Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
User Guide for Cisco Secure Policy Manager 3.1
Version 3.1
Customer Order Number: DOC-7814178=
Text Part Number: 78-14178-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT
ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR
THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as
part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE
PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED
OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
User Guide for Cisco Secure Policy Manager 3.1
Copyright © 2002, Cisco Systems, Inc.
All rights reserved.
CCIP, the Cisco Powered Network mark, the Cisco Systems Verified logo, Cisco Unity, Follow Me Browsing, FormShare, Internet Quotient, iQ
Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, Networking Academy, ScriptShare, SMARTnet, TransPath, and
Voice LAN are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, The Fastest Way to
Increase Your Internet Quotient, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, IOS, IP/TV,
LightStream, MGX, MICA, the Networkers logo, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX, Registrar, SlideCast,
StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain
other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0203R)
iii
User Guide for Cisco Secure Policy Manager 3.1
78-14178-01
CONTENTS
Preface  xxv
What’s In This User Guide  xxv
Audience  xxxi
Conventions  xxxi
Related Documentation  xxxii
Obtaining Documentation  xxxiii
World Wide Web  xxxiii
Ordering Documentation  xxxiii
Documentation Feedback  xxxiii
Obtaining Technical Assistance  xxxiv
Cisco.com  xxxiv
Technical Assistance Center  xxxv
Cisco TAC Web Site  xxxv
Cisco TAC Escalation Center  xxxvi
CSPM Overview
CHAPTER 1  Getting Started with CSPM  1-1
Logging In  1-1
CSPM Overview  1-2
Topology  1-5
Policy  1-7
Commands  1-10
Status  1-12
Reports  1-13
Getting Started Checklist  1-15
Configure Topology  1-16
Adding a PIX Firewall to the Internet  1-17
Adding a CSPM Server to Your Topology  1-23
Configure Policy  1-25
Creating a Policy Rule  1-25
Configure Logging, Reporting, and Notifications  1-27
Publish Commands  1-27
Generating Commands  1-28
Reviewing the Generated Command Set  1-29
Publishing Commands  1-30
CHAPTER 2  Preparing Your Network  2-1
IOS Firewall Worksheet  2-2
PIX Firewall Worksheet  2-6
CHAPTER 3  Finding Objects in CSPM  3-1
Tasks for the Find Tool  3-1
Finding an Object by Name  3-1
Finding an Object by IP Address  3-3
Finding an Object by Type  3-4
Finding an Object by Group Type  3-5
Finding a Rule by Keyword  3-6
CHAPTER 4  Saving Changes in CSPM  4-1
Save  4-1
Learn More About Save  4-2
Saving Your Changes  4-3
Save and Update  4-4
Learn More About Save and Update  4-4
Saving Changes and Updating Network Policy  4-5
CHAPTER 5  Consistency Check  5-1
Learn More About Consistency Check  5-1
Task List for Consistency Check  5-2
Configuring Consistency Checks  5-2
Performing On-Demand Consistency Checks  5-3
CHAPTER 6  Setting CSPM Options  6-1
Learn More About Options  6-1
Task List for the Options Dialog Box  6-3
Enabling or Disabling Automatic Backup  6-3
Changing the Default Fonts  6-4
Specifying the Default Command Publishing Method  6-5
Specifying the Product Information Page  6-6
Specifying the Archive Count Setting  6-7
Specifying the File Export Settings  6-7
Specifying the Multiple Path Threshold  6-8
Enabling or Disabling Automatic Denies for Wildcard Policies  6-9
Configuring Network Topology
CHAPTER 7  Representing Your Network Topology  7-1
Roles of the Network Topology  7-2
Identifying Key Components in Your Topology  7-3
How the Network Topology Organizes Device-Centric Settings and Rules  7-5
Learn More About Defining the Physical Network Topology  7-7
How Network Objects Provide the Building Blocks for Policy Rules  7-9
Learn More About Perimeters and Interfaces  7-15
CHAPTER 8  Guidelines and Techniques for Defining Your Network Topology  8-1
Designing Topology from the Internet Down into Your Network  8-2
So How Much Do I Have to Define?  8-4
