5-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Discovering Policies
If the Security Manager policy supports only extended ACLs (for example, firewall service policies), any standard ACLs configured on the device for that policy are imported as extended ACLs.
If the Security Manager policy supports only standard ACLs (for example, SNMP traps on IOS routers), any extended ACLs configured on the device for that policy are imported as standard ACLs.
During discovery, Security Manager imports any inactive ACLs as disabled and shows them as such. If you later deploy these disabled ACLs, they are removed from the device configuration.
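As an added example that is not part of the guide, the following Python check runs over constructed ASA access-list lines before a rediscovery: it classifies each ACL as standard or extended and flags inactive ACEs, so you know in advance which entries will be imported under a different ACL type or imported disabled (and removed by a later deployment). The ASA line format and the sample addresses are assumptions; Security Manager's own import logic is not modelled.

```python
import re

# Constructed sample ASA access-list lines (not taken from any real device).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80 inactive
access-list OUTSIDE_IN extended deny ip any any
access-list MGMT standard permit 198.51.100.0 255.255.255.0
access-list MGMT standard permit host 198.51.100.77 inactive
"""

# Assumed ASA syntax: access-list <name> standard|extended <ace> [inactive]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<type>standard|extended)\s+"
    r"(?P<body>.*?)(?P<inactive>\s+inactive)?$"
)


def parse_acls(config_text):
    """Group ACEs by ACL name: {name: {"type": str, "aces": [(body, is_active)]}}."""
    acls = {}
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # not an access-list line; ignore other config
        entry = acls.setdefault(m["name"], {"type": m["type"], "aces": []})
        entry["aces"].append((m["body"], m["inactive"] is None))
    return acls


def audit_for_discovery(config_text, expected_type):
    """List what discovery will change, given the ACL type the target policy supports.

    expected_type is "extended" (e.g. firewall service policies) or
    "standard" (e.g. SNMP traps on IOS routers).
    """
    findings = []
    for name, acl in parse_acls(config_text).items():
        if acl["type"] != expected_type:
            findings.append(f"{name}: {acl['type']} ACL will be imported as {expected_type}")
        for body, active in acl["aces"]:
            if not active:
                findings.append(
                    f"{name}: inactive ACE '{body}' imports disabled; a later deploy removes it"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_for_discovery(SAMPLE_CONFIG, "extended"):
        print(finding)
```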
Related Topics
Frequently Asked Questions about Policy Discovery, page 5-25
Viewing Policy Discovery Task Status, page 5-21
Understanding Policy Object Overrides for Individual Devices, page 6-17
Discovering Policies on Devices Already in Security Manager
When you add a device to the inventory, you can discover policies at the same time that you add the device. However, you can skip policy discovery and do it later, or rediscover policies after adding the device.
You might initiate policy discovery on existing devices when:
You discover out-of-band changes in the network, for example, changes to device configurations using CLI commands. In such a situation, you can rediscover existing policies on the device to make sure that the Security Manager database has the most current information. However, we recommend that you enter out-of-band changes in Security Manager rather than perform rediscovery.
You want to discover a subset of policies (for example, platform-specific settings) that was not discovered when you first added the device to Security Manager.
You want to import the factory-default configuration of a firewall device. For more information, see Default Firewall Configurations, page 45-2.
Caution If you perform policy discovery on a device after configuring policies in Security Manager but before you deploy your changes, the discovered policies overwrite the undeployed changes. For example, if you select the option to discover platform-specific settings, the discovered configuration overwrites any platform-specific undeployed policies you configured in Security Manager. This is true even if the discovered configuration does not include the specific platform policy you configured. For example, discovering platform-specific settings overwrites any routing policies that you have configured for the device in Security Manager, even if the configuration you discover does not contain any routing information. Another result of rediscovery is that any shared policies that were configured on the device are replaced by the local policies that are discovered.
Caution Under certain conditions, Security Manager may fail to discover ASA interfaces in the system context. Specifically, if a rediscovery or deployment is done on the system context of a multiple-context ASA without selecting "inventory," Security Manager may fail to discover the interfaces on the other security contexts. This can result in Security Manager altering or deleting the interface configurations of those contexts in a subsequent deployment. To avoid this problem, be sure to select "inventory" when rediscovering the system context.