Table Of Contents

Managing Policies

Understanding Policies

Settings-Based Policies vs. Rule-Based Policies

Service Policies vs. Platform-Specific Policies

Local Policies vs. Shared Policies

Policy Management and Objects

Discovering Policies

Discovering Policies on Devices Already in Security Manager

Viewing Policy Discovery Task Status

Frequently Asked Questions about Policy Discovery

Managing Policies in Device View

Performing Basic Policy Management

Configuring Local Policies in Device View

Policy Status Icons

Copying Policies Between Devices

Unassigning a Policy

Working with Shared Policies in Device View

Sharing a Local Policy

Sharing Multiple Policies of a Selected Device

Unsharing a Policy

Assigning a Shared Policy to a Selected Device

Adding Local Rules to a Shared Policy

Copying a Shared Policy

Renaming a Shared Policy

Modifying Shared Policy Definitions in Device View

Modifying Shared Policy Assignments in Device View

Managing Shared Policies in Policy View

Policy View Selectors

Filtering the Shared Policy Selector

Policy View Work Area

Creating a New Shared Policy

Modifying Policy Assignments in Policy View

Deleting a Shared Policy

Advanced Policy Features

Customizing Policy Management

Understanding Rule Inheritance

Inheriting Rules

Understanding Locking

Managing Policies

---

The following topics describe the concept of policies in Cisco Security Manager and how to use and manage them.

•Understanding Policies

•Discovering Policies

•Managing Policies in Device View

•Working with Shared Policies in Device View

•Managing Shared Policies in Policy View

•Advanced Policy Features

Understanding Policies

In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by defining policies on devices (which includes individual devices, service modules, and security contexts) and VPN topologies (which are made up of multiple devices), and then deploying the configurations defined by these policies to these devices.

Several types of policies might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure multiple policies, such as IPSec, IKE, GRE, and so forth.

Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the device.

The following topics describe policies in more detail:

•Settings-Based Policies vs. Rule-Based Policies

•Service Policies vs. Platform-Specific Policies

•Local Policies vs. Shared Policies

•Policy Management and Objects

Settings-Based Policies vs. Rule-Based Policies

Security Manager policies are structured as either rule-based policies or settings-based policies.

Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and inspection rules defined as part of a firewall service. Rule-based policies can contain hundreds or even thousands of rules, each defining different values for the same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first rule whose definition matches the flow.

When you define certain types of rule-based policies, such as firewall policies, you can create a policy hierarchy in which policies located at lower levels in the hierarchy acquire properties from the policies located above them. This is known as rule inheritance. For example, you can define a set of inspection rules that apply globally to all firewalls, while supplementing these rules with additional rules that can be applied to a subset of devices. By maintaining common rules in a parent policy, inheritance enables you to reduce the chance of introducing configuration errors that will cause deployment to fail. For more information, see Understanding Rule Inheritance.

Settings-based policies contain sets of related parameters that together define one aspect of security or device operation. For example, when you configure a Cisco IOS router, you can define a quality of service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on which QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based policies, which can contain hundreds of rules containing values for the same set of parameters, you can define only one set of parameters for each settings-based policy defined on a device.

Related Topics

•Understanding Policies

Service Policies vs. Platform-Specific Policies

Security Manager policies are divided into several domains, each of which represents a major policy category. These domains can be divided into two categories: service policies and platform-specific policies.

Service policies are divided into the following policy domains:

•Firewall.

•Site-to-site VPN.

•Remote Access VPN.

For example, the firewall policy domain contains policies for access rules, inspection rules, and transparent rules, among others. The site-to-site VPN policy domain contains policies for IKE proposals, IPSec proposals, and preshared keys, among others. Service policies can be applied to any kind of device, regardless of platform, although there may be some variation in policy definition depending on the device type.

Platform-specific policy domains exist for firewall devices (PIX/ASA/FWSM) and Cisco IOS routers. These two domains contain policies that configure features that are specific to the selected platform. Not all platform-specific policies are directly related to security. For example, the Router policy domain contains routing policies, identity policies (Network Admission Control and 802.1x), policies related to device administration (DHCP, SNMP, device access), and other policies such as QoS and NAT.

In the case of Cisco IOS routers, you can choose whether Security Manager should manage all platform-specific policies. For more information, see Defining Policy Management Settings, page 2-63.

Related Topics

•Understanding Policies

Local Policies vs. Shared Policies

All policies that you configure on a device or VPN topology can be local or shared. Local policies are particular to the device or VPN on which they are configured. Any changes you make to these policies affect only this device or VPN. Local policies are well-suited to smaller networks and to devices requiring nonstandard configurations. For example, you might configure a local policy on a router that requires a different BGP routing policy than the one used by the other routers in your network.

As your network grows, having local policies on each device greatly complicates the task of properly managing these policies in a comprehensive and efficient manner. To meet this challenge, Security Manager features policy sharing. Sharing a policy makes it possible for you to assign the configuration defined by the policy to multiple devices or VPN topologies. Any changes to a shared policy affect the configuration of each device or VPN topology to which it is assigned.

For example, if you want all the Cisco IOS routers in your network to implement the same Network Admission Control policy, you need to define the shared policy only once. You can then assign the shared policy to all routers with a single action. Any updates you make to the shared policy are immediately reflected in the planned configurations maintained by Security Manager for each device to which the shared policy is assigned. For more information, see Working with Shared Policies in Device View.

Related Topics

•Understanding Policies

Policy Management and Objects

Objects make it easier to configure policies in Security Manager by providing a set of values with a logical, easy-to-remember name that can be applied wherever it is needed. For example, you can define a network/host object called MyNetwork that contains a set of IP addresses in your network. Whenever you configure a policy requiring these addresses, you can simply refer to the MyNetwork object instead of manually entering the addresses each time.

When you define a policy, you can create objects on the fly by clicking the Select button next to any field the accepts an object as a value. For more information, see Selecting Objects for Policies, page 8-256. You can also create and manage objects system-wide from the Policy Object Manager Window, page C-29.

Certain types of objects enable you to override their predefined values at the device level, which enables you to use an object in a policy while retaining the ability to customize particular values. For more information, see Overriding Global Objects for Individual Devices, page 8-250.

For more information about objects and how to use them when defining policies, see Managing Objects, page 8-1.

Related Topics

•Understanding Policies

Discovering Policies

Policy discovery enables you to bring your existing network configuration into Security Manager to be managed. When you initiate policy discovery on a device, the system analyzes the configuration on the device and then translates this configuration into Security Manager policies and policy objects so that the device can be managed. Warnings are displayed if the imported configuration completes only a partial policy definition. If additional settings are required, you must go to the relevant page in the Security Manager interface to complete the policy definition.

Policy discovery can be performed by importing the configuration of a live device or by importing a configuration file. Security Manager supports only device-generated configuration files for discovery. For more information, see Adding Devices from a Configuration File, page 5-44.

When you perform policy discovery, any object groups already configured on firewall devices (PIX, ASA, and FWSM) are brought into Security Manager as policy objects. For more information about how Security Manager policy objects are translated into object groups and vice-versa, see How Policy Objects are Provisioned as PIX Object Groups, page 8-264.

---

Note You can discover objects that have the same definition as existing objects, regardless of the setting you have defined for detecting redundant objects. For more information about this setting, see Defining Policy Object Settings, page 2-65.

---

You can initiate policy discovery when you add a device by selecting the relevant options in the New Device wizard. For more information, see Adding Devices to the Security Manager Inventory, page 5-29.

You can also initiate policy discovery for existing devices from Device view. For more information, see Discovering Policies on Devices Already in Security Manager.

