5-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Discovering Policies
When you discover policies on an IPS device, the virtual sensors defined on the device are also
discovered along with the policies defined for the virtual sensors. If more than one virtual sensor uses
the same policy, that policy is created as a shared policy and is assigned to the virtual sensors. Policies
defined for a single virtual sensor, or only for the parent device, are created as local policies. You cannot
discover policies just for an individual virtual sensor; you can discover policies only on the parent
device. If policies are discovered on the parent device that are not assigned to any virtual sensors, those
policies are created as shared policies that are not assigned to any device or virtual sensor.
After discovering an IPS device that contains virtual sensors, you must submit your changes to the
database for the virtual sensors to appear in the device selector.
Policy Discovery and Object Groups
When you perform policy discovery, any object groups already configured on PIX, ASA, FWSM, and
IOS 12.4(20)T+ devices are brought into Security Manager as policy objects. For more information
about how Security Manager policy objects are translated into object groups and vice versa, see How
Policy Objects are Provisioned as Object Groups, page 6-91.
In addition, object network and object service configurations on ASA 8.3+ devices are brought into
Security Manager as network/host objects of type host, network, or address range, or as service objects
(not service group objects). The one exception is an address range object whose start and end address
are the same: such an object is created as a host network/host object rather than as an address range.
Note For IOS devices, objects that are discovered and that are referenced by access control lists discovered
as ACL objects are replaced during deployment by the contents of the object. In other words, object groups
used with ACL objects are not preserved on the device, although they are still discovered as Security
Manager policy objects.
Policy Discovery and Security Manager Policy Objects
When you perform policy discovery, Security Manager tries to reuse the policy objects that you have
already created in Security Manager. Based on the contents of the device configuration, the following
are the possible actions:
•  Named policy objects in the configuration—Existing policy objects are reused if their content
   matches the configuration on the device.
   If the contents of the named policy object do not match, the policy object is reused and a
   device-level override is created if Allow Device Override for Discovered Policy Objects is
   selected on the Discovery administration page. For more information, see these topics:
   –  Understanding Policy Object Overrides for Individual Devices, page 6-17
   –  Discovery Page, page 11-21
•  Unnamed policy objects in the configuration—Existing policy objects are used if their content
   matches the configuration on the device. You can control this behavior by changing the value of the
   Reuse Policy Objects for Inline Values setting on the Discovery administration page.
   You can discover objects that have the same definition as existing objects, regardless of the setting
   you have defined for detecting redundant objects. For more information about this setting, see Policy
   Objects Page, page 11-47.
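The two rules above for ASA 8.3+ object network configurations (a range whose start and end address are equal becomes a host object) and for named-object reuse (matching content is reused; mismatching content is reused with a device-level override only when Allow Device Override for Discovered Policy Objects is selected) can be checked against a configuration before you run discovery. The following script is an added illustration written for this guide, not Security Manager code: it parses object network blocks from a constructed ASA configuration, classifies them the way the text describes, and compares them with a constructed table of objects assumed to already exist in Security Manager. Object service blocks and the behavior for a content mismatch when overrides are not allowed are not modeled here because the text above does not describe them.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample ASA 8.3+ configuration (not taken from the guide).
SAMPLE_ASA_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
object network DMZ-NET
 description DMZ servers
 subnet 10.2.0.0 255.255.0.0
object network DHCP-POOL
 range 10.3.0.100 10.3.0.200
object network LONE-RANGE
 range 10.4.4.4 10.4.4.4
object network OLD-WEB
 host 10.1.1.99
"""


@dataclass(frozen=True)
class NetworkObject:
    name: str
    kind: str   # "host", "network", or "range": the network/host object type
    value: str  # canonical content used for the content-match comparison


def parse_asa_network_objects(config_text):
    """Return the network/host objects that discovery would create from
    the object network blocks in an ASA 8.3+ configuration."""
    objects = []
    name = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^object network (\S+)$", line)
        if header:
            name = header.group(1)
            continue
        if name is None or not line.startswith(" "):
            continue
        tokens = line.split()
        if tokens[0] == "host":
            objects.append(NetworkObject(name, "host", tokens[1]))
        elif tokens[0] == "subnet":
            # Canonicalize mask notation so 255.255.0.0 and /16 compare equal.
            net = ipaddress.IPv4Network((tokens[1], tokens[2]), strict=False)
            objects.append(NetworkObject(name, "network", str(net)))
        elif tokens[0] == "range":
            start, end = tokens[1], tokens[2]
            if start == end:
                # Documented exception: a range with identical start and end
                # addresses is discovered as a host object, not a range.
                objects.append(NetworkObject(name, "host", start))
            else:
                objects.append(NetworkObject(name, "range", f"{start}-{end}"))
        # description and other lines carry no address content; ignore them
    return objects


# Constructed table of policy objects assumed to exist already in Security Manager.
EXISTING_OBJECTS = {
    "WEB-SRV": NetworkObject("WEB-SRV", "host", "10.1.1.10"),     # same content
    "DMZ-NET": NetworkObject("DMZ-NET", "network", "10.2.0.0/16"),  # same content
    "OLD-WEB": NetworkObject("OLD-WEB", "host", "10.1.1.50"),     # different content
}


def plan_discovery(discovered, existing, allow_device_override):
    """Decide, per discovered named object, whether the existing policy object
    is reused as-is, reused with a device-level override, or neither."""
    plan = {}
    for obj in discovered:
        current = existing.get(obj.name)
        if current is None:
            plan[obj.name] = "new object"
        elif (current.kind, current.value) == (obj.kind, obj.value):
            plan[obj.name] = "reuse existing object"
        elif allow_device_override:
            plan[obj.name] = "reuse existing object with device-level override"
        else:
            plan[obj.name] = "content conflict; override not allowed"
    return plan


if __name__ == "__main__":
    found = parse_asa_network_objects(SAMPLE_ASA_CONFIG)
    for obj in found:
        print(f"{obj.name:12} {obj.kind:8} {obj.value}")
    for name, action in plan_discovery(found, EXISTING_OBJECTS, True).items():
        print(f"{name:12} -> {action}")
```

Running the script shows LONE-RANGE typed as a host object and OLD-WEB flagged for a device-level override, which is the case to review before discovery: the shared object keeps its original content and only this device receives the differing value. The "content conflict" label is a placeholder for the decision that the Discovery administration page governs; it does not assert what Security Manager does in that case.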
For more information on policy objects, see Chapter 6, “Managing Policy Objects”.
Policy Discovery and Access Control Lists
Certain policies in Security Manager support only standard or only extended ACLs, even if both types
are supported by the CLI. In such cases, policy discovery works as follows: