User Guide for Cisco Security Manager 3.1
Index

Numerics

12.1 and 12.2

managing routers 14-3

3DES encryption algorithm

in IKE proposals 9-68

802.1x

802.1x Policy page K-194

defining policies 14-133

interface authorization states 14-131

on Cisco IOS routers 14-129

supported topologies 14-132

understanding device roles 14-130

A

AAA

accounting 10-1

authorization 10-1

Cisco IOS routers

AAA Policy page K-92

Accounting tab K-99

Authentication tab K-94

Authorization tab K-95

Command Accounting dialog box K-102

Command Authorization dialog box K-98

defining services 14-72

overview 14-68

supported accounting types 14-70

supported authorization types 14-69

understanding method lists 14-71

configuring on firewall devices 15-31

configuring settings 12-146

local fallback 15-34

support 15-33

user authentication 10-1

AAA authentication groups

predefined 8-17

AAA Firewall page J-157

AAA Mode Setup page 2-3

AAA rules

AAA Rules page J-78

Add AAA Rules dialog box J-82

adding 12-91

AuthProxy dialog box J-100

configuring settings

for (PIX/ASA) 12-147

for IOS 12-152

copying 12-97

cutting 12-97

deleting 12-100

disabling 12-96

Edit AAA Option dialog box J-99

Edit AAA Rules dialog box J-82

Edit AAA Server Group dialog box J-101

Edit Category dialog box J-102

Edit Description dialog box J-103

Edit Destinations dialog box J-91

editing 12-94

Edit Interface dialog box J-97

Edit Service dialog box J-59, J-94

Edit Sources dialog box J-88

enabling 12-96

MAC exempt address lists

adding 12-150

deleting 12-152

editing 12-151

understanding 12-149

moving down 12-99

moving up 12-99

pasting 12-97

Show Destination dialog box J-93

Show Interface Contents dialog box J-98

Show Service Contents dialog box J-96

Show Source Contents dialog box J-90

understanding 12-89

AAA Rules page J-78

AAA server group objects

AAA Server Group dialog box F-14

AAA Server Groups page F-12

creating 8-19

default server groups on IOS devices 8-18

predefined authentication groups 8-17

understanding 8-16

AAA server objects

AAA Server dialog box F-20

AAA Servers page F-18

creating 8-29

supported types 8-25

understanding 8-16, 8-23

AAA servers

external servers 10-1

supported types on ASA devices 8-26

table of services on ASA devices 8-28

Abort Deployment Job dialog box O-28

ABR

definition of 15-95

access control list objects

creating 8-36

example

extended ACL 8-32

standard ACL 8-33

web ACL 8-34

Extended IP ACL tab

Add Extended Access Control Entry dialog box F-39

Add Extended Access List page F-36

Edit Extended Access Control Entry dialog box F-39

Edit Extended Access List page F-36

extended objects 8-36

Extended tab F-34

Add Extended Access Control Entry dialog box F-39

Add Extended Access List page F-36

Edit Extended Access Control Entry dialog box F-39

Edit Extended Access List page F-36

GUI

understanding 8-35

standard objects 8-39

Standard tab F-43

Add Standard Access Control Entry dialog box F-47

Add Standard Access List page F-45

Edit Standard Access Control Entry dialog box F-47

Edit Standard Access List page F-45

understanding 8-31

web objects 8-41

Web tab F-50

Add Web Access Control Entry dialog box F-54

Add WebType Access List page F-52

Edit Web Access Control Entry dialog box F-54

Edit WebType Access List page F-52

access control lists

policy discovery 6-9

Access Control page J-147

access controls

access list compilation

enabling 12-139

configuring settings 12-140

object group search

enabling 12-134

per user downloadable ACLs (PIX/ASA/FWSM) 12-136

settings 12-132

understanding settings 12-132

Access Group tab

description 15-90, L-183

Accessing the Cisco NSDB N-12

access list compilation

enabling 12-139

understanding 12-138

Access Page (ASA) I-26

access permissions

maps 4-3

access ports

Create and Edit Interface dialog boxes-Access Port mode M-17

understanding 16-8

access rule lookup

from device manager syslog 21-42

access rules

Access Rules page J-2

Adaptive Security Algorithm (ASA) and 12-51

Add Firewall Rule dialog box J-6

adding 12-61

Advanced dialog box J-12

ASA and 12-53

copying 12-69

cutting 12-69

deleting 12-71

disabling 12-68

Edit Category dialog box J-27

Edit Description dialog box J-28

Edit Destinations dialog box J-18

Edit Firewall Option dialog box J-23

Edit Firewall Rule dialog box J-6

editing 12-65

Edit Interface dialog box J-25, J-61

Edit Service dialog box J-21

Edit Sources dialog box J-15

enabling 12-68

FWSM and 12-53

IOS router and 12-53

logging events for an ACE 12-60

moving down 12-70

moving up 12-70

navigating from

ASDM syslog 21-43

SDM syslog 21-46

navigating to the first match

from syslog 21-42

notes 12-52

pasting 12-69

PIX Firewalls and 12-53

recognizing on devices 12-51

Show Destination Contents dialog box J-20

Show Interface Contents dialog box J-26

Show Service Contents dialog box J-23

Show Source Contents dialog box J-17

understanding 12-49, 12-52, 12-60

Access Rules page J-2

accounting

configuring on firewall devices 15-31

accounts and credentials

Cisco IOS routers

overview 14-75

accounts and credentials policies

Accounts and Credentials Policy page K-105

User Accounts dialog box K-108

ACL errors 18-25

ACL names

conflicts and resolutions 12-57

generating 12-54

identifying original 12-58

naming conventions 12-54

notes 12-59

preserving user-defined 12-56

Actions Shortcut menu N-10

Active/Active failover

about 15-57

command replication 15-58

configuration synchronization 15-58

Active/Standby failover 15-57

activities

accessing functions 7-9

Activity Details tab E-5

Activity Manager window E-1

Activity Required (Create Activity) dialog box E-17

Activity Required (Create or Open Activity) dialog box E-18

and locking 7-4

Approve Activity dialog box E-9

Approved state 7-6

approving 7-3, 7-16

benefits of 7-3

Change Report window E-15

closing 7-12

Create Activity dialog box E-7

creating 7-11

Devices tab E-14

Discard Activity dialog box E-11

discarding 7-19

Edit state 7-5

Errors tab E-12

History tab E-6

managing 7-1

multiple users 7-5

Openable Activities dialog box E-19

opening 7-12

Reject Activity dialog box E-10

Rejected state 7-6

rejecting 7-16

Submit Activity dialog box E-8

Submitted state 7-6

understanding 7-2

validating 7-13

Validation dialog box E-12

viewing details 7-19

viewing historical data 7-20

working with 7-9

Activities menu 3-17

Activity Details tab E-5

Activity Manager window E-1

Activity Required (Create Activity) dialog box E-17

Activity Required (Create or Open Activity) dialog box E-18

activity states 7-5, E-4

Adaptive Security Appliances

see ASA devices

Add/Edit IGMP Join Group dialog box

description 15-91

Add/Edit IGMP Static Group dialog box

