Table Of Contents
Preparing Devices for Management
Understanding Device Communication Requirements
Setting Up SSL (HTTPS)
Setting Up SSL (HTTPS) on PIX Firewall, ASA and FWSM Devices
Setting Up SSL on Cisco IOS Routers
Setting Up SSH
Critical Line-Ending Conventions for SSH
Testing Authentication
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Preventing Non-SSH Connections (Optional)
Setting Up AUS or CNS
Setting Up AUS on PIX Firewall and ASA Devices
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
Setting Up CNS on Cisco IOS Routers in Call-Home Mode
Changing the CNS Bootstrap Password on an Auto Update Server
Initializing IPS Devices
Preparing Devices for Management
Before you start to manage a device using Security Manager, you should prepare the device with at least a minimal configuration. The following sections describe the basic device configurations needed for various transport protocols or device types. Before configuring transport protocols, determine the requirements for your devices by reading Understanding Device Communication Requirements.
• Understanding Device Communication Requirements
• Setting Up SSL (HTTPS)
• Setting Up SSH
• Setting Up AUS or CNS
• Initializing IPS Devices
Understanding Device Communication Requirements
Security Manager provides many different ways for you to manage devices. The easiest methods involve Security Manager directly contacting the devices. Security Manager might access a device during inventory or policy discovery, during configuration deployment, or in response to actions you take in Security Manager that request device contact (such as testing connectivity).
Because you can use off-line methods to add devices to the Security Manager inventory or to deploy configuration changes to the devices, configuring device communication settings for Security Manager's use is optional. However, you typically need to configure basic device communication settings on the devices to implement your off-line or customized configuration deployment tools.
In Security Manager, you can configure which transport protocol to use as the default for a type of device, and change it for specific devices that are configured to respond to a different protocol. Security Manager is configured with default protocols that are the most commonly-used protocols for that type of device. To change the default device communication setting for a type of device, select Tools > Security Manager Administration and select Device Communication from the table of contents (for more information, see Device Communication Page, page A-11). To change the transport setting for a specific device, modify its device properties as described in Viewing or Changing Device Properties, page 6-17.
Security Manager can use these transport protocols:
• SSL (HTTPS)—Secure Socket Layer, which is an HTTPS connection, is the only transport protocol used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services Modules (FWSM). It is also the default protocol for IPS devices and for routers running Cisco IOS Software release 12.3 or higher.
If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on the routers. Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Note: DES encryption is not supported on Common Services 3.0 and later. Ensure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Security Manager have a 3DES/AES license.
For information on configuring SSL, see Setting Up SSL (HTTPS).
• SSH—Secure Shell is the default transport protocol for Catalyst switches and Catalyst 6500/7600 devices. You can also use it with Cisco IOS routers.
For information on configuring SSH, see Setting Up SSH.
• Telnet—Telnet is the default protocol for routers running Cisco IOS software releases 12.1 and 12.2. You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers running Cisco IOS Software release 12.3 and higher. See the Cisco IOS software documentation for configuring Telnet.
• HTTP—You can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default protocol for any device type.
• TMS—Token Management Server is treated like a transport protocol in Security Manager, but it is not a real transport protocol. Instead, by configuring TMS as the transport protocol of a router, you are telling Security Manager to deploy configurations to a TMS. From the TMS, you can download the configuration to an eToken, plug the eToken into the router's USB bus, and update the configuration. TMS is available only for certain routers running Cisco IOS Software 12.3 or higher.
For information on deploying configurations to a TMS and downloading them to a router, see Deploying Configurations to a Token Management Server, page 18-26.
Security Manager can also use indirect methods to deploy configurations to devices, staging the configuration on a server that manages the deployment to the devices. These indirect methods also allow you to use dynamic IP addresses on your devices. The methods are not treated as transport protocols, but as adjuncts to the transport protocol for the device. You can use these indirect methods:
• AUS (Auto Update Server)—When you add a device to Security Manager, you can select the AUS server that is managing it. You can use AUS with PIX Firewalls, ASA devices, and Cisco IOS routers.
If you configure the AUS server to support the CNS Gateway protocol, you can use it with Cisco IOS routers that have dynamic IP addresses. However, you must also configure SSH and SSL on the routers.
For information on configuring a device to use an AUS server, see Setting Up AUS or CNS.
• CNS-Configuration Engine—When you add a router to Security Manager, you can select the Configuration Engine that is managing it.
For more information on configuring a router to use a CNS-Configuration Engine server, see Setting Up AUS or CNS.
For information on adding devices that use AUS or CNS servers to Security Manager, and how to add the servers, see these topics:
• Adding Devices to the Device Inventory, page 6-7
• Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 6-14
Setting Up SSL (HTTPS)
With many devices, you can use the Secure Socket Layer (SSL) protocol, also known as HTTPS, to communicate with the device. When you deploy configurations with this protocol, Security Manager encrypts the configuration file before sending it to the device.
The following topics describe how to set up SSL on the devices:
• Setting Up SSL (HTTPS) on PIX Firewall, ASA and FWSM Devices
• Setting Up SSL on Cisco IOS Routers
Setting Up SSL (HTTPS) on PIX Firewall, ASA and FWSM Devices
Table 5-1 describes the tasks to complete before you use SSL as the transport protocol for device management on PIX Firewall, ASA and FWSM devices.
Table 5-1 Setting Up SSL on PIX Firewall, ASA, and FWSM Devices
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode.
Respond to the prompts appropriately. Here are some tips:
1. Enter y when the prompt asks if you want to preconfigure using interactive prompts.
2. Enter the current enable password.
3. Specify the time zone, year, month, day, and time.
4. If the device:
– Is new—Specify the network interface IP address and network mask that applies to the inside IP address of the device.
– Exists—Verify that the interface IP address and mask are correct.
5. If the device:
– Is new—Specify the hostname and the domain name.
– Exists—Verify that the hostname and domain name are correct.
6. When prompted for the IP address of the host that runs the PIX Device Manager, specify the IP address of the Security Manager server.
7. Enter yes when the prompt asks if you want to write the above changes to Flash.
Step 2
Enter: hostname(config)# http server enable
Result: Enables the HTTP server.
Step 3
Enter: hostname(config)# http ip_address [netmask] [if_name]
Result: Specifies the host or network authorized to initiate an HTTP connection to the device.
• ip_address—IP address of the Security Manager server.
• netmask—Network mask for the IP address.
• if_name—Device interface name (default is inside) from which Security Manager initiates the HTTP connection.
Step 4
Enter: hostname(config)# write memory
Result: Saves the current configuration in Flash memory.
Setting Up SSL on Cisco IOS Routers
Table 5-2 describes the tasks to complete before you use SSL as the transport protocol for device management on Cisco IOS routers.
Table 5-2 Setting Up SSL on Cisco IOS Routers
Step 1
Enter: router# config terminal
Result: Enters configuration mode.
Step 2
Enter: router(config)# hostname name
Result: Configures the hostname.
If the device is new, you must configure its hostname. After you configure the hostname, the device prompt changes to reflect the name.
Step 3
Enter: router1(config)# ip domain-name your_domain
Result: Specifies the domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name.
Step 4
Enter: router1(config)# username username privilege 15 password 0 password
Result: Configures level 15 privilege.
SSL requires level 15 privileges to log in to a Cisco IOS router.
Step 5
Enter: router1(config)# no aaa authorization network list-name
Result: (Optional) Disables AAA authorization.
If you are using AAA for authorization but would like to use local authorization, use this command to disable the AAA authorization.
• list-name—Character string used to name the list of authorization methods.
Step 6
Enter: router1(config)# no aaa authentication login list-name
Result: (Optional) Disables AAA authentication at login.
If you are using AAA for authentication but would like to use local authentication, use this command to disable the AAA authentication.
• list-name—Character string used to name the list of authentication methods activated when a user logs in.
Step 7
Enter: router1(config)# ip http authentication local
Result: (Optional) Enables local authentication for SSL.
Enables Security Manager to authenticate with the local username you created in Step 4.
If you do not enter this command, the default enable password is used for authentication.
Note: You can enable either AAA authentication or local authentication. To enable AAA authentication, enter the commands in Step 8 and Step 9. To enable local authentication, enter the command in this step.
Step 8
Enter: router1(config)# ip http authentication aaa
Result: (Optional) Enables AAA authentication/authorization for SSL.
Step 9
Enter: router1(config)# ip http authentication aaa login-authentication list-name
router1(config)# ip http authentication aaa exec-authorization list-name
Result: (Optional) If multiple AAA lists are defined, you must enter these commands.
These commands authenticate the user that is contacting the device using the HTTPS protocol. The authentication uses AAA.
• list-name—Character string used to name the list of AAA server groups.
Step 10
Enter: router1(config)# ip http secure-server
Result: Enables the HTTPS server.
Step 11
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 12
Enter: router1# show ip http server secure status
Result: Verifies that SSL is set up on the device. The device should respond with an "enabled" status.
Setting Up SSH
You can use the Secure Shell (SSH) protocol to communicate with Cisco IOS Routers, Catalyst switches, and Catalyst 6500/7600 devices. This protocol provides strong authentication and secure communications over insecure channels. Security Manager supports both SSH versions 1.5 and 2. Once connected to the device, Security Manager determines which version to use and communicates using that version.
The following topics describe how to set up SSH on the supported devices:
• Critical Line-Ending Conventions for SSH
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
• Preventing Non-SSH Connections (Optional)
Critical Line-Ending Conventions for SSH
The following line-ending conventions for SSH must be observed to avoid system failure:
• Do not end banner message lines with "#", "# ", ">", or "> ". If your system requires a pound sign or greater-than sign at the end of a banner message, ensure that it is followed by two spaces.
• Do not use banner message lines that contain only "Username: " or "Password: ".
• Do not customize the device user EXEC mode prompt to not end with ">" or "#".
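These conventions can be checked mechanically before a banner is applied to a managed device. The following Python code is an added example, not part of the Cisco documentation or of Security Manager; the function names and the sample banner are constructed for illustration, and the whitespace handling marked in the comments is an assumption.

```python
"""Lint a login banner and EXEC prompt against the SSH line-ending rules above."""

# Line endings the page forbids for banner lines ('#' or '>' plus 0-1 spaces).
FORBIDDEN_ENDINGS = ("#", "# ", ">", "> ")
# A banner line must not consist only of one of these login prompts.
PROMPT_ONLY = ("Username:", "Password:")


def lint_banner(banner_text):
    """Return (line_number, problem) tuples for every rule violation."""
    problems = []
    for number, line in enumerate(banner_text.splitlines(), start=1):
        if line.endswith(FORBIDDEN_ENDINGS):
            problems.append((number, "ends like a device prompt ('#' or '>')"))
        # Assumption: surrounding whitespace is ignored for this comparison.
        if line.strip() in PROMPT_ONLY:
            problems.append((number, "contains only a login prompt string"))
    return problems


def pad_banner(banner_text):
    """Apply the page's workaround: follow a trailing '#' or '>' with two spaces."""
    fixed = []
    for line in banner_text.splitlines():
        if line.endswith(FORBIDDEN_ENDINGS):
            line = line.rstrip(" ") + "  "
        fixed.append(line)
    return "\n".join(fixed)


def prompt_ok(prompt):
    """True if a user EXEC prompt still ends with '>' or '#'."""
    # Assumption: whitespace captured after the prompt is not part of it.
    return prompt.rstrip().endswith((">", "#"))


# Constructed sample banner; not taken from any real device.
SAMPLE_BANNER = "\n".join([
    "Authorized access only #",
    "Contact the NOC > ",
    "Password: ",
    "Sessions are logged #  ",
    "##### Core router #####",
])

if __name__ == "__main__":
    for number, problem in lint_banner(SAMPLE_BANNER):
        print(f"banner line {number}: {problem}")
    print("after padding:", lint_banner(pad_banner(SAMPLE_BANNER)))
    print("prompt 'router1>' ok:", prompt_ok("router1>"))
    print("prompt 'router1$' ok:", prompt_ok("router1$"))
```

Padding repairs only the line-ending rule; a line that consists solely of "Username: " or "Password: " has to be reworded by hand.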
Testing Authentication
Before you set up SSH, you must test authentication without SSH to make sure the device can be authenticated. You can authenticate with a local username and password or with an authentication, authorization, and accounting (AAA) server running TACACS+ or RADIUS.
To test authentication without SSH using a local or AAA server username and password, enter the commands described in Table 5-3.
Table 5-3 Testing Authentication Without SSH
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode.
Step 2
Enter: hostname(config)# aaa new-model
Result: Uses the local username and password in the absence of AAA statements.
Note: On Cisco IOS routers, you can use the login local command on VTY lines instead of the aaa new-model command.
Step 3
Enter: hostname(config)# username name password 0 password
Result: (Optional) Configures a user account in the local database of the device.
Step 4
Enter: hostname(config)# exit
Result: Exits configuration mode.
Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Table 5-4 describes the tasks required to set up SSH on Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices.
Tip: You must configure SSH on Cisco IOS routers because Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Table 5-4 Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 Devices
Step 1
Enter: router# config terminal
Result: Enters configuration mode.
Step 2
Enter: router(config)# hostname name
Result: Configures the hostname.
If the device is new, you must configure its hostname. Configuring the host name changes the command prompt to use the name (for example, router1).
Step 3
Enter: router1(config)# ip domain-name your_domain
Result: Specifies the domain name of the router.
If the device is new and is not configured with a domain name, you must specify the IP domain name of the router.
Step 4
Enter: router1(config)# crypto key generate rsa
Result: Generates the RSA key pair for the SSH session.
When the device prompts you to enter the size of the modulus, we recommend that you enter 1024.
Step 5
Enter: router1(config)# ip ssh timeout time
Result: (Optional) Sets the timeout interval in minutes.
Step 6
Enter: router1(config)# ip ssh authentication-retries n
Result: (Optional) Sets the number of retries.
Step 7
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 8
Enter: router1# write memory
Result: Saves the configuration changes.
Related Topics
• Critical Line-Ending Conventions for SSH
• Testing Authentication
• Preventing Non-SSH Connections (Optional)
Preventing Non-SSH Connections (Optional)
After configuring SSH, you can configure the Cisco IOS routers, Catalyst switches, and Catalyst 6500/7600 devices to use SSH connections only. To prevent non-SSH connections, enter the commands described in Table 5-5.
Table 5-5 Preventing Non-SSH Connections (Optional)
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode.
Step 2
Enter: hostname(config)# line vty first line number last line number
Result: Sets up the router for Telnet access.
• first line number—valid values are 0 to 1180.
• last line number—valid values are 1 to 1180.
Step 3
Enter: hostname(config-line)# transport input ssh
Result: Prevents non-SSH connections, such as Telnet.
Step 4
Enter: hostname(config-line)# end
Result: Exits configuration mode.
Step 5
Enter: hostname# write memory
Result: Saves the configuration changes.
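Because the restriction is applied per VTY range, a range that was skipped still accepts other protocols. The following Python code is an added example, not part of the Cisco documentation; it audits a saved configuration for VTY ranges that are not limited to SSH and for the hostname and domain name that Table 5-4 requires. The function names and the sample configuration are constructed, and reporting a range with no explicit transport input line is an assumption made here.

```python
"""Audit a saved IOS configuration for SSH-only VTY access (Tables 5-4 and 5-5)."""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?:\s+(\d+))?\s*$")


def vty_transports(config_text):
    """Map each (first, last) VTY range to its 'transport input' protocols.

    A range with no explicit 'transport input' line maps to None.
    """
    ranges = {}
    current = None
    for raw in config_text.splitlines():
        match = VTY_RE.match(raw)
        if match:
            first = int(match.group(1))
            last = int(match.group(2) or first)
            current = (first, last)
            ranges[current] = None
        elif not raw.startswith(" "):
            current = None  # any unindented line closes the stanza
        elif current is not None and raw.split()[:2] == ["transport", "input"]:
            ranges[current] = set(raw.split()[2:])
    return ranges


def audit_vty(config_text):
    """Return (stanza, problem) tuples for ranges not restricted to SSH."""
    findings = []
    for (first, last), protocols in sorted(vty_transports(config_text).items()):
        stanza = f"line vty {first} {last}"
        if protocols is None:
            # Assumption: an implicit default is reported, not trusted.
            findings.append((stanza, "no explicit 'transport input' line"))
            continue
        others = sorted(protocols - {"ssh", "none"})
        if others:
            findings.append((stanza, "also accepts: " + ", ".join(others)))
    return findings


def missing_ssh_prereqs(config_text):
    """Return the Table 5-4 prerequisites that the configuration lacks."""
    lines = [line.strip() for line in config_text.splitlines()]
    missing = []
    if not any(line.startswith("hostname ") for line in lines):
        missing.append("hostname")
    # Newer IOS releases also write this command as 'ip domain name'.
    if not any(line.startswith(("ip domain-name ", "ip domain name "))
               for line in lines):
        missing.append("ip domain-name")
    return missing


# Constructed sample configuration; not taken from any real device.
SAMPLE_CONFIG = "\n".join([
    "hostname router1",
    "!",
    "line con 0",
    "line vty 0 4",
    " transport input ssh",
    " login local",
    "line vty 5 15",
    " transport input telnet ssh",
    "line vty 16 20",
    " login local",
    "!",
])

if __name__ == "__main__":
    for stanza, problem in audit_vty(SAMPLE_CONFIG):
        print(f"{stanza}: {problem}")
    print("missing SSH prerequisites:", missing_ssh_prereqs(SAMPLE_CONFIG))
```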
Related Topics
• Critical Line-Ending Conventions for SSH
• Testing Authentication
• Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Setting Up AUS or CNS
With many devices, you can use an intermediate transport server to stage configuration updates to the device. These transport servers can also allow you to manage devices that use dynamically assigned IP addresses (using a DHCP server) instead of static IP addresses. When you deploy configurations using a transport server, Security Manager deploys the configuration to the server, and the device retrieves the configuration from the server. You can use Auto Update Server, running the AUS or CNS protocols, or Cisco Configuration Engine, running the CNS protocol.
The following topics describe how to set up AUS or CNS on the devices:
• Setting Up AUS on PIX Firewall and ASA Devices
• Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
• Setting Up CNS on Cisco IOS Routers in Call-Home Mode
• Changing the CNS Bootstrap Password on an Auto Update Server
Setting Up AUS on PIX Firewall and ASA Devices
You can configure PIX Firewalls and ASA devices to use the AUS protocol to contact an Auto Update Server for configuration and image updates. See the Auto Update Server product documentation for more information.
You can also configure PIX Firewalls and ASA devices to use the CNS Protocol. However, if PIX Firewall and ASA devices are configured for CNS, they actually use the AUS protocol. Thus, the configuration steps for AUS and CNS are identical.
Table 5-6 describes the tasks to complete before you use AUS or CNS as the transport protocol for device management on PIX Firewall and ASA devices.
Table 5-6 Setting Up AUS or CNS on PIX Firewall and ASA Devices
Step 1
Enter: hostname# config terminal
Result: Enters configuration mode.
Step 2
Enter: hostname(config)# auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet
Result: Connects to the AUS.
• username—A username that can log into Security Manager.
• password—The password for the username.
• The port number is typically 443.
Step 3
Enter: hostname(config)# auto-update poll-period poll_period [retry_count] [retry_period]
Result: Specifies the polling period for AUS.
• poll_period—The polling period interval between two updates. Default is 720 minutes (12 hours).
• retry_count—(Optional) The number of times to retry if the server connection attempt fails. Default is 0.
• retry_period—(Optional) The number of minutes between retries. Default is 5.
Step 4
Enter: hostname(config)# auto-update device-id [hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text]
Result: Configures the device to use the specified unique device ID to identify itself.
• if_name—The device interface name (default is inside).
• text—A unique string name.
Step 5
Enter: hostname(config)# write memory
Result: Saves the configuration changes.
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
You can configure Cisco IOS routers to use the CNS protocol to contact a Cisco Configuration Engine for configuration and image updates. The Configuration Engine can operate in two modes, event-bus and call-home. The following table describes the tasks to complete to configure a router to use event-bus mode. For information on using call-home mode, see Setting Up CNS on Cisco IOS Routers in Call-Home Mode.
See the Configuration Engine product documentation for more information about configuring and using the product.
Table 5-7 Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
Step 1
Enter: router# config terminal
Result: Enters configuration mode.
Step 2
Enter: router(config)# hostname name
Result: Configures the hostname.
If the device is new, you must configure its hostname. After you configure the hostname, the device prompt changes to reflect the name.
Step 3
Enter: router1(config)# ip domain-name your_domain
Result: Specifies the domain name of the router.
If the device is new and is not configured with a domain name, you must specify the domain name of the router.
Step 4
Enter: router1(config)# cns trusted-server all-agents ip_address
Result: Specifies the trusted server for the CNS agent. Enter the IP address of the trusted server.
Step 5
Enter: router1(config)# cns event ip_address [port]
Result: Configures the CNS event gateway, which provides CNS event services to Cisco IOS clients.
• ip_address—IP address of the event gateway.
• port—The port is an optional parameter, and by default it is either 11011 (with no encryption) or 11012 (with encryption).
Step 6
Enter: router1(config)# cns config partial ip_address
Result: Starts the CNS configuration agent and accepts a partial configuration.
Step 7
Enter: router1(config)# cns password password
Result: Sets the CNS password.
You can set the CNS password to callhome (which is the default bootstrap password in AUS) or you can set a different password.
If you set a different password on the router, you must change the default CNS bootstrap password in the Auto Update Server. For instructions, see Changing the CNS Bootstrap Password on an Auto Update Server.
Note: For information on how to authenticate a Cisco IOS router on a Configuration Engine, see the Cisco CNS Configuration Engine Administrator Guide.
Step 8
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.
Step 9
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 10
Enter: router1# copy running startup
Result: Saves the configuration changes.
Setting Up CNS on Cisco IOS Routers in Call-Home Mode
You can configure Cisco IOS routers to use the CNS protocol to contact a Cisco Configuration Engine for configuration and image updates. The Configuration Engine can operate in two modes, event-bus and call-home. The following table describes the tasks to complete to configure a router to use call-home mode. For information on using event-bus mode, see Setting Up CNS on Cisco IOS Routers in Event-Bus Mode.
See the Configuration Engine product documentation for more information about configuring and using the product.
Table 5-8 Setting Up CNS on Cisco IOS Routers in Call-Home Mode
Step 1
Enter: router# config terminal
Result: Enters configuration mode.
Step 2
Enter: router(config)# hostname name
Result: Configures the hostname.
If the device is new, you must configure its hostname. After you configure the hostname, the device prompt changes to reflect the name.
Step 3
Enter: router1(config)# ip domain-name your_domain
Result: Specifies the domain name of the router.
If the device is new and is not configured with a domain name, you must specify the domain name of the router.
Step 4
Enter: router1(config)# cns trusted-server all-agents ip_address
Result: Specifies the trusted server for the CNS agent. Enter the IP address of the trusted server.
Step 5
Enter: router1(config)# kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
Result: Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.
• occurrence-name—The name of the occurrence. The name can be from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.
• username—(Optional) The name of the user.
• in [[numdays:]numhours:]nummin—The occurrence should run after waiting the specified time. You can enter a number of days, hours, or minutes, or a combination of them. The timer starts when the occurrence is configured.
• at hours:min [[month] day-of-month] [day-of-week]—The occurrence should run at the specified hour and minute on the specified month and day, or day of the week. Specify the hour using the 24-hour clock.
• oneshot—Specifies that the occurrence is to run only once. After the occurrence runs, the configuration is removed.
• recurring—Specifies that the occurrence is to run on a recurring basis.
Step 6
Enter: router1(config-kron-occurrence)# policy-list list-name
Result: Specifies the policy list associated with a Command Scheduler occurrence. The name can be 1 to 31 characters. If the list-name is new, a policy list structure is created. If the list-name is not new, the existing policy list is edited.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
Step 7
Enter: router1(config-kron-occurrence)# exit
Result: Exits kron-occurrence configuration mode and returns to configuration mode.
Step 8
Enter: router1(config)# kron policy-list list-name
Result: Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode. The name can be 1 to 31 characters. If the list-name is new, a policy list structure is created. If the list-name is not new, the existing policy list is edited.
Step 9
Enter: router1(config-kron-policy)# cli cns config retrieve ip_address page /cns/JobbedDynaConfig status http://ip_address/cns/PostStatus
Result: Retrieves the configuration from the staged CNS job. Specify the IP address of the CNS server.
You must use JobbedDynaConfig status so that the device retrieves the config from the staged CNS job; otherwise, the device retrieves the template associated with the device.
Step 10
Enter: router1(config-kron-policy)# exit
Result: Exits kron-policy configuration mode and returns to configuration mode.
Step 11
Enter: router1(config)# cns exec
Result: Enables and configures the CNS execute agent.
Step 12
Enter: router1(config)# exit
Result: Exits configuration mode and returns to Exec mode.
Step 13
Enter: router1# copy running startup
Result: Saves the configuration changes.
Changing the CNS Bootstrap Password on an Auto Update Server
An Auto Update Server can provide the CNS event-bus feature to Cisco IOS routers that have dynamic IP addresses obtained from a DHCP server. Security Manager communicates with the Auto Update Server that is running the CNS Gateway protocol to determine the IP address of the device. To configure CNS on a Cisco IOS router in event-bus mode, see Setting Up CNS on Cisco IOS Routers in Event-Bus Mode.
The CNS password configured on the Cisco IOS router must be the same as the CNS bootstrap password configured in AUS. The default CNS bootstrap password configured in an Auto Update Server is callhome. Use the following procedure to configure a different password on the server.
Step 1
Log into Microsoft Windows on the Auto Update Server and open a Windows command prompt.
Step 2
Enter the following command, where dir is the directory where you installed AUS:
set NMSROOT=dir
For example, if you installed the product in the default directory, enter:
set NMSROOT=C:\Progra~1\CSCOpx
Step 3
Enter cd %NMSROOT%\MDC\autoupdate\bin\eventgateway.
Step 4
Enter the following command, specifying the CNS password configured on the router:
cnspassword password
Step 5
Restart the Daemon Manager if it is running.
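Several commands in this chapter place a secret directly in the configuration text: the type 0 (cleartext) local passwords in Tables 5-2 and 5-3, the username and password inside the auto-update server URL in Table 5-6, and the CNS password in Table 5-7, whose default is callhome. The following Python code is an added example, not part of the Cisco documentation; it redacts those values from a saved configuration and reports the weak settings it sees. The function name, the patterns and the sample lines are constructed from the command syntax shown in the tables.

```python
"""Redact secrets from a saved device configuration and flag weak settings."""
import re
from urllib.parse import urlsplit

REDACTED = "<redacted>"
DEFAULT_CNS_PASSWORD = "callhome"  # default AUS bootstrap password per the page
PLAINTEXT_CNS_PORT = "11011"       # event gateway port listed as "no encryption"

USER_RE = re.compile(r"^(username (\S+) (?:privilege \d+ )?password 0 )(.+)$")
CNS_PASSWORD_RE = re.compile(r"^(cns password )(\S+)$")
CNS_EVENT_RE = re.compile(r"^cns event \S+ (\d+)$")
AUS_RE = re.compile(r"^(auto-update server )(\S+)(.*)$")


def sanitize(config_text):
    """Return (redacted_text, findings); findings are (line_number, message)."""
    out, findings = [], []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        user = USER_RE.match(line)
        cns_pw = CNS_PASSWORD_RE.match(line)
        cns_event = CNS_EVENT_RE.match(line)
        aus = AUS_RE.match(line)
        if user:
            findings.append(
                (number, f"cleartext (type 0) password for user {user.group(2)}"))
            raw = user.group(1) + REDACTED
        elif cns_pw:
            if cns_pw.group(2) == DEFAULT_CNS_PASSWORD:
                findings.append(
                    (number, "CNS password is the default bootstrap value"))
            raw = cns_pw.group(1) + REDACTED
        elif cns_event and cns_event.group(1) == PLAINTEXT_CNS_PORT:
            findings.append(
                (number, "CNS event gateway on port 11011 (no encryption)"))
        elif aus:
            parts = urlsplit(aus.group(2))
            if parts.scheme != "https":
                findings.append((number, "auto-update URL does not use https"))
            if "@" in parts.netloc:
                findings.append(
                    (number, "credentials embedded in auto-update URL"))
                host_port = parts.netloc.rpartition("@")[2]
                url = parts._replace(netloc=f"{REDACTED}@{host_port}").geturl()
                raw = aus.group(1) + url + aus.group(3)
        out.append(raw)
    return "\n".join(out), findings


# Constructed sample lines (router and firewall commands mixed for brevity).
SAMPLE_CONFIG = "\n".join([
    "username secmgr privilege 15 password 0 Ex4mple-Pass",
    "cns trusted-server all-agents 192.0.2.20",
    "cns event 192.0.2.20 11011",
    "cns password callhome",
    "auto-update server https://secmgr:Ex4mple-Pass@192.0.2.10:443"
    "/autoupdate/AutoUpdateServlet",
])

if __name__ == "__main__":
    redacted, findings = sanitize(SAMPLE_CONFIG)
    print(redacted)
    for number, message in findings:
        print(f"line {number}: {message}")
```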
Initializing IPS Devices
To initialize an IPS device, you must configure the following settings. These are network settings, and only a user with administrator privileges on the IPS device can configure them:
• Sensor name
• IP address
• Netmask
• Default route
• Enable TLS/SSL (to enable TLS/SSL in the web server on the device)
• Web server port
• Use default ports
You configure these settings through the setup command in Intrusion Prevention System Device Manager (IDM) or in a command-line session, depending upon which platform is used by your IPS device. The platform is one of the following:
• Sensor appliance
• IDSM-2
• AIP-SSM
• NM-CIDS
For detailed information on these settings, refer to the technical documentation for your IPS device.
Note: For information on preparing an IOS IPS device for use, see Preparation for Use, page 13-17.