6-81
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding Networks/Hosts Objects
c. Double-click each device in the Policy Object Overrides dialog box, then modify the address field
for the value required by that device.
Step 3 Define a policy that requires this object. You can use one of two methods:
• Define the policy on a single device in Device view, share the policy, then assign the policy to the
other devices. See Sharing a Local Policy, page 5-38 and Modifying Shared Policy Assignments in
Device View or the Site-to-Site VPN Manager, page 5-46.
• Create a shared policy in Policy view, then assign the policy to the other devices using the
Assignments tab. See Modifying Policy Assignments in Policy View, page 5-51.
Note You can create a Networks/Hosts group object that refers to a Networks/Hosts object with an
unspecified value. You do not have to create the device-level overrides before you assign the
policy containing the object to devices.
Specifying IP Addresses During Policy Definition
Many policies and policy objects require that you enter an IP address for a host or network. For some
policies or objects, you must enter just a host, or just a network. For other policies or objects, you can
enter some combination of hosts and networks. You are prevented from entering or selecting addresses
that are not appropriate for the circumstances.
The following is a description of all acceptable formats that you can use, both for IPv4 and IPv6
addresses, although a particular policy or object might not allow specific formats (for example, interface
roles are allowed as address designations in only a very limited number of policies). If the policy or
object allows it, you can enter multiple addresses by separating them with commas.
• Networks/Hosts object. Enter the name of the object or click Select to select it from a list. You can
also create new Networks/Hosts objects from the selection list.
  Note The only way to specify a fully qualified domain name (FQDN) is to use an FQDN
  Networks/Hosts object, or a group object that includes an FQDN object. You cannot directly
  type in an FQDN.
• Host IP address, in v4 or v6 format.
  – Complete IPv4 address; for example, 10.10.10.100
  – Complete IPv6 address, showing all eight components. For example,
  2001:DB8:0:0:0DB8:800:200C:417A. It is not necessary to include the leading zeros in an
  individual field. Security Manager converts the address to compressed format if possible.
  – Compressed IPv6 address, where a group of fields is replaced by two colons (::). It is common
  for IPv6 addresses to contain successive hexadecimal fields of zeros. To make IPv6 addresses
  less cumbersome, you can use two colons (::) to compress successive hexadecimal fields of
  zeros at the beginning, middle, or end of an IPv6 address (the colons represent successive
  hexadecimal fields of zeros). You can use :: at most once in an IPv6 address. For example,
  2001:DB8::0DB8:800:200C:417A. The unspecified address, 0:0:0:0:0:0:0:0, can be
  represented as ::. The loopback address is ::1.
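The host-address rules above can be checked offline before a comma-separated list is typed into a policy or object. The following is an added example, not Cisco code: it uses Python's standard ipaddress module, the function names and the sample field are constructed for illustration, and the compressed form shown is Python's lowercase canonical output, which is assumed here and may differ in case from what Security Manager displays. It covers host addresses only and flags entries that are two spellings of the same host.

```python
import ipaddress

def classify_host_entry(entry):
    """Classify one host entry; returns (kind, canonical form or rejection reason)."""
    try:
        addr = ipaddress.ip_address(entry.strip())
    except ValueError as exc:
        # Covers a directly typed FQDN, more than one "::", wrong field counts.
        return ("rejected", str(exc))
    if addr.version == 4:
        return ("ipv4-host", str(addr))
    if addr.is_unspecified:
        kind = "ipv6-unspecified"   # 0:0:0:0:0:0:0:0, written "::"
    elif addr.is_loopback:
        kind = "ipv6-loopback"      # "::1"
    else:
        kind = "ipv6-host"
    return (kind, addr.compressed)

def parse_host_field(field):
    """Split a comma-separated address field and classify every entry."""
    return [(e.strip(), *classify_host_entry(e)) for e in field.split(",")]

def duplicate_spellings(field):
    """Group valid entries that are different spellings of the same host."""
    seen = {}
    for raw, kind, canonical in parse_host_field(field):
        if kind != "rejected":
            seen.setdefault(canonical, []).append(raw)
    return {c: raws for c, raws in seen.items() if len(raws) > 1}

# Constructed sample: the addresses quoted in the text plus two invalid
# entries (a second "::" and a directly typed FQDN).
SAMPLE_FIELD = (
    "10.10.10.100, 2001:DB8:0:0:0DB8:800:200C:417A, "
    "2001:DB8::0DB8:800:200C:417A, ::, ::1, 2001::DB8::1, host.example.com"
)

if __name__ == "__main__":
    for raw, kind, detail in parse_host_field(SAMPLE_FIELD):
        print(f"{raw:34} {kind:17} {detail}")
    print("duplicates:", duplicate_spellings(SAMPLE_FIELD))
```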