Index
Numerics
12.1 and 12.2
managing routers 60-2
3DES encryption algorithm
in IKE proposals 26-6
802.1x
802.1x Policy page 63-5
defining policies 63-4
interface authorization states 63-2
on Cisco IOS routers 63-1
supported topologies 63-3
understanding device roles 63-2
A
AAA
about 48-1
Cisco IOS routers
AAA Policy page 62-6
Accounting tab 62-10
Authentication tab 62-6
Authorization tab 62-7
Command Accounting dialog box 62-12
Command Authorization dialog box 62-9
defining services 62-4
overview 62-2
supported accounting types 62-3
supported authorization types 62-2
understanding method lists 62-3
configuring access control for IPS 36-21
configuring on firewall devices 48-1
credentials for device access 3-4
device administration 48-4
local fallback 48-3
network access 48-4
PIX/ASA/FWSM 48-5
Accounting tab 48-7
Authentication tab 48-5
Authorization tab 48-6
support 48-2
VPN access 48-4
AAA authentication groups
predefined 6-28
AAA firewall
MAC exempt lists 15-26
AAA Firewall page
Advanced Setting tab 15-20
AAA firewall policy
advanced settings 15-20
configuring 15-6
AAA page 15-28
AAA rules
ACL naming conventions 12-5
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring AAA firewall settings (PIX/ASA/FWSM) 15-6
configuring AuthProxy settings (IOS) 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring in Map view 35-23
configuring security group aware 14-16
configuring settings
for IOS devices in Map view 35-24
for PIX/ASA/FWSM in Map view 35-24
converting IPv4 12-28
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
managing 15-1
moving 12-19
preserving ACL names 12-4
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
understanding NAT effects 12-3
understanding processing order 12-2
AAA Rules page 15-10
AAA server group objects
attributes 6-47
creating 6-46
default server groups on IOS devices 6-29
predefined authentication groups 6-28
understanding 6-25
AAA server objects
creating 6-30
HTTP-FORM settings 6-42
Kerberos settings 6-37
LDAP settings 6-38
NT settings 6-41
RADIUS settings 6-33
SDI settings 6-41
supported additional types for ASA/PIX/FWSM 6-27
supported types 6-26
TACACS+ settings 6-36
understanding 6-25
AAA servers
supported types on ASA, PIX, FWSM devices 6-27
Abort the Job dialog box 8-53
About Configuration Manager command 1-38
ABR
definition 55-49
access control list objects
creating 6-51
extended objects 6-51
standard objects 6-53
unified objects 6-56
web objects 6-54
access control lists
GET VPN security policies 29-10
policy discovery 5-14
access control lists (ACLs)
names preserved during discovery 12-4
naming conventions 12-5
resolving naming conflicts 12-6
access controls
configuring ACL names 16-21
configuring settings 16-21
configuring settings in Map view 35-24
Access Control Settings page 16-22
Access Group tab (IGMP) 54-5
Access Interface Configuration dialog box (ASA) 31-44
access permissions
Event Viewer 68-4
Health and Performance Monitor 70-3
maps 35-8
Report Manager 69-5
access policies
configuring 31-45
reference 31-41
understanding 31-40
access ports
Create and Edit Interface dialog boxes-Access Port mode 67-9
understanding 67-5
access rule
look up
from device managers 71-24
access rules
access control settings 16-22, 16-24
Access Rules page 16-9
ACL naming conventions 12-5
address requirements 16-5
Advanced dialog box 16-16
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring 16-7
configuring access control settings 16-21
configuring identity aware 13-21
configuring in Map view 35-23
configuring security group aware 14-16
controlling non-IP layer-2 traffic 23-1
deleting 12-9
detecting conflicts 16-26
disabling 12-20
editing 12-10
enabling 12-20
examples of event analysis
user access to server blocked 68-56
expiration dates 16-20
finding from CS-MARS events 71-52
finding from Event Viewer events 68-51
generating analysis reports 16-32
hit counts
details 16-34
how deployed 16-5
identity-aware rules
requirements 13-3
import examples 16-42
importing 16-38
IPS blocking, effect of 43-4
managing 16-1
moving 12-19
optimizing during deployment 16-44
packet tracer, analyzing with 71-30
preserving ACL names 12-4
Report Manager reports
firewall traffic reports 69-14
resolving conflicts 16-32
rule attributes 16-13
sharing ACLs among interfaces 11-18
syslog messages supported for look-up 71-53
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding NAT effects 12-3
understanding processing order 12-2
understanding requirements when using inspection 17-4
understanding the automatic conflict detection user interface 16-28
viewing related CS-MARS events 71-49
viewing related events in Event Viewer 68-53
Accounting
Cisco IOS routers
settings 62-10
accounts and credentials
Cisco IOS routers
overview 62-13
PIX/ASA/FWSM
user accounts 51-6
user accounts, add/edit 51-7
accounts and credentials policies
Accounts and Credentials Policy page 62-15
User Accounts dialog box 62-17
ACLs
configuring names 16-21
ACS user authorization
configuring notifications when unavailable 1-26
Event Viewer 68-4
Health and Performance Monitor 70-3
how permissions affect what you can do 1-10
Report Manager 69-5
Active/Active failover
about 50-2
command replication 50-4
configuration synchronization 50-3
Active/Standby failover 50-2
Active Directory (AD)
collecting user statistics 13-25
configuring agent communication options 13-15
enabling for identity-aware firewall 13-8
identifying AD servers and agents 11-36, 13-8
requirements for identity-aware firewall 13-3
activities
accessing functions 4-8, 4-9
Activity Manager window 4-10
Approved state 4-5
approving 4-3, 4-21
benefits of 4-2
closing 4-16
creating 4-14
discarding 4-22
Edit state 4-4
locking 4-3
managing 4-1
multiple users 4-4
opening 4-15
overview 1-19
rejecting 4-21
responding to the Activity Required dialog box 4-14
states 4-4
Submitted state 4-5
submitting for approval 4-20
understanding 4-1
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Activities command 1-33
Activities menu 1-35
Activity Manager window 4-10
Activity Required dialog box 4-14
Add/Edit Action Configuration dialog box 53-7
Add/Edit AnyConnect Client Image dialog box (ASA) 31-60
Add/Edit AnyConnect Custom Attributes dialog box (ASA) 31-64, 31-65, 31-66
Add/Edit Applet dialog box 53-4
Add/Edit Collector dialog box 53-2
Add/Edit Content Rewrite dialog box (ASA) 31-49
Add/Edit DAP Entry Dialog Box > Device 32-28
Add/Edit File Encoding dialog box 31-50
Add/Edit Multicast Route dialog box 54-8, 54-10
description 54-9
Add/Edit PIM Neighbor Filter dialog box 54-13
Add/Edit Proxy Bypass dialog box 31-54
Add/Edit Syslog Configuration dialog box 53-6
Add AAA Rule dialog box 15-13
Add AAA Server dialog box 6-31
Add AAA Server Group dialog box 6-47
Add Access List dialog box (Allowed Hosts policy) 36-7
Add Access Rule dialog box 16-13
Add an Entry dialog box 39-30
Add AOL Class Map dialog box 17-26, 21-18
Add A Port Forwarding Entry dialog box 34-37
Add ASA Group Policies dialog box
client configuration settings 34-4
client firewall attributes 34-5
connection settings 34-29
DNS/WINS settings 34-26, 34-27
hardware client attributes 34-7
IPSec settings 34-8
overview 34-1
split tunneling settings 34-28
SSL VPN clientless settings 34-10
SSL VPN full client settings 34-17
SSL VPN settings 34-21
Technology settings 34-1
Add A Smart Tunnel Entry dialog box 34-63, 34-66
Add AS Path Entry dialog box 55-126
Add AS Path Object dialog box 55-125
Add Auto Signon Rules dialog box 34-23
Add Cat6k Block Vlan dialog box 43-16
Add Certificate dialog box 11-24
Add Certificate Filter dialog box 25-56
Add Cisco Secure Desktop Configuration dialog box 34-31
Add Client Access Rules dialog box 34-10
Add Client Update dialog box 34-77
Add Column dialog box 34-57
Add Community List Entry dialog box 55-128
Add Community List Object dialog box 55-127
Add Custom Pane dialog box 34-57
Add Custom Signature dialog box 39-15
Add DCE/RPC Map dialog box 17-28
Add Destinations dialog box 12-11
Add Device from Network wizard
Device Credentials page 3-44
Add Devices to Group command 1-30
Add Devices to Group dialog box 3-61
Add DNS Class Map dialog box 17-26
Add DNS Map dialog box
Filtering tab 17-31
overview 17-29
Protocol Conformance tab 17-30
Add eDonkey Class Map dialog box 17-26, 21-18
Add ESMTP Map dialog box 17-35
Add Extended Access Control Entry dialog box 6-58
Add Extended Access List dialog box 6-57
Add External Filter dialog box 21-41
Add FastTrack Class Map dialog box 17-26, 21-18
Add File Object dialog box 34-33
Add FlexConfig dialog box 7-30
Add FTP Class Map dialog box 17-26
Add FTP Map dialog box 17-38
Add Gnutella Class Map dialog box 17-26, 21-18
Add Group dialog box 3-60
Add Group Member dialog box 29-19
Add GTP Map dialog box 17-41
Add H.323 Class Map dialog box 17-26, 21-18
Add H.323 Map dialog box 17-46, 21-34
Add HSI Endpoint IP Address dialog box 17-49
Add HSI Group dialog box 17-48
Add HTTP Class Map dialog box 17-26, 21-18
Add HTTP Map dialog box 21-34
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-53
Extension Request Method tab 17-56
General tab 17-52
overview 17-51
Port Misuse tab 17-57
RFC Request Method tab 17-55
Transfer Encoding tab 17-58
ASA 7.2+ and PIX 7.2+ devices 17-59
Add ICQ Class Map dialog box 17-26, 21-18
Add IKEv1 Proposal dialog box 26-10
Add IKEv2 Proposal dialog box 26-13
Add IMAP Class Map dialog box 17-26, 21-18
Add IMAP Map dialog box 21-34
Add IM Class Map dialog box 17-26
Add IM Map dialog box 21-34
ASA and PIX device 17-65
IOS device 17-68
Add Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
Add Inspect Parameter Map dialog box 21-30
Add Interfaces dialog box 12-13
Add IP Options Map dialog box 17-69
Add IPsec Pass Through Map dialog box 17-75
Add IPSec Transform Set dialog box 26-25
Add IPv4 Pool Object dialog box 6-85
Add IPv6 Map dialog box 17-72
Add IPv6 Pool Object dialog box 6-86
Add Kazaa2 Class Map dialog box 17-26, 21-18
Add Key Server dialog box 29-19
Add Language dialog box 34-52
Add LDAP Attribute Map dialog box 6-44
Add LDAP Attribute Map Value dialog box 6-45
Add Link command 1-32
Add Link dialog box 35-20
Add Local Rules command 1-31
Add Local Web Filter Class Map dialog box 17-26, 21-18
Add Local Web Filter Parameter Map dialog box 21-38
Add MAC Address Pool Object dialog box 6-87
Add Map Object command 1-32
Add Map Object dialog box 35-17
Add Map Value dialog box 6-45
Add Match Condition and Action dialog box
DNS policy maps 17-32
ESMTP policy maps 17-36
FTP policy maps 17-39
GTP policy maps 17-44
H.323 (IOS) policy maps 21-35
H.323 policy maps 17-49
HTTP (Zone Based IOS) policy maps 21-35
HTTP policy maps 17-60
IM (Zone Based IOS) policy maps 21-35
IMAP policy maps 21-35
IM policy maps 17-66
IPv6 policy maps 17-73
P2P policy maps 21-35
POP3 policy maps 21-35
SIP (IOS) policy maps 21-35
SIP policy maps 17-80
Skinny policy maps 17-84
SMTP policy maps 21-35
Sun RPC policy maps 21-35
Web Filter policy maps 21-35
Add Match Criterion dialog box
AOL class maps 21-21
DNS class maps 17-32
eDonkey class maps 21-21
FastTrack class maps 21-21
FTP class maps 17-39
Gnutella class maps 21-21
H.323 (IOS) class maps 21-22
H.323 class maps 17-49
HTTP (IOS) class maps 21-22
HTTP class maps 17-60
ICQ class maps 21-21
IMAP class maps 21-24
IM class maps 17-66
Kazaa2 class maps 21-21
Local Web Filter class maps 21-29
MSN Messenger class maps 21-21
N2H2 class maps 21-30
POP3 class maps 21-24
SIP (IOS) class maps 21-25
SIP class maps 17-80
SMTP class maps 21-26
Sun RPC class maps 21-29
Websense class maps 21-30
Windows Messenger class maps 21-21
Yahoo Messenger class maps 21-21
Add MSN Messenger Class Map dialog box 17-26, 21-18
Add N2H2 Parameter Map dialog box 21-39
Add N2H2 Web Filter Class Map dialog box 17-26, 21-18
Add NAT Rule dialog box
ASA 8.3+ 24-36
Add NetBIOS Map dialog box 17-76
Add Network/Host dialog box
General tab 6-79
NAT tab 24-42
Add New Device wizard
Device Credentials page 3-44
Add New Security Association dialog box 25-57
Add or Edit Plug-in Entry dialog box (ASA) 31-55
Add Other Devices dialog box 8-56
Add P2P Map dialog box 21-34
Add Permit Response dialog box 17-43
Add Per-Session NAT Rule dialog box 24-47
Add PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Add PKI Enrollment dialog box
CA Information tab 26-57
Certificate Subject Name tab 26-62
Enrollment Parameters tab 26-60
overview 26-55
Trusted CA Hierarchy tab 26-63
Add Policy List Object dialog box 55-117
Add POP3 Class Map dialog box 17-26, 21-18
Add Port Forwarding List dialog box 34-36
Add Port List dialog box 6-89
Add Prefix List Entry dialog box 55-122, 55-124
Add Prefix List Object dialog box 55-120, 55-122
Add Protocol Info Parameter Map dialog box 21-33
Add Regular Expression dialog box 17-87
Add Regular Expression Group dialog box 17-86
Address Pools
