Index

Numerics
12.1 and 12.2
managing routers 61-3
3DES encryption algorithm
in IKE proposals 26-6
802.1x
802.1x Policy page 64-5
defining policies 64-4
interface authorization states 64-2
on Cisco IOS routers 64-1
supported topologies 64-3
understanding device roles 64-2
A
AAA
about 48-1
Cisco IOS routers
AAA Policy page 63-6
Accounting tab 63-10
Authentication tab 63-6
Authorization tab 63-8
Command Accounting dialog box 63-13
Command Authorization dialog box 63-10
defining services 63-4
overview 63-2
supported accounting types 63-3
supported authorization types 63-2
understanding method lists 63-3
configuring access control for IPS 36-21
configuring on firewall devices 48-1
credentials for device access 3-4
device administration 48-4
local fallback 48-3
network access 48-4
PIX/ASA/FWSM 48-5
Accounting tab 48-8
Authentication tab 48-5
Authorization tab 48-7
support 48-2
VPN access 48-4
AAA authentication groups
predefined 6-30
AAA firewall
MAC exempt lists 15-26
AAA Firewall page
Advanced Setting tab 15-20
AAA firewall policy
advanced settings 15-20
configuring 15-6
AAA page 15-28
AAA rules
ACL naming conventions 12-5
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring AAA firewall settings (PIX/ASA/FWSM) 15-6
configuring AuthProxy settings (IOS) 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring in Map view 35-23
configuring security group aware 14-17
configuring settings
for IOS devices in Map view 35-24
for PIX/ASA/FWSM in Map view 35-24
converting IPv4 12-28
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
managing 15-1
moving 12-19
preserving ACL names 12-4
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
understanding NAT effects 12-3
understanding processing order 12-2
AAA Rules page 15-10
AAA server group objects
attributes 6-49
creating 6-48
default server groups on IOS devices 6-31
predefined authentication groups 6-30
understanding 6-27
AAA server objects
creating 6-32
HTTP-FORM settings 6-44
Kerberos settings 6-39
LDAP settings 6-40
NT settings 6-43
RADIUS settings 6-35
SDI settings 6-43
supported additional types for ASA/PIX/FWSM 6-28
supported types 6-28
TACACS+ settings 6-38
understanding 6-27
AAA servers
supported types on ASA, PIX, FWSM devices 6-28
Abort the Job dialog box 8-55
About Configuration Manager command 1-39
ABR
definition 56-75
access control list objects
creating 6-53
extended objects 6-54
standard objects 6-56
unified objects 6-58
web objects 6-57
access control lists
GET VPN security policies 29-10
policy discovery 5-14
access control lists (ACLs)
names preserved during discovery 12-4
naming conventions 12-5
resolving naming conflicts 12-7
access controls
configuring ACL names 16-23
configuring settings 16-23
configuring settings in Map view 35-24
Access Control Settings page 16-24
Access Group tab (IGMP) 55-5
Access Interface Configuration dialog box (ASA) 31-48
access permissions
Event Viewer 69-4
Health and Performance Monitor 71-3
maps 35-8
Report Manager 70-5
access policies
configuring 31-49
reference 31-45
understanding 31-44
access ports
Create and Edit Interface dialog boxes-Access Port mode 68-9
understanding 68-5
access rule
look up
from device managers 72-17
access rules
access control settings 16-24, 16-26
Access Rules page 16-10
ACL naming conventions 12-5
address requirements 16-5
Advanced dialog box 16-17
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring 16-7
configuring access control settings 16-23
configuring identity aware 13-21
configuring in Map view 35-23
configuring security group aware 14-17
controlling non-IP layer-2 traffic 23-1
deleting 12-9
detecting conflicts 16-28
disabling 12-20
editing 12-10
enabling 12-20
examples of event analysis
user access to server blocked 69-59
expiration dates 16-22
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
generating analysis reports 16-34
hit counts
details 16-36
how deployed 16-5
identity-aware rules
requirements 13-3
import examples 16-44
importing 16-40
IPS blocking, effect of 43-4
managing 16-1
moving 12-19
optimizing during deployment 16-46
packet tracer, analyzing with 72-23
preserving ACL names 12-4
Report Manager reports
firewall traffic reports 70-14
resolving conflicts 16-34
rule attributes 16-14
sharing ACLs among interfaces 11-18
syslog messages supported for look-up 72-46
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding NAT effects 12-3
understanding processing order 12-2
understanding requirements when using inspection 17-4
understanding the automatic conflict detection user interface 16-30
viewing related CS-MARS events 72-42
viewing related events in Event Viewer 69-56
Accounting
Cisco IOS routers
settings 63-10
accounts and credentials
Cisco IOS routers
overview 63-14
PIX/ASA/FWSM
user accounts 51-7
user accounts, add/edit 51-7
accounts and credentials policies
Accounts and Credentials Policy page 63-16
User Accounts dialog box 63-17
ACLs
configuring names 16-23
ACS user authorization
configuring notifications when unavailable 1-27
Event Viewer 69-4
Health and Performance Monitor 71-3
how permissions affect what you can do 1-11
Report Manager 70-5
Active/Active failover
about 50-2
command replication 50-4
configuration synchronization 50-3
Active/Standby failover 50-2
Active Directory (AD)
collecting user statistics 13-25
configuring agent communication options 13-15
enabling for identity-aware firewall 13-8
identifying AD servers and agents 11-38, 13-8
requirements for identity-aware firewall 13-3
activities
accessing functions 4-8, 4-9
Activity Manager window 4-10
Approved state 4-5
approving 4-3, 4-21
benefits of 4-2
closing 4-16
creating 4-14
discarding 4-22
Edit state 4-4
locking 4-3
managing 4-1
multiple users 4-4
opening 4-15
overview 1-20
rejecting 4-21
responding to the Activity Required dialog box 4-14
states 4-4
Submitted state 4-5
submitting for approval 4-20
understanding 4-1
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Activities command 1-34
Activities menu 1-36
Activity Manager window 4-10
Activity Required dialog box 4-14
Add/Edit Action Configuration dialog box 54-7
Add/Edit AnyConnect Client Image dialog box (ASA) 31-65
Add/Edit AnyConnect Custom Attributes dialog box (ASA) 31-70, 31-71
Add/Edit Applet dialog box 54-5
Add/Edit Collector dialog box 54-2
Add/Edit Content Rewrite dialog box (ASA) 31-54
Add/Edit DAP Entry Dialog Box > Device 32-30
Add/Edit File Encoding dialog box 31-55
Add/Edit Multicast Route dialog box 55-8, 55-10
description 55-9
Add/Edit PIM Neighbor Filter dialog box 55-13
Add/Edit Proxy Bypass dialog box 31-59
Add/Edit Syslog Configuration dialog box 54-7
Add AAA Rule dialog box 15-13
Add AAA Server dialog box 6-33
Add AAA Server Group dialog box 6-49
Add Access List dialog box (Allowed Hosts policy) 36-7
Add Access Rule dialog box 16-14
Add an Entry dialog box 39-30
Add AOL Class Map dialog box 17-28, 21-19
Add A Port Forwarding Entry dialog box 34-41
Add ASA Group Policies dialog box
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
overview 34-1
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
Technology settings 34-1
Add A Smart Tunnel Entry dialog box 34-67, 34-70
Add AS Path Entry dialog box 56-152
Add AS Path Object dialog box 56-151
Add Auto Signon Rules dialog box 34-27
Add Cat6k Block Vlan dialog box 43-16
Add Certificate dialog box 11-24
Add Certificate Filter dialog box 25-58
Add Cisco Secure Desktop Configuration dialog box 34-35
Add Client Access Rules dialog box 34-12
Add Client Update dialog box 34-81
Add Column dialog box 34-61
Add Community List Entry dialog box 56-154, 56-155
Add Community List Object dialog box 56-153
Add Custom Pane dialog box 34-62
Add Custom Signature dialog box 39-15
Add DCE/RPC Map dialog box 17-29
Add Destinations dialog box 12-11
Add Device from Network wizard
Device Credentials page 3-45
Add Devices to Group command 1-31
Add Devices to Group dialog box 3-63
Add DNS Class Map dialog box 17-28
Add DNS Map dialog box
Filtering tab 17-34, 17-35
overview 17-32
Protocol Conformance tab 17-33
Add eDonkey Class Map dialog box 17-28, 21-19
Add ESMTP Map dialog box 17-39
Add Extended Access Control Entry dialog box 6-61
Add Extended Access List dialog box 6-59
Add External Filter dialog box 21-41
Add FastTrack Class Map dialog box 17-28, 21-19
Add File Object dialog box 34-37
Add FlexConfig dialog box 7-30
Add FTP Class Map dialog box 17-28
Add FTP Map dialog box 17-42
Add Gnutella Class Map dialog box 17-28, 21-19
Add Group dialog box 3-62
Add Group Member dialog box 29-19
Add GTP Map dialog box 17-45
Add H.323 Class Map dialog box 17-28, 21-19
Add H.323 Map dialog box 17-51, 21-34
Add HSI Endpoint IP Address dialog box 17-54
Add HSI Group dialog box 17-53
Add HTTP Class Map dialog box 17-28, 21-19
Add HTTP Map dialog box 21-34
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-58
Extension Request Method tab 17-61
General tab 17-57
overview 17-56
Port Misuse tab 17-62
RFC Request Method tab 17-60
Transfer Encoding tab 17-63
ASA 7.2+ and PIX 7.2+ devices 17-64
Add ICQ Class Map dialog box 17-28, 21-19
Add IKEv1 Proposal dialog box 26-10
Add IKEv2 Proposal dialog box 26-14
Add IMAP Class Map dialog box 17-28, 21-19
Add IMAP Map dialog box 21-34
Add IM Class Map dialog box 17-28
Add IM Map dialog box 21-34
ASA and PIX device 17-70
IOS device 17-73
Add Inspect/Application FW Rule wizard
Address and Port page 17-13
Inspected Protocol page 17-17
Match Traffic page 17-11
Add Inspect Parameter Map dialog box 21-31
Add Interfaces dialog box 12-13
Add IP Options Map dialog box 17-75
Add IPsec Pass Through Map dialog box 17-80
Add IPSec Transform Set dialog box 26-27
Add IPv4 Pool Object dialog box 6-92
Add IPv6 Map dialog box 17-77, 17-91
Add IPv6 Pool Object dialog box 6-93
Add Kazaa2 Class Map dialog box 17-28, 21-19
Add Key Server dialog box 29-19
Add Language dialog box 34-56
Add LDAP Attribute Map dialog box 6-46
Add LDAP Attribute Map Value dialog box 6-47
Add Link command 1-33
Add Link dialog box 35-20
Add Local Rules command 1-32
Add Local Web Filter Class Map dialog box 17-28, 21-19
Add Local Web Filter Parameter Map dialog box 21-38
Add MAC Address Pool Object dialog box 6-94
Add Map Object command 1-33
Add Map Object dialog box 35-18
Add Map Value dialog box 6-47
Add Match Condition and Action dialog box
DNS policy maps 17-36
ESMTP policy maps 17-40
FTP policy maps 17-43
GTP policy maps 17-49
H.323 (IOS) policy maps 21-35
H.323 policy maps 17-54
HTTP (Zone Based IOS) policy maps 21-35
HTTP policy maps 17-66
IM (Zone Based IOS) policy maps 21-35
IMAP policy maps 21-35
IM policy maps 17-71
IPv6 policy maps 17-78, 17-92
P2P policy maps 21-35
POP3 policy maps 21-35
SIP (IOS) policy maps 21-35
SIP policy maps 17-85, 17-95
Skinny policy maps 17-89
SMTP policy maps 21-35
Sun RPC policy maps 21-35
Web Filter policy maps 21-35
Add Match Criterion dialog box
AOL class maps 21-21
DNS class maps 17-36
eDonkey class maps 21-21
FastTrack class maps 21-21
FTP class maps 17-43
Gnutella class maps 21-21
H.323 (IOS) class maps 21-22
H.323 class maps 17-54
HTTP (IOS) class maps 21-22
HTTP class maps 17-66
ICQ class maps 21-21
IMAP class maps 21-25
IM class maps 17-71
Kazaa2 class maps 21-21
Local Web Filter class maps 21-29
MSN Messenger class maps 21-21
N2H2 class maps 21-30
POP3 class maps 21-25
SIP (IOS) class maps 21-25
SIP class maps 17-85, 17-95
SMTP class maps 21-27
Sun RPC class maps 21-29
Websense class maps 21-30
Windows Messenger class maps 21-21
Yahoo Messenger class maps 21-21
Add MSN Messenger Class Map dialog box 17-28, 21-19
Add N2H2 Parameter Map dialog box 21-39
Add N2H2 Web Filter Class Map dialog box 17-28, 21-19
Add NAT Rule dialog box
ASA 8.3+ 24-36
Add NetBIOS Map dialog box 17-81
Add Network/Host dialog box
General tab 6-83
NAT tab 24-42
Add New Device wizard
Device Credentials page 3-45
Add New Security Association dialog box 25-58
Add or Edit Plug-in Entry dialog box (ASA) 31-60
Add Other Devices dialog box 8-58
Add P2P Map dialog box 21-34
Add Permit Response dialog box 17-48
Add Per-Session NAT Rule dialog box 24-47
Add PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Add PKI Enrollment dialog box
CA Information tab 26-60
Certificate Subject Name tab 26-66
Enrollment Parameters tab 26-63
overview 26-58
Trusted CA Hierarchy tab 26-67
Add Policy List Object dialog box 56-143
Add POP3 Class Map dialog box 17-28, 21-19
Add Port Forwarding List dialog box 34-40
Add Port List dialog box 6-102
Add Prefix List Entry dialog box 56-148, 56-150
Add Prefix List Object dialog box 56-146, 56-148
Add Protocol Info Parameter Map dialog box 21-33
Add Regular Expression dialog box 17-108
Add Regular Expression Group dialog box 17-108
Address Pools
PIX/ASA/FWSM 24-18
add/edit 24-19
address pools
overriding in connection profiles 30-8
Add Route Map Entry dialog box 56-137
Add Route Map Object dialog box 56-136
Add Row command 1-31
Add Rule Section dialog box 12-22
Add Server dialog box
Protocol Info Parameter maps 21-34
Add Service dialog box 6-103
Add Services dialog box 12-13
Add Single Sign On Server dialog boxes 34-42
Add SIP Class Map dialog box 17-28, 21-19
Add SIP Map dialog box 17-83, 17-93, 21-34
Add Skinny Map dialog box 17-87
Add SLA Monitor dialog box 51-10
Add Smart Tunnel Auto Signon Entry dialog box 34-72
Add Smart Tunnel Auto Signon Lists dialog box 34-71
Add Smart Tunnel Lists dialog box 34-66, 34-69
Add SMTP Class Map dialog box 17-28, 21-19
Add SMTP Map dialog box 21-34
Add SNMP Map dialog box 17-90
Add Sources dialog box 12-11
Add SSL VPN Customization dialog box 34-51
Applications 34-60
Copyright Panel 34-58
Custom Panes 34-61
Full Customization 34-59
Home Page 34-62
Informational Panel 34-57
Language 34-54
Logon Form 34-56
Logout Page 34-63
Title Panel 34-53
Toolbar 34-59
Add SSL VPN Gateway dialog box 34-64
Add Standard Access Control Entry dialog box 6-64
Add Standard Access List dialog box 6-59
Add Sun RPC Class Map dialog box 17-28, 21-19
Add Sun RPC Map dialog box 21-34
Add TCP Map dialog box 58-22
Add TCP Option Range Dialog Box 58-25
Add Text Object dialog box 7-32
Add Time Range dialog box 6-71
Add Traffic Flow dialog box 58-18
Add Transparent Firewall Rule dialog box 23-5
Add Trend Content Filter Class Map dialog box 17-28, 21-19
Add Trend Parameter Map dialog box 21-42
Add Unified Access Control Entry dialog box 6-67
Add URL Domain Name dialog box 21-45
Add URLF Glob Parameter Map dialog box 21-45
Add URL Filter Parameter Map dialog box 21-43
Add User dialog box 12-12, 36-19
Add User Group dialog box
Advanced PIX 6.3 settings 34-82
Browser Proxy settings 34-87
Client (IOS) settings 34-78
Clientless settings 34-83
Client VPN Software Update (IOS) settings 34-81
DNS/WINS settings 34-77
General settings 34-75
IOS Xauth Options settings 34-80
overview 34-73
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN Connection settings 34-88
SSL VPN Full Tunnel settings 34-84
SSL VPN Split Tunneling settings 34-86
Technology settings 34-73
Thin Client settings 34-84
Add User Profile dialog box 43-12
Add VDI Server dialog box 34-15
Add Virtual Sensor dialog box 38-7, 38-8
Add Web Access Control Entry dialog box 6-65
Add Web Filter Map dialog box 21-47
Add WebSense Parameter Map dialog box 21-39
Add Websense Web Filter Class Map dialog box 17-28, 21-19
Add Web Type Access List dialog box 6-59
Add Windows Messenger Class Map dialog box 17-28, 21-19
Add WINS Server dialog box 34-90
Add WINS Server List dialog box 34-89
Add Yahoo Messenger Class Map dialog box 17-28, 21-19
Add Zones dialog box 12-13
admin context 59-1
administration
selecting policies to manage 5-11
administrative settings, configuring 11-1
admin password, changing 10-24
ADSL
ADSL Policy page 62-37
ADSL Settings dialog box 62-38
defining settings 62-36
supported operating modes 62-35
ADSL policies
unable to deploy 9-15
Advanced dialog box
access rules 16-17
Advanced NAT Options
PIX/ASA/FWSM
add/edit 24-29
Advanced settings
interface configuration
PIX/ASA/FWSM 46-68
AES encryption algorithm
in IKE proposals 26-6
AIM-IPS interfaces
IPS Module Interface Settings page 62-23
AIP-SSM/SSC
ASA 58-15
Alarm Indication Signal (AIS) cells 62-51
allowed hosts, configuring for IPS 36-7
Allowed Hosts policy 36-7
Analysis Engine global variables
configuring 36-30
analysis reports
generating 16-34
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
zones
overview 41-3
anti-spoofing 57-2
AnyConnect
client images 31-62, 31-64
profiles 31-62, 31-64
editing 31-63
AnyConnect Client Image dialog box (ASA) 31-64
AnyConnect custom attributes 31-70, 31-71
AnyConnect Profile Editor 31-63
AOL class map objects
creating 21-16
match criteria 21-21
applet
embedded event manager 54-3
Apply IPS Update command 1-35
Apply IPS Update wizard 44-7
Approve Activity command 1-36
Approve Activity dialog box 4-21
Approved activity state 4-5
Approve Deployment Job dialog box 8-20, 8-39
Area Border Router
See ABR 56-75
ARP
PIX/ASA/FWSM
configuration 47-5
inspection 47-5
inspection, enable/disable 47-6
table 47-3
ARP table
static entry 47-3, 47-5
ASA
ASDM 72-15
CX 58-17
Auth Proxy Configuration 58-17
CX module
detecting 72-21
Failover
Add Failover Group 50-25
edit bridge group 50-17
FirePOWER module
detecting 72-21
IPS, QoS, and Connection Rules
ASA CX Auth Proxy Configuration 58-17
IPS modules 58-15
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions for failover devices 8-65
rollback restrictions for multiple context mode 8-64
security contexts
allocate interfaces 59-12
configuration 59-9
viewing allocated interfaces 59-12
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
TCP State Bypass 58-3
ASA 5505
Management IPv6 47-11
ports and interfaces 46-6
ASA 8.3+
NAT policies
Add/Edit NAT rules dialog boxes 24-36
Translation Rules page 24-34
ASA Cluster Load Balance page 31-5
ASA CX
CX
about 58-17
ASA devices
5505
hardware port configuration 46-61
AAA support 6-28
about 46-1
adding or changing modules 3-40
adding SSL thumbprints manually 9-5
Bridge Groups
add/edit 46-62
Catalyst Service Module 46-1
changing those selected for reports 70-22
configuring for event management 69-28
configuring for report management 70-3
configuring IKE and IPsec policies 26-1
configuring IKEv2 authentication 26-68
configuring transparent firewall rules 23-1
Easy VPNs
connection profiles 28-13
Event Viewer support 69-4
FlexConfig object samples 7-20
global access rules 16-3
identity-aware services
configuring to provide 13-7, 14-8
interfaces 46-26
add/edit 46-31
Advanced tab 46-41
configuring 46-3
edit EtherChannel-assigned interface 46-12
EtherChannels 46-9, 46-13
General tab 46-33
IP Type 46-58
IPv6 46-47, 46-73
IPv6, add/edit 46-52
IPv6, add/edit prefixes 46-54, 46-56
LACP 46-12
MAC address 46-60
PPPoE Users 46-71
VPDN groups 46-72
licenses 2-9
monitoring service level agreements 51-8
object group search 16-25
packet capture, using 72-30
packet tracer, using 72-23
remote access SSL VPNs
advanced settings 31-72
AnyConnect client settings 31-62, 31-64
browser plug-ins 31-60
configuring HTTP/HTTPS proxies and proxy bypass 31-57
content rewrite rules 31-53
encoding rules 31-55
Kerberos Constrained Delegation (KCD) 31-66, 31-69
other settings 31-51
performance settings 31-52
server certificate verification settings 31-30, 31-32, 31-73
shared license 31-74
shared license clients (ASA) 31-76
shared license servers (ASA) 31-77
remote access VPNs
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
AnyConnect client image settings (ASA) 31-65
AnyConnect custom attributes (ASA) 31-70, 31-71
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1 IPSec) 31-37
cluster load balancing 31-5
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
connection profiles 31-7, 31-8
creating IPSec 30-25
creating SSL 30-14
customizing 31-77
device support 30-8
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
fragmentation settings 26-31, 26-44
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKE proposals 26-9
IKEv2 settings 26-37
IPsec proposals 31-41
ISAKMP/IPsec settings 26-33
managing 31-1
NAT settings 26-42
policy overview 31-2
post URL method and macro substitutions in bookmarks 31-84
proxy bypass rules (ASA) 31-59
Public Key Infrastructure (PKI) 26-56
secure desktop manager policies 32-9
smart tunnels 31-85
understanding IKE 26-5
understanding NAT settings 26-41
wizard 30-13
Report Manager reports
firewall summary botnet reports 70-15
firewall traffic reports 70-14
general VPN reports 70-16
VPN top reports 70-16
selecting for Event Viewer 69-34
selecting policy types to manage 5-11
SSL certificate configuration 11-22
ASA group policies objects
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
ASA Image Management 73-16, 73-32
ASAv
about 46-1
ASBR
definition 56-75
ASCII limitations for text 1-50
ASDM
access rule look-up 72-18
device manager 72-15
AS path objects
properties 56-151
ASR
zone-based firewall
global parameters 21-50
restrictions 21-3
assignment overview 1-20
Assignments tab, Policy view 5-54
Assign Shared Policy command 1-32
Assign Shared Policy dialog box 5-44
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 62-34
Asymmetric Routing Groups 46-6
Asynchronous Transfer Mode (ATM) 62-47
ATM 62-47
virtual channel connections (VCCs) 62-47
virtual channel identifier (VCI) 62-47
virtual path connections (VPCs) 62-47
virtual path identifier (VPI) 62-47
Attack Response Controller 43-1
attacks
broadcast 17-4
Denial of Service (DoS) 17-5
spoofing 17-4
SYN flooding 17-5
audit logs
configuring default settings 11-62
purging entries 10-23
understanding 10-19
working with 10-19
Audit Message Detail dialog box 10-21
Audit Report command 1-34
audit reports
generating and viewing 10-20
understanding 10-19
working with 10-19
Audit Report window 10-21
AUS
deploying configurations 8-41
deployment method 8-10
setting up 2-8
setting up on PIX Firewall and ASA devices 2-8
Authentication
Cisco IOS routers
settings 63-6
authentication
routing protocols 56-75
Authentication-Authorization-Accounting
see AAA 48-1
Authentication Header (AH) encryption algorithm 26-30
authentication methods
certificates (RSA signatures) 26-8
in IKE proposals 26-8
preshared keys 26-8
authentication testing
SSH 2-6
Authorization
Cisco IOS routers
settings 63-8
authorization proxy (AuthProxy)
configuring AAA rules 15-7
AuthProxy
configuring settings in Map view 35-24
Auth Proxy Configuration
ASA CX 58-17
AuthProxy dialog box 15-19
AuthProxy settings policy
configuring 15-9
autolink
omitting reserved networks from maps 11-3
automatic conflict detection
resolving conflicts 16-34
understanding 16-28
understanding the user interface 16-30
using 16-28
autonomous system paths
See AS paths
auto signon rules
ASA group policy objects 34-27
Auto Update Server (AUS)
adding 3-36
licensing 10-17
PIX/ASA/FWSM 52-1
add/edit server 52-3, 53-2, 53-3, 53-4
troubleshooting deployment 9-18
Auto Update Server Properties dialog box 3-38
Available Bit Rate (ABR) 62-48
Available Servers dialog box 3-39
B
background image, map
deleting 35-13
importing 35-13
scale and position 35-13
setting 35-13
backup
event data store 69-36
backup.pl command 10-25
Backup command 1-35
backups, Security Manager database 10-25
bandwidth
VPN user reports 70-16
banners
configuring on firewall devices 48-9
benefits of product 1-2
BGP routing
BGP Routing Policy page 67-4
defining routes 67-2
Neighbors dialog box 67-6
on Cisco IOS routers 67-1
PIX/ASA/FWSM 56-2, 56-3
General tab 56-5
IPv4 Family - Aggregate Address configuration 56-9, 56-22
IPv4 Family - Filter configuration 56-10
IPv4 Family - General tab 56-7, 56-21
IPv4 Family - Neighbor configuration 56-11, 56-24
IPv4 Family - Network configuration 56-17, 56-29
IPv4 Family - Redistribution configuration 56-18, 56-30
IPv4 Family - Route Injection configuration 56-19, 56-31
IPv4 Family tab 56-6, 56-20
redistributing routes 67-3
Redistribution Mapping dialog box 67-7
Redistribution tab 67-7
Setup tab 67-5
Bidirectional Neighbor Filter 55-14
Bidirectional Neighbor Filter tab
PIM 55-13
blocking, IPS
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
Blocking page 43-8
Boot image/configuration
PIX/ASA 48-10
add/edit 48-12
bootstrap configuration
Failover 50-26
Botnet Traffic Filter Drop Rules Editor 19-13
botnet traffic filter rules
adding static entries 19-5
blocking blacklisted traffic 19-6
configuring DNS snooping 17-19
configuring in Map view 35-23
configuring the dynamic database 19-4
configuring with IPS global correlation 42-1
databases 19-1
Device Blacklist dialog box 19-15
Device Whitelist dialog box 19-15
Drop Rules Editor 19-13
Dynamic Blacklist Configuration tab 19-10
enabling DNS snooping 19-6
field definitions 19-9
illustrations 19-1
mitigating botnet activity 69-65
monitoring
activity using ASDM 69-64
activity using Event Viewer 69-62, 69-64
overview 69-61
understanding botnet syslog events 69-61
overview 19-1
preserving ACL names 12-4
Report Manager reports
firewall summary botnet reports 70-15
task flow 19-2
traffic classification 19-6
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
understanding 19-1
understanding NAT effects 12-3
understanding processing order 12-2
Whitelist/Blacklist tab 19-14
bridge group
failover
editing 50-17
Bridge Groups
ASA/FWSM
add/edit 46-62
bridge groups
defining 63-20
FWSM 3.1 47-3
Bridging
ASA 5505
Management IPv6 47-11
PIX/ASA/FWSM
ARP configuration 47-5
ARP Inspection 47-5
ARP Inspection, enable/disable 47-6
ARP Table 47-3
MAC Address, add/edit 47-8
MAC Address Table 47-8
MAC Learning 47-9
MAC Learning, enable/disable 47-9
Management IP address 47-10
bridging
Cisco IOS routers
Bridge Group dialog box 63-21
Bridging Policy page 63-21
BVI interfaces 63-19
overview 63-18
configuring transparent firewall rules 23-1
PIX/ASA/FWSM
about 47-1
configuring on 47-1
broadcast attacks, preventing 17-4
broadcasts
enabling directed on routers 62-20
browser plug-ins
configuring 31-60
Bundles 73-13
bypass mode
configuring for IPS 37-12
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 26-51
Cat6k Device dialog box 43-14
Catalyst 6500/7600 devices
configuring FWSM in site-to-site VPNs 25-47
configuring SSH 2-6
default transport protocol 11-22
deployment 8-28
FlexConfig object samples 7-22
IPS blocking devices 43-4
policy discovery for FWSM 5-13
rollback restrictions 8-65
Service Modules 46-1
Catalyst 6500/7600 switches
including in deployment jobs 8-28
Catalyst devices
policy discovery 5-13
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings 33-7
high availability 33-11
IPsec proposals 33-4
user group policies 33-13
VPNSM/VPN SPA/VSPA settings 33-6
Catalyst platform policies
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes 68-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 68-49
IDSM Settings page 68-47
IDSM Slot-Port Selector dialog box 68-50
interfaces/VLANs policy
Access Port Selector dialog box 68-30
Create and Edit Interface dialog boxes-Access Port mode 68-9
Create and Edit Interface dialog boxes-Dynamic Port mode 68-18
Create and Edit Interface dialog boxes-Other mode 68-24
Create and Edit Interface dialog boxes-Routed Port mode 68-12
Create and Edit Interface dialog boxes-subinterfaces 68-22
Create and Edit Interface dialog boxes-Trunk Port mode 68-14
Create and Edit VLAN dialog boxes 68-28
Create and Edit VLAN Group dialog boxes 68-34
Interfaces tab 68-8
Service Module Slot Selector dialog box 68-35
Summary tab 68-3
Trunk Port Selector dialog box 68-31
VLAN Groups tab 68-33
VLAN Selector dialog box 68-35
VLANs tab 68-27
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes 68-41
Create and Edit VLAN ACL dialog boxes 68-41
VLAN Access Lists page 68-39
Catalyst Summary Info command 1-35
Catalyst switches
configuring SSH 2-6
default transport protocol 11-22
showing modules, security contexts, and virtual sensors 3-56
Catalyst switches/7600 routers
troubleshooting deployment 9-16
Catalyst switches and 7600 devices
IDSM mode support 68-43
interface deployment failure 9-16
internal VLAN deployment failure 9-16
supported VTP modes 68-1
Catalyst switches and 7600 Series routers
access ports 68-5
Catalyst Summary Info page 68-2
defining IDSM Data Port VLANs 68-46
defining IDSM EtherChannel VLANs 68-44
defining ports 68-6
defining VACLs 68-37
defining VLAN groups 68-32
defining VLANs 68-26
deleting IDSM Data Port VLANs 68-47
deleting IDSM EtherChannel VLANs 68-45
deleting ports 68-7
deleting VACLs 68-38
deleting VLAN groups 68-33
deleting VLANs 68-27
discovering policies 68-1
generating interface names 68-6
IDSM settings 68-43
IDSM Settings page 68-47
interfaces 68-5
managing 68-1
routed ports 68-5
trunk ports 68-5
viewing interface and VLAN summary 68-3
VLAN Access Lists page 68-39
VLAN ACLs (VACLs) 68-36
VLAN groups 68-31
VLANs 68-25
Catalyst VPN Service Port Adapters (VSPAs)
configuring 25-42
Catalyst VPN Services Module (VPNSM)
configuring 25-42
configuring in remote access VPNs 33-6
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring 25-42
configuring in remote access VPNs 33-6
categories
using 6-13
cautions
significance of 2-lxiii
CCO settings 11-4
CDP
configuring mode for IPS 37-12
CEF Interface Settings dialog box 62-27
CEF interface settings policies 62-25
certificates
accepting 11-4, 11-52
retrieving 11-4, 11-52
viewing 11-4, 11-52
certificates, SSL
adding thumbprints manually 9-5
configuring default settings for how handled 11-22
managing IPS 44-10
certificates for ASA image downloads 11-4
certificates for IPS package downloads 11-52
certificate to connection profile map policies
configuring policy 31-36
configuring rules 31-37
certificate trust management 11-4, 11-52
Change Report dialog box 4-18
change reports
selecting session in non-Workflow mode 4-18
viewing 4-16
Change Reports command 1-34
Checkpoint migration
configuring object group search on ASA 8.3+ devices 16-25
Choose a file dialog box 34-39
Cisco 7600 Series routers
managing 68-1
Cisco AnyConnect Profile Editor 31-63
Cisco Configuration Engine
troubleshooting device setup and deployment 9-18
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces 62-18
Cisco Express Forwarding (CEF)
CEF Interface Settings policy 62-26
CEF router interface settings policies 62-25
importance for QoS 66-2
Cisco IOS IPS
effect of load balancing 45-8
configuration files 45-3
configuration overview 45-4
configuring 45-1
configuring general settings 45-7
configuring interface rules 45-9
getting started 36-1
initial preparation of router 45-5
lightweight signature engines 45-2
limitations and restrictions 45-3
selecting signature category 45-6
understanding 45-1
understanding subsystems and revisions 45-2
Cisco IOS routers
802.1x 64-1
AAA 63-2
accounts and credentials 63-14
ADSL 62-34
advanced interface settings 62-13
available interface types 62-2
basic interface settings 62-1
BGP routing 67-1
configuring IOS IPS 45-1
configuring SSH 2-6
CPU settings 63-25
default AAA server groups 6-31
deploying configurations using TMS 8-43
dialer interfaces 62-28
discovering policies 61-3
Domain Name System (DNS) 63-74
Dynamic Host Configuration Protocol (DHCP) 63-87
EIGRP routing 67-8
host and domain names 63-77
HTTP 63-28
interface deployment failure 9-14
IOS 12.1 and 12.2 61-3
IPS blocking devices 43-4
licenses 2-10
line access 63-35
managing 61-1
memory settings 63-78
NAT 24-5
designating interfaces 24-6
dynamic rules 24-10
static rules 24-6
timeouts 24-13
NetFlow 65-1, 65-5, 65-12
Network Admission Control (NAC) 64-8
Network Time Protocol (NTP) 63-96
optional SSH settings 63-63
OSPF routing 67-19
permanent virtual connections (PVCs) 62-47
platform policies 61-1
Point-to-Point Protocol (PPP) 62-71
policy discovery 5-13
quality of service (QoS) 66-1
RIP routing 67-42
Secure Device Provisioning (SDP) 63-81
setting up SSL (HTTPS) 2-4
SHDSL 62-41
SNMP 63-66
static routing 67-50
syslog logging 65-1
time zone settings 63-22
transparent bridging 63-18
Cisco IOS Software
FlexConfig object samples 7-22
selecting policy types to manage 5-11
Cisco Prime Security Manager
see PRSM 72-20, 72-21
Cisco Secure Desktop configuration objects
creating 33-18
Cisco Security Management Suite server
logging into or exiting 1-12
Cisco Technical Assistance Center
creating diagnostic file 10-28
generating data 10-28
generating deployment or discovery status reports 10-30
generating partial database backup 10-30
Cisco Trust Agent (CTA) 64-9
CiscoWorks Common Services
backing up and restoring Security Manager 10-24
logging into or exiting 1-12
CiscoWorks user authorization, effect on what you can do 1-11
Class-Based Policing 66-6
class maps
understanding 6-78
Clear Connection Configuration dialog box 15-25
clear xlate
PIX/ASA/FWSM platform 60-1
CLI commands
FlexConfig objects 7-2
client applications 72-2
client connection characteristics
configuration modes 28-3
configuring policies for Easy VPN 28-7
extended authentication (xauth) 28-4
clientless access mode 30-4
client settings
configuring AnyConnect 31-64
understanding AnyConnect 31-62
client-side file browsing 1-50
enabling or disabling 11-10
CLI prompt
configuring on firewall devices 48-12
Clock
PIX/ASA/FWSM 48-14
clock
Cisco IOS routers
overview 63-22
clock settings
Cisco IOS routers
Clock Policy page 63-23
Clone Device command 1-30
Clone Policy Bundle dialog box 5-58
Clone Policy command 1-32
Clone Policy dialog box 5-47
Close Activity command 1-36
Close All Reports command (Report Manager) 70-8
Close Report command (Report Manager) 70-8
Close Ticket command 1-37
cluster, server
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
Cluster Information page, device properties 3-50
clustering 3-9
cluster load balancing
configuring 31-5
understanding 31-5
understanding FQDN redirection 31-5
CNS
deploying configurations 8-41
deployment method 8-10
setting up on PIX Firewall and ASA devices 2-8
color rules, configuring in Event Viewer 69-40
Combine Rules Selection Summary dialog box 12-24
commands
Activities menu 1-36
Edit menu (Configuration Manager) 1-31
Event Viewer File menu 69-9
Event Viewer View menu 69-10
File menu (Configuration Manager) 1-30
Help menu (Configuration Manager) 1-38
Launch menu 1-37
Manage menu 1-34
Map menu 1-33
Policy menu (Configuration Manager) 1-32
Report Manager menus 70-8
Tickets menu 1-36
Tools menu (Configuration Manager) 1-34
View menu (Configuration Manager) 1-31
Common Services
licensing 10-17
communication, device
troubleshooting 9-8
community list objects
properties 56-153
configurable dashboard for IPS and FW 72-1
configuration
initial Security Manager 1-25
understanding rollback 8-63
Configuration Archive
adding configurations from devices 8-59
overview 8-15
rolling back to archived configuration files 8-70
rolling back when deploying to file 8-71
settings 11-6
version viewer 8-60
viewing and comparing configuration versions 8-59
viewing transcripts 8-62
window 8-23
Configuration Archive command 1-34
Configuration Archive page 11-6
Configuration Engine
adding 3-36
setting up 2-8
Configuration Engine Properties dialog box 3-38
configuration files
deploying in non-Workflow mode 8-28
deploying in Workflow mode 8-34, 8-39
deploying to 8-11
deploying to an AUS or CNS 8-41
deploying to a TMS 8-43
deployment process overview 8-1
factory-default configurations 46-2
previewing 8-44
redeploying to devices 8-53
rolling back after deploying to file 8-71
rolling back to archived configurations 8-70
rolling back to devices 8-69
selecting 1-50
web VPN policy discovery restrictions 3-8
configuration location, configuring for IOS IPS 45-7
Configuration Manager
overview 1-14
using 1-14
configurations
adding to the Configuration Archive 8-59
avoiding out-of-band changes 8-47
detecting out-of-band changes 8-45
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rolling back 8-63
rolling back Catalyst 6500/7600 8-65
rolling back failover devices 8-65
rolling back IPS and IOS IPS 8-66
rolling back multiple context mode 8-64
understanding out-of-band changes 8-12
viewing and comparing 8-59
configuration session
selecting session for change reports 4-18
viewing change reports 4-16
configuration sessions
discarding 4-22
configuration views 1-14
Configure dialog box 17-22
Configure DNS dialog box 17-19
Configure ESMTP dialog box 17-20
Configure Fragments dialog box 17-20
Configure Hardware Ports
ASA 5505 46-61
Configure IMAP dialog box 17-21
Configure POP3 dialog box 17-21
Configure RPC dialog box 17-21
Configure SMTP dialog box 17-20
Config Version Viewer (Preview Configuration) dialog box 8-44
conflict analysis reports
generating 16-34
conflict detection
resolving conflicts 16-34
understanding 16-28
understanding the user interface 16-30
using 16-28
connection
PIX/ASA/FWSM
identity-aware rules 13-21
rules 58-5
Connection Alias dialog box 31-25, 31-34
Connection Profile dialog box
AAA tab 31-13
General tab 31-10
IPSec tab 31-19
Secondary AAA tab 31-17
SSL tab 31-22
connection profiles
configuring 31-7
configuring for Easy VPN 28-13
properties
AAA 31-13
general 31-10
IPSec 31-19
policy overview 31-8
secondary AAA 31-17
SSL 31-22
sharing among multiple ASAs 30-8
Connection Profiles page 31-8
Connection Settings
MPC rule wizard
tab 58-8
connection timeout
device communication settings 11-22
Connection URL dialog box 31-25
connectivity, testing device 9-1
console
Cisco IOS routers
AAA tab 63-44
Accounting tab 63-47
Authentication tab 63-44
Authorization tab 63-45
Console Policy page 63-42
Setup tab 63-42
console port
Cisco IOS routers
defining AAA settings 63-37
defining setup parameters 63-35
Console timeout
PIX/ASA/FWSM 49-1
Constant Bit Rate (CBR) 62-48
contained modules
showing 3-56
content rewrite rules
defining for SSL VPN on ASA 31-53
Context-Based Access Control
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
preventing DoS attacks on IOS devices 17-5
selecting protocols 17-3
understanding 17-2
understanding access rule requirements 17-4
Context Editor dialog box (IOS) 33-15
contexts
see “security contexts” 59-1
continuity check (CC) cells 62-51
control plane (CP)
defining QoS on 66-12
policing on 66-9
Control Plane Policing 66-9
conventions 2-lxiii
cookie challenges 26-37
Copy command 1-31, 12-9
Copy Policies Between Devices command 1-32
Copy Policies wizard 5-33
CPU settings
defining utilization settings 63-25
overview 63-25
CPU Throttling Policy 11-33
CPU utilization
CPU Policy page 63-26
Create a Clone of Device dialog box 3-56
Create Activity dialog box 4-14
Create a Policy dialog box 5-54
Create Discovery Task dialog box 5-18
Create Extranet VPN Topology wizard
overview 25-66
Create Filter dialog box 1-46
Create Group Policy wizard
Clientless and Thin Client Access Modes page 30-24
Full Tunnel page 30-21
Group Policy page 30-20
using 30-20
Create Overrides for Device dialog box 6-20
Create Policy Bundle dialog box 5-57
Create Text Object dialog box 7-32
Create Ticket dialog box 4-14
Create VPN Topology wizard
Device Selection page 25-32
Edit Endpoints dialog box 25-34
Endpoints page 25-34
GET VPN Group Encryption page 25-54
GET VPN Peers page 25-60
High Availability page 25-52
Name and Technology page 25-30
overview 25-28
VPN Defaults page 25-62
credential objects
attributes 28-9
credentials
configuring on firewall devices 48-17
device manager validation 72-14
IPS module 3-20
service module 3-19
testing 9-1
understanding device 3-4
Credentials page
HTTPS port number
overriding with HTTP policy 3-47
Credentials page, device properties 3-45
crypto maps
understanding 26-19
CSC
MPC rule wizard
tab 58-8
CSDM Policy Editor dialog box 32-46
CS-MARS
access to Security Manager 72-37
configuring servers 11-7
discovering or changing controller used by device 72-39
events
historical and real-time lookup 72-41
looking up 72-41
integrating with Security Manager 72-36
integration with Security Manager 72-36
looking up Security Manager policies based on events 72-45
NetFlow 72-47
query
troubleshooting 72-40
registering in Security Manager 72-38
supported log messages 72-46
viewing access rule events 72-42
viewing IPS signature events 72-44
CS-MARS page 11-7
CSMDiagnostics.zip
setting debug options 11-11
CSMDiagnostics.zip file, creating 10-28
CSM Mobile 72-11
settings page 11-9
CSM Monitor widget 72-7
CSM tab, Licensing page 11-57
CSV (comma-separated values) files
supported formats for device inventory 10-9
CSV file
export HPM data as 71-31
Customize Desktop Settings page 11-10
Customized Toolbar command 1-32
Custom Protocol dialog box 17-22
Custom Report List command (Report Manager) 70-9
Cut command 1-31, 12-9
cut-through proxy, configuring 13-23
CX
ASA module
detecting 72-21
CXSC
MPC rule wizard
tab 58-8
D
Dashboard
CSM Mobile settings page 11-9
Dashboard tabs
default view 72-8
rearranging 72-8
Dashboard widgets for device health trends 72-2
database
backing up 10-25
backing up and restoring 10-24
generating partial backups for TAC 10-30
restoring 10-27
DCE/RPC policy map objects
creating 17-22
properties 17-29
DCS.properties file
DCS.doSerialAccessForFWSMVCs property 9-17
DCS.FWSM.checkThreshold property 9-17
SSH settings 9-7
warning message expression properties 9-10
DDNS
PIX/ASA/FWSM 52-18
add interface rules 52-19
update methods 52-19
update methods, add/edit 52-20
dead-peer detection (DPD) 26-33
debugging
configuring debug levels 11-11
Debug Options page 11-11
Default Report Settings command (Report Manager) 70-9
defaults, configuring 11-1
Delete Device command 1-30
Delete Map command 1-33
Delete Map dialog box 35-10
Delete Row command 1-31
denial of service (DoS) attacks
configuring inspection settings to mitigate 17-111
preventing in SMTP using zone based firewall 21-27
preventing on IOS devices using inspection 17-5
preventing using IKEv2 cookie challenge 26-37
preventing using unicast reverse path forwarding (RPF) 62-20
deny
inspection
rules 17-5
Deploy command 1-31
Deploy Job dialog box 8-39
deployment
Add Other Devices dialog box 8-58
Auto Update Server 8-41
Catalyst 6500/7600 devices 8-28
changes not deployed when using schedules 8-55
changing device message severity level to ignore errors 9-10
changing FWSM multiple-context deployment to serial 9-17
Cisco Networking Services configuration engine 8-41
clearing xlate on 60-1
configuration files, to 8-11
configurations 8-28
creating jobs in Workflow mode 8-35
creating or editing schedules 8-55
Deployment Manager window 8-16
device communication settings 9-4
devices, directly to 8-9
devices, through intermediate server 8-10
Edit Deploy Method dialog box 8-30
Edit Selected Deployment Method dialog box 8-30
error attempting to remove unreferenced object 9-12
errors
OS version mismatches 8-13
generating status report 10-30
handling OS version mismatches 8-13
managing 8-1
methods 8-8
minimum memory errors for ASA 8.3+ 9-12
non-Workflow mode 8-3
optimizing access rules 16-46
out-of-band changes
avoiding 8-47
detecting and analyzing 8-45
understanding 8-12
process overview 8-1
rolling back archived configurations 8-70
rolling back configurations 8-63
rolling back configurations, Catalyst 6500/7600 8-65
rolling back configurations, command conflicts 8-67
rolling back configurations, commands to recover from failover misconfiguration 8-68
rolling back configurations, failover devices 8-65
rolling back configurations, IPS and IOS IPS devices 8-66
rolling back configurations, multiple context mode 8-64
rolling back configuration when deploying to file 8-71
rolling back to last deployed configuration 8-69
setting debug options 11-11
suspending or resuming schedules 8-58
system settings 11-13
task flow
non-Workflow mode 8-3
Workflow mode 8-5
tips for successful jobs 8-27
TMS server 8-43
troubleshooting 9-1, 9-9
ADSL or PVC deployment failures 9-15
AUS problems 9-18
Catalyst interface settings 9-16
Catalyst internal VLANs 9-16
Catalyst switch and modules 9-16
Configuration Engine problems 9-18
Error Writing to Server messages 9-15
HTTP Response Code 500 messages 9-15
layer 2 interfaces 9-15
mixing deployment methods with routers and VPNs 9-14
router interface settings 9-14
routers 9-14
Security Manager cannot contact device 9-12
VPNs with routing processes 9-13
troubleshooting device communication 9-8
troubleshooting router connection failures 2-2
troubleshooting SSL certificate errors 9-5
troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 25-17
understanding 8-1
understanding configuration rollback 8-63
using a Cisco Networking Services (CNS) server 8-41
viewing device details 8-26
viewing job summary 8-26
viewing status and history for jobs and schedules 8-26
viewing transcripts 8-62
Warning - Partial VPN Deployment dialog box 8-31
Workflow mode 8-5, 8-34, 8-39
working with 8-25
Deployment—Create or Edit a Job dialog box 8-35
deployment jobs
aborting 8-55
approval 8-7
approving 8-39
creating and editing in non-Workflow mode 8-28
creating and editing in Workflow mode 8-35
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
multiple users 8-8
redeploying 8-53
rejecting 8-39
states
non-Workflow mode 8-4
Workflow mode 8-6
submitting 8-38
viewing history 8-26
Deployment Manager
overview 8-15, 8-16
Deployment Manager window 8-16
Deployment Schedules tab 8-21
Deployment page
PIX/ASA/FWSM Platform
clear xlate 60-1
Deployment Schedules tab 8-21
Deployments command 1-34
Deployment Settings page 11-13
Deployment Status Details dialog box 8-32
Deployment Workflow Commentary dialog boxes 8-20
Deploy Saved Changes dialog box 8-28
DES encryption algorithm
in IKE proposals 26-6
Designated Router
PIX/ASA/FWSM 55-12
Destination Contents dialog box 12-14
Dest Port Map dialog box 41-12
Detect Out of Band Changes command 1-35
device
AAA administration 48-4
firewall types 46-1
viewing inventory status 72-12
Device Access
FWSM
Resources, add/edit 51-4
PIX/ASA/FWSM 49-1
console timeout 49-1
host name 51-1
HTTP configuration 49-3
HTTP page 49-2
ICMP rules 49-4
ICMP rules, add/edit 49-5
Management Access interface 49-6
Secure Shell, add/edit host 49-8
Secure Shell (SSH) 49-7, 49-8
Server Access 52-1, 53-1
SNMP host access 49-22
SNMP page 49-17
SNMP Trap configuration 49-19
Telnet configuration 49-29
Telnet page 49-29
user accounts 51-7
user accounts, add/edit 51-7
device access policies
defining 63-14
Device Admin
FWSM
Resources 51-3
device administration policies
configuring on firewall devices 48-1
device authentication
adding SSL thumbprints manually 9-5
SSL certificate default configuration 11-22
Device Blacklist dialog box 19-15
device clusters 3-9
device communication
changing device message severity level 9-10
managing settings 9-4
routers without K8/K9 crypto image 9-8
Security Manager cannot contact device after deployment 9-12
troubleshooting failures 9-8
Device Communication page 11-21
device communications
troubleshooting 9-1
device communication settings
connection timeout 11-22
retry count 11-22
socket read timeout 11-22
Device Connectivity Test dialog box 9-3
device credentials
understanding 3-4
Device Credentials page 3-45
Device Delete Validation dialog box 3-59
device groups 3-59, 3-62
adding or removing devices 3-63
creating group types 3-62
deleting groups or types 3-63
understanding 3-60
Device Groups page 3-49, 11-24
device health trends in Dashboard 72-2
Device Information page - Add Device from File 3-33
Device Information page - Configuration File 3-23
Device Information page - Network 3-14
Device Information page - New Device 3-27
device inventory
exporting
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
using command line utility 10-10
importing
device with policies 10-13
importing with policies 10-13
managing 3-1
sharing with PRSM 72-22
testing device connectivity 9-1
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
working with 3-36
device manager
access rule look up 72-17
ASDM 72-15
access rule look-up 72-18
credentials 72-14
IDM 72-15
PDM 72-15
prerequisites 72-16
SDM 72-16
access rule look-up 72-19
starting from HPM 71-3, 71-27
starting from Security Manager 72-14
troubleshooting 72-16
xdm-launcher.exe 72-16
Device Manager command 1-37
Device Properties
Cluster Information page 3-50
Credentials page 3-45
Device Groups page 3-49
General page 3-41
Policy Object Override pages
general reference 3-52
device properties
changes with policy effects 3-54
changing critical 3-52
image version changes with no policy effects 3-53
understanding 3-6
viewing or changing 3-40
Device Properties command 1-35
Device Properties page
creating object overrides 6-19
deleting overrides 6-21
overview 3-40
device response
to appear as an error message 9-10
devices
adding 3-6
adding configurations to the Configuration Archive 8-59
adding from configuration files 3-22
adding from inventory file 3-31
adding from network 3-12
adding local rules to shared policies 5-45
adding manually 3-26
adding or changing modules 3-40
assigning shared policies 5-44
avoiding out-of-band changes 8-47
changing critical properties 3-52
changing those selected for reports 70-22
cloning or duplicating 3-56
cloning shared policies 5-47
communication requirements 2-1
communication settings and certificates 9-4
configuring ASA licenses 2-9
configuring IOS licenses 2-10
configuring local policies 5-31
copying policies between 5-33
creating policy object overrides 6-19
deleting from inventory 3-58
deleting policy object overrides 6-21
deployment through intermediate server 8-10
deployment to 8-9
detecting out-of-band changes 8-45
discovering or changing CS-MARS controller 72-39
discovering policies 5-12
discovering policies on existing devices 5-15
dynamic IP addresses 3-36
image version changes with no policy effects 3-53
including in deployment jobs or schedules 8-8
including unmanaged or non-Cisco in a VPN 25-11
inheriting policy rules 5-47
maps
adding existing managed 35-16
adding new managed 35-16
displaying devices from Device View 35-16
displaying managed 35-16
removing managed 35-16
showing containment for Catalyst switches, ASA, PIX, IPS devices 35-16
modifying policy assignment 5-49
modifying shared policies 5-49
naming conventions 3-3
overview of monitoring 1-7
policy status icons 5-30
preparing for management 2-1
property changes with policy effects 3-54
redeploying configuration files to 8-53
redeploying configurations to replaced hardware 8-53
renaming policies 5-48
replacing policies 5-44
rolling back configurations 8-69, 8-70, 8-71
selecting in site-to-site VPNs 25-32
selecting multiple 1-45
sharing multiple policies 5-42
sharing with PRSM 72-22
showing contained modules 3-56
system variables 7-7
testing connectivity 9-1
troubleshooting communication 9-8
troubleshooting communication and deployment 9-1
troubleshooting device discovery failures 3-7
unassigning policies 5-36
understanding out-of-band changes 8-12
unsharing policies 5-43
using global search to find specific devices 1-42
what counts as a device 3-3
device selector
filtering 1-45
Device Selector dialog box 1-45
Device Server Assignment dialog box 9-9
device status view
working with 3-64
Device Status View command 1-32
Device view
adding local rules to shared policies 5-45
assigning shared policies 5-44
cloning shared policies 5-47
configuring local policies 5-31
configuring VPN topologies 25-19
copying policies between devices 5-33
inheriting policies 5-47
managing policies 5-30
modifying policy assignments 5-49
modifying shared policies 5-49
overview 1-15
policy banner 5-38
policy shortcut menu 5-40
policy status icons 5-30
renaming policies 5-48
sharing local policies 5-41
sharing multiple policies 5-42
unassigning policies 5-36
understanding basic policy management 5-31
understanding shared policies 5-37
unsharing policies 5-43
device view
understanding 3-1
Device View command 1-32
Device Whitelist dialog box 19-15
DHCP
Cisco IOS routers
defining address pools 63-91
defining policies 63-90
DHCP Database dialog box 63-94
DHCP Policy page 63-92
IP Pool dialog box 63-94
overview 63-87
understanding database agents 63-88
understanding option 82 63-89
understanding relay agents 63-88
understanding secured ARP 63-89
configuring passthrough for IOS devices 23-3
PIX/ASA/FWSM 52-10
add/edit servers 52-12
advanced configuration 52-13
configuring DHCP servers 52-10
server options 52-13
traffic blocked 9-15
DHCP relay
interface-specific 46-41
Option 82 46-41, 52-5
PIX/ASA/FWSM 52-5, 52-7
add/edit agent 52-6
add/edit server 52-7
Trusted Interface (Option 82) 46-41, 52-5
DHCPv6 relay
PIX/ASA/FWSM
add/edit agent 52-9
add/edit server 52-9
diagnostics
setting debug options 11-11
diagnostics file, creating 10-28
dial backup
configuring in Easy VPN 28-2
configuring in VPN 25-40
configuring VPN advanced settings 25-41
Dial Backup Settings dialog box 25-41
dialer interfaces
defining BRI properties 62-30
defining profiles 62-28
Dialer Physical Interface dialog box 62-33
Dialer Policy page 62-31
Dialer Profile dialog box 62-32
on Cisco IOS routers 62-28
Diffie-Hellman groups
in IKE proposals 26-7
Digital Subscriber Line (DSL) 62-34
digital subscriber line-access multiplexer (DSLAM) 62-35
directed broadcasts
enabling 62-20
Disable/enable NAT rules 24-34, 24-46
Discard Activity command 1-36
Discard Activity dialog box 4-22
Discard command 1-31
Discard Deployment Job dialog box 8-20
Discard Ticket command 1-37
Discard Ticket dialog box 4-22
discovering
remote access VPNs 30-12
site-to-site VPNs 25-24
Discover Policies on Device command 1-32
Discover VPN Policies command 1-32
Discover VPN Policies wizard 25-24
discovery
default behavior settings 11-25
generating status report 10-30
invalid certificate error 9-7
overview 1-20
security certificate error 9-5, 9-6
setting debug options 11-11
Discovery Settings page 11-25
Discovery Status dialog box 5-23
discovery task
frequently asked questions 5-27
starting 5-15
viewing status 5-22
disk space, monitoring event data store 69-35
Display Actual Size command 1-33
Distributed Traffic Shaping (DTS) 66-7
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 27-11
configuring 27-12
configuring GRE modes 27-12
large scale DMVPNs
configuring 27-16
configuring server load balancing 27-17
