Match All of the Following

When you select this option an AND relationship is created among the filtering criteria you define. An item must satisfy every rule in the filter to be displayed in the list.

For example, if you define the following criteria:

•Name contains OSPF

•Name contains West

When you click OK, the filter is defined as: Name contains OSPF and Name contains West.

Match Any of the Following

When you select this option an OR relationship is created among the filtering criteria you define. An item must satisfy only one of the rules in the filter to be displayed in the list.

For example, if you define the following criteria:

•Name contains OSPF

•Name contains RIP

When you click OK, the filter is defined as: Name contains OSPF or Name contains RIP.

Filter Type

(First field.)

The type of property on which you are filtering. For tables, this is the column heading. You might have only one option for filtering certain lists (for example, you might only be able to filter by the name of the item).

Filter Operator

(Second field.)

The relationship between the filter type and the filter value. The available options depend on the selected type.

Filter Value

(Third field.)

The value on which you want to filter. Depending on the selected type, you either enter a text string in this field, or you select a value from the list.

Filter Content Area

Add button

Remove button

The filter type, operator, and value that you have selected for each criterion.

•To add a criterion, create it in the fields above this area and click Add.

•To remove a criterion, select it and click Remove.

Add Device from Network

Select this option to add devices that are currently active on the network. Security Manager connects directly and securely to the device and discovers its identifying information and properties.

Add from Configuration File

Select this option to add devices by using a copy of the device configuration files.

Add New Device

Select this option to add a device that does not yet exist in the network, so that you can pre-provision it in Security Manager. You can create the device in the system, assign policies to the device, and generate configuration files before installing the device hardware.

Add Device from File

Select this option to add devices from an inventory file in a supported comma-separated values (CSV) format.

IP Type

You can add only devices that have static IP addresses.

If you want to add a device that uses dynamic addresses (supplied by a DHCP server), determine the current IP address for the device, use that address, and after adding the device, update its properties to change the IP Type to Dynamic and to identify the AUS or Configuration Engine that is managing the device.

Hostname

The DNS hostname for the device. Enter the DNS hostname if the IP address is not known.

Note You must enter either the DNS hostname or the IP address, or both.

Domain Name

The DNS domain name for the device.

IP Address

The management IP address of the device. The IP address must be in the dotted quad format, for example, 10.64.3.8.

Note You must enter either the IP address or the DNS hostname, or both.

Display Name

The name to display in the Security Manager Device selector. If you enter a hostname or IP address, it is entered automatically in this field, but you can change it.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following characters: _ -. : and space.

Note Two devices cannot have the same display name.

OS Type

The family of the operating system running on the device. You must be careful to select the correct type, because your selection affects how Security Manager tries to log into the device and obtain its configuration. The options are:

•IOS 12.3+—For Cisco routers running Cisco IOS Software Release 12.3 or higher. Do not select this for Catalyst 6500/7600 or other Catalyst devices.

Tip Select this option for Aggregation Services Routers (ASR) even if they are running a version of 12.2. The ASR IOS releases are treated as higher releases.

•IOS - 12.2, 12.1—For Cisco routers running Cisco IOS Software Releases 12.2 or 12.1. Do not select this for ASRs, Catalyst 6500/7600, or other Catalyst devices.

•IOS - Catalyst Switch/7600—For all Catalyst switches and 7600 devices.

•ASA—For all ASA devices.

•FWSM—For all FWSM devices.

•IPS—For all devices running the IPS software.

•PIX—For all PIX devices.

Transport Protocol

The protocol Security Manager should use when connecting to the device. Select a protocol that is configured on the device and for which you can supply credentials. Each device type has a default protocol that is the method normally used with the device.

System Context

Whether to discover the system execution space of a PIX Firewall 7, ASA, or FWSM device that is running in multiple-context mode. If you are discovering a device that hosts multiple security contexts, whether you select this checkbox has important implications in how you can configure the device in Security Manager. What gets discovered on the device also depends on whether you select the Discover Policies for Security Contexts checkbox.

•Both System Context and Discover Policies for Security Contexts selected—This is the recommended selection. Security Manager discovers the system execution space and all of the security contexts defined on the device, and lists them in the device selector. The base display name represents the system execution space (for example, 10.10.11.24), whereas the security contexts are represented by nodes with the context name appended to the device name (for example, 10.10.11.24_admin), unless you changed the default naming convention configured on the Discovery page (see Discovery Page, page A-16).

•System Context selected, Discover Policies for Security Contexts deselected—The system execution space is discovered and added to the device selector. You can then discover the policies for the security contexts at a later time. This method might be appropriate if you have one group of people who discover inventory and another group that discovers policies.

•Neither checkbox selected—Only the Admin context gets discovered and added to the device selector. You cannot discover the other security contexts or manage them.

Discover

The type of elements that should be discovered and added to the inventory. You have these options:

•Policies and Inventory—Discover policies, interfaces, and service modules (if applicable). This is the default and recommended option.

When policy discovery is initiated, the system analyzes the configuration on the device, then imports the configured service and platform policies. When inventory discovery is initiated, the system analyzes the interfaces on the device and then imports the interface list. If the device is a composite device, all the service modules in the device are discovered and imported.

If you select this option, the checkboxes below are activated and you can use them to control the types of policies that are discovered.

