5-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Note Features that are unmanaged by Security Manager can still be modified manually with CLI commands
or FlexConfigs. For more information about FlexConfigs, see Chapter 7, “Managing FlexConfigs”.
Discovering Policies
Policy discovery enables you to bring your existing network configuration into Security Manager to be
managed. Policy discovery can be performed by importing the configuration of a live device or by
importing a configuration file. If you import a configuration file, the file must have been generated by
the device (for example, by using the show run command on Cisco IOS Software devices); you cannot
discover configuration files in any other format.
You can initiate policy discovery when you add a device by selecting the relevant options in the New
Device wizard. For more information, see Adding Devices to the Device Inventory, page 3-6.
You can also initiate policy discovery on existing devices from Device view. For more information, see
Discovering Policies on Devices Already in Security Manager, page 5-15.
When you initiate policy discovery on a device, the system analyzes the configuration on the device and
then translates this configuration into Security Manager policies and policy objects so that the device
can be managed. Warnings are displayed if the imported configuration completes only a partial policy
definition. If additional settings are required, you must go to the relevant page in the Security Manager
interface to complete the policy definition. Warnings and errors are also displayed if the imported
configuration is invalid.
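The two checks described above (the file must be device-generated `show run` output, and a configuration that only partially defines a policy produces warnings) can be reproduced on the workstation before a configuration file is handed to Security Manager. The script below is an added illustration, not code from the Cisco guide or from Security Manager's own discovery engine. It assumes a constructed Cisco IOS `show running-config` fragment (embedded inline; not from a real device) and uses its own hypothetical names `looks_like_show_run` and `check_running_config`. It recognizes the banner and trailing `end` that `show run` output carries, then flags references to ACLs, transform sets and crypto maps that the file never defines, which is the kind of partial policy definition the guide says discovery warns about.

```python
import re

# Constructed sample shaped like `show running-config` output from a Cisco IOS
# device (illustrative only). Two references are deliberately left dangling:
# the crypto map uses transform-set TS-MISSING and Gi0/1 applies ACL INSIDE-IN,
# neither of which is defined anywhere in the file.
SAMPLE_SHOW_RUN = """\
Building configuration...

Current configuration : 1024 bytes
!
hostname edge-rtr
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-MISSING
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group INSIDE-IN in
!
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.10 any eq isakmp
 deny   ip any any log
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
!
end
"""


def split_blocks(text):
    """Split `show run` output into top-level blocks: an unindented command
    followed by the indented lines that belong to it. '!' separators and
    blank lines are dropped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            blocks.append([line.strip()])
        elif blocks:
            blocks[-1].append(line.strip())
    return blocks


def looks_like_show_run(text):
    """Heuristic format check: device-generated running-config output opens
    with a 'Building configuration' / 'Current configuration' banner and
    closes with a bare 'end' line. Anything else is not importable."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    has_banner = any(l.startswith(("Building configuration", "Current configuration")) for l in lines)
    return has_banner and bool(lines) and lines[-1] == "end"


def check_running_config(text):
    """Return {'format_ok': bool, 'warnings': [...], 'errors': [...]}.
    A warning means a policy references an object (ACL, transform set,
    crypto map) that the file never defines, i.e. a partial definition."""
    result = {"format_ok": looks_like_show_run(text), "warnings": [], "errors": []}
    if not result["format_ok"]:
        result["errors"].append("input does not look like device-generated 'show run' output")
        return result
    acls, transform_sets, crypto_maps = set(), set(), set()
    refs = []  # (kind, referenced name, block that references it)
    for block in split_blocks(text):
        head = block[0]
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", head):
            acls.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", head):
            acls.add(m.group(1))  # numbered ACL
        elif m := re.match(r"crypto ipsec transform-set (\S+)", head):
            transform_sets.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", head):
            crypto_maps.add(m.group(1))
            for line in block[1:]:
                if m2 := re.match(r"set transform-set (\S+)", line):
                    refs.append(("transform-set", m2.group(1), head))
                elif m2 := re.match(r"match address (\S+)", line):
                    refs.append(("acl", m2.group(1), head))
        elif head.startswith("interface "):
            for line in block[1:]:
                if m2 := re.match(r"ip access-group (\S+) (?:in|out)", line):
                    refs.append(("acl", m2.group(1), head))
                elif m2 := re.match(r"crypto map (\S+)$", line):
                    refs.append(("crypto-map", m2.group(1), head))
    defined = {"acl": acls, "transform-set": transform_sets, "crypto-map": crypto_maps}
    for kind, name, ctx in refs:
        if name not in defined[kind]:
            result["warnings"].append(f"{ctx}: references undefined {kind} '{name}'")
    return result


if __name__ == "__main__":
    report = check_running_config(SAMPLE_SHOW_RUN)
    print("format_ok:", report["format_ok"])
    for w in report["warnings"]:
        print("WARNING:", w)
    for e in report["errors"]:
        print("ERROR:", e)
```

Run against the sample, the script accepts the format and reports two warnings, one for the undefined transform set and one for the undefined ACL on GigabitEthernet0/1; fed a file in any other format it reports only the format error. This is a pre-flight check, not a substitute for the warnings Security Manager itself displays, which cover far more policy types than the three handled here.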
After performing policy discovery, you must submit your changes (or approve your activity when
working in Workflow mode) to have the information included in change reports and to make the
information available to other users. If you make any changes to the discovered policies, you must
deploy the changes to the device for them to take effect. For more information, see Chapter 8, “Managing
Deployment”.
Tip Use the Security Manager Administration window to configure discovery-related settings that apply to
all devices. For more information, see Discovery Page, page 11-21.
Policy Discovery and VPNs
In addition to performing discovery on individual devices, Security Manager allows you to discover the
VPNs that are already deployed in your network. How you discover VPNs depends on the type of VPN
being discovered:
Site-to-Site VPNs—A wizard walks you through the discovery procedure step by step. For more
information, see Site-To-Site VPN Discovery, page 24-19.
Tip We recommend that you deploy to a file immediately after discovering a Site-to-Site VPN. This enables
Security Manager to assume full management of the relevant CLI commands that are configured on the
device.
IPSec and SSL Remote Access VPNs—You can discover IPSec and SSL VPNs when you discover
policies on the device, either when you add the device to the inventory or if you discover policies
on a device already in the inventory. Policies related to these VPNs are treated as regular device
policies. However, when selecting discovery options, you must specifically select to discover RA
VPN policies. For more information about remote access VPN policy discovery, see Discovering