
Configuring Device Access Settings on Firewall Devices

The Device Access section, located under the Device Admin folder in the Policy selector, contains pages for defining access to firewall devices.

This chapter contains the following topics:

- Configuring Console Timeout, on page 1
- HTTP Page, on page 2
- Configuring ICMP, on page 4
- Configuring Management Access, on page 6
- Configuring Management Session Quota Limits, on page 7
- Configuring Secure Shell Access, on page 8
- Configuring SSL - Basic and Advanced tabs, on page 9
- Reference Identities, on page 15
- Configuring SNMP, on page 16
- Telnet Page, on page 31

Configuring Console Timeout

Use the Console page to specify a timeout value for inactive console sessions. When the time limit you specify is reached, the console session is closed.

In the Console Timeout field, enter the number of minutes a console session can remain idle before the device closes it. Valid values are 0 to 60 minutes. To prevent a console session from timing out, enter 0.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > Console from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Console from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

HTTP Page

Use the table on the HTTP page to manage the interfaces configured to access the HTTP server on a device, as well as HTTP redirect to HTTPS on those interfaces. You also can enable or disable the HTTP server on the device from this page. Administrative access by the specific device manager requires HTTPS access.

Note: To redirect HTTP, the interface requires an access list that permits HTTP. Otherwise, the interface cannot listen to port 80, or to any other port that you configure for HTTP.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > HTTP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > HTTP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Field Reference

Table 1: HTTP Page

HTTP Interface table
    Use the Add Row, Edit Row, and Delete Row buttons below this table to manage device interfaces on which HTTP-to-HTTPS redirect is configured. Add Row and Edit Row open the HTTP Configuration Dialog Box, on page 3.

Fetch user name from certificate settings
    Select this option to set the rules for extracting a username from the certificate. Enter the following:
    - Enable HTTP username from certificate—Check this box to get the HTTP username from the certificate for authentication.
    - Pre-fill user name—Check the Pre-fill Username checkbox to enable the use of this name for authentication. When enabled, this username, along with the password entered by the user, is used for authentication.
    Choose one of the following options:
    Note: This feature is supported only in devices running ASA software version 9.4(1) or later.
    - Use the Entire DN as the username—Select this option if you want to use the entire DN as the username. This option is disabled by default.

Table 1: HTTP Page (continued)

Fetch user name from certificate settings (contd.)
    - Specify individual DN fields as the username—Choose from the Primary DN Field and Secondary DN Field drop-down values to specify which attributes and additional attributes to use to derive the username. This option is enabled by default.
      - C—Country: the two-letter country abbreviation, which conforms to the ISO 3166 country abbreviations.
      - CN—Common Name: the name of a person, system, or other entity. Not available as a secondary attribute.
      - DNQ—Domain Name Qualifier.
      - EA—Email address.
      - GENQ—Generational qualifier.
      - GN—Given name.
      - I—Initials.
      - L—Locality: the city or town where the organization is located.
      - N—Name.
      - O—Organization: the name of the company, institution, agency, association, or other entity.
      - OU—Organizational Unit: the subgroup within the organization (O).
      - SER—Serial number.
      - SN—Surname.
      - SP—State/Province: the state or province where the organization is located.
      - T—Title.
      - UID—User Identifier.
      - UPN—User Principal Name.
    - Use LUA Script generated by ASDM—Choose this option if you want to use the LUA script that is generated by ASDM. This option is disabled by default.

Enable HTTP Server
    Enables or disables the HTTP server on the device. When enabled, you can specify a communications Port for the server. The Port range is 1 to 65535; the default is 443.

HTTP Configuration Dialog Box

Use the HTTP Configuration dialog box to add or edit a host or network that will be allowed to access the HTTP server on the device via a specific interface; you also can enable and disable HTTP redirect.

Navigation Path

You can access the HTTP Configuration dialog box from the HTTP Page, on page 2.

Field Reference

Table 2: HTTP Configuration Dialog Box

Interface Name
    Enter or Select the interface on which access to the HTTP server on the device is allowed.
    Note: Beginning with Cisco Security Manager version 4.17, you can configure a BVI interface for HTTP on ASA 9.9.2 devices and above. However, in multi-context mode, a “Transparent” security context supports only a BVI interface.

IP Address/Netmask
    Enter the IP address and netmask, separated by a forward slash (“/”), of the host or network that is permitted to establish an HTTP connection with the device. Alternately, you can click Select to select a Networks/Hosts object.
    Note: Beginning with version 4.13, Cisco Security Manager supports policies—Groups, Hosts, Address Range, and Network for IPv6 devices.

Enable Authentication Certificate
    Select this option to require user certificate authentication in order to establish an HTTP connection. On ASA and PIX 8.0(2) devices, you can specify the authentication Port.

Certificate Maps
    Select the Certificate Map name that you configured in Remote Access VPN certificate to Connection Profile Maps Rules. For more information, see Map Rule Dialog Box (Upper Table). None is selected by default.
    This feature is available beginning with Security Manager version 4.12 for ASA 9.6(2) or later devices. This option is supported for single, multi, routed and transparent contexts for ASA devices.

Redirect port
    The port on which the security appliance listens for HTTP requests, which it then redirects to HTTPS. To disable HTTP redirect, ensure that this field is blank.

Configuring ICMP

Use the table on the ICMP page to manage Internet Control Message Protocol (ICMP) rules, which specify the addresses of all hosts or networks that are allowed or denied ICMP access to specific interfaces on the security device.

Note: Starting with ASA 8.2(1), ICMP IPv6 is supported in transparent firewall mode.

The ICMP rules control ICMP traffic that terminates on any device interface. If no ICMP control list is configured, the device accepts all ICMP traffic that terminates at any interface, including the outside interface. However, by default, the device does not respond to ICMP echo requests directed to a broadcast address.

It is recommended that permission is always granted for the ICMP Unreachable message (type 3). Denying ICMP Unreachable messages disables ICMP Path MTU discovery, which can halt IPsec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.

If an ICMP control list is configured, the device uses a first match to the ICMP traffic, followed by an implicit deny all. That is, if the first matched entry is a permit entry, the processing of the ICMP packet continues. If the first matched entry is a deny entry, or an entry is not matched, the device discards the ICMP packet and generates a syslog message. If an ICMP control list is not configured, a permit rule is assumed in all cases.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > ICMP from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > ICMP from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Note: ICMP IPv6 support is not available for PIX and FWSM devices.

Field Reference

Table 3: ICMP Page

ICMP Rules Table
    Use the Add Row, Edit Row, and Delete Row buttons below this table to manage ICMP rules. Add Row opens the Add ICMP dialog box, while Edit Row opens the Edit ICMP dialog box. See Add and Edit ICMP Dialog Boxes, on page 5 for information about these dialog boxes.

ICMP Unreachable Parameters

Rate Limit
    For ICMP traffic that terminates at an interface on this device, the maximum number of ICMP Unreachable messages the device can transmit per second. This value can be between 1 and 100 messages per second; the default is 1 message per second.

Burst Size
    The burst size for ICMP Unreachable messages; this can be a value between 1 and 10.
    Note: This parameter is not currently used by the system, so you can choose any value.

Add and Edit ICMP Dialog Boxes

Use the Add ICMP dialog box to add an ICMP rule, which specifies a host/network that is allowed or denied the specified ICMP access on the specified device interface.

Note: The Edit ICMP dialog box is virtually identical to the Add ICMP dialog box, and is used to modify existing ICMP rules. The following descriptions apply to both dialog boxes.
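The first-match and implicit-deny behaviour described under Configuring ICMP, as an added Python example that is not part of this guide or of Cisco's code: it evaluates a constructed control list whose rules carry the Action, ICMP Service, Interface and Network fields of the ICMP rule dialog, and includes a check that ICMP Unreachable (type 3) is still permitted. The packet model and the "any" service wildcard are assumptions of the example.

```python
"""First-match ICMP control-list evaluation, as described under Configuring ICMP.

Added example, not Cisco Security Manager or ASA code. Rules carry the
Action / ICMP Service / Interface / Network fields of the Add ICMP dialog;
the packet model and the "any" service wildcard are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpRule:
    action: str      # "permit" or "deny"
    service: str     # ICMP message name, e.g. "echo", "unreachable", or "any"
    interface: str   # interface the message is directed to, e.g. "outside"
    network: str     # source host/network in CIDR form, IPv4 or IPv6


@dataclass(frozen=True)
class IcmpPacket:
    src: str         # source address of the terminating ICMP message
    service: str     # ICMP message name
    interface: str   # interface the message terminates on


def _matches(rule, pkt):
    """A rule matches when interface, service and source network all agree.

    An IPv4 rule never matches an IPv6 source (and vice versa), which is why
    the page says a rule's network and service must be of the same type.
    """
    if rule.interface != pkt.interface:
        return False
    if rule.service != "any" and rule.service != pkt.service:
        return False
    net = ipaddress.ip_network(rule.network, strict=False)
    src = ipaddress.ip_address(pkt.src)
    return src.version == net.version and src in net


def evaluate(rules, pkt):
    """Return (decision, reason) for an ICMP packet terminating on the device.

    No control list: everything is permitted. Otherwise the first matching
    entry decides; a deny match or no match at all drops the packet
    (implicit deny) and the device generates a syslog message.
    """
    if not rules:
        return "permit", "no ICMP control list configured"
    for idx, rule in enumerate(rules):
        if _matches(rule, pkt):
            if rule.action == "permit":
                return "permit", f"first match: rule {idx}"
            return "deny", f"first match: rule {idx} (deny); syslog generated"
    return "deny", "no match: implicit deny; syslog generated"


def unreachable_still_permitted(rules, interface, src="203.0.113.10"):
    """True if ICMP Unreachable (type 3) from `src` can still reach `interface`.

    Denying type 3 breaks Path MTU discovery, so this is worth checking
    before a restrictive control list is deployed. `src` is a sample address.
    """
    return evaluate(rules, IcmpPacket(src, "unreachable", interface))[0] == "permit"


# Constructed sample control list for the "outside" interface.
OUTSIDE_RULES = [
    IcmpRule("permit", "unreachable", "outside", "0.0.0.0/0"),
    IcmpRule("permit", "echo", "outside", "192.0.2.0/24"),
    IcmpRule("deny", "any", "outside", "0.0.0.0/0"),  # explicit catch-all deny
]

if __name__ == "__main__":
    for pkt in (IcmpPacket("192.0.2.7", "echo", "outside"),
                IcmpPacket("198.51.100.5", "echo", "outside"),
                IcmpPacket("198.51.100.5", "echo", "inside")):
        print(pkt, "->", evaluate(OUTSIDE_RULES, pkt))
    print("type 3 permitted on outside:", unreachable_still_permitted(OUTSIDE_RULES, "outside"))
```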

Navigation Path

You can access the Add or Edit ICMP dialog boxes from the Configuring ICMP, on page 4.

Note: While adding an ICMP policy, make sure that the network and service are of the same type; that is, IPv6 networks support IPv6 services.

Field Reference

Table 4: Add and Edit ICMP Dialog Boxes

Action
    Whether this rule permits or denies the selected ICMP Service message from the specified Network on the specified Interface. Choose:
    - Permit – ICMP messages from the specified networks/hosts are allowed to the specified interface.
    - Deny – ICMP messages from the specified networks/hosts to the specified interface are dropped.

ICMP Service
    Enter or Select the specific ICMP service message to which the rule applies.

Interface
    Enter or Select the device interface to which these ICMP messages are directed.

Network
    Enter a host name, IPv4 or IPv6 address, or Select a Networks/Hosts object, to define the specified ICMP message source.

Configuring Management Access

Use the Management Access page to enable or disable access on a high-security interface so you can perform management functions on the device. You can enable this feature on an internal interface to allow management functions to be performed on the interface over an IPsec VPN tunnel. You can enable the Management Access feature on only one interface at a time.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > Management Access from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Access from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Enabling and Disabling Management Access

In the Management Access Interface field, enter the name of the device interface that is to permit management access connections. You can click Select to select the interface from a list of interface objects.

You can enable the Management Access feature on only one interface at a time.

Clear the Management Access Interface field to disable management access.

Configuring Management Session Quota Limits

Beginning with 4.19, Cisco Security Manager allows you to configure enforcement of limits for the maximum number of admin sessions across all connection types and usernames, for the maximum number of concurrent sessions per username, and per-protocol limits on ASA 9.12(1) or later devices. The configured session concurrency limits are enforced before the incoming administrative session is authenticated.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > Management Session Quota from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Management Session Quota from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Note: Session limits are enforced in this sequence: user limit first, then aggregate limit, then protocol limit.

Field Reference

Table 5: Management Session Quota Page

Aggregate
    The maximum number of admin sessions across all connection types. The default is 15. You can configure the limit between 1 and 15.

HTTP
    Enter the management session quota limit for HTTP, between 1 and 5. The default value is 5.

SSH
    Enter the management session quota limit for SSH, between 1 and 5. The default value is 5.

Telnet
    Enter the management session quota limit for Telnet, between 1 and 5. The default value is 5.

User
    Enter the management session quota limit for the user, between 1 and 5. There is no default value specified for the user limit.
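The enforcement sequence from the note above (user limit, then aggregate limit, then protocol limit) with the page's ranges and defaults, as an added Python example that is not Security Manager or ASA code; treating an unset user limit as simply not enforced is an assumption of the example.

```python
"""Management session quota enforcement in the order the page states.

Added example, not Cisco Security Manager or ASA code. The limits, ranges
and defaults come from the Management Session Quota page (aggregate 15;
HTTP, SSH and Telnet 5 each; no default user limit). Treating an unset
user limit as "not enforced" is an assumption of this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionQuota:
    aggregate: int = 15
    per_protocol: dict = field(default_factory=lambda: {"http": 5, "ssh": 5, "telnet": 5})
    per_user: Optional[int] = None   # the page gives no default for the user limit

    def __post_init__(self):
        # Ranges stated on the page: aggregate 1 to 15, protocol and user limits 1 to 5.
        if not 1 <= self.aggregate <= 15:
            raise ValueError("aggregate limit must be between 1 and 15")
        for proto, limit in self.per_protocol.items():
            if not 1 <= limit <= 5:
                raise ValueError(f"{proto} limit must be between 1 and 5")
        if self.per_user is not None and not 1 <= self.per_user <= 5:
            raise ValueError("user limit must be between 1 and 5")


def admit(quota, active, username, protocol):
    """Decide whether a new admin session may proceed to authentication.

    `active` lists (username, protocol) pairs of sessions already established.
    The checks run in the page's order: user limit, then aggregate limit,
    then protocol limit, so the reason names the first limit that is hit.
    Returns (allowed, reason).
    """
    protocol = protocol.lower()
    by_user = Counter(user for user, _ in active)
    by_proto = Counter(proto for _, proto in active)

    if quota.per_user is not None and by_user[username] >= quota.per_user:
        return False, f"user limit ({quota.per_user}) reached for {username}"
    if len(active) >= quota.aggregate:
        return False, f"aggregate limit ({quota.aggregate}) reached"
    limit = quota.per_protocol.get(protocol)
    if limit is not None and by_proto[protocol] >= limit:
        return False, f"{protocol} limit ({limit}) reached"
    return True, "within quota; proceed to authentication"


if __name__ == "__main__":
    # Constructed sample: five SSH sessions already open, defaults everywhere.
    open_sessions = [(f"user{i}", "ssh") for i in range(5)]
    print(admit(SessionQuota(), open_sessions, "user9", "ssh"))   # ssh limit reached
    print(admit(SessionQuota(), open_sessions, "user9", "http"))  # allowed
```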

Configuring Secure Shell Access

Use the Secure Shell page to configure rules that permit administrative access to a security device using the SSH protocol. The rules restrict SSH access to a specific IP address and netmask. Any SSH connection attempts that comply with these rules must then be authenticated by an AAA server or Telnet password.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > Secure Shell from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > Secure Shell from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Field Reference

Table 6: Secure Shell Page

SSH Version
    Specify the SSH version(s) accepted by the device: choose 1, 2, or 1 and 2. By default, SSH Version 1 and SSH Version 2 connections are accepted.

Timeout
    Enter the number of minutes, 1 to 60, the Secure Shell session can remain idle before the device closes it. The default value is 5 minutes.

Allowed Hosts table
    Use the Add Row, Edit Row, and Delete Row buttons below this table to manage the hosts allowed to connect to the security device via SSH. Add Row opens the Add Host dialog box, while Edit Row opens the Edit Host dialog box. See Add and Edit SSH Host Dialog Boxes, on page 9 for information about these dialog boxes.

Enable Secure Copy
    Check this box to enable the secure copy (SCP) server on the security appliance. This allows the appliance to function as an SCP server for transferring files from/to the device. Only clients that are allowed to access the security appliance using SSH can establish a secure copy connection.
    This implementation of the secure copy server has the following limitations:
    - The server can accept and terminate connections for secure copy, but cannot initiate them.
    - The server does not have directory support. The lack of directory support limits remote client access to the security appliance internal files.
    - The server does not support banners.
    - The server does not support wildcards.
    - The security appliance license must have the VPN-3DES-AES feature to support SSH version 2 connections.

Add and Edit SSH Host Dialog Boxes

Use the Add Host dialog box to add an SSH access rule.

Note: The Edit Host dialog box is virtually identical to the Add Host dialog box, and is used to modify existing SSH access rules. The following descriptions apply to both dialog boxes.

Navigation Path

You can access the Add and Edit Host dialog boxes from the Configuring Secure Shell Access, on page 8.

Field Reference

Table 7: Add and Edit Host Dialog Boxes

Interface
    Enter or Select the name of the device interface on which SSH connections are permitted.
    Note: Beginning with Cisco Security Manager version 4.17, you can configure a BVI interface for SSH connections on ASA 9.9.2 devices and above. However, in multi-context mode, a “Transparent” security context supports only a BVI interface.

IP Addresses
    Enter the name or IP address for each host or network that is permitted to establish an SSH connection with the security device on the specified interface; use commas to separate multiple entries. You also can click Select to select Networks/Hosts objects from a list.
    Note: Beginning with version 4.13, Cisco Security Manager supports policies—Groups, Hosts, Address Range, and Network for IPv6 devices.

Configuring SSL - Basic and Advanced tabs

Beginning from version 4.8, Security Manager provides enhanced security features using Secure Sockets Layer (SSL).

To configure SSL under device access, ensure that SSL is enabled under CSM Admin > Policy Management.

Navigation Path

- (Device view) Select Platform > Device Admin > Device Access > SSL from the Device Policy selector.
- (Policy view) Select PIX/ASA/FWSM Platform > Device Admin > Device Access > SSL from the Policy Type selector. Select an existing policy from the Shared Policy selector, or create a new one.

Field Reference

Table 8: SSL Page Basic Tab

Certificate Authentication

FCA Timeout
    Enter a value in the range of 1 to 120.
    Note: FCA Timeout is applicable for devices running the ASA software version 9.1(2) or later.

Interface
    Use the Add Row, Edit Row, and Delete Row buttons below the Interface table to manage the interfaces and their port numbers allowed to connect to the security device via SSL. Add Row opens the Add Interface and Port dialog box, while Edit Row opens the Edit Interface and Port dialog box. You can select the interface from the available entries in the Interface Selector dialog box. Enter a value in the range of 1 to 65535 for the port number.

SSL/TLS Protocol Version

Client Version
    The Client Version is the SSL/TLS protocol version to use when the device acts as a client. Select any one of the following:
    - Any—Select this keyword to transmit SSLV3 ClientHellos and negotiate SSLV3 or greater. This is the default keyword.
    - SSLV3—Enter this keyword to transmit SSLv3 ClientHellos and negotiate SSLV3 or greater.
    - TLSV1—Enter this keyword to transmit TLSv1 ClientHellos and negotiate TLSV1 or greater.
    - TLSV1.1—Enter this keyword to transmit TLSV1.1 ClientHellos and negotiate TLSV1.1 or greater.
    - TLSV1.2—Enter this keyword to transmit TLSV1.2 ClientHellos and negotiate TLSV1.2 or greater.
    Note: TLSV1.1 and TLSV1.2 protocol versions are applicable for devices running the ASA software version 9.3(2) or later.

Table 8: SSL Page Basic Tab (continued)

Server Version
    The Server Version is the minimum SSL/TLS protocol version to use when the device acts as a server. Select any one of the following:
    - Any—Select this keyword to accept SSLV2 ClientHellos and negotiate the highest common version. This is the default keyword.
    - SSLV3—Enter this keyword to accept SSLV2 ClientHellos and negotiate SSLV3 or greater.
    - SSLV3-Only—Enter this keyword to accept SSLV2 ClientHellos and negotiate SSLV3 or greater.
    - TLSV1—Enter this keyword to accept SSLV2 ClientHellos and negotiate TLSV1 or greater.
    - TLSV1-Only—Enter this keyword to accept SSLV2 ClientHellos and negotiate TLSV1 or greater.
    - TLSV1.1—Enter this keyword to accept SSLV2 ClientHellos and negotiate TLSV1.1 or greater.
    - TLSV1.2—Enter this keyword to accept SSLV2 ClientHellos and negotiate TLSV1.2 or greater.

Notes:
- The Any keyword is the default for both Server Version and Client Version and means that the device will negotiate the highest common supported version of TLS.
- TLSV1.1 and TLSV1.2 protocol versions are applicable for devices running the ASA software version 9.3(2) or later.
- SSLV3-Only and TLSV1-Only protocol versions are applicable for devices running the ASA software version older than 9.3(2).

Table 9: SSL Page Advanced Tab

Advanced SSL Settings for devices running the ASA software version older than 9.3(2)

Table 9: SSL Page Advanced Tab (continued)

Encryption
    Choose the encryption algorithms from the available list. To add an encryption algorithm, select the item in the Available Members list and then click the button. The item is moved from the Available Members list to the Selected Members list. You can add multiple encryption algorithms.
    The available encryption algorithms are as follows:
    - 3DES-SHA1
    - AES128-SHA1
    - AES256-SHA1
    - DES-SHA1
    - RC4-MD5
    - RC4-SHA1
    - NULL-SHA1
    - DHE-AES128-SHA1
    - DHE-AES256-SHA1
    Note: Beginning from 4.19, Cisco Security Manager does not support configuring TLS proxy with NULL SHA1 in SSL ciphers on ASA 9.12(1) and later devices.
    To remove an encryption algorithm, select the item in the Selected Members list and then click the button. The item is moved from the Selected Members list to the Available Members list.
    Click Save to save your settings.

Advanced SSL Settings for devices running the ASA software version 9.3(2) or later

SSL Cipher
    Use the Add Row, Edit Row, and Delete Row buttons below the SSL Cipher table to manage the SSL cipher version and level. On the Add Cipher dialog, select a combination of the version and level.

Table 9: SSL Page Advanced Tab (continued)

Version
    Select one of the following versions:
    - DEFAULT
    - DTLSV1
    - DTLSV1.2
    - SSLV3
    - TLSV1
    - TLSV1.1
    - TLSV1.2
    Note: The DEFAULT keyword is used to configure outbound connections when the device is acting as a client and establishing a connection to a server. All the other keywords are used when the device is acting as a server and accepting connections from a client.
    Note: The SSLV3 version has been deprecated from ASA version 9.4(1). Therefore, beginning with version 4.9, Security Manager performs a validation to check whether the SSLV3 option has been configured for any ASA devices running version 9.4(1) or later.

Level
    Select one of the following levels:
    - ALL - It includes all ciphers, including NULL-SHA.
    - LOW - It includes all ciphers except NULL-SHA.
    - MEDIUM - It includes all ciphers except NULL-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5.
    - FIPS - It includes all FIPS-compliant ciphers (that is, HA).
    - HIGH - It includes only AES-256 with SHA-2 ciphers, so it only applies to TLSV1.2.

Table 9: SSL Page Advanced Tab (continued)

Custom String
    Use the CUSTOM keyword for Security Manager to exercise full control over the cipher suite using OpenSSL cipher definition strings.
    Note: Beginning with version 4.9, Security Manager provides support for the following new TLSV1.2 ciphers for devices running the ASA software version 9.4(1) or later.
    - ECDHE RSA AES128 SHA256
    - ECDHE RSA AES256 SHA384
    - ECDHE ECDSA AES128 SHA256
    - ECDHE ECDSA AES256 SHA384
    Note: Beginning with version 4.16, Security Manager provides support for the following new TLSV1.2 ciphers, in addition to the above-mentioned ciphers, for devices running the ASA software version 9.4(1) or later.
    - ECDHE-ECDSA-AES256-GCM-SHA384
    - ECDHE-RSA-AES256-GCM-SHA384
    - DHE-RSA-AES256-GCM-SHA384
    - AES256-GCM-SHA384
    - ECDHE-ECDSA-AES128-GCM-SHA256
    - ECDHE-RSA-AES128-GCM-SHA256
    - DHE-RSA-AES128-GCM-SHA256
    - AES128-GCM-SHA256

ECDH Configuration
    Select one of the options (19, 20, 21, none) in the ECDH Group. This feature is available from Security Manager version 4.9 onwards for ASA devices version 9.4(1) or later.

SSL DH Group Configuration
    Select one of the options (2, 5, 14, 15 and 24) in the SSL DH Group. DH group 14 is used by default. You can now use DH group 15 in SSL DH Group for ASA 9.16(1) and later devices.
    Note: Beginning with Cisco Security Manager 4.23, DH groups 2, 5, and 24 are unsupported in the SSL DH Group on ASA 9.16(1) and later devices.

Due to import regulations in some countries, the Oracle implementation provides a default cryptographic jurisdiction policy file that limits the strength of cryptographic algorithms. If stronger algorithms need to be configured or are already configured on the device (for example, AES with 256-bit keys, or DH group 5, 14 or 24), follow these steps:

1. Download the Java 7 unlimited strength cryptography policy .jar files from http://www.oracle.com. Cisco recommends searching for the following on the Oracle website: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files Java 7

   (Click the download button to download the files by accepting the license agreement.)
2. Replace local_policy.jar and US_export_policy.jar on your Security Manager server in the folder CSCOpx\MDC\vms\jre\lib\security.
3. Restart your Security Manager server.

Reference Identities

Beginning with version 4.12, Security Manager enables you to configure Reference Identity policy objects for Secure Syslog Server connections on devices running the ASA software version 9.6(2) or later. This object enables support for Common Criteria requirements.

Reference identities are configured as one or more identifiers to be compared to the presented identifiers in the server certificate. Identifiers are specific instances of the four identifier types specified in RFC 6125.

Add/Edit Reference Identity Dialog Box

Use the Add/Edit Reference Identity Dialog Box to create a new Reference Identity policy object or to edit existing policy objects.

Navigation Path

Select Manage > Policy Objects, then select Reference Identity from the Object Type Selector. Right-click inside the work area, then select New Object or click the button to add a new object, or right-click a row, then select Edit Object.

Field Reference

Table 10: Add/Edit Reference Identity Dialog Box

Name
    Name of the Reference Identity policy object. Note that each Reference Identifier can have multi-line values.

Description
    Description of the Reference Identity policy object.

Common Name ID
    A Relative Distinguished Name (RDN) in a certificate subject field that contains only one attribute-type-and-value pair of type Common Name (CN), where the value matches the overall form of a domain name. The CN value can be free text. A CN-ID reference identifier does not identify an application service.

Domain Name ID
    A subjectAltName entry of type dNSName. This is a DNS domain name. A DNS-ID reference identifier does not identify an application service.

Service Name ID
    A subjectAltName entry of type otherName whose name form is SRVName as defined in RFC 4985. A SRV-ID identifier may contain both a domain name and an application service type. For example, a SRV-ID of “_imaps.example.net” would be split into a DNS domain name portion of “example.net” and an application service type portion of “imaps.”

Table 10: Add/Edit Reference Identity Dialog Box (continued)

Uniform Resource Identifier ID
    A subjectAltName entry of type uniformResourceIdentifier whose value includes both (i) a “scheme” and (ii) a “host” component (or its equivalent) that matches the “reg-name” rule specified in RFC 3986. A URI-ID identifier must contain the DNS domain name, not the IP address, and not just the hostname. For example, a URI-ID of “sip:voice.example.edu” would be split into a DNS domain name portion of “voice.example.edu” and an application service type of “sip.”

Category
    (Optional) Select a category between CAT-A and CAT-J.

Allow Value Override per Device
    Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

Overrides / Edit button
    Note: If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

A reference identity is created when configuring one with a previously unused name. Once a reference identity has been created, the four identifier types and their associated values can be added or deleted from the reference identity. The reference identifiers MAY contain information identifying the application service and MUST contain information identifying the DNS domain name.

Configuring SNMP

Simple Network Management Protocol (SNMP) defines a standard way for network management stations running on PCs or workstations to monitor the health and status of many types of devices, including switches, routers, and security appliances. You can use the SNMP page to configure a firewall device for monitoring by SNMP management stations.

The Simple Network Management Protocol (SNMP) enables monitoring of network devices from a central location. Cisco security appli
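The identifier matching described in the Reference Identities section, as an added Python example that is not Security Manager or ASA code: it splits SRV-IDs and URI-IDs into domain and service the way Table 10 describes, enforces the rule that a reference identity must identify a DNS domain name, and compares a constructed reference identity against constructed certificate identifiers (the RFC 6125 rule that CN-ID is consulted only when no subjectAltName identifier is presented is applied as well).

```python
"""Reference identity matching for a Secure Syslog Server certificate.

Added example, not Security Manager or ASA code. It models the four RFC 6125
identifier types from the Reference Identities table (CN-ID, DNS-ID, SRV-ID,
URI-ID) and the "MUST identify a DNS domain name" rule; the certificate
identifiers and reference identity below are constructed sample data.
"""
from dataclasses import dataclass, field


def split_srv_id(srv_id):
    """'_imaps.example.net' -> ('example.net', 'imaps'); None if malformed."""
    service, sep, domain = srv_id.partition(".")
    if not service.startswith("_") or not sep or not domain:
        return None
    return domain.lower(), service[1:].lower()


def split_uri_id(uri_id):
    """'sip:voice.example.edu' -> ('voice.example.edu', 'sip'); None if malformed.

    The host must be a DNS domain name (RFC 3986 reg-name): an IP address or
    a bare hostname is rejected, as the page requires for URI-IDs.
    """
    scheme, sep, rest = uri_id.partition(":")
    host = rest.lstrip("/").split("/", 1)[0].split("@")[-1].split(":")[0]
    if not sep or not scheme or "." not in host or host.replace(".", "").isdigit():
        return None
    return host.lower(), scheme.lower()


@dataclass
class ReferenceIdentity:
    name: str
    cn_id: list = field(default_factory=list)
    dns_id: list = field(default_factory=list)
    srv_id: list = field(default_factory=list)
    uri_id: list = field(default_factory=list)

    def validate(self):
        """MUST identify a DNS domain name; the application service is optional."""
        if not (self.cn_id or self.dns_id or self.srv_id or self.uri_id):
            raise ValueError(f"reference identity {self.name!r} identifies no DNS domain")
        if any(split_srv_id(s) is None for s in self.srv_id) or any(split_uri_id(u) is None for u in self.uri_id):
            raise ValueError(f"malformed SRV-ID or URI-ID in {self.name!r}")


def match_reference_identity(ref, presented):
    """Compare a reference identity with the identifiers a certificate presents.

    `presented` maps an identifier type ("CN-ID", "DNS-ID", "SRV-ID", "URI-ID")
    to the values found in the certificate. A reference identifier is compared
    only with presented identifiers of its own type; SRV-IDs and URI-IDs must
    agree on both domain and service/scheme. Following RFC 6125, the CN-ID is
    consulted only when no subjectAltName type is presented. Returns (matched, reason).
    """
    ref.validate()
    dns_presented = {p.lower() for p in presented.get("DNS-ID", [])}
    for d in ref.dns_id:
        if d.lower() in dns_presented:
            return True, f"DNS-ID {d}"
    srv_presented = {split_srv_id(p) for p in presented.get("SRV-ID", [])}  # malformed -> None, never matches
    for s in ref.srv_id:
        if split_srv_id(s) in srv_presented:
            return True, f"SRV-ID {s}"
    uri_presented = {split_uri_id(p) for p in presented.get("URI-ID", [])}
    for u in ref.uri_id:
        if split_uri_id(u) in uri_presented:
            return True, f"URI-ID {u}"
    if not any(presented.get(t) for t in ("DNS-ID", "SRV-ID", "URI-ID")):
        cn_presented = {p.lower() for p in presented.get("CN-ID", [])}
        for c in ref.cn_id:
            if c.lower() in cn_presented:
                return True, f"CN-ID {c} (no subjectAltName identifiers presented)"
    return False, "no presented identifier matches the reference identity"


# Constructed sample data: a reference identity for a syslog server, and
# what two different (constructed) server certificates present.
SYSLOG_REF = ReferenceIdentity(
    name="syslog-ref",
    cn_id=["syslog.example.net"],
    dns_id=["syslog.example.net"],
    srv_id=["_syslog.example.net"],
    uri_id=["syslog:syslog.example.net"],
)
CERT_GOOD = {"DNS-ID": ["logs.example.net", "syslog.example.net"], "CN-ID": ["syslog.example.net"]}
CERT_WRONG_SAN = {"DNS-ID": ["mail.example.net"], "CN-ID": ["syslog.example.net"]}
```

With CERT_WRONG_SAN the matching CN is ignored because the certificate presents a dNSName, so the connection would be rejected.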

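Returning to the SSL Basic and Advanced tabs: a policy validator, added here as an example that is not Security Manager code, which checks a proposed SSL device-access policy against the ASA release constraints stated in Tables 8 and 9 (TLSV1.1/1.2 and the SSL Cipher table from 9.3(2), SSLV3 deprecation and ECDH from 9.4(1), NULL-SHA with TLS proxy from 9.12(1), DH group changes at 9.16(1), FCA Timeout range and minimum release). The policy dictionary layout is an assumption of the example.

```python
"""Version-aware validation of an SSL device-access policy.

Added example, not Security Manager code: it re-implements only the
constraints stated in the SSL Basic and Advanced tab descriptions so a
reviewer can check a policy against the target ASA release before
deploying it. The policy dictionary layout is an assumption of this example.
"""
import re

# Minimum ASA releases the page ties to each feature, as (major, minor, patch).
TLS11_12_MIN = (9, 3, 2)        # TLSV1.1/TLSV1.2; SSL Cipher table replaces the Encryption list
SSLV3_DEPRECATED = (9, 4, 1)    # SSLV3 flagged; ECDH group and CUSTOM TLSV1.2 ciphers available
NULL_SHA_PROXY_BLOCK = (9, 12, 1)
DH_GROUP_CHANGE = (9, 16, 1)    # DH group 15 added; groups 2, 5 and 24 unsupported
FCA_TIMEOUT_MIN = (9, 1, 2)


def parse_asa_version(text):
    """'9.12(1)' or '9.9.2' -> (9, 12, 1) / (9, 9, 2); a missing third part is 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:[.(](\d+)\)?)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def validate_ssl_policy(policy, asa_version):
    """Return the list of problems found; an empty list means the policy is
    consistent with the page's version rules for `asa_version`."""
    v = parse_asa_version(asa_version)
    problems = []

    fca = policy.get("fca_timeout")
    if fca is not None:
        if not 1 <= fca <= 120:
            problems.append("FCA Timeout must be in the range 1 to 120")
        if v < FCA_TIMEOUT_MIN:
            problems.append("FCA Timeout requires ASA 9.1(2) or later")

    for side in ("server_version", "client_version"):
        ver = policy.get(side, "Any")   # Any is the page's default for both
        if ver in ("TLSV1.1", "TLSV1.2") and v < TLS11_12_MIN:
            problems.append(f"{side} {ver} requires ASA 9.3(2) or later")
        if ver in ("SSLV3-Only", "TLSV1-Only") and v >= TLS11_12_MIN:
            problems.append(f"{side} {ver} applies only to ASA older than 9.3(2)")
        if ver.startswith("SSLV3") and v >= SSLV3_DEPRECATED:
            problems.append(f"{side} {ver}: SSLV3 is deprecated from ASA 9.4(1)")

    # Advanced tab: the Encryption list is for releases older than 9.3(2), the
    # SSL Cipher (version, level) table for 9.3(2) and later.
    encryption = policy.get("encryption", [])
    ciphers = policy.get("ssl_ciphers", [])
    if encryption and v >= TLS11_12_MIN:
        problems.append("Encryption list applies only to ASA older than 9.3(2)")
    if ciphers and v < TLS11_12_MIN:
        problems.append("SSL Cipher table requires ASA 9.3(2) or later")
    if any(ver == "SSLV3" for ver, _ in ciphers) and v >= SSLV3_DEPRECATED:
        problems.append("SSL Cipher version SSLV3 is deprecated from ASA 9.4(1)")
    # Level ALL is the only cipher level that includes NULL-SHA.
    uses_null_sha = "NULL-SHA1" in encryption or any(level == "ALL" for _, level in ciphers)
    if policy.get("tls_proxy") and uses_null_sha and v >= NULL_SHA_PROXY_BLOCK:
        problems.append("TLS proxy with NULL-SHA1 in SSL ciphers is unsupported on ASA 9.12(1) and later")

    dh = policy.get("dh_group")
    if dh is not None:
        if dh not in (2, 5, 14, 15, 24):
            problems.append(f"SSL DH group {dh} is not a selectable option")
        elif dh == 15 and v < DH_GROUP_CHANGE:
            problems.append("SSL DH group 15 requires ASA 9.16(1) or later")
        elif dh in (2, 5, 24) and v >= DH_GROUP_CHANGE:
            problems.append(f"SSL DH group {dh} is unsupported on ASA 9.16(1) and later")

    ecdh = policy.get("ecdh_group")
    if ecdh not in (None, "none") and v < SSLV3_DEPRECATED:
        problems.append("ECDH group configuration requires ASA 9.4(1) or later")
    return problems


# Constructed sample policy: a hardened profile for a current ASA release.
MODERN_POLICY = {
    "fca_timeout": 60,
    "server_version": "TLSV1.2",
    "client_version": "TLSV1.2",
    "ssl_ciphers": [("TLSV1.2", "HIGH"), ("DEFAULT", "HIGH")],
    "dh_group": 15,
    "ecdh_group": 19,
}
```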