Index
Numerics
12.1 and 12.2
managing routers 15-3
12.2(33) SRA
running on Catalyst 6500/7600 devices
path MTU discovery and 10-44
12.2(33) SRB
running on Catalyst 6500/7600 devices
path MTU discovery and 10-44
12.2(33) SXH
running on Catalyst 6500/7600 devices
path MTU discovery and 10-44
3DES encryption algorithm
cluster load balancing
using FQDNs 11-25
in IKE proposals 10-68
4.3.2
MARS version
read-only policy lookup 22-61
4.3.4
MARS version
events lookup 22-106
policy lookup, read-write 22-61
5.3.4
MARS version
events lookup 22-106
policy lookup, read-write 22-61
5-tuple data
access rule lookup from MARS and 22-51
low-latency event query 22-66
parsing during access rule lookup 22-55
policy table lookup from MARS and 22-51
802.1x
802.1x Policy page K-179
defining policies 15-131
interface authorization states 15-129
on Cisco IOS routers 15-127
supported topologies 15-130
understanding device roles 15-128
A
AAA
accounting 11-1
authorization 11-1
Cisco IOS routers
AAA Policy page K-87
Accounting tab K-93
Authentication tab K-88
Authorization tab K-90
Command Accounting dialog box K-96
Command Authorization dialog box K-92
defining services 15-70
overview 15-66
supported accounting types 15-67
supported authorization types 15-67
understanding method lists 15-69
configuring on firewall devices 16-37
configuring settings 13-146
credentials for device access 6-4
local fallback 16-40
PIX/ASA/FWSM
AAA page L-75
Accounting tab L-78
Authentication tab L-75
Authorization tab L-77
support 16-39
user authentication 11-1
AAA authentication
and Cisco Secure ACS
for policy lookup 22-74
AAA authentication groups
predefined 9-15
using SDI
as the protocol 10-119
AAA Firewall page J-154
AAA Mode Setup page 2-1
AAA rules
AAA Rules page J-78
Add AAA Rules dialog box J-81
adding 13-93
AuthProxy dialog box J-99
configuring settings
for (PIX/ASA) 13-146
for IOS 13-151
copying 13-99
cutting 13-99
deleting 13-101
disabling 13-98
Edit AAA Option dialog box J-98
Edit AAA Rules dialog box J-81
Edit AAA Server Group dialog box J-100
Edit Category dialog box J-101
Edit Description dialog box J-101
Edit Destinations dialog box J-90
editing 13-96
Edit Interface dialog box J-95
Edit Service dialog box J-59, J-93
Edit Sources dialog box J-87
enabling 13-98
MAC exempt address lists
adding 13-149
deleting 13-151
editing 13-150
understanding 13-148
moving down 13-100
moving up 13-100
pasting 13-99
Show Destination dialog box J-92
Show Interface Contents dialog box J-97
Show Service Contents dialog box J-95
Show Source Contents dialog box J-89
understanding 13-92
AAA Rules page J-78
AAA server group objects
AAA Server Group dialog box F-12
AAA Server Groups page F-10
creating 9-18
default server groups on IOS devices 9-17
predefined authentication groups 9-15
understanding 9-15
AAA server objects
AAA Server dialog box F-17
AAA Servers page F-16
creating 9-28
supported types 9-23
understanding 9-15, 9-22
AAA servers
external servers 11-1
supported types on ASA devices 9-24
table of services on ASA devices 9-26
Abort the Job dialog box O-30
About Security Manager command 3-17
ABR
definition of 16-106
access control list objects
creating 9-35
example
extended ACL 9-31
standard ACL 9-32
web ACL 9-33
Extended IP ACL tab
Add Extended Access Control Entry dialog box F-37
Add Extended Access List page F-34
Edit Extended Access Control Entry dialog box F-37
Edit Extended Access List page F-34
extended objects 9-36
Extended tab F-32
Add Extended Access Control Entry dialog box F-37
Add Extended Access List page F-34
Edit Extended Access Control Entry dialog box F-37
Edit Extended Access List page F-34
GUI
understanding 9-34
standard objects 9-38
Standard tab F-41
Add Standard Access Control Entry dialog box F-45
Add Standard Access List page F-42
Edit Standard Access Control Entry dialog box F-45
Edit Standard Access List page F-42
understanding 9-30
web objects 9-40
Web tab F-47
Add Web Access Control Entry dialog box F-52
Add WebType Access List page F-49
Edit Web Access Control Entry dialog box F-52
Edit WebType Access List page F-49
access control lists
policy discovery 7-9
Access Control page J-145
access controls
access list compilation
enabling 13-138
configuring settings 13-140
object group search
enabling 13-133
per user downloadable ACLs (PIX/ASA/FWSM)
enabling 13-136
settings 13-132
understanding settings 13-132
Access Group tab
description 16-101, L-186
Accessing the Cisco NSDB N-12
access list compilation
enabling 13-138
understanding 13-137
access lists
adding an implicit ACE 22-114
configured on IOS devices with
log-input keyword 22-43
log keyword 22-43
implicit deny
and MARS events lookup 22-114
Access page (ASA) I-23
access permissions
maps 4-3
access ports
Create and Edit Interface dialog boxes-Access Port mode M-16
understanding 17-8
access rule events
in MARS
looking up policy table 22-52
keywords
ACE hashcodes 22-109
access rule lookup
authentication failure
during connection from MARS 22-51
communication
between MARS and Security Manager 22-71
deployed changes
synchronization with 22-66
device lookup query
sequence of actions 22-54
with a unique hostname 22-54
without any domain and hostname 22-54
device lookup results and 22-55
device software versions
supported for 22-72
devices with multiple contexts
prerequisites for 22-54
error messages 22-67
expanding
network/host objects 22-67
service objects 22-67
for syslog messages
on IOS routers 22-58
for the selected MARS event
with multiple device matches 22-51
with no device match 22-51
from device manager syslog 22-42
from MARS
in read-only mode 22-49
in read-write mode 22-49
overview 22-55
sample case 22-49
taskflow 22-50
without Security Manager client running 22-52
from MARS events
in Security Manager 3.1.1 through 3.0.1 22-55
in Security Manager 3.2 22-55
guidelines for working 22-61
in MARS 4.3.4 and 5.3.4 22-55
parsing raw syslogs 22-55
in read-only mode
supported MARS versions 22-55
supported Security Manager versions 22-55
in read-write mode
improved rule matching accuracy 22-55
supported MARS versions 22-55
supported Security Manager versions 22-55
looking up device in MARS 22-54
MARS session object 22-56
multiple matches
for syslogs with insufficient details for parsing 22-56
starting a new client session 22-64
supported syslog IDs
for firewall devices 22-58
syslog messages supported
by IOS routers 22-58
by security appliances 22-58
syslogs supported for
by firewall devices 22-58
with multiple hostname matches 22-54
with Security Manager client active
in non-Workflow mode 22-52
in Workflow mode 22-52
with Security Manager client timed out 22-64
access rules
Access Rules page J-2
Adaptive Security Algorithm (ASA) and 13-55
Add Firewall Rule dialog box J-6
adding 13-64
Advanced dialog box J-11
ASA and 13-57
conflicting with other ACEs 22-126
disabling 13-71
Edit Category dialog box J-27
Edit Description dialog box J-28
Edit Destinations dialog box J-18
Edit Firewall Option dialog box J-23
Edit Firewall Rule dialog box J-6
Edit Firewall Rule Expiration dialog box J-29
editing 13-69
Edit Interface dialog box J-25, J-62
Edit Service dialog box J-21
Edit Sources dialog box J-15
empty
policy lookup from MARS 22-67
enabling 13-71
events lookup
checklist 22-120
fields provided to MARS 22-113
guidelines 22-116
historical events 22-111
keywords 22-109
large number of hashcodes 22-114
overview 22-113
viewing historical events 22-113
viewing realtime events 22-113
warning message 22-119
FWSM and 13-56
hashcodes
accuracy of syslog matches 22-113
hyperlink in rule numbers
read-only policy table 22-101
implicit
at the end of the access list 22-114
inbound
pre-NAT addresses 22-112
IOS routers and 13-57
logging events for an ACE 13-64
log message generation 22-114
looking up
from MARS events (prerequisites) 22-81
from MARS events (procedure) 22-81
looking up events
Query page, attributes 22-109
modified
after read-only policy display 22-69
modifying
query results in MARS 22-107
moving down 13-73
moving up 13-73
navigating from
ASDM syslog 22-44
SDM syslog 22-47
navigating to
historical events in MARS 22-126
realtime events in MARS 22-126
navigating to the first match
from syslog 22-42
notes 13-56
not synchronized with device 22-69
object grouping
events lookup and 22-117
on higher security interface, inbound
policy lookup 22-69
on lower security interface, inbound
policy lookup 22-69
policy query icon 22-67
on lower security interface, outbound
policy lookup 22-69
optimization
events lookup and 22-117
outbound
post-NAT addresses 22-112
PIX Firewalls, and 13-56
recognizing on devices 13-55
rule expiration 13-6
Show Destination Contents dialog box J-20
Show Interface Contents dialog box J-26
Show Service Contents dialog box J-23
Show Source Contents dialog box J-17
troubleshooting
using MARS events 22-106
unavailable on the device
for MARS syslogs 22-69
understanding 13-53, 13-56, 13-63
with NAT
MARS events lookup 22-112
without logging enabled
events matching a flow 22-114
with PAT
MARS events lookup 22-112
Access Rules page J-2
expanding objects
lookup from MARS events 22-88
highlighted row
after policy lookup from MARS 22-88
Login to CS-MARS dialog box 22-134
looking up
from MARS events 22-88
with Security Manager not installed 22-87
with Security Manager running 22-87
with Security Manager timed out 22-87
navigating
to historical events, matching destination 22-127
to historical events, matching flow 22-126
to historical events, matching rule 22-126
to historical events, matching source 22-127
to realtime events, matching flow 22-126
navigating from
to historical events, matching destination 22-127
to historical events, matching rule 22-124
to realtime events, matching rule 22-124
accounting
configuring on firewall devices 16-37
accounts and credentials
Cisco IOS routers
overview 15-72
accounts and credentials policies
Accounts and Credentials Policy page K-98
User Accounts dialog box K-100
ACL names
as keywords
in MARS events lookup 22-109
conflicts and resolutions 13-61
generating 13-57
identifying original 13-62
naming conventions 13-57
notes 13-62
preserving user-defined 13-59
ACLs
optimizing
caveats 13-51
notes 13-50
Actions Shortcut menu N-9
Active/Active failover
about 16-63, 16-64
command replication 16-65
configuration synchronization 16-65
Active/Standby failover 16-63
activities
accessing functions 8-9
Activity Manager window E-1
Activity Required dialog box E-10
Approve Activity dialog box E-8
Approved state 8-6
approving 8-3, 8-19
benefits of 8-2
closing 8-13
Create Activity dialog box E-6
creating 8-12
Discard Activity dialog box E-9
discarding 8-20
Edit state 8-5
in an editable state
and policy table lookup from MARS 22-52
locking 8-4
managing 8-1
multiple users 8-5
Openable Activities dialog box E-10
opening 8-13
policy table lookup
with Security Manager client active 22-65
Reject Activity dialog box E-8
Rejected state 8-6
rejecting 8-19
states 8-5
Submit Activity dialog box E-6
Submitted state 8-5
submitting for approval 8-18
understanding 8-1
user interface reference E-1
validating 8-16
viewing change reports 8-14
viewing status and history 8-21
working with 8-9
Activities menu 3-16
Activity Manager command 3-14
Activity Manager window E-1
Activity Required dialog box E-10
activity states E-4
Adaptive Security Appliances
See ASA devices
Add/Edit Collector dialog box
description 16-88, L-133, L-160
Add/Edit IGMP Join Group dialog box
description 16-101
Add/Edit IGMP Static Group dialog box
description 16-101
Add/Edit Multicast Route dialog box
description L-192, L-194
Add/Edit PIM Bidirectional Neighbor Filter dialog box
description L-201
Add/Edit PIM Neighbor Filter dialog box
description L-199
Add AAA Rules dialog box J-81
Add Access List dialog box N-110
Add an Entry dialog box N-68
Add Cat6k Block Vlan dialog box N-130
Add Certificate dialog box A-18
Add Custom Signature dialog box N-7
Add Device from Network wizard
Device Credentials page C-22
Add Devices to Group command 3-10
Add Devices to Group dialog box C-46
Add Event Action Filter dialog box
fields with
default values 22-97
values from MARS events 22-97
read-only signature policy page
in the MARS GUI 22-97
Add Firewall Rule dialog box J-6
Add Group dialog box C-47
Add Link command 3-13
Add Link dialog box B-19
Add Local Rules command 3-12
Add Map Object and Node Properties dialog boxes B-21
Add Map Object command 3-13
Add New Device wizard
Device Credentials page C-22
Add or Edit Status Providers dialog box A-48
Add Other Devices dialog box O-21
Add Permit Response dialog box F-276
Add Regular Expression dialog box F-457
Add Regular Expression Group dialog box F-453
address pools
defining 16-25
Address Resolution Protocol
See ARP
Add Row command 3-11
Add Rule Section dialog box J-173
Add Signature Parameter--List Entry Dialog Box N-67
Add Standard Access Control Entry dialog box F-45
Add Standard Access List page F-42
Add Transparent Firewall Rule dialog box J-137
Add User Group Selector dialog box I-47
Add User Profile dialog box N-122
Add Virtual Sensor dialog box N-135
Add Web Access Control Entry dialog box F-52
Add WebType Access List page F-49
admin context
in Performance Monitor
deleting 22-20
importing 22-20
overview 16-117
administering Performance Monitor
event thresholds, working with 22-28
administration
See also managing user accounts
selecting router policies to manage 7-47
administrative settings, configuring 21-2
Admin role
adding Security Manager
to MARS 22-75
ADSL
ADSL Policy page K-42
ADSL Settings dialog box K-44
defining settings 15-40
