User Guide for Cisco Security Manager 4.0.1
Index


Numerics

12.1 and 12.2

managing routers 51-2

3DES encryption algorithm

cluster load balancing

using FQDNs 26-18

in IKE proposals 22-2

802.1x

802.1x Policy page 54-5

defining policies 54-4

interface authorization states 54-2

on Cisco IOS routers 54-1

supported topologies 54-3

understanding device roles 54-2

A

AAA

accounting 26-2

authorization 26-2

Cisco IOS routers

AAA Policy page 53-6

Accounting tab 53-10

Authentication tab 53-6

Authorization tab 53-7

Command Accounting dialog box 53-12

Command Authorization dialog box 53-9

defining services 53-4

overview 53-2

supported accounting types 53-3

supported authorization types 53-2

understanding method lists 53-3

configuring access control for IPS 30-19

configuring on firewall devices 39-19

credentials for device access 3-4

defining policies 39-22

device administration 39-22

local fallback 39-21

network access 39-22

PIX/ASA/FWSM 50-36

Accounting tab 50-38

Authentication tab 50-37

Authorization tab 50-38

support 39-20

understanding 39-19

user authentication 26-2

VPN access 39-22

AAA authentication groups

predefined 6-23

AAA firewall

MAC exempt lists 13-20

AAA Firewall page

Advanced Setting tab 13-16

AAA firewall policy

advanced settings 13-16

configuring 13-5

AAA rules

AAA Rules page 13-9

ACL naming conventions 12-5

combining rules

example 12-23

interpreting results 12-21

procedure 12-19

configuring AAA firewall settings (PIX/ASA/FWSM) 13-5

configuring AuthProxy settings (IOS) 13-8

configuring for ASA/PIX/FWSM devices 13-4

configuring for IOS devices 13-7

configuring in Map view 29-22

configuring settings

for IOS devices in Map view 29-23

for PIX/ASA/FWSM in Map view 29-23

deleting 12-8

disabling 12-17

editing 12-9

enabling 12-17

managing 13-1

moving 12-16

preserving ACL names 12-4

properties 13-11

understanding 13-1

understanding how users authenticate 13-2

understanding NAT effects 12-3

understanding processing order 12-2

AAA Rules page 13-9

AAA server group objects

attributes 6-38

creating 6-37

default server groups on IOS devices 6-24

predefined authentication groups 6-23

understanding 6-20

AAA server objects

creating 6-25

HTTP-FORM settings 6-35

Kerberos settings 6-31

LDAP settings 6-32

NT settings 6-34

RADIUS settings 6-28

SDI settings 6-34

supported additional types for ASA/PIX/FWSM 6-21

supported types 6-21

TACACS+ settings 6-30

understanding 6-20

AAA servers

external servers 26-2

supported types on ASA, PIX, FWSM devices 6-21

Abort the Job dialog box 8-48

About Security Manager command 1-28

ABR

definition 46-2

access control list objects

creating 6-40

extended objects 6-41

standard objects 6-43

web objects 6-44

access control lists

GET VPN security policies 25-10

policy discovery 5-15

access control lists (ACLs)

names preserved during discovery 12-4

naming conventions 12-5

resolving naming conflicts 12-6

access controls

configuring ACL names 14-16

configuring settings 14-16

configuring settings in Map view 29-23

Access Control Settings page 14-17

Access Group tab (IGMP) 45-5

Access Interface Configuration dialog box (ASA) 27-87

Access page (ASA) 27-2

access permissions

maps 29-8

access policies

configuring 26-45

access ports

Create and Edit Interface dialog boxes-Access Port mode 58-9

understanding 58-5

access rule

look up

from device managers 60-6

access rules

access control settings 14-17, 14-19

Access Rules page 14-8

ACL naming conventions 12-5

address requirements 14-5

Advanced dialog box 14-13

combining rules

example 12-23

interpreting results 12-21

procedure 12-19

configuring 14-7

configuring access control settings 14-16

configuring in Map view 29-22

controlling non-IP layer-2 traffic 19-1

deleting 12-8

disabling 12-17

Edit Firewall Rule Expiration dialog box 14-15

editing 12-9

enabling 12-17

examples of event analysis

user access to server blocked 59-45

expiration dates 14-16

finding from CS-MARS events 60-23

finding from Event Viewer events 59-43

generating analysis reports 14-21

hit counts

analyzing results 14-26

generating 14-23

how deployed 14-5

import examples 14-32

importing 14-28

IPS blocking, effect of 37-4

managing 14-1

moving 12-16

optimizing during deployment 14-34

packet tracer, analyzing with 60-1

preserving ACL names 12-4

rule attributes 14-11

sharing ACLs among interfaces 11-10

syslog messages supported for look-up 60-24

understanding 14-1

understanding device-specific behavior 14-4

understanding global 14-3

understanding NAT effects 12-3

understanding processing order 12-2

understanding requirements when using inspection 15-4

viewing related CS-MARS events 60-20

Access Rules page 14-8

accounts and credentials

Cisco IOS routers

overview 53-13

PIX/ASA/FWSM

user accounts 42-6

user accounts, add/edit 42-7

accounts and credentials policies

Accounts and Credentials Policy page 53-15

User Accounts dialog box 53-17

ACLs

configuring names 14-16

ACS user authorization

configuring notifications when unavailable 1-19

how permissions affect what you can do 1-9

Active/Active failover

about 41-2

command replication 41-3

configuration synchronization 41-3

Active/Standby failover 41-2

activities

accessing functions 4-7

Activity Manager window 4-8

Approved state 4-4

approving 4-2, 4-16

benefits of 4-2

closing 4-12

creating 4-10

discarding 4-17

Edit state 4-4

locking 4-3

managing 4-1

multiple users 4-4

opening 4-11

overview 1-11

rejecting 4-16

responding to the Activity Required dialog box 4-11

states 4-4

Submitted state 4-4

submitting for approval 4-15

understanding 4-1

validating 4-14

viewing change reports 4-12

viewing status and history 4-18

working with 4-6

Activities menu 1-27

Activity Manager command 1-26

Activity Manager window 4-8

Activity Required dialog box 4-11

Add/Edit AnyConnect Client Image dialog box (ASA) 27-101

Add/Edit AnyConnect Client Profile dialog box (ASA) 27-101

Add/Edit Collector dialog box 44-2

Add/Edit Connection Profile dialog box

SSL tab

Add/Edit Connection Alias dialog box 27-32

Add/Edit Connection URL dialog box 27-32

Add/Edit Content Rewrite dialog box (ASA) 27-91

Add/Edit DAP Entry Dialog Box > Device 27-48

Add/Edit File Encoding dialog box (ASA) 27-93

Add/Edit Multicast Route dialog box 45-8, 45-10

description 45-9

Add/Edit PIM Neighbor Filter dialog box 45-13

Add/Edit Plug-in Entry dialog box (ASA) 27-99

Add/Edit Proxy Bypass dialog box (ASA) 27-97

Add AAA Rule dialog box 13-11

Add AAA Server dialog box 6-26

Add AAA Server Group dialog box 6-38

Add Access List dialog box (Allowed Hosts policy) 30-7

Add an Entry dialog box 33-26

Add AOL Class Map dialog box 15-22, 18-17

Add A Port Forwarding Entry dialog box 28-43

Add ASA Group Policies dialog box

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

overview 28-1

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

Technology settings 28-1

Add A Smart Tunnel Entry dialog box 28-66

Add Auto Signon Rules dialog box 28-17

Add Cat6k Block Vlan dialog box 37-17

Add Certificate dialog box 11-15

Add Certificate Filter dialog box 21-52

Add Cisco Secure Desktop Configuration dialog box 28-21

Add Client Access Rules dialog box 28-10

Add Client Update dialog box 28-76

Add Column dialog box 28-60

Add Custom Pane dialog box 28-60

Add Custom Signature dialog box 33-12

Add DCE/RPC Map dialog box 15-23

Add Destinations dialog box 12-10

Add Device from Network wizard

Device Credentials page 3-38

Add Devices to Group command 1-22

Add Devices to Group dialog box 3-56

Add DNS Class Map dialog box 15-22

Add DNS Map dialog box

Filtering tab 15-26

overview 15-24

Protocol Conformance tab 15-26

Add eDonkey Class Map dialog box 15-22, 18-17

Add ESMTP Map dialog box 15-30

Add Extended Access Control Entry dialog box 6-47

Add Extended Access List dialog box 6-45

Add External Filter dialog box 18-39

Add FastTrack Class Map dialog box 15-22, 18-17

Add File Object dialog box 28-24

Add Firewall Rule dialog box 14-11

Add FlexConfig dialog box 7-27

Add FTP Class Map dialog box 15-22

Add FTP Map dialog box 15-33

Add Gnutella Class Map dialog box 15-22, 18-17

Add Group dialog box 3-55

Add Group Member dialog box 25-19

Add GTP Map dialog box 15-36

Add H.323 Class Map dialog box 15-22, 18-17

Add H.323 Map dialog box 15-41, 18-32

Add HSI Endpoint IP Address dialog box 15-43

Add HSI Group dialog box 15-43

Add HTTP Class Map dialog box 15-22, 18-17

Add HTTP Map dialog box 18-32

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab 15-48

Extension Request Method tab 15-50

General tab 15-47

overview 15-45

Port Misuse tab 15-51

RFC Request Method tab 15-49

Transfer Encoding tab 15-52

ASA 7.2+ and PIX 7.2+ devices 15-53

Add ICQ Class Map dialog box 15-22, 18-17

Add IKE Proposal dialog box 28-26

Add IMAP Class Map dialog box 15-22, 18-17

Add IMAP Map dialog box 18-32

Add IM Class Map dialog box 15-22

Add IM Map dialog box 18-32

ASA and PIX device 15-59

IOS device 15-62

Add Inspect/Application FW Rule wizard

Address and Port page 15-11

Inspected Protocol page 15-14

Match Traffic page 15-10

Add Inspect Parameter Map dialog box 18-28

Add Interfaces dialog box 12-11

Add Interface Specific Authentication Server Groups dialog box 27-24

Add Interface Specific Client Address Pools dialog box 27-21

Add IP Options Map dialog box 15-64

Add IPsec Pass Through Map dialog box 15-65

Add IPSec Transform Set dialog box 28-28

Add Kazaa2 Class Map dialog box 15-22, 18-17

Add Key Server dialog box 25-19

Add Language dialog box 28-54

Add LDAP Attribute Map dialog box 28-31

Add LDAP Attribute Map Value dialog box 28-32

Add Link command 1-25

Add Link dialog box 29-20

Add Local Rules command 1-24

Add Local Web Filter Class Map dialog box 15-22, 18-17

Add Local Web Filter Parameter Map dialog box 18-36

Add Map Object command 1-25

Add Map Object dialog box 29-17

Add Map Value dialog box 28-33

Add Match Condition and Action dialog box

DNS policy maps 15-27

ESMTP policy maps 15-31

FTP policy maps 15-34

GTP policy maps 15-39

H.323 (IOS) policy maps 18-33

H.323 policy maps 15-44

HTTP (Zone Based IOS) policy maps 18-33

HTTP policy maps 15-55

IM (Zone Based IOS) policy maps 18-33

IMAP policy maps 18-33

IM policy maps 15-60

P2P policy maps 18-33

POP3 policy maps 18-33

SIP (IOS) policy maps 18-33

SIP policy maps 15-69

Skinny policy maps 15-74

SMTP policy maps 18-33

Sun RPC policy maps 18-33

Web Filter policy maps 18-33

Add Match Criterion dialog box

AOL class maps 18-19

DNS class maps 15-27

eDonkey class maps 18-19

FastTrack class maps 18-19

FTP class maps 15-34

Gnutella class maps 18-19

H.323 (IOS) class maps 18-20

H.323 class maps 15-44

HTTP (IOS) class maps 18-20

HTTP class maps 15-55

ICQ class maps 18-19

IMAP class maps 18-22

IM class maps 15-60

Kazaa2 class maps 18-19

Local Web Filter class maps 18-27

MSN Messenger class maps 18-19

N2H2 class maps 18-28

POP3 class maps 18-22

SIP (IOS) class maps 18-23

SIP class maps 15-69

SMTP class maps 18-24

Sun RPC class maps 18-27

Websense class maps 18-28

Windows Messenger class maps 18-19

Yahoo Messenger class maps 18-19

Add MSN Messenger Class Map dialog box 15-22, 18-17

Add N2H2 Parameter Map dialog box 18-37

Add N2H2 Web Filter Class Map dialog box 15-22, 18-17

Add NAT Rule dialog box

ASA 8.3+ 20-35

Add NetBIOS Map dialog box 15-66

Add Network/Host dialog box

General tab 6-65

NAT tab 20-38

Add New Device wizard

Device Credentials page 3-38

Add New Security Association dialog box 21-52

Add or Edit Status Providers dialog box 11-36

Add Other Devices dialog box 8-51

Add P2P Map dialog box 18-32

Add Permit Response dialog box 15-38

Add PIX/ASA/FWSM Web Filter Rule dialog box 16-5

Add PKI Enrollment dialog box

CA Information tab 28-35

Certificate Subject Name tab 28-40

Enrollment Parameters tab 28-39

overview 28-33

Trusted CA Hierarchy tab 28-42

Add POP3 Class Map dialog box 15-22, 18-17

Add Port Forwarding List dialog box 28-42

Add Port List dialog box 6-71

Add Protocol Info Parameter Map dialog box 18-31

Add Regular Expression dialog box 15-77

Add Regular Expression Group dialog box 15-76

Address Pools

PIX/ASA/FWSM 20-17

add/edit 20-18

address pools

overriding in connection profiles 26-7

Add Row command 1-23

Add Rule Section dialog box 12-18

Add Secondary Interface Specific Authentication Server Groups dialog box 27-24

Add Server dialog box

Protocol Info Parameter maps 18-32

Add Service dialog box 6-72

Add Services dialog box 12-11

Add Single Sign On Server dialog boxes 28-44

Add SIP Class Map dialog box 15-22, 18-17

Add SIP Map dialog box 15-67, 18-32

Add Skinny Map dialog box 15-73

Add SLA Monitor dialog box 42-9

Add Smart Tunnel Lists dialog box 28-65

Add SMTP Class Map dialog box 15-22, 18-17

Add SMTP Map dialog box 18-32

Add SNMP Map dialog box 15-75

Add Sources dialog box 12-10

Add SSL VPN Customization dialog box 28-49

Applications 28-58

Copyright Panel 28-56

Custom Panes 28-59

Full Customization 28-57

Home Page 28-61

Informational Panel 28-56

Language 28-53

Logon Form 28-55

Logout Page 28-62

Title Panel 28-52

Toolbar 28-58

Add SSL VPN Gateway dialog box 28-63

Add Standard Access Control Entry dialog box 6-49

Add Standard Access List dialog box 6-45

Add Sun RPC Class Map dialog box 15-22, 18-17

Add Sun RPC Map dialog box 18-32

Add TCP Map dialog box 48-17

Add TCP Option Range Dialog Box 48-19

Add Text Object dialog box 7-29

Add Time Range dialog box 6-53

Add Traffic Flow dialog box 48-13

Add Transparent Firewall Rule dialog box 19-5

Add Trend Content Filter Class Map dialog box 15-22, 18-17

Add Trend Parameter Map dialog box 18-40

Add URL Domain Name dialog box 18-43

Add URLF Glob Parameter Map dialog box 18-43

Add URL Filter Parameter Map dialog box 18-41

Add User dialog box 30-17

Add User Group dialog box

Advanced PIX 6.3 settings 28-77

Browser Proxy settings 28-83

Client (IOS) settings 28-73

Clientless settings 28-78

Client VPN Software Update (IOS) settings 28-76

DNS/WINS settings 28-72

General settings 28-70

IOS Xauth Options settings 28-75

overview 28-68

Split Tunneling settings (Easy VPN/remote access IPSec VPN) 28-72

SSL VPN Connection settings 28-84

SSL VPN Full Tunnel settings 28-79

SSL VPN Split Tunneling settings 28-81

Technology settings 28-68

Thin Client settings 28-79

Add User Profile dialog box 37-12

Add Virtual Sensor dialog box 32-7, 32-8

Add Web Access Control Entry dialog box 6-51

Add Web Filter Map dialog box 18-45

Add WebSense Parameter Map dialog box 18-37

Add Websense Web Filter Class Map dialog box 15-22, 18-17

Add Web Type Access List dialog box 6-45

Add Windows Messenger Class Map dialog box 15-22, 18-17

Add WINS Server dialog box 28-85

Add WINS Server List dialog box 28-84

Add Yahoo Messenger Class Map dialog box 15-22, 18-17

Add Zones dialog box 12-11

admin context 49-1

administration

selecting policies to manage 5-10

administrative settings, configuring 11-1

admin password, changing 10-15

ADSL

ADSL Policy page 52-37

ADSL Settings dialog box 52-38

defining settings 52-35

supported operating modes 52-34

ADSL policies

unable to deploy 9-14

Advanced dialog box

access rules 14-13

Advanced Interface Settings

PIX/ASA 50-17

Advanced NAT Options

PIX/ASA/FWSM

add/edit 20-28

Advanced tab (ASA) 27-102

AES encryption algorithm

in IKE proposals 22-2

AIM-IPS interfaces

IPS Module Interface Settings page 52-23

AIP-SSM/SSC

ASA 48-12

Alarm Indication Signal (AIS) cells 52-50

allowed hosts, configuring for IPS 30-7

Allowed Hosts policy 30-7

Analysis Engine global variables

configuring 30-26

analysis reports

generating 14-21

anomaly detection

configuring 35-6

configuring histograms 35-10

configuring learning accept mode 35-8

configuring signatures 35-4

configuring thresholds 35-10

managing 35-1

modes 35-2

understanding 35-1

understanding histograms 35-9

understanding thresholds 35-9

understanding worms 35-2

when to turn off 35-4

zones

overview 35-3

anti-spoofing 47-2

AOL class map objects

creating 18-15

match criteria 18-19

Apply IPS Update command 1-26

Apply IPS Update wizard 10-9

Approve Activity command 1-28

Approve Activity dialog box 4-16

Approved activity state 4-4

Approve Deployment Job dialog box 8-19, 8-37

Area Border Router

See ABR 46-2

ARP

PIX/ASA/FWSM

configuration 50-31

inspection 50-31

inspection, enable/disable 50-32

table 50-30

ARP table

static entry 50-30, 50-31

ASA

ASDM 60-5

Failover

Add Failover Group 41-20

interface configuration 41-22

settings 41-18

failover 41-16

IPS modules 48-12

policy discovery 5-13

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rollback restrictions for failover devices 8-58

rollback restrictions for multiple context mode 8-58

security contexts

allocate interfaces 49-8

configuration 49-7

viewing allocated interfaces 49-9

setting up AUS or CNS 2-8

setting up SSL (HTTPS) 2-3

TCP State Bypass 48-3

ASA 5505

ports and interfaces 39-5

ASA 8.3+

NAT policies

Add/Edit NAT rules dialog boxes 20-35

Translation Rules page 20-32

ASA Cluster Load Balance page 27-17

ASA devices

5505

interfaces, add/edit 50-10

interfaces and ports 50-25

port configuration 50-28

AAA support 6-21

adding or changing modules 3-33

adding SSL thumbprints manually 9-4

configuring for event management 59-26

configuring transparent firewall rules 19-1

defining

DNS server IP address 26-16

Easy VPNs

connection profiles 24-11

enabling

DNS lookups 26-16

FlexConfig object samples 7-18

global access rules 14-3

interfaces 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPND Groups 50-18

licenses 2-11

models supported

VPN cluster load balancing 26-18

monitoring service level agreements 42-7

object group search 14-19

outside IP addresses

associated with DNS entry 26-16

packet tracer, using 60-1

PIX/ASA/FWSM Platform policies 50-1

remote access IPSec VPNs

access policies 26-45

remote access IPsec VPNs

creating using wizard 26-12, 26-14

other settings 26-46

shared license client 26-59

shared license server 26-59

remote access SSL VPNs

access settings 26-44, 26-58

browser plug-ins 26-53, 26-55

client settings 26-56, 26-57

content rewrite rules 26-48

encoding rules 26-50

encoding settings 26-49

performance settings 26-47

proxies 26-51

proxy bypass rules 26-51

proxy bypass settings 26-51

remote access VPNs

access policies (ASA) 27-85, 27-87

advanced settings (ASA) 27-102

AnyConnect client image settings (ASA) 27-101

AnyConnect client profile settings (ASA) 27-101

browser plug-ins (ASA) 27-98, 27-99

certificate to connection profile map policies 26-34, 26-35

certificate to connection profile map rules 26-35, 26-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) 27-70

