General Parameters

Purge Debugging Files Older Than (days)
The maximum number of days the system keeps debugging files; files older than this are deleted automatically. If you decrease
the number of days, you can click Purge Now to immediately delete all debugging files older than the number of days specified.

Default Deployment Method
Directory
The method to use as the default method for deploying configurations to devices:
- Device—Deploys the configuration directly to the device or to the transport mechanism specified for the device. For more
information, see Deploying Directly to a Device.
- File—Deploys the configuration file to a directory on the Security Manager server. If you select File, specify the directory
to which you want to deploy the configuration file in the Destination column. Even if you select File as the default, the
setting does not apply to IPS devices; IPS devices support device deployment only. For more information, see Deploying to a File.
You can override this method when you create deployment jobs.

When Out of Band Changes Detected
How Security Manager should respond when it detects that changes were made directly on the device CLI since a configuration
was last deployed to the device. Out-of-band change detection works correctly only when deploying to the device, not to a file,
and applies only when the deployment method is configured to obtain the reference configuration from the device (see the
Deploy to Device Reference Configuration setting below).
This setting specifies the default action, which you can override when you create deployment jobs. You can choose one of the
following:
- Overwrite changes and show warning (default)—If changes were made to the device manually, Security Manager continues with
the deployment, overwrites the changes, and displays a warning notifying you of this action.
- Cancel deployment—If changes were made to the device manually, Security Manager cancels the deployment and displays a warning
notifying you of this action.
- Do not check for changes—Security Manager does not check for changes and deploys the changes to the device, overwriting any
local modifications.
For a more complete discussion of out-of-band change handling, see Understanding How Out-of-Band Changes are Handled.
Note: For devices in which failover is not configured, if you select the Cancel deployment option when out-of-band changes
are detected, the bootstrap configuration may cause deployments to fail. For deployments to be successful, you must configure
failover before discovering the device in Security Manager.

Deploy to File Reference Configuration
The configuration that Security Manager compares new policies against for the device when you are deploying the configuration
to a file on the Security Manager server:
- Archive (default)—The most recently archived configuration.
- Device—The current running device configuration, which is obtained from the device.
After comparing the configurations, Security Manager generates the correct CLI for deployment.

Deploy to Device Reference Configuration
The configuration that Security Manager compares new policies against for the device when you are deploying the configuration
directly to the device (or to a transport server):
- Archive—The most recently archived configuration.
- Device (default)—The current running device configuration, which is obtained from the device.
After comparing the configurations, Security Manager generates the correct CLI for deployment.
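As an added illustration (not Security Manager code), the following Python sketch shows how the reference configuration setting and the When Out of Band Changes Detected action combine to decide whether a deployment proceeds. The archived and running configs are constructed samples, and the line-set comparison is my own simplification of how the two configurations are compared.

```python
from dataclasses import dataclass, field

# The three "When Out of Band Changes Detected" actions described above.
OVERWRITE_WARN, CANCEL, NO_CHECK = "overwrite_warn", "cancel", "no_check"

@dataclass
class DeployResult:
    proceed: bool
    warnings: list = field(default_factory=list)
    oob: dict = field(default_factory=dict)

def config_lines(text):
    """Normalise a config: drop blank lines and '!' comment lines, strip whitespace."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("!")]

def out_of_band_changes(archived, running):
    """Lines on the device that the last deployed (archived) config lacks, and vice versa."""
    a, r = set(config_lines(archived)), set(config_lines(running))
    return {"added": sorted(r - a), "removed": sorted(a - r)}

def plan_deployment(reference, oob_action, archived, running):
    """reference is 'archive' or 'device' (the Deploy to Device Reference Configuration setting).
    Out-of-band detection only applies when the reference is obtained from the device."""
    result = DeployResult(proceed=True)
    if reference != "device" or oob_action == NO_CHECK:
        return result            # nothing is checked: any local edits are simply overwritten
    result.oob = out_of_band_changes(archived, running)
    if not (result.oob["added"] or result.oob["removed"]):
        return result
    if oob_action == CANCEL:
        result.proceed = False
        result.warnings.append("deployment cancelled: out-of-band changes found on device")
    else:                        # OVERWRITE_WARN (the default)
        result.warnings.append(f"overwriting out-of-band changes: {result.oob}")
    return result

# Constructed sample configs: the archive is what was last deployed; the running
# config has one line an operator added directly on the device CLI afterwards.
ARCHIVED = "hostname fw1\nlogging enable\nlogging buffered informational\n"
RUNNING = ARCHIVED + "logging host inside 10.0.0.5\n"
```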

Allow Download on Error
Whether deployments to devices should continue even if there are minor device configuration errors.

Save Changes Permanently on Device
Whether to save the running configuration to the startup configuration (using the write memory command) after deploying a
configuration to a device. This applies to PIX, FWSM, ASA, and Cisco IOS devices. If you deselect this check box, the startup
configuration is not changed, which means your configuration changes will be lost if the device reloads for any reason.

Preselect Devices with Undeployed Changes
Whether the list of changed devices you see when you create a deployment job has all changed devices preselected. If you deselect
this option, users must manually select the devices to include in the deployment job.

Enable Auto Refresh in Deployment Main Panel
Whether the deployment job and schedule status information should be automatically refreshed in the Deployment Manager window.
If you deselect this option, you must click the Refresh button to refresh the information manually.

Remove Unreferenced SSL VPN Files on Device (ASA Only)
Whether to have Security Manager delete files related to the SSL VPN configuration from the device if the files are no longer
referred to by the device's SSL VPN configuration. If you deselect this option, unused files remain on the device after deployment.

Mask Passwords and Keys When Viewing Configs and Transcripts
Mask Passwords and Keys When Deploying to File
The conditions, if any, under which Security Manager masks the following items so that they cannot be read: passwords for
users, enable mode, Telnet, and console; SNMP community strings; and keys, including those for TACACS+, Preshared Key, RADIUS
server, ISAKMP, failover, web VPN attributes, logging policy attributes, AAA, AUS, OSPF, RIP, NTP, logging FTP server,
point-to-point protocol, Storage Key, single sign-on server, load balancing, HTTP/HTTPS proxy, and the IPsec shared key.
- Mask Passwords and Keys When Viewing Configs and Transcripts—This option affects only the on-screen display of the credentials,
which guards against unauthorized personnel viewing them. If you do not select this option, credentials in full transcripts
might still be masked depending on how the device handles them.
- Mask Passwords and Keys When Deploying to File—This option affects the contents of configuration files that are deployed to
file, making them undeployable to actual devices. Select this option only if you will never need to actually deploy these
configurations to real devices. Selecting this option has no effect on whether credentials are masked when viewed.
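Added example, not Security Manager code: a masking pass of the kind the two options describe, applied independently to the on-screen view and to the file written for a file deployment, so that masking one never affects the other. The command forms are IOS/ASA syntax for a subset of the item types listed above; the sample config, the mask token and the helper names are my own assumptions.

```python
import re

MASK = "*****"   # assumed mask token; the product's real marker may differ

# (pattern, replacement): group 1 keeps the command words, the secret after it is replaced.
_RULES = [(re.compile(p), r"\1 " + MASK) for p in (
    r"^(enable (?:password|secret)(?: \d)?) (\S+)",                          # enable-mode password
    r"^(username \S+ (?:password|secret)(?: \d)?) (\S+)",                    # user passwords
    r"^(snmp-server community) (\S+)",                                       # SNMP community string
    r"^((?:tacacs-server|radius-server) (?:host \S+ )?key(?: \d)?) (\S+)",   # AAA server keys
    r"^(crypto isakmp key) (\S+)",                                           # ISAKMP preshared key
    r"^(ntp authentication-key \d+ md5) (\S+)",                              # NTP key
)]

def mask_line(line):
    for pat, repl in _RULES:
        if pat.match(line):
            return pat.sub(repl, line, count=1)
    return line

def mask_config(text):
    return "\n".join(mask_line(ln) for ln in text.splitlines())

def is_deployable(text):
    """A masked file cannot be pushed to a real device: the secrets are gone."""
    return MASK not in text

def apply_masking(config, mask_view, mask_file):
    """Return (what the user sees, what is written to the deployment file).
    The two options are independent, as the descriptions above state."""
    return (mask_config(config) if mask_view else config,
            mask_config(config) if mask_file else config)

# Constructed sample configuration (placeholder values, not real credentials).
SAMPLE = """hostname fw1
enable secret 5 $1$EXAMPLE$abcdefghijklmnop
username admin password 7 0822455D0A16
snmp-server community public RO
tacacs-server host 10.0.0.9 key s3cret
crypto isakmp key PreSharedExample address 203.0.113.1
ntp authentication-key 1 md5 ntpsecret
interface GigabitEthernet0/0
 description uplink"""
```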

Deploy only new or modified Flexconfigs
Whether to deploy FlexConfigs only once, after a FlexConfig is created or modified, or to deploy all FlexConfigs with each
deployment. This option is selected by default.
Note: If you have FlexConfigs that need to be deployed with each deployment, you will need to disable this option. After changing
this setting, you will need to manage one-time FlexConfigs by deleting them after they have been deployed.

ACL Parameters

Optimize the Deployment of Access Rules For (IPv4 and IPv6 access rules.)
How firewall rules are deployed. You can choose one of the following:
- Speed (default)—Increases deployment speed by sending only the delta (difference) between the new and old ACLs. This is the
recommended option. By making use of ACL line numbers, this approach selectively adds, updates, or deletes ACEs at specific
positions and avoids resending the entire ACL. Because the ACL being edited is still in use, there is a small chance that
some traffic might be handled incorrectly between the time an ACE is removed and the time that it is added at its new position.
The ACL line number feature is supported by most Cisco IOS, PIX, and ASA versions, and became available in FWSM from FWSM 3.1(1).
- Traffic—This approach switches ACLs seamlessly and avoids traffic interruption. However, deployment takes longer and uses
more device memory until the temporary ACLs are deleted. First, a temporary copy is made of the ACL that is intended for
deployment, and this temporary ACL is bound to the target interface. Then the old ACL is recreated with its original name but
with the content of the new ACL, and it is bound to the target interface. At this point, the temporary ACL is deleted.
Note: For FWSM devices, this option affects processing only if you also select the Let FWSM Decide When to Compile Access Lists
option.
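Added example (not Security Manager code) of the Speed option's line-number delta described above: only the changed ACEs are sent, and a moved ACE is absent from the ACL between its removal and its re-insertion, which is the window the text warns about. The ACE strings are constructed, and the ASA-style "access-list NAME line N ..." syntax is assumed from memory rather than taken from the page.

```python
from difflib import SequenceMatcher

def speed_delta(name, old, new):
    """CLI that turns the device's ACL `name` from ACE list `old` into `new`
    in place, using line numbers instead of resending the whole ACL."""
    ops = SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
    cli = []
    # Phase 1: remove ACEs that are gone or have moved. Removal is by content (ACLs
    # hold no duplicate ACEs), and a moved ACE must go before it is re-added elsewhere.
    for tag, i1, i2, _, _ in ops:
        if tag in ("delete", "replace"):
            cli += [f"no access-list {name} {ace}" for ace in old[i1:i2]]
    # Phase 2: the device now holds exactly the unchanged ACEs in order, so walking the
    # opcodes forward, everything before an insert already equals new[:j1] and the
    # new ACEs go in at lines j1 + 1, j1 + 2, ...
    for tag, _, _, j1, j2 in ops:
        if tag in ("insert", "replace"):
            cli += [f"access-list {name} line {k} {ace}" for k, ace in enumerate(new[j1:j2], j1 + 1)]
    return cli

def apply_cli(old, cli):
    """Simulate the device applying the commands, to verify the end state."""
    acl = list(old)
    for cmd in cli:
        parts = cmd.split()
        if parts[0] == "no":
            acl.remove(" ".join(parts[3:]))                      # no access-list NAME <ace>
        else:
            acl.insert(int(parts[3]) - 1, " ".join(parts[4:]))   # access-list NAME line N <ace>
    return acl

# Constructed old and new ACE lists: the icmp ACE moves up and a udp ACE is added.
OLD = ["extended permit tcp any host 10.0.0.5 eq 443",
       "extended permit tcp any host 10.0.0.6 eq 22",
       "extended permit icmp any any",
       "extended deny ip any any log"]
NEW = ["extended permit tcp any host 10.0.0.5 eq 443",
       "extended permit icmp any any",
       "extended permit tcp any host 10.0.0.6 eq 22",
       "extended permit udp any host 10.0.0.7 eq 53",
       "extended deny ip any any log"]
```

Three commands replace the five-line ACL, and the first of them is the removal that opens the brief window in which the moved ACE is not on the device.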

Firewall Access-List Names (IPv4 and IPv6 access rules.)
How ACL names are deployed to devices if the access rule does not have a name in Security Manager:
- Reuse existing names—Reuse the ACL name that is configured in the reference configuration (which is usually from the device).
- Reset to CS-Manager generated names—Reset the name to a Security Manager auto-generated ACL name.

Enable ACL Sharing for Firewall Rules (IPv4 and IPv6 access rules.)
Whether Security Manager should share a single access control list (ACL) for an access rule policy with more than one interface.
If you do not select this option, Security Manager creates unique ACLs for every interface to which you apply an IPv4 or IPv6
access rule policy. ACLs are shared only when they were created by access rule policies.
If you select this option, Security Manager evaluates the access rules policy for each interface and deploys the minimum number
of ACLs required to implement your policy while preserving your ACL naming requirements. For example, if you use an interface
role to assign the same rules to four interfaces, you specify Reset to CS-Manager generated names for the Firewall Access-List
Names property, and you do not specify ACL names for the interfaces in the access control settings policy, only a single ACL
is deployed, and each interface uses that ACL.
If you select this option, keep the following in mind:
- An interface might use an ACL that is named for a different interface.
- If you specify a name for the ACL in the access control settings policy, an ACL by that name is created even if it is otherwise
identical to one used by another interface. Names specified in this policy take precedence over any other settings.
- If you select Reuse existing names for the Firewall Access-List Names property, the existing names are preserved (unless you
override them in the access control settings policy). This means that you might end up with duplicate ACLs under different
names if duplicate ACLs already exist on the device.
- Hit count statistics are based on the ACL, not on the interface, so a shared ACL provides statistics that are combined from all
interfaces that share the ACL.
- Sharing ACLs is primarily beneficial for memory-constrained devices such as the FWSM.
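Added example (not Security Manager code) working through the sharing rules just listed: identical rule sets collapse to one ACL under generated names, an explicit name from the access control settings policy always gets its own ACL, reused existing names keep duplicates apart, and hit counts aggregate per ACL. The interface names, rules and the generated-name format are constructed assumptions.

```python
from collections import OrderedDict

def plan_acls(interfaces, sharing, name_mode):
    """interfaces: dicts with 'name', 'rules' (tuple of ACE strings), optional 'acl_name'
    (set in the access control settings policy) and optional 'existing' (the ACL name
    currently bound on the device). name_mode: 'reset' (Reset to CS-Manager generated
    names) or 'reuse' (Reuse existing names). Returns ({acl_name: rules}, {interface: acl_name})."""
    acls, binding, shared = OrderedDict(), {}, {}
    for ifc in interfaces:
        rules = tuple(ifc["rules"])
        if ifc.get("acl_name"):
            name = ifc["acl_name"]               # explicit name wins, even for identical rules
        elif name_mode == "reuse" and ifc.get("existing"):
            name = ifc["existing"]               # preserved, so device-side duplicates survive
        elif sharing and rules in shared:
            name = shared[rules]                 # same rules already deployed: reuse that ACL
        else:
            name = f"CSM_{ifc['name']}_acl"      # assumed generated-name format
            if sharing:
                shared[rules] = name
        acls[name] = rules
        binding[ifc["name"]] = name
    return acls, binding

def hit_counts_per_acl(binding, hits_per_interface):
    """Hit counts are kept per ACL, so a shared ACL reports the sum over its interfaces."""
    totals = {}
    for ifc, acl in binding.items():
        totals[acl] = totals.get(acl, 0) + hits_per_interface.get(ifc, 0)
    return totals

# Constructed: an interface role assigns the same rule to four DMZ interfaces; two of
# them already carry an ACL on the device, and dmz4 has an explicit ACL name in its
# access control settings policy.
RULE = ("permit tcp any any eq 443",)
IFCS = [{"name": "dmz1", "rules": RULE, "existing": "dmz1_in"},
        {"name": "dmz2", "rules": RULE, "existing": "dmz2_in"},
        {"name": "dmz3", "rules": RULE},
        {"name": "dmz4", "rules": RULE, "acl_name": "PCI_IN"}]
```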

Let FWSM Decide When to Compile Access Lists (IPv4 access rules only.)
Whether to have the Firewall Services Module (FWSM) automatically determine when to compile access lists. Selecting this option
might increase deployment speed, but traffic might be disrupted and the system might become incapable of reporting ACL compilation
error messages. If you select this option, you can use the Optimize the Deployment of Access Rules For Traffic setting to
mitigate potential traffic disruptions.
When deselected, Security Manager controls ACL compilation to avoid traffic interruption and to minimize peak memory usage
on the device.
Caution: You should not select this option unless you are experiencing deployment problems and you are an advanced user.

Remove Unreferenced Access-lists on Device (IPv4 and IPv6 access rules.)
Whether to delete from devices, during deployment, any access lists that are not being used by other CLI commands managed by
Security Manager.
Note: After enabling this option, Security Manager removes access lists during deployment that are not used in any policies
managed or discovered by Security Manager. If a policy that is NOT discovered or managed by Security Manager is using such
an access list, Security Manager still attempts to delete that object during deployment. This also applies to access lists
that are used in FlexConfigs but are not used in any other policies managed by Security Manager.
Warning: When you enable the Remove Unreferenced Access-lists on Device option in Administrative Settings, Cisco Security
Manager automatically removes access lists that are not used in any policies managed or discovered by Security Manager.
However, when a Group Policy VPN filter is used, Security Manager removes the unreferenced access lists even if the Remove
Unreferenced Access-lists on Device option has not been enabled.

Generate ACL Remarks During Deployment (IPv4 and IPv6 access rules.)
Whether to display ACL warning messages and remarks during deployment.

Preserve Sections for Access Rules
Whether to deploy the section name under which access rules are organized. This option ensures that if a device is discovered
or rediscovered, the section names are not lost.

Generate CSM Rule Number
Whether to deploy the rule number used in the Cisco Security Manager user interface. This option helps in correlating an access
rule in a device configuration to its position in the rule table.

Object Group Parameters

Remove Unreferenced Object Groups from Device (PIX, ASA, FWSM, IOS 12.4(20)T+) (IPv4 and IPv6 objects.)
Whether Security Manager should remove from devices, during deployment, object groups that are not being used by other CLI
commands managed by Security Manager. Object groups include network/host, service, and identity user groups.
Note: After enabling this option, Security Manager removes objects during deployment that are not used in any policies managed
or discovered by Security Manager. If a policy that is NOT discovered or managed by Security Manager is using such an object,
Security Manager still attempts to delete that object during deployment. In such cases, deployment fails with a transcript
error indicating that it was unable to delete the object.
Tip: Network/host objects that include object NAT configurations on ASA 8.3+ devices are never considered unreferenced.
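Added example, not Security Manager code, covering both Remove Unreferenced Access-lists on Device and Remove Unreferenced Object Groups from Device: it finds ACLs and object groups that no command in the managed configuration references, then simulates the deployment failure the notes describe when a policy Security Manager does not manage still uses one of them. The ASA-style configs are constructed, and the reference patterns are an assumption that covers only access-group, vpn-filter, match access-list and object-group uses inside ACEs.

```python
import re

ACL_DEF = re.compile(r"^access-list (\S+) ")
OG_DEF = re.compile(r"^object-group \S+ (\S+)")
# ACL uses: bound to an interface, a group-policy VPN filter, or a class-map.
ACL_REF = re.compile(r"^(?:access-group (\S+)|\s*vpn-filter value (\S+)|\s*match access-list (\S+))")
OG_REF = re.compile(r"object-group (\S+)")   # object group used inside an ACE

def scan(cfg):
    """Return (defined ACLs, defined groups, referenced ACLs, referenced groups)."""
    acls, groups, acl_refs, og_refs = set(), set(), set(), set()
    for ln in cfg.splitlines():
        if ACL_DEF.match(ln):
            acls.add(ACL_DEF.match(ln).group(1))
            og_refs.update(OG_REF.findall(ln))          # groups the ACE points at
        elif OG_DEF.match(ln):
            groups.add(OG_DEF.match(ln).group(1))
        elif ACL_REF.match(ln):
            acl_refs.add(next(g for g in ACL_REF.match(ln).groups() if g))
    return acls, groups, acl_refs, og_refs

def unreferenced(managed_cfg):
    acls, groups, acl_refs, og_refs = scan(managed_cfg)
    return sorted(acls - acl_refs), sorted(groups - og_refs)

def remove_unreferenced(managed_cfg, device_cfg):
    """Simulated deployment: the device refuses to delete an object that its running
    config still uses, which surfaces as a transcript error. Returns (removed, failed)."""
    _, _, dev_acl_refs, dev_og_refs = scan(device_cfg)
    acls, groups = unreferenced(managed_cfg)
    removed, failed = [], []
    for name in acls:
        (failed if name in dev_acl_refs else removed).append(("access-list", name))
    for name in groups:
        (failed if name in dev_og_refs else removed).append(("object-group", name))
    return removed, failed

# Constructed: the policies Security Manager manages, and the device's full running
# config, which also carries a class-map that Security Manager never discovered.
MANAGED = """object-group network WEB_SERVERS
 network-object host 10.0.0.5
object-group network OLD_SERVERS
 network-object host 10.0.0.9
access-list outside_in extended permit tcp any object-group WEB_SERVERS eq 443
access-list legacy_in extended permit ip any any
access-list vpn_users extended permit ip 10.1.0.0 255.255.0.0 any
access-group outside_in in interface outside
group-policy SALES attributes
 vpn-filter value vpn_users
"""
DEVICE = MANAGED + "class-map legacy-traffic\n match access-list legacy_in\n"
```

With the undiscovered class-map present, OLD_SERVERS is removed but the delete of legacy_in fails, which is the transcript error the notes above describe.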

Create Object Groups for Policy Objects (PIX, ASA, FWSM, IOS 12.4(20)T+)
Create Object Groups for Multiple Sources, Destinations or Services in a Rule (PIX, ASA, FWSM, IOS 12.4(20)T+)
Optimize Network Object Groups During Deployment (PIX, ASA, FWSM, IOS 12.4(20)T+)
(IPv4 and IPv6 objects.)
Whether Security Manager should create object groups, such as network objects, service group objects, and identity user group
objects, to replace comma-separated values in a rule table cell for the indicated devices. When deselected, Security Manager
flattens the object groups to display the IP addresses, sources and destinations, users, ports, and protocols for these devices.
Tip: These options do not apply to host, network, or address range network/host objects, or to service objects (as opposed to
service group objects), which are always created as objects. Multiple FQDN network objects can be grouped into a single network object.
If you select this option, you can also select these options:
- Create Object Groups for Multiple Sources, Destinations or Services in a Rule—Whether to automatically create network objects,
service objects, and identity user group objects to replace comma-separated values in a rule table cell that resulted when
multiple rules were combined. The objects are created during deployment and are named in the format CSM_INLINE..., for example,
CSM_INLINE_src_rule_8589960758. For more information, see Combining Rules.
- Optimize Network Object Groups During Deployment—Whether to optimize network object groups by making them more succinct.
For more information on optimizing policy objects, see Optimizing Network Object Groups When Deploying Firewall Rules.

IPS Parameters

Generate transcripts for IPS Auto-Update Jobs

Attach transcripts to email for IPS Auto-Update Jobs

Remove Unreferenced Signature and Event Action Variables from IPS Device (IPS Parameters object group)
Whether to delete the unused variables from the sensor (IPS device) configuration during the next deployment. IPS event and
signature variables are defined as policy objects in Security Manager.
Disabled by default (the check box is cleared); that is, unreferenced variables are not removed.
Applies to the following variables, for both IPv4 and IPv6:
- signature source and destination addresses
- signature service port variables in signature engine parameters
- victim and attacker addresses in event action filters
- network information target addresses
Does not apply to the following variables:

Save button
Saves and applies changes.

Reset button
Resets changes to the last saved values.

Restore Defaults button
Resets values to Security Manager defaults.