description 15-90

Add/Edit Multicast Route dialog box

description L-188

Add AAA Rules dialog box J-82

Add Access List dialog box N-75

Add an Entry dialog box N-32

Add Cat6k Block Vlan dialog box N-97

Add Certificate dialog box A-14

Add Custom Signature dialog box N-7

Add Device from Config File wizard C-29

Device Grouping page C-28

Device Information page - Config File C-30

Add Device From DCR wizard

SSL certificates

manually adding 2-72

obtaining while adding devices 2-72

Add Device from DCR wizard C-45

Device Grouping page C-28

Device Information page - DCR C-45

Add Device From Network Wizard

SSL certificates

manually adding 2-72

obtaining while adding devices 2-72

Add Device from Network Wizard

device connectivity test and 5-45

Add Device from Network wizard C-7

Device Credentials page C-15

Device Grouping page C-28

Device Information page - Network C-8

Add Devices to Groups page C-67

Add Firewall Rule dialog box J-6

Add Groups dialog box C-68

Add HTTP Map dialog box F-264

Add Link dialog box B-21

Add Map Object and Node Properties dialog boxes B-22

Add New Device wizard C-34

device connectivity test 5-46

Device Credentials page C-15

Device Grouping page C-28

Device Information page - New Device C-35

Add Other Devices dialog box O-23

Add Permit Response dialog box F-251

Add Regular Expression dialog box F-412

Add Regular Expression Group dialog box F-408

address pools 15-21

Add Rule Section dialog box J-176

Add Signature Parameter--List Entry Dialog Box N-32

Add Standard Access Control Entry dialog box F-47

Add Standard Access List page F-45

Add Transparent Firewall Rule dialog box J-139

Add User Group Selector dialog box I-53

Add User Profile dialog box N-89

Add Virtual Sensor dialog box N-102

Add Web Access Control Entry dialog box F-54

Add WebType Access List page F-52

admin context

in Performance Monitor

deleting 21-20

importing 21-20

overview 15-105, 15-106

administering Performance Monitor

event thresholds, working with 21-28

administration

See settings

selecting policies to manage 6-49

ADSL

ADSL Policy page K-44

ADSL Settings dialog box K-46

defining settings 14-42

supported operating modes 14-41

Advanced dialog box

access rules J-12

AES encryption algorithm

in IKE proposals 9-68

in VPN SPA 9-43

Alarm Indication Signal (AIS) cells 14-54

Alarm Information Dialog table

description 21-40

Alert Aggregation table

description 21-40

Allowed host

use of 17-6

Allowed Hosts page N-74

Analysis J-179

Analysis Engine global variables

configuring 17-11

Analysis Engine tab N-84

analysis reports

generating 12-8

understanding 12-6

Analysis Reports page J-179

anomaly detection

limiting false positives N-43

worm attacks N-43

Anomaly Detection page N-34

anti-spoofing 15-99

anti-virus software policies

modifying

for device manager 21-9

appended CLI commands 19-3

Approve Activity dialog box E-9

Approve Deployment Job dialog box O-25

Approved state 7-6

approvers 2-27

archiving

IEV log files 21-36

area border router 15-95

ARP requests

and CPU usage 21-24

ARP table

static entry L-66, L-68

ASA

FlexConfig object samples 19-8

ASA devices

AAA support 8-26

rollback and SSL certificates 2-72

show version command 5-45

SSL certificate authentication, selecting A-13

table of AAA services 8-28

use of Kerberos 8-26

use of LDAP servers 8-27

use of NT servers 8-26

use of SDI servers 8-26

see also PIX/ASA/FWSM Platform policies

ASA User Group dialog box F-60

Auto Signon Rules F-79

Client Access Rules dialog box F-71

Client Configuration settings F-62

Client Firewall Attributes F-64

Connection settings F-85

DNS/WINS settings F-80

Hardware Client Attributes F-67

IPsec Settings F-69

Split Tunneling settings F-81

SSL VPN Clientless Settings F-72

SSL VPN Full Tunnel Settings F-75

SSL VPN General Settings F-77

SSL VPN Thin Client Settings F-74

Technology settings F-60

ASA user group objects

ASA User Groups page F-58

Auto Signon Rules F-79

Client Access Rules dialog box F-71

Client Configuration settings F-62

Client Firewall Attributes F-64

Connection settings F-85

creating 8-45

DNS/WINS settings F-80

Hardware Client Attributes F-67

IPsec Settings F-69

Split Tunneling settings F-81

SSL VPN Clientless Settings F-72

SSL VPN Full Tunnel Settings F-75

SSL VPN General Settings F-77

SSL VPN Thin Client Settings F-74

Technology settings F-60

understanding 8-43

ASA User Groups page F-58

ASA User Groups Policy page I-51, I-53

ASBR

definition of 15-95

ASDM

connection graphs 21-5

home page, viewing 21-5

Log Buffer panel 21-43

managing

ASA devices 21-5

firewalls 21-5

FWSM 21-5

multiple instances of 21-5

overview 21-5

performance monitoring and 21-5

Real-time Log Viewer panel 21-45

starting from Security Manager 21-5

syslog message

navigating to access rule in Security Manager 21-42

ASDM home page

at-a-glance monitoring 21-5

dynamic dashboard and 21-5

ASDM instances

maximum number of

for all firewall contexts 21-8

for all FWSM contexts 21-8

ASDM sessions

exceeding the limit 21-8

assignment overview 1-13

Assignments tab D-28

Assign Shared Policy dialog box D-3

Asymmetric Digital Subscriber Line (ADSL)

on Cisco IOS routers 14-39

Asynchronous Transfer Mode (ATM) 14-47

ATM 14-47

virtual channel connections (VCCs) 14-48

virtual channel identifier (VCI) 14-48

virtual path connections (VPCs) 14-48

virtual path identifier (VPI) 14-48

Atomic IP engine

parameters (table) N-18

audit log entries

purging 20-11

audit logs

archiving 2-88

understanding 2-88

Audit Logs Settings page A-30

Audit Message Details dialog box Q-11

Audit Report page Q-8

audit reports

examples for defining 20-9

generating 20-9

understanding 20-7

AUS

setting up 5-13

AUS-managed devices

device connectivity test 5-46

authentication

configuring on firewall devices 15-31

device connectivity test 5-47

for devices using SSL

accepting certificates after rollback 2-72

disabling certificate validation 2-72

manually adding certificates 2-72

retrieving certificates while adding devices 2-72

of Performance Monitor 21-16

authentication credentials

device connectivity test failure 5-45

authentication methods

in IKE proposals 9-70

preshared keys 9-70

RSA signatures 9-70

authentication testing

SSH 5-9

authorization

configuring on firewall devices 15-31

AuthProxy dialog box

AAA rules J-100

AuthProxy General tab (IOS) J-165, J-167

AuthProxy page J-164

autolink

omitting reserved networks from maps A-2

Auto Signon Rules

ASA user group objects F-79

Auto Update Server (AUS) 18-30

licensing 2-83

Auto Update Server Properties dialog box C-13

Auto Update Servers

using to deploy to ASA devices 18-12

using to deploy to PIX firewalls 18-12

Auto Update Servers (AUS)