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) 27-69

Certificate to Connection Profile Maps > Policies page 27-67

Certificate to Connection Profile Maps > Rules page 27-68

client settings (ASA) 27-99

cluster load balancing 26-16, 26-17, 27-17

configuring bookmarks 26-68

configuring portal appearance 26-63

configuring WINS servers for file system access 26-73

connection profiles 26-18, 27-18

content rewrite settings (ASA) 27-90, 27-91

customizing 26-63

dynamic access policies 26-19, 26-20

dynamic access policy (DAP) attributes 26-22, 26-25

Dynamic Access policy page (ASA) 27-33

encoding settings (ASA) 27-91, 27-93

fragmentation settings 27-64

Global Settings page 27-60

group policies 26-31, 27-66

IKE proposals 27-73

IPsec proposals 27-74, 27-75

ISAKMP/IPsec settings 27-60

NAT settings 27-63

other settings (ASA) 27-88

performance settings (ASA) 27-88

post URL method and macro substitutions in bookmarks 26-70

proxy bypass settings (ASA) 27-97

proxy settings (ASA) 27-94

Public Key Infrastructure (PKI) 27-66

secure desktop manager policies 26-26

shared license 27-103

smart tunnels 26-71

selecting for Event Viewer 59-23

selecting policy types to manage 5-10

SSL certificate configuration 11-14

supported OS versions

redirection using FQDNs 26-17

VPN cluster load balancing

3DES/AES license 26-18

overview 26-16

ASA group policies objects

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

technology settings 28-1

ASBR

definition 46-2

ASCII limitations for text 1-34

ASDM

access rule look-up 60-7

device manager 60-5

ASR

zone-based firewall

global parameters 18-48

restrictions 18-3

assignment overview 1-11

Assignments tab, Policy view 5-50

Assign Shared Policy command 1-24

Assign Shared Policy dialog box 5-40

Asymmetric Digital Subscriber Line (ADSL)

on Cisco IOS routers 52-34

Asynchronous Transfer Mode (ATM) 52-46

ATM 52-46

virtual channel connections (VCCs) 52-47

virtual channel identifier (VCI) 52-47

virtual path connections (VPCs) 52-47

virtual path identifier (VPI) 52-47

Attack Response Controller 37-1

attacks

broadcast 15-4

Denial of Service (DoS) 15-5

spoofing 15-4

SYN flooding 15-5

audit logs

configuring default settings 11-31

purging entries 10-14

understanding 10-11

working with 10-11

Audit Message Detail dialog box 10-12

Audit Report command 1-27

audit reports

generating and viewing 10-12

understanding 10-11

working with 10-11

Audit Report window 10-12

AUS

deploying configurations 8-39

deployment method 8-10

setting up 2-7

setting up on PIX Firewall and ASA devices 2-8

authentication

routing protocols 46-2

Authentication-Authorization-Accounting

See AAA 39-19

Authentication Header (AH) encryption algorithm 28-31

authentication methods

in IKE proposals 22-3

preshared keys 22-3

RSA signatures 22-3

authentication testing

SSH 2-5

authorization proxy (AuthProxy)

configuring AAA rules 13-7

AuthProxy

configuring settings in Map view 29-23

AuthProxy dialog box 13-15

AuthProxy page 13-22

AuthProxy settings policy

configuring 13-8

autolink

omitting reserved networks from maps 11-2

auto signon rules

ASA group policy objects 28-17

Auto Update Server (AUS)

adding 3-29

licensing 10-3

PIX/ASA/FWSM 43-1

add/edit server 43-3

troubleshooting deployment 9-17

Auto Update Server Properties dialog box 3-31

Available Bit Rate (ABR) 52-47

Available Servers dialog box 3-32

B

background image, map

deleting 29-13

importing 29-13

scale and position 29-13

setting 29-13

backup

event data store 59-24

backup.pl command 10-16

Backup command 1-27

backups, Security Manager database 10-16

Banner

PIX/ASA/FWSM 50-40

banners

configuring on firewall devices 39-24

benefits of product 1-2

BGP routing

BGP Routing Policy page 57-4

defining routes 57-2

Neighbors dialog box 57-6

on Cisco IOS routers 57-1

redistributing routes 57-3

Redistribution Mapping dialog box 57-7

Redistribution tab 57-6

Setup tab 57-4

Bidirectional Neighbor Filter 45-14

Bidirectional Neighbor Filter tab

PIM 45-14

blocking, IPS

configuring 37-7

configuring ARC 37-1

configuring blocking devices 37-14

configuring master blocking sensors 37-13

configuring never block hosts and networks 37-18

configuring router blocking interfaces 37-16

configuring user profiles 37-12

configuring VLAN blocking interfaces 37-17

general options 37-11

master blocking sensor 37-6

policy 37-8

rate limiting 37-4

router and switch blocking devices 37-4

strategies 37-3

understanding 37-1

Blocking page 37-8

Boot image/configuration

PIX/ASA/FWSM 50-41

add 50-42

boot image and configuration settings

configuring on firewall devices 39-24

bootstrap configuration

Failover 41-23

Botnet Traffic Filter Drop Rules Editor 17-13

botnet traffic filter rules

adding static entries 17-5

blocking blacklisted traffic 17-7

configuring DNS snooping 15-16

configuring in Map view 29-23

configuring the dynamic database 17-4

configuring with IPS global correlation 36-1

databases 17-1

Device Blacklist dialog box 17-15

Device Whitelist dialog box 17-15

Drop Rules Editor 17-13

Dynamic Blacklist Configuration tab 17-10

enabling DNS snooping 17-6

field definitions 17-9

illustrations 17-1

mitigating botnet activity 59-50

monitoring

activity using ASDM 59-50

activity using Event Viewer 59-48

overview 59-47

understanding botnet syslog events 59-47

overview 17-1

preserving ACL names 12-4

task flow 17-3

traffic classification 17-7

Traffic Classification dialog box 17-12

Traffic Classification tab 17-11

understanding 17-1

understanding NAT effects 12-3

understanding processing order 12-2

Whitelist/Blacklist tab 17-15

Bridge Groups

FWSM

add/edit 50-24

bridge groups

defining 53-19

FWSM 3.1 39-19

Bridging

PIX/ASA/FWSM 50-29

ARP configuration 50-31

ARP Inspection 50-31

ARP Inspection, enable/disable 50-32

ARP Table 50-30

MAC Address, add/edit 50-34

MAC Address Table 50-33

MAC Learning 50-34

MAC Learning, enable/disable 50-35

Management IP address 50-36

bridging

Cisco IOS routers

Bridge Group dialog box 53-21

Bridging Policy page 53-20

BVI interfaces 53-18

overview 53-18

configuring transparent firewall rules 19-1

PIX/ASA/FWSM

configuring on 39-17

broadcast attacks, preventing 15-4

broadcasts

enabling directed on routers 52-20

browser plug-ins

defining 26-55

understanding 26-53

bypass mode

configuring for IPS 31-12

C

CA server authentication methods

SCEP (Simple Certificate Enrollment Protocol) 22-27

Cat6k Device dialog box 37-14

Catalyst 6500/7600 devices

configuring FWSM in site-to-site VPNs 21-43

configuring SSH 2-6

default transport protocol 11-13

deployment 8-26

FlexConfig object samples 7-20

IPS blocking devices 37-4

policy discovery for FWSM 5-13

rollback restrictions 8-59

Catalyst 6500/7600 switches

including in deployment jobs 8-26

Catalyst devices

policy discovery 5-13

remote access VPNs

Dynamic VTI/VRF Aware IPsec settings 27-81

high availability 27-71

IPsec proposals 27-77

user group policies 27-84

VPNSM/VPN SPA settings 27-80

Catalyst platform policies

IDSM settings policy

Create and Edit IDSM Data Port VLANs dialog boxes 58-50

Create and Edit IDSM EtherChannel VLANs dialog boxes 58-49

IDSM Settings page 58-48

IDSM Slot-Port Selector dialog box 58-51

interfaces/VLANs policy

Access Port Selector dialog box 58-30

Create and Edit Interface dialog boxes-Access Port mode 58-9

Create and Edit Interface dialog boxes-Dynamic Port mode 58-18

Create and Edit Interface dialog boxes-Other mode 58-24

Create and Edit Interface dialog boxes-Routed Port mode 58-12

Create and Edit Interface dialog boxes-subinterfaces 58-22

Create and Edit Interface dialog boxes-Trunk Port mode 58-14

Create and Edit VLAN dialog boxes 58-29

Create and Edit VLAN Group dialog boxes 58-34

Interfaces tab 58-7

Service Module Slot Selector dialog box 58-35

Summary tab 58-3

Trunk Port Selector dialog box 58-31

VLAN Groups tab 58-33

VLAN Selector dialog box 58-36

VLANs tab 58-28

VLAN access lists policy

Create and Edit VLAN ACL Content dialog boxes 58-42

Create and Edit VLAN ACL dialog boxes 58-41

VLAN Access Lists page 58-39

Catalyst Summary Info command 1-26

Catalyst switches

configuring SSH 2-6

default transport protocol 11-13

showing modules, security contexts, and virtual sensors 3-46

Catalyst switches/7600 routers

troubleshooting deployment 9-15

Catalyst switches and 7600 devices

IDSM mode support 58-44

interface deployment failure 9-15

internal VLAN deployment failure 9-16

supported VTP modes 58-1

Catalyst switches and 7600 Series routers

access ports 58-5

Catalyst Summary Info page 58-2

defining IDSM Data Port VLANs 58-46

defining IDSM EtherChannel VLANs 58-45

defining ports 58-5

defining VACLs 58-37

defining VLAN groups 58-32

defining VLANs 58-26

deleting IDSM Data Port VLANs 58-48

deleting IDSM EtherChannel VLANs 58-46

deleting ports 58-7

deleting VACLs 58-39

deleting VLAN groups 58-33

deleting VLANs 58-27

discovering policies 58-1

generating interface names 58-6

IDSM settings 58-44

IDSM Settings page 58-48

interfaces 58-5

managing 58-1

routed ports 58-5

trunk ports 58-5

viewing interface and VLAN summary 58-3

VLAN Access Lists page 58-39

VLAN ACLs (VACLs) 58-36

VLAN groups 58-32

VLANs 58-25

Catalyst VPN Service Port Adapters (VSPAs)

configuring 21-38

Catalyst VPN Services Module (VPNSM)

configuring 21-38

configuring in remote access VPNs 26-40

Catalyst VPN Shared Port Adapter (VPN SPA)

configuring 21-38

configuring in remote access VPNs 26-40

categories

using 6-9

cautions

significance of i-liii

CDP

configuring mode for IPS 31-13

CEF Interface Settings dialog box 52-26

CEF interface settings policies 52-24

certificates, SSL

adding thumbprints manually 9-4

configuring default settings for how handled 11-14

certificate to connection profile map policies

configuring 26-35

understanding 26-34

certificate to connection profile map rules

configuring 26-36

understanding 26-35

Change Report dialog box 4-14

change reports

selecting session in non-Workflow mode 4-14

viewing 4-12

Change Reports command 1-27

Checkpoint migration

configuring object group search on ASA 8.3+ devices 14-19

Cisco 7600 Series routers

managing 58-1

Cisco Configuration Engine

troubleshooting device setup and deployment 9-18

Cisco Discovery Protocol (CDP)

enabling CDP on router interfaces 52-18

Cisco Express Forwarding (CEF)

CEF Interface Settings policy 52-25

CEF router interface settings policies 52-24

importance for QoS 56-2

Cisco IOS IPS

effect of load balancing 38-7

configuration files 38-3

configuration overview 38-3

configuring 38-1

configuring general settings 38-7

configuring interface rules 38-8

getting started 30-1

initial preparation of router 38-5

lightweight signature engines 38-2

limitations and restrictions 38-3

selecting signature category 38-6

understanding 38-1

understanding subsystems and revisions 38-2

Cisco IOS Routers

configuring IOS IPS 38-1

IPS blocking devices 37-4

Cisco IOS routers

802.1x 54-1

AAA 53-2

accounts and credentials 53-13

ADSL 52-34

advanced interface settings 52-13

available interface types 52-2

basic interface settings 52-1

BGP routing 57-1

CNS call-home mode 2-10

CNS event-bus mode 2-9

configuring SSH 2-6

CPU settings 53-25

default AAA server groups 6-24

deploying configurations using TMS 8-41

dialer interfaces 52-27

discovering policies 51-3

Domain Name System (DNS) 53-75

Dynamic Host Configuration Protocol (DHCP) 53-88

EIGRP routing 57-8

host and domain names 53-78

HTTP 53-28

interface deployment failure 9-14

IOS 12.1 and 12.2 51-2

licenses 2-12

line access 53-35

managing 51-1

memory settings 53-79

NAT 20-5

designating interfaces 20-6

dynamic rules 20-10

static rules 20-6

timeouts 20-13

NetFlow 55-1, 55-5, 55-12

Network Admission Control (NAC) 54-8

Network Time Protocol (NTP) 53-97

optional SSH settings 53-63

OSPF routing 57-19

permanent virtual connections (PVCs) 52-46

platform policies 51-1

Point-to-Point Protocol (PPP) 52-70

policy discovery 5-13

quality of service (QoS) 56-1

RIP routing 57-42

Secure Device Provisioning (SDP) 53-82

setting up SSL (HTTPS) 2-4

SHDSL 52-40

SNMP 53-67

static routing 57-50

syslog logging 55-1

time zone settings 53-22

transparent bridging 53-18

Cisco IOS Software

FlexConfig object samples 7-20

selecting policy types to manage 5-10

Cisco Secure Desktop configuration objects

creating 26-61

Cisco Security Management Suite server

logging into or exiting 1-15

Cisco Technical Assistance Center

creating diagnostic file 10-19

Cisco Trust Agent (CTA) 54-9

CiscoWorks Common Services

backing up and restoring Security Manager 10-16

logging into or exiting 1-15

CiscoWorks user authorization, effect on what you can do 1-9

Class-Based Policing 56-6

class maps

understanding 6-60

Clear Connection Configuration dialog box 13-19

CLI commands

FlexConfig objects 7-2

client connection characteristics

Client Connection Characteristics page 24-15

configuring policies for Easy VPN 24-12

clientless access mode 26-4

client settings

configuring 26-57

understanding 26-56

Clock

PIX/ASA/FWSM 50-42

clock

Cisco IOS routers

overview 53-22

configuring on firewall devices 39-25

clock settings

Cisco IOS routers

Clock Policy page 53-23

Clone Device command 1-22

Close Activity command 1-27

cluster load balancing

configuring 26-17

redirection using FQDNs

3DES/AES 26-18

ASA outside IP addresses 26-16

instead of IP addresses 26-17

OS versions supported 26-17

overview 26-16

reverse DNS lookup 26-16

understanding 26-16

CNS

call-home mode 2-10

deploying configurations 8-39

deployment method 8-10

event-bus mode 2-9

setting up on PIX Firewall and ASA devices 2-8

Combine Rules Selection Summary dialog box 12-21

commands

Activities menu 1-27

Edit menu 1-23

File menu 1-22

Help menu 1-28

Map menu 1-24

Policy menu 1-24

Tools menu 1-25

View menu 1-23

Common Services

licensing 10-3

communication, device

troubleshooting 9-7

configuration

initial Security Manager 1-17

understanding rollback 8-57

Configuration Archive

adding configurations from devices 8-52

overview 8-14

rolling back to archived configuration files 8-64

rolling back when deploying to file 8-65

settings 11-3

version viewer 8-54

viewing and comparing configuration versions 8-53

viewing transcripts 8-55

window 8-22

Configuration Archive command 1-27

Configuration Archive page 11-3

Configuration Engine

adding 3-29

CNS call-home mode 2-10

CNS event-bus mode 2-9

setting up 2-7

Configuration Engine Properties dialog box 3-31

configuration files

deploying in non-Workflow mode 8-27

deploying in Workflow mode 8-32, 8-37

deploying to 8-11

deploying to an AUS or CNS 8-39

deploying to a TMS 8-41

deployment process overview 8-1

factory-default configurations 39-1

previewing 8-42

redeploying to devices 8-46

rolling back after deploying to file 8-65

rolling back to archived configurations 8-64

rolling back to devices 8-62

selecting 1-35

web VPN policy discovery restrictions 3-7

configuration location, configuring for IOS IPS 38-7

configurations

adding to the Configuration Archive 8-52

avoiding out-of-band changes 8-45

detecting out-of-band changes 8-43

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rolling back 8-56

rolling back Catalyst 6500/7600 8-59

rolling back failover devices 8-58

rolling back IPS and IOS IPS 8-59

rolling back multiple context mode 8-58

understanding out-of-band changes 8-12

viewing and comparing 8-53

configuration session

selecting session for change reports 4-14

viewing change reports 4-12

configuration sessions

discarding 4-17

configuration views 1-5

Configure dialog box 15-18

Configure DNS dialog box 15-16

Configure ESMTP dialog box 15-16

Configure Fragments dialog box 15-17

Configure Hardware Ports

ASA 5505 50-28

Configure IMAP dialog box 15-17

Configure POP3 dialog box 15-17

Configure RPC dialog box 15-18

Configure SMTP dialog box 15-16

Config Version Viewer (Preview Configuration) dialog box 8-42

connection

PIX/ASA/FWSM

rules 48-5

rules wizard 48-6

tab 48-8

Connection Profile dialog box

AAA tab 27-21

General tab 27-19

IPSec tab 27-27

Secondary AAA tab 27-25

SSL tab 27-29

Connection Profile page (ASA) 27-3

connection profiles

configuring 26-18

configuring for Easy VPN 24-11

properties

AAA 27-21

general 27-19

IPSec 27-27

policy overview 27-18

secondary AAA 27-25

SSL 27-29

sharing among multiple ASAs 26-7

understanding 26-18

Connection Profiles page 27-18

Add/Edit Connection Profile dialog box

IPSec tab 27-29

SSL tab 27-29

Connection Profiles Policy page

Add/Edit Connection Profile dialog box

IPSec tab 27-27

connection timeout

device communication settings 11-13

connectivity, testing device 9-1

console

Cisco IOS routers

AAA tab 53-44

Accounting tab 53-47

Authentication tab 53-44

Authorization tab 53-45

Console Policy page 53-42

Setup tab 53-42

console port

Cisco IOS routers

defining AAA settings 53-37

defining setup parameters 53-35

Console timeout

PIX/ASA/FWSM 40-1

Constant Bit Rate (CBR) 52-48

contact credentials

configuring on firewall devices 39-26

contained modules

showing 3-46

content rewrite rules

defining 26-48

understanding 26-48

Content Rewrite tab (ASA) 27-90

Context-Based Access Control

choosing interfaces 15-3

configuring 15-5

preventing DoS attacks on IOS devices 15-5

selecting protocols 15-3

understanding 15-2

understanding access rule requirements 15-4

Context Editor dialog box (IOS) 27-105

contexts

see "security contexts" 49-1

continuity check (CC) cells 52-50

control plane (CP)

defining QoS on 56-13

policing on 56-9

Control Plane Policing 56-9

conventions i-liii

Copy command 1-23, 12-8

Copy Policies Between Devices command 1-24

Copy Policies wizard 5-30

CPU settings

defining utilization settings 53-25

overview 53-25

CPU Threshold

PIX/ASA/FWSM 50-44

CPU utilization

CPU Policy page 53-26

Create a Clone of Device dialog box 3-46

Create Activity dialog box 4-10

Create a Policy dialog box 5-50

Create Discovery Task dialog box 5-18

Create Filter dialog box 1-31

Create Overrides for Device dialog box 6-16

Create Text Object dialog box 7-29

Create VPN Topology wizard

Device Selection page 21-29

Edit Endpoints dialog box 21-31

Endpoints page 21-31

GET VPN Group Encryption page 21-49

GET VPN Peers page 21-54

High Availability page 21-46

Name and Technology page 21-28

overview 21-26

VPN Defaults page 21-55

credential objects

attributes 28-23

Credentials

PIX/ASA/FWSM 50-44

credentials

device manager validation 60-3

IPS module 3-15

service module 3-14

testing 9-1

understanding device 3-4

Credentials page

HTTPS port number

overriding with HTTP policy 3-39

Credentials page, device properties 3-38

crypto maps

dynamic 22-6

in IPsec proposals 22-6

static 22-6

CSDM Policy Editor dialog box 27-59

CS-MARS

access to Security Manager 60-16

comparing to other event managers 59-6

configuring servers 11-4

discovering or changing controller used by device 60-17

events

historical and real-time lookup 60-19

looking up 60-19

integrating with Security Manager 60-13

integration with Security Manager 60-14

looking up Security Manager policies based on events 60-23

NetFlow 60-26

query

troubleshooting 60-18

registering in Security Manager 60-16

supported log messages 60-24

viewing access rule events 60-20

viewing IPS signature events 60-22

CS-MARS page 11-4

CSMDiagnostics.zip

setting debug options 11-6

CSMDiagnostics.zip file, creating 10-19

CSM tab, Licensing page 11-27

Customize Desktop Settings page 11-5

Custom Protocol dialog box 15-18

Cut command 1-23, 12-8

D

database

backing up 10-16

backing up and restoring 10-16

restoring 10-18

DCE/RPC policy map objects

creating 15-19

properties 15-23

DCS.properties file

DCS.doSerialAccessForFWSMVCs property 9-16

DCS.FWSM.checkThreshold property 9-16

SSH settings 9-6

warning message expression properties 9-9

DDNS

PIX/ASA/FWSM 43-14

add interface rules 43-14

update methods 43-15

update methods, add/edit 43-16

dead-peer detection (DPD) 22-13

debugging

configuring debug levels 11-6

Debug Options page 11-6

defaults, configuring 11-1

Defaults page 27-16

Delete Device command 1-22

Delete Map command 1-25

Delete Map dialog box 29-10

Delete Row command 1-23

Denial of Service (DoS)

