These topics describe the pages that are accessed from the Policy menu and within the Policy view, or that relate to general policy management. The Policy view is used to globally manage all the shared policies configured with Cisco Security Manager:
•Policy Menu General Reference
•Policy View General Reference
Use the commands on the Policy menu to manage local and shared policies. The commands in the Policy menu use the dialog boxes and wizards described in the following topics:
•Assign Shared Policy Dialog Box
•Shared Policy Assignments Dialog Box
•Discover Policies On Device Dialog Box
Use the Share Policy dialog box to convert a local policy to a shared policy that you can assign to multiple devices or VPNs.
Enter a name for the policy. Unlike local policies, shared policies require a name so that they can be identified when you assign the policy to devices or VPN topologies. Names can contain up to 255 characters, including spaces and special characters. For more information, see Sharing a Local Policy, page 6-27.
Navigation Path
In Device view, select a policy from the Device Policies selector, then do one of the following:
•Select Policy > Share Policy.
•Right-click the policy and select Share Policy.
•Click the local device link in the Assigned To field in the policy banner, then click Share Policy in the message dialog box that is opened.
Related Topics
•Assigning a Shared Policy to a Selected Device, page 6-29
•Sharing Multiple Policies of a Selected Device, page 6-28
•Using the Policy Banner, page 6-25
Use the Assign Shared Policy dialog box to assign an existing shared policy to a selected device. Select the desired policy and click OK. For more information, see Assigning a Shared Policy to a Selected Device, page 6-29.
Tip If you assign a shared policy to a device, it replaces the existing local policy. If you are assigning a rule-based policy, a warning message is displayed that gives you the option to inherit the rules of the shared policy instead of replacing the local policy through assignment. For more information on inheriting rules, see Inheritance vs. Assignment, page 6-6.
Navigation Path
In Device view, select a policy from the Device Policies selector, then do one of the following:
•Select Policy > Assign Shared Policy.
•Right-click the policy in the Device Policies selector, then select Assign Shared Policy.
•Click the local device link in the Policy Assigned field in the policy banner.
Related Topics
•Using the Policy Banner, page 6-25
When you assign a rule-based policy, such as access rules or AAA rules, to a device, you are given the option to inherit the rules of the shared policy rather than completely replacing the local policy. Use the Local Policy Will Be Replaced dialog box to make your selection. For more information on the difference between inheritance and assignment, see Inheritance vs. Assignment, page 6-6.
Note You can also inherit IPS signature policies and signature event actions, but inheritance works differently than for rule-based policies. For more information, see Understanding Signature Inheritance, page 12-8.
Your options are:
•Assign Policy—Assign the shared policy to replace the existing local policy. If you choose to assign, all local rules are removed and they cannot be retrieved.
•Inherit From Policy—Inherit the rules of the shared policy. If you choose to inherit, the inherited rules are added to the local rules that are already defined in the device's local policy. Use inheritance instead of assignment when the device needs to maintain the set of local rules already defined for it.
Tip You can select Do not show this again to save your selection and have it applied every time you assign rule-based policies in the future. Otherwise, you are prompted each time you assign policies, so that you can make different selections based on the circumstances. If you select this option, you can turn it off by resetting it on the Customize Desktop administration settings page (see Customize Desktop Page, page A-5).
Navigation Path
The Local Policy Will Be Replaced dialog box is displayed automatically when you click OK in the Assign Shared Policy dialog box (see Assign Shared Policy Dialog Box).
Use the Copy Policies wizard to copy selected policies (both local and shared) to one or more devices that support the selected policies. For example, you can use the Copy Policies wizard to copy a set of firewall service policies and routing policies from one firewall device to fifty other devices with a single operation.
For more information, see Copying Policies Between Devices, page 6-22.
The pages of the Copy Policies wizard are described in the following topics:
•Copy Policies Wizard—Copy Policies from this Device Page
•Copy Policies Wizard—Select Policies to Copy Page
•Copy Policies Wizard—Copy Policies to these Devices Page
Navigation Path
To start the Copy Policies wizard, in Device view, select a device from the Device selector, then do one of the following:
•Select Policy > Copy Policies Between Devices. The Copy Policies wizard starts at step 1 (see Copy Policies Wizard—Copy Policies from this Device Page).