supported operating modes 15-39
Advanced dialog box
access rules J-11
AES encryption algorithm
in IKE proposals 10-68
in VPN SPA 10-42
aging timer
path MTU discovery 10-44
AIM-IPS interfaces
AIM-IPS Interface Settings page K-34
AIM-IPS module
credentials C-31
AIM-IPS Module Discovery dialog box C-31
Alarm Indication Signal (AIS) cells 15-52
Alarm Information table
description 22-40
Alert Aggregation table
description 22-40
Allowed host
use of 18-6
Allowed Hosts page N-109
Analysis Engine global variables
configuring 18-10
Analysis Engine tab N-118
analysis reports
generating 13-9
understanding 13-7
Analysis Reports page J-176
anomaly detection
limiting false positives N-78
worm attacks N-78
Anomaly Detection page N-70
anti-spoofing 16-110
anti-virus software policies
modifying
for device manager 22-9
appended CLI commands 20-2
Apply IPS Update command 3-15
Apply IPS Update wizard A-28
Approve Activity command 3-17
Approve Activity dialog box E-8
Approved activity state 8-6
Approve Deployment Job dialog box O-26
approvers 2-26
associating with user account
for policy lookup from MARS 22-74
archiving
IEV log files 22-37
area border routers 16-106
ARP
Layer 2 signatures N-29
protocol N-29
ARP requests
and CPU usage 22-24
ARP spoof tools
dsniff N-29
ettercap N-29
ARP table
static entry L-65, L-67
ASA
rollback, commands to recover from failover misconfiguration 19-58
rollback command conflicts 19-56
rollback restrictions for failover devices 19-53
rollback restrictions for multiple context mode 19-52
ASA devices
See also PIX/ASA/FWSM Platform policies
AAA support 9-24
adding SSL thumbprints manually 6-25
defining
DNS server IP address 11-23
enabling
DNS lookups 11-23
events lookup
ACE hashcodes 22-109
models supported
VPN cluster load balancing 11-25
outside IP addresses
associated with DNS entry 11-23
SSL certificate configuration A-16
supported OS versions
redirection using FQDNs 11-24
supported software versions
for policy and events lookup 22-73
syslog messages
looking up Access Rules page 22-43
table of AAA services 9-26
use of Kerberos 9-25
use of LDAP servers 9-25
use of NT servers 9-25
use of SDI servers 9-25
VPN cluster load balancing
3DES/AES license 11-25
overview 11-23
with multiple contexts
and policy lookup from MARS 22-54
MARS events lookup 22-117
prerequisite for policy table lookup 22-54
ASA User Group dialog box F-56
Auto Signon Rules F-75
Client Access Rules dialog box F-67
Client Configuration settings F-59
Client Firewall Attributes F-60
Connection settings F-80
DNS/WINS settings F-76
Hardware Client Attributes F-63
IPsec Settings F-65
Split Tunneling settings F-78
SSL VPN Clientless Settings F-68
SSL VPN Full Tunnel Settings F-71
SSL VPN General Settings F-73
SSL VPN Thin Client Settings F-70
Technology settings F-56
ASA User Group objects
ASA User Groups page F-55
Auto Signon Rules F-75
Client Access Rules dialog box F-67
Client Configuration settings F-59
Client Firewall Attributes F-60
Connection settings F-80
creating 9-44
DNS/WINS settings F-76
Hardware Client Attributes F-63
IPsec Settings F-65
Split Tunneling settings F-78
SSL VPN Clientless Settings F-68
SSL VPN Full Tunnel Settings F-71
SSL VPN General Settings F-73
SSL VPN Thin Client Settings F-70
Technology settings F-56
understanding 9-42
ASA User Groups page F-55
ASA User Groups Policy page I-46, I-47
ASBR
definition of 16-106
ASDM
connection graphs 22-5
connection-related messages 22-43
home page, viewing 22-5
Log Buffer panel 22-44
managing
ASA devices 22-5
firewalls 22-5
FWSM 22-5
multiple instances of 22-5
overview 22-5
performance monitoring and 22-5
Real-time Log Viewer panel 22-46
starting from Security Manager 22-5
syslog messages
navigating to access rule in Security Manager 22-42
ASDM home page
at-a-glance monitoring 22-5
dynamic dashboard and 22-5
ASDM instances
maximum number of
for all firewall contexts 22-8
for all FWSM contexts 22-8
ASDM sessions
exceeding the limit 22-8
assignment overview 1-11
Assignments tab D-29
Assign Shared Policy command 3-12
Assign Shared Policy dialog box D-3
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 15-38
Asynchronous Transfer Mode (ATM) 15-46
ATM 15-46
virtual channel connections (VCCs) 15-47
virtual channel identifier (VCI) 15-47
virtual path connections (VPCs) 15-47
virtual path identifier (VPI) 15-47
Atomic ARP engine
described N-29
parameters (table) N-29
Atomic IP engine
parameters (table) N-21
audit logs
configuring default settings A-39
purging entries 21-17
understanding 21-15
working with 21-14
Audit Message Detail dialog box E-12
Audit Report command 3-15
audit reports
generating and viewing 21-16
understanding 21-15
working with 21-14
Audit Report window E-12
AUS
See Auto Update Servers 5-13
authentication
configuring on firewall devices 16-37
of MARS for policy lookup
Security Manager deleted from MARS 22-63
of MARS with Security Manager
for events lookup 22-108
of Performance Monitor 22-16
of Security Manager with MARS
error message 22-108
successful 22-108
authentication methods
in IKE proposals 10-70
preshared keys 10-70
RSA signatures 10-70
authentication settings
events lookup
allowing saving of credentials 22-107
Security Manager user account not in MARS 22-118
using MARS credentials 22-107
using Security Manager credentials 22-107
for events lookup
Security Manager credentials 22-123
for MARS to access
Security Manager 22-74
policy table lookup
allow saving of credentials 22-79
using MARS credentials 22-79
using Security Manager credentials 22-79
authentication testing
SSH 5-10
authorization
configuring on firewall devices 16-37
AuthProxy dialog box
AAA rules J-99
AuthProxy General tab (IOS) J-161, J-164
AuthProxy page J-161
autolink
omitting reserved networks from maps A-2
Auto Signon Rules
ASA User Group objects F-75
Auto Update Servers
configuring AUS settings on firewall devices 16-72
deploy using 19-24
licensing 21-5
managing 6-19
Server Properties dialog box C-15
setting up 5-13
using to deploy to ASA devices 19-13
using to deploy to PIX firewalls 19-13
Available Bit Rate (ABR) 15-48
Available Servers dialog box C-18
B
background image, map
deleting 4-14
importing 4-13
overview 4-13
scale and position 4-15
setting 4-14
backslash
when defining subinterfaces 9-135
Backup command 3-16
backups, Security Manager database 21-18
backward compatibility
of policy table lookup
with Security Manager 3.0.x, 3.1.x 22-61
banners
Banner page L-80
configuring on firewall devices 16-43
benefits of product 1-3
BGP routing
BGP Routing Policy page K-219
defining routes 15-180
Neighbors dialog box K-222
on Cisco IOS routers 15-179
redistributing routes 15-182
Redistribution Mapping dialog box K-224
Redistribution tab K-223
Setup tab K-220
blocking
definition of 18-11
Blocking page N-119
boot image and configuration settings
configuring on firewall devices 16-45
bootstrapping
devices
for events lookup 22-121
for policy lookup 22-71
Security Manager server
for communication with MARS 22-74
for policy lookup 22-72
bootstrapping devices
integration with Performance Monitor 22-20
managed by MARS 22-71
bridge groups
defining 15-78
bridging
Cisco IOS routers
Bridge Group dialog box K-103
Bridging Policy page K-102
BVI interfaces 15-76
overview 15-75
PIX/ASA/FWSM
Add/Edit ARP Inspection dialog box L-69
Add/Edit ARP Table Entry dialog box L-67
Add/Edit MAC Learning dialog box L-73
Add/Edit MAC Table Entry dialog box L-71
ARP Inspection page L-68
ARP Table page L-65
configuring on 16-34
MAC Address Table page L-70
MAC Learning page L-72
Management IP page L-74
browser settings
File Download dialog box 22-88
reusing windows
for events lookup 22-119
saving in trusted folder
SSL certificate of MARS 22-129
C
caching
device manager image 22-7
MARS events
sessionization 22-66
MARS login credentials
during events lookup 22-119
policy rules
in read-only policy window 22-65
reusing query results 22-65
Security Manager credentials
until MARS session is active 22-63
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 10-87
Cat6k Device dialog box N-129
Catalyst 6500/7600 devices
configuring FWSM on 10-48
configuring SSH 5-11
configuring VPNSM on 10-39
configuring VPN SPA on 10-41
default transport protocol A-15
deployment 19-32
path MTU discovery
on tunnel interface 10-44
packet fragmentation 10-44
policy discovery 7-8
rollback restrictions 19-53
supported IOS versions
for path MTU discovery 10-44
Catalyst 6500 Series switches
See Catalyst switches and Cisco 7600 Series routers
Catalyst 6K tab N-129
Catalyst platform policies
general reference M-1
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes M-43
Create and Edit IDSM EtherChannel VLANs dialog boxes M-42
IDSM Settings page M-40
IDSM Slot-Port Selector dialog box M-44
interfaces/VLANs policy
Access Port Selector dialog box M-8
Create and Edit Interface dialog boxes-Access Port mode M-16
Create and Edit Interface dialog boxes-Dynamic Port mode M-28
Create and Edit Interface dialog boxes-Other mode M-35
Create and Edit Interface dialog boxes-Routed Port mode M-20
Create and Edit Interface dialog boxes-subinterfaces M-33
Create and Edit Interface dialog boxes-Trunk Port mode M-23
Create and Edit VLAN dialog boxes M-5
Create and Edit VLAN Group dialog boxes M-11
Interfaces/VLANs page M-3
Interfaces tab M-14
Service Module Slot Selector dialog box M-12
Summary tab M-38
Trunk Port Selector dialog box M-9
VLAN Groups tab M-10
VLAN Selector dialog box M-13
VLANs tab M-4
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes M-49
Create and Edit VLAN ACL dialog boxes M-47
VLAN Access Lists page M-45
Catalyst Summary Info command 3-15
Catalyst switches and 7600 Series routers
access ports 17-8
Catalyst Summary Info page M-1
configuring SSH 5-11
default transport protocol A-15
defining IDSM Data Port VLANs 17-28
defining IDSM EtherChannel VLANs 17-25
defining ports 17-9
defining VACLs 17-21
defining VLAN groups 17-17
defining VLANs 17-14
deleting IDSM Data Port VLANs 17-30
deleting IDSM EtherChannel VLANs 17-27
deleting ports 17-12
deleting VACLs 17-23
deleting VLAN groups 17-18
deleting VLANs 17-16
discovering policies 17-6
generating interface names 17-11
IDSM settings 17-24
IDSM Settings page M-40
including in deployment jobs O-14
interfaces 17-8
Interfaces/VLANs page M-3
managing 17-1
migrating inventory from earlier release 17-2
migrating unmanaged service modules 17-5
routed ports 17-8
showing modules and security contexts 6-28
supported software versions
for policy and events lookup 22-73
trunk ports 17-8
viewing configuration summary 17-31
VLAN Access Lists page M-45
VLAN ACLs (VACLs) 17-19
VLAN groups 17-16
VLANs 17-13
Catalyst VPN Services Module (VPNSM)
configuring 10-45
configuring in remote access VPNs 11-16
defining settings (site-to-site VPN) G-21
understanding configuration 10-39
VPNSM/VPN SPA Settings dialog box H-23
VPNSM blade configuration 10-39
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring a VPN SPA blade 10-45
configuring in remote access VPNs 11-16
defining settings (site-to-site VPN) G-21
path MTU discovery
crypto maps 10-44
enabling 10-44
supported IOS versions for 10-44
understanding configuration 10-41
VPNSM/VPN SPA Settings dialog box H-23
categories
editing 9-48
understanding 9-48
category objects
Categories page F-82
Category Editor dialog box F-83
cautions
significance of iii-lxxxvi
certificate comparison
by MARS
conflict detection 22-62
storing a fresh copy after prompting 22-62
storing a fresh copy automatically 22-62
certificates
presented by Security Manager
compared by MARS during policy lookup 22-62
certificates, SSL
adding thumbprints manually 6-25
configuring default settings for how handled A-16
Certification Authority (CA) servers
naming guidelines 9-158
Change Report dialog box E-11
change reports, viewing 8-14
Change Reports command 3-16
Cisco 7600 Series routers
See Catalyst switches and 7600 Series routers
Cisco Adaptive Security Device Manager
See ASDM
Cisco Discovery Protocol (CDP) K-30
Cisco Express Forwarding (CEF)
importance for QoS 15-152
Cisco IOS devices
access lists with
log-input keyword 22-43
log keyword 22-43
syslog messages
looking up Access Rules page 22-43
Cisco IOS routers
802.1x 15-127
AAA 15-66
access lists with
log-input keyword 22-58
log keyword 22-58
access rule lookup
from MARS 22-50
accounts and credentials 15-72
ADSL 15-38
advanced interface settings 15-28
available interface types 15-21
basic interface settings 15-20
BGP routing 15-179
configuring SSH 5-11
CPU settings 15-81
default AAA server groups 9-17
dialer interfaces 15-33
discovering policies 15-4
Domain Name System (DNS) 15-105
Dynamic Host Configuration Protocol (DHCP) 15-117
EIGRP routing 15-184
host and domain names 15-107
HTTP 15-83
IOS 12.1 and 12.2 15-3
line access 15-87
logging 15-144
managing 15-1
memory settings 15-108
NAT 15-5
Network Admission Control (NAC) 15-134
Network Time Protocol (NTP) 15-124
optional SSH settings 15-98
OSPF routing 15-192
permanent virtual connections (PVCs) 15-46
platform policies 15-1
Point-to-Point Protocol (PPP) 15-58
policy discovery 7-8
quality of service (QoS) 15-151
RIP routing 15-208
Secure Device Provisioning (SDP) 15-110
SHDSL 15-43
SNMP 15-101
static routing 15-215
supported software versions
for policy and events lookup 22-73
supported syslog IDs
for policy lookup 22-59
time zone settings 15-79
transparent bridging 15-75
Cisco IOS Software
selecting policy types to manage 7-47
Cisco IPS Event Viewer service
enabling with IEV 22-34
Cisco Networking Services (CNS) 19-26
Cisco Networking System (CNS)
