User Guide for Cisco Security Manager 4.4
CONTENTS
Preface
Conventions
Getting Started with Security Manager
Product Overview
Primary Benefits of Cisco Security Manager
Security Manager Policy Feature Sets
Security Manager Applications Overview
Device Monitoring Overview
IPv6 Support in Security Manager
Policy Object Changes in Security Manager 4.4
Logging In to and Exiting Security Manager
Understanding User Permissions
Logging In to the Cisco Security Management Suite Server
Logging In to and Exiting the Security Manager Client
Using Configuration Manager - Overview
Configuration Manager Overview
Device View Overview
Policy View Overview
Map View Overview
Task Flow for Configuring Security Policies
Policy and Policy Object Overview
Workflow and Activities Overview
Working in Workflow Mode
Working in Non-Workflow Mode
Comparing Workflow Modes
Using the JumpStart to Learn About Security Manager
Completing the Initial Security Manager Configuration
Configuring an SMTP Server and Default Addresses for E-Mail Notifications
Changing Workflow Modes
Understanding Basic Security Manager Interface Features
Menu Bar Reference for Configuration Manager
File Menu (Configuration Manager)
Edit Menu (Configuration Manager)
View Menu (Configuration Manager)
Policy Menu (Configuration Manager)
Map Menu (Configuration Manager)
Manage Menu (Configuration Manager)
Tools Menu (Configuration Manager)
Activities Menu (Configuration Manager)
Tickets Menu (Configuration Manager)
Launch Menu (Configuration Manager)
Help Menu (Configuration Manager)
Toolbar Reference (Configuration Manager)
Using Global Search
Using Selectors
Filtering Items in Selectors
Create Filter Dialog Box
Using Wizards
Using Tables
Filtering Tables
Table Columns and Column Heading Features
Using Text Fields
Understanding ASCII Limitations for Text
Finding Text in Text Boxes
Navigating Within Text Boxes
Selecting or Specifying a File or Directory in Security Manager
Troubleshooting User Interface Problems
Accessing Online Help
Preparing Devices for Management
Understanding Device Communication Requirements
Setting Up SSL (HTTPS)
Setting Up SSL (HTTPS) on PIX Firewall, ASA and FWSM Devices
Setting Up SSL on Cisco IOS Routers
Setting Up SSH
Critical Line-Ending Conventions for SSH
Testing Authentication
Setting Up SSH on Cisco IOS Routers, Catalyst Switches, and Catalyst 6500/7600 devices
Preventing Non-SSH Connections (Optional)
Setting Up AUS or Configuration Engine
Setting Up AUS on PIX Firewall and ASA Devices
Setting Up CNS on Cisco IOS Routers in Event-Bus Mode
Setting Up CNS on Cisco IOS Routers in Call-Home Mode
Configuring Licenses on Cisco ASA Devices
Configuring Licenses on Cisco IOS Devices
Initializing IPS Devices
Managing the Device Inventory
Understanding the Device Inventory
Understanding the Device View
Understanding Device Names and What Is Considered a Device
Understanding Device Credentials
Understanding Device Properties
Adding Devices to the Device Inventory
Working with Generically Supported Devices
Working with Device Clusters
Adding Devices from the Network
Device Information Page - Add Device from Network
Service Module Credentials Dialog Box
IPS Module Discovery Dialog Box
Adding Devices from Configuration Files
Device Information Page - Configuration File
Adding Devices by Manual Definition
Device Information Page - New Device
Adding Devices from an Inventory File
Device Information Page - Add Device from File
Working with the Device Inventory
Adding, Editing, or Deleting Auto Update Servers or Configuration Engines
Server Properties Dialog Box
Available Servers Dialog Box
Adding or Changing Interface Modules
Viewing or Changing Device Properties
Device Properties: General Page
Device Credentials Page
RX-Boot Mode Credentials Dialog Box
SNMP Credentials Dialog Box
Device Groups Page
Cluster Information Page
Policy Object Override Pages
Changing Critical Device Properties
Image Version Changes That Do Not Change the Feature Set in Security Manager
Changes That Change the Feature Set in Security Manager
Showing Device Containment
Cloning a Device
Deleting Devices from the Security Manager Inventory
Device Delete Validation Dialog Box
Working with Device Groups
Understanding Device Grouping
Edit Device Groups Dialog Box
Creating Device Group Types
Creating Device Groups
Deleting Device Groups or Group Types
Adding Devices to or Removing Them From Device Groups
Working with Device Status View
Managing Activities
Understanding Activities
Benefits of Activities
Activity Approval
Activities and Locking
Activities and Multiple Users
Understanding Activity/Ticket States
Working with Activities/Tickets
The following topics provide information to help you use activities and configuration sessions:
Accessing Activity Functions in Workflow Mode
Accessing Ticket Functions in Non-Workflow Mode
Activity/Ticket Manager Window
Creating an Activity/Ticket
Responding to the Activity/Ticket Required Dialog Box
Opening an Activity/Ticket
Closing an Activity/Ticket
Viewing Change Reports
Selecting a Change Report in Non-Workflow Mode with Ticket Management Disabled
Validating an Activity/Ticket
Submitting an Activity for Approval (Workflow Mode with Activity Approver)
Approving or Rejecting an Activity (Workflow Mode)
Discarding an Activity/Ticket
Viewing Activity/Ticket Status and History
Managing Policies
Understanding Policies
Settings-Based Policies vs. Rule-Based Policies
Service Policies vs. Platform-Specific Policies
Local Policies vs. Shared Policies
Understanding Rule Inheritance
Inheritance vs. Assignment
Policy Management and Objects
Understanding Policy Locking
Understanding Locking and Policies
Understanding Locking and VPN Topologies
Understanding Locking and Objects
Customizing Policy Management for Routers and Firewall Devices
Discovering Policies
Discovering Policies on Devices Already in Security Manager
Create Discovery Task and Bulk Rediscovery Dialog Boxes
Viewing Policy Discovery Task Status
Discovery Status Dialog Box
Policy Discovery Status Page
Frequently Asked Questions about Policy Discovery
Managing Policies in Device View and the Site-to-Site VPN Manager
Policy Status Icons
Performing Basic Policy Management
Configuring Local Policies in Device View
Copying Policies Between Devices
Unassigning a Policy
Working with Shared Policies in Device View or the Site-to-Site VPN Manager
Using the Policy Banner
Policy Shortcut Menu Commands in Device View and the Site-to-Site VPN Manager
Sharing a Local Policy
Sharing Multiple Policies of a Selected Device
Unsharing a Policy
Assigning a Shared Policy to a Device or VPN Topology
Adding Local Rules to a Shared Policy
Inheriting or Uninheriting Rules
Cloning (Copying) a Shared Policy
Renaming a Shared Policy
Modifying Shared Policy Definitions in Device View or the Site-to-Site VPN Manager
Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager
Managing Shared Policies in Policy View
Policy View Selectors
Policy View - Shared Policy Selector Options
Creating a New Shared Policy
Modifying Policy Assignments in Policy View
Deleting a Shared Policy
Managing Policy Bundles
Creating a New Policy Bundle
Cloning a Policy Bundle
Renaming a Policy Bundle
Assigning Policy Bundles to Devices
Managing Policy Objects
Selecting Objects for Policies
Policy Object Manager
Policy Object Manager: Undocking and Docking
Policy Object Manager Shortcut Menu
Working with Policy Objects - Basic Procedures
Creating Policy Objects
Editing Objects
Using Category Objects
Cloning (Duplicating) Objects
Viewing Object Details
Generating Object Usage Reports
Deleting Objects
Managing Object Overrides
Understanding Policy Object Overrides for Individual Devices
Allowing a Policy Object to Be Overridden
Creating or Editing Object Overrides for a Single Device
Creating or Editing Object Overrides for Multiple Devices At A Time
Policy Object Overrides Window
Deleting Device-Level Object Overrides
Importing and Exporting Policy Objects
Understanding AAA Server and Server Group Objects
Supported AAA Server Types
Additional AAA Support on ASA, PIX, and FWSM Devices
Predefined AAA Authentication Server Groups
Default AAA Server Groups and IOS Devices
Creating AAA Server Objects
Add or Edit AAA Server Dialog Box
AAA Server Dialog Box - RADIUS Settings
AAA Server Dialog Box - TACACS+ Settings
AAA Server Dialog Box - Kerberos Settings
AAA Server Dialog Box - LDAP Settings
AAA Server Dialog Box - NT Settings
AAA Server Dialog Box - SDI Settings
AAA Server Dialog Box - HTTP-FORM Settings
Add and Edit LDAP Attribute Map Dialog Boxes
Add and Edit LDAP Attribute Map Value Dialog Boxes
Add and Edit Map Value Dialog Boxes
Creating AAA Server Group Objects
AAA Server Group Dialog Box
Creating Access Control List Objects
Creating Extended Access Control List Objects
Creating Standard Access Control List Objects
Creating Web Access Control List Objects
Creating Unified Access Control List Objects
Add or Edit Access List Dialog Boxes
Add and Edit Extended Access Control Entry Dialog Boxes
Add and Edit Standard Access Control Entry Dialog Boxes
Add and Edit Web Access Control Entry Dialog Boxes
Add and Edit Unified Access Control Entry Dialog Boxes
Configuring Time Range Objects
Recurring Ranges Dialog Box
Understanding Interface Role Objects
Creating Interface Role Objects
Interface Role Dialog Box
Specifying Interfaces During Policy Definition
Using Interface Roles When a Single Interface Specification is Allowed
Handling Name Conflicts between Interfaces and Interface Roles
Understanding Map Objects
Understanding Networks/Hosts Objects
Contiguous and Discontiguous Network Masks for IPv4 Addresses
Creating Networks/Hosts Objects
Add or Edit Network/Host Dialog Box
Using Unspecified Networks/Hosts Objects
Specifying IP Addresses During Policy Definition
Understanding Pool Objects
Add or Edit IPv4 Pool Dialog Box
Add or Edit IPv6 Pool Dialog Box
Add or Edit MAC Address Pool Dialog Box
Understanding and Specifying Services and Service and Port List Objects
Configuring Port List Objects
Configuring Service Objects
How Policy Objects are Provisioned as Object Groups
How Network/Host, Port List, and Service Objects are Named When Provisioned As Object Groups
How Service Objects are Provisioned as Object Groups
Managing FlexConfigs
Understanding FlexConfig Policies and Policy Objects
Using CLI Commands in FlexConfig Policy Objects
Using Scripting Language Instructions
Scripting Language Example 1: Looping
Scripting Language Example 2: Looping with Two-Dimensional Arrays
Object Body
Example 3: Looping with If/Else Statements
Object Body
CLI Output
Understanding FlexConfig Object Variables
Example of FlexConfig Policy Object Variables
FlexConfig System Variables
Predefined FlexConfig Policy Objects
Configuring FlexConfig Policies and Policy Objects
A FlexConfig Creation Scenario
Creating FlexConfig Policy Objects