•Right-click the device in the Device selector, then select Copy Policies Between Devices. The Copy Policies wizard starts at step 2 (see Copy Policies Wizard—Select Policies to Copy Page).
Tip You can also right-click a device in Map view and select Copy Policies Between Devices.
Use the Copy Policies from this Device page of the Copy Policies wizard to select the device whose policies will be copied to other devices. When you click Next, Security Manager evaluates the device and generates a list of the copyable policies defined on the device.
If you start the Copy Policies wizard by right-clicking a specific device, the device you right-clicked is automatically selected as the source device and the wizard starts on the Copy Policies Wizard—Select Policies to Copy Page. You can return to the Copy Policies from this Device page by clicking Back.
Navigation Path
For information on starting the Copy Policies wizard, see Copy Policies Wizard.
Related Topics
•Copying Policies Between Devices, page 6-22
•Filtering Items in Selectors, page 2-14
Use the Select Policies to Copy page of the Copy Policies wizard to select which policies to copy from the source device to the target devices. When you click Next, Security Manager evaluates the policies to determine which devices can support all selected policies.
Navigation Path
For information on starting the Copy Policies wizard, see Copy Policies Wizard.
Related Topics
•Copying Policies Between Devices, page 6-22
•Policy Status Icons, page 6-19
Use the Copy Policies to these Devices page of the Copy Policies wizard to select the devices to which policies from the source device will be copied.
When you click Finish, Security Manager ensures that the policies are successfully copied to every selected target device. If the copy fails for any target device, the Copy Policy Failed dialog box opens and explains the failures, and Security Manager removes the copied policies from any device to which the copy was successful.
Navigation Path
For information on starting the Copy Policies wizard, see Copy Policies Wizard.
Related Topics
•Copying Policies Between Devices, page 6-22
•Filtering Items in Selectors, page 2-14
Use the Share Policies wizard to take the policies configured on a particular device and make them shared policies that you can assign to other devices. For more information, see Sharing Multiple Policies of a Selected Device, page 6-28.
The pages of the Share Policies wizard are described in the following topics:
•Share Policies Wizard—Share Policies from this Device Page
•Share Policies Wizard—Select Policies to Share Page
Navigation Path
In Device view, select a device from the Device selector, then do one of the following:
•Select Policy > Share Device Policies.
•Right-click the device in the Device selector, then select Share Device Policies.
Tip You can also right-click a device in Map view and select Share Device Policies.
Use the Share Policies from this Device page of the Share Policies wizard to select the device whose policies you want to share. When you click Next, Security Manager evaluates the device's policies and does not select those that cannot be shared.
When you access the Share Policies wizard by right-clicking a specific device, the device you right-clicked is automatically selected as the source device and you are brought directly to the Share Policies Wizard—Select Policies to Share Page. You can return to the Select Source Device page by clicking Back.
Navigation Path
For information on starting the Share Policies wizard, see Share Policies Wizard.
Related Topics
•Sharing Multiple Policies of a Selected Device, page 6-28
•Filtering Items in Selectors, page 2-14
Use the Select Policies to Share page of the Share Policies wizard to select which policies you want to share.
Navigation Path
For information on starting the Share Policies wizard, see Share Policies Wizard.
Related Topics
•Sharing Multiple Policies of a Selected Device, page 6-28
Field Reference
| Element | Description |
|---|---|
| Policy selector | Selects the policies to share. Selecting the check box for a policy group selects all of the policies in that group. By default, all configured policies (local and shared) are selected. |
| Save policies as | The name to give to the policies you are sharing. All policies are given the same name. |
Use the Shared Policy Assignments dialog box to modify the list of devices or VPN topologies to which you have assigned a selected shared policy. For more information, see Modifying Shared Policy Assignments in Device View, page 6-34.
You can also modify policy assignments from Policy view. See Modifying Policy Assignments in Policy View, page 6-39.
