- User Guide for Cisco Security Manager 4.8
- Table of Contents
- Preface
-
- The Basics of Using Security Manager
- Getting Started with Security Manager
- Preparing Devices for Management
- Managing the Device Inventory
- Managing Activities
- Managing Policies
- Managing Policy Objects
- Managing FlexConfigs
- Managing Deployment
- Troubleshooting Device Communication and Deployment
- Managing the Security Manager Server
- Configuring Security Manager Administrative Settings
-
- Firewall Services and NAT
- Introduction to Firewall Services
- Managing Identity-Aware Firewall Policies
- Managing TrustSec Firewall Policies
- Managing Firewall AAA Rules
- Managing Firewall Access Rules
- Managing Firewall Inspection Rules
- Managing Firewall Web Filter Rules
- Managing Firewall Botnet Traffic Filter Rules
- Working with ScanSafe Web Security
- Managing Zone-based Firewall Rules
- Managing Traffic Zones
- Managing Transparent Firewall Rules
- Configuring Network Address Translation
-
- VPN Configuration
- Managing Site-to-Site VPNs: The Basics
- Configuring IKE and IPsec Policies
- GRE and DM VPNs
- Easy VPN
- Group Encrypted Transport (GET) VPNs
- Managing Remote Access VPNs: The Basics
- Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
- Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
- Managing Remote Access VPNs on IOS and PIX 6.3 Devices
- Configuring Policy Objects for Remote Access VPNs
- Using Map View
-
- IPS Configuration
- Getting Started with IPS Configuration
- Managing IPS Device Interfaces
- Configuring Virtual Sensors
- Defining IPS Signatures
- Configuring Event Action Rules
- Managing IPS Anomaly Detection
- Configuring Global Correlation
- Configuring Attack Response Controller for Blocking and Rate Limiting
- Managing IPS Sensors
- Configuring IOS IPS Routers
-
- PIX/ASA/FWSM Device Configuration
- Managing Firewall Devices
- Configuring Bridging Policies on Firewall Devices
- Configuring Device Administration Policies on Firewall Devices
- Configuring Device Access Settings on Firewall Devices
- Configuring Failover
- Configuring Hostname, Resources, User Accounts, and SLAs
- Configuring Server Access Settings on Firewall Devices
- Configuring FXOS Server Access Settings on Firepower 2100 Series Devices
- Configuring Logging Policies on Firewall Devices
- Configuring Multicast Policies on Firewall Devices
- Configuring Routing Policies on Firewall Devices
- Configuring Security Policies on Firewall Devices
- Configuring Service Policy Rules on Firewall Devices
- Configuring Security Contexts on Firewall Devices
- User Preferences
- Index
Configuring Device Access Settings on Firewall Devices
The Device Access section, located under the Device Admin folder in the Policy selector, contains pages for defining access to firewall devices.
Configuring Console Timeout
Use the Console page to specify a timeout value for inactive console sessions. When the time limit you specify is reached, the console session is closed.
In the Console Timeout field, enter the number of minutes a console session can remain idle before the device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.
HTTP Page
Use the table on the HTTP page to manage the interfaces configured to access the HTTP server on a device, as well as HTTP redirect to HTTPS on those interfaces. You also can enable or disable the HTTP server on the device from this page. Administrative access by the specific device manager requires HTTPS access.
Note To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to port 80, or to any other port that you configure for HTTP.