PIX/ASA/FWSM 24-18
add/edit 24-18
address pools
overriding in connection profiles 30-8
Add Route Map Entry dialog box 55-111
Add Route Map Object dialog box 55-110
Add Row command 1-30
Add Rule Section dialog box 12-22
Add Server dialog box
Protocol Info Parameter maps 21-34
Add Service dialog box 6-91
Add Services dialog box 12-13
Add Single Sign On Server dialog boxes 34-38
Add SIP Class Map dialog box 17-26, 21-18
Add SIP Map dialog box 17-78, 21-34
Add Skinny Map dialog box 17-82
Add SLA Monitor dialog box 51-9
Add Smart Tunnel Auto Signon Entry dialog box 34-68
Add Smart Tunnel Auto Signon Lists dialog box 34-67
Add Smart Tunnel Lists dialog box 34-62, 34-65
Add SMTP Class Map dialog box 17-26, 21-18
Add SMTP Map dialog box 21-34
Add SNMP Map dialog box 17-85
Add Sources dialog box 12-11
Add SSL VPN Customization dialog box 34-47
Applications 34-56
Copyright Panel 34-54
Custom Panes 34-56
Full Customization 34-55
Home Page 34-58
Informational Panel 34-53
Language 34-50
Logon Form 34-52
Logout Page 34-59
Title Panel 34-49
Toolbar 34-55
Add SSL VPN Gateway dialog box 34-60
Add Standard Access Control Entry dialog box 6-61
Add Standard Access List dialog box 6-57
Add Sun RPC Class Map dialog box 17-26, 21-18
Add Sun RPC Map dialog box 21-34
Add TCP Map dialog box 57-21
Add TCP Option Range Dialog Box 57-23
Add Text Object dialog box 7-32
Add Time Range dialog box 6-68
Add Traffic Flow dialog box 57-17
Add Transparent Firewall Rule dialog box 23-5
Add Trend Content Filter Class Map dialog box 17-26, 21-18
Add Trend Parameter Map dialog box 21-42
Add Unified Access Control Entry dialog box 6-64
Add URL Domain Name dialog box 21-45
Add URLF Glob Parameter Map dialog box 21-45
Add URL Filter Parameter Map dialog box 21-43
Add User dialog box 12-12, 36-19
Add User Group dialog box
Advanced PIX 6.3 settings 34-78
Browser Proxy settings 34-83
Client (IOS) settings 34-74
Clientless settings 34-79
Client VPN Software Update (IOS) settings 34-77
DNS/WINS settings 34-73
General settings 34-71
IOS Xauth Options settings 34-76
overview 34-69
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 34-73
SSL VPN Connection settings 34-84
SSL VPN Full Tunnel settings 34-80
SSL VPN Split Tunneling settings 34-82
Technology settings 34-69
Thin Client settings 34-80
Add User Profile dialog box 43-12
Add VDI Server dialog box 34-13
Add Virtual Sensor dialog box 38-7, 38-8
Add Web Access Control Entry dialog box 6-62
Add Web Filter Map dialog box 21-47
Add WebSense Parameter Map dialog box 21-39
Add Websense Web Filter Class Map dialog box 17-26, 21-18
Add Web Type Access List dialog box 6-57
Add Windows Messenger Class Map dialog box 17-26, 21-18
Add WINS Server dialog box 34-86
Add WINS Server List dialog box 34-85
Add Yahoo Messenger Class Map dialog box 17-26, 21-18
Add Zones dialog box 12-13
admin context 58-1
administration
selecting policies to manage 5-11
administrative settings, configuring 11-1
admin password, changing 10-24
ADSL
ADSL Policy page 61-36
ADSL Settings dialog box 61-37
defining settings 61-35
supported operating modes 61-34
ADSL policies
unable to deploy 9-15
Advanced dialog box
access rules 16-16
Advanced NAT Options
PIX/ASA/FWSM
add/edit 24-29
Advanced settings
interface configuration
PIX/ASA/FWSM 46-51
AES encryption algorithm
in IKE proposals 26-6
AIM-IPS interfaces
IPS Module Interface Settings page 61-22
AIP-SSM/SSC
ASA 57-14
Alarm Indication Signal (AIS) cells 61-50
allowed hosts, configuring for IPS 36-7
Allowed Hosts policy 36-7
Analysis Engine global variables
configuring 36-30
analysis reports
generating 16-32
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
zones
overview 41-3
anti-spoofing 56-2
AnyConnect
client images 31-57, 31-58
profiles 31-57, 31-58
editing 31-58
AnyConnect Client Image dialog box (ASA) 31-58
AnyConnect custom attributes 31-64, 31-65, 31-66
AnyConnect Profile Editor 31-58
AOL class map objects
creating 21-16
match criteria 21-21
applet
embedded event manager 53-3
Apply IPS Update command 1-34
Apply IPS Update wizard 44-7
Approve Activity command 1-35
Approve Activity dialog box 4-21
Approved activity state 4-5
Approve Deployment Job dialog box 8-20, 8-38
Area Border Router
See ABR 55-49
ARP
PIX/ASA/FWSM
configuration 47-4
inspection 47-5
inspection, enable/disable 47-6
table 47-3
ARP table
static entry 47-3, 47-4
ASA
ASDM 71-22
CX 57-15
Auth Proxy Configuration 57-16
CX module
detecting 71-28
Failover
Add Failover Group 50-24
edit bridge group 50-16
FirePOWER module
detecting 71-28
IPS, QoS, and Connection Rules
ASA CX Auth Proxy Configuration 57-16
IPS modules 57-14
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-67
rollback command conflicts 8-66
rollback restrictions for failover devices 8-63
rollback restrictions for multiple context mode 8-63
security contexts
allocate interfaces 58-11
configuration 58-9
viewing allocated interfaces 58-11
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
TCP State Bypass 57-3
ASA 5505
Management IPv6 47-10
ports and interfaces 46-6
ASA 8.3+
NAT policies
Add/Edit NAT rules dialog boxes 24-36
Translation Rules page 24-33
ASA Cluster Load Balance page 31-5
ASA CX
CX
about 57-15
ASA devices
5505
hardware port configuration 46-48
AAA support 6-27
about 46-1
adding or changing modules 3-39
adding SSL thumbprints manually 9-4
Bridge Groups
add/edit 46-50
Catalyst Service Module 46-1
changing those selected for reports 69-22
configuring for event management 68-26
configuring for report management 69-3
configuring IKE and IPsec policies 26-1
configuring IKEv2 authentication 26-64
configuring transparent firewall rules 23-1
Easy VPNs
connection profiles 28-13
Event Viewer support 68-4
FlexConfig object samples 7-20
global access rules 16-3
identity-aware services
configuring to provide 13-7, 14-8
interfaces 46-21
add/edit 46-26
Advanced tab 46-34
configuring 46-3
edit EtherChannel-assigned interface 46-11
EtherChannels 46-9, 46-13
General tab 46-27
IP Type 46-45
IPv6 46-38, 46-55
IPv6, add/edit 46-42
IPv6, add/edit prefixes 46-43
LACP 46-11
MAC address 46-47
PPPoE Users 46-53
VPDN groups 46-54
licenses 2-11
monitoring service level agreements 51-7
object group search 16-24
packet capture, using 71-36
packet tracer, using 71-30
remote access SSL VPNs
advanced settings 31-66
AnyConnect client settings 31-57, 31-58
browser plug-ins 31-55
configuring HTTP/HTTPS proxies and proxy bypass 31-52
content rewrite rules 31-48
encoding rules 31-50
Kerberos Constrained Delegation (KCD) 31-61, 31-63
other settings 31-46
performance settings 31-47
server certificate verification settings 31-26, 31-27, 31-29, 31-67
shared license 31-68
shared license clients (ASA) 31-70
shared license servers (ASA) 31-71
remote access VPNs
access policies (ASA), configuring 31-45
access policies (ASA), reference 31-41
access policies (ASA), understanding 31-40
AnyConnect client image settings (ASA) 31-60
AnyConnect custom attributes (ASA) 31-64, 31-65, 31-66
certificate to connection profile map policy (IKEv1) 31-33
certificate to connection profile map rules (IKEv1 IPSec) 31-33
cluster load balancing 31-4, 31-5
configuring bookmarks 31-76
configuring portal appearance 31-72
configuring WINS servers for file system access 31-82
connection profiles 31-6, 31-8
creating IPSec 30-24
creating SSL 30-14
customizing 31-71
device support 30-8
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-10
fragmentation settings 26-30, 26-41
group policies, configuring 31-23
group policies, creating 31-25
group policies, understanding 31-24
IKE proposals 26-9
IKEv2 settings 26-35
IPsec proposals 31-37
ISAKMP/IPsec settings 26-31
managing 31-1
NAT settings 26-39
policy overview 31-2
post URL method and macro substitutions in bookmarks 31-78
proxy bypass rules (ASA) 31-54
Public Key Infrastructure (PKI) 26-54
secure desktop manager policies 32-9
smart tunnels 31-79
understanding IKE 26-5
understanding NAT settings 26-38
wizard 30-13
Report Manager reports
firewall summary botnet reports 69-15
firewall traffic reports 69-14
general VPN reports 69-16
VPN top reports 69-16
selecting for Event Viewer 68-32
selecting policy types to manage 5-11
SSL certificate configuration 11-22
ASA group policies objects
client configuration settings 34-4
client firewall attributes 34-5
connection settings 34-29
DNS/WINS settings 34-26, 34-27
hardware client attributes 34-7
IPSec settings 34-8
split tunneling settings 34-28
SSL VPN clientless settings 34-10
SSL VPN full client settings 34-17
SSL VPN settings 34-21
technology settings 34-1
ASA Image Management 72-15, 72-32
ASAv
about 46-1
ASBR
definition 55-49
ASCII limitations for text 1-49
ASDM
access rule look-up 71-25
device manager 71-22
AS path objects
properties 55-125
ASR
zone-based firewall
global parameters 21-50
restrictions 21-3
assignment overview 1-19
Assignments tab, Policy view 5-53
Assign Shared Policy command 1-31
Assign Shared Policy dialog box 5-43
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 61-33
Asymmetric Routing Groups 46-5
Asynchronous Transfer Mode (ATM) 61-46
ATM 61-46
virtual channel connections (VCCs) 61-46
virtual channel identifier (VCI) 61-46
virtual path connections (VPCs) 61-46
virtual path identifier (VPI) 61-46
Attack Response Controller 43-1
attacks
broadcast 17-4
Denial of Service (DoS) 17-4
spoofing 17-4
SYN flooding 17-4
audit logs
configuring default settings 11-59
purging entries 10-23
understanding 10-19
working with 10-19
Audit Message Detail dialog box 10-21
Audit Report command 1-33
audit reports
generating and viewing 10-20
understanding 10-19
working with 10-19
Audit Report window 10-21
AUS
deploying configurations 8-41
deployment method 8-10
setting up 2-7
setting up on PIX Firewall and ASA devices 2-8
Authentication
Cisco IOS routers
settings 62-6
authentication
routing protocols 55-49
Authentication-Authorization-Accounting
see AAA 48-1
Authentication Header (AH) encryption algorithm 26-29
authentication methods
certificates (RSA signatures) 26-8
in IKE proposals 26-8
preshared keys 26-8
authentication testing
SSH 2-5
Authorization
Cisco IOS routers
settings 62-7
authorization proxy (AuthProxy)
configuring AAA rules 15-7
AuthProxy
configuring settings in Map view 35-24
Auth Proxy Configuration
ASA CX 57-16
AuthProxy dialog box 15-19
AuthProxy settings policy
configuring 15-9
autolink
omitting reserved networks from maps 11-3
automatic conflict detection
resolving conflicts 16-32
understanding 16-26
understanding the user interface 16-28
using 16-26
autonomous system paths
See AS paths
auto signon rules
ASA group policy objects 34-23
Auto Update Server (AUS)
adding 3-35
licensing 10-17
PIX/ASA/FWSM 52-1
add/edit server 52-3
troubleshooting deployment 9-18
Auto Update Server Properties dialog box 3-36
Available Bit Rate (ABR) 61-47
Available Servers dialog box 3-38
B
background image, map
deleting 35-13
importing 35-13
scale and position 35-13
setting 35-13
backup
event data store 68-33
backup.pl command 10-25
Backup command 1-34
backups, Security Manager database 10-25
bandwidth
VPN user reports 69-16
banners
configuring on firewall devices 48-9
benefits of product 1-2
BGP routing
BGP Routing Policy page 66-4
defining routes 66-2
Neighbors dialog box 66-6
on Cisco IOS routers 66-1
PIX/ASA/FWSM 55-2, 55-3
General tab 55-5
IPv4 Family - Aggregate Address configuration 55-9, 55-22
IPv4 Family - Filter configuration 55-10
IPv4 Family - General tab 55-7, 55-21
IPv4 Family - Neighbor configuration 55-11, 55-24
IPv4 Family - Network configuration 55-17, 55-29
IPv4 Family - Redistribution configuration 55-18, 55-30
IPv4 Family - Route Injection configuration 55-19, 55-31
IPv4 Family tab 55-6, 55-20
redistributing routes 66-3
Redistribution Mapping dialog box 66-7
Redistribution tab 66-6
Setup tab 66-4
Bidirectional Neighbor Filter 54-14
Bidirectional Neighbor Filter tab
PIM 54-13
blocking, IPS
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
Blocking page 43-8
Boot image/configuration
PIX/ASA 48-9
add/edit 48-11
bootstrap configuration
Failover 50-26
Botnet Traffic Filter Drop Rules Editor 19-13
botnet traffic filter rules
adding static entries 19-5
blocking blacklisted traffic 19-6
configuring DNS snooping 17-18
configuring in Map view 35-23
configuring the dynamic database 19-4
configuring with IPS global correlation 42-1
databases 19-1
Device Blacklist dialog box 19-15
Device Whitelist dialog box 19-15
Drop Rules Editor 19-13
Dynamic Blacklist Configuration tab 19-10
enabling DNS snooping 19-6
field definitions 19-9
illustrations 19-1
mitigating botnet activity 68-62
monitoring
activity using ASDM 68-61
activity using Event Viewer 68-59, 68-61
overview 68-58
understanding botnet syslog events 68-58
overview 19-1
preserving ACL names 12-4
Report Manager reports
firewall summary botnet reports 69-15
