Index
Numerics
12.1 and 12.2
managing routers 13-3
3DES encryption algorithm
cluster load balancing
using FQDNs 10-16
in IKE proposals 9-45
802.1x
802.1x Policy page J-128
defining policies 13-85
interface authorization states 13-83
on Cisco IOS routers 13-82
supported topologies 13-84
understanding device roles 13-83
A
AAA
accounting 10-2
authorization 10-2
Cisco IOS routers
AAA Policy page J-64
Accounting tab J-68
Authentication tab J-64
Authorization tab J-65
Command Accounting dialog box J-70
Command Authorization dialog box J-67
defining services 13-46
overview 13-44
supported accounting types 13-45
supported authorization types 13-44
understanding method lists 13-45
configuring on firewall devices 14-28
configuring settings 11-42
credentials for device access 5-5
defining policies 14-32
device administration 14-31
local fallback 14-30
network access 14-31
PIX/ASA/FWSM K-56
Accounting tab K-58
Authentication tab K-57
Authorization tab K-58
support 14-29
understanding 14-28
user authentication 10-2
VPN access 14-31
AAA authentication groups
predefined 8-19
using SDI
as the protocol 9-78
AAA firewall
advanced settings I-73
MAC exempt lists I-76
AAA rules
AAA Rules page I-1
Add AAA Rules dialog box I-4
adding 11-40
AuthProxy dialog box I-8
combining rules
interpreting results 11-11
procedure 11-9
configuring in Map view 3-17
configuring settings
for IOS 11-44
for IOS devices in Map view 3-18
for PIX/ASA/FWSM 11-43
for PIX/ASA/FWSM in Map view 3-17
deleting 11-4
disabling 11-8
Edit AAA Option dialog box I-7
Edit AAA Rules dialog box I-4
Edit AAA Server Group dialog box I-8
editing 11-5
enabling 11-8
moving 11-7
understanding 11-40
AAA Rules page I-1
AAA server group objects
attributes F-6
creating 8-22
default server groups on IOS devices 8-19
predefined authentication groups 8-19
understanding 8-15
AAA server objects
creating 8-20
HTTP-FORM settings F-17
Kerberos settings F-13
LDAP settings F-14
NT settings F-16
RADIUS settings F-10
SDI settings F-16
supported additional types for ASA/PIX/FWSM 8-17
supported types 8-16
TACACS+ settings F-12
understanding 8-15
AAA servers
external servers 10-2
supported types on ASA, PIX, FWSM devices 8-17
Abort the Job dialog box N-22
About Security Manager command 2-12
ABR
definition 14-73
access control list objects
creating 8-23
extended objects 8-23
standard objects 8-25
web objects 8-26
access control lists
in GET VPNs 9-86
policy discovery 6-14
access controls
configuring ACL names 11-23
configuring settings 11-23
configuring settings in Map view 3-17
Access Control Settings page I-67
Access Group tab
description 14-70, K-136
Access Group tab (IGMP) K-136
Access Interface Configuration dialog box (ASA) H-96
Access page (ASA) H-2
access permissions
maps 3-2
access policies
configuring 10-44
access ports
Create and Edit Interface dialog boxes-Access Port mode L-12
understanding 15-2
access rule
CS-MARS query 20-24
look up
from device managers 20-5
access rules
access control settings I-67, I-69
Access Rules page I-9
address requirements 11-19
Advanced dialog box I-13
combining rules
interpreting results 11-11
procedure 11-9
configuring 11-21
configuring access control settings 11-23
configuring in Map view 3-17
deleting 11-4
disabling 11-8
Edit Firewall Rule Expiration dialog box I-15
editing 11-5
enabling 11-8
expiration dates 11-22
generating analysis reports 11-24
hit counts
generating 11-26
viewing results I-101
how deployed 11-19
import examples 11-29
importing 11-28
moving 11-7
optimizing during deployment 11-31
rule attributes I-11
understanding 11-17
understanding device-specific behavior 11-19
viewing related CS-MARS events 20-25
working with 11-17
Access Rules page I-9
accounts and credentials
Cisco IOS routers
overview 13-48
PIX/ASA/FWSM
user accounts K-115
user accounts, add/edit K-115
accounts and credentials policies
Accounts and Credentials Policy page J-71
User Accounts dialog box J-73
ACLs
configuring names 11-23
Actions Shortcut menu M-7
Active/Active failover
about 14-46, 14-47
command replication 14-47
configuration synchronization 14-47
Active/Standby failover 14-46
activities
accessing functions 7-7
Activity Manager window E-1
Activity Required dialog box E-7
Approve Activity dialog box E-6
Approved state 7-4
approving 7-2, 7-13
benefits of 7-2
closing 7-9
Create Activity dialog box E-4
creating 7-8
Discard Activity dialog box E-7
discarding 7-14
Edit state 7-4
locking 7-2
managing 7-1
multiple users 7-3
Openable Activities dialog box E-8
opening 7-9
Reject Activity dialog box E-6
Rejected state 7-4
rejecting 7-13
states 7-4
Submit Activity dialog box E-5
Submitted state 7-4
submitting for approval 7-12
understanding 7-1
user interface reference E-1
validating 7-11
viewing change reports 7-9
viewing status and history 7-14
working with 7-6
Activities menu 2-11
Activity Manager command 2-10
Activity Manager window E-1
Activity Required dialog box E-7
activity states E-3
Add/Edit AnyConnect Client Image dialog box (ASA) H-111
Add/Edit AnyConnect Client Profile dialog box (ASA) H-112
Add/Edit Collector dialog box
description 14-62, K-98, K-118
Add/Edit Connection Profile dialog box
SSL tab
Add/Edit Connection Alias dialog box H-35
Add/Edit Connection URL dialog box H-36
Add/Edit Content Rewrite dialog box (ASA) H-100
Add/Edit DAP Entry Dialog Box > Device H-53
Add/Edit File Encoding dialog box (ASA) H-103
Add/Edit IGMP Join Group dialog box
description 14-70
Add/Edit IGMP Static Group dialog box
description 14-70
Add/Edit Multicast Route dialog box
description K-140, K-141, K-142
Add/Edit PIM Bidirectional Neighbor Filter dialog box
description K-146
Add/Edit PIM Neighbor Filter dialog box
description K-145
Add/Edit Plug-in Entry dialog box (ASA) H-109
Add/Edit Proxy Bypass dialog box (ASA) H-107
Add AAA Rules dialog box I-4
Add AAA Server dialog box F-8
Add AAA Server Group dialog box F-6
Add Access List dialog box M-81
Add an Entry dialog box M-48
Add AOL Class Map dialog box F-61
Add A Port Forwarding Entry dialog box F-152
Add ASA Group Policies dialog box
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
overview F-25
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
Technology settings F-25
Add A Smart Tunnel Entry dialog box F-179
Add Auto Signon Rules dialog box F-39
Add Cat6k Block Vlan dialog box M-99
Add Certificate dialog box A-14
Add Certificate Filter dialog box G-51
Add Cisco Secure Desktop Configuration dialog box F-44
Add Client Access Rules dialog box F-33
Add Client Update dialog box F-195
Add Column dialog box F-173
Add Custom Pane dialog box F-173
Add Custom Signature dialog box M-5
Add DCE/RPC Map dialog box F-86
Add Destinations dialog box I-64
Add Device from Network wizard
Device Credentials page C-18
Add Devices to Group command 2-7
Add Devices to Group dialog box C-36
Add DNS Class Map dialog box F-61
Add DNS Map dialog box
Filtering tab F-89
overview F-87
Protocol Conformance tab F-88
Add eDonkey Class Map dialog box F-61
Add ESMTP Map dialog box F-92
Add Extended Access Control Entry dialog box F-20
Add Extended Access List dialog box F-19
Add External Filter dialog box F-80
Add FastTrack Class Map dialog box F-61
Add File Object dialog box F-47
Add Firewall Rule dialog box I-11
Add FlexConfig dialog box F-48
Add FTP Class Map dialog box F-61
Add FTP Map dialog box F-95
Add Gnutella Class Map dialog box F-61
Add Group dialog box C-37
Add GTP Map dialog box F-99
Add H.323 Class Map dialog box F-61
Add H.323 Map dialog box F-103, F-134
Add HSI Endpoint IP Address dialog box F-105
Add HSI Group dialog box F-104
Add HTTP Class Map dialog box F-61
Add HTTP Map dialog box F-134
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab F-109
Extension Request Method tab F-112
General tab F-108
overview F-107
Port Misuse tab F-113
RFC Request Method tab F-111
Transfer Encoding tab F-114
ASA 7.2+ and PIX 7.2+ devices F-115
Add ICQ Class Map dialog box F-61
Add IKE Proposal dialog box F-53
Add IMAP Class Map dialog box F-61
Add IMAP Map dialog box F-134
Add IM Class Map dialog box F-61
Add IM Map dialog box F-134
ASA and PIX device F-121
IOS device F-124
Add Inspect Parameter Map dialog box F-74
Add Interfaces dialog box I-65
Add IPsec Pass Through Map dialog box F-125
Add IPSec Transform Set dialog box F-57
Add Kazaa2 Class Map dialog box F-61
Add Language dialog box F-167
Add LDAP Attribute Map dialog box F-59
Add LDAP Attribute Map Value dialog box F-60
Add Link command 2-9
Add Link dialog box B-13
Add Local Rules command 2-8
Add Local Web Filter Class Map dialog box F-61
Add Local Web Filter Parameter Map dialog box F-77
Add Map Object and Node Properties dialog boxes B-14
Add Map Object command 2-9
Add Map Value dialog box F-61
Add Match Condition and Action dialog box
DNS policy maps F-90
ESMTP policy maps F-94
FTP policy maps F-97
GTP policy maps F-101
H.323 (IOS) policy maps F-135
H.323 policy maps F-106
HTTP (Zone Based IOS) policy maps F-135
HTTP policy maps F-117
IM (Zone Based IOS) policy maps F-135
IMAP policy maps F-135
IM policy maps F-122
P2P policy maps F-135
POP3 policy maps F-135
SIP (IOS) policy maps F-135
SIP policy maps F-129
Skinny policy maps F-133
SMTP policy maps F-135
Sun RPC policy maps F-135
Web Filter policy maps F-135
Add Match Criterion dialog box
AOL class maps F-64
DNS class maps F-90
eDonkey class maps F-64
FastTrack class maps F-64
FTP class maps F-97
Gnutella class maps F-64
H.323 (IOS) class maps F-65
H.323 class maps F-106
HTTP (IOS) class maps F-65
HTTP class maps F-117
ICQ class maps F-64
IMAP class maps F-67
IM class maps F-122
Kazaa2 class maps F-64
Local Web Filter class maps F-72
MSN Messenger class maps F-64
N2H2 class maps F-73