- (Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
|
|
---|---|
Use the Add Row, Edit Row, and Delete Row buttons below this table to manage device interfaces on which HTTP-to-HTTPS redirect is configured. Add Row and Edit Row open the HTTP Configuration Dialog Box. |
|
Select this option to set the rules for extracting a username from the certificate. Enter the following:
Choose one of the following options: Note This feature is supported only in devices running ASA software version 9.4(1) or later. |
|
– C—Country: the two-letter country abbreviation which conforms to the ISO 3166 country abbreviations. – CN—Common Name: the name of a person, system, or other entity. Not available as a secondary attribute. – GENQ—Generational qualifier. – L—Locality: the city or town where the organization is located. – O—Organization: the name of the company, institution, agency, association, or other entity. – OU—Organizational Unit: the subgroup within the organization (O). – SP—State/Province: the state or province where the organization is located. |
|
Enables or disables the HTTP server on the device. When enabled, you can specify a communications Port for the server. The Port range is 1 to 65535; the default is 443. |
HTTP Configuration Dialog Box
Use the HTTP Configuration dialog box to add or edit a host or network that will be allowed to access the HTTP server on the device via a specific interface; you also can enable and disable HTTP redirect.
You can access the HTTP Configuration dialog box from the HTTP Page.
|
|
---|---|
Enter or Select the interface on which access to the HTTP server on the device is allowed. Note Beginning with Cisco Security Manager version 4.17, you can configure BVI interface for HTTP on ASA 9.9.2 devices and above. However, in multi-context, “Transparent” mode security context only supports BVI interface. |
|
Enter the IP address and netmask, separated by a forward slash (“/”) of the host or network that is permitted to establish an HTTP connection with the device. Alternately, you can click Select to select a Networks/Hosts object. Note Beginning with version 4.13, Cisco Security Manager supports policies—Groups, Hosts, Address Range, and Network for IPv6 devices. |
|
Select this option to require user certificate authentication in order to establish an HTTP connection. On ASA and PIX 8.0(2)+ devices, you can specify the authentication Port. |
|
Select the Certificate Map name that you configured in Remote Access VPN > certificate to Connection Profile Maps > Rules. For more information, see Map Rule Dialog Box (Upper Table). None is selected by default. This feature is available beginning with Security Manager version 4.12 for ASA 9.6(2) or later devices. This option is supported for single, multi, routed and transparent contexts for ASA devices. |
|
The port on which the security appliance listens for HTTP requests, which it then redirects to HTTPS. To disable HTTP redirect, ensure that this field is blank. |
Configuring ICMP
Use the table on the ICMP page to manage Internet Control Message Protocol (ICMP) rules, which specify the addresses of all hosts or networks that are allowed or denied ICMP access to specific interfaces on the security device.
Note Starting from ASA 8.2(1) ICMP IPv6 was supported in the transparent firewall mode.
The ICMP rules control ICMP traffic that terminates on any device interface. If no ICMP control list is configured, the device accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the device does not respond to ICMP echo requests directed to a broadcast address.
It is recommended that permission is always granted for the ICMP Unreachable message (type 3). Denying ICMP Unreachable messages disables ICMP Path MTU discovery, which can halt IPsec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
If an ICMP control list is configured, the device uses a first match to the ICMP traffic, followed by an implicit deny all. That is, if the first matched entry is a permit entry, the processing of the ICMP packet continues. If the first matched entry is a deny entry, or an entry is not matched, the device discards the ICMP packet and generates a syslog message. If an ICMP control list is not configured, a permit rule is assumed in all cases.
- (Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Note ICMP IPv6 support is not available for PIX and FWSM devices.
|
|
---|---|
Use the Add Row, Edit Row, and Delete Row buttons below this table to manage ICMP rules. Add Row opens the Add ICMP dialog box, while Edit Row opens the Edit ICMP dialog box. See Add and Edit ICMP Dialog Boxes for information about these dialog boxes. |
|
|
|
For ICMP traffic that terminates at an interface on this device, the maximum number of ICMP Unreachable messages the device can transmit per second. This value can be between 1 and 100 messages per second; the default is 1 message per second. |
|
The burst size for ICMP Unreachable messages; this can be a value between 1 and 10. Note This parameter is not currently used by the system, so you can choose any value. |
Add and Edit ICMP Dialog Boxes
Use the Add ICMP dialog box to add an ICMP rule, which specifies a host/network that is allowed or denied the specified ICMP access on the specified device interface.
Note The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.
You can access the Add or Edit ICMP dialog boxes from the Configuring ICMP.