overview 27-1, 27-9
spoke-to-spoke connections 27-10
supported platforms 25-9
understanding 27-10
DNS
configuring for inspection rules 17-19
PIX/ASA/FWSM
add/edit server group 52-16
add server 52-17
servers page 52-14
DNS class map objects
creating 17-22
match criteria 17-36
DNS policy map objects
creating 17-22
match conditions and actions 17-36
properties 17-32
DNS servers
configuring for IPS global correlation 36-24
DNS snooping 19-6
dock
report windows 70-30
view windows 69-38
Dock Map View command 1-33
documentation
conventions 2-lxiii
Domain AD Server dialog box 13-10
Domain Name System (DNS)
Cisco IOS routers
defining policies 63-75
DNS Policy page 63-76
IP Host dialog box 63-76
overview 63-74
do not ask warnings, resetting 11-10
drill-down reports 70-26
DSLAM 62-35
duration
VPN user reports 70-16
dynamic access policies
attributes 32-4, 32-7
configuring 32-2
managing 32-1
understanding 32-1
dynamic access policies (DAP) 32-30
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box 32-21
Add/Edit DAP Entry dialog box > AAA Attributes Cisco 32-22
Add/Edit DAP Entry dialog box > AAA Attributes LDAP 32-24
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 32-25
Add/Edit DAP Entry dialog box > Anti-Spyware 32-26
Add/Edit DAP Entry dialog box > Anti-Virus 32-27
Add/Edit DAP Entry dialog box > AnyConnect Identity 32-28
Add/Edit DAP Entry dialog box > Application 32-29
Add/Edit DAP Entry dialog box > File 32-31
Add/Edit DAP Entry dialog box > NAC 32-32
Add/Edit DAP Entry dialog box > Operating System 32-33
Add/Edit DAP Entry dialog box > Personal Firewall 32-34
Add/Edit DAP Entry dialog box > Policy 32-35
Add/Edit DAP Entry dialog box > Process 32-36
Add/Edit DAP Entry dialog box > Registry 32-37
Advanced Expressions tab 32-44
Logical Operations tab 32-42
Main tab 32-14
Dynamic Access Policy page (ASA) 32-11
Cisco Secure Desktop Manager Policy Editor dialog box 32-46
Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 32-12
Dynamic Blacklist Configuration tab 19-10
dynamic crypto maps 26-19
dynamic filter snooping (DNS)
enabling 17-19
Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 25-6
dynamic NAT
Cisco IOS routers 24-10
Dynamic Translation Rule
PIX/ASA/FWSM 24-22
add/edit 24-23
dynamic VTI
configuring in Easy VPN 28-12
in remote access VPNs 33-7
understanding use in Easy VPN 28-3
E
Easy VPN
configuration modes 28-3
configuration overview 28-5
configuring client connection characteristics 28-7
configuring dial backup 28-2
configuring dynamic VTI 28-12
configuring high availability 28-2
connection profile policies 28-13
connection profiles (ASA, PIX 7+) 31-8
extended authentication (xauth) 28-4
important configuration notes 28-6
IPsec proposals 28-10
mandatory and optional policies 25-6
overview 28-1
supported platforms 25-9
understanding 28-1
understanding dynamic VTI 28-3
user group policies 28-14
ECMP 22-4
Edit AAA Option dialog box 15-19
Edit AAA Rule dialog box 15-13
Edit AAA Server dialog box 6-33
Edit AAA Server Group dialog box 6-49
Edit Access Rule dialog box 16-14
Edit Actions dialog box 39-12
Edit activity state 4-4
Edit AOL Class Map dialog box 17-28, 21-19
Edit A Port Forwarding Entry dialog box 34-41
Edit ASA Group Policies dialog box
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
overview 34-1
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
Edit A Smart Tunnel Entry dialog box 34-67, 34-70
Edit AS Path Entry dialog box 56-152
Edit AS Path Object dialog box 56-151
Edit Auto Signon Rules dialog box 34-27
Edit Auto Update Settings dialog box 11-54
Edit Category dialog box 12-14
Edit Cisco Secure Desktop Configuration dialog box 34-35
Edit Client Access Rules dialog box 34-12
Edit Client Update dialog box 34-81
Edit Column dialog box 34-61
Edit Community List Entry dialog box 56-154, 56-155
Edit Community List Object dialog box 56-153
Edit Custom Pane dialog box 34-62
Edit DCE/RPC Map dialog box 17-29
Edit Deploy Method dialog box 8-30
Edit Description dialog box 12-14
Edit Destinations dialog box 12-11
Edit Device Groups command 1-31
Edit Device Groups dialog box 3-61
Edit DNS Class Map dialog box 17-28
Edit DNS Map dialog box
Filtering tab 17-34, 17-35
overview 17-32
Protocol Conformance tab 17-33
Edit eDonkey Class Map dialog box 17-28, 21-19
Edit Endpoints dialog box
FWSM tab 25-47
overview 25-34
Protected Networks tab 25-46
VPN Interface tab 25-36, 25-50
VPNSM/VPN SPA/VSPA settings, VPN Interface tab 25-42
VRF Aware IPsec tab 25-48
Edit ESMTP Map dialog box 17-39
Edit Extended Access Control Entry dialog box 6-61
Edit Extended Access List dialog box 6-59
Edit External Filter dialog box 21-41
Edit Extranet VPN dialog box
overview 25-66
Edit FastTrack Class Map dialog box 17-28, 21-19
Edit Fidelity dialog box 39-13
Edit File Object dialog box 34-37
Edit FlexConfig dialog box 7-30
Edit FTP Class Map dialog box 17-28
Edit FTP Map dialog box 17-42
Edit Gnutella Class Map dialog box 17-28, 21-19
Edit Group Member dialog box 29-21
Edit GTP Map dialog box 17-45
Edit H.323 Class Map dialog box 17-28, 21-19
Edit H.323 Map dialog box 17-51, 21-34
Edit HSI Endpoint IP Address dialog box 17-54
Edit HSI Group dialog box 17-53
Edit HTTP Class Map dialog box 17-28, 21-19
Edit HTTP Map dialog box 21-34
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-58
Extension Request Method tab 17-61
General tab 17-57
overview 17-56
Port Misuse tab 17-62
RFC Request Method tab 17-60
Transfer Encoding tab 17-63
ASA 7.2+ and PIX 7.2+ devices 17-64
Edit ICQ Class Map dialog box 17-28, 21-19
Edit IKEv1 Proposal dialog box 26-10
Edit IKEv2 Proposal dialog box 26-14
Edit IMAP Class Map dialog box 17-28, 21-19
Edit IMAP Map dialog box 21-34
Edit IM Class Map dialog box 17-28
Edit IM Map dialog box 21-34
ASA and PIX devices 17-70
IOS device 17-73
Edit Inspect/Application FW Rule wizard
Address and Port page 17-13
Inspected Protocol page 17-17
Match Traffic page 17-11
Edit Inspect Parameter Map dialog box 21-31
Edit Interfaces dialog box 12-13
Edit IP Options Map dialog box 17-75
Edit IPsec Pass Through Map dialog box 17-80
Edit IPSec Transform Set dialog box 26-27
Edit IPv4 Pool Object dialog box 6-92
Edit IPv6 Map dialog box 17-77, 17-91
Edit IPv6 Pool Object dialog box 6-93
Edit Kazaa2 Class Map dialog box 17-28, 21-19
Edit Key Server dialog box 29-19
Edit Language dialog box 34-56
Edit LDAP Attribute Map dialog box 6-46
Edit LDAP Attribute Map Value dialog box 6-47
Edit Load Balancing Parameters dialog box 27-17
Edit Local Web Filter Class Map dialog box 17-28, 21-19
Edit Local Web Filter Parameter Map dialog box 21-38
Edit MAC Address Pool Object dialog box 6-94
Edit Map Value dialog box 6-47
Edit Match Condition and Action dialog box
DNS policy maps 17-36
ESMTP policy maps 17-40
FTP policy maps 17-43
GTP policy maps 17-49
H.323 (IOS) policy maps 21-35
H.323 policy maps 17-54
HTTP (Zone Based IOS) policy maps 21-35
HTTP policy maps 17-66
IM (Zone Based IOS) policy maps 21-35
IMAP policy maps 21-35
IM policy maps 17-71
IPv6 policy maps 17-78, 17-92
P2P policy maps 21-35
POP3 policy maps 21-35
SIP (IOS) policy maps 21-35
SIP policy maps 17-85, 17-95
Skinny policy maps 17-89
SMTP policy maps 21-35
Sun RPC policy maps 21-35
Web Filter policy maps 21-35
Edit Match Criterion dialog box
AOL class maps 21-21
DNS class maps 17-36
eDonkey class maps 21-21
FastTrack class maps 21-21
FTP class maps 17-43
Gnutella class maps 21-21
H.323 (IOS) class maps 21-22
H.323 class maps 17-54
HTTP (IOS) class maps 21-22
HTTP class maps 17-66
ICQ class maps 21-21
IMAP class maps 21-25
IM class maps 17-71
Kazaa2 class maps 21-21
Local Web Filter class maps 21-29
MSN Messenger class maps 21-21
N2H2 class maps 21-30
POP3 class maps 21-25
SIP (IOS) class maps 21-25
SIP class maps 17-85, 17-95
SMTP class maps 21-27
Sun RPC class maps 21-29
Websense class maps 21-30
Windows Messenger class maps 21-21
Yahoo Messenger class maps 21-21
Edit menu
Configuration Manager 1-31
Edit MSN Messenger Class Map dialog box 17-28, 21-19
Edit N2H2 Parameter Map dialog box 21-39
Edit N2H2 Web Filter Class Map dialog box 17-28, 21-19
Edit NAT Rule dialog box
ASA 8.3+ 24-36
Edit NetBIOS Map dialog box 17-81
Edit Network/Host dialog box
General tab 6-83
NAT tab 24-42
Edit Options dialog box 16-17
Edit P2P Map dialog box 21-34
Edit Permit Response dialog box 17-48
Edit Per-Session NAT Rule dialog box 24-47
Edit PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Edit PKI Enrollment dialog box
CA Information tab 26-60
Certificate Subject Name tab 26-66
Enrollment Parameters tab 26-63
overview 26-58
Trusted CA Hierarchy tab 26-67
Edit Policy Assignments command 1-32
Edit Policy List Object dialog box 56-143
Edit POP3 Class Map dialog box 17-28, 21-19
Edit Port Forwarding List dialog box 34-40
Edit Port List dialog box 6-102
Edit Prefix List Entry dialog box 56-148, 56-150
Edit Prefix List Object dialog box 56-146, 56-148
Edit Protocol Info Parameter Map dialog box 21-33
Edit Regular Expression dialog box 17-108
Edit Regular Expression Group dialog box 17-108
Edit Route Map Entry dialog box 56-137
Edit Route Map Object dialog box 56-136
Edit Row command 1-31
Edit Rule Section dialog box 12-22
Edit Security Association dialog box 25-58
Edit Selected Deployment Method dialog box 8-30
Edit Server dialog box
Protocol Info Parameter maps 21-34
Edit Server Group dialog box 15-19
Edit Service dialog box 6-103
Edit Services dialog box 12-13
Edit Signature dialog box 39-15
Edit Signature Parameter—Component List dialog box 39-29
Edit Signature Parameters dialog box 39-24
Edit Single Sign On Server dialog boxes 34-42
Edit SIP Class Map dialog box 17-28, 21-19
Edit SIP Map dialog box 17-83, 17-93, 17-102, 17-103, 21-34
Edit Skinny Map dialog boxes 17-87
Edit SLA Monitor dialog box 51-10
Edit Smart Tunnel Auto Signon Entry dialog box 34-72
Edit Smart Tunnel Auto Signon Lists dialog box 34-71
Edit Smart Tunnel Lists dialog box 34-66, 34-69
Edit SMTP Class Map dialog box 17-28, 21-19
Edit SMTP Map dialog box 21-34
Edit SNMP Map dialog box 17-90
Edit Sources dialog box 12-11
Edit SSL VPN Customization dialog box 34-51
Applications 34-60
Copyright Panel 34-58
Custom Panes 34-61
Full Customization 34-59
Home Page 34-62
Informational Panel 34-57
Language 34-54
Logon Form 34-56
Logout Page 34-63
Title Panel 34-53
Toolbar 34-59
Edit SSL VPN Gateway dialog box 34-64
Edit Standard Access Control Entry dialog box 6-64
Edit Standard Access List dialog box 6-59
Edit Sun RPC Class Map dialog box 17-28, 21-19
Edit Sun RPC Map dialog box 21-34
Edit TCP Map dialog box 58-22
Edit TCP Option Range dialog box 58-25
Edit Text Object dialog box 7-32
Edit Time Range dialog box 6-71
Edit Traffic Flow dialog box 58-18
Edit Translated Address dialog box 24-29
Edit Transparent EtherType dialog box 23-7
Edit Transparent Firewall Rule dialog box 23-5
Edit Transparent Mask dialog box 23-7
Edit Trend Content Filter Class Map dialog box 17-28, 21-19
Edit Trend Parameter Map dialog box 21-42
Edit Unified Access Control Entry dialog box 6-67
Edit Update Server Settings dialog box 11-52
Edit URL Domain Name dialog box 21-45
Edit URLF Glob Parameter Map dialog box 21-45
Edit URL Filter Parameter Map dialog box 21-43
Edit User Credentials dialog box 36-19
Edit User dialog box 12-12
Edit User Group dialog box
Advanced PIX 6.3 settings 34-82
Browser Proxy settings 34-87
Client (IOS) settings 34-78
Clientless settings 34-83
Client VPN Software Update (IOS) settings 34-81
DNS/WINS settings 34-77
General settings 34-75
IOS Xauth Options settings 34-80
overview 34-73
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN Connection settings 34-88
SSL VPN Full Tunnel settings 34-84
SSL VPN Split Tunneling settings 34-86
Technology settings 34-73
Thin Client settings 34-84
Edit VDI Server dialog box 34-15
Edit Virtual Sensor dialog box 38-7, 38-8
Edit VPN dialog box
Device Selection tab 25-32
Edit Endpoints dialog box 25-34
Endpoints tab 25-34
High Availability tab 25-52
Name and Technology tab 25-30
overview 25-28
Edit Web Access Control Entry dialog box 6-65
Edit Web Filter Map dialog box 21-47
Edit Web Filter Options dialog box 18-9
Edit Web Filter Type dialog box 18-8
Edit Websense Parameter Map dialog box 21-39
Edit Websense Web Filter Class Map dialog box 17-28, 21-19
Edit Web Type Access List dialog box 6-59
Edit Windows Messenger Class Map dialog box 17-28, 21-19
Edit WINS Server dialog box 34-90
Edit WINS Server List dialog box 34-89
Edit Yahoo Messenger Class Map dialog box 17-28, 21-19
Edit Zones dialog box 12-13
eDonkey class map objects
creating 21-16
match criteria 21-21
EIGRP routing
defining interface properties 67-10
defining routes 67-9
EIGRP Routing Policy page 67-13
Interface dialog box 67-16
Interfaces tab 67-15
on Cisco IOS routers 67-8
PIX/ASA/FWSM
advanced settings 56-34
Filter Rule configuration 56-40
Filter Rules tab 56-39
Interface configuration 56-48
Interfaces tab 56-47
neighbor configuration 56-42
Neighbors tab 56-41
policy 56-32
redistribution configuration 56-44
Redistribution tab 56-42
Setup tab 56-36
Summary Address configuration 56-46
Summary Address tab 56-45
redistributing routes 67-12
Redistribution Mapping dialog box 67-18
Redistribution tab 67-17
Setup dialog box 67-14
Setup tab 67-13
e-mail
blocking spam using zone-based firewall rules 21-27
preventing DoS attacks 21-27
e-mail notifications
configuring SMTP server 1-27
PIX/ASA/FWSM
recipient set-up 54-8
syslog messages 54-8
embedded event manager
add/edit action configuration 54-7
add/edit applet 54-5
add/edit syslog configuration 54-7
ASA 54-3
Enable/disable NAT rules 24-34, 24-46
Enable PIM and IGMP
PIX/ASA/FWSM 55-1
Encapsulating Security Protocol (ESP) encryption algorithm 26-29
encoding rules
defining for SSL VPN (ASA) 31-55
encryption algorithms
3DES (Triple DES) 26-6
AES (Advanced Encryption Standard) 26-6
DES (Data Encryption Standard) 26-6
in IKE proposals 26-6
endpoints and protected networks
configuring dial backup 25-40
defining in GET VPN topologies 25-60
defining in VPN topologies 25-34
VPN Interface tab 25-36, 25-50
equal-cost multi-path 22-4
Error Writing to Server deployment errors 9-15
ESMTP
configuring for inspection rules 17-20
ESMTP policy map objects
creating 17-22
match conditions and actions 17-40
properties 17-39
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes 68-49
defining IDSM VLANs 68-44
deleting IDSM VLANs 68-45
EtherChannels
ASA 46-9
edit assigned interface 46-12
LACP 46-12
load balancing 46-13
evaluation license
upgrading to permanent license 10-16
event
lists 54-9
add/edit 54-10
syslog class
add/edit 54-11
syslog message ID
add/edit 54-11
Event Action Filters page 40-7
Event Action Overrides page 40-13
event actions, IPS
configuring filter rules 40-4
configuring network information 40-17
configuring OS maps 40-21
configuring overrides 40-13
configuring settings 40-23
configuring target value ratings 40-17
example filter rule 69-67
filter rule attributes 40-9
filter rules policy 40-7
filter rules tips 40-6
overview 40-1
possible actions 40-2
process overview 40-1
Event Management page 11-27, 11-35
CPU Throttling Policy dialog box 11-33
event manager applet 54-3
Event Manager service
configuring 69-30
managing 69-30
monitoring event store disk space 69-35
monitoring status 69-31
selecting devices to monitor 69-34
starting and stopping 69-30
status icon colors 69-31
events
archiving (backing up) the event data store 69-36
configuring firewall devices (ASA, FWSM) 69-28
configuring IPS devices 69-29
copying 69-53
CS-MARS 72-46
looking up 72-41
looking up policies based on related events 72-45
Netflow support for policy lookup 72-47
viewing access rule events 72-42
viewing IPS signature events 72-44
ensuring time synchronization 69-27
Event Viewer
clearing filters 69-48
context menu 69-49
cross-launching from HPM 69-58
filtering by column 69-45
filtering by events 69-47
filtering overview 69-43
looking up 69-55
looking up policies based on related events 69-54
refreshing event table 69-44
selecting time range 69-43
text searches (quick filter) 69-47
using time slider with filtering 69-44
viewing access rule events 69-56
viewing IPS signature events 69-57
examining details 69-53
examples of analysis
mitigating botnet activity 69-65
monitoring and mitigating botnet activity 69-61
monitoring botnet activity using ASDM 69-64
monitoring botnet activity using Event Viewer 69-62
monitoring botnet activity using Report Manager 69-64
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-17
overview 69-58
removing false positive IPS events 69-66
understanding botnet syslog events 69-61
user access to server blocked 69-59
performing operations on 69-49
properties 69-18
recovering the event data store 69-36
saving to a file 69-53
understanding Event Viewer access control 69-4
viewing 69-1
Event Viewer
archiving (backing up) the event data store 69-36
arranging views 69-38
ASA devices, configuring to provide events 69-28
columns 69-18
configuring color rules 69-40
configuring Event Manager service 69-30
copying events 69-53
creating custom views 69-41
cross-launching from HPM 69-58
deleting custom views 69-43
editing view name and description 69-41
ensuring time synchronization 69-27
Event Monitoring window 69-14
events
context menu 69-49
historical and real-time lookup 69-55
looking up 69-55
event table
customizing appearance 69-39
event details pane 69-26
refreshing 69-44
time slider 69-25
toolbar 69-16
examining event details 69-53
examples of analysis
mitigating botnet activity 69-65
monitoring and mitigating botnet activity 69-61
monitoring botnet activity 69-62
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-17
overview 69-58
removing false positive IPS events 69-66
understanding botnet syslog events 69-61
user access to server blocked 69-59
features
historical views 69-2
overview 69-1
policy navigation 69-3
real-time views 69-2
views and filters 69-3
File menu reference 69-9
filters
advantages of using network/host objects 69-67
clearing 69-48
column based 69-45
event based 69-47
overview 69-43
submission requirements for policy objects 69-68
text searches (quick filter) 69-47
time range 69-43
time slider 69-44
floating views 69-38
FWSM devices, configuring to provide events 69-28
IPS devices, configuring to provide events 69-29
limits of 69-4
looking up Security Manager policies based on events 69-54
managing service 69-30
monitoring event store disk space 69-35
monitoring status 69-31
opening views 69-38
overview 69-7
performing operations on 69-49
preparation for use 69-27
recovering the event data store 69-36
saving events 69-53
saving views 69-42
selecting devices to monitor 69-34
settings 11-27, 11-35
starting or stopping the Event Manager service 69-30
status icon colors 69-31
switching between IP addresses and host object names 69-39
switching between real-time and historical views 69-42
syslogs 69-6
troubleshooting
Event Viewer Unavailable message 11-27, 11-36, 69-30
policy objects not available for filtering 69-68
understanding access control 69-4
using 69-37
using views 69-37
viewing access rule events 69-56
viewing IPS signature events 69-57
view list 69-12
View menu reference 69-10
Event Viewer command 1-38
exclusive domains
configuring for IOS devices 18-10
Exit command 1-31
Exit command (Report Manager) 70-8
exiting
Cisco Security Management Suite server 1-12
CiscoWorks Common Services 1-12
Security Manager 1-11, 1-12
expiration dates
configuring for access rules 16-22
export
device inventory
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
HPM data 71-31
IPS event action overrides 40-13
IPS event filter rules 40-4, 40-7
policy objects 6-23
reports 70-28
shared policies 10-12
Export Devices or Policies commands 1-30
Export Inventory dialog box 10-6
Export Map command 1-33
External Product Interface dialog box 36-27
External Product Interface policy 36-26
F
factory-default configurations 46-2
failover
Active/Active
command replication 50-4
configuration synchronization 50-3
add new context to group 2 50-8
configuring in site-to-site VPN 25-52
edit bridge group 50-17
FWSM 50-13
advanced settings 50-16
PIX/ASA 50-17
Add Failover Group 50-25
settings 50-21
PIX/ASA/FWSM 50-10
active/active 50-2, 50-3
active/standby 50-2
bootstrap configuration 50-26
configuration basics 50-5
configuring 50-1
interface configuration 50-23
interface MAC address 50-23
security context 50-26
stateful 50-3, 50-4
stateless 50-3
types of 50-2
understanding 50-1
PIX 6.3 50-10
interface configuration 50-12
stateful in site-to-site VPN 25-54
false negatives
definition of 39-23
false positives
definition of 39-23
FastTrack class map objects
creating 21-16
match criteria 21-21
feature sets 1-4
File menu
Configuration Manager 1-30
Event Viewer 69-9
Report Manager 70-8
file objects
attributes 34-37
selecting 34-39
files
deploying to 8-11
selecting or specifying 1-50
Filter Item dialog box 40-9
filter rules, event action (IPS)
attributes 40-9
configuring 40-4
example rule 69-67
exporting 40-4
policy 40-7
tips 40-6
filters
Event Viewer
clearing 69-48
column based 69-45
context menu 69-49
event based 69-47
overview 69-43
refreshing event list 69-44
selecting time range 69-43
text searches (quick filter) 69-47
using time slider 69-44
filtering selectors 1-45
filtering tables 1-48
HPM
column based 71-17
custom 71-18
filters (Event Viewer)
advantages of using network/host objects 69-67
overview 69-3
submission requirements for policy objects 69-68
Find and Replace dialog box 12-17
find and replace in rules policies 12-16
Find Map Node command 1-33
Find Node dialog box 35-12
FirePOWER
ASA module
detecting 72-21
FireSIGHT Management Center
starting from Security Manager 72-20
FireSIGHT Management Center command 1-37
Firewall
AAA IOS Timeout Values 15-30
firewall
AAA firewall
advanced settings 15-20
configuring 15-6
MAC exempt lists 15-26
AAA firewall policy
advanced settings 15-20
configuring 15-6
AAA page 15-28
AAA rules
configuring AAA firewall settings 15-6
configuring AuthProxy settings 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring security group aware 14-17
managing 15-1
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
Access Control page 16-24
access controls
per user downloadable ACLs 16-27
access control settings
configuring settings 16-23
access rule
event analysis example, user access blocked 69-59
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
viewing related CS-MARS events 72-42
viewing related events 69-56
access rules
address requirements 16-5
configuring 16-7
configuring expiration dates 16-22
configuring identity aware 13-21
configuring security group aware 14-17
how deployed 16-5
import examples 16-44
importing 16-40
IPS blocking, effect of 43-4
managing 16-1
optimizing during deployment 16-46
sharing ACLs among interfaces 11-18
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding requirements when using inspection 17-4
ACL naming conventions 12-5
adding rules 12-9
analysis reports 16-34
AuthProxy
configuring 15-9
AuthProxy settings policy
configuring 15-9
botnet traffic filter rules 19-9
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring policies in Map view 35-23
configuring settings 18-15
configuring settings policies in Map view 35-23
conflict detection 16-28
converting IPv4 rules 12-28
deleting rules 12-9
device types 46-1
disabling rules 12-20
editing rules 12-10
enabling rules 12-20
finding and replacing items in rules policies 12-16
Firewall ACL Setting dialog box 16-26
identity-aware policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-38, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Inspection page 17-111
inspection rules
add/edit rule wizard 17-11, 17-13, 17-17
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
configuring security group aware 14-17
managing 17-1
preventing DoS attacks on IOS devices 17-5
selecting protocols 17-3, 17-17
understanding 17-2
understanding access rule requirements 17-4
inspection settings
configuring for IOS devices 17-111
introduction 12-1
IPv6 access rules
configuring expiration dates 16-22
sharing ACLs among interfaces 11-18
understanding global 16-3
MAC exempt lists, AAA firewall 15-26
managing rules tables 12-7
moving rules 12-19
object groups
expanding during discovery 12-35
optimizing network object groups during deployment 12-35
overview 12-1
per user downloadable ACLs 16-27
policy discovery 5-13
policy query
example report 12-34
generating reports 12-28
interpreting results 12-32
preserving ACL names 12-4
reference information for AAA rules 15-20
resolving access rule conflicts 16-34
resolving ACL naming conflicts 12-7
rule table sections 12-20
security group aware policies
configuring ISE settings 11-56
configuring rules 14-17
security group-aware policies
configuring 14-7
managing 14-1
system variables 7-9
transparent rules
adding or editing a rule 23-5
configuring 23-1
configuring passthrough for IOS devices 23-3
editing the EtherType 23-7
editing the mask 23-7
managing 23-1
Transparent Rules page 23-3
TrustSec firewall policies
configuring 14-7
managing 14-1
overview 14-1
TrustSec policies
monitoring 14-17
understanding NAT effects 12-3
understanding rule order 12-19
understanding rule processing order 12-2
using rules tables 12-8
Web Filter page 18-16
web filter rules
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
managing 18-1
understanding 18-1
zone-based firewall
add/edit zones 21-53
advanced options 21-67
configuring PAM 21-69
configuring rules 21-13, 21-62
configuring settings 21-49
Content Filter tab 21-52
designing network zones 21-1
development overview 21-12
Global Parameters tab 21-50
page 21-50
protocol selection 21-68
rules table 21-58
tabs 21-49
VPN tab 21-50
WAAS tab 21-50
Zones tab 21-50
zone-based firewalls
changing the default drop rule 21-48
general recommendations 21-12
IPSec VPN 21-6
logging 21-1
overview 21-1
restrictions 21-3
Self zone 21-5
troubleshooting 21-54
understanding 21-3
understanding permit/deny and action 21-8
understanding services and protocols 21-11
VRF 21-7
Firewall AAA IOS Timeout Value Setting dialog box 15-30
Firewall AAA MAC Exempt Setting dialog box 15-27
Firewall ACL Setting dialog box 16-26
Firewall Device dialog box 43-14
Firewall Services Module
see FWSM 47-1
Fit to Window command 1-33
FlexConfig objects
adding to policies 7-35
ASA samples 7-20
Catalyst 6500/7600 samples 7-22
changing order in policies 7-35
changing variable values 7-35
Cisco IOS Software samples 7-22
CLI commands 7-2
configuring 7-25
configuring AAA for administrative introducers 63-84
creating 7-28
creating text objects 7-32
deleting variables 7-28
PIX firewall samples 7-23
previewing CLI 7-35
properties 7-30
property selector 7-34
removing from policies 7-35
router samples 7-24
samples 7-19
scripting language
example of looping 7-3
example of looping with if/else statements 7-4
example of two-dimensional looping 7-3
understanding 7-3
system variables
device 7-7
firewalls 7-9
remote access VPN 7-19
router 7-13
understanding 7-7
VPN 7-14
undefined variables 7-33
understanding 7-2
variables 7-5
variables, example 7-6
FlexConfig policies
adding objects 7-35
changing object order 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
editing 7-35
previewing CLI 7-35
removing objects 7-35
understanding 7-2
FlexConfig Policy page 7-36
FlexConfig Preview dialog box 7-38
FlexConfigs
creating (scenario) 7-25
managing 7-1
troubleshooting 7-38
FlexConfig Undefined Variables dialog box 7-33
float
report windows 70-30
view windows 69-38
floodguard 57-2
FQDN objects
creating 6-82
understanding 6-80
fragmentation
configuring settings in VPNs 26-31, 26-44
fragments settings 57-2
frequently asked questions
policy discovery 5-27
FTP class map objects
creating 17-22
match criteria 17-43
FTP policy map objects
creating 17-22
match conditions and actions 17-43
properties 17-42
full mesh topologies
description 25-4
partial mesh 25-5
full tunnel client access mode 30-5
FWSM
AAA support 6-28
about 46-1
adding SSL thumbprints manually 9-5
adding when using multiple-context mode 3-7
adding when using non-default HTTPS (SSL) port 3-7
Asymmetric Routing Groups 46-6
Bridge Groups
add/edit 46-62
bridge groups 47-3
changing deployment method to serial for multiple-context mode 9-17
configuring for event management 69-28
configuring FWSM endpoints in site-to-site VPNs 25-47
configuring transparent firewall rules 23-1
credentials 3-19
deleting security contexts 59-7
deployment failures after changing interface policies 9-16
deployment failures in multiple-context mode 9-16
deployment failures with large ACLs 9-17
Device Access
managing Resources 51-2
Resources 51-3
Resources, add/edit 51-4
discovering failover modules 3-7
Event Viewer support 69-4
Failover 50-13
advanced settings 50-16
edit bridge group 50-17
including in deployment jobs 8-28
interfaces
add/edit 46-31
configuring 46-3
General tab 46-33
IPv6 46-47, 46-73
IPv6, add/edit 46-52
IPv6, add/edit prefixes 46-54, 46-56
managing 46-26
packet capture, using 72-30
PDM 72-15
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions for failover devices 8-65
rollback restrictions for multiple context mode 8-64
security contexts
configuration 59-8
selecting policy types to manage 5-11
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-22
TCP State Bypass 58-3
troubleshooting deployment 9-16
G
General
PIX/ASA/FWSM
security policies 57-1
General Configuration tab, SNMP policy for IPS 36-10
General page, device properties 3-41
General tab, IPS blocking policy 43-10
General tab (Translation Rules)
PIX/ASA/FWSM 24-31
generic routers 3-8
GET VPN
anti-replay, time based 29-11
configuring 29-12
configuring global ISAKMP and IPsec settings 29-16
configuring group members 29-20
cooperative key servers 29-7
defining group encryption 25-54
generating, synchronizing RSA keys 29-13
group members
adding 29-19
editing 29-21
IKE proposal 29-15
key servers
adding 29-19
editing 29-19
mandatory and optional policies 25-6
migrating to 29-23
overview 29-1
receive-only SAs 29-23
registration
choosing the rekey transport mechanism 29-6
configuring fail-close mode 29-8
registration process 29-4
SAs
passive SA mode 29-23
receive-only mode 29-23
security policy 29-10
supported platforms 25-9
troubleshooting 29-25
understanding 29-2
GET VPNs
group encryption policies
certificate authorization 25-58
security associations 25-58
global correlation
configuring 42-1
configuring DNS servers 36-24
configuring HTTP proxy server 36-24
configuring inspection and reputation 42-5
configuring network participation 42-7
configuring with Botnet Traffic Filtering 42-1
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
Global Search
using 1-42
Global Search command 1-31
global settings
remote access VPN
configuring 26-30
Gnutella class map objects
creating 21-16
match criteria 21-21
GRE (generic routing encapsulation) VPN
advantages of IPsec tunneling with GRE 27-3
configuring 27-5
configuring GRE modes 27-6
dynamically addressed spokes 27-5
implementation 27-3
overview 27-1, 27-2
prerequisites for successful configuration 27-3
supported platforms 25-9
understanding 27-2
GRE Dynamic IP
mandatory and optional policies 25-6
GRE Modes Page
DMVPN properties 27-12
GRE or GRE Dynamic IP properties 27-6
overview 27-1
Group Domain of Interpretation (GDOI) protocol 29-3
group encryption
defining in GET VPN topologies 25-54
Group Encryption Policy page (GET VPN) 25-54
group members
adding 29-19
communication flow 29-2
configuring fail-close mode 29-8
editing 29-21
GET VPN
registration process 29-4
security policy ACLs 29-10
group members (GET VPN)
configuring 29-20
Group Members page (GET VPN) 29-20
group policies
configuring 31-26
creating 31-28
understanding 31-27
VPNs
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
Group Policies page 31-26
groups
adding or removing devices 3-63
creating 3-62
deleting 3-63
understanding 3-60
working with 3-59
group types
creating 3-62
deleting 3-63
GTP map objects
Add Country Network Codes dialog box 17-48
Edit Country Network Codes dialog box 17-48
GTP Map Timeouts dialog box 17-48
GTP policy map objects
creating 17-22
match conditions and actions 17-49
properties 17-45
H
H.323 class map objects
IOS
creating 21-16
match criteria 21-22
match criteria 17-54
H.323 policy map objects
ASA/PIX/FWSM
creating 17-22
properties 17-51
IOS
creating 21-16
match conditions and actions 21-35
match conditions and actions 17-54
hash algorithms
in IKE proposals 26-6
MD5 26-7
SHA 26-6
Health & Performance Monitor command 1-38
Health and Performance Monitor
see HPM 71-1
viewing related events in Event Viewer 69-58
Health and Performance Monitor in Dashboard 72-2
help
accessing 1-52
Help About This Page command 1-38
helper addresses 62-14
Help menu
Configuration Manager 1-38
Help Topics command 1-38
Hide Navigation Window command 1-33
high availability (HA groups)
configuring in Easy VPN 28-2
configuring in site-to-site VPN 25-52
stateful/stateless failover 25-54
high availability policies
configuring in remote access VPNs 33-11
Histogram dialog box 41-13
histograms
configuring anomaly detection 41-11
understanding anomaly detection 41-9
Hit Count Details
example 16-38
Hit Count Details page 16-36
Hit Count Selection Summary dialog box 16-20
Hostname
PIX/ASA/FWSM 51-1
hostnames
Cisco IOS routers
defining 63-77
Hostname Policy page 63-78
overview 63-77
HPM
access control 71-3
Alerts
firewall 71-37
IPS 71-35
VPN 71-39
VPN, SNMP configuration 71-40
alerts 71-32
acknowledging 71-42
clearing 71-42
configuring 71-34
history 71-43
viewing 71-41
application window 71-6
Alerts display 71-32
Monitoring display 71-25
columns
Alert table 71-16
Device-related 71-8
showing/hiding 71-8
sorting 71-8
VPN-related 71-13
configuring for 71-4
custom views 71-24
device
monitoring 71-21
monitoring multiple contexts 71-3
priority monitoring 71-32
views 71-21
Device Manager
launching 71-3, 71-27
device manager
cross-launch 71-32
devices
managing 71-5
email notifications
configuring 71-34
export data 71-31
filters
column based 71-17
introduction 71-1
launching 71-4
List Filter 71-19
monitoring
device details 71-28
device status list 71-27
RA and S2S views 71-30
Summary 71-27
VPN details 71-28
VPN Summary list 71-27
overview 71-1
read time-out 2-3, 71-4
Remote Access
log-off user 71-30
settings page 11-36
tables
showing/hiding columns 71-8
sorting columns 71-8
trending 71-2
viewing related events in Event Viewer 69-58
views
closing 71-23
custom 71-24
docking 71-24
floating 71-24
list 71-21
opening 71-23
tiling 71-23
HTML file
export HPM data as 71-31
HTTP
Cisco IOS routers
AAA tab 63-32
Command Authorization Override dialog box 63-34
defining policies 63-29
HTTP Policy page 63-31
overview 63-28
Setup tab 63-31
PIX/ASA/FWSM 49-2
configuration 49-3
HTTP (ASA, PIX) class map objects
creating 17-22
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 17-22
properties 17-56
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 17-22
properties 17-64
HTTP (IOS) class map objects
creating 21-16
creating for zone-based firewall content filtering 21-36
match criteria 21-22
HTTP (Zone Based IOS) policy map objects
creating 21-16, 21-36
match conditions and actions 21-35
HTTP class map objects
match criteria 17-66
HTTP-FORM
settings in AAA server objects 6-44
HTTP policy
overriding HTTPS port number 3-47
sharing
HTTPS port number 3-47
HTTP policy map objects
match conditions and actions 17-66
HTTP proxy server
configuring for IPS global correlation 36-24
HTTP Response Code 500 deployment errors 9-15
HTTPS
setting up 2-3
troubleshooting certificate errors 9-5
hub-and-spoke topology
description 25-2
joined hub-and-spoke topology 25-5
tiered hub-and-spoke topologies 25-5
I
ICMP rules
PIX/ASA/FWSM 49-4
add/edit 49-5
ICMP settings
configuring on IOS routers 62-18
icons
Configuration Manager toolbar reference 1-39
event table toolbar reference 69-16
Event Viewer status color code 69-31
map elements 35-14
ICQ class map objects
creating 21-16
match criteria 21-21
identity-aware firewall policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring layer 2 SGT imposition 46-44
configuring rules 13-21
configuring security group tagging 46-44
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-38, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Identity Configuration wizard
Active Directory Agent Settings 13-13
Active Directory Settings 13-11
Preview 13-15
Identity Settings page 11-38
identity user group objects
creating 13-19
selecting 13-21
user identity acquisition 13-2
idle timeout, Security Manager client 11-10
IDM
device manager 72-15
IDSM
adding when using non-default HTTPS (SSL) port 3-7
Create and Edit IDSM Data Port VLANs dialog boxes 68-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 68-49
credentials 3-19
defining Data Port VLANs 68-46
defining EtherChannel VLANs 68-44
deleting Data Port VLANs 68-47
deleting EtherChannel VLANs 68-45
deployment failures when changing data port VLAN running mode 9-17
IDSM Settings page 68-47
IDSM Slot-Port Selector dialog box 68-50
mode support limitations 68-43
troubleshooting deployment 9-16
understanding settings on Catalyst devices 68-43
IE 10 security settings 10-2
IGMP
PIX/ASA/FWSM
Access Group parameters 55-5
Access Group tab 55-5
enable 55-1
Join Group parameters 55-7
Join Group tab 55-7
page 55-2
parameters 55-4
Protocol tab 55-3
Static Group parameters 55-6
Static Group tab 55-6
ignore error message, configure Security Manager to 9-10
IKE (Internet Key Exchange)
comparing version 1 and 2 26-4
configuring IKE and IPsec policies 26-1
configuring IKEv2 authentication 26-68
configuring proposal 26-9
Diffie-Hellman modulus groups 26-7
encryption algorithms 26-6
hash algorithms 26-6
IKEv2 Authentication policy 26-70, 26-72
overview 26-2
selecting the IKE version for devices in site to site VPNs 26-26
understanding 26-5
IKE keepalive
understanding 26-33
IKE proposal objects
v1 properties 26-10
v2 properties 26-14
IKE proposals (policies)
in GET VPNs 29-15
IKEv2 Authentication dialog box 26-72
IKEv2 Authentication page 26-70
IKEv2 settings
configuring 26-37
configuring cookie challenges 26-37
IM (ASA7.2+/PIX7.2+) policy map objects
creating 17-22
properties 17-70
IM (IOS) policy map objects
creating 17-22
properties 17-73
IM (Zone Based IOS) policy map objects
creating 21-16
match conditions and actions 21-35
IM (Zone based IOS) policy map objects
creating 21-16
Image Management 73-1
supported versions 73-2
Image Manager 73-9, 73-16
abort installation job 73-35
Add Image 73-11
Bootstrapping Devices 73-8
bundled images 73-30
bundles 73-13
create 73-13
delete 73-15
rename 73-15
view images 73-14
compatible images 73-17
configuring install location 73-19
device memory 73-18
devices 73-16
Getting Started 73-1
Installation Job Summary 73-33
installation wizard 73-26
installing compatible images on devices 73-30
installing images on selected devices 73-31
job approval workflow 73-36
jobs 73-32
RAM 73-17
Repository 73-9
retry on installation failure 73-35
roll back 73-35
settings 11-41
supported image types 73-5
supported platforms 73-2
Troubleshooting 73-37
update validation 73-23
updating images on devices 73-20
Using 73-1
Admin Settings 73-6
View All Images 73-10
view device information 73-16
view installation job details 73-34
Image Manager command 1-38
images
view 73-10
image updates 73-20
IMAP
configuring for inspection rules 17-21
IMAP class map objects
creating 21-16
match criteria 21-25
IM applications
match conditions for zone-based firewalls 21-21
protocol information for IM application inspection 21-33
IMAP policy map objects
creating 21-16
match conditions and actions 21-35
IM class map objects
creating 17-22
match criteria 17-71
IM policy map objects
match conditions and actions 17-71
import
device inventory 3-31
device with policies 10-13
policy objects 6-23
Import Background Image dialog box 35-13
Import Rules wizard
Enter Parameters page 16-41
Preview page 16-43
Status page 16-42
inheritance
inheriting rules 5-47
understanding 5-4
understanding signature policies 39-3
versus assignment 5-6
Inherit Rules command 1-32
Inherit Rules dialog box 5-47
Inspect/Application FW Rule wizard
Address and Port page 17-13
Inspected Protocol page 17-17
Match Traffic page 17-11
inspection
deny rules 17-5
global correlation (IPS)
configuring 42-5
inspection map objects
understanding 6-78
inspection rules
ACL naming conventions 12-5
add/edit rule wizard 17-11, 17-13, 17-17
choosing interfaces 17-2
configuring 17-5
configuring custom protocol name 17-22
configuring DNS settings 17-19
configuring ESMTP settings 17-20
configuring fragment inspection 17-20
configuring identity aware 13-21
configuring in Map view 35-23
configuring RPC settings 17-21
configuring security group aware 14-17
configuring settings for IOS devices 17-111
configuring settings in Map view 35-24
configuring SMTP settings 17-20
deep inspection options
IMAP 17-21
POP3 17-21
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
Inspection Rules page 17-8
managing 17-1
moving 12-19
preserving ACL names 12-4
preventing DoS attacks on IOS devices 17-5
selecting protocols 17-3, 17-17
understanding 17-2
understanding access rule requirements 17-4
understanding NAT effects 12-3
understanding processing order 12-2
Inspection Rules page 17-8
Inspection settings page 17-111
inspect maps
policy maps
Add Country Network Codes dialog box 17-48
Edit Country Network Codes dialog box 17-48
Inspect parameter map objects
properties 21-31
Inspect Parameters map objects
creating 21-16, 21-36
installing
Security Manager client 1-12
Integrated Local Management Interface (ILMI) 62-50
Interactive Authentication Configuration dialog box 15-24
Interface Name Conflict dialog box 6-78
Interface Properties dialog box 35-19
Interface Role Contents dialog box 12-14
interface role objects
creating 6-74
defining subinterfaces 6-76
distinguishing from interfaces 6-76
handling conflicts between role and interface names 6-78
Interface Role dialog box 6-75
specifying during policy definition 6-76
understanding 6-73
use when a single interface name is allowed 6-77
interfaces
adding or changing modules 3-40
ASA
edit EtherChannel-assigned interface 46-12
EtherChannels 46-9, 46-13
LACP 46-12
ASA/FWSM
IPv6 46-47, 46-73
IPv6, add/edit 46-52
IPv6, add/edit prefixes 46-54, 46-56
ASA 5505 46-6
ASA devices
Advanced tab 46-41
IP Type 46-58
Catalyst switches and 7600 Series routers
Access Port Selector dialog box 68-30
Create and Edit Interface dialog boxes-Access Port mode 68-9
Create and Edit Interface dialog boxes-Dynamic Port mode 68-18
Create and Edit Interface dialog boxes-Other mode 68-24
Create and Edit Interface dialog boxes-Routed Port mode 68-12
Create and Edit Interface dialog boxes-subinterfaces 68-22
Create and Edit Interface dialog boxes-Trunk Port mode 68-14
Create and Edit VLAN dialog boxes 68-28
Create and Edit VLAN Group dialog boxes 68-34
defining ports 68-6
deleting ports 68-7
generating names 68-6
Interfaces/VLANs page-Interfaces tab 68-8
Interfaces/VLANs page-Summary tab 68-3
Interfaces/VLANs page-VLAN Groups tab 68-33
Interfaces/VLANs page-VLANs tab 68-27
Service Module Slot Selector dialog box 68-35
Trunk Port Selector dialog box 68-31
understanding 68-5
VLAN Selector dialog box 68-35
Cisco IOS routers
Advanced Interface Settings dialog box 62-16
Advanced Interface Settings page 62-16
available types 62-2
Create Router Interface dialog box 62-8
defining advanced settings 62-13
defining basic settings 62-4
defining CEF interface settings 62-25
defining IPS module settings 62-22
deleting from 62-6
generating names 62-4
Interface Auto Name Generator dialog box 62-12
overview 62-1
Router Interfaces page 62-7
understanding helper addresses 62-14
configuring IOS IPS rules 45-9
configuring multiple contexts 59-3
distinguishing from interface roles 6-76
failover
MAC address 50-23
PIX/ASA/FWSM 50-23
PIX 6.3 50-12
IPS
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IP Type
PIX 6.3 46-30
PIX/ASA
allocation in security contexts 59-12
IP Type 46-58
PPPoE Users 46-71
redundant 46-8
subinterfaces 46-7, 46-15
VPDN groups 46-72
PIX/ASA/FWSM
add/edit 46-31
Advanced settings 46-68
configuring 46-3
contexts 46-5
DDNS update rules 52-19
enabling traffic between same security levels 46-70
General tab 46-33
manage 46-26
management access 49-6
understanding 46-3
PIX/ASA 7+ devices
MAC address 46-60
PIX 6.3
add/edit 46-28
routed and transparent 46-5
specifying during policy definition 6-76
specifying subinterfaces 6-76
throughput delay 62-18
Interface Selector dialog box (VLAN ACL Content) 68-42
Interfaces page (IPS) 37-6
Interface Specific Authentication Server Groups dialog box 31-16
Interface Specific Client Address Pools dialog box 31-12
inventory
deleting devices from 3-58
export devices
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
using command line utility 10-10
import devices
device with policies 10-13
inventory, device
adding devices 3-6
adding devices from configuration files 3-22
adding devices from inventory file 3-31
adding devices from network 3-12
adding devices manually 3-26
device status view
working with 3-64
managing 3-1
testing device connectivity 9-1
troubleshooting device discovery failures 3-7
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
viewing inventory status 72-12
working with 3-36
Inventory Status command 1-35
Inventory Status window 72-13
Inverse ARP 62-61
inverse multiplexing over ATM (IMA) 62-40
IOS devices
configuring transparent firewall rules 23-1
remote access IPSec VPNs
user group policies 33-13
remote access IPsec VPNs
creating using wizard 30-36
remote access SSL VPNs
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
creating using wizard 30-32
remote access VPNs
configuring SSL VPN policies 33-14
Context Editor dialog box (IOS) 33-15, 33-16
Dynamic VTI/VRF Aware IPsec settings 33-7
high availability 33-11
IPsec proposals 33-4
SDM 72-16
IOS IPS
effect of load balancing 45-8
comparing to IPS appliances and service modules 36-2
configuration files 45-3
configuration overview 45-4
configuring 45-1
configuring general settings 45-7
configuring interface rules 45-9
configuring target value ratings 40-17
event actions
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
getting started 36-1
initial preparation of router 45-5
lightweight signature engines 45-2
limitations and restrictions 45-3
selecting signature category 45-6
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
understanding 45-1
understanding subsystems and revisions 45-2
IOS Software Release 12.1 and 12.2
managing routers 61-3
IOS Web Filter Exclusive Domain Name dialog box 18-14
IOS Web Filter Rule and Applet Scanner dialog box 18-13
IP address
supporting dynamic 3-36
IP addresses
network masks 6-81
specifying in policies 6-87
IP Intelligence
settings 11-41
IP Intelligence dialog box 72-35
IP Intelligence in Report Manager 72-35
IP Intelligence Settings in Dashboard 72-2
IP Intelligence using Quick Launch 72-35
IP Intelligence widget 72-35
IP Options policy map objects
creating 17-22
properties 17-75
IPS
IPS Module router interface settings policies 62-22
MPC rule wizard
tab 58-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 58-5
IPS alerts
properties 69-18
IPS Certificates dialog box 44-10
IPS command 1-34
IPS Devices
selecting for Event Viewer 69-34
IPS devices
adding SSL thumbprints manually 9-5
allowed hosts 36-7
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
detection zones 41-3
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
blocking
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
capturing network traffic 36-2
certificates 44-10
changing those selected for reports 70-22
configuration overview 36-5
configuration overview for IOS IPS 45-4
configuring AAA 36-21
configuring Analysis Engine global variables 36-30
configuring DNS servers 36-24
configuring for event management 69-29
configuring for report management 70-3
configuring HTTP proxy server 36-24
configuring NTP 36-23
configuring OS maps 40-21
configuring SNMP 36-8
configuring target value ratings 40-17
configuring the external product interface 36-26
configuring user accounts 36-18
credentials, IPS router modules 3-20
deployment of passwords 36-17
deployment topology 36-4
discovery of passwords 36-17
event actions
example filter rule 69-67
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
Event Viewer support 69-4
getting started 36-1
global correlation
configuring 42-1
configuring inspection and reputation 42-5
configuring network participation 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
initializing 2-10
interfaces
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IPS modules for ASA 58-15
license, exporting 11-59
licenses
automating 44-3
managing 44-1
redeploying 44-2
updating 44-1
looking up signature policies for CS-MARS events 72-45
looking up signature policies for Event Viewer events 69-54
managing 44-1
managing user accounts and passwords 36-15
monitoring
removing false positive IPS events 69-66
passive OS fingerprinting 40-19
password requirements 36-20
policy discovery 5-14
rebooting 44-12
Report Manager reports
general VPN reports 70-19
IPS top reports 70-17
rollback restrictions 8-66
showing containment 3-56
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
configuring settings 39-30
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
SSL certificate configuration 11-22
traffic flow notifications 36-30
tuning recommendations 36-4
understanding managed and unmanaged passwords 36-16
understanding network sensing 36-2
understanding user roles 36-15
updates
automatically applying 44-6
checking for and downloading 44-5
configuring server 44-4
managing 44-4
manually applying 44-7
user account attributes 36-19
viewing signature events in CS-MARS 72-44
viewing signature events in Event Viewer 69-57
virtual sensors
advantages 38-3
assigning interfaces 38-4
attributes 38-7
configuring 38-1, 38-5
deleting 38-10
editing policies 38-9
identifying 38-5
inline TCP session tracking mode 38-3
Normalizer mode 38-4
renaming 38-8
restrictions 38-3
understanding 38-1
IPsec
remote access VPNs
access policies for IKEv2 (ASA), configuring 31-49
access policies for IKEv2 (ASA), reference 31-45
access policies for IKEv2 (ASA), understanding 31-44
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1) 31-37
cluster load balancing 31-5
configuring IKE and IPsec policies 26-1
connection profiles 31-7
connection profiles (ASA, PIX 7+) 31-8
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
Dynamic VTI/VRF Aware IPsec settings 33-7
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
high availability policies 33-11
IKE proposals 26-9
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
NAT settings 26-42
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
understanding 30-2
understanding IKE 26-5
understanding NAT settings 26-41
user group policies 33-13
VPNSM, VPN SPA, VSPA settings 33-6
wizard 30-13
IPsec/GRE VPN
advantages of IPsec tunneling with GRE 27-3
configuring 27-5
configuring GRE modes 27-6
dynamically addressed spokes 27-5
implementation 27-3
overview 27-1, 27-2
prerequisites for successful configuration 27-3
supported platforms 25-9
understanding 27-2
IPSec Client Software Update dialog box 31-22
IPsec Pass Through policy map objects
creating 17-22
properties 17-80
IPsec Proposal Editor dialog box
ASA and PIX 7.0+ devices 31-41
IOS and PIX 6.3 devices 33-4
IPsec proposals
configuring for Easy VPN 28-10
configuring for remote access VPNs
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring in site-to-site VPNs 26-22
overview 26-2
remote access VPNs
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring for ASA and PIX 7.0+ devices 31-40
configuring for IOS and PIX 6.3 devices 33-3
selecting the IKE version for devices 26-26
understanding 26-18
understanding crypto maps 26-19
understanding site-to-site 26-19
understanding transform sets 26-20
using reverse route injection 26-21
IPsec technologies
defining 25-30
mandatory and optional policies 25-6
policies 25-5
supported platforms 25-9
supported platforms for remote access VPNs 30-8
understanding 25-5
IPSec transform set objects
attributes 26-27
understanding 26-20
IPSec VPN
zone-based firewalls 21-6
IPS event
definition of 40-1
IPS Health Monitor page in Dashboard 72-2
IPS interfaces
IPS Monitoring Information dialog box 62-24
IPS module
credentials 3-20
IPS Module Discovery dialog box 3-20
IPS Module interface settings policies 62-22
IPS Rules dialog box 45-10
IPS sensor
IDM 72-15
IPS sensors
default transport protocol 11-22
IPS signatures
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
tuning 69-66
viewing related CS-MARS events 72-44
viewing related events in Event Viewer 69-57
IPS tab, Licensing page 11-58
IPS Updates page 11-47
IP Type
interface configuration
ASA and PIX 7+ 46-58
PIX 6.3 46-30
IPv4 pool objects
attributes 6-92
IPv6
interfaces
add/edit 46-52
add/edit prefixes 46-54, 46-56
ASA/FWSM 46-47, 46-73
management IPv4 address requirements 1-8
Neighbor cache 47-7
specifying addresses in policies 6-87
support in Security Manager 1-8
IPv6 access rules
ACL naming conventions 12-5
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
expiration dates 16-22
identity-aware rules
requirements 13-3
moving 12-19
preserving ACL names 12-4
sharing ACLs among interfaces 11-18
understanding global 16-3
understanding processing order 12-2
IPv6 policy map objects
match conditions and actions 17-78, 17-92
properties 17-77, 17-91
IPv6 pool objects
attributes 6-93
IPv6 static routes
PIX/ASA/FWSM
configuration 56-131
ISAKMP/IPsec settings
configuring 26-33
ISE Settings page 11-56
ISR
zone-based firewall
restrictions 21-3
J
job deployment methods
understanding 8-8
jobs
aborting 8-55
approving 8-39
creating and editing deployment in non-Workflow mode 8-28
creating and editing deployment in Workflow mode 8-35