Navigation Path
In Device view, select a shared policy from the Device Policies selector, then do one of the following:
•Select Policy > Edit Policy Assignments.
•Right-click the policy in the Device Policies selector, then select Edit Policy Assignments.
•Click the n device link in the Assigned To field in the policy banner.
Related Topics
•Assigning a Shared Policy to a Selected Device, page 6-29
•Inheritance vs. Assignment, page 6-6
•Using the Policy Banner, page 6-25
Use the Save Policy As dialog box to duplicate an existing shared policy under a new name. Names can contain up to 255 characters, including spaces and special characters. For more information, see Copying a Shared Policy, page 6-32.
Tip If you copy a policy in Device view, the new policy is assigned to the selected device. If you want to copy a policy without changing policy assignments, make the copy in Policy view.
Navigation Path
Select a shared policy in either Device view or Policy view, then do one of the following:
•Select Policy > Save Policy As.
•Right-click the shared policy, then select Save Policy As.
Use the Rename Policy dialog box to change the name of a selected shared policy. Names can contain up to 255 characters, including spaces and special characters. For more information, see Renaming a Shared Policy, page 6-33.
Navigation Path
Select a shared policy in either Device view or Policy view, then do one of the following:
•Select Policy > Rename Policy.
•Right-click the policy, then select Rename Policy.
Use the Inherit Rules dialog box to have a rule-based policy (such as access rules) inherit the rules of a shared policy of the same type.
Select the parent policy, that is, the policy whose rules should be inherited. The name of the selected parent policy is displayed below the selector.
Tip Select No Inheritance to remove an existing policy inheritance relationship.
For more information, see Inheriting Rules, page 6-32.
Navigation Path
Select a shared rule-based policy in either Device view or Policy view, then do one of the following:
•Select Policy > Inherit Rules.
•Right-click the policy, then select Inherit Rules.
•Click the link in the Inherits From field in the policy banner.
Related Topics
•Inheritance vs. Assignment, page 6-6
•Assigning a Shared Policy to a Selected Device, page 6-29
•Using the Policy Banner, page 6-25
Use the Discover Policies On Device dialog box to have Security Manager discover the policies for a device that is already in the device inventory. You can also discover policies when you add the device to the inventory. For more information about adding devices, see Adding Devices to the Device Inventory, page 5-7.
Navigation Path
In Device view, select a device from the Device selector and do one of the following:
•Select Policy > Discover Policies on Device.
•Right-click the device in the Device selector and select Discover Policies on Device.
Tip You can also right-click a device in Map view and select Discover Policies on Device.
Related Topics
•Discovering Policies on Devices Already in Security Manager, page 6-14
•Discovering Policies, page 6-11
•Viewing Policy Discovery Task Status, page 6-16
•Selecting or Specifying a File or Directory on the Server File System, page 2-19
Field Reference
| Element | Description |
|---|---|
| Discovery Task Name | The name assigned to the discovery task. Security Manager automatically generates a name for the task based on the current date and time, but you can modify this name as desired. |
| Discover From Config. File | The source of policy information to be discovered: •Live Device—Discover policies directly from the device. •Config File—Discover policies from a configuration file. Specify the location of the file in the Config File field. Click Browse to select the file on the Security Manager server. You can discover policies only from configuration files that were generated from the device (for example, with the show run command). For more information, see Adding Devices from Configuration Files, page 5-10. •Factory Default Configuration—Performs discovery on a firewall device using a file containing the factory-default settings for that device. Security Manager automatically chooses the appropriate file for the selected device. For more information, see Default Firewall Configurations, page 14-1. |
| Discover Policies for Security Contexts | Whether to discover policies for each security context that is configured on a firewall device running in multiple-context mode. This field applies only to PIX, ASA, and FWSM devices. When deselected, Security Manager treats the entire device as having a single set of policies configured in single-context mode. For more information about security contexts, see Configuring Security Contexts on Firewall Devices, page 14-82. |
| Policies to Discover | The policy types to discover on the selected device: •Inventory—Includes device information such as the hostname and domain name, interfaces, and security contexts (for firewall devices running in multiple-context mode). On Cisco IOS routers, this option also discovers all interface-related policies, such as DSL, PPP, and PVC policies. •Platform Settings—Includes all platform-specific policies that can be configured on the selected device. For example, if you are performing policy discovery on a PIX firewall device, this option includes such policies as device administration policies, multicast policies, and routing policies. •Firewall Services—Includes all firewall service policies. For more information, see Chapter 11, "Managing Firewall Services". •RA VPN Policies—Includes all IPSec and SSL remote access VPN policies that are configured on the selected device. For more information, see Chapter 10, "Managing Remote Access VPNs". •IPS—Includes all IPS policies that are configured on the selected device. For more information, see Chapter 16, "Managing IPS Devices" and Chapter 12, "Managing IPS Services". |
Use the Discovery Status dialog box to view detailed information about the current policy discovery task. The dialog box includes general information about the status of the task, as well as detailed information about any warnings or errors generated by the device being discovered.