Note While adding an ICMP policy, make sure that the network and service is of the same type i.e. IPv6 networks support IPv6 services.
Configuring Management Access
Use the Management Access page to enable or disable access on a high-security interface so you can perform management functions on the device. You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time.
- (Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Enabling and Disabling Management Access
In the Management Access Interface field, enter the name of the device interface that is to permit management access connections. You can click Select to select the interface from a list of interface objects.
You can enable the Management Access feature on only one interface at a time.
Clear the Management Access Interface field to disable management access.
Configuring Management Session Quota Limits
Beginning with 4.19, Cisco Security Manager allows you to configure enforcement of limits for the maximum number of admin sessions across all connection types and usernames, and for maximum number of concurrent sessions per username as well as per protocol limits on ASA 9.12(1) devices or later. The configured session concurrence limits is enforced prior to authenticating the incoming administrative session.
- (Device view) Select Platform > Device Admin > Device Access > Management Session Quota from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Session Quota from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Note The sequence of enforcement on the session limits would be—user limit followed by aggregate limit, and then by protocol limit.
Configuring Secure Shell Access
Use the Secure Shell page to configure rules that permit administrative access to a security device using the SSH protocol. The rules restrict SSH access to a specific IP address and netmask. Any SSH connection attempts that comply with these rules must then be authenticated by an AAA server or Telnet password.
- (Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
|
|
---|---|
Specify the SSH version(s) accepted by the device: choose 1, 2, or 1 and 2. By default, SSH Version 1 and SSH Version 2 connections are accepted. |
|
Enter the number of minutes, 1 to 60, the Secure Shell session can remain idle before the device closes it. The default value is 5 minutes. |
|
Use the Add Row, Edit Row, and Delete Row buttons below this table to manage the hosts allowed to connect to the security device via SSH. Add Row opens the Add Host dialog box, while Edit Row opens the Edit Host dialog box. See Add and Edit SSH Host Dialog Boxes for information about these dialog boxes. |
|
Check this box to enable the secure copy (SCP) server on the security appliance. This allows the appliance to function as an SCP server for transferring files from/to the device. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection. This implementation of the secure copy server has the following limitations:
|
Add and Edit SSH Host Dialog Boxes
Use the Add Host dialog box to add an SSH access rule.
Note The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.
You can access the Add and Edit Host dialog boxes from the Configuring Secure Shell Access.
Configuring SSL - Basic and Advanced tabs
Beginning from version 4.8, Security Manager provides enhanced security features using Secure Sockets Layer (SSL).
- (Device view) Select Platform > Device Admin > Device Access > SSL from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SSL from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
Note Due to import regulations in some countries the Oracle implementation provides a default cryptographic jurisdiction policy file that limits the strength of cryptographic algorithms. If stronger algorithms need to be configured or are already configured on the device (for example, AES with 256-bit keys, DH group with 5,14,24), follow these steps:
1. Download the Java 7 unlimited strength cryptography policy.jar files from http://www.oracle.com. Cisco recommends to search for the following on the Oracle website:
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Java 7
(Click the download button to download the files by accepting the license agreement.)
2. Replace local_policy.jar and US_export_policy.jar on your Security Manager server in the folder CSCOpx\MDC\vms\jre\lib\security.
Reference Identities
Beginning with version 4.12, Security Manager enables you to configure Reference Identity policy objects for Secure Syslog Server connections on devices running the ASA software version 9.6(2) or later. This object enables support for Common Criteria requirements.
Reference identities are configured as one or more identifiers to be compared to the presented identifiers in the server certificate. Identifiers are specific instances of the four identifier types specified in RFC 6125.
Add/Edit Reference Identity Dialog Box
Use the Add/Edit Reference Identity Dialog Box to create a new Reference Identity policy object or to edit existing policy objects.
