User Guide for Cisco Security Manager 3.2.2
Index


Numerics

12.1 and 12.2

managing routers 14-2

12.2(33) SRA

running on Catalyst 6500/7600 devices

path MTU discovery and 10-31

12.2(33) SRB

running on Catalyst 6500/7600 devices

path MTU discovery and 10-31

12.2(33) SXH

running on Catalyst 6500/7600 devices

path MTU discovery and 10-31

3DES encryption algorithm

cluster load balancing

using FQDNs 11-16

in IKE proposals 10-48

802.1x

802.1x Policy page J-132

defining policies 14-90

interface authorization states 14-89

on Cisco IOS routers 14-88

supported topologies 14-90

understanding device roles 14-88

A

AAA

accounting 11-2

authorization 11-2

Cisco IOS routers

AAA Policy page J-65

Accounting tab J-69

Authentication tab J-65

Authorization tab J-67

Command Accounting dialog box J-72

Command Authorization dialog box J-69

defining services 14-48

overview 14-46

supported accounting types 14-47

supported authorization types 14-47

understanding method lists 14-48

configuring on firewall devices 15-29

configuring settings 12-97

credentials for device access 6-4

defining policies 15-31

device administration 15-30

local fallback 15-30

network access 15-31

PIX/ASA/FWSM

AAA page K-59

Accounting tab K-61

Authentication tab K-59

Authorization tab K-61

support 15-30

understanding 15-29

user authentication 11-2

VPN access 15-31

AAA authentication groups

predefined 9-11

using SDI

as the protocol 10-82

AAA firewall I-108

advanced setting

Interactive Authentication Configuration dialog box I-109

AAA Mode Setup page 2-1

AAA rules

AAA Rules page I-54

Add AAA Rules dialog box I-56

adding 12-60

AuthProxy dialog box I-70

configuring settings

for (PIX/ASA) 12-97

for IOS 12-102

deleting 12-66

disabling 12-64

Edit AAA Option dialog box I-69

Edit AAA Rules dialog box I-56

Edit AAA Server Group dialog box I-70

Edit Category dialog box I-71

Edit Description dialog box I-71

Edit Destinations dialog box I-63

editing 12-62

Edit Interface dialog box I-67

Edit Service dialog box I-41, I-65

Edit Sources dialog box I-61

enabling 12-64

MAC exempt address lists

adding 12-100

deleting 12-101

editing 12-100

understanding 12-99

moving down 12-65

moving up 12-65

Show Destination dialog box I-65

Show Interface Contents dialog box I-68

Show Service Contents dialog box I-66

Show Source Contents dialog box I-62

understanding 12-59

AAA Rules page I-54

AAA server group objects

AAA Server Group dialog box F-5

creating 9-13

default server groups on IOS devices 9-12

predefined authentication groups 9-11

understanding 9-10

AAA server objects

AAA Server dialog box F-8

creating 9-18

supported types 9-16

understanding 9-10, 9-15

AAA servers

external servers 11-2

supported types on ASA devices 9-16

table of services on ASA devices 9-18

Abort the Job dialog box N-22

About Security Manager command 3-12

ABR

definition 15-76

access control list objects

creating 9-20

extended objects 9-20

standard objects 9-22

web objects 9-23

access control lists

policy discovery 7-13

Access Control page I-101

access controls

access list compilation

enabling 12-92

configuring settings 12-93

object group search

enabling 12-89

per user downloadable ACLs

enabling 12-90

settings 12-87

understanding settings 12-87

Access Group tab

description 15-72, K-143

Access Interface Configuration dialog box (ASA) H-104

access list compilation

enabling 12-92

understanding 12-91

Access page (ASA) H-3

access permissions

maps 4-2

access policies, configuring 11-50

access ports

Create and Edit Interface dialog boxes-Access Port mode L-12

understanding 16-5

access rule

CS-MARS query 21-23

look up

from device managers 21-5

access rules

Access Rules page I-1

Adaptive Security Algorithm (ASA) and 12-38

Add Firewall Rule dialog box I-4

adding 12-40

Advanced dialog box I-8

ASA, and 12-39

deleting 12-47

disabling 12-45

Edit Category dialog box I-19

Edit Description dialog box I-20

Edit Destinations dialog box I-12

Edit Firewall Option dialog box I-16

Edit Firewall Rule dialog box I-4

Edit Firewall Rule Expiration dialog box I-20

editing 12-43

Edit Interface dialog box I-18, I-43

Edit Service dialog box I-14

Edit Sources dialog box I-10

enabling 12-45

FWSM, and 12-39

IOS router, and 12-39

logging events for an ACE 12-40

moving down 12-46

moving up 12-46

notes 12-39

PIX Firewalls, and 12-39

recognizing on devices 12-38

rule expiration 12-4

Show Destination Contents dialog box I-13

Show Interface Contents dialog box I-18

Show Service Contents dialog box I-15

Show Source Contents dialog box I-11

understanding 12-36, 12-39

viewing related CS-MARS events 21-24

Access Rules page I-1

accounting

configuring on firewall devices 15-29

accounts and credentials

Cisco IOS routers

overview 14-50

accounts and credentials policies

Accounts and Credentials Policy page J-73

User Accounts dialog box J-75

ACL names

conflicts and resolutions 9-30

generating 9-28

identifying original 9-29

naming conventions 9-28

notes 9-30

preserving user-defined 9-26

ACLs

optimizing

caveats 12-35

notes 12-34

Actions Shortcut menu M-7

Active/Active failover

about 15-46

command replication 15-47

configuration synchronization 15-47

Active/Standby failover 15-46

activities

accessing functions 8-7

Activity Manager window E-1

Activity Required dialog box E-7

Approve Activity dialog box E-6

Approved state 8-4

approving 8-2, 8-14

benefits of 8-2

closing 8-10

Create Activity dialog box E-4

creating 8-9

Discard Activity dialog box E-7

discarding 8-15

Edit state 8-4

locking 8-2

managing 8-1

multiple users 8-3

Openable Activities dialog box E-8

opening 8-9

Reject Activity dialog box E-6

Rejected state 8-4

rejecting 8-14

states 8-4

Submit Activity dialog box E-5

Submitted state 8-4

submitting for approval 8-13

understanding 8-1

user interface reference E-1

validating 8-11

viewing change reports 8-10

viewing status and history 8-15

working with 8-6

Activities menu 3-11

Activity Manager command 3-10

Activity Manager window E-1

Activity Required dialog box E-7

activity states E-3

Adaptive Security Appliances

See ASA devices

Add/Edit AnyConnect Client Image dialog box (ASA) H-118

Add/Edit AnyConnect Client Profile dialog box (ASA) H-119

Add/Edit Collector dialog box

description 15-63, K-103, K-123

Add/Edit Connection Profile dialog box

SSL tab

Add/Edit Connection Alias dialog box H-36

Add/Edit Connection URL dialog box H-37

Add/Edit Content Rewrite dialog box (ASA) H-107

Add/Edit File Encoding dialog box (ASA) H-110

Add/Edit IGMP Join Group dialog box

description 15-73

Add/Edit IGMP Static Group dialog box

description 15-72

Add/Edit Multicast Route dialog box

description K-147, K-148

Add/Edit PIM Bidirectional Neighbor Filter dialog box

description K-153

Add/Edit PIM Neighbor Filter dialog box

description K-152

Add/Edit Plug-in Entry dialog box (ASA) H-116

Add/Edit Proxy Bypass dialog box (ASA) H-114

Add AAA Rules dialog box I-56

Add Access List dialog box M-80

Add an Entry dialog box M-48

Add Cat6k Block Vlan dialog box M-97

Add Certificate dialog box A-14

Add Cisco Secure Desktop Configuration dialog box F-44

Add Column dialog box F-145

Add Custom Pane dialog box F-145

Add Custom Signature dialog box M-5

Add DCE/RPC Map dialog box F-56

Add Device from Network wizard

Device Credentials page C-17

Add Devices to Group command 3-7

Add Devices to Group dialog box C-35

Add DNS Map dialog box

Filtering tab F-58

overview F-56

Protocol Conformance tab F-58

Add Extended Access Control Entry dialog box F-20

Add Extended Access List dialog box F-19

Add Firewall Rule dialog box I-4

Add FlexConfig dialog box F-48

Add Group dialog box C-36

Add GTP Map dialog box F-68

Add HSI Endpoint IP Address dialog box F-75

Add HSI Group dialog box F-74

Add HTTP Map dialog box

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab F-79

Extension Request Method tab F-82

General tab F-78

overview F-77

Port Misuse tab F-83

RFC Request Method tab F-81

Transfer Encoding tab F-84

ASA 7.2+ and PIX 7.2+ devices F-85

Add IM Map dialog box

ASA and PIX device F-91

Add IPsec Pass Through Map dialog box F-95

Add Language dialog box F-139

Add Link command 3-9

Add Link dialog box B-13

Add Local Rules command 3-8

Add Map Object and Node Properties dialog boxes B-14

Add Map Object command 3-9

Add NetBIOS Map dialog box F-96

Add New Device wizard

Device Credentials page C-17

Add or Edit Skinny Map dialog boxes F-101

Add or Edit Status Providers dialog box A-38

Add Other Devices dialog box N-16

Add Permit Response dialog box F-70

Add Regular Expression dialog box F-105

Add Regular Expression Group dialog box F-104

address pools

defining 15-19

Address Resolution Protocol

See ARP

Add Row command 3-7

Add Rule Section dialog box I-122

Add Signature Parameter - List Entry dialog box M-47

Add SNMP Map dialog box F-103

Add SSL VPN Customization dialog box F-134

Applications F-143

Copyright Panel F-141

Custom Panes F-144

Full Customization F-142

Home Page F-146

Informational Panel F-140

Language F-138

Logon Form F-140

Logout Page F-147

Title Panel F-137

Toolbar F-142

Add Standard Access Control Entry dialog box F-22

Add Standard Access List dialog box F-19

Add TCP Map dialog box F-106

Add TCP Option Range dialog box F-107

Add Text Object dialog box F-154

Add Traffic Flow dialog box F-157

Add Transparent Firewall Rule dialog box I-96

Add User Profile dialog box M-91

Add Virtual Sensor dialog box M-101

Add Web Access Control Entry dialog box F-23

Add Web Type Access List dialog box F-19

Add WINS Server dialog box F-178

Add WINS Server List dialog box F-177

admin context

in Performance Monitor 21-10

overview 15-84

administration

See managing user accounts

selecting router policies to manage 7-10

administrative settings, configuring 20-2

ADSL

ADSL Policy page J-33

ADSL Settings dialog box J-34

defining settings 14-28

supported operating modes 14-27

Advanced dialog box

access rules I-8

advanced settings

configuring 11-49

Advanced tab (ASA) H-120

Advanced tab (IOS) H-101

AES encryption algorithm

in IKE proposals 10-48

in VPN SPA 10-30

aging timer

path MTU discovery 10-31

AIM-IPS interfaces

