7-34
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 7 Managing FlexConfigs
Configuring FlexConfig Policies and Policy Objects
Editing FlexConfig Policies
You can assign FlexConfig policies to devices using either Device view or Policy view (for shared
policies) by selecting FlexConfigs from the policy selector. You can deploy configurations containing
these policies as you would deploy any configuration generated by Security Manager. For a scenario that
takes you through setting up a FlexConfig policy object and creating a shared FlexConfig policy, see A
FlexConfig Creation Scenario, page 7-24.
When you edit a FlexConfig policy, you can perform the following actions:
Add FlexConfig objects—To add a FlexConfig object to a policy, click the Add icon button and
select the desired object. You can also create new objects from the object selector dialog box. The
objects are added to the prepended or appended list depending on how the objects themselves are
defined.
Remove FlexConfig objects—If you no longer want to include an object in the policy, select it and
click the Remove icon button. This action removes the object from the policy, but it does not delete
the object from Security Manager. For information on deleting objects, see Deleting Objects,
page 6-16.
Change the order of the objects—Objects are processed in the order you specify. If an object
depends on the processing of another object, it is important that you order them correctly. Select the
object whose order you want to change and click the Up or Down arrow buttons until the object is
in the desired location.
When changing the order of FlexConfig objects that involve route-maps (for example, OSPF or
multicast route-maps), make sure that the corresponding access control lists (ACLs) are defined
before the route-maps. This is a device requirement. If you do not define ACLs before route-maps,
you will get a deployment error.
Change the values assigned to the variables used in a policy object—If you want to configure a
variable with a different value for a particular device, creating a device-level override for the object,
select the object and click Valu es . In the Values Assignment dialog box, click in the Values cell to
change the value. For more information, see Values Assignment Dialog Box, page 7-36.
Preview the CLI that will be generated for a policy object—In Device view, you can view the
CLI that will be generated for a policy object by selecting the object and clicking Preview. This is
especially useful for checking that the CLI commands generated are what you intend to implement
on the device.
Note During deployment, when the FlexConfig policy objects are compiled on the Security
Manager server, the correct system variable values and settings are used to generate
commands. However, because the Preview function does not have access to these values the
way it normally would during deployment, it might not display some CLI commands. In
addition, because the Preview function generates CLI commands on the client, some macros
used in FlexConfig policy objects reflect client settings instead of server settings.
Name The name of variable. This field is not available when you are defining
undefined variables.
Description An optional description of the variable. This field is not available when
you are defining undefined variables.
Table7-14 Property Selector Dialog Box (Continued)
Element Description