preventing in SMTP using zone based firewall 18-24

denial of service (DoS)

preventing using unicast reverse path forwarding (uRPF) 52-20

Denial of Service (DoS) attacks

configuring inspection settings to mitigate 15-80

preventing on IOS devices using inspection 15-5

Deploy command 1-22

Deploy Job dialog box 8-37

deployment

Add Other Devices dialog box 8-51

Auto Update Server 8-39

Catalyst 6500/7600 devices 8-26

changes not deployed when using schedules 8-49

changing device message severity level to ignore errors 9-9

changing FWSM multiple-context deployment to serial 9-16

Cisco Networking Services configuration engine 8-39

configuration files, to 8-11

configurations 8-27

configuring as a status provider 60-9

creating jobs in Workflow mode 8-33

creating or editing schedules 8-49

Deployment Manager window 8-15

device communication settings 9-4

devices, directly to 8-9

devices, through intermediate server 8-10

Edit Deploy Method dialog box 8-29

Edit Selected Deployment Method dialog box 8-29

errors

OS version mismatches 8-13

handling OS version mismatches 8-13

managing 8-1

methods 8-8

minimum memory errors for ASA 8.3+ 9-11

non-Workflow mode 8-3

optimizing access rules 14-34

out-of-band changes

avoiding 8-45

detecting and analyzing 8-43

understanding 8-12

process overview 8-1

rolling back archived configurations 8-64

rolling back configurations 8-56

rolling back configurations, Catalyst 6500/7600 8-59

rolling back configurations, command conflicts 8-61

rolling back configurations, commands to recover from failover misconfiguration 8-62

rolling back configurations, failover devices 8-58

rolling back configurations, IPS and IOS IPS devices 8-59

rolling back configurations, multiple context mode 8-58

rolling back configuration when deploying to file 8-65

rolling back to last deployed configuration 8-62

setting debug options 11-6

SSL handshake failure 2-2

suspending or resuming schedules 8-52

system settings 11-7

task flow

non-Workflow mode 8-4

Workflow mode 8-5

tips for successful jobs 8-26

TMS server 8-41

troubleshooting 9-1, 9-9

ADSL or PVC deployment failures 9-14

AUS problems 9-17

Catalyst interface settings 9-15

Catalyst internal VLANs 9-16

Catalyst switch and modules 9-15

Configuration Engine problems 9-18

Error Writing to Server messages 9-15

HTTP Response Code 500 messages 9-15

layer 2 interfaces 9-14

mixing deployment methods with routers and VPNs 9-13

router interface settings 9-14

routers 9-14

Security Manager cannot contact device 9-11

VPNs with routing processes 9-12

troubleshooting device communication 9-7

troubleshooting router connection failures 2-2

troubleshooting SSL certificate errors 9-4

troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 21-16

understanding 8-1

understanding configuration rollback 8-57

using a Cisco Networking Services (CNS) server 8-39

viewing device details 8-25

viewing job summary 8-25

viewing status and history for jobs and schedules 8-24

viewing transcripts 8-55

Warning - Partial VPN Deployment dialog box 8-30

Workflow mode 8-5, 8-32, 8-37

working with 8-24

Deployment—Create or Edit a Job dialog box 8-33

deployment jobs

aborting 8-48

approval 8-7

approving 8-37

creating and editing in non-Workflow mode 8-27

creating and editing in Workflow mode 8-33

Deployment Manager 8-15

discarding 8-39

including devices in 8-8

multiple users 8-8

redeploying 8-46

rejecting 8-37

states

non-Workflow mode 8-4

Workflow mode 8-6

submitting 8-36

viewing history 8-25

Deployment Manager

overview 8-14, 8-15

Deployment Manager command 1-26

Deployment Manager window 8-15

Deployment Schedules tab 8-19

Deployment Settings page 11-7

Deployment Status Details dialog box 8-30

Deployment Workflow Commentary dialog boxes 8-19

Deploy Saved Changes dialog box 8-27

DES encryption algorithm

in IKE proposals 22-2

Designated Router

PIX/ASA/FWSM 45-12

Destination Contents dialog box 12-12

Dest Port Map dialog box 35-12

device

AAA administration 39-22

export inventory 3-49

viewing inventory status 60-9

Device Access

FWSM

Resources, add/edit 42-3

PIX/ASA/FWSM 40-1

console timeout 40-1

host name 42-1

HTTP configuration 40-2

HTTP page 40-2

ICMP rules 40-3

ICMP rules, add/edit 40-4

Management Access interface 40-5

Secure Shell (SSH) 40-5

Secure Shell, add/edit host 40-6

Server Access 43-1

SNMP host access 40-11

SNMP page 40-8

SNMP Trap configuration 40-9

Telnet configuration 40-12

Telnet page 40-11

user accounts 42-6

user accounts, add/edit 42-7

device access policies

defining 53-14

Device Admin

FWSM

Resources 42-3

device administration policies

configuring on firewall devices 39-19

device authentication

adding SSL thumbprints manually 9-4

SSL certificate default configuration 11-14

Device Blacklist dialog box 17-15

device communication

changing device message severity level 9-9

managing settings 9-4

routers without K8/K9 crypto image 9-7

Security Manager cannot contact device after deployment 9-11

troubleshooting failures 9-7

Device Communication page 11-12

device communications

troubleshooting 9-1

device communication settings

connection timeout 11-13

retry count 11-13

socket read timeout 11-13

Device Connectivity Test dialog box 9-3

device credentials

understanding 3-4

Device Credentials page 3-38

Device Delete Validation dialog box 3-48

device groups 3-52, 3-55

adding or removing devices 3-56

creating group types 3-55

deleting groups or types 3-56

understanding 3-52

Device Groups page 3-41, 11-16

Device Information page - Add Device from File 3-26

Device Information page - Configuration File 3-18

Device Information page - Network 3-9

Device Information page - New Device 3-21

device inventory

exporting

DCR, CS-MARS, Security Manager formats 3-49

overview 3-49

using command line utility 3-50

managing 3-1

testing device connectivity 9-1

understanding 3-1

understanding contents 3-3

working with 3-29

device manager

access rule look up 60-6

ASDM 60-5

access rule look-up 60-7

credentials 60-3

IDM 60-4

PDM 60-4

prerequisites 60-5

SDM 60-5

access rule look-up 60-8

starting from Security Manager 60-3

troubleshooting 60-5

xdm-launcher.exe 60-5

Device Manager command 1-26

Device OS Management command 1-27

Device Properties

Credentials page 3-38

Device Groups page 3-41

General page 3-34

Policy Object Override pages

general reference 3-42

device properties

changes with policy effects 3-44

changing critical 3-42

image version changes with no policy effects 3-43

understanding 3-5

viewing or changing 3-34

Device Properties command 1-25

Device Properties page

creating object overrides 6-14

deleting overrides 6-17

overview 3-34

device response

to appear as an error message 9-9

devices

adding 3-6

adding configurations to the Configuration Archive 8-52

adding from configuration files 3-16

adding from inventory file 3-24

adding from network 3-8

adding local rules to shared policies 5-41

adding manually 3-20

adding or changing modules 3-33

assigning shared policies 5-40

avoiding out-of-band changes 8-45

changing critical properties 3-42

cloning or duplicating 3-46

communication requirements 2-1

communication settings and certificates 9-4

configuring ASA licenses 2-11

configuring IOS licenses 2-12

configuring local policies 5-29

copying policies between 5-30

copying shared policies 5-43

creating policy object overrides 6-14

deleting from inventory 3-47

deleting policy object overrides 6-17

deployment through intermediate server 8-10

deployment to 8-9

detecting out-of-band changes 8-43

discovering or changing CS-MARS controller 60-17

discovering policies 5-12

discovering policies on existing devices 5-15

dynamic IP addresses 3-29

image version changes with no policy effects 3-43

including in deployment jobs or schedules 8-8

including unmanaged or non-Cisco in a VPN 21-10

inheriting policy rules 5-42

managing operating system 3-52

maps

adding existing managed 29-15

adding new managed 29-15

displaying devices from Device View 29-16

displaying managed 29-15

removing managed 29-16

showing containment for Catalyst switches, ASA, PIX, IPS devices 29-16

modifying policy assignment 5-45

modifying shared policies 5-44

naming conventions 3-3

overview of monitoring 1-14

policy status icons 5-28

preparing for management 2-1

property changes with policy effects 3-44

redeploying configuration files to 8-46

redeploying configurations to replaced hardware 8-47

renaming policies 5-44

replacing policies 5-40

rolling back configurations 8-62, 8-64, 8-65

selecting in site-to-site VPNs 21-29

selecting multiple 1-29

sharing multiple policies 5-38

showing contained modules 3-46

system variables 7-7

testing connectivity 9-1

troubleshooting communication 9-7

troubleshooting communication and deployment 9-1

troubleshooting device discovery failures 3-7

unassigning policies 5-32

understanding out-of-band changes 8-12

unsharing policies 5-39

what counts as a device 3-3

device selector

filtering 1-30

Device Selector dialog box 1-29

Device Server Assignment dialog box 9-8

Device view

adding local rules to shared policies 5-41

assigning shared policies 5-40

configuring local policies 5-29

configuring VPN topologies 21-18

copying policies between devices 5-30

copying shared policies 5-43

inheriting policies 5-42

managing policies 5-27

modifying policy assignments 5-45

modifying shared policies 5-44

overview 1-6

policy banner 5-35

policy shortcut menu 5-36

policy status icons 5-28

renaming policies 5-44

sharing local policies 5-37

sharing multiple policies 5-38

unassigning policies 5-32

understanding basic policy management 5-28

understanding shared policies 5-34

unsharing policies 5-39

device view

understanding 3-1

Device View command 1-23

Device Whitelist dialog box 17-15

DHCP

Cisco IOS routers

defining address pools 53-92

defining policies 53-91

DHCP Database dialog box 53-95

DHCP Policy page 53-93

IP Pool dialog box 53-95

overview 53-88

understanding database agents 53-89

understanding option 82 53-90

understanding relay agents 53-89

understanding secured ARP 53-90

configuring passthrough for IOS devices 19-3

PIX/ASA/FWSM 43-8

add/edit servers 43-9

advanced configuration 43-10

configuring DHCP servers 43-7

server options 43-11

traffic blocked 9-14

DHCP relay

PIX/ASA/FWSM 43-5

add/edit agent 43-6

add/edit server 43-6

diagnostics

setting debug options 11-6

diagnostics file, creating 10-19

dial backup

configuring in Easy VPN 24-2

configuring in VPN 21-36

configuring VPN advanced settings 21-37

Dial Backup Settings dialog box 21-37

dialer interfaces

defining BRI properties 52-29

defining profiles 52-27

Dialer Physical Interface dialog box 52-32

Dialer Policy page 52-30

Dialer Profile dialog box 52-31

on Cisco IOS routers 52-27

Diffie-Hellman groups

in IKE proposals 22-3

Digital Subscriber Line (DSL) 52-34

digital subscriber line access multiplexer (DSLAM) 52-34

directed broadcasts

enabling 52-20

Disable/enable NAT rules 20-32

Discard Activity command 1-28

Discard Activity dialog box 4-17

Discard command 1-22

Discard Deployment Job dialog box 8-19

discovering

remote access VPNs 26-8

site-to-site VPNs 21-22

Discover Policies on Device command 1-24

Discover VPN Policies command 1-24

Discover VPN Policies wizard 21-22

discovery

default behavior settings 11-17

invalid certificate error 9-6

overview 1-11

security certificate error 9-4, 9-5

setting debug options 11-6

Discovery Settings page 11-17

Discovery Status dialog box 5-21

discovery task

frequently asked questions 5-25

starting 5-15

viewing status 5-20

disk space, monitoring event data store 59-24

Display Actual Size command 1-25

Distributed Traffic Shaping (DTS) 56-6

DMVPN (Dynamic Multipoint VPN)

advantages of using with GRE 23-11

configuring 23-11

configuring GRE modes 23-12

large scale DMVPNs

configuring 23-16

configuring server load balancing 23-17

overview 23-1, 23-9

spoke-to-spoke connections 23-10

supported platforms 21-8

understanding 23-9

DNS

configuring for inspection rules 15-16

PIX/ASA/FWSM

add/edit server group 43-12

add server 43-13

servers page 43-11

DNS class map objects

creating 15-19

match criteria 15-27

DNS policy map objects

creating 15-19

match conditions and actions 15-27

properties 15-24

DNS servers

configuring for IPS global correlation 30-22

DNS snooping 17-6

Dock Map View command 1-25

documentation

conventions i-liii

ordering i-liv

Domain Name System (DNS)

Cisco IOS routers

defining policies 53-76

DNS Policy page 53-77

IP Host dialog box 53-77

overview 53-75

do not ask warnings, resetting 11-5

DSLAM 52-34

duplex

interface 50-29

dynamic access policies

attributes 26-22, 26-25

configuring 26-20

understanding 26-19

dynamic access policies (DAP) 27-48

Dynamic Access Policy page

Add/Edit Dynamic Access Policy dialog box

Add/Edit DAP Entry dialog box 27-40

Add/Edit DAP Entry dialog box > AAA Attributes Cisco 27-42

Add/Edit DAP Entry dialog box > AAA Attributes LDAP 27-43

Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 27-44

Add/Edit DAP Entry dialog box > Anti-Spyware 27-45

Add/Edit DAP Entry dialog box > Anti-Virus 27-46

Add/Edit DAP Entry dialog box > Application 27-47

Add/Edit DAP Entry dialog box > File 27-49

Add/Edit DAP Entry dialog box > NAC 27-50

Add/Edit DAP Entry dialog box > Operating System 27-51

Add/Edit DAP Entry dialog box > Personal Firewall 27-51

Add/Edit DAP Entry dialog box > Policy 27-52

Add/Edit DAP Entry dialog box > Process 27-53

Add/Edit DAP Entry dialog box > Registry 27-54

Advanced Expressions tab 27-58

Logical Operators tab 27-55

Main tab 27-36

Dynamic Access Policy page (ASA) 27-33

Cisco Secure Desktop Manager Policy Editor dialog box 27-59

Dynamic Access Policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 27-35

Dynamic Blacklist Configuration tab 17-10

dynamic crypto maps 22-6

dynamic filter snooping (DNS)

enabling 15-16

Dynamic Multipoint VPN (DMVPN)