AIM-IPS Interface Settings page J-26

AIM-IPS module

credentials C-24

AIM-IPS Module Discovery dialog box C-24

Alarm Indication Signal (AIS) cells 14-36

Allowed host

use of 17-5

Allowed Hosts page M-80

Analysis Engine global variables

configuring 17-8

Analysis Engine tab M-88

analysis reports

generating 12-6

understanding 12-4

Analysis Reports page I-124

anomaly detection

limiting false positives M-55

worm attacks M-55

Anomaly Detection page M-49

anti-spoofing 15-79

Apply IPS Update command 3-11

Apply IPS Update wizard A-23

Approve Activity command 3-12

Approve Activity dialog box E-6

Approved activity state 8-4

Approve Deployment Job dialog box N-19

approver role 2-16

Area Border Router

See ABR 15-76

ARP

Layer 2 signatures M-19

protocol M-19

ARP spoof tools

dsniff M-19

ettercap M-19

ARP table

static entry K-52, K-53

ASA

ASDM 21-2

policy discovery 7-12

rollback, commands to recover from failover misconfiguration 18-38

rollback command conflicts 18-37

rollback restrictions for failover devices 18-35

rollback restrictions for multiple context mode 18-35

setting up AUS or CNS 5-8

setting up SSL (HTTPS) 5-3

ASA 5505

ports and interfaces 15-5

ASA Cluster Load Balance page H-24

ASA devices

See also PIX/ASA/FWSM Platform policies

AAA support 9-16

adding SSL thumbprints manually 6-21

defining

DNS server IP address 11-15

enabling

DNS lookups 11-15

models supported

VPN cluster load balancing 11-16

outside IP addresses

associated with DNS entry 11-15

remote access IPSec VPNs

access policies 11-50

creating using wizard 11-10, 11-12

other settings 11-51

performance settings 11-52

remote access SSL VPNs

access settings 11-49

browser plug-ins 11-58, 11-60

client settings 11-60, 11-61

content rewrite rules 11-53

encoding rules 11-54, 11-55

performance settings 11-52

proxies 11-56

proxy bypass rules 11-56

remote access VPNs

access policies (ASA) H-102, H-104

advanced settings (ASA) H-120

AnyConnect client image settings (ASA) H-118

AnyConnect client profile settings (ASA) H-119

browser plug-ins (ASA) H-116

certificate to connection profile map policies 11-35

certificate to connection profile map rules 11-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-80

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-79

Certificate to Connection Profile Maps > Policies page H-77

Certificate to Connection Profile Maps > Rules page H-78

client settings (ASA) H-117

cluster load balancing 11-14, 11-15, H-24

connection profiles 11-16, 11-17, H-25

content rewrite settings (ASA) H-107

dynamic access policies 11-17, 11-18

dynamic access policy (DAP) attributes 11-20, 11-23

Dynamic Access policy page (ASA) H-37

encoding settings (ASA) H-108, H-110

fragmentation settings H-72

Global Settings page H-68

group policies H-74, H-75

IKE proposals H-81

IPsec proposals H-82, H-84

ISAKMP/IPsec settings H-69

NAT settings H-71

other settings (ASA) H-105

performance settings (ASA) H-105

proxy bypass settings (ASA) H-114

proxy settings (ASA) H-110

Public Key Infrastructure (PKI) H-76

secure desktop manager policies 11-24, 11-26

SSL certificate configuration A-12

supported OS versions

redirection using FQDNs 11-16

table of AAA services 9-18

use of Kerberos 9-17

use of LDAP servers 9-17

use of NT servers 9-17

use of SDI servers 9-17

VPN cluster load balancing

3DES/AES license 11-16

overview 11-15

ASA User Group dialog box F-25

Auto Signon Rules F-39

Client Access Rules dialog box F-33

Client Configuration settings F-27

Client Firewall Attributes F-28

Connection settings F-42

DNS/WINS settings F-39

Hardware Client Attributes F-30

IPsec Settings F-32

Split Tunneling settings F-41

SSL VPN Clientless Settings F-34

SSL VPN Full Client Settings F-35

SSL VPN General Settings F-37

Technology settings F-25

ASA user group objects

Auto Signon Rules F-39

Client Access Rules dialog box F-33

Client Configuration settings F-27

Client Firewall Attributes F-28

Connection settings F-42

creating 9-33

DNS/WINS settings F-39

Hardware Client Attributes F-30

IPsec Settings F-32

Split Tunneling settings F-41

SSL VPN Clientless Settings F-34

SSL VPN Full Client Settings F-35

SSL VPN General Settings F-37

Technology settings F-25

understanding 9-31

ASBR

definition 15-76

ASCII limitations for text 3-21

ASDM

access rule look-up 21-5

device manager 21-2

assignment overview 1-7

Assignments tab D-18

Assign Shared Policy command 3-8

Assign Shared Policy dialog box D-2

Asymmetric Digital Subscriber Line (ADSL)

on Cisco IOS routers 14-27

Asynchronous Transfer Mode (ATM) 14-32

ATM 14-32

virtual channel connections (VCCs) 14-32

virtual channel identifier (VCI) 14-32

virtual path connections (VPCs) 14-32

virtual path identifier (VPI) 14-32

Atomic ARP engine

described M-19

parameters (table) M-19

Atomic IP engine

parameters (table) M-14

audit logs

configuring default settings A-32

purging entries 20-13

understanding 20-11

working with 20-11

Audit Message Detail dialog box E-9

Audit Report command 3-11

audit reports

generating and viewing 20-12

understanding 20-11

working with 20-11

Audit Report window E-9

AUS

deploying configurations 18-25

deployment method 18-11

setting up 5-7

setting up on PIX Firewall and ASA devices 5-8

authentication

configuring on firewall devices 15-29

authentication methods

in IKE proposals 10-49

preshared keys 10-49

RSA signatures 10-49

authentication testing

SSH 5-5

authorization

configuring on firewall devices 15-29

AuthProxy dialog box

AAA rules I-70

AuthProxy General tab (IOS) I-114, I-116

AuthProxy page I-113

autolink

omitting reserved networks from maps A-2

Auto Signon Rules

ASA user group objects F-39

Auto Update Server (AUS)

licensing 20-4

Auto Update Server Properties dialog box C-12

Auto Update Servers (AUS)

configuring AUS settings on firewall devices 15-52

Available Bit Rate (ABR) 14-33

Available Servers dialog box C-14

B

background image, map

deleting 4-11

importing 4-10

overview 4-9

scale and position 4-11

setting 4-10

backslash

when defining subinterfaces 9-63

Backup command 3-11

backups, Security Manager database 20-14

banners

Banner page K-63

configuring on firewall devices 15-32

benefits of product 1-2

BGP routing

BGP Routing Policy page J-162

defining routes 14-123

Neighbors dialog box J-163

on Cisco IOS routers 14-122

redistributing routes 14-125

Redistribution Mapping dialog box J-165

Redistribution tab J-164

Setup tab J-162

blocking

definition of 17-8

Blocking page M-88

boot image and configuration settings

configuring on firewall devices 15-33

bootstrapping devices

in Performance Monitor 21-8, 21-9

bridge groups

defining 14-54

FWSM 3.1 15-27

bridging

Cisco IOS routers

Bridge Group dialog box J-77

Bridging Policy page J-76

BVI interfaces 14-53

overview 14-52

PIX/ASA/FWSM

Add/Edit ARP Inspection dialog box K-55

Add/Edit ARP Table Entry dialog box K-53

Add/Edit MAC Learning dialog box K-58

Add/Edit MAC Table Entry dialog box K-56

ARP Inspection page K-54

ARP Table page K-52

configuring on 15-27

MAC Address Table page K-56

MAC Learning page K-57

Management IP page K-58

browser plug-ins

defining 11-60

understanding 11-58

C

CA server authentication methods

SCEP (Simple Certificate Enrollment Protocol) 10-61

Cat6k Device dialog box M-97

Catalyst 6500/7600 devices

configuring FWSM on 10-34

configuring SSH 5-6

configuring VPNSM on 10-28

configuring VPN SPA on 10-29

default transport protocol A-12

deployment 18-18

path MTU discovery

on tunnel interface 10-31

packet fragmentation 10-31

policy discovery for FWSM 7-12

rollback restrictions 18-35

supported IOS versions

for path MTU discovery 10-31

Catalyst 6500/7600 switches

including in deployment jobs N-11

Catalyst 6500 Series switches

See Catalyst switches and Cisco 7600 Series routers

Catalyst 6K tab M-96

Catalyst devices

policy discovery 7-12

remote access VPNs

Dynamic VTI/VRF Aware IPsec settings H-89

high availability H-93

IPsec proposals H-85

user group policies H-95

VPNSM/VPN SPA settings H-87

Catalyst platform policies

general reference L-1

IDSM settings policy

Create and Edit IDSM Data Port VLANs dialog boxes L-32

Create and Edit IDSM EtherChannel VLANs dialog boxes L-31

IDSM Settings page L-30

IDSM Slot-Port Selector dialog box L-33

interfaces/VLANs policy

Access Port Selector dialog box L-6

Create and Edit Interface dialog boxes-Access Port mode L-12

Create and Edit Interface dialog boxes-Dynamic Port mode L-21

Create and Edit Interface dialog boxes-Other mode L-27

Create and Edit Interface dialog boxes-Routed Port mode L-15

Create and Edit Interface dialog boxes-subinterfaces L-25

Create and Edit Interface dialog boxes-Trunk Port mode L-17

Create and Edit VLAN dialog boxes L-4

Create and Edit VLAN Group dialog boxes L-8

Interfaces/VLANs page L-3

Interfaces tab L-10

Service Module Slot Selector dialog box L-9

Summary tab L-29

Trunk Port Selector dialog box L-7

VLAN Groups tab L-7

VLAN Selector dialog box L-10

VLANs tab L-3

VLAN access lists policy

Create and Edit VLAN ACL Content dialog boxes L-37

Create and Edit VLAN ACL dialog boxes L-36

VLAN Access Lists page L-34

Catalyst Summary Info command 3-10

Catalyst switches

configuring SSH 5-6

default transport protocol A-12

showing modules, security contexts, and virtual sensors 6-23

Catalyst switches and 7600 Series routers

access ports 16-5

Catalyst Summary Info page L-1

defining IDSM Data Port VLANs 16-19

defining IDSM EtherChannel VLANs 16-17

defining ports 16-6

defining VACLs 16-14

defining VLAN groups 16-11

defining VLANs 16-9

deleting IDSM Data Port VLANs 16-20

deleting IDSM EtherChannel VLANs 16-18

deleting ports 16-8

deleting VACLs 16-15

deleting VLAN groups 16-12

deleting VLANs 16-10

discovering policies 16-5

generating interface names 16-7

IDSM settings 16-16

IDSM Settings page L-30

interfaces 16-5

Interfaces/VLANs page L-3

managing 16-1

migrating inventory from earlier release 16-2

migrating unmanaged service modules 16-4

routed ports 16-5

trunk ports 16-5

viewing configuration summary 16-21

VLAN Access Lists page L-34

VLAN ACLs (VACLs) 16-13

VLAN groups 16-11

VLANs 16-9

Catalyst VPN Services Module (VPNSM)