adding 5-37

configuring AUS settings on firewall devices 15-64

editing 5-40

understanding 5-36

Available Auto Update Servers dialog box C-14

Available Bit Rate (ABR) 14-50

Available CNS-Configuration Engines dialog box C-43

Available Servers dialog box C-41

B

background image, map

deleting 4-14

importing 4-13

overview 4-13

scale and position 4-15

setting 4-14

backslash

when defining subinterfaces 8-117

backups

understanding 20-25

using Common Services 20-25

banners

Banner page L-81

configuring on firewall devices 15-37

benefits of product 1-5

BGP routing

BGP Routing Policy page K-238

defining routes 14-183

Neighbors dialog box K-241

on Cisco IOS routers 14-182

redistributing routes 14-185

Redistribution Mapping dialog box K-244

Redistribution tab K-242

Setup tab K-239

blocking

definition of 17-11

Blocking page N-85

boot image and configuration settings

configuring on firewall devices 15-39

bootstrapping devices

integration with Performance Monitor 21-19

bridge groups

defining 14-80

bridging

Cisco IOS routers

Bridge Group dialog box K-111

Bridging Policy page K-109

BVI interfaces 14-78

overview 14-77

PIX/ASA/FWSM

Add/Edit ARP Inspection dialog box L-70

Add/Edit ARP Table Entry dialog box L-68

Add/Edit MAC Learning dialog box L-74

Add/Edit MAC Table Entry dialog box L-72

ARP Inspection page L-69

ARP Table page L-66

configuring on 15-28

MAC Address Table page L-71

MAC Learning page L-73

Management IP page L-75

C

caching

device manager image 21-7

user login credentials 2-71

CA server authentication methods

SCEP (Simple Certificate Enrollment Protocol) 9-88

Cat6k Device dialog box N-96

Catalyst 6500/7600 Device Manager access window

opening from Tools menu Q-8

Catalyst 6500/7600 devices

access ports 16-8

Catalyst Summary Info page M-1

configuring FWSM on 9-48

configuring VPNSM on 9-41

configuring VPN SPA on 9-43

defining IDSM Data Port VLANs 16-28

defining IDSM EtherChannel VLANs 16-25

defining ports 16-9

defining VACLs 16-20

defining VLAN groups 16-16

defining VLANs 16-13

deleting IDSM Data Port VLANs 16-30

deleting IDSM EtherChannel VLANs 16-27

deleting ports 16-12

deleting VACLs 16-23

deleting VLAN groups 16-18

deleting VLANs 16-15

deployment 18-39

discovering policies 16-6

generating interface names 16-11

IDSM settings 16-24

IDSM Settings page M-44

interfaces 16-8

Interfaces/VLANs page M-3

managing 16-1

migrating inventory from earlier release 16-2

migrating unmanaged service modules 16-5

policy discovery 6-8

routed ports 16-8

trunk ports 16-8

viewing configuration summary 16-31

VLAN Access Lists page M-50

VLAN ACLs (VACLs) 16-19

VLAN deployment 18-42

VLAN groups 16-16

VLANs 16-12

Catalyst 6500/7600 switches

including in deployment jobs O-5

Catalyst 6500 Series switches

transport protocol for A-10

Catalyst 6500 Series switches. See Catalyst 6500/7600 devices

Catalyst 6K tab N-96

Catalyst platform policies

general reference M-1

IDSM settings policy

Create and Edit IDSM Data Port VLANs dialog boxes M-47

Create and Edit IDSM EtherChannel VLANs dialog boxes M-46

IDSM Settings page M-44

IDSM Slot-Port Selector dialog box M-49

interfaces/VLANs policy

Access Port Selector dialog box M-8

Create and Edit Interface dialog boxes-Access Port mode M-17

Create and Edit Interface dialog boxes-Dynamic Port mode M-31

Create and Edit Interface dialog boxes-Other mode M-39

Create and Edit Interface dialog boxes-Routed Port mode M-22

Create and Edit Interface dialog boxes-subinterfaces M-37

Create and Edit Interface dialog boxes-Trunk Port mode M-25

Create and Edit VLAN dialog boxes M-6

Create and Edit VLAN Group dialog boxes M-11

Interfaces/VLANs page M-3

Interfaces tab M-14

Service Module Slot Selector dialog box M-12

Summary tab M-42

Trunk Port Selector dialog box M-9

VLAN Groups tab M-10

VLAN Selector dialog box M-13

VLANs tab M-4

VLAN access lists policy

Create and Edit VLAN ACL Content dialog boxes M-54

Create and Edit VLAN ACL dialog boxes M-52

VLAN Access Lists page M-50

Catalyst VPN Services Module (VPNSM)

configuring 9-45

configuring in remote access VPNs 10-16

defining settings (site-to-site VPN) G-24

understanding configuration 9-41

VPNSM/VPN SPA Settings dialog box H-26

VPNSM blade configuration 9-41

Catalyst VPN Shared Port Adapter (VPN SPA)

adding location information during Catalyst 6500/7600 discovery 5-33

configuring a VPN SPA blade 9-45

configuring in remote access VPNs 10-16

defining settings (site-to-site VPN) G-24

dialog box for entering VPN SPA locations during discovery C-22

understanding configuration 9-43

VPNSM/VPN SPA Settings dialog box H-26

VPN SPA Slots dialog box C-24

VPN SPA Slot Selector C-25

categories

editing 8-49

understanding 8-48

category objects

Categories page F-87

Category Editor dialog box F-88

certificate authentication

procedure 2-73

certificates, device

Add Certificate dialog box A-14

adding manually 2-73

disabling (caution) 2-72

disabling validation 2-72

manually adding 2-72

obtaining after rollback 2-72

retrieving while adding devices 2-72

selecting for

ASA devices A-13

FWSM devices A-13

IOS devices A-13

IPS devices A-12

PIX devices A-13

settings for authentication A-10

Certification Authority (CA) servers

naming guidelines 8-139

Change Report window E-15

checklist for getting started 1-15

Choose Files dialog box C-33

Cisco 7600 Series routers

transport protocol, selecting A-10

Cisco 7600 Series routers. See Catalyst 6500/7600 devices

Cisco Adaptive Security Appliances

see ASA devices

Cisco Adaptive Security Device Manager

See ASDM

Cisco Discovery Protocol (CDP) K-33

Cisco Express Forwarding (CEF)

importance for QoS 14-154

Cisco IOS

FlexConfig object samples 19-10

Cisco IOS devices

SSL certificate authentication, selecting A-13

transport protocols, selecting 2-71

Cisco IOS IPS routers

transport protocol, selecting A-10

Cisco IOS routers

802.1x 14-129

AAA 14-68

accounts and credentials 14-75

ADSL 14-39

advanced interface settings 14-29

available interface types 14-22

basic interface settings 14-21

BGP routing 14-182

CPU settings 14-83

default AAA server groups 8-18

dialer interfaces 14-34

discovering policies 14-4

Domain Name System (DNS) 14-107

Dynamic Host Configuration Protocol (DHCP) 14-119

EIGRP routing 14-187

host and domain names 14-109

HTTP 14-85

IOS 12.1 and 12.2 14-3

line access 14-89

logging 14-146

managing 14-1

memory settings 14-111

NAT 14-5

Network Admission Control (NAC) 14-136

Network Time Protocol (NTP) 14-126

optional SSH settings 14-100

OSPF routing 14-195

permanent virtual connections (PVCs) 14-47

platform policies 14-1

Point-to-Point Protocol (PPP) 14-61

policy discovery 6-8

quality of service (QoS) 14-153

RIP routing 14-212

rollback and SSL certificates 2-72

Secure Device Provisioning (SDP) 14-112

SHDSL 14-44

SNMP 14-103

static routing 14-217

time zone settings 14-81

transparent bridging 14-77

version 12.3

adding from DCR 2-69

transport protocol, selecting 2-69

versions 12.1

adding from DCR 2-69

limitation with Security Manager 2-69

transport protocol, compatibility with IOS 12.3 2-69

transport protocol, using 2-69

versions 12.2

adding from DCR 2-69

limitation with Security Manager 2-69

transport protocol, compatibility with IOS 12.3 2-69

transport protocol, using 2-69

Cisco IPS Event Viewer service

enabling with IEV 21-33

Cisco Networking Services (CNS) 18-32

using to deploy to IOS routers 18-13

Cisco PIX firewalls

see PIX/ASA/FWSM Platform policies

Cisco Router and Security Device Manager

See SDM

Cisco Secure Access Control Server (ACS)

adding users 2-39

associating user roles and permissions 2-32

customizing user roles 2-31

default roles 2-30

integrating with Security Manager 2-34, 2-92

integration checklist 2-37

integration requirements 2-35

performing integration 2-38

performing integration in CiscoWorks 2-47

registering Security Manager 2-51

understanding user permissions 2-3

Cisco Secure Access Control Server (ACS) integration

adding managed devices 2-54

adding system administrator 2-39

checklist of tasks 2-37

configuring CiscoWorks AAA mode 2-50

configuring NDGs 2-54

creating administration control user 2-47

creating local users in CiscoWorks 2-48

customizing user roles 2-31

defining system identity user 2-49

list of ACS procedures 2-38

list of CiscoWorks procedures 2-47

list of requirements 2-35

restarting Daemon Manager 2-51

Cisco Secure Access Control Server (ACS) user interface

Add Administrator page 2-47

Administration Control page 2-47

Group Setup page 2-55

New Network Device page 2-46

Shared Components page 2-32

User Setup page 2-39

Cisco Secure ACS

device connectivity test

show version command 5-47

device credentials and 2-70

Cisco Secure Desktop (CSD)