using to deploy to IOS routers 19-13
Cisco Network Security Database
See NSDB
Cisco PIX Firewalls
See PIX/ASA/FWSM Platform policies
Cisco Router and Security Device Manager
See SDM
Cisco Secure Access Control Server (ACS)
adding users 2-37
associating user roles and permissions 2-31
customizing user roles 2-30
default roles 2-29
integrating with Security Manager 2-33
integration checklist 2-35
integration requirements 2-34
performing integration 2-37
performing integration in CiscoWorks 2-46
registering Security Manager 2-50
understanding user permissions 2-1
Cisco Secure Access Control Server (ACS) integration 2-33
adding managed devices 2-53
adding system administrator 2-37
checklist of tasks 2-35
configuring CiscoWorks AAA mode 2-49
configuring NDGs 2-53
creating administration control user 2-45
creating local users in CiscoWorks 2-46
customizing user roles 2-30
defining system identity user 2-47
list of ACS procedures 2-37
list of CiscoWorks procedures 2-46
list of requirements 2-34
restarting Daemon Manager 2-50
Cisco Secure Access Control Server (ACS) user interface
Add Administrator page 2-46
Administration Control page 2-45
Group Setup page 2-54
New Network Device page 2-44
Shared Components page 2-30
User Setup page 2-38
Cisco Secure ACS
access settings for
MARS appliance 22-74
roles for
policy table lookup 22-74
Cisco Secure Desktop (CSD)
configuring in SSL VPN
on an ASA device 12-44
on an IOS router 12-15
Cisco Secure Desktop page I-48
Cisco Security Agent
icon, waving
disallowing device manager 22-13
IEV and modifying policy 22-32
Messages tab
xdm-launcher.exe 22-12
modifying policies
for device manager 22-9
modifying policy for IEV
automatically 22-32
manually 22-32
not installed on Security Manager server
automatically modifying policy for IEV 22-32
preexisting on Security Manager server
manually modifying policy for IEV 22-32
security level
starting device manager 22-12
starting device manager
allowing xdm-launcher.exe 22-12
untrusted applications
xdm-launcher.exe 22-13
Cisco Security Management Suite server
logging in to or exiting 1-13
Cisco Security Manager Policy Query page
See read-only policy table
Cisco Security MARS
See MARS
Cisco Technical Assistance Center
creating diagnostic file 21-19
Cisco Trust Agent (CTA) 15-136
CiscoWorks Common Services
assigning roles to users 2-27
associating user roles and permissions 2-31
available user roles 2-26
backing up and restoring Security Manager 21-18
configuring AAA mode 2-49
creating local user for Cisco Secure ACS 2-46
defining system identity user 2-47
logging in to or exiting 1-13
performing integration for Cisco Secure ACS 2-46
registering Security Manager with Cisco Secure ACS 2-50
understanding user permissions 2-1
CiscoWorks Common Services user interface
AAA Setup Mode page 2-49
Local User Setup page 2-46
System Identity Setup page 2-47
Class-Based Policing 15-159
CLI commands
appended commands 20-2
in FlexConfigs 20-2
prepended 20-2
Client Access Rules dialog box
ASA User Group objects F-67
Client Configuration settings
ASA User Group objects F-59
client connection characteristics
Client Connection Characteristics page G-82
configuring policies for Easy VPN 10-120
Client Firewall Attributes
ASA User Group objects F-60
clientless access mode 12-3
clock
Cisco IOS routers
overview 15-79
configuring on firewall devices 16-46
clock settings
Cisco IOS routers
Clock Policy page K-104
Clone Device command 3-9
cloning devices
in VPN topologies 10-23
Close Activity command 3-16
cluster load balancing
configuring 11-23
PIX7.0/ASA Cluster Load Balance page H-45
redirection using FQDNs
3DES/AES 11-25
ASA outside IP addresses 11-23
instead of IP addresses 11-24
OS versions supported 11-24
overview 11-22
reverse DNS lookup 11-23
understanding 11-21
CNS
setting up 5-16
CNS-Configuration Engine Properties dialog box C-15
collectors, NetFlow 16-88
color-coding
keywords
for first ten occurrences 22-129
query results page of MARS 22-129
combining rules 13-12
Combine Rules Results Summary dialog box J-211
Combine Rules Selection Summary dialog box J-210
criteria notes 13-14
defining criteria 13-15
Rule Combiner Detail Report J-215
summary results 13-16
commands
Activities menu 3-16
Edit menu 3-10
Edit menu, table commands 3-29
File menu 3-9
Help menu 3-17
Map menu 3-13
Policy menu 3-12
Tools menu 3-14
View menu 3-11
Common Services
AAA authentication for
MARS appliance 22-74
licensing 21-5
MARS user account, creating 22-74
MARS user not defined in
policy lookup 22-64
user account not defined in
logging in to MARS 22-64
Common Services roles
policy table lookup from MARS
Help Desk role 22-62
communication
between IEV client and server 22-34
configuration
frequently asked questions 19-17
initial Security Manager 1-15
understanding rollback 19-50
Configuration Archive
adding configurations from devices 19-48
rolling back to archived configuration files 19-60
settings A-3
version viewer O-40
viewing and comparing configuration versions 19-49
window O-37
Configuration Archive command 3-16
Configuration Archive page A-3
configuration changes
and high CPU usage 22-24
Configuration Engine
managing 6-19
configuration files
deploying in non-Workflow mode 19-32
deploying in Workflow mode 19-34, 19-41
factory-default configurations 16-2
previewing 19-43
redeploying to devices 19-43
rolling back to archived configurations 19-60
selecting 3-31
configurations
adding to the Configuration Archive 19-48
rollback, commands to recover from failover misconfiguration 19-58
rollback command conflicts 19-56
rolling back 19-50
rolling back Catalyst 6500/7600 19-53
rolling back failover devices 19-53
rolling back IPS and IOS IPS 19-54
rolling back multiple context mode 19-52
rolling back to devices 19-58
viewing and comparing 19-49
configuration views 1-8
Configure DNS dialog box
inspection rules J-67
Configure ESMTP dialog box
inspection rules J-70
Configure Fragments dialog box
inspection rules J-71
Configure Hardware Ports L-63
Configure IMAP dialog box
inspection rules J-72
Configure POP3 dialog box
inspection rules J-73
Configure RPC dialog box
inspection rules J-74
Configure SMTP dialog box
inspection rules J-68
Config Version Viewer (Preview Configuration) dialog box O-24
connection establishment messages
looking up access rules from MARS 22-51
looking up from access rules
matching a flow 22-113
connection protocol
between MARS and Security Manager
for policy table lookup 22-51
with device manager 22-7
with MARS 22-79
with Performance Monitor 22-16
connection-related messages
access rule lookup from MARS 22-51
contents 22-43
generated by
ASA devices 22-43
FWSM blades 22-43
outbound traffic, policy lookup 22-68
generation, interval 22-43
ICMP
access rule lookup from MARS events 22-56
management traffic
NP Identity Ifc keyword 22-56
number of matches
for access rule lookup 22-56
TCP
access rule lookup from MARS events 22-55
UDP
access rule lookup from MARS events 22-55
Connection settings
ASA User Group objects F-80
connection setup message
and session termination 22-55
common ID with teardown message 22-55
defining 22-55
connection teardown messages
2-minute gap with
connection setup 22-68
and corresponding setup syslog 22-55
direction details 22-55
in a different session from setup 22-68
looking up access rules from MARS 22-51
looking up from access rules
for a traffic flow 22-113
pre-NATed addresses 22-55
realtime event viewer 22-68
connection timeout
device communication settings A-14
connectivity, testing device 6-21
connectivity failure
from MARS to Security Manager
error message 22-62
connectivity protocol
between Security Manager and MARS
for events lookup 22-107
connectivity test
between MARS and Security Manager
configuring administrative host 22-80
correct credentials 22-80
error message 22-80
failure due to incorrect credentials 22-63
success 22-80
console
Cisco IOS routers
AAA tab K-121
Accounting tab K-125
Authentication tab K-121
Authorization tab K-123
Console Policy page K-117
Setup tab K-118
console port
Cisco IOS routers
defining AAA settings 15-90
defining setup parameters 15-87
console timeout settings
configuring on firewall devices 16-50
Constant Bit Rate (CBR) 15-48
contact credentials
configuring on firewall devices 16-48
contained modules
showing 6-28
Context Data events
looking up
from signature policies 22-115
on IPS and IDS sensors
policy query icon and 22-60
contexts
See security contexts
continuity check (CC) cells 15-52
control plane (CP)
defining QoS on 15-168
policing on 15-163
control plane policing 15-163
conventions iii-lxxxv
Copy command 3-10
Copy Policies Between Devices command 3-12
Copy Policies wizard
Copy Policies from this Device page D-6
Copy Policies to these Devices page D-9
Select Policies to Copy page D-7
understanding D-6
CPU settings
defining utilization settings 15-82
overview 15-81
CPU usage
associated with services 22-25
causes for increase in
configuration change 22-24
debugging 22-24
disabling STP 22-24
excessive ARP requests 22-24
interrupt level 22-24
more VLANs 22-24
processes with high priority 22-24
security issues 22-24
TCP timer 22-24
description 22-24
increase on
Catalyst 6500/6000 switches 22-24
routers 22-24
show logging exec command
checking 22-24
throttles, overloaded router 22-24
CPU utilization
CPU Policy page K-107
Create a Clone of Device dialog box C-34
Create Activity dialog box E-6
Create a Policy dialog box D-30
Create Filter dialog box C-1
Create Overrides for Device dialog box F-599
Create Text Object dialog box P-14
Create VPN Topology wizard G-8
credential objects
creating 9-50
understanding 9-49
credentials
AIM-IPS module C-31
service module C-28
specifying for device manager 22-10
testing 6-21
understanding device 6-4
validation for device manager
error message 22-10
Credentials objects
Credentials dialog box F-85
Credentials page
HTTPS port number
overriding with HTTP policy C-41
Credentials page (Devices) C-39
Credentials page (Policy Objects) F-84
cross-launch authentication settings
for events lookup
disabling saving of credentials 22-123
using MARS login credentials 22-123
using Security Manager credentials 22-123
for policy lookup
allow saving of credentials 22-79
prompting user for credentials 22-79
using MARS credentials 22-79
modifying
to disable saving of Security Manager credentials 22-64
saving in MARS
for Security Manager not added 22-75
cross-launching
Security Manager client
from MARS events 22-49
without secure connection 22-62
crypto engine slot command 10-42
crypto engine slot slot/subslot {inside | outside} command
VRF-Aware IPsec 10-42
crypto maps
dynamic 10-73
in IPsec proposals 10-73
on interface VLANs
IPsec VPN SPAs 10-44
static 10-73
CS-MARS
changing server used by device 6-27
configuring 1-25
configuring servers A-4
discovering server used by device 6-27
CS-MARS page A-4
authentication, configuring
to query events 22-123
configuring MARS devices
for querying events 22-123
CsmContentProvider file
downloading
during policy lookup 22-88
File Download dialog box
preventing from appearing 22-88
CSMDiagnostics.zip
setting debug options A-7
CSM tab, Licensing page A-34
CSV file
adding devices from
to Performance Monitor 22-20
Customize Desktop Settings page A-7
Custom Protocol dialog box
inspection rules J-69
custom signatures
policy lookup for 22-60
unknown device event type 22-94
Cut command 3-10
D
Daemon Manager
not running on Security Manager
policy table lookup 22-62
restarting after Cisco Secure ACS integration 2-50
database
backing up and restoring 21-18
data polling
CPU usage 22-25
for incremental changes 22-17
VPN tunnel status 22-23
data redundancy
of Security Manager and IEV 22-33
Days of Week dialog box N-74
DCE/RPC policy map objects
creating 9-74
understanding 9-73
DCE/RPC Policy Maps
Add DCE/RPC dialog box F-201
DCE/RPC Maps page F-200
Edit DCE/RPC dialog box F-201
DCR
adding devices from
to Performance Monitor 22-20
DCS properties file, SSH settings 6-26
DDNS
configuring on firewall devices 16-80
DDoS
protocols N-66
Stacheldraht N-66
TFN N-66
dead-peer detection (DPD) 10-79
debugging
configuring debug levels A-7
high CPU usage and 22-24
Debug Options page A-7
defaults, configuring 21-2
default virtual sensor
vs0 18-15
Delete Device command 3-9
Delete Map command 3-13
Delete Map dialog box B-13
Delete Row command 3-11
Deploy command 3-10
Deploy Job dialog box O-27
deployment
Abort the Job dialog box O-30
Add Other Devices dialog box O-21
Catalyst 6500/7600 devices 19-32
clearing XLATE on 16-116
configurations 19-32
configuring status provider 1-24
creating or editing schedules 19-46
Deploy Job dialog box O-27
Deployment—Create or Edit a Job dialog box O-15
device communication settings 6-24
Edit Deploy Method dialog box O-19
Edit Selected Deployment Method dialog box O-19
errors
OS version mismatches 19-14
frequently asked questions 19-17
handling OS version mismatches 19-14
IPsec on VPNs
using RADIUS 10-119
managing 19-1
maximum number of devices 19-21
methods 19-11
non-Workflow mode 19-3
Deploy Saved Changes dialog box O-13
of access rule changes
synchronization with device 22-66
Redeploy a Job dialog box O-31
Rollback a Job dialog box O-33
rolling back configurations 19-50
rolling back configurations, Catalyst 6500/7600 19-53
rolling back configurations, command conflicts 19-56
rolling back configurations, commands to recover from failover misconfiguration 19-58
rolling back configurations, failover devices 19-53
rolling back configurations, IPS and IOS IPS devices 19-54