mandatory and optional policies 21-6

dynamic NAT

Cisco IOS routers 20-10

Dynamic Translation Rule

PIX/ASA/FWSM 20-21

add/edit 20-22

dynamic VTI

configuring in Easy VPN 24-2

in remote access VPNs 26-38

Dynamic VTI/VRF Aware IPsec settings tab 27-81

Dynamic VTI tab (site-to-site VPN) 24-9

E

Easy VPN

client connection characteristics 24-12

configuration overview 24-3

configuring dial backup 24-2

configuring dynamic VTI 24-2

configuring high availability 24-2

connection profile policies 24-11

connection profiles (ASA, PIX 7+) 27-18

Dynamic VTI tab 24-9

important configuration notes 24-4

IPsec Proposal page 24-6

IPsec Proposal tab 24-7

IPsec proposals 24-5

mandatory and optional policies 21-6

overview 24-1

supported platforms 21-8

understanding 24-1

user group policies 24-10

User Group Policy page 24-11

Edit AAA Option dialog box 13-15

Edit AAA Rule dialog box 13-11

Edit AAA Server dialog box 6-26

Edit AAA Server Group dialog box 6-38

Edit Actions dialog box 33-8

Edit activity state 4-4

Edit AOL Class Map dialog box 15-22, 18-17

Edit A Port Forwarding Entry dialog box 28-43

Edit ASA Group Policies dialog box

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

overview 28-1

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

technology settings 28-1

Edit A Smart Tunnel Entry dialog box 28-66

Edit Auto Signon Rules dialog box 28-17

Edit Auto Update Settings dialog box 11-26

Edit Category dialog box 12-12

Edit Cisco Secure Desktop Configuration dialog box 28-21

Edit Client Access Rules dialog box 28-10

Edit Client Update dialog box 28-76

Edit Column dialog box 28-60

Edit Custom Pane dialog box 28-60

Edit DCE/RPC Map dialog box 15-23

Edit Deploy Method dialog box 8-29

Edit Description dialog box 12-12

Edit Destinations dialog box 12-10

Edit Device Groups command 1-22

Edit Device Groups dialog box 3-54

Edit DNS Class Map dialog box 15-22

Edit DNS Map dialog box

Filtering tab 15-26

overview 15-24

Protocol Conformance tab 15-26

Edit eDonkey Class Map dialog box 15-22, 18-17

Edit Endpoints dialog box

FWSM tab 21-43

overview 21-31

Protected Networks tab 21-42

VPN Interface tab 21-32

VPNSM/VPN SPA/VSPA settings, VPN Interface tab 21-38

VRF Aware IPsec tab 21-44

Edit ESMTP Map dialog box 15-30

Edit Extended Access Control Entry dialog box 6-47

Edit Extended Access List dialog box 6-45

Edit External Filter dialog box 18-39

Edit FastTrack Class Map dialog box 15-22, 18-17

Edit Fidelity dialog box 33-9

Edit File Object dialog box 28-24

Edit Firewall Rule dialog box 14-11

Edit Firewall Rule Expiration dialog box 14-15

Edit FlexConfig dialog box 7-27

Edit FTP Class Map dialog box 15-22

Edit FTP Map dialog box 15-33

Edit Gnutella Class Map dialog box 15-22, 18-17

Edit Group Member dialog box 25-21

Edit GTP Map dialog box 15-36

Edit H.323 Class Map dialog box 15-22, 18-17

Edit H.323 Map dialog box 15-41, 18-32

Edit HSI Endpoint IP Address dialog box 15-43

Edit HSI Group dialog box 15-43

Edit HTTP Class Map dialog box 15-22, 18-17

Edit HTTP Map dialog box 18-32

ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices

Entity Length tab 15-48

Extension Request Method tab 15-50

General tab 15-47

overview 15-45

Port Misuse tab 15-51

RFC Request Method tab 15-49

Transfer Encoding tab 15-52

ASA 7.2+ and PIX 7.2+ devices 15-53

Edit ICQ Class Map dialog box 15-22, 18-17

Edit IKE Proposal dialog box 28-26

Edit IMAP Class Map dialog box 15-22, 18-17

Edit IMAP Map dialog box 18-32

Edit IM Class Map dialog box 15-22

Edit IM Map dialog box 18-32

ASA and PIX devices 15-59

IOS device 15-62

Edit Inspect/Application FW Rule wizard

Address and Port page 15-11

Inspected Protocol page 15-14

Match Traffic page 15-10

Edit Inspect Parameter Map dialog box 18-28

Edit Interfaces dialog box 12-11

Edit Interface Specific Authentication Server Groups dialog box 27-24

Edit Interface Specific Client Address Pools dialog box 27-21

Edit IP Options Map dialog box 15-64

Edit IPsec Pass Through Map dialog box 15-65

Edit IPSec Transform Set dialog box 28-28

Edit Kazaa2 Class Map dialog box 15-22, 18-17

Edit Key Server dialog box 25-19

Edit Language dialog box 28-54

Edit LDAP Attribute Map dialog box 28-31

Edit LDAP Attribute Map Value dialog box 28-32

Edit Load Balancing Parameters dialog box 23-17

Edit Local Web Filter Class Map dialog box 15-22, 18-17

Edit Local Web Filter Parameter Map dialog box 18-36

Edit Map Value dialog box 28-33

Edit Match Condition and Action dialog box

DNS policy maps 15-27

ESMTP policy maps 15-31

FTP policy maps 15-34

GTP policy maps 15-39

H.323 (IOS) policy maps 18-33

H.323 policy maps 15-44

HTTP (Zone Based IOS) policy maps 18-33

HTTP policy maps 15-55

IM (Zone Based IOS) policy maps 18-33

IMAP policy maps 18-33

IM policy maps 15-60

P2P policy maps 18-33

POP3 policy maps 18-33

SIP (IOS) policy maps 18-33

SIP policy maps 15-69

Skinny policy maps 15-74

SMTP policy maps 18-33

Sun RPC policy maps 18-33

Web Filter policy maps 18-33

Edit Match Criterion dialog box

AOL class maps 18-19

DNS class maps 15-27

eDonkey class maps 18-19

FastTrack class maps 18-19

FTP class maps 15-34

Gnutella class maps 18-19

H.323 (IOS) class maps 18-20

H.323 class maps 15-44

HTTP (IOS) class maps 18-20

HTTP class maps 15-55

ICQ class maps 18-19

IMAP class maps 18-22

IM class maps 15-60

Kazaa2 class maps 18-19

Local Web Filter class maps 18-27

MSN Messenger class maps 18-19

N2H2 class maps 18-28

POP3 class maps 18-22

SIP (IOS) class maps 18-23

SIP class maps 15-69

SMTP class maps 18-24

Sun RPC class maps 18-27

Websense class maps 18-28

Windows Messenger class maps 18-19

Yahoo Messenger class maps 18-19

Edit menu 1-23

Edit MSN Messenger Class Map dialog box 15-22, 18-17

Edit N2H2 Parameter Map dialog box 18-37

Edit N2H2 Web Filter Class Map dialog box 15-22, 18-17

Edit NAT Rule dialog box

ASA 8.3+ 20-35

Edit NetBIOS Map dialog box 15-66

Edit Network/Host dialog box

General tab 6-65

NAT tab 20-38

Edit Options dialog box 14-13

Edit P2P Map dialog box 18-32

Edit Permit Response dialog box 15-38

Edit PIX/ASA/FWSM Web Filter Rule dialog box 16-5

Edit PKI Enrollment dialog box

CA Information tab 28-35

Certificate Subject Name tab 28-40

Enrollment Parameters tab 28-39

overview 28-33

Trusted CA Hierarchy tab 28-42

Edit Policy Assignments command 1-24

Edit POP3 Class Map dialog box 15-22, 18-17

Edit Port Forwarding List dialog box 28-42

Edit Port List dialog box 6-71

Edit Protocol Info Parameter Map dialog box 18-31

Edit Regular Expression dialog box 15-77

Edit Regular Expression Group dialog box 15-76

Edit Row command 1-23

Edit Rule Section dialog box 12-18

Edit Secondary Interface Specific Authentication Server Groups dialog box 27-24

Edit Security Association dialog box 21-52

Edit Selected Deployment Method dialog box 8-29

Edit Server dialog box

Protocol Info Parameter maps 18-32

Edit Server Group dialog box 13-16

Edit Service dialog box 6-72

Edit Services dialog box 12-11

Edit Signature dialog box 33-12

Edit Signature Parameter—Component List dialog box 33-25

Edit Signature Parameters dialog box 33-20

Edit Single Sign On Server dialog boxes 28-44

Edit SIP Class Map dialog box 15-22, 18-17

Edit SIP Map dialog box 15-67, 18-32

Edit Skinny Map dialog boxes 15-73

Edit SLA Monitor dialog box 42-9

Edit Smart Tunnel Lists dialog box 28-65

Edit SMTP Class Map dialog box 15-22, 18-17

Edit SMTP Map dialog box 18-32

Edit SNMP Map dialog box 15-75

Edit Sources dialog box 12-10

Edit SSL VPN Customization dialog box 28-49

Applications 28-58

Copyright Panel 28-56

Custom Panes 28-59

Full Customization 28-57

Home Page 28-61

Informational Panel 28-56

Language 28-53

Logon Form 28-55

Logout Page 28-62

Title Panel 28-52

Toolbar 28-58

Edit SSL VPN Gateway dialog box 28-63

Edit Standard Access Control Entry dialog box 6-49

Edit Standard Access List dialog box 6-45

Edit Sun RPC Class Map dialog box 15-22, 18-17

Edit Sun RPC Map dialog box 18-32

Edit TCP Map dialog box 48-17

Edit TCP Option Range dialog box 48-19

Edit Text Object dialog box 7-29

Edit Time Range dialog box 6-53

Edit Traffic Flow dialog box 48-13

Edit Translated Address dialog box 20-28

Edit Transparent EtherType dialog box 19-6

Edit Transparent Firewall Rule dialog box 19-5

Edit Transparent Mask dialog box 19-7

Edit Trend Content Filter Class Map dialog box 15-22, 18-17

Edit Trend Parameter Map dialog box 18-40

Edit Update Server Settings dialog box 11-24

Edit URL Domain Name dialog box 18-43

Edit URLF Glob Parameter Map dialog box 18-43

Edit URL Filter Parameter Map dialog box 18-41

Edit User Credentials dialog box 30-17

Edit User Group dialog box

Advanced PIX 6.3 settings 28-77

Browser Proxy settings 28-83

Client (IOS) settings 28-73

Clientless settings 28-78

Client VPN Software Update (IOS) settings 28-76

DNS/WINS settings 28-72

General settings 28-70

IOS Xauth Options settings 28-75

overview 28-68

Split Tunneling settings (Easy VPN/remote access IPSec VPN) 28-72

SSL VPN Connection settings 28-84

SSL VPN Full Tunnel settings 28-79

SSL VPN Split Tunneling settings 28-81

Technology settings 28-68

Thin Client settings 28-79

Edit Virtual Sensor dialog box 32-7, 32-8

Edit VPN dialog box

Device Selection tab 21-29

Edit Endpoints dialog box 21-31

Endpoints tab 21-31

High Availability tab 21-46

Name and Technology tab 21-28

overview 21-26

Edit Web Access Control Entry dialog box 6-51

Edit Web Filter Map dialog box 18-45

Edit Web Filter Options dialog box 16-8

Edit Web Filter Type dialog box 16-8

Edit Websense Parameter Map dialog box 18-37

Edit Websense Web Filter Class Map dialog box 15-22, 18-17

Edit Web Type Access List dialog box 6-45

Edit Windows Messenger Class Map dialog box 15-22, 18-17

Edit WINS Server dialog box 28-85

Edit WINS Server List dialog box 28-84

Edit Yahoo Messenger Class Map dialog box 15-22, 18-17

Edit Zones dialog box 12-11

eDonkey class map objects

creating 18-15

match criteria 18-19

EIGRP routing

defining interface properties 57-10

defining routes 57-9

EIGRP Routing Policy page 57-13

Interface dialog box 57-16

Interfaces tab 57-15

on Cisco IOS routers 57-8

redistributing routes 57-12

Redistribution Mapping dialog box 57-18

Redistribution tab 57-17

Setup dialog box 57-14

Setup tab 57-13

e-mail

blocking spam using zone-based firewall rules 18-24

preventing DoS attacks 18-24

e-mail notifications

configuring SMTP server 1-19

PIX/ASA/FWSM

recipient set-up 44-3

syslog messages 44-3

Enable/disable NAT rules 20-32

Enable PIM and IGMP

PIX/ASA/FWSM 45-1

Encapsulating Security Protocol (ESP) encryption algorithm 28-30

encoding rules

defining 26-50

encoding settings

understanding 26-49

Encoding tab (ASA) 27-91

encryption algorithms

3DES (Triple DES) 22-2

AES (Advanced Encryption Standard) 22-2

DES (Data Encryption Standard) 22-2

in IKE proposals 22-2

endpoints and protected networks

configuring dial backup 21-36

defining in GET VPN topologies 21-54

defining in VPN topologies 21-31

VPN Interface tab 21-32

Error Writing to Server deployment errors 9-15

ESMTP

configuring for inspection rules 15-16

ESMTP policy map objects

creating 15-19

match conditions and actions 15-31

properties 15-30

EtherChannel

Create and Edit IDSM EtherChannel VLANs dialog boxes 58-49

defining IDSM VLANs 58-45

deleting IDSM VLANs 58-46

evaluation license

upgrading to permanent license 10-2

event

lists 44-4

add/edit 44-5

syslog class

add/edit 44-6

syslog message ID

add/edit 44-6

Event Action Filters page 34-7

Event Action Override dialog box 34-13

Event Action Overrides page 34-12

event actions, IPS

configuring filter rules 34-4

configuring network information 34-14

configuring OS maps 34-17

configuring overrides 34-12

configuring settings 34-20

configuring target value ratings 34-14

example filter rule 59-52

filter rule attributes 34-9

filter rules policy 34-7

filter rules tips 34-6

overview 34-1

possible actions 34-2

process overview 34-1

Event Management page 11-19

Event Manager service

configuring 59-23

managing 59-22

monitoring event store disk space 59-24

selecting devices to monitor 59-23

starting and stopping 59-23

events

archiving (backing up) the event data store 59-24

configuring ASA devices 59-26

configuring IPS devices 59-27

CS-MARS 60-24

looking up 60-19

looking up policies based on related events 60-23

Netflow support for policy lookup 60-26

viewing access rule events 60-20

viewing IPS signature events 60-22

definition 60-9

Event Viewer

looking up policies based on related events 59-43

examples of analysis

mitigating botnet activity 59-50

monitoring and mitigating botnet activity 59-47

monitoring botnet activity using ASDM 59-50

monitoring botnet activity using Event Viewer 59-48

overview 59-45

removing false positive IPS events 59-52

understanding botnet syslog events 59-47

user access to server blocked 59-45

Performance Monitor

troubleshooting status collection 60-10

viewing 60-9

recovering the event data store 59-24

Event Viewer

archiving (backing up) the event data store 59-24

ASA devices, configuring to provide events 59-26

columns 59-16

comparing to other event managers 59-6

configuration 59-26

configuring Event Manager service 59-23

copying events from 59-37

customizing appearance of 59-30

custom view 59-33

examples of analysis

mitigating botnet activity 59-50

monitoring and mitigating botnet activity 59-47

monitoring botnet activity 59-48

overview 59-45

removing false positive IPS events 59-52

understanding botnet syslog events 59-47

user access to server blocked 59-45

filters 59-2

advantages of using network/host objects 59-53

submission requirements for policy objects 59-54

filters and queries 59-37

interface 59-13

IPS devices, configuring to provide events 59-27

limits of 59-4

looking up Security Manager policies based on events 59-43

managing service 59-22

monitoring event store disk space 59-24

quick filter 59-40

recovering the event data store 59-24

right-click filters 59-36

Saving Events to a File 59-37

selecting devices to monitor 59-23

settings 11-19

starting or stopping the Event Manager service 59-23

syslogs 59-5

time slider 59-32

toolbar 59-14

troubleshooting

Event Viewer Unavailable message 11-19, 59-23

policy objects not available for filtering 59-54

using 59-25

using views in 59-28

view selector 59-11

Event Viewer command 1-26

exclusive domains

configuring for IOS devices 16-9

Exit command 1-23

exiting

Cisco Security Management Suite server 1-15

CiscoWorks Common Services 1-15

Security Manager 1-15, 1-16

expiration dates

configuring for access rules 14-16

export

device inventory 3-49

inventory in DCR, CS-MARS, Security Manager formats 3-49

IPS event action overrides 34-12

IPS event filter rules 34-4, 34-7

policy objects 6-17

Export Inventory command 1-26

Export Inventory dialog box 3-49

Export Map command 1-25

External Product Interface dialog box 30-24

External Product Interface policy 30-23

F

factory-default configurations 39-1

Failover

FWSM 41-11

advanced settings 41-13

interface configuration 41-15

PIX/ASA 41-16

Add Failover Group 41-20

interface configuration 41-22

settings 41-18

PIX/ASA/FWSM 41-8

bootstrap configuration 41-23

interface MAC address 41-23

PIX 6.3 41-9

interface configuration 41-10

failover

configuring in site-to-site VPN 21-46

PIX/ASA/FWSM

active/active 41-2, 41-3

active/standby 41-2

configuration basics 41-5

configuring 41-1

stateful 41-3, 41-4

stateless 41-2

types of 41-2

understanding 41-1

stateful in site-to-site VPN 21-48

false negatives

definition of 33-18

false positives

definition of 33-18

FastTrack class map objects

creating 18-15

match criteria 18-19

feature sets 1-3

File menu 1-22

file objects

attributes 28-24

files

deploying to 8-11

selecting or specifying 1-35

Filter Item dialog box 34-9

filter rules, event action (IPS)

attributes 34-9

configuring 34-4

example rule 59-52

exporting 34-4

policy 34-7

tips 34-6

filters

filtering selectors 1-30

filtering tables 1-33

filters (Event Viewer)

advantages of using network/host objects 59-53

submission requirements for policy objects 59-54

Find and Replace dialog box 12-14

find and replace in rules policies 12-13

Find Map Node command 1-25

Find Node dialog box 29-12

firewall

access rule

event analysis example, user access blocked 59-45

finding from CS-MARS events 60-23

finding from Event Viewer events 59-43

viewing related CS-MARS events 60-20

Firewall AAA IOS Timeout Value Setting dialog box 13-24

Firewall AAA MAC Exempt Setting dialog box 13-21

Firewall ACL Setting dialog box 14-19

Firewall Device dialog box 37-14

firewall devices

policy discovery 5-13

firewalls

system variables 7-9

firewall service module (FWSM)

including in deployment jobs 8-26

firewall services

AAA firewall policy

advanced settings 13-16

configuring 13-5

AAA rules

configuring AAA firewall settings 13-5

configuring AuthProxy settings 13-8

configuring for ASA/PIX/FWSM devices 13-4

configuring for IOS devices 13-7

managing 13-1

properties 13-11

understanding 13-1

understanding how users authenticate 13-2

access rules

address requirements 14-5

configuring 14-7

configuring expiration dates 14-16

how deployed 14-5

import examples 14-32

importing 14-28

IPS blocking, effect of 37-4

managing 14-1

optimizing during deployment 14-34

sharing ACLs among interfaces 11-10

understanding 14-1

understanding device-specific behavior 14-4

understanding global 14-3

understanding requirements when using inspection 15-4

ACL naming conventions 12-5

adding rules 12-8

analysis reports 14-21

AuthProxy settings policy

configuring 13-8

combining rules

example 12-23

interpreting results 12-21

procedure 12-19

configuring policies in Map view 29-22

configuring settings policies in Map view 29-23

deleting rules 12-8

disabling rules 12-17

editing rules 12-9

enabling rules 12-17

finding and replacing items in rules policies 12-13

firewall settings

configuring settings 14-16, 16-14

per user downloadable ACLs 14-20

hit count reports 14-23

inspection rules

add/edit rule wizard 15-10, 15-11, 15-14

choosing interfaces 15-3

configuring 15-5

managing 15-1

preventing DoS attacks on IOS devices 15-5

selecting protocols 15-3, 15-14

understanding 15-2

understanding access rule requirements 15-4

inspection settings

configuring for IOS devices 15-80

introduction 12-1

managing rules tables 12-6

moving rules 12-16

object groups

expanding during discovery 12-31

optimizing network object groups during deployment 12-30

overview 12-1

policy query

example report 12-29

generating reports 12-24

interpreting results 12-28

preserving ACL names 12-4

resolving ACL naming conflicts 12-6

rule table sections 12-17

transparent rules

adding or editing a rule 19-5

configuring 19-1

configuring passthrough for IOS devices 19-3

editing the EtherType 19-6

editing the mask 19-7

managing 19-1

Transparent Rules page 19-3

understanding NAT effects 12-3

understanding rule order 12-16

understanding rule processing order 12-2

using rules tables 12-7

web filter rules

configuring for ASA, PIX, FWSM devices 16-2

configuring for IOS devices 16-9

managing 16-1

understanding 16-1

zone-based firewall

advanced options 18-61

configuring PAM 18-63

configuring rules 18-12, 18-58

configuring settings 18-47

designing network zones 18-1

development overview 18-12

protocol selection 18-62

rules table 18-56

tabs 18-47

zone-based firewalls

changing the default drop rule 18-46

general recommendations 18-11

IPSec VPN 18-6

overview 18-1

restrictions 18-3

Self zone 18-5

troubleshooting 18-52

understanding 18-3

understanding permit/deny and action 18-7

understanding services and protocols 18-10

VRF 18-6

Firewall Services Module

security contexts

configuration 49-5

Firewall Services Module (FWSM)

Bridge Groups

add/edit 50-24

configuring FWSM endpoints in site-to-site VPNs 21-43

Device Access

managing Resources 42-2

Resources 42-3

Resources, add/edit 42-3

Failover 41-11

advanced settings 41-13

interface configuration 41-15

interfaces 50-20

add/edit 50-22

PIX/ASA/FWSM Platform policies 50-1

firewall settings

AAA firewall

advanced settings 13-16

configuring 13-5

MAC exempt lists 13-20

Access Control page 14-17

access controls

per user downloadable ACLs 14-20

AuthProxy

configuring 13-8

AuthProxy page 13-22

botnet traffic filter rules 17-9

Firewall AAA IOS Timeout Value Setting dialog box 13-24

Firewall ACL Setting dialog box 14-19

Inspection page 15-80

MAC exempt lists, AAA firewall 13-20

reference information for AAA rules 13-16

Web Filter page 16-15

zone-based firewall

add/edit zones 18-51

Content Filter tab 18-50

Global Parameters tab 18-48

page 18-48

VPN tab 18-48

WAAS tab 18-48

Zones tab 18-48

zone-based firewalls

logging 18-1

Fit to Window command 1-25

FlexConfig objects

adding to policies 7-32

ASA samples 7-18

Catalyst 6500/7600 samples 7-20

changing order in policies 7-32

changing variable values 7-32

Cisco IOS Software samples 7-20

CLI commands 7-2

configuring 7-22

configuring AAA for administrative introducers 53-85

creating 7-25

creating text objects 7-29

deleting variables 7-25

PIX firewall samples 7-21

previewing CLI 7-32

properties 7-27

property selector 7-31

removing from policies 7-32

router samples 7-21

samples 7-17

scripting language

example of looping 7-3

example of looping with if/else statements 7-4

example of two-dimensional looping 7-3

understanding 7-3

system variables

device 7-7

firewalls 7-9

remote access VPN 7-17

router 7-12

understanding 7-7

VPN 7-13

undefined variables 7-30

understanding 7-1

variables 7-4

variables, example 7-6

FlexConfig policies

adding objects 7-32

changing object order 7-32

changing variable values 7-32

configuring 7-22

configuring AAA for administrative introducers 53-85

editing 7-32

previewing CLI 7-32

removing objects 7-32

understanding 7-1

FlexConfig Policy page 7-33

FlexConfig Preview dialog box 7-35

FlexConfigs

creating (scenario) 7-22

managing 7-1

FlexConfig Undefined Variables dialog box 7-30

floodguard 47-2

FQDN

redirection using

cluster load balancing and 26-16

fragmentation

in remote access VPNs 26-28

in site-to-site VPNs

General Settings tab 22-20

understanding 22-15

maximum transmission unit (MTU) 22-15

fragments settings 47-2

frequently asked questions

policy discovery 5-25

FTP class map objects

creating 15-19

match criteria 15-34

FTP policy map objects

creating 15-19

match conditions and actions 15-34

properties 15-33

full mesh topologies

description 21-4

partial mesh 21-5

full tunnel client access mode 26-5

FWSM

adding when using multiple-context mode 3-7

adding when using non-default HTTPS (SSL) port 3-7

bridge groups 39-19

changing deployment method to serial for multiple-context mode 9-16

credentials 3-14

deleting security contexts 49-4

deployment failures after changing interface policies 9-15

deployment failures in multiple-context mode 9-15

deployment failures with large ACLs 9-16

discovering failover modules 3-6

PDM 60-4

policy discovery 5-13

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rollback restrictions for failover devices 8-58

rollback restrictions for multiple context mode 8-58

setting up SSL (HTTPS) 2-3

TCP State Bypass 48-3

troubleshooting deployment 9-15

FWSM devices

AAA support 6-21

adding SSL thumbprints manually 9-4

configuring transparent firewall rules 19-1

selecting policy types to manage 5-10

SSL certificate configuration 11-14

G

Gateway and Context page 27-10

General

PIX/ASA/FWSM

security policies 47-1

General Configuration tab, SNMP policy for IPS 30-10

General page, device properties 3-34

General Settings tab 27-64

General tab (Translation Rules)

