Index
Numerics
12.1 and 12.2
managing routers 57-2
3DES encryption algorithm
in IKE proposals 24-6
802.1x
802.1x Policy page 60-5
defining policies 60-4
interface authorization states 60-2
on Cisco IOS routers 60-1
supported topologies 60-3
understanding device roles 60-2
A
AAA
about 46-1
Cisco IOS routers
AAA Policy page 59-6
Accounting tab 59-10
Authentication tab 59-6
Authorization tab 59-7
Command Accounting dialog box 59-12
Command Authorization dialog box 59-9
defining services 59-4
overview 59-2
supported accounting types 59-3
supported authorization types 59-2
understanding method lists 59-3
configuring access control for IPS 34-19
configuring on firewall devices 46-1
credentials for device access 3-4
device administration 46-4
local fallback 46-3
network access 46-4
PIX/ASA/FWSM 46-5
Accounting tab 46-7
Authentication tab 46-5
Authorization tab 46-6
support 46-2
VPN access 46-4
AAA authentication groups
predefined 6-26
AAA firewall
MAC exempt lists 14-22
AAA Firewall page
Advanced Setting tab 14-18
AAA firewall policy
advanced settings 14-18
configuring 14-6
AAA page 14-24
AAA rules
ACL naming conventions 12-5
combining rules
example 12-26
interpreting results 12-24
procedure 12-21
configuring AAA firewall settings (PIX/ASA/FWSM) 14-6
configuring AuthProxy settings (IOS) 14-8
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 14-4
configuring for IOS devices 14-7
configuring identity aware 13-21
configuring in Map view 33-22
configuring settings
for IOS devices in Map view 33-23
for PIX/ASA/FWSM in Map view 33-23
deleting 12-9
disabling 12-19
editing 12-9
enabling 12-19
managing 14-1
moving 12-18
preserving ACL names 12-4
properties 14-12
understanding 14-1
understanding how users authenticate 14-2
understanding NAT effects 12-3
understanding processing order 12-2
AAA Rules page 14-9
AAA server group objects
attributes 6-45
creating 6-43
default server groups on IOS devices 6-27
predefined authentication groups 6-26
understanding 6-23
AAA server objects
creating 6-28
HTTP-FORM settings 6-40
Kerberos settings 6-34
LDAP settings 6-35
NT settings 6-38
RADIUS settings 6-31
SDI settings 6-39
supported additional types for ASA/PIX/FWSM 6-24
supported types 6-24
TACACS+ settings 6-33
understanding 6-23
AAA servers
supported types on ASA, PIX, FWSM devices 6-24
Abort the Job dialog box 8-51
About Configuration Manager command 1-35
ABR
definition 53-2
access control list objects
creating 6-48
extended objects 6-48
standard objects 6-50
web objects 6-51
access control lists
GET VPN security policies 27-10
policy discovery 5-14
access control lists (ACLs)
names preserved during discovery 12-4
naming conventions 12-5
resolving naming conflicts 12-6
access controls
configuring ACL names (IPv4 or IPv6) 15-19
configuring settings 15-19
configuring settings in Map view 33-23
Access Control Settings page 15-20
Access Group tab (IGMP) 52-5
Access Interface Configuration dialog box (ASA) 29-36
access permissions
Event Viewer 65-3
Health and Performance Monitor 67-3
maps 33-7
Report Manager 66-5
access policies
configuring 29-36
reference 29-33
understanding 29-32
access ports
Create and Edit Interface dialog boxes-Access Port mode 64-9
understanding 64-5
access rule
look up
from device managers 68-13
access rules
access control settings 15-20, 15-22
Access Rules page 15-9
ACL naming conventions 12-5
address requirements 15-5
Advanced dialog box 15-16
combining rules
example 12-26
interpreting results 12-24
procedure 12-21
configuring 15-7
configuring access control settings 15-19
configuring identity aware 13-21
configuring in Map view 33-22
controlling non-IP layer-2 traffic 21-1
deleting 12-9
detecting conflicts 15-24
disabling 12-19
Edit Firewall Rule Expiration dialog box 15-18
editing 12-9
enabling 12-19
examples of event analysis
user access to server blocked 65-50
expiration dates 15-19
finding from CS-MARS events 68-27
finding from Event Viewer events 65-48
generating analysis reports 15-30
hit counts
analyzing results 15-36
generating 15-32
how deployed 15-5
identity-aware rules
requirements 13-3
import examples 15-42
importing 15-37
IPS blocking, effect of 41-4
managing 15-1
moving 12-18
optimizing during deployment 15-44
packet tracer, analyzing with 68-1
preserving ACL names 12-4
Report Manager reports
firewall traffic reports 66-13
resolving conflicts 15-30
rule attributes 15-12
sharing ACLs among interfaces 11-12
syslog messages supported for look-up 68-28
understanding 15-1
understanding device-specific behavior 15-4
understanding global 15-3
understanding NAT effects 12-3
understanding processing order 12-2
understanding requirements when using inspection 16-4
understanding the automatic conflict detection user interface 15-26
viewing related CS-MARS events 68-24
Access Rules page 15-9
Accounting
Cisco IOS routers
settings 59-10
accounts and credentials
Cisco IOS routers
overview 59-13
PIX/ASA/FWSM
user accounts 49-6
user accounts, add/edit 49-7
accounts and credentials policies
Accounts and Credentials Policy page 59-15
User Accounts dialog box 59-17
ACLs
configuring names (IPv4 or IPv6) 15-19
ACS user authorization
configuring notifications when unavailable 1-23
Event Viewer 65-3
Health and Performance Monitor 67-3
how permissions affect what you can do 1-9
Report Manager 66-5
Active/Active failover
about 48-2
command replication 48-4
configuration synchronization 48-3
Active/Standby failover 48-2
Active Directory (AD)
collecting user statistics 13-25
configuring agent communication options 13-15
enabling for identity-aware firewall 13-8
identifying AD servers and agents 11-25, 13-8
requirements for identity-aware firewall 13-3
activities
accessing functions 4-8, 4-9
Activity Manager window 4-10
Approved state 4-5
approving 4-3, 4-20
benefits of 4-2
closing 4-15
creating 4-13
discarding 4-21
Edit state 4-4
locking 4-3
managing 4-1
multiple users 4-4
opening 4-14
overview 1-17
rejecting 4-20
responding to the Activity Required dialog box 4-14
states 4-4
Submitted state 4-5
submitting for approval 4-19
understanding 4-1
validating 4-18
viewing change reports 4-16
viewing status and history 4-22
working with 4-7
Activities command 1-31
Activities menu 1-32
Activity Manager window 4-10
Activity Required dialog box 4-14
Add/Edit AnyConnect Client Image dialog box (ASA) 29-50
Add/Edit Collector dialog box 51-2
Add/Edit Content Rewrite dialog box (ASA) 29-40
Add/Edit DAP Entry Dialog Box > Device 30-27
Add/Edit File Encoding dialog box 29-41
Add/Edit Multicast Route dialog box 52-8, 52-10
description 52-9
Add/Edit PIM Neighbor Filter dialog box 52-13
Add/Edit Proxy Bypass dialog box 29-45
Add AAA Rule dialog box 14-12
Add AAA Server dialog box 6-29
Add AAA Server Group dialog box 6-45
Add Access List dialog box (Allowed Hosts policy) 34-7
Add Access Rule dialog box 15-12
Add an Entry dialog box 37-26
Add AOL Class Map dialog box 16-23, 20-17
Add A Port Forwarding Entry dialog box 32-26
Add ASA Group Policies dialog box
client configuration settings 32-4
client firewall attributes 32-5
connection settings 32-19
DNS/WINS settings 32-17
hardware client attributes 32-7
IPSec settings 32-8
overview 32-1
split tunneling settings 32-18
SSL VPN clientless settings 32-10
SSL VPN full client settings 32-12
SSL VPN settings 32-14
Technology settings 32-1
Add A Smart Tunnel Entry dialog box 32-49
Add Auto Signon Rules dialog box 32-16
Add Cat6k Block Vlan dialog box 41-16
Add Certificate dialog box 11-18
Add Certificate Filter dialog box 23-54
Add Cisco Secure Desktop Configuration dialog box 32-20
Add Client Access Rules dialog box 32-10
Add Client Update dialog box 32-61
Add Column dialog box 32-43
Add Custom Pane dialog box 32-43
Add Custom Signature dialog box 37-12
Add DCE/RPC Map dialog box 16-24
Add Destinations dialog box 12-11
Add Device from Network wizard
Device Credentials page 3-41
Add Devices to Group command 1-28
Add Devices to Group dialog box 3-57
Add DNS Class Map dialog box 16-23
Add DNS Map dialog box
Filtering tab 16-28
overview 16-26
Protocol Conformance tab 16-27
Add eDonkey Class Map dialog box 16-23, 20-17
Add ESMTP Map dialog box 16-32
Add Extended Access Control Entry dialog box 6-54
Add Extended Access List dialog box 6-53
Add External Filter dialog box 20-39
Add FastTrack Class Map dialog box 16-23, 20-17
Add File Object dialog box 32-22
Add FlexConfig dialog box 7-33
Add FTP Class Map dialog box 16-23
Add FTP Map dialog box 16-35
Add Gnutella Class Map dialog box 16-23, 20-17
Add Group dialog box 3-56
Add Group Member dialog box 27-19
Add GTP Map dialog box 16-38
Add H.323 Class Map dialog box 16-23, 20-17
Add H.323 Map dialog box 16-43, 20-32
Add HSI Endpoint IP Address dialog box 16-46
Add HSI Group dialog box 16-45
Add HTTP Class Map dialog box 16-23, 20-17
Add HTTP Map dialog box 20-32
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 16-50
Extension Request Method tab 16-53
General tab 16-49
overview 16-48
Port Misuse tab 16-54
RFC Request Method tab 16-52
Transfer Encoding tab 16-55
ASA 7.2+ and PIX 7.2+ devices 16-56
Add ICQ Class Map dialog box 16-23, 20-17
Add IKEv1 Proposal dialog box 24-10
Add IKEv2 Proposal dialog box 24-13
Add IMAP Class Map dialog box 16-23, 20-17
Add IMAP Map dialog box 20-32
Add IM Class Map dialog box 16-23
Add IM Map dialog box 20-32
ASA and PIX device 16-62
IOS device 16-65
Add Inspect/Application FW Rule wizard
Address and Port page 16-12
Inspected Protocol page 16-15
Match Traffic page 16-10
Add Inspect Parameter Map dialog box 20-29
Add Interfaces dialog box 12-13
Add IP Options Map dialog box 16-66
Add IPsec Pass Through Map dialog box 16-71
Add IPSec Transform Set dialog box 24-23
Add IPv6 Map dialog box 16-68
Add IPv6 Network/Host dialog box 6-73
Add Kazaa2 Class Map dialog box 16-23, 20-17
Add Key Server dialog box 27-19
Add Language dialog box 32-38
Add LDAP Attribute Map dialog box 6-41
Add LDAP Attribute Map Value dialog box 6-42
Add Link command 1-30
Add Link dialog box 33-20
Add Local Rules command 1-29
Add Local Web Filter Class Map dialog box 16-23, 20-17
Add Local Web Filter Parameter Map dialog box 20-36
Add Map Object command 1-30
Add Map Object dialog box 33-17
Add Map Value dialog box 6-43
Add Match Condition and Action dialog box
DNS policy maps 16-29
ESMTP policy maps 16-33
FTP policy maps 16-36
GTP policy maps 16-41
H.323 (IOS) policy maps 20-33
H.323 policy maps 16-46
HTTP (Zone Based IOS) policy maps 20-33
HTTP policy maps 16-57
IM (Zone Based IOS) policy maps 20-33
IMAP policy maps 20-33
IM policy maps 16-63
IPv6 policy maps 16-69
P2P policy maps 20-33
POP3 policy maps 20-33
SIP (IOS) policy maps 20-33
SIP policy maps 16-75
Skinny policy maps 16-79
SMTP policy maps 20-33
Sun RPC policy maps 20-33
Web Filter policy maps 20-33
Add Match Criterion dialog box
AOL class maps 20-19
DNS class maps 16-29
eDonkey class maps 20-19
FastTrack class maps 20-19
FTP class maps 16-36
Gnutella class maps 20-19
H.323 (IOS) class maps 20-20
H.323 class maps 16-46
HTTP (IOS) class maps 20-20
HTTP class maps 16-57
ICQ class maps 20-19
IMAP class maps 20-22
IM class maps 16-63
Kazaa2 class maps 20-19
Local Web Filter class maps 20-27
MSN Messenger class maps 20-19
N2H2 class maps 20-28
POP3 class maps 20-22
SIP (IOS) class maps 20-23
SIP class maps 16-75
SMTP class maps 20-24
Sun RPC class maps 20-27
Websense class maps 20-28
Windows Messenger class maps 20-19
Yahoo Messenger class maps 20-19
Add MSN Messenger Class Map dialog box 16-23, 20-17
Add N2H2 Parameter Map dialog box 20-37
Add N2H2 Web Filter Class Map dialog box 16-23, 20-17
Add NAT Rule dialog box
ASA 8.3+ 22-35
Add NetBIOS Map dialog box 16-72
Add Network/Host dialog box
General tab 6-73
NAT tab 22-42
Add New Device wizard
Device Credentials page 3-41
Add New Security Association dialog box 23-55
Add or Edit Plug-in Entry dialog box (ASA) 29-46
Add Other Devices dialog box 8-54
Add P2P Map dialog box 20-32
Add Permit Response dialog box 16-40
Add PIX/ASA/FWSM Web Filter Rule dialog box 17-5
Add PKI Enrollment dialog box
CA Information tab 24-51
Certificate Subject Name tab 24-57
Enrollment Parameters tab 24-55
overview 24-50
Trusted CA Hierarchy tab 24-58
Add POP3 Class Map dialog box 16-23, 20-17
Add Port Forwarding List dialog box 32-25
Add Port List dialog box 6-80
Add Protocol Info Parameter Map dialog box 20-31
Add Regular Expression dialog box 16-82
Add Regular Expression Group dialog box 16-81
Address Pools
PIX/ASA/FWSM 22-17
add/edit 22-17
address pools
overriding in connection profiles 28-8
Add Row command 1-28
Add Rule Section dialog box 12-21
Add Server dialog box
Protocol Info Parameter maps 20-32
Add Service dialog box 6-82
Add Services dialog box 12-12
Add Single Sign On Server dialog boxes 32-27
Add SIP Class Map dialog box 16-23, 20-17
Add SIP Map dialog box 16-73, 20-32
Add Skinny Map dialog box 16-77
Add SLA Monitor dialog box 49-9
Add Smart Tunnel Auto Signon Entry dialog box 32-52
Add Smart Tunnel Auto Signon Lists dialog box 32-51
Add Smart Tunnel Lists dialog box 32-48
Add SMTP Class Map dialog box 16-23, 20-17
Add SMTP Map dialog box 20-32
Add SNMP Map dialog box 16-80
Add Sources dialog box 12-11
Add SSL VPN Customization dialog box 32-32
Applications 32-42
Copyright Panel 32-40
Custom Panes 32-42
Full Customization 32-41
Home Page 32-44
Informational Panel 32-39
Language 32-36
Logon Form 32-38
Logout Page 32-45
Title Panel 32-35
Toolbar 32-41
Add SSL VPN Gateway dialog box 32-46
Add Standard Access Control Entry dialog box 6-57
Add Standard Access List dialog box 6-53
Add Sun RPC Class Map dialog box 16-23, 20-17
Add Sun RPC Map dialog box 20-32
Add TCP Map dialog box 55-20
Add TCP Option Range Dialog Box 55-22
Add Text Object dialog box 7-35
Add Time Range dialog box 6-60
Add Traffic Flow dialog box 55-16
Add Transparent Firewall Rule dialog box 21-5
Add Trend Content Filter Class Map dialog box 16-23, 20-17
Add Trend Parameter Map dialog box 20-40
Add URL Domain Name dialog box 20-43
Add URLF Glob Parameter Map dialog box 20-43
Add URL Filter Parameter Map dialog box 20-41
Add User dialog box 12-12, 34-17
Add User Group dialog box
Advanced PIX 6.3 settings 32-62
Browser Proxy settings 32-68
Client (IOS) settings 32-59
Clientless settings 32-63
Client VPN Software Update (IOS) settings 32-61
DNS/WINS settings 32-57
General settings 32-56
IOS Xauth Options settings 32-60
overview 32-54
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 32-58
SSL VPN Connection settings 32-69
SSL VPN Full Tunnel settings 32-65
SSL VPN Split Tunneling settings 32-66
Technology settings 32-54
Thin Client settings 32-64
Add User Profile dialog box 41-12
Add Virtual Sensor dialog box 36-7, 36-8
Add Web Access Control Entry dialog box 6-58
Add Web Filter Map dialog box 20-45
Add WebSense Parameter Map dialog box 20-37
Add Websense Web Filter Class Map dialog box 16-23, 20-17
Add Web Type Access List dialog box 6-53
Add Windows Messenger Class Map dialog box 16-23, 20-17
Add WINS Server dialog box 32-70
Add WINS Server List dialog box 32-70
Add Yahoo Messenger Class Map dialog box 16-23, 20-17
Add Zones dialog box 12-13
admin context 56-1
administration
selecting policies to manage 5-10
administrative settings, configuring 11-1
admin password, changing 10-22
ADSL
ADSL Policy page 58-36
ADSL Settings dialog box 58-37
defining settings 58-35
supported operating modes 58-34
ADSL policies
unable to deploy 9-14
Advanced dialog box
access rules (IPv4 and IPv6) 15-16
Advanced NAT Options
PIX/ASA/FWSM
add/edit 22-28
Advanced settings
interface configuration
PIX/ASA/FWSM 44-42
AES encryption algorithm
in IKE proposals 24-6
AIM-IPS interfaces
IPS Module Interface Settings page 58-22
AIP-SSM/SSC
ASA 55-13
Alarm Indication Signal (AIS) cells 58-50
allowed hosts, configuring for IPS 34-7
Allowed Hosts policy 34-7
Analysis Engine global variables
configuring 34-26
analysis reports
generating 15-30
anomaly detection
configuring 39-6
configuring histograms 39-11
configuring learning accept mode 39-8
configuring signatures 39-4
configuring thresholds 39-11
managing 39-1
modes 39-2
understanding 39-1
understanding histograms 39-9
understanding thresholds 39-9
understanding worms 39-2
when to turn off 39-4
zones
overview 39-3
anti-spoofing 54-2
AnyConnect
client images 29-48, 29-49
profiles 29-48, 29-49
AnyConnect Client Image dialog box (ASA) 29-49
AOL class map objects
creating 20-15
match criteria 20-19
Apply IPS Update command 1-32
Apply IPS Update wizard 42-7
Approve Activity command 1-33
Approve Activity dialog box 4-20
Approved activity state 4-5
Approve Deployment Job dialog box 8-21, 8-39
Area Border Router
See ABR 53-2
ARP
PIX/ASA/FWSM
configuration 45-4
inspection 45-5
inspection, enable/disable 45-6
table 45-3
ARP table
static entry 45-3, 45-4
ASA
ASDM 68-11
CXSC 55-15
Failover
Add Failover Group 48-23
edit bridge group 48-15
IPS, QoS, and Connection Rules
CXSC Auth Proxy Configuration 55-16
IPS modules 55-13
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
security contexts
allocate interfaces 56-11
configuration 56-9
viewing allocated interfaces 56-11
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
TCP State Bypass 55-3
ASA 5505
Management IPv6 45-10
ports and interfaces 44-6
ASA 8.3+
NAT policies
Add/Edit NAT rules dialog boxes 22-35
Translation Rules page 22-32
ASA Cluster Load Balance page 29-5
ASA devices
5505
hardware port configuration 44-39
AAA support 6-24
about 44-1
adding or changing modules 3-37
adding SSL thumbprints manually 9-4
Bridge Groups
add/edit 44-41
Catalyst Service Module 44-1
changing those selected for reports 66-21
configuring for event management 65-25
configuring for report management 66-3
configuring IKE and IPsec policies 24-1
configuring IKEv2 authentication 24-58
configuring transparent firewall rules 21-1
Easy VPNs
connection profiles 26-13
Event Viewer support 65-4
FlexConfig object samples 7-23
global access rules 15-3
identity-aware services
configuring to provide 13-7
interfaces 44-14
add/edit 44-19
Advanced tab 44-27
configuring 44-2
edit EtherChannel-assigned interface 44-11
EtherChannels 44-8, 44-12
General tab 44-20
IP Type 44-36
IPv6 44-29
IPv6, add/edit 44-33
IPv6, add/edit prefixes 44-34
LACP 44-11
MAC address 44-38
PPPoE Users 44-44
VPDN groups 44-45
licenses 2-11
monitoring service level agreements 49-7
object group search 15-22
packet capture, using 68-8
packet tracer, using 68-1
remote access SSL VPNs
advanced settings 29-54
AnyConnect client settings 29-48, 29-49
browser plug-ins 29-46
configuring HTTP/HTTPS proxies and proxy bypass 29-43
content rewrite rules 29-39
encoding rules 29-41
Kerberos Constrained Delegation (KCD) 29-51, 29-53
other settings 29-37
performance settings 29-38
shared license 29-55
shared license clients (ASA) 29-57
shared license servers (ASA) 29-58
remote access VPNs
access policies (ASA), configuring 29-36
access policies (ASA), reference 29-33