After performing policy discovery, you must submit your changes to make the information available to other users. For more information, see Chapter 7, "Managing Activities." If you make any changes to the discovered policies, you must deploy the changes to the device. For more information, see Chapter 15, "Managing Deployment."

Related Topics

•Viewing Policy Discovery Task Status

•Overriding Global Objects for Individual Devices, page 8-250

•Frequently Asked Questions about Policy Discovery

Discovering Policies on Devices Already in Security Manager

This procedure describes how to discover policies on devices that were already added to Security Manager.

You might initiate policy discovery on existing devices when:

•You discover out-of-band changes in the network, for example, changes to device configurations using CLI commands. In such a situation, you can rediscover existing policies on the device to make sure that the Security Manager database has the most current information.

•You want to discover a subset of policies (for example, platform-specific settings) that was not discovered when you first added the device to Security Manager.

•You want to import the factory-default configuration of a firewall device. For more information, see Understanding Factory-Default Configurations, page 13-2.

---

Caution If you perform policy discovery on a device after configuring policies in Security Manager, the discovered policies overwrite the information you previously configured.

For example, if you select the option to discover platform-specific settings, the resulting configuration overwrites any platform-specific policies you configured in Security Manager. This is true even if the discovered configuration does not include the specific platform-specific policy you configured. To take one possible case, discovering platform-specific settings overwrites any routing policies you have configured for the device in Security Manager, even if the configuration you discover does not contain any routing information.

Another result of rediscovery is that any shared policies that were configured on the device are replaced by the local policies that are discovered.

---

Procedure

---

Step 1 In Device view, select a device from the Device selector.

Step 2 Do one of the following:

•Select Policy > Discover Policies on Device.

•Right-click a device in the Device selector, then select Discover Policies on Device.

The Create Discovery Task dialog box is displayed. See Table C-12 on page C-16 for a description of the fields in this dialog box.

Step 3 (Optional) Modify the default name assigned to the discovery task. The default name is based on the date and time the task is initiated.

Step 4 Select the type of policy discovery to perform:

•Live Device—Discovery is performed on the live device.

•Config File—Discovery is performed using a configuration file. Enter the path to the file, or click Browse to navigate to the file.

•Factory Default Configuration—Discovery is performed using a file containing the factory-default configuration for the selected device.

---

Tip We recommend that you use the Factory Default Configuration settings when performing policy discovery on firewall devices (PIX, ASA, and FWSM) added manually or from the DCR. For more information about factory-default policies, see Understanding Factory-Default Configurations, page 13-2.

---

Step 5 (Optional) Under Policies to Discover, refine the scope of the discovery task by selecting or deselecting the following check boxes:

•Inventory—Discovers basic device information (such as hostname and domain name), interfaces, and security contexts on devices running in multiple mode.

•Platform Settings—[PIX/ASA/FWSM devices only] Discovers platform-specific policies, such as routing policies.

•Firewall Services—Discovers firewall service policies, such as access rules and inspection rules, on all platforms.

---

Note For more information about the difference between different types of policies, see Service Policies vs. Platform-Specific Policies.

---

By default, all options relevant to the device type are selected.

Step 6 Click OK. The discovery task is initiated. You cannot perform other tasks in Security Manager while discovery is in progress.

---

Note If you are discovering policies on a Catalyst 6500/7600 device, you must proceed as described in Step 11 in Adding Devices from the Network, page 5-32.

---

When the task is complete, a message box is displayed. Click OK to close this message box or click Status Detail to view the Discovery Status window. For more information, see Viewing Policy Discovery Task Status.

---

Related Topics

•Discovering Policies

•Frequently Asked Questions about Policy Discovery

•Understanding Policies

•Managing Policies in Device View

•Managing Shared Policies in Policy View

Viewing Policy Discovery Task Status

When you initiate policy discovery a discovery task is created. For each policy discovery initiation, only one task is created regardless of the number of devices being discovered.

You can view the status of the current policy discovery task in the Discovery Status dialog box, which opens automatically when the task is initiated. This dialog box provides updated status information about the discovery task, including summary information about the task and details about each device being discovered.

You can abort a discovery task, if required. When you perform policy discovery on a single device, aborting the task results in partial discovery. In such cases, we recommend deleting the information and starting again. When you perform policy discovery on multiple devices, any devices for which discovery was completed before you aborted the operation are fully discovered. Security Manager automatically discards the information for any partially discovered device.

The Discovery Status dialog box also displays the appropriate warning and error messages if any problems are encountered during the discovery process. For example, if the CLI commands in a configuration file do not define a complete Security Manager policy, a warning message is displayed that you must complete the policy definition in the relevant Security Manager policy page.

For more information, see Discovery Status Dialog Box, page C-18.

To view information about previous discovery tasks, open the Policy Discovery Status dialog box. For more information, see Policy Discovery Status Page, page E-2.

Related Topics

•Discovering Policies on Devices Already in Security Manager

•Frequently Asked Questions about Policy Discovery

•Discovering Policies

Frequently Asked Questions about Policy Discovery

These questions and answers describe how policy discovery processes your device configurations into Security Manager policies:

•How does policy discovery work?

•When should I discover policies?

•How can I determine the results of the discovery?

•Does Security Manager show which commands are not discovered, and what can I do about them?

•How are discovered policies reflected in the user interface?

•I am using Auto Update Server for my PIX or ASA devices. How do I discover policies?

•I am using Cisco Secure ACS to manage authentication and authorization to Security Manager. How does this affect policy discovery?

•If I discover policies on a device and then deploy the policies from Security Manager without changing them, what is the difference between the original configuration on the device and the one that exists after the deployment?

•How does Security Manager handle my current CLI naming schemes for ACLs and object groups?

•Are all configuration commands discovered and brought into Security Manager?

•If I rediscover policies on a device already in Security Manager, what happens to the policies assigned to the device?

•Does Security Manager use existing policies and objects during policy discovery?

•What do I need to know about security contexts on PIX 7.0 and ASA devices in terms of policy discovery?

•What do I need to know about security contexts for Firewall Services Modules (FWSMs) on Catalyst 6500 switches and 7600 routers when I add them and discover policies?

•After adding a device and discovering policies, I cannot submit my changes to the database; instead I get warnings such as "Connection Policies Not Set." What must I do to complete the device addition?

•Can I import policies from my existing VPN/Security Management Suite (VMS) 2.x products into Security Manager?

•Can I discover AAA servers on devices running IOS software that were configured using the server-private command?

•What do I need to know about discovery and device hostnames?

Q. How does policy discovery work?

A. After you select the device whose policies, settings, and interfaces (inventory) you want to discover, Security Manager obtains the running configuration (from live devices) or the supplied configuration (when discovering from configuration files) and translates the CLI into Security Manager policies and objects. The imported configuration is added to the Configuration Archive as the initial configuration for the device. After discovery, you can review the discovered policies and objects and decide whether to commit them to the database. If you dislike them, you can discard them instead. Please note that commit and discard affect all discovered devices as a group and cannot be implemented on a per-device basis.

Q. When should I discover policies?

A. Typically, you should discover policies when you add devices to Security Manager. However, if you are creating devices in Security Manager (instead of importing live devices or configuration files), you must perform policy discovery after adding the device. You should also perform policy discovery in order to synchronize Security Manager with any out-of-band changes that have been made to the device, for example via the CLI.

Q. How can I determine the results of the discovery?

A. When you initiate a discovery task, a window opens that shows you the discovery status and results. You can also view a history of discovery task results on the Policy Discovery Status page (select Tools > Policy Discovery Status).

Q. Does Security Manager show which commands are not discovered, and what can I do about them?

A. In the task status window, go to the Message Summary section, then select Commands Not Discovered. Any undiscovered commands are listed in the Description field.

Q. How are discovered policies reflected in the user interface?

A. Security Manager converts the device commands into policies. There is no difference in appearance between a policy discovered from a device configuration and one defined directly in Security Manager.

Q. I am using Auto Update Server for my PIX or ASA devices. How do I discover policies?

A. If a device has a static IP address, you can discover policies from the device. If it has a dynamic IP address, you must discover policies from the device's configuration file (offline).

Q. I am using Cisco Secure ACS to manage authentication and authorization to Security Manager. How does this affect policy discovery?

A. You must add all managed devices to Cisco Secure ACS before you can perform policy discovery and manage these devices in Security Manager. This includes security contexts on PIX/ASA/FWSM devices. For more information, see Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 2-26.

Q. If I discover policies on a device and then deploy the policies from Security Manager without changing them, what is the difference between the original configuration on the device and the one that exists after the deployment?

A. Typically, there will be no differences between the new configuration and your original one, assuming you set up FlexConfigs for any unsupported CLI commands (since they are not displayed in Security Manager). However, in certain cases minor changes might occur in your ACL or object-group naming schemes. For more information, see How Policy Objects are Provisioned as PIX Object Groups, page 8-264. In addition, any discovered objects that are not being used by a policy are removed from the configuration. There can also be instances where the new configuration is functionally equivalent to the old one but does not use the same commands.

Q. How does Security Manager handle my current CLI naming schemes for ACLs and object groups?

A. When you discover policies from a device, Security Manager tries to use the same names you have used. However, depending on your naming scheme, some minor differences might occur between what you defined on your device and the policies created through discovery. Additionally, there is a possibility that a naming conflict can occur between an existing ACL or object on the device and the name required for the new policy or object; in this case, Security Manager generates a different name so as not to misconfigure the device. For example, if the name of a discovered object conflicts with an object of the same type that already exists in Security Manager, a suffix is added to the name of the new object to make it unique or a device-level override is created.

Q. Are all configuration commands discovered and brought into Security Manager?

A. No. Security Manager does not discover all device configuration commands. Instead, it discovers security policies. For any configuration commands not discovered, use the FlexConfig feature to include the commands that Security Manager does not support.

Q. If I rediscover policies on a device already in Security Manager, what happens to the policies assigned to the device?

A. If you rediscover policies on a device that you are already managing with Security Manager, the newly discovered policies replace the ones assigned to the device. All policies within the selected policy domain (firewall services, platform settings, or both) are replaced, not just the ones that are different on the device compared to the ones in the Security Manager database. If you assigned shared policies to the device, the assignment is removed and the shared policy is left unchanged (so that other devices that use the shared policy are not affected). After policy discovery, all policies assigned to the device are specific to that device; none of them are shared with other devices. If you want to use shared policies with the device, you must redo the assignments after policy discovery.

Q. Does Security Manager use existing policies and objects during policy discovery?

A. During policy discovery, Security Manager uses existing policy objects (ones that you already defined in Security Manager) when creating policies for the device. However, Security Manager does not reuse existing policies; all policies created during discovery are local to the device being discovered. Thus, you might find it beneficial to define your policy objects (such as network objects) before adding devices to Security Manager.

Q. What do I need to know about security contexts on PIX 7.0 and ASA devices in terms of policy discovery?

A. On devices running PIX 7.0 or ASA software, you can create security contexts, which act like independent firewalls. When you add a device that has security contexts, you should discover all contexts and policies at the same time; otherwise, you will have to discover policies for each context separately. When you add the device, select MULTI for Context and do not select Security Context of Unmanaged Device. (If you select this option, only the admin context is imported, and it has no relationship to other security contexts on the device; select this option only if you want to manage the security context independently from the parent device.) Depending on how you add the device, you might need to select the option to discover security contexts. During discovery, Security Manager identifies each security context and adds it as a separate device to the device list, appending the security context name to the end of the parent's name; for example, if the parent is pix_141, the admin context would be pix_141_admin. When managing PIX 7.0 and ASA devices in Security Manager, you can create new security contexts, or delete existing contexts, as well as creating and deleting policies for those contexts.

Q. What do I need to know about security contexts for Firewall Services Modules (FWSMs) on Catalyst 6500 switches and 7600 routers when I add them and discover policies?

A. On FWSMs, you can create security contexts, which act like independent firewalls. If you use this feature and are running IOS software on the chassis, add the chassis device using the SSH credentials for the chassis. Then Security Manager can identify each FWSM on the chassis, and give you the option to add each of them. During FWSM discovery, Security Manager discovers the security contexts for each FWSM, including the policies for the FWSM and for each context. In the device list, each security context is listed separately and the name of the context is appended to the name of the FWSM on which it is defined. (For example, Cat6K_FW_4 might be the FWSM, and Cat6K_FW_4_context1 would be the context1 security context.) You should always perform policy discovery on the chassis, not on the individual FWSM, so that Security Manager can discover the inventory. However, if you are running the Catalyst OS on the device, you must add the FWSM as a standalone device instead of adding the chassis, since Security Manager does not support the Catalyst OS.

Q. After adding a device and discovering policies, I cannot submit my changes to the database; instead I get warnings such as "Connection Policies Not Set." What must I do to complete the device addition?

A. When you add a device and discover policies (particularly when you add devices from configuration files), Security Manager warns you if the resulting configuration is incomplete in ways that will prevent it from successfully managing the device. Connection policies, for example, are simply the device credentials (user names and passwords) required to log into the device, as well as other connection-related configuration settings (such as HTTP settings). Because these missing settings result in an invalid configuration or prevent Security Manager from contacting and managing the device later, you are prevented from submitting the changes to the database. Ensure that you have complete and valid configurations for these settings, then resubmit your changes to the database.

Q. Can I import policies from my existing VPN/Security Management Suite (VMS) 2.x products into Security Manager?

A. No, you cannot. Instead, add the devices that you were managing with VMS into Security Manager and run policy discovery on them to add their policies to Security Manager.

Q. Can I discover AAA servers on devices running IOS software that were configured using the server-private command?

A. Yes, you can discover these servers. However, Security Manager converts them into standard AAA servers that can be used globally or in multiple AAA server groups. The server-private command is not supported.

Q. What do I need to know about discovery and device hostnames?

A. When you discover a device, the hostname policy is populated with the hostname discovered on the device. However, the hostname listed in Device Properties is not updated with this value. For more information, see Understanding Device Properties, page 5-75.

Managing Policies in Device View

You can use Device view to manage both local policies and shared policies, as described in the following sections:

•Performing Basic Policy Management

•Working with Shared Policies in Device View

To access Device view, select View > Device View or click the Device View button on the toolbar.

Related Topics

•Understanding the Device View, page 5-23

•Managing Shared Policies in Policy View

•Advanced Policy Features

•Understanding Policies

Performing Basic Policy Management

The following topics describe the operations you can perform on local policies in Device view:

•Configuring Local Policies in Device View

•Copying Policies Between Devices

•Unassigning a Policy

Local policies are policies that are specific to the device or VPN topology on which they are configured. They are not shared by other network elements.

Related Topics

•Working with Shared Policies in Device View

•Managing Shared Policies in Policy View

•Understanding Policies

Configuring Local Policies in Device View

Use Device view to configure local platform and service policies on individual firewall devices and Cisco IOS routers. Each policy defines a particular configuration or security task that the device can perform, such as NAT, OSPF routing or inspection rules. Local policies are unnamed and are particular to the individual device on which they have been defined. Any changes that you make to a local policy do not affect other devices that Security Manager is managing.

When you configure a policy, a lock is placed on that policy to prevent other users from making changes to the same policy at the same time. See Understanding Locking.