Note During discovery, if you import an ACL that is inactive, it is shown as disabled in Security Manager. If you deploy the same ACL, it will be removed by Security Manager.

•Inventory Only—Discovers interfaces and service modules (if applicable).

•No Discovery—All discovery is skipped. No policy, interface, or service module information for the device is added to the device inventory.

Platform Settings

Whether to discover the platform settings, which are also called platform-specific policy domains. Platform-specific policy domains exist on firewall devices and Cisco IOS routers. These domains contain policies that configure features that are specific to the selected platform. For more information, see Service Policies vs. Platform-Specific Policies, page 6-2.

Firewall Policies

Whether to discover firewall policies, which are also called firewall services. Firewall services include policies such as access rules, inspection rules, AAA rules, web filter rules, and transparent rules. For details see, Chapter 11, "Managing Firewall Services"

IPS Policies

Whether to discover IPS policies such as signatures and virtual sensors. For more information, see Chapter 16, "Managing IPS Devices" and Chapter 12, "Managing IPS Services".

RA VPN Policies

Whether to discover IPSec and SSL remote access VPN policies such as IKE proposals and IPsec proposals. For more information, see Chapter 10, "Managing Remote Access VPNs".

Discover Policies for Security Context

Whether to discover policies for security contexts. Security contexts apply to PIX Firewall, ASA, or FWSM devices. This field is active only if you select Static for IP Type and System Context.

Device Type selector

Organizes the devices by device-type and device-family. Select the device type for the new device. You must select the correct device type for the configuration file you are adding.

System Object ID

The system object identifiers for the device type you selected from the Device Type selector. Select the correct ID for your device.

Configuration Files

The configuration files from the devices you are adding to the inventory. You can specify more than one configuration file, but they must all be for the same device type. Separate the file names with commas.

Click Browse to select the files from the Security Manager server, or manually type in the file names (including the full path). For information on selecting files, see Selecting or Specifying a File or Directory on the Server File System, page 2-19.

Options

The additional options available on the device. Select IPS if the IPS feature is available on the device.

Target OS Version

(Routers only.)

The OS version on which you want to base the router's configuration.

•Select Default to read the OS version from the configuration file.

•Select a specific release number if you want to ensure the desired release is used. If the desired release is not listed, select the release number that is closet but lower than the release running on the device.

You might have to select a specific release when discovering configuration files for Aggregation Services Routers (ASR) or for configuration files that include zone-based firewall policies.

Discover

The type of elements that should be discovered and added to the inventory. You have these options:

•Policies and Inventory—Discover policies, interfaces, and service modules (if applicable). This is the default and recommended option.

When policy discovery is initiated, the system analyzes the configuration file, then imports the configured service and platform policies. When inventory discovery is initiated, the system analyzes the interfaces defined in the file and then imports the interface list.

If you select this option, the checkboxes below are activated and you can use them to control the types of policies that are discovered.

Note During discovery, if you import an ACL that is inactive, it is shown as disabled in Security Manager. If you deploy the same ACL, it will be removed by Security Manager.

•Inventory Only—Discovers interfaces and service modules (if applicable).

•No Discovery—All discovery is skipped. No policy, interface, or service module information for the device is added to the device inventory.

Platform Settings

Whether to discover the platform settings, which are also called platform-specific policy domains. Platform-specific policy domains exist on firewall devices and Cisco IOS routers. These domains contain policies that configure features that are specific to the selected platform. For more information, see Service Policies vs. Platform-Specific Policies, page 6-2.

Firewall Policies

Whether to discover firewall policies, which are also called firewall services. Firewall services include policies such as access rules, inspection rules, AAA rules, web filter rules, and transparent rules. For details see, Chapter 11, "Managing Firewall Services"

IPS Policies

Whether to discover IPS policies such as signatures and virtual sensors. For more information, see Chapter 16, "Managing IPS Devices" and Chapter 12, "Managing IPS Services".

RA VPN Policies

Whether to discover IPSec and SSL remote access VPN policies such as IKE proposals and IPsec proposals. For more information, see Chapter 10, "Managing Remote Access VPNs".

Finish button

Saves your wizard definitions and closes the wizard. The Discovery Status dialog box opens to display the status of the configuration file import and discovery (see Discovery Status Dialog Box, page D-12).

Device Type selector

Organizes the devices by device-type and device-family. Select the device type for the new device.

System Object ID

The system object identifiers for the device type you selected from the Device Type selector. Select the correct ID for your device.

IP Type

Whether the IP address for the device is static (defined on the device) or dynamic (supplied by a DHCP server). Depending on the IP type you select, the displayed fields differ.

Hostname

(Static IP only)

The DNS hostname for the device. Enter the DNS hostname if the IP address is not known.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and hyphen (-).

Note You must enter either the DNS hostname or the IP address, or both.

Two devices cannot have the same DNS hostname and domain name combination.

Domain Name

(Static IP only)

The DNS domain name for the device.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; period (.) and hyphen (-).

IP Address

(Static IP only)

The management IP address of the device. The IP address must be in the dotted quad format, for example 10.64.3.8.

Note You must enter either the IP address or the DNS hostname, or both.

Display Name

The name to display in the Security Manager Device selector. If you enter a hostname or IP address, it is entered automatically in this field, but you can change it.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following characters: _ -. : and space.