PIX/ASA/FWSM 20-30

General tab, IPS blocking policy 37-11

GET VPN

anti-replay, time based 25-12

configuring 25-12

configuring global ISAKMP and IPsec settings 25-16

configuring group members 25-20

cooperative key servers 25-7

defining group encryption 21-49

generating, synchronizing RSA keys 25-13

group members

adding 25-19

editing 25-21

IKE proposal 25-15

key servers

adding 25-19

editing 25-19

mandatory and optional policies 21-6

migrating to 25-23

overview 25-1

receive-only SAs 25-23

registration

choosing the rekey transport mechanism 25-6

configuring fail-close mode 25-8

registration process 25-4

SAs

passive SA mode 25-23

receive-only mode 25-23

security policy 25-10

supported platforms 21-8

troubleshooting 25-25

understanding 25-2

GET VPNs

group encryption policies

certificate authorization 21-52

security associations 21-52

global correlation

configuring 36-1

configuring DNS servers 30-22

configuring HTTP proxy server 30-22

configuring inspection and reputation 36-5

configuring network participation 36-6

configuring with Botnet Traffic Filtering 36-1

data collected 36-3

requirements and limitations 36-4

understanding 36-1

understanding network participation 36-3

understanding reputation 36-2

global settings

remote access VPN

configuring 26-28

understanding 26-28

Global Settings page 27-60

Gnutella class map objects

creating 18-15

match criteria 18-19

GRE (generic routing encapsulation) VPN

advantages of IPsec tunneling with GRE 23-3

configuring 23-5

configuring GRE modes 23-6

dynamically addressed spokes 23-5

implementation 23-3

overview 23-1, 23-2

prerequisites for successful configuration 23-3

supported platforms 21-8

understanding 23-2

GRE Dynamic IP

mandatory and optional policies 21-6

GRE Modes Page

DMVPN properties 23-12

GRE or GRE Dynamic IP properties 23-6

overview 23-1

Group Domain of Interpretation (GDOI) protocol 25-3

group encryption

defining in GET VPN topologies 21-49

Group Encryption Policy page (GET VPN) 21-49

group members

adding 25-19

communication flow 25-2

configuring fail-close mode 25-8

editing 25-21

GET VPN

registration process 25-4

security policy ACLs 25-10

group members (GET VPN)

configuring 25-20

Group Members page (GET VPN) 25-20

group policies

understanding 26-30

VPNs

ASA devices 26-31

configuring bookmarks 26-68

configuring portal appearance 26-63

configuring WINS servers for file system access 26-73

customizing 26-63

post URL method and macro substitutions in bookmarks 26-70

smart tunnels 26-71

Group Policies page 27-66

groups

adding or removing devices 3-56

creating 3-55

deleting 3-56

understanding 3-52

working with 3-52

group types

creating 3-55

deleting 3-56

GTP map objects

Add Country Network Codes dialog box 15-38

Edit Country Network Codes dialog box 15-38

GTP Map Timeouts dialog box 15-39

GTP policy map objects

creating 15-19

match conditions and actions 15-39

properties 15-36

H

H.323 (ASA, PIX) class map objects

creating 15-19

H.323 (ASA/PIX/FWSM) policy map objects

creating 15-19

properties 15-41

H.323 (IOS) class map objects

creating 18-15

match criteria 18-20

H.323 (IOS) policy map objects

creating 18-15

match conditions and actions 18-33

H.323 class map objects

match criteria 15-44

H.323 policy map objects

match conditions and actions 15-44

hash algorithms

in IKE proposals 22-2

MD5 22-2

SHA 22-2

help

accessing 1-36

Help About This Page command 1-28

helper addresses 52-14

Help menu 1-28

Help Topics command 1-28

Hide Navigation Window command 1-25

high availability (HA groups)

configuring in Easy VPN 24-2

configuring in site-to-site VPN 21-46

in remote access VPNs 26-41

stateful/stateless failover 21-48

High Availability page 27-71

high availability policies

configuring 26-41

understanding 26-41

Histogram dialog box 35-13

histograms

configuring anomaly detection 35-10

understanding anomaly detection 35-9

hit count

generating reports 14-23

Hit Count Query Results page 14-26

Hit Count Selection Summary Dialog Box 14-25

Hostname

PIX/ASA/FWSM 42-1

hostnames

Cisco IOS routers

defining 53-78

Hostname Policy page 53-79

overview 53-78

HTTP

Cisco IOS routers

AAA tab 53-32

Command Authorization Override dialog box 53-34

defining policies 53-29

HTTP Policy page 53-31

overview 53-28

Setup tab 53-31

PIX/ASA/FWSM 40-2

configuration 40-2

HTTP (ASA, PIX) class map objects

creating 15-19

HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects

creating 15-19

properties 15-45

HTTP (ASA7.2+/PIX7.2+) policy map objects

creating 15-19

properties 15-53

HTTP (IOS) class map objects

creating 18-15

creating for zone-based firewall content filtering 18-34

match criteria 18-20

HTTP (Zone Based IOS) policy map objects

creating 18-15, 18-34

match conditions and actions 18-33

HTTP class map objects

match criteria 15-55

HTTP-FORM

settings in AAA server objects 6-35

HTTP policy

overriding HTTPS port number 3-39

sharing

HTTPS port number 3-39

HTTP policy map objects

match conditions and actions 15-55

HTTP proxy server

configuring for IPS global correlation 30-22

HTTP Response Code 500 deployment errors 9-15

HTTPS

setting up 2-3

troubleshooting certificate errors 9-4

hub-and-spoke topology

description 21-2

joined hub-and-spoke topology 21-5

tiered hub-and-spoke topologies 21-5

I

ICMP rules

PIX/ASA/FWSM 40-3

add/edit 40-4

ICMP settings

configuring on IOS routers 52-18

icons

map elements 29-14

toolbar reference 1-28

ICQ class map objects

creating 18-15

match criteria 18-19

idle timeout, Security Manager client 11-5

IDM

device manager 60-4

IDSM

adding when using non-default HTTPS (SSL) port 3-7

Create and Edit IDSM Data Port VLANs dialog boxes 58-50

Create and Edit IDSM EtherChannel VLANs dialog boxes 58-49

credentials 3-14

defining Data Port VLANs 58-46

defining EtherChannel VLANs 58-45

deleting Data Port VLANs 58-48

deleting EtherChannel VLANs 58-46

deployment failures when changing data port VLAN running mode 9-16

IDSM Settings page 58-48

IDSM Slot-Port Selector dialog box 58-51

mode support limitations 58-44

troubleshooting deployment 9-15

understanding settings on Catalyst devices 58-44

IGMP

PIX/ASA/FWSM

Access Group parameters 45-5

Access Group tab 45-5

enable 45-1

Join Group parameters 45-7

Join Group tab 45-7

page 45-2

parameters 45-4

Protocol tab 45-3

Static Group parameters 45-6

Static Group tab 45-6

ignore error message, configure Security Manager to 9-9

IKE (Internet Key Exchange)

aggressive mode negotiation 22-1

main mode negotiation 22-1

proposals 22-1

understanding 22-1

IKE keepalive

understanding 22-13

IKE proposal objects

properties 28-26

IKE Proposal page 27-73

IKE proposals (policies)

configuring 22-4

IKE Proposal page (site-to-site VPN) 22-4

in GET VPNs 25-15

IM (ASA7.2+/PIX7.2+) policy map objects

creating 15-19

properties 15-59

IM (IOS) policy map objects

creating 15-19

properties 15-62

IM (Zone Based IOS) policy map objects

creating 18-15

match conditions and actions 18-33

IM (Zone based IOS) policy map objects

creating 18-15

IMAP

configuring for inspection rules 15-17

IMAP class map objects

creating 18-15

match criteria 18-22

IM applications

match conditions for zone-based firewalls 18-19

protocol information for IM application inspection 18-31

IMAP policy map objects

creating 18-15

match conditions and actions 18-33

IM class map objects

creating 15-19

match criteria 15-60

IM policy map objects

match conditions and actions 15-60

import

device inventory 3-24

policy objects 6-17

Import Background Image dialog box 29-13

Import Rules wizard

Enter Parameters page 14-29

Preview page 14-31

Status page 14-30

inheritance

inheriting rules 5-42

understanding 5-4

understanding signature policies 33-3

versus assignment 5-6

Inherit Rules command 1-24

Inherit Rules dialog box 5-42

Inspect/Application FW Rule wizard

Address and Port page 15-11

Inspected Protocol page 15-14

Match Traffic page 15-10

inspection

global correlation (IPS)

configuring 36-5

inspection map objects

understanding 6-60

inspection rules

ACL naming conventions 12-5

add/edit rule wizard 15-10, 15-11, 15-14

choosing interfaces 15-3

configuring 15-5

configuring custom protocol name 15-18

configuring DNS settings 15-16

configuring ESMTP settings 15-16

configuring fragment inspection 15-17

configuring in Map view 29-23

configuring RPC settings 15-18

configuring settings for IOS devices 15-80

configuring settings in Map view 29-23

configuring SMTP settings 15-16

deep inspection options

IMAP 15-17

POP3 15-17

deleting 12-8

disabling 12-17

editing 12-9

enabling 12-17

Inspection Rules page 15-7

managing 15-1

moving 12-16

preserving ACL names 12-4

preventing DoS attacks on IOS devices 15-5

selecting protocols 15-3, 15-14

understanding 15-2

understanding access rule requirements 15-4

understanding NAT effects 12-3

understanding processing order 12-2

Inspection Rules page 15-7

Inspection settings page 15-80

inspect maps

policy maps

Add Country Network Codes dialog box 15-38

Edit Country Network Codes dialog box 15-38

Inspect parameter map objects

properties 18-28

Inspect Parameters map objects

creating 18-15, 18-34

installing

Security Manager client 1-16

Integrated Local Management Interface (ILMI) 52-49

Interactive Authentication Configuration dialog box 13-18

interface

add and edit 39-7

duplex 50-29

IP type

ASA and PIX 7+ 39-10

PIX 6.3 39-11

MAC address 39-13

management 39-6

media type 39-13

Interface Name Conflict dialog box 6-60

Interface Properties dialog box 29-18

Interface Role Contents dialog box 12-12

interface role objects

creating 6-56

defining subinterfaces 6-58

distinguishing from interfaces 6-58

handling conflicts between role and interface names 6-60

Interface Role dialog box 6-57

specifying during policy definition 6-58

understanding 6-55

use when a single interface name is allowed 6-59

interfaces

adding or changing modules 3-33

ASA 5505 50-25

add/edit 50-10

ASA devices 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

Catalyst switches and 7600 Series routers

Access Port Selector dialog box 58-30

Create and Edit Interface dialog boxes-Access Port mode 58-9

Create and Edit Interface dialog boxes-Dynamic Port mode 58-18

Create and Edit Interface dialog boxes-Other mode 58-24

Create and Edit Interface dialog boxes-Routed Port mode 58-12

Create and Edit Interface dialog boxes-subinterfaces 58-22

Create and Edit Interface dialog boxes-Trunk Port mode 58-14

Create and Edit VLAN dialog boxes 58-29

Create and Edit VLAN Group dialog boxes 58-34

defining ports 58-5

deleting ports 58-7

generating names 58-6

Interfaces/VLANs page-Interfaces tab 58-7

Interfaces/VLANs page-Summary tab 58-3

Interfaces/VLANs page-VLAN Groups tab 58-33

Interfaces/VLANs page-VLANs tab 58-28

Service Module Slot Selector dialog box 58-35

Trunk Port Selector dialog box 58-31

understanding 58-5

VLAN Selector dialog box 58-36

checklist for configuring multiple contexts 49-2

Cisco IOS routers

Advanced Interface Settings dialog box 52-16

Advanced Interface Settings page 52-15

available types 52-2

Create Router Interface dialog box 52-8

defining advanced settings 52-13

defining basic settings 52-3

defining CEF interface settings 52-24

defining IPS module settings 52-22

deleting from 52-6

generating names 52-4

Interface Auto Name Generator dialog box 52-12

overview 52-1

Router Interfaces page 52-7

understanding helper addresses 52-14

configuring IOS IPS rules 38-8

contexts 39-5

distinguishing from interface roles 6-58

failover

FWSM 41-15

MAC address 41-23

PIX/ASA 41-22

PIX 6.3 41-10

FWSM 50-20

add/edit 50-22

IPS

configuring 31-6

configuring bypass mode 31-12

configuring CDP mode 31-13

configuring inline interface pairs 31-13

configuring inline VLAN pairs 31-14

configuring physical 31-10

configuring VLAN groups 31-15

deploying VLAN groups 31-5

inline interface mode 31-3

inline VLAN pair mode 31-3

interfaces policy 31-6

managing interface configurations 31-1

physical interface properties 31-11

promiscuous mode 31-2

roles 31-1

sensing modes overview 31-2

understanding 31-1

viewing summary 31-8

VLAN group mode 31-4

PIX/ASA 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

allocation in security contexts 49-8

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

PIX/ASA/FWSM

configuring 39-2

DDNS update rules 43-14

enabling traffic between same security levels 39-14, 39-15

management access 40-5

managing the PPPoE users list 39-15

managing VPDN groups 39-16

troubleshooting 39-17

understanding 39-2

PIX 6.3

add/edit 50-14

PIX Firewall 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

redundant 39-4

routed and transparent 39-4

specifying during policy definition 6-58

specifying subinterfaces 6-58

throughput delay 52-18

Interface Selector dialog box (VLAN ACL Content) 58-43

Interfaces page (IPS) 31-6

inventory

deleting devices from 3-47

export devices

DCR, CS-MARS, Security Manager formats 3-49

overview 3-49

using command line utility 3-50

inventory, device

adding devices 3-6

adding devices from configuration files 3-16

adding devices from inventory file 3-24

adding devices from network 3-8

adding devices manually 3-20

managing 3-1

testing device connectivity 9-1

troubleshooting device discovery failures 3-7

troubleshooting Performance Monitor status collection 60-10

understanding 3-1

understanding contents 3-3

viewing inventory status 60-9

working with 3-29

Inventory Status command 1-26

Inventory Status window 60-11

Inverse ARP 52-60

inverse multiplexing over ATM (IMA) 52-39

IOS devices

configuring transparent firewall rules 19-1

remote access IPSec VPNs

user group policies 26-43

remote access IPsec VPNs

creating using wizard 26-11

user group policies 26-42

remote access SSL VPNs

configuring bookmarks 26-68

configuring for IOS devices 26-60

configuring WINS servers for file system access 26-73

creating using wizard 26-10

remote access VPNs

Context Editor dialog box (IOS) 27-105, 27-107

Dynamic VTI/VRF Aware IPsec settings 27-81

high availability 27-71

IPsec proposals 27-77

SSL VPN policies 27-105

user group policies 27-84

SDM 60-5

IOS IPS

effect of load balancing 38-7

comparing to IPS appliances and service modules 30-1

configuration files 38-3

configuration overview 38-3

configuring 38-1

configuring general settings 38-7

configuring interface rules 38-8

configuring target value ratings 34-14

event actions

filter rule attributes 34-9

filter rules 34-4, 34-7

filter rules tips 34-6

network information 34-14

overrides 34-12

overview 34-1

possible actions 34-2

process overview 34-1

settings 34-20

getting started 30-1

initial preparation of router 38-5

lightweight signature engines 38-2

limitations and restrictions 38-3

selecting signature category 38-6

signatures

adding custom 33-15

cloning 33-18

configuring 33-3

defining 33-1

detailed information 33-2

editing 33-11

editing Meta engine component list 33-25

editing or tuning parameters 33-18

enabling or disabling 33-10

engines 33-16

exporting 33-6

inheritance 33-3

parameters list 33-20

policy 33-4

shortcut menu 33-7

understanding 33-1

viewing update level 33-9

understanding 38-1

understanding subsystems and revisions 38-2

IOS Software Release 12.1 and 12.2

managing routers 51-2

IOS Web Filter Exclusive Domain Name dialog box 16-13

IOS Web Filter Rule and Applet Scanner dialog box 16-12

IP address

supporting dynamic 3-29

IP addresses

network masks 6-63

specifying in policies 6-68

IP Options policy map objects

creating 15-19

properties 15-64

IPS

IPS Module router interface settings policies 52-22

PIX/ASA/FWSM

rules 48-5

rules wizard 48-6

tab 48-8

updates, automatically applying 10-7

updates, checking for and downloading 10-6

updates, configuring server 10-5

updates, managing 10-5

updates, manually applying 10-9

IPS Devices

selecting for Event Viewer 59-23

IPS devices

adding SSL thumbprints manually 9-4

allowed hosts 30-7

anomaly detection

configuring 35-6

configuring histograms 35-10

configuring learning accept mode 35-8

configuring signatures 35-4

configuring thresholds 35-10

detection zones 35-3

managing 35-1

modes 35-2

understanding 35-1

understanding histograms 35-9

understanding thresholds 35-9

understanding worms 35-2

when to turn off 35-4

blocking

configuring 37-7

configuring ARC 37-1

configuring blocking devices 37-14

configuring master blocking sensors 37-13

configuring never block hosts and networks 37-18

configuring router blocking interfaces 37-16

configuring user profiles 37-12

configuring VLAN blocking interfaces 37-17

general options 37-11

master blocking sensor 37-6

policy 37-8

rate limiting 37-4

router and switch blocking devices 37-4

strategies 37-3

understanding 37-1

capturing network traffic 30-2

configuration overview 30-5

configuration overview for IOS IPS 38-3

configuring AAA 30-19

configuring Analysis Engine global variables 30-26

configuring DNS servers 30-22

configuring for event management 59-27

configuring HTTP proxy server 30-22

configuring NTP 30-21

configuring OS maps 34-17

configuring SNMP 30-8

configuring target value ratings 34-14

configuring the external product interface 30-23

configuring user accounts 30-16

credentials, IPS router modules 3-15

deployment of passwords 30-15

deployment topology 30-4

discovery of passwords 30-15

event actions

example filter rule 59-52

filter rule attributes 34-9

filter rules 34-4, 34-7

filter rules tips 34-6

network information 34-14

overrides 34-12

overview 34-1

possible actions 34-2

process overview 34-1

settings 34-20

getting started 30-1

global correlation

configuring 36-1

configuring inspection and reputation 36-5

configuring network participation 36-6

data collected 36-3

requirements and limitations 36-4

understanding 36-1

understanding network participation 36-3

understanding reputation 36-2

initializing 2-12

interfaces

configuring 31-6

configuring bypass mode 31-12

configuring CDP mode 31-13

configuring inline interface pairs 31-13

configuring inline VLAN pairs 31-14

configuring physical 31-10

configuring VLAN groups 31-15

deploying VLAN groups 31-5

inline interface mode 31-3

inline VLAN pair mode 31-3

interfaces policy 31-6

managing interface configurations 31-1

physical interface properties 31-11

promiscuous mode 31-2

roles 31-1

sensing modes overview 31-2

understanding 31-1

viewing summary 31-8

VLAN group mode 31-4

IPS modules for ASA 48-12

license, exporting 11-28

license, redeploying 10-4

license, updating 10-3

license, updating automatically 10-4

looking up signature policies for CS-MARS events 60-23

looking up signature policies for Event Viewer events 59-43

managing user accounts and passwords 30-13

monitoring

removing false positive IPS events 59-52

passive OS fingerprinting 34-16

password requirements 30-18

policy discovery 5-13

rollback restrictions 8-59

showing containment 3-46

signatures

adding custom 33-15

cloning 33-18

configuring 33-3

configuring settings 33-27

defining 33-1

detailed information 33-2

editing 33-11

editing Meta engine component list 33-25

editing or tuning parameters 33-18

enabling or disabling 33-10

engines 33-16

exporting 33-6

inheritance 33-3

parameters list 33-20

policy 33-4

shortcut menu 33-7

understanding 33-1

viewing update level 33-9

SSL certificate configuration 11-14

traffic flow notifications 30-26

tuning recommendations 30-4

understanding managed and unmanaged passwords 30-14

understanding network sensing 30-1

understanding user roles 30-13

user account attributes 30-17

viewing signature events in CS-MARS 60-22

virtual sensors

advantages 32-2

assigning interfaces 32-4

attributes 32-7

configuring 32-1, 32-5

deleting 32-10

editing policies 32-9

identifying 32-5

inline TCP session tracking mode 32-3

Normalizer mode 32-4

renaming 32-8

restrictions 32-2

understanding 32-1

IPsec

proposals 26-38

remote access VPNs

certificate to connection profile map policies 26-34, 26-35

certificate to connection profile map rules 26-35, 26-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) 27-70

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) 27-69

Certificate to Connection Profile Maps > Policies page 27-67

Certificate to Connection Profile Maps > Rules page 27-68

cluster load balancing 26-16, 26-17, 27-17

connection profiles 26-18

connection profiles (ASA, PIX 7+) 27-18

creating using wizard 26-11, 26-14

dynamic access policies 26-19, 26-20

dynamic access policy (DAP) attributes 26-22, 26-25

Dynamic Access policy page (ASA) 27-33

Dynamic VTI/VRF Aware IPsec settings 27-81

fragmentation settings 27-64

global settings 26-28

Global Settings page 27-60

group policies 27-66

high availability 27-71

high availability policies 26-41

IKE proposals 27-73

ISAKMP/IPsec settings 27-60

NAT settings 27-63

Public Key Infrastructure (PKI) 27-66

public key infrastructure (PKI) policies 26-33

public key infrastructure (PKI) proposals 26-37

secure desktop manager policies 26-26

understanding 26-2

user group policies 26-42, 26-43, 27-84

VPNSM/VPN SPA settings 27-80

IPsec/GRE VPN

advantages of IPsec tunneling with GRE 23-3

configuring 23-5

configuring GRE modes 23-6

dynamically addressed spokes 23-5

implementation 23-3

overview 23-1, 23-2

prerequisites for successful configuration 23-3

supported platforms 21-8

understanding 23-2

IPsec Pass Through policy map objects

creating 15-19

properties 15-65

IPsec Proposal Editor dialog box (for IOS Routers and Catalyst 6500/7600 Devices) 27-77