You can modify any local policy assigned to a particular device, provided you have permissions to modify policies and to access that device. For more information about permissions, see Setting Up User Permissions, page 2-2.

After configuring a policy, you must deploy the changes to the device in order to make them active on that device. For more information, see Chapter 15, "Managing Deployment."

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a policy for that device from the Device Policies selector. The details of the policy appear in the work area.

---

Note For more information about Device view, see Understanding the Device View, page 5-23.

---

Step 2 Modify the definition of the policy as required. For more information, see:

•Chapter 9, "Managing Site-to-Site VPNs."

•Chapter 10, "Managing Remote Access VPNs."

•Chapter 11, "Managing Firewall Services."

•Chapter 12, "Managing Routers."

•Chapter 13, "Managing Firewall Devices."

•Chapter 14, "Using the Catalyst 6500/7600 Device Manager."

Step 3 Click Save to save your changes to the server.

If this is the first time you are configuring this policy on this particular device, the icon next to the selected policy changes to indicate that the policy is configured and assigned locally to the device. For more information about policy status icons, see Table 6-1.

---

Note To deploy the configured policy to the device, see Working with Deployment, page 15-31.

---

---

Related Topics

•Managing Policies in Device View

•Copying Policies Between Devices

•Working with Shared Policies in Device View

Policy Status Icons

You can learn the status of any policy in Security Manager at a glance by viewing the icon displayed next to the policy name, as shown in Table 6-1.

Table 6-1 Policy Status Icons 

Icon	Status
	The policy is not configured. Upon deployment, any policy of this type already present on the device is effectively removed.
	A local policy is configured. The definition of this policy affects only the device/VPN topology on which it is configured.
	A shared policy is configured. Any changes to the definition of this policy affect all of the devices/VPN topologies to which this policy is assigned.

Related Topics

•Understanding Policies

Copying Policies Between Devices

Security Manager enables you to streamline device configuration by copying multiple policies, or even a complete set of policies, from one device to others of the same type. This makes it easy, for example, to quickly configure a new firewall device with the same policies configured on an existing firewall device.

When you copy policies between devices, those policies that are local on the source device are copied locally to the target device. Shared policies assigned to the source device are copied as shared policies to the target device as well.

---

Tip•If your intention is to assign a single shared policy to additional devices, we recommend that you use the assignment feature, rather than copying. For more information about sharing policies in Device view, see Modifying Shared Policy Assignments in Device View.

•To create a new device of the same type that shares the same configuration and properties (including device operating system version, credentials, and grouping attributes) as the source device, use the Clone Device feature. For more information, see Cloning a Device, page 5-82.

---

---

Note Catalyst 6500/7600 devices do not support this feature.

---

Procedure

---

Step 1 In Device view, select a device from the Device selector.

Step 2 Do one of the following:

•Select Policy > Copy Policies Between Devices.

•Right-click a device in the Device selector, then select Copy Policies Between Devices.

The Copy Policies wizard is displayed.

Step 3 On the Copy Policies from this Device page (Table C-3 on page C-6), select the source device from which to copy policies, then click Next. The Copy Policies to these Devices page (Table C-4 on page C-7) is displayed.

---

Note If you selected a device before selecting the Copy Policies Between Devices command, you are automatically brought to the second page of the wizard. You can click Back to return to the first page to select a different device.

---

Step 4 Select the target devices to which you want to copy policies from the source device, then click Next. The Select Policies to Copy page (Table C-5 on page C-8) is displayed.

Step 5 (Optional) If you do not want to copy certain policies, deselect the check box next to those policies. By default, all policy types that are configured on the source device (local and shared) are selected for copying.

---

Note When you copy policies between firewall devices, copying the interfaces policy automatically copies the failover policy and vice-versa.

---

Step 6 Click Finish. The selected policies are copied from the source device to the target device.

---

Note An error message is displayed if the target devices are locked by another user or activity, or if you lack the required permissions.

---

---

Related Topics

•Managing Policies in Device View

•Configuring Local Policies in Device View

Unassigning a Policy

If you unassign a policy that has already been deployed to a device, all the values that are defined for the policy are erased, effectively removing the policy from the device's planned configuration. When you perform deployment, the configuration of this type that already exists on the device is removed.

If you unassign a mandatory policy from a VPN topology (such as the IPSec proposal), Security Manager substitutes a default policy in its place. However, if you unassign an optional policy from a VPN topology, the policy is erased.

Unassigning a policy from a remote access VPN erases the policy, even if it is a mandatory policy. In such cases, deployment will fail unless you create a new definition for the mandatory policy.

Procedure

---

Step 1 Select a device from the Device selector.

Step 2 Right-click a local policy assigned to the device from the Device Policies selector, then select Unassign Policy.

---

Note You cannot use this command to unassign a device access policy on a Cisco IOS router. If you unassign a device access policy that was used to define the password for configuring the device, you might prevent Security Manager from configuring that device in the future. For more information, see Configuring Device Access on Cisco IOS Routers, page 12-26.

---

A message is displayed, warning that you are about to unassign the current policy.

Step 3 Click OK. The icon next to the selected policy reverts to an empty icon to show that the policy was removed from the device's planned configuration. For more information about policy status icons, see Table 6-1.

---

Related Topics

•Configuring Local Policies in Device View

•Copying Policies Between Devices

•Managing Policies in Device View

Working with Shared Policies in Device View

Sharing policies makes it possible to configure multiple devices with common policies, which provides greater consistency in your policy definitions and streamlines your management efforts. Any changes to a shared policy affect all the devices and VPN topologies to which the policy is assigned. This makes it easy, for example, to update all of your Cisco IOS routers with new quality of service policies by updating the shared Quality of Service policy assigned to these devices.

When working in Device view, you can take a local policy (such as a policy created during device discovery) and share it. You can then assign the shared policy to as many devices as you want (provided they are not locked by another user; see Understanding Locking), and you can change these assignments at any time.

In addition, you can take a shared policy that is assigned to a device and turn it into a local policy for that particular device. This enables you to create a special configuration that affects only that device. Other devices assigned the shared policy continue to use the shared policy as before.

---

Note As an alternative to sharing local policies, you can create new shared policies in Policy view. For more information, see Creating a New Shared Policy. After creating the shared policy and assigning it to devices in Policy view, you can return to Device view and perform additional operations on the policy, as described in the sections that follow.

---

The following topics describe how to share policies and the operations that can be performed on them:

•Sharing a Local Policy

•Sharing Multiple Policies of a Selected Device

•Unsharing a Policy

•Assigning a Shared Policy to a Selected Device

•Adding Local Rules to a Shared Policy

•Copying a Shared Policy

•Renaming a Shared Policy

•Modifying Shared Policy Definitions in Device View

•Modifying Shared Policy Assignments in Device View

Shared policies can also be created and managed at the network level using Policy view. For more information, see Managing Shared Policies in Policy View.

Related Topics

•Understanding Policies

•Managing Policies in Device View

Sharing a Local Policy

As your network grows, you might decide to convert a local policy into a shared policy that you can assign to multiple devices. Sharing a policy provides a streamlined management approach that ensures that all devices assigned to the policy are configured in a consistent manner. For example, if you configure a set of firewall inspection rules on a particular device, sharing that device's inspection rules policy makes it possible to assign that policy to other devices, eliminating the need to configure each device individually. In addition, having a shared policy enables you to update the configurations of each assigned device at one time, saving time and promoting greater consistency across your set of managed devices.

When you share a policy, you must name the policy. (Local policies do not have names, because they are associated with only a single device.) This enables you to identify this policy when managing shared policies in Policy view.

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a local policy for that device from the Device Policies selector. The details of the policy appear in the work area.

Step 2 Do one of the following:

•Select Policy > Share Policy.