task flow 19-2
traffic classification 19-6
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
understanding 19-1
understanding NAT effects 12-3
understanding processing order 12-2
Whitelist/Blacklist tab 19-14
bridge group
failover
editing 50-16
Bridge Groups
ASA/FWSM
add/edit 46-50
bridge groups
defining 62-19
FWSM 3.1 47-3
Bridging
ASA 5505
Management IPv6 47-10
PIX/ASA/FWSM
ARP configuration 47-4
ARP Inspection 47-5
ARP Inspection, enable/disable 47-6
ARP Table 47-3
MAC Address, add/edit 47-8
MAC Address Table 47-7
MAC Learning 47-8
MAC Learning, enable/disable 47-9
Management IP address 47-10
bridging
Cisco IOS routers
Bridge Group dialog box 62-21
Bridging Policy page 62-20
BVI interfaces 62-18
overview 62-18
configuring transparent firewall rules 23-1
PIX/ASA/FWSM
about 47-1
configuring on 47-1
broadcast attacks, preventing 17-4
broadcasts
enabling directed on routers 61-20
browser plug-ins
configuring 31-55
Bundles 72-13
bypass mode
configuring for IPS 37-12
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 26-49
Cat6k Device dialog box 43-14
Catalyst 6500/7600 devices
configuring FWSM in site-to-site VPNs 25-46
configuring SSH 2-6
default transport protocol 11-22
deployment 8-28
FlexConfig object samples 7-22
IPS blocking devices 43-4
policy discovery for FWSM 5-13
rollback restrictions 8-64
Service Modules 46-1
Catalyst 6500/7600 switches
including in deployment jobs 8-27
Catalyst devices
policy discovery 5-13
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings 33-7
high availability 33-11
IPsec proposals 33-4
user group policies 33-13
VPNSM/VPN SPA/VSPA settings 33-6
Catalyst platform policies
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes 67-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 67-49
IDSM Settings page 67-47
IDSM Slot-Port Selector dialog box 67-50
interfaces/VLANs policy
Access Port Selector dialog box 67-30
Create and Edit Interface dialog boxes-Access Port mode 67-9
Create and Edit Interface dialog boxes-Dynamic Port mode 67-18
Create and Edit Interface dialog boxes-Other mode 67-24
Create and Edit Interface dialog boxes-Routed Port mode 67-12
Create and Edit Interface dialog boxes-subinterfaces 67-22
Create and Edit Interface dialog boxes-Trunk Port mode 67-14
Create and Edit VLAN dialog boxes 67-28
Create and Edit VLAN Group dialog boxes 67-34
Interfaces tab 67-7
Service Module Slot Selector dialog box 67-35
Summary tab 67-3
Trunk Port Selector dialog box 67-31
VLAN Groups tab 67-33
VLAN Selector dialog box 67-35
VLANs tab 67-27
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes 67-41
Create and Edit VLAN ACL dialog boxes 67-41
VLAN Access Lists page 67-39
Catalyst Summary Info command 1-34
Catalyst switches
configuring SSH 2-6
default transport protocol 11-22
showing modules, security contexts, and virtual sensors 3-54
Catalyst switches/7600 routers
troubleshooting deployment 9-15
Catalyst switches and 7600 devices
IDSM mode support 67-43
interface deployment failure 9-16
internal VLAN deployment failure 9-16
supported VTP modes 67-1
Catalyst switches and 7600 Series routers
access ports 67-5
Catalyst Summary Info page 67-2
defining IDSM Data Port VLANs 67-46
defining IDSM EtherChannel VLANs 67-44
defining ports 67-5
defining VACLs 67-37
defining VLAN groups 67-32
defining VLANs 67-26
deleting IDSM Data Port VLANs 67-47
deleting IDSM EtherChannel VLANs 67-45
deleting ports 67-7
deleting VACLs 67-38
deleting VLAN groups 67-33
deleting VLANs 67-27
discovering policies 67-1
generating interface names 67-6
IDSM settings 67-43
IDSM Settings page 67-47
interfaces 67-5
managing 67-1
routed ports 67-5
trunk ports 67-5
viewing interface and VLAN summary 67-3
VLAN Access Lists page 67-39
VLAN ACLs (VACLs) 67-36
VLAN groups 67-31
VLANs 67-25
Catalyst VPN Service Port Adapters (VSPAs)
configuring 25-41
Catalyst VPN Services Module (VPNSM)
configuring 25-41
configuring in remote access VPNs 33-6
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring 25-41
configuring in remote access VPNs 33-6
categories
using 6-13
cautions
significance of iii-lxi
CCO settings 11-4
CDP
configuring mode for IPS 37-12
CEF Interface Settings dialog box 61-26
CEF interface settings policies 61-24
certificates
accepting 11-4, 11-49
retrieving 11-4, 11-49
viewing 11-4, 11-49
certificates, SSL
adding thumbprints manually 9-4
configuring default settings for how handled 11-22
managing IPS 44-10
certificates for ASA image downloads 11-4
certificates for IPS package downloads 11-49
certificate to connection profile map policies
configuring policy 31-33
configuring rules 31-33
certificate trust management 11-4, 11-49
Change Report dialog box 4-18
change reports
selecting session in non-Workflow mode 4-18
viewing 4-16
Change Reports command 1-33
Checkpoint migration
configuring object group search on ASA 8.3+ devices 16-24
Choose a file dialog box 34-35
Cisco 7600 Series routers
managing 67-1
Cisco AnyConnect Profile Editor 31-58
Cisco Configuration Engine
troubleshooting device setup and deployment 9-18
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces 61-18
Cisco Express Forwarding (CEF)
CEF Interface Settings policy 61-25
CEF router interface settings policies 61-24
importance for QoS 65-2
Cisco IOS IPS
effect of load balancing 45-8
configuration files 45-3
configuration overview 45-4
configuring 45-1
configuring general settings 45-7
configuring interface rules 45-9
getting started 36-1
initial preparation of router 45-5
lightweight signature engines 45-2
limitations and restrictions 45-3
selecting signature category 45-6
understanding 45-1
understanding subsystems and revisions 45-2
Cisco IOS Routers
configuring IOS IPS 45-1
IPS blocking devices 43-4
Cisco IOS routers
802.1x 63-1
AAA 62-2
accounts and credentials 62-13
ADSL 61-33
advanced interface settings 61-13
available interface types 61-2
basic interface settings 61-1
BGP routing 66-1
CNS call-home mode 2-9
CNS event-bus mode 2-8
configuring SSH 2-6
CPU settings 62-25
default AAA server groups 6-29
deploying configurations using TMS 8-42
dialer interfaces 61-27
discovering policies 60-3
Domain Name System (DNS) 62-74
Dynamic Host Configuration Protocol (DHCP) 62-87
EIGRP routing 66-8
host and domain names 62-77
HTTP 62-28
interface deployment failure 9-14
IOS 12.1 and 12.2 60-2
licenses 2-12
line access 62-35
managing 60-1
memory settings 62-78
NAT 24-5
designating interfaces 24-6
dynamic rules 24-10
static rules 24-6
timeouts 24-13
NetFlow 64-1, 64-5, 64-12
Network Admission Control (NAC) 63-8
Network Time Protocol (NTP) 62-96
optional SSH settings 62-63
OSPF routing 66-19
permanent virtual connections (PVCs) 61-46
platform policies 60-1
Point-to-Point Protocol (PPP) 61-70
policy discovery 5-13
quality of service (QoS) 65-1
RIP routing 66-42
Secure Device Provisioning (SDP) 62-81
setting up SSL (HTTPS) 2-4
SHDSL 61-40
SNMP 62-66
static routing 66-50
syslog logging 64-1
time zone settings 62-22
transparent bridging 62-18
Cisco IOS Software
FlexConfig object samples 7-22
selecting policy types to manage 5-11
Cisco Prime Security Manager
see PRSM 71-27, 71-28
Cisco Secure Desktop configuration objects
creating 33-18
Cisco Security Management Suite server
logging into or exiting 1-11
Cisco Technical Assistance Center
creating diagnostic file 10-28
generating data 10-28
generating deployment or discovery status reports 10-30
generating partial database backup 10-30
Cisco Trust Agent (CTA) 63-9
CiscoWorks Common Services
backing up and restoring Security Manager 10-24
logging into or exiting 1-11
CiscoWorks user authorization, effect on what you can do 1-10
Class-Based Policing 65-6
class maps
understanding 6-74
Clear Connection Configuration dialog box 15-25
clear xlate
PIX/ASA/FWSM platform 59-1
CLI commands
FlexConfig objects 7-2
client applications 71-2
client connection characteristics
configuration modes 28-3
configuring policies for Easy VPN 28-7
extended authentication (xauth) 28-4
clientless access mode 30-4
client settings
configuring AnyConnect 31-58
understanding AnyConnect 31-57
client-side file browsing 1-49
enabling or disabling 11-10
CLI prompt
configuring on firewall devices 48-12
Clock
PIX/ASA/FWSM 48-13
clock
Cisco IOS routers
overview 62-22
clock settings
Cisco IOS routers
Clock Policy page 62-23
Clone Device command 1-29
Clone Policy Bundle dialog box 5-57
Clone Policy command 1-31
Clone Policy dialog box 5-46
Close Activity command 1-35
Close All Reports command (Report Manager) 69-8
Close Report command (Report Manager) 69-8
Close Ticket command 1-36
cluster, server
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
Cluster Information page, device properties 3-48
clustering 3-9
cluster load balancing
configuring 31-5
understanding 31-4
understanding FQDN redirection 31-5
CNS
call-home mode 2-9
deploying configurations 8-41
deployment method 8-10
event-bus mode 2-8
setting up on PIX Firewall and ASA devices 2-8
color rules, configuring in Event Viewer 68-38
Combine Rules Selection Summary dialog box 12-24
commands
Activities menu 1-35
Edit menu (Configuration Manager) 1-30
Event Viewer File menu 68-9
Event Viewer View menu 68-9
File menu (Configuration Manager) 1-29
Help menu (Configuration Manager) 1-37
Launch menu 1-36
Manage menu 1-33
Map menu 1-32
Policy menu (Configuration Manager) 1-31
Report Manager menus 69-8
Tickets menu 1-35
Tools menu (Configuration Manager) 1-33
View menu (Configuration Manager) 1-30
Common Services
licensing 10-17
communication, device
troubleshooting 9-7
community list objects
properties 55-127
configurable dashboard for IPS and FW 71-1
configuration
initial Security Manager 1-24
understanding rollback 8-62
Configuration Archive
adding configurations from devices 8-57
overview 8-15
rolling back to archived configuration files 8-68
rolling back when deploying to file 8-70
settings 11-6
version viewer 8-59
viewing and comparing configuration versions 8-58
viewing transcripts 8-60
window 8-23
Configuration Archive command 1-33
Configuration Archive page 11-6
Configuration Engine
adding 3-35
CNS call-home mode 2-9
CNS event-bus mode 2-8
setting up 2-7
Configuration Engine Properties dialog box 3-36
configuration files
deploying in non-Workflow mode 8-28
deploying in Workflow mode 8-34, 8-39
deploying to 8-11
deploying to an AUS or CNS 8-41
deploying to a TMS 8-42
deployment process overview 8-1
factory-default configurations 46-2
previewing 8-44
redeploying to devices 8-51
rolling back after deploying to file 8-70
rolling back to archived configurations 8-68
rolling back to devices 8-67
selecting 1-49
web VPN policy discovery restrictions 3-8
configuration location, configuring for IOS IPS 45-7
Configuration Manager
overview 1-13
using 1-13
configurations
adding to the Configuration Archive 8-57
avoiding out-of-band changes 8-46
detecting out-of-band changes 8-45
rollback, commands to recover from failover misconfiguration 8-67
rollback command conflicts 8-66
rolling back 8-61
rolling back Catalyst 6500/7600 8-64
rolling back failover devices 8-63
rolling back IPS and IOS IPS 8-64
rolling back multiple context mode 8-63
understanding out-of-band changes 8-12
viewing and comparing 8-58
configuration session
selecting session for change reports 4-18
viewing change reports 4-16
configuration sessions
discarding 4-22
configuration views 1-13
Configure dialog box 17-21
Configure DNS dialog box 17-18
Configure ESMTP dialog box 17-19
Configure Fragments dialog box 17-19
Configure Hardware Ports
ASA 5505 46-48
Configure IMAP dialog box 17-20
Configure POP3 dialog box 17-20
Configure RPC dialog box 17-20
Configure SMTP dialog box 17-19
Config Version Viewer (Preview Configuration) dialog box 8-44
conflict analysis reports
generating 16-32
conflict detection
resolving conflicts 16-32
understanding 16-26
understanding the user interface 16-28
using 16-26
connection
PIX/ASA/FWSM
identity-aware rules 13-21
rules 57-5
Connection Alias dialog box 31-22, 31-30
Connection Profile dialog box
AAA tab 31-11
General tab 31-9
IPSec tab 31-16
Secondary AAA tab 31-14
SSL tab 31-19
connection profiles
configuring 31-6
configuring for Easy VPN 28-13
properties
AAA 31-11
general 31-9
IPSec 31-16
policy overview 31-8
secondary AAA 31-14
SSL 31-19
sharing among multiple ASAs 30-8
Connection Profiles page 31-8
Connection Settings
MPC rule wizard
tab 57-8
connection timeout
device communication settings 11-22
Connection URL dialog box 31-22
connectivity, testing device 9-1
console
Cisco IOS routers
AAA tab 62-44
Accounting tab 62-47
Authentication tab 62-44
Authorization tab 62-45
Console Policy page 62-42
Setup tab 62-42
console port
Cisco IOS routers
defining AAA settings 62-37
defining setup parameters 62-35
Console timeout
PIX/ASA/FWSM 49-1
Constant Bit Rate (CBR) 61-47
contained modules