access policies (ASA), understanding 29-32
AnyConnect client image settings (ASA) 29-50
certificate to connection profile map policy (IKEv1) 29-25
certificate to connection profile map rules (IKEv1 IPSec) 29-26
cluster load balancing 29-4, 29-5
configuring bookmarks 29-63
configuring portal appearance 29-59
configuring WINS servers for file system access 29-69
connection profiles 29-6, 29-8
creating IPSec 28-24
creating SSL 28-14
customizing 29-58
device support 28-8
dynamic access policies 30-1, 30-2
dynamic access policy (DAP) attributes 30-3, 30-8
Dynamic Access policy page (ASA) 30-11
fragmentation settings 24-36
group policies, configuring 29-21
group policies, creating 29-23
group policies, understanding 29-22
IKE proposals 24-9
IKEv2 settings 24-30
IPsec proposals 29-30
ISAKMP/IPsec settings 24-26
managing 29-1
NAT settings 24-34
policy overview 29-2
post URL method and macro substitutions in bookmarks 29-65
proxy bypass rules (ASA) 29-45
Public Key Infrastructure (PKI) 24-48
secure desktop manager policies 30-9
smart tunnels 29-66
understanding IKE 24-5
understanding NAT settings 24-33
wizard 28-13
Report Manager reports
firewall summary botnet reports 66-14
firewall traffic reports 66-13
general VPN reports 66-16
VPN top reports 66-15
selecting for Event Viewer 65-30
selecting policy types to manage 5-10
SSL certificate configuration 11-16
ASA group policies objects
client configuration settings 32-4
client firewall attributes 32-5
connection settings 32-19
DNS/WINS settings 32-17
hardware client attributes 32-7
IPSec settings 32-8
split tunneling settings 32-18
SSL VPN clientless settings 32-10
SSL VPN full client settings 32-12
SSL VPN settings 32-14
technology settings 32-1
ASA Image Management 69-12, 69-25
ASBR
definition 53-2
ASCII limitations for text 1-45
ASDM
access rule look-up 68-14
device manager 68-11
ASR
zone-based firewall
global parameters 20-48
restrictions 20-3
assignment overview 1-16
Assignments tab, Policy view 5-51
Assign Shared Policy command 1-29
Assign Shared Policy dialog box 5-41
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 58-33
Asymmetric Routing Groups 44-5
Asynchronous Transfer Mode (ATM) 58-46
ATM 58-46
virtual channel connections (VCCs) 58-46
virtual channel identifier (VCI) 58-46
virtual path connections (VPCs) 58-46
virtual path identifier (VPI) 58-46
Attack Response Controller 41-1
attacks
broadcast 16-4
Denial of Service (DoS) 16-4
spoofing 16-4
SYN flooding 16-4
audit logs
configuring default settings 11-40
purging entries 10-21
understanding 10-18
working with 10-18
Audit Message Detail dialog box 10-20
Audit Report command 1-31
audit reports
generating and viewing 10-19
understanding 10-18
working with 10-18
Audit Report window 10-20
AUS
deploying configurations 8-42
deployment method 8-10
setting up 2-7
setting up on PIX Firewall and ASA devices 2-8
Authentication
Cisco IOS routers
settings 59-6
authentication
routing protocols 53-2
Authentication-Authorization-Accounting
see AAA 46-1
Authentication Header (AH) encryption algorithm 24-25
authentication methods
certificates (RSA signatures) 24-7
in IKE proposals 24-7
preshared keys 24-7
authentication testing
SSH 2-5
Authorization
Cisco IOS routers
settings 59-7
authorization proxy (AuthProxy)
configuring AAA rules 14-7
AuthProxy
configuring settings in Map view 33-23
AuthProxy dialog box 14-17
AuthProxy settings policy
configuring 14-8
autolink
omitting reserved networks from maps 11-2
automatic conflict detection
resolving conflicts 15-30
understanding 15-25
understanding the user interface 15-26
using 15-24
auto signon rules
ASA group policy objects 32-16
Auto Update Server (AUS)
adding 3-33
licensing 10-18
PIX/ASA/FWSM 50-1
add/edit server 50-3
troubleshooting deployment 9-17
Auto Update Server Properties dialog box 3-34
Available Bit Rate (ABR) 58-47
Available Servers dialog box 3-36
B
background image, map
deleting 33-13
importing 33-13
scale and position 33-13
setting 33-12
backup
event data store 65-32
backup.pl command 10-23
Backup command 1-32
backups, Security Manager database 10-23
bandwidth
VPN user reports 66-15, 66-16
banners
configuring on firewall devices 46-8
benefits of product 1-2
BGP routing
BGP Routing Policy page 63-4
defining routes 63-2
Neighbors dialog box 63-6
on Cisco IOS routers 63-1
redistributing routes 63-3
Redistribution Mapping dialog box 63-7
Redistribution tab 63-6
Setup tab 63-4
Bidirectional Neighbor Filter 52-14
Bidirectional Neighbor Filter tab
PIM 52-13
blocking, IPS
configuring 41-7
configuring ARC 41-1
configuring blocking devices 41-14
configuring master blocking sensors 41-13
configuring never block hosts and networks 41-17
configuring router blocking interfaces 41-15
configuring user profiles 41-12
configuring VLAN blocking interfaces 41-16
general options 41-10
master blocking sensor 41-6
policy 41-8
rate limiting 41-4
router and switch blocking devices 41-4
strategies 41-3
understanding 41-1
Blocking page 41-8
Boot image/configuration
PIX/ASA 46-9
add/edit 46-10
bootstrap configuration
Failover 48-25
Botnet Traffic Filter Drop Rules Editor 18-13
botnet traffic filter rules
adding static entries 18-5
blocking blacklisted traffic 18-6
configuring DNS snooping 16-16
configuring in Map view 33-23
configuring the dynamic database 18-4
configuring with IPS global correlation 40-1
databases 18-1
Device Blacklist dialog box 18-15
Device Whitelist dialog box 18-15
Drop Rules Editor 18-13
Dynamic Blacklist Configuration tab 18-10
enabling DNS snooping 18-6
field definitions 18-9
illustrations 18-1
mitigating botnet activity 65-56
monitoring
activity using ASDM 65-55
activity using Event Viewer 65-53, 65-55
overview 65-52
understanding botnet syslog events 65-52
overview 18-1
preserving ACL names 12-4
Report Manager reports
firewall summary botnet reports 66-14
task flow 18-2
traffic classification 18-6
Traffic Classification dialog box 18-12
Traffic Classification tab 18-11
understanding 18-1
understanding NAT effects 12-3
understanding processing order 12-2
Whitelist/Blacklist tab 18-14
bridge group
failover
editing 48-15
Bridge Groups
ASA/FWSM
add/edit 44-41
bridge groups
defining 59-19
FWSM 3.1 45-3
Bridging
ASA 5505
Management IPv6 45-10
PIX/ASA/FWSM
ARP configuration 45-4
ARP Inspection 45-5
ARP Inspection, enable/disable 45-6
ARP Table 45-3
MAC Address, add/edit 45-8
MAC Address Table 45-7
MAC Learning 45-8
MAC Learning, enable/disable 45-9
Management IP address 45-10
bridging
Cisco IOS routers
Bridge Group dialog box 59-21
Bridging Policy page 59-20
BVI interfaces 59-18
overview 59-18
configuring transparent firewall rules 21-1
PIX/ASA/FWSM
about 45-1
configuring on 45-1
broadcast attacks, preventing 16-4
broadcasts
enabling directed on routers 58-20
browser plug-ins
configuring 29-46
bundles 69-9
bypass mode
configuring for IPS 35-12
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 24-43
Cat6k Device dialog box 41-14
Catalyst 6500/7600 devices
configuring FWSM in site-to-site VPNs 23-45
configuring SSH 2-6
default transport protocol 11-16
deployment 8-29
FlexConfig object samples 7-25
IPS blocking devices 41-4
policy discovery for FWSM 5-13
rollback restrictions 8-61
Service Modules 44-1
Catalyst 6500/7600 switches
including in deployment jobs 8-28
Catalyst devices
policy discovery 5-13
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings 31-7
high availability 31-11
IPsec proposals 31-4
user group policies 31-13
VPNSM/VPN SPA/VSPA settings 31-6
Catalyst platform policies
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes 64-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 64-49
IDSM Settings page 64-47
IDSM Slot-Port Selector dialog box 64-50
interfaces/VLANs policy
Access Port Selector dialog box 64-30
Create and Edit Interface dialog boxes-Access Port mode 64-9
Create and Edit Interface dialog boxes-Dynamic Port mode 64-18
Create and Edit Interface dialog boxes-Other mode 64-24
Create and Edit Interface dialog boxes-Routed Port mode 64-12
Create and Edit Interface dialog boxes-subinterfaces 64-22
Create and Edit Interface dialog boxes-Trunk Port mode 64-14
Create and Edit VLAN dialog boxes 64-28
Create and Edit VLAN Group dialog boxes 64-34
Interfaces tab 64-7
Service Module Slot Selector dialog box 64-35
Summary tab 64-3
Trunk Port Selector dialog box 64-31
VLAN Groups tab 64-33
VLAN Selector dialog box 64-35
VLANs tab 64-27
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes 64-41
Create and Edit VLAN ACL dialog boxes 64-41
VLAN Access Lists page 64-39
Catalyst Summary Info command 1-32
Catalyst switches
configuring SSH 2-6
default transport protocol 11-16
showing modules, security contexts, and virtual sensors 3-50
Catalyst switches/7600 routers
troubleshooting deployment 9-15
Catalyst switches and 7600 devices
IDSM mode support 64-43
interface deployment failure 9-15
internal VLAN deployment failure 9-15
supported VTP modes 64-1
Catalyst switches and 7600 Series routers
access ports 64-5
Catalyst Summary Info page 64-2
defining IDSM Data Port VLANs 64-46
defining IDSM EtherChannel VLANs 64-44
defining ports 64-5
defining VACLs 64-37
defining VLAN groups 64-32
defining VLANs 64-26
deleting IDSM Data Port VLANs 64-47
deleting IDSM EtherChannel VLANs 64-45
deleting ports 64-7
deleting VACLs 64-38
deleting VLAN groups 64-33
deleting VLANs 64-27
discovering policies 64-1
generating interface names 64-6
IDSM settings 64-43
IDSM Settings page 64-47
interfaces 64-5
managing 64-1
routed ports 64-5
trunk ports 64-5
viewing interface and VLAN summary 64-3
VLAN Access Lists page 64-39
VLAN ACLs (VACLs) 64-36
VLAN groups 64-31
VLANs 64-25
Catalyst VPN Service Port Adapters (VSPAs)
configuring 23-41
Catalyst VPN Services Module (VPNSM)
configuring 23-41
configuring in remote access VPNs 31-6
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring 23-41
configuring in remote access VPNs 31-6
categories
using 6-11
cautions
significance of i-lviii
CDP
configuring mode for IPS 35-13
CEF Interface Settings dialog box 58-26
CEF interface settings policies 58-24
certificates, SSL
adding thumbprints manually 9-4
configuring default settings for how handled 11-16
managing IPS 42-9
certificate to connection profile map policies
configuring policy 29-25
configuring rules 29-26
Change Report dialog box 4-17
change reports
selecting session in non-Workflow mode 4-17
viewing 4-16
Change Reports command 1-31
Checkpoint migration
configuring object group search on ASA 8.3+ devices 15-22
Choose a file dialog box 32-24
Cisco 7600 Series routers
managing 64-1
Cisco Configuration Engine
troubleshooting device setup and deployment 9-17
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces 58-18
Cisco Express Forwarding (CEF)
CEF Interface Settings policy 58-25
CEF router interface settings policies 58-24
importance for QoS 62-2
Cisco IOS IPS
effect of load balancing 43-7
configuration files 43-3
configuration overview 43-3
configuring 43-1
configuring general settings 43-7
configuring interface rules 43-8
getting started 34-1
initial preparation of router 43-5
lightweight signature engines 43-2
limitations and restrictions 43-3
selecting signature category 43-6
understanding 43-1
understanding subsystems and revisions 43-2
Cisco IOS Routers
configuring IOS IPS 43-1
IPS blocking devices 41-4
Cisco IOS routers
802.1x 60-1
AAA 59-2
accounts and credentials 59-13
ADSL 58-33
advanced interface settings 58-13
available interface types 58-2
basic interface settings 58-1
BGP routing 63-1
CNS call-home mode 2-10
CNS event-bus mode 2-9
configuring SSH 2-6
CPU settings 59-25
default AAA server groups 6-27
deploying configurations using TMS 8-43
dialer interfaces 58-27
discovering policies 57-3
Domain Name System (DNS) 59-74
Dynamic Host Configuration Protocol (DHCP) 59-87
EIGRP routing 63-8
host and domain names 59-77
HTTP 59-28
interface deployment failure 9-13
IOS 12.1 and 12.2 57-2
licenses 2-12
line access 59-35
managing 57-1
memory settings 59-78
NAT 22-5
designating interfaces 22-5
dynamic rules 22-10
static rules 22-6
timeouts 22-13
NetFlow 61-1, 61-5, 61-12
Network Admission Control (NAC) 60-8
Network Time Protocol (NTP) 59-96
optional SSH settings 59-63
OSPF routing 63-19
permanent virtual connections (PVCs) 58-46
platform policies 57-1
Point-to-Point Protocol (PPP) 58-70
policy discovery 5-13
quality of service (QoS) 62-1
RIP routing 63-42
Secure Device Provisioning (SDP) 59-81
setting up SSL (HTTPS) 2-4
SHDSL 58-40
SNMP 59-66
static routing 63-50
syslog logging 61-1
time zone settings 59-22
transparent bridging 59-18
Cisco IOS Software
FlexConfig object samples 7-25
selecting policy types to manage 5-10
Cisco Secure Desktop configuration objects
creating 31-18
Cisco Security Management Suite server
logging into or exiting 1-9
Cisco Technical Assistance Center
creating diagnostic file 10-27
generating data 10-26
generating deployment or discovery status reports 10-28
generating partial database backup 10-28
Cisco Trust Agent (CTA) 60-9
CiscoWorks Common Services
backing up and restoring Security Manager 10-23
logging into or exiting 1-9
CiscoWorks user authorization, effect on what you can do 1-9
Class-Based Policing 62-6
class maps
understanding 6-67
Clear Connection Configuration dialog box 14-21
CLI commands
FlexConfig objects 7-2
client connection characteristics
configuration modes 26-3
configuring policies for Easy VPN 26-7
extended authentication (xauth) 26-4
clientless access mode 28-4
client settings
configuring AnyConnect 29-49
understanding AnyConnect 29-48
client-side file browsing 1-46
enabling or disabling 11-6
Clock
PIX/ASA/FWSM 46-11
clock
Cisco IOS routers
overview 59-22
clock settings
Cisco IOS routers
Clock Policy page 59-23
Clone Device command 1-27
Clone Policy Bundle dialog box 5-55
Clone Policy command 1-29
Clone Policy dialog box 5-44
Close Activity command 1-33
Close All Reports command (Report Manager) 66-8
Close Report command (Report Manager) 66-8
Close Ticket command 1-33
cluster, server
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-4
cluster load balancing
configuring 29-5
understanding 29-4
understanding FQDN redirection 29-5
CNS
call-home mode 2-10
deploying configurations 8-42
deployment method 8-10
event-bus mode 2-9
setting up on PIX Firewall and ASA devices 2-8
color rules, configuring in Event Viewer 65-36
Combine Rules Selection Summary dialog box 12-23
commands
Activities menu 1-32
Edit menu (Configuration Manager) 1-28
Event Viewer File menu 65-8
Event Viewer View menu 65-9
File menu (Configuration Manager) 1-26
Help menu (Configuration Manager) 1-34
Launch menu 1-33
Manage menu 1-30
Map menu 1-29
Policy menu (Configuration Manager) 1-29
Report Manager menus 66-8
Tickets menu 1-33
Tools menu (Configuration Manager) 1-31
View menu (Configuration Manager) 1-28
Common Services
licensing 10-18
communication, device
troubleshooting 9-7
configuration
initial Security Manager 1-22
understanding rollback 8-59
Configuration Archive
adding configurations from devices 8-55
overview 8-16
rolling back to archived configuration files 8-66
rolling back when deploying to file 8-67
settings 11-3
version viewer 8-56
viewing and comparing configuration versions 8-56
viewing transcripts 8-58
window 8-24
Configuration Archive command 1-31
Configuration Archive page 11-3
Configuration Engine
adding 3-33
CNS call-home mode 2-10
CNS event-bus mode 2-9
setting up 2-7
Configuration Engine Properties dialog box 3-34
configuration files
deploying in non-Workflow mode 8-29
deploying in Workflow mode 8-35, 8-40
deploying to 8-11
deploying to an AUS or CNS 8-42
deploying to a TMS 8-43
deployment process overview 8-1
factory-default configurations 44-2
previewing 8-45
redeploying to devices 8-49
rolling back after deploying to file 8-67
rolling back to archived configurations 8-66
rolling back to devices 8-65
selecting 1-46
web VPN policy discovery restrictions 3-8
configuration location, configuring for IOS IPS 43-7
Configuration Manager
overview 1-12
using 1-11
configurations
adding to the Configuration Archive 8-55
avoiding out-of-band changes 8-47
detecting out-of-band changes 8-46
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rolling back 8-59
rolling back Catalyst 6500/7600 8-61
rolling back failover devices 8-61
rolling back IPS and IOS IPS 8-62
rolling back multiple context mode 8-61
understanding out-of-band changes 8-12
viewing and comparing 8-56
configuration session
selecting session for change reports 4-17
viewing change reports 4-16
configuration sessions
discarding 4-21
configuration views 1-12
Configure dialog box 16-19
Configure DNS dialog box 16-16
Configure ESMTP dialog box 16-17
Configure Fragments dialog box 16-18
Configure Hardware Ports
ASA 5505 44-39
Configure IMAP dialog box 16-18
Configure POP3 dialog box 16-18
Configure RPC dialog box 16-19
Configure SMTP dialog box 16-17
Config Version Viewer (Preview Configuration) dialog box 8-45
conflict analysis reports
generating 15-30
conflict detection
resolving conflicts 15-30
understanding 15-25
understanding the user interface 15-26
using 15-24
connection
PIX/ASA/FWSM
identity-aware rules 13-21
rules 55-5
Connection Alias dialog box 29-20
Connection Profile dialog box
AAA tab 29-11
General tab 29-9
IPSec tab 29-16
Secondary AAA tab 29-14
SSL tab 29-18
connection profiles
configuring 29-6
configuring for Easy VPN 26-13
properties
AAA 29-11
general 29-9
IPSec 29-16
policy overview 29-8
secondary AAA 29-14
SSL 29-18
sharing among multiple ASAs 28-8
Connection Profiles page 29-8
Connection Settings
MPC rule wizard
tab 55-8
connection timeout
device communication settings 11-16
Connection URL dialog box 29-21
connectivity, testing device 9-1
console
Cisco IOS routers
AAA tab 59-44
Accounting tab 59-47
Authentication tab 59-44
Authorization tab 59-45
Console Policy page 59-42
Setup tab 59-42
console port
Cisco IOS routers
defining AAA settings 59-37
defining setup parameters 59-35
Console timeout
PIX/ASA/FWSM 47-1
Constant Bit Rate (CBR) 58-47
contained modules
showing 3-50
content rewrite rules
defining for SSL VPN on ASA 29-39
Context-Based Access Control
choosing interfaces 16-2
configuring 16-5
configuring identity aware 13-21
preventing DoS attacks on IOS devices 16-4
selecting protocols 16-3
understanding 16-1
understanding access rule requirements 16-4
Context Editor dialog box (IOS) 31-15
contexts
see "security contexts" 56-1
continuity check (CC) cells 58-50
control plane (CP)
defining QoS on 62-12
policing on 62-9
Control Plane Policing 62-9
conventions i-lvii
cookie challenges 24-30
Copy command 1-28, 12-9
Copy Policies Between Devices command 1-29
Copy Policies wizard 5-31
CPU settings
defining utilization settings 59-25
overview 59-25
CPU utilization
CPU Policy page 59-26
Create a Clone of Device dialog box 3-50
Create Activity dialog box 4-13
Create a Policy dialog box 5-51
Create Discovery Task dialog box 5-18
