Understanding FlexConfig Policies and Policy Objects
FlexConfig policy objects are used in FlexConfig policies. They allow you to configure device features that are not otherwise supported by Security Manager, or to otherwise fine-tune your device configurations. These policy objects include device configuration commands, variables, and optionally, scripting language instructions to control processing. FlexConfig objects are essentially programming routines to add content to the device configurations that Security Manager generates.
You can create FlexConfig policy objects from scratch or you can duplicate one of the objects that are included with Security Manager.
FlexConfig policies are simply an ordered list of FlexConfig policy objects. Your objects are processed in the order that you specify.
The following topics help you understand FlexConfig policy objects and by extension, FlexConfig policies. For more information about policy objects in general, see Managing Policy Objects.
Using CLI Commands in FlexConfig Policy Objects
The configuration commands that you enter into the FlexConfig Editor are actual CLI commands used to configure devices, such as PIX Firewalls and Cisco IOS Routers. You can include CLI commands that are not supported in Security Manager. You are responsible for knowing and implementing the command according to the proper syntax for the device type. See the command reference for the particular operating system for more information.
When you create a FlexConfig policy object, you determine whether the commands and instructions should be added to the beginning or end of the configuration that is generated from regular Security Manager policies:
- Prepended objects—FlexConfig objects that are processed at the beginning of the configurations. If Security Manager policies configure any of the same commands included in the object, the prepended commands are replaced when configuration files are deployed.
- Appended objects—FlexConfig objects that are processed at the end of the configurations, after all other commands in the configuration file and before the write mem command.
If the appended commands are already configured on the device, the device generates an error when you try to add them again. To resolve this, two workarounds are available:
- Enter the command that removes the configuration in question as an appended command. For example, if the command is xyz, enter the following two lines:
  no xyz
  xyz
- Change the setting that controls the action that the device will take to “warn.” This is set under Tools > Security Administration > Deployment.
The setting change will affect the behavior of devices for all commands being deployed, not just those designated as appended commands.
Note: If you are deploying to a device, you should remove most appended commands after the initial deployment. This is especially true for object groups, where any unbound object group is replaced in the Ending Command section during command generation, then re-sent each time the configuration is deployed to a device. The device displays an error because the firewall device shows that the object group already exists. If you are deploying to a file or AUS, the appended commands should remain.
Using Scripting Language Instructions
You can use scripting language instructions in a FlexConfig policy object to control how the commands in the object are processed. Scripting language instructions are a subset of commands supported in the Velocity Template Engine, a Java-based scripting language that supports looping, if/else statements, and variables.
Security Manager supports all Velocity Template Engine commands except the include and parse commands. For information about the other supported commands, see the Velocity Template Engine documentation.
The following topics provide examples of the most commonly used functions:
Scripting Language Example 1: Looping
A plain old telephone service (POTS) dial peer enables incoming calls to be received by a telephony device by associating a telephone number to a voice port. The following example enables caller ID for a set of POTS dial peers.
Object Body
#foreach ($peer_id in ["2", "3", "4"])
dial-peer voice $peer_id pots
caller-id
#end
CLI Output
dial-peer voice 2 pots
caller-id
dial-peer voice 3 pots
caller-id
dial-peer voice 4 pots
caller-id
Scripting Language Example 2: Looping with Two-Dimensional Arrays
In this example, a set of phone numbers is associated to voice ports so that incoming calls can be received at a router.
Object Body
#foreach ($phone in [ [ "2000", "15105552000", "1/0/0" ], [ "2100",
"15105552100", "1/0/1" ], [ "2200", "15105552200", "1/0/2" ] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.get(2)
#end
CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
dial-peer voice 2100 pots
destination-pattern 15105552100
port 1/0/1
dial-peer voice 2200 pots
destination-pattern 15105552200
port 1/0/2
Scripting Language Example 3: Looping with If/Else Statements
In this example, a set of phone numbers is associated to voice ports so that incoming calls can be received at a router. In addition, another set of phone numbers is associated to IP addresses to enable Voice Over IP outgoing calls from the router.
Object Body
#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "", "ipv4:150.50.55.55" ],
[ "2300", "15105552300", "", "ipv4:150.50.55.55" ] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
#if ( $phone.get(2) == "" )
session target $phone.get(3)
#else
port $phone.get(2)
#end
#end
CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
dial-peer voice 2100 pots
destination-pattern 15105552100
port 1/0/1
dial-peer voice 2200 pots
destination-pattern 15105552200
session target ipv4:150.50.55.55
dial-peer voice 2300 pots
destination-pattern 15105552300
session target ipv4:150.50.55.55
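The following object body is an added example rather than one taken from the Security Manager documentation. It combines the looping and if/else constructs of Examples 1 to 3 with the "no xyz" then "xyz" workaround for appended objects described under Using CLI Commands in FlexConfig Policy Objects: as an Appended object for an ASA, it defines a set of network object groups and removes any existing copy of each group first, so that redeploying the object does not fail because the group already exists. The group names, networks and descriptions are constructed sample values, and the object-group and network-object commands are standard ASA syntax used here for illustration.

```velocity
## Added example (not from the Security Manager documentation).
## Appended ASA FlexConfig object: each element of the list is
## [ group name, member network, optional description ].
## Group names, networks and descriptions are constructed sample values.
#foreach ( $grp in [ [ "BLOCKED_SOURCES", "198.51.100.0 255.255.255.0", "addresses blocked by the SOC" ],
                     [ "MGMT_HOSTS",      "192.0.2.0 255.255.255.0",    "" ] ] )
## Remove any copy left from an earlier deployment before defining the group again.
no object-group network $grp.get(0)
object-group network $grp.get(0)
## Emit a description line only when the third element is non-empty.
#if ( $grp.get(2) != "" )
 description $grp.get(2)
#end
 network-object $grp.get(1)
#end
```

For each group the object emits the removal line, the group definition, a description line only where one was supplied, and the member network. Whether a device accepts the no form for a group that does not yet exist depends on its software, so validate the object with the Validate FlexConfig button and check the first deployment against a test device, or combine this with the warn deployment setting described above.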
Understanding FlexConfig Object Variables
Variables in FlexConfig policy objects start with the $ character. For example, in the following line, $inside is a variable:
interface $inside
There are three types of variables you can use in a FlexConfig policy object:
- Policy object variables—Static variables that reference a specific property. For example, Text objects are a type of policy object variable. They are a name and value pair, and the value can be a single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of textual data to be referenced and acted upon by any policy object.
  There are three ways to add policy object variables to a FlexConfig policy object. First, move the cursor to the desired location, and then:
  - Right-click and select Create Text Object. This command opens a dialog box where you can create a simple single-value text object and assign it a value. When you click OK, the variable is added to the object, and it is added to the list of defined Text objects in the Policy Object Manager window so that you can use it in other objects or edit its definition. For an example of creating simple text variables, see Example of FlexConfig Policy Object Variables.
  - Right-click and select a policy object type from the Insert Policy Object sub-menu. These commands open a selector dialog box where you can select the specific policy object that contains the variable that you want to insert. After selecting the policy object, you are presented with the Property Selector dialog box, where you choose the specific property of the object that you want to use and optionally change the name of the variable associated with the property.
    By using this technique, you can add a property from an existing policy object when you know that the property has the value that you want to use. For example, if you want to insert a variable that specifies the RADIUS protocol from the AAA Server Group policy object named RADIUS, you would right-click, select Insert Policy Object > AAA Server Group, select RADIUS in the AAA Server Group Selector dialog box, click OK, and then select Protocol in the Object Property field on the AAA Server Group Property Selector dialog box and click OK. The $protocol variable is inserted at the cursor, and the value for the property as defined in the selected object is added to the variables list.
  - Type in a variable name. If you type in a variable, you cannot assign it a value until you click OK on the Add or Edit FlexConfig dialog box. You will be prompted that a variable is undefined, and given the opportunity to define its value. In the FlexConfig Undefined Variable dialog box, you can select the object type of the policy object that contains the desired value, which will prompt you to select the specific policy object and variable. This is essentially identical to the process for inserting policy object variables described above. The technique you use is a matter of personal preference; the end result is the same.
- System variables—Dynamic variables that reference a value during deployment when the configuration is generated. The values are obtained from either the target device or policies configured for the target device. You can declare system variables to be optional in FlexConfig policy objects, which means that such a variable does not need to be assigned a value for the object to be deployed to the device.
  To insert a system variable into a FlexConfig policy object, move the cursor to the desired location, right-click, and select the variable from the Insert System Variable sub-menus. For a description of the available system variables, see FlexConfig System Variables.
- Local variables—Variables that are local to the looping and assignment directives (the foreach and set statements). Local variables get their values directly from the Velocity Template Engine; you do not need to supply values for them.
  To insert a local variable, simply type it in. When you click OK on the Add or Edit FlexConfig dialog box, you will be asked if you want to define the undefined variable. You can click No, or if you click Yes to define other variables, you can leave the object type of the local variable as Undefined.
Example of FlexConfig Policy Object Variables
Using CLI commands and variables, you can create a FlexConfig policy object to name the inside interface and crypto map on a Cisco router:
interface $inside
crypto map $mapname
The following example shows how to create a FlexConfig policy object that adds these commands and configures the value of $inside as serial0 and $mapname as my_crypto.
When you add the FlexConfig policy object to a device, and the configuration is generated, the following output is created:
interface serial0
crypto map my_crypto
Procedure
Step 1. Select Manage > Policy Objects to open the Policy Object Manager (see Policy Object Manager).
Step 2. Select FlexConfigs from the table of contents. The table in the right pane lists the existing FlexConfig objects.
Step 3. Right-click in the table and select New Object. The Add FlexConfig dialog box appears (see Add or Edit FlexConfig Dialog Box).
Step 4. Enter a name and optionally a description for the object.
Step 5. Keep Appended for Type so that the commands are added at the end of the device configuration.
Step 6. Create the content of the object:
Step 7. Click the Validate FlexConfig icon button above the edit box to check the integrity and deployability of the object. If any errors are identified, fix them.
Step 8. Click OK to save the policy object. You can now add the object to a device’s local or shared FlexConfig policy.
FlexConfig System Variables
System variables reference values during deployment when commands are generated. Security Manager provides a set of defined system variables for you to use in defining FlexConfig policy objects. The values come from the policies you create for the target devices. The values for these variables are required unless otherwise noted. For information about these variables, see the following tables:
- Device system variables—Table 1. For more information about discovering or configuring devices to obtain values for these variables, see Managing the Device Inventory.
- Firewall system variables—Table 2. For more information about firewall policies, see Managing Firewall Devices and Introduction to Firewall Services.
- Router platform system variables—Table 3. For more information about router policies, see Managing Routers.
- VPN system variables—Table 4. For more information about VPN policies, see Managing Site-to-Site VPNs: The Basics.
- Remote access system variables—Table 5. For more information about remote access policies, see Managing Remote Access VPNs: The Basics.
Table 1: Device system variables

| Name | Dimension | Description |
|---|---|---|
| SYS_DEVICE_IDENTITY | 0 | Unique device identity for devices managed by a Configuration Engine or Auto Update Server (AUS) as defined on the Tools > Device Properties > General tab. There must be a device identity for devices managed by these servers. |
| SYS_DOMAIN_NAME | 0 | DNS domain name as defined on the Tools > Device Properties > General tab. This is not necessarily the same value that is defined in the Platform > Device Admin > Hostname policy. |
| SYS_FW_OS_MODE | 0 | Operating system mode of the FWSM or ASA device as defined on the Tools > Device Properties > General tab. Possible values are ROUTER (routed mode), TRANSPARENT, or NOT_APPLICABLE. |
| SYS_FW_OS_MULTI | 0 | Whether the FWSM or ASA is running in single- or multiple-context mode as defined on the Tools > Device Properties > General tab. Possible values are SINGLE, MULTI, or NOT_APPLICABLE. |
| SYS_HOSTNAME | 0 | Device hostname as defined on the Tools > Device Properties > General tab. This is not necessarily the same value that is defined in the Platform > Device Admin > Hostname policy. |
| SYS_IMAGE_NAME | 0 | Device image name as defined on the Tools > Device Properties > General tab. |
| SYS_INTERFACE_IP_LIST | 1 | IP addresses and masks of the interfaces configured in the Interfaces policy, in x.x.x.x/nn format (for example, 10.20.1.2/24). If no interfaces are defined on the device, no list is returned. The elements of SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST share the same index for an interface: if element 3 in SYS_INTERFACE_NAME_LIST is Ethernet1, element 3 in SYS_INTERFACE_IP_LIST is the IP address of Ethernet1, and if Ethernet1 has no IP address, element 3 in SYS_INTERFACE_IP_LIST is empty. This variable is optional. |
| SYS_INTERFACE_NAME_LIST | 1 | Names of the interfaces on the device configured in the Interfaces policy. If no interfaces are defined on the device, no list is returned. See SYS_INTERFACE_IP_LIST above for how the two lists are indexed. This variable is optional. |
| SYS_MANAGEMENT_IP | 0 | Management IP address of the device as defined on the Tools > Device Properties > General tab. |
| SYS_MDF_TYPE | 0 | Cisco MDF (MetaData Framework) device type, which indicates the device model. This value is displayed on the Tools > Device Properties > General tab, and is determined when you add the device to Security Manager. |
| SYS_OS_RUNNING_VERSION | 0 | Software version of the operating system running on the device as displayed on the Tools > Device Properties > General tab. For example, 12.1, 12.2S, and so on, on an IOS platform. This value is determined when you discover policies from the device. |
| SYS_OS_TARGET_VERSION | 0 | Operating system version to be used when generating the device configuration as defined on the Tools > Device Properties > General tab. |
| SYS_OS_TYPE | 0 | Operating system for the device as defined on the Tools > Device Properties > General tab. Possible values are IOS, PIX, ASA, FWSM, IPS. You configure this value when you add the device to Security Manager. |
| SYS_SYS_OID | 0 | System object ID (SysObjId) of the device, which is determined when you add the device to Security Manager. |
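As an added example that is not part of the Security Manager documentation, the following FlexConfig object body uses the device system variables from Table 1 to apply two interface hardening commands on Cisco IOS devices, and shows how to handle the two edge cases the table describes: the interface lists are optional and may be absent, and an element of SYS_INTERFACE_IP_LIST can be empty for an interface without an address. It assumes, as the Velocity examples above do for list literals, that the list variables are Java lists that support get(), and that $velocityCount, Velocity's 1-based loop counter, is available; the no ip redirects and no ip proxy-arp commands are standard IOS interface commands chosen for illustration.

```velocity
## Added example (not from the Security Manager documentation).
## IOS FlexConfig object: disable ICMP redirects and proxy ARP on every
## interface that has an IP address. Assumes SYS_INTERFACE_NAME_LIST and
## SYS_INTERFACE_IP_LIST are Java lists sharing one index per interface
## (Table 1) and that $velocityCount is Velocity's 1-based loop counter.
## Only act on IOS devices; both lists are optional, so a null list
## (no interfaces defined) evaluates false and skips the whole block.
#if ( $SYS_OS_TYPE == "IOS" && $SYS_INTERFACE_NAME_LIST )
#foreach ( $ifname in $SYS_INTERFACE_NAME_LIST )
## $velocityCount starts at 1 but get() is 0-based, so convert the index.
#set ( $i = $velocityCount - 1 )
## Reset $addr first: a #set whose right-hand side is null leaves the old
## value in place, which would otherwise carry over from the previous interface.
#set ( $addr = "" )
#set ( $addr = $SYS_INTERFACE_IP_LIST.get($i) )
## Skip interfaces whose address element is empty (no IP in the Interfaces policy).
#if ( $addr && $addr != "" )
interface $ifname
 no ip redirects
 no ip proxy-arp
#end
#end
#end
```

Because the object generates nothing for non-IOS devices and for interfaces without an address, the same object can be added to a shared FlexConfig policy across mixed device types; the Validate FlexConfig button still needs the variables to be resolvable, so keep SYS_INTERFACE_NAME_LIST and SYS_INTERFACE_IP_LIST marked optional when you define the object.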
Table 2: Firewall system variables

| Name | Dimension | Description |
|---|---|---|
| SYS_FPM_INPUT_SP | 1 | FPM policy map names applied on the interface corresponding to the entry in the SYS_FPM_INTERFACE list in the “in” direction. This data is not configured in Security Manager. It is obtained from a router’s running configuration and is used by the IOS_FPM FlexConfig. |
| SYS_FPM_INTERFACE | 1 | Interface names. This data is not configured in Security Manager. It is obtained from a router’s running configuration and is used by the IOS_FPM FlexConfig. |
| SYS_FPM_OUTPUT_SP | 1 | FPM policy map names applied on the interface corresponding to the entry in the SYS_FPM_INTERFACE list in the “out” direction. This data is not configured in Security Manager. It is obtained from a router’s running configuration and is used by the IOS_FPM FlexConfig. |
| SYS_FW_ACL_IN_NAME | 1 | Names of ACLs applied to interfaces for traffic filtering in the inbound direction. Each element has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers, PIX Firewalls, Firewall Service Modules, and ASA devices. Configure firewall access rules to generate values for this variable. |
| SYS_FW_ACL_OUT_NAME | 1 | Names of ACLs applied to interfaces for traffic filtering in the outbound direction. Each element of this array has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers, PIX Firewalls, Firewall Service Modules, and ASA devices. Configure Access Rules policies to generate values for this variable. |
| SYS_FW_BRIDGE_INTERFACE_NAMES | 1 | Names of bridge interfaces. This variable applies only to IOS transparent firewalls. Configure the Firewall > Transparent Rules policies to generate values for this variable. |
| SYS_FW_ETHERTYPERULE_ACL_NAMES | 1 | Names of ethertype access-lists applied to interfaces for traffic filtering coming in or going out. Each element of this array has a one-to-one correspondence with the elements in the SYS_FW_ETHERTYPERULE_INTERFACE_NAMES and SYS_FW_ETHERTYPERULE_DIRECTION_NAMES variables. Configure Firewall > Transparent Rules policies to generate values for this variable. |
| SYS_FW_ETHERTYPERULE_DIRECTION_NAMES | 1 | Direction in which ethertype access-lists are applied. The value is either “in” or “out.” Each element has a one-to-one correspondence with the elements in the SYS_FW_ETHERTYPERULE_ACL_NAMES and SYS_FW_ETHERTYPERULE_INTERFACE_NAMES variables. Configure Firewall > Transparent Rules policies to generate values for this variable. |
| SYS_FW_ETHERTYPERULE_INTERFACE_NAMES | 1 | Interface names to which ethertype access-lists are applied. Each element has a one-to-one correspondence with the SYS_FW_ETHERTYPERULE_ACL_NAMES and SYS_FW_ETHERTYPERULE_DIRECTION_NAMES variables. Configure Firewall > Transparent Rules policies to generate values for this variable. |
| SYS_FW_INSPECT_IN_NAME | 1 | Names of Inspect Rules applied to Cisco IOS router interfaces in the inbound direction. Each element of this array has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers. Configure Inspection Rules policies to generate values for this variable. This variable is optional. |
| SYS_FW_INSPECT_OUT_NAME | 1 | Names of Inspect rules applied to Cisco IOS router interfaces in the outbound direction. Each element of this array has a one-to-one correspondence with the SYS_INTERFACE_NAME_LIST variable for Cisco IOS routers. Configure Inspection Rules policies to generate values for this variable. This variable is optional. |
| SYS_FW_INTERFACE_HARDWARE_ID_LIST | 1 | Hardware IDs for the device. Configure Interface policies on the device to generate values for this variable. This variable is optional. |
| SYS_FW_INTERFACE_NETWORK_LIST | 1 | Interface networks on the device. Configure Interface policies on the device to generate values for this variable. |
| SYS_FW_INTERFACE_SECURITY_LEVEL_LIST | 1 | Interface security levels on the device. Configure Interface policies on the device to generate values for this variable. |
| SYS_FW_INTERFACE_STATE_LIST | 1 | Interface states on the device. Configure Interface policies on the device to generate values for this variable. |
| SYS_FW_INTERFACE_VLAN_ID_LIST | 0 | VLAN IDs on the device. Configure Interface policies on the device to generate values for this variable. |
| SYS_FW_IPV6_ACL_IN_NAME | 1 | A list of all IPv6 ACLs in the In direction on the device. Configure IPv6 Access Rules policies in the In direction on the device to generate values for this variable. |
| SYS_FW_IPV6_ACL_OUT_NAME | 1 | A list of all IPv6 ACLs in the Out direction on the device. Configure IPv6 Access Rules policies in the Out direction on the device to generate values for this variable. |
| SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME | 1 | Names of tunnel groups specified in Traffic Flow objects. Traffic Flow objects configure class-map commands on PIX/ASA devices, and the names of the tunnel groups listed in Traffic Flow objects populate this variable. This variable is used by the ASA_define_traffic_flow_tunnel_group FlexConfig object to create tunnel groups on PIX/ASA devices. This variable is optional. |
| SYS_FW_MULTICAST_PIM_ACCEPT_REG_ROUTEMAP | 0 | Route-map name used in the pim accept-register route-map command. Enter a name for the route-map (Platform > Multicast > PIM > Request Filter), then configure its features using FlexConfig to generate values for this variable. This variable is optional. |
| SYS_FW_NAT0_ACL_NAMES | 1 | Names of ACLs used in the nat interface_name 0 access-list acl_name command. This variable is optional. |
| SYS_FW_OSPF_PROCESS_ID_LIST | 1 | IDs for OSPF routing processes globally configured on PIX Firewalls, Firewall Service Modules, and ASA devices. Configure Platform > Routing > OSPF policies to generate values for this variable. |
| SYS_FW_OSPF_REDISTRIBUTION_ROUTE_MAP_LIST | 1 | Names for the route maps to apply to the OSPF redistribute commands configured on PIX Firewalls, Firewall Service Modules, and ASA devices. Configure Platform > Routing > OSPF policies to generate values for this variable. |
| SYS_FW_POLICY_NAT_ACL_NAMES | 1 | Names of ACLs used in the policy nat commands (nat commands with non-0 pool id). Configure NAT (NAT > Translation Rules > Policy NAT) to generate values for this variable. This variable applies to only PIX 6.3(3) and later, PIX/ASA 7.x, 8.0(x), 8.1(x), and 8.2(x), and FWSM devices. This variable does not apply to Cisco IOS routers. This variable is optional. |
| SYS_FW_POLICY_STATIC_ACL_NAMES | 1 | Names of ACLs used in the policy static commands that include access lists. Configure NAT 0 (NAT > Translation Rules > Policy NAT) to generate values for this variable. The variable contains the access-list names used by the nat-0, policy nat, and policy static commands. This variable applies to only PIX 6.3(3) and later, PIX/ASA 7.x, 8.0(x), 8.1(x), and 8.2(x), and FWSM devices. This variable does not apply to Cisco IOS routers. This variable is optional. |
Table 3: Router platform system variables

| Name | Dimension | Description |
|---|---|---|
| SYS_ROUTER_BGP_AS_NUMBERS_LIST | 1 | Autonomous system (AS) number of the border gateway protocol (BGP) and exterior gateway protocol (EGP) on the device. Configure Router Platform > Routing > BGP policies to generate values for this variable. This variable is optional. |
| SYS_ROUTER_EIGRP_AS_NUMBERS_LIST | 1 | Autonomous system (AS) numbers of the Enhanced Interior Gateway Routing Protocol (EIGRP) and interior gateway protocol (IGP) instances on the device. Configure Router Platform > Routing > EIGRP policies to generate values for this variable. This variable is optional. |
| SYS_ROUTER_OSPF_PROCESS_IDS_LIST | 1 | Open shortest path first (OSPF) interior gateway protocol (IGP) process numbers on the device. Configure Router Platform > Routing > OSPF Process policies to generate values for this variable. This variable is optional. |
| SYS_ROUTER_QOS_CLASS_MAP_LIST | 1 | Names of QoS class maps on the device. Configure Quality of Service policies to generate values for this variable. This variable is optional. |
| SYS_ROUTER_QOS_POLICY_MAP_LIST | 1 | Names of the QoS policy-maps on the device. Configure Quality of Service policies to generate values for this variable. This variable is optional. |
Table 4: VPN system variables

| Name | Dimension | Description |
|---|---|---|
| Topology | | Variables related to the VPN in which a device participates. Configure VPNs to generate values for these variables. |
| SYS_VPN_TOPOLOGY | 1 | Virtual private network (VPN) topology type. Possible values are HUB_AND_SPOKE, POINT_TO_POINT, and FULL_MESH. |
| SYS_VPN_TOPOLOGY_NAME | 1 | Name of the VPN topology in which the device participates. |
| SYS_VPN_TOPOLOGY_ROLE | 1 | Details about the role of the device in the VPN. Possible values are PEER, HUB, and SPOKE. |
| Devices | | Variables related to devices in the VPN in which a device participates. Configure VPNs to generate values for these variables. |
| SYS_VPN_HOST_NAME | 1 | Device hostname. |
| SYS_VPN_LOCAL_PREFIXES | 2 | Interface and network IP addresses of protected networks. |
| SYS_VPN_PRIVATE_INTERFACES | 2 | Private interface names. |
| SYS_VPN_PRIVATE_TUNNEL_ENDPT_IP | 1 | Interface tunnel IP address. |
| SYS_VPN_PUBLIC_INTERFACES | 2 | Public interface names. |
| SYS_VPN_TUNNEL_ENDPT_INTERFACE_IP | 1 | IP address of the VPN endpoint. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source. |
| SYS_VPN_TUNNEL_ENDPT_INTERFACE_NAME | 1 | Name of the VPN endpoint. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source. |
| SYS_VPN_VPNSM_PUBLIC_IFC | 2 | Export port names for Catalyst 6000 series switches. |
| Remote Peers | | Variables related to the remote peers of the VPN in which a device participates. Configure VPNs to generate values for these variables. |
| SYS_VPN_REM_PEER_BAK_LOGICAL_PRIVATE_IP | 3 | Interface tunnel IP addresses of remote peers of failover hubs. This value is used in DMVPN for next hop resolution protocol (NHRP). |
| SYS_VPN_REM_PEER_BAK_PREFIX | 3 | Protected networks (interface and network IP addresses) of remote peers of failover hubs. |
| SYS_VPN_REM_PEER_BAK_PUBLIC_IP | 3 | Public interface names of remote peers of failover hubs. |
| SYS_VPN_REM_PEER_BAK_TUNNEL_SRC | 3 | IP address of the VPN endpoint of remote peers. In IPSec, the endpoint is the VPN interface; in GRE, it is the tunnel source. |
| SYS_VPN_REM_PEER_DEVICE_NAME | 2 | Device hostnames of remote peers. |
| SYS_VPN_REM_PEER_LOGICAL_PRIVATE_IP | 2 | Interface tunnel IP addresses of remote peers. This value is used in DMVPN for next hop resolution protocol (NHRP). |
| SYS_VPN_REM_PEER_PREFIX | 3 | Protected networks (interface and network IP addresses) of remote peers. |
| SYS_VPN_REM_PEER_PRIVATE_IP | 2 | Private interface names of remote peers. |
| SYS_VPN_REM_PEER_PUBLIC_IP | 2 | Public interface names of remote peers. |
| SYS_VPN_REM_PEER_TUNNEL_SRC | 2 | Tunnel sources (if included in the interface tunnel of remote peers). |
| IPSec Proposal | | Variables related to IPSec Proposal policies. For more information, see Configuring IPsec Proposals in Site-to-Site VPNs and Configuring High Availability in Your VPN Topology. Configure the IPSec Proposal policy to generate values for these variables. |
| SYS_VPN_CRYPTO_MAP_TYPE | 1 | Crypto map type. Possible values are STATIC and DYNAMIC. |
| SYS_VPN_DYNAMIC_CRYPTO_NAME | 1 | Dynamic crypto map name. |
| SYS_VPN_DYNAMIC_CRYPTO_NUM | 1 | Dynamic crypto map number. |
| SYS_VPN_STATIC_CRYPTO_NAME | 1 | Static crypto map name. |
| SYS_VPN_STATIC_CRYPTO_NAME_BAK | 1 | Static crypto map name of failover hubs. |
| SYS_VPN_STATIC_CRYPTO_NUM | 2 | Static crypto map number. |
| SYS_VPN_STATIC_CRYPTO_NUM_BAK | 2 | Static crypto map number of failover hubs. |
| Preshared Keys | | Variables related to Preshared Key and IKE Proposal policies. For more information, see Configuring IKEv1 Preshared Key Policies. |
| SYS_VPN_IKE_AUTHENTICATION_MODE | 1 | Authentication method of the IKE policy. Possible values are pre-share, rsa-sig, rsa-encr, dsa-sig. Configure an IKE Proposal policy to generate values for this variable. |
| SYS_VPN_IKE_PRIORITY | 1 | Priority number of the IKE policy. Configure an IKE Proposal policy to generate values for this variable. |
| SYS_VPN_NEGOTIATION_MODE | 1 | Negotiation method. Possible values are MAIN_ADDRESS, MAIN_HOST, and AGGRESSIVE. Configure a Preshared Key policy to generate values for this variable. |
| GRE Modes | | Variables related to GRE Modes policies. For more information, see Understanding the GRE Modes Page. |
| SYS_VPN_BAK_TUNNEL_IFC | 2 | Interface tunnel number of remote peers of failover hubs, for example, tunnel0. Configure VPNs to generate values for this variable. |
| SYS_VPN_SIGP_PROCESS_NUMBER | 1 | Process number of the interior gateway protocol (IGP). Configure GRE Modes policies to generate values for this variable. |
| SYS_VPN_SIGP_ROUTING_PROTOCOL | 1 | Type of secured interior gateway protocol (IGP) used. Possible values are STATIC, OSPF, EIGRP, RIPV2, BGP, and ODR. Configure GRE Modes policies to generate values for this variable. |
| SYS_VPN_SPOKE_TO_SPOKE_CONN | 1 | Whether DMVPN is configured for spoke-to-spoke connectivity. Possible values are true or false. Configure GRE Modes policies to generate values for this variable. |
| SYS_VPN_TUNNEL_IFC | 2 | Interface tunnel number of remote peers, for example, tunnel0. Configure VPNs to generate values for this variable. |
| VRF | | Variables related to virtual routing and forwarding (VRF). For more information, see Configuring VRF Aware IPsec Settings. Configure VPN VRF settings to generate values for these variables. |
| SYS_VPN_VRF_AREA_ID | 1 | Area ID numbers if the OSPF process number was chosen. |
| SYS_VPN_VRF_MPLS_INTERFACE_IP | 1 | Multiprotocol label switching (MPLS) interface IP addresses. |
| SYS_VPN_VRF_MPLS_INTERFACE_NAME | 1 | Multiprotocol label switching (MPLS) interface names. |
| SYS_VPN_VRF_NAME | 1 | VRF names. |
| SYS_VPN_VRF_PROCESS_NUMBER | 1 | Interior gateway protocol (IGP) process numbers. |
| SYS_VPN_VRF_RD | 1 | RD values. |
| SYS_VPN_VRF_ROUTING_PROTOCOL | 1 | Interior gateway protocol (IGP) values. IGP is used for routing the IPSec aggregator toward the Provider Edge (PE)/Multiprotocol Label Switching (MPLS) network. Possible values are STATIC, OSPF, EIGRP, RIPV2, and BGP. |
| SYS_VPN_VRF_SOLUTION | 1 | Virtual routing and forwarding (VRF) solution. Possible values are 1BOX and 2BOX. |
| CA | | Variables related to certificate authority policies. For more information, see Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs. |
| SYS_VPN_CA_NAME | 2 | Certificate authority (CA) names. Configure PKI policies to generate values for this variable. |
| EZVPN | | Variables related to EZVPN. For more information, see Understanding Easy VPN. |
| SYS_VPN_EZVPN_GROUP_NAME | 2 | User group names. Configure User Group policies to generate values for this variable. |
| Dial Backup | | Variables related to dial backup configurations. For more information, see Configuring Dial Backup. |
| SYS_VPN_RTR_WATCH | 1 | The rtr/watch number. Configure dial backup to generate values for this variable. |
| GETVPN | | Variables related to Group Encrypted Transport (GET) VPN. For more information, see Understanding Group Encrypted Transport (GET) VPNs. |
| SYS_GDOI_GROUP_NAME | 1 | Name of the Group Domain of Interpretation (GDOI) group. Configure the Group Encryption policy to generate values for this variable (Manage > Site-to-Site VPNs > Group Encryption Policy > Group Settings). |
| SYS_GM_GET_ENABLED_INTF_NAME | 1 | VPN-enabled outside interface to the provider edge (PE). Traffic originating or terminating on this interface is evaluated for encryption or decryption, as appropriate. Configure group members to generate values for this variable (Manage > Site-to-Site VPNs > Group Members). |
| SYS_IPSEC_PROFILE_NAME | 1 | Name of the profile that defines the parameters to be used for IPsec encryption between two group members. Configure the Group Encryption policy to generate values for this variable (Manage > Site-to-Site VPNs > Group Encryption Policy > Security Associations). |
| SYS_KS_REG_INTERFACE | 0 | Interface on the key server assigned to handle group domain of interpretation (GDOI) registrations. If no registration interface is specified, GDOI registrations can occur on any interface. Configure key servers to generate values for this variable (Manage > Site-to-Site VPNs > Key Servers). |
Name | Dimension | Description |
---|---|---|
SYS_ASA_RA_TUNNEL_GROUP_NAME | 2 | Tunnel group names for ASA devices. |
SYS_ASA_RA_USER_GROUP_NAME | 2 | Names of the ASA user groups. |
SYS_EZVPN_RA_DYNAMIC_CRYPTO_MAP_NAME | 1 | Dynamic crypto map name for EZVPN. |
SYS_EZVPN_RA_DYNAMIC_CRYPTO_MAP_SEQ_NUM | 1 | Dynamic crypto map sequence number for EZVPN. |
SYS_EZVPN_RA_PUBLIC_INTERFACE_PIX | 2 | External interface names for EZVPN; PIX firewall and ASA devices only. |
SYS_EZVPN_RA_STATIC_CRYPTO_MAP_NAME | 1 | Static crypto map names for EZVPN. |
SYS_EZVPN_RA_STATIC_CRYPTO_MAP_SEQ_NUM | 1 | Static crypto map sequence numbers for EZVPN. |
SYS_IOS_RA_CA_NAME | 1 | Certificate authority (CA) names for Cisco IOS devices. |
SYS_IOS_RA_PUBLIC_INTERFACE | 1 | External interface names for Cisco IOS devices. |
SYS_IOS_RA_USER_GROUP | 1 | User group names for Cisco IOS devices. |
SYS_IOS_RA_VRF_NAME | 1 | Virtual routing and forwarding (VRF) names for Cisco IOS devices. |
Predefined FlexConfig Policy Objects
Security Manager provides predefined FlexConfig policy objects for you to use. These policy objects have predefined commands and scripting.
Predefined FlexConfig policy objects are read-only objects. To edit these predefined FlexConfig policy objects, duplicate the desired object, make changes to the copy, and save it with a new name. This way, the original predefined FlexConfigs remain unchanged. For lists of these predefined policy objects and further information on each, see the following tables:
-
Predefined ASA FlexConfig Policy Objects—Table 1
-
Predefined Catalyst FlexConfig Policy Objects—Table 2
-
Predefined Cisco IOS FlexConfig Policy Objects—Table 3
-
Predefined PIX Firewall FlexConfig Policy Objects—Table 4
-
Predefined Router FlexConfig Policy Objects—Table 5
Name | Description |
---|---|
ASA_add_ACEs | Adds an access control entry (ACE) to every access control list on the device. |
ASA_add_EtherType_ACL_remark | Loops through a list of EtherType access-list names and adds ACEs or remarks to them. An EtherType access list corresponds to Transparent Rules for firewalls in Security Manager; the remarks set by the CLI in this FlexConfig appear in the description field of the transparent rule. |
ASA_add_IPv6_ACEs | Loops through a list of IPv6 access lists and adds a deny ip any any log entry to the end of each ACL. |
ASA_command_alias | Creates a command alias named save for the copy running-config startup-config command. |
ASA_copy_image | Copies an image package from a TFTP server to flash. |
ASA_csd_image | Provides an ASA Cisco Secure Desktop (CSD) image. It copies the CSD image from /CSCOpx/tftpboot/device-hostname on the Security Manager server to the device, then configures the CSD image path. Make sure the device's hostname is filled in under Device Properties. If the image name differs from the default, override it in Device Properties > Policy Object Overrides > Text Objects > AsaCsdImageName. Unassign this FlexConfig from the device after the image has been copied and configured. |
ASA_define_traffic_flow_tunnel_group | Defines the site-to-site VPN tunnel groups listed in the SYS_FW_MPCRULE_TRAFFICFLOW_TUNNELGROUPNAME system variable. This variable is populated with the tunnel group names defined in Traffic Flow objects. |
ASA_established | Permits return access for outbound connections through the security appliance: the original connection is outbound from a network protected by the appliance, and the return connection is inbound from the same external host. Uses the established command with a destination port for connection lookups, which gives you more control and supports protocols where the destination port is known but the source port is not. The permitto and permitfrom keywords define the return inbound connection. |
ASA_FTP_mode_passive | Sets the FTP mode to passive. |
ASA_generate_route_map | Generates a route map for use by the pim accept-register route-map command configured under Platform > Multicast > PIM > Request Filter. Security Manager exports the route-map name used in the pim command so that you can configure the route map as needed. |
ASA_IP_audit | Uses the ip audit command to provide the following: |
ASA_MGCP | Identifies a specific map for defining the parameters for Media Gateway Control Protocol (MGCP) inspection. |
ASA_no_router_Id | Removes the router ID from each OSPF process. |
ASA_no_shut_Intf | Loops through all interfaces on the device and enables them. |
ASA_privilege | Sets the privilege levels for the configuration, show, and clear commands. |
ASA_route_map | Defines a route map for each OSPF process redistribution route-map name. |
ASA_RSA_KeyPair_generation | Resets and generates RSA key pairs for certificates. |
ASA_svc_image | Provides an ASA SSL VPN Client (SVC) image. It copies the SVC image from /CSCOpx/tftpboot/device-hostname on the Security Manager server to the device, then configures the SVC image path. Make sure the device's hostname is filled in under Device Properties. If the image name differs from the default, override it in Device Properties > Policy Object Overrides > Text Objects > AsaSvcImageName. Unassign this FlexConfig from the device after the image has been copied and configured. |
ASA_sysopt | Uses the sysopt command to provide the following examples: |
ASA_virtual | Configures virtual HTTP and Telnet servers. |
Name | Description |
---|---|
Cat6K_ECLB_algorithm | Sets the EtherChannel load-balance algorithm for modules. |
Cat6K_ECLB_port_mode | Applies an EtherChannel to the Catalyst trunk ports to which IPS sensors are connected. Make sure the ports are configured in trunk mode. |
Cat6K_ECLB_portchannel | Sets the port channel to trunk mode and adds the trunk-allowed VLANs. |
Cat6K_firewall_multiple_vlan_interfaces | Sets multiple-VLAN-interfaces mode when multiple SVIs need to be provisioned. |
Name | Description |
---|---|
IOS_add_bridge_interface_desc | Loops through a list of bridge interfaces and adds the description "this is a bridge interface." |
IOS_CA_server | Configures a certificate authority server. |
IOS_compress_config | Compresses large Cisco IOS configurations. |
IOS_config_root_wireless_station | Creates and configures the root radio station for a wireless LAN on Cisco IOS routers such as the 851 and 871. |
IOS_console_AAA_bypass | Provides examples of the following scenarios: |
IOS_Copy_Image | Copies an SVC image from the Security Manager server to the device, then configures the SVC image path. Unassign this FlexConfig from the device after the image has been copied and configured. |
IOS_enable_SSL | Enables SSL. |
IOS_FPM | Copies traffic class definition files to a router and applies policy maps. |
IOS_IPS_PUBLIC_KEY | Defines public keys on an IOS IPS device. Public keys are required for Security Manager to perform signature updates. |
IOS_IPS_SIGNATURE_CATEGORY | Retires all signatures except those in the ios_ips basic category. |
IOS_PKI_with_AAA | Configures PKI AAA authorization using the entire certificate subject name. |
IOS_set_clock | Sets the device clock to the current time on the Security Manager server. |
IOS_VOIP_advance | Loops through and associates each POTS port number with a telephone number and a port number or IP address. |
IOS_VOIP_simple | Associates a POTS port number with a telephone number and port number. |
IOS_VPN_config_gre_tunnel | Uses VPN variables to configure the GRE tunnel for each VPN in which the device participates. |
IOS_VPN_set_interface_desc | Uses VPN variables to update the description of the public interface for each VPN in which the device participates. |
IOS_VPN_shutdown_inside_interface | Uses VPN variables to shut down all inside interfaces for each VPN in which the device participates. |
IOS_VRF_on_vFW | Configures virtual routing and forwarding (VRF) on virtual firewall interfaces. |
Name | Description |
---|---|
PIX6.3_nat0_acl_compiled | Generates a compiled access list for NAT 0 access control lists. |
PIX6.3_policy_nat_acl_compiled | Generates a compiled access list for Policy NAT ACLs. |
PIX6.3_policy_static_acl_compiled | Generates a compiled access list for Policy Static ACLs. |
PIX_VPDN | Configures a virtual private dialup network (VPDN). |
Name | Description |
---|---|
ROUTER_add_inspect_rules | Loops through and appends inspect rules. |
ROUTER_BGP_no_auto_summary | Disables automatic route summarization for each BGP process by using the no auto-summary sub-command. This FlexConfig policy object uses the list of BGP autonomous system numbers from the SYS_ROUTER_BGP_AS_NUMBERS_LIST system variable. |
ROUTER_BGP_untrusted_info | Uses the distance bgp 255 255 255 sub-command to mark routing information learned by each BGP process as untrusted (administrative distance 255 for external, internal, and local routes, so the routes are not installed). This FlexConfig policy object uses the list of BGP autonomous system numbers from the SYS_ROUTER_BGP_AS_NUMBERS_LIST system variable. |
ROUTER_EIGRP_min_cost_routes | Configures traffic to use only the minimum-cost routes when several routes of differing cost exist to the same destination network, using multi-interface load splitting across the interfaces with equal-cost paths. This FlexConfig policy object uses the list of Enhanced Interior Gateway Routing Protocol (EIGRP) autonomous system numbers from the SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable. |
Router_EIGRP_no_auto_summary | Disables automatic route summarization for each EIGRP process by using the no auto-summary sub-command. This FlexConfig policy object uses the list of EIGRP autonomous system numbers from the SYS_ROUTER_EIGRP_AS_NUMBERS_LIST system variable. |
ROUTER_interface_prevent_dos_attacks | Applies denial-of-service (DoS) mitigation commands to every device interface. This FlexConfig policy object uses the list of interface names from the SYS_INTERFACE_NAME_LIST system variable. |
ROUTER_OSPF_no_router_Id | Removes the router ID from each OSPF process. This FlexConfig policy object uses the list of OSPF process IDs from the SYS_ROUTER_OSPF_PROCESS_IDS_LIST system variable. |
ROUTER_QoS_Class_Map_description | Sets QoS class-map descriptions. This FlexConfig policy object uses the list of router QoS class-map names from the SYS_ROUTER_QOS_CLASS_MAP_LIST system variable. |
ROUTER_QoS_Policy_Map_description | Sets QoS policy-map descriptions. This FlexConfig policy object uses the list of router QoS policy-map names from the SYS_ROUTER_QOS_POLICY_MAP_LIST system variable. |
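The router objects above all follow one pattern: a system variable that holds a list, a loop over that list, and a few CLI lines emitted per element. The template below is an added example written for this page; it is not one of Security Manager's predefined objects and is the kind of object you would get by duplicating ROUTER_BGP_no_auto_summary and editing the copy. It assumes the FlexConfig scripting language is Velocity (VTL), which is what the Security Manager guide describes elsewhere, so loops are written with #foreach/#end and variables are referenced as $NAME; it also assumes that SYS_ROUTER_BGP_AS_NUMBERS_LIST and SYS_ROUTER_OSPF_PROCESS_IDS_LIST are one-dimensional lists populated from the device's BGP and OSPF policies, as the table says. It merges the work of ROUTER_BGP_no_auto_summary and ROUTER_BGP_untrusted_info into a single object and adds the OSPF router-id cleanup of ROUTER_OSPF_no_router_Id.

```velocity
## Added example, not a Security Manager predefined FlexConfig object.
## Assumes Velocity Template Language syntax and two dimension-1 system
## variables: SYS_ROUTER_BGP_AS_NUMBERS_LIST and SYS_ROUTER_OSPF_PROCESS_IDS_LIST.
## Meant to be assigned as an appended object, so these lines land after the
## router bgp / router ospf blocks that Security Manager generates and before
## write mem. An empty list simply produces no output.

## One "router bgp" block per BGP autonomous system number on the device.
#foreach ($asn in $SYS_ROUTER_BGP_AS_NUMBERS_LIST)
router bgp $asn
## Disable classful auto-summarization (what ROUTER_BGP_no_auto_summary does).
 no auto-summary
## Mark every BGP-learned route untrusted: administrative distance 255 for
## external, internal and local routes (what ROUTER_BGP_untrusted_info does).
 distance bgp 255 255 255
 exit
#end

## One "router ospf" block per OSPF process ID on the device.
#foreach ($pid in $SYS_ROUTER_OSPF_PROCESS_IDS_LIST)
router ospf $pid
## Drop any statically configured router ID (what ROUTER_OSPF_no_router_Id does).
 no router-id
 exit
#end
```

Two practical caveats. Because this is an appended object, its commands override whatever the regular routing policy generated for the same processes, which is the intent here but easy to forget when the object is later reused on another device. And distance 255 is not a tuning knob: routes at that distance are never installed in the routing table, so after deployment confirm with show ip route that the device still has the BGP reachability you expect, or remove that line from your copy before assigning it.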