3-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 3 Managing the Device Inventory
Adding Devices to the Device Inventory
Cons—You cannot use this method to add Catalyst 6500/7600 or IPS devices. When adding
groups of configuration files, all files must be for the same device type.
Also, you cannot successfully discover policies that require a connection with the device. For
example, if a policy points to a file that resides on the device, adding the device using the
configuration file will result in a Security Manager configuration that includes the no form of
the command, because Security Manager cannot retrieve the referenced file from the device. For
example, the svc image command for web VPNs might be negated.
Add New Device—To add a device that does not yet exist in the network, so that you can
pre-provision it in Security Manager, see Adding Devices by Manual Definition, page 3-25. You can
create the device in the system, assign policies to the device, and generate configuration files before
installing the device hardware.
Pros—You can pre-provision devices that do not yet exist in the network.
Cons—You must specify more information than that required by any other method. If you create
a Catalyst 6500 device, or a router that contains an IPS module, you should discover its modules
by selecting Policy > Discover Policies on Device.
Add Device from File—To add devices from an inventory file in comma-separated values (CSV)
format, see Adding Devices from an Inventory File, page 3-29.
Pros—You can add multiple devices of different types at one time. You can reuse the inventory
list from your other network management applications, including CiscoWorks Common
Services, Cisco Security Monitoring, Analysis and Response System (CS-MARS), and other
Security Manager servers. If you use a file exported from another Security Manager server, you
can optionally add the devices without discovering policies, which is convenient for adding
offline or standby devices.
Cons—You cannot use this method to update the properties of devices already defined in the
inventory. Also, policy discovery can fail if you attempt to import more than 100 devices at one
time, and might fail for even fewer devices. In the case of IPS devices, do not add more than
four IPS devices at a time to avoid policy discovery failures.
Working with Generically Supported Devices
Security Manager can manage some device models even if the model does not appear in the supported
device list. This type of generic device support relies on the fact that device features are controlled more
by the software running on the device than the device model. If you have a device that does not appear
in the explicitly supported device list, you can try to manage it as a generic device using the device
modules listed in the table below.
You can add a generic router using any of the various methods for adding devices:
If you add a router directly from the network, and the router is not natively supported but can be
generically supported, Security Manager automatically discovers the device as a generic router. You
are prompted to choose whether to add the generic device or cancel the operation.
If you are adding a generic router by manual definition or from a configuration file, you must select
the appropriate generic device type according to the OS running on the router (see Table 3-1 on
page 3-9).
If you are adding a generic router from an inventory file, you must make sure that you use the correct
SYSOBJID in the CSV file. Use 1.0.0.0.0.0.0.0.1 for devices running Cisco IOS Software (Cisco
Generic Integrated Services Router) and use 1.0.0.0.0.0.0.0.2 for devices running Cisco IOS XE
Software (Cisco Generic Aggregation Services Router).
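The import limits for inventory files and the generic SYSOBJID values described above can be checked before a file is imported; the following Python script is an added example, not part of the Cisco guide or of Security Manager. It assumes a simplified CSV with a header row, not Security Manager's actual inventory file format: the column names host_name and os_type and the os_type values are hypothetical, and only the SYSOBJID field and its two generic values come from the text.

```python
import csv
import io

# Limits and generic SYSOBJID values as stated in the guide text above.
MAX_DEVICES_PER_IMPORT = 100   # upper bound; discovery might fail for fewer
MAX_IPS_PER_IMPORT = 4
GENERIC_SYSOBJID = {
    "1.0.0.0.0.0.0.0.1": "IOS",     # Cisco Generic Integrated Services Router
    "1.0.0.0.0.0.0.0.2": "IOS-XE",  # Cisco Generic Aggregation Services Router
}
GENERIC_PREFIX = "1.0.0.0.0.0.0.0."

def load_inventory(text):
    """Parse the simplified CSV (assumed columns: host_name, os_type, SYSOBJID)."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]

def check_generic_ids(rows):
    """Return (host, problem) pairs for generic SYSOBJID values that are wrong."""
    problems = []
    for r in rows:
        oid = r["SYSOBJID"]
        if not oid.startswith(GENERIC_PREFIX):
            continue  # not a generic entry, nothing to check here
        expected_os = GENERIC_SYSOBJID.get(oid)
        if expected_os is None:
            problems.append((r["host_name"], "unknown generic SYSOBJID " + oid))
        elif expected_os != r["os_type"]:
            problems.append((r["host_name"], "SYSOBJID is for " + expected_os))
    return problems

def plan_batches(rows):
    """Split rows, in order, into imports that respect both limits."""
    batches, current, ips = [], [], 0
    for r in rows:
        is_ips = r["os_type"] == "IPS"  # hypothetical os_type value
        if current and (len(current) == MAX_DEVICES_PER_IMPORT
                        or (is_ips and ips == MAX_IPS_PER_IMPORT)):
            batches.append(current)
            current, ips = [], 0
        current.append(r)
        ips += is_ips
    return batches + ([current] if current else [])

# Constructed sample inventory (not real devices; IPS SYSOBJID is a placeholder).
SAMPLE = """host_name,os_type,SYSOBJID
edge-rtr-1,IOS,1.0.0.0.0.0.0.0.1
agg-rtr-1,IOS-XE,1.0.0.0.0.0.0.0.1
agg-rtr-2,IOS-XE,1.0.0.0.0.0.0.0.3
""" + "".join(f"ips-{i},IPS,PLACEHOLDER\n" for i in range(6))
```

Running check_generic_ids and plan_batches on the parsed SAMPLE flags the two mislabelled routers and splits the nine devices into two imports so that no import carries more than four IPS devices.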