Mapping Between Physical Network Objects and CSPM Topology Objects  8-6
CHAPTER 9  Defining Your Network Topology  9-1
Worksheet for Defining your Network Topology  9-4
Internet  9-6
Learn More About the Internet  9-7
Learn More About Interfaces on the Internet  9-8
Networks  9-9
Adding a Network to Your Topology  9-10
Clouds  9-14
Learn More About Clouds  9-14
Learn More About Interfaces on a Cloud  9-15
Learn More about Cloud Networks  9-16
Learn More about Wildcard Networks  9-17
Task List for Clouds  9-18
Adding a Cloud to Your Topology  9-18
Adding a Cloud Network to Your Topology  9-26
Adding a Wildcard Network to Your Topology  9-27
PIX Firewall  9-28
Learn More About PIX Firewalls  9-29
Learn about PIX Firewall Failover  9-29
Learn More About Interfaces on a PIX Firewall  9-31
Task List for PIX Firewalls  9-33
Adding a PIX Firewall to Your Topology  9-34
Configuring a PIX Firewall for Failover  9-46
Modifying the Trust Settings of the Interfaces Installed in a PIX Firewall  9-48
Cisco IOS Routers  9-49
Learn More About Cisco IOS Routers  9-50
Learn More About Interfaces Types: Real vs. Virtual and Numbered vs. Unnumbered  9-51
Unnumbered Interfaces  9-52
Learn More About Interfaces on a Cisco IOS Router  9-53
IOS Interface Naming Guidelines  9-53
Adding a Cisco IOS Router to Your Topology  9-54
Adding a Cisco IOS Router to the Internet  9-54
Adding a Cisco IOS Router to a Network  9-61
Routers  9-67
Learn More About Interfaces on a Generic Router  9-68
Adding a Router to Your Topology  9-69
Adding a Router to the Internet  9-69
Adding a Router to a Network  9-73
CSPM Servers  9-77
Adding a CSPM Server to Your Topology  9-77
Configuring the CSPM Server to Publish Notifications to an SMTP Server  9-79
IP Ranges  9-80
Adding an IP Range to Your Topology  9-80
Hosts  9-82
Learn More About Hosts  9-82
Task List for Hosts  9-83
Adding a Host to Your Topology  9-83
Specifying a Client/Server Product is Running on a Host  9-84
Configuring a Host to Receive SMTP-Based Notifications  9-86
Authentication Server Panel  9-87
Learn More About Certificate Authority Servers  9-87
Learn More About RADIUS Authentication Servers  9-88
Learn More About TACACS+ Authentication Servers  9-89
Specifying that an Authentication Server Is Running on a Host  9-90
Syslog Server Panel  9-91
Learn More About Syslog Servers  9-92
Task List for Syslog Server  9-92
Modifying the IP Address Setting for a Syslog Server  9-92
Modifying the Network Service Port used by the Syslog Server  9-93
Selecting the Network Service Associated with a Syslog Server  9-94
CHAPTER 10  Configuring the Global Policy Override Settings for Managed Devices  10-1
Settings 1 Panel on a PIX Firewall  10-1
Learn More About the Settings 1 Panel on a PIX Firewall  10-2
Task List for the Settings 1 Panel on a PIX Firewall  10-2
Specifying Global ICMP Policy Overrides on a PIX Firewall  10-2
Specifying Global Timeout Settings on a PIX Firewall  10-3
Specifying Log Settings for PIX Firewall Activity  10-5
Enabling Flood Guard on a PIX Firewall  10-7
Settings 1 Dialog Box on the Interfaces Panel of a PIX Firewall  10-8
Default Security Stance for an Interface  10-8
Specifying the Routing Table Update and Broadcast Settings for a PIX Firewall Interface  10-10
Device-Specific Settings for a Cisco IOS Router  10-11
Learn More About Device-Specific Settings on a Cisco IOS Router  10-11
Default Security Stance for an Interface  10-12
Task List for the Device-Specific Settings on a Cisco IOS Router  10-13
Enabling Address Translation Overload for a Cisco IOS Router  10-13
Enabling ICMP Policy Override Setting for a Cisco IOS Router  10-14
Specifying Log Settings for Cisco IOS Router Activity  10-15
Specifying the Global CBAC Settings for a Cisco IOS Router  10-17
Specifying the Global Inspection Command Settings for a Cisco IOS Router  10-19
CHAPTER 11  Configuring Administrative Control Communications  11-1
Control Panel  11-1
Learn More About Controlling Managed Devices  11-2
Notes for Defining CSPM-to-Managed Device Tunnels  11-4
