User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Discovering Policies
Question: How does Security Manager handle my current CLI naming schemes for ACLs and object groups?

Answer: When you discover policies from a device, Security Manager tries to use the same names you have used. However, depending on your naming scheme, some minor differences might occur between what you defined on your device and the policies created through discovery. Additionally, there is a possibility that a naming conflict can occur between an existing ACL or object on the device and the name required for the new policy or object; in this case, Security Manager generates a different name so as not to misconfigure the device. For example, if the name of a discovered object conflicts with an object of the same type that already exists in Security Manager, a suffix is added to the name of the new object to make it unique or a device-level override is created.
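Because a renamed object can leave the device configuration and the Security Manager database referring to different names, it is worth knowing about name collisions before discovery runs. The script below is an added example, not Security Manager code: it parses object-group and access-list names out of a constructed ASA-style config fragment, compares them with a constructed inventory of objects already defined in the manager, and classifies each as new, reusable (same name, identical definition), or conflicting (same name, different definition). The `_1` suffix, the inventory layout and the config sample are assumptions made for the illustration.

```python
"""Pre-discovery audit: compare ACL and object-group names in a device
configuration with objects already defined in the management database.

Added example, not Security Manager code. The inventory format, the
"_1" suffix and the config fragment are constructed assumptions.
"""
import re

# Constructed sample: a fragment of ASA-style running configuration.
SAMPLE_CONFIG = """\
object-group network DMZ_HOSTS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network MGMT_NETS
 network-object 198.51.100.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any object-group DMZ_HOSTS eq 443
access-list OUTSIDE_IN extended deny ip any any
access-list MGMT_IN extended permit tcp object-group MGMT_NETS any eq 22
"""

# Constructed inventory of objects already defined in the manager,
# keyed by (kind, name) with the body lines that define them.
EXISTING = {
    ("object-group network", "DMZ_HOSTS"): [
        "network-object host 192.0.2.10",
        "network-object host 192.0.2.11",
    ],
    ("object-group network", "MGMT_NETS"): [
        "network-object 203.0.113.0 255.255.255.0",
    ],
}

OBJECT_GROUP_RE = re.compile(r"^object-group (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (.+)$")


def parse_config(text):
    """Return {(kind, name): [body lines]} for object-groups and ACLs.

    Indented lines belong to the most recent object-group header; each
    access-list line is appended to the ACL it names.
    """
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = OBJECT_GROUP_RE.match(line)
        if m:
            current = (f"object-group {m.group(1)}", m.group(2))
            objects.setdefault(current, [])
            continue
        m = ACL_RE.match(line)
        if m:
            objects.setdefault(("access-list", m.group(1)), []).append(m.group(2))
            current = None
            continue
        if line.startswith(" ") and current is not None:
            objects[current].append(line.strip())
        else:
            current = None
    return objects


def plan_discovery(discovered, existing):
    """Classify each discovered item the way the text describes.

    'new'      -> name is free, object is created as-is
    'reuse'    -> same name and identical definition, existing object is used
    'conflict' -> same name but different definition; a suffix is appended
                  (the "_1" form is an assumption, not the product's rule)
    """
    plan = {}
    for key, body in discovered.items():
        if key not in existing:
            plan[key] = ("new", key[1])
        elif existing[key] == body:
            plan[key] = ("reuse", key[1])
        else:
            plan[key] = ("conflict", f"{key[1]}_1")
    return plan


def conflicts(plan):
    """Names that would be renamed on discovery; worth resolving beforehand."""
    return sorted(name for (kind, name), (status, _) in plan.items()
                  if status == "conflict")


if __name__ == "__main__":
    result = plan_discovery(parse_config(SAMPLE_CONFIG), EXISTING)
    for (kind, name), (status, final_name) in result.items():
        print(f"{kind:22} {name:12} {status:9} -> {final_name}")
```

Running the audit against the real running configuration and an export of the existing object list lets you rename or align the conflicting definitions on one side before discovery, instead of discovering later that rules reference an unexpectedly suffixed object.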
Question: Are all configuration commands discovered and brought into Security Manager?

Answer: No. Security Manager does not discover all device configuration commands. Instead, it discovers security policies. For any configuration commands not discovered, use the FlexConfig feature to include the commands that Security Manager does not support.
Question: If I rediscover policies on a device already in Security Manager, what happens to the policies assigned to the device?

Answer: If you rediscover policies on a device that you are already managing with Security Manager, the newly discovered policies replace the ones assigned to the device. All policies within the selected policy domain (firewall services, platform settings, or both) are replaced, not just the ones that differ between the device and the Security Manager database. If you assigned shared policies to the device, the assignment is removed and the shared policy is left unchanged (so that other devices that use the shared policy are not affected). After policy discovery, all policies assigned to the device are specific to that device; none of them are shared with other devices. If you want to use shared policies with the device, you must redo the assignments after policy discovery.

In addition, any customizations made to local policies are lost. For example, if you used sections to organize rules-based firewall policies, the sections are removed and the rediscovered policy is a flat list of entries.
Question: Does Security Manager use existing policies and objects during policy discovery?

Answer: During policy discovery, Security Manager uses existing policy objects (ones that you already defined in Security Manager) when creating policies for the device. However, Security Manager does not reuse existing policies; all policies created during discovery are local to the device being discovered. Thus, you might find it beneficial to define your policy objects (such as network objects) before adding devices to Security Manager.
Question: After adding a device and discovering policies, I cannot submit my changes to the database; instead I get warnings such as “Connection Policies Not Set.” What must I do to complete the device addition?

Answer: When you add a device and discover policies (particularly when you add devices from configuration files), Security Manager warns you if the resulting configuration is incomplete in ways that will prevent it from successfully managing the device. Connection policies, for example, are simply the device credentials (user names and passwords) required to log into the device, as well as other connection-related configuration settings (such as HTTP settings). Because these missing settings result in an invalid configuration or prevent Security Manager from contacting and managing the device later, you are prevented from submitting the changes to the database. Ensure that you have complete and valid configurations for these settings, then resubmit your changes to the database.
Question: Why does the AAA policy not show the AAA configuration that I discovered on the device?

Answer: The AAA policy contains the default configurations for authentication, authorization, and accounting. Other AAA commands that specify a particular list name are mapped to the policies that reference them. If the list name is not referenced by a policy, it is not discovered.
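A named AAA method list that nothing references is silently dropped by discovery, so it is useful to find such lists before the device is added (and either remove them or carry them via FlexConfig). The following is an added example, not Security Manager code: it parses `aaa authentication|authorization|accounting` lists from a constructed IOS-style fragment, collects the list names referenced from indented line configuration (`login authentication`, `authorization <type>`, `accounting <type>`), and reports which lists are default, referenced, or unreferenced. Which reference forms count, and the config sample itself, are assumptions of this illustration.

```python
"""Find named AAA method lists that no line or interface references.

Added example, not Security Manager code. The IOS-style fragment and
the set of reference forms recognised are constructed assumptions.
"""
import re

# Constructed sample: IOS-style AAA configuration with line references.
SAMPLE_IOS_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login VTY_AUTH group tacacs+ local
aaa authentication login CONSOLE_AUTH local
aaa authorization exec default group tacacs+ local
aaa accounting exec VTY_ACCT start-stop group tacacs+
line con 0
 login authentication CONSOLE_AUTH
line vty 0 4
 login authentication VTY_AUTH
 authorization exec default
"""

# aaa <service> <type> <listname> <methods...>
AAA_LIST_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$"
)
# Indented references from line/interface configuration (assumed forms).
AAA_REF_RE = re.compile(
    r"^\s+(?:login authentication|authorization \S+|accounting \S+) (\S+)$"
)


def parse_aaa_lists(text):
    """Return {(service, type, listname): methods} for every aaa list line."""
    lists = {}
    for line in text.splitlines():
        m = AAA_LIST_RE.match(line)
        if m:
            service, kind, name, methods = m.groups()
            lists[(service, kind, name)] = methods
    return lists


def find_list_references(text):
    """Return the set of list names referenced from indented config lines."""
    refs = set()
    for line in text.splitlines():
        m = AAA_REF_RE.match(line)
        if m:
            refs.add(m.group(1))
    return refs


def classify_aaa(text):
    """Split AAA lists into those the text says are discovered and those dropped.

    'default'      -> lands in the AAA policy
    'referenced'   -> mapped to the policy (line, interface) that names it
    'unreferenced' -> not discovered at all; handle before adding the device
    """
    lists = parse_aaa_lists(text)
    refs = find_list_references(text)
    result = {"default": [], "referenced": [], "unreferenced": []}
    for key in lists:
        name = key[2]
        if name == "default":
            result["default"].append(key)
        elif name in refs:
            result["referenced"].append(key)
        else:
            result["unreferenced"].append(key)
    return result


if __name__ == "__main__":
    report = classify_aaa(SAMPLE_IOS_CONFIG)
    for status, keys in report.items():
        for service, kind, name in keys:
            print(f"{status:12} aaa {service} {kind} {name}")
```

In the sample, `VTY_ACCT` is defined but never applied to a line, so it is the list that would vanish from the managed configuration after discovery; the `default` lists land in the AAA policy and `VTY_AUTH` and `CONSOLE_AUTH` follow the line policies that reference them.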