POP3 class maps F-67
SIP (IOS) class maps F-68
SIP class maps F-129
SMTP class maps F-69
Sun RPC class maps F-72
Websense class maps F-73
Windows Messenger class maps F-64
Yahoo Messenger class maps F-64
Add MSN Messenger Class Map dialog box F-61
Add N2H2 Parameter Map dialog box F-78
Add N2H2 Web Filter Class Map dialog box F-61
Add NetBIOS Map dialog box F-126
Add Network/Host dialog box F-141
Add New Device wizard
Device Credentials page C-18
Add or Edit Status Providers dialog box A-38
Add Other Devices dialog box N-15
Add P2P Map dialog box F-134
Add Permit Response dialog box F-100
Add PKI Enrollment dialog box
CA Information tab F-144
Certificate Subject Name tab F-150
Enrollment Parameters tab F-148
overview F-142
Trusted CA Hierarchy tab F-151
Add POP3 Class Map dialog box F-61
Add Port Forwarding List dialog box F-151
Add Port List dialog box F-153
Add Protocol Info Parameter Map dialog box F-76
Add Regular Expression dialog box F-138
Add Regular Expression Group dialog box F-138
Address Pools
PIX/ASA/FWSM K-4
add/edit K-5
address pools
defining 14-19
Address Resolution Protocol
See ARP
Add Row command 2-7
Add Rule Section dialog box I-90
Add Server dialog box
Protocol Info Parameter maps F-77
Add Service dialog box F-154
Add Services dialog box I-65
Add Signature Parameter--List Entry Dialog Box M-48
Add Single Sign On Server dialog boxes F-156
Add SIP Class Map dialog box F-61
Add SIP Map dialog box F-127, F-134
Add Skinny Map dialog box F-131
Add SLA Monitor dialog box F-158
Add Smart Tunnel Lists dialog box F-177
Add SMTP Class Map dialog box F-61
Add SMTP Map dialog box F-134
Add SNMP Map dialog box F-133
Add Sources dialog box I-64
Add SSL VPN Customization dialog box F-163
Applications F-172
Copyright Panel F-170
Custom Panes F-172
Full Customization F-170
Home Page F-174
Informational Panel F-169
Language F-166
Logon Form F-168
Logout Page F-175
Title Panel F-165
Toolbar F-171
Add SSL VPN Gateway dialog box F-176
Add Standard Access Control Entry dialog box F-22
Add Standard Access List dialog box F-19
Add Sun RPC Class Map dialog box F-61
Add Sun RPC Map dialog box F-134
Add TCP Map dialog box F-139
Add TCP Option Range Dialog Box F-141
Add Text Object dialog box F-181
Add Time Range dialog box F-182
Add Traffic Flow dialog box F-184
Add Transparent Firewall Rule dialog box I-42
Add Trend Content Filter Class Map dialog box F-61
Add Trend Parameter Map dialog box F-81
Add URL Domain Name dialog box F-84
Add URLF Glob Parameter Map dialog box F-84
Add URL Filter Parameter Map dialog box F-82
Add User Group dialog box
Advanced PIX 6.3 settings F-196
Browser Proxy settings F-201
Client (IOS) settings F-192
Clientless settings F-197
Client VPN Software Update (IOS) settings F-195
DNS/WINS settings F-190
General settings F-189
IOS Xauth Options settings F-194
overview F-187
Split Tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN Connection settings F-202
SSL VPN Full Tunnel settings F-198
SSL VPN Split Tunneling settings F-200
Technology settings F-187
Thin Client settings F-198
Add User Profile dialog box M-93
Add Virtual Sensor dialog box M-103
Add Web Access Control Entry dialog box F-23
Add Web Filter Map dialog box F-136
Add WebSense Parameter Map dialog box F-78
Add Websense Web Filter Class Map dialog box F-61
Add Web Type Access List dialog box F-19
Add Windows Messenger Class Map dialog box F-61
Add WINS Server dialog box F-204
Add WINS Server List dialog box F-203
Add Yahoo Messenger Class Map dialog box F-61
Add Zones dialog box I-65
admin context
in Performance Monitor 20-10
overview 14-82
administration
selecting router policies to manage 6-10
administrative settings, configuring 19-2
administrative settings pages A-1
admin password, changing 19-13
ADSL
ADSL Policy page J-32
ADSL Settings dialog box J-33
defining settings 13-27
supported operating modes 13-26
Advanced dialog box
access rules I-13
Advanced Interface Settings
PIX/ASA K-37
Advanced NAT Options
PIX/ASA/FWSM
add/edit K-21
advanced SSL VPN settings
configuring 10-61
Advanced tab (ASA) H-113
Advanced tab (IOS) H-120
AES encryption algorithm
in IKE proposals 9-46
in VPN SPA 9-31
AIM-IPS interfaces
IPS Module Interface Settings page J-24
Alarm Indication Signal (AIS) cells 13-34
allocate interfaces
PIX/ASA
security contexts K-202
Allowed host
use of 16-4
Allowed Hosts page M-81
Analysis Engine global variables
configuring 16-8
Analysis Engine tab M-90
analysis reports
generating 11-24
anomaly detection
definition of 12-13
limiting false positives M-55
worm attacks M-55
Anomaly Detection page M-49
anti-spoofing 14-76
AOL class map objects
creating 8-41, 8-57
match criteria F-64
Apply IPS Update command 2-10
Apply IPS Update wizard A-23
Approve Activity command 2-11
Approve Activity dialog box E-6
Approved activity state 7-4
Approve Deployment Job dialog box N-19
Area Border Router
See ABR 14-73
ARP
Layer 2 signatures M-19
PIX/ASA/FWSM
configuration K-51
inspection K-52
inspection, enable/disable K-52
table K-50
protocol M-19
ARP spoof tools
dsniff M-19
ettercap M-19
ARP table
static entry K-50, K-51
ASA
ASDM 20-2
Failover
Add Failover Group K-88
interface configuration K-89
settings K-85
failover K-83
policy discovery 6-12
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rollback restrictions for failover devices 17-34
rollback restrictions for multiple context mode 17-34
security contexts
allocate interfaces K-202
configuration K-200
viewing allocated interfaces K-203
setting up AUS or CNS 4-8
setting up SSL (HTTPS) 4-3
ASA 5505
ports and interfaces 14-5
ASA Cluster Load Balance page H-20
ASA devices
5505
interfaces, add/edit K-30
interfaces and ports K-45
port configuration K-48
AAA support 8-17
adding SSL thumbprints manually 5-22
defining
DNS server IP address 10-14
enabling
DNS lookups 10-14
FlexConfig object samples 18-18
interfaces K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
PPPoE Users K-39, K-40
VPND Groups K-38
models supported
VPN cluster load balancing 10-16
monitoring service level agreements 8-77
outside IP addresses
associated with DNS entry 10-14
PIX/ASA/FWSM Platform policies K-1
remote access IPSec VPNs
access policies 10-44
remote access IPsec VPNs
creating using wizard 10-10, 10-12
other settings 10-45
shared license client 10-57
shared license server 10-58
remote access SSL VPNs
access settings 10-43, 10-57
browser plug-ins 10-52, 10-53
client settings 10-54, 10-55
content rewrite rules 10-47
encoding rules 10-49
encoding settings 10-48
performance settings 10-46
proxies 10-49, 10-50
proxy bypass rules 10-50
proxy bypass settings 10-49
remote access VPNs
access policies (ASA) H-94, H-96
advanced settings (ASA) H-113
AnyConnect client image settings (ASA) H-111
AnyConnect client profile settings (ASA) H-112
browser plug-ins (ASA) H-108, H-109
certificate to connection profile map policies 10-33, 10-34
certificate to connection profile map rules 10-35
Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) H-78
Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) H-77
Certificate to Connection Profile Maps > Policies page H-75
Certificate to Connection Profile Maps > Rules page H-76
client settings (ASA) H-110
cluster load balancing 10-14, 10-15, H-20
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
connection profiles 10-16, H-22
content rewrite settings (ASA) H-99, H-100
customizing 8-79
dynamic access policies 10-17, 10-18
dynamic access policy (DAP) attributes 10-19, 10-23
Dynamic Access policy page (ASA) H-36
encoding settings (ASA) H-101, H-103
fragmentation settings H-70
Global Settings page H-66
group policies 10-30, H-72, H-73
IKE proposals H-81
IPsec proposals H-82, H-84
ISAKMP/IPsec settings H-67
NAT settings H-69
other settings (ASA) H-97
performance settings (ASA) H-98
post URL method and macro substitutions in bookmarks 8-86
proxy bypass settings (ASA) H-107
proxy settings (ASA) H-103
Public Key Infrastructure (PKI) H-74
secure desktop manager policies 10-24, 10-26
shared license H-114
smart tunnels 8-87
SSL certificate configuration A-12
supported OS versions
redirection using FQDNs 10-15
VPN cluster load balancing
3DES/AES license 10-16
overview 10-14
ASA group policies objects
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
technology settings F-25
ASA user group objects
creating 8-28
ASBR
definition 14-73
ASCII limitations for text 2-18
ASDM
access rule look-up 20-6
device manager 20-2
ASR
zone-based firewall
global parameters I-87
restrictions 11-63
assignment overview 1-7
Assignments tab D-17
Assign Shared Policy command 2-8
Assign Shared Policy dialog box D-2
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 13-25
Asynchronous Transfer Mode (ATM) 13-30
ATM 13-30
virtual channel connections (VCCs) 13-31
virtual channel identifier (VCI) 13-31
virtual path connections (VPCs) 13-31
virtual path identifier (VPI) 13-31
Atomic ARP engine
described M-19
parameters (table) M-19
Atomic IP engine
parameters (table) M-14
audit logs
configuring default settings A-32
purging entries 19-12
understanding 19-11
working with 19-11
Audit Message Detail dialog box E-9
Audit Report command 2-11
audit reports
generating and viewing 19-12
understanding 19-11
working with 19-11
Audit Report window E-9
AUS
deploying configurations 17-25
deployment method 17-11
setting up 4-7
setting up on PIX Firewall and ASA devices 4-8
Authentication-Authorization-Accounting
see AAA 14-28
Authentication Header (AH) encryption algorithm F-59
authentication methods
in IKE proposals 9-47
preshared keys 9-47
RSA signatures 9-47
authentication testing
SSH 4-5
AuthProxy
configuring settings in Map view 3-18
AuthProxy dialog box
