Generate, Verify, and Publish the Device-Specific Command Sets

Introduction

Cisco Security Manager represents security policies, routing information, and other device-specific settings using a representation that is not directly interpretable by a Policy Enforcement Point (PEP). Therefore, a translation process must take place to ensure that the device-specific command sets are generated from the intermediary representation used by Cisco Security Manager. This chapter explains how to generate these device-specific command sets, shows you where to look in the user interface to review the generated commands, and then explains how you download those commands to a PEP.

Generate, Verify, and Publish Device-Specific Command Sets

The Save and Update command on the File menu is responsible for generating the device-specific command sets that can be published to the PEPs, such as the corporate firewall in our example. Once you successfully perform a Save and Update operation, you can view the generated command set using the Command panel on the PIX Firewall for which you want to download that command set. When you are managing multiple PIX Firewalls, the Save and Update operation generates commands for each firewall identified in the Network Topology tree. In addition, it includes all the routing and mapping rules that are either derived by Cisco Security Manager or manually entered by you as part of these rule sets.

Once you generate and view the commands, you can publish them to the PIX Firewall by approving them manually, which is the default publishing method. Later, when you become more familiar with developing security policies, you can configure Cisco Security Manager to automatically publish the command sets to all the PIX Firewalls that you are administering each time you click Save and Update on the File menu.

Figure 6-1 depicts the Command panel as it will appear when you complete the procedure defined in this section.


Figure 6-1: Example Pending Commands in the Command Panel

The following procedure explains how to generate the command sets, review the generated commands, and, after you approve them, publish them to the corporate firewall.

Step 1 To save any changes that you have made to the Policy Database and generate the device-specific command sets for the corporate firewall, click Save and Update on the File menu.

Step 2 To find the corporate firewall for which you want to review/approve the generated command set, expand the Network Topology tree until you view the Corporate Firewall node in the Navigator pane.

Step 3 To access the shortcut menu, right-click the Corporate Firewall icon for which you want to review/approve the generated command set.

Step 4 To view the Command panel, point to Properties, and then click Command on the shortcut menu.

Result: The Command panel appears in the View pane.

Step 5 To review the generated command set, verify that Pending Commands is selected under Command Review/Edit.

Result: The command set that Cisco Security Manager generated for the selected PEP appears in the Commands/Messages box. Review these commands to ensure that they satisfy your organization's security policy. You can use the scroll bars to review the full set of commands.

Step 6 To approve the selected command set after you review it and to publish it to the corporate firewall, click Approve Now under Command Approval.

Result: The Status box message changes to "Processing completed" and the command sets are downloaded to the corporate firewall.

Step 7 To accept your changes and close the Command panel, click OK. To reject your changes and close the Command panel, click Cancel.

Congratulations! You have successfully generated and published the device-specific command set to the corporate firewall. Now that you have had some practice, you can apply the basic concepts of this tutorial to your own network.


Posted: Mon Sep 6 13:44:24 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.