Add or Edit FlexConfig Dialog Box
Create Text Object Dialog Box
Add or Edit Text Object Dialog Box
FlexConfig Undefined Variables Dialog Box
Property Selector Dialog Box
Editing FlexConfig Policies
FlexConfig Policy Page
Values Assignment Dialog Box
FlexConfig Preview Dialog Box
Troubleshooting FlexConfigs
Managing Deployment
Understanding Deployment
Overview of the Deployment Process
Deployment in Non-Workflow Mode
Deployment Task Flow in Non-Workflow Mode
Job States in Non-Workflow Mode
Deployment in Workflow Mode
Deployment Task Flow in Workflow Mode
Job States in Workflow Mode
Deployment Job Approval
Deployment Jobs and Multiple Users
Including Devices in Deployment Jobs or Schedules
Understanding Deployment Methods
Deploying Directly to a Device
Deploying to a Device through an Intermediate Server
Deploying to a File
Understanding How Out-of-Band Changes are Handled
Handling Device OS Version Mismatches
Overview of the Deployment Manager and Configuration Archive
Understanding What You Can Do with the Deployment Manager
Deployment Manager Window
Deployment Workflow Commentary Dialog Box
Deployment Schedules Tab, Deployment Manager
Configuration Archive Window
Working with Deployment and the Configuration Archive
Viewing Deployment Status and History for Jobs and Schedules
Tips for Successful Deployment Jobs
Deploying Configurations in Non-Workflow Mode
Edit Deploy Method Dialog Box
Warning - Partial VPN Deployment Dialog Box
Deployment Status Details Dialog Box
Deploying Configurations in Workflow Mode
Creating and Editing Deployment Jobs
Submitting Deployment Jobs
Approving and Rejecting Deployment Jobs
Deploying a Deployment Job in Workflow Mode
Discarding Deployment Jobs
Deploying Configurations Using an Auto Update Server or CNS Configuration Engine
Deploying Configurations to a Token Management Server
Previewing Configurations
Detecting and Analyzing Out of Band Changes
OOB (Out of Band) Changes Dialog Box
Redeploying Configurations to Devices
Aborting Deployment Jobs
Creating or Editing Deployment Schedules
Schedule Dialog Box
Add Other Devices Dialog Box
Suspending or Resuming Deployment Schedules
Adding Configuration Versions from a Device to the Configuration Archive
Viewing and Comparing Archived Configuration Versions
Configuration Version Viewer
Viewing Deployment Transcripts
Rolling Back Configurations
Understanding Configuration Rollback
Understanding Rollback for Devices in Multiple Context Mode
Understanding Rollback for Failover Devices
Understanding Rollback for Catalyst 6500/7600 Devices
Understanding Rollback for IPS and IOS IPS
Commands that Can Cause Conflicts after Rollback
Commands to Recover from Failover Misconfiguration after Rollback
Rolling Back Configurations to Devices Using the Deployment Manager
Using Rollback to Deploy Archived Configurations
Performing Rollback When Deploying to a File
Troubleshooting Device Communication and Deployment
Testing Device Connectivity
Device Connectivity Test Dialog Box
Managing Device Communication Settings and Certificates
Manually Adding SSL Certificates for Devices that Use HTTPS Communications
Security Certificate Rejected When Discovering Device
Invalid Certificate Error During Device Discovery
Troubleshooting SSH Connection Problems
Troubleshooting Device Communication Failures
Resolving Red X Marks in the Device Selector
Troubleshooting Deployment
Changing How Security Manager Responds to Device Messages
Memory Violation Deployment Errors for ASA 8.3+ Devices
Error While Attempting to Remove Unreferenced Object
Security Manager Unable to Communicate With Device After Deployment
Updating VPNs That Include Routing Processes
Mixing Deployment Methods with Router and VPN Policies
Deployment Failures for Routers
Deployment Failures for Catalyst Switches and Service Modules
Changing How Security Manager Deploys Configurations to Multiple-Context FWSM
Deployment Failures to Devices Managed by AUS
Troubleshooting the Setup of Configuration Engine-Managed Devices
Managing the Security Manager Server
Overview of Security Manager Server Management and Administration
Managing a Cluster of Security Manager Servers
Overview of Security Manager Server Cluster Management
Splitting a Security Manager Server
Synchronizing Shared Policies Among Security Manager Servers
Exporting the Device Inventory
Exporting the Device Inventory from the Security Manager Client
Supported CSV Formats for Inventory Import/Export
Exporting the Device Inventory from the Command Line
Exporting Shared Policies
Importing Policies or Devices
Installing Security Manager License Files
Certificate Trust Management
Working with Audit Reports
Understanding Audit Reports
Generating the Audit Report
Using the Audit Report Window
Purging Audit Log Entries
Taking Over Another User's Work
Changing Passwords for the Admin or Other Users
Backing up and Restoring the Security Manager Database
Backing Up the Server Database
Restoring the Server Database
Generating Data for the Cisco Technical Assistance Center
Creating a Diagnostics File for the Cisco Technical Assistance Center
Generating Deployment or Discovery Status Reports
Generating a Partial Database Backup for the Cisco Technical Assistance Center
Configuring Security Manager Administrative Settings
API Settings Page
AutoLink Settings Page
Configuration Archive Page
CS-MARS Page
New or Edit CS-MARS Device Dialog Box
Customize Desktop Page
Debug Options Page
Deployment Page
Device Communication Page
Add Certificate Dialog Box
Device Groups Page
Discovery Page
Event Management Page
Health and Performance Monitoring Page
Identity Settings Page
Image Manager Page
IPS Updates Page
Edit Update Server Settings Dialog Box
Edit Auto Update Settings Dialog Box
Edit Signature Download Filter Settings Dialog Box
ISE Settings Page
Licensing Page
CSM Tab, Licensing Page
IPS Tab, Licensing Page
Verifying IPS Devices for License Update or Redeployment
Selecting IPS License Files
License Update Status Details Dialog Box
Logs Page
Policy Management Page
Policy Objects Page
Rule Expiration Page
Server Security Page
Take Over User Session Page
Ticket Management Page
Token Management Page
VPN Policy Defaults Page
Workflow Page
Wall Settings Page
Introduction to Firewall Services
Overview of Firewall Services
Understanding the Processing Order of Firewall Rules
Understanding How NAT Affects Firewall Rules
ACL Names Preserved by Security Manager
ACL Naming Conventions
Resolving ACL Name Conflicts Between Policies
Managing Your Rules Tables
Using Rules Tables
Adding and Removing Rules
Editing Rules
Adding or Editing Address Cells in Rules Tables
Adding or Editing User Cells in Rules Tables
Adding or Editing Services Cells in Rules Tables
Adding or Editing Interfaces or Zones Cells in Rules Tables
Editing Category Cells in Rules Tables
Editing Description Cells in Rules Tables
Showing the Contents of Cells in Rules Tables
Finding and Replacing Items in Rules Tables
Find and Replace Dialog Box
Moving Rules and the Importance of Rule Order
Enabling and Disabling Rules
Using Sections to Organize Rules Tables
Add and Edit Rule Section Dialog Boxes
Combining Rules
Combine Rules Selection Summary Dialog Box
Interpreting Rule Combiner Results
Example Rule Combiner Results
Converting IPv4 Rules to Unified Rules
Generating Policy Query Reports
Querying Device or Policy Dialog Box
Interpreting Policy Query Results
Example Policy Query Result
Optimizing Network Object Groups When Deploying Firewall Rules
Expanding Object Groups During Discovery
Managing Identity-Aware Firewall Policies
Overview of Identity-Aware Firewall Policies
User Identity Acquisition
Requirements for Identity-Aware Firewall Policies
Configuring the Firewall to Provide Identity-Aware Services
Configuring Identity-Aware Firewall Policies
Enabling Identity-Aware Firewall Services
Identifying Active Directory Servers and Agents
Domain AD Server Dialog Box
Identity Configuration Wizard - Active Directory Settings
Identity Configuration Wizard - Active Directory Agent
Identity Configuration Wizard - Preview
Configuring Identity Options
Creating Identity User Group Objects
Selecting Identity Users in Policies
Configuring Identity-Based Firewall Rules
Configuring Cut-Through Proxy
Collecting User Statistics
Filtering VPN Traffic with Identity-Based Rules
Monitoring Identity Firewall Policies
Managing TrustSec Firewall Policies
Overview of TrustSec Firewall Policies
Understanding SGT and SXP Support in Cisco TrustSec
Roles in the Cisco TrustSec Solution
Security Group Policy Enforcement
About Speaker and Listener Roles
Prerequisites for Integrating an ASA with Cisco TrustSec
Configuring TrustSec Firewall Policies
Configuring Cisco TrustSec Services
Configuring Security Exchange Protocol (SXP) Settings
Defining SXP Connection Peers
Add/Edit Connection Peer Dialog Box
Creating Security Group Objects
Selecting Security Groups in Policies
Configuring TrustSec-Based Firewall Rules
Monitoring TrustSec Firewall Policies
Managing Firewall AAA Rules
Understanding AAA Rules
Understanding How Users Authenticate
Configuring AAA Rules for ASA, PIX, and FWSM Devices
Configuring AAA Rules for IOS Devices
AAA Rules Page
Add and Edit AAA Rule Dialog Boxes
Edit AAA Option Dialog Box
AuthProxy Dialog Box
Edit Server Group Dialog Box
AAA Firewall Settings Policies
AAA Firewall Settings Page, Advanced Setting Tab
Interactive Authentication Configuration Dialog Box
Clear Connection Configuration Dialog Box
AAA Firewall Page, MAC-Exempt List Tab
Firewall AAA MAC Exempt Setting Dialog Box
AAA Page
Firewall AAA IOS Timeout Value Setting
Managing Firewall Access Rules
Understanding Access Rules
Understanding Global Access Rules
Understanding Device Specific Access Rule Behavior
Understanding Access Rule Address Requirements and How Rules Are Deployed
Configuring Access Rules
Access Rules Page
Add and Edit Access Rule Dialog Boxes
Advanced and Edit Options Dialog Boxes
Hit Count Selection Summary Dialog Box
Configuring Expiration Dates for Access Rules
Configuring Settings for Access Control
Access Control Settings Page
Firewall ACL Setting Dialog Box
Using Automatic Conflict Detection
Understanding Automatic Conflict Detection
Understanding the Automatic Conflict Detection User Interface
Resolving Conflicts
Viewing Hit Count Details
Sample Hit Count Details Window
Importing Rules
Import Rules Wizard - Enter Parameters Page
Import Rules Wizard - Status Page
Import Rules Wizard - Preview Page
Examples of Imported Rules
Optimizing Access Rules Automatically During Deployment
Managing Firewall Inspection Rules
Understanding Inspection Rules
Choosing the Interfaces for Inspection Rules
Selecting Which Protocols To Inspect
Understanding Access Rule Requirements for Inspection Rules
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices
Configuring Inspection Rules
Inspection Rules Page