AAA rules I-8
AuthProxy General tab (IOS) I-79, I-81
AuthProxy page I-79
autolink
omitting reserved networks from maps A-2
auto signon rules
ASA group policy objects F-39
Auto Update Server (AUS)
adding 5-14
licensing 19-4
PIX/ASA/FWSM K-96
add/edit server K-98
Auto Update Server Properties dialog box C-12
Auto Update Servers (AUS)
configuring AUS settings on firewall devices 14-52
Available Bit Rate (ABR) 13-32
Available Servers dialog box C-14
B
background, map
setting 3-8
background image, map
deleting 3-9
importing 3-8
scale and position 3-9
setting 3-8
backup.pl command 19-14
Backup command 2-11
backups, Security Manager database 19-14
Banner
PIX/ASA/FWSM K-60
banners
configuring on firewall devices 14-33
benefits of product 1-2
BGP routing
BGP Routing Policy page J-161
defining routes 13-118
Neighbors dialog box J-162
on Cisco IOS routers 13-118
redistributing routes 13-120
Redistribution Mapping dialog box J-164
Redistribution tab J-163
Setup tab J-161
Bidirectional Neighbor Filter
add/edit K-146
Bidirectional Neighbor Filter tab
PIM K-145
blocking
definition of 16-9
Blocking page M-90
Boot image/configuration
PIX/ASA/FWSM K-61
add K-62
boot image and configuration settings
configuring on firewall devices 14-34
bootstrap configuration
Failover K-91
bootstrapping devices
in Performance Monitor 20-8, 20-10
botnet traffic filter rules 11-47
adding static entries 11-50
configuring DNS snooping I-29
configuring in Map view 3-17
configuring the dynamic database 11-49
databases 11-47
Device Blacklist dialog box I-39
Device Whitelist dialog box I-39
Dynamic Blacklist Configuration tab I-35
enabling DNS snooping 11-51
field definitions I-34
illustrations 11-47
task flow 11-48
traffic classification 11-52
Traffic Classification dialog box I-37
Traffic Classification tab I-36
understanding 11-47
Whitelist/Blacklist tab I-38
Bridge Groups
FWSM
add/edit K-44
bridge groups
defining 13-51
FWSM 3.1 14-27
Bridging
PIX/ASA/FWSM K-50
ARP configuration K-51
ARP Inspection K-52
ARP Inspection, enable/disable K-52
ARP Table K-50
MAC Address, add/edit K-54
MAC Address Table K-53
MAC Learning K-54
MAC Learning, enable/disable K-55
Management IP address K-56
bridging
Cisco IOS routers
Bridge Group dialog box J-75
Bridging Policy page J-74
BVI interfaces 13-50
overview 13-50
PIX/ASA/FWSM
configuring on 14-26
broadcasts
enabling directed on routers J-22
browser plug-ins
defining 10-53
understanding 10-52
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 9-58
Cat6k Device dialog box M-99
Catalyst 6500/7600 devices
configuring FWSM on 9-33
configuring SSH 4-6
default transport protocol A-12
deployment 17-17
FlexConfig object samples 18-20
policy discovery for FWSM 6-12
rollback restrictions 17-35
Catalyst 6500/7600 switches
including in deployment jobs N-10, N-11
Catalyst 6K tab M-98
Catalyst devices
policy discovery 6-12
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings H-89
high availability H-79
IPsec proposals H-85
user group policies H-93
VPNSM/VPN SPA settings H-87
Catalyst platform policies
general reference L-1
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes L-32
Create and Edit IDSM EtherChannel VLANs dialog boxes L-31
IDSM Settings page L-30
IDSM Slot-Port Selector dialog box L-33
interfaces/VLANs policy
Access Port Selector dialog box L-6
Create and Edit Interface dialog boxes-Access Port mode L-12
Create and Edit Interface dialog boxes-Dynamic Port mode L-21
Create and Edit Interface dialog boxes-Other mode L-27
Create and Edit Interface dialog boxes-Routed Port mode L-15
Create and Edit Interface dialog boxes-subinterfaces L-25
Create and Edit Interface dialog boxes-Trunk Port mode L-17
Create and Edit VLAN dialog boxes L-4
Create and Edit VLAN Group dialog boxes L-8
Interfaces/VLANs page L-2
Interfaces tab L-10
Service Module Slot Selector dialog box L-9
Summary tab L-29
Trunk Port Selector dialog box L-7
VLAN Groups tab L-7
VLAN Selector dialog box L-10
VLANs tab L-3
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes L-37
Create and Edit VLAN ACL dialog boxes L-35
VLAN Access Lists page L-34
Catalyst Summary Info command 2-10
Catalyst switches
configuring SSH 4-6
default transport protocol A-12
showing modules, security contexts, and virtual sensors 5-24
Catalyst switches and 7600 Series routers
access ports 15-2
Catalyst Summary Info page L-1
defining IDSM Data Port VLANs 15-14
defining IDSM EtherChannel VLANs 15-13
defining ports 15-3
defining VACLs 15-10
defining VLAN groups 15-7
defining VLANs 15-5
deleting IDSM Data Port VLANs 15-16
deleting IDSM EtherChannel VLANs 15-14
deleting ports 15-4
deleting VACLs 15-11
deleting VLAN groups 15-8
deleting VLANs 15-6
discovering policies 15-2
generating interface names 15-4
IDSM settings 15-12
IDSM Settings page L-30
interfaces 15-2
Interfaces/VLANs page L-2
managing 15-1
routed ports 15-2
trunk ports 15-2
viewing configuration summary 15-16
VLAN Access Lists page L-34
VLAN ACLs (VACLs) 15-9
VLAN groups 15-7
VLANs 15-5
Catalyst VPN Services Module (VPNSM)
configuring 9-31
configuring in remote access VPNs 10-39
defining settings (site-to-site VPN) G-14
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring a VPN SPA 9-31
configuring in remote access VPNs 10-39
defining settings (site-to-site VPN) G-14
categories
using 8-6
Category Editor dialog box F-43
cautions
significance of i-liv
CDP
definition of 12-4
CEF Interface Settings dialog box J-27
CEF interface settings policies 13-22
certificates, SSL
adding thumbprints manually 5-22
configuring default settings for how handled A-12
certificate to connection profile map policies
configuring 10-34
understanding 10-33
certificate to connection profile map rules
configuring 10-35
understanding 10-35
Change Report dialog box E-8
change reports, viewing 7-9
Change Reports command 2-11
Cisco 7600 Series routers
managing 15-1
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces J-20
Cisco Express Forwarding (CEF)
CEF Interface Settings policy J-26
CEF router interface settings policies 13-22
importance for QoS 13-100
Cisco IOS routers
802.1x 13-82
AAA 13-44
accounts and credentials 13-48
ADSL 13-25
advanced interface settings 13-18
available interface types 13-13
basic interface settings 13-13
BGP routing 13-118
CNS call-home mode 4-10
CNS event-bus mode 4-9
configuring SSH 4-6
CPU settings 13-54
default AAA server groups 8-19
deploying configurations using TMS 17-26
dialer interfaces 13-22
discovering policies 13-3
Domain Name System (DNS) 13-68
Dynamic Host Configuration Protocol (DHCP) 13-76
EIGRP routing 13-121
host and domain names 13-70
HTTP 13-54
IOS 12.1 and 12.2 13-3
line access 13-57
managing 13-1
memory settings 13-70
NAT 13-4
NetFlow 13-92, 13-96, J-143
Network Admission Control (NAC) 13-86
Network Time Protocol (NTP) 13-80
optional SSH settings 13-64
OSPF routing 13-125
permanent virtual connections (PVCs) 13-30
platform policies 13-1
Point-to-Point Protocol (PPP) 13-39
policy discovery 6-12
quality of service (QoS) 13-99
RIP routing 13-136
Secure Device Provisioning (SDP) 13-71
setting up SSL (HTTPS) 4-4
SHDSL 13-28
SNMP 13-66
static routing 13-140
syslog logging 13-92
time zone settings 13-52
transparent bridging 13-50
Cisco IOS Software
FlexConfig object samples 18-20
selecting policy types to manage 6-10
Cisco NSDB M-9
Cisco Secure Desktop configuration objects
creating 8-73
Cisco Security Management Suite server
logging into or exiting 1-8
Cisco Technical Assistance Center
creating diagnostic file 19-16
Cisco Trust Agent (CTA) 13-87
CiscoWorks Common Services
backing up and restoring Security Manager 19-14
logging into or exiting 1-8
Class-Based Policing 13-104
class maps
understanding 8-38
Clear Connection Configuration dialog box I-75
clear xlate
PIX/ASA/FWSM platform K-198
CLI commands
FlexConfig objects 18-2
client connection characteristics
Client Connection Characteristics page G-30
configuring policies for Easy VPN 9-79
clientless access mode 10-4
client settings
configuring 10-55
understanding 10-54
Clock
PIX/ASA/FWSM K-62
clock
Cisco IOS routers
overview 13-52
configuring on firewall devices 14-35
clock settings
Cisco IOS routers
Clock Policy page J-76
Clone Device command 2-6
cloning devices
in VPN topologies 9-17
Close Activity command 2-11
cluster load balancing
configuring 10-15
redirection using FQDNs
3DES/AES 10-16
ASA outside IP addresses 10-14
instead of IP addresses 10-15
OS versions supported 10-15
overview 10-14
reverse DNS lookup 10-14
understanding 10-14
CNS
call-home mode 4-10
deploying configurations 17-25
deployment method 17-11
event-bus mode 4-9
setting up on PIX Firewall and ASA devices 4-8
collectors (NetFlow) 14-62
Combine Rules Selection Summary dialog box I-103
commands
Activities menu 2-11
Edit menu 2-7
File menu 2-6
Help menu 2-12
Map menu 2-9
Policy menu 2-8
Tools menu 2-9
View menu 2-7
Common Services
licensing 19-4
configuration
initial Security Manager 1-10
understanding rollback 17-33
Configuration Archive
adding configurations from devices 17-31
rolling back to archived configuration files 17-40
settings A-2
version viewer N-28
viewing and comparing configuration versions 17-32
window N-26
Configuration Archive command 2-11
Configuration Archive page A-2
Configuration Engine
adding 5-14
CNS call-home mode 4-10
CNS event-bus mode 4-9
setting up 4-7
Configuration Engine Properties dialog box C-12
configuration files
deploying in non-Workflow mode 17-17
deploying in Workflow mode 17-19, 17-23
deploying to 17-12
deploying to an AUS or CNS 17-25
deploying to a TMS 17-26
deployment process overview 17-2
factory-default configurations 14-1
previewing 17-27
redeploying to devices 17-28
