Table Of Contents
Policy User Interface Reference
Policy Menu General Reference
Share Policy Dialog Box
Assign Shared Policy Dialog Box
Local Policy Will Be Replaced Dialog Box
Copy Policies Wizard
Copy Policies Wizard—Copy Policies from this Device Page
Copy Policies Wizard—Select Policies to Copy Page
Copy Policies Wizard—Copy Policies to these Devices Page
Share Policies Wizard
Share Policies Wizard—Share Policies from this Device Page
Share Policies Wizard—Select Policies to Share Page
Shared Policy Assignments Dialog Box
Save Policy As Dialog Box
Rename Policy Dialog Box
Inherit Rules Dialog Box
Discover Policies On Device Dialog Box
Discovery Status Dialog Box
Policy Discovery Status Page
Policy View General Reference
Policy View—Shared Policy Selector Options
Policy View—Assignments Tab
Create a Policy Dialog Box
Policy User Interface Reference
These topics describe the pages that are accessed from the Policy menu and within the Policy view, or that relate to general policy management. The Policy view is used to globally manage all the shared policies configured with Cisco Security Manager:
• Policy Menu General Reference
• Policy Discovery Status Page
• Policy View General Reference
Policy Menu General Reference
Use the commands on the Policy menu to manage local and shared policies. The commands in the Policy menu use the dialog boxes and wizards described in the following topics:
• Share Policy Dialog Box
• Assign Shared Policy Dialog Box
• Copy Policies Wizard
• Share Policies Wizard
• Shared Policy Assignments Dialog Box
• Save Policy As Dialog Box
• Rename Policy Dialog Box
• Inherit Rules Dialog Box
• Discover Policies On Device Dialog Box
• Discovery Status Dialog Box
Share Policy Dialog Box
Use the Share Policy dialog box to convert a local policy to a shared policy that you can assign to multiple devices or VPNs. For more information, see Sharing a Local Policy, page 7-25.
Navigation Path
In Device view, select a policy from the Device Policies selector, then do one of the following:
• Select Policy > Share Policy.
• Right-click the policy and select Share Policy.
• Click the local device link in the Assigned To field in the policy banner, then click Share Policy in the message dialog box that is opened.
Related Topics
• Assigning a Shared Policy to a Selected Device, page 7-28
• Sharing Multiple Policies of a Selected Device, page 7-26
• Inheriting Rules, page 7-30
• Using the Policy Banner, page 7-24
Field Reference
Table D-1 Share Policy Dialog Box
Element | Description
Policy Name | The name that identifies the shared policy. Unlike local policies, shared policies require a name so that they can be identified when you assign the policy to devices or VPN topologies. Names can contain up to 255 characters, including spaces and special characters.
OK button | Saves your changes locally on the client and closes the dialog box.
Assign Shared Policy Dialog Box
Use the Assign Shared Policy dialog box to assign an existing shared policy to a selected device. Select the desired policy and click OK. For more information, see Assigning a Shared Policy to a Selected Device, page 7-28.
Tip
If you assign a shared policy to a device, it replaces the existing local policy. If you are assigning a rule-based policy, a warning message is displayed that gives you the option to inherit the rules of the shared policy instead of replacing the local policy through assignment. For more information on inheriting rules, see Inheritance vs. Assignment, page 7-6.
Navigation Path
In Device view, select a policy from the Device Policies selector, then do one of the following:
• Select Policy > Assign Shared Policy.
• Right-click the policy in the Device Policies selector, then select Assign Shared Policy.
• Click the local device link in the Policy Assigned field in the policy banner.
Related Topics
• Inheriting Rules, page 7-30
• Using the Policy Banner, page 7-24
Local Policy Will Be Replaced Dialog Box
When you assign a rule-based policy, such as access rules or AAA rules, to a device, you are given the option to inherit the rules of the shared policy rather than completely replacing the local policy. Use the Local Policy Will Be Replaced dialog box to make your selection. For more information on the difference between inheritance and assignment, see Inheritance vs. Assignment, page 7-6.
Your options are:
• Assign Policy—Assign the shared policy to replace the existing local policy. If you choose to assign, all local rules are removed and they cannot be retrieved.
• Inherit From Policy—Inherit the rules of the shared policy. If you choose to inherit, the inherited rules are added to the local rules that are already defined in the device's local policy. Use inheritance instead of assignment when the device needs to maintain the set of local rules already defined for it.
Tip
You can select Do not show this again to save your selection and have it applied to all future times that you assign rule-based policies. Otherwise, you are prompted each time you assign policies, so that you can make different selections based on the circumstances. If you select this option, you can turn it off by resetting it on the Customize Desktop administration settings page (see Customize Desktop Page, page A-5).
Navigation Path
The Local Policy Will Be Replaced dialog box is displayed automatically when you click OK in the Assign Shared Policy dialog box (see Assign Shared Policy Dialog Box).
Copy Policies Wizard
Use the Copy Policies wizard to copy selected policies (both local and shared) to one or more devices that support the selected policies. For example, you can use the Copy Policies wizard to copy a set of firewall service policies and routing policies from one firewall device to fifty other devices with a single operation.
For more information, see Copying Policies Between Devices, page 7-21.
The pages of the Copy Policies wizard are described in the following topics:
• Copy Policies Wizard—Copy Policies from this Device Page
• Copy Policies Wizard—Select Policies to Copy Page
• Copy Policies Wizard—Copy Policies to these Devices Page
Navigation Path
To start the Copy Policies wizard, in Device view, select a device from the Device selector, then do one of the following:
• Select Policy > Copy Policies Between Devices. The Copy Policies wizard starts at step 1 (see Copy Policies Wizard—Copy Policies from this Device Page).
• Right-click the device in the Device selector, then select Copy Policies Between Devices. The Copy Policies wizard starts at step 2 (see Copy Policies Wizard—Select Policies to Copy Page).
Related Topics
• Share Policies Wizard
Copy Policies Wizard—Copy Policies from this Device Page
Use the Copy Policies from this Device page of the Copy Policies wizard to select the device whose policies will be copied to other devices.
If you start the Copy Policies wizard by right-clicking a specific device, the device you right-clicked is automatically selected as the source device and the wizard starts on the Copy Policies Wizard—Select Policies to Copy Page. You can return to the Copy Policies from this Device page by clicking Back.
Navigation Path
For information on starting the Copy Policies wizard, see Copy Policies Wizard.
Related Topics
• Copy Policies Wizard
• Copying Policies Between Devices, page 7-21
Field Reference
Table D-2 Copy Policies Wizard—Copy Policies from this Device Page
Element | Description
Filter | Selects a filter to apply to the device selector, or enables you to create a new filter. By default, the active filter in Device view is applied to the filter displayed in the wizard. For more information, see Filtering Items in Selectors, page 3-14.
Note: If you create a filter while working inside the wizard, it is added to the list of filters available in Device view. The active filter in Device view, however, does not change.
Device selector | Selects the device containing the policies to be copied.
Next button | Advances to the next wizard page. Security Manager evaluates the device and generates a list of the copyable policies defined on the device.
Copy Policies Wizard—Select Policies to Copy Page
Use the Select Policies to Copy page of the Copy Policies wizard to select which policies to copy from the source device to the target devices.
Navigation Path
For information on starting the Copy Policies wizard, see Copy Policies Wizard.
Related Topics
• Copy Policies Wizard
• Copying Policies Between Devices, page 7-21
• Policy Status Icons, page 7-19
Field Reference
Table D-3 Copy Policies Wizard—Select Policies to Copy Page
Element | Description
Policy selector | Selects the policies to copy from the source device to the target devices. Selecting the check box for a policy group selects all of the policies in that group. The selector only includes policies that can be copied; it does not list all policies on the device.
Consider the following when selecting policies:
• When you copy policies between firewall devices (PIX, ASA, FWSM), copying the failover policy automatically copies the interface policy and vice-versa.
• It is usually not a good idea to copy interface policies, because these policies can have specific IP addresses.
• If you select the security contexts policy (for FWSM, PIX Firewall, or ASA devices), you must submit your changes after copying the devices for the contexts to appear in the device selector. In non-Workflow mode, select File > Submit. In Workflow mode, submit your activity.
Copy the Global Values of Policy Objects
Copy the Overridden Values of Policy Objects | These copy options affect how policies that use policy objects are handled, and they are not mutually exclusive. You can select any combination, and your selection has a significant effect on how the selected policies are copied. These are the possible combinations and their meanings:
• Select neither option—If a selected policy uses a policy object, and an equivalent policy on the target device uses the same policy object, the policy object's value defined on the target device is preserved. If the target device does not use the policy object, it is copied to the target using the policy object's global value (any overrides on the source device are ignored).
• Select Copy the Global Values of Policy Objects, but deselect Copy the Overridden Values of Policy Objects—If the source device includes policies that use policy objects, only policies that use global values for the policy objects are copied. If the target device has an equivalent policy that uses local values for the policy object, the local values are replaced by the policy object's global values.
• Deselect Copy the Global Values of Policy Objects, but select Copy the Overridden Values of Policy Objects—If the source device includes policies that use policy objects, only policies that override the policy object's global values are copied. The target devices get the source device's override value for the policy object.
• Select both options—The target device will receive the exact same policy object values that exist on the source device.
Back button | Returns to the previous wizard page.
Next button | Advances to the next wizard page. Security Manager evaluates the policies to determine which devices can support all selected policies.
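The four combinations of Copy the Global Values of Policy Objects and Copy the Overridden Values of Policy Objects in Table D-3, modeled as a decision function so that a reviewer can see which targets would lose a local object value before running the wizard. This is an added example, not Cisco code: every name in it is hypothetical, the addresses are constructed sample values, and it assumes that a policy filtered out by the options leaves the target unchanged.

```python
"""Added illustration: Table D-3 copy-option combinations as a decision function.

Not Cisco code. All names are hypothetical; addresses are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Target:
    uses_object: bool               # target's equivalent policy uses the same policy object
    override: Optional[str] = None  # target's local (overridden) value, if it has one


@dataclass(frozen=True)
class Outcome:
    copied: bool          # whether the policy is copied to this target
    value: Optional[str]  # object value in effect on the target afterwards
    override_lost: bool   # True when a local value on the target is replaced


def copy_outcome(global_value: str, source_override: Optional[str], target: Target,
                 copy_global: bool, copy_overridden: bool) -> Outcome:
    """Apply one option combination to one policy object on one target device."""
    before = None
    if target.uses_object:
        before = target.override if target.override is not None else global_value

    if not copy_global and not copy_overridden:
        # Neither option: a target that already uses the object keeps its own
        # value; otherwise it gets the global value (source overrides ignored).
        return Outcome(True, before if target.uses_object else global_value, False)

    source_is_overridden = source_override is not None
    selected = copy_overridden if source_is_overridden else copy_global
    if not selected:
        # The policy is filtered out by the chosen options.
        # Assumption of this model: the target is left as it was.
        return Outcome(False, before, False)

    # Copied: the target ends up with the value the source actually uses.
    after = source_override if source_is_overridden else global_value
    lost = target.override is not None and target.override != after
    return Outcome(True, after, lost)


def overrides_at_risk(global_value: str, source_override: Optional[str],
                      targets: Dict[str, Target],
                      copy_global: bool, copy_overridden: bool) -> List[str]:
    """Names of targets whose local object value would be replaced by the copy."""
    return sorted(
        name for name, target in targets.items()
        if copy_outcome(global_value, source_override, target,
                        copy_global, copy_overridden).override_lost
    )


# Constructed sample inventory: one network object, three target firewalls.
GLOBAL_VALUE = "10.0.0.0/8"
SOURCE_OVERRIDE = "10.1.0.0/16"
TARGETS = {
    "fw2": Target(uses_object=True, override="10.2.0.0/16"),
    "fw3": Target(uses_object=True),
    "fw4": Target(uses_object=False),
}

if __name__ == "__main__":
    for copy_global in (False, True):
        for copy_overridden in (False, True):
            print(f"global={copy_global} overridden={copy_overridden}")
            for name, target in TARGETS.items():
                result = copy_outcome(GLOBAL_VALUE, SOURCE_OVERRIDE, target,
                                      copy_global, copy_overridden)
                print(f"  {name}: {result}")
            print("  at risk:", overrides_at_risk(GLOBAL_VALUE, SOURCE_OVERRIDE, TARGETS,
                                                  copy_global, copy_overridden))
```

The Preview button on the last wizard page remains the authoritative summary of the overrides that will be created, updated, or deleted.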
Copy Policies Wizard—Copy Policies to these Devices Page
Use the Copy Policies to these Devices page of the Copy Policies wizard to select the devices to which policies from the source device will be copied.
Navigation Path
For information on starting the Copy Policies wizard, see Copy Policies Wizard.
Related Topics
• Copy Policies Wizard
• Copying Policies Between Devices, page 7-21
Field Reference
Table D-4 Copy Configuration Wizard—Copy Policies to these Devices Page
Element | Description
Filter | Selects a filter to apply to the device selector, or enables you to create a new filter. By default, the active filter in Device view is applied to the filter displayed in the wizard. For more information, see Filtering Items in Selectors, page 3-14.
Note: If you create a filter while working inside the wizard, it is added to the list of filters available in Device view. The active filter in Device view, however, does not change.
Device selector | Selects the devices to which policies from the source device should be copied. Selecting the check box for a device group selects all of the devices in that group.
The device selector displays only those devices that support all of the policies you selected to copy. If you do not see all of the devices to which you want to copy policies, you can return to the policy selection page and deselect the more restrictive policies, and use the wizard a second time to copy the restrictive policies to the subset of devices that support them.
The device list is empty if no other device in the inventory can support all selected policies.
Preview button | Click this button to view a summary of the policies that will be copied. The summary shows the selected devices, the policies that will be copied to them, and any overrides that will be created, updated, or deleted due to the copied policies.
Back button | Returns to the previous wizard page.
Finish button | Starts the copy operation.
Security Manager ensures that the policies are successfully copied to every selected target device. If the copy fails for any target device, the Copy Policy Failed dialog box opens explaining the failures. In that case, Security Manager also removes the copied policies from any device to which the copy was successful.
Share Policies Wizard
Use the Share Policies wizard to take the policies configured on a particular device and make them shared policies that you can assign to other devices. For more information, see Sharing Multiple Policies of a Selected Device, page 7-26.
The pages of the Share Policies wizard are described in the following topics:
• Share Policies Wizard—Share Policies from this Device Page
• Share Policies Wizard—Select Policies to Share Page
Navigation Path
In Device view, select a device from the Device selector, then do one of the following:
• Select Policy > Share Device Policies.
• Right-click the device in the Device selector, then select Share Device Policies.
Related Topics
• Copy Policies Wizard
Share Policies Wizard—Share Policies from this Device Page
Use the Share Policies from this Device page of the Share Policies wizard to select the device whose policies you want to share.
When you access the Share Policies wizard by right-clicking a specific device, the device you right-clicked is automatically selected as the source device and you are brought directly to the Share Policies Wizard—Select Policies to Share Page. You can return to the Select Source Device page by clicking Back.
Navigation Path
For information on starting the Share Policies wizard, see Share Policies Wizard.
Related Topics
• Share Policies Wizard
• Sharing Multiple Policies of a Selected Device, page 7-26
Field Reference
Table D-5 Share Configuration Wizard—Share Policies from this Device Page
Element | Description
Filter | Selects a filter to apply to the device selector, or enables you to create a new filter. By default, the active filter in Device view is applied to the filter displayed in the wizard. For more information, see Filtering Items in Selectors, page 3-14.
Note: If you create a filter while working inside the wizard, it is added to the list of filters available in Device view. The active filter, however, does not change.
Device selector | Selects the device containing the policies to be shared.
Next button | Advances to the next wizard page. Security Manager evaluates the device's policies and does not select those that cannot be shared.
Share Policies Wizard—Select Policies to Share Page
Use the Select Policies to Share page of the Share Policies wizard to select which policies you want to share.
Navigation Path
For information on starting the Share Policies wizard, see Share Policies Wizard.
Related Topics
• Share Policies Wizard
• Sharing Multiple Policies of a Selected Device, page 7-26
Field Reference
Table D-6 Share Policies Wizard—Select Policies to Share Page
Element | Description
Policy selector | Selects the policies to share. Selecting the check box for a policy group selects all of the policies in that group. By default, all configured policies (local and shared) are selected.
Tip: If you select a policy that is already shared, Security Manager creates a copy of that policy using the name that you define in the wizard.
Save policies as | The name to give to the policies you are sharing. All policies are given the same name.
Shared Policy Assignments Dialog Box
Use the Shared Policy Assignments dialog box to modify the list of devices or VPN topologies to which you have assigned a selected shared policy. For more information, see Modifying Shared Policy Assignments in Device View, page 7-33.
You can also modify policy assignments from Policy view. See Modifying Policy Assignments in Policy View, page 7-38.
Navigation Path
In Device view, select a shared policy from the Device Policies selector, then do one of the following:
• Select Policy > Edit Policy Assignments.
• Right-click the policy in the Device Policies selector, then select Edit Policy Assignments.
• Click the n device link in the Assigned To field in the policy banner.
Related Topics
• Assigning a Shared Policy to a Selected Device, page 7-28
• Inheriting Rules, page 7-30
• Inheritance vs. Assignment, page 7-6
• Using the Policy Banner, page 7-24
Field Reference
Table D-7 Shared Policy Assignments Dialog Box
Element | Description
Available Devices/VPNs | Lists all devices or VPN topologies to which the policy is not assigned. To assign the selected policy to additional devices or VPNs, select one or more items from this list, then click >> to add them to the Assigned Devices list.
Assigned Devices/VPNs | Lists all devices or VPNs to which the selected policy has been assigned. The list of assigned policies does not include inherited policies. To remove items from this list, select the item, then click <<.
If you unassign a shared, mandatory policy from a VPN (for example, IKE), a default policy is configured automatically in its place. Unassigning a VPN policy that is not mandatory removes the policy completely from the VPN.
If you unassign a shared policy from a remote access VPN, an empty policy (that is, a policy instance with no values) is configured in its place, even if it is a mandatory policy, such as IKE. In such cases, you must configure a new policy in order to avoid validation errors during deployment.
If you unassign a shared policy from a device, an empty policy is assigned in its place, effectively removing that policy type from the device configuration.
OK button | Saves your changes locally on the client and closes the dialog box.
Save Policy As Dialog Box
Use the Save Policy As dialog box to duplicate an existing shared policy under a new name. For more information, see Copying a Shared Policy, page 7-31.
Tip
If you copy a policy in Device view, the new policy is assigned to the selected device. If you want to copy a policy without changing policy assignments, make the copy in Policy view.
Navigation Path
Select a shared policy in either Device view or Policy view, then do one of the following:
• Select Policy > Save Policy As.
• Right-click the shared policy, then select Save Policy As.
Field Reference
Table D-8 Save Policy As Dialog Box
Element | Description
Policy Name | The name that identifies the shared policy. Names can contain up to 255 characters, including spaces and special characters.
OK button | Saves your changes locally on the client and closes the dialog box.
Rename Policy Dialog Box
Use the Rename Policy dialog box to change the name of a selected shared policy. For more information, see Renaming a Shared Policy, page 7-32.
Navigation Path
Select a shared policy in either Device view or Policy view, then do one of the following:
• Select Policy > Rename Policy.
• Right-click the policy, then select Rename Policy.
Field Reference
Table D-9 Rename Policy Dialog Box
Element | Description
Policy Name | The new name to assign to the selected shared policy. Names can contain up to 255 characters, including spaces and special characters.
OK button | Saves your changes locally on the client and closes the dialog box.
Inherit Rules Dialog Box
Use the Inherit Rules dialog box to have a rule-based policy (such as access rules) inherit the rules of a shared policy of the same type. For more information, see Inheriting Rules, page 7-30.
Navigation Path
Select a shared rule-based policy in either Device view or Policy view, then do one of the following:
• Select Policy > Inherit Rules.
• Right-click the policy, then select Inherit Rules.
• Click the link in the Inherits From field in the policy banner.
Related Topics
• Inheritance vs. Assignment, page 7-6
• Assigning a Shared Policy to a Selected Device, page 7-28
• Using the Policy Banner, page 7-24
Field Reference
Table D-10 Inherit Rules Dialog Box
Element | Description
Policy selector | Selects the parent policy, that is, the policy whose rules should be inherited. Policies can inherit only from shared policies of the same type.
The name of the selected parent policy is displayed below the selector.
Tip: Select No Inheritance to remove an existing policy inheritance relationship.
OK button | Saves your changes locally on the client and closes the dialog box.
Discover Policies On Device Dialog Box
Use the Discover Policies On Device dialog box to have Security Manager discover the policies for a device that is already in the device inventory. You can also discover policies when you add the device to the inventory. For more information about adding devices, see Adding Devices to the Device Inventory, page 6-7.
Navigation Path
In Device view, select a device from the Device selector and do one of the following:
• Select Policy > Discover Policies on Device.
• Right-click the device in the Device selector and select Discover Policies on Device.
Related Topics
• Discovering Policies on Devices Already in Security Manager, page 7-14
• Discovering Policies, page 7-11
• Viewing Policy Discovery Task Status, page 7-15
• Selecting or Specifying a File or Directory on the Server File System, page 3-22
• Discovery Status Dialog Box
Field Reference
Table D-11 Discover Policies On Device Dialog Box
Element | Description
Discovery Task Name | The name assigned to the discovery task. Security Manager automatically generates a name for the task based on the current date and time, but you can modify this name as desired.
Discover From
Config. File | The source of policy information to be discovered:
• Live Device—Discover policies directly from the device.
• Config File—Discover policies from a configuration file. Specify the location of the file in the Config File field. Click Browse to select the file on the Security Manager server.
You can discover policies only from configuration files that were generated from the device (for example, with the show run command). For more information, see Adding Devices from Configuration Files, page 6-10.
• Factory Default Configuration—Performs discovery on a firewall device using a file containing the factory-default settings for that device. Security Manager automatically chooses the appropriate file for the selected device. For more information, see Default Firewall Configurations, page 15-1.
Discover Policies for Security Contexts | Whether to discover policies for each security context that is configured on a firewall device running in multiple-context mode. This field applies only to PIX, ASA, and FWSM devices.
When deselected, Security Manager treats the entire device as having a single set of policies configured in single-context mode.
For more information about security contexts, see Configuring Security Contexts on Firewall Devices, page 15-80.
Policies to Discover | The policy types to discover on the selected device:
• Inventory—Includes device information such as the hostname and domain name, interfaces, and security contexts (for firewall devices running in multiple-context mode). On Cisco IOS routers, this option also discovers all interface-related policies, such as DSL, PPP, and PVC policies.
• Platform Settings—Includes all platform-specific policies that can be configured on the selected device. For example, if you are performing policy discovery on a PIX firewall device, this option includes such policies as device administration policies, multicast policies, and routing policies.
• Firewall Services—Includes all firewall service policies. For more information, see Chapter 12, "Managing Firewall Services".
• RA VPN Policies—Includes all IPSec and SSL remote access VPN policies that are configured on the selected device. For more information, see Chapter 11, "Managing Remote Access VPNs".
• IPS—Includes all IPS policies that are configured on the selected device. For more information, see Chapter 17, "Managing IPS Devices" and Chapter 13, "Managing IPS Services".
Discovery Status Dialog Box
Use the Discovery Status dialog box to view detailed information about the current policy discovery task. The dialog box includes general information about the status of the task, as well as detailed information about any warnings or errors generated by the device being discovered.
The Discovery Status dialog box opens automatically when you initiate a discovery task on existing devices and when you add devices from the network, from a configuration file, or from an export file. For more information about initiating a discovery task, see Discover Policies On Device Dialog Box.
Related Topics
• Viewing Policy Discovery Task Status, page 7-15
• Discovering Policies, page 7-11
• Adding Devices from the Network, page 6-8
• Adding Devices from Configuration Files, page 6-10
• Adding Devices from an Export File, page 6-13
Field Reference
Table D-12 Discovery Status Dialog Box
Element | Description
Progress bar | Indicates what percentage of the discovery task on the current device has been completed.
Status | The current state of the discovery task.
Devices to be discovered | The total number of devices being discovered during this task. The number includes service modules, security contexts, and virtual sensors.
Devices discovered successfully | The number of devices discovered without errors.
Devices discovered with errors | The number of devices that generated errors during discovery.
Discovery Details table | The devices that are being discovered. Select a device to see the messages generated during the discovery of that device in the message list below the summary list. Besides the device name, information in the table includes:
• Severity—The overall severity level of the discovery task. For example, if the discovery task completed successfully, an Information icon is displayed. If the task failed, an Error icon is displayed.
• State—The current state of the policy discovery task for the selected device:
– Device Added—The device has been added to Security Manager, but policy discovery has not yet started.
– Discovery Started—Policy discovery has started.
– Reading and Parsing Device Config—The policy discovery task is interpreting the device configuration.
– Importing Objects—The policy discovery task is importing objects from the configuration.
– Importing Policies—The policy discovery task is importing policies from the configuration.
– Discovery Complete—Policy discovery has been completed successfully.
– Discovery Failed—Policy discovery failed due to errors.
• Discovered From—The source of policy information. For example, when discovering from a configuration file, this field displays the name and path of the file.
Messages list | The messages generated during the discovery for the selected device. Select a message to see detailed information in the fields to the right of the list.
Description | Additional information about the message selected in the message list.
Action | The steps you should take to resolve the described problem.
Abort button | Aborts the discovery task.
If you abort the task when performing policy discovery on a single device, the result is partial discovery of that device. In such cases, we recommend deleting the information (for example, by discarding the activity) and starting again.
If you abort the task when performing policy discovery on multiple devices, Security Manager automatically discards the information for any partially discovered device. Devices for which discovery was completed before you aborted the operation are fully discovered.
Policy Discovery Status Page
Use the Policy Discovery Status page to view the status of previous policy discovery and device addition tasks.
Navigation Path
Select Tools > Policy Discovery Status.
Related Topics
•
Viewing Policy Discovery Task Status, page 7-15
Field Reference
Table D-13 Policy Discovery Status Page
Element
|
Description
|
Task Table
The upper portion of the window lists the previous policy discovery or device addition tasks. Select a task to view detailed information about it in the lower portion of the window. The columns in the table provide overall status information for the task.
When adding devices that contain security contexts, the context discovery appears as a separate Policy Discovery task.
|
Name
|
The name of the discovery or device addition task. This might be a system generated name or a name you specified when rediscovering device policies.
|
Type
|
The type of task, either Policy Discovery (when you rediscover device policies) or Add Device (when you add a device using the New Device wizard and elect to discover policies).
|
Start Time
|
The time the task started.
|
End Time
|
The time the task stopped.
|
Status
|
The overall status of the task. One of the following:
• Completed successfully—The task succeeded.
• Completed with errors—The task was partially successful. This could occur if all policies were not discovered or if the device was added but no policies were discovered.
• Completed with warnings—The task was successful but a minor problem occurred.
• Failed—The task failed. No polices were discovered or no device was added because of errors or because you stopped discovery.
|
Refresh button
|
Click this button to refresh the task list to update the information if there are tasks running in the background or if new tasks were created.
|
Delete button
|
Click this button to delete the selected task from the database. Deleting old tasks does not affect the related devices or discovered policies.
|
Discovery Details or Import Details Tables
These tables display the devices included in the selected task. The name differs depending on the type of task (Discovery Details for Policy Discovery tasks, Import Details for Add Device tasks).
Select a device to see the messages generated during the task for that device in the message list below the table.
|
Device
|
The name of the device. If the name is followed by (deleted), the device is no longer in the Security Manager inventory.
|
Config File
(Import Details only)
|
The location of the configuration file. This field is displayed only if you are importing from a configuration file.
|
Task Type
(Import Details only)
|
One of the following:
• Import only—Adding devices to Security Manager.
• Import and Discover—Adding devices and discovering policies and inventory, or adding devices and discovering policies.
|
Severity
|
An icon for one of the following is displayed:
• Error—The device addition or policy discovery failed.
• Information—The device was added successfully or policy discovery was successful.
|
State
Details
|
These fields have the same meaning, although different names are used in the Discovery Details and Import Details tables. The fields describe the status of the task for the device:
• Device Added—The device was successfully added to the inventory.
• Device Add Failed—The device was not added to the inventory.
• Discovery Completed—Discovery succeeded and the discovered policies are added to the Security Manager database.
• Discovery Failed—No policies were discovered because errors occurred.
|
Discovered From
(Discovery Details only)
|
One of the following:
• Live Device—Security Manager contacted the device to obtain configuration and policy information.
• File—Security Manager obtained the configuration and policy information from a configuration file.
|
Messages list
|
The messages generated during the task for the selected device. Select a message to see detailed information in the fields to the right of the list. The severity icons have these meanings:
• Error—A problem was detected.
• Warning—A minor problem occurred during discovery.
• Information—An informational message about the selected device.
|
Description
|
Additional information about the message selected in the message list.
|
Action
|
The steps you should take to resolve the described problem.
|
Policy View General Reference
Use Policy view to globally manage all the shared policies configured with Cisco Security Manager. Unlike Device view, which you use to manage all the policies configured on a selected device, Policy view enables you to manage all shared policies of a particular type regardless of device. For a general explanation of Policy view, see Managing Shared Policies in Policy View, page 7-34.
Most of the pages and dialog boxes that are displayed in Policy view are the same as those displayed for specific policy types in Device view. The following topics describe some of the general features that are unique to Policy view:
• Policy View—Shared Policy Selector Options
• Policy View—Assignments Tab
• Create a Policy Dialog Box
Policy View—Shared Policy Selector Options
Right-click a policy in the Shared Policy selector of Policy view to display a shortcut menu for performing functions on the selected policy.
Related Topics
• Policy View Selectors, page 7-36
• Managing Shared Policies in Policy View, page 7-34
Field Reference
Policy View—Assignments Tab
Use the Assignments tab in Policy view to modify the list of devices or VPNs to which the selected shared policy is assigned. For more information, see Modifying Policy Assignments in Policy View, page 7-38.
Navigation Path
In Policy view, select a policy from the Shared Policy selector, then click the Assignments tab in the work area.
Related Topics
• Managing Shared Policies in Policy View, page 7-34
Field Reference
Table D-15 Policy View—Assignments Tab
Element
|
Description
|
Available Devices/VPNs
|
Lists all devices or VPN topologies to which the policy is not assigned. To assign the selected policy to additional devices or VPNs, select one or more items from this list, then click >> to add them to the Assigned Devices list.
|
Assigned Devices/VPNs
|
Lists all devices or VPNs to which the selected policy has been assigned. The list of assigned policies does not include inherited policies. To remove items from this list, select the item, then click <<.
If you unassign a shared, mandatory policy from a VPN (for example, IKE), a default policy is configured automatically in its place. Unassigning a VPN policy that is not mandatory removes the policy completely from the VPN.
If you unassign a shared policy from a remote access VPN, an empty policy (that is, a policy instance with no values) is configured in its place, even if it is a mandatory policy, such as IKE. In such cases, you must configure a new policy in order to avoid validation errors during deployment.
If you unassign a shared policy from a device, an empty policy is assigned in its place, effectively removing that policy type from the device configuration.
|
Save button
|
Saves your changes to the server but keeps them private. To publish your changes, click the Submit button on the toolbar.
|
Create a Policy Dialog Box
When working in Policy view, use the Create a Policy dialog box to create a new shared policy of the selected policy type. For more information, see Creating a New Shared Policy, page 7-38.
Tip
The new policy is initially not assigned to any devices or VPN topologies. For information about assigning the policy, see Policy View—Assignments Tab.
Navigation Path
In Policy view, do one of the following:
• Right-click a policy type in the Policy Types selector, then select New [name of policy] Policy.
• Right-click a policy in the Shared Policy selector, then select New [name of policy] Policy.
• Click the Create a Policy button beneath the Shared Policy selector.
Related Topics
• Managing Shared Policies in Policy View, page 7-34
• Deleting a Shared Policy, page 7-39
Field Reference
Table D-16 Create a Policy Dialog Box
Element
|
Description
|
Policy Name
|
The name for the new shared policy. Names can contain up to 255 characters, including spaces and special characters.
|
OK button
|
Saves your changes locally on the client and closes the dialog box.
|