IPsec Proposal Editor dialog box (for PIX and ASA Devices) 27-75

IPsec Proposal page 27-74

IPsec proposals

configuring 26-39

remote access VPNs 27-74, 27-75, 27-77

configuring 26-39

understanding 26-38

IPsec proposals (policies)

configuring for Easy VPN 24-5

configuring in site-to-site VPNs 22-9

IPsec Proposal page (in Easy VPN)

IPsec Proposal tab 24-7

usage 24-6

IPsec Proposal page (site-to-site VPN) 22-9

using crypto maps in 22-6

using reverse route injection in 22-8

using transform sets in 22-7

IPsec Settings page (ASA) 27-14

IPsec technologies

defining 21-28

mandatory and optional policies 21-6

policies 21-5

supported platforms 21-8

understanding 21-5

IPSec transform set objects

attributes 28-28

supported modes 28-30

supported protocols 28-30

IPsec tunnels

understanding policies 22-5

IPSec VPN

zone-based firewalls 18-6

IPsec VPN

Remote Access Configuration wizard

Defaults page 27-16

IPsec Settings page (ASA) 27-14

IPsec VPN Connection Profile page (ASA) 27-13

User Group Policy page (IOS) 27-15

IPsec VPN Connection Profile page (ASA) 27-13

IPS event

definition of 34-1

IPS interfaces

IPS Monitoring Information dialog box 52-24

IPS module

credentials 3-15

IPS Module Discovery dialog box 3-15

IPS Module interface settings policies 52-22

IPS Rules dialog box 38-9

IPS sensor

IDM 60-4

IPS sensors

default transport protocol 11-13

IPS signatures

finding from CS-MARS events 60-23

finding from Event Viewer events 59-43

tuning 59-52

viewing related CS-MARS events 60-22

IPS tab, Licensing page 11-27

IPS Updates page 11-20

ISAKMP/IPsec settings

IKE keepalive 22-13

in remote access VPNs 26-28

in site-to-site VPNs 22-13

ISAKMP/IPsec Settings tab (site-to-site VPN) 22-16

ISAKMP/IPsec Settings tab 27-60

ISR

zone-based firewall

restrictions 18-3

J

job deployment methods

understanding 8-8

jobs

aborting 8-48

approving 8-37

creating and editing deployment in non-Workflow mode 8-27

creating and editing deployment in Workflow mode 8-33

Deployment Manager 8-15

discarding 8-39

including devices in 8-8

rejecting 8-37

states

Workflow mode 8-6

submitting 8-36

joined hub-and-spoke topology 21-5

Join Group tab (IGMP) 45-7

JumpStart 1-17

Jumpstart command 1-28

K

Kazaa2 class map objects

creating 18-15

match criteria 18-19

Kerberos

description 6-21

settings in AAA server objects 6-31

key encryption key (KEK), GET VPN 25-4

key servers

adding 25-19

choosing the rekey transport mechanism 25-6

communication flow 25-2

cooperative, for redundancy 25-7

editing 25-19

generating, synchronizing RSA keys 25-13

registration failures 25-8

registration process 25-4

security policy ACLs 25-10

key servers (GET VPN)

configuring 25-18

Key Servers page (GET VPN) 25-18

Key Servers Selection dialog box 25-21

knowledge base structure (IPS) 35-8

L

large scale Dynamic Multipoint VPN (DMVPN)

mandatory and optional policies 21-6

LDAP

settings in AAA server objects 6-32

LDAP Attribute Map objects

attributes 28-31

learning accept mode (IPS), configuring 35-8

licenses

configuring for ASA devices 2-11

configuring for IOS devices 2-12

exporting IPS 11-28

managing 10-2

redeploying IPS 10-4

Security Manager 10-2

updating IPS 10-3

updating IPS, automating 10-4

License Update Status Details dialog box 11-30

licensing

Settings page 11-26

Lightweight Directory Access Protocol (LDAP)

description 6-22

lightweight signature engines 38-2

line access

Cisco IOS routers

Console Policy page 53-42

overview 53-35

VTY Policy page 53-50

Link Properties dialog box 29-19

load balancing

configuring in large scale DMVPN 23-16, 23-17

configuring IOS IPS deny actions 38-7

server attributes in large scale DMVPN 23-17

load-balancing devices

in a VPN cluster

redirection using FQDN 26-16

Local Policy Will Be Replaced dialog box 5-40

Local Web Filter class map objects

match criteria 18-27

Local web filter class map objects

creating 18-34

Local Web Filter parameter map objects

properties 18-36

Local web filter parameter map objects

creating 18-34

locking

activities 4-3

devices and policies 5-8

objects 5-10

understanding 5-7

VPN topologies 5-9

Log Buffer window 60-7

logging

Cisco IOS routers

defining NetFlow interfaces 55-15

defining NetFlow parameters 55-6

defining syslog servers 55-3

Logging Setup Policy page 55-7

NetFlow policy page 55-12

overview 55-1

Syslog Server dialog box 55-11

Syslog Servers Policy page 55-10

syslog setup parameters 55-1

syslog severity levels 55-4

PIX/ASA/FWSM 44-1

email notifications 44-3

email recipients 44-3

event lists 44-4

event lists, add/edit 44-5

filters 44-7

filters, editing 44-8

levels 44-17

logging setup 44-9

message classes and IDs 44-4

message editing 44-18

message limits 44-12

message limits, add/edit 44-13

NetFlow 44-1

NetFlow, add/edit collector 44-2

rate limit levels 44-11

rate limits, add/edit 44-14

server 44-15

server setup 44-14

set-up 44-10

syslog class 44-6

syslog message ID 44-6

syslog servers 44-19, 44-20

syslog servers, add/edit 44-21

syslog messages supported for CS-MARS queries 60-24

logging in to

Cisco Security Management Suite server 1-15

CiscoWorks Common Services 1-15

logging into

Security Manager 1-15, 1-16

Logging page, IPS platform 30-26

logs

configuring audit log default settings 11-31

configuring debug levels 11-6

Logs page 11-31

loopback cells 52-50

low-latency queuing (LLQ) 56-5

M

MAC address

PIX/ASA/FWSM

add/edit 50-34

interface 41-23

learning 50-34

learning, enable/disable 50-35

table 50-33

MAC exempt lists

configuring 13-6, 13-20

rule attributes 13-21

Maintenance Operation Protocol (MOP), enabling 52-19

Management Access

PIX/ASA/FWSM

interface 40-5

Management Center for Cisco Security Agents

configuring connection to IPS devices 30-23

connection attributes 30-24

posture ACLs 30-25

Management IP address

PIX/ASA/FWSM 50-36

managing the PPPoE users list 39-15

managing VPDN groups 39-16

Map menu 1-24

map objects

class maps

creating for inspection rules 15-19

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

parameter maps

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

Inspect properties 18-28

Local Web Filter properties 18-36

N2H2 properties 18-37

Protocol Info properties 18-31

Trend properties 18-40

URLF Glob properties 18-43

URL Filter properties 18-41

Websense properties 18-37

policy maps

creating for inspection rules 15-19

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

DCE/RPC properties 15-23

DNS properties 15-24

ESMTP properties 15-30

FTP properties 15-33

GTP properties 15-36

H.323 (ASA/PIX/FWSM) properties 15-41

HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties 15-45

HTTP (ASA7.2+/PIX7.2+) properties 15-53

IM (ASA7.2+/PIX7.2+) properties 15-59

IM (IOS) properties 15-62

IP Options properties 15-64

IPsec Pass Through properties 15-65

NetBIOS properties 15-66

regular expression group properties 15-76

regular expression properties 15-77

SIP (ASA/PIX/FWSM) properties 15-67

Skinny properties 15-73

SNMP properties 15-75

TCP Map properties 48-17

Web Filter properties 18-45

regular expression objects

metacharacters 15-78

understanding 6-60

Map Properties command 1-25

Map Rule dialog box (lower pane) 27-70

Map Rule dialog box (upper pane) 27-69

maps

access permissions 29-8

adding existing managed devices 29-15

adding new managed devices 29-15

arranging elements 29-11

background color 29-13

background images

deleting 29-13

importing 29-13

scale and position 29-13

setting 29-13

centering elements 29-11

changing the zoom level 29-11

class maps

Class Map dialog box 15-22, 18-17

creating 29-9

default map 29-9

deleting 29-10

displaying devices from Device View 29-16

displaying managed devices 29-15

displaying your network 29-13

elements, understanding 29-14

excluding private and reserved networks 11-2

exporting 29-10

icons 29-14

layer 3 links

autolink settings 11-2

creating 29-19

deleting 29-19

layouts, using 29-11

linking maps 29-12

navigation window 29-4

objects

adding 29-16

deleting 29-16

opening 29-9

overview 29-1

panning 29-11

refreshing 29-1

removing managed devices 29-16

renaming 29-10

saving 29-10

searching for nodes 29-12

selecting elements 29-12

setting background 29-13

showing containment for Catalyst, ASA, PIX, IPS devices 29-16

understanding 29-1

undocking window 29-2

working with 29-8

Map Settings dialog box 29-13

Map View

cloning devices 29-22

configuring firewall policies 29-22

configuring firewall settings policies 29-23

context menu

Layer 3 link 29-6

managed device node 29-4

map background 29-7

map objects 29-7

selected nodes 29-6

VPN connection 29-6

device policies, managing 29-21

discovering device configurations 29-22

icons for elements 29-14

main page 29-2

menus, context 29-4

navigation window 29-4

performing basic policy management 29-22

previewing device configurations 29-22

sharing device policies 29-22

toolbar reference 29-3

VPNs

creating 29-21

displaying existing 29-20

editing or showing peers 29-21

editing policies 29-21

managing 29-20

Map view

Autolink Settings page 11-2

copying between devices 29-22

overview 1-8, 29-1

Map View command 1-23

master blocking sensor 37-6

Master Blocking Sensor dialog box 37-13

maximum receive reconstructed unit (MRRU) 52-81

maximum segment size (MSS) 52-17

maximum transmission unit (MTU) 22-15

MBoundary

PIX/ASA/FWSM

configuration 45-9

interface configuration 45-10

MD5 hash algorithm 22-2

memory-allocation lite 53-81

memory settings

Cisco IOS routers

defining 53-79

overview 53-79

Memory Policy page 53-80

menu reference

Activities 1-27

Edit 1-23

File 1-22

Help 1-28

Map 1-24

overview 1-21

Policy 1-24

Tools 1-25

View 1-23

message

editing

PIX/ASA/FWSM 44-18

PIX/ASA/FWSM

limits 44-12

limits, add/edit 44-13

rate limits, add/edit 44-14

message classes and IDs

PIX/ASA/FWSM 44-4

metacharacters

URLF Glob parameter maps 18-44

Modify Access List dialog box (Allowed Hosts policy) 30-7

Modify Physical Interface Map dialog box 31-11

monitoring

CS-MARS

integrating with Security Manager 60-13

device managers, using 60-3

device status 60-1

network activities 60-1

Move Row Down command 1-23

Move Row Up command 1-23

MRoute

PIX/ASA/FWSM

configuration 45-8

MRoute page

description 45-8

MSN Messenger class map objects

creating 18-15

match criteria 18-19

multicast

PIX/ASA/FWSM

Enable PIM and IGMP 45-1

IGMP Access Group parameters 45-5

IGMP Access Group tab 45-5

IGMP Join Group parameters 45-7

IGMP Join Group tab 45-7

IGMP parameters 45-4

IGMP Protocol tab 45-3

IGMP Static Group parameters 45-6

IGMP Static Group tab 45-6

MBoundary configuration 45-9

MBoundary interface configuration 45-10

MRoute configuration 45-8

Multicast Boundary Filter page 45-9

Multicast Group, add/edit 45-20

Multicast Group rule 45-17

PIM Bidirectional Neighbor Filter 45-14

PIM Bidirectional Neighbor Filter tab 45-14

PIM Neighbor Filter 45-13

PIM Neighbor Filter tab 45-13

PIM page 45-11

PIM Protocol dialog box 45-12

PIM Protocol tab 45-11

PIM Rendezvous Point, add/edit 45-16

PIM Rendezvous Points tab 45-15

PIM Request Filter tab 45-19

PIM Route Tree tab 45-18

Multicast Boundary Filter page

description 45-9

multicast rekey in GET VPN 25-6

multicast routing

PIX/ASA/FWSM

configuring on 45-1

IGMP 45-2

multicast boundary filters 45-9

multicast routes 45-8

PIM 45-11

Multiclass Multilink PPP (MCMP) 52-74

multilink PPP (MLP) 52-70

defining bundles 52-74

multiple users

activities 4-4

N

N2H2 (Smartfilter)

configuring for web filter rules policies 16-14, 16-18

configuring for zone-based firewall rules policies 18-34, 18-37, 18-39

N2H2 class map objects

creating 18-34

match criteria 18-28

N2H2 parameter map objects

creating 18-34

properties 18-37

NAC

posture validation not occurring 9-14

NAT

VPN traffic sent unencrypted 9-14

NAT Settings tab 27-63

NAT traversal 22-14

NBAR

enabling protocol discovery 52-19

Neighbor Filter

PIM

PIX/ASA/FWSM 45-13

Neighbor Filter tab

PIM 45-13

NetBIOS policy map objects

creating 15-19

properties 15-66

NetFlow

Cisco IOS routers 55-1, 55-5

interface settings 55-15

configuring

on Cisco IOS routers 55-6

CS-MARS query 60-26

IOS routers 55-12

PIX/ASA/FWSM 44-1

add/edit collector 44-2

network/host objects

attributes 6-65

attributes, NAT 20-38

creating 6-64

naming when provisioned as object groups 6-75

network masks 6-63

optimizing when deploying firewall rules 12-30

understanding 6-62

unspecified value objects 6-67

using in Event Viewer filters 59-53

network access device (NAD) 54-9

Network Address Translation (NAT)

ASA 8.3+

Add/Edit NAT rules dialog boxes 20-35

Translation Rules page 20-32

understanding 20-4

ASA 8.3 devices 20-32

Cisco IOS routers 20-5

Dynamic Rule dialog box 20-11

dynamic rules 20-10

Interface Specification 20-6

Static Rule dialog box 20-7

static rules 20-6

Static Rules tab 20-6

timeouts 20-13

configuring in remote access VPNs 26-28

configuring in site-to-site VPNs 22-13

configuring NAT traversal 22-14

NAT Settings tab (site-to-site VPN) 22-19

non-ASA 8.3 devices 20-17

PIX/ASA/FWSM

Address Pool dialog box 20-18

Address Pools page 20-17

Advanced NAT Options dialog box 20-28

configuring on 20-15

configuring translation rules 20-18

Dynamic Rules dialog box 20-22

Dynamic Rules tab 20-21

General tab 20-30

non-ASA 8.3 20-17

Policy Dynamic Rules dialog box 20-24

Policy Dynamic Rules tab 20-23

Select Address Pool 20-22

Static Rules dialog box 20-26

Static Rules tab 20-25

Translation Exemptions (NAT 0 ACL) dialog box 20-20

Translation Exemptions (NAT 0 ACL) tab 20-19

Translation Options page 20-16

Translation Rules page 20-18

translation types 20-3

transparent mode 20-15

understanding 20-2

understanding NAT effects on firewall rules 12-3

Network Admission Control (NAC)

Cisco Trust Agent 54-9

components 54-9

defining identity parameters 54-13

defining interface parameters 54-11

defining setup parameters 54-10

Identities tab 54-18

Identity Action dialog box 54-19

Identity Profile dialog box 54-19

Interface Configuration dialog box 54-17

Interfaces tab 54-16

NAC Policy page 54-14

network access device (NAD) 54-9

on Cisco IOS routers 54-8

Setup tab 54-14

supported platforms 54-8

understanding system flow 54-9

Network Information page (IPS) 34-14

network masks

discontiguous 6-63

discovering 6-63

displaying 6-64

understanding 6-63

network participation, IPS

configuring 36-6

data collected 36-3

requirements and limitations 36-4

understanding 36-3

understanding global correlation 36-1

understanding reputation 36-2

network sensing

capturing network traffic 30-2

deployment topology 30-4

overview 30-1

tuning recommendations 30-4

Network Time Protocol (NTP)

Cisco IOS routers

creating NTP servers 53-98

NTP Policy page 53-99

NTP Server dialog box 53-100

overview 53-97

Never Block Host dialog box 37-18

Never Block Network dialog box 37-18

New Activity command 1-27

New Device command 1-22

New Device Groups command 1-22

New Device wizard

Choose Method page 3-6

Device Grouping page 3-41

Device Information page - Add Device from File 3-26

Device Information page - Configuration File 3-18

Device Information page - Network 3-9

Device Information page - New Device 3-21

New Map command 1-24

New or Edit CS-MARS Device dialog box 11-5

NHRP

DMVPN spoke-to-spoke connections 23-11

Node Properties dialog box 29-17

Non-Workflow mode

viewing

device details 8-25

non-Workflow mode

changing modes 1-20

comparing with Workflow mode 1-13

configuration files

deploying 8-27

previewing 8-42

configurations

rolling back 8-62

deployment 8-3

deployment jobs

aborting 8-48

Deployment Status Details dialog box 8-30

taking over another user session 10-15

understanding 1-13

No Proxy ARP

PIX/ASA/FWSM Platform 46-1

notifications, e-mail

configuring SMTP server 1-19

NT

settings in AAA server objects 6-34

NTP

PIX/ASA/FWSM 43-16

server configuration 43-17

NTP policy, IPS platform 30-21

NTP server

configuring for IPS devices 30-21

O

object groups

policy discovery 5-14

object group search

ASA 8.3+ devices 14-19

PIX 6.3 devices 14-20

objects

AAA server

HTTP-FORM settings 6-35

Kerberos settings 6-31

LDAP settings 6-32

NT settings 6-34

RADIUS settings 6-28

SDI settings 6-34

TACACS+ settings 6-30

AAA server groups

attributes 6-38

creating 6-37

default server groups on IOS devices 6-24

predefined authentication groups 6-23

understanding 6-20

AAA servers

creating 6-25

supported additional types for ASA/PIX/FWSM 6-21

supported types 6-21

understanding 6-20

access control lists

creating 6-40

extended objects 6-41

standard objects 6-43

web objects 6-44

ASA group policies

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

technology settings 28-1

basic procedures 6-6

categories, using 6-9

Cisco Secure Desktop configuration

creating 26-61

class map

creating for inspection rules 15-19

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

creating 6-6

credentials

attributes 28-23

DCE/RPC policy map

properties 15-23

deleting 6-12

DNS policy map

properties 15-24

duplicating 6-10

editing 6-9

ESMTP policy map

properties 15-30

exporting 6-17

file objects

attributes 28-24

FlexConfig

creating text objects 7-29

properties 7-27

property selector 7-31

undefined variables 7-30

FlexConfigs

adding to policies 7-32

changing order in policies 7-32

changing variable values 7-32

configuring 7-22

configuring AAA for administrative introducers 53-85

creating 7-25

previewing CLI 7-32

removing from policies 7-32

system variables 7-7

understanding 7-1

variables 7-4, 7-6

FTP policy map

properties 15-33

generating usage reports 6-11

GTP policy map

properties 15-36

H.323 (ASA/PIX/FWSM) policy map

properties 15-41

HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map

properties 15-45

HTTP (ASA7.2+/PIX7.2+) policy map

properties 15-53

IKE proposals

properties 28-26

IM (ASA7.2+/PIX7.2+) policy map

properties 15-59

IM (IOS) policy map

properties 15-62

importing 6-17

Inspect parameter map

properties 18-28

interface roles

creating 6-56

IP Options policy map

properties 15-64

IPsec Pass Through policy map

properties 15-65

IPSec transform sets

attributes 28-28

LDAP attribute map objects

attributes 28-31

Local Web Filter parameter map

properties 18-36

locking

effects on activities 4-3

managing 6-1

maps

understanding 6-60

N2H2 parameter map

properties 18-37

NetBIOS policy map

properties 15-66

network/host

optimizing when deploying firewall rules 12-30

understanding 6-62

using in Event Viewer filters 59-53

network/host objects

naming when provisioned as object groups 6-75

networks/hosts

creating 6-64

unspecified value objects 6-67

object selectors 6-2

overrides

allowing 6-13

creating for multiple devices 6-15

creating for single device 6-14

deleting 6-17

managing 6-12

understanding 6-13

overview 1-11

parameter map

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

PKI enrollments

defining CA server properties 28-35

defining certificate attributes 28-40

defining enrollment parameters 28-39

defining trusted CA hierarchy 28-42

properties 28-33

policy map

creating for inspection rules 15-19

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

port forwarding lists

properties 28-42

port list objects

naming when provisioned as object groups 6-75

port lists

creating 6-69

properties 6-71

Protocol Info parameter map

properties 18-31

provisioning as object groups 6-75

regular expression group policy map

properties 15-76

regular expression objects

metacharacters 15-78

regular expression policy map

properties 15-77

selecting for policies 6-2

service objects

naming when provisioned as object groups 6-75

provisioning as object groups 6-76

services

creating 6-69

single sign-on server

properties 28-44

SIP (ASA/PIX/FWSM) policy map

properties 15-67

Skinny policy map

properties 15-73

SLA monitors

attributes 42-9

configuring 42-8

understanding 42-7

SNMP policy map

properties 15-75

SSL VPN Bookmark

configuring 26-68

post URL method and macro substitutions 26-70

SSL VPN Customization

configuring 26-63

creating custom Logon page 26-67

localizing 26-66

SSL VPN gateway

properties 28-63

SSL VPN smart tunnel list

attributes 28-65

configuring 26-71

TCP Map policy map

properties 48-17

text

creating 7-29

time ranges

attributes for recurring ranges 6-54

configuring 6-53

traffic flow

default inspection traffic 48-15

properties 48-13

Trend parameter map

properties 18-40

URLF Glob parameter map

properties 18-43

URLF Glob parameter maps

metacharacters 18-44

URL Filter parameter map

properties 18-41

user groups

advanced PIX 6.3 settings 28-77

browser proxy settings 28-83

clientless settings 28-78

client VPN software update (IOS) settings 28-76

DNS/WINS settings 28-72

general settings 28-70

IOS client settings 28-73

IOS Xauth settings 28-75

split tunneling settings (Easy VPN/remote access IPSec VPN) 28-72

SSL VPN connection settings 28-84

SSL VPN full tunnel settings 28-79

SSL VPN split tunneling settings 28-81

technology settings 28-68

thin client settings 28-79

viewing details 6-10

Web Filter policy map

properties 18-45

Websense parameter map

properties 18-37

WINS server lists

attributes 28-85

creating 26-73

object selectors 6-2

Object Usage dialog box 6-11

Obsoletes dialog box 33-26

OOB (Out of Band) Changes dialog box 8-45

OOB (out of band changes)

