Generating, Verifying, and Publishing Command Sets

Cisco Secure Policy Manager uses the policies applied to the objects in the Security Policy Enforcement branch in conjunction with the network topology and routing information contained in the Network Topology tree to generate the device-specific commands. Additionally, you can define additional commands to be published to the devices as prologue commands (which are sent to the device before the generated commands are sent) or epilogue commands (which are sent to the device after the generated commands are sent).

Each step, described in the Step column, may contain several sub-steps and should be performed in the order presented. References to the specific procedures used to perform each step appear in the Reference column.

Table 10-1: Command Generation, Verification, and Publication Checklist

	Step	Reference
	1. Understand Distribution Point and Publishing Order Restraints The selection of a Policy Distribution Point for a Policy Enforcement Point can be restricted by your network topology layout. Before you publish to your devices, you should verify that you have selected a valid Policy Distribution Point. In addition, the order in which you publish your command sets to the various Policy Enforcement Points on your network can affect your ability to successfully publish all generated command sets. Therefore, you must study the common scenarios that can disrupt command distribution to ensure that you publish your generated command sets in an order that does not disrupt the ability to publish to all your Policy Enforcement Points.	"Learn More About Policy Distribution Points" section
	2. Set the Default Command Publication Method Depending on your network topology and the number of Policy Enforcement Points that you are managing with Cisco Secure Policy Manager, you must determine whether you can automatically publish the generated command sets or if you must publish the command sets manually.	"Specifying Policy Update Default" section "Specifying the Command Set Approval Method in the Command Console Panel" section (per device)
	Within Cisco Secure Policy Manager, two settings are available for selecting the publishing method: a global default value that applies to all newly created Policy Enforcement Points, and a per-Policy Enforcement Point setting available in the Command panel.
	3. Generate Command Sets Before Cisco Secure Policy Manager actually begins managing a Policy Enforcement Point, you must use the Save and Update command on the File menu to generate the commands. Each time you perform a Save and Update operation, Cisco Secure Policy Manager generates new command sets for each Policy Enforcement Point defined in your Network Topology tree. The resulting command sets are presented in the Pending Commands field in the Command panel for each Policy Enforcement Point.	"Saving Changes and Updating Network Policy" section
	4. Verify Command Sets You can verify the command sets that will be sent to the Policy Enforcement Points before they are actually sent if you have not set Cisco Secure Policy Manager to automatically publish the command sets when you perform a Save and Update operation. The command sets will be located in the Pending Commands field in the Command Panel for each Policy Enforcement Point.	"Reviewing the Generated Command Set" section
	5. Add Custom Commands to the Command Sets Cisco Secure Policy Manager enables you to add custom commands on a per-device basis.  The custom commands enable you to set features on the Policy Enforcement Point that are not controlled directly by Cisco Secure Policy Manager. Prologue commands are commands that are sent to the Policy Enforcement Point before the system-generated commands are sent. Epilogue commands are commands that are sent to the Policy Enforcement Point after the system-generated commands are sent.	"Entering Prologue/Epilogue Commands" section
	6. Publish Command Sets If you have not set the commands to be published automatically by a Save and Update operation, you must manually approve and publish the command sets for each device.	"Approving the Generated Command Set Manually" section
	7. Verify that the Command Sets were Published Successfully After you have approved your command sets and initiated the publishing process, you can verify that they were successfully published to the Policy Enforcement Point or detect when problems arise. The last step involved in publishing command sets is to determine that the command set that you wanted published to a Policy Enforcement Point is actively running on that gateway object. Cisco Secure Policy Manager provides status information during the publishing phase to assist you in making this determination.	"Verifying the Command Publishing Status" section

• It discovers a subset of the existing configuration settings for the Policy Enforcement Points that it controls.

• It accepts the intermediate network policies from the Policy Server Point.

• It acts as a distributed component of the security system that generates command sets. It translates the intermediate policies into device-specific command sets for each Policy Enforcement Point that it controls.

• It acts as a distributed component of the security system that publishes command sets. It publishes the appropriate generated device-specific command set to each Policy Enforcement Point that it controls.