Note Two devices cannot have the same display name.

OS Type

The type of operating system. Based on the device type, the OS type is selected automatically.

Image Name

The name of the image that will run on the device.

Target OS Version

The target OS version for which you want to apply the configuration. This selection determines the type of commands used when Security Manager generates configuration files.

Options

The additional options available on the device. Select IPS if the IPS feature is available on the device.

Contexts

Whether the device hosts a single security context (Single) or multiple security contexts (Multi). This field is displayed only if the OS type is an FWSM, ASA, or PIX Firewall 7.0.

Operational Mode

The mode in which the device is operating. This field is displayed only if the OS type is FWSM, ASA, or PIX Firewall 7.0. The options available are: Transparent, Routed, or Mixed. Mixed applies only to FWSM 3.1 and higher devices when you select Multi for Contexts.

This group is named differently depending on the device type you select:

•Auto Update—For PIX Firewall and ASA devices.

•Configuration Engine—For Cisco IOS Routers.

Use these fields to identify the server that manages the device, if any. A server is required for a device with a dynamic IP address. You cannot define a server for Catalyst 6500/7600 or FWSM devices.

Server

The Auto Update Server or Configuration Engine that manages the device.

You can add servers to the list by selecting Add Servers, which opens the Server Properties dialog box (see Server Properties Dialog Box). You can also edit the properties of a server by selecting Edit Server, which opens the Available Servers dialog box (see Available Servers Dialog Box).

For more information on managing this list of servers, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 5-14

Device Identity

The string value that uniquely identifies the device in Auto Update Server or the Configuration Engine.

Manage in Cisco Security Manager

Whether Security Manager manages the device. This check box is selected by default.

If the only function of the device you are adding is to serve as a VPN end point, deselect this check box. Security Manager will not manage configurations nor will it upload or download configurations on this device.

Security Context of Unmanaged Device

Whether to manage a security context whose parent (the PIX Firewall, ASA, or FWSM device) is not managed by Security Manager.

This field is active only if the device you selected in the Device selector is a firewall device, such as PIX Firewall, ASA, or FWSM and that firewall device supports security contexts.

You can partition a PIX Firewall, ASA, or FWSM into multiple security firewalls, also known as security contexts. Each context is an independent system with its own configuration and policies. You can manage these standalone contexts in Security Manager, even though the parent device is not managed by Security Manager. For more information, see Configuring Security Contexts on Firewall Devices, page 14-82.

Note If you select this check box, the available target OS version for the security module is displayed in the Target OS Version field.

Finish button

Saves your wizard definitions and closes the wizard.

When you click Finish, the system performs device validation tasks. If your entries are valid, the device definitions are saved and the wizard closes. The device is added to the inventory and it appears in the Device selector.

If errors are found, the system generates error messages and displays the wizard page where the error occurs.

Type

The type of server you are defining, either Auto Update Server or Configuration Engine.

This field is displayed only if you are adding a server. You cannot change the type of an existing server.

For new servers, this field is also not displayed if the title of the dialog box specifies the type of server you are adding.

Server Name

The DNS hostname of the server.

Domain Name

The DNS domain name of the server.

IP Address

The IP address of the server.

Display Name

The name to display in Security Manager for the server.

Username

The username for logging into the server.

Password

The password for accessing the server. In the Confirm field, enter the password again.

Port

The port number that the device managed by the Auto Update Server or Configuration Engine uses to communicate with the server. The port number is typically 443.

URN

This field is displayed only for Auto Update Servers.

The uniform resource name for the Auto Update Server. The URN is the name that identifies the resource on the Internet. The URN is part of a URL, for example, /autoupdate/AutoUpdateServlet. The full URL could be: https://: server ip:443/autoupdate/AutoUpdateServlet

where:

•server ip is the IP address of the Auto Update Server.

•443 is the port number of the Auto Update Server.

•/autoupdate/AutoUpdateServlet is the URN of the Auto Update Server.

Display Name

The name that is displayed in Security Manager for the server.

Type

The type of server: AUS or CE (Configuration Engine).

This field is not displayed if the title of the dialog box specifies the server type.

IP Address

The IP address of the server.

Server Name

The DNS hostname of the server.

Domain Name

The DNS domain name of the server.

Create button

Opens the Server Properties dialog box where you can add a new server (see Server Properties Dialog Box).

Edit button

Opens the Server Properties dialog box where you can edit the information for the selected server (see Server Properties Dialog Box).

Delete button

Deletes the selected server. You are asked to confirm the deletion.

Import Devices From

The inventory file that contains the devices you want to import. Click Browse to select the file on the Security Manager server.

When selecting the file, you must also select the correct file type so that Security Manager can correctly evaluate the comma-separated values (CSV) file.

After you select a file, Security Manager evaluates its contents and displays the list of devices defined in the file in the table in the upper pane of the page. Security Manager automatically selects all devices whose status is Ready to Import. Typically, these are the devices that do not already exist in the device inventory.

The table contains the following columns.

Import

Select this checkbox to add the device to the inventory. You can select or deselect a folder to select or deselect all devices within the folder.

Display Name

The name that will be displayed in the Security Manager Device selector.

Host Name

The host name defined on the device.

Transport

The transport protocol that should be used to connect to the device.