Create Extranet VPN Topology wizard
overview 23-63
Create Filter dialog box 1-41
Create Group Policy wizard
Clientless and Thin Client Access Modes page 28-22
Full Tunnel page 28-20
Group Policy page 28-19
using 28-19
Create Overrides for Device dialog box 6-18
Create Policy Bundle dialog box 5-54
Create Text Object dialog box 7-35
Create Ticket dialog box 4-13
Create VPN Topology wizard
Device Selection page 23-32
Edit Endpoints dialog box 23-33
Endpoints page 23-33
GET VPN Group Encryption page 23-51
GET VPN Peers page 23-57
High Availability page 23-49
Name and Technology page 23-30
overview 23-28
VPN Defaults page 23-58
credential objects
attributes 26-9
credentials
configuring on firewall devices 46-13
device manager validation 68-10
IPS module 3-17
service module 3-16
testing 9-1
understanding device 3-4
Credentials page
HTTPS port number
overriding with HTTP policy 3-43
Credentials page, device properties 3-41
crypto maps
understanding 24-17
CSC
MPC rule wizard
tab 55-8
CSDM Policy Editor dialog box 30-39
CS-MARS
access to Security Manager 68-19
configuring servers 11-4
discovering or changing controller used by device 68-21
events
historical and real-time lookup 68-23
looking up 68-23
integrating with Security Manager 68-18
integration with Security Manager 68-18
looking up Security Manager policies based on events 68-27
NetFlow 68-29
query
troubleshooting 68-22
registering in Security Manager 68-20
supported log messages 68-28
viewing access rule events 68-24
viewing IPS signature events 68-26
CS-MARS page 11-4
CSMDiagnostics.zip
setting debug options 11-8
CSMDiagnostics.zip file, creating 10-27
CSM tab, Licensing page 11-36
CSV (comma-separated values) files
supported formats for device inventory 10-8
Customize Desktop Settings page 11-6
Customized Toolbar command 1-28
Custom Protocol dialog box 16-19
Custom Report List command (Report Manager) 66-9
Cut command 1-28, 12-9
cut-through proxy, configuring 13-23
CXSC
about 55-15
MPC rule wizard
tab 55-8
CXSC Auth Proxy Configuration
ASA 55-16
D
database
backing up 10-23
backing up and restoring 10-23
generating partial backups for TAC 10-28
restoring 10-25
DCE/RPC policy map objects
creating 16-20
properties 16-24
DCS.properties file
DCS.doSerialAccessForFWSMVCs property 9-16
DCS.FWSM.checkThreshold property 9-16
SSH settings 9-7
warning message expression properties 9-9
DDNS
PIX/ASA/FWSM 50-15
add interface rules 50-16
update methods 50-16
update methods, add/edit 50-17
dead-peer detection (DPD) 24-27
debugging
configuring debug levels 11-8
Debug Options page 11-8
Default Report Settings command (Report Manager) 66-9
defaults, configuring 11-1
Delete Device command 1-27
Delete Map command 1-30
Delete Map dialog box 33-10
Delete Row command 1-28
denial of service (DoS) attacks
configuring inspection settings to mitigate 16-85
preventing in SMTP using zone-based firewall 20-24
preventing on IOS devices using inspection 16-4
preventing using IKEv2 cookie challenge 24-30
preventing using unicast reverse path forwarding (RPF) 58-20
Deploy command 1-27
Deploy Job dialog box 8-40
deployment
Add Other Devices dialog box 8-54
Auto Update Server 8-42
Catalyst 6500/7600 devices 8-29
changes not deployed when using schedules 8-52
changing device message severity level to ignore errors 9-9
changing FWSM multiple-context deployment to serial 9-16
Cisco Networking Services configuration engine 8-42
configuration files, to 8-11
configurations 8-29
creating jobs in Workflow mode 8-36
creating or editing schedules 8-52
Deployment Manager window 8-17
device communication settings 9-4
devices, directly to 8-9
devices, through intermediate server 8-10
Edit Deploy Method dialog box 8-31
Edit Selected Deployment Method dialog box 8-31
errors
OS version mismatches 8-13
generating status report 10-28
handling OS version mismatches 8-13
managing 8-1
methods 8-8
minimum memory errors for ASA 8.3+ 9-11
non-Workflow mode 8-3
optimizing access rules 15-44
out-of-band changes
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
process overview 8-1
rolling back archived configurations 8-66
rolling back configurations 8-59
rolling back configurations, Catalyst 6500/7600 8-61
rolling back configurations, command conflicts 8-64
rolling back configurations, commands to recover from failover misconfiguration 8-65
rolling back configurations, failover devices 8-61
rolling back configurations, IPS and IOS IPS devices 8-62
rolling back configurations, multiple context mode 8-61
rolling back configuration when deploying to file 8-67
rolling back to last deployed configuration 8-65
setting debug options 11-8
SSL handshake failure 2-2
suspending or resuming schedules 8-55
system settings 11-9
task flow
non-Workflow mode 8-3
Workflow mode 8-5
tips for successful jobs 8-28
TMS server 8-43
troubleshooting 9-1, 9-9
ADSL or PVC deployment failures 9-14
AUS problems 9-17
Catalyst interface settings 9-15
Catalyst internal VLANs 9-15
Catalyst switch and modules 9-15
Configuration Engine problems 9-17
Error Writing to Server messages 9-14
HTTP Response Code 500 messages 9-14
layer 2 interfaces 9-14
mixing deployment methods with routers and VPNs 9-13
router interface settings 9-13
routers 9-13
Security Manager cannot contact device 9-11
VPNs with routing processes 9-12
troubleshooting device communication 9-7
troubleshooting router connection failures 2-2
troubleshooting SSL certificate errors 9-4
troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 23-17
understanding 8-1
understanding configuration rollback 8-59
using a Cisco Networking Services (CNS) server 8-42
viewing device details 8-27
viewing job summary 8-27
viewing status and history for jobs and schedules 8-27
viewing transcripts 8-58
Warning - Partial VPN Deployment dialog box 8-32
Workflow mode 8-5, 8-35, 8-40
working with 8-26
Deployment—Create or Edit a Job dialog box 8-36
deployment jobs
aborting 8-51
approval 8-7
approving 8-39
creating and editing in non-Workflow mode 8-29
creating and editing in Workflow mode 8-36
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
multiple users 8-8
redeploying 8-49
rejecting 8-39
states
non-Workflow mode 8-4
Workflow mode 8-6
submitting 8-39
viewing history 8-27
Deployment Manager
overview 8-16
Deployment Manager window 8-17
Deployment Schedules tab 8-22
Deployments command 1-31
Deployment Settings page 11-9
Deployment Status Details dialog box 8-33
Deployment Workflow Commentary dialog boxes 8-21
Deploy Saved Changes dialog box 8-29
DES encryption algorithm
in IKE proposals 24-6
Designated Router
PIX/ASA/FWSM 52-12
Destination Contents dialog box 12-14
Dest Port Map dialog box 39-12
Detect Out of Band Changes command 1-32
device
AAA administration 46-4
firewall types 44-1
viewing inventory status 68-16
Device Access
FWSM
Resources, add/edit 49-3
PIX/ASA/FWSM 47-1
console timeout 47-1
host name 49-1
HTTP configuration 47-2
HTTP page 47-2
ICMP rules 47-3
ICMP rules, add/edit 47-4
Management Access interface 47-5
Secure Shell (SSH) 47-5
Secure Shell, add/edit host 47-6
Server Access 50-1
SNMP host access 47-12
SNMP page 47-8
SNMP Trap configuration 47-9
Telnet configuration 47-14
Telnet page 47-13
user accounts 49-6
user accounts, add/edit 49-7
device access policies
defining 59-14
Device Admin
FWSM
Resources 49-3
device administration policies
configuring on firewall devices 46-1
device authentication
adding SSL thumbprints manually 9-4
SSL certificate default configuration 11-16
Device Blacklist dialog box 18-15
device communication
changing device message severity level 9-9
managing settings 9-4
routers without K8/K9 crypto image 9-7
Security Manager cannot contact device after deployment 9-11
troubleshooting failures 9-7
Device Communication page 11-15
device communications
troubleshooting 9-1
device communication settings
connection timeout 11-16
retry count 11-16
socket read timeout 11-16
Device Connectivity Test dialog box 9-3
device credentials
understanding 3-4
Device Credentials page 3-41
Device Delete Validation dialog box 3-52
device groups 3-53, 3-56
adding or removing devices 3-57
creating group types 3-55
deleting groups or types 3-56
understanding 3-53
Device Groups page 3-45, 11-18
Device Information page - Add Device from File 3-29
Device Information page - Configuration File 3-20
Device Information page - Network 3-11
Device Information page - New Device 3-24
device inventory
exporting
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-8
using command line utility 10-9
importing
device with policies 10-14
importing with policies 10-14
managing 3-1
testing device connectivity 9-1
understanding 3-1
understanding contents 3-3
understanding generic devices 3-8
working with 3-32
device manager
access rule look up 68-13
ASDM 68-11
access rule look-up 68-14
credentials 68-10
IDM 68-11
PDM 68-11
prerequisites 68-12
SDM 68-12
access rule look-up 68-15
starting from HPM 67-3, 67-23
starting from Security Manager 68-10
troubleshooting 68-12
xdm-launcher.exe 68-12
Device Manager command 1-34
Device Properties
Credentials page 3-41
Device Groups page 3-45
General page 3-38
Policy Object Override pages
general reference 3-46
device properties
changes with policy effects 3-48
changing critical 3-47
image version changes with no policy effects 3-47
understanding 3-6
viewing or changing 3-37
Device Properties command 1-31
Device Properties page
creating object overrides 6-17
deleting overrides 6-19
overview 3-37
device response
to appear as an error message 9-9
devices
adding 3-6
adding configurations to the Configuration Archive 8-55
adding from configuration files 3-18
adding from inventory file 3-27
adding from network 3-9
adding local rules to shared policies 5-42
adding manually 3-23
adding or changing modules 3-37
assigning shared policies 5-41
avoiding out-of-band changes 8-47
changing critical properties 3-47
changing those selected for reports 66-21
cloning or duplicating 3-50
cloning shared policies 5-44
communication requirements 2-1
communication settings and certificates 9-4
configuring ASA licenses 2-11
configuring IOS licenses 2-12
configuring local policies 5-29
copying policies between 5-31
creating policy object overrides 6-17
deleting from inventory 3-51
deleting policy object overrides 6-19
deployment through intermediate server 8-10
deployment to 8-9
detecting out-of-band changes 8-46
discovering or changing CS-MARS controller 68-21
discovering policies 5-12
discovering policies on existing devices 5-15
dynamic IP addresses 3-33
image version changes with no policy effects 3-47
including in deployment jobs or schedules 8-8
including unmanaged or non-Cisco in a VPN 23-11
inheriting policy rules 5-43
maps
adding existing managed 33-15
adding new managed 33-15
displaying devices from Device View 33-15
displaying managed 33-15
removing managed 33-15
showing containment for Catalyst switches, ASA, PIX, IPS devices 33-16
modifying policy assignment 5-46
modifying shared policies 5-45
naming conventions 3-3
overview of monitoring 1-6
policy status icons 5-28
preparing for management 2-1
property changes with policy effects 3-48
redeploying configuration files to 8-49
redeploying configurations to replaced hardware 8-49
renaming policies 5-45
replacing policies 5-41
rolling back configurations 8-65, 8-66, 8-67
selecting in site-to-site VPNs 23-32
selecting multiple 1-40
sharing multiple policies 5-39
showing contained modules 3-50
system variables 7-7
testing connectivity 9-1
troubleshooting communication 9-7
troubleshooting communication and deployment 9-1
troubleshooting device discovery failures 3-7
unassigning policies 5-33
understanding out-of-band changes 8-12
unsharing policies 5-40
using global search to find specific devices 1-37
what counts as a device 3-3
device selector
filtering 1-40
Device Selector dialog box 1-40
Device Server Assignment dialog box 9-8
Device view
adding local rules to shared policies 5-42
assigning shared policies 5-41
cloning shared policies 5-44
configuring local policies 5-29
configuring VPN topologies 23-19
copying policies between devices 5-31
inheriting policies 5-43
managing policies 5-28
modifying policy assignments 5-46
modifying shared policies 5-45
overview 1-12
policy banner 5-35
policy shortcut menu 5-37
policy status icons 5-28
renaming policies 5-45
sharing local policies 5-38
sharing multiple policies 5-39
unassigning policies 5-33
understanding basic policy management 5-29
understanding shared policies 5-34
unsharing policies 5-40
device view
understanding 3-1
Device View command 1-28
Device Whitelist dialog box 18-15
DHCP
Cisco IOS routers
defining address pools 59-91
defining policies 59-90
DHCP Database dialog box 59-94
DHCP Policy page 59-92
IP Pool dialog box 59-94
overview 59-87
understanding database agents 59-88
understanding option 82 59-89
understanding relay agents 59-88
understanding secured ARP 59-89
configuring passthrough for IOS devices 21-3
PIX/ASA/FWSM 50-7
add/edit servers 50-9
advanced configuration 50-10
configuring DHCP servers 50-7
server options 50-10
traffic blocked 9-14
DHCP relay
PIX/ASA/FWSM 50-5
add/edit agent 50-5
add/edit server 50-6
diagnostics
setting debug options 11-8
diagnostics file, creating 10-27
dial backup
configuring in Easy VPN 26-2
configuring in VPN 23-39
configuring VPN advanced settings 23-40
Dial Backup Settings dialog box 23-40
dialer interfaces
defining BRI properties 58-29
defining profiles 58-27
Dialer Physical Interface dialog box 58-32
Dialer Policy page 58-30
Dialer Profile dialog box 58-31
on Cisco IOS routers 58-27
Diffie-Hellman groups
in IKE proposals 24-7
Digital Subscriber Line (DSL) 58-33
digital subscriber line-access multiplexer (DSLAM) 58-34
directed broadcasts
enabling 58-20
Disable/enable NAT rules 22-32
Discard Activity command 1-33
Discard Activity dialog box 4-21
Discard command 1-27
Discard Deployment Job dialog box 8-21
Discard Ticket command 1-33
Discard Ticket dialog box 4-21
discovering
remote access VPNs 28-12
site-to-site VPNs 23-24
Discover Policies on Device command 1-29
Discover VPN Policies command 1-29
Discover VPN Policies wizard 23-24
discovery
default behavior settings 11-19
generating status report 10-28
invalid certificate error 9-6
overview 1-16
security certificate error 9-4, 9-5
setting debug options 11-8
Discovery Settings page 11-19
Discovery Status dialog box 5-21
discovery task
frequently asked questions 5-25
starting 5-15
viewing status 5-20
disk space, monitoring event data store 65-31
Display Actual Size command 1-30
Distributed Traffic Shaping (DTS) 62-7
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 25-11
configuring 25-12
configuring GRE modes 25-12
large scale DMVPNs
configuring 25-16
configuring server load balancing 25-17
overview 25-1, 25-9
spoke-to-spoke connections 25-10
supported platforms 23-9
understanding 25-10
DNS
configuring for inspection rules 16-16
PIX/ASA/FWSM
add/edit server group 50-13
add server 50-14
servers page 50-11
DNS class map objects
creating 16-20
match criteria 16-29
DNS policy map objects
creating 16-20
match conditions and actions 16-29
properties 16-26
DNS servers
configuring for IPS global correlation 34-22
DNS snooping 18-6
dock
report windows 66-25
view windows 65-34
Dock Map View command 1-30
documentation
conventions i-lvii
ordering i-lviii
Domain AD Server dialog box 13-10
Domain Name System (DNS)
Cisco IOS routers
defining policies 59-75
DNS Policy page 59-76
IP Host dialog box 59-76
overview 59-74
do not ask warnings, resetting 11-6
DSLAM 58-34
duration
VPN user reports 66-15, 66-16
dynamic access policies
attributes 30-3, 30-8
configuring 30-2
managing 30-1
understanding 30-1
dynamic access policies (DAP) 30-27
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box 30-19
Add/Edit DAP Entry dialog box > AAA Attributes Cisco 30-20
Add/Edit DAP Entry dialog box > AAA Attributes LDAP 30-22
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 30-23
Add/Edit DAP Entry dialog box > Anti-Spyware 30-23
Add/Edit DAP Entry dialog box > Anti-Virus 30-24
Add/Edit DAP Entry dialog box > AnyConnect Identity 30-25
Add/Edit DAP Entry dialog box > Application 30-26
Add/Edit DAP Entry dialog box > File 30-28
Add/Edit DAP Entry dialog box > NAC 30-29
Add/Edit DAP Entry dialog box > Operating System 30-30
Add/Edit DAP Entry dialog box > Personal Firewall 30-31
Add/Edit DAP Entry dialog box > Policy 30-32
Add/Edit DAP Entry dialog box > Process 30-33
Add/Edit DAP Entry dialog box > Registry 30-34
Advanced Expressions tab 30-38
Logical Operations tab 30-35
Main tab 30-14
Dynamic Access Policy page (ASA) 30-11
Cisco Secure Desktop Manager Policy Editor dialog box 30-39
Dynamic Access Policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 30-13
Dynamic Blacklist Configuration tab 18-10
dynamic crypto maps 24-17
dynamic filter snooping (DNS)
enabling 16-16
Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 23-6
dynamic NAT
Cisco IOS routers 22-10
Dynamic Translation Rule
PIX/ASA/FWSM 22-21
add/edit 22-21
dynamic VTI
configuring in Easy VPN 26-12
in remote access VPNs 31-7
understanding use in Easy VPN 26-2
E
Easy VPN
configuration modes 26-3
configuration overview 26-5
configuring client connection characteristics 26-7
configuring dial backup 26-2
configuring dynamic VTI 26-12
configuring high availability 26-2
connection profile policies 26-13
connection profiles (ASA, PIX 7+) 29-8
extended authentication (xauth) 26-4
important configuration notes 26-6
IPsec proposals 26-10
mandatory and optional policies 23-6
overview 26-1
supported platforms 23-9
understanding 26-1
understanding dynamic VTI 26-2
user group policies 26-14
Edit AAA Option dialog box 14-17
Edit AAA Rule dialog box 14-12
Edit AAA Server dialog box 6-29
Edit AAA Server Group dialog box 6-45
Edit Access Rule dialog box 15-12
Edit Actions dialog box 37-8
Edit activity state 4-4
Edit AOL Class Map dialog box 16-23, 20-17
Edit A Port Forwarding Entry dialog box 32-26
Edit ASA Group Policies dialog box
client configuration settings 32-4
client firewall attributes 32-5
connection settings 32-19
DNS/WINS settings 32-17
hardware client attributes 32-7
IPSec settings 32-8
overview 32-1
split tunneling settings 32-18
SSL VPN clientless settings 32-10
SSL VPN full client settings 32-12
SSL VPN settings 32-14
technology settings 32-1
Edit A Smart Tunnel Entry dialog box 32-49
Edit Auto Signon Rules dialog box 32-16
Edit Auto Update Settings dialog box 11-34
Edit Category dialog box 12-14
Edit Cisco Secure Desktop Configuration dialog box 32-20
Edit Client Access Rules dialog box 32-10
Edit Client Update dialog box 32-61
Edit Column dialog box 32-43
Edit Custom Pane dialog box 32-43
Edit DCE/RPC Map dialog box 16-24
Edit Deploy Method dialog box 8-31
Edit Description dialog box 12-14
Edit Destinations dialog box 12-11
Edit Device Groups command 1-27
Edit Device Groups dialog box 3-55
Edit DNS Class Map dialog box 16-23