configuring in SSL VPN

on an ASA device 11-46

on an IOS router 11-15

Cisco Secure Desktop page I-54

Cisco Security Agent

icon, waving

disallowing device manager 21-12

IEV and modifying policy 21-32

Messages tab

xdm-launcher.exe 21-12

modifying policies

for device manager 21-9

modifying policy for IEV

automatically 21-32

manually 21-32

not installed on Security Manager server

automatically modifying policy for IEV 21-32

preexisting on Security Manager server

manually modifying policy for IEV 21-32

security level

starting device manager 21-12

starting device manager

allowing xdm-launcher.exe 21-12

untrusted applications

xdm-launcher.exe 21-13

Cisco Security Management Suite server

exiting 3-2

logging in to 3-2

Cisco Trust Agent (CTA) 14-138

CiscoWorks Common Services

assigning roles to users 2-28

associating user roles and permissions 2-32

available user roles 2-27

backing up Security Manager with 20-25

configuring AAA mode 2-50

creating local user for Cisco Secure ACS 2-48

defining system identity user 2-49

exiting 3-2

logging in to 3-2

performing integration for Cisco Secure ACS 2-47

registering Security Manager with Cisco Secure ACS 2-51

understanding user permissions 2-3

CiscoWorks Common Services user interface

AAA Setup Mode page 2-50

Local User Setup page 2-48

System Identity Setup page 2-49

Class-Based Policing 14-161

CLI commands

appended commands 19-3

in FlexConfigs 19-2

prepended 19-3

Client Access Rules dialog box

ASA user group objects F-71

Client Configuration settings

ASA user group objects F-62

client connection characteristics

Client Connection Characteristics page G-97

configuring policies for Easy VPN 9-121

Client Firewall Attributes

ASA user group objects F-64

clientless access mode 11-3

clock

Cisco IOS routers

overview 14-81

configuring on firewall devices 15-40

clock settings

Cisco IOS routers

Clock Policy page K-112

cloning devices

in VPN topologies 9-24

cluster load balancing

configuring 10-23

PIX7.0/ASA Cluster Load Balance page H-50

understanding 10-22

CNS

setting up 5-15

CNS-Configuration Engine Properties dialog box C-42

CNS-managed devices

device connectivity test 5-46

Combine Rules

Rule Combiner Detail Report J-219

Combine Rules Results Summary dialog box J-215

Combine Rules Selection Summary dialog box J-214

combining rules 12-11

criteria notes 12-13

defining criteria 12-15

summary results 12-16

commands

Activities menu 3-17

Edit menu 3-11

Edit menu, table commands 3-29

File menu 3-10

Help menu 3-18

Map menu 3-14

Policy menu 3-13

Tools menu 3-15

View menu 3-12

Common Services

licensing 2-83

Common Services backup

of Security Manager 20-25

communication

between IEV client and server 21-34

compatibility

of transport protocol

between IOS 12.1, 12.2 and IOS 12.3 2-69

configuration

frequently asked questions 18-17

Configuration Archive

rolling back to archived configuration files 20-15

settings 2-62

toolbar, customizing 20-12

transcripts, understanding 20-13

version viewer Q-15

viewing configuration files 20-14

viewing transcripts 20-13

window Q-12

Configuration Archive Settings page A-3

configuration changes

and high CPU usage 21-24

Configuration Engines

adding 5-37

editing 5-40

understanding 5-36

configuration files

deploying in non-Workflow mode 18-38

deploying in Workflow mode 18-41

device connectivity errors and 5-49

previewing 18-43

redeploying to devices 18-45

rolling back to archived configurations 20-15

rolling back to devices 18-48

selecting 3-31

understanding factory-default configurations 15-2

viewing 20-14

configuration rollback

performing reload 18-36

configuration views 1-10

Configure DNS dialog box

inspection rules J-67

Configure ESMTP dialog box

inspection rules J-70

Configure Fragments dialog box

inspection rules J-71

Configure IMAP dialog box

inspection rules J-72

Configure POP3 dialog box

inspection rules J-73

configure replace command 18-36

Configure RPC dialog box

inspection rules J-74

Configure SMTP dialog box

inspection rules J-68

connection

server status 3-4

connection protocol

with device manager 21-7

with Performance Monitor 21-16

Connection settings

ASA user group objects F-85

connection timeout

device communication settings and A-11

connectivity error

correcting 5-46

connectivity protocol

device reachability test, displaying C-21

connectivity test

See device connectivity test

console

Cisco IOS routers

AAA tab K-130

Accounting tab K-134

Authentication tab K-130

Authorization tab K-132

Console Policy page K-126

Setup tab K-127

console port

Cisco IOS routers

defining AAA settings 14-92

defining setup parameters 14-90

console timeout settings

configuring on firewall devices 15-44

Constant Bit Rate (CBR) 14-50

contact credentials

configuring on firewall devices 15-42

contained modules

show 20-5

Contents pane C-7

contexts

see security contexts

continuity check (CC) cells 14-54

control plane (CP)