rolling back configurations, multiple context mode 19-52
Submit Deployment Job dialog box O-25
suspending or resuming schedules 19-47
system settings A-9
taskflow
non-Workflow mode 19-3
Workflow mode 19-6
to devices 19-11
to files 19-14
understanding 19-1
understanding configuration rollback 19-50
using a Cisco Networking Services (CNS) server 19-26
using an Auto Update Server (AUS) 19-24
using a Token Management Server (TMS) 19-21
viewing device details 19-30
viewing job summary 19-30
viewing status and history for jobs and schedules 19-30
Warning - Partial VPN Deployment dialog box O-22
Workflow mode 19-5, 19-34, 19-41
Deployment—Create or Edit a Job dialog box O-15
Deployment Manager window O-4
working with 19-29
Deployment—Create or Edit a Job dialog box O-15
deployment jobs
aborting 19-45
approval 19-9
approving 19-39
benefits of 19-2
creating and editing 19-36
discarding 19-42
including devices in 19-10
multiple users 19-10
redeploying 19-43
rejecting 19-39
states
non-Workflow mode 19-5
Workflow mode 19-7
submitting 19-39
viewing history 19-30
Deployment Manager command 3-14
Deployment Manager window
Deployment Schedules tab O-9
Deployment Manager window in non-Workflow mode O-1
Deployment Manager window in Workflow mode O-4
Deployment Schedules tab O-9
Deployment Settings page A-9
Deployment Status Details dialog box O-28
deployment transport protocols
for ASA devices 19-12
for Catalyst 6500/7600 devices 19-12
for IOS routers 19-12
for PIX firewalls 19-12
Deployment Workflow Commentary dialog boxes O-26
Deploy Saved Changes dialog box O-13
DES encryption algorithm
in IKE proposals 10-68
Dest Port Map dialog box N-76
device
admin contexts
deleting from Performance Monitor 22-20
importing into Performance Monitor 22-20
export inventory 6-31
showing contained modules 6-28
viewing inventory status 6-30
device access
configuring on firewall devices 16-49
Device Access policies N-109
device access policies
defining 15-73
device administration policies
configuring on firewall devices 16-36
Device Admin policies N-108
device authentication
adding SSL thumbprints manually 6-25
SSL certificate default configuration A-16
Device Communication page A-14
device communication settings
connection timeout A-14
managing 6-24
retry count A-14
socket read timeout A-15
device connectivity error
device manager and 22-11
Device Connectivity Test dialog box C-27
device credentials
starting device manager and 22-10
understanding 6-4
Device Credentials page C-22
Device Delete Validation page C-33
Device Grouping page C-32
device groups 6-40
adding or removing devices 6-41
adding to Performance Monitor 22-20
creating group types 6-39
definition in Performance Monitor 22-20
deleting groups or types 6-40
understanding 6-36
working with 6-36
Device Groups page A-18, C-42
Device Information page - Add Device from File C-19
Device Information page - Configuration File C-10
Device Information page - Network C-5
Device Information page - New Device C-12
device inventory
exporting
DCR and CS-MARS formats 6-32
overview 6-31
using command line utility 6-33
managing 6-1
testing device connectivity 6-21
understanding 6-1
user interface reference C-1
working with 6-8
device lists
adding sensors 22-36
deleting sensors 22-36
device lookup
for policy query from MARS
discovered devices 22-53
multiple matching hostnames 22-54
parameters passed 22-53
renaming device name 22-54
reporting IP address 22-54
single matching hostname 22-54
without domain name 22-54
device manager
and exiting Security Manager 22-7
and Security Manager communication
enabling HTTPS on the device 22-10
associating user roles and permissions 22-8
Cisco Security Agent
modifying policies 22-9
communicating with Security Manager 22-7
connection protocol 22-7
error message 22-11
exiting 22-10
guidelines for working 22-8
hardware requirements 22-13
instances of 22-7
interception of requests from 22-7
interoperability with device software version 22-13
latest IOS versions, support for 22-9
memory impact on
Security Manager client 22-9
Security Manager server 22-9
multiple instances
from different clients 22-8
on the same client 22-8
out-of-band change and 22-2
preferences across sessions 22-10
prerequisites for starting 22-11
progress of the launch 22-13
read-only view 22-2
running show commands 22-10
starting
for virtual sensors 22-10
from Security Manager 22-2
guidelines 22-7
one instance per device per client 22-8
procedure 22-11
without image installed 22-8
without management IP address 22-9
syslog
navigating to Security Manager 22-42
Tools menu
show commands 22-10
uninstalling 22-2
versions supported for device software 22-14
Device Manager command 3-15
device manager image
caching 22-7
default location 22-2
downloading from server 22-7
shipping with Security Manager server 22-2
supported versions (table) 22-14
device manager window
inactive 22-7
minimized 22-7
Device OS Management command 3-15
device OS version
device manager interoperability with 22-13
Device Properties
Credentials page C-39
Device Groups page C-42
General page C-36
Policy Object Override pages
general reference C-42
device properties
changing 6-23
understanding 6-6
viewing 6-23
Device Properties command 3-14
Device Properties page
creating object overrides 9-216
deleting a MARS appliance 22-118
deleting overrides 9-219
discovering
MARS 22-117
overview C-36
Device properties page
selecting a MARS device
from a list 22-118
device reachability
description 22-19
viewing from
Inventory Status window 22-21
devices
access rule lookup
from MARS 22-50
added to MARS only
policy lookup 22-67
adding 6-8
adding configurations to the Configuration Archive 19-48
adding from configuration files 6-13
adding from export file 6-16
adding from network 6-10
adding manually 6-14
adding to MARS 22-71
adding to Performance Monitor
from CSV file 22-20
from DCR 22-20
manually 22-20
assigning shared policies 7-32
bootstrapping
for policy lookup 22-71
managed by MARS 22-71
changing CS-MARS server 6-27
cloning 6-29
communication requirements 5-1
communication settings and certificates 6-24
configuring local policies 7-19
copying policies between 7-21
copying shared policies 7-35
creating policy object overrides 9-216
deleting from inventory 6-30
deleting policy object overrides 9-219
deploying to dynamically addressed 19-13
deployment to 19-11
discovered but not submitted
policy lookup, error 22-67
discovering CS-MARS server 6-27
discovering policies 7-7
discovering policies on existing devices 7-10
duplicating
see cloning 6-29
dynamic IP addresses 6-19
including in deployment jobs O-14
including in deployment jobs or schedules 19-10
including in jobs O-17
in MARS
multiple matches during policy lookup 22-51
no match during policy lookup 22-51
time synchronization, recommendation 22-70
managed by MARS and Security Manager
running compatible software version 22-70
managed by Security Manager
preparing for policy lookup 22-71
management traffic
between MARS and 22-70
managing operating system 6-35
maps
adding existing managed 4-18
adding new managed 4-17
displaying devices from Device view 4-19
displaying managed 4-17
showing containment for Catalyst switches, ASA, PIX devices 4-18
mitigation
monitored by MARS 22-70
modifying policy assignment 7-38
modifying shared policies 7-37
monitored by
multiple MARS appliances 22-107
one MARS appliance 22-107
monitoring
enabling and disabling in Performance Monitor 22-21
not added to MARS
events lookup, error 22-116
notification traffic
between MARS and 22-70
policy status icons 7-20
preparing for management 5-1
redeploying configuration files to 19-43
renaming policies 7-36
replacing policies 7-32
reporting
monitored by MARS 22-70
rolling back configurations 19-58
sharing multiple policies 7-29
show commands
accessing from device manager 22-10
signature policies
unassigned from 22-117
software versions
supported by MARS and Security Manager 22-72
synchronization with
changed policies 22-66
testing connectivity 6-21
unassigning policies 7-23
unsharing policies 7-31
validating
scheduling device validations 22-20
validation by Performance Monitor 22-20
versions supported for policy lookup
by MARS and Security Manager 22-66
viewing configuration
from device manager 22-10
with IP address and hostname
for events lookup 22-109
with matching hostname
policy lookup from MARS 22-54
with matching IP address
policy lookup from MARS 22-54
with multiple contexts
Device Properties page 22-54
differing host and context names 22-54
logging configuration 22-58
policy query icon 22-61
reporting IP address in MARS 22-61
setting hostname for policy lookup from MARS 22-54
without a unique match
policy lookup from MARS 22-54
without matching host and domain names
policy lookup from MARS 22-54
Device selector
Access Rules page
for events lookup 22-134
device selector
filtering 3-20
Device view
assigning shared policies 7-32
configuring local policies 7-19
copying policies between devices 7-21
copying shared policies 7-35
editing site-to-site VPN policies in 10-65
managing policies 7-18
managing VPN devices in 10-62
modifying policy assignments 7-38
modifying shared policies 7-37
overview 1-8
policy banner 7-26
policy status icons 7-20
renaming policies 7-36
sharing local policies 7-28
sharing multiple policies 7-29
Site-to-Site VPN Topologies page G-85
unassigning policies 7-23
understanding 6-2
understanding basic policy management 7-18
understanding shared policies 7-25
unsharing policies 7-31
Device View command 3-11
DHCP
Cisco IOS routers
defining address pools 15-123
defining policies 15-121
DHCP Database dialog box K-170
DHCP Policy page K-167
IP Pool dialog box K-171
overview 15-117
understanding database agents 15-118
understanding option 82 15-119
understanding relay agents 15-119
understanding secured ARP 15-120
PIX/ASA/FWSM
configuring DHCP relay 16-74
configuring DHCP servers 16-75
diagnostics
setting debug options A-7
diagnostics file, creating 21-19
dial backup
configuring 10-37
configuring in Easy VPN 10-109
Dial Backup Settings dialog box G-32
understanding 10-36
dialer interfaces
defining BRI properties 15-36
defining profiles 15-34
Dialer Physical Interface dialog box K-40
Dialer Policy page K-36
Dialer Profile dialog box K-38
on Cisco IOS routers 15-33
Diffie-Hellman groups
in IKE proposals 10-69
Digital Subscriber Line (DSL) 15-38
digital subscriber line-access multiplexer (DSLAM) 15-38
directed broadcasts
enabling K-33
Discard Activity command 3-17
Discard Activity dialog box E-9
Discard command 3-10
Discard Deployment Job dialog box O-26
discovering
MARS
after deleting 22-118
saving setting across instances 22-118
MARS device
before events lookup 22-107
during events lookup 22-107
discovering remote access VPNs 11-2
discovering site-to-site VPNs 10-16
Discover VPN Policies wizard G-87
Discover Policies on Device command 3-12
Discover Policies On Device dialog box D-17
Discover VPN Policies command 3-12
Discover VPN Policies wizard G-87
Device Selection page G-89
Name and Technology page G-88
discovery
default behavior settings A-20
in MARS
devices that do not allow 22-54
devices that support 22-54
Map view 4-36
of MARS
into Security Manager 22-117
overview 1-11
Discovery Settings page A-20
Discovery Status dialog box D-19
discovery task
frequently asked questions 7-13
starting 7-10
viewing status 7-12
Display Actual Size command 3-13
Distinguished Name (DN) matching policies
configuring 11-32
DN Matching Policy page H-48
understanding 11-31
Distinguished Name (DN) matching rules
configuring 11-34
DN Matching Rules page H-49
DN Rule dialog box (lower pane) H-52
DN Rule dialog box (upper pane) H-51
understanding 11-33
Distributed Denial of Service
See DDoS
Distributed Traffic Shaping (DTS) 15-159
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 10-101
configuring policies 10-103
IPsec technology 10-8
large scale DMVPNs
configuring 10-107
understanding 10-106
understanding 10-101
using with GRE 10-101
DNS
configuring on firewall devices 16-78
DNS/WINS settings
ASA User Group objects F-76
DNS class map objects
Add DNS Class Map dialog box F-93
creating 9-58
Edit DNS Class Map dialog box F-93
match criterion
DNS class F-96
DNS type F-97
domain name F-98
header flag F-99
question F-101
resource record F-102
DNS Class Maps page F-91
DNS policy map objects
Add DNS Map dialog box F-204
creating 9-76
DNS Maps page F-203
Edit DNS Map dialog box F-204
Filtering tab F-208
match condition
DNS class F-216
DNS type F-217
domain name F-219
header flag F-221
question F-222
resource record F-224
use values in class map F-225
Match Condition and Action tab F-212
Mismatch Rate tab F-210
Protocol Conformance tab F-206
understanding 9-75
Dock Map View command 3-13
documentation
conventions iii-lxxxv
Domain Name System (DNS)
Cisco IOS routers
defining policies 15-106
DNS Policy page K-158
IP Host dialog box K-159
overview 15-105
do not ask warnings, resetting A-7
Drill Down Dialog table
description 22-40
DSLAM 15-38
duplex
interface L-64
dynamic crypto maps 10-73
dynamic IP devices
GRE for 10-97
dynamic NAT
creating rules on Cisco IOS routers 15-16
dynamic VTI
configuring in Easy VPN 10-110
Dynamic VTI tab (remote access VPN) H-27
Dynamic VTI tab (site-to-site VPN) G-71
in remote access VPNs 11-13
E
Easy VPN
Advanced tab G-79
client connection characteristics 10-120
Client VPN Software Update tab G-81
configuring dial backup in 10-109
configuring dynamic VTI in 10-110
configuring high availability in 10-110
Dynamic VTI tab G-71
General tab G-75
IPsec Proposal page G-68
