-
User Guide for Cisco Security Manager 3.2.2
-
Preface
-
Getting Started with Security Manager
-
Managing User Accounts
-
Working with the Security Manager User Interface
-
Using Map View
-
Preparing Devices for Management
-
Managing the Device Inventory
-
Managing Policies
-
Managing Activities
-
Managing Objects
-
Managing Site-to-Site VPNs
-
Managing Remote Access VPNs
-
Managing Firewall Services
-
Managing IPS Services
-
Managing Routers
-
Managing Firewall Devices
-
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
-
Managing IPS Devices
-
Managing Deployment
-
Managing FlexConfigs
-
Managing the Security Manager Server
-
Using Monitoring, Troubleshooting, and Diagnostic Tools
-
Administrative Settings User Interface Reference
-
Map View User Interface Reference
-
Device Inventory User Interface Reference
-
Policy User Interface Reference
-
Activities User Interface Reference
-
Policy Object Manager User Interface Reference
-
Site-to-Site VPN User Interface Reference
-
Remote Access VPN User Interface Reference
-
Firewall Services User Interface Reference
-
Router Platform User Interface Reference
-
PIX/ASA/FWSM Platform User Interface Reference
-
Catalyst Platform User Interface Reference
-
IPS User Interface Reference
-
Deployment User Interface Reference
-
Index
-
Table Of Contents
Policy Object Manager User Interface Reference
Policy Object Manager Window Shortcut Menu
Policy Object Add or Edit Dialog Boxes
AAA Server Dialog Box—RADIUS Settings
AAA Server Dialog Box—TACACS+ Settings
AAA Server Dialog Box—Kerberos Settings
AAA Server Dialog Box—LDAP Settings
AAA Server Dialog Box—NT Settings
AAA Server Dialog Box—SDI Settings
AAA Server Dialog Box—HTTP-FORM Settings
Add or Edit Access List Dialog Boxes
Add and Edit Extended Access Control Entry Dialog Boxes
Add and Edit Standard Access Control Entry Dialog Boxes
Add and Edit Web Access Control Entry Dialog Boxes
ASA User Group Dialog Box: Client Configuration Settings
ASA User Group Dialog Box: Client Firewall Attributes
ASA User Group Dialog Box: Hardware Client Attributes
ASA User Group Dialog Box: IPsec Settings
ASA User Group Dialog Box: SSL VPN Clientless Settings
ASA User Group Dialog Box: SSL VPN Full Client Settings
ASA User Group Dialog Box: SSL VPN Settings
ASA User Group Dialog Box: DNS/WINS Settings
ASA User Group Dialog Box: Split Tunneling
ASA User Group Dialog Box: Connection Settings
Add or Edit Secure Desktop Configuration Dialog Box
Add and Edit File Object Dialog Boxes
Add or Edit FlexConfig Dialog Box
FlexConfig Undefined Variables Dialog Box
Add or Edit Class Maps Dialog Boxes
Add or Edit DCE/RPC Dialog Box
Add and Edit DNS Map Dialog Boxes
DNS Map Protocol Conformance Tab
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add or Edit ESMTP Map Dialog Boxes
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Add and Edit FTP Map Dialog Boxes
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add and Edit GTP Map Dialog Boxes
Add and Edit Country Network Codes Dialog Boxes
Add and Edit Permit Response Dialog Boxes
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Add and Edit H.323 Map Dialog Boxes
Add or Edit HSI Group Dialog Boxes
Add or Edit HSI Endpoint IP Address Dialog Boxes
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
HTTP Map RFC Request Method Tab
HTTP Map Extension Request Method Tab
HTTP Map Transfer Encoding Tab
Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Add and Edit IM Map Dialog Boxes (for ASA 7.2+/PIX 7.2+)
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Add or Edit IM Map (IOS) Dialog Boxes
Add or Edit IPsec Pass Through Map Dialog Boxes
Add or Edit NetBIOS Map Dialog Boxes
Add or Edit SIP Map Dialog Boxes
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Add or Edit Skinny Map Dialog Boxes
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Add and Edit SNMP Map Dialog Boxes
Add and Edit Regular Expression Group Dialog Boxes
Add and Edit Regular Expression Dialog Boxes
Add and Edit TCP Map Dialog Boxes
Add and Edit TCP Option Range Dialog Boxes
Interface Name Conflict Dialog Box
IPsec Transform Set Dialog Box
Add and Edit LDAP Attribute Map Dialog Boxes
Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value
Add and Edit LDAP Attribute Map > Add and Edit LDAP Attribute Map Value > Add and Edit Map Value
PKI Enrollment Dialog Box—CA Information Tab
PKI Enrollment Dialog Box—Enrollment Parameters Tab
PKI Enrollment Dialog Box—Certificate Subject Name Tab
PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab
Port Forwarding List Dialog Box
Add/Edit Port Forwarding Entry Dialog Box
Add and Edit Service Dialog Boxes
Add or Edit Single Sign On Server Dialog Boxes
Add or Edit SLA Monitor Dialog Box
Add or Edit Bookmarks Dialog Boxes
Add and Edit Bookmark Entry Dialog Boxes
Add and Edit Post Parameter Dialog Boxes
Add and Edit SSL VPN Customization Dialog Boxes
SSL VPN Customization Dialog Box—Title Panel
SSL VPN Customization Dialog Box—Language
SSL VPN Customization Dialog Box—Logon Form
SSL VPN Customization Dialog Box—Informational Panel
SSL VPN Customization Dialog Box—Copyright Panel
SSL VPN Customization Dialog Box—Full Customization
SSL VPN Customization Dialog Box—Toolbar
SSL VPN Customization Dialog Box—Applications
SSL VPN Customization Dialog Box—Custom Panes
SSL VPN Customization Dialog Box—Home Page
SSL VPN Customization Dialog Box—Logout Page
Add or Edit SSL VPN Gateway Dialog Box
Add and Edit SSL VPN Smart Tunnel List Dialog Boxes
Add and Edit Smart Tunnel Entry Dialog Boxes
Add or Edit Text Object Dialog Box
Add and Edit Traffic Flow Dialog Boxes
User Group Dialog Box—General Settings
User Group Dialog Box—DNS/WINS Settings
User Group Dialog Box—Split Tunneling
User Group Dialog Box—IOS Client Settings
User Group Dialog Box—IOS Xauth Options
User Group Dialog Box—IOS Client VPN Software Update
User Group Dialog Box—Advanced PIX Options
User Group Dialog Box—Clientless Settings
User Group Dialog Box—Thin Client Settings
User Group Dialog Box—SSL VPN Full Tunnel Settings
User Group Dialog Box—SSL VPN Split Tunneling
User Group Dialog Box—Browser Proxy Settings
User Group Dialog Box—SSL VPN Connection Settings
Add or Edit WINS Server List Dialog Box
Add or Edit WINS Server Dialog Box
Policy Object Overrides Window
Create Overrides for Device Dialog Box
Policy Object Manager User Interface Reference
The Policy Object Manager is used to create and globally manage all the policy objects configured with Cisco Security Manager. You use policy objects to simplify the creation of device-level and shared policies.
This chapter contains the following topics:
•
Policy Object Add or Edit Dialog Boxes
•
Policy Object Manager Window
Use the Policy Object Manager window to:
•
•
•
Navigation Path
Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.
Related Topics
•
•
•
•
•
Field Reference
Table F-1 Policy Object Manager Window
Object Type selector or table of contents
(Left pane.)
Lists the object types available in Security Manager. When you select an object type, all existing objects of that type are listed in the table in the right pane.
Filter area
(Right pane.)