•Right-click the local policy, then select Share Policy.

The Share Policy dialog box is displayed. See Table C-1 on page C-2 for a description of the fields in this dialog box.

Step 3 Enter a name for the shared policy. Policy names can contain up to 255 characters, including spaces and special characters.

Step 4 Click OK to save the policy as a shared policy.

In the Device Policies selector, the icon next to the selected policy type changes to show that the policy is now a shared policy. For more information about policy status icons, see Table 6-1.

Additionally, a header is added to the work area above the policy definition details. This header contains several important pieces of information: the name of the policy (and its inheritance, if applicable) and the number of devices to which the policy is assigned (including the selected device), as well as user privilege and lock indicators (see Understanding Locking), where applicable. You can use the links contained in the header as follows:

•Click the link in the policy name to select a different shared policy to assign to the selected device. See Assigning a Shared Policy to a Selected Device.

•Click the link in the number of assigned devices to edit the list of devices to which the policy is assigned. See Modifying Shared Policy Assignments in Device View.

---

Related Topics

•Unsharing a Policy

•Adding Local Rules to a Shared Policy

•Sharing Multiple Policies of a Selected Device

•Working with Shared Policies in Device View

Sharing Multiple Policies of a Selected Device

With one procedure, you can share multiple local policies configured on a particular device. When you perform this procedure, you can choose to share all the local policies configured on the device or only some of them. For example, you can take all the firewall service policies defined on an ASA device and share them.

Initially, the resulting shared policies are assigned only to the device from which the procedure was performed. You can then however, assign these shared policies to additional devices, as required. See Modifying Shared Policy Assignments in Device View.

This feature provides a convenient way to take the policies configured on a single device and use them as a template for configuring similar devices. For example, after you discover the devices at your branch offices, you can take all the local access rules that you have configured on a similar device and share them with a single procedure so that you can assign them to the branch office devices.

---

Tip To create a new device of the same type that shares the same configuration and properties (including device operating system version, credentials, and grouping attributes) as the source device, use the Clone Device feature. For more information, see Cloning a Device, page 5-82.

---

---

Note Catalyst 6500/7600 devices do not support this feature.

---

Procedure

---

Step 1 (Optional) In Device view, select a device from the Device selector.

Step 2 Do one of the following:

•Select Policy > Share Device Policies.

•Right-click the device, then select Share Device Policies.

The Select Policies from this Device page of the Share Policies wizard is displayed. See Table C-6 on page C-10 for a description of the fields in this page.

Step 3 Select the device from the tree whose policies to convert from local to shared, then click Next.

The Select Policies to Share page of the Share Policies wizard (Table C-7 on page C-11) is displayed. By default, all local policies on the device are selected for sharing.

---

Note If you selected a device before selecting the Share Device Policies command, you go automatically to the second page of the wizard. You can click Back to return to the first page to select a different device.

---

Step 4 (Optional) Deselect the check box next to each local policy that you do not want to share. Policies that are not checked remain local to the selected device.

Step 5 Enter a name for the shared policies. This name will be used by all the policies you are sharing.

Step 6 Click Finish. The selected policies become shared policies, which you can then assign to additional devices as needed. For more information, see Modifying Shared Policy Assignments in Device View.

---

Related Topics

•Copying Policies Between Devices

•Sharing a Local Policy

•Unsharing a Policy

•Working with Shared Policies in Device View

Unsharing a Policy

When you unshare a shared policy assigned to a particular device, you create a copy that becomes a local policy for that device. This means that any subsequent changes made to the local policy affect only this particular device. Other devices assigned the original shared policy continue to use the shared policy as before.

For example, Security Manager might be managing a BGP routing policy called MyBGP, which is assigned to 20 routers. If you decide that one of the routers (Router1) requires a variation of this policy, you can select the device, unshare the policy, and make the changes you need for that router. From that point on, Router1 has a local BGP policy while the other 19 routers continue to use the original shared policy, MyBGP.

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a shared policy for that device (as shown by the share icon) from the Device Policies selector. The details of the policy appear in the work area.

---

Note For more information about policy status icons, see Table 6-1.

---

Step 2 Do one of the following:

•Select Policy > Unshare Policy.

•Right-click the selected shared policy, then select Unshare Policy.

Step 3 Click OK. The shared policy is converted into a local policy for the selected device. The share icon in the Device Policies selector is replaced by the local policy icon.

---

Related Topics

•Sharing a Local Policy

•Managing Policies in Device View

•Working with Shared Policies in Device View

Assigning a Shared Policy to a Selected Device

You can replace any policy (local or shared) assigned to a selected device with a shared policy of the same type. For example, if you have a local NAT policy assigned to a Cisco IOS router, you can assign a shared NAT policy in its place. Similarly, if a shared NAT policy was assigned to the router, you can replace it with a different shared NAT policy.

---

Tip If you select this option for a rule-based policy, any local rules that you configured are replaced by the rules defined in the shared policy. If you want to use the rules defined in the shared policy and still keep your local rules, select the Inherit Rules option instead. For more information, see Inheriting Rules.

---

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a policy for that device from the Device Policies selector. The details of the policy appear in the work area.

Step 2 Do one of the following:

•Select Policy > Assign Shared Policy.

•Right-click the policy, then select Policy > Assign Shared Policy.

The current policy is unassigned from the device and the Assign Shared Policy dialog box is displayed. See Table C-2 on page C-4 for a description of the fields in this dialog box.

Step 3 Select a shared policy from the displayed list to assign to the device.

---

Note If you are assigning a rule-based policy, you might need to expand the branches in the selector in order to choose a policy that inherits rules from other policies.

---

Step 4 Click OK. The shared policy is assigned to the selected device.

---

Related Topics

•Unassigning a Policy

•Adding Local Rules to a Shared Policy

•Copying Policies Between Devices

•Working with Shared Policies in Device View

Adding Local Rules to a Shared Policy

After you assign a shared rule-based policy, such as access rules, to a device, you can define additional rules in the policy that are local to that device. Selecting this option creates an inheritance relationship, where the policy defined on the device inherits rules from the shared policy while adding rules that affect only this particular device. For more information about inheritance, see Understanding Rule Inheritance.

Local rules that you add to a device do not affect the shared policy from which the device inherits its remaining rules. For example, if the shared policy Access_Rules_South is assigned to five devices and you define local rules on one of those devices, the access rules policy on that device consists of the rules defined in Access_Rules_South plus the local rules; the other four devices continue to use only the rules defined Access_Rules_South.

Before You Begin

•Assign a shared, rule-based policy to the device. See Assigning a Shared Policy to a Selected Device.

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a shared policy assigned to that device from the Device Policies selector. You must select a rule-based policy, such as access rules. The details of the policy appear in the work area.

Step 2 Do one of the following:

•Select Policy > Add Local Rules.

•Right-click the policy, then select Add Local Rules.

A message is displayed indicating that the policy on this device is now defined as a child policy that inherits rules from the shared policy. If the shared policy in turn inherits rules from a different shared policy, those rules are automatically inherited as well.

---

Note To change the parent policy from which this policy inherits rules, see Inheriting Rules.

---

Step 3 Click OK to confirm. In the work area, headings are added for local mandatory and default rules in addition to the mandatory and default rules inherited from the shared policy.

In the Device Policies selector, the status icon changes to the icon for a local policy. For more information, see Policy Status Icons.

Step 4 Define local rules as required.

---

Note If you use the Assign Shared Policy option after adding local rules, both the inherited rules and your local rules are replaced with the selected shared policy.