showing 3-54
content rewrite rules
defining for SSL VPN on ASA 31-48
Context-Based Access Control
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3
understanding 17-1
understanding access rule requirements 17-4
Context Editor dialog box (IOS) 33-15
contexts
see “security contexts” 58-1
continuity check (CC) cells 61-50
control plane (CP)
defining QoS on 65-12
policing on 65-9
Control Plane Policing 65-9
conventions iii-lxi
cookie challenges 26-35
Copy command 1-30, 12-9
Copy Policies Between Devices command 1-31
Copy Policies wizard 5-32
CPU settings
defining utilization settings 62-25
overview 62-25
CPU Throttling Policy 11-32
CPU utilization
CPU Policy page 62-26
Create a Clone of Device dialog box 3-54
Create Activity dialog box 4-14
Create a Policy dialog box 5-53
Create Discovery Task dialog box 5-18
Create Extranet VPN Topology wizard
overview 25-65
Create Filter dialog box 1-45
Create Group Policy wizard
Clientless and Thin Client Access Modes page 30-22
Full Tunnel page 30-20
Group Policy page 30-19
using 30-19
Create Overrides for Device dialog box 6-20
Create Policy Bundle dialog box 5-56
Create Text Object dialog box 7-32
Create Ticket dialog box 4-14
Create VPN Topology wizard
Device Selection page 25-32
Edit Endpoints dialog box 25-33
Endpoints page 25-33
GET VPN Group Encryption page 25-53
GET VPN Peers page 25-59
High Availability page 25-50
Name and Technology page 25-30
overview 25-28
VPN Defaults page 25-60
credential objects
attributes 28-9
credentials
configuring on firewall devices 48-15
device manager validation 71-21
IPS module 3-19
service module 3-18
testing 9-1
understanding device 3-4
Credentials page
HTTPS port number
overriding with HTTP policy 3-46
Credentials page, device properties 3-44
crypto maps
understanding 26-18
CSC
MPC rule wizard
tab 57-8
CSDM Policy Editor dialog box 32-40
CS-MARS
access to Security Manager 71-44
configuring servers 11-7
discovering or changing controller used by device 71-46
events
historical and real-time lookup 71-48
looking up 71-48
integrating with Security Manager 71-42
integration with Security Manager 71-43
looking up Security Manager policies based on events 71-52
NetFlow 71-54
query
troubleshooting 71-47
registering in Security Manager 71-45
supported log messages 71-53
viewing access rule events 71-49
viewing IPS signature events 71-51
CS-MARS page 11-7
CSMDiagnostics.zip
setting debug options 11-11
CSMDiagnostics.zip file, creating 10-28
CSM Mobile 71-18
settings page 11-9
CSM Monitor widget 71-14
CSM tab, Licensing page 11-55
CSV (comma-separated values) files
supported formats for device inventory 10-9
CSV file
export HPM data as 70-29
Customize Desktop Settings page 11-10
Customized Toolbar command 1-31
Custom Protocol dialog box 17-21
Custom Report List command (Report Manager) 69-9
Cut command 1-30, 12-9
cut-through proxy, configuring 13-23
CX
ASA module
detecting 71-28
CXSC
MPC rule wizard
tab 57-8
D
Dashboard
CSM Mobile settings page 11-9
Dashboard tabs
default view 71-15
re-arranging 71-15
Dashboard widgets for device health trends 71-2
database
backing up 10-25
backing up and restoring 10-24
generating partial backups for TAC 10-30
restoring 10-27
DCE/RPC policy map objects
creating 17-21
properties 17-28
DCS.properties file
DCS.doSerialAccessForFWSMVCs property 9-17
DCS.FWSM.checkThreshold property 9-16
SSH settings 9-7
warning message expression properties 9-10
DDNS
PIX/ASA/FWSM 52-18
add interface rules 52-19
update methods 52-19
update methods, add/edit 52-20
dead-peer detection (DPD) 26-31
debugging
configuring debug levels 11-11
Debug Options page 11-11
Default Report Settings command (Report Manager) 69-9
defaults, configuring 11-1
Delete Device command 1-29
Delete Map command 1-32
Delete Map dialog box 35-10
Delete Row command 1-30
Denial of Service (DoS)
preventing in SMTP using zone based firewall 21-26
denial of service (DoS)
preventing using unicast reverse path forwarding (uRPF) 61-20
Denial of Service (DoS) attacks
configuring inspection settings to mitigate 17-89
preventing on IOS devices using inspection 17-4
denial of service (DoS) attacks
preventing using IKEv2 cookie challenge 26-35
deny
inspection
rules 17-5
Deploy command 1-29
Deploy Job dialog box 8-39
deployment
Add Other Devices dialog box 8-56
Auto Update Server 8-41
Catalyst 6500/7600 devices 8-28
changes not deployed when using schedules 8-54
changing device message severity level to ignore errors 9-10
changing FWSM multiple-context deployment to serial 9-17
Cisco Networking Services configuration engine 8-41
clearing XLATE on 59-1
configuration files, to 8-11
configurations 8-28
creating jobs in Workflow mode 8-35
creating or editing schedules 8-54
Deployment Manager window 8-16
device communication settings 9-4
devices, directly to 8-9
devices, through intermediate server 8-10
Edit Deploy Method dialog box 8-30
Edit Selected Deployment Method dialog box 8-30
error attempting to remove unreferenced object 9-12
errors
OS version mismatches 8-13
generating status report 10-30
handling OS version mismatches 8-13
managing 8-1
methods 8-8
minimum memory errors for ASA 8.3+ 9-11
non-Workflow mode 8-3
optimizing access rules 16-44
out-of-band changes
avoiding 8-46
detecting and analyzing 8-45
understanding 8-12
process overview 8-1
rolling back archived configurations 8-68
rolling back configurations 8-61
rolling back configurations, Catalyst 6500/7600 8-64
rolling back configurations, command conflicts 8-66
rolling back configurations, commands to recover from failover misconfiguration 8-67
rolling back configurations, failover devices 8-63
rolling back configurations, IPS and IOS IPS devices 8-64
rolling back configurations, multiple context mode 8-63
rolling back configuration when deploying to file 8-70
rolling back to last deployed configuration 8-67
setting debug options 11-11
suspending or resuming schedules 8-57
system settings 11-13
task flow
non-Workflow mode 8-3
Workflow mode 8-5
tips for successful jobs 8-27
TMS server 8-42
troubleshooting 9-1, 9-9
ADSL or PVC deployment failures 9-15
AUS problems 9-18
Catalyst interface settings 9-16
Catalyst internal VLANs 9-16
Catalyst switch and modules 9-15
Configuration Engine problems 9-18
Error Writing to Server messages 9-15
HTTP Response Code 500 messages 9-15
layer 2 interfaces 9-14
mixing deployment methods with routers and VPNs 9-13
router interface settings 9-14
routers 9-14
Security Manager cannot contact device 9-12
VPNs with routing processes 9-13
troubleshooting device communication 9-7
troubleshooting router connection failures 2-2
troubleshooting SSL certificate errors 9-4
troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 25-17
understanding 8-1
understanding configuration rollback 8-62
using a Cisco Networking Services (CNS) server 8-41
viewing device details 8-26
viewing job summary 8-26
viewing status and history for jobs and schedules 8-26
viewing transcripts 8-60
Warning - Partial VPN Deployment dialog box 8-31
Workflow mode 8-5, 8-34, 8-39
working with 8-25
Deployment—Create or Edit a Job dialog box 8-35
deployment jobs
aborting 8-53
approval 8-7
approving 8-38
creating and editing in non-Workflow mode 8-28
creating and editing in Workflow mode 8-35
Deployment Manager 8-16
discarding 8-40
including devices in 8-8
multiple users 8-8
redeploying 8-51
rejecting 8-38
states
non-Workflow mode 8-4
Workflow mode 8-6
submitting 8-38
viewing history 8-26
Deployment Manager
overview 8-15, 8-16
Deployment Manager window 8-16
Deployment Schedules tab 8-21
Deployment page
PIX/ASA/FWSM Platform
clear xlate 59-1
Deployment Schedules tab 8-21
Deployments command 1-33
Deployment Settings page 11-13
Deployment Status Details dialog box 8-32
Deployment Workflow Commentary dialog boxes 8-20
Deploy Saved Changes dialog box 8-28
DES encryption algorithm
in IKE proposals 26-6
Designated Router
PIX/ASA/FWSM 54-12
Destination Contents dialog box 12-14
Dest Port Map dialog box 41-12
Detect Out of Band Changes command 1-34
device
AAA administration 48-4
firewall types 46-1
viewing inventory status 71-19
Device Access
FWSM
Resources, add/edit 51-3
PIX/ASA/FWSM 49-1
console timeout 49-1
host name 51-1
HTTP configuration 49-4
HTTP page 49-2
ICMP rules 49-4
ICMP rules, add/edit 49-5
Management Access interface 49-6
Secure Shell, add/edit host 49-7
Secure Shell (SSH) 49-6, 49-8
Server Access 52-1
SNMP host access 49-19
SNMP page 49-14
SNMP Trap configuration 49-16
Telnet configuration 49-24
Telnet page 49-23
user accounts 51-6
user accounts, add/edit 51-7
device access policies
defining 62-14
Device Admin
FWSM
Resources 51-3
device administration policies
configuring on firewall devices 48-1
device authentication
adding SSL thumbprints manually 9-4
SSL certificate default configuration 11-22
Device Blacklist dialog box 19-15
device clusters 3-9
device communication
changing device message severity level 9-10
managing settings 9-4
routers without K8/K9 crypto image 9-7
Security Manager cannot contact device after deployment 9-12
troubleshooting failures 9-7
Device Communication page 11-21
device communications
troubleshooting 9-1
device communication settings
connection timeout 11-22
retry count 11-22
socket read timeout 11-22
Device Connectivity Test dialog box 9-3
device credentials
understanding 3-4
Device Credentials page 3-44
Device Delete Validation dialog box 3-56
device groups 3-57, 3-60
adding or removing devices 3-61
creating group types 3-59
deleting groups or types 3-60
understanding 3-57
Device Groups page 3-48, 11-24
device health trends in Dashboard 71-2
Device Information page - Add Device from File 3-31
Device Information page - Configuration File 3-22
Device Information page - Network 3-14
Device Information page - New Device 3-26
device inventory
exporting
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
using command line utility 10-10
importing
device with policies 10-13
importing with policies 10-13
managing 3-1
sharing with PRSM 71-29
testing device connectivity 9-1
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
working with 3-34
device manager
access rule look up 71-24
ASDM 71-22
access rule look-up 71-25
credentials 71-21
IDM 71-22
PDM 71-22
prerequisites 71-23
SDM 71-23
access rule look-up 71-26
starting from HPM 70-3, 70-26
starting from Security Manager 71-21
troubleshooting 71-23
xdm-launcher.exe 71-23
Device Manager command 1-36
Device Properties
Cluster Information page 3-48
Credentials page 3-44
Device Groups page 3-48
General page 3-40
Policy Object Override pages
general reference 3-50
device properties
changes with policy effects 3-51
changing critical 3-50
image version changes with no policy effects 3-50
understanding 3-6
viewing or changing 3-39
Device Properties command 1-34
Device Properties page
creating object overrides 6-19
deleting overrides 6-21
overview 3-39
device response
to appear as an error message 9-10
devices
adding 3-6
adding configurations to the Configuration Archive 8-57
adding from configuration files 3-20
adding from inventory file 3-29
adding from network 3-12
adding local rules to shared policies 5-44
adding manually 3-25
adding or changing modules 3-39
assigning shared policies 5-43
avoiding out-of-band changes 8-46
changing critical properties 3-50
changing those selected for reports 69-22
cloning or duplicating 3-54
cloning shared policies 5-46
communication requirements 2-1
communication settings and certificates 9-4
configuring ASA licenses 2-11
configuring IOS licenses 2-12
configuring local policies 5-30
copying policies between 5-32
creating policy object overrides 6-19
deleting from inventory 3-55
deleting policy object overrides 6-21
deployment through intermediate server 8-10
deployment to 8-9
detecting out-of-band changes 8-45
discovering or changing CS-MARS controller 71-46
discovering policies 5-12
discovering policies on existing devices 5-15
dynamic IP addresses 3-35
image version changes with no policy effects 3-50
including in deployment jobs or schedules 8-8
including unmanaged or non-Cisco in a VPN 25-11
inheriting policy rules 5-45
maps
adding existing managed 35-16
adding new managed 35-16
displaying devices from Device View 35-16
displaying managed 35-16
removing managed 35-16
showing containment for Catalyst switches, ASA, PIX, IPS devices 35-16
modifying policy assignment 5-48
modifying shared policies 5-47
naming conventions 3-3
overview of monitoring 1-7
policy status icons 5-29
preparing for management 2-1
property changes with policy effects 3-51
redeploying configuration files to 8-51
redeploying configurations to replaced hardware 8-51
renaming policies 5-47
replacing policies 5-43
rolling back configurations 8-67, 8-68, 8-70
selecting in site-to-site VPNs 25-32
selecting multiple 1-44
