Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
How Policy Objects are Provisioned as Object Groups
Object groups are a feature of ASA, PIX, FWSM, and IOS 12.4(20)T+ devices that enable you to reduce
the size of access rules by grouping objects such as IP hosts, networks, protocols, ports, and ICMP
message types. Although the functionality of object groups is similar to the functionality of policy
objects in Security Manager, there are several important differences in implementation.
As a result, when deploying policies to a device, it is not always possible to create object groups that are
an exact copy of the policy objects that you configured in Security Manager. To take one example, policy
object names are unique per object type in Security Manager (that is, you can define a network/host
object and a service object with the same name), whereas object groups of all types defined on the device
share a single naming scheme. Therefore, if you deploy a network/host object whose name matches an
existing service object group on the device, a suffix is added to the name of the network/host object to
distinguish it from the service object group.
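
The following pre-deployment check is an added example, not part of the Cisco guide or of Security Manager: it lists policy objects whose names will clash in the device's single object-group namespace. The sample configuration, the object list, the function names, the type labels used for policy objects, and the exact case-sensitive name comparison are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of object-group definitions from a device running-config.
SAMPLE_CONFIG = """\
object-group service WEB tcp
 port-object eq www
object-group network DMZ
 network-object host 10.1.1.10
object-group protocol TUNNEL
 protocol-object gre
"""

# Constructed policy objects as (type, name); names are unique only per type.
POLICY_OBJECTS = [("network", "WEB"), ("service", "WEB"),
                  ("network", "DMZ"), ("service", "TUNNEL")]

# Group header: "object-group <type> <name> [tcp|udp|tcp-udp]"; member lines are indented.
GROUP_RE = re.compile(r"^object-group\s+(\S+)\s+(\S+)")

def device_groups(config_text):
    """Return {name: type} for every object group defined on the device."""
    groups = {}
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups

def find_collisions(policy_objects, config_text):
    """Return (type, name, reason) for objects that cannot keep their name."""
    on_device = device_groups(config_text)
    types_by_name = defaultdict(set)
    for kind, name in policy_objects:
        types_by_name[name].add(kind)
    findings = []
    for kind, name in policy_objects:
        dev_kind = on_device.get(name)
        if dev_kind is not None and dev_kind != kind:
            # Same name already used on the device by a group of another type.
            findings.append((kind, name, f"device has {dev_kind} group"))
        elif len(types_by_name[name]) > 1:
            # Same name used by two policy object types in the same deployment.
            findings.append((kind, name, "name shared across policy object types"))
    return findings

if __name__ == "__main__":
    for finding in find_collisions(POLICY_OBJECTS, SAMPLE_CONFIG):
        print(finding)
```

Objects reported here are the ones to look for under a suffixed name when reconciling the deployed configuration against the policy during an audit.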
Note: For information about the options available when deploying object groups, see Deployment Page,
page 11-9.
Similarly, when discovering policies on a device, it is not always possible to create policy objects that
are an exact copy of the object groups that are configured on the device. However, Security Manager
preserves as much of the original configuration as possible.
Note: For IOS devices, any policy objects that are used by access control list objects are subsequently replaced
during deployment by the contents of the object. Object groups used with ACL objects are not preserved,
although they are discovered as Security Manager policy objects.
The following sections describe the changes that are made when provisioning policy objects to object
groups on the device, or when creating the policy objects when discovering policies on these devices:
- How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups, page 6-92
- How Service Objects are Provisioned as Object Groups, page 6-92

Table 6-35 Add and Edit Service Dialog Boxes (Continued)

Element: Allow Value Override per Device, Overrides, Edit button

Description: Whether to allow the object definition to be changed at the device level.
For more information, see Allowing a Policy Object to Be Overridden,
page 6-18 and Understanding Policy Object Overrides for Individual
Devices, page 6-17.
If you allow device overrides, you can click the Edit button to create,
edit, and view the overrides. The Overrides field indicates the number
of devices that have overrides for this object.