defining QoS on 14-171

policing on 14-166

Control Plane Policing 14-166

Copy Policies wizard

Copy Policies from this Device page D-6

Copy Policies to these Devices page D-7

Select Policies to Copy page D-8

understanding D-6

counter timer

testing device connectivity 5-50

CPU settings

defining utilization settings 14-84

overview 14-83

CPU usage

associated with services 21-25

causes for increase in

configuration change 21-24

debugging 21-24

disabling STP 21-24

excessive ARP requests 21-24

interrupt level 21-24

more VLANs 21-24

processes with high priority 21-24

security issue 21-23

TCP timer 21-24

description 21-23

increase on

Catalyst 6500/6000 switches 21-24

routers 21-24

show logging exec command

checking 21-24

throttles, overloaded router 21-24

CPU utilization

CPU Policy page K-115

Create a Clone page C-52

Create Activity dialog box E-7

Create a Job dialog box O-12

Create a Policy dialog box D-29

Create Discovery Task dialog box D-16

Create Filter dialog box C-3

Policy Object Manager F-10

Policy view D-26

Create Overrides for Device dialog box F-568

Create Text Object dialog box P-15

Create VPN Topology wizard G-9

credential objects

creating 8-50

understanding 8-50

credentials

for device communication

configured for logging in 2-70

configured on the device 2-70

specifying for device manager 21-10

validation for device manager

error message 21-10

Credentials objects

Credentials dialog box F-90

Credentials page C-57, F-88

crypto maps

dynamic 9-73

in IPsec proposals 9-73

static 9-73

CSMDiagnostics.zip file

contents 20-27

default location 20-27

generating

from client 20-28

from server 20-29

overwriting 20-28

submitting to technical support 20-28

CSM tab A-26

CSV file

adding devices from

to Performance Monitor 21-19

Customize Desktop Settings page A-4

Custom Protocol dialog box

inspection rules J-69

D

Daemon Manager

restarting after Cisco Secure ACS integration 2-51

data polling

CPU usage 21-25

for incremental changes 21-17

VPN tunnel status 21-23

data redundancy

of Security Manager and IEV 21-32

Days of Week dialog box N-38

DCR

adding devices from

to Performance Monitor 21-19

adding from

Cisco IOS 12.1, 12.2 routers 2-69

Cisco IOS 12.3 routers 2-69

device communication settings and 2-69

IOS 12.1, 12.2 routers

limitation with Security Manager 2-69

transport protocol

for IOS 12.1, 12.2 routers 2-69

for IOS 12.3 routers 2-69

DCS properties file

defining SSH settings by editing 2-73

dead-peer detection (DPD) 9-79

debugging

high CPU usage and 21-24

default virtual sensor

vs0 17-15

Defining 14-24, 14-90

Delete Map dialog box B-14

Deploy Job dialog box O-27

deployment

Abort Deployment Job dialog box O-28

Add Other Devices dialog box O-23

Approve Deployment Job dialog box O-25

Catalyst 6500/7600 devices 18-39

changing methods 18-44

clearing XLATE on 15-104

configurations 18-38

Create a Job dialog box O-12

Deploy Job dialog box O-27

Deployment Rollback dialog box O-29

Details tab O-35

device access 2-71

device details 18-50

Discard Deployment Job dialog box O-26

Edit Deploy Method dialog box O-17

Edit Selected Deployment Method dialog box O-19

errors

OS version mismatches 18-14

errors with ACLs 18-25

frequently asked questions 18-17

handling OS version mismatches 18-14

History tab O-36

ignoring errors 18-25

IOS errors 18-25

jobs

see deployment jobs

Main toolbar buttons 18-37

managing 18-1

maximum number of devices 18-24

methods 18-11

non-Workflow mode 18-3

Deploy Saved Changes dialog box O-3

Preview Config dialog box O-21

Preview Messages dialog box O-20

Redeploy a Job dialog box O-32

Reject Deployment Job dialog box O-24

Rollback Confirmation dialog box O-31

Submit Deployment Job dialog box O-23

summary 18-49

Summary tab O-34

taskflow

non-Workflow mode 18-3

Workflow mode 18-5

to devices 18-11

to files 18-13

transport protocols

see deployment transport protocols

understanding 18-1

user login credentials 2-71

using a Cisco Networking Services (CNS) server 18-32

using an Auto Update Server (AUS) 18-30

using a Token Management Server (TMS) 18-28

viewing status information 18-37

Warning - Partial VPN Deployment dialog box O-16

Workflow mode 18-5, 18-41

Create a Job dialog box O-12

Deployment Manager window O-10

dialog boxes O-9

tasks 18-51

windows O-9

working with 18-36

deployment jobs

aborting 18-47

approval 18-9

approving 18-56

benefits of 18-2

changes 18-10

creating 18-51

discarding 18-57

history 18-57

including devices in 18-10

multiple users 18-10

opening 18-54

rejecting 18-56

states

non-Workflow mode 18-4

Workflow mode 18-8

submitting 18-55

Deployment Manager window

Details tab O-35

History tab O-36

Summary tab O-34

Deployment Manager window in non-Workflow mode O-2

Deployment Manager window in Workflow mode O-10

Deployment Rollback dialog box O-29

Deployment Settings page A-5

Deployment Status Details dialog box 18-37, 18-45, O-6

deployment transport protocols

for ASA devices 18-12

for Catalyst 6500/7600 devices 18-12

for IOS routers 18-12

for PIX firewalls 18-12

Deploy Saved Changes dialog box O-3

DES encryption algorithm

in IKE proposals 9-68

Dest Port Map dialog box N-41

Details dialog box

copying output 5-51

displaying

device software version 5-51

hardware 5-51

license details 5-51

pasting output into a file 5-51

device

admin contexts

deleting from Performance Monitor 21-20

importing into Performance Monitor 21-20

device access

configuring on firewall devices 15-43

Device Access policies N-74

device access policies

defining 14-75

device administration policies

configuring on firewall devices 15-30

Device Admin policies N-74

device authentication

accepting SSL certificates after rollback 2-72

certificates, selecting 2-72

overview 2-70

selecting for

ASA devices A-13

FWSM A-13

IOS devices A-13

IPS devices A-12

PIX devices A-13

device certificates

Add Certificate dialog box A-14

adding manually 2-73

settings for authentication A-10

device communication settings

adding Cisco IOS 12.1, 12.2 routers

communication protocol 2-69

from DCR 2-69

from DCR, workaround 2-69

limitation with Security Manager 2-69

adding IOS routers

from DCR 2-69

transport protocol, selecting 2-69

connection timeout A-11

defining 2-68

device credentials 2-70

HTTPS port number 2-73

overriding HTTP policy 2-73

retry count A-11

socket read timeout A-11

SSL certificates

disabling validation 2-72

manually adding 2-72

obtaining from devices after rollback task 2-72

retrieving while adding devices 2-72

user login credentials 2-70

Device Communication settings page

default transport protocol

device connectivity test 5-46

overview 2-68

device connectivity

testing

after adding to the inventory 5-50

while adding a device from the network 5-47

while adding a new device 5-49

verifying 5-47

device connectivity error

device manager and 21-11

device connectivity test

error message

show version command 5-47

Device Connectivity Test dialog box

closing 5-51

counter timer 5-50

progress bar 5-50

viewing

status of test 5-50

time elapsed 5-50

transport protocol 5-50

device connectivity tests

aborting 5-51

Add Device from Network Wizard 5-45

Add New Device wizard 5-49

cause for failure 5-45

connection protocol C-21

Details dialog box 5-51

Device Connectivity Test dialog box, displaying 5-50

device credentials 5-46

Device Credentials page 5-47

devices, adding 5-46

error, correcting 5-46

error message

incorrect OS type for live devices 5-47

transport protocol 5-46

error messages

device credentials 5-46

getVersion command 5-45

guidelines for working with 5-46

introduction 5-45

overview 5-45

performing before

assigning policies 5-49

generating config files 5-49

performing on devices managed by

AUS 5-46

CNS 5-46

TMS 5-46

protocol used 5-46

retry counts 5-45

show version command 5-45

status, displaying C-21

timeout 5-45

using Device Properties page 5-50

verifying 5-47

device credentials

configuring

on an AAA server 2-70

on the device 2-70

device communication and 2-70

device connectivity test, specifying 5-46

drawbacks in environments

requiring a separate user account 2-70