Add or Edit Inspect/Application FW Rule Wizard
Add or Edit Inspect/Application FW Rule Wizard, Step 2
Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page
Configure DNS Dialog Box
Configure SMTP Dialog Box
Configure ESMTP Dialog Box
Configure Fragments Dialog Box
Configure IMAP or POP3 Dialog Boxes
Configure RPC Dialog Box
Custom Protocol Dialog Box
Configure Dialog Box
Configuring Protocols and Maps for Inspection
Configuring Class Maps for Inspection Policies
Configuring DCE/RPC Maps
Configuring DNS Maps
DNS Map Protocol Conformance Tab
DNS Map Filtering Tab
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Configuring ESMTP Maps
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Configuring FTP Maps
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Configuring GTP Maps
Add and Edit Country Network Codes Dialog Boxes
Add and Edit Permit Response Dialog Boxes
GTP Map Timeouts Dialog Box
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Configuring H.323 Maps
Add or Edit HSI Group Dialog Boxes
Add or Edit HSI Endpoint IP Address Dialog Boxes
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices
HTTP Map General Tab
HTTP Map Entity Length Tab
HTTP Map RFC Request Method Tab
HTTP Map Extension Request Method Tab
HTTP Map Port Misuse Tab
HTTP Map Transfer Encoding Tab
Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices
Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Configuring IM Maps for IOS Devices
Configuring IP Options Maps
Configuring IPv6 Maps
IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Configuring IPsec Pass Through Maps
Configuring NetBIOS Maps
Configuring ScanSafe Maps
Configuring SIP Maps
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Configuring Skinny Maps
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Configuring SNMP Maps
Configuring Regular Expression Groups
Configuring Regular Expressions for Inspection Maps
Metacharacters Used to Build Regular Expressions
Configuring Settings for Inspection Rules for IOS Devices
Managing Firewall Web Filter Rules
Understanding Web Filter Rules
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices
Web Filter Rules Page (ASA/PIX/FWSM)
Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes
Edit Web Filter Type Dialog Box
Edit Web Filter Options Dialog Box
Configuring Web Filter Rules for IOS Devices
Web Filter Rules Page (IOS)
IOS Web Filter Rule and Applet Scanner Dialog Box
IOS Web Filter Exclusive Domain Name Dialog Box
Configuring Settings for Web Filter Servers
Web Filter Settings Page
Web Filter Server Configuration Dialog Box
Managing Firewall Botnet Traffic Filter Rules
Understanding Botnet Traffic Filtering
Task Flow for Configuring the Botnet Traffic Filter
Configuring the Dynamic Database
Adding Entries to the Static Database
Enabling DNS Snooping
Enabling Traffic Classification and Actions for the Botnet Traffic Filter
Botnet Traffic Filter Rules Page
Dynamic Blacklist Configuration Tab
Traffic Classification Tab
BTF Enable Rules Editor
BTF Drop Rules Editor
Whitelist/Blacklist Tab
Device Whitelist or Device Blacklist Dialog Box
Working with ScanSafe Web Security
Configuring ScanSafe Web Security
ScanSafe Web Security Page
Add and Edit Default User Groups Dialog Box
ScanSafe Web Security Settings Page
Managing Zone-based Firewall Rules
Understanding the Zone-based Firewall Rules
The Self Zone
Using VPNs with Zone-based Firewall Policies
Zones and VRF-aware Firewalls
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules
Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules
General Recommendations for Zone-based Firewall Rules
Developing and Applying Zone-based Firewall Rules
Adding Zone-Based Firewall Rules
Configuring Inspection Maps for Zone-based Firewall Policies
Configuring Class Maps for Zone-Based Firewall Policies
Zone-based Firewall IM Application Class Maps: Add or Edit Match Condition Dialog Boxes
Zone-based Firewall P2P Application Class Maps: Add or Edit Match Condition Dialog Boxes
H.323 (IOS) Class Maps Add or Edit Match Criterion Dialog Boxes
HTTP (IOS) Class Add or Edit Match Criterion Dialog Boxes
IMAP and POP3 Class Maps Add or Edit Match Criterion Dialog Boxes
SIP (IOS) Class Add or Edit Match Criterion Dialog Boxes
SMTP Class Maps Add or Edit Match Criterion Dialog Boxes
Sun RPC Class Maps Add or Edit Match Criterion Dialog Boxes
Local Web Filter Class Add or Edit Match Criterion Dialog Boxes
N2H2 and Websense Class Add or Edit Match Criterion Dialog Boxes
Configuring Inspect Parameter Maps
Configuring Protocol Info Parameter Maps
Add or Edit DNS Server for Protocol Info Parameters Dialog Box
Configuring Policy Maps for Zone-Based Firewall Policies
Add or Edit Match Condition and Action Dialog Boxes for Zone-Based Firewall and Web Filter Policies
Configuring Content Filtering Maps for Zone-based Firewall Policies
Configuring Local Web Filter Parameter Maps
Configuring N2H2 or WebSense Parameter Maps
Add or Edit External Filter Dialog Box
Configuring Trend Parameter Maps
Configuring URL Filter Parameter Maps
Add or Edit URL Domain Name Dialog Box for URL Filter Parameters
Configuring URLF Glob Parameter Maps
Configuring Web Filter Maps
Changing the Default Drop Behavior
Configuring Settings for Zone-based Firewall Rules
Zone Based Firewall Page
Zone Based Firewall Page - Content Filter Tab
Zone Dialog Box
Troubleshooting Zone-based Rules and Configurations
Zone-based Firewall Rules Page
Adding and Editing Zone-based Firewall Rules
Zone-based Firewall Rule: Advanced Options Dialog Box
Protocol Selector Dialog Box
Configure Protocol Dialog Box
Managing Transparent Firewall Rules
Configuring Transparent Firewall Rules
Transparent Rules Page
Add and Edit Transparent Firewall Rule Dialog Boxes
Edit Transparent EtherType Dialog Box
Edit Transparent Mask Dialog Box
Configuring Network Address Translation
Understanding Network Address Translation
Types of Address Translation
About Simplified NAT on ASA 8.3+ Devices
NAT Policies on Cisco IOS Routers
NAT Page: Interface Specification
NAT Page: Static Rules
NAT Static Rule Dialog Boxes
Disabling the Payload Option for Overlapping Networks
NAT Page: Dynamic Rules
NAT Dynamic Rule Dialog Box
NAT Page: Timeouts
NAT Policies on Security Devices
NAT in Transparent Mode
Translation Options Page
Configuring NAT on PIX, FWSM, and pre-8.3 ASA Devices
Address Pools
Address Pool Dialog Box
Translation Rules: PIX, FWSM, and pre-8.3 ASA
Translation Exemptions (NAT 0 ACL)
Add/Edit Translation Exemption (NAT-0 ACL) Rule Dialog Box
Dynamic Rules Tab
Add/Edit Dynamic Translation Rule Dialog Box
Select Address Pool Dialog Box
Policy Dynamic Rules Tab
Add/Edit Policy Dynamic Rules Dialog Box
Static Rules Tab
Add/Edit Static Rule Dialog Box
Edit Translated Address Dialog Box
Advanced NAT Options Dialog Box
General Tab
Configuring NAT on ASA 8.3+ Devices
Translation Rules: ASA 8.3+
Add and Edit NAT Rule Dialog Boxes
PAT Pools and Round Robin Allocation
Add or Edit Network/Host Dialog Box: NAT Tab
Per-Session NAT Rules: ASA 9.0(1)+
Add and Edit Per Session NAT Rule Dialog Boxes
Managing Site-to-Site VPNs: The Basics
Understanding VPN Topologies
Hub-and-Spoke VPN Topologies
Point-to-Point VPN Topologies
Full Mesh VPN Topologies
Implicitly Supported Topologies
Understanding IPsec Technologies and Policies
Understanding Mandatory and Optional Policies for Site-to-Site VPNs
Overview of Site-to-Site VPN Policies
Understanding Devices Supported by Each IPsec Technology
Including Unmanaged or Non-Cisco Devices in a VPN
Understanding and Configuring VPN Default Policies
Using Device Overrides to Customize VPN Policies
Understanding VRF-Aware IPsec
VRF-Aware IPsec One-Box Solution
VRF-Aware IPsec Two-Box Solution
Enabling and Disabling VRF on Catalyst Switches and 7600 Devices
Accessing Site-to-Site VPN Topologies and Policies
Site-to-Site VPN Manager Window
Configuring VPN Topologies in Device View
Site-To-Site VPN Discovery
Supported and Unsupported Technologies and Topologies for VPN Discovery
Prerequisites for VPN Discovery
VPN Discovery Rules
Discovering Site-to-Site VPNs
Defining or Repairing Discovered VPNs with Multiple Spoke Definitions
Rediscovering Site-to-Site VPNs
Creating or Editing VPN Topologies
Defining the Name and IPsec Technology of a VPN Topology
Selecting Devices for Your VPN Topology
Defining the Endpoints and Protected Networks
Configuring VPN Interface Endpoint Settings
Configuring Dial Backup
Dial Backup Settings Dialog Box
Configuring VPNSM or VPN SPA/VSPA Endpoint Settings
Identifying the Protected Networks for Endpoints
Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPNSPA/VSPA
Configuring VRF Aware IPsec Settings
Configuring High Availability in Your VPN Topology
Defining GET VPN Group Encryption
Add Certificate Filter Dialog Box
Add New or Edit Security Association Dialog Box
Defining GET VPN Peers
Assigning Initial Policies (Defaults) to a New VPN Topology
Viewing a Summary of a VPN Topology's Configuration
Creating or Editing Extranet VPNs
Deleting a VPN Topology
Configuring IKE and IPsec Policies
Overview of IKE and IPsec Configurations
Comparing IKE Version 1 and 2
Understanding IKE
Deciding Which Encryption Algorithm to Use
Deciding Which Hash Algorithm to Use
Deciding Which Diffie-Hellman Modulus Group to Use
Deciding Which Authentication Method to Use
Configuring an IKE Proposal
Configuring IKEv1 Proposal Policy Objects
Configuring IKEv2 Proposal Policy Objects
Understanding IPsec Proposals
Understanding IPsec Proposals for Site-to-Site VPNs
Understanding Crypto Maps
Understanding Transform Sets
Understanding Reverse Route Injection
Configuring IPsec Proposals in Site-to-Site VPNs
Selecting the IKE Version for Devices in Site-to-Site VPNs
Configuring IPSec IKEv1 or IKEv2 Transform Set Policy Objects
Configuring VPN Global Settings
Configuring VPN Global ISAKMP/IPsec Settings
Configuring VPN Global IKEv2 Settings
Understanding NAT in VPNs
Configuring VPN Global NAT Settings
Configuring VPN Global General Settings
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs
Configuring IKEv1 Preshared Key Policies
Understanding Public Key Infrastructure Policies
Requirements for Successful PKI Enrollment
Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs
Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs
Configuring Public Key Infrastructure Policies for Remote Access VPNs
PKI Enrollment Dialog Box
PKI Enrollment Dialog Box - CA Information Tab
PKI Enrollment Dialog Box - Enrollment Parameters Tab
PKI Enrollment Dialog Box - Certificate Subject Name Tab
PKI Enrollment Dialog Box - Trusted CA Hierarchy Tab
Configuring IKEv2 Authentication in Site-to-Site VPNs
IKEv2 Authentication Policy
IKEv2 Authentication (Override) Dialog Box
GRE and DM VPNs
Understanding the GRE Modes Page
GRE and Dynamic GRE VPNs
Understanding GRE
Advantages of IPsec Tunneling with GRE
How Does Security Manager Implement GRE?
