3-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 3 Managing the Device Inventory
Adding Devices to the Device Inventory
RSH
SUNRPC
TFTP
XDMCP
Dynamic routing (spanned EtherChannel mode only)
Multicast routing (individual interface mode only)
Static route monitoring
IGMP multicast control plane protocol processing (data plane forwarding is distributed across the cluster)
PIM multicast control plane protocol processing (data plane forwarding is distributed across the cluster)
Authentication and Authorization for network access. Accounting is decentralized.
Filtering Services
Features Applied to Individual Units
These features are applied to each ASA unit, instead of the cluster as a whole.
QoS—The QoS policy is synced across the cluster as part of configuration replication. However, the policy is enforced on each unit independently. For example, if you configure policing on output, then the conform rate and conform burst values are enforced on traffic exiting a particular ASA. In a cluster with 8 units and with traffic evenly distributed, the conform rate actually becomes 8 times the rate for the cluster.
Threat detection—Threat detection works on each unit independently; for example, the top statistics are unit-specific. Port scanning detection, in particular, does not work because scanning traffic is load-balanced across all units, so no single unit sees all of the traffic.
Resource management—Resource management in multiple context mode is enforced separately on each unit based on local usage.
IPS module—There is no configuration sync or state sharing between IPS modules. Some IPS signatures require IPS to keep the state across multiple connections. For example, the port scanning signature is used when the IPS module detects that someone is opening many connections to one server but with different ports. In clustering, those connections will be balanced between multiple ASA devices, each of which has its own IPS module. Because these IPS modules do not share state information, the cluster may not be able to detect port scanning as a result.
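The threat detection and IPS module notes above describe the same failure mode: per-unit counters never reach a scan threshold when the scan's connections are spread across cluster members. The following simulation is an added illustration, not Cisco or Security Manager code; the sample events, the port threshold, and the modulo stand-in for the cluster's flow load-balancing are all constructed assumptions.

```python
"""Constructed simulation: why per-unit scan detection misses a scan whose
connections are load-balanced across ASA cluster members, and how merging
the unit-local counts (e.g. in a central log collector) restores detection."""
from collections import defaultdict

# Constructed sample: one source probing 40 distinct ports on one server.
SCAN_EVENTS = [("10.0.0.5", "192.0.2.10", port) for port in range(1, 41)]
PORT_THRESHOLD = 20  # hypothetical: distinct ports from one source before alerting


def assign_unit(port, n_units):
    """Stand-in for the cluster's flow hashing: spread connections evenly.
    A real cluster hashes the flow tuple; modulo keeps the result predictable."""
    return port % n_units


def per_unit_port_counts(events, n_units):
    """What each unit sees on its own: no state is shared between units."""
    seen = defaultdict(set)  # (unit, src, dst) -> ports observed on that unit
    for src, dst, port in events:
        seen[(assign_unit(port, n_units), src, dst)].add(port)
    return {key: len(ports) for key, ports in seen.items()}


def per_unit_alerts(events, n_units, threshold=PORT_THRESHOLD):
    """Alerts a unit-local detector would raise (the clustered ASA behaviour)."""
    counts = per_unit_port_counts(events, n_units)
    return {key: n for key, n in counts.items() if n >= threshold}


def max_ports_seen_by_one_unit(events, n_units):
    """Largest distinct-port count any single unit accumulates for a source."""
    return max(per_unit_port_counts(events, n_units).values())


def aggregated_alerts(events, threshold=PORT_THRESHOLD):
    """Counts merged across all units, as a collector of every unit's logs
    would compute them; this is the view no single cluster member has."""
    seen = defaultdict(set)
    for src, dst, port in events:
        seen[(src, dst)].add(port)
    return {key: len(ports) for key, ports in seen.items() if len(ports) >= threshold}


if __name__ == "__main__":
    print("single unit alerts:", per_unit_alerts(SCAN_EVENTS, 1))
    print("8-unit cluster alerts:", per_unit_alerts(SCAN_EVENTS, 8))
    print("max ports one of 8 units saw:", max_ports_seen_by_one_unit(SCAN_EVENTS, 8))
    print("aggregated alerts:", aggregated_alerts(SCAN_EVENTS))
```

With a single unit the 40-port probe trips the threshold; spread over 8 units each member sees only 5 ports and nothing fires, while the merged view detects it again.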
Related Topics
Cluster Information Page, page 3-48
Adding Devices from the Network
One of the easiest and most reliable ways to add devices to the inventory is to identify devices that are active in the network. By providing the IP address (or DNS hostname) of a device, and the credentials required to log into it, Security Manager can obtain much of the information it needs directly from the device, ensuring the accuracy of the information.
Before You Begin
Before beginning this procedure, ensure the following preparations have been made: