User Guide for Cisco Security Manager 3.2.1
Policy Object Manager User Interface Reference

Table Of Contents

Policy Object Manager User Interface Reference

Policy Object Manager Window

Object Type Selector

Policy Object Manager Window—Work Area Buttons

Policy Object Manager Window—Shortcut Menu

AAA Server Groups Page

AAA Server Group Dialog Box

AAA Servers Page

AAA Server Dialog Box

AAA Server Dialog Box—RADIUS Settings

AAA Server Dialog Box—TACACS+ Settings

AAA Server Dialog Box—Kerberos Settings

AAA Server Dialog Box—LDAP Settings

AAA Server Dialog Box—NT Settings

AAA Server Dialog Box—SDI Settings

AAA Server Dialog Box—HTTP-FORM Settings

Access Control Lists Page

Extended Tab

Add and Edit Extended Access List Pages

Add and Edit Extended Access Control Entry Dialog Boxes

Standard Tab

Add and Edit Standard Access List Pages

Add and Edit Standard Access Control Entry Dialog Boxes

Web Tab

Add and Edit WebType Access List Dialog Boxes

Add and Edit Web Access Control Entry Dialog Boxes

ASA User Groups Page

ASA User Group Dialog Box

ASA User Group Dialog Box—Client Configuration Settings

ASA User Group Dialog Box—Client Firewall Attributes

ASA User Group Dialog Box—Hardware Client Attributes

ASA User Group Dialog Box—IPsec Settings

ASA User Group Dialog Box—SSL VPN Clientless Settings

ASA User Group Dialog Box—SSL VPN Full Client Settings

ASA User Group Dialog Box—SSL VPN Settings

ASA User Group Dialog Box—DNS/WINS Settings

ASA User Group Dialog Box—Split Tunneling

ASA User Group Dialog Box—Connection Settings

Categories Page

Category Editor Dialog Box

Credentials Page

Credentials Dialog Box

File Objects Page

Add and Edit File Object Dialog Boxes

IKE Proposals Page

IKE Proposal Dialog Box

DNS Class Maps Page

Add and Edit DNS Class Maps Dialog Boxes

Add and Edit Match Criterion Dialog Boxes

Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class

Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type

Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name

Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag

Add and Edit DNS Class Map > Add and Edit Match Criterion > Question

Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record

FTP Class Maps Page

Add and Edit FTP Class Map Dialog Boxes

Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes

Add and Edit FTP Class Map > Add and Edit Match Criterion > Request Command

Add and Edit FTP Class Map > Add and Edit Match Criterion > Filename

Add and Edit FTP Class Map > Add and Edit Match Criterion > File Type

Add and Edit FTP Class Map > Add and Edit Match Criterion > Server

Add and Edit FTP Class Map > Add and Edit Match Criterion > Username

H.323 Class Maps Page

Add and Edit H.323 Class Maps Dialog Boxes

Add and Edit H.323 Class Map > Add and Edit Match Criterion Dialog Boxes

Add and Edit H.323 Class Map > Add and Edit Match Criterion > Called Party

Add and Edit H.323 Class Map > Add and Edit Match Criterion > Calling Party

Add and Edit H.323 Class Map > Add and Edit Match Criterion > Media Type

HTTP Class Maps Page

Add and Edit HTTP Class Map Dialog Boxes

Add and Edit HTTP Class Map > Add and Edit Match Criterion Dialog Boxes

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request/Response Content Type Mismatch

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Arguments

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Body

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Body Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Count

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field Count

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Field Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Content Type

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Transfer Encoding

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Header Non-ASCII

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request Method

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request URI

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Request URI Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body ActiveX

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body Java Applet

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Body Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Count

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field Count

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Field Length

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Content Type

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Transfer Encoding

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Header Non-ASCII

Add and Edit HTTP Class Map > Add and Edit Match Criterion > Response Status Line

IM Class Maps Page

Add and Edit IM Class Map Dialog Boxes

Add and Edit IM Class Map > Add and Edit Match Criterion Dialog Boxes

Add and Edit IM Class Map > Add and Edit Match Criterion > Filename

Add and Edit IM Class Map > Add and Edit Match Criterion > Client IP Address

Add and Edit IM Class Map > Add and Edit Match Criterion > Client Login Name

Add and Edit IM Class Map > Add and Edit Match Criterion > Peer IP Address

Add and Edit IM Class Map > Add and Edit Match Criterion > Peer Login Name

Add and Edit IM Class Map > Add and Edit Match Criterion > Protocol

Add and Edit IM Class Map > Add and Edit Match Criterion > Service

Add and Edit IM Class Map > Add and Edit Match Criterion > File Transfer Service Version

SIP Class Maps Page

Add and Edit SIP Class Map Dialog Boxes

Add and Edit Match Criterion Dialog Boxes

Add and Edit SIP Class Map > Add and Edit Match Criterion > Called Party

Add and Edit SIP Class Map > Add and Edit Match Criterion > Calling Party

Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Length

Add and Edit SIP Class Map > Add and Edit Match Criterion > Content Type

Add and Edit SIP Class Map > Add and Edit Match Criterion > IM Subscriber

Add and Edit SIP Class Map > Add and Edit Match Criterion > Message Path

Add and Edit SIP Class Map > Add and Edit Match Criterion > Third Party Registration

Add and Edit SIP Class Map > Add and Edit Match Criterion > URI Length

Add and Edit SIP Class Map > Add and Edit Match Criterion > Request Method

DCE/RPC Maps Page

Add and Edit DCE/RPC Dialog Box

DNS Maps Page

Add and Edit DNS Map Dialog Boxes

Add and Edit DNS Map > Protocol Conformance

Add and Edit DNS Map > Filtering

Add and Edit DNS Map > Mismatch Rate

Add and Edit DNS Map > Match Condition and Action

Add and Edit DNS Map > Add and Edit Match Condition and Action Dialog Boxes

ESMTP Maps Page

Add and Edit ESMTP Map Dialog Boxes

Add and Edit ESMTP Dialog Boxes > Parameters Tab

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Body Length

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Body Line Length

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Commands

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Command Recipient Count

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Command Line Length

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > EHLO Reply Parameters

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Header Length

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Header Line Length

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > To Recipients Count

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Invalid Recipients Count

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > MIME File Type

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > MIME Filename Length

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > MIME Encoding

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Sender Address

Add and Edit ESMTP Dialog Boxes > Add and Edit Match Condition and Action Tab > Sender Address Length

FTP Maps Page

Add and Edit FTP Map Dialog Boxes

Add and Edit FTP Map > Parameters

Add and Edit FTP Map > Match Conditions and Actions

Add and Edit FTP Map > Add and Edit Match Condition and Action Dialog Boxes

GTP Maps Page

Add and Edit GTP Map Dialog Boxes

Add and Edit GTP Map Dialog Boxes > Parameters

Add and Edit GTP Map > Match Condition and Action Tab

H.323 Maps Page

Add and Edit H.323 Map Dialog Boxes

Add and Edit H.323 Map - Parameters Tab

Add and Edit H.323 Map - Match Condition and Action Tab

HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page

Add and Edit HTTP Map Dialog Boxes

Add and Edit HTTP Map > General Tab

Add and Edit HTTP Map > Entity Length Tab

Add and Edit HTTP Map > RFC Request Method Tab

Add and Edit HTTP Map > Extension Request Method Tab

Add and Edit HTTP Map > Port Misuse Tab

Add and Edit HTTP Map > Transfer Encoding Tab

HTTP Maps (ASA 7.2/PIX 7.2) Page

Add and Edit HTTP Map Dialog Boxes

Add and Edit HTTP Map > Parameters Tab

Add and Edit HTTP Map > Match Condition and Action Tab

Add and Edit HTTP Map > Add and Edit Match Condition and Action Dialog Boxes

IM Maps (ASA 7.2/PIX 7.2) Page

Add and Edit IM Map Dialog Boxes (for ASA 7.2/PIX 7.2)

Add and Edit IM Map > Add and Edit Match Condition and Action Dialog Boxes

IM Maps (IOS) Page

Add and Edit IM Map (IOS) Dialog Boxes

Add and Edit IM Map (IOS) > Yahoo! Tab

Add and Edit IM Map (IOS) > MSN Tab

Add and Edit IM Map (IOS) > AOL Tab

IPsec Pass Through Maps Page

Add and Edit IPsec Pass Through Dialog Boxes

NetBIOS Maps Page

Add and Edit NetBIOS Dialog Boxes

SIP Maps Page

Add and Edit SIP Map Dialog Boxes

Add and Edit SIP Map > Parameters Tab

Add and Edit SIP Map > Match Condition and Action Tab

Skinny Maps Page

Add and Edit Skinny Map - Parameters Tab

Add and Edit Skinny Map - Match Conditions and Action Tab

Add and Edit Match Condition and Action Dialog Boxes

SNMP Maps Page

Add and Edit SNMP Map Dialog Boxes

Regular Expression Groups Page

Add and Edit Regular Expression Group Dialog Boxes

Regular Expressions Page

Add and Edit Regular Expression Dialog Boxes

TCP Maps Page

Add and Edit TCP Map Dialog Boxes

Add and Edit TCP Option Range Dialog Boxes

Interface Roles Page

Interface Role Dialog Box

Interface Name Conflict Dialog Box

IPsec Transform Sets Page

IPsec Transform Set Dialog Box

LDAP Attribute Maps Page

Add and Edit LDAP Attribute Map Dialog Boxes

Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value

Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value > Add and Edit Map Value

Networks/Hosts Page

Network/Host Dialog Box

PKI Enrollments Page

PKI Enrollment Dialog Box

PKI Enrollment Dialog Box—CA Information Tab

PKI Enrollment Dialog Box—Enrollment Parameters Tab

PKI Enrollment Dialog Box—Certificate Subject Name Tab

PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab

Port Forwarding List Page

Port Forwarding List Dialog Box

Add/Edit Port Forwarding Entry Dialog Box

Secure Desktop Configuration Page

Secure Desktop Configuration Dialog Box

Port Lists Page

Port List Dialog Box

Services Page

Add and Edit Service Dialog Boxes

Single Sign On Server (SSO) Page

Single Sign On Server (SSO) Dialog Box

SLA Monitors Page

SLA Monitor Dialog Box

SSL VPN Bookmarks Page

Add and Edit Bookmarks Dialog Boxes

Add and Edit Bookmark Entry Dialog Boxes

Add and Edit Post Parameter Dialog Boxes

SSL VPN Customization Page

Add and Edit SSL VPN Customization Page Dialog Boxes

SSL VPN Customization Dialog Box—Logon Page

SSL VPN Customization Dialog Box—Logon Page Title Panel

SSL VPN Customization Dialog Box—Language

Add and Edit Language Dialog Boxes

Add and Edit Language Selector Dialog Boxes

SSL VPN Customization Dialog Box—Logon Page Logon Form

SSL VPN Customization Dialog Box—Logon Page Informational Panel

SSL VPN Customization Dialog Box—Logon Page Copyright Panel

SSL VPN Customization Dialog Box—Logon Page Full Customization

SSL VPN Customization Dialog Box—Portal Page

SSL VPN Customization Dialog Box—Portal Page Title Panel

SSL VPN Customization Dialog Box—Toolbar

SSL VPN Customization Dialog Box—Applications

SSL VPN Customization Dialog Box—Custom Panes

Add and Edit Column Dialog Boxes

Add and Edit Custom Pane Dialog Boxes

SSL VPN Customization Dialog Box—Portal Page Home Page

SSL VPN Customization Dialog Box—Logout Page

SSL VPN Gateways Page

SSL VPN Gateway Dialog Box

SSL VPN Smart Tunnel Lists Page

Add and Edit SSL VPN Smart Tunnel List Dialog Boxes

Add and Edit Smart Tunnel Entry Dialog Boxes

Style Objects Page

Style Objects Dialog Box

Text Objects Page

Text Object Dialog Box

Time Ranges Page

Time Range Dialog Box

Recurring Ranges Dialog Box

Traffic Flows Page

Add and Edit Traffic Flow Dialog Boxes

Add and Edit Traffic Flow > Source and Destination IP Address (access-list)

Default Inspection Traffic

Add and Edit Traffic Flow > Default Inspection Traffic with Access Lists

Add and Edit Traffic Flow > TCP or UDP Destination Port

Add and Edit Traffic Flow > RTP Range

Add and Edit Traffic Flow > Tunnel Group

Add and Edit Traffic Flow > IP Precedence Bits

Add and Edit Traffic Flow > IP DiffServe CodePoints (DSCP) Values

User Groups Objects Page

User Group Dialog Box

User Group Dialog Box—General Settings

User Group Dialog Box—DNS/WINS Settings

User Group Dialog Box—Split Tunneling

User Group Dialog Box—IOS Client Settings

User Group Dialog Box—IOS Xauth Options

User Group Dialog Box—IOS Client VPN Software Update

User Group Dialog Box—Advanced PIX Options

User Group Dialog Box—Clientless Settings

User Group Dialog Box—Thin Client Settings

User Group Dialog Box—SSL VPN Full Tunnel Settings

User Group Dialog Box—SSL VPN Split Tunneling

User Group Dialog Box—Browser Proxy Settings

User Group Dialog Box—SSL VPN Connection Settings

WINS Server Lists Page

WINS Server Lists Dialog Box

Add/Edit WINS Server Dialog Box

Object Selectors

Object Usage Window

Policy Object Overrides Window

Create Overrides for Device Dialog Box


Policy Object Manager User Interface Reference


The Policy Object Manager user interface reference contains the following topics:

Policy Object Manager Window

AAA Server Groups Page

AAA Servers Page

Access Control Lists Page

ASA User Groups Page

Categories Page

Credentials Page

File Objects Page

IKE Proposals Page

Inspection Class Maps

DNS Class Maps Page

FTP Class Maps Page

H.323 Class Maps Page

HTTP Class Maps Page

IM Class Maps Page

SIP Class Maps Page

Inspection Policy Maps

DCE/RPC Maps Page

DNS Maps Page

ESMTP Maps Page

FTP Maps Page

GTP Maps Page

H.323 Maps Page

HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page

HTTP Maps (ASA 7.2/PIX 7.2) Page

IM Maps (ASA 7.2/PIX 7.2) Page

IM Maps (IOS) Page

IPsec Pass Through Maps Page

NetBIOS Maps Page

SIP Maps Page

Skinny Maps Page

SNMP Maps Page

Additional Inspection Object Types

Regular Expressions Page

Regular Expression Groups Page

TCP Maps Page

Interface Roles Page

IPsec Transform Sets Page

LDAP Attribute Maps Page

Networks/Hosts Page

PKI Enrollments Page

Port Forwarding List Page

Secure Desktop Configuration Page

Services

Port Lists Page

Services Page

Single Sign On Server (SSO) Page

SLA Monitors Page

Style Objects Page

Text Objects Page

Time Ranges Page

Traffic Flows Page

SSL VPN Bookmarks Page

SSL VPN Customization Page

SSL VPN Gateways Page

SSL VPN Smart Tunnel Lists Page

User Groups Objects Page

WINS Server Lists Page

Object Selectors

Object Usage Window

Policy Object Overrides Window


Note See FlexConfigs Objects Page, page O-7 for information about the user interface for defining FlexConfig objects.


Policy Object Manager Window

Use the Policy Object Manager window to:

View all the available objects grouped according to object type.

Access all object dialog boxes to create, copy, edit, and delete objects.

Generate usage reports, which describe how selected objects are being used by other Security Manager objects and policies.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

"Policy Object Manager User Interface Reference"

Guidelines for Managing Objects, page 9-3

Object Usage Window

Policy Object Overrides Window

Selecting Objects for Policies, page 9-168

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 9-170

Field Reference

Table F-1 Policy Object Manager Window 

Element
Description

Object Type selector

Lists the object types available in Security Manager. Clicking an object type in the selector displays a table in the work area containing all the objects currently defined for that type. See Object Type Selector.

Work area

Displays the objects that are defined for the type selected in the Object Type selector. For information about the buttons displayed beneath the work area, see Policy Object Manager Window—Work Area Buttons.

Right-clicking anywhere inside the table displays a shortcut menu for performing object operations. See Policy Object Manager Window—Shortcut Menu.

Use the filtering bar located above the table to filter the list of objects displayed in the work area. See Filtering Tables, page 3-17.


Object Type Selector

The Object Type selector is displayed on the left side of the Policy Object Manager window. Select an object type to display a list of objects that have been defined for that type in the work area.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager Window

Policy Object Manager Window—Work Area Buttons

Policy Object Manager Window—Shortcut Menu

Field Reference

Table F-2 Object Type Selector 

Element
Description

AAA Server Groups

Displays a table of defined AAA server group objects. See AAA Server Groups Page.

AAA Servers

Displays a table of defined AAA server objects. See AAA Servers Page.

Access Control Lists

Displays a table of defined ACL objects. See Access Control Lists Page.

ASA User Groups

Displays a table of defined ASA user group objects. See ASA User Groups Page.

Categories

Displays a table of defined category objects. See Categories Page.

Credentials

Displays a table of defined credential objects. See Credentials Page.

FlexConfigs

Displays a table of defined FlexConfig objects. See FlexConfigs Objects Page, page O-7.

IKE Proposals

Displays a table of defined IKE proposal objects. See IKE Proposals Page.

DNS Class Maps

Displays a table of defined DNS class map objects. See DNS Class Maps Page.

FTP Class Maps

Displays a table of defined FTP class map objects. See FTP Class Maps Page.

H.323 Class Maps

Displays a table of defined H.323 class map objects. See H.323 Class Maps Page.

HTTP Class Maps

Displays a table of defined HTTP class map objects. See HTTP Class Maps Page.

IM Class Maps

Displays a table of defined IM class map objects. See IM Class Maps Page.

SIP Class Maps

Displays a table of defined SIP class map objects. See SIP Class Maps Page.

DCE/RPC Policy Maps

Displays a table of defined DCE/RPC policy map objects. See DCE/RPC Maps Page.

DNS Policy Maps

Displays a table of defined DNS map objects. See DNS Maps Page.

ESMTP Policy Maps

Displays a table of defined ESMTP map objects. See ESMTP Maps Page.

FTP Policy Maps

Displays a table of defined FTP map objects. See FTP Maps Page.

GTP Policy Maps

Displays a table of defined GTP map objects. See GTP Maps Page.

H.323 Policy Maps

Displays a table of defined H.323 map objects. See H.323 Maps Page.

HTTP Policy Maps (ASA 7.1.x/PIX 7.1.x/IOS)

Displays a table of defined HTTP map objects for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS devices. See HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page.

HTTP Policy Maps (ASA 7.2/PIX 7.2)

Displays a table of defined HTTP map objects for ASA 7.2/PIX 7.2 devices. See HTTP Maps (ASA 7.2/PIX 7.2) Page.

IM Policy Maps (ASA 7.2/PIX 7.2)

Displays a table of defined IM map objects for ASA 7.2/PIX 7.2. See IM Maps (ASA 7.2/PIX 7.2) Page.

IM Policy Maps (IOS)

Displays a table of defined IM map objects for IOS devices. See IM Maps (IOS) Page.

IPsec Pass Through Policy Maps

Displays a table of defined IPsec Pass Through map objects. See IPsec Pass Through Maps Page.

NetBIOS Policy Maps

Displays a table of defined NetBIOS map objects. See NetBIOS Maps Page.

SIP Policy Maps

Displays a table of defined SIP map objects. See SIP Maps Page.

Skinny Policy Maps

Displays a table of defined Skinny map objects. See Skinny Maps Page.

SNMP Policy Maps

Displays a table of defined SNMP map objects. See SNMP Maps Page.

Regular Expressions

Displays a table of defined regular expressions objects. See Regular Expressions Page.

Regular Expressions Groups

Displays a table of defined regular expressions group objects. See Regular Expression Groups Page.

TCP Maps

Displays a table of defined TCP map objects. See TCP Maps Page.

Interface Roles

Displays a table of defined interface role objects. See Interface Roles Page.

IPsec Transform Sets

Displays a table of defined IPsec transform set objects. See IPsec Transform Sets Page.

Networks/Hosts

Displays a table of defined network/host objects. See Networks/Hosts Page.

PKI Enrollments

Displays a table of defined PKI enrollment objects. See PKI Enrollments Page.

Port Forwarding List

Displays a table of defined port forwarding list objects. See Port Forwarding List Page.

Secure Desktop Configuration

Displays a table of defined secure desktop configuration objects. See Secure Desktop Configuration Page.

Port Lists

Displays a table of defined port list objects. See Port Lists Page.

Services

Displays a table of defined service objects. See Services Page.

Single Sign On Servers

Displays a table of defined single sign-on server (SSO) objects. See Single Sign On Server (SSO) Page.

SLA Monitors

Displays a table of defined SLA monitor objects. See SLA Monitors Page.

SSL VPN Bookmarks

Displays a table of defined SSL VPN bookmark objects. See SSL VPN Bookmarks Page.

SSL VPN Customization

Displays a table of defined SSL VPN customization objects. See SSL VPN Customization Page.

SSL VPN Gateways

Displays a table of defined SSL VPN gateway objects. See SSL VPN Gateways Page.

SSL VPN Smart Tunnel Lists

Displays a table of defined SSL VPN smart tunnel list objects. See SSL VPN Smart Tunnel Lists Page.

Style Objects

Displays a table of defined style objects. See Style Objects Page.

Text Objects

Displays a table of defined free-form text objects. See Text Objects Page.

Time Ranges

Displays a table of defined time range objects. See Time Ranges Page.

Traffic Flows

Displays a table of defined traffic flow objects. See Traffic Flows Page.

User Groups

Displays a table of defined user group objects. See User Groups Objects Page.

WINS Server Lists

Displays a table of defined WINS Server List objects. See WINS Server Lists Page.


Policy Object Manager Window—Work Area Buttons

Use the buttons displayed in the work area of the Policy Object Manager window to perform actions on the objects that are displayed there.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager Window

Object Type Selector

Policy Object Manager Window—Shortcut Menu

"Policy Object Manager User Interface Reference"

Field Reference

Table F-3 Policy Object Manager Work Area Buttons 

Button
Description

New Object—Opens the dialog box for creating an object of the selected type.

Edit Object—Opens the dialog box for editing the selected object. Only user-defined objects may be edited.

Delete Object—Deletes the selected objects. Only user-defined objects may be deleted.

Close button

Closes the Policy Object Manager window.

Help button

Displays a context-sensitive help topic for the page displayed in the work area.


Policy Object Manager Window—Shortcut Menu

Right-click anywhere inside the work area of the Policy Object Manager window to display a shortcut menu for performing various functions on the selected object type.

Navigation Path

Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.

Related Topics

Policy Object Manager Window

Object Type Selector

Policy Object Manager Window—Work Area Buttons

"Policy Object Manager User Interface Reference"

Field Reference

Table F-4 Policy Object Manager Window—Shortcut Menu 

Menu Command
Description

New Object

Opens the dialog box for creating an object of the selected type.

Edit Object

Opens the dialog box for editing the selected object. Only user-defined objects may be edited.

Delete Object

Deletes the selected objects. Only user-defined objects may be deleted.

Edit Device Overrides

Opens the Policy Object Overrides Window. From here, you can create, edit, and delete device-level object overrides.

Create Duplicate

Opens the dialog box for creating a copy of the selected object.

Note You must enter a name for the new object. Other object properties can be modified as required.

Find Usage

Opens the Object Usage Window, which contains a usage report about the selected object.

View Object

Opens a read-only dialog box containing the complete definition of the selected object.


AAA Server Groups Page

Use the AAA Server Groups page to view, create, edit, copy, and delete AAA server group objects. When defining a policy that uses a AAA server for authentication, authorization, or accounting, you select the server by selecting the server group to which the server belongs.

Navigation Path

Open the Policy Object Manager Window, then select AAA Server Groups from the Object Type selector.

Related Topics

Understanding AAA Server Group Objects, page 9-10

Policy Object Overrides Window

Policy Object Manager Window

"Policy Object Manager User Interface Reference"

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table F-5 AAA Server Groups Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the object.

Protocol

The protocol defined for the AAA servers contained in the AAA server group.

Category

The category that is assigned to the object. See Understanding Category Objects, page 9-39.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 9-164.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the AAA Server Group Dialog Box. From here you can create a AAA server group object.

Edit Object button

Opens the AAA Server Group Dialog Box. From here you can edit the selected user-defined AAA server group.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected AAA server groups from the table.

Note You cannot delete an object that is referenced by policies or other objects.


AAA Server Group Dialog Box

Use the AAA Server Group dialog box to create, copy, and edit AAA server groups.

Navigation Path

Go to the AAA Server Groups Page in the Policy Object Manager Window, then click New Object or Edit Object beneath the table.

Related Topics

Creating AAA Server Group Objects, page 9-13

Understanding AAA Server Group Objects, page 9-10

AAA Server Dialog Box

Policy Object Manager Window

Field Reference

Table F-6 AAA Server Group Dialog Box 

Element
Description

Name

The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported.

For more information, see Guidelines for Managing Objects, page 9-3.

Note Cisco IOS routers do not support AAA server groups named RADIUS, TACACS, or TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such as "rad" or "tac".

Note If you define this AAA server group as the RADIUS or TACACS+ default group, any name you define here is automatically replaced in the device configuration by the default name (RADIUS or TACACS+) upon deployment.

Description

Additional information about the object (up to 1024 characters).

Protocol

The protocol used by the AAA servers in the group:

RADIUS

Kerberos

TACACS+

LDAP

NT

SDI

HTTP-FORM

AAA Servers

The AAA servers that comprise the server group. Enter the names of AAA servers or click Select to display an object selector (see Object Selectors). The selector displays only those AAA servers that match the protocol you selected for the group.

Tip If the AAA server you want is not listed, click the Create button or the Edit button in the selector to display the AAA Server Dialog Box. From here you can define a AAA server object. Bear in mind, however, that the group must include only servers that use the protocol you selected.

Make this Group the Default AAA Server Group (IOS)

Applies only to IOS devices.

When selected, designates this AAA server group as the default group for the RADIUS or TACACS+ protocol. Select this check box if you intend to use a single global group for the selected protocol for all policies on a specific device requiring AAA.

When deselected, creates a AAA server group that is not designated as the default group for that protocol. Leave this check box deselected if you intend to create multiple RADIUS or TACACS+ AAA server groups. Multiple groups can be used to separate different AAA functions (for example, use one group for authentication and a different group for authorization) or to separate different customers in a VRF environment.

Note When you discover an IOS router, any AAA servers in the device configuration that are not members of a AAA server group are placed in special groups created by Security Manager called CSM-rad-grp (for RADIUS) and CSM-tac-grp (for TACACS+). These two groups, which are marked as default AAA server groups in the Policy Object Manager, are created solely to enable Security Manager to manage these servers. During deployment, the AAA servers in these special groups are deployed back to the device as individual servers. For more information, see Default AAA Server Groups and IOS Devices, page 9-12.

Max Failed Attempts (PIX, ASA, FWSM)

Applies only to PIX/ASA/FWSM devices.

The number of connection attempts that can fail before an unresponsive AAA server in the group is deactivated.

Values range from 1 to 5.

Reactivation Mode (PIX, ASA, FWSM)

Applies only to PIX/ASA/FWSM devices.

The method to use when reactivating failed AAA servers in the group:

Depletion—Reactivate failed servers only after all of the servers in the group fail. This is the default.

Timed—Reactivate failed servers after 30 seconds of downtime.

Note You must use the Timed option when using Simultaneous as the Group Accounting Mode.

Reactivation Deadtime (PIX, ASA, FWSM)

Applies only to PIX/ASA/FWSM devices and only when Depletion is the selected reactivation mode.

The number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. Values range from 0 to 1440 minutes (24 hours).

Group Accounting Mode (PIX, ASA, FWSM)

Applies only to PIX/ASA/FWSM devices using RADIUS or TACACS+.

The method for sending accounting messages to the AAA servers in the group:

Simultaneous—Accounting messages are sent to all servers in the group simultaneously.

Note If you select this option, you must select Timed as the Reactivation Mode.

Single—Accounting messages are sent to a single server in the group. This is the default.
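The following Python example, added here and not part of Security Manager or this guide, models how Max Failed Attempts, Reactivation Mode, Reactivation Deadtime and Group Accounting Mode interact on a PIX/ASA/FWSM group. The server names, the clock values and the deadtime are constructed for the example; the 30-second Timed interval is the one the guide states, and the constructor enforces the same rule as the two Notes above (Simultaneous accounting requires Timed reactivation).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fixed interval used by the Timed reactivation mode (seconds), as given in the guide.
TIMED_REACTIVATION_SECONDS = 30


@dataclass
class AaaServerGroup:
    """Model of the PIX/ASA/FWSM group settings in the dialog box. Server names,
    time values and the 'now' clock are constructed for the example."""
    servers: List[str]
    max_failed_attempts: int = 3            # 1 to 5
    reactivation_mode: str = "depletion"    # "depletion" or "timed"
    reactivation_deadtime_min: int = 10     # 0 to 1440, depletion mode only
    accounting_mode: str = "single"         # "single" or "simultaneous"
    failures: Dict[str, int] = field(default_factory=dict)
    deactivated_at: Dict[str, float] = field(default_factory=dict)
    depleted_at: Optional[float] = None

    def __post_init__(self) -> None:
        # The same constraints the dialog box enforces.
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts must be 1-5")
        if not 0 <= self.reactivation_deadtime_min <= 1440:
            raise ValueError("Reactivation Deadtime must be 0-1440 minutes")
        if self.reactivation_mode not in ("depletion", "timed"):
            raise ValueError("unknown reactivation mode")
        if self.accounting_mode == "simultaneous" and self.reactivation_mode != "timed":
            raise ValueError("Simultaneous accounting requires Timed reactivation")

    def record_failure(self, server: str, now: float) -> None:
        """One unanswered request. After max_failed_attempts the server is deactivated."""
        if server in self.deactivated_at:
            return
        self.failures[server] = self.failures.get(server, 0) + 1
        if self.failures[server] >= self.max_failed_attempts:
            self.deactivated_at[server] = now
            self.failures[server] = 0
            if self.reactivation_mode == "depletion" and len(self.deactivated_at) == len(self.servers):
                self.depleted_at = now      # deadtime starts when the last server goes down

    def record_success(self, server: str) -> None:
        self.failures[server] = 0

    def _reactivate(self, now: float) -> None:
        if self.reactivation_mode == "timed":
            # Each server comes back on its own after the fixed 30 seconds.
            for server, since in list(self.deactivated_at.items()):
                if now - since >= TIMED_REACTIVATION_SECONDS:
                    del self.deactivated_at[server]
        elif self.depleted_at is not None and now - self.depleted_at >= self.reactivation_deadtime_min * 60:
            # Depletion: nothing comes back until all are down and the deadtime has passed.
            self.deactivated_at.clear()
            self.depleted_at = None

    def active_servers(self, now: float) -> List[str]:
        self._reactivate(now)
        return [s for s in self.servers if s not in self.deactivated_at]

    def accounting_targets(self, now: float) -> List[str]:
        """Where one accounting message goes: every active server, or only the first."""
        active = self.active_servers(now)
        return active if self.accounting_mode == "simultaneous" else active[:1]
```

Note what Depletion with a deadtime of 0 means in this model: the moment the last server is deactivated, every server is immediately eligible again, so a group whose servers are all unreachable keeps retrying them without pause. A non-zero deadtime is the setting that actually throttles that.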

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page.

Allow Value Override per Device

When selected, allows the global object definition defined here to be changed at the device level. See Allowing a Global Object to Be Overridden, page 9-164.

When deselected, does not allow the global object definition to be overridden.

Tip When editing a AAA server group object that can be overridden, click the Edit button to display the Policy Object Overrides Window. From here you can create, edit, and view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.


AAA Servers Page

Use the AAA Servers page to view, create, edit, copy, and delete AAA server objects. These objects are collected into AAA server group objects.

Navigation Path

Open the Policy Object Manager Window, then select AAA Servers from the Object Type selector.

Related Topics

Understanding AAA Server Objects, page 9-15

AAA Server Groups Page

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

"Policy Object Manager User Interface Reference"

Object Usage Window

Field Reference

Table F-7 AAA Servers Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the object.

Host

The IP address of the AAA server to which authentication requests will be sent.

Protocol

The protocol defined for the AAA server.

Category

The category that is assigned to the object.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the AAA Server Dialog Box. From here you can create a AAA server object.

Edit Object button

Opens the AAA Server Dialog Box. From here you can edit the selected AAA server object.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected AAA server objects from the table.

Note You cannot delete an object that is referenced by policies or other objects.


AAA Server Dialog Box

Use AAA Server dialog box to create, copy, and edit a AAA server object.

Navigation Path

Go to the AAA Servers Page in the Policy Object Manager Window, then click New Object or Edit Object beneath the table.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

Policy Object Manager Window

AAA Server Group Dialog Box

Field Reference

Table F-8 AAA Server Dialog Box—General Settings 

Element
Description

Name

The object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-3.

Description

Additional information about the object (up to 1024 characters).

Host

IP Address—The IP address of the AAA server to which authentication requests will be sent. Enter one or more host addresses or network/host objects, or click Select to display an object selector.

DNS Name—(For PIX/ASA devices running 7.2 and above) The DNS hostname of the AAA server. The maximum length is 128 characters. The hostname can contain alphanumeric characters and hyphens, but each element of the hostname must begin and end with an alphanumeric character. Use a period (.) to separate elements.

Interface

The interface whose IP address should be used for all outgoing RADIUS or TACACS+ packets (known as the source interface). Enter the name of an interface or interface role, or click Select to display an object selector.

If you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name.

If you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces.

Tip If the interface role you want is not listed, click the Create button or the Edit button in the selector to display the Interface Role Dialog Box. From here you can define an interface role object.

Note Only one source interface can be defined for the AAA servers in a AAA server group. An error is displayed when you submit your changes if different AAA servers in the group use different source interfaces. See Creating AAA Server Group Objects, page 9-13.

Timeout

The amount of time to wait until the AAA server is considered unresponsive.

Valid values for Cisco IOS routers range from 1 to 1000 seconds. The default is 5 seconds.

Valid values for ASA devices, and for other firewall devices running PIX 7.0, range from 1 to 60 seconds. The default is 10 seconds.

Valid values for PIX devices running PIX 6.3 range from 1 to 30 seconds. The default is 5 seconds.

Protocol

The protocol used by the AAA server:

RADIUS—See AAA Server Dialog Box—RADIUS Settings.

TACACS+—See AAA Server Dialog Box—TACACS+ Settings.

Kerberos (ASA devices only)—See AAA Server Dialog Box—Kerberos Settings.

LDAP (ASA devices only)—See AAA Server Dialog Box—LDAP Settings.

NT (ASA devices only)—See AAA Server Dialog Box—NT Settings.

SDI (ASA devices only)—See AAA Server Dialog Box—SDI Settings.

HTTP-FORM (ASA devices only)—See AAA Server Dialog Box—HTTP-FORM Settings.

Note You cannot edit the protocol if the server is defined as part of a AAA server group.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page.

OK button

Saves your changes to the server and closes the dialog box.


AAA Server Dialog Box—RADIUS Settings

Use the RADIUS settings in the AAA Server dialog box to configure a RADIUS AAA server object.

Navigation Path

Go to the AAA Server Dialog Box, then click RADIUS in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-9 AAA Server Dialog Box—RADIUS Settings 

Element
Description

Key

The shared secret that the device and the RADIUS server use to authenticate the packets they exchange and to hide the User-Password attribute. RADIUS does not encrypt the rest of the packet: the username and the other attributes are sent in clear text. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted.

The key you define in this field must match the key on the RADIUS server. Enter the key again in the Confirm field.

Note Spaces are not allowed in keys defined for PIX/ASA/FWSM devices. A key with a space causes activity validation to fail.

Note You can discover encrypted keys defined on Cisco IOS routers. However, if you make any changes to the key, the key type is changed to clear text.

Note If you do not define a key, traffic between the AAA server and its AAA clients is neither authenticated nor protected. A warning message is displayed.

Authentication/Authorization Port

The port on which AAA authentication and authorization are performed. Default is 1645. This is the legacy RADIUS authentication port; the IANA-assigned port is 1812 (RFC 2865). Set the value to the port on which the RADIUS server actually listens.

Accounting Port

The port on which AAA accounting is performed. Default is 1646. The IANA-assigned accounting port is 1813 (RFC 2866); as with authentication, match the server.

RADIUS Password (PIX 7.x, ASA/FWSM 3.x)

Applies to PIX 7.x/ASA/FWSM 3.1 and later devices.

The alphanumeric keyword that serves as the password to the RADIUS server (maximum of 128 characters; spaces are not allowed). Enter the password again in the Confirm field.

Retry Interval (PIX 7.x, ASA/FWSM 3.x)

Applies to PIX 7.x/ASA/FWSM 3.1 and later devices.

The interval between attempts to contact the AAA server. Valid values are:

ASA devices—1 to 10 seconds.

PIX devices—1 to 5 seconds.

ACL Netmask Convert (PIX 7.x, ASA/FWSM 3.x)

Applies to PIX 7.x/ASA/FWSM 3.1 and later devices.

The method for handling the netmask expressions that are contained in downloadable ACLs received from the RADIUS server:

Standard—The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed. This is the default.

Auto-Detect—The security appliance tries to determine the type of netmask expression used in the downloadable ACL. If it detects a wildcard netmask expression, it converts it to a standard netmask expression.

Wildcard—The security appliance assumes that all downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions, which it converts to standard netmask expressions.

Some Cisco products, including Cisco IOS routers, require that downloadable ACLs be configured with wildcards instead of network masks. ASA devices, on the other hand, require that downloadable ACLs be configured with network masks. This feature allows the ASA device to internally convert a wildcard to a netmask. Translation of wildcard netmask expressions means that downloadable ACLs written for Cisco IOS routers can be used by ASA devices without altering the configuration of the ACLs on the RADIUS server.


AAA Server Dialog Box—TACACS+ Settings

Use the TACACS+ settings in the AAA Server dialog box to configure a TACACS+ AAA server object.

Navigation Path

Go to the AAA Server Dialog Box, then click TACACS+ in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-10 AAA Server Dialog Box—TACACS+ Settings 

Element
Description

Key

The shared secret used to encrypt the body of the TACACS+ packets exchanged between the client and the AAA server; the packet header is not encrypted. The key is a case-sensitive, alphanumeric string of up to 127 characters (U.S. English). Spaces and special characters are permitted.

The key you define in this field must match the key on the TACACS+ server. Enter the key again in the Confirm field.

Note Activity validation fails if you try defining a key with a space on a PIX/ASA/FWSM device.

Note You can discover encrypted keys defined on Cisco IOS routers. However, if you make any changes to the key, the key type is changed to clear text.

Note If you do not define a key, all traffic between the AAA server and its AAA clients is sent unencrypted. A warning message is displayed.

Server Port

The port used for communicating with the AAA server. The default is 49.


AAA Server Dialog Box—Kerberos Settings

Use the Kerberos settings in the AAA Server dialog box to configure a Kerberos AAA server object.


Note This type of AAA server can be configured only on ASA security appliances.


Navigation Path

Go to the AAA Server Dialog Box, then click Kerberos in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-11 AAA Server Dialog Box—Kerberos Settings 

Element
Description

Server Port

The port used for communicating with the AAA server. Default is 88.

Kerberos Realm Name

The name of the realm containing the Kerberos authentication server and ticket granting server (maximum of 64 characters).

Retry Interval

The interval between attempts to contact the AAA server. Valid values range from 1 to 10 seconds.


AAA Server Dialog Box—LDAP Settings

Use the LDAP settings in the AAA Server dialog box to configure a LDAP AAA server object.


Note This type of AAA server can be configured only on ASA security appliances.


Navigation Path

Go to the AAA Server Dialog Box, then click LDAP in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-12 AAA Server Dialog Box—LDAP Settings 

Element
Description

Enable LDAP over SSL

When selected, establishes an SSL connection (LDAPS) between the ASA device and the LDAP server. LDAPS normally uses port 636 rather than the default of 389, so set Server Port to the port on which the LDAP server accepts SSL connections.

When deselected, SSL is not used for communications between the ASA device and the LDAP server.

Note You must select this option when using a Microsoft Active Directory LDAP server in order to enable password management.

Server Port

The port used for communicating with the AAA server. Default is 389.

LDAP Hierarchy Location

The base distinguished name (DN), which is the location in the LDAP hierarchy where the authentication server should begin searching when it receives an authorization request. For example, OU=Cisco. The maximum length is 128 characters.

The string is case-sensitive. Spaces are not permitted, but other special characters are allowed.

LDAP Scope

The scope of LDAP searches:

onelevel—Searches only one level beneath the base DN. This type of search scope is faster than a subtree search, because it is less comprehensive. This is the default.

subtree—Searches all levels beneath the base DN.

LDAP Distinguished Name

The DN and password that uniquely identify this ASA device in the LDAP schema (maximum of 128 characters). The DN is similar to a unique key in a database or a fully qualified path for a file.

Note These parameters are used only when the LDAP server requires them for authentication.

LDAP Login Directory

The name of the directory object in the LDAP hierarchy used for authenticated binding (maximum of 128 characters). Authenticated binding is required by some LDAP servers (including the Microsoft Active Directory server) before other LDAP operations can be performed.

This string is case-sensitive. Spaces are not permitted in the string, but other special characters are allowed.

LDAP Login Password

The case-sensitive, alphanumeric password for accessing the LDAP server (maximum of 64 characters). Spaces are not allowed.

SASL MD5 Authentication

Establishes a Simple Authentication and Security Layer (SASL) mechanism to authenticate an LDAP client (the ASA device) with an LDAP server.

When selected, the ASA device authenticates with the SASL DIGEST-MD5 mechanism: it sends the LDAP server an MD5 digest computed from the username, the password and a challenge issued by the server, so the password itself is not transmitted.

When deselected, the MD5 authentication option is not used.

SASL Kerberos Authentication

Establishes an SASL mechanism to authenticate an LDAP client (the ASA device) to an LDAP server.

When selected, the ASA device sends the LDAP server the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism. This mechanism is stronger than the MD5 mechanism.

When deselected, the Kerberos authentication option is not used.

Note You can define one or both SASL authentication mechanisms. When negotiating SASL authentication, the ASA device retrieves the list of SASL mechanisms configured on the LDAP server and selects the strongest mechanism configured on both devices.

Kerberos Server Group

Applies only when SASL Kerberos authentication is enabled.

The name of the Kerberos AAA server group used for SASL authentication. The maximum length is 16 characters.

LDAP Server Type

The type of LDAP server used for AAA:

Auto-Detect—The ASA device tries to determine the server type automatically. This is the default.

Microsoft—The LDAP server is a Microsoft Active Directory server.

Sun—The LDAP server is a Sun Microsystems JAVA System Directory Server.

Note You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

LDAP Attribute Map

The LDAP attribute configuration to bind to the LDAP server. Enter the name of an LDAP attribute map or click Select to display an object selector.

LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. For more information, see Understanding LDAP Attribute Map Objects, page 9-103.


AAA Server Dialog Box—NT Settings

Use the NT settings in the AAA Server dialog box to configure an NT AAA server object.


Note This type of AAA server can be configured only on ASA security appliances.


Navigation Path

Go to the AAA Server Dialog Box, then click NT in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-13 AAA Server Dialog Box—NT Settings 

Element
Description

Server Port

The port used for communicating with the AAA server. The default is 139.

NT Authentication Host

The hostname of the domain controller that performs the authentication (maximum of 16 characters).


AAA Server Dialog Box—SDI Settings

Use the SDI settings in the AAA Server dialog box to configure an SDI AAA server object.


Note This type of AAA server can be configured only on ASA security appliances.


Navigation Path

Go to the AAA Server Dialog Box, then click SDI in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-14 AAA Server Dialog Box—SDI Settings 

Element
Description

Server Port

The port used for communicating with the AAA server. The default is 5500.

Retry Interval

The interval between attempts to contact the AAA server. Valid values range from 1 to 10 seconds. The default is 10 seconds.

SDI Server Version

The SDI server version:

SDI-pre-5 (all SDI versions before version 5.0; this is the default)

SDI-5 (SDI version 5.0)

SDI pre-5 Slave Server

Applies only when using a version of SDI prior to version 5.0.

A secondary server to be used for authentication if the primary server fails. Enter an IP address or the name of a network/host object, or click Select to display a selector.


AAA Server Dialog Box—HTTP-FORM Settings

Use the HTTP-FORM settings in the AAA Server dialog box to configure an HTTP-Form AAA server object for single sign-on authentication (SSO).


Note This type of AAA server can be configured only on ASA security appliances.


Navigation Path

Go to the AAA Server Dialog Box, then click HTTP-FORM in the Protocol field.

Related Topics

Creating AAA Server Objects, page 9-19

Understanding AAA Server Objects, page 9-15

AAA Server Group Dialog Box

Field Reference

Table F-15 AAA Server Dialog Box—HTTP-Form Settings 

Element
Description

Start URL

The URL from which the WebVPN server of the security appliance should retrieve an optional pre-login cookie. The maximum URL length is 1024 characters.

The authenticating web server may execute a pre-login sequence by sending a Set-Cookie header along with the login page content. The URL in this field defines the location from which the cookie is retrieved.

Note The actual login sequence starts after the pre-login cookie sequence.

Action URI

The Uniform Resource Identifier (URI) that defines the location and name of the authentication program on the web server to which the security appliance sends HTTP POST requests for single sign-on (SSO) authentication.

The maximum length of the action URI is 2048 characters.

Tip You can discover the action URI on the authenticating web server by connecting to the web server's login page directly with a browser. The URL of the login web page displayed in your browser is the action URI for the authenticating web server.

Username Parameter

The name of the username parameter included in HTTP POST requests for SSO authentication. The maximum length is 128 characters.

Note At login, the user enters the actual name value, which is entered into the HTTP POST request and passed on to the authenticating web server.

Password Parameter

The name of the password parameter included in HTTP POST requests for SSO authentication. The maximum length is 128 characters.

Note At login, the user enters the actual password value, which is entered into the HTTP POST request and passed on to the authenticating web server.

Hidden Values

The hidden parameters included in HTTP POST requests for SSO authentication. They are referred to as hidden parameters because, unlike the username and password, they are not visible to the user.

The maximum length of the hidden parameters is 2048 characters.

Tip You can discover the hidden parameters that the authenticating web server expects in POST requests by using an HTTP header analyzer on a form received from the web server.

Authentication Cookie Name

The name of the authentication cookie used for SSO by the security appliance. The maximum length is 128 characters.

If SSO authentication succeeds, the authenticating web server passes this authentication cookie to the client browser. The client browser then authenticates to other web servers in the SSO domain by presenting this cookie.
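The following Python example, added here and not part of the ASA software or this guide, replays the exchange these fields describe with both sides in one process: a stand-in web server that issues a pre-login cookie at the Start URL and handles the form login at the Action URI, and a client that does what the security appliance does with the Username Parameter, Password Parameter, Hidden Values and Authentication Cookie Name. The URLs, parameter names, hidden values and the test account are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# The dialog box fields, with constructed values (example only).
HTTP_FORM_SERVER = {
    "start_url": "https://sso.example.test/sso/start",
    "action_uri": "https://sso.example.test/sso/login",
    "username_param": "user",
    "password_param": "pwd",
    "hidden_values": "app=vpn&ver=2",
    "auth_cookie_name": "SSOAUTH",
}

Response = Tuple[int, Dict[str, str], str]


class FormAuthServer:
    """Stand-in for the authenticating web server: a pre-login cookie sequence on
    the start URL and a form login on the action URI. Constructed for the example."""

    def __init__(self) -> None:
        self.users = {"alice": "s3cret!"}          # constructed test account
        self.prelogin_tokens = set()
        self.cookie_key = secrets.token_bytes(16)

    def handle(self, method: str, url: str, headers: Optional[Dict[str, str]] = None,
               body: str = "") -> Response:
        headers = headers or {}
        path = urlsplit(url).path
        if method == "GET" and path == "/sso/start":
            token = secrets.token_hex(8)
            self.prelogin_tokens.add(token)       # the Set-Cookie the appliance must echo back
            return 200, {"Set-Cookie": f"prelogin={token}; Path=/"}, "<form ...>"
        if method == "POST" and path == "/sso/login":
            jar = SimpleCookie(headers.get("Cookie", ""))
            form = dict(parse_qsl(body))
            if "prelogin" not in jar or jar["prelogin"].value not in self.prelogin_tokens:
                return 403, {}, "pre-login cookie missing or unknown"
            if form.get("app") != "vpn" or form.get("ver") != "2":
                return 400, {}, "hidden form fields missing"
            user = form.get("user", "")
            expected = self.users.get(user, "").encode()
            if not hmac.compare_digest(expected, form.get("pwd", "").encode()):
                return 401, {}, "bad credentials"
            tag = hmac.new(self.cookie_key, user.encode(), hashlib.sha256).hexdigest()[:32]
            return 200, {"Set-Cookie": f"SSOAUTH={user}.{tag}; Path=/; Secure; HttpOnly"}, "ok"
        return 404, {}, "not found"


def http_form_sso(server: FormAuthServer, cfg: Dict[str, str],
                  username: str, password: str) -> Optional[str]:
    """The sequence the security appliance performs on the user's behalf.
    Returns the authentication cookie value, or None if any step fails."""
    jar = SimpleCookie()
    if cfg.get("start_url"):                       # optional pre-login cookie sequence
        status, hdrs, _ = server.handle("GET", cfg["start_url"])
        if status != 200:
            return None
        jar.load(hdrs.get("Set-Cookie", ""))
    fields = dict(parse_qsl(cfg["hidden_values"]))  # hidden values exactly as the form expects
    fields[cfg["username_param"]] = username
    fields[cfg["password_param"]] = password         # sent in clear inside the POST body
    req_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if jar:
        req_headers["Cookie"] = "; ".join(f"{k}={m.value}" for k, m in jar.items())
    status, hdrs, _ = server.handle("POST", cfg["action_uri"], req_headers, urlencode(fields))
    if status != 200:
        return None
    got = SimpleCookie(hdrs.get("Set-Cookie", ""))
    name = cfg["auth_cookie_name"]
    return got[name].value if name in got else None
```

Two things the exchange makes visible: the password crosses the network in the POST body, so the Action URI should be an https URL, and the returned cookie is a bearer credential accepted by every server in the SSO domain. The example also reproduces the configuration mistakes that fail with no useful message at the user's browser: a hidden value the form expects is left out, the Start URL is omitted although the web server insists on its pre-login cookie, or the Authentication Cookie Name does not match what the server sets.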


Access Control Lists Page

Use the Access Control Lists page to define extended, standard, and web Access Control List objects. You can designate ACL objects as entries within other ACL objects. From this page, you can add, edit, and delete objects. You can also generate usage reports of policies that use the object.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector.

Related Topics

Understanding Access Control List Objects, page 9-20

Creating Access Control List Objects, page 9-24

Understanding the Policy Object Manager Window, page 9-4

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table F-16 Access Control Lists Page 

Element
Description

Extended IP ACL tab

Enables you to configure settings for extended ACL objects. For a description of the GUI elements see Table F-17.

Standard IP ACL tab

Enables you to configure settings for standard ACL objects. For a description of the GUI elements, see Table F-20.

Web ACL tab

Enables you to configure settings for web ACL objects. For a description of the GUI elements, see Table F-23.

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

New Object button

Enables you to create an object. See Creating Access Control List Objects, page 9-24.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Extended Tab

Use the Extended tab to define an extended ACL object. From this page, you can add, edit, and delete objects. You can also generate usage reports of policies that use the object. When Security Manager generates the configuration for a device, an extended ACL object is deployed with the access-list extended command.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector.


Note The Extended tab opens by default the first time the Access Control Lists page is accessed. Subsequent visits to the page display the last opened tab.


Related Topics

Understanding Access Control List Objects, page 9-20

Creating Extended Access Control List Objects, page 9-24

Field Reference

Table F-17 Extended Tab 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

Name

Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name.

You can click the arrow to expand or collapse the contents of the ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network/host object names or host addresses. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 9-104.

Destination

Identifies the destination network/host object names or host addresses. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 9-104.

Service

Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas. See Understanding Service Objects, page 9-123.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Enables you to create an object. See Creating Extended Access Control List Objects, page 9-24.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit Extended Access List Pages

Use the Add and Edit Extended Access List pages to define ACEs for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Access Control List Objects, page 9-20

Creating Extended Access Control List Objects, page 9-24

Field Reference

Table F-18 Add and Edit Extended Access List Pages 

Element
Description

Name*

Identifies the name of the ACL object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). Maximum length is 128 characters.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

Name

Identifies the name of the included ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

For more information, see Understanding Network/Host Objects, page 9-104.

Destination

Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

For more information, see Understanding Network/Host Objects, page 9-104.

Service

Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas.

Enter the service objects in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

The following formats are supported:

TCP or UDP / Destination port or port range (for example, TCP / 80).

TCP or UDP / Source port or port range / Destination port or port range (for example, TCP / 1024-65535/80).

ICMP / ICMP message (for example, ICMP / echo-reply, ICMP / 200).

Freeform text that is the name of the service object.

For more information, see Understanding Service Objects, page 9-123.
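The following Python example, added here and not Security Manager's own code, parses the Source, Destination and Service formats listed above (the same formats appear again in the Add and Edit Extended Access Control Entry dialog box) and fans one table row out into the access-list ... extended entries the device receives. The object tables, the ACL name and the ASA command syntax are assumptions of the example; an IOS router receives ip access-list extended syntax instead. A range is split into the networks that cover it, since the device command has no range form for addresses.

```python
import ipaddress
import itertools
import re
from typing import List, Tuple

# Stand-ins for Policy Object Manager network/host and service objects (constructed).
NETWORK_OBJECTS = {"Corp-LAN": ["10.0.0.0/8"], "DMZ-Web": ["192.0.2.10", "192.0.2.11"]}
SERVICE_OBJECTS = {"HTTPS": ["TCP / 443"]}
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)$")


def expand_address(spec: str) -> List[str]:
    """One Source or Destination entry -> ASA address clauses.
    Accepts a host, a.b.c.d/e with a prefix length or a dotted mask,
    a.b.c.d-e.f.g.h ranges, 'any' and object names."""
    spec = spec.strip()
    if spec.lower() == "any":
        return ["any"]
    if spec in NETWORK_OBJECTS:
        return [c for member in NETWORK_OBJECTS[spec] for c in expand_address(member)]
    rng = RANGE_RE.match(spec)
    if rng:
        lo, hi = ipaddress.IPv4Address(rng.group(1)), ipaddress.IPv4Address(rng.group(2))
        return [c for net in ipaddress.summarize_address_range(lo, hi) for c in expand_address(str(net))]
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        if "." in mask:
            inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
            if inverted & (inverted + 1):          # discontiguous mask: no prefix form exists
                return [f"{addr} {mask}"]
        net = ipaddress.IPv4Network(spec, strict=False)
        if net.prefixlen == 32:
            return [f"host {net.network_address}"]
        return [f"{net.network_address} {net.netmask}"]
    try:
        ipaddress.IPv4Address(spec)
    except ValueError:
        raise KeyError(f"unknown network/host object: {spec}") from None
    return [f"host {spec}"]


def _port_clause(ports: str) -> str:
    if "-" in ports:
        lo, hi = (p.strip() for p in ports.split("-", 1))
        return f"range {lo} {hi}"
    return f"eq {ports.strip()}"


def expand_service(spec: str) -> List[Tuple[str, str, str]]:
    """'TCP / 80', 'TCP / 1024-65535/80', 'ICMP / echo-reply' or an object name
    -> (protocol, source-port clause, destination-port or ICMP-type clause)."""
    spec = spec.strip()
    if spec in SERVICE_OBJECTS:
        return [t for member in SERVICE_OBJECTS[spec] for t in expand_service(member)]
    parts = [p.strip() for p in spec.split("/")]
    proto = parts[0].lower()
    if proto == "icmp":
        return [("icmp", "", parts[1] if len(parts) > 1 else "")]
    if proto not in ("tcp", "udp") or len(parts) not in (2, 3):
        raise ValueError(f"unsupported service: {spec}")
    if len(parts) == 2:
        return [(proto, "", _port_clause(parts[1]))]
    return [(proto, _port_clause(parts[1]), _port_clause(parts[2]))]


def build_aces(acl_name: str, action: str, sources: List[str],
               destinations: List[str], services: List[str]) -> List[str]:
    """Fan one table row out into the access-list ... extended lines the device needs.
    Every source/destination/service combination becomes its own entry."""
    srcs = [a for s in sources for a in expand_address(s)]
    dsts = [a for d in destinations for a in expand_address(d)]
    lines = []
    for svc in services:
        for proto, sport, dport in expand_service(svc):
            for src, dst in itertools.product(srcs, dsts):
                parts = ["access-list", acl_name, "extended", action, proto, src]
                if sport:
                    parts.append(sport)
                parts.append(dst)
                if dport:
                    parts.append(dport)
                lines.append(" ".join(parts))
    return lines
```

Because each row is the product of its source, destination and service entries, a row that looks small in the table can become many device ACEs, and a range that does not align to a subnet boundary adds several more. Reviewing the expanded lines is the quickest way to see what a row actually permits before it is deployed.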

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object. See Creating Extended Access Control List Objects, page 9-24.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the page.


Add and Edit Extended Access Control Entry Dialog Boxes

Use the Add or Edit Extended Access Control Entry dialog box to add an ACL object, or add or edit an ACE.


Note The same dialog box is used for adding and editing access control entries.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object. The Add or Edit Extended Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

Understanding Access Control List Objects, page 9-20

Creating Extended Access Control List Objects, page 9-24

Field Reference

Table F-19 Add and Edit Extended Access Control Entry Dialog Boxes 

Element
Description

Type

Access Control Entry—Identifies the entry as an ACE.

ACL Object(s)—Identifies the entry as an ACL object.

Note The dialog box values will vary according to your selection.

Access Control Entry (ACE) Type

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Note Every ACL ends with an implicit deny: the security appliance drops any packet on the originating interface that no ACE explicitly permits.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Source*

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

For more information, see Understanding Network/Host Objects, page 9-104.

Destination*

Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

For more information, see Understanding Network/Host Objects, page 9-104.

Service*

Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas.

Enter the service objects in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Objects selector dialog box.

The following formats are supported:

TCP or UDP / Destination port or port range (for example, TCP / 80).

TCP or UDP / Source port or port range / Destination port or port range (for example, TCP / 1024-65535/80).

ICMP / ICMP message (for example, ICMP / echo-reply, ICMP / 200).

Freeform text that is the name of the service object.

For more information, see Understanding Service Objects, page 9-123.

Description

(Optional) Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

ACL Object(s) Entry Type

Available Access Control Lists

Displays the ACL objects that are defined.

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

Add >> button

Adds selected ACL objects to the Selected Access Control Lists column.

Remove << button

Removes selected ACL objects from the Selected Access Control Lists column.

Selected Access Control Lists

Displays the ACL objects that are selected.

OK button

Saves your changes to the server and closes the dialog box.
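As an added example (not code from Cisco Security Manager or this guide), the Python below renders the address and service notations accepted by the Source, Destination, and Service fields as the ASA extended ACE lines they stand for. Assumptions for illustration: a range is expanded into its covering CIDR blocks (how CSM itself renders a range is not described here), object names are resolved through a plain dict standing in for the object store, and the ACL and object names are invented. The log level and interval arguments take the same 0-7 and 1-600 second values as the ACE logging fields.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Added example, not Cisco Security Manager code.  It renders the address and
# service notations accepted by the Add/Edit Extended ACE dialog as ASA
# "access-list <name> extended ..." lines.  Assumptions: a range is expanded
# into its covering CIDR blocks, and object names are resolved through a
# plain dict standing in for the CSM object store.

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"


def _net_token(net: ipaddress.IPv4Network) -> str:
    """ASA address token: 'host A' for a /32, otherwise 'A MASK'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_acl_addresses(spec: str, objects: Optional[Dict[str, str]] = None,
                     _seen: Tuple[str, ...] = ()) -> List[str]:
    """Parse a comma-separated Source/Destination field: a.b.c.d, a.b.c.d/e
    (e = 1-32), a.b.c.d-e.f.g.h, a.b.c.d/x.x.x.x, or an object name that is
    looked up in 'objects' (nested names are followed, loops rejected)."""
    objects = objects or {}
    tokens: List[str] = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if re.fullmatch(IPV4, item):                                 # host
            tokens.append(_net_token(ipaddress.IPv4Network(item)))
        elif re.fullmatch(IPV4 + "-" + IPV4, item):                  # range
            lo, hi = (ipaddress.IPv4Address(p) for p in item.split("-"))
            # summarize_address_range raises ValueError if lo > hi
            tokens.extend(_net_token(n) for n in
                          ipaddress.summarize_address_range(lo, hi))
        elif re.fullmatch(IPV4 + r"/(?:\d{1,2}|" + IPV4 + ")", item):  # subnet
            # A discontiguous dotted mask makes IPv4Network raise ValueError,
            # which is what an ASA ACE needs anyway.
            net = ipaddress.IPv4Network(item, strict=False)
            if net.prefixlen == 0:
                raise ValueError(f"prefix length must be 1-32: {item}")
            tokens.append(_net_token(net))
        elif item in objects:                                        # object
            if item in _seen:
                raise ValueError(f"object reference loop at {item}")
            tokens.extend(to_acl_addresses(objects[item], objects, _seen + (item,)))
        else:
            raise ValueError(f"unknown address or object: {item}")
    return tokens


def _port_op(port: str) -> str:
    """'80' -> 'eq 80'; '1024-65535' -> 'range 1024 65535'."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", port)
    lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (-1, -1)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or port range: {port}")
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"


def to_acl_service(spec: str) -> Tuple[str, str, str]:
    """Parse 'TCP or UDP / dst', 'TCP or UDP / src / dst' or 'ICMP / message'
    into (protocol, source-port operator, destination-port operator)."""
    parts = [p.strip() for p in spec.split("/")]
    proto = parts[0].lower()
    if proto == "icmp" and len(parts) == 2:          # e.g. echo-reply or 200
        return proto, "", parts[1]
    if proto in ("tcp", "udp") and len(parts) in (2, 3):
        ops = [_port_op(p) for p in parts[1:]]
        return proto, (ops[0] if len(ops) == 2 else ""), ops[-1]
    raise ValueError(f"unsupported service notation: {spec}")


def render_extended_aces(acl: str, action: str, src: str, dst: str, service: str,
                         objects: Optional[Dict[str, str]] = None,
                         log_level: Optional[int] = None,
                         log_interval: Optional[int] = None) -> List[str]:
    """One ASA line per source/destination pair the ACE expands to.  log_level
    (0-7) and log_interval (1-600 s) map to the ACE 'log [level] [interval]'
    keywords, the same values the logging fields of the ACE dialogs take."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    proto, src_op, dst_op = to_acl_service(service)
    tail: List[str] = []
    if log_level is not None:
        if not 0 <= log_level <= 7 or (log_interval is not None and not 1 <= log_interval <= 600):
            raise ValueError("log level must be 0-7, interval 1-600 seconds")
        tail += ["log", str(log_level)] + (["interval", str(log_interval)] if log_interval else [])
    lines = []
    for s in to_acl_addresses(src, objects):
        for d in to_acl_addresses(dst, objects):
            words = ["access-list", acl, "extended", action, proto, s]
            words += ([src_op] if src_op else []) + [d] + ([dst_op] if dst_op else [])
            lines.append(" ".join(words + tail))
    return lines


if __name__ == "__main__":
    # Constructed input: a hypothetical object store and one ACE from the dialog.
    store = {"WEB_SERVERS": "192.0.2.10, 192.0.2.0/28", "DMZ": "WEB_SERVERS"}
    print("\n".join(render_extended_aces("OUTSIDE_IN", "permit", "10.1.1.1-10.1.1.2",
                                         "DMZ", "TCP / 1024-65535/80", store, 6, 300)))
```

Two details are worth noticing when you run it: a range whose ends do not align to a power-of-two block expands into several ACEs, which is why a single dialog row can become several lines of device configuration, and a discontiguous dotted mask is rejected outright rather than silently reinterpreted.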


Standard Tab

Use the Standard IP ACL page to define standard ACL objects. From this page, you can add, edit, and delete objects. You can also generate usage reports of policies that use the object. After a configuration is generated for the device, the access-list <name> standard command is shown, which is used in global configuration mode.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab.


Note The Extended tab opens by default the first time the Access Control Lists page is accessed. Subsequent visits to the page display the last opened tab.


Related Topics

Understanding Access Control List Objects, page 9-20

Creating Access Control List Objects, page 9-24

Understanding the Policy Object Manager Window, page 9-4

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table F-20 Standard ACL Tab 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

Name

Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name.

You can click the arrow to expand or collapse the contents of the ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 9-104.

Options

Displays if logging is turned on.

Enabled = LOG

Disabled = blank

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object. See Creating Standard Access Control List Objects, page 9-26.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit Standard Access List Pages

Use the Add and Edit Standard Access List pages to define ACEs for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.


Note The same page is used for adding and editing standard access lists.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Access Control List Objects, page 9-20

Creating Standard Access Control List Objects, page 9-26

Field Reference

Table F-21 Add and Edit Standard Access List Pages 

Element
Description

Name*

Identifies the name of the ACL object. Object names are not case sensitive. The first character of the name must be a letter. The remaining characters can be letters and numbers. Spaces are permitted, as are the following special characters: hyphens (-), underscores (_), periods (.), and plus signs (+). A maximum of 128 characters is allowed.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

Name

Identifies the name of the access control entry.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Source*

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

For more information, see Understanding Network/Host Objects, page 9-104.

Options

Displays if logging is turned on.

Enabled = LOG

Disabled = blank

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object. See Creating Standard Access Control List Objects, page 9-26.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit Standard Access Control Entry Dialog Boxes

Use the Add and Edit Standard Access Control Entry dialog boxes to add an ACL object, or add or edit an ACE.


Note The same dialog box is used for adding and editing standard access control entries.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Standard tab. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit Standard Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

Creating Standard Access Control List Objects, page 9-26

Understanding Access Control List Objects, page 9-20

Field Reference

Table F-22 Add and Edit Standard Access Control Entry Dialog Boxes 

Element
Description

Type

Access Control Entry—Identifies the entry added as an ACE.

ACL Object(s)—Identifies the entry added as an ACL object.

Note The dialog box values will vary according to your selection.

Access Control Entry (ACE) Type

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Note Every ACL ends with an implicit deny: the security appliance drops any packet on the originating interface that no ACE explicitly permits.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Source*

Identifies the source network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

For more information, see Understanding Network/Host Objects, page 9-104.

Description

Enables you to enter a description to help you identify an object or rule. Maximum characters allowed is 1024.

Log option

Yes

No

Note For packets denied by an ACE that has no log keyword, the security appliance generates syslog message 106023. A deny ACE must match the traffic for a denied packet to be logged.

Note When the log keyword is specified, the ACE generates syslog message 106100 instead, at a default level of 6 (informational).

Access Control List (ACL) Entry Type

Available Access Control Lists

Displays the ACL objects that are defined.

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

Add >> button

Adds selected ACL objects to the Selected Access Control Lists column.

Remove << button

Removes selected ACL objects from the Selected Access Control Lists column.

Selected Access Control Lists

Displays the ACL objects that are selected.

OK button

Saves your changes to the server and closes the dialog box.
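The notes on the Log option above refer to syslog messages 106023 and 106100. The Python below is an added example, not code from this guide or from Cisco Security Manager: it parses the documented ASA formats of those two messages from constructed sample lines, totals denied hits per source address, and lists the ACLs that are only ever seen through 106023, which means their deny ACEs carry no log keyword and give you neither hit counts nor visibility of permitted traffic. The ACL names, interfaces, and addresses in the sample log are constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Added example, not Cisco Security Manager code: parses the two ACL syslog
# messages named in the dialog's notes and summarises them.  The message
# formats are the documented ASA ones; the log lines below are constructed.
#
#   106023  a packet denied by an ACE that has no log keyword (default level 4)
#   106100  an ACE with the log keyword: verdict plus hit count per interval
#           (default level 6)

RE_106023 = re.compile(
    r"%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\S+) src (?P<sif>[^:]+):(?P<src>[^/ ]+)"
    r"(?:/(?P<sport>\d+))? dst (?P<dif>[^:]+):(?P<dst>[^/ ]+)(?:/(?P<dport>\d+))?"
    r' by access-group "(?P<acl>[^"]+)"')
RE_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied|est-allowed)"
    r" (?P<proto>\S+) (?P<sif>[^/]+)/(?P<src>[^( ]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[^( ]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)")

# Constructed sample capture (hypothetical ACL names, interfaces and addresses).
SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:192.0.2.5/49152 dst inside:10.1.1.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.0.2.5/51000 dst inside:10.1.1.10/161 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-106100: access-list DMZ_IN denied tcp dmz/192.0.2.77(40001) -> inside/10.1.1.10(22) hit-cnt 37 300-second interval [0x8c7b8d4e, 0x0]
%ASA-6-106100: access-list DMZ_IN permitted tcp dmz/192.0.2.78(40002) -> inside/10.1.1.20(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/3333 (198.51.100.9/3333) to inside:10.1.1.20/80 (10.1.1.20/80)
"""


def parse_acl_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return a normalised event for a 106023 or 106100 line, else None."""
    m = RE_106100.search(line)
    if m:
        d = m.groupdict()
        return {"id": 106100, "severity": int(d["sev"]), "acl": d["acl"],
                "verdict": d["verdict"], "proto": d["proto"],
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]), "hits": int(d["hits"])}
    m = RE_106023.search(line)
    if m:
        d = m.groupdict()
        return {"id": 106023, "severity": int(d["sev"]), "acl": d["acl"],
                "verdict": "denied", "proto": d["proto"],
                "src": d["src"], "sport": int(d["sport"]) if d["sport"] else None,
                "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
                "hits": 1}          # 106023 is one message per denied packet
    return None


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every line of a syslog capture, dropping messages of other types."""
    events = (parse_acl_syslog(ln) for ln in text.splitlines())
    return [e for e in events if e is not None]


def denied_hits_by_source(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Denied packet count per source address, counting 106100 hit-cnt values."""
    c: Counter = Counter()
    for e in events:
        if e["verdict"] == "denied":
            c[str(e["src"])] += int(e["hits"])
    return dict(c)


def acls_without_log_keyword(events: List[Dict[str, object]]) -> Set[str]:
    """ACLs seen only through 106023: their deny ACEs carry no log keyword, so
    hit counts and permitted traffic for them never reach syslog."""
    via_106023 = {str(e["acl"]) for e in events if e["id"] == 106023}
    via_106100 = {str(e["acl"]) for e in events if e["id"] == 106100}
    return via_106023 - via_106100


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("denied hits by source:", denied_hits_by_source(evts))
    print("ACLs denying without log keyword:", sorted(acls_without_log_keyword(evts)))
```

The hit count matters when you compare the two message types: a single 106100 line can stand for every match in a whole logging interval (37 here), whereas 106023 is one line per packet, so counting lines instead of hits understates what an ACE with the log keyword is actually blocking.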


Web Tab

Use the Web page to define Web ACL objects. You can add and edit WebVPN ACLs and the ACL entries that each ACL contains. From this page, you can add, edit, and delete objects. You can also generate usage reports of policies that use the object. After a configuration is generated for the device, the access-list <name> webtype command is shown, which is used in global configuration mode.


Note The same pages and dialog boxes are used for adding and editing web-type ACL objects and their access control entries.


Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Web tab.


Note The Extended tab opens by default the first time the Access Control Lists page is accessed. Subsequent visits to the page display the last opened tab.


Related Topics

Understanding Access Control List Objects, page 9-20

Creating Access Control List Objects, page 9-24

Understanding the Policy Object Manager Window, page 9-4

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table F-23 Web Tab 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

Name

Identifies the name of the ACL object. The number of entries defined for the ACL is shown in brackets beside the ACL name.

You can click the arrow to expand or collapse the contents of the ACL object.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Destination

Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. For more information, see Understanding Network/Host Objects, page 9-104.

TCP Port

Identifies the port range or service port list to which you want to apply the filter (permit or deny user access). Multiple entries are separated by commas.

URLs

Identifies the URLs to which you want to apply the filter (permit or deny user access).

Options

Displays if logging is turned on.

Enabled = LOG

Disabled = blank

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. Maximum characters allowed is 1024.

New Object button

Enables you to create an object. See Creating Web Access Control List Objects, page 9-27.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit WebType Access List Dialog Boxes

Use the Add and Edit WebType Access List dialog boxes to add an ACL object or add or edit an ACE. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Web tab. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit WebType Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

Understanding Access Control List Objects, page 9-20

Creating Web Access Control List Objects, page 9-27

Field Reference

Table F-24 Add and Edit Web Type Access List Dialog Boxes 

Element
Description

Name*

Identifies the name of the ACL object. A maximum of 55 characters is allowed.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

Name

Identifies the name of the access control entry.

Permit

Shows whether rules permit or deny traffic based on the conditions set.

Permit—Shown as a green checkmark.

Deny—Shown as a red circle with slash.

Destination

Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of a network object

* For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

For more information, see Understanding Network/Host Objects, page 9-104.

TCP Port

Shows the TCP port list if the filter destination is a network filter.

URLs

Shows the URL if the filter destination is a URL filter.

Options

Displays if logging is turned on.

Enabled = LOG

Disabled = blank

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

New Object button

Enables you to create an object. See Creating Web Access Control List Objects, page 9-27.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit Web Access Control Entry Dialog Boxes

Use the Add and Edit Web Access Control Entry dialog boxes to add an ACL object, or add or edit an ACE.

Navigation Path

Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Click the Web tab. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit WebType Access List page appears based on your selection. Right-click inside the table, then select Add Row, or right-click a row, then select Edit Row.

Related Topics

Understanding Access Control List Objects, page 9-20

Creating Web Access Control List Objects, page 9-27

Field Reference

Table F-25 Add and Edit Web Access Control Entry Dialog Boxes 

Element
Description

Type

Access Control Entry—Identifies the entry added as an ACE.

ACL Object(s)—Identifies the entry added as an ACL object.

Note The dialog box values will vary according to your selection.

Action

Enables you to select whether to permit or deny traffic based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Filter Destination

Network Filter—When selected, enables you to define the destination and ports.

Destination*—Identifies the destination network/host object names or addresses of hosts or networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

a.b.c.d/e where e = subnet in x.x.x.x format*

Freeform text that is the name of the network/host object.

Note * For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 9-106.

Enter the addresses in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Ports—(Optional) Identifies the TCP port range or service port list to which the filter applies.

URL Filter—When selected, enables you to define the URL filter.

URL Filter*—Applies the filter to the specified URL.

Logging

No Log

Default—Default settings on the device

Emergency—(0) System is unstable

Alert—(1) Immediate action is needed

Critical—(2) Critical conditions

Error—(3) Error conditions

Warning—(4) Warning conditions

Notification—(5) Normal but significant condition

Informational—(6) Informational messages only

Debugging—(7) Debugging messages

Logging Interval

Defines the interval of time, in seconds, used to generate logging messages. Values are 1-600 seconds. Default is 300. You must select a logging level from the list for the logging interval value to be recognized.

If you select Default as the logging level, the default logging interval value (300) is used.

Time Range

Restricts the ACE to specific times of day and days of the week. The time range is evaluated against the system clock of the firewall device or security appliance, so synchronize that clock with NTP for the range to be reliable. See Understanding Time Range Objects, page 9-155.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which you can make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Enables you to enter a description to help you identify a rule. A maximum of 1024 characters is allowed.

OK button

Saves your changes to the server and closes the dialog box.


ASA User Groups Page

Use the ASA User Groups page to view, create, edit, copy, and delete ASA user group objects. ASA User groups are used in Easy VPNs, remote access VPNs, and SSL VPNs.

ASA user groups define a set of user-oriented attributes and values for VPN connections (Easy VPN, IPsec remote access, and SSL VPN) that are stored either internally (locally) on the device or externally on an AAA server.

Navigation Path

Select Tools > Policy Object Manager, then select ASA User Groups from the Object Type selector.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating Group Policies (ASA), page 11-31

Understanding the Policy Object Manager Window, page 9-4

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

Object Usage Window

Field Reference

Table F-26 ASA User Groups Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the ASA user group object. Names can be sorted in ascending or descending order.

Type

The type of ASA user group depending on its configuration:

Internal—The ASA user group is configured locally on the device.

External—The ASA user group is configured on an external server.

Tunneling Protocol

The protocols used after a tunnel is established.

AAA Server Group

The AAA server group used for user authentication.

Category

The category that is assigned to the object, if defined. See Categories Page.

Description

Displays an icon if a description is defined for the object. A tooltip displays the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the ASA User Group Dialog Box. From here you can create an ASA user group object.

Edit Object button

Opens the ASA User Group Dialog Box. From here you can edit the selected ASA user group object.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected ASA user group objects from the table.

Note You cannot delete an object that is referenced by policies or other objects.


ASA User Group Dialog Box

Use the ASA User Group dialog box to create, copy, and edit an ASA user group object.

From this dialog box, you can configure the settings that will be applied to an ASA user group object in an Easy VPN topology or remote access VPN, or SSL VPN.


Note The dialog box opens to display the Technology settings.


Navigation Path

Go to the ASA User Groups Page, then do one of the following:

To create an ASA user group object, click New Object, or right-click inside the table, then select New Object.

To copy an ASA user group object, right-click the row that contains the object to copy, then select Create Duplicate.

To edit an ASA user group object, select the row that contains the object to edit, then click Edit Object, or right-click and select Edit Object.


Note You can also access this dialog box from the Remote Access VPN > Group Policies option.


Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

Policy Object Manager Window

ASA User Groups Page

Field Reference

Table F-27 ASA User Group Dialog Box > Technology Settings 

Element
Description

Name

The name of the object (up to 128 characters). The object name is displayed in the ASA User Groups page. Object names are not case sensitive. For more information, see Guidelines for Managing Objects, page 9-3.

When naming ASA User Group objects, note the following:

Prefix patterns allowed are: [a-z|A-Z|0-9|{_}|{-}]

Suffix patterns allowed are: [a-z|A-Z|0-9|{_}|{\-}\p{Space}\.\+]

Description

Additional information about the object (up to 1024 characters).

Settings pane

A list of settings that you can configure for an ASA user group object.

When you open the ASA user group dialog box, the Technology settings are displayed.

Note Settings (apart from Technology) are available for configuration only if you selected to store the ASA user group's attributes locally on the device (when configuring the Technology settings). When configuring on the local device, the list of settings available for configuration differ depending on whether you are configuring the ASA user group for an Easy VPN/remote access VPN, or SSL VPN, or both.

Technology settings

Group Policy Type

Unavailable if you are editing an ASA user group object.

If you are creating or copying an ASA user group object, select where the ASA user group's attributes and values are stored:

Internal—Internally (locally) on the device. This is the default.

External—Externally on an AAA server.

Note If you select to store the ASA user group's attributes on an external AAA server, you do not need to configure any of the Technology settings.

Technology

Unavailable if you are editing an ASA user group object.

If you are creating or copying an ASA user group object, and the ASA user group's attributes are stored on the device, select the type of VPN for which you are creating the ASA user group object:

Easy VPN/IPSec VPN

SSL VPN

Easy VPN/IPSec and SSL—the user group object can be shared between Easy VPN/IPsec VPN and SSL VPN. This is the default.

External Server Group

If the ASA user group's attributes are stored on an external AAA server, specify the AAA server group that will be used for authentication.

You can click Select to open the AAA Server Groups Selector from which you can make your selection.

Password

Available after you have specified the AAA server group that will be used for authentication.

Enter an alphanumeric keyword that will serve as the password to the AAA server. The keyword can be a maximum of 128 characters; spaces are not allowed.

Confirm

After you have entered the alphanumeric keyword that will serve as the password to the AAA server, enter the password again to confirm it.

OK button

Saves your changes to the server and closes the dialog box.


ASA User Group Dialog Box—Client Configuration Settings

Use the Client Configuration settings page to configure the Cisco client parameters for the ASA user group in an Easy VPN or remote access VPN.

Navigation Path

Open the ASA User Group Dialog Box, select the Easy VPN/Remote Access VPN (or Both) technology, then select Client Configuration under the Easy VPN/Remote Access VPN folder in the Settings pane.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-28 ASA User Group Dialog Box > Client Configuration Settings 

Element
Description

Store Password on Client System

When selected, enables users to store a password on their local system.

Note It is recommended that you enable password storage only on systems that you know to be in secure sites.

Enable IPsec over UDP

When selected, allows a Cisco VPN client or hardware client to encapsulate IPsec in UDP (IPsec through NAT) so that it can connect to a security appliance that is running NAT.

Note The Cisco VPN client must also be configured to use IPsec over UDP, which is configured by default on certain devices.

UDP Port

Specifies the UDP port used when IPsec over UDP is enabled. Values are 4001-49151.

In IPsec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic.

IPsec Backup Servers

Specify the backup servers configuration from these options:

Keep Client Configuration—The security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.

Clear Client Configuration—The client uses no backup servers. The security appliance pushes a null server list.

Use Specified Backup Servers—Enables you to configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured. When selected, you must specify the IPsec Backup Server addresses.

Servers List

Specifies the backup server IP addresses.

You can click Select to open the Network/Hosts Selector from which you can make your selection.


ASA User Group Dialog Box—Client Firewall Attributes

Use the Client Firewall Attributes settings to configure the firewall settings for VPN clients for the ASA user group in an Easy VPN or IPSec VPN.


Note Only VPN clients running Microsoft Windows can use these firewall settings.


Navigation Path

Open the ASA User Group Dialog Box, select the Easy VPN/Remote Access VPN (or Both) technology, then select Client Firewall Attributes under the Easy VPN/Remote Access VPN folder in the Settings pane.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-29 ASA User Group Dialog Box > Client Firewall Attributes Settings 

Element
Description

Firewall Mode

Specifies whether remote users connecting to the security appliance with the VPN client must run a client firewall. The options are:

No Firewall—No firewall exists. If you select this option, the remaining fields on the page are unavailable.

Firewall Required—(The default). A firewall exists and is required. All users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.

Note Make sure the group does not include any clients other than Windows VPN Clients. Any other clients in the group (including VPN 3002 Hardware Clients) are unable to connect.

Firewall Optional—A firewall exists and is optional. This is beneficial if you have remote users in this group who do not yet have firewall capacity. This option allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not. For example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall Type

Lists firewalls from several vendors, including Cisco.

Cisco Integrated Client Firewall

Cisco Security Agent—Specifies Cisco Intrusion Prevention Security Agent firewall type.

Custom Firewall—When selected, the fields in the Custom Firewall and Firewall Policy group boxes become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.

Network ICE BlackICE Defender

Sygate Personal Firewall

Sygate Personal Firewall Pro

Sygate Security Agent

Zone Labs Zone Alarm

Get Policy From Remote Firewall

Select this option when the client PC firewall application controls the firewall policy.

When selected, the security appliance checks to make sure that the firewall is running. It asks, "Are You There?" If there is no response, the security appliance tears down the tunnel.

Use Specified Policy

When selected, enables you to specify the actual VPN client firewall policy that must be applied by the specified client firewall type.

Inbound Traffic Policy

When selected, enables you to enter an ACL to specify the policy the client uses for inbound traffic.

You can click Select to open the Access Control Lists Selector from which you can make your selection.

Outbound Traffic Policy

When selected, enables you to enter an ACL to specify the policy the client uses for outbound traffic.

You can click Select to open the Access Control Lists Selector from which you can make your selection.

Custom Firewall

Vendor ID

Specifies the vendor of the custom firewall being configured for this ASA user group. Values are 1-32.

Product ID

Specifies the product or model name of the custom firewall being configured for this ASA user group.

Values are 1-32 or 255. Multiple ranges are allowed, for example, 4-12, 24-32. Use 255 for all supported products.

Description

Enables you to enter a description to help you identify the custom firewall.

Maximum characters allowed is 1024.
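As an added example (not text from this guide, and not the literal configuration that Security Manager generates), the ASA CLI, in ASA 8.0 syntax, that corresponds to the Client Configuration settings and the Client Firewall Attributes above. The group policy name, ACL names, backup server addresses, and UDP port are assumed placeholders:

```cisco
! Client firewall policy pushed to the Cisco Integrated Client (CPP).
! The inbound ACL is what the client host may accept while the tunnel is up;
! the outbound ACL is what it may originate. Here only a management host
! may reach the client, and the client may originate anything.
access-list CLIENT-IN extended permit tcp host 10.1.1.30 any eq 3389
access-list CLIENT-IN extended deny ip any any
access-list CLIENT-OUT extended permit ip any any

group-policy RA-USERS internal
group-policy RA-USERS attributes
 ! Store Password on Client System deselected (see the note above).
 password-storage disable
 ! Enable IPsec over UDP for clients behind NAT; UDP Port must be 4001-49151.
 ipsec-udp enable
 ipsec-udp-port 10000
 ! Use Specified Backup Servers: this list replaces the client's own list.
 ! Keep Client Configuration would instead be: backup-servers keep-client-config
 backup-servers 198.51.100.5 198.51.100.6
 ! Firewall Optional during a rollout (clients without a firewall get a warning):
 ! client-firewall opt cisco-integrated acl-in CLIENT-IN acl-out CLIENT-OUT
 ! Firewall Required once every member of the group is a Windows VPN Client:
 client-firewall req cisco-integrated acl-in CLIENT-IN acl-out CLIENT-OUT
```

Because the `req` form drops any session that does not present the designated firewall, including VPN 3002 hardware clients, keep hardware clients in a separate group policy rather than mixing them into this one.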


ASA User Group Dialog Box—Hardware Client Attributes

Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the ASA user group in an Easy VPN or IPSec VPN.

Navigation Path

Open the ASA User Group Dialog Box, select the Easy VPN/IPsec Remote Access VPN (or Both) technology, then select Hardware Client Attributes under the Easy VPN/Remote Access VPN folder in the Settings pane.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-30 ASA User Group Dialog Box > Hardware Client Attributes 

Element
Description

Require Interactive Client Authentication

When selected, enables secure unit authentication, which provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. With secure unit authentication, the hardware client does not store a saved username and password.

Note Secure unit authentication requires that you have an authentication server group configured for the tunnel group the hardware clients use. If you require secure unit authentication on the primary security appliance, be sure to configure it on any backup servers as well.

Require Individual User Authentication

When selected, requires that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure.

When deselected, allows inheritance of a value for user authentication from another user group policy.

Enable Cisco IP Phone Bypass

When selected, allows IP phones behind hardware clients to connect without undergoing the user authentication process. Secure unit authentication remains in effect.

Enable LEAP Bypass

When selected, enables LEAP packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication.

Note Cisco Systems developed an 802.1X wireless authentication type called Cisco LEAP. LEAP (Lightweight Extensible Authentication Protocol) implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The password itself is never sent over the wireless medium; LEAP uses an MS-CHAP-style challenge/response. That exchange is known to be vulnerable to offline dictionary attack by anyone who captures it, so enable LEAP bypass only where wireless clients behind the hardware client need it, and only with strong passwords.

Allow Network Extension Mode

When selected, enables network extension mode for hardware clients.

Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Idle Timeout Mode

Specified Timeout

When selected, enables you to specify an idle timeout for individual users behind hardware clients. If there is no communication activity by a user behind a hardware client in the idle timeout period, the security appliance terminates the client's access.

Values are 1-35791394 minutes.

Unlimited Timeout

When selected, permits an unlimited idle timeout period.
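As an added example (not text from this guide, and not the literal configuration that Security Manager generates), the ASA CLI, in ASA 8.0 syntax, that corresponds to the Hardware Client Attributes above, together with the authentication server group that the note on secure unit authentication requires on the tunnel group. The group policy, tunnel group, AAA server name, address, and shared secret are assumed placeholders:

```cisco
! Secure unit authentication needs an authentication server group on the
! tunnel group the hardware clients use. Server address and secret are placeholders.
aaa-server HW-RADIUS protocol radius
aaa-server HW-RADIUS (inside) host 10.1.1.50
 key REPLACE-WITH-SHARED-SECRET

group-policy HW-CLIENTS internal
group-policy HW-CLIENTS attributes
 ! Require Interactive Client Authentication: the hardware client prompts for
 ! a username/password on every tunnel setup and stores neither.
 secure-unit-authentication enable
 ! Require Individual User Authentication for hosts behind the hardware client,
 ! with the Specified Timeout (in minutes) for idle users.
 user-authentication enable
 user-authentication-idle-timeout 30
 ! Enable Cisco IP Phone Bypass: phones skip per-user authentication only.
 ip-phone-bypass enable
 ! Enable LEAP Bypass left off unless wireless clients behind the unit need it.
 leap-bypass disable
 ! Allow Network Extension Mode.
 nem enable

tunnel-group HW-CLIENTS type remote-access
tunnel-group HW-CLIENTS general-attributes
 authentication-server-group HW-RADIUS
 default-group-policy HW-CLIENTS
```

If the same hardware clients can fail over to a backup security appliance, the same `secure-unit-authentication` and `authentication-server-group` settings must exist there too, or the backup will accept the unit without the interactive prompt.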


ASA User Group Dialog Box—IPsec Settings

Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA user group in an Easy VPN or IPSec VPN. This creates security associations that govern authentication, encryption, encapsulation, and key management.

Navigation Path

Open the ASA User Group Dialog Box, select the Easy VPN/Remote Access VPN (or Both) technology, then select IPsec under the Easy VPN/Remote Access VPN folder in the Settings pane.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-31 ASA User Group Dialog Box > IPsec Settings 

Element
Description

Enable Re-Authentication on IKE Re-Key

When selected, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs, providing additional security.

Note Reauthentication fails if no user is at the other end of the connection.

Enable IPsec Compression

When selected, enables data compression that speeds up data transmission rates for remote dial-in users connecting with modems.


Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, it is recommended that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Enable Perfect Forward Secrecy (PFS)

When selected, enables the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange.

In IPsec negotiations, PFS ensures that each new session key comes from a fresh Diffie-Hellman exchange rather than from earlier keying material, so compromise of one key does not expose traffic protected by earlier or later keys.

Tunnel Group Lock

Specifies whether to restrict remote users to access through the tunnel group only.

Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

Client Access Rules

Priority

Identifies the priority for this rule.

The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.

Action

Specifies whether this rule permits or denies access.

Client Type

Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version

Specifies the versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

Create button

Opens a dialog box in which you can create a client access rule. See ASA User Group Dialog Box—Client Access Rules Dialog Box.

Edit button

Opens a dialog box in which you can edit a selected client access rule. See ASA User Group Dialog Box—Client Access Rules Dialog Box.

Delete button

Enables you to delete selected client access rules from the table.
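As an added example (not text from this guide, and not the literal configuration that Security Manager generates), the ASA CLI, in ASA 8.0 syntax, that corresponds to the IPsec settings and the Client Access Rules above. The group policy and tunnel group names and the client version strings are assumed placeholders:

```cisco
group-policy RA-USERS attributes
 ! Enable Re-Authentication on IKE Re-Key; fails for unattended clients.
 re-xauth enable
 ! Enable IPsec Compression only in a policy reserved for modem users.
 ip-comp disable
 ! Enable Perfect Forward Secrecy: fresh DH exchange for every IPsec SA.
 pfs enable
 ! Tunnel Group Lock: reject users whose client-side group is not this tunnel group.
 group-lock value RA-TUNNEL
 ! Client Access Rules. The lowest priority integer that matches wins, so the
 ! narrow deny at priority 1 is evaluated before the broad permit at 10.
 client-access-rule 1 deny type "Cisco VPN Client" version 3.*
 client-access-rule 10 permit type "Cisco VPN Client" version 5.*
 client-access-rule 20 permit type VPN3002 version 4.*
```

Once any client access rule exists, a client that matches none of the rules is denied, so every client type and version you intend to admit needs a permit rule of its own; with no rules at all, every client is permitted.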


ASA User Group Dialog Box—Client Access Rules Dialog Box

In the Client Access Rules dialog box, you can create or edit the priority, action, VPN client type and VPN client version for a client access rule.

Navigation Path

Open the ASA User Group Dialog Box—IPsec Settings, then click Create, or select an item in the table and click Edit.

Related Topics

ASA User Groups Page

ASA User Group Dialog Box—IPsec Settings

Field Reference

Table F-32 ASA User Group Dialog Box > IPsec Settings > Client Access Rules Dialog Box 

Element
Description

Priority

Associates priority with a value.

The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it. Values are 1-65535.

Action

Specifies whether this rule permits or denies traffic access.

VPN Client Type

Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version

Specifies the version or versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.

OK button

Saves your changes and closes the dialog box.


ASA User Group Dialog Box—SSL VPN Clientless Settings

Clientless settings enable you to configure the Clientless mode of access to the corporate network in an SSL VPN, for the ASA user group object.

In clientless access mode, once a user is authenticated and a session is established, an SSL VPN portal page and toolbar are displayed in the user's web browser. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers.

Navigation Path

Open the ASA User Group Dialog Box, select the SSL VPN (or Easy VPN/IPSec and SSL) technology, then select Clientless under the SSL VPN folder in the Settings pane.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-33 ASA User Group Dialog Box > SSL VPN Clientless Settings 

Element
Description

Portal Page Websites

A list of websites that will be displayed on the portal page as a bookmark to enable users to access the resources available on the SSL VPN websites.

You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects. For information about the object selector dialog box that opens, see Object Selectors.

Allow Users to Enter Websites

When selected, enables the remote user to input the website URLs directly.

Enable File Server Browsing

When selected, enables the remote user read-only access to browse the shared files on the Common Internet File System (CIFS) file servers.

Enable File Server Entry

When selected, enables the remote user full-write access to modify the shared files on the Common Internet File System (CIFS) file servers.

Enable Hidden Shares

When selected, hidden CIFS shares are visible to the remote user; when deselected, they are not listed.

HTTP Proxy

Select one of the following options:

Enabled—When selected, enables user access to the external HTTP proxy server to which the security appliance forwards HTTP connections.

Disabled—When selected, disables user access to the external HTTP proxy server to which the security appliance forwards HTTP connections.

Auto Start—When selected, starts HTTP proxy automatically upon user login.

Filter ACL

Specifies the WebType access control list that will be used to restrict user access to the SSL VPN.

You can click Select to open the Access Control Lists Selector from which you can make your selection.

UNIX Authentication Group ID

Specifies the UNIX authentication group ID.

UNIX Authentication User ID

Specifies the UNIX authentication user ID.

Smart Tunnel

Specifies the name of the smart tunnel assigned to this ASA user group.

Auto Start Smart Tunnel

When selected, starts smart tunnel access automatically upon user login.

Port Forwarding List

Specifies the name of the port forwarding list assigned to this ASA user group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports.

Auto Start Port Forwarding

When selected, starts port forwarding automatically upon user login.

Port Forwarding Applet Name

Provides the application name or short description that displays on the end user Port Forwarding Java applet screen. Maximum 64 characters.


ASA User Group Dialog Box—SSL VPN Full Client Settings

Full Client settings enable you to configure the Full Client mode of access to the corporate network in an SSL VPN, for the ASA user group object.

Full Client mode enables access to the corporate network completely over an SSL VPN tunnel. In Full Client access mode, the tunnel connection is determined by the group policy configuration. The Full Client software, SSL VPN Client (SVC), is downloaded to the remote client, so that a tunnel connection is established when the remote user logs in to the SSL VPN gateway.

Navigation Path

Open the ASA User Group Dialog Box, select the SSL VPN (or Easy VPN/IPSec and SSL) technology, then select Full Client under the SSL VPN folder in the Settings pane.

Related Topics

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-34 ASA User Group Dialog Box > SSL VPN Full Client Settings 

Element
Description

Enable Full Client

When selected, enables Full Client mode.

Mode

Use Other Access Modes if AnyConnect Client Download Fails

For the Full Client access mode to work, the SSL VPN Client (SVC) software must be installed on the remote client system.

When selected, this option enables the remote client to use clientless or thin client access modes if the SVC download fails.

Full Client Only

When selected, enables only the Full Client access mode to be configured.

Keep AnyConnect Client on Client System

When selected, enables the Full Client software to remain on the client's PC after the client has logged out.

When deselected, clients must download the software each time they establish communication with the gateway.

Enable Compression

When selected, enables data compression that speeds up data transmission rates for remote users connecting with modems.

Enable Keepalive Messages

When selected, enables keepalive messages to be exchanged between peers to demonstrate that they are available to send and receive data in the tunnel.

Keepalive messages transmit at set intervals, and any disruption in that interval results in the creation of a new tunnel, using a backup device.

Then enter the time interval (in seconds) between keepalive packets sent by the remote client, in the Interval field.

Client Dead Peer Detection Timeout (sec)

The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user.

Note DPD is used to send keepalive messages between peer devices only when no incoming traffic is received and outbound traffic needs to be sent.

Gateway Dead Peer Detection Timeout (sec)

The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway.

Key Renegotiation Method

The method by which the tunnel key is refreshed for the remote user group client:

Disabled—Disables the tunnel key refresh.

Use Existing Tunnel—Renegotiates the SSL tunnel connection.

Create New Tunnel—Initiates a new tunnel connection.

Then enter the time interval (in minutes) between the tunnel refresh cycles, in the Interval field.

Enable Datagram Transport Layer Security

When selected, enables datagram transport layer security on an interface.

AnyConnect Module

Specifies an optional module that the Cisco AnyConnect VPN Client (CVC) requires for optional features.

AnyConnect MTU

Specifies the maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client.

AnyConnect Profile Name

Specifies a CVC profiles package downloaded to Cisco AnyConnect VPN Client (CVC) users.

Prompt User to Choose Client

When selected, the user chooses which client to use.

Enter the number of seconds the user has to make a selection in the Time User Has to Choose field.

Default Location

Specify one of the following locations as the default:

1. Web Portal

2. AnyConnect Client
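As an added example (not text from this guide, and not the literal configuration that Security Manager generates), the ASA CLI, in ASA 8.0 syntax, that corresponds to the SSL VPN Full Client settings above. The group policy and profile names and the timer values are assumed placeholders:

```cisco
group-policy RA-SSL internal
group-policy RA-SSL attributes
 webvpn
  ! Enable Full Client. "svc enable" allows fallback to clientless/thin client
  ! if the download fails; "svc required" is Full Client Only.
  svc enable
  ! Keep AnyConnect Client on Client System.
  svc keep-installer installed
  ! Enable Compression left off; reserve it for a modem-user policy.
  svc compression none
  ! Enable Keepalive Messages, Interval in seconds.
  svc keepalive 30
  ! Client and Gateway Dead Peer Detection Timeouts in seconds.
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  ! Key Renegotiation Method "Use Existing Tunnel", Interval in minutes.
  svc rekey method ssl
  svc rekey time 30
  ! Enable Datagram Transport Layer Security.
  svc dtls enable
  ! AnyConnect MTU.
  svc mtu 1406
  ! AnyConnect Profile Name (the profile must already exist on the appliance).
  svc profiles value RA-PROFILE
  ! Prompt User to Choose Client, Default Location AnyConnect Client,
  ! Time User Has to Choose 20 seconds.
  svc ask enable default svc timeout 20
```

The two DPD timers protect different ends: the client timer tears the tunnel down when the gateway stops answering, the gateway timer frees the session when the client goes silent, so a short gateway timer also limits how long an abandoned session keeps its address and filter state.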


ASA User Group Dialog Box—SSL VPN Settings

SSL VPN Settings enable you to configure attributes that are required for Clientless and Port Forwarding access modes to work, including auto signon rules for user access to servers. Auto Signon configures the security appliance to automatically pass SSL VPN user login credentials (username and password) on to internal servers. You can configure multiple auto signon rules. For more information, see Understanding Single Sign-On Server Objects, page 9-126.

Navigation Path

Open the ASA User Group Dialog Box, select the SSL VPN (or Easy VPN/IPSec and SSL) technology, then select Settings under the SSL VPN folder in the Settings pane.

Related Topics

Understanding Single Sign-On Server Objects, page 9-126

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

ASA User Group Dialog Box

Field Reference

Table F-35 ASA User Group Dialog Box > SSL VPN Settings 

Element
Description
Clientless/Port Forwarding Setting

Home Page

The URL of the SSL VPN home page on which the available websites appear as links.

Authentication Failure Message

The error message displayed on the login page if a user authentication failure occurs.

Minimum Keepalive Object Size (kilobytes)

Specifies the minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance.

Single Sign On Server

Specifies the Single Sign On (SSO) server that allows users to enter their username and password once, and be able to access a range of servers.

You can click Select to open a dialog box that lists all available SSO servers from which you can make your selection, or create an SSO server object. See Understanding Single Sign-On Server Objects, page 9-126.

Enable HTTP Compression

When selected, enables an HTTP compressed object to be cached on the security appliance.

Auto Signon Rules table

IP Address

The IP address of the SSO server that receives the login credentials.

Mask

The IP mask of the SSO server that receives the login credentials.

URL

The URL used to specify the SSO server that receives the login credentials.

Authentication Type

The authentication method used for SSO—HTTP Basic, NTLM, FTP, or all of these.

Up/Down buttons

Enable you to change the order of the Auto Signon rules.

Note The security appliance processes the rules according to the order in the table.

Add button

Opens a dialog box in which you can create an Auto Signon rule. See ASA User Group Dialog Box—Auto Signon Rules Dialog Box.

Edit button

Opens a dialog box in which you can edit the parameters of a selected Auto Signon rule. See ASA User Group Dialog Box—Auto Signon Rules Dialog Box.

Delete button

Removes selected Auto Signon rules from the table.

Portal Page Customization

Specifies the customization profile that defines the appearance of the portal page that allows the remote user access to all the resources available on the SSL VPN networks.

You can click Select to open a dialog box that lists all available SSL VPN customization objects, from which you can make your selection. See Understanding SSL VPN Customization Objects, page 9-134.

User Storage Location

Specifies the location where personalized user information is stored between clientless SSL VPN sessions.

Storage Key

Specifies the storage key used to protect data stored between sessions.

Post Max Size

Specifies the maximum size allowed for a posted object. The range is 0 through 2147483647.

Upload Max Size

Specifies the maximum size allowed for an uploaded object. The range is 0 through 2147483647.

Download Max Size

Specifies the maximum size allowed for a downloaded object. The range is 0 through 2147483647.


ASA User Group Dialog Box—Auto Signon Rules Dialog Box

Use this dialog box to configure the Auto Signon rules that the security appliance uses to pass SSL VPN user login credentials on to an internal server. You can configure multiple Auto Signon rules—the security appliance processes them according to the input order.

Navigation Path

Open the ASA User Group Dialog Box—SSL VPN Settings, then click Create, or select an item in the table and click Edit.

Related Topics

ASA User Group Dialog Box

ASA User Group Dialog Box—SSL VPN Settings

Understanding Single Sign-On Server Objects, page 9-126

Field Reference

Table F-36 ASA User Group Dialog Box > Settings > Auto Signon Rules Dialog Box 

Element
Description

Allow IP

When selected, enables you to specify the IP address and IP mask of the SSO server that receives the login credentials, in the fields provided.

Allow URL

When selected, enables you to specify the URL of the SSO server that receives the login credentials, in the field provided.

Authentication Type

Select the required SSO authentication method.

Options are Basic, NTLM (NT LAN Manager) authentication, FTP, or all of these methods.

OK button

Saves your changes and closes the dialog box.
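As an added example (not text from this guide, and not the literal configuration that Security Manager generates), the ASA CLI, in ASA 8.0 syntax, that corresponds to the SSL VPN Clientless settings, the SSL VPN Settings, and the Auto Signon Rules above. The group policy, ACL, list, SSO server and customization names, hostnames, and addresses are assumed placeholders:

```cisco
! Filter ACL for the clientless portal: a WebType ACL that admits only the
! intranet site and one file server, then denies everything else.
access-list PORTAL-ACL webtype permit url https://intranet.example.com/*
access-list PORTAL-ACL webtype permit url cifs://files.example.com/*
access-list PORTAL-ACL webtype deny url any

group-policy RA-SSL attributes
 webvpn
  ! Portal Page Websites, with Allow Users to Enter Websites deselected.
  url-list value PORTAL-LINKS
  url-entry disable
  ! File Server Browsing on, File Server Entry (write) off, hidden shares hidden.
  file-browsing enable
  file-entry disable
  hidden-shares none
  ! HTTP Proxy disabled.
  http-proxy disable
  filter value PORTAL-ACL
  ! Smart Tunnel with Auto Start; Port Forwarding List and applet name.
  smart-tunnel auto-start CORP-APPS
  port-forward enable TCP-APPS
  port-forward-name value "Corporate applications"
  ! SSL VPN Settings: Home Page, Authentication Failure Message, SSO server,
  ! HTTP compression, portal customization, keepalive object size, post limits.
  homepage value https://intranet.example.com/
  deny-message value "Login failed. Contact the service desk."
  sso-server value CORP-SSO
  http-comp gzip
  customization value CORP-PORTAL
  keep-alive-ignore 4
  post-max-size 2097152
  upload-max-size 10485760
  download-max-size 10485760
  ! Auto Signon Rules, processed in order: the specific URL rule first,
  ! then an NTLM rule scoped to one subnet.
  auto-signon allow uri https://intranet.example.com/* auth-type basic
  auto-signon allow ip 10.1.2.0 255.255.255.0 auth-type ntlm
```

Each `auto-signon` rule hands the user's SSL VPN password to whatever server matches it, so keep the URL and address scopes as narrow as possible; an `allow ip` rule covering a broad range forwards the credential to any host in that range that asks for it, and the Basic method sends it in a form the receiving server can read directly.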


ASA User Group Dialog Box—DNS/WINS Settings

Configuring the DNS/WINS settings for your ASA user group enables you to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA user group.


Note The DNS/WINS settings you configure for an ASA user group apply in Easy VPN, remote access VPN and SSL VPN configurations.


Navigation Path

Open the ASA User Group Dialog Box, select the On Device group policy source, then select DNS/WINS in the Settings pane.

Related Topics

ASA User Group Dialog Box

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

Field Reference

Table F-37 ASA User Group Dialog Box > DNS/WINS Settings 

Element
Description

Primary DNS Server

The IP address of the primary DNS server you want to configure on the ASA user group.

You can click Select to open the Network/Hosts Selector from which you can make your selection.

Secondary DNS Server

The IP address of the secondary DNS server you want to configure on the ASA user group.

You can click Select to open the Network/Hosts Selector from which you can make your selection.

Primary WINS Server

The IP address of the primary WINS server you want to configure on the ASA user group.

You can click Select to open the Network/Hosts Selector from which you can make your selection.

Secondary WINS Server

The IP address of the secondary WINS server you want to configure on the ASA user group.

You can click Select to open the Network/Hosts Selector from which you can make your selection.

DHCP Network Scope

The scope of the DHCP network to be configured on the ASA user group.

You can click Select to open the Network/Hosts Selector from which you can make your selection.

Default Domain

Specifies the default domain name for the ASA user group.

A blank field = none.


ASA User Group Dialog Box—Split Tunneling

Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to a specific list of networks.

Configuring split tunneling for your ASA user group enables you to specify a secure tunnel to the central site and, at the same time, clear text connections to the Internet or the local LAN. Because a split-tunneling client remains reachable from its local network while the tunnel is up, pair this setting with a client firewall policy and a filter ACL rather than relying on the tunnel alone.


Note The split tunneling settings you configure for an ASA user group apply in Easy VPN, remote access VPN, and SSL VPN configurations.


Navigation Path

Open the ASA User Group Dialog Box, select the On Device group policy source, then select Split Tunneling in the Settings pane.

Related Topics

ASA User Group Dialog Box

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

Field Reference

Table F-38 ASA User Group Dialog Box > Split Tunneling 

Element
Description

DNS Names

A list of domain names that must be tunneled or resolved to the private network. All other names will be resolved via the public DNS server.

Entries in the list of domains are separated by a single space. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.).

Tunnel Option

Specifies the traffic that will be secured or transmitted unencrypted across the public network:

Disabled—(Default) When selected, specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks.

Tunnel Specified Traffic—When selected, tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.

Exclude Specified Traffic—When selected, enables you to specify a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

Networks

A list of networks/hosts to which traffic is transmitted secured or unencrypted, depending on the selected Tunnel Option.

Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host).

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet).

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range).

Freeform text that is the name of the network/host object.

You can click Select to open the Networks/Hosts Selector from which you can make your selection(s).


ASA User Group Dialog Box—Connection Settings

An Easy VPN, remote access VPN, or SSL VPN session is disconnected if the client is connected longer than the session timeout, or if it is idle longer than the idle timeout.

Use this page to configure the connection settings for the ASA user group, including the banner text.

Navigation Path

Open the ASA User Group Dialog Box, select the Internal group policy type, then select Connection Settings in the Settings pane.

Related Topics

ASA User Group Dialog Box

Understanding ASA User Group Objects, page 9-36

Creating ASA User Group Objects, page 9-37

Field Reference

Table F-39 ASA User Group Dialog Box > Connection Settings 

Element
Description

Filter ACL

Specifies the Access Control List (ACL) that will be used to restrict the traffic the user can send or receive across the VPN session.

You can click Select to open the Access Control Lists Selector from which you can make your selection.

Banner Text

The banner, for example, a welcome message that is displayed on remote clients when they connect. Banner text can be a maximum of 500 characters.

Connection Settings

Access hours

Enables you to enter a time range value that allows VPN access based on specific times of the day and weekly access.

The time range relies on the system clock of the security appliance; therefore, the feature works best with NTP synchronization.

Note Time range is not supported on FWSM or PIX 6.3 devices.

You can click Select to open the Time Ranges Selector from which you can make your selection. See Understanding Time Range Objects, page 9-155.

Max Simultaneous Logins

Specifies the number of simultaneous logins allowed for any user.

Values are 0-2147483647. A zero (0) value disables login and prevents user access. A user group policy can inherit this value from another user group policy.

Note While there is no maximum limit to the number of simultaneous logins, allowing several could compromise security and affect performance.

Max Connect Time

Enables you to specify the amount of time that the security appliance should allow for a connection. Options are:

Specified Connection time—When selected, enables you to specify the connection timeout period. Values are 1-35791394 minutes.

Unlimited Connection time—When selected, permits an unlimited session timeout period.

Idle Timeout (min)

Enables you to specify the amount of time without communication activity after which the security appliance terminates a connection. Options are:

Specified Timeout—When selected, enables you to specify the idle timeout period. Values are 1-35791394 minutes.

Unlimited Timeout—When selected, permits an unlimited idle timeout period.
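The interaction of the three connection settings (a zero login count disables the group, the two Unlimited options switch a timeout off, and a session is dropped only when it exceeds a limit) is easy to misread in a table. The following is an added example, not Security Manager or ASA code: it models the settings with the value ranges given above and decides whether a login is admitted and whether an established session must be torn down. The strict "longer than" comparison follows the sentence at the top of this section; names and the minute-based inputs are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Value limits from the Connection Settings field reference.
MAX_LOGINS_LIMIT = 2147483647
MAX_MINUTES = 35791394


@dataclass(frozen=True)
class ConnectionSettings:
    max_simultaneous_logins: int          # 0 disables login for the group
    max_connect_time_min: Optional[int]   # None = Unlimited Connection time
    idle_timeout_min: Optional[int]       # None = Unlimited Timeout

    def validate(self) -> None:
        """Enforce the ranges the dialog accepts."""
        if not 0 <= self.max_simultaneous_logins <= MAX_LOGINS_LIMIT:
            raise ValueError(f"Max Simultaneous Logins must be 0-{MAX_LOGINS_LIMIT}")
        for label, value in (("Max Connect Time", self.max_connect_time_min),
                             ("Idle Timeout", self.idle_timeout_min)):
            if value is not None and not 1 <= value <= MAX_MINUTES:
                raise ValueError(f"{label} must be 1-{MAX_MINUTES} minutes or unlimited")


def is_valid(settings: ConnectionSettings) -> bool:
    try:
        settings.validate()
        return True
    except ValueError:
        return False


def admit_login(settings: ConnectionSettings, active_sessions_for_user: int) -> Tuple[bool, str]:
    """Decide whether one more login for a user may be admitted."""
    settings.validate()
    if settings.max_simultaneous_logins == 0:
        return False, "login disabled (Max Simultaneous Logins is 0)"
    if active_sessions_for_user >= settings.max_simultaneous_logins:
        return False, "simultaneous login limit reached"
    return True, "admitted"


def session_disconnect_reason(settings: ConnectionSettings,
                              connected_min: int, idle_min: int) -> Optional[str]:
    """Return why an established session must be dropped, or None if it may stay up.
    A session is disconnected when it has been connected longer than the session
    timeout or idle longer than the idle timeout; an unlimited timeout never fires."""
    settings.validate()
    if settings.max_connect_time_min is not None and connected_min > settings.max_connect_time_min:
        return "session timeout"
    if settings.idle_timeout_min is not None and idle_min > settings.idle_timeout_min:
        return "idle timeout"
    return None


if __name__ == "__main__":
    # Constructed group settings: 3 logins, 8-hour sessions, 30-minute idle limit.
    group = ConnectionSettings(max_simultaneous_logins=3, max_connect_time_min=480, idle_timeout_min=30)
    for connected, idle in ((60, 5), (480, 31), (481, 0)):
        print(connected, idle, session_disconnect_reason(group, connected, idle))
    print(admit_login(group, 3))
```

An idle limit with no session limit (Unlimited Connection time) still bounds the damage of an unattended client, whereas a session limit alone lets an idle-but-connected tunnel persist for the whole connect time; checking both settings together, as the function does, is the point of the example.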


Categories Page

Use the Categories page to view or edit category objects. Category objects help you categorize and readily identify rules and other objects.

Navigation Path

Open the Policy Object Manager Window, then select Categories from the Object Type selector.

Related Topics

Understanding Category Objects, page 9-39

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

"Policy Object Manager User Interface Reference"

Object Usage Window

Field Reference

Table F-40 Categories Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the object.

Display

The category that is assigned to the object.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

Edit Object button

Opens the Category Editor Dialog Box. From here you can edit the selected category.


Category Editor Dialog Box

Use the Category Editor dialog box to edit a category object. You can edit the name of the object as well as its description.

Navigation Path

Go to the Categories Page in the Policy Object Manager Window, then click Edit Object beneath the table.

Related Topics

Editing Category Objects, page 9-40

Understanding Category Objects, page 9-39

Policy Object Manager Window

Field Reference

Table F-41 Category Editor Dialog Box 

Element
Description

Label

The color associated with the category.

Name

The object name (up to 128 characters).

Description

Additional information about the object (up to 1024 characters).

OK button

Saves your changes to the server and closes the dialog box.


Credentials Page

Use the Credentials page to view, create, edit, copy, and delete Credential objects.

Credential objects are used in Easy VPN configuration during IKE Extended Authentication (Xauth).

Navigation Path

Open the Policy Object Manager Window, then select Credentials from the Object Type selector.

Related Topics

Understanding Credential Objects, page 9-40

Configuring Client Connection Characteristics for Easy VPN, page 10-81

Policy Object Overrides Window

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

"Policy Object Manager User Interface Reference"

Object Usage Window

Field Reference

Table F-42 Credentials Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the Credentials object.

Username

The name that identifies the user during Xauth authentication.

Category

The category that is assigned to the object. See Categories Page.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 9-164.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the Credentials Dialog Box. From here you can create a Credentials object.

Edit Object button

Opens the Credentials Dialog Box. From here you can edit the selected Credentials object.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected Credentials objects from the table.

Note You cannot delete an object that is referenced by policies or other objects.


Credentials Dialog Box

Use the Credentials dialog box to create, copy and edit Credential objects.

Navigation Path

Go to the Credentials Page in the Policy Object Manager Window, then click New Object or Edit Object beneath the table.

Related Topics

Credentials Page

Understanding Credential Objects, page 9-40

Creating Credential Objects, page 9-41

Policy Object Manager Window

Configuring Client Connection Characteristics for Easy VPN, page 10-81

Field Reference

Table F-43 Credentials Dialog Box 

Element
Description

Name

The Credentials object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-3.

Description

Additional information about the Credentials object (up to 1024 characters).

Username

Enter a name that will be used to identify the user during Xauth authentication.

Password

Enter an alphanumeric keyword that will serve as the password to identify the user during Xauth authentication (maximum of 128 characters; spaces are not allowed).

Confirm

Enter the password again to confirm it.

Category

The category assigned to the Credentials object. Categories help you organize and identify rules and objects. See Categories Page.

Allow Value Override per Device

Allows you to configure different Xauth credentials on the remote client.

When selected, the global Credentials object definition defined here can be overridden at the device level. See Allowing a Global Object to Be Overridden, page 9-164.

When deselected, does not allow the global object definition to be overridden.

Tip When editing a Credentials object that can be overridden, click the Edit button to display the Policy Object Overrides Window. From here you can create, edit, and view device-level overrides.

OK button

Saves your changes to the server and closes the dialog box.


File Objects Page

Use the File Objects page to view, create, edit, or delete file objects. For more information, see Understanding File Objects, page 9-42.

Navigation Path

Select Tools > Policy Object Manager, then select File Objects from the Object Type selector.

Related Topics

Understanding File Objects, page 9-42

Creating File Objects, page 9-43

Policy Object Overrides Window

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

"Policy Object Manager User Interface Reference"

Object Usage Window

Field Reference

Table F-44 File Objects Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the file object. Names can be sorted in ascending or descending order.

Type

The type of configuration file.

Category

Provides an intermediate level of detail to objects and helps you identify rules and objects by use of color coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Description

Displays an icon if a description is defined for the object. A tooltip displays the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Enables you to create an object. See Creating File Objects, page 9-43.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected file objects from the table.

Note You cannot delete an object that is referenced by policies or other objects.


Add and Edit File Object Dialog Boxes

Use the Add and Edit File Object dialog boxes to create, copy, and edit file objects.

Navigation Path

Select Tools > Policy Object Manager, then select File Objects from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding File Objects, page 9-42

Creating File Objects, page 9-43

Field Reference

Table F-45 Add and Edit File Object Dialog Boxes 

Element
Description

Name

The file object name (up to 128 characters). Object names are not case-sensitive. Names can be sorted in ascending or descending order. For more information, see Guidelines for Managing Objects, page 9-3.

Description

A description of the file object, if required.

You can use uppercase and lowercase characters and most alphanumeric or symbol characters. The value can be up to 1024 characters.

File

File Type

Identifies the file type:

Image

Cisco Secure Desktop Package

Plug-In

AnyConnect Profile

AnyConnect Image

File*

Allows you to enter the file selection manually, or click Browse to help you make your selection.

File Name on Device

Identifies the file name on the device. By default the same filename is deployed to the device. It is possible, however, to specify a different filename to be deployed.

During file discovery from devices when files from different devices are discovered into Security Manager, filenames might need to be modified to keep them unique within Security Manager. If renaming occurs, the file-name-on-device field is set automatically, by way of Security Manager's discovery process, to its original filename on the device.

Category

Provides an intermediate level of detail to objects and helps you identify rules and objects by use of color coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

OK button

Saves your changes to the server and closes the dialog box.


IKE Proposals Page

Use the IKE Proposals page to view, create, edit, or delete IKE proposal objects. IKE proposal objects contain the parameters required for IKE proposals when defining remote access and site-to-site VPN policies.

Navigation Path

Open the Policy Object Manager Window, then select IKE Proposals from the Object Type selector.

Related Topics

Configuring an IKE Proposal, page 10-48

IKE Proposal Page, page G-28

Understanding IKE Proposal Objects, page 9-45

Policy Object Manager Window

Policy Object Manager Window—Shortcut Menu

"Policy Object Manager User Interface Reference"

Object Usage Window

Field Reference

Table F-46 IKE Proposals Page 

Column
Description

Filter

Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

The name of the object.

Priority

The priority value of the IKE proposal.

Hash

The hash algorithm used in the IKE proposal for authentication.

Encryption

The encryption algorithm used in the IKE proposal.

DH Group

The Diffie-Hellman modulus group used in the IKE proposal.

Lifetime

The lifetime of the security association (SA) defined by this IKE proposal.

Authentication

The authentication method used in the IKE proposal.

Category

The category that is assigned to the object. See Categories Page.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Opens the IKE Proposal Dialog Box. From here you can create an IKE proposal object.

Edit Object button

Opens the IKE Proposal Dialog Box. From here you can edit the selected IKE proposal object.

Note You cannot edit predefined objects.

Delete Object button

Deletes the selected IKE proposals from the table.

Note You cannot delete an object that is referenced by policies or other objects.


IKE Proposal Dialog Box

Use the IKE Proposal dialog box to create, copy, and edit an IKE proposal object.

Navigation Path

Go to the IKE Proposals Page in the Policy Object Manager Window, then click New Object or Edit Object beneath the table.


Note You can also access this dialog box by selecting a device, selecting Remote Access VPN > IPSec VPN > IKE Proposal, and clicking the Add or Edit button.


Related Topics

Creating IKE Proposal Objects, page 9-45

Understanding IKE Proposal Objects, page 9-45

Policy Object Manager Window

IPsec Transform Set Dialog Box

Field Reference

Table F-47 IKE Proposal Dialog Box 

Element
Description

Name

The object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-3.

Description

Additional information about the object (up to 1024 characters).

Priority

The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common SA.

Valid values range from 1 to 10000. The lower the number, the higher the priority.

Note If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.

Encryption Algorithm

The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations:

AES-128—Encrypts according to the Advanced Encryption Standard using 128-bit keys.

AES-192—Encrypts according to the Advanced Encryption Standard using 192-bit keys.

AES-256—Encrypts according to the Advanced Encryption Standard using 256-bit keys.

DES—Encrypts according to the Data Encryption Standard using 56-bit keys.

3DES—Encrypts three times using 56-bit keys. 3DES is more secure than DES, but requires more processing for encryption and decryption. A 3DES license is required to use this option.

Hash Algorithm

The hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Options are:

SHA (Secure Hash Algorithm)—Produces a 160-bit digest. SHA is more resistant to brute-force attacks than MD5.

MD5 (Message Digest 5)—Produces a 128-bit digest. MD5 uses less processing time than SHA.

Modulus Group

The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers:

1—Diffie-Hellman Group 1 (768-bit modulus).

2—Diffie-Hellman Group 2 (1024-bit modulus).

5—Diffie-Hellman Group 5 (1536-bit modulus).

7—Diffie-Hellman Group 7 (163-bit elliptical curve field size).

Note A larger modulus provides higher security but requires more processing time. The two peers must have a matching modulus group.

Lifetime

The lifetime of the SA, in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers.

As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be.

Authentication Method

The method of authentication to use between the two peers:

Preshared Key—Preshared keys allow for a secret key to be shared between two peers and used by IKE during the authentication phase. If one of the participating peers is not configured with the same preshared key, the IKE SA cannot be established.

Certificate—An authentication method in which RSA key pairs are used to sign and encrypt IKE key management messages. This method provides non-repudiation of communication between two peers, meaning that it can be proved that the communication actually took place. When you use this authentication method, the peers are configured to obtain digital certificates from a Certification Authority (CA).

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Categories Page.

OK button

Saves your changes to the server and closes the dialog box.
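The Priority, Lifetime and Authentication Method descriptions above together define how two peers settle on a Phase 1 SA. The following is an added example, not Security Manager or IOS/ASA code: it validates a proposal against the option sets listed in this table, implements the stated rule for a blank Priority field (lowest unassigned value starting with 1, then 5, then increments of 5), and models the negotiation by walking both peers' proposals in priority order until encryption, hash, DH group and authentication method all agree. Two details are assumptions of this example rather than statements from the page: the responder's list is walked in the outer loop, and the agreed lifetime is taken as the shorter of the two peers' values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Option sets and limits from the IKE Proposal dialog field reference.
ENCRYPTION = {"AES-128", "AES-192", "AES-256", "DES", "3DES"}
HASHES = {"SHA", "MD5"}
DH_GROUPS = {1, 2, 5, 7}
AUTH_METHODS = {"Preshared Key", "Certificate"}
PRIORITY_MIN, PRIORITY_MAX = 1, 10000


@dataclass(frozen=True)
class IkeProposal:
    name: str
    priority: int          # 1-10000; the lower the number, the higher the priority
    encryption: str
    hash_alg: str
    dh_group: int
    lifetime_sec: int
    authentication: str

    def validate(self) -> None:
        if not PRIORITY_MIN <= self.priority <= PRIORITY_MAX:
            raise ValueError(f"{self.name}: priority must be {PRIORITY_MIN}-{PRIORITY_MAX}")
        if self.encryption not in ENCRYPTION:
            raise ValueError(f"{self.name}: unknown encryption {self.encryption!r}")
        if self.hash_alg not in HASHES:
            raise ValueError(f"{self.name}: unknown hash {self.hash_alg!r}")
        if self.dh_group not in DH_GROUPS:
            raise ValueError(f"{self.name}: unknown DH group {self.dh_group}")
        if self.authentication not in AUTH_METHODS:
            raise ValueError(f"{self.name}: unknown authentication {self.authentication!r}")
        if self.lifetime_sec <= 0:
            raise ValueError(f"{self.name}: lifetime must be positive")

    def parameters(self) -> Tuple[str, str, int, str]:
        """The attributes that must agree before two peers share a Phase 1 SA."""
        return (self.encryption, self.hash_alg, self.dh_group, self.authentication)


def next_free_priority(assigned: Iterable[int]) -> int:
    """Security Manager's rule for a blank Priority field: the lowest unassigned
    value starting with 1, then 5, then continuing in increments of 5."""
    taken = set(assigned)
    candidate = 1
    while candidate in taken:
        candidate = 5 if candidate == 1 else candidate + 5
        if candidate > PRIORITY_MAX:
            raise ValueError("no free priority value left")
    return candidate


def negotiate(initiator: List[IkeProposal],
              responder: List[IkeProposal]) -> Optional[Tuple[IkeProposal, IkeProposal, int]]:
    """Return (initiator proposal, responder proposal, agreed lifetime) for the first
    match found in priority order, or None when the peers share no proposal."""
    for p in initiator + responder:
        p.validate()
    for theirs in sorted(responder, key=lambda p: p.priority):
        for mine in sorted(initiator, key=lambda p: p.priority):
            if mine.parameters() == theirs.parameters():
                # Assumption of this example: the shorter lifetime wins.
                return mine, theirs, min(mine.lifetime_sec, theirs.lifetime_sec)
    return None


if __name__ == "__main__":
    # Constructed proposal lists for two peers; names and values are illustrative.
    hq = [IkeProposal("hq-strong", 1, "AES-256", "SHA", 5, 86400, "Certificate"),
          IkeProposal("hq-compat", 5, "3DES", "SHA", 2, 86400, "Preshared Key")]
    branch = [IkeProposal("branch-1", 1, "AES-128", "SHA", 2, 28800, "Preshared Key"),
              IkeProposal("branch-2", 10, "3DES", "SHA", 2, 28800, "Preshared Key")]
    print(negotiate(hq, branch))
    print(next_free_priority(p.priority for p in hq))
```

In the constructed run the peers fall back to the 3DES/group 2/preshared-key pair even though both sides list a stronger AES proposal first, because those AES proposals do not agree on key size or DH group; reviewing which proposal actually wins, rather than which one is listed first, is the check worth automating.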


DNS Class Maps Page

Use the DNS Class Maps page to define DNS class maps for DNS inspection. From this page, you can add, edit, and delete objects, and edit policy override settings. You can also generate usage reports of policies that use the object.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector.

Related Topics

Understanding Inspection Map Objects, page 9-46

Managing Existing Objects, page 9-6

Guidelines for Managing Objects, page 9-3

Understanding the Policy Object Manager Window, page 9-4

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 9-170

Field Reference

Table F-48 DNS Class Maps Page 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

Shows the name of the DNS class map. Names can be sorted in ascending or descending order.

Criterion

Shows the criterion of the DNS class map.

Type

Shows the match type, which can be a positive or negative match.

Value

Shows the value to match in the DNS class map.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 9-164.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.

Tip Double-click the icon to display the text of the description in a popup window.

Add Object button

Enables you to create an object. See Creating DNS Class Map Objects, page 9-48.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit DNS Class Maps Dialog Boxes

Use the Add and Edit DNS Traffic Class Map dialog boxes to define a DNS class map.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-49 Add and Edit DNS Class Maps Dialog Boxes 

Element
Description

Name*

Enables you to enter the name of the DNS class map. A maximum of 40 characters is allowed.

Description

Enables you to enter the description of the DNS class map. A maximum of 200 characters is allowed.

Match All Table

Criterion

Shows the criterion of DNS traffic to match.

Type

Shows the match type, which can be a positive or negative match.

Value

Shows the value to match in the DNS class map.

New Object button

Enables you to create an object. See Creating DNS Class Map Objects, page 9-48.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Allow Value Override per Device

Allows you to configure a different DNS class map definition on individual devices.

When selected, the global object definition defined here can be overridden at the device level. See Allowing a Global Object to Be Overridden, page 9-164.

When deselected, does not allow the global object definition to be overridden.

Tip When editing an object that can be overridden, click the Edit button to display the Policy Object Overrides Window. From here you can create, edit, and view device-level overrides.

Overrides: None

Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 9-164.

Note Selecting Allow Value Override per Device does not automatically set overrides.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit Match Criterion Dialog Boxes

Use the Add and Edit Match Criterion dialog boxes to define the match criterion and value for the DNS class map.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select Add Row or right-click a row, then select Edit Row.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-50 Add and Edit Match Criterion Dialog Boxes 

Element
Description

Criterion

Specifies which criterion of DNS traffic to match:

DNS Class—Matches a DNS query or resource record class. For a description of the GUI elements, see Table F-51.

DNS Type—Matches a DNS query or resource record type. For a description of the GUI elements, see Table F-52.

Domain Name—Match a domain name from a DNS query or resource record. For a description of the GUI elements, see Table F-53.

Header Flag—Match a DNS flag in the header. Header Flag criterion values specify the value details for the DNS header flag match. For a description of the GUI elements, see Table F-54.

Question—Match a DNS question. For a description of the GUI elements, see Table F-55.

Resource Record—Match a DNS resource record. For a description of the GUI elements, see Table F-56.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Value

DNS Class Field Name—Internet.

DNS Class Field Value—Enables you to enter an arbitrary value to match between 0 and 65535.

DNS Class Field Range—Enables you to enter a range of values to match between 0 and 65535.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class

Select DNS Class to match a DNS query or resource record class.


Note The table includes default map settings that cannot be edited or deleted.


Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit DNS Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. The Add or Edit Match Criterion dialog box appears based on your selection. Select DNS Class as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-51 Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Class 

Element
Description

Criterion

Shows DNS Class as the selected criterion.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Value

DNS Class Field Name—Internet.

DNS Class Field Value—Enables you to enter an arbitrary value between 0 and 65535 to match.

DNS Class Field Range—Enables you to enter a range of values to match; both values must be between 0 and 65535.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type

Select DNS Type to match a DNS query or resource record type.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit DNS Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select DNS Type as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-52 Add and Edit DNS Class Map > Add and Edit Match Criterion > DNS Type 

Element
Description

Criterion

Shows DNS Type as the selected criterion.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Value

DNS Type Field Name—Lists the DNS types to select.

A—IPv4 address

AXFR—Full (zone) transfer

CNAME—Canonical name

IXFR—Incremental (zone) transfer

NS—Authoritative name server

SOA—Start of a zone of authority

TSIG—Transaction signature

DNS Type Field Value—Lets you enter an arbitrary value between 0 and 65535 to match.

DNS Type Field Range—Lets you enter a range of values to match between 0 and 65535.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name

Select Domain Name to match on the DNS domain name.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit DNS Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Domain Name as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-53 Add and Edit DNS Class Map > Add and Edit Match Criterion > Domain Name 

Element
Description

Criterion

Shows Domain Name as the selected criterion.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Value

Regular Expression—Lists the defined regular expressions to match. You can configure Regular Expressions for use in pattern matching. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

Regular expressions that start with "default—" are default regular expressions and cannot be modified or deleted.

Regular Expression Group—Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag

Select Header Flag to specify the value details for the DNS header flag match.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit DNS Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Header Flag as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-54 Add and Edit DNS Class Map > Add and Edit Match Criterion > Header Flag 

Element
Description

Criterion

Shows Header Flag as the selected criterion.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Options

Equals—Specifies an exact match.

Contains—Specifies to match all bits (bit mask match).

Value

Header Flag Name—Lets you select one or more header flag names to match.

AA (authoritative answer)

QR (query)

RA (recursion available)

RD (recursion denied)

TC (truncation) flag bits

Header Flag Value (0x)—Lets you enter an arbitrary 16-bit value in hex to match.

OK button

Saves your changes to the server and closes the dialog box.
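Tables F-51 through F-54 each describe one match criterion (DNS Class, DNS Type, Domain Name, Header Flag) together with the Matches/Doesn't Match inversion and, for header flags, the Equals versus Contains option. The following is an added example, not Security Manager or ASA inspection code: it builds a constructed single-question DNS message, extracts the header flags word and the question's name, type and class, and evaluates criterion rows of those four kinds the way the dialogs describe them. The numeric codes for the listed DNS types and the flag bit positions are the RFC-assigned values; the row dictionary layout, the reading of Equals as a comparison of the whole 16-bit flags word, and the Match All semantics of the class map function are assumptions of this example.

```python
import re
import struct
from typing import Dict, List

# Codes for the DNS types listed in the DNS Type criterion (RFC 1035/1995/2845).
DNS_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TSIG": 250, "IXFR": 251, "AXFR": 252}
DNS_CLASSES = {"Internet": 1}
# Header flag bits by position in the 16-bit flags word (RFC 1035 section 4.1.1).
HEADER_FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}


def flag_mask(*names: str) -> int:
    """Combine header flag names into the mask the Header Flag criterion compares."""
    mask = 0
    for name in names:
        mask |= HEADER_FLAGS[name]
    return mask


def build_query(qname: str, qtype: int, qclass: int = 1, flags: int = 0x0100, ident: int = 0x1234) -> bytes:
    """Build a single-question DNS message (constructed sample input, not a capture)."""
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_dns(packet: bytes) -> Dict[str, object]:
    """Extract the flags word and the first question (name, type, class)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated question name")
        length = packet[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0:  # compression pointers never appear in a well-formed first question
            raise ValueError("compression pointer in question name")
        labels.append(packet[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if off + 4 > len(packet):
        raise ValueError("truncated question fields")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"flags": flags, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def _field_matches(actual: int, row: dict) -> bool:
    """Field Value (exact) or Field Range (inclusive) match, as in the Class/Type dialogs."""
    if "value" in row:
        return actual == row["value"]
    lo, hi = row["range"]
    return lo <= actual <= hi


def criterion_matches(msg: dict, row: dict) -> bool:
    """Evaluate one match criterion row against a parsed message.
    row["criterion"]: "DNS Class" | "DNS Type" | "Domain Name" | "Header Flag"
    row["type"]: "Matches" or "Doesn't Match" (inverts the result)."""
    kind = row["criterion"]
    if kind == "DNS Class":
        hit = _field_matches(msg["qclass"], row)
    elif kind == "DNS Type":
        hit = _field_matches(msg["qtype"], row)
    elif kind == "Domain Name":
        hit = re.search(row["regex"], msg["qname"]) is not None
    elif kind == "Header Flag":
        mask = row["flags"]
        if row["option"] == "Equals":   # exact match of the flags word (assumption)
            hit = msg["flags"] == mask
        else:                           # "Contains": every bit in the mask is set
            hit = msg["flags"] & mask == mask
    else:
        raise ValueError(f"unknown criterion {kind!r}")
    return hit if row["type"] == "Matches" else not hit


def class_map_matches(packet: bytes, rows: List[dict]) -> bool:
    """A Match All class map matches only when every criterion row matches."""
    msg = parse_dns(packet)
    return all(criterion_matches(msg, row) for row in rows)


if __name__ == "__main__":
    # Constructed zone-transfer request with RD set; flags a class map for AXFR/IXFR.
    pkt = build_query("example.com", DNS_TYPES["AXFR"])
    rows = [{"criterion": "DNS Type", "type": "Matches", "range": (250, 252)},
            {"criterion": "DNS Class", "type": "Matches", "value": DNS_CLASSES["Internet"]},
            {"criterion": "Header Flag", "type": "Matches", "option": "Contains", "flags": flag_mask("RD")}]
    print(parse_dns(pkt), class_map_matches(pkt, rows))
```

The constructed run shows the practical use of a type range: a single row covering 250-252 catches TSIG, IXFR and AXFR together, which is how a class map can single out zone-transfer attempts crossing the firewall for a log or drop action in the inspect map.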


Add and Edit DNS Class Map > Add and Edit Match Criterion > Question

Select Question to match a DNS question section.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit DNS Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Question as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-55 Add and Edit DNS Class Map > Add and Edit Match Criterion > Question 

Element
Description

Criterion

Shows Question as the selected criterion.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record

Select Resource Record to match a DNS resource record.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > DNS Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit DNS Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Resource Record as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating DNS Class Map Objects, page 9-48

Field Reference

Table F-56 Add and Edit DNS Class Map > Add and Edit Match Criterion > Resource Record 

Element
Description

Criterion

Shows Resource Record as the selected criterion.

Type

Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Resource Record

Lists the sections to match:

Additional—DNS additional resource record

Answer—DNS answer resource record

Authority—DNS authority resource record

OK button

Saves your changes to the server and closes the dialog box.


FTP Class Maps Page

Use the FTP Class Maps page to define FTP class maps for FTP inspection. From this page, you can add, edit, and delete objects, and edit policy override settings. You can also generate usage reports of policies that use the object.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > FTP Class Maps from the Object Type selector.

Related Topics

Understanding Inspection Map Objects, page 9-46

Managing Existing Objects, page 9-6

Guidelines for Managing Objects, page 9-3

Understanding the Policy Object Manager Window, page 9-4

How Policy Objects are Provisioned as PIX/ASA Object Groups, page 9-170

Field Reference

Table F-57 FTP Class Maps Page 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

[Icon]

The icon that represents the object type. Predefined objects cannot be modified.

Name

Shows the name of the FTP class map. Names can be shown in ascending or descending order.

Criterion

Shows the criterion of the FTP class map.

Type

Shows the match type, which can be a positive or negative match.

Value

Shows the value to match in the FTP class map.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Overridable

Indicates whether the global object definition can be overridden by object values defined at device level. See Allowing a Global Object to Be Overridden, page 9-164.

Description

Displays an icon if a description is defined for the object. Point at the icon to display a tooltip with the text of the description. Descriptions help you identify a policy.

Tip Double-click the icon to display the text of the description in a popup window.

New Object button

Enables you to create an object. See Creating FTP Class Map Objects, page 9-49.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.


Add and Edit FTP Class Map Dialog Boxes

Use the Add and Edit FTP Class Map dialog boxes to define an FTP class map.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > FTP Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating FTP Class Map Objects, page 9-49

Field Reference

Table F-58 Add and Edit FTP Class Map Dialog Boxes 

Element
Description

Name*

Identifies the name of the FTP class map. A maximum of 40 characters is allowed.

Description

Enables you to add a description for the class map. A maximum of 200 characters is allowed.

Match All Table

Criterion

Shows the criterion of the FTP traffic to match.

Type

Shows the match type, which can be a positive or negative match.

Value

Shows the value to match in the FTP class map.

New Object button

Enables you to create an object. See Creating FTP Class Map Objects, page 9-49.

Edit Object button

Enables you to edit the selected object. See Editing Objects, page 9-6.

Delete Object button

Enables you to delete a selected object. If the object is used in a rule or nested within another object, you are prompted to modify or delete the reference before the deletion can occur. See Deleting Objects, page 9-7.

Note An object used in a rule or within another object cannot be deleted.

Category

Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding. See Understanding Category Objects, page 9-39.

Note No commands are generated for the category attribute.

Allow Value Override per Device

Allows you to configure different Xauth credentials on the remote client.

When selected, the global Credentials List object definition defined here is changed at the device level. See Allowing a Global Object to Be Overridden, page 9-164.

When deselected, does not allow the global object definition to be overridden.

Tip When editing a Credentials object that can be overridden, click the Edit button to display the Policy Object Overrides Window. From here you can create, edit, and view device-level overrides.

Overrides: None

Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 9-164.

Note Selecting Allow Value Override per Device does not automatically set overrides.

OK button

Saves your changes to the server and closes the page.


Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes

Use the Add and Edit FTP Match Criterion dialog boxes to define the match criterion and value for the FTP class map.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > FTP Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit FTP Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row.


Note The Add Match Criterion dialog boxes open with Request Command criterion displayed by default.


Related Topics

Understanding Inspection Map Objects, page 9-46

Creating FTP Class Map Objects, page 9-49

Field Reference

Table F-59 Add and Edit FTP Class Map > Add and Edit Match Criterion Dialog Boxes 

Element
Description

Criterion

Specifies which criterion of FTP traffic to match:

Request Command—Matches an FTP request command. For a description of the GUI elements, see Table F-60.

Filename—Matches a filename for FTP transfer. For a description of the GUI elements, see Table F-61.

File Type—Matches a file type for FTP transfer. For a description of the GUI elements, see Table F-62.

Server—Matches an FTP server. For a description of the GUI elements, see Table F-63.

Username—Matches an FTP user. For a description of the GUI elements, see Table F-64.

Type

Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Request Commands

Specifies which request commands to match. For a description of the GUI elements, see Table F-60.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit FTP Class Map > Add and Edit Match Criterion > Request Command

Select Request Command to base the match on one or more FTP request commands.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > FTP Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit FTP Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row.


Note The Add Match Criterion dialog boxes open with Request Command criterion displayed by default.


Related Topics

Understanding Inspection Map Objects, page 9-46

Creating FTP Class Map Objects, page 9-49

Field Reference

Table F-60 Add and Edit Match Criterion > Request Command 

Element
Description

Criterion

Shows Request Command as the selected criterion.

Type

Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Request Commands

Append (APPE)—Appends to a file.

Delete (DELE)—Deletes a file at the server site.

Help (HELP)—Provides help information from the server.

Put (PUT)—FTP client command for the STOR (store a file) command.

Rename From (RNFR)—Specifies the rename-from filename.

Server Specific Command (SITE)—Specifies commands that are server specific. Usually used for remote administration.

Change to Parent (CDUP)—Changes to the parent directory of the current working directory.

Get (GET)—FTP client command for the RETR (retrieve a file) command.

Create Directory (MKD)—Creates a directory.

Remove Directory (RMD)—Removes a directory.

Rename To (RNTO)—Specifies the rename-to filename.

Store File with Unique Name (STOU)—Stores a file with a unique filename.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit FTP Class Map > Add and Edit Match Criterion > Filename

Select Filename to base the match on the filename of the FTP transfer.

Navigation Path

Select Tools > Policy Object Manager, then select Inspect Maps > Class Maps > FTP Class Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object. The Add or Edit FTP Class Map dialog box appears based on your selection. Right-click inside the table, then select Add Row or right-click a row, then select Edit Row. Select Filename as your criterion.

Related Topics

Understanding Inspection Map Objects, page 9-46

Creating FTP Class Map Objects, page 9-49

Field Reference

Table F-61 Add and Edit Match Criterion > Filename 

Element
Description

Criterion

Shows Filename as the selected criterion.

Type

Specifies whether the class map includes traffic that matches or that does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Value

Regular Expression—Lists the defined regular expressions to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

You can configure Regular Expressions for use in pattern matching. Regular expressions that start with "default—" are default regular expressions and cannot be modified or deleted.

Regular Expression Group—Lists the defined regular expression classes to match. Enter the information in the field provided or click Select, which opens a list of available regular expressions from which to make your selection.

OK button

Saves your changes to the server and closes the dialog box.


Add and Edit FTP Class Map > Add and Edit Match Criterion > File Type