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
rejecting 8-39
states
Workflow mode 8-6
submitting 8-38
joined hub-and-spoke topology 25-5
Join Group tab (IGMP) 55-7
JumpStart 1-24
Jumpstart command 1-38
K
Kazaa2 class map objects
creating 21-16
match criteria 21-21
Kerberos
configuring constrained delegation (KCD) 31-69
description 6-29
settings in AAA server objects 6-39
understanding constrained delegation (KCD) 31-66
key encryption key (KEK), GET VPN 29-4
key servers
adding 29-19
choosing the rekey transport mechanism 29-6
communication flow 29-2
cooperative, for redundancy 29-7
editing 29-19
generating, synchronizing RSA keys 29-13
registration failures 29-8
registration process 29-4
security policy ACLs 29-10
key servers (GET VPN)
configuring 29-18
Key Servers page (GET VPN) 29-18
Key Servers Selection dialog box 29-21
knowledge base structure (IPS) 41-8
L
LACP
interface assigned to an EtherChannel 46-12
large scale Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 25-6
Launch menu 1-37
Report Manager 70-8
layer 2 SGT imposition 46-44
LDAP
settings in AAA server objects 6-40
LDAP Attribute Map objects
attributes 6-46
learning accept mode (IPS), configuring 41-8
licenses
configuring for ASA devices 2-9
configuring for IOS devices 2-10
exporting IPS 11-59
IPS
automating 44-3
managing 44-1
redeploying 44-2
updating 44-1
Security Manager 10-16
License Update Status Details dialog box 11-62
licensing
Settings page 11-57
Lightweight Directory Access Protocol (LDAP)
description 6-29
lightweight signature engines 45-2
line access
Cisco IOS routers
Console Policy page 63-42
overview 63-35
VTY Policy page 63-50
Link Aggregation Control Protocol 46-12
Link Properties dialog box 35-20
load balancing
configuring in large scale DMVPN 27-16, 27-17
configuring IOS IPS deny actions 45-8
server attributes in large scale DMVPN 27-17
Local Policy Will Be Replaced dialog box 5-44
Local Web Filter class map objects
match criteria 21-29
Local web filter class map objects
creating 21-36
Local Web Filter parameter map objects
properties 21-38
Local web filter parameter map objects
creating 21-36
locking
activities 4-3
devices and policies 5-9
objects 5-10
understanding 5-8
VPN topologies 5-10
Log Buffer window 72-18
logging
Cisco IOS routers
defining NetFlow interfaces 65-15
defining NetFlow parameters 65-6
defining syslog servers 65-3
Logging Setup Policy page 65-7
NetFlow policy page 65-12
overview 65-1
Syslog Server dialog box 65-11
Syslog Servers Policy page 65-10
syslog setup parameters 65-1
syslog severity levels 65-4
PIX/ASA/FWSM 54-1
email notifications 54-8
email recipients 54-8
embedded event manager 54-3
event lists 54-9
event lists, add/edit 54-10
filters 54-12
filters, editing 54-13
levels 54-24
logging setup 54-14
message classes and IDs 54-9
message editing 54-25
message limits 54-18
message limits, add/edit 54-18
NetFlow 54-1
NetFlow, add/edit collector 54-2
rate limit levels 54-17
rate limits, add/edit 54-19
server 54-21
server setup 54-20
set-up 54-15
syslog class 54-11
syslog message ID 54-11
syslog servers 54-26, 54-27
syslog servers, add/edit 54-28
syslog messages supported for CS-MARS queries 72-46
logging in to
Cisco Security Management Suite server 1-12
CiscoWorks Common Services 1-12
logging into
Security Manager 1-11, 1-12
Logging page, IPS platform 36-30
logs
configuring audit log default settings 11-62
configuring debug levels 11-11
Logs page 11-62
loopback cells 62-51
low-latency queuing (LLQ) 66-5
M
MAC address
interface configuration
ASA and PIX 7+ 46-60
PIX/ASA/FWSM
add/edit 47-8
interface 50-23
learning 47-9
learning, enable/disable 47-9
table 47-8
MAC address pool objects
attributes 6-94
MAC exempt lists
configuring 15-7, 15-26
rule attributes 15-27
Maintenance Operation Protocol (MOP), enabling 62-19
Management Access
PIX/ASA/FWSM
interface 49-6
management address
requirements for IPv6 devices 1-8
Management Center for Cisco Security Agents
configuring connection to IPS devices 36-26
connection attributes 36-27
posture ACLs 36-29
Management IP address
PIX/ASA/FWSM 47-10
Management IPv6
ASA 5505 47-11
Manage menu 1-34
Map menu 1-33
map objects
class maps
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
parameter maps
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
Inspect properties 21-31
Local Web Filter properties 21-38
N2H2 properties 21-39
Protocol Info properties 21-33
Trend properties 21-42
URLF Glob properties 21-45
URL Filter properties 21-43
Websense properties 21-39
policy maps
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
DCE/RPC properties 17-29
DNS properties 17-32
ESMTP properties 17-39
FTP properties 17-42
GTP properties 17-45
H.323 (ASA/PIX/FWSM) properties 17-51
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties 17-56
HTTP (ASA7.2+/PIX7.2+) properties 17-64
IM (ASA7.2+/PIX7.2+) properties 17-70
IM (IOS) properties 17-73
IP Options properties 17-75
IPsec Pass Through properties 17-80
IPv6 properties 17-77, 17-91
NetBIOS properties 17-81
regular expression group properties 17-108
regular expression properties 17-108
SIP (ASA/PIX/FWSM) properties 17-83, 17-93, 17-102, 17-103
Skinny properties 17-87
SNMP properties 17-90
TCP Map properties 58-22
Web Filter properties 21-47
regular expression objects
metacharacters 17-109
understanding 6-78
Map Properties command 1-33
Map Rule dialog box
connection profile map matching rules 31-39
connection profile maps 31-39
maps
access permissions 35-8
adding existing managed devices 35-16
adding new managed devices 35-16
arranging elements 35-11
background color 35-13
background images
deleting 35-13
importing 35-13
scale and position 35-13
setting 35-13
centering elements 35-11
changing the zoom level 35-11
class maps
Class Map dialog box 17-28, 21-19
creating 35-9
default map 35-9
deleting 35-10
displaying devices from Device View 35-16
displaying managed devices 35-16
displaying your network 35-14
elements, understanding 35-14
excluding private and reserved networks 11-3
exporting 35-11
icons 35-14
layer 3 links
autolink settings 11-3
creating 35-19
deleting 35-19
layouts, using 35-11
linking maps 35-13
navigation window 35-4
objects
adding 35-17
deleting 35-17
opening 35-10
overview 35-1
panning 35-11
refreshing 35-1
removing managed devices 35-16
renaming 35-10
saving 35-10
searching for nodes 35-12
selecting elements 35-12
setting background 35-13
showing containment for Catalyst, ASA, PIX, IPS devices 35-16
understanding 35-1
undocking window 35-2
working with 35-8
Map Settings dialog box 35-13
Map View
cloning devices 35-22
configuring firewall policies 35-23
configuring firewall settings policies 35-23
context menu
Layer 3 link 35-7
managed device node 35-5
map background 35-7
map objects 35-7
selected nodes 35-6
VPN connection 35-6
device policies, managing 35-22
discovering device configurations 35-22
icons for elements 35-14
main page 35-2
menus, context 35-5
navigation window 35-4
performing basic policy management 35-22
previewing device configurations 35-22
sharing device policies 35-22
toolbar reference 35-4
VPNs
creating 35-21
displaying existing 35-21
editing or showing peers 35-22
editing policies 35-22
managing 35-20
Map view
Autolink Settings page 11-3
copying between devices 35-22
overview 1-18, 35-1
Map View command 1-32
master blocking sensor 43-6
Master Blocking Sensor dialog box 43-13
maximum receive reconstructed unit (MRRU) 62-82
maximum segment size (MSS) 62-17
MBoundary
PIX/ASA/FWSM
configuration 55-9
interface configuration 55-10
MD5 hash algorithm 26-7
memory-allocation lite 63-80
memory settings
Cisco IOS routers
defining 63-78
overview 63-78
Memory Policy page 63-79
menu reference
Activities 1-36
Configuration Manager overview 1-29
Edit (Configuration Manager) 1-31
File (Configuration Manager) 1-30
File (Event Viewer) 69-9
File (Report Manager) 70-8
Help (Configuration Manager) 1-38
Launch 1-37
Launch (Report Manager) 70-8
Manage 1-34
Map 1-33
Policy (Configuration Manager) 1-32
Tickets 1-36
Tools (Configuration Manager) 1-34
Tools (Report Manager) 70-8
View (Configuration Manager) 1-31
View (Event Viewer) 69-10
message
editing
PIX/ASA/FWSM 54-25
PIX/ASA/FWSM
limits 54-18
limits, add/edit 54-18
rate limits, add/edit 54-19
message classes and IDs
PIX/ASA/FWSM 54-9
metacharacters
URLF Glob parameter maps 21-46
Mobile application for CSM 72-11
Modify Access List dialog box (Allowed Hosts policy) 36-7
Modify Physical Interface Map dialog box 37-10
monitoring
CS-MARS
integrating with Security Manager 72-36
device managers, using 72-14
device status 72-1
network activities 72-1
PRSM, launching 72-20
monitoring widget for server 72-7
mount point
PIX/ASA
add/edit 48-19, 48-20
mount point configuration
ASA 48-18
Move Row Down command 1-31
Move Row Up command 1-31
MPC
a.k.a. Modular Policy Framework 58-6
MRoute
PIX/ASA/FWSM
configuration 55-8
MRoute page
description 55-8
MSN Messenger class map objects
creating 21-16
match criteria 21-21
multicast
PIX/ASA/FWSM
Enable PIM and IGMP 55-1
IGMP Access Group parameters 55-5
IGMP Access Group tab 55-5
IGMP Join Group parameters 55-7
IGMP Join Group tab 55-7
IGMP parameters 55-4
IGMP Protocol tab 55-3
IGMP Static Group parameters 55-6
IGMP Static Group tab 55-6
MBoundary configuration 55-9
MBoundary interface configuration 55-10
MRoute configuration 55-8
Multicast Boundary Filter page 55-9
Multicast Group, add/edit 55-19, 55-21
Multicast Group rule 55-17
PIM Bidirectional Neighbor Filter 55-14
PIM Bidirectional Neighbor Filter tab 55-13
PIM Neighbor Filter 55-13
PIM Neighbor Filter tab 55-12
PIM page 55-11
PIM Protocol dialog box 55-12
PIM Protocol tab 55-11
PIM Rendezvous Point, add/edit 55-16
PIM Rendezvous Points tab 55-15
PIM Request Filter tab 55-18, 55-20
PIM Route Tree tab 55-17
Multicast Boundary Filter page
description 55-9
multicast rekey in GET VPN 29-6
multicast routing
PIX/ASA/FWSM
configuring on 55-1
IGMP 55-2
multicast boundary filters 55-9
multicast routes 55-8
PIM 55-11
Multiclass Multilink PPP (MCMP) 62-75
multilink PPP (MLP) 62-71
defining bundles 62-75
multiple users
activities 4-4
tickets 4-4
N
N2H2 (Smartfilter)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-36, 21-39, 21-41
N2H2 class map objects
creating 21-36
match criteria 21-30
N2H2 parameter map objects
creating 21-36
properties 21-39
NAC
posture validation not occurring 9-15
NAT
VPN traffic sent unencrypted 9-15
NAT policies
Add/Edit Per-Session NAT rules dialog boxes 24-47
NBAR
enabling protocol discovery 62-19
Neighbor cache 47-7
Neighbor Filter
PIM
PIX/ASA/FWSM 55-13
Neighbor Filter tab
PIM 55-12
NetBIOS logout probe
configuring 13-15
requirements 13-5
NetBIOS policy map objects
creating 17-22
properties 17-81
NetFlow
Cisco IOS routers 65-1, 65-5
interface settings 65-15
configuring
on Cisco IOS routers 65-6
CS-MARS query 72-47
IOS routers 65-12
PIX/ASA/FWSM 54-1
add/edit collector 54-2
network/host objects
attributes 6-83
attributes, NAT 24-42
creating 6-82
naming when provisioned as object groups 6-107
network masks 6-81
optimizing when deploying firewall rules 12-35
understanding 6-80
unspecified value objects 6-86
using in Event Viewer filters 69-67
network access device (NAD) 64-9
Network Address Translation (NAT)
Add/Edit Per-Session NAT rules dialog boxes 24-47
ASA 8.3+
Add/Edit NAT rules dialog boxes 24-36
Translation Rules page 24-34
understanding 24-4
ASA 8.3 devices 24-33
Cisco IOS routers 24-5
Dynamic Rule dialog box 24-11
dynamic rules 24-10
Interface Specification 24-6
Static Rule dialog box 24-7
static rules 24-6
Static Rules tab 24-6
timeouts 24-13
configuring global options for VPNs 26-42
non-ASA 8.3 devices 24-18
No Proxy ARP 24-39, 24-45
PAT pool 24-41
Per-session NAT rules 24-46
PIX/ASA/FWSM
Address Pool dialog box 24-19
Address Pools page 24-18
Advanced NAT Options dialog box 24-29
clearing XLATE on deployment 60-1
configuring on 24-15
configuring translation rules 24-19
Dynamic Rules dialog box 24-23
Dynamic Rules tab 24-22
General tab 24-31
non ASA 8.3 24-18
Policy Dynamic Rules dialog box 24-25
Policy Dynamic Rules tab 24-24
Select Address Pool 24-24
Static Rules dialog box 24-27
Static Rules tab 24-26
Translation Exemptions (NAT 0 ACL) dialog box 24-21
Translation Exemptions (NAT 0 ACL) tab 24-20
Translation Options page 24-16, 24-17
Translation Rules page 24-19
translation types 24-3
transparent mode 24-16
understanding 24-2
round robin allocation 24-41
understanding NAT effects on firewall rules 12-3
understanding NAT settings for VPNs 26-41
understanding NAT traversal 26-41
Network Admission Control (NAC)
Cisco Trust Agent 64-9
components 64-9
defining identity parameters 64-13
defining interface parameters 64-11
defining setup parameters 64-10
Identities tab 64-18
Identity Action dialog box 64-19
Identity Profile dialog box 64-19
Interface Configuration dialog box 64-17
Interfaces tab 64-16
NAC Policy page 64-14
network access device (NAD) 64-9
on Cisco IOS routers 64-8
Setup tab 64-14
supported platforms 64-8
understanding system flow 64-9
Network Information page (IPS) 40-17
network masks
discontiguous 6-81
discovering 6-82
displaying 6-82
understanding 6-81
network participation, IPS
configuring 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-3
understanding global correlation 42-1
understanding reputation 42-2
network sensing
capturing network traffic 36-2
deployment topology 36-4
overview 36-2
tuning recommendations 36-4
Network Time Protocol (NTP)
Cisco IOS routers
creating NTP servers 63-97
NTP Policy page 63-98
NTP Server dialog box 63-99
overview 63-96
Never Block Host dialog box 43-17
Never Block Network dialog box 43-17
New Activity command 1-36
New Device command 1-30
New Device Groups command 1-31
New Device wizard
Choose Method page 3-6
Device Grouping page 3-49
Device Information page - Add Device from File 3-33
Device Information page - Configuration File 3-23
Device Information page - Network 3-14
Device Information page - New Device 3-27
New Map command 1-33
New or Edit CS-MARS Device dialog box 11-8
New Ticket command 1-37
NHRP
DMVPN spoke-to-spoke connections 27-11
Node Properties dialog box 35-18
non-Workflow mode
changing modes 1-28
comparing with Workflow mode 1-22
configuration files
deploying 8-28
previewing 8-44
configurations
rolling back 8-69
creating tickets 4-14
deployment 8-3
deployment jobs
aborting 8-55
Deployment Status Details dialog box 8-32
opening tickets 4-15
taking over another user session 10-23
understanding 1-22
viewing
device details 8-26
No Proxy ARP
NAT rule 24-39, 24-45
PIX/ASA/FWSM Platform 56-1
notifications, e-mail
configuring SMTP server 1-27
NS Lookup 72-26, 72-29
NT
settings in AAA server objects 6-43
NTP
PIX/ASA/FWSM 52-21
server configuration 52-21
NTP policy, IPS platform 36-23
NTP server
configuring for IPS devices 36-23
null0 56-128
O
object groups
policy discovery 5-14
object group search
ASA 8.3+ devices 16-25
PIX 6.3 devices 16-27
objects
AAA server
HTTP-FORM settings 6-44
Kerberos settings 6-39
LDAP settings 6-40
NT settings 6-43
RADIUS settings 6-35
SDI settings 6-43
TACACS+ settings 6-38
AAA server groups
attributes 6-49
creating 6-48
default server groups on IOS devices 6-31
predefined authentication groups 6-30
understanding 6-27
AAA servers
creating 6-32
supported additional types for ASA/PIX/FWSM 6-28
supported types 6-28
understanding 6-27
access control lists
creating 6-53
extended objects 6-54
standard objects 6-56
unified objects 6-58
web objects 6-57
ASA group policies
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
AS paths
properties 56-151
basic procedures 6-9
categories, using 6-13
changes in Security Manager 4.4 1-10
Cisco Secure Desktop configuration
creating 33-18
class map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
cloning (duplicating) 6-14
community lists
properties 56-153
configuring for ASA routing policies 56-132
configuring for remote access VPN 34-1
creating 6-9
credentials
attributes 28-9
DCE/RPC policy map
properties 17-29
deleting 6-16
DNS policy map
properties 17-32
editing 6-12
ESMTP policy map
properties 17-39
exporting 6-23
file objects
attributes 34-37
selecting 34-39
FlexConfig
creating text objects 7-32
properties 7-30
property selector 7-34
undefined variables 7-33
FlexConfigs
adding to policies 7-35
changing order in policies 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
creating 7-28
previewing CLI 7-35
removing from policies 7-35
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-42
generating usage reports 6-15
GTP policy map
properties 17-45
H.323 (ASA/PIX/FWSM) policy map
properties 17-51
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-56
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-64
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 26-10
v2 properties 26-14
IM (ASA7.2+/PIX7.2+) policy map
properties 17-70
IM (IOS) policy map
properties 17-73
importing 6-23
Inspect parameter map
properties 21-31
interface roles
creating 6-74
IP Options policy map
properties 17-75
IPsec Pass Through policy map
properties 17-80
IPSec transform sets
attributes 26-27
understanding 26-20
IPv6 policy map
properties 17-77, 17-91
LDAP attribute map objects
attributes 6-46
Local Web Filter parameter map
properties 21-38
locking
effects on activities 4-3
managing 6-1
maps
understanding 6-78
N2H2 parameter map
properties 21-39
NetBIOS policy map
properties 17-81
network/host
optimizing when deploying firewall rules 12-35
understanding 6-80
using in Event Viewer filters 69-67
network/host objects
naming when provisioned as object groups 6-107
networks/hosts
creating 6-82
unspecified value objects 6-86
object selectors 6-2
overrides
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-19
deleting 6-21
managing 6-17
understanding 6-18
overview 1-20
parameter map
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
PKI enrollments
defining CA server properties 26-60
defining certificate attributes 26-66
defining enrollment parameters 26-63
defining trusted CA hierarchy 26-67
properties 26-58
policy lists
properties 56-143
policy map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
port forwarding lists
properties 34-40
port list objects
naming when provisioned as object groups 6-107
port lists
creating 6-100
properties 6-102
prefix lists
properties 56-146, 56-148
Protocol Info parameter map
properties 21-33
provisioning as object groups 6-106
regular expression group policy map
properties 17-108
regular expression objects
metacharacters 17-109
regular expression policy map
properties 17-108
route maps 56-136
creating 56-132
understanding 56-132
security group
creating 14-14
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-107
provisioning as object groups 6-108
services
creating 6-100
single sign-on server
properties 34-42
SIP (ASA/PIX/FWSM) policy map
properties 17-83, 17-93, 17-102, 17-103
Skinny policy map
properties 17-87
SLA monitors
attributes 51-10
configuring 51-9
understanding 51-8
SNMP policy map
properties 17-90
SSL VPN Bookmark
configuring 31-82
post URL method and macro substitutions 31-84
SSL VPN Customization
configuring 31-78
creating custom Logon page 31-82
localizing 31-80
SSL VPN gateway
properties 34-64
SSL VPN smart tunnel auto sign-on list
attributes 34-71
SSL VPN smart tunnel list
attributes 34-66, 34-69
configuring 31-85
TCP Map policy map
properties 58-22
text
creating 7-32
time ranges
attributes for recurring ranges 6-72
configuring 6-71
traffic flow
default inspection traffic 58-20
properties 58-18
Trend parameter map
properties 21-42
TrustSec security group
selecting 14-16
URLF Glob parameter map
properties 21-45
URLF Glob parameter maps
metacharacters 21-46
URL Filter parameter map
properties 21-43
user groups
advanced PIX 6.3 settings 34-82
browser proxy settings 34-87
clientless settings 34-83
client VPN software update (IOS) settings 34-81
DNS/WINS settings 34-77
general settings 34-75
IOS client settings 34-78
IOS Xauth settings 34-80
split tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN connection settings 34-88
SSL VPN full tunnel settings 34-84
SSL VPN split tunneling settings 34-86
technology settings 34-73
thin client settings 34-84
using global search to find specific objects 1-42
viewing details 6-14
Web Filter policy map
properties 21-47
Websense parameter map
properties 21-39
WINS server lists
attributes 34-90
creating 31-88
object selectors 6-2
Object Usage dialog box 6-15
Obsoletes dialog box 39-30
OOB (Out of Band) Changes dialog box 8-48
OOB (out-of-band) changes
avoiding 8-47
detecting and analyzing 8-45
understanding 8-12
Openable Activities dialog box 4-15
Openable Tickets dialog box 4-15
Open Activity command 1-36
Open command (Report Manager) 70-8
Open Map command 1-33
Open Map dialog box 35-10
Open Ticket command 1-37
OS Identifications tab, IPS Network Information policy 40-21
OS Map dialog box 40-22
OSPF
interaction with NAT 56-75
LSAs 56-75
OSPF interfaces
blocking LSA flooding 67-28
defining on Cisco IOS routers 67-25
disabling MTU mismatch detection 67-27
Interface dialog box 67-31
OSPF Interface Policy page 67-30
understanding
authentication 67-29
cost 67-26
network types 67-29
priority 67-26
timer settings 67-28
OSPF parameters
dead interval 56-100, 56-116
hello interval 56-99
hello multiplier 56-100
retransmit interval 56-100, 56-116
transmit delay 56-100, 56-116
OSPF redistribution
defining mappings 67-22
defining maximum prefix values 67-24
understanding 67-22
OSPF routing
Cisco IOS routers
Area dialog box 67-37
Area tab 67-36
defining area settings 67-21
defining interface settings 67-25
defining setup parameters 67-20
Edit Interfaces dialog box 67-36
Max Prefix Mapping dialog box 67-41
OSPF Process Policy page 67-34
overview 67-19
redistributing routes 67-22
Redistribution Mapping dialog box 67-39
Redistribution tab 67-38
Setup dialog box 67-35
Setup tab 67-35
PIX/ASA/FWSM
advanced settings 56-77
Area/Area networks 56-82
Area Range 56-84
Area tab 56-81
Filtering configuration 56-93
Filtering tab 56-92
Filter Rule configuration 56-94
Filter Rule tab 56-94
General tab 56-76
Interface configuration 56-98
Interface tab 56-96
Neighbors tab 56-85
policy 56-75
Range tab 56-84
Redistribution rule 56-87
Redistribution tab 56-86
static neighbor 56-85
Summary Address configuration 56-96
Summary Address tab 56-95
Virtual Link configuration 56-90
Virtual Link MD5 configuration 56-91
Virtual Link tab 56-89
OSPFv3
LSAs 56-101
OSPFv3 routing
PIX/ASA/FWSM
advanced settings 56-104
Area/Area networks 56-108
Area Range 56-110
Area tab 56-108
Interface configuration 56-114
Interface tab 56-114
policy 56-100
Process tab 56-103
Redistribution rule 56-112
static neighbor 56-118
Summary Prefix configuration 56-113
Virtual Link configuration 56-111
OS version mismatches
handling 8-13
other settings
configuring for SSL VPN (ASA) 31-51
out-of-band changes
avoiding 8-47
detecting and analyzing 8-45
understanding 8-12
overrides
allowing overrides 6-18
creating for multiple devices 6-19
creating for single device 6-19
deleting 6-21
managing 6-17
understanding 6-18
overview
activities 1-20
device monitoring 1-7
IPv6 support 1-8
policies 1-20
ticketing 1-20
user permissions 1-11
workflow 1-20
P
P2P applications
match conditions for zone-based firewalls 21-21
P2P policy map objects
creating 21-16
match conditions and actions 21-35
packageMonitorInterval 44-6
packet capture 72-30
Packet Capture Wizard command 1-35
packet tracer 72-23
Pair dialog box 45-11
PAM
zone-based firewall
configuring 21-69
parameter maps
understanding 6-78
partial_backup.pl command 10-30
partial mesh topologies 25-5
participation, network
configuring 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-3
understanding global correlation 42-1
understanding reputation 42-2
passive OS fingerprinting on IPS sensors
configuring 40-21
understanding 40-19
Password Requirements policy, IPS platform 36-20
passwords
admin, changing 10-24
configuring IPS requirements 36-20
configuring IPS user account 36-18
discovery and deployment of IPS 36-17
managing IPS requirements 36-15
understanding managed and unmanaged IPS passwords 36-16
Paste command 1-31, 12-9
PAT
pools 24-41
PDF file
export HPM data as 71-31
PDM
device manager 72-15
Peers page 25-34
performance settings
configuring for SSL VPN (ASA) 31-52
performance tuning 44-6
permanent virtual connections (PVCs)
Define Mapping dialog box 62-65
defining ATM PVCs 62-51
defining OAM management 62-54
on Cisco IOS routers 62-47
PVC Advanced Settings dialog box 62-66
PVC dialog box 62-56
PVC Policy page 62-55
understanding
ATM management protocols 62-49
ATM service classes 62-48
ILMI 62-50
Operation, Administration, and Maintenance (OAM) 62-51
virtual paths and channels 62-47
per-session NAT rules 24-46
Add/Edit Per-Session NAT rules dialog boxes 24-47
PIM
configuring on firewall devices 55-11
PIX/ASA/FWSM
Bidirectional Neighbor Filter 55-14
Bidirectional Neighbor Filter tab 55-13
enable 55-1
Multicast Group, add/edit 55-19, 55-21
Multicast Group rule 55-17
Neighbor Filter 55-13
Neighbor Filter tab 55-12
page 55-11
PIM Protocol dialog box 55-12
Protocol tab 55-11
Rendezvous Point, add/edit 55-16
Rendezvous Points tab 55-15
Request Filter tab 55-18, 55-20
Route Tree tab 55-17
ping 72-26
Ping, TraceRoute and NSLookup command 1-35
PIX
PDM 72-15
PIX/ASA
boot image/configuration 48-10
add/edit 48-12
failover 50-17
settings 50-21
interfaces
Advanced tab 46-41
IP Type 46-58
MAC address 46-60
PPPoE Users 46-71
redundant 46-8
subinterfaces 46-7, 46-15
VPDN groups 46-72
mount point
add/edit 48-19, 48-20
mount point configuration 48-18
security contexts
allocate interfaces 59-12
configuration 59-9
viewing allocated interfaces 59-12
PIX/ASA/FWSM
AAA 48-5
Authentication tab 48-5
about AAA 48-1
bridging 47-1
clock settings 48-14
configuring banners 48-9
configuring CLI prompt 48-12
credentials 48-17
Device Access
Server Access 52-1, 53-1
device administration policies 48-1
Failover
bootstrap configuration 50-26
interface MAC address 50-23
failover
active/active 50-3
interface configuration 50-23
security context 50-26
understanding 50-1
interfaces
add/edit 46-31
Advanced settings 46-68
configuring 46-3
contexts 46-5
General tab 46-33
managing 46-26
operating modes 46-5
understanding 46-3
security contexts
about 59-1
Server Access
AUS, add/edit server 52-3, 53-2, 53-3, 53-4
AUS page 52-1
DDNS interface rule 52-19
DDNS page 52-18
DDNS update methods 52-19
DDNS update methods, add/edit 52-20
DHCP Relay, add/edit agent 52-6
DHCP Relay, add/edit server 52-7
DHCP Relay page 52-5
DHCP Server, add/edit 52-12
DHCP Server, advanced configuration 52-13
DHCP Server, options 52-13
DHCP Server page 52-10
DHCPv6 Relay, add/edit agent 52-9
DHCPv6 Relay, add/edit server 52-9
DHCPv6 Relay page 52-7
DNS page 52-14
DNS server, add 52-17
DNS server group 52-16
NTP page 52-21
NTP server configuration 52-21
SMTP page 52-22
TFTP server page 52-23
stateful 50-4
PIX/ASA/FWSM Platform
AAA
Accounting tab 48-8
Authorization tab 48-7
anti-spoofing 57-2
ARP configuration 47-5
ARP Inspection 47-5
enable/disable 47-6
ARP Table 47-3
configuring DHCP servers 52-10
configuring multicast routing 55-1
configuring routing 56-1
Device Access 49-1
console timeout 49-1
host name 51-1
HTTP configuration 49-3
HTTP page 49-2
ICMP rules 49-4
ICMP rules, add/edit 49-5
Management Access interface 49-6
Secure Shell, add/edit host 49-8
Secure Shell (SSH) 49-7, 49-8
SNMP host access 49-22
SNMP page 49-17
SNMP Trap configuration 49-19
Telnet configuration 49-29
Telnet page 49-29
user accounts 51-7
user accounts, add/edit 51-7
failover 50-10
failover configuration 50-1
failover configuration basics 50-5
floodguard 57-2
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules
wizard 58-6, 58-8
logging 54-1
email notifications 54-8
email recipients 54-8
embedded event manager 54-3
embedded event manager, add/edit action configuration 54-7
embedded event manager, add/edit applet 54-5
embedded event manager, add/edit syslog configuration 54-7
event lists 54-9
event lists, add/edit 54-10
filters 54-12
filters, editing 54-13
levels 54-24
message classes and IDs 54-9
message editing 54-25
message limits 54-18
message limits, add/edit 54-18
NetFlow 54-1
NetFlow, add/edit collector 54-2
rate limits, add/edit 54-19
server 54-21
set-up 54-15
syslog class 54-11
syslog message ID 54-11
syslog servers 54-27
syslog servers, add/edit 54-28
MAC Address
add/edit 47-8
MAC Address Table 47-8
MAC learning 47-9
enable/disable 47-9
Management IP address 47-10
multicast
Enable PIM and IGMP 55-1
group, add/edit 55-19, 55-21
IGMP Access Group parameters 55-5
IGMP Access Group tab 55-5
IGMP Join Group parameters 55-7
IGMP Join Group tab 55-7
IGMP page 55-2
IGMP parameters 55-4
IGMP Protocol tab 55-3
IGMP Static Group parameters 55-6
IGMP Static Group tab 55-6
MBoundary configuration 55-9
MBoundary interface configuration 55-10
MRoute configuration 55-8
Multicast Boundary Filter page 55-9
Multicast Group rule 55-17
Multicast Routes page 55-8
PIM Bidirectional Neighbor Filter 55-14
PIM Bidirectional Neighbor Filter tab 55-13
PIM Neighbor Filter 55-13
PIM Neighbor Filter tab 55-12
PIM page 55-11
PIM Protocol dialog box 55-12
PIM Protocol tab 55-11
PIM Rendezvous Point, add/edit 55-16
PIM Rendezvous Points tab 55-15
PIM Request Filter tab 55-18, 55-20
PIM Route Tree tab 55-17
NAT policies 24-18
Address Pools dialog box 24-19
Address Pools page 24-18
Advanced NAT Options dialog box 24-29
Dynamic Rules dialog box 24-23
Dynamic Rules tab 24-22
General tab 24-31
Policy Dynamic Rules dialog box 24-25
Policy Dynamic Rules tab 24-24
Select Address Pool 24-24
Static Rules dialog box 24-27
Static Rules tab 24-26
Translation Exemptions (NAT 0 ACL) dialog box 24-21
Translation Exemptions (NAT 0 ACL) tab 24-20
Translation Options page 24-16, 24-17
Translation Rules page 24-19
policy configuration 46-1
priority queues 58-4
priority queues configuration 58-4
routing
BGP 56-2, 56-3
BGP - General tab 56-5
BGP - IPv4 Family - Aggregate Address configuration 56-9, 56-22
BGP - IPv4 Family - Filter configuration 56-10
BGP - IPv4 Family - General tab 56-7, 56-21
BGP - IPv4 Family - Neighbor configuration 56-11, 56-24
BGP - IPv4 Family - Network configuration 56-17, 56-29
BGP - IPv4 Family - Redistribution configuration 56-18, 56-30
BGP - IPv4 Family - Route Injection configuration 56-19, 56-31
BGP - IPv4 Family tab 56-6, 56-20
EIGRP 56-32
EIGRP - advanced settings 56-34
EIGRP - Filter Rule configuration 56-40
EIGRP - Filter Rules tab 56-39
EIGRP - Interface configuration 56-48
EIGRP - Interfaces tab 56-47
EIGRP - neighbor configuration 56-42
EIGRP - Neighbors tab 56-41
EIGRP - redistribution configuration 56-44
EIGRP - Redistribution tab 56-42
EIGRP - Setup tab 56-36
EIGRP - Summary Address configuration 56-46
EIGRP - Summary Address tab 56-45
IPv6 Static Route configuration 56-131
IPv6 Static Route page 56-131
No Proxy ARP 56-1
OSPF 56-75
OSPF - advanced settings 56-77
OSPF - Area/Area networks 56-82
OSPF - Area Range 56-84
OSPF - Area tab 56-81
OSPF - Filtering configuration 56-93
OSPF - Filtering tab 56-92
OSPF - Filter Rule configuration 56-94
OSPF - Filter Rule tab 56-94
OSPF - General tab 56-76
OSPF - Interface configuration 56-98
OSPF - Interface tab 56-96
OSPF - Neighbors tab 56-85
OSPF - Range tab 56-84
OSPF - Redistribution rule 56-87
OSPF - Redistribution tab 56-86
OSPF - static neighbor 56-85
OSPF - Summary Address configuration 56-96
OSPF - Summary Address tab 56-95
OSPFv3 56-100
OSPFv3 - advanced settings 56-104
OSPFv3 - Area/Area networks 56-108
OSPFv3 - Area Range 56-110
OSPFv3 - Area tab 56-108
OSPFv3 - Interface configuration 56-114
OSPFv3 - Interface tab 56-114
OSPFv3 - Process tab 56-103
OSPFv3 - Redistribution rule 56-112
OSPFv3 - static neighbor 56-118
OSPFv3 - Summary Prefix configuration 56-113
OSPFv3 - Virtual Link configuration 56-111
OSPF - Virtual Link configuration 56-90
OSPF - Virtual Link MD5 configuration 56-91
OSPF - Virtual Link tab 56-89
RIP (PIX/ASA 6.3–7.1, FWSM) 56-120
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 56-121
RIP (PIX/ASA 7.2+) 56-122
RIP (PIX/ASA 7.2+) Filtering 56-126
RIP (PIX/ASA 7.2+) Filtering configuration 56-127
RIP (PIX/ASA 7.2+) Interface 56-127
RIP (PIX/ASA 7.2+) Interface configuration 56-128
RIP (PIX/ASA 7.2+) Redistribution 56-125
RIP (PIX/ASA 7.2+) Redistribution configuration 56-125
RIP (PIX/ASA 7.2+) Setup 56-123
RIP page 56-119
static null 0 routing 56-128
Static Route configuration 56-130
Static Route page 56-128, 56-130
security contexts
managing 59-7
security group aware IPS, QoS, and Connection Rules 14-17
security policies 57-1
General configuration 57-3
General page 57-1
timeouts 57-4
service policy
wizard 58-6
Service Policy Rules 58-5
service policy rules 58-1
SNMP configuration 49-14
SNMP Version 3 49-15
traffic class 58-7
Unicast Reverse Path Forwarding 57-2
user preferences 60-1
Deployment page 60-1
Transactional Commit page 60-2
PIX/ASA/FWSM Platform policies
bridging 47-1
configuring fragment settings 57-2
configuring NAT 24-15
transparent mode 24-16
PIX 6.3
Failover
interface configuration 50-12
failover 50-10
interface configuration
IP Type 46-30
interfaces
add/edit 46-28
PIX 7.x
Failover
Add Failover Group 50-25
PIX devices
AAA support 6-28
about 46-1
monitoring service level agreements 51-8
remote access VPNs
IPsec proposals 31-41
user group policies for PIX 6.3 33-13
selecting policy types to manage 5-11
PIX firewalls
access controls
access list compilation 16-28
object group search 16-27
adding SSL thumbprints manually 9-5
configuring transparent firewall rules 23-1
FlexConfig object samples 7-23
packet capture, using 72-30
packet tracer, using 72-23
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions for failover devices 8-65
rollback restrictions for multiple context mode 8-64
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-22
PKI (Public Key Infrastructure) policies
CA server authentication methods 26-51
defining multiple CA servers 26-55
enrollment requirements 26-52
understanding 26-51
using TFTP 26-53
PKI enrollment
prerequisites using TFTP 26-53
requirements 26-52
PKI enrollment objects
defining CA server properties 26-60
defining certificate attributes 26-66
defining enrollment parameters 26-63
defining trusted CA hierarchy 26-67
properties 26-58
plug-ins
configuring browser 31-60
Point-to-Point Protocol (PPP)
defining connections 62-72
defining multilink PPP bundles 62-75
on Cisco IOS routers 62-71
PPP dialog box 62-77
PPP/MLP Policy page 62-76
understanding multilink PPP (MLP) 62-71
point-to-point topologies
description 25-3
policies
adding local rules to shared policies 5-45
assigning shared policies 5-44
basic concepts
inheritance vs. assignment 5-6
local vs. shared 5-3
managing 5-31
overview 5-1
rule inheritance 5-4
service vs. platform-specific 5-2
settings-based vs. rule-based 5-2
shared policies in Device view or Site-to-Site VPN Manager 5-37
signature inheritance 39-3
status icons 5-30
cloning shared policies 5-47
configuring IKE and IPsec for VPNs 26-1
copying between devices 5-33
creating shared 5-54
deleting shared 5-56
Device view
configuring local policies 5-31
managing 5-30
modifying assignments 5-49
modifying shared policies 5-49
discovering 5-12
discovering on existing devices 5-15
exporting 10-12
exporting with device inventory 10-6
FlexConfigs
adding objects 7-35
changing object order 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
editing 7-35
FlexConfig Policy page 7-36
previewing CLI 7-35
removing objects 7-35
understanding 7-2
importing 10-13
inheriting rules 5-47
locking 5-8
managing 5-1
object selectors 6-2
overview 1-20
performing basic policy management in Map view 35-22
PKI (Public Key Infrastructure) 26-51
policy banner 5-38
policy discovery FAQ 5-27
policy management and objects 5-7
Policy view
managing 5-50
modifying assignments 5-54
preshared keys 26-47
renaming 5-48
router platform policies 61-1
selecting policies to manage 5-11
sharing local 5-41
sharing multiple local policies 5-42
sharing with PRSM 72-22
Site-to-Site VPN Manager
managing 5-30
modifying assignments 5-49
site-to-site VPNs 25-8
specifying interfaces 6-76
specifying IP addresses 6-87
synchronizing among Security Manager servers 10-5
unassigning 5-36
unsharing 5-43
using global search to find specific policies 1-42
viewing discovery task status 5-22
VPN defaults 11-74
policy assignments
modifying in Device view 5-49
modifying in Policy view 5-54
modifying in Site-to-Site VPN Manager 5-49
overview 1-20
policy bundles
cloning 5-58
creating 5-57
managing 5-57
renaming 5-58, 5-59
Policy Bundle view
cloning policy bundles 5-58
creating policy bundles 5-57
renaming policy bundles 5-58, 5-59
Policy Bundle View command 1-32
policy discovery
AAA commands not displayed in AAA policy 5-29
ACL naming conventions 12-5
ACLs 5-14
Catalyst devices 5-13
Catalyst switches and 7600 Series routers 68-1
Cisco IOS routers 5-13, 61-3
frequently asked questions 5-27
IPS devices 5-14
network masks 6-82
object groups 5-14
on existing devices 5-15
overview 1-20
policy objects 5-14
preserving ACL names 12-4
resolving ACL naming conflicts 12-7
security contexts 5-13
understanding 5-12
viewing task status 5-22
VPNs 5-12
web VPN restrictions 3-8
Policy Discovery Status command 1-34
Policy Discovery Status page 5-25
Policy Dynamic Translation Rule
PIX/ASA/FWSM 24-24
add/edit 24-25
policy list objects
properties 56-143
policy management
Settings page 11-64
Policy Management page 11-64
policy maps
understanding 6-78
Policy menu
command reference 1-32
Policy Object Manager
field reference 6-4
shortcut menu 6-8
undocking and docking the window 6-8
Policy Object Manager window
creating overrides 6-19
deleting overrides 6-21
Policy Object Overrides window 6-20
policy objects
AAA server
HTTP-FORM settings 6-44
Kerberos settings 6-39
LDAP settings 6-40
NT settings 6-43
RADIUS settings 6-35
SDI settings 6-43
TACACS+ settings 6-38
AAA server groups
attributes 6-49
creating 6-48
default server groups on IOS devices 6-31
predefined authentication groups 6-30
understanding 6-27
AAA servers
creating 6-32
supported additional types for ASA/PIX/FWSM 6-28
supported types 6-28
understanding 6-27
access control lists
creating 6-53
extended objects 6-54
standard objects 6-56, 6-58
web objects 6-57
ASA group policies
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
AS paths
properties 56-151
basic procedures 6-9
categories, using 6-13
changes in Security Manager 4.4 1-10
Cisco Secure Desktop configuration
creating 33-18
class map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
cloning (duplicating) 6-14
community lists
properties 56-153
configuring for ASA routing policies 56-132
configuring for remote access VPN 34-1
connection with policy management 5-7
creating 6-9
credentials
attributes 28-9
DCE/RPC policy map
properties 17-29
deleting 6-16
DNS policy map
properties 17-32
editing 6-12
ESMTP policy map
properties 17-39
exporting 6-23
file objects
attributes 34-37
selecting 34-39
FlexConfig
creating text objects 7-32
properties 7-30
property selector 7-34
undefined variables 7-33
FlexConfigs
adding to policies 7-35
changing order in policies 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
creating 7-28
previewing CLI 7-35
removing from policies 7-35
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-42
generating usage reports 6-15
GTP policy map
properties 17-45
H.323 (ASA/PIX/FWSM) policy map
properties 17-51
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-56
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-64
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 26-10
v2 properties 26-14
IM (ASA7.2+/PIX7.2+) policy map
properties 17-70
IM (IOS) policy map
properties 17-73
importing 6-23
Inspect parameter map
properties 21-31
interface roles
creating 6-74
understanding 6-73
IP Options policy map
properties 17-75
IPsec Pass Through policy map
properties 17-80
IPSec transform sets
attributes 26-27
understanding 26-20
IPv6 policy map
properties 17-77, 17-91
LDAP attribute map objects
attributes 6-46
Local Web Filter parameter map
properties 21-38
managing 6-1
maps
understanding 6-78
N2H2 parameter map
properties 21-39
NetBIOS policy map
properties 17-81
network/host
optimizing when deploying firewall rules 12-35
understanding 6-80
using in Event Viewer filters 69-67
network/host objects
naming when provisioned as object groups 6-107
networks/hosts
creating 6-82
unspecified value objects 6-86
object selectors 6-2
overrides 3-52
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-19
deleting 6-21
managing 6-17
understanding 6-18
overview 1-20
parameter map
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
PKI enrollments
defining CA server properties 26-60
defining certificate attributes 26-66
defining enrollment parameters 26-63
defining trusted CA hierarchy 26-67
properties 26-58
policy discovery 5-14
policy lists
properties 56-143
policy map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
pools
understanding 6-92
port forwarding lists
properties 34-40
port list objects
naming when provisioned as object groups 6-107
port lists
creating 6-100
properties 6-102
prefix lists
properties 56-146, 56-148
Protocol Info parameter map
properties 21-33
provisioning as object groups 6-106
regular expression group policy map
properties 17-108
regular expression objects
metacharacters 17-109
regular expression policy map
properties 17-108
route maps 56-136
creating 56-132
understanding 56-132
security group
creating 14-14
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-107
provisioning as object groups 6-108
services
creating 6-100
Settings page 11-66
sharing with PRSM 72-22
single sign-on server
properties 34-42
SIP (ASA/PIX/FWSM) policy map
properties 17-83, 17-93, 17-102, 17-103
Skinny policy map
properties 17-87
SLA monitors
attributes 51-10
configuring 51-9
understanding 51-8
SNMP policy map
properties 17-90
SSL VPN bookmark
configuring 31-82
post URL method and macro substitutions 31-84
SSL VPN Customization
configuring 31-78
creating custom Logon page 31-82
localizing 31-80
SSL VPN gateway
properties 34-64
SSL VPN smart tunnel auto sign-on lists
attributes 34-71
SSL VPN smart tunnel lists
attributes 34-66, 34-69
configuring 31-85
TCP Map policy map
properties 58-22
text
creating 7-32
time ranges
attributes for recurring ranges 6-72
configuring 6-71
traffic flow
default inspection traffic 58-20
properties 58-18
Trend parameter map
properties 21-42
TrustSec security group
selecting 14-16
URLF Glob parameter map
properties 21-45
URLF Glob parameter maps
metacharacters 21-46
URL Filter parameter map
properties 21-43
user groups
advanced PIX 6.3 settings 34-82
browser proxy settings 34-87
clientless settings 34-83
client VPN software update (IOS) settings 34-81
DNS/WINS settings 34-77
general settings 34-75
IOS client settings 34-78
IOS Xauth settings 34-80
split tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN connection settings 34-88
SSL VPN full tunnel settings 34-84
SSL VPN split tunneling settings 34-86
technology settings 34-73
thin client settings 34-84
viewing details 6-14
Web Filter policy map
properties 21-47
Websense parameter map
properties 21-39
WINS server lists
attributes 34-90
creating 31-88
Policy Objects command 1-34
policy objects interface
Interface Role dialog box 6-75
SSL VPN Bookmark Entry dialog box 34-45
SSL VPN bookmarks
Add or Edit Bookmarks dialog boxes 34-44
Post Parameters dialog box 34-48
Policy Objects page 11-66
policy query
example report 12-34
generating reports 12-28
interpreting report results 12-32
Querying Device or Policy dialog box 12-29
Policy Query Results dialog box 12-32
Policy view
Assignments tab 5-54
creating shared policies 5-54
deleting shared policies 5-56
filtering shared policy selector 1-45
modifying assignments 5-54
overview 1-16
selectors 5-52
Shared Policy selector options 5-53
understanding 5-50
Policy View command 1-32
pool objects
understanding 6-92
POP3
configuring for inspection rules 17-21
POP3 class map objects
creating 21-16
match criteria 21-25
POP3 policy map objects
creating 21-16
match conditions and actions 21-35
port application mapping
see PAM 21-69
port forwarding list objects
properties 34-40
port list objects
creating 6-100
naming when provisioned as object groups 6-107
properties 6-102
ports
ASA 5505
configure 46-61
Posture ACL dialog box 36-29
PPP dialog box
MLP tab 62-80
PPP tab 62-78
PPPoE Users 46-71
preferences, user
PIX/ASA/FWSM 60-1
Deployment page 60-1
Transactional Commit page 60-2
prefix list objects
properties 56-146, 56-148
pre-provisioning devices 3-26
preshared keys
aggressive mode negotiation 26-48
compared to certificates 26-8
configuring policies for IKEv1 site-to-site VPNs 26-48
FQDN (fully qualified domain name) negotiation 26-48
main mode address negotiation 26-47
understanding 26-47
Preview Configuration command 1-35
Prime Security Manager
see PRSM 72-20
Prime Security Manager command 1-37
print
Report Manager reports 70-27
Print command 1-31
priority queues
PIX/ASA/FWSM
configuration 58-4
page 58-4
Product Authorization Key (PAK) 10-16
productivity categories for Trend class maps 21-20
prompt
configuring on firewall devices 48-12
properties
changes with policy effects 3-54
changing critical device 3-52
image version changes with no policy effects 3-53
understanding device 3-6
viewing or changing device 3-40
Property Selector dialog box 7-34
protected networks
defining in GET VPN topologies 25-60
defining in VPN topologies 25-34
Protected Networks tab 25-46
Protocol Independent Multicast 55-11
Protocol Info parameter map objects
properties 21-33
Protocol Info Parameters map object
creating 21-16
Protocol Map dialog box 41-12
protocols
selecting for inspection 17-3
Protocol tab
IGMP 55-3
proxies
defining HTTP/HTTPS for SSL VPN (ASA) 31-57
proxy ARP
enabling on IOS routers 62-19
proxy bypass rules
defining HTTP/HTTPS for SSL VPN (ASA) 31-57
proxy server
configuring HTTP for IPS global correlation 36-24
PRSM
sharing
devices 72-22
policy objects 72-22
starting from Security Manager 72-20
public key infrastructure (PKI) policies
compared to certificates 26-8
configuring for remote access VPNs 26-56
configuring for site-to-site VPNs 26-54
PVC Advanced Settings dialog box
OAM-PVC tab 62-69
OAM tab 62-67
PVC dialog box
Protocol tab 62-64
QoS tab 62-61
Settings tab 62-58
PVC policies
unable to deploy 9-15
Q
QoS
MPC rule wizard
tab 58-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 58-5
QoS Class dialog box 66-23
Edit ACLs dialog box 66-25
Marking tab 66-26
Matching tab 66-24
Policing tab 66-29
Queuing and Congestion Avoidance tab 66-27
Shaping tab 66-31
QoS queuing
default class 66-6
defining for classes 66-16
tail drop vs. WRED 66-4
understanding 66-4
understanding LLQ 66-5
quality of service (QoS)
CEF requirements 66-2
defining on control plane 66-12
defining on interfaces 66-10
defining policies 66-10
on Cisco IOS routers 66-1
QoS Class dialog box 66-23
QoS Policy dialog box 66-21
Quality of Service Policy page 66-19
understanding
Control Plane Policing 66-9
default class queuing 66-6
low-latency queuing 66-5
marking parameters 66-3
matching parameters 66-2
policing parameters 66-6
queuing parameters 66-4
shaping parameters 66-6
tail drop and WRED 66-4
token-bucket mechanism 66-8
quality of service (QoS) classes
defining marking parameters 66-15
defining matching parameters 66-13
defining policing parameters 66-17
defining queuing parameters 66-16
defining shaping parameters 66-18
query
CS-MARS
access rule events 72-42
IPS signature events 72-44
looking up policies based on related events 72-45
overview 72-41
troubleshooting 72-40
Event Viewer
access rule events 69-56
IPS signature events 69-57
looking up policies based on related events 69-54
overview 69-55
Querying Device or Policy dialog box 12-29
quick filter
searching for events 69-47
Quick Launch for IP Intelligence 72-35
R
RADIUS
description 6-28
settings in AAA server objects 6-35
RAM
Image Manager 73-17
rate limiting, IPS 43-4
Real-time Log Viewer 72-18
recovery
event data store 69-36
Recurring Ranges dialog box 6-72
Redeploy a Job dialog box 8-53
Redeploying Licenses dialog box 11-60
rediscovering
remote access VPNs 30-12
rediscovering site-to-site VPNs 25-27
Rediscover VPN Policies wizard 25-27
redundant interfaces 46-8
red X in device selector, troubleshooting 9-9
Refresh Map command 1-33
regular expression group objects
properties 17-108
regular expression objects
metacharacters 17-109
properties 17-108
regular IPsec
mandatory and optional policies 25-6
supported platforms 25-9
supported platforms for remote access VPNs 30-8
Reject Activity command 1-36
Reject Activity dialog box 4-21
Reject Deployment Job dialog box 8-20, 8-39
remote access
user
logging off 71-30
remote access VPN
system variables 7-19
Remote Access VPN Configuration wizard
IPsec VPN
Defaults page 30-31
IPsec Settings page (ASA) 30-30
IPsec VPN Connection Profile page (ASA) 30-28
User Groups page 30-36
IPsec VPNs
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
SSL VPN
Access page (ASA) 30-16
Connection Profile page (ASA) 30-17
Gateway and Context Page (IOS) 30-33
Portal Page Customization Page (IOS) 30-35
SSL VPNs
creating on ASA devices 30-14
creating on IOS devices 30-32
using 30-13
remote access VPNs
ASA devices
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
configuring using wizard 30-13
device support 30-8
discovering 30-12
IOS devices
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
IPsec 31-36
access policies for IKEv2 (ASA), configuring 31-49
access policies for IKEv2 (ASA), reference 31-45
access policies for IKEv2 (ASA), understanding 31-44
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1) 31-37
cluster load balancing 31-5
configuring IKE and IPsec policies 26-1
connection profiles 31-7
connection profiles (ASA, PIX 7+) 31-8
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
Dynamic VTI/VRF Aware IPsec settings 33-7
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
high availability policies 33-11
IKE proposals 26-9
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
NAT settings 26-42
policy overview 30-9
policy overview (ASA, PIX 7.0+) 31-2
policy overview (IOS, PIX 6.3) 33-2
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
understanding 30-2
understanding IKE 26-5
understanding NAT settings 26-41
user group policies for IOS, PIX 6.3 33-13
VPNSM, VPN SPA, VSPA settings 33-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring for ASA and PIX 7.0+ devices 31-40
configuring for IOS and PIX 6.3 devices 33-3
managing 30-1
managing (ASA, PIX 7.0+) 31-1
managing (IOS, PIX 6.3) 33-1
rediscovering 30-12
SSL 31-43
access modes 30-4
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
advanced settings (ASA) 31-72
AnyConnect client image settings (ASA) 31-65
AnyConnect client settings (ASA) 31-62, 31-64
AnyConnect custom attributes (ASA) 31-70, 31-71
browser plug-ins (ASA) 31-60
cluster load balancing 31-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 31-57
connection profiles 31-7
connection profiles (ASA) 31-8
content rewrite rules (ASA) 31-53
Context Editor dialog box (IOS) 33-15, 33-16
creating on ASA 30-14
creating on IOS devices 30-32
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
encoding rules (ASA) 31-55
example 30-3
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
Kerberos Constrained Delegation (KCD on ASA) 31-66, 31-69
limitations 30-8
managing support files 30-5
NAT settings 26-42
other settings (ASA) 31-51
performance settings (ASA) 31-52
policies (IOS) 33-14
policy overview 30-9
policy overview (ASA, PIX 7.0+) 31-2
policy overview (IOS, PIX 6.3) 33-2
prerequisites 30-7
proxy bypass rules (ASA) 31-59
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
server certificate verification (ASA) 31-30, 31-32, 31-73
shared license (ASA) 31-74
shared license clients (ASA) 31-76
shared license servers (ASA) 31-77
understanding 30-2
understanding NAT settings 26-41
wizard 30-13
understanding 30-1
Remote Detection Indication (RDI) cells 62-51
Rename Policy Bundle dialog box 5-58, 5-59
Rename Policy command 1-32
Rename Policy dialog box 5-48
Rendezvous Point
PIX/ASA/FWSM
add/edit 55-16
Rendezvous Points
PIM 55-15
Report Manager
arranging window 70-30
closing 70-32
configuring default settings 70-29
configuring devices to provide reports 70-3
configuring Event Manager service 69-30
configuring schedules 70-34
creating custom reports 70-21
deleting another user’s custom reports 70-32
deleting reports 70-32
deleting schedules 70-36
disabling schedules 70-36
drill-down reports 70-26
editing report settings 70-22
enabling schedules 70-36
examples of analysis
monitoring botnet activity 69-64
exporting reports 70-28
generated report pane and toolbar 70-12
generating reports 70-20
managing custom reports 70-32
opening reports 70-20
overview 70-1, 70-6
printing reports 70-27
renaming reports 70-31
report list 70-9
report settings 70-10
saving reports 70-31
scheduling reports 70-33
settings page 11-38
troubleshooting 70-36
understanding 70-1
understanding access control 70-5
understanding data aggregation 70-4
understanding predefined reports
firewall summary botnet reports 70-15
firewall traffic reports 70-14
general IPS reports 70-19
general VPN reports 70-16
IPS top reports 70-17
overview 70-13
VPN top reports 70-16
using 70-19
viewing schedule results 70-35
viewing schedules 70-33
Report Manager command 1-38
Report Manager in Dashboard 72-2
reports
arranging windows 70-30
closing 70-32
configuring default settings for reports 70-29
configuring devices for Report Manager reporting 70-3
configuring schedules 70-34
creating custom 70-21
deleting 70-32
deleting another user’s in Report Manager 70-32
deleting schedules 70-36
deployment status 10-30
disabling schedules 70-36
discovery status 10-30
drilling down 70-26
editing settings 70-22