Guidelines for Deploying Your CSPM Server  11-6
Avoiding Losses of Connectivity Between CSPM and a Managed Device  11-8
Task List for the Control Panel  11-10
Modifying the IP Address used to Communicate with a Managed Device  11-11
Selecting the CSPM Server to Control a Managed Device  11-12
Requiring that a Managed Device Use an IPSec Tunnel for Administration  11-12
Configuring CSPM to Monitor the Syslog Data Streams Generated by a Managed Device  11-13
Selecting the Syslog Servers that Monitor the Syslog Data Streams Generated by a Managed Device  11-14
Specifying the Enable Password used to Administer a Managed Device  11-15
Specifying the Telnet Password used to Administer a Managed Device  11-15
CHAPTER 12  Defining Traffic Flows, Shaping Rules, and Enforcement Path Rules  12-1
Routes  12-1
Learn More About Routes  12-2
Task List for the Routes Panel  12-5
Creating a Routing Rule on a Gateway  12-6
Modifying a Routing Rule on a Gateway  12-7
Specifying Route Management Settings on a Gateway  12-9
Viewing Active Routing Rules on a Gateway  12-10
Using Mapping Rules  12-11
Learn More About Static Translation  12-11
Task List for Static Translation Rules  12-13
Creating a Static Translation Rule  12-13
Modifying a Static Translation Rule  12-17
Viewing Active Static Translation Rules  12-20
Learn More About Address Hiding  12-21
Learn More About Why You Should Use Address Hiding  12-22
Learn More About How Address Hiding Works  12-24
Learn More About How Session Awareness and Port Mapping Affect Address Hiding  12-25
Task List for Address Hiding Rules  12-26
Creating an Address Hiding Rule  12-26
Modifying an Address Hiding Rule  12-29
Viewing Active Address Hiding Rules  12-32
Learn More About Path Restrictions  12-33
Flow Restrictions are Better than Path Restrictions  12-36
Types of Flow Restrictions  12-37
When to Define a Flow Restriction  12-42
Task List for Path Restriction Rules  12-45
Creating a Path Restriction Rule  12-45
Changing a Path Restriction Rule  12-47
Viewing Active Path Restriction Rules  12-49
Regional Flow Control Tool  12-49
Learn More About the Regional Flow Control Tool  12-49
Defining a Regional Flow Restriction  12-50
Learn More About Enforced On and the Global Enforcement Path Table  12-51
CHAPTER 13  Importing Your Configuration  13-1
Learn More About the Configuration Import Tool  13-1
Checklist for the Configuration Import tool  13-2
Accessing the Configuration Import Tool  13-4
Loading Devices from a CSV File  13-5
Loading Devices from a CiscoWorks2000 Database  13-6
Adding Devices to the Device List  13-7
Editing Devices in the Device List  13-8
Importing a Configuration from the Device List  13-9
Generating the Topology  13-10
Network Discovery Viewer Features  13-11
Reviewing the Generated Configuration  13-13
Saving Your Configuration in an .xml File  13-15
Importing Your Configuration into CSPM  13-16
Configuring Policy
CHAPTER 14  Introduction to Network Security Policy  14-1
Role and Importance of Policy in CSPM  14-2
Policy Components and Tools  14-3
Advanced Policy Features  14-4
Policy Ordering and Enforcement  14-5
Policy Evaluation  14-5
Wildcard Networks in Policy Rules  14-6
Internet Node in Policy Rules  14-8
Task Flow for Configuring and Publishing Policy  14-9
CHAPTER 15  Policy Components  15-1
Conditions  15-1
Learn More About the Source Condition  15-3
Learn More About the Destination Condition  15-5
Learn More About Network Object Groups  15-7
Learn More About Perimeter Groups and Perimeters  15-8
Learn More About the Service Condition  15-10
Learn More About Network Service Groups  15-10
Actions  15-11
CHAPTER 16  Policy Tools  16-1
Policy Wizard  16-1
Policy  16-2
Learn More About Command Central  16-5
Commands  16-6
Command Viewer  16-8
Policy Query Types  16-11
Example 1  16-11
Example 2  16-15
Example 3  16-19
CHAPTER 17  Basic Configuration  17-1
Basic Configuration Tasks  17-1
Creating a Policy Rule  17-2
Editing a Policy Rule  17-4
Deleting a Policy Rule  17-6
Generating Commands  17-7
Reviewing Command Generation and Distribution Status for all Managed Devices  17-8