sharing multiple policies 5-41
sharing with PRSM 71-29
showing contained modules 3-54
system variables 7-7
testing connectivity 9-1
troubleshooting communication 9-7
troubleshooting communication and deployment 9-1
troubleshooting device discovery failures 3-7
unassigning policies 5-35
understanding out-of-band changes 8-12
unsharing policies 5-42
using global search to find specific devices 1-41
what counts as a device 3-3
device selector
filtering 1-44
Device Selector dialog box 1-44
Device Server Assignment dialog box 9-8
device status view
working with 3-61
Device Status View command 1-31
Device view
adding local rules to shared policies 5-44
assigning shared policies 5-43
cloning shared policies 5-46
configuring local policies 5-30
configuring VPN topologies 25-19
copying policies between devices 5-32
inheriting policies 5-45
managing policies 5-29
modifying policy assignments 5-48
modifying shared policies 5-47
overview 1-14
policy banner 5-37
policy shortcut menu 5-39
policy status icons 5-29
renaming policies 5-47
sharing local policies 5-40
sharing multiple policies 5-41
unassigning policies 5-35
understanding basic policy management 5-30
understanding shared policies 5-36
unsharing policies 5-42
device view
understanding 3-1
Device View command 1-31
Device Whitelist dialog box 19-15
DHCP
Cisco IOS routers
defining address pools 62-91
defining policies 62-90
DHCP Database dialog box 62-94
DHCP Policy page 62-92
IP Pool dialog box 62-94
overview 62-87
understanding database agents 62-88
understanding option 82 62-89
understanding relay agents 62-88
understanding secured ARP 62-89
configuring passthrough for IOS devices 23-3
PIX/ASA/FWSM 52-10
add/edit servers 52-12
advanced configuration 52-13
configuring DHCP servers 52-10
server options 52-13
traffic blocked 9-15
DHCP relay
interface-specific 46-34
Option 82 46-34, 52-5
PIX/ASA/FWSM 52-5, 52-7
add/edit agent 52-6
add/edit server 52-7
Trusted Interface (Option 82) 46-34, 52-5
DHCPv6 relay
PIX/ASA/FWSM
add/edit agent 52-9
add/edit server 52-9
diagnostics
setting debug options 11-11
diagnostics file, creating 10-28
dial backup
configuring in Easy VPN 28-2
configuring in VPN 25-39
configuring VPN advanced settings 25-40
Dial Backup Settings dialog box 25-40
dialer interfaces
defining BRI properties 61-29
defining profiles 61-27
Dialer Physical Interface dialog box 61-32
Dialer Policy page 61-30
Dialer Profile dialog box 61-31
on Cisco IOS routers 61-27
Diffie-Hellman groups
in IKE proposals 26-7
Digital Subscriber Line (DSL) 61-33
digital subscriber line-access multiplexer (DSLAM) 61-34
directed broadcasts
enabling 61-20
Disable/enable NAT rules 24-33, 24-46
Discard Activity command 1-35
Discard Activity dialog box 4-22
Discard command 1-30
Discard Deployment Job dialog box 8-20
Discard Ticket command 1-36
Discard Ticket dialog box 4-22
discovering
remote access VPNs 30-12
site-to-site VPNs 25-24
Discover Policies on Device command 1-31
Discover VPN Policies command 1-31
Discover VPN Policies wizard 25-24
discovery
default behavior settings 11-25
generating status report 10-30
invalid certificate error 9-6
overview 1-19
security certificate error 9-4, 9-6
setting debug options 11-11
Discovery Settings page 11-25
Discovery Status dialog box 5-22
discovery task
frequently asked questions 5-26
starting 5-15
viewing status 5-22
disk space, monitoring event data store 68-33
Display Actual Size command 1-32
Distributed Traffic Shaping (DTS) 65-7
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 27-11
configuring 27-12
configuring GRE modes 27-12
large scale DMVPNs
configuring 27-16
configuring server load balancing 27-17
overview 27-1, 27-9
spoke-to-spoke connections 27-10
supported platforms 25-9
understanding 27-10
DNS
configuring for inspection rules 17-18
PIX/ASA/FWSM
add/edit server group 52-16
add server 52-17
servers page 52-14
DNS class map objects
creating 17-21
match criteria 17-32
DNS policy map objects
creating 17-21
match conditions and actions 17-32
properties 17-29
DNS servers
configuring for IPS global correlation 36-24
DNS snooping 19-6
dock
report windows 69-29
view windows 68-36
Dock Map View command 1-32
documentation
conventions iii-lxi
Domain AD Server dialog box 13-10
Domain Name System (DNS)
Cisco IOS routers
defining policies 62-75
DNS Policy page 62-76
IP Host dialog box 62-76
overview 62-74
do not ask warnings, resetting 11-10
drill-down reports 69-26
DSLAM 61-34
duration
VPN user reports 69-16
dynamic access policies
attributes 32-4, 32-7
configuring 32-2
managing 32-1
understanding 32-1
dynamic access policies (DAP) 32-28
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box 32-19
Add/Edit DAP Entry dialog box > AAA Attributes Cisco 32-21
Add/Edit DAP Entry dialog box > AAA Attributes LDAP 32-22
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 32-24
Add/Edit DAP Entry dialog box > Anti-Spyware 32-24
Add/Edit DAP Entry dialog box > Anti-Virus 32-25
Add/Edit DAP Entry dialog box > AnyConnect Identity 32-27
Add/Edit DAP Entry dialog box > Application 32-28
Add/Edit DAP Entry dialog box > File 32-29
Add/Edit DAP Entry dialog box > NAC 32-31
Add/Edit DAP Entry dialog box > Operating System 32-31
Add/Edit DAP Entry dialog box > Personal Firewall 32-32
Add/Edit DAP Entry dialog box > Policy 32-33
Add/Edit DAP Entry dialog box > Process 32-34
Add/Edit DAP Entry dialog box > Registry 32-35
Advanced Expressions tab 32-39
Logical Operations tab 32-36
Main tab 32-13
Dynamic Access Policy page (ASA) 32-10
Cisco Secure Desktop Manager Policy Editor dialog box 32-40
Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 32-12
Dynamic Blacklist Configuration tab 19-10
dynamic crypto maps 26-18
dynamic filter snooping (DNS)
enabling 17-18
Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 25-6
dynamic NAT
Cisco IOS routers 24-10
Dynamic Translation Rule
PIX/ASA/FWSM 24-22
add/edit 24-22
dynamic VTI
configuring in Easy VPN 28-12
in remote access VPNs 33-7
understanding use in Easy VPN 28-2
E
Easy VPN
configuration modes 28-3
configuration overview 28-5
configuring client connection characteristics 28-7
configuring dial backup 28-2
configuring dynamic VTI 28-12
configuring high availability 28-2
connection profile policies 28-13
connection profiles (ASA, PIX 7+) 31-8
extended authentication (xauth) 28-4
important configuration notes 28-6
IPsec proposals 28-10
mandatory and optional policies 25-6
overview 28-1
supported platforms 25-9
understanding 28-1
understanding dynamic VTI 28-2
user group policies 28-14
ECMP 22-4
Edit AAA Option dialog box 15-19
Edit AAA Rule dialog box 15-13
Edit AAA Server dialog box 6-31
Edit AAA Server Group dialog box 6-47
Edit Access Rule dialog box 16-13
Edit Actions dialog box 39-12
Edit activity state 4-4
Edit AOL Class Map dialog box 17-26, 21-18
Edit A Port Forwarding Entry dialog box 34-37
Edit ASA Group Policies dialog box
client configuration settings 34-4
client firewall attributes 34-5
connection settings 34-29
DNS/WINS settings 34-26, 34-27
hardware client attributes 34-7
IPSec settings 34-8
overview 34-1
split tunneling settings 34-28
SSL VPN clientless settings 34-10
SSL VPN full client settings 34-17
SSL VPN settings 34-21
technology settings 34-1
Edit A Smart Tunnel Entry dialog box 34-63, 34-66
Edit AS Path Entry dialog box 55-126
Edit AS Path Object dialog box 55-125
Edit Auto Signon Rules dialog box 34-23
Edit Auto Update Settings dialog box 11-52
Edit Category dialog box 12-14
Edit Cisco Secure Desktop Configuration dialog box 34-31
Edit Client Access Rules dialog box 34-10
Edit Client Update dialog box 34-77
Edit Column dialog box 34-57
Edit Community List Entry dialog box 55-128
Edit Community List Object dialog box 55-127
Edit Custom Pane dialog box 34-57
Edit DCE/RPC Map dialog box 17-28
Edit Deploy Method dialog box 8-30
Edit Description dialog box 12-14
Edit Destinations dialog box 12-11
Edit Device Groups command 1-30
Edit Device Groups dialog box 3-59
Edit DNS Class Map dialog box 17-26
Edit DNS Map dialog box
Filtering tab 17-31
overview 17-29
Protocol Conformance tab 17-30
Edit eDonkey Class Map dialog box 17-26, 21-18
Edit Endpoints dialog box
FWSM tab 25-46
overview 25-33
Protected Networks tab 25-45
VPN Interface tab 25-35, 25-49
VPNSM/VPN SPA/VSPA settings, VPN Interface tab 25-41
VRF Aware IPsec tab 25-47
Edit ESMTP Map dialog box 17-35
Edit Extended Access Control Entry dialog box 6-58
Edit Extended Access List dialog box 6-57
Edit External Filter dialog box 21-41
Edit Extranet VPN dialog box
overview 25-65
Edit FastTrack Class Map dialog box 17-26, 21-18
Edit Fidelity dialog box 39-13
Edit File Object dialog box 34-33
Edit FlexConfig dialog box 7-30
Edit FTP Class Map dialog box 17-26
Edit FTP Map dialog box 17-38
Edit Gnutella Class Map dialog box 17-26, 21-18
Edit Group Member dialog box 29-21
Edit GTP Map dialog box 17-41
Edit H.323 Class Map dialog box 17-26, 21-18
Edit H.323 Map dialog box 17-46, 21-34
Edit HSI Endpoint IP Address dialog box 17-49
Edit HSI Group dialog box 17-48
Edit HTTP Class Map dialog box 17-26, 21-18
Edit HTTP Map dialog box 21-34
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-53
Extension Request Method tab 17-56
General tab 17-52
overview 17-51
Port Misuse tab 17-57
RFC Request Method tab 17-55
Transfer Encoding tab 17-58
ASA 7.2+ and PIX 7.2+ devices 17-59
Edit ICQ Class Map dialog box 17-26, 21-18
Edit IKEv1 Proposal dialog box 26-10
Edit IKEv2 Proposal dialog box 26-13
Edit IMAP Class Map dialog box 17-26, 21-18
Edit IMAP Map dialog box 21-34
Edit IM Class Map dialog box 17-26
Edit IM Map dialog box 21-34
ASA and PIX device 17-65
IOS device 17-68
Edit Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
Edit Inspect Parameter Map dialog box 21-30
Edit Interfaces dialog box 12-13
Edit IP Options Map dialog box 17-69
Edit IPsec Pass Through Map dialog box 17-75
Edit IPSec Transform Set dialog box 26-25
Edit IPv4 Pool Object dialog box 6-85
Edit IPv6 Map dialog box 17-72
Edit IPv6 Pool Object dialog box 6-86
Edit Kazaa2 Class Map dialog box 17-26, 21-18
Edit Key Server dialog box 29-19
Edit Language dialog box 34-52
Edit LDAP Attribute Map dialog box 6-44
Edit LDAP Attribute Map Value dialog box 6-45
Edit Load Balancing Parameters dialog box 27-17
Edit Local Web Filter Class Map dialog box 17-26, 21-18
Edit Local Web Filter Parameter Map dialog box 21-38
Edit MAC Address Pool Object dialog box 6-87
Edit Map Value dialog box 6-45
Edit Match Condition and Action dialog box
DNS policy maps 17-32
ESMTP policy maps 17-36
FTP policy maps 17-39
GTP policy maps 17-44
H.323 (IOS) policy maps 21-35
H.323 policy maps 17-49
HTTP (Zone Based IOS) policy maps 21-35
HTTP policy maps 17-60
IM (Zone Based IOS) policy maps 21-35
IMAP policy maps 21-35
IM policy maps 17-66
IPv6 policy maps 17-73
P2P policy maps 21-35
POP3 policy maps 21-35
SIP (IOS) policy maps 21-35
SIP policy maps 17-80
Skinny policy maps 17-84
SMTP policy maps 21-35
Sun RPC policy maps 21-35
Web Filter policy maps 21-35
Edit Match Criterion dialog box
AOL class maps 21-21
DNS class maps 17-32
eDonkey class maps 21-21
FastTrack class maps 21-21
FTP class maps 17-39
Gnutella class maps 21-21
H.323 (IOS) class maps 21-22
H.323 class maps 17-49
HTTP (IOS) class maps 21-22
HTTP class maps 17-60
ICQ class maps 21-21
IMAP class maps 21-24
IM class maps 17-66
Kazaa2 class maps 21-21
Local Web Filter class maps 21-29
MSN Messenger class maps 21-21
N2H2 class maps 21-30
POP3 class maps 21-24
SIP (IOS) class maps 21-25
SIP class maps 17-80
SMTP class maps 21-26
Sun RPC class maps 21-29
Websense class maps 21-30
Windows Messenger class maps 21-21
Yahoo Messenger class maps 21-21
Edit menu
Configuration Manager 1-30
Edit MSN Messenger Class Map dialog box 17-26, 21-18
Edit N2H2 Parameter Map dialog box 21-39
Edit N2H2 Web Filter Class Map dialog box 17-26, 21-18
Edit NAT Rule dialog box
ASA 8.3+ 24-36
Edit NetBIOS Map dialog box 17-76
Edit Network/Host dialog box
General tab 6-79
NAT tab 24-42
Edit Options dialog box 16-16
Edit P2P Map dialog box 21-34
Edit Permit Response dialog box 17-43
Edit Per-Session NAT Rule dialog box 24-47
Edit PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Edit PKI Enrollment dialog box
CA Information tab 26-57
Certificate Subject Name tab 26-62
Enrollment Parameters tab 26-60
overview 26-55
Trusted CA Hierarchy tab 26-63
Edit Policy Assignments command 1-31
Edit Policy List Object dialog box 55-117
Edit POP3 Class Map dialog box 17-26, 21-18
Edit Port Forwarding List dialog box 34-36
Edit Port List dialog box 6-89
Edit Prefix List Entry dialog box 55-122, 55-124
Edit Prefix List Object dialog box 55-120, 55-122
Edit Protocol Info Parameter Map dialog box 21-33
Edit Regular Expression dialog box 17-87
Edit Regular Expression Group dialog box 17-86
Edit Route Map Entry dialog box 55-111