enabling schedules 70-36
example policy query 12-34
exporting 70-28
generating 70-20
generating access rule analysis 16-34
generating policy query 12-28
interpreting policy query 12-32
managing 70-1
managing custom 70-32
opening 70-20
overview of available types 70-2
predefined Report Manager
firewall summary botnet reports 70-15
firewall traffic reports 70-14
general IPS reports 70-19
general VPN reports 70-16
IPS top reports 70-17
overview 70-13
VPN top reports 70-16
printing 70-27
renaming 70-31
Report Manager
generated report pane and toolbar 70-12
overview 70-6
report list 70-9
report settings 70-10
saving 70-31
scheduling in Report Manager 70-33
understanding Report Manager 70-1
understanding Report Manager access control 70-5
understanding Report Manager data aggregation 70-4
using Report Manager 70-19
viewing schedule results 70-35
viewing schedules 70-33
reputation
configuring global correlation 42-5
understanding IPS global correlation 42-2
Request Filter
PIM 55-18, 55-20
Resources
FWSM 51-3
add/edit 51-4
managing 51-2
restorebackup.pl command 10-27
restore database 10-27
Resume Deployment Schedule dialog box 8-20, 8-58
retry count
device communication 11-22
reverse route injection 26-21
RIP
PIX/ASA/FWSM 56-119
(PIX/ASA 6.3–7.1, FWSM) 56-120
(PIX/ASA 6.3–7.1, FWSM) configuration 56-121
(PIX/ASA 7.2+) 56-122
(PIX/ASA 7.2+) Filtering 56-126
(PIX/ASA 7.2+) Filtering configuration 56-127
(PIX/ASA 7.2+) Interface 56-127
(PIX/ASA 7.2+) Interface configuration 56-128
(PIX/ASA 7.2+) Redistribution 56-125
(PIX/ASA 7.2+) Redistribution configuration 56-125
(PIX/ASA 7.2+) Setup 56-123
RIP routing
Cisco IOS routers
Authentication dialog box 67-47
Authentication tab 67-46
defining interface authentication 67-43
defining setup parameters 67-42
overview 67-42
redistributing routes 67-44
Redistribution Mapping dialog box 67-49
Redistribution tab 67-48
RIP Routing Policy page 67-45
Setup tab 67-45
roles, IPS user 36-15
rollback
archived configuration files 8-70
last deployed configuration 8-69
when deploying to file 8-71
Rollback a Job dialog box 8-69
round robin allocation
PAT 24-41
routed ports
Create and Edit Interface dialog boxes - Routed Port mode 68-12
understanding 68-5
route map objects
creating 56-132
properties 56-136
understanding 56-132
Router Block Interface dialog box 43-15
Router Device dialog box 43-14
router platform interface
802.1x Policy page 64-5
AAA policy
AAA Policy page 63-6
Accounting tab 63-10
Authentication tab 63-6
Authorization tab 63-8
Command Accounting dialog box 63-13
Command Authorization dialog box 63-10
accounts and credentials policy
Accounts and Credentials Policy page 63-16
User Accounts dialog box 63-17
ADSL policy
ADSL Policy page 62-37
ADSL Settings dialog box 62-38
advanced interface settings policy
Advanced Interface Settings dialog box 62-16
Advanced Interface Settings page 62-16
BGP policy
BGP Neighbors dialog box 67-6
BGP Redistribution tab 67-7
BGP Routing Policy page 67-4
BGP Setup tab 67-5
Redistribution Mapping dialog box 67-7
bridging policy
Bridge Group dialog box 63-21
Bridging Policy page 63-21
CEF interface policy 62-26
CEF Interface Settings dialog box 62-27
Clock Policy page 63-23
console policy
AAA tab 63-44
Accounting tab 63-47
Authentication tab 63-44
Authorization tab 63-45
Command Accounting dialog box 63-61
Command Authorization dialog box 63-60
Console Policy page 63-42
Setup tab 63-42
CPU Policy page 63-26
DHCP policy
DHCP Database dialog box 63-94
DHCP Policy page 63-92
IP Pool dialog box 63-94
dialer interface policy
Dialer Physical Interface dialog box 62-33
Dialer Policy page 62-31
Dialer Profile dialog box 62-32
DNS policy
IP Host dialog box 63-76
DNS Policy page 63-76
EIGRP policy
EIGRP Routing Policy page 67-13
Interface dialog box 67-16
Interfaces tab 67-15
Redistribution Mapping dialog box 67-18
Redistribution tab 67-17
Setup dialog box 67-14
Setup tab 67-13
Hostname Policy page 63-78
HTTP policy
AAA tab 63-32
Command Authorization Override dialog box 63-34
HTTP Policy page 63-31
Setup tab 63-31
interfaces policy
Create Router Interface dialog box 62-8
Interface Auto Name Generator dialog box 62-12
Router Interfaces page 62-7
IPS interface policy
IPS Monitoring Information dialog box 62-24
IPS Module interface policy
IPS Module Interface Policy Page 62-23
logging policy
Syslog Server dialog box 65-11
logging setup policy
Logging Setup Policy page 65-7
Memory Policy page 63-79
NAC policy
Identities tab 64-18
Identity Action dialog box 64-19
Identity Profile dialog box 64-19
Interface Configuration dialog box 64-17
Interfaces tab 64-16
NAC Policy page 64-14
Setup tab 64-14
NAT policy
Dynamic Rule dialog box 24-11
Interface Specification tab 24-6
Static Rule dialog box 24-7
Static Rules tab 24-6
NetFlow policy 65-5, 65-12
NTP policy
NTP Policy page 63-98
NTP Server dialog box 63-99
OSPF policy
Area dialog box 67-37
Area tab 67-36
Interface dialog box 67-31
Max Prefix Mapping dialog box 67-41
OSPF Interface Policy page 67-30
OSPF Process Policy page 67-34
Redistribution Mapping dialog box 67-39
Redistribution tab 67-38
Setup dialog box 67-35
Setup tab 67-35
PPP/MLP policy
PPP/MLP Policy page 62-76
PPP dialog box 62-77
PVC policy
Define Mapping dialog box 62-65
PVC Advanced Settings dialog box 62-66
PVC dialog box 62-56
PVC Policy page 62-55
QoS policy
QoS Class dialog box 66-23
QoS Policy dialog box 66-21
Quality of Service Policy page 66-19
RIP policy
Authentication dialog box 67-47
Authentication tab 67-46
Redistribution Mapping dialog box 67-49
Redistribution tab 67-48
RIP Routing Policy page 67-45
Setup tab 67-45
Secure Device Provisioning Policy page 63-85
Secure Shell Policy page 63-64
SHDSL policy
Controller Auto Name Generator dialog box 62-46
SHDSL Controller dialog box 62-43
SHDSL Policy page 62-42
SNMP policy
Permission dialog box 63-70
SNMP Policy page 63-69
SNMP Traps dialog box 63-72
Trap Receiver dialog box 63-71
static routing policy
Static Routing dialog box 67-52
Static Routing Policy page 67-51
syslog servers policy
Syslog Servers Policy page 65-10
VTY policy
Command Accounting dialog box 63-61
Command Authorization dialog box 63-60
VTY Line dialog box 63-51
VTY Policy page 63-50
router platform policies
Device Admin policies
AAA 63-2
accounts and credentials 63-14
CPU settings 63-25
DHCP 63-87
DNS 63-74
host and domain names 63-77
HTTP 63-28
line access 63-35
memory settings 63-78
optional SSH settings 63-63
Secure Device Provisioning (SDP) 63-81
SNMP 63-66
time zone settings 63-22
transparent bridging 63-18
Identity policies
802.1x 64-1
Network Admission Control (NAC) 64-8
Interface policies
ADSL 62-34
advanced settings 62-13
basic settings 62-1
dialer interfaces 62-28
PPP 62-71
PVC 62-47
SHDSL 62-41
Logging policies 65-1
NAT 24-5
dynamic rules 24-10
static rules 24-6
timeouts 24-13
NetFlow policies 65-1
Network Time Protocol (NTP) 63-96
quality of service (QoS) 66-1
Routing policies
BGP routing 67-1
EIGRP routing 67-8
OSPF routing 67-19
RIP routing 67-42
static routing 67-50
routers
adding SSL thumbprints manually 9-5
CEF interface settings policies 62-25
Cisco Discovery Protocol (CDP) settings 62-18
communication requirements 2-1
configuring SSH 2-6
default transport protocol for 12.1 and 12.2 11-22
default transport protocol for 12.3 and above 11-22
deploying configurations using TMS 8-43
enabling directed broadcasts 62-20
enabling Maintenance Operation Protocol (MOP) 62-19
enabling NBAR protocol discovery 62-19
enabling proxy ARP 62-19
enabling unicast reverse path forwarding (RPF) 62-20
enabling virtual fragment reassembly (VFR) 62-19
FlexConfig object samples 7-24
generating interface names 62-4
ICMP message settings 62-18
IPS Module interface settings policies 62-22
licenses 2-10
mixing deployment methods 9-14
selecting policy types to manage 5-11
setting up SSL (HTTPS) 2-4
SSL certificate configuration 11-22
system variables 7-13
troubleshooting deployment 9-14
Route Tree
PIM 55-17
routing
PIX/ASA/FWSM
about EIGRP 56-33
about OSPF 56-75
about OSPFv3 56-101
authentication 56-75
BGP 56-2, 56-3
BGP - General tab 56-5
BGP - IPv4 Family - Aggregate Address configuration 56-9, 56-22
BGP - IPv4 Family - Filter configuration 56-10
BGP - IPv4 Family - General tab 56-7, 56-21
BGP - IPv4 Family - Neighbor configuration 56-11, 56-24
BGP - IPv4 Family - Network configuration 56-17, 56-29
BGP - IPv4 Family - Redistribution configuration 56-18, 56-30
BGP - IPv4 Family - Route Injection configuration 56-19, 56-31
BGP - IPv4 Family tab 56-6, 56-20
configuring on 56-1
configuring static routes 56-128
EIGRP 56-32
EIGRP - advanced settings 56-34
EIGRP - Filter Rule configuration 56-40
EIGRP - Filter Rules tab 56-39
EIGRP - Interface configuration 56-48
EIGRP - Interfaces tab 56-47
EIGRP - neighbor configuration 56-42
EIGRP - Neighbors tab 56-41
EIGRP - redistribution configuration 56-44
EIGRP - Redistribution tab 56-42
EIGRP - Setup tab 56-36
EIGRP - Summary Address configuration 56-46
EIGRP - Summary Address tab 56-45
IPv6 Static Route configuration 56-131
No Proxy ARP 56-1
OSPF 56-75
OSPF - advanced settings 56-77
OSPF - Area/Area networks 56-82
OSPF - Area Range 56-84
OSPF - Area tab 56-81
OSPF - Filtering configuration 56-93
OSPF - Filtering tab 56-92
OSPF - Filter Rule configuration 56-94
OSPF - Filter Rule tab 56-94
OSPF - General tab 56-76
OSPF - Interface configuration 56-98
OSPF - Interface tab 56-96
OSPF - Neighbors tab 56-85
OSPF - Range tab 56-84
OSPF - Redistribution rule 56-87
OSPF - Redistribution tab 56-86
OSPF - static neighbor 56-85
OSPF - Summary Address configuration 56-96
OSPF - Summary Address tab 56-95
OSPFv3 56-100, 56-101
OSPFv3 - advanced settings 56-104
OSPFv3 - Area/Area networks 56-108
OSPFv3 - Area Range 56-110
OSPFv3 - Area tab 56-108
OSPFv3 - Interface configuration 56-114
OSPFv3 - Interface tab 56-114
OSPFv3 - Process tab 56-103
OSPFv3 - Redistribution rule 56-112
OSPFv3 - static neighbor 56-118
OSPFv3 - Summary Prefix configuration 56-113
OSPFv3 - Virtual Link configuration 56-111
OSPF - Virtual Link configuration 56-90
OSPF - Virtual Link MD5 configuration 56-91
OSPF - Virtual Link tab 56-89
RIP (PIX/ASA 6.3–7.1, FWSM) 56-120
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 56-121
RIP (PIX/ASA 7.2+) 56-122
RIP (PIX/ASA 7.2+) Filtering 56-126
RIP (PIX/ASA 7.2+) Filtering configuration 56-127
RIP (PIX/ASA 7.2+) Interface 56-127
RIP (PIX/ASA 7.2+) Interface configuration 56-128
RIP (PIX/ASA 7.2+) Redistribution 56-125
RIP (PIX/ASA 7.2+) Redistribution configuration 56-125
RIP (PIX/ASA 7.2+) Setup 56-123
RIP page 56-119
static null 0 routing 56-128
Static Route configuration 56-130
VPNs with routing processes 9-13
routing redistribution
BGP Redistribution Mapping dialog box 67-7
BGP Redistribution tab 67-7
EIGRP Redistribution Mapping dialog box 67-18
EIGRP Redistribution tab 67-17
into BGP 67-3
into EIGRP 67-12
into OSPF 67-22
into RIP 67-44
OSPF Max Prefix Mapping dialog box 67-41
OSPF Process Redistribution tab 67-38
OSPF Redistribution Mapping dialog box 67-39
RIP Redistribution Mapping dialog box 67-49
RIP Redistribution tab 67-48
RPC
configuring for inspection rules 17-21
RSA keys
generating, synchronizing for GET VPN 29-13
Rule Analysis Detail Report
generating 16-34
Rule Combiner Results dialog box 12-25
rule expiration
configuring for access rules 16-22
Rule Expiration page 11-69
rules
default 5-5
mandatory 5-5
rules tables
adding rules 12-9
columns and headings 1-49
commands, Edit menu 1-31
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-48
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-8
rule tables
moving rules 12-19
RX-Boot Mode Credentials dialog box 3-48
S
Save As command (Report Manager) 70-8
Save command 1-30
Save command (Report Manager) 70-8
Save Map As command 1-33
Save Map As dialog box 35-10
Save Map command 1-33
ScanSafe Web Security Settings 20-6
scenarios
creating FlexConfigs 7-25
SCEP (Simple Certificate Enrollment Protocol)
CA server authentication 26-51
Schedule dialog box 8-56
schedules
configuring in Report Manager 70-34
deleting in Report Manager 70-36
disabling in Report Manager 70-36
enabling in Report Manager 70-36
reports in Report Manager 70-33
viewing in Report Manager 70-33
viewing results in Report Manager 70-35
schedules, deployment
changes not deployed 8-55
creating or editing 8-55
including devices 8-8
suspending or resuming 8-58
viewing status and history 8-26
scripting language
examples
looping 7-3
looping with if/else statements 7-4
looping with two-dimensional arrays 7-3
FlexConfig objects 7-3
SDEE
subscriptions for IOS IPS 45-8
SDI
settings in AAA server objects 6-43
SDM
access rule look-up 72-19
device manager 72-16
searching for items 1-42
Secondary Interface Specific Authentication Server Groups dialog box 31-16
secure desktop manager policies
configuring 32-9
Secure Device Provisioning (SDP)
configuring AAA for administrative introducers 63-84
contents of bootstrap 63-82
defining policies 63-83
Secure Device Provisioning page 63-85
understanding
introducers 63-81
petitioners 63-81
registrars 63-81
TTI 63-81
workflow 63-82
SecureID servers (SDI)
description 6-29
Secure Shell
PIX/ASA/FWSM
add/edit SSH host 49-8
Secure Shell (SSH)
Cisco IOS routers
defining optional settings 63-63
optional settings overview 63-63
Secure Shell Policy page 63-64
PIX/ASA/FWSM 49-7, 49-8
security associations
GET VPN
using passive mode during migration 29-23
security certificate
invalid during discovery 9-7
security context
Failover page 50-26
security contexts
adding to failover group 2 50-8
admin context
overview 59-1
configuring multiple 59-3
configuring on firewall devices 59-1
deleting FWSM 59-7
discovering policies 5-13
FWSM 59-8
configuration 59-8
managing Resources 51-2
Resources 51-3
PIX/ASA
allocate interfaces 59-12
configuration 59-9
viewing allocated interfaces 59-12
PIX/ASA/FWSM
enabling multi-context mode 59-1
managing 59-7
restoring single-context mode 59-1
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions 8-64
rollback restrictions for failover devices 8-65
showing containment 3-56
security group aware firewall policies
configuring ISE settings 11-56
security group-aware firewall policies
configuring 14-7
managing 14-1
overview 14-1
security group objects
creating 14-14
security group tagging 46-44
Security Manager
access by CS-MARS 72-37
applications overview 1-6
archiving (backing up) the event data store 69-36
backing up and restoring database 10-24
Configuration Manager interface overview 1-14
configuring administrative settings 11-1
getting started 1-1
how permissions affect what you can do 1-11
initial configuration 1-25
installing client 1-12
integrating with Security Manager 72-36
integration with CS-MARS 72-36
logging into and exiting 1-12
managing the server 10-1
overview 1-1
recovering the event data store 69-36
reports overview 70-2
server cluster
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
server management and administration 10-1
using 1-14
Security Manager Administration command 1-36
Security Manager Diagnostics command 1-36
Security Manager Online command 1-38
security policies
PIX/ASA/FWSM 57-1
General configuration 57-3
General page 57-1
timeouts 57-4
security ratings for Trend class maps 21-20
see LACP 46-12
Select Address Pool
PIX/ASA/FWSM Platform 24-24
Select Interfaces dialog box 35-20
selectors
filtering items 1-45
using 1-45
selector trees
selecting items 1-45
Select Policy Object dialog box 35-18
Select VPN to Configure dialog box 35-22
self near-end crosstalk (SNEXT) 62-46
Self zone 21-5
sensors, IPS
allowed hosts 36-7
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
detection zones 41-3
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
blocking
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
capturing network traffic 36-2
certificates 44-10
configuration overview 36-5
configuration overview for IOS IPS 45-4
configuring AAA 36-21
configuring Analysis Engine global variables 36-30
configuring DNS servers 36-24
configuring HTTP proxy server 36-24
configuring NTP 36-23
configuring OS maps 40-21
configuring SNMP 36-8
configuring target value ratings 40-17
configuring the external product interface 36-26
configuring user accounts 36-18
deployment of passwords 36-17
deployment topology 36-4
discovery of passwords 36-17
event actions
example filter rule 69-67
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
getting started 36-1
global correlation
configuring 42-1
configuring inspection and reputation 42-5
configuring network participation 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
interfaces
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IPS modules for ASA 58-15
licenses
automating 44-3
managing 44-1
redeploying 44-2
updating 44-1
managing 44-1
managing user accounts and passwords 36-15
monitoring
removing false positive IPS events 69-66
passive OS fingerprinting 40-19
password requirements 36-20
rebooting 44-12
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
configuring settings 39-30
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
traffic flow notifications 36-30
tuning recommendations 36-4
understanding managed and unmanaged passwords 36-16
understanding network sensing 36-2
understanding user roles 36-15
updates
automatically applying 44-6
checking for and downloading 44-5
configuring server 44-4
managing 44-4
manually applying 44-7
user account attributes 36-19
virtual sensors
advantages 38-3
assigning interfaces 38-4
attributes 38-7
configuring 38-1, 38-5
deleting 38-10
editing policies 38-9
identifying 38-5
inline TCP session tracking mode 38-3
Normalizer mode 38-4
renaming 38-8
restrictions 38-3
understanding 38-1
sensorupdate.properties 44-6
server
managing Security Manager 10-1
syslog
PIX/ASA/FWSM 54-21, 54-27
server, IPS update 44-4
server, Security Manager
configuring administrative settings 11-1
managing or administrating 10-1
Server Access
PIX/ASA/FWSM 52-1, 53-1
AUS, add/edit server 52-3, 53-2, 53-3, 53-4
AUS page 52-1
DDNS interface rule 52-19
DDNS page 52-18
DDNS update methods 52-19
DDNS update methods, add/edit 52-20
DHCP Relay, add/edit agent 52-6
DHCP Relay, add/edit server 52-7
DHCP Relay page 52-5
DHCP Server, add/edit 52-12
DHCP Server, advanced configuration 52-13
DHCP Server, options 52-13
DHCP Server page 52-10
DHCPv6 Relay, add/edit agent 52-9
DHCPv6 Relay, add/edit server 52-9
DHCPv6 Relay page 52-7
DNS page 52-14
DNS server, add 52-17
DNS server group 52-16
NTP page 52-21
NTP server configuration 52-21
SMTP page 52-22
TFTP server page 52-23
server cluster, Security Manager
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
Server Load Balance page 27-17
server load balancing
configuring for large scale DMVPN 27-16, 27-17
server attributes in large scale DMVPN 27-17
Server Properties dialog box 3-38
Server Security page 10-2
Server Security Settings page 11-70
Service
ASA CX
Auth Proxy Configuration 58-17
PIX/ASA/FWSM
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules wizard 58-6, 58-8
policy wizard 58-6
priority queues 58-4
priority queues configuration 58-4
security group aware IPS, QoS, and Connection Rules 14-17
Service Policy Rules 58-5
traffic class 58-7
service, Event Manager
configuring 69-30
managing 69-30
monitoring event store disk space 69-35
monitoring status 69-31
selecting devices to monitor 69-34
starting or stopping 69-30
status icon colors 69-31
service agreement contracts 10-16
Service Contents dialog box 12-14
Secure Device Provisioning (SDP)
on Cisco IOS routers 63-81
Service Module Credentials dialog box 3-19
Service Modules
Catalyst
firewalls 46-1
service objects
creating 6-100
naming when provisioned as object groups 6-107
provisioning as object groups 6-108
Services dialog box 6-103
understanding 6-100
service policy
configuring identity-aware rules 13-21
configuring security group aware rules 14-17
Service Policy (MPC) Rule Wizard 58-6
Connection Settings tab 58-8
CSC tab 58-8
CXSC tab 58-8
IPS tab 58-8
QoS tab 58-8
User Statistics tab 58-8
service policy rules
configuring on firewall devices 58-1
services
specifying 6-100
Set Linked Map dialog box 35-13
Settings
ScanSafe 20-6
settings
device communications 9-4
Settings, Event Actions policy 40-23
settings, report
editing 70-22
Settings pages
Autolink 11-3
CCO Settings 11-4
Configuration Archive 11-6
CS-MARS 11-7
CSM Mobile 11-9
Customize Desktop 11-10
Debug Options 11-11
Deployment 11-13
Device Communication 11-21
Device Groups 11-24
Discovery 11-25
Event Management 11-27, 11-35
CPU Throttling Policy 11-33
Health and Performance Monitor 11-36
Identity 11-38
Image Manager 11-41
IP Intelligence Settings 11-41
ISE 11-56
Licensing 11-57
Logs 11-62
Policy Management 11-64
Policy Objects 11-66
Report Manager 11-38
Rule Expiration 11-69
Server Security 11-70
Take Over User Session 11-71
Ticket Management 11-72
Token Management 11-73
VPN Policy Defaults 11-74
Workflow 11-75
SHA hash algorithm 26-6
Share Device Policies command 1-32
shared license clients
configuring 31-76
shared license servers
configuring 31-77
shared policies
cloning (copying) 5-47
Device view
adding local rules to selected device 5-45
assigning to selected device 5-44
modifying 5-49
modifying assignments 5-49
policy banner 5-38
sharing local 5-41
sharing multiple local policies 5-42
unsharing 5-43
working with 5-37
exporting 10-12
exporting with device inventory 10-6
importing 10-13
inheriting policies 5-47
Policy Bundle view
cloning 5-58
creating 5-57
renaming 5-58, 5-59
Policy view
creating 5-54
deleting 5-56
managing 5-50
modifying assignments 5-54
renaming 5-48
Site-to-Site VPN Manager
assigning to selected device 5-44
modifying assignments 5-49
sharing local 5-41
unsharing 5-43
working with 5-37
synchronizing among Security Manager servers 10-5
Shared Policy Assignments dialog box 5-49
Share Policies wizard 5-42
Share Policy command 1-32
Share Policy dialog box 5-41
SHDSL
Controller Auto Name Generator dialog box 62-46
defining controllers 62-41
on Cisco IOS routers 62-41
SHDSL Controller dialog box 62-43
SHDSL Policy page 62-42
shortcut menu commands
policies in Device view and Site-to-Site VPN Manager 5-40
Show Containment command 1-35
Show Devices On Map command 1-33
Show Devices on Map dialog box 35-16
Show Navigation Window command 1-33
Show VPN Peers dialog box 35-22
Show VPNs On Map command 1-33
Show VPNs on Map dialog box 35-21
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
configuring settings 39-30
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
inheritance 39-3
parameters list 39-24
policy 39-4
selecting category for Cisco IOS IPS 45-6
shortcut menu 39-10
tuning 69-66
tuning recommendations 36-4
understanding 39-1
updates
automatically applying 44-6
checking for and downloading 44-5
configuring server 44-4
managing 44-4
manually applying 44-7
viewing related CS-MARS events 72-44
viewing related events 69-57
viewing update level 39-9, 39-13
Signature Settings page 39-30
Signatures page
overview 39-4
shortcut menu 39-10
Simple Network Management Protocol
see SNMP 49-14
single sign on server (SSO) objects
properties 34-42
SIP (ASA, PIX) class map objects
creating 17-22
SIP (ASA/PIX/FWSM) policy map objects
creating 17-22
properties 17-83, 17-93, 17-102, 17-103
SIP (IOS) class map objects
creating 21-16
match criteria 21-25
SIP (IOS) policy map objects
creating 21-16
match conditions and actions 21-35
SIP class map objects
match criteria 17-85, 17-95
SIP policy map objects
match conditions and actions 17-85, 17-95
Site-to-Site VPN Manager
assigning shared policies 5-44
copying shared policies 5-47
managing policies 5-30
modifying policy assignments 5-49
policy banner 5-38
policy shortcut menu 5-40
renaming policies 5-48
sharing local policies 5-41
unassigning policies 5-36
understanding shared policies 5-37
unsharing policies 5-43
Site-to-Site VPN Manager window 25-18
Site-to-Site VPN policy page (Device view) 25-19
site-to-site VPNs
accessing topologies and policies 25-17
configuring global settings
configuring fragmentation settings 26-31, 26-44
configuring IKEv2 settings 26-37
configuring ISAKMP/IPsec settings 26-33
configuring NAT settings 26-42
overview 26-30
understanding NAT settings 26-41
configuring IKE and IPsec policies 26-1
creating or editing Extranet VPN topologies 25-66
creating or editing VPN topologies 25-28
discovering 25-24
managing 25-1
rediscovering 25-27
repairing discovered VPNs with multiple spoke definitions 25-26
understanding discovery 25-20
understanding topologies 25-2
using device overrides to customize VPN policies 25-13
viewing summary of VPN configuration 25-63
Site-to-Site VPNs command 1-34
Skinny policy map objects
creating 17-22
match conditions and actions 17-89
properties 17-87
SLA monitor objects
attributes 51-10
configuring 51-9
understanding 51-8
Smartfilter (N2H2)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-36, 21-39, 21-41
Smart Tunnel Auto Signon Entry dialog box 34-72
Smart Tunnel Auto Signon Lists dialog box 34-71
smart tunnels
configuring for ASA SSL VPNs 31-85
SMTP
configuring for inspection rules 17-20
preventing DoS attacks using zone based firewall 21-27
preventing spam using zone based firewall 21-27
SMTP class map objects
creating 21-16
match criteria 21-27
SMTP policy map objects
creating 21-16
match conditions and actions 21-35
SMTP server
configuring 1-27
PIX/ASA/FWSM 52-22
SNEXT 62-46
SNMP
about SNMP Version 3 49-15
Cisco IOS routers
defining agent properties 63-67
enabling traps 63-68
overview 63-66
Permission dialog box 63-70
SNMP Policy page 63-69
SNMP Traps dialog box 63-72
Trap Receiver dialog box 63-71
configuring for HPM S2S polling 71-40
configuring for IPS sensors 36-8
configuring on firewall devices 49-14
IPS general options 36-10
IPS trap options 36-11, 36-13
PIX/ASA/FWSM 49-17
groups 49-24
host access 49-22
MIBs 49-14
OIDs 49-14
SNMPv3 49-24, 49-25
Trap configuration 49-19
users 49-25
terminology 49-15
SNMP Credentials dialog box 3-48
SNMP policy map objects
creating 17-22
properties 17-90
SNMP Trap Communication dialog box 36-12, 36-14
SNMP Trap Communication tab, SNMP policy for IPS 36-11, 36-13
socket read timeout
device communication 11-22
Software Application Support contracts 10-16
Source Contents dialog box 12-14
spam
blocking spam using zone-based firewall rules 21-27
spoke-to-spoke connections, DMVPN 27-10
spoofing, preventing 57-1, 57-3
spoofing attacks, preventing 17-4
SSH
configuring on IOS routers, Catalyst switches, Catalyst 6500/7600 devices 2-6
line ending conventions 2-5
preventing non-SSH connections 2-7
setting up 2-5
testing authentication 2-6
troubleshooting connections 9-7
SSL
remote access SSL VPNs
advanced settings (ASA) 31-72
AnyConnect client settings (ASA) 31-62, 31-64
browser plug-ins 31-60
content rewrite rules (ASA) 31-53
encoding rules (ASA) 31-55
Kerberos Constrained Delegation (KCD on ASA) 31-66, 31-69
proxy bypass rules (ASA) 31-59
remote access VPNs 31-43
access modes 30-4
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
AnyConnect client image settings (ASA) 31-65
AnyConnect custom attributes (ASA) 31-70, 31-71
cluster load balancing 31-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 31-57
connection profiles 31-7
connection profiles (ASA) 31-8
Context Editor dialog box (IOS) 33-15, 33-16
creating on ASA 30-14
creating on IOS devices 30-32
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
example 30-3
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
limitations 30-8
managing support files 30-5
NAT settings 26-42
other settings (ASA) 31-51
performance settings (ASA) 31-52
policies (IOS) 33-14
prerequisites 30-7
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
server certificate verification (ASA) 31-30, 31-32, 31-73
shared license clients (ASA) 31-76
shared licenses (ASA) 31-74
shared license servers (ASA) 31-77
understanding 30-2
understanding NAT settings 26-41
wizard 30-13
setting up 2-3
troubleshooting certificate errors 9-5
VPN
sharing connection profiles on ASAs 30-8
SSL authentication certificates
adding thumbprints manually 9-5
configuring default settings for how handled 11-22
SSL VPN
policy discovery restriction 3-8
SSL VPN Access page (ASA) 31-45
SSL VPN bookmark objects
configuring 31-82
post URL method and macro substitutions 31-84
SSL VPN Bookmarks objects
SSL VPN Bookmarks dialog box 34-45
SSL VPN Configuration wizard
Access page (ASA) 30-16
Connection Profile page (ASA) 30-17
Gateway and Context Page (IOS) 30-33
Portal Page Customization Page (IOS) 30-35
SSL VPN Customization objects
configuring 31-78
creating custom Logon page 31-82
localizing 31-80
SSL VPN gateway objects
properties 34-64
SSL VPN Other Settings page (ASA)
Advanced tab 31-72
Client Settings tab 31-64
Content Rewrite tab 31-53
Encoding tab 31-55
Microsoft KCD Server tab 31-66, 31-69
overview 31-51
Performance tab 31-52
Proxy tab 31-57
SSL Server Verification tab 31-30, 31-32, 31-73
SSL VPN Policy page (IOS) 33-14
SSL VPNs
ASA devices
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
IOS devices
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
SSL VPN Shared License page (ASA) 31-74
SSL VPN smart tunnel auto sign-on list objects
attributes 34-71
SSL VPN smart tunnel list objects
attributes 34-66, 34-69
configuring 31-85
stateful failover 50-3, 50-4
site-to-site VPN 25-54
stateless failover 50-3
states
activity 4-4
ticket 4-4
static crypto maps 26-19
Static Group tab (IGMP) 55-6
static NAT
Cisco IOS routers
disable automatic aliasing 24-7
disable payload 24-10
on Cisco IOS routers 24-6
static null 0 routing 56-128
static routes
configuring on firewall devices 56-128
PIX/ASA/FWSM
configuration 56-130
static routing
Cisco IOS routers
defining on 67-50
overview 67-50
Static Routing dialog box 67-52
Static Routing Policy page 67-51
Static Rule
PIX/ASA/FWSM 24-26
add/edit 24-27
status
activity 4-4
ticket 4-4
subinterfaces 46-7, 46-15
specifying during policy definition 6-76
Submit Activity command 1-36
Submit Activity dialog box 4-20
Submit and Deploy command 1-30
Submit command 1-30
Submit Deployment Job dialog box 8-38
Submitted activity state 4-5
Submit Ticket command 1-37
Sun RPC class map objects
creating 21-16
match criteria 21-29
Sun RPC policy map objects
creating 21-16
match conditions and actions 21-35
support, technical
creating diagnostic file 10-28
generating data 10-28
generating deployment or discovery status reports 10-30
generating partial database backup 10-30
Suspend Deployment Schedule dialog box 8-20, 8-58
switches
communication requirements 2-1
SYN flooding attacks, preventing 17-5
syslog
access rule look-up 72-17
deeply parsed for Event Viewer 69-6
logging
PIX/ASA/FWSM 54-1
message properties 69-18
syslog messages supported for policy lookup 72-46
syslog relay
CPU throttling policy 11-33
syslogs
Cisco IOS routers 65-1
system variables
devices 7-7
firewall 7-9
FlexConfigs 7-7
remote access VPN 7-19
routers 7-13
VPN 7-14
T
tables
using 1-48
tables, rules
adding rules 12-9
columns and headings 1-49
commands, Edit menu 1-31
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-48
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-8
TACACS+
description 6-28
settings in AAA server objects 6-38
Take Over User Session page 11-71
Target Value Rating dialog box 40-19
Target Value Ratings, IPS Network Information policy 40-17
target value ratings (IPS) 40-17
task flow
deployment
non-Workflow mode 8-3
Workflow mode 8-5
taskflow 1-19
TCP Map objects
properties 58-22
TCP State Bypass
ASA/FWSM 58-3
Telnet
PIX/ASA/FWSM 49-29
configuration 49-29
text fields
ASCII limitations 1-50
finding text in multiple-line 1-50
navigating 1-50
using 1-49
text objects
creating 7-32
TFTP servers
PIX/ASA/FWSM 52-23
thin client access mode 30-4
thresholds
configuring anomaly detection 41-11
understanding anomaly detection 41-9
throughput
VPN user reports 70-16
ticketing
overview 1-20
Ticket Management
settings 11-72
ticket management
comparing workflow modes 1-22
Ticket Manager window 4-10
tickets
closing 4-16
creating 4-14
discarding 4-22
multiple users 4-4
opening 4-15
states 4-4
Ticket Manager window 4-10
understanding 4-1
using global search to find specific tickets 1-42
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Tickets menu 1-36
tiered hub-and-spoke topologies 25-5
time
changing range for reports 70-22
timeouts
on firewall devices 57-4
timeouts (NAT)
Cisco IOS routers 24-13
Timeout Value
Firewall AAA 15-30
time range objects
attributes for recurring ranges 6-72
configuring 6-71
time slider (Event Viewer)
filtering with 69-44
using 69-25
time synchronization
on IOS routers 63-96
time zone settings
certificate errors 9-7
Cisco IOS routers
Clock Policy page 63-23
defining time zone and DST 63-22
overview 63-22
TMS
deploying configurations 8-43
deployment method 8-10
Token Management page 11-73
Token Management System (TMS)
settings 11-73
toolbar
activities 4-8, 4-9
toolbar reference
Configuration Manager 1-39
event table in Event Viewer 69-16
toolbars
Report Manager generated report 70-12
Report Manager report settings 70-10
Tools menu
Configuration Manager 1-34
Report Manager 70-8
Trace Route 72-26
TraceRoute 72-28
traffic class
PIX/ASA/FWSM
rules wizard 58-7
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
traffic encryption key (TEK), GET VPN 29-4
traffic flow notifications
configuring for IPS 36-30
traffic flow objects
default inspection traffic 58-20
properties 58-18
traffic match criteria 58-2
traffic zones 22-1
asymmetric routing 22-1
benefits 22-1
clustering 22-8
configuring 22-9
Equal-Cost Multi-Path (ECMP) 22-4
failover 22-8
firewall mode 22-8
guidelines 22-8
load balancing 22-1
lost route 22-1
prerequisites 22-7
security levels 22-6
supported services 22-6
understanding 22-6
transactional commit model 60-2
Transactional Commit page
PIX/ASA/FWSM Platform 60-2
transcripts
viewing 8-59
Transcript Viewer window 8-62
transform sets
attributes 26-27
understanding 26-20
Translation Exemption (NAT-0 ACL) Rule
PIX/ASA/FWSM 24-20
add/edit 24-21
Translation Options
PIX/ASA/FWSM 24-16, 24-17
Translation Rules
Add/Edit Per-Session NAT rules dialog boxes 24-47
ASA 8.3+ 24-34
Add/Edit NAT rules dialog boxes 24-36
per-session NAT rules 24-46
PIX/ASA/FWSM 24-19
translation table
clearing on deployment 60-1
transparent bridging
Cisco IOS routers
BVI interfaces 63-19
overview 63-18
defining bridge groups 63-20
transparent firewall
configuring on PIX/ASA/FWSM 47-1
NAT 24-16
transparent rules
adding or editing a rule 23-5
configuring 23-1
configuring DHCP passthrough for IOS devices 23-3
configuring in Map view 35-23
deleting 12-9
disabling 12-20
editing 12-10
editing the EtherType 23-7
editing the mask 23-7
enabling 12-20
managing 23-1
moving 12-19
Transparent Rules page 23-3
understanding processing order 12-2
Transparent Rules page 23-3
transport protocols
device defaults 11-22
overview of device requirements 2-1
transport settings
AUS 2-8
Configuration Engine 2-8
SSH 2-5
SSL (HTTPS) 2-3
traps, SNMP
configuring for IPS sensors 36-8
IPS options 36-11, 36-13
trees
selecting items 1-45
Trend class map objects
creating 21-36
Trend parameter map objects
creating 21-36
properties 21-42
troubleshooting
AUS deployment 9-18
Catalyst switch and module deployment 9-16
Configuration Engine deployment 9-18
creating diagnostics file 10-28
CS-MARS queries 72-40
deleted FWSM contexts do not remove configuration files 59-7
deployment 9-9
device communication and deployment 9-1
device discovery failures 3-7
device managers 72-16
device managers, using 72-14
devices marked with red X in device selector 9-9
error attempting to remove unreferenced object 9-12
Event Manager service status 69-31
Event Viewer Unavailable message 11-27, 11-36, 69-30
FlexConfigs 7-38
FWSM multiple-context deployment failures 9-17
generating data for TAC 10-28
generating deployment or discovery status reports 10-30
GET VPN registration failure 29-9
global correlation (IPS) configuration 42-4
ignoring device errors during deployment 9-10
invalid certificate error 9-7
minimum memory errors for ASA 8.3+ 9-12
mixing deployment methods 9-14
Not able to connect to server message, Report Manager 70-36
online help, problems accessing 1-52
packet capture, using 72-30
packet tracer, using 72-23
policy objects not available in Event Viewer 69-68
preshared key policies in VPN not discovered 25-23
Report Manager 70-36
router connection failures 2-2
router deployment 9-14
Security Manager cannot contact device after deployment 9-12
SSL certificate errors 9-5, 9-6
user interface problems 1-51
VPN crypto traffic unexpectedly dropped on GET VPN interfaces 29-9
VPNs with routing processes 9-13
VRF-aware IPsec deployment failures on Catalyst 6500/7600 devices 25-17
trunk ports
Create and Edit Interface dialog boxes, Trunk Port mode 68-14
understanding 68-5
Trusted Transitive Introduction (TTI)
use in SDP policies 63-81
TrustSec
Add/Edit Connection Peer dialog box 14-13
configuring connection peers 14-13
configuring ISE settings 11-56
configuring SXP 14-8
configuring SXP connection peers 14-12
security group objects
creating 14-14
SGT role mapping 14-11
TrustSec firewall policies
configuring 14-7
configuring rules 14-17
managing 14-1
TrustSec policies
monitoring 14-17
TrustSec security group objects
selecting 14-16
U
Unassign Policy command 1-32
Undock Map View command 1-33
unicast rekey in GET VPN 29-6
Unicast Reverse Path Forwarding 57-1, 57-3
unicast reverse path forwarding
enabling on routers 62-20
Unshare Policy command 1-32
Unspecified Bit Rate (UBR) 62-49
Unspecified Bit Rate Plus (UBR+) 62-49
Update Level dialog box 39-9, 39-13
updating images on devices 73-20
Updating Licenses from File dialog box 11-61
Updating Licenses via CCO dialog box 11-60
URLF Glob parameter map objects
metacharacters 21-46
properties 21-45
URL Filter parameter map objects
creating 21-36
properties 21-43
usage reports
generating 6-15
user accounts
configuring IPS 36-18
configuring IPS password requirements 36-20
discovery and deployment of IPS 36-17
IPS account attributes 36-19
managing IPS device 36-15
PIX/ASA/FWSM 51-7
add/edit 51-7
rolling back configurations 8-64
understanding IPS user roles 36-15
understanding managed and unmanaged passwords 36-16
User Accounts policy, IPS devices 36-18
user group objects
advanced PIX 6.3 settings 34-82
browser proxy settings 34-87
clientless settings 34-83
client VPN software update (IOS) settings 34-81
DNS/WINS settings 34-77
general settings 34-75
IOS client settings 34-78
IOS Xauth settings 34-80
split tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN connection settings 34-88
SSL VPN full tunnel settings 34-84
SSL VPN split tunneling settings 34-86
technology settings 34-73
thin client settings 34-84
user group policies
configuring for Easy VPN 28-14
configuring for remote access IPsec VPNs on IOS/PIX 6.3 33-13
User Group Policy page 33-13
user identity acquisition 13-2
user interface
applications overview 1-6
basic features 1-29
dialog box too big for screen 1-52
freezing 1-51
how permissions affect what you can do 1-11
Java errors 1-52
maps toolbar reference 35-4
map view 35-1
menu reference for Configuration Manager 1-29
missing text 1-52
overview of Configuration Manager 1-14
rules tables 12-8
searching for items 1-42
selecting items in a tree 1-45
selecting or specifying files 1-50
table
columns and headings 1-49
sections 12-20
tables 1-48
text fields
ASCII limitations 1-50
finding text in multiple-line 1-50
navigating 1-50
using 1-49
toolbars
Configuration Manager 1-39
event table in Event Viewer 69-16
troubleshooting 1-51
wizards 1-47
user login credentials for device access 3-4
user passwords
changing 10-24
user preferences
PIX/ASA/FWSM 60-1
Deployment page 60-1
Transactional Commit page 60-2
user roles, IPS 36-15
users
how permissions affect what you can do 1-11
taking over configuration session 10-23
User Statistics
MPC rule wizard
tab 58-8
user statistics, collecting 13-25
user taskflow 1-19
V
Validate Activity command 1-36
Validate command 1-30
Validate Ticket command 1-37
Validation dialog box 4-18
validation error messages 4-18
Values Assignment dialog box 7-37
Variable Bit Rate-Non-Real Time (VBR-nrt) 62-49
Variable Bit Rate-Real Time (VBR-rt) 62-49
variables
deleting FlexConfig 7-28
FlexConfig objects 7-5, 7-6
changing variable values 7-35
VDI servers 34-15
Velocity Engine error message 7-38
Velocity Template Engine
scripting language 7-3
View Changes command 1-30, 1-36, 1-37
viewing interface allocations 59-12
View menu
Configuration Manager 1-31
Event Viewer 69-10
views
Device 1-15
Event Viewer
clearing filters 69-48
column based filters 69-45
event based filters 69-47
filtering overview 69-43
refreshing event table 69-44
selecting time range 69-43
switching between real-time and historical 69-42
text searches (quick filter) 69-47
using time slider with filtering 69-44
HPM 71-21
column-based filters 71-17
Map 1-18
overview 1-14
Policy 1-16
views (Event Viewer)
arranging 69-38
configuring color rules 69-40
creating custom 69-41
customizing event table appearance 69-39
deleting custom 69-43
editing description 69-41
editing name 69-41
Event Monitoring window overview 69-14
Event Viewer overview 69-7
floating 69-38
list 69-12
opening 69-38
overview 69-3
saving 69-42
using 69-37
virtual ASA
about 46-1
virtual channel identifier (VCI) 62-47
virtual firewalls
See security contexts
virtual fragment reassembly (VFR) 62-19
virtual path identifier (VPI) 62-47
Virtual Routing Forwarding (VRF)
VRF-Aware IPsec 25-14
virtual sensors
advantages 38-3
assigning interfaces 38-4
attributes 38-7
configuring 38-1, 38-5
deleting 38-10
discovering policies 5-14
editing policies 38-9
identifying 38-5
inline TCP session tracking mode 38-3
Normalizer mode 38-4
renaming 38-8
restrictions 38-3
showing containment 3-56
understanding 38-1
Virtual Sensors page 38-5
virtual terminal (VTY)
Cisco IOS routers
defining AAA settings 63-40
defining line groups 63-38
defining line setup parameters 63-38
virtual terminal (VTY) lines
Cisco IOS routers
VTY Line dialog box 63-51
VTY Policy page 63-50
VLAN
configuring IPS groups 37-15
configuring IPS inline pairs 37-14
VLAN ACLs (VACLs)
defining 68-37
deleting 68-38
understanding 68-36
VLAN access maps 68-37
VLANs
Catalyst switches and 7600 Series routers
Create and Edit VLAN ACL Content dialog boxes 68-41
Create and Edit VLAN ACL dialog boxes 68-41
Create and Edit VLAN dialog boxes 68-28
defining 68-26
defining Data Port for IDSM 68-46
defining EtherChannel for IDSM 68-44
defining groups 68-32
defining VACLs 68-37
deleting 68-27
deleting Data Port for IDSM 68-47
deleting EtherChannel for IDSM 68-45
deleting groups 68-33
deleting VACLs 68-38
Interfaces/VLANs page, VLANs tab 68-27
understanding 68-25
understanding VACLs 68-36
understanding VLAN groups 68-31
VLAN Access Lists page 68-39
VPDN groups 46-72
VPN
configuring policy defaults 11-74, 25-12
mixing deployment methods 9-14
policy discovery restriction for web VPNs 3-8
Report Manager reports
general VPN reports 70-16
VPN top reports 70-16
system variables 7-14
traffic sent unencrypted 9-15
updating routing processes 9-13
using device overrides to customize VPN policies 25-13
zone-based firewall 21-6
VPN default policies
configuring 25-12
factory defaults 25-12
understanding 25-12
VPN discovery
prerequisites 25-21
procedure 25-24
rules 25-22
supported and unsupported technologies and topologies 25-20
understanding 25-20
VPN global settings
GET VPN
VPN Global Settings for GET page 29-16
VPN Global Settings policy
General Settings tab 26-31, 26-44
IKEv2 tab 26-37
ISAKMP/IPsec tab 26-33
NAT Settings tab 26-42
VPN Peers dialog box 35-22
VPN Policy Defaults page 11-74
VPN rediscovery 25-27
VPNs
AAA services 48-4
ASA devices
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
configuring remote access using wizard 30-13
creating in Map view 35-21
Easy VPN
connection profiles 28-13
connection profiles (ASA, PIX 7+) 31-8
IOS devices
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
IPsec
access policies for IKEv2 (ASA), configuring 31-49
access policies for IKEv2 (ASA), reference 31-45
access policies for IKEv2 (ASA), understanding 31-44
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1) 31-37
cluster load balancing 31-5
configuring IKE and IPsec policies 26-1
connection profiles 31-7
connection profiles (ASA, PIX 7+) 31-8
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
Dynamic VTI/VRF Aware IPsec settings 33-7
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
high availability policies 33-11
IKE proposals 26-9
IKEv2 authentication 26-68, 26-70, 26-72
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
NAT settings 26-42
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
understanding IKE 26-5
understanding NAT settings 26-41
user group policies for IOS, PIX 6.3 33-13
VPNSM, VPN SPA, VSPA settings 33-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring for ASA and PIX 7.0+ devices 31-40
configuring for IOS and PIX 6.3 devices 33-3
Map view 35-20
policy discovery 5-12
remote access
access modes 30-4
device support 30-8
discovering 30-12
managing 30-1
managing (ASA, PIX 7.0+) 31-1
managing (IOS, PIX 6.3) 33-1
SSL 31-43
remote access IPSec
understanding 30-2
remote access SSL
example 30-3
limitations 30-8
managing support files 30-5
prerequisites 30-7
understanding 30-2
shared policies 5-4
site-to-site
configuring IKE and IPsec policies 26-1
policies overview 25-8
site-to-site VPNs 25-1
SSL
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
advanced settings (ASA) 31-72
AnyConnect client image settings (ASA) 31-65
AnyConnect client settings (ASA) 31-62, 31-64
AnyConnect custom attributes (ASA) 31-70, 31-71
browser plug-ins (ASA) 31-60
cluster load balancing 31-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 31-57
connection profiles 31-7
connection profiles (ASA) 31-8
content rewrite rules (ASA) 31-53
Context Editor dialog box (IOS) 33-15, 33-16
creating on ASA 30-14
creating on IOS devices 30-32
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
encoding rules (ASA) 31-55
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
Kerberos Constrained Delegation (KCD on ASA) 31-66, 31-69
NAT settings 26-42
other settings (ASA) 31-51
performance settings (ASA) 31-52
policies (IOS) 33-14
proxy bypass rules (ASA) 31-59
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
server certificate verification (ASA) 31-30, 31-32, 31-73
shared license (ASA) 31-74
shared license clients (ASA) 31-76
shared license servers (ASA) 31-77
understanding NAT settings 26-41
wizard 30-13
understanding 30-1
VPN Service Port Adapters (VSPAs)
configuring 25-42
VPN Services Module (VPNSM)
configuring 25-42
VPN Shared Port Adapter (VPN SPA)
configuring 25-42
VPNSM/VPN SPA/VSPA Settings dialog box 33-6
VPN Summary page 25-63
VPN topologies
accessing 25-17
assigning initial policies to new 25-62
assigning shared policies 5-44
cloning device VPN assignments 3-56
cloning shared policies 5-47
configuring dial backup 25-40
configuring GET VPN peers 25-60
configuring in Device view 25-19
creating or editing 25-28
creating or editing Extranet 25-66
defining endpoints and protected networks 25-34
defining GET VPN group encryption 25-54
deleting 25-71
discovering 25-20, 25-24
full mesh 25-4
hub-and-spoke 25-2
including unmanaged or non-Cisco devices 25-11
joined hub-and-spoke 25-5
locking 5-10
naming 25-30
partial mesh 25-5
point-to-point 25-3
rediscovering 25-27
removing devices 25-32
renaming policies 5-48
repairing discovered VPNs with multiple spoke definitions 25-26
selecting devices 25-32
tiered hub-and-spoke 25-5
unassigning policies 5-36
understanding 25-2
unsharing policies 5-43
using device overrides to customize VPN policies 25-13
viewing summary of VPN configuration 25-63
VRF-Aware IPsec
changing on Catalyst switches and 7600 routers 25-17
configuring 25-48
one-box solution 25-14
two-box solution 25-15
understanding 25-14
VRF-Aware IPsec tab (site-to-site VPN) 25-48
VTP modes, for Catalyst switches 68-1
VTY Line dialog box 63-51
Accounting tab 63-57
Authentication tab 63-55
Authorization tab 63-56
Setup tab 63-52
W
WAN interface card (WIC) 62-36
Warning - Partial VPN Deployment dialog box 8-31
warnings
significance of 2-lxiii
Web Filter policy map objects
creating 21-36
match conditions and actions 21-35
properties 21-47
web filter rules
ACL naming conventions 12-5
ASA/FWSM/PIX
converting IPv4 12-28
deleting 12-9
editing 12-10
moving 12-19
attributes (IOS) 18-13
configuring exclusive domains for IOS devices 18-10
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
configuring in Map view 35-23
disabling 12-20
enabling 12-20
exclusive domain names (IOS) 18-14
managing 18-1
preserving ACL names 12-4
understanding 18-1
understanding NAT effects 12-3
understanding processing order 12-2
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-12
web filter server properties 18-19
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-12
Web Filter Server Configuration dialog box 18-19
web filter servers
attributes 18-19
configuring settings 18-15
configuring settings in Map view 35-24
configuring zone-based firewall settings in Map view 35-24
Web Filter settings page 18-16
Websense
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-36, 21-39, 21-41
Websense class map objects
creating 21-36
match criteria 21-30
Websense parameter map objects
creating 21-36
properties 21-39
web VPN
policy discovery restriction 3-8
Weighted Random Early Detection (WRED) 66-4
Whitelist/Blacklist tab 19-14
windows
arranging report 70-30
arranging views 69-38
closing report 70-32
undocking maps 35-2
Windows Messenger class map objects
creating 21-16
match criteria 21-21
Windows NT servers
use by ASA, PIX, and FWSM devices 6-29
Windows Server 2012 security settings 10-2
WINS Server Lists objects
attributes 34-90
creating 31-88
wizard
installation manager 73-26
wizards
configuring remote access SSL VPNs on ASA devices 30-14
configuring remote access SSL VPNs on IOS devices 30-32
configuring remote access VPNs 30-13
Copy Policies 5-33
Create Extranet VPN Topology 25-66
Create VPN Topology 25-28
creating remote access IPsec VPNs on ASA/PIX 7.0+ devices 30-25
creating remote access IPsec VPNs on IOS/PIX 6.3 devices 30-36
creating user group policies 30-20
Discover VPN policies 25-24
New Device 3-6
Rediscover VPN policies 25-27
Share Policies 5-42
wizards, using 1-47
workflow
overview 1-20
Workflow mode
changing modes 1-28
comparing with non-Workflow mode 1-22
configuration files
deploying 8-34, 8-39
previewing 8-44
configurations
rolling back 8-69
creating activities 4-14
deployment
viewing device details 8-26
viewing job history 8-26
jobs
aborting 8-55
approving 8-39
discarding 8-41
rejecting 8-39
states 8-6
submitting 8-38
opening activities 4-15
understanding 1-21
workflow modes
changing 1-28
comparing 1-22
Workflow Settings page 11-75
working with 3-59
worms
configuring IPS anomaly detection signatures 41-4
understanding 41-2
understanding IPS anomaly detection 41-1
understanding when to turn off anomaly detection 41-4
X
xdm-launcher.exe
device manager 72-16
XLATE table
clearing on deployment 60-1
Y
Yahoo Messenger class map objects
creating 21-16
match criteria 21-21
Z
zone-based firewall
add/edit zones 21-53
advanced options 21-67
changing the default drop rule 21-48
configuring PAM 21-69
configuring rules 21-13, 21-62
configuring settings 21-49
configuring settings in Map view 35-24
Content Filter tab 21-52
designing network zones 21-1
development overview 21-12
general recommendations 21-12
Global Parameters tab 21-50
IPSec VPN 21-6
logging 21-1
overview 21-1
page 21-50
preserving ACL names 12-4
protocol selection 21-68
restrictions 21-3
rules table 21-58
Self zone 21-5
tabs 21-49
troubleshooting 21-54
understanding 21-3
understanding NAT effects 12-3
understanding permit/deny and action 21-8
understanding processing order 12-2
understanding services and protocols 21-11
VPN tab 21-50
VRF 21-7
WAAS tab 21-50
Zones tab 21-50
zone-based firewall rules
configuring in Map view 35-23
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
moving 12-19
zone-based firewall rules policies
blocking spam using zone-based firewall rules 21-27
configuring map objects for content filtering rules 21-36
configuring map objects for inspection rules 21-16
creating zones 6-74
inspection parameters 21-31
match conditions for IM applications 21-21
match conditions for P2P applications 21-21
preventing SMTP DoS attacks 21-27
protocol information for IM application inspection 21-33
understanding interface role objects 6-73
Zone Contents dialog box 12-14
zones
creating 6-74
understanding interface role objects 6-73
zones, anomaly detection 41-3
Zoom In command 1-33
Zoom Out command 1-33
AAA server group objects
attributes 6-49
creating 6-48
default server groups on IOS devices 6-31
predefined authentication groups 6-30
understanding 6-27
AAA server objects
creating 6-32
HTTP-FORM settings 6-44
Kerberos settings 6-39
LDAP settings 6-40
NT settings 6-43
RADIUS settings 6-35
SDI settings 6-43
supported additional types for ASA/PIX/FWSM 6-28
supported types 6-28
TACACS+ settings 6-38
understanding 6-27
AAA servers
supported types on ASA, PIX, FWSM devices 6-28
Abort the Job dialog box 8-55
About Configuration Manager command 1-39
ABR
definition 56-75
access control list objects
creating 6-53
extended objects 6-54
standard objects 6-56
unified objects 6-58
web objects 6-57
access control lists
GET VPN security policies 29-10
policy discovery 5-14
access control lists (ACLs)
names preserved during discovery 12-4
naming conventions 12-5
resolving naming conflicts 12-7
access controls
configuring ACL names 16-23
configuring settings 16-23
configuring settings in Map view 35-24
Access Control Settings page 16-24
Access Group tab (IGMP) 55-5
Access Interface Configuration dialog box (ASA) 31-48
access permissions
Event Viewer 69-4