Status

Whether Security Manager can import the device. Devices can be imported only if they have the status Ready to Import. For detailed information on a device's status, select it and read the expanded status information in the Status text box in the lower right corner of the page.

Device Type

The type of device.

Below the device import table is a pane that displays the details for the device selected in the table. The Identity information repeats the table fields. The Status text box displays an extended explanation of the import status.

The Discover Device Settings and Transport groups let you specify how Security Manager should import the device. If you select a folder instead of a device, the settings you select apply to all devices in the folder. The settings are explained below.

Perform Device Discovery

Whether to discover policies directly from the device:

•If the inventory file is in Security Manager format, you must select Perform Device Discovery to discovery inventory and policies (otherwise, the device is added without being evaluated). If you are adding offline or standby devices, you can leave this option deselected to easily add the device to the inventory.

•All other inventory file types require device discovery.

System Context

Whether the selected device is the system execution space on a device running in multiple context mode (that is, more than one security context is defined on the device). If the device is the system execution space, you must select this option for discovery to complete correctly.

Discover

The type of elements that should be discovered and added to the inventory. You have these options:

•Policies and Inventory—Discover policies, interfaces, and service modules (if applicable). This is the default and recommended option.

When policy discovery is initiated, the system analyzes the configuration on the device, then imports the configured service and platform policies. When inventory discovery is initiated, the system analyzes the interfaces on the device and then imports the interface list. If the device is a composite device, all the service modules in the device are discovered and imported.

If you select this option, the checkboxes below are activated and you can use them to control the types of policies that are discovered.

Note During discovery, if you import an ACL that is inactive, it is shown as disabled in Security Manager. If you deploy the same ACL, it will be removed by Security Manager.

•Inventory Only—Discovers interfaces and service modules (if applicable).

Platform Settings

Whether to discover the platform settings, which are also called platform-specific policy domains. Platform-specific policy domains exist on firewall devices and Cisco IOS routers. These domains contain policies that configure features that are specific to the selected platform. For more information, see Service Policies vs. Platform-Specific Policies, page 6-2.

Firewall Policies

Whether to discover firewall policies, which are also called firewall services. Firewall services include policies such as access rules, inspection rules, AAA rules, web filter rules, and transparent rules. For details see, Chapter 11, "Managing Firewall Services"

IPS Policies

Whether to discover IPS policies such as signatures and virtual sensors. For more information, see Chapter 16, "Managing IPS Devices" and Chapter 12, "Managing IPS Services".

RA VPN Policies

Whether to discover IPSec and SSL remote access VPN policies such as IKE proposals and IPsec proposals. For more information, see Chapter 10, "Managing Remote Access VPNs".

Discover Policies for Security Contexts

For devices running in multiple-context mode, where more than one security context is defined on the device, whether to discover those security contexts.

The transport settings determine the method Security Manager will use to contact the device. Each device type has a default method, but you can select your preferred transport method. The device must be configured to respond to the method you select. If you are not performing device discovery, the device is not contacted.

Protocol

The protocol Security Manager should use when connecting to the device.

Server

For devices that use them, the name of the Auto Update Server (AUS) or Configuration Engine server the device uses to obtain configuration updates. The server must already be defined in Security Manager, or you must select the server from the import list, to import devices that use these servers.

Device Identity

For devices that use servers, the string value that uniquely identifies the device in the Auto Update Server or the Configuration Engine.

Next button

Finish button

Click Next to continue to an optional page where you can select a device group for the added files. Otherwise, click Finish.

If you are performing device discovery, the Discovery Status page appears, displaying the status of the device import and discovery. Security Manager attempts to log into each device and obtain the type of information you selected. The login attempts must be successful for the devices to be added to the inventory.

If you are adding devices that contain modules, for example, a Catalyst switch with an FWSM, you are prompted for module discovery information.

Required for all device types. These credentials are used for SSH and Telnet connections, and for HTTP and HTTPS connections if you select Use Primary Credentials in the HTTP group.

Username

The user name for logging into the device.

Note PIX/ASA/FWSM devices require that user names be at least four characters. Passwords can be three to 32 characters; we recommend that passwords be at least eight characters.

Password

The password for logging into the device (User EXEC mode). In the Confirm field, enter the password again.

Enable Password

The password that activates enable mode (Privileged EXEC mode) on the device if the mode is configured on that device. In the Confirm field, enter the password again.

Credentials for making HTTP or HTTPS connections to a device. Some devices support this type of connection, and other devices (such as IPS devices) require it.

Use Primary Credentials

Username

Password

Whether Security Manager should use the configured primary credentials for HTTP and HTTPS connections. If the device uses different credentials for HTTP/HTTPS connections, deselect Use Primary Credentials and enter the username and password configured for HTTP/HTTPS. Reenter the password in the Confirm field.

Note PIX/ASA/FWSM devices require that user names be at least four characters. Passwords can be three to 32 characters; we recommend that passwords be at least eight characters.

HTTP Port

The port to use for HTTP connections. The default is port 80. Change this setting only if the device is configured to accept HTTP connections on a different port.

HTTPs Port

The port to use for HTTPS connections. The default is port 443 (unless a different default is configured in the Security Manager device communication settings). To change the default, first deselect Use Default. Change this setting only if the device is configured to accept HTTPS connections on a different port.