rolling back to archived configurations 17-40
selecting 2-19
web VPN policy discovery restrictions 5-8
configurations
adding to the Configuration Archive 17-31
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rolling back 17-33
rolling back Catalyst 6500/7600 17-35
rolling back failover devices 17-34
rolling back IPS and IOS IPS 17-35
rolling back multiple context mode 17-34
rolling back to devices 17-38
understanding out-of-band changes 17-13
viewing and comparing 17-32
configuration views 1-5
Configure DNS dialog box
inspection rules I-29
Configure ESMTP dialog box
inspection rules I-30
Configure Fragments dialog box
inspection rules I-31
Configure Hardware Ports
ASA 5505 K-48
Configure IMAP dialog box
inspection rules I-32
Configure POP3 dialog box
inspection rules I-33
Configure RPC dialog box
inspection rules I-33
Configure SMTP dialog box
inspection rules I-29
Configuring Protocol Platform dialog box I-34
Config Version Viewer (Preview Configuration) dialog box N-17
connection
PIX/ASA/FWSM
rules K-192
rules wizard K-193
tab K-194
Connection Profile page (ASA) H-3
connection profiles
configuring 10-16
understanding 10-16
Connection Profiles page
Add/Edit Connection Profile dialog box
AAA tab H-25
Add/Edit Interface Specific Authentication Server Groups dialog box H-27, H-30
General tab (ASA) H-23
IPSec tab H-32
Secondary AAA tab H-28
SSL tab H-32
Connection Profiles page (ASA) H-22
Connection Profiles Policy page
Add/Edit Connection Profile dialog box
IPSec tab H-31
connection timeout
device communication settings A-12
connectivity, testing device 5-16
console
Cisco IOS routers
AAA tab J-87
Accounting tab J-90
Authentication tab J-87
Authorization tab J-88
Console Policy page J-85
Setup tab J-85
console port
Cisco IOS routers
defining AAA settings 13-59
defining setup parameters 13-57
Console timeout
PIX/ASA/FWSM K-65
console timeout settings
configuring on firewall devices 14-37
Constant Bit Rate (CBR) 13-32
contact credentials
configuring on firewall devices 14-36
contained modules
showing 5-24
content rewrite rules
defining 10-47
understanding 10-47
Content Rewrite tab (ASA) H-99
Context Editor dialog box (IOS) H-116
contexts
See security contexts
continuity check (CC) cells 13-34
control plane (CP)
defining QoS on 13-110
policing on 13-107
Control Plane Policing 13-107
conventions i-liii
Copy command 2-7, 11-4
Copy Policies Between Devices command 2-8
Copy Policies wizard
Copy Policies from this Device page D-4
Copy Policies to these Devices page D-6
Select Policies to Copy page D-4
understanding D-3
CPU settings
defining utilization settings 13-54
overview 13-54
CPU Threshold
PIX/ASA/FWSM K-64
CPU utilization
CPU Policy page J-78
Create/Edit Group Policies Dialog Box H-73
Create a Clone of Device dialog box C-27
Create Activity dialog box E-4
Create a Policy dialog box D-18
Create Filter dialog box C-1
Create Overrides for Device dialog box F-208
Create Text Object dialog box F-51
Create VPN Topology wizard G-2
credential objects
attributes F-46
creating 8-30
Credentials
PIX/ASA/FWSM K-64
credentials
device manager validation 20-4
IPS module C-25
service module C-23
testing 5-16
understanding device 5-5
Credentials page
HTTPS port number
overriding with HTTP policy C-33
Credentials page (Devices) C-31
crypto connect alternate feature 9-31
crypto engine slot command 9-32
crypto engine slot slot/subslot {inside | outside} command
VRF-Aware IPsec 9-32
crypto maps
dynamic 9-49
in IPsec proposals 9-49
static 9-49
CSDM Policy Editor dialog box H-64
CS-MARS
access to Security Manager 20-21
configuring servers A-3
discovering or changing server used by device 5-23
event
queries 20-21
events
historical 20-22
real-time 20-22
integration with Security Manager 20-16, 20-20
NetFlow 20-17
query
considerations 20-19
registering in Security Manager 20-23
CS-MARS page A-3
CSMDiagnostics.zip
setting debug options A-6
CSM tab, Licensing page A-29
Customize Desktop Settings page A-5
Custom Protocol dialog box
inspection rules I-30
Cut command 2-7, 11-4
D
database
backing up and restoring 19-14
Days of Week dialog box M-52
DCE/RPC policy map objects
creating 8-42
properties F-86
DCS properties file, SSH settings 5-23
DDNS
configuring on firewall devices 14-57
PIX/ASA/FWSM K-109
add interface rules K-110
update methods K-111
update methods, add/edit K-111
DDoS
protocols M-47
Stacheldraht M-47
TFN M-47
dead-peer detection (DPD) 9-52
debugging
configuring debug levels A-6
Debug Options page A-6
defaults, configuring 19-2
Defaults page (ASA) H-15
Defaults page (IOS) H-18
default virtual sensor
vs0 16-11
Delete Device command 2-6
Delete Map command 2-9
Delete Map dialog box B-10
Delete Row command 2-7
Denial of Service (DoS)
preventing in SMTP using zone based firewall F-69
denial of service (DoS)
preventing using unicast reverse path forwarding (RPF) J-22
Denial of Service (DoS) attacks
configuring inspection settings to mitigate 11-39
Denied Attacker dialog box M-60
Denied Attackers page M-59
Deploy command 2-6
Deploy Job dialog box N-19
deployment
Abort the Job dialog box N-22
Add Other Devices dialog box N-15
Auto Update Server 17-25
Catalyst 6500/7600 devices 17-17
Cisco Networking Services configuration engine 17-25
clearing XLATE on 14-81
configuration files, to 17-12
configurations 17-17
configuring status providers 20-11
creating or editing schedules 17-30
Deploy Job dialog box N-19
Deployment—Create or Edit a Job dialog box N-11
device communication settings 5-21
devices, directly to 17-10
devices, through intermediate server 17-11
dialog box references N-9
Edit Deploy Method dialog box N-13
Edit Selected Deployment Method dialog box N-13
errors
OS version mismatches 17-14
handling OS version mismatches 17-14
IPsec on VPNs
using RADIUS 9-78
managing 17-1
methods 17-10
non-Workflow mode 17-4
Deploy Saved Changes dialog box N-9
optimizing access rules 11-31
out-of-band changes 17-13
process overview 17-2
Redeploy a Job dialog box N-22
Rollback a Job dialog box N-23
rolling back configurations 17-33
rolling back configurations, Catalyst 6500/7600 17-35
rolling back configurations, command conflicts 17-37
rolling back configurations, commands to recover from failover misconfiguration 17-38
rolling back configurations, failover devices 17-34
rolling back configurations, IPS and IOS IPS devices 17-35
rolling back configurations, multiple context mode 17-34
setting debug options A-6
Submit Deployment Job dialog box N-18
suspending or resuming schedules 17-31
system settings A-7
task flow
non-Workflow mode 17-5
Workflow mode 17-6
TMS server 17-26
troubleshooting SSL certificate errors 5-22
understanding 17-1
understanding configuration rollback 17-33
using a Cisco Networking Services (CNS) server 17-25
viewing device details 17-16
viewing job summary 17-16
viewing status and history for jobs and schedules 17-16
Warning - Partial VPN Deployment dialog box N-16
Workflow mode 17-6, 17-19, 17-23
Deployment—Create or Edit a Job dialog box N-11
Deployment Manager window N-3
working with 17-15
Deployment—Create or Edit a Job dialog box N-11
deployment jobs
aborting 17-29
approval 17-9
approving 17-22
creating and editing 17-20
Deployment Manager 17-2
discarding 17-24
including devices in 17-9
multiple users 17-9
redeploying 17-28
rejecting 17-22
states
non-Workflow mode 17-5
Workflow mode 17-7
submitting 17-22
viewing history 17-16
Deployment Manager
overview 17-2
Deployment Manager command 2-10
Deployment Manager window
Deployment Schedules tab N-6
Deployment Manager window in non-Workflow mode N-1
Deployment Manager window in Workflow mode N-3
Deployment page
PIX/ASA/FWSM Platform
clear xlate K-198
Deployment Schedules tab N-6
Deployment Settings page A-7
Deployment Status Details dialog box N-20
Deployment Workflow Commentary dialog boxes N-19
Deploy Saved Changes dialog box N-9
DES encryption algorithm
in IKE proposals 9-45
Destination Contents dialog box I-66
Dest Port Map dialog box M-54
device
AAA administration 14-31
export inventory 5-26
viewing inventory status 5-25
Device Access
FWSM
Resources K-92
Resources, add/edit K-93
PIX/ASA/FWSM K-65
console timeout K-65
host name K-91
HTTP configuration K-67
HTTP page K-66
ICMP rules K-67
ICMP rules, add/edit K-68
Management Access interface K-69
Secure Shell (SSH) K-69
Secure Shell, add/edit host K-70
Server Access K-96
SNMP host access K-73
SNMP page K-71
SNMP Trap configuration K-72
Telnet configuration K-75
Telnet page K-74
user accounts K-115
user accounts, add/edit K-115
device access
configuring on firewall devices 14-37
device access policies
defining 13-48
device administration policies
configuring on firewall devices 14-28
device authentication
adding SSL thumbprints manually 5-22
SSL certificate default configuration A-12
Device Blacklist dialog box I-39
Device Communication page A-11
device communication settings
connection timeout A-12
managing 5-21
retry count A-12
socket read timeout A-12
Device Connectivity Test dialog box C-22
device credentials
understanding 5-5
Device Credentials page C-18
Device Delete Validation page C-26
Device Grouping page C-26
device groups 5-29, 5-32
adding or removing devices 5-32
creating group types 5-31
deleting groups or types 5-32
understanding 5-30
Device Groups page A-14, C-33
Device Information page - Add Device from File C-15
Device Information page - Configuration File C-8
Device Information page - Network C-4
Device Information page - New Device C-10
device inventory
exporting
DCR, CS-MARS, Security Manager formats 5-26
overview 5-26
using command line utility 5-28
managing 5-1
testing device connectivity 5-16
understanding 5-1
understanding contents 5-3
