Cisco Support Community
Community Member

Import Network host objects to Cisco Security Manager

Is it possible to import complete lists of Network Hosts objects to Cisco Security Manager?

Exporting the hosts already defined in the ASAs is easy but how to import them in CSM??

Thanks

11 REPLIES
Community Member

Re: Import Network host objects to Cisco Security Manager

Are these network objects already defined on your ASA, or located on a document or something?

Community Member

Re: Import Network host objects to Cisco Security Manager

They are already defined in 2 FWSM modules and we will definitely see many more clients with objects already defined in ASAs wanting to pass them all to CSM.

The thing is how to import that huge list to CSM, instead of adding them 1 by 1.

We have CSM 3.1 now

Thanks

Community Member

Re: Import Network host objects to Cisco Security Manager

My understanding is that you'd just discover the device. Everything that is configured will port over and can be manipulated in the Policy Object Manager. You can then attribute these objects to a shared policy or whatever you want.

Community Member

Re: Import Network host objects to Cisco Security Manager

No hostnames discovered go to the Policy Object Manager (nor to the Access rules), only group-names (there's a bug in ASAs related to single host names too). The way CSM handles single hosts is previously creating them, so when we later discover devices, the single host names set in the discovered device are not considered, only their IP addresses; then you can see that in the discovered access rules CSM shows the hostname as the previously defined ones in the Policy Object Manager. If you don't define those hostnames before the device discovery, you will only see IP addresses, no hostnames, no matter that they are set in your firewalls.

Imagine discovering a couple FWSM modules with 500 access rules, and you only get to see the IP addresses of the 2,500 hosts on your network. And you have all those hosts already defined in your FWSM firewalls, when you log via ASDM you view your hard created rules with hostnames, and when you log to CSM you only view IP addresses. The clients get very disappointed with CSM after that, and discard it. The bigger the network, the faster they reject CSM.

The only way to add hosts in the Policy Object Manager is 1 by 1. But as this may have happened to more than one company and considering how easy it is to code a feature like that, I assume that it's possible to import a complete list of single hosts to CSM.

Is that really possible? It should be.

Thanks for the replies so far.

Community Member

Re: Import Network host objects to Cisco Security Manager

Hmm, I'm not overly sure about this. We've populated our Networks/Hosts section merely by discovering our firewalls. I've got hosts and networks both populated with the corresponding object names. I might be misunderstanding what you're saying, if so sorry for the barrage of messages :)

But, as far as importing a mass amount of hosts.. That sounds to be a pain if they don't import themselves from the firewalls. I was unable to find any means of importing. So, I think you're spot on with regards to that.

Community Member

Re: Import Network host objects to Cisco Security Manager

Thanks chickman for the feedback.

Which CSM version do you have?

I have discovered FWSM firewalls getting the warning: "name ares3 172.16.1.3 command not supported" or something similar. So the access rules show only IP ads.

Community Member

Re: Import Network host objects to Cisco Security Manager

We're running 3.1 as well.

Now, if you're doing individual naming for firewall ACLs.. I don't believe that comes over. I thought you were talking about the firewall's object-groups.

Community Member

Re: Import Network host objects to Cisco Security Manager

I think the only way to name hosts is this:

names
name 10.6.1.15 BR1-LAN-Server15
name 10.6.1.20 BR1-LAN-AdmCluster
name 10.6.1.30 BR1-LAN-CallManager
name 10.6.1.41 BR1-LAN-ClusterSql
... etc ...
!

If that's not set, then we would only see IP ads in the access rules. What I need is CSM to discover those hostnames (BR1-LAN-xxx, etc,etc.) instead of adding them manually. Or at least import them from a list.

Any help is welcome

Thanks

Community Member

Re: Import Network host objects to Cisco Security Manager

Now I gotcha! Lemme bite on that one for a few. We've never really had the need to accomplish that. Mainly because we keep a standard naming for things like MAILINSIDE.. MAILOUTSITE.. and if we were to migrate those into CSM, it would have a naming conflict and do something like MAILOUTSIDE_1 and so forth.
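Added example, not part of the thread and not Cisco code: a Python sketch that parses the `name <ip> <hostname>` lines shown above from several exported configs and merges them into one list for review, separating out the name/IP conflicts of the kind mentioned in the last post. It does not talk to CSM; the two sample configs are constructed (only the four `name` lines of the first are taken from the post), and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample exports; only the four `name` lines in FWSM_A are from the thread.
FWSM_A = """\
names
name 10.6.1.15 BR1-LAN-Server15
name 10.6.1.20 BR1-LAN-AdmCluster
name 10.6.1.30 BR1-LAN-CallManager
name 10.6.1.41 BR1-LAN-ClusterSql
!
access-list inside_in extended permit tcp host 10.6.1.15 any eq 443
"""
FWSM_B = """\
names
name 10.6.1.15 BR1-LAN-Server15
name 10.7.1.20 BR1-LAN-AdmCluster
name 10.6.1.30 BR1-CallMgr description voice
name 999.1.1.1 bad-entry
"""

def parse_names(config):
    """Return [(ip, name)] for each valid `name <ip> <name> [description ...]` line."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "name":
            continue  # `names`, `!`, access-list lines and so on
        try:
            ip = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # malformed address: skip rather than guess
        entries.append((ip, parts[2]))
    return entries

def merge(configs):
    """Merge name tables from several devices and report both kinds of conflict."""
    by_name, by_ip = defaultdict(set), defaultdict(set)
    for config in configs:
        for ip, name in parse_names(config):
            by_name[name].add(ip)
            by_ip[ip].add(name)
    # Same name bound to different addresses on different devices.
    name_conflicts = {n: sorted(ips) for n, ips in by_name.items() if len(ips) > 1}
    # Same address known under different names.
    ip_conflicts = {ip: sorted(ns) for ip, ns in by_ip.items() if len(ns) > 1}
    clean = sorted((ip, n) for n, ips in by_name.items() if len(ips) == 1
                   for ip in ips if len(by_ip[ip]) == 1)
    return clean, name_conflicts, ip_conflicts
```

Entries in `clean` are consistent across all inputs; everything in the two conflict maps needs a decision by a person before a shared object name is created for it.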

Community Member

Re: Import Network host objects to Cisco Security Manager

Any Cisco engineer out there?

Is the requirement I'm asking possible to achieve in Cisco Security Manager v3.1?

Thanks

Community Member

Re: Import Network host objects to Cisco Security Manager

I've confirmed it is NOT POSSIBLE to do it.

I'm including a slide taken from "CTU-NPI-Cisco Security Manager 3.1" video on demand, chapter: "Discovery and Deployment (part 1)"

Regards