Select Manage > Policy Objects, then select Reference Identity from the Object Type Selector. Right-click inside the work area, then select New Object or click the + button to add a new object, or right-click a row, then select Edit Object.
|
|
---|---|
Name of the Reference Identity policy object. Note that each Reference Identifier can have multi line values. |
|
A Relative Distinguished Name (RDN) in a certificate subject field that contains only one attribute-type-and-value pair of type Common Name (CN), where the value matches the overall form of a domain name. The CN value can be free text. A CN-ID reference identifier does not identify an application service. |
|
A subjectAltName entry of type dNSName. This is a DNS domain name. A DNS-ID reference identifier does not identify an application service. |
|
A subjectAltName entry of type otherName whose name form is SRVName as defined in RFC 4985. A SRV-ID identifier may contain both a domain name and an application service type. For example, a SRV-ID of “_imaps.example.net” would be split into a DNS domain name portion of “example.net” and an application service type portion of “imaps.” |
|
A subjectAltName entry of type uniformResourceIdentifier whose value includes both (i) a “scheme” and (ii) a “host” component (or its equivalent) that matches the “reg-name” rule specified in RFC 3986. A URI-ID identifier must contain the DNS domain name, not the IP address, and not just the hostname. For example, a URI-ID of “sip:voice.example.edu” would be split into a DNS domain name portion of “voice.example.edu” and an application service type of “sip.” |
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object. |
Note A reference identity is created when configuring one with a previously unused name. Once a reference identity has been created, the four identifier types and their associated values can be added or deleted from the reference identity. The reference identifiers MAY contain information identifying the application service and MUST contain information identifying the DNS domain name.
Configuring SNMP
Simple Network Management Protocol (SNMP) defines a standard way for network management stations running on PCs or workstations to monitor the health and status of many types of devices, including switches, routers, and security appliances. You can use the SNMP page to configure a firewall device for monitoring by SNMP management stations.
The Simple Network Management Protocol (SNMP) enables monitoring of network devices from a central location. Cisco security appliances support network monitoring using SNMP versions 1, 2c, and 3, as well as traps and SNMP read access; SNMP write access is not supported.
You can configure a security appliance to send “traps” (event notifications) to a network management station (NMS), or you can use the NMS to browse the management information bases (MIBs) on the security appliance. Use CiscoWorks for Windows or any other SNMP MIB-II-compliant browser to receive SNMP traps and browse a MIB.
The security appliance has an SNMP agent that notifies designated management stations if specified events occur, for example, when a link in the network goes up or down. The notification includes an SNMP system object ID (OID), identifying the device to the management stations. The security appliance SNMP agent also replies when a management station asks for information.
An SNMP trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in Management Information Bases (MIBs), which can be either standard or enterprise-specific.
Standard traps and MIBs are created by the Internet Engineering Task Force (IETF) and documented in various RFCs. Standard traps are compiled into the security appliance software. If needed, you can also download RFCs, standard MIBS, and standard traps from the IETF website: http://www.ietf.org/.
For Cisco MIB files and OIDs, refer to: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml. OIDs may be downloaded from this FTP site: ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.
This section contains the following topics:
SNMP Terminology
Here are definitions for some common SNMP terms:
- Agent – The SNMP server running on the security appliance. The agent responds to requests for information and action from the management station. The agent also controls access to its management information base (MIB), the collection of data objects that can be viewed or changed by the SNMP manager.
- Management stations – The PCs or workstations set up to monitor SNMP events and manage devices such as the security appliance. Management stations can also receive messages about events which require attention, such as hardware failures.
- MIBs – The agent maintains standardized data structures called Management Information Bases (MIBs), used to collect information, such as packet, connection and error counters, and buffer usage and failover status. A number of MIBs are defined for specific products, and for the common protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs, or request only specific fields. In some applications, MIB data can be modified for administrative purposes.
- OID – The SNMP standard assigns a system object ID (OID) so that a management station can uniquely identify network devices with SNMP agents, and indicate to users the source of information monitored and displayed.