Edit DNS Map dialog box
Filtering tab 16-28
overview 16-26
Protocol Conformance tab 16-27
Edit eDonkey Class Map dialog box 16-23, 20-17
Edit Endpoints dialog box
FWSM tab 23-45
overview 23-33
Protected Networks tab 23-45
VPN Interface tab 23-35
VPNSM/VPN SPA/VSPA settings, VPN Interface tab 23-41
VRF Aware IPsec tab 23-46
Edit ESMTP Map dialog box 16-32
Edit Extended Access Control Entry dialog box 6-54
Edit Extended Access List dialog box 6-53
Edit External Filter dialog box 20-39
Edit Extranet VPN dialog box
overview 23-63
Edit FastTrack Class Map dialog box 16-23, 20-17
Edit Fidelity dialog box 37-9
Edit File Object dialog box 32-22
Edit Firewall Rule Expiration dialog box 15-18
Edit FlexConfig dialog box 7-33
Edit FTP Class Map dialog box 16-23
Edit FTP Map dialog box 16-35
Edit Gnutella Class Map dialog box 16-23, 20-17
Edit Group Member dialog box 27-21
Edit GTP Map dialog box 16-38
Edit H.323 Class Map dialog box 16-23, 20-17
Edit H.323 Map dialog box 16-43, 20-32
Edit HSI Endpoint IP Address dialog box 16-46
Edit HSI Group dialog box 16-45
Edit HTTP Class Map dialog box 16-23, 20-17
Edit HTTP Map dialog box 20-32
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 16-50
Extension Request Method tab 16-53
General tab 16-49
overview 16-48
Port Misuse tab 16-54
RFC Request Method tab 16-52
Transfer Encoding tab 16-55
ASA 7.2+ and PIX 7.2+ devices 16-56
Edit ICQ Class Map dialog box 16-23, 20-17
Edit IKEv1 Proposal dialog box 24-10
Edit IKEv2 Proposal dialog box 24-13
Edit IMAP Class Map dialog box 16-23, 20-17
Edit IMAP Map dialog box 20-32
Edit IM Class Map dialog box 16-23
Edit IM Map dialog box 20-32
ASA and PIX device 16-62
IOS device 16-65
Edit Inspect/Application FW Rule wizard
Address and Port page 16-12
Inspected Protocol page 16-15
Match Traffic page 16-10
Edit Inspect Parameter Map dialog box 20-29
Edit Interfaces dialog box 12-13
Edit IP Options Map dialog box 16-66
Edit IPsec Pass Through Map dialog box 16-71
Edit IPSec Transform Set dialog box 24-23
Edit IPv6 Map dialog box 16-68
Edit IPv6 Network/Host dialog box 6-73
Edit Kazaa2 Class Map dialog box 16-23, 20-17
Edit Key Server dialog box 27-19
Edit Language dialog box 32-38
Edit LDAP Attribute Map dialog box 6-41
Edit LDAP Attribute Map Value dialog box 6-42
Edit Load Balancing Parameters dialog box 25-17
Edit Local Web Filter Class Map dialog box 16-23, 20-17
Edit Local Web Filter Parameter Map dialog box 20-36
Edit Map Value dialog box 6-43
Edit Match Condition and Action dialog box
DNS policy maps 16-29
ESMTP policy maps 16-33
FTP policy maps 16-36
GTP policy maps 16-41
H.323 (IOS) policy maps 20-33
H.323 policy maps 16-46
HTTP (Zone Based IOS) policy maps 20-33
HTTP policy maps 16-57
IM (Zone Based IOS) policy maps 20-33
IMAP policy maps 20-33
IM policy maps 16-63
IPv6 policy maps 16-69
P2P policy maps 20-33
POP3 policy maps 20-33
SIP (IOS) policy maps 20-33
SIP policy maps 16-75
Skinny policy maps 16-79
SMTP policy maps 20-33
Sun RPC policy maps 20-33
Web Filter policy maps 20-33
Edit Match Criterion dialog box
AOL class maps 20-19
DNS class maps 16-29
eDonkey class maps 20-19
FastTrack class maps 20-19
FTP class maps 16-36
Gnutella class maps 20-19
H.323 (IOS) class maps 20-20
H.323 class maps 16-46
HTTP (IOS) class maps 20-20
HTTP class maps 16-57
ICQ class maps 20-19
IMAP class maps 20-22
IM class maps 16-63
Kazaa2 class maps 20-19
Local Web Filter class maps 20-27
MSN Messenger class maps 20-19
N2H2 class maps 20-28
POP3 class maps 20-22
SIP (IOS) class maps 20-23
SIP class maps 16-75
SMTP class maps 20-24
Sun RPC class maps 20-27
Websense class maps 20-28
Windows Messenger class maps 20-19
Yahoo Messenger class maps 20-19
Edit menu
Configuration Manager 1-28
Edit MSN Messenger Class Map dialog box 16-23, 20-17
Edit N2H2 Parameter Map dialog box 20-37
Edit N2H2 Web Filter Class Map dialog box 16-23, 20-17
Edit NAT Rule dialog box
ASA 8.3+ 22-35
Edit NetBIOS Map dialog box 16-72
Edit Network/Host dialog box
General tab 6-73
NAT tab 22-42
Edit Options dialog box 15-16
Edit P2P Map dialog box 20-32
Edit Permit Response dialog box 16-40
Edit PIX/ASA/FWSM Web Filter Rule dialog box 17-5
Edit PKI Enrollment dialog box
CA Information tab 24-51
Certificate Subject Name tab 24-57
Enrollment Parameters tab 24-55
overview 24-50
Trusted CA Hierarchy tab 24-58
Edit Policy Assignments command 1-29
Edit POP3 Class Map dialog box 16-23, 20-17
Edit Port Forwarding List dialog box 32-25
Edit Port List dialog box 6-80
Edit Protocol Info Parameter Map dialog box 20-31
Edit Regular Expression dialog box 16-82
Edit Regular Expression Group dialog box 16-81
Edit Row command 1-28
Edit Rule Section dialog box 12-21
Edit Security Association dialog box 23-55
Edit Selected Deployment Method dialog box 8-31
Edit Server dialog box
Protocol Info Parameter maps 20-32
Edit Server Group dialog box 14-17
Edit Service dialog box 6-82
Edit Services dialog box 12-12
Edit Signature dialog box 37-12
Edit Signature Parameter—Component List dialog box 37-25
Edit Signature Parameters dialog box 37-20
Edit Single Sign On Server dialog boxes 32-27
Edit SIP Class Map dialog box 16-23, 20-17
Edit SIP Map dialog box 16-73, 20-32
Edit Skinny Map dialog boxes 16-77
Edit SLA Monitor dialog box 49-9
Edit Smart Tunnel Auto Signon Entry dialog box 32-52
Edit Smart Tunnel Auto Signon Lists dialog box 32-51
Edit Smart Tunnel Lists dialog box 32-48
Edit SMTP Class Map dialog box 16-23, 20-17
Edit SMTP Map dialog box 20-32
Edit SNMP Map dialog box 16-80
Edit Sources dialog box 12-11
Edit SSL VPN Customization dialog box 32-32
Applications 32-42
Copyright Panel 32-40
Custom Panes 32-42
Full Customization 32-41
Home Page 32-44
Informational Panel 32-39
Language 32-36
Logon Form 32-38
Logout Page 32-45
Title Panel 32-35
Toolbar 32-41
Edit SSL VPN Gateway dialog box 32-46
Edit Standard Access Control Entry dialog box 6-57
Edit Standard Access List dialog box 6-53
Edit Sun RPC Class Map dialog box 16-23, 20-17
Edit Sun RPC Map dialog box 20-32
Edit TCP Map dialog box 55-20
Edit TCP Option Range dialog box 55-22
Edit Text Object dialog box 7-35
Edit Time Range dialog box 6-60
Edit Traffic Flow dialog box 55-16
Edit Translated Address dialog box 22-27
Edit Transparent EtherType dialog box 21-6
Edit Transparent Firewall Rule dialog box 21-5
Edit Transparent Mask dialog box 21-7
Edit Trend Content Filter Class Map dialog box 16-23, 20-17
Edit Trend Parameter Map dialog box 20-40
Edit Update Server Settings dialog box 11-32
Edit URL Domain Name dialog box 20-43
Edit URLF Glob Parameter Map dialog box 20-43
Edit URL Filter Parameter Map dialog box 20-41
Edit User Credentials dialog box 34-17
Edit User dialog box 12-12
Edit User Group dialog box
Advanced PIX 6.3 settings 32-62
Browser Proxy settings 32-68
Client (IOS) settings 32-59
Clientless settings 32-63
Client VPN Software Update (IOS) settings 32-61
DNS/WINS settings 32-57
General settings 32-56
IOS Xauth Options settings 32-60
overview 32-54
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 32-58
SSL VPN Connection settings 32-69
SSL VPN Full Tunnel settings 32-65
SSL VPN Split Tunneling settings 32-66
Technology settings 32-54
Thin Client settings 32-64
Edit Virtual Sensor dialog box 36-7, 36-8
Edit VPN dialog box
Device Selection tab 23-32
Edit Endpoints dialog box 23-33
Endpoints tab 23-33
High Availability tab 23-49
Name and Technology tab 23-30
overview 23-28
Edit Web Access Control Entry dialog box 6-58
Edit Web Filter Map dialog box 20-45
Edit Web Filter Options dialog box 17-9
Edit Web Filter Type dialog box 17-8
Edit Websense Parameter Map dialog box 20-37
Edit Websense Web Filter Class Map dialog box 16-23, 20-17
Edit Web Type Access List dialog box 6-53
Edit Windows Messenger Class Map dialog box 16-23, 20-17
Edit WINS Server dialog box 32-70
Edit WINS Server List dialog box 32-70
Edit Yahoo Messenger Class Map dialog box 16-23, 20-17
Edit Zones dialog box 12-13
eDonkey class map objects
creating 20-15
match criteria 20-19
EIGRP routing
defining interface properties 63-10
defining routes 63-9
EIGRP Routing Policy page 63-13
Interface dialog box 63-16
Interfaces tab 63-15
on Cisco IOS routers 63-8
redistributing routes 63-12
Redistribution Mapping dialog box 63-18
Redistribution tab 63-17
Setup dialog box 63-14
Setup tab 63-13
e-mail
blocking spam using zone-based firewall rules 20-24
preventing DoS attacks 20-24
e-mail notifications
configuring SMTP server 1-23
PIX/ASA/FWSM
recipient set-up 51-3
syslog messages 51-2
Enable/disable NAT rules 22-32
Enable PIM and IGMP
PIX/ASA/FWSM 52-1
Encapsulating Security Protocol (ESP) encryption algorithm 24-25
encoding rules
defining for SSL VPN (ASA) 29-41
encryption algorithms
3DES (Triple DES) 24-6
AES (Advanced Encryption Standard) 24-6
DES (Data Encryption Standard) 24-6
in IKE proposals 24-6
endpoints and protected networks
configuring dial backup 23-39
defining in GET VPN topologies 23-57
defining in VPN topologies 23-33
VPN Interface tab 23-35
Error Writing to Server deployment errors 9-14
ESMTP
configuring for inspection rules 16-17
ESMTP policy map objects
creating 16-20
match conditions and actions 16-33
properties 16-32
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes 64-49
defining IDSM VLANs 64-44
deleting IDSM VLANs 64-45
EtherChannels
ASA 44-8
edit assigned interface 44-11
LACP 44-11
load balancing 44-12
evaluation license
upgrading to permanent license 10-16
event
lists 51-4
add/edit 51-5
syslog class
add/edit 51-6
syslog message ID
add/edit 51-6
Event Action Filters page 38-7
Event Action Override dialog box 38-14
Event Action Overrides page 38-13
event actions, IPS
configuring filter rules 38-4
configuring network information 38-14
configuring OS maps 38-18
configuring overrides 38-13
configuring settings 38-21
configuring target value ratings 38-15
example filter rule 65-58
filter rule attributes 38-9
filter rules policy 38-7
filter rules tips 38-6
overview 38-1
possible actions 38-2
process overview 38-1
Event Management page 11-21
Event Manager service
configuring 65-27
managing 65-27
monitoring event store disk space 65-31
monitoring status 65-28
selecting devices to monitor 65-30
starting and stopping 65-27
status icon colors 65-28
events
archiving (backing up) the event data store 65-32
configuring firewall devices (ASA, FWSM) 65-25
configuring IPS devices 65-26
copying 65-47
CS-MARS 68-28
looking up 68-23
looking up policies based on related events 68-27
Netflow support for policy lookup 68-29
viewing access rule events 68-24
viewing IPS signature events 68-26
ensuring time synchronization 65-24
Event Viewer
clearing filters 65-44
context menu 65-45
filtering by column 65-41
filtering by events 65-43
filtering overview 65-39
looking up policies based on related events 65-48
refreshing event table 65-40
selecting time range 65-39
text searches (quick filter) 65-43
using time slider with filtering 65-40
examining details 65-47
examples of analysis
mitigating botnet activity 65-56
monitoring and mitigating botnet activity 65-52
monitoring botnet activity using ASDM 65-55
monitoring botnet activity using Event Viewer 65-53
monitoring botnet activity using Report Manager 65-55
monitoring identity-aware firewall policies 13-27
overview 65-50
removing false positive IPS events 65-57
understanding botnet syslog events 65-52
user access to server blocked 65-50
performing operations on 65-45
properties 65-16
recovering the event data store 65-32
saving to a file 65-48
understanding Event Viewer access control 65-3
viewing 65-1
Event Viewer
archiving (backing up) the event data store 65-32
arranging views 65-34
ASA devices, configuring to provide events 65-25
columns 65-16
configuring color rules 65-36
configuring Event Manager service 65-27
copying events 65-47
creating custom views 65-37
deleting custom views 65-39
editing view name and description 65-37
ensuring time synchronization 65-24
Event Monitoring window 65-12
events
context menu 65-45
event table
customizing appearance 65-35
event details pane 65-24
refreshing 65-40
time slider 65-23
toolbar 65-14
examining event details 65-47
examples of analysis
mitigating botnet activity 65-56
monitoring and mitigating botnet activity 65-52
monitoring botnet activity 65-53
monitoring identity-aware firewall policies 13-27
overview 65-50
removing false positive IPS events 65-57
understanding botnet syslog events 65-52
user access to server blocked 65-50
features
historical views 65-2
overview 65-1
policy navigation 65-3
real-time views 65-2
views and filters 65-3
File menu reference 65-8
filters
advantages of using network/host objects 65-58
clearing 65-44
column based 65-41
event based 65-43
overview 65-39
submission requirements for policy objects 65-59
text searches (quick filter) 65-43
time range 65-39
time slider 65-40
floating views 65-34
FWSM devices, configuring to provide events 65-25
IPS devices, configuring to provide events 65-26
limits of 65-4
looking up Security Manager policies based on events 65-48
managing service 65-27
monitoring event store disk space 65-31
monitoring status 65-28
opening views 65-34
overview 65-7
performing operations on 65-45
preparation for use 65-24
recovering the event data store 65-32
saving events 65-48
saving views 65-38
selecting devices to monitor 65-30
settings 11-21
starting or stopping the Event Manager service 65-27
status icon colors 65-28
switching between IP addresses and host object names 65-35
switching between real-time and historical views 65-38
syslogs 65-6
troubleshooting
Event Viewer Unavailable message 11-21, 11-24, 65-27
policy objects not available for filtering 65-59
understanding access control 65-3
using 65-33
using views 65-33
view list 65-11
View menu reference 65-9
Event Viewer command 1-34
exclusive domains
configuring for IOS devices 17-10
Exit command 1-28
Exit command (Report Manager) 66-8
exiting
Cisco Security Management Suite server 1-9
CiscoWorks Common Services 1-9
Security Manager 1-8, 1-10
expiration dates
configuring for access rules 15-19
export
device inventory
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-8
IPS event action overrides 38-13
IPS event filter rules 38-4, 38-7
policy objects 6-20
reports 66-23
shared policies 10-12
Export Devices or Policies commands 1-27
Export Inventory dialog box 10-6
Export Map command 1-30
External Product Interface dialog box 34-24
External Product Interface policy 34-23
F
factory-default configurations 44-2
failover
Active/Active
command replication 48-4
configuration synchronization 48-3
configuring in site-to-site VPN 23-49
edit bridge group 48-15
FWSM 48-11
advanced settings 48-14
PIX/ASA 48-16
Add Failover Group 48-23
settings 48-19
PIX/ASA/FWSM 48-8
active/active 48-2, 48-3
active/standby 48-2
bootstrap configuration 48-25
configuration basics 48-5
configuring 48-1
interface configuration 48-22
interface MAC address 48-21
security context 48-24
stateful 48-3, 48-4
stateless 48-3
types of 48-2
understanding 48-1
PIX 6.3 48-9
interface configuration 48-10
stateful in site-to-site VPN 23-51
false negatives
definition of 37-18
false positives
definition of 37-18
FastTrack class map objects
creating 20-15
match criteria 20-19
feature sets 1-4
File menu
Configuration Manager 1-26
Event Viewer 65-8
Report Manager 66-8
file objects
attributes 32-22
selecting 32-24
files
deploying to 8-11
selecting or specifying 1-46
Filter Item dialog box 38-9
filter rules, event action (IPS)
attributes 38-9
configuring 38-4
example rule 65-58
exporting 38-4
policy 38-7
tips 38-6
filters
Event Viewer
clearing 65-44
column based 65-41
context menu 65-45
event based 65-43
overview 65-39
refreshing event list 65-40
selecting time range 65-39
text searches (quick filter) 65-43
using time slider 65-40
filtering selectors 1-40
filtering tables 1-43
HPM
column based 67-13
custom 67-13
filters (Event Viewer)
advantages of using network/host objects 65-58
overview 65-3
submission requirements for policy objects 65-59
Find and Replace dialog box 12-16
find and replace in rules policies 12-15
Find Map Node command 1-30
Find Node dialog box 33-12
Firewall
AAA IOS Timeout Values 14-26
firewall
AAA firewall
advanced settings 14-18
configuring 14-6
MAC exempt lists 14-22
AAA firewall policy
advanced settings 14-18
configuring 14-6
AAA page 14-24
AAA rules
configuring AAA firewall settings 14-6
configuring AuthProxy settings 14-8
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 14-4
configuring for IOS devices 14-7
configuring identity aware 13-21
managing 14-1
properties 14-12
understanding 14-1
understanding how users authenticate 14-2
Access Control page (IPv4 and IPv6) 15-20
access controls
per user downloadable ACLs 15-24
access control settings
configuring settings 15-19
access rule
event analysis example, user access blocked 65-50
finding from CS-MARS events 68-27
finding from Event Viewer events 65-48
viewing related CS-MARS events 68-24
access rules
address requirements 15-5
configuring 15-7
configuring expiration dates 15-19
configuring identity aware 13-21
how deployed 15-5
import examples 15-42
importing 15-37
IPS blocking, effect of 41-4
managing 15-1
optimizing during deployment 15-44
sharing ACLs among interfaces 11-12
understanding 15-1
understanding device-specific behavior 15-4
understanding global 15-3
understanding requirements when using inspection 16-4
ACL naming conventions 12-5
adding rules 12-9
analysis reports 15-30
AuthProxy
configuring 14-8
AuthProxy settings policy
configuring 14-8
botnet traffic filter rules 18-9
combining rules
example 12-26
interpreting results 12-24
procedure 12-21
configuring policies in Map view 33-22
configuring settings 17-15
configuring settings policies in Map view 33-23
conflict detection 15-24
deleting rules 12-9
device types 44-1
disabling rules 12-19
editing rules 12-9
enabling rules 12-19
finding and replacing items in rules policies 12-15
Firewall ACL Setting dialog box (IPv4 or IPv6) 15-22
hit count reports 15-32
identity-aware policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring rules 13-21
configuring the ASA 13-7
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-25, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Inspection page 16-85
inspection rules
add/edit rule wizard 16-10, 16-12, 16-15
choosing interfaces 16-2
configuring 16-5
configuring identity aware 13-21
managing 16-1
preventing DoS attacks on IOS devices 16-4
selecting protocols 16-3, 16-15
understanding 16-1
understanding access rule requirements 16-4
inspection settings
configuring for IOS devices 16-85
introduction 12-1
IPv6 access control settings
configuring settings 15-19
IPv6 access rules
configuring 15-7
configuring expiration dates 15-19
configuring identity aware 13-21
sharing ACLs among interfaces 11-12
understanding 15-1
understanding global 15-3
MAC exempt lists, AAA firewall 14-22
managing rules tables 12-7
moving rules 12-18
object groups
expanding during discovery 12-34
optimizing network object groups during deployment 12-33
overview 12-1
per user downloadable ACLs 15-24
policy discovery 5-13
policy query
example report 12-32
generating reports 12-27
interpreting results 12-31
preserving ACL names 12-4
reference information for AAA rules 14-18
resolving access rule conflicts 15-30
resolving ACL naming conflicts 12-6
rule table sections 12-19
system variables 7-10
transparent rules
adding or editing a rule 21-5
configuring 21-1
configuring passthrough for IOS devices 21-3
editing the EtherType 21-6
editing the mask 21-7
managing 21-1
Transparent Rules page 21-3
understanding NAT effects 12-3
understanding rule order 12-18
understanding rule processing order 12-2
using rules tables 12-7
Web Filter page 17-16
web filter rules
configuring for ASA, PIX, FWSM devices 17-2
configuring for IOS devices 17-10
managing 17-1
understanding 17-1
zone-based firewall
add/edit zones 20-51
advanced options 20-62
configuring PAM 20-64
configuring rules 20-12, 20-58
configuring settings 20-47
Content Filter tab 20-50
designing network zones 20-1
development overview 20-11
Global Parameters tab 20-48
page 20-48
protocol selection 20-63
rules table 20-56
tabs 20-47
VPN tab 20-48
WAAS tab 20-48
Zones tab 20-48
zone-based firewalls
changing the default drop rule 20-46
general recommendations 20-11
IPSec VPN 20-5
logging 20-1
overview 20-1
restrictions 20-3
Self zone 20-5
troubleshooting 20-52
understanding 20-3
understanding permit/deny and action 20-7
understanding services and protocols 20-10
VRF 20-6
Firewall AAA IOS Timeout Value Setting dialog box 14-26
Firewall AAA MAC Exempt Setting dialog box 14-23
Firewall ACL Setting dialog box 15-22
Firewall Device dialog box 41-14
Firewall Services Module
see FWSM 45-1
Fit to Window command 1-30
FlexConfig objects
adding to policies 7-38
ASA samples 7-23
Catalyst 6500/7600 samples 7-25
changing order in policies 7-38
changing variable values 7-38
Cisco IOS Software samples 7-25
CLI commands 7-2
configuring 7-28
configuring AAA for administrative introducers 59-84
creating 7-31
creating text objects 7-35
deleting variables 7-31
PIX firewall samples 7-26
previewing CLI 7-38
properties 7-33
property selector 7-37
removing from policies 7-38
router samples 7-26
samples 7-22
scripting language
example of looping 7-3
example of looping with if/else statements 7-4
example of two-dimensional looping 7-3
understanding 7-3
system variables
device 7-7
firewalls 7-10
remote access VPN 7-22
router 7-15
understanding 7-7
VPN 7-16
undefined variables 7-36
understanding 7-2
variables 7-5
variables, example 7-6
FlexConfig policies
adding objects 7-38
changing object order 7-38
changing variable values 7-38
configuring 7-28
configuring AAA for administrative introducers 59-84
editing 7-38
previewing CLI 7-38
removing objects 7-38
understanding 7-2
FlexConfig Policy page 7-39
FlexConfig Preview dialog box 7-41
FlexConfigs
creating (scenario) 7-28
managing 7-1
troubleshooting 7-41
FlexConfig Undefined Variables dialog box 7-36
float
report windows 66-25
view windows 65-34
floodguard 54-2
FQDN objects
creating 6-71
understanding 6-69
fragmentation
configuring settings in VPNs 24-36
fragments settings 54-2
frequently asked questions
policy discovery 5-25
FTP class map objects
creating 16-20
match criteria 16-36
FTP policy map objects
creating 16-20
match conditions and actions 16-36
properties 16-35
full mesh topologies
description 23-4
partial mesh 23-5
full tunnel client access mode 28-5
FWSM
AAA support 6-24
about 44-1
adding SSL thumbprints manually 9-4
adding when using multiple-context mode 3-7
adding when using non-default HTTPS (SSL) port 3-7
Asymmetric Routing Groups 44-5
Bridge Groups
add/edit 44-41
bridge groups 45-3
changing deployment method to serial for multiple-context mode 9-16
configuring for event management 65-25
configuring FWSM endpoints in site-to-site VPNs 23-45
configuring transparent firewall rules 21-1
credentials 3-16
deleting security contexts 56-7
deployment failures after changing interface policies 9-15
deployment failures in multiple-context mode 9-15
deployment failures with large ACLs 9-16
Device Access
managing Resources 49-2
Resources 49-3
Resources, add/edit 49-3
discovering failover modules 3-7
Event Viewer support 65-4
Failover 48-11
advanced settings 48-14
edit bridge group 48-15
including in deployment jobs 8-28
interfaces
add/edit 44-19
configuring 44-2
General tab 44-20
IPv6 44-29
IPv6, add/edit 44-33
IPv6, add/edit prefixes 44-34
managing 44-14
packet capture, using 68-8
PDM 68-11
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
security contexts
configuration 56-8
selecting policy types to manage 5-10
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-16
TCP State Bypass 55-3
troubleshooting deployment 9-15
G
General
PIX/ASA/FWSM
security policies 54-1
General Configuration tab, SNMP policy for IPS 34-10
General page, device properties 3-38
General tab (Translation Rules)
PIX/ASA/FWSM 22-30
General tab, IPS blocking policy 41-10
generic routers 3-8
GET VPN
anti-replay, time based 27-11
configuring 27-12
configuring global ISAKMP and IPsec settings 27-16
configuring group members 27-20
cooperative key servers 27-7
defining group encryption 23-51
generating, synchronizing RSA keys 27-13
group members
adding 27-19
editing 27-21
IKE proposal 27-15
key servers
adding 27-19
editing 27-19
mandatory and optional policies 23-6
migrating to 27-23
overview 27-1
receive-only SAs 27-23
registration
choosing the rekey transport mechanism 27-6
configuring fail-close mode 27-8
registration process 27-4
SAs
passive SA mode 27-23
receive-only mode 27-23
security policy 27-10
supported platforms 23-9
troubleshooting 27-25
understanding 27-2
GET VPNs
group encryption policies
certificate authorization 23-54
security associations 23-55
global correlation
configuring 40-1
configuring DNS servers 34-22
configuring HTTP proxy server 34-23
configuring inspection and reputation 40-5
configuring network participation 40-7
configuring with Botnet Traffic Filtering 40-1
data collected 40-3
requirements and limitations 40-4
understanding 40-1
understanding network participation 40-3
understanding reputation 40-2
Global Search
using 1-37
global settings
remote access VPN
configuring 24-26
Gnutella class map objects
creating 20-15
match criteria 20-19
GRE (generic routing encapsulation) VPN
advantages of IPsec tunneling with GRE 25-3
configuring 25-5
configuring GRE modes 25-6
dynamically addressed spokes 25-5
implementation 25-3
overview 25-1, 25-2
prerequisites for successful configuration 25-3
supported platforms 23-9
understanding 25-2
GRE Dynamic IP
mandatory and optional policies 23-6
GRE Modes Page
DMVPN properties 25-12
GRE or GRE Dynamic IP properties 25-6
overview 25-1
Group Domain of Interpretation (GDOI) protocol 27-3
group encryption
defining in GET VPN topologies 23-51
Group Encryption Policy page (GET VPN) 23-51
group members
adding 27-19
communication flow 27-2
configuring fail-close mode 27-8
editing 27-21
GET VPN
registration process 27-4
security policy ACLs 27-10
group members (GET VPN)
configuring 27-20
Group Members page (GET VPN) 27-20
group policies
configuring 29-21
creating 29-23
understanding 29-22
VPNs
configuring bookmarks 29-63
configuring portal appearance 29-59
configuring WINS servers for file system access 29-69
customizing 29-58
post URL method and macro substitutions in bookmarks 29-65
smart tunnels 29-66
Group Policies page 29-21
groups
adding or removing devices 3-57
creating 3-56
deleting 3-56
understanding 3-53
working with 3-53
group types
creating 3-55
deleting 3-56
GTP map objects
Add Country Network Codes dialog box 16-40
Edit Country Network Codes dialog box 16-40
GTP Map Timeouts dialog box 16-41
GTP policy map objects
creating 16-20
match conditions and actions 16-41
properties 16-38
H
H.323 class map objects
IOS
creating 20-15
match criteria 20-20
match criteria 16-46
H.323 policy map objects
ASA/PIX/FWSM
creating 16-20
properties 16-43
IOS
creating 20-15
match conditions and actions 20-33
match conditions and actions 16-46
hash algorithms
in IKE proposals 24-6
MD5 24-7
SHA 24-6
Health & Performance Monitor command 1-34
Health and Performance Monitor
see HPM 67-1
help
accessing 1-47
Help About This Page command 1-35
helper addresses 58-14
Help menu
Configuration Manager 1-34
Help Topics command 1-35
Hide Navigation Window command 1-30
high availability (HA groups)
configuring in Easy VPN 26-2
configuring in site-to-site VPN 23-49
stateful/stateless failover 23-51
high availability policies
configuring in remote access VPNs 31-11
Histogram dialog box 39-13
histograms
configuring anomaly detection 39-11
understanding anomaly detection 39-9
hit count
generating reports 15-32
Hit Count Query Results page 15-36
Hit Count Selection Summary Dialog Box 15-35
Hostname
PIX/ASA/FWSM 49-1
hostnames
Cisco IOS routers
defining 59-77
Hostname Policy page 59-78
overview 59-77
HPM
access control 67-3
Alerts
firewall 67-29
IPS 67-28
alerts 67-24
acknowledging 67-31
clearing 67-31
configuring 67-27
history 67-32
viewing 67-31
application window 67-6
Alerts display 67-25
Monitoring display 67-21
columns
Alert table 67-12
Device-related 67-8
showing/hiding 67-7
sorting 67-7
VPN-related 67-10
configuring for 67-4
custom views 67-20
device
monitoring 67-16
monitoring multiple contexts 67-3
priority monitoring 67-24
views 67-17
Device Manager
launching 67-3, 67-23
device manager
cross-launch 67-24
devices
managing 67-5
email notifications
configuring 67-27
filters
column based 67-13
introduction 67-1
launching 67-4
List Filter 67-15
monitoring
device details 67-23
device status list 67-22
RA and S2S views 67-24
Summary 67-22
overview 67-1
Remote Access
log-off user 67-24
settings page 11-24
tables
showing/hiding columns 67-7
sorting columns 67-7
trending 67-2
views
closing 67-18
custom 67-20
docking 67-19
floating 67-19
list 67-17
opening 67-18
tiling 67-19
HTTP
Cisco IOS routers
AAA tab 59-32
Command Authorization Override dialog box 59-34
defining policies 59-29
HTTP Policy page 59-31
overview 59-28
Setup tab 59-31
PIX/ASA/FWSM 47-2
configuration 47-2
HTTP (ASA, PIX) class map objects
creating 16-20
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 16-20
properties 16-48
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 16-20
properties 16-56
HTTP (IOS) class map objects
creating 20-15
creating for zone-based firewall content filtering 20-34
match criteria 20-20
HTTP (Zone Based IOS) policy map objects
creating 20-15, 20-34
match conditions and actions 20-33
HTTP class map objects
match criteria 16-57
HTTP-FORM
settings in AAA server objects 6-40
HTTP policy
overriding HTTPS port number 3-43
sharing
HTTPS port number 3-43
HTTP policy map objects
match conditions and actions 16-57
HTTP proxy server
configuring for IPS global correlation 34-23
HTTP Response Code 500 deployment errors 9-14
HTTPS
setting up 2-3
troubleshooting certificate errors 9-4
hub-and-spoke topology
description 23-2
joined hub-and-spoke topology 23-5
tiered hub-and-spoke topologies 23-5
I
ICMP rules
PIX/ASA/FWSM 47-3
add/edit 47-4
ICMP settings
configuring on IOS routers 58-18
icons
Configuration Manager toolbar reference 1-35
event table toolbar reference 65-14
Event Viewer status color code 65-28
map elements 33-13
ICQ class map objects
creating 20-15
match criteria 20-19
identity-aware firewall policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring rules 13-21
configuring the ASA 13-7
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-25, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Identity Configuration wizard
Active Directory Agent Settings 13-13
Active Directory Settings 13-11
Preview 13-15
Identity Settings page 11-25
identity user group objects
creating 13-19
selecting 13-21
user identity acquisition 13-2
idle timeout, Security Manager client 11-6
IDM
device manager 68-11
IDSM
adding when using non-default HTTPS (SSL) port 3-7
Create and Edit IDSM Data Port VLANs dialog boxes 64-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 64-49
credentials 3-16
defining Data Port VLANs 64-46
defining EtherChannel VLANs 64-44
deleting Data Port VLANs 64-47
deleting EtherChannel VLANs 64-45
deployment failures when changing data port VLAN running mode 9-16
IDSM Settings page 64-47
IDSM Slot-Port Selector dialog box 64-50
mode support limitations 64-43
troubleshooting deployment 9-15
understanding settings on Catalyst devices 64-43
IGMP
PIX/ASA/FWSM
Access Group parameters 52-5
Access Group tab 52-5
enable 52-1
Join Group parameters 52-7
Join Group tab 52-7
page 52-2
parameters 52-4
Protocol tab 52-3
Static Group parameters 52-6
Static Group tab 52-6
ignore error message, configure Security Manager to 9-9
IKE (Internet Key Exchange)
comparing version 1 and 2 24-4
configuring IKE and IPsec policies 24-1
configuring IKEv2 authentication 24-58
configuring proposal 24-9
Diffie-Hellman modulus groups 24-7
encryption algorithms 24-6
hash algorithms 24-6
IKEv2 Authentication policy 24-60, 24-62
overview 24-2
selecting the IKE version for devices in site to site VPNs 24-22
understanding 24-5
IKE keepalive
understanding 24-27
IKE proposal objects
v1 properties 24-10
v2 properties 24-13
IKE proposals (policies)
in GET VPNs 27-15
IKEv2 Authentication dialog box 24-62
IKEv2 Authentication page 24-60
IKEv2 settings
configuring 24-30
configuring cookie challenges 24-30
IM (ASA7.2+/PIX7.2+) policy map objects
creating 16-20
properties 16-62
IM (IOS) policy map objects
creating 16-20
properties 16-65
IM (Zone Based IOS) policy map objects
creating 20-15
match conditions and actions 20-33
IM (Zone based IOS) policy map objects
creating 20-15
Image Management 69-1
supported versions 69-2
image management
abort installation job 69-28
Image Manager 69-7, 69-12, 69-25
Getting Started 69-1
settings 11-27
supported image types 69-2
supported platforms 69-2
image manager 69-11
Add Image 69-8
bundle 69-9
bundled images 69-23
compatible images 69-13
configuring install location 69-14
create bundle 69-10
delete bundle 69-12
deleting images from a bundle 69-12
device information 69-12
device memory 69-14
Installation Job Summary 69-26
installation wizard 69-19
installing compatible images on devices 69-24
installing images on selected devices 69-25
job approval workflow 69-29
RAM 69-13
renaming a bundle 69-11
retry on installation failure 69-28
roll back 69-29
update validation 69-17
updating images on devices 69-15
view installation job details 69-27
Image Manager command 1-34
images
view 69-7
image updates 69-15
IMAP
configuring for inspection rules 16-18
IMAP class map objects
creating 20-15
match criteria 20-22
IM applications
match conditions for zone-based firewalls 20-19
protocol information for IM application inspection 20-31
IMAP policy map objects
creating 20-15
match conditions and actions 20-33
IM class map objects
creating 16-20
match criteria 16-63
IM policy map objects
match conditions and actions 16-63
import
device inventory 3-27
device with policies 10-14
policy objects 6-20
Import Background Image dialog box 33-12
Import Rules wizard
Enter Parameters page 15-39
Preview page 15-41
Status page 15-40
inheritance
inheriting rules 5-43
understanding 5-4
understanding signature policies 37-2
versus assignment 5-6
Inherit Rules command 1-29
Inherit Rules dialog box 5-43
Inspect/Application FW Rule wizard
Address and Port page 16-12
Inspected Protocol page 16-15
Match Traffic page 16-10
inspection
global correlation (IPS)
configuring 40-5
inspection map objects
understanding 6-67
inspection rules
ACL naming conventions 12-5
add/edit rule wizard 16-10, 16-12, 16-15
choosing interfaces 16-2
configuring 16-5
configuring custom protocol name 16-19
configuring DNS settings 16-16
configuring ESMTP settings 16-17
configuring fragment inspection 16-18
configuring identity aware 13-21
configuring in Map view 33-22
configuring RPC settings 16-19
configuring settings for IOS devices 16-85
configuring settings in Map view 33-23
configuring SMTP settings 16-17
deep inspection options
IMAP 16-18
POP3 16-18
deleting 12-9
disabling 12-19
editing 12-9
enabling 12-19
Inspection Rules page 16-7
managing 16-1
moving 12-18
preserving ACL names 12-4
preventing DoS attacks on IOS devices 16-4
selecting protocols 16-3, 16-15
understanding 16-1
understanding access rule requirements 16-4
understanding NAT effects 12-3
understanding processing order 12-2
Inspection Rules page 16-7
Inspection settings page 16-85
inspect maps
policy maps
Add Country Network Codes dialog box 16-40
Edit Country Network Codes dialog box 16-40
Inspect parameter map objects
properties 20-29
Inspect Parameters map objects
creating 20-15, 20-34
installing
Security Manager client 1-10
Integrated Local Management Interface (ILMI) 58-49
Interactive Authentication Configuration dialog box 14-20
Interface Name Conflict dialog box 6-66
Interface Properties dialog box 33-18
Interface Role Contents dialog box 12-14
interface role objects
creating 6-63
defining subinterfaces 6-65
distinguishing from interfaces 6-65
handling conflicts between role and interface names 6-66
Interface Role dialog box 6-64
specifying during policy definition 6-65
understanding 6-62
use when a single interface name is allowed 6-66
interfaces
adding or changing modules 3-37
ASA
edit EtherChannel-assigned interface 44-11
EtherChannels 44-8, 44-12
LACP 44-11
ASA/FWSM
IPv6 44-29
IPv6, add/edit 44-33
IPv6, add/edit prefixes 44-34
ASA 5505 44-6
ASA devices
Advanced tab 44-27
IP Type 44-36
Catalyst switches and 7600 Series routers
Access Port Selector dialog box 64-30
Create and Edit Interface dialog boxes-Access Port mode 64-9
Create and Edit Interface dialog boxes-Dynamic Port mode 64-18
Create and Edit Interface dialog boxes-Other mode 64-24
Create and Edit Interface dialog boxes-Routed Port mode 64-12
Create and Edit Interface dialog boxes-subinterfaces 64-22
Create and Edit Interface dialog boxes-Trunk Port mode 64-14
Create and Edit VLAN dialog boxes 64-28
Create and Edit VLAN Group dialog boxes 64-34
defining ports 64-5
deleting ports 64-7
generating names 64-6
Interfaces/VLANs page-Interfaces tab 64-7
Interfaces/VLANs page-Summary tab 64-3
Interfaces/VLANs page-VLAN Groups tab 64-33
Interfaces/VLANs page-VLANs tab 64-27
Service Module Slot Selector dialog box 64-35
Trunk Port Selector dialog box 64-31
understanding 64-5
VLAN Selector dialog box 64-35
Cisco IOS routers
Advanced Interface Settings dialog box 58-16
Advanced Interface Settings page 58-15
available types 58-2
Create Router Interface dialog box 58-8
defining advanced settings 58-13
defining basic settings 58-3
defining CEF interface settings 58-24
defining IPS module settings 58-22
deleting from 58-6
generating names 58-4
Interface Auto Name Generator dialog box 58-12
