- User Guide for Cisco Security Manager 4.8
Configuring Security Manager Administrative Settings
Security Manager has default settings for many system functions that you can change if they do not fit the needs of your organization. To view and change these settings, select Tools > Security Manager Administration. You can then select items from the table of contents on the left of the window to view the default settings related to that item.
On most pages, when you change a setting, you must click Save to save your changes. If you make a mistake, you can click Reset to return the values to the previously saved values. You can also click Restore Defaults to return the settings to the Security Manager defaults.
Besides the pages that contain system defaults, the Security Manager Administration window includes items that relate to system administration activities, such as taking over another user’s work or obtaining access to pages in Common Services to perform server security tasks.
The following topics describe the settings and actions available on each of the pages available in the Security Manager Administration window:
- API Settings Page
- AutoLink Settings Page
- CCO Settings Page
- Configuration Archive Page
- CS-MARS Page
- CSM Mobile Page
- Customize Desktop Page
- Debug Options Page
- Deployment Page
- Device Communication Page
- Device Groups Page
- Discovery Page
- Event Management Page
- Health and Performance Monitor Page
- Report Manager Page
- Identity Settings Page
- Image Manager Page
- IP Intelligence Settings Page
- Eventing Notification Settings Page
- IPS Updates Page
- ISE Settings Page
- Licensing Page
- Logs Page
- Policy Management Page
- Policy Objects Page
- Process Monitoring Settings Page
- Single Sign-on Configuration Page
- Rule Expiration Page
- Server Security Page
- Take Over User Session Page
- Ticket Management Page
- Token Management Page
- VPN Policy Defaults Page
- Workflow Page
- Wall Settings Page
API Settings Page
The Security Manager API Settings page lets you enable or disable the API service and change its settings.
Click Tools > Security Manager Administration and select API from the table of contents.
AutoLink Settings Page
The Security Manager Map view provides a graphical view of your VPN and layer 3 network topology. Using device nodes to represent managed devices and map objects to represent unmanaged objects such as devices, clouds, and networks, you can create topology maps with which to study your network. AutoLink settings enable you to exclude any one of five private or reserved networks from Map view. For example, you might want to exclude any test networks that are not relevant to the management tasks you are using Security Manager to perform.
Click Tools > Security Manager Administration and select AutoLink from the table of contents.
ACL Hit Count Settings Page
The Security Manager ACL Hit Count Settings page enables you to configure and change the settings for Hit Count. This feature is available in Security Manager version 4.9 and later for ASA and ASASM devices.
Click Tools > Security Manager Administration and select ACL Hit Count Settings from the table of contents.
CCO Settings Page
Use the CCO Settings page to configure the settings used to connect to Cisco.com.
Also, use the CCO Settings page for certificate trust management. (Security Manager downloads ASA images from Cisco.com over HTTPS, which uses certificates for establishing trust.) The certificate trust management feature on the Image Manager page is new in Security Manager 4.4. It improves the handling of Cisco.com certificates for ASA image downloads:
- You can use it to view a certificate and use discretion in accepting it.
- After you accept a certificate, it is stored on your Security Manager server.
- You can see all your certificates in a summary table on the Image Manager page, and you can use that table to view or remove certificates.
Tip Please be sure to refer to "Retrieve Certificate" in the table below.
For detailed documentation of the certificate trust management feature, refer to Certificate Trust Management.
Select Tools > Security Manager Administration and select CCO Settings from the table of contents.
Configuration Archive Page
Use the Configuration Archive page to define the default settings for the Configuration Archive tool, including how many configuration versions to save and the TFTP server to use for rolling back Cisco IOS software device configurations.
Click Tools > Security Manager Administration and select Configuration Archive from the table of contents.
CS-MARS Page
Use the CS-MARS page to register the Cisco Security Monitoring, Analysis and Response System servers that are monitoring your devices with Security Manager. By registering your CS-MARS servers, you can view messages and events captured in CS-MARS based on a device’s firewall access rules or IPS signature rules configured in Security Manager. You must register a CS-MARS server before users can see events collected from it.
Tip If you are using CS-MARS global controllers, add them instead of the individual local controllers. By adding global controllers, Security Manager can identify the correct local controller for a device automatically, without you having to add each of the local controllers. This simplifies your CS-MARS configuration in Security Manager.
Select Tools > Security Manager Administration and select CS-MARS from the table of contents.
- The CS-MARS servers that are registered with Security Manager.
- The type of credentials Security Manager should use to log into CS-MARS when obtaining event information:
New or Edit CS-MARS Device Dialog Box
Use the New or Edit CS-MARS Device dialog box to register a CS-MARS server with Security Manager. Users can obtain messages or event status for a device’s firewall or IPS policies from the CS-MARS server that is monitoring the device. For more information, see Registering CS-MARS Servers in Security Manager.
From the CS-MARS Page, click the Add button to add a new server, or select a server and click the Edit button.
CSM Mobile Page
Use the CSM Mobile page of the Security Manager Administration window to enable or disable the CSM Mobile feature in Cisco Security Manager. If the CSM Mobile feature is enabled, users can access device health and summary information from mobile devices by navigating to the following link, where <SecManServer> is the DNS name or IP address of the Security Manager server:
https://<SecManServer>/mobile/
https://<SecManServer>/mobile
For more information about the types of information provided, see Dashboard Overview.
For more information about CSM Mobile, see CSM Mobile.
Click Tools > Security Manager Administration and select CSM Mobile from the table of contents.
Customize Desktop Page
Use the Customize Desktop page to control whether Security Manager applications close automatically after being idle for a specified time, to reset whether you are prompted to verify your actions in certain circumstances, and to control whether certain file operations can be performed on the Security Manager client.
Select Tools > Security Manager Administration and select Customize Desktop from the table of contents.
- Installing Security Manager License Files
- Importing Policies or Devices
- Exporting the Device Inventory from the Security Manager Client
- Exporting Shared Policies
- Selecting IPS License Files
Debug Options Page
Use the Debug Options page to configure the severity level of messages to include in debugging logs and to determine what other debugging information is collected.
You should change debugging levels only if the Cisco Technical Assistance Center (TAC) asks you to change them. This makes it possible for you to include more detailed information in the CSMDiagnostics.zip file.
After you change the message level for the appropriate subcomponent, redo the actions that are resulting in system problems. After the problems occur, create the CSMDiagnostics.zip file (or the CSMDiagnostics_light.zip file) by selecting Tools > Security Manager Diagnostics... > General Diagnostics... (or Tools > Security Manager Diagnostics... > Light Diagnostics...). You can then reset the debug options to the default levels so that the Security Manager server does not become bogged down collecting extra debug information. For more information about generating the CSMDiagnostics.zip file, see Creating Diagnostics Files for the Cisco Technical Assistance Center.
By default, logs contain messages of the Error severity or worse. The severity levels in order of severity are:
- Severe—Problems that make the system unusable.
- Error—Problems from which Security Manager cannot recover.
- Warning—Unexpected conditions from which Security Manager can recover.
- Info—Informational messages.
- Debug—Internal status information.
Select Tools > Security Manager Administration, then select Debug Options from the table of contents.
Deployment Page
Use the Deployment page to define the default methods by which Security Manager deploys configurations to devices. You can override some of these settings when you create deployment jobs.
Select Tools > Security Manager Administration and select Deployment from the table of contents.
- The maximum number of days the system should keep debugging files. Debug files are automatically deleted. If you decrease the number of days, you can click Purge Now to immediately delete all debugging files older than the number of days specified.
- The method to use as the default method for deploying configurations to devices. You can override this method when you create deployment jobs.
- How Security Manager should respond when it detects that changes were made directly on the device CLI since a configuration was last deployed to the device. Out-of-band change detection works correctly only when deploying to the device, not to a file, and applies only when the deployment method is configured to obtain the reference configuration from the device (see the Reference Configuration settings below). This setting specifies the default action, which you can override when you create deployment jobs. You can choose one of the following: For a more complete discussion of out-of-band change handling, see Understanding How Out-of-Band Changes are Handled. Note For devices in which failover is not configured, if you select the Cancel Deployment option when out-of-band changes are detected, the bootstrap configuration may cause deployments to fail. For deployments to be successful, you must configure failover before discovering the device in Security Manager.
- The configuration that Security Manager uses to compare new policies against the previous configuration for the device, if you are deploying the configuration to a file on the Security Manager server. After comparing the configurations, Security Manager generates the correct CLI for deployment.
- The configuration that Security Manager uses to compare new policies against the previous configuration for the device, if you are deploying the configuration directly to the device (or to a transport server). After comparing the configurations, Security Manager generates the correct CLI for deployment.
- Whether deployments to devices should continue even if there are minor device configuration errors.
- Whether to save the running configuration to the startup configuration (using the write memory command) after deploying a configuration to a device. This applies to PIX, FWSM, ASA, and Cisco IOS devices. If you deselect this check box, the startup configuration is not changed, which means your configuration changes will be lost if the device reloads for any reason.
- Whether the list of changed devices you see when you create a deployment job has all changed devices preselected. If you deselect this option, users must manually select the devices to include in the deployment job.
- Whether the deployment job and schedule status information should be automatically refreshed in the Deployment Manager window. If you deselect this option, you must click the Refresh button to refresh the information manually.
- Whether to have Security Manager delete files related to the SSL VPN configuration from the device if the files are no longer referred to by the device’s SSL VPN configuration. If you deselect this option, unused files remain on the device after deployment.
- Mask Passwords and Keys When Viewing Configs and Transcripts: The conditions, if any, under which Security Manager masks the following items so that they cannot be read: passwords for users, enable mode, Telnet, and console; SNMP community strings; keys, including those for TACACS+, preshared key, RADIUS server, ISAKMP, failover, web VPN attributes, logging policy attributes, AAA, AUS, OSPF, RIP, NTP, logging FTP server, point-to-point protocol, Storage Key, single sign-on server, load balancing, HTTP/HTTPS proxy, and the IPsec shared key.
- Whether to deploy FlexConfigs only one time after creation or modification of a FlexConfig, or to deploy all FlexConfigs with each deployment. This option is selected by default. Note If you have FlexConfigs that need to be deployed with each deployment, you must disable this option. After changing this setting, you must manage one-time FlexConfigs by deleting them after they have been deployed.
- How firewall rules are deployed. You can choose one of the following: Note For FWSM devices, this option affects processing only if you also select the Let FWSM Decide When to Compile Access Lists option.
- How ACL names are deployed to devices if the access rule does not have a name in Security Manager.
- Whether Security Manager should share a single access control list (ACL) for an access rule policy with more than one interface. If you do not select this option, Security Manager creates unique ACLs for every interface to which you apply an IPv4 or IPv6 access rule policy. The sharing of ACLs is done only for ACLs created by access rule policies. If you select this option, Security Manager evaluates the access rules policy for each interface and deploys the minimum number required to implement your policy while preserving your ACL naming requirements. For example, if you use an interface role to assign the same rules to four interfaces, you specify Reset to CS-Manager generated names for the Firewall Access-List Names property, and you do not specify ACL names for the interfaces in the access control settings policy, only a single ACL is deployed, and each interface uses that ACL. If you select this option, keep the following in mind:
- Whether to have the Firewall Services Module (FWSM) automatically determine when to compile access lists. Selecting this option might increase deployment speed, but traffic might be disrupted and the system might become incapable of reporting ACL compilation error messages. If you select this option, you can use the Optimize the Deployment of Access Rules For Traffic setting to mitigate potential traffic disruptions. When deselected, Security Manager controls ACL compilation to avoid traffic interruption and to minimize peak memory usage on the device.
- Whether to delete from devices, during deployment, any access lists that are not being used by other CLI commands managed by Security Manager. Note After enabling this option, Security Manager will remove access lists during deployment that are not used in any policies managed or discovered by Security Manager. If any policy that is NOT discovered or managed by Security Manager is using such an access list, Security Manager will still attempt to delete that object during deployment. This also applies to access lists that are used in FlexConfigs but are not used in any other policies managed by Security Manager.
- Whether to display ACL warning messages and remarks during deployment.
- Whether to deploy the section name under which access rules are organized. This option ensures that if a device is discovered or rediscovered, the section names will not be lost.
- Whether to deploy the rule number used in the Cisco Security Manager user interface. This option helps in correlating an access rule in a device configuration to its position in the rule table.
- Remove Unreferenced Object Groups from Device (PIX, ASA, FWSM, IOS 12.4(20)T+): Whether Security Manager should remove from devices, during deployment, object groups that are not being used by other CLI commands managed by Security Manager. Object groups include network/host, service, and identity user groups. Note After enabling this option, Security Manager will remove objects during deployment that are not used in any policies managed or discovered by Security Manager. If any policy that is NOT discovered or managed by Security Manager is using such an object, Security Manager will still attempt to delete that object during deployment. In such cases, deployment will fail with a transcript error indicating that it was unable to delete the object.
- Create Object Groups for Policy Objects (PIX, ASA, FWSM, IOS 12.4(20)T+): Whether Security Manager should create object groups, such as network objects, service group objects, and identity user group objects, to replace comma-separated values in a rule table cell for the indicated devices. When deselected, Security Manager flattens the object groups to display the IP addresses, sources and destinations, users, ports, and protocols for these devices. If you select this option, you can also select these options:
  - Create Object Groups for Multiple Sources, Destinations or Services in a Rule (PIX, ASA, FWSM, IOS 12.4(20)T+)
  - Optimize Network Object Groups During Deployment (PIX, ASA, FWSM, IOS 12.4(20)T+)
- Remove Unreferenced Signature and Event Action Variables from IPS Device (IPS Parameters object group): Whether to delete the unused variables from the sensor (IPS device) configuration during the next deployment. IPS Event and Signature Variables are defined as policy objects in Security Manager. Disabled by default (the check box is cleared by default); that is, unreferenced variables are not removed. Applies to the following variables; applies to both IPv4 and IPv6:
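As an added illustration of the Mask Passwords and Keys When Viewing Configs and Transcripts setting described above (example code written for this page, not Security Manager's own implementation), the following Python masks the secret-bearing IOS/ASA commands in a transcript before it is shown to a user. The command forms covered, the mask token, and the sample transcript are all constructed assumptions; the categories follow the list the setting gives (user and enable passwords, SNMP community strings, TACACS+, RADIUS, ISAKMP preshared, NTP, failover, OSPF and RIP keys).

```python
import re

# Each pattern captures the secret in the named group "secret". These command
# forms are assumptions covering a subset of the categories the setting lists.
MASK_RULES = [
    # user and enable passwords/secrets, with an optional encryption-type digit
    r"^\s*(?:enable|username\s+\S+(?:\s+privilege\s+\d+)?)\s+(?:password|secret)(?:\s+\d+)?\s+(?P<secret>\S+)",
    # SNMP community strings
    r"^\s*snmp-server\s+community\s+(?P<secret>\S+)",
    # TACACS+ and RADIUS shared keys, global or per host
    r"^\s*(?:tacacs|radius)-server\s+(?:host\s+\S+\s+)?key(?:\s+\d+)?\s+(?P<secret>\S+)",
    # ISAKMP preshared keys
    r"^\s*crypto\s+isakmp\s+key(?:\s+\d+)?\s+(?P<secret>\S+)",
    # NTP authentication keys
    r"^\s*ntp\s+authentication-key\s+\d+\s+md5\s+(?P<secret>\S+)",
    # ASA failover key
    r"^\s*failover\s+key(?:\s+\d+)?\s+(?P<secret>\S+)",
    # OSPF interface authentication keys (simple password and MD5)
    r"^\s*ip\s+ospf\s+(?:authentication-key|message-digest-key\s+\d+\s+md5)(?:\s+\d+)?\s+(?P<secret>\S+)",
    # key-string entries inside key chains (used by RIP authentication)
    r"^\s*key-string(?:\s+\d+)?\s+(?P<secret>\S+)",
]
COMPILED_RULES = [re.compile(pattern) for pattern in MASK_RULES]
MASK = "*****"  # assumed replacement token

# Constructed sample transcript (not from the original page); every secret is fake.
SAMPLE_TRANSCRIPT = """\
hostname edge-fw
enable password 7 094F471A1A0A
username admin privilege 15 secret 5 $1$abcd$constructedhash
snmp-server community public RO
tacacs-server host 10.0.0.5 key tacacs-secret
radius-server host 10.0.0.6 key radius-secret
crypto isakmp key vpn-psk address 203.0.113.10
ntp authentication-key 1 md5 ntp-secret
failover key failover-secret
key chain RIPKEYS
 key 1
  key-string rip-secret
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip ospf authentication-key ospf-secret
"""


def mask_line(line: str) -> str:
    """Return the line with its secret replaced by MASK; lines without a secret pass through."""
    for rule in COMPILED_RULES:
        match = rule.match(line)
        if match:
            start, end = match.span("secret")
            return line[:start] + MASK + line[end:]
    return line


def mask_transcript(text: str) -> str:
    """Mask every line of a configuration or deployment transcript."""
    return "\n".join(mask_line(line) for line in text.splitlines())


def count_masked(text: str) -> int:
    """Number of lines in which a secret was masked, useful for auditing rule coverage."""
    return sum(1 for line in text.splitlines() if mask_line(line) != line)


if __name__ == "__main__":
    print(mask_transcript(SAMPLE_TRANSCRIPT))
    print(f"masked {count_masked(SAMPLE_TRANSCRIPT)} lines")
```

Because each pattern is anchored to a command form rather than to the secret's shape, the masking holds for encrypted (type 5/7) values too, which is the case a naive "hide anything that looks like a password" filter tends to miss.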
Device Communication Page
Use the Device Communication page to define default settings for communicating with devices. These settings mainly affect device inventory and policy discovery and configuration deployment. You can override the transport settings for individual devices in the device properties for the device.
If you change the transport protocol settings, ensure that your devices are appropriately configured to accept those types of connections.
Select Tools > Security Manager Administration and select Device Communication from the table of contents.
- Adding Devices to the Device Inventory
- Chapter 3, “Managing the Device Inventory”
- Chapter 2, “Preparing Devices for Management”
- Viewing or Changing Device Properties
- The number of seconds that Security Manager has to establish a connection with a device before timing out.
- The number of times that Security Manager should try to establish a connection to a device before concluding that the connection cannot be completed. The default value is 3.
- For SSH and Telnet sessions, the maximum number of seconds Security Manager can wait for incoming data before concluding that the connection is lost.
- The default transport protocol for IPS sensors and routers that include the IPS feature. The default is HTTPS.
- The default transport protocol for routers that run Cisco IOS software release 12.3 and above. The default is HTTPS.
- The default transport protocol for Catalyst 6500/7600 devices and all other Catalyst switches, regardless of the Cisco IOS software version running on the devices. The default is SSH.
- The default transport protocol for routers that run Cisco IOS software releases 12.1 and 12.2. The default is Telnet.
- The type of credentials Security Manager should use when accessing devices. For more information, see Understanding Device Credentials.
- Device Authentication Certificates (IPS) and Device Authentication Certificates (Router): How to handle device authentication certificates for SSL (HTTPS) communications. You can configure different behaviors for different types of devices, but the settings have the same meaning:
- For devices that use SSL, whether to obtain the certificate installed on an IPS device, firewall device, FWSM, ASA, or Cisco IOS router from the device when you roll back the configuration on the device.
- The default port number that the device uses for secure communication with Security Manager (as well as other management applications that use these protocols). This value overrides the HTTPS port number that you configure in the HTTP policy for a device. Note If you configure the local HTTP policy to be a shared policy and assign the HTTP policy to multiple devices, the HTTPS port number setting in the shared policy overrides the port number configured in the Device Properties Credentials page for all devices to which the policy is assigned. In addition to providing access to the device through the Cisco web browser user interface, the HTTPS port number is used by device management applications (such as the Cisco Router and Security Device Manager (SDM)) and monitoring tools to communicate with the device. Note The security appliance can support both SSL VPN connections and HTTPS connections for device manager administrative sessions simultaneously on the same interface. Both HTTPS and SSL VPN use port 443 by default. Therefore, to enable both HTTPS and SSL VPN on the same interface, you must specify a different port number for either HTTPS or WebVPN. An alternative is to configure SSL VPN and HTTPS on different interfaces.
- Whether Security Manager can overwrite the SSH key for a device when it changes on the device. For SSH connections, a correct key is required for successful communication. Deselect this check box with caution, and only if you require a greater level of security: when it is deselected, Security Manager does not communicate with the device if the keys are changed on the device.
Add Certificate Dialog Box
Use the Add Certificate dialog box to add device certificates manually for devices that use the SSL transport protocol (firewall devices, FWSMs, ASAs, IPS devices, and Cisco IOS devices). Adding the device certificates manually gives you the highest level of security because then an intruder is prevented from introducing a fraudulent certificate thumbprint. Device certificates are stored in the database to be used for device authentication.
For more information about manually adding SSL certificates, see Manually Adding SSL Certificates for Devices that Use HTTPS Communications.
Select Tools > Security Manager Administration, select Device Communication from the table of contents, and click Add Certificate.
Device Groups Page
Use the Device Groups page to manage the device groups and group types defined in the device inventory.
Select Tools > Security Manager Administration, then select Device Groups from the table of contents.
Discovery Page
Use the Discovery page to define how Security Manager should handle certain types of objects or events during inventory and policy discovery. You can also control how long Security Manager keeps discovery tasks.
Select Tools > Security Manager Administration and select Discovery from the table of contents.
- Whether the name of the device that contains the security context should be added to the front of the security context’s name. For example, if a security context is named admin, and it is contained in the device with the display name 10.100.15.16, the name that will appear in the Device selector is 10.100.15.16_admin. If you do not prepend the device name, the security context name appears in the inventory by itself. Because Security Manager does not place security contexts in a folder related to the parent device, the only way to easily see contexts that are related to a device is to prepend the device name. If you do not prepend device names, Security Manager adds a numbered suffix to distinguish identically named devices. For example, if the admin context exists in more than one firewall, you will see admin_01, admin_02, and so on, in the Device selector.
- The number of days to save discovery and device-import tasks. Tasks older than the number of days you enter are deleted.
- Whether to substitute any named policy objects, such as network/host or identity user group objects already defined in Security Manager, for inline values in the CLI. For more information on policy objects, see Chapter 6, “Managing Policy Objects”.
- For the types of objects for which overrides are possible, whether to allow users to override the parent object values at the device level for policy objects that are discovered. For example, if you select this option and run policy discovery on a device that has an ACL with the same name as an ACL policy object in Security Manager, the name of the discovered policy object is reused, but a device-level override is created for the object. If you deselect this option, a new policy object is created with a number appended to the name. For more information, see Understanding Policy Object Overrides for Individual Devices.
- Whether Security Manager should roll back all discovered policies if even one error is encountered for a single policy during policy discovery. When deselected, Security Manager keeps the policies successfully discovered and discards only those policies with errors. For more information on policy discovery, see Discovering Policies.
- Expands object groups, such as network or identity user groups, with the listed prefixes during the device import process. Separate the prefixes with a comma. This expansion causes the elements of the object group to display as separate items in the discovered policies. For more information, see Expanding Object Groups During Discovery.
Event Management Page
Use the Event Management page to enable event management, which allows you to view ASA, FWSM, and IPS events using the Event Viewer. You can also configure settings required for event collection.
The Event Manager service is also required by the Report Manager application, which allows you to view reports that aggregate information collected by the service.
Tip If you get a message that Event Viewer is unavailable when you select Launch > Event Viewer, but the Enable Event Management option is selected on this page, try restarting the Event Manager Service. First, deselect the Enable option and click Save. Wait for the service to stop. Then, select the Enable option, click Save, and wait for the service to finish restarting. You can then try opening Event Viewer again.
Click Tools > Security Manager Administration and select Event Management from the table of contents.
|
|
---|---|
|
|
Whether to enable the Event Manager service, which allows Security Manager to collect event information. If you disable this feature, you cannot use the Event Viewer or Report Manager applications. |
|
The directory to use for collecting event information. This is known as the primary event store. Click Browse to select a directory on the Security Manager server. If the directory does not yet exist, create it in Windows Explorer. You cannot create the directory from within Security Manager. |
|
The amount of disk space you want to allocate for storing event data, in gigabytes (GB). Events are incrementally deleted (rotated out) from the extended store when it becomes 90% full. Before changing this setting, consider the following:
|
|
The port on which you want to enable syslog event capture. The default is 514. You must ensure that the Security Manager server, and intervening firewalls, allow incoming traffic on this port for Security Manager to collect the events. Managed devices must be configured to send syslog information to this port on the Security Manager server. |
|
The maximum number of events per page each query response can contain. The default is 20000, but you can select a different size from the list of supported values. Note In Security Manager 4.10, the maximum number of events per page has been increased to 100000. |
|
|
|
Whether you want to define an extended storage location for event storage. Events are copied from the regular event storage location to the extended location so that they remain available for use. When you query for historical events in Event Viewer, events in the extended storage location are automatically retrieved if they are needed. |
|
The location of the extended data store for events. This location can be on directly-attached storage that appears as a drive on the server and that uses DAS protocols. For example, SAN storage attached through fiber channel. CIFS storage is not supported. Click Browse to select the desired drive and directory.
|
|
The amount of space you want to allocate to the extended event storage location, in gigabytes (GB). Events are incrementally deleted (rotated out) from the extended store when it becomes 90% full. The size must be equal to or larger than the primary event data storage location. You can see a visual representation of the amount of space currently used for event data. Open the Event Viewer (Launch > Event Viewer), then from Event Viewer, select Views > Show Event Store Disk Usage. |
|
The email addresses that should receive notifications if problems arise with the use of the extended storage location. Separate multiple addresses with commas. For notifications to be sent successfully, you must also configure an SMTP server as described in Configuring an SMTP Server and Default Addresses for E-Mail Notifications. The message indicates the problem, cause, and recommended action. For example, you get notifications if the extended storage is chronically unreachable, if data copy fails repeatedly, or if a partition was deleted from the primary storage area before it could be copied to the extended storage area (which might happen if the storage is chronically unreachable or if there are persistent copy problems). |
|
|
|
Enables or disables processing of syslog messages from the standby ASA. When enabled, syslog messages generated by the standby or failover ASA will be displayed in the Device Identifier column in the Event Monitoring window. Note By default, the processing of syslog messages from the standby ASA is disabled. |
|
Note Starting with version 4.13, Cisco Security Manager supports syslogs over IPv6 in Event Viewer, but the Syslog Relay Service does not support syslogs over IPv6. |
|
Enables or disables the Syslog Relay Service. Select the Enable Syslog Relay Service check box to enable the fields required for configuring the Syslog Relay Service. |
|
Specifies the UDP port on which the Syslog Relay Service listens for syslogs. The default is 514. If the Syslog Relay Service is enabled, devices must send syslogs to the Syslog Relay Capture Port so that they can be forwarded to the local collector and remote collectors. If the Syslog Relay Service is turned off, devices should send syslogs to the Event Syslog Capture Port.

Note The Syslog Relay Capture Port and the Event Syslog Capture Port cannot be the same. When enabling the Syslog Relay Service, if devices are currently configured to send syslogs to the Event Syslog Capture Port, you should instead use that port number for the Syslog Relay Capture Port and then change the Event Syslog Capture Port to something else.

You must ensure that the Security Manager server, and intervening firewalls, allow incoming traffic on this port for Security Manager to collect the events. Managed devices must be configured to send syslog information to this port on the Security Manager server. |
|
Enables or disables syslog relay for the local event collector. |
|
Specifies the IP address to which syslogs should be sent for Remote Collector 1. |
|
Specifies the UDP port on which Remote Collector 1 is listening for relayed syslogs. |
|
Specifies the IP address to which syslogs should be sent for Remote Collector 2. |
|
Specifies the UDP port on which Remote Collector 2 is listening for relayed syslogs. |
|
You can filter the devices for which syslogs should be relayed for a specific collector. Using this feature, you can configure syslogs for one set of devices to go to one collector and syslogs for a different set of devices to go to another collector:

1. Select the tab (Local Collector, Remote Collector 1, or Remote Collector 2) for which you want to filter devices.
2. To specify the devices for which you want to relay syslogs for this collector, select Permit Relay. If instead you want to specify the devices for which you want to disable syslog relay for this collector, clear the Permit Relay check box. If the Permit Relay check box is not selected, then syslogs for the devices you add to the filter will not be relayed; however, syslogs for all other devices will be relayed.
   Note For each enabled collector, syslog relays from all devices are enabled by default.
   Note When adding a cluster to the filter list, the IP addresses for the cluster management pool will be included as part of the filter configuration.
3. Select the devices or device groups from the Available Devices list that you want to add to the filter and click >> to move them to the Selected Devices list. For more information on selecting devices, see Using Selectors.
4. To add a device that is not managed in Security Manager, enter the IP address of the device in the Add Special Device field and then click the bottom >> to move the device to the Selected Devices list. |
|
Opens the CPU Throttling Policy dialog box in which you can control the CPU load used by the syslog relay service. For more information, see CPU Throttling Policy Dialog Box. |
|
Opens the Syslog Relay Statistics dialog box in which you can see the average CPU and memory usage of the syslog relay service process as well as traffic rates for the different collectors. For more information, see Syslog Relay Statistics Dialog Box. |
|
Most changes related to the Event Viewer settings require that the Event Manager service briefly stop and then restart. If you change whether the service is enabled, it stops or starts, as appropriate. You are shown a progress indicator. Changes to Syslog Relay Service settings require that the Syslog Relay Service briefly stop and then restart. If you change whether the service is enabled, it stops or starts, as appropriate. |
|
Troubleshooting Syslog Relay Servers
If the Syslog Relay Service is enabled, devices must send syslogs to the Syslog Relay Capture Port so that they can be forwarded to the local collector and remote collectors. If the Syslog Relay Service is turned off, devices should send syslogs to the Event Syslog Capture Port.
Syslog Relay Servers act as an intermediate connection between device events and the Security Manager Event Manager application. They receive device event packets and forward them to the Local Collectors and Remote Collectors.
Device Management via IP
To manage devices in Security Manager via IP (using IPv4 or IPv6), the Device Management interface must have the appropriate IP information.
For example, see the following sample configuration:

```
ip address 10.197.87.95 255.255.255.0
ipv6 address 2016::b2aa:77ff:fe7c:a068/64
```
In this configuration, the Device Management interface has both an IPv4 and an IPv6 management address, so you can manage the device via IPv4 or IPv6.
If a device is managed via its IPv6 management address in Security Manager, communication between Security Manager and the device occurs only over the IPv6 address, not the IPv4 address.
However, the Event Syslog server still handles Event Syslog packets only by IPv4 address; therefore, in this scenario Security Manager cannot map the received IPv4 Event Syslog packets to the corresponding device.
When you add a filter device in Local Collector or Remote Collector for Syslog Relay Services in Tools > Security Manager Administration > Event Management - Syslog Relay Service, Security Manager tries to extract the device Management IPv4 address instead of the IPv6 management address.
However, no IPv4 Management Interface is configured on the device. Therefore, Security Manager displays the following error:

```
Device selection – Ipv4 address not found for device(s)
```

To resolve this, go to Device View > Policies > Interfaces and configure the device Management Interface with an IPv4 address.
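The Syslog Relay Service rules described above (the two capture ports must differ, the per-collector Permit Relay filter, and the IPv4-only mapping of syslog sources to devices) modelled in Python. This is an added example, not Cisco Security Manager code; the Device and CollectorFilter classes are hypothetical, and all device records other than the two addresses quoted from the sample configuration are constructed.

```python
"""Added example (not Cisco Security Manager code): a model of the Syslog Relay
Service rules on this page, exercised with constructed device data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Device:
    """Hypothetical inventory record: the management addresses Security Manager knows."""
    name: str
    mgmt_ipv4: Optional[str] = None
    mgmt_ipv6: Optional[str] = None
    cluster_pool: List[str] = field(default_factory=list)  # cluster management pool IPs


@dataclass
class CollectorFilter:
    """Filter for one collector tab (Local Collector, Remote Collector 1 or 2)."""
    permit_relay: bool = True                           # checked: relay ONLY listed devices
    devices: List[Device] = field(default_factory=list)
    special_ips: Set[str] = field(default_factory=set)  # "Add Special Device" entries


def relay_port_problems(event_capture_port: int, relay_capture_port: int) -> List[str]:
    """Check the two UDP capture ports: both must be valid and they must differ."""
    problems = []
    for label, port in (("Event Syslog Capture Port", event_capture_port),
                        ("Syslog Relay Capture Port", relay_capture_port)):
        if not 1 <= port <= 65535:
            problems.append(f"{label} {port} is not a valid UDP port")
    if event_capture_port == relay_capture_port:
        problems.append("Syslog Relay Capture Port and Event Syslog Capture Port "
                        "cannot be the same")
    return problems


def migrate_ports_for_relay(current_event_port: int, new_event_port: int) -> Tuple[int, int]:
    """Devices already send to the Event Syslog Capture Port: reuse that number for
    the relay port and move the event port elsewhere, as the page recommends.
    Returns (relay_capture_port, event_capture_port)."""
    problems = relay_port_problems(new_event_port, current_event_port)
    if problems:
        raise ValueError("; ".join(problems))
    return current_event_port, new_event_port


def filter_ipv4_addresses(flt: CollectorFilter) -> Tuple[Set[str], List[str]]:
    """Resolve a filter to IPv4 addresses. Security Manager extracts the IPv4
    management address only, so a device managed solely via IPv6 stays unresolved;
    a cluster also contributes its management pool."""
    addresses = set(flt.special_ips)
    unresolved = []
    for dev in flt.devices:
        if dev.mgmt_ipv4 is None:
            unresolved.append(dev.name)
            continue
        addresses.add(dev.mgmt_ipv4)
        addresses.update(dev.cluster_pool)
    return addresses, unresolved


def should_relay(source_ip: str, flt: CollectorFilter) -> bool:
    """Decide whether a syslog arriving from source_ip is forwarded to this collector."""
    ipaddress.IPv4Address(source_ip)  # mapping is IPv4-only; rejects malformed input
    if not flt.devices and not flt.special_ips:
        return True  # no filter configured: relay from all devices (the default)
    addresses, unresolved = filter_ipv4_addresses(flt)
    if unresolved:
        raise LookupError("Device selection - Ipv4 address not found for device(s): "
                          + ", ".join(unresolved))
    # Permit Relay checked: relay only listed devices; cleared: relay every other device.
    return (source_ip in addresses) == flt.permit_relay


# Constructed sample inventory (addresses of the first device come from the page).
SAMPLE_ASA = Device("asa-dual", mgmt_ipv4="10.197.87.95", mgmt_ipv6="2016::b2aa:77ff:fe7c:a068")
SAMPLE_CLUSTER = Device("asa-cluster", mgmt_ipv4="10.1.1.1", cluster_pool=["10.1.1.2", "10.1.1.3"])
SAMPLE_V6_ONLY = Device("asa-v6", mgmt_ipv6="2016::1")

if __name__ == "__main__":
    print(relay_port_problems(514, 514))
    print(should_relay("10.1.1.3", CollectorFilter(True, [SAMPLE_ASA, SAMPLE_CLUSTER])))
    try:
        should_relay("10.0.0.9", CollectorFilter(True, [SAMPLE_V6_ONLY]))
    except LookupError as err:
        print(err)  # the same condition the troubleshooting section describes
```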
CPU Throttling Policy Dialog Box
Use the CPU Throttling Policy dialog box to specify settings for controlling the CPU load used by the syslog relay service.
After CPU throttling is enabled, if the syslog relay service’s average CPU usage over the time period selected in the Average Max CPU Usage Time field is greater than the Maximum CPU Usage threshold, then CPU throttling will take place for the collectors specified in the Stop Forwarding To field for the time specified in the Stop Forwarding For field.
Note You can use the Syslog Relay Statistics dialog box to see the number of syslog packets dropped per collector due to the throttle policy (see Syslog Relay Statistics Dialog Box).
Click Tools > Security Manager Administration, select Event Management from the table of contents, and then click CPU Throttle Settings.
|
|
---|---|
Whether to enable throttling for the syslog relay service. CPU throttling for the syslog relay service is disabled by default. |
|
Specify the maximum CPU usage for the syslog relay service as a percentage of total CPU capacity. This is the threshold at which CPU throttling is initiated. |
|
Specifies the time window, in minutes, over which the average CPU usage of the syslog relay service is calculated. Options are 1 minute, 5 minutes, and 15 minutes. This average is compared to the Maximum CPU Usage value to determine whether throttling should take place. |
|
Specify the collectors for which you want to stop forwarding syslogs when throttling is engaged. |
|
Specify how long, in minutes, throttling should be enabled when the threshold is hit. After the specified interval of time has elapsed, if the CPU usage is still above the Maximum CPU Usage threshold, throttling will remain in effect. |
|
Whether to send email notifications when the syslog relay service enters or exits throttle mode. Email notifications are disabled by default. For the e-mails to be sent, you must configure an SMTP server as described in Configuring an SMTP Server and Default Addresses for E-Mail Notifications. |
|
Enter one or more valid addresses in the Notification Email IDs field; separate multiple addresses with commas. |
|
Specify how often to send notification emails:
|
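A minute-by-minute model of the CPU Throttling Policy described above: the windowed CPU average is compared to the Maximum CPU Usage threshold, forwarding to the selected collectors stops for the Stop Forwarding For interval, throttling is re-evaluated (and kept) when the interval elapses, and drops are counted per collector the way the Syslog Relay Statistics dialog reports them. This is an added example, not Cisco code; the class names, CPU samples and packet rates are constructed.

```python
"""Added example (not Cisco Security Manager code): simulation of the syslog relay
CPU Throttling Policy with constructed CPU samples and packet counts."""
from collections import deque
from typing import Dict, FrozenSet, List, Optional, Tuple


class ThrottlePolicy:
    """Settings from the CPU Throttling Policy dialog box."""

    def __init__(self, enabled: bool, max_cpu_percent: float, avg_window_minutes: int,
                 stop_forwarding_to: FrozenSet[str], stop_forwarding_for: int):
        if avg_window_minutes not in (1, 5, 15):
            raise ValueError("Average Max CPU Usage Time must be 1, 5 or 15 minutes")
        if not 0 < max_cpu_percent <= 100:
            raise ValueError("Maximum CPU Usage is a percentage of total CPU capacity")
        if stop_forwarding_for < 1:
            raise ValueError("Stop Forwarding For must be at least one minute")
        self.enabled = enabled
        self.max_cpu_percent = max_cpu_percent
        self.avg_window_minutes = avg_window_minutes
        self.stop_forwarding_to = stop_forwarding_to
        self.stop_forwarding_for = stop_forwarding_for


class SyslogRelayThrottle:
    """Throttle state machine; one tick per minute."""

    def __init__(self, policy: ThrottlePolicy):
        self.policy = policy
        self.samples = deque(maxlen=policy.avg_window_minutes)  # one CPU sample per minute
        self.minute = 0
        self.throttle_until: Optional[int] = None  # minute at which the interval elapses
        self.active = False
        self.throttle_active_minutes = 0           # "Throttle Active Time" statistic
        self.dropped_by_throttle: Dict[str, int] = {}   # packets dropped per collector
        self.notifications: List[Tuple[int, str]] = []  # (minute, "enter"/"exit") emails

    def average_cpu(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    def tick(self, cpu_percent: float, packets: Dict[str, int]) -> Dict[str, int]:
        """Record one minute's CPU sample, update the throttle state and forward or
        drop this minute's packets. Returns packets forwarded per collector."""
        self.samples.append(cpu_percent)
        previously_active = self.active
        if self.policy.enabled:
            if self.throttle_until is not None and self.minute < self.throttle_until:
                pass  # inside Stop Forwarding For: throttle holds regardless of CPU
            elif self.average_cpu() > self.policy.max_cpu_percent:
                # threshold exceeded, or still exceeded after the interval: (re)arm
                self.throttle_until = self.minute + self.policy.stop_forwarding_for
            else:
                self.throttle_until = None
        self.active = self.policy.enabled and self.throttle_until is not None
        if self.active != previously_active:
            self.notifications.append((self.minute, "enter" if self.active else "exit"))
        forwarded = {}
        for collector, count in packets.items():
            if self.active and collector in self.policy.stop_forwarding_to:
                self.dropped_by_throttle[collector] = (
                    self.dropped_by_throttle.get(collector, 0) + count)
                forwarded[collector] = 0
            else:
                forwarded[collector] = count
        if self.active:
            self.throttle_active_minutes += 1
        self.minute += 1
        return forwarded


def simulate(cpu_samples: List[float], policy: ThrottlePolicy,
             packets_per_minute: Dict[str, int]) -> SyslogRelayThrottle:
    """Feed one CPU sample per minute at a constant per-collector packet rate."""
    throttle = SyslogRelayThrottle(policy)
    for cpu in cpu_samples:
        throttle.tick(cpu, packets_per_minute)
    return throttle


# Constructed scenario: 80% threshold, 1-minute average, stop Remote Collector 1 for 2 minutes.
SAMPLE_POLICY = ThrottlePolicy(True, 80.0, 1, frozenset({"Remote Collector 1"}), 2)
SAMPLE_CPU = [50, 90, 30, 30, 95, 95, 95]  # per-minute CPU percentages (constructed)
SAMPLE_RATE = {"Local Collector": 100, "Remote Collector 1": 100}  # packets per minute

if __name__ == "__main__":
    result = simulate(SAMPLE_CPU, SAMPLE_POLICY, SAMPLE_RATE)
    print(result.notifications, result.dropped_by_throttle, result.throttle_active_minutes)
```

In the sample run the last three minutes show the documented edge case: the interval elapses at minute 6 while CPU is still above the threshold, so throttling stays in effect without a new notification.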
Syslog Relay Statistics Dialog Box
Use the Syslog Relay Statistics dialog box to view the average CPU and memory usage of the syslog relay service process as well as traffic rates for the different collectors.
Click Tools > Security Manager Administration, select Event Management from the table of contents, and then click View Statistics.
|
|
---|---|
|
|
Shows the amount of memory used by the syslog relay service on average over the last minute. |
|
Shows the percentage of CPU capacity used by the syslog relay service on average over the last minute. |
|
Shows the total number of syslog packets that have been received by the syslog relay service since the service was started. |
|
Shows the average number of syslog packets that have been received by the syslog relay service per second since the service was started. |
|
Shows the average number of syslog packets that have been received by the syslog relay service per second over the last minute. |
|
Shows the average number of syslog packets that have been received by the syslog relay service per second over the last five minutes. |
|
Shows the average number of syslog packets that have been received by the syslog relay service per second over the last fifteen minutes. |
|
Shows how long, in minutes, the CPU throttle policy for the syslog relay service has been active. For more information, see CPU Throttling Policy Dialog Box. |
|
|
|
Shows the total number of syslog packets that have been sent by the syslog relay service since the service was started. |
|
Shows the total number of syslog packets that have been dropped by the syslog relay service in accordance with the defined filter policy since the service was started. |
|
Shows the total number of syslog packets that have been dropped by the syslog relay service in accordance with the throttle policy since the service was started. |
|
Shows the total number of syslog packets that were not able to be forwarded by the syslog relay service since the service was started. |
|
Shows the average number of syslog packets that have been sent by the syslog relay service per second since the service was started. |
|
Shows the average number of syslog packets that have been sent by the syslog relay service per second over the last minute. |
|
Shows the average number of syslog packets that have been sent by the syslog relay service per second over the last five minutes. |
|
Shows the average number of syslog packets that have been sent by the syslog relay service per second over the last fifteen minutes. |
|
Refreshes the statistics displayed on the Syslog Relay Statistics dialog box. |
Health and Performance Monitor Page
Use the Health and Performance Monitor page of the Security Manager Administration window to enable network-wide health and performance monitoring. The Health and Performance Monitor (HPM) is a stand-alone application that lets you monitor key health and performance data for ASA devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information.
Tip If you get a message that the application is unavailable when you attempt to launch the Health and Performance Monitor, but the Enable Health and Performance Monitor option is selected on this page, try restarting Health and Performance Monitoring. First, deselect the Enable option and click Save. Wait for the service to stop. Then, select the Enable option, click Save, and wait for the service to finish restarting. You can then try opening the HPM application again.
Click Tools > Security Manager Administration and select Health and Performance Monitor from the table of contents.
|
|
---|---|
Lets you enable or disable the Health and Performance Monitoring service, which allows Security Manager to collect event information. If you disable this feature, you cannot use the HPM application. |
|
Note To receive email notifications, make sure that an SMTP server has been configured on the Security Manager server. For more information, see Configuring an SMTP Server and Default Addresses for E-Mail Notifications.

Cisco Security Manager considers an out-of-band (OOB) change to be any change made to a device manually or outside of Security Manager control, for example, by logging into the (monitored) device directly and entering configuration commands through the CLI. For devices monitored by the HPM application, Cisco Security Manager monitors OOB changes, which HPM detects periodically. If any out-of-band changes are detected, HPM generates an alert that is displayed on the Device Status View page and sends an email to the configured recipients.

Note If a Cisco Security Manager restart occurs during the update time, after an OOB change is detected and an email notification has already been sent, the same email may be sent again after Cisco Security Manager starts up. |
|
Lets you enable or disable email notifications for Out of Band changes. Note When the email notification is disabled, only an alert is displayed on the Device Status View page. Note When HPM detects the OOB change and syncs with the Configuration Manager, a separate email alert notification is sent for each device being monitored. To prevent duplication, emails sent for each OOB change are tracked and stored in a file, once in 5 minutes. |
|
Specify the recipients who must be notified of the OOB change. |
|
Most changes require that the Health and Performance Monitoring service briefly stop and then restart. If you change whether the service is enabled, it stops or starts, as appropriate. You are shown a progress indicator. |
|
Report Manager Page
Use the Report Manager page of the Security Manager Administration window to enable or disable the Report Manager feature in Cisco Security Manager. Report Manager is a stand-alone application that lets you view security and usage reports for devices and remote access IPsec and SSL VPNs.
Click Tools > Security Manager Administration and select Report Manager from the table of contents.
Identity Settings Page
Use the Identity Settings page to configure the Active Directory (AD) server group to use for a NetBIOS domain for use with identity-aware firewall policies on ASA devices. These settings enable you to use the Find feature when selecting users or user groups for identity-aware policies or identity user group policy objects.
Tip You can also add entries by configuring the Identity Options policy on an ASA. When you save the policy, you are asked if you want to update the identity settings administrative page. Keep in mind that you can have a single domain-to-AD server match on the settings page, whereas you can configure different ASAs to use different server groups for a domain. Username lookup always selects the AD servers defined in the identity settings administrative page, regardless of what server group is configured for the individual ASA that you are configuring.
Select Tools > Security Manager Administration and select Identity Settings from the table of contents.
|
|
---|---|
Each row in the table defines the Active Directory (AD) server group to use for a NetBIOS domain for use with identity-aware firewall policies on ASA devices.
|
|
The NetBIOS domain to use when you do not type in a domain when specifying a user or group name in a firewall policy or an identity user group policy object. The default is LOCAL, which means the name is defined on the ASA itself, either as a local user or as a VPN user who was authenticated by a means other than an LDAP server group associated with a domain name. Other than LOCAL, only domains configured in the Domain-AD Server Group Mapping table appear in this list. |
|
When you use the Find feature while selecting users or user groups, Security Manager must query the AD server. Select whether the query comes from the Security Manager client (the workstation on which you are running the client) or the server. |
|
If you select something other than LOCAL for the default domain, how to handle username or user group names that you type in without a domain name:
|
|
Image Manager Page
Use the Image Manager page to control the administrative settings for Image Manager within Security Manager.
Select Tools > Security Manager Administration and select Image Manager from the table of contents.
|
|
---|---|
Use the Edit CCO Settings link to quickly navigate to the CCO Settings page. For information on the CCO Settings page, see CCO Settings Page. |
|
Enter the length of time in days to hold Image Manager jobs before purging them. The default is 365 days. Select Purge Now to immediately clear previous Image Manager job specifications. |
|
If checked, the image repository is part of Security Manager backup. The default is to exclude images. |
|
IP Intelligence Settings Page
Use the IP Intelligence Settings page to control the administrative settings for the IP Intelligence features within Security Manager.
Select Tools > Security Manager Administration and select IP Intelligence Settings from the table of contents.
|
|
---|---|
Credentials for connecting to Cisco.com are required for automatic updates of the GeoIP database. You can use the Edit CCO Settings link to quickly navigate to the CCO Settings page where these credentials are configured. You can also configure settings for a proxy server on the CCO Settings page. For information on the CCO Settings page, see CCO Settings Page. |
|
|
|
Whether to enable or disable the Reverse DNS (FQDN) lookup service. Enable this service if you want to be able to determine the fully qualified domain name (FQDN) for an IPv4 address using the IP Intelligence tool. |
|
Select this option to use the DNS server defined on the Cisco Security Manager server for reverse DNS lookup requests. |
|
Select this option to manually specify the DNS servers to use for reverse DNS lookup requests. You can enter up to three DNS server addresses in the fields provided. Note Security Manager does not support the use of external DNS servers configured inside of a virtual machine. |
|
Whether to distribute reverse DNS lookup requests amongst the DNS servers when multiple DNS servers are available. |
|
Lists the IP address ranges that are excluded from Reverse DNS lookup by default: 0.0.0.0, 255.255.255.255, 127.0.0.1, 169.254.0.0-169.254.255.255, 224.0.0.0-239.255.255.255 |
|
Specifies additional IP addresses or address ranges that should be excluded from reverse DNS lookup requests. Click the Edit (pencil) button to open the Edit IPv4 Blocking Range Addresses dialog box in which you can specify the IPv4 addresses or address ranges to be excluded. Separate multiple entries using a comma ",". |
|
|
|
Whether to enable or disable the GeoIP lookup service. Enable this service if you want to be able to retrieve geographic location information for an IPv4 address using the IP Intelligence tool. Note You will need to download the geographic location database from Cisco.com before GeoIP information will be included in the IP intelligence data. You will also need to download the geographic location database from Cisco.com after restoring the Security Manager database from a backup. Beginning with version 4.9, Security Manager requires you to read and accept the End User License Agreement (EULA) before you can proceed to downloading updates from cisco.com. |
|
Use the GeoIP Manual Upload fields to update the geographic location database in Security Manager using a MaxMind GeoLite City update package downloaded from Cisco.com. Note New update packages are made available on Cisco.com on a monthly basis. |
|
Click Browse and then navigate to and select the MaxMind GeoLite City update package that you downloaded from Cisco.com. Then, click Upload to upload the selected database to Cisco Security Manager. Note Geolocation updates obtained directly from MaxMind or any other source are not supported in Cisco Security Manager. |
|
GeoIP Maxmind Database Update Settings: MaxMind GeoLite City update packages are updated monthly on Cisco.com. Use the GeoIP Maxmind Database Update Settings to download an update package automatically from Cisco.com and to configure scheduled updates. Note Credentials for connecting to Cisco.com are required for automatic updates of the geographic location database. You can use the Edit CCO Settings link to quickly navigate to the CCO Settings page where these credentials are configured. For information on the CCO Settings page, see CCO Settings Page. |
|
Click Update Now to update the geographic location database in Security Manager using the latest update package from Cisco.com. |
|
Whether to enable or disable automatic updates of the geographic location database on a regular schedule. After enabling scheduled updates, click Edit Settings to specify the schedule for when the update should take place. Using the Weekly option, you can specify the days of the week on which the automatic update should take place. Using the Monthly option, you can specify the day of the month on which the automatic update should take place. For either option, you can specify the time of day that the update should take place. Note Beginning with version 4.9, Security Manager requires you to read and accept the End User License Agreement (EULA) before you can proceed to downloading updates from cisco.com. |
|
Lists the IP address ranges that are excluded from GeoIP lookup by default: 0.0.0.0, 255.255.255.255, 127.0.0.1, 10.0.0.0-10.255.255.255, 169.254.0.0-169.254.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255, 224.0.0.0-239.255.255.255 |
|
Specifies additional IP addresses or address ranges that should be excluded from GeoIP lookup requests. Click the Edit (pencil) button to open the Edit IPv4 Blocking Range Addresses dialog box in which you can specify the IPv4 addresses or address ranges to be excluded. Separate multiple entries using a comma ",". |
|
|
|
Whether to enable or disable the Whois lookup service. Enable this service if you want to be able to retrieve WHOIS information for an IPv4 address using the IP Intelligence tool. |
|
Whether to enable or disable use of an external proxy for Whois requests. Proxy server configuration is specified on the CCO Settings page. |
|
Lists the IP address ranges that are excluded from Whois lookup by default: 0.0.0.0, 255.255.255.255, 127.0.0.1, 10.0.0.0-10.255.255.255, 169.254.0.0-169.254.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255, 224.0.0.0-239.255.255.255 |
|
Specifies additional IP addresses or address ranges that should be excluded from Whois lookup requests. Click the Edit (pencil) button to open the Edit IPv4 Blocking Range Addresses dialog box in which you can specify the IPv4 addresses or address ranges to be excluded. Separate multiple entries using a comma ",". |
|
Opens the IP Intelligence Statistics dialog box which shows statistics for the IP Intelligence feature. Information provided in the IP Intelligence Statistics dialog box includes:
Click Refresh to update the data in the IP Intelligence Statistics dialog box. |
|
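The exclusion logic shared by the Reverse DNS, GeoIP and Whois services above, in Python: the default ranges are the ones listed on this page, the parser accepts the comma-separated single-address and address-range syntax of the Edit IPv4 Blocking Range Addresses dialog, and the decision function reports per service whether the IP Intelligence tool may issue a lookup. This is an added example, not Cisco code; the test addresses and the extra user-entered ranges are constructed.

```python
"""Added example (not Cisco Security Manager code): parsing of IP Intelligence
exclusion lists and the per-service lookup decision, using the page's defaults."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Default exclusions as listed on this page for each service.
REVERSE_DNS_DEFAULT_EXCLUSIONS = (
    "0.0.0.0, 255.255.255.255, 127.0.0.1, "
    "169.254.0.0-169.254.255.255, 224.0.0.0-239.255.255.255"
)
# GeoIP and Whois additionally exclude the RFC 1918 private ranges.
GEOIP_WHOIS_DEFAULT_EXCLUSIONS = (
    "0.0.0.0, 255.255.255.255, 127.0.0.1, 10.0.0.0-10.255.255.255, "
    "169.254.0.0-169.254.255.255, 172.16.0.0-172.31.255.255, "
    "192.168.0.0-192.168.255.255, 224.0.0.0-239.255.255.255"
)
DEFAULT_EXCLUSIONS = {
    "reverse_dns": REVERSE_DNS_DEFAULT_EXCLUSIONS,
    "geoip": GEOIP_WHOIS_DEFAULT_EXCLUSIONS,
    "whois": GEOIP_WHOIS_DEFAULT_EXCLUSIONS,
}

Range = Tuple[int, int]  # inclusive (start, end) as 32-bit integers


def parse_ranges(text: str) -> List[Range]:
    """Parse comma-separated 'a.b.c.d' or 'a.b.c.d-e.f.g.h' entries (the Edit IPv4
    Blocking Range Addresses syntax) into inclusive integer ranges.
    Raises ValueError for IPv6, junk, or a range whose end precedes its start."""
    ranges = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue  # tolerate trailing commas and blank entries
        if "-" in entry:
            lo_text, hi_text = (p.strip() for p in entry.split("-", 1))
        else:
            lo_text = hi_text = entry
        lo = ipaddress.IPv4Address(lo_text)  # AddressValueError is a ValueError
        hi = ipaddress.IPv4Address(hi_text)
        if hi < lo:
            raise ValueError(f"range {entry!r}: end address precedes start address")
        ranges.append((int(lo), int(hi)))
    return ranges


def range_errors(text: str) -> List[str]:
    """Validate a user-entered exclusion string; returns messages instead of raising."""
    try:
        parse_ranges(text)
    except ValueError as err:
        return [str(err)]
    return []


def is_excluded(ip: str, ranges: List[Range]) -> bool:
    """True if ip falls inside any of the inclusive ranges."""
    value = int(ipaddress.IPv4Address(ip))
    return any(lo <= value <= hi for lo, hi in ranges)


def lookups_allowed(ip: str, additional: Optional[Dict[str, str]] = None) -> Dict[str, bool]:
    """For each service, True if a lookup for ip is permitted once the default
    exclusions and the per-service additional exclusions are applied.
    additional maps service name -> the user's Additional Blocking Range string."""
    additional = additional or {}
    decision = {}
    for service, defaults in DEFAULT_EXCLUSIONS.items():
        ranges = parse_ranges(defaults) + parse_ranges(additional.get(service, ""))
        decision[service] = not is_excluded(ip, ranges)
    return decision


if __name__ == "__main__":
    # Constructed inputs: a private address and a documentation-range address.
    print(lookups_allowed("10.1.2.3"))
    print(lookups_allowed("198.51.100.7", {"whois": "198.51.100.0-198.51.100.255"}))
    print(range_errors("10.0.0.5-10.0.0.1"))
```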
Eventing Notification Settings Page
Use the Eventing Notification Settings page to receive email notifications for IPS events and critical ASA events. You can configure the time interval at which you want to receive the email notifications.
The events are sent as .CSV files in a .zip archive. By default, email notification is disabled. When you enable email notification, only the notification for IPS events is enabled. To receive email notification for critical events, you must also enable the additional settings for critical events.
Note For notifications to be sent successfully by Security Manager, you must configure an SMTP server, as described in Configuring an SMTP Server and Default Addresses for E-Mail Notifications.
Tip You can also use the Security Manager Event Viewer application or the Dashboard to view and monitor all events.
Select Tools > Security Manager Administration and select Eventing Notification Settings from the table of contents.
IPS Updates Page
Note From version 4.17, though Cisco Security Manager continues to support IPS features/functionality, it does not support any enhancements.
Use the IPS Updates page to perform administrative tasks associated with keeping your sensors up to date with regard to signatures, minor version updates, and service packs. You can use the IPS Updates page to:
- Monitor update status.
- Check the availability of updates and download them.
- Configure an IPS update server.
- Configure automatic update settings.
Note Beginning with Security Manager version 4.9, only the latest sensor and signature packages for IPS will be available for download from CCO. The older packages will not be available for download from CCO.
- To apply IPS updates manually, select Tools > Apply IPS Update. For more information, see Manually Applying IPS Updates.
- If you later decide that you did not want to apply a signature update, you can revert to the previous update level by selecting the Signatures policy on the device, clicking the View Update Level button, and clicking Revert.
Beginning with version 4.4, Security Manager has a certificate trust management feature. This feature helps you with improved handling of Cisco.com certificates. For detailed documentation of this feature, refer to Certificate Trust Management.
Select Tools > Security Manager Administration and select IPS Updates from the table of contents.
- Configuring the IPS Update Server
- Checking for IPS Updates and Downloading Them
- Automating IPS Updates
- Selecting a Signature Category for Cisco IOS IPS
|
|
---|---|
Displays the following items. Click Refresh to update the information.
|
|
These buttons check for updates, or download signature and sensor updates that have not already been downloaded to the Security Manager server, from the IPS Update server. You must configure an IPS Update server before checking for updates or downloading them (click Edit Settings in the Update Server group). When you click one of these buttons, a dialog box opens to display the results of the operation. Security Manager logs into the IPS Update server, checks for updates, and downloads them if you clicked the Download button. If a Cisco.com download fails, ensure that the account you are using has applied for eligibility to download strong encryption software. For details, see the description of User Name in Edit Update Server Settings Dialog Box. Note Beginning with version 4.9, Security Manager requires you to read and accept the End User License Agreement (EULA) before you can proceed to downloading updates from cisco.com. |
|
Displays the settings used to access Cisco.com or the local server that contains the IPS update packages. The fields indicate whether the update server is Cisco.com or a locally-configured HTTP server, the name of the local server if you are using one, the user account for logging into the server, and the name of the proxy server, if any. To configure or change the IPS Update server, click Edit Settings to open the Edit Update Server Settings dialog box (see Edit Update Server Settings Dialog Box). For more information, see Configuring the IPS Update Server. Beginning with version 4.4, Security Manager has a certificate trust management feature. This feature helps you with improved handling of Cisco.com certificates. For detailed documentation of this feature, refer to Certificate Trust Management. |
|
Enables you to download IPS signature updates selectively. Click Edit Settings to open the Edit Signature Download Filter Settings dialog box (see Edit Signature Download Filter Settings Dialog Box). |
|
Contains the settings specific to automatic updates. For more information, see Automating IPS Updates. |
|
Establishes whether, and to what extent, automatic updates are performed. Contains the following options:
By default, auto update is disabled. The other options are a combination of one or more of the following options:
|
|
The schedule for the actions selected in the Auto Update Mode field. To change the schedule, click Edit Update Schedule and define the schedule in the Edit IPS Updates Schedule dialog box. You can specify that Security Manager perform the updates based on hourly, daily, weekly, or monthly schedules, or specify a one-time event. When entering the start time, use the 24-hour clock and the hh:mm format. Note If you schedule an update to occur in less than 10 minutes from your Security Manager server time, the "Next Update" field will show tomorrow’s date and the job will run accordingly. This is a safety feature designed to guarantee the first occurrence to run. |
|
The e-mail address to which notifications of automatic updates are sent. If you enter more than one address, separate the addresses with commas. A notification is sent when an update: |
|
The selector includes the IPS devices that have local signature policies and the shared signature policies that are defined in Security Manager. The columns in the selector indicate whether a local device policy or a shared policy is selected for these types of updates:
For shared policies, a partial grey checked box indicates that some, but not all, of the devices that use the policy are selected. If you change the devices assigned to the shared policy between automatic update events, the shared policy is grayed out, and only the old assignments are shown on this page. After the update runs, the assignment list will be synchronized with the shared policy device assignments. To update the device list proactively prior to the next auto update run, select the policy and edit it (to select auto update settings), and the device assignment list will be corrected.

Note Also for shared policies: You can select only the shared policy assigned to the default virtual sensor (vs0). If you attempt to select the shared policy for a different virtual sensor, your changes will not be applied, and you will not receive an error message.

Use the Type field to toggle between viewing local and shared policies. Changing the view does not change your auto update selections.

To select a local or shared policy for auto update, select it in the selector and click the Edit Row button below the selector. This opens the Edit Auto Update Settings dialog box, where you can select the types of updates for the policy. When you select any type of auto update for a policy, the affected devices are listed in the Devices to be Auto Updated list to the right of the selector. |
|
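The 10-minute rule in the Note on the update schedule is easy to trip over when a client clock runs ahead of the server clock. The following Python function is an added example, not Security Manager code, that reproduces the Next Update calculation for a daily schedule: the start time is parsed in the required 24-hour hh:mm form, and a first occurrence that falls less than 10 minutes after the server's current time (or has already passed today) is rolled forward to the next day. The function names and the sample timestamps are constructed for this example.

```python
from datetime import datetime, timedelta, time
from typing import Union

# From the Note: a first occurrence less than 10 minutes ahead of the
# server's clock is deferred, and the Next Update field shows the next day.
SAFETY_WINDOW = timedelta(minutes=10)
ONE_DAY = timedelta(days=1)


def parse_start_time(hhmm: str) -> time:
    """Start time exactly as the dialog expects it: 24-hour clock, hh:mm.
    '23:30' is accepted; '11:30 PM' raises ValueError."""
    return datetime.strptime(hhmm, "%H:%M").time()


def first_daily_update(server_now: Union[datetime, str], start: str) -> datetime:
    """Next Update value for a new daily schedule.

    server_now is the Security Manager *server* time (an ISO-8601 string is
    accepted for convenience). The client's clock plays no part, so a client
    running ahead of the server can expect today and still get tomorrow.
    """
    if isinstance(server_now, str):
        server_now = datetime.fromisoformat(server_now)
    candidate = datetime.combine(server_now.date(), parse_start_time(start))
    # A start time that has already passed today, and one less than
    # SAFETY_WINDOW away, are both rolled forward to the next day.
    while candidate - server_now < SAFETY_WINDOW:
        candidate += ONE_DAY
    return candidate


if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 55)          # constructed server time
    print(first_daily_update(now, "10:00"))     # 5 minutes ahead -> 2024-01-16 10:00:00
```

A run scheduled exactly 10 minutes ahead is not deferred; only a gap of less than 10 minutes triggers the rule, which matches the wording of the Note.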
Edit Update Server Settings Dialog Box
Use the Edit Update Server Settings dialog box to configure the server to use for obtaining IPS updates. If necessary, you can configure a proxy server for communicating with the update server.
Also use the Edit Update Server Settings dialog box for certificate trust management. Security Manager downloads IPS packages from Cisco.com over HTTPS, and an HTTPS connection is only as trustworthy as the server certificate you accept for it. The certificate trust management feature on the Image Manager page, new in Security Manager 4.4, improves the handling of Cisco.com certificates for IPS package downloads:
- You can use it to view a certificate and use discretion in accepting it.
- After you accept a certificate, it is stored on your Security Manager server.
- You can see all your certificates in a summary table on the Image Manager page, and you can use that table to view or remove certificates.
Tip Please be sure to refer to "Retrieve Certificate" in the table below.
Select Tools > Security Manager Administration > IPS Updates and click Edit Settings in the Update Server group.
- Whether to get IPS updates from Cisco.com or from a local HTTP/HTTPS server. Your selection changes the fields in the dialog box. If you select local, you must configure an HTTP or HTTPS server to use as the IPS update server.
- The hostname or IP address of the local IPS update web server.
- The port number on which your local server listens for connection requests. The default is 80.
- The username used to log in to the IPS update server. If you are configuring a local server that does not require a login, leave this field blank. If you are specifying a Cisco.com username, the account must be eligible to download strong encryption software. If you are not certain that the account has the required permissions, log in to Cisco.com with it and try to download an IPS update file (http://www.cisco.com/cgi-bin/tablebuild.pl/ips5-system). If the account lacks the appropriate permissions, you are prompted to read and accept the required conditions; if you meet the eligibility requirements, you can accept them. Otherwise, contact your Cisco sales representative for help.
- The password for the specified username, entered in both fields. If you are configuring a local server that does not require a password, leave these fields blank.
- The path to the IPS update files on your local server. For example, if update files can be accessed at http://local-server-ip:port/update_files_path/, enter update_files_path in this field.
- Whether to use SSL when connecting to the local IPS update server. Without SSL, the connection, including any login credentials, is unencrypted.
- Displays the certificate thumbprint after it is calculated from the certificate on the local server.
- Retrieve Certificate (local server): Connects to the local server specified in this dialog box, retrieves its certificate, and calculates the certificate thumbprint, which is displayed in the Certificate Thumbprint field. Compare the displayed thumbprint with one obtained from the server's administrator out of band before relying on it; a thumbprint fetched over the very connection you are trying to trust only proves that you reached whoever answered.
- Retrieve Certificate (Cisco.com): Connects to the selected Contact URL and retrieves the certificate. After retrieving it, Security Manager opens the Certificate Verification dialog box, which shows a brief summary of the certificate (who it is issued to, who issued it, and its validity period) and gives you the following choices:
- A table that displays, for each certificate stored in your Security Manager installation, its Subject, Issued By, and Accepted By.
- Opens the Certificate Viewer for the certificate selected in the Certificate table.
- Whether a proxy server is needed to connect to Cisco.com or to your local server.
- The hostname or IP address of the proxy server. You can configure the proxy server to use basic, digest, NT LAN Manager (NTLM) v1, or NTLM v2 authentication. NTLM v2 is the most secure of these; basic authentication sends the proxy credentials in cleartext (Base64-encoded only), so use it only over a connection you already trust.
- The port number on which the proxy server listens for connection requests. The default is 80.
- The username used to log in to the proxy server. If the proxy server does not require a login, leave this field blank.
- The password for the specified username, entered in both fields. If the proxy server does not require a password, leave these fields blank.
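The Certificate Thumbprint and Retrieve Certificate fields above amount to trust-on-first-use pinning of the update server's certificate: a certificate is reviewed once, its thumbprint is stored, and later connections are compared against it. The following Python is an added example, not Security Manager's own code, that shows how such a thumbprint is computed from a retrieved certificate and how a stored thumbprint is enforced afterwards. It assumes a SHA-256 thumbprint (the page does not state which hash Security Manager uses); the certificate bytes, the host name, and the PinStore and CertificateChanged names are constructed for this example.

```python
import base64
import hashlib
import hmac
import ssl
from typing import Callable, Dict, Optional

THUMBPRINT_HASH = "sha256"   # assumption: the page does not name the hash


def der_thumbprint(der: bytes, algorithm: str = THUMBPRINT_HASH) -> str:
    """Thumbprint of a DER-encoded certificate, formatted the way openssl's
    -fingerprint option prints it (upper-case hex pairs separated by colons)."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_thumbprint(pem: str, algorithm: str = THUMBPRINT_HASH) -> str:
    """Same, for a PEM certificate such as ssl.get_server_certificate() returns."""
    return der_thumbprint(ssl.PEM_cert_to_DER_cert(pem), algorithm)


class CertificateChanged(Exception):
    """The server presented a certificate other than the one previously accepted."""


class PinStore:
    """Trust-on-first-use store for update-server certificates.

    The first certificate seen for a host is handed to `review` (standing in
    for the Certificate Verification dialog box); if accepted, its thumbprint
    is stored. Every later connection must present a certificate with the
    same thumbprint, or the update is refused.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def pinned(self, host: str) -> Optional[str]:
        return self._pins.get(host)

    def check(self, host: str, der: bytes, review: Callable[[str, str], bool]) -> bool:
        presented = der_thumbprint(der)
        stored = self._pins.get(host)
        if stored is None:
            if not review(host, presented):
                return False             # operator rejected it: nothing is stored
            self._pins[host] = presented
            return True
        # Constant-time comparison. A mismatch means the server's certificate
        # changed (rotation, or interception) and must be reviewed again,
        # never silently accepted.
        if not hmac.compare_digest(stored, presented):
            raise CertificateChanged(f"{host}: pinned {stored}, presented {presented}")
        return True

    def remove(self, host: str) -> None:
        """Equivalent of removing the certificate from the summary table."""
        self._pins.pop(host, None)


# Constructed placeholder for an update server's certificate: not a real
# X.509 structure, but the thumbprint code treats it exactly like one.
EXAMPLE_DER = b"constructed DER bytes standing in for updates.example.invalid"
EXAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(EXAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    store = PinStore()
    print(pem_thumbprint(EXAMPLE_PEM))
    store.check("updates.example.invalid", EXAMPLE_DER, lambda host, tp: True)
    try:
        store.check("updates.example.invalid", b"a different certificate", lambda host, tp: True)
    except CertificateChanged as exc:
        print("refused:", exc)
```

With a real server, the PEM passed to pem_thumbprint would come from ssl.get_server_certificate((host, port)); the value to compare against is one you obtained from the server's administrator out of band, not one read from the same connection.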
Edit Auto Update Settings Dialog Box
Use the Edit Auto Update Settings dialog box to configure the automatic update options for the device or policy selected in the Apply Update To table on the IPS Updates page. For information on configuring automatic updates, see Automating IPS Updates.
Select a device or policy in the Apply Update To table on the IPS Updates page (see IPS Updates Page) and click the Edit Row button.
Edit Signature Download Filter Settings Dialog Box
The Edit Signature Download Filter Settings dialog box enables you to download IPS signature updates selectively. It applies both to the manual download and to the automated download.
Note Filtering does not apply to IPS sensor packages or to IPS engine packages; it applies to IPS signature packages only. All the available sensor packages on Cisco.com or on the local server will be downloaded as part of a signature download.
The benefits of selective download are reduced download time, reduced disk storage space, and faster troubleshooting because you can download only what you need.
There are four types of signature download available to you with the Edit Signature Download Filter Settings dialog box:
- No filter
- Download all signatures for engine versions starting with [choose E4, E3, E2, or E1]
- Download all signature versions starting with [enter a signature version such as 1000]
- Download a single signature version number [enter a signature number such as 1000]
The default signature configuration is to download all signatures for engine versions starting with E4.
Tip This default value is the same for a new installation of Security Manager 4.3 and for upgrades from previous versions.
Select Tools > Security Manager Administration and then select IPS Updates from the table of contents; then click Edit Settings in the Signature Filter Settings group.
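To see what the four filter types select, here is an added Python example (not Security Manager code) that applies each filter to a constructed listing of available packages. It assumes that signature packages are named IPS-sig-S<version>-req-E<engine>.pkg, reads "starting with" as "that version and later", and passes sensor and engine packages through unfiltered, as the Note above requires. The package names in AVAILABLE and the function names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed naming convention for IPS signature packages, e.g. IPS-sig-S741-req-E4.pkg
# (signature level S741 built for engine E4). Anything that does not match is
# treated as a sensor or engine package, which the filter never touches.
SIG_PACKAGE = re.compile(r"^IPS-sig-S(?P<sig>\d+)-req-E(?P<engine>\d+)\.pkg$")


@dataclass(frozen=True)
class Package:
    name: str
    signature: Optional[int]   # None for sensor and engine packages
    engine: Optional[int]

    @property
    def is_signature(self) -> bool:
        return self.signature is not None


def parse_package(name: str) -> Package:
    m = SIG_PACKAGE.match(name)
    if m is None:
        return Package(name, None, None)
    return Package(name, int(m["sig"]), int(m["engine"]))


def select_downloads(names: Iterable[str], mode: str, value: Optional[int] = None) -> List[str]:
    """Apply one of the four filter types to an available-package listing.

    mode: "none"           - no filter
          "engine_from"    - all signatures for engine versions starting with E<value>
          "signature_from" - all signature versions starting with S<value>
          "signature_only" - the single signature version S<value>
    "Starting with" is read here as "that version and later" (assumption).
    """
    if mode != "none" and value is None:
        raise ValueError(f"filter mode {mode!r} needs a version number")
    selected: List[str] = []
    for pkg in map(parse_package, names):
        if not pkg.is_signature:
            selected.append(pkg.name)       # sensor/engine packages: always downloaded
            continue
        if mode == "none":
            keep = True
        elif mode == "engine_from":
            keep = pkg.engine >= value
        elif mode == "signature_from":
            keep = pkg.signature >= value
        elif mode == "signature_only":
            keep = pkg.signature == value
        else:
            raise ValueError(f"unknown filter mode {mode!r}")
        if keep:
            selected.append(pkg.name)
    return selected


# Constructed listing of what a local update server might offer.
AVAILABLE = [
    "IPS-sig-S999-req-E3.pkg",
    "IPS-sig-S1000-req-E4.pkg",
    "IPS-sig-S1001-req-E4.pkg",
    "IPS-engine-E4-req-7.1-8.pkg",   # engine package (name constructed)
    "IPS-K9-7.1-8-E4.pkg",           # sensor (system) package (name constructed)
]

if __name__ == "__main__":
    for mode, value in [("none", None), ("engine_from", 4), ("signature_from", 1000), ("signature_only", 1000)]:
        print(mode, value, select_downloads(AVAILABLE, mode, value))
```

Note that every mode returns the engine and sensor packages: the filter only ever reduces the number of signature packages, which is why the disk-space saving the page mentions applies to signature downloads alone.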
- Configuring the IPS Update Server
- Checking for IPS Updates and Downloading Them
- Automating IPS Updates
ISE Settings Page
Use the ISE Settings page to configure communication between Cisco Security Manager and the Cisco Identity Services Engine (ISE) for use with TrustSec firewall policies.
Note Security Manager supports communications with only one ISE appliance/server for fetching and resolving security group names and tags.
For PCI compliance, TLS 1.0 was disabled in Cisco Security Manager 4.15 and TLS 1.1 in 4.16; from release 4.16 onward, Security Manager uses only TLS 1.2.
ISE 1.3 and earlier do not support TLS 1.2. This affects legacy ISE settings in Security Manager from release 4.15 on: the incompatibility prevents such an ISE server from being integrated with Security Manager.
If you must use an ISE server at version 1.3 or earlier with Security Manager 4.15, 4.16, or 4.17, see the Cisco Security Manager User Guide for release 4.17 for the steps to integrate it successfully.
Select Tools > Security Manager Administration and select ISE Settings from the table of contents.
- Chapter 14, “Managing TrustSec Firewall Policies”
- Creating Security Group Objects
- Selecting Security Groups in Policies
Licensing Page
Use the Licensing page to manage licenses for the Security Manager application and for IPS devices. For more information, see Managing IPS Licenses.
Select Tools > Security Manager Administration and select Licensing from the table of contents.
- The license settings for the Security Manager application. For a description of the fields on this tab, see CSM Tab, Licensing Page.
- The license settings for IPS devices managed by Security Manager. For a description of the fields on this tab, see IPS Tab, Licensing Page.
CSM Tab, Licensing Page
Use the CSM tab on the Licensing page to view the list of installed Security Manager licenses and to install new licenses. For more information, see Installing Security Manager License Files.
Select Tools > Security Manager Administration, select Licensing from the table of contents, and click CSM.
IPS Tab, Licensing Page
Note Beginning with version 4.17, Security Manager continues to support existing IPS features and functionality but does not add IPS enhancements.
Use the IPS tab on the Licensing page to view the list of installed IPS device licenses, to install new or updated licenses, or to redeploy licenses. The license list shows current licenses, unlicensed devices, devices with expired licenses, and devices with invalid licenses. You can also use the settings on this page to send a report of all those IPS devices whose license would expire within a specified number of days.
Select Tools > Security Manager Administration, select Licensing from the table of contents, and click IPS.
- Updating IPS License Files
- Redeploying IPS License Files
- Automating IPS License File Updates
- License Update Status Details Dialog Box
- Filtering Tables
- Table Columns and Column Heading Features
Verifying IPS Devices for License Update or Redeployment
Note Beginning with version 4.17, Security Manager continues to support existing IPS features and functionality but does not add IPS enhancements.
When you select a device on the Licensing > IPS tab (see IPS Tab, Licensing Page) and try to update the license from Cisco.com (CCO) or redeploy the license, you are first shown a list of devices that will be updated. The name of the dialog box is based on the action you are taking:
- Updating Licenses via CCO dialog box —Review the IPS devices you selected to update from Cisco.com. The device list displays the IPS devices for which you can update the license from Cisco.com, which might not be all of the devices you selected.
To successfully update the license using this method, you must have a Cisco.com support contract that includes the serial numbers of the selected devices.
Tip The Cisco software license server (SWIFT) that holds the licenses might block requests from the same server for more than 9 licenses within a three-minute period. Select fewer than 9 devices at a time when performing manual license updates.
- Redeploying Licenses dialog box —Review the IPS devices you selected for redeploying licenses. Before you can redeploy a license to a device, you must have already deployed the license. Security Manager uses the file already associated with the IPS device to redeploy the license.
When you click OK, the License Update Status Details dialog box opens so that you can view the status of the license redeployment task. See License Update Status Details Dialog Box.
To open these dialog boxes, select one or more device on the Tools > Security Manager Administration > Licensing > IPS tab and click Update Selected via CCO or Redeploy Selected Licenses.
Selecting IPS License Files
Note Beginning with version 4.17, Security Manager continues to support existing IPS features and functionality but does not add IPS enhancements.
If you select one or more devices on the Tools > Security Manager Administration > Licensing > IPS tab and click Update from License File, you are prompted to select the license file you want to use with the Updating Licenses from File dialog box.
You can store the license file on a local drive on the Security Manager server, and, beginning with Version 4.5 of Security Manager, you can store it on a local drive on a client.
Click Browse to select the license file. You can select multiple license files using Ctrl+click or a range of files using Shift+click.
Note If you installed the Security Manager client on a different machine than the one on which Security Manager server is installed, you can choose to select the license file from either the client machine or the server machine. If both the client and the server are installed on the same machine, Security Manager allows you to select the license file only from the server.
When you have selected the license files you want to use, click OK to apply them to the IPS devices.
Note If you want to store the license file on a client machine, you must select "Enable Client side file browser" on the Customize Desktop page at Tools > Security Manager Administration > Customize Desktop.
License Update Status Details Dialog Box
Use the License Update Status Details dialog box to view the status of an IPS license update task. This dialog box opens whenever you start an update task from the IPS tab of the Licensing page. For more information, see IPS Tab, Licensing Page.
Logs Page
Use the Logs page to configure the default settings for the audit and operations logs. The audit log keeps a record of all state changes that occur in Security Manager.
Select Tools > Security Manager Administration and select Logs from the table of contents.
- Using the Audit Report Window
- Understanding Audit Reports
- Generating the Audit Report
- Purging Audit Log Entries
Policy Management Page
Use the Policy Management page to select the types of router and firewall policies you will manage in Security Manager. These selections apply to routers and firewall devices, but do not apply to IPS devices. By default, all policies are selected for management.
Unmanaged policies are removed from both Device view and Policy view. Any unmanaged policies, local or shared, are removed from the Security Manager database. The only exception is interface policies, which continue to appear in Security Manager but are marked as read-only policies. For firewall devices, interface and failover settings are considered a unit and are managed or unmanaged together.
For detailed information on managing and unmanaging policy types, including what you should do before and after changing these settings, see Customizing Policy Management for Routers and Firewall Devices.
Select Tools > Security Manager Administration and select Policy Management from the table of contents.
- The policy types are organized in folders, with router and firewall (which includes all ASA, PIX, and FWSM devices) handled separately, and then by category (NAT, Interfaces, and Platform). Select or deselect policy types as desired and click Save. Deselecting the check box for a group of policies deselects all policies in that group. By default, all policies are selected. Note Beginning with version 4.18, Security Manager supports ASA 9.10(1) devices that are configured on the Umbrella server.
- Display a warning on all shared policies and imported objects: Whether to add a message to all shared policies and to objects that were imported using the File > Import command. If you select this option, messages appear on the following:

If you regularly import shared policies, the imported policies and objects replace any same-named policies and objects, so any changes made locally are lost. This message can notify users that policies might be imported and help them identify policy objects that they might not want to edit.

If you are unmanaging a policy, you are shown a list of devices that have the policy assigned to them. Security Manager must be able to obtain the required locks to unassign the policy from all devices; otherwise, you must manually unassign the policies (or remove the locks) before unmanaging the policy. Because unmanaging removes the affected policies from the Security Manager database, take a server backup first if you might need them again. If you are managing a previously unmanaged policy, be sure to rediscover all affected devices to bring the existing configurations into Security Manager.
Policy Objects Page
Use the Policy Objects page to define system defaults related to policy object creation.
Select Tools > Security Manager Administration and select Policy Objects from the table of contents.
- Understanding and Specifying Services and Service and Port List Objects
- Chapter 6, “Managing Policy Objects”

- The action you want Security Manager to take when you try to create a policy object that has the same definition as an existing object:
- The port range value that is used as the default source port range for service objects. You can choose one of the following:
  If you change the default source ports, you must manually redeploy any previously deployed devices that might be affected. These changes might not be reflected in open activities until you refresh the data. For more information on port list objects, see Configuring Port List Objects.
- Whether to have Security Manager list matching service and port list names as you type when you create a service, so that you can select from names you have already defined. If you deselect AutoComplete, you must type the complete service and port list names yourself.
Process Monitoring Settings Page
Use the Process Monitoring Settings page to enable process monitoring. Here you can enable or disable monitoring for specific processes and configure notification settings such as the monitoring interval and the e-mail addresses to notify. When a monitored process stops, an e-mail notification is sent to the specified recipients.
To receive these e-mail alerts, configure the SMTP server and sender address in the Common Services (CS) web console.
Select Tools > Security Manager Administration and select Process Monitoring Settings from the table of contents.
Single Sign-on Configuration Page
Use the Single Sign-on Configuration page of the Security Manager Administration window to enable and configure a “single sign-on” (SSO) shared key to use for cross-launching Cisco Prime Security Manager or FireSIGHT Management Center.
Note Single sign-on allows users to cross-launch Prime Security Manager or FireSIGHT Management Center from Security Manager without logging into Prime Security Manager or FireSIGHT Management Center separately. However, SSO is not required to cross-launch Prime Security Manager or FireSIGHT Management Center.
Tip Cisco Prime Security Manager is used to manage ASA CX modules. FireSIGHT Management Center is used to manage ASA FirePOWER modules.
- Detecting ASA CX and FirePOWER Modules
- Launching Cisco Prime Security Manager or FireSIGHT Management Center
- Sharing Device Inventory and Policy Objects with PRSM
1. Click Tools > Security Manager Administration and select Single Sign-on Configuration from the table of contents.
2. Select Enable for Prime Security Manager [checkbox] or Enable for FireSIGHT Management Center [checkbox].

- [checkbox] Enables or disables the SSO feature for Prime Security Manager. When disabled, the shared key is retained.
- [checkbox] Enables or disables the SSO feature for FireSIGHT Management Center. When disabled, the shared key is retained.
- Use the features in this section to generate and view the encryption key used for cross-launching Prime Security Manager or FireSIGHT Management Center. Click Generate to randomly generate a 128-bit AES key, which is displayed as a 32-character hexadecimal string in the SSO Shared Key field. Note This key must be provided when configuring single sign-on cross-launching in Prime Security Manager or FireSIGHT Management Center, so protect it as you would any other shared secret. Also, each allowed Security Manager user must be configured in the Prime Security Manager database or the FireSIGHT Management Center user database with the same username as in the Security Manager user database (the password can be different).
Rule Expiration Page
Use the Rule Expiration page to define the default values for policy rule expiration. When you create policies for some types of policy rules (such as access rules), you can set an expiration date for the rule, and Security Manager can notify you by e-mail of the approaching expiration date.
You must configure an SMTP server to enable e-mail notifications. For more information, see Configuring an SMTP Server and Default Addresses for E-Mail Notifications.
Select Tools > Security Manager Administration and select Rule Expiration from the table of contents.
Server Security Page
Use the Server Security page to open specific pages in the CiscoWorks Common Services application, where you can configure various security features on the Security Manager server. CiscoWorks Common Services controls the basic functions of the Security Manager server, including user access control and system security.
When you log in to Security Manager, your username and password are compared with the account information stored in the CiscoWorks or Cisco Secure Access Control Server (ACS) database, depending on which system you established at installation as your AAA provider. After the authentication of your credentials, you have access according to the role you have been assigned.
For more information on Security Manager roles and privileges, including descriptions of how Common Services roles translate to user functions in Security Manager, see the Installation Guide for Cisco Security Manager.
Select Tools > Security Manager Administration and select Server Security from the table of contents.
- Opens Common Services and displays the AAA Mode Setup page. From this page, you can set AAA as your fallback sign-on method. For more information about AAA, click Help on the AAA Mode Setup page.
- Opens Common Services and displays the Self-Signed Certificate Setup page. CiscoWorks enables you to create self-signed security certificates, which you can use to enable SSL connections between your client browser and the management server. A browser warns about a self-signed certificate until it has been explicitly trusted, so give administrators the certificate's thumbprint out of band rather than letting them click through the warning. For more information about self-signed certificates, click Help on the Certificate Setup page.
- Opens Common Services and displays the Single Sign-On Setup page. With Single Sign On (SSO), you can use your browser session to navigate transparently to multiple CiscoWorks servers without having to authenticate to each of them. Communication between multiple CiscoWorks servers is enabled by a trust model based on certificates and shared secrets. For more information about setting up SSO, click Help on the Single Sign-On page.
- Opens Common Services and displays the Local User Setup page, from which you can add and delete users, edit user settings, and assign roles or permissions. For more information, click Help on the Local User Setup page and see the Installation Guide for Cisco Security Manager.
- Opens Common Services and displays the System Identity Setup page. Communication between multiple CiscoWorks servers is enabled by a trust model based on certificates and shared secrets. System Identity setup helps you create a trust user on servers that are part of a multi-server setup. For more information about system identity setup, click Help on the System Identity Setup page.
- Allow logon for user ids not available in Local User Database: For Security Manager installations integrated with an external authentication server such as Active Directory, TACACS+, or RADIUS, specifies whether users can log in even when their username is not defined in the Security Manager user list. When enabled, such users log in with the default role specified in Role Management Setup; if no default role is configured, the user is not allowed to log in. Keep the default role as restrictive as possible, because every account the external server authenticates receives it.
Take Over User Session Page
Use the Take Over User Session page to take over another user’s configuration session. A user with administrative privileges can take over the work of another user in non-Workflow mode. Taking over a session is useful when a user is working on devices and policies, causing the devices and policies to be locked, and another user needs access to the same devices and policies. However, when you take over another user’s session, your current session is discarded, so make sure that you submit your changes before taking over a session.
The table shows all current configuration sessions, listing the user name and the state of the session, whether the user is currently logged in or logged out. Select the configuration session you want to take over and click Take over session. The session is transferred to you in its current state, including any saved changes the user made during the session.
If the selected user is logged in at the time you take over the session, the user receives a warning message, loses any unsaved changes in progress, and then is logged out.
For more information, see Taking Over Another User’s Work.
Select Tools > Security Manager Administration and select Take Over User Session from the table of contents.
Ticket Management Page
Use the Ticket Management page to enable Ticket Management, to configure a ticketing system URL for integration with an external change management system, and to configure purge settings for ticket information.
When Ticket Management is enabled, every Image Management installation job must have an assigned ticket or it will not be performed.
Select Tools > Security Manager Administration and select Ticket Management from the table of contents.
- By default, this check box is checked. Clear the check box if you do not want the system-generated default name appended to the ticket name; the ticket name field in the activity creation dialog box is then left blank.
- The URL to use for launching an external change management system. When this field is configured, the Ticket ID is a hyperlink that launches the specified URL. The URL must be formatted as a template that accepts the Ticket ID as part of the URL; the template format uses {0} in place of the actual Ticket ID. For example, if the URL to launch an external ticket management system for a ticket with the ticket ID TKT12345 is http://ticketsystem/displayticket?ticketid=TKT12345, then the template URL you would use is http://ticketsystem/displayticket?ticketid={0}. When you create a ticket, the Ticket ID you specify is used in the hyperlink in place of the {0}.
- Click to display the Generate Template URL dialog box, which you can use to create a Ticketing System URL. Using the example above, you would enter TKT12345 in the Ticket ID field and http://ticketsystem/displayticket?ticketid=TKT12345 in the Ticket URL field. When you click OK, the appropriate template URL is created and entered into the Ticketing System URL field.
- Ticket History settings are available only in non-Workflow mode. In Workflow mode, purge settings are controlled by the settings for Activities (see Workflow Page).
- The number of days that ticket information is kept in the Ticket Manager table. The default is 30; you can specify from 1 to 120 days. Click Purge Now to delete all tickets older than the number of days specified.
- The number of days that change reports are kept. The default is 30. You can specify a value that is less than the Purge Tickets (including change report) Older than setting. Click Purge Now to delete all change reports older than the number of days specified.
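The template mechanism above, as an added Python example (not Security Manager's own code): make_template_url reproduces what the Generate Template URL dialog box does with the TKT12345 sample, and expand_template_url builds the hyperlink for a real ticket. Beyond what the page describes, the example refuses a sample ID that does not occur exactly once after the host name (so a later Ticket ID can never change which server the link points at), and it percent-encodes the Ticket ID when expanding, so that characters such as &, # or / in a ticket name cannot add query parameters or alter the path of the URL that is launched. The function names and the PLACEHOLDER constant are constructed for this example.

```python
from urllib.parse import quote, urlsplit, urlunsplit

PLACEHOLDER = "{0}"   # the page's placeholder for the Ticket ID


def make_template_url(ticket_url: str, ticket_id: str) -> str:
    """Turn a real ticket URL plus its Ticket ID into a template, as the
    Generate Template URL dialog box does.

    The ID is substituted only in the path, query and fragment, never in the
    scheme or host, and it must occur there exactly once; anything else makes
    the template ambiguous and is rejected.
    """
    parts = urlsplit(ticket_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError("ticket URL must be absolute (scheme and host)")
    tail = urlunsplit(("", "", parts.path, parts.query, parts.fragment))
    if tail.count(ticket_id) != 1:
        raise ValueError("sample Ticket ID must appear exactly once after the host")
    head = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    return head + tail.replace(ticket_id, PLACEHOLDER)


def expand_template_url(template: str, ticket_id: str) -> str:
    """Build the hyperlink for one ticket from the stored template.

    The Ticket ID is a user-supplied string; percent-encoding it (with no
    characters exempted) keeps it a single opaque value inside the URL.
    """
    if PLACEHOLDER not in template:
        raise ValueError("template has no {0} placeholder")
    return template.replace(PLACEHOLDER, quote(ticket_id, safe=""))


if __name__ == "__main__":
    template = make_template_url("http://ticketsystem/displayticket?ticketid=TKT12345", "TKT12345")
    print(template)                                   # http://ticketsystem/displayticket?ticketid={0}
    print(expand_template_url(template, "TKT12345"))  # the page's example, round-tripped
    print(expand_template_url(template, "TKT 1&x=2")) # hostile characters are encoded, not interpreted
```

str.replace is used deliberately instead of str.format: a template containing literal braces for other reasons would otherwise be misinterpreted, and format would also let a crafted Ticket ID string be treated as formatting syntax.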
Token Management Page
Use the Token Management page to identify the Token Management System (TMS) server to use for deploying configurations to Cisco IOS routers that use TMS as the communication protocol. Security Manager uses the settings on this page to contact the TMS server.
Security Manager uses FTP to deploy the delta configuration file to the TMS server, from which the configuration file can be downloaded and encrypted onto an eToken. FTP carries both the login credentials and the configuration file in cleartext, so confine this transfer to a trusted management network.
To use TMS with Cisco IOS routers, you must specify TMS as the transport protocol. You can do this for all routers on the Device Communication page (see Device Communication Page), or for a specific router in its device properties (see Device Properties: General Page). You must also configure the TMS server as an FTP server, otherwise deployment will fail.
Select Tools > Security Manager Administration and select Token Management from the table of contents.
VPN Policy Defaults Page
Use the VPN Policy Defaults page to view or assign the default VPN policies that Security Manager uses for each IPsec technology. Before you can select a policy as a default, you must create the policy as a shared policy, submit it to the database and have it approved. You cannot create policies from this page. For detailed information on how to configure these defaults, see Understanding and Configuring VPN Default Policies.
For each tab that relates to a VPN topology, the drop-down lists for each policy type list the existing shared policies that you can select. You can select a policy and click the View Content button to see the definition of that policy. In some cases, you are allowed to make changes, but you cannot save them.
Security Manager uses VPN policy defaults to simplify VPN configuration while ensuring that policy consistency is maintained. Security Manager provides factory default policies for mandatory policies, which provide values for settings that must be configured on the devices in your VPN topology for the VPN to work. Mandatory policies differ depending on the assigned IPsec technology. Factory default policies with their default configurations enable you to deploy to your devices immediately after creating the VPN topology. Default settings are not provided for optional policies. You might want to create shared policies to provide different default settings instead of using the factory default settings.
Select Tools > Security Manager Administration and select VPN Policy Defaults from the table of contents.
- Assigning Initial Policies (Defaults) to a New VPN Topology
- Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA and PIX 7.0+ Devices)
- Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS and PIX 6.3 Devices)
Workflow Page
Use the Workflow page to select the workflow mode that Security Manager enforces and to define the default settings for activity and deployment job notifications and logging.
Before changing the workflow mode, read the following topics to understand how the modes differ and the effects of changing the modes:
- Working in Workflow Mode
- Working in Non-Workflow Mode
- Comparing Workflow Modes
- Changing Workflow Modes
Click Tools > Security Manager Administration and select Workflow from the table of contents.
- Whether to enable Workflow mode. When Workflow mode is enabled, you can select whether or not to have an approver for activities and deployment jobs.
- Whether to require that activities be approved explicitly by an assigned approver. For more information about the differences between working with and without an approver, see Activity Approval.
- Whether to require that deployment jobs and install image jobs be approved explicitly by an assigned approver. For more information about the differences between working with and without an approver, see Understanding Deployment.
- By default, this check box is checked. Clear the check box if you do not want the system-generated default name appended to the activity name; the activity name field in the activity creation dialog box is then left blank.
- The e-mail address that Security Manager uses when sending e-mail notifications.
- The default e-mail address of the person responsible for approving activities. Users can override this address when submitting an activity for approval. For more information, see Submitting an Activity for Approval (Workflow Mode with Activity Approver).
- The default e-mail address of the person responsible for approving deployment jobs or schedules. Users can override this address when submitting a job or schedule for approval. For more information, see Submitting Deployment Jobs.
- Whether to send e-mail notifications whenever the status of a deployment job changes. If you select this option, enter the e-mail addresses that should receive notification in the Job Completion Notification field, separating multiple addresses with commas. You can also select Include Job Deployer to add the e-mail address of the person who deployed the job to the notification.
- The number of days that activity information is kept in the Activity table. The default is 30; you can specify from 1 to 180 days. Click Purge Now to delete all activities older than the number of days specified. Note If ticketing is enabled in non-Workflow mode, purge settings are controlled by the settings for Tickets (see Ticket Management Page).
- The number of days that deployment job information is kept in the Deployment Job table. The default is 30; you can specify from 1 to 180 days. Click Purge Now to delete all jobs older than the number of days specified.
- The number of days that deployment job information is kept in the Deployment Job table for each job schedule. This setting applies only to jobs that were initiated by a schedule. The default is 30; you can specify from 1 to 180 days. Click Purge Now to delete all jobs older than the number of days specified.
Wall Settings Page
The Security Manager Wall Settings page is where you can enable or disable the Wall feature.
The "Wall" feature is also called the "ShoutBox" feature. You can use it to send messages to all users who are logged in on the same Security Manager server. First, however, it must be enabled on the Wall Settings page.
Note: Only admin users have permission to enable or disable the Wall feature, but all users have permission to send messages.
You might use the Wall feature, for example, to coordinate with other users while you are making changes in your Security Manager installation, either to describe the changes being made or to request immediate actions related to them. Every message sent is broadcast to all users who are logged in. The Wall feature also allows users to enter basic profile information that other logged-in users can view. Another significant use of the Wall feature is to view the list of all users who are currently logged in. (A user is removed from the Wall window after an idle timeout or after logging out through the Security Manager client.)
You cannot use the Wall feature to send *.pdf, *.xls, or other file attachments.
Click Tools > Security Manager Administration and select Wall Settings from the table of contents.
When the Wall feature is enabled, you can open the Wall window by clicking Tools > Wall... or by clicking the Wall icon in Configuration Manager.
You can also open the Wall window by clicking the Wall icon in Health and Performance Monitor or Image Manager. You cannot open the Wall window in Event Viewer or Report Manager.
Detailed Wall feature help is available on the Wall window by clicking the help icon.
The Wall window contains the following elements:
- Left-hand pane, which shows the users who are logged in on the same Security Manager server and an expand/collapse button.
- Right-hand pane, which occupies most of the page and contains the text of the messages that users have sent. The right-hand pane also has a button to enable or disable wall alerts and the help icon, which you can click to see detailed help.