- Traps – Specified events that generate a message from the SNMP agent to the management station. Events include alarm conditions such as linkup, linkdown, coldstart, warmstart, authentication, or syslog events.
SNMP Version 3
SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. In addition, this version controls access to the SNMP agent and MIB objects through the User-based Security Model (USM) and View-based Access Control Model (VACM). The ASA and ASASM also support the creation of SNMP groups and users, as well as hosts, which is required to enable transport authentication and encryption for secure SNMP communications.
Note SNMP Version 3 is supported on ASA devices running 8.2(1) or later and on ASASM devices running 8.5(1) or later.
For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, which are divided into the following three types:
- NoAuth—No Authentication and No Privacy, which means that no security is applied to messages.
- Auth—Authentication but No Privacy, which means that messages are authenticated.
- Priv—Authentication and Privacy, which means that messages are authenticated and encrypted.
An SNMP group is an access control policy to which users can be added. Each SNMP group is configured with a security model, and is associated with an SNMP view. A user within an SNMP group must match the security model of the SNMP group. These parameters specify what type of authentication and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must be unique.
SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP group. The user then inherits the security model of the group.
An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP Version 3 hosts, along with the target IP address, you must configure a username, because traps are only sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the ASA and ASA Services Module. Each SNMP host can have only one username associated with it. To receive SNMP traps, configure the SNMP NMS, and make sure that you configure the user credentials on the NMS to match the credentials for the ASA and ASASM.
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3 implementation in the Cisco IOS software in the following ways:
- The local-engine and remote-engine IDs are not configurable. The local engine ID is generated when the ASA or ASASM starts or when a context is created.
- No support exists for view-based access control, which results in unrestricted MIB browsing.
- Support is restricted to the following MIBs: USM, VACM, FRAMEWORK, and TARGET.
- You must create users and groups with the correct security model.
- You must remove users, groups, and hosts in the correct sequence.
- Use of the snmp-server host command creates an ASA or ASASM rule to allow incoming SNMP traffic.
SNMP Page
Use the SNMP page to configure the security appliance for monitoring by Simple Network Management Protocol (SNMP) management stations.
Note For SNMP Version 3, configuration must occur in the following order: group, user, host.
- (Device view) Select Platform > Device Admin > Device Access > SNMP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SNMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.
- Configuring SNMP
- SNMP Trap Configuration Dialog Box
- Add/Edit SNMP Host Access Entry Dialog Box
- Add/Edit SNMP Host Group Entry Dialog Box
- Add/Edit SNMP Group Entry Dialog Box
- Add/Edit SNMP User Entry Dialog Box
- Add/Edit SNMP User List Entry Dialog Box
|
|
---|---|
When this option is selected, the security device provides SNMP information on the specified interface(s). You can deselect this option to disable SNMP monitoring while retaining the configuration information. |
|
Enter the password used by a SNMP management station when sending requests to this device. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The security device uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive alphanumeric string of up to 32 characters; spaces are not permitted. Repeat the password in the Confirm field to ensure it was entered correctly. |
|
Enter the name of the device administrator or other contact person. This string is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. |
|
Describe the location of this security device (for example, Building 42, Sector 54). This string is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space. |
|
Specify the port on which incoming requests will be accepted. The default is 161. |
|
Click this button to configure SNMP traps in the SNMP Trap Configuration Dialog Box. |
|
Shows the ID of the SNMP engine configured on the device. Click Get SNMP Engine ID to retrieve the engine ID from the device. |
|
This table lists the SNMP management stations that can access the security appliance. This is a standard Security Manager table, with Add Row, Edit Row and Delete Row buttons, as described in Using Tables. The Add Row and Edit Row buttons open the Add/Edit SNMP Host Access Entry Dialog Box, used to add and edit management station host entries. Note For ASA devices running 9.1(5) or later, you can configure up to 129 SNMP hosts. For other devices and earlier ASA versions, you can only configure up to 32 SNMP hosts. |
|
Beginning with version 4.12, Security Manager enables you to add and edit the Host Group entries for SNMP Users. See Add/Edit SNMP Host Group Entry Dialog Box for more information. |
|
|
|
Lists the SNMP groups that have been configured. This is a standard Security Manager table, with Add Row, Edit Row and Delete Row buttons, as described in Using Tables. The Add Row and Edit Row buttons open the Add/Edit SNMP Group Entry Dialog Box, used to add and edit SNMP groups. |
|
Lists the SNMP users that have been configured. This is a standard Security Manager table, with Add Row, Edit Row and Delete Row buttons, as described in Using Tables. The Add Row and Edit Row buttons open the Add/Edit SNMP User Entry Dialog Box, used to add and edit SNMP users. |
|
Beginning with version 4.12, Security Manager enables you to add a user list containing multiple SNMP users. See Add/Edit SNMP User List Entry Dialog Box for more information. |
SNMP Trap Configuration Dialog Box
Use the SNMP Trap Configuration dialog box to configure SNMP traps (event notifications) for the selected security device.