IPS RDEP Mode

The connection method to use for contacting IPS devices when making RDEP or SDEE connections (for event monitoring).

Certificate Common Name

The name assigned to the certificate. The common name can be the name of a person, system, or other entity that was assigned to the certificate. In the Confirm field, enter the common name again.

RX-Boot Mode button

Opens the RX-Boot Mode Credentials dialog box, where you can enter the credentials for booting the router from a reduced command-set image (RX-Boot). See RX-Boot Mode Credentials Dialog Box.

If these credentials are for a Cisco router that runs from flash memory (where it boots only from the first file in flash), you must run an image other than the one in flash to upgrade the flash image. The RX-Boot credentials are for running this other image.

SNMP button

Opens the SNMP Credentials dialog box, where you can specify the SNMP community strings defined on the device. See SNMP Credentials Dialog Box.

Test Connectivity button

Tests whether Security Manager can connect to the device using the credentials you entered and the configured transport method. For more information about testing device connectivity, see Testing Device Connectivity, page 5-16

This button appears only if you are adding a device manually. If you are adding a device from the network, Security Manager automatically performs the test when you click Next or Finish.

Next button

Continues to the next wizard page.

If you are adding devices from the network, Security Manager tests whether it can connect to the device using the identity and credentials you supplied. The Device Connectivity Test dialog box stays open while the test is in progress (see Device Connectivity Test Dialog Box). If the test fails, click Details to see detailed error information.

Finish button

Saves your wizard changes and closes the wizard.

The behavior of clicking Finish differs depending on whether you are adding devices from the network or you are manually defining a device.

•Adding Devices from the Network—Security Manager tests whether it can connect to the device using the identity and credentials you supplied.

If the test succeeds, the Discovery Status page appears, displaying the status of the device import and discovery. Security Manager attempts to log into each device and obtain the type of information you selected, even if you selected no discovery. The login attempts must be successful for the devices to be added to the inventory.

If you are adding devices that contain modules, for example, a Catalyst switch with an FWSM, you are prompted for module discovery information.

•Adding Devices Manually—The system performs device validation tasks. If the data you entered is incorrect, the system generates error messages and displays the wizard page where the error occurs with a red error icon corresponding to it.

Username

The RX-Boot Mode username.

Password

The RX-Boot Mode password. In the Confirm field, enter the password again.

These are the credentials for devices running SNMP version 2.

RO Community String

The read-only community string. In the Confirm field, enter the community string again.

RW Community String

The read-write community string. In the Confirm field, enter the community string again.

These are the credentials for devices running SNMP version 3.

Username

The SNMP version 3 username.

Password

The SNMP version 3 password. In the Confirm field, enter the password again.

Auth Algorithm

The authorization algorithm for encrypting the password. You can select MD5 or SHA-1.

Connectivity Protocol

The transport protocol being used to log into the device. Security Manager uses the protocol specified in the device properties for the device, which is usually the default protocol configured on the Device Communications page (see Device Communication Page, page A-11).

Connectivity Status

Displays the status of the test and the time elapsed since the start of the test.

Details button

Click this button to display detailed information about the result of the test.

•Passed tests—The details display the output of the show version command for PIX Firewall, Adaptive Security Appliances (ASA), Firewall Service Modules (FWSM), Cisco IOS routers, and VPN Services Modules (VPNSM), or the output of the getVersion command for IPS Sensors and Cisco IOS IPS Sensors. You can copy the command output and paste it into a file for analysis.

•Failed tests—The detailed error message.

Abort button

Stops the connectivity test before it is completed.

Discovery Mode

The types of policies to discovery for this module:

•Discover Inventory and Policies—Discover inventory and security policies. This is the recommended option.

•Discover Inventory Only—Do not discover security policies, but discover inventory, such as VLAN configuration, security contexts, and interfaces. You can discover the policy configuration later by right-clicking the service module and then selecting Discover Policies on Device.

•Do Not Discover Module—Skip discovery on this module and do not add it to the inventory.

Connect to FWSM

How Security Manager should access the FWSM:

•Directly—Connect to the FWSM using its management IP address. This is the recommended approach. It is the required method if you are connecting to a failover device; otherwise, Security Manager might connect to a standby FWSM after a failover.

•via Chassis—Connect to the FWSM through the chassis. This method has the restriction that there should be fewer than 20 security contexts defined on the FWSM. Security Manager connects to the Catalyst device through SSH and then to the FWSM through the session command. The number of concurrent SSH sessions is limited on a Catalyst device, with a default of 5. Policy discovery uses one SSH session for each security context, so a large number of contexts might lead to connection failures. If you select Directly, Security Manager connects to the FWSM through SSL, which has a greater concurrent session limit.

Management IP

The management IP address for the service module.

For FWSMs, this field is not available if you select via Chassis for the connection method.

Username

The user name for the service module.

For FWSMs running in multiple-context mode, a footnote explains which context's username and password to enter, either the system or the admin context. If you are connecting to a multiple-context mode device through the switch chassis, you must configure the same username and password for both the system execution space and the admin context, and specify those credentials in this dialog box.

Note User names be at least four characters. Passwords can be three to 32 characters; we recommend that passwords be at least eight characters.

Password

The User EXEC mode password for the service module. In the Confirm field, enter the password again.