Dynamic VTI tab G-71
IPsec Proposal tab G-69
IPsec proposals 10-114
IPsec tab G-77
IPsec technology 10-8
tunnel group policies 10-118
Tunnel Group Policy page G-74
understanding 10-109
user group policies 10-116
User Group Policy page G-73
Edit AAA Option dialog box J-98
Edit AAA Rules dialog box J-81
Edit AAA Server Group dialog box J-100
Edit Actions dialog box N-10
Edit Auto Update Settings dialog box A-28
Edit Category dialog box
AAA rules J-101
access rules J-27
inspection rules J-76
transparent rules J-143
web filter rules J-122
Edit Deploy Method dialog box O-19
Edit Description dialog box
AAA rules J-101
access rules J-28
inspection rules J-77
transparent rules J-143
web filter rules J-123
Edit Destinations dialog box J-18
AAA rules J-90
inspection rules J-56
web filter rules J-114
Edit Device Groups command 3-10
Edit Device Groups dialog box C-45
Edit Endpoints dialog box G-15
Protected Networks tab G-24
VPN Interface tab G-17
Edit Extended Access List page F-34
Edit Fidelity dialog box N-12
Edit Firewall Option dialog box J-23
Edit Firewall Rule dialog box J-6
Edit Firewall Rule Expiration dialog box J-29
Edit Inspected Protocol dialog box J-65
Edit Interface dialog box
AAA rules J-95
access rules J-25, J-62
transparent rules J-141
Edit menu 3-10
Edit menu, table commands 3-29
Edit Permit Response dialog box F-276
Edit Policy Assignments command 3-12
Edit Regular Expression dialog box F-457
Edit Regular Expression Group dialog box F-453
Edit Row command 3-11
Edit Rule Section dialog box J-173
Edit Selected Deployment Method dialog box O-19
Edit Service dialog box
AAA rules J-59, J-93
access rules J-21
web filter rules J-117
Edit Signature dialog box N-4
Edit Signature Parameter—Component List dialog box N-67
Edit Signature Parameter—List Entry Dialog Box N-68
Edit Signature Parameters dialog box N-13
Edit Signatures page, Apply IPS Update wizard A-33
Edit Sources dialog box J-15
AAA rules J-87
inspection rules J-53
web filter rules J-111
Edit Standard Access Control Entry dialog box F-45
Edit Standard Access List page F-42
Edit state 8-5
Edit Transparent EtherType dialog box J-140
Edit Transparent Firewall Rule dialog box J-137
Edit Transparent Mask dialog box
transparent rules J-141
Edit Update Server Settings dialog box A-26
Edit Virtual Sensor dialog box N-135
Edit Web Access Control Entry dialog box F-52
Edit Web Filter Options dialog box J-121
Edit Web Filter Type dialog box J-120
Edit WebType Access List page F-49
EIGRP routing
defining interface properties 15-187
defining routes 15-185
Edit Interfaces dialog box K-229
EIGRP Routing Policy page K-226
Interface dialog box K-231
Interfaces tab K-229
on Cisco IOS routers 15-184
redistributing routes 15-190
Redistribution Mapping dialog box K-234
Redistribution tab K-232
Setup dialog box K-227
Setup tab K-226
e-mail notifications
configuring SMTP server 1-18
enabling
HTTPS on the device
for starting device manager 22-10
encryption algorithms
3DES (Triple DES) 10-68
AES (Advanced Encryption Standard) 10-68
DES (Data Encryption Standard) 10-68
in IKE proposals 10-68
endpoints and protected networks
defining in VPN topologies 10-27
Protected Networks tab G-24
understanding 10-25
VPN Interface tab G-17
error messages
device manager-related
connectivity to the device 22-11
credentials validation 22-10
hostname not configured 22-11
SSL not enabled on the device 22-11
starting a second instance 22-11
events lookup from policies
authentication failure 22-108
device not added to MARS 22-116
HTTPS not enabled on Security Manager 22-117
MARS appliance is shut down 22-116
MARS appliance not configured 22-116
MARS unreachable during discovery 22-118
Security Manager user not in MARS database 22-118
IEV server installation 22-36
policy table lookup from MARS
access rules not on device 22-67
addition of multiple Security Managers to Local Controller 22-61
changed Security Manager credentials not updated in MARS 22-63
connection setup syslog unavailable 22-68
connection teardown events in realtime viewer 22-68
connectivity to Security Manager 22-62
Daemon Manager not running on Security Manager 22-62
device added to MARS only 22-67
discovered but unsubmitted devices 22-67
empty access rules 22-67
HTTPS not enabled on Security Manager 22-62
implicit permit statement in access rules 22-68
incorrect Security Manager login credentials 22-63
management traffic events 22-68
modal dialog box open 22-65
modified signature on device 22-69
RPC connection failure 22-66
unsynchronized changes 22-66
testing connectivity
between MARS and Security Manager 22-80
ESMTP policy map objects
Add ESMTP Map dialog box F-228
Add Match Condition and Action tab F-231
creating 9-79
Edit ESMTP Map dialog box F-228
Edit Match Condition and Action tab F-231
ESMTP Maps page F-227
match condition
Body Length F-232
Body Line Length F-234
Command Line Length F-238
Command Recipient Count F-237
Commands F-235
Echo Reply Parameters F-240
Header Length F-241
Header Line Length F-243
Invalid Recipients Count F-245
MIME Encoding F-250
MIME Filename Length F-248
MIME File Type F-247
Sender Address F-251
Sender Address Length F-253
To Recipients Count F-244
Parameters tab F-229
understanding 9-79
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes M-42
defining IDSM VLANs 17-25
deleting IDSM VLANs 17-27
Ethereal
description 22-35
location 22-35
evaluation license
upgrading to permanent license 21-4
event action filters
configuring
during policy table lookup from MARS 22-53
saving as a local policy 22-97
Event Action Filters page N-82
Event Action Filters tab
described N-95
Event Action Override dialog box N-89
Event Action Overrides page N-88
Event Action policies N-82
Event Browser window
viewing VPN tunnel status 22-22
event data
Inventory Status window 22-18
network outage 22-17
overwriting older events 22-16
persisting new events 22-16
restarting Daemon Manager 22-17
viewing in real time 22-38
events
categories
failure 22-29
performance 22-29
definition 22-19
examining
generated by access rule 22-107
generated by signature 22-107
in MARS
caching, sessionization 22-66
identifier 22-109
in MARS, generated by
access rules 22-52
connection setup/teardown 22-52
IPS signatures 22-52
management traffic 22-68
in MARS, identifying
for access rule lookup 22-82
logs
countering security threats 22-106
editing policies 22-106
querying for
from access rule table 22-107
thresholds 22-19
thresholds, working with 22-28
events lookup
ACE hashcodes 22-109
adding MARS
to Security Manager 22-122
advantages 22-106
browser settings 22-119
caching
MARS credentials 22-119
device software versions
supported for 22-72
discovering MARS devices 22-107
for the first time
prompting for MARS credentials 22-133
from access rules
ACE hashcodes 22-109, 22-113
hashcodes 22-113
object grouping 22-117
optimization enabled 22-117
overview 22-109, 22-113
prepopulated fields in Query page 22-109
with NAT 22-112
with PAT 22-112
from default signatures 22-117
from policies
checklist 22-120
error message 22-116, 22-117, 22-118
for multiple contexts 22-117
guidelines 22-116
historical events, overview 22-111
overview 22-106
realtime event viewer 22-111
reusing discovered MARS 22-118
with added and reachable devices 22-109
from signatures
for virtual sensors 22-110
Query page 22-110
with multiple selections 22-110
HTTPS connection 22-107
Login to CS-MARS dialog box
from Access Rules page 22-133
from Signatures page 22-133
MARS session timeout
and user credentials 22-133
matching a flow
fields passed to MARS 22-115
matching an access rule 22-113
realtime events
most current data 22-112
taskflow 22-107
XML queries
from Security Manager to MARS 22-109
event threshold
configuring (procedure) 22-28
creating, guidelines 22-28
recording, alarm 22-28
event types
configuring for service 22-27
enabling threshold 22-27
in MARS
definition 22-109
predefined 22-109
matching rules
for deny ACEs 22-114
for permit ACEs 22-114
supported for service type 22-27
Exclusive Domain Name dialog box
web filter rules J-132
exclusive domains
adding (IOS) 13-118
deleting (IOS) 13-121
editing (IOS) 13-120
Exclusive Domains tab
web filter rules J-128
Exit command 3-10
exiting
Cisco Security Management Suite server 1-13
CiscoWorks Common Services 1-13
device manager 22-10
IEV client 22-35
Security Manager 1-12, 1-14
Expanded Details Dialog table
description 22-40
export
device inventory 6-31
Export Inventory command 3-15
Export Inventory dialog box C-44
Export Map command 3-13
Extended tab F-32
Add Extended Access List page F-34
Edit Extended Access List page F-34
External Product Interface dialog box N-115
External Product Interface page N-113
F
factory-default configurations 16-2
failover
PIX/ASA/FWSM
active/active 16-63, 16-64
active/standby 16-63
configuring on 16-61, 16-67
stateful 16-64, 16-66
stateless 16-63
types of 16-63
understanding 16-62
failover link 16-62
failure metric
configuring threshold 22-29
false positives
definition of 14-16
minimizing
signature tuning 22-59
tuning signatures 22-59
feature sets 1-5
File Download dialog box
policy table lookup
from MARS events 22-88
preventing from appearing 22-88
File menu 3-9
files
deploying to 19-14
selecting or specifying 3-31
Filter Item dialog box N-84
filters
defined using signature categories 14-22
filtering selectors 3-20
filtering tables 3-24
find and replace
defining criteria 13-22
notes 13-19
understanding regular expressions 13-20
using 13-18
Find and Replace page J-174
Finding CS-MARS Device dialog box
discovery, aborting 22-127
progress of discovery 22-127
Find Map Node command 3-13
Find Node dialog box B-14
Firewall AAA IOS Timeout Value Setting dialog box J-165
Firewall AAA MAC Exempt Setting dialog box J-160
Firewall ACL Setting dialog box J-148
Firewall Device dialog box N-128
firewall policy properties 13-3
firewall service module (FWSM)
including in deployment jobs O-14, O-17
firewall services
AAA rules
adding 13-93
understanding 13-92
access rules
adding 13-64
disabling 13-71
editing 13-69
enabling 13-71
logging events for an ACE 13-64
moving down 13-73
moving up 13-73
notes 13-56
recognizing on devices 13-55
understanding 13-53, 13-63
ACL names
conflicts and resolutions 13-61
generating 13-57
identifying original 13-62
naming conventions 13-57
notes 13-62
preserving user-defined 13-59
analysis reports 13-7
generating 13-9
Combine Rules
Rule Combiner Detail Report J-215
Combine Rules Results Summary dialog box J-211
Combine Rules Selection Summary dialog box J-210
combining rules 13-12
criteria notes 13-14
defining criteria 13-15
summary results 13-16
find and replace
defining criteria 13-22
notes 13-19
understanding regular expressions 13-20
using 13-18
Find and Replace page J-174
firewall settings
access list compilation 13-137
adding 13-149, 13-157
configuring settings 13-140, 13-143, 13-146, 13-155
deleting 13-151, 13-160
editing 13-150, 13-159
enabling 13-133, 13-136, 13-138
firewall ACL 13-141
for (PIX/ASA) 13-146
for IOS 13-151
per user downloadable ACLs 13-135
understanding 13-132, 13-148
hit count
changing displayed results 13-30
changing displayed results, filtering columns 13-30
generating reports 13-25
sorting columns 13-31
understanding 13-23
understanding report results 13-26
viewing details 13-32
importing rules 13-32
extended access list 13-34
how to 13-36
notes 13-33
standard access list 13-35
Import Rules
Show Destination Contents dialog box J-189
Show Interface Contents dialog box J-191
Show Service Contents dialog box J-190
Show Source Contents dialog box J-188
Import Rules - Enter Parameters dialog box J-180
Import Rules - Preview page J-183
Objects tab J-187
Rules tab J-184
Import Rules - Status page J-182
inspection rules
copying 13-89
custom destination ports 13-81
cutting 13-89
default inspection traffic 13-80
deleting 13-91
destination address and port (IOS) inspection rules 13-82
disabling 13-88
editing 13-86
enabling 13-88
moving down 13-90
moving up 13-90
pasting 13-89
source and destination address and port 13-84
supported features 13-145
understanding 13-75, 13-77
managing 13-1
managing rules tables 13-5
Map View 4-23
object groups
expanding during discovery 13-52
optimizing ACLs 13-47
caveats 13-51
notes 13-50
optimizing policy objects
in rules 13-51
notes 13-52
policy query
generating reports 13-39
report results 13-39
understanding 13-37
policy query details example 13-43
policy query parameters 13-40
policy query results table 13-41
rule sections
Add Rule Section dialog box J-173
Edit Rule Section dialog box J-173
rule table sections
adding 13-45
adding to an existing section 13-46
editing 13-46
notes 13-44
removing an existing section 13-47
removing from an existing section 13-46
understanding 13-44
Firewall Services Module (FWSM)
See also PIX/ASA/FWSM Platform policies
configuring with VPNSM 10-48
FWSM blades 10-48
FWSM Settings tab (remote access VPN) H-25
FWSM tab (site-to-site VPN) G-26
understanding configuration 10-48
firewall settings
AAA Firewall page J-154
Access Control page J-145
access controls
access list compilation 13-137
object group search 13-132
per user downloadable ACLs (PIX/ASA/FWSM) 13-135
AuthProxy General tab (IOS) J-161
AuthProxy page J-161
AuthProxy Timeout tab (IOS) J-164
configuring settings
firewall ACL 13-141
Firewall AAA IOS Timeout Value Setting dialog box J-165
Firewall AAA MAC Exempt Setting dialog box J-160
Firewall ACL Setting dialog box J-148
Inspection page J-151
Web Filter page J-167
Web Filter Server Configuration dialog box J-171
Firewall tab N-127