• It acts as a distributed component of the security system that provides feedback to the system and user. It queries each Policy Enforcement Point that it controls about the device's status with respect to publishing and discovery attempts, including successes and problems during a publishing attempt and connection problems during discovery.

These command sets can be published securely using secure protocols, such as PIX Secure Telnet, or the Policy Distribution Point can use an IPSec tunnel to publish the command sets securely to the Policy Enforcement Points that it controls.

Because each type of Policy Enforcement Point has its own control agent within the Policy Distribution Point component, a Policy Distribution Point can control more than one Policy Enforcement Point type and multiple Policy Enforcement Points of a specific type. For example, a single Policy Distribution Point can control three IOS Routers and four PIX Firewalls if configured to do so. However, in scenarios where a Policy Distribution Point controls more than one Policy Enforcement Point, it is critical to consider the placement of the primary server or secondary server on which the Policy Distribution Point resides in relation to the Policy Enforcement Points that you want it to control. In addition, some Policy Enforcement Points have restrictions with respect to which interface(s) in the device can be used to configure them. In such cases, considering the limitations of the Policy Enforcement Point can also help you determine the correct placement of Policy Distribution Points on your network.

Because the Policy Distribution Point component is installed on all Cisco Secure Policy Manager hosts, you can always alter the way that you want to configure your distributed security system. Just as you can enable or disable a Policy Monitor Point for use as a valid option in configuring your security system, you can also enable or disable a Policy Distribution Point. Cisco Secure Policy Manager uses the selection of a Policy Distribution Point to ensure that the communication between a selected Policy Distribution Point and the Policy Enforcement Points that it controls are permitted. The security policies and IPSec Tunnel Groups that enable these communications are automatically generated and maintained by Cisco Secure Policy Manager.

You can resolve many issues that can affect your ability to deploy network security policies to Policy Enforcement Points by carefully planning the placement of Policy Distribution Points within your network. The benefits of careful planning and placement include the following:

• Administrative connections to the Policy Enforcement Point are guaranteed by the security policies that are generated by Cisco Secure Policy Manager to enable these connections.

• Connections to Policy Enforcement Points are not lost because of changes to the active command set during the publishing operation.

• Distribution of the command sets to the Policy Enforcement Points is more secure and the distribution time is reduced.

Because you can have more than one Policy Distribution Point on your network, you must consider the selection of a Policy Distribution Point on a per-Policy Enforcement Point basis. The best way to make this selection is to understand the scenarios that can be problematic with regard to command distribution and to understand the effects of device-specific changes that you want to make after the initial deployment.

The first thing to determine when selecting a Policy Distribution Point is the traffic flows for the communications that occur between the Policy Distribution Point and all the Policy Enforcement Points that it controls. Next, you must consider the other Policy Distribution Points on your network and their required traffic flows. It is imperative that these traffic flows do not cross.

When such traffic flows cross, they can only cross at a gateway object, which is referred to as a concentrating gateway object for the remainder of this discussion. If that concentrating gateway object is a managed gateway object, it identifies a possible point of failure in the publishing of command sets, as the policies managing that gateway object can be altered as well. Since concentrating gateway objects represent points along the path between one or more Policy Enforcement Points and a Policy Distribution Point, these concentrating gateway objects can potentially be updated before the farther Policy Enforcement Points are provided with command sets that reflect the changes on the concentrating gateway object. This case is most likely to occur if you have enabled automatic publishing of the command sets by selecting Automatic under Command Approval in the Options dialog box (available on the Tools menu) or in the Command panel of a specific Policy Enforcement Point.

In this example, the HQ Router acts as a concentrating gateway object when the Policy Distribution Point attempts to publish the generated command sets to the routers on Site A or Site B. Therefore, the only way to ensure that the traffic flows to the Site A and Site B routers are not broken is to publish to those outermost managed gateway objects before you publish to the HQ Router.

In this case, the traffic flows that you must protect against being terminated are the traffic flows between the primary servers and the secondary servers of Cisco Secure Policy Manager. This problem only arises in scenarios where you have a distributed installation type for Cisco Secure Policy Manager.