Prerequisites for Successful Configuration of GRE
Understanding GRE Configuration for Dynamically Addressed Spokes
Configuring IPsec GRE VPNs
Configuring GRE Modes for GRE or GRE Dynamic IP VPNs
Dynamic Multipoint VPNs (DMVPN)
Understanding DMVPN
Enabling Spoke-to-Spoke Connections in DMVPN Topologies
Advantages of DMVPN with GRE
Configuring DMVPN
Configuring GRE Modes for DMVPN
Configuring Large Scale DMVPNs
Configuring Server Load Balancing in Large Scale DMVPN
Edit Load Balancing Parameters Dialog Box
Easy VPN
Understanding Easy VPN
Easy VPN with Dial Backup
Easy VPN with High Availability
Easy VPN with Dynamic Virtual Tunnel Interfaces
Easy VPN Configuration Modes
Easy VPN and IKE Extended Authentication (Xauth)
Overview of Configuring Easy VPN
Important Notes About Easy VPN Configuration
Configuring Client Connection Characteristics for Easy VPN
Configuring Credentials Policy Objects
Configuring an IPsec Proposal for Easy VPN
Configuring Dynamic VTI for Easy VPN
Configuring a Connection Profile Policy for Easy VPN
Configuring a User Group Policy for Easy VPN
Group Encrypted Transport (GET) VPNs
Understanding Group Encrypted Transport (GET) VPNs
Understanding the GET VPN Registration Process
Choosing the Rekey Transport Mechanism
Configuring Redundancy Using Cooperative Key Servers
Configuring Fail-Close to Protect Registration Failures
Understanding the GET VPN Security Policy and Security Associations
Understanding Time-Based Anti-Replay
Configuring GET VPN
Generating and Synchronizing RSA Keys
Configuring the IKE Proposal for GET VPN
Configuring Global Settings for GET VPN
Configuring GET VPN Key Servers
Add Key Server, Group Member Dialog Box
Edit Key Server Dialog Box
Configuring GET VPN Group Members
Edit Group Member Dialog Box
Using Passive Mode to Migrate to GET VPN
Troubleshooting GET VPN Configurations
Managing Remote Access VPNs: The Basics
Understanding Remote Access VPNs
Understanding Remote Access IPSec VPNs
Understanding Remote Access SSL VPNs
Remote Access SSL VPN Example
SSL VPN Access Modes
Understanding and Managing SSL VPN Support Files
Prerequisites for Configuring SSL VPNs
SSL VPN Limitations
Understanding Devices Supported by Each Remote Access VPN Technology
Overview of Remote Access VPN Policies
Discovering Remote Access VPN Policies
Using the Remote Access VPN Configuration Wizard
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA
SSL VPN Configuration Wizard - Access Page (ASA)
SSL VPN Configuration Wizard - Connection Profile Page (ASA)
Creating User Groups with the Create Group Policy Wizard
Create Group Policy Wizard - Full Tunnel Page
Create Group Policy Wizard - Clientless and Thin Client Access Modes Page
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA and PIX 7.0+ Devices)
Remote Access VPN Configuration Wizard - IPSec VPN Connection Profile Page (ASA)
Remote Access VPN Configuration Wizard - IPSec Settings Page (ASA)
Remote Access VPN Configuration Wizard - Defaults Page
Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS
SSL VPN Configuration Wizard - Gateway and Context Page (IOS)
SSL VPN Configuration Wizard - Portal Page Customization Page (IOS)
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS and PIX 6.3 Devices)
Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Overview of Remote Access VPN Policies for ASA and PIX 7.0+ Devices
Understanding Cluster Load Balancing (ASA)
Configuring Cluster Load Balance Policies (ASA)
Configuring Connection Profiles (ASA, PIX 7.0+)
Connection Profiles Page
General Tab (Connection Profiles)
Add/Edit Interface Specific Client Address Pools Dialog Box
AAA Tab (Connection Profiles)
Add/Edit Interface Specific Authentication Server Groups Dialog Box
Secondary AAA Tab (Connection Profiles)
IPSec Tab (Connection Profiles)
IPSec Client Software Update Dialog Box
SSL Tab (Connection Profiles)
Add/Edit Connection Alias Dialog Box
Add/Edit Connection URL Dialog Box
Configuring Group Policies for Remote Access VPNs
Understanding Group Policies (ASA)
Creating Group Policies (ASA, PIX 7.0+)
Understanding SSL VPN Server Verification (ASA)
Configuring Trusted Pool Settings (ASA)
Using the Trustpool Manager
Working with IPSec VPN Policies
Configuring Certificate to Connection Profile Map Policies (ASA)
Configuring Certificate to Connection Profile Map Rules (ASA)
Map Rule Dialog Box (Upper Table)
Map Rule Dialog Box (Lower Table)
Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+
IPsec Proposal Editor (ASA, PIX 7.0+ Devices)
Working with SSL and IKEv2 IPSec VPN Policies
Understanding SSL VPN Access Policies (ASA)
SSL VPN Access Policy Page
Access Interface Configuration Dialog Box
Configuring an Access Policy
Configuring Other SSL VPN Settings (ASA)
Configuring SSL VPN Performance Settings (ASA)
Configuring SSL VPN Content Rewrite Rules (ASA)
Add/Edit Content Rewrite Dialog Box
Configuring SSL VPN Encoding Rules (ASA)
Configuring SSL VPN Proxies and Proxy Bypass (ASA)
Add or Edit Proxy Bypass Dialog Box
Configuring SSL VPN Browser Plug-ins (ASA)
Understanding SSL VPN AnyConnect Client Settings
Cisco AnyConnect Profile Editor
Configuring SSL VPN AnyConnect Client Settings (ASA)
Add/Edit AnyConnect Client Image Dialog Box
Understanding Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)
Configuring Kerberos Constrained Delegation (KCD) for SSL VPN (ASA)
Configuring AnyConnect Custom Attributes (ASA)
Add/Edit AnyConnect Custom Attribute Dialog Box
Configuring SSL VPN Advanced Settings (ASA)
Configuring SSL VPN Server Verification (ASA)
Configuring SSL VPN Shared Licenses (ASA 8.2+)
Configuring an ASA Device as a Shared License Client
Configuring an ASA Device as a Shared License Server
Customizing Clientless SSL VPN Portals
Configuring ASA Portal Appearance Using SSL VPN Customization Objects
Localizing SSL VPN Web Pages for ASA Devices
Creating Your Own SSL VPN Logon Page for ASA Devices
Configuring SSL VPN Bookmark Lists for ASA and IOS Devices
Using the Post URL Method and Macro Substitutions in SSL VPN Bookmarks
Configuring SSL VPN Smart Tunnels for ASA Devices
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs
Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)
Understanding Dynamic Access Policies
Configuring Dynamic Access Policies
Understanding DAP Attributes
Configuring DAP Attributes
Configuring Cisco Secure Desktop Policies on ASA Devices
Dynamic Access Page (ASA)
Add/Edit Dynamic Access Policy Dialog Box
Main Tab
Add/Edit DAP Entry Dialog Box
Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco
Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP
Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS
Add/Edit DAP Entry Dialog Box > Anti-Spyware
Add/Edit DAP Entry Dialog Box > Anti-Virus
Add/Edit DAP Entry Dialog Box > AnyConnect Identity
Add/Edit DAP Entry Dialog Box > Application
Add/Edit DAP Entry Dialog Box > Device
Add/Edit DAP Entry Dialog Box > File
Add/Edit DAP Entry Dialog Box > NAC
Add/Edit DAP Entry Dialog Box > Operating System
Add/Edit DAP Entry Dialog Box > Personal Firewall
Add/Edit DAP Entry Dialog Box > Policy
Add/Edit DAP Entry Dialog Box > Process
Add/Edit DAP Entry Dialog Box > Registry
Logical Operations Tab
Advanced Expressions Tab
Cisco Secure Desktop Manager Policy Editor Dialog Box
Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Overview of Remote Access VPN Policies for IOS and PIX 6.3 Devices
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices)
IPsec Proposal Editor (IOS, PIX 6.3 Devices)
VPNSM/VPN SPA/VSPA Settings Dialog Box
Configuring Dynamic VTI/VRF Aware IPsec in Remote Access VPNs (IOS
Configuring High Availability in Remote Access VPNs (IOS)
Configuring User Group Policies
Configuring an SSL VPN Policy (IOS)
SSL VPN Context Editor Dialog Box (IOS)
General Tab
Creating Cisco Secure Desktop Configuration Objects
Configuring Policy Objects for Remote Access VPNs
ASA Group Policies Dialog Box
ASA Group Policies Client Configuration Settings
ASA Group Policies Client Firewall Attributes
ASA Group Policies Hardware Client Attributes
ASA Group Policies IPSec Settings
Add or Edit Client Access Rules Dialog Box
ASA Group Policies SSL VPN Clientless Settings
Add or Edit VDI Server Dialog Box
ASA Group Policies SSL VPN Full Client Settings
ASA Group Policies SSL VPN Settings
Add or Edit Auto Signon Rules Dialog Box
ASA Group Policies DNS/WINS Settings
ASA Group Policies Split Tunneling Settings
ASA Group Policies Connection Settings
Add or Edit Secure Desktop Configuration Dialog Box
Add and Edit File Object Dialog Boxes
File Object Choose a file Dialog Box
Add or Edit Port Forwarding List Dialog Boxes