Traps are different than browsing; they are unsolicited “comments” from the managed device to the management station for certain events, such as linkup, linkdown, and syslog event generated.
An SNMP object ID (OID) for the device appears in SNMP event traps sent from the device. The SNMP service running on a security device performs two functions:
- Replies to SNMP requests from management stations.
- Sends traps to management stations or other devices that are registered to receive them from the security appliance.
Cisco security devices support three types of traps:
In the SNMP Trap Configuration dialog box, available traps are presented on four tabbed panels: Standard, Entity MIB, Resource, and Other.
You can access the SNMP Trap Configuration dialog box from the SNMP Page.
|
|
---|---|
Check this box to quickly select all traps on all four tabbed panels. |
|
Check this box to enable transmission of trap-related syslog messages. The severity level for syslog messages trapped is set on the Logging Filters Page. |
|
Select the desired event-notification traps on the following four tabbed panels. Note that only the traps applicable to the selected device are displayed in the dialog box. |
|
|
|
|
|
|
|
Percentage – Enter the desired upper limit of CPU resource usage as a percentage of total available. Valid values range from 10 to 94; default is 70%. Period – Specify the length of time, in minutes, that the specified Percentage can be exceeded before notification is triggered. Valid values range from 1 to 60.
Percentage – Enter the desired upper limit on interface usage as a percentage of total available bandwidth. Valid values range from 30 to 99; default is 70%.
Percentage – Enter the desired upper limit of CPU resource usage as a percentage of total available. Valid values range from 10 to 100; default is 70%. Period – Specify the length of time, in seconds, that the specified Percentage can be exceeded before notification is triggered. Valid values range from 60 to 3600. |
Add/Edit SNMP Host Access Entry Dialog Box
Use the Add/Edit SNMP Host Access Entry dialog box to add and edit entries in the SNMP Hosts table on the SNMP page. These entries represent SNMP management stations allowed to access the security device.
For ASA devices running any software version between 9.1(5) and 9.3(2), you can configure 129 SNMP hosts. For ASA devices running the software version lower than 9.1(5) you can configure only 32 SNMP hosts.
Beginning with version 4.9, Security Manager enables you to configure up to 4096 SNMP hosts for ASA devices running the software version 9.4(1) or later. However, only 129 of this number can be for traps. You cannot configure more than 129 trap configured SNMP hosts.
You can access the Add/Edit SNMP Host Access Entry dialog box from the SNMP Page.