overview 58-1
Router Interfaces page 58-7
understanding helper addresses 58-14
configuring IOS IPS rules 43-8
configuring multiple contexts 56-2
distinguishing from interface roles 6-65
failover
MAC address 48-21
PIX/ASA/FWSM 48-22
PIX 6.3 48-10
IPS
configuring 35-6
configuring bypass mode 35-12
configuring CDP mode 35-13
configuring inline interface pairs 35-13
configuring inline VLAN pairs 35-14
configuring physical 35-10
configuring VLAN groups 35-15
deploying VLAN groups 35-5
inline interface mode 35-3
inline VLAN pair mode 35-3
interfaces policy 35-6
managing interface configurations 35-1
physical interface properties 35-11
promiscuous mode 35-2
roles 35-1
sensing modes overview 35-2
understanding 35-1
viewing summary 35-8
VLAN group mode 35-4
IP Type
PIX 6.3 44-18
PIX/ASA
allocation in security contexts 56-11
IP Type 44-36
PPPoE Users 44-44
redundant 44-7
subinterfaces 44-7
VPDN groups 44-45
PIX/ASA/FWSM
add/edit 44-19
Advanced settings 44-42
configuring 44-2
contexts 44-5
DDNS update rules 50-16
enabling traffic between same security levels 44-43
General tab 44-20
manage 44-14
management access 47-5
understanding 44-3
PIX/ASA 7+ devices
MAC address 44-38
PIX 6.3
add/edit 44-15
routed and transparent 44-4
specifying during policy definition 6-65
specifying subinterfaces 6-65
throughput delay 58-18
Interface Selector dialog box (VLAN ACL Content) 64-42
Interfaces page (IPS) 35-6
Interface Specific Authentication Server Groups dialog box 29-13
Interface Specific Client Address Pools dialog box 29-10
inventory
deleting devices from 3-51
export devices
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-5
supported CSV formats 10-8
using command line utility 10-9
import devices
device with policies 10-14
inventory, device
adding devices 3-6
adding devices from configuration files 3-18
adding devices from inventory file 3-27
adding devices from network 3-9
adding devices manually 3-23
managing 3-1
testing device connectivity 9-1
troubleshooting device discovery failures 3-7
understanding 3-1
understanding contents 3-3
understanding generic devices 3-8
viewing inventory status 68-16
working with 3-32
Inventory Status command 1-32
Inventory Status window 68-16
Inverse ARP 58-60
inverse multiplexing over ATM (IMA) 58-39
IOS devices
configuring transparent firewall rules 21-1
remote access IPSec VPNs
user group policies 31-13
remote access IPsec VPNs
creating using wizard 28-35
remote access SSL VPNs
configuring bookmarks 29-63
configuring WINS servers for file system access 29-69
creating using wizard 28-31
remote access VPNs
configuring SSL VPN policies 31-14
Context Editor dialog box (IOS) 31-15, 31-16
Dynamic VTI/VRF Aware IPsec settings 31-7
high availability 31-11
IPsec proposals 31-4
SDM 68-12
IOS IPS
effect of load balancing 43-7
comparing to IPS appliances and service modules 34-1
configuration files 43-3
configuration overview 43-3
configuring 43-1
configuring general settings 43-7
configuring interface rules 43-8
configuring target value ratings 38-15
event actions
filter rule attributes 38-9
filter rules 38-4, 38-7
filter rules tips 38-6
network information 38-14
overrides 38-13
overview 38-1
possible actions 38-2
process overview 38-1
settings 38-21
getting started 34-1
initial preparation of router 43-5
lightweight signature engines 43-2
limitations and restrictions 43-3
selecting signature category 43-6
signatures
adding custom 37-15
cloning 37-18
configuring 37-3
defining 37-1
detailed information 37-2
editing 37-11
editing Meta engine component list 37-25
editing or tuning parameters 37-18
enabling or disabling 37-10
engines 37-16
exporting 37-6
inheritance 37-2
parameters list 37-20
policy 37-4
shortcut menu 37-7
understanding 37-1
viewing update level 37-9
understanding 43-1
understanding subsystems and revisions 43-2
IOS Software Release 12.1 and 12.2
managing routers 57-2
IOS Web Filter Exclusive Domain Name dialog box 17-14
IOS Web Filter Rule and Applet Scanner dialog box 17-13
IP address
supporting dynamic 3-33
IP addresses
network masks 6-70
specifying in policies 6-76
specifying IPv6 in policies 6-77
IP Options policy map objects
creating 16-20
properties 16-66
IPS
IPS Module router interface settings policies 58-22
MPC rule wizard
tab 55-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 55-5
IPS alerts
properties 65-16
IPS Certificates dialog box 42-9
IPS command 1-31
IPS Devices
selecting for Event Viewer 65-30
IPS devices
adding SSL thumbprints manually 9-4
allowed hosts 34-7
anomaly detection
configuring 39-6
configuring histograms 39-11
configuring learning accept mode 39-8
configuring signatures 39-4
configuring thresholds 39-11
detection zones 39-3
managing 39-1
modes 39-2
understanding 39-1
understanding histograms 39-9
understanding thresholds 39-9
understanding worms 39-2
when to turn off 39-4
blocking
configuring 41-7
configuring ARC 41-1
configuring blocking devices 41-14
configuring master blocking sensors 41-13
configuring never block hosts and networks 41-17
configuring router blocking interfaces 41-15
configuring user profiles 41-12
configuring VLAN blocking interfaces 41-16
general options 41-10
master blocking sensor 41-6
policy 41-8
rate limiting 41-4
router and switch blocking devices 41-4
strategies 41-3
understanding 41-1
capturing network traffic 34-2
certificates 42-9
changing those selected for reports 66-21
configuration overview 34-5
configuration overview for IOS IPS 43-3
configuring AAA 34-19
configuring Analysis Engine global variables 34-26
configuring DNS servers 34-22
configuring for event management 65-26
configuring for report management 66-3
configuring HTTP proxy server 34-23
configuring NTP 34-21
configuring OS maps 38-18
configuring SNMP 34-8
configuring target value ratings 38-15
configuring the external product interface 34-23
configuring user accounts 34-16
credentials, IPS router modules 3-17
deployment of passwords 34-15
deployment topology 34-4
discovery of passwords 34-15
event actions
example filter rule 65-58
filter rule attributes 38-9
filter rules 38-4, 38-7
filter rules tips 38-6
network information 38-14
overrides 38-13
overview 38-1
possible actions 38-2
process overview 38-1
settings 38-21
Event Viewer support 65-4
getting started 34-1
global correlation
configuring 40-1
configuring inspection and reputation 40-5
configuring network participation 40-7
data collected 40-3
requirements and limitations 40-4
understanding 40-1
understanding network participation 40-3
understanding reputation 40-2
initializing 2-12
interfaces
configuring 35-6
configuring bypass mode 35-12
configuring CDP mode 35-13
configuring inline interface pairs 35-13
configuring inline VLAN pairs 35-14
configuring physical 35-10
configuring VLAN groups 35-15
deploying VLAN groups 35-5
inline interface mode 35-3
inline VLAN pair mode 35-3
interfaces policy 35-6
managing interface configurations 35-1
physical interface properties 35-11
promiscuous mode 35-2
roles 35-1
sensing modes overview 35-2
understanding 35-1
viewing summary 35-8
VLAN group mode 35-4
IPS modules for ASA 55-13
license, exporting 11-38
licenses
automating 42-3
managing 42-1
redeploying 42-2
updating 42-1
looking up signature policies for CS-MARS events 68-27
looking up signature policies for Event Viewer events 65-48
managing 42-1
managing user accounts and passwords 34-13
monitoring
removing false positive IPS events 65-57
passive OS fingerprinting 38-17
password requirements 34-18
policy discovery 5-13
rebooting 42-11
Report Manager reports
general VPN reports 66-17
IPS top reports 66-16
rollback restrictions 8-62
showing containment 3-50
signatures
adding custom 37-15
cloning 37-18
configuring 37-3
configuring settings 37-26
defining 37-1
detailed information 37-2
editing 37-11
editing Meta engine component list 37-25
editing or tuning parameters 37-18
enabling or disabling 37-10
engines 37-16
exporting 37-6
inheritance 37-2
parameters list 37-20
policy 37-4
shortcut menu 37-7
understanding 37-1
viewing update level 37-9
SSL certificate configuration 11-16
traffic flow notifications 34-26
tuning recommendations 34-4
understanding managed and unmanaged passwords 34-14
understanding network sensing 34-1
understanding user roles 34-13
updates
automatically applying 42-6
checking for and downloading 42-5
configuring server 42-4
managing 42-4
manually applying 42-7
user account attributes 34-17
viewing signature events in CS-MARS 68-26
virtual sensors
advantages 36-3
assigning interfaces 36-4
attributes 36-7
configuring 36-1, 36-5
deleting 36-10
editing policies 36-9
identifying 36-5
inline TCP session tracking mode 36-3
Normalizer mode 36-4
renaming 36-8
restrictions 36-3
understanding 36-1
IPsec
remote access VPNs
access policies for IKEv2 (ASA), configuring 29-36
access policies for IKEv2 (ASA), reference 29-33
access policies for IKEv2 (ASA), understanding 29-32
certificate to connection profile map policy (IKEv1) 29-25
certificate to connection profile map rules (IKEv1) 29-26
cluster load balancing 29-4, 29-5
configuring IKE and IPsec policies 24-1
connection profiles 29-6
connection profiles (ASA, PIX 7+) 29-8
creating on ASA/PIX 7.0+ 28-24
creating on IOS/PIX 6.3+ 28-35
dynamic access policies 30-1, 30-2
dynamic access policy (DAP) attributes 30-3, 30-8
Dynamic Access policy page (ASA) 30-11
Dynamic VTI/VRF Aware IPsec settings 31-7
fragmentation settings 24-36
global settings 24-26
group policies, configuring 29-21
group policies, creating 29-23
group policies, understanding 29-22
high availability policies 31-11
IKE proposals 24-9
IKEv2 settings 24-30
ISAKMP/IPsec settings 24-26
NAT settings 24-34
public key infrastructure (PKI) policies 24-48
secure desktop manager policies 30-9
understanding 28-2
understanding IKE 24-5
understanding NAT settings 24-33
user group policies 31-13
VPNSM, VPN SPA, VSPA settings 31-6
wizard 28-13
IPsec/GRE VPN
advantages of IPsec tunneling with GRE 25-3
configuring 25-5
configuring GRE modes 25-6
dynamically addressed spokes 25-5
implementation 25-3
overview 25-1, 25-2
prerequisites for successful configuration 25-3
supported platforms 23-9
understanding 25-2
IPSec Client Software Update dialog box 29-18
IPsec Pass Through policy map objects
creating 16-20
properties 16-71
IPsec Proposal Editor dialog box
ASA and PIX 7.0+ devices 29-30
IOS and PIX 6.3 devices 31-4
IPsec proposals
configuring for Easy VPN 26-10
configuring for remote access VPNs
attributes for ASA and PIX 7.0+ devices 29-30
attributes for IOS and PIX 6.3 devices 31-4
configuring in site-to-site VPNs 24-19
overview 24-2
remote access VPNs
attributes for ASA and PIX 7.0+ devices 29-30
attributes for IOS and PIX 6.3 devices 31-4
configuring for ASA and PIX 7.0+ devices 29-29
configuring for IOS and PIX 6.3 devices 31-3
selecting the IKE version for devices 24-22
understanding 24-16
understanding crypto maps 24-17
understanding site-to-site 24-16
understanding transform sets 24-17
using reverse route injection 24-18
IPsec technologies
defining 23-30
mandatory and optional policies 23-6
policies 23-5
supported platforms 23-9
supported platforms for remote access VPNs 28-8
understanding 23-5
IPSec transform set objects
attributes 24-23
understanding 24-17
IPSec VPN
zone-based firewalls 20-5
IPS event
definition of 38-1
IPS interfaces
IPS Monitoring Information dialog box 58-23
IPS module
credentials 3-17
IPS Module Discovery dialog box 3-17
IPS Module interface settings policies 58-22
IPS Rules dialog box 43-9
IPS sensor
IDM 68-11
IPS sensors
default transport protocol 11-16
IPS signatures
finding from CS-MARS events 68-27
finding from Event Viewer events 65-48
tuning 65-57
viewing related CS-MARS events 68-26
IPS tab, Licensing page 11-36
IPS Updates page 11-28
IP Type
interface configuration
ASA and PIX 7+ 44-36
PIX 6.3 44-18
IPv6
interfaces
add/edit 44-33
add/edit prefixes 44-34
ASA/FWSM 44-29
management IPv4 address requirements 1-7
Neighbor cache 45-6
specifying addresses in policies 6-77
support in Security Manager 1-7
IPv6 access controls
configuring settings 15-19
IPv6 Access Control Settings page 15-20
IPv6 access rules
access control settings 15-20, 15-22
Access Rules page 15-9
ACL naming conventions 12-5
Advanced dialog box 15-16
configuring 15-7
configuring access control settings 15-19
configuring identity aware 13-21
deleting 12-9
disabling 12-19
Edit Firewall Rule Expiration dialog box 15-18
editing 12-9
enabling 12-19
expiration dates 15-19
identity-aware rules
requirements 13-3
moving 12-18
preserving ACL names 12-4
rule attributes 15-12
sharing ACLs among interfaces 11-12
understanding 15-1
understanding global 15-3
understanding processing order 12-2
IPv6 Access Rules page 15-9
IPv6 Firewall ACL Setting dialog box 15-22
IPv6 policy map objects
match conditions and actions 16-69
properties 16-68
IPv6 static routes
PIX/ASA/FWSM
configuration 53-32
ISAKMP/IPsec settings
configuring 24-26
ISR
zone-based firewall
restrictions 20-3
J
job deployment methods
understanding 8-8
jobs
aborting 8-51
approving 8-39
creating and editing deployment in non-Workflow mode 8-29
creating and editing deployment in Workflow mode 8-36
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
rejecting 8-39
states
Workflow mode 8-6
submitting 8-39
joined hub-and-spoke topology 23-5
Join Group tab (IGMP) 52-7
JumpStart 1-21
Jumpstart command 1-35
K
Kazaa2 class map objects
creating 20-15
match criteria 20-19
Kerberos
configuring constrained delegation (KCD) 29-53
description 6-24
settings in AAA server objects 6-34
understanding constrained delegation (KCD) 29-51
key encryption key (KEK), GET VPN 27-4
key servers
adding 27-19
choosing the rekey transport mechanism 27-6
communication flow 27-2
cooperative, for redundancy 27-7
editing 27-19
generating, synchronizing RSA keys 27-13
registration failures 27-8
registration process 27-4
security policy ACLs 27-10
key servers (GET VPN)
configuring 27-18
Key Servers page (GET VPN) 27-18
Key Servers Selection dialog box 27-21
knowledge base structure (IPS) 39-8
L
LACP
interface assigned to an EtherChannel 44-11
large scale Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 23-6
Launch menu 1-33
Report Manager 66-8
LDAP
settings in AAA server objects 6-35
LDAP Attribute Map objects
attributes 6-41
learning accept mode (IPS), configuring 39-8
licenses
configuring for ASA devices 2-11
configuring for IOS devices 2-12
exporting IPS 11-38
IPS
automating 42-3
managing 42-1
redeploying 42-2
updating 42-1
Security Manager 10-16
License Update Status Details dialog box 11-39
licensing
Settings page 11-35
Lightweight Directory Access Protocol (LDAP)
description 6-25
lightweight signature engines 43-2
line access
Cisco IOS routers
Console Policy page 59-42
overview 59-35
VTY Policy page 59-50
Link Aggregation Control Protocol 44-11
Link Properties dialog box 33-19
load balancing
configuring in large scale DMVPN 25-16, 25-17
configuring IOS IPS deny actions 43-7
server attributes in large scale DMVPN 25-17
Local Policy Will Be Replaced dialog box 5-41
Local Web Filter class map objects
match criteria 20-27
Local web filter class map objects
creating 20-34
Local Web Filter parameter map objects
properties 20-36
Local web filter parameter map objects
creating 20-34
locking
activities 4-3
devices and policies 5-9
objects 5-10
understanding 5-7
VPN topologies 5-9
Log Buffer window 68-14
logging
Cisco IOS routers
defining NetFlow interfaces 61-15
defining NetFlow parameters 61-6
defining syslog servers 61-3
Logging Setup Policy page 61-7
NetFlow policy page 61-12
overview 61-1
Syslog Server dialog box 61-11
Syslog Servers Policy page 61-10
syslog setup parameters 61-1
syslog severity levels 61-4
PIX/ASA/FWSM 51-1
email notifications 51-2
email recipients 51-3
event lists 51-4
event lists, add/edit 51-5
filters 51-7
filters, editing 51-8
levels 51-17
logging setup 51-9
message classes and IDs 51-4
message editing 51-18
message limits 51-13
message limits, add/edit 51-13
NetFlow 51-1
NetFlow, add/edit collector 51-2
rate limit levels 51-12
rate limits, add/edit 51-14
server 51-16
server setup 51-15
set-up 51-10
syslog class 51-6
syslog message ID 51-6
syslog servers 51-19, 51-20
syslog servers, add/edit 51-21
syslog messages supported for CS-MARS queries 68-28
logging in to
Cisco Security Management Suite server 1-9
CiscoWorks Common Services 1-9
logging into
Security Manager 1-8, 1-10
Logging page, IPS platform 34-26
logs
configuring audit log default settings 11-40
configuring debug levels 11-8
Logs page 11-40
loopback cells 58-50
low-latency queuing (LLQ) 62-5
M
MAC address
interface configuration
ASA and PIX 7+ 44-38
PIX/ASA/FWSM
add/edit 45-8
interface 48-21
learning 45-8
learning, enable/disable 45-9
table 45-7
MAC exempt lists
configuring 14-6, 14-22
rule attributes 14-23
Maintenance Operation Protocol (MOP), enabling 58-19
Management Access
PIX/ASA/FWSM
interface 47-5
management address
requirements for IPv6 devices 1-7
Management Center for Cisco Security Agents
configuring connection to IPS devices 34-23
connection attributes 34-24
posture ACLs 34-26
Management IP address
PIX/ASA/FWSM 45-10
Management IPv6
ASA 5505 45-10
Manage menu 1-30
Map menu 1-29
map objects
class maps
creating for inspection rules 16-20
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
parameter maps
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
Inspect properties 20-29
Local Web Filter properties 20-36
N2H2 properties 20-37
Protocol Info properties 20-31
Trend properties 20-40
URLF Glob properties 20-43
URL Filter properties 20-41
Websense properties 20-37
policy maps
creating for inspection rules 16-20
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
DCE/RPC properties 16-24
DNS properties 16-26
ESMTP properties 16-32
FTP properties 16-35
GTP properties 16-38
H.323 (ASA/PIX/FWSM) properties 16-43
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties 16-48
HTTP (ASA7.2+/PIX7.2+) properties 16-56
IM (ASA7.2+/PIX7.2+) properties 16-62
IM (IOS) properties 16-65
IP Options properties 16-66
IPsec Pass Through properties 16-71
IPv6 properties 16-68
NetBIOS properties 16-72
regular expression group properties 16-81
regular expression properties 16-82
SIP (ASA/PIX/FWSM) properties 16-73
Skinny properties 16-77
SNMP properties 16-80
TCP Map properties 55-20
Web Filter properties 20-45
regular expression objects
metacharacters 16-83
understanding 6-67
Map Properties command 1-30
Map Rule dialog box
connection profile map matching rules 29-29
connection profile maps 29-28
maps
access permissions 33-7
adding existing managed devices 33-15
adding new managed devices 33-15
arranging elements 33-10
background color 33-13
background images
deleting 33-13
importing 33-13
scale and position 33-13
setting 33-12
centering elements 33-11
changing the zoom level 33-11
class maps
Class Map dialog box 16-23, 20-17
creating 33-8
default map 33-8
deleting 33-10