The Discovery Status dialog box opens automatically when you initiate a discovery task on existing devices and when you add devices from the network, from a configuration file, or from an export file. For more information about initiating a discovery task, see Discover Policies On Device Dialog Box.
Related Topics
•Viewing Policy Discovery Task Status, page 6-16
•Discovering Policies, page 6-11
•Adding Devices from the Network, page 5-8
•Adding Devices from Configuration Files, page 5-10
•Adding Devices from an Inventory File, page 5-12
Use the Policy Discovery Status page to view the status of previous policy discovery and device addition tasks.
Navigation Path
Select Tools > Policy Discovery Status.
Related Topics
•Viewing Policy Discovery Task Status, page 6-16
Use Policy view to globally manage all the shared policies configured with Cisco Security Manager. Unlike Device view, which you use to manage all the policies configured on a selected device, Policy view enables you to manage all shared policies of a particular type regardless of device. For a general explanation of Policy view, see Managing Shared Policies in Policy View, page 6-35.
Most of the pages and dialog boxes that are displayed in Policy view are the same as those displayed for specific policy types in Device view. The following topics describe some of the general features that are unique to Policy view:
•Policy View—Shared Policy Selector Options
Right-click a policy in the Shared Policy selector of Policy view to display a shortcut menu for performing functions on the selected policy.
Related Topics
•Policy View Selectors, page 6-37
•Managing Shared Policies in Policy View, page 6-35
Field Reference
| Element | Description |
|---|---|
| Save Policy As | Saves a new instance of the selected shared policy under a different name. Use this option to create a new policy with the same definition as the policy from which it was created. See Copying a Shared Policy, page 6-32. |
| Rename Policy | Renames the selected policy. See Renaming a Shared Policy, page 6-33. |
| Inherit Rules | Applies only to rule-based policies such as access rules. Causes a rule-based policy to inherit the rules of a different shared policy of the same type. See Inheriting Rules, page 6-32. |
| New [policy type] Policy | Creates a new shared policy of the selected type. See Creating a New Shared Policy, page 6-39. |
| Delete Policy | Deletes the selected shared policy. See Deleting a Shared Policy, page 6-40. |
Use the Assignments tab in Policy view to modify the list of devices or VPNs to which the selected shared policy is assigned. For more information, see Modifying Policy Assignments in Policy View, page 6-39.
Navigation Path
In Policy view, select a policy from the Shared Policy selector, then click the Assignments tab in the work area.
Related Topics
•Managing Shared Policies in Policy View, page 6-35
When working in Policy view, use the Create a Policy dialog box to create a new shared policy of the selected policy type. Enter a name for the policy. Names can contain up to 255 characters, including spaces and special characters. For more information, see Creating a New Shared Policy, page 6-39.
Tip The new policy is initially not assigned to any devices or VPN topologies. For information about assigning the policy, see Policy View—Assignments Tab.
Navigation Path
In Policy view, do one of the following:
•Right-click a policy type in the Policy Types selector, then select New [name of policy] Policy.
•Right-click a policy in the Shared Policy selector, then select New [name of policy] Policy.
•Click the Create a Policy button beneath the Shared Policy selector.
Related Topics
•Managing Shared Policies in Policy View, page 6-35