Use the filter controls above the policy object table to reduce the number of objects displayed. This can help you find an object you want to work with. For information on filtering tables, see Filtering Tables, page 3-17.
The policy object table in the right pane lists existing objects of the type selected in the table of contents. Using this table, you create new objects and work with existing ones. You can use the buttons below the table, or right-click within the table to see additional commands (see Policy Object Manager Window Shortcut Menu).
Except for the Access Control Lists (ACL) object, there is one table per object type. For ACLs, there are tabs to separate Extended, Standard, and Web ACLs. Select the appropriate tab to work with the desired object type.
The columns in the table vary based on the type of object you select. You can alter the columns displayed in the table by right-clicking the table heading and selecting or deselecting columns in the Show Columns command. You can also sort the information by the contents in a column by clicking the column heading; click the heading to toggle between alphabetical and reverse alphabetical sorting.
For detailed information on the settings that are displayed in the table, click the Create or Edit buttons below the table and click Help in the dialog box that is opened. Following is a description of the columns that you typically see.
Icon (unlabeled field)
The icon displayed for a policy object type identifies objects of that type wherever they appear, such as in rules tables. If the icon includes the image of a pencil, you can edit it.
Name
The name of the policy object.
Content
A summary of the object definition that might not include all defined settings.
Permit
For ACL objects, if the Access Control Entry (ACE) allows traffic, a check mark appears in the Permit column. If the action is deny, a red circle with a slash appears.
Category
The category object that is assigned to the object, if any. Categories help you organize and identify rules and objects. For more information, see Using Category Objects, page 9-4.
Overridable
Whether a user can override the object properties at the device level. A check mark indicates that the object can be overridden. Not all object types are overridable.
For more information about device overrides, see Creating Device-Level Object Overrides, page 9-117.
Description
If a paper icon appears in this column, there is a description for the object. Double-click the icon to view the description or mouse-over the icon.
Click the New Object button to create a new object. The same icon is used for any button that adds an item to a table.
Clicking this button opens a dialog box to create the object. Click the Help button in the dialog box for information on the selected object type.
Click the Edit Object button to edit the selected object. The same icon is used for editing any object in a table.
The dialog box used for editing the object is the same as the one used for creating the object. If you try to edit a system-defined default object, you are allowed only to view the object contents. Click the Help button in the dialog box for information on the settings. For more information, see Editing Objects, page 9-6.
Click the Delete Object button to delete the selected object. You can delete only user-defined objects that are not currently being used in a policy or another policy object. For more information, see Deleting Objects, page 9-7.
Policy Object Manager Window Shortcut Menu
Right-clicking inside the policy object table in the Policy Object Manager window displays a shortcut menu for performing various functions on the selected object type.
Navigation Path
Click the Policy Object Manager button on the toolbar or select Tools > Policy Object Manager.
Related Topics
Field Reference
Table F-2 Policy Object Manager Window Shortcut Menu
New Object
Select this command to create a new policy object. Click Help in the dialog box that is opened for information specific to the object type.
Edit Object
Select this command to edit the policy object selected in the table. If you select a system-defined default object, you are presented with a view-only look at the object definition. For more information, see Editing Objects, page 9-6.
Delete Object
Select this command to delete the policy object selected in the table. You can delete only user-defined objects that are not being used in a policy or in another policy object. For more information, see Deleting Objects, page 9-7.
Edit Device Overrides
Select this command to change the device-level overrides for this object using the Policy Object Overrides Window. You can create, edit, and delete overrides. For more information, see Creating Device-Level Object Overrides, page 9-117.
Create Duplicate
Select this command to create a copy of the policy object. For more information, see Duplicating Objects, page 9-8.
Find Usage
Select this command to generate a usage report for the selected object using the Object Usage Window. The usage report tells you where the object is currently being used. for more information, see Generating Object Usage Reports, page 9-9.
View Object
Select this command to view the definition of the object using a read-only version of the edit dialog box for the object. For more information, see Viewing Object Details, page 9-10.
Policy Object Add or Edit Dialog Boxes
When you add or edit a policy object, a dialog box is opened that contains the settings for that type of policy object. Click Help in the dialog box for detailed information on the settings available for that type of object.
This section contains the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
AAA Server Group Dialog Box
Use the AAA Server Group dialog box to create, copy, and edit AAA server groups. When defining a policy that uses a AAA server for authentication, authorization, or accounting, you select the server by selecting the server group to which the server belongs.
Navigation Path
Select Tools > Policy Object Manager, then select AAA Server Groups from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
•
Field Reference
Table F-3 AAA Server Group Dialog Box
Name
The object name (up to 16 characters when using this object with firewall devices; up to 128 characters for Cisco IOS routers). Object names are not case-sensitive. Spaces are not supported.
For more information, see Guidelines for Managing Objects, page 9-5.
Note
Note
Description
Additional information about the object (up to 1024 characters).
Protocol
The protocol used by the AAA servers in the group:
•
•
•
•
•
•
•
AAA Servers
The AAA servers that comprise the server group. Enter the names of AAA servers or click Select to display an Object Selectors. The selector displays only those AAA servers that match the protocol you selected for the group.
TipMake this Group the Default AAA Server Group (IOS)
Applies only to IOS devices.
When selected, designates this AAA server group as the default group for the RADIUS or TACACS+ protocol. Select this check box if you intend to use a single global group for the selected protocol for all policies on a specific device requiring AAA.
When deselected, creates a AAA server group that is not designated as the default group for that protocol. Leave this check box deselected if you intend to create multiple RADIUS or TACACS+ AAA server groups. Multiple groups can be used to separate different AAA functions (for example, use one group for authentication and a different group for authorization) or to separate different customers in a VRF environment.
Note
Max Failed Attempts (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices.
The number of connection attempts that can fail before an unresponsive AAA server in the group is deactivated.
Values range from 1 to 5.
Reactivation Mode (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices.
The method to use when reactivating failed AAA servers in the group:
•
•
Note
Reactivation Deadtime (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices and only when Depletion is the selected reactivation mode.
The number of minutes that should elapse between the deactivation of the last server in the group and the reactivation of all the servers in the group. Values range from 0 to 1440 minutes (24 hours).
Group Accounting Mode (PIX, ASA, FWSM)
Applies only to PIX/ASA/FWSM devices using RADIUS or TACACS+.
The method for sending accounting messages to the AAA servers in the group:
•
Note
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
AAA Server Dialog Box
Use AAA Server dialog box to create, copy, and edit a AAA server object. These objects are collected into AAA server group objects.
Navigation Path
Select Tools > Policy Object Manager, then select AAA Servers from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
•
Field Reference
Table F-4 AAA Server Dialog Box—General Settings
Name
The object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
Additional information about the object (up to 1024 characters).
Host
•
•
Interface
The interface whose IP address should be used for all outgoing RADIUS or TACACS packets (known as the source interface). Enter the name of an interface or interface role, or click Select to display an Object Selectors.
If you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name.
If you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces.
TipNote
Timeout
The amount of time to wait until the AAA server is considered unresponsive.
Valid values for Cisco IOS routers range from 1-1000 seconds. The default is 5 seconds.
Valid values for ASA devices and other firewall devices running PIX 7.0 is 1-60 seconds. The default is 10 seconds.
Valid values for PIX devices running PIX 6.3 is 1-30 seconds. The default is 5 seconds.
Protocol
The protocol used by the AAA server:
•
•
•
•
•
•
•
Note
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
AAA Server Dialog Box—RADIUS Settings
Use the RADIUS settings in the AAA Server dialog box to configure a RADIUS AAA server object.