---

---

Related Topics

•Copying a Shared Policy

•Assigning a Shared Policy to a Selected Device

•Unsharing a Policy

•Working with Shared Policies in Device View

Copying a Shared Policy

You can save an existing shared policy under a new name. This provides a useful shortcut for creating a new policy that contains the same definitions as an existing one. You can then change the policy definition, as required.

If you save a rule-based policy with inheritance under a new name, the new policy contains the same inheritance properties as the policy from which it was created. For more information, see Understanding Rule Inheritance.

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a shared policy assigned to that device from the Device Policies selector. The details of the policy appear in the work area.

Step 2 Do one of the following:

•Select Policy > Save Policy As.

•Right-click the policy, then select Save Policy As.

The Save Policy As dialog box is displayed. See Table C-9 on page C-13 for a description of the fields in this dialog box.

---

Note You can also rename a policy from Policy view by selecting a policy type from the Policy Type selector, then right-clicking a policy in the Shared Policy selector. For more information, see Policy View Selectors.

---

Step 3 Enter a name for the new policy.

Step 4 Click OK. The new policy is saved and appears in the selector next to the policy from which it was created. You can then modify the definition of the policy, as required.

---

Related Topics

•Managing Shared Policies in Policy View

•Renaming a Shared Policy

•Deleting a Shared Policy

Renaming a Shared Policy

You can rename a shared policy. The new name is immediately reflected in all devices and VPN topologies to which the policy is assigned.

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a shared policy assigned to that device from the Device Policies selector. The details of the policy appear in the work area.

Step 2 Do one of the following:

•Select Policy > Rename Policy.

•Right-click the policy, then select Rename Policy.

The Rename Policy dialog box is displayed. See Table C-10 on page C-14 for a description of the fields in this dialog box.

---

Note You can also rename a policy from Policy view by selecting a policy type from the Policy Type selector, then right-clicking a policy in the Shared Policy selector. For more information, see Policy View Selectors.

---

Step 3 Enter a new name for the selected policy. Policy names can contain up to 255 characters, including spaces and special characters.

Step 4 Click OK. The selected policy is renamed.

---

Related Topics

•Managing Shared Policies in Policy View

•Copying a Shared Policy

•Deleting a Shared Policy

Modifying Shared Policy Definitions in Device View

You can modify any shared policy in Device view by selecting one of the devices to which the policy is assigned, making the necessary changes, and then saving these changes to the Security Manager server. By default, any changes made to a shared policy in Device view automatically affect all devices to which the shared policy is assigned.

---

Note To apply your changes only to the device that you are modifying, you must first unshare the policy (see Unsharing a Policy). This action converts the policy to a local policy and prevents your changes from affecting other devices in the network.

---

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a shared policy for that device from the Device Policies selector. The details of the policy appear in the work area.

Step 2 Redefine the policy, as required.

Step 3 Click Save. A message is displayed, reminding you that the changes you made will be applied to all devices to which the policy is assigned.

---

Tip To prevent this warning message from appearing in the future, select the Do not show in the future check box before confirming the save.

---

Step 4 Click OK to confirm the save, or click Cancel to cancel the operation.

---

Related Topics

•Modifying Shared Policy Assignments in Device View

•Configuring Local Policies in Device View

•Managing Policies in Device View

Modifying Shared Policy Assignments in Device View

You can modify the list of devices assigned a particular shared policy as required. If you remove a device from a policy assignment, that policy is effectively removed from the device's planned configuration. Upon deployment, any configuration of that type that exists on the device is removed. For more information, see Unassigning a Policy.

---

Caution Use the policy assignment feature with care, as unassigning a policy can have unintended consequences. For example, if you unassign a device access policy from a Cisco IOS router and then deploy that change, you might prevent Security Manager from configuring that device in the future. For more information, see Configuring Device Access on Cisco IOS Routers, page 12-26.

---

Policy assignment can also be modified from Policy view. For more information, see Modifying Policy Assignments in Policy View.

Procedure

---

Step 1 In Device view, select a device from the Device selector, then select a shared policy for that device from the Device Policies selector. The details of the policy appear in the work area.

Step 2 Do one of the following:

•Select Policy > Edit Policy Assignments.

•Right-click the policy, then select Edit Policy Assignments.

---

Tip You can also edit policy assignments by clicking the assignment link located in the header above the work area.

---

Step 3 Modify the list of devices to which the policy is assigned, as follows:

•To assign the selected policy to additional devices, select one or more devices from the Available Devices list, then click >> to move them to the Assigned Devices list.

•To unassign the selected policy from devices, select one or more devices from the Assigned Devices list, then click << to return them to the Available Devices list. Devices that are unassigned from the policy remove this policy from their running configuration during deployment.

Step 4 Click OK to save your definitions.

---

Related Topics

•Modifying Shared Policy Definitions in Device View

•Unassigning a Policy

•Copying Policies Between Devices

•Working with Shared Policies in Device View

Managing Shared Policies in Policy View

Policy view enables you to manage shared policies in Security Manager at the system level. With Policy view you can quickly view all the shared policies that are defined for a particular policy type, edit their definitions, and modify their device assignments. Additionally, you can create a new shared policy for later assignment to devices.

To access Policy view, select View > Policy View or click the Policy View button on the toolbar.

Policy view is divided into the following sections:

•Policy Type selector.

•Shared Policy selector.

•Work area.

Figure 6-1 Policy View

Related Topics

•Policy View Selectors

•Policy View Work Area

•Managing Policies in Device View

•Working with Shared Policies in Device View

Policy View Selectors

Policy view contains two selectors. The upper selector displays all the policy types available for a selected policy domain. The root of the policy type selector is the policy domain name. To display the policy types for a different policy domain, click the root of the tree and select a different domain from the list. Options are:

•Firewall services.

•NAT (PIX/ASA platform).

•NAT (router platform).

•Site-to-Site VPN.

•Remote Access VPN.

•PIX/ASA platform.

•Router platform.

•FlexConfigs

You can expand and collapse the selector as required to view all the available policy types and subtypes. The Policy Type selector also includes a shortcut menu for creating a new shared policy of a selected type.

Selecting a policy type from the Policy Type selector displays all the shared policies of that type in the Shared Policy selector. Local policies configured in Device view are not displayed.

For example, when you select a configuration policy type, such as NAT translation rules, the Shared Policy selector displays a flat list of each shared policy of that type. If you select a rule-based policy type, such as firewall access rules, the Shared Policy selector displays a hierarchical tree of shared policies. This enables you to view the inheritance relationships among the various policies. The Shared Policy selector includes a shortcut menu with options for actions that can be performed on that policy, such as renaming it.

---

Tip You can create and apply a filter to shorten the list of policies displayed in the Shared Policy selector. For more information about filters, see Filtering the Shared Policy Selector.

---

Related Topics

•Policy View Work Area

•Managing Shared Policies in Policy View

Filtering the Shared Policy Selector

You can filter the list of policies displayed in the Shared Policy selector according to the policy name. For example, if you have dozens of access rule policies, you can create and apply a filter so that only those access rule policies having a certain name are displayed in the selector.

Each user can define a maximum of 10 filters for the Shared Policy selector. After that, creating an additional filter replaces the oldest one in the list. In other words, the 11th filter replaces the first filter.

Filters are created and applied from the Filter list displayed above the Shared Policy selector.

Procedure

---

Step 1 In Policy view, select Create Filter from the Filter list displayed above the Shared Policy selector. The Create Filter dialog box is displayed. See Table C-18 on page C-25 for a description of the fields in this dialog box.

Step 2 Define filter criteria:

a. Name is automatically selected from the Filter Type list on the left. Policies can be filtered by name only.

b. Select an operator from the list in the center. The operator defines how the filter relates to the policy name. Options are: contains, doesn't contain, is, isn't, begins with, and ends with.

c. Enter a string representing the policy name or partial policy name in the field on the right.