avoiding 8-45

detecting and analyzing 8-43

understanding 8-12

Openable Activities dialog box 4-11

Open Activity command 1-27

Open Map command 1-24

Open Map dialog box 29-9

OS Identifications tab, IPS Network Information policy 34-17

OS Management

settings page 11-17

OS management

software image management, understanding 3-52

OS Map dialog box 34-20

OSPF

interaction with NAT 46-2

LSAs 46-2

OSPF interfaces

blocking LSA flooding 57-27

defining on Cisco IOS routers 57-25

disabling MTU mismatch detection 57-27

Interface dialog box 57-31

OSPF Interface Policy page 57-30

understanding

authentication 57-29

cost 57-26

network types 57-29

priority 57-26

timer settings 57-28

OSPF parameters

dead interval 46-25

hello interval 46-24

retransmit interval 46-25

transmit delay 46-24

OSPF redistribution

defining mappings 57-22

defining maximum prefix values 57-23

understanding 57-22

OSPF routing

Cisco IOS routers

Area dialog box 57-37

Area tab 57-37

defining area settings 57-21

defining interface settings 57-25

defining setup parameters 57-20

Edit Interfaces dialog box 57-36

Max Prefix Mapping dialog box 57-41

OSPF Process Policy page 57-34

overview 57-19

redistributing routes 57-22

Redistribution Mapping dialog box 57-39

Redistribution tab 57-38

Setup dialog box 57-36

Setup tab 57-35

PIX/ASA/FWSM

advanced settings 46-4

Area/Area networks 46-6

Area Range 46-9

Area tab 46-6

Filtering configuration 46-19

Filtering tab 46-17

General tab 46-3

Interface configuration 46-23

Interface tab 46-21

Neighbors tab 46-10

policy 46-2

Range tab 46-8

Redistribution rule 46-13

Redistribution tab 46-11

static neighbor 46-11

Summary Address configuration 46-21

Summary Address tab 46-20

Virtual Link configuration 46-15

Virtual Link MD5 configuration 46-17

Virtual Link tab 46-14

OS version mismatches

handling 8-13

other settings

configuring 26-46

out-of-band changes

avoiding 8-45

detecting and analyzing 8-43

understanding 8-12

overrides

allowing overrides 6-13

creating for multiple devices 6-15

creating for single device 6-14

deleting 6-17

managing 6-12

understanding 6-13

overview

activities 1-11

device monitoring 1-14

policies 1-11

user permissions 1-9

workflow 1-11

P

P2P applications

match conditions for zone-based firewalls 18-19

P2P policy map objects

creating 18-15

match conditions and actions 18-33

packageMonitorInterval 10-7

packet tracer 60-1

pagination size in event viewer 59-15

Pair dialog box 38-10

PAM

zone-based firewall

configuring 18-63

parameter maps

understanding 6-60

partial mesh topologies 21-5

participation, network

configuring 36-6

data collected 36-3

requirements and limitations 36-4

understanding 36-3

understanding global correlation 36-1

understanding reputation 36-2

passive OS fingerprinting on IPS sensors

configuring 34-17

understanding 34-16

Password Requirements policy, IPS platform 30-18

passwords

admin, changing 10-15

configuring IPS requirements 30-18

configuring IPS user account 30-16

discovery and deployment of IPS 30-15

managing IPS requirements 30-13

understanding managed and unmanaged IPS passwords 30-14

Paste command 1-23, 12-8

PDM

device manager 60-4

Peers page 21-31

Performance Monitor

comparing to other event managers 59-6

configuring in Security Manager 60-9

enabling or disabling 11-35

troubleshooting status collection 60-10

performance settings

defining 26-47

performance settings (remote access SSL VPNs)

understanding 26-47

Performance tab (ASA) 27-88

performance tuning 10-7

permanent virtual connections (PVC)

Define Mapping dialog box 52-64

PVC Advanced Settings dialog box 52-65

PVC dialog box 52-55

PVC Policy page 52-54

permanent virtual connections (PVCs)

defining ATM PVCs 52-50

defining OAM management 52-53

on Cisco IOS routers 52-46

understanding

ATM management protocols 52-49

ATM service classes 52-47

ILMI 52-49

Operation, Administration, and Maintenance (OAM) 52-50

virtual paths and channels 52-47

PIM

configuring on firewall devices 45-11

PIX/ASA/FWSM

Bidirectional Neighbor Filter 45-14

Bidirectional Neighbor Filter tab 45-14

enable 45-1

Multicast Group, add/edit 45-20

Multicast Group rule 45-17

Neighbor Filter 45-13

Neighbor Filter tab 45-13

page 45-11

PIM Protocol dialog box 45-12

Protocol tab 45-11

Rendezvous Point, add/edit 45-16

Rendezvous Points tab 45-15

Request Filter tab 45-19

Route Tree tab 45-18

PIX

PDM 60-4

PIX/ASA

security contexts

allocate interfaces 49-8

configuration 49-7

viewing allocated interfaces 49-9

PIX/ASA/FWSM

Device Access

Server Access 43-1

Failover

bootstrap configuration 41-23

interface MAC address 41-23

Server Access

AUS, add/edit server 43-3

AUS page 43-1

DDNS interface rule 43-14

DDNS page 43-14

DDNS update methods 43-15

DDNS update methods, add/edit 43-16

DHCP Relay, add/edit agent 43-6

DHCP Relay, add/edit server 43-6

DHCP Relay page 43-5

DHCP Server, add/edit 43-9

DHCP Server, advanced configuration 43-10

DHCP Server, options 43-11

DHCP Server page 43-8

DNS page 43-11

DNS server, add 43-13

DNS server group 43-12

NTP page 43-16

NTP server configuration 43-17

SMTP page 43-18

TFTP server page 43-18

PIX/ASA/FWSM Platform

AAA 50-36

Accounting tab 50-38

Authentication tab 50-37

Authorization tab 50-38

anti-spoofing 47-2

ARP configuration 50-31

ARP Inspection 50-31

enable/disable 50-32

ARP Table 50-30

banners 50-40

boot image/configuration 50-41

add 50-42

bridging 50-29

clock 50-42

configuring AAA 39-19

configuring DHCP servers 43-7

configuring multicast routing 45-1

configuring routing 46-1

CPU threshold 50-44

credentials 50-44

Device Access 40-1

console timeout 40-1

host name 42-1

HTTP configuration 40-2

HTTP page 40-2

ICMP rules 40-3

ICMP rules, add/edit 40-4

Management Access interface 40-5

Secure Shell (SSH) 40-5

Secure Shell, add/edit host 40-6

SNMP host access 40-11

SNMP page 40-8

SNMP Trap configuration 40-9

Telnet configuration 40-12

Telnet page 40-11

user accounts 42-6

user accounts, add/edit 42-7

Failover 41-8

failover configuration 41-1

failover configuration basics 41-5

floodguard 47-2

IPS, QoS, and Connection Rules 48-5

wizard 48-6, 48-8

logging 44-1

email notifications 44-3

email recipients 44-3

event lists 44-4

event lists, add/edit 44-5

filters 44-7

filters, editing 44-8

levels 44-17

message classes and IDs 44-4

message editing 44-18

message limits 44-12

message limits, add/edit 44-13

NetFlow 44-1

NetFlow, add/edit collector 44-2

rate limits, add/edit 44-14

server 44-15

set-up 44-10

syslog class 44-6

syslog message ID 44-6

syslog servers 44-20

syslog servers, add/edit 44-21

MAC Address

add/edit 50-34

MAC Address Table 50-33

MAC learning 50-34

enable/disable 50-35

Management IP address 50-36

multicast

Enable PIM and IGMP 45-1

group, add/edit 45-20

IGMP Access Group parameters 45-5

IGMP Access Group tab 45-5

IGMP Join Group parameters 45-7

IGMP Join Group tab 45-7

IGMP page 45-2

IGMP parameters 45-4

IGMP Protocol tab 45-3

IGMP Static Group parameters 45-6

IGMP Static Group tab 45-6

MBoundary configuration 45-9

MBoundary interface configuration 45-10

MRoute configuration 45-8

Multicast Boundary Filter page 45-9

Multicast Group rule 45-17

Multicast Routes page 45-8

PIM Bidirectional Neighbor Filter 45-14

PIM Bidirectional Neighbor Filter tab 45-14

PIM Neighbor Filter 45-13

PIM Neighbor Filter tab 45-13

PIM page 45-11

PIM Protocol dialog box 45-12

PIM Protocol tab 45-11

PIM Rendezvous Point, add/edit 45-16

PIM Rendezvous Points tab 45-15

PIM Request Filter tab 45-19

PIM Route Tree tab 45-18

NAT policies 20-17

Address Pools dialog box 20-18

Address Pools page 20-17

Advanced NAT Options dialog box 20-28

Dynamic Rules dialog box 20-22

Dynamic Rules tab 20-21

General tab 20-30

Policy Dynamic Rules dialog box 20-24

Policy Dynamic Rules tab 20-23

Select Address Pool 20-22

Static Rules dialog box 20-26

Static Rules tab 20-25

Translation Exemptions (NAT 0 ACL) dialog box 20-20

Translation Exemptions (NAT 0 ACL) tab 20-19

Translation Options page 20-16

Translation Rules page 20-18

policy configuration 39-1

priority queues 48-4

priority queues configuration 48-4

routing

No Proxy ARP 46-1

OSPF 46-2

OSPF - advanced settings 46-4

OSPF - Area/Area networks 46-6

OSPF - Area Range 46-9

OSPF - Area tab 46-6

OSPF - Filtering configuration 46-19

OSPF - Filtering tab 46-17

OSPF - General tab 46-3

OSPF - Interface configuration 46-23

OSPF - Interface tab 46-21

OSPF - Neighbors tab 46-10

OSPF - Range tab 46-8

OSPF - Redistribution rule 46-13

OSPF - Redistribution tab 46-11

OSPF - static neighbor 46-11

OSPF - Summary Address configuration 46-21

OSPF - Summary Address tab 46-20

OSPF - Virtual Link configuration 46-15

OSPF - Virtual Link MD5 configuration 46-17

OSPF - Virtual Link tab 46-14

RIP (PIX/ASA 6.3-7.1, FWSM) 46-26

RIP (PIX/ASA 6.3-7.1, FWSM) configuration 46-27

RIP (PIX/ASA 7.2+) 46-28

RIP (PIX/ASA 7.2+) Filtering 46-32

RIP (PIX/ASA 7.2+) Filtering configuration 46-32

RIP (PIX/ASA 7.2+) Interface 46-33

RIP (PIX/ASA 7.2+) Interface configuration 46-33

RIP (PIX/ASA 7.2+) Redistribution 46-30

RIP (PIX/ASA 7.2+) Redistribution configuration 46-31

RIP (PIX/ASA 7.2+) Setup 46-29

RIP page 46-25

Static Route configuration 46-34

Static Route page 46-34

security contexts 49-4

security policies 47-1

General configuration 47-3

General page 47-1

timeouts 47-4

service policy

wizard 48-6

service policy rules 48-1

SNMP configuration 40-7

traffic class 48-7

Unicast Reverse Path Forwarding 47-2

PIX/ASA/FWSM Platform policies

about contexts 39-5

bridging 39-17

configuring banners 39-24

configuring boot image and configuration settings 39-24

configuring clock 39-25

configuring contact credentials 39-26

configuring device administration policies 39-19

configuring fragment settings 47-2

configuring interfaces 39-2

configuring NAT 20-15

transparent mode 20-15

configuring security contexts 49-1

operating modes 39-4

PIX 6.3

Failover 41-9

interface configuration 41-10

interfaces

add/edit 50-14

PIX 7.x

Failover

Add Failover Group 41-20

interface configuration 41-22

settings 41-18

failover 41-16

PIX devices

AAA support 6-21

monitoring service level agreements 42-7

remote access VPNs

IPsec proposals 27-75

user group policies 27-84

selecting policy types to manage 5-10

PIX firewalls

access controls

access list compilation 14-20

object group search 14-20

adding SSL thumbprints manually 9-4

configuring transparent firewall rules 19-1

FlexConfig object samples 7-21

interfaces 50-2

about adding/editing 50-4

add/edit 50-5

advanced settings 50-17

PPPoE Users 50-19, 50-20

VPDN Groups 50-18

packet tracer, using 60-1

PIX/ASA/FWSM Platform policies 50-1

rollback, commands to recover from failover misconfiguration 8-62

rollback command conflicts 8-61

rollback restrictions for failover devices 8-58

rollback restrictions for multiple context mode 8-58

setting up AUS or CNS 2-8

setting up SSL (HTTPS) 2-3

SSL certificate configuration 11-14

PKI (Public Key Infrastructure) policies

CA server authentication methods 22-27

configuring 22-31

defining multiple CA servers 22-30

enrollment prerequisites 22-28

Public Key Infrastructure page (site-to-site VPN) 22-32

understanding 22-26

using TFTP 22-29

PKI enrollment

prerequisites 22-28

prerequisites using TFTP 22-29

PKI enrollment objects

defining CA server properties 28-35

defining certificate attributes 28-40

defining enrollment parameters 28-39

defining trusted CA hierarchy 28-42

properties 28-33

Plug-in tab (ASA) 27-98

Point-to-Point Protocol (PPP)