Navigation Path
Go to the AAA Server Dialog Box, then click RADIUS in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—TACACS+ Settings
Use the TACACS+ settings in the AAA Server dialog box to configure a TACACS+ AAA server object.
Navigation Path
Go to the AAA Server Dialog Box, then click TACACS+ in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—Kerberos Settings
Use the Kerberos settings in the AAA Server dialog box to configure a Kerberos AAA server object.
Note
Navigation Path
Go to the AAA Server Dialog Box, then click Kerberos in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—LDAP Settings
Use the LDAP settings in the AAA Server dialog box to configure a LDAP AAA server object.
Note
Navigation Path
Go to the AAA Server Dialog Box, then click LDAP in the Protocol field.
Related Topics
•
•
Field Reference
Table F-8 AAA Server Dialog Box—LDAP Settings
Enable LDAP over SSL
When selected, establishes a secure SSL connection between the ASA device and the LDAP server.
When deselected, SSL is not used for communications between the ASA device and the LDAP server.
Note
Server Port
The port used for communicating with the AAA server. Default is 389.
LDAP Hierarchy Location
The base distinguished name (DN), which is the location in the LDAP hierarchy where the authentication server should being searching when it receives an authorization request. For example, OU=Cisco. The maximum length is 128 characters.
The string is case-sensitive. Spaces are not permitted, but other special characters are allowed.
LDAP Scope
The scope of LDAP searches:
•
•
LDAP Distinguished Name
The DN and password that uniquely identify this ASA device in the LDAP schema (maximum of 128 characters). The DN is similar to a unique key in a database or a fully qualified path for a file.
Note
LDAP Login Directory
The name of the directory object in the LDAP hierarchy used for authenticated binding (maximum of 128 characters). Authenticated binding is required by some LDAP servers (including the Microsoft Active Directory server) before other LDAP operations can be performed.
This string is case-sensitive. Spaces are not permitted in the string, but other special characters are allowed.
LDAP Login Password
The case-sensitive, alphanumeric password for accessing the LDAP server (maximum of 64 characters). Spaces are not allowed.
SASL MD5 Authentication
Establishes a Simple Authentication and Security Layer (SASL) mechanism to authenticate an LDAP client (the ASA device) with an LDAP server.
When selected, the ASA device sends the LDAP server an MD5 value computed from the username and password.
When deselected, the MD5 authentication option is not used.
SASL Kerberos Authentication
Establishes an SASL mechanism to authenticate an LDAP client (the ASA device) to an LDAP server.
When selected, the ASA device sends the LDAP server the username and realm using the GSSAPI (Generic Security Services Application Programming Interface) Kerberos mechanism. This mechanism is stronger than the MD5 mechanism.
When deselected, the Kerberos authentication option is not used.
Note
Kerberos Server Group
Applies only when SASL Kerberos authentication is enabled.
The name of the Kerberos AAA server group used for SASL authentication. The maximum length is 16 characters.
LDAP Server Type
The type of LDAP server used for AAA:
•
•
•
Note
LDAP Attribute Map
The LDAP attribute configuration to bind to the LDAP server. Enter the name of an LDAP attribute map or click Select to display an Object Selectors.
LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. For more information, see Understanding LDAP Attribute Map Objects, page 9-67.
AAA Server Dialog Box—NT Settings
Use the NT settings in the AAA Server dialog box to configure an NT AAA server object.
Note
Navigation Path
Go to the AAA Server Dialog Box, then click NT in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—SDI Settings
Use the SDI settings in the AAA Server dialog box to configure an SDI AAA server object.
Note
Navigation Path
Go to the AAA Server Dialog Box, then click SDI in the Protocol field.
Related Topics
•
•
Field Reference
AAA Server Dialog Box—HTTP-FORM Settings
Use the HTTP-FORM settings in the AAA Server dialog box to configure an HTTP-Form AAA server object for single sign-on authentication (SSO).
Note
Navigation Path
Go to the AAA Server Dialog Box, then click HTTP-FORM in the Protocol field.
Related Topics
•
•
Field Reference
Add or Edit Access List Dialog Boxes
Use the Add and Edit Access List dialog boxes to define access control entries (ACEs) for an ACL object. From this page, you can change the order of the ACEs and ACL objects within the table, add or edit ACEs and ACL objects, and delete ACEs and ACL objects.
The title of the dialog box indicates the type of ACL you are creating: Extended, Standard, or Web Type. The dialog boxes are essentially the same, the difference being the columns displayed in the ACE table.
Navigation Path
Select Tools > Policy Object Manager, then select Access Control Lists from the Object Type selector. Select the tab for the type of ACL object you want to create, and then right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
•
•
•
•
Field Reference
Table F-12 Add and Edit Access List Dialog Boxes
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
An optional description of the object.
Access Control Entry table
The access control entries (ACEs) and ACL objects that are part of the ACL. The table displays the name of the entry or object, description, options, services, and other attributes of the entry.
In the Permit column, a green checkmark indicates that the entry permits traffic, whereas a red circle with a slash indicates that traffic is denied.
The source and, if applicable, destination addresses can be host IP addresses, network addresses, or network/host policy objects.
•
–
–
–
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit Extended Access Control Entry Dialog Boxes
Use the Add or Edit Extended Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to an Extended ACL object.
Navigation Path
From the Add or Edit Access List Dialog Boxes for Extended ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.
Related Topics
•
•
•
Field Reference
Table F-13 Add and Edit Extended Access Control Entry Dialog Boxes
Type
The type of entry you are adding. The fields on the dialog box change based on your selection.
•
•
Action
The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Source
Destination
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types. For more information, see Supported IP Address Formats, page 9-69 and Specifying IP Addresses During Policy Definition, page 9-74.
•
•
•
•
•
Service
The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of the service types. If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter.
•
•
•
•
Description
An optional description of the object.
Advanced button
Click this button to define logging options for the entry:
•
–
–
•
Add and Edit Standard Access Control Entry Dialog Boxes
Use the Add or Edit Standard Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to a Standard ACL object.
Navigation Path
From the Add or Edit Access List Dialog Boxes for Standard ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.
Related Topics
•
•
•
Field Reference
Table F-14 Add and Edit Standard Access Control Entry Dialog Boxes
Type
The type of entry you are adding. The fields on the dialog box change based on your selection.
•
•
Action
The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Source
The source of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types. For more information, see Supported IP Address Formats, page 9-69 and Specifying IP Addresses During Policy Definition, page 9-74.
•
•
•
•
•
Description
An optional description of the object.
Log Option
Whether to create log entries when traffic meets the entry criteria. ACL logging generates syslog message 106023 for denied packets. Deny packets must be present to log denied packets.
Add and Edit Web Access Control Entry Dialog Boxes
Use the Add or Edit Web Access Control Entry dialog box to add an access control entry (ACE) or an ACL object to a Web Type ACL object.
Navigation Path
From the Add or Edit Access List Dialog Boxes for Web Type ACL objects, click the Add button in the ACE table, or select a row and click the Edit button.
Related Topics
•
•
•
Field Reference
Table F-15 Add and Edit Web Access Control Entry Dialog Boxes
Type
The type of entry you are adding. The fields on the dialog box change based on your selection.
•
•
Action
The action to take on traffic defined in the entry, either to permit (allow) the traffic or to deny (prohibit) it.
Filter Destination
Whether the entry specifies a network filter (host or network address) or a URL filter (web site address). Your selection changes the fields on the dialog box. The fields are described below.
Destination
(Network Filter only.)
The destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types. For more information, see Supported IP Address Formats, page 9-69 and Specifying IP Addresses During Policy Definition, page 9-74.
•
•
•
•
•
Ports
(Network Filter only.)
