CSPM 3.0 issues

wongks
Level 1

Hi,

Currently, I have my existing PIX Firewall and IOS routers in my network. I already have firewall rules and access-list on the PIX and routers respectively.

My company has bought CSPM 3.0 to manage these devices. While trying to add the rules in the Policy Manager for my PIX firewall rules, I discovered that the same rules also appear as access-lists in my routers... Can I add these rules to just my PIX firewall only?

My worry is that if I continue to add my IOS router access-lists (different from the PIX firewall rules), all these commands will appear for both my PIX and routers. This is not what I want.

Please help.

3 Replies

David White
Cisco Employee

You create all your "policies" in CSPM. Meaning you want network A to be able to talk to Network B on port 80... Then CSPM will calculate all the paths between A and B and then apply the corresponding Access-lists to the devices along the path.

Therefore, only the devices that need the access-list entries will have them applied.

Hope that helps,

David.

Correct me if I am wrong... Then in this case all my managed devices between network A and network B will have the access-list applied. This will definitely slow down my network...

Is there a new release whereby we can choose the managed devices to distribute the rules to?

You don't need to mark your devices as managed!

If you insert your routers as routers and not as IOS routers, CSPM won't build access-lists for them.

The other possibility is to use the epilog window.

You can apply the commands

no ip inspect

and then, for each interface,

no ip access-group in
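To make the two replies above concrete, here is a constructed IOS configuration fragment (added for illustration; it is not CSPM output and not from any poster). It shows the kind of extended access-list that a policy of the form "network A may reach network B on port 80" amounts to on a router along the path, followed by the epilog commands from the last reply that back that filtering out again. The addresses 10.1.0.0/24 and 10.2.0.0/24, the ACL number 101 and the interface name FastEthernet0/0 are assumptions for the example.

```ios
! Constructed example: what a CSPM policy "A -> B on TCP/80" boils down to
! on an IOS router that sits on the calculated path (addresses, ACL number
! and interface are assumed for the illustration).
access-list 101 permit tcp 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255 eq 80
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 101 in
!
! Epilog window commands (as described in the last reply) that are pushed
! after the generated configuration and undo the router-side filtering:
no ip inspect
interface FastEthernet0/0
 no ip access-group 101 in
```

Bear in mind what the epilog approach does: after the push the router forwards traffic between A and B with no CSPM-generated filter at all, so the PIX becomes the only enforcement point and any access-list you maintained by hand on the router must be re-applied yourself. After a deployment, `show access-lists` and `show ip interface FastEthernet0/0` on the router confirm which ACL, if any, is actually bound to the interface.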