Fit to Window command 3-13
FlexConfig Editor dialog box P-11
FlexConfig objects
creating 9-52, 20-37
deleting 20-43
duplicating 20-38
editing 20-40
generating usage reports for 20-42
understanding 9-52, 20-2
viewing details 20-41
FlexConfig object variables
deleting 20-48
FlexConfig policies P-1
understanding 20-31
FlexConfig Policy page P-2
FlexConfig Policy Preview dialog box P-9
FlexConfigs
adding 20-45
CLI commands in 20-2
creating (scenario) 20-31
deleting 20-46
example 20-7
managing 20-1
previewing 20-47
reordering 20-46
scripting language
examples of 20-4, 20-6
understanding 20-3
working with 20-36
FlexConfigs objects page P-10
FlexConfig system variables
understanding 20-14
FlexConfig Undefined Variables dialog box P-15
Flood engine
described N-32
floodguard 16-110
Flood Host engine
parameters (table) N-32
Flood Net engine
parameters (table) N-33
FQDN
redirection using
cluster load balancing and 11-22
fragmentation
in remote access VPNs 11-28
General Settings tab H-43
in site-to-site VPNs
General Settings tab G-49
understanding 10-81
maximum transmission unit (MTU) 10-81
path MTU discovery and 10-44
fragments settings 16-110
frequently asked questions
policy discovery 7-13
FTP class map objects
Add FTP Class Map dialog box F-105
Add Match Criterion dialog box F-107
creating 9-60
Edit FTP Class Map dialog box F-105
Edit Match Criterion dialog box F-107
FTP Class Maps page F-103
match criterion
filename F-110
file type F-111
request command F-108
server F-112
username F-114
FTP policy map objects
creating 9-82
FTP Maps page F-254
match condition
filename F-262
file type F-264
request command F-261
server F-266
username F-267
use values in class map F-269
Match Conditions and Actions tab F-258
Parameters tab F-257
understanding 9-82
full mesh topologies
description 10-5
diagram 10-5
full tunnel client access mode 12-4
FWSM
See also Firewall Services Module (FWSM)
access rule lookup
from MARS 22-50
credentials C-28
multiple contexts
MARS events lookup 22-117
rollback, commands to recover from failover misconfiguration 19-58
rollback command conflicts 19-56
rollback restrictions for failover devices 19-53
rollback restrictions for multiple context mode 19-52
supported software versions
for policy and events lookup 22-73
syslog messages
looking up Access Rules page 22-43
with multiple contexts
and policy lookup from MARS 22-54
prerequisite for policy table lookup 22-54
FWSM devices
adding SSL thumbprints manually 6-25
SSL certificate configuration A-16
FWSM Settings tab (remote access VPN) H-25
G
Gateway and Context page I-2
gateways
intermediate
allowing flows between MARS and devices 22-70
General Configuration tab N-110
General page, device properties C-36
General subtab N-75
General tab N-119
Global Controller
adding to
Security Manager 22-117
policy query icon for events 22-61
policy table lookup and 22-61
viewing Security Manager server from 22-61
zone planning for
Security Manager mapping 22-75
GRE (generic routing encapsulation)
advantages of IPsec tunneling with GRE 10-94
configuring policies 10-98
for devices with dynamic IP 10-97
GRE Modes page G-57
implementation 10-94
IPsec technology 10-8
prerequisites for successful configuration 10-95
understanding in site-to-site VPNs 10-93
using DMVPN with 10-101
GRE Dynamic IP
configuring policies 10-98
for dynamically addressed spokes 10-97
IPsec technology 10-8
groups
adding or removing devices 6-41
creating 6-40
deleting 6-40
understanding 6-36
working with 6-36
group types
creating 6-39
deleting 6-40
GTP map objects
Add Country Network Codes dialog box F-275
Add Permit Response dialog box F-276
Edit Country Network Codes dialog box F-275
Edit Permit Response dialog box F-276
GTP Map Timeouts dialog box F-278
GTP policy map objects
Add GTP Map dialog box F-271
creating 9-85
Edit GTP Map dialog box F-271
GTP Maps page F-269
GTP Map Timeouts dialog box F-278
match condition
access point name F-281
message ID F-282
message length F-284
version F-285
Match Condition and Action tab F-279
Parameters tab F-273
understanding 9-84
H
H.323 class map objects
Add H.323 Class Map dialog box F-117
Add Match Criterion dialog box
Called Party F-119
Calling Party F-120
Media Type F-121
creating 9-63
Edit H.323 Class Map dialog box F-117
Edit Match Criterion dialog box
Called Party F-119
Calling Party F-120
Media Type F-121
H.323 Class Maps page F-115
H.323 policy map objects
Add H.323 Map dialog box F-288
Match Condition and Action tab F-292
Parameters tab F-289
Add HSI Endpoint IP Address dialog box F-291
Add HSI Group dialog box F-291
creating 9-89
Edit H.323 Map dialog box F-288
Match Condition and Action tab F-292
Parameters tab F-289
Edit HSI Endpoint IP Address dialog box F-291
Edit HSI Group dialog box F-291
H.323 Maps page F-286
match parameters
called party F-293
calling party F-294
media type F-296
use values in class map F-297
understanding 9-88
Hardware Client Attributes
ASA User Group objects F-63
hardware requirements
for device manager 22-13
hash algorithms
in IKE proposals 10-69
MD5 10-69
SHA 10-69
hashcodes
ACE
accuracy of syslog matches 22-113
ASA 7.0 and later 22-109
PIX 7.0 and later 22-109
supported device OS versions 22-113
as a keyword
in MARS query criteria 22-114
exceeding 10000
error message during events lookup 22-114
in large access rules
looking up events 22-114
not supported in syslogs
events lookup 22-119
warning message
for devices that do not support 22-126
help
accessing 3-32
Help About This Page command 3-17
Help Desk role
modifying policy
from read-only policy table 22-74
help desk users 2-26
helper addresses 15-29
Help menu 3-17
Help Topics command 3-17
Hide Navigation Window command 3-13
high availability
of Security Manager and IEV 22-33
high availability (HA groups)
configuring a policy in remote access VPN 11-20
configuring in Easy VPN 10-110
configuring in site-to-site VPN 10-60
High Availability page (remote access VPN) H-33
High Availability page (site-to-site VPN) G-33
in remote access VPNs 11-19
prerequisites 10-59
stateful failover 10-58
stateless failover 10-58
understanding in site-to-site VPN 10-58
Histogram dialog box N-77
historical events
filtering time 22-108
forensic analysis tools 22-111
looking up
from signature policies 22-131
lookup, fields populated
in query criteria results 22-108
lookup from access rules
connection-related messages 22-113
matching a flow 22-113
matching a rule 22-113
matching destination 22-127
matching source 22-127
lookup from policies
running query manually 22-108
matching
destination 22-127
flow 22-127
for the last 10 minutes 22-108
rule 22-126
source 22-127
overview 22-111
policy lookup
error message 22-66
querying for
Query Criteria Result page 22-108
sessionizing data 22-111
historical events lookup
device versions
supported for 22-72
hit count
changing displayed results 13-30
filtering columns 13-30
sorting columns 13-31
viewing details 13-32
generating reports 13-25
understanding 13-23
understanding report results 13-26
Hit Count page J-205
home page
ASDM, viewing 22-5
PDM, viewing 22-4
SDM, viewing 22-6
hostnames
Cisco IOS routers
defining 15-107
Hostname Policy page K-160
overview 15-107
hostname settings
configuring on firewall devices 16-70
hosts
adding Security Manager on
a new one 22-76
an existing one 22-76
HSRP 16-35
HTTP
Cisco IOS routers
AAA tab K-112
Command Authorization Override dialog box K-116
defining policies 15-83
HTTP Policy page K-110
overview 15-83
Setup tab K-111
HTTP class map objects
Add HTTP Class Map dialog box F-124
Add Match Criterion dialog box F-126
creating 9-65
Edit HTTP Class Map dialog box F-124
Edit Match Criterion dialog box F-126
match criterion
request/response content type mismatch F-129
request arguments F-130
request body F-131
request body length F-133
request header content type F-141
request header count F-134
request header field F-136
request header field count F-137
request header field length F-139
request header length F-135
request header non-ascii F-144
request header transfer encoding F-142
request method F-145
request uri F-146
request uri length F-148
response body F-151
response body activeX F-149
response body java applet F-150
response body length F-152
response header content type F-160
response header count F-153
response header field F-155
response header field count F-157
response header field length F-159
response header length F-154
response header non-ascii F-164
response header transfer encoding F-162
response status line F-165
HTTP Class Maps page F-122
HTTP policy
overriding HTTPS port number C-41
sharing
HTTPS port number C-41
HTTP policy map objects
ASA7.1.x/PIX7.1.x/FWSM3.x/IOS
creating 9-93
ASA7.1.x/PIX7.1.x/IOS
entity length 9-95
Entity Length tab F-304
extension request method 9-98
Extension Request Method tab F-310
general 9-94
General tab F-302
port misuse 9-100
Port Misuse tab F-312
RFC request method 9-97
RFC Request Method tab F-307
transfer encoding 9-101
Transfer Encoding tab F-315
ASA7.2/PIX7.2
creating 9-103
Edit HTTP Map dialog box F-320
Edit Match Condition and Action dialog box F-325
Match Condition and Action tab F-323
Parameters tab F-322
request/response content type F-330
request arguments F-331
request body F-333
request body length F-334
request header content type F-345
request header count F-336
request header field F-338
request header field count F-341
request header field length F-343
request header length F-337
request header non-ascii F-349
request header transfer encoding F-347
request method F-350
request uri F-352
request uri length F-354
response body F-358
response body activeX F-356
response body header length F-362
response body java applet F-357
response body length F-359
response header content type F-369
response header count F-361
response header field F-363
response header field count F-366
response header field length F-367
response header non-ascii F-373
response header transfer encoding F-371
response status line F-375
use values in class map F-377
HTTP Maps (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) page F-297
HTTP Maps (ASA7.1.x/PIX7.1.x/IOS)
Add HTTP Map dialog box F-300
Edit HTTP Map dialog box F-300
HTTP Maps (ASA7.2/PIX7.2) page F-318
understanding 9-91
HTTPS
communication between
Security Manager and MARS 22-117
HTTP settings
configuring on firewall devices 16-50
hub-and-spoke topology
description 10-3
diagram 10-4
I
ICMP connection-related messages
absence of necessary parameters 22-56
access rule lookup from MARS 22-56
accuracy of matching policies 22-56
example
for an ASA device 22-57
management traffic
access rule lookup 22-56
ICMP settings
configuring on firewall devices 16-52
configuring on IOS routers K-31
icons
map elements B-3
toolbar reference 3-18
identifying 22-70
idle session timeout
of MARS
events lookup 22-124
of Security Manager
authentication of MARS 22-63
login credentials prompt during policy lookup 22-63
policy table lookup 22-63
idle timeout
exceeded for MARS session
without Security Manager client open before lookup 22-63
with Security Manager login credentials for lookup 22-63
idle timeout, Security Manager client A-7
IDM
editing settings
Monitoring button 22-10
managing IPS sensors 22-3
maximum number of sessions 22-9
overview 22-3
starting from Security Manager 22-3
IDM GUI
Configuration button 22-3
File menu 22-3
Monitoring button 22-3
IDM sessions
maximum number of
for IPS sensors 22-9
IDSM
Create and Edit IDSM Data Port VLANs dialog boxes M-43
Create and Edit IDSM EtherChannel VLANs dialog boxes M-42
credentials C-28
defining Data Port VLANs 17-28
defining EtherChannel VLANs 17-25
deleting Data Port VLANs 17-30
deleting EtherChannel VLANs 17-27
IDSM Settings page M-40
IDSM Slot-Port Selector dialog box M-44
understanding settings on Catalyst devices 17-24
IDSM-2 modules
supported software versions
for policy and events lookup 22-73
IDS sensors
Context Data events
and signature policy lookup 22-60
Packet Data events
and signature policy lookup 22-60
signature policy lookup
from MARS events 22-59
IEV
archiving log files 22-37
as a client-server application
IEV client 22-32
IEV server 22-32
capabilities of 22-32
Cisco IPS Event Viewer service 22-33
communication between client and server 22-34
database, backup and restore 22-36
description 22-32
Ethereal 22-35
guidelines for working 22-35
installing
anti-virus software 22-32
host-based IDS software 22-32
Wise installer 22-32
IPS signature policy lookup
from Realtime Dashboard 22-38
from Views tab 22-39
JRE version 22-35
monitoring up to five sensors 22-35
my.cnf file 22-34
MySQL service 22-33
navigating to signature policy in Security Manager 22-38
overview 22-32
specifying Ethereal location 22-35
starting
overview 22-32
procedure 22-37
Windows services 22-33
with Security Manager
in DR mode 22-33
in HA mode 22-33
IEV client
closing 22-37
communicating with IEV server 22-34
communicating with server 22-32
connection protocol with server 22-34
downloading from server 22-32
exiting 22-35
Java application 22-34
location of runtime files 22-36
requirements 22-32
starting
multiple instances from different clients 22-36
one instance per client 22-36
starting from Security Manager 22-37
uninstalling 22-32
IEV server
communicating with client
modifying firewall software policy 22-32
installing
error message 22-36
installing during server installation 22-32
installing on a server with CSA 22-32
location of installed files 22-36
processing IEV client requests 22-34
requirements 22-32
IGMP
configuring on firewall devices 16-100
IIS