For example, if you define the criteria as Name begins with HQ, the filter will include only those shared policies whose names begin with HQ.

d. Click Add. The defined criteria are displayed in the content area of the dialog box.

---

Note To remove criteria from the filter definition, select it in the content area, then click Remove.

---

e. Repeat steps b through d to add criteria to the filter.

Step 3 Select one of the following options:

•Match Any of the Following—Creates an OR relationship among the filter criteria. Policies matching any of your criteria are included in the filter.

•Match All of the Following—Creates an AND relationship among the filter criteria. Only those policies matching all your criteria are included in the filter.

Step 4 Click OK. The filter is saved and added to the Filter list.

Step 5 To apply the filter, select it from the Filter list. To display policies without a filter, select None from the Filter list.

---

Related Topics

•Policy View Selectors

•Managing Shared Policies in Policy View

Policy View Work Area

The work area in Policy view contains the following tabs:

•Details—Contains the definition of the selected policy. The information displayed on the Details tab is identical to the information displayed in Device view and can be modified in exactly the same way. For more information about configuring policies, see:

–Chapter 9, "Managing Site-to-Site VPNs."

–Chapter 10, "Managing Remote Access VPNs."

–Chapter 11, "Managing Firewall Services."

–Chapter 12, "Managing Routers."

–Chapter 13, "Managing Firewall Devices."

–Chapter 14, "Using the Catalyst 6500/7600 Device Manager."

•Assignments—Contains the device assignments for the selected policy, enabling you to add and remove devices as required. For more information, see Modifying Policy Assignments in Policy View.

Related Topics

•Policy View Selectors

•Managing Shared Policies in Policy View

Creating a New Shared Policy

Use Policy view to create a new shared policy. In most cases, the new policy starts out undefined, but in certain cases (for example, many site-to-site VPN policies, such as IPSec proposals and GRE modes) default values are supplied. In all cases, the new policy is not initially assigned to any devices. If the new policy is a rule-based policy that supports inheritance, it can be created as a child of an existing shared policy of the same type. For more information, see Understanding Rule Inheritance.

---

Tip You can also create shared policies by converting local policies in Device view. For more information, see Sharing a Local Policy.

---

Procedure

---

Step 1 In Policy view, select a policy type in the Policy Type selector.

Step 2 Do one of the following:

•Right-click the policy type in the Policy Type selector, then select New [policy type] Policy.

•Right-click a policy in the Shared Policy selector, then select New [policy type] Policy.

•Click the Create a Policy button beneath the Shared Policy selector.

The Create a Policy dialog box is displayed. See Table C-20 on page C-28 for a description of the fields in this dialog box.

Step 3 Enter a name for the new policy. Policy names can contain up to 255 characters, including spaces and special characters.

Step 4 Click OK to save your definitions. The new policy appears in the Shared Policy selector.

To configure a definition for the new shared policy, see Policy View Work Area. To assign the new shared policy, see Modifying Policy Assignments in Policy View.

---

Related Topics

•Managing Shared Policies in Policy View

Modifying Policy Assignments in Policy View

Use the Assignments tab in Policy view to modify the list of devices or VPN topologies to which you assigned a selected shared policy. Assigning a policy to a device or VPN overwrites any policy of the same type (local or shared) that was previously assigned to the device in Security Manager. When deployed, the newly assigned policy overrides any policy of the same type that is already configured on the device, whether it was configured using Security Manager or using another method, such as the CLI.

When you unassign a shared policy from a device or VPN topology, Security Manager removes the policy from the planned configuration of that device or VPN topology. When the configuration defined by the policy is deployed, any configuration of the same type that is already configured on the device (including the devices in the VPN topology) is removed. For more information, see Unassigning a Policy.

Therefore, if your intention when performing unassign is to assign a different shared policy to a particular device or VPN topology, it is important to select the replacement policy and perform the assignment before performing deployment.

---

Note Assigning a replacement policy is particularly important when you use a device access policy to configure the enable password or enable secret password on a Cisco IOS router. If you unassign this policy and fail to define a different password in its place before deployment, Security Manager might be unable to configure this device in the future. For more information, see Configuring Device Access on Cisco IOS Routers, page 12-26.

---

Alternatively, you can return to Device view and replace the shared policy assigned to the device with a different shared policy. For more information, see Assigning a Shared Policy to a Selected Device.

---

Note If you unassign a mandatory site-to-site VPN policy, such as an IKE proposal policy, Security Manager automatically replaces it with a default policy. If you unassign a mandatory remote access VPN policy, you must manually configure a new policy of that same type or deployment will fail.

---

Procedure

---

Step 1 In Policy view, select a policy type from the Policy Type selector, then select a policy from the Shared Policy selector. See Policy View Selectors.

Step 2 Click the Assignments tab in the work area. See Table C-19 on page C-27 for a description of the fields on this tab.

Step 3 Modify the list of devices or VPNs to which the policy is assigned, as follows:

•To assign the selected policy to additional devices or VPNs, select one or more items from the Available Devices/VPNs list, then click << to move them to the Assigned Devices/VPNs list.

•To unassign the selected policy from devices or VPNs, select one or more items from the Assigned Devices/VPNs list, then click << to return them to the Available Devices/VPNs list.

Step 4 Click Save to save your definitions.

---

Related Topics

•Modifying Shared Policy Assignments in Device View

•Managing Shared Policies in Policy View

Deleting a Shared Policy

Use Policy view to delete a shared policy from Security Manager. You can delete a policy only if it is not assigned to any devices or VPN topologies. For more information, see Modifying Policy Assignments in Policy View.

Procedure

---

Step 1 In Policy view, select a policy type from the Policy Type selector, then select a policy from the Shared Policy selector. See Policy View Selectors.

Step 2 (Optional) Click the Assignment tab to verify that the selected policy is not assigned to any devices or VPN topologies. If any assignments still exist, you must remove them before continuing.

Step 3 Do one of the following:

•Right-click the policy, then select Delete Policy.

•Click the Delete a Policy button beneath the Shared Policy selector.

A confirmation message is displayed.

Step 4 Click OK. The selected policy is deleted.

---

Related Topics

•Creating a New Shared Policy

•Copying a Shared Policy

•Managing Shared Policies in Policy View

Advanced Policy Features

The following sections describe advanced policy features available in Security Manager:

•Customizing Policy Management

•Understanding Rule Inheritance

•Understanding Locking

Customizing Policy Management

When you manage Cisco IOS routers, you have the option of selecting which policy types to manage with Security Manager and which policy types to leave unmanaged. Managing a policy type means that Security Manager controls the configuration of the policy and considers the information that it stores in its database about that policy to be the desired configuration. Security Manager does not configure unmanaged policy types, nor does it track configurations of these types that were configured using other methods. For example, if you decide not to manage SNMP policies, any SNMP configurations that you configured using CLI commands are unknown to Security Manager.

The ability to customize policy management on a Cisco IOS router makes it possible, for example, to use Security Manager to manage DHCP and NAT policies on Cisco IOS routers while leaving routing protocol policies, such as EIGRP and RIP, unmanaged. These settings, which can be modified only by a user with administrative permissions, affect all Security Manager users.

Unmanaged policies are removed from both Device view and Policy view. Any existing policies of that type, local or shared, are removed from the Security Manager database.

You cannot unmanage a policy type if you have configured and assigned policies of that type in Security Manager. You must first remove the assignments and then unassign the policy type. If the configurations defined by those policies have already been deployed, these configurations are left in place on the devices, but the policies will no longer be stored in the database or accessible from the Security Manager interface. Configurations that were defined using CLI commands or FlexConfigs are left in place.