configuring 10-32

configuring in remote access VPNs 11-41

defining settings (site-to-site VPN) G-16

understanding configuration 10-28

VPNSM blade configuration 10-28

Catalyst VPN Shared Port Adapter (VPN SPA)

configuring a VPN SPA blade 10-32

configuring in remote access VPNs 11-41

defining settings (site-to-site VPN) G-16

path MTU discovery

crypto maps 10-31

enabling 10-31

supported IOS versions for 10-31

understanding configuration 10-29

categories

using 9-4

Category Editor dialog box F-44

cautions

significance of i-lvi

CDP

definition of 13-4

certificates, SSL

adding thumbprints manually 6-21

configuring default settings for how handled A-12

certificate to connection profile map policies

configuring 11-35

understanding 11-35

certificate to connection profile map rules

configuring 11-36

understanding 11-36

Certification Authority (CA) servers

naming guidelines 9-77

Change Report dialog box E-8

change reports, viewing 8-10

Change Reports command 3-11

Cisco 7600 Series routers

See Catalyst switches and 7600 Series routers

Cisco Discovery Protocol (CDP) J-23

Cisco Express Forwarding (CEF)

importance for QoS 14-104

Cisco IOS routers

802.1x 14-88

AAA 14-46

accounts and credentials 14-50

ADSL 14-27

advanced interface settings 14-20

available interface types 14-15

basic interface settings 14-14

BGP routing 14-122

CNS call-home mode 5-10

CNS event-bus mode 5-9

configuring SSH 5-6

CPU settings 14-56

default AAA server groups 9-12

deploying configurations using TMS 18-26

dialer interfaces 14-23

discovering policies 14-3

Domain Name System (DNS) 14-73

Dynamic Host Configuration Protocol (DHCP) 14-81

EIGRP routing 14-126

host and domain names 14-74

HTTP 14-57

IOS 12.1 and 12.2 14-2

line access 14-60

logging 14-99

managing 14-1

memory settings 14-75

NAT 14-4

Network Admission Control (NAC) 14-92

Network Time Protocol (NTP) 14-86

optional SSH settings 14-68

OSPF routing 14-131

permanent virtual connections (PVCs) 14-32

platform policies 14-1

Point-to-Point Protocol (PPP) 14-40

policy discovery 7-12

quality of service (QoS) 14-103

RIP routing 14-143

Secure Device Provisioning (SDP) 14-76

setting up SSL (HTTPS) 5-4

SHDSL 14-30

SNMP 14-70

static routing 14-147

time zone settings 14-55

transparent bridging 14-52

Cisco IOS Software

selecting policy types to manage 7-10

Cisco PIX firewalls

See PIX/ASA/FWSM Platform policies

Cisco Secure Access Control Server (ACS)

activating NDG feature 2-28

adding devices as AAA clients without NDGs 2-25

adding managed devices 2-25

adding managed devices and configuring NDGs 2-34

adding users 2-24

assigning roles to user groups 2-33

assigning roles to user groups with NDGs 2-34

assigning roles to user groups without NDGs 2-33

associating user roles and permissions 2-20

configuring CiscoWorks AAA mode 2-31

configuring network device groups 2-26

creating network device groups 2-28

customizing user roles 2-19

default roles 2-18

defining system identity user 2-31

integrating with Security Manager 2-21

integration checklist 2-22

integration requirements 2-22

performing integration 2-23

performing integration in CiscoWorks 2-30

registering Security Manager 2-32

restarting Daemon Manager 2-33

understanding user permissions 2-1

Cisco Secure Access Control Server (ACS) integration

creating administration control user 2-29

creating local users in CiscoWorks 2-30

Cisco Secure Access Control Server (ACS) user interface

Add Administrator page 2-29

Group Setup page 2-35

Cisco Secure desktop configuration objects

creating 9-85

understanding 9-85

Cisco Security Management Suite server

logging into or exiting 1-8

Cisco Technical Assistance Center

creating diagnostic file 20-15

Cisco Trust Agent (CTA) 14-94

CiscoWorks Common Services

assigning roles to users 2-17

associating user roles and permissions 2-20

available user roles 2-16

backing up and restoring Security Manager 20-14

configuring AAA mode 2-31

creating local user for Cisco Secure ACS 2-30

defining system identity user 2-31

logging into or exiting 1-8

performing integration for Cisco Secure ACS 2-30

registering Security Manager with Cisco Secure ACS 2-32

understanding user permissions 2-1

Class-Based Policing 14-109

class maps

understanding 9-39

CLI commands

FlexConfig objects 19-2

Client Access Rules dialog box

ASA user group objects F-33

Client Configuration settings

ASA user group objects F-27

client connection characteristics

Client Connection Characteristics page G-62

configuring policies for Easy VPN 10-83

Client Firewall Attributes

ASA user group objects F-28

clientless access mode 11-4

client settings

configuring 11-61

understanding 11-60

clock

Cisco IOS routers

overview 14-55

configuring on firewall devices 15-34

clock settings

Cisco IOS routers

Clock Policy page J-78

Clone Device command 3-6

cloning devices

in VPN topologies 10-16

Close Activity command 3-12

cluster load balancing

configuring 11-15

redirection using FQDNs

3DES/AES 11-16

ASA outside IP addresses 11-15

instead of IP addresses 11-16

OS versions supported 11-16

overview 11-15

reverse DNS lookup 11-15

understanding 11-14

CNS

call-home mode 5-10

deploying configurations 18-25

deployment method 18-11

event-bus mode 5-9

setting up 5-7

setting up on PIX Firewall and ASA devices 5-8

collectors (NetFlow) 15-63

Combine Rules

Rule Combiner Detail Report I-152

Combine Rules Results Summary dialog box I-150

Combine Rules Selection Summary dialog box I-149

combining rules 12-8

criteria notes 12-9

defining criteria 12-10

summary results 12-11

commands

Activities menu 3-11

Edit menu 3-7

Edit menu, table commands 3-20

File menu 3-6

Help menu 3-12

Map menu 3-9

Policy menu 3-8

Tools menu 3-10

View menu 3-8

Common Services

licensing 20-4

configuration

initial Security Manager 1-10

understanding rollback 18-33

Configuration Archive

adding configurations from devices 18-32

rolling back to archived configuration files 18-40

settings A-2

version viewer N-28

viewing and comparing configuration versions 18-32

window N-26

Configuration Archive command 3-11

Configuration Archive page A-2

Configuration Engine Properties dialog box C-12

configuration files

deploying in non-Workflow mode 18-17

deploying in Workflow mode 18-19, 18-24

deploying to 18-12

deploying to an AUS or CNS 18-25

deploying to a TMS 18-26

deployment process overview 18-2

factory-default configurations 15-1

previewing 18-28

redeploying to devices 18-28

rolling back to archived configurations 18-40

selecting 3-22

web VPN policy discovery restrictions 6-7

configurations

adding to the Configuration Archive 18-32

rollback, commands to recover from failover misconfiguration 18-38

rollback command conflicts 18-37

rolling back 18-33

rolling back Catalyst 6500/7600 18-35

rolling back failover devices 18-35

rolling back IPS and IOS IPS 18-36

rolling back multiple context mode 18-35

rolling back to devices 18-39

understanding out-of-band changes 18-13

viewing and comparing 18-32

configuration views 1-5

Configure DNS dialog box

inspection rules I-47

Configure ESMTP dialog box

inspection rules I-49

Configure Fragments dialog box

inspection rules I-49

Configure Hardware Ports dialog box K-50

Configure IMAP dialog box

inspection rules I-50

Configure POP3 dialog box

inspection rules I-51

Configure RPC dialog box

inspection rules I-52

Configure SMTP dialog box

inspection rules I-47

Config Version Viewer (Preview Configuration) dialog box N-17

Connection Profile page (ASA) H-4

connection profiles

configuring 11-17

understanding 11-16

Connection Profiles page H-25

Add/Edit Connection Profile dialog box

AAA tab H-28

Add/Edit Interface Specific Authentication Server Groups dialog box H-31

General tab (ASA) H-26

IPSec tab H-33

SSL tab H-33

Connection Profiles Policy page

Add/Edit Connection Profile dialog box

IPSec tab H-32

Connection settings

ASA user group objects F-42

connection timeout

device communication settings A-12

connectivity, testing device 6-15

console

Cisco IOS routers

AAA tab J-89

Accounting tab J-92

Authentication tab J-89

Authorization tab J-91

Console Policy page J-87

Setup tab J-87

console port

Cisco IOS routers

defining AAA settings 14-62

defining setup parameters 14-61

console timeout settings

configuring on firewall devices 15-37

Constant Bit Rate (CBR) 14-33

contact credentials

configuring on firewall devices 15-35

contained modules

showing 6-23

content rewrite rules

defining 11-53

understanding 11-53

Content Rewrite tab (ASA) H-107

Context Editor dialog box (IOS) H-97

contexts

See security contexts

continuity check (CC) cells 14-36

control plane (CP)