adding Security Manager
on an existing host 22-77
IKE (Internet Key Exchange)
aggressive mode negotiation 10-67
main mode negotiation 10-67
proposals 10-67
understanding 10-67
IKE keepalive
understanding 10-79
IKE negotiation
phase 1 22-22
phase 2 22-22
IKE proposal objects
creating 9-54
IKE Proposal dialog box F-89
IKE Proposals page F-87
understanding 9-53
IKE proposals (policies)
configuring 10-71
configuring on remote access VPN servers 11-18, H-32
IKE Proposal page (remote access VPN) H-32
IKE Proposal page (site-to-site VPN) G-38
understanding in remote access VPNs 11-18
IKE protocol
using RADIUS
as the authentication method 10-119
IKE SAs
timeout values 22-22
IM class map objects
Add IM Class Map dialog box F-168, F-170
creating 9-69
Edit IM Class Map dialog box F-168, F-170
IM Class Maps page F-166
match criterion
client IP address F-173
client login name F-174
filename F-172
file transfer service version F-179
peer IP address F-175
peer login name F-176
protocol F-177
service F-178
implicit deny
at the end of access lists 22-114
syslog messages, generation 22-114
implicit permit
configured in access rules
lookup from MARS events 22-68
IM policy map objects
ASA7.2/PIX7.2
creating 9-108
IM maps
client IP address F-386
client login name F-387
Edit Match Condition and Action dialog box F-381
filename F-384
file transfer service version F-395
MSN tab F-403
peer IP address F-389
peer login name F-390
protocol F-392
service F-393
use values in class map F-396
IM Maps (ASA7.2/PIX7.2) page F-378
IM Maps (IOS) page F-397
IOS
Add IM Map dialog box F-399
AOL tab F-406
creating 9-111
Edit IM Map dialog box F-399
MSN tab F-403
Yahoo tab F-400
understanding 9-107
Import Background Image dialog box B-17
importing rules 13-32
examples
extended access list 13-34
standard access list 13-35
how to 13-36
notes 13-33
Import Rules
Show Destination Contents dialog box J-189
Show Interface Contents dialog box J-191
Show Service Contents dialog box J-190
Show Source Contents dialog box J-188
Import Rules - Enter Parameters dialog box J-180
Import Rules - Preview page J-183
Objects tab J-187
Rules tab J-184
Import Rules - Status page J-182
Incident Details page
accessing from
a search 22-83
Dashboard 22-82
Incidents page 22-82
Query/Reports tab 22-82
navigating to
read-only policy page 22-82
read-only signature policy page 22-89
policy query icon
for access rule lookup 22-83
for signature lookup 22-89
incident ID
Dashboard 22-82
Incidents page 22-82
locating using a search 22-83
Query Results page 22-82
incidents
correlation to events 22-81
description 22-81
in MARS
policy table lookup and 22-51
investigating 22-107
looking up access rule
and editing 22-81
ranked by bytes transmitted 22-82
ranked by sessions 22-82
Incidents page
detecting incidents 22-81
viewing rules, events 22-81
inheritance
for signatures 14-11
inheriting rules 7-52
Inherit Rules dialog box D-16
understanding 7-48
versus assignment 7-51
Inherit Rules command 3-12
Inherit Rules dialog box D-16
Inline Pairs tab N-99
inspection map objects
class maps
creating 9-58, 9-60, 9-63, 9-65, 9-69, 9-71
understanding 9-56
LDAP map objects
creating 9-142
understanding 9-141
policy maps
creating 9-74, 9-76, 9-79, 9-82, 9-85, 9-89, 9-93, 9-103, 9-108, 9-111, 9-113, 9-115, 9-117, 9-121, 9-123
entity length 9-95
extension request method 9-98
general 9-94
port misuse 9-100
RFC request method 9-97
transfer encoding 9-101
understanding 9-57, 9-73, 9-75, 9-79, 9-82, 9-84, 9-88, 9-91, 9-107, 9-112, 9-115, 9-116, 9-120, 9-123
regular expression group objects
creating 9-125
regular expression objects
creating 9-126
notes 9-130
understanding 9-128
traffic flow objects
creating 9-193
understanding 9-195
understanding 9-56
Inspection page J-151
inspection rules
adding 13-77
Add Inspection Rule dialog box J-34
Configure DNS dialog box J-67
Configure ESMTP dialog box J-70
Configure Fragments dialog box J-71
Configure IMAP dialog box J-72
Configure POP3 dialog box J-73
Configure RPC dialog box J-74
Configure SMTP dialog box J-68
configuring custom destination ports 13-81
configuring default inspection traffic 13-80
configuring settings 13-143
configuring source and destination address and port (asa/fwsm3.x) 13-84
copying 13-89
Custom Protocol dialog box J-69
cutting 13-89
deleting 13-91
disabling 13-88
Edit Category dialog box J-76
Edit Description dialog box J-77
Edit Destinations dialog box J-56
editing 13-86
Edit Inspected Protocol dialog box J-65
Edit Inspection Rule dialog box J-34
Edit Sources dialog box J-53
enabling 13-88
Inspection Rules page J-30
Limit Inspection Between Source and Destination IP Addresses (ASA) page J-41
Match Traffic by Custom Destination Ports page J-45
Match Traffic by Destination Address and Port (IOS) page J-46
Match Traffic by Source and Destination Address and Port (ASA) page J-49
Match Traffic to Default Protocol Ports page J-38
moving down 13-90
moving up 13-90
pasting 13-89
Show Destination Contents dialog box J-58
Show Interface Contents dialog box J-63
Show Service Contents dialog box J-61
Show Source Contents dialog box J-55
supported features 13-145
understanding 13-75, 13-77
Inspection Rules page J-30
inspect maps
Add Regular Expression dialog box F-457
Add Regular Expression Group dialog box F-453
class maps
Add FTP Class Map dialog box F-105
Add HTTP Class Map dialog box F-124
Add IM Class Map dialog box F-168
Add Match Criterion dialog box F-94, F-107, F-126, F-170, F-185
Add SIP Class Map dialog box F-183
called party F-187
calling party F-188
client IP address F-173
client login name F-174
content length F-190
content type F-190
DNS class F-96
DNS Class Map dialog box F-93
DNS Class Maps page F-91
DNS type F-97
domain name F-98
Edit FTP Class Map dialog box F-105
Edit HTTP Class Map dialog box F-124
Edit IM Class Map dialog box F-168
Edit Match Criterion dialog box F-94, F-107, F-126, F-170, F-185
Edit SIP Class Map dialog box F-183
filename F-110, F-172
file transfer service version F-179
file type F-111
FTP Class Maps page F-103
header flag F-99
HTTP Class Maps page F-122
IM Class Maps page F-166
IM subscriber F-192
message path F-193
peer IP address F-175
peer login name F-176
protocol F-177
question F-101
request/response content type mismatch F-129
request arguments F-130
request body F-131
request body length F-133
request command F-108
request header content type F-141
request header count F-134
request header field F-136
request header field count F-137
request header field length F-139
request header length F-135
request header non-ascii F-144
request header transfer encoding F-142
request method F-145, F-197
request uri F-146
request uri length F-148
resource record F-102
response body F-151
response body activeX F-149
response body java applet F-150
response body length F-152
response header content type F-160
response header count F-153
response header field F-155
response header field count F-157
response header field length F-159
response header length F-154
response header non-ascii F-164
response header transfer encoding F-162
response status line F-165
server F-112
service F-178
SIP Class Maps page F-181
third party registration F-195
uri length F-196
username F-114
Edit Regular Expression dialog box F-457
Edit Regular Expression Group dialog box F-453
policy maps
access point name F-281
Add Country Network Codes dialog box F-275
Add DNS Map dialog box F-204
Add FTP Map dialog box F-256
Add GTP Map dialog box F-271
Add HTTP Map dialog box F-300, F-320
Add IM Map dialog box F-379, F-399
Add Match Condition and Action dialog box F-259, F-325, F-381
Add Match Condition dialog box F-213
Add Permit Response dialog box F-276
Add SIP Map dialog box F-417
AOL tab F-406
called party F-424
calling party F-426
client IP address F-386
client login name F-387
content length F-428
content type F-429
DNS class F-216
DNS Maps page F-203
DNS type F-217
domain name F-219
Edit Country Network Codes dialog box F-275
Edit DNS Map dialog box F-204
Edit FTP Map dialog box F-256
Edit GTP Map dialog box F-271
Edit HTTP Map dialog box F-300
Edit IM Map dialog box F-379, F-399
Edit Match Condition and Action dialog box F-259
Edit Match Condition dialog box F-213
Edit Permit Response dialog box F-276
Edit SIP Map dialog box F-417
Entity Length tab F-304
Extension Request Method tab F-310
filename F-262, F-384
file transfer service version F-395
file type F-264
Filtering tab F-208
FTP Maps page F-254
General tab F-302
GTP Maps page F-269
GTP Map Timeouts dialog box F-278
header flag F-221
HTTP Maps (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) page F-297
HTTP Maps (ASA7.2/PIX7.2) page F-318
IM Maps (ASA7.2/PIX7.2) page F-378
IM Maps (IOS) page F-397
IM subscriber F-431
Match Condition and Action tab F-212, F-279, F-323, F-421
Match Conditions and Actions tab F-258
message ID F-282
message length F-284
message path F-433
Mismatch Rate tab F-210
MSN tab F-403
Parameters tab F-257, F-273, F-322, F-419
peer IP address F-389
peer login name F-390
Port Misuse tab F-312
protocol F-392
Protocol Conformance tab F-206
question F-222
request/response content type mismatch F-330
request arguments F-331
request body F-333
request body length F-334
request command F-261
request header content type F-345
request header count F-336
request header field F-338
request header field count F-341
request header field length F-343
request header length F-337
request header non-ascii F-349
request header transfer encoding F-347
request method F-350, F-439
request uri F-352
request uri length F-354
resource record F-224
response body F-358
response body activeX F-356
response body java applet F-357
response body length F-359
response header content type F-369
response header count F-361
response header field F-363
response header field count F-366
response header field length F-367
response header length F-362
response header non-ascii F-373
response header transfer encoding F-371
response status line F-375
RFC Request Method tab F-307
server F-266
service F-393
SIP Maps page F-415
third party registration F-435
Transfer Encoding tab F-315
uri length F-437
username F-267
use values in class map F-225, F-269, F-377, F-396, F-441
version F-285
Yahoo tab F-400
Regular Expression Groups page F-452
Regular Expressions page F-455
TCP map objects
Add TCP Map dialog box F-460
Edit TCP Map dialog box F-460
TCP Maps page F-459
installing
Security Manager client 1-14
Integrated Local Management Interface (ILMI) 15-50
interface
duplex L-64
Interface Notifications tab N-117
interface objects
read-only access rule table
displayed in MARS 22-102, 22-103
viewing contents
from read-only policy table 22-87
Interface Pair dialog box N-100
interface pairs
described N-100
Interface Pairs dialog box
described N-100
Interface Properties dialog box B-22
interface role objects
creating 9-133
defining subinterfaces 9-135
distinguishing from interfaces 9-136
exceptional cases 9-136
Interface Name Conflict dialog box F-466
Interface Role dialog box F-464
Interface Roles page F-462
specifying during policy definition 9-135
understanding 9-132
interfaces
Catalyst switches and 7600 Series routers
Access Port Selector dialog box M-8
Create and Edit Interface dialog boxes-Access Port mode M-16
Create and Edit Interface dialog boxes-Dynamic Port mode M-28
Create and Edit Interface dialog boxes-Other mode M-35
Create and Edit Interface dialog boxes-Routed Port mode M-20
Create and Edit Interface dialog boxes-subinterfaces M-33
Create and Edit Interface dialog boxes-Trunk Port mode M-23
Create and Edit VLAN dialog boxes M-5
Create and Edit VLAN Group dialog boxes M-11
defining ports 17-9
deleting ports 17-12
generating names 17-11
Interfaces/VLANs page M-3
Interfaces/VLANs page-Interfaces tab M-14
Interfaces/VLANs page-Summary tab M-38
Interfaces/VLANs page-VLAN Groups tab M-10
Interfaces/VLANs page-VLANs tab M-4
Service Module Slot Selector dialog box M-12
Trunk Port Selector dialog box M-9
understanding 17-8
VLAN Selector dialog box M-13
Cisco IOS routers
Advanced Interface Settings dialog box K-27
Advanced Interface Settings page K-25
available types 15-21
Create Router Interface dialog box K-18
defining advanced settings 15-31
defining basic settings 15-23
deleting from 15-27
generating interface names 15-26
Interface Auto Name Generator dialog box K-24
overview 15-20
Router Interfaces page K-17
understanding advanced settings 15-28
understanding helper addresses 15-29
contexts 16-6
defining subinterfaces 9-135
distinguishing from interface roles 9-136
Interface Name Conflict dialog box F-466
PIX/ASA/FWSM
checklist for configuring multiple contexts 16-118
configuring 16-2
enabling traffic between same security levels 16-19, 16-20
managing the PPPoE users list 16-21
managing VPDN groups 16-22
troubleshooting 16-23
understanding 16-3
routed and transparent 16-5
specifying during policy definition 9-135
Interfaces page N-96
Interfaces pane
described N-97
Internal Zone tab N-74
Internet Explorer
accessing MARS GUI using
for access rule lookup 22-83
for signature policy lookup 22-97
cached passwords
policy table lookup 22-83
File Download dialog box 22-88
remembered passwords
policy table lookup 22-83
reusing browser instances 22-119
Internet Information Services
See IIS
interoperability
between device manager and device OS 22-13
interoperation
of MARS and Security Manager
for events lookup 22-106
for policy lookup 22-48
Intrusion Prevention System Device Manager
See IDM
inventory
deleting devices from 6-30
export devices
DCR and CS-MARS formats 6-32