The port numbers or port list policy objects that define the port the traffic uses, if you want to use port identification. You can enter more than one value by separating the items with commas.
You can enter any combination of the following types:
•
•
•
URL Filter
(URL Filter only.)
The Universal Resource Locator (URL), or web address, of the traffic. You can use an asterisk as a match-all wildcard. For example, http://*.cisco.com matches all servers on the cisco.com network. You can specify any valid URL.
Logging
The type of logging to use for this entry:
•
•
•
Logging Interval
The interval of time, in seconds, used to generate logging messages, from 1 to 600. The default is 300. You can modify this field only if you select a logging level in the Logging field.
Time Range
The time range policy object that defines the time range associated with the entry. The time range defines the access to the device and relies on the device's system clock. For more information, see Understanding Time Range Objects, page 9-108.
Enter the name of the object or click Select to select it from a list. You can also create new time range objects from the selection list.
Note
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Description
An optional description of the object.
ASA User Group Dialog Box
Use the ASA User Group dialog box to create, copy, and edit an ASA user group object. ASA user groups define a set of user-oriented attributes and values for IPsec connections (Easy VPN, remote access and SSL VPN) that are stored either internally (locally) on the device or externally on an AAA server.
Navigation Path
Select Tools > Policy Object Manager, then select ASA Group Policies from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Tip
Related Topics
•
•
Field Reference
Table F-16 ASA User Group Dialog Box > Technology Settings
Name
The name of the object (up to 128 characters). The object name is displayed in the ASA User Groups page.
Object names are not case sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
Additional information about the object (up to 1024 characters).
Settings pane
A list of settings that you can configure for an ASA user group object.
When you open the ASA user group dialog box, the Technology settings are displayed.
Note
Technology settings
Group Policy Type
Unavailable if you are editing an ASA user group object.
If you are creating or copying an ASA user group object, select where the ASA user group's attributes and values are stored:
•
•
Note
Technology
Unavailable if you are editing an ASA user group object.
If you are creating or copying an ASA user group object, and the ASA user group's attributes are stored on the device, select the type of VPN for which you are creating the ASA user group object:
•
•
•
External Server Group
If the ASA user group's attributes are stored on an external AAA server, specify the AAA server group that will be used for authentication.
You can click Select to open the AAA Server Groups Selector from which you can make your selection.
Password
Available after you have specified the AAA server group that will be used for authentication.
Enter an alphanumeric keyword that will serve as the password to the AAA server. The keyword can be a maximum of 128 characters; spaces are not allowed.
Confirm
After you have entered the alphanumeric keyword that will serve as the password to the AAA server, enter the password again to confirm it.
ASA User Group Dialog Box: Client Configuration Settings
Use the Client Configuration settings page to configure the Cisco client parameters for the ASA user group in an Easy VPN or remote access VPN.
Navigation Path
Open the ASA User Group Dialog Box, select the Easy VPN/Remote Access VPN (or Both) technology, then select Client Configuration under the Easy VPN/ Remote Access VPN folder in the Settings pane.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: Client Firewall Attributes
Use the Client Firewall Attributes settings to configure the firewall settings for VPN clients for the ASA user group in an Easy VPN or IPSec VPN.
Note
Navigation Path
Open the ASA User Group Dialog Box, select the Easy VPN/Remote Access VPN (or Both) technology, then select Client Firewall Attributes under the Easy VPN/ Remote Access VPN folder in the Settings pane.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: Hardware Client Attributes
Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the ASA user group in an Easy VPN or IPSec VPN.
Navigation Path
Open the ASA User Group Dialog Box, select the Easy VPN/IPsec Remote Access VPN (or Both) technology, then select Hardware Client Attributes under the Easy VPN/Remote Access VPN folder in the Settings pane.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: IPsec Settings
Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA user group in an Easy VPN or IPSec VPN. This creates security associations that govern authentication, encryption, encapsulation, and key management.
Navigation Path
Open the ASA User Group Dialog Box, select the Easy VPN/Remote Access VPN (or Both) technology, then select IPsec under the Easy VPN/Remote Access VPN folder in the Settings pane.
Related Topics
•
•
Field Reference
Table F-20 ASA User Group Dialog Box > IPsec Settings
Enable Re-Authentication on IKE Re-Key
When selected, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs, providing additional security.
Note
Enable IPsec Compression
When selected, enables data compression that speeds up data transmission rates for remote dial-in users connecting with modems.
Caution
Enable Perfect Forward Secrecy (PFS)
When selected, enables the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange.
In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key.
Tunnel Group Lock
Specifies whether to restrict remote users to access through the tunnel group only.
Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.
Priority
Identifies the priority for this rule.
The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it.
Action
Specifies whether this rule permits or denies access.
Client Type
Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.
VPN Client Version
Specifies the versions of the VPN client (software or firmware) to which this rule applies. Multiple entries are separated by a comma.
Create button
Opens a dialog box in which you can create a client access rule. See ASA User Group Dialog Box: Client Access Rules Dialog Box.
Edit button
Opens a dialog box in which you can edit a selected client access rule. See ASA User Group Dialog Box: Client Access Rules Dialog Box.
Delete button
Enables you to delete selected client access rules from the table.
ASA User Group Dialog Box: Client Access Rules Dialog Box
In the Client Access Rules dialog box, you can create or edit the priority, action, VPN client type and VPN client version for a client access rule.
Navigation Path
Open the ASA User Group Dialog Box: IPsec Settings, then click Create, or select an item in the table and click Edit.
Related Topics
•
Field Reference
ASA User Group Dialog Box: SSL VPN Clientless Settings
Clientless settings enable you to configure the Clientless mode of access to the corporate network in an SSL VPN, for the ASA user group object.
In clientless access mode, once a user is authenticated and a session is established, an SSL VPN portal page and toolbar is displayed on the user's web browser. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers.
Navigation Path
Open the ASA User Group Dialog Box, select the SSL VPN (or Easy VPN/IPSec and SSL) technology, then select Clientless under the SSL VPN folder in the Settings pane.
Related Topics
•
•
Field Reference
Table F-22 ASA User Group Dialog Box > SSL VPN Clientless Settings
Portal Page Websites
A list of websites that will be displayed on the portal page as a bookmark to enable users to access the resources available on the SSL VPN websites.
You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects. For information about the object selector dialog box that opens, see Object Selectors.
Allow Users to Enter Websites
When selected, enables the remote user to input the website URLs directly.
Enable File Server Browsing
When selected, enables the remote user read-only access to browse the shared files on the Common Internet File System (CIFS) file servers.
Enable File Server Entry
When selected, enables the remote user full-write access to modify the shared files on the Common Internet File System (CIFS) file servers.
Enable Hidden Shares
When selected, controls the visibility of hidden shares for CIFS files,
HTTP Proxy
Select one of the following options:
•
•
•
When selected, starts HTTP proxy automatically upon user login.
Filter ACL
Specifies the WebType access control list that will be used to restrict user access to the SSL VPN.
You can click Select to open the Access Control Lists Selector from which you can make your selection.
UNIX Authentication Group ID
Specifies the UNIX authentication group ID.
UNIX Authentication User ID
Specifies the UNIX authentication user ID.
Smart Tunnel
Specifies the name of the smart tunnel assigned to this ASA user group.
Auto Start Smart Tunnel
When selected, starts smart tunnel access automatically upon user login.
Port Forwarding List
Specifies the name of the port forwarding list assigned to this ASA user group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports.
Auto Start Port Forwarding
When selected, starts port forwarding automatically upon user login.
Port Forwarding Applet Name
Provides the application name or short description that displays on the end user Port Forwarding Java applet screen. Maximum 64 characters.
