Configuring devices to use security contexts
TrueSight Network Automation supports managing devices that can be configured to use security contexts.
The use of multiple security contexts, or virtualization, strengthens security and reduces overall management and support costs by consolidating multiple security devices into a single physical device.
The association of devices with security contexts differs according to device type, as discussed in the following topics:
Associating a Cisco device with security contexts
The following Cisco devices can optionally be configured to use either single or multiple security contexts:
- Cisco Series Adaptive Security Appliances (ASA)
- Cisco Application Control Engine Module (ACE)
- Cisco Firewall Services Module (FWSM)
To add a device with a security context, navigate to Network > Devices > Add.
For devices that support security contexts, the device dialog boxes display a security context selection menu (or, in view pages, the selected context). Not a Security Context is the default selection; System, Admin, and User-Defined are the other options.
In the Add Device dialog box, select the applicable security context. When you select User-Defined, you can enter the name that you want to use for the user-defined security context (for example, CiscoSecContext).
The following dialog boxes, views, and reports are enabled to support Cisco security contexts:
- Device view: Network > Devices > View
- Add device: Network > Devices > Add
- Edit device: Network > Devices > Edit
- Device filter: Network > Devices > Filter
- Commit: Network > Jobs > Add/Edit > Commit
- Add Rule: Network > Rules > Add/Edit
- View Rules: Network > Rules > View
- View Rule Set: Network > Rule Sets > View
- Trace Report: Reports > Compliance Summary Report > Trace
- Device Inventory Report: Reports > Device Inventory Report > wizard > Report
- Edit Device Import Tasks: Admin > Device Import > Edit
- Edit Dynamic Fields: Admin > Dynamic Fields > Edit
- View Dynamic Fields: Admin > Dynamic Fields > View
The following table specifies differences between the supported Cisco devices for the System, Admin, and User-Defined security contexts. For more information, see the Cisco documentation.
Feature | Admin (Security Context) | System (Security Context) | User-Defined (Security Context)
---|---|---|---
Name | ASA/FWSM: user-defined; ACE: Admin | ASA/FWSM: system; ACE: N/A in system context | User-defined
Accessible over the network | Yes | No, only via the admin context | Yes
Supports remote startup cfg (cannot restore if the startup config is a remote URL) | No | No | ASA/FWSM: Yes; ACE: No
Contents of "show context" | ASA/FWSM: shows just admin, with "*" next to it; ACE: shows all contexts, admin first | Shows all contexts, admin has "*" next to its name | Shows only the current context
Emits syslog messages | Yes | No | Yes
Can "write mem all" | ASA/FWSM: No; ACE: Yes | Yes | No
Can reboot | ASA/FWSM: No; ACE: Yes | Yes | No
Has config mode | Yes | Yes | ASA/FWSM: Yes; ACE: No
Has config copy commands for snapshot (must use tunneling when there is no copy command) | Yes (ASA startup only via TFTP) | Yes, uses the admin context's network connection | ASA/FWSM: Yes (ASA startup only via TFTP); ACE: No
Has config copy commands for the Deploy to Active and Deploy to Stored actions (must use tunneling for the Deploy to Active action when there is no copy command) | Yes (ASA only via TFTP) | Yes, uses the admin context's network connection | ASA/FWSM: Yes (ASA only via TFTP); ACE: No
Has image copy commands | ASA/FWSM: No; ACE: Yes | Yes | No
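The "show context" row above gives a way to tell, from a captured session, which kind of ASA/FWSM context a management login has landed in, and the "write mem all", reboot and image copy rows say which of those actions that context can perform. The following Python is an added example (not TrueSight code): it parses constructed "show context" output (the column layout is an assumption modelled on the common ASA format), applies the table's rule to classify the context, and checks an action against the ASA/FWSM capability rows. ACE, whose listing differs, is not covered.

```python
import re

# Constructed sample outputs for this example; not captured from a real device.
ASA_SYSTEM_SHOW_CONTEXT = """\
Context Name      Class      Interfaces           Mode    URL
*admin            default    GigabitEthernet0/0   Routed  disk0:/admin.cfg
 finance          default    GigabitEthernet0/1   Routed  disk0:/finance.cfg
 hr               default    GigabitEthernet0/2   Routed  disk0:/hr.cfg
Total active Security Contexts: 3
"""
ASA_ADMIN_SHOW_CONTEXT = """\
Context Name      Class      Interfaces           Mode    URL
*admin            default    GigabitEthernet0/0   Routed  disk0:/admin.cfg
Total active Security Contexts: 1
"""
ASA_USER_SHOW_CONTEXT = """\
Context Name      Class      Interfaces           Mode    URL
 finance          default    GigabitEthernet0/1   Routed  disk0:/finance.cfg
"""

# ASA/FWSM rows of the table: which privileged actions each context may perform.
PRIVILEGED_ACTIONS = {
    "write mem all": {"Admin": False, "System": True, "User-Defined": False},
    "reboot":        {"Admin": False, "System": True, "User-Defined": False},
    "image copy":    {"Admin": False, "System": True, "User-Defined": False},
}

def parse_contexts(output):
    """Return [(name, is_admin)] per context row; a leading '*' marks the admin context."""
    rows = []
    for line in output.splitlines():
        if line.startswith("Context Name") or line.startswith("Total"):
            continue  # header and summary lines are not context rows
        m = re.match(r"^(\*?)\s*([A-Za-z0-9_.-]+)\s+", line)
        if m:
            rows.append((m.group(2), m.group(1) == "*"))
    return rows

def classify_context(output):
    """Table rule for ASA/FWSM: admin lists only itself (starred), system lists all
    contexts with admin starred, a user-defined context lists only itself (no star)."""
    rows = parse_contexts(output)
    starred = any(is_admin for _, is_admin in rows)
    if len(rows) == 1 and starred:
        return "Admin"
    if len(rows) > 1 and starred:
        return "System"
    if len(rows) == 1 and not starred:
        return "User-Defined"
    raise ValueError("could not classify context from listing")

def action_allowed(output, action):
    """True if the context the session is in can perform the given privileged action."""
    return PRIVILEGED_ACTIONS[action][classify_context(output)]
```

Running such a check before a job issues "write mem all" or a reboot avoids attempting, from an admin or user-defined context, an action the table says only the system context can perform.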
Associating an F5 BIG-IP device with security contexts
Only the User-Defined security context is supported and required for the F5 BIG-IP Load Balancer version 10 and later. Security context is not supported on older device versions, although it is visible in the UI.
The following figure shows security context selection when you add or edit an F5 BIG-IP Load Balancer:
When you select User-Defined security context, in the Name field, enter the name of the administrative partition in which configuration is to be written. The default administrative partition is Common.
Note
To write the configuration in a user-defined administrative partition, the Deploy to Active action should be set to force tunnel transfer mode.
Associating a Juniper SRX Gateway device with security contexts
Only the User-Defined security context is supported for Juniper SRX Gateway version 11.2R3.3.
The following figure shows the security context selection when adding or editing a Juniper SRX Gateway:
After you select User-Defined, in the Name field, enter the name of the logical system in which configuration is to be written.