5-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
Any changes that you make to a shared policy are automatically applied to all the devices to which it is
assigned. As a result, shared policies both streamline the process of policy creation and help maintain
consistency and uniformity in your device configurations.
For more information about the actions you can perform on shared policies, see Working with Shared
Policies in Device View or the Site-to-Site VPN Manager, page 5-34.
Tips
• Shared policies can be grouped together to form policy bundles. Policy bundles make managing the
assignment of shared policies easier, especially when working with a large number of devices. For
more information, see Managing Policy Bundles, page 5-53.
• In addition to sharing policies, you can choose to inherit the rules of a rule-based policy when
defining another policy of the same type. This makes it possible, for example, to maintain a set of
corporate access rules that apply to all firewall devices while providing the flexibility to define
additional rules on individual devices as required. For more information, see Understanding Rule
Inheritance, page 5-4.
• If you use more than one Security Manager server, you can maintain a consistent set of policies
among the servers by regularly exporting shared policies from your master server and importing
them into the other servers. You must decide which server to use as the official policy source. For
more information, see Exporting Shared Policies, page 10-11 and Importing Policies or Devices,
page 10-13.
Shared Policies and VPNs
In the same way that shared policies facilitate device configuration, they also facilitate the configuration
of VPNs. For example, you can create a shared IPsec proposal policy and assign it to multiple site-to-site
VPNs. Any changes that you make to the shared policy affect all the VPNs to which the policy is
assigned.
You can assign the shared policies to an existing VPN using the Site-to-Site VPN Manager; right-click
a shareable policy and select Assign Shared Policy. This is done in much the same way as assigning
shared policies in Device view. You can also configure shared policies as the default policies to use in
the Create VPN wizard, as described in Understanding and Configuring VPN Default Policies,
page 24-12.
Related Topics
• Understanding Policies, page 5-1
Understanding Rule Inheritance
As described in Local Policies vs. Shared Policies, page 5-3, shared policies enable you to configure and
assign a common policy definition to multiple devices. Rule inheritance takes this feature one step
further by enabling a device to contain the rules defined in a shared policy in addition to local rules that
are specific to that particular device. Using inheritance, Security Manager can enforce a hierarchy where
policies at a lower level (called child policies) inherit the rules of policies defined above them in the
hierarchy (called parent policies).
Note: If a policy bundle includes a shared policy that inherits from other shared policies, those inherited rules
are also applied to any devices on which the policy bundle is applied.
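The following is an added illustration of the semantics described above (shared policies referenced rather than copied, child policies inheriting the rules of their parents, and bundles carrying inherited rules to every device they are applied to); it is a toy model written for this page, not Security Manager code. The rule ordering (ancestor rules first, then the child's own rules, then device-local rules) is an assumption made for the model, and the policy and rule names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str  # "permit" or "deny"

@dataclass
class SharedPolicy:
    """A shared policy is referenced by devices, so editing it affects every assignee."""
    name: str
    rules: List[Rule] = field(default_factory=list)
    parent: Optional["SharedPolicy"] = None  # rule inheritance: child -> parent

    def inherited_rules(self) -> List[Rule]:
        """Walk the parent chain; emit top-most ancestor rules first (assumed order)."""
        chain, seen, pol = [], set(), self
        while pol is not None:
            if pol.name in seen:  # guard against a malformed circular hierarchy
                raise ValueError(f"inheritance cycle at policy {pol.name!r}")
            seen.add(pol.name)
            chain.append(pol)
            pol = pol.parent
        return [r for p in reversed(chain) for r in p.rules]

@dataclass
class Device:
    name: str
    bundles: List[List[SharedPolicy]] = field(default_factory=list)  # a bundle = list of shared policies
    shared: List[SharedPolicy] = field(default_factory=list)
    local_rules: List[Rule] = field(default_factory=list)

def effective_rules(dev: Device) -> List[str]:
    """Rules the device ends up with: bundled and assigned shared policies (with what they inherit), then local rules."""
    rules: List[Rule] = [r for b in dev.bundles for p in b for r in p.inherited_rules()]
    rules += [r for p in dev.shared for r in p.inherited_rules()]
    rules += dev.local_rules
    return [f"{r.action} {r.name}" for r in rules]

def demo() -> Tuple[Tuple[List[str], List[str]], Tuple[List[str], List[str]]]:
    corporate = SharedPolicy("corporate", [Rule("block-telnet", "deny")])          # constructed parent policy
    branch = SharedPolicy("branch", [Rule("allow-web", "permit")], parent=corporate)  # child inherits corporate
    bundle = [branch]
    fw1 = Device("fw1", bundles=[bundle], local_rules=[Rule("allow-vpn", "permit")])
    fw2 = Device("fw2", bundles=[bundle])
    before = (effective_rules(fw1), effective_rules(fw2))
    corporate.rules.append(Rule("block-smb", "deny"))  # one edit to the shared parent policy...
    after = (effective_rules(fw1), effective_rules(fw2))  # ...shows up on every device via the bundle
    return before, after
```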