Reviewing the Generated Command Set  17-9
Mapping Commands to Policy Rules  17-10
Comparing Commands and Configurations Using the Command Diff Tool  17-11
Adding Prologue Commands and Epilogue Commands  17-13
Verifying Policy Using the Policy Query Tool  17-15
Publishing Commands  17-18
CHAPTER 18  Advanced Configuration  18-1
Advanced Configuration Tasks  18-1
Creating a Network Service Group  18-2
Modifying a Network Service Group  18-4
Creating a Network Object Group  18-6
Modifying a Network Object Group  18-7
Creating a Perimeter Group  18-8
Modifying a Perimeter Group  18-10
Configuring IPSec for VPNs
CHAPTER 19  IPSec Tunnels  19-1
How CSPM Manages IPSec  19-2
About IPSec Device Settings  19-3
About Certificates in IKE Negotiations  19-5
About Preshared Secrets in IKE Negotiations  19-6
About IPSec Tunnel Templates  19-6
About IKE Tunnels Templates  19-7
About Manual IPSec Tunnels  19-9
About the Default Tunnel Templates  19-9
About IPSec Tunnel Groups  19-11
About Tunnel Policy  19-12
Additional Information  19-13
CHAPTER 20  Remote-User Tunnels  20-1
Creating Remote User Tunnels  20-2
Enabling IPSec on a Network Object  20-4
Creating an IKE Tunnel Template  20-5
Accessing the IPSec Wizard for Creating IKE Tunnel Templates  20-6
Defining IKE Tunnel Options  20-7
Modifying IKE Protocols  20-9
Saving Tunnel Template Settings  20-12
Creating an IKE Tunnel Group  20-13
Accessing the IPSec Wizard for Creating IKE Tunnel Groups  20-15
Selecting the Tunnel Template  20-16
Defining Tunnel Hubs  20-16
Defining Tunnel Spokes  20-18
Defining Hub and Spoke Associations  20-19
Defining the IKE Preshared Keys  20-20
Defining the AAA Servers  20-21
Defining the Mode Config IP Address Pool  20-22
Defining the Certificate Authority Server  20-22
Reviewing Your Tunnel Group Settings  20-23
Creating Tunnel Policy Rules  20-23
Discovering Certificate Information  20-24
Entering Certificate Information Manually  20-26
Generating Commands  20-27
Publishing Commands  20-27
CHAPTER 21  Site-to-Site Tunnels  21-1
Creating Site-to-Site Tunnels  21-2
Enabling IPSec on a Network Object  21-4
Creating an IKE Tunnel Template  21-5
Accessing the IPSec Wizard for Creating IKE Tunnel Templates  21-6
Defining IKE Tunnel Options  21-6
Modifying IKE Protocols  21-9
Saving Tunnel Template Settings  21-12
Creating a Manual Tunnel Template  21-13
Creating an IKE Tunnel Group  21-15
Accessing the IPSec Wizard for Creating IKE Tunnel Groups  21-18
Selecting the Tunnel Template  21-18
Defining Tunnel Hubs  21-19
Defining Tunnel Spokes  21-21
Defining Hub and Spoke Associations  21-22
Defining the IKE Preshared Keys  21-23
Defining the AAA Servers  21-23
Defining the Mode Config IP Address Pool  21-25
Defining the Certificate Authority Server  21-25
Reviewing Your Tunnel Group Settings  21-26
Creating a Manual Tunnel Group  21-26
Creating Tunnel Policy Rules  21-31
Discovering Certificate Information  21-32
Entering Certificate Information Manually  21-33
Generating Commands  21-34
Publishing Commands  21-35
CHAPTER 22  Command Publication Tunnels  22-1
Creating Command Publication Tunnels  22-1
Creating an IKE Tunnel Template  22-3
Accessing the IPSec Wizard for Creating IKE Tunnel Templates  22-4
Defining IKE Tunnel Options  22-5
Modifying IKE Protocols  22-7
Saving Tunnel Template Settings  22-10
Creating a Manual Tunnel Template  22-11
Configuring Topology Objects to Use IPSec  22-14
Enabling IPSec on a Network Object  22-15
Specifying DES Cipher Settings on a Managed Device  22-15
Configuring a Certificate Authority Server  22-16
Discovering Certificate Information  22-17
Entering Certificate Information Manually  22-19
Specifying Preshared Secrets for IKE  22-20
Configuring Manual Keys  22-21
Generating Commands  22-22
Bootstrapping a Managed Device for IPSec  22-23
Publishing Commands  22-26
CHAPTER 23  Advanced IPSec Features  23-1
About Tunnel Failover  23-1
About No-NAT Tunnels  23-2
Configuring NAT with IPSec  23-3
About GRE-Over-IPSec Tunnels  23-4
Configuring GRE-Over-IPSec  23-5
