14-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 14 Managing TrustSec Firewall Policies
Configuring TrustSec Firewall Policies
In Type in comma separated (Name or Tag), first select the type of entry you are making, Name
or Tag. Type in a valid security group name or tag number, then click the Add >> button between
the lists. Separate multiple names or tags with commas; they are added as separate lines in the
Members list.
To remove an item from the object, select it in the Members list and click the << Remove button
between the lists.
Step 6 (Optional) Under Category, select a category to help you identify this object in the Objects table. See
Using Category Objects, page 6-12.
Step 7 (Optional) Select Allow Value Override per Device to allow the properties of this object to be redefined
on individual devices. See Allowing a Policy Object to Be Overridden, page 6-18.
Step 8 Click OK to save the object.
Selecting Security Groups in Policies
In any policy or policy object that allows the specification of security groups, whether directly or through
the selection of a TrustSec security group object, you can click the Select button next to the Security
Groups field to help you enter the information.
In the Security Group Selector dialog box, you can define the content of the Security Groups field by
populating the Members in Group list. To populate the list, do any combination of the following:
In Available Security Group, select an existing object and click the Add >> button between the
lists. If the desired object does not exist, you can click the Add (+) button below the list to create a
new object. You can also select an object and click the Edit (pencil) button to modify it or to
examine its contents.
In Search name/tag, select a security group from the ISE server that is configured in the ISE Settings
administrative options. You must configure those settings first, so that Security Manager knows which
ISE server to query; until you do, you cannot select a name or tag here.
To find a security group, enter a search string. Then, click Search to find matches. A name is
considered a match if the string appears anywhere within the security group name.
To add the security group, select it in the list and click the Add >> button between the lists.
In Type in comma separated Security name or tag, first select the type of entry you are making,
Name or Tag. Type in a valid security group name or tag number, then click the Add >> button
between the lists. Separate multiple names or tags with commas; they are added as separate lines in
the Members in Group list.
To remove an item from the selection, select it in the Members in Group list and click the << Remove
button between the lists.
Configuring TrustSec-Based Firewall Rules
Security group awareness is integrated into the access control entries, or rules, in the ACLs used to
provide firewall services. Because the feature is integrated into the ACL, the techniques for adding
security group awareness to a firewall policy are the same for all types of firewall policy. This topic
provides general guidance on how to incorporate security group awareness into your existing policies,
and directs you to more specific information on configuring each type of policy that supports security
groups.
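As an added illustration that is not part of this guide: the access control entries that a security-group-aware rule produces on an ASA look like the ASA CLI below. The object-group name, security group names, tag values, ACL name, interface and port are hypothetical, and the exact CLI that Security Manager generates for a given policy is an assumption based on the ASA access-list syntax rather than something this page states.

```cisco
! Hypothetical TrustSec security group object as it appears on the ASA.
! Security group names are resolved to tags through the ISE server the
! ASA downloads its environment data from, so the names must exist there.
object-group security SG_Engineering
 security-group name Engineering
 security-group tag 100

! Security group criteria sit in the ACE alongside the source and destination
! addresses: the source side here matches the object group, the destination
! side matches a single tag.
access-list INSIDE_IN extended permit tcp object-group-security SG_Engineering any security-group tag 200 any eq 443

! A rule can also match a group by name alone, without an object.
access-list INSIDE_IN extended deny ip security-group name Contractors any any

access-group INSIDE_IN in interface inside
```

Because the name and tag criteria are ordinary ACE fields, a rule that uses them is evaluated in the same order and with the same implicit deny as any other rule in the ACL; a name that the ASA cannot resolve through ISE does not match any traffic, so verify the ISE connection before relying on name-based rules to enforce a deny.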