Health and Performance Monitor 71-3
maps 35-8
Report Manager 70-5
access policies
configuring 31-49
reference 31-45
understanding 31-44
access ports
Create and Edit Interface dialog boxes-Access Port mode 68-9
understanding 68-5
access rule
look up
from device managers 72-17
access rules
access control settings 16-24, 16-26
Access Rules page 16-10
ACL naming conventions 12-5
address requirements 16-5
Advanced dialog box 16-17
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring 16-7
configuring access control settings 16-23
configuring identity aware 13-21
configuring in Map view 35-23
configuring security group aware 14-17
controlling non-IP layer-2 traffic 23-1
deleting 12-9
detecting conflicts 16-28
disabling 12-20
editing 12-10
enabling 12-20
examples of event analysis
user access to server blocked 69-59
expiration dates 16-22
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
generating analysis reports 16-34
hit counts
details 16-36
how deployed 16-5
identity-aware rules
requirements 13-3
import examples 16-44
importing 16-40
IPS blocking, effect of 43-4
managing 16-1
moving 12-19
optimizing during deployment 16-46
packet tracer, analyzing with 72-23
preserving ACL names 12-4
Report Manager reports
firewall traffic reports 70-14
resolving conflicts 16-34
rule attributes 16-14
sharing ACLs among interfaces 11-18
syslog messages supported for look-up 72-46
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding NAT effects 12-3
understanding processing order 12-2
understanding requirements when using inspection 17-4
understanding the automatic conflict detection user interface 16-30
viewing related CS-MARS events 72-42
viewing related events in Event Viewer 69-56
Accounting
Cisco IOS routers
settings 63-10
accounts and credentials
Cisco IOS routers
overview 63-14
PIX/ASA/FWSM
user accounts 51-7
user accounts, add/edit 51-7
accounts and credentials policies
Accounts and Credentials Policy page 63-16
User Accounts dialog box 63-17
ACLs
configuring names 16-23
ACS user authorization
configuring notifications when unavailable 1-27
Event Viewer 69-4
Health and Performance Monitor 71-3
how permissions affect what you can do 1-11
Report Manager 70-5
Active/Active failover
about 50-2
command replication 50-4
configuration synchronization 50-3
Active/Standby failover 50-2
Active Directory (AD)
collecting user statistics 13-25
configuring agent communication options 13-15
enabling for identity-aware firewall 13-8
identifying AD servers and agents 11-38, 13-8
requirements for identity-aware firewall 13-3
activities
accessing functions 4-8, 4-9
Activity Manager window 4-10
Approved state 4-5
approving 4-3, 4-21
benefits of 4-2
closing 4-16
creating 4-14
discarding 4-22
Edit state 4-4
locking 4-3
managing 4-1
multiple users 4-4
opening 4-15
overview 1-20
rejecting 4-21
responding to the Activity Required dialog box 4-14
states 4-4
Submitted state 4-5
submitting for approval 4-20
understanding 4-1
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Activities command 1-34
Activities menu 1-36
Activity Manager window 4-10
Activity Required dialog box 4-14
Add/Edit Action Configuration dialog box 54-7
Add/Edit AnyConnect Client Image dialog box (ASA) 31-65
Add/Edit AnyConnect Custom Attributes dialog box (ASA) 31-70, 31-71
Add/Edit Applet dialog box 54-5
Add/Edit Collector dialog box 54-2
Add/Edit Content Rewrite dialog box (ASA) 31-54
Add/Edit DAP Entry Dialog Box > Device 32-30
Add/Edit File Encoding dialog box 31-55
Add/Edit Multicast Route dialog box 55-8, 55-10
description 55-9
Add/Edit PIM Neighbor Filter dialog box 55-13
Add/Edit Proxy Bypass dialog box 31-59
Add/Edit Syslog Configuration dialog box 54-7
Add AAA Rule dialog box 15-13
Add AAA Server dialog box 6-33
Add AAA Server Group dialog box 6-49
Add Access List dialog box (Allowed Hosts policy) 36-7
Add Access Rule dialog box 16-14
Add an Entry dialog box 39-30
Add AOL Class Map dialog box 17-28, 21-19
Add A Port Forwarding Entry dialog box 34-41
Add ASA Group Policies dialog box
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
overview 34-1
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
Technology settings 34-1
Add A Smart Tunnel Entry dialog box 34-67, 34-70
Add AS Path Entry dialog box 56-152
Add AS Path Object dialog box 56-151
Add Auto Signon Rules dialog box 34-27
Add Cat6k Block Vlan dialog box 43-16
Add Certificate dialog box 11-24
Add Certificate Filter dialog box 25-58
Add Cisco Secure Desktop Configuration dialog box 34-35
Add Client Access Rules dialog box 34-12
Add Client Update dialog box 34-81
Add Column dialog box 34-61
Add Community List Entry dialog box 56-154, 56-155
Add Community List Object dialog box 56-153
Add Custom Pane dialog box 34-62
Add Custom Signature dialog box 39-15
Add DCE/RPC Map dialog box 17-29
Add Destinations dialog box 12-11
Add Device from Network wizard
Device Credentials page 3-45
Add Devices to Group command 1-31
Add Devices to Group dialog box 3-63
Add DNS Class Map dialog box 17-28
Add DNS Map dialog box
Filtering tab 17-34, 17-35
overview 17-32
Protocol Conformance tab 17-33
Add eDonkey Class Map dialog box 17-28, 21-19
Add ESMTP Map dialog box 17-39
Add Extended Access Control Entry dialog box 6-61
Add Extended Access List dialog box 6-59
Add External Filter dialog box 21-41
Add FastTrack Class Map dialog box 17-28, 21-19
Add File Object dialog box 34-37
Add FlexConfig dialog box 7-30
Add FTP Class Map dialog box 17-28
Add FTP Map dialog box 17-42
Add Gnutella Class Map dialog box 17-28, 21-19
Add Group dialog box 3-62
Add Group Member dialog box 29-19
Add GTP Map dialog box 17-45
Add H.323 Class Map dialog box 17-28, 21-19
Add H.323 Map dialog box 17-51, 21-34
Add HSI Endpoint IP Address dialog box 17-54
Add HSI Group dialog box 17-53
Add HTTP Class Map dialog box 17-28, 21-19
Add HTTP Map dialog box 21-34
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-58
Extension Request Method tab 17-61
General tab 17-57
overview 17-56
Port Misuse tab 17-62
RFC Request Method tab 17-60
Transfer Encoding tab 17-63
ASA 7.2+ and PIX 7.2+ devices 17-64
Add ICQ Class Map dialog box 17-28, 21-19
Add IKEv1 Proposal dialog box 26-10
Add IKEv2 Proposal dialog box 26-14
Add IMAP Class Map dialog box 17-28, 21-19
Add IMAP Map dialog box 21-34
Add IM Class Map dialog box 17-28
Add IM Map dialog box 21-34
ASA and PIX device 17-70
IOS device 17-73
Add Inspect/Application FW Rule wizard
Address and Port page 17-13
Inspected Protocol page 17-17
Match Traffic page 17-11
Add Inspect Parameter Map dialog box 21-31
Add Interfaces dialog box 12-13
Add IP Options Map dialog box 17-75
Add IPsec Pass Through Map dialog box 17-80
Add IPSec Transform Set dialog box 26-27
Add IPv4 Pool Object dialog box 6-92
Add IPv6 Map dialog box 17-77, 17-91
Add IPv6 Pool Object dialog box 6-93
Add Kazaa2 Class Map dialog box 17-28, 21-19
Add Key Server dialog box 29-19
Add Language dialog box 34-56
Add LDAP Attribute Map dialog box 6-46
Add LDAP Attribute Map Value dialog box 6-47
Add Link command 1-33
Add Link dialog box 35-20
Add Local Rules command 1-32
Add Local Web Filter Class Map dialog box 17-28, 21-19
Add Local Web Filter Parameter Map dialog box 21-38
Add MAC Address Pool Object dialog box 6-94
Add Map Object command 1-33
Add Map Object dialog box 35-18
Add Map Value dialog box 6-47
Add Match Condition and Action dialog box
DNS policy maps 17-36
ESMTP policy maps 17-40
FTP policy maps 17-43
GTP policy maps 17-49
H.323 (IOS) policy maps 21-35
H.323 policy maps 17-54
HTTP (Zone Based IOS) policy maps 21-35
HTTP policy maps 17-66
IM (Zone Based IOS) policy maps 21-35
IMAP policy maps 21-35
IM policy maps 17-71
IPv6 policy maps 17-78, 17-92
P2P policy maps 21-35
POP3 policy maps 21-35
SIP (IOS) policy maps 21-35
SIP policy maps 17-85, 17-95
Skinny policy maps 17-89
SMTP policy maps 21-35
Sun RPC policy maps 21-35
Web Filter policy maps 21-35
Add Match Criterion dialog box
AOL class maps 21-21
DNS class maps 17-36
eDonkey class maps 21-21
FastTrack class maps 21-21
FTP class maps 17-43
Gnutella class maps 21-21
H.323 (IOS) class maps 21-22
H.323 class maps 17-54
HTTP (IOS) class maps 21-22
HTTP class maps 17-66
ICQ class maps 21-21
IMAP class maps 21-25
IM class maps 17-71
Kazaa2 class maps 21-21
Local Web Filter class maps 21-29
MSN Messenger class maps 21-21
N2H2 class maps 21-30
POP3 class maps 21-25
SIP (IOS) class maps 21-25
SIP class maps 17-85, 17-95
SMTP class maps 21-27
Sun RPC class maps 21-29
Websense class maps 21-30
Windows Messenger class maps 21-21
Yahoo Messenger class maps 21-21
Add MSN Messenger Class Map dialog box 17-28, 21-19
Add N2H2 Parameter Map dialog box 21-39
Add N2H2 Web Filter Class Map dialog box 17-28, 21-19
Add NAT Rule dialog box
ASA 8.3+ 24-36
Add NetBIOS Map dialog box 17-81
Add Network/Host dialog box
General tab 6-83
NAT tab 24-42
Add New Device wizard
Device Credentials page 3-45
Add New Security Association dialog box 25-58
Add or Edit Plug-in Entry dialog box (ASA) 31-60
Add Other Devices dialog box 8-58
Add P2P Map dialog box 21-34
Add Permit Response dialog box 17-48
Add Per-Session NAT Rule dialog box 24-47
Add PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Add PKI Enrollment dialog box
CA Information tab 26-60
Certificate Subject Name tab 26-66
Enrollment Parameters tab 26-63
overview 26-58
Trusted CA Hierarchy tab 26-67
Add Policy List Object dialog box 56-143
Add POP3 Class Map dialog box 17-28, 21-19
Add Port Forwarding List dialog box 34-40
Add Port List dialog box 6-102
Add Prefix List Entry dialog box 56-148, 56-150
Add Prefix List Object dialog box 56-146, 56-148
Add Protocol Info Parameter Map dialog box 21-33
Add Regular Expression dialog box 17-108
Add Regular Expression Group dialog box 17-108
Address Pools
PIX/ASA/FWSM 24-18
add/edit 24-19
address pools
overriding in connection profiles 30-8
Add Route Map Entry dialog box 56-137
Add Route Map Object dialog box 56-136
Add Row command 1-31
Add Rule Section dialog box 12-22
Add Server dialog box
Protocol Info Parameter maps 21-34
Add Service dialog box 6-103
Add Services dialog box 12-13
Add Single Sign On Server dialog boxes 34-42
Add SIP Class Map dialog box 17-28, 21-19
Add SIP Map dialog box 17-83, 17-93, 21-34
Add Skinny Map dialog box 17-87
Add SLA Monitor dialog box 51-10
Add Smart Tunnel Auto Signon Entry dialog box 34-72
Add Smart Tunnel Auto Signon Lists dialog box 34-71
Add Smart Tunnel Lists dialog box 34-66, 34-69
Add SMTP Class Map dialog box 17-28, 21-19
Add SMTP Map dialog box 21-34
Add SNMP Map dialog box 17-90
Add Sources dialog box 12-11
Add SSL VPN Customization dialog box 34-51
Applications 34-60
Copyright Panel 34-58
Custom Panes 34-61
Full Customization 34-59
Home Page 34-62
Informational Panel 34-57
Language 34-54
Logon Form 34-56
Logout Page 34-63
Title Panel 34-53
Toolbar 34-59
Add SSL VPN Gateway dialog box 34-64
Add Standard Access Control Entry dialog box 6-64
Add Standard Access List dialog box 6-59
Add Sun RPC Class Map dialog box 17-28, 21-19
Add Sun RPC Map dialog box 21-34
Add TCP Map dialog box 58-22
Add TCP Option Range Dialog Box 58-25
Add Text Object dialog box 7-32
Add Time Range dialog box 6-71
Add Traffic Flow dialog box 58-18
Add Transparent Firewall Rule dialog box 23-5
Add Trend Content Filter Class Map dialog box 17-28, 21-19
Add Trend Parameter Map dialog box 21-42
Add Unified Access Control Entry dialog box 6-67
Add URL Domain Name dialog box 21-45
Add URLF Glob Parameter Map dialog box 21-45
Add URL Filter Parameter Map dialog box 21-43
Add User dialog box 12-12, 36-19
Add User Group dialog box
Advanced PIX 6.3 settings 34-82
Browser Proxy settings 34-87
Client (IOS) settings 34-78
Clientless settings 34-83
Client VPN Software Update (IOS) settings 34-81
DNS/WINS settings 34-77
General settings 34-75
IOS Xauth Options settings 34-80
overview 34-73
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN Connection settings 34-88
SSL VPN Full Tunnel settings 34-84
SSL VPN Split Tunneling settings 34-86
Technology settings 34-73
Thin Client settings 34-84
Add User Profile dialog box 43-12
Add VDI Server dialog box 34-15
Add Virtual Sensor dialog box 38-7, 38-8
Add Web Access Control Entry dialog box 6-65
Add Web Filter Map dialog box 21-47
Add WebSense Parameter Map dialog box 21-39
Add Websense Web Filter Class Map dialog box 17-28, 21-19
Add Web Type Access List dialog box 6-59
Add Windows Messenger Class Map dialog box 17-28, 21-19
Add WINS Server dialog box 34-90
Add WINS Server List dialog box 34-89
Add Yahoo Messenger Class Map dialog box 17-28, 21-19
Add Zones dialog box 12-13
admin context 59-1
administration
selecting policies to manage 5-11
administrative settings, configuring 11-1
admin password, changing 10-24
ADSL
ADSL Policy page 62-37
ADSL Settings dialog box 62-38
defining settings 62-36
supported operating modes 62-35
ADSL policies
unable to deploy 9-15
Advanced dialog box
access rules 16-17
Advanced NAT Options
PIX/ASA/FWSM
add/edit 24-29
Advanced settings
interface configuration
PIX/ASA/FWSM 46-68
AES encryption algorithm
in IKE proposals 26-6
AIM-IPS interfaces
IPS Module Interface Settings page 62-23
AIP-SSM/SSC
ASA 58-15
Alarm Indication Signal (AIS) cells 62-51
allowed hosts, configuring for IPS 36-7
Allowed Hosts policy 36-7
Analysis Engine global variables
configuring 36-30
analysis reports
generating 16-34
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
zones
overview 41-3
anti-spoofing 57-2
AnyConnect
client images 31-62, 31-64
profiles 31-62, 31-64
editing 31-63
AnyConnect Client Image dialog box (ASA) 31-64
AnyConnect custom attributes 31-70, 31-71
AnyConnect Profile Editor 31-63
AOL class map objects
creating 21-16
match criteria 21-21
applet
embedded event manager 54-3
Apply IPS Update command 1-35
Apply IPS Update wizard 44-7
Approve Activity command 1-36
Approve Activity dialog box 4-21
Approved activity state 4-5
Approve Deployment Job dialog box 8-20, 8-39
Area Border Router
See ABR 56-75
ARP
PIX/ASA/FWSM
configuration 47-5
inspection 47-5
inspection, enable/disable 47-6
table 47-3
ARP table
static entry 47-3, 47-5
ASA
ASDM 72-15
CX 58-17
Auth Proxy Configuration 58-17
CX module
detecting 72-21
Failover
Add Failover Group 50-25
edit bridge group 50-17
FirePOWER module
detecting 72-21
IPS, QoS, and Connection Rules
ASA CX Auth Proxy Configuration 58-17
IPS modules 58-15
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions for failover devices 8-65
rollback restrictions for multiple context mode 8-64
security contexts
allocate interfaces 59-12
configuration 59-9
viewing allocated interfaces 59-12
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
TCP State Bypass 58-3
ASA 5505
Management IPv6 47-11
ports and interfaces 46-6
ASA 8.3+
NAT policies
Add/Edit NAT rules dialog boxes 24-36
Translation Rules page 24-34
ASA Cluster Load Balance page 31-5
ASA CX
CX
about 58-17
ASA devices
5505
hardware port configuration 46-61
AAA support 6-28
about 46-1
adding or changing modules 3-40
adding SSL thumbprints manually 9-5
Bridge Groups
add/edit 46-62
Catalyst Service Module 46-1
changing those selected for reports 70-22
configuring for event management 69-28
configuring for report management 70-3
configuring IKE and IPsec policies 26-1
configuring IKEv2 authentication 26-68
configuring transparent firewall rules 23-1
Easy VPNs
connection profiles 28-13
Event Viewer support 69-4
FlexConfig object samples 7-20
global access rules 16-3
identity-aware services
configuring to provide 13-7, 14-8
interfaces 46-26
add/edit 46-31
Advanced tab 46-41
configuring 46-3
edit EtherChannel-assigned interface 46-12
EtherChannels 46-9, 46-13
General tab 46-33
IP Type 46-58
IPv6 46-47, 46-73
IPv6, add/edit 46-52
IPv6, add/edit prefixes 46-54, 46-56
LACP 46-12
MAC address 46-60
PPPoE Users 46-71
VPDN groups 46-72
licenses 2-9
monitoring service level agreements 51-8
object group search 16-25
packet capture, using 72-30
packet tracer, using 72-23
remote access SSL VPNs
advanced settings 31-72
AnyConnect client settings 31-62, 31-64
browser plug-ins 31-60
configuring HTTP/HTTPS proxies and proxy bypass 31-57
content rewrite rules 31-53
encoding rules 31-55
Kerberos Constrained Delegation (KCD) 31-66, 31-69
other settings 31-51
performance settings 31-52
server certificate verification settings 31-30, 31-32, 31-73
shared license 31-74
shared license clients (ASA) 31-76
shared license servers (ASA) 31-77
remote access VPNs
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
AnyConnect client image settings (ASA) 31-65
AnyConnect custom attributes (ASA) 31-70, 31-71
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1 IPSec) 31-37
cluster load balancing 31-5
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
connection profiles 31-7, 31-8
creating IPSec 30-25
creating SSL 30-14
customizing 31-77
device support 30-8
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
fragmentation settings 26-31, 26-44
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKE proposals 26-9
IKEv2 settings 26-37
IPsec proposals 31-41
ISAKMP/IPsec settings 26-33
managing 31-1
NAT settings 26-42
policy overview 31-2
post URL method and macro substitutions in bookmarks 31-84
proxy bypass rules (ASA) 31-59
Public Key Infrastructure (PKI) 26-56
secure desktop manager policies 32-9
smart tunnels 31-85
understanding IKE 26-5
understanding NAT settings 26-41
wizard 30-13
Report Manager reports
firewall summary botnet reports 70-15
firewall traffic reports 70-14
general VPN reports 70-16
VPN top reports 70-16
selecting for Event Viewer 69-34
selecting policy types to manage 5-11
SSL certificate configuration 11-22
ASA group policies objects
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
ASA Image Management 73-16, 73-32
ASAv
about 46-1
ASBR
definition 56-75
ASCII limitations for text 1-50
ASDM
access rule look-up 72-18
device manager 72-15
AS path objects
properties 56-151
ASR
zone-based firewall
global parameters 21-50
restrictions 21-3
assignment overview 1-20
Assignments tab, Policy view 5-54
Assign Shared Policy command 1-32
Assign Shared Policy dialog box 5-44
Asymmetric Digital Subscriber Line (ADSL)
on Cisco IOS routers 62-34
Asymmetric Routing Groups 46-6
Asynchronous Transfer Mode (ATM) 62-47
ATM 62-47
virtual channel connections (VCCs) 62-47
virtual channel identifier (VCI) 62-47
virtual path connections (VPCs) 62-47
virtual path identifier (VPI) 62-47
Attack Response Controller 43-1
attacks
broadcast 17-4
Denial of Service (DoS) 17-5
spoofing 17-4
SYN flooding 17-5
audit logs
configuring default settings 11-62
purging entries 10-23
understanding 10-19
working with 10-19
Audit Message Detail dialog box 10-21
Audit Report command 1-34
audit reports
generating and viewing 10-20
understanding 10-19
working with 10-19
Audit Report window 10-21
AUS
deploying configurations 8-41
deployment method 8-10
setting up 2-8
setting up on PIX Firewall and ASA devices 2-8
Authentication
Cisco IOS routers
settings 63-6
authentication
routing protocols 56-75
Authentication-Authorization-Accounting
See AAA 48-1
Authentication Header (AH) encryption algorithm 26-30
authentication methods
certificates (RSA signatures) 26-8
in IKE proposals 26-8
preshared keys 26-8
authentication testing
SSH 2-6
Authorization
Cisco IOS routers
settings 63-8
authorization proxy (AuthProxy)
configuring AAA rules 15-7
AuthProxy
configuring settings in Map view 35-24
Auth Proxy Configuration
ASA CX 58-17
AuthProxy dialog box 15-19
AuthProxy settings policy
configuring 15-9
autolink
omitting reserved networks from maps 11-3
automatic conflict detection
resolving conflicts 16-34
understanding 16-28
understanding the user interface 16-30
using 16-28
autonomous system paths
See AS paths
auto signon rules
ASA group policy objects 34-27
Auto Update Server (AUS)
adding 3-36
licensing 10-17
PIX/ASA/FWSM 52-1
add/edit server 52-3, 53-2, 53-3, 53-4
troubleshooting deployment 9-18
Auto Update Server Properties dialog box 3-38
Available Bit Rate (ABR) 62-48
Available Servers dialog box 3-39
B
background image, map
deleting 35-13
importing 35-13
scale and position 35-13
setting 35-13
backup
event data store 69-36
backup.pl command 10-25
Backup command 1-35
backups, Security Manager database 10-25
bandwidth
VPN user reports 70-16
banners
configuring on firewall devices 48-9
benefits of product 1-2
BGP routing
BGP Routing Policy page 67-4
defining routes 67-2
Neighbors dialog box 67-6
on Cisco IOS routers 67-1
PIX/ASA/FWSM 56-2, 56-3
General tab 56-5
IPv4 Family - Aggregate Address configuration 56-9, 56-22
IPv4 Family - Filter configuration 56-10
IPv4 Family - General tab 56-7, 56-21
IPv4 Family - Neighbor configuration 56-11, 56-24
IPv4 Family - Network configuration 56-17, 56-29
IPv4 Family - Redistribution configuration 56-18, 56-30
IPv4 Family - Route Injection configuration 56-19, 56-31
IPv4 Family tab 56-6, 56-20
redistributing routes 67-3
Redistribution Mapping dialog box 67-7
Redistribution tab 67-7
Setup tab 67-5
Bidirectional Neighbor Filter 55-14
Bidirectional Neighbor Filter tab
PIM 55-13
blocking, IPS
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
Blocking page 43-8
Boot image/configuration
PIX/ASA 48-10
add/edit 48-12
bootstrap configuration
Failover 50-26
Botnet Traffic Filter Drop Rules Editor 19-13
botnet traffic filter rules
adding static entries 19-5
blocking blacklisted traffic 19-6
configuring DNS snooping 17-19
configuring in Map view 35-23
configuring the dynamic database 19-4
configuring with IPS global correlation 42-1
databases 19-1
Device Blacklist dialog box 19-15
Device Whitelist dialog box 19-15
Drop Rules Editor 19-13
Dynamic Blacklist Configuration tab 19-10
enabling DNS snooping 19-6
field definitions 19-9
illustrations 19-1
mitigating botnet activity 69-65
monitoring
activity using ASDM 69-64
activity using Event Viewer 69-62, 69-64
overview 69-61
understanding botnet syslog events 69-61
overview 19-1
preserving ACL names 12-4
Report Manager reports
firewall summary botnet reports 70-15
task flow 19-2
traffic classification 19-6
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
understanding 19-1
understanding NAT effects 12-3
understanding processing order 12-2
Whitelist/Blacklist tab 19-14
bridge group
failover
editing 50-17
Bridge Groups
ASA/FWSM
add/edit 46-62
bridge groups
defining 63-20
FWSM 3.1 47-3
Bridging
ASA 5505
Management IPv6 47-11
PIX/ASA/FWSM
ARP configuration 47-5
ARP Inspection 47-5
ARP Inspection, enable/disable 47-6
ARP Table 47-3
MAC Address, add/edit 47-8
MAC Address Table 47-8
MAC Learning 47-9
MAC Learning, enable/disable 47-9
Management IP address 47-10
bridging
Cisco IOS routers
Bridge Group dialog box 63-21
Bridging Policy page 63-21
BVI interfaces 63-19
overview 63-18
configuring transparent firewall rules 23-1
PIX/ASA/FWSM
about 47-1
configuring on 47-1
broadcast attacks, preventing 17-4
broadcasts
enabling directed on routers 62-20
browser plug-ins
configuring 31-60
Bundles 73-13
bypass mode
configuring for IPS 37-12
C
CA server authentication methods
SCEP (Simple Certificate Enrollment Protocol) 26-51
Cat6k Device dialog box 43-14
Catalyst 6500/7600 devices
configuring FWSM in site-to-site VPNs 25-47
configuring SSH 2-6
default transport protocol 11-22
deployment 8-28
FlexConfig object samples 7-22
IPS blocking devices 43-4
policy discovery for FWSM 5-13
rollback restrictions 8-65
Service Modules 46-1
Catalyst 6500/7600 switches
including in deployment jobs 8-28
Catalyst devices
policy discovery 5-13
remote access VPNs
Dynamic VTI/VRF Aware IPsec settings 33-7
high availability 33-11
IPsec proposals 33-4
user group policies 33-13
VPNSM/VPN SPA/VSPA settings 33-6
Catalyst platform policies
IDSM settings policy
Create and Edit IDSM Data Port VLANs dialog boxes 68-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 68-49
IDSM Settings page 68-47
IDSM Slot-Port Selector dialog box 68-50
interfaces/VLANs policy
Access Port Selector dialog box 68-30
Create and Edit Interface dialog boxes-Access Port mode 68-9
Create and Edit Interface dialog boxes-Dynamic Port mode 68-18
Create and Edit Interface dialog boxes-Other mode 68-24
Create and Edit Interface dialog boxes-Routed Port mode 68-12
Create and Edit Interface dialog boxes-subinterfaces 68-22
Create and Edit Interface dialog boxes-Trunk Port mode 68-14
Create and Edit VLAN dialog boxes 68-28
Create and Edit VLAN Group dialog boxes 68-34
Interfaces tab 68-8
Service Module Slot Selector dialog box 68-35
Summary tab 68-3
Trunk Port Selector dialog box 68-31
VLAN Groups tab 68-33
VLAN Selector dialog box 68-35
VLANs tab 68-27
VLAN access lists policy
Create and Edit VLAN ACL Content dialog boxes 68-41
Create and Edit VLAN ACL dialog boxes 68-41
VLAN Access Lists page 68-39
Catalyst Summary Info command 1-35
Catalyst switches
configuring SSH 2-6
default transport protocol 11-22
showing modules, security contexts, and virtual sensors 3-56
Catalyst switches/7600 routers
troubleshooting deployment 9-16
Catalyst switches and 7600 devices
IDSM mode support 68-43
interface deployment failure 9-16
internal VLAN deployment failure 9-16
supported VTP modes 68-1
Catalyst switches and 7600 Series routers
access ports 68-5
Catalyst Summary Info page 68-2
defining IDSM Data Port VLANs 68-46
defining IDSM EtherChannel VLANs 68-44
defining ports 68-6
defining VACLs 68-37
defining VLAN groups 68-32
defining VLANs 68-26
deleting IDSM Data Port VLANs 68-47
deleting IDSM EtherChannel VLANs 68-45
deleting ports 68-7
deleting VACLs 68-38
deleting VLAN groups 68-33
deleting VLANs 68-27
discovering policies 68-1
generating interface names 68-6
IDSM settings 68-43
IDSM Settings page 68-47
interfaces 68-5
managing 68-1
routed ports 68-5
trunk ports 68-5
viewing interface and VLAN summary 68-3
VLAN Access Lists page 68-39
VLAN ACLs (VACLs) 68-36
VLAN groups 68-31
VLANs 68-25
Catalyst VPN Service Port Adapters (VSPAs)
configuring 25-42
Catalyst VPN Services Module (VPNSM)
configuring 25-42
configuring in remote access VPNs 33-6
Catalyst VPN Shared Port Adapter (VPN SPA)
configuring 25-42
configuring in remote access VPNs 33-6
categories
using 6-13
cautions
significance of 2-lxiii
CCO settings 11-4
CDP
configuring mode for IPS 37-12
CEF Interface Settings dialog box 62-27
CEF interface settings policies 62-25
certificates
accepting 11-4, 11-52
retrieving 11-4, 11-52
viewing 11-4, 11-52
certificates, SSL
adding thumbprints manually 9-5
configuring default settings for how handled 11-22
managing IPS 44-10
certificates for ASA image downloads 11-4
certificates for IPS package downloads 11-52
certificate to connection profile map policies
configuring policy 31-36
configuring rules 31-37
certificate trust management 11-4, 11-52
Change Report dialog box 4-18
change reports
selecting session in non-Workflow mode 4-18
viewing 4-16
Change Reports command 1-34
Checkpoint migration
configuring object group search on ASA 8.3+ devices 16-25
Choose a file dialog box 34-39
Cisco 7600 Series routers
managing 68-1
Cisco AnyConnect Profile Editor 31-63
Cisco Configuration Engine
troubleshooting device setup and deployment 9-18
Cisco Discovery Protocol (CDP)
enabling CDP on router interfaces 62-18
Cisco Express Forwarding (CEF)
CEF Interface Settings policy 62-26
CEF router interface settings policies 62-25
importance for QoS 66-2
Cisco IOS IPS
effect of load balancing 45-8
configuration files 45-3
configuration overview 45-4
configuring 45-1
configuring general settings 45-7
configuring interface rules 45-9
getting started 36-1
initial preparation of router 45-5
lightweight signature engines 45-2
limitations and restrictions 45-3
selecting signature category 45-6
understanding 45-1
understanding subsystems and revisions 45-2
Cisco IOS Routers
configuring IOS IPS 45-1
IPS blocking devices 43-4
Cisco IOS routers
802.1x 64-1
AAA 63-2
accounts and credentials 63-14
ADSL 62-34
advanced interface settings 62-13
available interface types 62-2
basic interface settings 62-1
BGP routing 67-1
configuring SSH 2-6
CPU settings 63-25
default AAA server groups 6-31
deploying configurations using TMS 8-43
dialer interfaces 62-28
discovering policies 61-3
Domain Name System (DNS) 63-74
Dynamic Host Configuration Protocol (DHCP) 63-87
EIGRP routing 67-8
host and domain names 63-77
HTTP 63-28
interface deployment failure 9-14
IOS 12.1 and 12.2 61-3
licenses 2-10
line access 63-35
managing 61-1
memory settings 63-78
NAT 24-5
designating interfaces 24-6
dynamic rules 24-10
static rules 24-6
timeouts 24-13
NetFlow 65-1, 65-5, 65-12
Network Admission Control (NAC) 64-8
Network Time Protocol (NTP) 63-96
optional SSH settings 63-63
OSPF routing 67-19
permanent virtual connections (PVCs) 62-47
platform policies 61-1
Point-to-Point Protocol (PPP) 62-71
policy discovery 5-13
quality of service (QoS) 66-1
RIP routing 67-42
Secure Device Provisioning (SDP) 63-81
setting up SSL (HTTPS) 2-4
SHDSL 62-41
SNMP 63-66
static routing 67-50
syslog logging 65-1
time zone settings 63-22
transparent bridging 63-18
Cisco IOS Software
FlexConfig object samples 7-22
selecting policy types to manage 5-11
Cisco Prime Security Manager
see PRSM 72-20, 72-21
Cisco Secure Desktop configuration objects
creating 33-18
Cisco Security Management Suite server
logging into or exiting 1-12
Cisco Technical Assistance Center
creating diagnostic file 10-28
generating data 10-28
generating deployment or discovery status reports 10-30
generating partial database backup 10-30
Cisco Trust Agent (CTA) 64-9
CiscoWorks Common Services
backing up and restoring Security Manager 10-24
logging into or exiting 1-12
CiscoWorks user authorization, effect on what you can do 1-11
Class-Based Policing 66-6
class maps
understanding 6-78
Clear Connection Configuration dialog box 15-25
clear xlate
PIX/ASA/FWSM platform 60-1
CLI commands
FlexConfig objects 7-2
client applications 72-2
client connection characteristics
configuration modes 28-3
configuring policies for Easy VPN 28-7
extended authentication (xauth) 28-4
clientless access mode 30-4
client settings
configuring AnyConnect 31-64
understanding AnyConnect 31-62
client-side file browsing 1-50
enabling or disabling 11-10
CLI prompt
configuring on firewall devices 48-12
Clock
PIX/ASA/FWSM 48-14
clock
Cisco IOS routers
overview 63-22
clock settings
Cisco IOS routers
Clock Policy page 63-23
Clone Device command 1-30
Clone Policy Bundle dialog box 5-58
Clone Policy command 1-32
Clone Policy dialog box 5-47
Close Activity command 1-36
Close All Reports command (Report Manager) 70-8
Close Report command (Report Manager) 70-8
Close Ticket command 1-37
cluster, server
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
Cluster Information page, device properties 3-50
clustering 3-9
cluster load balancing
configuring 31-5
understanding 31-5
understanding FQDN redirection 31-5
CNS
deploying configurations 8-41
deployment method 8-10
setting up on PIX Firewall and ASA devices 2-8
color rules, configuring in Event Viewer 69-40
Combine Rules Selection Summary dialog box 12-24
commands
Activities menu 1-36
Edit menu (Configuration Manager) 1-31
Event Viewer File menu 69-9
Event Viewer View menu 69-10
File menu (Configuration Manager) 1-30
Help menu (Configuration Manager) 1-38
Launch menu 1-37
Manage menu 1-34
Map menu 1-33
Policy menu (Configuration Manager) 1-32
Report Manager menus 70-8
Tickets menu 1-36
Tools menu (Configuration Manager) 1-34
View menu (Configuration Manager) 1-31
Common Services
licensing 10-17
communication, device
troubleshooting 9-8
community list objects
properties 56-153
configurable dashboard for IPS and FW 72-1
configuration
initial Security Manager 1-25
understanding rollback 8-63
Configuration Archive
adding configurations from devices 8-59
overview 8-15
rolling back to archived configuration files 8-70
rolling back when deploying to file 8-71
settings 11-6
version viewer 8-60
viewing and comparing configuration versions 8-59
viewing transcripts 8-62
window 8-23
Configuration Archive command 1-34
Configuration Archive page 11-6
Configuration Engine
adding 3-36
setting up 2-8
Configuration Engine Properties dialog box 3-38
configuration files
deploying in non-Workflow mode 8-28
deploying in Workflow mode 8-34, 8-39
deploying to 8-11
deploying to an AUS or CNS 8-41
deploying to a TMS 8-43
deployment process overview 8-1
factory-default configurations 46-2
previewing 8-44
redeploying to devices 8-53
rolling back after deploying to file 8-71
rolling back to archived configurations 8-70
rolling back to devices 8-69
selecting 1-50
web VPN policy discovery restrictions 3-8
configuration location, configuring for IOS IPS 45-7
Configuration Manager
overview 1-14
using 1-14
configurations
adding to the Configuration Archive 8-59
avoiding out-of-band changes 8-47
detecting out-of-band changes 8-45
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rolling back 8-63
rolling back Catalyst 6500/7600 8-65
rolling back failover devices 8-65
rolling back IPS and IOS IPS 8-66
rolling back multiple context mode 8-64
understanding out-of-band changes 8-12
viewing and comparing 8-59
configuration session
selecting session for change reports 4-18
viewing change reports 4-16
configuration sessions
discarding 4-22
configuration views 1-14
Configure dialog box 17-22
Configure DNS dialog box 17-19
Configure ESMTP dialog box 17-20
Configure Fragments dialog box 17-20
Configure Hardware Ports
ASA 5505 46-61
Configure IMAP dialog box 17-21
Configure POP3 dialog box 17-21
Configure RPC dialog box 17-21
Configure SMTP dialog box 17-20
Config Version Viewer (Preview Configuration) dialog box 8-44
conflict analysis reports
generating 16-34
conflict detection
resolving conflicts 16-34
understanding 16-28
understanding the user interface 16-30
using 16-28
connection
PIX/ASA/FWSM
identity-aware rules 13-21
rules 58-5
Connection Alias dialog box 31-25, 31-34
Connection Profile dialog box
AAA tab 31-13
General tab 31-10
IPSec tab 31-19
Secondary AAA tab 31-17
SSL tab 31-22
connection profiles
configuring 31-7
configuring for Easy VPN 28-13
properties
AAA 31-13
general 31-10
IPSec 31-19
policy overview 31-8
secondary AAA 31-17
SSL 31-22
sharing among multiple ASAs 30-8
Connection Profiles page 31-8
Connection Settings
MPC rule wizard
tab 58-8
connection timeout
device communication settings 11-22
Connection URL dialog box 31-25
connectivity, testing device 9-1
console
Cisco IOS routers
AAA tab 63-44
Accounting tab 63-47
Authentication tab 63-44
Authorization tab 63-45
Console Policy page 63-42
Setup tab 63-42
console port
Cisco IOS routers
defining AAA settings 63-37
defining setup parameters 63-35
Console timeout
PIX/ASA/FWSM 49-1
Constant Bit Rate (CBR) 62-48
contained modules
showing 3-56
content rewrite rules
defining for SSL VPN on ASA 31-53
Context-Based Access Control
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
preventing DoS attacks on IOS devices 17-5
selecting protocols 17-3
understanding 17-2
understanding access rule requirements 17-4
Context Editor dialog box (IOS) 33-15
contexts
see “security contexts” 59-1
continuity check (CC) cells 62-51
control plane (CP)
defining QoS on 66-12
policing on 66-9
Control Plane Policing 66-9
conventions 2-lxiii
cookie challenges 26-37
Copy command 1-31, 12-9
Copy Policies Between Devices command 1-32
Copy Policies wizard 5-33
CPU settings
defining utilization settings 63-25
overview 63-25
CPU Throttling Policy 11-33
CPU utilization
CPU Policy page 63-26
Create a Clone of Device dialog box 3-56
Create Activity dialog box 4-14
Create a Policy dialog box 5-54
Create Discovery Task dialog box 5-18
Create Extranet VPN Topology wizard
overview 25-66
Create Filter dialog box 1-46
Create Group Policy wizard
Clientless and Thin Client Access Modes page 30-24
Full Tunnel page 30-21
Group Policy page 30-20
using 30-20
Create Overrides for Device dialog box 6-20
Create Policy Bundle dialog box 5-57
Create Text Object dialog box 7-32
Create Ticket dialog box 4-14
Create VPN Topology wizard
Device Selection page 25-32
Edit Endpoints dialog box 25-34
Endpoints page 25-34
GET VPN Group Encryption page 25-54
GET VPN Peers page 25-60
High Availability page 25-52
Name and Technology page 25-30
overview 25-28
VPN Defaults page 25-62
credential objects
attributes 28-9
credentials
configuring on firewall devices 48-17
device manager validation 72-14
IPS module 3-20
service module 3-19
testing 9-1
understanding device 3-4
Credentials page
HTTPS port number
overriding with HTTP policy 3-47
Credentials page, device properties 3-45
crypto maps
understanding 26-19
CSC
MPC rule wizard
tab 58-8
CSDM Policy Editor dialog box 32-46
CS-MARS
access to Security Manager 72-37
configuring servers 11-7
discovering or changing controller used by device 72-39
events
historical and real-time lookup 72-41
looking up 72-41
integrating with Security Manager 72-36
integration with Security Manager 72-36
looking up Security Manager policies based on events 72-45
NetFlow 72-47
query
troubleshooting 72-40
registering in Security Manager 72-38
supported log messages 72-46
viewing access rule events 72-42
viewing IPS signature events 72-44
CS-MARS page 11-7
CSMDiagnostics.zip
setting debug options 11-11
CSMDiagnostics.zip file, creating 10-28
CSM Mobile 72-11
settings page 11-9
CSM Monitor widget 72-7
CSM tab, Licensing page 11-57
CSV (comma-separated values) files
supported formats for device inventory 10-9
CSV file
export HPM data as 71-31
Customize Desktop Settings page 11-10
Customized Toolbar command 1-32
Custom Protocol dialog box 17-22
Custom Report List command (Report Manager) 70-9
Cut command 1-31, 12-9
cut-through proxy, configuring 13-23
CX
ASA module
detecting 72-21
CXSC
MPC rule wizard
tab 58-8
D
Dashboard
CSM Mobile settings page 11-9
Dashboard tabs
default view 72-8
re-arranging 72-8
Dashboard widgets for device health trends 72-2
database
backing up 10-25
backing up and restoring 10-24
generating partial backups for TAC 10-30
restoring 10-27
DCE/RPC policy map objects
creating 17-22
properties 17-29
DCS.properties file
DCS.doSerialAccessForFWSMVCs property 9-17
DCS.FWSM.checkThreshold property 9-17
SSH settings 9-7
warning message expression properties 9-10
DDNS
PIX/ASA/FWSM 52-18
add interface rules 52-19
update methods 52-19
update methods, add/edit 52-20
dead-peer detection (DPD) 26-33
debugging
configuring debug levels 11-11
Debug Options page 11-11
Default Report Settings command (Report Manager) 70-9
defaults, configuring 11-1
Delete Device command 1-30
Delete Map command 1-33
Delete Map dialog box 35-10
Delete Row command 1-31
Denial of Service (DoS)
preventing in SMTP using zone based firewall 21-27
denial of service (DoS)
preventing using unicast reverse path forwarding (RPF) 62-20
Denial of Service (DoS) attacks
configuring inspection settings to mitigate 17-111
preventing on IOS devices using inspection 17-5
denial of service (DoS) attacks
preventing using IKEv2 cookie challenge 26-37
deny
inspection
rules 17-5
Deploy command 1-31
Deploy Job dialog box 8-39
deployment
Add Other Devices dialog box 8-58
Auto Update Server 8-41
Catalyst 6500/7600 devices 8-28
changes not deployed when using schedules 8-55
changing device message severity level to ignore errors 9-10
changing FWSM multiple-context deployment to serial 9-17
Cisco Networking Services configuration engine 8-41
clearing XLATE on 60-1
configuration files, to 8-11
configurations 8-28
creating jobs in Workflow mode 8-35
creating or editing schedules 8-55
Deployment Manager window 8-16
device communication settings 9-4
devices, directly to 8-9
devices, through intermediate server 8-10
Edit Deploy Method dialog box 8-30
Edit Selected Deployment Method dialog box 8-30
error attempting to remove unreferenced object 9-12
errors
OS version mismatches 8-13
generating status report 10-30
handling OS version mismatches 8-13
managing 8-1
methods 8-8
minimum memory errors for ASA 8.3+ 9-12
non-Workflow mode 8-3
optimizing access rules 16-46
out-of-band changes
avoiding 8-47
detecting and analyzing 8-45
understanding 8-12
process overview 8-1
rolling back archived configurations 8-70
rolling back configurations 8-63
rolling back configurations, Catalyst 6500/7600 8-65
rolling back configurations, command conflicts 8-67
rolling back configurations, commands to recover from failover misconfiguration 8-68
rolling back configurations, failover devices 8-65
rolling back configurations, IPS and IOS IPS devices 8-66
rolling back configurations, multiple context mode 8-64
rolling back configuration when deploying to file 8-71
rolling back to last deployed configuration 8-69
setting debug options 11-11
suspending or resuming schedules 8-58
system settings 11-13
task flow
non-Workflow mode 8-3
Workflow mode 8-5
tips for successful jobs 8-27
TMS server 8-43
troubleshooting 9-1, 9-9
ADSL or PVC deployment failures 9-15
AUS problems 9-18
Catalyst interface settings 9-16
Catalyst internal VLANs 9-16
Catalyst switch and modules 9-16
Configuration Engine problems 9-18
Error Writing to Server messages 9-15
HTTP Response Code 500 messages 9-15
layer 2 interfaces 9-15
mixing deployment methods with routers and VPNs 9-14
router interface settings 9-14
routers 9-14
Security Manager cannot contact device 9-12
VPNs with routing processes 9-13
troubleshooting device communication 9-8
troubleshooting router connection failures 2-2
troubleshooting SSL certificate errors 9-5
troubleshooting VRF-aware IPsec on Catalyst 6500/7600 devices 25-17
understanding 8-1
understanding configuration rollback 8-63
using a Cisco Networking Services (CNS) server 8-41
viewing device details 8-26
viewing job summary 8-26
viewing status and history for jobs and schedules 8-26
viewing transcripts 8-62
Warning - Partial VPN Deployment dialog box 8-31
Workflow mode 8-5, 8-34, 8-39
working with 8-25
Deployment—Create or Edit a Job dialog box 8-35
deployment jobs
aborting 8-55
approval 8-7
approving 8-39
creating and editing in non-Workflow mode 8-28
creating and editing in Workflow mode 8-35
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
multiple users 8-8
redeploying 8-53
rejecting 8-39
states
non-Workflow mode 8-4
Workflow mode 8-6
submitting 8-38
viewing history 8-26
Deployment Manager
overview 8-15, 8-16
Deployment Manager window 8-16
Deployment Schedules tab 8-21
Deployment page
PIX/ASA/FWSM Platform
clear xlate 60-1
Deployment Schedules tab 8-21
Deployments command 1-34
Deployment Settings page 11-13
Deployment Status Details dialog box 8-32
Deployment Workflow Commentary dialog boxes 8-20
Deploy Saved Changes dialog box 8-28
DES encryption algorithm
in IKE proposals 26-6
Designated Router
PIX/ASA/FWSM 55-12
Destination Contents dialog box 12-14
Dest Port Map dialog box 41-12
Detect Out of Band Changes command 1-35
device
AAA administration 48-4
firewall types 46-1
viewing inventory status 72-12
Device Access
FWSM
Resources, add/edit 51-4
PIX/ASA/FWSM 49-1
console timeout 49-1
host name 51-1
HTTP configuration 49-3
HTTP page 49-2
ICMP rules 49-4
ICMP rules, add/edit 49-5
Management Access interface 49-6
Secure Shell, add/edit host 49-8
Secure Shell (SSH) 49-7, 49-8
Server Access 52-1, 53-1
SNMP host access 49-22
SNMP page 49-17
SNMP Trap configuration 49-19
Telnet configuration 49-29
Telnet page 49-29
user accounts 51-7
user accounts, add/edit 51-7
device access policies
defining 63-14
Device Admin
FWSM
Resources 51-3
device administration policies
configuring on firewall devices 48-1
device authentication
adding SSL thumbprints manually 9-5
SSL certificate default configuration 11-22
Device Blacklist dialog box 19-15
device clusters 3-9
device communication
changing device message severity level 9-10
managing settings 9-4
routers without K8/K9 crypto image 9-8
Security Manager cannot contact device after deployment 9-12
troubleshooting failures 9-8
Device Communication page 11-21
device communications
troubleshooting 9-1
device communication settings
connection timeout 11-22
retry count 11-22
socket read timeout 11-22
Device Connectivity Test dialog box 9-3
device credentials
understanding 3-4
Device Credentials page 3-45
Device Delete Validation dialog box 3-59
device groups 3-59, 3-62
adding or removing devices 3-63
creating group types 3-62
deleting groups or types 3-63
understanding 3-60
Device Groups page 3-49, 11-24
device health trends in Dashboard 72-2
Device Information page - Add Device from File 3-33
Device Information page - Configuration File 3-23
Device Information page - Network 3-14
Device Information page - New Device 3-27
device inventory
exporting
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
using command line utility 10-10
importing
device with policies 10-13
importing with policies 10-13
managing 3-1
sharing with PRSM 72-22
testing device connectivity 9-1
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
working with 3-36
device manager
access rule look-up 72-17
ASDM 72-15
access rule look-up 72-18
credentials 72-14
IDM 72-15
PDM 72-15
prerequisites 72-16
SDM 72-16
access rule look-up 72-19
starting from HPM 71-3, 71-27
starting from Security Manager 72-14
troubleshooting 72-16
xdm-launcher.exe 72-16
Device Manager command 1-37
Device Properties
Cluster Information page 3-50
Credentials page 3-45
Device Groups page 3-49
General page 3-41
Policy Object Override pages
general reference 3-52
device properties
changes with policy effects 3-54
changing critical 3-52
image version changes with no policy effects 3-53
understanding 3-6
viewing or changing 3-40
Device Properties command 1-35
Device Properties page
creating object overrides 6-19
deleting overrides 6-21
overview 3-40
device response
to appear as an error message 9-10
devices
adding 3-6
adding configurations to the Configuration Archive 8-59
adding from configuration files 3-22
adding from inventory file 3-31
adding from network 3-12
adding local rules to shared policies 5-45
adding manually 3-26
adding or changing modules 3-40
assigning shared policies 5-44
avoiding out-of-band changes 8-47
changing critical properties 3-52
changing those selected for reports 70-22
cloning or duplicating 3-56
cloning shared policies 5-47
communication requirements 2-1
communication settings and certificates 9-4
configuring ASA licenses 2-9
configuring IOS licenses 2-10
configuring local policies 5-31
copying policies between 5-33
creating policy object overrides 6-19
deleting from inventory 3-58
deleting policy object overrides 6-21
deployment through intermediate server 8-10
deployment to 8-9
detecting out-of-band changes 8-45
discovering or changing CS-MARS controller 72-39
discovering policies 5-12
discovering policies on existing devices 5-15
dynamic IP addresses 3-36
image version changes with no policy effects 3-53
including in deployment jobs or schedules 8-8
including unmanaged or non-Cisco in a VPN 25-11
inheriting policy rules 5-47
maps
adding existing managed 35-16
adding new managed 35-16
displaying devices from Device View 35-16
displaying managed 35-16
removing managed 35-16
showing containment for Catalyst switches, ASA, PIX, IPS devices 35-16
modifying policy assignment 5-49
modifying shared policies 5-49
naming conventions 3-3
overview of monitoring 1-7
policy status icons 5-30
preparing for management 2-1
property changes with policy effects 3-54
redeploying configuration files to 8-53
redeploying configurations to replaced hardware 8-53
renaming policies 5-48
replacing policies 5-44
rolling back configurations 8-69, 8-70, 8-71
selecting in site-to-site VPNs 25-32
selecting multiple 1-45
sharing multiple policies 5-42
sharing with PRSM 72-22
showing contained modules 3-56
system variables 7-7
testing connectivity 9-1
troubleshooting communication 9-8
troubleshooting communication and deployment 9-1
troubleshooting device discovery failures 3-7
unassigning policies 5-36
understanding out-of-band changes 8-12
unsharing policies 5-43
using global search to find specific devices 1-42
what counts as a device 3-3
device selector
filtering 1-45
Device Selector dialog box 1-45
Device Server Assignment dialog box 9-9
device status view
working with 3-64
Device Status View command 1-32
Device view
adding local rules to shared policies 5-45
assigning shared policies 5-44
cloning shared policies 5-47
configuring local policies 5-31
configuring VPN topologies 25-19
copying policies between devices 5-33
inheriting policies 5-47
managing policies 5-30
modifying policy assignments 5-49
modifying shared policies 5-49
overview 1-15
policy banner 5-38
policy shortcut menu 5-40
policy status icons 5-30
renaming policies 5-48
sharing local policies 5-41
sharing multiple policies 5-42
unassigning policies 5-36
understanding basic policy management 5-31
understanding shared policies 5-37
unsharing policies 5-43
device view
understanding 3-1
Device View command 1-32
Device Whitelist dialog box 19-15
DHCP
Cisco IOS routers
defining address pools 63-91
defining policies 63-90
DHCP Database dialog box 63-94
DHCP Policy page 63-92
IP Pool dialog box 63-94
overview 63-87
understanding database agents 63-88
understanding option 82 63-89
understanding relay agents 63-88
understanding secured ARP 63-89
configuring passthrough for IOS devices 23-3
PIX/ASA/FWSM 52-10
add/edit servers 52-12
advanced configuration 52-13
configuring DHCP servers 52-10
server options 52-13
traffic blocked 9-15
DHCP relay
interface-specific 46-41
Option 82 46-41, 52-5
PIX/ASA/FWSM 52-5, 52-7
add/edit agent 52-6
add/edit server 52-7
Trusted Interface (Option 82) 46-41, 52-5
DHCPv6 relay
PIX/ASA/FWSM
add/edit agent 52-9
add/edit server 52-9
diagnostics
setting debug options 11-11
diagnostics file, creating 10-28
dial backup
configuring in Easy VPN 28-2
configuring in VPN 25-40
configuring VPN advanced settings 25-41
Dial Backup Settings dialog box 25-41
dialer interfaces
defining BRI properties 62-30
defining profiles 62-28
Dialer Physical Interface dialog box 62-33
Dialer Policy page 62-31
Dialer Profile dialog box 62-32
on Cisco IOS routers 62-28
Diffie-Hellman groups
in IKE proposals 26-7
Digital Subscriber Line (DSL) 62-34
digital subscriber line-access multiplexer (DSLAM) 62-35
directed broadcasts
enabling 62-20
Disable/enable NAT rules 24-34, 24-46
Discard Activity command 1-36
Discard Activity dialog box 4-22
Discard command 1-31
Discard Deployment Job dialog box 8-20
Discard Ticket command 1-37
Discard Ticket dialog box 4-22
discovering
remote access VPNs 30-12
site-to-site VPNs 25-24
Discover Policies on Device command 1-32
Discover VPN Policies command 1-32
Discover VPN Policies wizard 25-24
discovery
default behavior settings 11-25
generating status report 10-30
invalid certificate error 9-7
overview 1-20
security certificate error 9-5, 9-6
setting debug options 11-11
Discovery Settings page 11-25
Discovery Status dialog box 5-23
discovery task
frequently asked questions 5-27
starting 5-15
viewing status 5-22
disk space, monitoring event data store 69-35
Display Actual Size command 1-33
Distributed Traffic Shaping (DTS) 66-7
DMVPN (Dynamic Multipoint VPN)
advantages of using with GRE 27-11
configuring 27-12
configuring GRE modes 27-12
large scale DMVPNs
configuring 27-16
configuring server load balancing 27-17
overview 27-1, 27-9
spoke-to-spoke connections 27-10
supported platforms 25-9
understanding 27-10
DNS
configuring for inspection rules 17-19
PIX/ASA/FWSM
add/edit server group 52-16
add server 52-17
servers page 52-14
DNS class map objects
creating 17-22
match criteria 17-36
DNS policy map objects
creating 17-22
match conditions and actions 17-36
properties 17-32
DNS servers
configuring for IPS global correlation 36-24
DNS snooping 19-6
dock
report windows 70-30
view windows 69-38
Dock Map View command 1-33
documentation
conventions 2-lxiii
Domain AD Server dialog box 13-10
Domain Name System (DNS)
Cisco IOS routers
defining policies 63-75
DNS Policy page 63-76
IP Host dialog box 63-76
overview 63-74
do not ask warnings, resetting 11-10
drill-down reports 70-26
DSLAM 62-35
duration
VPN user reports 70-16
dynamic access policies
attributes 32-4, 32-7
configuring 32-2
managing 32-1
understanding 32-1
dynamic access policies (DAP) 32-30
Dynamic Access Policy page
Add/Edit Dynamic Access Policy dialog box
Add/Edit DAP Entry dialog box 32-21
Add/Edit DAP Entry dialog box > AAA Attributes Cisco 32-22
Add/Edit DAP Entry dialog box > AAA Attributes LDAP 32-24
Add/Edit DAP Entry dialog box > AAA Attributes RADIUS 32-25
Add/Edit DAP Entry dialog box > Anti-Spyware 32-26
Add/Edit DAP Entry dialog box > Anti-Virus 32-27
Add/Edit DAP Entry dialog box > AnyConnect Identity 32-28
Add/Edit DAP Entry dialog box > Application 32-29
Add/Edit DAP Entry dialog box > File 32-31
Add/Edit DAP Entry dialog box > NAC 32-32
Add/Edit DAP Entry dialog box > Operating System 32-33
Add/Edit DAP Entry dialog box > Personal Firewall 32-34
Add/Edit DAP Entry dialog box > Policy 32-35
Add/Edit DAP Entry dialog box > Process 32-36
Add/Edit DAP Entry dialog box > Registry 32-37
Advanced Expressions tab 32-44
Logical Operations tab 32-42
Main tab 32-14
Dynamic Access Policy page (ASA) 32-11
Cisco Secure Desktop Manager Policy Editor dialog box 32-46
Dynamic Access policy page (ASA) > Add/Edit Dynamic Access Policy dialog box 32-12
Dynamic Blacklist Configuration tab 19-10
dynamic crypto maps 26-19
dynamic filter snooping (DNS)
enabling 17-19
Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 25-6
dynamic NAT
Cisco IOS routers 24-10
Dynamic Translation Rule
PIX/ASA/FWSM 24-22
add/edit 24-23
dynamic VTI
configuring in Easy VPN 28-12
in remote access VPNs 33-7
understanding use in Easy VPN 28-3
E
Easy VPN
configuration modes 28-3
configuration overview 28-5
configuring client connection characteristics 28-7
configuring dial backup 28-2
configuring dynamic VTI 28-12
configuring high availability 28-2
connection profile policies 28-13
connection profiles (ASA, PIX 7+) 31-8
extended authentication (xauth) 28-4