In such cases, Cisco Secure Policy Manager does not support the intelligent synchronization of command distribution across such concentrating gateway objects. In this configuration, PDPa is oblivious to the needs of PDPb during the time that PDPb is publishing the generated command set for Gw2. As a result, PDPa could publish command sets that disrupt or disable the ability for PDPb to publish command sets to Gw2.

• Administrative interface and IP address changes on a Policy Enforcement Point. If you specify a different administrative interface or modify the IP address used for the administrative interface at any time after your initial configuration, you must define a special security policy that enables the old interface to be used to issue the entire command set (because the connection may be lost in the middle once the new interface is configured).

• Administrative password. If you specify a different administrative password, such as an enable password, using the Pending Commands option in the Command panel on a Policy Enforcement Point or using a third-party administrative interface, you must make the corresponding change in the Enforcement panel of the Policy Enforcement Point in the GUI client before you can publish a new command set to the Policy Enforcement Point.

• IP address changes on Cisco Secure Policy Manager hosts. Any time that you change the IP address used by a host running some component of Cisco Secure Policy Manager or select a different Policy Distribution Point to control a Policy Enforcement Point (which is effectively a change in the IP address used to manage the Policy Enforcement Point), you jeopardize the ability of the system to actually publish the command sets to a Policy Enforcement Point. These addresses are best defined as static IP addresses (not leased via DHCP), and they are best left unmodified.

If you do modify the IP address that Cisco Secure Policy Manager uses to publish the commands to a Policy Enforcement Point (the address in the Enforcement panel) or if you select a different Policy Distribution Point to manage a specific Policy Enforcement Point, you must define an intermediate security policy that allows the network service selected in the Enforcement panel to enable both the old and the new IP addresses. Otherwise, the connection to the Policy Enforcement Point is broken while the Policy Distribution Point is publishing the command set that changes from the old address to the new address.

• Routing rules. Cisco Secure Policy Manager automatically derives the routing rules required to ensure that traffic flows between Policy Distribution Points and the Policy Enforcement Points that they manage. If you override a derived routing rule or disable the generation of derived routing rules, you can accidentally cut off the routes used by these required communications.

• Path restriction rules (flow restrictions). You must ensure that the traffic flows required for Policy Distribution Point-to-Policy Enforcement Point communications are not prevented in either direction by a path restriction rule defined on a gateway object.

• Address hiding and static translation rules on managed Policy Enforcement Points. You should never define an address hiding rule for a Policy Distribution Point. If you must translate the IP address of a Policy Distribution Point, you must define a one-to-one static translation rule. Any changes to the one-to-one static translation rule have the same effect as modifying the IP address of the Policy Distribution Point. Therefore, you must define a temporary security policy for each Policy Enforcement Point managed by the Policy Distribution Point that allows that Policy Enforcement Point to accept the network service used to publish command sets from both the old and new alias addresses of the Policy Distribution Point.

• Address hiding and static translation rules on unmanaged gateway objects. Mapping rules defined on unmanaged gateway objects along a traffic flow between a Policy Enforcement Point and its Policy Distribution Point translate the IP addresses used to manage the communication and disrupt the traffic flow. You cannot define address translation rules that affect the addresses used for such communications. Therefore, we strongly recommend that you do not define a mapping rule (or have any form of NAT) defined on an unmanaged gateway object residing between your Policy Distribution Point host and the Policy Enforcement Points that it manages.

Unmanaged gateway objects that reside between any Policy Enforcement Points and Policy Distribution Points within your Network Topology tree definition cannot have any form of address translation being performed on these unmanaged gateway objects if either the Policy Enforcement Point or Policy Distribution Point resides upstream from them. Unmanaged gateway objects matching this configuration will guarantee that the generated command sets derived for gateway objects that are managed by Cisco Secure Policy Manager are incorrect. These network services include the network services required for Policy Distribution Point-to-Policy Enforcement Point communications.