Edit Route Map Object dialog box 55-110
Edit Row command 1-30
Edit Rule Section dialog box 12-22
Edit Security Association Dialog Box 25-57
Edit Selected Deployment Method dialog box 8-30
Edit Server dialog box
Protocol Info Parameter maps 21-34
Edit Server Group dialog box 15-19
Edit Service dialog box 6-91
Edit Services dialog box 12-13
Edit Signature dialog box 39-15
Edit Signature Parameter—Component List dialog box 39-29
Edit Signature Parameters dialog box 39-24
Edit Single Sign On Server dialog boxes 34-38
Edit SIP Class Map dialog box 17-26, 21-18
Edit SIP Map dialog box 17-78, 21-34
Edit Skinny Map dialog boxes 17-82
Edit SLA Monitor dialog box 51-9
Edit Smart Tunnel Auto Signon Entry dialog box 34-68
Edit Smart Tunnel Auto Signon Lists dialog box 34-67
Edit Smart Tunnel Lists dialog box 34-62, 34-65
Edit SMTP Class Map dialog box 17-26, 21-18
Edit SMTP Map dialog box 21-34
Edit SNMP Map dialog box 17-85
Edit Sources dialog box 12-11
Edit SSL VPN Customization dialog box 34-47
Applications 34-56
Copyright Panel 34-54
Custom Panes 34-56
Full Customization 34-55
Home Page 34-58
Informational Panel 34-53
Language 34-50
Logon Form 34-52
Logout Page 34-59
Title Panel 34-49
Toolbar 34-55
Edit SSL VPN Gateway dialog box 34-60
Edit Standard Access Control Entry dialog box 6-61
Edit Standard Access List dialog box 6-57
Edit Sun RPC Class Map dialog box 17-26, 21-18
Edit Sun RPC Map dialog box 21-34
Edit TCP Map dialog box 57-21
Edit TCP Option Range Dialog Box 57-23
Edit Text Object dialog box 7-32
Edit Time Range dialog box 6-68
Edit Traffic Flow dialog box 57-17
Edit Translated Address dialog box 24-28
Edit Transparent EtherType dialog box 23-6
Edit Transparent Firewall Rule dialog box 23-5
Edit Transparent Mask dialog box 23-7
Edit Trend Content Filter Class Map dialog box 17-26, 21-18
Edit Trend Parameter Map dialog box 21-42
Edit Unified Access Control Entry dialog box 6-64
Edit Update Server Settings dialog box 11-49
Edit URL Domain Name dialog box 21-45
Edit URLF Glob Parameter Map dialog box 21-45
Edit URL Filter Parameter Map dialog box 21-43
Edit User Credentials dialog box 36-19
Edit User dialog box 12-12
Edit User Group dialog box
Advanced PIX 6.3 settings 34-78
Browser Proxy settings 34-83
Client (IOS) settings 34-74
Clientless settings 34-79
Client VPN Software Update (IOS) settings 34-77
DNS/WINS settings 34-73
General settings 34-71
IOS Xauth Options settings 34-76
overview 34-69
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 34-73
SSL VPN Connection settings 34-84
SSL VPN Full Tunnel settings 34-80
SSL VPN Split Tunneling settings 34-82
Technology settings 34-69
Thin Client settings 34-80
Edit VDI Server dialog box 34-13
Edit Virtual Sensor dialog box 38-7, 38-8
Edit VPN dialog box
Device Selection tab 25-32
Edit Endpoints dialog box 25-33
Endpoints tab 25-33
High Availability tab 25-50
Name and Technology tab 25-30
overview 25-28
Edit Web Access Control Entry dialog box 6-62
Edit Web Filter Map dialog box 21-47
Edit Web Filter Options dialog box 18-9
Edit Web Filter Type dialog box 18-8
Edit Websense Parameter Map dialog box 21-39
Edit Websense Web Filter Class Map dialog box 17-26, 21-18
Edit Web Type Access List dialog box 6-57
Edit Windows Messenger Class Map dialog box 17-26, 21-18
Edit WINS Server dialog box 34-86
Edit WINS Server List dialog box 34-85
Edit Yahoo Messenger Class Map dialog box 17-26, 21-18
Edit Zones dialog box 12-13
eDonkey class map objects
creating 21-16
match criteria 21-21
EIGRP routing
defining interface properties 66-10
defining routes 66-9
EIGRP Routing Policy page 66-13
Interface dialog box 66-16
Interfaces tab 66-15
on Cisco IOS routers 66-8
PIX/ASA/FWSM
advanced settings 55-34
Filter Rule configuration 55-40
Filter Rules tab 55-39
Interface configuration 55-48
Interfaces tab 55-47
neighbor configuration 55-42
Neighbors tab 55-41
policy 55-32
redistribution configuration 55-44
Redistribution tab 55-42
Setup tab 55-36
Summary Address configuration 55-46
Summary Address tab 55-45
redistributing routes 66-12
Redistribution Mapping dialog box 66-18
Redistribution tab 66-17
Setup dialog box 66-14
Setup tab 66-13
e-mail
blocking spam using zone-based firewall rules 21-26
preventing DoS attacks 21-26
e-mail notifications
configuring SMTP server 1-26
PIX/ASA/FWSM
recipient set-up 53-8
syslog messages 53-8
embedded event manager
add/edit action configuration 53-7
add/edit applet 53-4
add/edit syslog configuration 53-6
ASA 53-3
Enable/disable NAT rules 24-33, 24-46
Enable PIM and IGMP
PIX/ASA/FWSM 54-1
Encapsulating Security Protocol (ESP) encryption algorithm 26-28
encoding rules
defining for SSL VPN (ASA) 31-50
encryption algorithms
3DES (Triple DES) 26-6
AES (Advanced Encryption Standard) 26-6
DES (Data Encryption Standard) 26-6
in IKE proposals 26-6
endpoints and protected networks
configuring dial backup 25-39
defining in GET VPN topologies 25-59
defining in VPN topologies 25-33
VPN Interface tab 25-35, 25-49
equal-cost multi-path 22-4
Error Writing to Server deployment errors 9-15
ESMTP
configuring for inspection rules 17-19
ESMTP policy map objects
creating 17-21
match conditions and actions 17-36
properties 17-35
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes 67-49
defining IDSM VLANs 67-44
deleting IDSM VLANs 67-45
EtherChannels
ASA 46-9
edit assigned interface 46-11
LACP 46-11
load balancing 46-13
evaluation license
upgrading to permanent license 10-16
event
lists 53-9
add/edit 53-10
syslog class
add/edit 53-11
syslog message ID
add/edit 53-11
Event Action Filters page 40-7
Event Action Overrides page 40-13
event actions, IPS
configuring filter rules 40-4
configuring network information 40-17
configuring OS maps 40-21
configuring overrides 40-13
configuring settings 40-23
configuring target value ratings 40-17
example filter rule 68-64
filter rule attributes 40-9
filter rules policy 40-7
filter rules tips 40-6
overview 40-1
possible actions 40-2
process overview 40-1
Event Management page 11-27, 11-33
CPU Throttling Policy dialog box 11-32
event manager applet 53-3
Event Manager service
configuring 68-28
managing 68-28
monitoring event store disk space 68-33
monitoring status 68-30
selecting devices to monitor 68-32
starting and stopping 68-28
status icon colors 68-30
events
archiving (backing up) the event data store 68-33
configuring firewall devices (ASA, FWSM) 68-26
configuring IPS devices 68-28
copying 68-50
CS-MARS 71-53
looking up 71-48
looking up policies based on related events 71-52
Netflow support for policy lookup 71-54
viewing access rule events 71-49
viewing IPS signature events 71-51
ensuring time synchronization 68-26
Event Viewer
clearing filters 68-46
context menu 68-47
cross-launching from HPM 68-55
filtering by column 68-42
filtering by events 68-45
filtering overview 68-40
looking up 68-52
looking up policies based on related events 68-51
refreshing event table 68-42
selecting time range 68-41
text searches (quick filter) 68-45
using time slider with filtering 68-41
viewing access rule events 68-53
viewing IPS signature events 68-54
examining details 68-50
examples of analysis
mitigating botnet activity 68-62
monitoring and mitigating botnet activity 68-58
monitoring botnet activity using ASDM 68-61
monitoring botnet activity using Event Viewer 68-59
monitoring botnet activity using Report Manager 68-61
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-17
overview 68-55
removing false positive IPS events 68-63
understanding botnet syslog events 68-58
user access to server blocked 68-56
performing operations on 68-46
properties 68-17
recovering the event data store 68-33
saving to a file 68-51
understanding Event Viewer access control 68-4
viewing 68-1
Event Viewer
archiving (backing up) the event data store 68-33
arranging views 68-36
ASA devices, configuring to provide events 68-26
columns 68-17
configuring color rules 68-38
configuring Event Manager service 68-28
copying events 68-50
creating custom views 68-38
cross-launching from HPM 68-55
deleting custom views 68-40
editing view name and description 68-39
ensuring time synchronization 68-26
Event Monitoring window 68-13
events
context menu 68-47
historical and real-time lookup 68-52
looking up 68-52
event table
customizing appearance 68-36
event details pane 68-25
refreshing 68-42
time slider 68-24
toolbar 68-15
examining event details 68-50
examples of analysis
mitigating botnet activity 68-62
monitoring and mitigating botnet activity 68-58
monitoring botnet activity 68-59
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-17
overview 68-55
removing false positive IPS events 68-63
understanding botnet syslog events 68-58
user access to server blocked 68-56
features
historical views 68-2
overview 68-1
policy navigation 68-3
real-time views 68-2
views and filters 68-3
File menu reference 68-9
filters
advantages of using network/host objects 68-64
clearing 68-46
column based 68-42
event based 68-45
overview 68-40
submission requirements for policy objects 68-65
text searches (quick filter) 68-45
time range 68-41
time slider 68-41
floating views 68-36
FWSM devices, configuring to provide events 68-26
IPS devices, configuring to provide events 68-28
limits of 68-4
looking up Security Manager policies based on events 68-51
managing service 68-28
monitoring event store disk space 68-33
monitoring status 68-30
opening views 68-35
overview 68-7
performing operations on 68-46
preparation for use 68-26
recovering the event data store 68-33
saving events 68-51
saving views 68-40
selecting devices to monitor 68-32
settings 11-27, 11-33
starting or stopping the Event Manager service 68-28
status icon colors 68-30
switching between IP addresses and host object names 68-37
switching between real-time and historical views 68-39
syslogs 68-6
troubleshooting
Event Viewer Unavailable message 11-27, 11-35, 68-29
policy objects not available for filtering 68-65
understanding access control 68-4
using 68-34
using views 68-35
viewing access rule events 68-53
viewing IPS signature events 68-54
view list 68-11
View menu reference 68-9
Event Viewer command 1-37
exclusive domains
configuring for IOS devices 18-10
Exit command 1-30
Exit command (Report Manager) 69-8
exiting
Cisco Security Management Suite server 1-11
CiscoWorks Common Services 1-11
Security Manager 1-10, 1-11
expiration dates
configuring for access rules 16-20
export
device inventory
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
HPM data 70-29
IPS event action overrides 40-13
IPS event filter rules 40-4, 40-7
policy objects 6-22
reports 69-28
shared policies 10-12
Export Devices or Policies commands 1-29
Export Inventory dialog box 10-6
Export Map command 1-32
External Product Interface dialog box 36-27
External Product Interface policy 36-26
F
factory-default configurations 46-2
failover
Active/Active
command replication 50-4
configuration synchronization 50-3
add new context to group 2 50-7
configuring in site-to-site VPN 25-50
edit bridge group 50-16
FWSM 50-12
advanced settings 50-15
PIX/ASA 50-17
Add Failover Group 50-24
settings 50-20
PIX/ASA/FWSM 50-10
active/active 50-2, 50-3
active/standby 50-2
bootstrap configuration 50-26
configuration basics 50-5
configuring 50-1
interface configuration 50-23
interface MAC address 50-22
security context 50-25
stateful 50-3, 50-4
stateless 50-3
types of 50-2
understanding 50-1
PIX 6.3 50-10
interface configuration 50-11
stateful in site-to-site VPN 25-52
false negatives
definition of 39-23
false positives
definition of 39-23
FastTrack class map objects
creating 21-16
match criteria 21-21
feature sets 1-4
File menu
Configuration Manager 1-29
Event Viewer 68-9
Report Manager 69-8
file objects
attributes 34-33
selecting 34-35
files
deploying to 8-11
selecting or specifying 1-49
Filter Item dialog box 40-9
filter rules, event action (IPS)
attributes 40-9
configuring 40-4
example rule 68-64
exporting 40-4
policy 40-7
tips 40-6
filters
Event Viewer
clearing 68-46
column based 68-42
context menu 68-47
event based 68-45
overview 68-40
refreshing event list 68-42
selecting time range 68-41
text searches (quick filter) 68-45
using time slider 68-41
filtering selectors 1-44
filtering tables 1-47
HPM
column based 70-17
custom 70-17
filters (Event Viewer)
advantages of using network/host objects 68-64
overview 68-3
submission requirements for policy objects 68-65
Find and Replace dialog box 12-17
find and replace in rules policies 12-16
Find Map Node command 1-32
Find Node dialog box 35-12
FirePOWER
ASA module
detecting 71-28
FireSIGHT Management Center
starting from Security Manager 71-27
FireSIGHT Management Center command 1-36
Firewall
AAA IOS Timeout Values 15-30
firewall
AAA firewall
advanced settings 15-20
configuring 15-6
MAC exempt lists 15-26
AAA firewall policy
advanced settings 15-20
configuring 15-6
AAA page 15-28
AAA rules
configuring AAA firewall settings 15-6
configuring AuthProxy settings 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring security group aware 14-16
managing 15-1
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
Access Control page 16-22
access controls
per user downloadable ACLs 16-25
access control settings
configuring settings 16-21
access rule
event analysis example, user access blocked 68-56
finding from CS-MARS events 71-52
finding from Event Viewer events 68-51
viewing related CS-MARS events 71-49
viewing related events 68-53
access rules
address requirements 16-5
configuring 16-7
configuring expiration dates 16-20
configuring identity aware 13-21
configuring security group aware 14-16
how deployed 16-5
import examples 16-42
importing 16-38
IPS blocking, effect of 43-4
managing 16-1
optimizing during deployment 16-44
sharing ACLs among interfaces 11-18
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding requirements when using inspection 17-4
ACL naming conventions 12-5
adding rules 12-9
analysis reports 16-32
AuthProxy
configuring 15-9
AuthProxy settings policy
configuring 15-9
botnet traffic filter rules 19-9
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring policies in Map view 35-23
configuring settings 18-15
configuring settings policies in Map view 35-23
conflict detection 16-26
converting IPv4 rules 12-28
deleting rules 12-9
device types 46-1
disabling rules 12-20
editing rules 12-10
enabling rules 12-20
finding and replacing items in rules policies 12-16
Firewall ACL Setting dialog box 16-24
identity-aware policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-36, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Inspection page 17-89
inspection rules
add/edit rule wizard 17-10, 17-12, 17-16
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
configuring security group aware 14-16
managing 17-1
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3, 17-16
understanding 17-1
understanding access rule requirements 17-4
inspection settings
configuring for IOS devices 17-89
introduction 12-1
IPv6 access rules
configuring expiration dates 16-20
sharing ACLs among interfaces 11-18
understanding global 16-3
MAC exempt lists, AAA firewall 15-26
managing rules tables 12-7
moving rules 12-19
object groups
expanding during discovery 12-35
optimizing network object groups during deployment 12-35
overview 12-1
per user downloadable ACLs 16-25
policy discovery 5-13
policy query
example report 12-34
generating reports 12-28
interpreting results 12-32
preserving ACL names 12-4
reference information for AAA rules 15-20
resolving access rule conflicts 16-32
resolving ACL naming conflicts 12-6
rule table sections 12-20
security group aware policies
configuring ISE settings 11-54
configuring rules 14-16
security group-aware policies
configuring 14-7
managing 14-1
system variables 7-9
transparent rules
adding or editing a rule 23-5
configuring 23-1
configuring passthrough for IOS devices 23-3
editing the EtherType 23-6
editing the mask 23-7
managing 23-1
Transparent Rules page 23-3
TrustSec firewall policies
configuring 14-7
managing 14-1
overview 14-1
TrustSec policies
monitoring 14-17
understanding NAT effects 12-3
understanding rule order 12-19
understanding rule processing order 12-2
using rules tables 12-7
Web Filter page 18-16
web filter rules
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
managing 18-1
understanding 18-1
zone-based firewall
add/edit zones 21-53
advanced options 21-67
configuring PAM 21-69
configuring rules 21-13, 21-62
configuring settings 21-49
Content Filter tab 21-52
designing network zones 21-1
development overview 21-12
Global Parameters tab 21-50
page 21-50
protocol selection 21-68
rules table 21-58
tabs 21-49
VPN tab 21-50
WAAS tab 21-50
Zones tab 21-50
zone-based firewalls
changing the default drop rule 21-48
general recommendations 21-12
IPSec VPN 21-6
logging 21-1
overview 21-1
restrictions 21-3
Self zone 21-5
troubleshooting 21-54
understanding 21-3
understanding permit/deny and action 21-8
understanding services and protocols 21-11
VRF 21-7
Firewall AAA IOS Timeout Value Setting dialog box 15-30
Firewall AAA MAC Exempt Setting dialog box 15-27
Firewall ACL Setting dialog box 16-24
Firewall Device dialog box 43-14
Firewall Services Module
see FWSM 47-1
Fit to Window command 1-32
FlexConfig objects
adding to policies 7-35
ASA samples 7-20
Catalyst 6500/7600 samples 7-22
changing order in policies 7-35
changing variable values 7-35
Cisco IOS Software samples 7-22
CLI commands 7-2
configuring 7-25
configuring AAA for administrative introducers 62-84
creating 7-28
creating text objects 7-32
deleting variables 7-28
PIX firewall samples 7-23
previewing CLI 7-35
properties 7-30
property selector 7-34
removing from policies 7-35
router samples 7-24
samples 7-19
scripting language
example of looping 7-3
example of looping with if/else statements 7-4
example of two-dimensional looping 7-3
understanding 7-3
system variables
device 7-7
firewalls 7-9
remote access VPN 7-19
router 7-13
understanding 7-7
VPN 7-14
undefined variables 7-33
understanding 7-2
variables 7-5
variables, example 7-6
FlexConfig policies
adding objects 7-35
changing object order 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 62-84
editing 7-35
previewing CLI 7-35
removing objects 7-35
understanding 7-2
FlexConfig Policy page 7-36
FlexConfig Preview dialog box 7-38
FlexConfigs
creating (scenario) 7-25
managing 7-1
troubleshooting 7-38
FlexConfig Undefined Variables dialog box 7-33
float
report windows 69-29
view windows 68-36
floodguard 56-2
FQDN objects
creating 6-78
understanding 6-76
fragmentation
configuring settings in VPNs 26-30, 26-41
fragments settings 56-2
frequently asked questions
policy discovery 5-26
FTP class map objects
creating 17-21
match criteria 17-39
FTP policy map objects
creating 17-21
match conditions and actions 17-39
properties 17-38
full mesh topologies
description 25-4
partial mesh 25-5
full tunnel client access mode 30-5
FWSM
AAA support 6-27
about 46-1
adding SSL thumbprints manually 9-4
adding when using multiple-context mode 3-7
adding when using non-default HTTPS (SSL) port 3-7
Asymmetric Routing Groups 46-5
Bridge Groups
add/edit 46-50
bridge groups 47-3
changing deployment method to serial for multiple-context mode 9-17
configuring for event management 68-26
configuring FWSM endpoints in site-to-site VPNs 25-46
configuring transparent firewall rules 23-1
credentials 3-18
deleting security contexts 58-7
deployment failures after changing interface policies 9-16
deployment failures in multiple-context mode 9-16
deployment failures with large ACLs 9-16
Device Access
managing Resources 51-2
Resources 51-3
Resources, add/edit 51-3
discovering failover modules 3-7
Event Viewer support 68-4
Failover 50-12
advanced settings 50-15
edit bridge group 50-16
including in deployment jobs 8-27
interfaces
add/edit 46-26
configuring 46-3
General tab 46-27
IPv6 46-38, 46-55
IPv6, add/edit 46-42
IPv6, add/edit prefixes 46-43
managing 46-21
packet capture, using 71-36
PDM 71-22
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-67
rollback command conflicts 8-66
rollback restrictions for failover devices 8-63
rollback restrictions for multiple context mode 8-63
security contexts
configuration 58-8
selecting policy types to manage 5-11
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-22
TCP State Bypass 57-3
troubleshooting deployment 9-15
G
General
PIX/ASA/FWSM
security policies 56-1
General Configuration tab, SNMP policy for IPS 36-10
General page, device properties 3-40
General tab, IPS blocking policy 43-10
General tab (Translation Rules)
PIX/ASA/FWSM 24-31
generic routers 3-8
GET VPN
anti-replay, time based 29-11
configuring 29-12
configuring global ISAKMP and IPsec settings 29-16
configuring group members 29-20
cooperative key servers 29-7
defining group encryption 25-53
generating, synchronizing RSA keys 29-13
group members
adding 29-19
editing 29-21
IKE proposal 29-15
key servers
adding 29-19
editing 29-19
mandatory and optional policies 25-6
migrating to 29-23
overview 29-1
receive-only SAs 29-23
registration
choosing the rekey transport mechanism 29-6
configuring fail-close mode 29-8
registration process 29-4
SAs
passive SA mode 29-23
receive-only mode 29-23
security policy 29-10
supported platforms 25-9
troubleshooting 29-25
understanding 29-2
GET VPNs
group encryption policies
certificate authorization 25-56
security associations 25-57
global correlation
configuring 42-1
configuring DNS servers 36-24
configuring HTTP proxy server 36-24
configuring inspection and reputation 42-5
configuring network participation 42-7
configuring with Botnet Traffic Filtering 42-1
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
Global Search
using 1-41
Global Search command 1-30
global settings
remote access VPN
configuring 26-29
Gnutella class map objects
creating 21-16
match criteria 21-21
GRE (generic routing encapsulation) VPN
advantages of IPsec tunneling with GRE 27-3
configuring 27-5
configuring GRE modes 27-6
dynamically addressed spokes 27-5
implementation 27-3
overview 27-1, 27-2
prerequisites for successful configuration 27-3
supported platforms 25-9
understanding 27-2
GRE Dynamic IP
mandatory and optional policies 25-6
GRE Modes Page
DMVPN properties 27-12
GRE or GRE Dynamic IP properties 27-6
overview 27-1
Group Domain of Interpretation (GDOI) protocol 29-3
group encryption
defining in GET VPN topologies 25-53
Group Encryption Policy page (GET VPN) 25-53
group members
adding 29-19
communication flow 29-2
configuring fail-close mode 29-8
editing 29-21
GET VPN
registration process 29-4
security policy ACLs 29-10
group members (GET VPN)
configuring 29-20
Group Members page (GET VPN) 29-20
group policies
configuring 31-23
creating 31-25
understanding 31-24
VPNs
configuring bookmarks 31-76
configuring portal appearance 31-72
configuring WINS servers for file system access 31-82
customizing 31-71
post URL method and macro substitutions in bookmarks 31-78
smart tunnels 31-79
Group Policies page 31-23
groups
adding or removing devices 3-61
creating 3-60
deleting 3-60
understanding 3-57
working with 3-57
group types
creating 3-59
deleting 3-60
GTP map objects
Add Country Network Codes dialog box 17-43
Edit Country Network Codes dialog box 17-43
GTP Map Timeouts dialog box 17-44
GTP policy map objects
creating 17-21
match conditions and actions 17-44
properties 17-41
H
H.323 class map objects
IOS
creating 21-16
match criteria 21-22
match criteria 17-49
H.323 policy map objects
ASA/PIX/FWSM
creating 17-21
properties 17-46
IOS
creating 21-16
match conditions and actions 21-35
match conditions and actions 17-49
hash algorithms
in IKE proposals 26-6
MD5 26-7
SHA 26-6
Health & Performance Monitor command 1-37
Health and Performance Monitor
see HPM 70-1
viewing related events in Event Viewer 68-55
Health and Performance Monitor in Dashboard 71-2
help
accessing 1-51
Help About This Page command 1-37
helper addresses 61-14
Help menu
Configuration Manager 1-37
Help Topics command 1-37
Hide Navigation Window command 1-32
high availability (HA groups)
configuring in Easy VPN 28-2
configuring in site-to-site VPN 25-50
stateful/stateless failover 25-52
high availability policies
configuring in remote access VPNs 33-11
Histogram dialog box 41-13
histograms
configuring anomaly detection 41-11
understanding anomaly detection 41-9
Hit Count Details
example 16-36
Hit Count Details page 16-34
Hit Count Selection Summary Dialog Box 16-19
Hostname
PIX/ASA/FWSM 51-1
hostnames
Cisco IOS routers
defining 62-77
Hostname Policy page 62-78
overview 62-77
HPM
access control 70-3
Alerts
firewall 70-35
IPS 70-33
VPN 70-36
VPN, SNMP configuration 70-37
alerts 70-30
acknowledging 70-39
clearing 70-39
configuring 70-32
history 70-40
viewing 70-38
application window 70-6
Alerts display 70-30
Monitoring display 70-24
columns
Alert table 70-16
Device-related 70-8
showing/hiding 70-8
sorting 70-8
VPN-related 70-12
configuring for 70-4
custom views 70-23
device
monitoring 70-20
monitoring multiple contexts 70-3
priority monitoring 70-30
views 70-21
Device Manager
launching 70-3, 70-26
device manager
cross-launch 70-30
devices
managing 70-5
email notifications
configuring 70-32
export data 70-29
filters
column based 70-17
introduction 70-1
launching 70-4
List Filter 70-19
monitoring
device details 70-27
device status list 70-26
RA and S2S views 70-28
Summary 70-26
VPN details 70-27
VPN Summary list 70-26
overview 70-1
read time-out 2-3, 70-4
Remote Access
log-off user 70-28
settings page 11-35
tables
showing/hiding columns 70-8
sorting columns 70-8
trending 70-2
viewing related events in Event Viewer 68-55
views