About IKE Preshared Key Generation  23-6
Generating Preshared Keys  23-7
Configuring AAA
CHAPTER 24  AAA  24-1
Learn More About AAA  24-1
Learn More About RADIUS Authentication Servers  24-3
Learn More About TACACS+ Authentication Servers  24-4
Virtual Addresses and PIX Firewall  24-5
Checklist for Authenticating Pass-Through Traffic  24-7
Checklist for Authenticating Administrative Traffic  24-9
Task List for AAA  24-11
Authenticating Pass-Through Traffic Using a AAA Server  24-11
Authenticating Administrative Traffic Using a AAA Server  24-12
Bootstrapping a Managed Device for AAA  24-13
Disabling AAA for a Managed Device  24-16
Logging, Reporting, and Notifications
CHAPTER 25  Logging  25-1
Checklist for Configuring Audit Event Monitoring and Logging  25-1
Administering Audit Control Communications  25-4
Configuring CSPM to Monitor the Syslog Data Streams Generated by a Managed Device  25-5
Selecting the Syslog Servers that Monitor the Syslog Data Streams Generated by a Managed Device  25-6
Specifying Log Settings for Managed Devices  25-6
Specifying Log Settings for Cisco IOS Router Activity  25-7
Specifying Log Settings for PIX Firewall Activity  25-9
Event Filtering  25-11
Learn More About How to Configure Event Filtering  25-11
Event Categories  25-12
Event Classifications  25-13
Defining Event Filtering Rules Based on Event Classifications  25-14
Defining Event Filtering Rules Based on Specific Events  25-16
Defining Event Filtering Rules Based on Service Statistics  25-18
Working with Monitor Settings in CSPM  25-19
Modifying the IP Address Used to Communicate with the Monitoring Subsystem  25-20
Modifying the UDP Port Used by CSPM to Listen for Event Streams from Managed Devices  25-21
Selecting the Network Service Used by the Monitoring Subsystem  25-22
Archiving or Deleting Audit Records  25-23
Defining an ODBC Driver and Data Source Name  25-24
Configuring CSPM to Archive to an ODBC Data Source  25-26
Configuring CSPM to Duplicate and Redirect Syslog Messages  25-27
CHAPTER 26  Reporting  26-1
CSPM Reports  26-2
Learning More About Summary Reports  26-3
Learning More About Detailed Reports  26-4
Learning More About System Reports  26-5
Learning More About User Defined Reports  26-5
Learning More About Scheduled Reports  26-5
Checklist for Configuring Reports  26-5
Task List for CSPM Reports  26-7
Generating and Viewing Reports  26-7
Scheduling Reports  26-8
Viewing Scheduled Reports  26-10
Creating User Defined Reports  26-10
Generating, Scheduling, and Viewing Reports Remotely  26-12
Printing a Report  26-13
Configuring Reporting Settings  26-13
Task List for the Reports Panel  26-14
Modifying the TCP Port Used by the Reporting Subsystem  26-14
Modifying the IP Address Used to Communicate with the Reporting Subsystem  26-16
Selecting the Network Service Used by the Reporting Subsystem  26-16
Secure Communications Between the Reporting Agent and Web Browsers  26-17
Replacing the Cisco Certificate With a Custom Certificate  26-18
Accessing CSPM Reports Using Secure Web Browser Communications  26-19
CHAPTER 27  Notifications  27-1
Learn More About Configuring Notifications  27-1
Event Categories  27-3
Event Classifications  27-3
Checklist for Configuring Notifications  27-5
Learn More About Viewing and Managing Notifications  27-7
Task List for Notifications  27-8
Defining Notification Rules  27-8
Configuring a Host to Receive SMTP-Based Notifications  27-12
Configuring the CSPM Server to Publish Notifications to an SMTP Server  27-14
Reviewing Generated Audit Event Notifications  27-14
Sorting Generated Audit Event Notifications  27-15
Confirming Notification Entries  27-16
Deleting Notification Entries  27-17
Refining Notification Settings  27-18
System Configuration and Maintenance
CHAPTER 28  Defining and Maintaining Administrative Accounts  28-1
Learn More About Administrative Accounts  28-1
Task List for Admin Dialog Box  28-3
Creating an Administrative Account  28-3
Changing the Privilege Settings of an Administrative Account  28-5
Specifying the Administrator Password Life  28-7
