6-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Working with Policy Objects—Basic Procedures
Device-level object overrides are especially important when the global object is included in the
definition of a VPN policy, which applies to every device in the VPN topology. For example, you select
a PKI enrollment object when defining a PKI policy on a site-to-site VPN. If the hub of your VPN uses
a different CA server than the spokes, you must use device-level overrides to specify the CA server used
by the hub. Although the PKI policy references a single PKI enrollment object, the actual CA server
represented by this object will differ for the hub, based on the device-level override you define.
You can quickly tell whether an object can be overridden by looking at the Overrides column in the objects
table in the Policy Object Manager, page 6-4. The presence of the column indicates that the object type
allows overrides; a green checkmark indicates that you can create overrides for that particular object.
Related Topics
Allowing a Policy Object to Be Overridden, page 6-18
Creating or Editing Object Overrides for a Single Device, page 6-18
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19
Deleting Device-Level Object Overrides, page 6-21
Allowing a Policy Object to Be Overridden
To create overrides for an object, the object must allow overrides. Not all object types allow overrides.
For those that do allow overrides, you define the object as allowing overrides by selecting Allow Value
Override per Device when defining the object. After selecting this option, you must click OK to save
the object before you can define any overrides. For more information on creating objects, see Creating
Policy Objects, page 6-9.
You can also configure Security Manager to create device-level overrides for existing objects when you
discover policies on devices that you add to the inventory. During discovery, if Security Manager
determines that an existing object applies to a discovered policy, but that it is not a perfect fit, the object
is used but a device-level override is created to account for the difference. For example, if you run policy
discovery on a device that has an ACL with the same name as an ACL policy object in Security Manager,
the name of the discovered policy object is reused, but a device-level override is created for the object.
If you do not allow device-level overrides during discovery, a new policy object is created with a number
appended to the name; this is the default.
To configure Security Manager to allow device overrides during discovery, select Tools > Security
Manager Administration > Discovery and select Allow Device Override for Discovered Policy
Objects.
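The two behaviours described above, a global object whose effective value differs per device once an override exists (the hub/spoke PKI enrollment case), and the discovery-time rule for an object that collides by name but is not a perfect fit, are modelled below as an added Python illustration. This is not Cisco code and not Security Manager's implementation: the class names, the `_1` numbering suffix, and the sample object, device and CA server names are constructed assumptions chosen only to make the rules concrete.

```python
"""Model of device-level object overrides and the discovery name-collision rule.
Added illustration, not Security Manager code; all names and values are
constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class PolicyObject:
    """A global policy object such as a PKI enrollment or AAA server group."""
    name: str
    value: str                      # global definition, e.g. a CA server
    allow_override: bool = False    # the "Allow Value Override per Device" box
    overrides: dict = field(default_factory=dict)  # device name -> value


class ObjectStore:
    def __init__(self, allow_override_on_discovery=False):
        # Models Tools > Security Manager Administration > Discovery >
        # "Allow Device Override for Discovered Policy Objects" (default off).
        self.allow_override_on_discovery = allow_override_on_discovery
        self.objects = {}

    def add(self, obj):
        self.objects[obj.name] = obj

    def set_override(self, name, device, value):
        """Create a device-level override; only allowed if the object permits it."""
        obj = self.objects[name]
        if not obj.allow_override:
            raise ValueError(f"{name} does not allow device-level overrides")
        obj.overrides[device] = value

    def resolve(self, name, device):
        """Value a device actually receives: its own override if one exists,
        otherwise the global definition shared by every other device."""
        obj = self.objects[name]
        return obj.overrides.get(device, obj.value)

    def discover(self, device, name, value):
        """Apply the discovery rule to an object found on a device.
        Returns (object name used, what happened)."""
        existing = self.objects.get(name)
        if existing is None:
            self.add(PolicyObject(name, value))
            return name, "created"
        if existing.value == value:
            return name, "reused"            # perfect fit: reuse the object as-is
        if self.allow_override_on_discovery:
            # Assumption of this model: discovery marks the object as
            # overridable and records the difference for this device only.
            existing.allow_override = True
            existing.overrides[device] = value
            return name, "override"
        new_name = self._next_name(name)     # default: new object, number appended
        self.add(PolicyObject(new_name, value))
        return new_name, "renamed"

    def _next_name(self, name):
        # Suffix format is an assumption; the guide only says a number is appended.
        n = 1
        while f"{name}_{n}" in self.objects:
            n += 1
        return f"{name}_{n}"


def hub_and_spoke_demo():
    """The PKI example: one enrollment object in the VPN policy, a different
    CA server for the hub via an override, spokes keep the global value."""
    store = ObjectStore()
    store.add(PolicyObject("vpn-pki", "ca.spokes.example", allow_override=True))
    store.set_override("vpn-pki", "hub", "ca.hub.example")
    return {
        "hub": store.resolve("vpn-pki", "hub"),
        "spoke1": store.resolve("vpn-pki", "spoke1"),
    }


if __name__ == "__main__":
    print(hub_and_spoke_demo())
    s = ObjectStore(allow_override_on_discovery=False)
    s.add(PolicyObject("acl-inside", "permit ip any any"))
    print(s.discover("fw2", "acl-inside", "deny ip any any"))
```

The point the model makes explicit is that `resolve` is the only place a device's effective value is computed, so every consumer (here, the VPN policy) references one object name while the hub silently gets a different CA server. When reviewing a deployment it is therefore not enough to inspect the global object; the per-device override table is where the actual configuration diverges.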
Related Topics
Understanding Policy Object Overrides for Individual Devices, page 6-17
Creating or Editing Object Overrides for a Single Device, page 6-18
Creating or Editing Object Overrides for Multiple Devices At A Time, page 6-19
Deleting Device-Level Object Overrides, page 6-21
Creating or Editing Object Overrides for a Single Device
You can create or edit device-level object overrides from the Device Properties window.
An override specifies a definition for a global object that affects only the selected device. For example,
you can override the definition of an AAA server group object so that the object represents a different
group of AAA servers for one device than the group it represents for other devices.