|
|
This chapter discusses initial configuration of server settings for the Policy Report Point. In this chapter you will find the following topics:
From the Policy Reports panel, you can specify the network service definition that HTTP clients can use to request services from the reporting agent. You can also specify the URL to the HTML page that accesses all HTML-based reports, scheduled and on-demand, that the reporting agent presents to requesting web browsers.
The Policy Reports panel organizes the configuration settings for the Policy Report Point. The Policy Report Point represents the Reporting Subsystem within Cisco Secure Policy Manager. A key component of this subsystem is the reporting agent, which is the web server that specializes in presenting the reports generated about network and system activities. The reporting agent accepts requests for activity and warning reports and displays the resulting reports in HTML or plain text format. You can use any standard web browser or the built-in web browser provided with the GUI client to view these reports.
Depending on your location (the local network or a remote site that is separated from the Policy Report Point by a Policy Enforcement Point) when you are requesting reports, you may need to configure that Policy Enforcement Point to permit Cisco Policy Reporter traffic through. You can permit this traffic by including the Cisco Policy Reporter service definition in the security policy that you apply to the network object from which requests will originate (the remote GUI client workstation). To permit only that network service's traffic to the Policy Report Point, your security policy should include the following conditions:
if destination is <PolicyReportPointHost> then
if Service is Cisco Policy Reporter then
Accept
otherwise Reject
otherwise Reject END
Depending on the custom network services that you use on your network, you may need to modify the TCP port that you use to make requests from the Policy Report Point. When you define this network service or modify the provided service definition, you must verify that you have selected that network service as the Associated Network Service in the Policy Reports panel. By default, this network service is Cisco Policy Reporter, and it is defined as TCP port 8080.
 |
Note If you installed a standalone Cisco Secure Policy Manager, the Policy Report Point resides on that standalone host. Otherwise, in a distributed installation, it resides on the primary server. |
You can perform the following tasks from the Policy Reports panel. For step-by-step procedures on performing a specific task, refer to the corresponding task topic.
You can specify a custom TCP port on which the Policy Report Point listens for requests from web browsers. This feature is useful if you already have a network service that listens on the default TCP port used by the Policy Report Point, which is TCP port 8080. To modify the TCP port for the Policy Report Point, you must modify the provided network service definition (the Cisco Policy Reporter definition under the Network Services branch of the Tools and Services tree) or define a custom network service. To make the Policy Report Point consistent with your new port settings, you must then select that network service in the Policy Reports panel. This modification ensures that any security policies that you have applied that permit Policy Report Point network traffic will continue to operate correctly once you have modified the port value.
|
Note By changing the Cisco Policy Reporter definition rather than defining a new network service, you can ensure that any applied security policies that permit Policy Report Point communications across a Policy Enforcement Point will be updated automatically. |
When you specify a network service that uses a different TCP port value than the network service that is currently associated with the Policy Report Point, the Policy Report Point automatically detects the change; you will not need to reboot the server for the change to take effect.
To modify the TCP port used to connect to the Policy Report Point, perform the following task:
Step 2 To configure the TCP transport layer of the network service definition, right-click the Cisco Policy Reporter icon in the Navigator pane, and click Properties on the shortcut menu.
Result: The TCP panel appears in the View pane. You can make any changes directly in this panel.
Step 3 To change the TCP port value used by the Cisco Policy Reporter network service, type that new port number in the Port box under Instance Settings.
Step 4 To accept your changes and close the TCP panel, click OK.
|
Note For the change to take effect, you must select the Cisco Policy Reporter in the Associated Network Service box in the Policy Reports panel. |
Step 5 To save any changes that you have made, click Save on the File menu.
You can specify the IP address that web browsers and other HTTP clients, including the GUI client, use to contact the Policy Report Point. This feature is useful if you are interested in separating the Cisco Secure Policy Manager services onto different IP addresses so that you can monitor network sessions across Policy Enforcement Points to these services.
By assigning separate IP addresses, you can study the network sessions to the Policy Report Point that occur across a Policy Enforcement Point and develop custom reports that summarize this activity. This feature is also useful if you have multiple IP addresses assigned to the host, but you only have a DNS entry defined for one of the IP addresses.
To modify the IP address used to connect to the Policy Report Point, perform the following task:
Step 2 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the Policy Report Point is running.
Step 3 To view the Policy Reports panel, point to Properties, and click Policy Reports on the shortcut menu.
Results: The Policy Reports panel appears in the View pane.
Step 4 To change the IP address on which the Policy Report Point running on this host listens for requests from web browsers, select the new IP address in the IP Address box under General Settings.
The list of IP addresses available are those IP addresses that are defined for the primary server on which the Policy Report Point is running. These addresses are defined in the IP Addresses box in the General panel of the selected server node. By default, the Policy Report Point uses the first IP address in the IP Addresses box.
Step 5 To accept your changes and close the Policy Reports panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
From the Policy Reports panel, you can specify the network service that is associated with the Policy Report Point. This network service identifies the TCP port on which the Policy Report Point listens for requests from web browsers.
When you specify a network service that uses a different TCP port value than the network service that is currently associated with the Policy Report Point, the Policy Report Point automatically detects the change. You will not need to reboot the server for the change to take effect.
To select the network service definition used to connect to the Policy Report Point, perform the following task:
Step 2 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the Policy Report Point is running.
Step 3 To view the Policy Reports panel, point to Properties, and then click Policy Reports on the shortcut menu.
Result: The Policy Reports panel appears in the View pane.
Step 4 To select the network service definition used by the Policy Report Point running on this host, click that network service in the Associated Network Service box.
This network service must be defined under the Network Services branch of the Tools and Services tree. By default, the Policy Report Point uses the Cisco Policy Reporter network service, which specifies TCP port 8080 to conduct communications. If you change this port setting from the default value of 8080, the Policy Report Point automatically detects the change; you will not need to reboot the server for the change to take effect.
 |
Caution If you change the network service name from Cisco Policy Reporter, any security policies that you have applied that permit this service to pass through Policy Enforcement Points will need to be updated manually. |
Step 5 To accept your changes and close the Policy Reports panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
To modify the Policy Report Point start page setting, perform the following task:
Step 2 To access the shortcut menu, right-click the Primary Server icon that represents the server on which the reporting agent is running.
Step 3 To view the Policy Reports panel, point to Properties, and click Policy Reports on the shortcut menu.
Result: The Policy Reports panel appears in the View pane.
Step 4 To change the HTML page that the reporting agent loads when a web browser requests services from the server, type the new URL in the Starting Page box.
This URL identifies the start page for the HTML reports that the Policy Report Point generates to summarize network service and system event activity.
Step 5 To accept your changes and close the Policy Reports panel, click OK.
Step 6 To save any changes that you have made, click Save on the File menu.
Posted: Thu May 25 13:46:50 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.