- Configuring SNMP
- SNMP Trap Configuration Dialog Box
- Add/Edit SNMP Group Entry Dialog Box
- Add/Edit SNMP User Entry Dialog Box
|
|
---|---|
Enter or Select the interface on which this SNMP management station contacts the device. |
|
Enter the IP address, or Select a Networks/Hosts object, representing the SNMP management station. Note Beginning with Cisco Security Manager version 4.17, IPv6 Address for SNMP policy is supported on ASA 9.9.2 devices and above. |
|
(Optional) Enter a UDP port for requests from the SNMP host. You can use this field to override the global value specified on the SNMP page. |
|
Enter the password used by the SNMP management station when sending requests to the security device. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. Thus, the password is used to determine if the incoming SNMP request is valid. The password is a case-sensitive alphanumeric string of up to 32 characters; spaces are not permitted. |
|
Choose the version of SNMP used by this management station: 1, 2c, or 3. |
|
If SNMP version 3 is selected, select the SNMP user. For information on SNMP users, see Add/Edit SNMP User Entry Dialog Box. |
|
Specify the type(s) of communication with this management station: poll only, trap only, or both trap and poll. Check either or both: |
Add/Edit SNMP Host Group Entry Dialog Box
Beginning with Security Manager version 4.12, you can use the Add/Edit SNMP Host Group Entry dialog box to add and edit entries in the SNMP Host Group table on the SNMP page. These entries represent SNMP management stations allowed to access the security device.
For ASA devices running any software version between 9.1(5) and 9.4, you can configure 129 SNMP hosts. For ASA devices running the software version lower than 9.1(5) you can configure only 32 SNMP hosts.
Beginning with version 4.9, Security Manager enables you to configure up to 4096 SNMP hosts for ASA devices running the software version 9.4(1) or later. However, only 129 of this number can be for traps. You cannot configure more than 129 trap configured SNMP hosts.
Note If you edit a used Address Range or Network object in the Networks/Host Policy Object Manager after adding or editing SNMP Host or Host Group entries in the Add/ Edit SNMP Host Group entry page, Cisco Security Manager will not validate for the total number of SNMP traps. Thus, if the trap entries exceed 129, it will result in a deployment failure.
You can access the Add/Edit SNMP Host Access Entry dialog box from the SNMP Page.
- Configuring SNMP
- SNMP Trap Configuration Dialog Box
- Add/Edit SNMP Group Entry Dialog Box
- Add/Edit SNMP User Entry Dialog Box
Add/Edit SNMP Group Entry Dialog Box
Use the Add/Edit SNMP Group Entry dialog box to add and edit entries in the SNMP Groups table on the SNMP page. An SNMP group is an access control policy to which users can be added. Each SNMP group is configured with a security model, and is associated with an SNMP view. A user within an SNMP group must match the security model of the SNMP group. These parameters specify what type of authentication and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must be unique.
For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, which are divided into the following three types:
- NoAuth—No Authentication and No Privacy, which means that no security is applied to messages.
- Auth—Authentication but No Privacy, which means that messages are authenticated.
- Priv—Authentication and Privacy, which means that messages are authenticated and encrypted.
- Before a group can be deleted, you must ensure that all users associated with that group are deleted. If any hosts are associated with a user that needs to be deleted, you must delete those hosts before you can delete the user.
- If users have been configured to belong to a particular group with a certain security model, you must do the following to change the security level of that group:
a. Remove all host entries associated with any users belonging to the group.
b. Remove the users from the group.
c. Deploy the changes to the device.
d. Change the group security level.
e. Add users that belong to the group.
f. Add hosts belonging to the users that were added for the group.
g. Deploy the changes to the device.
You can access the Add/Edit SNMP Group Entry dialog box from the SNMP Page.
- Configuring SNMP
- SNMP Trap Configuration Dialog Box
- Add/Edit SNMP Host Access Entry Dialog Box
- Add/Edit SNMP User Entry Dialog Box
|
|
---|---|
Enter the name of the SNMP group. Group names must be 32 characters or less. |
|
Add/Edit SNMP User Entry Dialog Box
Use the Add/Edit SNMP User Entry dialog box to add a user to an SNMP group or to edit entries in the SNMP User table on the SNMP page. SNMP users inherit the security model of the group to which they are assigned.
- After a user has been created, you cannot change the group to which the user belongs.
- Before a user can be deleted, you must ensure that no hosts are configured that are associated with that username.