Enable Password

(FWSM only)

The Privileged EXEC mode password for the service module. In the Confirm field, enter the password again.

Discovery

The type of discovery for this module:

•Discover Inventory and Policies—Discover inventory and security policies. This is the recommended option.

•Discover Inventory Only—Do not discover security policies, but discover inventory, such as virtual sensors and interfaces. You can discover the policy configuration later by right-clicking the module and selecting Discover Policies on Device.

•Do Not Discover Module—Skip discovery on this module and do not add it to the inventory.

IP Address

The management IP address for the module.

The credentials required to log into the module.

Username

The username for the module.

Password

The password for the specified username. In the Confirm field, enter the password again.

HTTP Port

The port configured for HTTP access to the module. The default is 80.

HTTPS Port

The port configured for SSL (HTTPS) access to the module. The default is defined on the Device Communication page (Tools > Security Manager Administration > Device Communication, for more information, see Device Communication Page, page A-11). The port typically used is 443.

To override the default, deselect Use Default and enter the correct port number.

IPS RDEP Mode

The connection method to use for contacting IPS devices when making RDEP or SDEE connections (for event monitoring).

Certificate Common Name

The name assigned to the certificate. The common name can be the name of a person, system, or other entity that was assigned to the certificate. In the Confirm field, enter the common name again.

Group Types, such as Department and Location

The group types defined in Security Manager, for example, Department or Location. Each field contains a list of the device groups defined within that group type. Select the device groups to which the device should belong.

If you want to create a new device group, or group type, select Edit Groups from the drop-down list for any of the existing group types. This opens the Edit Device Groups page, where you can create new groups and group types or delete them (see Edit Device Groups Dialog Box).

Set values as default

Whether to set the selected groups as the default groups. If you select this option, other devices you add are automatically added to these groups.

Finish button

Saves your wizard definitions and closes the wizard.

After you click Finish, the system performs device validation tasks. If the data you entered is incorrect, the system generates error messages and displays the wizard page where the error occurs with a red error icon corresponding to it. Depending on the method you are using to add devices to the inventory, the Discovery Status dialog box might open displaying the status of policy and inventory discovery.

Severity

Displays one or all of the following:

•Error icon—A problem was detected that will prevent you from deleting the device.

•Warning icon—Proceed with caution.

•Information icon—A minor problem exists.

Device

Displays the name of the device that you are trying to delete.

Result

Provides detailed information about the problem. Double click a row or click the Details button to view long messages.

Details button

Displays the Device Delete Validation Details dialog box, which displays the same information about the selected row in a more readable format.

IP Type

The device IP type of the cloned device: Static or Dynamic. You cannot change the IP type when cloning a device.

Hostname

(Static IP only)

The DNS hostname for the cloned device.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following characters: -

Domain Name

(Static IP only)

The DNS domain name for the cloned device. If you do not provide the domain name, Security Manager uses the default domain name configured on the server.

IP Address

(Static IP only)

The management IP address of the cloned device, for example, 10.10.100.1.

Note If you do not know the IP address, enter the DNS hostname in the appropriate field. You must enter either the IP address or the DNS hostname for devices with static IP addresses.

Display Name

The unique name for the cloned device. This is the name that appears in Security Manager device lists.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following characters: _ -. : and space.

Device Identity

The string value that uniquely identifies the device in Auto Update Server or Configuration Engine. This field appears only if the device is configured to use one of these servers.

Clone VPN Assignments

Whether to copy the VPN assignments defined for the device. This field is displayed only if the device supports VPN assignments.

Device Type

The type of device.

IP Type

Whether the IP address for the device is static (defined on the device) or dynamic (supplied by a DHCP server). Depending on the IP type you select, the displayed fields differ.

Hostname

(Static IP only)

The DNS hostname for the device.

This is not necessarily the same name that is configured as the hostname on the device. This property is not updated with the hostname specified in the Hostname device property. It is also not updated with the name defined in the device configuration if you rediscover the device.

If you added the device to Security Manager by adding its configuration file, the hostname is initially set to the name specified in the configuration file. If no hostname is specified in the configuration, the name of the file is used as the DNS hostname.

Domain Name

(Static IP only)

The DNS domain name for the device.

IP Address

(Static IP only)

The management IP address of the device, for example 192.168.3.8.

Display Name

The name to display in the Security Manager Device selector.

The maximum length is 70 characters. Valid characters are: 0-9; uppercase A-Z; lowercase a-z; and the following characters: _ -. : and space.

OS Type

The family of the operating system running on the device.

Image Name

The name of the image running on the device. The image name is updated whenever you deploy to the device or rediscover its policies.

Running OS Version

The version of the operating system running on the device.

Target OS Version

The OS version on which you want to base the device's configuration. When creating a configuration file using the rules you configure, Security Manager uses commands available in the target OS version. This field is read-only for IPS devices.

You cannot change the target OS version to a version that significantly changes the feature set available for the device. For more information, see Changes That Change the Feature Set in Security Manager, page 5-19.

Options

A read-only field whose values are NONE or IPS. The value IPS indicates that the IPS feature is available on the device.

IPS Running OS Version

A read-only field that displays the version of IOS IPS running on the router. This field does not appear if the Options field has the value of NONE.

IPS Target OS Version

A read-only field that displays the target version of IOS IPS running on the router. This field does not appear if the Options field has the value of NONE.

