User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Discovering Policies
Remote Access VPN Policies, page 29-12. For more information about performing policy discovery,
see Adding Devices to the Device Inventory, page 3-6 and Discovering Policies on Devices Already
in Security Manager, page 5-15.
Note: If you add a device using a configuration file and discover security policies while adding the device, Security Manager cannot successfully discover policies that require files to be downloaded from the discovered device. This especially affects devices whose SSL VPN configuration includes the svc image command. Because Security Manager does not have the referenced file in its database, the no form of the command is generated for the discovered configuration.
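The following is an added example and is not code from Cisco Security Manager or from this guide: a pre-import check, written in Python, that scans a saved ASA/PIX configuration file for svc image commands under webvpn (packages stored on the device's flash) so that you can choose live discovery for such a device rather than discovery from the file. The sample configuration, the regular expression, the function names and the predicted no form are all constructed here; in particular, it is an assumption that the generated negation is simply the original command prefixed with no.

```python
"""Added example (not code from Cisco Security Manager or this guide).

Scan a saved ASA/PIX configuration file for SSL VPN commands that
reference a file stored on the device ('svc image' under 'webvpn').
Discovery from a configuration file cannot fetch those files, so the
discovered policy would carry the 'no' form of each such command.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample config fragment; not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy GroupPolicy_RA internal
"""

# 'svc image <path> [order]' as it appears as a webvpn sub-command.
SVC_IMAGE_RE = re.compile(r"^\s+svc image\s+(\S+)(?:\s+(\d+))?\s*$")


@dataclass(frozen=True)
class FileReference:
    line_no: int          # 1-based line in the config file
    command: str          # the command as written, leading indent removed
    path: str             # file on the device, e.g. disk0:/anyconnect-....pkg
    order: Optional[int]  # optional image order number


def find_device_file_references(config_text: str) -> List[FileReference]:
    """Return every 'svc image' command inside the top-level webvpn block.

    ASA/PIX running-configs indent sub-commands with a space; a line with
    no indent starts a new top-level command and therefore ends the block.
    """
    refs: List[FileReference] = []
    in_webvpn = False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.startswith(" "):
            in_webvpn = raw.strip() == "webvpn"
            continue
        if not in_webvpn:
            continue
        m = SVC_IMAGE_RE.match(raw)
        if m:
            order = int(m.group(2)) if m.group(2) else None
            refs.append(FileReference(line_no, raw.strip(), m.group(1), order))
    return refs


def predicted_negations(refs: List[FileReference]) -> List[str]:
    """Assumed form of what discovery from a file would generate: each
    'svc image' command negated with 'no' (an assumption for illustration)."""
    return ["no " + r.command for r in refs]


def preflight_report(config_text: str) -> List[str]:
    """Human-readable findings; an empty list means discovery from this file
    would not drop any svc image command."""
    refs = find_device_file_references(config_text)
    report = []
    for r, neg in zip(refs, predicted_negations(refs)):
        report.append(f"line {r.line_no}: '{r.command}' references {r.path}; "
                      f"file-based discovery would produce '{neg}'")
    if refs:
        report.append("Recommendation: add this device with live discovery "
                      "(or re-discover it after it is in the inventory) so "
                      "the referenced packages are retained.")
    return report


if __name__ == "__main__":
    for line in preflight_report(SAMPLE_CONFIG) or ["no device file references found"]:
        print(line)
```

Run it against an exported running-config before choosing "add device from configuration file"; any finding means the SSL VPN image commands would be negated in the discovered policy, so discover the device live (or re-discover it once it is in the inventory, as described below).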
Policy Discovery and Cisco IOS Routers and Catalyst Devices
Security Manager supports a subset of the commands available in Cisco IOS software, mostly security-related commands. You can discover all supported Cisco IOS commands. Commands that are not supported are left in place on the device unless they conflict directly with a policy configured in Security Manager. For more information about performing policy discovery on Cisco IOS routers, see Discovering Router Policies, page 58-3. For more information about performing policy discovery on Catalyst devices, see Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers, page 65-1.

Tip: We recommend that you deploy to a file immediately after discovering a Cisco IOS router or Catalyst device. This enables Security Manager to assume full management of the relevant CLI commands that are configured on the device.
Policy Discovery and Firewall Security Contexts
When you add a device that has security contexts, you should discover all contexts and policies at the same time; otherwise, you will have to discover policies for each context separately. When you add the device, select MULTI for Context and do not select Security Context of Unmanaged Device. (If you select this option, only the admin context is imported, and it has no relationship to other security contexts on the device; select this option only if you want to manage the security context independently from the parent device.) Depending on how you add the device, you might need to select the option to discover security contexts. During discovery, Security Manager identifies each security context and adds it as a separate device to the device list, appending the security context name to the end of the parent's name; for example, if the parent is pix_141, the admin context would be pix_141_admin. (You can control the naming convention for security contexts; for more information, see Discovery Page, page 11-21.) You can create new security contexts, or delete existing contexts, as well as create and delete policies for those contexts.
If you create multiple security contexts on an FWSM (a Firewall Services Module installed in a Catalyst 6500 chassis) and the chassis is running Cisco IOS software, add the chassis device using the SSH credentials for the chassis. Security Manager can then identify each FWSM on the chassis and give you the option to add each of them. During FWSM discovery, Security Manager discovers the security contexts for each FWSM, including the policies for the FWSM and for each context. However, if the chassis is running Catalyst OS, you must discover each FWSM individually.

For more information about adding devices to the inventory, see Adding Devices to the Device Inventory, page 3-6.
Policy Discovery and IPS Devices