Import Network host objects to Cisco Security Manager

Unanswered Question
May 6th, 2008

Is it possible to import complete lists of Network Hosts objects to Cisco Security Manager?

Exporting the hosts already defined in the ASAs is easy, but how to import them in CSM?


martinv2008 Wed, 05/07/2008 - 10:03

They are already defined in 2 FWSM modules and we will definitely see many more clients with objects already defined in ASAs wanting to pass them all to CSM.

The thing is how to import that huge list to CSM, instead of adding them 1 by 1.

We have CSM 3.1 now


martinv2008 Wed, 05/07/2008 - 13:38

No hostnames discovered go to the Policy Object Manager (nor to the Access rules), only group-names (there's a bug in ASAs related to single host names too). The way CSM handles single hosts is previously creating them, so when we later discover devices, the single hosts names set in the discovered device are not considered, only their IP addresses; then you can see that in the discovered access rules CSM shows the hostname as the previously defined ones in the Policy Object Manager. If you don't define those hostnames before the device discovery, you will only see IP addresses, no hostnames, no matter they are set in your firewalls.

Imagine discovering a couple FWSM modules with 500 access rules, and you only get to see the IP addresses of the 2,500 hosts on your network. And you have all those hosts already defined in your FWSM firewalls, when you log via ASDM you view your hard created rules with hostnames, and when you log to CSM you only view IP addresses. The clients get very disappointed with CSM after that, and discard it. The bigger the network, the faster they reject CSM.

The only way to add hosts in the Policy Object Manager is 1 by 1. But as this may have happened to more than one company and considering how easy it is to code a feature like that, I assume that it's possible to import a complete list of single hosts to CSM.

Is that really possible? It should be.

Thanks for the replies so far.

Hmm, I'm not overly sure about this. We've populated our Networks/Hosts section merely by discovering our firewalls. I've got hosts and networks both populated with the corresponding object names. I might be misunderstanding what you're saying, if so sorry for the barrage of messages :)

But, as far as importing a mass amount of hosts... That sounds to be a pain if they don't import themselves from the firewalls. I was unable to find any means of importing. So, I think you're spot on with regards to that.

martinv2008 Wed, 05/07/2008 - 14:19

Thanks chickman for the feedback.

Which CSM version do you have?

I have discovered FWSM firewalls getting the warning: "name ares3 command not supported" or something similar. So the access rules show only IP ads.

martinv2008 Wed, 05/07/2008 - 15:24

I think the only way to name hosts is this:

name BR1-LAN-Server15
name BR1-LAN-AdmCluster
name BR1-LAN-CallManager
name BR1-LAN-ClusterSql
... etc ...

If that's not set, then we would only see IP ads in the access rules. What I need is CSM to discover those hostnames (BR1-LAN-xxx, etc,etc.) instead of adding them manually. Or at least import them from a list.

Any help is welcome


martinv2008 Thu, 05/08/2008 - 09:56

Any Cisco engineer out there?

Is the requirement I'm asking possible to achieve in Cisco Security Manager v3.1?