important configuration notes 28-6
IPsec proposals 28-10
mandatory and optional policies 25-6
overview 28-1
supported platforms 25-9
understanding 28-1
understanding dynamic VTI 28-3
user group policies 28-14
ECMP 22-4
Edit AAA Option dialog box 15-19
Edit AAA Rule dialog box 15-13
Edit AAA Server dialog box 6-33
Edit AAA Server Group dialog box 6-49
Edit Access Rule dialog box 16-14
Edit Actions dialog box 39-12
Edit activity state 4-4
Edit AOL Class Map dialog box 17-28, 21-19
Edit A Port Forwarding Entry dialog box 34-41
Edit ASA Group Policies dialog box
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
overview 34-1
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
Edit A Smart Tunnel Entry dialog box 34-67, 34-70
Edit AS Path Entry dialog box 56-152
Edit AS Path Object dialog box 56-151
Edit Auto Signon Rules dialog box 34-27
Edit Auto Update Settings dialog box 11-54
Edit Category dialog box 12-14
Edit Cisco Secure Desktop Configuration dialog box 34-35
Edit Client Access Rules dialog box 34-12
Edit Client Update dialog box 34-81
Edit Column dialog box 34-61
Edit Community List Entry dialog box 56-154, 56-155
Edit Community List Object dialog box 56-153
Edit Custom Pane dialog box 34-62
Edit DCE/RPC Map dialog box 17-29
Edit Deploy Method dialog box 8-30
Edit Description dialog box 12-14
Edit Destinations dialog box 12-11
Edit Device Groups command 1-31
Edit Device Groups dialog box 3-61
Edit DNS Class Map dialog box 17-28
Edit DNS Map dialog box
Filtering tab 17-34, 17-35
overview 17-32
Protocol Conformance tab 17-33
Edit eDonkey Class Map dialog box 17-28, 21-19
Edit Endpoints dialog box
FWSM tab 25-47
overview 25-34
Protected Networks tab 25-46
VPN Interface tab 25-36, 25-50
VPNSM/VPN SPA/VSPA settings, VPN Interface tab 25-42
VRF Aware IPsec tab 25-48
Edit ESMTP Map dialog box 17-39
Edit Extended Access Control Entry dialog box 6-61
Edit Extended Access List dialog box 6-59
Edit External Filter dialog box 21-41
Edit Extranet VPN dialog box
overview 25-66
Edit FastTrack Class Map dialog box 17-28, 21-19
Edit Fidelity dialog box 39-13
Edit File Object dialog box 34-37
Edit FlexConfig dialog box 7-30
Edit FTP Class Map dialog box 17-28
Edit FTP Map dialog box 17-42
Edit Gnutella Class Map dialog box 17-28, 21-19
Edit Group Member dialog box 29-21
Edit GTP Map dialog box 17-45
Edit H.323 Class Map dialog box 17-28, 21-19
Edit H.323 Map dialog box 17-51, 21-34
Edit HSI Endpoint IP Address dialog box 17-54
Edit HSI Group dialog box 17-53
Edit HTTP Class Map dialog box 17-28, 21-19
Edit HTTP Map dialog box 21-34
ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS devices
Entity Length tab 17-58
Extension Request Method tab 17-61
General tab 17-57
overview 17-56
Port Misuse tab 17-62
RFC Request Method tab 17-60
Transfer Encoding tab 17-63
ASA 7.2+ and PIX 7.2+ devices 17-64
Edit ICQ Class Map dialog box 17-28, 21-19
Edit IKEv1 Proposal dialog box 26-10
Edit IKEv2 Proposal dialog box 26-14
Edit IMAP Class Map dialog box 17-28, 21-19
Edit IMAP Map dialog box 21-34
Edit IM Class Map dialog box 17-28
Edit IM Map dialog box 21-34
ASA and PIX device 17-70
IOS device 17-73
Edit Inspect/Application FW Rule wizard
Address and Port page 17-13
Inspected Protocol page 17-17
Match Traffic page 17-11
Edit Inspect Parameter Map dialog box 21-31
Edit Interfaces dialog box 12-13
Edit IP Options Map dialog box 17-75
Edit IPsec Pass Through Map dialog box 17-80
Edit IPSec Transform Set dialog box 26-27
Edit IPv4 Pool Object dialog box 6-92
Edit IPv6 Map dialog box 17-77, 17-91
Edit IPv6 Pool Object dialog box 6-93
Edit Kazaa2 Class Map dialog box 17-28, 21-19
Edit Key Server dialog box 29-19
Edit Language dialog box 34-56
Edit LDAP Attribute Map dialog box 6-46
Edit LDAP Attribute Map Value dialog box 6-47
Edit Load Balancing Parameters dialog box 27-17
Edit Local Web Filter Class Map dialog box 17-28, 21-19
Edit Local Web Filter Parameter Map dialog box 21-38
Edit MAC Address Pool Object dialog box 6-94
Edit Map Value dialog box 6-47
Edit Match Condition and Action dialog box
DNS policy maps 17-36
ESMTP policy maps 17-40
FTP policy maps 17-43
GTP policy maps 17-49
H.323 (IOS) policy maps 21-35
H.323 policy maps 17-54
HTTP (Zone Based IOS) policy maps 21-35
HTTP policy maps 17-66
IM (Zone Based IOS) policy maps 21-35
IMAP policy maps 21-35
IM policy maps 17-71
IPv6 policy maps 17-78, 17-92
P2P policy maps 21-35
POP3 policy maps 21-35
SIP (IOS) policy maps 21-35
SIP policy maps 17-85, 17-95
Skinny policy maps 17-89
SMTP policy maps 21-35
Sun RPC policy maps 21-35
Web Filter policy maps 21-35
Edit Match Criterion dialog box
AOL class maps 21-21
DNS class maps 17-36
eDonkey class maps 21-21
FastTrack class maps 21-21
FTP class maps 17-43
Gnutella class maps 21-21
H.323 (IOS) class maps 21-22
H.323 class maps 17-54
HTTP (IOS) class maps 21-22
HTTP class maps 17-66
ICQ class maps 21-21
IMAP class maps 21-25
IM class maps 17-71
Kazaa2 class maps 21-21
Local Web Filter class maps 21-29
MSN Messenger class maps 21-21
N2H2 class maps 21-30
POP3 class maps 21-25
SIP (IOS) class maps 21-25
SIP class maps 17-85, 17-95
SMTP class maps 21-27
Sun RPC class maps 21-29
Websense class maps 21-30
Windows Messenger class maps 21-21
Yahoo Messenger class maps 21-21
Edit menu
Configuration Manager 1-31
Edit MSN Messenger Class Map dialog box 17-28, 21-19
Edit N2H2 Parameter Map dialog box 21-39
Edit N2H2 Web Filter Class Map dialog box 17-28, 21-19
Edit NAT Rule dialog box
ASA 8.3+ 24-36
Edit NetBIOS Map dialog box 17-81
Edit Network/Host dialog box
General tab 6-83
NAT tab 24-42
Edit Options dialog box 16-17
Edit P2P Map dialog box 21-34
Edit Permit Response dialog box 17-48
Edit Per-Session NAT Rule dialog box 24-47
Edit PIX/ASA/FWSM Web Filter Rule dialog box 18-5
Edit PKI Enrollment dialog box
CA Information tab 26-60
Certificate Subject Name tab 26-66
Enrollment Parameters tab 26-63
overview 26-58
Trusted CA Hierarchy tab 26-67
Edit Policy Assignments command 1-32
Edit Policy List Object dialog box 56-143
Edit POP3 Class Map dialog box 17-28, 21-19
Edit Port Forwarding List dialog box 34-40
Edit Port List dialog box 6-102
Edit Prefix List Entry dialog box 56-148, 56-150
Edit Prefix List Object dialog box 56-146, 56-148
Edit Protocol Info Parameter Map dialog box 21-33
Edit Regular Expression dialog box 17-108
Edit Regular Expression Group dialog box 17-108
Edit Route Map Entry dialog box 56-137
Edit Route Map Object dialog box 56-136
Edit Row command 1-31
Edit Rule Section dialog box 12-22
Edit Security Association dialog box 25-58
Edit Selected Deployment Method dialog box 8-30
Edit Server dialog box
Protocol Info Parameter maps 21-34
Edit Server Group dialog box 15-19
Edit Service dialog box 6-103
Edit Services dialog box 12-13
Edit Signature dialog box 39-15
Edit Signature Parameter—Component List dialog box 39-29
Edit Signature Parameters dialog box 39-24
Edit Single Sign On Server dialog boxes 34-42
Edit SIP Class Map dialog box 17-28, 21-19
Edit SIP Map dialog box 17-83, 17-93, 17-102, 17-103, 21-34
Edit Skinny Map dialog boxes 17-87
Edit SLA Monitor dialog box 51-10
Edit Smart Tunnel Auto Signon Entry dialog box 34-72
Edit Smart Tunnel Auto Signon Lists dialog box 34-71
Edit Smart Tunnel Lists dialog box 34-66, 34-69
Edit SMTP Class Map dialog box 17-28, 21-19
Edit SMTP Map dialog box 21-34
Edit SNMP Map dialog box 17-90
Edit Sources dialog box 12-11
Edit SSL VPN Customization dialog box 34-51
Applications 34-60
Copyright Panel 34-58
Custom Panes 34-61
Full Customization 34-59
Home Page 34-62
Informational Panel 34-57
Language 34-54
Logon Form 34-56
Logout Page 34-63
Title Panel 34-53
Toolbar 34-59
Edit SSL VPN Gateway dialog box 34-64
Edit Standard Access Control Entry dialog box 6-64
Edit Standard Access List dialog box 6-59
Edit Sun RPC Class Map dialog box 17-28, 21-19
Edit Sun RPC Map dialog box 21-34
Edit TCP Map dialog box 58-22
Edit TCP Option Range dialog box 58-25
Edit Text Object dialog box 7-32
Edit Time Range dialog box 6-71
Edit Traffic Flow dialog box 58-18
Edit Translated Address dialog box 24-29
Edit Transparent EtherType dialog box 23-7
Edit Transparent Firewall Rule dialog box 23-5
Edit Transparent Mask dialog box 23-7
Edit Trend Content Filter Class Map dialog box 17-28, 21-19
Edit Trend Parameter Map dialog box 21-42
Edit Unified Access Control Entry dialog box 6-67
Edit Update Server Settings dialog box 11-52
Edit URL Domain Name dialog box 21-45
Edit URLF Glob Parameter Map dialog box 21-45
Edit URL Filter Parameter Map dialog box 21-43
Edit User Credentials dialog box 36-19
Edit User dialog box 12-12
Edit User Group dialog box
Advanced PIX 6.3 settings 34-82
Browser Proxy settings 34-87
Client (IOS) settings 34-78
Clientless settings 34-83
Client VPN Software Update (IOS) settings 34-81
DNS/WINS settings 34-77
General settings 34-75
IOS Xauth Options settings 34-80
overview 34-73
Split Tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN Connection settings 34-88
SSL VPN Full Tunnel settings 34-84
SSL VPN Split Tunneling settings 34-86
Technology settings 34-73
Thin Client settings 34-84
Edit VDI Server dialog box 34-15
Edit Virtual Sensor dialog box 38-7, 38-8
Edit VPN dialog box
Device Selection tab 25-32
Edit Endpoints dialog box 25-34
Endpoints tab 25-34
High Availability tab 25-52
Name and Technology tab 25-30
overview 25-28
Edit Web Access Control Entry dialog box 6-65
Edit Web Filter Map dialog box 21-47
Edit Web Filter Options dialog box 18-9
Edit Web Filter Type dialog box 18-8
Edit Websense Parameter Map dialog box 21-39
Edit Websense Web Filter Class Map dialog box 17-28, 21-19
Edit Web Type Access List dialog box 6-59
Edit Windows Messenger Class Map dialog box 17-28, 21-19
Edit WINS Server dialog box 34-90
Edit WINS Server List dialog box 34-89
Edit Yahoo Messenger Class Map dialog box 17-28, 21-19
Edit Zones dialog box 12-13
eDonkey class map objects
creating 21-16
match criteria 21-21
EIGRP routing
defining interface properties 67-10
defining routes 67-9
EIGRP Routing Policy page 67-13
Interface dialog box 67-16
Interfaces tab 67-15
on Cisco IOS routers 67-8
PIX/ASA/FWSM
advanced settings 56-34
Filter Rule configuration 56-40
Filter Rules tab 56-39
Interface configuration 56-48
Interfaces tab 56-47
neighbor configuration 56-42
Neighbors tab 56-41
policy 56-32
redistribution configuration 56-44
Redistribution tab 56-42
Setup tab 56-36
Summary Address configuration 56-46
Summary Address tab 56-45
redistributing routes 67-12
Redistribution Mapping dialog box 67-18
Redistribution tab 67-17
Setup dialog box 67-14
Setup tab 67-13
e-mail
blocking spam using zone-based firewall rules 21-27
preventing DoS attacks 21-27
e-mail notifications
configuring SMTP server 1-27
PIX/ASA/FWSM
recipient set-up 54-8
syslog messages 54-8
embedded event manager
add/edit action configuration 54-7
add/edit applet 54-5
add/edit syslog configuration 54-7
ASA 54-3
Enable/disable NAT rules 24-34, 24-46
Enable PIM and IGMP
PIX/ASA/FWSM 55-1
Encapsulating Security Payload (ESP) encryption algorithm 26-29
encoding rules
defining for SSL VPN (ASA) 31-55
encryption algorithms
3DES (Triple DES) 26-6
AES (Advanced Encryption Standard) 26-6
DES (Data Encryption Standard) 26-6
in IKE proposals 26-6
endpoints and protected networks
configuring dial backup 25-40
defining in GET VPN topologies 25-60
defining in VPN topologies 25-34
VPN Interface tab 25-36, 25-50
equal-cost multi-path 22-4
Error Writing to Server deployment errors 9-15
ESMTP
configuring for inspection rules 17-20
ESMTP policy map objects
creating 17-22
match conditions and actions 17-40
properties 17-39
EtherChannel
Create and Edit IDSM EtherChannel VLANs dialog boxes 68-49
defining IDSM VLANs 68-44
deleting IDSM VLANs 68-45
EtherChannels
ASA 46-9
edit assigned interface 46-12
LACP 46-12
load balancing 46-13
evaluation license
upgrading to permanent license 10-16
event
lists 54-9
add/edit 54-10
syslog class
add/edit 54-11
syslog message ID
add/edit 54-11
Event Action Filters page 40-7
Event Action Overrides page 40-13
event actions, IPS
configuring filter rules 40-4
configuring network information 40-17
configuring OS maps 40-21
configuring overrides 40-13
configuring settings 40-23
configuring target value ratings 40-17
example filter rule 69-67
filter rule attributes 40-9
filter rules policy 40-7
filter rules tips 40-6
overview 40-1
possible actions 40-2
process overview 40-1
Event Management page 11-27, 11-35
CPU Throttling Policy dialog box 11-33
event manager applet 54-3
Event Manager service
configuring 69-30
managing 69-30
monitoring event store disk space 69-35
monitoring status 69-31
selecting devices to monitor 69-34
starting and stopping 69-30
status icon colors 69-31
events
archiving (backing up) the event data store 69-36
configuring firewall devices (ASA, FWSM) 69-28
configuring IPS devices 69-29
copying 69-53
CS-MARS 72-46
looking up 72-41
looking up policies based on related events 72-45
Netflow support for policy lookup 72-47
viewing access rule events 72-42
viewing IPS signature events 72-44
ensuring time synchronization 69-27
Event Viewer
clearing filters 69-48
context menu 69-49
cross-launching from HPM 69-58
filtering by column 69-45
filtering by events 69-47
filtering overview 69-43
looking up 69-55
looking up policies based on related events 69-54
refreshing event table 69-44
selecting time range 69-43
text searches (quick filter) 69-47
using time slider with filtering 69-44
viewing access rule events 69-56
viewing IPS signature events 69-57
examining details 69-53
examples of analysis
mitigating botnet activity 69-65
monitoring and mitigating botnet activity 69-61
monitoring botnet activity using ASDM 69-64
monitoring botnet activity using Event Viewer 69-62
monitoring botnet activity using Report Manager 69-64
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-17
overview 69-58
removing false positive IPS events 69-66
understanding botnet syslog events 69-61
user access to server blocked 69-59
performing operations on 69-49
properties 69-18
recovering the event data store 69-36
saving to a file 69-53
understanding Event Viewer access control 69-4
viewing 69-1
Event Viewer
archiving (backing up) the event data store 69-36
arranging views 69-38
ASA devices, configuring to provide events 69-28
columns 69-18
configuring color rules 69-40
configuring Event Manager service 69-30
copying events 69-53
creating custom views 69-41
cross-launching from HPM 69-58
deleting custom views 69-43
editing view name and description 69-41
ensuring time synchronization 69-27
Event Monitoring window 69-14
events
context menu 69-49
historical and real-time lookup 69-55
looking up 69-55
event table
customizing appearance 69-39
event details pane 69-26
refreshing 69-44
time slider 69-25
toolbar 69-16
examining event details 69-53
examples of analysis
mitigating botnet activity 69-65
monitoring and mitigating botnet activity 69-61
monitoring botnet activity 69-62
monitoring identity-aware firewall policies 13-27
monitoring TrustSec policies 14-17
overview 69-58
removing false positive IPS events 69-66
understanding botnet syslog events 69-61
user access to server blocked 69-59
features
historical views 69-2
overview 69-1
policy navigation 69-3
real-time views 69-2
views and filters 69-3
File menu reference 69-9
filters
advantages of using network/host objects 69-67
clearing 69-48
column based 69-45
event based 69-47
overview 69-43
submission requirements for policy objects 69-68
text searches (quick filter) 69-47
time range 69-43
time slider 69-44
floating views 69-38
FWSM devices, configuring to provide events 69-28
IPS devices, configuring to provide events 69-29
limits of 69-4
looking up Security Manager policies based on events 69-54
managing service 69-30
monitoring event store disk space 69-35
monitoring status 69-31
opening views 69-38
overview 69-7
performing operations on 69-49
preparation for use 69-27
recovering the event data store 69-36
saving events 69-53
saving views 69-42
selecting devices to monitor 69-34
settings 11-27, 11-35
starting or stopping the Event Manager service 69-30
status icon colors 69-31
switching between IP addresses and host object names 69-39
switching between real-time and historical views 69-42
syslogs 69-6
troubleshooting
Event Viewer Unavailable message 11-27, 11-36, 69-30
policy objects not available for filtering 69-68
understanding access control 69-4
using 69-37
using views 69-37
viewing access rule events 69-56
viewing IPS signature events 69-57
view list 69-12
View menu reference 69-10
Event Viewer command 1-38
exclusive domains
configuring for IOS devices 18-10
Exit command 1-31
Exit command (Report Manager) 70-8
exiting
Cisco Security Management Suite server 1-12
CiscoWorks Common Services 1-12
Security Manager 1-11, 1-12
expiration dates
configuring for access rules 16-22
export
device inventory
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
HPM data 71-31
IPS event action overrides 40-13
IPS event filter rules 40-4, 40-7
policy objects 6-23
reports 70-28
shared policies 10-12
Export Devices or Policies commands 1-30
Export Inventory dialog box 10-6
Export Map command 1-33
External Product Interface dialog box 36-27
External Product Interface policy 36-26
F
factory-default configurations 46-2
failover
Active/Active
command replication 50-4
configuration synchronization 50-3
add new context to group 2 50-8
configuring in site-to-site VPN 25-52
edit bridge group 50-17
FWSM 50-13
advanced settings 50-16
PIX/ASA 50-17
Add Failover Group 50-25
settings 50-21
PIX/ASA/FWSM 50-10
active/active 50-2, 50-3
active/standby 50-2
bootstrap configuration 50-26
configuration basics 50-5
configuring 50-1
interface configuration 50-23
interface MAC address 50-23
security context 50-26
stateful 50-3, 50-4
stateless 50-3
types of 50-2
understanding 50-1
PIX 6.3 50-10
interface configuration 50-12
stateful in site-to-site VPN 25-54
false negatives
definition of 39-23
false positives
definition of 39-23
FastTrack class map objects
creating 21-16
match criteria 21-21
feature sets 1-4
File menu
Configuration Manager 1-30
Event Viewer 69-9
Report Manager 70-8
file objects
attributes 34-37
selecting 34-39
files
deploying to 8-11
selecting or specifying 1-50
Filter Item dialog box 40-9
filter rules, event action (IPS)
attributes 40-9
configuring 40-4
example rule 69-67
exporting 40-4
policy 40-7
tips 40-6
filters
Event Viewer
clearing 69-48
column based 69-45
context menu 69-49
event based 69-47
overview 69-43
refreshing event list 69-44
selecting time range 69-43
text searches (quick filter) 69-47
using time slider 69-44
filtering selectors 1-45
filtering tables 1-48
HPM
column based 71-17
custom 71-18
filters (Event Viewer)
advantages of using network/host objects 69-67
overview 69-3
submission requirements for policy objects 69-68
Find and Replace dialog box 12-17
find and replace in rules policies 12-16
Find Map Node command 1-33
Find Node dialog box 35-12
FirePOWER
ASA module
detecting 72-21
FireSIGHT Management Center
starting from Security Manager 72-20
FireSIGHT Management Center command 1-37
Firewall
AAA IOS Timeout Values 15-30
firewall
AAA firewall
advanced settings 15-20
configuring 15-6
MAC exempt lists 15-26
AAA firewall policy
advanced settings 15-20
configuring 15-6
AAA page 15-28
AAA rules
configuring AAA firewall settings 15-6
configuring AuthProxy settings 15-9
configuring cut-through proxy (ASA) 13-23
configuring for ASA/PIX/FWSM devices 15-4
configuring for IOS devices 15-7
configuring identity aware 13-21
configuring security group aware 14-17
managing 15-1
properties 15-13
understanding 15-1
understanding how users authenticate 15-2
Access Control page 16-24
access controls
per user downloadable ACLs 16-27
access control settings
configuring settings 16-23
access rule
event analysis example, user access blocked 69-59
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
viewing related CS-MARS events 72-42
viewing related events 69-56
access rules
address requirements 16-5
configuring 16-7
configuring expiration dates 16-22
configuring identity aware 13-21
configuring security group aware 14-17
how deployed 16-5
import examples 16-44
importing 16-40
IPS blocking, effect of 43-4
managing 16-1
optimizing during deployment 16-46
sharing ACLs among interfaces 11-18
understanding 16-1
understanding device-specific behavior 16-4
understanding global 16-3
understanding requirements when using inspection 17-4
ACL naming conventions 12-5
adding rules 12-9
analysis reports 16-34
AuthProxy
configuring 15-9
AuthProxy settings policy
configuring 15-9
botnet traffic filter rules 19-9
combining rules
example 12-27
interpreting results 12-25
procedure 12-22
configuring policies in Map view 35-23
configuring settings 18-15
configuring settings policies in Map view 35-23
conflict detection 16-28
converting IPv4 rules 12-28
deleting rules 12-9
device types 46-1
disabling rules 12-20
editing rules 12-10
enabling rules 12-20
finding and replacing items in rules policies 12-16
Firewall ACL Setting dialog box 16-26
identity-aware policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring rules 13-21
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-38, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Inspection page 17-111
inspection rules
add/edit rule wizard 17-11, 17-13, 17-17
choosing interfaces 17-2
configuring 17-5
configuring identity aware 13-21
configuring security group aware 14-17
managing 17-1
preventing DoS attacks on IOS devices 17-5
selecting protocols 17-3, 17-17
understanding 17-2
understanding access rule requirements 17-4
inspection settings
configuring for IOS devices 17-111
introduction 12-1
IPv6 access rules
configuring expiration dates 16-22
sharing ACLs among interfaces 11-18
understanding global 16-3
MAC exempt lists, AAA firewall 15-26
managing rules tables 12-7
moving rules 12-19
object groups
expanding during discovery 12-35
optimizing network object groups during deployment 12-35
overview 12-1
per user downloadable ACLs 16-27
policy discovery 5-13
policy query
example report 12-34
generating reports 12-28
interpreting results 12-32
preserving ACL names 12-4
reference information for AAA rules 15-20
resolving access rule conflicts 16-34
resolving ACL naming conflicts 12-7
rule table sections 12-20
security group aware policies
configuring ISE settings 11-56
configuring rules 14-17
security group-aware policies
configuring 14-7
managing 14-1
system variables 7-9
transparent rules
adding or editing a rule 23-5
configuring 23-1
configuring passthrough for IOS devices 23-3
editing the EtherType 23-7
editing the mask 23-7
managing 23-1
Transparent Rules page 23-3
TrustSec firewall policies
configuring 14-7
managing 14-1
overview 14-1
TrustSec policies
monitoring 14-17
understanding NAT effects 12-3
understanding rule order 12-19
understanding rule processing order 12-2
using rules tables 12-8
Web Filter page 18-16
web filter rules
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
managing 18-1
understanding 18-1
zone-based firewall
add/edit zones 21-53
advanced options 21-67
configuring PAM 21-69
configuring rules 21-13, 21-62
configuring settings 21-49
Content Filter tab 21-52
designing network zones 21-1
development overview 21-12
Global Parameters tab 21-50
page 21-50
protocol selection 21-68
rules table 21-58
tabs 21-49
VPN tab 21-50
WAAS tab 21-50
Zones tab 21-50
zone-based firewalls
changing the default drop rule 21-48
general recommendations 21-12
IPSec VPN 21-6
logging 21-1
overview 21-1
restrictions 21-3
Self zone 21-5
troubleshooting 21-54
understanding 21-3
understanding permit/deny and action 21-8
understanding services and protocols 21-11
VRF 21-7
Firewall AAA IOS Timeout Value Setting dialog box 15-30
Firewall AAA MAC Exempt Setting dialog box 15-27
Firewall ACL Setting dialog box 16-26
Firewall Device dialog box 43-14
Firewall Services Module
see FWSM 47-1
Fit to Window command 1-33
FlexConfig objects
adding to policies 7-35
ASA samples 7-20
Catalyst 6500/7600 samples 7-22
changing order in policies 7-35
changing variable values 7-35
Cisco IOS Software samples 7-22
CLI commands 7-2
configuring 7-25
configuring AAA for administrative introducers 63-84
creating 7-28
creating text objects 7-32
deleting variables 7-28
PIX firewall samples 7-23
previewing CLI 7-35
properties 7-30
property selector 7-34
removing from policies 7-35
router samples 7-24
samples 7-19
scripting language
example of looping 7-3
example of looping with if/else statements 7-4
example of two-dimensional looping 7-3
understanding 7-3
system variables
device 7-7
firewalls 7-9
remote access VPN 7-19
router 7-13
understanding 7-7
VPN 7-14
undefined variables 7-33
understanding 7-2
variables 7-5
variables, example 7-6
FlexConfig policies
adding objects 7-35
changing object order 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
editing 7-35
previewing CLI 7-35
removing objects 7-35
understanding 7-2
FlexConfig Policy page 7-36
FlexConfig Preview dialog box 7-38
FlexConfigs
creating (scenario) 7-25
managing 7-1
troubleshooting 7-38
FlexConfig Undefined Variables dialog box 7-33
float
report windows 70-30
view windows 69-38
floodguard 57-2
FQDN objects
creating 6-82
understanding 6-80
fragmentation
configuring settings in VPNs 26-31, 26-44
fragments settings 57-2
frequently asked questions
policy discovery 5-27
FTP class map objects
creating 17-22
match criteria 17-43
FTP policy map objects
creating 17-22
match conditions and actions 17-43
properties 17-42
full mesh topologies
description 25-4
partial mesh 25-5
full tunnel client access mode 30-5
FWSM
AAA support 6-28
about 46-1
adding SSL thumbprints manually 9-5
adding when using multiple-context mode 3-7
adding when using non-default HTTPS (SSL) port 3-7
Asymmetric Routing Groups 46-6
Bridge Groups
add/edit 46-62
bridge groups 47-3
changing deployment method to serial for multiple-context mode 9-17
configuring for event management 69-28
configuring FWSM endpoints in site-to-site VPNs 25-47
configuring transparent firewall rules 23-1
credentials 3-19
deleting security contexts 59-7
deployment failures after changing interface policies 9-16
deployment failures in multiple-context mode 9-16
deployment failures with large ACLs 9-17
Device Access
managing Resources 51-2
Resources 51-3
Resources, add/edit 51-4
discovering failover modules 3-7
Event Viewer support 69-4
Failover 50-13
advanced settings 50-16
edit bridge group 50-17
including in deployment jobs 8-28
interfaces
add/edit 46-31
configuring 46-3
General tab 46-33
IPv6 46-47, 46-73
IPv6, add/edit 46-52
IPv6, add/edit prefixes 46-54, 46-56
managing 46-26
packet capture, using 72-30
PDM 72-15
policy discovery 5-13
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions for failover devices 8-65
rollback restrictions for multiple context mode 8-64
security contexts
configuration 59-8
selecting policy types to manage 5-11
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-22
TCP State Bypass 58-3
troubleshooting deployment 9-16
G
General
PIX/ASA/FWSM
security policies 57-1
General Configuration tab, SNMP policy for IPS 36-10
General page, device properties 3-41
General tab, IPS blocking policy 43-10
General tab (Translation Rules)
PIX/ASA/FWSM 24-31
generic routers 3-8
GET VPN
anti-replay, time based 29-11
configuring 29-12
configuring global ISAKMP and IPsec settings 29-16
configuring group members 29-20
cooperative key servers 29-7
defining group encryption 25-54
generating, synchronizing RSA keys 29-13
group members
adding 29-19
editing 29-21
IKE proposal 29-15
key servers
adding 29-19
editing 29-19
mandatory and optional policies 25-6
migrating to 29-23
overview 29-1
receive-only SAs 29-23
registration
choosing the rekey transport mechanism 29-6
configuring fail-close mode 29-8
registration process 29-4
SAs
passive SA mode 29-23
receive-only mode 29-23
security policy 29-10
supported platforms 25-9
troubleshooting 29-25
understanding 29-2
GET VPNs
group encryption policies
certificate authorization 25-58
security associations 25-58
global correlation
configuring 42-1
configuring DNS servers 36-24
configuring HTTP proxy server 36-24
configuring inspection and reputation 42-5
configuring network participation 42-7
configuring with Botnet Traffic Filtering 42-1
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
Global Search
using 1-42
Global Search command 1-31
global settings
remote access VPN
configuring 26-30
Gnutella class map objects
creating 21-16
match criteria 21-21
GRE (generic routing encapsulation) VPN
advantages of IPsec tunneling with GRE 27-3
configuring 27-5
configuring GRE modes 27-6
dynamically addressed spokes 27-5
implementation 27-3
overview 27-1, 27-2
prerequisites for successful configuration 27-3
supported platforms 25-9
understanding 27-2
GRE Dynamic IP
mandatory and optional policies 25-6
GRE Modes Page
DMVPN properties 27-12
GRE or GRE Dynamic IP properties 27-6
overview 27-1
Group Domain of Interpretation (GDOI) protocol 29-3
group encryption
defining in GET VPN topologies 25-54
Group Encryption Policy page (GET VPN) 25-54
group members
adding 29-19
communication flow 29-2
configuring fail-close mode 29-8
editing 29-21
GET VPN
registration process 29-4
security policy ACLs 29-10
group members (GET VPN)
configuring 29-20
Group Members page (GET VPN) 29-20
group policies
configuring 31-26
creating 31-28
understanding 31-27
VPNs
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
Group Policies page 31-26
groups
adding or removing devices 3-63
creating 3-62
deleting 3-63
understanding 3-60
working with 3-59
group types
creating 3-62
deleting 3-63
GTP map objects
Add Country Network Codes dialog box 17-48
Edit Country Network Codes dialog box 17-48
GTP Map Timeouts dialog box 17-48
GTP policy map objects
creating 17-22
match conditions and actions 17-49
properties 17-45
H
H.323 class map objects
IOS
creating 21-16
match criteria 21-22
match criteria 17-54
H.323 policy map objects
ASA/PIX/FWSM
creating 17-22
properties 17-51
IOS
creating 21-16
match conditions and actions 21-35
match conditions and actions 17-54
hash algorithms
in IKE proposals 26-6
MD5 26-7
SHA 26-6
Health & Performance Monitor command 1-38
Health and Performance Monitor
see HPM 71-1
viewing related events in Event Viewer 69-58
Health and Performance Monitor in Dashboard 72-2
help
accessing 1-52
Help About This Page command 1-38
helper addresses 62-14
Help menu
Configuration Manager 1-38
Help Topics command 1-38
Hide Navigation Window command 1-33
high availability (HA groups)
configuring in Easy VPN 28-2
configuring in site-to-site VPN 25-52
stateful/stateless failover 25-54
high availability policies
configuring in remote access VPNs 33-11
Histogram dialog box 41-13
histograms
configuring anomaly detection 41-11
understanding anomaly detection 41-9
Hit Count Details
example 16-38
Hit Count Details page 16-36
Hit Count Selection Summary dialog box 16-20
Hostname
PIX/ASA/FWSM 51-1
hostnames
Cisco IOS routers
defining 63-77
Hostname Policy page 63-78
overview 63-77
HPM
access control 71-3
Alerts
firewall 71-37
IPS 71-35
VPN 71-39
VPN, SNMP configuration 71-40
alerts 71-32
acknowledging 71-42
clearing 71-42
configuring 71-34
history 71-43
viewing 71-41
application window 71-6
Alerts display 71-32
Monitoring display 71-25
columns
Alert table 71-16
Device-related 71-8
showing/hiding 71-8
sorting 71-8
VPN-related 71-13
configuring for 71-4
custom views 71-24
device
monitoring 71-21
monitoring multiple contexts 71-3
priority monitoring 71-32
views 71-21
Device Manager
launching 71-3, 71-27
device manager
cross-launch 71-32
devices
managing 71-5
email notifications
configuring 71-34
export data 71-31
filters
column based 71-17
introduction 71-1
launching 71-4
List Filter 71-19
monitoring
device details 71-28
device status list 71-27
RA and S2S views 71-30
Summary 71-27
VPN details 71-28
VPN Summary list 71-27
overview 71-1
read time-out 2-3, 71-4
Remote Access
log-off user 71-30
settings page 11-36
tables
showing/hiding columns 71-8
sorting columns 71-8
trending 71-2
viewing related events in Event Viewer 69-58
views
closing 71-23
custom 71-24
docking 71-24
floating 71-24
list 71-21
opening 71-23
tiling 71-23
HTML file
export HPM data as 71-31
HTTP
Cisco IOS routers
AAA tab 63-32
Command Authorization Override dialog box 63-34
defining policies 63-29
HTTP Policy page 63-31
overview 63-28
Setup tab 63-31
PIX/ASA/FWSM 49-2
configuration 49-3
HTTP (ASA, PIX) class map objects
creating 17-22
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map objects
creating 17-22
properties 17-56
HTTP (ASA7.2+/PIX7.2+) policy map objects
creating 17-22
properties 17-64
HTTP (IOS) class map objects
creating 21-16
creating for zone-based firewall content filtering 21-36
match criteria 21-22
HTTP (Zone Based IOS) policy map objects
creating 21-16, 21-36
match conditions and actions 21-35
HTTP class map objects
match criteria 17-66
HTTP-FORM
settings in AAA server objects 6-44
HTTP policy
overriding HTTPS port number 3-47
sharing
HTTPS port number 3-47
HTTP policy map objects
match conditions and actions 17-66
HTTP proxy server
configuring for IPS global correlation 36-24
HTTP Response Code 500 deployment errors 9-15
HTTPS
setting up 2-3
troubleshooting certificate errors 9-5
hub-and-spoke topology
description 25-2
joined hub-and-spoke topology 25-5
tiered hub-and-spoke topologies 25-5
I
ICMP rules
PIX/ASA/FWSM 49-4
add/edit 49-5
ICMP settings
configuring on IOS routers 62-18
icons
Configuration Manager toolbar reference 1-39
event table toolbar reference 69-16
Event Viewer status color code 69-31
map elements 35-14
ICQ class map objects
creating 21-16
match criteria 21-21
identity-aware firewall policies
collecting user statistics 13-25
configuring 13-7
configuring cut-through proxy 13-23
configuring identity options 13-15
configuring layer 2 SGT imposition 46-44
configuring rules 13-21
configuring security group tagging 46-44
configuring the ASA 13-7, 14-8
enabling 13-8
filtering VPN traffic 13-26
identifying AD servers and agents 11-38, 13-8
managing 13-1
monitoring 13-27
overview 13-1
requirements 13-3
user identity acquisition 13-2
Identity Configuration wizard
Active Directory Agent Settings 13-13
Active Directory Settings 13-11
Preview 13-15
Identity Settings page 11-38
identity user group objects
creating 13-19
selecting 13-21
user identity acquisition 13-2
idle timeout, Security Manager client 11-10
IDM
device manager 72-15
IDSM
adding when using non-default HTTPS (SSL) port 3-7
Create and Edit IDSM Data Port VLANs dialog boxes 68-49
Create and Edit IDSM EtherChannel VLANs dialog boxes 68-49
credentials 3-19
defining Data Port VLANs 68-46
defining EtherChannel VLANs 68-44
deleting Data Port VLANs 68-47
deleting EtherChannel VLANs 68-45
deployment failures when changing data port VLAN running mode 9-17
IDSM Settings page 68-47
IDSM Slot-Port Selector dialog box 68-50
mode support limitations 68-43
troubleshooting deployment 9-16
understanding settings on Catalyst devices 68-43
IE 10 security settings 10-2
IGMP
PIX/ASA/FWSM
Access Group parameters 55-5
Access Group tab 55-5
enable 55-1
Join Group parameters 55-7
Join Group tab 55-7
page 55-2
parameters 55-4
Protocol tab 55-3
Static Group parameters 55-6
Static Group tab 55-6
ignore error message, configure Security Manager to 9-10
IKE (Internet Key Exchange)
comparing version 1 and 2 26-4
configuring IKE and IPsec policies 26-1
configuring IKEv2 authentication 26-68
configuring proposal 26-9
Diffie-Hellman modulus groups 26-7
encryption algorithms 26-6
hash algorithms 26-6
IKEv2 Authentication policy 26-70, 26-72
overview 26-2
selecting the IKE version for devices in site to site VPNs 26-26
understanding 26-5
IKE keepalive
understanding 26-33
IKE proposal objects
v1 properties 26-10
v2 properties 26-14
IKE proposals (policies)
in GET VPNs 29-15
IKEv2 Authentication dialog box 26-72
IKEv2 Authentication page 26-70
IKEv2 settings
configuring 26-37
configuring cookie challenges 26-37
IM (ASA7.2+/PIX7.2+) policy map objects
creating 17-22
properties 17-70
IM (IOS) policy map objects
creating 17-22
properties 17-73
IM (Zone Based IOS) policy map objects
creating 21-16
match conditions and actions 21-35
Image Management 73-1
supported versions 73-2
Image Manager 73-9, 73-16
abort installation job 73-35
Add Image 73-11
Bootstrapping Devices 73-8
bundled images 73-30
bundles 73-13
create 73-13
delete 73-15
rename 73-15
view images 73-14
compatible images 73-17
configuring install location 73-19
device memory 73-18
devices 73-16
Getting Started 73-1
Installation Job Summary 73-33
installation wizard 73-26
installing compatible images on devices 73-30
installing images on selected devices 73-31
job approval workflow 73-36
jobs 73-32
RAM 73-17
Repository 73-9
retry on installation failure 73-35
roll back 73-35
settings 11-41
supported image types 73-5
supported platforms 73-2
Troubleshooting 73-37
update validation 73-23
updating images on devices 73-20
Using 73-1
Admin Settings 73-6
View All Images 73-10
view device information 73-16
view installation job details 73-34
Image Manager command 1-38
images
view 73-10
image updates 73-20
IMAP
configuring for inspection rules 17-21
IMAP class map objects
creating 21-16
match criteria 21-25
IM applications
match conditions for zone-based firewalls 21-21
protocol information for IM application inspection 21-33
IMAP policy map objects
creating 21-16
match conditions and actions 21-35
IM class map objects
creating 17-22
match criteria 17-71
IM policy map objects
match conditions and actions 17-71
import
device inventory 3-31
device with policies 10-13
policy objects 6-23
Import Background Image dialog box 35-13
Import Rules wizard
Enter Parameters page 16-41
Preview page 16-43
Status page 16-42
inheritance
inheriting rules 5-47
understanding 5-4
understanding signature policies 39-3
versus assignment 5-6
Inherit Rules command 1-32
Inherit Rules dialog box 5-47
Inspect/Application FW Rule wizard
Address and Port page 17-13
Inspected Protocol page 17-17
Match Traffic page 17-11
inspection
deny rules 17-5
global correlation (IPS)
configuring 42-5
inspection map objects
understanding 6-78
inspection rules
ACL naming conventions 12-5
add/edit rule wizard 17-11, 17-13, 17-17
choosing interfaces 17-2
configuring 17-5
configuring custom protocol name 17-22
configuring DNS settings 17-19
configuring ESMTP settings 17-20
configuring fragment inspection 17-20
configuring identity aware 13-21
configuring in Map view 35-23
configuring RPC settings 17-21
configuring security group aware 14-17
configuring settings for IOS devices 17-111
configuring settings in Map view 35-24
configuring SMTP settings 17-20
deep inspection options
IMAP 17-21
POP3 17-21
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
Inspection Rules page 17-8
managing 17-1
moving 12-19
preserving ACL names 12-4
preventing DoS attacks on IOS devices 17-5
selecting protocols 17-3, 17-17
understanding 17-2
understanding access rule requirements 17-4
understanding NAT effects 12-3
understanding processing order 12-2
Inspection Rules page 17-8
Inspection settings page 17-111
inspect maps
policy maps
Add Country Network Codes dialog box 17-48
Edit Country Network Codes dialog box 17-48
Inspect parameter map objects
properties 21-31
Inspect Parameters map objects
creating 21-16, 21-36
installing
Security Manager client 1-12
Integrated Local Management Interface (ILMI) 62-50
Interactive Authentication Configuration dialog box 15-24
Interface Name Conflict dialog box 6-78
Interface Properties dialog box 35-19
Interface Role Contents dialog box 12-14
interface role objects
creating 6-74
defining subinterfaces 6-76
distinguishing from interfaces 6-76
handling conflicts between role and interface names 6-78
Interface Role dialog box 6-75
specifying during policy definition 6-76
understanding 6-73
use when a single interface name is allowed 6-77
interfaces
adding or changing modules 3-40
ASA
edit EtherChannel-assigned interface 46-12
EtherChannels 46-9, 46-13
LACP 46-12
ASA/FWSM
IPv6 46-47, 46-73
IPv6, add/edit 46-52
IPv6, add/edit prefixes 46-54, 46-56
ASA 5505 46-6
ASA devices
Advanced tab 46-41
IP Type 46-58
Catalyst switches and 7600 Series routers
Access Port Selector dialog box 68-30
Create and Edit Interface dialog boxes-Access Port mode 68-9
Create and Edit Interface dialog boxes-Dynamic Port mode 68-18
Create and Edit Interface dialog boxes-Other mode 68-24
Create and Edit Interface dialog boxes-Routed Port mode 68-12
Create and Edit Interface dialog boxes-subinterfaces 68-22
Create and Edit Interface dialog boxes-Trunk Port mode 68-14
Create and Edit VLAN dialog boxes 68-28
Create and Edit VLAN Group dialog boxes 68-34
defining ports 68-6
deleting ports 68-7
generating names 68-6
Interfaces/VLANs page-Interfaces tab 68-8
Interfaces/VLANs page-Summary tab 68-3
Interfaces/VLANs page-VLAN Groups tab 68-33
Interfaces/VLANs page-VLANs tab 68-27
Service Module Slot Selector dialog box 68-35
Trunk Port Selector dialog box 68-31
understanding 68-5
VLAN Selector dialog box 68-35
Cisco IOS routers
Advanced Interface Settings dialog box 62-16
Advanced Interface Settings page 62-16
available types 62-2
Create Router Interface dialog box 62-8
defining advanced settings 62-13
defining basic settings 62-4
defining CEF interface settings 62-25
defining IPS module settings 62-22
deleting from 62-6
generating names 62-4
Interface Auto Name Generator dialog box 62-12
overview 62-1
Router Interfaces page 62-7
understanding helper addresses 62-14
configuring IOS IPS rules 45-9
configuring multiple contexts 59-3
distinguishing from interface roles 6-76
failover
MAC address 50-23
PIX/ASA/FWSM 50-23
PIX 6.3 50-12
IPS
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IP Type
PIX 6.3 46-30
PIX/ASA
allocation in security contexts 59-12
IP Type 46-58
PPPoE Users 46-71
redundant 46-8
subinterfaces 46-7, 46-15
VPDN groups 46-72
PIX/ASA/FWSM
add/edit 46-31
Advanced settings 46-68
configuring 46-3
contexts 46-5
DDNS update rules 52-19
enabling traffic between same security levels 46-70
General tab 46-33
manage 46-26
management access 49-6
understanding 46-3
PIX/ASA 7+ devices
MAC address 46-60
PIX 6.3
add/edit 46-28
routed and transparent 46-5
specifying during policy definition 6-76
specifying subinterfaces 6-76
throughput delay 62-18
Interface Selector dialog box (VLAN ACL Content) 68-42
Interfaces page (IPS) 37-6
Interface Specific Authentication Server Groups dialog box 31-16
Interface Specific Client Address Pools dialog box 31-12
inventory
deleting devices from 3-58
export devices
DCR, CS-MARS, Security Manager formats 10-6
device with policies 10-6
overview 10-6
supported CSV formats 10-9
using command line utility 10-10
import devices
device with policies 10-13
inventory, device
adding devices 3-6
adding devices from configuration files 3-22
adding devices from inventory file 3-31
adding devices from network 3-12
adding devices manually 3-26
device status view
working with 3-64
managing 3-1
testing device connectivity 9-1
troubleshooting device discovery failures 3-7
understanding 3-1
understanding contents 3-3
understanding device clusters 3-9
understanding generic devices 3-8
viewing inventory status 72-12
working with 3-36
Inventory Status command 1-35
Inventory Status window 72-13
Inverse ARP 62-61
inverse multiplexing over ATM (IMA) 62-40
IOS devices
configuring transparent firewall rules 23-1
remote access IPSec VPNs
user group policies 33-13
remote access IPsec VPNs
creating using wizard 30-36
remote access SSL VPNs
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
creating using wizard 30-32
remote access VPNs
configuring SSL VPN policies 33-14
Context Editor dialog box (IOS) 33-15, 33-16
Dynamic VTI/VRF Aware IPsec settings 33-7
high availability 33-11
IPsec proposals 33-4
SDM 72-16
IOS IPS
effect of load balancing 45-8
comparing to IPS appliances and service modules 36-2
configuration files 45-3
configuration overview 45-4
configuring 45-1
configuring general settings 45-7
configuring interface rules 45-9
configuring target value ratings 40-17
event actions
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
getting started 36-1
initial preparation of router 45-5
lightweight signature engines 45-2
limitations and restrictions 45-3
selecting signature category 45-6
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
understanding 45-1
understanding subsystems and revisions 45-2
IOS Software Release 12.1 and 12.2
managing routers 61-3
IOS Web Filter Exclusive Domain Name dialog box 18-14
IOS Web Filter Rule and Applet Scanner dialog box 18-13
IP address
supporting dynamic 3-36
IP addresses
network masks 6-81
specifying in policies 6-87
IP Intelligence
settings 11-41
IP Intelligence dialog box 72-35
IP Intelligence in Report Manager 72-35
IP Intelligence Settings in Dashboard 72-2
IP Intelligence using Quick Launch 72-35
IP Intelligence widget 72-35
IP Options policy map objects
creating 17-22
properties 17-75
IPS
IPS Module router interface settings policies 62-22
MPC rule wizard
tab 58-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 58-5
IPS alerts
properties 69-18
IPS Certificates dialog box 44-10
IPS command 1-34
IPS Devices
selecting for Event Viewer 69-34
IPS devices
adding SSL thumbprints manually 9-5
allowed hosts 36-7
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
detection zones 41-3
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
blocking
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
capturing network traffic 36-2
certificates 44-10
changing those selected for reports 70-22
configuration overview 36-5
configuration overview for IOS IPS 45-4
configuring AAA 36-21
configuring Analysis Engine global variables 36-30
configuring DNS servers 36-24
configuring for event management 69-29
configuring for report management 70-3
configuring HTTP proxy server 36-24
configuring NTP 36-23
configuring OS maps 40-21
configuring SNMP 36-8
configuring target value ratings 40-17
configuring the external product interface 36-26
configuring user accounts 36-18
credentials, IPS router modules 3-20
deployment of passwords 36-17
deployment topology 36-4
discovery of passwords 36-17
event actions
example filter rule 69-67
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
Event Viewer support 69-4
getting started 36-1
global correlation
configuring 42-1
configuring inspection and reputation 42-5
configuring network participation 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
initializing 2-10
interfaces
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IPS modules for ASA 58-15
license, exporting 11-59
licenses
automating 44-3
managing 44-1
redeploying 44-2
updating 44-1
looking up signature policies for CS-MARS events 72-45
looking up signature policies for Event Viewer events 69-54
managing 44-1
managing user accounts and passwords 36-15
monitoring
removing false positive IPS events 69-66
passive OS fingerprinting 40-19
password requirements 36-20
policy discovery 5-14
rebooting 44-12
Report Manager reports
general VPN reports 70-19
IPS top reports 70-17
rollback restrictions 8-66
showing containment 3-56
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
configuring settings 39-30
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
SSL certificate configuration 11-22
traffic flow notifications 36-30
tuning recommendations 36-4
understanding managed and unmanaged passwords 36-16
understanding network sensing 36-2
understanding user roles 36-15
updates
automatically applying 44-6
checking for and downloading 44-5
configuring server 44-4
managing 44-4
manually applying 44-7
user account attributes 36-19
viewing signature events in CS-MARS 72-44
viewing signature events in Event Viewer 69-57
virtual sensors
advantages 38-3
assigning interfaces 38-4
attributes 38-7
configuring 38-1, 38-5
deleting 38-10
editing policies 38-9
identifying 38-5
inline TCP session tracking mode 38-3
Normalizer mode 38-4
renaming 38-8
restrictions 38-3
understanding 38-1
IPsec
remote access VPNs
access policies for IKEv2 (ASA), configuring 31-49
access policies for IKEv2 (ASA), reference 31-45
access policies for IKEv2 (ASA), understanding 31-44
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1) 31-37
cluster load balancing 31-5
configuring IKE and IPsec policies 26-1
connection profiles 31-7
connection profiles (ASA, PIX 7+) 31-8
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
Dynamic VTI/VRF Aware IPsec settings 33-7
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
high availability policies 33-11
IKE proposals 26-9
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
NAT settings 26-42
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
understanding 30-2
understanding IKE 26-5
understanding NAT settings 26-41
user group policies 33-13
VPNSM, VPN SPA, VSPA settings 33-6
wizard 30-13
IPsec/GRE VPN
advantages of IPsec tunneling with GRE 27-3
configuring 27-5
configuring GRE modes 27-6
dynamically addressed spokes 27-5
implementation 27-3
overview 27-1, 27-2
prerequisites for successful configuration 27-3
supported platforms 25-9
understanding 27-2
IPSec Client Software Update dialog box 31-22
IPsec Pass Through policy map objects
creating 17-22
properties 17-80
IPsec Proposal Editor dialog box
ASA and PIX 7.0+ devices 31-41
IOS and PIX 6.3 devices 33-4
IPsec proposals
configuring for Easy VPN 28-10
configuring for remote access VPNs
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring in site-to-site VPNs 26-22
overview 26-2
remote access VPNs
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring for ASA and PIX 7.0+ devices 31-40
configuring for IOS and PIX 6.3 devices 33-3
selecting the IKE version for devices 26-26
understanding 26-18
understanding crypto maps 26-19
understanding site-to-site 26-19
understanding transform sets 26-20
using reverse route injection 26-21
IPsec technologies
defining 25-30
mandatory and optional policies 25-6
policies 25-5
supported platforms 25-9
supported platforms for remote access VPNs 30-8
understanding 25-5
IPSec transform set objects
attributes 26-27
understanding 26-20
IPSec VPN
zone-based firewalls 21-6
IPS event
definition of 40-1
IPS Health Monitor page in Dashboard 72-2
IPS interfaces
IPS Monitoring Information dialog box 62-24
IPS module
credentials 3-20
IPS Module Discovery dialog box 3-20
IPS Module interface settings policies 62-22
IPS Rules dialog box 45-10
IPS sensor
IDM 72-15
IPS sensors
default transport protocol 11-22
IPS signatures
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
tuning 69-66
viewing related CS-MARS events 72-44
viewing related events in Event Viewer 69-57
IPS tab, Licensing page 11-58
IPS Updates page 11-47
IP Type
interface configuration
ASA and PIX 7+ 46-58
PIX 6.3 46-30
IPv4 pool objects
attributes 6-92
IPv6
interfaces
add/edit 46-52
add/edit prefixes 46-54, 46-56
ASA/FWSM 46-47, 46-73
management IPv4 address requirements 1-8
Neighbor cache 47-7
specifying addresses in policies 6-87
support in Security Manager 1-8
IPv6 access rules
ACL naming conventions 12-5
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
expiration dates 16-22
identity-aware rules
requirements 13-3
moving 12-19
preserving ACL names 12-4
sharing ACLs among interfaces 11-18
understanding global 16-3
understanding processing order 12-2
IPv6 policy map objects
match conditions and actions 17-78, 17-92
properties 17-77, 17-91
IPv6 pool objects
attributes 6-93
IPv6 static routes
PIX/ASA/FWSM
configuration 56-131
ISAKMP/IPsec settings
configuring 26-33
ISE Settings page 11-56
ISR
zone-based firewall
restrictions 21-3
J
job deployment methods
understanding 8-8
jobs
aborting 8-55
approving 8-39
creating and editing deployment in non-Workflow mode 8-28
creating and editing deployment in Workflow mode 8-35
Deployment Manager 8-16
discarding 8-41
including devices in 8-8
rejecting 8-39
states
Workflow mode 8-6
submitting 8-38
joined hub-and-spoke topology 25-5
Join Group tab (IGMP) 55-7
JumpStart 1-24
Jumpstart command 1-38
K
Kazaa2 class map objects
creating 21-16
match criteria 21-21
Kerberos
configuring constrained delegation (KCD) 31-69
description 6-29
settings in AAA server objects 6-39
understanding constrained delegation (KCD) 31-66
key encryption key (KEK), GET VPN 29-4
key servers
adding 29-19
choosing the rekey transport mechanism 29-6
communication flow 29-2
cooperative, for redundancy 29-7
editing 29-19
generating, synchronizing RSA keys 29-13
registration failures 29-8
registration process 29-4
security policy ACLs 29-10
key servers (GET VPN)
configuring 29-18
Key Servers page (GET VPN) 29-18
Key Servers Selection dialog box 29-21
knowledge base structure (IPS) 41-8
L
LACP
interface assigned to an EtherChannel 46-12
large scale Dynamic Multipoint VPN (DMVPN)
mandatory and optional policies 25-6
Launch menu 1-37
Report Manager 70-8
layer 2 SGT imposition 46-44
LDAP
settings in AAA server objects 6-40
LDAP Attribute Map objects
attributes 6-46
learning accept mode (IPS), configuring 41-8
licenses
configuring for ASA devices 2-9
configuring for IOS devices 2-10
exporting IPS 11-59
IPS
automating 44-3
managing 44-1
redeploying 44-2
updating 44-1
Security Manager 10-16
License Update Status Details dialog box 11-62
licensing
Settings page 11-57
Lightweight Directory Access Protocol (LDAP)
description 6-29
lightweight signature engines 45-2
line access
Cisco IOS routers
Console Policy page 63-42
overview 63-35
VTY Policy page 63-50
Link Aggregation Control Protocol 46-12
Link Properties dialog box 35-20
load balancing
configuring in large scale DMVPN 27-16, 27-17
configuring IOS IPS deny actions 45-8
server attributes in large scale DMVPN 27-17
Local Policy Will Be Replaced dialog box 5-44
Local Web Filter class map objects
creating 21-36
match criteria 21-29