user interface reference C-1
working with 5-7
device manager
access rule look up 20-5
ASDM 20-2
access rule look-up 20-6
command 20-5
credentials 20-4
IDM 20-2
PDM 20-2
preparing devices 20-3
prerequisites 20-3
SDM 20-2
access rule look-up 20-7
starting 20-4
starting from Security Manager 20-1
xdm-launcher.exe 20-5
Device Manager command 2-10
Device OS Management command 2-11
Device Properties
Credentials page C-31
Device Groups page C-33
General page C-28
Policy Object Override pages
general reference C-34
device properties
changes with policy effects 5-19
changing critical 5-18
image version changes with no policy effects 5-18
understanding 5-6
viewing or changing 5-17
Device Properties command 2-10
Device Properties page
creating object overrides 8-11
deleting overrides 8-12
overview C-28
devices
adding 5-7
adding configurations to the Configuration Archive 17-31
adding from configuration files 5-10
adding from inventory file 5-12
adding from network 5-8
adding local rules to shared policies 6-30
adding manually 5-11
adding to Performance Monitor 20-10
assigning shared policies 6-29
changing critical properties 5-18
cloning or duplicating 5-24
communication requirements 4-1
communication settings and certificates 5-21
configuring local policies 6-20
copying policies between 6-22
copying shared policies 6-32
creating policy object overrides 8-11
deleting from inventory 5-25
deleting policy object overrides 8-12
deployment through intermediate server 17-11
deployment to 17-10
discovering or changing CS-MARS server 5-23
discovering policies 6-11
discovering policies on existing devices 6-14
dynamic IP addresses 5-14
image version changes with no policy effects 5-18
including in deployment jobs N-10, N-11
including in deployment jobs or schedules 17-9
inheriting policy rules 6-32
managing operating system 5-29
maps
adding existing managed 3-10
adding new managed 3-10
displaying devices from Device View 3-11
displaying managed 3-10
showing containment for Catalyst switches, ASA, PIX, IPS devices 3-11
modifying policy assignment 6-34
modifying shared policies 6-34
naming conventions 5-3
policy status icons 6-19
preparing for management 4-1
property changes with policy effects 5-19
redeploying configuration files to 17-28
redeploying configurations to replaced hardware 17-28
renaming policies 6-33
replacing policies 6-29
rolling back configurations 17-38
sharing multiple policies 6-28
showing contained modules 5-24
system variables 18-7
testing connectivity 5-16
unassigning policies 6-23
understanding out-of-band changes 17-13
unsharing policies 6-29
what counts as a device 5-3
device selector
filtering 2-14
Device Server Assignment dialog box C-38
Device view
adding local rules to shared policies 6-30
assigning shared policies 6-29
configuring local policies 6-20
copying policies between devices 6-22
copying shared policies 6-32
editing site-to-site VPN policies in 9-43
inheriting policies 6-32
managing policies 6-19
managing VPN devices in 9-42
modifying policy assignments 6-34
modifying shared policies 6-34
overview 1-5, 2-2
policy banner 6-25
policy status icons 6-19
remote access VPNs
managing 10-7
renaming policies 6-33
sharing local policies 6-27
sharing multiple policies 6-28
Site-to-Site VPN Topologies page G-76
unassigning policies 6-23
understanding basic policy management 6-20
understanding shared policies 6-25
unsharing policies 6-29
device view
understanding 5-1
Device View command 2-8
Device Whitelist dialog box I-39
DHCP
Cisco IOS routers
defining address pools 13-79
defining policies 13-78
DHCP Database dialog box J-121
DHCP Policy page J-119
IP Pool dialog box J-122
overview 13-76
understanding database agents 13-76
understanding option 82 13-77
understanding relay agents 13-77
understanding secured ARP 13-78
PIX/ASA/FWSM
add/edit servers K-104
advanced configuration K-104
configuring DHCP relay 14-53
configuring DHCP servers 14-54
server options K-105
servers page K-102
DHCP relay
PIX/ASA/FWSM K-99
add/edit agent K-100
add/edit server K-101
diagnostics
setting debug options A-6
diagnostics file, creating 19-16
dial backup
configuring 9-29
configuring in Easy VPN 9-72
Dial Backup Settings dialog box G-22
understanding 9-29
dialer interfaces
defining BRI properties 13-24
defining profiles 13-23
Dialer Physical Interface dialog box J-30
Dialer Policy page J-28
Dialer Profile dialog box J-29
on Cisco IOS routers 13-22
Diffie-Hellman groups
in IKE proposals 9-46
Digital Subscriber Line (DSL) 13-25
digital subscriber line-access multiplexer (DSLAM) 13-25
directed broadcasts
enabling J-22
Discard Activity command 2-12
Discard Activity dialog box E-7
Discard command 2-6
Discard Deployment Job dialog box N-19
discovering
remote access VPNs 10-6
site-to-site VPNs 9-12
discovering site-to-site VPNs
wizard G-77
Discover Policies on Device command 2-8
Discover Policies On Device dialog box D-10
Discover VPN Policies command 2-8
Discover VPN Policies wizard G-77
Name and Technology page G-78
Discover VPN Policies wizard > Device Selection page G-79
discovery
default behavior settings A-16
overview 1-7
setting debug options A-6
Discovery Settings page A-16
Discovery Status dialog box D-12
discovery task
frequently asked questions 6-17
starting 6-14
viewing status 6-16
Display Actual Size command 2-9
Distributed Denial of Service
See DDoS
Distributed Traffic Shaping (DTS) 13-104
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 9-67
configuring policies 9-68
large scale DMVPNs
configuring 9-70
understanding 9-70
understanding 9-67
using with GRE 9-67
DMVPN policies G-46
DNS
configuring for inspection rules I-29
configuring on firewall devices 14-56
definition of 16-7
PIX/ASA/FWSM
add server K-108
add server group K-107
look-up K-108
servers page K-106
DNS class map objects
creating 8-41
match criteria F-90
DNS policy map objects
creating 8-43
match conditions and actions F-90
properties F-87
DNS requirement for IPS 16-7
DNS server identification for IPS M-88
DNS snooping 11-51
Dock Map View command 2-9
documentation
conventions i-liii
Domain Name System (DNS)
Cisco IOS routers
defining policies 13-69
DNS Policy page J-113
IP Host dialog box J-114
overview 13-68
do not ask warnings, resetting A-5
DSLAM 13-25
duplex
interface K-49
dynamic access policies
attributes 10-19, 10-23
configuring 10-18
understanding 10-17
dynamic access policies (DAP) H-53
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box H-45
Add/Edit DAP Entry dialog box > AAA Attributes Cisco H-47
Add/Edit DAP Entry dialog box > AAA Attributes LDAP H-48
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS H-49
Add/Edit DAP Entry dialog box > Anti-Spyware H-50
Add/Edit DAP Entry dialog box > Anti-Virus H-51
Add/Edit DAP Entry dialog box > Application H-52
Add/Edit DAP Entry dialog box > File H-54
Add/Edit DAP Entry dialog box > NAC H-55
Add/Edit DAP Entry dialog box > Operating System H-55
Add/Edit DAP Entry dialog box > Personal Firewall H-56
Add/Edit DAP Entry dialog box > Policy H-57
Add/Edit DAP Entry dialog box > Process H-58
Add/Edit DAP Entry dialog box > Registry H-59
Advanced Expressions tab H-63
Logical Operators tab H-60
Main tab H-39
Dynamic Access Policy page (ASA) H-36
Cisco Secure Desktop Manager Policy Editor dialog box H-64
Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box H-38
Dynamic Blacklist Configuration tab I-35
dynamic crypto maps 9-49
dynamic filter snooping (DNS)
enabling I-29
dynamic IP devices
and GRE
understanding 9-64
Dynamic Multipoint VPN (DMVPN) 9-5
dynamic NAT
creating rules on Cisco IOS routers 13-10
Dynamic Translation Rule
PIX/ASA/FWSM K-9
add/edit K-11
dynamic VTI
configuring in Easy VPN 9-72
in remote access VPNs 10-37
Dynamic VTI/VRF Aware IPsec settings tab H-89
Dynamic VTI tab (site-to-site VPN) G-41
E
Easy VPN 9-5
Advanced tab G-37
client connection characteristics 9-79
Client VPN Software Update tab G-38
configuring dial backup in 9-72
configuring dynamic VTI in 9-72
configuring high availability in 9-72
Dynamic VTI tab G-41
General tab G-33
IPsec Proposal page G-38
IPsec Proposal tab G-39
IPsec proposals 9-75, 9-88
IPsec tab G-35
tunnel group policies 9-78
Tunnel Group Policy page G-33
understanding 9-71
user group policies 9-77
User Group Policy page G-64
with dial backup 9-71
with Dynamic Virtual Tunnel Interfaces (DVTI) 9-71
with high availability 9-71
Edit AAA Option dialog box I-7
Edit AAA Rules dialog box I-4
Edit AAA Server dialog box F-8
Edit AAA Server Group dialog box F-6, I-8
Edit Actions dialog box M-8
Edit AOL Class Map dialog box F-61
Edit A Port Forwarding Entry dialog box F-152
Edit ASA Group Policies dialog box
client configuration settings F-27
client firewall attributes F-28
connection settings F-42
DNS/WINS settings F-40
hardware client attributes F-30
IPSec settings F-31
overview F-25
split tunneling settings F-41
SSL VPN clientless settings F-33
SSL VPN full client settings F-35
SSL VPN settings F-37
technology settings F-25
Edit A Smart Tunnel Entry dialog box F-179
Edit Auto Signon Rules dialog box F-39
Edit Auto Update Settings dialog box A-23
Edit Category dialog box I-66
Edit Cisco Secure Desktop Configuration dialog box F-44
Edit Client Access Rules dialog box F-33
Edit Client Update dialog box F-195
Edit Column dialog box F-173
Edit Custom Pane dialog box F-173
Edit DCE/RPC Map dialog box F-86
Edit Deploy Method dialog box N-13
Edit Description dialog box I-66
Edit Destinations dialog box I-64
Edit Device Groups command 2-6
Edit Device Groups dialog box C-36
Edit DNS Class Map dialog box F-61
Edit DNS Map dialog box
Filtering tab F-89
overview F-87
Protocol Conformance tab F-88
