7-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 7 Managing FlexConfigs
Understanding FlexConfig Policies and Policy Objects
session target ipv4:150.50.55.55
Understanding FlexConfig Object Variables
Variables in FlexConfig policy objects start with the $ character. For example, in the following line,
$inside is a variable:
interface $inside
There are three types of variables you can use in a FlexConfig policy object:
Policy object variables—Static variables that reference a specific property. For example, Text
objects are a type of policy object variable. They are a name and value pair, and the value can be a
single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of
textual data to be referenced and acted upon by any policy object.
There are three ways to add policy object variables to a FlexConfig policy object. First, move the
cursor to the desired location, and then:
Right-click and select Create Text Object. This command opens a dialog box where you can
create a simple single-value text object and assign it a value. When you click OK, the variable
is added to the object, and it is added to the list of defined Text objects in the Policy Object
Manager window so that you can use it in other objects or edit its definition. For an example of
creating simple text variables, see Example of FlexConfig Policy Object Variables, page 7-6.
Right-click and select a policy object type from the Insert Policy Object sub-menu. These
commands open a selector dialog box where you can select the specific policy object that
contains the variable that you want to insert. After selecting the policy object, you are presented
with the Property Selector dialog box, where you choose the specific property of the object that
you want to use and optionally change the name of the variable associated with the property.
By using this technique, you can add a property from an existing policy object when you know
that the property has the value that you want to use. For example, if you want to insert a variable
that specifies the RADIUS protocol from the AAA Server Group policy object named RADIUS,
you would right-click, select Insert Policy Object > AAA Server Group, select RADIUS in
the AAA Server Group Selector dialog box, click OK, and then select Protocol in the Object
Property field on the AAA Server Group Property Selector dialog box and click OK. The
$protocol variable is inserted at the cursor, and the value for the property as defined in the
selected object is added to the variables list.
Type in a variable name. If you type in a variable, you cannot assign it a value until you click
OK on the Add or Edit FlexConfig dialog box. You will be prompted that a variable is
undefined, and given the opportunity to define its value. In the FlexConfig Undefined Variable
dialog box, you can select the object type of the policy object that contains the desired value,
which will prompt you to select the specific policy object and variable. This is essentially
identical to the process for inserting policy object variables described above. The technique you
use is a matter of personal preference; the end result is the same.
System variables—Dynamic variables that reference a value during deployment when the
configuration is generated. The values are obtained from either the target device or policies
configured for the target device. You can declare system variables to be optional in FlexConfig
policy objects, which means that the variables do not need to be assigned a value for it to be deployed
to the device.
To insert a system variable into a FlexConfig policy object, move the cursor to the desired location,
right-click, and select the variable from the Insert System Variable sub-menus. For a description
of the available system variables, see FlexConfig System Variables, page 7-7.