ASA User Group Dialog Box: SSL VPN Full Client Settings
Full Client settings enable you to configure the Full Client mode of access to the corporate network in an SSL VPN, for the ASA user group object.
Full Client mode enables access to the corporate network completely over an SSL VPN tunnel. In Full Client access mode, the tunnel connection is determined by the group policy configuration. The full client software, SSL VPN Client (SVC), is downloaded to the remote client, so that a tunnel connection is established when the remote user logs in to the SSL VPN gateway.
Navigation Path
Open the ASA User Group Dialog Box, select the SSL VPN (or Easy VPN/IPSec and SSL) technology, then select Full Client under the SSL VPN folder in the Settings pane.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: SSL VPN Settings
SSL VPN Settings enable you to configure attributes that are required for Clientless and Port Forwarding access modes to work, including auto signon rules for user access to servers. Auto Signon configures the security appliance to automatically pass SSL VPN user login credentials (username and password) on to internal servers. You can configure multiple auto signon rules. For more information, see Understanding Single Sign-On Server Objects, page 9-89.
Navigation Path
Open the ASA User Group Dialog Box, select the SSL VPN (or Easy VPN/IPSec and SSL) technology, then select Settings under the SSL VPN folder in the Settings pane.
Related Topics
•
•
•
Field Reference
Table F-24 ASA User Group Dialog Box > SSL VPN Settings
Clientless/Port Forwarding Setting
Home Page
The URL of the SSL VPN home page on which the available websites appear as links.
Authentication Failure Message
The error message displayed on the login page if a user authentication failure occurs.
Minimum Keepalive Object Size (kilobytes)
Specifies the minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance.
Single Sign On Server
Specifies the Single Sign On (SSO) server that allows users to enter their username and password once, and be able to access a range of servers.
You can click Select to open a dialog box that lists all available SSO servers from which you can make your selection, or create an SSO server object. See Understanding Single Sign-On Server Objects, page 9-89.
Enable HTTP Compression
When selected, enables an HTTP compressed object to be cached on the security appliance.
IP Address
The IP address of the SSO server that receives the login credentials.
Mask
The IP mask of the SSO server that receives the login credentials.
URL
The URL used to specify the SSO server that receives the login credentials.
Authentication Type
The authentication method used to configure SSO—HTTP Basic, NTLM authentication, or both of these.
Up/Down buttons
Enable you to change the order of the Auto Signon rules.
Note
Add button
Opens a dialog box in which you can create an Auto Signon rule. See ASA User Group Dialog Box: Auto Signon Rules Dialog Box.
Edit button
Opens a dialog box in which you can edit the parameters of a selected Auto Signon rule. See ASA User Group Dialog Box: Auto Signon Rules Dialog Box.
Delete button
Removes selected Auto Signon rules from the table.
Portal Page Customization
Specifies the customization profile that defines the appearance of the portal page that allows the remote user access to all the resources available on the SSL VPN networks.
You can click Select to open a dialog box that lists all available SSL VPN customization objects, from which you can make your selection. See Understanding SSL VPN Customization Objects, page 9-97.
User Storage Location
Specifies the location where personalized user information is stored between clientless SSL VPN sessions.
Storage Key
Specifies the storage key used to protect data stored between sessions.
Post Max Size
Specifies the maximum size allowed for a posted object. The range is 0 through 2147483647.
Upload Max Size
Specifies the maximum size allowed for a uploaded object. The range is 0 through 2147483647.
Download Max Size
Specifies the maximum size allowed for a downloaded object. The range is 0 through 2147483647.
ASA User Group Dialog Box: Auto Signon Rules Dialog Box
Use this dialog box to configure the Auto Signon rules that the security appliance uses to pass SSL VPN user login credentials on to an internal server. You can configure multiple Auto Signon rules—the security appliance processes them according to the input order.
Navigation Path
Open the ASA User Group Dialog Box: SSL VPN Settings, then click Create, or select an item in the table and click Edit.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: DNS/WINS Settings
Configuring the DNS/WINS settings for your ASA user group enable you to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA user group.
Note
Navigation Path
Open the ASA User Group Dialog Box, select the On Device group policy source, then select DNS/WINS in the Settings pane.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: Split Tunneling
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to a specific network.
Configuring split tunneling for your ASA user group enables you to specify a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
Note
Navigation Path
Open the ASA User Group Dialog Box, select the On Device group policy source, then select Split Tunneling in the Settings pane.
Related Topics
•
•
Field Reference
ASA User Group Dialog Box: Connection Settings
An Easy VPN, remote access VPN, or SSL VPN session is disconnected if the client is connected longer than the session timeout, or if it is idle longer than the idle timeout.
Use this page to configure the connection settings for the ASA user group, including the banner text.
Navigation Path
Open the ASA User Group Dialog Box, select the Internal group policy type, then select Connection Settings in the Settings pane.
Related Topics
•
•
Field Reference
Table F-28 ASA User Group Dialog Box > Connection Settings
Filter ACL
Specifies the Access Control List (ACL) that will be used to restrict user access to the SSL VPN.
You can click Select to open the Access Control Lists Selector from which you can make your selection.
Banner Text
The banner, for example, a welcome message that is displayed on remote clients when they connect. Banner text can be a maximum of 500 characters.
Access hours
Enables you to enter a time range value that allows VPN access based on specific times of the day and weekly access.
The time range relies on the system clock of the security appliance; therefore, the feature works best with NTP synchronization.
Note
You can click Select to open the Time Ranges Selector from which you can make your selection. See Understanding Time Range Objects, page 9-108.
Max Simultaneous Logins
Specifies the number of simultaneous logins allowed for any user.
Values are 0-2147483647. A zero (0) value disables login and prevents user access. A user group policy can inherit this value from another user group policy.
Note
Max Connect Time
Enables you to specify the amount of time that the security appliance should allow for a connection. Options are:
•
•
Idle Timeout (min)
Enables you to specify the amount of time that the security appliance should terminate a connection if there is no communication activity. Options are:
•
•
Category Editor Dialog Box
Use the Category Editor dialog box to edit the name or description of a category object. Category objects help you categorize and readily identify rules and other objects.
Navigation Path
Select Tools > Policy Object Manager, select Categories from the Object Type Selector, and click Edit Object.
Related Topics
•
Field Reference
Add or Edit Secure Desktop Configuration Dialog Box
Use the Add or Edit Cisco Secure Desktop Configuration dialog box to create, copy, and edit Cisco Secure Desktop Configuration objects for IOS routers. You can configure the settings required for Windows clients who are connecting from different location types, enable or restrict web browsing and file access for Windows CE clients, and configure the cache cleaner for Macintosh and Linux clients.
Cisco Secure Desktop (CSD) secures network endpoints by providing a reliable means of eliminating all traces of sensitive data by providing a single, secure location for session activity and removal on the client system.
Navigation Path
Select Tools > Policy Object Manager, then select Cisco Secure Desktop (Router) from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
Related Topics
•
Field Reference
Table F-30 Secure Desktop Configuration Dialog Box
Name
The Secure Desktop Configuration object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
Additional information about the Secure Desktop Configuration object (up to 1024 characters).
Windows Locations
Enable you to create a group of settings for Windows clients connecting from a particular type of location, such as Work, Home, or Insecure. Once you create a location, you can specify how to determine that clients are connecting from that particular location.
For each location you want to configure, enter its name in the field provided, and click Add to move it to the Locations field. You can reorder the locations using the Move Up/Move Down buttons.
CSD checks locations in the order listed in this dialog box, and grants privileges to client PCs based on the first location definition they match. For more information, see Understanding Cisco Secure Desktop Configuration Objects, page 9-85.
