Table Of Contents
Working with Building Blocks
Working with Transform Sets
Understanding Transform Sets
Deciding Which Security Protocols to Use
Deciding Which Algorithms to Use With Each Protocol
Transport Mode vs. Tunnel Mode
Predefined Transform Sets
Viewing Existing Transform Sets
Creating a Transform Set
Accessing the Transform Set Wizard
Naming the Transform Set
Defining Transform Set Protocols
Viewing a Summary of the Transform Set
Editing a Transform Set
Deleting a Transform Set
Working with Network Groups
Creating a Network Group
Accessing the Network Group Wizard
Naming the Network Group
Specifying Networks and Contained Groups
Viewing a Summary of the Network Group
Editing a Network Group
Deleting a Network Group
Working with Service Groups
Creating a Service Group
Accessing the Service Group Wizard
Naming the Service Group
Specifying Protocol and Ports
Including Other Service Groups
Viewing a Summary of the Service Groups
Editing a Service Group
Deleting a Service Group
Working with Building Blocks
Building blocks in Router MC refer to network groups, transform sets and service groups. Building blocks are reusable, named, global components that can be referenced by name by multiple policies. If you change the definition of a building block, this change is reflected in all policies that reference that building block.
Building blocks aid in policy definition by eliminating the need to define that component each time you define a policy. For example, although transform sets are integral to tunnel policies, you can define several transform sets independently of your tunnel policy definitions. These transform sets are always available for selection when you create tunnel policies (on the object on which you defined them and its descendants). Each transform set can be referenced by multiple tunnel policies.
You can define building blocks on any level in the object hierarchy. If you define building blocks on the global level, they will be available for selection in all policies. If you define them on the device group or device level, they will only be available for policies defined on that device group or device.
Building blocks are referenced by name. A building block defined on a lower level object with the same name as a building block defined on the parent object will override the building block on the parent object.
The following topics provide information about the building blocks available in Router MC:
• Working with Transform Sets
• Working with Network Groups
• Working with Service Groups
Working with Transform Sets
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. This combination of rules specifies exactly how your data will be encrypted and authenticated. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
The following topics provide information about transform sets:
• Understanding Transform Sets
• Viewing Existing Transform Sets
• Creating a Transform Set
• Editing a Transform Set
• Deleting a Transform Set
Understanding Transform Sets
A transform set is an acceptable combination of security protocols, algorithms, and other settings to apply to IPSec protected traffic. This combination of rules specifies exactly how your data will be encrypted and authenticated. During the IPSec security association negotiation, the peers agree to use a particular transform set when protecting a particular data flow.
Crypto map entries reference specific transform sets and apply them to the traffic flow specified in the crypto ACL.
Router MC provides several predefined transform sets that you can use if they meet your requirements. If they do not, you can create additional transform sets for use in your tunnel policies. The crypto map entry produced when a tunnel policy is deployed to the relevant devices references the transform set(s) you selected for the policy.
The following topics provide information about the combination of security protocols, algorithms, and IPSec modes that you can use in your transform sets:
• Deciding Which Security Protocols to Use
• Deciding Which Algorithms to Use With Each Protocol
• Transport Mode vs. Tunnel Mode
• Predefined Transform Sets
• Creating a Transform Set
Deciding Which Security Protocols to Use
The first step in defining transform sets is to decide which protocols to use for authentication and confidentiality. Router MC supports the AH and ESP IPSec protocols. AH provides authentication and anti-replay services; ESP provides authentication, confidentiality, and anti-replay services. AH authenticates the entire IP packet, including the IP header, but it does not provide confidentiality for the data payload. ESP can provide both authentication and confidentiality, using two separate algorithms: a hash algorithm for authentication and a cipher for confidentiality. The difference between AH and ESP authentication is that ESP authenticates only the ESP payload; it does not authenticate the outer IP header. You can also use ESP without its authentication service, for confidentiality only.
If you require data confidentiality only in your IPSec tunnel implementation, you should use ESP without authentication. By doing so, you gain some performance speed but lose the authentication service.
If you need authentication and confidentiality services, use ESP with authentication. It is more resource intensive than ESP without authentication, because it must perform another computation for authentication, but you gain the security of authentication. However, if you need stronger authentication (by having the entire IP packet authenticated) and confidentiality, you should use both AH and ESP in your IPSec tunnel implementation.
When you use both, the ESP protocol is applied to the packet first, and then AH is used to authenticate the entire packet. When using both AH and ESP in your tunnel implementation, you should consider using ESP without authentication services (because authentication is also being provided by the AH protocol) to provide a less resource-intensive implementation.
Deciding Which Algorithms to Use With Each Protocol
The security protocols define the method used for authentication or encryption, but do not define the algorithms used to achieve that method. You must decide on the algorithms to be used with each protocol.
Authentication Hash Algorithms
You have two options for hash algorithm: SHA and MD5:
• MD5 (ah-md5-hmac) produces a 128-bit digest and needs less processing time, so it is faster overall than SHA, but it is considered weaker than SHA.
• SHA (ah-sha-hmac) produces a 160-bit digest and is more resistant to brute-force attacks than MD5. However, it is also more resource intensive than MD5. For implementations that require the highest level of security, use the SHA hash algorithm.
ESP Encryption Algorithms
You have the following options for ESP encryption algorithm: DES, 3DES, and AES.
• DES (Data Encryption Standard) is a symmetric secret-key block algorithm. It is faster than 3DES and uses fewer system resources, but it is also less secure. If you do not need strong data confidentiality, and if system resources or speed is a concern, you can choose DES.
• 3DES (Triple DES) is more secure because it processes each block of data three times, each time with a different key. However, it uses more system resources and is slower than DES. 3DES is the recommended encryption algorithm, assuming that the devices support it.
• AES (Advanced Encryption Standard) provides greater security than DES and is computationally more efficient than 3DES. AES offers three key strengths: 128-, 192-, and 256-bit keys. AES is only supported on devices with IOS 12.2(13)T and higher.
Note
AES cannot be used in conjunction with a hardware encryption card.
Transport Mode vs. Tunnel Mode
When you define a transform set in Router MC, you can choose which IPSec mode of operation to use: transport mode or tunnel mode. Tunnel mode is the recommended mode because of its increased security.
Transport Mode
In transport mode, only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantage of adding only a few bytes to each packet. It also allows devices on the public network to see the final source and destination of the packet. However, by passing the IP header in the clear, transport mode allows an attacker to perform some traffic analysis. For example, an attacker could see when a company's CEO sent many packets to another senior executive. However, the attacker would only know that IP packets were sent; the attacker would not be able to decipher the contents of the packets.
With transport mode, the destination of the flow must be an IPSec termination device.
Tunnel Mode
In tunnel mode, the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a router to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to enjoy the benefits of IPSec. Tunnel mode also protects against traffic analysis. With tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
Predefined Transform Sets
Router MC provides various predefined policies for your convenience, including two predefined transform sets. If they meet your requirements, you can use the predefined transform sets instead of having to create your own transform sets.
The predefined transform set "Default-Strong-TS" offers high security using the following parameters:
• Encryption algorithm: 3DES
• Hash algorithm: SHA
• Mode: Tunnel
• No compression
The predefined transform set "Default-Weak-TS" offers lower security using the following parameters:
• Encryption algorithm: DES
• Hash algorithm: SHA
• Mode: Tunnel
• No compression
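The following is an added example, not Router MC's own code: it models a transform set as the Protocols page defines it (mode, AH hash, ESP encryption, ESP hash, compression), checks it against the constraints stated above (AES needs IOS 12.2(13)T or higher and cannot be combined with a hardware encryption card), flags the weaker choices the text warns about, and renders the IOS transform-set lines the deployed crypto map entry would reference. The IOS keyword mapping, the simplified version parsing, the device attributes, and the reading of "Hash algorithm: SHA" as the ESP hash in the two predefined sets are assumptions made for this example.

```python
"""Model, validate, and render a Router MC transform set (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed IOS keywords for each list-box choice (ah-md5-hmac and ah-sha-hmac
# are the names the page itself uses).
AH_HASH = {"MD5": "ah-md5-hmac", "SHA": "ah-sha-hmac"}
ESP_ENCRYPTION = {
    "DES": "esp-des",
    "3DES": "esp-3des",
    "AES-128": "esp-aes",
    "AES-192": "esp-aes 192",
    "AES-256": "esp-aes 256",
}
ESP_HASH = {"MD5": "esp-md5-hmac", "SHA": "esp-sha-hmac"}
AES_MIN_VERSION = (12, 2, 13)  # page: AES needs IOS 12.2(13)T or higher


@dataclass(frozen=True)
class TransformSet:
    name: str
    mode: str = "Tunnel"                  # "Tunnel" or "Transport"
    ah_hash: Optional[str] = None         # None = no AH
    esp_encryption: Optional[str] = None  # None = no ESP cipher
    esp_hash: Optional[str] = None        # None = ESP without authentication
    compression: bool = False             # LZS compression


def parse_ios_version(text: str) -> Tuple[int, int, int]:
    """Turn '12.2(13)T' into (12, 2, 13).  Simplification (assumption): the
    train letter is ignored, which is enough to compare with AES_MIN_VERSION."""
    match = re.match(r"(\d+)\.(\d+)\((\d+)\)", text)
    if not match:
        raise ValueError(f"unrecognised IOS version: {text!r}")
    return tuple(int(part) for part in match.groups())


def validate(ts: TransformSet, ios_version: str,
             hardware_crypto_card: bool) -> List[str]:
    """Reasons this set cannot be deployed to the device (empty list = OK)."""
    problems = []
    if ts.mode not in ("Tunnel", "Transport"):
        problems.append(f"unknown mode {ts.mode!r}")
    if ts.ah_hash is None and ts.esp_encryption is None and ts.esp_hash is None:
        problems.append("select at least one AH or ESP transform")
    for field, table in (("ah_hash", AH_HASH), ("esp_encryption", ESP_ENCRYPTION),
                         ("esp_hash", ESP_HASH)):
        value = getattr(ts, field)
        if value is not None and value not in table:
            problems.append(f"{field}: unsupported choice {value!r}")
    if ts.esp_encryption in ("AES-128", "AES-192", "AES-256"):
        if parse_ios_version(ios_version) < AES_MIN_VERSION:
            problems.append(f"AES requires IOS 12.2(13)T or higher; device runs {ios_version}")
        if hardware_crypto_card:
            problems.append("AES cannot be used with a hardware encryption card")
    return problems


def advisories(ts: TransformSet) -> List[str]:
    """Weaker-than-recommended choices, following the page's guidance."""
    notes = []
    if ts.esp_encryption == "DES":
        notes.append("DES gives weak confidentiality; 3DES or AES is recommended")
    if "MD5" in (ts.ah_hash, ts.esp_hash):
        notes.append("MD5 is weaker than SHA")
    if ts.esp_encryption and ts.esp_hash is None and ts.ah_hash is None:
        notes.append("ESP without authentication: confidentiality only, no integrity")
    if ts.mode == "Transport":
        notes.append("transport mode leaves the IP header in the clear")
    return notes


def render(ts: TransformSet) -> List[str]:
    """IOS lines the deployed crypto map entry would reference (assumed syntax)."""
    tokens = []
    if ts.ah_hash:
        tokens.append(AH_HASH[ts.ah_hash])
    if ts.esp_encryption:
        tokens.append(ESP_ENCRYPTION[ts.esp_encryption])
    if ts.esp_hash:
        tokens.append(ESP_HASH[ts.esp_hash])
    if ts.compression:
        tokens.append("comp-lzs")
    return [f"crypto ipsec transform-set {ts.name} {' '.join(tokens)}",
            f" mode {ts.mode.lower()}"]


# The two predefined sets from the page (ESP hash reading is an assumption).
DEFAULT_STRONG_TS = TransformSet("Default-Strong-TS", esp_encryption="3DES", esp_hash="SHA")
DEFAULT_WEAK_TS = TransformSet("Default-Weak-TS", esp_encryption="DES", esp_hash="SHA")

if __name__ == "__main__":
    for ts in (DEFAULT_STRONG_TS, DEFAULT_WEAK_TS):
        print("\n".join(render(ts)))
        for note in advisories(ts):
            print("  !", note)
```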
Viewing Existing Transform Sets
The Transform Sets page, accessed from the Building Blocks section of the Configuration tab, displays a list of transform sets, in table format. Each table row represents a transform set and each table column provides a different field of information for that transform set.
The list of transform sets includes several sample transform sets provided by Router MC and any custom transform sets that were previously defined.
You can select a custom transform set in the list to edit or delete it. You cannot delete the sample transform sets provided by Router MC.
Table 1-1 describes the elements in the Transform Sets page.
Table 1-1 Transform Sets: GUI Reference
GUI Element | Description
Check box column | Enables you to select a transform set to edit or delete it. You can select more than one check box at a time.
Name column | Displays the name of the transform set.
Mode column | Displays the IPSec mode of operation, either Transport or Tunnel mode.
Defined On column | Displays the object on which the transform set is defined.
AH Hash column | Displays the AH authentication algorithm selected for the transform set.
ESP Encryption column | Displays the ESP encryption algorithm selected for the transform set.
ESP Hash column | Displays the ESP authentication algorithm selected for the transform set.
Compression column | Indicates whether compression will be used.
Rows per page list box | Enables you to change the number of policies displayed in the list.
Create button | Click to create a new transform set.
Edit button | Click to edit the selected transform set. You cannot edit the sample transform sets provided by Router MC.
Delete button | Click to delete the selected transform set. You cannot delete the sample transform sets provided by Router MC.
Creating a Transform Set
Transform sets play an integral role in tunnel policies in that they determine which protocols and algorithms will be used to secure the specified traffic. Transform sets are created independently of tunnel policies and then each tunnel policy references the relevant transform sets. A single transform set might be referenced by several tunnel policies.
You create a transform set using the Transform Set wizard. The following topics describe the tasks you perform to create a transform set using this wizard:
• Accessing the Transform Set Wizard
• Naming the Transform Set
• Defining Transform Set Protocols
• Viewing a Summary of the Transform Set
Note
The same transform set wizard pages are used for editing a transform set, enabling you to modify values as required. See Editing a Transform Set for more information.
Accessing the Transform Set Wizard
To access the wizard, complete the steps in this procedure.
Before You Begin
• In the Object Selector, select the object on which you want to create the policy.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1 Select Configuration > Building Blocks.
Step 2 Select Transform Sets from the TOC. The Transform Sets page appears. It contains a list of the transform sets defined on the selected device or device group (if any).
Step 3 Click Create. The first page of the Transform Set wizard appears. The steps in the wizard are listed in the TOC on the left side of the page.
Naming the Transform Set
The Name and Comment page is the first page of the Transform Set wizard. Router MC identifies each transform set that you create by a name that you assign in this page. When you have finished creating the transform set, it is listed by this name in the Transform Sets page. See Viewing Existing Transform Sets for more information. It is also included in the list of transform sets available for selection for a tunnel policy. See Selecting Transform Sets, page 1-15 for more information.
Because the transform set name also enables you to distinguish one transform set from another for reviewing, editing, or deleting transform sets, you should assign a logical name that reflects the contents of the transform set. You can also enter a description of the transform set for quick and easy identification of transform set contents.
Procedure
Step 1 Enter a name and description in the fields provided. See Table 1-2 for descriptions of the fields.
Step 2 Click Next. The Protocols page appears.
Step 3 Define the protocols and algorithms for the transform set, as described in Defining Transform Set Protocols.
Table 1-2 describes the elements in the Transform Set Name and Comment page.
Table 1-2 Transform Set Name and Comment: GUI Reference
UI Element | Description
Name field | Enter a unique name for the transform set.
Comment field | Enter a description of the transform set.
Next button | Click to go to the next page in the wizard.
Cancel button | Click to exit the wizard without saving your settings.
Defining Transform Set Protocols
The Protocols page of the Transform Set wizard allows you to select the transform set's protocols and their associated algorithms to determine how traffic will be secured in the IPSec tunnel.
Procedure
Step 1 Select the mode and the authentication and encryption algorithms in the fields provided. See Table 1-3 for descriptions of the fields.
Step 2 If Summary appears in the TOC, click Next. The Transform Set Summary page appears, enabling you to verify that the transform set has the required values. Proceed to Viewing a Summary of the Transform Set.
OR
If Summary does not appear in the TOC, click Finish to complete the creation of the transform set, or go back to a previous step in the wizard to change your definitions, as required.
Table 1-3 describes the elements in the Transform Set Protocols page.
Table 1-3 Transform Set Protocols: GUI Reference
UI Element | Description
Mode list box | Select the IPSec mode of operation, either Transport or Tunnel mode. Tunnel mode is recommended because it provides greater security. See Transport Mode vs. Tunnel Mode for more information.
AH Hash list box | Select an authentication hash algorithm, either MD5 or SHA. If you do not want to use AH authentication, do not make a selection in this field. See Deciding Which Security Protocols to Use and Deciding Which Algorithms to Use With Each Protocol for more information.
ESP Encryption list box | Select an encryption algorithm, either DES, 3DES, or one of the AES options. See Deciding Which Algorithms to Use With Each Protocol for more information.
ESP Hash list box | If you want to use ESP authentication, select an algorithm from the list box, either MD5 or SHA.
Compression check box | Select the check box if you want the data in the IPSec tunnel to be compressed using the LZS algorithm.
Back button | Click to go back to the previous page in the wizard.
Next button | Available only if Summary appears in the TOC (see Defining System Settings, page 1-1). Click to go to the next page in the wizard.
Finish button | Available only if Summary does not appear in the TOC (see Defining System Settings, page 1-1). Click to exit the wizard and complete the transform set creation or modification process.
Cancel button | Click to exit the wizard without saving your settings.
Viewing a Summary of the Transform Set
Note
The Transform Set Summary page is not available if the Show Summary Step in Wizards check box in the System Settings page is deselected. See Defining System Settings, page 1-1 for more information.
The Summary page provides an overview of your transform set definitions for your verification. See Table 1-4 for a description of the fields and buttons in this page.
Procedure
Step 1 Verify that your transform set definitions are correct.
Step 2 Click Finish to complete the creation of the transform set, or go back to a previous step in the wizard to change your definitions, as required.
Table 1-4 describes the elements in the Transform Set Summary page.
Table 1-4 Transform Set Summary: GUI Reference
UI Element | Description
Summary of Transform Set area | Lists all your definitions for the transform set.
Back button | Click to go back to the previous page in the wizard.
Finish button | Click to exit the wizard and complete the policy creation or modification process.
Cancel button | Click to exit the wizard without saving your settings.
Editing a Transform Set
You can edit any existing transform set. On deployment, the changes will take effect in all policies that reference the edited transform set.
Before You Begin
• In the Object Selector, select the object on which the transform set you want to edit is defined.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1 Select Configuration > Building Blocks.
Step 2 Select Transform Sets from the TOC. The Transform Sets page appears.
Step 3 Select the check box next to the transform set you want to edit and click Edit. The Name and Comment page of the Transform Set wizard appears. It displays the name and comment for the selected transform set.
Step 4 Select the required page from the TOC or click the Next button to move through the pages in the wizard. Each page shows the values that were defined for the selected transform set, and you can edit them as required.
Step 5 Click Finish when you have finished editing the transform set.
Deleting a Transform Set
You can delete a transform set if it is not currently being used by a policy.
Before You Begin
• In the Object Selector, select the object on which the transform set you want to delete is defined.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1 Select Configuration > Building Blocks.
Step 2 Select Transform Sets from the TOC. The Transform Sets page appears.
Step 3 Select the check box next to each transform set you want to delete and click Delete. If the transform set is not currently being referenced by a policy, it is deleted from the list of transform sets. If it is being referenced by a policy, an error message will indicate that the transform set cannot be deleted.
Working with Network Groups
A network group is a named collection of networks and/or hosts. The network group name can be referenced during the definition of VPN settings and policies, instead of having to specify each network or host individually for each policy definition. For example, when creating a custom ACE for a tunnel policy, you can select a network group to specify the source or the destination traffic flow.
If you change the contents of a network group, the change will be applied to all policies that reference the network group.
Network groups can contain the following:
• Networks or subnets, specified by IP address and subnet mask.
• Individual hosts, specified by IP address or host name.
• Other network groups, specified by selecting a network group name from a list of existing network groups.
The following topics provide information about working with network groups:
• Creating a Network Group
• Editing a Network Group
• Deleting a Network Group
Table 1-5 describes the elements in the Network Groups page.
Table 1-5 Network Groups: GUI Reference
GUI Element | Description
Check box column | Enables you to select a network group to edit or delete it. You can select more than one check box at a time.
Name column | Displays the name of the network group. You can click the network group name to display details about the network group.
Defined On column | Displays the object on which the network group is defined.
Comment column | Displays a description of the network group. This is the description that was provided when the network group was created.
Rows per page list box | Enables you to change the number of network groups displayed in the list.
Create button | Click to create a new network group.
Edit button | Click to edit the selected network group.
Delete button | Click to delete the selected network group.
Creating a Network Group
You create a network group using the Network Group wizard.
The following topics describe the tasks you must perform to create a network group using this wizard:
• Accessing the Network Group Wizard
• Naming the Network Group
• Specifying Networks and Contained Groups
• Viewing a Summary of the Network Group
Note
The same network group wizard pages are used for editing a network group, enabling you to modify values as required. See Editing a Network Group for more information.
Accessing the Network Group Wizard
To access the wizard, complete the steps in this procedure.
Before You Begin
• In the Object Selector, select the object on which you want to create the network group.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1 Select Configuration > Building Blocks.
Step 2 Select Network Groups from the TOC. The Network Groups page appears. It contains a list of the network groups defined on the selected device or device group (if any).
Step 3 Click Create. The first page of the Network Group wizard appears. The steps in the wizard are listed in the TOC on the left side of the page.
Naming the Network Group
The Name and Comment page of the Network Group wizard appears when you click the Create button in the Network Groups page. Router MC identifies each network group you create by a name you assign in this page. When you have finished creating the network group, it is listed by this name in the Network Groups page (see Table 1-5). It is also included as an option for selection wherever network groups can be used.
Procedure
Step 1 Enter a name and description in the fields provided. See Table 1-6 for descriptions of the fields.
Step 2 Click Next. The Networks page appears.
Step 3 Proceed to Specifying Networks and Contained Groups.
Table 1-6 describes the elements in the Network Group Name and Comment page.
Table 1-6 Network Group Name and Comment: GUI Reference
UI Element | Description
Name field | Enter a unique name for the network group, for identification purposes.
Comment field | Enter a description of the network group.
Next button | Click to go to the next page in the wizard.
Cancel button | Click to exit the wizard without saving your settings.
Specifying Networks and Contained Groups
In the Networks page of the Network Group wizard you specify the networks/hosts to be included in the network group. A network group can contain other network groups. The Networks page also displays predefined network groups that are available for inclusion in the network group you are creating.
Procedure
Step 1 Enter the IP addresses (and masks, if relevant) for each network/host to be included in the network group in the fields provided. You can also select a network group. See Table 1-7 for descriptions of the Networks page.
Step 2 Click >>. The network group is transferred to the right column, indicating that it will be included in the network group being created.
Step 3 If you want to include a predefined network group in the network group being created:
a. Select the network group in the Available Groups area.
b. Click >>. The network group is transferred to the Predefined Groups to be Included area.
Step 4 If Summary appears in the TOC, click Next. The Summary page appears, enabling you to verify that the network group has the required networks/hosts. Proceed to Viewing a Summary of the Network Group.
OR
If Summary does not appear in the TOC, click Finish to complete the creation of the network group, or go back to a previous step in the wizard to change your definitions, as required.
Table 1-7 describes the elements in the Network Group Networks page.
Table 1-7 Network Group Networks: GUI Reference
UI Element | Description
Enter Network/Host field | To add a subnet to the network group, enter the IP address and subnet mask, for example, 192.10.9.1/255.255.255.0. To add a host to the network group, enter the IP address or host name.
>> button | Click to add the specified network/host/network group to the network group.
Delete button | Select a network/host/network group in the list and click the Delete button to delete it from the network group.
Available Groups | Lists existing network groups. You can choose one or more of these network groups to include in the network group being created.
Predefined Groups to be Included | Lists the predefined network groups selected to be included in the network group being created.
>> button | Click to add the selected network group to the network group you are creating. The network group is moved to the Predefined Groups to be Included area.
<< button | Click to remove a selected network group from the Predefined Groups to be Included area. It will not be contained in the network group you are creating.
Back button | Click to go back to the previous page in the wizard.
Next button | Available only if Summary appears in the TOC (see Defining System Settings, page 1-1). Click to go to the next page in the wizard.
Finish button | Available only if Summary does not appear in the TOC (see Defining System Settings, page 1-1). Click to exit the wizard and complete the network group creation or modification process.
Cancel button | Click to exit the wizard without saving your settings.
Viewing a Summary of the Network Group
Note
The Network Group Summary page is not available if the Show Summary Step in Wizards check box in the System Settings page is deselected. See Defining System Settings, page 1-1 for more information.
The Summary page provides an overview of your network group definitions for your verification. See Table 1-8 for a description of the fields and buttons in this page.
Procedure
Step 1 Verify that your network group definitions are correct.
Step 2 Click Finish to complete the creation of the network group, or go back to a previous step in the wizard to change your definitions, as required.
Table 1-8 describes the elements in the Network Group Summary page.
Table 1-8 Network Group Summary: GUI Reference
UI Element | Description
Network Group Summary area | Lists all your definitions for the network group.
Back button | Click to go back to the previous page in the wizard.
Finish button | Click to exit the wizard and complete the network group creation or modification process.
Cancel button | Click to exit the wizard without saving your settings.
Editing a Network Group
You can edit any existing network group. On deployment, your changes will be applied on all devices with policies that reference the edited network group.
Before You Begin
• In the Object Selector, select the object on which the network group you want to edit is defined.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1 Select Configuration > Building Blocks.
Step 2 Select Network Groups from the TOC. The Network Groups page appears. It contains a list of the network groups defined on the selected device or device group (if any).
Step 3 Select the check box next to the network group you want to edit and click Edit. The Name and Comment page of the Network Group wizard appears. It displays the name and comment for the selected network group.
Step 4 Select the required page from the TOC or click the Next button to move through the pages in the wizard. Each page shows the values that were defined for the selected network group, and you can edit them as required.
Step 5 Click Finish when you have finished editing the network group.
Deleting a Network Group
You can delete a network group if it is not currently being referenced by a policy.
Before You Begin
• In the Object Selector, select the object on which the network group you want to delete is defined.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1 Select Configuration > Building Blocks.
Step 2 Select Network Groups from the TOC. The Network Groups page appears.
Step 3 Select the check box next to each network group you want to delete and click Delete. If the network group is not currently being referenced by a policy, it is deleted from the list of network groups. If it is being referenced by a policy, an error message will indicate that the network group cannot be deleted.
Working with Service Groups
Services are predefined protocol and port mappings that describe the network services used when defining access rules. In Router MC, you can create service groups; one service group may include one or more different services.
Service groups can be referenced when defining access rules for firewall functionality. See Defining the Parameters for the Access Rule, page 1-36.
Note
If you change the contents of a service group, the change will be applied to all access rules that reference that service group.
Access the Service Groups page by selecting Configuration > Building Blocks > Service Groups.
The Service Groups page displays a scrollable table listing all the currently defined service groups. By clicking a column heading and then the arrow displayed alongside it, you can switch the list between ascending and descending order.
In the Service Groups page you can create, edit, and delete service groups.
The following topics provide information about working with service groups:
• Creating a Service Group
• Editing a Service Group
• Deleting a Service Group
Table 1-9 describes the elements in the Service Groups page.
Table 1-9 Service Groups: GUI Reference
GUI Element | Description
Check box column | Enables you to select a service group to edit or delete it. You can select more than one check box at a time.
Name column | Displays the name of the service group.
Transport column | Displays the protocol that is used for the service group.
Source Ports column | Displays the source port numbers that are defined for the service group.
Dest Ports column | Displays the destination port numbers that are defined for the service group.
Service Groups column | Displays the services that are part of the service group.
Defined On column | Displays the object on which the service group is defined.
Create button | Click to create a new service group.
Edit button | Click to edit the selected service group.
Delete button | Click to delete the selected service group.
Creating a Service Group
You create a service group using the Service Group wizard.
Note
During the creation of a service group, do not define service groups that contain each other. For example, do not define Service A as a service group that contains Service B when Service B is already a service group that contains Service A. Such a circular definition could create an infinite loop during deployment.
The following topics describe the tasks you perform to create a service group using this wizard:
• Accessing the Service Group Wizard
• Naming the Service Group
• Specifying Protocol and Ports
• Including Other Service Groups
• Viewing a Summary of the Service Groups
Note
The same Service Group Wizard pages are used for editing a service group, enabling you to modify values as required. See Editing a Service Group for more information.
Accessing the Service Group Wizard
To access the wizard, complete the steps in this procedure.
Before You Begin
• In the Object Selector, select the object on which you want to create the service group.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1
Select Configuration > Building Blocks.
Step 2
Select Service Groups from the TOC.
The Service Groups page appears. It contains a list of the service groups defined on the selected object.
Step 3
Click Create.
The first page of the Service Group wizard appears. The steps in the wizard are listed in the TOC on the left side of the page. You can click on a step in the TOC to go directly to its corresponding page, or you can click the Next button to move sequentially through the wizard pages.
Naming the Service Group
The Name and Comment page of the Service Group wizard appears when you click the Create button in the Service Groups page. Router MC identifies each service group you create by a name you assign in this page. When you have finished creating the service group, it is listed by this name in the Service Groups page (see Table 1-9). It is also included as an option for selection wherever service groups can be used.
Procedure
Step 1
Enter a name and description in the fields provided. See Table 1-10 for descriptions of the fields.
Step 2
Click Next. The Protocol and Ports page appears.
Step 3
Proceed to Specifying Protocol and Ports.
Table 1-10 describes the elements in the Service Group Name and Comment page.
Table 1-10 Service Group Name and Comment: GUI Reference
UI Element | Description
Name field | Enter a unique name for the service group, for identification purposes.
Comment field | Enter a description of the service group.
Next button | Click to go to the next page in the wizard.
Cancel button | Click to exit the wizard without saving your settings.
Specifying Protocol and Ports
In the Protocol and Ports page of the Service Group wizard, you specify the protocol and port definitions that describe the service group you are creating.
In this page, you can define both ACL and CBAC protocols. You can only define a CBAC protocol if the ACL protocol is "tcp" or "udp".
Procedure
Step 1
Enter the protocols and ports in the fields provided. See Table 1-11 for descriptions of the Protocol and Ports page.
Step 2
Click Next. The Contained Service Groups page appears. See Including Other Service Groups.
Table 1-11 describes the elements in the Protocol and Ports page.
Table 1-11 Protocol and Ports: GUI Reference
UI Element | Description
ACL:
Protocol list box | Select an ACL protocol from the list. If your required protocol is not in the list, select the "blank" option from the list.
IP Protocol Number | If you selected a protocol from the Protocol list box, you do not need to enter a number here (the field will be unavailable). If you selected the "blank" protocol, you must enter the IP number of the required protocol in this field.
Source Ports | This field is only available if you selected "tcp" or "udp" in the Protocol list box. Enter the source ports that will be contained in the service group. Multiple entries must be separated by commas. You can also define a range of ports, if required. Note: When defining a range of ports, make sure the range you specify does not contain spaces. If you enter an invalid range, an error message will indicate the permissible range of numbers.
Destination Ports | This field is only available if you selected "tcp" or "udp" in the Protocol list box. Enter the destination ports that will be contained in the service group. Multiple entries must be separated by commas. You can also define a range of ports, if required. Note: When defining a range of ports, make sure the range you specify does not contain spaces. If you enter an invalid range, an error message will indicate the permissible range of numbers.
ICMP Qualifier list box | This list box is only available if you selected "icmp" in the Protocol list box. Select the required message (qualifier) for the ICMP service from the list of predefined ICMP messages provided by Router MC.
CBAC:
Keyword list box | This list box is only available if you selected "tcp" or "udp" for the ACL protocol. Select the required CBAC keyword from the list. Note: If you selected "tcp" for the ACL protocol, you will be unable to select "udp" for the CBAC keyword (the option will be unavailable). Similarly, if you selected "udp" for the ACL protocol, you will be unable to select "tcp" for the CBAC keyword.
Back button | Click to go back to the previous page in the wizard.
Next button | Click to go to the next page in the wizard.
Cancel button | Click to exit the wizard without saving your settings.
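The availability rules in Table 1-11 (ports only for tcp or udp, an IP Protocol Number only with the "blank" protocol, an ICMP qualifier only for icmp, and a CBAC keyword that cannot contradict the ACL protocol) form a small, checkable rule set. The Python below is an added example written for this page, not Router MC code: the protocol, ICMP message and CBAC keyword sets, the 0-65535 port range and the "low-high" range syntax are assumptions, because the page does not list them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed value sets. The page names only "tcp", "udp", "icmp" and the "blank"
# option; the other entries are a constructed subset used for illustration and
# do not reproduce Router MC's actual list boxes.
ACL_PROTOCOLS = {"tcp", "udp", "icmp", "ip", "blank"}
ICMP_QUALIFIERS = {"echo", "echo-reply", "unreachable", "time-exceeded"}
CBAC_KEYWORDS = {"tcp", "udp", "http", "ftp"}

# Assumed permissible port range and range syntax ("low-high", no spaces).
PORT_MIN, PORT_MAX = 0, 65535
_PORT_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


@dataclass
class ServiceSpec:
    """The values the Protocol and Ports page collects for one service group."""
    acl_protocol: str
    ip_protocol_number: Optional[int] = None
    source_ports: str = ""
    dest_ports: str = ""
    icmp_qualifier: Optional[str] = None
    cbac_keyword: Optional[str] = None


def parse_ports(text: str) -> List[Tuple[int, int]]:
    """Parse a comma-separated port list with optional ranges into (low, high) pairs.

    A token containing spaces (e.g. "1024 - 2048") fails the pattern, matching the
    page's note that a range must not contain spaces; the error names the
    permissible range, as the page says the wizard's error message does.
    """
    ranges: List[Tuple[int, int]] = []
    for token in text.split(","):
        match = _PORT_TOKEN.match(token)
        if not match:
            raise ValueError(
                f"invalid port entry {token!r}; permissible range is {PORT_MIN}-{PORT_MAX}"
            )
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not PORT_MIN <= low <= high <= PORT_MAX:
            raise ValueError(
                f"port range {token!r} outside permissible range {PORT_MIN}-{PORT_MAX}"
            )
        ranges.append((low, high))
    return ranges


def validate(spec: ServiceSpec) -> List[str]:
    """Return the list of rule violations; an empty list means the definition is consistent."""
    errors: List[str] = []
    proto = spec.acl_protocol
    if proto not in ACL_PROTOCOLS:
        return [f"unknown ACL protocol {proto!r}"]

    # IP Protocol Number is required with "blank" and unavailable otherwise.
    if proto == "blank":
        if spec.ip_protocol_number is None or not 0 <= spec.ip_protocol_number <= 255:
            errors.append("the blank protocol requires an IP protocol number (0-255)")
    elif spec.ip_protocol_number is not None:
        errors.append("IP protocol number is unavailable when a named protocol is selected")

    # Source and Destination Ports are only available for tcp or udp.
    is_l4 = proto in ("tcp", "udp")
    for label, text in (("source", spec.source_ports), ("destination", spec.dest_ports)):
        if not text:
            continue
        if not is_l4:
            errors.append(f"{label} ports are only available for tcp or udp")
            continue
        try:
            parse_ports(text)
        except ValueError as exc:
            errors.append(f"{label} ports: {exc}")

    # ICMP Qualifier is only available for icmp.
    if spec.icmp_qualifier is not None:
        if proto != "icmp":
            errors.append("ICMP qualifier is only available when the ACL protocol is icmp")
        elif spec.icmp_qualifier not in ICMP_QUALIFIERS:
            errors.append(f"unknown ICMP qualifier {spec.icmp_qualifier!r}")

    # CBAC Keyword needs tcp or udp, and a tcp/udp keyword must match the ACL protocol.
    if spec.cbac_keyword is not None:
        if not is_l4:
            errors.append("CBAC keyword is only available when the ACL protocol is tcp or udp")
        elif spec.cbac_keyword not in CBAC_KEYWORDS:
            errors.append(f"unknown CBAC keyword {spec.cbac_keyword!r}")
        elif spec.cbac_keyword in ("tcp", "udp") and spec.cbac_keyword != proto:
            errors.append(
                f"CBAC keyword {spec.cbac_keyword!r} is unavailable when the ACL protocol is {proto!r}"
            )
    return errors


if __name__ == "__main__":
    good = ServiceSpec("tcp", dest_ports="80,443,8000-8080", cbac_keyword="http")
    bad = ServiceSpec("tcp", dest_ports="1024 - 2048", cbac_keyword="udp")
    print(validate(good))  # []
    print(validate(bad))   # spaced range and mismatched CBAC keyword
```

Running the block with the two constructed definitions shows the accepted case returning no errors and the rejected case reporting both the spaced range and the tcp/udp mismatch, the two situations Table 1-11 singles out in its notes.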
Including Other Service Groups
A service group can contain other service groups. The Contained Groups page of the Service Group wizard shows the existing service groups available for inclusion in the service group you are creating. See Table 1-12 for descriptions of the Contained Groups page.
Procedure
Step 1
Select the required service group in the left column.
Step 2
Click < Add >>. The service group is transferred to the right column, indicating that it will be included in the service group being created.
Step 3
If Summary appears in the TOC, click Next. The Service Group Summary page appears, enabling you to verify that the service group has the required contained service groups. Proceed to Viewing a Summary of the Service Groups.
OR
If Summary does not appear in the TOC, click Finish to complete the creation of the service group, or go back to a previous step in the wizard to change your definitions, as required.
Table 1-12 describes the elements in the Contained Groups page.
Table 1-12 Contained Groups: GUI Reference
UI Element | Description
Available Service Groups column | Lists the available service groups. You can choose one of these service groups to include in the service group being created.
Selected Service Groups column | Lists the service groups that will be included in the service group you are creating.
< Add >> button | Click to add the selected service group to the service group you are creating. The service group is moved to the Selected Service Groups column.
<< Remove > button | Click to remove a service group from the Selected Service Groups area. It will not be contained in the service group you are creating.
Back button | Click to go back to the previous page in the wizard.
Next button | Available only if Summary appears in the TOC (see Defining System Settings, page 1-1). Click to go to the next page in the wizard.
Finish button | Available only if Summary does not appear in the TOC (see Defining System Settings, page 1-1). Click to exit the wizard and complete the service group creation or modification process.
Cancel button | Click to exit the wizard without saving your settings.
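The Note under Creating a Service Group warns that service groups which contain each other can cause an infinite loop during deployment, and the Contained Groups page is where such a containment is added. The Python below is an added example, not Router MC code: it shows the check a tool can apply at the < Add >> step (would including this group make the parent contain itself?) and a deployment-side expansion that refuses a circular definition instead of recursing forever. The group names and services are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# A service group record: its own services plus the names of the groups it contains.
Groups = Dict[str, Dict[str, List[str]]]

# Constructed catalogue modelled on the Contained Groups page. Group names and
# services are invented for this example and are not Router MC data.
SERVICE_GROUPS: Groups = {
    "web":         {"services": ["tcp/80", "tcp/443"], "contains": []},
    "mail":        {"services": ["tcp/25", "tcp/587"], "contains": []},
    "dmz-inbound": {"services": ["tcp/22"],            "contains": ["web", "mail"]},
}


def find_cycle(groups: Groups, name: str) -> Optional[List[str]]:
    """Depth-first walk of the containment graph starting at `name`.

    Returns the containment path that closes a loop (e.g. ["A", "B", "A"]),
    or None when everything reachable from `name` is acyclic.
    """
    path: List[str] = []
    on_path: Set[str] = set()
    finished: Set[str] = set()

    def visit(node: str) -> Optional[List[str]]:
        if node in on_path:  # back edge: node is already on the current path
            return path[path.index(node):] + [node]
        if node in finished:
            return None
        path.append(node)
        on_path.add(node)
        for child in groups.get(node, {}).get("contains", []):
            cycle = visit(child)
            if cycle:
                return cycle
        path.pop()
        on_path.discard(node)
        finished.add(node)
        return None

    return visit(name)


def would_create_cycle(groups: Groups, parent: str, child: str) -> bool:
    """Check for the Add action: would including `child` in `parent` make `parent`
    contain itself? Evaluated on a copy so the catalogue is left untouched."""
    trial: Groups = {
        name: {"services": list(rec["services"]), "contains": list(rec["contains"])}
        for name, rec in groups.items()
    }
    trial.setdefault(parent, {"services": [], "contains": []})["contains"].append(child)
    return find_cycle(trial, parent) is not None


def flatten(groups: Groups, name: str) -> List[str]:
    """Resolve a group to the de-duplicated, sorted services deployment would emit.

    A circular definition is rejected up front rather than expanded forever,
    which is the failure mode the page's note warns about.
    """
    cycle = find_cycle(groups, name)
    if cycle:
        raise ValueError("circular service group definition: " + " -> ".join(cycle))
    seen: Set[str] = set()
    services: Set[str] = set()

    def walk(node: str) -> None:
        if node in seen:
            return
        seen.add(node)
        record = groups.get(node, {"services": [], "contains": []})
        services.update(record["services"])
        for child in record["contains"]:
            walk(child)

    walk(name)
    return sorted(services)


if __name__ == "__main__":
    print(flatten(SERVICE_GROUPS, "dmz-inbound"))
    # The mutual containment from the page's note: Service A contains Service B
    # and Service B already contains Service A.
    circular: Groups = {
        "Service A": {"services": [], "contains": ["Service B"]},
        "Service B": {"services": [], "contains": ["Service A"]},
    }
    print(find_cycle(circular, "Service A"))
    print(would_create_cycle(SERVICE_GROUPS, "web", "dmz-inbound"))
```

The cycle check runs once per Add rather than at deployment time, so a user gets the refusal while still in the wizard; `flatten` keeps its own check because a catalogue edited elsewhere (for example, by changing a contained group after the fact) can still become circular.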
Viewing a Summary of the Service Groups
Note
The Service Groups Summary page is not available if the Show Summary Step in Wizards check box in the System Settings page is deselected. See Defining System Settings, page 1-1 for more information.
The Service Groups Summary page provides an overview of your service group definitions for your verification. See Table 1-13 for a description of the fields and buttons in this page.
Procedure
Step 1
Verify that your service group definitions are correct.
Step 2
Click Finish to complete the creation of the service group or go back to a previous step in the wizard to change your definitions, as required.
Table 1-13 describes the elements in the Service Groups Summary page.
Table 1-13 Service Groups Summary: GUI Reference
UI Element | Description
Service Group Summary area | Lists all your definitions for the service group.
Back button | Click to go back to the previous page in the wizard.
Finish button | Click to exit the wizard and complete the service group creation or modification process.
Cancel button | Click to exit the wizard without saving your settings.
Editing a Service Group
You can edit any existing service group. On deployment, your changes will be applied on all devices with policies that reference the edited service group.
Before You Begin
• In the Object Selector, select the object on which the service group you want to edit is defined.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1
Select Configuration > Building Blocks.
Step 2
Select Service Groups from the TOC. The Service Groups page appears. It contains a list of the service groups defined on the selected object. See Table 1-9 for a description of the elements in the Service Groups page.
Step 3
Select the check box next to the service group you want to edit and click Edit. The Name and Comment page of the Service Group wizard appears. It displays the name and comment for the selected service group.
Step 4
Select the required page from the TOC or click the Next button to move through the pages in the wizard. Each page shows the values that were defined for the selected service group and you can edit them as required.
Step 5
Click Finish when you have finished editing the service group.
Deleting a Service Group
You can delete a service group if it is not currently being referenced by a policy.
Before You Begin
• In the Object Selector, select the object on which the service group you want to delete is defined.
• If workflow mode is enabled, make sure that you are working within the context of an open activity.
Procedure
Step 1
Select Configuration > Building Blocks.
Step 2
Select Service Groups from the TOC. The Service Groups page appears. See Table 1-9 for a description of the elements in the Service Groups page.
Step 3
Select the check box next to each service group you want to delete and click Delete.
If the service group is not currently being referenced by a policy, it is deleted from the list of service groups. If it is being referenced by a policy, an error message will indicate that the service group cannot be deleted.