Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
configurations of these types that were configured using other methods. For example, if you decide not
to manage SNMP policies, any SNMP configurations that you configured using CLI commands are
unknown to Security Manager.
Caution: If you use AUS or CNS to deploy configurations to ASA or PIX devices, be aware that the device
downloads a full configuration from AUS or CNS. Thus, reducing the policies managed by Security
Manager actually removes the configurations from the device. If you intend to deselect some ASA/PIX
policies for management to use other applications along with Security Manager to configure devices, do
not use AUS or CNS.
The ability to customize policy management on routers and firewalls makes it possible, for example, to
use Security Manager to manage DHCP and NAT policies while leaving routing protocol policies, such
as EIGRP and RIP, unmanaged. These settings, which can be modified only by a user with administrative
permissions, affect all Security Manager users.
Unmanaged policies are removed from both Device view and Policy view. Any existing policies of that
type, local or shared, are removed from the Security Manager database.
To customize policy management for routers and firewalls, select Tools > Security Manager
Administration > Policy Management to open the Policy Management Page, page 11-45. The policy
types are organized in folders, with router and firewall (which includes all ASA, PIX, and FWSM
devices) handled separately. Select or deselect policy types as desired and click Save. Subsequent
processing depends on whether you are changing a policy type to be managed or unmanaged:
• Unmanaging a policy type—If you unmanage a policy type, and any device of that type has that
policy configured, you must unassign the policies before unmanaging them. Security Manager
displays a list of all devices that have assigned policies of that type, including the policy name,
device name, and the user or activity that has a lock on the policy. If you click Yes to continue
unmanaging the policy, Security Manager obtains the required locks, unassigns the policies, and
then unmanages the policy type.
If a lock could not be obtained for even one device, no policies are unassigned, the policy type is not
unmanaged, and you are told of the problem. You can then either manually unassign the policies
from the affected devices, or release the user or activity locks, and try again to unmanage the policy
type.
Note: Unmanaging a policy has no effect on the active configuration running on the device;
Security Manager does not remove the configuration from the device. Instead, unmanaging
the policy removes it from the database, and Security Manager no longer considers that part
of the device configuration.
• Managing a previously-unmanaged policy type—If you start managing a policy type that you
previously did not manage using Security Manager, it is possible that the active configuration on the
device has commands controlled by the newly-managed policy type. It is therefore important that
you rediscover policies on all devices of that type (either all routers or all ASA, PIX, FWSM
devices). This ensures that Security Manager has the current configuration for these policies.
If you do not rediscover policies and leave the newly-managed policies unconfigured, on the next
deployment to the device, the existing settings configured on the device are removed. For more
information on discovering policies on devices already managed, see Discovering Policies on
Devices Already in Security Manager, page 5-15.