5-33
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Managing Policies in Device View and the Site-to-Site VPN Manager
The device selector displays only those devices that support all of the policies you selected to copy. If you do not see all of the devices to which you want to copy policies, you can return to the policy selection page and deselect the more restrictive policies, and use the wizard a second time to copy the restrictive policies to the subset of devices that support them.

The device list is empty if no other device in the inventory can support all selected policies.
Tip: After selecting devices, click the Preview button to view a summary of the policies that will be copied. The summary shows the selected devices, the policies that will be copied to them, and any overrides that will be created, updated, or deleted due to the copied policies.
Step 5 Click Finish. You are asked to confirm that you want to copy policies.

The policies are copied to the target devices. If the copy operation fails for any target device, the copy is undone for successful devices, and you are shown a list of reasons why the copy failed for each problem device. Typically, copy failures are because someone else has a lock on a policy or device, or you do not have the required permissions to a device.
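The two rules the wizard applies (a device is offered as a target only if it supports every selected policy, and the copy is all-or-nothing with rollback when any target fails) can be modelled in a few lines. The following Python is an added illustration written for this guide, not Cisco Security Manager code; the device names, the capability matrix, the policy names, and the lock and permission sets are constructed for the example.

```python
"""Model of the policy-copy semantics described above (illustrative, not CSM code)."""

# Constructed capability matrix: which policy types each device can hold.
DEVICE_SUPPORT = {
    "asa-edge-1": {"access_rule", "timeout", "failover"},
    "asa-edge-2": {"access_rule", "timeout", "failover"},
    "ios-branch-1": {"access_rule", "timeout"},
    "ips-sensor-1": {"signature"},
}


def eligible_targets(selected, support=DEVICE_SUPPORT, source=None):
    """Return the devices the selector would list: every device other than the
    source whose capabilities cover ALL selected policy types. Deselecting the
    most restrictive policy (e.g. failover) makes the list grow, which is why
    the guide suggests running the wizard twice."""
    needed = set(selected)
    return sorted(d for d, caps in support.items() if d != source and needed <= caps)


def copy_policies(selected, targets, assignments, locked=frozenset(), permitted=None):
    """All-or-nothing copy. `assignments` maps device -> {policy: value} and is
    updated in place. `locked` holds devices locked by another user and
    `permitted` the devices the caller may modify (None = all); both constructed.
    Returns {} on success, or {device: reason} for each failing device, in which
    case every target is rolled back to its pre-copy state."""
    snapshot = {d: dict(assignments.get(d, {})) for d in targets}
    failures = {}
    for d in targets:
        if d in locked:
            failures[d] = "device is locked by another user"
            continue
        if permitted is not None and d not in permitted:
            failures[d] = "insufficient permissions on device"
            continue
        assignments.setdefault(d, {}).update(selected)
    if failures:
        # Undo the copy on the devices that succeeded, as the wizard does.
        for d in targets:
            assignments[d] = snapshot[d]
    return failures


if __name__ == "__main__":
    print(eligible_targets(["access_rule", "timeout", "failover"], source="asa-edge-1"))
    print(eligible_targets(["access_rule", "timeout"], source="asa-edge-1"))
    state = {"asa-edge-2": {"timeout": 60}}
    print(copy_policies({"timeout": 300}, ["asa-edge-2", "ios-branch-1"], state,
                        locked={"ios-branch-1"}), state)
```

The rollback uses a per-target snapshot taken before any change is made, so a lock or permission failure on one device leaves the others exactly as they were.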
Unassigning a Policy
If you unassign a policy that has already been deployed to a device, in most cases the values that are defined for the policy are erased, effectively removing the policy from the device’s planned configuration. When you perform deployment, the configuration for this feature that already exists on the device is removed.
The exact behavior depends on the type of policy that you unassign:

- Firewall service policies: If you unassign a policy, Security Manager erases the policy from the device.
- VPN policies:
  - Site-to-site VPN policies: You cannot unassign mandatory site-to-site VPN policies from the devices in the topology. If you unshare a mandatory policy, Security Manager assigns default values to the affected device. If you unassign an optional policy, Security Manager erases the configuration from the device. For more information, see Understanding Mandatory and Optional Policies for Site-to-Site VPNs, page 24-6.
  - IPSec remote access VPN policies: If you unassign a policy, Security Manager erases the policy from the device, even if it is a mandatory policy. In most cases, deployment fails if you do not create a new definition for the mandatory policy. In those cases where deployment does not fail, the device will fail to establish VPN tunnels.
  - SSL VPN policies: If you unassign a policy, Security Manager erases the policy from the device.
- Catalyst 6500/7600 or Catalyst switch policies: Interface and VLAN policies cannot be shared or unassigned. If you unassign a platform policy (such as IDSM settings or VLAN access lists), Security Manager removes the policy from the device.
- IPS policies: For all IPS device and service policies, a default policy is assigned to the device.
- PIX/ASA/FWSM policies: Policies that you cannot share with other devices cannot be unassigned from the device on which they are created. This includes interface, failover, security context, and resource policies. For other policy types (such as timeout policies), Security Manager makes a best effort to restore the system default configuration on the device.