• Performing a Reset operation. When you perform a Reset operation on the File menu, you can accidentally create a different kind of distribution problem. If the GUI client references differ from the references used by other agents within the system (such as the Policy Distribution Points), they can cause incorrect command sets to be generated and published to the Policy Enforcement Points defined under the Network Topology tree. By reinstalling or removing these network objects from the Network Topology tree, you are removing the GUI client references, which ensures that incorrect commands are not generated for your Policy Enforcement Points. For more information on removing GUI client references, refer to the Cisco Secure Policy Manager Administrator's Guide: System Configuration and Maintenance.

Warning You cannot define address hiding rules that hide Cisco Secure Policy Manager hosts from the Policy Enforcement Points that they are expected to manage. Defining such rules guarantees that the device-specific command sets cannot be published to the managed gateway objects for which Cisco Secure Policy Manager is responsible.

In this case, if you distribute the commands to Inside Gw or Middle Gw before you distribute them to Outside Gw, Outside Gw becomes unreachable by PDP. Even though the command set generated for Outside Gw understands the static translation rule, the command set to be replaced does not. Therefore, Outside Gw does not know to allow administrative updates from the translated PDP address.

Note The automatic command distribution to Outside Gw fails only when a change to the mapping rules occurs on Inside Gw or Middle Gw. In other words, it can occur when you add, delete, or modify an existing mapping rule for the Cisco Secure Policy Manager host, PDP. Once you use the manual distribution method to change the mapping rules, you can return to the automatic distribution method until a similar change occurs.

In this example, if the address of the PDP is not translated on any Policy Enforcement Points or it is translated only on Outside Gw, automatic updates would work fine, because in that case order does not matter.

To specify manual or automatic policy update default, perform the following task:

Result: The Options dialog box appears.

Step 2 To select a policy update default, select one of the two options under Policy Update Options.

• Manual. The GUI client will prompt you to manually approve command sets prior to their distribution for enforcement across your network.

• Automatic. Command sets will be automatically approved prior to their distribution for enforcement across your network.

Step 3 To accept your changes and close the Options dialog box, click OK.

Step 4 To save any changes that you have made, click Save on the File menu.

Step 2 To view the Command panel, point to Properties, and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To specify which method to follow for approving commands that are generated for this Policy Enforcement Point, click that method under Command Approval.

Three approval methods exist:

• Automatic. Specifies that you do not want to approve the commands sets generated for the selected Policy Enforcement Point before the Policy Distribution Point publishes them to the Policy Enforcement Point. The command sets are to be published automatically during a Save and Update operation.

• Default. Specifies that you want to use the value specified under Policy Update Default in the Options dialog box, which you can access by clicking Options on the Tools menu. This option enables you to define a global setting for all Policy Enforcement Points.

• Manual. Specifies that you want to manually approve the command sets generated for the selected Policy Enforcement Point before the Policy Distribution Point publishes them to the Policy Enforcement Point.

Step 4 To accept your changes and close the selected panel, click OK.

Step 5 To save any changes that you have made, click Save on the File menu.

Note If you are not ready to apply changes in network policy to your network and you only want to save the work in progress, use Save.

Caution You should enable Consistency Check prior to all Save and Update operations as a safeguard against applying inconsistent configurations that may lead to network security risks.

To save current changes and update the active network policy, perform the following task:

Result: The System Inconsistencies panel appears in the View pane.

Step 2 To specify the occurrence of a Consistency Check, click an option under Automatic Checking in the System Inconsistencies panel.

You can select from three options for Automatic Checking.

• Always. A consistency check is performed each time you select a node in the Navigator pane. Only the node is subject to the consistency check. This option includes At File Save, at which time all nodes are checked for inconsistencies.

• At File Save. Your security system is checked for inconsistencies at each Save or Save and Update operation.

• Disabled. Your security system is not checked for inconsistencies at any time.

Step 3 To confirm your selection for Automatic Checking, click OK on the System Inconsistencies panel.

If you selected Disabled, a dialog box displays a message informing you that this selection can possibly compromise system integrity and/or system security. Click Yes to confirm your selection.