Edit eDonkey Class Map dialog box F-61
Edit Endpoints dialog box G-10
Protected Networks tab G-17
VPN Interface tab G-10
Edit ESMTP Map dialog box F-92
Edit Extended Access Control Entry dialog box F-20
Edit Extended Access List dialog box F-19
Edit External Filter dialog box F-80
Edit FastTrack Class Map dialog box F-61
Edit Fidelity dialog box M-9
Edit File Object dialog box F-47
Edit Firewall Rule dialog box I-11
Edit Firewall Rule Expiration dialog box I-15
Edit FlexConfig dialog box F-48
Edit FTP Class Map dialog box F-61
Edit FTP Map dialog box F-95
Edit Gnutella Class Map dialog box F-61
Edit GTP Map dialog box F-99
Edit H.323 Class Map dialog box F-61
Edit H.323 Map dialog box F-103, F-134
Edit HSI Endpoint IP Address dialog box F-105
Edit HSI Group dialog box F-104
Edit HTTP Class Map dialog box F-61
Edit HTTP Map dialog box F-134
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab F-109
Extension Request Method tab F-112
General tab F-108
overview F-107
Port Misuse tab F-113
RFC Request Method tab F-111
Transfer Encoding tab F-114
ASA 7.2+ and PIX 7.2+ devices F-115
Edit ICQ Class Map dialog box F-61
Edit IKE Proposal dialog box F-53
Edit IMAP Class Map dialog box F-61
Edit IMAP Map dialog box F-134
Edit IM Class Map dialog box F-61
Edit IM Map dialog box F-134
ASA and PIX device F-121
IOS device F-124
Edit Inspected Protocol dialog box I-21
Edit Inspect Parameter Map dialog box F-74
Edit Interfaces dialog box I-65
Edit IPsec Pass Through Map dialog box F-125
Edit IPSec Transform Set dialog box F-57
Edit Kazaa2 Class Map dialog box F-61
Edit Language dialog box F-167
Edit LDAP Attribute Map dialog box F-59
Edit LDAP Attribute Map Value dialog box F-60
Edit Local Web Filter Class Map dialog box F-61
Edit Local Web Filter Parameter Map dialog box F-77
Edit Map Value dialog box F-61
Edit Match Condition and Action dialog box
DNS policy maps F-90
ESMTP policy maps F-94
FTP policy maps F-97
GTP policy maps F-101
H.323 (IOS) policy maps F-135
H.323 policy maps F-106
HTTP (Zone Based IOS) policy maps F-135
HTTP policy maps F-117
IM (Zone Based IOS) policy maps F-135
IMAP policy maps F-135
IM policy maps F-122
P2P policy maps F-135
POP3 policy maps F-135
SIP (IOS) policy maps F-135
SIP policy maps F-129
Skinny policy maps F-133
SMTP policy maps F-135
Sun RPC policy maps F-135
Web Filter policy maps F-135
Edit Match Criterion dialog box
AOL class maps F-64
DNS class maps F-90
eDonkey class maps F-64
FastTrack class maps F-64
FTP class maps F-97
Gnutella class maps F-64
H.323 (IOS) class maps F-65
H.323 class maps F-106
HTTP (IOS) class maps F-65
HTTP class maps F-117
ICQ class maps F-64
IMAP class maps F-67
IM class maps F-122
Kazaa2 class maps F-64
Local Web Filter class maps F-72
MSN Messenger class maps F-64
N2H2 class maps F-73
POP3 class maps F-67
SIP (IOS) class maps F-68
SIP class maps F-129
SMTP class maps F-69
Sun RPC class maps F-72
Websense class maps F-73
Windows Messenger class maps F-64
Yahoo Messenger class maps F-64
Edit menu 2-7
Edit MSN Messenger Class Map dialog box F-61
Edit N2H2 Parameter Map dialog box F-78
Edit N2H2 Web Filter Class Map dialog box F-61
Edit NetBIOS Map dialog box F-126
Edit Network/Host dialog box F-141
Edit Options dialog box I-13
Edit P2P Map dialog box F-134
Edit Permit Response dialog box F-100
Edit PKI Enrollment dialog box
CA Information tab F-144
Certificate Subject Name tab F-150
Enrollment Parameters tab F-148
overview F-142
Trusted CA Hierarchy tab F-151
Edit Policy Assignments command 2-8
Edit POP3 Class Map dialog box F-61
Edit Port Forwarding List dialog box F-151
Edit Port List dialog box F-153
Edit Protocol Info Parameter Map dialog box F-76
Edit Regular Expression dialog box F-138
Edit Regular Expression Group dialog box F-138
Edit Row command 2-7
Edit Rule Section dialog box I-90
Edit Selected Deployment Method dialog box N-13
Edit Server dialog box
Protocol Info Parameter maps F-77
Edit Service dialog box F-154
Edit Services dialog box I-65
Edit Signature dialog box M-3
Edit Signature Parameter—Component List dialog box M-47
Edit Signature Parameter—List Entry Dialog Box M-48
Edit Signature Parameters dialog box M-10
Edit Signatures page, Apply IPS Update wizard A-27
Edit Single Sign On Server dialog boxes F-156
Edit SIP Class Map dialog box F-61
Edit SIP Map dialog box F-127, F-134
Edit Skinny Map dialog boxes F-131
Edit SLA Monitor dialog box F-158
Edit Smart Tunnel Lists dialog box F-177
Edit SMTP Class Map dialog box F-61
Edit SMTP Map dialog box F-134
Edit SNMP Map dialog box F-133
Edit Sources dialog box I-64
Edit SSL VPN Customization dialog box F-163
Applications F-172
Copyright Panel F-170
Custom Panes F-172
Full Customization F-170
Home Page F-174
Informational Panel F-169
Language F-166
Logon Form F-168
Logout Page F-175
Title Panel F-165
Toolbar F-171
Edit SSL VPN Gateway dialog box F-176
Edit Standard Access Control Entry dialog box F-22
Edit Standard Access List dialog box F-19
Edit state 7-4
Edit Sun RPC Class Map dialog box F-61
Edit Sun RPC Map dialog box F-134
Edit TCP Map dialog box F-139
Edit TCP Option Range Dialog Box F-141
Edit Text Object dialog box F-181
Edit Time Range dialog box F-182
Edit Traffic Flow dialog box F-184
Edit Transparent EtherType dialog box I-44
Edit Transparent Firewall Rule dialog box I-42
Edit Transparent Mask dialog box
transparent rules I-45
Edit Trend Content Filter Class Map dialog box F-61
Edit Trend Parameter Map dialog box F-81
Edit Update Server Settings dialog box A-21
Edit URL Domain Name dialog box F-84
Edit URLF Glob Parameter Map dialog box F-84
Edit URL Filter Parameter Map dialog box F-82
Edit User Group dialog box
Advanced PIX 6.3 settings F-196
Browser Proxy settings F-201
Client (IOS) settings F-192
Clientless settings F-197
Client VPN Software Update (IOS) settings F-195
DNS/WINS settings F-190
General settings F-189
IOS Xauth Options settings F-194
overview F-187
Split Tunneling settings (Easy VPN/remote access IPSec VPN) F-191
SSL VPN Connection settings F-202
SSL VPN Full Tunnel settings F-198
SSL VPN Split Tunneling settings F-200
Technology settings F-187
Thin Client settings F-198
Edit Virtual Sensor dialog box M-103
Edit Web Access Control Entry dialog box F-23
Edit Web Filter Map dialog box F-136
Edit Web Filter Options dialog box I-50
Edit Web Filter Type dialog box I-49
Edit Websense Parameter Map dialog box F-78
Edit Websense Web Filter Class Map dialog box F-61
Edit Web Type Access List dialog box F-19
Edit Windows Messenger Class Map dialog box F-61
Edit WINS Server dialog box F-204
Edit WINS Server List dialog box F-203
Edit Yahoo Messenger Class Map dialog box F-61
Edit Zones dialog box I-65
eDonkey class map objects
creating 8-41, 8-57
match criteria F-64
EIGRP routing
defining interface properties 13-122
defining routes 13-121
EIGRP Routing Policy page J-165
Interface dialog box J-168
Interfaces tab J-167
on Cisco IOS routers 13-121
redistributing routes 13-124
Redistribution Mapping dialog box J-170
Redistribution tab J-169
Setup dialog box J-166
Setup tab J-166
e-mail
blocking spam using zone-based firewall rules F-69
preventing DoS attacks F-69
e-mail notifications
configuring SMTP server 1-12
PIX/ASA/FWSM
recipient set-up K-119
syslog messages K-118
Enable PIM and IGMP
PIX/ASA/FWSM K-134
Encapsulating Security Protocol (ESP) encryption algorithm F-59
encoding rules
defining 10-49
encoding settings
understanding 10-48
Encoding tab (ASA) H-101
encryption algorithms
3DES (Triple DES) 9-45
AES (Advanced Encryption Standard) 9-46
DES (Data Encryption Standard) 9-45
in IKE proposals 9-45
endpoints and protected networks
defining in VPN topologies 9-20, 9-23
understanding 9-19
VPN Interface tab G-10
ESMTP policy map objects
creating 8-44
match conditions and actions F-94
properties F-92
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes L-31
defining IDSM VLANs 15-13
deleting IDSM VLANs 15-14
Ethereal 20-14
evaluation license
upgrading to permanent license 19-3
event
historical 20-22
lists K-119
add/edit K-121
queries 20-21
access rule 20-24
IPS signatures 20-28
real-time 20-22
syslog class
add/edit K-122
syslog message ID
add/edit K-122
Event Action Filters page M-61
Event Action Filters tab
described M-70
Event Action Override dialog box M-65
Event Action Overrides page M-64
Event Action policies M-60
event reporting
Inventory Status 20-12
severity levels 20-12
exclusive domains
configuring for IOS devices 11-56
Exit command 2-7
exiting
Cisco Security Management Suite server 1-8
CiscoWorks Common Services 1-8
Security Manager 1-8, 1-9
expiration dates
configuring for access rules 11-22
export
device inventory 5-26
Export Inventory command 2-10
Export Inventory dialog box C-35
Export Map command 2-9
External Product Interface dialog box M-86
External Product Interface page M-85
F
factory-default configurations 14-1
Failover
FWSM K-78
advanced settings K-81
interface configuration K-82
PIX/ASA K-83
Add Failover Group K-88
interface configuration K-89
settings K-85
PIX/ASA/FWSM K-75
bootstrap configuration K-91
interface MAC address K-90
PIX 6.3 K-76
interface configuration K-77
failover
link 14-45
PIX/ASA/FWSM
active/active 14-46, 14-47
active/standby 14-46
configuring 14-45
configuring on 14-49
stateful 14-46, 14-48
stateless 14-46
types of 14-46
understanding 14-45
false positives
definition of 12-11
FastTrack class map objects
creating 8-41, 8-57
match criteria F-64
feature sets 1-3
File menu 2-6
file objects
attributes F-47
creating 8-31
files
deploying to 17-12
selecting or specifying 2-19
Filter Item dialog box M-62
filters
defined using signature categories 12-18
filtering selectors 2-14
filtering tables 2-16
