Table Of Contents
Managing Devices
Preparing the Devices for Security Manager to Manage
Setting Up SSL
Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
Setting Up SSL on Cisco IOS Routers
Setting Up SSH
Critical Line-ending Conventions for SSH
Testing Authentication
Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices
Preventing Non-SSH Connections—Optional
Setting Up AUS
Setting Up AUS on PIX Firewall and ASA Devices
Setting Up CNS Gateway on an Auto Update Server
Setting Up CNS
Setting Up CNS on PIX Firewall and ASA Devices
Setting Up CNS on Cisco IOS Routers
Setting Up TMS
Changing the Device Transport Protocol on Cisco IOS Routers
Initializing IPS Devices
Understanding the Device View
Filtering the Device Selector
Adding Devices to the Security Manager Inventory
Adding Catalyst 6500/7600 Devices from the Network
Adding VPN SPA Slot Locations
Working with Devices with Dynamically Assigned IP Addresses
Understanding Auto Update Server and Configuration Engine
Adding an Auto Update Server or Configuration Engine
Adding an Auto Update Server or Configuration Engine When Adding a New Device
Adding an Auto Update Server When Adding a Device from Network
Editing the Auto Update Server or Configuration Engine Information
Editing an Auto Update Server or Configuration Engine When Adding a New Device
Editing the Auto Update Server Information when Adding Device from Network
Understanding Device Credentials
Working with Device Connectivity Test
Understanding Device Connectivity Test
Verifying Device Connectivity from Security Manager
Testing Device Connectivity While Adding a Device from the Network
Testing Device Connectivity While Adding a New Device
Testing Device Connectivity After Adding a Device to Security Manager
Understanding Device Properties
Defining Device Properties
Working with Device Policies
Cloning a Device
Deleting Devices from the Security Manager Inventory
Understanding Device Grouping
Working With Device Groups
Creating Device Group Types
Creating Device Groups
Deleting Device Group Types, Device Groups, or Subgroups
Adding Devices to Device Groups
Managing Devices
Before you can manage devices in Security Manager, you must prepare the devices for management, then add those devices to the Security Manager device inventory. After you add the devices, you can view and edit device information, configure policies on devices, copy and share policies, clone devices, and so on. The following topics describe how to manage devices:
• Preparing the Devices for Security Manager to Manage
• Understanding the Device View
• Adding Devices to the Security Manager Inventory
• Adding Catalyst 6500/7600 Devices from the Network
• Working with Devices with Dynamically Assigned IP Addresses
• Understanding Device Credentials
• Working with Device Connectivity Test
• Understanding Device Properties
• Working with Device Policies
• Cloning a Device
• Deleting Devices from the Security Manager Inventory
• Understanding Device Grouping
Preparing the Devices for Security Manager to Manage
To enable communication between Security Manager and devices, you must configure transport settings on the devices before you add them to the inventory.
Security Manager uses Secure Socket Layer (SSL) as the default transport protocol for PIX Firewall, Adaptive Security Appliances (ASA), Firewall Service Modules (FWSM), and Cisco IOS routers. Therefore, you must configure SSL on these devices. For SSL configuration details, see Setting Up SSL.
Note
DES encryption is not supported on Common Services 3.0 and later. Please make sure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Cisco Security Manager have a 3DES/AES license.
Security Manager uses Secure Shell (SSH) as the default transport protocol for Catalyst 6500/7600 devices. Therefore, you must configure SSH on these devices. For configuration details, see Setting Up SSH.
You must configure both SSH and SSL transport protocols on Cisco IOS routers. Security Manager uses SSH connections to handle interactive command deployments during SSL deployments. Although SSL is the default, you can change the default to SSH. To change the default protocol from SSL to SSH, see Changing the Device Transport Protocol on Cisco IOS Routers. For SSH configuration details, see Setting Up SSH.
In addition to SSL and SSH, Security Manager supports staged delivery of configurations using AUS, CNS, and TMS transport protocols. Instead of sending configurations directly to devices, Security Manager sends them to another location, such as an Auto Update Server, Configuration Engine, or Token Management Server; then the device communicates with the appropriate server and downloads the configuration files.
If you are using an IPS device, you must initialize it; see Initializing IPS Devices. If you are using an IOS IPS device, you must prepare it for use; see Preparation for Use, page 13-26.
If the device has a static IP address, you must configure the default transport protocols (SSL or SSH) for discovering and deploying the configurations on the device (Table 5-1).
If the device has a dynamic IP address, and it is managed by an Auto Update Server or a CNS-Configuration Engine, you can configure AUS or CNS on that device (Table 5-1).
If a Cisco IOS router has a dynamic IP address and is configured to use an Auto Update Server/CNS Gateway, Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the router. For such routers, you must configure SSL and SSH in addition to the CNS transport protocol.
Table 5-1 summarizes the types of devices and the transport settings they support.
Table 5-1 Devices and Transport Settings
Devices | Transport Settings
PIX Firewall, ASA, FWSM, and Cisco IOS routers (default) | SSL
Cisco IOS routers | SSH
Catalyst 6500/7600 devices (default) | SSH
PIX and ASA devices managed by an Auto Update Server | AUS
Cisco IOS routers managed by a CNS-Configuration Engine | CNS
Cisco IOS routers managed by a Token Management Server | TMS
For details about device types and associated server fields, see Table 5-12.
Related Topics
• Setting Up SSL
• Setting Up SSH
• Setting Up AUS
• Setting Up CNS
• Setting Up TMS
• Changing the Device Transport Protocol on Cisco IOS Routers
Setting Up SSL
Security Manager deploys the configuration to the device using a Secure Socket Layer (SSL) protocol. With this protocol, Security Manager encrypts the configuration file and sends it to the device.
The following topics describe how to set up SSL on devices:
• Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
• Setting Up SSL on Cisco IOS Routers
Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
Table 5-2 describes the tasks to complete before you use SSL as the transport protocol for device management on PIX Firewall, ASA, and FWSM devices.
Table 5-2 Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.
Respond to the prompts appropriately. Here are some tips:
1. Enter y when the prompt asks if you want to preconfigure using interactive prompts.
2. Enter the current enable password.
3. Specify the time zone, year, month, day, and time.
4. If the device:
– Is new — Specify the network interface IP address of the device and the network mask that applies to the inside IP address.
– Exists — Verify that the interface IP address and mask are correct.
5. If the device:
– Is new — Specify the hostname and the domain name.
– Exists — Verify that the hostname and domain name are correct.
6. When prompted for the IP address of the host that runs the PIX Device Manager, specify the IP address of the Security Manager server.
7. Enter yes when the prompt asks if you want to write the above changes to Flash.
Step 2
Enter: hostname(config)# http server enable
Result: Enables the HTTP server.
Step 3
Enter: hostname(config)# http ip_address [netmask] [if_name]
Result: Specifies the host or network authorized to initiate an HTTP connection to the device.
• ip_address - IP address of the Security Manager server.
• netmask - Network mask for the http ip_address.
• if_name - Device interface name (default is inside) from which Security Manager initiates the HTTP connection.
Step 4
Enter: hostname(config)# write memory
Result: Stores the current configuration in Flash memory.
Setting Up SSL on Cisco IOS Routers
Table 5-3 describes the tasks to complete before you use SSL as the transport protocol for device management on Cisco IOS routers.
Table 5-3 Setting Up SSL on Cisco IOS Routers
Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).
Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.
Step 4
Enter: router1(config)# username <username> privilege 15 password 0 <password>
Result: Configures a local user with privilege level 15.
SSL requires level 15 privileges to log in to a Cisco IOS router.
Step 5
Enter: router1(config)# no aaa authorization network <list-name>
Result: (Optional) Disables AAA authorization.
If you are using AAA for authorization but would like to use local authorization, use this command to disable the AAA authorization.
• list-name - Character string used to name the list of authorization methods.
Step 6
Enter: router1(config)# no aaa authentication login <list-name>
Result: (Optional) Disables AAA authentication at login.
If you are using AAA for authentication but would like to use local authentication, use this command to disable the AAA authentication.
• list-name - Character string used to name the list of authentication methods activated when a user logs in.
Step 7
Enter: router1(config)# ip http authentication local
Result: (Optional) Enables local authentication for SSL.
Enables Security Manager to authenticate with the local username you created in step 4.
Note If you do not enter this command, the default enable password is used for authentication.
Note You can either enable AAA authentication or local authentication. To enable AAA authentication, enter the commands in step 8 and step 9. To enable local authentication, enter the command in this step.
Step 8
Enter: router1(config)# ip http authentication aaa
Result: (Optional) Enables AAA authentication/authorization for SSL.
Note You can either enable AAA authentication or local authentication. To enable AAA authentication, enter the commands in step 8 and step 9. To enable local authentication, enter the command in step 7.
Step 9
Enter:
router1(config)# ip http authentication aaa login-authentication <list-name>
router1(config)# ip http authentication aaa exec-authorization <list-name>
Result: (Optional) If multiple AAA lists are defined, you must enter these commands.
These commands authenticate the user that is contacting the device using the HTTPS protocol. The authentication uses AAA.
• list-name - Character string used to name the list of AAA server groups.
Note You can either enable AAA authentication or local authentication. To enable AAA authentication, enter the commands in step 8 and step 9. To enable local authentication, enter the command in step 7.
Step 10
Enter: router1(config)# ip http secure-server
Result: Enables the HTTPS server.
Step 11
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 12
Enter: router1# show ip http server secure status
Result: Verifies that SSL is set up on the device. The device responds with an "enabled" status.
Setting Up SSH
Security Manager deploys the configuration to Cisco IOS routers and Catalyst 6500/7600 devices using Secure Shell (SSH), which provides strong authentication and secure communications over insecure channels. Security Manager supports both SSHv1.5 and SSHv2. Once connected to the device, Security Manager determines which version to use and downloads using that version.
The following topics describe the tasks required to set up SSH on Cisco IOS routers and Catalyst 6500/7600 devices:
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices
• Preventing Non-SSH Connections—Optional
Note
Security Manager supports Catalyst 6500/7600 devices running the Cisco IOS software only.
Critical Line-ending Conventions for SSH
The following line-ending conventions for SSH must be observed to avoid system failure:
1. Do not end banner message lines with "#", "# ", ">", or "> ".
If your system requires a pound sign or greater-than sign at the end of a banner message, ensure that it is followed by two spaces.
2. Do not use banner message lines that contain only "Username: " or "Password: ".
3. Do not customize the device user-mode prompt so that it no longer ends with ">" or "#".
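The three conventions above can be checked mechanically before a banner is pushed to a device. The following Python script is an added example, not part of the Security Manager documentation: it parses banner blocks out of running-config text (the sample config is constructed inline) and reports lines that break rules 1 and 2, plus a prompt command that breaks rule 3.

```python
import re

# Line endings that an automated SSH session can mistake for the device prompt.
FORBIDDEN_ENDINGS = ("#", "# ", ">", "> ")
# Lines that consist of nothing but a login prompt string.
FORBIDDEN_LINES = ("Username: ", "Password: ")


def check_banner_line(line: str) -> list[str]:
    """Return the convention violations in one banner line (empty list if clean)."""
    problems = []
    if line.endswith(FORBIDDEN_ENDINGS):
        problems.append("ends with a prompt-like '#' or '>' (follow it with two spaces)")
    if line in FORBIDDEN_LINES:
        problems.append("consists only of a login prompt string")
    return problems


def check_prompt(config: str) -> list[str]:
    """Flag a customised prompt that no longer ends in '>' or '#' (rule 3).

    %p is the IOS placeholder for the mode character, so a prompt string that
    ends in %p still renders with '>' or '#'.
    """
    problems = []
    for line in config.splitlines():
        if line.startswith("prompt "):
            text = line[len("prompt "):]
            if not text.endswith((">", "#", "%p")):
                problems.append(f"prompt {text!r} does not end with '>' or '#'")
    return problems


def extract_banners(config: str) -> dict[str, list[str]]:
    """Collect banner bodies from running-config text, keyed by banner type.

    show running-config renders the delimiter as ^C; a single printable
    delimiter character (banner motd $ ... $) is accepted as well. Trailing
    spaces are kept because the conventions depend on them.
    """
    banners: dict[str, list[str]] = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^banner (\w+) (\^C|\S)(.*)$", lines[i])
        if not m:
            i += 1
            continue
        kind, delim, chunk = m.groups()
        body: list[str] = []
        while True:
            end = chunk.find(delim)
            if end != -1:
                body.append(chunk[:end])
                break
            body.append(chunk)
            i += 1
            if i >= len(lines):  # unterminated banner: stop at end of config
                break
            chunk = lines[i]
        # Delimiters on their own line leave empty fragments at both ends; drop them.
        if body and body[0] == "":
            body = body[1:]
        if body and body[-1] == "":
            body = body[:-1]
        banners[kind] = body
        i += 1
    return banners


def audit_banners(config: str) -> dict[str, list[tuple[int, str, str]]]:
    """Map banner type -> (line number within the banner, line text, problem)."""
    findings: dict[str, list[tuple[int, str, str]]] = {}
    for kind, body in extract_banners(config).items():
        hits = [(n, line, p) for n, line in enumerate(body, 1)
                for p in check_banner_line(line)]
        if hits:
            findings[kind] = hits
    return findings


# Constructed sample running-config excerpt; the banner text is invented for the demo.
SAMPLE_CONFIG = "\n".join([
    "hostname router1",
    "prompt router1-lab>",                    # ends with '>': fine under rule 3
    "banner motd ^C",
    "Authorized access only #",               # ends with '#': breaks rule 1
    "Username: ",                             # lone login prompt string: breaks rule 2
    "Contact the NOC >  ",                    # '>' followed by two spaces: allowed
    "^C",
    "banner login ^CAccess restricted to staff.^C",
    "line vty 0 4",
    " transport input ssh",
])

if __name__ == "__main__":
    for kind, hits in audit_banners(SAMPLE_CONFIG).items():
        for n, line, problem in hits:
            print(f"banner {kind} line {n}: {line!r}: {problem}")
    for problem in check_prompt(SAMPLE_CONFIG):
        print(problem)
```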
Testing Authentication
Before you set up SSH, you must test authentication without SSH to make sure the device can be authenticated. You can authenticate with a local username and password or with an authentication, authorization, and accounting (AAA) server running TACACS+ or RADIUS.
To test authentication without SSH using a local or AAA server username and password, enter the commands described in Table 5-4.
Table 5-4 Testing Authentication Without SSH
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: hostname(config)# aaa new-model
Result: Uses the local username and password in the absence of aaa statements.
Note On Cisco IOS routers, you can use the login local command on vty lines instead of the aaa new-model command.
Step 3
Enter: hostname(config)# username <name> password 0 <password>
Result: Configures the user in the local database of the device. This command is optional.
Step 4
Enter: hostname(config)# exit
Result: Exits configuration mode.
Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
Related Topics
• Setting Up SSH
• Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices
• Preventing Non-SSH Connections—Optional
Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices
Table 5-5 describes the tasks required to set up SSH on Cisco IOS routers and Catalyst 6500/7600 devices.
Note
You must configure SSH on Cisco IOS routers because Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Table 5-5 Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 Devices
Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).
Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.
Step 4
Enter: router1(config)# crypto key generate rsa
Result: Generates the RSA key pair for the SSH session.
When the device prompts you to enter the size of the modulus, we recommend that you enter 1024.
Step 5
Enter: router1(config)# ip ssh timeout <time>
Result: (Optional) Sets the timeout interval in minutes.
Step 6
Enter: router1(config)# ip ssh authentication-retries <n>
Result: (Optional) Sets the number of retries.
Step 7
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 8
Enter: router1# write memory
Result: Saves the configuration changes.
Related Topics
• Setting Up SSH
• Testing Authentication
• Preventing Non-SSH Connections—Optional
Preventing Non-SSH Connections—Optional
After configuring SSH, you can configure the Cisco IOS routers and Catalyst 6500/7600 devices to use SSH connections only. To prevent non-SSH connections, enter the commands described in Table 5-6.
Table 5-6 Preventing Non-SSH Connections (Optional)
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: hostname(config)# line vty <first line number> <last line number>
Result: Selects the range of virtual terminal (vty) lines that accept remote (Telnet or SSH) sessions and enters line configuration mode.
• first line number - valid values are 0-1180.
• last line number - valid values are 1-1180.
Step 3
Enter: hostname(config-line)# transport input ssh
Result: Prevents non-SSH connections, such as Telnet, on the selected lines.
Step 4
Enter: hostname(config-line)# end
Result: Exits configuration mode.
Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
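Added example (not from the Security Manager documentation): a Python audit that reads a Cisco IOS running-config excerpt and reports which prerequisites from Tables 5-3, 5-5 and 5-6 are still missing (hostname, ip domain-name, a privilege 15 user, ip http secure-server, an HTTP authentication method, and transport input ssh on the vty lines). Both configurations are constructed samples with placeholder passwords; RSA key material never appears in a running-config, so that step is not checked.

```python
import re

# Constructed sample configs (not from any real device). WEAK_CONFIG is a router
# that was never prepared for Security Manager; HARDENED_CONFIG follows Tables
# 5-3, 5-5 and 5-6. Passwords are placeholders.
WEAK_CONFIG = "\n".join([
    "hostname Router",
    "username admin privilege 15 password 0 Example-Pass",
    "ip http server",
    "line vty 0 4",
    " transport input telnet ssh",
])

HARDENED_CONFIG = "\n".join([
    "hostname router1",
    "ip domain-name example.com",
    "username admin privilege 15 password 0 Example-Pass",
    "ip http authentication local",
    "ip http secure-server",
    "line vty 0 4",
    " transport input ssh",
])


def vty_blocks(config: str) -> dict[str, list[str]]:
    """Return the indented body of each 'line vty' block, keyed by its line range."""
    blocks: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^line vty (\d+(?: \d+)?)$", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_transport(config: str) -> list[str]:
    """List what is still missing, or unsafe, for SSL and SSH management."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []

    hostname = next((l.split(None, 1)[1] for l in lines if l.startswith("hostname ")), None)
    if hostname in (None, "Router"):
        findings.append("hostname unset or factory default; set it before crypto key generate rsa")
    if not any(l.startswith("ip domain-name ") for l in lines):
        findings.append("ip domain-name missing; crypto key generate rsa needs it")
    if not any(re.match(r"^username \S+ privilege 15\b", l) for l in lines):
        findings.append("no local user with privilege 15; SSL login requires level 15")
    if "ip http secure-server" not in lines:
        findings.append("ip http secure-server missing; the HTTPS server is not enabled")
    if "ip http server" in lines:
        findings.append("ip http server enabled; cleartext HTTP is not needed for SSL management")

    auth = [l for l in lines if l.startswith("ip http authentication ")]
    if not auth:
        findings.append("ip http authentication not set; the enable password will be used")
    elif any(l.endswith(" local") for l in auth) and any(" aaa" in l for l in auth):
        findings.append("both local and aaa HTTP authentication present; use one or the other")

    blocks = vty_blocks(config)
    if not blocks:
        findings.append("no line vty block; remote access lines are unconfigured")
    for vty, body in blocks.items():
        if "transport input ssh" not in body:
            findings.append(f"line vty {vty}: non-SSH transport still allowed (see Table 5-6)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_transport(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```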
Related Topics
• Setting Up SSH
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers and Catalyst 6500/7600 devices
Setting Up AUS
Security Manager deploys configuration files to the Auto Update Server, where they are stored for later retrieval by the device.
The following topics provide more information:
• Setting Up AUS on PIX Firewall and ASA Devices
• Setting Up CNS Gateway on an Auto Update Server
Setting Up AUS on PIX Firewall and ASA Devices
Devices, such as PIX Firewall and ASA, use the AUS protocol to contact the Auto Update Server for configuration (and image) updates. See the Auto Update Server product documentation for more information.
Table 5-7 describes the tasks to complete before you use AUS as the transport protocol for device management on PIX Firewall and ASA devices.
Table 5-7 Setting Up AUS on PIX Firewall and ASA Devices
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: hostname(config)# auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
Result: Connects to the AUS.
• username - The username is the one you enter when you use Security Manager.
• password - The password is the one you enter when you use Security Manager.
• port - The port number is typically 443.
Step 3
Enter: hostname(config)# auto-update poll-period poll_period [retry_count] [retry_period]
Result: Specifies the polling period for AUS.
• poll_period - Polling period interval between two updates. Default is 720 minutes (12 hours).
• retry_count - (Optional) Number of times to retry if the server connection attempt fails. Default is 0.
• retry_period - (Optional) Number of minutes between retries. Default is 5.
Step 4
Enter: hostname(config)# auto-update device-id hardware-serial | hostname | ipaddress [<if_name>] | mac-address [<if_name>] | string <text>
Result: Configures the device to use the specified unique device ID to identify itself.
• if_name - Device interface name (default is inside).
• text - A unique string name.
Step 5
Enter: hostname(config)# write memory
Result: Saves the configuration changes.
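Added example (not from the Security Manager or ASA documentation): a Python parser for the auto-update statements in Table 5-7 that reads the server URL with urllib.parse and flags settings a reviewer would question, such as an http:// scheme, a missing username:password pair, a port other than 443, or a retry count of 0. The configurations are constructed samples and the credentials are placeholders.

```python
from urllib.parse import urlsplit

AUS_PATH = "/autoupdate/AutoUpdateServlet"
# Defaults from Table 5-7: poll every 720 minutes, no retries, 5 minutes between retries.
DEFAULTS = {"poll_period": 720, "retry_count": 0, "retry_period": 5}


def parse_auto_update(config: str) -> dict:
    """Pull the auto-update settings out of PIX/ASA configuration text."""
    settings: dict = {"server": None, "device_id": None, **DEFAULTS}
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["auto-update", "server"] and len(parts) > 2:
            settings["server"] = parts[2]
        elif parts[:2] == ["auto-update", "poll-period"]:
            keys = ("poll_period", "retry_count", "retry_period")
            for key, value in zip(keys, parts[2:5]):
                settings[key] = int(value)
        elif parts[:2] == ["auto-update", "device-id"]:
            settings["device_id"] = " ".join(parts[2:])
    return settings


def audit_auto_update(config: str) -> list[str]:
    """Report AUS settings a reviewer would question before trusting this deployment path."""
    s = parse_auto_update(config)
    if s["server"] is None:
        return ["no auto-update server configured"]
    url = urlsplit(s["server"])
    findings = []
    if url.scheme != "https":
        findings.append(f"server URL uses {url.scheme}://; the embedded credentials "
                        "and the downloaded configuration would travel in cleartext")
    if url.path != AUS_PATH:
        findings.append(f"server path {url.path!r} is not {AUS_PATH}")
    if not (url.username and url.password):
        findings.append("server URL lacks the username:password pair Table 5-7 requires")
    port = url.port if url.port is not None else (443 if url.scheme == "https" else 80)
    if port != 443:
        findings.append(f"AUS port is {port}; the servlet is normally reached on 443")
    if s["retry_count"] == 0:
        findings.append(f"retry_count is 0, so a failed poll is not retried until the next "
                        f"{s['poll_period']}-minute poll period")
    if s["device_id"] is None:
        findings.append("auto-update device-id not set; the identity presented to AUS "
                        "is whatever the device defaults to")
    return findings


# Constructed samples (not real device output); credentials are placeholders.
WEAK_AUS = "\n".join([
    "auto-update server http://csmuser:Example-Pass@192.0.2.10/autoupdate/AutoUpdateServlet",
    "auto-update poll-period 720",
])
HARDENED_AUS = "\n".join([
    "auto-update server https://csmuser:Example-Pass@192.0.2.10:443/autoupdate/AutoUpdateServlet",
    "auto-update poll-period 720 3 5",
    "auto-update device-id hostname",
])

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AUS), ("hardened", HARDENED_AUS)):
        print(name, audit_auto_update(cfg) or ["no findings"])
```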
Setting Up CNS Gateway on an Auto Update Server
An Auto Update Server can provide the CNS event-bus feature to Cisco IOS routers that have dynamic IP addresses obtained from a DHCP server. Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the device. To configure CNS on a Cisco IOS router in event-bus mode, see Table 5-8.
If you changed the CNS password on a Cisco IOS router, you must change the password in the Auto Update Server also. See Changing the Default CNS Bootstrap Password in the Auto Update Server.
Changing the Default CNS Bootstrap Password in the Auto Update Server
The default CNS bootstrap password configured in an Auto Update Server is callhome. If you changed the CNS password on the router (step 7, Table 5-8), you must change the default CNS bootstrap password in the Auto Update Server also.
This procedure describes how to change the default CNS bootstrap password in an Auto Update Server.
Procedure
Step 1
Open the Windows command prompt on the machine where you installed AUS.
Step 2
Enter set NMSROOT=<dir>.
where <dir> is the directory where you installed AUS. For example, set NMSROOT=C:\Progra~1\CSCOpx.
Step 3
Enter cd %NMSROOT%\MDC\autoupdate\bin\eventgateway.
Step 4
Enter cnspassword <password>.
where <password> is the password you set on the device.
Step 5
Restart the Daemon Manager if it is running.
Related Topics
• Setting Up CNS on Cisco IOS Routers
Setting Up CNS
Security Manager deploys the configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices such as Cisco IOS routers, PIX Firewalls, and ASAs that obtain their addresses from a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. See the Cisco Configuration Engine product documentation for more information.
The following topics describe how to set up CNS on devices:
• Setting Up CNS on PIX Firewall and ASA Devices
• Setting Up CNS on Cisco IOS Routers
Setting Up CNS on PIX Firewall and ASA Devices
If PIX Firewall and ASA devices are configured for CNS, they use the AUS protocol. The required steps are identical to the steps that you follow when you configure PIX Firewall and ASA for AUS. See Setting Up AUS.
Setting Up CNS on Cisco IOS Routers
The following tables describe the tasks to complete before you use CNS as the transport protocol for device management on Cisco IOS routers. You can configure CNS in event-bus mode or in call-home mode.
• To configure CNS in event-bus mode, see Table 5-8.
• To configure CNS in call-home mode, see Table 5-9.
Table 5-8 Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).
Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.
Step 4
Enter: router1(config)# cns trusted-server all-agents <ip_address>
Result: Specifies the trusted server for the CNS agent.
• ip_address - The IP address of the trusted server.
Step 5
Enter: router1(config)# cns event <ip_address> [port]
Result: Configures the CNS event gateway, which provides CNS event services to Cisco IOS clients.
• ip_address - IP address of the event gateway.
• port - (Optional) The event gateway port; by default it is either 11011 (with no encryption) or 11012 (with encryption).
Step 6
Enter: router1(config)# cns config partial <ip_address>
Result: Starts the CNS configuration agent and accepts a partial configuration.
Step 7
Enter: router1(config)# cns password <password>
Result: Sets the CNS password.
• password - The password you want to set on the router.
You can set the CNS password to callhome (which is the default bootstrap password in AUS) or you can set a different password.
If you set a different password on the router, you must change the default CNS bootstrap password in the Auto Update Server. For instructions, see Changing the Default CNS Bootstrap Password in the Auto Update Server.
Note For information on how to authenticate a Cisco IOS router on a Configuration Engine, see the Cisco CNS Configuration Engine Administrator Guide.
Step 8
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.
Step 9
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 10
Enter: router1# copy running startup
Result: Saves the configuration changes to NVRAM.
Table 5-9 Setting Up CNS on Cisco IOS Routers in Call-Home Mode
Step 1
Enter: router# config terminal
Result: Enters configuration mode from the terminal.
Step 2
Enter: router(config)# hostname <name>
Result: Configures the hostname.
If the device is new, you must configure its hostname.
After you configure the hostname, the device prompt changes to hostname(config)#. For example, if the hostname is router1, the device prompt changes to router1(config)# (see step 3).
Step 3
Enter: router1(config)# ip domain-name <your_domain>
Result: Specifies the IP domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.
Step 4
Enter: router1(config)# cns trusted-server all-agents <ip_address>
Result: Specifies the trusted server for the CNS agent.
• ip_address - IP address of the trusted server.
Step 5
Enter: router1(config)# kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
Result: Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.
• occurrence-name - Name of occurrence. Length of occurrence-name is from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.
• username - (Optional) Name of user.
• numdays: - (Optional) Number of days. Identifies that the occurrence is to run after a specified time interval. The timer starts when the occurrence is configured. If used, add a colon after the number.
• numhours: - (Optional) Number of hours. If used, add a colon after the number.
• nummin - Number of minutes.
• hours: - Hour as a number using the 24-hour clock. Identifies that the occurrence is to run at a specified calendar date and time. Add a colon after the number.
• min - Minute as a number.
• month - (Optional) Month name. If used, you must also specify day-of-month.
• day-of-month - (Optional) Day of month as a number.
• day-of-week - (Optional) Name of the day of the week.
• oneshot - Identifies that the occurrence is to run only once. After the occurrence runs, the configuration is removed.
• recurring - Identifies that the occurrence is to run on a recurring basis.
Step 6
Enter: router1(config-kron-occurrence)# policy-list <list-name>
Result: Specifies the policy list associated with a Command Scheduler occurrence.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
• list-name - Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.
Step 7
Enter: router1(config-kron-occurrence)# exit
Result: Exits kron-occurrence mode and returns to configuration mode.
Step 8
Enter: router1(config)# kron policy-list <list-name>
Result: Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode.
• list-name - Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.
Step 9
Enter: router1(config-kron-policy)# cli cns config retrieve <ip_address> page /cns/JobbedDynaConfig status http://<ip_address>/cns/PostStatus
Result: Retrieves the config from the staged CNS job.
• ip_address - IP address of the CNS server.
• JobbedDynaConfig status - You must use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job; otherwise, the device retrieves the template associated with the device.
Step 10
Enter: router1(config-kron-policy)# exit
Result: Exits kron-policy configuration mode and returns to configuration mode.
Step 11
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.
Step 12
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 13
Enter: router1# copy running startup
Result: Saves the configuration changes to NVRAM.
Related Topics
• Setting Up CNS Gateway on an Auto Update Server
• Changing the Default CNS Bootstrap Password in the Auto Update Server
Setting Up TMS
Security Manager uses FTP to deploy the configuration file to the Token Management Server (TMS), from which it can be downloaded and encrypted onto an eToken. The eToken can then be connected to the USB port of a router and the configuration downloaded. See TMS product documentation for more information.
To download the configuration from the eToken to the router, plug the eToken into the router, then enter the commands as described in Table 5-10.
Table 5-10 Setting Up TMS on Cisco IOS Routers
Step 1
Enter: router# crypto pki token <usb_token_id> login <PIN>
Result: Logs in to the eToken.
• usb_token_id - Depending on the port in which the eToken is inserted, usb_token_id is either usbtoken0 or usbtoken1.
• PIN - The default PIN is 1234567890.
Step 2
Enter: router# config terminal
Result: Enters configuration mode from the terminal.
Step 3
Enter: router(config)# crypto pki token default secondary config CCCD
Result: Enables configuration provisioning with the eToken.
CCCD is the private sector on the eToken where the configuration file resides. When you enter this command, the CLI on the eToken merges with the CLI on the router.
Step 4
Enter: router(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 5
Enter: router# write memory
Result: Keeps the CLI on the router after you disconnect the eToken.
Changing the Device Transport Protocol on Cisco IOS Routers
Security Manager uses Secure Socket Layer (SSL) as the default transport protocol on Cisco IOS routers. Although SSL is the default, you can change the default to SSH.
• You can change the default protocol from SSL to SSH on all Cisco IOS routers from the Device Communication page. For the procedure, see Defining Connection and Transport Protocol Settings in the UI, page 2-71.
• You can change the default protocol from SSL to SSH on a single Cisco IOS router from the General page.
This procedure describes how to change the default protocol from SSL to SSH on a selected Cisco IOS router.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Do one of the following:
• In the Device selector, double-click the Cisco IOS router. The Device Properties page appears.
• In the Device selector, right-click the Cisco IOS router to display menu options, then select Device Properties. The Device Properties page appears.
Step 3
Click General. The General page appears.
Step 4
From the Transport Settings field, select SSH.
Step 5
Click Save.
Note
If you select the Use Default option, the transport protocol set in the Device Communications page (Tools > Security Manager Administration > Device Communication) is used.
Related Topics
• General Page, page C-54
• Preparing the Devices for Security Manager to Manage
Initializing IPS Devices
To initialize an IPS device, you must configure the following settings. These are network settings, and only a user with administrator privileges on the IPS device can configure them:
• Sensor name
• IP address
• Netmask
• Default route
• Enable TLS/SSL (to enable TLS/SSL in the web server on the device)
• Web server port
• Use default ports
You configure these settings through the setup command in Intrusion Prevention System Device Manager (IDM) or in a command-line session, depending upon which platform is used by your IPS device. The platform is one of the following:
• Sensor appliance
• IDSM-2
• AIP-SSM
• NM-CIDS
For detailed information on these settings, refer to the technical documentation for your IPS device.
Note
For information on preparing an IOS IPS device for use, see Preparation for Use, page 13-26.
Understanding the Device View
The Device View button opens the Devices page, from which you can add and delete devices from the Security Manager inventory and manage device policies, properties, and interfaces centrally.
This is a device-centric view in which you can see all devices that you are managing and you can select specific devices to view their properties and define their settings and policies. You can define security policies locally on specific devices. You can then share those policies to make them globally available to be assigned to other devices.
The Devices page contains two panes. The left pane contains two elements: the Device selector, located in the top left pane, and the Policy selector, located in the bottom left pane. The right pane is the main content area. Figure 5-1 shows the Devices page.
Figure 5-1 Devices Page
Device selector—Contains the following:
•
Add and Delete buttons—Enables you to add and delete devices from the Security Manager inventory.
•
Filter field—Enables you to display a subset of devices based on the filtering criteria you define. For details, see Filtering the Device Selector.
•
Device tree—Lists the device groups and devices that exist in the system. Each device type is represented by an icon. For information about the icons, see Figure 5-2.
Figure 5-2 Device Icons
1 Adaptive Security Appliances (ASA)
2 PIX Firewall
3 Firewall Services Module (FWSM)
4 Cisco IOS Router
5 Catalyst 6500 Series Switch
6 Catalyst 7600 Series Router
7 VPN 3000 Concentrator
8 Intrusion Prevention System (IPS)
•
Device shortcut menu options—Provides easy access to several tasks, such as device properties, containment, cloning device, showing devices in a map, discovering policies on a device, and so on. You can access these options by right-clicking a device in the Device selector. For a complete list of menu options, see Device Shortcut Menu Options, page C-62.
•
Device Grouping shortcut menu options—Provides access to several grouping tasks, such as add group, edit group information, add devices to group, and add a device to Security Manager. For details, see Device Group Shortcut Menu Options, page C-65.
Policy selector—Contains the following:
•
Policy groups—Lists the policy groups that are supported on the selected device type. The policy groups that are displayed are dependent on four factors:
–
Type of device selected in the Device selector.
–
Operating system supported on the device.
–
Target operating system version running on the device.
–
Containment of the device. For details, see Show Containment, page C-62.
For details, see Working with Device Policies.
•
Device policy shortcut menu options—Provides easy access to several tasks, such as assign shared policy, share policy, unassign policy, rename policy, and so on. You can access these options by right-clicking a policy in the Policy selector. For a complete list of menu options, see Policy Selector Shortcut Menu Options, page C-63.
Contents pane—The main content area.
The information displayed in this area depends on the device you select from the Device selector and the option you select from the Policy selector.
Related Topics
•
Devices Page, page C-2
•
Adding Catalyst 6500/7600 Devices from the Network
•
Deleting Devices from the Security Manager Inventory
•
Filtering the Device Selector
•
Device Shortcut Menu Options, page C-62
•
Policy Selector Shortcut Menu Options, page C-63
•
Device Group Shortcut Menu Options, page C-65
Filtering the Device Selector
You can view a subset of devices in the Device selector by defining the filtering criteria in the Create a Filter dialog box.
Note
•
For each device tree, each user can have a maximum of 10 filters. After that, a newly created filter replaces the oldest one: the 11th filter replaces the first filter.
•
After you create the filters, you cannot delete them.
•
A filter that you created in the Devices page, window, or wizard is added to the filter list.
When you create a filter in the Devices page, it becomes the last-applied topmost active filter in the Device selector. This filter is carried forward from the Devices page to other windows and wizards as the first active filter.
However, if you apply a new filter to a window or a wizard, this filter is not carried backwards to the Devices page as the topmost active filter. The Devices page retains its original last-applied filter.
This procedure describes how to filter devices in the Device selector.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Click the arrow in the Filter field in the Device selector pane, then select Create Filter. The Create Filter dialog box appears.
Step 3
Select one of the following from the Filter Type field (first field):
•
Name—Select this option to filter the devices by device name.
•
Type—Select this option to filter the devices by device type.
Step 4
Select an option in the Filter Relation field (second field) to narrow down the filter results.
Step 5
Do one of the following:
•
If you selected Name in the Filter Type field, enter a string value in the Filter Value field (third field): either the device name or part of the device name.
•
If you selected Type in the Filter Type field, select the appropriate option in the Filter Value field (third field): ASA, ASA IPS, PIX Firewall, Catalyst 6500/7600 devices, FWSM, IPSSM, Router, Cisco IDS Network Module, or Sensor.
Step 6
Click Add. Based on the filter name, filter relation, and filter value that you selected, a row of filter controls is displayed in the filter control content area.
To delete the selected row of filter controls from the filter control content area, click Remove.
Step 7
Click one of the following radio buttons:
•
Match Any of the Following—Clicking this radio button creates an "or" relationship between all of the filter controls that you created in the filter control area.
•
Match All of the Following—Clicking this radio button creates an "and" relationship between all of the filter controls that you created in the filter control area.
See Filter Control Relationship Example.
Step 8
Click OK. The filter is available from the filter field arrow in the Device selector pane.
Filter Control Relationship Example
To understand the "OR" and "AND" filter control relationship, see Table 5-11.
Table 5-11 Filter Control Relationship Example
Device type that exists in Security Manager | Device name that exists in Security Manager | "Name contains a or Type is ASA" (OR relationship): devices displayed | "Name contains a and Type is ASA" (AND relationship): devices displayed
PIX Firewall | pix_506 | - | -
PIX Firewall | pix_520 | - | -
ASA | asa_5510 | asa_5510 | asa_5510
Router | router_1601 | - | -
Router | ISDN_access_router_761 | ISDN_access_router_761 | -
Catalyst 6500/7600 devices | catalyst_6506 | catalyst_6506 | -
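The following script is an added illustration of the Match Any (OR) and Match All (AND) semantics above; it is not code from Cisco Security Manager. The inventory is constructed from the rows of Table 5-11, and only the two relations the table uses ("contains" and "is") are modelled.

```python
"""Worked example of the Device selector filter semantics (Match Any vs Match All).

Added illustration code; it is not part of Cisco Security Manager. The
inventory below is constructed from the rows of Table 5-11.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed inventory mirroring Table 5-11: (device type, device name).
DEVICES: List[Tuple[str, str]] = [
    ("PIX Firewall", "pix_506"),
    ("PIX Firewall", "pix_520"),
    ("ASA", "asa_5510"),
    ("Router", "router_1601"),
    ("Router", "ISDN_access_router_761"),
    ("Catalyst 6500/7600 devices", "catalyst_6506"),
]


@dataclass(frozen=True)
class FilterControl:
    """One row of filter controls: Filter Type, Filter Relation, Filter Value."""
    filter_type: str  # "Name" or "Type"
    relation: str     # "contains" or "is" (the relations shown in Table 5-11)
    value: str


def control_matches(control: FilterControl, device_type: str, name: str) -> bool:
    """Evaluate a single filter control against one device."""
    if control.filter_type == "Name":
        subject = name
    elif control.filter_type == "Type":
        subject = device_type
    else:
        raise ValueError(f"unknown filter type: {control.filter_type!r}")
    if control.relation == "contains":
        return control.value in subject  # case-sensitive substring match
    if control.relation == "is":
        return subject == control.value
    raise ValueError(f"unsupported relation: {control.relation!r}")


def apply_filter(controls: Iterable[FilterControl], match_all: bool,
                 devices: Iterable[Tuple[str, str]] = DEVICES) -> List[str]:
    """Return the names of the devices the filter displays, in inventory order.

    match_all=False is "Match Any of the Following" (OR across the controls);
    match_all=True is "Match All of the Following" (AND across the controls).
    An empty control list displays nothing. That is a choice made in this
    example (the page does not describe the product's behaviour for it) so
    that a filter with no rows never silently shows the whole inventory.
    """
    controls = list(controls)
    if not controls:
        return []
    combine = all if match_all else any
    return [name for dtype, name in devices
            if combine(control_matches(c, dtype, name) for c in controls)]


def relationship_rows(controls: Iterable[FilterControl],
                      devices: Iterable[Tuple[str, str]] = DEVICES):
    """Rebuild Table 5-11: (type, name, OR result, AND result), "-" when hidden."""
    controls = list(controls)
    devices = list(devices)
    shown_or = set(apply_filter(controls, match_all=False, devices=devices))
    shown_and = set(apply_filter(controls, match_all=True, devices=devices))
    return [(dtype, name,
             name if name in shown_or else "-",
             name if name in shown_and else "-")
            for dtype, name in devices]


if __name__ == "__main__":
    example = [FilterControl("Name", "contains", "a"),
               FilterControl("Type", "is", "ASA")]
    for row in relationship_rows(example):
        print(" | ".join(row))
```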
Related Topics
•
Create Filter Dialog Box, page C-3
•
Understanding the Device View
Adding Devices to the Security Manager Inventory
When you add a device to Security Manager, you bring in a range of identifying information for the device, such as its DNS name and IP address. This information is added during device discovery. You can also bring existing network configurations associated with a device by initiating policy discovery. For complete information on discovery, see Discovering Policies, page 6-7. Once you add the device, it appears in the Security Manager device inventory.
You can add the following types of devices to Security Manager:
•
Live devices already on the network.
•
New devices not yet on the network.
•
One or more devices from the Device Credentials Repository (DCR).
•
Devices whose identifying information is stored in a configuration file.
Security Manager provides a wizard to help you add a device.
Note
You must use device discovery to add Catalyst 6500/7600 devices with VPN Services Module and devices with dynamic IP addresses.
Caution 
Cisco Security Manager 3.1 does not support IOS version 12.4(11)T and later routers that use the Cisco CNS Configuration Engine to manage and deploy configurations.
Before You Begin
•
Prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage.
•
If you are using ACS for authentication, define the devices in ACS. See Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 2-41.
Procedure
Step 1
Click the Device View button on the toolbar.
Step 2
Select File > New Device or click the New Device button in the Device selector. The Choose Method page of the New Device wizard appears with four options.
Step 3
Select the method by which you want to add the device:
•
Add device from network—Add a live device from the network. Security Manager connects directly and securely to the device and discovers its identifying information and properties.
•
Add device(s) from config file—Add devices from a configuration file.
•
Add new device—Add a single device before it is live on your network. You can create the device in the system, assign policies to the device, and generate configuration files before receiving the device hardware.
•
Add device from DCR—Add devices from the Device Credentials Repository (DCR). The DCR resides on the CiscoWorks Server and is a common database of device attributes and device credential information for use by CiscoWorks component applications.

Note
By default, Security Manager uses Telnet as the transport protocol for communicating with routers running IOS 12.1 or 12.2 and uses SSL and SSH as the transport protocol for routers running IOS 12.3 and later. When you add a live device using the Add Device From Network option, you can specify that the device is running IOS 12.1 or 12.2, which enables Security Manager to select the appropriate transport protocol (Telnet). However, when you add a router running IOS 12.1 or 12.2 from the DCR, Security Manager automatically selects the default transport protocol for routers running IOS 12.3 or later. As a result, Security Manager cannot communicate with the device and the operation fails.
To import a router running IOS 12.1 or 12.2 from the DCR, you must temporarily change the default transport protocol for routers running IOS 12.3 or later to Telnet. For a detailed procedure, please see the FAQ and Troubleshooting Guide for Cisco Security Manager 3.x.
Step 4
Enter the device information, such as IP type, IP address, hostname, and so on, and set discovery options.
•
If adding from network, see Device Information Page—Network, page C-8.
•
If adding from a configuration file, see Device Information Page—Config File, page C-30.
•
If adding a new device, see Device Information Page—New Device, page C-35.
•
If adding from DCR, see Device Information Page—DCR, page C-45.
Step 5
If you are adding a device from the network or adding a new device, enter primary device credentials and enter SDEE, HTTP, RX-Boot Mode, and SNMP, as required. See Device Credentials Page, page C-15.
Step 6
(Optional.) Add the device to a group. See Device Grouping Page, page C-28.
Step 7
Click Finish.
The Task Status page displays the status of the device import and discovery. If the data you entered is incorrect, the system generates an error message for each problem and displays a table showing the pages on which the error or errors occur, each marked with a red error icon.
Note
You can end device import and discovery by clicking Abort on the Task Status page. This button is enabled during device import and discovery.
Step 8
Click Close to close this page. This button is enabled after device import and discovery are completed.
•
If you are adding a Catalyst 6500/7600 device and want to proceed with FWSM inventory and policy discovery, click Yes to go to the Firewall Service Module Credentials page. See Adding Catalyst 6500/7600 Devices from the Network.
Adding Catalyst 6500/7600 Devices from the Network
If you are adding a Catalyst 6500/7600 device and you have completed all the steps in the Adding Devices from the Network topic, you are asked if you want to proceed with FWSM inventory and policy discovery. Click Yes to display the Firewall Service Module Credentials and VPN SPA Slot Location page. If you click No, the VPN SPA Slots window appears, giving you the opportunity to manually enter the locations of any Catalyst VPN Shared Port Adapters (VPN SPAs) installed on the Catalyst 6500/7600 device.
Each device can have from 3 to 13 slots, and each of these slots divides into subslots that can hold one or two VPN SPAs. Security Manager allows you to enter the subslot location to help you manage the device. The dialog box appears when you initiate discovery for Catalyst 6500/7600 devices. For elements in the Firewall Service Module Credentials page, see FWSM Credentials and VPN SPA Slot Location Dialog Box, page C-22.
This procedure describes how to enter the information on the Firewall Service Module Credentials and VPN SPA Slot Location page.
Procedure
Step 1
(Optional) Enter the management IP address for each slot.
The slots represent FWSMs on the Catalyst 6500/7600 devices. Although this step is optional, we recommend that you enter the management IP address. For details, see FWSM Credentials and VPN SPA Slot Location Dialog Box, page C-22.
Step 2
Enter the username, password, and enable password for each slot.
If the device you are adding is a multi-mode FWSM, note the following:
•
Multi-mode FWSMs contain System Space and Admin Context. If you entered the management IP address in step 1, Security Manager uses the credentials you entered in this step to access the FWSM System Space (through the session command from the Catalyst 6500/7600 devices) and the Admin Context (through SSL). Therefore, in the Catalyst 6500/7600 devices, you must configure the same username, password, and enable password for both System Space and Admin Context and enter them in this dialog box.
•
If you did not enter the management IP address in step 1, Security Manager uses the credentials you entered in this step to access the FWSM System Space (through the session command from the Catalyst 6500/7600 devices) and the Admin Context (through the changeto context command from the System Space). Therefore, you must enter the System Space credentials in this dialog box.
Step 3
If you do not want to discover policies for a particular slot, deselect the Discover Policies check box for that slot. The Discover Policies check box is selected by default.
If you deselect the check box, only inventory data, such as VLAN configuration, security contexts, and interfaces are discovered. You can discover the policy configuration later by right-clicking an FWSM and selecting Discover Policies on Device.
Step 4
Click OK. The Task Status page appears. After inventory and policy discovery for all of the security contexts is completed, the Task Completed dialog box appears.
Step 5
Select Yes to submit the activity. The Validation Result dialog box appears.
We recommend that you submit the activity, otherwise the FWSMs and the security contexts will not appear in the Device selector.
Step 6
Do one of the following:
•
Click OK to submit the activity.
The activity is submitted and the FWSM and security context appears in the Device selector.
•
Click Details... to view the results of the validation.
•
Click Cancel to cancel the operation.
Related Topics
•
FWSM Credentials and VPN SPA Slot Location Dialog Box, page C-22
Adding VPN SPA Slot Locations
Use the VPN SPA Slots dialog box to add the locations of any Cisco VPN Shared Port Adapters (VPN SPAs) installed on Catalyst 6500/7600 devices. Each slot on these devices can hold one or two VPN SPAs, and Security Manager allows you to enter this information to help you manage the device. FWSMs occupy a whole slot in the Catalyst 6500/7600 devices, and each VPN SPA occupies half a slot. Each slot can therefore hold two VPN SPAs, one in each of two subslots, numbered 0 and 1. For a description of the fields on this page, see VPN SPA Slots Dialog Box, page C-24.
This procedure describes how to add in VPN SPA Slot locations to Catalyst 6500/7600 device information.
Procedure
Step 1
Do one of the following:
•
Enter the slot number on the left of the "/" and subslot (numbered 0 and 1) to the right of the "/".
•
Click Select to select slot and subslot locations from a list of available slot and subslots.
Step 2
Do one of the following:
•
Click OK to confirm.
•
Click Cancel to cancel the operation.
Working with Devices with Dynamically Assigned IP Addresses
You can add devices that have dynamic IP addresses to the Security Manager inventory. From the Add Device from Network or Add New Device wizards, select the dynamic IP type, then select Auto Update Server or Configuration Engine. Security Manager uses the device identity information to retrieve the device IP address from an Auto Update Server or Configuration Engine that can be reached.
You can add these devices one at a time. You cannot add dynamic IP devices from a file.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Adding an Auto Update Server or Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
Understanding Auto Update Server and Configuration Engine
Auto Update Server (AUS) is a tool for upgrading device configuration files on PIX Firewall and ASA devices that use the auto update feature.
Cisco Configuration Engine is a tool for upgrading device configuration files on Cisco IOS routers and PIX Firewalls that use the configuration engine feature.
Security Manager cannot initiate direct communication with devices that acquire their interface addresses using DHCP because their IP addresses are not known ahead of time. Furthermore, these devices might not be running, or they might be behind firewalls and NAT boundaries when the management system must make changes. These devices connect to an Auto Update Server or Configuration Engine to get device information.
For a summary of the device types and associated servers, see Table 5-12.
Table 5-12 Device Types and Associated Servers
Device Types with Dynamic IP Addresses | Servers
PIX Firewall and ASA (that use the auto update feature) | Auto Update Server
Cisco IOS routers and PIX Firewall (that use the configuration engine feature) | Configuration Engine
Cisco IOS routers | Auto Update Server (running the CNS Gateway protocol)
Related Topics
•
Adding an Auto Update Server or Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding Devices to the Security Manager Inventory
Adding an Auto Update Server or Configuration Engine
If you want to use an Auto Update Server or Configuration Engine as the management server, you can add it to Security Manager. After you add the server, it appears in the Available AUS Managers or Available CE Managers list.
If the Auto Update Server or Configuration Engine that is managing the selected device does not appear in the Available AUS Managers or Available CE Managers list, you can add the Auto Update Server or Configuration Engine in the following ways:
•
From the Add New Device page. See Adding an Auto Update Server or Configuration Engine When Adding a New Device.
•
From the Add Device from Network page. See Adding an Auto Update Server When Adding a Device from Network.
•
From the device properties page, select the General option. See Defining Device Properties.
Adding an Auto Update Server or Configuration Engine When Adding a New Device
If the Auto Update Server or Configuration Engine that is managing the selected device does not appear in the Available AUS Managers or Available CE Managers list, you can add the Auto Update Server or Configuration Engine.
This procedure describes how to add an Auto Update Server or Configuration Engine when you add a new device.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Select File > New Device or click the New Device button in the Device selector. The Choose Method page of the New Device wizard appears with four options.
Step 3
Select Add New Device, then click Next. The Add New Device page appears.
Step 4
From the IP Type field, select Dynamic.
Step 5
Enter the hostname, domain name, IP address, and display name. For more information, see Identity, page C-36.
Step 6
Enter the device operating system information, such as OS type, image name, target OS version, contexts, and operational mode. For more information, see Operating System, page C-37.
Step 7
Depending on the device type you select, the Auto Update or CNS-Configuration Engine field appears:
•
Auto Update—Displayed for PIX Firewall and ASA devices.
•
CNS-Configuration Engine—Displayed for Cisco IOS routers.
Note
This field is not active for Catalyst 6500/7600 devices and FWSM devices.
Click the arrow to display a list of servers. Select the server that is managing the device. If the server does not appear in the list, do the following:
a.
Click the arrow, then select + Add Server... The Server Properties dialog box appears.
b.
Enter the information in the required fields. For a description of the fields on the page, see Server Properties Dialog Box, page C-40.
c.
Click OK. The new server is added to the list of available servers.
For a summary of the device types and the server fields associated with them, see Table 5-12, Device Types and Associated Servers.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding Devices to the Security Manager Inventory
Adding an Auto Update Server When Adding a Device from Network
If the Auto Update Server that is managing the selected device does not appear in the Available AUS Managers list, you can add the Auto Update Server.
This procedure describes how to add an Auto Update Server when you add a device from the network.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Select File > New Device or click the New Device button in the Device selector. The Choose Method page of the New Device wizard appears with four options.
Step 3
Select Add Device from Network, then click Next. The Add Device from Network page appears.
Step 4
From the Device IP Type field, select Dynamic.
Step 5
Enter the string value that uniquely identifies the device in Auto Update Server in the Device Identity field.
Step 6
From the CNS Gateway field, click the arrow to display a list of available Auto Update Servers. Select the Auto Update Server that is running the CNS Gateway protocol.
Security Manager communicates with the Auto Update Server running the CNS Gateway protocol to retrieve the IP address of an IOS device, then performs discovery directly from the device.
Step 7
If the Auto Update Server does not appear in the list, do the following:
a.
Click the arrow, then select + Add Auto Update Server... The Auto Update Server Properties dialog box appears.
b.
Enter the information in the required fields. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page C-13.
c.
After you click OK in the Auto Update Server Properties dialog box, the new Auto Update Server is added to the list of Available Servers.
Step 8
Enter the display name.
For more information, see Device Information Page—Network, page C-8.
Note
Only Cisco IOS routers with a dynamic IP address can be associated with an Auto Update Server running the CNS Gateway protocol.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Editing the Auto Update Server or Configuration Engine Information
•
Adding Devices to the Security Manager Inventory
Editing the Auto Update Server or Configuration Engine Information
You can edit the Auto Update Server or Configuration Engine information in three ways:
•
From the device properties page, select the General option. For the procedure, see Working with Device Policies.
•
From the Add New Device page. For the procedure, see Editing an Auto Update Server or Configuration Engine When Adding a New Device.
•
From the Add device from Network page. For the procedure, see Editing the Auto Update Server Information when Adding Device from Network.
Editing an Auto Update Server or Configuration Engine When Adding a New Device
This procedure describes how to edit the Auto Update Server or Configuration Engine information when you add a new device to Security Manager.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Select File > New Device or click the New Device button in the Device selector. The Choose Method page of the New Device wizard appears with four options.
Step 3
Select Add New Device, then click Next. The Add New Device page appears.
Step 4
From the IP Type field, select Dynamic.
Step 5
Enter the hostname, domain name, IP address, and display name. For more information, see Identity, page C-36.
Step 6
Enter the device operating system information, such as OS type, image name, target OS version, contexts, and operational mode. For more information, see Operating System, page C-37.
Step 7
Depending on the device type you select, the Auto Update or CNS-Configuration Engine field appears:
•
Auto Update—Displayed for PIX Firewall and ASA devices.
•
CNS-Configuration Engine—Displayed for Cisco IOS routers.
Note
This field is not active for Catalyst 6500/7600 devices and FWSM devices.
Step 8
Click the arrow in the Auto Update or the CNS-Configuration Engine field, then select Edit Servers.
The Available Servers dialog box appears. For a description of the fields on the page, see Available Servers Dialog Box, page C-41.
Step 9
Select the server then click Edit.
The Auto Update Server Properties page or the CNS-Configuration Engine Properties page appears. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page C-13 or CNS-Configuration Engine Properties Dialog Box, page C-42.
Step 10
Select the field to edit, then enter the changed information.
Step 11
Click OK. The Available Servers dialog box appears.
Step 12
Click OK.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Adding an Auto Update Server or Configuration Engine
•
Adding Devices to the Security Manager Inventory
Editing the Auto Update Server Information when Adding Device from Network
This procedure describes how to edit the Auto Update Server information when you add a device that is already in the network.
Procedure
Step 1
Click the Device View button in the toolbar. The Devices page appears.
Step 2
Select File > New Device or click the New Device button in the Device selector. The Choose Method page of the New Device wizard appears with four options.
Step 3
Select Add Device from Network, then click Next. The Add Device from Network page appears.
Step 4
From the Device IP Type field, select Dynamic.
Step 5
Enter the string value that uniquely identifies the device in Auto Update Server in the Device Identity field.
Step 6
Click the arrow in the CNS Gateway field, then select Edit Auto Update Server.
The Available Auto Update Server dialog box appears. For a description of the fields on the page, see Available Auto Update Servers Dialog Box, page C-14.
Step 7
Select the Auto Update Server, then click Edit.
The Auto Update Server Properties appears. For a description of the fields on the page, see Auto Update Server Properties Dialog Box, page C-13.
Step 8
Select the field to edit, then replace it with the desired information.
Step 9
Click OK.
Related Topics
•
Understanding Auto Update Server and Configuration Engine
•
Adding an Auto Update Server or Configuration Engine
•
Adding Devices to the Security Manager Inventory
Understanding Device Credentials
Security Manager requires certain device credentials for logging in to the device. When adding a device to the Security Manager database, you are also adding it to the DCR, which makes the credentials available to all CiscoWorks applications such as Resource Manager Essentials (RME) or Monitoring Center for Performance (Performance Monitor). For this reason, the Device Credentials page includes a wider range of optional fields for credentials that you might want to store for possible use by these other applications, or ignore if not required for your purposes.
You can provide device credentials in two ways:
•
When you add a device into Security Manager.
•
From the Device Properties page.
For information about the elements in the device credentials page, see Device Credentials Page, page C-15.
You can provide the following device credentials:
•
Primary Credentials—Username and password for logging into the device. This information is required for device communication.
•
SDEE Credentials—Security Device Event Exchange (SDEE) is a standard that specifies the format of messages and protocol used to communicate events generated by security devices. SDEE uses a pull mechanism: requests come from the network management application and the Intrusion Detection System/Intrusion Prevention System (IDS/IPS) router responds. SDEE uses HTTP and XML to provide a standardized interface.
SDEE is used for event management on IPS-supported devices. Security Manager uses SDEE to query the IPS supported devices after deployment to verify that the deployment was successful.
•
HTTP Credentials—Web browsers and Web servers use HTTP to transfer files, such as text and graphic files. HTTP credentials are required for devices that support SDEE. SDEE uses HTTP and XML to provide a standardized interface. HTTP credentials are optional for other types of devices.
•
Rx-Boot Mode—(Optional) Some Cisco routers are designed to run from flash memory where they boot only from the first file in flash. This means that you must run an image other than that in flash to upgrade the flash image. That image is a reduced command-set image referred to as Rx-Boot (a ROM-based image).
•
SNMP Credentials—(Optional) The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the TCP/IP suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth.
Note
You can use a maximum of 70 characters to define device credentials. Security Manager does not restrict the characters you can use to define them. However, you may not add spaces in passwords.
Related Topics
•
Device Credentials Page, page C-15
•
Adding Devices to the Security Manager Inventory
Working with Device Connectivity Test
In Cisco Security Manager 3.0.1 and earlier, you cannot validate whether a device that is added to the Security Manager inventory can be reached. Although Security Manager validates the data you entered, it does not validate whether the data you entered allows you to contact the device.
In Security Manager 3.1, you can verify, when you are adding the device, whether Security Manager can contact the device. Security Manager displays the root cause for any device connectivity failure, such as the transport protocol not being configured on the device, or invalid or null authentication credentials. If the connection-related configuration settings result in an invalid configuration, or prevent Security Manager from contacting and managing the device, you are prevented from submitting the changes to the database. You need to ensure that you have complete and valid configurations for these settings, then resubmit your changes to the database. In addition, you can test device connectivity from the Device Properties page for devices that have been added previously to the Security Manager inventory.
Understanding Device Connectivity Test
When you test the communication between Security Manager and devices that have been, or are being, added to the inventory, Security Manager uses the device connection timeout and retry count values specified in the Device Communication page. By default, the device connection timeout is 180 seconds. The timeout is how long Security Manager attempts to establish a connection with a device before giving up on that attempt; the total time spent is the timeout multiplied by the number of times Security Manager re-attempts the connection after timing out. If the device can be reached, Security Manager runs the show version command on PIX Firewall, Adaptive Security Appliances (ASA), Firewall Service Modules (FWSM), and Cisco IOS routers, or it executes the getVersion command on IPS Sensors and Cisco IOS IPS Sensors. You can view the output of the command to read information about the hardware, the software version running on the device, the license agreement, and other system-related parameters. If the device connectivity test fails, an error message is displayed.
After you enter the device contact information and device credentials in the Add Device from Network Wizard and close the wizard, or advance to the next step of the wizard, Security Manager checks whether the device is already running in the network and is reachable. If device connectivity fails, the device cannot be added and an error message states that Security Manager cannot communicate with the device. To correct the connectivity error between Security Manager and the device you are trying to add, look for common network problems, such as hardware, media, and booting errors, excessive traffic causing queues to overflow, duplicate MAC or IP addresses on the device, physical discrepancies, such as link, duplex, and speed mismatch, or logical discrepancies, such as VLAN and VTP inconsistencies or ATM network misconfiguration.
Keep the following points in mind while testing whether a device can be reached from Security Manager:
• You can test device connectivity when you add devices (both static and dynamic IP addresses) using only the Add Device from Network or Add New Device wizards.
• The device connectivity test uses the transport mechanism or protocol configured for the device. If you configured a default transport protocol for contacting all Catalyst 6500 Series switches and Cisco 7600 Series routers from the Device Communication settings page, the same protocol is used to test whether the device can be reached.
• The device connectivity test can be performed for all devices and OS versions supported by Security Manager. However, if the device is managed by an Auto Update Server, Token Management Server (TMS) or a CNS-Configuration Engine, you cannot test connectivity between Security Manager and the device.
• If you chose to connect to the device from Security Manager using device credentials (on the Device Communication settings page) and did not specify the username and password for logging in to the device or you entered incorrect credentials while adding the device, the device connectivity test fails and an error message is displayed. Make sure that you have valid and complete configurations by editing the device credentials information.
• If you did not configure the transport protocol on the device, the device connectivity test fails and an error message is displayed. Make sure that you configure the transport settings on each device that has not been added to the inventory, or configure the transport protocol from the Device Properties page of the Security Manager GUI for devices that have been added to the inventory.
• If you configure the device to perform authentication with an external AAA server, such as Cisco Secure Access Control Server (ACS), and do not enable command authorization, an error message is displayed when Security Manager attempts to run the show version command on the device that can be reached.
• While you add a device from the network, the operating system you specify must be correct for the IP address you enter for the device on the Device Information page. Otherwise, after you enter the device credentials and click Next or Finish from the Device Credentials page, an error message is displayed when the device connectivity test is performed. For example, while adding the device to Security Manager, if you enter the IP address of a connected live ASA device from the network and choose the OS type as PIX, an error message states that the OS type you chose is not supported for the device. To correct the error, make sure that you choose the correct OS type of the device.
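The following is an added example, not Security Manager code, that models the connectivity test described above: the timeout and retry budget, the transport and credential pre-checks, the per-platform version command, and the OS-type mismatch case. The DeviceEntry class, the run_command callable, the banner signatures and the sample ASA banner are assumptions constructed for the illustration.

```python
# Added example (not Security Manager code) modelling the connectivity test
# described above; run_command, the signatures and the sample banner are assumed.
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

DEFAULT_TIMEOUT_SECONDS = 180   # default on the Device Communication page

@dataclass
class DeviceEntry:
    ip: str
    os_type: str                # operator-declared: PIX, ASA, FWSM, IOS or IPS
    transport: Optional[str]    # e.g. "SSH" or "SSL"; None if not configured
    username: Optional[str]
    password: Optional[str]

# Version command per device family, as the text describes.
VERSION_COMMAND = {"PIX": "show version", "ASA": "show version", "FWSM": "show version",
                   "IOS": "show version", "IPS": "getVersion"}

# Constructed signatures used to recognise the platform from the command output.
OS_SIGNATURES = {
    "ASA": re.compile(r"Adaptive Security Appliance Software"),
    "PIX": re.compile(r"PIX Version"),
    "FWSM": re.compile(r"FWSM Firewall Version"),
    "IOS": re.compile(r"Cisco IOS Software"),
    "IPS": re.compile(r"Cisco Intrusion Prevention System"),
}

def total_wait_budget(timeout: int = DEFAULT_TIMEOUT_SECONDS, retries: int = 0) -> int:
    """Worst case: the first attempt and each retry may each run to the timeout."""
    return timeout * (1 + retries)

def detect_os(output: str) -> Optional[str]:
    """Return the platform whose signature appears in the version output."""
    for name, pattern in OS_SIGNATURES.items():
        if pattern.search(output):
            return name
    return None

def connectivity_test(device: DeviceEntry,
                      run_command: Callable[[DeviceEntry, str], str],
                      retries: int = 0) -> Tuple[bool, str]:
    """Pre-checks, then the version command with up to `retries` retries.
    run_command stands in for the transport: it returns the output, raises
    TimeoutError if the device stays silent, or PermissionError on bad login."""
    if device.transport is None:
        return False, "transport protocol not configured on the device"
    if not device.username or not device.password:
        return False, "null authentication credentials"
    command = VERSION_COMMAND[device.os_type]
    attempts = max(1, 1 + retries)
    for attempt in range(1, attempts + 1):
        try:
            output = run_command(device, command)
        except TimeoutError:
            if attempt == attempts:
                return False, f"no response after {attempts} attempt(s)"
            continue
        except PermissionError:
            return False, "invalid authentication credentials"
        if detect_os(output) != device.os_type:
            return False, f"OS type {device.os_type} is not supported for this device"
        return True, f"reachable over {device.transport}: {output.splitlines()[0]}"

# Constructed sample network: one live ASA; every other address stays silent.
SAMPLE_BANNERS = {"192.0.2.10": "Cisco Adaptive Security Appliance Software Version 7.2(1)"}
SAMPLE_PASSWORD = "example-only"    # constructed credential for the fake ASA

def fake_transport(device: DeviceEntry, command: str) -> str:
    """Stand-in for SSH/SSL that answers only for the sample ASA."""
    if device.ip not in SAMPLE_BANNERS:
        raise TimeoutError(f"{device.ip} did not answer")
    if device.password != SAMPLE_PASSWORD:
        raise PermissionError("login rejected")
    return SAMPLE_BANNERS[device.ip]
```

Declaring the sample ASA as PIX reproduces the "OS type not supported" failure from the last point above, while a silent address exhausts the retry budget before failing.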
Verifying Device Connectivity from Security Manager
The following topics describe how to verify connectivity between Security Manager and the device, depending on how you are adding the device.
• Testing Device Connectivity While Adding a Device from the Network
• Testing Device Connectivity While Adding a New Device
• Testing Device Connectivity After Adding a Device to Security Manager
Testing Device Connectivity While Adding a Device from the Network
Security Manager tests whether a device can be reached when you add the device from the network. The addition of the device to Security Manager inventory is successful only if device connectivity succeeds. This procedure describes how to test connectivity when you add a device from the network.
Before You Begin
• Prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage.
• If you are using ACS for authentication, define the devices in ACS. See Associating NDGs and Roles with User Groups, page 2-54.
Procedure
Step 1 Click the Device View button on the toolbar.
Step 2 In the Device selector, click the Add button. The New Device wizard opens.
Step 3 Select Add Device(s) from Network, then click Next. The New Device - Device Information page appears.
Step 4 Enter the device information, such as IP type, IP address, hostname, and so on, and set discovery options. For more information, see Device Information Page—Network, page C-8.
Step 5 Click Next to continue. The Device Credentials page appears.
Step 6 Enter primary device credentials, as required. See Device Credentials Page, page C-15.
Step 7 Do one of the following:
• Click Finish.
• Click Next to continue.
Security Manager tests device connectivity and displays the progress of the test. If the device cannot be reached, an error message is displayed. If the network is not functioning properly, use the error messages generated to troubleshoot the difference between normal and abnormal operation. Security Manager prevents you from adding the device to the inventory until you correct the error.
Testing Device Connectivity While Adding a New Device
When you add a single device to the Security Manager inventory for preprovisioning, you can test the communication between Security Manager and the device. Before you assign policies to the device and generate configuration files, you can correct device connectivity errors, if any. This procedure describes how to test connectivity when you add a new device.
Before You Begin
• Prepare the devices to be managed by Security Manager. For more information, see Preparing the Devices for Security Manager to Manage.
Procedure
Step 1 Click the Device View button in the toolbar. The Devices page appears.
Step 2 Click the Add button in the Device selector. The New Device - Choose Method page appears.
Step 3 Select Add New Device, then click Next. The New Device - Device Information page appears.
Step 4 Enter the device information. For details, see Device Information Page—New Device, page C-35.
Step 5 Click Next to continue. The Device Credentials page appears.
Step 6 Enter the username and password under Primary Credentials. See Device Credentials Page, page C-15.
Step 7 Click the Test Connectivity button at the bottom of the page.
The Device Connectivity Test dialog box appears. You cannot perform other tasks while the device connectivity test is in progress. A test-in-progress indication bar appears when the connectivity test is running and a counter timer displays the number of seconds elapsed since the start of the test. The transport protocol used to test device connectivity, the status of the connectivity test, and the time elapsed are displayed.
For more information, see Device Connectivity Test Dialog Box, page C-20.
Step 8 Do one of the following in the Device Connectivity Test dialog box:
• Click Details to display information about the hardware, software version running on the device, license agreement, and other system-related parameters.
Tip
You can copy and paste the command output into a file for later analysis.
• Click Abort to end the device connectivity test. This button is enabled while the device connectivity test is in progress.
• Click Close to close this dialog box. This button is enabled after the device connectivity test is completed.
Step 9 Do one of the following:
• Click Finish.
• Click Next to continue.
Testing Device Connectivity After Adding a Device to Security Manager
If you want to test device connectivity after you add devices to Security Manager, use the Device Properties page. This procedure describes how to test connectivity for devices that have been previously added to the inventory.
Procedure
Step 1 Click the Device View button on the toolbar. The Devices page appears.
Step 2 Double-click a device in the Device selector. The Device Properties page appears.
Step 3 Click Credentials in the left pane. The Credentials page appears.
Step 4 Click the Test Connectivity button at the bottom of the page.
The Device Connectivity Test dialog box appears. You cannot perform other tasks while the device connectivity test is in progress. A test-in-progress indication bar appears when the connectivity test is running and a counter timer displays the number of seconds elapsed since the start of the test. The transport protocol used to test device connectivity, the status of the connectivity test, and the time elapsed are displayed.
For more information, see Device Connectivity Test Dialog Box, page C-20.
Step 5 Do one of the following in the Device Connectivity Test dialog box:
• Click Details to open the Details dialog box that displays information about the hardware, software version running on the device, license agreement, and other system-related parameters.
Tip
You can copy and paste the command output from the Details dialog box into a file for later analysis.
• Click Abort to end the device connectivity test. This button is enabled while the device connectivity test is in progress.
• Click Close to close this dialog box. This button is enabled after the device connectivity test is completed.
Understanding Device Properties
You define device properties when you add devices to Security Manager. Device properties are general information about the device, credentials, the group the device is assigned to, and policy overrides. You must provide some of the device property information, such as device identity and primary credentials, when you add the device, but you can add other information later from the Device Properties page.
To open this page, do one of the following:
• In the Device selector, double-click a device.
• In the Device selector, right-click the device, then select Device Properties.
The Device Properties page has two panes. The left pane contains the General, Credentials, Device Groups, and Policy Object Overrides options.
• General—Contains general information about the device, such as device identity, the operating system running on the device, and DCS settings.
• Credentials—Contains device primary credentials (username, password, and enable password), SNMP credentials, Rx-Boot Mode credentials, and HTTP credentials.
• Device Groups—Contains the groups to which the device is assigned.
• Policy Object Overrides—Contains global settings of certain types of reusable policy objects, which you can override.
If you click a device property option, the corresponding information is displayed in the right pane. For information about the elements in this page, see Device Properties Page, page C-53.
From the Device Properties page you can:
• View device properties.
• Define device properties. If you did not define the device properties when you added the device to the Security Manager inventory, you can define them in this page.
• Edit device properties.
Note
• Security Manager does not assume that the DNS hostname that appears on the Device Properties page is the same as the hostname that you configured on the device.
• When you add a device to Security Manager, you must enter either the management IP address or the DNS hostname. Because it is not possible to determine the management interface and, therefore, the management IP address when you discover from a configuration file, the hostname in the configuration file is used as the DNS hostname. If the hostname is missing in the CLI of the configuration file, the configuration filename is used as the DNS hostname.
• During live device discovery, the DNS hostname in the Device Properties page is not updated with the hostname configured on the device. Therefore, if you want to specify the DNS hostname for the device, you must specify it manually when you add the device to Security Manager or on the Device Properties page.
• If the DNS hostname or display name of the security context you are discovering exists in DCR, Security Manager appends it with a _01, _02, and so on to give it a unique name.
The following topics describe how to use the Device Properties page:
• Defining Device Properties
• Working with Device Policies
Defining Device Properties
You can define device properties when you add a device or you can use the Device Properties page to define them later.
This procedure describes how to define device properties in the Device Properties page.
Procedure
Step 1 Click the Device View button in the toolbar. The Devices page appears.
Step 2 Do one of the following:
• In the Device selector, double-click a device. The Device Properties page appears.
• In the Device selector, right-click the device to display menu options, then select Device Properties. The Device Properties page appears.
Step 3 Define general information about the device, such as device identity, the operating system running on the device, and DCS settings:
a. Click General. The General page appears.
b. Enter the information in the appropriate fields. For more information, see General Page, page C-54.
c. Click Save.
Step 4 Define device credentials, such as username and password:
a. Click Credentials. The Credentials page appears.
b. Enter the information in the appropriate fields. For more information, see Credentials Page, page C-57.
c. Click Save.
Step 5 Assign groups to a device:
a. Click Device Groups. The Device Groups page appears.
b. Enter the device grouping information. For more information, see Device Groups Page, page C-59.
c. Click Save.
Step 6 Define policy object overrides:
a. Click Policy Object Overrides. The Policy Object Overrides folder expands.
b. Click a policy object. The corresponding page appears in the right pane.
c. Enter the information in the appropriate fields. For more information, see Policy Object Override Pages, page C-60.
d. Click Save.
Related Topics
• Understanding Device Properties
• General Page, page C-54
• Credentials Page, page C-57
• Policy Object Override Pages, page C-60
• Device Groups Page, page C-59
• Working with Device Policies
Working with Device Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by defining policies on devices (which includes individual devices, service modules, and security contexts) and VPN topologies (which are made up of multiple devices), and then deploying the configurations defined by these policies to these devices.
Several policy types might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure multiple policies, such as IPSec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the device.
You can use Device view to manage both local policies and shared policies.
For details, see Managing Policies in Device View, page 6-20.
Cloning a Device
A cloned (duplicate) device shares the configurations and properties of the source device. Cloning a device saves you time because you do not need to re-create configuration and properties on the new device.
The cloned device shares the device operating system version, credentials, and grouping attributes with the source device, but it has its own unique identity, such as display name, IP address, hostname, and domain name. You can clone only one device at a time.
Note
You cannot clone a Catalyst 6500/7600 device.
This procedure describes how to clone a device.
Procedure
Step 1 Click the Device View button in the toolbar. The Devices page appears.
Step 2 In the Device selector, right-click the device to clone, then select Clone. The Create a Clone of <device name> page appears.
Step 3 Enter the information in the appropriate fields. See Create a Clone of <device name> Page, page C-52.
Step 4 Click OK. A clone of the source device with its unique display name is created in the Device selector.
Related Topics
• Create a Clone of <device name> Page, page C-52
• Copying Policies Between Devices, page 6-23
Deleting Devices from the Security Manager Inventory
This procedure describes how to delete devices from the Security Manager inventory.
Procedure
Step 1 Click the Device View button in the toolbar. The Devices page appears.
Step 2 Select the device to delete from the Device selector.
Step 3 Click the Delete button.
A Warning dialog box appears asking if you want to delete the selected nodes and presents the following two options:
• The Delete from DCR check box is selected by default. If you delete a device with this check box selected, the device is deleted from Security Manager and from DCR. If you do not want to delete the device from DCR, deselect this check box.
• Click Details to launch the Device Delete Validation Details dialog box to view details about the device deletion. For more information, see Device Delete Validation Details Dialog Box, page C-51.
Step 4 Click OK to continue. If there are no errors or warnings, the device is deleted.
If there are errors or warnings, the Device Delete Validation page appears displaying the status of the deletion.
For more information, see Device Delete Validation Page, page C-49.
Step 5 Look for any warnings listed in the Severity column to determine if you want to continue.
• To see more information on the deletion details, click Details.
• To continue with the deletion, click OK to confirm. Otherwise, click Cancel.
Related Topics
• Device Delete Validation Page, page C-49
• Device Delete Validation Details Dialog Box, page C-51
Understanding Device Grouping
Device grouping enables you to view a subset of devices that you define. By default, Security Manager provides two Group Types: Department and Location, and one folder called ALL. The ALL folder contains all of the devices that are added to Security Manager.
Note
Device groups and subgroups are simple, arbitrary, organizational collections of devices that you create for more effective network visualization. They are not policy-sharing entities. They are distinct from the various policy object groups (for example AAA server group objects, service group objects, and user group objects). For information on policy objects, see Introduction to Objects, page 8-1.
You can create groups under the default group types, Department and Location, and assign devices to them or you can create new group types. You can create a maximum of 10 group types.
You cannot assign a device directly to a group type. You must create a group under a group type, and then assign a device to that group. For example, under Department (group type), you can create a group called Finance, and assign routerx to it (Figure 5-3).
Figure 5-3 Device Groups
You can create subgroups and assign a device to it. For example, under Location, you can create a group called United States; under United States, you can create a subgroup called California; and under California, you can create a subgroup called San Jose and assign routerx to it (Figure 5-3).
You can assign a device to multiple groups. When you do so, that device shows up in multiple groups in the Device selector. If you assign a device, for example, routerx, to the San Jose location and to the Finance department (Figure 5-3), that device, routerx, appears in both of these groups.
Note
The device can be in only one group in a group type. For example, under the group type, Location, you can assign routerx to San Jose, but you cannot assign routerx to San Jose and California.
After you assign the device to groups, that device appears in the appropriate groups and in the ALL folder in the Device selector.
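The following is an added example, not Security Manager code, that models the grouping rules above: at most 10 group types, groups and subgroups beneath a type, the ALL folder, assignment only to groups (never directly to a type), membership in several types but only one group per type, and what happens to members when a group is deleted. The class and method names, and the routerx, Finance and San Jose scenario built by example_inventory, are assumptions taken from the text's own illustration.

```python
# Added example (not Security Manager code) modelling the device grouping rules
# described above; class and method names are assumptions made for this illustration.
from typing import Dict, List, Optional, Set

MAX_GROUP_TYPES = 10    # the text's limit on the number of group types

class DeviceGroup:
    """A group or subgroup under one group type (e.g. Location/United States/California)."""
    def __init__(self, name: str, group_type: str, parent: Optional["DeviceGroup"] = None):
        self.name, self.group_type, self.parent = name, group_type, parent
        self.children: List["DeviceGroup"] = []
        self.devices: Set[str] = set()

    def path(self) -> str:
        names, node = [], self
        while node is not None:
            names.append(node.name)
            node = node.parent
        return self.group_type + "/" + "/".join(reversed(names))

class DeviceInventory:
    """Group types, nested groups, the ALL folder and the one-group-per-type rule."""
    def __init__(self) -> None:
        self.group_types: Dict[str, List[DeviceGroup]] = {"Department": [], "Location": []}
        self.all_devices: Set[str] = set()                       # the ALL folder
        self.membership: Dict[str, Dict[str, DeviceGroup]] = {}  # device -> type -> group

    def add_group_type(self, name: str) -> None:
        if name in self.group_types:
            raise ValueError(f"group type {name} already exists")
        if len(self.group_types) >= MAX_GROUP_TYPES:
            raise ValueError(f"maximum of {MAX_GROUP_TYPES} group types")
        self.group_types[name] = []

    def add_group(self, name: str, group_type: str,
                  parent: Optional[DeviceGroup] = None) -> DeviceGroup:
        if group_type not in self.group_types:
            raise KeyError(group_type)
        if parent is not None and parent.group_type != group_type:
            raise ValueError("a subgroup must stay under its parent's group type")
        group = DeviceGroup(name, group_type, parent)
        (self.group_types[group_type] if parent is None else parent.children).append(group)
        return group

    def add_device(self, device: str) -> None:
        self.all_devices.add(device)    # every device is listed under ALL

    def assign(self, device: str, group: DeviceGroup) -> None:
        """Assign to a group (never directly to a group type): one group per type."""
        if device not in self.all_devices:
            raise KeyError(device)
        current = self.membership.setdefault(device, {}).get(group.group_type)
        if current is not None and current is not group:
            raise ValueError(f"{device} is already in {current.path()}; "
                             f"only one group per group type is allowed")
        group.devices.add(device)
        self.membership[device][group.group_type] = group

    def groups_of(self, device: str) -> List[str]:
        return sorted(g.path() for g in self.membership.get(device, {}).values())

    def delete_group(self, group: DeviceGroup) -> None:
        """Delete a group and everything beneath it; members lose that group type."""
        for child in list(group.children):
            self.delete_group(child)
        for device in group.devices:
            self.membership[device].pop(group.group_type, None)
        siblings = (self.group_types[group.group_type] if group.parent is None
                    else group.parent.children)
        siblings.remove(group)

def example_inventory() -> DeviceInventory:
    """Builds the routerx scenario from the text (constructed sample data)."""
    inv = DeviceInventory()
    inv.add_device("routerx")
    finance = inv.add_group("Finance", "Department")
    us = inv.add_group("United States", "Location")
    california = inv.add_group("California", "Location", parent=us)
    san_jose = inv.add_group("San Jose", "Location", parent=california)
    inv.assign("routerx", finance)
    inv.assign("routerx", san_jose)
    return inv
```

Assigning routerx to California after San Jose raises, because both groups belong to the Location type.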
You can assign devices to groups in four ways:
• From the Device Grouping page in any of the add device wizards.
• From the device group shortcut menu options. See Device Group Shortcut Menu Options, page C-65.
• From the Device Properties page. For more information, see Working with Device Policies.
• From the Tools menu options. Select Tools > Security Manager Administration > Device Groups.
Related Topics
• Working With Device Groups
• Adding Devices to Device Groups
• Edit Device Groups Page, page C-66
Working With Device Groups
You can create device group types and device groups, delete device groups, and modify device group names. The following topics describe how to perform these tasks:
• Creating Device Group Types
• Creating Device Groups
• Deleting Device Group Types, Device Groups, or Subgroups
Creating Device Group Types
Security Manager has two predefined device group types: Location and Department. You can create device groups under these device group types and assign a device to them or you can create new group types.
Note
Remember that device group types are the top-level categories in your device group hierarchy. If you would rather add a device group (lower-level), see Creating Device Groups.
This procedure describes how to create device group types.
Procedure
Step 1 Select File > Edit Device Groups... The Edit Device Groups page opens.
Step 2 Click the Add Type button in the Device Groups page. A new device group type field is created.
Step 3 Enter a name for this group type, then press Enter.
Step 4 Click OK.
Related Topics
• Understanding Device Grouping
• Edit Device Groups Page, page C-66
Creating Device Groups
This procedure describes the most direct method to create device groups.
Note
Device groups are the lower-level categories in your device group hierarchy, and are added either beneath a device group type (top-level) or beneath another device group. If you would rather add a device type group (top-level), see Creating Device Group Types.
Procedure
Step 1 In the Device selector, right-click the device group type or a device group under which you want to create the group, then select New Device Group. The Add Group dialog box appears. See Add Group Dialog Box, page C-68.
Step 2 Enter a name for this device group, then press Enter.
Step 3 Click OK. The new device group is created beneath the device group type or device group that you initially right-clicked (Figure 5-3).
Related Topics
• Understanding Device Grouping
• Add Group Dialog Box, page C-68
• Adding Devices to Device Groups
• Edit Device Groups Page, page C-66
Deleting Device Group Types, Device Groups, or Subgroups
This procedure describes how to delete device groups, subgroups, or device group types.
Procedure
Step 1 Do one of the following:
• Right-click a device group type or a device group in the Device selector, then select Edit Device Groups... to display the Edit Device Groups page.
• Select File > Edit Device Groups... to display the Edit Device Groups page.
• Select Tools > Security Manager Administration > Device Groups to display the Device Groups page.
Step 2 Click a device group type or device group to delete.
Step 3 Click the Delete button.
Step 4 Click OK.
Note
• All device groups and device subgroups beneath the item you delete are also deleted.
• When you delete a device group, or a device subgroup, all devices contained beneath that group or subgroup are no longer associated with that group type.
• You can choose to delete the predefined group types, Location and Department.
Related Topics
• Understanding Device Grouping
• Edit Device Groups Page, page C-66
Adding Devices to Device Groups
You must create a device group before you add devices to it. To create groups, see Creating Device Groups.
This procedure describes how to add devices to a group:
Procedure
Step 1 From the Device selector, right-click the device group to which you want to add devices, then select Add Devices to Group. The Add Devices to Group page appears.
Step 2 From the Device Groups pane, select a device, or devices from different device groups, or select an entire group, then click >>. The individual device or devices in the selected device group move to the Selected Devices pane.
Step 3 Click OK. The devices in the Selected Devices pane are added to the device group you initially selected in the Device selector.
Note
A device can be in only one device group in a device group type. If you assign a device to two groups that belong to one group type, you will get a warning message.
Related Topics
• Understanding Device Grouping
• Device Group Shortcut Menu Options, page C-65