Import Network host objects to Cisco Security Manager

martinv2008
Level 1

Is it possible to import complete lists of Network Hosts objects to Cisco Security Manager?

Exporting the hosts already defined in the ASAs is easy but how to import them in CSM??

Thanks

11 Replies

chickman
Level 1

Are these network object already defined on your ASA, or located on a document or something?

They are already defined in 2 FWSM modules and we will definitely see many more clients with objects already defined in ASAs wanting to pass them all to CSM.

The thing is how to import that huge list to CSM, instead of adding them 1 by 1.

We have CSM 3.1 now

Thanks

My understanding is that you'd just discover the device. Everything that is configured will port over and can be manipulated in the Policy Object Manager. You can then attribute these objects to a shared policy or whatever you want.

No hostnames discovered go to the Policy Object Manager (nor to the Access rules), only group names (there's a bug in ASAs related to single host names too). The way CSM handles single hosts is by previously creating them, so when we later discover devices, the single host names set in the discovered device are not considered, only their IP addresses; then you can see that in the discovered access rules CSM shows the hostname as the previously defined ones in the Policy Object Manager. If you don't define those hostnames before the device discovery, you will only see IP addresses, no hostnames, no matter whether they are set in your firewalls.

Imagine discovering a couple of FWSM modules with 500 access rules, and you only get to see the IP addresses of the 2,500 hosts on your network. And you have all those hosts already defined in your FWSM firewalls; when you log in via ASDM you view your hard-created rules with hostnames, and when you log in to CSM you only view IP addresses. The clients get very disappointed with CSM after that, and discard it. The bigger the network, the faster they reject CSM.

The only way to add hosts in the Policy Object Manager is 1 by 1. But as this may have happened to more than one company and considering how easy it is to code a feature like that, I assume that it's possible to import a complete list of single hosts to CSM.

Is that really possible? It should be.

Thanks for the replies so far.

Hmm, I'm not overly sure about this. We've populated our Networks/Hosts section merely by discovering our firewalls. I've got hosts and networks both populated with the corresponding object names. I might be misunderstanding what you're saying, if so sorry for the barrage of messages :)

But, as far as importing a mass amount of hosts... That sounds to be a pain if they don't import themselves from the firewalls. I was unable to find any means of importing. So, I think you're spot on with regards to that.

Thanks, chickman, for the feedback.

Which CSM version do you have?

I have discovered FWSM firewalls getting the warning: "name ares3 172.16.1.3 command not supported" or something similar. So the access rules show only IP ads.

We're running 3.1 as well.

Now, if you're doing individual naming for firewall ACLs... I don't believe that comes over. I thought you were talking about the firewalls' object-groups.

I think the only way to name hosts is this:

names
name 10.6.1.15 BR1-LAN-Server15
name 10.6.1.20 BR1-LAN-AdmCluster
name 10.6.1.30 BR1-LAN-CallManager
name 10.6.1.41 BR1-LAN-ClusterSql
... etc ...
!

If that's not set, then we would only see IP ads in the access rules. What I need is CSM to discover those hostnames (BR1-LAN-xxx, etc,etc.) instead of adding them manually. Or at least import them from a list.

Any help is welcome

Thanks
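The thread's conclusion is that CSM 3.1 offers no bulk import of single host objects, so the only preparation a practitioner can do is to extract the host definitions from the firewall configuration and clean them up before entering them. The following Python script is an added example written for this page, not code from the thread, from Cisco, or from CSM. It parses the ASA/FWSM "name" lines shown above (the optional "description" keyword on a name line is an assumption about ASA syntax), emits a name/IP/description list as CSV, and flags the two kinds of collision that cause the renaming chickman describes (the same name bound to several IPs, or the same IP bound to several names). The configuration excerpt inside the script is constructed for the example; the duplicate entries are deliberate so the conflict check has something to report.

```python
"""Parse ASA/FWSM ``name`` lines into a host-object list and flag naming conflicts.

Added example for this thread; it does not talk to CSM, it only prepares data
for whatever entry process is available (manual entry in CSM 3.1).
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of a FWSM "names" section.  The second entry
# for 10.6.1.41 and the second BR1-LAN-Server15 are deliberate conflicts.
SAMPLE_CONFIG = """\
names
name 10.6.1.15 BR1-LAN-Server15
name 10.6.1.20 BR1-LAN-AdmCluster
name 10.6.1.30 BR1-LAN-CallManager
name 10.6.1.41 BR1-LAN-ClusterSql
name 10.6.1.41 BR1-LAN-SqlCluster
name 10.6.2.15 BR1-LAN-Server15
name 10.6.1.50 BR1-LAN-Printer description HQ printer
!
"""

# "name <ip> <hostname> [description <text>]"; the description clause is an
# assumption about ASA syntax and is simply carried through if present.
NAME_RE = re.compile(r"^\s*name\s+(\S+)\s+(\S+)(?:\s+description\s+(.*))?\s*$")


def parse_names(config_text):
    """Return a list of (ip, name, description) tuples from ``name`` lines.

    Lines that are not ``name`` entries (e.g. the ``names`` header or ``!``)
    or whose address does not parse as IPv4/IPv6 are skipped rather than
    silently turned into bogus host objects.
    """
    hosts = []
    for line in config_text.splitlines():
        m = NAME_RE.match(line)
        if not m:
            continue
        ip_str, name, desc = m.groups()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        hosts.append((str(ip), name, desc or ""))
    return hosts


def find_conflicts(hosts):
    """Return (names_with_multiple_ips, ips_with_multiple_names).

    Either kind of collision would be renamed (e.g. NAME_1) or rejected when
    the objects are re-created elsewhere, so they are reported up front.
    """
    by_name = defaultdict(set)
    by_ip = defaultdict(set)
    for ip, name, _ in hosts:
        by_name[name].add(ip)
        by_ip[ip].add(name)
    dup_names = {n: sorted(ips) for n, ips in by_name.items() if len(ips) > 1}
    dup_ips = {ip: sorted(ns) for ip, ns in by_ip.items() if len(ns) > 1}
    return dup_names, dup_ips


def to_csv(hosts):
    """Render the host list as CSV text with a header row."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["name", "ip", "description"])
    for ip, name, desc in hosts:
        writer.writerow([name, ip, desc])
    return buf.getvalue()


if __name__ == "__main__":
    parsed = parse_names(SAMPLE_CONFIG)
    names_clash, ips_clash = find_conflicts(parsed)
    print(to_csv(parsed))
    for name, ips in names_clash.items():
        print(f"CONFLICT: name {name} is bound to several IPs: {', '.join(ips)}")
    for ip, names in ips_clash.items():
        print(f"CONFLICT: IP {ip} carries several names: {', '.join(names)}")
```

Run it against a saved "show running-config" (replace SAMPLE_CONFIG with the file contents); the CSV is the list to work from, and any CONFLICT line should be resolved on the firewall before the objects are entered into CSM, otherwise the names in the discovered access rules will not match what the firewall administrators expect to see.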

Now I gotcha! Lemme bite on that one for a few. We've never really had the need to accomplish that, mainly because we keep a standard naming for things like MAILINSIDE, MAILOUTSITE, and if we were to migrate those into CSM, it would have a naming conflict and do something like MAILOUTSIDE_1 and so forth.

Any Cisco engineer out there?

Is the requirement I'm asking possible to achieve in Cisco Security Manager v3.1?

Thanks

I've confirmed it is NOT POSSIBLE to do it.

I'm including a slide taken from "CTU-NPI-Cisco Security Manager 3.1" video on demand, chapter: "Discovery and Deployment (part 1)"

Regards