defining connections 52-71

defining multilink PPP bundles 52-74

on Cisco IOS routers 52-70

PPP dialog box 52-76

PPP/MLP Policy page 52-75

understanding multilink PPP (MLP) 52-70

point-to-point topologies

description 21-3

policies

adding local rules to shared policies 5-41

assigning shared policies 5-40

basic concepts

inheritance vs. assignment 5-6

local vs. shared 5-3

managing 5-28

overview 5-1

rule inheritance 5-4

service vs. platform-specific 5-2

settings-based vs. rule-based 5-2

shared policies in Device view or Site-to-Site VPN Manager 5-34

signature inheritance 33-3

status icons 5-28

configuring common site-to-site VPNs 22-1

copying between devices 5-30

copying shared policies 5-43

creating shared 5-50

deleting shared 5-52

Device view

configuring local policies 5-29

managing 5-27

modifying assignments 5-45

modifying shared policies 5-44

discovering 5-12

discovering on existing devices 5-15

FlexConfigs

adding objects 7-32

changing object order 7-32

changing variable values 7-32

configuring 7-22

configuring AAA for administrative introducers 53-85

editing 7-32

FlexConfig Policy page 7-33

previewing CLI 7-32

removing objects 7-32

understanding 7-1

group

understanding 26-30

inheriting rules 5-42

locking 5-7

managing 5-1

object selectors 6-2

overview 1-11

performing basic policy management in Map view 29-22

PKI (Public Key Infrastructure) 22-26

policy banner 5-35

policy discovery FAQ 5-25

policy management and objects 5-7

Policy view

managing 5-46

modifying assignments 5-50

preshared keys 22-22

renaming 5-44

router platform policies 51-1

selecting policies to manage 5-10

sharing local 5-37

sharing multiple local policies 5-38

Site-to-Site VPN Manager

managing 5-27

modifying assignments 5-45

site-to-site VPNs 21-8

specifying interfaces 6-58

specifying IP addresses 6-68

unassigning 5-32

unsharing 5-39

viewing discovery task status 5-20

VPN defaults 11-39

policy assignments

modifying in Device view 5-45

modifying in Policy view 5-50

modifying in Site-to-Site VPN Manager 5-45

overview 1-11, 1-14

policy discovery

AAA commands not displayed in AAA policy 5-27

ACL naming conventions 12-5

ACLs 5-15

Catalyst devices 5-13

Catalyst switches and 7600 Series routers 58-1

Cisco IOS routers 5-13, 51-3

frequently asked questions 5-25

IPS devices 5-13

network masks 6-63

object groups 5-14

on existing devices 5-15

overview 1-11, 1-14

policy objects 5-14

preserving ACL names 12-4

resolving ACL naming conflicts 12-6

security contexts 5-13

understanding 5-12

viewing task status 5-20

VPNs 5-12

web VPN restrictions 3-7

Policy Discovery Status command 1-26

Policy Discovery Status page 5-23

Policy Dynamic Translation Rule

PIX/ASA/FWSM 20-23

add/edit 20-24

policy management

Settings page 11-31

Policy Management page 11-31

policy maps

understanding 6-60

Policy menu

command reference 1-24

Policy Object Manager command 1-26

Policy Object Manager window

creating overrides 6-15

deleting overrides 6-17

field reference 6-3

shortcut menu 6-5

Policy Object Overrides window 6-16

policy objects

AAA server

HTTP-FORM settings 6-35

Kerberos settings 6-31

LDAP settings 6-32

NT settings 6-34

RADIUS settings 6-28

SDI settings 6-34

TACACS+ settings 6-30

AAA server groups

attributes 6-38

creating 6-37

default server groups on IOS devices 6-24

predefined authentication groups 6-23

understanding 6-20

AAA servers

creating 6-25

supported additional types for ASA/PIX/FWSM 6-21

supported types 6-21

understanding 6-20

access control lists

creating 6-40

extended objects 6-41

standard objects 6-43

web objects 6-44

ASA group policies

client configuration settings 28-4

client firewall attributes 28-5

connection settings 28-20

DNS/WINS settings 28-18

hardware client attributes 28-7

IPSec settings 28-9

split tunneling settings 28-19

SSL VPN clientless settings 28-11

SSL VPN full client settings 28-13

SSL VPN settings 28-15

technology settings 28-1

basic procedures 6-6

categories, using 6-9

Cisco Secure Desktop configuration

creating 26-61

class map

creating for inspection rules 15-19

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

connection with policy management 5-7

creating 6-6

credentials

attributes 28-23

DCE/RPC policy map

properties 15-23

deleting 6-12

DNS policy map

properties 15-24

duplicating 6-10

editing 6-9

ESMTP policy map

properties 15-30

exporting 6-17

file objects

attributes 28-24

FlexConfigs

adding to policies 7-32

changing order in policies 7-32

changing variable values 7-32

configuring 7-22

configuring AAA for administrative introducers 53-85

creating 7-25

creating text objects 7-29

previewing CLI 7-32

properties 7-27

property selector 7-31

removing from policies 7-32

system variables 7-7

undefined variables 7-30

understanding 7-1

variables 7-4, 7-6

FTP policy map

properties 15-33

generating usage reports 6-11

GTP policy map

properties 15-36

H.323 (ASA/PIX/FWSM) policy map

properties 15-41

HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map

properties 15-45

HTTP (ASA7.2+/PIX7.2+) policy map

properties 15-53

IKE proposals

properties 28-26

IM (ASA7.2+/PIX7.2+) policy map

properties 15-59

IM (IOS) policy map

properties 15-62

importing 6-17

Inspect parameter map

properties 18-28

interface roles

creating 6-56

understanding 6-55

IP Options policy map

properties 15-64

IPsec Pass Through policy map

properties 15-65

IPSec transform sets

attributes 28-28

LDAP attribute map objects

attributes 28-31

Local Web Filter parameter map

properties 18-36

managing 6-1

maps

understanding 6-60

N2H2 parameter map

properties 18-37

NetBIOS policy map

properties 15-66

network/host

optimizing when deploying firewall rules 12-30

understanding 6-62

using in Event Viewer filters 59-53

network/host objects

naming when provisioned as object groups 6-75

networks/hosts

creating 6-64

unspecified value objects 6-67

object selectors 6-2

overrides 3-42

allowing 6-13

creating for multiple devices 6-15

creating for single device 6-14

deleting 6-17

managing 6-12

understanding 6-13

overview 1-11

parameter map

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

PKI enrollments

defining CA server properties 28-35

defining certificate attributes 28-40

defining enrollment parameters 28-39

defining trusted CA hierarchy 28-42

properties 28-33

policy discovery 5-14

policy map

creating for inspection rules 15-19

creating for zone-based firewall content filtering 18-34

creating for zone-based firewall inspection 18-15

port forwarding lists

properties 28-42

port list objects

naming when provisioned as object groups 6-75

port lists

creating 6-69

properties 6-71

Protocol Info parameter map

properties 18-31

provisioning as object groups 6-75

regular expression group policy map

properties 15-76

regular expression objects

metacharacters 15-78

regular expression policy map

properties 15-77

selecting for policies 6-2

service objects

naming when provisioned as object groups 6-75

provisioning as object groups 6-76

services

creating 6-69

Settings page 11-32

single sign-on server

properties 28-44

SIP (ASA/PIX/FWSM) policy map

properties 15-67

Skinny policy map

properties 15-73

SLA monitors

attributes 42-9

configuring 42-8

understanding 42-7

SNMP policy map

properties 15-75

SSL VPN bookmark

configuring 26-68

post URL method and macro substitutions 26-70

SSL VPN Customization

configuring 26-63

creating custom Logon page 26-67

localizing 26-66

SSL VPN gateway

properties 28-63

SSL VPN smart tunnel lists

attributes 28-65

configuring 26-71

TCP Map policy map

properties 48-17

text

creating 7-29

time ranges

attributes for recurring ranges 6-54

configuring 6-53

traffic flow

default inspection traffic 48-15

properties 48-13

Trend parameter map

properties 18-40

URLF Glob parameter map

properties 18-43

URLF Glob parameter maps

metacharacters 18-44

URL Filter parameter map

properties 18-41

user groups

advanced PIX 6.3 settings 28-77

browser proxy settings 28-83

clientless settings 28-78

client VPN software update (IOS) settings 28-76

DNS/WINS settings 28-72

general settings 28-70

IOS client settings 28-73

IOS Xauth settings 28-75

split tunneling settings (Easy VPN/remote access IPSec VPN) 28-72

SSL VPN connection settings 28-84

SSL VPN full tunnel settings 28-79

SSL VPN split tunneling settings 28-81

technology settings 28-68

thin client settings 28-79

viewing details 6-10

VPN-related object reference 28-1

Web Filter policy map

properties 18-45

Websense parameter map

properties 18-37

WINS server lists

attributes 28-85

creating 26-73

policy objects interface

Interface Role dialog box 6-57

SSL VPN Bookmark Entry dialog box 28-47

SSL VPN bookmarks

Add or Edit Bookmarks dialog boxes 28-46

Post Parameters dialog box 28-49

Policy Objects page 11-32

policy query

example report 12-29

generating reports 12-24

interpreting report results 12-28

Querying Device or Policy dialog box 12-25

Policy Query Results dialog box 12-28

Policy view

Assignments tab 5-50

creating shared policies 5-50

deleting shared policies 5-52

filtering shared policy selector 1-30

modifying assignments 5-50

overview 1-7

selectors 5-48

Shared Policy selector options 5-49

understanding 5-46

Policy View command 1-23

POP3

configuring for inspection rules 15-17

POP3 class map objects

creating 18-15

match criteria 18-22

POP3 policy map objects

creating 18-15

match conditions and actions 18-33

Port Address Translation (PAT) 22-13

Portal Page Customization page 27-11

port application mapping

see PAM 18-63

port forwarding list objects

properties 28-42

port list objects

creating 6-69

naming when provisioned as object groups 6-75

properties 6-71

ports

ASA 5505 50-25

configure 50-28

Posture ACL dialog box 30-25

PPP dialog box

MLP tab 52-79

PPP tab 52-77

PPPoE Users 50-19, 50-20

pre-provisioning devices 3-20

preshared key authentication methods 22-3

preshared key negotiation methods

aggressive mode 22-23

FQDN (fully qualified domain name) 22-23

main mode address 22-23

preshared keys

aggressive mode negotiation 22-22

configuring policies 22-23

FQDN (fully qualified domain name) negotiation 22-22

main mode address negotiation 22-22

Preshared Key page 22-24

understanding 22-22

Preview Configuration command 1-26

Print command 1-23

priority queues

PIX/ASA/FWSM

configuration 48-4

page 48-4

Product Authorization Key (PAK) 10-2

productivity categories for Trend class maps 18-18

properties

changes with policy effects 3-44

changing critical device 3-42

image version changes with no policy effects 3-43

understanding device 3-5

viewing or changing device 3-34

Property Selector dialog box 7-31

protected networks

defining in GET VPN topologies 21-54

defining in VPN topologies 21-31

Protected Networks tab 21-42

Protocol Independent Multicast 45-11

Protocol Info parameter map objects

properties 18-31

Protocol Info Parameters map object

creating 18-15

Protocol Map dialog box 35-12

protocols

selecting for inspection 15-3

Protocol tab

IGMP 45-3

proxies

defining 26-51

understanding 26-51

proxy ARP

enabling on IOS routers 52-19

proxy bypass rules

defining 26-51

proxy bypass settings

understanding 26-51

proxy server

configuring HTTP for IPS global correlation 30-22

Proxy tab (ASA) 27-94

Public Key Infrastructure (PKI) page 27-66

public key infrastructure (PKI) policies

configuring 26-33

public key infrastructure (PKI) proposals

configuring 26-37

understanding 26-37

PVC Advanced Settings dialog box

OAM-PVC tab 52-68

OAM tab 52-66

PVC dialog box

Protocol tab 52-63

QoS tab 52-60

Settings tab 52-57

PVC policies

unable to deploy 9-14

Q

QoS

PIX/ASA/FWSM

rules 48-5

rules wizard 48-6

tab 48-8

QoS Class dialog box 56-23

Edit ACLs dialog box 56-26

Marking tab 56-26

Matching tab 56-24

Policing tab 56-29

Queuing and Congestion Avoidance tab 56-27

Shaping tab 56-31

QoS queuing

default class 56-6

defining for classes 56-16

tail drop vs. WRED 56-4

understanding 56-4

understanding LLQ 56-5

quality of service (QoS)

CEF requirements 56-2

defining on control plane 56-13

defining on interfaces 56-10

defining policies 56-10

on Cisco IOS routers 56-1

QoS Class dialog box 56-23

QoS Policy dialog box 56-21

Quality of Service Policy page 56-20

understanding

Control Plane Policing 56-9

default class queuing 56-6

low-latency queuing 56-5

marking parameters 56-3

matching parameters 56-2

policing parameters 56-6

queuing parameters 56-4

shaping parameters 56-6

tail drop and WRED 56-4

token-bucket mechanism 56-8

quality of service (QoS) classes

defining marking parameters 56-15

defining matching parameters 56-14

defining policing parameters 56-17

defining queuing parameters 56-16

defining shaping parameters 56-19

query

CS-MARS

access rule events 60-20

IPS signature events 60-22

looking up policies based on related events 60-23

overview 60-19

troubleshooting 60-18

Event Viewer

looking up policies based on related events 59-43

Querying Device or Policy dialog box 12-25

R

RADIUS

description 6-21

settings in AAA server objects 6-28

rate limiting, IPS 37-4

Real-time Log Viewer 60-7

recovery

event data store 59-24

Recurring Ranges dialog box 6-54

Redeploy a Job dialog box 8-46

Redeploying Licenses dialog box 11-29

rediscovering

remote access VPNs 26-8

rediscovering site-to-site VPNs 21-25

Rediscover VPN Policies wizard 21-25

redundant interfaces 39-4

red X in device selector, troubleshooting 9-8

Refresh Map command 1-25

regular expression group objects

properties 15-76

regular expression objects

metacharacters 15-78

properties 15-77

regular IPsec

mandatory and optional policies 21-6

supported platforms 21-8

Reject Activity command 1-28

Reject Activity dialog box 4-16

Reject Deployment Job dialog box 8-19, 8-37

Remote Access Configuration wizard 27-1

IPsec VPN

Defaults page 27-16

IPsec Settings page (ASA) 27-14

IPsec VPN Connection Profile page (ASA) 27-13

User Group Policy page (IOS) 27-15

SSL VPN

Access page (ASA) 27-2

Connection Profile page (ASA) 27-3

Gateway and Context page 27-10

Portal Page Customization page 27-11

remote access SSL VPNs

cluster load balancing 26-16

remote access VPN

system variables 7-17

Remote Access VPN Configuration wizard

IPsec VPNs

creating 26-11, 26-14

SSL VPNs

creating 26-10, 26-12

using 26-9

remote access VPN policies

redirection using an FQDN

cluster load balancing and 26-16

remote access VPNs

ASA devices

configuring bookmarks 26-68

configuring portal appearance 26-63

configuring WINS servers for file system access 26-73

customizing 26-63

group policies 26-31

post URL method and macro substitutions in bookmarks 26-70

smart tunnels 26-71

configuring

using wizard 26-9

discovering 26-8

IOS devices

configuring bookmarks 26-68

configuring WINS servers for file system access 26-73

IPsec 26-15, 26-34

certificate to connection profile map policies 26-34, 26-35

certificate to connection profile map rules 26-35, 26-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) 27-70

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) 27-69

Certificate to Connection Profile Maps > Policies page 27-67

Certificate to Connection Profile Maps > Rules page 27-68

cluster load balancing 26-16, 26-17, 27-17

connection profiles 26-18

connection profiles (ASA) 26-18

connection profiles (ASA, PIX 7+) 27-18

creating using wizard 26-11, 26-14

dynamic access policies 26-19, 26-20

dynamic access policy (DAP) attributes 26-22, 26-25

Dynamic Access policy page (ASA) 27-33

Dynamic VTI/VRF Aware IPsec settings 27-81

fragmentation settings 27-64

global settings 26-28

Global Settings page 27-60

group policies 27-66

high availability 27-71

high availability policies 26-41

IKE proposals 27-73

ISAKMP/IPsec settings 27-60

NAT settings 27-63

Public Key Infrastructure (PKI) 27-66

public key infrastructure (PKI) policies 26-33

public key infrastructure (PKI) proposals 26-37

secure desktop manager policies 26-26

understanding 26-2

user group policies 26-42, 26-43, 27-84

VPNSM/VPN SPA settings 27-80

IPsec proposals 26-38, 27-74, 27-75, 27-77

configuring 26-39

managing 26-1

rediscovering 26-8

SSL 26-15, 26-43

access modes 26-4

access policies (ASA) 26-45, 27-85, 27-87

access settings 26-44, 26-58

advanced settings (ASA) 27-102

AnyConnect client image settings (ASA) 27-101

AnyConnect client profile settings (ASA) 27-101

browser plug-ins 26-55

browser plug-ins (ASA) 26-53, 27-98, 27-99

certificate to connection profile map policies 26-34, 26-35

certificate to connection profile map rules 26-35, 26-36

Certificate to Connection Profile Maps > Map Rule dialog box (lower pane) 27-70

Certificate to Connection Profile Maps > Map Rule dialog box (upper pane) 27-69

Certificate to Connection Profile Maps > Policies page 27-67

Certificate to Connection Profile Maps > Rules page 27-68

client settings 26-57

client settings (ASA) 26-56, 27-99

cluster load balancing 26-17, 27-17

connection profiles 26-18

connection profiles (ASA) 27-18

content rewrite rules 26-48

content rewrite settings (ASA) 27-90, 27-91

Context Editor dialog box (IOS) 27-105, 27-107

creating using wizard 26-10, 26-12

dynamic access policies 26-19, 26-20

dynamic access policy (DAP) attributes 26-22, 26-25

Dynamic Access policy page (ASA) 27-33

encoding rules 26-50

encoding settings 26-49

encoding settings (ASA) 27-91, 27-93

example 26-4

fragmentation settings 27-64

global settings 26-28

Global Settings page 27-60

group policies 27-66

ISAKMP/IPsec settings 27-60

limitations 26-7

managing support files 26-5

NAT settings 27-63

other settings (ASA) 26-46, 27-88

performance settings 26-47

performance settings (ASA) 26-47, 27-88

policies (IOS) 27-105

prerequisites 26-7

proxies 26-51

proxy bypass rules 26-51

proxy bypass settings (ASA) 26-51, 27-97

proxy settings (ASA) 27-94

Public Key Infrastructure (PKI) 27-66

public key infrastructure (PKI) policies 26-33

secure desktop manager policies 26-26

shared license (ASA) 27-103

shared license clients 26-59

shared license server 26-59

understanding 26-3

understanding 26-2

user interface reference 27-1

VPN client in 26-2

VPN gateway in 26-2

remote access VPN servers

configuring devices as 26-9

configuring policies on 26-9

Remote Access Configuration wizard 26-9

Remote Defect Indication (RDI) cells 52-50

Rename Policy command 1-24

Rename Policy dialog box 5-44

Rendezvous Point

PIX/ASA/FWSM

add/edit 45-16

Rendezvous Points

PIM 45-15

reports

example policy query 12-29

generating access rule analysis 14-21

generating policy query 12-24

interpreting policy query 12-28

reputation

configuring global correlation 36-5

understanding IPS global correlation 36-2

Request Filter

PIM 45-19

Resources

FWSM 42-3

add/edit 42-3

managing 42-2

restorebackup.pl command 10-18

restore database 10-18

Resume Deployment Schedule dialog box 8-19, 8-52

retry count

device communication 11-13

reverse route injection 22-8

RIP

PIX/ASA/FWSM 46-25

(PIX/ASA 6.3-7.1, FWSM) 46-26

(PIX/ASA 6.3-7.1, FWSM) configuration 46-27

(PIX/ASA 7.2+) 46-28

(PIX/ASA 7.2+) Filtering 46-32

(PIX/ASA 7.2+) Filtering configuration 46-32

(PIX/ASA 7.2+) Interface 46-33

(PIX/ASA 7.2+) Interface configuration 46-33

(PIX/ASA 7.2+) Redistribution 46-30

(PIX/ASA 7.2+) Redistribution configuration 46-31

(PIX/ASA 7.2+) Setup 46-29

RIP routing

Cisco IOS routers

Authentication dialog box 57-47

Authentication tab 57-46

defining interface authentication 57-43

defining setup parameters 57-43

overview 57-42

redistributing routes 57-44

Redistribution Mapping dialog box 57-49

Redistribution tab 57-48

RIP Routing Policy page 57-45

Setup tab 57-46

roles, IPS user 30-13

rollback

archived configuration files 8-64

last deployed configuration 8-62

when deploying to file 8-65

Rollback a Job dialog box 8-62

routed ports

Create and Edit Interface dialog boxes-Routed Port mode 58-12

understanding 58-5

Router Block Interface dialog box 37-16

Router Device dialog box 37-14

router platform interface

802.1x Policy page 54-5

AAA policy

AAA Policy page 53-6

Accounting tab 53-10

Authentication tab 53-6

Authorization tab 53-7

Command Accounting dialog box 53-12

Command Authorization dialog box 53-9

accounts and credentials policy

Accounts and Credentials Policy page 53-15

User Accounts dialog box 53-17

ADSL policy

ADSL Policy page 52-37

ADSL Settings dialog box 52-38

advanced interface settings policy

Advanced Interface Settings dialog box 52-16

Advanced Interface Settings page 52-15

BGP policy

BGP Neighbors dialog box 57-6

BGP Redistribution tab 57-6

BGP Routing Policy page 57-4

BGP Setup tab 57-4

Redistribution Mapping dialog box 57-7

bridging policy

Bridge Group dialog box 53-21

Bridging Policy page 53-20

CEF interface policy 52-25

CEF Interface Settings dialog box 52-26

Clock Policy page 53-23

console policy

AAA tab 53-44

Accounting tab 53-47

Authentication tab 53-44

Authorization tab 53-45

Command Accounting dialog box 53-62

Command Authorization dialog box 53-61

Console Policy page 53-42

Setup tab 53-42

CPU Policy page 53-26

DHCP policy

DHCP Database dialog box 53-95

DHCP Policy page 53-93

IP Pool dialog box 53-95

dialer interface policy

Dialer Physical Interface dialog box 52-32

Dialer Policy page 52-30

Dialer Profile dialog box 52-31

DNS policy

IP Host dialog box 53-77

DNS Policy page 53-77

EIGRP policy

EIGRP Routing Policy page 57-13

Interface dialog box 57-16

Interfaces tab 57-15

Redistribution Mapping dialog box 57-18

Redistribution tab 57-17

Setup dialog box 57-14

Setup tab 57-13

Hostname Policy page 53-79

HTTP policy

AAA tab 53-32

Command Authorization Override dialog box 53-34

HTTP Policy page 53-31

Setup tab 53-31

interfaces policy

Create Router Interface dialog box 52-8

Interface Auto Name Generator dialog box 52-12

Router Interfaces page 52-7

IPS interface policy

IPS Monitoring Information dialog box 52-24

IPS Module interface policy

IPS Module Interface Policy Page 52-23

logging policy

Syslog Server dialog box 55-11

logging setup policy

Logging Setup Policy page 55-7

Memory Policy page 53-80

NAC policy

Identities tab 54-18

Identity Action dialog box 54-19

Identity Profile dialog box 54-19

Interface Configuration dialog box 54-17

Interfaces tab 54-16

NAC Policy page 54-14

Setup tab 54-14

NAT policy

Dynamic Rule dialog box 20-11

Interface Specification tab 20-6

Static Rule dialog box 20-7

Static Rules tab 20-6

NetFlow policy 55-5, 55-12

NTP policy

NTP Policy page 53-99

NTP Server dialog box 53-100

OSPF policy

Area dialog box 57-37

Area tab 57-37

Interface dialog box 57-31

Max Prefix Mapping dialog box 57-41

OSPF Interface Policy page 57-30

OSPF Process Policy page 57-34

Redistribution Mapping dialog box 57-39

Redistribution tab 57-38

Setup dialog box 57-36

Setup tab 57-35

PPP/MLP policy

PPP/MLP Policy page 52-75

PPP dialog box 52-76

PVC policy

Define Mapping dialog box 52-64

PVC Advanced Settings dialog box 52-65

PVC dialog box 52-55

PVC Policy page 52-54

QoS policy

QoS Class dialog box 56-23

QoS Policy dialog box 56-21

Quality of Service Policy page 56-20

RIP policy

Authentication dialog box 57-47

Authentication tab 57-46

Redistribution Mapping dialog box 57-49

Redistribution tab 57-48

RIP Routing Policy page 57-45

Setup tab 57-46

Secure Device Provisioning Policy page 53-86

Secure Shell Policy page 53-65

SHDSL policy

Controller Auto Name Generator dialog box 52-45

SHDSL Controller dialog box 52-43

SHDSL Policy page 52-42

SNMP policy

Permission dialog box 53-71

SNMP Policy page 53-70

SNMP Traps dialog box 53-73

Trap Receiver dialog box 53-72

static routing policy

Static Routing dialog box 57-53

Static Routing Policy page 57-52

syslog servers policy

Syslog Servers Policy page 55-10

VTY policy

Command Accounting dialog box 53-62

Command Authorization dialog box 53-61

VTY Line dialog box 53-51

VTY Policy page 53-50

router platform policies

Device Admin policies

AAA 53-2

accounts and credentials 53-13

CPU settings 53-25

DHCP 53-88

DNS 53-75

host and domain names 53-78

HTTP 53-28

line access 53-35

memory settings 53-79

optional SSH settings 53-63

Secure Device Provisioning (SDP) 53-82

SNMP 53-67

time zone settings 53-22

transparent bridging 53-18

Identity policies

802.1x 54-1

Network Admission Control (NAC) 54-8

Interface policies

ADSL 52-34

advanced settings 52-13

basic settings 52-1

dialer interfaces 52-27

PPP 52-70

PVC 52-46

SHDSL 52-40

Logging policies 55-1

NAT 20-5

dynamic rules 20-10

static rules 20-6

timeouts 20-13

NetFlow policies 55-1

Network Time Protocol (NTP) 53-97

quality of service (QoS) 56-1

Routing policies

BGP routing 57-1

EIGRP routing 57-8

OSPF routing 57-19

RIP routing 57-42

static routing 57-50

routers

adding SSL thumbprints manually 9-4

CEF interface settings policies 52-24

Cisco Discovery Protocol (CDP) settings 52-18

CNS call-home mode 2-10

CNS event-bus mode 2-9

communication requirements 2-1

configuring SSH 2-6

default transport protocol for 12.1 and 12.2 11-13

default transport protocol for 12.3 and above 11-13

deploying configurations using TMS 8-41

enabling directed broadcasts 52-20

enabling Maintenance Operation Protocol (MOP) 52-19

enabling NBAR protocol discovery 52-19

enabling proxy ARP