User Guide for Cisco Security Manager 4.4 (OL-28826-01)
Chapter 57
Configuring Security Contexts on Firewall Devices
You can define multiple security “contexts” on a single security appliance. Each context operates as an
independent virtual device, with its own security policy, interfaces and administrators. Multiple contexts
are similar to having multiple stand-alone devices. Many features are supported in multiple-context
mode, including routing tables, firewall features, IPS, and management. Some features are not
supported, for example VPN, multicast, and dynamic routing protocols: security contexts support only
static routes, and you cannot enable OSPF or RIP in multiple-context mode. Also, some features are not
directly managed by Cisco Security Manager, such as the IPS feature set for ASA and PIX devices.
In multiple-context mode, the security appliance includes a configuration for each context that identifies
the security policy, interfaces, and most of the options you can configure on a stand-alone device. The
system administrator adds and manages contexts by configuring them in the system configuration,
which, like a single-mode configuration, is the start-up configuration. The system configuration
identifies basic settings for the security appliance, but it does not include any network interfaces or
network settings for itself; rather, when the system needs to access network resources (such as
downloading the contexts from the server), it uses the context that is designated as the Admin context.
The system configuration is used to add, delete and edit basic context settings, including allocating
network interfaces to the various contexts.
The Admin context is just like any other context, except that when a user logs in to the Admin context,
that user has system administrator rights and can access the system configuration and all other contexts.
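The following added example (not part of the Cisco guide) parses a system configuration to show which context is the Admin context, which contexts are downloaded from a server, and how interfaces are allocated. It assumes the ASA CLI keywords `admin-context`, `context`, `allocate-interface` and `config-url`, which do not appear on this page; the sample configuration and the function names are constructed for illustration.

```python
import re

SAMPLE_SYSTEM_CONFIG = """\
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
context customerA
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/customerA.cfg
context customerB
  allocate-interface GigabitEthernet0/1
  config-url tftp://192.0.2.10/customerB.cfg
"""  # constructed sample, not taken from the guide

def parse_system_config(text):
    """Return (admin context name, {context: {"interfaces": [...], "config_url": ...}})."""
    admin, contexts, current = None, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"admin-context (\S+)", line):
            admin = m.group(1)
        elif m := re.fullmatch(r"context (\S+)", line):
            current = contexts.setdefault(m.group(1), {"interfaces": [], "config_url": None})
        elif current is not None and (m := re.match(r"allocate-interface (\S+)", line)):
            current["interfaces"].append(m.group(1))
        elif current is not None and (m := re.fullmatch(r"config-url (\S+)", line)):
            current["config_url"] = m.group(1)
    return admin, contexts

def audit(text):
    """Return review findings: admin context, remote config fetches, shared interfaces."""
    admin, contexts = parse_system_config(text)
    if admin in contexts:
        findings = [f"logins to '{admin}' carry system administrator rights"]
    else:
        findings = ["no defined context is designated as the Admin context"]
    owners = {}
    for name, ctx in contexts.items():
        if ctx["config_url"] and "://" in ctx["config_url"]:
            findings.append(f"'{name}' is downloaded from a server through the Admin context")
        for ifc in ctx["interfaces"]:
            owners.setdefault(ifc, []).append(name)
    findings += [f"{ifc} is allocated to {', '.join(names)}"
                 for ifc, names in sorted(owners.items()) if len(names) > 1]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SYSTEM_CONFIG)))
```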
This chapter contains the following topics:
Enabling and Disabling Multiple-Context Mode
Checklist for Configuring Multiple Security Contexts
Managing Security Contexts

Enabling and Disabling Multiple-Context Mode

Cisco Security Manager does not support switching to multiple-context mode on an existing device. To
perform this task, you must delete the device from Security Manager, enable multiple-context mode
using a device manager or CLI input, and then add the device again to Security Manager. After the device
is added in multiple-context mode, you can add, edit and delete security contexts.
Note: When manually defining a multiple-context device, choose Multi from the Contexts list in the Operating
System section of the New Device - Device Information dialog box.