defining QoS on 14-115

policing on 14-111

Control Plane Policing 14-111

conventions i-lv

Copy command 3-7

Copy Policies Between Devices command 3-8

Copy Policies wizard

Copy Policies from this Device page D-4

Copy Policies to these Devices page D-6

Select Policies to Copy page D-4

understanding D-3

CPU settings

defining utilization settings 14-57

overview 14-56

CPU utilization

CPU Policy page J-80

Create/Edit Group Policies dialog box H-75

Create a Clone of Device dialog box C-26

Create Activity dialog box E-4

Create a Policy dialog box D-19

Create Filter dialog box C-1

Create Overrides for Device dialog box F-182

Create Text Object dialog box F-50

Create VPN Topology wizard G-6

credential objects

creating 9-35

understanding 9-35

credentials

AIM-IPS module C-24

device manager validation 21-4

service module C-22

testing 6-15

understanding device 6-4

Credentials objects

Credentials dialog box F-46

Credentials page

HTTPS port number

overriding with HTTP policy C-31

Credentials page (Devices) C-30

crypto engine slot command 10-30

crypto engine slot slot/subslot {inside | outside} command

VRF-Aware IPsec 10-30

crypto maps

dynamic 10-51

in IPsec proposals 10-51

on interface VLANs

IPsec VPN SPAs 10-31

static 10-51

CSDM Policy Editor dialog box H-66

CS-MARS

access to Security Manager 21-20

configuring servers A-3

discovering or changing server used by device 6-23

event

queries 21-21

events

historical 21-21

real-time 21-21

integration with Security Manager 21-16, 21-19

NetFlow 21-17

query

considerations 21-18

registering in Security Manager 21-22

CS-MARS page A-3

CSMDiagnostics.zip

setting debug options A-6

CSM tab, Licensing page A-29

Customize Desktop Settings page A-5

Custom Protocol dialog box

inspection rules I-48

Cut command 3-7

D

Daemon Manager

restarting after Cisco Secure ACS integration 2-33

database

backing up and restoring 20-14

Days of Week dialog box M-52

DCE/RPC policy map objects

creating 9-42

DCS properties file, SSH settings 6-22

DDNS

configuring on firewall devices 15-57

DDoS

protocols M-47

Stacheldraht M-47

TFN M-47

dead-peer detection (DPD) 10-55

debugging

configuring debug levels A-6

Debug Options page A-6

defaults, configuring 20-2

Defaults page (ASA) H-19

Defaults page (IOS) H-22

default virtual sensor

vs0 17-11

Delete Device command 3-6

Delete Map command 3-9

Delete Map dialog box B-10

Delete Row command 3-7

Denied Attacker dialog box M-58

Denied Attackers page M-58

Deploy command 3-6

Deploy Job dialog box N-19

deployment

Abort the Job dialog box N-22

Add Other Devices dialog box N-16

Auto Update Server 18-25

Catalyst 6500/7600 devices 18-18

Cisco Networking Services configuration engine 18-25

clearing XLATE on 15-84

configuration files, to 18-12

configurations 18-17

configuring status providers 21-10

creating or editing schedules 18-30

Deploy Job dialog box N-19

Deployment—Create or Edit a Job dialog box N-12

device communication settings 6-21

devices, directly to 18-10

devices, through intermediate server 18-11

Edit Deploy Method dialog box N-14

Edit Selected Deployment Method dialog box N-14

errors

OS version mismatches 18-14

handling OS version mismatches 18-14

IPsec on VPNs

using RADIUS 10-82

managing 18-1

methods 18-9

non-Workflow mode 18-4

Deploy Saved Changes dialog box N-9

out-of-band changes 18-13

process overview 18-2

Redeploy a Job dialog box N-23

Rollback a Job dialog box N-24

rolling back configurations 18-33

rolling back configurations, Catalyst 6500/7600 18-35

rolling back configurations, command conflicts 18-37

rolling back configurations, commands to recover from failover misconfiguration 18-38

rolling back configurations, failover devices 18-35

rolling back configurations, IPS and IOS IPS devices 18-36

rolling back configurations, multiple context mode 18-35

setting debug options A-6

Submit Deployment Job dialog box N-19

suspending or resuming schedules 18-31

system settings A-7

task flow

non-Workflow mode 18-5

Workflow mode 18-6

TMS server 18-26

troubleshooting SSL certificate errors 6-21

understanding 18-1

understanding configuration rollback 18-33

using a Cisco Networking Services (CNS) server 18-25

viewing device details 18-16

viewing job summary 18-16

viewing status and history for jobs and schedules 18-16

Warning - Partial VPN Deployment dialog box N-16

Workflow mode 18-6, 18-19, 18-24

Deployment—Create or Edit a Job dialog box N-12

Deployment Manager window N-3

working with 18-16

Deployment—Create or Edit a Job dialog box N-12

deployment jobs

aborting 18-30

approval 18-8

approving 18-23

creating and editing 18-20

Deployment Manager 18-2

discarding 18-25

including devices in 18-9

multiple users 18-9

redeploying 18-28

rejecting 18-23

states

non-Workflow mode 18-5

Workflow mode 18-7

submitting 18-22

viewing history 18-16

Deployment Manager

overview 18-2

Deployment Manager command 3-10

Deployment Manager window

Deployment Schedules tab N-6

Deployment Manager window in non-Workflow mode N-1

Deployment Manager window in Workflow mode N-3

Deployment Schedules tab N-6

Deployment Settings page A-7

Deployment Status Details dialog box N-21

Deployment Workflow Commentary dialog boxes N-19

Deploy Saved Changes dialog box N-9

DES encryption algorithm

in IKE proposals 10-47

Dest Port Map dialog box M-54

device

AAA administration 15-30

export inventory 6-25

viewing inventory status 6-25

device access

configuring on firewall devices 15-37

device access policies

defining 14-51

device administration policies

configuring on firewall devices 15-28

device authentication

adding SSL thumbprints manually 6-21

SSL certificate default configuration A-12

Device Communication page A-11

device communication settings

connection timeout A-12

managing 6-21

retry count A-12

socket read timeout A-12

Device Connectivity Test dialog box C-21

device credentials

understanding 6-4

Device Credentials page C-17

Device Delete Validation page C-25

Device Grouping page C-25

device groups 6-28, 6-30

adding or removing devices 6-31

creating group types 6-30

deleting groups or types 6-31

understanding 6-28

Device Groups page A-14, C-32

Device Information page - Add Device from File C-15

Device Information page - Configuration File C-8

Device Information page - Network C-4

Device Information page - New Device C-10

device inventory

exporting

DCR and CS-MARS formats 6-26

overview 6-25

using command line utility 6-26

managing 6-1

testing device connectivity 6-15

understanding 6-1

understanding contents 6-3

user interface reference C-1

working with 6-6

device manager

access rule look-up 21-5

ASDM 21-2

access rule look-up 21-5

command 21-4

credentials 21-4

IDM 21-2

PDM 21-2

preparing devices 21-3

prerequisites 21-3

SDM 21-2

access rule look-up 21-6

starting 21-4

starting from Security Manager 21-1

xdm-launcher.exe 21-5

Device Manager command 3-10

Device OS Management command 3-11

Device Properties

Credentials page C-30

Device Groups page C-32

General page C-27

Policy Object Override pages

general reference C-33

device properties

changes with policy effects 6-19

changing critical 6-17

image version changes with no policy effects 6-18

understanding 6-5

viewing or changing 6-17

Device Properties command 3-10

Device Properties page

creating object overrides 9-117

deleting overrides 9-119

overview C-27

devices

adding 6-7

adding configurations to the Configuration Archive 18-32

adding from configuration files 6-10

adding from export file 6-12

adding from network 6-8

adding local rules to shared policies 7-30

adding manually 6-11

adding to Performance Monitor 21-9

assigning shared policies 7-29

changing critical properties 6-17

cloning or duplicating 6-24

communication requirements 5-1

communication settings and certificates 6-21

configuring local policies 7-20

copying policies between 7-21

copying shared policies 7-32

creating policy object overrides 9-117

deleting from inventory 6-24

deleting policy object overrides 9-119

deployment through intermediate server 18-11

deployment to 18-10

discovering or changing CS-MARS server 6-23

discovering policies 7-11

discovering policies on existing devices 7-14

dynamic IP addresses 6-14

image version changes with no policy effects 6-18

including in deployment jobs N-11

including in deployment jobs or schedules 18-9

including in jobs N-13

inheriting policy rules 7-31

managing operating system 6-28

maps

adding existing managed 4-13

adding new managed 4-13

displaying devices from Device View 4-14

displaying managed 4-13

showing containment for Catalyst switches, ASA, PIX, IPS devices 4-14

modifying policy assignment 7-34

modifying shared policies 7-33

naming conventions 6-3

policy status icons 7-19

preparing for management 5-1

property changes with policy effects 6-19

redeploying configuration files to 18-28

redeploying configurations to replaced hardware 18-28

renaming policies 7-32

replacing policies 7-29

rolling back configurations 18-39

sharing multiple policies 7-27

showing contained modules 6-23

testing connectivity 6-15

unassigning policies 7-23

understanding out-of-band changes 18-13

unsharing policies 7-28

what counts as a device 6-3

device selector

filtering 3-14

Device view

adding local rules to shared policies 7-30

assigning shared policies 7-29

configuring local policies 7-20

copying policies between devices 7-21

copying shared policies 7-32

editing site-to-site VPN policies in 10-45

inheriting policies 7-31

managing policies 7-19

managing VPN devices in 10-44

modifying policy assignments 7-34

modifying shared policies 7-33

overview 1-5

policy banner 7-25

policy status icons 7-19

renaming policies 7-32

sharing local policies 7-26

sharing multiple policies 7-27

Site-to-Site VPN Topologies page G-65

unassigning policies 7-23

understanding basic policy management 7-20

understanding shared policies 7-24

unsharing policies 7-28

device view

remote access VPNs

managing 11-7

understanding 6-1

Device View command 3-8

DHCP

Cisco IOS routers

defining address pools 14-85

defining policies 14-84

DHCP Database dialog box J-126

DHCP Policy page J-123

IP Pool dialog box J-126

overview 14-81

understanding database agents 14-82

understanding option 82 14-83

understanding relay agents 14-82

understanding secured ARP 14-83

PIX/ASA/FWSM

configuring DHCP relay 15-53

configuring DHCP servers 15-54

diagnostics

setting debug options A-6

diagnostics file, creating 20-15

dial backup

configuring 10-27

configuring in Easy VPN 10-76

Dial Backup Settings dialog box G-23

understanding 10-26

dialer interfaces

defining BRI properties 14-25

defining profiles 14-24

Dialer Physical Interface dialog box J-31

Dialer Policy page J-28

Dialer Profile dialog box J-30

on Cisco IOS routers 14-23

Diffie-Hellman groups

in IKE proposals 10-48

Digital Subscriber Line (DSL) 14-27

digital subscriber line-access multiplexer (DSLAM) 14-27

directed broadcasts

enabling J-26

Discard Activity command 3-12

Discard Activity dialog box E-7

Discard command 3-6

Discard Deployment Job dialog box N-19

discovering remote access VPNs 11-7

discovering site-to-site VPNs 10-12

Discover VPN Policies wizard G-66

Discover Policies on Device command 3-8

Discover Policies On Device dialog box D-11

Discover VPN Policies command 3-8

Discover VPN Policies wizard G-66

Device Selection page G-68

Name and Technology page G-67

discovery

default behavior settings A-16

Map View 4-26

overview 1-7

setting debug options A-6

Discovery Settings page A-16

Discovery Status dialog box D-13

discovery task

frequently asked questions 7-16

starting 7-14

viewing status 7-16

Display Actual Size command 3-9

Distributed Denial of Service

See DDoS

Distributed Traffic Shaping (DTS) 14-109

DMVPN (Dynamic Multipoint VPN)

advantages of using with GRE 10-71

configuring policies 10-72

IPsec technology 10-5

large scale DMVPNs

configuring 10-74

understanding 10-74

understanding 10-70

using with GRE 10-71

DNS

configuring on firewall devices 15-56

DNS/WINS settings

ASA user group objects F-39

DNS class map objects

Add or Edit DNS Class Map dialog box F-54

Add or Edit Match Criterion dialog box F-59

creating 9-41

DNS policy map objects

Add or Edit Match Condition and Action dialog box F-59

creating 9-43

Dock Map View command 3-9

documentation

conventions i-lv

Domain Name System (DNS)

Cisco IOS routers

defining policies 14-73

DNS Policy page J-117

IP Host dialog box J-118

overview 14-73

do not ask warnings, resetting A-5

DSLAM 14-27

duplex

interface K-51

dynamic access policies

configuring 11-18

understanding 11-17

dynamic access policy (DAP) attributes

configuring 11-23

understanding 11-20

Dynamic Access Policy page

Add/Edit Dynamic Access Policy dialog box

Add/Edit DAP Entry dialog box H-46

Add/Edit DAP Entry dialog box > AAA Attributes Cisco H-49

Add/Edit DAP Entry dialog box > AAA Attributes LDAP H-50

Add/Edit DAP Entry dialog box > AAA Attributes RADIUS H-51

Add/Edit DAP Entry dialog box > Anti-Spyware H-52

Add/Edit DAP Entry dialog box > Anti-Virus H-53

Add/Edit DAP Entry dialog box > Application H-54

Add/Edit DAP Entry dialog box > File H-55

Add/Edit DAP Entry dialog box > NAC H-56

Add/Edit DAP Entry dialog box > Operating System H-57

Add/Edit DAP Entry dialog box > Personal Firewall H-58

Add/Edit DAP Entry dialog box > Policy H-59

Add/Edit DAP Entry dialog box > Process H-60

Add/Edit DAP Entry dialog box > Registry H-61

Advanced Expressions tab H-65

Logical Operators tab H-63

Main tab H-40

Dynamic Access policy page (ASA) H-37

Add/Edit Dynamic Access Policy dialog box H-39

Cisco Secure Desktop Manager Policy Editor dialog box H-66

dynamic crypto maps 10-51

dynamic IP devices

GRE for 10-67

dynamic NAT

creating rules on Cisco IOS routers 14-11

dynamic VTI

configuring in Easy VPN 10-76

Dynamic VTI tab (site-to-site VPN) G-54

in remote access VPNs 11-39

Dynamic VTI/VRF Aware IPsec settings tab H-89

E

Easy VPN

Advanced tab G-60

client connection characteristics 10-83

Client VPN Software Update tab G-61

configuring dial backup in 10-76

configuring dynamic VTI in 10-76

configuring high availability in 10-76

Dynamic VTI tab G-54

General tab G-57

IPsec Proposal page G-51

Dynamic VTI tab G-54

IPsec Proposal tab G-52

IPsec proposals 10-79

IPsec tab G-59

IPsec technology 10-5

tunnel group policies 10-81

Tunnel Group Policy page G-56

understanding 10-75

user group policies 10-80

User Group Policy page G-55

Edit AAA Option dialog box I-69

Edit AAA Rules dialog box I-56

Edit AAA Server Group dialog box I-70

Edit Actions dialog box M-7

Edit Auto Update Settings dialog box A-22

Edit Category dialog box

AAA rules I-71

access rules I-19

inspection rules I-53

transparent rules I-101

web filter rules I-86

Edit Cisco Secure Desktop Configuration dialog box F-44

Edit Column dialog box F-145

Edit Custom Pane dialog box F-145

Edit DCE/RPC Map dialog box F-56

Edit Deploy Method dialog box N-14

Edit Description dialog box

AAA rules I-71

access rules I-20

inspection rules I-53

transparent rules I-100

web filter rules I-86

Edit Destinations dialog box I-12

AAA rules I-63

inspection rules I-39

web filter rules I-80

Edit Device Groups command 3-6

Edit Device Groups dialog box C-34

Edit DNS Map dialog box

Filtering tab F-58

overview F-56

Protocol Conformance tab F-58

Edit Endpoints dialog box G-12

Protected Networks tab G-18

VPN Interface tab G-12

Edit Extended Access Control Entry dialog box F-20

Edit Extended Access List dialog box F-19

Edit Fidelity dialog box M-9

Edit Firewall Option dialog box I-16

Edit Firewall Rule dialog box I-4

Edit Firewall Rule Expiration dialog box I-20

Edit FlexConfig dialog box F-48

Edit GTP Map dialog box F-68

Edit HSI Endpoint IP Address dialog box F-75

Edit HSI Group dialog box F-74

Edit HTTP Map dialog box

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab F-79

Extension Request Method tab F-82

General tab F-78

overview F-77

Port Misuse tab F-83

RFC Request Method tab F-81

Transfer Encoding tab F-84

ASA 7.2+ and PIX 7.2+ devices F-85

Edit IM Map dialog box

ASA and PIX device F-91

Edit Inspected Protocol dialog box I-45

Edit Interface dialog box

AAA rules I-67

access rules I-18, I-43

transparent rules I-99

Edit IPsec Pass Through Map dialog box F-95

Edit Language dialog box F-139

Edit menu 3-7

Edit menu, table commands 3-20

Edit NetBIOS Map dialog box F-96

Edit Permit Response dialog box F-70

Edit Policy Assignments command 3-8

Edit Regular Expression dialog box F-105

Edit Regular Expression Group dialog box F-104

Edit Row command 3-7

Edit Rule Section dialog box I-122

Edit Selected Deployment Method dialog box N-14

Edit Service dialog box

AAA rules I-41, I-65

access rules I-14

web filter rules I-82

Edit Signature dialog box M-3

Edit Signature Parameter—Component List dialog box M-47

Edit Signature Parameter—List Entry Dialog Box M-48

Edit Signature Parameters dialog box M-10

Edit Signatures page, Apply IPS Update wizard A-27

Edit SNMP Map dialog box F-103

Edit Sources dialog box I-10

AAA rules I-61

inspection rules I-38

web filter rules I-78

Edit SSL VPN Customization dialog box F-134

Applications F-143

Copyright Panel F-141

Custom Panes F-144

Full Customization F-142

Home Page F-146

Informational Panel F-140

Language F-138

Logon Form F-140

Logout Page F-147

Title Panel F-137

Toolbar F-142

Edit Standard Access Control Entry dialog box F-22

Edit Standard Access List dialog box F-19

Edit state 8-4

Edit TCP Map dialog box F-106

Edit TCP Option Range Dialog Box F-107

Edit Text Object dialog box F-154

Edit Traffic Flow dialog box F-157

Edit Transparent EtherType dialog box I-98

Edit Transparent Firewall Rule dialog box I-96

Edit Transparent Mask dialog box

transparent rules I-99

Edit Update Server Settings dialog box A-21

Edit Virtual Sensor dialog box M-101

Edit Web Access Control Entry dialog box F-23

Edit Web Filter Options dialog box I-85

Edit Web Filter Type dialog box I-84

Edit Web Type Access List dialog box F-19

Edit WINS Server dialog box F-178

Edit WINS Server List dialog box F-177

EIGRP routing

defining interface properties 14-128

defining routes 14-126

Edit Interfaces dialog box J-169

EIGRP Routing Policy page J-166

Interface dialog box J-170

Interfaces tab J-169

on Cisco IOS routers 14-126

redistributing routes 14-130

Redistribution Mapping dialog box J-172

Redistribution tab J-171

Setup dialog box J-168

Setup tab J-167

e-mail notifications

configuring SMTP server 1-12

encoding rules

defining 11-55

understanding 11-54

Encoding tab (ASA) H-108

encryption algorithms

3DES (Triple DES) 10-48

AES (Advanced Encryption Standard) 10-48

DES (Data Encryption Standard) 10-47

in IKE proposals 10-47

endpoints and protected networks

defining in VPN topologies 10-19

Protected Networks tab G-18

understanding 10-18

VPN Interface tab G-12

ESMTP policy map objects

Add or Edit ESMTP Map dialog box F-62

Add or Edit Match Condition and Action dialog box F-63

creating 9-44

EtherChannel

Create and Edit IDSM EtherChannel VLANs dialog boxes L-31

defining IDSM VLANs 16-17

deleting IDSM VLANs 16-18

Ethereal 21-13

evaluation license

upgrading to permanent license 20-3

event

historical 21-21

queries 21-21

access rule 21-23

IPS signatures 21-27

real-time 21-21

Event Action Filters page M-59

Event Action Filters tab

described M-69

Event Action Override dialog box M-64

Event Action Overrides page M-63

Event Action policies M-59

event reporting

Inventory Status 21-11

severity levels 21-12

Exclusive Domain Name dialog box

web filter rules I-93

exclusive domains

adding (IOS) 12-77

deleting (IOS) 12-79

editing (IOS) 12-79

Exclusive Domains tab

web filter rules I-90

Exit command 3-7

exiting

Cisco Security Management Suite server 1-8

CiscoWorks Common Services 1-8

Security Manager 1-8, 1-9

export

device inventory 6-25

Export Inventory command 3-10

Export Inventory dialog box C-34

Export Map command 3-9

External Product Interface dialog box M-85

External Product Interface page M-84

F

factory-default configurations 15-1

failover

link 15-45

PIX/ASA/FWSM

active/active 15-46

active/standby 15-46

configuring 15-44

configuring on 15-48

stateful 15-46, 15-48

stateless 15-46

types of 15-46

understanding 15-45

false positives

definition of 13-12

feature sets 1-3

File menu 3-6

file objects

creating 9-37

understanding 9-36

files

deploying to 18-12

selecting or specifying 3-22

Filter Item dialog box M-60

filters

defined using signature categories 13-16

filtering selectors 3-14

filtering tables 3-17

find and replace

defining criteria 12-15

notes 12-13

understanding regular expressions 12-14

using 12-12

Find and Replace page I-123

Find Map Node command 3-9

Find Node dialog box B-10

firewall

access rule

CS-MARS query 21-23

Firewall AAA IOS Timeout Value Setting dialog box I-117

Firewall AAA MAC Exempt Setting dialog box I-113

Firewall ACL Setting dialog box I-104

Firewall Device dialog box M-95

firewall devices

policy discovery 7-12

firewall policy properties 12-2

firewall service module (FWSM)