displaying devices from Device View 33-15
displaying managed devices 33-15
displaying your network 33-13
elements, understanding 33-13
excluding private and reserved networks 11-2
exporting 33-10
icons 33-13
layer 3 links
autolink settings 11-2
creating 33-18
deleting 33-19
layouts, using 33-10
linking maps 33-12
navigation window 33-4
objects
adding 33-16
deleting 33-16
opening 33-9
overview 33-1
panning 33-11
refreshing 33-1
removing managed devices 33-15
renaming 33-9
saving 33-9
searching for nodes 33-12
selecting elements 33-11
setting background 33-12
showing containment for Catalyst, ASA, PIX, IPS devices 33-16
understanding 33-1
undocking window 33-2
working with 33-8
Map Settings dialog box 33-12
Map View
cloning devices 33-22
configuring firewall policies 33-22
configuring firewall settings policies 33-23
context menu
Layer 3 link 33-6
managed device node 33-4
map background 33-7
map objects 33-6
selected nodes 33-5
VPN connection 33-6
device policies, managing 33-21
discovering device configurations 33-22
icons for elements 33-13
main page 33-2
menus, context 33-4
navigation window 33-4
performing basic policy management 33-22
previewing device configurations 33-22
sharing device policies 33-22
toolbar reference 33-3
VPNs
creating 33-21
displaying existing 33-20
editing or showing peers 33-21
editing policies 33-21
managing 33-20
Map view
Autolink Settings page 11-2
copying between devices 33-22
overview 1-14, 33-1
Map View command 1-28
master blocking sensor 41-6
Master Blocking Sensor dialog box 41-13
maximum receive reconstructed unit (MRRU) 58-81
maximum segment size (MSS) 58-17
MBoundary
PIX/ASA/FWSM
configuration 52-9
interface configuration 52-10
MD5 hash algorithm 24-7
memory-allocation lite 59-80
memory settings
Cisco IOS routers
defining 59-78
overview 59-78
Memory Policy page 59-79
menu reference
Activities 1-32
Configuration Manager overview 1-26
Edit (Configuration Manager) 1-28
File (Configuration Manager) 1-26
File (Event Viewer) 65-8
File (Report Manager) 66-8
Help (Configuration Manager) 1-34
Launch 1-33
Launch (Report Manager) 66-8
Manage 1-30
Map 1-29
Policy (Configuration Manager) 1-29
Tickets 1-33
Tools (Configuration Manager) 1-31
Tools (Report Manager) 66-8
View (Configuration Manager) 1-28
View (Event Viewer) 65-9
message
editing
PIX/ASA/FWSM 51-18
PIX/ASA/FWSM
limits 51-13
limits, add/edit 51-13
rate limits, add/edit 51-14
message classes and IDs
PIX/ASA/FWSM 51-4
metacharacters
URLF Glob parameter maps 20-44
Modify Access List dialog box (Allowed Hosts policy) 34-7
Modify Physical Interface Map dialog box 35-11
monitoring
CS-MARS
integrating with Security Manager 68-18
device managers, using 68-10
device status 68-1
network activities 68-1
Move Row Down command 1-28
Move Row Up command 1-28
MPC
a.k.a. Modular Policy Framework 55-6
MRoute
PIX/ASA/FWSM
configuration 52-8
MRoute page
description 52-8
MSN Messenger class map objects
creating 20-15
match criteria 20-19
multicast
PIX/ASA/FWSM
Enable PIM and IGMP 52-1
IGMP Access Group parameters 52-5
IGMP Access Group tab 52-5
IGMP Join Group parameters 52-7
IGMP Join Group tab 52-7
IGMP parameters 52-4
IGMP Protocol tab 52-3
IGMP Static Group parameters 52-6
IGMP Static Group tab 52-6
MBoundary configuration 52-9
MBoundary interface configuration 52-10
MRoute configuration 52-8
Multicast Boundary Filter page 52-9
Multicast Group, add/edit 52-19
Multicast Group rule 52-17
PIM Bidirectional Neighbor Filter 52-14
PIM Bidirectional Neighbor Filter tab 52-13
PIM Neighbor Filter 52-13
PIM Neighbor Filter tab 52-12
PIM page 52-11
PIM Protocol dialog box 52-12
PIM Protocol tab 52-11
PIM Rendezvous Point, add/edit 52-16
PIM Rendezvous Points tab 52-15
PIM Request Filter tab 52-18
PIM Route Tree tab 52-17
Multicast Boundary Filter page
description 52-9
multicast rekey in GET VPN 27-6
multicast routing
PIX/ASA/FWSM
configuring on 52-1
IGMP 52-2
multicast boundary filters 52-9
multicast routes 52-8
PIM 52-11
Multiclass Multilink PPP (MCMP) 58-74
multilink PPP (MLP) 58-70
defining bundles 58-74
multiple users
activities 4-4
tickets 4-4
N
N2H2 (Smartfilter)
configuring for web filter rules policies 17-15, 17-19
configuring for zone based firewall rules policies 20-34, 20-37, 20-39
N2H2 class map objects
creating 20-34
match criteria 20-28
N2H2 parameter map objects
creating 20-34
properties 20-37
NAC
posture validation not occurring 9-14
NAT
VPN traffic sent unencrypted 9-14
NBAR
enabling protocol discovery 58-19
Neighbor cache 45-6
Neighbor Filter
PIM
PIX/ASA/FWSM 52-13
Neighbor Filter tab
PIM 52-12
NetBIOS logout probe
configuring 13-15
requirements 13-5
NetBIOS policy map objects
creating 16-20
properties 16-72
NetFlow
Cisco IOS routers 61-1, 61-5
interface settings 61-15
configuring
on Cisco IOS routers 61-6
CS-MARS query 68-29
IOS routers 61-12
PIX/ASA/FWSM 51-1
add/edit collector 51-2
network/host-IPv6 objects
attributes 6-73
creating 6-71
understanding 6-69
unspecified value objects 6-75
network/host objects
attributes 6-73
attributes, NAT 22-42
creating 6-71
naming when provisioned as object groups 6-84
network masks 6-70
optimizing when deploying firewall rules 12-33
understanding 6-69
unspecified value objects 6-75
using in Event Viewer filters 65-58
network access device (NAD) 60-9
Network Address Translation (NAT)
ASA 8.3+
Add/Edit NAT rules dialog boxes 22-35
Translation Rules page 22-32
understanding 22-3
ASA 8.3 devices 22-32
Cisco IOS routers 22-5
Dynamic Rule dialog box 22-11
dynamic rules 22-10
Interface Specification 22-5
Static Rule dialog box 22-7
static rules 22-6
Static Rules tab 22-6
timeouts 22-13
configuring global options for VPNs 24-34
non-ASA 8.3 devices 22-17
No Proxy ARP 22-40
PAT pool 22-41
PIX/ASA/FWSM
Address Pool dialog box 22-17
Address Pools page 22-17
Advanced NAT Options dialog box 22-28
configuring on 22-15
configuring translation rules 22-18
Dynamic Rules dialog box 22-21
Dynamic Rules tab 22-21
General tab 22-30
non ASA 8.3 22-17
Policy Dynamic Rules dialog box 22-24
Policy Dynamic Rules tab 22-23
Select Address Pool 22-22
Static Rules dialog box 22-26
Static Rules tab 22-25
Translation Exemptions (NAT 0 ACL) dialog box 22-20
Translation Exemptions (NAT 0 ACL) tab 22-19
Translation Options page 22-15
Translation Rules page 22-18
translation types 22-3
transparent mode 22-15
understanding 22-2
round robin allocation 22-41
understanding NAT effects on firewall rules 12-3
understanding NAT settings for VPNs 24-33
understanding NAT traversal 24-34
Network Admission Control (NAC)
Cisco Trust Agent 60-9
components 60-9
defining identity parameters 60-13
defining interface parameters 60-11
defining setup parameters 60-10
Identities tab 60-18
Identity Action dialog box 60-19
Identity Profile dialog box 60-19
Interface Configuration dialog box 60-17
Interfaces tab 60-16
NAC Policy page 60-14
network access device (NAD) 60-9
on Cisco IOS routers 60-8
Setup tab 60-14
supported platforms 60-8
understanding system flow 60-9
Network Information page (IPS) 38-14
network masks
discontiguous 6-70
discovering 6-70
displaying 6-71
understanding 6-70
network participation, IPS
configuring 40-7
data collected 40-3
requirements and limitations 40-4
understanding 40-3
understanding global correlation 40-1
understanding reputation 40-2
network sensing
capturing network traffic 34-2
deployment topology 34-4
overview 34-1
tuning recommendations 34-4
Network Time Protocol (NTP)
Cisco IOS routers
creating NTP servers 59-97
NTP Policy page 59-98
NTP Server dialog box 59-99
overview 59-96
Never Block Host dialog box 41-17
Never Block Network dialog box 41-17
New Activity command 1-32
New Device command 1-26
New Device Groups command 1-27
New Device wizard
Choose Method page 3-6
Device Grouping page 3-45
Device Information page - Add Device from File 3-29
Device Information page - Configuration File 3-20
Device Information page - Network 3-11
Device Information page - New Device 3-24
New Map command 1-29
New or Edit CS-MARS Device dialog box 11-5
New Ticket command 1-33
NHRP
DMVPN spoke-to-spoke connections 25-11
Node Properties dialog box 33-17
Non-Workflow mode
viewing
device details 8-27
non-Workflow mode
changing modes 1-24
comparing with Workflow mode 1-19
configuration files
deploying 8-29
previewing 8-45
configurations
rolling back 8-65
creating tickets 4-13
deployment 8-3
deployment jobs
aborting 8-51
Deployment Status Details dialog box 8-33
opening tickets 4-14
taking over another user session 10-22
understanding 1-19
No Proxy ARP
NAT rule 22-40
PIX/ASA/FWSM Platform 53-1
notifications, e-mail
configuring SMTP server 1-23
NS Lookup 68-4, 68-7
NT
settings in AAA server objects 6-38
NTP
PIX/ASA/FWSM 50-17
server configuration 50-18
NTP policy, IPS platform 34-21
NTP server
configuring for IPS devices 34-21
O
object groups
policy discovery 5-14
object group search
ASA 8.3+ devices 15-22
PIX 6.3 devices 15-24
objects
AAA server
HTTP-FORM settings 6-40
Kerberos settings 6-34
LDAP settings 6-35
NT settings 6-38
RADIUS settings 6-31
SDI settings 6-39
TACACS+ settings 6-33
AAA server groups
attributes 6-45
creating 6-43
default server groups on IOS devices 6-27
predefined authentication groups 6-26
understanding 6-23
AAA servers
creating 6-28
supported additional types for ASA/PIX/FWSM 6-24
supported types 6-24
understanding 6-23
access control lists
creating 6-48
extended objects 6-48
standard objects 6-50
web objects 6-51
ASA group policies
client configuration settings 32-4
client firewall attributes 32-5
connection settings 32-19
DNS/WINS settings 32-17
hardware client attributes 32-7
IPSec settings 32-8
split tunneling settings 32-18
SSL VPN clientless settings 32-10
SSL VPN full client settings 32-12
SSL VPN settings 32-14
technology settings 32-1
basic procedures 6-8
categories, using 6-11
Cisco Secure Desktop configuration
creating 31-18
class map
creating for inspection rules 16-20
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
cloning (duplicating) 6-12
configuring for remote access VPN 32-1
creating 6-8
credentials
attributes 26-9
DCE/RPC policy map
properties 16-24
deleting 6-14
DNS policy map
properties 16-26
editing 6-10
ESMTP policy map
properties 16-32
exporting 6-20
file objects
attributes 32-22
selecting 32-24
FlexConfig
creating text objects 7-35
properties 7-33
property selector 7-37
undefined variables 7-36
FlexConfigs
adding to policies 7-38
changing order in policies 7-38
changing variable values 7-38
configuring 7-28
configuring AAA for administrative introducers 59-84
creating 7-31
previewing CLI 7-38
removing from policies 7-38
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 16-35
generating usage reports 6-13
GTP policy map
properties 16-38
H.323 (ASA/PIX/FWSM) policy map
properties 16-43
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 16-48
HTTP (ASA7.2+/PIX7.2+) policy map
properties 16-56
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 24-10
v2 properties 24-13
IM (ASA7.2+/PIX7.2+) policy map
properties 16-62
IM (IOS) policy map
properties 16-65
importing 6-20
Inspect parameter map
properties 20-29
interface roles
creating 6-63
IP Options policy map
properties 16-66
IPsec Pass Through policy map
properties 16-71
IPSec transform sets
attributes 24-23
understanding 24-17
IPv6 policy map
properties 16-68
LDAP attribute map objects
attributes 6-41
Local Web Filter parameter map
properties 20-36
locking
effects on activities 4-3
managing 6-1
maps
understanding 6-67
N2H2 parameter map
properties 20-37
NetBIOS policy map
properties 16-72
network/host
optimizing when deploying firewall rules 12-33
understanding 6-69
using in Event Viewer filters 65-58
network/host objects
naming when provisioned as object groups 6-84
networks/hosts
creating 6-71
unspecified value objects 6-75
networks/hosts-IPv6
creating 6-71
understanding 6-69
networks/hosts-IPv6 objects
unspecified value objects 6-75
object selectors 6-2
overrides
allowing 6-16
creating for multiple devices 6-17
creating for single device 6-17
deleting 6-19
managing 6-15
understanding 6-16
overview 1-16
parameter map
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
PKI enrollments
defining CA server properties 24-51
defining certificate attributes 24-57
defining enrollment parameters 24-55
defining trusted CA hierarchy 24-58
properties 24-50
policy map
creating for inspection rules 16-20
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
port forwarding lists
properties 32-25
port list objects
naming when provisioned as object groups 6-84
port lists
creating 6-79
properties 6-80
Protocol Info parameter map
properties 20-31
provisioning as object groups 6-84
regular expression group policy map
properties 16-81
regular expression objects
metacharacters 16-83
regular expression policy map
properties 16-82
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-84
provisioning as object groups 6-85
services
creating 6-79
single sign-on server
properties 32-27
SIP (ASA/PIX/FWSM) policy map
properties 16-73
Skinny policy map
properties 16-77
SLA monitors
attributes 49-9
configuring 49-8
understanding 49-7
SNMP policy map
properties 16-80
SSL VPN Bookmark
configuring 29-63
post URL method and macro substitutions 29-65
SSL VPN Customization
configuring 29-59
creating custom Logon page 29-63
localizing 29-61
SSL VPN gateway
properties 32-46
SSL VPN smart tunnel auto sign-on list
attributes 32-51
SSL VPN smart tunnel list
attributes 32-48
configuring 29-66
TCP Map policy map
properties 55-20
text
creating 7-35
time ranges
attributes for recurring ranges 6-61
configuring 6-60
traffic flow
default inspection traffic 55-18
properties 55-16
Trend parameter map
properties 20-40
URLF Glob parameter map
properties 20-43
URLF Glob parameter maps
metacharacters 20-44
URL Filter parameter map
properties 20-41
user groups
advanced PIX 6.3 settings 32-62
browser proxy settings 32-68
clientless settings 32-63
client VPN software update (IOS) settings 32-61
DNS/WINS settings 32-57
general settings 32-56
IOS client settings 32-59
IOS Xauth settings 32-60
split tunneling settings (Easy VPN/remote access IPSec VPN) 32-58
SSL VPN connection settings 32-69
SSL VPN full tunnel settings 32-65
SSL VPN split tunneling settings 32-66
technology settings 32-54
thin client settings 32-64
using global search to find specific objects 1-37
viewing details 6-12
Web Filter policy map
properties 20-45
Websense parameter map
properties 20-37
WINS server lists
attributes 32-70
creating 29-69
object selectors 6-2
Object Usage dialog box 6-13
Obsoletes dialog box 37-26
OOB (Out of Band) Changes dialog box 8-48
OOB (out of band changes)
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
Openable Activities dialog box 4-14
Openable Tickets dialog box 4-14
Open Activity command 1-33
Open command (Report Manager) 66-8
Open Map command 1-29
Open Map dialog box 33-9
Open Ticket command 1-33
OS Identifications tab, IPS Network Information policy 38-18
OS Map dialog box 38-20
OSPF
interaction with NAT 53-2
LSAs 53-2
OSPF interfaces
blocking LSA flooding 63-27
defining on Cisco IOS routers 63-25
disabling MTU mismatch detection 63-27
Interface dialog box 63-31
OSPF Interface Policy page 63-30
understanding
authentication 63-29
cost 63-26
network types 63-29
priority 63-26
timer settings 63-28
OSPF parameters
dead interval 53-21
hello interval 53-21
retransmit interval 53-21
transmit delay 53-21
OSPF redistribution
defining mappings 63-22
defining maximum prefix values 63-23
understanding 63-22
OSPF routing
Cisco IOS routers
Area dialog box 63-37
Area tab 63-36
defining area settings 63-21
defining interface settings 63-25
defining setup parameters 63-20
Edit Interfaces dialog box 63-36
Max Prefix Mapping dialog box 63-41
OSPF Process Policy page 63-34
overview 63-19
redistributing routes 63-22
Redistribution Mapping dialog box 63-39
Redistribution tab 63-38
Setup dialog box 63-35
Setup tab 63-35
PIX/ASA/FWSM
advanced settings 53-4
Area/Area networks 53-7
Area Range 53-9
Area tab 53-6
Filtering configuration 53-16
Filtering tab 53-15
General tab 53-3
Interface configuration 53-20
Interface tab 53-18
Neighbors tab 53-10
policy 53-2
Range tab 53-8
Redistribution rule 53-11
Redistribution tab 53-11
static neighbor 53-10
Summary Address configuration 53-18
Summary Address tab 53-17
Virtual Link configuration 53-13
Virtual Link MD5 configuration 53-15
Virtual Link tab 53-13
OS version mismatches
handling 8-13
other settings
configuring for SSL VPN (ASA) 29-37
out-of-band changes
avoiding 8-47
detecting and analyzing 8-46
understanding 8-12
overrides
allowing overrides 6-16
creating for multiple devices 6-17
creating for single device 6-17
deleting 6-19
managing 6-15
understanding 6-16
overview
activities 1-17
device monitoring 1-6
IPv6 support 1-7
policies 1-16
ticketing 1-17
user permissions 1-9
workflow 1-17
P
P2P applications
match conditions for zone-based firewalls 20-19
P2P policy map objects
creating 20-15
match conditions and actions 20-33
packageMonitorInterval 42-6
packet capture 68-8
Packet Capture Wizard command 1-32
packet tracer 68-1
Pair dialog box 43-10
PAM
zone-based firewall
configuring 20-64
parameter maps
understanding 6-67
partial_backup.pl command 10-28
partial mesh topologies 23-5
participation, network
configuring 40-7
data collected 40-3
requirements and limitations 40-4
understanding 40-3
understanding global correlation 40-1
understanding reputation 40-2
passive OS fingerprinting on IPS sensors
configuring 38-18
understanding 38-17
Password Requirements policy, IPS platform 34-18
passwords
admin, changing 10-22
configuring IPS requirements 34-18
configuring IPS user account 34-16
discovery and deployment of IPS 34-15
managing IPS requirements 34-13
understanding managed and unmanaged IPS passwords 34-14
Paste command 1-28, 12-9
PAT
pools 22-41
PDM
device manager 68-11
Peers page 23-33
performance settings
configuring for SSL VPN (ASA) 29-38
performance tuning 42-6
permanent virtual connections (PVC)
Define Mapping dialog box 58-64
PVC Advanced Settings dialog box 58-65
PVC dialog box 58-55
PVC Policy page 58-54
permanent virtual connections (PVCs)
defining ATM PVCs 58-50
defining OAM management 58-53
on Cisco IOS routers 58-46
understanding
ATM management protocols 58-48
ATM service classes 58-47
ILMI 58-49
Operation, Administration, and Maintenance (OAM) 58-50
virtual paths and channels 58-46
PIM
configuring on firewall devices 52-11
PIX/ASA/FWSM
Bidirectional Neighbor Filter 52-14
Bidirectional Neighbor Filter tab 52-13
enable 52-1
Multicast Group, add/edit 52-19
Multicast Group rule 52-17
Neighbor Filter 52-13
Neighbor Filter tab 52-12
page 52-11
PIM Protocol dialog box 52-12
Protocol tab 52-11
Rendezvous Point, add/edit 52-16
Rendezvous Points tab 52-15
Request Filter tab 52-18
Route Tree tab 52-17
ping 68-4
Ping, TraceRoute and NSLookup command 1-32
PIX
PDM 68-11
PIX/ASA
boot image/configuration 46-9
