User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Working with Policy Objects—Basic Procedures
Step 3 Right-click the object you want to delete and select Delete Object, or select the object and click the
Delete Object button. You are asked to confirm the deletion.
Managing Object Overrides
When you create a policy object, you can elect to allow the object to be overridden. This makes it
possible to create a generic object to enable you to create general policies. For individual devices, you
override the policy object definition to make the policy apply correctly to the device.
From the Policy Object Manager, page 6-4, you can select a policy object that can be overridden and
generate a table of device-level overrides that are defined for that global object. Right-click the object
and select Edit Device Overrides to generate the table (see Policy Object Overrides Window,
page 6-20).
You can create device-level overrides in two places:
• In the Device Properties window of a selected device, which allows you to create and manage
  overrides for the selected device only. For more information, see Creating or Editing Object
  Overrides for a Single Device, page 6-18.
• In the Policy Object Manager window, which allows you to create and manage overrides for more
  than one device at a time. For more information, see Creating or Editing Object Overrides for
  Multiple Devices At A Time, page 6-19.
Tip: If you override any part of the object definition at the device level, any subsequent changes made to the
policy definition at the global level do not affect the device on which the object was overridden.
The following topics explain policy object overrides in more detail:
• Understanding Policy Object Overrides for Individual Devices, page 6-17
• Allowing a Policy Object to Be Overridden, page 6-18
• Creating or Editing Object Overrides for a Single Device, page 6-18
• Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19
• Deleting Device-Level Object Overrides, page 6-21

Understanding Policy Object Overrides for Individual Devices

For many types of policy objects, you can elect to allow an object to be overridden for a particular device.
Thus, you can create an object whose definition works for most devices, and then create modifications
to the object for the few devices that need slightly different definitions. Or, you can create an object that
needs to be overridden for all devices, but which allows you to create a single policy for all devices.
Object overrides make it possible for you to create a smaller set of shared policies for use across your
devices without giving up the ability to alter policies when needed for individual devices.
For example, you might want to deny ICMP traffic to the different departments in your company, each
of which is connected to a different network. You can do this by defining an access rule firewall policy
with a rule that includes a network/host object called Departmental Network. By allowing device
override for this object, you can then create overrides on each relevant device that specify the actual
network to which that device is connected.
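
The override behavior described above, including the Tip about later global changes, modeled as an added example. This is not Cisco Security Manager code or its API; the class, function names, device names, networks, and the simplified rule text are all assumptions made for illustration.

```python
# Conceptual model only: not Cisco Security Manager code or its API.
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Optional


@dataclass
class PolicyObject:
    name: str
    value: Optional[str]          # global definition; None = must be overridden per device
    allow_override: bool = False
    overrides: Dict[str, str] = field(default_factory=dict)  # device name -> network

    def override(self, device: str, network: str) -> None:
        if not self.allow_override:
            raise PermissionError(f"{self.name} cannot be overridden")
        ip_network(network)       # reject malformed networks early
        self.overrides[device] = network

    def effective(self, device: str) -> Optional[str]:
        # A device-level override always wins over the global definition.
        return self.overrides.get(device, self.value)


def render_rule(obj: PolicyObject, devices: List[str]) -> Dict[str, str]:
    """Resolve one shared 'deny ICMP' rule per device (simplified text, not CLI syntax)."""
    rules = {}
    for dev in devices:
        net = obj.effective(dev)
        rules[dev] = f"deny icmp any {net}" if net else "UNRESOLVED: override required"
    return rules


def untouched_by_global_edit(obj: PolicyObject, devices: List[str]) -> List[str]:
    """Devices that will not pick up a change to the global definition."""
    return sorted(d for d in devices if d in obj.overrides)


# Constructed sample data: device names and networks are made up.
DEVICES = ["fw-eng", "fw-sales", "fw-hr"]
dept = PolicyObject("Departmental Network", value=None, allow_override=True)
dept.override("fw-eng", "10.10.0.0/16")
dept.override("fw-sales", "10.20.0.0/16")

if __name__ == "__main__":
    print(render_rule(dept, DEVICES))      # fw-hr has no override yet
    dept.value = "10.0.0.0/8"              # global edit made after overrides exist
    print(render_rule(dept, DEVICES))      # only fw-hr follows the global edit
    print("still on override:", untouched_by_global_edit(dept, DEVICES))
```

Listing the devices that a global edit does not reach is the check to run after tightening a shared object, because those devices keep enforcing their overridden definition.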