Cisco Systems CL-28826-01 Security Camera User Manual
5-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
Settings-Based Policies vs. Rule-Based Policies
Security Manager policies are structured as either rule-based policies or settings-based policies.
Rule-Based Policies
Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such
as the access rules and inspection rules defined as part of a firewall service. Rule-based policies can
contain hundreds or even thousands of rules arranged in a table, each defining different values for the
same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first
rule whose definition matches the flow (known as first matching).
The structure of the rules table depends on whether you configure a local policy or a shared policy (see
Local Policies vs. Shared Policies, page 5-3). If you configure a local rule-based policy for a single
device, the policy contains a flat table of local rules. If you configure a shared rule-based policy (either
in Device view or Policy view), the table is divided into two sections, Mandatory and Default. Mandatory
rules always precede the default rules, and cannot be overridden by local or default rules. The Default
section contains rules that can be overridden by mandatory and local rules. You can define rules in either
the Mandatory or Default section and move rules between sections using cut-and-paste.
When you define certain types of rule-based policies, such as firewall service policies, you can create a
policy hierarchy in which rules located at lower levels in the hierarchy acquire properties from the rules
located above them. This is known as rule inheritance. For example, you can define a set of inspection
rules that apply globally to all firewalls, while supplementing these rules with additional rules that can
be applied to a subset of devices. By maintaining common rules in a parent policy, inheritance enables
you to reduce the chance of introducing configuration errors that will cause deployment to fail. For more
information, see Understanding Rule Inheritance, page 5-4.
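The following is an added example, not code from the Cisco Security Manager guide, that models the rule-table structure described above: a shared policy with Mandatory and Default sections, local rules, a parent policy for inheritance, and first-match evaluation. The effective ordering it assumes (inherited mandatory rules first, then the policy's own mandatory rules, then local rules, then the policy's default rules, then inherited default rules) is taken from the statements that mandatory rules precede and cannot be overridden by local or default rules; the rule fields, names and addresses are constructed for illustration. It also includes a simple shadowing check, because with first matching a local permit placed after a broader mandatory deny can never fire, which is the kind of ordering mistake a reviewer wants to catch before deployment.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of a rule table (constructed, simplified 5-tuple-style fields)."""
    name: str
    action: str            # "permit" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port; None means any port

    def matches(self, flow: Tuple[str, str, int]) -> bool:
        src, dst, dport = flow
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match is already matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


@dataclass
class SharedPolicy:
    """A shared rule-based policy: Mandatory and Default sections, optional parent."""
    mandatory: List[Rule] = field(default_factory=list)
    default: List[Rule] = field(default_factory=list)
    parent: Optional["SharedPolicy"] = None


def effective_rules(policy: SharedPolicy, local: List[Rule] = ()) -> List[Rule]:
    """Flatten the hierarchy into evaluation order (assumed ordering, see lead-in):
    outermost parent's mandatory rules first, innermost default rules last,
    with the device's local rules between the mandatory and default blocks."""
    chain = []
    p = policy
    while p is not None:
        chain.append(p)
        p = p.parent
    top = [r for pol in reversed(chain) for r in pol.mandatory]   # parent -> child
    bottom = [r for pol in chain for r in pol.default]            # child -> parent
    return top + list(local) + bottom


def first_match(rules: List[Rule], flow: Tuple[str, str, int]) -> Optional[Rule]:
    """First matching: the first rule whose definition matches the flow wins."""
    for r in rules:
        if r.matches(flow):
            return r
    return None


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


def build_sample_policy() -> Tuple[SharedPolicy, List[Rule]]:
    """Constructed sample: a global parent policy, a branch child policy, local rules."""
    global_policy = SharedPolicy(
        mandatory=[Rule("deny-telnet", "deny", "0.0.0.0/0", "0.0.0.0/0", 23)],
        default=[Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None)],
    )
    branch_policy = SharedPolicy(
        mandatory=[Rule("permit-web", "permit", "10.1.0.0/16", "192.168.1.10/32", 443)],
        default=[Rule("permit-dns", "permit", "10.1.0.0/16", "192.168.1.53/32", 53)],
        parent=global_policy,
    )
    # A local rule that tries to re-allow telnet: shadowed by the mandatory deny.
    local_rules = [Rule("local-permit-telnet", "permit", "10.1.2.0/24", "192.168.1.20/32", 23)]
    return branch_policy, local_rules


if __name__ == "__main__":
    branch, local = build_sample_policy()
    table = effective_rules(branch, local)
    print("evaluation order:", [r.name for r in table])
    hit = first_match(table, ("10.1.2.5", "192.168.1.20", 23))
    print("telnet flow hits:", hit.name if hit else None)
    print("rules that can never match:", shadowed(table))
```

Running the block prints the flattened evaluation order, shows that a telnet flow is caught by the inherited mandatory deny rather than the local permit, and lists `local-permit-telnet` as unreachable; the shadowing check compares address ranges and ports only, so a production check would also need to account for protocol, direction and any other fields the real rule table carries.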
Settings-Based Policies
Settings-based policies contain sets of related parameters that together define one aspect of security or
device operation. For example, when you configure a Cisco IOS router, you can define a quality of
service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on which
QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based
policies, which can contain hundreds of rules containing values for the same set of parameters, you can
define only one set of parameters for each settings-based policy defined on a device.
Related Topics
Understanding Policies, page 5-1
Service Policies vs. Platform-Specific Policies
Security Manager policies are divided into several domains, each of which represents a major policy
category. These domains can be divided into two categories: service policies and platform-specific
policies.
Service policies are divided into the following policy domains:
Firewall.
Site-to-site VPN.
Remote Access VPN.
IPS service policies.