using external AAA server 2-70

starting device manager and 21-10

understanding 5-43

validation error messages C-27

Device Credentials page C-15

device connectivity test 5-47

HTTPS port number

overriding with HTTP policy 2-73

Device Delete Validation Details dialog box C-51

device group

adding to Performance Monitor 21-19

definition in Performance Monitor 21-19

Device Grouping page C-28

device grouping shortcut menu options C-65

device groups

working with 2-75

Device Groups page A-15, C-59

Device Information page - Config File C-30

Choose Files dialog box C-33

Device Information page - DCR C-45

Device Information page - Network C-8

Device Information page - New Device C-35

device lists

adding sensors 21-36

deleting sensors 21-36

device manager

and exiting Security Manager 21-7

and Security Manager communication

enabling HTTPS on the device 21-10

associating user roles and permissions 21-8

Cisco Security Agent

modifying policies 21-9

communicating with Security Manager 21-7

connection protocol 21-7

error message 21-11

exiting 21-10

guidelines for working 21-8

hardware requirements 21-14

instances of 21-7

interception of requests from 21-7

interoperability with device software version 21-13

latest IOS versions, support for 21-9

memory impact on

Security Manager client 21-9

Security Manager server 21-9

multiple instances

from different clients 21-8

on the same client 21-8

out-of-band change and 21-2

preferences across sessions 21-10

prerequisites for starting 21-11

progress of the launch 21-13

read-only view 21-2

running show commands 21-10

starting

one instance per device per client 21-8

starting (procedure) 21-10, 21-12

starting for a device

without image installed 21-8

without management IP address 21-9

starting from Security Manager 21-2

syslog

navigating to Security Manager 21-42

Tools menu

show commands 21-10

uninstalling 21-2

versions supported for device software 21-14

device manager image

caching 21-7

default location 21-2

downloading from server 21-7

shipping with Security Manager server 21-2

supported versions (table) 21-14

device manager window

inactive 21-7

minimized 21-7

device OS version

device manager interoperability with 21-13

Device Properties

Credentials page C-57

Device Groups page C-59

General page C-54

Policy Object Override pages

general reference C-60

device properties

defining 5-53

understanding 5-51

Device Properties page

creating object overrides 8-198

deleting overrides 8-201

testing device connectivity 5-50

understanding C-53

device reachability

description 21-19

viewing from

Inventory Status window 21-21

device reachability tests

See device connectivity tests

devices

adding 5-30

adding from DCR

manually adding certificates 2-72

retrieving certificates 2-72

adding from the network

connectivity test 5-46

adding ones not on the network

connectivity test 5-46

adding to Performance Monitor

from CSV file 21-19

from DCR 21-19

manually 21-19

adding to the network

device connectivity failure 5-47

assigning shared policies 6-33

configuring local policies 6-21

copying policies between 6-23

copying shared policies 6-36

creating policy object overrides 8-198

deleting from inventory 5-56

deleting policy object overrides 8-201

deploying to dynamically addressed 18-12

deploying to 18-13

deployment to 18-11

discovering policies 6-7

discovering policies on existing devices 6-10

including in jobs 18-10, O-5, O-14

managing 5-1

maps

adding existing managed 4-18

adding new managed 4-17

displaying devices from Device View 4-19

displaying managed 4-17

showing containment for Catalyst switches, ASA, PIX devices 4-19

modifying policy assignment 6-39

modifying shared policies 6-38

monitoring

enabling and disabling in Performance Monitor 21-20

policy status icons 6-22

preparing 5-2

redeploying configuration files to 18-45

renaming policies 6-37

replacing policies 6-33

rolling back configuration files to 18-48

sharing multiple policies 6-30

show commands

accessing from device manager 21-10

testing connectivity

after adding to the inventory 5-50

while adding a new one 5-49

while adding from the network 5-47

unassigning policies 6-25

unsharing policies 6-32

validating

scheduling device validations 21-20

validation by Performance Monitor 21-20

viewing configuration

from device manager 21-10

working with communication settings UI 2-68

Device selector C-2

device selector

filtering 5-28

device shortcut menu options C-62

Devices page C-2

Devices tab E-14

Devices User Interface Reference C-1

Device view

assigning shared policies 6-33

configuring local policies 6-21

copying policies between devices 6-23

copying shared policies 6-36

editing site-to-site VPN policies in 9-65

managing policies 6-20

managing VPN devices in 9-62

modifying policy assignments 6-39

modifying shared policies 6-38

overview 1-11

policy status icons 6-22

renaming policies 6-37

sharing local policies 6-28

sharing multiple policies 6-30

Site-to-Site VPN Topologies page G-104

unassigning policies 6-25

understanding basic policy management 6-20

understanding shared policies 6-27

unsharing policies 6-32

device view

understanding 5-24

DHCP

Cisco IOS routers

defining address pools 14-125

defining policies 14-123

DHCP Database dialog box K-184

DHCP Policy page K-181

IP Pool dialog box K-185

overview 14-119

understanding database agents 14-120

understanding option 82 14-122

understanding relay agents 14-121

understanding secured ARP 14-122

PIX/ASA/FWSM

configuring DHCP relay 15-66

configuring DHCP servers 15-68

diagnostic executable

generating

CSMDiagnostics.zip file 20-28

running from

client 20-28

server 20-29

diagnostics executable

collecting problem details 20-26

MDCSupport utility, plug-in 20-26

submitting problem report 20-26

dial backup

configuring 9-39

configuring in Easy VPN 9-110

Dial Backup Settings dialog box G-36

understanding 9-38

dialer interfaces

defining BRI properties 14-37

defining profiles 14-35

Dialer Physical Interface dialog box K-42

Dialer Policy page K-38

Dialer Profile dialog box K-40

on Cisco IOS routers 14-34

Diffie-Hellman groups

in IKE proposals 9-69

Digital Subscriber Line (DSL) 14-39

digital subscriber line access multiplexer (DSLAM) 14-39

directed broadcasts

enabling K-37

Discard Activity dialog box E-11

Discard Deployment Job dialog box O-26

discovering remote access VPNs 10-2

discovering site-to-site VPNs 9-17

Discover VPN Policies wizard G-106

Device Selection page G-108

Name and Technology page G-107

discovery

device access 2-71

login credentials and 2-71

Map View 4-36

overview 1-13

Settings page A-17

Discovery Details pane Q-4

Discovery Status dialog box D-19

discovery task

frequently asked questions 6-13

starting 6-10

viewing status 6-12

Distinguished Name (DN) matching policies

configuring 10-31

DN Matching Policy page H-52

understanding 10-30

Distinguished Name (DN) matching rules

configuring 10-33

DN Matching Rules page H-54

DN Rule dialog box (lower pane) H-57

DN Rule dialog box (upper pane) H-56

understanding 10-32

Distributed Traffic Shaping (DTS) 14-161

DMVPN (Dynamic Multipoint VPN)

advantages of using with GRE 9-102

configuring policies 9-104

IPsec technology 9-8

large scale DMVPNs

configuring 9-107

understanding 9-107

understanding 9-101

using with GRE 9-102

DNS

configuring on firewall devices 15-70

DNS/WINS settings

ASA user group objects F-80

DNS class map objects

Add DNS Class Map dialog box F-98

creating 8-58

Edit DNS Class Map dialog box F-98

match criterion

DNS class F-102

DNS type F-103

domain name F-104

header flag F-106

question F-107

resource record F-108

DNS Class Maps page F-96

DNS policy map objects

Add DNS Map dialog box F-204

creating 8-72

DNS Maps page F-203

Edit DNS Map dialog box F-204

Filtering tab F-208

match condition

DNS class F-216

DNS type F-218

domain name F-220

header flag F-222

question F-224

resource record F-225

use values in class map F-227

Match Condition and Action tab F-212

Mismatch Rate tab F-210

Protocol Conformance tab F-206

understanding 8-71

Domain Name System (DNS)