Add or Edit A Port Forwarding Entry Dialog Box
Add or Edit Single Sign On Server Dialog Boxes
Add or Edit Bookmarks Dialog Boxes
Add and Edit Bookmark Entry Dialog Boxes
Add and Edit Post Parameter Dialog Boxes
Add and Edit SSL VPN Customization Dialog Boxes
SSL VPN Customization Dialog Box - Title Panel
SSL VPN Customization Dialog Box - Language
Add and Edit Language Dialog Boxes
SSL VPN Customization Dialog Box - Logon Form
SSL VPN Customization Dialog Box - Informational Panel
SSL VPN Customization Dialog Box - Copyright Panel
SSL VPN Customization Dialog Box - Full Customization
SSL VPN Customization Dialog Box - Toolbar
SSL VPN Customization Dialog Box - Applications
SSL VPN Customization Dialog Box - Custom Panes
Add and Edit Column Dialog Boxes
Add or Edit Custom Pane Dialog Boxes
SSL VPN Customization Dialog Box - Home Page
SSL VPN Customization Dialog Box - Logout Page
Add or Edit SSL VPN Gateway Dialog Box
Add and Edit Smart Tunnel List Dialog Boxes
Add and Edit A Smart Tunnel Entry Dialog Boxes
Add and Edit Smart Tunnel Auto Signon List Dialog Boxes
Add and Edit Smart Tunnel Auto Signon Entry Dialog Boxes
Add or Edit User Group Dialog Box
User Group Dialog Box - General Settings
User Group Dialog Box - DNS/WINS Settings
User Group Dialog Box - Split Tunneling
User Group Dialog Box - IOS Client Settings
User Group Dialog Box - IOS Xauth Options
User Group Dialog Box - IOS Client VPN Software Update
Add/Edit Client Update Dialog Box
User Group Dialog Box - Advanced PIX Options
User Group Dialog Box - Clientless Settings
User Group Dialog Box - Thin Client Settings
User Group Dialog Box - SSL VPN Full Tunnel Settings
User Group Dialog Box - SSL VPN Split Tunneling
User Group Dialog Box - Browser Proxy Settings
User Group Dialog Box - SSL VPN Connection Settings
Add or Edit WINS Server List Dialog Box
Add or Edit WINS Server Dialog Box
Using Map View
Understanding Maps and Map View
Understanding the Map View Main Page
Map Toolbar
Using the Navigation Window
Maps Context Menus
Managed Device Node Context Menu
Multiple Selected Nodes Context Menu
VPN Connection Context Menu
Layer 3 Link Context Menu
Map Object Context Menu
Map Background Context Menu
Access Permissions for Maps
Working With Maps
Creating New or Default Maps
Opening Maps
Saving Maps
Deleting Maps
Exporting Maps
Arranging Map Elements
Panning, Centering, and Zooming Maps
Selecting Map Elements
Searching for Map Nodes
Using Linked Maps
Setting the Map Background Properties
Displaying Your Network on the Map
Understanding Map Elements
Displaying Managed Devices on the Map
Showing Containment of Catalyst Switches, Firewalls, and Adaptive Security Appliances
Using Map Objects To Represent Network Topology
Add Map Object and Node Properties Dialog Boxes
Select Policy Object Dialog Box
Interface Properties Dialog Box
Creating and Managing Layer 3 Links on the Map
Select Interfaces and Link Properties Dialog Boxes
Add Link Dialog Box
Managing VPNs in Map View
Displaying Existing VPNs on the Map
Creating VPN Topologies in Map View
Editing VPN Policies or Peers From the Map
Managing Device Policies in Map View
Performing Basic Policy Management in Map View
Managing Firewall Policies in Map View
Managing Firewall Settings in Map View
Getting Started with IPS Configuration
Understanding IPS Network Sensing
Capturing Network Traffic
Correctly Deploying the Sensor
Tuning the IPS
Overview of IPS Configuration
Identifying Allowed Hosts
Configuring SNMP
General SNMP Configuration Options
SNMP Trap Configuration Tab
SNMP Trap Communication Dialog Box
Managing User Accounts and Password Requirements
Understanding IPS User Roles
Understanding Managed and Unmanaged IPS Passwords
Understanding How IPS Passwords are Discovered and Deployed
Configuring IPS User Accounts
Add User and Edit User Credentials Dialog Boxes
Configuring User Password Requirements
Configuring AAA Access Control for IPS Devices
Identifying an NTP Server
Identifying DNS Servers
Identifying an HTTP Proxy Server
Configuring the External Product Interface
External Product Interface Dialog Box
Posture ACL Dialog Box
Configuring IPS Logging Policies
IPS Health Monitor
Configuring IPS Security Settings
Managing IPS Device Interfaces
Understanding Interfaces
Understanding Interface Modes
Promiscuous Mode
Inline Interface Mode
Inline VLAN Pair Mode
VLAN Group Mode
Deploying VLAN Groups
Configuring Interfaces
Understanding the IPS Interfaces Policy
Viewing a Summary of IPS Interface Configuration
Configuring Physical Interfaces
Modify Physical Interface Map Dialog Box
Configuring Bypass Mode
Configuring CDP Mode
Configuring Inline Interface Pairs
Configuring Inline VLAN Pairs
Configuring VLAN Groups
Configuring Virtual Sensors
Understanding the Virtual Sensor
Advantages and Restrictions of Virtualization
Inline TCP Session Tracking Mode
Understanding Normalizer Mode
Assigning Interfaces to Virtual Sensors
Identifying the Virtual Sensors for a Device
Defining A Virtual Sensor
Virtual Sensor Dialog Box
Editing Policies for a Virtual Sensor
Deleting A Virtual Sensor
Defining IPS Signatures
Understanding Signatures
Obtaining Detailed Information About a Signature
Understanding Signature Inheritance
IPS Signature Purge
Configuring Signatures
Signatures Page
Signature Shortcut Menu
Edit, Add, Replace Action Dialog Boxes
Edit Fidelity Dialog Box
Viewing Signature Update Levels
Enabling and Disabling Signatures
Editing Signatures
Edit Signature or Add Custom Signature Dialog Boxes
Adding Custom Signatures
Engine Options
Cloning Signatures
Editing Signature Parameters (Tuning Signatures)
Edit Signature Parameters Dialog Box
Editing the Component List for Meta Engine Signatures
Obsoletes Dialog Box
Configuring Signature Settings
Configuring Event Action Rules
Understanding the IPS Event Action Process
Understanding IPS Event Actions
Configuring Event Action Filters
Tips for Managing Event Action Filter Rules
Event Action Filters Page
Filter Item Dialog Box
Configuring Event Action Overrides
Event Action Override Dialog Box
Configuring IPS Event Action Network Information
Configuring Target Value Ratings
Target Value Rating Dialog Box
Understanding Passive OS Fingerprinting
Configuring OS Identification (Cisco IPS 6.x and Later Sensors Only)
OS Map Dialog Box
Configuring Settings for Event Actions
Managing IPS Anomaly Detection
Understanding Anomaly Detection
Worm Viruses
Anomaly Detection Modes
Anomaly Detection Zones
Knowing When to Turn Off Anomaly Detection
Configuring Anomaly Detection Signatures
Configuring Anomaly Detection
Configuring Anomaly Detection Learning Accept Mode
Understanding Anomaly Detection Thresholds and Histograms
Configuring Anomaly Detection Thresholds and Histograms
Dest Port or Protocol Map Dialog Box
Histogram Dialog Box
Configuring Global Correlation
Understanding Global Correlation
Understanding Reputation
Understanding Network Participation
Global Correlation Requirements and Limitations
Configuring Global Correlation Inspection and Reputation
Configuring Network Participation
Configuring Attack Response Controller for Blocking and Rate Limiting
Understanding IPS Blocking
Strategies for Applying Blocks
Understanding Rate Limiting
Understanding Router and Switch Blocking Devices
Understanding the Master Blocking Sensor
Configuring IPS Blocking and Rate Limiting
Blocking Page
General Tab, IPS Blocking Policy
User Profile Dialog Box
Master Blocking Sensor Dialog Box
Router, Firewall, Cat6K Device Dialog Box
Router Block Interface Dialog Box
Cat6k Block VLAN Dialog Box
Never Block Host or Network Dialog Boxes
Managing IPS Sensors
Managing IPS Licenses
Updating IPS License Files
Redeploying IPS License Files
Automating IPS License File Updates
Managing IPS Updates
Configuring the IPS Update Server
Checking for IPS Updates and Downloading Them
Automating IPS Updates
Manually Applying IPS Updates
Managing IPS Certificates
Rebooting IPS Sensors
Configuring IOS IPS Routers
Understanding Cisco IOS IPS
Understanding IPS Subsystems and Support of IOS IPS Revisions
Cisco IOS IPS Signature Scanning with Lightweight Signatures
Router Configuration Files and Signature Event Action Processor (SEAP)
Cisco IOS IPS Limitations and Restrictions
Overview of Cisco IOS IPS Configuration
Initial Preparation of a Cisco IOS IPS Router
Selecting a Signature Category for Cisco IOS IPS
Configuring General Settings for Cisco IOS IPS
Configuring IOS IPS Interface Rules
IPS Rule Dialog Box
Pair Dialog Box
Managing Firewall Devices
Firewall Device Types
Default Firewall Configurations
Configuring Firewall Device Interfaces
