5-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Discovering Policies
Answer: Typically, you should discover policies when you add devices to Security Manager. However,
if you are creating devices in Security Manager (instead of importing live devices or configuration files),
you must perform policy discovery after adding the device. You should also perform policy discovery in
order to synchronize Security Manager with any out-of-band changes that have been made to the device,
for example through the CLI.
Question: How can I determine the results of the discovery?
Answer: When you initiate a discovery task, a window opens that shows you the discovery status and
results. You can also view a history of discovery task results on the Policy Discovery Status page (select
Manage > Policy Discovery Status).
Question: Does Security Manager show which commands are not discovered, and what can I do about
them?
Answer: In the discovery status window, go to the Message Summary section, then select Commands
Not Discovered. Any undiscovered commands are listed in the Description field. You can either remove
the command from the device and repeat the discovery process, or continue. If you continue, Security
Manager will remove the unsupported command in the next deployment.
If Security Manager does not support a command found on a device, the discovery is generally not
aborted; however, if the device has any access control entries (ACEs) that refer to unsupported object
groups, the discovery is aborted. Other error messages, such as User groups not supported, might also
provide details about undiscovered commands. Read the information in the Action box for suggestions.
Question: How are discovered policies reflected in the user interface?
Answer: Security Manager converts the device commands into policies. There is no difference in
appearance between a policy discovered from a device configuration and one defined directly in Security
Manager.
Question: I am using Auto Update Server for my PIX or ASA devices. How do I discover policies?
Answer: If a device has a static IP address, you can discover policies from the device. If it has a dynamic
IP address, you must discover policies from the device’s configuration file (offline).
Question: I am using Cisco Secure ACS to manage authentication and authorization to Security
Manager. How does this affect policy discovery?
Answer: You must add all managed devices to Cisco Secure ACS before you can perform policy
discovery and manage these devices in Security Manager. This includes security contexts on
PIX/ASA/FWSM devices. For more information, see the Installation Guide for Cisco Security Manager.
Question: What should I do after discovering VPN or router platform policies?
Answer: Due to the way these features are discovered, Security Manager does not assume management
of discovered VPN and router platform policies until after it deploys them. This means that if you
discover a router, unassign one of its policies and deploy, no commands are removed from the router’s
configuration. We recommend, therefore, that you perform deployment to a file immediately after
discovering VPN or router platform policies, before you make any changes to those policies. After this
initial deployment, you can reconfigure these policies and deploy your changes as required.
Question: If I discover policies on a device and then deploy the policies from Security Manager without
changing them, what is the difference between the original configuration on the device and the one that
exists after the deployment?
Answer: Typically, there will be no differences between the new configuration and your original one,
assuming you set up FlexConfigs for any unsupported CLI commands. However, in certain cases minor
changes might occur in your ACL or object-group naming schemes. For more information, see How
Policy Objects are Provisioned as Object Groups, page 6-91. In addition, any discovered objects that are
not being used by a policy are removed from the configuration. There can also be instances where the
new configuration is functionally equivalent to the old one but does not use the same commands.