including in deployment jobs N-11, N-13

firewall services

AAA rules

adding 12-60

understanding 12-59

access rules

adding 12-40

deleting 12-47

disabling 12-45

editing 12-43

enabling 12-45

logging events for an ACE 12-40

moving down 12-46

moving up 12-46

notes 12-39

recognizing on devices 12-38

understanding 12-36, 12-39

ACL names

conflicts and resolutions 9-30

generating 9-28

identifying original 9-29

naming conventions 9-28

notes 9-30

preserving user-defined 9-26

analysis reports 12-4

generating 12-6

Combine Rules

Rule Combiner Detail Report I-152

Combine Rules Results Summary dialog box I-150

Combine Rules Selection Summary dialog box I-149

combining rules 12-8

criteria notes 12-9

defining criteria 12-10

summary results 12-11

find and replace

defining criteria 12-15

notes 12-13

understanding regular expressions 12-14

using 12-12

Find and Replace page I-123

firewall settings

access list compilation 12-91

adding 12-100, 12-105

configuring settings 12-93, 12-95, 12-97, 12-104

deleting 12-101, 12-107

editing 12-100, 12-107

enabling 12-89, 12-90, 12-92

firewall ACL 12-94

for (PIX/ASA) 12-97

for IOS 12-102

per user downloadable ACLs 12-90

understanding 12-87, 12-88, 12-99

hit count

changing displayed results 12-20

changing displayed results, filtering columns 12-21

generating reports 12-17

sorting columns 12-21

understanding 12-16

understanding report results 12-18

viewing details 12-22

importing rules 12-22

extended access list 12-23

how to 12-25

notes 12-23

standard access list 12-24

Import Rules

Show Destination Contents dialog box I-134

Show Interface Contents dialog box I-135

Show Service Contents dialog box I-134

Show Source Contents dialog box I-133

Import Rules - Enter Parameters dialog box I-127

Import Rules - Preview page I-130

Objects tab I-132

Rules tab I-130

Import Rules - Status page I-129

inspection rules

custom destination ports 12-51

default inspection traffic 12-51

deleting 12-58

destination address and port (IOS) inspection rules 12-52

disabling 12-56

editing 12-55

enabling 12-56

moving down 12-58

moving up 12-58

source and destination address and port 12-53

supported features 12-97

understanding 12-48

managing 12-1

managing rules tables 12-3

Map View 4-17

object groups

expanding during discovery 12-36

optimizing ACLs 12-33

caveats 12-35

notes 12-34

optimizing policy objects

in rules 12-35

notes 12-36

policy query

generating reports 12-27

report results 12-27

understanding 12-26

policy query details example 12-30

policy query parameters 12-28

policy query results table 12-28

rule sections

Add Rule Section dialog box I-122

Edit Rule Section dialog box I-122

rule table sections

adding 12-31

adding to an existing section 12-32

editing 12-32

notes 12-31

removing an existing section 12-33

removing from an existing section 12-32

understanding 12-30

Firewall Services Module (FWSM)

See also PIX/ASA/FWSM Platform policies

configuring with VPNSM 10-34

FWSM blades 10-34

FWSM tab (site-to-site VPN) G-19

understanding configuration 10-34

firewall settings

AAA firewall I-108

advanced setting I-108

Access Control page I-101

access controls

access list compilation 12-91

object group search 12-88

per user downloadable ACLs 12-90

AuthProxy General tab (IOS) I-114

AuthProxy page I-113

AuthProxy Timeout tab (IOS) I-116

configuring settings

firewall ACL 12-94

Firewall AAA IOS Timeout Value Setting dialog box I-117

Firewall AAA MAC Exempt Setting dialog box I-113

Firewall ACL Setting dialog box I-104

Inspection page I-106

Web Filter page I-118

Web Filter Server Configuration dialog box I-121

Firewall tab M-95

Fit to Window command 3-9

FlexConfig objects

adding to policies 19-26

changing order in policies 19-26

changing variable values 19-26

CLI commands 19-2

configuring 19-21

configuring AAA for administrative introducers 14-80

creating 19-24

deleting variables 19-24

previewing CLI 19-26

removing from policies 19-26

samples 19-16

scripting language

example of looping 19-3

example of looping with if/else statements 19-4

example of two-dimensional looping 19-3

understanding 19-3

system variables

understanding 19-7

understanding 19-1

variables 19-5

variables, example 19-6

FlexConfig policies

adding objects 19-26

changing object order 19-26

changing variable values 19-26

configuring 19-21

configuring AAA for administrative introducers 14-80

editing 19-26

previewing CLI 19-26

removing objects 19-26

understanding 19-1

FlexConfig Policy page 19-27

FlexConfig Preview dialog box 19-29

FlexConfigs

creating (scenario) 19-21

managing 19-1

FlexConfig Undefined Variables dialog box F-51

Flood engine

described M-21

floodguard 15-79

Flood Host engine

parameters (table) M-21

Flood Net engine

parameters (table) M-22

FQDN

redirection using

cluster load balancing and 11-15

fragmentation

in remote access VPNs 11-28

in site-to-site VPNs

General Settings tab G-37

understanding 10-56

maximum transmission unit (MTU) 10-56

path MTU discovery and 10-31

fragments settings 15-79

frequently asked questions

policy discovery 7-16

FTP class map objects

Add or Edit FTP Class Map dialog box F-54

Add or Edit Match Criterion dialog box F-66

creating 9-41

FTP policy map objects

Add or Edit Match Condition and Action dialog box F-66

creating 9-45

full mesh topologies

description 10-4

diagram 10-4

full tunnel client access mode 11-4

FWSM

See Firewall Services Module (FWSM)

bridge groups 15-27

credentials C-22

PDM 21-2

policy discovery 7-12

rollback, commands to recover from failover misconfiguration 18-38

rollback command conflicts 18-37

rollback restrictions for failover devices 18-35

rollback restrictions for multiple context mode 18-35

setting up SSL (HTTPS) 5-3

FWSM devices

adding SSL thumbprints manually 6-21

SSL certificate configuration A-12

G

Gateway and Context page H-13

General Configuration tab M-81

General page, device properties C-27

general settings

configuring 11-46

General Settings tab H-72

General sub-tab M-53

General tab M-89

General tab (IOS) H-97

global settings

configuring 11-28

understanding 11-28

Global Settings page H-68

GRE (generic routing encapsulation)

advantages of IPsec tunneling with GRE 10-65

configuring policies 10-69

for devices with dynamic IP 10-67

GRE Modes page G-43

implementation 10-65

IPsec technology 10-5

prerequisites for successful configuration 10-66

understanding in site-to-site VPNs 10-65

using DMVPN with 10-71

GRE Dynamic IP

configuring policies 10-69

for dynamically addressed spokes 10-67

IPsec technology 10-5

group policies

understanding 11-30

Group Policies page H-74

groups

adding or removing devices 6-31

creating 6-30

deleting 6-31

understanding 6-28

working with 6-28

group types

creating 6-30

deleting 6-31

GTP map objects

Add Country Network Codes dialog box F-70

Edit Country Network Codes dialog box F-70

GTP Map Timeouts dialog box F-71

GTP policy map objects

Add or Edit Match Condition and Action dialog box F-71

creating 9-46

H

H.323 class map objects

Add or Edit H.323 Class Map dialog box F-54

Add or Edit Match Criterion dialog box F-75

creating 9-41

H.323 policy map objects

Add H.323 Map dialog box F-73

Add or Edit Match Condition and Action dialog box F-75

creating 9-47

Edit H.323 Map dialog box F-73

Hardware Client Attributes

ASA user group objects F-30

hash algorithms

in IKE proposals 10-48

MD5 10-48

SHA 10-48

help

accessing 3-23

Help About This Page command 3-12

help desk user role 2-16

helper addresses 14-21

Help menu 3-12

Help Topics command 3-12

Hide Navigation Window command 3-9

high availability (HA groups)

configuring in Easy VPN 10-76

configuring in site-to-site VPN 10-42

High Availability page (site-to-site VPN) G-24

in remote access VPNs 11-42, 11-43

prerequisites 10-41

stateful failover 10-41

stateless failover 10-41

understanding in site-to-site VPN 10-41

High Availability page H-93

high availability policies

configuring 11-43

understanding 11-42

Histogram dialog box M-54

historical events

CS-MARS 21-21

hit count

changing displayed results 12-20

filtering columns 12-21

sorting columns 12-21

viewing details 12-22

generating reports 12-17

understanding 12-16

understanding report results 12-18

Hit Count page I-145

hostnames

Cisco IOS routers

defining 14-74

Hostname Policy page J-119

overview 14-74

hostname settings

configuring on firewall devices 15-50

HSRP 15-27

HTTP

Cisco IOS routers

AAA tab J-84

Command Authorization Override dialog box J-86

defining policies 14-58

HTTP Policy page J-82

overview 14-57

Setup tab J-83

HTTP class map objects

Add or Edit HTTP Class Map dialog box F-54

Add or Edit Match Criterion dialog box F-87

creating 9-41

HTTP policy

overriding HTTPS port number C-31

sharing

HTTPS port number C-31

HTTP policy map objects

ASA7.1.x/PIX7.1.x/FWSM3.x/IOS

creating 9-49

ASA7.2+/PIX7.2+

Add or Edit Match Condition and Action dialog box F-87

ASA7.2/PIX7.2

creating 9-50

understanding 9-48

HTTPS

setting up 5-3

troubleshooting certificate errors 6-21

HTTP settings

configuring on firewall devices 15-37

hub-and-spoke topology

description 10-2

diagram 10-2

I

ICMP settings

configuring on firewall devices 15-38

configuring on IOS routers J-24

icons

map elements B-2

toolbar reference 3-12

idle timeout, Security Manager client A-5

IDM

device manager 21-2

IDSM

Create and Edit IDSM Data Port VLANs dialog boxes L-32

Create and Edit IDSM EtherChannel VLANs dialog boxes L-31

credentials C-22

defining Data Port VLANs 16-19

defining EtherChannel VLANs 16-17

deleting Data Port VLANs 16-20

deleting EtherChannel VLANs 16-18

IDSM Settings page L-30

IDSM Slot-Port Selector dialog box L-33

understanding settings on Catalyst devices 16-16

IEV

IPS Event Viewer 21-12

IGMP

configuring on firewall devices 15-72

IKE (Internet Key Exchange)

aggressive mode negotiation 10-47

main mode negotiation 10-47

proposals 10-47

understanding 10-47

IKE keepalive

understanding 10-55

IKE proposal objects

creating 9-38

IKE Proposal dialog box F-52

understanding 9-38

IKE Proposal page H-81

IKE proposals (policies)

