
Maintaining Cisco Secure Policy Manager

As part of your daily work, you may need to make adjustments to the basic installation settings for your Cisco Secure Policy Manager system. These settings include the amount of disk space that the system can consume on a primary or secondary server, as well as the archival of audit event records. In addition, you may need to define additional administrative accounts to allow others to support the system. The first section in this chapter discusses these options and provides step-by-step procedures for performing these daily tasks.

As part of your failure recovery planning, you may need to create and archive backup copies of your configuration settings and the Policy Database that resides on the primary server. The second section in this chapter discusses your different backup options and explains how to restore the system from such backed-up data. The section also provides step-by-step procedures for performing these failure recovery tasks.

Daily Operation

The following tasks are related to daily operation and system maintenance.

Scheduling Checkpoints

This section explains how to schedule checkpoints for the Policy Database. By defining a checkpoint rule, you are specifying how frequently the Policy Database should write the information stored in its memory cache to the database files on the server's hard drive.

To schedule checkpoints for the Policy Database, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the Primary or Secondary Server for which you want to schedule checkpoints for the Policy Database, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Database is running.

Step 4 To view the Policy Database panel, point to Properties and click Policy Database on the shortcut menu.

Result: The Policy Database panel appears in the View pane.


Step 5 To select the time interval that you want to use to schedule checkpoints, specify either a time of day or how often (in hours).

You can specify this interval on the basis of either a daily time or an unbounded number of hours between each checkpoint.

Step 6 To specify the maximum size (in megabytes) that the working log file can reach before requiring a checkpoint, type the value in the Limit log file size to box.

The Policy Database synchronizes its working data with the data stored in the working log files when the specified amount of time elapses or when the log file tracking the changes made since the last checkpoint exceeds the specified value, whichever occurs first.


Note This log file contains entries about what changes were made to the working memory. The size of the file determines how long the system takes to recover in the event of a system crash. During recovery, the security system must replay the entire log before it can synchronize with the state of the system before the crash occurred. However, you should not make the maximum size of this file too small because system resources are consumed each time a checkpoint occurs. The optimal value for the maximum log file size depends on the speed of the hard drive, the type of processors, and the amount of physical memory installed in the server.

Step 7 To accept your changes and close the Policy Database panel, click OK.

Step 8 To save any changes that you have made, click Save on the File menu.
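The following simulation is an added example, not code from Cisco or from Cisco Secure Policy Manager: it models the checkpoint rule configured in Steps 5 and 6 (checkpoint when the interval elapses or the working log reaches its size limit, whichever comes first) and reports the largest log that a crash would force the system to replay, which is the trade-off the Note describes. The workload figures, the class and function names, and the assumption that the interval is measured from the last checkpoint are all constructed for this illustration.

```python
"""Added example (not Cisco's code): a simulation of the checkpoint policy set
on the Policy Database panel. A checkpoint is forced when either the configured
interval elapses or the working log reaches its size limit, whichever occurs
first; crash recovery must replay everything logged since the last checkpoint,
so the largest log that can accumulate is the worst-case replay cost. The
workload figures below are constructed."""
from dataclasses import dataclass, field


@dataclass
class CheckpointPolicy:
    interval_hours: float   # "how often (in hours)" on the panel
    log_limit_mb: float     # "Limit log file size to" on the panel


@dataclass
class PolicyDatabaseSim:
    policy: CheckpointPolicy
    clock_hours: float = 0.0
    last_checkpoint: float = 0.0
    log_mb: float = 0.0          # working log written since the last checkpoint
    max_log_mb: float = 0.0      # largest log a crash could have forced a replay of
    checkpoints: list = field(default_factory=list)   # (time, reason)

    def _checkpoint(self, reason):
        self.checkpoints.append((self.clock_hours, reason))
        self.last_checkpoint = self.clock_hours
        self.log_mb = 0.0

    def write(self, change_mb, at_hours):
        """Log a change to working memory made at time at_hours (hours since start)."""
        # Interval checkpoints that came due while the system was idle fire first
        # (assumption: the interval is measured from the last checkpoint).
        due = self.last_checkpoint + self.policy.interval_hours
        while due <= at_hours:
            self.clock_hours = due
            self._checkpoint("interval")
            due = self.last_checkpoint + self.policy.interval_hours
        # Then the change is appended to the log and the size limit is checked.
        self.clock_hours = at_hours
        self.log_mb += change_mb
        self.max_log_mb = max(self.max_log_mb, self.log_mb)
        if self.log_mb >= self.policy.log_limit_mb:
            self._checkpoint("log-size")

    def recovery_replay_mb(self):
        """Log that a crash right now would have to replay in full."""
        return self.log_mb


def simulate(policy, workload):
    """Run (at_hours, change_mb) writes; return (checkpoint count, worst-case replay MB)."""
    if policy.interval_hours <= 0 or policy.log_limit_mb <= 0:
        raise ValueError("interval and log size limit must be positive")
    db = PolicyDatabaseSim(policy)
    for at_hours, change_mb in workload:
        db.write(change_mb, at_hours)
    return len(db.checkpoints), db.max_log_mb


# Constructed workload: 2 MB of changes every half hour for one day.
WORKLOAD = [(0.5 * k, 2.0) for k in range(1, 49)]

# A small log limit checkpoints often but keeps recovery replay short;
# a large limit leaves the interval as the only trigger and replay grows.
SMALL_LOG = CheckpointPolicy(interval_hours=24, log_limit_mb=10)
LARGE_LOG = CheckpointPolicy(interval_hours=6, log_limit_mb=50)

if __name__ == "__main__":
    for name, pol in (("small log limit", SMALL_LOG), ("large log limit", LARGE_LOG)):
        count, worst = simulate(pol, WORKLOAD)
        print(f"{name}: {count} checkpoints, worst-case replay {worst} MB")
```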



Compacting the Policy Database

The fmcompact command enables you to compact the Policy Database on a primary or secondary server.


Caution You must close all instances of the GUI client and stop all Cisco Secure Policy Manager services running on the Primary Policy Database before you can compact the Policy Database. Therefore, all communications between the primary server and any secondary servers will fail until you restart the Cisco Secure Policy Manager services on the primary server.

To compact the Policy Database, perform the following task:


Step 1 To access the Services applet, double-click Services in Control Panel on the computer that is running the Primary Policy Database (the primary server).

Result: The Services dialog box appears.

Step 2 To safely shut down the Policy Database and all Cisco Secure Policy Manager services on the primary server, select Cisco Controlled Host Component in the Service list and click Stop.

Result: All Cisco Secure Policy Manager services are stopped.

Step 3 To access the fmcompact command, change to the Cisco Secure Policy Manager/bin folder in a command prompt window.

The Cisco Secure Policy Manager folder is the folder where you chose to install the product on this computer.

Step 4 To compact the current Policy Database copy, type fmcompact at the command prompt and press Enter.

Result: When the fmcompact operation is complete, a message displays "<number> original frames <number> new frames."


Note This operation can take several minutes to complete.

Step 5 To ensure that all changes take effect and to restart the Cisco Secure Policy Manager services, reboot the Cisco Secure Policy Manager server when the command prompt returns.



Archiving or Deleting Audit Records

You can specify how large the Policy Database can grow before the oldest audit records are either automatically deleted permanently or archived to an ODBC-compliant database and deleted. You can specify the rules that determine when these actions will take place on the basis of a period of time or the maximum size of the Policy Database. You can also identify the ODBC-compliant database and account information used to store the audit records that are archived.

To define event archival and deletion settings for the Policy Database, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server that is running the Policy Monitor Point for which you want to modify the values for purging audit records, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 4 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.


Step 5 To specify the number of days that you want to maintain warning audit event records before they are purged from the Policy Database, type that number in the Warning Events box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 6 To specify the number of days that you want to maintain composite audit records that summarize warning event activities before they are purged from the Policy Database, type that number in the Warning Summaries box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 7 To specify the number of days that you want to maintain detailed session audit event records before they are purged from the Policy Database, type that number in the Session Events box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 8 To specify the number of days that you want to maintain composite audit records that summarize network session activity before they are purged from the Policy Database, type that number in the Session Summaries box under Event Purging.

To specify that you do not want to purge these audit records (you want to retain them indefinitely), type 0 (zero) in this box.

Step 9 To specify the maximum size that you want to allow for the Policy Database before the oldest audit records are automatically purged, type that value in the Limit database size to box under Event Database.

The value that you enter represents the maximum number of megabytes (MB) of disk space that can be consumed by the Policy Database before audit records are purged.

Step 10 To specify how often the Policy Database should be examined for old audit records, type the number of minutes that should pass before the Policy Database is examined in the Examine database age/size every box under Event Database.

The Policy Database is examined to determine whether it contains audit records that are older than the values specified in Steps 5 through 8 or it has exceeded the maximum size value specified in Step 9. The optimal value for this field is dependent on the number of audit records being generated and the amount of disk space that can temporarily be used by the Policy Database.

Step 11 To accept your changes and close the Policy Monitor panel, click OK.

Step 12 To save any changes that you have made, click Save on the File menu.
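The following is an added example, not code from Cisco or from Cisco Secure Policy Manager: it applies the purging rules from Steps 5 through 10 to a constructed set of audit records, that is, a per-category retention period in days where 0 means retain indefinitely, and on top of that a database size limit under which the oldest records are purged first. It also models the "Archive purged data" option from the ODBC archival procedure later in this chapter as an archive sink that receives records before they are deleted. The record categories, sizes, dates and all names are constructed.

```python
"""Added example (not Cisco's code): the event purging rules from the Policy
Monitor panel, applied to constructed audit records. Each category has a
retention period in days (0 = retain indefinitely); once the database exceeds
its size limit the oldest records are purged first until it fits. With
"Archive purged data" enabled, purged records go to an archive sink (standing
in for the ODBC data source) before they are deleted."""
from dataclasses import dataclass
from datetime import datetime, timedelta

CATEGORIES = ("warning_events", "warning_summaries",
              "session_events", "session_summaries")


@dataclass(frozen=True)
class AuditRecord:
    category: str
    timestamp: datetime
    size_mb: float


@dataclass
class PurgeSettings:
    retention_days: dict        # category -> days; 0 means never purge by age
    limit_database_mb: float    # "Limit database size to"
    archive_purged: bool = False  # "Archive purged data (Requires ODBC)"


def purge(records, settings, now, archive_sink=None):
    """Return (retained, purged); archive the purged records first if enabled."""
    purged, retained = [], []
    # Rule 1: age-based purging per category (0 days = retain indefinitely).
    for rec in records:
        days = settings.retention_days.get(rec.category, 0)
        if days > 0 and now - rec.timestamp > timedelta(days=days):
            purged.append(rec)
        else:
            retained.append(rec)
    # Rule 2: size-based purging, oldest records first, until under the limit.
    retained.sort(key=lambda r: r.timestamp)
    total = sum(r.size_mb for r in retained)
    while retained and total > settings.limit_database_mb:
        oldest = retained.pop(0)
        total -= oldest.size_mb
        purged.append(oldest)
    if settings.archive_purged:
        if archive_sink is None:
            raise ValueError("Archive purged data requires an ODBC data source")
        archive_sink.extend(purged)   # archive before the records are deleted
    return retained, purged


def demo():
    """One examination pass over constructed records; returns (retained, purged, archive)."""
    now = datetime(2000, 5, 25, 13, 0)   # constructed "now"
    records = [
        AuditRecord("warning_events", now - timedelta(days=40), 5.0),
        AuditRecord("warning_events", now - timedelta(days=10), 5.0),
        AuditRecord("session_events", now - timedelta(days=3), 20.0),
        AuditRecord("session_events", now - timedelta(days=1), 20.0),
        AuditRecord("session_summaries", now - timedelta(days=400), 1.0),
    ]
    settings = PurgeSettings(
        retention_days={"warning_events": 30, "warning_summaries": 0,
                        "session_events": 7, "session_summaries": 0},
        limit_database_mb=30.0,
        archive_purged=True,
    )
    archive = []
    retained, purged = purge(records, settings, now, archive_sink=archive)
    return retained, purged, archive


if __name__ == "__main__":
    kept, gone, archived = demo()
    print(f"retained {len(kept)}, purged {len(gone)}, archived {len(archived)}")
```

The 400-day-old session summary survives the age rule because its retention is 0, but it is still the first record removed by the size rule, which is why the two rules need to be set together.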



Defining an ODBC Driver and Data Source Name

The Policy Database supports archival of session data through the Policy Monitor Point, using the Microsoft ODBC API. To configure the Policy Monitor Point to archive session data to an ODBC-compliant database, you must install an ODBC driver and configure the Policy Database to write data to that driver. For instructions on configuring the Policy Database to write to an ODBC driver, refer to the "Configuring to Archive to an ODBC Data Source" section.

To install an ODBC driver and specify the data source path, perform the following task:


Step 1 Click Start, point to Settings, and then click Control Panel.

Result: Control Panel appears.

Step 2 In Control Panel, double-click the ODBC icon.

Result: The ODBC Data Source Administrator dialog box appears.

Step 3 To add a new data source, click Add on either the User DSN or the System DSN tab.

Result: The Create New Data Source dialog box appears.

A User DSN allows only a specific user on the local host to access the data source. A System DSN allows all users on the local host, as well as NT services, to access the data source.

Step 4 Under Name, select the database type that you want to use to create the data source that the Policy Monitor Point will use to archive session records.

Step 5 To create the new data source, click Finish.

Result: The ODBC Setup dialog box appears for the database type you selected.

Step 6 To name this data source, type the name that you want to use to identify this data source in the Data Source Name box, and press Tab.

Step 7 To provide a description of this data source (if desired), type a description in the Description box, and press Tab.

Step 8 To complete the ODBC setup, fill in the additional fields that this dialog box presents for the driver type you selected, including the location of the database.

Step 9 To close the ODBC Setup dialog box, click OK when you complete all the fields.

Result: The ODBC Setup dialog box closes.

Step 10 To close the ODBC Data Source Administrator dialog box, click OK.

Result: The ODBC Data Source Administrator dialog box closes.

Once you define the driver and data source name, you must configure the Policy Database to write its session data to that new data source. To configure the Policy Monitor Point to write to an ODBC data source, refer to the "Configuring to Archive to an ODBC Data Source" section.

Step 11 To close Control Panel, click Close on the File menu.

Result: Control Panel closes.



Configuring to Archive to an ODBC Data Source

The Policy Database supports archival of session data through the Policy Monitor Point, using the Microsoft ODBC API. To configure the Policy Monitor Point to archive session data to an ODBC-compliant database, you must install an ODBC driver and configure the Policy Database to write data to that driver.

To configure the Policy Monitor Point to use a data source name for ODBC archival, perform the following task:


Step 1 To view the Network Topology tree alone, click Network Topology on the Navigator toolbar.

Result: The Network Topology tree appears in the Navigator pane.

Step 2 To find the primary or secondary server for which you want to specify the ODBC archival settings, expand the Network Topology tree until you view that server node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Primary Server icon or the Secondary Server icon that represents the server on which the Policy Monitor Point is running.

Step 4 To view the Policy Monitor panel, point to Properties, and click Policy Monitor on the shortcut menu.

Result: The Policy Monitor panel appears in the View pane.

Step 5 To archive data to an ODBC-compliant database, click Archive purged data under Event Archival (Requires ODBC).

Step 6 To identify the data source in which the Policy Database audit records should be archived, type the name of the data source that you previously defined in the Data Source Name box.

This information is available in ODBC Data Source Administrator in Control Panel. For instructions on defining a Data Source Name, refer to the "Defining an ODBC Driver and Data Source Name" section.

Step 7 To specify the username of the account used to connect to the data source in which you want to archive audit records, type that username in the Username box.

Step 8 To authenticate the username, type the password that the data source uses to authenticate the specified username in the Password box.

Step 9 To accept your changes and close the Policy Monitor panel, click OK.

Step 10 To save any changes that you have made, click Save on the File menu.



Creating a New Administrative Account

You should create a new administrative account for each person who intends to administer Cisco Secure Policy Manager on either a primary or secondary server. Sharing an account is insecure because it provides no accountability of who made what change to the Primary Policy Database.


Caution All administrators should guard their passwords carefully. Otherwise, the security of the Policy Database, and hence your networks, could be compromised.

To create a new administrative account, perform the following task:


Step 1 To view the Administrative Accounts tree alone, click Administrative Accounts on the Navigator toolbar.

Result: The Administrative Accounts tree appears in the Navigator pane.

Step 2 To create a new account node, right-click the Administrative Accounts tree icon, point to New, and click Administrator on the shortcut menu.

Result: A new administrative account node appears under the Administrative Accounts tree in the Navigator pane, and the General dialog box for the new account appears in the View pane.


Step 3 To name the administrative account, type the name in the Username box in the General panel, and then press Enter.

This name becomes the default username for the administrative account. The GUI client enables long usernames and the use of most alphanumeric or symbol characters. Also, you can use both uppercase and lowercase characters. However, you cannot use quotation marks or a semicolon.

The name of the account node under the Administrative Accounts tree in the Navigator pane automatically updates to the new username after you click OK.

Step 4 To designate the user's full name, type it in the Full Name box.

The GUI client enables long full names and the use of all alphanumeric or symbol characters. Also, you can use uppercase and lowercase characters. While this field does not affect operation of the Primary Policy Database, it provides all administrators with a means of keeping track of who uses which account.

Step 5 To specify a privilege level, select one from the Privileges list.

Three administrative privileges are available:

This account may be used to view scheduled and on-demand reports from a web browser. However, if you upgrade privileges assigned to this account to read-only access or full access, you should also change the password to avoid possible security breaches.

Step 6 To specify a new password, select the Change Password check box.

Result: A check mark appears in the Change Password check box, and the New password and Confirm password boxes become available.

Step 7 To assign a password to the new account, type it in the New password box.

The GUI client enables long passwords and the use of all alphanumeric and symbol characters. Also, you can use both uppercase and lowercase characters.

Step 8 To confirm the password that you assigned, type it again in the Confirm password box.

If an error message appears after typing and confirming the password, retype the password in the Confirm password box. If an error message persists, check the CAPS LOCK key on your keyboard.

Step 9 To accept your changes and close the General panel, click OK.

Step 10 To save any changes that you have made, click Save on the File menu.



Failure Recovery Planning

The following tasks are related to failure recovery.

Backing Up the Policy Database

The Backup command on the File menu writes a backup copy of your Primary Policy Database to a safe location on the Primary Policy Database server. In the event that your Primary Policy Database experiences data corruption problems or you want to revert to a previously known state, you can use this backup copy in conjunction with the fmrestore command at a command prompt to restore the Policy Database to its "last known good" state.


Caution You can only back up the Primary Policy Database from the computer on which it resides. You cannot back up the Policy Database from a secondary server or a remote GUI client. Attempting to back up from a remote client can corrupt the Primary Policy Database.

The backup copy contains a copy of your entire network configuration, defined policies, and administrative accounts that you have added. More importantly, the backup copy includes the history of your system and audit events at the time the backup occurred. This history includes details regarding traffic that has occurred across your network and any reports that have been generated regarding the status and use of your network.

Whenever you make a major change to the Cisco Secure Policy Manager configuration, you should back up the Policy Database to ensure that you have a safe copy of an operational system. In addition, you should back up Cisco Secure Policy Manager after you initially install and configure it.


To back up the Policy Database, perform the following task:


Step 1 To back up the Policy Database, point to Policy Database, and click Backup on the File menu.

Result: The Select Backup Directory dialog box appears.

Step 2 To specify the drive on which you want to store the backup copy, select that drive letter in the Folder box.

You can specify to store the backup copy in a pre-existing folder or you can create a new folder. To select a pre-existing folder, continue with Step 3; to create a new folder, skip to Step 4.

Step 3 To specify a pre-existing folder, select that folder in the Select Backup Directory dialog box, and then skip to Step 6.

Step 4 To create a new folder, click the Create New Folder icon.

Result: A new folder appears with the name New Folder selected.

Step 5 To specify the name of the new folder, type the name in the selected text box, and then press Enter.

Step 6 To accept your selection, click Open.

Step 7 To perform the Backup operation, click OK.

Result: When the backup operation is complete, a message box displays "Backup Successful."


Note This operation can take several minutes or more to complete.

Step 8 To close the message box, click OK.



Restoring Policy Database from Backup

The fmrestore command enables you to restore the Primary Policy Database configuration data from the backup directory that you specified during the backup process. You should use the fmrestore command whenever the Policy Database becomes corrupted or whenever you wish to revert the Policy Database to a prior state. You can restore only the Policy Database located on the primary server. The secondary servers will synchronize their configuration data with the contents in the Primary Policy Database once it is restored and the computer has been rebooted.


Caution You must close all instances of the GUI client and stop all Cisco Secure Policy Manager services running on the Primary Policy Database before you can restore the Policy Database. Therefore, all communications between the primary server and any secondary servers will fail until you restart the Cisco Secure Policy Manager services on the primary server, which you cannot do until the fmrestore operation has completed.

To restore the Policy Database from a backup folder, perform the following task:


Step 1 To access the Services applet, double-click Services in Control Panel on the computer that is running the Primary Policy Database (the primary server).

Result: The Services dialog box appears.

Step 2 To safely shut down the Policy Database and all Cisco Secure Policy Manager services on the primary server, select Cisco Controlled Host Component in the Service list and click Stop.

Result: All Cisco Secure Policy Manager services are stopped.

Step 3 To access the fmrestore command, change to the Cisco Secure Policy Manager/bin folder in a command prompt window.

The Cisco Secure Policy Manager folder is the folder where you chose to install the product on this computer.

Step 4 To revert the current Policy Database to the backup copy, type fmrestore <source folder> at the command prompt and press Enter.

The source folder should include the folder name and the relative path to that folder from bin. This folder is the one that you specified when you used the GUI client to create the backup. Remember that a folder named "CiscoBackup" is automatically created under the backup folder specified during the backup process; however, you do not need to specify that folder in the path as it is automatically appended to the source folder that you specify. No other parameters are required.

Result: When the fmrestore operation is complete, a message displays "Successfully restored Cisco Policy Database files."


Note This operation can take several minutes to complete.

Step 5 When the command prompt returns, reboot the primary server for all changes to take effect and to restart the Cisco Secure Policy Manager services.



Exporting Configuration Settings to File

Export to File enables you to export a copy of the current view of the GUI client to a location that you specify. The view that is extracted and copied includes your entire network configuration, defined policies, and administrative accounts that you have added. The exported file does not contain a history of traffic that has occurred across your network or of any reports that have been generated regarding the status and use of your network.

An exported view of the GUI client can serve several purposes. For example, the Export to File command will be particularly useful should you need assistance from the Cisco Systems Technical Assistance Center (TAC). After you export a copy of your configurations, you can send the copy via e-mail to the TAC. Support personnel at the TAC can then review your configurations, make corrections or adjustments to them as necessary, and send the revised configurations to you via e-mail. Upon receiving the file from the TAC, you can use the Import from File command on the File menu to load the new configurations into the GUI client.

You can also export a copy of the current settings for use on a different Cisco Secure Policy Manager. The exported copy can be used to duplicate your configurations on another network or it can be used as a starting point from which to build a more extensive network policy.


Note The exported file does not contain a history of traffic that has occurred across your network or of any reports that have been generated regarding the status and use of your network. However, the view that is extracted and copied does include your entire network configuration, defined policies, and administrative accounts that you have added.


Caution If, during the current work session, you have renamed the administrative account under which you logged on to the GUI client, you will be unable to export a copy of the Cisco Secure Policy Manager settings. To do so, you will need to exit the GUI client and log on again.

To export a copy of current settings to a file, perform the following task:


Step 1 To export a copy of current settings to a file, click Export to File on the File menu.

Result: The Export To dialog box appears.

Step 2 To specify the folder in which you want to store the exported data, you can either select a pre-existing folder or create a new folder.

To select a pre-existing folder, continue with Step 3; to create a new folder, skip to Step 5.

Step 3 To specify the drive on which the folder resides, select that drive letter in the Save in box.

Step 4 To specify the folder to which you want to export a copy of the Cisco Secure Policy Manager settings, select that folder and click Open.

Skip to Step 8.

Step 5 To create a new folder, specify the letter of the drive on which you want to create the folder in the Save in box, and click the Create New Folder icon.

Step 6 To specify the name of the new folder, type the name in the selected New Folder box, and then press Enter.

Step 7 To accept your selection of folder, click Open in the Export To dialog box.

Step 8 To specify the filename of the exported copy, type the name in the File name box in the Export To dialog box.

Step 9 To continue with the Export to File operation, click Save in the Export To dialog box.

A copy of your current settings, as viewed in the GUI client, is exported and saved to the drive and file that you specified. The extension .cpm is automatically added to the filename that you specified.



Importing Configuration Settings from File

The Import from File command on the File menu enables you to import a copy of the Cisco Secure Policy Manager settings that were previously exported and saved to a known location.


Note The exported file is a "snapshot" of settings viewed in the GUI client at the time they were exported to a file.

The view that is imported includes network configurations, defined policies, and administrative accounts. The imported file does not contain a history of traffic that occurred across the network or of any reports that were generated regarding the status and use of the network to which the imported settings were applied.

An imported view of the GUI client can serve several purposes. The Import from File command will be particularly useful should you need assistance from the Cisco Systems TAC. For example, you can use the Export to File command on the File menu to export a copy of your configurations. You can then send that copy via e-mail to the TAC. Support personnel at the TAC can review your configurations, make corrections or adjustments to them as necessary, and send the revised configurations to you via e-mail. Upon receiving the file from the TAC, you can use the Import from File command to load the new configurations into the GUI client.

You can also import a previously exported file into a different Cisco Secure Policy Manager to duplicate the configurations on another network or to use those configurations as a starting point from which to build a more extensive network policy.


Note There are a couple of key points to remember when using the Import from File command. First of all, the file you import is a "snapshot" of settings viewed in the GUI client at the time they were exported to a file. Second, new services are often added between releases of Cisco Secure Policy Manager. Therefore, if you import a CPM file from a previous release, you must use the Service Library to reinstall any of the features that were not supported by the previous release. For example, the 1.1 release of Cisco Security Manager did not support the IPSec AH and ESP services now available in the 2.0 release of Cisco Secure Policy Manager. If you import a 1.x CPM file into a Cisco Secure Policy Manager 2.0 system, you must reinstall the IPSec AH and ESP services.


Note The imported file does not contain a history of traffic that occurred across the network or of any reports that were generated regarding the status and use of the network to which the imported settings were applied. However, the view that is imported into the GUI client does include network configurations, defined policies, and administrative accounts.

To import a copy of Cisco Secure Policy Manager settings from a file, perform the following task:


Step 1 To import a copy of Cisco Secure Policy Manager settings from a file, click Import from File on the File menu.

You will be prompted to save updated data if you have not already done so.

Step 2 To save updated data, click Yes in the Cisco Secure Policy Manager dialog box.

Result: The Import From dialog box appears.

Step 3 To specify the letter of the drive on which the copy to be imported resides, select that drive in the Look in box in the Import From dialog box.

Step 4 To specify the file that you want to import, select that file.

Result: The filename of the file you selected appears in the File name box.

Step 5 To import the file that you selected, click Open in the Import From dialog box.

The GUI client is refreshed to reflect the settings that were contained in the imported file. If the imported file includes an administrative account with a username that is the same as the one under which you are currently logged on to the GUI client, Cisco Secure Policy Manager will retain the original account and rename the imported account as your username (imported).




Posted: Thu May 25 13:07:11 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.