Find and Replace dialog box I-91
find and replace in rules policies 11-6
Find Map Node command 2-9
Find Node dialog box B-10
firewall
access rule
CS-MARS query 20-24
Firewall AAA IOS Timeout Value Setting dialog box I-82
Firewall AAA MAC Exempt Setting dialog box I-78
Firewall ACL Setting dialog box I-69
Firewall Device dialog box M-97
firewall devices
policy discovery 6-12
firewalls
system variables 18-9
firewall service module (FWSM)
including in deployment jobs N-10, N-12
firewall services
AAA rules
adding 11-40
understanding 11-40
access rules
address requirements 11-19
configuring 11-21
configuring expiration dates 11-22
how deployed 11-19
import examples 11-29
importing 11-28
optimizing during deployment 11-31
understanding 11-17
understanding device-specific behavior 11-19
working with 11-17
adding rules 11-4
analysis reports 11-24
combining rules
interpreting results 11-11
procedure 11-9
common edit and show dialog boxes I-64
configuring policies in Map view 3-16
configuring settings policies in Map view 3-17
deleting rules 11-4
disabling rules 11-8
editing rules 11-5
enabling rules 11-8
finding and replacing items in rules policies 11-6
firewall settings
configuring settings 11-23, 11-42, 11-57
for IOS 11-44
for PIX/ASA/FWSM 11-43
per user downloadable ACLs I-70
hit count reports 11-26
inspection rules
custom destination ports 11-36
default inspection traffic 11-36
destination address and port (IOS) inspection rules 11-37
source and destination address and port 11-38
supported features 11-33
understanding 11-32, 11-33
inspection settings
configuring for IOS devices 11-39
managing 11-1
managing rules tables 11-2
moving rules 11-7
object groups
expanding during discovery 11-16
optimizing network object groups during deployment 11-15
policy query
generating reports 11-12
report results 11-14
rule table sections 11-8
understanding rule order 11-7
user interface reference I-1
using rules tables 11-3
web filter rules
configuring for IOS devices 11-56
zone-based firewall
advanced options I-60
configuring PAM I-62
configuring rules 11-67, I-57
configuring settings 11-70
designing network zones 11-66
protocol selection I-61
rules table I-54
tabs 11-70
zone-based firewalls
about 11-61
IPSec VPN 11-65
overview 11-60
restrictions 11-63
Self zone 11-63
understanding 11-62
VRF 11-65
Firewall Services Module
security contexts
configuration K-199
Firewall Services Module (FWSM) 9-33
Bridge Groups
add/edit K-44
Failover K-78
advanced settings K-81
interface configuration K-82
FWSM tab (site-to-site VPN) G-18
interfaces K-40
add/edit K-42
PIX/ASA/FWSM Platform policies K-1
understanding configuration 9-33
Firewall Services Module (FWSM)
Device Access
Resources K-92
Resources, add/edit K-93
firewall settings
AAA firewall I-73
advanced setting I-73
MAC exempt lists I-76
Access Control page I-67
access controls
per user downloadable ACLs I-70
AuthProxy General tab (IOS) I-79
AuthProxy page I-79
AuthProxy Timeout tab (IOS) I-81
botnet traffic filter rules I-34
Firewall AAA IOS Timeout Value Setting dialog box I-82
Firewall ACL Setting dialog box I-69
Inspection page I-70
MAC exempt lists, AAA firewall I-76
reference information I-67
Web Filter page I-83
zone-based firewall
add/edit zones I-90
Content Filter tab I-89
Global Parameters tab I-87
page I-87
VPN tab I-87
WAAS tab I-87
Zones tab I-87
zone-based firewalls
logging 11-61
Firewall tab M-97
Fit to Window command 2-9
FlexConfig objects
adding to policies 18-28
ASA samples 18-18
Catalyst 6500/7600 samples 18-20
changing order in policies 18-28
changing variable values 18-28
Cisco IOS Software samples 18-20
CLI commands 18-2
configuring 18-23
configuring AAA for administrative introducers 13-75
creating 18-26
deleting variables 18-26
PIX firewall samples 18-21
previewing CLI 18-28
removing from policies 18-28
router samples 18-22
samples 18-17
scripting language
example of looping 18-3
example of looping with if/else statements 18-4
example of two-dimensional looping 18-3
understanding 18-3
system variables
device 18-7
firewalls 18-9
remote access VPN 18-17
router 18-12
understanding 18-7
VPN 18-13
understanding 18-1
variables 18-5
variables, example 18-6
FlexConfig policies
adding objects 18-28
changing object order 18-28
changing variable values 18-28
configuring 18-23
configuring AAA for administrative introducers 13-75
editing 18-28
previewing CLI 18-28
removing objects 18-28
understanding 18-1
FlexConfig Policy page 18-29
FlexConfig Preview dialog box 18-31
FlexConfigs
creating (scenario) 18-23
managing 18-1
FlexConfig Undefined Variables dialog box F-51
Flood engine
described M-21
floodguard 14-76
Flood Host engine
parameters (table) M-21
Flood Net engine
parameters (table) M-22
FQDN
redirection using
cluster load balancing and 10-14
fragmentation
in remote access VPNs 10-27
in site-to-site VPNs
General Settings tab G-69
understanding 9-54
maximum transmission unit (MTU) 9-54
fragments settings 14-76
frequently asked questions
policy discovery 6-17
FTP class map objects
creating 8-41
match criteria F-97
FTP policy map objects
creating 8-45
match conditions and actions F-97
properties F-95
full mesh topologies
description 9-4
diagram 9-4
full tunnel client access mode 10-4
FWSM
bridge groups 14-27
credentials C-23
PDM 20-2
policy discovery 6-12
rollback, commands to recover from failover misconfiguration 17-38
rollback command conflicts 17-37
rollback restrictions for failover devices 17-34
rollback restrictions for multiple context mode 17-34
setting up SSL (HTTPS) 4-3
FWSM devices
AAA support 8-17
adding SSL thumbprints manually 5-22
SSL certificate configuration A-12
G
Gateway and Context page H-10
General
PIX/ASA/FWSM
security policies K-186
General Configuration tab M-82
General page, device properties C-28
General Settings tab H-70
General sub-tab M-53
General tab M-91
General tab (SSL VPNs and IOS devices) H-116
General tab (Translation Rules)
PIX/ASA/FWSM K-19
GET VPN 9-5
communication flow 9-84
defining group encryption in 9-22
features 9-85
group members
access control lists 9-86
adding G-26
editing G-27
IKE proposal G-54
key servers
adding G-26
editing G-27
receive-only SAs 9-87
SAs
receive-only mode 9-87
understanding 9-82, 9-83, 9-84, 9-85, 9-86, 9-87
GET VPN Peers page G-25
GET VPNs
group encryption policies
certificate authorization G-51
global settings
remote access VPN
configuring 10-27
understanding 10-27
Global Settings page H-66
Gnutella class map objects
creating 8-41, 8-57
match criteria F-64
GRE (generic routing encapsulation)
advantages of IPsec tunneling with GRE 9-62
configuring policies 9-65
for devices with dynamic IP 9-64
GRE Modes page G-42
implementation 9-62
prerequisites for successful configuration 9-63
understanding in site-to-site VPNs 9-62
using DMVPN with 9-67
GRE Dynamic IP 9-5
configuring policies 9-65
for dynamically addressed spokes 9-64
GRE Dynamic IP policy G-43
GRE mode G-43
DMVPN policy G-46
GRE Modes Page > DMVPN Policy G-46
GRE Modes Page > GRE or GRE Dynamic IP Policy G-43
group encryption
defining in GET VPN topologies 9-22
group encryption (GET VPN) G-6
group encryption (policies)
Group Encryption Policy page (site-to-site VPN) G-50, G-52
Group Encryption Policy page (GET VPN) G-6
group members
adding G-26
communication flow 9-84
editing G-27
GET VPN
access control lists 9-86
group members (GET VPN)
Group Members page (GET VPN) G-53
group policies
understanding 10-29
VPNs
ASA devices 10-30
configuring bookmarks 8-84
configuring portal appearance 8-79
configuring WINS servers for file system access 8-89
customizing 8-79
post URL method and macro substitutions in bookmarks 8-86
smart tunnels 8-87
Group Policies page H-72
groups
adding or removing devices 5-32
creating 5-32
deleting 5-32
understanding 5-30
working with 5-29
group types
creating 5-31
deleting 5-32
GTP map objects
Add Country Network Codes dialog box F-100
Edit Country Network Codes dialog box F-100
GTP Map Timeouts dialog box F-101
GTP policy map objects
creating 8-46
match conditions and actions F-101
properties F-99
H
H.323 (ASA, PIX) class map objects
creating 8-41
H.323 (ASA/PIX/FWSM) policy map objects
creating 8-47
properties F-103
H.323 (IOS) class map objects
creating 8-41, 8-57
match criteria F-65
H.323 (IOS) policy map objects
creating 8-57
match conditions and actions F-135
H.323 class map objects
match criteria F-106
H.323 policy map objects
match conditions and actions F-106
hash algorithms
in IKE proposals 9-46
MD5 9-46
SHA 9-46
help
accessing 2-20
Help About This Page command 2-12
helper addresses 13-19
Help menu 2-12
Help Topics command 2-12
Hide Navigation Window command 2-9
high availability (HA groups)
configuring in Easy VPN 9-72
configuring in site-to-site VPN 9-41
High Availability page (site-to-site VPN) G-23
in remote access VPNs 10-40, 10-41
prerequisites 9-40
stateful failover 9-39
stateless failover 9-39
understanding in site-to-site VPN 9-39
High Availability page H-79
high availability policies
configuring 10-41
understanding 10-40
Histogram dialog box M-54
historical events
CS-MARS 20-22
hit count
generating reports 11-26
Hit Count Query Results page I-101
Hit Count Selection Summary Dialog Box I-101
Hostname
PIX/ASA/FWSM K-91
hostnames
Cisco IOS routers
defining 13-70
Hostname Policy page J-115
overview 13-70
hostname settings
configuring on firewall devices 14-51
Host posture ACLs in IPS M-87
HSRP 14-27
HTTP
Cisco IOS routers
AAA tab J-82
Command Authorization Override dialog box J-84
defining policies 13-55
HTTP Policy page J-80
overview 13-54
Setup tab J-81
PIX/ASA/FWSM K-66
configuration K-67
HTTP (ASA, PIX) class map objects
creating 8-41
