7-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 7 Managing FlexConfigs
Understanding FlexConfig Policies and Policy Objects
Note: If you are deploying to a device, you should remove most appended commands after the
initial deployment. This is especially true for object groups, where any unbound object
group is replaced in the Ending Command section during command generation, then re-sent
each time the configuration is deployed to a device. The firewall device then displays an
error because the object group already exists. If you are deploying to a file or
AUS, the appended commands should remain.
Using Scripting Language Instructions
You can use scripting language instructions in a FlexConfig policy object to control how the commands
in the object are processed. Scripting language instructions are a subset of commands supported in the
Velocity Template Engine, a Java-based scripting language that supports looping, if/else statements, and
variables.
Security Manager supports all Velocity Template Engine commands except the include and parse
commands. For information about additional supported commands, see the Velocity Template
Engine documentation.
The following topics provide examples of the most commonly used functions:
Scripting Language Example 1: Looping, page 7-3
Scripting Language Example 2: Looping with Two-Dimensional Arrays, page 7-3
Example 3: Looping with If/Else Statements, page 7-4

Scripting Language Example 1: Looping

A plain old telephone service (POTS) dial peer enables incoming calls to be received by a telephony
device by associating a telephone number with a voice port. The following example enables caller ID for
a set of POTS dial peers.
Object Body
#foreach ($peer_id in ["2", "3", "4"])
dial-peer voice $peer_id pots
caller-id
#end
CLI Output
dial-peer voice 2 pots
caller-id
dial-peer voice 3 pots
caller-id
dial-peer voice 4 pots
caller-id
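The following Python sketch is an added example, not part of the Cisco guide or of Security Manager. It checks an Object Body before deployment for the unsupported include and parse commands and for unclosed block directives, and it previews the CLI Output of a simple loop like the one in Example 1. It handles only non-nested #foreach loops over literal string lists; the function names, the file name common.vm, and the set of block directives checked are assumptions made for illustration.

```python
import re

UNSUPPORTED = {"include", "parse"}        # excluded by Security Manager per the guide
OPENERS = {"foreach", "if", "macro"}      # assumed set of Velocity blocks closed by #end
DIRECTIVE = re.compile(r"#\{?(\w+)\}?")
FOREACH = re.compile(r"#foreach\s*\(\s*\$(\w+)\s+in\s+\[(.*?)\]\s*\)")

def lint(body):
    """Return a list of problems found in a FlexConfig object body."""
    problems, depth = [], 0
    for lineno, line in enumerate(body.splitlines(), 1):
        for name in DIRECTIVE.findall(line.split("##")[0]):  # skip ## comments
            if name in UNSUPPORTED:
                problems.append(f"line {lineno}: #{name} is not supported")
            elif name in OPENERS:
                depth += 1
            elif name == "end":
                depth -= 1
                if depth < 0:
                    problems.append(f"line {lineno}: #end without an opening directive")
                    depth = 0
    if depth:
        problems.append(f"{depth} block directive(s) missing #end")
    return problems

def expand(body):
    """Render non-nested #foreach loops over literal string lists."""
    out, loop = [], None
    for line in body.splitlines():
        m = FOREACH.match(line.strip())
        if m:
            loop = (m.group(1), re.findall(r'"([^"]*)"', m.group(2)), [])
        elif loop and line.strip() == "#end":
            var, items, block = loop
            ref = re.compile(r"\$\{?" + re.escape(var) + r"\}?(?!\w)")
            for item in items:
                out += [ref.sub(lambda _m, v=item: v, l) for l in block]
            loop = None
        elif loop:
            loop[2].append(line)   # collect the loop body until #end
        else:
            out.append(line)
    return "\n".join(out)

# Constructed inputs: the Object Body from Example 1, and a deliberately broken body.
EXAMPLE_1 = '#foreach ($peer_id in ["2", "3", "4"])\ndial-peer voice $peer_id pots\ncaller-id\n#end'
BROKEN = '#parse("common.vm")\n#foreach ($peer_id in ["2"])\ndial-peer voice $peer_id pots'

if __name__ == "__main__":
    print(lint(EXAMPLE_1) or "no problems")
    print(expand(EXAMPLE_1))
    print(lint(BROKEN))
```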

Scripting Language Example 2: Looping with Two-Dimensional Arrays

In this example, a set of phone numbers is associated with voice ports so that incoming calls can be received
at a router.