Close all open browser windows after installation
When selected (the default), closes all the open browser windows after the Secure Desktop installation.
VPN Feature Policy
Select the check boxes to enable these features if installation or location matching fails:
•
•
•
•
VPN Feature Policy
The Windows CE options enable you to configure a VPN feature policy to enable or restrict web browsing and remote server file access for remote clients running Microsoft Windows CE.
Select the Web Browsing and File Access check boxes to enable these features, if required.
Note
Launch Cleanup Upon Global Timeout
When selected, enables you to set a global timeout after which CSD launches the cache cleaner, then specify the timeout period after which the cleanup will begin. The default is 5 minutes.
Note
Launch Cleanup Upon Exiting of Browser
When selected, configures the cache cleaner to be launched when all the browser windows are closed.
Enable Canceling of Cleaning
When selected, enables the remote user to cancel the cleaning of the cache.
Secure Delete
Select the number of passes for CSD to perform a "Windows-delete" cleanup. The default is 1 pass.
CSD encrypts and writes the cache to the remote client's disk. Upon termination of the Secure Desktop, CSD converts all bits occupied by the cache to all 0's, then to all 1's, and then to randomized 0's and 1's.
Enable Web Browsing if Mac or Linux Installation Fails
When selected, allows web browsing (but disables other remote access features) if the cache cleaner installation fails.
VPN Feature Policy
Enables you to configure a VPN Feature Policy that allows or restricts web browsing, remote server file access, and port forwarding for Macintosh and Linux clients.
Select the check boxes if you want to enable these features after a successful installation:
•
•
•
Note
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Credentials Dialog Box
Use the Credentials dialog box to create, copy and edit Credential objects. Credential objects are used in Easy VPN configuration during IKE Extended Authentication (Xauth).
Navigation Path
Select Tools > Policy Object Manager, then select Credentials from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-31 Credentials Dialog Box
Name
The Credentials object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
Additional information about the Credentials object (up to 1024 characters).
Username
Enter a name that will be used to identify the user during Xauth authentication.
Password
Enter an alphanumeric keyword that will serve as the password to identify the user during Xauth authentication (maximum of 128 characters; spaces are not allowed).
Confirm
Enter the password again to confirm it.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit File Object Dialog Boxes
Use the Add and Edit File Object dialog boxes to create, copy, and edit file objects.
Navigation Path
Select Tools > Policy Object Manager, then select File Objects from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
•
Field Reference
Table F-32 Add and Edit File Object Dialog Boxes
Name
The customization object name (up to 128 characters). Object names are not case-sensitive. Names can be sorted in ascending or descending order. For more information, see Guidelines for Managing Objects, page 9-5.
Description
A description of the file object, if required.
You can use uppercase and lowercase characters and most alphanumeric or symbol characters. The value can be up to 1024 characters.
File Type
Identifies the file type:
•
•
•
•
•
File
Allows you to enter the file selection manually, or click Browse to help you make your selection.
File Name on Device
Identifies the file name on the device. By default the same filename is deployed to the device. It is possible, however, to specify a different filename to be deployed.
During file discovery from devices when files from different devices are discovered into Security Manager, filenames might need to be modified to keep them unique within Security Manager. If renaming occurs, the file-name-on-device field is set automatically, by way of Security Manager's discovery process, to its original filename on the device.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Add or Edit FlexConfig Dialog Box
Use the Add or Edit FlexConfig dialog box to create or edit FlexConfig policy objects. FlexConfig objects are small programs that allow you to add configuration commands before or after the configurations generated from Security Manager policies, so that you can extend the abilities of the product to configure your devices. You use these policy objects in FlexConfig device or shared policies.
Before creating FlexConfig policy objects, read the sections in Understanding FlexConfig Policies and Policy Objects, page 19-1.
Navigation Path
Select Tools > Policy Object Manager, then select FlexConfigs from the Object Type Selector. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-33 FlexConfigs Editor Dialog Box
Name
The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
An optional description of the object.
Group
The name of the group of FlexConfig objects to which this object belongs, if any. You can type in a name, or select an existing name from the list. This field is for informational purposes only, and can help you find a FlexConfig object in the FlexConfig Objects page in the Policy Object Manager.
Type
Whether the commands in the object are prepended (put at the beginning) or appended (put at the end) of configurations.
Negate For
The name of the FlexConfig object whose commands are undone in this FlexConfig object. This field is for informational purposes only and does not affect the processing of the object.
For example, if FlexConfig A has the command banner login, and FlexConfig B has the command no banner login, FlexConfig B negates the configuration for FlexConfig A.
Object Body edit box
The commands and instructions to produce the desired configuration file output. You can type in the following types of data:
•
•
•
Undo button
Deletes the previous action.
Redo button
Performs the previously undone action.
Cut button
Deletes the highlighted text and copies it to the clipboard.
Copy button
Copies the highlighted text to the clipboard.
Paste button
Pastes previously cut or copied text.
Find button
Locates the specified text string in the object body.
Validate FlexConfig button
Checks the integrity and deployability of the FlexConfig object.
This table lists the variables that are used in the FlexConfig object.
Name
The name of the variable. Click the cell to edit the name, which also changes the name in the FlexConfig object body.
Default Value
The value to use when one is not provided. Click the cell to edit the value for user-defined variables. You cannot edit system-defined variables.
Note
Object Property
The property of the object. The object property name is in the following format:
type.name.data.property
where
•
•
•
•
Dimension
The structure of the data in the variable. Possible values are:
•
•
•
Optional
Whether the variable is required to have a value.
Description
A description of the contents of the object. Click the cell to edit the description.
Create Text Object Dialog Box
Use the Create Text Object dialog box as a shortcut to create text objects of dimension 0, which are single-value variables, for use in FlexConfig policy objects. Enter the name of the variable and the value to assign to it. When you click OK, the variable is added to the FlexConfig object at the cursor location and it is added to the list of variables for the object.
Navigation Path
In the Add or Edit FlexConfig Dialog Box, right-click in the object body field and select Create Text Object.
Tip
FlexConfig Undefined Variables Dialog Box
Use the FlexConfig Undefined Variables dialog box to define variables used in the FlexConfig object that have not yet been defined. You can choose from a list of policy object types or add a new policy object to use.
Each row in the table represents a single undefined variable.
Tip
Navigation Path
In the Add or Edit FlexConfig Dialog Box, if you enter a variable name but do not define its values, when you click OK, Security Manager displays a warning and asks if you want to define the variables. If you click Yes, this dialog box is opened.
Field Reference
Table F-34 FlexConfig Undefined Variables Dialog Box
Variable Name
The name of the undefined variable that you used in the FlexConfig object.
Object Type
The type of policy object that contains the value you want to assign to the variable. For local variables, use the Undefined object type.
For variables you want to define, you must select the specific policy object and value within that object to assign to the selected variable.
You start by selecting the type of policy object from this list. You are then prompted to select the specific policy object. When you click OK, you are prompted to select the specific property within that object that contains the desired value (see Property Selector Dialog Box). When you select the value on the Property Selector dialog box and click OK, the value is assigned to the variable.
Object Property
The property of the object. For a detailed explanation, see Add or Edit FlexConfig Dialog Box.
Optional
Whether the variable is required to have a value.
Property Selector Dialog Box
Use the Property Selector dialog box to select the specific property within a selected policy object that you want to assign to a variable within a FlexConfig policy object. The title of the dialog box indicates the type of policy object that you selected (for example, AAA Server Groups Property Selector).
For more information on variables, see Understanding FlexConfig Object Variables, page 19-5.
