Configuring Security Contexts on Firewall Devices
You can define multiple security “contexts” on a single security appliance. Each context operates as an independent virtual device with its own security policy, interfaces and administrators, so multiple contexts behave much like multiple stand-alone devices. Many features are supported in multiple-context mode, including routing tables, firewall features, IPS, and management. Some are not: VPN, multicast and dynamic routing protocols are unsupported, so security contexts support only static routes and you cannot enable OSPF or RIP in multiple-context mode. (Remote access VPN on multiple-context ASA 9.6(2) and later devices is the exception; see the Add/Edit Security Context Dialog Box (PIX/ASA) section.) Also, some features, such as the IPS feature set for ASA and PIX devices, are not directly managed by Cisco Security Manager.
In multiple-context mode, the security appliance keeps a configuration for each context that identifies the security policy, interfaces, and most of the options you can configure on a stand-alone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single-mode configuration, is the start-up configuration. The system configuration identifies basic settings for the security appliance, but it does not include any network interfaces or network settings for itself; when the system needs to access network resources (such as downloading context configurations from a server), it uses the context that is designated as the Admin context. The system configuration is used to add, delete and edit basic context settings, including allocating network interfaces to the various contexts.
The Admin context is just like any other context, except that when a user logs in to the Admin context, that user has system administrator rights and can access the system configuration and all other contexts.
Enabling and Disabling Multiple-Context Mode
Cisco Security Manager does not support switching to multiple-context mode on an existing device. To perform this task, you must delete the device from Security Manager, enable multiple-context mode using a device manager or CLI input, and then add the device again to Security Manager. After the device is added in multiple-context mode, you can add, edit and delete security contexts.
Note
When manually defining a multiple-context device, choose Multi from the Contexts list in the Operating System section of the New Device - Device Information dialog box.
Similarly, Cisco Security Manager does not support restoring an existing device to single-context mode. To perform this task, you must delete the device and any of its child contexts from Security Manager, restore single-context operation using a device manager or CLI input, and then add the device again to Security Manager.
Note
When manually defining a single-context device, choose Single from the Contexts list in the Operating System section of the New Device - Device Information dialog box.
Checklist for Configuring Multiple Security Contexts
Security contexts allow a single physical device to act as multiple independent firewalls. Each security context defines a single virtual firewall, complete with its own configuration—and just as with physical devices, each security context must be correctly configured, or overall security can be compromised. Thus, defining and configuring multiple firewalls on the same physical appliance requires special care.
The following checklist outlines the basic steps necessary to configure a firewall device with multiple security contexts. Each of these steps may involve multiple substeps; all steps should be performed in the order presented. For example, you must define interfaces before configuring the various contexts.
1. Define interfaces and subinterfaces, or VLANs, on the physical appliance. In this task, you define the interfaces and subinterfaces (or, on FWSMs, VLANs) that will be allocated to the various security contexts when you create them later. Provide physical interface parameters, such as connection type (Ethernet, GigabitEthernet, etc.), hardware Port ID, speed, and duplex mode, as well as the VLAN ID if defining a subinterface. Result: All interfaces and subinterfaces are defined. For more information, see Configuring Firewall Device Interfaces.
2. Define an Admin context for administering the base security appliance. This task is called out separately to ensure you define a context and IP address specifically for administration of the security appliance. The process is the same as defining a security context; however, during the process, be sure to check Admin Context to designate this as the administration context. In addition to being used to administer the appliance, the Admin context is used to publish syslog and SNMP messages to monitoring devices, such as the Cisco Security Monitoring, Analysis and Response System (CS-MARS), for further processing. Until you associate a specific management IP address with the Admin context, the IP address used to manage the security appliance is the one you specified when defining the device. When you specify a Management IP Address with the Admin context, it takes precedence over the one on the Device Properties page. Result: The Admin context is defined and associated with a physical interface.
3. Define each security context, or virtual firewall, on the base appliance. In this task, you define individual security contexts, naming each, assigning a location for its configuration files, and allocating interfaces. Each security context represents a virtual firewall, and its definition includes the interfaces and range of associated VLAN IDs that are under its control. Note: While the Admin context can operate as a firewall device, it is typically used as such only in single-context mode; therefore, security contexts are treated as separate entities in this checklist. You cannot add new interfaces or modify the hardware Port value when defining a security context; you simply select previously defined interfaces for allocation to the context. Result: Each security context is defined and associated with a physical interface; the VLANs on which the security context will inspect traffic are also specified.
4. Submit/deploy to generate the virtual firewalls as children of the base appliance. You must create the desired contexts on the security appliance before you can begin defining the individual settings of each context. To create contexts on the appliance, you must define them, and then either submit changes in Workflow mode, or deploy the changes to the security appliance in non-Workflow mode. When you create a security context, a “virtual firewall device” appears beneath the original security appliance in the Device View. Each virtual device is indicated by a related device icon with a dotted outline, and its name is the base security appliance name, underscore (_), context name. For example, the virtual device asaMultiRouted_admin would represent the Admin context (named “admin”) on the security appliance named “asaMultiRouted.” Similarly, asaMultiRouted_security1 would represent the security context “security1” on the same base appliance. Result: Your changes are submitted or deployed (depending on the Workflow mode), which in turn creates the Admin and security contexts as children of the base security appliance.
5. Define additional settings for each security context. You can now complete the definition of each security context by selecting a virtual firewall device in the Device Selector and editing available policies, such as access rules, translation options and so on. Result: Each security context is fully defined, ready to operate as a virtual firewall.
Managing Security Contexts
The Security Contexts page lists security contexts configured for the selected device. You can add, edit and delete security contexts for an ASA, PIX 7.0+, or FWSM device running in multiple-context mode from this page.
Tip
Deleting a security context from an FWSM device removes the security context from the running configuration of the device, but it does not delete the associated configuration file. This can cause problems if you later add another security context with the same name as the one previously deleted. This is a known issue for FWSM and is not connected to the behavior of Security Manager. A work-around is to use the CLI to delete the configuration file from the device.
Remember, the security appliance must be in multiple-context mode in order for you to configure contexts using Security Manager. See Enabling and Disabling Multiple-Context Mode for more information.
Follow these steps to manage security contexts:
Step 1
Ensure Device View is your present application view; if necessary, click the Device View button on the toolbar.
For more information on using the Device View to configure device policies, see Managing Policies in Device View and the Site-to-Site VPN Manager.
Step 2
Select the appliance you want to configure.
Step 3
Select Security Contexts in the Device Policy selector to display the Security Contexts page.
Note
The child contexts of a multiple-mode device are represented using a different icon than firewall devices in single mode.
Step 4
Add, edit and delete contexts, as necessary:
- To define a new context, click the Add Row button at the bottom of the page to open the Add Security Context box.
- To edit an existing context, select the desired entry in the Security Contexts list and then click the Edit Row button at the bottom of the page to open the Edit Security Context dialog box.
- To delete an existing context, select the desired entry in the list and then click the Delete Row button.
Note
Deleting a security context here also removes the corresponding security context device from the device inventory.
Confirm the deletion of the security context and corresponding security context device.
Note
Except for the titles, the Add Security Context dialog box and the Edit Security Context dialog box are identical. For PIX/ASA devices, see Add/Edit Security Context Dialog Box (PIX/ASA) for more information; for FWSMs, see Add/Edit Security Context Dialog Box (FWSM) for more information.
Add/Edit Security Context Dialog Box (FWSM)
Note
From version 4.17, though Cisco Security Manager continues to support FWSM features/functionality, it does not support any bug fixes or enhancements.
The Add Security Context and Edit Security Context dialog boxes let you define and maintain contexts for the currently selected Firewall Service Module. (Except for their titles, the two dialog boxes are identical.)
Note that at least one security context must be designated as the Admin context.
You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page, as described in Managing Security Contexts.
Add/Edit Security Context Dialog Box (PIX/ASA)
Note
From version 4.17, though Cisco Security Manager continues to support PIX features/functionality, it does not support any bug fixes or enhancements.
The Add Security Context and Edit Security Context dialog boxes let you define and maintain contexts for the currently selected PIX/ASA security appliance. (Except for their titles, the two dialog boxes are identical.)
Note that at least one security context must be designated as the Admin context.
You can access the Add Security Context and Edit Security Context dialog boxes from the Security Contexts page, as described in Managing Security Contexts.
| Element | Description |
|---|---|
| Name | Enter a name of up to 32 characters for the context. The names Note: While context names are case-sensitive on the device, they are not in Security Manager. That is, you cannot have two contexts with the same name but different capitalization in Security Manager. |
| Mode | Choose the mode, Router or Transparent, for this security context. Note: You cannot change the chosen mode in the Edit Security Context dialog box. |
| Admin Context | Check this box if this context is to be the Admin context for this device. Note: The name of the Admin context for the device is displayed below the Security Contexts table. If this box is checked, the IPv4 Address Pool field is disabled. |
| Config URL | Specify the context configuration location as a URL-type address by choosing a file-system protocol and then entering the path and name of the file to access for the context configuration. That is, choose a protocol type from the drop-down list, and then type the server name (for remote file systems), path, and file name in the related text field. For example, the combined URL for FTP has the following format: |
| VPN in multiple context mode | Beginning with Security Manager version 4.12 for ASA version 9.6(2) devices, remote access VPN on multiple-context devices supports flash virtualization. Within a multi-context structure, each user context can have a private storage space and a shared storage space, carved out of the total flash that is available. |
| Storage URL - Private | Check Private to store files that belong only to this context. From the drop-down menu, choose the private directory that you created and map it to the location you designated in Config URL. Select one of the available options for Private Storage URL on multi-context ASA 9.6(2) or later devices. The default value of Storage URL - Private is disk0:/; you can modify this value. The context name is used as a directory name during any file deploy activity for ASA 9.6(2) multiple-context devices. |
| Storage URL - Shared | Check Shared to upload files to the shared storage space, where any user context has read/write access to them. From the drop-down menu, choose the shared directory that you created and map it to the location you designated in Config URL. Select one of the available options for Shared Storage URL on multi-context ASA 9.6(2) or later devices. The default value of Storage URL - Shared is shared; you can modify this value. The context name is used as a directory name during any file deploy activity for ASA 9.6(2) multiple-context devices. |
| Enable ScanSafe Web Security | To enable ScanSafe inspection in this context, select Enable ScanSafe Web Security. To override the license specified in the system configuration, enter a license ID in the License field; the ID must be 32 hexadecimal characters. See Chapter 20, “Working with ScanSafe Web Security,” for more information. |
| Interfaces | This table lists the interfaces and subinterfaces allocated to this context, and their associated settings. These are the interfaces and subinterfaces on which the security context will inspect traffic. To add interfaces and subinterfaces to this context, click the Add Row button below the table to open the Allocate Interfaces Dialog Box (PIX/ASA only). You can allocate one or more interfaces and, optionally with each interface, one or a range of subinterfaces. To edit an allocation entry, select it and then click the Edit Row button below the table to open the Edit Interface dialog box. Note that you can edit only the Alias Name and the Show hardware properties option; you cannot change the interface/subinterface assignments. Refer to Allocate Interfaces Dialog Box (PIX/ASA only) for more information about these options. To remove an interface/subinterface allocation, select the appropriate row in this table and then click the Delete Row button below the table. |
| Failover Group | If this context is part of an active/active failover configuration, choose the failover group to which this context belongs. |
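The checklist above and the dialog box fields together define what a sound multiple-context system configuration looks like: exactly one Admin context, a configuration location for every context, context names that are short and unique (case-insensitively, as far as Security Manager is concerned), and interface allocations that refer only to interfaces the system configuration actually defines. The following Python script is an added example, not code from Cisco Security Manager or from this guide. It parses a constructed ASA system configuration (not captured from a real device) and reports any of those rules that are broken; it also flags an interface allocated to more than one context, so that sharing an interface between virtual firewalls is a deliberate choice. Alias names and the visible/invisible keyword on an allocation are read past, not checked. The sample configuration, the URL_PREFIXES allowlist and all function names are assumptions made for this example.

```python
"""Lint an ASA multiple-context system configuration. Added example, not
Security Manager code: it checks the rules this page states (one admin context,
a config-url per context, names of at most 32 characters and unique
case-insensitively, allocated interfaces defined in the system configuration,
no interface shared between contexts unless intended). URL_PREFIXES and the
sample configuration are assumptions, not taken from a device."""
import re
from collections import defaultdict

# Constructed sample (not a real device).  GigabitEthernet0/1 is deliberately
# allocated twice and "Security1" collides with "security1".
SAMPLE_SYSTEM_CONFIG = """\
interface GigabitEthernet0/0
interface GigabitEthernet0/0.10
 vlan 10
interface GigabitEthernet0/0.11
 vlan 11
interface GigabitEthernet0/1
interface Management0/0
!
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
context security1
  allocate-interface GigabitEthernet0/0.10-GigabitEthernet0/0.11 inside1-inside2
  allocate-interface GigabitEthernet0/1 outside
  config-url disk0:/security1.cfg
!
context Security1
  allocate-interface GigabitEthernet0/1 outside invisible
"""

# Assumed config-url locations: local flash plus network file servers.
URL_PREFIXES = ("disk0:/", "disk1:/", "flash:/", "ftp://", "tftp://", "http://", "https://")
MAX_NAME_LEN = 32
# "GigabitEthernet0/0.10-GigabitEthernet0/0.11" allocates subinterfaces 10..11.
_RANGE = re.compile(r"^(?P<base>\S+?)\.(?P<lo>\d+)-(?P=base)\.(?P<hi>\d+)$")


def expand_interface_spec(spec):
    """Expand a subinterface range into individual names; a single name passes through."""
    m = _RANGE.match(spec)
    if not m:
        return [spec]
    return [f"{m['base']}.{n}" for n in range(int(m["lo"]), int(m["hi"]) + 1)]


def parse_system_config(text):
    """Return (system interfaces, admin-context name, list of context dicts)."""
    system_ifaces, admin_name, contexts, current = set(), None, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if not raw[0].isspace():  # a top-level command ends any context block
            current = None
            if words[0] == "interface":
                system_ifaces.add(words[1])
            elif words[0] == "admin-context":
                admin_name = words[1]
            elif words[0] == "context":
                current = {"name": words[1], "interfaces": [], "config_url": None}
                contexts.append(current)
        elif current is not None:  # sub-command inside a context block
            if words[0] == "allocate-interface":
                current["interfaces"] += expand_interface_spec(words[1])
            elif words[0] == "config-url":
                current["config_url"] = words[1]
    return system_ifaces, admin_name, contexts


def check_system_config(text):
    """Return one finding per violated rule; an empty list means the config passes."""
    system_ifaces, admin_name, contexts = parse_system_config(text)
    findings, seen_lower, owners = [], {}, defaultdict(list)
    if admin_name not in {c["name"] for c in contexts}:
        findings.append(f"admin context '{admin_name}' is missing or not a defined context")
    for ctx in contexts:
        name = ctx["name"]
        if len(name) > MAX_NAME_LEN:
            findings.append(f"context '{name}' exceeds {MAX_NAME_LEN} characters")
        prior = seen_lower.setdefault(name.lower(), name)
        if prior != name:
            findings.append(f"context '{name}' collides with '{prior}' "
                            "(names are case-insensitive in Security Manager)")
        if ctx["config_url"] is None:
            findings.append(f"context '{name}' has no config-url")
        elif not ctx["config_url"].startswith(URL_PREFIXES):
            findings.append(f"context '{name}' has unrecognised config-url {ctx['config_url']}")
        for iface in ctx["interfaces"]:
            if iface not in system_ifaces:
                findings.append(f"context '{name}' allocates undefined interface {iface}")
            owners[iface].append(name)
    for iface, names in owners.items():
        if len(names) > 1:
            findings.append(f"interface {iface} is shared by contexts: {', '.join(names)}")
    return findings
```

Running check_system_config(SAMPLE_SYSTEM_CONFIG) produces three findings: the name collision between security1 and Security1 (accepted by the device, rejected by Security Manager), the missing config-url on Security1, and GigabitEthernet0/1 being shared by two contexts. Removing the Security1 block yields an empty list. Run the same check over the system configuration you pull from a device before and after a deployment to confirm that a context was created with the interfaces and configuration location you intended.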
Allocate Interfaces Dialog Box (PIX/ASA only)
Note
From version 4.17, though Cisco Security Manager continues to support PIX features/functionality, it does not support any bug fixes or enhancements.
The Allocate Interfaces dialog box lets you assign an interface, and optionally one or a range of related subinterfaces, to a context, and set name-aliasing options.
You access the Allocate Interfaces dialog box from the Add Security Context and Edit Security Context dialog boxes. See Add/Edit Security Context Dialog Box (PIX/ASA) for more information.