4 Modify the name of the new object and its configuration, as required.

Step 5 Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Editing AAA Server Group Objects

You can edit any user-defined AAA server group object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit a AAA server group object.


Note Predefined objects cannot be edited, but they can be copied. See Duplicating AAA Server Group Objects.



Tip You can also edit AAA server group objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.


Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for AAA Server Group Objects.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select AAA Server Groups from the Object Type selector.

Step 3 In the work area, right-click the object you want to edit, then select Edit Object.

The AAA Server Group dialog box appears. See Table C-26 on page C-37 for a description of the fields in this dialog box.

Step 4 Modify the fields in the dialog box as required, then click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Viewing AAA Server Group Object Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.

Step 2 Select AAA Server Groups from the Object Type selector.

Step 3 In the work area, right-click the object that you want to view configuration details for, then select View Object.

The AAA Server Group dialog box appears in read-only mode. For a description of the fields in this dialog box, see Table C-26 on page C-37.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Managing AAA Server Group Overrides

From the Policy Object Manager window, you can select a global object that can be overridden and generate a table of device-level overrides that are defined for that global object. For example, you can select a global AAA server group object and view a table of all devices for which you defined a local variation of the global object.

Object override definitions are displayed in the Policy Object Override window. This procedure describes how to create, edit, and delete object overrides from this window.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select AAA Server Groups from the Object Type selector to display the table of existing AAA server group objects.

Step 3 In the work area, select a global object for which device-level overrides have been permitted. These objects are indicated by a green checkmark in the Allow Override column.

Step 4 Double-click the checkmark, or right-click the object and select Edit Device Overrides. The Policy Object Overrides window is displayed.

Each device-level override defined for the selected object is displayed in a table containing the name of the device to which the override applies, the category assigned to the object, and the object definition. See Table C-114 on page C-207 for a description of the fields in this window.

Step 5 (Optional) Do one of the following:

To create a device-level override, click the New Object button. The AAA Server Group Dialog Box, page C-36 is displayed. For more information, see Creating AAA Server Group Objects.

To edit a device-level override, select the object from the table, then click the Edit Object button. The AAA Server Group Dialog Box, page C-36 is displayed.

To delete a device-level override, select the object from the table, then click the Delete Object button. For more information, see Deleting Device-Level Object Overrides.

Step 6 Click Close to return to the Policy Object Manager window.


Related Topics

Overriding Global Objects for Individual Devices

Allowing a Global Object to Be Overridden

Creating Object Overrides for a Single Device

Creating Object Overrides for Multiple Devices

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Generating Usage Reports for AAA Server Group Objects

Before you make any changes to a user-defined AAA server group object, you should determine if the object is being used. You can do this by generating usage reports that show which policies, objects, and devices are using the selected object and would therefore be affected by changes to that object. Usage reports contain any references to the selected object in your current activity as well as references found in the data committed to the Security Manager database.

This procedure describes how to generate a usage report.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select AAA Server Groups from the Object Type selector.

Step 3 In the work area, right-click the object for which you want to generate a report, then select Find Usage.

The Usage Reports window appears, displaying all references to the selected object. See Table C-113 on page C-205 for a description of the fields in this window.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the usage report by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the report.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Deleting AAA Server Group Objects

This procedure describes how to delete AAA server group objects. You can delete user-defined objects, but you cannot delete predefined objects. In addition, you can delete objects only when they are not being used by policies or other objects. If you delete an object for which device-level overrides are defined, all overrides are automatically deleted.


Note You might be prevented from deleting an unreferenced object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the object. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


Before You Begin

Determine if the object is currently being used and which policies, objects, and devices would be affected by the deletion. You can generate a usage report for this purpose. See Generating Usage Reports for AAA Server Group Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select AAA Server Groups from the Object Type selector.

Step 3 In the work area, right-click a user-defined object, then select Delete Object.


Tip You can select multiple objects by pressing Ctrl and clicking on the desired objects.


Step 4 When prompted, click Yes to confirm the deletion.

Step 5 To verify that the object was deleted, select Tools > Audit Report and view the generated report.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Group Objects

Working with AAA Server Objects

You can create AAA server objects in Security Manager. AAA enables devices to determine who the user is (authentication), what the user is permitted to do (authorization), and what the user actually did (accounting), as described below:

Authentication—Authentication is the way a user is identified before being allowed access to the network and network services. It controls access by requiring valid user credentials, which are typically a username and password. You can use authentication alone or with authorization and accounting.

Authorization—After authentication is complete, authorization controls the services and commands available to each authenticated user. Without authorization, authentication alone would grant every authenticated user the same access to services. You must use authorization together with authentication.

Accounting—Accounting is used to track the services users are accessing, as well as the amount of network resources they are consuming. Accounting information includes when sessions start and stop, usernames, the number of bytes that pass through the device for each session, the service used, and the duration of each session. This data can then be analyzed for network management, client billing, and/or auditing. You can use accounting alone or with authentication and authorization.

AAA provides an extra level of protection and control for user access beyond what ACLs alone can give. For example, you can create an ACL allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server (and you might not always know the IP addresses of these users), you can enable AAA so that only authenticated and/or authorized users are allowed through the device.

AAA server objects are collected into AAA server group objects. In Security Manager, all policies requiring AAA (such as EzVPN, Remote Access VPNs, and router platform policies such as Secured Device Provisioning and 802.1x) use AAA server group objects. See Working with AAA Server Group Objects.

The following topics describe how to work with AAA server objects:

Supported AAA Server Types

AAA Support on ASA Devices

Creating AAA Server Objects

Duplicating AAA Server Objects

Editing AAA Server Objects

Viewing AAA Server Object Details

Generating Usage Reports for AAA Server Objects

Deleting AAA Server Objects

Related Topics

Managing Objects

Supported AAA Server Types

Security Manager supports AAA servers using one of the following protocols:

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.

Cisco supports RADIUS under its AAA security model. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, and local username lookup. RADIUS is supported on all Cisco platforms, but some RADIUS-supported features run only on specified platforms.

TACACS+

Terminal Access Controller Access Control System (TACACS+) is a security application that provides centralized validation of users attempting to gain access to a router or network access server. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently.

Related Topics

AAA Support on ASA Devices

Creating AAA Server Objects

Working with AAA Server Objects

AAA Support on ASA Devices

In addition to supporting RADIUS and TACACS+, ASA devices can support AAA servers running the following protocols:

Kerberos

ASA devices can use Kerberos servers for VPN authentication. When a user attempts to establish VPN access through the ASA device, and the traffic matches an authentication statement, the device consults the Kerberos server for user authentication and grants or denies user access based on the response from the server. 3DES, DES, and RC4 encryption types are supported.

NT

ASA devices can use NT servers for VPN authentication. When a user attempts to establish VPN access and the applicable tunnel-group policy specifies an NT authentication server group, the ASA device consults the Microsoft Windows domain server for user authentication and grants or denies user access based on the response from the domain server.

SDI Servers

SecurID servers from RSA Security, Inc. are known as SDI servers. When a user attempts to establish VPN access and the applicable tunnel-group policy specifies an SDI authentication server group, the ASA device sends the username and one-time password to the SDI server. The device then grants or denies user access based on the response from the server. Version 5.0 of SDI introduced the concept of SDI master and slave servers that share a single-node secret file (SECURID). As a result, when you configure an SDI server as a AAA server object in Security Manager, you must specify whether the server is version 5.0 or an earlier version.

LDAP

ASA devices can use Lightweight Directory Access Protocol (LDAP) servers for VPN authorization. ASA devices support LDAP version 3 and are compatible with any v3 or v2 directory server. However, password management is supported only on the Sun Microsystems JAVA System Directory Server and the Microsoft Active Directory.

With any other type of LDAP server (such as Novell or OpenLDAP), all LDAP functions are supported except for password management. Therefore, if someone tries to log in to an ASA device using one of these other servers for authentication and their password has expired, the ASA device drops the connection and a manual password reset is required.

You can configure Simple Authentication and Security Layer (SASL) mechanisms to authenticate an LDAP client (in this case, the ASA device) to an LDAP server. Both ASA devices and LDAP servers can support multiple mechanisms. If both mechanisms (MD5 and Kerberos) are available, the ASA device uses the stronger mechanism, Kerberos, for authentication.

When user authentication for VPN access has succeeded and the applicable tunnel-group policy specifies an LDAP authorization server group, the ASA device queries the LDAP server and applies the authorizations it receives to the VPN session.

Table 8-2 AAA Services Supported by ASA Devices

                                          Database Type
AAA Service             Local   RADIUS   TACACS+   SDI   NT    Kerberos   LDAP

Authentication of...
  VPN users             Yes     Yes      Yes       Yes   Yes   Yes        No
  Firewall sessions     Yes     Yes      Yes       No    No    No         No
  Administrators        Yes     Yes      Yes       No    No    No         No

Authorization of...
  VPN users             Yes     Yes      No        No    No    No         Yes
  Firewall sessions     No      Yes1     Yes       No    No    No         No
  Administrators        Yes2    No       Yes       No    No    No         No

Accounting of...
  VPN connections       No      Yes      Yes       No    No    No         No
  Firewall sessions     No      Yes      Yes       No    No    No         No
  Administrators        No      Yes      Yes       No    No    No         No

1 For firewall sessions, RADIUS authorization is supported with user-specific ACLs only, which are received or specified in a RADIUS authentication response.

2 Local command authorization is supported by privilege level only.

Related Topics

Supported AAA Server Types

Creating AAA Server Objects

Working with AAA Server Objects

Creating AAA Server Objects

You can create AAA server objects to populate the AAA server group objects that are referenced by Security Manager policies, such as EzVPN and 802.1x. When creating a AAA server object, you must specify the IP address of the external AAA server, the key used for data encryption, the protocol used by the server, and the timeout interval.

This procedure describes how to create AAA server objects.

Before You Begin

Read and understand Guidelines for Managing Objects.

Configure the external AAA server that will be referenced by the AAA server object.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select AAA Servers from the Object Type selector.

Step 3 Right-click in the work area, then select New Object.

The AAA Server dialog box appears. For a description of the fields in this dialog box, see Table C-28 on page C-42.

Step 4 Enter a name for the object.

Step 5 (Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).

Step 6 Enter the IP address of the AAA server in the IP Address field.

Step 7 (Optional) Click Select under Interface to display a dialog box for selecting the interface whose IP address should be used for all outgoing RADIUS or TACACS packets. Select an interface or interface role from the displayed list, then click OK to return to the AAA Server dialog box. See Selecting Objects for Policies.

When you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name. Otherwise, deployment will fail.

When you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces. Otherwise, an error message is displayed.


Tip If the required interface role is not listed, click the Create button in the selector to open the dialog box for defining an interface role. The interface role you define must correspond to a single interface on the device. Additionally, you can select an object, then click the Edit button to modify its properties. See Interface Role Dialog Box, page C-127.


Step 8 Enter the amount of time to wait until a AAA server is considered unresponsive.

The valid ranges for this timeout are:

Cisco IOS routers—1-1000 seconds.

ASA devices and other devices running PIX 7.0—1-60 seconds.

Firewall devices running PIX 6.3—1-30 seconds.

Step 9 Select the protocol used by the AAA server and configure protocol-specific properties. For details about these properties, see Table C-28 on page C-42.


Note The Kerberos, LDAP, NT, and SDI protocols can be used only with ASA devices.


Step 10 (Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Working with Category Objects.

Step 11 Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.
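
The following is an added example, not Security Manager code: a small checker that applies the constraints stated in this procedure (the Step 8 timeout ranges, the ASA-only protocols in the note after Step 9, the single-interface rule for interface roles in Step 7) together with the one-protocol-per-group rule and the ASA service support matrix in Table 8-2, so that a AAA server group can be checked before it is referenced by a policy. The platform labels, field names and sample objects are assumptions made for this illustration.

```python
"""Added example, not Security Manager code: check AAA server objects and
groups against the constraints this page states (Step 8 timeout ranges,
the ASA-only protocols in the note after Step 9, the protocol-consistency
rule for groups, and Table 8-2).  Platform labels, field names and the
sample objects are assumptions made for this illustration."""
from dataclasses import dataclass, field

# Step 8: timeout range in seconds, by platform (labels are assumptions).
TIMEOUT_RANGE = {"ios": (1, 1000), "asa": (1, 60), "pix7": (1, 60), "pix63": (1, 30)}

# Note after Step 9: these protocols can be used only with ASA devices.
ASA_ONLY_PROTOCOLS = {"kerberos", "ldap", "nt", "sdi"}

# Table 8-2: database types an ASA can use for each AAA service.
ASA_SERVICE_SUPPORT = {
    ("authentication", "vpn users"): {"local", "radius", "tacacs+", "sdi", "nt", "kerberos"},
    ("authentication", "firewall sessions"): {"local", "radius", "tacacs+"},
    ("authentication", "administrators"): {"local", "radius", "tacacs+"},
    ("authorization", "vpn users"): {"local", "radius", "ldap"},
    ("authorization", "firewall sessions"): {"radius", "tacacs+"},  # RADIUS: user-specific ACLs only
    ("authorization", "administrators"): {"local", "tacacs+"},      # local: by privilege level only
    ("accounting", "vpn connections"): {"radius", "tacacs+"},
    ("accounting", "firewall sessions"): {"radius", "tacacs+"},
    ("accounting", "administrators"): {"radius", "tacacs+"},
}


@dataclass
class AAAServer:
    name: str
    ip: str
    protocol: str             # radius, tacacs+, kerberos, ldap, nt or sdi
    timeout: int              # seconds before the server is considered unresponsive
    key: str = ""             # shared key; empty means none configured
    role_interfaces: int = 1  # interfaces the selected interface role resolves to


@dataclass
class AAAServerGroup:
    name: str
    protocol: str
    servers: list = field(default_factory=list)


def validate_server(server, platform):
    """Return the problems a deployment of this server object would hit on platform."""
    problems = []
    lo, hi = TIMEOUT_RANGE[platform]
    if not lo <= server.timeout <= hi:
        problems.append(f"{server.name}: timeout {server.timeout}s outside {lo}-{hi}s for {platform}")
    if server.protocol in ASA_ONLY_PROTOCOLS and platform != "asa":
        problems.append(f"{server.name}: protocol {server.protocol} is ASA-only")
    # The page requires a key for the object; enforced here for RADIUS/TACACS+ (assumption).
    if server.protocol in {"radius", "tacacs+"} and not server.key:
        problems.append(f"{server.name}: {server.protocol} server has no key")
    # Step 7: an interface role must represent a single interface.
    if server.role_interfaces != 1:
        problems.append(f"{server.name}: interface role resolves to {server.role_interfaces} interfaces")
    return problems


def validate_group(group, platform, service=None, subject=None):
    """Validate every member, enforce one protocol per group, and (ASA only)
    check Table 8-2 when the service/subject the group will serve is given."""
    problems = []
    for s in group.servers:
        problems.extend(validate_server(s, platform))
        if s.protocol != group.protocol:
            problems.append(f"{s.name}: protocol {s.protocol} differs from group protocol {group.protocol}")
    if platform == "asa" and service is not None:
        if group.protocol not in ASA_SERVICE_SUPPORT[(service, subject)]:
            problems.append(f"{group.name}: {group.protocol} is not supported for {service} of {subject} on ASA")
    return problems


if __name__ == "__main__":
    # Constructed sample: an SDI group intended for VPN accounting on an ASA.
    grp = AAAServerGroup("sdi-grp", "sdi", [AAAServer("sdi1", "192.0.2.20", "sdi", 20)])
    for p in validate_group(grp, "asa", "accounting", "vpn connections"):
        print(p)
```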



Related Topics

Supported AAA Server Types

AAA Support on ASA Devices

Understanding the Policy Object Manager Window

Working with AAA Server Objects

Duplicating AAA Server Objects

An alternative to creating a policy object from scratch is to duplicate an existing object. The new object contains all the attributes of the copied object and a default name. You can then modify the name and all attributes as required.

Duplicating is particularly useful for creating new objects that are based on predefined objects that cannot be edited.

This procedure describes how to duplicate a AAA server object.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.

Step 2 Select AAA Servers from the Object Type selector.

Step 3 In the work area, right-click the object you want to duplicate, then select Create Duplicate.

The AAA Server dialog box appears. The Name field contains the following default name for the new object: Copy of name of copied object. The remaining fields contain the same values as the copied object. For a description of the fields in this dialog box, see Table C-28 on page C-42.

Step 4 Modify the name of the new object and its configuration, as required.

Step 5 Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Objects

Editing AAA Server Objects

This procedure describes how to edit a user-defined AAA server object. Changes that you make to the object are reflected in all AAA server groups that use the object.

You cannot change the protocol of a AAA server object that is defined as part of a AAA server group. For example, if a RADIUS AAA server is part of a RADIUS AAA server group, you cannot change the protocol on the server to TACACS+ unless you first delete it from the group.


Note Predefined objects cannot be edited, but they can be copied. See Duplicating AAA Server Objects.



Tip You can also edit AAA server objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.


Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for AAA Server Objects.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select AAA Servers from the Object Type selector.

Step 3 In the work area, right-click the object you want to edit, then select Edit Object.

The AAA Server dialog box appears. See Table C-28 on page C-42 for a description of the fields in this dialog box.

Step 4 Modify the fields in the dialog box as required, then click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Objects

Viewing AAA Server Object Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.

Step 2 Select AAA Servers from the Object Type selector.

Step 3 In the work area, right-click the object that you want to view configuration details for, then select View Object.

The AAA Server dialog box appears in read-only mode. For a description of the fields in this dialog box, see Table C-28 on page C-42.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Objects

Generating Usage Reports for AAA Server Objects

Before you make any changes to a user-defined AAA server object, you should determine if the object is being used. You can do this by generating usage reports that show which policies, objects, and devices are using the selected object and would therefore be affected by changes to that object. Usage reports contain any references to the selected object in your current activity as well as references found in the data committed to the Security Manager database.

This procedure describes how to generate a usage report.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select AAA Servers from the Object Type selector.

Step 3 In the work area, right-click the object for which you want to generate a report, then select Find Usage.

The Usage Reports window appears, displaying all references to the selected object. See Table C-113 on page C-205 for a description of the fields in this window.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the usage report by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the report.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Objects

Deleting AAA Server Objects

This procedure describes how to delete AAA server objects. You can delete user-defined objects, but you cannot delete predefined objects. In addition, you can delete objects only when they are not being used by policies or other objects.


Note You might be prevented from deleting an unreferenced object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the object. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


Before You Begin

Determine if the object is currently being used and which policies, objects, and devices would be affected by the deletion. You can generate a usage report for this purpose. See Generating Usage Reports for AAA Server Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select AAA Servers from the Object Type selector.

Step 3 In the work area, right-click a user-defined object, then select Delete Object.


Tip You can select multiple objects by pressing Ctrl and clicking on the desired objects.


Step 4 When prompted, click Yes to confirm the deletion.

Step 5 To verify that the object was deleted, select Tools > Audit Report and view the generated report.


Related Topics

Understanding the Policy Object Manager Window

Working with AAA Server Objects

Working with Access Control List Objects

An Access Control List (ACL) object is a reusable component that encapsulates one or more Access Control Entries (ACEs). Each ACE is an individual permit or deny statement within an ACL. The component (also referred to as a policy object) is platform independent and can be referenced by a host of Security Manager policies.

Although there are several types of ACLs, only two types are supported by the policy object tool for this release.

Extended—Defines an extended type access list that can be used by various policies within Security Manager. Each ACE of extended type includes an action element (permit or deny) and filter criteria such as source address, destination address, protocol, and protocol-specific parameters. For more information, see Extended ACL.

Standard—Defines a standard type access list that can be used by various policies within Security Manager. Each ACE of standard type includes an action element (permit or deny) and filter criteria based on the source address only. For more information, see Standard ACL.

Extended ACL

Uses:

Identifying addresses for NAT (policy NAT and NAT exemption)—Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list. You can also specify the source and destination ports. Regular NAT can only consider local addresses. An access list that is used with policy NAT cannot be configured to deny an ACE.

Identifying addresses for IOS dynamic NAT—For user-defined ACLs, the NAT plug-in generates its own ACL CLIs when deducing NAT traffic from VPN traffic.

Filtering traffic that will be intercepted by Network Admission Control (NAC).

Identifying traffic in a traffic class-map for modular policy—Access lists can be used to identify traffic in a class-map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, inspection, IPS, and QoS. You can use one or more access lists to identify specific types of traffic.

For transparent mode, enabling protocols that are blocked by a routed mode security appliance, including BGP, DHCP, and multicast streams. Because these protocols do not have sessions on the security appliance to allow return traffic, these protocols also require access lists on both interfaces.

Establishing VPN access—You can use an extended access list in VPN commands to identify the traffic that should be tunneled on the device for an IPSec site-to-site tunnel or to identify the traffic that should be tunneled on the device for a VPN client. Use in conjunction with the following policy objects and settings:

Policy Object1      Device                              Purpose

VPN Topology        Any                                 Selecting Protected Networks.

ASA User Group      Any                                 Filter ACL.

ASA User Group      ASA                                 Inbound Firewall Policy; Filter ACL.

ASA User Group      ASA                                 Outbound Firewall Policy.

Traffic Flow        ASA, PIX 7.0                        Service Policy Rules (MPC). The traffic flow BB (class-map) uses Extended ACL as one of its traffic match types.

User Group          IOS, Catalyst 6500/7600, PIX 6.3    Selecting Protected Networks. Enables you to specify an ACL that represents protected subnets for the purpose of split tunneling.

1 To access the policy objects listed, select Tools > Policy Object Manager > <policy_object>.


Standard ACL

Uses:

Identifying OSPF route redistribution. Standard access lists include only the destination address (Single Context Mode only).

Filtering users of a community string using SNMP.

Establishing VPN access—You can use a standard access list in VPN commands to identify a network list for split-tunneling. Use in conjunction with the following policy objects and settings:

Policy Object1      Device                                   Purpose

User Group          PIX 6.3 and later, IOS 12.3 and later    Split Tunnel ACL

1 To access the policy object, select Tools > Policy Object Manager > User Group.


The following topics will help you work with ACL objects:

Understanding the GUI

Creating Access Control List Objects

Editing Access Control List Objects

Duplicating Access Control List Objects

Deleting Access Control List Objects

Generating Usage Reports for Access Control List Objects

Viewing Access Control List Object Details

Understanding the GUI

The ACL Object GUI structure differs slightly from that of other policy objects.

1. First, you define the ACL object. After the object is defined, it is listed in the Extended ACL object table or Standard ACL object table.

From this table, you can request to add a new object, edit an existing object, or delete an object. These functions are performed using either the shortcut menus or the buttons located below the tables. You can also create a duplicate object, copy an ACL or ACE entry contained within that object and paste it in another table, or generate a report that indicates whether the objects are in use by another object, policy, or device. These functions are performed using the shortcut menu.


Note You cannot directly add or edit an ACL or ACE entry from this table.


2. Next, you define the ACL entry associated with the object. After the entry is defined, it is listed in the Add Extended Access List or Add Standard Access List table.

From this table, you can request to add a new ACE or ACL entry, edit an existing entry, or delete an entry. These functions are performed using either the shortcut menus or the buttons located below the tables. You can also move an entry up or down in the table, and copy and paste an entry within the table.

After you define an ACL object and associated ACE and ACL entries, the information is displayed in the Extended ACL or Standard ACL tables. You can click the arrows to expand or compress the listed information.

Creating Access Control List Objects

An Access Control List (ACL) object is made up of one or more ACEs, one or more ACL objects, or a combination of both.

Extended type ACEs enable you to specify source and destination addresses and protocol, and, based on the protocol type, the ports (for TCP or UDP), or the ICMP type (for ICMP) can be specified.

Standard type ACEs use the source IP address for matching operations.


Note You can define an ACL object from the Policy Object Manager and use it from multiple policies belonging to multiple devices.


Related Topics

Creating Extended Access Control List Objects

Creating Standard Access Control List Objects

Creating Extended Access Control List Objects

Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select Access Control Lists.

The Access Control List page appears. The Extended tab opens by default. For a description of GUI elements, see Extended IP ACL Tab, page C-51.

Step 3 From the work area, right-click inside the table, then select New Object.

The Add Extended Access List dialog box appears. For a description of the GUI elements, see Add and Edit Extended Access List Pages, page C-52.

Step 4 Enter the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 128 characters.

Step 5 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the Access Control Lists table.

Step 6 Right-click inside the table, then click the Add button.

The Add Extended Access Control Entry dialog box appears. For a description of GUI elements, see Add and Edit Extended Access Control Entry Dialog Boxes, page C-56.

Step 7 Select Type.

Access Control Entry—Identifies the entry as an ACE.

Access Control Lists—Identifies the entry as an ACL object. This allows ACL objects that have already been defined to be used in the newly created object.

Step 8 Select whether to permit or deny the traffic.

Step 9 (Optional) Select a color from the Category list to help you readily identify the object. For more information, see Working with Category Objects.

Step 10 Enter the source addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:

Select from the list of available objects, then click >>.

The objects are moved to the selected column.

Click Create to create a new object to use as a source address.

A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.

For more information, see Working with Network/Host Objects.

Step 11 Enter the destination addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:

Select from the list of available objects, then click >>.

The objects are moved to the selected column.

Click Create to create a new object to use as a destination address.

A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.

For more information, see Working with Network/Host Objects.

Step 12 Enter the services or click Select to display a list of services. If the latter, do either of the following, then click OK:

Select from the list of available objects, then click >>.

The objects are moved to the selected column.

Click Create to create a new service object.

A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.

For more information, see Working with Service Objects.

Step 13 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the Access Control Lists table.

Step 14 Click OK to save your changes.

The dialog box closes and you return to the Add Extended Access List dialog box. The new ACE is shown in the table.

Step 15 (Optional) Select a color from the Category list to help you readily identify the object. For more information, see Working with Category Objects.

Step 16 Click OK to save your changes.



Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.


Related Topics

Extended IP ACL Tab, page C-51

Add and Edit Extended Access List Pages, page C-52

Add and Edit Extended Access Control Entry Dialog Boxes, page C-56

Working with Access Control List Objects

Working with Category Objects

Creating Standard Access Control List Objects

Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select Access Control Lists.

The Access Control List page appears. For a description of GUI elements, see Standard IP ACL Tab, page C-59.

Step 3 Click the Standard tab.

Step 4 From the work area, right-click inside the table, then select New Object.

The Add Standard Access List dialog box appears. For a description of GUI elements, see Add and Edit Standard Access List Pages, page C-60.

Step 5 Enter the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 128 characters.

Step 6 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the Access Control Lists table.

Step 7 Right-click inside the table, then click the Add button.

The Add Standard Access Control Entry dialog box appears. For a description of GUI elements, see Add and Edit Standard Access Control Entry Dialog Boxes, page C-62.

Step 8 Select Type.

Access Control Entry—Identifies the entry as an ACE.

Access Control Lists—Identifies the entry as an ACL object. This allows ACL objects that have already been defined to be used in the newly created object.

Step 9 Select whether to permit or deny the traffic.

Step 10 (Optional) Select a color from the Category list to help you readily identify the object. For more information, see Working with Category Objects.

Step 11 Enter the source addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:

Select from the list of available objects, then click >>.

The objects are moved to the selected column.

Click Create to create a new object to use as a source address.

A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.

For more information, see Working with Network/Host Objects.

Step 12 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the Access Control Lists table.

Step 13 Select whether you want logging turned on or off.

Step 14 Click OK to save your changes.

The dialog box closes and you return to the Add Standard Access List dialog box. The new ACE is shown in the table.

Step 15 (Optional) Select a color from the Category list to help you readily identify the object. For more information, see Working with Category Objects.

Step 16 Click OK to save your changes.



Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.
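The following Python example is added to this guide to show what the entries defined in the extended and standard procedures above mean once traffic is evaluated; it is not Security Manager's own code, and the object names, addresses and the "ip" any-protocol convention are constructed for illustration. It models the entry fields (action, source, destination, service, logging) and shows two behaviours the procedures only imply: first-match evaluation with an implicit deny when no entry matches, and in-place expansion of an entry of type Access Control Lists (a previously defined ACL object reused inside the new object).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Iterator, List, Optional, Union

# Constructed model of the fields in the Add Extended/Standard Access Control
# Entry dialog boxes: action, source, destination, service and logging.
# Example code only; it is not Security Manager's implementation.

ANY = ip_network("0.0.0.0/0")


@dataclass
class Service:
    protocol: str                # "ip" matches any protocol (assumed convention)
    port: Optional[int] = None   # destination port; None matches any port

    def matches(self, protocol: str, port: Optional[int]) -> bool:
        if self.protocol == "ip":
            return True
        return self.protocol == protocol and (self.port is None or self.port == port)


@dataclass
class ACE:
    """One Access Control Entry. A standard ACE sets only action, sources and log;
    destinations and services keep their 'any' defaults."""
    action: str                                   # "permit" or "deny"
    sources: List                                 # ip_network objects
    destinations: List = field(default_factory=lambda: [ANY])
    services: List[Service] = field(default_factory=lambda: [Service("ip")])
    log: bool = False


@dataclass
class ACL:
    """An ACL object. An entry of type 'Access Control Lists' is another ACL
    object, expanded in place where it appears in the entry order."""
    name: str
    entries: List[Union[ACE, "ACL"]] = field(default_factory=list)


def flatten(acl: ACL) -> Iterator[ACE]:
    """Yield the ACEs of an ACL in order, expanding nested ACL objects."""
    for entry in acl.entries:
        if isinstance(entry, ACL):
            yield from flatten(entry)
        else:
            yield entry


def evaluate(acl: ACL, src: str, dst: str, protocol: str, port: Optional[int] = None):
    """First-match evaluation. Returns (action, matched_ace, log); a packet that
    matches no entry hits the implicit deny at the end (matched_ace is None)."""
    s, d = ip_address(src), ip_address(dst)
    for ace in flatten(acl):
        if (any(s in n for n in ace.sources)
                and any(d in n for n in ace.destinations)
                and any(svc.matches(protocol, port) for svc in ace.services)):
            return ace.action, ace, ace.log
    return "deny", None, False


# Constructed sample objects using documentation address ranges.
MGMT_HOSTS = ACL("MGMT-HOSTS", [                 # standard ACL object: source only
    ACE("permit", [ip_network("10.1.1.0/24")], log=True),
])

WEB_IN = ACL("WEB-IN", [                         # extended ACL object
    ACE("deny", [ip_network("10.1.1.50/32")], services=[Service("tcp", 22)]),
    MGMT_HOSTS,                                  # the standard object reused as an entry
    ACE("permit", [ANY], [ip_network("192.0.2.10/32")], [Service("tcp", 443)]),
])


def lookup(src: str, dst: str, protocol: str, port: Optional[int] = None):
    """Evaluate WEB-IN; returns (action, hit_implicit_deny, logged)."""
    action, ace, log = evaluate(WEB_IN, src, dst, protocol, port)
    return action, ace is None, log


if __name__ == "__main__":
    for pkt in [("10.1.1.50", "192.0.2.10", "tcp", 22),
                ("10.1.1.7", "192.0.2.10", "tcp", 22),
                ("198.51.100.9", "192.0.2.10", "tcp", 443),
                ("198.51.100.9", "192.0.2.10", "tcp", 80)]:
        print(pkt, "->", lookup(*pkt))
```

Because entries are evaluated in order, the position at which a nested ACL object is inserted matters as much as its contents: the deny for 10.1.1.50 above only takes effect because it precedes the reused MGMT-HOSTS object, and a usage report (see Generating Usage Reports for Access Control List Objects) is the way to find every object in which a nested ACL is expanded before changing it.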


Related Topics

Standard IP ACL Tab, page C-59

Add and Edit Standard Access List Pages, page C-60

Add and Edit Standard Access Control Entry Dialog Boxes, page C-62

Working with Access Control List Objects

Working with Category Objects

Editing Access Control List Objects

You can edit any user-defined Access Control List object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit an access control list object.

Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for Access Control List Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select Access Control Lists.

The Access Control List page appears. For more information, see Access Control Lists Page, page C-49.

Step 3 From the work area, right-click the object, then select Edit Object.

The Edit Extended Access Control Entry dialog box or Edit Standard Access Control Entry dialog box appears. For a description of the GUI elements, see:

Add and Edit Extended Access Control Entry Dialog Boxes, page C-56

Add and Edit Standard Access Control Entry Dialog Boxes, page C-62

Step 4 Follow the procedures for Creating Extended Access Control List Objects or Creating Standard Access Control List Objects to make any changes.

Step 5 Click OK to save your changes.


Related Topics

Extended IP ACL Tab, page C-51

Add and Edit Extended Access List Pages, page C-52

Add and Edit Extended Access Control Entry Dialog Boxes, page C-56

Standard IP ACL Tab, page C-59

Add and Edit Standard Access List Pages, page C-60

Add and Edit Standard Access Control Entry Dialog Boxes, page C-62

Working with Access Control List Objects

Duplicating Access Control List Objects

An alternative to creating objects from scratch is to duplicate an existing object. The new object contains all the attributes of the original object and a default name. You can then modify the name and all object attributes as required.

This procedure describes how to duplicate an Access Control List object.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select Access Control List Objects.

The Access Control List Objects page appears. For more information, see Access Control Lists Page, page C-49.

Step 3 From the work area, right-click the object to duplicate, then select Create Duplicate.

The Add Access Control List Object dialog box appears. The Name field references the original object name and notes that it is a copy. The remaining fields are preconfigured with the same values as the original object.

Step 4 Rename the new object and make the required configuration changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the Access Control List Objects page. The new object information is shown in the table.


Related Topics

Extended IP ACL Tab, page C-51

Add and Edit Extended Access List Pages, page C-52

Add and Edit Extended Access Control Entry Dialog Boxes, page C-56

Standard IP ACL Tab, page C-59

Add and Edit Standard Access List Pages, page C-60

Add and Edit Standard Access Control Entry Dialog Boxes, page C-62

Working with Access Control List Objects

Deleting Access Control List Objects

You can delete user-defined Access Control List objects only when they are not being used by any policies or other objects.


Note You might be prevented from deleting an "unreferenced" object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the objects. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


This procedure describes how to delete Access Control List objects.

Before You Begin

You must delete all references to the Access Control List object before you can remove it from the database. To locate all references to the object, run a usage report. See Generating Usage Reports for Access Control List Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select Access Control Lists.

The Access Control Lists page appears. For more information, see Access Control Lists Page, page C-49.

Step 3 From the work area, right-click the object, then select Delete Object.

You are prompted to confirm the deletion.

Step 4 Click Yes.

The object is removed from the table.

Step 5 (Optional) Verify the deletion of the object by viewing an Audit Report. To generate an Audit Report, select Tools > Audit Report.


Related Topics

Understanding the Policy Object Manager Window

Working with Access Control List Objects

Understanding Audit Reports, page 17-6

Extended IP ACL Tab, page C-51

Standard IP ACL Tab, page C-59

Generating Usage Reports for Access Control List Objects

You might need to edit an object, or delete an object from the Security Manager database. Before making such changes, you should determine if the object is referenced and which policies and devices would be affected by the changes. You can generate a usage report for this purpose.

The usage report indicates whether objects are in use (referenced) by another object, policy, or device. Usage reports contain any references in your current activity, as well as references committed to the Security Manager database.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select Access Control Lists.

The Access Control List Objects page appears. For more information, see Access Control Lists Page, page C-49.

Step 3 From the work area, right-click the object to locate, then select Find Usage.

The Usage Report appears, which includes all references to the object.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the Usage Reports window by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the table.


Related Topics

Object Usage Window, page C-204

Understanding the Policy Object Manager Window

Editing Access Control List Objects

Deleting Access Control List Objects

Extended IP ACL Tab, page C-51

Standard IP ACL Tab, page C-59

Viewing Access Control List Object Details

You can view ACL object information by expanding the tree structure of the Access Control List main page. For a description of the fields in this dialog box, see the following:

Add and Edit Extended Access List Pages, page C-52

Add and Edit Standard Access List Pages, page C-60

Related Topics

Understanding the Policy Object Manager Window

Working with Access Control List Objects

Extended IP ACL Tab, page C-51

Standard IP ACL Tab, page C-59

Working with ASA User Groups

ASA User Groups are group policies that are used to manage Virtual Private Networks (VPN) group policies. A VPN group policy is a collection of user-oriented attribute/value pairs that can be stored internally on the device or externally on a RADIUS server. The group policy information is referenced by VPN tunnel groups and user accounts.

The tunnel group refers to a group policy that sets terms for user connections after the tunnel is established. These set values for users in the aggregate. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.

Groups and users are core concepts in managing the security of VPNs and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. Tunnel groups identify the default group policy for a specific connection.

Tunnel groups and group policies simplify system management. You can create one or more group policies specific to your environment. The default tunnel groups and group policy provide settings that are likely to be common for many users.

Group policies use the following attributes:

Identity—Identifies internal and external policy groups. For external policy groups, you can identify a RADIUS server. You must complete identity information for both internal and external policy group types. If your policy group is an external type, no other tabs are used to configure the policy group. For more information, see Identity Tab.

Defining servers—Defines servers and connection settings. For more information, see General Tab.

Client firewall settings—Configures firewall settings for VPN clients for the group policy being added or modified. For more information, see Client Firewall Attributes Tab.

IPSec settings—Specifies tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For more information, see IPSec Tab.

Hardware client settings—Configures VPN 3002 Hardware Client settings for the group policy being added or modified. For more information, see Hardware Client Tab.

Client configuration settings—Configures client attributes, including the banner text, default domain, split tunnel parameters, Cisco client parameters, and Microsoft client parameters. For more information, see Client Configuration Tab.

The following topics will help you work with ASA Group Policy objects:

Creating ASA User Groups

Editing ASA User Groups

Duplicating ASA User Groups

Deleting ASA User Groups

Generating Usage Reports for ASA User Groups

Viewing ASA User Group Details

Related Topics

Identity Tab

General Tab

IPSec Tab

Client Configuration Tab

Client Firewall Attributes Tab

Hardware Client Tab

Creating ASA User Groups


Tip You can also create ASA User Group objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.


This procedure describes how to create ASA User Group objects.

Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select ASA User Groups.

The ASA User Groups page appears.

Step 3 From the work area, right-click inside the table, then select New Object.

The Add ASA User Group dialog box appears.

Step 4 Enter the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 64 characters.

Step 5 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the ASA User Groups table.

Step 6 Configure settings for any of the following tabs:

Identity—Identifies internal and external policy groups. For external policy groups, you can identify a RADIUS server. You must complete identity information for both internal and external policy group types. If your policy group is an external type, no other tabs are used to configure the policy group. For more information, see Identity Tab.

General—Defines servers and connection settings. For more information, see General Tab.

IPSec—Specifies tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For more information, see IPSec Tab.

Client Configuration—Configures client attributes, including the banner text, default domain, split tunnel parameters, Cisco client parameters, and Microsoft client parameters. For more information, see Client Configuration Tab.

Client Firewall Attributes—Configures firewall settings for VPN clients for the group policy being added or modified. For more information, see Client Firewall Attributes Tab.

Hardware Client—Configures VPN 3002 Hardware Client settings for the group policy being added or modified. For more information, see Hardware Client Tab.



Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.


Related Topics

ASA User Groups Page, page C-64

Identity Tab

General Tab

IPSec Tab

Client Configuration Tab

Client Firewall Attributes Tab

Hardware Client Tab

Identity Tab

The Identity tab is used to specify a name and type for the group policy being added. You must complete identity information for both internal and external policy group types. If your policy group is an external type, no other tabs are used to configure the policy group.

Procedure


Step 1 Enter the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are not permitted. The following special characters are permitted: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 64 characters.

Step 2 Select whether the group policy is assigned to internal or external traffic. The default type is internal. For an external group policy, you must identify the RADIUS server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external server group.

Step 3 If your group policy is an external type, enter the RADIUS server group or click Select, which opens the AAA Server Groups Selector dialog box.


Note For an external group policy, RADIUS is the only supported AAA server type.


Step 4 Select from the list of available objects, then click OK.

The dialog box closes and you return to the Identity tab. The selected AAA server group is shown.

Step 5 Enter the password for the server group.

Step 6 Re-enter the password.

Step 7 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 8 Click OK to save your changes and close the dialog box, or select another tab.


Related Topics

Identity Tab, page C-66

Working with ASA User Groups

General Tab

The General tab is used to define connection settings and servers for the group policy being added or modified.

Procedure


Step 1 Specify the name of the ACL to use for VPN connections. Enter an ACL filter option from the list or click Select, which opens the Access Control Lists Selector dialog box.

Step 2 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected ACL is shown.

Step 3 Enter the primary DNS server or click Select, which opens the Networks/Hosts Selector dialog box.


Note Only host objects are listed in the available objects column.


Step 4 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected DNS server is shown.

Step 5 Enter the secondary DNS server or click Select, which opens the Networks/Hosts Selector dialog box.


Note Only host objects are listed in the available objects column.


Step 6 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected DNS server is shown.

Step 7 Enter the primary WINS server or click Select, which opens the Networks/Hosts Selector dialog box.


Note Only host objects are listed in the available objects column.


Step 8 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected WINS server is shown.

Step 9 Enter the secondary WINS server or click Select, which opens the Networks/Hosts Selector dialog box.


Note Only host objects are listed in the available objects column.


Step 10 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected WINS server is shown.

Step 11 Enter the DHCP Network Scope or click Select, which opens the Networks/Hosts Selector dialog box.


Note Only host objects are listed in the available objects column.


Step 12 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected DHCP server is shown.

Step 13 Set the VPN access hours. Enter the access hours or click Select, which opens the Time Ranges Selector dialog box.

Step 14 Select from the list of available objects, then click OK.

The dialog box closes and you return to the General tab. The selected time range is shown.

Step 15 Specify the number of simultaneous logins allowed for any user. Values are 0-2147483647.


Note While there is no maximum limit to the number of simultaneous logins, allowing several could compromise security and affect performance.


Step 16 Enter the maximum connect time or select Unlimited. Values are 1-35791394 minutes. At the end of this period of time, the security appliance terminates the connection.

Step 17 Enter the idle timeout value, or select Unlimited. Values are 1-35791394 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

Step 18 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

General Tab, page C-68

Working with ASA User Groups

IPSec Tab

The IPSec tab is used to specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. This creates security associations that govern authentication, encryption, encapsulation, and key management.

Procedure


Step 1 (Optional) Select Enable Re-Authentication on IKE Re-Key, which requires users to reauthenticate on IKE rekey.

Reauthentication on IKE rekey is disabled by default. If you enable reauthentication on IKE rekey, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.

Step 2 (Optional) Select Enable IPSec Compression to speed up data transmission rates for remote dial-in users connecting with modems.


Note Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.


Step 3 Select whether to enable Perfect Forward Secrecy (PFS). In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.

Step 4 (Optional) Enter the tunnel group lock name, which restricts remote users to access through the named tunnel group only.

The name specifies an existing tunnel group that the security appliance requires for the user to connect. The lock restricts users by checking whether the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If no group lock is used, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

Step 5 Add client access rules. Right-click the white space inside the table, then select Add Row.

The Add Client Access Rules dialog box appears.

Step 6 Enter the priority value. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.

Step 7 Select whether to permit or deny the traffic.

Step 8 Enter the VPN client device type, which specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

Step 9 Enter the VPN client device version, which specifies the version or versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

Step 10 Click OK to save your changes.

The dialog box closes and you return to the IPSec tab. The new policy is shown in the table.

Step 11 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.
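The following Python example is added here to make the priority semantics of client access rules (Steps 5 through 9 above) concrete; it is not Security Manager or ASA code. The rule set, the client type strings, the "*" wildcard for type and version, and the choice to treat "no matching rule" as deny are all constructed for the example; only the comma-separated version list and "lowest integer wins" come from the procedure.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Constructed model of one row in the Add Client Access Rules dialog box.
# Example code only; the matching conventions are assumptions, not ASA's.


@dataclass
class ClientAccessRule:
    priority: int       # lowest integer = highest priority
    action: str         # "permit" or "deny"
    client_type: str    # VPN client device type; "*" = any type (assumed convention)
    versions: str       # comma-separated version patterns; "*" wildcard (assumed)

    def matches(self, client_type: str, client_version: str) -> bool:
        if self.client_type != "*" and self.client_type != client_type:
            return False
        patterns = [p.strip() for p in self.versions.split(",") if p.strip()]
        return any(fnmatchcase(client_version, p) for p in patterns)


def first_matching_rule(rules: List[ClientAccessRule], client_type: str,
                        client_version: str) -> Optional[ClientAccessRule]:
    """Walk the rules from lowest to highest integer. The first match applies;
    a contradicting rule with a higher integer is never consulted."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(client_type, client_version):
            return rule
    return None


# Constructed rule set. Rule 5 contradicts rule 1 and is therefore ignored.
RULES = [
    ClientAccessRule(9, "deny", "*", "*"),                 # catch-all, lowest priority
    ClientAccessRule(1, "deny", "Windows", "4.0*, 4.1*"),  # block old software clients
    ClientAccessRule(5, "permit", "Windows", "4.0*"),      # contradicts rule 1; ignored
    ClientAccessRule(2, "permit", "Windows", "*"),
    ClientAccessRule(3, "permit", "VPN 3002", "*"),
]


def decide(client_type: str, client_version: str,
           rules: List[ClientAccessRule] = RULES) -> Tuple[str, Optional[int]]:
    """Return (action, priority of the rule that applied).
    No matching rule yields ("deny", None): a conservative default chosen
    for this example, not a statement about the security appliance."""
    rule = first_matching_rule(rules, client_type, client_version)
    if rule is None:
        return "deny", None
    return rule.action, rule.priority


if __name__ == "__main__":
    for client in [("Windows", "4.0.5"), ("Windows", "5.0.2"),
                   ("VPN 3002", "4.7.1"), ("Linux", "4.8")]:
        print(client, "->", decide(*client))
```

Ordering the rows by integer before reading them, as the function does, is the quickest way to review a rule table for a deny that is silently shadowed by an earlier permit (or the reverse).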



Related Topics

IPSec Tab, page C-70

Working with ASA User Groups

Client Configuration Tab

The Client Configuration tab is used to configure client attributes, including the banner text, default domain, split tunnel parameters, Cisco client parameters, and Microsoft client parameters.

Procedure


Step 1 Specify the banner, or welcome message, to display.

The message that you specify is displayed on remote clients when they connect. The banner text can be a maximum of 500 characters. Enter the "\n" sequence to insert a carriage return, which counts as two characters. The default is no banner.

Step 2 Identify the default domain name.

The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets.

Step 3 Set the rules for tunneling traffic by specifying the split-tunneling policy.

Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to a specific network.

Step 4 Enter a list of domains to be resolved through the split tunnel.

Enter a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

Step 5 Select the tunnel policy from the list. Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network.

Tunnel All Networks—(Default) Specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks.

Tunnel Network List Below—Tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.

Exclude Network List Below—Defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

Step 6 Enter the access control list or click Select, which opens the Access Control Lists Selector dialog box. Select from the list of available objects, then click OK. Only one object can be selected.

The dialog box closes and you return to the Client Configuration tab. The selected ACL is shown.

Step 7 Select Store Password on Client System to allow users to store their login passwords on the client system.

Enable password storage only on systems that you know to be in secure sites.


Note This feature is not supported on all EzVPN remote platforms. Check your platform to see if this feature is supported for your EzVPN remote.


Step 8 Select Enable IPSec over UDP to permit a Cisco VPN client to connect via UDP to a security appliance that is running NAT. The Cisco VPN client must also be configured to use IPSec over UDP, which is configured by default.

IPSec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The security appliance exchanges configuration parameters with the client while negotiating SAs. Using IPSec over UDP may slightly degrade system performance.

Step 9 Enter the port value for IPSec over UDP.

In IPSec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. Port values are 4001-49151.

Step 10 Select the method used for IPSec backup server configuration.

Keep Client Configuration—(Default) Specifies that the security appliance sends no backup server information to the client. The client uses its own backup server list, if configured.

Clear Client Configuration—Specifies that the client uses no backup servers. The security appliance pushes a null server list.

Use the Backup Servers Below—Enables you to configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.

Step 11 If you opted to use backup servers, enter backup server IP addresses or click Select, which opens the Network/Hosts Selector dialog box. Do one of the following, then click OK:

Select the available objects, then click >>.

The objects are moved to the selected column.

Create a new object by clicking the Create button.

A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.


Note We recommend that you select each host instead of selecting a network list containing all required host addresses.


Step 12 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.
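The following Python example is added here to illustrate the split tunneling policy (Step 5), the network list it consults (Step 6), and the limits on the split DNS domain list (Step 4); it is not Security Manager or ASA code. The network lists, addresses and domain names are constructed, and the policy names are simply the option labels from the tab used as strings.

```python
import re
from ipaddress import ip_address, ip_network
from typing import List

# Constants named after the Split Tunnel Policy options in the Client
# Configuration tab. Example code only; not Security Manager's implementation.
TUNNEL_ALL = "Tunnel All Networks"
TUNNEL_LIST = "Tunnel Network List Below"
EXCLUDE_LIST = "Exclude Network List Below"


def split_tunnel_path(policy: str, network_list, destination: str) -> str:
    """Return "tunnel" if a packet to destination is encrypted and sent over the
    IPSec tunnel, or "clear" if it leaves the client's local interface in clear text."""
    dest = ip_address(destination)
    in_list = any(dest in net for net in network_list)
    if policy == TUNNEL_ALL:
        return "tunnel"                       # split tunneling disabled
    if policy == TUNNEL_LIST:
        return "tunnel" if in_list else "clear"
    if policy == EXCLUDE_LIST:
        return "clear" if in_list else "tunnel"
    raise ValueError(f"unknown split-tunneling policy: {policy}")


_DOMAIN_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_split_dns(domains: str) -> List[str]:
    """Validate the single-space-separated split DNS list against the limits the
    tab states: whole string at most 255 characters, only alphanumerics, '-' and '.'."""
    if len(domains) > 255:
        raise ValueError("split DNS list exceeds 255 characters")
    entries = domains.split(" ")
    for entry in entries:
        if not _DOMAIN_CHARS.match(entry):
            raise ValueError(f"invalid domain entry: {entry!r}")
    return entries


def is_valid_split_dns(domains: str) -> bool:
    """True when parse_split_dns accepts the string."""
    try:
        parse_split_dns(domains)
        return True
    except ValueError:
        return False


def dns_path(split_domains: List[str], qname: str) -> str:
    """Queries for names inside a split DNS domain resolve through the tunnel;
    everything else uses the client's local resolver."""
    q = qname.lower().rstrip(".")
    for domain in split_domains:
        d = domain.lower()
        if q == d or q.endswith("." + d):
            return "tunnel"
    return "clear"


# Constructed lists: the ACL behind "Tunnel Network List Below" and the local
# LAN a remote user might exclude to reach a printer.
CORP_NETS = [ip_network("10.20.0.0/16"), ip_network("192.0.2.0/24")]
LOCAL_NETS = [ip_network("192.168.1.0/24")]

if __name__ == "__main__":
    for policy, nets in [(TUNNEL_ALL, []), (TUNNEL_LIST, CORP_NETS), (EXCLUDE_LIST, LOCAL_NETS)]:
        for dst in ("10.20.3.4", "192.168.1.10", "203.0.113.5"):
            print(f"{policy:28} {dst:14} -> {split_tunnel_path(policy, nets, dst)}")
    print(dns_path(parse_split_dns("corp.example.com lab.example.com"), "host.corp.example.com"))
```

The two list-based policies are mirror images: with Tunnel Network List Below a destination missing from the ACL silently goes in the clear, whereas with Exclude Network List Below a destination missing from the ACL is tunneled, so reviewing which policy a group uses together with the contents of its ACL object shows exactly which traffic leaves the remote PC unencrypted.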



Related Topics

Client Configuration Tab, page C-74

Working with ASA User Groups

Client Firewall Attributes Tab

The Client Firewall Attributes tab lets you configure firewall settings for VPN clients for the group policy being added or modified.


Note Only VPN clients running Microsoft Windows can use these firewall features. The features are currently not available to hardware clients or other (non-Windows) software clients.


A firewall isolates and protects a computer from the Internet by inspecting each individual inbound and outbound packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose from the following possible firewall options:

Policy defined by remote firewall (AYT)

For example, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. This firewall enforcement mechanism is called Are You There (AYT) because the VPN client monitors the firewall by sending it periodic are you there messages. If no reply is received, the VPN client knows the firewall is down and terminates its connection to the security appliance.

Policy pushed (CPP)

For example, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then passes the policy to the local firewall, which enforces it.

Procedure


Step 1 Select the firewall setting.

No Firewall—No firewall exists. None of the remaining fields on the page are active.

Firewall Required—A firewall exists and is required. All users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.

If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.

Firewall Optional—A firewall exists and is optional. This is beneficial if you have remote users in this group who do not yet have firewall capacity. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users who connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Step 2 Select the firewall type. The list includes firewalls from several vendors, including Cisco. If you select Custom Firewall, the fields in the Custom Firewall and Firewall Policy group boxes become active. The firewall you designate must correlate with the firewall policies available; the specific firewall you configure determines which firewall policy options are supported.

If you selected Custom Firewall, go to Step 3.

If you selected Cisco Integrated Client Firewall, go to Step 4.

For all other selections, go to Step 5.

Step 3 For Custom Firewall:

a. Enter the vendor ID, which specifies the vendor of the custom firewall being configured for this group policy.

b. Enter the product ID, which specifies the product or model name of the custom firewall being configured for this group policy.

c. (Optional) Enter a description to help you identify the hardware.

Step 4 For Cisco Integrated Client Firewall:

a. Select Policy Defined by Remote Firewall (AYT) when the client PC firewall application controls the firewall policy. The security appliance checks to make sure that the firewall is running. It asks, "Are You There?" If there is no response, the security appliance tears down the tunnel.

b. Select Policy Pushed (CPP) to specify Policy Pushed as the source of the VPN client firewall policy.

c. Select Inbound Traffic Policy to provide the policy the client uses for inbound traffic. Enter the ACL in the field provided or click Select, which opens the Access Control Lists selector from which you can make your selection. If the latter, do one of the following, then click OK:

Select from the list of available objects, then click OK.

Click the Add button to create a new extended ACL. For more information, see Working with Access Control List Objects.

d. Select Outbound Traffic Policy to provide the policy the client uses for outbound traffic. Enter the ACL in the field provided or click Select, which opens the Access Control Lists selector from which you can make your selection. If the latter, do one of the following, then click OK:

Select from the list of available objects, then click OK.

Click the Add button to create a new extended ACL. For more information, see Working with Access Control List Objects.

Step 5 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

Client Firewall Attributes Tab, page C-77

Working with ASA User Groups

Hardware Client Tab

The Hardware Client tab is used to configure VPN 3002 Hardware Client settings for the group policy being added or modified.

Procedure


Step 1 (Optional) Select Require Interactive Client Authentication to provide additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. With this feature enabled, the hardware client does not have a saved username and password. Secure unit authentication is disabled by default.

Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware clients use.


Note If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.


Step 2 (Optional) Select Require Individual User Authentication to require that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure. User authentication is disabled by default.


Note This option is applicable only to EzVPN S2S, and only on certain EzVPN remotes. PIX 6.3 and VPN 3000 hardware clients support this option.



Note If you require user authentication on the primary security appliance, be sure to configure it on any backup servers as well.


Step 3 (Optional) Select Enable Cisco IP Phone Bypass to allow IP phones behind hardware clients to connect without undergoing user authentication processes. IP Phone Bypass is disabled by default. If enabled, secure unit authentication remains in effect.

Step 4 (Optional) Select Enable LEAP Bypass to allow LEAP packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication. LEAP Bypass is disabled by default.


Note This feature does not work as intended if you enable interactive hardware client authentication.


Step 5 (Optional) Select Allow Network Extension Mode, which lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Therefore, devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Step 6 Enter the user idle timeout value or select Unlimited. Values are 1-35791394 minutes. If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the client's access.

Step 7 Click OK to save your changes.


Note Settings are not saved to the database until you click OK.
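The settings on the Client Configuration tab (backup servers, IPSec over UDP port), the Client Firewall Attributes tab (AYT versus CPP, custom vendor and product IDs) and the Hardware Client tab (secure unit authentication, LEAP Bypass, idle timeout) each carry constraints that are easy to violate when they are spread across several dialogs. The Python model below is an added example, not Security Manager or Cisco code: it restates those constraints as a pre-commit check and answers whether a given client kind can connect under the group's firewall setting. The dataclass field names, the string values used for the settings, and the `tunnel_group_has_auth_servers` flag (standing in for the state of the tunnel group) are assumptions of this model.

```python
"""Pre-commit consistency checks for an ASA user group's Client Configuration,
Client Firewall Attributes and Hardware Client tabs. Added example: the field
names are this model's assumptions; each rule restates a constraint from the
tab descriptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPSEC_UDP_PORT_RANGE = (4001, 49151)   # Client Configuration tab
IDLE_TIMEOUT_RANGE = (1, 35791394)     # Hardware Client tab, minutes


@dataclass(frozen=True)
class ClientFirewall:
    setting: str = "none"                    # "none" | "required" | "optional"
    firewall_type: str = "cisco-integrated"  # "cisco-integrated" | "custom" | other vendor
    policy: Optional[str] = None             # "ayt" | "cpp" (Cisco Integrated only)
    acl_in: Optional[str] = None             # CPP inbound traffic policy ACL
    acl_out: Optional[str] = None            # CPP outbound traffic policy ACL
    vendor_id: Optional[int] = None          # custom firewall only
    product_id: Optional[int] = None         # custom firewall only


@dataclass(frozen=True)
class HardwareClient:
    secure_unit_auth: bool = False       # Require Interactive Client Authentication
    user_auth: bool = False              # Require Individual User Authentication
    ip_phone_bypass: bool = False
    leap_bypass: bool = False
    network_extension_mode: bool = False
    idle_timeout_minutes: Optional[int] = None   # None means Unlimited


@dataclass(frozen=True)
class UserGroup:
    name: str
    ipsec_udp_port: Optional[int] = None    # None: IPSec over UDP not used
    backup_mode: str = "keep"               # "keep" | "clear" | "list"
    backup_servers: Tuple[str, ...] = ()
    firewall: ClientFirewall = ClientFirewall()
    hardware: HardwareClient = HardwareClient()
    # Assumption: whether the tunnel group used by the hardware clients already
    # has an authentication server group (required for secure unit authentication).
    tunnel_group_has_auth_servers: bool = True


def validate(g: UserGroup) -> List[str]:
    """Return human-readable problems; an empty list means the tabs are consistent."""
    problems: List[str] = []
    lo, hi = IPSEC_UDP_PORT_RANGE
    if g.ipsec_udp_port is not None and not lo <= g.ipsec_udp_port <= hi:
        problems.append(f"IPSec over UDP port {g.ipsec_udp_port} is outside {lo}-{hi}")
    if g.backup_mode not in ("keep", "clear", "list"):
        problems.append(f"unknown backup server mode {g.backup_mode!r}")
    elif g.backup_mode == "list" and not g.backup_servers:
        problems.append("'Use the Backup Servers Below' selected but no servers listed")
    fw = g.firewall
    if fw.setting not in ("none", "required", "optional"):
        problems.append(f"unknown firewall setting {fw.setting!r}")
    elif fw.setting != "none":
        if fw.firewall_type == "custom":
            if fw.vendor_id is None or fw.product_id is None:
                problems.append("custom firewall needs both a vendor ID and a product ID")
        elif fw.firewall_type == "cisco-integrated":
            if fw.policy not in ("ayt", "cpp"):
                problems.append("Cisco Integrated Client Firewall needs AYT or CPP as policy source")
            elif fw.policy == "cpp" and not (fw.acl_in and fw.acl_out):
                problems.append("CPP needs both an inbound and an outbound traffic policy ACL")
    hw = g.hardware
    if hw.secure_unit_auth and not g.tunnel_group_has_auth_servers:
        problems.append("secure unit authentication needs an authentication server group "
                        "on the tunnel group the hardware clients use")
    if hw.leap_bypass and hw.secure_unit_auth:
        problems.append("LEAP Bypass does not work as intended when interactive "
                        "hardware client authentication is enabled")
    lo, hi = IDLE_TIMEOUT_RANGE
    if hw.idle_timeout_minutes is not None and not lo <= hw.idle_timeout_minutes <= hi:
        problems.append(f"user idle timeout {hw.idle_timeout_minutes} is outside {lo}-{hi} minutes")
    return problems


def can_connect(g: UserGroup, client_kind: str) -> Tuple[bool, str]:
    """client_kind is "windows-vpn-client", "non-windows-vpn-client" or
    "hardware-client"; only Windows VPN Clients can satisfy a required firewall."""
    setting = g.firewall.setting
    if setting == "none":
        return True, "no client firewall enforced"
    if client_kind != "windows-vpn-client":
        if setting == "required":
            return False, "firewall required: only Windows VPN Clients can satisfy it"
        return True, "firewall optional: connects, but cannot use the firewall features"
    if setting == "required":
        return True, "connects only if the designated firewall is installed and running"
    return True, "connects; warned if no firewall is running"
```

Running `validate()` on a group before clicking OK on the last tab surfaces the cross-tab conflicts the dialogs do not flag for each other, in particular a Firewall Required setting on a group that also contains VPN 3002 hardware clients, which `can_connect()` reports as unable to connect.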



Related Topics

Hardware Client Attributes Tab, page C-81

Working with ASA User Groups

Editing ASA User Groups

You can edit any user-defined ASA User Group object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit an ASA User Group object.

Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for User Group Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select ASA User Groups.

The ASA User Groups page appears.

Step 3 From the work area, right-click the object, then select Edit Object.

The Edit ASA User Group dialog box appears.

Step 4 Follow the procedure for Creating ASA User Groups when making any changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the ASA User Groups page. The new object information is shown in the table.


Related Topics

ASA User Groups Page, page C-64

Working with ASA User Groups

Duplicating ASA User Groups

An alternative to creating objects from scratch is to duplicate an existing object. The new object contains all the attributes of the original object and a default name. You can then modify the name and all object attributes as required.

This procedure describes how to duplicate an ASA User Group object.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 Select ASA User Groups from the Object Type selector.

The ASA User Groups page appears.

Step 3 From the work area, right-click the object to duplicate, then select Create Duplicate.

The Add ASA User Group dialog box appears. The Name field references the original object name from which the new object is copied and notes that it is a copy. The remaining fields are preconfigured with the same values as the copied object.

Step 4 Rename the new object and make the required configuration changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the ASA User Groups page. The new object information is shown in the table.


Related Topics

ASA User Groups Page, page C-64

Working with ASA User Groups

Deleting ASA User Groups

You can delete user-defined ASA User Group objects only when they are not being used by any policies or other objects.


Note You might be prevented from deleting an "unreferenced" object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the objects. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


This procedure describes how to delete ASA User Group objects.

Before You Begin

You must delete all references to the ASA User Group object before you can remove it from the database. To locate all references to the object, run a usage report. See Generating Usage Reports for ASA User Groups.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select ASA User Groups.

The ASA User Groups page appears.

Step 3 From the work area, right-click the object, then select Delete Object.

You are prompted to confirm the delete.

Step 4 Click Yes.

The object is removed from the table.

Step 5 (Optional) Verify the deletion of the object by viewing an Audit Report. To generate an Audit Report, select Tools > Audit Report.


Related Topics

Understanding the Policy Object Manager Window

Working with ASA User Groups

Understanding Audit Reports, page 17-6

Generating Usage Reports for ASA User Groups

You might need to edit an object, or delete an object from the Security Manager database. Before making such changes, you should determine if the object is referenced and which policies and devices would be affected by the changes. You can generate a usage report for this purpose.

The usage report indicates whether objects are in use (referenced) by another object, policy, or device (in case of device override). Usage reports contain any references in your current activity, as well as references committed to the Security Manager database.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select ASA User Groups.

The ASA User Groups page appears.

Step 3 From the work area, right-click the object to locate, then select Find Usage.

The Usage Report appears, which includes all references to the object.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the Usage Reports window by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the table.


Related Topics

Object Usage Window, page C-204

Understanding the Policy Object Manager Window

Editing ASA User Groups

Deleting ASA User Groups

Viewing ASA User Group Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select ASA User Groups.

The ASA User Groups page appears.

Step 3 In the work area, right-click the object to view, then select View Object.

The Edit ASA User Group dialog box is displayed in read-only mode with the latest setting information that has been committed to the Security Manager database. For a description of the fields in this dialog box, see the following:

Identity Tab, page C-66

General Tab, page C-68

IPSec Tab, page C-70

Add and Edit Client Access Rules Dialog Boxes, page C-73

Client Configuration Tab, page C-74

Client Firewall Attributes Tab, page C-77

Hardware Client Attributes Tab, page C-81


Related Topics

Understanding the Policy Object Manager Window

Working with ASA User Groups

ASA User Groups Page, page C-64

Working with Category Objects

The categories feature provides an intermediate level of detail to objects, which helps you easily identify rules and objects in rules tables through the use of color. You can assign a category to a rule or object when you create the rule, or you can edit the rule or object to include category information later.

Default categories and color combinations are provided; however, you can edit these predefined categories, if required.

The benefits of using category objects are:

Visibility is improved when you view rules tables using objects that are color-coded.

Objects can be filtered in the rules tables, facilitating rule maintenance.

For example, you might want to create a network/host object and keep track of its use for administrative purposes. When you define this network/host object, you associate it with a category. When you view the access rules table, you can easily identify those rules that use your network/host object. You can also filter the table to display only those items associated with the category.

The following topic describes how to work with category objects:

Editing Category Objects

Related Topics

Understanding the Policy Object Manager Window

Managing Objects

Editing Category Objects

You can edit the name and description of each predefined category object. These names and descriptions make it easier to identify the purpose of the category when it appears in various rules tables.

This procedure describes how to edit a category object.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select Categories from the Object Type selector.

Step 3 In the work area, right-click an object, then select Edit Object.

The Category Editor dialog box appears. For a description of the fields in this dialog box, see Table C-45 on page C-85.

Step 4 Modify the names and descriptions of the predefined category objects, as required. Names can have a maximum of 128 characters, including special characters and spaces. Descriptions can have a maximum of 1024 characters.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the ASA User Groups page. The new object information is shown in the table.


Related Topics

Understanding the Policy Object Manager Window

Working with Category Objects

Working with FlexConfig Objects

FlexConfig objects are reusable, named components that can be referenced by other objects and policies. You create FlexConfig objects by entering configuration commands, either with or without additional scripting language instructions, in the FlexConfig Editor.

Because of their complexity and interdependency, FlexConfig objects are described with FlexConfig policies. For more information, see Chapter 16, "Managing FlexConfigs."

These topics help you create, duplicate, edit, view, generate usage reports for, and delete FlexConfig objects:

Creating FlexConfig Objects

Duplicating FlexConfig Objects

Editing FlexConfig Objects

Viewing FlexConfig Objects

Generating Usage Reports for FlexConfig Objects

Deleting FlexConfig Objects

Creating FlexConfig Objects

You can create FlexConfig objects to configure features on devices that are not directly supported by Security Manager. For more information about FlexConfigs, see Chapter 16, "Managing FlexConfigs."


Tip You can also create FlexConfig objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.


This procedure describes how to create FlexConfig objects.

Before You Begin

Read and understand Guidelines for Managing Objects.

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices. Therefore, ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.

If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, it is not recommended to use beginning and ending commands to configure interfaces.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select FlexConfigs from the Object Type selector.

The Policy Object Manager window appears.

Step 3 Right-click inside the work area, then click New Object.

The Add FlexConfig Object dialog box appears. See Table C-47 on page C-88 for a description of the fields in this dialog box.

Step 4 Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

FlexConfig Editor Dialog Box, page C-87

Understanding the Policy Object Manager Window

Working with FlexConfig Objects

Duplicating FlexConfig Objects

An alternative to creating policy objects from scratch is to duplicate an existing object. The new object contains all attributes of the copied object and a default name. You can then modify the name and all attributes as required.

Duplicating is particularly useful for creating new objects that are based on predefined objects that cannot be edited.

This procedure describes how to duplicate a FlexConfig object.

Before You Begin

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices. Therefore, ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.

If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, it is not recommended to use beginning and ending commands to configure interfaces.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select FlexConfigs from the objects selector.

The Policy Object Manager dialog box appears.

Step 3 In the work area, right-click the object you want to duplicate, then select Create Duplicate.

Step 4 The FlexConfig Editor dialog box appears. The name field contains the following default name for the new object: Copy of name of copied object. The remaining fields contain values that are the same as those for the copied object. For a description of the fields in this dialog box, see Table C-47 on page C-88.

Step 5 Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

FlexConfig Editor Dialog Box, page C-87

Working with FlexConfig Objects

Understanding FlexConfigs, page 16-1

Editing FlexConfig Objects

You can edit any user-defined FlexConfig object as required. Changes that you make to the object are reflected in all policies that use the object.


Tip You can also edit FlexConfig objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.


This procedure describes how to edit a FlexConfig object.

Before You Begin

Generate a usage report to determine if the object is being used and which policies, objects, and devices would be affected by the changes. See Generating Usage Reports for FlexConfig Objects.

Security Manager does not manipulate or validate your commands; it simply deploys them to the devices. Therefore, ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.

If there is more than one set of commands for an interface, only the last set of commands will be deployed. Therefore, it is not recommended to use beginning and ending commands to configure interfaces.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select FlexConfigs from the objects selector.

The Policy Object Manager dialog box appears.

Step 3 In the work area, right-click the object you want to edit, then select Edit Object.

The FlexConfig Editor dialog box appears. For a description of the fields in this dialog box, see Table C-47 on page C-88.

Step 4 Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

FlexConfig Editor Dialog Box, page C-87

Working with FlexConfig Objects

Understanding FlexConfigs, page 16-1

Viewing FlexConfig Objects

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window, or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select FlexConfigs from the objects selector.

The Policy Object Manager dialog box appears.

Step 3 In the work area, right-click the object that you want to view configuration details for, then select View Object.

The FlexConfig Editor dialog box appears in read-only mode. For a description of the fields in this dialog box, see Table C-47 on page C-88.


Related Topics

FlexConfig Editor Dialog Box, page C-87

Working with FlexConfig Objects

Understanding FlexConfigs, page 16-1

Generating Usage Reports for FlexConfig Objects

Before you make any changes, you should determine if the FlexConfig object is referenced and which policies and devices would be affected by any changes. You can do this by generating a usage report that shows which policies, objects, and devices are using the selected object. Usage reports contain any references to the selected object in your current activity as well as references found in the data committed to the Security Manager database.

This procedure describes how to generate a usage report.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select FlexConfigs from the objects selector.

The Policy Object Manager dialog box appears.

Step 3 In the work area, right-click the object for which you want to generate a report, then select Find Usage.

The usage report appears, displaying all references to the object.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the usage reports by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the report.


Related Topics

Object Usage Window, page C-204

Working with FlexConfig Objects

Understanding FlexConfigs, page 16-1

Deleting FlexConfig Objects

This procedure describes how to delete FlexConfig objects. You can delete FlexConfig objects that you or others define, but you cannot delete sample FlexConfig objects that are shipped with Security Manager. In addition, you can delete objects only when they are not being referenced by policies or other objects and when you have the correct permissions.


Note You might be prevented from deleting an unreferenced object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the objects. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


This procedure describes how to delete FlexConfig objects.

Before You Begin

Generate a usage report to determine if the object is referenced and which policies, objects, or devices would be affected by the deletion. See Generating Usage Reports for FlexConfig Objects.

You need to remove all references to the object before you can delete it.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select FlexConfigs from the objects selector.

The Policy Object Manager dialog box appears.

Step 3 In the work area, right-click the user-defined object, then select Delete Object.


Note You can select multiple objects by pressing Ctrl and clicking on the desired objects.


Step 4 When prompted, click Yes to confirm the deletion.

Step 5 To verify that the object was deleted, select Tools > Audit Report and view the generated report.


Related Topics

Working with FlexConfig Objects

Understanding FlexConfigs, page 16-1

Generating the Audit Report, page 17-7

Working with FTP Map Objects

An FTP map object lets you change the default configuration values used for FTP application inspection. From the FTP Map page, you can create, view, and manage FTP inspect maps.

FTP is a common protocol used for transferring files over a TCP/IP network, such as the Internet. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.

The following topics will help you work with FTP Map objects:

Creating FTP Map Objects

Editing FTP Map Objects

Duplicating FTP Map Objects

Deleting FTP Map Objects

Generating Usage Reports for FTP Map Objects

Viewing FTP Map Object Details

Creating FTP Map Objects

Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select FTP Maps.

The FTP Maps page appears.

Step 3 From the work area, right-click inside the table, then select New Object.

The Add FTP Map dialog box appears.

Step 4 Enter the name of the FTP Map object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 128 characters.

Step 5 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the FTP Maps table.

Step 6 Select the check box for any of the following:

Mask Reply to System Command—When selected, hides the FTP server response from clients.

Append to a file (APPE)—Disallows the command that appends to a file.

Change to Parent of Current Directory (CDUP)—Disallows the command that changes to the parent directory of the current working directory.

Delete a File at Server Site (DELE)—Disallows the command that deletes a file.

Help Information from Server (HELP)—Disallows the command that provides help information.

Create a Directory (MKD)—Disallows the command that creates a directory.

Retrieve a File (RETR)—Disallows the command that gets a file.

Remove a Directory (RMD)—Disallows the command that deletes a directory.

Rename From (RNFR)—Disallows the command that specifies the rename-from filename.

Rename To (RNTO)—Disallows the command that specifies the rename-to filename.

Specify Server Specific Command (SITE)—Disallows the commands that are specific to the server system. Usually used for remote administration.

Store a File (PUT)—Disallows the command for sending a file to the server.

Store a File with Unique Name (STOU)—Disallows the command that stores a file using a unique filename.

Step 7 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 8 Click OK to save your changes.

The dialog box closes and you return to the FTP Maps page. The new object information is shown in the table.



Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.
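Each check box in Step 6 corresponds to one FTP control-channel verb that the security appliance refuses to pass once the map is applied. The Python model below is an added example, not Security Manager or ASA code: it applies an FTP map to a constructed control-channel transcript and reports which requests are denied and how the reply to the system command is masked. Assumptions of this model: "Store a File (PUT)" is the STOR verb on the wire, "Mask Reply to System Command" refers to the reply to SYST, and masking is modelled as replacing the reply text with X characters. The real inspection engine works on the TCP stream and also tracks the data channel, which this model ignores.

```python
"""Model of an FTP inspection map applied to a control-channel transcript.

Added example with constructed data. The verb table restates the Step 6 check
boxes; mapping the dialog's "PUT" to STOR and X-masking the SYST reply are
assumptions of this model."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# FTP request verb -> the check-box label that disallows it.
REQUEST_COMMANDS = {
    "APPE": "Append to a file",
    "CDUP": "Change to parent of current directory",
    "DELE": "Delete a file at server site",
    "HELP": "Help information from server",
    "MKD": "Create a directory",
    "RETR": "Retrieve a file",
    "RMD": "Remove a directory",
    "RNFR": "Rename from",
    "RNTO": "Rename to",
    "SITE": "Server-specific command",
    "STOR": "Store a file (PUT)",
    "STOU": "Store a file with unique name",
}
DIALOG_ALIASES = {"PUT": "STOR"}   # assumption: the dialog's PUT is the STOR verb


@dataclass(frozen=True)
class FtpMap:
    name: str
    denied: FrozenSet[str]
    mask_reply_to_syst: bool = False


def make_ftp_map(name: str, denied: Iterable[str], mask_reply_to_syst: bool = False) -> FtpMap:
    """Build a map from check-box style verb names, rejecting verbs the map cannot filter."""
    verbs = frozenset(DIALOG_ALIASES.get(v.upper(), v.upper()) for v in denied)
    unknown = verbs - frozenset(REQUEST_COMMANDS)
    if unknown:
        raise ValueError(f"not an FTP map request command: {sorted(unknown)}")
    return FtpMap(name, verbs, mask_reply_to_syst)


Line = Tuple[str, str]            # ("C", "STOR file") from client, ("S", "230 ...") from server
Verdict = Tuple[str, str, str]    # (direction, line as forwarded, "allow" | "deny" | "mask")


def inspect_session(ftp_map: FtpMap, session: Iterable[Line]) -> List[Verdict]:
    """Apply the map line by line, tracking whether the next server reply answers SYST."""
    verdicts: List[Verdict] = []
    awaiting_syst_reply = False
    for direction, line in session:
        if direction == "C":
            verb = line.split(None, 1)[0].upper()
            if verb in ftp_map.denied:
                # The request never reaches the server, so no reply state changes.
                verdicts.append((direction, line, "deny"))
                continue
            awaiting_syst_reply = verb == "SYST"
            verdicts.append((direction, line, "allow"))
        elif awaiting_syst_reply and ftp_map.mask_reply_to_syst:
            code, _, body = line.partition(" ")
            verdicts.append((direction, f"{code} {'X' * len(body)}", "mask"))
            awaiting_syst_reply = False
        else:
            verdicts.append((direction, line, "allow"))
            awaiting_syst_reply = False
    return verdicts


def denied_requests(verdicts: List[Verdict]) -> List[str]:
    """Client requests the map stopped from reaching the FTP server."""
    return [line for _, line, verdict in verdicts if verdict == "deny"]


# Constructed control-channel transcript; no real host is involved.
SAMPLE_SESSION: List[Line] = [
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS example"), ("S", "230 Login successful"),
    ("C", "SYST"), ("S", "215 UNIX Type: L8"),
    ("C", "RETR report.pdf"), ("S", "150 Opening BINARY mode data connection"),
    ("C", "STOR upload.bin"),
    ("C", "SITE CHMOD 777 upload.bin"),
    ("C", "QUIT"), ("S", "221 Goodbye"),
]

if __name__ == "__main__":
    no_writes = make_ftp_map("no-writes", ["PUT", "STOU", "APPE", "DELE", "SITE"],
                             mask_reply_to_syst=True)
    for direction, line, verdict in inspect_session(no_writes, SAMPLE_SESSION):
        print(f"{direction} {verdict:5} {line}")
```

A map that denies the write verbs (PUT/STOR, STOU, APPE, DELE) and SITE while still allowing RETR is the common way to expose a download-only FTP server through the appliance; the model shows that downloads pass untouched while the upload and SITE requests are stopped, and that masking the SYST reply withholds the operating system banner from clients.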


Related Topics

FTP Maps Page, page C-94

Working with FTP Map Objects

Editing FTP Map Objects

You can edit any user-defined FTP Map object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit an FTP Map object.

Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for FTP Map Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select FTP Maps.

The FTP Maps page appears.

Step 3 From the work area, right-click the object, then select Edit Object.

The Edit FTP Map dialog box appears.

Step 4 Follow the procedure for Creating FTP Map Objects when making any changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the FTP Maps page. The new object information is shown in the table.


Related Topics

Add and Edit FTP Map Dialog Boxes, page C-96

Working with FTP Map Objects

Duplicating FTP Map Objects

An alternative to creating objects from scratch is to duplicate an existing object. The new object contains all the attributes of the original object and a default name. You can then modify the name and all object attributes as required.

This procedure describes how to duplicate an FTP Map object.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select FTP Maps.

The FTP Maps page appears.

Step 3 From the work area, right-click the object to duplicate, then select Create Duplicate.

The Add FTP Map Object dialog box appears. The Name field references the original object name from which the new object is copied and notes that it is a copy. The remaining fields are preconfigured with the same values as the copied object.

Step 4 Rename the new object and make any needed changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the FTP Maps page. The new object information is shown in the table.


Related Topics

FTP Maps Page, page C-94

Working with FTP Map Objects

Deleting FTP Map Objects

You can delete user-defined FTP Map objects only when they are not being used by any policies or other objects.


Note You might be prevented from deleting an "unreferenced" object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the objects. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


This procedure describes how to delete FTP Map objects.

Before You Begin

You must delete all references to the FTP Map object before you can remove it from the database. To locate all references to the object, run a usage report. See Generating Usage Reports for FTP Map Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select FTP Maps.

The FTP Maps page appears.

Step 3 From the work area, right-click the object to delete, then select Delete Object.

You are prompted to confirm the delete.

Step 4 Click Yes.

The object is removed from the table.

Step 5 (Optional) Verify the deletion of the object by viewing an Audit Report. To generate an Audit Report, select Tools > Audit Report.


Related Topics

Understanding the Policy Object Manager Window

Working with FTP Map Objects

Understanding Audit Reports, page 17-6

Generating Usage Reports for FTP Map Objects

You might need to edit an object, or delete an object from the Security Manager database. Before making such changes, you should determine if the object is referenced and which policies and devices would be affected by the changes. You can generate a usage report for this purpose.

The usage report indicates whether objects are in use (referenced) by another object, policy, or device (in case of device override). Usage reports contain any references in your current activity, as well as references committed to the Security Manager database.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select FTP Maps.

The FTP Maps page appears.

Step 3 From the work area, right-click the object to locate, then select Find Usage.

The Usage Report appears, which includes all references to the object.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the Usage Reports window by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the table.


Related Topics

Object Usage Window, page C-204

Understanding the Policy Object Manager Window

Editing FTP Map Objects

Deleting FTP Map Objects

Viewing FTP Map Object Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select FTP Maps.

The FTP Maps page appears.

Step 3 In the work area, right-click the object to view, then select View Object.

The Edit FTP Map dialog box is displayed in read-only mode with the latest setting information that has been committed to the Security Manager database. For a description of the fields in this dialog box, see Add and Edit FTP Map Dialog Boxes, page C-96.


Related Topics

Understanding the Policy Object Manager Window

Working with FTP Map Objects

FTP Maps Page, page C-94

Working with GTP Map Objects

A GTP map object lets you change the default configuration values used for GTP application inspection. The GTP Maps page lets you create, view, and manage GTP inspect maps. GTP (GPRS Tunneling Protocol) carries subscriber traffic and signaling between the GSNs of a GPRS or UMTS mobile core network and the TCP/IP networks they connect to, such as the Internet. The protocol provides no authentication or encryption of its own, so inspection at the security appliance is the main control point for it. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.


Note GTP inspection is not available without a special license.


The following topics will help you work with GTP Map objects:

Creating GTP Map Objects

Editing GTP Map Objects

Duplicating GTP Map Objects

Deleting GTP Map Objects

Generating Usage Reports for GTP Map Objects

Viewing GTP Map Object Details

Creating GTP Map Objects

Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select GTP Maps.

The GTP Maps page appears.

Step 3 From the work area, right-click inside the table, then select New Object.

The Add GTP Map dialog box appears.

Step 4 Enter the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 128 characters.

Step 5 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the GTP Maps table.

Step 6 (Optional) In the Country and Network Codes table, enter the Mobile Country Code (MCC) and Mobile Network Code (MNC) pairs that the security appliance should accept, so that it can filter messages by IMSI prefix.

a. Right-click inside the table, then click Add Row.

b. Enter the Mobile Country Code, a three-digit value (000-999). One- or two-digit entries are left-padded with zeros. Separate multiple entries with commas.

c. Enter the Mobile Network Code, a three-digit value (000-999). One- or two-digit entries are left-padded with zeros. Separate multiple entries with commas.

d. Click OK.

Step 7 Enter the access point names to drop. Multiple entries are separated by a comma.

Step 8 Enter the numeric identifier for the message to drop. Multiple entries are separated by a comma. Values are 1-255. By default, all valid message IDs are allowed.

Step 9 Enter the versions for messages to drop. Multiple entries are separated by a comma. Values are 0-255. Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses UDP port 3386, while Version 1 uses UDP port 2123 for signaling (GTP-C) and 2152 for user data (GTP-U). By default all GTP versions are allowed.

Step 10 Enter the minimum message length, which specifies the minimum number of bytes allowed in the UDP payload. Values are 1-65536.

Step 11 Enter the maximum message length, which specifies the maximum number of bytes allowed in the UDP payload. Values are 1-65536.

Step 12 (Optional) Select Permit Errors to let packets that fail inspection (malformed messages, messages that hit an error during parsing, or messages in a GTP version the security appliance does not recognize) through the security appliance instead of dropping them. By default, all such packets are dropped. Leave this cleared unless you are troubleshooting, because it turns the inspection from fail-closed to fail-open.

Step 13 (Optional) To permit GTP responses from a GSN other than the one to which the request was sent, complete the Permit Response table.

a. Right-click inside the table, then click Add Row.

b. Enter the To Object Group name in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.


Note Only a named network/host object (except any) can be entered.


c. Enter the From Object Group name in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create an object by clicking the Create button in the Object Selector dialog box.


Note Only a named network/host object (except any) can be entered.


d. Click OK.

Step 14 Enter the request queue, which specifies the maximum requests allowed in the queue. Values are 1-9999999.

Step 15 Enter the tunnel limit, which specifies the maximum number of tunnels allowed. Values are 1-4294967295.

Step 16 Click Edit Timeouts.

The GTP Timeouts dialog box appears.

Step 17 Enter the GSN timeout value, which specifies the idle timeout for the GSN. Timeout value is entered as hh:mm:ss.

Step 18 Enter the PDP context timeout value, which specifies the idle timeout for the PDP context. Timeout value is entered as hh:mm:ss.

Step 19 Enter the request queue timeout value, which specifies the idle timeout for requests. Timeout value is entered as hh:mm:ss.

Step 20 Enter the signaling connections timeout value, which specifies the idle timeout for signaling connections. Timeout value is entered as hh:mm:ss.

Step 21 Enter the tunnel timeout value, which specifies the idle timeout for tunnels. Timeout value is entered as hh:mm:ss.

Step 22 Click OK.

The GTP Timeouts dialog box closes and you return to the Add GTP Map page.

Step 23 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 24 Click OK to save your changes.

The dialog box closes and you return to the GTP Maps page with the new object displayed.



Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.
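The following Python model, added here as an illustration and not taken from Security Manager or the security appliance, applies the drop-version, drop-message-ID, message-length, and Permit Errors settings above to raw GTP messages so the effect of each check can be seen. The header layouts follow GTPv1 (8-byte mandatory header) and GTPv0 (20-byte header); the order of the checks, the verdict strings, and the constructed Echo Request messages are assumptions of the example.

```python
"""Model of the GTP map checks (drop versions, drop message IDs, minimum and
maximum message length, Permit Errors) applied to raw GTP messages.
Added example, not Security Manager or ASA code. Header layouts follow the
GTPv1 8-byte mandatory header (3GPP TS 29.060) and the 20-byte GTPv0 header;
the verdict strings and the check order are this example's assumptions.
"""
from dataclasses import dataclass

V1_HEADER = 8    # flags, message type, length, TEID
V0_HEADER = 20   # flags, type, length, seq, flow label, N-PDU, spare, TID


@dataclass(frozen=True)
class GtpMap:
    drop_versions: frozenset = frozenset()
    drop_message_ids: frozenset = frozenset()
    min_length: int = 1          # UDP payload bytes, as in the dialog box
    max_length: int = 65536
    permit_errors: bool = False  # the Permit Errors check box

    def inspect(self, payload: bytes) -> tuple:
        """Return ("allow" or "drop", reason) for one GTP message."""
        n = len(payload)
        if n < max(1, self.min_length) or n > self.max_length:
            return ("drop", f"length {n} outside {self.min_length}-{self.max_length}")
        version = payload[0] >> 5
        if version in self.drop_versions:
            return ("drop", f"GTP version {version} is on the drop list")
        if version not in (0, 1):
            return self._error(f"unsupported GTP version {version}")
        header = V1_HEADER if version == 1 else V0_HEADER
        if n < header:
            return self._error(f"truncated header: {n} of {header} bytes")
        msg_type = payload[1]
        if msg_type in self.drop_message_ids:
            return ("drop", f"message ID {msg_type} is on the drop list")
        declared = int.from_bytes(payload[2:4], "big")
        if header + declared != n:
            return self._error(f"length field {declared} but {n - header} bytes follow the header")
        return ("allow", f"GTPv{version} message {msg_type}")

    def _error(self, reason: str) -> tuple:
        # Malformed or unparseable messages are dropped unless Permit Errors is set.
        return ("allow" if self.permit_errors else "drop", reason)


def v1_echo_request(seq: int = 1) -> bytes:
    """Constructed GTPv1 Echo Request (type 1): flags 0x32 = version 1, PT=1, S=1."""
    optional = seq.to_bytes(2, "big") + b"\x00\x00"        # sequence, N-PDU number, next ext
    return bytes([0x32, 0x01]) + len(optional).to_bytes(2, "big") + bytes(4) + optional


def v0_echo_request(seq: int = 1) -> bytes:
    """Constructed GTPv0 Echo Request: flags 0x1e = version 0, PT=1, spare bits 111."""
    return (bytes([0x1e, 0x01, 0x00, 0x00]) + seq.to_bytes(2, "big") + bytes(2)
            + b"\xff" + b"\xff\xff\xff" + bytes(8))           # flow label, N-PDU, spare, TID


# A signaling-side map that refuses legacy GTPv0 and the "Version Not Supported"
# message (type 3), with the length checks narrowed to plausible GTP-C sizes.
SIGNALING_MAP = GtpMap(drop_versions=frozenset({0}), drop_message_ids=frozenset({3}),
                       min_length=8, max_length=1500)

if __name__ == "__main__":
    for msg in (v1_echo_request(), v0_echo_request()):
        print(SIGNALING_MAP.inspect(msg))
```

The message with a length field that disagrees with the bytes actually present is the case Permit Errors changes: the signaling map drops it, while a map with Permit Errors selected lets it through.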


Related Topics

GTP Maps Page, page C-98

GTP Map Timeouts Dialog Box, page C-104

Working with GTP Map Objects

Editing GTP Map Objects

You can edit any user-defined GTP Map object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit a GTP Map object.

Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for GTP Map Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select GTP Maps.

The GTP Maps page appears.

Step 3 From the work area, right-click the object, then select Edit Object.

The Edit GTP Map dialog box appears.

Step 4 Follow the procedure for Creating GTP Map Objects when making any changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the GTP Maps page. The new object information is shown in the table.


Related Topics

Add and Edit GTP Map Dialog Boxes, page C-100

GTP Map Timeouts Dialog Box, page C-104

Duplicating GTP Map Objects

An alternative to creating objects from scratch is to duplicate an existing object. The new object contains all the attributes of the original object and a default name. You can then modify the name and all object attributes as required.

This procedure describes how to duplicate a GTP Map object.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select GTP Maps.

The GTP Maps page appears.

Step 3 From the work area, right-click the object to duplicate, then select Create Duplicate.

The Add GTP Map Object dialog box appears. The Name field references the original object name from which the new object is copied and notes that it is a copy. The remaining fields are preconfigured with the same values as the copied object.

Step 4 Rename the new object and make any needed changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the GTP Maps page. The new object information is shown in the table.


Related Topics

GTP Maps Page, page C-98

Creating GTP Map Objects

Deleting GTP Map Objects

You can delete user-defined GTP Map objects only when they are not being used by any policies or other objects.


Note You might be prevented from deleting an "unreferenced" object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the objects. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


This procedure describes how to delete GTP Map objects.

Before You Begin

You must delete all references to the GTP Map object before you can remove it from the database. To locate all references to the object, run a usage report. See Generating Usage Reports for GTP Map Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select GTP Maps.

The GTP Maps page appears.

Step 3 From the work area, right-click the object to delete, then select Delete Object.

You are prompted to confirm the delete.

Step 4 Click Yes.

The object is removed from the table.

Step 5 (Optional) Verify the deletion of the object by viewing an Audit Report. To generate an Audit Report, select Tools > Audit Report.


Related Topics

Understanding the Policy Object Manager Window

Working with GTP Map Objects

Understanding Audit Reports, page 17-6

Generating Usage Reports for GTP Map Objects

You might need to edit an object, or delete an object from the Security Manager database. Before making such changes, you should determine if the object is referenced and which policies and devices would be affected by the changes. You can generate a usage report for this purpose.

The usage report indicates whether objects are in use (referenced) by another object, policy, or device (in case of device override). Usage reports contain any references in your current activity, as well as references committed to the Security Manager database.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select GTP Maps.

The GTP Maps page appears.

Step 3 From the work area, right-click the object to locate, then select Find Usage.

The Usage Report appears, which includes all references to the object.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the Usage Reports window by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the table.


Related Topics

Object Usage Window, page C-204

Understanding the Policy Object Manager Window

Editing GTP Map Objects

Deleting GTP Map Objects

Viewing GTP Map Object Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select GTP Maps.

The GTP Maps page appears.

Step 3 In the work area, right-click the object to view, then select View Object.

The Edit GTP Map dialog box is displayed in read-only mode with the latest setting information that has been committed to the Security Manager database. For a description of the fields in this dialog box, see the following:

Add and Edit GTP Map Dialog Boxes, page C-100

GTP Map Timeouts Dialog Box, page C-104


Related Topics

Understanding the Policy Object Manager Window

Working with GTP Map Objects

GTP Maps Page, page C-98

Working with HTTP Map Objects

An HTTP map object lets you change the default configuration values used for HTTP application inspection. The HTTP Maps page lets you create, view, and manage HTTP inspect maps. An HTTP Map object defines the HTTP packet criteria to be inspected, as well as the action to be taken when the criteria are met. The HTTP Map object only defines general HTTP protocol-related parameters; it is not specific to any particular traffic flow. This ensures that the same HTTP Map object can be reused for different devices or for different traffic flows within a single device.

The enhanced HTTP inspection feature, also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined and supported extension methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.


Note When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled.


In many cases, you can configure the criteria and how the security appliance responds when the criteria are not met. The criteria that you can apply to HTTP messages include the following:

Does not include any method on a configurable list.

Message body size is within configurable limits.

Request and response message header size is within a configurable limit.

URI length is within a configurable limit.

Content-type in the message body matches the header.

Content-type in the response message matches the accept-type field in the request message.

Content-type in the message is included in a predefined internal list.

Message meets HTTP RFC format criteria.

Presence or absence of selected supported applications.

Presence or absence of selected encoding types.


Note The actions you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.


The following topics will help you work with HTTP Map objects:

Creating HTTP Map Objects

Editing HTTP Map Objects

Duplicating HTTP Map Objects

Deleting HTTP Map Objects

Generating Usage Reports for HTTP Map Objects

Viewing HTTP Map Object Details

Creating HTTP Map Objects

Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select HTTP Maps.

The HTTP Maps page appears.

Step 3 From the work area, right-click inside the table, then select New Object.

The Add HTTP Map page appears.

Step 4 Enter the name of the object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be a mix of letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). The maximum length is 128 characters.

Step 5 (Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon appears when you view the HTTP Maps table.

Step 6 Configure settings for any of the following tabs:

General Tab.

Entity Length Tab.

RFC Request Method Tab.

Extension Request Method Tab.

Port Misuse Tab.

Encoding Tab.



Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.


Related Topics

HTTP Maps Page, page C-106

Working with HTTP Map Objects

General Tab

The General tab lets you define the action taken when non-compliant HTTP requests are received and to enable verification of content type.

Procedure


Step 1 (Optional) Select Take action for non-RFC 2616 compliant traffic, which specifies the action taken by the security appliance when it receives traffic that fails to comply with RFC 2616.

Step 2 Select the action taken when a message fails the inspection:

Allow Packet—Allows the message.

Drop Packet—Closes the connection.

Reset Connection (default)—Sends a TCP reset message to client and server.

Step 3 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives traffic that fails to comply with RFC 2616.

Step 4 (Optional) Select Verify Content-type field belongs to the supported internal content-type list, which enables content verification based on comparing the content type field in the HTTP response to the preconfigured list of supported content types.

Step 5 (Optional) Select Verify Content-type field for response matches the Accept field of request, which enables content verification based on comparing the content type field in the HTTP response to the type specified in the Accept field in the HTTP request.

Step 6 Select the action taken when a message fails the inspection:

Allow Packet—Allows the message.

Drop Packet—Closes the connection.

Reset Connection (default)—Sends a TCP reset message to client and server.

Step 7 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when a content-type verification check fails.

Step 8 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 9 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

General Tab, page C-108

Working with HTTP Map Objects

Entity Length Tab

The Entity Length tab lets you define the permitted lengths for the URI, HTTP header, and HTTP body.

Procedure


Step 1 (Optional) Select Inspect URI Length, which causes the security appliance to inspect the length of the URI in each HTTP request.

Step 2 Enter the maximum number of bytes allowed for the length of the HTTP request URI. Values are 1-65535.

Step 3 Select the action that the security appliance should take when inspection for the URI length fails.

Allow Packet—Allows the HTTP request even though it contains a URI that exceeds the permitted maximum length.

Drop Packet—Drops the HTTP request if it contains a URI that exceeds the permitted maximum length.

Reset Connection—Resets the TCP connection when it receives the HTTP request with a URI that exceeds the permitted maximum length.

Step 4 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives the HTTP request with a URI that exceeds the permitted maximum length.

Step 5 (Optional) Select Inspect Maximum Header Length, which causes the security appliance to inspect the length of the header in each HTTP request or response.

Step 6 Enter the request bytes, which specifies the maximum number of bytes allowed for the length of the header in the HTTP request. Values are 1-65535.

Step 7 Enter the response bytes, which specifies the maximum number of bytes allowed for the length of the header in the HTTP response. Values are 1-65535.

Step 8 Select the action that the security appliance should take when inspection for the HTTP header length fails.

Allow Packet—Allows the HTTP message even though it contains a header that exceeds the permitted maximum length.

Drop Packet—Drops the HTTP message if it contains a header that exceeds the permitted maximum length.

Reset Connection—Resets the TCP connection when it receives an HTTP message with a header that exceeds the permitted maximum length.

Step 9 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives the HTTP request with a header that exceeds the permitted maximum length.

Step 10 (Optional) Select Inspect Body Length, which causes the security appliance to check that the length of the HTTP message body falls within the configured minimum and maximum.

Step 11 Enter the minimum and maximum body length in bytes. Values are 1-65535.

Step 12 Select the action that the security appliance should take when inspection for the body length fails.

Allow Packet—Allows the HTTP message even though its body length is outside the permitted range.

Drop Packet—Drops the HTTP message if its body length is outside the permitted range.

Reset Connection—Resets the TCP connection when it receives an HTTP message whose body length is outside the permitted range.

Step 13 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives the HTTP request with a body length that exceeds the permitted threshold values.

Step 14 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 15 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

Entity Length Tab, page C-110

Working with HTTP Map Objects

RFC Request Method Tab

The RFC Request Method tab lets you define the action that the security appliance should take when specific request methods are used in the HTTP request.

Procedure


Step 1 From the list of available methods, select the methods for which you want the security appliance to take a specific action.

Step 2 Select the action that the security appliance should take when it receives an HTTP message containing the selected method. Each of the selected methods can have a separate action.

Allow Packet—Allows the HTTP request.

Drop Packet—Drops the HTTP request.

Reset Connection—Resets the TCP connection.

Step 3 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. The syslog is generated when the security appliance receives the HTTP request containing the selected method. You can specify a different option for each selected method.

Step 4 Click >>. The method selected, along with action and syslog information, is displayed in the table.


Timesaver You can select multiple methods at a time if the action and syslog requests are the same for each.


Step 5 Select Specify the action to be applied for the remaining available methods above to inspect packets for all other methods by using a default action.


Note If you do not set a default action, packet inspection is performed only for the specific methods selected in Step 1.


Step 6 Select the action that the security appliance should take when it receives the HTTP request containing any method that is not included in the method table.

Allow Packet—Allows the HTTP request.

Drop Packet—Drops the HTTP request.

Reset Connection—Resets the TCP connection.

Step 7 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives an HTTP request containing a method that is not included in the method table.

Step 8 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 9 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

RFC Request Method Tab, page C-112

Working with HTTP Map Objects

Extension Request Method Tab

The Extension Request Method tab lets you define the action taken when specific extension request methods are used in the HTTP request.

Procedure


Step 1 From the list of available extension methods, select the methods for which you want the security appliance to take a specific action.

Step 2 Select the action that the security appliance should take when it receives an HTTP message containing the selected method. Each selected method can have a separate action.

Allow Packet—Allows the HTTP request containing the selected method.

Drop Packet—Drops the HTTP request if it contains the selected method.

Reset Connection—Resets the TCP connection if the HTTP message contains the selected method.

Step 3 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. The syslog is generated when the security appliance receives the HTTP request containing the selected method. You can specify a different option for each selected method.

Step 4 Click >>. The method selected, along with action and syslog information, is displayed in the table.


Timesaver You can select multiple methods at a time if the action and syslog requests are the same for each.


Step 5 Select Specify the action to be applied for the remaining available methods above to inspect packets for all other methods by using a default action.


Note If you do not set a default action, packet inspection is performed only for the specific methods selected in Step 1.


Step 6 Select the action taken by the security appliance when it receives the HTTP request containing any method that is not included in the method table.

Allow Packet—Allows the HTTP request containing the methods that are not included in the method table.

Drop Packet—Drops the HTTP request if it contains any method that is not included in the method table.

Reset Selection—Resets the TCP connection if the HTTP message contains any method that is not included in the method table.

Step 7 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. The syslog is generated when the security appliance receives the HTTP request containing the selected method. You can specify a different option for each selected method.

Step 8 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 9 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

Ext Request Method Tab, page C-114

Working with HTTP Map Objects

Port Misuse Tab

The Port Misuse tab lets you enable application firewall inspection.

Procedure


Step 1 Select the categories from the list of available categories for which you want the security appliance to take a specific action in response to HTTP requests.

Step 2 Select the action taken by the security appliance when it receives the HTTP request containing one of the categories in the category table.

Allow Packet—Allows the HTTP request containing any of the categories in the category table.

Drop Packet—Drops the HTTP request if it includes any category in the category table.

Reset Selection—Resets the TCP connection if the HTTP message includes any category in the category table.

Step 3 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message if the HTTP message includes any category in the category table.

Step 4 Click >>. The category is moved to the table and the action and syslog information is displayed.


Timesaver You can select multiple categories at a time if the action and syslog requests are the same for each.


Step 5 Select Specify the action to be applied for the remaining available categories above to inspect packets for all other categories by using a default action.


Note If you do not set a default action, packet inspection is performed only for the specific categories selected in Step 1.


Step 6 Select the action taken by the security appliance when it receives the HTTP request containing any category that is not in the category table.

Allow Packet—Allows the HTTP request containing the categories that are not in the category table.

Drop Packet—Drops the HTTP request if it contains any category that is not in the category table.

Reset Selection—Resets the TCP connection if the HTTP message contains any category that is not in the category table.

Step 7 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. The syslog is generated when the security appliance receives the HTTP request containing the selected category. You can specify a different option for each of the selected categories.

Step 8 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 9 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.



Related Topics

Port Misuse Tab, page C-116

Working with HTTP Map Objects

Encoding Tab

The Encoding tab lets you define the action that the security appliance should take when specific transfer encoding types are used in the HTTP request.

Procedure


Step 1 Select the transfer encoding types from the list of available transfer encoding types for which you want the security appliance to take a specific action in response to HTTP requests.

Step 2 Select the action taken by the security appliance when it receives the HTTP request containing one of the transfer encoding types in the transfer encoding type table.

Allow Packet—Allows the HTTP request containing any transfer encoding type in the transfer encoding type table.

Drop Packet—Drops the HTTP request if it includes any transfer encoding type in the transfer encoding type table.

Reset Selection—Resets the TCP connection if the HTTP message includes any transfer encoding type in the transfer encoding type table.

Step 3 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message if the HTTP message includes any transfer encoding type in the transfer encoding type table.

Step 4 Click >>. The transfer encoding type is moved to the table and the action and syslog information is displayed.


Timesaver You can select multiple transfer encoding types at a time if the action and syslog requests are the same for each.


Step 5 Select Specify the action to be applied for the remaining available encoding types above to inspect packets for all other transfer encoding types by using a default action.


Note If you do not set a default action, packet inspection is performed only for the specific transfer encoding types selected in Step 1.


Step 6 Select the action taken by the security appliance when it receives the HTTP request containing any transfer encoding type that is not in the transfer encoding type table.

Allow Packet—Allows the HTTP request containing the transfer encoding types that are not in the transfer encoding type table.

Drop Packet—Drops the HTTP request if it contains any transfer encoding type that is not in the transfer encoding type table.

Reset Selection—Resets the TCP connection if the HTTP message contains any transfer encoding type that is not in the transfer encoding type table.

Step 7 (Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. The syslog is generated when the security appliance receives the HTTP request containing the selected transfer encoding type. You can specify a different option for each selected transfer encoding type.

Step 8 (Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Working with Category Objects.

Step 9 Click OK to save your changes and close the dialog box, or select another tab.


Note Settings are not saved to the database until you click OK.
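The RFC Request Method, Extension Request Method and Encoding tabs above all share the same decision logic: a table of selected values, each with its own action and syslog flag, plus an optional default action for everything not in the table (and no inspection of unlisted values when no default is set). The following Python model is an added example, not Security Manager or ASA code; the RFC 2616 method set is standard, while the request parsing, the sample map and the rule that the most severe action across tabs wins are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ALLOW, DROP, RESET = "allow", "drop", "reset"
SEVERITY = {ALLOW: 0, DROP: 1, RESET: 2}

# Request methods defined by RFC 2616; any other method is an "extension" method.
RFC_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}


@dataclass
class Tab:
    """One inspection tab: selected value -> (action, generate_syslog), plus a default."""
    entries: Dict[str, Tuple[str, bool]] = field(default_factory=dict)
    default_action: Optional[str] = None  # None: remaining values are not inspected
    default_syslog: bool = False

    def evaluate(self, value: str) -> Tuple[str, bool]:
        if value in self.entries:
            return self.entries[value]
        if self.default_action is None:
            # No default action: inspection applies only to the listed values.
            return (ALLOW, False)
        return (self.default_action, self.default_syslog)


@dataclass
class HttpMap:
    rfc_methods: Tab = field(default_factory=Tab)
    ext_methods: Tab = field(default_factory=Tab)
    encodings: Tab = field(default_factory=Tab)

    def inspect(self, raw_request: bytes) -> Tuple[str, bool]:
        """Decide (action, syslog) for one request against all three tabs."""
        method, headers = parse_request(raw_request)
        results = []
        if method in RFC_METHODS:
            results.append(self.rfc_methods.evaluate(method))
        else:
            results.append(self.ext_methods.evaluate(method))
        for enc in headers.get("transfer-encoding", "").split(","):
            enc = enc.strip().lower()
            if enc:
                results.append(self.encodings.evaluate(enc))
        # Assumption of this model: the most severe action across tabs wins, and a
        # syslog is generated if any matching entry asked for one.
        action = max((a for a, _ in results), key=SEVERITY.get)
        syslog = any(s for _, s in results)
        return action, syslog


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Minimal HTTP/1.x request-head parser: returns (method, lowercased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]  # request-line: METHOD SP URI SP VERSION
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, headers


def example_map() -> HttpMap:
    """Constructed sample map: TRACE is dropped with a syslog, GET allowed, the
    extension method PROPFIND resets the connection and other extension methods are
    dropped by default; only 'chunked' encoding is allowed, anything else is dropped
    and logged by the encoding tab's default action. The RFC method tab has no
    default action, so PUT (not listed) is not inspected at all."""
    m = HttpMap()
    m.rfc_methods.entries = {"TRACE": (DROP, True), "GET": (ALLOW, False)}
    m.ext_methods.entries = {"PROPFIND": (RESET, True)}
    m.ext_methods.default_action = DROP
    m.encodings.entries = {"chunked": (ALLOW, False)}
    m.encodings.default_action, m.encodings.default_syslog = DROP, True
    return m


if __name__ == "__main__":
    m = example_map()
    for req in (b"GET / HTTP/1.1\r\nHost: h\r\n\r\n",
                b"TRACE / HTTP/1.1\r\nHost: h\r\n\r\n",
                b"SEARCH /a HTTP/1.1\r\n\r\n",
                b"POST / HTTP/1.1\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
                b"PUT / HTTP/1.1\r\n\r\n"):
        print(req.split(b"\r\n", 1)[0].decode(), "->", m.inspect(req))
```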



Related Topics

Encoding Tab, page C-118

Working with HTTP Map Objects

Editing HTTP Map Objects

You can edit any user-defined HTTP Map object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit an HTTP Map object.

Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for HTTP Map Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select HTTP Maps.

The HTTP Maps page appears.

Step 3 From the work area, right-click the object, then select Edit Object.

The Edit HTTP Map dialog box appears.

Step 4 Follow the procedure for Creating HTTP Map Objects when making any changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the HTTP Maps page. The new object information is shown in the table.


Related Topics

HTTP Maps Page, page C-106

Working with HTTP Map Objects

Duplicating HTTP Map Objects

An alternative to creating objects from scratch is to duplicate an existing object. The new object contains all the attributes of the original object and a default name. You can then modify the name and all object attributes as required.

This procedure describes how to duplicate an HTTP Map object.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select HTTP Maps.

The HTTP Maps page appears.

Step 3 From the work area, right-click the object to duplicate, then select Create Duplicate.

The Add HTTP Map dialog box appears. The Name field references the original object name from which the new object is copied and notes that it is a copy. The remaining fields are preconfigured with the same values as the copied object.

Step 4 Rename the new object and make all necessary configuration changes.

Step 5 Click OK to save your changes.

The dialog box closes and you return to the HTTP Maps page. The new object information is shown in the table.


Related Topics

HTTP Maps Page, page C-106

Working with HTTP Map Objects

Deleting HTTP Map Objects

You can delete user-defined HTTP Map objects only when they are not being used by any policies or other objects.


Note You might be prevented from deleting an "unreferenced" object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the objects. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


This procedure describes how to delete HTTP Map objects.

Before You Begin

You must delete all references to the HTTP Map object before you can remove it from the database. To locate all references to the object, run a usage report. See Generating Usage Reports for HTTP Map Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select HTTP Maps.

The HTTP Maps page appears.

Step 3 From the work area, right-click the object to delete, then select Delete Object.

You are prompted to confirm the delete.

Step 4 Click Yes.

The object is removed from the table.

Step 5 (Optional) Verify the deletion of the object by viewing an Audit Report. To generate an Audit Report, select Tools > Audit Report.


Related Topics

Understanding the Policy Object Manager Window

Working with HTTP Map Objects

Understanding Audit Reports, page 17-6

Generating Usage Reports for HTTP Map Objects

You might need to edit an object, or delete an object from the Security Manager database. Before making such changes, you should determine if the object is referenced and which policies and devices would be affected by the changes. You can generate a usage report for this purpose.

The usage report indicates whether objects are in use (referenced) by another object, policy, or device (in case of device override). Usage reports contain any references in your current activity, as well as references committed to the Security Manager database.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select HTTP Maps.

The HTTP Maps page appears.

Step 3 Right-click the object to locate, then select Find Usage.

The Usage Report appears, which includes all references to the object.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the Usage Reports window by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the table.


Related Topics

Object Usage Window, page C-204

Understanding the Policy Object Manager Window

Editing HTTP Map Objects

Deleting HTTP Map Objects

Viewing HTTP Map Object Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager.

The Policy Object Manager window appears.

Step 2 From the Object Type selector, select HTTP Maps.

The HTTP Maps page appears.

Step 3 In the work area, right-click the object to view, then select View Object.

The Edit HTTP Map dialog box is displayed in read-only mode with the latest setting information that has been committed to the Security Manager database. For a description of the fields in this dialog box, see the following:

General Tab, page C-108

Entity Length Tab, page C-110

RFC Request Method Tab, page C-112

Ext Request Method Tab, page C-114

Port Misuse Tab, page C-116

Encoding Tab, page C-118


Related Topics

Understanding the Policy Object Manager Window

Working with HTTP Map Objects

HTTP Maps Page, page C-106

Working with IKE Proposal Objects

Internet Key Exchange (IKE) proposal objects contain the parameters required for IKE proposals when defining remote access VPN policies. IKE is a key management protocol that facilitates the management of IPSec-based communications. It is used to authenticate IPSec peers, negotiate and distribute IPSec encryption keys, and automatically establish IPSec security associations (SAs).

The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes security associations (SAs) for other applications, such as IPSec. Both phases use proposals when they negotiate a connection.

For more information about IKE proposals, see Understanding IKE, page 9-59.

The following topics describe how to work with IKE proposal objects:

Creating IKE Proposal Objects

Duplicating IKE Proposal Objects

Editing IKE Proposal Objects

Viewing IKE Proposal Object Details

Generating Usage Reports for IKE Proposal Objects

Deleting IKE Proposal Objects

Related Topics

Understanding the Policy Object Manager Window

Managing Objects

Creating IKE Proposal Objects

You can create IKE proposal objects to use when you define IKE proposals for remote access VPN policies. When you create an IKE proposal object, you must enter the priority of the proposal and define the encryption and authentication methods to use. Additionally, you can modify the default lifetime of the SA, if required.

This procedure describes how to create IKE proposal objects.


Tip You can also create IKE proposal objects when defining policies that use this object type. For more information, see Selecting Objects for Policies.


Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select IKE Proposals from the Object Type selector.

Step 3 Right-click in the work area, then select New Object.

The IKE Proposal dialog box appears. For a description of the fields in this dialog box, see Table C-67 on page C-124.

Step 4 Enter a name for the object.

Step 5 (Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).

Step 6 Enter a priority value for the IKE proposal. (Lower values indicate higher priorities.) If the remote IPSec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.

Step 7 Select the encryption algorithm to use to establish the Phase 1 SA for protecting Phase 2 negotiations. See Deciding Which Encryption Algorithm to Use, page 9-60.

Step 8 Select the hash algorithm to use for authentication and ensuring data integrity. See Deciding Which Hash Algorithm to Use, page 9-61.

Step 9 In the Modulus Group field, select the Diffie-Hellman group to use for deriving a shared secret between two IPSec peers without transmitting it to each other. See Deciding Which Diffie-Hellman Group to Use, page 9-61.

Step 10 Enter the SA lifetime, in seconds. The default is 86400 seconds (one day). As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be. However, with longer lifetimes, future IPSec security associations can be set up more quickly than with shorter lifetimes.

Step 11 Select the method of authentication to use to establish the identity of each IPSec peer. See Deciding Which Authentication Method to Use, page 9-62.

Step 12 (Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Working with Category Objects.

Step 13 Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with IKE Proposal Objects

Duplicating IKE Proposal Objects

An alternative to creating a policy object from scratch is to duplicate an existing object. The new object contains all the attributes of the copied object and a default name. You can then modify the name and all attributes as required.

Duplicating is particularly useful for creating new objects that are based on predefined objects that cannot be edited.

This procedure describes how to duplicate an IKE proposal object.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.

Step 2 Select IKE Proposals from the Object Type selector.

Step 3 In the work area, right-click the object you want to duplicate, then select Create Duplicate.

The IKE Proposal dialog box appears. The Name field contains the following default name for the new object: Copy of name of copied object. The remaining fields contain the same values as the copied object. For a description of the fields in this dialog box, see Table C-67 on page C-124.

Step 4 Modify the name of the new object and its configuration, as required.

Step 5 Click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with IKE Proposal Objects

Editing IKE Proposal Objects

You can edit any user-defined IKE proposal object as required. Changes that you make to the object are reflected in all policies that use the object. This procedure describes how to edit an IKE proposal object.


Note Predefined objects cannot be edited, but they can be copied. See Duplicating IKE Proposal Objects.



Tip You can also edit IKE proposal objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.


Before You Begin

Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Usage Reports for IKE Proposal Objects.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select IKE Proposals from the Object Type selector.

Step 3 In the work area, right-click the object you want to edit, then select Edit Object.

The IKE Proposal dialog box appears. See Table C-67 on page C-124 for a description of the fields in this dialog box.

Step 4 Modify the fields in the dialog box as required, then click OK to save your changes.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.



Related Topics

Understanding the Policy Object Manager Window

Working with IKE Proposal Objects

Viewing IKE Proposal Object Details

You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.


Note You can display object details without opening an activity.


This procedure describes how to display complete configuration details for a selected object in read-only mode.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.

Step 2 Select IKE Proposals from the Object Type selector.

Step 3 In the work area, right-click the object that you want to view configuration details for, then select View Object.

The IKE Proposal dialog box appears in read-only mode. For a description of the fields in this dialog box, see Table C-67 on page C-124.


Related Topics

Understanding the Policy Object Manager Window

Working with IKE Proposal Objects

Generating Usage Reports for IKE Proposal Objects

Before you make any changes to a user-defined IKE proposal object, you should determine if the object is being used. You can do this by generating usage reports that show which policies, objects, and devices are using the selected object and would therefore be affected by changes to that object. Usage reports contain any references to the selected object in your current activity as well as references found in the data committed to the Security Manager database.

This procedure describes how to generate a usage report.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select IKE Proposals from the Object Type selector.

Step 3 In the work area, right-click the object for which you want to generate a report, then select Find Usage.

The Usage Reports window appears, displaying all references to the selected object. See Table C-113 on page C-205 for a description of the fields in this window.


Tip Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.


Step 4 (Optional) Filter the information displayed in the usage report by deselecting one or more of the following check boxes:

Devices

Policies

Other Objects

The deselected entries are removed from the report.


Related Topics

Understanding the Policy Object Manager Window

Working with IKE Proposal Objects

Deleting IKE Proposal Objects

This procedure describes how to delete IKE proposal objects. You can delete user-defined objects, but you cannot delete predefined objects. In addition, you can delete objects only when they are not being used by policies or other objects.


Note You might be prevented from deleting an unreferenced object from the database, for example, if you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the object. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.


Before You Begin

Determine if the object is currently being used and which policies, objects, and devices would be affected by the deletion. You can generate a usage report for this purpose. See Generating Usage Reports for IKE Proposal Objects.

Procedure


Step 1 Select Tools > Policy Object Manager.

Step 2 Select IKE Proposals from the Object Type selector.

Step 3 In the work area, right-click a user-defined object, then select Delete Object.


Tip You can select multiple objects by pressing Ctrl and clicking on the desired objects.


Step 4 When prompted, click Yes to confirm the deletion.

Step 5 To verify that the object was deleted, select Tools > Audit Report and view the generated report.


Related Topics

Understanding the Policy Object Manager Window

Working with IKE Proposal Objects

Working with Interface Role Objects

Interface role objects enable you to apply policies to specific interfaces on multiple devices without having to manually define the name of each interface. Because most devices follow a standard naming convention for their interfaces, you can define a naming pattern that describes a particular interface type and then assign a policy to all interfaces matching that pattern.

For example, you might define an interface role with a naming pattern of DMZ*. When you include this interface role in a policy, the policy is applied to all interfaces whose name begins with "DMZ" on the selected devices. As a result, you can, for example, assign a policy that enables anti-spoof checking on all DMZ interfaces to all relevant device interfaces with a single action. Interface roles can refer to any of the actual interfaces on the device, including physical interfaces, subinterfaces, and virtual interfaces, such as loopback interfaces.

Interface roles serve as an indirection entity between interfaces on the one hand and policies on the other. This enables you to apply policies to particular device interfaces based on the assigned role. Additionally, if you change the naming convention used for a particular interface type, you do not need to determine which policies are affected by the change. All you do is edit the interface role. Interface roles are especially useful when applying policies to new devices. As long as the devices you are adding share the same interface naming scheme as existing devices, the relevant policies can be extended to them without the need to make additional assignments.

Security Manager includes the following predefined interface roles:

All-Interfaces

Internal

External

The following topics describe how to work with interface role objects:

Creating Interface Role Objects

Duplicating Interface Role Objects

Editing Interface Role Objects

Viewing Interface Role Object Details

Managing Interface Role Overrides

Generating Usage Reports for Interface Role Objects

Deleting Interface Role Objects

Specifying Interfaces During Policy Definition

Exceptional Cases When Using Interface Roles

Related Topics

Understanding the Policy Object Manager Window

Managing Objects

Creating Interface Role Objects

You can create interface role objects that represent one or more interfaces on devices. These interface roles can then be used when you define policies that require interfaces. When you create an interface role object, you must define the naming pattern of the device interfaces to include in the object. Interface roles can refer to any of the actual interfaces on the device, including physical interfaces, subinterfaces, and virtual interfaces.

Objects are defined at the global level, which means that they are applied identically to every object and policy that references them. However, you can override interface role object definitions at the device level, which enables you to associate the role with specific interfaces on a particular device. For more information, see Managing Interface Role Overrides.

This procedure describes how to create interface role objects.


Tip You can also create interface role objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.


Before You Begin

Read and understand Guidelines for Managing Objects.

Procedure


Step 1 Select Tools > Policy Object Manager. The Policy Object Manager window appears.

Step 2 Select Interface Roles from the Object Type selector.

Step 3 Right-click in the work area, then select New Object.

The Interface Role dialog box appears. For a description of the fields in this dialog box, see Table C-69 on page C-128.

Step 4 Enter a name for the object.

Step 5 (Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).

Step 6 Enter one or more naming patterns for the interface role object. This pattern defines the device interfaces to include in the definition of the interface role.

You can use an asterisk (*) as a wildcard at the end of a pattern to represent multiple interfaces with similar names. (An asterisk can also be used on its own to indicate all interfaces.) Separate multiple patterns with commas.

Step 7 (Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Working with Category Objects.

Step 8 (Optional) Select the Allow Value Override per Device check box to allow the properties of this object to be redefined on individual devices. By default, all interface role objects can be overridden. See Allowing a Global Object to Be Overridden.

Step 9 Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.


Note By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Defining Policy Object Settings, page 2-65.
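The naming-pattern rules in Step 6, and the DMZ* example in the introduction to interface roles, amount to a small matcher. The following Python is an added example and not Security Manager code: it resolves a role's pattern string against a constructed device inventory and reports the devices on which the role matches nothing, which is the case a reviewer wants to see before binding a policy to the role. Exact-case comparison, rejection of a wildcard anywhere but the end of a pattern, and the sample inventory are this example's assumptions.

```python
from typing import Dict, List


def parse_patterns(spec: str) -> List[str]:
    """Split a role's comma-separated pattern string into individual patterns.

    Page rules: '*' is a wildcard at the end of a pattern, '*' on its own means all
    interfaces, and multiple patterns are separated by commas. A '*' anywhere else
    is rejected here (assumption: the page only describes a trailing wildcard).
    """
    patterns = [p.strip() for p in spec.split(",") if p.strip()]
    if not patterns:
        raise ValueError("an interface role needs at least one naming pattern")
    for p in patterns:
        if "*" in p[:-1]:
            raise ValueError(f"wildcard only permitted at the end of a pattern: {p!r}")
    return patterns


def pattern_matches(pattern: str, interface: str) -> bool:
    """Exact match, or prefix match when the pattern ends in '*' ('*' matches all)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return interface.startswith(pattern[:-1])
    return interface == pattern  # interface names are compared exactly (assumption)


def resolve_role(spec: str, device_interfaces: List[str]) -> List[str]:
    """Interfaces on one device that the role covers, in the device's own order."""
    patterns = parse_patterns(spec)
    return [i for i in device_interfaces if any(pattern_matches(p, i) for p in patterns)]


def unmatched_devices(spec: str, fleet: Dict[str, List[str]]) -> List[str]:
    """Devices on which the role matches no interface.

    A policy bound to the role is simply not applied on these devices, so the list
    is worth reviewing before relying on a naming convention across the fleet.
    """
    return [name for name, ifaces in fleet.items() if not resolve_role(spec, ifaces)]


# Constructed sample inventory (not taken from any real network).
SAMPLE_FLEET: Dict[str, List[str]] = {
    "asa-edge-1": ["outside", "inside", "DMZ-web", "DMZ-mail"],
    "ios-branch-7": ["GigabitEthernet0/0", "GigabitEthernet0/1", "Loopback0"],
    "asa-core-2": ["inside", "management"],
}


if __name__ == "__main__":
    for device, ifaces in SAMPLE_FLEET.items():
        print(device, "DMZ* ->", resolve_role("DMZ*", ifaces))
    print("no DMZ interface on:", unmatched_devices("DMZ*", SAMPLE_FLEET))
```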



Related Topics

Specifying Interfaces During Policy Definition

Understanding the Policy Object Manager Window

Working with Interface Role Objects

Exceptional Cases When Using Interface Roles

Duplicating Interface Role Objects

An alternative to creating a policy object from scratch is to duplicate an existing object. The new object contains all the attributes of the copied object and a default name. You can then modify the name and all attributes as required.

Duplicating is particularly useful for creating new objects that are based on predefined objects that cannot be edited.

This procedure describes how to duplicate an interface role object.