configuring 10-49

IKE Proposal page (site-to-site VPN) G-28

IKE protocol

using RADIUS

as the authentication method 10-82

IM class map objects

Add or Edit IM Class Map dialog box F-54

Add or Edit Match Criterion dialog box F-92

creating 9-41

IM policy map objects

ASA7.2+/PIX7.2+

Add or Edit Match Condition and Action dialog box F-92

creating 9-51

IOS

Add or Edit IM Map dialog box F-94

creating 9-52

Import Background Image dialog box B-12

importing rules 12-22

examples

extended access list 12-23

standard access list 12-24

how to 12-25

notes 12-23

Import Rules

Show Destination Contents dialog box I-134

Show Interface Contents dialog box I-135

Show Service Contents dialog box I-134

Show Source Contents dialog box I-133

Import Rules - Enter Parameters dialog box I-127

Import Rules - Preview page I-130

Objects tab I-132

Rules tab I-130

Import Rules - Status page I-129

inheritance

for signatures 13-8

inheriting rules 7-31

Inherit Rules dialog box D-10

understanding 7-4

versus assignment 7-6

Inherit Rules command 3-8

Inherit Rules dialog box D-10

Inline Pairs tab M-72

inspection map objects

class maps

creating 9-41

understanding 9-39

LDAP map objects

creating 9-67

understanding 9-67

policy maps

creating 9-44

creating DCE/RPC 9-42

creating DNS 9-43

creating FTP 9-45

creating GTP 9-46

creating H.323 9-47

creating HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) 9-49

creating HTTP (ASA 7.2+/PIX 7.2+) 9-50

creating IM for ASA/PIX 9-51

creating IM for IOS devices 9-52

creating IPSec Pass Through 9-53

creating NetBIOS 9-54

creating SIP 9-55

creating Skinny 9-56

creating SNMP 9-57

understanding 9-40

understanding HTTP 9-48

regular expression group objects

creating 9-58

regular expression objects

creating 9-58

metacharacters 9-59

traffic flow objects

creating 9-109

understanding 9-110

understanding 9-39

Inspection page I-106

inspection rules

adding 12-49

Add Inspection Rule dialog box I-23

Configure DNS dialog box I-47

Configure ESMTP dialog box I-49

Configure Fragments dialog box I-49

Configure IMAP dialog box I-50

Configure POP3 dialog box I-51

Configure RPC dialog box I-52

Configure SMTP dialog box I-47

configuring custom destination ports 12-51

configuring default inspection traffic 12-51

configuring settings 12-95

configuring source and destination address and port (asa/fwsm3.x) 12-53

Custom Protocol dialog box I-48

deleting 12-58

disabling 12-56

Edit Category dialog box I-53

Edit Description dialog box I-53

Edit Destinations dialog box I-39

editing 12-55

Edit Inspected Protocol dialog box I-45

Edit Inspection Rule dialog box I-23

Edit Sources dialog box I-38

enabling 12-56

Inspection Rules page I-21

Limit Inspection Between Source and Destination IP Addresses (ASA) page I-29

Match Traffic by Custom Destination Ports page I-32

Match Traffic by Destination Address and Port (IOS) page I-33

Match Traffic by Source and Destination Address and Port (ASA) page I-34

Match Traffic to Default Protocol Ports page I-26

moving down 12-58

moving up 12-58

Show Destination Contents dialog box I-40

Show Interface Contents dialog box I-44

Show Service Contents dialog box I-42

Show Source Contents dialog box I-39

supported features 12-97

understanding 12-48

Inspection Rules page I-21

inspect maps

class maps

Add or Edit Match Criterion dialog box F-59, F-66, F-75, F-87, F-92, F-99

Class Map dialog box F-54

policy maps

Add Country Network Codes dialog box F-70

Add or Edit FTP Map dialog box F-65

Add or Edit IM Map dialog box F-94

Add or Edit Match Condition and Action dialog box F-59, F-63, F-66, F-71, F-75, F-87, F-92, F-99, F-103

Add or Edit SIP Map dialog box F-97

Edit Country Network Codes dialog box F-70

installing

Security Manager client 1-9

Integrated Local Management Interface (ILMI) 14-35

Interactive Authentication Configuration dialog box I-109

interface

add and edit 15-6

duplex K-51

IP type

ASA and PIX 7+ 15-10

PIX 6.3 15-11

MAC address 15-12

management 15-5

media type 15-13

Interface Notifications tab M-87

Interface Pair dialog box M-73

interface pairs

described M-73

Interface Pairs dialog box

described M-73

Interface Properties dialog box B-15

interface role objects

creating 9-62

defining subinterfaces 9-63

distinguishing from interfaces 9-63

exceptional cases 9-64

Interface Name Conflict dialog box F-109

Interface Role dialog box F-108

specifying during policy definition 9-63

understanding 9-61

interfaces

Catalyst switches and 7600 Series routers

Access Port Selector dialog box L-6

Create and Edit Interface dialog boxes-Access Port mode L-12

Create and Edit Interface dialog boxes-Dynamic Port mode L-21

Create and Edit Interface dialog boxes-Other mode L-27

Create and Edit Interface dialog boxes-Routed Port mode L-15

Create and Edit Interface dialog boxes-subinterfaces L-25

Create and Edit Interface dialog boxes-Trunk Port mode L-17

Create and Edit VLAN dialog boxes L-4

Create and Edit VLAN Group dialog boxes L-8

defining ports 16-6

deleting ports 16-8

generating names 16-7

Interfaces/VLANs page L-3

Interfaces/VLANs page-Interfaces tab L-10

Interfaces/VLANs page-Summary tab L-29

Interfaces/VLANs page-VLAN Groups tab L-7

Interfaces/VLANs page-VLANs tab L-3

Service Module Slot Selector dialog box L-9

Trunk Port Selector dialog box L-7

understanding 16-5

VLAN Selector dialog box L-10

Cisco IOS routers

Advanced Interface Settings dialog box J-21

Advanced Interface Settings page J-20

available types 14-15

Create Router Interface dialog box J-14

defining advanced settings 14-22

defining basic settings 14-16

deleting from 14-19

generating interface names 14-19

Interface Auto Name Generator dialog box J-19

overview 14-14

Router Interfaces page J-13

understanding advanced settings 14-20

understanding helper addresses 14-21

contexts 15-4

defining subinterfaces 9-63

distinguishing from interface roles 9-63

Interface Name Conflict dialog box F-109

PIX/ASA/FWSM

checklist for configuring multiple contexts 15-86

configuring 15-2

enabling traffic between same security levels 15-14, 15-15

managing the PPPoE users list 15-15

managing VPDN groups 15-16

troubleshooting 15-17

understanding 15-2

redundant 15-4

routed and transparent 15-4

specifying during policy definition 9-63

Interfaces page M-70

Interfaces pane

described M-70

Internal Zone tab M-52

inventory

deleting devices from 6-24

export devices

DCR and CS-MARS formats 6-26

overview 6-25

using command line utility 6-26

migrating Catalyst data 16-2

migrating unmanaged service modules 16-4

inventory, device

adding devices 6-7

adding devices from configuration files 6-10

adding devices from export file 6-12

adding devices from network 6-8

adding devices manually 6-11

managing 6-1

testing device connectivity 6-15

understanding 6-1

understanding contents 6-3

user interface reference C-1

viewing inventory status 6-25

working with 6-6

inventory report

status window C-37

Inventory Status

event monitoring 21-11

Inventory Status command 3-10

Inventory Status window C-37

and Performance Monitor 21-7

Inverse ARP J-47

inverse multiplexing over ATM (IMA) J-35

IOS device

remote access VPNs

Dynamic VTI/VRF Aware IPsec settings H-89

IOS devices

remote access IPSec VPNs

advanced settings 11-49

creating using wizard 11-10

general settings 11-46

portal page 11-47

secure desktop software 11-48

user group policies 11-44

remote access SSL VPNs

configuring 11-45

creating using wizard 11-8

secure desktop manager policies 11-27

remote access VPNs

Context Editor dialog box (IOS) H-97, H-99, H-100, H-101

high availability H-93

IPsec proposals H-85

SSL VPN policies H-96

user group policies H-95

SDM 21-2

IOS Software Release 12.1 and 12.2

managing routers 14-2

IOS Web Filter Rule and Applet Scanner dialog box I-90

IP address

supporting dynamic 6-14

transparent firewall management K-58

IP addresses

network/host optimization 9-69

network masks 9-70

specifying in policies 9-74

supported formats 9-69

IPS

updates, automatically applying 20-9

updates, checking for and downloading 20-8

updates, configuring server 20-7

updates, managing 20-7

updates, manually applying 20-10

IPS devices

adding SSL thumbprints manually 6-21

credentials, AIM-IPS module C-24

initializing 5-11

license, redeploying 20-5

license, updating 20-4

license, updating automatically 20-6

policy discovery 7-13

rollback restrictions 18-36

showing containment 6-23

SSL certificate configuration A-12

IPSec

remote access VPNs

certificate to connection profile map policies 11-35

certificate to connection profile map rules 11-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-80

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-79

Certificate to Connection Profile Maps > Policies page H-77

Certificate to Connection Profile Maps > Rules page H-78

cluster load balancing 11-14, 11-15, H-24

connection profiles 11-16, 11-17

connection profiles (ASA) H-25

creating using wizard 11-10, 11-12

dynamic access policies 11-17, 11-18

dynamic access policy (DAP) attributes 11-20, 11-23

Dynamic Access policy page (ASA) H-37

Dynamic VTI/VRF Aware IPsec settings H-89

fragmentation settings H-72

global settings 11-28

Global Settings page H-68

group policies H-74, H-75

high availability H-93

high availability policies 11-42, 11-43

IKE proposals H-81

IPSec proposals 11-38, 11-39

IPsec proposals H-82, H-84, H-85

ISAKMP/IPsec settings H-69

NAT settings H-71

Public Key Infrastructure (PKI) H-76

public key infrastructure (PKI) policies 11-33

public key infrastructure (PKI) proposals 11-37, 11-38

secure desktop manager policies 11-24, 11-26, 11-27

understanding 11-2

user group policies 11-44, H-95

VPNSM/VPN SPA settings H-87

IPsec Pass Through policy map objects

creating 9-53

IPsec Proposal Editor dialog box (for IOS Routers and Catalyst 6500/7600 Devices) H-85

IPsec Proposal Editor dialog box (for PIX and ASA Devices) H-84

IPsec Proposal page H-82

IPSec proposals

configuring 11-39

understanding 11-38

IPsec proposals (policies)

configuring for Easy VPN 10-79

configuring in site-to-site VPNs 10-53

IPsec Proposal page (in Easy VPN)