Local Web Filter parameter map objects
creating 21-36
properties 21-38
locking
activities 4-3
devices and policies 5-9
objects 5-10
understanding 5-8
VPN topologies 5-10
Log Buffer window 72-18
logging
Cisco IOS routers
defining NetFlow interfaces 65-15
defining NetFlow parameters 65-6
defining syslog servers 65-3
Logging Setup Policy page 65-7
NetFlow policy page 65-12
overview 65-1
Syslog Server dialog box 65-11
Syslog Servers Policy page 65-10
syslog setup parameters 65-1
syslog severity levels 65-4
PIX/ASA/FWSM 54-1
email notifications 54-8
email recipients 54-8
embedded event manager 54-3
event lists 54-9
event lists, add/edit 54-10
filters 54-12
filters, editing 54-13
levels 54-24
logging setup 54-14
message classes and IDs 54-9
message editing 54-25
message limits 54-18
message limits, add/edit 54-18
NetFlow 54-1
NetFlow, add/edit collector 54-2
rate limit levels 54-17
rate limits, add/edit 54-19
server 54-21
server setup 54-20
set-up 54-15
syslog class 54-11
syslog message ID 54-11
syslog servers 54-26, 54-27
syslog servers, add/edit 54-28
syslog messages supported for CS-MARS queries 72-46
logging in to
Cisco Security Management Suite server 1-12
CiscoWorks Common Services 1-12
Security Manager 1-11, 1-12
Logging page, IPS platform 36-30
logs
configuring audit log default settings 11-62
configuring debug levels 11-11
Logs page 11-62
loopback cells 62-51
low-latency queuing (LLQ) 66-5
M
MAC address
interface configuration
ASA and PIX 7+ 46-60
PIX/ASA/FWSM
add/edit 47-8
interface 50-23
learning 47-9
learning, enable/disable 47-9
table 47-8
MAC address pool objects
attributes 6-94
MAC exempt lists
configuring 15-7, 15-26
rule attributes 15-27
Maintenance Operation Protocol (MOP), enabling 62-19
Management Access
PIX/ASA/FWSM
interface 49-6
management address
requirements for IPv6 devices 1-8
Management Center for Cisco Security Agents
configuring connection to IPS devices 36-26
connection attributes 36-27
posture ACLs 36-29
Management IP address
PIX/ASA/FWSM 47-10
Management IPv6
ASA 5505 47-11
Manage menu 1-34
Map menu 1-33
map objects
class maps
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
parameter maps
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
Inspect properties 21-31
Local Web Filter properties 21-38
N2H2 properties 21-39
Protocol Info properties 21-33
Trend properties 21-42
URLF Glob properties 21-45
URL Filter properties 21-43
Websense properties 21-39
policy maps
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
DCE/RPC properties 17-29
DNS properties 17-32
ESMTP properties 17-39
FTP properties 17-42
GTP properties 17-45
H.323 (ASA/PIX/FWSM) properties 17-51
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) properties 17-56
HTTP (ASA7.2+/PIX7.2+) properties 17-64
IM (ASA7.2+/PIX7.2+) properties 17-70
IM (IOS) properties 17-73
IP Options properties 17-75
IPsec Pass Through properties 17-80
IPv6 properties 17-77, 17-91
NetBIOS properties 17-81
regular expression group properties 17-108
regular expression properties 17-108
SIP (ASA/PIX/FWSM) properties 17-83, 17-93, 17-102, 17-103
Skinny properties 17-87
SNMP properties 17-90
TCP Map properties 58-22
Web Filter properties 21-47
regular expression objects
metacharacters 17-109
understanding 6-78
Map Properties command 1-33
Map Rule dialog box
connection profile map matching rules 31-39
connection profile maps 31-39
maps
access permissions 35-8
adding existing managed devices 35-16
adding new managed devices 35-16
arranging elements 35-11
background color 35-13
background images
deleting 35-13
importing 35-13
scale and position 35-13
setting 35-13
centering elements 35-11
changing the zoom level 35-11
class maps
Class Map dialog box 17-28, 21-19
creating 35-9
default map 35-9
deleting 35-10
displaying devices from Device View 35-16
displaying managed devices 35-16
displaying your network 35-14
elements, understanding 35-14
excluding private and reserved networks 11-3
exporting 35-11
icons 35-14
layer 3 links
autolink settings 11-3
creating 35-19
deleting 35-19
layouts, using 35-11
linking maps 35-13
navigation window 35-4
objects
adding 35-17
deleting 35-17
opening 35-10
overview 35-1
panning 35-11
refreshing 35-1
removing managed devices 35-16
renaming 35-10
saving 35-10
searching for nodes 35-12
selecting elements 35-12
setting background 35-13
showing containment for Catalyst, ASA, PIX, IPS devices 35-16
understanding 35-1
undocking window 35-2
working with 35-8
Map Settings dialog box 35-13
Map View
cloning devices 35-22
configuring firewall policies 35-23
configuring firewall settings policies 35-23
context menu
Layer 3 link 35-7
managed device node 35-5
map background 35-7
map objects 35-7
selected nodes 35-6
VPN connection 35-6
device policies, managing 35-22
discovering device configurations 35-22
icons for elements 35-14
main page 35-2
menus, context 35-5
navigation window 35-4
performing basic policy management 35-22
previewing device configurations 35-22
sharing device policies 35-22
toolbar reference 35-4
VPNs
creating 35-21
displaying existing 35-21
editing or showing peers 35-22
editing policies 35-22
managing 35-20
Map view
Autolink Settings page 11-3
copying between devices 35-22
overview 1-18, 35-1
Map View command 1-32
master blocking sensor 43-6
Master Blocking Sensor dialog box 43-13
maximum receive reconstructed unit (MRRU) 62-82
maximum segment size (MSS) 62-17
MBoundary
PIX/ASA/FWSM
configuration 55-9
interface configuration 55-10
MD5 hash algorithm 26-7
memory-allocation lite 63-80
memory settings
Cisco IOS routers
defining 63-78
overview 63-78
Memory Policy page 63-79
menu reference
Activities 1-36
Configuration Manager overview 1-29
Edit (Configuration Manager) 1-31
File (Configuration Manager) 1-30
File (Event Viewer) 69-9
File (Report Manager) 70-8
Help (Configuration Manager) 1-38
Launch 1-37
Launch (Report Manager) 70-8
Manage 1-34
Map 1-33
Policy (Configuration Manager) 1-32
Tickets 1-36
Tools (Configuration Manager) 1-34
Tools (Report Manager) 70-8
View (Configuration Manager) 1-31
View (Event Viewer) 69-10
message
editing
PIX/ASA/FWSM 54-25
PIX/ASA/FWSM
limits 54-18
limits, add/edit 54-18
rate limits, add/edit 54-19
message classes and IDs
PIX/ASA/FWSM 54-9
metacharacters
URLF Glob parameter maps 21-46
Mobile application for CSM 72-11
Modify Access List dialog box (Allowed Hosts policy) 36-7
Modify Physical Interface Map dialog box 37-10
monitoring
CS-MARS
integrating with Security Manager 72-36
device managers, using 72-14
device status 72-1
network activities 72-1
PRSM, launching 72-20
monitoring widget for server 72-7
mount point
PIX/ASA
add/edit 48-19, 48-20
mount point configuration
ASA 48-18
Move Row Down command 1-31
Move Row Up command 1-31
MPC
a.k.a. Modular Policy Framework 58-6
MRoute
PIX/ASA/FWSM
configuration 55-8
MRoute page
description 55-8
MSN Messenger class map objects
creating 21-16
match criteria 21-21
multicast
PIX/ASA/FWSM
Enable PIM and IGMP 55-1
IGMP Access Group parameters 55-5
IGMP Access Group tab 55-5
IGMP Join Group parameters 55-7
IGMP Join Group tab 55-7
IGMP parameters 55-4
IGMP Protocol tab 55-3
IGMP Static Group parameters 55-6
IGMP Static Group tab 55-6
MBoundary configuration 55-9
MBoundary interface configuration 55-10
MRoute configuration 55-8
Multicast Boundary Filter page 55-9
Multicast Group, add/edit 55-19, 55-21
Multicast Group rule 55-17
PIM Bidirectional Neighbor Filter 55-14
PIM Bidirectional Neighbor Filter tab 55-13
PIM Neighbor Filter 55-13
PIM Neighbor Filter tab 55-12
PIM page 55-11
PIM Protocol dialog box 55-12
PIM Protocol tab 55-11
PIM Rendezvous Point, add/edit 55-16
PIM Rendezvous Points tab 55-15
PIM Request Filter tab 55-18, 55-20
PIM Route Tree tab 55-17
Multicast Boundary Filter page
description 55-9
multicast rekey in GET VPN 29-6
multicast routing
PIX/ASA/FWSM
configuring on 55-1
IGMP 55-2
multicast boundary filters 55-9
multicast routes 55-8
PIM 55-11
Multiclass Multilink PPP (MCMP) 62-75
multilink PPP (MLP) 62-71
defining bundles 62-75
multiple users
activities 4-4
tickets 4-4
N
N2H2 (Smartfilter)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-36, 21-39, 21-41
N2H2 class map objects
creating 21-36
match criteria 21-30
N2H2 parameter map objects
creating 21-36
properties 21-39
NAC
posture validation not occurring 9-15
NAT
VPN traffic sent unencrypted 9-15
NAT policies
Add/Edit Per-Session NAT rules dialog boxes 24-47
NBAR
enabling protocol discovery 62-19
Neighbor cache 47-7
Neighbor Filter
PIM
PIX/ASA/FWSM 55-13
Neighbor Filter tab
PIM 55-12
NetBIOS logout probe
configuring 13-15
requirements 13-5
NetBIOS policy map objects
creating 17-22
properties 17-81
NetFlow
Cisco IOS routers 65-1, 65-5
interface settings 65-15
configuring
on Cisco IOS routers 65-6
CS-MARS query 72-47
IOS routers 65-12
PIX/ASA/FWSM 54-1
add/edit collector 54-2
network/host objects
attributes 6-83
attributes, NAT 24-42
creating 6-82
naming when provisioned as object groups 6-107
network masks 6-81
optimizing when deploying firewall rules 12-35
understanding 6-80
unspecified value objects 6-86
using in Event Viewer filters 69-67
network access device (NAD) 64-9
Network Address Translation (NAT)
Add/Edit Per-Session NAT rules dialog boxes 24-47
ASA 8.3+
Add/Edit NAT rules dialog boxes 24-36
Translation Rules page 24-34
understanding 24-4
ASA 8.3 devices 24-33
Cisco IOS routers 24-5
Dynamic Rule dialog box 24-11
dynamic rules 24-10
Interface Specification 24-6
Static Rule dialog box 24-7
static rules 24-6
Static Rules tab 24-6
timeouts 24-13
configuring global options for VPNs 26-42
non-ASA 8.3 devices 24-18
No Proxy ARP 24-39, 24-45
PAT pool 24-41
Per-session NAT rules 24-46
PIX/ASA/FWSM
Address Pool dialog box 24-19
Address Pools page 24-18
Advanced NAT Options dialog box 24-29
clearing XLATE on deployment 60-1
configuring on 24-15
configuring translation rules 24-19
Dynamic Rules dialog box 24-23
Dynamic Rules tab 24-22
General tab 24-31
non ASA 8.3 24-18
Policy Dynamic Rules dialog box 24-25
Policy Dynamic Rules tab 24-24
Select Address Pool 24-24
Static Rules dialog box 24-27
Static Rules tab 24-26
Translation Exemptions (NAT 0 ACL) dialog box 24-21
Translation Exemptions (NAT 0 ACL) tab 24-20
Translation Options page 24-16, 24-17
Translation Rules page 24-19
translation types 24-3
transparent mode 24-16
understanding 24-2
round robin allocation 24-41
understanding NAT effects on firewall rules 12-3
understanding NAT settings for VPNs 26-41
understanding NAT traversal 26-41
Network Admission Control (NAC)
Cisco Trust Agent 64-9
components 64-9
defining identity parameters 64-13
defining interface parameters 64-11
defining setup parameters 64-10
Identities tab 64-18
Identity Action dialog box 64-19
Identity Profile dialog box 64-19
Interface Configuration dialog box 64-17
Interfaces tab 64-16
NAC Policy page 64-14
network access device (NAD) 64-9
on Cisco IOS routers 64-8
Setup tab 64-14
supported platforms 64-8
understanding system flow 64-9
Network Information page (IPS) 40-17
network masks
discontiguous 6-81
discovering 6-82
displaying 6-82
understanding 6-81
network participation, IPS
configuring 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-3
understanding global correlation 42-1
understanding reputation 42-2
network sensing
capturing network traffic 36-2
deployment topology 36-4
overview 36-2
tuning recommendations 36-4
Network Time Protocol (NTP)
Cisco IOS routers
creating NTP servers 63-97
NTP Policy page 63-98
NTP Server dialog box 63-99
overview 63-96
Never Block Host dialog box 43-17
Never Block Network dialog box 43-17
New Activity command 1-36
New Device command 1-30
New Device Groups command 1-31
New Device wizard
Choose Method page 3-6
Device Grouping page 3-49
Device Information page - Add Device from File 3-33
Device Information page - Configuration File 3-23
Device Information page - Network 3-14
Device Information page - New Device 3-27
New Map command 1-33
New or Edit CS-MARS Device dialog box 11-8
New Ticket command 1-37
NHRP
DMVPN spoke-to-spoke connections 27-11
Node Properties dialog box 35-18
non-Workflow mode
changing modes 1-28
comparing with Workflow mode 1-22
configuration files
deploying 8-28
previewing 8-44
configurations
rolling back 8-69
creating tickets 4-14
deployment 8-3
deployment jobs
aborting 8-55
Deployment Status Details dialog box 8-32
opening tickets 4-15
taking over another user session 10-23
understanding 1-22
viewing
device details 8-26
No Proxy ARP
NAT rule 24-39, 24-45
PIX/ASA/FWSM Platform 56-1
notifications, e-mail
configuring SMTP server 1-27
NS Lookup 72-26, 72-29
NT
settings in AAA server objects 6-43
NTP
PIX/ASA/FWSM 52-21
server configuration 52-21
NTP policy, IPS platform 36-23
NTP server
configuring for IPS devices 36-23
null0 56-128
O
object groups
policy discovery 5-14
object group search
ASA 8.3+ devices 16-25
PIX 6.3 devices 16-27
objects
AAA server
HTTP-FORM settings 6-44
Kerberos settings 6-39
LDAP settings 6-40
NT settings 6-43
RADIUS settings 6-35
SDI settings 6-43
TACACS+ settings 6-38
AAA server groups
attributes 6-49
creating 6-48
default server groups on IOS devices 6-31
predefined authentication groups 6-30
understanding 6-27
AAA servers
creating 6-32
supported additional types for ASA/PIX/FWSM 6-28
supported types 6-28
understanding 6-27
access control lists
creating 6-53
extended objects 6-54
standard objects 6-56
unified objects 6-58
web objects 6-57
ASA group policies
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
AS paths
properties 56-151
basic procedures 6-9
categories, using 6-13
changes in Security Manager 4.4 1-10
Cisco Secure Desktop configuration
creating 33-18
class map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
cloning (duplicating) 6-14
community lists
properties 56-153
configuring for ASA routing policies 56-132
configuring for remote access VPN 34-1
creating 6-9
credentials
attributes 28-9
DCE/RPC policy map
properties 17-29
deleting 6-16
DNS policy map
properties 17-32
editing 6-12
ESMTP policy map
properties 17-39
exporting 6-23
file objects
attributes 34-37
selecting 34-39
FlexConfig
creating text objects 7-32
properties 7-30
property selector 7-34
undefined variables 7-33
FlexConfigs
adding to policies 7-35
changing order in policies 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
creating 7-28
previewing CLI 7-35
removing from policies 7-35
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-42
generating usage reports 6-15
GTP policy map
properties 17-45
H.323 (ASA/PIX/FWSM) policy map
properties 17-51
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-56
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-64
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 26-10
v2 properties 26-14
IM (ASA7.2+/PIX7.2+) policy map
properties 17-70
IM (IOS) policy map
properties 17-73
importing 6-23
Inspect parameter map
properties 21-31
interface roles
creating 6-74
IP Options policy map
properties 17-75
IPsec Pass Through policy map
properties 17-80
IPSec transform sets
attributes 26-27
understanding 26-20
IPv6 policy map
properties 17-77, 17-91
LDAP attribute map objects
attributes 6-46
Local Web Filter parameter map
properties 21-38
locking
effects on activities 4-3
managing 6-1
maps
understanding 6-78
N2H2 parameter map
properties 21-39
NetBIOS policy map
properties 17-81
network/host objects
creating 6-82
naming when provisioned as object groups 6-107
optimizing when deploying firewall rules 12-35
understanding 6-80
unspecified value objects 6-86
using in Event Viewer filters 69-67
object selectors 6-2
overrides
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-19
deleting 6-21
managing 6-17
understanding 6-18
overview 1-20
parameter map
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
PKI enrollments
defining CA server properties 26-60
defining certificate attributes 26-66
defining enrollment parameters 26-63
defining trusted CA hierarchy 26-67
properties 26-58
policy lists
properties 56-143
policy map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
port forwarding lists
properties 34-40
port list objects
naming when provisioned as object groups 6-107
port lists
creating 6-100
properties 6-102
prefix lists
properties 56-146, 56-148
Protocol Info parameter map
properties 21-33
provisioning as object groups 6-106
regular expression group policy map
properties 17-108
regular expression objects
metacharacters 17-109
regular expression policy map
properties 17-108
route maps 56-136
creating 56-132
understanding 56-132
security group
creating 14-14
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-107
provisioning as object groups 6-108
services
creating 6-100
single sign-on server
properties 34-42
SIP (ASA/PIX/FWSM) policy map
properties 17-83, 17-93, 17-102, 17-103
Skinny policy map
properties 17-87
SLA monitors
attributes 51-10
configuring 51-9
understanding 51-8
SNMP policy map
properties 17-90
SSL VPN Bookmark
configuring 31-82
post URL method and macro substitutions 31-84
SSL VPN Customization
configuring 31-78
creating custom Logon page 31-82
localizing 31-80
SSL VPN gateway
properties 34-64
SSL VPN smart tunnel auto sign-on list
attributes 34-71
SSL VPN smart tunnel list
attributes 34-66, 34-69
configuring 31-85
TCP Map policy map
properties 58-22
text
creating 7-32
time ranges
attributes for recurring ranges 6-72
configuring 6-71
traffic flow
default inspection traffic 58-20
properties 58-18
Trend parameter map
properties 21-42
TrustSec security group
selecting 14-16
URLF Glob parameter map
properties 21-45
URLF Glob parameter maps
metacharacters 21-46
URL Filter parameter map
properties 21-43
user groups
advanced PIX 6.3 settings 34-82
browser proxy settings 34-87
clientless settings 34-83
client VPN software update (IOS) settings 34-81
DNS/WINS settings 34-77
general settings 34-75
IOS client settings 34-78
IOS Xauth settings 34-80
split tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN connection settings 34-88
SSL VPN full tunnel settings 34-84
SSL VPN split tunneling settings 34-86
technology settings 34-73
thin client settings 34-84
using global search to find specific objects 1-42
viewing details 6-14
Web Filter policy map
properties 21-47
Websense parameter map
properties 21-39
WINS server lists
attributes 34-90
creating 31-88
object selectors 6-2
Object Usage dialog box 6-15
Obsoletes dialog box 39-30
OOB (Out of Band) Changes dialog box 8-48
OOB (out of band changes)
avoiding 8-47
detecting and analyzing 8-45
understanding 8-12
Openable Activities dialog box 4-15
Openable Tickets dialog box 4-15
Open Activity command 1-36
Open command (Report Manager) 70-8
Open Map command 1-33
Open Map dialog box 35-10
Open Ticket command 1-37
OS Identifications tab, IPS Network Information policy 40-21
OS Map dialog box 40-22
OSPF
interaction with NAT 56-75
LSAs 56-75
OSPF interfaces
blocking LSA flooding 67-28
defining on Cisco IOS routers 67-25
disabling MTU mismatch detection 67-27
Interface dialog box 67-31
OSPF Interface Policy page 67-30
understanding
authentication 67-29
cost 67-26
network types 67-29
priority 67-26
timer settings 67-28
OSPF parameters
dead interval 56-100, 56-116
hello interval 56-99
hello multiplier 56-100
retransmit interval 56-100, 56-116
transmit delay 56-100, 56-116
OSPF redistribution
defining mappings 67-22
defining maximum prefix values 67-24
understanding 67-22
OSPF routing
Cisco IOS routers
Area dialog box 67-37
Area tab 67-36
defining area settings 67-21
defining interface settings 67-25
defining setup parameters 67-20
Edit Interfaces dialog box 67-36
Max Prefix Mapping dialog box 67-41
OSPF Process Policy page 67-34
overview 67-19
redistributing routes 67-22
Redistribution Mapping dialog box 67-39
Redistribution tab 67-38
Setup dialog box 67-35
Setup tab 67-35
PIX/ASA/FWSM
advanced settings 56-77
Area/Area networks 56-82
Area Range 56-84
Area tab 56-81
Filtering configuration 56-93
Filtering tab 56-92
Filter Rule configuration 56-94
Filter Rule tab 56-94
General tab 56-76
Interface configuration 56-98
Interface tab 56-96
Neighbors tab 56-85
policy 56-75
Range tab 56-84
Redistribution rule 56-87
Redistribution tab 56-86
static neighbor 56-85
Summary Address configuration 56-96
Summary Address tab 56-95
Virtual Link configuration 56-90
Virtual Link MD5 configuration 56-91
Virtual Link tab 56-89
OSPFv3
LSAs 56-101
OSPFv3 routing
PIX/ASA/FWSM
advanced settings 56-104
Area/Area networks 56-108
Area Range 56-110
Area tab 56-108
Interface configuration 56-114
Interface tab 56-114
policy 56-100
Process tab 56-103
Redistribution rule 56-112
static neighbor 56-118
Summary Prefix configuration 56-113
Virtual Link configuration 56-111
OS version mismatches
handling 8-13
other settings
configuring for SSL VPN (ASA) 31-51
out-of-band changes
avoiding 8-47
detecting and analyzing 8-45
understanding 8-12
overrides
allowing overrides 6-18
creating for multiple devices 6-19
creating for single device 6-19
deleting 6-21
managing 6-17
understanding 6-18
overview
activities 1-20
device monitoring 1-7
IPv6 support 1-8
policies 1-20
ticketing 1-20
user permissions 1-11
workflow 1-20
P
P2P applications
match conditions for zone-based firewalls 21-21
P2P policy map objects
creating 21-16
match conditions and actions 21-35
packageMonitorInterval 44-6
packet capture 72-30
Packet Capture Wizard command 1-35
packet tracer 72-23
Pair dialog box 45-11
PAM
zone-based firewall
configuring 21-69
parameter maps
understanding 6-78
partial_backup.pl command 10-30
partial mesh topologies 25-5
participation, network
configuring 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-3
understanding global correlation 42-1
understanding reputation 42-2
passive OS fingerprinting on IPS sensors
configuring 40-21
understanding 40-19
Password Requirements policy, IPS platform 36-20
passwords
admin, changing 10-24
configuring IPS requirements 36-20
configuring IPS user account 36-18
discovery and deployment of IPS 36-17
managing IPS requirements 36-15
understanding managed and unmanaged IPS passwords 36-16
Paste command 1-31, 12-9
PAT
pools 24-41
PDF file
export HPM data as 71-31
PDM
device manager 72-15
Peers page 25-34
performance settings
configuring for SSL VPN (ASA) 31-52
performance tuning 44-6
permanent virtual connections (PVCs)
Define Mapping dialog box 62-65
defining ATM PVCs 62-51
defining OAM management 62-54
on Cisco IOS routers 62-47
PVC Advanced Settings dialog box 62-66
PVC dialog box 62-56
PVC Policy page 62-55
understanding
ATM management protocols 62-49
ATM service classes 62-48
ILMI 62-50
Operation, Administration, and Maintenance (OAM) 62-51
virtual paths and channels 62-47
per-session NAT rules 24-46
Add/Edit Per-Session NAT rules dialog boxes 24-47
PIM
configuring on firewall devices 55-11
PIX/ASA/FWSM
Bidirectional Neighbor Filter 55-14
Bidirectional Neighbor Filter tab 55-13
enable 55-1
Multicast Group, add/edit 55-19, 55-21
Multicast Group rule 55-17
Neighbor Filter 55-13
Neighbor Filter tab 55-12
page 55-11
PIM Protocol dialog box 55-12
Protocol tab 55-11
Rendezvous Point, add/edit 55-16
Rendezvous Points tab 55-15
Request Filter tab 55-18, 55-20
Route Tree tab 55-17
ping 72-26
Ping, TraceRoute and NSLookup command 1-35
PIX
PDM 72-15
PIX/ASA
boot image/configuration 48-10
add/edit 48-12
failover 50-17
settings 50-21
interfaces
Advanced tab 46-41
IP Type 46-58
MAC address 46-60
PPPoE Users 46-71
redundant 46-8
subinterfaces 46-7, 46-15
VPDN groups 46-72
mount point
add/edit 48-19, 48-20
mount point configuration 48-18
security contexts
allocate interfaces 59-12
configuration 59-9
viewing allocated interfaces 59-12
PIX/ASA/FWSM
AAA 48-5
Authentication tab 48-5
about AAA 48-1
bridging 47-1
clock settings 48-14
configuring banners 48-9
configuring CLI prompt 48-12
credentials 48-17
Device Access
Server Access 52-1, 53-1
device administration policies 48-1
Failover
bootstrap configuration 50-26
interface MAC address 50-23
failover
active/active 50-3
interface configuration 50-23
security context 50-26
understanding 50-1
interfaces
add/edit 46-31
Advanced settings 46-68
configuring 46-3
contexts 46-5
General tab 46-33
managing 46-26
operating modes 46-5
understanding 46-3
security contexts
about 59-1
Server Access
AUS, add/edit server 52-3, 53-2, 53-3, 53-4
AUS page 52-1
DDNS interface rule 52-19
DDNS page 52-18
DDNS update methods 52-19
DDNS update methods, add/edit 52-20
DHCP Relay, add/edit agent 52-6
DHCP Relay, add/edit server 52-7
DHCP Relay page 52-5
DHCP Server, add/edit 52-12
DHCP Server, advanced configuration 52-13
DHCP Server, options 52-13
DHCP Server page 52-10
DHCPv6 Relay, add/edit agent 52-9
DHCPv6 Relay, add/edit server 52-9
DHCPv6 Relay page 52-7
DNS page 52-14
DNS server, add 52-17
DNS server group 52-16
NTP page 52-21
NTP server configuration 52-21
SMTP page 52-22
TFTP server page 52-23
stateful failover 50-4
PIX/ASA/FWSM Platform
AAA
Accounting tab 48-8
Authorization tab 48-7
anti-spoofing 57-2
ARP configuration 47-5
ARP Inspection 47-5
enable/disable 47-6
ARP Table 47-3
configuring DHCP servers 52-10
configuring multicast routing 55-1
configuring routing 56-1
Device Access 49-1
console timeout 49-1
host name 51-1
HTTP configuration 49-3
HTTP page 49-2
ICMP rules 49-4
ICMP rules, add/edit 49-5
Management Access interface 49-6
Secure Shell, add/edit host 49-8
Secure Shell (SSH) 49-7, 49-8
SNMP host access 49-22
SNMP page 49-17
SNMP Trap configuration 49-19
Telnet configuration 49-29
Telnet page 49-29
user accounts 51-7
user accounts, add/edit 51-7
failover 50-10
failover configuration 50-1
failover configuration basics 50-5
floodguard 57-2
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules
wizard 58-6, 58-8
logging 54-1
email notifications 54-8
email recipients 54-8
embedded event manager 54-3
embedded event manager, add/edit action configuration 54-7
embedded event manager, add/edit applet 54-5
embedded event manager, add/edit syslog configuration 54-7
event lists 54-9
event lists, add/edit 54-10
filters 54-12
filters, editing 54-13
levels 54-24
message classes and IDs 54-9
message editing 54-25
message limits 54-18
message limits, add/edit 54-18
NetFlow 54-1
NetFlow, add/edit collector 54-2
rate limits, add/edit 54-19
server 54-21
set-up 54-15
syslog class 54-11
syslog message ID 54-11
syslog servers 54-27
syslog servers, add/edit 54-28
MAC Address
add/edit 47-8
MAC Address Table 47-8
MAC learning 47-9
enable/disable 47-9
Management IP address 47-10
multicast
Enable PIM and IGMP 55-1
group, add/edit 55-19, 55-21
IGMP Access Group parameters 55-5
IGMP Access Group tab 55-5
IGMP Join Group parameters 55-7
IGMP Join Group tab 55-7
IGMP page 55-2
IGMP parameters 55-4
IGMP Protocol tab 55-3
IGMP Static Group parameters 55-6
IGMP Static Group tab 55-6
MBoundary configuration 55-9
MBoundary interface configuration 55-10
MRoute configuration 55-8
Multicast Boundary Filter page 55-9
Multicast Group rule 55-17
Multicast Routes page 55-8
PIM Bidirectional Neighbor Filter 55-14
PIM Bidirectional Neighbor Filter tab 55-13
PIM Neighbor Filter 55-13
PIM Neighbor Filter tab 55-12
PIM page 55-11
PIM Protocol dialog box 55-12
PIM Protocol tab 55-11
PIM Rendezvous Point, add/edit 55-16
PIM Rendezvous Points tab 55-15
PIM Request Filter tab 55-18, 55-20
PIM Route Tree tab 55-17
NAT policies 24-18
Address Pools dialog box 24-19
Address Pools page 24-18
Advanced NAT Options dialog box 24-29
Dynamic Rules dialog box 24-23
Dynamic Rules tab 24-22
General tab 24-31
Policy Dynamic Rules dialog box 24-25
Policy Dynamic Rules tab 24-24
Select Address Pool 24-24
Static Rules dialog box 24-27
Static Rules tab 24-26
Translation Exemptions (NAT 0 ACL) dialog box 24-21
Translation Exemptions (NAT 0 ACL) tab 24-20
Translation Options page 24-16, 24-17
Translation Rules page 24-19
policy configuration 46-1
priority queues 58-4
priority queues configuration 58-4
routing
BGP 56-2, 56-3
BGP - General tab 56-5
BGP - IPv4 Family - Aggregate Address configuration 56-9, 56-22
BGP - IPv4 Family - Filter configuration 56-10
BGP - IPv4 Family - General tab 56-7, 56-21
BGP - IPv4 Family - Neighbor configuration 56-11, 56-24
BGP - IPv4 Family - Network configuration 56-17, 56-29
BGP - IPv4 Family - Redistribution configuration 56-18, 56-30
BGP - IPv4 Family - Route Injection configuration 56-19, 56-31
BGP - IPv4 Family tab 56-6, 56-20
EIGRP 56-32
EIGRP - advanced settings 56-34
EIGRP - Filter Rule configuration 56-40
EIGRP - Filter Rules tab 56-39
EIGRP - Interface configuration 56-48
EIGRP - Interfaces tab 56-47
EIGRP - neighbor configuration 56-42
EIGRP - Neighbors tab 56-41
EIGRP - redistribution configuration 56-44
EIGRP - Redistribution tab 56-42
EIGRP - Setup tab 56-36
EIGRP - Summary Address configuration 56-46
EIGRP - Summary Address tab 56-45
IPv6 Static Route configuration 56-131
IPv6 Static Route page 56-131
No Proxy ARP 56-1
OSPF 56-75
OSPF - advanced settings 56-77
OSPF - Area/Area networks 56-82
OSPF - Area Range 56-84
OSPF - Area tab 56-81
OSPF - Filtering configuration 56-93
OSPF - Filtering tab 56-92
OSPF - Filter Rule configuration 56-94
OSPF - Filter Rule tab 56-94
OSPF - General tab 56-76
OSPF - Interface configuration 56-98
OSPF - Interface tab 56-96
OSPF - Neighbors tab 56-85
OSPF - Range tab 56-84
OSPF - Redistribution rule 56-87
OSPF - Redistribution tab 56-86
OSPF - static neighbor 56-85
OSPF - Summary Address configuration 56-96
OSPF - Summary Address tab 56-95
OSPFv3 56-100
OSPFv3 - advanced settings 56-104
OSPFv3 - Area/Area networks 56-108
OSPFv3 - Area Range 56-110
OSPFv3 - Area tab 56-108
OSPFv3 - Interface configuration 56-114
OSPFv3 - Interface tab 56-114
OSPFv3 - Process tab 56-103
OSPFv3 - Redistribution rule 56-112
OSPFv3 - static neighbor 56-118
OSPFv3 - Summary Prefix configuration 56-113
OSPFv3 - Virtual Link configuration 56-111
OSPF - Virtual Link configuration 56-90
OSPF - Virtual Link MD5 configuration 56-91
OSPF - Virtual Link tab 56-89
RIP (PIX/ASA 6.3–7.1, FWSM) 56-120
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 56-121
RIP (PIX/ASA 7.2+) 56-122
RIP (PIX/ASA 7.2+) Filtering 56-126
RIP (PIX/ASA 7.2+) Filtering configuration 56-127
RIP (PIX/ASA 7.2+) Interface 56-127
RIP (PIX/ASA 7.2+) Interface configuration 56-128
RIP (PIX/ASA 7.2+) Redistribution 56-125
RIP (PIX/ASA 7.2+) Redistribution configuration 56-125
RIP (PIX/ASA 7.2+) Setup 56-123
RIP page 56-119
static null 0 routing 56-128
Static Route configuration 56-130
Static Route page 56-128, 56-130
security contexts
managing 59-7
security group aware IPS, QoS, and Connection Rules 14-17
security policies 57-1
General configuration 57-3
General page 57-1
timeouts 57-4
service policy
wizard 58-6
Service Policy Rules 58-5
service policy rules 58-1
SNMP configuration 49-14
SNMP Version 3 49-15
traffic class 58-7
Unicast Reverse Path Forwarding 57-2
user preferences 60-1
Deployment page 60-1
Transactional Commit page 60-2
PIX/ASA/FWSM Platform policies
bridging 47-1
configuring fragment settings 57-2
configuring NAT 24-15
transparent mode 24-16
PIX 6.3
Failover
interface configuration 50-12
failover 50-10
interface configuration
IP Type 46-30
interfaces
add/edit 46-28
PIX 7.x
Failover
Add Failover Group 50-25
PIX devices
AAA support 6-28
about 46-1
monitoring service level agreements 51-8
remote access VPNs
IPsec proposals 31-41
user group policies for PIX 6.3 33-13
selecting policy types to manage 5-11
PIX firewalls
access controls
access list compilation 16-28
object group search 16-27
adding SSL thumbprints manually 9-5
configuring transparent firewall rules 23-1
FlexConfig object samples 7-23
packet capture, using 72-30
packet tracer, using 72-23
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions for failover devices 8-65
rollback restrictions for multiple context mode 8-64
setting up AUS or CNS 2-8
setting up SSL (HTTPS) 2-3
SSL certificate configuration 11-22
PKI (Public Key Infrastructure) policies
CA server authentication methods 26-51
defining multiple CA servers 26-55
enrollment requirements 26-52
understanding 26-51
using TFTP 26-53
PKI enrollment
prerequisites using TFTP 26-53
requirements 26-52
PKI enrollment objects
defining CA server properties 26-60
defining certificate attributes 26-66
defining enrollment parameters 26-63
defining trusted CA hierarchy 26-67
properties 26-58
plug ins
configuring browser 31-60
Point-to-Point Protocol (PPP)
defining connections 62-72
defining multilink PPP bundles 62-75
on Cisco IOS routers 62-71
PPP/MLP Policy page 62-76
PPP dialog box 62-77
understanding multilink PPP (MLP) 62-71
point-to-point topologies
description 25-3
policies
adding local rules to shared policies 5-45
assigning shared policies 5-44
basic concepts
inheritance vs. assignment 5-6
local vs. shared 5-3
managing 5-31
overview 5-1
rule inheritance 5-4
service vs. platform-specific 5-2
settings-based vs. rule-based 5-2
shared policies in Device view or Site-to-Site VPN Manager 5-37
signature inheritance 39-3
status icons 5-30
cloning shared policies 5-47
configuring IKE and IPsec for VPNs 26-1
copying between devices 5-33
creating shared 5-54
deleting shared 5-56
Device view
configuring local policies 5-31
managing 5-30
modifying assignments 5-49
modifying shared policies 5-49
discovering 5-12
discovering on existing devices 5-15
exporting 10-12
exporting with device inventory 10-6
FlexConfigs
adding objects 7-35
changing object order 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
editing 7-35
FlexConfig Policy page 7-36
previewing CLI 7-35
removing objects 7-35
understanding 7-2
importing 10-13
inheriting rules 5-47
locking 5-8
managing 5-1
object selectors 6-2
overview 1-20
performing basic policy management in Map view 35-22
PKI (Public Key Infrastructure) 26-51
policy banner 5-38
policy discovery FAQ 5-27
policy management and objects 5-7
Policy view
managing 5-50
modifying assignments 5-54
preshared keys 26-47
renaming 5-48
router platform policies 61-1
selecting policies to manage 5-11
sharing local 5-41
sharing multiple local policies 5-42
sharing with PRSM 72-22
Site-to-Site VPN Manager
managing 5-30
modifying assignments 5-49
site-to-site VPNs 25-8
specifying interfaces 6-76
specifying IP addresses 6-87
synchronizing among Security Manager servers 10-5
unassigning 5-36
unsharing 5-43
using global search to find specific policies 1-42
viewing discovery task status 5-22
VPN defaults 11-74
policy assignments
modifying in Device view 5-49
modifying in Policy view 5-54
modifying in Site-to-Site VPN Manager 5-49
overview 1-20
policy bundles
cloning 5-58
creating 5-57
managing 5-57
renaming 5-58, 5-59
Policy Bundle view
cloning policy bundles 5-58
creating policy bundles 5-57
renaming policy bundles 5-58, 5-59
Policy Bundle View command 1-32
policy discovery
AAA commands not displayed in AAA policy 5-29
ACL naming conventions 12-5
ACLs 5-14
Catalyst devices 5-13
Catalyst switches and 7600 Series routers 68-1
Cisco IOS routers 5-13, 61-3
frequently asked questions 5-27
IPS devices 5-14
network masks 6-82
object groups 5-14
on existing devices 5-15
overview 1-20
policy objects 5-14
preserving ACL names 12-4
resolving ACL naming conflicts 12-7
security contexts 5-13
understanding 5-12
viewing task status 5-22
VPNs 5-12
web VPN restrictions 3-8
Policy Discovery Status command 1-34
Policy Discovery Status page 5-25
Policy Dynamic Translation Rule
PIX/ASA/FWSM 24-24
add/edit 24-25
policy list objects
properties 56-143
policy management
Settings page 11-64
Policy Management page 11-64
policy maps
understanding 6-78
Policy menu
command reference 1-32
Policy Object Manager
field reference 6-4
shortcut menu 6-8
undocking and docking the window 6-8
Policy Object Manager window
creating overrides 6-19
deleting overrides 6-21
Policy Object Overrides window 6-20
policy objects
AAA server
HTTP-FORM settings 6-44
Kerberos settings 6-39
LDAP settings 6-40
NT settings 6-43
RADIUS settings 6-35
SDI settings 6-43
TACACS+ settings 6-38
AAA server groups
attributes 6-49
creating 6-48
default server groups on IOS devices 6-31
predefined authentication groups 6-30
understanding 6-27
AAA servers
creating 6-32
supported additional types for ASA/PIX/FWSM 6-28
supported types 6-28
understanding 6-27
access control lists
creating 6-53
extended objects 6-54
standard objects 6-56
unified objects 6-58
web objects 6-57
ASA group policies
client configuration settings 34-6
client firewall attributes 34-7
connection settings 34-33
DNS/WINS settings 34-29, 34-30
hardware client attributes 34-9
IPSec settings 34-10
split tunneling settings 34-31
SSL VPN clientless settings 34-12
SSL VPN full client settings 34-19
SSL VPN settings 34-25
technology settings 34-1
AS paths
properties 56-151
basic procedures 6-9
categories, using 6-13
changes in Security Manager 4.4 1-10
Cisco Secure Desktop configuration
creating 33-18
class map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
cloning (duplicating) 6-14
community lists
properties 56-153
configuring for ASA routing policies 56-132
configuring for remote access VPN 34-1
connection with policy management 5-7
creating 6-9
credentials
attributes 28-9
DCE/RPC policy map
properties 17-29
deleting 6-16
DNS policy map
properties 17-32
editing 6-12
ESMTP policy map
properties 17-39
exporting 6-23
file objects
attributes 34-37
selecting 34-39
FlexConfig
creating text objects 7-32
properties 7-30
property selector 7-34
undefined variables 7-33
FlexConfigs
adding to policies 7-35
changing order in policies 7-35
changing variable values 7-35
configuring 7-25
configuring AAA for administrative introducers 63-84
creating 7-28
previewing CLI 7-35
removing from policies 7-35
system variables 7-7
understanding 7-2
variables 7-5, 7-6
FTP policy map
properties 17-42
generating usage reports 6-15
GTP policy map
properties 17-45
H.323 (ASA/PIX/FWSM) policy map
properties 17-51
HTTP (ASA7.1.x/PIX7.1.x/FWSM3.x/IOS) policy map
properties 17-56
HTTP (ASA7.2+/PIX7.2+) policy map
properties 17-64
identity user group
creating 13-19
selecting 13-21
user identity acquisition 13-2
IKE proposals
v1 properties 26-10
v2 properties 26-14
IM (ASA7.2+/PIX7.2+) policy map
properties 17-70
IM (IOS) policy map
properties 17-73
importing 6-23
Inspect parameter map
properties 21-31
interface roles
creating 6-74
understanding 6-73
IP Options policy map
properties 17-75
IPsec Pass Through policy map
properties 17-80
IPSec transform sets
attributes 26-27
understanding 26-20
IPv6 policy map
properties 17-77, 17-91
LDAP attribute map objects
attributes 6-46
Local Web Filter parameter map
properties 21-38
managing 6-1
maps
understanding 6-78
N2H2 parameter map
properties 21-39
NetBIOS policy map
properties 17-81
network/host objects
creating 6-82
naming when provisioned as object groups 6-107
optimizing when deploying firewall rules 12-35
understanding 6-80
unspecified value objects 6-86
using in Event Viewer filters 69-67
object selectors 6-2
overrides 3-52
allowing 6-18
creating for multiple devices 6-19
creating for single device 6-19
deleting 6-21
managing 6-17
understanding 6-18
overview 1-20
parameter map
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
PKI enrollments
defining CA server properties 26-60
defining certificate attributes 26-66
defining enrollment parameters 26-63
defining trusted CA hierarchy 26-67
properties 26-58
policy discovery 5-14
policy lists
properties 56-143
policy map
creating for inspection rules 17-22
creating for zone-based firewall content filtering 21-36
creating for zone-based firewall inspection 21-16
pools
understanding 6-92
port forwarding lists
properties 34-40
port list objects
naming when provisioned as object groups 6-107
port lists
creating 6-100
properties 6-102
prefix lists
properties 56-146, 56-148
Protocol Info parameter map
properties 21-33
provisioning as object groups 6-106
regular expression group policy map
properties 17-108
regular expression objects
metacharacters 17-109
regular expression policy map
properties 17-108
route maps 56-136
creating 56-132
understanding 56-132
security group
creating 14-14
selecting for policies 6-2
service objects
naming when provisioned as object groups 6-107
provisioning as object groups 6-108
services
creating 6-100
Settings page 11-66
sharing with PRSM 72-22
single sign-on server
properties 34-42
SIP (ASA/PIX/FWSM) policy map
properties 17-83, 17-93, 17-102, 17-103
Skinny policy map
properties 17-87
SLA monitors
attributes 51-10
configuring 51-9
understanding 51-8
SNMP policy map
properties 17-90
SSL VPN bookmark
configuring 31-82
post URL method and macro substitutions 31-84
SSL VPN Customization
configuring 31-78
creating custom Logon page 31-82
localizing 31-80
SSL VPN gateway
properties 34-64
SSL VPN smart tunnel auto sign-on lists
attributes 34-71
SSL VPN smart tunnel lists
attributes 34-66, 34-69
configuring 31-85
TCP Map policy map
properties 58-22
text
creating 7-32
time ranges
attributes for recurring ranges 6-72
configuring 6-71
traffic flow
default inspection traffic 58-20
properties 58-18
Trend parameter map
properties 21-42
TrustSec security group
selecting 14-16
URLF Glob parameter map
properties 21-45
URLF Glob parameter maps
metacharacters 21-46
URL Filter parameter map
properties 21-43
user groups
advanced PIX 6.3 settings 34-82
browser proxy settings 34-87
clientless settings 34-83
client VPN software update (IOS) settings 34-81
DNS/WINS settings 34-77
general settings 34-75
IOS client settings 34-78
IOS Xauth settings 34-80
split tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN connection settings 34-88
SSL VPN full tunnel settings 34-84
SSL VPN split tunneling settings 34-86
technology settings 34-73
thin client settings 34-84
viewing details 6-14
Web Filter policy map
properties 21-47
Websense parameter map
properties 21-39
WINS server lists
attributes 34-90
creating 31-88
Policy Objects command 1-34
policy objects interface
Interface Role dialog box 6-75
SSL VPN Bookmark Entry dialog box 34-45
SSL VPN bookmarks
Add or Edit Bookmarks dialog boxes 34-44
Post Parameters dialog box 34-48
Policy Objects page 11-66
policy query
example report 12-34
generating reports 12-28
interpreting report results 12-32
Querying Device or Policy dialog box 12-29
Policy Query Results dialog box 12-32
Policy view
Assignments tab 5-54
creating shared policies 5-54
deleting shared policies 5-56
filtering shared policy selector 1-45
modifying assignments 5-54
overview 1-16
selectors 5-52
Shared Policy selector options 5-53
understanding 5-50
Policy View command 1-32
pool objects
understanding 6-92
POP3
configuring for inspection rules 17-21
POP3 class map objects
creating 21-16
match criteria 21-25
POP3 policy map objects
creating 21-16
match conditions and actions 21-35
port application mapping
see PAM 21-69
port forwarding list objects
properties 34-40
port list objects
creating 6-100
naming when provisioned as object groups 6-107
properties 6-102
ports
ASA 5505
configure 46-61
Posture ACL dialog box 36-29
PPP dialog box
MLP tab 62-80
PPP tab 62-78
PPPoE Users 46-71
preferences, user
PIX/ASA/FWSM 60-1
Deployment page 60-1
Transactional Commit page 60-2
prefix list objects
properties 56-146, 56-148
pre-provisioning devices 3-26
preshared keys
aggressive mode negotiation 26-48
compared to certificates 26-8
configuring policies for IKEv1 site-to-site VPNs 26-48
FQDN (fully qualified domain name) negotiation 26-48
main mode address negotiation 26-47
understanding 26-47
Preview Configuration command 1-35
Prime Security Manager
see PRSM 72-20
Prime Security Manager command 1-37
print
Report Manager reports 70-27
Print command 1-31
priority queues
PIX/ASA/FWSM
configuration 58-4
page 58-4
Product Authorization Key (PAK) 10-16
productivity categories for Trend class maps 21-20
prompt
configuring on firewall devices 48-12
properties
changes with policy effects 3-54
changing critical device 3-52
image version changes with no policy effects 3-53
understanding device 3-6
viewing or changing device 3-40
Property Selector dialog box 7-34
protected networks
defining in GET VPN topologies 25-60
defining in VPN topologies 25-34
Protected Networks tab 25-46
Protocol Independent Multicast 55-11
Protocol Info parameter map objects
properties 21-33
Protocol Info Parameters map object
creating 21-16
Protocol Map dialog box 41-12
protocols
selecting for inspection 17-3
Protocol tab
IGMP 55-3
proxies
defining HTTP/HTTPS for SSL VPN (ASA) 31-57
proxy ARP
enabling on IOS routers 62-19
proxy bypass rules
defining HTTP/HTTPS for SSL VPN (ASA) 31-57
proxy server
configuring HTTP for IPS global correlation 36-24
PRSM
sharing
devices 72-22
policy objects 72-22
starting from Security Manager 72-20
public key infrastructure (PKI) policies
compared to certificates 26-8
configuring for remote access VPNs 26-56
configuring for site-to-site VPNs 26-54
PVC Advanced Settings dialog box
OAM-PVC tab 62-69
OAM tab 62-67
PVC dialog box
Protocol tab 62-64
QoS tab 62-61
Settings tab 62-58
PVC policies
unable to deploy 9-15
Q
QoS
MPC rule wizard
tab 58-8
PIX/ASA/FWSM
identity-aware rules 13-21
rules 58-5
QoS Class dialog box 66-23
Edit ACLs dialog box 66-25
Marking tab 66-26
Matching tab 66-24
Policing tab 66-29
Queuing and Congestion Avoidance tab 66-27
Shaping tab 66-31
QoS queuing
default class 66-6
defining for classes 66-16
tail drop vs. WRED 66-4
understanding 66-4
understanding LLQ 66-5
quality of service (QoS)
CEF requirements 66-2
defining on control plane 66-12
defining on interfaces 66-10
defining policies 66-10
on Cisco IOS routers 66-1
QoS Class dialog box 66-23
QoS Policy dialog box 66-21
Quality of Service Policy page 66-19
understanding
Control Plane Policing 66-9
default class queuing 66-6
low-latency queuing 66-5
marking parameters 66-3
matching parameters 66-2
policing parameters 66-6
queuing parameters 66-4
shaping parameters 66-6
tail drop and WRED 66-4
token-bucket mechanism 66-8
quality of service (QoS) classes
defining marking parameters 66-15
defining matching parameters 66-13
defining policing parameters 66-17
defining queuing parameters 66-16
defining shaping parameters 66-18
query
CS-MARS
access rule events 72-42
IPS signature events 72-44
looking up policies based on related events 72-45
overview 72-41
troubleshooting 72-40
Event Viewer
access rule events 69-56
IPS signature events 69-57
looking up policies based on related events 69-54
overview 69-55
Querying Device or Policy dialog box 12-29
quick filter
searching for events 69-47
Quick Launch for IP Intelligence 72-35
R
RADIUS
description 6-28
settings in AAA server objects 6-35
RAM
Image Manager 73-17
rate limiting, IPS 43-4
Real-time Log Viewer 72-18
recovery
event data store 69-36
Recurring Ranges dialog box 6-72
Redeploy a Job dialog box 8-53
Redeploying Licenses dialog box 11-60
rediscovering
remote access VPNs 30-12
rediscovering site-to-site VPNs 25-27
Rediscover VPN Policies wizard 25-27
redundant interfaces 46-8
red X in device selector, troubleshooting 9-9
Refresh Map command 1-33
regular expression group objects
properties 17-108
regular expression objects
metacharacters 17-109
properties 17-108
regular IPsec
mandatory and optional policies 25-6
supported platforms 25-9
supported platforms for remote access VPNs 30-8
Reject Activity command 1-36
Reject Activity dialog box 4-21
Reject Deployment Job dialog box 8-20, 8-39
remote access
user
logging off 71-30
remote access VPN
system variables 7-19
Remote Access VPN Configuration wizard
IPsec VPN
Defaults page 30-31
IPsec Settings page (ASA) 30-30
IPsec VPN Connection Profile page (ASA) 30-28
User Groups page 30-36
IPsec VPNs
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
SSL VPN
Access page (ASA) 30-16
Connection Profile page (ASA) 30-17
Gateway and Context Page (IOS) 30-33
Portal Page Customization Page (IOS) 30-35
SSL VPNs
creating on ASA devices 30-14
creating on IOS devices 30-32
using 30-13
remote access VPNs
ASA devices
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
configuring using wizard 30-13
device support 30-8
discovering 30-12
IOS devices
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
IPsec 31-36
access policies for IKEv2 (ASA), configuring 31-49
access policies for IKEv2 (ASA), reference 31-45
access policies for IKEv2 (ASA), understanding 31-44
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1) 31-37
cluster load balancing 31-5
configuring IKE and IPsec policies 26-1
connection profiles 31-7
connection profiles (ASA, PIX 7+) 31-8
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
Dynamic VTI/VRF Aware IPsec settings 33-7
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
high availability policies 33-11
IKE proposals 26-9
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
NAT settings 26-42
policy overview 30-9
policy overview (ASA, PIX 7.0+) 31-2
policy overview (IOS, PIX 6.3) 33-2
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
understanding 30-2
understanding IKE 26-5
understanding NAT settings 26-41
user group policies for IOS, PIX 6.3 33-13
VPNSM, VPN SPA, VSPA settings 33-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring for ASA and PIX 7.0+ devices 31-40
configuring for IOS and PIX 6.3 devices 33-3
managing 30-1
managing (ASA, PIX 7.0+) 31-1
managing (IOS, PIX 6.3) 33-1
rediscovering 30-12
SSL 31-43
access modes 30-4
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
advanced settings (ASA) 31-72
AnyConnect client image settings (ASA) 31-65
AnyConnect client settings (ASA) 31-62, 31-64
AnyConnect custom attributes (ASA) 31-70, 31-71
browser plug-ins (ASA) 31-60
cluster load balancing 31-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 31-57
connection profiles 31-7
connection profiles (ASA) 31-8
content rewrite rules (ASA) 31-53
Context Editor dialog box (IOS) 33-15, 33-16
creating on ASA 30-14
creating on IOS devices 30-32
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
encoding rules (ASA) 31-55
example 30-3
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
Kerberos Constrained Delegation (KCD on ASA) 31-66, 31-69
limitations 30-8
managing support files 30-5
NAT settings 26-42
other settings (ASA) 31-51
performance settings (ASA) 31-52
policies (IOS) 33-14
policy overview 30-9
policy overview (ASA, PIX 7.0+) 31-2
policy overview (IOS, PIX 6.3) 33-2
prerequisites 30-7
proxy bypass rules (ASA) 31-59
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
server certificate verification (ASA) 31-30, 31-32, 31-73
shared license (ASA) 31-74
shared license clients (ASA) 31-76
shared license servers (ASA) 31-77
understanding 30-2
understanding NAT settings 26-41
wizard 30-13
understanding 30-1
Remote Detection Indication (RDI) cells 62-51
Rename Policy Bundle dialog box 5-58, 5-59
Rename Policy command 1-32
Rename Policy dialog box 5-48
Rendezvous Point
PIX/ASA/FWSM
add/edit 55-16
Rendezvous Points
PIM 55-15
Report Manager
arranging window 70-30
closing 70-32
configuring default settings 70-29
configuring devices to provide reports 70-3
configuring Event Manager service 69-30
configuring schedules 70-34
creating custom reports 70-21
deleting another user’s custom reports 70-32
deleting reports 70-32
deleting schedules 70-36
disabling schedules 70-36
drill-down reports 70-26
editing report settings 70-22
enabling schedules 70-36
examples of analysis
monitoring botnet activity 69-64
exporting reports 70-28
generated report pane and toolbar 70-12
generating reports 70-20
managing custom reports 70-32
opening reports 70-20
overview 70-1, 70-6
printing reports 70-27
renaming reports 70-31
report list 70-9
report settings 70-10
saving reports 70-31
scheduling reports 70-33
settings page 11-38
troubleshooting 70-36
understanding 70-1
understanding access control 70-5
understanding data aggregation 70-4
understanding predefined reports
firewall summary botnet reports 70-15
firewall traffic reports 70-14
general IPS reports 70-19
general VPN reports 70-16
IPS top reports 70-17
overview 70-13
VPN top reports 70-16
using 70-19
viewing schedule results 70-35
viewing schedules 70-33
Report Manager command 1-38
Report Manager in Dashboard 72-2
reports
arranging windows 70-30
closing 70-32
configuring default settings for reports 70-29
configuring devices for Report Manager reporting 70-3
configuring schedules 70-34
creating custom 70-21
deleting 70-32
deleting another user’s in Report Manager 70-32
deleting schedules 70-36
deployment status 10-30
disabling schedules 70-36
discovery status 10-30
drilling down 70-26
editing settings 70-22
enabling schedules 70-36
example policy query 12-34
exporting 70-28
generating 70-20
generating access rule analysis 16-34
generating policy query 12-28
interpreting policy query 12-32
managing 70-1
managing custom 70-32
opening 70-20
overview of available types 70-2
predefined Report Manager
firewall summary botnet reports 70-15
firewall traffic reports 70-14
general IPS reports 70-19
general VPN reports 70-16
IPS top reports 70-17
overview 70-13
VPN top reports 70-16
printing 70-27
renaming 70-31
Report Manager
generated report pane and toolbar 70-12
overview 70-6
report list 70-9
report settings 70-10
saving 70-31
scheduling in Report Manager 70-33
understanding Report Manager 70-1
understanding Report Manager access control 70-5
understanding Report Manager data aggregation 70-4
using Report Manager 70-19
viewing schedule results 70-35
viewing schedules 70-33
reputation
configuring global correlation 42-5
understanding IPS global correlation 42-2
Request Filter
PIM 55-18, 55-20
Resources
FWSM 51-3
add/edit 51-4
managing 51-2
restorebackup.pl command 10-27
restore database 10-27
Resume Deployment Schedule dialog box 8-20, 8-58
retry count
device communication 11-22
reverse route injection 26-21
RIP
PIX/ASA/FWSM 56-119
(PIX/ASA 6.3–7.1, FWSM) 56-120
(PIX/ASA 6.3–7.1, FWSM) configuration 56-121
(PIX/ASA 7.2+) 56-122
(PIX/ASA 7.2+) Filtering 56-126
(PIX/ASA 7.2+) Filtering configuration 56-127
(PIX/ASA 7.2+) Interface 56-127
(PIX/ASA 7.2+) Interface configuration 56-128
(PIX/ASA 7.2+) Redistribution 56-125