Contexts

Whether the device hosts a single security context (Single) or multiple security contexts (Multi). This field is displayed only if the OS type is an FWSM, ASA, or PIX Firewall 7.0.

Operational Mode

The mode in which the device is operating. This field is displayed only if the OS type is FWSM, ASA, or PIX Firewall 7.0. The options available are: Transparent, Routed, or Mixed. Mixed applies only to FWSM 3.1 and higher devices when you select Multi for Contexts.

Transport Protocol

The transport protocol that Security Manager should use when accessing the device or deploying configurations to it. If you select Use Default, the transport protocol set in the Device Communication page (Tools > Security Manager Administration > Device Communication) is used (see Device Communication Page, page A-11). You can select a different protocol if the device is not configured to use the default protocol.

The available transport protocols differ depending on what the device type supports.

Monitored By

The CS-MARS server that monitors this device, if any.

Click Discover CS-MARS to have Security Manager determine which CS-MARS server is monitoring the device. If only one CS-MARS server is monitoring it, the field is updated with the server name. If there is more than one, you are prompted to select the CS-MARS server to use. Your selection determines which server is accessed when you try to view CS-MARS collected syslogs or events when viewing firewall access rules or IPS signatures in the policy rule tables for the device.

Before you can discover a CS-MARS server for the device, the server must be register with Security Manager on the CS-MARS administration page (Tools > Security Manager Administration > CS-MARS). For more information, see CS-MARS Page, page A-3.

This group is named differently depending on the device type:

•Auto Update—For PIX Firewall, FWSM, and ASA devices.

•Configuration Engine—For Cisco IOS routers.

Use these fields to identify the server that manages the device, if any. A server is required for a device with a dynamic IP address.

Server

The Auto Update Server or Configuration Engine that manages the device.

You can add servers to the list by selecting Add Servers, which opens the Server Properties dialog box (see Server Properties Dialog Box. You can also edit the properties of a server by selecting Edit Server, which opens the Available Servers dialog box (see Available Servers Dialog Box).

For more information on managing this list of servers, see Adding, Editing, or Deleting Auto Update Servers or Configuration Engines, page 5-14

Device Identity

The string value that uniquely identifies the device in Auto Update Server or the Configuration Engine.

Manage in Cisco Security Manager

Whether Security Manager manages the device.

If the only function of the device is to serve as a VPN end point, deselect this check box. Security Manager will not manage configurations nor will it upload or download configurations on this device.

Required for all device types. These credentials are used for SSH and Telnet connections, and for HTTP and HTTPS connections if you select Use Primary Credentials in the HTTP group.

Username

The user name for logging into the device.

Note PIX/ASA/FWSM devices require that user names be at least four characters. Passwords can be three to 32 characters; we recommend that passwords be at least eight characters.

Password

The password for logging into the device (User EXEC mode). In the Confirm field, enter the password again.

Enable Password

The password that activates enable mode (Privileged EXEC mode) on the device if the mode is configured on that device. In the Confirm field, enter the password again.

Credentials for making HTTP or HTTPS connections to a device. Some devices support this type of connection, and other devices (such as IPS devices) require it.

Use Primary Credentials

Username

Password

Whether Security Manager should use the configured primary credentials for HTTP and HTTPS connections. If the device uses different credentials for HTTP/HTTPS connections, deselect Use Primary Credentials and enter the user name and password configured for HTTP/HTTPS. Reenter the password in the Confirm field.

Note PIX/ASA/FWSM devices require that user names be at least four characters. Passwords can be three to 32 characters; we recommend that passwords be at least eight characters.

HTTP Port

The port to use for HTTP connections. The default is port 80. Change this setting only if the device is configured to accept HTTP connections on a different port.

HTTPs Port

The port to use for HTTPS connections. The default is port 443 (unless a different default is configured in the Security Manager device communication settings). To change the default, first deselect Use Default. Change this setting only if the device is configured to accept HTTPS connections on a different port.

Note If you configure the local HTTP policy to be a shared policy and assign the HTTP policy to multiple devices, the HTTPS port number setting in the shared policy overrides the port number configured in the Device Credentials page for all devices to which the policy is assigned.

IPS RDEP Mode

The connection method to use for contacting IPS devices when making RDEP or SDEE connections (for event monitoring).

Certificate Common Name

The name assigned to the certificate. The common name can be the name of a person, system, or other entity that was assigned to the certificate. In the Confirm field, enter the common name again.

Authentication Certificate Thumbprint

The certificate thumbprint for the device that is available in the Security Manager certificate data store. Click Retrieve From Device to obtain the current certificate from the device and to replace the one stored in Security Manager.

RX-Boot Mode button

Opens the RX-Boot Mode Credentials dialog box, where you can enter the credentials for booting the router from a reduced command-set image (RX-Boot). See RX-Boot Mode Credentials Dialog Box.

If these credentials are for a Cisco router that runs from flash memory (where it boots only from the first file in flash), you must run an image other than the one in flash to upgrade the flash image. The RX-Boot credentials are for running this other image.

SNMP button

Opens the SNMP Credentials dialog box, where you can specify the SNMP community strings defined on the device. See SNMP Credentials Dialog Box.