Understanding Device Interfaces
Interfaces in Routed and Transparent Modes
Interfaces in Single and Multiple Contexts
About Asymmetric Routing Groups
Understanding ASA 5505 Ports and Interfaces
Configuring Subinterfaces (PIX/ASA)
Configuring Redundant Interfaces
Configuring EtherChannels
Editing LACP Parameters for an Interface Assigned to an EtherChannel
About EtherChannel Load Balancing
Managing Device Interfaces, Hardware Ports, and Bridge Groups
Add/Edit Interface Dialog Box (PIX 6.3)
Device Interface: IP Type (PIX 6.3)
Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM)
Add/Edit Interface Dialog Box: General Tab (PIX 7.0+/ASA/FWSM)
Add/Edit Interface Dialog Box: Advanced Tab (ASA/PIX 7.0+)
Configuring IPv6 Interfaces (ASA/FWSM)
IPv6 Address for Interface Dialog Box
IPv6 Prefix Editor Dialog Box
Device Interface: IP Type (PIX/ASA 7.0+)
Device Interface: MAC Address
Configuring Hardware Ports on an ASA 5505
Add/Edit Bridge Group Dialog Box
Advanced Interface Settings (PIX/ASA/FWSM)
Enabling Traffic between Interfaces with the Same Security Level
Managing the PPPoE Users List
Managing VPDN Groups
Configuring Bridging Policies on Firewall
About Bridging on Firewall Devices
Bridging Support for FWSM 3.1
ARP Table Page
Add/Edit ARP Configuration Dialog Box
ARP Inspection Page
Add/Edit ARP Inspection Dialog Box
Managing the IPv6 Neighbor Cache
MAC Address Table Page
Add/Edit MAC Table Entry Dialog Box
MAC Learning Page
Add/Edit MAC Learning Dialog Box
Management IP Page
Management IPv6 Page (ASA 5505)
Configuring Device Administration Policies on Firewall Devices
About AAA on Security Devices
Preparing for AAA
Local Database
AAA for Device Administration
AAA for Network Access
AAA for VPN Access
Configuring AAA - Authentication Tab
Authorization Tab
Accounting Tab
Configuring Banners
Configuring Boot Image/Configuration Settings
Images Dialog Box
Setting the Device Clock
Configuring Device Credentials
Configuring Device Access Settings on Firewall Devices
Configuring Console Timeout
HTTP Page
HTTP Configuration Dialog Box
Configuring ICMP
Add and Edit ICMP Dialog Boxes
Configuring Management Access
Configuring Secure Shell Access
Add and Edit SSH Host Dialog Boxes
Configuring SNMP
SNMP Terminology
SNMP Page
SNMP Trap Configuration Dialog Box
Add SNMP Host Access Entry Dialog Box
Telnet Page
Telnet Configuration Dialog Box
Configuring Failover
Understanding Failover
Active/Active Failover
Stateful Failover
Basic Failover Configuration
Adding a Security Context to Failover Group 2
Additional Steps for an Active/Standby Failover Configuration
Exporting the Certificate to a File or PKCS12 data
Importing the Certificate onto the Standby Device
Failover Policies
Failover Page (PIX 6.3)
Edit Failover Interface Configuration Dialog Box (PIX 6.3)
Failover Page (FWSM)
Advanced Settings Dialog Box
Edit Failover Bridge Group Configuration Dialog Box
Failover Page (ASA/PIX 7.0+)
Settings Dialog Box
Add/Edit Interface MAC Address Dialog Box
Edit Failover Interface Configuration Dialog Box
Edit Failover Group Dialog Box
Failover Page (Security Context)
Bootstrap Configuration for LAN Failover Dialog Box
Configuring Hostname, Resources, User Accounts, and SLAs
Hostname Page
Resource Management on Multi-context FWSMs
Resources Page
Add and Edit Resource Dialog Boxes
Configuring User Accounts
Add/Edit User Account Dialog Boxes
Monitoring Service Level Agreements (SLAs) To Maintain Connectivity
Creating Service Level Agreements
Configuring SLA Monitor Objects
Configuring Server Access Settings on Firewall Devices
AUS Page
Add and Edit Auto Update Server Dialog Boxes
DHCP Relay Page
Add and Edit DHCP Relay Agent Configuration Dialog Boxes
Add and Edit DHCP Relay Server Configuration Dialog Boxes
DHCP Relay IPv6 Page
Add and Edit DHCP Relay IPv6 Agent Configuration Dialog Boxes
Add and Edit DHCP Relay IPv6 Server Configuration Dialog Boxes
Configuring DHCP Servers
DHCP Server Page
Add and Edit DHCP Server Interface Configuration Dialog Boxes
Add/Edit DHCP Server Advanced Configuration Dialog Box
Add/Edit DHCP Server Option Dialog Box
DNS Page
Add DNS Server Group Dialog Box
Add DNS Server Dialog Box
Configuring DDNS
Add/Edit DDNS Interface Rule Dialog Box
DDNS Update Methods Dialog Box
Add/Edit DDNS Update Methods Dialog Box
NTP Page
NTP Server Configuration Dialog Box
SMTP Server Page
TFTP Server Page
Configuring Logging Policies on Firewall Devices
NetFlow Page
Add and Edit Collector Dialog Boxes (NetFlow)
E-Mail Setup Page
Add/Edit Email Recipient Dialog Box
Event Lists Page
Message Classes and Associated Message ID Numbers
Add/Edit Event List Dialog Box
Add/Edit Syslog Class Dialog Box
Add/Edit Syslog Message ID Filter Dialog Box
Logging Filters Page
Edit Logging Filters Dialog Box
Configuring Logging Setup
Logging Setup Page
Configuring Rate Limit Levels
Rate Limit Page
Add/Edit Rate Limit for Syslog Logging Levels Dialog Box
Add/Edit Rate Limited Syslog Message Dialog Box
Configuring Syslog Server Setup
Server Setup Page
Logging Levels
Add/Edit Syslog Message Dialog Box
Defining Syslog Servers
Syslog Servers Page
Add/Edit Syslog Server Dialog Box
Configuring Multicast Policies on Firewall Devices
Enabling PIM and IGMP
Configuring IGMP
IGMP Page - Protocol Tab
Configure IGMP Parameters Dialog Box
IGMP Page - Access Group Tab
Configure IGMP Access Group Parameters Dialog Box
IGMP Page - Static Group Tab
Configure IGMP Static Group Parameters Dialog Box
IGMP Page - Join Group Tab
Configure IGMP Join Group Parameters Dialog Box
Configuring Multicast Routes
Add/Edit MRoute Configuration Dialog Box
Configuring Multicast Boundary Filters
Add/Edit MBoundary Configuration Dialog Box
Add/Edit MBoundary Interface Configuration Dialog Box
Configuring PIM
PIM Page - Protocol Tab
Add/Edit PIM Protocol Dialog Box
PIM Page - Neighbor Filter Tab
Add/Edit PIM Neighbor Filter Dialog Box
PIM Page - Bidirectional Neighbor Filter Tab
Add/Edit PIM Bidirectional Neighbor Filter Dialog Box
PIM Page - Rendezvous Points Tab
Add/Edit Rendezvous Point Dialog Box
Add/Edit Multicast Group Rules Dialog Box
PIM Page - Route Tree Tab
PIM Page - Request Filter Tab
Add/Edit Multicast Group Rules Dialog Box
Configuring Routing Policies on Firewall Devices
Configuring No Proxy ARP
Configuring OSPF
About OSPF
General Tab
OSPF Advanced Dialog Box
Area Tab
Add/Edit Area/Area Networks Dialog Box
Range Tab
Add/Edit Area Range Network Dialog Box
Neighbors Tab
Add/Edit Static Neighbor Dialog Box
Redistribution Tab
Redistribution Dialog Box
Virtual Link Tab
Add/Edit OSPF Virtual Link Configuration Dialog Box
Add/Edit OSPF Virtual Link MD5 Configuration Dialog Box
Filtering Tab
Add/Edit Filtering Dialog Box
Summary Address Tab
Add/Edit Summary Address Dialog Box
Interface Tab
Add/Edit Interface Dialog Box
Configuring OSPFv3
About OSPFv3
Process Tab
OSPFv3 Advanced Properties Dialog Box
Area Tab (OSPFv3)
Add/Edit Area Dialog Box (OSPFv3)
Add/Edit Range Dialog Box (OSPFv3)
Add/Edit Virtual Link Dialog Box (OSPFv3)
Add/Edit Redistribution Dialog Box (OSPFv3)
Add/Edit Summary Prefix Dialog Box (OSPFv3)
OSPFv3 Interface Tab
Add/Edit Interface Dialog Box (OSPFv3)
Add/Edit Neighbor Dialog Box (OSPFv3)
Configuring RIP
RIP Page for PIX/ASA 6.3-7.1 and FWSM
Add/Edit RIP Configuration (PIX/ASA 6.3-7.1 and FWSM) Dialog Boxes
RIP Page for PIX/ASA 7.2 and Later
RIP - Setup Tab
RIP - Redistribution Tab
Add/Edit Redistribution Dialog Box
RIP - Filtering Tab
Add/Edit Filter Dialog Box
RIP - Interface Tab
Add/Edit Interface Dialog Box
Configuring Static Routes
Add/Edit Static Route Dialog Box
Add/Edit IPv6 Static Route Dialog Box
Configuring Security Policies on Firewall
General Page
Configuring Floodguard, Anti-Spoofing and Fragment Settings
Add/Edit General Security Configuration Dialog Box
Configuring Timeouts
Configuring Service Policy Rules on Firewall
About Service Policy Rules
About TCP State Bypass
Priority Queues Page
Priority Queue Configuration Dialog Box
IPS, QoS, and Connection Rules Page
Insert/Edit Service Policy (MPC) Rule Wizard
Step 1. Configure a Service Policy
Step 2. Configure the traffic class
Step 3. Configure the MPC actions
About IPS Modules on ASA Devices
About the ASA CX
ASA CX Auth Proxy Configuration
Configuring Traffic Flow Objects
Default Inspection Traffic
Configuring TCP Maps
Add and Edit TCP Option Range Dialog Boxes
Configuring Security Contexts on Firewall Devices
Enabling and Disabling Multiple-Context Mode
Checklist for Configuring Multiple Security Contexts
Managing Security Contexts
Add/Edit Security Context Dialog Box (FWSM)
Add/Edit Security Context Dialog Box (PIX/ASA)