You can access the Add/Edit SNMP User Entry dialog box from the SNMP Page.
- Configuring SNMP
- SNMP Trap Configuration Dialog Box
- Add/Edit SNMP Host Access Entry Dialog Box
- Add/Edit SNMP Group Entry Dialog Box
|
|
---|---|
Select the SNMP group to which this user belongs. For information on SNMP groups, see Add/Edit SNMP Group Entry Dialog Box. |
|
Enter the name of the SNMP user. Usernames must be 32 characters or less and must be unique for the SNMP server group selected. |
|
The SNMP EngineID identifier used for authentication in v3. You can enter comma separated multiple Engine IDs. The Engine ID identifier must be valid, and each Engine Id must be within the range of 1 to 257 characters.
– If you upgrade a failover ASA device from version 8.x or 9.x to version 9.6(2), the device will automatically create multiple SNMP User commands for multiple SNMP Engine IDs. You must copy the Engine ID by retrieving it from the device into this Engine ID text box. For information about retrieving Engine ID from the device see SNMP Page. – If you add or remove an ASA device to or from a failover configuration, you must manually enter the Engine ID because the ASA device automatically removes or creates new SNMP User commands for the existing Engine IDs. |
|
Specify the type of password you want to use: Clear Text or Encrypted. If the password type is Clear Text, Security Manager will encrypt the password when deploying to the device. If the password type is Encrypted, Security Manager will directly deploy the encrypted password. Security Manager will never directly deploy the clear text password to device. |
|
Specify the type of authentication you want to use: MD5 or SHA. |
|
Enter the password to use for authentication. If you selected Encrypted as the Encrypt Password Type, the password must be formatted as xx:xx:xx..., where xx are hexadecimal values. Note The length of the password will depend on the authentication algorithm selected. For all passwords, the length must be 256 characters or less. If you selected Clear Text as the Encrypt Password Type, repeat the password in the Confirm field. |
|
Specify the type of encryption you want to use: AES128, AES192, AES256, 3DES, DES. Note To use AES or 3DES encryption, you must have the appropriate license installed on the device. |
|
Enter the password to use for encryption. If you selected Encrypted as the Encrypt Password Type, the password must be formatted as xx:xx:xx..., where xx are hexadecimal values. For encrypted passwords, the length of the password depends on the encryption type selected. The password sizes are as follows (where each xx is one octal):
Note For all passwords, the length must be 256 characters or less. If you selected Clear Text as the Encrypt Password Type, repeat the password in the Confirm field. |
Add/Edit SNMP User List Entry Dialog Box
Beginning with version 4.12, Security Manager enables you to use the Add/Edit SNMP User List Entry dialog box to add a user list containing multiple SNMP users.
- You cannot delete a user list if the list is used by a particular host group.
- You cannot delete an SNMP user if that user is referred to in a particular user list..
You can access the Add/Edit SNMP User List Entry dialog box from the SNMP Page.
|
|
---|---|
Enter the name of the User List. User List names must be 1-33 characters in length. |
|
Telnet Page
Use the Telnet page to configure rules that permit only specific hosts or networks to connect to the firewall device using the Telnet protocol.
The rules restrict administrative Telnet access through a firewall device interface to a specific IP address and netmask. Connection attempts that comply with the rules must then be authenticated by a preconfigured AAA server or the Telnet password. You can monitor Telnet sessions using Monitoring > Telnet Sessions.
Note Only five Telnet sessions can be active at the same time in single-context mode. In multiple-context mode on ASAs, there can be only five Telnet sessions active per context, 100 Telnet sessions active per blade. With resource class, the administrator can further tune this parameter.
- (Device view) Select Platform > Device Admin > Device Access > Telnet from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Telnet from the Policy Type selector. Right-click Telnet to create a policy, or select an existing policy from the Shared Policy selector.
Telnet Configuration Dialog Box
Use the Telnet Configuration dialog box to configure Telnet options for an interface.
You can access the Telnet Configuration dialog box from the Telnet Page.