Test Connectivity button

Tests whether Security Manager can connect to the device using the credentials you entered and the configured transport method. For more information about testing device connectivity, see Testing Device Connectivity, page 5-16

Group Types, such as Department and Location

The group types defined in Security Manager, for example, Department or Location. Each field contains a list of the device groups defined within that group type. Select the device groups to which the device should belong.

If you want to create a new device group, or group type, select Edit Groups from the drop-down list for any of the existing group types. This opens the Edit Device Groups page, where you can create new groups and group types or delete them (see Edit Device Groups Dialog Box).

Set values as default

Whether to set the selected groups as the default groups. If you select this option, other devices you add are automatically added to these groups.

Available Devices pane

Contains two elements:

•Filter field—Filters and displays a subset of devices and groups based on the filtering criteria you define. For more information, see Create Filter Dialog Box.

•Device Selector—Displays the devices whose information you have the permission to export from Security Manager.

>> button

<< button

Moves the selected devices from one pane to the other pane.

To add a single device or multiple devices, select the devices or a group from the Available Devices pane, then click >>. The selected devices or all of the devices in the selected group move to the Selected Devices pane.

To remove a device from the Selected Devices pane, select the device from the Selected Devices pane, then click <<. The selected device moves to the Available Devices pane.

Selected Devices pane

Displays all the devices whose information you are exporting.

Export Inventory To

Browse button

The file name and path where the export file should be created. You can select only a location on the Security Manager server.

Click Browse to open the Save As dialog box, where you can navigate to the desired folder, enter a name for the file, and select the file type to specify the desired organization of the CSV file.

Groups

Displays the device groups and group types.

To rename a group or type, select it and then click it again to make the text editable. Type in the new name and press Enter.

Add Type button

Click this button to create a new group type. The type is added with a default name. Overtype the name and press Enter.

Add Group to Type button

Click this button to add a device group to the selected device group or group type.

Delete button (trash can)

Click this button to delete the selected device group or group type and all device groups that it contains. Deleting a device group or group type does not delete any devices it contains.

Available Devices pane

Contains two elements:

•Filter field—Filters and displays a subset of devices and groups based on the filtering criteria you define. For more information, see Create Filter Dialog Box.

•Device Selector—Displays the devices that you have the permission to manage in Security Manager.

>> button

<< button

Moves the selected devices from one pane to the other pane.

To add a single device or multiple devices, select the devices or a group from the Available Devices pane, then click >>. The selected devices or all of the devices in the selected group move to the Selected Devices pane.

To remove a device from the Selected Devices pane, select the device from the Selected Devices pane, then click <<. The selected device moves to the Available Devices pane.

Selected Devices pane

Displays all the devices that you selected to add to a group.

Available Devices

Lists all devices managed by AUS and CNS with a red X icon. To assign an AUS or Configuration Engine to devices, select one or more items from this list, then click >> to add them to the Selected Devices list.

Selected Devices

Lists all devices for which you want to assign an AUS or Configuration Engine. To remove devices from this list, select the devices, then click <<.

Server

Enables you to select or add an Auto Update Server or a Configuration Engine. If the server does not appear in the list, select + Add Server... to display the Server Properties dialog box. For more information, see Server Properties Dialog Box.

You can click on the column headings to sort the list based on that field.

Export button

Click this button to export the inventory as a comma-separated values (CSV) file. You are prompted to specify a file name and to select a folder on the Security Manager server. You can use the export file for reference or analysis.

Filter

When expanded, displays the filter bar, which enables you to filter the information based on conditions you set. For more information, see Filtering Tables, page 2-16.

Display Name

The name of the device as it is displayed in Security Manager.

Deployment

The status of the configuration deployment for the device. This column appears only if you enabled Deployment as a status provider (see Status Page, page A-37).

Performance Monitor

The status for the device as reported by Performance Monitor. This column appears only if you configured the device to be monitored by a Performance Monitor server, and you configured Security Manager to obtain status from that server. For more information, see Status Page, page A-37.

OS Type

The family of the operating system running on the device, for example, IOS, IPS, ASA, FWSM, or PIX.

Running OS Version

The version of the operating system running on the device.

Target OS Version

The target OS version for which you want to apply the configuration. Configurations are based on the commands supported by this version.

Host Name.Domain Name

The DNS host and domain names for the device.

IP Address

The management IP address of the device.

Device Type

The type of device.

Inventory

Lists summary information about the selected device's device properties, deployment methods, device group membership, and the parent device for modules.

Policy

Lists the current status of the policies that can be configured for the selected device, whether the policy is unassigned (not defined), a local policy, or a shared policy.

Policy Object Overrides

Lists policy objects that have overrides defined for the selected device. For more information on policy object overrides, see Policy Object Override Pages.

Status

Lists status providers with any status messages for the selected device. The time stamp indicates the time of the last change in status for the device, not the time of the latest polling of the device.

Also shown is the highest severity level of the status messages. For Performance Monitor, the event statuses are equivalent to the following Performance Monitor event priorities:

•Critical events—P1, P2.

•Major events—P3.

•Minor events—P4.

•Warning events—P5.

Navigation buttons

Click the navigation buttons to move through the inventory list. From left to right, buttons mean go to the first device in the list, go to the previous device, go to the next device, and go to the last device. The center field indicates which device is currently selected based on the row number (for example 5/10 means the fifth of 10 devices in the list).