add/edit 46-10
failover 48-16
settings 48-19
interfaces
Advanced tab 44-27
IP Type 44-36
MAC address 44-38
PPPoE Users 44-44
redundant 44-7
subinterfaces 44-7
VPDN groups 44-45
security contexts
allocate interfaces 56-11
configuration 56-9
viewing allocated interfaces 56-11
PIX/ASA/FWSM
AAA 46-5
Authentication tab 46-5
about AAA 46-1
bridging 45-1
clock settings 46-11
configuring banners 46-8
credentials 46-13
Device Access
Server Access 50-1
device administration policies 46-1
Failover
bootstrap configuration 48-25
interface MAC address 48-21
failover
active/active 48-3
interface configuration 48-22
security context 48-24
understanding 48-1
interfaces
add/edit 44-19
Advanced settings 44-42
configuring 44-2
contexts 44-5
General tab 44-20
managing 44-14
operating modes 44-4
understanding 44-3
security contexts
about 56-1
Server Access
AUS, add/edit server 50-3
AUS page 50-1
DDNS interface rule 50-16
DDNS page 50-15
DDNS update methods 50-16
DDNS update methods, add/edit 50-17
DHCP Relay, add/edit agent 50-5
DHCP Relay, add/edit server 50-6
DHCP Relay page 50-5
DHCP Server, add/edit 50-9
DHCP Server, advanced configuration 50-10
DHCP Server, options 50-10
DHCP Server page 50-7
DNS page 50-11
DNS server, add 50-14
DNS server group 50-13
NTP page 50-17
NTP server configuration 50-18
SMTP page 50-19
TFTP server page 50-20
stateful
stateful 48-4
PIX/ASA/FWSM Platform
AAA
Accounting tab 46-7
Authorization tab 46-6
anti-spoofing 54-2
ARP configuration 45-4
ARP Inspection 45-5
enable/disable 45-6
ARP Table 45-3
configuring DHCP servers 50-7
configuring multicast routing 52-1
configuring routing 53-1
Device Access 47-1
console timeout 47-1
host name 49-1
HTTP configuration 47-2
HTTP page 47-2
ICMP rules 47-3
ICMP rules, add/edit 47-4
Management Access interface 47-5
Secure Shell (SSH) 47-5
Secure Shell, add/edit host 47-6
SNMP host access 47-12
SNMP page 47-8
SNMP Trap configuration 47-9
Telnet configuration 47-14
Telnet page 47-13
user accounts 49-6
user accounts, add/edit 49-7
failover 48-8
failover configuration 48-1
failover configuration basics 48-5
floodguard 54-2
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules 55-5
wizard 55-6, 55-8
logging 51-1
email notifications 51-2
email recipients 51-3
event lists 51-4
event lists, add/edit 51-5
filters 51-7
filters, editing 51-8
levels 51-17
message classes and IDs 51-4
message editing 51-18
message limits 51-13
message limits, add/edit 51-13
NetFlow 51-1
NetFlow, add/edit collector 51-2
rate limits, add/edit 51-14
server 51-16
set-up 51-10
syslog class 51-6
syslog message ID 51-6
syslog servers 51-20
syslog servers, add/edit 51-21
MAC Address
add/edit 45-8
MAC Address Table 45-7
MAC learning 45-8
enable/disable 45-9
Management IP address 45-10
multicast
Enable PIM and IGMP 52-1
group, add/edit 52-19
IGMP Access Group parameters 52-5
IGMP Access Group tab 52-5
IGMP Join Group parameters 52-7
IGMP Join Group tab 52-7
IGMP page 52-2
IGMP parameters 52-4
IGMP Protocol tab 52-3
IGMP Static Group parameters 52-6
IGMP Static Group tab 52-6
MBoundary configuration 52-9
MBoundary interface configuration 52-10
MRoute configuration 52-8
Multicast Boundary Filter page 52-9
Multicast Group rule 52-17
Multicast Routes page 52-8
PIM Bidirectional Neighbor Filter 52-14
PIM Bidirectional Neighbor Filter tab 52-13
PIM Neighbor Filter 52-13
PIM Neighbor Filter tab 52-12
PIM page 52-11
PIM Protocol dialog box 52-12
PIM Protocol tab 52-11
PIM Rendezvous Point, add/edit 52-16
PIM Rendezvous Points tab 52-15
PIM Request Filter tab 52-18
PIM Route Tree tab 52-17
NAT policies 22-17
Address Pools dialog box 22-17
Address Pools page 22-17
Advanced NAT Options dialog box 22-28
Dynamic Rules dialog box 22-21
Dynamic Rules tab 22-21
General tab 22-30
Policy Dynamic Rules dialog box 22-24
Policy Dynamic Rules tab 22-23
Select Address Pool 22-22
Static Rules dialog box 22-26
Static Rules tab 22-25
Translation Exemptions (NAT 0 ACL) dialog box 22-20
Translation Exemptions (NAT 0 ACL) tab 22-19
Translation Options page 22-15
Translation Rules page 22-18
policy configuration 44-1
priority queues 55-4
priority queues configuration 55-4
routing
IPv6 Static Route configuration 53-32
IPv6 Static Route page 53-32
No Proxy ARP 53-1
OSPF 53-2
OSPF - advanced settings 53-4
OSPF - Area/Area networks 53-7
OSPF - Area Range 53-9
OSPF - Area tab 53-6
OSPF - Filtering configuration 53-16
OSPF - Filtering tab 53-15
OSPF - General tab 53-3
OSPF - Interface configuration 53-20
OSPF - Interface tab 53-18
OSPF - Neighbors tab 53-10
OSPF - Range tab 53-8
OSPF - Redistribution rule 53-11
OSPF - Redistribution tab 53-11
OSPF - static neighbor 53-10
OSPF - Summary Address configuration 53-18
OSPF - Summary Address tab 53-17
OSPF - Virtual Link configuration 53-13
OSPF - Virtual Link MD5 configuration 53-15
OSPF - Virtual Link tab 53-13
RIP (PIX/ASA 6.3-7.1, FWSM) 53-22
RIP (PIX/ASA 6.3-7.1, FWSM) configuration 53-23
RIP (PIX/ASA 7.2+) 53-24
RIP (PIX/ASA 7.2+) Filtering 53-28
RIP (PIX/ASA 7.2+) Filtering configuration 53-29
RIP (PIX/ASA 7.2+) Interface 53-29
RIP (PIX/ASA 7.2+) Interface configuration 53-30
RIP (PIX/ASA 7.2+) Redistribution 53-27
RIP (PIX/ASA 7.2+) Redistribution configuration 53-27
RIP (PIX/ASA 7.2+) Setup 53-25
RIP page 53-21
Static Route configuration 53-31
Static Route page 53-30, 53-31
security contexts
managing 56-7
security policies 54-1
General configuration 54-3
General page 54-1
timeouts 54-4
service policy
wizard 55-6
service policy rules 55-1
SNMP configuration 47-7
traffic class 55-7
Unicast Reverse Path Forwarding 54-2
PIX/ASA/FWSM Platform policies
bridging 45-1
configuring fragment settings 54-2
configuring NAT 22-15
transparent mode 22-15
PIX 6.3
Failover
interface configuration 48-10
failover 48-9
interface configuration
IP Type 44-18
interfaces
add/edit 44-15
PIX 7.x
Failover
Add Failover Group 48-23
PIX devices
AAA support 6-24
about 44-1
monitoring service level agreements 49-7
remote access VPNs
IPsec proposals 29-30
user group policies for PIX 6.3 31-13
selecting policy types to manage 5-10
PIX Firewall
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
PIX Firewalls
configuring transparent firewall rules 21-1
rollback, commands to recover from failover misconfiguration 8-65
rollback command conflicts 8-64
rollback restrictions for failover devices 8-61
rollback restrictions for multiple context mode 8-61
PIX firewalls
access controls
access list compilation 15-24
object group search 15-24
adding SSL thumbprints manually 9-4
FlexConfig object samples 7-26
packet capture, using 68-8
packet tracer, using 68-1
SSL certificate configuration 11-16
PKI (Public Key Infrastructure) policies
CA server authentication methods 24-43
defining multiple CA servers 24-47
enrollment requirements 24-44
understanding 24-43
using TFTP 24-45
PKI enrollment
prerequisites using TFTP 24-45
requirements 24-44
PKI enrollment objects
defining CA server properties 24-51
defining certificate attributes 24-57
defining enrollment parameters 24-55
defining trusted CA hierarchy 24-58
properties 24-50
plug-ins
configuring browser 29-46
Point-to-Point Protocol (PPP)
defining connections 58-71
defining multilink PPP bundles 58-74
on Cisco IOS routers 58-70
PPP dialog box 58-76
PPP/MLP Policy page 58-75
understanding multilink PPP (MLP) 58-70
point-to-point topologies
description 23-3
policies
adding local rules to shared policies 5-42
assigning shared policies 5-41
basic concepts
inheritance vs. assignment 5-6
local vs. shared 5-3
managing 5-29
overview 5-1
rule inheritance 5-4
service vs. platform-specific 5-2
settings-based vs. rule-based 5-2
shared policies in Device view or Site-to-Site VPN Manager 5-34
signature inheritance 37-2
status icons 5-28
cloning shared policies 5-44
configuring IKE and IPsec for VPNs 24-1
copying between devices 5-31
creating shared 5-51
deleting shared 5-53
Device view
configuring local policies 5-29
managing 5-28
modifying assignments 5-46
modifying shared policies 5-45
discovering 5-12
discovering on existing devices 5-15
exporting 10-12
exporting with device inventory 10-6
FlexConfigs
adding objects 7-38
changing object order 7-38
changing variable values 7-38
configuring 7-28
configuring AAA for administrative introducers 59-84
editing 7-38
FlexConfig Policy page 7-39
previewing CLI 7-38
removing objects 7-38
understanding 7-2
importing 10-14
inheriting rules 5-43
locking 5-7
managing 5-1
object selectors 6-2
overview 1-16
performing basic policy management in Map view 33-22
PKI (Public Key Infrastructure) 24-43
policy banner 5-35
policy discovery FAQ 5-25
policy management and objects 5-7
Policy view
managing 5-47
modifying assignments 5-51
preshared keys 24-39
renaming 5-45
router platform policies 57-1
selecting policies to manage 5-10
sharing local 5-38
sharing multiple local policies 5-39
Site-to-Site VPN Manager
managing 5-28
modifying assignments 5-46
site-to-site VPNs 23-8
specifying interfaces 6-65
specifying IP addresses 6-76
specifying IPv6 addresses 6-77
synchronizing among Security Manager servers 10-4
unassigning 5-33
unsharing 5-40
using global search to find specific policies 1-37
viewing discovery task status 5-20
VPN defaults 11-48
policy assignments
modifying in Device view 5-46
modifying in Policy view 5-51
modifying in Site-to-Site VPN Manager 5-46
overview 1-16
policy bundles
cloning 5-55
creating 5-54
managing 5-53
renaming 5-55, 5-56
Policy Bundle view
cloning policy bundles 5-55
creating policy bundles 5-54
renaming policy bundles 5-55, 5-56
policy discovery
AAA commands not displayed in AAA policy 5-27
ACL naming conventions 12-5
ACLs 5-14
Catalyst devices 5-13
Catalyst switches and 7600 Series routers 64-1
Cisco IOS routers 5-13, 57-3
frequently asked questions 5-25
IPS devices 5-13
network masks 6-70
object groups 5-14
on existing devices 5-15
overview 1-16
policy objects 5-14
preserving ACL names 12-4
resolving ACL naming conflicts 12-6
security contexts 5-13
understanding 5-12
viewing task status 5-20
VPNs 5-12
web VPN restrictions 3-8
Policy Discovery Status command 1-31
Policy Discovery Status page 5-23
Policy Dynamic Translation Rule
PIX/ASA/FWSM 22-23
add/edit 22-24
policy management
Settings page 11-41
Policy Management page 11-41
policy maps
understanding 6-67
Policy menu
command reference 1-29
Policy Object Manager window
creating overrides 6-17
deleting overrides 6-19
field reference 6-4
shortcut menu 6-7
Policy Object Overrides window 6-18
policy objects
AAA server
HTTP-FORM settings 6-40
Kerberos settings 6-34
LDAP settings 6-35
NT settings 6-38
RADIUS settings 6-31
SDI settings 6-39
TACACS+ settings 6-33
AAA server groups
attributes 6-45
creating 6-43
default server groups on IOS devices 6-27
predefined authentication groups 6-26
understanding 6-23
AAA servers
creating 6-28
supported additional types for ASA/PIX/FWSM 6-24
supported types 6-24
understanding 6-23
access control lists
creating 6-48
extended objects 6-48
standard objects 6-50
web objects 6-51
ASA group policies
client configuration settings 32-4
client firewall attributes 32-5
connection settings 32-19
DNS/WINS settings 32-17
hardware client attributes 32-7
IPSec settings 32-8
split tunneling settings 32-18
SSL VPN clientless settings 32-10
SSL VPN full client settings 32-12
SSL VPN settings 32-14
technology settings 32-1
basic procedures 6-8
categories, using 6-11
Cisco Secure Desktop configuration
creating 31-18
class map
creating for inspection rules 16-20
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
cloning (duplicating) 6-12
configuring for remote access VPN 32-1
connection with policy management 5-7
creating 6-8
credentials
attributes 26-9
DCE/RPC policy map
properties 16-24
deleting 6-14
DNS policy map
properties 16-26
editing 6-10
ESMTP policy map
properties 16-32
exporting 6-20
file objects
attributes 32-22
selecting 32-24
FlexConfig
creating text objects 7-35
properties 7-33
property selector 7-37
undefined variables 7-36
FlexConfigs
adding to policies 7-38
changing order in policies 7-38
changing variable values 7-38
configuring 7-28
configuring AAA for administrative introducers 59-84
creating 7-31
previewing CLI 7-38
removing from policies 7-38
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 16-35
generating usage reports 6-13
GTP policy map
properties 16-38
H.323 (ASA/PIX/FWSM) policy map
properties 16-43
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 16-48
HTTP (ASA7.2+/PIX7.2+) policy map
properties 16-56
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 24-10
v2 properties 24-13
IM (ASA7.2+/PIX7.2+) policy map
properties 16-62
IM (IOS) policy map
properties 16-65
importing 6-20
Inspect parameter map
properties 20-29
interface roles
creating 6-63
understanding 6-62
IP Options policy map
properties 16-66
IPsec Pass Through policy map
properties 16-71
IPSec transform sets
attributes 24-23
understanding 24-17
IPv6 policy map
properties 16-68
LDAP attribute map objects
attributes 6-41
Local Web Filter parameter map
properties 20-36
managing 6-1
maps
understanding 6-67
N2H2 parameter map
properties 20-37
NetBIOS policy map
properties 16-72
network/host
optimizing when deploying firewall rules 12-33
understanding 6-69
using in Event Viewer filters 65-58
network/host-IPv6
unspecified value objects 6-75
network/host objects
naming when provisioned as object groups 6-84
networks/hosts
creating 6-71
unspecified value objects 6-75
networks/hosts-IPv6
creating 6-71
understanding 6-69
object selectors 6-2
overrides 3-46
allowing 6-16
creating for multiple devices 6-17
creating for single device 6-17
deleting 6-19
managing 6-15
understanding 6-16
overview 1-16
parameter map
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
PKI enrollments
defining CA server properties 24-51
defining certificate attributes 24-57
defining enrollment parameters 24-55
defining trusted CA hierarchy 24-58
properties 24-50
policy discovery 5-14
policy map
creating for inspection rules 16-20
creating for zone-based firewall content filtering 20-34
creating for zone-based firewall inspection 20-15
port forwarding lists
properties 32-25
port list objects
naming when provisioned as object groups 6-84
port lists
creating 6-79
properties 6-80
Protocol Info parameter map
properties 20-31
provisioning as object groups 6-84
regular expression group policy map
properties 16-81
regular expression objects
metacharacters 16-83
regular expression policy map
properties 16-82
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-84
provisioning as object groups 6-85
services
creating 6-79
Settings page 11-42
single sign-on server
properties 32-27
SIP (ASA/PIX/FWSM) policy map
properties 16-73
Skinny policy map
properties 16-77
SLA monitors
attributes 49-9
configuring 49-8
understanding 49-7
SNMP policy map
properties 16-80
SSL VPN bookmark
configuring 29-63
post URL method and macro substitutions 29-65
SSL VPN Customization
configuring 29-59
creating custom Logon page 29-63
localizing 29-61
SSL VPN gateway
properties 32-46
SSL VPN smart tunnel auto sign-on lists
attributes 32-51
SSL VPN smart tunnel lists
attributes 32-48
configuring 29-66
TCP Map policy map
properties 55-20
text
creating 7-35
time ranges
attributes for recurring ranges 6-61
configuring 6-60
traffic flow
default inspection traffic 55-18
properties 55-16
Trend parameter map
properties 20-40
URLF Glob parameter map
properties 20-43
URLF Glob parameter maps
metacharacters 20-44
URL Filter parameter map
properties 20-41
user groups
advanced PIX 6.3 settings 32-62
browser proxy settings 32-68
clientless settings 32-63
client VPN software update (IOS) settings 32-61
DNS/WINS settings 32-57
general settings 32-56
IOS client settings 32-59
IOS Xauth settings 32-60
split tunneling settings (Easy VPN/remote access IPSec VPN) 32-58
SSL VPN connection settings 32-69
SSL VPN full tunnel settings 32-65
SSL VPN split tunneling settings 32-66
technology settings 32-54
thin client settings 32-64
viewing details 6-12
Web Filter policy map
properties 20-45
Websense parameter map
properties 20-37
WINS server lists
attributes 32-70
creating 29-69
Policy Objects command 1-31
policy objects interface
Interface Role dialog box 6-64
SSL VPN Bookmark Entry dialog box 32-30
SSL VPN bookmarks
Add or Edit Bookmarks dialog boxes 32-29
Post Parameters dialog box 32-32
Policy Objects page 11-42
policy query
example report 12-32
generating reports 12-27
interpreting report results 12-31
Querying Device or Policy dialog box 12-28
Policy Query Results dialog box 12-31
Policy view
Assignments tab 5-51
creating shared policies 5-51
deleting shared policies 5-53
filtering shared policy selector 1-40
modifying assignments 5-51
overview 1-13
selectors 5-49
Shared Policy selector options 5-50
understanding 5-47
Policy View command 1-28
POP3
configuring for inspection rules 16-18
POP3 class map objects
creating 20-15
match criteria 20-22
POP3 policy map objects
creating 20-15
match conditions and actions 20-33
port application mapping
see PAM 20-64
port forwarding list objects
properties 32-25
port list objects
creating 6-79
naming when provisioned as object groups 6-84
properties 6-80
ports
ASA 5505
configure 44-39
Posture ACL dialog box 34-26
PPP dialog box
MLP tab 58-79
PPP tab 58-77
PPPoE Users 44-44
pre-provisioning devices 3-23
preshared keys
aggressive mode negotiation 24-40
compared to certificates 24-7
configuring policies for IKEv1 site-to-site VPNs 24-40
FQDN (fully qualified domain name) negotiation 24-40
main mode address negotiation 24-39
understanding 24-39
Preview Configuration command 1-32
print
Report Manager reports 66-23
Print command 1-28
priority queues
PIX/ASA/FWSM
configuration 55-4
page 55-4
Product Authorization Key (PAK) 10-16
productivity categories for Trend class maps 20-18
properties
changes with policy effects 3-48
changing critical device 3-47
image version changes with no policy effects 3-47
understanding device 3-6
viewing or changing device 3-37
Property Selector dialog box 7-37
protected networks
defining in GET VPN topologies 23-57
defining in VPN topologies 23-33
Protected Networks tab 23-45
Protocol Independent Multicast 52-11
Protocol Info parameter map objects
properties 20-31
Protocol Info Parameters map object
creating 20-15
Protocol Map dialog box 39-12
protocols
selecting for inspection 16-3
Protocol tab
IGMP 52-3
proxies
defining HTTP/HTTPS for SSL VPN (ASA) 29-43
proxy ARP
enabling on IOS routers 58-19
proxy bypass rules
defining HTTP/HTTPS for SSL VPN (ASA) 29-43
proxy server
configuring HTTP for IPS global correlation 34-23
public key infrastructure (PKI) policies
compared to certificates 24-7
configuring for remote access VPNs 24-48
configuring for site-to-site VPNs 24-46
PVC Advanced Settings dialog box
OAM-PVC tab 58-68
OAM tab 58-66
PVC dialog box
Protocol tab 58-63
QoS tab 58-60
Settings tab 58-57
PVC policies
unable to deploy 9-14
Q
QoS
MPC rule wizard
tab 55-8