Cisco IOS routers

defining policies 14-108

DNS Policy page K-170

IP Host dialog box K-171

overview 14-107

Drill Down Dialog table

description 21-40

DSLAM 14-39

duplex

interface L-65

dynamically assigned IP addresses

adding devices with 5-36

dynamic crypto maps 9-73

dynamic IP devices

GRE for 9-98

dynamic NAT

creating rules on Cisco IOS routers 14-16

dynamic VTI

configuring in Easy VPN 9-111

Dynamic VTI tab (remote access VPN) H-31

Dynamic VTI tab (site-to-site VPN) G-84

in remote access VPNs 10-13

E

Easy VPN

Advanced tab G-94

client connection characteristics 9-121

Client VPN Software Update tab G-96

configuring dial backup in 9-110

configuring dynamic VTI in 9-111

configuring high availability in 9-110

Dynamic VTI tab G-84

General tab G-89

IPsec Proposal page G-78

Dynamic VTI tab G-84

IPsec Proposal tab G-79

IPsec proposals 9-115

IPsec tab G-92

IPsec technology 9-8

tunnel group policies 9-119

Tunnel Group Policy page G-88

understanding 9-109

user group policies 9-117

User Group Policy page G-87

Edit AAA Option dialog box J-99

Edit AAA Rules dialog box J-82

Edit AAA Server Group dialog box J-101

Edit Actions dialog box N-10

Edit Category dialog box

AAA rules J-102

access rules J-27

inspection rules J-76

transparent rules J-146

web filter rules J-124

Edit Deploy Method dialog box O-17

Edit Description dialog box

AAA rules J-103

access rules J-28

inspection rules J-77

transparent rules J-146

web filter rules J-125

Edit Destinations dialog box J-18

AAA rules J-91

inspection rules J-56

web filter rules J-116

Edit Device Groups page C-66

Edit Endpoints dialog box G-18

Protected Networks tab G-27

VPN Interface tab G-19

Edit Extended Access List page F-36

Edit Fidelity dialog box N-12

Edit Firewall Option dialog box J-23

Edit Firewall Rule dialog box J-6

Edit Inspected Protocol dialog box J-65

Edit Interface dialog box

AAA rules J-97

access rules J-25, J-61

transparent rules J-144

Edit menu 3-11

Edit menu, table commands 3-29

Edit Permit Response dialog box F-251

Edit Proxy Server Settings dialog box A-23

Edit Regular Expression dialog box F-412

Edit Regular Expression Group dialog box F-408

Edit Rule Section dialog box J-176

Edit Selected Deployment Method dialog box O-19

Edit Service dialog box

AAA rules J-59, J-94

access rules J-21

web filter rules J-119

Edit Signature dialog box N-4

Edit Signature Parameter--Component List dialog box N-31

Edit Signature Parameter--List Entry dialog box N-32

Edit Signature Parameters dialog box N-13

Edit Sources dialog box J-15

AAA rules J-88

inspection rules J-53

web filter rules J-113

Edit Standard Access Control Entry dialog box F-47

Edit Standard Access List page F-45

Edit state 7-5

Edit Transparent EtherType dialog box J-143

Edit Transparent Firewall Rule dialog box J-139

Edit Transparent Mask dialog box

transparent rules J-144

Edit Virtual Sensor dialog box N-103

Edit Web Access Control Entry dialog box F-54

Edit Web Filter Options dialog box J-123

Edit Web Filter Type dialog box J-122

Edit WebType Access List page F-52

EIGRP routing

defining interface properties 14-190

defining routes 14-188

Edit Interfaces dialog box K-249

EIGRP Routing Policy page K-246

Interface dialog box K-251

Interfaces tab K-250

on Cisco IOS routers 14-187

redistributing routes 14-193

Redistribution Mapping dialog box K-255

Redistribution tab K-253

Setup dialog box K-248

Setup tab K-247

enabling

HTTPS on the device

for starting device manager 21-10

encryption algorithms

3DES (Triple DES) 9-68

AES (Advanced Encryption Standard) 9-68

DES (Data Encryption Standard) 9-68

in IKE proposals 9-68

endpoints and protected networks

defining in VPN topologies 9-28

Protected Networks tab G-27

understanding 9-26

VPN Interface tab G-19

error message

IEV server installation 21-35

error messages

device connectivity test

incorrect credentials 5-46

incorrect OS type for live devices 5-47

show version command 5-47

transport protocol not configured 5-46

device manager-related

connectivity to the device 21-11

credentials validation 21-10

hostname not configured 21-11

SSL not enabled on the device 21-11

starting a second instance 21-11

errors

deployment 18-25

Errors tab E-12

EtherChannel

Create and Edit IDSM EtherChannel VLANs dialog boxes M-46

defining IDSM VLANs 16-25

deleting IDSM VLANs 16-27

Ethereal

description 21-35

location 21-35

evaluation license

upgrading to permanent license 2-82

Event Action Filters page N-47

Event Action Filters tab

described N-60

Event Action Override dialog box N-53

Event Action Overrides page N-52

Event Action policies N-46

Event Browser window

viewing VPN tunnel status 21-22

event data

Inventory Status window 21-18

network outage 21-17

overwriting older events 21-16

persisting new events 21-16

restarting Daemon Manager 21-17

viewing in real time 21-38

events

categories

failure 21-29

performance 21-29

definition 21-18

threshold 21-18

thresholds, working with 21-28

event threshold

configuring (procedure) 21-28

creating, guidelines 21-28

recording, alarm 21-28

event type

configuring for service 21-27

enabling threshold 21-27

supported for service type 21-27

Exclusive Domain Name dialog box

web filter rules J-134

exclusive domains

adding (IOS) 12-117

deleting (IOS) 12-120

editing (IOS) 12-119

Exclusive Domains tab

web filter rules J-130

exiting

Cisco Security Management Suite server 3-2

CiscoWorks Common Services 3-2

device manager 21-10

IEV client 21-34

Security Manager 3-2, 3-3

login credentials and 2-71

Expanded Details Dialog table

description 21-40

Extended ACL tab F-34

Add Extended Access List page F-36

Edit Extended Access List page F-36

External Product Interface dialog box N-81

External Product Interface page N-80

F

factory-default configurations 15-2

failover

PIX/ASA/FWSM

active/active 15-57

active/standby 15-57

configuring on 15-55

stateful 15-60

stateless 15-59

types of 15-57

understanding 15-56

failover link 15-56

failure metric

configuring threshold 21-29

false positives

definition of 13-16

feature sets 1-7

File menu 3-10

files

deploying to 18-13

selecting 3-31

Filter Item dialog box N-48

filters

defined using signature categories 13-22

find and replace

defining criteria 12-22

notes 12-19

understanding regular expressions 12-20

using 12-18

Find and Replace page J-177

Find Node dialog box B-15

Firewall AAA IOS Timeout Value Setting dialog box J-168

Firewall AAA MAC Exempt Setting dialog box J-163

Firewall ACL Setting dialog box J-151

Firewall Device dialog box N-95

firewall mode

changing 15-29

firewall policy properties 12-3

firewall service module (FWSM)

including in deployment jobs O-5, O-14

Firewall Service Module Credentials and VPN SPA Slot Location dialog box C-22

firewall services

AAA rules

adding 12-91

understanding 12-89

access controls

object group search 12-134

access rules

adding 12-61

copying 12-69

cutting 12-69

deleting 12-71

disabling 12-68

editing 12-65

enabling 12-68

logging events for an ACE 12-60

moving down 12-70

moving up 12-70

notes 12-52

pasting 12-69

recognizing on devices 12-51

understanding 12-49, 12-60

ACL names

conflicts and resolutions 12-57

generating 12-54

identifying original 12-58

naming conventions 12-54

notes 12-59

preserving user-defined 12-56

analysis reports 12-6

generating 12-8

Combine Rules

Rule Combiner Detail Report J-219

Combine Rules Results Summary dialog box J-215

Combine Rules Selection Summary dialog box J-214

combining rules 12-11

criteria notes 12-13

defining criteria 12-15

summary results 12-16

find and replace

defining criteria 12-22

notes 12-19

understanding regular expressions 12-20

using 12-18

Find and Replace page J-177

firewall settings

AAA 12-146

AAA rules 12-147, 12-149, 12-150, 12-151, 12-152

access controls 12-132, 12-138, 12-139, 12-140

configuring settings 12-142

inspection rules 12-143

per user downloadable ACLs 12-135, 12-136

understanding 12-133

web filter servers 12-156, 12-158, 12-160, 12-161

hit count

changing displayed results 12-27, 12-28, 12-29

changing displayed results, filtering columns 12-28

generating reports 12-25

understanding 12-24

understanding report results 12-26

importing rules 12-32

examples 12-34, 12-35

how to 12-36

notes 12-33

Import Rules

Show Destination Contents dialog box J-192

Show Interface Contents dialog box J-194

Show Service Contents dialog box J-193

Show Source Contents dialog box J-191

Import Rules - Enter Parameters dialog box J-183

Import Rules - Preview page J-186

Objects tab J-190

Rules tab J-187

Import Rules - Status page J-185

inspection rules

configuring 12-77, 12-78, 12-80, 12-81

copying 12-86

cutting 12-86

deleting 12-88

disabling 12-86

editing 12-83

enabling 12-86

moving down 12-87

moving up 12-87

pasting 12-86

supported features 12-145

understanding 12-72, 12-74

managing 12-1

managing rules tables 12-5

Map View 4-24

object groups

expanding during discovery 12-49

optimizing policy objects

in rules 12-47

notes 12-48

policy query

generating reports 12-39

report results 12-40

understanding 12-37

policy query details example 12-43

policy query parameters 12-40

policy query results table 12-41

rule sections

Add Rule Section dialog box J-176

Edit Rule Section dialog box J-176

rule table sections

adding 12-45

adding to an existing section 12-46

editing 12-46

notes 12-44

removing an existing section 12-47

removing from an existing section 12-46

understanding 12-44

Firewall Services Module (FWSM)