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 8-49
properties F-107
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 8-50
properties F-115
HTTP (IOS) class map objects
creating 8-41, 8-57
creating for zone-based firewall content filtering 8-59
match criteria F-65
HTTP (Zone Based IOS) policy map objects
creating 8-57, 8-59
match conditions and actions F-135
HTTP class map objects
match criteria F-117
HTTP-FORM
settings in AAA server objects F-17
HTTP policy
overriding HTTPS port number C-33
sharing
HTTPS port number C-33
HTTP policy map objects
match conditions and actions F-117
understanding 8-49
HTTPS
setting up 4-3
troubleshooting certificate errors 5-22
HTTP settings
configuring on firewall devices 14-38
hub-and-spoke topology
description 9-2
diagram 9-2
I
ICMP rules
PIX/ASA/FWSM K-67
add/edit K-68
ICMP settings
configuring on firewall devices 14-38
configuring on IOS routers J-20
icons
map elements B-2
toolbar reference 2-12
ICQ class map objects
creating 8-41, 8-57
match criteria F-64
idle timeout, Security Manager client A-5
IDM
device manager 20-2
IDSM
Create and Edit IDSM Data Port VLANs dialog boxes L-32
Create and Edit IDSM EtherChannel VLANs dialog boxes L-31
credentials C-23
defining Data Port VLANs 15-14
defining EtherChannel VLANs 15-13
deleting Data Port VLANs 15-16
deleting EtherChannel VLANs 15-14
IDSM Settings page L-30
IDSM Slot-Port Selector dialog box L-33
understanding settings on Catalyst devices 15-12
IEV
IPS Event Viewer 20-13
IGMP
configuring on firewall devices 14-70
PIX/ASA/FWSM
Access Group parameters K-137
Access Group tab K-136
enable K-134
Join Group parameters K-139
Join Group tab K-138
page K-134
parameters K-135
Protocol tab K-134
Static Group parameters K-138
Static Group tab K-137
IKE (Internet Key Exchange)
aggressive mode negotiation 9-45
main mode negotiation 9-45
proposals 9-45
understanding 9-45
IKE keepalive
understanding 9-52
IKE proposal objects
creating 8-32
properties F-53
IKE Proposal page H-81
IKE proposals (policies)
configuring 9-47
IKE Proposal page (site-to-site VPN) G-53
in GET VPNs G-54
IKE protocol
using RADIUS
as the authentication method 9-78
IM (ASA7.2+/PIX7.2+) policy map objects
creating 8-51
properties F-121
IM (IOS) policy map objects
creating 8-52
properties F-124
IM (Zone Based IOS) policy map objects
creating 8-57
match conditions and actions F-135
IM (Zone based IOS) policy map objects
creating 8-57
IMAP class map objects
creating 8-41, 8-57
match criteria F-67
IM applications
match conditions for zone-based firewalls F-64
protocol information for IM application inspection F-76
IMAP policy map objects
creating 8-57
match conditions and actions F-135
IM class map objects
creating 8-41
match criteria F-122
IM policy map objects
match conditions and actions F-122
Import Background Image dialog box B-11
Import Rules wizard
Enter Parameters page I-94
Preview page I-96
Status page I-95
inheritance
for signatures 12-8
inheriting rules 6-32
Inherit Rules dialog box D-10
understanding 6-4
versus assignment 6-6
Inherit Rules command 2-8
Inherit Rules dialog box D-10
Inline Pairs tab M-74
Inspected Protocol page
inspection rules I-21
Inspection/Reputation
definition of 12-15
inspection map objects
class maps
creating 8-41
understanding 8-38
inspection rules
adding 11-34
Add Inspection Rule dialog box I-18
Configure DNS dialog box I-29
Configure ESMTP dialog box I-30
Configure Fragments dialog box I-31
Configure IMAP dialog box I-32
Configure POP3 dialog box I-33
Configure RPC dialog box I-33
Configure SMTP dialog box I-29
configuring custom destination ports 11-36
configuring default inspection traffic 11-36
configuring in Map view 3-17
configuring settings I-70
configuring settings for IOS devices 11-39
configuring settings in Map view 3-18
configuring source and destination address and port (asa/fwsm3.x) 11-38
Custom Protocol dialog box I-30
deleting 11-4
disabling 11-8
editing 11-5
Edit Inspection Rule dialog box I-18
enabling 11-8
Inspected Protocol page I-21
Inspection Rules page I-16
Limit Inspection Between Source and Destination IP Addresses (ASA) page I-23
Match Traffic by Custom Destination Ports page I-25
Match Traffic by Destination Address and Port (IOS) page I-25
Match Traffic by Source and Destination Address and Port (ASA) page I-27
moving 11-7
protocols allowing configuration I-22
supported features 11-33
understanding 11-32, 11-33
Inspection Rules page I-16
Inspection settings page I-70
inspect maps
policy maps
Add Country Network Codes dialog box F-100
Edit Country Network Codes dialog box F-100
Inspect parameter map objects
properties F-74
Inspect Parameters map objects
creating 8-57, 8-59
installing
Security Manager client 1-9
Integrated Local Management Interface (ILMI) 13-33
Interactive Authentication Configuration dialog box I-74
interface
add and edit 14-6
duplex K-49
IP type
ASA and PIX 7+ 14-10
PIX 6.3 14-11
MAC address 14-12
management 14-5
media type 14-13
Interface Name Conflict dialog box F-57
Interface Notifications tab M-89
Interface Pair dialog box M-74
interface pairs
described M-74
Interface Pairs dialog box
described M-74
Interface Properties dialog box B-14
Interface Role Contents dialog box I-66
interface role objects
creating 8-34
defining subinterfaces 8-35
distinguishing from interfaces 8-35
exceptional cases 8-35
Interface Name Conflict dialog box F-57
Interface Role dialog box F-56
specifying during policy definition 8-35
understanding 8-33
interfaces
ASA 5505 K-45
add/edit K-30
ASA devices K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
PPPoE Users K-39, K-40
VPDN Groups K-38
Catalyst switches and 7600 Series routers
Access Port Selector dialog box L-6
Create and Edit Interface dialog boxes-Access Port mode L-12
Create and Edit Interface dialog boxes-Dynamic Port mode L-21
Create and Edit Interface dialog boxes-Other mode L-27
Create and Edit Interface dialog boxes-Routed Port mode L-15
Create and Edit Interface dialog boxes-subinterfaces L-25
Create and Edit Interface dialog boxes-Trunk Port mode L-17
Create and Edit VLAN dialog boxes L-4
Create and Edit VLAN Group dialog boxes L-8
defining ports 15-3
deleting ports 15-4
generating names 15-4
Interfaces/VLANs page L-2
Interfaces/VLANs page-Interfaces tab L-10
Interfaces/VLANs page-Summary tab L-29
Interfaces/VLANs page-VLAN Groups tab L-7
Interfaces/VLANs page-VLANs tab L-3
Service Module Slot Selector dialog box L-9
Trunk Port Selector dialog box L-7
understanding 15-2
VLAN Selector dialog box L-10
checklist for configuring multiple contexts 14-83
Cisco IOS routers
Advanced Interface Settings dialog box J-18
Advanced Interface Settings page J-17
available types 13-13
Create Router Interface dialog box J-12
defining advanced settings 13-18
defining basic settings 13-15
defining CEF interface settings 13-22
defining IPS module settings 13-21
deleting from 13-17
generating names 13-16
Interface Auto Name Generator dialog box J-17
overview 13-13
Router Interfaces page J-11
understanding helper addresses 13-19
contexts 14-5
distinguishing from interface roles 8-35
failover
FWSM K-82
MAC address K-90
PIX/ASA K-89
PIX 6.3 K-77
FWSM K-40
add/edit K-42
PIX/ASA K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
PPPoE Users K-39, K-40
VPDN Groups K-38
PIX/ASA/FWSM
configuring 14-2
DDNS update rules K-110
DNS look-up K-108
enabling traffic between same security levels 14-14, 14-15
management access K-69
managing the PPPoE users list 14-15
managing VPDN groups 14-16
troubleshooting 14-17
understanding 14-2
PIX 6.3
add/edit K-34
PIX Firewall K-23
about adding/editing K-25
add/edit K-26
advanced settings K-37
PPPoE Users K-39, K-40
VPDN Groups K-38
redundant 14-4
routed and transparent 14-4
specifying during policy definition 8-35
specifying subinterfaces 8-35
throughput delay J-20
Interface Selector dialog box (VLAN ACL Content) L-38
Interfaces page M-71
Interfaces pane
described M-71
Internal Zone tab M-52
inventory
deleting devices from 5-25
export devices
DCR, CS-MARS, Security Manager formats 5-26
overview 5-26
using command line utility 5-28
inventory, device
adding devices 5-7
adding devices from configuration files 5-10
adding devices from inventory file 5-12
adding devices from network 5-8
adding devices manually 5-11
managing 5-1
testing device connectivity 5-16
understanding 5-1
understanding contents 5-3
user interface reference C-1
viewing inventory status 5-25
working with 5-7
inventory report
status window C-39
Inventory Status
event monitoring 20-12
Inventory Status command 2-10
Inventory Status window C-39
and Performance Monitor 20-7
Inverse ARP J-46
inverse multiplexing over ATM (IMA) J-35
IOS devices
remote access IPSec VPNs
user group policies 10-42
remote access IPsec VPNs
creating using wizard 10-10
user group policies 10-41
remote access SSL VPNs
advanced settings 10-61
configuring 10-58
configuring bookmarks 8-84
configuring WINS servers for file system access 8-89
Context Editor dialog box (IOS) H-120
creating using wizard 10-8
portal page 10-60
secure desktop manager policies 10-26
secure desktop software 10-61
remote access VPNs
Context Editor dialog box (IOS) H-116, H-118, H-119
Dynamic VTI/VRF Aware IPsec settings H-89
general settings 10-59
high availability H-79
IPsec proposals H-85
SSL VPN policies H-115
user group policies H-93
SDM 20-2
IOS IPS
description of 12-20
preparation of router 12-21
support of minor revisions 12-20
IOS IPS configuration 12-1
IOS IPS general settings 12-21
IOS IPS interface rules 12-22
IOS IPS limitations and restrictions 12-20
IOS IPS management 12-1
IOS IPS policies 12-19
IOS IPS signature policies 12-21
IOS IPS signature sets 12-21
IOS Software R