Allocate Interfaces Dialog Box (PIX/ASA only)
Managing Routers
Configuring Routers Running IOS Software Releases 12.1 and 12.2
Discovering Router Policies
Configuring Router Interfaces
Basic Interface Settings on Cisco IOS Routers
Available Interface Types
Defining Basic Router Interface Settings
Deleting a Cisco IOS Router Interface
Router Interfaces Page
Create Router Interface Dialog Box
Interface Auto Name Generator Dialog Box
Advanced Interface Settings on Cisco IOS Routers
Understanding Helper Addresses
Advanced Interface Settings Page
Advanced Interface Settings Dialog Box
IPS Module Interface Settings on Cisco IOS Routers
IPS Module Interface Settings Page
IPS Monitoring Information Dialog Box
CEF Interface Settings on Cisco IOS Routers
CEF Interface Settings Page
CEF Interface Settings Dialog Box
Dialer Interfaces on Cisco IOS Routers
Defining Dialer Profiles
Defining BRI Interface Properties
Dialer Policy Page
Dialer Profile Dialog Box
Dialer Physical Interface Dialog Box
ADSL on Cisco IOS Routers
Supported ADSL Operating Modes
Defining ADSL Settings
ADSL Policy Page
ADSL Settings Dialog Box
SHDSL on Cisco IOS Routers
Defining SHDSL Controllers
SHDSL Policy Page
SHDSL Controller Dialog Box
Controller Auto Name Generator Dialog Box
PVCs on Cisco IOS Routers
Understanding Virtual Paths and Virtual Channels
Understanding ATM Service Classes
Understanding ATM Management Protocols
Understanding ILMI
Understanding OAM
Defining ATM PVCs
Defining OAM Management on ATM PVCs
PVC Policy Page
PVC Dialog Box
PVC Dialog Box - Settings Tab
PVC Dialog Box - QoS Tab
PVC Dialog Box - Protocol Tab
Define Mapping Dialog Box
PVC Advanced Settings Dialog Box
PVC Advanced Settings Dialog Box - OAM Tab
PVC Advanced Settings Dialog Box - OAM-PVC Tab
PPP on Cisco IOS Routers
Understanding Multilink PPP (MLP)
Defining PPP Connections
Defining Multilink PPP Bundles
PPP/MLP Policy Page
PPP Dialog Box
PPP Dialog Box - PPP Tab
PPP Dialog Box - MLP Tab
Router Device Administration
AAA on Cisco IOS Routers
Supported Authorization Types
Supported Accounting Types
Understanding Method Lists
Defining AAA Services
AAA Policy Page
AAA Page - Authentication Tab
AAA Page - Authorization Tab
Command Authorization Dialog Box
AAA Page - Accounting Tab
Command Accounting Dialog Box
User Accounts and Device Credentials on Cisco IOS Routers
Defining Accounts and Credential Policies
Accounts and Credentials Policy Page
User Account Dialog Box
Bridging on Cisco IOS Routers
Bridge-Group Virtual Interfaces
Defining Bridge Groups
Bridging Policy Page
Bridge Group Dialog Box
Time Zone Settings on Cisco IOS Routers
Defining Time Zone and DST Settings
Clock Policy Page
CPU Utilization Settings on Cisco IOS Routers
Defining CPU Utilization Settings
CPU Policy Page
HTTP and HTTPS on Cisco IOS Routers
Defining HTTP Policies
HTTP Policy Page
HTTP Page - Setup Tab
HTTP Page - AAA Tab
Command Authorization Override Dialog Box
Line Access on Cisco IOS Routers
Defining Console Port Setup Parameters
Defining Console Port AAA Settings
Defining VTY Line Setup Parameters
Defining VTY Line AAA Settings
Console Policy Page
Console Page - Setup Tab
Console Page - Authentication Tab
Console Page - Authorization Tab
Console Page - Accounting Tab
VTY Policy Page
VTY Line Dialog Box
VTY Line Dialog Box - Setup Tab
VTY Line Dialog Box - Authentication Tab
VTY Line Dialog Box - Authorization Tab
VTY Line Dialog Box - Accounting Tab
Command Authorization Dialog Box - Line Access
Command Accounting Dialog Box - Line Access
Optional SSH Settings on Cisco IOS Routers
Defining Optional SSH Settings
Secure Shell Policy Page
SNMP on Cisco IOS Routers
Defining SNMP Agent Properties
Enabling SNMP Traps
SNMP Policy Page
Permission Dialog Box
Trap Receiver Dialog Box
SNMP Traps Dialog Box
DNS on Cisco IOS Routers
Defining DNS Policies
DNS Policy Page
IP Host Dialog Box
Hostnames and Domain Names on Cisco IOS Routers
Defining Hostname Policies
Hostname Policy Page
Memory Settings on Cisco IOS Routers
Defining Router Memory Settings
Memory Policy Page
Secure Device Provisioning on Cisco IOS Routers
Contents of Bootstrap Configuration
Secure Device Provisioning Workflow
Defining Secure Device Provisioning Policies
Configuring a AAA Server Group for Administrative Introducers
Secure Device Provisioning Policy Page
DHCP on Cisco IOS Routers
Understanding DHCP Database Agents
Understanding DHCP Relay Agents
Understanding DHCP Option 82
Understanding Secured ARP
Defining DHCP Policies
Defining DHCP Address Pools
DHCP Policy Page
DHCP Database Dialog Box
IP Pool Dialog Box
NTP on Cisco IOS Routers
Defining NTP Servers
NTP Policy Page
NTP Server Dialog Box
Configuring Identity Policies
802.1x on Cisco IOS Routers
Understanding 802.1x Device Roles
802.1x Interface Authorization States
Topologies Supported by 802.1x
Defining 802.1x Policies
802.1x Policy Page
Network Admission Control on Cisco IOS Routers
Router Platforms Supporting NAC
Understanding NAC Components
Understanding NAC System Flow
Defining NAC Setup Parameters
Defining NAC Interface Parameters
Defining NAC Identity Parameters
Network Admission Control Policy Page
Network Admission Control Page - Setup Tab
Network Admission Control Page - Interfaces Tab
NAC Interface Configuration Dialog Box
Network Admission Control Page - Identities Tab
NAC Identity Profile Dialog Box
NAC Identity Action Dialog Box
Configuring Logging Policies
Logging on Cisco IOS Routers
Defining Syslog Logging Setup Parameters
Defining Syslog Servers
Understanding Log Message Severity Levels
NetFlow on Cisco IOS Routers
Defining NetFlow Parameters
Syslog Logging Setup Policy Page
Syslog Servers Policy Page
Syslog Server Dialog Box
NetFlow Policy Page
Adding and Editing NetFlow Interface Settings
Configuring Quality of Service
Quality of Service on Cisco IOS Routers
Quality of Service and CEF
Understanding Matching Parameters
Understanding Marking Parameters
Understanding Queuing Parameters
Tail Drop vs. WRED
Low-Latency Queuing
Default Class Queuing
Understanding Policing and Shaping Parameters
Understanding the Token-Bucket Mechanism
Understanding Control Plane Policing
Defining QoS Policies
Defining QoS on Interfaces
Defining QoS on the Control Plane
Defining QoS Class Matching Parameters
Defining QoS Class Marking Parameters
Defining QoS Class Queuing Parameters
Defining QoS Class Policing Parameters
Defining QoS Class Shaping Parameters
Quality of Service Policy Page
QoS Policy Dialog Box
QoS Class Dialog Box
QoS Class Dialog Box - Matching Tab
Edit ACLs Dialog Box - QoS Classes
QoS Class Dialog Box - Marking Tab
QoS Class Dialog Box - Queuing and Congestion Avoidance Tab
QoS Class Dialog Box - Policing Tab
QoS Class Dialog Box - Shaping Tab
Configuring Routing Policies
BGP Routing on Cisco IOS Routers
Defining BGP Routes
Redistributing Routes into BGP
BGP Routing Policy Page
BGP Page - Setup Tab
Neighbors Dialog Box
BGP Page - Redistribution Tab
BGP Redistribution Mapping Dialog Box
EIGRP Routing on Cisco IOS Routers
Defining EIGRP Routes
Defining EIGRP Interface Properties
Redistributing Routes into EIGRP
EIGRP Routing Policy Page
EIGRP Page - Setup Tab
EIGRP Setup Dialog Box
EIGRP Page - Interfaces Tab
EIGRP Interface Dialog Box
EIGRP Page - Redistribution Tab
EIGRP Redistribution Mapping Dialog Box
OSPF Routing on Cisco IOS Routers
Defining OSPF Process Settings
Defining OSPF Area Settings
Redistributing Routes into OSPF
Defining OSPF Redistribution Mappings
Defining OSPF Maximum Prefix Values
Defining OSPF Interface Settings
Understanding Interface Cost
Understanding Interface Priority
Disabling MTU Mismatch Detection
Blocking LSA Flooding
Understanding OSPF Timer Settings
Understanding the OSPF Network Type
Understanding OSPF Interface Authentication
OSPF Interface Policy Page
OSPF Interface Dialog Box
OSPF Process Policy Page
OSPF Process Page - Setup Tab
OSPF Setup Dialog Box
Edit Interfaces Dialog Box - OSPF Passive Interfaces
OSPF Process Page - Area Tab
OSPF Area Dialog Box
OSPF Process Page - Redistribution Tab
OSPF Redistribution Mapping Dialog Box
OSPF Max Prefix Mapping Dialog Box
RIP Routing on Cisco IOS Routers
Defining RIP Setup Parameters
Defining RIP Interface Authentication Settings
Redistributing Routes into RIP
RIP Routing Policy Page
RIP Page - Setup Tab
RIP Page - Authentication Tab
RIP Authentication Dialog Box
RIP Page - Redistribution Tab
RIP Redistribution Mapping Dialog Box
Static Routing on Cisco IOS Routers
Defining Static Routes
Static Routing Policy Page
Static Routing Dialog Box
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