configuring with VPNSM 9-49

FWSM blades 9-48

FWSM Settings tab (remote access VPN) H-29

FWSM tab (site-to-site VPN) G-29

understanding configuration 9-48

see also PIX/ASA/FWSM Platform policies

firewall settings

AAA Firewall page J-157

Access Control page J-147

access controls

access list compilation 12-138

object group search 12-133

per user downloadable ACLs (PIX/ASA/FWSM) 12-135

AuthProxy General tab (IOS) J-165

AuthProxy page J-164

AuthProxy Timeout tab (IOS) J-167

configuring settings

firewall ACL 12-142

Firewall AAA IOS Timeout Value Setting dialog box J-168

Firewall AAA MAC Exempt Setting dialog box J-163

Firewall ACL Setting dialog box J-151

Inspection page J-154

Web Filter page J-170

Web Filter Server Configuration dialog box J-174

firewall system variables 19-14, 19-17

Firewall tab N-94

FlexConfig Editor dialog box P-11

FlexConfig objects

ASA samples 19-8

Cisco IOS samples 19-10

creating 8-53, 19-42

deleting 19-49

duplicating 19-43

editing 19-45

generating usage reports for 19-47

PIX samples 19-11

router samples 19-12

understanding 8-52, 19-2

viewing details 19-47

FlexConfig object variables

deleting 19-53

FlexConfig policies P-1

understanding 19-36

FlexConfig Policy page P-1

FlexConfig Policy Preview dialog box P-9

FlexConfigs

adding 19-50

CLI commands in 19-2

creating (scenario) 19-36

deleting 19-51

example 19-7

managing 19-1

previewing 19-52

reordering 19-52

scripting language

examples of 19-4, 19-5

understanding 19-3

working with 19-41

FlexConfigs objects page P-10

FlexConfig system variables

firewalls 19-14, 19-17

remote access 19-35

routers 19-24

understanding 19-13

VPNs 19-25

FlexConfig Undefined Variables dialog box P-16

floodguard 15-99

fragmentation

in remote access VPNs 10-27

General Settings tab H-47

in site-to-site VPNs

General Settings tab G-56

understanding 9-82

maximum transmission unit (MTU) 9-82

fragments settings 15-99

frequently asked questions

policy discovery 6-13

FTP class map objects

Add FTP Class Map dialog box F-111

Add Match Criterion dialog box F-113

creating 8-61

Edit FTP Class Map dialog box F-111

Edit Match Criterion dialog box F-113

FTP Class Maps page F-109

match criterion

filename F-116

file type F-117

request command F-115

server F-119

username F-120

FTP policy map objects

creating 8-75

FTP Maps page F-228

match condition

filename F-237

file type F-238

request command F-235

server F-239

username F-241

use values in class map F-242

Match Conditions and Actions tab F-232

Parameters tab F-231

understanding 8-75

full mesh topologies

description 9-6

diagram 9-6

full tunnel client access mode 11-4

FWSM

rollback and SSL certificates 2-72

see Firewall Services Module (FWSM)

show version command 5-45

SSL certificate authentication, selecting A-13

FWSM Settings tab (remote access VPN) H-29

G

Gateway and Context page I-2

General Configuration tab N-76

General page C-54

General sub-tab N-40

General tab N-86

getting started

checklist 1-15

getting to know Security Manager

getVersion command

device connectivity test and 5-45

GRE (generic routing encapsulation)

advantages of IPsec tunneling with GRE 9-94

configuring policies 9-99

for devices with dynamic IP 9-98

GRE Modes page G-66

implementation 9-95

IPsec technology 9-8

prerequisites for successful configuration 9-96

understanding in site-to-site VPNs 9-94

using DMVPN with 9-102

GRE Dynamic IP

configuring policies 9-99

for dynamically addressed spokes 9-98

IPsec technology 9-8

groups

add C-68

add devices to C-67

adding devices to 5-62

creating 5-60

deleting 5-61

working with 2-75, 5-59

group types

creating 5-59

deleting 5-61

GTP map objects

Add Country Network Codes dialog box F-250

Add Permit Response dialog box F-251

Edit Country Network Codes dialog box F-250

Edit Permit Response dialog box F-251

GTP Map Timeouts dialog box F-252

GTP policy map objects

Add GTP Map dialog box F-245

creating 8-79

Edit GTP Map dialog box F-245

GTP Maps page F-243

GTP Map Timeouts dialog box F-252

match condition

access point name F-255

message ID F-257

message length F-259

version F-260

Match Condition and Action tab F-254

Parameters tab F-247

understanding 8-78

GUI timeout

Settings page

H

Hardware Client Attributes

ASA user group objects F-67

hardware requirements

for device manager 21-14

hash algorithms

in IKE proposals 9-69

MD5 9-69

SHA 9-69

help

accessing 3-32

help desk users 2-27

helper addresses 14-30

Help menu 3-18

high availability

of Security Manager and IEV 21-32

high availability (HA groups)

configuring a policy in remote access VPN 10-20

configuring in Easy VPN 9-110

configuring in site-to-site VPN 9-60

High Availability page (remote access VPN) H-37

High Availability page (site-to-site VPN) G-38

in remote access VPNs 10-19

prerequisites 9-59

stateful failover 9-59

stateless failover 9-59

understanding in site-to-site VPN 9-58

Histogram dialog box N-42

History tab E-6

hit count

changing displayed results 12-27

filtering columns 12-28

sorting columns 12-28

viewing details 12-29

generating reports 12-25

understanding 12-24

understanding report results 12-26

Hit Count page J-209

home page

ASDM, viewing 21-5

PDM, viewing 21-4

SDM, viewing 21-6

hostnames

Cisco IOS routers

defining 14-110

Hostname Policy page K-172

overview 14-109

hostname settings

configuring on firewall devices 15-62

HSRP 15-29

HTTP

Cisco IOS routers

AAA tab K-122

Command Authorization Override dialog box K-125

defining policies 14-86

HTTP Policy page K-119

overview 14-85

Setup tab K-120

HTTP class map objects

Add HTTP Class Map dialog box F-123

Add Match Criterion dialog box F-125

creating 8-63

Edit HTTP Class Map dialog box F-123

Edit Match Criterion dialog box F-125

match criterion

request/response content type mismatch F-128

request arguments F-129

request body F-131

request body length F-132

request header content type F-141

request header count F-133

request header field F-135

request header field count F-138

request header field length F-139

request header length F-134

request header non-ascii F-145

request header transfer encoding F-143

request method F-146

request uri F-148

request uri length F-149

response body F-152

response body activeX F-150

response body java applet F-151

response body length F-153

response header content type F-162

response header count F-154

response header field F-156

response header field count F-159

response header field length F-160

response header length F-155

response header non-ascii F-166

response header transfer encoding F-164

response status line F-167

HTTP Class Maps page F-121

HTTP Credentials dialog box C-19

HTTP policy

overriding HTTPS port number 2-73

sharing

HTTPS port number 2-73

HTTP policy map objects

ASA7.1.x/PIX7.1.x/FWSM3.x/IOS

creating 8-83

ASA7.1.x/PIX7.1.x/IOS 8-89

creating 8-85, 8-86, 8-88, 8-90, 8-92

Entity Length tab F-269

Extension Request Method tab F-274

General tab F-266

Port Misuse tab F-277

RFC Request Method tab F-271

Transfer Encoding tab F-280

ASA7.2/PIX7.2

creating 8-93

Edit HTTP Map dialog box F-285

Edit Match Condition and Action dialog box F-291

match condition F-295, F-296, F-298, F-300, F-301, F-302, F-304, F-306, F-309, F-311, F-313, F-315, F-316, F-319, F-320, F-322, F-323, F-324, F-325, F-327, F-328, F-330, F-332, F-334, F-336, F-339, F-341, F-342, F-344

Match Condition and Action tab F-289

Parameters tab F-287

HTTP Maps (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) page F-261

HTTP Maps (ASA7.1.x/PIX7.1.x/IOS) F-264

Add HTTP Map dialog box F-264

HTTP Maps (ASA7.2/PIX7.2) page F-283

understanding 8-82

HTTP settings

configuring on firewall devices 15-45

HTTPS port number

communication with the device 2-73

entering globally for all devices 2-73

overriding HTTP policy settings 2-73

hub-and-spoke topology

description 9-3

diagram 9-4

I

ICMP settings

configuring on firewall devices 15-46

configuring on IOS routers