3-52
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 3 Managing the Device Inventory
Working with the Device Inventory
If you make these changes, and you do not have any policies defined that are affected by the change,
you might be able to change the target OS version of the device. Security Manager prevents you from
changing the target OS version of a managed device to a version that changes the types of policies
that are available for that device, and informs you when it cannot make the change (identifying the
problem policies). Therefore, you must first delete the device from Security Manager, perform the
image change, then add the device back.
Certain types of policies, such as access rules, are not affected by changes in image version or
changes in platform type.
• Security context and operational mode changes—Changes that you make to the security context and
operational mode settings on an FWSM or ASA device enable a different set of features on that
device. These changes occur if you change the device from:
– Single context to multiple context (or vice-versa).
– Routed mode to transparent mode (or vice-versa).
Security Manager prevents you from changing the security context or operational mode settings of
a managed device. Therefore, you must first delete the device from Security Manager, change the
context or mode, then add the device back.
Certain policy types (for example, Banner, Clock, Console Timeout, and HTTP) are not affected by
changes in operational mode. Other policy types (for example, ICMP, SSH, and TFTP, in addition
to Banner and Clock) are not affected by changes in security context settings.
• Replacing device hardware—In some cases, you might replace a particular device but retain the
original contact information (such as the IP address), for example:
– Replacing a PIX firewall with a Cisco IOS router.
– Replacing a PIX firewall with an ASA device.
– Replacing a router with a firewall device.
– Replacing a router with a new router of a different model.
In all of these cases, the new device changes the types of policies available for that device in Security
Manager. Security Manager prevents you from modifying the hardware model of an existing device.
Therefore, you must first delete the device from Security Manager, change the physical device, then
add the device back.
Certain policy types (for example, access rules) are not affected by changes in device type.
We recommend that you share the policies configured on your device that will not be affected by the
change before you remove it from Security Manager. This provides a useful method for reassigning the
policies to the device (with any inheritance and policy object references intact) after you add it back to
Security Manager. The following procedure describes how to do this.
Related Topics
• Understanding the Device View, page 3-1
• Understanding Device Properties, page 3-6
• Understanding Policies, page 5-1
• Image Version Changes That Do Not Change the Feature Set in Security Manager, page 3-50
Step 1 Submit and deploy all the changes you configured for the device in Security Manager. This ensures that
the desired configuration is on the device before the image upgrade.