7-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 7 Managing FlexConfigs
Understanding FlexConfig Policies and Policy Objects
FlexConfig policy objects are used in FlexConfig policies. They allow you to configure device features
that are not otherwise supported by Security Manager, or to otherwise fine-tune your device
configurations. These policy objects include device configuration commands, variables, and optionally,
scripting language instructions to control processing. FlexConfig objects are essentially programming
routines to add content to the device configurations that Security Manager generates.
You can create FlexConfig policy objects from scratch or you can duplicate one of the objects that are
included with Security Manager.
FlexConfig policies are simply an ordered list of FlexConfig policy objects. Your objects are processed
in the order that you specify.
The following topics help you understand FlexConfig policy objects and by extension, FlexConfig
policies. For more information about policy objects in general, see Chapter 6, “Managing Policy
Objects”.
• Using CLI Commands in FlexConfig Policy Objects, page 7-2
• Using Scripting Language Instructions, page 7-3
• Understanding FlexConfig Object Variables, page 7-5
• Predefined FlexConfig Policy Objects, page 7-19

Using CLI Commands in FlexConfig Policy Objects

The configuration commands that you enter into the FlexConfig Editor are actual CLI commands used
to configure devices, such as PIX Firewalls and Cisco IOS Routers. You can include CLI commands that
are not supported in Security Manager. You are responsible for knowing and implementing the command
according to the proper syntax for the device type. See the command reference for the particular
operating system for more information.
When you create a FlexConfig policy object, you determine whether the commands and instructions
should be added to the beginning or end of the configuration that is generated from regular Security
Manager policies:
• Prepended objects—FlexConfig objects that are processed at the beginning of the configurations. If
  Security Manager policies configure any of the same commands included in the object, the
  prepended commands are replaced when configuration files are deployed.
• Appended objects—FlexConfig objects that are processed at the end of the configurations, after all
  other commands in the configuration file and before the write mem command.
  If the appended commands are already configured on the device, the device generates an error when
  you try to add them again. To resolve this, two workarounds are available:
  • Enter the command that removes the configuration in question as an appended command. For
    example, if the command is xyz, enter the following two lines:
      no xyz
      xyz
  • Change the setting that controls the action that the device will take to “warn.” This is set under
    Tools > Security Administration > Deployment.
    The setting change will affect the behavior of devices for all commands being deployed, not just
    those designated as appended commands.
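The first workaround can be prepared offline before the commands are pasted into the FlexConfig Editor. The following Python sketch is an added example, not Security Manager code: it compares a list of appended commands against a saved copy of the running configuration and inserts the removing command only ahead of commands that are already present. The function names and sample data are hypothetical, and it assumes the removing command is the original command prefixed with `no`, which must be confirmed in the command reference for the device.

```python
# Added illustration; not part of Security Manager. All names are hypothetical.

def normalize(line):
    """Collapse whitespace so 'xyz   1' matches 'xyz 1'."""
    return " ".join(line.split())

def build_appended_block(appended, running_config):
    """Return the appended commands, with 'no <cmd>' inserted before each
    command that already exists in running_config.

    Assumption: a command is removed by prefixing it with 'no '. Some
    commands use a different removal form; check the command reference.
    Only top-level (unindented) running-config lines are compared, so a
    command that exists only inside a sub-mode is not treated as present.
    """
    present = {
        normalize(l) for l in running_config.splitlines()
        if l.strip() and not l[0].isspace() and not l.startswith("!")
    }
    out = []
    for raw in appended:
        cmd = normalize(raw)
        if not cmd:
            continue  # skip blank entries
        if cmd in present and not cmd.startswith("no "):
            out.append("no " + cmd)  # remove first so the re-add cannot error
        out.append(cmd)
    return out

# Constructed sample data using the placeholder command names from the text.
RUNNING = """\
hostname edge-fw
!
xyz
interface GigabitEthernet0/0
 abc
"""
APPENDED = ["xyz", "abc", "  def   ghi "]

if __name__ == "__main__":
    print("\n".join(build_appended_block(APPENDED, RUNNING)))
```

Because each `no`/command pair removes the setting and then restores it, the setting is absent on the device for the interval between the two lines.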