- Understanding FlexConfig Policies and Policy Objects
- Configuring FlexConfig Policies and Policy Objects
- FlexConfig Policy Page
- Troubleshooting FlexConfigs
Managing FlexConfigs
FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager's control over a device configuration and take advantage of new device features before upgrading the product.
FlexConfig policies are made up of FlexConfig objects. These objects are essentially subroutines that can include scripting language commands, device commands, and variables. You can configure an object to be processed before the Security Manager configuration is applied to a device, or after it. Security Manager processes your objects in the order you specify, so you can create objects whose processing depends on the processing of another object. A FlexConfig policy object's contents can range from a single simple command string to elaborate CLI command structures that incorporate scripting and variables.
Note Security Manager can be configured to deploy FlexConfigs only once after creation or modification of a FlexConfig, or to deploy FlexConfigs with each deployment. By default, Security Manager deploys FlexConfigs one time. If you have FlexConfigs that need to be deployed with each deployment, you will need to disable the "Deploy only new or modified Flexconfigs" setting on the Tools > Security Manager Administration > Deployment page. After changing this setting, you will need to manage one-time FlexConfigs by deleting them after they have been deployed. For more information, see Deployment Page.
Understanding policies and objects is central to understanding and using FlexConfig policy objects. For more information on how Security Manager defines and uses policies, see Chapter 5, "Managing Policies"; for information on how Security Manager defines and uses objects, see Chapter 6, "Managing Policy Objects".
The following topics describe FlexConfig policies and policy objects and how to use them:
Understanding FlexConfig Policies and Policy Objects
FlexConfig policy objects are used in FlexConfig policies. They allow you to configure device features that are not otherwise supported by Security Manager, or to otherwise fine-tune your device configurations. These policy objects include device configuration commands, variables, and optionally, scripting language instructions to control processing. FlexConfig objects are essentially programming routines to add content to the device configurations that Security Manager generates.
You can create FlexConfig policy objects from scratch or you can duplicate one of the objects that are included with Security Manager.
FlexConfig policies are simply an ordered list of FlexConfig policy objects. Your objects are processed in the order that you specify.
The following topics help you understand FlexConfig policy objects and by extension, FlexConfig policies. For more information about policy objects in general, see Chapter 6, “Managing Policy Objects”.
- Using CLI Commands in FlexConfig Policy Objects
- Using Scripting Language Instructions
- Understanding FlexConfig Object Variables
- Predefined FlexConfig Policy Objects
Using CLI Commands in FlexConfig Policy Objects
The configuration commands that you enter into the FlexConfig Editor are actual CLI commands used to configure devices, such as PIX Firewalls and Cisco IOS Routers. You can include CLI commands that are not supported in Security Manager. You are responsible for knowing and implementing the command according to the proper syntax for the device type. See the command reference for the particular operating system for more information.
When you create a FlexConfig policy object, you determine whether the commands and instructions should be added to the beginning or the end of the configuration that is generated from regular Security Manager policies:
- Prepended objects—FlexConfig objects that are processed at the beginning of the configurations. If Security Manager policies configure any of the same commands included in the object, the prepended commands are replaced when configuration files are deployed.
- Appended objects—FlexConfig objects that are processed at the end of the configurations, after all other commands in the configuration file and before the write mem command.
If the appended commands are already configured on the device, the device generates an error when you try to add them again. To resolve this, two workarounds are available:
– Enter the command that removes the configuration in question as an appended command. For example, if the command is xyz, enter the following two lines:
– Change the setting that controls the action that the device will take to "warn." This is set under Tools > Security Administration > Deployment.
The setting change will affect the behavior of devices for all commands being deployed, not just those designated as appended commands.
Note If you are deploying to a device, you should remove most appended commands after the initial deployment. This is especially true for object groups, where any unbound object group is replaced in the Ending Command section during command generation, then re-sent each time the configuration is deployed to a device. The device displays an error because the firewall device shows that the object group already exists. If you are deploying to a file or AUS, the appended commands should remain.
Using Scripting Language Instructions
You can use scripting language instructions in a FlexConfig policy object to control how the commands in the object are processed. Scripting language instructions are a subset of commands supported in the Velocity Template Engine, a Java-based scripting language that supports looping, if/else statements, and variables.
Security Manager supports all Velocity Template Engine commands except the include and parse commands. For information about the other supported commands, see the Velocity Template Engine documentation.
The following topics provide examples of the most commonly used functions:
Scripting Language Example 1: Looping
A plain old telephone service (POTS) dial peer enables incoming calls to be received by a telephony device by associating a telephone number to a voice port. The following example enables caller ID for a set of POTS dial peers.
Scripting Language Example 2: Looping with Two-Dimensional Arrays
In this example, a set of phone numbers is associated to voice ports so that incoming calls can be received at a router.
Example 3: Looping with If/Else Statements
In this example, a set of phone numbers is associated to voice ports so that incoming calls can be received at a router. In addition, another set of phone numbers is associated to IP addresses to enable Voice Over IP outgoing calls from the router.
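The template bodies for the three scripting examples above are not reproduced on this page. The following is an added example written by the editor, not the template text from the original guide, in the Velocity syntax that the FlexConfig editor accepts. It demonstrates the three techniques in order (a simple loop, a loop over a two-column table, and a loop with if/else over a three-column table) and also applies the remove-then-re-add workaround described under appended objects, so the object can be redeployed without the "already configured" error. The text objects $voicePorts, $potsNumbers and $voiceRoutes are assumed names for Text objects whose value is a list or a table; each table row is accessed with $row.get(0) for column A, $row.get(1) for column B, and so on. The IOS voice commands are illustrative and must be checked against the command reference for the target device.

```velocity
## Added example (not from the original guide). Assumed text objects:
##   $voicePorts  - list of voice-port ids, e.g. 1/0/0 1/0/1
##   $potsNumbers - table, column A = destination pattern, column B = voice port
##   $voiceRoutes - table, column A = number, column B = pots|voip,
##                  column C = voice port (pots) or IP address (voip)

## Example 1: simple loop. Enable caller ID on every listed voice port.
#foreach ($port in $voicePorts)
voice-port $port
 caller-id enable
#end

## Example 2: loop over a two-column table. An explicit counter gives each
## POTS dial peer a unique tag; "no dial-peer voice" first so re-deploying
## the appended object does not fail because the peer already exists.
#set ($tag = 100)
#foreach ($row in $potsNumbers)
no dial-peer voice $tag pots
dial-peer voice $tag pots
 destination-pattern $row.get(0)
 port $row.get(1)
#set ($tag = $tag + 1)
#end

## Example 3: loop with if/else over a three-column table. POTS numbers are
## bound to voice ports; VoIP numbers are bound to a session target address.
#foreach ($row in $voiceRoutes)
#if ($row.get(1) == "pots")
no dial-peer voice $tag pots
dial-peer voice $tag pots
 destination-pattern $row.get(0)
 port $row.get(2)
#else
no dial-peer voice $tag voip
dial-peer voice $tag voip
 destination-pattern $row.get(0)
 session target ipv4:$row.get(2)
#end
#set ($tag = $tag + 1)
#end
```

With $potsNumbers holding the constructed rows "5551001 1/0/0" and "5551002 1/0/1", the second loop renders as dial peers 100 and 101, each preceded by its "no" form; the counter is shared across the two table loops so the tags never collide. Lines beginning with ## are Velocity comments and produce no output, so the generated configuration contains only device commands. Because Security Manager does not validate the commands it deploys, preview the generated configuration for a device before submitting it.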
Understanding FlexConfig Object Variables
Variables in FlexConfig policy objects start with the $ character. For example, in the following line, $inside is a variable:
There are three types of variables you can use in a FlexConfig policy object:
- Policy object variables—Static variables that reference a specific property. For example, Text objects are a type of policy object variable. They are a name and value pair, and the value can be a single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of textual data to be referenced and acted upon by any policy object.
There are three ways to add policy object variables to a FlexConfig policy object. First, move the cursor to the desired location, and then:
– Right-click and select Create Text Object. This command opens a dialog box where you can create a simple single-value text object and assign it a value. When you click OK, the variable is added to the object, and it is added to the list of defined Text objects in the Policy Object Manager window so that you can use it in other objects or edit its definition. For an example of creating simple text variables, see Example of FlexConfig Policy Object Variables.
– Right-click and select a policy object type from the Insert Policy Object sub-menu. These commands open a selector dialog box where you can select the specific policy object that contains the variable that you want to insert. After selecting the policy object, you are presented with the Property Selector dialog box, where you choose the specific property of the object that you want to use and optionally change the name of the variable associated with the property.
By using this technique, you can add a property from an existing policy object when you know that the property has the value that you want to use. For example, if you want to insert a variable that specifies the RADIUS protocol from the AAA Server Group policy object named RADIUS, you would right-click, select Insert Policy Object > AAA Server Group, select RADIUS in the AAA Server Group Selector dialog box, click OK, and then select Protocol in the Object Property field on the AAA Server Group Property Selector dialog box and click OK. The $protocol variable is inserted at the cursor, and the value for the property as defined in the selected object is added to the variables list.
– Type in a variable name. If you type in a variable, you cannot assign it a value until you click OK on the Add or Edit FlexConfig dialog box. You will be prompted that a variable is undefined, and given the opportunity to define its value. In the FlexConfig Undefined Variable dialog box, you can select the object type of the policy object that contains the desired value, which will prompt you to select the specific policy object and variable. This is essentially identical to the process for inserting policy object variables described above. The technique you use is a matter of personal preference; the end result is the same.
- System variables—Dynamic variables that reference a value during deployment, when the configuration is generated. The values are obtained from either the target device or the policies configured for the target device. You can declare system variables to be optional in FlexConfig policy objects, which means that the variables do not need to be assigned a value for the object to be deployed to the device.
To insert a system variable into a FlexConfig policy object, move the cursor to the desired location, right-click, and select the variable from the Insert System Variable sub-menus. For a description of the available system variables, see FlexConfig System Variables.
- Local variables—Variables that are local to the looping and assignment directives (the foreach and set statements). Local variables get their values directly from the Velocity Template Engine. There is no need to supply values for the local variables.
To insert a local variable, simply type it in. When you click OK on the Add or Edit FlexConfig dialog box, you will be asked if you want to define the undefined variable. You can click No, or if you click Yes to define other variables, you can leave the object type of the local variable as Undefined.
Example of FlexConfig Policy Object Variables
Using CLI commands and variables, you can create a FlexConfig policy object to name the inside interface and crypto map on a Cisco router:
The following example shows how to create a FlexConfig policy object that adds these commands and configures the value of $inside as serial0 and $mapname as my_crypto.
When you add the FlexConfig policy object to a device, and the configuration is generated, the following output is created:
Step 1 Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager).
Step 2 Select FlexConfigs from the table of contents. The table in the right pane lists the existing FlexConfig objects.
Step 3 Right-click in the table and select New Object. The Add FlexConfig dialog box appears (see Add or Edit FlexConfig Dialog Box).
Step 4 Enter a name and optionally a description for the object.
Tip You can also enter a group name. Groups help you find FlexConfig objects if you create a lot of them. Either type in a group name, or select an existing one from the drop-down list.
Step 5 Keep Appended for Type so that the commands are added at the end of the device configuration.
Step 6 Create the content of the object:
a. Click in the FlexConfig edit box (the large white box) and type in interface followed by a space.
b. Right-click and select Create Text Object.
c. In the Create Text Object dialog box, enter inside as the name and serial0 as the value. Click OK to add the variable.
d. Press Enter to move to the next line and type crypto map followed by a space.
e. Right-click and select Create Text Object.
f. In the Create Text Object dialog box, enter mapname as the name and my_crypto as the value. Click OK to add the variable.
Step 7 Click the Validate FlexConfig icon button above the edit box to check the integrity and deployability of the object. If any errors are identified, fix them.
Step 8 Click OK to save the policy object. You can now add the object to a device’s local or shared FlexConfig policy.
FlexConfig System Variables
System variables reference values during deployment when commands are generated. Security Manager provides a set of defined system variables for you to use in defining FlexConfig policy objects. The values come from the policies you create for the target devices. The values for these variables are required unless otherwise noted. For information about these variables, see the following tables:
- Device system variables—Table 7-1. For more information about discovering or configuring devices to obtain values for these variables, see Chapter 3, “Managing the Device Inventory”.
- Firewall system variables—Table 7-2. For more information about firewall policies, see Chapter 45, “Managing Firewall Devices” and Chapter 12, “Introduction to Firewall Services”.
- Router platform system variables—Table 7-3. For more information about router policies, see Chapter 58, “Managing Routers”.
- VPN system variables—Table 7-4. For more information about VPN policies, see Chapter 24, “Managing Site-to-Site VPNs: The Basics”.
- Remote access system variables—Table 7-5. For more information about remote access policies, see Chapter 29, “Managing Remote Access VPNs: The Basics”.
Table 7-4 VPN System Variables
Variables related to the VPN in which a device participates. Configure VPNs to generate values for these variables.
- Virtual private network (VPN) topology type. Possible values are HUB_AND_SPOKE, POINT_TO_POINT, and FULL_MESH.
- Details about the role of the device in the VPN. Possible values are PEER, HUB, and SPOKE.
Variables related to devices in the VPN in which a device participates. Configure VPNs to generate values for these variables.
- IP address of the VPN endpoint. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.
- Name of the VPN endpoint. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.
Variables related to remote peers of the VPN in which a device participates. Configure VPNs to generate values for these variables.
- Interface tunnel IP addresses of remote peers of failover hubs. This value is used in DMVPN for Next Hop Resolution Protocol (NHRP).
- Protected networks (interface and network IP addresses) of remote peers of failover hubs.
- IP address of the VPN endpoint of remote peers. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source.
- Interface tunnel IP addresses of remote peers. This value is used in DMVPN for Next Hop Resolution Protocol (NHRP).
- Protected networks (interface and network IP addresses) of remote peers.
- Tunnel sources (if included in the interface tunnel of remote peers).
Variables related to IPSec Proposal policies. For more information, see Configuring IPsec Proposals in Site-to-Site VPNs and Configuring High Availability in Your VPN Topology. Configure the IPSec Proposal policy to generate values for these variables.
Variables related to Preshared Key and IKE Proposal policies. For more information, see Configuring IKEv1 Preshared Key Policies.
- Authentication method of the IKE policy. Possible values are pre-share, rsa-sig, rsa-encr, and dsa-sig. Configure an IKE Proposal policy to generate values for this variable.
- Priority number of the IKE policy. Configure an IKE Proposal policy to generate values for this variable.
- Negotiation method. Possible values are MAIN_ADDRESS, MAIN_HOST, and AGGRESSIVE. Configure a Preshared Key policy to generate values for this variable.
Variables related to GRE Modes policies. For more information, see Understanding the GRE Modes Page.
- Interface tunnel number of remote peers of failover hubs, for example, tunnel0.
- Process number of the interior gateway protocol (IGP). Configure GRE Modes policies to generate values for this variable.
- Type of secured interior gateway protocol (IGP) used. Possible values are STATIC, OSPF, EIGRP, RIPV2, BGP, and ODR. Configure GRE Modes policies to generate values for this variable.
- Whether DMVPN is configured for spoke-to-spoke connectivity. Possible values are true or false. Configure GRE Modes policies to generate values for this variable.
- Interface tunnel number of remote peers, for example, tunnel0.
Variables related to virtual routing and forwarding (VRF). For more information, see Configuring VRF Aware IPsec Settings. Configure VPN VRF settings to generate values for these variables.
- Multiprotocol Label Switching (MPLS) interface IP addresses.
- Interior gateway protocol (IGP) values. IGP is used for routing the IPSec aggregator toward the Provider Edge (PE)/Multiprotocol Label Switching (MPLS) network.
- Virtual routing and forwarding (VRF) solution. Possible values are 1BOX and 2BOX.
Variables related to certificate authority policies. For more information, see Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs.
- Certificate authority (CA) names. Configure PKI policies to generate values for this variable.
Variables related to EZVPN. For more information, see Understanding Easy VPN.
- Configure User Group policies to generate values for this variable.
Variables related to dial backup configurations. For more information, see Configuring Dial Backup.
Variables related to Group Encrypted Transport (GET) VPN. For more information, see Understanding Group Encrypted Transport (GET) VPNs.
- Name of the Group Domain of Interpretation (GDOI) group. Configure the Group Encryption policy to generate values for this variable (Manage > Site-to-Site VPNs > Group Encryption Policy > Group Settings).
- VPN-enabled outside interface to the provider edge (PE). Traffic originating or terminating on this interface is evaluated for encryption or decryption, as appropriate. Configure group members to generate values for this variable (Manage > Site-to-Site VPNs > Group Members).
- Name of the profile that defines the parameters to be used for IPsec encryption between two group members. Configure the Group Encryption policy to generate values for this variable (Manage > Site-to-Site VPNs > Group Encryption Policy > Security Associations).
- Interface on the key server assigned to handle Group Domain of Interpretation (GDOI) registrations. If no registration interface is specified, GDOI registrations can occur on any interface. Configure key servers to generate values for this variable (Manage > Site-to-Site VPNs > Key Servers).
Predefined FlexConfig Policy Objects
Security Manager provides predefined FlexConfig policy objects for you to use. These policy objects have predefined commands and scripting.
Predefined FlexConfig policy objects are read-only objects. To edit these predefined FlexConfig policy objects, duplicate the desired object, make changes to the copy, and save it with a new name. This way, the original predefined FlexConfigs remain unchanged. For lists of these predefined policy objects and further information on each, see the following tables:
- Predefined ASA FlexConfig Policy Objects—Table 7-8
- Predefined Catalyst FlexConfig Policy Objects—Table 7-7
- Predefined Cisco IOS FlexConfig Policy Objects—Table 7-8
- Predefined PIX Firewall FlexConfig Policy Objects—Table 7-9
- Predefined Router FlexConfig Policy Objects—Table 7-10
- Generates a compiled access list for NAT 0 access-control lists.
Configuring FlexConfig Policies and Policy Objects
You create and manage FlexConfig policy objects in the same way that you create other policy objects. The following topics describe how to create FlexConfig policies and policy objects. For information on other tasks you can perform with FlexConfig policy objects (such as deleting them), see Working with Policy Objects—Basic Procedures.
A FlexConfig Creation Scenario
This scenario takes you through the steps to set up Media Gateway Control Protocol (MGCP) for an ASA device using one of the predefined FlexConfig policy objects that are shipped with Security Manager. MGCP is used by the call agent application to control media gateways (devices that convert telephone circuit audio to data packets). Security Manager does not support MGCP configuration, but you can use a FlexConfig policy object to provide a configuration. This illustrates how FlexConfigs enable you to customize, for your network, what is not otherwise supported in Security Manager.
In this scenario, you do the following:
1. Create a policy object by duplicating an existing policy object.
2. Assign the policy object to a device.
3. Preview the configuration to verify that it is correct.
4. Share the policy object with another device.
5. Deploy the configuration to the devices.
You can use this scenario as an example to implement other features by creating copies of and modifying predefined FlexConfig policy objects or by creating your own objects.
Add two ASA devices to Security Manager for this scenario.
Step 1 Duplicate the FlexConfig policy object by doing the following:
a. Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager).
b. Select FlexConfigs from the table of contents. The table in the right pane lists the existing FlexConfig objects.
c. Right-click ASA_MGCP FlexConfig and select Clone Object. The Add FlexConfig dialog box appears (see Add or Edit FlexConfig Dialog Box).
d. Enter a name for the new FlexConfig object, for this example, MyASA_MGCP.
e. Enter a new group name and a description of the object.
Tip The group name and description are optional. We recommend you establish descriptions and groups for objects you create.
f. Click OK. The new FlexConfig object appears in the list.
Step 2 Duplicate and edit the $callAgentList text object.
The original ASA_MGCP FlexConfig object uses the variable $callAgentList, which is a text object. The text object is read-only and cannot be edited. Duplicating the text object enables you to edit the duplicate object to apply to your network settings.
a. Select Text Objects from the table of contents.
b. Right-click callAgentList and select Clone Object. The Add Text Object dialog box appears.
c. Edit the name of the text object. For this example change it to mycallAgentList.
d. Double-click the first value in column A and enter the IP address for a call agent in your network. For this example, change the value to 10.10.10.10.
e. Double-click the first value in column B and enter the port number for a call agent in your network. For this example, change the value to 105.
f. Change the IP address and port number values for another call agent. For this example, change the IP address to 20.20.20.20 and the port number to 106. Or, if you have only one call agent in your network, you could remove the second row in the table by decreasing the number in the Number of Rows field. Similarly, if you have more than two call agents, you can add rows by increasing the number in this field.
The Number of Columns field works the same way: increase or decrease it to add or remove columns.
g. Click OK. The new text object appears in the list of text objects.
Step 3 Edit the new FlexConfig policy object to use the new variable by doing the following:
a. Select FlexConfigs from the table of contents.
b. Double-click MyASA_MGCP. The Edit FlexConfig dialog box appears.
c. Edit $callAgentList to read $mycallAgentList.
A warning appears that reads: “The following variables are undefined: mycallAgentList Define them now?”
The FlexConfig Undefined Variables dialog box appears with mycallAgentList listed in the Variable Name column.
f. From the Object Type list, select Text Objects. The Text Objects window appears.
g. Select mycallAgentList from the Available Text Objects list and click OK.
h. In the FlexConfig Undefined Variables window, click OK .
The mycallAgentList variable appears in the Variables list of the Edit FlexConfig dialog box.
i. In the Edit FlexConfig dialog box, click OK.
j. Close the Policy Object Manager window.
Step 4 Assign the new FlexConfig policy object to a device by doing the following:
a. From the Device view, select the device for which you want to set up MGCP.
b. Select FlexConfigs from the Policy selector. The FlexConfigs Policy page appears.
c. Click the Add button. The FlexConfigs Selector dialog box appears.
d. Select the new MyASA_MGCP FlexConfig policy object and click >> to add the policy object to the Selected FlexConfigs column.
You can select multiple policy objects at one time by holding the Ctrl key (for multiple individual selections) or the Shift key (for a continuous range) while selecting.
The MyASA_MGCP policy object is added to the Appended FlexConfigs table, because the object is set to be appended to the configuration. You configure FlexConfig policy objects that you want added to the beginning of the configuration as prepended policy objects.
Step 5 Preview the commands before they are generated and sent to the device by doing the following:
a. From the FlexConfigs Policy page, select the MyASA_MGCP policy object.
The commands that are generated with this FlexConfig policy object and the values assigned to the selected device appear. Note the changed values:
Step 6 If you have additional ASA devices that require MGCP, you can share this policy with them by doing the following:
a. Right-click FlexConfigs in the Policy selector and select Share Policy.
The Share Policy dialog box appears.
b. Enter a name for the policy and click OK. For this example, enter MyShared_ASA_MGCP.
The banner above the FlexConfigs policy now shows that the device is using a shared policy and displays the name of the policy.
c. In the FlexConfigs banner, click the link in the Assigned To field. In this example, the link should be labeled 1 Device, which indicates that this shared policy is assigned to one device (the device you are viewing).
Clicking the link opens the Shared Policy Assignments dialog box. Using this dialog box, you can select the other devices that should use this policy in the Available Devices list, and click >> to add them to the list of devices that are assigned the policy.
d. Click OK. The Shared Policy Assignments dialog box closes, and the additional devices you selected are configured to use the shared policy. The link in the banner changes to indicate the number of devices that now use this policy (in this example, 2 Devices).
Tip You can also share policies from Policy view. Select View > Policy View, select FlexConfigs in the policy type selector, select the MyShared_ASA_MGCP policy, click the Assignments tab, select the devices to which you want to assign the policy, click >>, and then click Save.
Step 7 Submit your changes and deploy the configurations to the devices. For information about deploying configurations, see Working with Deployment and the Configuration Archive.
Creating FlexConfig Policy Objects
You can create FlexConfig policy objects to configure features on devices that are not supported by Security Manager. For more information about FlexConfig objects, see Understanding FlexConfig Policies and Policy Objects.
Tip You can also create FlexConfig policy objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.
Ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.
- Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.
- If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, we recommend you not use beginning and ending commands to configure interfaces.
- When editing FlexConfig objects that involve route-maps (for example, OSPF or multicast route-maps), you must define the corresponding access control lists (ACLs) before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, you will get a deployment error.
- A FlexConfig Creation Scenario
- Working with Policy Objects—Basic Procedures
- Creating Policy Objects
- Chapter 5, “Managing Policies”
Step 1 Select Manage > Policy Objects to open the Policy Object Manager window (see Policy Object Manager).
Step 2 Select FlexConfigs from the Policy Object Type selector.
Step 3 Right-click inside the work area and select New Object.
The Add FlexConfig Object dialog box appears (see Add or Edit FlexConfig Dialog Box).
Step 4 Enter a name for the object and optionally a description. Other optional informational fields include:
- Group—Select an existing group name or type in a new one. These names can help you identify the use of an object.
- Negate For—If this FlexConfig object is designed to negate another, enter the name of the FlexConfig object whose commands are undone by this object.
Step 5 In the Type field, select whether commands in the object are to be prepended (put at the beginning) or appended (put at the end) of the configurations generated from Security Manager policies.
Step 6 In the object body area, enter the commands and instructions to produce the desired configuration file output. You can type in the following types of data:
- Scripting commands to control processing. For more information, see Using Scripting Language Instructions.
- CLI commands that are supported by the operating system running on the devices to which you will deploy the FlexConfig policy object. For more information, see Using CLI Commands in FlexConfig Policy Objects.
- Variables. You can insert variables using the right-click menu, which allows you to create simple single-value text variables (Create Text Object), select variables from existing policy objects (Insert Policy Object), or select system variables (Insert System Variable). For more information, see Understanding FlexConfig Object Variables.
Tip If you want to remove a variable, select it in the object body and click the Cut button or press the Backspace or Delete key. When you click OK to save your changes, the variable is removed from the list of variables.
Step 7 Click the Validate FlexConfig icon button above the object body to check the integrity and deployability of the object.
Step 8 Click OK to save the object.
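The following FlexConfig object body is an added example written for this section; it is not taken from the original page or from Cisco. It shows the three kinds of content a body can hold (Velocity scripting commands, device CLI, and variables) and the ACL-before-route-map ordering that the guidelines above require. It assumes an IOS router, two user-defined text objects created through Insert Policy Object > Text Objects, $ospf_pid (dimension 0, the OSPF process ID) and $redist_prefixes (dimension 1, one "network wildcard" entry per row), and that Security Manager exposes a dimension-1 text object to the template as a list, which is what makes .size() and #foreach work on it. The second object is a separate FlexConfig object whose Negate For field names the first; it undoes the commands in reverse order so that nothing is removed while another command still references it.

```velocity
## Object 1: appended FlexConfig object (added example, assumed name OSPF_Redist_Connected)
## Assumed variables: $ospf_pid (dimension 0), $redist_prefixes (dimension 1 list)
## Velocity "##" lines are comments and produce no CLI output.
#if ($redist_prefixes.size() > 0)
## The ACL is emitted first: the route-map below references it, and the device
## rejects a route-map that names an ACL that does not exist yet.
ip access-list standard REDIST_CONNECTED
#foreach ($prefix in $redist_prefixes)
 permit $prefix
#end
route-map REDIST_CONNECTED permit 10
 match ip address REDIST_CONNECTED
router ospf $ospf_pid
 redistribute connected subnets route-map REDIST_CONNECTED
#end

## Object 2: separate appended FlexConfig object with Negate For = OSPF_Redist_Connected
## (added example). Same assumed variables; commands are undone in reverse order.
#if ($redist_prefixes.size() > 0)
router ospf $ospf_pid
 no redistribute connected subnets route-map REDIST_CONNECTED
no route-map REDIST_CONNECTED
no ip access-list standard REDIST_CONNECTED
#end
```

With $ospf_pid set to 10 and $redist_prefixes holding the rows "10.20.0.0 0.0.255.255" and "10.30.0.0 0.0.255.255", Preview for the first object renders the ACL with two permit lines, then the route-map, then the router ospf 10 stanza. If the list is empty, the #if guard suppresses the whole object, so no dangling route-map is deployed. Both objects are assigned to the policy in the order they must be processed; do not put them in the same policy at the same time, since the second exists only to back out the first.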
Add or Edit FlexConfig Dialog Box
Use the Add or Edit FlexConfig dialog box to create or edit FlexConfig policy objects. FlexConfig objects are small programs that allow you to add configuration commands before or after the configurations generated from Security Manager policies, so that you can extend the abilities of the product to configure your devices. You use these policy objects in FlexConfig device or shared policies.
Before creating FlexConfig policy objects, read the sections in Understanding FlexConfig Policies and Policy Objects.
Select Manage > Policy Objects, then select FlexConfigs from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
| Element | Description |
| --- | --- |
| Name | The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects. |
| Group | The name of the group of FlexConfig objects to which this object belongs, if any. You can type in a name, or select an existing name from the list. This field is for informational purposes only, and can help you find a FlexConfig object in the FlexConfig Objects page in the Policy Object Manager. |
| Type | Whether the commands in the object are prepended (put at the beginning) or appended (put at the end) of the configurations generated from Security Manager policies. |
| Negate For | The name of the FlexConfig object whose commands are undone by this FlexConfig object. This field is for informational purposes only and does not affect the processing of the object. For example, if FlexConfig A has the command banner login, and FlexConfig B has the command no banner login, FlexConfig B negates the configuration for FlexConfig A. |
| Object body | The commands and instructions to produce the desired configuration file output. You can type in scripting commands, CLI commands supported by the target devices, and variables, as described in Step 6 of Creating FlexConfig Policy Objects. |
| Cut button | Deletes the highlighted text and copies it to the clipboard. |
| Validate FlexConfig button | Checks the integrity and deployability of the FlexConfig object. |
| Variables table | This table lists the variables that are used in the FlexConfig object. It has the following columns. |
| Name | The name of the variable. Click the cell to edit the name, which also changes the name in the FlexConfig object body. |
| Default Value | The value to use when one is not provided. Click the cell to edit the value for user-defined variables. You cannot edit system-defined variables. Note Except for optional variables, if a default value is not provided, you must provide a value for the variable. |
| Property | The property of the object. The object property name is in the following format: |
| Dimension | The structure of the data in the variable. Possible values are 0 (a single value), 1 (a list of values), or 2 (a table of values); see Add or Edit Text Object Dialog Box. |
| Description | A description of the contents of the object. Click the cell to edit the description. |
Create Text Object Dialog Box
Use the Create Text Object dialog box as a shortcut to create text objects of dimension 0, which are single-value variables, for use in FlexConfig policy objects. Enter the name of the variable and the value to assign to it. When you click OK, the variable is added to the FlexConfig object at the cursor location and it is added to the list of variables for the object.
In the Add or Edit FlexConfig Dialog Box, right-click in the object body field and select Create Text Object.
Tip If you want to create a multiple-value text object, right-click and select Insert Policy Object > Text Objects, and click the Add button under the available objects list. For more information, see Add or Edit Text Object Dialog Box.
Add or Edit Text Object Dialog Box
Use the Add or Edit Text Object dialog box to create, edit, duplicate, and view text objects. Create a text object if you need textual data to be referenced and acted upon by another policy object that accepts text objects.
Text objects are a type of policy object variable. They are a name and value pair, where the value can be a single string, a list of strings, or a table of strings. You can enter any type of textual data to be referenced and acted upon by FlexConfig policies. For more information about FlexConfigs, see Chapter 7, “Managing FlexConfigs”.
Create the variable by first selecting the dimension: a simple single-value variable (dimension 0), a list of values (dimension 1), or a table of values (dimension 2). After you create the desired grid by selecting the dimension and, if applicable, the number of rows and columns, enter the data into each cell by first clicking in the cell.
Select Manage > Policy Objects, then select Text Objects from the Object Type Selector. Right-click inside the work area and select New Object, or right-click a row and select Edit Object.
| Element | Description |
| --- | --- |
| Name | The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects. |
| Description | An optional description of the object (up to 1024 characters). |
| Number of Rows | The number of data rows in the variable if the dimension is 1 or 2. |
| Number of Columns | The number of data columns in the variable if the dimension is 2. |
| Value | The content of the text object. Click the cell and enter the data. |
| Category | The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects. |
| Allow Value Override per Device | Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object. |
FlexConfig Undefined Variables Dialog Box
Use the FlexConfig Undefined Variables dialog box to define variables used in the FlexConfig object that have not yet been defined. You can choose from a list of policy object types or add a new policy object to use.
Each row in the table represents a single undefined variable.
Tip You do not need to define local variables, those used by the scripting language for processing control. For more information about variables, see Understanding FlexConfig Object Variables.
In the Add or Edit FlexConfig Dialog Box, if you enter a variable name but do not define its values, when you click OK, Security Manager displays a warning and asks if you want to define the variables. If you click Yes, this dialog box is opened.
| Element | Description |
| --- | --- |
| Name | The name of the undefined variable that you used in the FlexConfig object. |
| Object Type | The type of policy object that contains the value you want to assign to the variable. For local variables, use the Undefined object type. For variables you want to define, you must select the specific policy object and value within that object to assign to the selected variable. You start by selecting the type of policy object from this list. You are then prompted to select the specific policy object. When you click OK, you are prompted to select the specific property within that object that contains the desired value (see Property Selector Dialog Box). When you select the value on the Property Selector dialog box and click OK, the value is assigned to the variable. |
| Property | The property of the object. For a detailed explanation, see Add or Edit FlexConfig Dialog Box. |
Property Selector Dialog Box
Use the Property Selector dialog box to select the specific property within a selected policy object that you want to assign to a variable within a FlexConfig policy object. The title of the dialog box indicates the type of policy object that you selected (for example, AAA Server Groups Property Selector).
For more information on variables, see Understanding FlexConfig Object Variables.
- In the Add or Edit FlexConfig Dialog Box, right-click and select a specific policy object group type from the Insert Policy Object menu, select a specific policy object when prompted, and click OK.
- In the FlexConfig Undefined Variables Dialog Box, select a policy object type from the Object Type field, select a specific policy object when prompted, and click OK.
Editing FlexConfig Policies
You can assign FlexConfig policies to devices using either Device view or Policy view (for shared policies) by selecting FlexConfigs from the policy selector. You can deploy configurations containing these policies as you would deploy any configuration generated by Security Manager. For a scenario that takes you through setting up a FlexConfig policy object and creating a shared FlexConfig policy, see A FlexConfig Creation Scenario.
When you edit a FlexConfig policy, you can perform the following actions:
- Add FlexConfig objects —To add a FlexConfig object to a policy, click the Add icon button and select the desired object. You can also create new objects from the object selector dialog box. The objects are added to the prepended or appended list depending on how the objects themselves are defined.
- Remove FlexConfig objects —If you no longer want to include an object in the policy, select it and click the Remove icon button. This action removes the object from the policy, but it does not delete the object from Security Manager. For information on deleting objects, see Deleting Objects.
- Change the order of the objects —Objects are processed in the order you specify. If an object depends on the processing of another object, it is important that you order them correctly. Select the object whose order you want to change and click the Up or Down arrow buttons until the object is in the desired location.
When changing the order of FlexConfig objects that involve route-maps (for example, OSPF or multicast route-maps), make sure that the corresponding access control lists (ACLs) are defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, you will get a deployment error.
- Change the values assigned to the variables used in a policy object —If you want to configure a variable with a different value for a particular device, creating a device-level override for the object, select the object and click Values. In the Values Assignment dialog box, click in the Values cell to change the value. For more information, see Values Assignment Dialog Box.
- Preview the CLI that will be generated for a policy object —In Device view, you can view the CLI that will be generated for a policy object by selecting the object and clicking Preview. This is especially useful for checking that the CLI commands generated are what you intend to implement on the device.
Note During deployment, when the FlexConfig policy objects are compiled on the Security Manager server, the correct system variable values and settings are used to generate commands. However, because the Preview function does not have access to these values the way it normally would during deployment, it might not display some CLI commands. In addition, because the Preview function generates CLI commands on the client, some macros used in FlexConfig policy objects reflect client settings instead of server settings.
FlexConfig Policy Page
Use the FlexConfig Policy page to create FlexConfig policies. FlexConfig policies contain ordered lists of FlexConfig policy objects, which are subroutines that allow you to extend the ability of Security Manager to configure your devices. For more information on FlexConfig policy objects, see Understanding FlexConfig Policies and Policy Objects.
- (Device view) Select FlexConfigs from the Policy selector.
- (Policy view) Select FlexConfigs from the Policy Type selector and select an existing policy or click the Create a Policy button to create a new one.
| Element | Description |
| --- | --- |
| Prepended FlexConfigs | The FlexConfig policy objects that are added to the beginning of the configuration. The objects are processed in the order shown. |
| Appended FlexConfigs | The FlexConfig policy objects that are added to the end of the configuration. The objects are processed in the order shown. |
| Values button | Click this button to view, modify, or validate the values assigned to the variables used in the selected FlexConfig policy object using the Values Assignment Dialog Box. |
| Preview button | Click this button to view the CLI commands that will be generated for the selected FlexConfig policy object. In Policy view, you can preview CLI by first clicking Values, selecting a device in the Values Assignment dialog box, and clicking Preview. |
| Up and Down buttons | Click these buttons to move the selected object up or down in the list. The objects are processed in the displayed order, so it is important that an object whose processing depends on the processing of another object comes after the object it depends on. |
| Add button | Click this button to add a FlexConfig policy object to the policy. The object itself defines whether it will be added to the prepended or appended list. You can create new FlexConfig objects or select existing ones. |
| Edit button | Click this button to edit the selected FlexConfig policy object. Your changes affect all devices that use the edited object; your changes are not local policy object overrides for the device. Note If you selected a predefined FlexConfig policy object packaged with Security Manager, or an object for which you do not have edit permission, you are allowed only to view the object definition. |
| Remove button | Click this button to remove the selected object from the policy. The object is not deleted from Security Manager; it is simply removed from the FlexConfig policy. |
Values Assignment Dialog Box
Use the Values Assignment dialog box to view the variables used in a FlexConfig policy object, validate the object, or preview the CLI generated from the object. For more information, see Understanding FlexConfig Object Variables.
Select an object and click Values on the FlexConfig Policy Page.
| Element | Description |
| --- | --- |
| Device | The devices to which the shared FlexConfig policy has been assigned. Select the device for which you want to display variable values. |
| Value | The value to use for the variable. To change the value, double-click the cell. When you change this value, Security Manager creates a device-level override for the policy object. If the policy object is configured so that its values cannot be overridden, you cannot edit the value. If there is no default value for the variable, you must provide a value unless it is an optional variable. |
| Value in object | The value assigned to the variable in the policy object. Double-click this cell to view the definition of the policy object that defines the variable’s value. |
| Override allowed | Whether you can override the value of the variable. You can edit the value of only those variables that have a checkmark in this column. |
| Property | The property of the object. For a detailed explanation, see Add or Edit FlexConfig Dialog Box. |
| Validate button | Click this button to validate the Velocity Template Language syntax and make sure that all required variables have values, that user-defined variables do not start with SYS_, and that referenced policy objects exist. |
| Preview button | Click this button to display the generated CLI commands for the selected FlexConfig policy object. |
FlexConfig Preview Dialog Box
Use the FlexConfig Preview dialog box to view the generated CLI commands based on the variables of the selected object defined in the FlexConfig policy.
To open the FlexConfig Preview dialog box, do one of the following:
- In the Values Assignment Dialog Box, click Preview. In Policy view, you must first select a device.
- (Device view) Select a device and select FlexConfigs from the Policy selector (see FlexConfig Policy Page). Select an object in the FlexConfig policy and click Preview.
Troubleshooting FlexConfigs
Problem: When adding a FlexConfig using the Cisco Security Manager client, you might receive the following error message:
This problem is due to administrator privilege requirements on Microsoft Windows. On Microsoft Windows Vista and Microsoft Windows 7, Security Manager requires administrator privileges in order to use the FlexConfig feature.
Solution: To resolve this issue, launch the Security Manager client with administrator privileges in either of the following ways:
- To launch the Security Manager client with administrator privileges once, right-click the Configuration Manager shortcut and select Run as administrator.
- To permanently enable administrator privileges for the Security Manager client, right-click the Configuration Manager shortcut and select Properties. On the Compatibility tab, select Run this program as an administrator, and then click OK.
Problem: When you use FlexConfigs to deploy the two commands reload in x noconfirm and reload cancel to an ASA firewall in a single job, you receive the following error message:
Deployment always fails in this case because both commands are pushed to the device in quick succession, so reload cancel is sent before the scheduled reload has been activated on the device.
Solution: To work around this problem, put the two commands in separate FlexConfig objects and send them in two separate deployments that you create manually, deploying reload cancel only after the reload schedule is active.