3-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 3 Managing the Device Inventory
Adding Devices to the Device Inventory
The New Device wizard guides you through the process of adding devices to the inventory. You can add
devices from many different sources, and the path through the wizard differs significantly based on the
method you are using.
To start the New Device wizard, from Device view, select File > New Device, or click the Add button
in the device selector.
Note: There is also another way to add devices. If you exported a .dev file from another Security Manager
server, which contains not only a device inventory but also the policies and policy objects assigned to
them, you can import the file using the File > Import command. For more information, see Importing
Policies or Devices, page 10-13.
Tips on Adding Devices and Service Modules
• For PIX Firewalls and FWSM and ASA devices that are configured for failover, add only the active
unit to Security Manager. Ensure that the device is configured with a management IP address and
use that address for discovery. When discovering Catalyst switches that contain more than one
service module (FWSM or ASA-SM) configured for failover, when prompted, select Do Not
Discover Module for the failover modules. Security Manager always manages the active admin
context, regardless of whether you added the primary or secondary failover service module.
• Service modules are treated as separate devices. For most modules, you must add the service module
separately from its host device. However, Security Manager can automatically discover FWSM or
IDSM modules in a Catalyst 6500 device, so you need only add the parent device. (You cannot
discover an ASA-SM during discovery of the parent device. You must add the ASA-SM separately.)
The only exception is if you configure an FWSM or IDSM module to use a non-default port for
HTTPS (SSL), in which case you must add the module separately.
• When adding an ASA-SM or FWSM that has multiple security contexts (they are running in
multiple-context mode), do not add the security contexts individually using their management IP
addresses. Instead, add the device using the admin context management address (this also adds the
individual contexts). Then, configure Security Manager to deploy configurations to multiple-context
devices serially as described in Changing How Security Manager Deploys Configurations to
Multiple-Context FWSM, page 9-16.
• You cannot add devices beyond the device limits defined by your Security Manager license. For
example, if you have a license for 50 devices, and there are 45 devices in the inventory, and you try to
add a multiple-context ASA with 6 security contexts, the device addition and discovery fail.
The following topics describe the various methods of adding devices:
• Add Device from Network—To add devices that are currently active on the network, see Adding
Devices from the Network, page 3-11. Security Manager connects directly and securely to the
device and discovers its identifying information and properties.
– Pros—You need to specify minimal information about a device, and Security Manager obtains
the detailed information directly from the device, ensuring accuracy.
– Cons—You can add only one device at a time. You cannot add devices that have dynamic IP
addresses, unless you determine the device’s current IP address, add it using that address, and
then update the device properties in Security Manager to identify the Configuration Engine that
is managing the device.
• Add from Configuration File—To add devices by using a copy of the device configuration files,
see Adding Devices from Configuration Files, page 3-20.
– Pros—You can add more than one device at a time.