(PIX/ASA 7.2+) Redistribution configuration 56-125
(PIX/ASA 7.2+) Setup 56-123
RIP routing
Cisco IOS routers
Authentication dialog box 67-47
Authentication tab 67-46
defining interface authentication 67-43
defining setup parameters 67-42
overview 67-42
redistributing routes 67-44
Redistribution Mapping dialog box 67-49
Redistribution tab 67-48
RIP Routing Policy page 67-45
Setup tab 67-45
roles, IPS user 36-15
rollback
archived configuration files 8-70
last deployed configuration 8-69
when deploying to file 8-71
Rollback a Job dialog box 8-69
round robin allocation
PAT 24-41
routed ports
Create and Edit Interface dialog boxes - Routed Port mode 68-12
understanding 68-5
route map objects
creating 56-132
properties 56-136
understanding 56-132
Router Block Interface dialog box 43-15
Router Device dialog box 43-14
router platform interface
802.1x Policy page 64-5
AAA policy
AAA Policy page 63-6
Accounting tab 63-10
Authentication tab 63-6
Authorization tab 63-8
Command Accounting dialog box 63-13
Command Authorization dialog box 63-10
accounts and credentials policy
Accounts and Credentials Policy page 63-16
User Accounts dialog box 63-17
ADSL policy
ADSL Policy page 62-37
ADSL Settings dialog box 62-38
advanced interface settings policy
Advanced Interface Settings dialog box 62-16
Advanced Interface Settings page 62-16
BGP policy
BGP Neighbors dialog box 67-6
BGP Redistribution tab 67-7
BGP Routing Policy page 67-4
BGP Setup tab 67-5
Redistribution Mapping dialog box 67-7
bridging policy
Bridge Group dialog box 63-21
Bridging Policy page 63-21
CEF interface policy 62-26
CEF Interface Settings dialog box 62-27
Clock Policy page 63-23
console policy
AAA tab 63-44
Accounting tab 63-47
Authentication tab 63-44
Authorization tab 63-45
Command Accounting dialog box 63-61
Command Authorization dialog box 63-60
Console Policy page 63-42
Setup tab 63-42
CPU Policy page 63-26
DHCP policy
DHCP Database dialog box 63-94
DHCP Policy page 63-92
IP Pool dialog box 63-94
dialer interface policy
Dialer Physical Interface dialog box 62-33
Dialer Policy page 62-31
Dialer Profile dialog box 62-32
DNS policy
IP Host dialog box 63-76
DNS Policy page 63-76
EIGRP policy
EIGRP Routing Policy page 67-13
Interface dialog box 67-16
Interfaces tab 67-15
Redistribution Mapping dialog box 67-18
Redistribution tab 67-17
Setup dialog box 67-14
Setup tab 67-13
Hostname Policy page 63-78
HTTP policy
AAA tab 63-32
Command Authorization Override dialog box 63-34
HTTP Policy page 63-31
Setup tab 63-31
interfaces policy
Create Router Interface dialog box 62-8
Interface Auto Name Generator dialog box 62-12
Router Interfaces page 62-7
IPS interface policy
IPS Monitoring Information dialog box 62-24
IPS Module interface policy
IPS Module Interface Policy Page 62-23
logging policy
Syslog Server dialog box 65-11
logging setup policy
Logging Setup Policy page 65-7
Memory Policy page 63-79
NAC policy
Identities tab 64-18
Identity Action dialog box 64-19
Identity Profile dialog box 64-19
Interface Configuration dialog box 64-17
Interfaces tab 64-16
NAC Policy page 64-14
Setup tab 64-14
NAT policy
Dynamic Rule dialog box 24-11
Interface Specification tab 24-6
Static Rule dialog box 24-7
Static Rules tab 24-6
NetFlow policy 65-5, 65-12
NTP policy
NTP Policy page 63-98
NTP Server dialog box 63-99
OSPF policy
Area dialog box 67-37
Area tab 67-36
Interface dialog box 67-31
Max Prefix Mapping dialog box 67-41
OSPF Interface Policy page 67-30
OSPF Process Policy page 67-34
Redistribution Mapping dialog box 67-39
Redistribution tab 67-38
Setup dialog box 67-35
Setup tab 67-35
PPP/MLP policy
PPP/MLP Policy page 62-76
PPP dialog box 62-77
PVC policy
Define Mapping dialog box 62-65
PVC Advanced Settings dialog box 62-66
PVC dialog box 62-56
PVC Policy page 62-55
QoS policy
QoS Class dialog box 66-23
QoS Policy dialog box 66-21
Quality of Service Policy page 66-19
RIP policy
Authentication dialog box 67-47
Authentication tab 67-46
Redistribution Mapping dialog box 67-49
Redistribution tab 67-48
RIP Routing Policy page 67-45
Setup tab 67-45
Secure Device Provisioning Policy page 63-85
Secure Shell Policy page 63-64
SHDSL policy
Controller Auto Name Generator dialog box 62-46
SHDSL Controller dialog box 62-43
SHDSL Policy page 62-42
SNMP policy
Permission dialog box 63-70
SNMP Policy page 63-69
SNMP Traps dialog box 63-72
Trap Receiver dialog box 63-71
static routing policy
Static Routing dialog box 67-52
Static Routing Policy page 67-51
syslog servers policy
Syslog Servers Policy page 65-10
VTY policy
Command Accounting dialog box 63-61
Command Authorization dialog box 63-60
VTY Line dialog box 63-51
VTY Policy page 63-50
router platform policies
Device Admin policies
AAA 63-2
accounts and credentials 63-14
CPU settings 63-25
DHCP 63-87
DNS 63-74
host and domain names 63-77
HTTP 63-28
line access 63-35
memory settings 63-78
optional SSH settings 63-63
Secure Device Provisioning (SDP) 63-81
SNMP 63-66
time zone settings 63-22
transparent bridging 63-18
Identity policies
802.1x 64-1
Network Admission Control (NAC) 64-8
Interface policies
ADSL 62-34
advanced settings 62-13
basic settings 62-1
dialer interfaces 62-28
PPP 62-71
PVC 62-47
SHDSL 62-41
Logging policies 65-1
NAT 24-5
dynamic rules 24-10
static rules 24-6
timeouts 24-13
NetFlow policies 65-1
Network Time Protocol (NTP) 63-96
quality of service (QoS) 66-1
Routing policies
BGP routing 67-1
EIGRP routing 67-8
OSPF routing 67-19
RIP routing 67-42
static routing 67-50
routers
adding SSL thumbprints manually 9-5
CEF interface settings policies 62-25
Cisco Discovery Protocol (CDP) settings 62-18
communication requirements 2-1
configuring SSH 2-6
default transport protocol for 12.1 and 12.2 11-22
default transport protocol for 12.3 and above 11-22
deploying configurations using TMS 8-43
enabling directed broadcasts 62-20
enabling Maintenance Operation Protocol (MOP) 62-19
enabling NBAR protocol discovery 62-19
enabling proxy ARP 62-19
enabling unicast reverse path forwarding (RPF) 62-20
enabling virtual fragment reassembly (VFR) 62-19
FlexConfig object samples 7-24
generating interface names 62-4
ICMP message settings 62-18
IPS Module interface settings policies 62-22
licenses 2-10
mixing deployment methods 9-14
selecting policy types to manage 5-11
setting up SSL (HTTPS) 2-4
SSL certificate configuration 11-22
system variables 7-13
troubleshooting deployment 9-14
Route Tree
PIM 55-17
routing
PIX/ASA/FWSM
about EIGRP 56-33
about OSPF 56-75
about OSPFv3 56-101
authentication 56-75
BGP 56-2, 56-3
BGP - General tab 56-5
BGP - IPv4 Family - Aggregate Address configuration 56-9, 56-22
BGP - IPv4 Family - Filter configuration 56-10
BGP - IPv4 Family - General tab 56-7, 56-21
BGP - IPv4 Family - Neighbor configuration 56-11, 56-24
BGP - IPv4 Family - Network configuration 56-17, 56-29
BGP - IPv4 Family - Redistribution configuration 56-18, 56-30
BGP - IPv4 Family - Route Injection configuration 56-19, 56-31
BGP - IPv4 Family tab 56-6, 56-20
configuring on 56-1
configuring static routes 56-128
EIGRP 56-32
EIGRP - advanced settings 56-34
EIGRP - Filter Rule configuration 56-40
EIGRP - Filter Rules tab 56-39
EIGRP - Interface configuration 56-48
EIGRP - Interfaces tab 56-47
EIGRP - neighbor configuration 56-42
EIGRP - Neighbors tab 56-41
EIGRP - redistribution configuration 56-44
EIGRP - Redistribution tab 56-42
EIGRP - Setup tab 56-36
EIGRP - Summary Address configuration 56-46
EIGRP - Summary Address tab 56-45
IPv6 Static Route configuration 56-131
No Proxy ARP 56-1
OSPF 56-75
OSPF - advanced settings 56-77
OSPF - Area/Area networks 56-82
OSPF - Area Range 56-84
OSPF - Area tab 56-81
OSPF - Filtering configuration 56-93
OSPF - Filtering tab 56-92
OSPF - Filter Rule configuration 56-94
OSPF - Filter Rule tab 56-94
OSPF - General tab 56-76
OSPF - Interface configuration 56-98
OSPF - Interface tab 56-96
OSPF - Neighbors tab 56-85
OSPF - Range tab 56-84
OSPF - Redistribution rule 56-87
OSPF - Redistribution tab 56-86
OSPF - static neighbor 56-85
OSPF - Summary Address configuration 56-96
OSPF - Summary Address tab 56-95
OSPFv3 56-100, 56-101
OSPFv3 - advanced settings 56-104
OSPFv3 - Area/Area networks 56-108
OSPFv3 - Area Range 56-110
OSPFv3 - Area tab 56-108
OSPFv3 - Interface configuration 56-114
OSPFv3 - Interface tab 56-114
OSPFv3 - Process tab 56-103
OSPFv3 - Redistribution rule 56-112
OSPFv3 - static neighbor 56-118
OSPFv3 - Summary Prefix configuration 56-113
OSPFv3 - Virtual Link configuration 56-111
OSPF - Virtual Link configuration 56-90
OSPF - Virtual Link MD5 configuration 56-91
OSPF - Virtual Link tab 56-89
RIP (PIX/ASA 6.3–7.1, FWSM) 56-120
RIP (PIX/ASA 6.3–7.1, FWSM) configuration 56-121
RIP (PIX/ASA 7.2+) 56-122
RIP (PIX/ASA 7.2+) Filtering 56-126
RIP (PIX/ASA 7.2+) Filtering configuration 56-127
RIP (PIX/ASA 7.2+) Interface 56-127
RIP (PIX/ASA 7.2+) Interface configuration 56-128
RIP (PIX/ASA 7.2+) Redistribution 56-125
RIP (PIX/ASA 7.2+) Redistribution configuration 56-125
RIP (PIX/ASA 7.2+) Setup 56-123
RIP page 56-119
static null 0 routing 56-128
Static Route configuration 56-130
VPNs with routing processes 9-13
routing redistribution
BGP Redistribution Mapping dialog box 67-7
BGP Redistribution tab 67-7
EIGRP Redistribution Mapping dialog box 67-18
EIGRP Redistribution tab 67-17
into BGP 67-3
into EIGRP 67-12
into OSPF 67-22
into RIP 67-44
OSPF Max Prefix Mapping dialog box 67-41
OSPF Process Redistribution tab 67-38
OSPF Redistribution Mapping dialog box 67-39
RIP Redistribution Mapping dialog box 67-49
RIP Redistribution tab 67-48
RPC
configuring for inspection rules 17-21
RSA keys
generating, synchronizing for GET VPN 29-13
Rule Analysis Detail Report
generating 16-34
Rule Combiner Results dialog box 12-25
rule expiration
configuring for access rules 16-22
Rule Expiration page 11-69
rules
default 5-5
mandatory 5-5
rules tables
adding rules 12-9
columns and headings 1-49
commands, Edit menu 1-31
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-48
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-8
rule tables
moving rules 12-19
RX-Boot Mode Credentials dialog box 3-48
S
Save As command (Report Manager) 70-8
Save command 1-30
Save command (Report Manager) 70-8
Save Map As command 1-33
Save Map As dialog box 35-10
Save Map command 1-33
ScanSafe Web Security Settings 20-6
scenarios
creating FlexConfigs 7-25
SCEP (Simple Certificate Enrollment Protocol)
CA server authentication 26-51
Schedule dialog box 8-56
schedules
configuring in Report Manager 70-34
deleting in Report Manager 70-36
disabling in Report Manager 70-36
enabling in Report Manager 70-36
reports in Report Manager 70-33
viewing in Report Manager 70-33
viewing results in Report Manager 70-35
schedules, deployment
changes not deployed 8-55
creating or editing 8-55
including devices 8-8
suspending or resuming 8-58
viewing status and history 8-26
scripting language
examples
looping 7-3
looping with if/else statements 7-4
looping with two-dimensional arrays 7-3
FlexConfig objects 7-3
SDEE
subscriptions for IOS IPS 45-8
SDI
settings in AAA server objects 6-43
SDM
access rule look-up 72-19
device manager 72-16
searching for items 1-42
Secondary Interface Specific Authentication Server Groups dialog box 31-16
secure desktop manager policies
configuring 32-9
Secure Device Provisioning (SDP)
configuring AAA for administrative introducers 63-84
contents of bootstrap 63-82
defining policies 63-83
Secure Device Provisioning page 63-85
understanding
introducers 63-81
petitioners 63-81
registrars 63-81
TTI 63-81
workflow 63-82
SecureID servers (SDI)
description 6-29
Secure Shell
PIX/ASA/FWSM
add/edit SSH host 49-8
Secure Shell (SSH)
Cisco IOS routers
defining optional settings 63-63
optional settings overview 63-63
Secure Shell Policy page 63-64
PIX/ASA/FWSM 49-7, 49-8
security associations
GET VPN
using passive mode during migration 29-23
security certificate
invalid during discovery 9-7
security context
Failover page 50-26
security contexts
adding to failover group 2 50-8
admin context
overview 59-1
configuring multiple 59-3
configuring on firewall devices 59-1
deleting FWSM 59-7
discovering policies 5-13
FWSM 59-8
configuration 59-8
managing Resources 51-2
Resources 51-3
PIX/ASA
allocate interfaces 59-12
configuration 59-9
viewing allocated interfaces 59-12
PIX/ASA/FWSM
enabling multi-context mode 59-1
managing 59-7
restoring single-context mode 59-1
rollback, commands to recover from failover misconfiguration 8-68
rollback command conflicts 8-67
rollback restrictions 8-64
rollback restrictions for failover devices 8-65
showing containment 3-56
security group aware firewall policies
configuring ISE settings 11-56
security group-aware firewall policies
configuring 14-7
managing 14-1
overview 14-1
security group objects
creating 14-14
security group tagging 46-44
Security Manager
access by CS-MARS 72-37
applications overview 1-6
archiving (backing up) the event data store 69-36
backing up and restoring database 10-24
Configuration Manager interface overview 1-14
configuring administrative settings 11-1
getting started 1-1
how permissions affect what you can do 1-11
initial configuration 1-25
installing client 1-12
integrating with Security Manager 72-36
integration with CS-MARS 72-36
logging into and exiting 1-12
managing the server 10-1
overview 1-1
recovering the event data store 69-36
reports overview 70-2
server cluster
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
server management and administration 10-1
using 1-14
Security Manager Administration command 1-36
Security Manager Diagnostics command 1-36
Security Manager Online command 1-38
security policies
PIX/ASA/FWSM 57-1
General configuration 57-3
General page 57-1
timeouts 57-4
security ratings for Trend class maps 21-20
see LACP 46-12
Select Address Pool
PIX/ASA/FWSM Platform 24-24
Select Interfaces dialog box 35-20
selectors
filtering items 1-45
using 1-45
selector trees
selecting items 1-45
Select Policy Object dialog box 35-18
Select VPN to Configure dialog box 35-22
self near-end crosstalk (SNEXT) 62-46
Self zone 21-5
sensors, IPS
allowed hosts 36-7
anomaly detection
configuring 41-6
configuring histograms 41-11
configuring learning accept mode 41-8
configuring signatures 41-4
configuring thresholds 41-11
detection zones 41-3
managing 41-1
modes 41-2
understanding 41-1
understanding histograms 41-9
understanding thresholds 41-9
understanding worms 41-2
when to turn off 41-4
blocking
configuring 43-7
configuring ARC 43-1
configuring blocking devices 43-14
configuring master blocking sensors 43-13
configuring never block hosts and networks 43-17
configuring router blocking interfaces 43-15
configuring user profiles 43-12
configuring VLAN blocking interfaces 43-16
general options 43-10
master blocking sensor 43-6
policy 43-8
rate limiting 43-4
router and switch blocking devices 43-4
strategies 43-3
understanding 43-1
capturing network traffic 36-2
certificates 44-10
configuration overview 36-5
configuration overview for IOS IPS 45-4
configuring AAA 36-21
configuring Analysis Engine global variables 36-30
configuring DNS servers 36-24
configuring HTTP proxy server 36-24
configuring NTP 36-23
configuring OS maps 40-21
configuring SNMP 36-8
configuring target value ratings 40-17
configuring the external product interface 36-26
configuring user accounts 36-18
deployment of passwords 36-17
deployment topology 36-4
discovery of passwords 36-17
event actions
example filter rule 69-67
filter rule attributes 40-9
filter rules 40-4, 40-7
filter rules tips 40-6
network information 40-17
overrides 40-13
overview 40-1
possible actions 40-2
process overview 40-1
settings 40-23
getting started 36-1
global correlation
configuring 42-1
configuring inspection and reputation 42-5
configuring network participation 42-7
data collected 42-3
requirements and limitations 42-4
understanding 42-1
understanding network participation 42-3
understanding reputation 42-2
interfaces
configuring 37-6
configuring bypass mode 37-12
configuring CDP mode 37-12
configuring inline interface pairs 37-13
configuring inline VLAN pairs 37-14
configuring physical 37-9
configuring VLAN groups 37-15
deploying VLAN groups 37-5
inline interface mode 37-3
inline VLAN pair mode 37-3
interfaces policy 37-6
managing interface configurations 37-1
physical interface properties 37-10
promiscuous mode 37-2
roles 37-1
sensing modes overview 37-2
understanding 37-1
viewing summary 37-8
VLAN group mode 37-4
IPS modules for ASA 58-15
licenses
automating 44-3
managing 44-1
redeploying 44-2
updating 44-1
managing 44-1
managing user accounts and passwords 36-15
monitoring
removing false positive IPS events 69-66
passive OS fingerprinting 40-19
password requirements 36-20
rebooting 44-12
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
configuring settings 39-30
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
inheritance 39-3
parameters list 39-24
policy 39-4
shortcut menu 39-10
understanding 39-1
viewing update level 39-9, 39-13
traffic flow notifications 36-30
tuning recommendations 36-4
understanding managed and unmanaged passwords 36-16
understanding network sensing 36-2
understanding user roles 36-15
updates
automatically applying 44-6
checking for and downloading 44-5
configuring server 44-4
managing 44-4
manually applying 44-7
user account attributes 36-19
virtual sensors
advantages 38-3
assigning interfaces 38-4
attributes 38-7
configuring 38-1, 38-5
deleting 38-10
editing policies 38-9
identifying 38-5
inline TCP session tracking mode 38-3
Normalizer mode 38-4
renaming 38-8
restrictions 38-3
understanding 38-1
sensorupdate.properties 44-6
server
managing Security Manager 10-1
syslog
PIX/ASA/FWSM 54-21, 54-27
server, IPS update 44-4
server, Security Manager
configuring administrative settings 11-1
managing or administrating 10-1
Server Access
PIX/ASA/FWSM 52-1, 53-1
AUS, add/edit server 52-3, 53-2, 53-3, 53-4
AUS page 52-1
DDNS interface rule 52-19
DDNS page 52-18
DDNS update methods 52-19
DDNS update methods, add/edit 52-20
DHCP Relay, add/edit agent 52-6
DHCP Relay, add/edit server 52-7
DHCP Relay page 52-5
DHCP Server, add/edit 52-12
DHCP Server, advanced configuration 52-13
DHCP Server, options 52-13
DHCP Server page 52-10
DHCPv6 Relay, add/edit agent 52-9
DHCPv6 Relay, add/edit server 52-9
DHCPv6 Relay page 52-7
DNS page 52-14
DNS server, add 52-17
DNS server group 52-16
NTP page 52-21
NTP server configuration 52-21
SMTP page 52-22
TFTP server page 52-23
server cluster, Security Manager
managing 10-2
overview 10-2
splitting server 10-3
synchronizing shared policies 10-5
Server Load Balance page 27-17
server load balancing
configuring for large scale DMVPN 27-16, 27-17
server attributes in large scale DMVPN 27-17
Server Properties dialog box 3-38
Server Security page 10-2
Server Security Settings page 11-70
Service
ASA CX
Auth Proxy Configuration 58-17
PIX/ASA/FWSM
identity-aware IPS, QoS, and Connection Rules 13-21
IPS, QoS, and Connection Rules wizard 58-6, 58-8
policy wizard 58-6
priority queues 58-4
priority queues configuration 58-4
security group aware IPS, QoS, and Connection Rules 14-17
Service Policy Rules 58-5
traffic class 58-7
service, Event Manager
configuring 69-30
managing 69-30
monitoring event store disk space 69-35
monitoring status 69-31
selecting devices to monitor 69-34
starting or stopping 69-30
status icon colors 69-31
service agreement contracts 10-16
Service Contents dialog box 12-14
Service Device Provisioning (SDP)
on Cisco IOS routers 63-81
Service Module Credentials dialog box 3-19
Service Modules
Catalyst
firewalls 46-1
service objects
creating 6-100
naming when provisioned as object groups 6-107
provisioning as object groups 6-108
Services dialog box 6-103
understanding 6-100
service policy
configuring identity-aware rules 13-21
configuring security group aware rules 14-17
Service Policy (MPC) Rule Wizard 58-6
Connection Settings tab 58-8
CSC tab 58-8
CXSC tab 58-8
IPS tab 58-8
QoS tab 58-8
User Statistics tab 58-8
service policy rules
configuring on firewall devices 58-1
services
specifying 6-100
Set Linked Map dialog box 35-13
Settings
ScanSafe 20-6
settings
device communications 9-4
Settings, Event Actions policy 40-23
settings, report
editing 70-22
Settings pages
Autolink 11-3
CCO Settings 11-4
Configuration Archive 11-6
CS-MARS 11-7
CSM Mobile 11-9
Customize Desktop 11-10
Debug Options 11-11
Deployment 11-13
Device Communication 11-21
Device Groups 11-24
Discovery 11-25
Event Management 11-27, 11-35
CPU Throttling Policy 11-33
Health and Performance Monitor 11-36
Identity 11-38
Image Manager 11-41
IP Intelligence Settings 11-41
ISE 11-56
Licensing 11-57
Logs 11-62
Policy Management 11-64
Policy Objects 11-66
Report Manager 11-38
Rule Expiration 11-69
Server Security 11-70
Take Over User Session 11-71
Ticket Management 11-72
Token Management 11-73
VPN Policy Defaults 11-74
Workflow 11-75
SHA hash algorithm 26-6
Share Device Policies command 1-32
shared license clients
configuring 31-76
shared license servers
configuring 31-77
shared policies
cloning (copying) 5-47
Device view
adding local rules to selected device 5-45
assigning to selected device 5-44
modifying 5-49
modifying assignments 5-49
policy banner 5-38
sharing local 5-41
sharing multiple local policies 5-42
unsharing 5-43
working with 5-37
exporting 10-12
exporting with device inventory 10-6
importing 10-13
inheriting policies 5-47
Policy Bundle view
cloning 5-58
creating 5-57
renaming 5-58, 5-59
Policy view
creating 5-54
deleting 5-56
managing 5-50
modifying assignments 5-54
renaming 5-48
Site-to-Site VPN Manager
assigning to selected device 5-44
modifying assignments 5-49
sharing local 5-41
unsharing 5-43
working with 5-37
synchronizing among Security Manager servers 10-5
Shared Policy Assignments dialog box 5-49
Share Policies wizard 5-42
Share Policy command 1-32
Share Policy dialog box 5-41
SHDSL
Controller Auto Name Generator dialog box 62-46
defining controllers 62-41
on Cisco IOS routers 62-41
SHDSL Controller dialog box 62-43
SHDSL Policy page 62-42
shortcut menu commands
policies in Device view and Site-to-Site VPN Manager 5-40
Show Containment command 1-35
Show Devices On Map command 1-33
Show Devices on Map dialog box 35-16
Show Navigation Window command 1-33
Show VPN Peers dialog box 35-22
Show VPNs On Map command 1-33
Show VPNs on Map dialog box 35-21
signatures
adding custom 39-19
cloning 39-21
configuring 39-4
configuring settings 39-30
defining 39-1
detailed information 39-2
editing 39-14
editing Meta engine component list 39-29
editing or tuning parameters 39-23
enabling or disabling 39-14
engines 39-20
exporting 39-9
finding from CS-MARS events 72-45
finding from Event Viewer events 69-54
inheritance 39-3
parameters list 39-24
policy 39-4
selecting category for Cisco IOS IPS 45-6
shortcut menu 39-10
tuning 69-66
tuning recommendations 36-4
understanding 39-1
updates
automatically applying 44-6
checking for and downloading 44-5
configuring server 44-4
managing 44-4
manually applying 44-7
viewing related CS-MARS events 72-44
viewing related events 69-57
viewing update level 39-9, 39-13
Signature Settings page 39-30
Signatures page
overview 39-4
shortcut menu 39-10
Simple Network Management Protocol
see SNMP 49-14
single sign on server (SSO) objects
properties 34-42
SIP (ASA, PIX) class map objects
creating 17-22
SIP (ASA/PIX/FWSM) policy map objects
creating 17-22
properties 17-83, 17-93, 17-102, 17-103
SIP (IOS) class map objects
creating 21-16
match criteria 21-25
SIP (IOS) policy map objects
creating 21-16
match conditions and actions 21-35
SIP class map objects
match criteria 17-85, 17-95
SIP policy map objects
match conditions and actions 17-85, 17-95
Site-to-Site VPN Manager
assigning shared policies 5-44
copying shared policies 5-47
managing policies 5-30
modifying policy assignments 5-49
policy banner 5-38
policy shortcut menu 5-40
renaming policies 5-48
sharing local policies 5-41
unassigning policies 5-36
understanding shared policies 5-37
unsharing policies 5-43
Site-to-Site VPN Manager window 25-18
Site-to-Site VPN policy page (Device view) 25-19
site-to-site VPNs
accessing topologies and policies 25-17
configuring global settings
configuring fragmentation settings 26-31, 26-44
configuring IKEv2 settings 26-37
configuring ISAKMP/IPsec settings 26-33
configuring NAT settings 26-42
overview 26-30
understanding NAT settings 26-41
configuring IKE and IPsec policies 26-1
creating or editing Extranet VPN topologies 25-66
creating or editing VPN topologies 25-28
discovering 25-24
managing 25-1
rediscovering 25-27
repairing discovered VPNs with multiple spoke definitions 25-26
understanding discovery 25-20
understanding topologies 25-2
using device overrides to customize VPN policies 25-13
viewing summary of VPN configuration 25-63
Site-to-Site VPNs command 1-34
Skinny policy map objects
creating 17-22
match conditions and actions 17-89
properties 17-87
SLA monitor objects
attributes 51-10
configuring 51-9
understanding 51-8
Smartfilter (N2H2)
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-36, 21-39, 21-41
Smart Tunnel Auto Signon Entry dialog box 34-72
Smart Tunnel Auto Signon Lists dialog box 34-71
smart tunnels
configuring for ASA SSL VPNs 31-85
SMTP
configuring for inspection rules 17-20
preventing DoS attacks using zone based firewall 21-27
preventing spam using zone based firewall 21-27
SMTP class map objects
creating 21-16
match criteria 21-27
SMTP policy map objects
creating 21-16
match conditions and actions 21-35
SMTP server
configuring 1-27
PIX/ASA/FWSM 52-22
SNEXT 62-46
SNMP
about SNMP Version 3 49-15
Cisco IOS routers
defining agent properties 63-67
enabling traps 63-68
overview 63-66
Permission dialog box 63-70
SNMP Policy page 63-69
SNMP Traps dialog box 63-72
Trap Receiver dialog box 63-71
configuring for HPM S2S polling 71-40
configuring for IPS sensors 36-8
configuring on firewall devices 49-14
IPS general options 36-10
IPS trap options 36-11, 36-13
PIX/ASA/FWSM 49-17
groups 49-24
host access 49-22
MIBs 49-14
OIDs 49-14
SNMPv3 49-24, 49-25
Trap configuration 49-19
users 49-25
terminology 49-15
SNMP Credentials dialog box 3-48
SNMP policy map objects
creating 17-22
properties 17-90
SNMP Trap Communication dialog box 36-12, 36-14
SNMP Trap Communication tab, SNMP policy for IPS 36-11, 36-13
socket read timeout
device communication 11-22
Software Application Support contracts 10-16
Source Contents dialog box 12-14
spam
blocking spam using zone-based firewall rules 21-27
spoke-to-spoke connections, DMVPN 27-10
spoofing, preventing 57-1, 57-3
spoofing attacks, preventing 17-4
SSH
configuring on IOS routers, Catalyst switches, Catalyst 6500/7600 devices 2-6
line ending conventions 2-5
preventing non-SSH connections 2-7
setting up 2-5
testing authentication 2-6
troubleshooting connections 9-7
SSL
remote access SSL VPNs
advanced settings (ASA) 31-72
AnyConnect client settings (ASA) 31-62, 31-64
browser plug-ins 31-60
content rewrite rules (ASA) 31-53
encoding rules (ASA) 31-55
Kerberos Constrained Delegation (KCD on ASA) 31-66, 31-69
proxy bypass rules (ASA) 31-59
remote access VPNs 31-43
access modes 30-4
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
AnyConnect client image settings (ASA) 31-65
AnyConnect custom attributes (ASA) 31-70, 31-71
cluster load balancing 31-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 31-57
connection profiles 31-7
connection profiles (ASA) 31-8
Context Editor dialog box (IOS) 33-15, 33-16
creating on ASA 30-14
creating on IOS devices 30-32
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
example 30-3
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
limitations 30-8
managing support files 30-5
NAT settings 26-42
other settings (ASA) 31-51
performance settings (ASA) 31-52
policies (IOS) 33-14
prerequisites 30-7
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
server certificate verification (ASA) 31-30, 31-32, 31-73
shared license clients (ASA) 31-76
shared licenses (ASA) 31-74
shared license servers (ASA) 31-77
understanding 30-2
understanding NAT settings 26-41
wizard 30-13
setting up 2-3
troubleshooting certificate errors 9-5
VPN
sharing connection profiles on ASAs 30-8
SSL authentication certificates
adding thumbprints manually 9-5
configuring default settings for how handled 11-22
SSL VPN
policy discovery restriction 3-8
SSL VPN Access page (ASA) 31-45
SSL VPN bookmark objects
configuring 31-82
post URL method and macro substitutions 31-84
SSL VPN Bookmarks objects
SSL VPN Bookmarks dialog box 34-45
SSL VPN Configuration wizard
Access page (ASA) 30-16
Connection Profile page (ASA) 30-17
Gateway and Context Page (IOS) 30-33
Portal Page Customization Page (IOS) 30-35
SSL VPN Customization objects
configuring 31-78
creating custom Logon page 31-82
localizing 31-80
SSL VPN gateway objects
properties 34-64
SSL VPN Other Settings page (ASA)
Advanced tab 31-72
Client Settings tab 31-64
Content Rewrite tab 31-53
Encoding tab 31-55
Microsoft KCD Server tab 31-66, 31-69
overview 31-51
Performance tab 31-52
Proxy tab 31-57
SSL Server Verification tab 31-30, 31-32, 31-73
SSL VPN Policy page (IOS) 33-14
SSL VPNs
ASA devices
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
IOS devices
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
SSL VPN Shared License page (ASA) 31-74
SSL VPN smart tunnel auto sign-on list objects
attributes 34-71
SSL VPN smart tunnel list objects
attributes 34-66, 34-69
configuring 31-85
stateful failover 50-3, 50-4
site-to-site VPN 25-54
stateless failover 50-3
states
activity 4-4
ticket 4-4
static crypto maps 26-19
Static Group tab (IGMP) 55-6
static NAT
Cisco IOS routers
disable automatic aliasing 24-7
disable payload 24-10
on Cisco IOS routers 24-6
static null 0 routing 56-128
static routes
configuring on firewall devices 56-128
PIX/ASA/FWSM
configuration 56-130
static routing
Cisco IOS routers
defining on 67-50
overview 67-50
Static Routing dialog box 67-52
Static Routing Policy page 67-51
Static Rule
PIX/ASA/FWSM 24-26
add/edit 24-27
status
activity 4-4
ticket 4-4
subinterfaces 46-7, 46-15
specifying during policy definition 6-76
Submit Activity command 1-36
Submit Activity dialog box 4-20
Submit and Deploy command 1-30
Submit command 1-30
Submit Deployment Job dialog box 8-38
Submitted activity state 4-5
Submit Ticket command 1-37
Sun RPC class map objects
creating 21-16
match criteria 21-29
Sun RPC policy map objects
creating 21-16
match conditions and actions 21-35
support, technical
creating diagnostic file 10-28
generating data 10-28
generating deployment or discovery status reports 10-30
generating partial database backup 10-30
Suspend Deployment Schedule dialog box 8-20, 8-58
switches
communication requirements 2-1
SYN flooding attacks, preventing 17-5
syslog
access rule look-up 72-17
deeply parsed for Event Viewer 69-6
logging
PIX/ASA/FWSM 54-1
message properties 69-18
syslog messages supported for policy lookup 72-46
syslog relay
CPU throttling policy 11-33
syslogs
Cisco IOS routers 65-1
system variables
devices 7-7
firewall 7-9
FlexConfigs 7-7
remote access VPN 7-19
routers 7-13
VPN 7-14
T
tables
using 1-48
tables, rules
adding rules 12-9
columns and headings 1-49
commands, Edit menu 1-31
converting IPv4 rules 12-28
cut, copy, and paste rules 12-9
disabling rules 12-20
enabling rules 12-20
filtering 1-48
finding and replacing items 12-16
removing rules 12-9
sections 12-20
using 12-8
TACACS+
description 6-28
settings in AAA server objects 6-38
Take Over User Session page 11-71
Target Value Rating dialog box 40-19
Target Value Ratings, IPS Network Information policy 40-17
target value ratings (IPS) 40-17
task flow
deployment
non-Workflow mode 8-3
Workflow mode 8-5
taskflow 1-19
TCP Map objects
properties 58-22
TCP State Bypass
ASA/FWSM 58-3
Telnet
PIX/ASA/FWSM 49-29
configuration 49-29
text fields
ASCII limitations 1-50
finding text in multiple-line 1-50
navigating 1-50
using 1-49
text objects
creating 7-32
TFTP servers
PIX/ASA/FWSM 52-23
thin client access mode 30-4
thresholds
configuring anomaly detection 41-11
understanding anomaly detection 41-9
throughput
VPN user reports 70-16
ticketing
overview 1-20
Ticket Management
settings 11-72
ticket management
comparing workflow modes 1-22
Ticket Manager window 4-10
tickets
closing 4-16
creating 4-14
discarding 4-22
multiple users 4-4
opening 4-15
states 4-4
Ticket Manager window 4-10
understanding 4-1
using global search to find specific tickets 1-42
validating 4-18
viewing change reports 4-16
viewing status and history 4-23
working with 4-7
Tickets menu 1-36
tiered hub-and-spoke topologies 25-5
time
changing range for reports 70-22
timeouts
on firewall devices 57-4
timeouts (NAT)
Cisco IOS routers 24-13
Timeout Value
Firewall AAA 15-30
time range objects
attributes for recurring ranges 6-72
configuring 6-71
time slider (Event Viewer)
filtering with 69-44
using 69-25
time synchronization
on IOS routers 63-96
time zone settings
certificate errors 9-7
Cisco IOS routers
Clock Policy page 63-23
defining time zone and DST 63-22
overview 63-22
TMS
deploying configurations 8-43
deployment method 8-10
Token Management page 11-73
Token Management System (TMS)
settings 11-73
toolbar
activities 4-8, 4-9
toolbar reference
Configuration Manager 1-39
event table in Event Viewer 69-16
toolbars
Report Manager generated report 70-12
Report Manager report settings 70-10
Tools menu
Configuration Manager 1-34
Report Manager 70-8
Trace Route 72-26
TraceRoute 72-28
traffic class
PIX/ASA/FWSM
rules wizard 58-7
Traffic Classification dialog box 19-12
Traffic Classification tab 19-11
traffic encryption key (KEK), GET VPN 29-4
traffic flow notifications
configuring for IPS 36-30
traffic flow objects
default inspection traffic 58-20
properties 58-18
traffic match criteria 58-2
traffic zones 22-1
asymmetric routing 22-1
benefits 22-1
clustering 22-8
configuring 22-9
Equal-Cost Multi-Path (ECMP) 22-4
failover 22-8
firewall mode 22-8
guidelines 22-8
load balancing 22-1
lost route 22-1
prerequisites 22-7
security levels 22-6
supported services 22-6
understanding 22-6
transactional commit model 60-2
Transactional Commit page
PIX/ASA/FWSM Platform 60-2
transcripts
viewing 8-59
Transcript Viewer window 8-62
transform sets
attributes 26-27
understanding 26-20
Translation Exemption (NAT-0 ACL) Rule
PIX/ASA/FWSM 24-20
add/edit 24-21
Translation Options
PIX/ASA/FWSM 24-16, 24-17
Translation Rules
Add/Edit Per-Session NAT rules dialog boxes 24-47
ASA 8.3+ 24-34
Add/Edit NAT rules dialog boxes 24-36
per-session NAT rules 24-46
PIX/ASA/FWSM 24-19
translation table
clearing on deployment 60-1
transparent bridging
Cisco IOS routers
BVI interfaces 63-19
overview 63-18
defining bridge groups 63-20
transparent firewall
configuring on PIX/ASA/FWSM 47-1
NAT 24-16
transparent rules
adding or editing a rule 23-5
configuring 23-1
configuring DHCP passthrough for IOS devices 23-3
configuring in Map view 35-23
deleting 12-9
disabling 12-20
editing 12-10
editing the EtherType 23-7
editing the mask 23-7
enabling 12-20
managing 23-1
moving 12-19
Transparent Rules page 23-3
understanding processing order 12-2
Transparent Rules page 23-3
transport protocols
device defaults 11-22
overview of device requirements 2-1
transport settings
AUS 2-8
Configuration Engine 2-8
SSH 2-5
SSL (HTTPS) 2-3
traps, SNMP
configuring for IPS sensors 36-8
IPS options 36-11, 36-13
trees
selecting items 1-45
Trend class map objects
creating 21-36
Trend parameter map objects
creating 21-36
properties 21-42
troubleshooting
AUS deployment 9-18
Catalyst switch and module deployment 9-16
Configuration Engine deployment 9-18
creating diagnostics file 10-28
CS-MARS queries 72-40
deleted FWSM contexts do not remove configuration files 59-7
deployment 9-9
device communication and deployment 9-1
device discovery failures 3-7
device managers 72-16
device managers, using 72-14
devices marked with red X in device selector 9-9
error attempting to remove unreferenced object 9-12
Event Manager service status 69-31
Event Viewer Unavailable message 11-27, 11-36, 69-30
FlexConfigs 7-38
FWSM multiple-context deployment failures 9-17
generating data for TAC 10-28
generating deployment or discovery status reports 10-30
GET VPN registration failure 29-9
global correlation (IPS) configuration 42-4
ignoring device errors during deployment 9-10
invalid certificate error 9-7
minimum memory errors for ASA 8.3+ 9-12
mixing deployment methods 9-14
Not able to connect to server message, Report Manager 70-36
online help, problems accessing 1-52
packet capture, using 72-30
packet tracer, using 72-23
policy objects not available in Event Viewer 69-68
preshared key policies in VPN not discovered 25-23
Report Manager 70-36
router connection failures 2-2
router deployment 9-14
Security Manager cannot contact device after deployment 9-12
SSL certificate errors 9-5, 9-6
user interface problems 1-51
VPN crypto traffic unexpectedly dropped on GET VPN interfaces 29-9
VPNs with routing processes 9-13
VRF-aware IPsec deployment failures on Catalyst 6500/7600 devices 25-17
trunk ports
Create and Edit Interface dialog boxes-Trunk Port mode 68-14
understanding 68-5
Trusted Transitive Introduction (TTI)
use in SDP policies 63-81
TrustSec
Add/Edit Connection Peer dialog box 14-13
configuring connection peers 14-13
configuring ISE settings 11-56
configuring SXP 14-8
configuring SXP connection peers 14-12
security group objects
creating 14-14
SGT role mapping 14-11
TrustSec firewall policies
configuring 14-7
configuring rules 14-17
managing 14-1
TrustSec policies
monitoring 14-17
TrustSec security group objects
selecting 14-16
U
Unassign Policy command 1-32
Undock Map View command 1-33
unicast rekey in GET VPN 29-6
Unicast Reverse Path Forwarding 57-1, 57-3
unicast reverse path forwarding
enabling on routers 62-20
Unshare Policy command 1-32
Unspecified Bit Rate (UBR) 62-49
Unspecified Bit Rate Plus (UBR+) 62-49
Update Level dialog box 39-9, 39-13
updating images on devices 73-20
Updating Licenses from File dialog box 11-61
Updating Licenses via CCO dialog box 11-60
URLF Glob parameter map objects
metacharacters 21-46
properties 21-45
URL Filter parameter map objects
creating 21-36
properties 21-43
usage reports
generating 6-15
user accounts
configuring IPS 36-18
configuring IPS password requirements 36-20
discovery and deployment of IPS 36-17
IPS account attributes 36-19
managing IPS device 36-15
PIX/ASA/FWSM 51-7
add/edit 51-7
rolling back configurations 8-64
understanding IPS user roles 36-15
understanding managed and unmanaged passwords 36-16
User Accounts policy, IPS devices 36-18
user group objects
advanced PIX 6.3 settings 34-82
browser proxy settings 34-87
clientless settings 34-83
client VPN software update (IOS) settings 34-81
DNS/WINS settings 34-77
general settings 34-75
IOS client settings 34-78
IOS Xauth settings 34-80
split tunneling settings (Easy VPN/remote access IPSec VPN) 34-77
SSL VPN connection settings 34-88
SSL VPN full tunnel settings 34-84
SSL VPN split tunneling settings 34-86
technology settings 34-73
thin client settings 34-84
user group policies
configuring for Easy VPN 28-14
configuring for remote access IPsec VPNs on IOS/PIX 6.3 33-13
User Group Policy page 33-13
user identity acquisition 13-2
user interface
applications overview 1-6
basic features 1-29
dialog box too big for screen 1-52
freezing 1-51
how permissions affect what you can do 1-11
Java errors 1-52
maps toolbar reference 35-4
map view 35-1
menu reference for Configuration Manager 1-29
missing text 1-52
overview of Configuration Manager 1-14
rules tables 12-8
searching for items 1-42
selecting items in a tree 1-45
selecting or specifying files 1-50
table
columns and headings 1-49
sections 12-20
tables 1-48
text fields
ASCII limitations 1-50
finding text in multiple-line 1-50
navigating 1-50
using 1-49
toolbars
Configuration Manager 1-39
event table in Event Viewer 69-16
troubleshooting 1-51
wizards 1-47
user login credentials for device access 3-4
user passwords
changing 10-24
user preferences
PIX/ASA/FWSM 60-1
Deployment page 60-1
Transactional Commit page 60-2
user roles, IPS 36-15
users
how permissions affect what you can do 1-11
taking over configuration session 10-23
User Statistics
MPC rule wizard
tab 58-8
user statistics, collecting 13-25
user taskflow 1-19
V
Validate Activity command 1-36
Validate command 1-30
Validate Ticket command 1-37
Validation dialog box 4-18
validation error messages 4-18
Values Assignment dialog box 7-37
Variable Bit Rate-Non-Real Time (VBR-nrt) 62-49
Variable Bit Rate-Real Time (VBR-rt) 62-49
variables
deleting FlexConfig 7-28
FlexConfig objects 7-5, 7-6
changing variable values 7-35
VDI servers 34-15
Velocity Engine error message 7-38
Velocity Template Engine
scripting language 7-3
View Changes command 1-30, 1-36, 1-37
viewing interface allocations 59-12
View menu
Configuration Manager 1-31
Event Viewer 69-10
views
Device 1-15
Event Viewer
clearing filters 69-48
column based filters 69-45
event based filters 69-47
filtering overview 69-43
refreshing event table 69-44
selecting time range 69-43
switching between real-time and historical 69-42
text searches (quick filter) 69-47
using time slider with filtering 69-44
HPM 71-21
column-based filters 71-17
Map 1-18
overview 1-14
Policy 1-16
views (Event Viewer)
arranging 69-38
configuring color rules 69-40
creating custom 69-41
customizing event table appearance 69-39
deleting custom 69-43
editing description 69-41
editing name 69-41
Event Monitoring window overview 69-14
Event Viewer overview 69-7
floating 69-38
list 69-12
opening 69-38
overview 69-3
saving 69-42
using 69-37
virtual ASA
about 46-1
virtual channel identifier (VCI) 62-47
virtual firewalls
See security contexts
virtual fragment reassembly (VFR) 62-19
virtual path identifier (VPI) 62-47
Virtual Routing Forwarding (VRF)
VRF-Aware IPsec 25-14
virtual sensors
advantages 38-3
assigning interfaces 38-4
attributes 38-7
configuring 38-1, 38-5
deleting 38-10
discovering policies 5-14
editing policies 38-9
identifying 38-5
inline TCP session tracking mode 38-3
Normalizer mode 38-4
renaming 38-8
restrictions 38-3
showing containment 3-56
understanding 38-1
Virtual Sensors page 38-5
virtual terminal (VTY)
Cisco IOS routers
defining AAA settings 63-40
defining line groups 63-38
defining line setup parameters 63-38
virtual terminal (VTY) lines
Cisco IOS routers
VTY Line dialog box 63-51
VTY Policy page 63-50
VLAN
configuring IPS groups 37-15
configuring IPS inline pairs 37-14
VLAN ACLs (VACLs)
defining 68-37
deleting 68-38
understanding 68-36
VLAN access maps 68-37
VLANs
Catalyst switches and 7600 Series routers
Create and Edit VLAN ACL Content dialog boxes 68-41
Create and Edit VLAN ACL dialog boxes 68-41
Create and Edit VLAN dialog boxes 68-28
defining 68-26
defining Data Port for IDSM 68-46
defining EtherChannel for IDSM 68-44
defining groups 68-32
defining VACLs 68-37
deleting 68-27
deleting Data Port for IDSM 68-47
deleting EtherChannel for IDSM 68-45
deleting groups 68-33
deleting VACLs 68-38
Interfaces/VLANs page-VLANs tab 68-27
understanding 68-25
understanding VACLs 68-36
understanding VLAN groups 68-31
VLAN Access Lists page 68-39
VPDN groups 46-72
VPN
configuring policy defaults 11-74, 25-12
mixing deployment methods 9-14
policy discovery restriction for web VPNs 3-8
Report Manager reports
general VPN reports 70-16
VPN top reports 70-16
system variables 7-14
traffic sent unencrypted 9-15
updating routing processes 9-13
using device overrides to customize VPN policies 25-13
zone-based firewall 21-6
VPN default policies
configuring 25-12
factory defaults 25-12
understanding 25-12
VPN discovery
prerequisites 25-21
procedure 25-24
rules 25-22
supported and unsupported technologies and topologies 25-20
understanding 25-20
VPN global settings
GET VPN
VPN Global Settings for GET page 29-16
VPN Global Settings policy
General Settings tab 26-31, 26-44
IKEv2 tab 26-37
ISAKMP/IPsec tab 26-33
NAT Settings tab 26-42
VPN Peers dialog box 35-22
VPN Policy Defaults page 11-74
VPN rediscovery 25-27
VPNs
AAA services 48-4
ASA devices
configuring bookmarks 31-82
configuring portal appearance 31-78
configuring WINS servers for file system access 31-88
customizing 31-77
post URL method and macro substitutions in bookmarks 31-84
smart tunnels 31-85
configuring remote access using wizard 30-13
creating in Map view 35-21
Easy VPN
connection profiles 28-13
connection profiles (ASA, PIX 7+) 31-8
IOS devices
configuring bookmarks 31-82
configuring WINS servers for file system access 31-88
IPsec
access policies for IKEv2 (ASA), configuring 31-49
access policies for IKEv2 (ASA), reference 31-45
access policies for IKEv2 (ASA), understanding 31-44
certificate to connection profile map policy (IKEv1) 31-36
certificate to connection profile map rules (IKEv1) 31-37
cluster load balancing 31-5
configuring IKE and IPsec policies 26-1
connection profiles 31-7
connection profiles (ASA, PIX 7+) 31-8
creating on ASA/PIX 7.0+ 30-25
creating on IOS/PIX 6.3+ 30-36
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
Dynamic VTI/VRF Aware IPsec settings 33-7
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
high availability policies 33-11
IKE proposals 26-9
IKEv2 authentication 26-68, 26-70, 26-72
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
NAT settings 26-42
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
understanding IKE 26-5
understanding NAT settings 26-41
user group policies for IOS, PIX 6.3 33-13
VPNSM, VPN SPA, VSPA settings 33-6
IPsec proposals
attributes for ASA and PIX 7.0+ devices 31-41
attributes for IOS and PIX 6.3 devices 33-4
configuring for ASA and PIX 7.0+ devices 31-40
configuring for IOS and PIX 6.3 devices 33-3
Map view 35-20
policy discovery 5-12
remote access
access modes 30-4
device support 30-8
discovering 30-12
managing 30-1
managing (ASA, PIX 7.0+) 31-1
managing (IOS, PIX 6.3) 33-1
SSL 31-43
remote access IPSec
understanding 30-2
remote access SSL
example 30-3
limitations 30-8
managing support files 30-5
prerequisites 30-7
understanding 30-2
shared policies 5-4
site-to-site
configuring IKE and IPsec policies 26-1
policies overview 25-8
site-to-site VPNs 25-1
SSL
access policies (ASA), configuring 31-49
access policies (ASA), reference 31-45
access policies (ASA), understanding 31-44
advanced settings (ASA) 31-72
AnyConnect client image settings (ASA) 31-65
AnyConnect client settings (ASA) 31-62, 31-64
AnyConnect custom attributes (ASA) 31-70, 31-71
browser plug-ins (ASA) 31-60
cluster load balancing 31-5
configuring HTTP/HTTPS proxies and proxy bypass (ASA) 31-57
connection profiles 31-7
connection profiles (ASA) 31-8
content rewrite rules (ASA) 31-53
Context Editor dialog box (IOS) 33-15, 33-16
creating on ASA 30-14
creating on IOS devices 30-32
dynamic access policies 32-1, 32-2
dynamic access policy (DAP) attributes 32-4, 32-7
Dynamic Access policy page (ASA) 32-11
encoding rules (ASA) 31-55
fragmentation settings 26-31, 26-44
global settings 26-30
group policies, configuring 31-26
group policies, creating 31-28
group policies, understanding 31-27
IKEv2 settings 26-37
ISAKMP/IPsec settings 26-33
Kerberos Constrained Delegation (KCD on ASA) 31-66, 31-69
NAT settings 26-42
other settings (ASA) 31-51
performance settings (ASA) 31-52
policies (IOS) 33-14
proxy bypass rules (ASA) 31-59
public key infrastructure (PKI) policies 26-56
secure desktop manager policies 32-9
server certificate verification (ASA) 31-30, 31-32, 31-73
shared license (ASA) 31-74
shared license clients (ASA) 31-76
shared license servers (ASA) 31-77
understanding NAT settings 26-41
wizard 30-13
understanding 30-1
VPN Service Port Adapters (VSPAs)
configuring 25-42
VPN Services Module (VPNSM)
configuring 25-42
VPN Shared Port Adapter (VPN SPA)
configuring 25-42
VPNSM/VPN SPA/VSPA Settings dialog box 33-6
VPN Summary page 25-63
VPN topologies
accessing 25-17
assigning initial policies to new 25-62
assigning shared policies 5-44
cloning device VPN assignments 3-56
cloning shared policies 5-47
configuring dial backup 25-40
configuring GET VPN peers 25-60
configuring in Device view 25-19
creating or editing 25-28
creating or editing Extranet 25-66
defining endpoints and protected networks 25-34
defining GET VPN group encryption 25-54
deleting 25-71
discovering 25-20, 25-24
full mesh 25-4
hub-and-spoke 25-2
including unmanaged or non-Cisco devices 25-11
joined hub-and-spoke 25-5
locking 5-10
naming 25-30
partial mesh 25-5
point-to-point 25-3
rediscovering 25-27
removing devices 25-32
renaming policies 5-48
repairing discovered VPNs with multiple spoke definitions 25-26
selecting devices 25-32
tiered hub-and-spoke 25-5
unassigning policies 5-36
understanding 25-2
unsharing policies 5-43
using device overrides to customize VPN policies 25-13
viewing summary of VPN configuration 25-63
VRF-Aware IPsec
changing on Catalyst switches and 7600 routers 25-17
configuring 25-48
one-box solution 25-14
two-box solution 25-15
understanding 25-14
VRF-Aware IPsec tab (site-to-site VPN) 25-48
VTP modes, for Catalyst switches 68-1
VTY Line dialog box 63-51
Accounting tab 63-57
Authentication tab 63-55
Authorization tab 63-56
Setup tab 63-52
W
WAN interface card (WIC) 62-36
Warning - Partial VPN Deployment dialog box 8-31
warnings
significance of 2-lxiii
Web Filter policy map objects
creating 21-36
match conditions and actions 21-35
properties 21-47
web filter rules
ACL naming conventions 12-5
ASA/FWSM/PIX
converting IPv4 12-28
deleting 12-9
editing 12-10
moving 12-19
attributes (IOS) 18-13
configuring exclusive domains for IOS devices 18-10
configuring for ASA, PIX, FWSM devices 18-2
configuring for IOS devices 18-10
configuring in Map view 35-23
disabling 12-20
enabling 12-20
exclusive domain names (IOS) 18-14
managing 18-1
preserving ACL names 12-4
understanding 18-1
understanding NAT effects 12-3
understanding processing order 12-2
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-12
web filter server properties 18-19
Web Filter Rules page (ASA/FWSM/PIX) 18-3
Web Filter Rules page (IOS) 18-12
Web Filter Server Configuration dialog box 18-19
web filter servers
attributes 18-19
configuring settings 18-15
configuring settings in Map view 35-24
configuring zone-based firewall settings in Map view 35-24
Web Filter settings page 18-16
Websense
configuring for web filter rules policies 18-15, 18-19
configuring for zone based firewall rules policies 21-36, 21-39, 21-41
Websense class map objects
creating 21-36
match criteria 21-30
Websense parameter map objects
creating 21-36
properties 21-39
web VPN
policy discovery restriction 3-8
Weighted Random Early Detection (WRED) 66-4
Whitelist/Blacklist tab 19-14
windows
arranging report 70-30
arranging views 69-38
closing report 70-32
undocking maps 35-2
Windows Messenger class map objects
creating 21-16
match criteria 21-21
Windows NT servers
use by ASA, PIX, and FWSM devices 6-29
Windows Server 2012 security settings 10-2
WINS Server Lists objects
attributes 34-90
creating 31-88
wizard
installation manager 73-26
wizards
configuring remote access SSL VPNs on ASA devices 30-14
configuring remote access SSL VPNs on IOS devices 30-32
configuring remote access VPNs 30-13
Copy Policies 5-33
Create Extranet VPN Topology 25-66
Create VPN Topology 25-28
creating remote access IPsec VPNs on ASA/PIX 7.0+ devices 30-25
creating remote access IPsec VPNs on IOS/PIX 6.3 devices 30-36
creating user group policies 30-20
Discover VPN policies 25-24
New Device 3-6
Rediscover VPN policies 25-27
Share Policies 5-42
wizards, using 1-47
workflow
overview 1-20
Workflow mode
changing modes 1-28
comparing with non-Workflow mode 1-22
configuration files
deploying 8-34, 8-39
previewing 8-44
configurations
rolling back 8-69
creating activities 4-14
deployment
viewing device details 8-26
viewing job history 8-26
jobs
aborting 8-55
approving 8-39
discarding 8-41
rejecting 8-39
states 8-6
submitting 8-38
opening activities 4-15
understanding 1-21
workflow modes
changing 1-28
comparing 1-22
Workflow Settings page 11-75
working with 3-59
worms
configuring IPS anomaly detection signatures 41-4
understanding 41-2
understanding IPS anomaly detection 41-1
understanding when to turn off anomaly detection 41-4
X
xdm-launcher.exe
device manager 72-16
XLATE table
clearing on deployment 60-1
Y
Yahoo Messenger class map objects
creating 21-16
match criteria 21-21
Z
zone-based firewall
add/edit zones 21-53
advanced options 21-67
changing the default drop rule 21-48
configuring PAM 21-69
configuring rules 21-13, 21-62
configuring settings 21-49
configuring settings in Map view 35-24
Content Filter tab 21-52
designing network zones 21-1
development overview 21-12
general recommendations 21-12
Global Parameters tab 21-50
IPSec VPN 21-6
logging 21-1
overview 21-1
page 21-50
preserving ACL names 12-4
protocol selection 21-68
restrictions 21-3
rules table 21-58
Self zone 21-5
tabs 21-49
troubleshooting 21-54
understanding 21-3
understanding NAT effects 12-3
understanding permit/deny and action 21-8
understanding processing order 12-2
understanding services and protocols 21-11
VPN tab 21-50
VRF 21-7
WAAS tab 21-50
Zones tab 21-50
zone-based firewall rules
configuring in Map view 35-23
deleting 12-9
disabling 12-20
editing 12-10
enabling 12-20
moving 12-19
zone-based firewall rules policies
blocking spam using zone-based firewall rules 21-27
configuring map objects for content filtering rules 21-36
configuring map objects for inspection rules 21-16
creating zones 6-74
inspection parameters 21-31
match conditions for IM applications 21-21
match conditions for P2P applications 21-21
preventing SMTP DoS attacks 21-27
protocol information for IM application inspection 21-33
understanding interface role objects 6-73
Zone Contents dialog box 12-14
zones
creating 6-74
understanding interface role objects 6-73
zones, anomaly detection 41-3
Zoom In command 1-33
Zoom Out command 1-33