IPsec Proposal tab G-52

usage G-51

IPsec Proposal page (site-to-site VPN) G-29

using crypto maps in 10-51

using reverse route injection in 10-52

using transform sets in 10-51

IPsec Settings

ASA user group objects F-32

IPSec Settings page (ASA) H-18

IPsec technologies

defining 10-15

DMVPN 10-5

Easy VPN 10-5

GRE 10-5

GRE Dynamic IP 10-5

mandatory policies 10-6

optional policies 10-6

regular IPsec 10-5

understanding 10-5

working with policies 10-5

IPsec transform set objects

creating 9-66

IPsec Transform Set dialog box F-110

supported modes 9-65

supported protocols 9-65

understanding 9-64

IPsec tunnels

understanding policies 10-50

IPSec VPN

Remote Access Configuration wizard

Defaults page (ASA) H-19

Defaults page (IOS) H-22

IPSec Settings page (ASA) H-18

IPSec VPN Connection Profile page (ASA) H-16

User Group Policy page (IOS) H-21

IPSec VPN Connection Profile page (ASA) H-16

IPS Event Viewer 21-12

accessing signatures in Security Manager 21-14, 21-15

Ethereal 21-13

starting 21-13

using with Security Manager 21-13

IPS Event Viewer command 3-11

IPS interfaces

IPS Monitoring Information dialog box J-28

IPS sensor

IDM 21-2

IPS sensors

default transport protocol A-12

IPS signature

CS-MARS query 21-27

IPS signatures

accessing from IEV 21-14

Realtime Dashboard 21-15

Views display 21-15

viewing related CS-MARS events 21-27

IPS tab, Licensing page A-29

IPS Updates page A-17

IPS User Interface Reference M-1

ISAKMP/IPsec settings

IKE keepalive 10-55

in remote access VPNs 11-28

in site-to-site VPNs 10-55

ISAKMP/IPsec Settings tab (site-to-site VPN) G-33

ISAKMP/IPsec Settings tab H-69

J

job deployment methods

understanding 18-9

jobs

aborting 18-30

approving 18-23

creating and editing 18-20

Deployment Manager 18-2

discarding 18-25

including devices in 18-9

rejecting 18-23

states

Workflow mode 18-7

submitting 18-22

joined hub-and-spoke topology 10-5

Join Group tab

description 15-72

JumpStart 1-10

Jumpstart command 3-12

K

Kerberos

use by ASA devices 9-17

knowledge base

histogram M-54

tree structure M-54

scanner threshold M-54

L

Layer 2 firewall

See transparent firewall

LDAP map objects

Add LDAP Attribute Map dialog box F-112

Add LDAP Attribute Map Value dialog box F-113

Add Map Value dialog box F-113

creating 9-67

Edit LDAP Attribute Map dialog box F-112

Edit LDAP Attribute Map Value dialog box F-113

Edit Map Value dialog box F-113

understanding 9-67

Learning Accept Mode tab M-50

licenses

managing 20-3

redeploying IPS 20-5

Security Manager 20-3

updating IPS 20-4

updating IPS, automating 20-6

License Update Status Details dialog box A-31

licensing

Settings page A-28

Lightweight Directory Access Protocol (LDAP)

use by ASA devices 9-17

Limit Inspection Between Source and Destination IP Addresses (ASA) page I-29

line access

Cisco IOS routers

Console Policy page J-87

overview 14-60

VTY Policy page J-96

load balancing M-103

load-balancing devices

in a VPN cluster

redirection using FQDN 11-15

Local Policy Will Be Replaced dialog box D-2

locking

activities 8-2

committed configuration 8-2

devices and policies 7-8

objects 7-10

understanding 7-7

VPN topologies 7-9

Log Buffer window 21-5

logging

Cisco IOS routers

defining setup parameters 14-100

defining syslog servers 14-102

Logging Setup Policy page J-142

overview 14-99

Syslog Server dialog box J-147

Syslog Servers Policy page J-145

understanding severity levels 14-99

NetFlow 15-63

PIX/ASA/FWSM

configuring on 15-62

e-mail setup 15-64

event lists 15-65

logging filters 15-66

logging setup 15-67

rate limit levels 15-68

server setup 15-69

syslog servers 15-70

logging command

class option

message class variables K-126

logging in to

Cisco Security Management Suite server 1-8

CiscoWorks Common Services 1-8

logging into

Security Manager 1-8, 1-9

Logging page M-87

logs

configuring audit log default settings A-32

configuring debug levels A-6

Logs page A-32

LOKI

described M-47

protocol M-46

loopback cells 14-36

low-latency queuing (LLQ) 14-108

M

MAC address table

learning, disabling K-57

overview K-56

MAC exempt address lists

adding 12-100

deleting 12-101

editing 12-100

understanding 12-99

management access settings

configuring on firewall devices 15-40

Management Center for Cisco Security Agents 17-4

Management Center for Cisco Security Agents tab M-84

managing the PPPoE users list 15-15

managing VPDN groups 15-16

Map menu 3-9

Map Properties command 3-9

Map Rule dialog box (lower pane) H-80

Map Rule dialog box (upper pane) H-79

maps

access permissions 4-2

adding existing managed devices 4-13

adding new managed devices 4-13

background color 4-9

background images

deleting 4-11

importing 4-10

overview 4-9

scale and position 4-11

setting 4-10

centering elements 4-6

changing the zoom level 4-6

creating 4-3

default map 4-8

deleting 4-4

displaying devices from Device View 4-14

displaying managed devices 4-13

displaying your network 4-12

elements, understanding 4-12

excluding private and reserved networks A-2

exporting 4-4

icons B-2

Layer 3 automatic connectivity display 4-17

Layer 3 link

creating 4-16

deleting 4-16

displaying 4-16

layouts, using 4-7

navigating 4-5

navigation window 4-5

objects

adding 4-15

deleting 4-15

user created overview 4-15

opening 4-3

overview 4-1

panning 4-5

refreshing 4-8

saving 4-3

searching for elements 4-7

selecting elements 4-6

showing containment for Catalyst, ASA, PIX, IPS devices 4-14

understanding 4-1

undocking window 4-7

unlinked, using 4-8

working with 4-2

Map Settings dialog box B-11

Map View

cloning devices 4-25

context menu

Layer 3 link B-7

managed device node B-6

map background B-8

map objects B-8

selected nodes B-7

VPN connection B-7

copying policies between devices 4-25

device policies, managing 4-24

dialog box reference B-9

discovering device configurations 4-26

firewall

AAA rules 4-18

access rules 4-18

ACL settings 4-20

AuthProxy settings 4-20

inspection rules 4-18

inspection settings 4-20

policies 4-17

services 4-17

settings 4-19

transparent rules 4-19

web filter rules 4-19

web filter settings 4-21

icons for elements B-2

main page B-1

menus B-5

navigation window B-5

previewing device configurations 4-26

sharing device policies 4-25

toolbar reference B-4

user interface reference B-1

VPNs

adding or removing tunnels 4-24

creating 4-21

creating full mesh or hub and spoke 4-22

creating point-to-point 4-21

displaying existing 4-23

editing peers 4-23

editing policies 4-23

listing peers 4-24

managing 4-21

Map view

Autolink Settings page A-2

overview 1-5, 4-1

Map View command 3-8

master blocking sensor

definition of 17-9

Master Blocking Sensor dialog box M-92

Master Blocking Sensors tab M-91

Master engine

general parameters (table) M-23

universal parameters M-23

Match Traffic by Custom Destination Ports page

inspection rules I-32

Match Traffic by Destination Address and Port (IOS) page

inspection rules I-33

Match Traffic by Source and Destination Address and Port (ASA) page

inspection rules I-34

Match Traffic to Default Protocol Ports

inspection rules I-26

maximum receive reconstructed unit (MRRU) J-64

maximum segment size (MSS) J-23

maximum transmission unit (MTU) 10-56

MD5 hash algorithm 10-48

memory-allocation lite J-120

memory settings

Cisco IOS routers

defining 14-75

overview 14-75

Memory Policy page J-119

menu reference

Activities 3-11

Edit 3-7

Edit, table commands 3-20

File 3-6

Help 3-12

Map 3-9

overview 3-5

Policy 3-8

Tools 3-10

View 3-8

message classes

list of K-126

Meta engine

parameters (table) M-14

modify permissions 2-8

additional types 2-14

for objects 2-10

for policies 2-9

Modify Physical Interface Map dialog box M-72

monitoring

and device managers 21-1

CS-MARS events 21-16

device status 21-1

IPS sensors 21-12

network activities 21-1

with status providers 21-7

Move Row Down command 3-7

Move Row Up command 3-7

MRoute page

description 15-73

Multicast Boundary Filter page

description 15-73

multicast routing

PIX/ASA/FWSM

configuring on 15-71

enabling 15-71

IGMP 15-72

multicast boundary filters 15-73

multicast routes 15-73

PIM 15-74

multicast traffic 15-27

Multiclass Multilink PPP (MCMP) 14-45

multilink PPP (MLP) 14-41

defining bundles 14-45

multiple users

activities 8-3

Multi String engine

described M-17

parameters (table) M-17

Regex M-17

MySDN 13-8

N

NAT Settings tab H-71

NAT traversal 10-56

NBAR

enabling protocol discovery J-25

NetBIOS policy map objects

creating 9-54

NetFlow J-23

configuring 15-63

CS-MARS query 21-17

managing 15-63

network/host objects

creating 9-71

Network/Host dialog box F-114

network masks 9-70

null value objects 9-73

optimizing 9-69

provisioning as PIX object groups 9-123

supported IP address formats 9-69

understanding 9-68

network access device (NAD) 14-94

Network Access Restriction (NAR) 2-22

Network Address Translation (NAT)

Cisco IOS routers

creating dynamic rules 14-11

creating static rules 14-5

designating interfaces 14-4

Dynamic Rule dialog box J-10

Dynamic Rules tab J-9

Edit Inside Interfaces dialog box J-3

Edit Outside Interfaces dialog box J-4

Interface Specification tab J-3

NAT Policy page J-2

overview 14-4

specifying timeouts 14-13

Static Rule dialog box J-6

Static Rules tab J-5

Timeouts tab J-12

configuring in remote access VPNs 11-28

configuring in site-to-site VPNs 10-55

configuring NAT traversal 10-56

NAT Settings tab (site-to-site VPN) G-35

PIX/ASA/FWSM

Address Pool dialog box K-5

Address Pools page K-4

clearing XLATE on deployment 15-84

configuring on 15-17

configuring