Step 4 To save current changes and update network policy, click Save and Update on the File menu.

Current configurations in the GUI client are checked for errors in consistency. If errors are detected, the Save and Update operation will be aborted. If no errors are detected, current configurations will be saved to the Primary Policy Database and network policies will be updated and enforced across your network.

To review the generated command set for the selected Policy Enforcement Point, perform the following task:

Step 2 To view the Command panel, point to Properties, and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To review the Pending Commands command set, select that option under Command Review/Edit.

Result: The command set that Cisco Secure Policy Manager generated for the selected Policy Enforcement Point appears in the Commands/Messages box. Review these commands to ensure that they satisfy your organization's security policy. You can use the scroll bars to review the full set of commands.

Tips To expand the Commands/Messages box when reviewing the generated command sets, click the << button at the bottom of the Command panel. To collapse the Command/Message box so that you can select a different command set, click the >> button at the bottom of the Command panel.

Step 4 To review the Prologue command set, select that option under Command Review/Edit.

Result: The Prologue commands appear in the Commands/Message box.

Step 5 To review the Epilogue command set, select that option under Command Review/Edit.

Result: The Epilogue commands appear in the Commands/Message box.

Step 6 To close the selected panel, click OK.

Step 2 To view the Command panel, point to Properties and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To enter prologue commands, select Prologue under Command Review/Edit. To enter epilogue commands, select Epilogue under Command Review/Edit.

If you had previously specified prologue or epilogue commands for the selected Policy Enforcement Point, those commands appear in the Commands/Messages box. If you had not previously entered prologue or epilogue commands for the selected Policy Enforcement Point, the Commands/Messages box is blank.

Step 4 To enter the commands, type the commands in the Commands/Messages box in the same manner as you would at the command line of the Policy Enforcement Point (or in a text configuration file for the Policy Enforcement Point). For information about the commands available for the selected Policy Enforcement Point, refer to the manufacturer's documentation.

Note When constructing prologue and epilogue command sets for IOS, you must make sure the command sets start and finish in the IOS config-mode. Additionally, the following types of commands should be followed by the exit command: crypto map crypto isakmp policy ip nat pool route-map

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.

To manually approve the generated command set for the selected Policy Enforcement Point, perform the following task:

Step 2 To view the Command panel, point to Properties, and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To review the Pending Commands command set, verify that command set is selected under Command Review/Edit.

The command set that Cisco Secure Policy Manager generated for the selected Policy Enforcement Point appears in the Commands/Messages box. Review these commands to ensure that they satisfy your organization's security policy. You can use the scroll bars to review the full set of commands.

Step 4 To approve the selected command set after you review it, click Approve Now under Command Approval.

Result: The pending command set is immediately published to the selected Policy Enforcement Point. The Status box message changes to "Processing completed."

Step 5 To accept your changes and close the selected panel, click OK.

Step 6 To save any changes that you have made, click Save on the File menu.

To verify the publishing status of the generated command set for the selected Policy Enforcement Point, perform the following task:

Step 2 To view the Command panel, point to Properties, and click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 3 To determine the current state of the publishing phase, refer to the message in the Status box.

The Status box displays interactive messages about the publishing phase, such as attempting to connect, upload complete (no errors), etc. If warnings or messages are generated, you can review these messages in the Distributions Status message box.

Step 4 To review the Distribution Status messages, select that option under Command Review/Edit.

Result: The Distribution Status messages appear in the Commands/Messages box.

These messages indicate the status and errors detected when the command set that is currently loaded was published to the Policy Enforcement Point. Included in this status are the actual commands published to the Policy Enforcement Point by Cisco Secure Policy Manager and any responses provided by the Policy Enforcement Point. An example error message is "Could not connect to device. Device not responding: connection failed in 1 seconds."

Tips To expand the Command/Message box when reviewing the command/message sets, click the << button at the bottom of the Command panel. To collapse the Command/Message box so that you can select a different command/message set, click the >> button at the bottom of the Command panel.

Step 5 To close the selected panel, click OK.