overview 6-31
using command line utility 6-33
migrating Catalyst data 17-2
migrating unmanaged service modules 17-5
inventory, device
adding devices 6-8
adding devices from configuration files 6-13
adding devices from export file 6-16
adding devices from network 6-10
adding devices manually 6-14
managing 6-1
testing device connectivity 6-21
understanding 6-1
user interface reference C-1
viewing inventory status 6-30
working with 6-8
inventory report
status window C-49
Inventory Status command 3-15
Inventory Status window 22-18, C-49
event status, displaying
for devices added to Security Manager and Performance Monitor 22-19
event status fields 22-18
viewing
site-to-site VPN tunnel status 22-23
viewing event status 22-15
viewing high CPU usage 22-25
Inverse ARP K-63
inverse multiplexing over ATM (IMA) K-46
IOS IPS devices
looking up MARS events
from signature policies 22-115
MARS events lookup 22-110
signature policy lookup
from MARS 22-51
IOS IPS sensors
supported software versions
for policy and events lookup 22-73
IOS routers
deployment
using Token Management Servers (TMS) 19-13
IOS Software Release 12.1 and 12.2
managing routers 15-3
IOS Web Filter Rule and Applet Scanner dialog box J-128
IP addresses
management, transparent firewall L-74
network/host optimization 9-145
network masks 9-146
specifying in policies 9-153
supported formats 9-145
supporting dynamic 6-19
IPS
updates, automatically applying 21-11
updates, checking for and downloading 21-10
updates, configuring server 21-9
updates, managing 21-8
updates, manually applying 21-13
IPS devices
adding SSL thumbprints manually 6-25
credentials, AIM-IPS module C-31
initializing 5-23
license, redeploying 21-7
license, updating 21-6
license, updating automatically 21-7
rollback restrictions 19-54
SSL certificate configuration A-16
IPsec Pass Through policy map objects
Add IPsec Pass Through Map dialog box F-410
creating 9-113
Edit IPsec Pass Through Map dialog box F-410
understanding 9-112
IPsec Pass Through Policy Maps
IPsec Pass Through Maps page F-408
IPsec proposals (policies)
configuring for Easy VPN 10-114
configuring in remote access VPNs 11-14
configuring in site-to-site VPNs 10-77
IPsec Proposal Editor (remote access VPN)
IOS and Catalyst 6500/7600 devices H-20
PIX and ASA devices H-18
IPsec Proposal page (in Easy VPN)
IPsec Proposal tab G-69
usage G-68
IPsec Proposal page (remote access VPN) H-15
IPsec Proposal page (site-to-site VPN) G-40
understanding in remote access VPNs 11-12
using crypto maps in 10-73
using reverse route injection in 10-75
using transform sets in 10-74
IPsec SAs
timeout values 22-22
IPsec Settings
ASA User Group objects F-65
IPsec technologies
defining 10-20
DMVPN 10-8
Easy VPN 10-8
GRE 10-8
GRE Dynamic IP 10-8
mandatory policies 10-8
optional policies 10-8
regular IPsec 10-8
understanding 10-8
working with policies 10-8
IPsec transform set objects
creating 9-140
IPsec Transform Set dialog box F-468
IPsec Transform Sets page F-467
supported modes 9-139
supported protocols 9-138
understanding 9-137
IPsec tunnels
understanding policies 10-72
IPS events
error message
invalid details 22-69
in MARS
fired by a signature 22-59
signature policy lookup 22-52
keywords for 22-109
IPS Event Viewer
See IEV
IPS Event Viewer command 3-15
IPS interfaces
IPS Monitoring Information dialog box K-35
IPS sensors
Context Data events
and events lookup 22-115
and signature policy lookup 22-60
default transport protocol A-15
forwarding events to MARS 22-110
looking up MARS events
from signature policies 22-115
managing 22-3
MARS events lookup 22-110
network protection and 22-3
Packet Data events
and events lookup 22-115
and signature policy lookup 22-60
signature policy lookup
from MARS 22-51
supported software versions
for policy and events lookup 22-73
IPS signature policy
events lookup
checklist 22-120
guidelines 22-116
keywords 22-116
lookup
from Realtime Dashboard 22-38
from Views tab 22-39
navigating from IEV 22-38
navigating from Realtime Dashboard
in non-Workflow mode 22-39
in Workflow mode 22-39
navigating from Views tab
in non-Workflow mode 22-41
in Workflow mode 22-41
navigating to
MARS events 22-115
IPS signature policy lookup
authentication failure
during connection from MARS 22-51
communication
between MARS and Security Manager 22-71
device lookup query
sequence of actions 22-54
device software versions
supported for 22-72
error message, invalid events 22-69
error message, modified signature 22-69
event action filter, configuring 22-53
fields parsed from raw syslogs
for IPS events in MARS 22-59
for MARS events of type
Context Data 22-60
Packet Data 22-60
from MARS
for virtual sensors, error message 22-52
sample case 22-49
taskflow 22-50
without Security Manager client running 22-52
guidelines for working 22-61
looking up devices in MARS 22-54
overview 22-59
signature ID, using 22-60
starting a new client session 22-64
subsignature ID, using 22-60
with Security Manager client active
in non-Workflow mode 22-52
in Workflow mode 22-52
with Security Manager client timed out 22-64
IPS tab, Licensing page A-35
IPS Updates page A-22
IPS User Interface Reference N-1
IPS virtual sensors
events lookup
keywords 22-109
signature policy lookup
from MARS events 22-60
ISAKMP/IPsec settings
IKE keepalive 10-79
in remote access VPNs 11-28
in site-to-site VPNs 10-78
ISAKMP/IPsec Settings tab (remote access VPN) H-39
ISAKMP/IPsec Settings tab (site-to-site VPN) G-44
J
job deployment methods
understanding 19-11
jobs
aborting 19-45
approving 19-39
benefits of 19-2
creating and editing 19-36
discarding 19-42
including devices in 19-10
rejecting 19-39
states
Workflow mode 19-7
submitting 19-39
joined hub-and-spoke topology 10-7
Join Group tab
description 16-101
JumpStart 1-15
Jumpstart command 3-17
K
Kerberos
use by ASA devices 9-25
keywords
color coding 22-114
coloring for the first ten
in Query Criteria page 22-114
dimmed out
in Query Criteria page 22-114
hashcodes exceeding 10000
error message during events lookup 22-114
in MARS queries 22-109
knowledge base
histogram N-77
tree structure N-77
knowledge base scanner threshold N-77
L
Layer 2 firewall
See transparent firewalls
LDAP Attribute Maps page F-471
LDAP map objects
Add LDAP Attribute Map dialog box F-472
Add LDAP Attribute Map Value dialog box F-474
Add Map Value dialog box F-475
creating 9-142
Edit LDAP Attribute Map dialog box F-472
Edit LDAP Attribute Map Value dialog box F-474
Edit Map Value dialog box F-475
understanding 9-141
Learning Accept Mode tab N-71
licenses
managing 21-3
redeploying IPS 21-7
Security Manager 21-4
updating IPS 21-6
updating IPS, automating 21-7
License Update Status Details dialog box A-38
licensing
Settings page A-34
Lightweight Directory Access Protocol (LDAP)
use by ASA devices 9-25
Limit Inspection Between Source and Destination IP Addresses (ASA) page J-41
line access
Cisco IOS routers
Console Policy page K-117
overview 15-87
VTY Policy page K-129
load balancing N-137
load-balancing devices
in a VPN cluster
redirection using FQDN 11-23
Local Controller
adding
multiple Security Manager servers to 22-61
one Security Manager server to 22-61
adding multiple
to Security Manager 22-117
adding Security Manager to
prerequisites 22-75
procedure 22-75
supported versions 22-75
using Admin role 22-75
associating with Security Manager 22-107
defining for Security Manager
access IP address 22-77
credentials for discovery 22-78
hostname 22-77
interface details 22-78
operating system 22-78
reporting IP address 22-77
discovery
before events lookup 22-107
during events lookup 22-107
mapping to Security Manager 22-75
more than one
monitoring the same device 22-107
policy lookup
for managed devices 22-75
querying one Security Manager 22-75
same Security Manager on multiple
defining 22-75
Security Manager not added to
user credential fields 22-75
single
monitoring the same device 22-107
zone planning for multiple
mapping to Security Manager 22-75
Local Policy Will Be Replaced dialog box D-4
Local User Setup page
defining
MARS user account 22-79
locking
activities 8-4
committed configuration 8-4
devices 7-55
objects 7-57
policies 7-55
understanding 7-53
VPN topologies 7-57
Log Buffer panel
viewing log messages 22-44
logging
Cisco IOS routers
defining setup parameters 15-146
defining syslog servers 15-149
Logging Setup Policy page K-192
overview 15-144
Syslog Server dialog box K-198
Syslog Servers Policy page K-197
understanding severity levels 15-145
disabled for permit ACEs
events lookup 22-119
NetFlow 16-87
PIX/ASA/FWSM
configuring on 16-86
e-mail setup 16-89
event lists 16-90
logging filters 16-92
logging setup 16-93
rate limit levels 16-95
server setup 16-96
syslog servers 16-98
logging command
class option
message class variables L-163
logging in to
Cisco Security Management Suite server 1-13
CiscoWorks Common Services 1-13
MARS
using an account not in Common Services 22-64
using read/write privileges 22-64
Security Manager 1-12, 1-14
after error during policy lookup 22-66
using a different account from the one in MARS 22-64
logging level
changing for firewalls
and syslogs in MARS 22-58
default
large number of events 22-58
logging message command 22-58
Logging page N-117
logging traffic
between MARS and monitored devices
enabling 22-70
login credentials
of Security Manager
saved in MARS during policy lookup 22-63
login credentials, Security Manager
authenticating MARS
Security Manager deleted from MARS 22-63
deleting
from User Configuration page 22-64
editing
from User Configuration page in MARS 22-63
read-only signature policy table 22-104
saving during policy lookup 22-79
using a different account from the one in MARS
for policy lookup 22-64
login dialog box
read-only policy page
disabling saving of credentials 22-79
enabling saving of credentials 22-79
log-input keyword
access lists on IOS routers 22-58
output details 22-58
log-input keywords
configured for access lists 22-43
Login to CS-MARS dialog box
accessing from
Access Rules page 22-134
Signatures page 22-134
authenticating Security Manager
for events lookup 22-133
login username, MARS 22-134
MARS credentials not saved in database 22-133
MARS events lookup from policies 22-133
MARS session timeout and 22-133
not displayed when
MARS credentials cached 22-133
reusing MARS credentials during lookup 22-134
option to prompt for credentials selected
in CS-MARS page 22-133
password, MARS 22-134
performing events lookup for the first time 22-133
scenarios for display 22-133
scenarios for not displaying 22-133
Login to CS-MARS ip_address dialog box
MARS user credentials
for authenticating Security Manager 22-118
login username, MARS
Login to CS-MARS dialog box 22-134
login username, Security Manager
read-only access rule table 22-100
read-only signature policy table 22-104
log keywords
access lists on IOS routers 22-58
configured for access lists 22-43
output details 22-58
logs
configuring audit log default settings A-39
configuring debug levels A-7
Logs page A-39
LOKI
described N-66
protocol N-66
looking up
access rules
from MARS, overview 22-55
from MARS, procedure 22-81
from MARS events (prerequisites) 22-81
from Multiple Devices window 22-83
from Multiple Events window 22-83
from Policy Table window 22-83
supported device manager versions 22-42
Access Rules page
from device manager syslog 22-42
devices in MARS
for policy table query 22-54
events from signatures
for virtual sensors 22-110
historical events in MARS
for an IPS signature 22-130
matching a flow 22-125
matching a rule 22-125
matching destination 22-127
matching source 22-127
IPS signature from
Realtime Dashboard 22-38
Views tab 22-40
MARS events
advantages 22-106
from default signature 22-117
from large access rules 22-114
from policies 22-106
MARS events from
access rules, overlapping 22-119
realtime events in MARS
for an IPS signature 22-130
matching a flow 22-125
matching a rule 22-125
matching destination 22-127
matching source 22-127
signature policies
from MARS events (overview) 22-88
from MARS events (prerequisites) 22-89
from MARS events (procedure) 22-90
loopback cells 15-52
low-latency query
for MARS events
display of policy query icon 22-66
parsing 22-66
navigating
from access rules 22-107
from signatures 22-107
low-latency queuing (LLQ) 15-158
M
MAC address table
learning, disabling L-72
overview L-70
MAC exempt address lists
adding 13-149
deleting 13-151
editing 13-150
understanding 13-148
management access settings
configuring on firewall devices 16-54
Management Center for Cisco Security Agents 18-6
Management Center for Cisco Security Agents tab N-114
management IP address
defining for multiple contexts
events lookup 22-117
management IP addresses
devices without 22-9
starting device manager 22-9
management protocols
supported for device platforms
in Performance Monitor 22-21
management traffic
between MARS and monitored devices
enabling 22-70
connection-related messages
access rule lookup from MARS 22-56
policy lookup
error message 22-68
managing the PPPoE users list 16-21
managing VPDN groups 16-22
manually adding
devices to Performance Monitor 22-20
Map menu 3-13
mapping
between monitored devices
and MARS 22-107
Local Controller
to Security Manager 22-75
Map Properties command 3-13
maps
access permissions 4-3
adding existing managed devices 4-18
adding new managed devices 4-17
background color 4-12
background images
deleting 4-14
importing 4-13
overview 4-13
scale and position 4-15
setting 4-14
centering elements 4-9
changing the zoom level 4-8
creating 4-3
default map 4-11
deleting