16-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter16 Managing Firewall Access Rules
Configuring Expiration Dates for Access Rules
A frequent use of access rules is to provide temporary access to a network. For example, you might
configure an access rule to allow a partner access for the duration of a specific project. Ideally, you want
to remove the access rule at the completion of the project. However, as access rule lists grow, it is hard
to manage them and to remember which rules were meant to be temporary.
To help you deal with this problem, you can configure expiration dates for access rules. By configuring
an expiration date, you can project when you believe the rule will no longer be needed.
Expiration dates are not hard and fast dates; Security Manager does not delete rules that reach their
expiration date. Instead, when an expiration date is reached, Security Manager displays “Expired” in
bold letters in the Expiration Date column for the rule. You can filter the access rules page based on the
expiration date field, for example, filtering for “expiration date has passed” to see all expired rules.
If the rule is no longer needed, you can delete it (right-click and select Delete Row), or disable it
(right-click and select Disable), and then redeploy the configuration to the device. You might want to
initially disable the rule, which leaves the rule in the table (overlain with hash marks), in case you
discover the rule really was still needed after all, saving you the time of recreating the rule. You then just
need to re-enable the rule (right-click and select Enable) and redeploy the configuration.
When you configure an expiration date, you can also configure notification settings, specifying an e-mail
address that should be notified when an expiration date is approaching. You can specify how many days
before the expiration date to send the notification e-mail message to allow you time to evaluate the rule.
The notification settings are initially filled with the values configured in the administration settings
(select Tools > Security Manager Administration > Rule Expiration); you can enter different settings
for a given rule.
To configure rule expiration:
• When creating a new rule, or editing an entire rule, click the Advanced button in the Add and Edit Access Rule Dialog Boxes, page 16-13, to get to the rule expiration settings.
• For existing rules, you can add or edit expiration settings without editing the entire rule. Right-click the Expiration Date cell for the rule and select Edit Rule Expiration. You can select multiple rows to configure the same rule expiration settings for all of them. For more information, see Advanced and Edit Options Dialog Boxes, page 16-15.
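The expiration semantics described above (a reached date flags the rule as Expired but never deletes it, and a notification window opens a configurable number of days earlier) can be checked offline against an exported rule list. The following is an added example, not code from the Cisco guide or from Security Manager; the rule fields, the default notification lead of 7 days, and the sample rules are constructed assumptions.

```python
"""Added example (not from the Cisco guide): models the rule-expiration
semantics described above so an exported rule list can be audited offline.
Rule fields, the admin default, and the sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed value of Tools > Security Manager Administration > Rule Expiration
DEFAULT_NOTIFY_DAYS = 7


@dataclass
class AccessRule:
    name: str
    expires: Optional[date]             # None: the rule never expires
    enabled: bool = True
    notify_days: Optional[int] = None   # per-rule override of the admin default


def rule_status(rule: AccessRule, today: date) -> str:
    """Classify a rule the way the Expiration Date column would present it.
    Expired rules are only flagged; disabling or deleting is left to the admin."""
    if rule.expires is None:
        return "no-expiry"
    if today >= rule.expires:
        return "Expired"
    lead = rule.notify_days if rule.notify_days is not None else DEFAULT_NOTIFY_DAYS
    if today >= rule.expires - timedelta(days=lead):
        return "notify"                 # inside the e-mail notification window
    return "active"


def expired_rules(rules: List[AccessRule], today: date) -> List[str]:
    """Equivalent of filtering the rules page for 'expiration date has passed'."""
    return [r.name for r in rules if rule_status(r, today) == "Expired"]


def notifications_due(rules: List[AccessRule], today: date) -> List[str]:
    """Rules whose notification e-mail should already have been sent."""
    return [r.name for r in rules if rule_status(r, today) == "notify"]


# Constructed sample rule list, as it might be exported from the rules table
SAMPLE_RULES = [
    AccessRule("partner-project-a", date(2013, 3, 1)),
    AccessRule("partner-project-b", date(2013, 3, 20), notify_days=14),
    AccessRule("contractor-vpn", date(2013, 6, 30)),
    AccessRule("core-mgmt", None),
]

if __name__ == "__main__":
    audit_day = date(2013, 3, 10)
    print("expired:", expired_rules(SAMPLE_RULES, audit_day))
    print("notify:", notifications_due(SAMPLE_RULES, audit_day))
```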
Table 16-4 Hit Count Selection Summary Dialog Box (Continued)
Element: Rules Selected
Description: The rules for which you want to obtain hit count details. Choose one of the following:
• Select the rules: Obtains information for only those rules you selected. You can select the rows related to the name of a scope, a section name, multiple individual rules, or create a filter and select all filtered rules. This is the default if any row is selected when you initiate the hit count report.
• All Rules: Obtains hit counts for all inherited, shared, and local rules. The option is not restricted to the scope indicated in the Policy Selected field. This is the only available option if you do not select any rules before initiating the hit count report.