Discovering Policies on Cisco Catalyst Switches and Cisco 7600 Series Routers
Viewing Catalyst Summary Information
Viewing a Summary of Catalyst Interfaces, VLANs, and VLAN Groups
Interfaces
Creating or Editing Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
Deleting Ports on Cisco Catalyst Switches and Cisco 7600 Series Routers
Interfaces/VLANs Page - Interfaces Tab
Create and Edit Interface Dialog Boxes - Access Port Mode
Create and Edit Interface Dialog Boxes - Routed Port Mode
Create and Edit Interface Dialog Boxes - Trunk Port Mode
Create and Edit Interface Dialog Boxes - Dynamic Mode
Create and Edit Interface Dialog Boxes - Subinterfaces
Create and Edit Interface Dialog Boxes - Unsupported Mode
VLANs
Creating or Editing VLANs
Deleting VLANs
Interfaces/VLANs Page - VLANs Tab
Create and Edit VLAN Dialog Boxes
Access Port Selector Dialog Box
Trunk Port Selector Dialog Box
VLAN Groups
Creating or Editing VLAN Groups
Deleting VLAN Groups
Interfaces/VLANs Page - VLAN Groups Tab
Create and Edit VLAN Group Dialog Boxes
Service Module Slot Selector Dialog Box
VLAN Selector Dialog Box
VLAN ACLs (VACLs)
Creating or Editing VACLs
Deleting VACLs
VLAN Access Lists Page
Create and Edit VLAN ACL Dialog Boxes
Create and Edit VLAN ACL Content Dialog Boxes
Interface Selector Dialog Box - VLAN ACL Content
IDSM Settings
Creating or Editing EtherChannel VLAN Definitions
Deleting EtherChannel VLAN Definitions
Creating or Editing Data Port VLAN Definitions
Deleting Data Port VLAN Definitions
IDSM Settings Page
Create and Edit IDSM EtherChannel VLANs Dialog Boxes
Create and Edit IDSM Data Port VLANs Dialog Boxes
IDSM Slot-Port Selector Dialog Box
Viewing Events
Introduction to Event Viewer Capabilities
Historical View
Real-Time View
Views and Filters
Policy Navigation
Understanding Event Viewer Access Control
Scope and Limits of Event Viewer
Deeply Parsed Syslogs
Overview of Event Viewer
Event Viewer File Menu
Event Viewer View Menu
View List
Event Monitoring Window
Event Table Toolbar
Columns in Event Table
Time Slider
Event Details Pane
Preparing for Event Management
Ensuring Time Synchronization
Configuring ASA and FWSM Devices for Event Management
Configuring IPS Devices for Event Management
Managing the Event Manager Service
Starting, Stopping, and Configuring the Event Manager Service
Monitoring the Event Manager Service
Selecting Devices to Monitor
Monitoring Event Data Store Disk Space Usage
Archiving or Backing Up and Restoring the Event Data Store
Using Event Viewer
Using Event Views
Opening Views
Floating and Arranging Views
Customizing the Event Table Appearance
Switching Between Source/Destination IP Addresses and Host Object Names
Configuring Color Rules for a View
Creating Custom Views
Editing a Custom View Name or Description
Switching Between Real-Time and Historical Views
Saving Views
Deleting Custom Views
Filtering and Querying Events
Selecting the Time Range for Events
Using the Time Slider with Filtering
Refreshing the Event Table
Creating Column-Based Filters
Filtering Based on a Specific Event's Values
Filtering on a Text String
Clearing Filters
Performing Operations on Specific Events
Event Context (Right-Click) Menu
Examining Details of a Single Event
Copying Event Records
Saving Events to a File
Looking Up a Security Manager Policy from Event Viewer
Examples of Event Analysis
Help Desk: User Access To a Server Is Blocked By the Firewall
Monitoring and Mitigating Botnet Activity
Understanding the Syslog Messages That Indicate Actionable Events
Monitoring Botnet Using the Security Manager Event Viewer
Monitoring Botnet Using the Security Manager Report Manager
Monitoring Botnet Activity Using the Adaptive Security Device Manager (ASDM)
Mitigating Botnet Traffic
Removing False Positive IPS Events from the Event Table
Managing Reports
Understanding Report Management
Understanding the Types of Reports Available in Security Manager
Preparing Devices for Report Manager Reporting
Understanding Report Manager Data Aggregation
Understanding Report Manager Access Control
Overview of Report Manager
Report Manager Menus
Understanding the Report List in Report Manager
Understanding the Report Settings Pane
Understanding the Generated Report Pane and Toolbar
Understanding the Predefined System Reports in Report Manager
Understanding Firewall Traffic Reports
Understanding Firewall Summary Botnet Reports
Understanding VPN Top Reports
Understanding General VPN Reports
Understanding IPS Top Reports
Understanding General IPS Reports
Working with Reports in Report Manager
Opening and Generating Reports
Creating Custom Reports
Editing Report Settings
Printing Reports
Exporting Reports
Configuring Default Settings for Reports
Arranging Report Windows
Saving Reports
Renaming Reports
Closing Report Windows
Deleting Reports
Managing Custom Reports
Scheduling Reports
Viewing Report Schedules
Configuring Report Schedules
Viewing Scheduled Report Results
Enabling and Disabling Report Schedules
Deleting Report Schedules
Troubleshooting Report Manager
Health and Performance Monitoring
Health and Performance Monitor Overview
Trend Information
Monitoring Multiple Contexts
HPM Access Control
Preparing for Health and Performance Monitoring
Launching the Health and Performance Monitor
Managing Monitored Devices
HPM Window
Working with Table Columns
Showing and Hiding Table Columns
Table Columns: Device-related Views
Table Columns: VPN-related Views
Alert Table Columns
Column-based Filtering
Custom Filtering
Using The List Filter Fields
Monitoring Devices
Managing Device Views
Views: Opening and Closing
Views: Tiling Horizontally or Vertically
Views: Floating and Docking
Views: Custom
HPM Window: Monitoring Display
Monitoring Views: Devices or VPNs Summary
Monitoring Views: Device or VPN Status List
Monitoring Views: Device or VPN Details
Monitoring Views: VPN, RA and S2S
Exporting HPM Data
Alerts and Notifications
HPM Window: Alerts Display
Alerts: Configuring
Alerts Configuration: IPS
Alerts Configuration: Firewall
Alerts Configuration: VPN
Configuring SNMP for S2S Polling
Alerts: Viewing
Alerts: Acknowledging and Clearing
Alerts: History
Using External Monitoring, Troubleshooting, and Diagnostic Tools
Viewing Inventory Status
Inventory Status Window
Starting Device Managers
Troubleshooting Device Managers
Access Rule Look-up from Device Managers
Navigating to an Access Rule from ASDM
Navigating to an Access Rule from SDM
Launching Cisco Prime Security Manager
Detecting ASA CX Modules
Sharing Device Inventory and Policy Objects with PRSM
Analyzing an ASA or PIX Configuration Using Packet Tracer
Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools
Analyzing Configuration Using Ping
Analyzing Configuration Using TraceRoute
Analyzing Configuration Using NS Lookup
Using the Packet Capture Wizard
Integrating CS-MARS and Security Manager
Checklist for Integrating CS-MARS with Security Manager
Configuring the Security Manager Server to Respond to CS-MARS Policy Queries
Registering CS-MARS Servers in Security Manager
Discovering or Changing the CS-MARS Controllers for a Device
Troubleshooting Tips for CS-MARS Querying
Looking Up CS-MARS Events for a Security Manager Policy
Viewing CS-MARS Events for an Access Rule
Viewing CS-MARS Events for an IPS Signature
Looking Up a Security Manager Policy from a CS-MARS Event
System Log Messages Supported for Policy Look-up
NetFlow Event Reporting in CS-MARS
Using Image Manager
Getting Started with Image Manager
Image Manager Supported Platforms and Versions
Device Configurations supported by Image Manager
Image Manager Supported Image Types
Administrative Settings for Image Manager
Bootstrapping Devices for Image Manager
Working with Images
View All Images
Download Images to the Repository
Working with Bundles
Creating Bundles
View Images by Bundle
Renaming Bundles
Deleting Bundles
Deleting Images from Bundles
Working with Devices
Viewing Device Inventory
Manage Images on a Device
View Device Memory
Configuring the Image Install Location
About Image Updates on Devices Using Image Manager
Validating a Proposed Image Update on a Device
Using the Image Installation Wizard to Install Images on Devices
Install Bundled Images on Devices
Install Compatible Images on Devices
Install Images on Selected Devices
Working with Jobs
Viewing Image Installation Job Summary
Viewing Install Jobs
Aborting an Image Installation Job
Retry a Failed Image Install Job
Roll Back a Deployed Job
Image Installation Job Approval Workflow
Troubleshooting Image Management
INDEX
Numerics
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z