Navigation Path
•
•
Field Reference
Table F-35 Property Selector Dialog Box
Object Property
The property of the object that contains the value you want to assign to the variable. For specific information on the properties, see the explanation of the fields for the dialog box used for adding or editing objects of that type. You can find a list of links to the relevant topics at Policy Object Add or Edit Dialog Boxes.
Name
The name of variable. This field is not available when you are defining undefined variables.
Description
An optional description of the variable. This field is not available when you are defining undefined variables.
IKE Proposal Dialog Box
Use the IKE Proposal dialog box to create, copy, and edit an IKE proposal object. IKE proposal objects contain the parameters required for IKE proposals when defining remote access and site-to-site VPN policies.
Navigation Path
Select Tools > Policy Object Manager, then select IKE Proposals from the Object Type Selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Tip
Related Topics
•
•
•
Field Reference
Table F-36 IKE Proposal Dialog Box
Name
The object name (up to 128 characters). Object names are not case-sensitive. For more information, see Guidelines for Managing Objects, page 9-5.
Description
Additional information about the object (up to 1024 characters).
Priority
The priority value of the IKE proposal. The priority value determines the order of the IKE proposals compared by the two negotiating peers when attempting to find a common SA.
Valid values range from 1 to 10000. The lower the number, the higher the priority.
Note
Encryption Algorithm
The encryption algorithm used to establish the Phase 1 SA for protecting Phase 2 negotiations:
•
•
•
•
•
Hash Algorithm
The hash algorithm used in the IKE proposal. The hash algorithm creates a message digest, which is used to ensure message integrity. Options are:
•
•
Modulus Group
The Diffie-Hellman group to use for deriving a shared secret between the two IPsec peers:
•
•
•
•
Note
Lifetime
The lifetime of the SA, in seconds. When the lifetime is exceeded, the SA expires and must be renegotiated between the two peers.
As a general rule, the shorter the lifetime (up to a point), the more secure your IKE negotiations will be.
Authentication Method
The method of authentication to use between the two peers:
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Add or Edit Class Maps Dialog Boxes
Use the Add and Edit Class Map dialog boxes to define a class map for inspection for devices running ASA/PIX 7.2 and higher. You can create class maps for DNS, FTP, H.323, HTTP, IM, and SIP inspection, and the name of the dialog box indicates the type of map you are creating.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map policy object is that you can reuse class maps.
Navigation Path
Select Tools > Policy Object Manager, then select any item in the Inspect Maps > Class Maps folder in the table of contents. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.
Related Topics
•
•
Field Reference
Table F-37 Add or Edit Class Maps Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Match All table
The Match All table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.
•
–
–
–
–
–
–
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit DCE/RPC Dialog Box
Use the Add or Edit DCE/RPC Map dialog boxes to define a map for DCE/RPC inspection.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > DCE/RPC Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-38 Add and Edit DCE/RPC Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Pinhole Timeout
The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.
Enforce Endpoint Mapper Service
Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.
Enable Endpoint Mapper Service Lookup
Service Lookup Timeout
Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the time out for the lookup operation. If you do not specify a timeout, the pinhole timeout or default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add and Edit DNS Map Dialog Boxes
Use the Add and Edit DNS Map dialog boxes to define DNS Maps for inspection.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > DNS Maps from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-39 Add and Edit DNS Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map Protocol Conformance Tab.
Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map Filtering Tab.
The Log When DNS ID Mismatch Rate Exceeds option determines whether you want to report excessive instances of DNS identifier mismatches based on the following criteria:
•
•
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
DNS Map Protocol Conformance Tab
Use the Protocol Conformance tab to define DNS security settings and actions for a DNS map.
Navigation Path
Click the Protocol Conformance tab on the Add and Edit DNS Map Dialog Boxes.
Related Topics
•
•
Field Reference
DNS Map Filtering Tab
Use the Filtering tab to define DNS filtering settings and actions for a DNS map.
Navigation Path
Click the Filtering tab on the Add and Edit DNS Map Dialog Boxes.
Related Topics
•
•
Field Reference
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for DNS policy maps) dialog boxes to do the following:
•
•
•
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes for DNS, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit DNS Map Dialog Boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
•
•
•
Field Reference
Add or Edit ESMTP Map Dialog Boxes
Use the Add and Edit ESMTP Map dialog boxes to define the match criterion and values for the ESMTP inspect map.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > ESMTP Maps from the Object Type selector. Right-click inside the table, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-43 Add and Edit ESMTP Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Mask Server Banner
Whether to mask the server banner to prevent the client from discovering server information.
Configure Mail Relay
Domain Name
Action
Whether to have ESMTP inspection detect mail relay. When you select this option, enter the domain name you are inspecting and select the action you want to take when mail relay is detected.
Special Character (ASA7.2.3+/PIX7.2.3+)
Action
Whether you want to detect special characters in sender or receiver email addresses. If you select this option, select the action you want to take when special characters are detected.
Allow TLS (ASA7.2.3+, 8.0.3+/PIX7.2.3)
Action Log
Whether to allow a TLS proxy on the security appliance. If you select this option, you can also select Action Log to create a log entry when TLS is detected.
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for an ESMTP policy map.
The fields on this dialog box change based on the criterion you select. You can use the following criteria:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit ESMTP Map Dialog Boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
•
•
Field Reference
Add and Edit FTP Map Dialog Boxes
Use the Add and Edit FTP Map dialog boxes to define the match criterion and values for an FTP inspect map. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server. Security Manager uses the ftp-map command to configure the map on the device.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > FTP Maps from the Object Type selector. Right-click inside the table, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
•
Field Reference
Table F-45 Add and Edit FTP Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Mask Greeting Banner from Server
Whether to mask the greeting banner from the FTP server to prevent the client from discovering server information.
Mask Reply to SYST Command
Whether to mask the reply to the syst command to prevent the client from discovering server information.
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Validate For
Validate button
The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit FTP Match Criterion (for FTP class maps) or Match Condition and Action (for FTP policy maps) dialog boxes to do the following:
•
•
•
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating an FTP class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes for FTP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
When creating an FTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit FTP Map Dialog Boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
•
•
•
Field Reference
Add and Edit GTP Map Dialog Boxes
Use the Add and Edit GTP Map dialog boxes to define the match criterion and values for a GTP inspect map.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > GTP Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-47 Add and Edit GTP Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Country and Network Codes Table
The three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc) to include in the map. The codes are 000 to 999.
•
•
•
Permit Response Table
The Network/Host policy objects for which you will allow GTP responses from a GSN that is different from the one to which the response was sent.
•
•
•
Request Queue
The maximum requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1-9999999. The default is 200.
Tunnel Limit
The maximum number of tunnels allowed.
Permit Errors
Whether to permit packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.
Edit Timeouts button
Click this button to configure time out values for various operations. For more information about the options, see GTP Map Timeouts Dialog Box.
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Validate For
Validate button
The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.
Add and Edit Country Network Codes Dialog Boxes
Use the Add and Edit Country Network Codes dialog boxes to add Mobile Country Code (mcc) and Mobile Network Code (mnc) values to the GTP policy map. The codes can be 000 to 999.
Navigation Path
From the Add and Edit GTP Map Dialog Boxes, click the Add button in the Country and Network codes table, or select a row and click the Edit button.
Add and Edit Permit Response Dialog Boxes
Use the Add and Edit Permit Response dialog boxes to permit GTP responses from a GSN that is different from the one to which the response was sent.
Enter the name of a Network/Host policy object that defines the destination (To Object Group) and source (From Object Group) of the traffic. You can click Select to select the object from a list, where you can also create an new object by clicking the Create button in the Object Selector dialog box.
You cannot use the Network/Host object named "any."
