Filter
Top Products
5-16
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Discovering Policies
Before You Begin
Ensure that no one is configuring policies on the device or deploying configurations to the device. If you
rediscover policies on a device while a deployment job is deploying configurations to the device, you
might not be able to see the deployed changes after the rediscovery. Use the Deployment Manager to
determine if there are active jobs that include the device before you rediscover policies (select Manage
> Deployments). If you inadvertently rediscover policies during a deployment job, wait until the
deployment job is completed and then discover policies again to ensure that Security Manager is
synchronized with the device.
Related Topics
• Viewing Policy Discovery Task Status, page 5-21
• Discovering Policies, page 5-12
• Frequently Asked Questions about Policy Discovery, page 5-25
• Understanding Policies, page 5-1
• Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-28
• Managing Shared Policies in Policy View, page 5-47
Step 1 Decide whether you need to discover policies on a single device or if you want to discover policies on
more than one device at a time. Policy discovery options vary based on how you start the discovery
process.
• Single device discovery—If you need to discover policies related to any of the following, you can
do it using only single-device discovery. (Note that single-device discovery is the type of discovery
performed when you add a device to the inventory.)
–
Security context configurations for ASA, PIX, and FWSM devices running in multiple context
mode.
–
Virtual sensor configurations for IPS devices.
–
Service module information for Catalyst devices.
–
Policy discovery from a configuration file.
–
Policy discovery from the factory default configuration.
• Bulk rediscovery—If you need to discover policies for more than one device, you can perform bulk
rediscovery. However, bulk rediscovery can be performed only on live devices (that is, devices
currently running and accessible in your network), and you cannot discover security context, virtual
sensor, or Catalyst service module configurations. (You can discover service modules if you select
them directly instead of selecting the device that contains them.)
Step 2 If you want to perform single-device discovery, do the following:
a. In device view or map view, ensure that only one device is selected, then right-click and select
Discover Policies on Device. This opens the Create Discovery Task dialog box.
Tip: If the dialog box is called Bulk Rediscovery, you need to close the dialog box and try again.
Ensure that only a single device is selected and reissue the command. You must use the right-click
menu; it is the only way to perform single-device discovery.
b. Modify the discovery task name, if desired, and select the following discovery options. For detailed
information, see Create Discovery Task and Bulk Rediscovery Dialog Boxes, page 5-18.
• Discover From—Whether you are discovering from a live device (which is active and
accessible in the network), a configuration file (click Browse to select the file on the Security
Manager server), or factory default configuration (for ASA, PIX, and FWSM devices running