Changing an Administrative Account Password  28-7
CHAPTER 29  Configuring the CSPM Database  29-1
Learn More About the CSPM Database  29-1
Task List for the CSPM Database  29-2
Changing the Communications Port Used by the Database  29-3
Modifying the IP Address Used to Communicate with the Database  29-4
Selecting the Network Service Associated with the Database  29-5
Restarting the Database  29-6
Scheduling Checkpoint Events and Defining Log File Settings for the Database  29-8
CHAPTER 30  Backup and Recovery Procedures  30-1
Database Backup Options  30-1
Backing Up the Database Using the Backup Command on the File > Database Menu  30-2
Performing Scheduled Database Backups Using CSPMfmbackup.exe and scheduleBackup.bat  30-3
Cancelling Database Backups that Were Scheduled Using CSPMfmbackup.exe and scheduleBackup.bat  30-5
Using CSPMfmrestore.exe to Restore the Database from Backup  30-6
CHAPTER 31  Resetting and Restoring the CSPM Client  31-1
Restoring Last Saved Changes  31-1
Resetting the CSPM System  31-2
CHAPTER 32  Managing Server Disk Space  32-1
Compacting the Database  32-1
Scheduling Checkpoint Events and Defining Log File Settings for the Database  32-3
Archiving or Deleting Audit Records  32-5
CHAPTER 33  Working with Configuration Files, Standby Servers, and Support Information  33-1
Export to File Command  33-2
Learn More About the Export to File Command  33-2
Exporting a Copy of Current Settings to a File  33-3
Import from File Command  33-4
Learn More About the Import from File Command  33-4
Importing a Copy of CSPM Settings from a File  33-5
Active Standby Server  33-6
Configuring a Standby Server  33-6
Using cspmsupport to Collect Support Data  33-8
CHAPTER 34  Update Options  34-1
Update Product License  34-1
Updating Product License  34-1
File Signatures  34-2
Learn More About File Signatures  34-3
Updating File Signatures  34-3
Appendixes
APPENDIX A  Version Management Utility  A-1
Learn More About the Version Management Utility  A-1
Task List for the Version Management Utility  A-2
Accessing the Version Management Utility  A-2
Creating a Version Mapping Rule  A-3
Modifying a Version Mapping Rule  A-4
Deleting a Version Mapping Rule  A-5
APPENDIX B  Troubleshooting Tool Kit  B-1
Accounts  B-1
Creating a Temporary Administrative Account  B-2
Local Port  B-3
Changing the Default Database Port Value for the CSPM server  B-3
Restore Policy Database  B-4
Using a Backup File to Recover the System  B-4
File Signatures  B-5
Learn More About File Signatures  B-5
Updating File Signatures on the CSPM Server  B-5
APPENDIX C  Example Scenarios  C-1
Case 1: Out-of-Band Management (CSPM on DMZ)  C-1
Description  C-1
Setup  C-2
Topology  C-2
Policy  C-4
Summary  C-5
Case 2: Load-Balanced Firewalls  C-6
Description  C-6
Setup  C-6
Topology  C-7
Policy  C-8
Summary  C-9
Case 3: Site-to-Site VPN (No-NAT Tunnels)  C-10
Description  C-10
Setup  C-10
Topology  C-11
Policy  C-12
Summary  C-13
Case 4: Site-to-Site IPSec/GRE with Dynamic Routing  C-14
Description  C-14
Setup  C-14
Topology  C-14
Policy  C-17
Summary  C-17
Case 5: Replicated DMZ and Out-of-Band Management  C-18
Description  C-18
Setup  C-19
Topology  C-19
Policy  C-22
Summary  C-22
Case 6: No-NAT IPSEC and NAT Architecture  C-23
Description  C-23
Setup  C-24
Topology  C-24
Policy  C-26
Summary  C-26
INDEX
Preface
The following sections are included in this preface:
• What’s In This User Guide, page xxv
• Audience, page xxxi
• Conventions, page xxxi
• Related Documentation, page xxxii
• Obtaining Documentation, page xxxiii
• Obtaining Technical Assistance, page xxxiv
What’s In This User Guide
This user guide describes how to use Cisco Secure Policy Manager 3.1.
This user guide is divided into 8 parts, as follows.
• CSPM Overview
This part introduces the basic functionality and tasks for CSPM. This part is organized into the following chapters:
– Chapter 1, “Getting Started with CSPM”
This chapter describes the various parts of the CSPM Graphical User Interface (GUI), and describes how to log in to CSPM and perform some basic required tasks.