Navigation Path
From the Add and Edit GTP Map Dialog Boxes, click the Add button in the Permit Response table, or select a row and click the Edit button.
GTP Map Timeouts Dialog Box
Use the GTP Map Timeouts dialog box to set timeout values for a GTP Map.
Navigation Path
From the Add and Edit GTP Map Dialog Boxes, click the Edit Timeouts button on the Parameters tab.
Field Reference
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a GTP policy map.
The fields on this dialog box change based on the criterion you select.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit GTP Map Dialog Boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
•
•
Field Reference
Add and Edit H.323 Map Dialog Boxes
Use the Add and Edit H.323 Map dialog boxes to define the match criterion and values for an H.323 inspect map.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > H.323 Maps from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-50 Add and Edit H.323 Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
HSI Group table
The HSI groups to include in the map. The group number, IP address of the HSI host, and IP addresses and interface names of the clients connected to the security appliance are shown in the table. Up to five HSI hosts per group, and up to ten end points per HSI group, are allowed.
•
•
•
Call Duration Limit
The call duration limit in seconds. The range is from 0:0:0 to 1163:0:0. A value of 0 means never timeout.
Enforce Presence of Calling and Called Party Numbers
Whether to enforce calling and called party numbers used in call setup.
Check State Transition on H.225 Messages
Whether to enable state checking validation on H.225 messages.
Check State Transition on RAS Messages
Whether to enable state checking validation on RAS messages.
Check for H.245 Tunneling
Action
Whether to enforce H.245 tunnel blocking and perform the action you select in the Action list box.
Check RTP Packets for Protocol Conformance
Whether to check RTP packets flowing through the pinholes for protocol conformance.
Payload Type must be Audio or Video based on Signaling Exchange
Whether to enforce the payload type to be audio or video based on the signaling exchange.
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Add or Edit HSI Group Dialog Boxes
Use the Add or Edit HSI group dialog boxes to add HSI groups to an H.323 policy inspection map.
Navigation Path
From the Parameters tab on the Add and Edit H.323 Map Dialog Boxes, click the Add Row button in the HSI group table, or select a row and click the Edit Row button.
Related Topics
•
•
Field Reference
Table F-51 Add and Edit HSI Group Dialog Boxes
Group ID
The HSI group ID number (0 to 2147483647).
IP Address
The IP address of the HSI host.
Endpoint table
The end points associated with HSI group. You can add up to 10 end points per group. For each end point, you specify the IP address and interface policy group.
•
•
•
Add or Edit HSI Endpoint IP Address Dialog Boxes
Us the Add or Edit HSI Endpoint IP Address dialog box to add end points to an HSI group.
Navigation Path
From the Add or Edit HSI Group Dialog Boxes, click the Add Row button in the end point table, or select a row and click the Edit Row button.
Related Topics
•
•
Field Reference
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit H.323 Match Criterion (for H.323 class maps) or Match Condition and Action (for H.323 policy maps) dialog boxes to do the following:
•
•
•
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating an H.323 class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes for H.323, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
When creating an H.323 policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit H.323 Map Dialog Boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
•
•
•
Field Reference
Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x, and IOS devices.
The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.
When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses the http-map command to configure the map on the device.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM3.x/IOS) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-54 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
General tab
Defines the action taken when non-compliant HTTP requests are received and to enable verification of content type. For a description of the options, see HTTP Map General Tab.
Entity Length tab
Defines the action taken if the length of the HTTP content falls outside of configured targets. For a description of the options, see HTTP Map Entity Length Tab.
RFC Request Method tab
Defines the action that the security appliance should take when specific RFC request methods are used in the HTTP request. For a description of the options, see HTTP Map RFC Request Method Tab.
Extension Request Method tab
Defines the action taken when specific extension request methods are used in the HTTP request. For a description of the options, see HTTP Map Extension Request Method Tab.
Port Misuse tab
Defines the action taken when specific undesirable applications are encountered. For a description of the options, see HTTP Map Port Misuse Tab.
Transfer Encoding tab
Defines the action taken when specific transfer encoding types are used in the HTTP request. For a description of the options, see HTTP Map Transfer Encoding Tab.
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
HTTP Map General Tab
Use the General tab to define the action taken when non-compliant HTTP requests are received and to enable verification of content type.
Navigation Path
Click the General tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices.
Related Topics
•
•
Field Reference
HTTP Map Entity Length Tab
Use the Entity Length tab to enable inspection based on the length of the HTTP content.
Navigation Path
Click the Entity Length tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices.
Related Topics
•
•
Field Reference
HTTP Map RFC Request Method Tab
Use the RFC Request Method tab to define the action to take when specific request methods are used in the HTTP request.
Navigation Path
Click the RFC Request Method tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices.
Related Topics
•
•
Field Reference
HTTP Map Extension Request Method Tab
Use the Extension Request Method tab to define the action taken when specific extension request methods are used in the HTTP request.
Navigation Path
Click the Extension Request Method tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices.
Related Topics
•
•
Field Reference
HTTP Map Port Misuse Tab
Use the Port Misuse tab to enable port misuse application firewall inspection. The application categories you can configure are:
•
•
•
Navigation Path
Click the Port Misuse tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices.
Related Topics
•
•
Field Reference
HTTP Map Transfer Encoding Tab
Use the Transfer Encoding tab to enable inspection based on the transfer encoding type. The encoding types that you can configure are:
•
•
•
•
•
Navigation Path
Click the Transfer Encoding tab on the Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices.
Related Topics
•
•
Field Reference
Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices
Use the Add and Edit HTTP Map dialog boxes to define the match criterion and values for the HTTP inspect map for ASA and PIX software releases 7.2 and higher.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.
Related Topics
•
•
•
Field Reference
Table F-61 Add and Edit HTTP Map Dialog Boxes (ASA 7.2+/PIX 7.2+)
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
Body Match Maximum
The maximum number of characters in the body of an HTTP message that should be searched in a body match.
TipCheck for protocol violations
Whether to check for protocol violations.
Action
The action to take based on the defined settings. You can drop, reset, or log the connection.
Spoof Server
Enables you to replace the server HTTP header value with the specified string.
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Global Object to Be Overridden, page 9-116 and Overriding Global Objects for Individual Devices, page 9-116.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
Overrides: None
Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Overriding Global Objects for Individual Devices, page 9-116.
Note
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit HTTP Match Criterion (for HTTP class maps) or Match Condition and Action (for HTTP policy maps) dialog boxes to do the following:
•
•
•
These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher, operating systems.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map. You can use the following criteria:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Navigation Path
When creating an HTTP class map, in the Policy Object Manager, from the Add or Edit Class Maps Dialog Boxes for HTTP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
When creating an HTTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit HTTP Map Dialog Boxes for ASA 7.2+/PIX 7.2+ Devices, right-click inside the table, then select Add Row or right-click a row, then select Edit Row.
Related Topics
•
•
•
Field Reference
Add and Edit IM Map Dialog Boxes (for ASA 7.2+/PIX 7.2+)
Use the Add and Edit IM Map dialog boxes to define settings for define an Instant Messenger (IM) inspect map for devices running ASA/PIX 7.2 or higher.
Navigation Path
Select Tools > Policy Object Manager, then select Inspect Maps > Policy Maps > IM Maps (ASA 7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.
Related Topics
•
•
Field Reference
Table F-63 Add and Edit IM Map Dialog Boxes
Name
The name of the policy object. A maximum of 40 characters is allowed.
Description
A description of the policy object. A maximum of 200 characters is allowed.
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
•
•
•
Category
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 9-4.
Allow Value Override per Device
Overrides
Edit button