closing 70-22
custom 70-23
docking 70-23
floating 70-23
list 70-21
opening 70-22
tiling 70-22
HTML file
export HPM data as 70-29
HTTP
Cisco IOS routers
AAA tab 62-32
Command Authorization Override dialog box 62-34
defining policies 62-29
HTTP Policy page 62-31
overview 62-28
Setup tab 62-31
PIX/ASA/FWSM 49-2
configuration 49-4
HTTP (ASA, PIX) class map objects
creating 17-21
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 17-21
properties 17-51
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 17-21
properties 17-59
HTTP (IOS) class map objects
creating 21-16
creating for zone-based firewall content filtering 21-36
match criteria 21-22
HTTP (Zone Based IOS) policy map objects
creating 21-16, 21-36
match conditions and actions 21-35
HTTP class map objects
match criteria 17-60
HTTP-FORM
settings in AAA server objects 6-42
HTTP policy
overriding HTTPS port number 3-46
sharing
HTTPS port number 3-46
HTTP policy map objects
match conditions and actions 17-60
HTTP proxy server
configuring for IPS global correlation 36-24
HTTP Response Code 500 deployment errors 9-15
HTTPS
setting up 2-3
troubleshooting certificate errors 9-4
hub-and-spoke topology
description 25-2
joined hub-and-spoke topology 25-5
tiered hub-and-spoke topologies 25-5
I
ICMP rules
PIX/ASA/FWSM 49-4
add/edit 49-5
ICMP settings
configuring on IOS routers 61-18
icons
Configuration Manager toolbar reference 1-38
event table toolbar reference 68-15
Event Viewer status color code 68-30
map elements 35-14
ICQ class map objects
creating 21-16
match criteria 21-21
identity-aware firewall policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring layer 2 SGT imposition 46-37
configuring rules 13-21
configuring security group tagging 46-37
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-36, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Identity Configuration wizard
Active Directory Agent Settings 13-13
Active Directory Settings 13-11
Preview 13-15
Identity Settings page 11-36
identity user group objects
creating 13-19
selecting 13-21
user identity acquisition 13-2
idle timeout, Security Manager client 11-10
IDM
device manager 71-22
IDSM
adding when using non-default HTTPS (SSL) port 3-7
Create and Edit IDSM Data Port VLANs dialog boxes 67-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 67-49
credentials 3-18
defining Data Port VLANs 67-46
defining EtherChannel VLANs 67-44
deleting Data Port VLANs 67-47
deleting EtherChannel VLANs 67-45
deployment failures when changing data port VLAN running mode 9-16
IDSM Settings page 67-47
IDSM Slot-Port Selector dialog box 67-50
mode support limitations 67-43
troubleshooting deployment 9-15
understanding settings on Catalyst devices 67-43
IE 10 security settings 10-2
IGMP
PIX/ASA/FWSM
Access Group parameters 54-5
Access Group tab 54-5
enable 54-1
Join Group parameters 54-7
Join Group tab 54-7
page 54-2
parameters 54-4
Protocol tab 54-3
Static Group parameters 54-6
Static Group tab 54-6
ignore error message, configure Security Manager to 9-10
IKE (Internet Key Exchange)
comparing version 1 and 2 26-4
configuring IKE and IPsec policies 26-1
configuring IKEv2 authentication 26-64
configuring proposal 26-9
Diffie-Hellman modulus groups 26-7
encryption algorithms 26-6
hash algorithms 26-6
IKEv2 Authentication policy 26-65, 26-68
overview 26-2
selecting the IKE version for devices in site to site VPNs 26-25
understanding 26-5
IKE keepalive
understanding 26-31
IKE proposal objects
v1 properties 26-10
v2 properties 26-13
IKE proposals (policies)
in GET VPNs 29-15
IKEv2 Authentication dialog box 26-68
IKEv2 Authentication page 26-65
IKEv2 settings
configuring 26-35
configuring cookie challenges 26-35
IM (ASA7.2+/PIX7.2+) policy map objects
creating 17-21
properties 17-65
IM (IOS) policy map objects
creating 17-21
properties 17-68
IM (Zone Based IOS) policy map objects
creating 21-16
match conditions and actions 21-35
IM (Zone based IOS) policy map objects
creating 21-16
Image Management 72-1
supported versions 72-2
Image Manager 72-9, 72-15
abort installation job 72-34
Add Image 72-11
Bootstrapping Devices 72-8
bundled images 72-30
bundles 72-13
create 72-13
delete 72-15
rename 72-14
view images 72-14
compatible images 72-17
configuring install location 72-19
device memory 72-18
devices 72-15
Getting Started 72-1
Installation Job Summary 72-32
installation wizard 72-25
installing compatible images on devices 72-30
installing images on selected devices 72-31
job approval workflow 72-35
jobs 72-32
RAM 72-17
Repository 72-9
retry on installation failure 72-34
roll back 72-35
settings 11-38
supported image types 72-5
supported platforms 72-2
Troubleshooting 72-37
update validation 72-22
updating images on devices 72-20
Using 72-1
Admin Settings 72-6
View All Images 72-9
view device information 72-16
view installation job details 72-33
Image Manager command 1-37
images
view 72-9
image updates 72-20
IMAP
configuring for inspection rules 17-20
IMAP class map objects
creating 21-16
match criteria 21-24
IM applications
match conditions for zone-based firewalls 21-21
protocol information for IM application inspection 21-33
IMAP policy map objects
creating 21-16
match conditions and actions 21-35
IM class map objects
creating 17-21
match criteria 17-66
IM policy map objects
match conditions and actions 17-66
import
device inventory 3-29
device with policies 10-13
policy objects 6-22
Import Background Image dialog box 35-13
Import Rules wizard
Enter Parameters page 16-39
Preview page 16-41
Status page 16-40
inheritance
inheriting rules 5-45
understanding 5-4
understanding signature policies 39-3
versus assignment 5-6
Inherit Rules command 1-31
Inherit Rules dialog box 5-45
Inspect/Application FW Rule wizard
Address and Port page 17-12
Inspected Protocol page 17-16
Match Traffic page 17-10
inspection
deny rules 17-5
global correlation (IPS)
configuring 42-5
inspection map objects
understanding 6-74
inspection rules
ACL naming conventions 12-5
add/edit rule wizard 17-10, 17-12, 17-16
choosing interfaces 17-2
configuring 17-5
configuring custom protocol name 17-21
configuring DNS settings 17-18
configuring ESMTP settings 17-19
configuring fragment inspection 17-19
configuring identity aware 13-21
configuring in Map view 35-23
configuring RPC settings 17-20
configuring security group aware 14-16
configuring settings for IOS devices 17-89
configuring settings in Map view 35-24
configuring SMTP settings 17-19
deep inspection options
IMAP 17-20
POP3 17-20
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
Inspection Rules page 17-7
managing 17-1
moving 12-19
preserving ACL names 12-4
preventing DoS attacks on IOS devices 17-4
selecting protocols 17-3, 17-16
understanding 17-1
understanding access rule requirements 17-4
understanding NAT effects 12-3
understanding processing order 12-2
Inspection Rules page 17-7
Inspection settings page 17-89
inspect maps
policy maps
Add Country Network Codes dialog box 17-43
Edit Country Network Codes dialog box 17-43
Inspect parameter map objects
properties 21-30
Inspect Parameters map objects
creating 21-16, 21-36
installing
Security Manager client 1-11
Integrated Local Management Interface (ILMI) 61-49
Interactive Authentication Configuration dialog box 15-24
Interface Name Conflict dialog box 6-74
Interface Properties dialog box 35-18
Interface Role Contents dialog box 12-14
interface role objects
creating 6-70
defining subinterfaces 6-73
distinguishing from interfaces 6-72
handling conflicts between role and interface names 6-74
Interface Role dialog box 6-71
specifying during policy definition 6-72
understanding 6-69
use when a single interface name is allowed 6-73
interfaces
adding or changing modules 3-39
ASA
edit EtherChannel-assigned interface 46-11
EtherChannels 46-9, 46-13
LACP 46-11
ASA/FWSM
IPv6 46-38, 46-55
IPv6, add/edit 46-42
IPv6, add/edit prefixes 46-43
ASA 5505 46-6
ASA devices
Advanced tab 46-34
IP Type 46-45
Catalyst switches and 7600 Series routers
Access Port Selector dialog box 67-30
Create and Edit Interface dialog boxes-Access Port mode 67-9
Create and Edit Interface dialog boxes-Dynamic Port mode 67-18
Create and Edit Interface dialog boxes-Other mode 67-24
Create and Edit Interface dialog boxes-Routed Port mode 67-12
Create and Edit Interface dialog boxes-subinterfaces 67-22
Create and Edit Interface dialog boxes-Trunk Port mode 67-14
Create and Edit VLAN dialog boxes 67-28
Create and Edit VLAN Group dialog boxes 67-34
defining ports 67-5
deleting ports 67-7
generating names 67-6
Interfaces/VLANs page-Interfaces tab 67-7
Interfaces/VLANs page-Summary tab 67-3
Interfaces/VLANs page-VLAN Groups tab 67-33
Interfaces/VLANs page-VLANs tab 67-27
Service Module Slot Selector dialog box 67-35
Trunk Port Selector dialog box 67-31
understanding 67-5
VLAN Selector dialog box 67-35
Cisco IOS routers
Advanced Interface Settings dialog box 61-16
Advanced Interface Settings page 61-15
available types 61-2
Create Router Interface dialog box 61-8
defining advanced settings 61-13
defining basic settings 61-3
defining CEF interface settings 61-24
defining IPS module settings 61-22
deleting from 61-6
generating names 61-4
Interface Auto Name Generator dialog box 61-12
overview 61-1
Router Interfaces page 61-7
understanding helper addresses 61-14
configuring IOS IPS rules 45-9
configuring multiple contexts 58-2
distinguishing from interface roles 6-72
failover
MAC address 50-22
PIX/ASA/FWSM 50-23
PIX 6.3 50-11
IPS
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IP Type
PIX 6.3 46-25
PIX/ASA
allocation in security contexts 58-11
IP Type 46-45
PPPoE Users 46-53
redundant 46-8
subinterfaces 46-7, 46-14
VPDN groups 46-54
PIX/ASA/FWSM
add/edit 46-26
Advanced settings 46-51
configuring 46-3
contexts 46-5
DDNS update rules 52-19
enabling traffic between same security levels 46-53
General tab 46-27
manage 46-21
management access 49-6
understanding 46-3
PIX/ASA 7+ devices
MAC address 46-47
PIX 6.3
add/edit 46-23
routed and transparent 46-4
specifying during policy definition 6-72
specifying subinterfaces 6-73
throughput delay 61-18
Interface Selector dialog box (VLAN ACL Content) 67-42
Interfaces page (IPS) 37-6
Interface Specific Authentication Server Groups dialog box 31-13
Interface Specific Client Address Pools dialog box 31-10
inventory
deleting devices from 3-55
export devices
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
using command line utility 10-10
import devices
device with policies 10-13
inventory, device
adding devices 3-6
adding devices from configuration files 3-20
adding devices from inventory file 3-29
adding devices from network 3-12
adding devices manually 3-25
device status view
working with 3-61
managing 3-1
testing device connectivity 9-1
troubleshooting device discovery failures 3-7
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
viewing inventory status 71-19
working with 3-34
Inventory Status command 1-34
Inventory Status window 71-20
Inverse ARP 61-60
inverse multiplexing over ATM (IMA) 61-39
IOS devices
configuring transparent firewall rules 23-1
remote access IPsec VPNs
creating using wizard 30-35
user group policies 33-13
remote access SSL VPNs
configuring bookmarks 31-76
configuring WINS servers for file system access 31-82
creating using wizard 30-31
remote access VPNs
configuring SSL VPN policies 33-14
Context Editor dialog box (IOS) 33-15, 33-16
Dynamic VTI/VRF Aware IPsec settings 33-7
high availability 33-11
IPsec proposals 33-4
SDM 71-23
IOS IPS
effect of load balancing 45-8
comparing to IPS appliances and service modules 36-1
configuration files 45-3
configuration overview 45-4
configuring 45-1
configuring general settings 45-7
configuring interface rules 45-9
configuring target value ratings 40-17
event actions
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
getting started 36-1
initial preparation of router 45-5
lightweight signature engines 45-2
limitations and restrictions 45-3
selecting signature category 45-6
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
understanding 45-1
understanding subsystems and revisions 45-2
IOS Software Release 12.1 and 12.2
managing routers 60-2
IOS Web Filter Exclusive Domain Name dialog box 18-14
IOS Web Filter Rule and Applet Scanner dialog box 18-13
IP address
supporting dynamic 3-35
IP addresses
network masks 6-77
specifying in policies 6-83
IP Intelligence
settings 11-39
IP Intelligence dialog box 71-41
IP Intelligence in Report Manager 71-42
IP Intelligence Settings in Dashboard 71-2
IP Intelligence using Quick Launch 71-41
IP Intelligence widget 71-42
IP Options policy map objects
creating 17-21
properties 17-69
IPS
IPS Module router interface settings policies 61-22
MPC rule wizard
tab 57-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 57-5
IPS alerts
properties