11-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 11 Configuring Security Manager Administrative Settings
Deployment Page
ACL Parameters
Optimize the Deployment of
Access Rules For
(IPv4 and IPv6 access rules.)
How firewall rules are deployed. You can choose one of the following:
• Speed (default)—Increases deployment speed by sending only the
delta (difference) between the new and old ACLs. This is the
recommended option. By making use of ACL line numbers, this
approach selectively adds, updates, or deletes ACEs at specific
positions and avoids resending the entire ACL. Because the ACL
being edited is still in use, there is a small chance that some traffic
might be handled incorrectly between the time an ACE is removed
and the time that it is added to a new position. The ACL line
number feature is supported by most Cisco IOS, PIX and ASA
versions, and became available in FWSM from FWSM 3.1(1).
• Traffic—This approach switches ACLs seamlessly and avoids
traffic interruption. However, deployment takes longer and uses
more device memory before the temporary ACLs are deleted. First,
a temporary copy is made of the ACL that is intended for
deployment. This temporary ACL binds to the target interface.
Then the old ACL is recreated with its original name but with the
content of the new ACL. It also binds to the target interface. At this
point, the temporary ACL is deleted.
Note For FWSM devices, this option affects processing only if you
also select the Let FWSM Decide When to Compile Access
Lists option.
Firewall Access-List Names
(IPv4 and IPv6 access rules.)
How ACL names are deployed to devices if the access rule does not
have a name in Security Manager.
• Reuse existing names—Reuse the ACL name that is configured in
the reference configuration (which is usually from the device).
• Reset to CS-Manager generated names—Reset the name to a
Security Manager auto-generated ACL name.
Table 11-8 Deployment Page (Continued)
Element Description