If you change a particular policy from unmanaged to managed, you can again modify the configuration of that policy using Security Manager.

---

Note Features that are unmanaged by Security Manager can still be modified manually with CLI commands or FlexConfigs. For more information about FlexConfigs, see Chapter 16, "Managing FlexConfigs."

---

To customize policy management of Cisco IOS routers, see Defining Policy Management Settings, page 2-63.

Related Topics

•Understanding Policies

•Advanced Policy Features

Understanding Rule Inheritance

Inheritance refers to the capability of Security Manager to enforce hierarchical lists of first-match, rule-based policies such as access rules. Within the hierarchy, rules defined in policies at a lower level in the hierarchy (called child policies) extend or override the properties of rules defined in policies that are directly above them in the hierarchy (called parent policies).

This policy hierarchy can extend to multiple levels. For example, you can define an access rule policy for the routers at branch offices that inherits rules from a parent policy that determines access at the regional level. This policy, in turn, can inherit rules from a global access rules policy at the top of the hierarchy that sets certain rules at the corporate level. This ability to define rule-based policies in a hierarchical manner gives you great flexibility when defining your rule sets.

Inheritance determines the ordering of rules inside a rule-based policy. Individual rules are defined as either mandatory or default, and are ordered as follows:

1. Mandatory rules inherited from the parent policy.

2. Mandatory rules defined inside the child policy.

3. Default rules defined inside the child policy.

4. Default rules inherited from the parent policy.

Structuring inheritance in this manner enables you to define mandatory rules at the global level that cannot be superseded by any rules defined within policies located at a lower level in the policy hierarchy. For example, you can define a mandatory rule at the highest level in the policy hierarchy denying all HTTP traffic. If all other access rule policies inherit rules from this parent policy, the mandatory rule denying HTTP traffic will always appear at the top of the access rules list. If another user attempts to define an access rule in a child policy that overwrites this mandatory rule by permitting HTTP traffic, the rule will have no effect. Mandatory rules defined within a child policy are always placed after mandatory rules defined in a parent policy.

Default rules always appear after the mandatory rules in the table. With default rules, the order is reversed—default rules defined in a child policy appear before default rules inherited from the parent policy. Having default rules makes it possible to define a global default rule, such as "deny any any", that appears at the end of all access rule lists and provides a final measure of security should gaps exist in the mandatory rules and default rules that appear above it in the rules table.

Security Manager displays separate rule tables for mandatory and default rules inside all rule-based policies. An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

Related Topics

•Understanding Access Rules, page 11-10

•Inheriting Rules

•Advanced Policy Features

Inheriting Rules

This procedure describes how certain types of rule-based policies, such as access rules, can inherit rules from shared policies of the same type. Child policies inherit both the mandatory rules and default rules that are defined in the parent policy.

---

Note When working in Device view, you can then define additional rules that are local to the selected device. For more information, see Adding Local Rules to a Shared Policy.

---

You can edit rule inheritance from either Device view or Policy view.

Procedure

---

Step 1 Do one of the following:

•From Device view, select a device from the Device selector, then a rule-based policy from the Device Policies selector.

•From Policy view, select a rule-based policy type from the Policy Type selector, then a policy from the Shared Policy selector.

Step 2 Do one of the following:

•Select Policy > Inherit Rules.

•Right-click the policy, then select Inherit Rules.

Step 3 The Inherit Rules dialog box is displayed, containing a list of all shared policies of the selected type, including any inheritance relationships among them. See Table C-11 on page C-15 for a description of the fields in this dialog box.

Step 4 Click the policy from which to inherit rules, or select the root of the list (marked No Inheritance) to remove any inheritance from the child policy. The name of the parent policy is displayed below the selector.

For example, if you select an access rules policy called West Coast, your access policy inherits the rules of the West Coast policy. If the West Coast policy is a child policy of another access rules policy called US, your policy inherits the properties of the West Coast policy, which in turn inherits the properties of the US policy.

Step 5 Click OK to save your definitions. The work area displays the inherited rules under the name of the parent policy and any local rules, if defined, under the name of the original shared policy.

---

Related Topics

•Understanding Rule Inheritance

•Advanced Policy Features

•Understanding Policies

Understanding Locking

Security Manager has a locking mechanism that is useful in organizations where several people have the authority to make configuration changes. It prevents a potential situation in which two or more people are making changes to the same device, policy, policy assignment, or object at the same time. When a lock is applied, a message is displayed across the top of the work area to other users who access that device or policy.

After is locked is enabled, it remains in place until you either submit your changes (when working in non-Workflow mode) or submit and approve the activity (when working in Workflow mode). If you discard the activity, any locks generated by the activity are also discarded. For more information about workflow modes, see Selecting a Workflow Mode, page 2-40.

Locking and Devices

When you perform any sort of configuration on a device, a lock is placed on that device to prevent other users from making changes to that device.

Locking and Policies

When you define a policy, the policy is locked. This prevents other users from modifying this policy or assigning it to other devices. They may, however, unassign the policy from a different device.

In the case of a rule-based policy that is a parent to other policies that inherit rules from it, the policy and all its descendants are locked. In certain cases, locking a policy also locks related policies located within the same policy domain.

When you assign a policy to a device without changing its definition, other users are prevented from modifying the definition of that policy. They may, however, assign or unassign this policy from other devices.

When you modify the definition of a policy and change its assignments, other users are prevented from making any changes to this policy or assigning the policy to additional devices. They may, however, unassign the policy from other devices.

Table 6-2 summarizes the effects of policy locks in Security Manager.

Table 6-2 Policy Locks 

If Another User/Activity...	You Cannot...	You Can...
Changes a policy definition.	Modify the policy or assign it to other devices.	Unassign the policy from other devices.
Changes the definition of a rule-based policy with descendants.	Modify or assign the parent policy or any of the descendants.	Unassign the policy from other devices.
Change a policy assignment without changing its definition.	Modify the policy.	Assign and unassign the policy from other devices.
Change a policy definition and change its assignment.	Modify the policy or assign it to other devices.	Unassign the policy from other devices.

---

Note Device locks and policy locks operate independently of one another. For example, you may encounter a situation where the policy lock does not prevent you from performing an operation on a particular device, but a device lock on that device does.

---

Locking and VPN Topologies

When you change the device assignment for a VPN topology, or make changes to a specific VPN policy, a lock is placed on the complete topology. This means that other users cannot make changes to the device assignment, nor can they make changes to any of the VPN policies defined for that topology.

In order to view and modify VPN policies, you must have the required permissions for each of the devices that make up the VPN topology. Permissions are also required to add a device to a VPN topology. If you have different levels of permissions to the devices that make up the VPN topology, the lowest permission level is applied to the entire topology.

For example, if you have read/write permissions to the devices that comprise the spokes in a hub-and-spoke VPN, but read-only permissions to the device serving as the hub, you are granted read-only permission to the policies and composition of the hub-and-spoke topology. For more information about permissions, see Setting Up User Permissions, page 2-2.

Locking and Objects

When you create or modify a reusable object, that object is locked to prevent other users from modifying or deleting the same object. However, an object lock does not prevent you from modifying the definition or assignment of a policy that uses that object. Similarly, the lock placed on a policy does not prevent you from making changes to an object that is included in the policy definition.

When an object makes use of other objects (such as network/host objects, service group objects, and AAA server group objects), the lock on the object does not prevent another user from modifying those other objects. For example, when you modify a AAA server group object, the lock on that object does not prevent another user from modifying any of the AAA servers that make up the AAA server group.

When an object is locked, users who try to modify that object see a read-only version of the relevant dialog box. When you are working in Workflow mode, a message indicates which activity has locked the object.

Related Topics

•Understanding Policies

•Advanced Policy Features